
cryptography, it is best if the order of the curve is a large prime number. In general, finding the order of a curve is not trivial. When *p* ≥ 5 is a small prime, the points can be listed by letting *x* = 0, 1, 2, ..., *p* − 1 and checking when *x*<sup>3</sup> + *ax* + *b* is a square mod *p*. When *p* is large, it is infeasible to count the points on the curve by listing them. Several algorithms deal with this problem, notably Schoof's algorithm and the Schoof-Elkies-Atkin (SEA) algorithm (Lawrence & Wade, 2006). In principle, there are approximately *p* points on the curve *E*; including the point at infinity, a total of *p* + 1 points is expected to be on the curve. The order of a curve is called 'smooth' if it is divisible by many small factors, which can bring point multiplications to the identity (the point at infinity). The desirable type of curve has a 'non-smooth' order, that is, an order divisible by a large prime number. The Schoof-Elkies-Atkin point counting method has become sufficiently efficient to find cryptographic curves of prime order over *Fp* with heuristic running time *O*(log<sup>6</sup> *p*). In the next section, we discuss the two point counting algorithms: Schoof's algorithm and the Schoof-Elkies-Atkin algorithm.

### **5.1 Schoof and Schoof-Elkies-Atkin (SEA) point counting algorithms**

To determine #*E*(*Fp*), one computes *z* = *x*<sup>3</sup> + *ax* + *b* for each *x* in *Fp* and tests whether *z* has a square root in *Fp*. If for every *x* there existed *y* ∈ *Fp* such that *y*<sup>2</sup> = *z*, we would have 2*p* points plus the point at infinity, that is, 2*p* + 1 elements in the group, because each *x* value would produce two values of *y*. However, by the theory of finite fields, only about half of the non-zero elements of *Fp* are quadratic residues, so there are approximately *p* + 1 points. There are several point counting algorithms; in this section we focus on two of them, the Schoof and Schoof-Elkies-Atkin (SEA) point counting algorithms, and describe both briefly. Readers are assumed to have some background in number theory and algebraic geometry. For more details on the arithmetic of elliptic curves, refer to (Silverman, 1986); for an introduction to Schoof's algorithm, refer to (Schoof, 1985).
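The enumeration just described is easy to sketch in code. Euler's criterion, $z^{(p-1)/2} \equiv 1 \pmod p$, tests whether $z$ is a nonzero quadratic residue. This is only an illustrative sketch; the curve $y^2 = x^3 + x + 1$ over $F_{23}$ used below is a standard small example with 28 points, not a curve from the text:

```python
# Naive point count for y^2 = x^3 + ax + b over F_p: each x contributes
# 2 points if z = x^3 + ax + b is a nonzero square, 1 point if z == 0,
# and 0 otherwise; finally add the point at infinity.
def count_points(a, b, p):
    count = 1  # the point at infinity
    for x in range(p):
        z = (x * x * x + a * x + b) % p
        if z == 0:
            count += 1                      # single point (x, 0)
        elif pow(z, (p - 1) // 2, p) == 1:  # Euler's criterion: z is a QR
            count += 2                      # points (x, y) and (x, -y)
    return count
```

This brute-force count takes time linear in *p* and is feasible only for small fields, which is exactly why the Schoof and SEA algorithms discussed below matter.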

### **5.1.1 Schoof's algorithm**

René Schoof (Schoof, 1985) introduced a deterministic polynomial time algorithm to compute the number of *Fp*-points of an elliptic curve defined over a finite field *Fp* given in the Weierstrass form (2). Schoof's algorithm has been used to compute group orders of over 200 digits. The characteristic polynomial of the Frobenius endomorphism is critical to the development of Schoof's algorithm. Another crucial ingredient is the computation of the division polynomials, which are needed to carry out the computation of the order of the group of the elliptic curve. If the division polynomials have low degree, then they are said to be efficiently computable.

Let *E* be an elliptic curve defined over *Fp*, denoted *E*/*Fp*, where *Fp* is a prime field of characteristic *p* > 3. Define the Frobenius endomorphism $\phi_p$ as follows:

100 Cryptography and Security in Computing


$$\phi\_p: E(\overline{F}\_p) \to E(\overline{F}\_p)$$

$$(x, y) \mapsto (x^p, y^p)$$

The Frobenius map, or endomorphism, $\phi_p$ satisfies the characteristic equation (5):

$$\phi_p^2 - t\phi_p + p = 0, \quad \forall P \in E(\overline{F}_p) \tag{5}$$

where $\overline{F}_p$ is the algebraic closure of the prime field *Fp*. Let *t* be the trace of the Frobenius endomorphism; then the number of points $\#E(F_p)$ is given in (6) as follows:

$$\#E(F_p) = p + 1 - t, \quad |t| \le 2\sqrt{p} \tag{6}$$

From equation (5), every point $P = (x, y) \in E(\overline{F}_p)$ satisfies the following equation (7):

$$(\mathbf{x}^{p^2}, y^{p^2}) + p(\mathbf{x}, y) = t(\mathbf{x}^p, y^p) \tag{7}$$

where scalar multiplication by *p* or *t* signifies adding a point to itself *p* or *t* times respectively. Let $E[l] = \{P = (x, y) \in E(\overline{F}_p) \mid [l]P = O\}$; each $P \in E[l]$ is called an *l*-torsion point. Writing $\overline{t}$ for *t* mod *l* and $\overline{p}$ for *p* mod *l*, where *l* is a prime, equation (7) restricted to $(x, y) \in E[l]$ reduces to the following:

$$(x^{p^2}, y^{p^2}) + \overline{p}(x, y) = \overline{t}\,(x^p, y^p)$$

To determine *t* (mod *l*) for primes *l* > 2, we need to compute the division polynomials.

### **Definition 5.1.1 (Division Polynomial)**

A division polynomial (McGee, 2006) $\Psi_m$ is a member of a sequence of polynomials in $\mathbb{Z}[x, y, a, b]$ that vanishes on points of a particular order. Let *E* be the elliptic curve given by (2). The division polynomial satisfies $\Psi_m(x, y) = 0$ if and only if $(x, y) \in E[m]$. These polynomials are defined recursively as follows (Schoof, 1985):

$$\begin{aligned}
\Psi_{-1} &= -1, \quad \Psi_0 = 0, \quad \Psi_1 = 1, \quad \Psi_2 = 2y \\
\Psi_3 &= 3x^4 + 6ax^2 + 12bx - a^2 \\
\Psi_4 &= 4y(x^6 + 5ax^4 + 20bx^3 - 5a^2x^2 - 4abx - 8b^2 - a^3) \\
\Psi_{2m} &= \Psi_m(\Psi_{m+2}\Psi_{m-1}^2 - \Psi_{m-2}\Psi_{m+1}^2)/2y, \quad m \ge 3 \\
\Psi_{2m+1} &= \Psi_{m+2}\Psi_m^3 - \Psi_{m+1}^3\Psi_{m-1}, \quad m \ge 2
\end{aligned}$$
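The recurrences above can be evaluated numerically at a point of the curve, replacing the division by $2y$ with a modular inverse. The following is only a sketch under our own naming (the helper `division_poly_at` and its memoised structure are not from the text):

```python
# Evaluate the division polynomial Psi_m at a point (x, y) of
# y^2 = x^3 + ax + b over F_p, using the recursive definition above.
from functools import lru_cache

def division_poly_at(m, x, y, a, b, p):
    @lru_cache(maxsize=None)
    def psi(n):
        if n == -1: return (-1) % p
        if n == 0:  return 0
        if n == 1:  return 1
        if n == 2:  return (2 * y) % p
        if n == 3:
            return (3*x**4 + 6*a*x**2 + 12*b*x - a*a) % p
        if n == 4:
            return (4*y*(x**6 + 5*a*x**4 + 20*b*x**3
                         - 5*a*a*x**2 - 4*a*b*x - 8*b*b - a**3)) % p
        k, r = divmod(n, 2)
        if r:  # n = 2k + 1: Psi_{k+2} Psi_k^3 - Psi_{k+1}^3 Psi_{k-1}
            return (psi(k+2)*psi(k)**3 - psi(k+1)**3*psi(k-1)) % p
        # n = 2k: the division by 2y becomes a modular inverse
        inv2y = pow(2*y % p, p - 2, p)
        return (psi(k)*(psi(k+2)*psi(k-1)**2 - psi(k-2)*psi(k+1)**2)
                * inv2y) % p
    return psi(m)
```

For instance, on the small curve $y^2 = x^3 + x + 1$ over $F_{23}$ (an illustration of ours, not a curve from the text), the values computed this way are consistent with the $x$-coordinate formula for $[n]P$ given in Proposition 5.1.1 below.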

Elliptic Curve Cryptography and Point Counting Algorithms 103

### **5.1.1.1 Computation of number of points, #E(Fp) using Schoof's algorithm**

Here, we present Schoof's algorithm briefly. For *E* as defined in (2) over *Fp*, Hasse's theorem gives

$$\#E(F_p) = p + 1 - t \text{ where } |t| \le 2\sqrt{p}.$$

Input: Elliptic curve $y^2 = x^3 + ax + b$ over the prime field *Fp*.

Output: Number of points $\#E(F_p)$.

1. Create a set of small primes, each not equal to char(*Fp*) = *p*, $S = \{l_1, l_2, \ldots, l_L\} = \{2, 3, 5, 7, 11, \ldots, l_L\}$ such that $\prod_{i=1}^{L} l_i > \lceil 4\sqrt{p} \rceil$.

a. For the case when the prime *l* = 2:

2. If $\gcd(x^3 + ax + b, x^p - x) \ne 1$, then $t \equiv 0 \pmod 2$, else $t \equiv 1 \pmod 2$. This tests whether *E* has a point of order 2, $(x, 0) \in E[2]$: if $\gcd(x^3 + ax + b, x^p - x) = 1$, then $x^3 + ax + b$ has no root in *Fp*, else it has at least one such root.

3. For each odd prime $l \in S$, compute $p_l \equiv p \pmod l$.

4. To test which case is to be used, compute

$$\gcd\left((x^{p^2} - x)\Psi_{p_l}^2 - \Psi_{p_l - 1}\Psi_{p_l + 1} \ (\mathrm{mod}\ \Psi_l, p),\ \Psi_l\right).$$

If the gcd is 1, proceed to case (b), else proceed to case (c).

b. For the case when $(x^{p^2}, y^{p^2}) \ne \pm p_l(x, y)$:

5. Compute $(x', y') = (x^{p^2}, y^{p^2}) + p_l(x, y)$.

6. For each $1 \le \tau \le \frac{l - 1}{2}$, compute the *x*-coordinate $x_\tau$ of $\tau(x^p, y^p)$.

7. If $x' - x_\tau \equiv 0 \pmod{\Psi_l}$, then compute $y'$ and $y_\tau$; else try the next $\tau$.

8. If $(y' - y_\tau)/y \equiv 0 \pmod{\Psi_l}$, then $t \equiv \tau \pmod l$, else $t \equiv -\tau \pmod l$.

9. If all values $1 \le \tau \le \frac{l - 1}{2}$ fail, then proceed to case (c).

c. For the case when $(x^{p^2}, y^{p^2}) = \pm p_l(x, y)$:

10. Compute *w* such that $w^2 \equiv p \pmod l$.

11. If no such *w* exists, then $t \equiv 0 \pmod l$; else

12. Compute $(x_w, y_w) = w(x, y)$.

13. If $\gcd(\mathrm{numerator}(x^p - x_w), \Psi_l) = 1$, then $t \equiv 0 \pmod l$;

14. Else compute $\gcd(\mathrm{numerator}((y^p - y_w)/y), \Psi_l)$:

15. If $\gcd(\mathrm{numerator}((y^p - y_w)/y), \Psi_l) = 1$, then $t \equiv -2w \pmod l$, else $t \equiv 2w \pmod l$.

Recover *t* via the Chinese Remainder Theorem (CRT):

16. At this point we have computed $t \pmod l$ for every $l \in S$.

17. Compute $T \equiv t \pmod N$ where $N = \prod_{i=1}^{L} l_i$.

18. If *T* lies within the Hasse bound $|T| \le 2\sqrt{p}$, then $t = T$; else $t = T - N$.

19. $\#E(F_p) = p + 1 - t$.
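Once $t \bmod l$ is known for every prime $l \in S$, the trace is recovered with the Chinese Remainder Theorem and shifted into the Hasse interval. A sketch under our own naming (the function `recover_trace` and the residue dictionary are illustrative, not from the text):

```python
# Combine the residues t mod l into t itself via CRT, then pick the
# representative inside the Hasse interval |t| <= 2*sqrt(p). This relies
# on the primes in S multiplying to N > 4*sqrt(p), so the Hasse interval
# fits inside (-N/2, N/2].
from math import prod

def recover_trace(residues):
    """residues: dict {l: t mod l} over the distinct small primes l in S."""
    N = prod(residues)               # product of the primes l
    T = 0
    for l, t_l in residues.items():
        Nl = N // l
        T = (T + t_l * Nl * pow(Nl, -1, l)) % N
    return T - N if T > N // 2 else T
```

For example, the 28-point curve $y^2 = x^3 + x + 1$ over $F_{23}$ has trace $t = 23 + 1 - 28 = -4$; feeding in its residues modulo 2, 3, 5 and 7 returns $-4$.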

For simplicity, the polynomials are written simply as *Ψn*, where *Ψn* is called the *n*th division polynomial.

Let us derive $\Psi_3 = 3x^4 + 6ax^2 + 12bx - a^2$. For the division polynomial $\Psi_3$, we take a point $P = (x, y) \in E[3]$, that is, a point of order 3 with $[3]P = O$. Therefore $2P = -P$, and the *x*-coordinates of $2P$ and $P$ coincide. The formula for the *x*-coordinate of $2P$ was given in the earlier section.

$$\begin{aligned} x &= \lambda^2 - 2x \\ &= \left(\frac{3x^2 + a}{2y}\right)^2 - 2x \\ &= \frac{9x^4 + 6ax^2 + a^2}{4y^2} - 2x \end{aligned}$$

$$\begin{aligned} 3x(4y^2) &= 9x^4 + 6ax^2 + a^2 \\ 12xy^2 &= 9x^4 + 6ax^2 + a^2 \\ 12x(x^3 + ax + b) &= 9x^4 + 6ax^2 + a^2 \\ \Psi_3 &= 12x^4 + 12ax^2 + 12bx - 9x^4 - 6ax^2 - a^2 = 0 \\ \therefore\ \Psi_3 &= 3x^4 + 6ax^2 + 12bx - a^2 \end{aligned}$$

We can replace $y^2$ by $x^3 + ax + b$ to eliminate the *y* term. The polynomial $f_n(x) \in F_p[x]$ is defined as follows:

$$f_n(x) = \Psi_n(x, y) \quad \text{if } n \text{ is odd}$$

$$f_n(x) = \frac{\Psi_n(x, y)}{y} \quad \text{if } n \text{ is even}$$

If *n* is odd, then the degree of $f_n(x)$ is $\frac{n^2 - 1}{2}$, whereas if *n* is even, then the degree of $f_n(x)$ is $\frac{n^2 - 4}{2}$.

The following proposition shows how point addition relates to the division polynomials.

### **Proposition 5.1.1**

Let $(x, y) \in E(\overline{F}_p)$, with $\overline{F}_p$ the algebraic closure of $F_p$. Let $n \in \mathbb{Z}$; then $[n]P = P + P + \cdots + P$ (*n* summands) is given by

$$[n]P = \left(x - \frac{\Psi_{n-1}\Psi_{n+1}}{\Psi_n^2},\ \frac{\Psi_{n+2}\Psi_{n-1}^2 - \Psi_{n-2}\Psi_{n+1}^2}{4y\Psi_n^3}\right)$$
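The proposition expresses $[n]P$ through division polynomials; as an independent cross-check, $[n]P$ can also be computed by double-and-add with the affine chord-and-tangent formulas. A sketch (the representation of the point at infinity as `None` and the helper names are our own):

```python
# Affine group law on y^2 = x^3 + ax + b over F_p, and double-and-add
# scalar multiplication [n]P. None stands for the point at infinity O.
def ec_add(P, Q, a, p):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = O
    if P == Q:
        lam = (3*x1*x1 + a) * pow(2*y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p     # chord slope
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def ec_mul(n, P, a, p):
    R = None
    while n:
        if n & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        n >>= 1
    return R
```

On $y^2 = x^3 + x + 1$ over $F_{23}$ (our illustration), with $P = (0, 1)$, this yields $[2]P = (6, 19)$ and $[4]P = (13, 16)$, matching the division polynomial formula evaluated at $P$.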








### **5.1.2 Schoof-Elkies-Atkin (SEA) algorithm**

Schoof's algorithm is not practical for large fields because of the growth in the degree of the division polynomials, and hence it is not suitable for cryptographic purposes as it stands. Atkin and Elkies improved Schoof's algorithm by analyzing the characteristic polynomial of the Frobenius endomorphism of the elliptic curve,

$$\chi(\phi_p) = \phi_p^2 - t\phi_p + p \tag{8}$$

in the case where the Frobenius splits over *Fl*. The discussion follows (Cohen et al., 2006). In 1988, Atkin devised an algorithm to determine the order of $\phi_p$ in the projective general linear group of dimension 2 over *Fl*, whereas in 1991 Elkies introduced a means to replace the division polynomial, which has degree $(l^2 - 1)/2$, by a kernel polynomial of degree $(l - 1)/2$ in the Elkies prime procedure. To differentiate between an Elkies prime and an Atkin prime, one can calculate the discriminant of (8), $\Delta = t^2 - 4p$: if $\Delta$ is a square then the prime *l* is an Elkies prime, else it is an Atkin prime. However, the primes need to be classified at the beginning, when there is no information about *t*, so this criterion cannot be applied directly. Atkin proved that the *l*-modular polynomial $\Phi_l(x, y) \in \mathbb{Z}[x, y]$ can instead be used to differentiate the primes at the early stage of the SEA algorithm. The SEA algorithm is one of the fastest algorithms for counting the number of points on *E* over a large prime field. The following part of this section follows (Chen, 2008), (Cohen et al., 2006), and (Galin, 2007).
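In practice, the Elkies/Atkin decision for a prime $l$ comes down to whether $\Phi_l(x, j(E))$ has a root modulo $p$, which is detected by $\gcd(x^p - x, f)$. The sketch below implements that gcd test for an arbitrary monic polynomial $f$ over $F_p$, with $x^p$ computed by square-and-multiply in $F_p[x]/(f)$; all helper names are ours, and for brevity the demonstration uses the stand-in polynomial $x^2 + 1$ rather than an actual modular polynomial:

```python
# Polynomials are lists of coefficients, lowest degree first.

def pmod(u, f, p):
    """Remainder of u modulo f over F_p (f need not be monic)."""
    u = [c % p for c in u]
    while u and u[-1] == 0:
        u.pop()
    inv_lead = pow(f[-1], -1, p)
    while len(u) >= len(f):
        c = u[-1] * inv_lead % p
        d = len(u) - len(f)
        for k, fk in enumerate(f):
            u[d + k] = (u[d + k] - c * fk) % p
        while u and u[-1] == 0:
            u.pop()
    return u or [0]

def pmul(u, v, f, p):
    """Product of u and v reduced mod (f, p)."""
    r = [0] * (len(u) + len(v) - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            r[i + j] = (r[i + j] + ui * vj) % p
    return pmod(r, f, p)

def x_pow_p(f, p):
    """Compute x^p in F_p[x]/(f) by square-and-multiply."""
    result, base, e = [1], [0, 1], p
    while e:
        if e & 1:
            result = pmul(result, base, f, p)
        base = pmul(base, base, f, p)
        e >>= 1
    return result

def pgcd(u, v, p):
    """Euclidean gcd of u and v over F_p."""
    while any(v):
        u, v = v, pmod(u, v, p)
    while u and u[-1] == 0:
        u.pop()
    return u or [0]

def has_root_mod_p(f, p):
    """True iff gcd(x^p - x, f) is nontrivial, i.e. f has a root in F_p."""
    xp = x_pow_p(f, p)
    diff = xp + [0] * max(0, 2 - len(xp))
    diff[1] = (diff[1] - 1) % p        # subtract x
    return len(pgcd(f, diff, p)) > 1
```

Over $F_{13}$ the polynomial $x^2 + 1$ splits (the Elkies-like outcome), while over $F_{11}$ it is irreducible (the Atkin-like outcome), since $-1$ is a square modulo $p$ exactly when $p \equiv 1 \pmod 4$.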

### **5.1.2.1 Modular polynomial**

The modular polynomial comes from the theory of modular forms and the interpretation of elliptic curves over the complex field as lattices. A moderately comprehensive development of the theory can be found in (Silverman, 1986). Before we proceed with the SEA algorithm, we introduce the modular polynomial; the detailed proof of the following theorem can be found in (Cox, 1989). These polynomials will be used in the Elkies and Atkin procedures.

### **Theorem 5.1.2.1 (modular polynomial)**

Let *m* be a positive integer.

i. $\Phi_m(x, y) \in \mathbb{Z}[x, y]$.
ii. $\Phi_m(x, y)$ is irreducible when regarded as a polynomial in *x*.
iii. $\Phi_m(x, y) = \Phi_m(y, x)$ if *m* > 1.
iv. If *m* is a prime *l*, then $\Phi_l(x, y) \equiv (x^l - y)(x - y^l) \bmod l$ in $\mathbb{Z}[x, y]$.


Let *l* be a prime different from the characteristic *p*; then the classical modular polynomial has $(l^2 + 3l + 4)/2$ coefficients. Here are examples of the classical modular polynomials, taken from (Galin, 2007).

For *l* = 3, we have the modular polynomial as follows:

$$\begin{aligned} \Phi_3(x, y) &= x^4 - x^3y^3 + y^4 + 2232(x^3y^2 + x^2y^3) - 1069956(x^3y + xy^3) + 36864000(x^3 + y^3) \\ &\quad + 2587918086x^2y^2 + 8900222976000(x^2y + xy^2) + 452984832000000(x^2 + y^2) \\ &\quad - 770845966336000000xy + 1855425871872000000000(x + y) \end{aligned}$$
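As a sanity check on the printed coefficients, Theorem 5.1.2.1(iv) forces $\Phi_3(x, y) \equiv (x^3 - y)(x - y^3) \pmod 3$, and the polynomial must be symmetric in $x$ and $y$. A short script verifying both (the dictionary encoding is our own):

```python
# Phi_3 as {(i, j): coefficient of x^i y^j}, symmetrised.
PHI3 = {
    (4, 0): 1, (0, 4): 1, (3, 3): -1,
    (3, 2): 2232, (2, 3): 2232,
    (3, 1): -1069956, (1, 3): -1069956,
    (3, 0): 36864000, (0, 3): 36864000,
    (2, 2): 2587918086,
    (2, 1): 8900222976000, (1, 2): 8900222976000,
    (2, 0): 452984832000000, (0, 2): 452984832000000,
    (1, 1): -770845966336000000,
    (1, 0): 1855425871872000000000, (0, 1): 1855425871872000000000,
}

def reduce_mod(poly, m):
    """Drop coefficients divisible by m, reduce the rest mod m."""
    return {k: c % m for k, c in poly.items() if c % m}

# (x^3 - y)(x - y^3) = x^4 - x^3 y^3 - x y + y^4
RHS = {(4, 0): 1, (3, 3): -1, (1, 1): -1, (0, 4): 1}

assert reduce_mod(PHI3, 3) == reduce_mod(RHS, 3)        # Theorem iv at l = 3
assert all(PHI3[(i, j)] == PHI3[(j, i)] for (i, j) in PHI3)  # symmetry
```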

For *l* = 5, we have the following modular polynomial:

$$\begin{aligned} \Phi_5(x, y) &= x^6 - x^5y^5 + y^6 + 3720(x^5y^4 + x^4y^5) - 4550940(x^5y^3 + x^3y^5) + 2028551200(x^5y^2 + x^2y^5) \\ &\quad - 246683410950(x^5y + xy^5) + 1963211489280(x^5 + y^5) + 1665999364600x^4y^4 \\ &\quad + 107878928185336800(x^4y^3 + x^3y^4) + 383083609779811215375(x^4y^2 + x^2y^4) \\ &\quad + 128541798906828816384000(x^4y + xy^4) + 1284733132841424456253440(x^4 + y^4) \\ &\quad - 441206965512914835246100x^3y^3 + 26898488858380731577417728000(x^3y^2 + x^2y^3) \\ &\quad - 19245793461892828299655108231168000(x^3y + xy^3) \\ &\quad + 280244777828439527804321565297868800(x^3 + y^3) \\ &\quad + 5110941777552418083110765199360000x^2y^2 \\ &\quad + 36554736583949629295706472332656640000(x^2y + xy^2) \\ &\quad + 6692500042627997708487149415015068467200(x^2 + y^2) \\ &\quad - 264073457076620596259715790247978782949376xy \\ &\quad + 53274330803424425450420160273356509151232000(x + y) \\ &\quad + 141359947154721358697753474691071362751004672000. \end{aligned}$$

We now give some background needed for the SEA algorithm. This information may have some gaps, and readers should refer to (Silverman, 1986) and (Cox, 1989) for further details.

### **5.1.2.2 Elliptic curve over complex field**

The theory of elliptic curves over the complex field corresponds to lattices, and thus equivalently to tori: there are mutually inverse mappings $E(\mathbb{C}) \to \mathbb{C}/\Lambda$ and $\mathbb{C}/\Lambda \to E(\mathbb{C})$. Given a lattice $\Lambda = \mathbb{Z}w_1 + \mathbb{Z}w_2$, where $w_1, w_2$ are ℝ-linearly independent, an elliptic function $f(z)$ defined on $\mathbb{C}$ except for isolated singularities satisfies two conditions: $f(z)$ is meromorphic on $\mathbb{C}$, and $f(z + w_1) = f(z + w_2) = f(z)$. This makes $f$ a doubly periodic meromorphic


function (Cox, 1989). An example of elliptic function is the Weierstrass function defined in the following theorem. Proofs for all the theorems, lemma and propositions are omitted.

### **Theorem 5.1.2.2**

Let be a lattice. The Weierstrass function relative to is given by

$$\wp(z) = \wp(z, \Lambda) = \frac{1}{z^2} + \sum_{w \in \Lambda \setminus \{0\}} \left( \frac{1}{(z - w)^2} - \frac{1}{w^2} \right)$$

Then,


i. The sum defining $\wp(z)$ converges absolutely and uniformly on compact sets not containing elements of $\Lambda$.
ii. $\wp(z)$ is meromorphic in $\mathbb{C}$ and has a double pole at each $w \in \Lambda$.
iii. $\wp(-z) = \wp(z)$ for all $z \notin \Lambda$, i.e. $\wp$ is an even function.
iv. $\wp(z + w) = \wp(z)$ for all $w \in \Lambda$ and $z \notin \Lambda$.

Therefore, the Weierstrass function relative to $\Lambda$ is a doubly periodic function with periods $w_1$ and $w_2$, which form a basis of $\Lambda$.

### **Theorem 5.1.2.3.**

The relation between the Weierstrass function and its first derivative is given by $\wp'(z)^2 = 4\wp(z)^3 - g_2\wp(z) - g_3$, where for the lattice $\Lambda$ we set $g_2 = 60G_4$ and $g_3 = 140G_6$ with $G_4 = \sum_{w \in \Lambda\setminus\{0\}} w^{-4}$ and $G_6 = \sum_{w \in \Lambda\setminus\{0\}} w^{-6}$. Hence, there is an isomorphism between the points on an elliptic curve over the complex field and the points of the complex plane modulo a suitable lattice, that is, $E(\mathbb{C}) \cong \mathbb{C}/\Lambda$.

### **5.1.2.3 j-invariant,** *j*( )

An elliptic function depends on the lattice being used. Let $\Lambda = \mathbb{Z}w_1 + \mathbb{Z}w_2$ and $\tau = w_1/w_2$. Since $w_1, w_2$ are ℝ-linearly independent, $\tau$ is not real; after swapping $w_1$ and $w_2$ if necessary, $\tau$ belongs to the Poincaré upper half plane

$$\mathcal{H} = \{x + iy \in \mathbb{C} \mid y > 0\}.$$

Restricting to the lattice $\Lambda_\tau = \mathbb{Z}\tau + \mathbb{Z}$, we write $g_2(\tau) = g_2(\Lambda_\tau)$ and $g_3(\tau) = g_3(\Lambda_\tau)$, and set $\Delta = g_2^3 - 27g_3^2$, which is closely related to the discriminant of the polynomial $4x^3 - g_2x - g_3$. Then

$$j(\tau) = 1728\frac{g_2(\tau)^3}{g_2(\tau)^3 - 27g_3(\tau)^2}.$$
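The same quantity exists over a finite field: for $E: y^2 = x^3 + ax + b$ over $F_p$ with $p > 3$, one has $j(E) = 1728 \cdot 4a^3/(4a^3 + 27b^2) \bmod p$, the analogue of the formula above. A sketch (the function name is ours):

```python
# j-invariant of y^2 = x^3 + ax + b over F_p (p > 3):
#   j = 1728 * 4a^3 / (4a^3 + 27b^2)  mod p,
# mirroring j(tau) = 1728 g2^3 / (g2^3 - 27 g3^2).
def j_invariant(a, b, p):
    num = 4 * pow(a, 3, p) % p
    den = (num + 27 * b * b) % p
    if den == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 mod p")
    return 1728 * num * pow(den, -1, p) % p
```

For example, $a = 1, b = 0$ gives $j \equiv 1728$, and $a = 0, b = 1$ gives $j = 0$.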

For any lattice $\Lambda$, there exists a nonzero $\lambda \in \mathbb{C}$ such that $\lambda\Lambda = \mathbb{Z}\tau + \mathbb{Z}$ for some $\tau \in F$, where $F$ is the standard fundamental region.

Two lattices $\Lambda$ and $\Lambda'$ are homothetic if there exists a nonzero $\lambda \in \mathbb{C}$ such that $\Lambda' = \lambda\Lambda$.

**Theorem 5.1.2.4.**

If $\Lambda$ and $\Lambda'$ are lattices in $\mathbb{C}$, then $j(\Lambda) = j(\Lambda')$ if and only if $\Lambda$ and $\Lambda'$ are homothetic.

$j(\tau)$ is a holomorphic function on the Poincaré upper half plane $\mathcal{H} = \{x + iy \mid y > 0\}$. The properties of $j(\tau)$ are related to the action on $\mathcal{H}$ of the special linear group $SL(2, \mathbb{Z})$ of integer matrices with determinant one: for $\tau \in \mathcal{H}$ and $\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL(2, \mathbb{Z})$,

$$\gamma\tau = \frac{a\tau + b}{c\tau + d}.$$

If $\tau$ and $\tau'$ are in $\mathcal{H}$, then $j(\tau) = j(\tau')$ if and only if $\tau' = \gamma\tau$ for some $\gamma \in SL(2, \mathbb{Z})$.

For classical modular polynomial and any *n* > 0.

$$\mathbb{E}S\_n^\* = \{ \begin{pmatrix} a & b \\ 0 & d \end{pmatrix} \mid a, b, d \in \mathbb{Z}, 0 \le b < d, ad = n, \gcd(a, b, d) = 1 \} $$

For \* 0 *<sup>n</sup> a b S d* , define the map

$$j \circ a(\pi) = j(\frac{a\pi + b}{d})$$

Hence, the *n*-th modular polynomial can also defined as

$$\Phi\_n(\mathfrak{x}, j) = \prod\_{\alpha \equiv S\_n^\*} (\mathfrak{x} - j \circ \alpha(\mathfrak{x})).$$
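To make the lattice quantities above concrete, here is a small numerical sketch (not part of the original text): for the square lattice $\Lambda = \mathbb{Z} + \mathbb{Z}i$, the symmetry $i\Lambda = \Lambda$ forces $G_6 = 0$, hence $g_3 = 0$ and $j(\Lambda) = 1728$. Truncating the Eisenstein sums over a symmetric box reproduces this; the truncation radius `N` is an illustrative choice.

```python
# Approximate g2, g3 and j for the square lattice Z + Zi.
# The symmetric box makes the G6 terms cancel exactly, so g3 ~ 0.
N = 60
lattice = [complex(m, n)
           for m in range(-N, N + 1)
           for n in range(-N, N + 1)
           if (m, n) != (0, 0)]

G4 = sum(1 / w**4 for w in lattice)
G6 = sum(1 / w**6 for w in lattice)

g2 = 60 * G4        # g2 = 60 * G4
g3 = 140 * G6       # g3 = 140 * G6, which vanishes for the square lattice

j = 1728 * g2**3 / (g2**3 - 27 * g3**2)

print(abs(g3))      # ~0 up to floating-point noise
print(j.real)       # ~1728
```

Since $g_3$ vanishes identically here, the computed $j$ equals 1728 regardless of the truncation error in $G_4$, which only affects the (nonzero) value of $g_2$.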

### **5.1.2.4 Computation of modular polynomial**

Let *l* be a prime; we now discuss the method to compute the modular polynomial $\Phi_l(x, y)$. According to the previous theorem, we have $\Phi_l(x, y) = \Phi_l(y, x)$ and $\Phi_l(x, y) \equiv (x^l - y)(x - y^l) \bmod l\,\mathbb{Z}[x, y]$. Besides, $\Phi_l(x, y)$ is a monic polynomial of degree *l* + 1 as a polynomial in *x*, and therefore we can write

$$\Phi_l(x, y) = (x^l - y)(x - y^l) + \sum_{0 \le i \le l} c_{ii}\, x^i y^i + \sum_{0 \le i < j \le l} c_{ij} \left( x^i y^j + x^j y^i \right),$$

where the coefficients $c_{ij}$ can be found from the *q*-expansion of the *j*-function. We also have the identity

$$\Phi_l(j(l\tau), j(\tau)) = 0.$$
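The congruence $\Phi_l(x, y) \equiv (x^l - y)(x - y^l) \pmod{l}$ can be checked directly for $l = 3$, using the integer coefficients of the classical $\Phi_3$ that appear in the worked example later in this chapter (a verification sketch):

```python
# Verify the Kronecker congruence Phi_l(x, y) ≡ (x^l - y)(x - y^l) (mod l)
# for l = 3, representing polynomials as {(deg_x, deg_y): coefficient}.
l = 3

phi3 = {
    (4, 0): 1, (0, 4): 1, (3, 3): -1,
    (3, 2): 2232, (2, 3): 2232,
    (3, 1): -1069956, (1, 3): -1069956,
    (3, 0): 36864000, (0, 3): 36864000,
    (2, 2): 2587918086,
    (2, 1): 8900222976000, (1, 2): 8900222976000,
    (2, 0): 452984832000000, (0, 2): 452984832000000,
    (1, 1): -770845966336000000,
    (1, 0): 1855425871872000000000, (0, 1): 1855425871872000000000,
}

# (x^3 - y)(x - y^3) = x^4 - x^3 y^3 - x y + y^4
kronecker = {(4, 0): 1, (3, 3): -1, (1, 1): -1, (0, 4): 1}

keys = set(phi3) | set(kronecker)
ok = all((phi3.get(k, 0) - kronecker.get(k, 0)) % l == 0 for k in keys)
print(ok)  # True
```

Every coefficient of $\Phi_3$ outside the four Kronecker terms is divisible by 3, and the $x y$ coefficient is $\equiv -1 \pmod 3$, exactly as the congruence requires.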

Elliptic Curve Cryptography and Point Counting Algorithms 109


Substituting the *q*-expansions for $j(\tau)$ and $j(l\tau)$ into $\Phi_l(x, y)$, we have the following:

$$\big( j(l\tau)^l - j(\tau) \big)\big( j(l\tau) - j(\tau)^l \big) + \sum_{0 \le i \le l} c_{ii}\, j(l\tau)^i j(\tau)^i + \sum_{0 \le i < j \le l} c_{ij} \big( j(l\tau)^i j(\tau)^j + j(l\tau)^j j(\tau)^i \big) = 0.$$

Equating the coefficients of the different powers of *q* gives an infinite number of linear equations in the variables $c_{ij}$. However, a finite number of linear equations with a unique solution can be obtained by equating the coefficients of the negative powers of *q*. It suffices to calculate those coefficients of the *q*-expansions which contribute to negative powers, and only the first $l^2 + l$ coefficients of the *q*-expansion of the *j*-function are needed. Computing a modular polynomial becomes tedious as the prime *l* gets bigger, since the number of digits in the coefficients increases rapidly. Previously, we listed the two modular polynomials $\Phi_3(x, y)$ and $\Phi_5(x, y)$. For $\Phi_{11}(x, y)$, the coefficients have more than 120 digits, and it is not shown here.

### **Lemma 5.1.2.1**

Let $E_1/\mathbb{C}$ and $E_2/\mathbb{C}$ be two elliptic curves with *j*-invariants $j_{E_1}$ and $j_{E_2}$ respectively. Then $\Phi_n(j_{E_1}, j_{E_2}) = 0$ if and only if there is an isogeny from $E_1$ to $E_2$ whose kernel is cyclic of degree *n*.

### **Theorem 5.1.2.5**

Let *E* be an elliptic curve defined over $F_p$ with $p \ne l$. Then the *l* + 1 zeroes $\tilde{j} \in \overline{F}_p$ of the polynomial $\Phi_l(x, j_E) = 0$ are the *j*-invariants of the isogenous curves $\tilde{E} = E/C$, with *C* one of the *l* + 1 cyclic subgroups of *E*[*l*].

### **Theorem 5.1.2.6 (Atkin classification).**

Let *E* be an ordinary elliptic curve defined over $F_p$ with *j*-invariant *j* ≠ 0, 1728. Let $\Phi_l(x, j) = h_1 h_2 \cdots h_s$ be the factorization of $\Phi_l(x, j) \in F_p[x]$ as a product of irreducible polynomials. Then there are the following possibilities for the degrees of $h_1, \ldots, h_s$:

i. (1, *l*) or (1, 1, …, 1). In either case we have $t^2 - 4p \equiv 0 \pmod{l}$. In the former case we set *r* = *l* and in the latter case *r* = 1.

ii. (1, 1, *r*, *r*, ..., *r*). In this case $t^2 - 4p$ is a square modulo *l*, *r* divides *l* − 1 and $\phi_p$ acts on *E*[*l*] as a diagonal matrix $\begin{pmatrix} \lambda & 0 \\ 0 & \mu \end{pmatrix}$ with *λ*, *μ* ∈ $F_l^*$.

iii. (*r*, *r*, …, *r*) for some *r* > 1. In this case $t^2 - 4p$ is a nonsquare modulo *l*, *r* divides *l* + 1 and the restriction of $\phi_p$ to *E*[*l*] has an irreducible characteristic polynomial over $F_l$.

In all these 3 cases, *r* is the order of $\phi_p$ in PGL₂($F_l$) and the trace *t* satisfies $t^2 \equiv \frac{(\zeta + 1)^2}{\zeta}\, p \pmod{l}$ for some *r*-th root of unity $\zeta \in F_{l^2}$. The number of irreducible factors *s* satisfies $(-1)^s = \left(\frac{p}{l}\right)$.

*Proof:* Refer to (Galin, 2007).

To determine the type of the prime *l*, it suffices to compute $g(x) = \gcd(\Phi_l(x, j_E), x^p - x)$. If $g(x) \ne 1$, *l* is an Elkies prime; else it is an Atkin prime.

### **Example 5.1.2.1**

108 Cryptography and Security in Computing


Let *E* be an elliptic curve defined over $F_{113}$ with the equation given by $y^2 = x^3 - 15x + 13$, and let

$$S = \{2, 3, 5, 7\} \text{ such that } \prod\_{i=1}^{4} l\_i = 210 > \left\lceil 4\sqrt{p} \right\rceil = 43. \text{ Let us check } l = 3 \text{ and } 5.$$

For *l* = 3, check whether it is an Elkies or Atkin prime. The *j*-invariant is $j_E = 28$.

$$\begin{split} \Phi_{3}(x, 28) &= x^{4} - (28)^{3}x^{3} + (28)^{4} + 2232\big((28)^{2}x^{3} + (28)^{3}x^{2}\big) - 1069956\big((28)x^{3} + (28)^{3}x\big) \\ &\quad + 36864000\big(x^{3} + (28)^{3}\big) + 2587918086\,(28)^{2}x^{2} + 8900222976000\big((28)x^{2} + (28)^{2}x\big) \\ &\quad + 452984832000000\big(x^{2} + (28)^{2}\big) - 770845966336000000\,(28)x \\ &\quad + 1855425871872000000000\,(x + 28). \end{split}$$

$$\begin{aligned} \, \, \Phi\_3(\mathbf{x}, 28) &= \mathbf{x}^4 + 81\mathbf{x}^3 + 111\mathbf{x}^2 + 65\mathbf{x} + 52 \text{(mod } 113) \\\\ &\quad \gcd(\Phi\_3(\mathbf{x}, 28), \mathbf{x}^{113} - \mathbf{x}) = \mathbf{1} \end{aligned}$$

Hence 3 is an Atkin prime.

For *l* = 5, check whether it is an Elkies or Atkin prime. The *j*-invariant is $j_E = 28$.


$$\begin{aligned} \Phi\_5(\mathbf{x}, 28) &= \mathbf{x}^6 + 90\mathbf{x}^5 + 81\mathbf{x}^4 + 65\mathbf{x}^3 + 49\mathbf{x}^2 \text{ (mod 113)} \\\\ \gcd(\Phi\_5(\mathbf{x}, 28), \mathbf{x}^{113} - \mathbf{x}) &= \mathbf{x}^2 + 94\mathbf{x} + 63 \neq 1 \end{aligned}$$

Hence 5 is an Elkies prime.
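The *l* = 3 step of this example can be reproduced with elementary polynomial arithmetic over $F_{113}$. The sketch below (coefficients taken from the classical $\Phi_3$ used above) reduces $\Phi_3(x, 28)$ modulo *p* and computes $\gcd(\Phi_3(x, 28), x^p - x)$:

```python
# Elkies/Atkin test for l = 3, p = 113, j_E = 28, with plain-integer
# polynomial arithmetic over F_p (coefficient lists, highest degree first).
p, jE = 113, 28

# Phi_3(x, jE) mod p, grouped by powers of x.
f = [c % p for c in (
    1,
    -jE**3 + 2232*jE**2 - 1069956*jE + 36864000,
    2232*jE**3 + 2587918086*jE**2 + 8900222976000*jE + 452984832000000,
    -1069956*jE**3 + 8900222976000*jE**2 - 770845966336000000*jE
        + 1855425871872000000000,
    jE**4 + 36864000*jE**3 + 452984832000000*jE**2
        + 1855425871872000000000*jE,
)]

def rem(a, b):
    # remainder of a divided by b over F_p
    a = a[:]
    while len(a) >= len(b):
        if a[0]:
            q = a[0] * pow(b[0], -1, p) % p
            for i in range(len(b)):
                a[i] = (a[i] - q * b[i]) % p
        a.pop(0)
    while len(a) > 1 and a[0] == 0:
        a.pop(0)
    return a or [0]

def mul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[i + j] = (r[i + j] + ai * bj) % p
    return r

def gcd(a, b):
    while b != [0]:
        a, b = b, rem(a, b)
    return [c * pow(a[0], -1, p) % p for c in a]   # made monic

# x^p mod f by square-and-multiply
xp, base, n = [1], [1, 0], p
while n:
    if n & 1:
        xp = rem(mul(xp, base), f)
    base = rem(mul(base, base), f)
    n >>= 1

# form x^p - x mod f, then take the gcd with f
h = [0] * (2 - len(xp)) + xp if len(xp) < 2 else xp[:]
h[-2] = (h[-2] - 1) % p
while len(h) > 1 and h[0] == 0:
    h.pop(0)
g = gcd(f, h)

print(f)   # expect [1, 81, 111, 65, 52], matching the reduction mod 113
print(g)   # expect [1], i.e. l = 3 is an Atkin prime, as in the text
```

Because the gcd has degree 0, $\Phi_3(x, 28)$ has no root in $F_{113}$ and 3 is an Atkin prime, matching the example.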

### **Definition 5.1.2.1**

Let $\Delta = t^2 - 4p$ be the discriminant of the characteristic equation. If $\Delta$ is a square in $F_l$, then the prime *l* is an Elkies prime; else *l* is an Atkin prime.
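Because the example prime *p* = 113 is tiny, Definition 5.1.2.1 can be cross-checked on the curve $y^2 = x^3 - 15x + 13$ by brute force: count points to get $t = p + 1 - \#E(F_p)$, then test whether $\Delta = t^2 - 4p$ is a square modulo *l*. This is only a sanity-check sketch; brute-force counting is exactly what Schoof-type algorithms avoid for large *p*.

```python
import math

# Brute-force count for E: y^2 = x^3 - 15x + 13 over F_113 (small p only).
p, a, b = 113, -15, 13

def chi(z):
    # quadratic character of z modulo p via Euler's criterion (0 when z ≡ 0)
    z %= p
    if z == 0:
        return 0
    return 1 if pow(z, (p - 1) // 2, p) == 1 else -1

N = p + 1 + sum(chi(x**3 + a * x + b) for x in range(p))   # #E(F_p)
t = p + 1 - N                                              # trace of Frobenius

assert abs(t) <= 2 * math.isqrt(p) + 1   # Hasse's bound

def is_square(z, l):
    z %= l
    return z == 0 or pow(z, (l - 1) // 2, l) == 1

for l in (3, 5):
    kind = "Elkies" if is_square(t * t - 4 * p, l) else "Atkin"
    print(l, kind)
```

The printed classifications can then be compared against the gcd-based test of the previous subsection.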

### **5.1.2.5 Atkin primes procedures**

Since $t^2 \equiv \frac{(\zeta + 1)^2}{\zeta}\, p$ over $F_l$, each pair $(\zeta, \zeta^{-1})$ determines one value of $t^2$, or at most two values of *t*.

The number of possible values of $t_l$ is given by the Euler totient function $\varphi(r)$, where $r > 1$ and $r \mid l + 1$.

Let us recall the reduced characteristic polynomial $\phi_l(T) = T^2 - t_l T + p_l \equiv (T - \lambda)(T - \mu)$, with

$$(T - \lambda)(T - \mu) = T^2 - (\lambda + \mu)T + \lambda\mu.$$


Therefore $t \equiv \lambda + \mu \pmod{l}$ and $p \equiv \lambda\mu \pmod{l}$.

Find the smallest *r* such that $\gcd(x^{p^r} - x, \Phi_l(x, j_E)) \ne 1$. Then $\zeta = \lambda/\mu$ is an element of order exactly *r* in $F_{l^2}^*$, where $\zeta$ is a primitive *r*-th root of unity. Now let *g* be a generator of $F_{l^2}^*$ and set $\zeta_i = g^{i(l^2 - 1)/r}$ for $\gcd(i, r) = 1$ and $1 \le i \le r$.

Next, for a nonsquare $d \in F_l$, we have $\lambda = x_1 + x_2\sqrt{d}$ and $\mu = x_1 - x_2\sqrt{d}$ for some $x_i \in F_l$. Similarly, we have $\zeta_i = \lambda/\mu = \frac{(x_1 + x_2\sqrt{d})^2}{p} = \frac{x_1^2 + x_2^2 d + 2 x_1 x_2 \sqrt{d}}{p} = g_{i_1} + g_{i_2}\sqrt{d}$, where $g_{i_1}, g_{i_2} \in F_l$.

Compare both sides,

$$g_{i_1} \equiv \frac{x_1^2 + x_2^2 d}{p} \pmod{l} \implies p\, g_{i_1} \equiv x_1^2 + x_2^2 d \pmod{l}$$

$$\mathbf{g}\_{i\_2}\sqrt{d} \equiv \frac{2\mathbf{x}\_1\mathbf{x}\_2\sqrt{d}}{p} \text{(mod } l) \implies p\mathbf{g}\_{i\_2} \equiv 2\mathbf{x}\_1\mathbf{x}\_2 \text{(mod } l)$$

Also, $p \equiv x_1^2 - x_2^2 d \pmod{l}$, so it follows that $x_1^2 = \frac{p(g_{i_1} + 1)}{2}$. If $x_1^2$ is not a square in $F_l$, $\zeta_i$ is discarded and we move to the next one. Else, we have the following.

$$t \equiv \lambda + \mu \equiv 2 x_1 \pmod{l}.$$
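For the running example (*p* = 113, *l* = 3, an Atkin prime), this procedure can be sketched with hand-rolled $F_9$ arithmetic. By Theorem 5.1.2.6, $(-1)^s = (p/l) = -1$ here (113 ≡ 2 is a nonsquare mod 3), so *s* is odd; since the gcd test found no linear factor, $\Phi_3(x, 28)$ must be irreducible of degree 4, giving *r* = 4. The sketch below takes that value of *r* as given and enumerates the primitive 4th roots of unity $\zeta \in F_9$:

```python
# Candidate traces t (mod l) for the Atkin prime l = 3 of the example,
# with p = 113 and r = 4; F_9 is modeled as a + b*sqrt(d), d = 2 nonsquare mod 3.
l, p, r, d = 3, 113, 4, 2

def mul(u, v):
    return ((u[0] * v[0] + d * u[1] * v[1]) % l,
            (u[0] * v[1] + u[1] * v[0]) % l)

def power(u, n):
    out = (1, 0)
    while n:
        if n & 1:
            out = mul(out, u)
        u = mul(u, u)
        n >>= 1
    return out

def order(u):
    k, v = 1, u
    while v != (1, 0):
        v, k = mul(v, u), k + 1
    return k

candidates = set()
for a in range(l):
    for b in range(l):
        zeta = (a, b)
        if zeta == (0, 0) or order(zeta) != r:
            continue
        inv = power(zeta, l * l - 2)               # zeta^{-1} in F_9
        zp1 = ((zeta[0] + 1) % l, zeta[1])         # zeta + 1
        w = mul(mul(zp1, zp1), inv)                # (zeta + 1)^2 / zeta
        w = (p % l * w[0] % l, p % l * w[1] % l)   # times p
        if w[1]:                                   # t^2 must lie in F_l
            continue
        for t in range(l):
            if t * t % l == w[0]:
                candidates.add(t)

print(sorted(candidates))   # [1, 2], i.e. t ≡ ±1 (mod 3)
```

So the Atkin prime 3 narrows *t* down to two residues modulo 3; these partial constraints are what the final recombination step consumes.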

### **5.1.2.6 Elkies primes procedures**

Determine the isogenous elliptic curve. Then recall the reduced characteristic polynomial $\phi_l(T) = T^2 - t_l T + p_l \equiv (T - \lambda)(T - \mu)$, with

$$(T - \lambda)(T - \mu) = T^2 - (\lambda + \mu)T + \lambda\mu.$$

Therefore, $t \equiv \lambda + \mu \pmod{l}$ and $p \equiv \lambda\mu \pmod{l}$.

Notice that $\lambda\mu \equiv p \pmod{l}$, so once we get the value of *λ* we can find $t_l$, since $t_l \equiv \lambda + p/\lambda \pmod{l}$. If $\lambda = \mu$, then $t_l^2 \equiv 4p \pmod{l}$.

If $\Delta$ is a square in $F_l$, then *E*[*l*] has two subgroups $C_1$, $C_2$ that are stable under $\phi_p$. We need to replace the division polynomial of degree $(l^2 - 1)/2$ by a kernel polynomial of degree $(l - 1)/2$ whose roots are the *x*-coordinates of the points of the subgroup $C_1$ or $C_2$. The kernel polynomial is defined by


$$F_l(x) = \prod_{\pm P \in C \setminus \{0\}} \big( x - x(P) \big)$$

One can obtain the value of λ by using the relation $(x^p, y^p) = \lambda(x, y)$.

We find λ such that $\gcd(x^p - x_\lambda, F_l(x)) \ne 1$, where $x_\lambda$ denotes the *x*-coordinate of $\lambda(x, y)$ computed modulo $F_l(x)$. It suffices to check the values $1 \le \lambda \le (l - 1)/2$. Then compute $t \equiv \lambda + p/\lambda \pmod{l}$.

To combine the Elkies and Atkin primes, we apply the Chinese Remainder Theorem, and then we obtain *t* in the final step by using an elementary method (baby-steps giant-steps, which is not covered in this chapter; one should refer to (Galin, 2007) for further details). Next, we summarize these two algorithms and make some comparisons between them.
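The Chinese Remainder Theorem recombination step can be sketched as follows; the residues $t_l$ used here are hypothetical values chosen for illustration, not computed from a real curve:

```python
import math

p = 113
t_mod = {3: 2, 5: 1, 7: 4}            # hypothetical residues t ≡ t_l (mod l)

M = math.prod(t_mod.keys())            # 105 > 4*sqrt(113) ≈ 42.5
x = sum(r * (M // l) * pow(M // l, -1, l) for l, r in t_mod.items()) % M

# pick the unique representative of x (mod M) inside Hasse's interval
H = 2 * math.isqrt(p) + 1
matches = [c for c in (x - M, x, x + M) if abs(c) <= H]
assert len(matches) == 1
t = matches[0]
print(t)   # 11
```

Since the product of the small primes exceeds the width of Hasse's interval, exactly one lift of the combined residue is possible, which is why the algorithm insists on $\prod_{l \in S} l > 4\sqrt{p}$.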

### **6. Compare and contrast between Schoof's algorithm and Schoof-Elkies-Atkin (SEA) algorithm**


i. Similarities between Schoof's algorithm and the SEA algorithm

- Both are classified as *l*-adic point counting algorithms.
- Both are polynomial-time, deterministic point counting algorithms for elliptic curves over fields of characteristic *K* ≠ 2, 3.
- The aim of both algorithms is to find the trace of the Frobenius endomorphism, *t*.
- Both use Hasse's theorem, or specifically Hasse's interval, as a boundary to determine #*E*($F_p$).
- Both begin by letting *S* = {2, 3, 5,…, *L*} be a set of primes not including char($F_p$) such that $\prod_{l \in S} l > 4\sqrt{p}$.
- Both make use of the Frobenius endomorphism $\phi_p$ and the characteristic equation such that $\phi_l(T) = T^2 - t_l T + p_l \equiv (T - \lambda)(T - \mu)$, so $t \equiv \lambda + \mu \pmod{l}$ and $p \equiv \lambda\mu \pmod{l}$.
- Both use a specific type of polynomial which is essential for the computation steps.

ii. Differences between Schoof's algorithm and the SEA algorithm

Practicality

i. Schoof's algorithm: the most successful general point counting algorithm, but not practical because the degree of the division polynomial grows rapidly when *l* becomes larger.

ii. SEA algorithm: the most practical version of the point counting algorithm. However, the use of the classical modular polynomial leads to an increasing number of coefficients when *l* becomes larger. This problem is overcome by using the canonical modular polynomial, the Müller modular polynomial or the Atkin modular polynomial, which have constructions similar to the classical modular polynomial.

Complexity

i. Schoof's algorithm: *O*(log⁸ *p*) bit operations.

ii. SEA algorithm: *O*(log⁶ *p*) bit operations, due to the replacement of the division polynomial of degree $(l^2 - 1)/2$ by its factor, the kernel polynomial of degree $(l - 1)/2$.

Classification of primes

i. Schoof's algorithm: no classification of primes. However, two cases are considered, such that $(x^{p^2}, y^{p^2}) \neq \pm p_l(x, y)$ or $(x^{p^2}, y^{p^2}) = \pm p_l(x, y)$.

ii. SEA algorithm: for *l* > 2, *l* is classified as an Elkies prime or an Atkin prime by using the modular polynomial: if $\gcd(\Phi_l(x, j_E), x^p - x) = 1$, then *l* is an Atkin prime, else *l* is an Elkies prime.

Polynomials involved

i. Schoof's algorithm: the division polynomial $\psi_l$ of degree $(l^2 - 1)/2$. To construct the division polynomial, the concept of torsion points is applicable.

ii. SEA algorithm: the modular polynomial of degree *l* + 1 is used to differentiate Atkin and Elkies primes. The construction of the modular polynomial works over the complex field and also needs to deal with the *j*-function and *q*-expansion (Cox, 1989), but the result can be applied in the finite field $F_p$.

Method to combine the $t_l$ (mod *l*)

i. Schoof's algorithm: recover the *t* from the $t_l$ (mod *l*) by the Chinese Remainder Theorem.

ii. SEA algorithm: for Elkies primes, recover the *t* from the $t_l$ (mod *l*) by the Chinese Remainder Theorem; for Atkin primes, divide the primes into two sets of equal size by using the Chinese Remainder Theorem. Finally, this theorem is used again and the exact *t* is found by using baby-steps giant-steps.

### **7. Some literature on Schoof and Schoof-Elkies-Atkin (SEA) point counting algorithms**

In this section, we give a brief literature review of these two algorithms. As mentioned earlier, René Schoof (Schoof, 1985) proposed Schoof's algorithm in 1985. As noted in (Cohen et al., 2006), Atkin and Elkies further improved Schoof's algorithm in 1991. In the Elkies procedure, Elkies replaced the division polynomial of degree $(l^2 - 1)/2$ by a kernel polynomial of degree $(l - 1)/2$, whereas Atkin developed an algorithm to evaluate the order of $\phi_p$ in PGL₂($F_l$) and hence showed how the number of points on $E(F_p)$ can be counted; this led to the Schoof-Elkies-Atkin (SEA) algorithm, which is practical.

In (Menezes et al., 1993), elliptic curves defined over fields of characteristic 2 are considered attractive because the arithmetic is easier to implement. They employed some heuristics to improve the running time and were able to compute #*E*($F_{2^m}$) for *m* ≤ 155. For the Schoof part, they were able to compute *t* modulo *l* for *l* = 3, 5, 7, 11, 13, 17, 19, 23, 31, 64, 128, 256, 512 and 1024. The computation of #*E*($F_{2^{155}}$) takes roughly 61 hours on a SUN-2 SPARC station. It was also mentioned that the information obtained from Schoof's algorithm and the heuristics can be combined with the information from Atkin's method to compute #*E*($F_{2^m}$) for large values of *m*.


In (Couveignes & Morain, 1994), they showed how to use the powers of good primes in an efficient way by computing the isogenies between curves over the ground field. They also investigated the properties of a new structure known as the isogeny cycle.

In (Lercier & Morain, 1995), they mentioned that when *l* was an Elkies prime, the cost of computation could turn out to be greater than the computation for an Atkin prime, and hence suggested that it is sometimes better to treat an Elkies prime as an Atkin prime; this motivated their dynamic strategy. The implementation results showed that Schoof's algorithm in characteristic 2 was faster than in large characteristic, at least for small fields, because polynomial arithmetic is faster for $F_{2^n}$: squaring is an easy operation in characteristic 2. However, when *n* increased, the computation of the isogeny took much more time than in the large prime case.

In (Lercier, 1997), the improvements made by Elkies and Atkin are mentioned, which work in any finite field; the computation of isogenies, however, only worked in finite fields of large characteristic. This problem was solved by Couveignes, by working in the formal group, and he implemented it. The computation of isogenies then turned out to be the major cost while counting points. Lercier proposed a better algorithm for the characteristic 2 case, based on algebraic properties. A slight change in Schoof's algorithm sped up the random search for elliptic curves with nearly prime order, instead of specific curves such as supersingular curves or curves obtained from complex multiplication.

In (Izu et al., 1998), they wanted to find elliptic curves of prime order, believing that curves with such order are secure for cryptographic applications. In calculating the order, they efficiently combined the Atkin and Elkies methods, the isogeny cycles method and trial search by match-and-sort techniques, and implemented them for elliptic curves over a prime field $F_p$ in a reasonable time, where *p* is a prime number of size around 240 bits. As a result, the speed of the process increased by almost 20%, and they managed to find elliptic curves with prime order in a reasonable time for a base field of characteristic *p* around 240 bits.

In the SEA algorithm, the classical modular polynomials of degree *l* + 1 have coefficients whose size increases as *l* increases, and their degree in *y* is also very high. Canonical modular polynomials therefore achieve smaller coefficients and a lower degree in *y*; details can be obtained in (Cohen et al., 2006). Besides, according to the work of (Blake et al., n.d.), the classical modular polynomial can be replaced by the Müller modular polynomial or the Atkin modular polynomial. This experiment was done for *l* = 197. The results show that the Müller modular polynomial has fewer coefficients than the classical one; however, the Atkin modular polynomial has the fewest coefficients of the three.

### **8. Conclusion**

This chapter gives some background on elliptic curve cryptography. The mathematical preliminaries on elliptic curves, basic definitions, group operations on an elliptic curve, and the addition law as well as the doubling operation are part of the discussion topics in this chapter. This chapter also includes the arithmetic of elliptic curves defined over the real numbers as well as over a finite field, and some examples are shown to enhance understanding. Several schemes such as the elliptic curve Diffie-Hellman key exchange scheme, the elliptic curve ElGamal cryptosystem and the elliptic curve digital signature scheme are discussed along with some examples. The concept of point counting algorithms is also treated quite rigorously in terms of the mathematical aspects, and the discussion is restricted to two types of algorithms, the Schoof and the Schoof-Elkies-Atkin (SEA) point counting algorithms. Building on the discussion of the point counting algorithms, several comparisons are derived, along with some literature on the development of these two point counting algorithms, especially the Schoof-Elkies-Atkin (SEA) algorithm. This chapter has shown the procedures in the Schoof and the Schoof-Elkies-Atkin (SEA) algorithms, and the extensive mathematical concepts explaining these two algorithms are displayed. The Schoof point counting algorithm is regarded as a pioneering effort towards producing an efficient point counting algorithm; several modifications have emerged from the idea of this algorithm, and the immediate improvements were produced by Elkies and Atkin. The most recent known modification built on Schoof's algorithm is the one from Pierrick Gaudry, David Kohel and Benjamin Smith (the Schoof-Pila algorithm), presented at the Elliptic Curve Cryptography workshop held in Nancy, France, in September 2011.

The arithmetic on elliptic curves plays a very important role in cryptography, and this chapter has highlighted some mathematical aspects needed in the development of elliptic curve cryptography. Many studies have been devoted to finding fast algorithms for performing group operations on elliptic curves, as well as algorithms to compute the number of points on elliptic curves. So far, elliptic curve cryptography seems to outperform other cryptographic schemes. Interest groups working on elliptic curve cryptography still have many ideas to explore, as most directions are towards the higher genus curves, or hyperelliptic curves, instead of the ordinary curves treated in this chapter. A genus 2 curve, for instance, is a hyperelliptic curve, which possesses different properties from the ordinary elliptic curve. Points on hyperelliptic curves do not form a group; instead, the corresponding Jacobian takes that role. Some properties of the ordinary curves could be extended to those higher genus curves. In the future, we might have a situation where hyperelliptic curve cryptography comes into play.

### **9. Acknowledgment**

This article was written under the funding of the Universiti Sains Malaysia Short Term Grant, 2010-2012, account number 304/PMaths/6310075.

### **10. References**

Blake, I. F., Csirik, J. A., Rubinstein, M., & Seroussi, G. (n.d.). On the Computation of Modular Polynomials for Elliptic Curves. *HP Laboratories Technical Report.*

Chen, R. J. (2008). Lecture Notes on Elliptic Curve Cryptography. Department of Computer Science, National Chiao Tung University.

Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Kim, N., et al. (2006). *Handbook of Elliptic Curve and Hyperelliptic Curve Cryptography*, Taylor & Francis Group, LLC, ISBN: 1-58488-518-1, New York.

Couveignes, J., & Morain, F. (1994). Schoof's Algorithm and Isogeny Cycles. In: *Algorithmic Number Theory*, L. M. Adleman & M. D. Huang, pp. 43-58, Springer Berlin/Heidelberg, ISBN: 978-3-540-58691-3, New York.

Cox, D. A. (1989). *Primes of the Form x^2 + ny^2: Fermat, Class Field Theory and Complex Multiplication*, John Wiley & Sons, Inc., ISBN: 0-471-50654-0, USA.

Diffie, W., & Hellman, M. (1976). New directions in cryptography. *IEEE Transactions on Information Theory*, Vol. 22, No. 6, (November 1976), pp. 644-654, ISSN: 0018-9448.

Galin, B. (2007). *Schoof-Elkies-Atkin Algorithm*, Senior thesis, Department of Mathematics, Stanford University, USA.

Izu, T., Kogure, J., Noro, M., & Yokoyama, K. (1998). Efficient Implementation of Schoof's Algorithm, In: *Advances in Cryptology — ASIACRYPT'98 International Conference on the Theory and Application of Cryptology and Information Security*, Kazuo Ohta & Dingyi Pei, pp. 66-79, Springer Berlin/Heidelberg, ISBN: 978-3-540-65109-3, New York.

Jacobson, M. J., Jr., Erickson, S., Hammer, J., Scheidler, R., Shang, N., Shen, S. & Stein, A. (2009). Cryptographic Aspects of Real Hyperelliptic Curves, In: *13th Elliptic Curves Cryptosystem Workshop*, Calgary, Canada.

Koblitz, N. (1987). Elliptic Curve Cryptosystems. *Mathematics of Computation*, Vol. 48, No. 177, (January 1987), pp. 203-209.

Lawrence, C. W. & Wade, T. (2006). *Introduction to Cryptography with Coding Theory, 2nd edition*, Pearson Prentice Hall, ISBN: 0-13-186239-1, USA.

Lercier, R. (1997). Finding Good Random Elliptic Curves for Cryptosystems Defined over F2n, *EUROCRYPT '97 International Conference on the Theory and Application of Cryptographic Techniques*, ISBN: 3-540-62975-0, Konstanz, Germany, May 11-15, 1997.

Lercier, R., & Morain, F. (1995). Counting the Number of Points on Elliptic Curves over Finite Fields: Strategies and Performances, *EUROCRYPT'95 Proceedings of the 14th Annual International Conference on Theory and Application of Cryptographic Techniques*, ISBN: 3-540-59409-4, Saint-Malo, France, May 21-25, 1995.

McGee, J. J. (2006). *René Schoof's Algorithm for Determining the Order of the Group of Points on an Elliptic Curve over a Finite Field*. Virginia Polytechnic Institute and State University, USA.

Menezes, A., Vanstone, S., & Zuccherato, R. (1993). Counting Points on Elliptic Curves over *F2m*. *Mathematics of Computation*, Vol. 60, No. 201, (January 1993), pp. 407-420, DOI 10.1090/S0025-5718-1993-1153167-9.

Miller, V. (1986). Use of Elliptic Curves in Cryptography, Advances in Cryptology — CRYPTO '85 Proceedings, Hugh C. Williams, pp. 417-426, Springer Berlin/Heidelberg, ISBN: 978-3-540-16463-0, New York.

Schoof, R. (1985). Elliptic Curves over Finite Fields and the Computation of Square Roots Mod *p*, *Mathematics of Computation*, Vol. 44, No. 170, (April 1985), pp. 483-494.

Silverman, J. H. (1986). *Graduate Texts in Mathematics*: *The Arithmetic of Elliptic Curves*, Springer-Verlag, ISBN: 0-387-96203-4, USA.

## **Division and Inversion Over Finite Fields**

### Abdulah Abdulah Zadeh

*Memorial University of Newfoundland, Canada* 

### **1. Introduction**

Arithmetic operations such as addition, multiplication, division and inversion are widely used in data communication systems, coding and cryptography, particularly public key cryptography.

Since 1976, when the principles of public key cryptography were introduced by Whitfield Diffie and Martin Hellman (Diffie & Hellman, 1976), the Rivest-Shamir-Adleman (RSA) algorithm has been the most well-known public key cryptographic system. RSA composes a public key that is long enough to be recognized as secure. The security of RSA is based on the difficulty of factoring large numbers into their prime components. For many years, RSA was the leading method for industrial encryption. The RSA cryptographic algorithm involves addition, squaring and multiplication operations. Addition and squaring are two simple operations over finite fields; hence, the most important arithmetic operation for RSA-based cryptographic systems is multiplication.

With the advances in computer computational power, RSA is becoming more and more vulnerable. In 1985, Victor S. Miller (Miller, 1985) and Neal Koblitz (Koblitz, 1987) independently proposed Elliptic Curve Cryptography (ECC). ECC offers higher security in comparison with RSA.

The security of ECC relies on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). So far, no efficient method has been found to solve the ECDLP, and its complexity is higher than that of factoring large numbers into their prime components (on which the security of RSA relies). Hence, ECC can offer higher security with a smaller key size, and designers can use it to save storage space, reduce the power consumed in the circuit and increase the bandwidth.

The Elliptic Curve Cryptographic algorithm involves addition, squaring, multiplication and division (or inversion). Much research has been devoted to multiplication; however, division and inversion are becoming more relevant to cryptographic systems. In terms of implementation area, complexity and execution time, division (or inversion) is the most costly operation in public key cryptography. For many years, hardware implementations of division or inversion were an ambitious goal; however, recent advances in the technology of ASIC circuits and the ability to provide high-capacity FPGAs have let circuit designers achieve this goal.

In this chapter we study two main classes of proposed algorithms for division (and inversion). The first class of dividers is based on Fermat's little theorem; this class is also called multiplicative-based dividers. In the following sections we introduce the principles of these algorithms and the proposed methods to improve their efficiency.

$$a^P \equiv a \pmod{P}$$

$$a^{P-1} \equiv 1 \pmod{P} \quad \text{or} \quad a \times a^{P-2} \equiv 1 \pmod{P}$$

$$2 \times 4 \equiv 8 \equiv 1 \pmod{7}$$
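The identity above turns inversion into a single modular exponentiation. A minimal Python sketch (the function name is illustrative; Python's built-in three-argument `pow` performs the modular exponentiation):

```python
def fermat_inverse(a, p):
    """Inverse of a modulo a prime p, since a * a^(p-2) = 1 (mod p)."""
    return pow(a, p - 2, p)

# The worked example above: 2^(7-2) mod 7 = 4, and 2 * 4 = 8 = 1 (mod 7).
print(fermat_inverse(2, 7))  # 4
```

Division b/a over the prime field is then just `b * fermat_inverse(a, p) % p`.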

$$a^{2^m - 1} = a \times a^{2^m - 2} = 1 \quad \text{(over } GF(2^m)\text{)}.$$

$$2^m - 2 = 2(2^{m-1} - 1)$$

$$= 2(2^{m-1} - 2 + 1)$$

$$= 2(1 + 2(2^{m-2} - 1))$$

$$\vdots$$

$$a^{2^m - 2} = a^{2(2^{m-1} - 1)} = (a^{2^{m-1} - 1})^2$$

$$= (a^{2^{m-1} - 2 + 1})^2 = (a \times a^{2^{m-1} - 2})^2$$

$$= (a \times a^{2(2^{m-2} - 1)})^2 = (a \times (a^{2^{m-2} - 1})^2)^2$$

$$\vdots$$

$$= \bigl(a\bigl(\cdots a\bigl(a \times a^2\bigr)^2 \cdots\bigr)^2\bigr)^2$$



$$\beta_{j+k} = \beta_k^{2^j} \times \beta_j$$

$$\beta_{2k} = \beta_k^{2^k + 1} = \beta_k^{2^k} \times \beta_k$$
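These recurrences (the Itoh-Tsujii addition chain for the beta terms, with beta_k = a^(2^k - 1)) can be sketched in Python. The field GF(2^8) with reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) is an assumed choice purely for illustration, and the helper names are hypothetical; the chain itself works for any m:

```python
M = 8
POLY = 0x11B  # assumed reduction polynomial for GF(2^8)

def gf_mul(a, b):
    """Multiply two GF(2^m) elements (bit-vector polynomials) mod POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a          # conditionally add (XOR) the shifted multiplicand
        b >>= 1
        a <<= 1
        if (a >> M) & 1:    # degree reached m: reduce by POLY
            a ^= POLY
    return r

def gf_inv(a):
    """a^(2^m - 2) = a^(-1), built from the beta_k = a^(2^k - 1) chain."""
    beta, k = a, 1                  # beta_1 = a
    for bit in bin(M - 1)[3:]:      # walk the bits of m-1, high to low
        t = beta
        for _ in range(k):          # t = beta_k^(2^k), by k squarings
            t = gf_mul(t, t)
        beta, k = gf_mul(t, beta), 2 * k        # beta_2k = beta_k^(2^k) * beta_k
        if bit == '1':
            beta, k = gf_mul(gf_mul(beta, beta), a), k + 1  # beta_(k+1)
    return gf_mul(beta, beta)       # one final squaring gives a^(2^m - 2)

assert gf_mul(0x53, gf_inv(0x53)) == 1  # inverse times element is the field's 1
```

The point of the chain is cost: only about log2(m) multiplications plus m - 1 squarings are needed, instead of the m - 2 multiplications of the naive square-and-multiply exponentiation.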


$$\begin{aligned}
GCD(18, 30) &= GCD(30 - 18,\, 18) = GCD(12, 18) \\
&= GCD(18 - 12,\, 12) = GCD(6, 12) \\
&= GCD(12 - 6,\, 6) = GCD(6, 6) = 6
\end{aligned}$$
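The subtraction chain above can be sketched directly: keep replacing the larger argument by the difference until both arguments agree.

```python
def gcd_sub(a, b):
    """Subtractive GCD, mirroring the chain above."""
    while a != b:
        if a > b:
            a = a - b
        else:
            b = b - a
    return a

print(gcd_sub(18, 30))  # 6
```

Subtraction-based (and the related binary shift-and-subtract) formulations matter in hardware because they avoid a full divider for the quotient step.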

$$a \times x + b \times y = d$$

$$a_l \times x_l + b_l \times y_l = d.$$

$$a_l \times x_{l+1} + (b_l - a_l q_l) \times y_{l+1} = d.$$

$$a_l \times x_{l+1} - a_l q_l \times y_{l+1} + b_l \times y_{l+1} = d$$

$$a_l \times (x_{l+1} - q_l \times y_{l+1}) + b_l \times y_{l+1} = d$$

$$\begin{aligned} x_l &= x_{l+1} - q_l \times y_{l+1} \\ y_l &= y_{l+1} \end{aligned} \tag{1}$$

$$\begin{aligned} y_l &= y_{l+1} - q_l \times x_{l+1} \\ x_l &= x_{l+1} \end{aligned} \tag{2}$$

$$a_n \times x_n + b_n \times y_n = a_n \times x_n + a_n q_n \times y_n = a_n = d$$

$$37x_0 + 17y_0 = 1$$

$$(37 - 2 \times 17)x_0 + 17y_0 = 1 \qquad q_0 = 2$$

$$3x_1 + 17y_1 = 1$$

$$3x_1 + (17 - 5 \times 3)y_1 = 1 \qquad q_1 = 5$$

$$3x_2 + 2y_2 = 1$$

$$(3 - 1 \times 2)x_2 + 2y_2 = 1 \qquad q_2 = 1$$

$$x_3 + 2y_3 = 1$$

$$x_3 + (2 - 2 \times 1)y_3 = 1 \qquad q_3 = 2$$

$$x_4 = 1$$

$$37 \times 6 + 17 \times (-13) = 1$$
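The back-substitution that produces these coefficients can be sketched as a recursive routine (a standard extended-Euclid formulation, shown here for illustration):

```python
def ext_gcd(a, b):
    """Return (d, x, y) with a*x + b*y = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, x, y = ext_gcd(b, a % b)
    # back-substitute the coefficients of the deeper call
    return d, y, x - (a // b) * y

print(ext_gcd(37, 17))  # (1, 6, -13)
```

The result matches the worked example: 37 × 6 + 17 × (-13) = 1, so 6 is the inverse of 37 modulo 17 and, symmetrically, -13 ≡ 4 is the inverse of 17 modulo 37.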





### **References**

Koblitz N., (1987), "Elliptic curve cryptosystems", Mathematics of Computation, vol. 48, pp: 203–209.

Miller V. S., (1985), "Use of elliptic curves in cryptography", H. C. Williams, Ed., Advances in Cryptology, CRYPTO 85, LNCS, vol. 218, pp: 417–426.

Morii M., Kasahara M., Whiting D. L., (Nov. 1989), "Efficient bit serial multiplication and the discrete time Wiener-Hopf equation over finite fields", IEEE Transactions on Information Theory, vol. 35, pp: 1177–1183.

Rodríguez-Henríquez Francisco, Morales-Luna Guillermo, Saqib Nazar A., Cruz-Cortés Nareli, (2007), "Parallel Itoh-Tsujii multiplicative inversion algorithm for a special class of trinomials", Des. Codes Cryptography, pp: 19–37.

Takagi N., (May 1998), "A VLSI algorithm for modular division based on the binary GCD algorithm", IEICE Transactions on Fundamentals, vol. E81-A, No. 5, pp: 724–728.

Takagi N., Yoshika J., Takagi K., (May 2001), "A fast algorithm for multiplicative inversion in GF(2^m) using normal basis", IEEE Transactions on Computers, vol. 50, No. 5, pp: 394–398.

Tawalbeh L. A., Tenca A. F., (Sep. 2004), "An algorithm and hardware architecture for integrated modular division and multiplication in GF(P) and GF(2^m)", Application Specific Systems, Architectures and Processors 2004, IEEE, pp: 247–257.

Tenca A. F., Tawalbeh L. A., (March 2004), "Algorithm for unified modular division in GF(P) and GF(2^m) suitable for cryptographic hardware", Electronics Letters, vol. 40, No. 5, pp: 304–306.

Wolkerstorfer Johannes, (2002), "Dual-field arithmetic unit for GF(P) and GF(2^m)", International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2002, LNCS, vol. 2523, pp: 500–514.

Wu C., Wu C., Shieh M., Hwang Y., (2001), "Systolic VLSI realization of a novel iterative division algorithm over GF(2^m): a high-speed, low-complexity design", ISCAS, pp: 33–36.

Wu C., Wu C., Shieh M., Hwang Y., (2004), "High speed, low complexity systolic designs of novel iterative division algorithms in GF(2^m)", IEEE Transactions on Computers, pp: 375–380.

Wu C. H., Wu C. M., Shieh M. D., Hwang Y. T., (Aug 2000), "Novel iterative division algorithm over GF(2^m) and its systolic VLSI realization", Circuits and Systems, pp: 280–283.

Zadeh Abdulah Abdulah, (2007), "High speed modular divider based on GCD algorithm", Information and Communications Security, ICICS, LNCS, pp: 189–200.

## **Part 2**

## **Applications of Cryptographic Algorithms and Protocols**

## **Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks**

Jaydip Sen *Innovation Lab, Tata Consultancy Services Ltd. India* 

### **1. Introduction**

In recent years, wireless sensor networks (WSNs) have drawn considerable attention from the research community on issues ranging from theoretical research to practical applications. Special characteristics of WSNs, such as resource constraints on energy and computational power and security have been well-defined and widely studied (Akyildiz et al., 2002; Sen, 2009). What has received less attention, however, is the critical privacy concern on information being collected, transmitted, and analyzed in a WSN. Such private and sensitive information may include payload data collected by sensors and transmitted through the network to a centralized data processing server. For example, a patient's blood pressure, sugar level and other vital signs are usually of critical privacy concern when monitored by a medical WSN which transmits the data to a remote hospital or doctor's office. Privacy concerns may also arise beyond data content and may focus on context information such as the location of a sensor initiating data communication. Effective countermeasures against the disclosure of both data- and context-oriented private information are an indispensable prerequisite for deployment of WSNs in real-world applications (Sen, 2010a; Bandyopadhyay & Sen, 2011).

Privacy protection has been extensively studied in various fields such as wired and wireless networking, databases and data mining. However, the following inherent features of WSNs introduce unique challenges for privacy preservation of data and prevent the existing techniques from being directly implemented in these networks.

- *Uncontrollable environment*: sensors may have to be deployed in an environment that is uncontrollable by the defender, such as a battlefield, enabling an adversary to launch physical attacks to capture sensor nodes or deploy counterfeit ones. As a result, an adversary may retrieve private keys used for secure communication and decrypt any communication eavesdropped by the adversary.
- *Sensor-node resource constraints*: battery-powered sensor nodes generally have severe constraints on their ability to store, process, and transmit the sensed data. As a result, the computational complexity and resource consumption of public-key ciphers are usually considered unsuitable for WSNs.
- *Topological constraints*: the limited communication range of sensor nodes in a WSN requires multiple hops in order to transmit data from the source to the base station. Such a multi-hop scheme demands that different nodes take diverse traffic loads. In particular, a node closer to the base station (i.e., the data collecting and processing server) has to relay data from nodes further away from the base station in addition to transmitting its own generated data, leading to a higher transmission rate. Such an unbalanced network traffic pattern brings significant challenges to the protection of context-oriented privacy information. In particular, if an adversary has the ability to carry out a global traffic analysis, observing the traffic patterns of different nodes over the whole network, it can easily identify the sink and compromise context privacy, or even manipulate the sink node to impede the proper functioning of the WSN.

The unique challenges for privacy preservation in WSNs call for the development of effective privacy-preserving techniques. Supporting efficient in-network data aggregation while preserving data privacy has emerged as an important requirement in numerous wireless sensor network applications (Acharya et al., 2005; Castelluccia et al., 2009; Girao et al., 2005; He et al., 2007; Westhoff et al., 2006). As a key approach to fulfilling this requirement of private data aggregation, *concealed data aggregation* (CDA) schemes have been proposed in which multiple source nodes send encrypted data to a sink along a *converge-cast tree* with aggregation of cipher-text being performed over the route (Acharya et al., 2005; Armknecht et al., 2008; Castelluccia et al., 2009; Girao et al., 2005; Peter et al., 2010; Westhoff et al., 2006).

He et al. have proposed a *cluster-based private data aggregation* (CPDA) scheme in which the sensor nodes are randomly distributed into clusters (He et al., 2007). The cluster leaders carry out aggregation of the data received from the cluster member nodes. The data communication is secured by using a shared key between each pair of communicating nodes for the purpose of encryption. The aggregate function leverages algebraic properties of polynomials to compute the desired aggregate value in a cluster. While the aggregation is carried out at the aggregator node in each cluster, it is guaranteed that no individual node gets to know the sensitive private values of other nodes in the cluster. The intermediate aggregate value in each cluster is further aggregated along the routing tree as the data packets move to the sink node. The privacy goal of the scheme is two-fold. First, the privacy of data has to be guaranteed end-to-end. While only the sink could learn about the final aggregation result, each node will have information about its own data only and will not have any information about the data of other nodes. Second, to reduce the communication overhead, the data from different source nodes have to be efficiently combined at the intermediate nodes along the path. Nevertheless, these intermediate nodes should not learn any information about the individual nodes' data. The authors of the CPDA scheme have presented performance results to demonstrate the efficiency and security of the protocol. The CPDA protocol has become quite popular, and to the best of our knowledge, there has been no identified vulnerability of the protocol published in the literature so far. In this chapter, we first demonstrate a security loophole in the CPDA protocol and then proceed to show how the protocol can be made more secure and efficient.

Some WSN applications may not require privacy of the individual sensor data. Instead, the data aggregation scheme may need a high level of security so that no malicious node is able to introduce fake data during the execution of the aggregation process. This requirement introduces the need for the design of secure aggregation protocols for WSNs. Keeping this requirement in mind, we also present a secure and robust aggregation protocol for WSNs whose aggregation algorithm does not preserve the privacy of the individual sensor data but guarantees a high level of security in the aggregation process, so that a potential malicious insider node cannot inject false data during the aggregation process.

The rest of this chapter is organized as follows. Section 2 provides a brief background discussion on the CPDA scheme. In Section 3, we present a cryptanalysis of CPDA and demonstrate a security vulnerability of the scheme. In Section 4, we present some design modifications of the CPDA scheme. Section 4.1 presents an efficient way to compute the aggregation operation so as to make CPDA more efficient. Section 4.2 briefly discusses how the identified security vulnerability can be addressed. Section 5 presents a comparative analysis of the overhead of the original CPDA protocol and its proposed modified version. Section 5.1 provides a comparison of the communication overheads in the network, and Section 5.2 provides an analysis of the computational overheads in the sensor nodes. Section 6 discusses the importance of security in designing aggregation schemes for WSNs. Section 7 presents some related work in the field of secure aggregation protocols in WSNs. In Section 8, a secure aggregation algorithm for WSNs is proposed. Section 9 presents some simulation results to evaluate the performance of the proposed secure aggregation protocol. Section 10 concludes the chapter while highlighting some future directions of research in privacy and security in WSNs.

### **2. The CPDA scheme for data aggregation in WSNs**

The basic idea of CPDA is to introduce noise to the raw data sensed by the sensor nodes in a WSN, such that an aggregator can obtain accurate aggregated information but not individual sensor data (He et al., 2007). This is similar to the *data perturbation* approach extensively used in privacy-preserving data mining. However, unlike in privacy-preserving data mining, where noises are independently generated (at random) leading to imprecise aggregated results, the noises in CPDA are carefully designed to leverage the cooperation between different sensor nodes, such that the precise aggregated values can be obtained by the aggregator. The CPDA protocol classifies sensor nodes into two types: cluster leaders and cluster members. There is a one-to-many mapping between the cluster leaders and cluster members. The cluster leaders are responsible for aggregating data received from the cluster members. For security, the messages communicated between the cluster leaders and the cluster members are encrypted using different symmetric keys for each pair of nodes.

The details of the CPDA scheme are provided briefly in the following sub-sections.

### **2.1 The network model**

The sensor network is modeled as a connected graph *G(V, E)*, where *V* represents the set of sensor nodes and *E* represents the set of wireless links connecting the sensor nodes. The number of sensor nodes is taken as |*V*| = *N*.

A data aggregation function is taken that aggregates the individual sensor readings. The CPDA scheme has focused on the additive aggregation function:

$$f(t) = \sum_{i=1}^{N} d_i(t),$$

where *di(t)* is the individual sensor reading at time instant *t* for node *i*. For computation of the aggregate
Second, to reduce the communication overhead, the data from different source nodes have to be efficiently combined at the intermediate nodes along the path. Nevertheless, these intermediate nodes should not learn any information about the individual nodes' data. The authors of the CPDA scheme have presented performance results of the protocol to demonstrate the efficiency and security of the protocol. The CPDA protocol has become quite popular, and to the best of our knowledge, there has been no identified vulnerability of the protocol published in the literature so far. In this chapter, we first demonstrate a security loophole in the CPDA protocol and then proceed to show how the protocol can be made more secure and efficient. Some WSN application may not require privacy of the individual sensor data. Instead, the data aggregation scheme may need high level of security so that no malicious node should be able to introduce any fake data during the execution of the aggregation process. This requirement introduces the need for design of secure aggregation protocols for WSNs.

The sensor network is modeled as a connected graph *G(V, E)*, where *V* represents the set of senor nodes and *E* represents the set of wireless links connecting the sensor nodes. The number of sensor nodes is taken as |*V*| = *N*.

A data aggregation function aggregates the individual sensor readings. The CPDA scheme focuses on the additive aggregation function $f(t) = \sum\_{i=1}^{N} d\_i(t)$, where *di(t)* is the individual sensor reading at time instant *t* for node *i*. For computation of the aggregate function, the following requirements are to be satisfied: (i) privacy of the individual sensor data is to be protected, i.e., each node's data should be known to no other node except the node itself; (ii) the number of messages transmitted within the WSN for the purpose of data aggregation should be kept at a minimum; and (iii) the aggregation result should be as accurate as possible.

Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 137

### **2.2 Key distribution and management**

CPDA uses a random key distribution mechanism proposed in (Eschenauer & Gligor, 2002) for encrypting messages to prevent message eavesdropping attacks. The key distribution scheme has three phases: (i) key pre-distribution, (ii) shared-key discovery, and (iii) pathkey establishment. These phases are described briefly as follows.

A large key-pool of *K* keys and their identities are first generated in the key pre-distribution phase. For each sensor node, *k* keys out of the total *K* keys are chosen. These *k* keys form a *key ring* for the sensor node.

During the key-discovery phase, each sensor node identifies which of its neighbors share a common key with itself by invoking and exchanging discovery messages. If a pair of neighbor nodes share a common key, then it is possible to establish a secure link between them.

In the path-key establishment phase, an end-to-end path key is assigned to the pairs of neighboring nodes who do not share a common key but can be connected by two or more multi-hop secure links at the end of the shared-key discovery phase.

At the end of the key distribution phase, the probability that any pair of nodes possess at least one common key is given by (1).

$$p\_{\text{connect}} = 1 - \frac{\left( (K - k)! \right)^2}{(K - 2k)! K!} \tag{1}$$

If the probability that any other node can overhear the encrypted message by a given key is denoted as *poverhear,* then *poverhear* is given by (2).

$$p\_{overhear} = \frac{k}{K} \tag{2}$$

It has been shown in (He et al., 2007) that the above key distribution algorithm is efficient for communication in large-scale sensor networks when only a limited number of keys is available for encrypting messages to prevent eavesdropping attacks.
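Both probabilities can be checked numerically. The sketch below is illustrative (the pool sizes are made up); it uses the identity $\frac{((K-k)!)^2}{(K-2k)!\,K!} = \binom{K-k}{k} / \binom{K}{k}$, which avoids forming enormous intermediate factorials:

```python
from math import comb

def p_connect(K: int, k: int) -> float:
    """Probability that two nodes share at least one key, as in (1).
    ((K-k)!)^2 / ((K-2k)! K!) equals C(K-k, k) / C(K, k)."""
    return 1 - comb(K - k, k) / comb(K, k)

def p_overhear(K: int, k: int) -> float:
    """Probability that a given key lies in another node's key ring, as in (2)."""
    return k / K

print(p_connect(10000, 100))   # roughly 0.64 for this illustrative pool
print(p_overhear(10000, 100))  # 0.01
```

Note the trade-off the formulas capture: growing *k* raises the connection probability but also raises the overhearing probability linearly.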

### **2.3 Cluster-based private data aggregation (CPDA) protocol**

The CPDA scheme works in three phases: (i) cluster formation, (ii) computation of aggregate results within clusters, and (iii) cluster data aggregation. These phases are described below.

**Cluster formation:** Fig. 1 depicts the cluster formation process. A query server *Q* triggers a query by sending a *HELLO* message. When the *HELLO* message reaches a sensor node, the node elects itself as a cluster leader with a pre-defined probability *p*. If the value of *p* is large, there will be


more nodes electing themselves as cluster leaders, which results in a higher number of clusters in the network. On the other hand, smaller values of *p* lead to fewer clusters due to fewer cluster leader nodes. Hence, the value of the parameter *p* can be suitably chosen to control the number of clusters in the network. If a node becomes a cluster leader, it forwards the *HELLO* message to its neighbors; otherwise, it waits for a threshold period of time to check whether any *HELLO* message arrives from any of its neighbors. If a *HELLO* message arrives, the node decides to join the cluster formed by its neighbor by broadcasting a *JOIN* message as shown in Fig. 2. This process is repeated, and multiple clusters are formed so that the entire WSN becomes a collection of clusters.

Fig. 1. The query server *Q* sends *HELLO* messages for initiating the cluster formation procedure to its neighbors *A*, *D*, *E* and *F*. The query server is shaded in the figure.
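The probabilistic self-election step can be simulated in a few lines (a sketch; the node IDs, the value of *p*, and the RNG seed are illustrative, not part of the CPDA specification):

```python
import random

def elect_leaders(nodes, p, seed=None):
    """Each node that receives the HELLO message independently elects
    itself as a cluster leader with probability p."""
    rng = random.Random(seed)
    return [n for n in nodes if rng.random() < p]

# Larger p -> more leaders, hence more (and smaller) clusters.
print(len(elect_leaders(range(1000), p=0.25, seed=1)))  # close to 250
```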

**Computation within clusters:** In this phase, aggregation is done in each cluster. The computation is illustrated with the example of a simple case where a cluster contains three members: *A*, *B*, and *C*, where *A* is assumed to be the cluster leader and the aggregator node, whereas *B* and *C* are the cluster member nodes. Let *a*, *b*, *c* represent the private data held by the nodes *A*, *B*, and *C* respectively. The goal of the aggregation scheme is to compute the sum of *a*, *b* and *c* without revealing the private values of the nodes.

Fig. 2. *A* and *D* elect themselves as cluster leaders randomly and in turn send *HELLO* messages to their neighbors. *E* and *F* join the cluster formed by *Q*. *B* and *C* join the cluster with *A* as the cluster leader, while *G* and *H* join the cluster with *D* as the cluster leader. All the cluster leaders and the query server are shaded in the figure.



As shown in Fig. 3, for the privacy-preserving additive aggregation function, the nodes *A*, *B*, and *C* are assumed to share three public non-zero distinct numbers, denoted as *x*, *y*, and *z* respectively. In addition, node *A* generates two random numbers *r1A* and *r2A*, which are known only to node *A*. Similarly, nodes *B* and *C* generate *r1B*, *r2B* and *r1C*, *r2C* respectively, which are private to the nodes that generated them.

Fig. 3. Nodes *A*, *B* and *C* broadcast their distinct and non-zero public seeds *x*, *y* and *z* respectively

Node *A* computes *vAA*, *vBA*, and *vCA* as shown in (3).

$$\begin{cases} v\_A^A = a + r\_1^A x + r\_2^A x^2 \\ v\_B^A = a + r\_1^A y + r\_2^A y^2 \\ v\_C^A = a + r\_1^A z + r\_2^A z^2 \end{cases} \tag{3}$$

Similarly, node *B* computes *vAB*, *vBB*, and *vCB* as in (4).

$$\begin{cases} v\_A^B = b + r\_1^B x + r\_2^B x^2 \\ v\_B^B = b + r\_1^B y + r\_2^B y^2 \\ v\_C^B = b + r\_1^B z + r\_2^B z^2 \end{cases} \tag{4}$$

Likewise, node *C* computes *vAC*, *vBC*, and *vCC* as in (5).

$$\begin{cases} v\_A^C = c + r\_1^C x + r\_2^C x^2 \\ v\_B^C = c + r\_1^C y + r\_2^C y^2 \\ v\_C^C = c + r\_1^C z + r\_2^C z^2 \end{cases} \tag{5}$$
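Equations (3)-(5) are simply evaluations of a degree-2 polynomial whose constant term is the node's private datum. A minimal sketch, with made-up numeric values for the seeds, data, and random numbers:

```python
def shares(d, r1, r2, seeds):
    """Evaluate v = d + r1*s + r2*s^2 at each public seed s, as in (3)-(5)."""
    return [d + r1 * s + r2 * s * s for s in seeds]

x, y, z = 5, 7, 11        # public, distinct, non-zero seeds
a, b, c = 10, 20, 30      # private data of A, B, C (illustrative)
vA = shares(a, 3, 4, [x, y, z])   # [v_A^A, v_B^A, v_C^A]
vB = shares(b, 1, 6, [x, y, z])   # [v_A^B, v_B^B, v_C^B]
vC = shares(c, 2, 5, [x, y, z])   # [v_A^C, v_B^C, v_C^C]
print(vA)  # [125, 227, 527]
```

Summing the first entries, vA[0] + vB[0] + vC[0], already matches the form of *FA* in (6) below with *r1* = 3 + 1 + 2 and *r2* = 4 + 6 + 5.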


Node *A* encrypts *vBA* and sends it to node *B* using the shared key between node *A* and node *B*. Node *A* also encrypts *vCA* and sends it to node *C* using the shared key between node *A* and node *C*. In the same manner, node *B* sends encrypted *vAB* to node *A* and *vCB* to node *C*; node *C* sends encrypted *vAC* and *vBC* to node *A* and node *B* respectively. The exchanges of these encrypted messages are depicted in Fig. 4. On receiving *vAB* and *vAC*, node *A* computes the sum of *vAA* (already computed by node *A*), *vAB* and *vAC*. Now, node *A* computes *FA* using (6).

Fig. 4. Exchanges of encrypted messages among nodes A, B and C using shared keys

$$F\_A = v\_A^A + v\_A^B + v\_A^C = (a+b+c) + r\_1 x + r\_2 x^2 \tag{6}$$

In (6), $r\_1 = r\_1^A + r\_1^B + r\_1^C$ and $r\_2 = r\_2^A + r\_2^B + r\_2^C$. Similarly, node *B* and node *C* compute *FB* and *FC* respectively, where *FB* and *FC* are given by (7) and (8).

$$F\_B = v\_B^A + v\_B^B + v\_B^C = (a+b+c) + r\_1 y + r\_2 y^2 \tag{7}$$

$$F\_C = v\_C^A + v\_C^B + v\_C^C = (a+b+c) + r\_1 z + r\_2 z^2 \tag{8}$$

Node *B* and node *C* broadcast *FB* and *FC* to the cluster leader node *A*, so that node *A* has the knowledge of the values of *FA*, *FB* and *FC*. From these values the cluster leader node *A* can compute the aggregated value (*a* + *b* + *c*) as explained below.

The equations (6), (7), and (8) can be rewritten as in (9).

$$U = G^{-1}F \tag{9}$$



In (9), $G = \begin{bmatrix} 1 & x & x^2 \\ 1 & y & y^2 \\ 1 & z & z^2 \end{bmatrix}$, $U = \begin{bmatrix} a+b+c \\ r\_1 \\ r\_2 \end{bmatrix}$, and $F = \begin{bmatrix} F\_A & F\_B & F\_C \end{bmatrix}^T$.

Since *x*, *y*, *z*, *FA*, *FB*, and *FC* are known to the cluster leader node *A*, it can compute the value of (*a* + *b* + *c*) without having any knowledge of *b* and *c*.
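Because *G* is a Vandermonde matrix, *FA*, *FB*, and *FC* are three points on the quadratic $F(s) = (a+b+c) + r\_1 s + r\_2 s^2$, and the aggregate is simply $F(0)$. The sketch below (illustrative values) recovers it by Lagrange interpolation at zero, which computes the same result as the first row of $G^{-1}F$ without forming the inverse explicitly:

```python
from fractions import Fraction

def aggregate(points):
    """Given [(x, F_A), (y, F_B), (z, F_C)], interpolate the quadratic
    through the three points and evaluate it at s = 0, i.e. a+b+c."""
    total = Fraction(0)
    for i, (si, Fi) in enumerate(points):
        term = Fraction(Fi)
        for j, (sj, _) in enumerate(points):
            if i != j:
                term *= Fraction(-sj, si - sj)  # Lagrange basis at s = 0
        total += term
    return total

# a+b+c = 60, r1 = 6, r2 = 15 (illustrative): F(s) = 60 + 6s + 15s^2
pts = [(s, 60 + 6 * s + 15 * s * s) for s in (5, 7, 11)]
print(aggregate(pts))  # 60
```

Exact rational arithmetic is used here because the division by seed differences need not be integral; over a finite field the same formula works with modular inverses.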

In order to avoid eavesdropping attacks by neighbor nodes, it is necessary to encrypt the values of *vBA*, *vCA*, *vAB*, *vCB*, *vAC*, and *vBC*. If node *B* overhears the value of *vCA*, then node *B* gets access to the values of *vCA*, *vBA* and *FA*. Then node *B* can deduce $v\_A^A = F\_A - v\_A^B - v\_A^C$. Having the knowledge of *vAA*, node *B* can further obtain the value of *a* if *x*, *vAA*, *vAB* and *vAC* are known. However, if node *A* encrypts *vCA* and sends it to node *C*, then node *B* cannot get *vCA*. With the knowledge of only *vBA*, *FA*, and *x* from node *A*, node *B* cannot deduce the value of *a*. If node *B* and node *C* collude and reveal node *A*'s information (i.e., *vBA* and *vCA*) to each other, then node *A*'s privacy will be compromised and its private value *a* will be revealed. In order to reduce the probability of such collusion attacks, the cluster size should be as large as possible, since in a cluster of size *m*, at least (*m* - 1) nodes must collude in order to successfully launch the attack. Higher values of *m* require a larger number of colluding nodes, thereby making the attack more difficult.

**Cluster data aggregation:** The CPDA scheme has been implemented on top of the *Tiny Aggregation* (TAG) protocol (Madden et al., 2002). Using the TAG protocol, each cluster leader node routes the sum of the values of the nodes in its cluster to the query server through a TAG routing tree whose root is situated at the server.

### **3. An attack on the CPDA scheme**

In this section, we present an efficient attack (Sen & Maitra, 2011) on the CPDA aggregation scheme. The objective of the attack is to show the vulnerability of the CPDA scheme which can be suitably exploited by a malicious participating sensor node. The intention of the malicious node is to participate in the scheme in such a way that it can get access to the private values (i.e., *a*, *b* and *c*) of the participating sensor nodes. For describing the attack scenario, we use the same example cluster consisting of three sensor nodes *A*, *B* and *C*. Node *A* is the cluster leader whereas node *B* and node *C* are the cluster members. We distinguish two types of attacks: (i) attack by a malicious cluster leader (e.g., node *A*) and (ii) attack by a malicious cluster member (e.g., either node *B* or node *C*). These two cases are described in detail in the following sub-sections.

### **3.1 Privacy attack by a malicious cluster leader node**

Let us assume that the cluster leader node *A* is malicious. Node *A* chooses a very large value of *x* such that *x* >> *y*, *z*. Since *y* and *z* are public values chosen by node *B* and node *C* which are broadcast in the network by node *B* and node *C* respectively, it is easy for node *A* to choose a suitable value for *x*.

Nodes *A*, *B* and *C* compute the values of *vAA*, *vBA*, *vCA*, *vAB*, *vBB*, *vCB*, *vAC*, *vBC*, and *vCC* using (3), (4) and (5) as described in Section 2.3. As per the CPDA scheme, node *A* receives:


2 1 2 *B BB Av b rx rx* from node *B*. Since *x* is very large compared to *b* and *r1B* node *A* can derive the value of *r2B* using (10) where we consider integer division.

$$\frac{v\_A^B}{x^2} = \frac{b}{x^2} + \frac{r\_1^B}{x} + r\_2^B = 0 + 0 + r\_2^B = r\_2^B \tag{10}$$

Using the value of *r2B* as derived in (10), and using $v\_A^B = b + r\_1^B x + r\_2^B x^2$, node *A* can now compute the value of *r1B* by solving (11).

$$\frac{v\_A^B - r\_2^B x^2}{x} = \frac{b}{x} + r\_1^B = 0 + r\_1^B = r\_1^B \tag{11}$$

In the same manner, node *A* derives the values of *r1C* and *r2C* from *vAC* received from node *C*. Since $r\_1 = r\_1^A + r\_1^B + r\_1^C$ and $r\_2 = r\_2^A + r\_2^B + r\_2^C$, as shown in (6), (7) and (8), node *A* can compute the values of *r1* and *r2* (*r1B*, *r2B*, *r1C*, and *r2C* are derived as shown above, and *r1A* and *r2A* were generated by node *A*).

At this stage, node *A* uses the values of *FB* and *FC* received from node *B* and node *C* respectively, as shown in (7) and (8). Node *A* now has two linear simultaneous equations with two unknowns, *b* and *c*, the values of *y* and *z* being public. Solving (7) and (8) for *b* and *c*, the malicious cluster leader node *A* can get access to the private information.
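The leader's attack in (10)-(11) is easy to demonstrate with concrete (hypothetical) numbers:

```python
# Malicious leader A picks x far larger than b, r1B and r2B, then peels
# the coefficients off v_A^B with integer division, as in (10) and (11).
x = 10**9                    # attacker's seed, x >> y, z
b, r1B, r2B = 37, 12, 8      # node B's secrets (illustrative)
vAB = b + r1B * x + r2B * x * x

r2B_guess = vAB // (x * x)                   # (10): b/x^2 and r1B/x vanish
r1B_guess = (vAB - r2B_guess * x * x) // x   # (11): b/x vanishes
b_guess = vAB - r1B_guess * x - r2B_guess * x * x
print(r2B_guess, r1B_guess, b_guess)  # 8 12 37
```

The attack works whenever *x* exceeds the largest possible datum and random value, which is exactly the freedom the countermeasure in Section 4 removes.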

### **3.2 Privacy attack by a malicious cluster member node**

In this scenario, let us assume that the cluster member node *B* is malicious and tries to access the private values of the cluster leader node *A* and the cluster member node *C*. Node *B* chooses a very large value of *y* so that *y* >> *x*, *z*. Once the value of *FB* is computed in (7), node *B* derives the values of *r2* and *r1* using (12) and (13).

$$\frac{F\_B}{y^2} = \frac{(a+b+c)}{y^2} + \frac{r\_1}{y} + r\_2 = 0 + 0 + r\_2 = r\_2 \tag{12}$$

$$\frac{F\_B - r\_2 y^2}{y} = \frac{(a+b+c)}{y} + r\_1 = 0 + r\_1 = r\_1 \tag{13}$$

As per the CPDA scheme, node *B* receives $v\_B^C = c + r\_1^C y + r\_2^C y^2$ from node *C*. Since the magnitude of *y* is very large compared to *c*, *r1C* and *r2C*, it is easy for node *B* to derive the values of *r2C* and *r1C* using (14) and (15) respectively.

$$\frac{v\_B^C}{y^2} = \frac{c}{y^2} + \frac{r\_1^C}{y} + r\_2^C = 0 + 0 + r\_2^C = r\_2^C \tag{14}$$

$$\frac{v\_B^C - r\_2^C y^2}{y} = \frac{c}{y} + r\_1^C = 0 + r\_1^C = r\_1^C \tag{15}$$

Using (12), (13), (14) and (15), node *B* can compute $r\_1^A = r\_1 - r\_1^B - r\_1^C$ and $r\_2^A = r\_2 - r\_2^B - r\_2^C$. Now, node *B* can compute the value of *a* using $v\_B^A = a + r\_1^A y + r\_2^A y^2$ (received from node *A*),

Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 143


in which the values of all the variables are known except that of *a*. In a similar fashion, node *B* derives the value of *c* using $v\_B^C = c + r\_1^C y + r\_2^C y^2$ (received from node *C*).

Since the private values of the nodes *A* and *C* are now known to node *B*, the privacy attack launched by participating cluster member node *B* is successful on the CPDA aggregation scheme.

### **4. Modification of the CPDA Scheme**

In this section, we present two modifications of the CPDA scheme: one towards making the protocol more efficient and the other towards making it more secure.

### **4.1 Modification of CPDA scheme for enhanced efficiency**

In this section, a modification is proposed for the CPDA protocol for achieving enhanced efficiency in its operation. The modification is based on a suitable choice of the value of *x* (the public seed) by the aggregator node *A*.

Let us assume that node *A* chooses a large value of *x* such that the following conditions in (16) and (17) are satisfied.

$$r\_2 x^2 \gg r\_1 x \tag{16}$$

$$r\_1 x \gg (a + b + c) \tag{17}$$

In (16) and (17), $r\_1 = r\_1^A + r\_1^B + r\_1^C$ and $r\_2 = r\_2^A + r\_2^B + r\_2^C$. Now, node *A* has computed the value of *FA* as shown in (6). In order to efficiently compute the value of (*a* + *b* + *c*), node *A* divides the value of *FA* by $x^2$ as shown in (18).

$$\frac{F\_A}{x^2} = \frac{(a+b+c)}{x^2} + \frac{r\_1 x}{x^2} + r\_2 = 0 + 0 + r\_2 = r\_2 \tag{18}$$

Using (18), node *A* derives the value of *r2*. Once the value of *r2* is deduced, node *A* attempts to compute the value of *r1* using (19) and (20).

$$F\_A - r\_2 x^2 = (a + b + c) + r\_1 x \tag{19}$$

$$r\_1 = \frac{F\_A - r\_2 x^2}{x} - \frac{(a + b + c)}{x} = \frac{F\_A - r\_2 x^2}{x} - 0 = \frac{F\_A - r\_2 x^2}{x} \tag{20}$$

Since the values of *FA*, *r2* and *x* are all known to node *A*, it can compute the value of *r1* using (20). Once the values of *r1* and *r2* are computed, node *A* can compute the value of (*a* + *b* + *c*) using (6). Since the computation of the sum (*a* + *b* + *c*) by node *A* involves only two integer division operations (as done in (18) and (20)), the modified CPDA scheme is light-weight and much more energy- and time-efficient than the original CPDA scheme, which involved the additional computation of the values of *FB* and *FC*, and an expensive matrix inversion operation, as described in Section 2.3.
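The steps (18)-(20) can be traced with a small Python sketch. The numbers are hypothetical, chosen only so that conditions (16) and (17) hold:

```python
# Sketch of the efficient aggregation step of Section 4.1 (hypothetical
# values; x is chosen so that r2*x**2 >> r1*x >> a + b + c, i.e. (16), (17)).

x = 10**8                 # large public seed chosen by aggregator node A
a, b, c = 11, 23, 35      # private values of nodes A, B and C
r1, r2 = 901, 77          # sums of the three nodes' random pairs, as in (6)
F_A = (a + b + c) + r1 * x + r2 * x**2

r2_rec = F_A // x**2                           # eq. (18): low-order terms vanish
r1_rec = (F_A - r2_rec * x**2) // x            # eq. (20)
aggregate = F_A - r1_rec * x - r2_rec * x**2   # eq. (6), rearranged

assert (r2_rec, r1_rec, aggregate) == (77, 901, 69)   # 69 = a + b + c
```

The two `//` operations are exactly the two integer divisions the text counts; everything else is addition and subtraction.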

### **4.2 Modification of the CPDA scheme for resisting the attack**

142 Cryptography and Security in Computing


In this section, we discuss the modifications required on the existing CPDA scheme so that a malicious participant node cannot launch the attack described in Section 3.

It may be noted that the vulnerability of the CPDA scheme lies essentially in the unrestricted freedom delegated to the participating nodes in generating their public seed values. For example, nodes *A*, *B* and *C* have no restrictions on their choices for the values of *x*, *y* and *z* respectively while they generate these values. A malicious attacker can exploit this freedom to generate an arbitrarily large public seed value, and can thereby launch an attack as discussed in Section 3.

In order to prevent such an attack, the CPDA protocol needs to be modified. In this modified version, the nodes in a cluster make a check on the generated public seed values so that it is not possible for a malicious participant to generate any arbitrarily large seed value. For a cluster with three nodes, such a constraint may be imposed by the requirement that the sum of any two public seeds must be greater than the third seed. In other words: *x* + *y* > *z*, *z* + *x* > *y*, and *y* + *z* > *x*. If these constraints are satisfied by the generated values of *x*, *y* and *z*, it will be impossible for any node to launch the attack and get access to the private values of the other participating nodes.
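A minimal sketch of such a seed check (the function name and test values are ours):

```python
# A possible form of the seed check in the modified protocol: every node
# verifies the triangle-style constraint before proceeding.

def seeds_valid(x, y, z):
    """Accept the public seeds only if the sum of any two exceeds the third."""
    return x + y > z and y + z > x and z + x > y

assert seeds_valid(5, 6, 7)
assert not seeds_valid(5, 6, 10**9)   # an abnormally large seed is rejected
```

Because the constraint is symmetric, each node can run the same check locally on the three broadcast seeds, with no extra coordination.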

However, even if the above restrictions on the values of *x*, *y* and *z* are imposed, the nodes should be careful in choosing the values of their secret random number pairs. If two nodes happen to choose very large values for their random numbers compared to those chosen by the third node, then it will be possible for the third node to get access to the private values of the other two nodes. For example, let us assume that nodes *A* and *C* have chosen the values of $r\_1^A$, $r\_2^A$ and $r\_1^C$, $r\_2^C$ such that they are all much larger than $r\_1^B$ and $r\_2^B$, the private random number pair chosen by node *B*. It will then be possible for node *B* to derive the values of *a* and *c*: the private values of nodes *A* and *C* respectively. This is explained in the following.

Node *B* receives $v\_B^A = a + r\_1^A y + r\_2^A y^2$ from node *A* and computes the values of $r\_1^A$ and $r\_2^A$ using (21) and (22).

$$\frac{v\_B^A}{y^2} = \frac{a}{y^2} + \frac{r\_1^A}{y} + r\_2^A = 0 + 0 + r\_2^A = r\_2^A \tag{21}$$

$$\frac{v\_B^A - r\_2^A y^2}{y} = \frac{a}{y} + r\_1^A = 0 + r\_1^A = r\_1^A \tag{22}$$

In a similar fashion, node *B* derives the values of $r\_1^C$ and $r\_2^C$ from $v\_B^C$ received from node *C*. Now, node *B* computes $r\_1 = r\_1^A + r\_1^B + r\_1^C$ and $r\_2 = r\_2^A + r\_2^B + r\_2^C$, since it has access to the values of all these variables. In the original CPDA scheme (He et al., 2007), the values of *FB* and *FC* are broadcast by nodes *B* and *C* in unencrypted form. Hence, node *B* has access to both these values. Using (7) and (8), node *B* can compute the values of *a* and *c*, since these are the only unknown variables in the two linear simultaneous equations.

In order to defend against the above vulnerability, the CPDA protocol needs further modification. In this modified version, after the values *vAA*, *vAB*, and *vAC* are generated and


shared by nodes *A*, *B* and *C* respectively, the nodes check whether the following constraints are satisfied: *vAA* + *vAB* > *vAC*, *vAB* + *vAC* > *vAA*, and *vAC* + *vAA* > *vAB*. The nodes proceed with further execution of the algorithm only if all three inequalities are satisfied. If they are not, there is a possibility that the random numbers generated by one node are much larger than those generated by the other nodes - a scenario which indicates a possible attack by a malicious node.
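This share-level check can be sketched in the same way as the seed check; the function name and the values are ours:

```python
# Sketch of the check on the shared values v_AA, v_AB, v_AC: a cluster node
# accepts the shares only if no single value dominates the other two, which
# would suggest abnormally large random numbers at one node.

def shares_valid(v_aa, v_ab, v_ac):
    return (v_aa + v_ab > v_ac and
            v_ab + v_ac > v_aa and
            v_ac + v_aa > v_ab)

assert shares_valid(40, 50, 60)
assert not shares_valid(40, 50, 10**6)   # one dominant share is rejected
```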

### **5. Performance analysis**

In this section, we present a brief comparative analysis of the overheads of the original CPDA protocol and the proposed modified CPDA protocols that we have discussed in Section 4.1 and Section 4.2. Our analysis is based on two categories of overheads: (i) overhead due to message communication in the network and (ii) computational overhead at the sensor nodes.

### **5.1 Communication overhead**

We compare communication overheads of three protocols - the *tiny aggregation protocol* (TAG), the original CPDA protocol and the proposed modified CPDA protocols. In TAG, each sensor node needs to send 2 messages for the data aggregation protocol to work. One *HELLO* message communication from each sensor node is required for forming the aggregation tree, and one message is needed for data aggregation. However, this protocol only performs data aggregation and does not ensure any privacy for the sensor data. In the original CPDA protocol, each cluster leader node sends 4 messages and each cluster member node sends 3 messages for ensuring that the aggregation protocol works in a privacy-preserving manner. In the example cluster shown in Fig. 3, the 4 messages sent by the cluster leader node *A* are: one *HELLO* message for forming the cluster, one message for communicating the public seed *x*, one message for communicating *vBA* and *vCA* to cluster member nodes *B* and *C* respectively, and one message for sending the aggregate result from the cluster. Similarly, the 3 messages sent by the cluster member node *B* are: one message for communicating its public seed *y*, one message for communicating *vAB* and *vCB* to cluster leader node *A* and cluster member node *C* respectively, and one message for communicating the intermediate result *FB* to the cluster leader node *A*.

In contrast to the original CPDA protocol, the modified CPDA protocol in Section 4.1 involves 3 message communications from the cluster leader node and 2 message communications from each cluster member node. The 3 messages sent by the cluster leader node *A* are: one *HELLO* message for forming the cluster, one message for broadcasting its public seed *x*, and one message for sending the final aggregate result. It may be noted that in this protocol, the cluster leader node *A* need not send *vBA* and *vCA* to the cluster member nodes *B* and *C* respectively. Each cluster member node needs to send 2 messages. For example, the cluster member node *B* needs to broadcast its public seed *y*, and also needs to send *vAB* to the cluster leader node *A*. Unlike in the original CPDA protocol, the cluster member node *B* does not send *FB* to the cluster leader. Similarly, the cluster member node *C* does not send *FC* to the cluster leader node *A*. In a cluster consisting of three members, the original CPDA protocol would involve 10 messages (4 messages from the cluster leader and 3 messages from each cluster member). The modified CPDA protocol presented in Section 4.1, on the other hand, would involve 7 messages (3 messages from the cluster leader and 2 messages from each cluster member) in a cluster of three nodes. Therefore, in a cluster of three nodes, the modified CPDA protocol presented in Section 4.1 will involve 3 fewer message communications. Since in a large-scale WSN the number of clusters will be quite high, there will be an appreciable reduction in the communication overhead in the modified CPDA protocol presented in Section 4.1.
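The per-cluster tallies above can be captured in a small model (the function and its parameters are our own illustration, not protocol code):

```python
# Message count per cluster: one leader plus num_members member nodes.

def cluster_messages(num_members, modified=False):
    if modified:
        # leader: HELLO, seed, result; each member: seed, v-share
        return 3 + 2 * num_members
    # leader additionally sends its v-shares; each member also sends F
    return 4 + 3 * num_members

assert cluster_messages(2) == 10                # original CPDA, 3-node cluster
assert cluster_messages(2, modified=True) == 7  # modified CPDA: 3 fewer messages
```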

The secure version of the modified CPDA protocol presented in Section 4.2 involves the same communication overhead as the original CPDA protocol. However, if any node chooses abnormally high values for its public seed or its private random numbers, the secure version of the modified CPDA protocol will involve 2 extra messages from each of the participating sensor nodes. Therefore, in a cluster of three nodes, the secure version of the modified CPDA protocol will involve 6 extra messages in the worst-case scenario when compared with the original CPDA protocol.

If $p\_c$ is the probability of a sensor node electing itself as a cluster leader, the average number of messages sent by a sensor node in the original CPDA protocol is $4p\_c + 3(1 - p\_c) = p\_c + 3$. Thus, the message overhead in the original CPDA is less than twice that in TAG. However, in the modified CPDA protocol presented in Section 4.1, the average number of messages communicated by a sensor node is $3p\_c + 2(1 - p\_c) = p\_c + 2$. As mentioned in Section 2.3, in order to prevent a collusion attack by sensor nodes, the cluster size in the CPDA protocol should be as large as possible. This implies that the value of $p\_c$ should be small. Since the value of $p\_c$ is small, it is clear that the message overhead in the modified CPDA protocol presented in Section 4.1 is almost the same as that in TAG, and it is much less (one message less for each sensor node) than that of the original CPDA protocol. In the secure version of the protocol in Section 4.2, the communication overhead in the average case will be the same as in the original CPDA protocol. However, in the worst case, the number of messages sent by a sensor node in this protocol will be $6p\_c + 5(1 - p\_c) = p\_c + 5$. This is 2.5 times the average communication overhead in the TAG protocol and 1.67 times the average communication overhead in the original CPDA protocol. The secure protocol, therefore, will involve 67% more overhead in the worst-case scenario (where a malicious participant sensor node chooses abnormally high values for its public seed as well as for its private random numbers).
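The averages quoted above follow directly from the per-node message counts; a small sketch (per-node counts taken from the text, scheme labels ours):

```python
# Expected number of messages per sensor node, given the probability p_c
# that a node elects itself cluster leader.

PER_NODE = {                 # (messages as leader, messages as member)
    "TAG": (2, 2),
    "CPDA": (4, 3),
    "modified": (3, 2),
    "secure-worst": (6, 5),
}

def avg_messages(scheme, p_c):
    leader, member = PER_NODE[scheme]
    return leader * p_c + member * (1 - p_c)

p_c = 0.01   # cluster-leader probability, assumed small as in the analysis
assert abs(avg_messages("CPDA", p_c) - (p_c + 3)) < 1e-9
assert abs(avg_messages("secure-worst", p_c) - (p_c + 5)) < 1e-9
```

As $p\_c \to 0$ the four schemes cost roughly 2, 3, 2 and 5 messages per node, which is where the 2.5x and 1.67x worst-case ratios come from.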

### **5.2 Computational overhead**


In this section, we present a comparative analysis of the computational overheads incurred by the sensor nodes in the original CPDA protocol and in the proposed efficient version of the protocol.

**Computational overhead of the original CPDA protocol:** The computational overhead of the CPDA protocol can be broadly classified into four categories: (i) computation of the parameters, (ii) computation for encrypting messages, (iii) computation of the intermediate results, and (iv) computation of the final aggregate result at the cluster leader node. The details of these computations are presented below:

i. *Computation of the parameters at the sensor nodes:* Each sensor node in a three-member cluster computes three parameters. For example, the cluster leader node *A* computes *vAA*, *vBA*, *vCA*. Similarly, the cluster member node *B* computes *vAB*, *vBB* and *vCB*. We first compute the overhead due to these computations.

Since $v\_A^A = a + r\_1^A x + r\_2^A x^2$, for the computation of *vAA*, node *A* needs to perform 2 addition, 2 multiplication and 1 exponentiation operations. Hence, for computing *vAA*, *vBA* and *vCA*, node *A* needs to perform 6 addition, 6 multiplication and 3 exponentiation operations. Therefore, in a cluster consisting of three members, for the computation of all parameters, the original CPDA protocol requires 18 addition, 18 multiplication and 9 exponentiation operations.

ii. *Computations for encrypting messages*: Some of the messages in the CPDA protocol need to be communicated in encrypted form. The encryption operation involves computational overhead. For example, node *A* needs to encrypt *vBA* and *vCA* before sending them to nodes *B* and *C* respectively. Therefore, 2 encryption operations are required at node *A*. For a cluster consisting of three members, the CPDA protocol will need 6 encryption operations.

iii. *Computations of intermediate results*: The nodes *A*, *B*, and *C* need to compute the intermediate values *FA*, *FB* and *FC* respectively for the computation of the final aggregated result. Since $F\_A = v\_A^A + v\_A^B + v\_A^C = (a + b + c) + r\_1 x + r\_2 x^2$, where $r\_1 = r\_1^A + r\_1^B + r\_1^C$ and $r\_2 = r\_2^A + r\_2^B + r\_2^C$, for computing *FA*, node *A* will need to perform 4 addition operations. Therefore, for a cluster of three members, 12 addition operations will be needed.

iv. *Aggregate computation at the cluster leader*: For computing the final aggregated result in a privacy-preserving way, the cluster leader node *A* needs to perform one matrix inversion operation and one matrix multiplication operation.

The summary of the various operations in the original CPDA protocol is presented in Table 1.

| Operation Type | No. of operations |
|----------------|-------------------|
| Addition | 30 |
| Multiplication | 18 |
| Exponentiation | 9 |
| Encryption | 6 |

Table 1. Operations in the CPDA protocol

**Computational overhead of the modified CPDA protocol:** The overheads of the efficient version of the CPDA protocol presented in Section 4.1 are due to: (i) computation of the parameters at the sensor nodes, (ii) computation of the intermediate result at the cluster leader node, and (iii) computation of the aggregated result at the cluster leader node. The details of these computations are presented below.

i. *Computation of the parameters at the sensor nodes*: In the modified version of the CPDA protocol, the nodes *A*, *B* and *C* need to compute only *vAA*, *vAB*, and *vAC* respectively. As shown earlier, each parameter computation involves 2 addition, 2 multiplication and 1 exponentiation operations. Therefore, in total, 6 addition, 6 multiplication, and 3 exponentiation operations will be needed.

ii. *Computations for encrypting messages*: The nodes *B* and *C* will need to encrypt the messages *vAB* and *vAC* respectively before sending them to the cluster leader node *A*. Therefore, 2 encryption operations will be required.

iii. *Computation of the intermediate result*: The cluster leader node *A* will only compute *FA* in the modified CPDA. The cluster member nodes *B* and *C* need not perform any computations here. As discussed earlier, the computation of *FA* needs 4 addition operations.

iv. *Aggregate computation at the cluster leader*: For the computation of the final result at the cluster leader node, 2 integer division and 2 subtraction operations will be required.

The summary of the various operations in the modified CPDA protocol is presented in Table 2.

| Operation Type | No. of operations |
|----------------|-------------------|
| Addition | 10 |
| Subtraction | 2 |
| Multiplication | 6 |
| Division | 2 |
| Exponentiation | 3 |
| Encryption | 2 |

Table 2. Operations in the proposed modified CPDA protocol

It is clearly evident from Table 1 and Table 2 that the modified version of the CPDA protocol involves much less computational overhead than the original version of the protocol.

### **6. Security requirements in data aggregation protocols for WSNs**

The purpose of any WSN deployment is to provide the users with access to the information of interest from the data gathered by spatially distributed sensor nodes. In most applications, users require only certain aggregate functions of this distributed data. Examples include the average temperature in a network of temperature sensors, a particular trigger in the case of an alarm network, or the location of an event. Such aggregate functions could be computed under the end-to-end information flow paradigm by communicating all relevant data to a central collector node. This, however, is a highly inefficient solution for WSNs which have severe constraints in energy, memory and bandwidth, and where tight latency constraints are to be met. As mentioned in Section 1 of this chapter, an alternative solution is to perform in-network computations (Madden et al., 2005). However, in this case, the question that arises is how best to perform the distributed computations over a network of nodes with wireless links. What is the optimal way to compute, for example, the average, min, or max of a set of statistically correlated values stored in different nodes? How would such computations be performed in the presence of unreliability such as noise, packet drops, and node failures? Such questions combine the complexities of multi-terminal information theory, distributed source coding, communication complexity, and distributed computation. This makes the development of an efficient in-network computing framework for WSNs very challenging.

Apart from making a trade-off between the level of accuracy in aggregation and the energy expended in computation of the aggregation function, another issue that needs serious attention in WSNs is security. Unfortunately, even though security has been identified as a

Table 1. Operation in the CPDA protocol

Matrix multiplication Matrix inversion

operations.

22 2 2

1 2 *A AA*



Table 2. Operation in the proposed modified CPDA protocol

It is clearly evident from Table 1 and Table 2 that the modified version of the CPDA protocol involves much less computational overhead than the original version of the protocol.
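The share-and-recover arithmetic above can be sketched end to end. All values, seeds and random coefficients below are illustrative toy numbers, and the encryption of the shares is omitted; each member hides its reading in a degree-2 polynomial, member *j* sums the shares it receives, and the leader recovers the cluster sum from the three *F* values by interpolating the polynomial at zero, which is equivalent to inverting the Vandermonde system described in item iv.

```python
from fractions import Fraction

def cpda_cluster_sum(values, seeds, randoms):
    """Sketch of the CPDA share/recover steps for one cluster (toy numbers).

    values:  private readings d_i of the cluster members
    seeds:   distinct public seeds x_j, one per member
    randoms: per-member secret coefficients (r1_i, r2_i)
    """
    n = len(values)
    r1, r2 = randoms
    # F_j = sum_i v_ij, where v_ij = d_i + r1_i*x_j + r2_i*x_j**2 is the
    # share member i sends to member j (encryption omitted in this sketch)
    F = [sum(values[i] + r1[i]*x + r2[i]*x*x for i in range(n)) for x in seeds]
    # F(x) = S + R1*x + R2*x**2, so the leader recovers S = F(0) by
    # Lagrange interpolation (equivalent to solving the Vandermonde system)
    S = Fraction(0)
    for j, xj in enumerate(seeds):
        term = Fraction(F[j])
        for k, xk in enumerate(seeds):
            if k != j:
                term *= Fraction(0 - xk, xj - xk)
        S += term
    return int(S)

print(cpda_cluster_sum([5, 11, 2], [1, 2, 3], ([3, 8, 4], [6, 1, 9])))  # -> 18
```

Note that each *F<sub>j</sub>* reveals only the masked polynomial value, not the individual readings; the leader learns the sum 18 without learning 5, 11 or 2.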

### **6. Security requirements in data aggregation protocols for WSNs**

The purpose of any WSN deployment is to provide the users with access to the information of interest from the data gathered by spatially distributed sensor nodes. In most applications, users require only certain aggregate functions of this distributed data. Examples include the average temperature in a network of temperature sensors, a particular trigger in the case of an alarm network, or the location of an event. Such aggregate functions could be computed under the end-to-end information flow paradigm by communicating all relevant data to a central collector node. This, however, is a highly inefficient solution for WSNs which have severe constraints in energy, memory and bandwidth, and where tight latency constraints are to be met. As mentioned in Section 1 of this chapter, an alternative solution is to perform in-network computations (Madden et al., 2005). However, in this case, the question that arises is how best to perform the distributed computations over a network of nodes with wireless links. What is the optimal way to compute, for example, the average, min, or max of a set of statistically correlated values stored in different nodes? How would such computations be performed in the presence of unreliability such as noise, packet drops, and node failures? Such questions combine the complexities of multi-terminal information theory, distributed source coding, communication complexity, and distributed computation. This makes development of an efficient in-network computing framework for WSNs very challenging.
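As a concrete illustration of in-network computation, the average over a routing tree can be obtained by forwarding only a partial (sum, count) pair from each subtree instead of every raw reading, so the traffic per link stays constant regardless of subtree size. The node names and readings below are illustrative.

```python
def aggregate_average(tree, readings, node):
    """Sketch of in-network averaging over a routing tree.

    tree maps each node to its children; each node combines its own
    reading with the partial (sum, count) pairs of its subtrees and
    forwards a single pair upward.
    """
    s, c = readings[node], 1
    for child in tree.get(node, []):
        cs, cc = aggregate_average(tree, readings, child)
        s, c = s + cs, c + cc
    return s, c

# illustrative topology: sink <- {a, b}, a <- {c, d}
tree = {"sink": ["a", "b"], "a": ["c", "d"]}
readings = {"sink": 20, "a": 22, "b": 24, "c": 26, "d": 18}
s, c = aggregate_average(tree, readings, "sink")
print(s / c)  # -> 22.0
```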

Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 149

Apart from making a trade-off between the level of accuracy in aggregation and the energy expended in the computation of the aggregation function, another issue that needs serious attention in WSNs is security. Unfortunately, even though security has been identified as a major challenge for sensor networks (Karlof & Wagner, 2003), most of the existing proposals for data aggregation in WSNs have not been designed with security in mind. Consequently, these schemes are all vulnerable to various types of attacks (Sen, 2009). Even when a single sensor node is captured, compromised or spoofed, an attacker can often manipulate the value of an aggregate function without any bound, gaining complete control over the computed aggregate. In fact, any protocol that computes the average, sum, minimum, or maximum function is insecure against malicious data, no matter how these functions are computed. To defend against these critical threats, this chapter presents an energy-efficient aggregation algorithm based on a distributed estimation approach. The algorithm is secure and robust against malicious attacks in WSNs. The main threat that has been considered while designing the proposed scheme is the *injection of malicious data* into the network by an adversary who has compromised a sensor's sensed value by subjecting it to unusual temperature, lighting, or other spoofed environmental conditions. In designing the proposed algorithm, a WSN is considered as a collective entity that performs a sensing task, and a distributed estimation algorithm is proposed that can be applied to a large class of aggregation problems.
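The unbounded-manipulation problem is easy to see for the average function: a single spoofed reading can move the aggregate arbitrarily far from the true value. The readings below are illustrative.

```python
def average(xs):
    return sum(xs) / len(xs)

honest = [21.0, 22.5, 21.7, 22.1]    # illustrative temperature readings
spoofed = honest[:-1] + [10_000.0]   # one captured node reports a huge value

print(average(honest))   # close to the true temperature
print(average(spoofed))  # a single compromised node drags the aggregate
                         # by orders of magnitude, with no inherent bound
```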

In the proposed scheme (Sen, 2011), each node in a WSN has complete information about the parameter being sensed. This is in contrast to snapshot aggregation, where the sensed parameters are aggregated at the intermediate nodes till the final aggregated result reaches the root. In the proposed algorithm, each node, instead of unicasting its sensed information to its parent, broadcasts its estimate to all its neighbors. This makes the protocol more fault-tolerant and increases the information availability in the network. The scheme is an extension of the one suggested in (Boulis et al., 2003); however, it is more secure and reliable even in the presence of compromised and faulty nodes in a WSN.

In the following section, we provide a brief discussion on some of the well-known secure aggregation schemes for WSNs.

### **7. Overview of some aggregation protocols for WSNs**

Extensive work has been done on aggregation applications in WSNs. However, security and energy – two major aspects in the design of an efficient and robust aggregation algorithm – have not attracted adequate attention. Before discussing some of the existing secure aggregation mechanisms, we present a few well-known aggregation schemes for WSNs.

In (Heidemann, 2001), a framework for flexible aggregation in WSNs has been presented following the snapshot aggregation approach, without addressing issues like energy efficiency and security in the data aggregation process. A cluster-based algorithm has been proposed in (Estrin et al., 1999) that uses the *directed diffusion* technique to gather a global perspective utilizing only the local nodes in each cluster. The nodes are assigned different levels – level 0 being assigned to the nodes lying at the lowest level. The nodes at the higher levels can communicate with the nodes in the same cluster and the cluster head node. This effectively enables *localized cluster computation*. The nodes at the higher level communicate the local information of the cluster to get a global picture of the network aggregation. In (Madden et al., 2002), the authors have proposed a mechanism called TAG – a generic data aggregation scheme that involves a language similar to SQL for generating queries in a WSN. In this scheme, the *base station* (BS) generates a query using the query language, and the sensor nodes send their replies using routes constructed based on a *routing tree*. At each point in the routing tree, the data is aggregated using some aggregation function that was defined in the initial query sent by the BS. In (Shrivastava et al., 2004), a summary structure for supporting fairly complex aggregate functions, such as median and range queries, has been proposed. Computation of relatively simpler functions such as min/max, sum, and average is also supported in the proposed framework. However, more complex aggregates, such as the most frequently reported data values, are not supported. The computed aggregate functions are approximate, but the estimation errors are statistically bounded. There are also propositions based on programmable sensor networks for aggregation based on snapshot algorithms (Jaikaeo et al., 2000). In (Zhao et al., 2002), the authors have focused their attention on the problem of providing a residual energy map of a WSN. They have proposed a scheme for computing the equi-potential curves of residual energy within a certain acceptable margin of error. A simple but efficient aggregation function is proposed in which the location approximation of the nodes is not computed. A more advanced aggregate function can be developed for this purpose that will encompass an accurate convex curve. For periodic updates of the residual energy map, the authors have proposed a naïve scheme of incremental updates. Thus, if a node changes its value beyond the tolerance limit, its value is transmitted and aggregated again by some nodes before the final change reaches the user. No mechanism exists for prediction of changes or for estimation of the correlation between sensed values for the purpose of setting the tolerance threshold. In (Goel & Imielinski, 2001), a scheme has been proposed for the purpose of monitoring the sensed values of each individual sensor node in a WSN.

There is no aggregation algorithm in the scheme; however, the spatial-temporal correlation between the sensed data can be extrapolated to fit an aggregation function. The authors have also attempted to modify the techniques of MPEG-2 for sensor network monitoring to optimize communication overhead and energy. A central node computes predictions and transmits them to all the nodes. The nodes send their updates only if their sensed data deviate significantly from the predictions. A distributed computing framework is developed by establishing a hierarchical dependency among the nodes. An energy-efficient aggregation algorithm is proposed by the authors in (Boulis et al., 2003), in which each node in a WSN senses the parameter and there is no hierarchical dependency among the nodes. The nodes in a neighbourhood periodically broadcast their information based on a threshold value.

As mentioned earlier in this section, none of the above schemes consider security aspects in the aggregation schemes. Security in aggregation schemes for WSNs has also attracted attention from the researchers and a considerable number of propositions exist in the literature in this perspective. We discuss some of the well-known mechanisms below.

A *secure aggregation* (SA) protocol has been proposed that uses the *TESLA* protocol (Hu & Evans, 2003). The protocol is resilient to both intruder devices and single-device key compromises. In the proposition, the sensor nodes are organized into a tree whose internal nodes act as the aggregators. However, the protocol is vulnerable if a parent and one of its child nodes are compromised, since, due to the delayed disclosure of symmetric keys, the parent node will not be able to immediately verify the authenticity of the data sent by its child nodes.


Przydatek et al. have presented a *secure information aggregation* (SIA) framework for sensor networks (Przydatek et al., 2003; Chan et al., 2007). The framework consists of three categories of node: a home server, a base station and sensor nodes. A base station is a resource-enhanced node which is used as an intermediary between the home server and the sensor nodes, and it is also the candidate to perform the aggregation task. SIA assumes that each sensor has a unique identifier and shares a separate secret cryptographic key with both the home server and the aggregator. The keys enable message authentication and encryption if data confidentiality is required. Moreover, it further assumes that the home server and the base station can use a mechanism, such as *μTESLA*, to broadcast authenticated messages. The proposed solution follows an *aggregate-commit-prove* approach. In the *first phase* (*aggregate*), the aggregator collects data from the sensors and locally computes the aggregation result using some specific aggregate function. Each sensor shares a key with the aggregator. This allows the aggregator to verify whether a sensor reading is authentic. However, there is a possibility that a sensor may have been compromised and an adversary has captured the key. In the proposed scheme there is no mechanism to detect such an event. In the *second phase* (*commit*), the aggregator commits to the collected data. This phase ensures that the aggregator actually uses the data collected from the sensors, and that the statement to be verified by the home server about the correctness of the computed results is meaningful. One efficient mechanism for committing is a *Merkle hash-tree* construction (Merkle, 1980). In this method, the data collected from the sensors is placed at the leaves of a tree. The aggregator then computes a binary hash tree starting from the leaf nodes. Each internal node in the hash tree is computed as the hash value of the concatenation of its two children nodes. 
The root of the tree is called the commitment of the collected data. As the hash function in use is collision free, once the aggregator commits to the collected values, it cannot change any of the collected values. In the *third and final phase*, the aggregator and the home server engage in a protocol in which the aggregator communicates the aggregation result. In addition, the aggregator uses an interactive proof protocol to prove the correctness of the reported results. This is done in two logical steps. In the first step, the home server ensures that the committed data is a good representation of the sensor data readings collected. In the second step, the home server checks the reliability of the aggregator output. This is done by checking whether the aggregation result is close to the committed results. The interactive proof protocol varies depending on the aggregation function being used. Moreover, the authors have also presented efficient protocols for secure computation of the median and the average of the measurements, for the estimation of the network size, and for finding the minimum and maximum sensor reading.
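The Merkle hash-tree commitment used in the *commit* phase can be sketched as follows. SHA-256 and the duplicate-last-leaf padding for odd-sized levels are illustrative choices, not details mandated by SIA.

```python
import hashlib

def h(data):
    return hashlib.sha256(data).digest()

def merkle_root(leaves):
    """Sketch of a Merkle hash-tree commitment over sensor readings.

    Readings sit at the leaves; each internal node is the hash of the
    concatenation of its two children, and the root is the aggregator's
    commitment to the collected data.
    """
    level = [h(x) for x in leaves]
    while len(level) > 1:
        if len(level) % 2:                 # pad odd levels (illustrative choice)
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

readings = [b"21.0", b"22.5", b"21.7", b"22.1"]
commit = merkle_root(readings)
# collision resistance means changing any committed reading changes the root
assert merkle_root([b"99.9", b"22.5", b"21.7", b"22.1"]) != commit
```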

In (Mahimkar & Rappaport, 2004), a protocol is proposed that uses elliptic curve cryptography for encrypting the data in WSNs. The scheme is based on clustering, where all nodes within a cluster share a secret cluster key. Each sensor node in a cluster generates a partial signature over its data. Each aggregator aggregates its cluster data and broadcasts the aggregated data in its cluster. Each node in a cluster checks its data against the aggregated data broadcast by the aggregator. A sensor node puts its partial signature to authenticate a message only if the difference between its data and the aggregated data is less than a threshold. Finally, the aggregator combines all the partially signed messages to form a full signature with the authenticated result.


Deng et al. proposed a collection of mechanisms for *securing in-network processing* (SINP) for WSNs (Deng et al., 2003). Security mechanisms have been proposed to address the downstream requirement that sensor nodes authenticate commands disseminated from parent aggregators, and the upstream requirement that aggregators authenticate data produced by sensors before aggregating that data. In the downstream stage, two techniques are involved: one-way functions and *TESLA*. The upstream stage requires that a pair-wise key be shared between an aggregator and its sensor nodes.

Cam et al. proposed an *energy-efficient secure pattern-based data aggregation* (ESPDA) protocol for wireless sensor networks (Cam et al., 2003; Cam et al., 2005; Cam et al., 2006a). ESPDA is applicable to hierarchy-based sensor networks. In ESPDA, a cluster-head first requests the sensor nodes to send the pattern codes corresponding to their sensed data. If multiple sensor nodes send the same pattern code to the cluster-head, only one of them is permitted to send the data to the cluster-head. ESPDA is secure because it does not require encrypted data to be decrypted by cluster-heads to perform data aggregation.

Cam et al. have introduced another *secure differential data aggregation* (SDDA) scheme based on pattern codes (Cam et al., 2006b). SDDA prevents redundant data transmission from sensor nodes by implementing the following schemes: (1) SDDA transmits differential data rather than raw data, (2) SDDA performs data aggregation on pattern codes representing the main characteristics of the sensed data, and (3) SDDA employs a sleep protocol to coordinate the activation of sensing units in such a way that only one of the sensor nodes capable of sensing the data is activated at a given time. In the SDDA data transmission scheme, the raw data from the sensor nodes is compared with the reference data and the difference between them is transmitted in the network. The reference data is obtained by taking the average of previously transmitted data.
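The differential-transmission idea can be sketched as below, with the reference taken as the average of previously transmitted readings. The window size and numbers are illustrative assumptions; pattern codes and the sleep protocol are omitted.

```python
def differential_stream(readings, history=3):
    """Sketch of SDDA-style differential transmission.

    Each new reading is compared against a reference value, taken here
    as the average of the last `history` transmitted readings, and only
    the (typically small) difference is put on the air.
    """
    sent, transmitted = [], []
    for r in readings:
        window = sent[-history:]
        ref = sum(window) / len(window) if window else 0.0
        transmitted.append(r - ref)   # only the difference is transmitted
        sent.append(r)
    return transmitted

# slowly varying readings yield small differentials after the first value
print(differential_stream([20.0, 20.5, 20.4, 20.6]))
```

For slowly varying physical quantities the transmitted differences are much smaller than the raw values, which is what saves energy on the radio.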

In (Sanli et al., 2004), a *secure reference-based data aggregation* (SRDA) protocol is proposed for cluster-based WSNs, in which raw data sensed by sensor nodes is compared with reference data values and then only the difference data is transmitted to conserve sensor energy. Reference data is taken as the average of a number of historical (i.e., past) sensor readings. However, a serious drawback of the scheme is that it does not allow aggregation at the intermediate nodes.

To defend against attacks by malicious aggregator nodes in WSNs which may falsely manipulate the data during the aggregation process, a cryptographic mechanism has been proposed in (Wu et al., 2007). In the proposed mechanism, a *secure aggregation tree* (SAT), is constructed that enables monitoring of the aggregator nodes. The child nodes of the aggregators can monitor the incoming data to the aggregators and can invoke a voting scheme in case any suspicious activities by the aggregator nodes are observed.

A *secure hop-by-hop data aggregation protocol* (SDAP) has been proposed in (Yang et al., 2006), in which a WSN is dynamically partitioned into multiple logical sub-trees of almost equal sizes using a probabilistic approach. In this way, fewer nodes are located under a high-level sensor node, thereby reducing potential security threats on nodes at higher levels. Since a compromised node at a higher level in a WSN will cause a more adverse effect on data aggregation than a lower-level node, the authors argue that by reducing the number of nodes at the higher levels of the logical tree, the aggregation process becomes more secure.

Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 153


In (Ozdemir, 2007), a secure and reliable data aggregation scheme – SELDA – is proposed that makes use of the concept of a web of trust. Trust and reputation based schemes have been extensively used for designing security solutions for multi-hop wireless networks like *mobile ad hoc networks* (MANETs), *wireless mesh networks* (WMNs) and WSNs (Sen, 2010b; Sen, 2010c; Sen, 2010d). In this scheme, sensor nodes exchange trust values in their neighborhood to form a *web of trust* that facilitates determining secure and reliable paths to aggregators. Observations from the sensor nodes which belong to a web of trust are given higher weights to make the aggregation process more robust.

A *data aggregation and authentication* (DAA) protocol is proposed in (Cam & Ozdemir, 2007), to integrate false data detection with data aggregation and confidentiality. In this scheme, a monitoring algorithm has been proposed for verifying the integrity of the computed aggregated result by each aggregator node.

In order to minimize false positives (a scenario where an alert is raised, however there is no attack), in a WSN, a dynamic threshold scheme is proposed in (Parkeh & Cam, 2007), which dynamically varies the threshold in accordance with false alarm rate. A data aggregation algorithm is also proposed to determine the detection probability of a target by fusing data from multiple sensor nodes.

Du et al. proposed a *witness-based data aggregation* (WDA) scheme for WSNs to assure the validation of the data fusion nodes to the base station (Du et al., 2003). To prove the validity of the fusion results, the fusion node has to provide proofs from several witnesses. A witness is one who also conducts data fusion like a data fusion node, but does not forward its result to the base station. Instead, each witness computes the MAC of the result and then provides it to the data fusion node, which must forward the proofs to the base station. This scheme can defend against attacks on data integrity in WSNs.

Wagner studied secure data aggregation in sensor networks and proposed a mathematical framework for formally evaluating their security (Wagner, 2004). The robustness of an aggregation operator against malicious data is quantified. Ye et al. propose a *statistical enroute filtering mechanism* to detect any forged data being sent from the sensor nodes to the base station of a WSN using multiple MACs along the path from the aggregator to the base station (Ye et al., 2004; Ye et al., 2005).

### **8. The proposed distributed secure aggregation protocol**

In this section, we propose a distributed estimation algorithm that is secure and resistant to insider attacks by compromised and faulty nodes. There are essentially two categories of aggregation functions (Boulis et al., 2003):

- Aggregation functions that are dependent on the values of a few nodes (e.g., the *max* function, whose result is based on one node).
- Aggregation functions whose values are determined by all the nodes (e.g., the *average* function).


However, the computation of both these types of functions is adversely affected by wrong sensed results sent by even a small number of compromised nodes. In this chapter, we consider only the first case, i.e., aggregation functions that find or approximate some kind of boundaries (e.g., maxima, minima), and hence the aggregation result is determined by the values of a few nodes. However, the proposed algorithm does not assume any knowledge about the underlying physical process.

### **8.1 The proposed secure aggregation algorithm**

152 Cryptography and Security in Computing


In the proposed distributed estimation algorithm, a sensor node, instead of transmitting a partially aggregated result, maintains and, if required, transmits an estimate of the global aggregated result. The global aggregated description in general will be a vector, since it represents multi-dimensional parameters sensed by different nodes. A global estimate will thus be a probability density function of the vector that is being estimated. However, in most practical situations, due to lack of sufficient information, complex computational requirements or unavailability of sophisticated estimation tools, an estimate is represented as: (*estimated value*, *confidence indication*), which in computational terms can be represented as: (*average of estimated vector*, *covariance matrix of estimated vector*). For the sake of manipulability with the tools of estimation theory, we have chosen to represent estimates in the form of (*A*, *PAA*), with *A* being the mean of the aggregated vector and *PAA* being the covariance matrix of vector *A*. For the *max* aggregation function, vector *A* becomes a scalar denoting the mean of the estimated max, and *PAA* becomes simply the variance of *A*.

In snapshot aggregation, a node does not have any control on the rate at which it sends information to its parents; it has to always follow the rate specified by the user application. Moreover, every node has little information about the global parameter, as it has no idea about what is happening beyond its parent. In the proposed approach, a node accepts estimates from all of its neighbors, and gradually gains knowledge about the global information. This helps a node to understand whether its own information is useful to its neighbors. If a node realizes that its estimate could be useful to its neighbors, it transmits the new estimate. Unlike snapshot aggregation, where the node transmits its estimate to its parent, in the proposed scheme the node broadcasts its estimate to all its neighbors. Moreover, there is no need to establish and maintain a hierarchical relationship among the nodes in the network. This makes the algorithm particularly suitable for multiple users, mobile users, faulty nodes and transient network partition situations.

The proposed algorithm has the following steps:

1. Every node has an estimate of the global aggregated value (global estimate) in the form of (mean, covariance matrix). When a node makes a new local measurement, it makes an aggregation of the local observation with its current estimate. This is depicted in the block *Data Aggregation 1* in Fig. 5. The node computes the new global estimate and decides whether it should broadcast the new estimate to its neighbors. The decision is based on a threshold value, as explained in Section 8.4.
2. When a node receives a global estimate from a neighbor, it first checks whether the newly received estimate differs from its current estimate by more than a pre-defined threshold.
	- a. If the difference does not exceed the threshold, the node makes an aggregation of the global estimates (its current value and the received value) and computes a new global estimate. This is depicted in the block *Data Aggregation 2* in Fig. 5. The node then decides whether it should broadcast the new estimate.
	- b. If the difference exceeds the threshold, the node performs the same function as in step (a). Additionally, it requests its other neighbors to send their values of the global estimate.
	- c. If the estimates sent by the majority of the neighbors differ from the estimate sent by the first neighbor by a threshold value, then the node is assumed to be compromised. Otherwise, it is assumed to be normal.
3. If a node is identified to be compromised, the global estimate previously sent by it is ignored in the computation of the new global estimate and the node is isolated from the network by a broadcast message in its neighborhood.
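The receive-side control flow of steps 2–3 can be sketched for the scalar *max* case as follows. The `Node` structure, helper names, and the assumption that polled neighbor values are already available are illustrative simplifications of ours; the chapter specifies only the control flow, not a concrete API:

```python
# Sketch of steps 2-3 for the scalar max-aggregation case. The data
# structures and the simple |a - b| > threshold test are illustrative
# stand-ins, not definitions from the chapter.

class Node:
    def __init__(self, estimate, neighbors):
        self.estimate = estimate         # current global estimate (scalar)
        self.neighbors = set(neighbors)  # neighbor identifiers
        self.isolated = set()            # neighbors flagged as compromised

def differs(a, b, threshold):
    return abs(a - b) > threshold

def handle_estimate(node, sender, value, neighbor_values, threshold):
    """Steps 2-3: fuse a received estimate; on a large difference, poll
    the other neighbors and apply a majority vote on the sender."""
    fused = max(node.estimate, value)    # aggregation for the max function
    if differs(node.estimate, value, threshold):
        # Step 2c: compare the sender's value against the other neighbors.
        others = [v for n, v in neighbor_values.items() if n != sender]
        disagree = sum(1 for v in others if differs(v, value, threshold))
        if disagree > len(others) / 2:
            # Step 3: majority disagrees -> ignore the estimate, isolate sender.
            node.isolated.add(sender)
            return node.estimate
    node.estimate = fused
    return node.estimate

node = Node(estimate=25.0, neighbors={"B", "C", "D"})
readings = {"C": 25.2, "D": 24.9}
# "B" reports an outlying 40.0; both C and D disagree with it -> B is isolated.
handle_estimate(node, "B", 40.0, readings, threshold=1.0)
```

With these example numbers the outlier from "B" is rejected, the node's estimate stays at 25.0, and "B" is added to the isolated set.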



Fig. 5. A Schematic flow diagram of the proposed aggregation algorithm

### **8.2 Aggregation of two global estimates**

In Fig. 5, the block *Data Aggregation 1* corresponds to this activity. For combining two global estimates to produce a single estimate, *covariance intersection* (CI) algorithm is used. CI algorithm is particularly suitable for this purpose, since it has the capability of aggregating two estimates without requiring any prior knowledge about their degree of correlation. This is more pertinent to WSNs, as we cannot guarantee statistical independence of observed data in such networks.

Given two estimates (*A*, *PAA*) and (*B*, *PBB*), the combined estimate (*C*, *PCC*) by CI is given by (23) and (24):

$$P_{CC} = \left(\omega P_{AA}^{-1} + (1-\omega)P_{BB}^{-1}\right)^{-1} \tag{23}$$

$$C = P_{CC}\left(\omega P_{AA}^{-1}A + (1-\omega)P_{BB}^{-1}B\right) \tag{24}$$

Here, *PAA*, *PBB*, and *PCC* represent the covariance matrices associated with the estimates *A*, *B*, and *C* respectively. The main computational problem with CI is the computation of *ω*. The value of *ω* lies between 0 and 1. The optimum value of *ω* is the one for which the determinant (or the trace) of *PCC* is minimized.

For *max* aggregation function, covariance matrices are simple scalars. It can be observed from (23) and (24) that in such a case *ω* can be either 1 or 0. Subsequently, *PCC* is equal to the minimum of *PAA* and *PBB*, and *C* is equal to either *A* or *B* depending on the value of *PCC*. Even when the estimates are reasonably small-sized vectors, there are efficient algorithms to determine *ω*.
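For concreteness, a minimal sketch of the CI fusion of (23) and (24) in the scalar case; the brute-force search over *ω* is our illustrative choice (closed-form and iterative optimizers also exist), not part of the original scheme:

```python
# Covariance intersection (CI) for scalar estimates, as in (23)-(24).
# For scalars the optimal omega turns out to be 0 or 1, so the fused
# variance P_CC equals min(P_AA, P_BB), as noted in the text.

def ci_fuse(A, P_AA, B, P_BB, steps=1000):
    """Fuse estimates (A, P_AA) and (B, P_BB); omega minimizes P_CC."""
    best = None
    for i in range(steps + 1):
        w = i / steps
        # Equation (23): P_CC = (w/P_AA + (1-w)/P_BB)^(-1)
        P_CC = 1.0 / (w / P_AA + (1 - w) / P_BB)
        if best is None or P_CC < best[1]:
            # Equation (24): C = P_CC * (w*A/P_AA + (1-w)*B/P_BB)
            C = P_CC * (w * A / P_AA + (1 - w) * B / P_BB)
            best = (C, P_CC, w)
    return best

C, P_CC, w = ci_fuse(25.0, 4.0, 26.0, 1.0)
# The lower-variance estimate wins: omega -> 0, P_CC -> P_BB, C -> B
```

Running the example confirms the scalar behaviour described above: *ω* ends up at 0, *PCC* equals the smaller variance (1.0), and *C* equals *B* (26.0).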

### **8.3 Aggregation of a local observation with a global estimate**


This module corresponds to the block *Data Aggregation 2* in Fig. 5. Aggregation of a local observation with a global estimate involves a statistical computation with two probability distributions.

**Case 1:** Mean of the local observation is greater than the mean of the current global estimate: In the case of the *max* aggregation function, if the mean of the local observation is greater than the mean of the current global estimate, the local observation is taken as the new estimate. The distribution of the new estimate is arrived at by multiplying the distribution of the current global estimate by a positive fraction (*w1*) and summing it with the distribution of the local observation. The fractional value determines the relative weight assigned to the value of the global estimate. The weight assigned to the local observation is unity.

**Case 2**: Mean of the local observation is smaller than the mean of the current global estimate: If a node observes that the mean of the local observation is smaller than its current estimate, it combines the two distributions in the same way as in *Case 1* above, but this time a higher weight (*w2*) is assigned to the distribution having the higher mean (i.e. the current estimate). However, as observed in (Boulis et al., 2003), this case should be handled more carefully if there is a sharp fall in the value of the global maximum. We follow the same approach as proposed in (Boulis et al., 2003). If the previous local measurement does not differ from the global estimate beyond a threshold value, a larger weight is assigned to the local measurement as in *Case 1*. In this case, it is believed that the specific local measurement is still the global aggregated value.

For computation of the weights *w1* and *w2* in *Case 1* and *Case 2* respectively, we follow the same approach as suggested in (Boulis et al., 2003). Since all the local measurements and the global estimates are assumed to follow a Gaussian distribution, almost all the observations are bounded within the interval [*μ* ± 3\**σ*]. When the mean of the local measurement is larger than the mean of the global estimate, the computation of the weight *w1* is done as follows. Let us suppose that *l(x)* and *g(x)* are the probability distributions for the local measurement and the global estimate respectively. If *l(x)* and *g(x)* can take non-zero values in the intervals [*x1*, *x2*] and [*y1*, *y2*] respectively, then the weight *w1(x)* is assigned a value of 0 for all *x* < *x1* and a value of 1 for all *x* ≥ *x1*. Here, *x1* is equal to *μ1* – 3\**σ1*, where *μ1* and *σ1* are the mean and the standard deviation of *l(x)* respectively.

When the mean of the local measurement is smaller than the mean of the global estimate, the computation of the weight *w2* is carried out as follows. The value of *w2(x)* is assigned to be 0 for all *x* < max{*μ1* – 3\**σ1*, *μ2* – 3\**σ2*}, and *w2(x)* is assigned a value of 1 for all *x* ≥ max{*μ1* – 3\**σ1*, *μ2* – 3\**σ2*}. Here, *y1* is equal to *μ2* – 3\**σ2*, where *μ2* and *σ2* represent the mean and the standard deviation of *g(x)* respectively.
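The two weight functions reduce to step functions over the 3σ lower bounds. In this sketch, the inequality directions (0 below the relevant 3σ lower bound, 1 above it) are our reconstruction, since they were lost in the source:

```python
# Step-weight functions for combining a local measurement l(x) ~ N(mu1, sigma1^2)
# with a global estimate g(x) ~ N(mu2, sigma2^2), following (Boulis et al., 2003).
# The inequality directions are an assumption: mass below the 3-sigma lower
# bound gets weight 0 (it cannot be the max), mass above it gets weight 1.

def w1(x, mu1, sigma1):
    """Case 1 weight: zero out global-estimate mass below x1 = mu1 - 3*sigma1."""
    x1 = mu1 - 3 * sigma1
    return 0.0 if x < x1 else 1.0

def w2(x, mu1, sigma1, mu2, sigma2):
    """Case 2 weight: zero out mass below max(mu1 - 3*sigma1, mu2 - 3*sigma2)."""
    bound = max(mu1 - 3 * sigma1, mu2 - 3 * sigma2)
    return 0.0 if x < bound else 1.0
```

For example, with *μ1* = 20 and *σ1* = 1, `w1` is 0 below 17 and 1 from 17 upward.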


In all these computations, it is assumed that the resultant distribution after the combination of two bounded Gaussian distributions is also a Gaussian distribution. This is done in order to maintain the consistency of the estimates. The mean and the variance of the new Gaussian distribution represent the new estimate and the confidence (or certainty) associated with this new estimate respectively.
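One way to realize this Gaussian re-fit is numerical moment matching over the combined density. The grid integration and the particular weighted-sum form `l(x) + w(x)*g(x)` below are our illustrative reading of the Case 1 combination, not a procedure spelled out in the chapter:

```python
# Moment-matching sketch: combine a weighted global estimate with a local
# observation and re-fit a single Gaussian whose mean is the new estimate
# and whose variance is the associated confidence. Grid integration is an
# illustrative device; any quadrature would do.
import math

def gauss(x, mu, sigma):
    return math.exp(-0.5 * ((x - mu) / sigma) ** 2) / (sigma * math.sqrt(2 * math.pi))

def refit_gaussian(mu_l, sig_l, mu_g, sig_g, w, lo, hi, n=10000):
    """Density l(x) + w(x)*g(x), renormalized; returns (mean, variance)."""
    xs = [lo + (hi - lo) * i / n for i in range(n + 1)]
    dens = [gauss(x, mu_l, sig_l) + w(x) * gauss(x, mu_g, sig_g) for x in xs]
    total = sum(dens)
    mean = sum(x * d for x, d in zip(xs, dens)) / total
    var = sum((x - mean) ** 2 * d for x, d in zip(xs, dens)) / total
    return mean, var

# Case 1 example: local N(26, 1) dominates a global N(24, 1) whose mass
# below mu_l - 3*sig_l = 23 is suppressed by the step weight w1.
m, v = refit_gaussian(26.0, 1.0, 24.0, 1.0,
                      lambda x: 0.0 if x < 23.0 else 1.0, 18.0, 32.0)
```

The re-fitted mean lands between the two component means, and the variance reflects both the component spreads and their separation.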

### **8.4 Optimization of communication overhead**

Optimization of communication overhead is of prime importance in resource constrained and bandwidth-limited WSNs. The block named *Decision Making* in Fig. 5 is involved in this optimization mechanism of the proposed scheme. This module makes a trade-off between energy requirement and accuracy of the aggregated results.

To reduce the communication overhead, each node in the network communicates its computed estimate only when the estimate can bring a significant change in the estimates of its neighbors. For this purpose, each node stores the most recent value of the estimate it has received from each of its neighbors in a table. Every time a node computes its new estimate, it checks the difference between its newly computed estimate and the estimates of each of its neighbors. If this difference exceeds a pre-set threshold for any of its neighbors, the node broadcasts its newly computed estimate. The determination of this threshold is crucial, as it has a direct impact on the level of accuracy in the global estimate and the energy expenditure in the WSN. The higher overhead due to message broadcasts is reduced by maintaining two-hop neighborhood information in each node in the network (Boulis et al., 2003). This eliminates communication of redundant messages. This is illustrated in the following example.

Suppose that nodes *A*, *B* and *C* are in the neighborhood of each other in a WSN. Let us assume that node *A* makes a local measurement and this changes its global estimate. After combining this estimate with the other estimates of its neighbors as maintained in its local table, node *A* decides to broadcast its new estimate. As node *A* broadcasts its computed global estimate, it is received by both nodes *B* and *C*. If this broadcast estimate changes the global estimate of node *B* too, then it will further broadcast the estimate to node *C*, as node *B* is unaware that the broadcast has changed the global estimate of node *C* also. Thus the same information is propagated in the same set of nodes in the network leading to a high communication overhead in the network.

To avoid this message overhead, every node in the network maintains its two-hop neighborhood information. When a node receives information from another node, it not only checks the estimate values of its immediate neighbors as maintained in its table but also it does the same for its two-hop neighbors. Thus in the above example, when node *B* receives information from node *A*, it does not broadcast as it understands that node *C* has also received the same information from node *A*, since node *C* is also a neighbor of node *A*. The two-hop neighborhood information can be collected and maintained by using algorithms as proposed in (McGlynn & Borbash, 2001).
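The two-hop suppression test amounts to a set-difference check. The function and table names below are illustrative, not from the chapter:

```python
# Two-hop broadcast suppression sketch: a node re-broadcasts an estimate
# received from `sender` only if at least one of its own neighbors is NOT
# also a neighbor of the sender (i.e., did not already hear the broadcast).

def should_rebroadcast(my_neighbors, sender, neighbors_of):
    """my_neighbors: this node's neighbor set; neighbors_of: two-hop table."""
    uncovered = my_neighbors - neighbors_of[sender] - {sender}
    return len(uncovered) > 0

# Example from the text: A, B and C are mutual neighbors. When B hears A's
# broadcast, its only other neighbor C is also a neighbor of A, so B is silent.
two_hop = {"A": {"B", "C"}, "B": {"A", "C"}, "C": {"A", "B"}}
print(should_rebroadcast(two_hop["B"], "A", two_hop))  # False
```

If B additionally had a neighbor D that is not a neighbor of A, the test would return `True` and B would re-broadcast.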

The choice of the threshold value is vital to arrive at an effective trade-off between the energy consumed for computation and the accuracy of the result of aggregation. For a proper estimation of the threshold value, some idea about the degree of dynamism of the physical process being monitored is required. A more dynamic physical process puts a greater load on the estimation algorithm, thereby demanding more energy for the same level of accuracy (Boulis et al., 2003). If the user has no information about the physical process, he can determine the level of accuracy of the aggregation and the amount of energy spent dynamically as the process executes.

### **8.5 Security in aggregation scheme**

156 Cryptography and Security in Computing

In all these computations, it assumed that the resultant distribution after combination of two bounded Gaussian distributions is also a Gaussian distribution. This is done in order to maintain the consistency of the estimates. The mean and the variance of the new Gaussian distribution represent the new estimate and the confidence (or certainty) associated with

Optimization of communication overhead is of prime importance in resource constrained and bandwidth-limited WSNs. The block named *Decision Making* in Fig. 5 is involved in this optimization mechanism of the proposed scheme. This module makes a trade-off between

To reduce the communication overhead, each node in the network communicates its computed estimate only when the estimate can bring a significant change in the estimates of its neighbors. For this purpose, each node stores the most recent value of the estimate it has received from each of its neighbors in a table. Every time a node computes its new estimate, it checks the difference between its newly computed estimate with the estimates of each of its neighbors. If this difference exceeds a pre-set threshold for any of its neighbors, the node broadcasts its newly computed estimate. The determination of this threshold is crucial as it has a direct impact on the level of accuracy in the global estimate and the energy expenditure in the WSN. A higher overhead due to message broadcast is optimized by maintaining two-hop neighborhood information in each node in the network (Boulis et al., 2003). This eliminates

communication of redundant messages. This is illustrated in the following example.

Suppose that nodes *A*, *B* and *C* are in the neighborhood of each other in a WSN. Let us assume that node *A* makes a local measurement and this changes its global estimate. After combining this estimate with the other estimates of its neighbors as maintained in its local table, node *A* decides to broadcast its new estimate. As node *A* broadcasts its computed global estimate, it is received by both nodes *B* and *C*. If this broadcast estimate changes the global estimate of node *B* too, then it will further broadcast the estimate to node *C*, as node *B* is unaware that the broadcast has changed the global estimate of node *C* also. Thus the same information is propagated in the same set of nodes in the network leading to a high

To avoid this message overhead, every node in the network maintains its two-hop neighborhood information. When a node receives information from another node, it not only checks the estimate values of its immediate neighbors as maintained in its table but also it does the same for its two-hop neighbors. Thus in the above example, when node *B* receives information from node *A*, it does not broadcast as it understands that node *C* has also received the same information from node *A*, since node *C* is also a neighbor of node *A*. The two-hop neighborhood information can be collected and maintained by using

The choice of the threshold value is vital to arrive at an effective trade-off between the energy consumed for computation and the accuracy of the result of aggregation. For a proper estimation of the threshold value, some idea about the degree of dynamism of the physical process being monitored is required. A more dynamic physical process puts a

this new estimate respectively.

**8.4 Optimization of communication overhead** 

communication overhead in the network.

algorithms as proposed in (McGlynn & Borbash, 2001).

energy requirement and accuracy of the aggregated results.

The security module of the proposed scheme assumes that the sensing results of a set of sensors in the same neighborhood follow a normal (Gaussian) distribution. Thus, if a node receives an estimate from one (or more) of its neighbors that deviates from its own local estimate by more than three times its standard deviation, the neighbor node is suspected to have been compromised or to have failed. In such a scenario, the node that first detected the anomaly sends a broadcast message to each of its neighbors requesting the values of their estimates. If the sensing result of the suspected node deviates significantly (i.e., by more than three times the standard deviation) from the observations of the majority of the neighbor nodes, then the suspected node is identified as malicious. Once a node is identified as malicious, a broadcast message is sent in the neighborhood of the node that detected it, and the malicious node is isolated from the network activities.

However, if the observation of the suspected node does not deviate significantly from the observations made by the majority of its neighbors, the node is assumed not to be malicious. In such a case, the estimate sent by the node is incorporated in the computation of the new estimate, and a new global estimate is computed in the neighborhood of the node.
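The detection logic above can be sketched in a few lines of Python. This is a minimal illustration, not code from the proposed scheme: the function names are invented, and the precision-weighted rule used in `fuse` for combining two Gaussian estimates is a standard assumption, since the chapter only states that the combined estimate is again treated as Gaussian.

```python
import statistics

SIGMA_FACTOR = 3  # deviation threshold from the text: three standard deviations


def fuse(est_a, est_b):
    """Combine two Gaussian estimates (mean, variance) into one Gaussian.

    Precision-weighted fusion is assumed here (an illustrative choice)."""
    (m1, v1), (m2, v2) = est_a, est_b
    v = (v1 * v2) / (v1 + v2)
    m = (m1 * v2 + m2 * v1) / (v1 + v2)
    return (m, v)


def is_suspicious(local_est, neighbor_mean):
    """Flag a neighbor whose estimate deviates from the local estimate
    by more than three local standard deviations."""
    mean, var = local_est
    return abs(neighbor_mean - mean) > SIGMA_FACTOR * var ** 0.5


def majority_says_malicious(suspect_value, polled_estimates):
    """After polling the neighborhood, declare the suspect malicious if its
    value deviates by more than three sigma from the majority view."""
    means = [m for (m, _v) in polled_estimates]
    center = statistics.median(means)
    spread = statistics.pstdev(means) or 1e-9  # guard against zero spread
    return abs(suspect_value - center) > SIGMA_FACTOR * spread


# Example: a neighborhood reading around 25 with one outlier report of 40
local = (25.0, 1.0)  # (mean, variance)
polled = [(24.8, 1.0), (25.3, 1.0), (24.9, 1.0), (25.1, 1.0)]
print(is_suspicious(local, 40.0))
print(majority_says_malicious(40.0, polled))
```

A node that flags a neighbor via `is_suspicious` would then poll its neighborhood and apply the majority test before isolating the suspect, mirroring the two-step procedure described above.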

### **9. Simulation results**

In this section, we describe the simulations that have been performed on the proposed scheme. As the proposed algorithm is an extension of the algorithm presented in (Boulis et al., 2003), we present here the results that are more relevant to our contribution, i.e., the performance of the security module. The results related to the energy consumption of nodes and aggregation accuracy for different threshold values (discussed in Section 8.4) are presented in detail in (Boulis et al., 2003) and therefore these are not within the scope of this work.

In the simulated environment, the implemented application performs temperature monitoring, based on the network simulator (*ns-2*) and its sensor network extension *Mannasim* (Mannasim, 2002). The nodes sense the temperature continuously and send the maximum sensed temperature only when it differs from the last data sent by more than 2%. In order to simulate the temperature behaviour of the environment, random numbers are generated following a Gaussian distribution with a standard deviation of 1°C around an average temperature of 25°C. The simulation parameters are presented in Table 3.
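The sensing and reporting behaviour described above can be sketched as follows. The function names and the stand-alone reading generator are illustrative only and are not part of *ns-2* or *Mannasim*; the sketch simply assumes Gaussian readings (mean 25, standard deviation 1) and the 2% change-reporting rule.

```python
import random


def temperature_stream(n, mean=25.0, sigma=1.0, seed=42):
    """Gaussian temperature readings, as in the simulated environment
    (average 25 degrees C, standard deviation 1 degree C)."""
    rng = random.Random(seed)
    return [rng.gauss(mean, sigma) for _ in range(n)]


def readings_to_send(readings, threshold=0.02):
    """A node re-sends its maximum sensed temperature only when it differs
    from the last value sent by more than 2% (the reporting rule above)."""
    sent = []
    last = None
    current_max = float("-inf")
    for r in readings:
        current_max = max(current_max, r)
        if last is None or abs(current_max - last) > threshold * abs(last):
            sent.append(current_max)
            last = current_max
    return sent


stream = temperature_stream(1000)
sent = readings_to_send(stream)
print(f"{len(sent)} transmissions for {len(stream)} samples")
```

Because a node tracks its running maximum, most samples are suppressed and only a handful of transmissions occur, which is the energy-saving effect the reporting rule is meant to achieve.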

To evaluate the performance of the security module of the proposed algorithm, two different scenarios are simulated. In the first case, the aggregation algorithm is executed in the nodes without invoking the security module to estimate the energy consumption of the aggregation algorithm. In the second case, the security module is invoked in the nodes and some of the nodes in the network are intentionally compromised. This experiment allows us to estimate the overhead associated with the security module of the algorithm and its detection effectiveness.

Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 159

| Parameter | Value |
|---|---|
| No. of nodes | 160 |
| Simulation time | 200 s |
| Coverage area | 120 m × 120 m |
| Initial energy in each node | 5 Joules |
| MAC protocol | IEEE 802.11 |
| Routing protocol | None |
| Node distribution | Uniform random |
| Transmission power of each node | 12 mW |
| Transmission range | 15 m |
| Node capacity | 5 buffers |
| Energy spent in transmission | 0.75 W |
| Energy spent in reception | 0.25 mW |
| Energy spent in sensing | 10 mW |
| Sampling period | 0.5 s |
| Node mobility | Stationary |

Table 3. Simulation parameters

It is observed that the *delivery ratio* (the ratio of the packets received by the nodes to the packets sent) is not affected by the invocation of the security module. This is expected: as the packets are transmitted in the same wireless environment, the introduction of the security module should not have any influence on the delivery ratio.

Regarding energy consumption, it is observed that the introduction of the security module leads to an average increase of 105.4% in the energy consumption of the nodes in the network. This increase is observed when 20% of the nodes, chosen randomly, are intentionally compromised while the aggregation algorithm is executing. The increase in energy consumption is due to the additional transmission and reception of messages after the security module is invoked.

To evaluate the detection effectiveness of the security scheme, further experiments are conducted. For this purpose, different percentages of nodes in the network are compromised and the detection effectiveness of the security scheme is evaluated. Fig. 6 and Fig. 7 present the results for 10% and 20% compromised nodes in the network respectively. In these diagrams, false positives refer to the cases where the security scheme wrongly identifies a sensor node as faulty while it is actually not, whereas false negatives are the cases where the detection scheme fails to identify a sensor node that is actually faulty. It is observed that even when 20% of the nodes in the network are compromised, the scheme has a very high detection rate with very low false positive and false negative rates. The results show that the proposed mechanism is quite effective in the detection of failed and compromised nodes in the network.

Fig. 6. Detection effectiveness with 10% of the nodes in the network faulty

Fig. 7. Detection effectiveness with 20% of the nodes in the network faulty

### **10. Conclusion and future research issues**

In-network data aggregation in WSNs is a technique that combines partial results at the intermediate nodes en route to the base station (i.e., the node issuing the query), thereby reducing the communication overhead and optimizing the bandwidth utilization of the wireless links. However, this technique raises privacy and security issues for the sensor nodes, which need to share their data with the aggregator node. In applications such as health care and military surveillance, where the sensitivity of the private data of the sensors is very high, the aggregation has to be carried out in a privacy-preserving way, so that the sensitive data are not revealed to the aggregator. A very popular scheme for this purpose, known as CPDA, exists in the literature. Although CPDA has been in the literature for quite some time, no vulnerability of the protocol had been reported so far. In this chapter, we have first demonstrated a security vulnerability in the CPDA protocol, wherein a malicious sensor node can exploit the protocol in such a way that it gets access to the private values of its neighbors while participating in the data aggregation process. A suitable modification of the CPDA protocol is further proposed so as to plug the identified vulnerability and also to make the protocol computationally more efficient. We have also analyzed the communication and computational overhead of the original CPDA protocol and the proposed modified version. The analysis shows that the modified version of the protocol involves appreciably less message communication overhead in the network and a lower computational load on the sensor nodes.


We have also presented a comprehensive discussion of the existing secure aggregation protocols for WSNs and proposed a secure aggregation protocol for defending against attacks by malicious insider nodes that may introduce fake messages/data or alter the data of honest nodes in the network. The performance of the proposed scheme has been evaluated on a network simulator, and the results have shown that the scheme is effective in defending against attacks launched by malicious insider nodes in a WSN.

It may be noted that over the past few years, several schemes have been proposed in the literature for privacy-preserving data aggregation in WSNs. A very popular and elegant approach in this direction is *homomorphic encryption* (Fontaine & Galand, 2007). Westhoff et al. have proposed additive privacy homomorphic functions that allow for end-to-end encryption between the sensors and the sink node and simultaneously enable aggregators to apply aggregation functions directly over the ciphertexts (Westhoff et al., 2006). This has the advantage of eliminating the need for intermediate aggregators to carry out decryption and encryption operations on the sensitive data. Armknecht et al. have presented a symmetric encryption scheme for sensor data aggregation that is homomorphic both for the data and the keys (Armknecht et al., 2008). This is called *bi-homomorphic encryption*, which is also essentially an additive homomorphic function. Castelluccia et al. have proposed an approach that combines inexpensive encryption techniques with simple aggregation methods to achieve efficient aggregation of encrypted data in WSNs (Castelluccia et al., 2009). The method relies on end-to-end encryption of data and hop-by-hop authentication of nodes. Privacy is achieved by using additive homomorphic functions. A very simple approach to privacy-preserving multi-party computation has been discussed by Chaum (Chaum, 1988). The protocol, known as the *Dining Cryptographers Problem*, describes the way a channel is created so that it is difficult to trace (i.e., identify) the sender of any message through that channel.

The approaches based on privacy homomorphic functions are more elegant than CPDA for carrying out sensor data aggregation in a privacy-preserving way. However, they involve a large computational overhead due to the complexity of computing the homomorphic encryption functions and the associated key management issues. Most of the existing public key cryptography-based privacy homomorphic functions are too heavy for resource-constrained, battery-operated sensor nodes. Some secure data aggregation schemes use elliptic curve cryptography (Westhoff et al., 2006). However, these schemes work only for some specific query-based aggregation functions, e.g., sum, average, etc. A more elegant scheme that works for all types of functions is clearly in demand. In (Gentry, 2009), a fully homomorphic encryption scheme has been presented. However, this scheme is too complex and heavy-weight for deployment in WSNs. In addition, in some WSN environments, symmetric cryptography-based privacy homomorphic encryption schemes are more suitable (Castelluccia, 2005; Castelluccia, 2009; Ozdemir, 2008). However, most of the current homomorphic encryption schemes are based on public key encryption. Hence, exploration of symmetric key cryptography-based privacy homomorphism functions is an interesting research problem. Another emerging research direction is the use of *digital watermarking* schemes in place of privacy homomorphic encryption functions (Zhang et al., 2008). However, this method allows only one-way authentication of sensor data, and only at the base station. To defend against *rogue base station attacks* on sensor nodes, this scheme would not be applicable. Design of a mutual authentication scheme using watermarking techniques for secure and privacy-preserving data aggregation protocols is another research problem that needs the attention of the research community.

### **11. References**

Acharya, M.; Girao, J. & Westhoff, D. (2005). Secure Comparison of Encrypted Data in Wireless Sensor Networks. *Proceedings of the 3rd International Symposium on Modelling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WIOPT)*, pp. 47-53, Washington, DC, USA, 2005.

Akyildiz, I. F.; Su, W.; Sankarasubramaniam, Y. & Cayirci, E. (2002). Wireless Sensor Networks: A Survey. *IEEE Computer*, Vol 38, No 4, pp. 393-422, March 2002.

Armknecht, F.; Westhoff, D.; Girao, J. & Hessler, A. (2008). A Lifetime-Optimized End-to-End Encryption Scheme for Sensor Networks Allowing In-Network Processing. *Computer Communications*, Vol 31, No 4, pp. 734-749, March 2008.

Bandyopadhyay, D. & Sen, J. (2011). Internet of Things: Applications and Challenges in Technology and Standardization. *International Journal of Wireless Personal Communications - Special Issue: Distributed and Secure Cloud Clustering (DISC)*, Vol 58, No 1, pp. 49-69, May 2011.

Boulis, A.; Ganeriwal, S. & Srivastava, M. B. (2003). Aggregation in Sensor Networks: An Energy-Accuracy Trade-Off. *Ad Hoc Networks*, Vol 1, No 2-3, pp. 317-331, September 2003.

Cam, H.; Muthuavinashiappan, D. & Nair, P. (2003). ESPDA: Energy-Efficient and Secure Pattern-Based Data Aggregation for Wireless Sensor Networks. *Proceedings of IEEE International Conference on Sensors*, pp. 732-736, Toronto, Canada, October 2003.

Cam, H.; Muthuavinashiappan, D. & Nair, P. (2005). Energy-Efficient Security Protocol for Wireless Sensor Networks. *Proceedings of the IEEE Vehicular Technology Conference (VTC'05)*, pp. 2981-2984, Orlando, Florida, October 2005.

Cam, H. & Ozdemir, S. (2007). False Data Detection and Secure Aggregation in Wireless Sensor Networks. *Security in Distributed Grid Mobile and Pervasive Computing*, Yang Xiao (ed.), Auerbach Publications, CRC Press, April 2007.

Cam, H.; Ozdemir, S.; Nair, P.; Muthuavinashiappan, D. & Sanli, H. O. (2006a). Energy-Efficient Secure Pattern Based Data Aggregation for Wireless Sensor Networks. *Computer Communications*, Vol 29, No 4, pp. 446-455, February 2006.

Cam, H.; Ozdemir, S.; Sanli, H. O. & Nair, P. (2006b). Secure Differential Data Aggregation for Wireless Sensor Networks. *Sensor Network Operations*, Phoha et al. (eds.), pp. 422-441, Wiley-IEEE Press, May 2006.

Castelluccia, C.; Chan, A. C-F.; Mykletun, E. & Tsudik, G. (2009). Efficient and Provably Secure Aggregation of Encrypted Data in Wireless Sensor Networks. *ACM Transactions on Sensor Networks*, Vol 5, No 3, May 2009.

Castelluccia, C.; Mykletun, E. & Tsudik, G. (2005). Efficient Aggregation of Encrypted Data in Wireless Sensor Networks. *Proceedings of the 2nd Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous'05)*, pp. 109-117, San Diego, California, USA, July 2005.

Chan, H.; Perrig, A.; Przydatek, B. & Song, D. (2007). SIA: Secure Information Aggregation in Sensor Networks. *Journal of Computer Security – Special Issue on Security of Ad Hoc and Sensor Networks*, Vol 15, No 1, pp. 69-102, January 2007.

Chaum, D. (1988). The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. *Journal of Cryptology*, Vol 1, No 1, pp. 65–75, 1988.

Deng, J.; Han, R. & Mishra, S. (2003). Security Support for In-network Processing in Wireless Sensor Networks. *Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN'03)*, pp. 83-93, Fairfax, Virginia, USA, October 2003.


Du, W.; Deng, J.; Han, Y. S. & Varshney, P. K. (2003). A Witness-Based Approach for Data Fusion Assurance in Wireless Sensor Networks. *Proceedings of IEEE Global Telecommunications Conference (GLOBECOM'03)*, Vol 3, pp. 1435-1439, San Francisco, USA, December 2003.

Eschenauer, L. & Gligor, V. D. (2002). A Key-Management Scheme for Distributed Sensor Networks. *Proceedings of the 9th ACM Conference on Computing and Communications Security (CCS'02)*, pp. 41-47, Washington, DC, USA, November 2002.

Estrin, D.; Govindan, R.; Heidemann, J. S. & Kumar, S. (1999). Next Century Challenges: Scalable Coordination in Sensor Networks. *Proceedings of the 5th ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom'99)*, pp. 263-270, Seattle, Washington, USA, August 1999.

Fontaine, C. & Galand, F. (2007). A Survey of Homomorphic Encryption for Nonspecialists. *EURASIP Journal on Information Security*, Vol 2007, Article ID 13801, January 2007.

Gentry, C. (2009). *A Fully Homomorphic Encryption Scheme*. Doctoral Dissertation, Department of Computer Science, Stanford University, USA, September 2009.

Girao, J.; Westhoff, D. & Schneider, M. (2005). CDA: Concealed Data Aggregation for Reverse Multicast Traffic in Wireless Sensor Networks. *Proceedings of the 40th IEEE Conference on Communications (IEEE ICC'05)*, Vol 5, pp. 3044–3049, Seoul, Korea, May 2005.

Goel, S. & Imielinski. (2001). Prediction-Based Monitoring in Sensor Networks: Taking Lessons from MPEG. *ACM SIGCOMM Computing and Communication Review - Special Issue on Wireless Extensions to the Internet*, Vol 31, No 5, pp. 82-98, ACM Press, New York, October 2001.

He, W.; Liu, X.; Nguyen, H.; Nahrstedt, K. & Abdelzaher, T. (2007). PDA: Privacy-Preserving Data Aggregation in Wireless Sensor Networks. *Proceedings of the 26th IEEE International Conference on Computer Communications (INFOCOM'07)*, pp. 2045-2053, Anchorage, Alaska, USA, May 2007.

Heidemann, J.; Silva, F.; Intanagonwiwat, C.; Govindan, R.; Estrin, D. & Ganesan, D. (2001). Building Efficient Wireless Sensor Networks with Low-Level Naming. *Proceedings of the 18th ACM Symposium on Operating Systems Principles (SOSP'01)*, Banff, Canada, October 2001.

Hu, L. & Evans, D. (2003). Secure Aggregation for Wireless Networks. *Proceedings of the Symposium on Applications and the Internet Workshops (SAINT'03)*, pp. 384-391, Orlando, Florida, USA, January 2003.

Jaikaeo, C.; Srisathapomphat, C. & Shen, C. (2000). Querying and Tasking of Sensor Networks. *Proceedings of SPIE's 14th Annual International Symposium on Aerospace/Defence Sensing, Simulation and Control (Digitization of the Battlespace V)*, pp. 26-27, Orlando, Florida, USA, April 2000.

Karlof, C. & Wagner, D. (2003). Secure Routing in Sensor Networks: Attacks and Countermeasures. *Ad Hoc Networks*, Vol 1, pp. 293-315, May 2003.

Madden, S. R.; Franklin, M. J.; Hellerstein, J. M. & Hong, W. (2002). TAG: A Tiny Aggregation Service for Ad-Hoc Sensor Networks. *Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI'02)*, pp. 131-146, Boston, Massachusetts, USA, December 2002.

Madden, S. R.; Franklin, M. J.; Hellerstein, J. M. & Hong, W. (2005). TinyDB: An Acquisitional Query Processing System for Sensor Networks. *ACM Transactions on Database Systems*, Vol 30, No 1, pp. 122-173, March 2005.

Mahimkar, A. & Rappaport, T. S. (2004). SecureDAV: A Secure Data Aggregation and Verification Protocol for Wireless Sensor Networks. *Proceedings of the 47th IEEE Global Telecommunications Conference (GLOBECOM)*, Vol 4, pp. 2175-2179, Dallas, Texas, USA, November-December 2004.

Mannasim. (2002). *Mannasim Wireless Network Simulation Environment*. URL: http://www.mannasim.dcc.ufmg.br.

McGlynn, M. J. & Borbash, S. A. (2001). Birthday Protocols for Low-Energy Deployment and Flexible Neighbour Discovery in Ad Hoc Wireless Networks. *Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc'01)*, pp. 137-145, Long Beach, California, USA, October 2001.

Merkle, R. C. (1980). Protocols for Public Key Cryptosystems. *Proceedings of the IEEE Symposium on Security and Privacy*, pp. 122-134, Oakland, California, USA, April 1980.

Ozdemir, S. (2007). Secure and Reliable Data Aggregation for Wireless Sensor Networks. *Proceedings of the 4th International Conference on Ubiquitous Computing Systems (UCS'07)*, *Lecture Notes in Computer Science (LNCS)*, Ichikawa et al. (eds.), Vol 4836, pp. 102-109, Springer-Verlag Berlin, Heidelberg, Germany, 2007.

Ozdemir, S. (2008). Secure Data Aggregation in Wireless Sensor Networks via Homomorphic Encryption. *Journal of The Faculty of Engineering and Architecture of Gazi University*, Ankara, Turkey, Vol 23, No 2, pp. 365-373, September 2008.

Parekh, B. & Cam, H. (2007). Minimizing False Alarms on Intrusion Detection for Wireless Sensor Networks in Realistic Environments. *Proceedings of the IEEE Military Communications Conference (MILCOM'07)*, pp. 1-7, Orlando, Florida, USA, October 2007.

Peter, S.; Westhoff, D. & Castelluccia, C. (2010). A Survey on the Encryption of Convergecast Traffic with In-Network Processing. *IEEE Transactions on Dependable and Secure Computing*, Vol 7, No 1, pp. 20–34, February 2010.

Przydatek, B.; Song, D. & Perrig, A. (2003). SIA: Secure Information Aggregation in Sensor Networks. *Proceedings of the 1st International Conference on Embedded Networked Systems (SenSys'03)*, pp. 255-265, Los Angeles, California, USA, November 2003.

Sanli, H. O.; Ozdemir, S. & Cam, H. (2004). SRDA: Secure Reference-Based Data Aggregation Protocol for Wireless Sensor Networks. *Proceedings of the 60th IEEE Vehicular Technology Conference (VTC'04 Fall)*, Vol 7, pp. 4650-4654, Los Angeles, California, USA, September 2004.

Sen, J. (2009). A Survey on Wireless Sensor Network Security. *International Journal of Communication Networks and Information Security (IJCNIS)*, Vol 1, No 2, pp. 59-82, August 2009.

Sen, J. (2010a). Privacy Preservation Technologies for Internet of Things. *Proceedings of the International Conference on Emerging Trends in Mathematics, Technology and Management*, pp. 496-504, Shantiniketan, West Bengal, India, January 2010.

Sen, J. (2010b). A Distributed Trust and Reputation Framework for Mobile Ad Hoc Networks. *Proceedings of the 1st International Conference on Network Security and its Applications (CNSA'10)*, Chennai, India, July 2010. *Recent Trends in Network Security and its Applications*, Meghanathan et al. (eds.), pp. 528–537, *Communications in Computer and Information Science (CCIS)*, Springer-Verlag, Heidelberg, Germany, July 2010.

Sen, J. (2010c). A Trust-Based Detection Algorithm of Selfish Packet Dropping Nodes in a Peer-to-Peer Wireless Mesh Network. *Proceedings of the 1st International Conference*


**0**

**8**

*Japan*

*Waseda University*

**Scan-Based Side-Channel Attack**

Ryuta Nara, Masao Yanagisawa and Nozomu Togawa

Individual authentication increases in importance as network technology advances. IC passport, SIM card and ID card used in entering and leaving management systems are dependent on a cryptography circuit for keeping their security. LSI chips used there usually include cryptography circuits and encrypt/decrypt important data such as ID numbers and electronic money information. However, there is a threat that a secret key may be retrieved from the cryptography LSI chip. Recently, side-channel attacks against a cryptosystem LSI has been reported (Boneh et al., 1997; Brier et al., 2004; Kocher, 1996; Kocher el al., 1999; Schramm el al., 2003). For example, scan-based side-channel attacks which retrieve secret keys in a cryptography LSI have attracted attention over the five years. A scan path is one of the most important testing techniques, where registers are connected in serial so that they can be controlled and observed directly from outside the LSI. Test efficiency can be increased significantly. On the other hand, one can have register data easily by using a scan path, which implies that one can retrieve a secret key in a cryptography LSI. This is a *scan-based side-channel*

One of the difficulties in the scan-based side-channel attack is how to retrieve a secret key from obtained scanned data from a cryptosystem LSI. In a scan path, registers inside a circuit have to be connected so that its interconnection length will be shortened to satisfy timing constraints. This means that no one but a scan-path designer knows correspondence between registers and scanned data. To succeed a scan-based side-channel attack against a cryptography LSI, an attacker needs to retrieve secret keys from the scanned data almost

Symmetric-key cryptosystems such as DES and AES are very popular and widely used. They make use of the same secret key in encryption and decryption. However, it may be difficult to securely share the same secret key, such as in communicating on the Internet. Public-key cryptosystems, on the other hand, make use of different keys to encrypt and decrypt. One of the most popular public-key cryptography algorithms is RSA (Rivest et al., 1978), which is used by many secure technologies such as secure key agreement and digital signature.

Yang et al. first showed a scan-based side-channel attack against DES in 2004 and retrieved a secret key in DES (Yang et al., 2004). They also proposed a scan-based side-channel attack against AES in 2006 (Yang et al., 2006). Nara et al. proposed an improved scan-based side-channel attack method against AES in 2009 (Nara et al., 2009). A scan-based side-channel

**1. Introduction**

*attack.*

"randomly" connected.

**on the RSA Cryptosystem**

*on Network Security and its Applications (CNSA'10)*, Chennai, India, July 2010. *Recent Trends in Network Security and its Applications*, Meghanathan et al. (eds.), pp. 538– 547, *Communications in Computer and Information Science (CCIS)*, Springer-Verlag, Heidelberg, Germany, July 2010.


## **Scan-Based Side-Channel Attack on the RSA Cryptosystem**

Ryuta Nara, Masao Yanagisawa and Nozomu Togawa
*Waseda University, Japan*

### **1. Introduction**

164 Cryptography and Security in Computing


Individual authentication increases in importance as network technology advances. IC passports, SIM cards and the ID cards used in entrance and exit management systems depend on a cryptography circuit for their security. The LSI chips used there usually include cryptography circuits and encrypt/decrypt important data such as ID numbers and electronic money information. However, there is a threat that a secret key may be retrieved from the cryptography LSI chip. Recently, side-channel attacks against cryptosystem LSIs have been reported (Boneh et al., 1997; Brier et al., 2004; Kocher, 1996; Kocher et al., 1999; Schramm et al., 2003). For example, scan-based side-channel attacks, which retrieve secret keys from a cryptography LSI, have attracted attention over the past five years. A scan path is one of the most important testing techniques, in which registers are connected in series so that they can be controlled and observed directly from outside the LSI. Test efficiency can be increased significantly. On the other hand, one can obtain register data easily by using a scan path, which implies that one can retrieve a secret key from a cryptography LSI. This is a *scan-based side-channel attack.*

One of the difficulties in a scan-based side-channel attack is how to retrieve a secret key from the scanned data obtained from a cryptosystem LSI. In a scan path, the registers inside a circuit have to be connected so that the interconnection length is shortened to satisfy timing constraints. This means that no one but the scan-path designer knows the correspondence between registers and scanned data. To succeed in a scan-based side-channel attack against a cryptography LSI, an attacker needs to retrieve secret keys from scanned data that is connected almost "randomly".

Symmetric-key cryptosystems such as DES and AES are very popular and widely used. They make use of the same secret key for encryption and decryption. However, it may be difficult to share the same secret key securely, for example when communicating over the Internet. Public-key cryptosystems, on the other hand, make use of different keys to encrypt and decrypt. One of the most popular public-key cryptography algorithms is RSA (Rivest et al., 1978), which is used in many secure technologies such as secure key agreement and digital signatures.

Yang et al. first showed a scan-based side-channel attack against DES in 2004 and retrieved a secret key in DES (Yang et al., 2004). They also proposed a scan-based side-channel attack against AES in 2006 (Yang et al., 2006). Nara et al. proposed an improved scan-based side-channel attack method against AES in 2009 (Nara et al., 2009). A scan-based side-channel attack against elliptic curve cryptography (Koblitz, 1987; Miller, 1986) was proposed by Nara et al. (Nara et al., 2011). On the other hand, no scan-based side-channel attack against RSA has been proposed yet, despite the fact that RSA is a de-facto standard public-key cryptosystem. Since public-key cryptosystems have more complicated algorithms than symmetric-key cryptosystems such as DES and AES, we cannot apply the scan-based side-channel attacks against symmetric-key cryptosystems to an RSA circuit. An elliptic curve cryptography algorithm is also completely different from an RSA algorithm, although both are public-key algorithms, so we cannot apply the scan-based side-channel attacks against elliptic curve cryptosystems to RSA either.

In this paper, we propose a scan-based side-channel attack against an RSA circuit which is almost independent of the scan-path structure. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time-sequence which is specific to some intermediate value. We call it a *scan signature*, because its value reveals the existence of that intermediate value in the scanned data obtained from an RSA circuit. By checking whether a scan signature is included in the scanned data or not, we can retrieve a secret key in the target RSA circuit even if we do not know the scan path structure, as long as a scan path is implemented on the RSA circuit and it includes at least one bit of each intermediate value.

The purpose of our proposed method is not to make secure scan architectures ineffective, but to retrieve a secret key using scanned data in an RSA circuit with as few limitations as possible. In fact, our scan-based side-channel attack method might not work without modification against RSA circuits using some secure scan architectures. However, several secure scan architectures designed without consideration of our scan signature cannot protect against our method, as discussed in Section 6.

This paper is organized as follows: Section 2 introduces the RSA encryption and decryption algorithms; Section 3 shows an algorithm for retrieving a secret key in an RSA circuit using intermediate values and explains the problems of retrieving a secret key using a scan path; Section 4 proposes our scan-based side-channel attack method based on a *scan signature*; Section 5 demonstrates experimental results and performance analysis; Section 6 discusses secure scan architectures; Section 7 gives several concluding remarks.

### **2. RSA algorithm**

RSA cryptography (Rivest et al., 1978) was made public in 1978 by Ronald Linn Rivest, Adi Shamir and Leonard Max Adleman. RSA is known as the first algorithm that made public-key cryptography practicable. It is commonly used to achieve not only encryption/decryption but also digital signatures and digital authentication, so that most cryptography LSIs on the market implement the RSA cryptography.

The security of RSA depends on the difficulty of factoring large numbers. Decrypting an RSA ciphertext without the secret key is considered almost impossible on the assumption that no efficient algorithm exists for the factoring problem.

### **2.1 Encryption and decryption**

An RSA algorithm encrypts a plaintext with a public key (*n*, *e*) and decrypts a ciphertext with a secret key (*n*, *d*). Let us select two distinct prime numbers *p* and *q*. We calculate *n* by multiplying *p* by *q*; *n* is used as the modulus for both the public key and the secret key. To determine the exponents, we calculate *ϕ*(*pq*)<sup>1</sup> by multiplying (*p* − 1) by (*q* − 1).

### **Algorithm 1** Binary method (MSB to LSB).

```
Input: c, d, and n.
Output: c^d mod n.
  i = L − 1.
  m = 1.
  while i ≥ 0 do
    m = m^2 mod n.
    if d_i = 1 then
      m = m × c mod n.
    end if
    i = i − 1.
  end while
  return m.
```

Let us select an integer *e* satisfying the conditions that 1 < *e* < *ϕ*(*pq*) and that *e* and *ϕ*(*pq*) are coprime, where *e* is the exponent of the public key. Let us then determine an integer *d* satisfying the congruence relation *de* ≡ 1 mod *ϕ*(*pq*). That is to say, the public key consists of the modulus *n* and the exponent *e*. The private key consists of the modulus *n* and the exponent *d*.

Let us consider that Alice secretly sends a message *m* to Bob. First, Alice obtains Bob's public key (*n*, *e*). Second, she calculates the ciphertext *c* with Equation 1.

$$c = m^e \bmod n \tag{1}$$

Then Alice transmits *c* to Bob. Bob decrypts *c* by using his private key and receives her message *m*. Equation 2 represents the decryption computation.

$$m \equiv c^d \mod n \tag{2}$$
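As a sanity check on Equations 1 and 2, the whole key-generation/encryption/decryption cycle can be sketched in a few lines of Python. The primes and message below are illustrative toy values chosen for this sketch, not parameters from the chapter; real keys use primes of 1,024 bits or more.

```python
# Toy RSA following Section 2.1: key generation, Equation 1, Equation 2.
p, q = 61, 53                  # two distinct (toy) primes
n = p * q                      # modulus n = p*q, part of both keys
phi = (p - 1) * (q - 1)        # Euler's totient phi(pq)
e = 17                         # public exponent, coprime to phi(pq)
d = pow(e, -1, phi)            # secret exponent with d*e = 1 mod phi(pq)

m = 65                         # Alice's message
c = pow(m, e, n)               # Equation 1: c = m^e mod n
assert pow(c, d, n) == m       # Equation 2: m = c^d mod n
```

Note that the three-argument `pow` computes a modular exponentiation, and `pow(e, -1, phi)` (Python 3.8+) computes the modular inverse that defines *d*.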

### **2.2 Binary method**

The bit length of an RSA key must be at least 1,024 bits, because the security of RSA depends on its key length. It is currently recommended that *n* be at least 2,048 bits long (Silverman, 2002). This means that the exponent *d* in Equation 2 is at least 1,024 bits long, so decrypting a ciphertext involves a very large amount of computation if done naively. Since modular exponentiation dominates the execution time of decrypting a ciphertext, efficient algorithms have been proposed. The binary method (Stein, 1967), as shown in Algorithm 1, is one of the most typical exponentiation algorithms. In Algorithm 1, the exponent *d* is represented by *d* = *d*<sub>*L*−1</sub>2<sup>*L*−1</sup> + *d*<sub>*L*−2</sub>2<sup>*L*−2</sup> + ··· + *d*<sub>1</sub>2 + *d*<sub>0</sub>, where *L* denotes the maximum key bit length. Fig. 1 shows an example of the binary method in the case of *d* = 1011<sub>2</sub>.
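The loop of Algorithm 1 translates directly into code. The following Python sketch (the function name and test values are ours, not the chapter's) squares on every bit and multiplies by *c* exactly when *d*<sub>*i*</sub> = 1:

```python
def binary_method(c, d, n, L):
    """Compute c^d mod n by the MSB-to-LSB binary method (Algorithm 1)."""
    m = 1
    for i in range(L - 1, -1, -1):
        m = m * m % n          # square in every iteration
        if (d >> i) & 1:       # bit d_i of the exponent
            m = m * c % n      # multiply only when d_i = 1
    return m

# Fig. 1's example exponent d = 1011_2 = 11; the modulus is arbitrary.
assert binary_method(7, 0b1011, 1000003, 4) == pow(7, 11, 1000003)
```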

### **3. Scan-based attack against RSA**

A scan path connects the registers in a circuit serially and gives direct access to them, so that a tester can easily observe register values inside the circuit. A scan path model is shown in Fig. 2. A scan path test is widely used in recent circuit implementations due to its testability and ease of implementation.

Fig. 1. Binary method example (*d* = 1011<sub>2</sub>).

<sup>1</sup> *ϕ*() is Euler's totient function.

Fig. 2. Scan path model.

The purpose of a scan-based attack against RSA is to retrieve a secret exponent *d* from scanned data in an RSA circuit. A scan-based attack here requires several assumptions, as in the previous researches (Nara et al., 2009; 2011; Yang et al., 2004; 2006), which are summarized as follows:

1. Attackers can encrypt/decrypt arbitrary data using the secret key on a target RSA circuit.
2. Attackers can obtain scanned data from a target RSA circuit.
3. Scanned data is not modified with compactors aimed at test efficiency.
4. Attackers know that the binary method in Algorithm 1 is used in a target RSA circuit.
5. Attackers also know the modulus *n* used in a target RSA circuit.<sup>2</sup>

In addition to these, they need to be able to predict the intermediate values of the binary method using an off-line simulation.

In this section, we explain the scan-based attack against an RSA circuit (Section 3.1) and its problems in a practical case (Section 3.2).

<sup>2</sup> Note that, since the public key consists of the modulus *n* and the public exponent *e*, attackers can easily know the modulus *n*.

### **3.1 Retrieving a secret exponent using intermediate values (Messerges et al., 1999)**

In order to retrieve a secret exponent *d*, we have to solve the integer factorization problem underlying RSA. If the bit length of a secret exponent *d* is 1,024 bits or even 2,048 bits, it is impossible to solve this problem within a realistic time. However, if we know all the "intermediate values" during the binary method shown in Algorithm 1, we can retrieve a secret exponent *d* in polynomial time (Messerges et al., 1999).

Let *d* = *d*<sub>*L*−1</sub>2<sup>*L*−1</sup> + *d*<sub>*L*−2</sub>2<sup>*L*−2</sup> + ··· + *d*<sub>1</sub>2 + *d*<sub>0</sub>, where *L* is the maximum key bit length of *d*. Assume that all the intermediate values in Algorithm 1 are obtained. Let *m*(*i*) be the intermediate value of *m* at the end of loop *i* in Algorithm 1. Assume also that *d*<sub>*L*−1</sub>, *d*<sub>*L*−2</sub>, ··· , *d*<sub>*i*+1</sub> are already retrieved. An attacker tries to reveal the next bit *d*<sub>*i*</sub>. In this case, *m*(*i*) is equal to Equation 3 below, if and only if *d*<sub>*i*</sub> = 0:

$$c^{\sum_{j=i+1}^{L-1} d_j 2^{j-i}} \bmod n. \tag{3}$$

Similarly, *m*(*i*) is equal to Equation 4 below, if and only if *d*<sub>*i*</sub> = 1:

$$c^{\sum_{j=i+1}^{L-1} d_j 2^{j-i} + 1} \bmod n. \tag{4}$$
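Equations 3 and 4 can be checked numerically: run Algorithm 1 while recording *m*(*i*) at the end of every loop, then compare each recorded value against *c* raised to the partial exponent. The parameters below are our own toy values, not taken from the chapter:

```python
n, c, d, L = 10007, 1234, 0b10111, 8   # toy parameters (ours)

# Run the binary method, recording m(i) at the end of each loop i.
m, trace = 1, {}
for i in range(L - 1, -1, -1):
    m = m * m % n
    if (d >> i) & 1:
        m = m * c % n
    trace[i] = m

# Check Equations 3 and 4 for every bit position i.
for i in range(L):
    exp = sum(((d >> j) & 1) * 2 ** (j - i) for j in range(i + 1, L))
    if (d >> i) & 1:
        exp += 1               # Equation 4: add 1 when d_i = 1
    assert trace[i] == pow(c, exp, n)  # Equation 3 when d_i = 0
```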

Based on the above discussion, we employ *SF*(*i*) defined by Equation 5 as a *selective function* for RSA:

$$SF(i) = c^{\sum_{j=i+1}^{\ell-1} d_j 2^{j-i} + 1} \bmod n. \tag{5}$$

*ℓ* represents the significant key length, i.e., the key length in left-aligned representation; the secret exponent can be represented by

$$d = \left. d_{L-1} 2^{L-1} + \cdots + d_1 2 + d_0 \right|_{d_{L-1}=0,\dots,d_\ell=0} = d_{\ell-1} 2^{\ell-1} + \cdots + d_1 2 + d_0. \tag{6}$$
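Equation 6 simply says that only the top *ℓ* bits of the *L*-bit exponent register carry information; in code, the significant key length is just the bit length of *d*. A minimal sketch, with our own toy exponent:

```python
d, L = 0b10111, 8              # toy exponent (ours), stored in L bits
ell = d.bit_length()           # significant key length: index of top 1-bit
assert ell <= L
# Left-aligned representation: d is fully determined by bits ell-1 .. 0.
assert d == sum(((d >> j) & 1) * 2 ** j for j in range(ell))
```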

When using the selective function for RSA above, we have to know *d*<sub>*ℓ*−1</sub>, *d*<sub>*ℓ*−2</sub>, ··· , *d*<sub>*i*+1</sub> in advance.

*SF*(*i*) ≠ *SF*(*j*) always holds true for *i* ≠ *j*, 0 ≤ *i*, *j* ≤ *ℓ* − 1. Given a message *c* and the bit values *d*<sub>*ℓ*−1</sub>, *d*<sub>*ℓ*−2</sub>, ··· , *d*<sub>*i*+1</sub> of the secret exponent, we assume that *d*<sub>*i*</sub> = 1 and check whether *SF*(*i*) appears somewhere in the intermediate values. If it appears in them, we determine *d*<sub>*i*</sub> as one. If not, we determine *d*<sub>*i*</sub> as zero.

**Example 1.** *Let us consider that the public key* (*n*, *e*) = (101111001, 1011) *and the secret key* (*n*, *d*) = (101111001, 10111)*. The maximum key length L is 8 bits and the secret exponent d* = 10111*, i.e., d*<sub>7</sub> = 0*, d*<sub>6</sub> = 0*, d*<sub>5</sub> = 0*, d*<sub>4</sub> = 1*, d*<sub>3</sub> = 0*, d*<sub>2</sub> = 1*, d*<sub>1</sub> = 1*, d*<sub>0</sub> = 1*. We assume that we do not know d and the significant key length ℓ. The intermediate values in Algorithm 1 are summarized in Table 2 when we use a message c* = 10011100*, whose parameters are shown in Table 1.*

*Now we try to retrieve the 8-bit secret exponent d using intermediate values.*

*First we try to retrieve the first bit d*<sub>ℓ−1</sub> *(i* = ℓ − 1*). We find d*<sub>ℓ−1</sub> = 1 *by the definition of the significant key length* ℓ*. Then SF*(ℓ − 1) *is calculated as SF*(ℓ − 1) = *c* = 10011100*. Since* 10011100 *appears in Table 2, we confirm that d*<sub>ℓ−1</sub> *is retrieved as one. Now we assume that the secret exponent d* = **1***.*


Scan-Based Side-Channel Attack on the RSA Cryptosystem 171

Table 2. Intermediate values at the end of the *i*-th loop of Algorithm 1 (message *c* = 10011100<sub>2</sub>).


| Parameter | Value |
|---|---|
| Modulus *n* | 101111001 |
| Public exponent *e* | 1011 |
| Secret exponent *d* | 10111 |
| Maximum key length *L* | 8 bits |

Table 1. Example parameters in Algorithm 1.

*We compare m*(ℓ − 1) = (*c*<sup>1</sup> mod *n*) = 10011100 *with the binary-method result* 10001111*. Since they are not equal, d* ≠ 1*.*

*Next, we try to retrieve the second bit d*<sub>ℓ−2</sub> *(i* = ℓ − 2*). We already know that d*<sub>ℓ−1</sub> = 1*. We assume here that d*<sub>ℓ−2</sub> = 1*. In this case, SF*(ℓ − 2) *is calculated as SF*(ℓ − 2) = 11010*. Since* 11010 *does not appear in Table 2, d*<sub>ℓ−2</sub> *is retrieved not as one but as zero, i.e., d*<sub>ℓ−2</sub> = 0*. Now we assume that d* = 1**0***. We compare m*(ℓ − 2) = (*c*<sup>10</sup> mod *n*) = (*m*(ℓ − 1)<sup>2</sup> mod *n*) = 11010000 *with the binary-method result* 10001111*. Since they are not equal, d* ≠ 10*.*

*Next, we try to retrieve the third bit d*<sub>ℓ−3</sub> *(i* = ℓ − 3*). We already know that d*<sub>ℓ−1</sub> = 1 *and d*<sub>ℓ−2</sub> = 0*. We assume here that d*<sub>ℓ−3</sub> = 1*. In this case, SF*(ℓ − 3) *is calculated as SF*(ℓ − 3) = 10000010*. Since* 10000010 *appears in Table 2, d*<sub>ℓ−3</sub> *is retrieved as one, i.e., d*<sub>ℓ−3</sub> = 1*. Now we assume that d* = 10**1***. We compare m*(ℓ − 3) = (*c*<sup>101</sup> mod *n*) = *SF*(ℓ − 3) = 10000010 *with the binary-method result* 10001111*. Since they are not equal, d* ≠ 101*.*

*Next, we try to retrieve the fourth bit d*<sub>ℓ−4</sub> *(i* = ℓ − 4*). We already know that d*<sub>ℓ−1</sub> = 1*, d*<sub>ℓ−2</sub> = 0 *and d*<sub>ℓ−3</sub> = 1*. We assume here that d*<sub>ℓ−4</sub> = 1*. In this case, SF*(ℓ − 4) *is calculated as SF*(ℓ − 4) = 100111*. Since* 100111 *appears in Table 2, d*<sub>ℓ−4</sub> *is retrieved as one, i.e., d*<sub>ℓ−4</sub> = 1*. Now we assume that d* = 101**1***. We compare m*(ℓ − 4) = (*c*<sup>1011</sup> mod *n*) = *SF*(ℓ − 4) = 100111 *with the binary-method result* 10001111*. Since they are not equal, d* ≠ 1011*.*

*Finally, we try to retrieve the fifth bit d*<sub>ℓ−5</sub> *(i* = ℓ − 5*). We already know that d*<sub>ℓ−1</sub> = 1*, d*<sub>ℓ−2</sub> = 0*, d*<sub>ℓ−3</sub> = 1 *and d*<sub>ℓ−4</sub> = 1*. We assume here that d*<sub>ℓ−5</sub> = 1*. SF*(ℓ − 5) *is calculated as SF*(ℓ − 5) = 10001111*. Since* 10001111 *appears in Table 2, d*<sub>ℓ−5</sub> *is retrieved as one, i.e., d*<sub>ℓ−5</sub> = 1*. Now we assume that d* = 1011**1***. We compare m*(ℓ − 5) = (*c*<sup>10111</sup> mod *n*) = *SF*(ℓ − 5) = 10001111 *with the binary-method result* 10001111*. Since they are equal, we find that the secret exponent d is* 10111 *and the significant key length* ℓ *is five.*
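The retrieval of Example 1 can be replayed in a few lines of Python (our own sketch, with the binary values converted to decimal: *n* = 377, *c* = 156, the binary-method result 10001111<sub>2</sub> = 143, and the leaked intermediate values {156, 208, 130, 39, 143}):

```python
def recover_exponent(c, n, inter, result, max_bits=8):
    """Recover d bit by bit from the MSB, given the set `inter` of
    intermediate values leaked from Algorithm 1."""
    d = 1                            # d_{l-1} = 1 by definition of l
    for _ in range(max_bits):
        if pow(c, d, n) == result:   # prefix reproduces the output: done
            return d
        # guess next bit = 1 and test whether SF appears in the leak
        d = (d << 1) | (1 if pow(c, (d << 1) | 1, n) in inter else 0)
    return None

print(bin(recover_exponent(156, 377, {156, 208, 130, 39, 143}, 143)))
# 0b10111
```

The loop performs exactly the comparisons of the example: it rejects 26 (so *d*<sub>ℓ−2</sub> = 0), accepts 130, 39 and 143, and stops once the prefix reproduces the binary-method result.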

### **3.2 Problems to retrieve a secret key using scan path**

If we retrieve an *L*-bit secret exponent *d* by exhaustive search, we have to try 2*<sup>L</sup>* possible values. The method explained in Section 3.1, on the other hand, retrieves the secret exponent bit by bit from MSB to LSB, trying at most 2*L* candidate values for an *L*-bit secret exponent. Further, the method just checks whether *SF*(*i*) appears among the intermediate values *m*(*i*) of Algorithm 1.

In order to apply this method to a scan-based attack, we have to know which registers store the intermediate values, i.e., the correspondence between the scanned data and *SF*(*i*).

However, scan paths are usually designed automatically by EDA tools, which connect nearby registers together to shorten the scan path length. Only the designers know the correspondence between scanned data and registers, so retrieved scanned data can be considered "random" by attackers. It is therefore very difficult for attackers to find the values of *SF*(*i*) in the scanned data.

Messerges et al. (Messerges et al., 1999) only show the correspondence between intermediate values and a bit of a secret exponent; they do not indicate how to discover the intermediate value in scanned data. For that reason, their analysis method cannot be directly applied to scan-based attacks against an RSA LSI.

We therefore have to somehow locate *SF*(*i*) in the scanned data in order to retrieve a secret exponent *d* using the method in Section 3.1.




### **4. Analysis of scanned data**

In order to solve the problem that attackers do not know the correspondence between registers of the scanned data and those storing intermediate values during the binary method, we focus on a general property of scan paths: *the bit position of a particular register r in the scanned data when giving one input is exactly the same as when giving another input.* This is clearly true, since the scan path is fixed in an LSI chip and the order of the registers connected in the scan path is unchanged.

If we execute the binary method for each of *N* messages on an RSA circuit, the bit pattern at a *particular* bit position in the scanned data for these *N* messages gives *N* bits of data. Based on the above property, this *N*-bit data may give the bit pattern of a particular bit of an intermediate value when we give each of these *N* messages to the RSA circuit.

We can calculate *SF*(*i*) from the same *N* messages and *d*<sub>ℓ−1</sub> down to *d*<sub>0</sub> of the secret exponent *d* by an off-line simulation. By picking a particular bit (the LSB, for example) of each of the *SF*(*i*) values for the *N* messages, we also obtain *N* bits of data (see Fig. 3). If *N* is large enough, this *N*-bit data is effectively unique to *SF*(*i*). We can use this *N*-bit data as a *scan signature SS<sub>i</sub>* to *SF*(*i*) in the scanned data.

Our main idea in this section is to find the scan signature *SS<sub>i</sub>* to *SF*(*i*) in the scanned data (see Fig. 4) to retrieve the secret exponent *d* from *d*<sub>ℓ−1</sub> down to *d*<sub>0</sub>. If the *N*-bit scan signature *SS<sub>i</sub>* appears in the scanned data for the *N* messages, *d<sub>i</sub>* is determined as one; if not, it is determined as zero.

In the rest of this section, we first propose a scan signature *SS<sub>i</sub>* to *SF*(*i*). Second, we propose an overall method to retrieve a secret exponent *d* using scan signatures. Third, we analyze the probability of successfully retrieving a secret exponent using our method.
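The column-extraction idea can be sketched as follows. This is our own toy model, assuming the scanned data of each run is available as a bit vector; the register order inside it is unknown to the attacker:

```python
def bit_columns(scanned):
    """All bit-position columns of the scanned data: column k collects,
    for each of the N messages, the bit at position k. Because the scan
    path is fixed, a given register always lands at the same position,
    so one of these columns is that register's value across all N runs."""
    n_msgs, width = len(scanned), len(scanned[0])
    return [[scanned[r][k] for r in range(n_msgs)] for k in range(width)]

def scan_signature(sf_values):
    """Scan signature SS_i: the LSB of SF(i)_r for each message r."""
    return [v & 1 for v in sf_values]

# Toy data: 4 messages, 5-bit scanned words; column 3 happens to hold
# the LSBs of the (hypothetical) SF values 6, 13, 9, 4.
scanned = [
    [1, 0, 1, 0, 1],
    [0, 1, 0, 1, 1],
    [1, 1, 0, 1, 0],
    [0, 0, 1, 0, 0],
]
ss = scan_signature([6, 13, 9, 4])   # -> [0, 1, 1, 0]
print(ss in bit_columns(scanned))    # True: matched at column 3
```

A match at any column means the register holding that bit of the intermediate value is somewhere on the scan path; the attacker never needs to know *which* register it is.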

### **4.1 Calculating a scan signature to** *SF*(*i*)

Assume that *N* messages *c*<sub>1</sub>, ··· , *c<sub>N</sub>* are given. Also assume that we already know *d*<sub>ℓ−1</sub>, ··· , *d*<sub>*i*+1</sub> of the secret exponent *d*. Let *SF*(*i*)<sub>*r*</sub> be the selective function for RSA when giving the message *c<sub>r</sub>* for 1 ≤ *r* ≤ *N*. Assuming that *d<sub>i</sub>* = 1, we can calculate *SF*(*i*)<sub>*r*</sub> for 1 ≤ *r* ≤ *N*.

Let us focus on a particular bit of *SF*(*i*)<sub>*r*</sub>. If *N* is large enough, the set of these bits for *SF*(*i*)<sub>*r*</sub> (1 ≤ *r* ≤ *N*) gives information unique to *SF*(*i*). By using it, we can check whether the *SF*(*i*)<sub>*r*</sub> are calculated in the target. As Fig. 3 shows, we define the *scan signature SS<sub>i</sub>* to be the set of the LSBs of the *SF*(*i*)<sub>*r*</sub>, for the sake of convenience.

Fig. 3. Scan signature *SS<sub>i</sub>*.

If *SS<sub>i</sub>* appears in the scanned data, *d<sub>i</sub>* is determined as one; if not, *d<sub>i</sub>* is determined as zero. After *d<sub>i</sub>* is correctly determined, we can continue to determine the next bit of the secret exponent *d* in the same way.

Our proposed method has an advantage over conventional scan-based attacks (Yang et al., 2004; 2006): it remains effective with a partial scan architecture. As long as the scan path includes at least one bit of each intermediate value, we can check whether the scan signature exists in the scanned data.

### **4.2 Scanned data analysis method**

First we prepare *N* messages *c*<sub>1</sub>, ··· , *c<sub>N</sub>* and give them to an RSA circuit. For each of these messages, we obtain all the scanned data from the scan output of the RSA circuit until it outputs the binary-method result. As Fig. 4 shows, the size of the scanned data for each of these messages is ("scan path length") × ("number of binary method cycles").

Fig. 4. Scanned data.

Now we check whether a scan signature *SS<sub>i</sub>* to *SF*(*i*) appears in the obtained scanned data, under the assumption that we do not know the secret exponent *d* in the RSA circuit, as follows:

**Step 1:** Prepare *N* messages *c*<sub>1</sub>, *c*<sub>2</sub>, ··· , *c<sub>N</sub>*, where *c<sub>r</sub>* ≠ *c<sub>s</sub>* for 1 ≤ *r*, *s* ≤ *N* and *r* ≠ *s*.

**Step 2:** Input *c<sub>r</sub>* (1 ≤ *r* ≤ *N*) into the target RSA circuit and obtain scanned data every cycle while the binary method works, until the RSA circuit outputs the result. Let *sd<sub>r</sub>* denote the obtained scanned data for the message *c<sub>r</sub>* (1 ≤ *r* ≤ *N*).

**Step 3:** From the definition, we have *d*<sub>ℓ−1</sub> = 1. Compare *m*(ℓ − 1) = ((*c*<sub>1</sub>)<sup>1</sup> mod *n*) with its binary-method result. If they are equal, then the secret exponent *d* is one and we stop. If not, go to the next step.

**Step 4:** Calculate *SF*(ℓ − 2)<sub>*r*</sub> assuming *d*<sub>ℓ−2</sub> = 1 for each *c<sub>r</sub>* (1 ≤ *r* ≤ *N*) and obtain the scan signature *SS*<sub>ℓ−2</sub>.

**Step 5:** Check whether the scan signature *SS*<sub>ℓ−2</sub> exists in the scanned data *sd*<sub>1</sub>, ··· , *sd<sub>N</sub>*, which include the scanned data of all the cycles while the binary method runs. If it exists, then *d*<sub>ℓ−2</sub> is equal to 1; if it does not exist, then *d*<sub>ℓ−2</sub> is equal to 0.

**Step 6:** Calculate *m*(ℓ − 2) = ((*c*<sub>1</sub>)<sup>*d*<sub>ℓ−1</sub>×2+*d*<sub>ℓ−2</sub></sup> mod *n*) and compare it with its binary-method result. If they are equal, then the secret exponent *d* is retrieved and we terminate the analysis flow.

**Step 7:** Determine *d*<sub>ℓ−3</sub>, *d*<sub>ℓ−4</sub>, ··· in the same way as Steps 4–6 until the analysis flow is terminated at Step 6.
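The whole flow can be simulated end-to-end in Python. This is our own toy model, not the authors' implementation: a 9-bit datapath for *n* = 377, secret exponent *d* = 10111<sub>2</sub> = 23, a hypothetical scan path wiring 9 intermediate-value bits and 7 unrelated noise bits in a fixed but unknown order, and *N* = 32 messages:

```python
import random

n, d = 377, 23                 # toy modulus and secret exponent (10111_2)
N, W, NOISE = 32, 9, 7         # messages, register width, noise registers
rng = random.Random(0)
perm = rng.sample(range(W + NOISE), W + NOISE)  # fixed, unknown scan order

def scanned_data(c):
    """Step 2 (device side): run the binary method on message c and dump
    the scan path (intermediate-value bits + noise bits) every cycle."""
    m, dumps = 1, []
    for bit in bin(d)[2:]:
        m = m * m % n
        if bit == '1':
            m = m * c % n
        regs = [m >> j & 1 for j in range(W)] + \
               [rng.getrandbits(1) for _ in range(NOISE)]
        dumps.append([regs[p] for p in perm])
    return dumps

msgs = rng.sample(range(2, n), N)               # Step 1
scans = [scanned_data(c) for c in msgs]
results = [pow(c, d, n) for c in msgs]          # public outputs

def signature_found(prefix):
    """Steps 4 and 5: build SS_i for the guess 'next bit = 1' and search
    every (cycle, bit-position) column of the scanned data for it."""
    sig = [pow(c, prefix << 1 | 1, n) & 1 for c in msgs]
    return any([scans[r][t][k] for r in range(N)] == sig
               for t in range(len(scans[0])) for k in range(W + NOISE))

def retrieve():
    prefix = 1                                  # Step 3: d_{l-1} = 1
    for _ in range(16):                         # at most L bits
        if [pow(c, prefix, n) for c in msgs] == results:  # Step 6
            return prefix
        prefix = prefix << 1 | (1 if signature_found(prefix) else 0)
    return None                                 # Step 7: loop back

print(bin(retrieve()))
```

With 32 messages a wrong guess matches some column of the scanned data only by an astronomically unlikely coincidence, so the recovered exponent should be 10111<sub>2</sub> = 23; the Step 6 comparison against the public outputs confirms it.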



We show the example below to explain how the method above works.

**Example 2.** *As in Example 1, let the public key be* (*n*, *e*) = (101111001, 1011) *and the secret key* (*n*, *d*) = (101111001, 10111)*. The maximum key length L is 8 bits and the secret exponent d* = 10111<sub>2</sub>*, i.e., d*<sub>7</sub> = 0*, d*<sub>6</sub> = 0*, d*<sub>5</sub> = 0*, d*<sub>4</sub> = 1*, d*<sub>3</sub> = 0*, d*<sub>2</sub> = 1*, d*<sub>1</sub> = 1*, d*<sub>0</sub> = 1*. We assume that we do not know d or the significant key length* ℓ*. The parameters are shown in Table 1. Assume that the binary method takes 16 cycles and the scan path size is 128 bits in the target RSA circuit.*

*(***Step 1***) First we prepare* 8 *messages c*<sub>1</sub>, *c*<sub>2</sub>, ··· , *c*<sub>8</sub>*, where c<sub>r</sub>* ≠ *c<sub>s</sub> for* 1 ≤ *r*, *s* ≤ 8 *and r* ≠ *s. The target RSA circuit executes the binary method as in Table 2.*

*(***Step 2***) We input c<sub>r</sub> (*1 ≤ *r* ≤ 8*) into the target RSA circuit and obtain scanned data every cycle while the binary method works, until the RSA circuit outputs the result. Let sd<sub>r</sub> denote the obtained scanned data for the message c<sub>r</sub>* (1 ≤ *r* ≤ 8)*. The total size of the scanned data is* 16 × 128 = 2,048 *bits per message (see Fig. 5).*

Fig. 5. Scanned data example.

*(***Step 3***) Let us start by determining d*<sub>ℓ−1</sub>*. We find d*<sub>ℓ−1</sub> = 1 *by the definition of* ℓ*. It is not necessary to check whether d*<sub>ℓ−1</sub> = 1*, but we can check it as follows: we calculate SF*(ℓ − 1)<sub>*r*</sub> = *c<sub>r</sub> for each c<sub>r</sub> (*1 ≤ *r* ≤ 8*) and obtain the scan signature SS*<sub>ℓ−1</sub> *(see Fig. 6). As Fig. 6 (a) shows, the scan signature SS*<sub>ℓ−1</sub> *becomes "11101001". Since SS*<sub>ℓ−1</sub> *exists in the bit patterns of the scanned data sd<sub>r</sub>* (1 ≤ *r* ≤ 8) *in Fig. 5, we confirm that d*<sub>ℓ−1</sub> *is retrieved as one, i.e., d*<sub>ℓ−1</sub> = 1*. Now we assume that d* = **1***. We compare m*(ℓ − 1) = ((*c*<sub>1</sub>)<sup>1</sup> mod *n*) *with its binary-method result. Since they are not equal, d* ≠ 1*.*

*(***Step 4***,* **Step 5***,* **Step 6***, and* **Step 7***) Next let us determine d*<sub>ℓ−2</sub>*. We calculate SF*(ℓ − 2)<sub>*r*</sub> *assuming d*<sub>ℓ−2</sub> = 1 *for each c<sub>r</sub> (*1 ≤ *r* ≤ 8*) and obtain the scan signature SS*<sub>ℓ−2</sub> *(see Fig. 6 (b)). As Fig. 6 (b) shows, the scan signature SS*<sub>ℓ−2</sub> *becomes "01111100". Since SS*<sub>ℓ−2</sub> *does not exist in the bit patterns of the scanned data sd<sub>r</sub>* (1 ≤ *r* ≤ 8) *in Fig. 5, we can determine that d*<sub>ℓ−2</sub> *is equal to zero, i.e., d*<sub>ℓ−2</sub> = 0*. Now we assume that d* = 1**0***. We compare m*(ℓ − 2) = (*m*(ℓ − 1)<sup>2</sup> mod *n*) *with its binary-method result. Since they are not equal, d* ≠ 10*.*

*(***Step 4***,* **Step 5***,* **Step 6***, and* **Step 7***) Next let us determine d*<sub>ℓ−3</sub>*. We calculate SF*(ℓ − 3)<sub>*r*</sub> *assuming d*<sub>ℓ−3</sub> = 1 *for each c<sub>r</sub> (*1 ≤ *r* ≤ 8*) and obtain the scan signature SS*<sub>ℓ−3</sub> *(see Fig. 6 (c)). As Fig. 6 (c) shows, the scan signature SS*<sub>ℓ−3</sub> *becomes "00010110". Since SS*<sub>ℓ−3</sub> *exists in the bit patterns of the scanned data sd<sub>r</sub>* (1 ≤ *r* ≤ 8) *in Fig. 5, we can determine that d*<sub>ℓ−3</sub> *is equal to one, i.e., d*<sub>ℓ−3</sub> = 1*. Now we assume that d* = 10**1***. We compare m*(ℓ − 3) = (*m*(ℓ − 2)<sup>2</sup> × *c*<sub>1</sub> mod *n*) = *SF*(ℓ − 3)<sub>1</sub> *with its binary-method result. Since they are not equal, d* ≠ 101*.*

*(***Step 4***,* **Step 5***,* **Step 6***, and* **Step 7***) Next let us determine d*<sub>ℓ−4</sub>*. We calculate SF*(ℓ − 4)<sub>*r*</sub> *assuming d*<sub>ℓ−4</sub> = 1 *for each c<sub>r</sub> (*1 ≤ *r* ≤ 8*) and obtain the scan signature SS*<sub>ℓ−4</sub> *(see Fig. 6 (d)). As Fig. 6 (d) shows, the scan signature SS*<sub>ℓ−4</sub> *becomes "01101110". Since SS*<sub>ℓ−4</sub> *exists in the bit patterns of the scanned data sd<sub>r</sub>* (1 ≤ *r* ≤ 8)*, we can determine that d*<sub>ℓ−4</sub> *is equal to one, i.e., d*<sub>ℓ−4</sub> = 1*. Now we assume that d* = 101**1***. We compare m*(ℓ − 4) = (*m*(ℓ − 3)<sup>2</sup> × *c*<sub>1</sub> mod *n*) = *SF*(ℓ − 4)<sub>1</sub> *with its binary-method result. Since they are not equal, d* ≠ 1011*.*

*(***Step 4***,* **Step 5***,* **Step 6***, and* **Step 7***) Finally let us determine d*<sub>ℓ−5</sub>*. We calculate SF*(ℓ − 5)<sub>*r*</sub> *assuming d*<sub>ℓ−5</sub> = 1 *for each c<sub>r</sub> (*1 ≤ *r* ≤ 8*) and obtain the scan signature SS*<sub>ℓ−5</sub> *(see Fig. 6 (e)). As Fig. 6 (e) shows, the scan signature SS*<sub>ℓ−5</sub> *becomes "11101101". Since SS*<sub>ℓ−5</sub> *exists in the bit patterns of the scanned data sd<sub>r</sub>* (1 ≤ *r* ≤ 8)*, we can determine that d*<sub>ℓ−5</sub> *is equal to one, i.e., d*<sub>ℓ−5</sub> = 1*. Now we assume that d* = 1011**1***. We compare m*(ℓ − 5) = (*m*(ℓ − 4)<sup>2</sup> × *c*<sub>1</sub> mod *n*) = *SF*(ℓ − 5)<sub>1</sub> *with its binary-method result. Since they are equal, we find that the secret exponent d is* 10111 *and the significant key length* ℓ *is five.*

Fig. 6. Example of scan signatures (panels (a)–(e): the scan signatures *SS*<sub>ℓ−1</sub>, ··· , *SS*<sub>ℓ−5</sub> obtained from *SF*(ℓ − 1)<sub>*r*</sub>, ··· , *SF*(ℓ − 5)<sub>*r*</sub> for 1 ≤ *r* ≤ 8).


*(***Step 4***,* **Step 5***,* **Step 6***, and* **Step 7***) Finally let us determine d*<sup>−</sup>5*. We calculate SF*( − <sup>5</sup>)*<sup>r</sup> assuming <sup>d</sup>*<sup>−</sup><sup>5</sup> = <sup>1</sup> *for each cr (*<sup>1</sup> ≤ *<sup>r</sup>* ≤ <sup>8</sup>*) and obtain the scan signature SS*<sup>−</sup><sup>5</sup> *(see Fig. 6 (e)). As Fig. 6*

mod *n*) = *SF*( − 3)<sup>1</sup> *with its binary method result. In case they are not equal, d* �= 101*.*

mod *n*) = *SF*( − 4)<sup>1</sup> *with its binary method result. In case they are not equal, d* �= 1011*.*

mod *n*) *with its binary method result. In case they are not equal, d* �= 10*.*

8 bits

*Fig. 5).*

sd = sd = sd = sd = sd = sd = sd = sd =

Fig. 5. Scanned data example.

*case they are not equal, d* �= 1*.*

Fig. 6. Example of scan signatures.

*(e) shows, the scan signature SS*<sup>−</sup><sup>5</sup> *becomes "11101101". Since we find out that the scan signature SS*<sup>−</sup><sup>5</sup> *exists in bit patterns of scanned data sdr* (<sup>1</sup> ≤ *<sup>r</sup>* ≤ <sup>8</sup>)*, we can determine that d*<sup>−</sup><sup>5</sup> *is equal to one, i.e., d*<sup>−</sup><sup>5</sup> <sup>=</sup> <sup>1</sup>*. Now we assume that d* <sup>=</sup> <sup>1011</sup>**1***. We compare m*( <sup>−</sup> <sup>5</sup>)=(*m*( <sup>−</sup> <sup>4</sup>)<sup>2</sup> <sup>×</sup> *<sup>c</sup>*<sup>1</sup> mod *n*) = *SF*( − 5)<sup>1</sup> *with its binary method result. In case they are equal to each other, we find that the secret exponent d is* 10111 *and a significant bit is five.*
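The bit-by-bit recovery above tracks the left-to-right binary method directly. A minimal Python sketch with toy parameters (the modulus and ciphertext below are assumptions for illustration, not values from the chapter):

```python
# Left-to-right binary method (square-and-multiply), as used by the target
# RSA circuit. Each intermediate value m(i) depends on the exponent prefix
# processed so far, which is what lets the attack pin down d bit by bit.
def binary_method_trace(c, d_bits, n):
    """Return the intermediate value after each exponent bit is processed."""
    m = 1
    trace = []
    for bit in d_bits:
        m = (m * m) % n      # squaring step, performed for every bit
        if bit == 1:
            m = (m * c) % n  # extra multiply only when the bit is one
        trace.append(m)
    return trace

n, c = 187, 123                                     # toy modulus and message
trace = binary_method_trace(c, [1, 0, 1, 1, 1], n)  # d = 10111

# Each guessed prefix of d predicts the next intermediate value: e.g. since
# d-2 = 0, m(-2) must equal m(-1)^2 mod n, with no multiply by c.
assert trace[1] == (trace[0] * trace[0]) % n
# The final intermediate value equals c^d mod n with d = 0b10111 = 23.
assert trace[-1] == pow(c, 0b10111, n)
```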

Table 3. Secret exponent example (the 4-th 1,024-bit secret exponent *d*):

0x3AD29CF2FC6CB6B0C010B17DF98C5081 4E4585225AC42E8ECB7BB1847498D62F BA696CDD226EE9195F4E58A89321721F 021C4511E6C994301363706058FF3765 E29EEBA03E370A201BA5B60A356682A5 1D05EE10DF8CB75D7B4578B3D29A515E 2F86DEC487AB6BCD88C7351908D71851 6C11B2419BD8C05739214E6CF44D12F

Scan-Based Side-Channel Attack on the RSA Cryptosystem 177

Table 4. Experimental results.

| Key bit length [bit] | 1,024 | 2,048 | 4,096 |
|---|---|---|---|
| # of retrieved secret exponents | 1,000 | 1,000 | 100 |
| # of required messages (average) | 29.5 | 32 | 37 |


### **4.3 Possibility of successfully retrieving a secret key**

Suppose that the scan path is *α* bits long and that *T* cycles are required to obtain the binary method result. Assume that the scanned data are completely random.

Even though *SF*(*i*)*<sup>r</sup>* for 1 ≤ *r* ≤ *N* is not calculated in the target RSA circuit, its scan signature may still appear in the scanned data by chance. When *αT* < 2<sup>*N*</sup>, the probability that the scan signature *SSi* corresponding to *SF*(*i*)*<sup>r</sup>* appears somewhere in the bit patterns of the scanned data *sdr* (1 ≤ *r* ≤ *N*) is approximately *αT*/2<sup>*N*</sup>, even though *SF*(*i*)*<sup>r</sup>* is never actually computed.

A sufficiently large *N* decreases the probability that we mistakenly find the scan signature *SSi* in the scanned data. For instance, if *α* is 3,072, *T* is 1,024, and *N* is 30<sup>3</sup>, then the probability of mistakenly finding the scan signature *SSi* in the scanned data is 3,072 × 1,024/2<sup>30</sup> ≈ 2.93 × 10<sup>−3</sup>. If *α* is 6,144, *T* is 2,048, and *N* is 35, then the probability of mistakenly finding the scan signature *SSi* in the scanned data is 6,144 × 2,048/2<sup>35</sup> ≈ 3.66 × 10<sup>−4</sup>.
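The two probabilities above can be reproduced directly from the estimate *αT*/2<sup>*N*</sup> (a sketch; only the parameter names from the text are used):

```python
# Probability that an N-bit scan signature matches somewhere inside
# alpha*T uniformly random scanned bits: about alpha*T / 2^N
# (a union bound, valid when alpha*T < 2^N).
def false_match_prob(alpha, T, N):
    return alpha * T / 2 ** N

p1 = false_match_prob(3072, 1024, 30)  # 1,024-bit case: ~2.93e-3
p2 = false_match_prob(6144, 2048, 35)  # 2,048-bit case: ~3.66e-4
```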

### **5. Experiments and analysis**

We have implemented our analysis method proposed in Section 4 in the C language on Red Hat Enterprise Linux 5.5 (AMD Opteron 2360 SE, 2.5 GHz, 16 GB of memory) and performed the following experiments:

1. First, we generated secret exponents randomly. One thousand of them have a bit length of 1,024, another thousand a bit length of 2,048, and the remaining one hundred a bit length of 4,096.
2. Next, we gave each of the secret exponents to the target RSA circuit based on Algorithm 1 and obtained scanned data. The target RSA circuit obtains binary method results in 1,024 cycles for a 1,024-bit secret exponent, in 2,048 cycles for a 2,048-bit one, and in 4,096 cycles for a 4,096-bit one. The scan path length is 3,072 bits for a 1,024-bit secret exponent, 6,144 bits for a 2,048-bit one, and 12,192 bits for a 4,096-bit one. The total size of the obtained scanned data is therefore 3,072 × 1,024 = 3,145,728 bits for a 1,024-bit secret exponent, 6,144 × 2,048 = 12,582,912 bits for a 2,048-bit one, and 12,192 × 4,096 = 49,938,432 bits for a 4,096-bit one.
3. Finally, we retrieved each of the secret exponents with our proposed analysis method using the obtained scanned data.

Fig. 7 and Table 4 show the results. Fig. 7 shows the number *N* of messages required to retrieve each secret exponent. For example, the 4-th 1,024-bit secret exponent is shown in Table 3. To retrieve this secret exponent, we need 29 messages, i.e., *N* = 29: we successfully retrieve it using 29 messages but fail using 28 messages or fewer.

Throughout this experiment, the required number of messages is approximately 29.5 on average for 1,024-bit secret exponents, approximately 32 for 2,048-bit secret exponents, and approximately 37 for 4,096-bit secret exponents. The running time is 98.3 seconds to retrieve a 1,024-bit secret exponent and 634.0 seconds to retrieve a 2,048-bit secret exponent.

<sup>3</sup> These values are derived from the experiments in Section 5.
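The scanned-data totals in step 2 follow from multiplying the scan path length by the cycle count; a quick check:

```python
# Total scanned data per key length: scan-path length (bits) times the
# number of cycles, since one full scan-out is captured every cycle.
cases = {1024: (3072, 1024), 2048: (6144, 2048), 4096: (12192, 4096)}
totals = {bits: path * cycles for bits, (path, cycles) in cases.items()}
# e.g. totals[1024] is 3,145,728 bits, matching the figure in step 2.
```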



Fig. 7. Number of required messages to retrieve secret exponents.

### **6. Discussions**

We now consider the secure scan architectures proposed so far against our proposed scan-based attack.

Firstly, the secure scan architecture proposed in (Sengar et al., 2007) cannot prevent our proposed method from retrieving a secret key. (Sengar et al., 2007) inserts inverters into the scan path to invert the scanned data. However, since the inverted positions in the scanned data are always fixed, the value sequence of a 1-bit register is at most changed to its inverted value. By checking whether *SSi* or its inverted value exists in the scanned data, our proposed method can easily make this countermeasure ineffective.
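A sketch of this check (the bit strings below are hypothetical example data, not taken from the chapter):

```python
# If the inverter positions on the scan path are fixed, each 1-bit register
# sequence (its scan signature) appears in the scanned data either as-is or
# bitwise-inverted. Testing both candidates neutralizes the countermeasure.
def signature_present(signature, scanned_columns):
    inverted = signature.translate(str.maketrans("01", "10"))
    return any(col in (signature, inverted) for col in scanned_columns)

columns = ["00010110", "01101110"]               # register sequences, post-inverter
found = signature_present("11101001", columns)   # matches "00010110" inverted
```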

Inoue's secure scan architecture (Inoue et al., 2009) adds unrelated data to the scanned data to confuse attackers. However, the positions at which unrelated data are added are fixed and, to reduce area overhead, not every bit is necessarily confused. If the register storing the scan signature *SSi* is not confused, our proposed method can easily make this countermeasure ineffective, too.

Secondly, (Chandran & Zhao, 2009; Gomułkiewicz et al., 2006; Hely et al., 2005; 2006; 2007; Lee et al., 2006; 2007; Paul et al., 2007; Yang et al., 2006) require authentication to transfer

between system mode and test mode, and their security depends on the authentication methods. If the authentication were broken through and attackers could obtain scanned data, a secret key in an RSA circuit could be retrieved using our proposed method. We consider authentication strength to be a separate issue from the purpose of this chapter.

Finally, (Mukhopadhyay et al., 2005; Sengar et al., 2007; Shi et al., 2008) use a compactor so as not to output scanned data corresponding to registers directly. (Doulcier et al., 2007) proposes an AES-based BIST, with which no scan path test is needed. However, whether these methods can be applied effectively to an RSA circuit is unclear, because they have been implemented only on an AES circuit or on a sample circuit not intended for cryptography.

### **7. Concluding remarks**

Our proposed scan-based attack can effectively retrieve a secret key in an RSA circuit, since we focus on the variation of a single bit of the intermediate values, named a scan signature. By monitoring it in the scan path, we can find the register position specific to the intermediate values. The experimental results demonstrate that a 1,024-bit secret key can be retrieved using 29.5 messages on average, a 2,048-bit secret key using 32 messages, and a 4,096-bit secret key using 37 messages.

In the future, we will develop a new scan-based side-channel attack against compressed scan data for RSA. In this chapter we have picked up only one RSA LSI implementation, but other implementations are available, such as (Miyamoto et al., 2008). We will attack these RSA implementations and try to retrieve their secret keys. Developing countermeasures against the proposed scan-based side-channel attack is another future work.

### **8. References**

Boneh, D.; DeMillo, R. A. & Lipton, R. J. (1997). On the importance of checking cryptographic protocols for faults, *Proceedings of Advances in Cryptology - EUROCRYPT '97*, Lecture Notes in Computer Science, Vol. 1233, pp. 37–51.

Brier, E.; Clavier, C. & Olivier, F. (2004). Correlation power analysis with a leakage model, *Proceedings of Cryptographic Hardware and Embedded Systems 2004*, Lecture Notes in Computer Science, Vol. 3156, pp. 16–29.

Chandran, U. & Zhao, D. (2009). SS-KTC: a high-testability low-overhead scan architecture with multi-level security integration, *Proceedings of 27th IEEE VLSI Test Symposium*, pp. 321–326.

Doulcier, M.; Flottes, M. L. & Rouzeyre, B. (2007). AES-based BIST: self-test, test pattern generation and signature analysis, *Proceedings of 25th IEEE VLSI Test Symposium*, pp. 94–99.

Gomułkiewicz, M.; Nikodem, M. & Tomczak, T. (2006). Low-cost and universal secure scan: a design-architecture for crypto chips, *Proceedings of International Conference on Dependability of Computer Systems*, pp. 282–288.

Hely, D.; Bancel, F.; Flottes, M. L. & Rouzeyre, B. (2005). Test control for secure scan designs, *Proceedings of European Test Symposium*, pp. 190–195.

Hely, D.; Bancel, F.; Flottes, M. L. & Rouzeyre, B. (2006). Secure scan techniques: a comparison, *Proceedings of 12th IEEE International On-Line Testing Symposium*, pp. 119–124.

Hely, D.; Bancel, F.; Flottes, M. L. & Rouzeyre, B. (2007). Securing scan control in crypto chips, *Journal of Electronic Testing*, pp. 457–464.

Inoue, M.; Yoneda, T.; Hasegawa, M. & Fujiwara, H. (2009). Partial scan approach for secret information protection, *Proceedings of European Test Symposium*, pp. 143–148.

Koblitz, N. (1987). Elliptic curve cryptosystems, *Mathematics of Computation*, Vol. 48, pp. 203–209.

Kocher, P. C. (1996). Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, *Proceedings of Advances in Cryptology - CRYPTO '96*, Lecture Notes in Computer Science, Vol. 1109, pp. 104–113.

Kocher, P. C.; Jaffe, J. & Jun, B. (1999). Differential power analysis, *Proceedings of 19th Annual International Cryptology Conference on Advances in Cryptology*, pp. 388–397.

Lee, J.; Tehranipoor, M. & Plusquellic, J. (2006). A low-cost solution for protecting IPs against scan-based side-channel attacks, *Proceedings of 24th IEEE VLSI Test Symposium*, pp. 94–99.

Lee, J.; Tehranipoor, M.; Patel, J. & Plusquellic, J. (2007). Securing designs against scan-based side-channel attacks, *IEEE Transactions on Dependable and Secure Computing*, pp. 325–336.

Messerges, T. S.; Dabbish, E. A. & Sloan, R. H. (1999). Power analysis attacks of modular exponentiation in smartcards, *Proceedings of Workshop on Cryptographic Hardware and Embedded Systems*, Lecture Notes in Computer Science, Vol. 1717, pp. 144–157.

Miller, V. (1986). Uses of elliptic curves in cryptography, *Advances in Cryptology*, ed. H. Williams, pp. 417–426.

Miyamoto, A.; Homma, N.; Aoki, T. & Satoh, A. (2008). Systematic design of high-radix Montgomery multipliers for RSA processors, *Proceedings of IEEE International Conference on Computer Design (ICCD 2008)*, pp. 416–421.

Mukhopadhyay, D.; Banerjee, S.; RoyChowdhury, D. & Bhattacharya, B. B. (2005). CryptoScan: a secured scan path architecture, *Proceedings of 14th Asian Test Symposium*, pp. 348–358.

Nara, R.; Togawa, N.; Yanagisawa, M. & Ohtsuki, T. (2009). A scan-based side-channel attack based on scan signatures for AES cryptosystems, *IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, Vol. E92-A, No. 12, pp. 3229–3237.

Nara, R.; Togawa, N.; Yanagisawa, M. & Ohtsuki, T. (2011). Scan vulnerability in elliptic curve cryptosystems, *IPSJ Transactions on System LSI Design Methodology*, Vol. 4, Sep., pp. 47–59.

Paul, S.; Chakraborty, R. S. & Bhunia, S. (2007). Vim-scan: a low overhead scan design approach for protection of secret key in scan-based secure chips, *Proceedings of the 25th IEEE VLSI Test Symposium*, pp. 455–460.

Rivest, R. L.; Shamir, A. & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems, *Communications of the ACM*, Vol. 21, pp. 120–126.

Schramm, K.; Wollinger, T. & Paar, C. (2003). A new class of collision attacks and its application to DES, *T. Johansson (ed.) FSE 2003*, Lecture Notes in Computer Science, Vol. 2887, pp. 206–222.

Sengar, G.; Mukhopadhyay, D. & Chowdhury, D. R. (2007). Secured flipped scan-path model for crypto-architecture, *IEEE Transactions on Very Large Scale Integration (VLSI) Systems*, Vol. 26, No. 11, pp. 2080–2084.

Sengar, G.; Mukhopadhyay, D. & RoyChowdhury, D. (2007). An efficient approach to develop secure scan tree for crypto-hardware, *Proceedings of 15th International Conference of Advanced Computing and Communications*, pp. 21–26.

Shi, Y.; Togawa, N.; Yanagisawa, M. & Ohtsuki, T. (2008). A secure test technique for pipelined advanced encryption standard, *IEICE Transactions on Information and Systems*, Vol. E91-D, No. 3, pp. 776–780.

Silverman, R. D. (2002). Has the RSA algorithm been compromised as a result of Bernstein's paper? http://www.rsa.com/rsalabs/node.asp?id=2007, RSA Laboratories, April 8.

Stein, J. (1967). Computational problems associated with Racah algebra, *Journal of Computational Physics*, Vol. 1, pp. 397–405.

Yang, B.; Wu, K. & Karri, R. (2004). Scan based side-channel attack on dedicated hardware implementations of data encryption standard, *Proceedings of The International Test Conference*, pp. 339–344.

Yang, B.; Wu, K. & Karri, R. (2006). Secure scan: a design-for-test architecture for crypto chips, *IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems*, Vol. 25, No. 10, pp. 2287–2293.

180 Cryptography and Security in Computing

**9**

## **PGP Protocol and Its Applications**

Hilal M. Yousif Al-Bayatti<sup>1</sup>, Abdul Monem S. Rahma<sup>2</sup> and Hala Bhjat Abdul Wahab<sup>2</sup>

*<sup>1</sup>Applied Science University, Kingdom of Bahrain*
*<sup>2</sup>Computer Science Department, University of Technology, Baghdad, Iraq*

### **1. Introduction**

Every few years, computer security has to re-invent itself. New technologies and new applications bring new threats; in particular, with the ever-increasing growth of data communication, the need for security and privacy has become a necessity. Cryptography and data security are an essential requirement for communication privacy. One of the newest hot spots in security research is curve security. The forms produced by graphic systems are much harder to counterfeit, especially when the counterfeiter has no information about the algorithm and the data that are used to design the shape.

The main goal of this chapter is to combine curve security methods with cryptographic algorithms in order to increase the capability of cryptography. The weakness of a cryptographic key generated from a normal color image is clear, owing to the similarity of neighbouring pixel values in an image. This leads us to propose in this chapter a new method to generate a cryptographic key from generated (2D & 3D) mathematical models (digital images), clipping the key according to the algorithm and the data of curve generation.

### **2. Key management cryptographic systems**

### **2.1 Conventional encryption**

Conventional encryption has benefits; most notably speed. It is especially useful for encrypting data which will not be transmitted. However, conventional encryption alone, as a means for transmitting secure data, can be expensive simply due to the difficulty of secure key distribution (Droste, 1996). For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must trust a courier or some other secure communications medium to prevent the disclosure of the secret key during transmission (Sauer & Chandy, 1981).

### **2.2 Public-key cryptography**

The concept of public-key cryptography was introduced in 1976 by Whitfield Diffie and Martin Hellman and, independently, by Ralph Markle, to solve the key management problem in secret-key cryptography. Each person receives a pair of different but related

PGP Protocol and Its Applications 183

Several techniques have been proposed for the distribution of public keys. Almost all these

Once public keys have been distributed or have become accessible, secure communication that thwarts eavesdropping, tampering, or both is possible. However, few users will wish to make exclusive use of public-key encryption for communication because of the relatively slow data rates that can be achieved. Accordingly, public-key encryption allows the

A further application of public-key encryption used to distribute secret keys is a hybrid approach based on IBM mainframes .This scheme retains the use of a key distribution centre (KDC) that shares a secret master key with each user and distributes secret session keys encrypted with the master key. A public key scheme is used to distribute the master keys.

**Performance**: There are many applications, especially transaction-oriented applications, in which the session keys change frequently. Distribution of session keys by public-key encryption could degrade overall system performance because of the relatively high computational load of public-key encryption and decryption. With a three-level hierarchy, public-key encryption is

**Backward compatibility**: The hybrid scheme is easily overlaid on an existing KDC scheme, with minimal disruption or software changes. The addition of a public-key layer provides a secure, efficient means of distributing master keys. This is of advantage in a configuration

Pretty Good Privacy (PGP) is a public key system for encrypting electronic mail using the RSA public key cipher (Schaefer, 1999). PGP is a hybrid cryptosystem and combines some of the

1. The distribution of public keys

**2.3.1 Distribution of public keys** 

For more details see (Stalings,2005).

1. Simple Secret Key Distribution

**2.3.3 A hybrid schema** 

3. A hybrid schema

1. Public announcement 2. Publicly available directory 3. Public-key authority 4. Public-key certificates

2. The use of public-key encryption to distribute secret keys

proposals can be grouped within the following general schemes:

**2.3.2 Distribution of secret keys using public-key cryptography** 

distribution of secret keys to be used for conventional encryption.

2. Secret Key Distribution with Confidentiality and Authentication.

The following rationale is provided for using this three-level approach:

used only occasionally to update the master key between a user and the KDC.

where a single KDC serves a widely distributed set of users.

**3. Cryptographic protocol (Pretty Good Privacy)** 

keys; the public-key and the private key (Schneir, 1996). The public key is published, while the private key is kept secret. Anyone can send a confidential message using public information, but the message can only decrypted by someone who has the private key. It is not possible to determine the secret key from the public key.

Public-key cryptography is based on the idea of a trapdoor function:

$$\begin{array}{c} \bullet \quad f:X \to Y \\ \end{array}$$


Public-key cryptography ensures a secret key exists between communicating parties, without the need to distribute secret keys. The most famous public-key cryptosystem is that devised by Rivest et al. (RSA). The RSA scheme relies on the inability to factor n where n=pq; p and q are large strong prime numbers, and when p and q are of roughly equal length, the modules become harder to factor. Factoring is assumed to be a difficult problem upon which several public-key cryptosystems are based. However, no known polynomial time algorithm can decipher the keys using the public information.

In RSA, algorithm encryption and decryption take the following forms:

$$\begin{aligned} \text{C} &= \text{M}^{\epsilon} \mod n \\\\ \text{M} &= \text{C}^{d} \mod n \end{aligned}$$

Where *M*: plain text, *C*: cipher text, *e*: encryption key, and *d*: decryption key. Finding the factors of an RSA modulus depends on finding the encryption key. If an adversary discovers the factors of *n*, he or she can easily compute the decryption key using the following steps (Guan, 1987):

$$n = p \times q$$

$$\theta(n) = (p-1)(q-1) \text{ , then }$$

$$d = e^{-1} \bmod \theta(n)$$
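The steps above can be sketched with small illustrative numbers. The primes and exponent below are toy assumptions chosen only to make the arithmetic visible; real RSA uses strong primes hundreds of digits long:

```python
# Toy RSA key derivation following the steps above.
# p, q and e are illustrative assumptions, not realistic parameters.
p, q = 61, 53
n = p * q                      # n = p x q
theta = (p - 1) * (q - 1)      # theta(n) = (p - 1)(q - 1)
e = 17                         # public encryption key, gcd(e, theta(n)) = 1
d = pow(e, -1, theta)          # d = e^(-1) mod theta(n)  (Python 3.8+)

M = 65                         # plaintext encoded as an integer < n
C = pow(M, e, n)               # C = M^e mod n
assert pow(C, d, n) == M       # M = C^d mod n recovers the plaintext
```

Note that the modular inverse is taken modulo θ(*n*), not modulo *n*: that is exactly why knowing the factors of *n* (and hence θ(*n*)) breaks the scheme.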

The RSA algorithm has the following characteristics (Menezes et al., 1996):

1. Either of the two keys can be used for encryption, with the other used for decryption.
2. It is computationally infeasible to determine the decryption key given only knowledge of the algorithm and the encryption key.


### **2.3 Use of multi keys (huge) in a public-key cryptography system**

One of the major roles of public-key encryption has been to address the problem of key distribution. There are two distinct aspects involving the use of public-key cryptography in this regard: the distribution of public keys, and the use of public-key encryption to distribute secret keys.


182 Cryptography and Security in Computing



### **2.3.1 Distribution of public keys**

Several techniques have been proposed for the distribution of public keys. Almost all these proposals can be grouped within the following general schemes:


For more details see (Stallings, 2005).

### **2.3.2 Distribution of secret keys using public-key cryptography**

Once public keys have been distributed or have become accessible, secure communication that thwarts eavesdropping, tampering, or both is possible. However, few users will wish to make exclusive use of public-key encryption for communication because of the relatively slow data rates that can be achieved. Accordingly, public-key encryption allows the distribution of secret keys to be used for conventional encryption; one such approach is secret key distribution with confidentiality and authentication.


### **2.3.3 A hybrid schema**

A further application of public-key encryption used to distribute secret keys is a hybrid approach based on IBM mainframes. This scheme retains the use of a key distribution centre (KDC) that shares a secret master key with each user and distributes secret session keys encrypted with the master key. A public-key scheme is used to distribute the master keys. The following rationale is provided for using this three-level approach:

**Performance**: There are many applications, especially transaction-oriented applications, in which the session keys change frequently. Distribution of session keys by public-key encryption could degrade overall system performance because of the relatively high computational load of public-key encryption and decryption. With a three-level hierarchy, public-key encryption is used only occasionally to update the master key between a user and the KDC.

**Backward compatibility**: The hybrid scheme is easily overlaid on an existing KDC scheme, with minimal disruption or software changes. The addition of a public-key layer provides a secure, efficient means of distributing master keys. This is of advantage in a configuration where a single KDC serves a widely distributed set of users.

### **3. Cryptographic protocol (Pretty Good Privacy)**

PGP Protocol and Its Applications 185

Pretty Good Privacy (PGP) is a public key system for encrypting electronic mail using the RSA public key cipher (Schaefer, 1999). PGP is a hybrid cryptosystem and combines some of the best features of both conventional and public-key cryptography. When a user encrypts plaintext, PGP first compresses that plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. The majority of cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis (files which are too short to compress or which do not compress well are not compressed). PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of the mouse and the keystrokes. The session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient. Figure (1) shows the send process.

Fig. 1. Send Process.

Decryption works in the reverse way. The recipient's copy of PGP uses his or her private key to recover the session key, which PGP then uses to decrypt the conventionally encrypted ciphertext. Figure (2) shows the receiving process.

Fig. 2. Receive Process.

The combination of the two encryption methods combines the convenience of public-key encryption with the speed of conventional encryption. Conventional encryption is approximately 10,000 times faster than public-key encryption. Public-key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any compromise in security.
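The send/receive flow above can be sketched in a few lines. The SHA-256-based stream cipher and the tiny RSA numbers below are stand-in assumptions for demonstration only; actual PGP uses full-strength conventional ciphers (e.g. IDEA, CAST, AES) and full-size RSA keys:

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher standing in for PGP's fast conventional algorithm:
    # XOR the data with a SHA-256 counter-mode keystream.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, out))

# Recipient's toy RSA key pair (assumed small demo values).
p, q, e = 61, 53, 17
n = p * q
d = pow(e, -1, (p - 1) * (q - 1))

# --- Send: a random one-time session key encrypts the message,
#     and the recipient's public key wraps the session key.
plaintext = b"attack at dawn"
session_key = secrets.token_bytes(1)   # toy size so it fits below n; real keys are 16-32 bytes
wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
ciphertext = keystream_xor(session_key, plaintext)

# --- Receive: unwrap the session key with the private key, then decrypt.
recovered_key = pow(wrapped_key, d, n).to_bytes(1, "big")
assert keystream_xor(recovered_key, ciphertext) == plaintext
```

The design point the text makes is visible here: the slow public-key operation touches only the short session key, while the bulk data goes through the fast conventional cipher.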

### **4. Generating random digital images**

### **4.1 Introduction**


Computer graphics is a topic of rapidly growing importance in the field of information technology. It has always been one of the most visually spectacular branches of computer technology, producing images whose appearance and motion make them quite unlike any other form of computer output. Computer graphics are also an extremely effective medium for communication between man and computer; the human eye can absorb the information content of a diagram or perspective view much faster than it can scan a table of numbers (Demel & Miller, 1984).

It is important to achieve consensus about what *computer graphics* and *visualisation* are. The word *graphics* is associated with charts, graphs, images, pictures and patterns, often in the context of art, design or animation; *visualisation* is the process of converting data into images (Gomes & Velho, 1997). In order to understand computer graphics, we must study the methods used to create and structure data in the computer, as well as the methods for turning these into images. These two steps correspond to the two main areas of research in computer graphics: modelling and visualisation (Egerton & Hall, 1998). Computer graphics are pictures generated by a computer (Hill, 2000).

### **4.2 Curve fitting generation**

There are two main classes of curve generation algorithms:

Firstly, algorithms that interpolate the control points: the algorithm returns points along a curve which pass exactly through the control points at specific instants and form a smooth curve for points in between.

Secondly, algorithms that approximate the control points: this algorithm returns points from a curve that are attracted toward each control point in turn, but do not actually pass through all of them (Hill, 2000).

### **4.3 Interpolation techniques**

Interpolation techniques are of great importance in numerical analysis since they are widely used in a variety of science and engineering domains where numerical methods are the only way to predict the value of tabulated functions for new input data. There are three reasons for using interpolation: firstly, interpolation methods are the basis of many other procedures, such as numerical differentiation, integration and solution methods for ordinary and partial differential equations. Secondly, these methods demonstrate important theories about polynomials and the accuracy of numerical methods. Thirdly, interpolating with polynomials serves as an excellent introduction to techniques for drawing smooth curves.

Several methods of interpolation and approximation exist, some of which are:


### **4.3.1 Lagrangian polynomials**

The Lagrange polynomial is the simplest way to exhibit the existence of a polynomial for interpolation with unevenly spaced data. The Lagrange interpolating polynomial *L<sub>N,K</sub>* has degree *N* and is one at *x* = *x<sub>K</sub>* and zero at *x* = *x<sub>j</sub>* for *j* ≠ *K*, where

$$\begin{aligned} L_{N,K}(x) &= \frac{(x - x_0)(x - x_1)\cdots(x - x_{K-1})(x - x_{K+1})\cdots(x - x_N)}{(x_K - x_0)(x_K - x_1)\cdots(x_K - x_{K-1})(x_K - x_{K+1})\cdots(x_K - x_N)} \\ &= \frac{\prod\_{\substack{j=0\\j\neq K}}^N (x - x_j)}{\prod\_{\substack{j=0\\j\neq K}}^N (x_K - x_j)} \end{aligned} \tag{1}$$

Note that *K* = 0, 1, 2, 3, …, *N*.

The interpolating polynomial may be written:

$$P\_N(\mathbf{x}) = \sum\_{K=0}^{N} y\_K L\_{N,K}(\mathbf{x}) = y\_0 L\_{N,0}(\mathbf{x}) + y\_1 L\_{N,1}(\mathbf{x}) + \dots + y\_N L\_{N,N}(\mathbf{x}) \tag{2}$$

It is just a linear combination of the Lagrange interpolation polynomials *L<sub>N,K</sub>*(*x*) with the *y<sub>K</sub>* as the coefficients (Goldman, 2002).
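Equations (1) and (2) translate directly into code. The sample points below are arbitrary unevenly spaced example data, not values from the text:

```python
# Evaluate the Lagrange basis L_{N,K}(x) of eq. (1) and the
# interpolant P_N(x) of eq. (2).

def lagrange_basis(xs, K, x):
    # Product over j != K of (x - x_j) / (x_K - x_j).
    result = 1.0
    for j, xj in enumerate(xs):
        if j != K:
            result *= (x - xj) / (xs[K] - xj)
    return result

def interpolate(xs, ys, x):
    # P_N(x) = sum over K of y_K * L_{N,K}(x).
    return sum(y * lagrange_basis(xs, K, x) for K, y in enumerate(ys))

xs = [0.0, 1.0, 2.5, 4.0]     # unevenly spaced abscissae (example data)
ys = [1.0, 2.0, 0.5, 3.0]

# The interpolant passes exactly through every sample point, and the
# basis is 1 at x_K and 0 at the other nodes, as eq. (1) states.
for xk, yk in zip(xs, ys):
    assert abs(interpolate(xs, ys, xk) - yk) < 1e-12
assert abs(lagrange_basis(xs, 1, xs[1]) - 1.0) < 1e-12
assert abs(lagrange_basis(xs, 1, xs[0])) < 1e-12
```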

### **4.3.2 B-spline polynomials**

Although Bezier curves and surfaces are well suited to many shape-modelling problems, complex geometric constructions are required to guarantee continuity when piecing curves together (Harrington, 1987). The use of spline functions avoids this by using mathematical constraints to allow only those curves that possess the required continuity at joints. The B-spline function generates a curve section which has continuous slopes so that they fit together smoothly: see figure (3).

Fig. 3. B-Spline curve segment.

A B-spline of order *k* = 3 consisting of *n* − *k* + 2 segments is defined by a linear combination of basis functions *C<sub>i</sub>* using *n* + 1 control points *v<sub>i</sub>*:


$$C\_i(\mu) = b\_{-1}(\mu)v\_{i-1} + b\_0(\mu)v\_i + b\_1(\mu)v\_{i+1} + b\_2(\mu)v\_{i+2} \tag{3}$$

Where the base functions are defined by (Pham, 1988):

$$\begin{aligned} b\_{-1}(\mu) &= 1 \;/\; 6(-\mu^3 + 3\mu^2 - 3\mu + 1) \\ b\_0(\mu) &= 1 \;/\; 6(3\mu^3 - 6\mu^2 + 4) \\ b\_1(\mu) &= 1 \;/\; 6(-3\mu^3 + 3\mu^2 + 3\mu + 1) \\ b\_2(\mu) &= 1 \;/\; 6\mu^3 \end{aligned}$$

A B-spline curve exhibits local control: a control point is connected to four segments (in the case of a cubic) and moving a control point can influence only these segments. Figure (4) shows the effect of changing control point P1. This pulls the segments of the curve in the appropriate direction and also affects, to a lesser extent, neighbouring parts of the curve, demonstrating the important locality property of B-splines (Watt, 1999).

Fig. 4. The effect of changing the position of control point P1.
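A segment of equation (3) can be evaluated directly from the basis functions above (using the standard uniform cubic B-spline basis, with constant term +1 in b₋₁). The control polygon below is example data:

```python
# Evaluate one cubic B-spline segment C_i(mu) from eq. (3).

def basis(mu):
    # Uniform cubic B-spline basis functions (Pham, 1988).
    b_m1 = (-mu**3 + 3*mu**2 - 3*mu + 1) / 6
    b_0  = (3*mu**3 - 6*mu**2 + 4) / 6
    b_1  = (-3*mu**3 + 3*mu**2 + 3*mu + 1) / 6
    b_2  = mu**3 / 6
    return b_m1, b_0, b_1, b_2

def segment(ctrl, i, mu):
    # Segment i blends the four control points v_{i-1} .. v_{i+2};
    # this is the locality property described above.
    bs = basis(mu)
    x = sum(b * ctrl[i - 1 + k][0] for k, b in enumerate(bs))
    y = sum(b * ctrl[i - 1 + k][1] for k, b in enumerate(bs))
    return x, y

pts = [(0, 0), (1, 2), (3, 3), (5, 1), (6, 0)]   # example control polygon
for mu in (0.0, 0.25, 0.5, 1.0):
    # Partition of unity: the four basis functions always sum to 1.
    assert abs(sum(basis(mu)) - 1.0) < 1e-12
print(segment(pts, 1, 0.5))   # a point pulled toward v_1 and v_2
```

The partition-of-unity check is a quick sanity test of the basis: with the constant term 2 instead of 1 in b₋₁ the weights would sum to 7/6 and the curve would drift away from its control polygon.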

### **5. Generating 2D and 3D digital images using curve fitting techniques**

A new method is proposed to generate 2D and 3D images using the parametric Lagrange curve and rolling circle movement.

### **5.1 Generating 2D images using the parametric Lagrange curve and rolling circle movement**

In this section a new method is proposed for generating a 2D image (digital image); it involves using a rolling circle moved around the parametric Lagrange curve as a tool for generating the digital image.

The image generated must have the following properties:

a. The image must not be regular; i.e. it does not contain identifiable objects or patterns and cannot be described to anyone by anybody.
b. Reproduction of the image by counterfeiters will be difficult or infeasible unless all the algorithms used to generate the image are known, as well as all the parameter values.
c. The image must have the property of random colour (pixel values), allowing the image to be used in the security field.

The process to generate such a 2D image consists of the following stages:

### **Stage One**

Initialise a 2D mesh of control points to generate a curve. Initialising a 2D mesh is achieved by selecting a set of control points according to a determined increment value between control points. This increment value, as well as those of the x-coordinate and y-coordinate, may be fixed or variable. These choices were all studied and the conclusion drawn was that the increment value plays an important role in the generated image, since any change in its value generates a new mesh of control points and will lead to a new image with new features. This property gives security to the image, because counterfeiters would have difficulty guessing the starting control points and the increment values of the x- or y-coordinates. Figure (5) shows an example of a 2D mesh of control points with equal increments to the x- and y-coordinates.

Fig. 5. Mesh of control points (p).

### **Stage Two**

The generated curve is then moved according to algorithm (1) through the 2D mesh initialised in stage one. This process is achieved by marking the control points on the mesh using a simple method, for example 1, 2, 3… etc., and entering the number of control points from the 2D mesh into a simple pseudo-random generator. The pseudo-random generator produces a set of numbers represented as addresses of the control points in the 2D mesh; it does this in a random way and these are used to generate (interpolate) the curve. Figure (6) shows two examples of marking a 2D mesh; figure (6a) shows a mesh of size (4×4) with control points, and figure (6b) shows a mesh of size (5×5).

Fig. 6. Examples for marking meshes of control points.

### **Stage Three**

After executing stage two, the generated image boundaries are determined. A large number of recursive pixels will be obtained and spread across the computer screen according to the isolation movement of the generated curve. Determining the image boundaries is achieved by deleting all the pixels outside the fixed boundaries of the image. The size of the image (boundaries) is kept secret between the sender and the receiver.

Described below is the proposed complete algorithm for generating a 2D image using a parametric Lagrange curve with a rolling circle moved around it.

### **5.1.1 Algorithm (1): Generate a 2D image**

Input: A first control point, an increment value (Inc), the size of the mesh of control points (N×N) and the desired image size.

Output: A generated 2D digital image.

Process:

Step 1. Initialise the mesh of control points according to the start control point, the increment value and the size of the mesh.
Step 2. Mark the control points of the mesh.
Step 3. Enter the number of marks into a simple pseudo-random generator.
Step 4. Take the sequence of output from the generator to represent the addresses of the set of control points in the mesh.
Step 5. Draw the parametric Lagrange curve with the rolling circle.
Step 6. Repeat step 4 with a new sequence of numbers, and step 5, until the recursive pixels cover the image size to be generated.
Step 7. Clip the image according to the size the user entered.
Step 8. Obtain the generated 2D image.
Step 9. End.
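The mesh-initialisation and address-selection steps can be sketched as follows. Drawing the Lagrange curve with the rolling circle and clipping are omitted, and the seed value is an assumption standing in for the secret parameters shared by sender and receiver:

```python
import random

# Sketch of the first steps of algorithm (1): build an N x N mesh from a
# start control point and an increment, mark the points 1..N*N, and use a
# simple pseudo-random generator to pick the addresses of the control
# points that will interpolate the curve.

def build_mesh(start, inc, n):
    # Step 1: control points at regular increments from the start point,
    # implicitly marked 1..n*n by their position in the list (step 2).
    x0, y0 = start
    return [(x0 + col * inc, y0 + row * inc)
            for row in range(n) for col in range(n)]

def random_addresses(n_points, count, seed):
    # Steps 3-4: feed the number of marks into a simple PRNG and read
    # back a sequence of control-point addresses.
    gen = random.Random(seed)
    return [gen.randrange(n_points) for _ in range(count)]

mesh = build_mesh(start=(0, 0), inc=10, n=4)       # 4x4 mesh as in figure (6a)
addresses = random_addresses(len(mesh), count=6, seed=42)
curve_ctrl = [mesh[a] for a in addresses]          # control points for the curve
assert len(mesh) == 16 and len(curve_ctrl) == 6
```

Because the generator is deterministic for a given seed, a receiver who knows the start point, increment, mesh size and seed can regenerate exactly the same control-point sequence.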



### **Example:**

In the following example a 2D image is generated using a mesh of size (25×25), with the same increment value for the x- and y-coordinates, equal to (10), a rolling-circle radius equal to (15), and a required image size of (256×256) pixels. Figure (7a) shows the random oscillation of the curve as it moves through the 2D mesh, which is due to the curve path moving out of the mesh boundary. Figure (7b) shows the final stage of generating the 2D image by clipping the image to (256×256) pixels.

Fig. 7. (a) The random oscillation curve movement through the 2D mesh, (b) image of size (256x256) pixels

### **5.2 Generating a 3D image**

This section introduces a new idea for generating a 3D image by inserting a third coordinate (z) into all the mathematical equations that were used to generate the 2D image. Generating a 3D image is very useful for increasing the key space and thus renders the process of estimating the key infeasible, because searching in 3D increases the number of possible control points the counterfeiter needs to estimate. In order to imagine working with 3D, it is suggested that the image be viewed as an empty cube which is to be filled completely with random-colour pixels; slices of the cube can then be clipped in different ways. A clipped slice from the three-dimensional image can be used directly as a secret key, or a curve can be clipped from this slice according to a secret set of control points using a parametric Bezier curve (control curve) to represent the secret key between the sender and receiver.

### **5.2.1 Proposed algorithm to move a 3D rolling circle around a 3D parametric Lagrange curve**

To create a parametric form of a 3D curve, it is necessary to invent three functions, x(.), y(.), z(.), and say that the curve is "at" P(t) = (x(t), y(t), z(t)) at time t (Hill, 2000). The circular helix is given parametrically by x(t) = cos(t), y(t) = sin(t) and z(t) = bt, for some constant b. The curve is illustrated in figure (8):


Fig. 8. Circular helix.

Many variations on the circular helix are possible. For example, the conical helix, with equation P (t) = (t cos (t), t sin (t), bt). Any 2D curve (x(t), y(t)) can, of course, be converted into a helix by appending z(t)= bt, or some other form for z(t).
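The two parametrisations above can be sampled directly; the pitch constant *b* and the sample parameters below are arbitrary example values:

```python
import math

# Points on the circular helix P(t) = (cos t, sin t, b t) and on the
# conical variant P(t) = (t cos t, t sin t, b t) described above.

def circular_helix(t, b):
    return (math.cos(t), math.sin(t), b * t)

def conical_helix(t, b):
    # Same construction with the 2D curve (t cos t, t sin t) lifted by z = b t.
    return (t * math.cos(t), t * math.sin(t), b * t)

b = 0.5                                   # assumed pitch constant
pts = [circular_helix(t, b) for t in (0.0, math.pi / 2, math.pi)]
x, y, z = pts[1]
assert abs(x) < 1e-12 and abs(y - 1.0) < 1e-12   # at t = pi/2: (0, 1, b*pi/2)
```

This is exactly the "append z(t) = bt" recipe from the text: any planar curve (x(t), y(t)) becomes a helix-like space curve once a monotone z component is attached.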

### **5.2.2 Algorithm2: (Move a 3D rolling circle around a 3D parametric Lagrange curve)**

Input: Take the triple data (New-xi, New-yi, New-zi), i = 0, …, h-1, that was computed in algorithm (1) to represent the circle centre coordinates (x-c, y-c, z-c), and the circle radius value.

Output: Move a 3D rolling circle around the 3D parametric Lagrange curve that was generated in algorithm (1).

Process:

Step 1. Set radius = 15, b = 10
Step 2. For i = 0 to h-1
        Set x-c = New-xi, y-c = New-yi, z-c = New-zi
        For index = 0 to 360
            X = radius*cos(index) + x-c
            Y = radius*sin(index) + y-c
            Z = index*b + z-c
Step 3.     Plot (X, Y, Z)
Step 4. Next index

Step 5. Next i

Step 6. End.
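A minimal Python sketch of algorithm (2), assuming the centre coordinates from algorithm (1) are available as a list of (x, y, z) triples; like the pseudocode, it steps the angle in degrees, converting to radians before applying cos/sin:

```python
import math

def roll_circle_3d(centres, radius=15.0, b=10.0):
    """Trace the 'rolling circle' (a helical sweep) around each centre
    point of the 3D Lagrange curve, as in Algorithm 2."""
    points = []
    for (xc, yc, zc) in centres:          # circle centre from algorithm (1)
        for index in range(361):          # 0..360 degrees
            angle = math.radians(index)
            x = radius * math.cos(angle) + xc
            y = radius * math.sin(angle) + yc
            z = index * b + zc            # z advances with the angle (helix)
            points.append((x, y, z))
    return points
```

Plotting the returned points instead of collecting them corresponds to the `Plot (X, Y, Z)` step.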

**5.2.3 Generating 3D image stages** 

In section (5.2.1) the method for generating the 3D image using 3D mathematical models was described, and the algorithms needed to perform this generation were explained. In addition, it was suggested that the 3D image resembles an empty cube, and the aim is to fill the cube completely with random colour pixels. This process involves a set of stages: initialising a 3D mesh of control points; marking the control points to produce a sequence of control points by using a pseudo-random generator; implementing algorithm (2) to move the 3D Lagrange curve with a 3D rolling circle through the 3D mesh of control points; deleting all the pixels outside the cube; and, finally, obtaining the cube (image) which is completely filled with random colour pixels. The following illustrates the stages for generating a 3D image:-

PGP Protocol and Its Applications 193

### **Stage One**

The 3D shape is to be divided into slides (planes); each slide is a 2D matrix whose axes are x and y, and the number of slides is equal to the depth of the shape along the z-axis. Figure (9) shows an example of an initialised 3D mesh.

Fig. 9. Initialised 3D mesh.

The initialising of a 3D mesh is achieved using the same algorithm that was used to generate the 2D mesh of control points, but by inserting the third coordinate (z) into the control point coordinates and determining the increment values of the x-, y- and z-coordinates. In addition, by changing the increment values of the x-, y- and z-coordinates, we obtain different types of 3D mesh control points, which makes the process of estimating the mesh more difficult for counterfeiters. Figure (10) shows an example of the cubic mesh (3D mesh) with equal increment values (x, y and z) between the control points.

Fig. 10. Example of cube mesh.

### **Stage Two**

Marking the 3D mesh is achieved by counting the 3D mesh control points. The cube mesh can be visualised as a set of 2D mesh slides marked with page numbers (z-coordinates), or as an array of three-dimensional coordinates.

### **Stage Three**

A pseudo-random generator is used to produce the random addresses of control points from the 3D mesh, which are then used as a set of control points to implement algorithm (2) for moving the 3D curve (parametric Lagrange curve) with the 3D rolling circle through the 3D mesh. Figure (11) shows an example of the curve moving through the 3D cube.

Fig. 11. Example of moving curve through cube.

### **Stage Four**

This stage eliminates all the pixels drawn outside the cube due to the isolation of the moving Lagrange curve. The deleting process aims to remove all the pixels outside the 3D shape, and this is implicitly implemented in the algorithm, which computes pixels and tests whether their coordinates are outside the boundaries of the 3D coordinates.

The complete algorithm below shows how to generate a 3D image using 3D mathematical models.

### **Algorithm 3: Generating a 3D Image Using 3D Mathematical Model**

**Input:** Identify the first control point, the increment value, the size of the mesh of control points (N×N×N) and the size of the 3D image that needs to be generated.

**Output:** Generate a 3D image and save the colour values in a 3D array of size (N×N×N).

Process:

Step 1. Initialise a 3D mesh of control points according to the starting control point, the increment value and the size of the 3D mesh.
Step 2. Mark the control points of the 3D mesh.
Step 3. Enter the number of marks from the 3D mesh into a simple pseudo-random generator.
Step 4. Take a sequence of numbers from the pseudo-random generator to represent the addresses of the control points in the mesh.
Step 5. Execute algorithms (1) and (2) to draw the parametric Lagrange curve with a rolling circle and save the resulting colour pixel values for points in a 3D array of size (N×N×N).
Step 6. Repeat step 4 with a new sequence of control point numbers, and step 5, until the cube is completely filled with random colour pixels.
Step 7. Delete all the pixels which were placed outside the cube due to the isolation of the moving curve.
Step 8. Obtain the 3D generated image.
Step 9. End.
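Stages One to Three above can be sketched in Python as follows; the function names, the seed parameter and the use of Python's `random` module as the "simple pseudo-random generator" are our assumptions for illustration:

```python
import random

def init_mesh_3d(start=(0, 0, 0), inc=(10, 10, 10), n=5):
    """Stage One: build an N x N x N mesh of control points from a
    starting control point and per-axis increment values."""
    x0, y0, z0 = start
    dx, dy, dz = inc
    return [(x0 + i * dx, y0 + j * dy, z0 + k * dz)
            for i in range(n) for j in range(n) for k in range(n)]

def pick_control_points(mesh, count, seed=42):
    """Stages Two/Three: mark the mesh points by index and let a seeded
    pseudo-random generator choose the addresses of the control points."""
    rng = random.Random(seed)
    addresses = [rng.randrange(len(mesh)) for _ in range(count)]
    return [mesh[a] for a in addresses]
```

The selected control points would then be fed to algorithms (1) and (2) as in step 5, repeating with new sequences until the cube is filled.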

192 Cryptography and Security in Computing




### **Example**

To explain the work of the algorithm, this example shows the implementation of algorithm (3). The example uses a 3D image of size (100×100×10) (i.e. 100,000 random colour pixels) and a 3D mesh of control points of size (50×50×50) (i.e. 125,000 control points), with equal increment values between the control points. Figure (12) shows the results:

Fig. 12. Example to generate 3D-image

### **6. Clipping symmetric keys from the 2D and 3D images using the Bezier curve method**

The weakness of a key generated from a normal colour image is clear, owing to the similarity of neighbouring pixel values in the image. A new method for generating a symmetric cryptographic key is proposed, which works by generating 2D and 3D images according to mathematical curve equations, making the key sufficiently robust. A symmetric key is a string of random bits, and the number of random bits in it determines the key's variability and strength. Cryptographers recommend that, to be reasonably secure, keys should be at least 90 bits long. The world standard is 128 bits because this is a convenient size for computers; there is no technical reason to use a shorter key. The second type of encryption is public-key or asymmetric systems, which use separate keys for encryption and decryption: the private key and the public key.


### **6.1 Proposed algorithm for clipping a symmetric key from the (2D and 3D) images using the Bezier curve method**

Control points play an important role in curve generation as well as in clipping cryptographic keys from 2D images and from the slides of 3D images. Control points are used to clip a curve or part of the generated images (2D & 3D). For this reason the control points must remain secret between the sender and receiver (i.e. the control points represent the master key used to clip the secondary key, formed by a curve of random pixel colour values).

According to cryptography principles, it is assumed that all the algorithms used are known to the attacker and only the key is secret. The secret key consists of the number of control points used to clip the key and the coordinates of those control points; for example, (4,10,10,20,15,15,30,60,100) means using 4 control points to clip the curve, with the coordinates (10,10), (20,15), (15,30), (60,100) respectively. Additionally, we can change any one of the parameters of the secret key to obtain a new secret key; this makes the process of generating the key more flexible and efficient.
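A small Python helper, under the assumption that the secret key is the flat tuple format shown above (the count first, then the coordinate pairs); the function name is ours:

```python
def parse_secret_key(params):
    """Parse a secret key of the form (count, x1, y1, x2, y2, ...) into a
    list of control-point coordinates."""
    count, coords = params[0], params[1:]
    if len(coords) != 2 * count:
        raise ValueError("expected %d coordinate values" % (2 * count))
    # Pair up consecutive values as (x, y) control points.
    return [(coords[2 * i], coords[2 * i + 1]) for i in range(count)]
```

Changing any single parameter yields a different key, which is what makes the scheme flexible.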

There are different ways to select the control points from a 2D mesh or from a 3D mesh, with different increment values between the control points and different control points themselves; this makes the counterfeiter's task of estimating the primary key infeasible. Figure (13) shows an example of selecting a set of control points to clip the curve of points using the Bezier method.

Fig. 13. Example of clipping a key from a 2D mesh using a Bezier curve.

The size of the clipped key from the generated image is flexible depending on the flexibility of the generated image size; for example in the 2D image, the image size used is 256×256 pixels, which is equal to 65,536 pixels with each pixel represented by 24 bits (i.e. the key size is 1,572,864 bits), and the key space used in the 3D image is (100×100×100) pixels, which is equal to 1,000,000 pixels (i.e. the key space size is 24,000,000 bits).
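The quoted key sizes follow directly from the pixel counts at 24 bits per pixel; a quick Python check (the helper name is ours):

```python
def key_bits(*dims, bits_per_pixel=24):
    """Total key size in bits for an image of the given dimensions,
    with each pixel represented by 24 bits."""
    n = 1
    for d in dims:
        n *= d
    return n * bits_per_pixel

print(key_bits(256, 256))        # 2D image: 1,572,864 bits
print(key_bits(100, 100, 100))   # 3D image: 24,000,000 bits
```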

In this example, samples of different key sizes were clipped, and the randomness of the keys was tested according to the five popular tests for randomness mentioned above.

Figure (14) shows an example of how to clip slides from a 3D image; figure (15) shows how to clip a curve as a key from a 3D slide.


Fig. 14. Example of clipping slides from a 3D image.

Fig. 15. Example of clipping a curve from slide of cube.

The following illustrates the algorithm for clipping a key from a 2D image and clipping a key from slides of a 3D image.

### **6.1.1 Algorithm (4): Generating a key from a generated image using the Bezier curve method or by clipping parts of the generated images directly**

**Input:** The sender inputs the number of control points to be used for the generation of the key (N), then inputs the chosen set of control point coordinates (x, y, z) from the mesh of the 2D or 3D image according to the boundaries of the images (i.e. the sender must know the boundaries of the generated image before clipping the keys).

**Output:** Clip a stream of colour pixels from the generated image (2D or 3D) using the Bezier curve method, or clip a part (slide) from the generated image directly.

Process:

Step 1. Assign the set of control points entered by the sender to two arrays x(.), y(.).
Step 2. The user inputs his choice: clipping the key from the 2D or the 3D image, and using curve equations to clip the key or clipping a part of the generated image directly.
        If (Clipped Key Using Bezier Curve Equation) then go to step 3.
        Otherwise, go to step 12.
Step 3. (Clipped Key Using Bezier Curve Generation).
Step 4. Set i = 0
        Do while i <= N-1
            For u = 0 to 1 step 0.01
                Let X = (1-u)^3 x_i + 3(1-u)^2 u x_(i+1) + 3(1-u) u^2 x_(i+2) + u^3 x_(i+3)
                Let Y = (1-u)^3 y_i + 3(1-u)^2 u y_(i+1) + 3(1-u) u^2 y_(i+2) + u^3 y_(i+3)
Step 5.         Get Pixel (X, Y),
Step 6.         Open file (Clip.txt) to save the pixel colour for the pairs (X, Y).
Step 7.     Next u
Step 8.     i = i + 1, Loop
Step 9. Convert the contents of the file (Clip.txt) to binary digits (Bin.txt), which represent the stream of bits (the symmetric key).
Step 10. Execute the five randomness tests on the binary file (Bin.txt) to check the randomness of the key (step 10 is optional; the user can cancel it).
Step 11. End.
Step 12. (Clipped part from the generated image to represent the key).
         If (clipped the key from the 2D-image) then go to (A)
         Otherwise, go to (B)

(A) (Clipped Key From 2D-Generated Image).
{When the sender decides to clip directly from the 2D-generated image, he chooses only two corner coordinates from the mesh that represent the two corners of a rectangle}.
Step 13. Input the two control points (x1, y1) and (x2, y2).
Step 14. For i = x1 to x2
         For j = y1 to y2
             Get pixel (i, j)
Step 15.     Open file (Clip-p.txt) to save the pixel colour for the pairs (i, j).
Step 16. Next j
         Next i
Step 17. Convert the contents of the file (Clip-p.txt) to binary digits (Bin.txt), which represent the stream of bits (the symmetric key).
Step 18. End.
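The Bezier branch of the algorithm (steps 4-8) can be sketched in Python as follows; `get_pixel` is an assumed callback standing in for "Get Pixel", and the collected colours would then be written to Clip.txt and converted to bits as in steps 6 and 9:

```python
def bezier_clip_key(ctrl, get_pixel, step=0.01):
    """Walk cubic Bezier segments through the control points and collect
    the pixel colours along the curve."""
    colours = []
    steps = int(round(1.0 / step))
    # Each cubic segment uses 4 control points; adjacent segments share
    # an endpoint, hence the stride of 3.
    for i in range(0, len(ctrl) - 3, 3):
        (x0, y0), (x1, y1), (x2, y2), (x3, y3) = ctrl[i:i + 4]
        for k in range(steps + 1):
            u = k * step
            v = 1.0 - u
            x = v**3 * x0 + 3 * v**2 * u * x1 + 3 * v * u**2 * x2 + u**3 * x3
            y = v**3 * y0 + 3 * v**2 * u * y1 + 3 * v * u**2 * y2 + u**3 * y3
            colours.append(get_pixel(round(x), round(y)))
    return colours
```

With 4 control points and a step of 0.01, one segment yields 101 sample points along the curve.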



### *(B) (Clipped Key From 3D-generated Image)*

{Work with a 3D image requires user to determine the level of (z)- coordinate from the cube, which is represented in this case by the slide number from the cube to clip 2D slide from 3D image.}
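Clipping a z-slide from the 3D image, as described in the note above, is straightforward in Python; the indexing convention `image3d[x][y][z]` and the function name are our assumptions:

```python
def clip_slide(image3d, z):
    """Extract the z-th slide (a 2D plane of colour values) from a 3D
    image stored as nested lists image3d[x][y][z]."""
    n_x, n_y = len(image3d), len(image3d[0])
    return [[image3d[i][j][z] for j in range(n_y)] for i in range(n_x)]
```

The resulting 2D slide can then be treated exactly like a 2D-generated image for clipping the key.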



Step 19. Input the level of the z-coordinate (z-coordinate) and the two control points (x1, y1) and (x2, y2) from the z-slide, and clip a slide of colour pixels from the three-dimensional array (3D).
Step 20. Set z = z-coordinate
         For i = x1 to x2
         For j = y1 to y2
             slide(i, j) = 3D(i, j, z)
         Next j, Next i.
Step 21. Go to (A).

### **6.2 Tests of randomness for the clipped keys**

Different sizes of keys are used in these tests and the results prove that the keys have the randomness property and can be used as a symmetric key in the cryptography field.

| Tests | Key5 = 1024 bit | Key6 = 2604 bit | Key7 = 3844 bit | Key8 = 5084 bit | Pass value |
|---|---|---|---|---|---|
| Frequency test | 0.098 | 0.498 | 1.000 | 0.964 | Must be ≤ 3.84 |
| Poker test | 7.409 | 1.568 | 3.077 | 3.497 | Must be ≤ 11.1 |
| Serial test | 4.016 | 1.705 | 6.504 | 5.899 | Must be ≤ 5.99 |
| Run test (T0) | 9.289 | 13.028 | 20.680 | 13.249 | Must be ≤ 22.362 |
| Run test (T1) | 6.656 | 3.867 | 5.475 | 8.127 | Must be ≤ 22.362 |
| Autocorrelation test, shift 1 | 0.079 | 0.031 | 0.075 | 0.087 | Must be ≤ 3.48 |
| Autocorrelation test, shift 2 | 3.068 | 3.086 | 1.268 | 2.240 | Must be ≤ 3.48 |
| Autocorrelation test, shift 3 | 0.024 | 0.019 | 0.094 | 0.044 | Must be ≤ 3.48 |
| Autocorrelation test, shift 4 | 0.004 | 0.886 | 1.667 | 1.196 | Must be ≤ 3.48 |
| Autocorrelation test, shift 5 | 0.048 | 0.010 | 0.115 | 0.884 | Must be ≤ 3.48 |
| Autocorrelation test, shift 6 | 0.035 | 0.006 | 0.104 | 0.911 | Must be ≤ 3.48 |
| Autocorrelation test, shift 7 | 0.048 | 0.003 | 0.284 | 0.640 | Must be ≤ 3.48 |
| Autocorrelation test, shift 8 | 0.476 | 0.006 | 0.652 | 0.013 | Must be ≤ 3.48 |
| Autocorrelation test, shift 9 | 0.616 | 0.420 | 1.102 | 0.331 | Must be ≤ 3.48 |
| Autocorrelation test, shift 10 | 0.063 | 1.124 | 0.104 | 0.133 | Must be ≤ 3.48 |

Table 1. The results of the randomness tests for the keys clipped from 2D & 3D images.
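For instance, the frequency (monobit) statistic reported in table (1) is commonly computed as a chi-square value with one degree of freedom, which is where the 3.84 pass threshold comes from; a minimal Python version (our sketch of the standard test, not the authors' code):

```python
def frequency_statistic(bits):
    """Frequency (monobit) test statistic (n0 - n1)^2 / n for a string of
    '0'/'1' characters; pass if <= 3.84 at the 5% significance level."""
    n0 = bits.count('0')
    n1 = bits.count('1')
    return (n0 - n1) ** 2 / len(bits)
```

A balanced bit string gives a statistic near 0, while a heavily biased one quickly exceeds 3.84.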

### **6.3 Using generated digital images to modify cryptography protocol (PGP)**

The strong cryptography employed by PGP is the best available today. The PGP protocol is a hybrid cryptosystem that combines some of the best features of both conventional and public-key cryptography. In this section, we propose to insert the generated digital image capability into the PGP protocol stages in order to increase the protocol's robustness in the face of counterfeiters. According to the tests in the previous sections, the generated 2D or 3D images have the randomness property, and many keys of different sizes can be clipped from them. These properties make the generated images very useful as a source of random session keys, with the capability of generating many keys from the images. We propose to use the generated (2D or 3D) images to generate a session key instead of using movements of the mouse or keystrokes. The session key clipped from the generated image in this case consists of two session keys: a *primary session key* and a *secondary session key*. The primary session key represents the Bezier curve coordinates, and the secondary session key represents the stream of random bits that is clipped according to the curve equations. The work with New-PGP begins when a user encrypts plaintext. *Firstly,* the plaintext is compressed. *Secondly,* a session key is created by generating 2D or 3D images according to the proposed algorithms. *Thirdly,* the user enters the primary session key to clip the secondary key from the digital image. *Fourthly,* the user XORs the stream of bits (the secondary session key) with the plaintext after the compression process. *Fifthly,* the sender uses the public key from the RSA algorithm to encrypt the primary session key. *Sixthly,* the sender transmits the encrypted primary session key along with the ciphertext to the recipient. Decryption works in the reverse order.
The recipient's copy of New-PGP uses his or her private key from the RSA algorithm to recover the primary session key, which is used to generate the secondary key from the generated image and decrypt the conventionally encrypted ciphertext. Figures (16) and (17) show the send and receive processes according to the New-PGP protocol.
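The send/receive flow described above can be sketched as follows; this is a toy illustration (textbook RSA without padding, zlib standing in for PGP's compression, and illustrative function names), not the actual New-PGP implementation:

```python
import zlib

def xor_stream(data, key):
    """XOR the data bytes with the (repeated) secondary session key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def newpgp_send(plaintext, secondary_key, primary_key_int, e, n):
    """Compress, XOR with the secondary session key, and RSA-encrypt the
    primary session key material with the public key (e, n)."""
    body = xor_stream(zlib.compress(plaintext), secondary_key)
    encrypted_primary = pow(primary_key_int, e, n)   # textbook RSA, no padding
    return encrypted_primary, body

def newpgp_receive(encrypted_primary, body, secondary_key, d, n):
    """Recover the primary key with the private exponent d, then
    un-XOR and decompress the message body."""
    primary = pow(encrypted_primary, d, n)
    plaintext = zlib.decompress(xor_stream(body, secondary_key))
    return primary, plaintext
```

In the real scheme the secondary key is not transmitted at all: the recipient regenerates it from the recovered primary session key and the shared generated image.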

Fig. 16. Send Process


Fig. 17. Receive Process.

### **Example:-**

To explain how the New-Protocol works and indicate the protocol behaviour, we proposed to generate a 3D image of size (100×100×100) pixels, using a mesh of (50×50×50) control points and a primary session key (PSK) consisting of (4) control points with the coordinates (10,10), (20,20), (30,30), (40,40), with increment step u equal to 0.01. According to the primary session key, we clipped a secondary session key (SSK) of size 260 random bits. According to the randomness tests in table (1), the public key (PK) of the RSA algorithm consists of (n=997517, e=193), where (secret p=977) and (secret q=1021), and the private key of the RSA algorithm equals (d=727297).

Figures (18) and (19) illustrate the proposed protocol with the example values:

Fig. 18. Send Process.

Fig. 19. Receive Process.

### **7. Conclusions**

The proposed methods in this chapter start by studying most of the curve fitting methods and selecting those suitable for the work; secondly, developing the curve security algorithm and the proposed algorithms to generate (2D & 3D) digital images; thirdly, producing an algorithm for clipping a symmetric cryptographic key from a 2D or 3D generated image; and fourthly, proposing an algorithm to modify the PGP cryptographic protocol by using 2D or 3D generated images.

Finally, the proposed generated digital images were implemented in an image cryptography technique, and the results were tested according to the authorized measures that are used in this field.

This chapter showed that combining curve security with cryptography algorithms increases cryptographic capability. The proposed methods give reasonable results in generating many random keys of different sizes. The 2D & 3D mathematical models succeed in generating random digital images that can play an important role in cryptography, according to the results obtained from the authorized randomness tests and from the image cryptography tests, which gave reasonable results.

From the New-PGP method, we obtained the following information:-

1. The process of guessing the primary session key from the secondary key is infeasible, because there is no correlation between the two session keys.
2. If the counterfeiter succeeded in solving the factorisation problem from RSA and found the private key from the public key, the key obtained would not help him to recover the plaintext from the primary session key unless the secondary session key was known.
3. All the secondary session keys have the property of randomness according to the randomness tests.
4. The New-PGP increased the security of the PGP protocol, making the protocol more robust and efficient.
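As a quick arithmetic check, the RSA parameters quoted in the example above (p=977, q=1021, e=193, d=727297) are internally consistent:

```python
# Consistency check of the example's RSA parameters:
# n must equal p*q, and e*d must be 1 modulo phi(n) = (p-1)(q-1).
p, q, e, d = 977, 1021, 193, 727297
n = p * q
phi = (p - 1) * (q - 1)
print(n)            # 997517, matching the public modulus in the example
print(e * d % phi)  # 1, so d is a valid private exponent for e
```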



## **Comparative Analysis of Master-Key and Interpretative Key Management (IKM) Frameworks**

Saman Shojae Chaeikar, Azizah Bt Abdul Manaf and Mazdak Zamani
*Universiti Teknologi Malaysia, Malaysia*

### **1. Introduction**

202 Cryptography and Security in Computing


The process of generating, distributing and revoking a cryptographic key is called key management (Piper & Murphy, 2002; Fumy & Landrock, 1993). Key management is a contested area between cryptographers and attackers: since recovering the keys of approved cryptographic techniques is computationally infeasible, attackers prefer to breach the key management process rather than try to crack keys (Techateerawat & Jennings, 2007).

Today many techniques, such as DES, 3DES and RSA, have emerged for protecting data secrecy. One internationally approved and widely used key management method is master-key, which enables a computer to generate keys from a Key Derivation Key (KDK), the parties' identities, labels and some other information (Chen, 2009). By utilizing master-key a computer can generate new keys and distribute them among its nodes, sometimes even establishing a hierarchy among them (Onmez, 2009).

IKM has developed from performing some changes on workflow and key generation algorithms of master-key to achieving more dynamism and some advanced features like intelligent attack resiliency (Chaeikar et al., 2010b, 2010a).

Master-key and IKM have many features in common: both have key generation algorithms, both use environmental parameters as key generation parameters, both generate symmetric keys, and both generate keys of variable length. A guideline covering both schemes is therefore needed to facilitate choosing between them according to requirements. The purpose of this article is to help researchers and developers choose the proper cryptographic scheme between master-key and IKM with regard to their goal of application and working criteria. To do so, master-key and IKM are compared according to their security features and the amount of traffic load imposed on the server and network.

The second section of this chapter explains the process of master-key key generation in three modes. The third section discusses the IKM key generation workflow and algorithms concisely. The fourth section compares the two methods in terms of security and performance, to help researchers and developers choose the most convenient technique between master-key and IKM with regard to their required features and criteria. The last section summarizes the results of this analysis in a few paragraphs for fast review.

### **2. Master-key**

A key derivation function is a function that uses an input key and some other input data to produce keying material which will be employed by a cryptographic algorithm. A key that is input to a key derivation function is called a Key Derivation Key (KDK). This key can be generated either by an automated key generation process (Piper & Murphy, 2002; Fumy & Landrock, 1993) or by an approved random bit generator function (Onmez, 2009). If a KDK is generated through an automated key generation process, then it is considered part of the secret keying material of that process.

Any chosen part of the derived keying material which meets the needed key length can be used as input to a cryptographic algorithm. To ensure that all parties using the same Key Derivation Function (KDF) are synchronized, they must agree on the way the keying material is converted into cryptographic keys. For instance, if the derived keying material is 256 bits long, then the first segment (the first 128 bits) can be used as an authentication key and the second segment (the second 128 bits) as an encryption key.

If a KDF uses a Pseudo Random Function (PRF), then, based on the desired length of the keying material, the KDF might require calling the PRF several times to achieve that length. This article explains three types of master-key key generation modes. The following notation is described concisely for a better understanding of the algorithms.

*K<sub>I</sub>*: a key which will be fed into a KDF for deriving the keying material.

*K<sub>O</sub>*: binary string output of the KDF.

*Label*: a binary string that explains the goal of the key derivation.

*Context*: a binary string including information such as the identities of the parties deriving/using the derived keying material and sometimes a nonce which is known by those parties.

*IV*: initial binary string value of the first iteration of feedback mode, which can be kept either public or secret. The IV may also be an empty string.

*L*: an integer which gives the length of the derived keying material K<sub>O</sub> in bits. The length of its binary string varies based on the encoding method of the input data.

*h*: an integer which gives the length of the PRF output in bits.

*n*: an integer which gives the number of PRF iterations needed to achieve L bits of keying material.

*i*: binary string input of the PRF in each iteration; [i]<sub>2</sub> denotes the binary representation of counter i, and [L]<sub>2</sub> that of L.

*r*: an integer smaller than or equal to 32 which gives the binary length of counter i.

*{X}*: shows that the value of X is optional for the KDF.

*0x00*: separator of the different parts of the variable-length data fields.

A PRF-type KDF concatenates the output of the PRF n times until it achieves the desired length of L bits, where n = ⌈L/h⌉. In counter mode, n should not exceed 2<sup>r</sup> − 1, where r ≤ 32. For double-pipeline iteration and feedback mode, the maximum value of n is 2<sup>32</sup> − 1. In every iteration of the PRF, the KDK K<sub>I</sub> is used as the key, and the input data includes both fixed input data and an iteration variable. Depending on the iteration mode, the iteration value can be a counter, the result of the last iteration of the PRF, a mix of both, or the result of the first iteration if the mode is double pipeline.

### **2.1 Counter mode key derivation function (KDF)**

In counter mode the PRF uses a counter as the iteration value. Counter mode is structured as follows:

*h*: PRF result length in bits.
*r*: length of the binary format of counter i.

*Input data*: K<sub>I</sub>, L, Context, and Label. *Output*: K<sub>O</sub>.

Counter mode KDF algorithm:

1. n := ⌈L/h⌉
2. If n > 2<sup>r</sup> − 1, then error
3. result(0) := ∅
4. For i = 1 to n, do
4.1. K(i) := PRF(K<sub>I</sub>, [i]<sub>2</sub> || Label || 0x00 || Context || [L]<sub>2</sub>)
4.2. result(i) := result(i−1) || K(i)
5. Return: K<sub>O</sub> := the first L bits of result(n)

Fig. 1. Counter mode KDF structure (Chen, 2009)

In every round of iteration the constant input values are Label || 0x00 || Context || [L]<sub>2</sub> and the iteration variable is [i]<sub>2</sub>. The structure of counter mode is illustrated in Fig. 1.
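The counter-mode recursion can be sketched in Python. HMAC-SHA-256 is used here as the PRF, which is an assumption for illustration only (the chapter leaves the PRF abstract), so h = 256:

```python
import hmac
import hashlib
import math

def kdf_counter(kdk: bytes, label: bytes, context: bytes, L: int, r: int = 32) -> bytes:
    """Counter-mode KDF sketch with HMAC-SHA-256 as the PRF (h = 256 bits)."""
    h = 256
    n = math.ceil(L / h)                      # n := ceil(L / h)
    if n > 2 ** r - 1:                        # the counter must fit in r bits
        raise ValueError("L too large for counter width r")
    result = b""
    for i in range(1, n + 1):
        # PRF input: [i]_2 || Label || 0x00 || Context || [L]_2
        data = (i.to_bytes(r // 8, "big") + label + b"\x00" +
                context + L.to_bytes(4, "big"))
        result += hmac.new(kdk, data, hashlib.sha256).digest()
    return result[: L // 8]                   # K_O := first L bits of result(n)
```

Deriving L = 384 bits takes n = ⌈384/256⌉ = 2 PRF calls, and the 512-bit concatenation is truncated to its first 384 bits.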

### **2.2 Feedback mode key derivation function (KDF)**

In feedback mode the result of the PRF is generated from the result of the previous iteration and, optionally, a counter of the number of iterations. Feedback mode is structured as follows:

*h*: PRF result length in bits.
*r*: length of the binary format of counter i.

*Input data*: K<sub>I</sub>, L, IV, Context, and Label. *Output*: K<sub>O</sub>.

Feedback mode KDF algorithm:

1. n := ⌈L/h⌉
2. If n > 2<sup>32</sup> − 1, then error
3. result(0) := ∅ and K(0) := IV
4. For i = 1 to n, do
4.1. K(i) := PRF(K<sub>I</sub>, K(i−1){|| [i]<sub>2</sub>} || Label || 0x00 || Context || [L]<sub>2</sub>)
4.2. result(i) := result(i−1) || K(i)
5. Return: K<sub>O</sub> := the first L bits of result(n)

In every round of iteration the constant input values are Label || 0x00 || Context || [L]<sub>2</sub> and the iteration variables are K(i−1){|| [i]<sub>2</sub>}. The structure of feedback mode is illustrated in Fig. 2.

Fig. 2. Feedback mode KDF structure (Chen, 2009)

### **2.3 Double pipeline iteration mode key derivation function (KDF)**

In counter mode and feedback mode the PRF iterates in a single pipeline, while in double pipeline iteration mode there are two pipelines. In the first pipeline a series of secret values A(i) is generated, which is then fed into the respective PRF iteration of the second pipeline. Double pipeline iteration mode is structured as follows:

*h*: PRF result length in bits.
*r*: length of the binary format of counter i.

*Input data*: K<sub>I</sub>, L, Context, and Label. *Output*: K<sub>O</sub>.

*Double pipeline mode KDF algorithm:*

1. n := ⌈L/h⌉
2. If n > 2<sup>32</sup> − 1, then error
3. result(0) := ∅
4. A(0) := IV = Label || 0x00 || Context || [L]<sub>2</sub>
5. For i = 1 to n, do
5.1. A(i) := PRF(K<sub>I</sub>, A(i−1))
5.2. K(i) := PRF(K<sub>I</sub>, A(i){|| [i]<sub>2</sub>} || Label || 0x00 || Context || [L]<sub>2</sub>)
5.3. result(i) := result(i−1) || K(i)
6. Return: K<sub>O</sub>, i.e., the first L bits of result(n)


The first pipeline uses the feedback-mode recursion with the initial value A(0) = IV = Label || 0x00 || Context || [L]<sub>2</sub>. In every iteration of the second pipeline, K(i) is computed from A(i) and, as an optional choice, the counter [i]<sub>2</sub>. The following figure illustrates the double pipeline KDF.

Fig. 3. Double pipeline mode KDF structure (Chen, 2009)
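The feedback and double-pipeline recursions can both be sketched in Python, again with HMAC-SHA-256 standing in for the PRF (an assumption; any approved PRF works). `kdf_feedback` chains K(i−1), while `kdf_double_pipeline` first derives the secret chain A(i) and feeds it into the second pipeline:

```python
import hmac
import hashlib
import math

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 as the PRF, so h = 256 bits (an illustrative choice)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def kdf_feedback(kdk: bytes, label: bytes, context: bytes, L: int, iv: bytes = b"") -> bytes:
    """Feedback mode: each round chains the previous PRF output K(i-1)."""
    fixed = label + b"\x00" + context + L.to_bytes(4, "big")
    n = math.ceil(L / 256)
    result, k = b"", iv                              # result(0) := empty, K(0) := IV
    for i in range(1, n + 1):
        # K(i) := PRF(K_I, K(i-1) || [i]_2 || Label || 0x00 || Context || [L]_2)
        k = prf(kdk, k + i.to_bytes(4, "big") + fixed)
        result += k
    return result[: L // 8]                          # first L bits of result(n)

def kdf_double_pipeline(kdk: bytes, label: bytes, context: bytes, L: int) -> bytes:
    """Double pipeline mode: secret values A(i) from pipeline one feed pipeline two."""
    fixed = label + b"\x00" + context + L.to_bytes(4, "big")
    n = math.ceil(L / 256)
    a, result = fixed, b""                           # A(0) := IV = Label||0x00||Context||[L]_2
    for i in range(1, n + 1):
        a = prf(kdk, a)                              # A(i) := PRF(K_I, A(i-1))
        result += prf(kdk, a + i.to_bytes(4, "big") + fixed)
    return result[: L // 8]
```

Both sketches include the optional counter [i]<sub>2</sub> in the second input; omitting it is equally valid per the {…} notation above.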

### **2.4 Key derivation key (KDK) length**

In some KDFs the length of the KDK depends on the PRF. For instance, if a Cipher-based Message Authentication Code (CMAC) is used as the PRF, then the key length depends directly on the block length of the respective block cipher. Therefore, at application time, the consistency of the PRF and the KDK must be checked.

In contrast to CMAC, if a Keyed-hash Message Authentication Code (HMAC) is used as the PRF, then the KDK can be of almost any length. To keep the key consistent with the block length, a key longer than the hash function's block length is first hashed down to the length of the hash function's output.
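This HMAC behaviour can be observed directly in Python: with SHA-256 (64-byte block), a 100-byte KDK is internally replaced by its 32-byte hash, so both forms of the key yield the same MAC. A minimal check:

```python
import hmac
import hashlib

long_key = b"K" * 100                 # KDK longer than SHA-256's 64-byte block
msg = b"sample input"

# RFC 2104: HMAC internally replaces an over-long key with its hash,
# so hashing the KDK down first yields the identical tag.
tag_long = hmac.new(long_key, msg, hashlib.sha256).digest()
tag_hashed = hmac.new(hashlib.sha256(long_key).digest(), msg, hashlib.sha256).digest()
assert tag_long == tag_hashed
```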


### **2.5 Conversion of keying material into cryptographic keys**

The derived keying material length depends on the chosen cryptographic algorithm: the algorithm that will use the generated cryptographic key, such as a message authentication code, determines its length. If the application defines no limitation, then any portion of the derived keying material of the needed length can be employed as a cryptographic key, provided there is no overlap among the keys derived from the KDF output. Therefore, the length of the derived keying material must be greater than or equal to the sum of the lengths of the keys.
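This non-overlapping segmentation can be sketched as follows, mirroring the 256-bit example from section 2:

```python
# 256 bits (32 bytes) of derived keying material; the byte values are illustrative
keying_material = bytes(range(32))

auth_key = keying_material[:16]       # first 128 bits  -> authentication key
enc_key = keying_material[16:32]      # second 128 bits -> encryption key

# non-overlapping slices require at least as much material as the keys combined
assert len(auth_key) + len(enc_key) <= len(keying_material)
```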

### **3. Interpretative key management (IKM)**

The core of the Interpretative Key Management (IKM) workflow is a key server, which is responsible for:

- Producing the interpreter
- Distributing the produced interpreter among nodes
- Supervising nodes' activities for higher security
- Declaring revocation of the interpreter to nodes when it expires

The first responsibility of the server is generating the interpreter to be distributed among the nodes. The interpreter includes a time zone, a calendar, a bit-stream source address, a 24-digit number, a key generation algorithm and a revocation code. Once the interpreter has been created, it must be distributed among the authorized nodes through a secure channel. When the interpreter is installed on the nodes, the first 512 bits of the defined file are downloaded from the given address. Since keys are time-dependent and the key generation components (the bit-stream source, the defined time zone and calendar, the 24 digits, and the key generation algorithm) are the same on all computers, the nodes will be able to generate identical time-dependent keys in the future without any coordination or key distribution. Also, because keys have a predefined lifetime, they will expire even without a key revocation call.

Fig. 4. Interpretative key management (IKM) workflow

One of the main key management issues is the existence of key storage, but in IKM, because keys are generated when needed and are constantly changing, no key storage is required. IKM keys expire automatically when their lifetime ends and are automatically replaced by new ones. However, once the server issues a revocation call, the interpreter is expired and the generated keys are no longer valid. The following sections explain the detailed responsibilities of the IKM components.
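The claim that all interpreters derive identical time-dependent keys without coordination can be sketched as follows. SHA-256 over the concatenated shared state is an illustrative stand-in for the embedded key generation algorithm, which the chapter does not specify; all names here are hypothetical:

```python
import hashlib

def ikm_key(bitstream: bytes, digits24: str, minute_stamp: str, length: int = 16) -> bytes:
    """Derive a time-dependent key from the shared interpreter state.
    SHA-256 stands in for the interpreter's real key generation algorithm."""
    material = bitstream + digits24.encode() + minute_stamp.encode()
    return hashlib.sha256(material).digest()[:length]

# two nodes holding the same interpreter state and synchronized clocks
shared_bits = b"\x5c" * 64
k_a = ikm_key(shared_bits, "123456789012345678901234", "201007270544")
k_b = ikm_key(shared_bits, "123456789012345678901234", "201007270544")
assert k_a == k_b          # identical keys, with no key exchange needed
```

A new `minute_stamp` yields a new key, which is how the time-dependence expires old keys automatically.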

### **3.1 Server**


The server role starts with generating the interpreter. To generate it, a time zone, a calendar, a bit-stream source, a revocation code, a key generation algorithm and 24 digits must be selected and embedded into it. Once it has been generated, it must be distributed among the authorized parties through a secure channel established, for example, with a Diffie-Hellman key exchange.

Every generated key will be expired when its lifetime expires, but the interpreter will continue working until it receives a revocation call which means one of the interpreters is either compromised or is suspected to be compromised. In such a case all nodes will stop using the current interpreter and will wait until they receive a new version.

Once the interpreter has been generated and distributed then the server will supervise the security status of nodes. Because the interpreter is in charge of encryption and decryption, and keys are time-dependent then it can distinguish genuine packets from attack packets and report the number and type of attacks to the server. The server, based on received security reports, will decide whether the node can continue working, temporarily must stop working or must shut down completely.

### **3.2 Interpreter**

The interpreter's task is to generate fresh synchronized keys and to send security status reports to the server. The interpreter's components and important points are as follows.

### **3.2.1 Bit-stream source**

The bit-stream source is the address of a file on the network, the first 512 bits of which will be downloaded to construct a bit matrix to be fed into the key generation algorithm. The first 512 bits of the file, regardless of file type, will be downloaded and arranged into a 22\*23 matrix. One of the most important criteria for choosing a bit-stream source is its updating intervals which, if not long enough, will result in inconsistency of keys among different interpreters because they may download different bit-streams at different times and eventually generate different keys. If the IKM being deployed is on a WAN then a shared file via FTP service can be utilized as a bit-stream source.

The bit-stream source can either be placed on the network or can be a file with its update intervals known by the administrator of the established encrypted sessions. For instance, if the administrator decides to use the available sources then an online PDF version of a newspaper which updates at particular times would be the proper choice. In this case the chosen source will be changed every day at a particular time and all nodes must update their bit-stream every time it changes. But if the updating interval of the chosen source is longer than our needed time or the source is located on the server, then renewing the bit-stream is not necessary.
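The bit-matrix construction can be sketched as follows. Note that a 22×23 matrix holds 506 bits, so this sketch fills it from the leading bits of the 512 downloaded; the exact packing, and the download itself, are not specified in the chapter, so the byte source here is a placeholder:

```python
def stream_bits(first_64_bytes: bytes) -> list:
    """Expand the first 512 downloaded bits into a list of 0/1 values."""
    return [(b >> (7 - j)) & 1 for b in first_64_bytes for j in range(8)]

def bit_matrix(first_64_bytes: bytes, rows: int = 22, cols: int = 23) -> list:
    """Arrange the leading bits row by row into a rows x cols matrix.
    22 x 23 = 506, so 6 of the 512 bits go unused in this packing."""
    bits = stream_bits(first_64_bytes)
    assert rows * cols <= len(bits)
    return [bits[r * cols:(r + 1) * cols] for r in range(rows)]

# in IKM the 64 bytes would be the first bytes fetched from the bit-stream source
matrix = bit_matrix(b"\xa5" * 64)
```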

Comparative Analysis of Master-Key and Interpretative Key Management (IKM) Frameworks 211

The revocation code is an embedded secret code in the interpreter that once received from the server means that the current version of the interpreter either is compromised or, according to the decision of the IKM server administrator for security reasons, is no longer valid and must stop working. All nodes will send their security reports to the IKM server for monitoring purposes and regarding received reports it can decide whether the current version is compromised, is suspected of being compromised or can continue working. Also

Regarding the IKM structure and level of desired secrecy, three types of key lifetime are introduced in IKM. Because of utilizing time and date in key generation process, period of

A new key will be produced and employed every minute, hour or day. If a new key every minute is chosen then a new key will be generated and employed every minute. If the hourly key is selected then a specific minute of every hour will be considered as the parameter of key generation regardless of whether the nodes are going to join before or after it. For a daily key, a specific hour and minute will be considered as the time parameter of

Early seconds of changing key, both new and previous keys will be valid for decryption. Those packets which are encrypted and sent at the last moments of the changing minute will most likely be received in the early seconds of the following minute. Therefore, those packets are encrypted with the last key and cannot be decrypted with the new key. The maximum time needed for sending a packet between two distant nodes will be the time of double key checking. Once a packet is received in the first seconds of the changing key firstly an attempt will be made at being decrypted with the new key, but if this process fails then it will be decrypted with the last key. If neither new key nor the last key could decrypt it then this packet runs the likelihood of being a running replay attack against the node and

Fig. 6. Conversion process of current time and date into 24 digits

for enhancing security it is better to renew interpreter periodically.

updating keys can be every minute, hour, or day.

**3.2.3 Revocation code** 

**3.2.4 IKM key lifetime** 

the key generation process.

Fig. 5. IKM key generation process

### **3.2.2 Time, date and 24 digits**

Date and time are two parameters used in the process of synchronized key generation, but because nodes might be distributed around the world then they will use different regions' time and calendar. So to unify the time and date of all nodes they must agree to the same time zone and calendar. For instance, the UTC time and Gregorian calendar can be chosen so that computers have the same parameters. Then each computer will compute the difference of time and date to be used at the key generation process.

Time and date unification is a very important process because firstly using time and date will lead to having time-dependent keys that can resist against attacks like replay attack. Secondly if there are any problems for a node in synchronizing itself then it will not be able to communicate with other nodes. The IKM server, designated web site or any publicly available time server can be utilized for synchronizing nodes.

From the viewpoint of attackers, guessing date and time is a very easy step to achieving two important key generation factors. Therefore, for tightening IKM key generation security, full format time and date will be repeated twice to achieve 24 digits. Then the 24 embedded digits will be added to the time and date 24 digits to make it unbreakable for attackers. For example, if the current date and time is 27/7/2010, 5:44 then its twice repeated full format will be 270720100544270720100544. Then the 24 randomly generated and embedded digits will produce 24 new digits that are not guessable by attackers and will change every minute. Fig. 6 illustrates process of converting date, time and 24 digits into new 24 digits.

Fig. 6. Conversion process of current time and date into 24 digits
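The conversion described above can be sketched in Python. The combination step is hedged: the text only says the embedded digits are "added" to the time-and-date digits, and digit-wise addition modulo 10 is one plausible reading (the result is then again 24 digits); the embedded digits used here are purely illustrative.

```python
from datetime import datetime, timezone

def time_digits_24(now):
    """Full-format ddmmyyyyhhmm stamp, repeated twice -> 24 digits."""
    stamp = now.strftime("%d%m%Y%H%M")   # 27/7/2010, 5:44 -> '270720100544'
    return stamp * 2                     # -> '270720100544270720100544'

def combine(time24, embedded24):
    """Assumed combination: digit-wise addition mod 10, so the output
    is again 24 digits and changes every minute with the time stamp."""
    return "".join(str((int(a) + int(b)) % 10)
                   for a, b in zip(time24, embedded24))

t24 = time_digits_24(datetime(2010, 7, 27, 5, 44, tzinfo=timezone.utc))
new24 = combine(t24, "428973154860725981304267")  # illustrative secret digits
```

Because the time stamp changes every minute, `new24` changes every minute as well, even though the embedded digits stay fixed inside the interpreter.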

### **3.2.3 Revocation code**

210 Cryptography and Security in Computing


The revocation code is a secret code embedded in the interpreter; once received from the server, it means that the current version of the interpreter either is compromised or, according to the decision of the IKM server administrator for security reasons, is no longer valid and must stop working. All nodes send their security reports to the IKM server for monitoring purposes, and based on the received reports it can decide whether the current version is compromised, is suspected of being compromised, or can continue working. Also, for enhanced security it is better to renew the interpreter periodically.

### **3.2.4 IKM key lifetime**

Regarding the IKM structure and the level of desired secrecy, three types of key lifetime are introduced in IKM. Because time and date are utilized in the key generation process, the period of updating keys can be every minute, hour, or day.

A new key will be produced and employed every minute, hour or day. If the minutely key is chosen, a new key will be generated and employed every minute. If the hourly key is selected, a specific minute of every hour will be considered as the parameter of key generation, regardless of whether nodes join before or after it. For the daily key, a specific hour and minute will be considered as the time parameter of the key generation process.
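As a sketch of the three lifetimes, the time parameter fed into key generation can be derived as below; `at_minute` and `at_hour` stand for the "specific minute/hour" the nodes agree on and are illustrative parameters, not fixed by the text.

```python
from datetime import datetime

def key_time_parameter(now, lifetime, at_minute=0, at_hour=0):
    """Time parameter used for key generation under the three IKM
    key lifetimes (minutely, hourly, daily)."""
    if lifetime == "minutely":            # a fresh key every minute
        return now.replace(second=0, microsecond=0)
    if lifetime == "hourly":              # fixed minute of every hour
        return now.replace(minute=at_minute, second=0, microsecond=0)
    if lifetime == "daily":               # fixed hour and minute of every day
        return now.replace(hour=at_hour, minute=at_minute,
                           second=0, microsecond=0)
    raise ValueError("unknown lifetime: " + lifetime)
```

All nodes that agree on the same lifetime and the same `at_minute`/`at_hour` values therefore feed identical time parameters into the key generation process.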

In the early seconds after a key change, both the new and the previous key will be valid for decryption. Packets encrypted and sent in the last moments of the changing minute will most likely be received in the early seconds of the following minute; such packets are encrypted with the last key and cannot be decrypted with the new key. The maximum time needed for sending a packet between two distant nodes will be the time of double key checking. Once a packet is received in the first seconds after the key change, an attempt will first be made to decrypt it with the new key; if this fails, it will be decrypted with the last key. If neither the new key nor the last key can decrypt it, then this packet runs the likelihood of being a replay attack against the node, and if it is repeated many times it will be reported as an attack to the IKM server. Fig. 7 shows the process of decryption of received packets.

Fig. 7. Double key checking diagram
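The double key checking above can be sketched as follows; `decrypt` stands in for whatever cipher is in use and is assumed to return `None` when decryption fails — both are assumptions for illustration.

```python
def decrypt_with_fallback(packet, new_key, last_key, decrypt):
    """Try the new key first; if that fails, try the previous key.
    If both fail, the packet is a candidate replay attack and should
    be reported to the IKM server if it repeats."""
    for key in (new_key, last_key):
        plaintext = decrypt(packet, key)
        if plaintext is not None:
            return plaintext
    return None  # possible replay attack

# Toy stand-in cipher, for illustration only.
def toy_decrypt(packet, key):
    return packet["data"] if packet["key"] == key else None
```

The fallback window only needs to last a few seconds — the maximum packet transit time between two distant nodes — after which the old key is eliminated from memory.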

### **3.2.5 Key generation algorithm**

IKM utilizes many key generation schemes, and one of them is the matrix technique. The matrix technique consists of downloading a bit-stream, arranging it in a matrix, and surveying the matrix according to the 24 generated digits. The 24 digits define how the matrix must be surveyed from the start point (0,0): if the digit is even, the matrix is surveyed vertically; for odd digits, horizontally. This process continues until the desired key length has been produced. For odd digits, if the algorithm reaches the end of a row while picking up bits from the matrix, it continues from the beginning of the next row; for even digits, if it reaches the end of a column, it continues from the beginning of the next column. If the 24 digits are exhausted before the desired key length is produced, the 24 digits are used again; if the desired length is obtained before the digits are exhausted, the remaining digits are ignored. Fig. 8 illustrates the survey of a matrix with the first 12 digits if the digits are 493148769486.
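A minimal sketch of the matrix technique, under one plausible reading of the description: each digit's parity selects the direction (even = vertical, odd = horizontal), its value gives how many bits to pick before moving to the next digit, and the walk resumes where the previous digit stopped. None of these details are fixed unambiguously by the text, so treat this as an assumption-laden illustration.

```python
def matrix_key_bits(bitstream, cols, digits, key_len):
    """Survey a bit matrix according to the generated digits and
    collect bits until the desired key length is reached."""
    rows = len(bitstream) // cols
    m = [bitstream[r * cols:(r + 1) * cols] for r in range(rows)]
    key, r, c, i = [], 0, 0, 0          # start point (0,0)
    while len(key) < key_len:
        d = digits[i % len(digits)]     # reuse the digits if they run out
        i += 1
        for _ in range(d):
            if len(key) == key_len:     # ignore any remaining digits
                break
            key.append(m[r][c])
            if d % 2 == 1:              # odd digit: survey horizontally
                c += 1
                if c == cols:           # end of row -> beginning of next row
                    c, r = 0, (r + 1) % rows
            else:                       # even digit: survey vertically
                r += 1
                if r == rows:           # end of column -> beginning of next column
                    r, c = 0, (c + 1) % cols
    return key

# e.g. a 16-bit key from a toy 8x8 bit matrix with the Fig. 8 digits
key = matrix_key_bits([0, 1] * 32, 8, [4, 9, 3, 1, 4, 8, 7, 6, 9, 4, 8, 6], 16)
```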

In addition to different key generation intervals, the interpreter can produce keys of different lengths. A combination of different key lengths and three key lifetime types produces a variety of key types, varying from long minute keys to short daily keys, which are convenient for different purposes. The strongest type is the long minute key, which can guarantee the security of top-secret data encryption, and the weakest type is the short daily key, which is suitable for providing the lowest level of security.

Fig. 8. Matrix technique bit-extraction illustration

### **3.2.6 Nodes' joining and disjoining process**


For a new node to join, it must send its request to the IKM server; if it passes the authentication process, it becomes eligible to download the interpreter and start communicating securely with other parties. Nodes which have already downloaded the interpreter, but were inactive for a while, must send a test packet to a neighbour node. If the test packet is replied to, the current interpreter is still valid; if no response is received, the process of downloading a new version is the same as for joining a new node.

If a node is going to leave the sessions permanently, the installed interpreter must be removed to reduce the likelihood of compromising the interpreter. If the disjoined node is trustworthy and the interpreter is removed successfully, the other nodes can continue utilizing the current version; otherwise, revoking the current version and installing a new version is compulsory. To renew the interpreter version, replacing the old 24 digits with new 24 digits is enough. For example, if three counterpart companies are going to establish secure sessions, they can utilize IKM for providing security; all computers must then install the same interpreter to enable them to communicate securely. While they are working together, nodes can join and disjoin sessions, but if one of the companies decides to disjoin permanently, the current interpreter must be revoked and a new version must be distributed among the authorized parties.

### **4. Security and performance comparison between IKM and master-key**

To choose between the two methods, their features and capabilities must be compared, to help readers pick the more convenient option for their requirements. To do so, in this section we compare the IKM and master-key methods in terms of security and performance.

Comparative Analysis of Master-Key and Interpretative Key Management (IKM) Frameworks 215


### **4.1 Security comparison between master-key and IKM**

To compare security between master-key and IKM, five important features are analyzed and compared.

### **4.1.1 Key storage**

One issue in key management is storing keys for future use, which means encrypting the key and restoring it after going through a password check. This process increases the probability of compromising keys, but IKM only produces a key when needed and never saves it, as the keys change continuously. Even during the double-valid-key period, the interpreter eliminates the old key from memory after a few seconds.

### **4.1.2 Replacing multiple key distribution with one time interpreter distribution**

Some attacks, like the man-in-the-middle attack, known-plaintext attack, replay attack and brute force attack, endanger the safety of the key distribution process (Techateerawat & Jennings, 2007). As the number of key distributions increases, the likelihood of such attacks also increases. IKM needs the interpreter to be distributed only once and afterwards can deploy unlimited fresh keys without any need for key distribution. In current practice, having a unique key per session for n sessions requires n key distributions, which increases the likelihood of compromise n times. For IKM this process is run only once, so by reducing n distributions to one, the likelihood of compromise is reduced to 1/n as well. Since IKM goes through the key distribution process only once and establishes more complicated secure channels, it can provide a higher level of security.

### **4.1.3 Utilizing unique or multiple key per session**

Ideally in cryptography every transaction must be encrypted with a unique key, but because of the cost and difficulty of implementation this is not yet widely practiced. IKM nodes produce keys instead of receiving them, and generating a key creates less traffic than distributing it over the network. Since generating keys imposes no traffic on the network and costs less, node-side key production is cheaper and easier, and converts this ideal of cryptography into reality. For example, if every ATM user took 90 seconds to complete a transaction and the ATM used a per-minute IKM key, then every ATM transaction would be encrypted with a unique key, meaning the ideal encryption becomes reality.

### **4.1.4 Attack resistance capability**

During its running time the interpreter records the amount and type of incorrect packets received and sends this to the IKM server. Depending on the received statistics, the IKM server will decide whether that specific interpreter must continue working, stop temporarily or stop working completely. Also, based on the received statistics, the IKM server will decide whether it is better to renew the current interpreter or whether it is still safe to produce keys.

The IKM structure enables resistance to some attacks that endanger the safety of key production and distribution, and reacts intelligently against attacks, whereas master-key has no comparable feature.

### **4.1.5 No key revocation**


Since IKM keys have a predefined validity term, they expire automatically and there is no need for a revocation call, except for revoking the interpreter. But each key of the master-key technique must be expired by issuing a revocation call from the server. Therefore, having no necessity for key revocation is counted as an advantage of IKM over master-key.

### **4.2 Performance comparison between IKM and master-key**

To compare performance between IKM and master-key, the traffic load imposed on the network over a specific duration and the traffic load imposed per generated key are calculated and compared.

### **4.2.1 Key management imposed traffic load**

To make an analogy about the key management traffic imposed by IKM and master-key, we can assume that each key lasts for one day and bit-stream reloading happens once a week. The contents of Table 1 represent the real-world load of each activity, and the following formulas are used to calculate Table 2 and Table 3; the Fig. 9 values are used to make an analogy between the two methods. Table 3 and Table 4 show the differences of running master-key and IKM for minutely, hourly and daily keys.

$$\text{Master-key load for } n_w = (k_{dl} + k_{rl}) \times 7 \times n_w \tag{1}$$

$$\text{IKM load for } n_w = (i_{dl} + i_{rl}) + (n_w \times b_{dl}) \tag{2}$$


| Item explanation | Metric | Symbol |
|---|---|---|
| Key distribution load (master-key) | 1 KB | k<sub>dl</sub> |
| Key revocation load (master-key) | 0.5 KB | k<sub>rl</sub> |
| Interpreter distribution load (IKM) | 50 KB | i<sub>dl</sub> |
| Interpreter revocation load (IKM) | 0.5 KB | i<sub>rl</sub> |
| Bit-stream downloading load | 0.5 KB | b<sub>dl</sub> |
| Number of weeks | - | n<sub>w</sub> |

Table 1. Traffic load and symbol of activities


| Number of weeks | Master-key (KB) | IKM (KB) |
|---|---|---|
| 1 | 10.5 | 51 |
| 4 | 42 | 52.5 |
| 13 | 136.5 | 57 |
| 26 | 273 | 63.5 |
| 52 | 546 | 76.5 |

Table 2. Daily key imposed load on server and network per node
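With the Table 1 values, equations (1) and (2) reproduce Table 2; a minimal check (symbol names follow Table 1):

```python
k_dl, k_rl = 1.0, 0.5    # master-key: key distribution / revocation load (KB)
i_dl, i_rl = 50.0, 0.5   # IKM: interpreter distribution / revocation load (KB)
b_dl = 0.5               # weekly bit-stream download load (KB)

def master_key_load(n_w):
    # Equation (1): one key per day -> 7 distribute-and-revoke cycles per week.
    return (k_dl + k_rl) * 7 * n_w

def ikm_load(n_w):
    # Equation (2): one-time interpreter cost plus a bit-stream download per week.
    return (i_dl + i_rl) + n_w * b_dl

# Reproduces Table 2 for 1, 4, 13, 26 and 52 weeks.
table2 = {n: (master_key_load(n), ikm_load(n)) for n in (1, 4, 13, 26, 52)}
```

The 34-key threshold quoted in section 4.2.2 follows from the same numbers: IKM's one-time cost of 50.5 KB is overtaken once roughly 50.5 / 1.5 ≈ 34 keys have been distributed and revoked under master-key.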


Fig. 9. Analogy of IKM and master-key traffic load on key management server for daily key

As is visible in the results of Table 3 and Table 4, after one year IKM's imposed traffic per generated key is roughly 1/7 of master-key's for the daily key, 1/171 for the hourly key, and 1/10345 for the minutely key.


**Key per session (master-key)**

| No. of keys | Load per key |
|---|---|
| 364 | 1.5 KB |

Table 3. Number and imposed traffic load of key per session after 52 weeks


| IKM | Minutely key | Hourly key | Daily key |
|---|---|---|---|
| No. of keys | 524160 | 8736 | 364 |
| Load per key | 0.000145 KB | 0.00875 KB | 0.208 KB |

Table 4. Number and imposed traffic load of IKM keys after 52 weeks for minutely, hourly and daily keys


| Feature | IKM | Master-key |
|---|---|---|
| Man in the middle resistance | – | ✓ |
| Replay attack resistance | ✓ | – |
| Brute force attack resistance | ✓ | – |
| Less key management traffic | ✓ | – |
| Intelligent reaction against attackers | ✓ | – |
| Easy key distribution | ✓ | – |
| Easy key revocation | ✓ | – |
| Dynamism | ✓ | – |
| Less traffic per key | ✓ | – |

Table 5. IKM and master-key features comparison

### **4.2.2 Analysis of comparison results**

Figure 9 is drawn based on the Table 1 and Table 2 values. It shows that employing IKM is more beneficial if the number of needed fresh keys is over 34. When the number of fresh keys for the sessions is fewer than 34, utilizing master-key is easier and more cost-effective, but beyond this threshold IKM becomes more secure and economical. As the number of needed keys increases, IKM imposes less traffic; even after one year, for IKM's minutely key, it would be less than one bit per generated key.

The second important point is the level of desired security. IKM reacts more intelligently than master-key against attacks. Because of IKM's structure, running brute force and replay attacks against IKM is impossible, but against man-in-the-middle attacks master-key is safer.

Altogether, if encrypted sessions run longer than 34 keys (34 days for the daily key, 34 hours for the hourly key or 34 minutes for the minutely key) and a safer technique is needed, then IKM is the more convenient choice, but for short-term sessions master-key is more reasonable.

### **5. Conclusion**




Cryptography is the technique of making information unintelligible to unauthorized parties. To this end, many techniques have been developed which guarantee the secrecy of encrypted information. Master-key is an internationally approved technique that can generate cryptographic keys using environmental parameters like the parties' information. The interpretative key management (IKM) framework is a newly devised method that has many similarities with master-key, such as the power of key generation and the use of environmental parameters in key generation.

Since both techniques have some features in common, this article gives a comparative analysis to help researchers or developers who are going to utilize one of them, and gives a guide for choosing between the two regarding their requirements and criteria.

A comparison of the results shows that for short-term or temporary secured sessions, utilizing master-key is easier and more cost-effective. But in the long run, utilizing IKM is not only more beneficial but, because of its intelligent attack resiliency features, also more secure. Regarding the traffic load imposed on the network, the threshold for moving from master-key to IKM is 34 keys, which, depending on the chosen IKM key generation method, would vary from 34 minutes to 34 days. From the point of view of equipment, both schemes need a server. For master-key the server is responsible for generating and distributing fresh keys, and with regard to providing a key per session it is almost constantly in the process of generating and distributing fresh keys, while for IKM the server generates and distributes the interpreter once and afterwards only supervises the security status of the nodes.

To sum up, the main criteria for choosing either master-key or IKM are the period of running secured sessions and the necessity for intelligent security features.

### **6. References**

Chen, L. 2009. *Recommendation for Key Derivation Using Pseudorandom Functions,* National Institute of Standards and Technology (NIST), Retrieved from

**11** 

*Romania* 

**Potential Applications of IPsec in** 


## **Potential Applications of IPsec in Next Generation Networks**

Cristina-Elena Vintilă

*Military Technical Academy, Bucharest, Romania* 

### **1. Introduction**

218 Cryptography and Security in Computing


IPsec is one of the most secure technologies nowadays. It is used in almost all institutions that are concerned with protecting their communications. Although IPsec is not a very hard set of protocols to understand and use, once you get into its details and try to understand how it works, what its applicability is and what its limitations are, you will find yourself surrounded by mathematics, cryptography and network protocol design challenges. This is because IPsec is not just another "encryption" protocol: it is actually an entire stack of protocols, ranging from negotiation protocols, to authentication protocols, to access network technologies, tunnelling protocols, PKI availability, routing and, last but not least, a good deal of cryptography. Companies use IPsec to securely connect their branches to the headquarters or between each other, over the Internet. In the same way, remote workers have the possibility to securely access data located at their workplace premises no matter where they are. One of the most important aspects of this technology is its authentication role. By itself, IPsec does not provide network authentication. The authentication role of this stack of protocols is reserved for the IKE procedures. Currently at version 2, IKE has managed to simplify the authentication process of a peer and at the same time to increase the security of this process. One of the latest additions to these authentication procedures is the support for mobile subscriber authentication. This functionality is achieved by incorporating the UMTS-SIM and UMTS-AKA key exchange protocols, useful in the NGN world.

Authentication functionality is closely related to identity protection and identification. In a world of mobile devices and wireless communication, identity theft and impersonation are a continuously rising concern. The NGN technologies require the provisioning of services at an end-to-end guaranteed quality of experience, provided through high data rates and aggressive SLAs. The aim of the future technologies is to provide multimedia services no matter the location of the subscribers, which assumes inter-operator agreements all over the Globe, as well as location and presence services. In order to maintain a high level of quality and availability, proper authentication, correct authorization and detailed and rigorous accounting are essential. Examples of NGN networks range from 4G access networks, like WiMAX and SAE, to the converged services core, as IMS is. These technologies are still under development. Even though there are already a number of production implementations, the technologies are still being perfected; one aspect of this process is security. IPsec is an important part of the design of any NGN system, for its proven security in the wireline industry (Liu, 2010). On IPv4 it is supported as a set of protocols on top of the layer 3 design, and it is natively integrated into IPv6. The development of IPv6 considered this technology a native part of the layer 3 design, in order to provide the security mechanism of the future networks. The IMS design (TS 24.229) was originally described as running only over IPv6.

This paper does a brief analysis of the security issues faced by the NGN mobile equipment users, as well as the ones faced by the NGN operators. As it describes the security challenges the NGN is going to face, it explores the areas where IPsec has been described as the answer to the question of a secure communication environment in the near future. The paper goes over the IPsec applications in near-future access networks, as WiMAX and SAE are, as well as the usage of this technology in the IMS world. IPsec integrates technologies like key agreement and management via the EAP and PKI frameworks. One goal of this paper is to identify use cases and scenarios where the IPsec of the future is going to take effect. Even though the NGN mobile terminals are already powerful enough to support the cryptographic computations necessary to function as an IPsec peer, these terminals may make use of the ECC technology to improve their performance. While encrypting the traffic with IPsec is a good security practice, applying this practice to VoIP or Video traffic, sensitive to delays and latencies, poses a number of efficiency challenges. This is when the IKE capabilities come into play; IPsec provides key exchange functionality for SIP negotiation, so that the IMS voice and video traffic can be protected (RFC4475, 2006; Vrakas, 2010; Wang, 2009). While reviewing the role and capabilities of IPsec, as well as its possible applications in the next generation architectures, this paper also identifies some of the challenges and limitations this framework faces in the NGN context: mobile IP and mobility management, resistance to denial of service attacks, multimedia protocols, IPv6 control protocols and so on. Though a classic security solution for wireline technologies, IPsec diversifies and evolves, acquires new features and capabilities, while at the same time getting lighter to accommodate the requirements of the mobile subscribers.

This paper proposes a journey of understanding how the technology that secures our communications works and how it can be applied in the near-future applications and network design.

### **2. IPsec technologies**

IPsec (Internet Protocol Security) can be defined as a complex set of protocols on top of IP, supported on both IPv4 and IPv6. By itself, IPsec refers to the technology employed in order to secure the transmission of information over an unprotected medium. The security of the transmission may be achieved by using two sets of protocols: ESP (Encapsulated Security Payload) and AH (Authentication Header). In order to be able to use one of these two protocols, or both of them at the same time, security information in the form of encryption and/or authentication keys must be available. This information may be statically pre-configured by a security administrator or it may be dynamically negotiated between the IPsec entities/peers. The first case is referred to as *manual keying*. In this case, the security administrator has already configured security information on both ends of the IPsec communication channel; the traffic passing through the IPsec equipment and matching several conditions is to be protected using this information. The second way of achieving the security agreement between the IPsec aware devices is to dynamically negotiate the session information between the IPsec peers. This method has the advantage of dynamic keying, but it may also be susceptible to man-in-the-middle attacks in the first phases of the negotiation. The generic protocol employed to do the negotiation is called ISAKMP (Internet Security Association and Key Management Protocol), represented most commonly by the IKE (Internet Key Exchange) protocol, which has reached its second version. When discussing the use-cases that can take place in an IPsec environment, the IPsec peers may find themselves in one of these two scenarios: one is called *site-to-site* and the other one is called *remote-access*. These two scenarios both refer to the situation where the IPsec computation takes place either between two security gateways or between a security gateway and a stand-alone unit (laptop, PDA, smartphone...) called *roadwarrior*; this scenario is also called *dial-up vpn* by some security vendors. There is a separate case where the IPsec peers want to transmit information to each other in a secure manner, but without the use of an external device (such as a security gateway); this case is called *transport mode*.

### **2.1 IPsec architecture and traffic logic**

The main components of the IPsec architecture are the following:

a. the Policy Agent: this component has the responsibility of negotiating the IPsec cryptographic parameters; these parameters refer to traffic identifiers (also called traffic selectors) that are input as a tuple in the Security Policy Database
b. the Security Policy Database (SPD): this component is a database (considering it as a stand-alone database implementation or part of an operating system kernel); it consists of tuples that represent the traffic selectors of an IPsec agreement: the IP addresses or the subnet which the traffic to be secured belongs to, or, for some of the IPsec equipment on the market, it may also contain port numbers in order to identify the traffic
c. the Security Association Database (SAD): this component is a database as well (stand-alone or part of a kernel implementation); it contains the IKE and IPsec security parameters that are negotiated: cryptographic algorithms, authentication information and identification information

Tuples in both databases are indexed and retrieved at run-time via their index, called SPI (Security Parameter Index), a value transmitted at run-time in each IPsec packet, in order for the receiver to select the proper tuple for decryption of the packet. The traffic logic flow of an IPsec use-case is the following: the Policy Agent is the one to start the IKE negotiation process, which consists of two phases (for both the IKEv1 and IKEv2 protocols). The output of Phase 1 is called the ISAKMP SA (Security Association). The output of Phase 2 is called the IPsec SA. The IPsec processing engine adds a new layer of transformation for the actual network traffic; the engine is integrated into the TCP/IP stack of the system and it is called when a particular IP packet or layer 4 segment matches the conditions for IPsec. Depending on each implementation, the configuration of different keys per traffic direction or of a single set of keys for each IPsec tunnel may be available. Also, there are ways to configure the Policy Agent to function based on the policy configured for that equipment (*policy-based tunnelling*), or to be triggered by a route utilization (*route-based tunnelling*).
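
As a rough illustration of the two databases above, the SPD and SAD can be modelled as a pair of lookup tables, the first matched by traffic selectors and the second indexed by SPI. This is a simplified sketch; the subnets, field names and policies are invented for the example:

```python
import ipaddress

# Security Policy Database: ordered list of (traffic selector, policy) tuples.
# Selectors are (src subnet, dst subnet, dst port or None); first match wins.
SPD = [
    (("10.0.0.0/24", "10.0.1.0/24", 443), {"action": "protect", "spi": 0x1001}),
    (("10.0.0.0/24", "0.0.0.0/0", None), {"action": "bypass"}),
]

# Security Association Database: SPI -> negotiated security parameters.
SAD = {
    0x1001: {"enc": "aes-cbc", "auth": "hmac-sha1"},
}

def outbound_lookup(src, dst, port):
    """Return the SA parameters for a packet, or None if it is not protected."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (s_net, d_net, p), policy in SPD:
        if (src in ipaddress.ip_network(s_net)
                and dst in ipaddress.ip_network(d_net)
                and p in (None, port)):
            # The SPI indexes the SAD tuple holding keys and algorithms; the
            # same SPI is carried in every IPsec packet, so the receiver can
            # select the proper tuple for decryption.
            return SAD[policy["spi"]] if policy["action"] == "protect" else None
    return None

print(outbound_lookup("10.0.0.5", "10.0.1.7", 443))   # matches the protect rule
print(outbound_lookup("10.0.0.5", "192.0.2.1", 80))   # matches the bypass rule
```

A real SPD is consulted per packet inside the kernel; the sketch only shows the indexing relationship between the two databases.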


### **2.2 Secure tunnel negotiation**

In order to securely establish a dynamic IPsec tunnel, the ISAKMP – IKE protocol is used, whether in its version 1 or version 2. Version 1 is considered less safe than version 2, where multiple security vulnerabilities were addressed by a safer design. IKEv1 is also considered more difficult to implement. IKEv1 is described in RFC 2409 and it is currently implemented by all the major security equipment providers. Both IKEv1 and IKEv2 negotiate the IPsec SA in two phases. Phase 1 in IKEv1 can be accomplished in two separate and incompatible flows. One of them is referred to as *Main Mode* and it has 6 messages (or 3 exchanges), and the second one is called *Aggressive Mode* and it consists of 3 messages. Phase 2 of IKEv1 is referred to as *Quick Mode* and it has 3 messages.

The Main Mode messages are the following (notation per RFC 2409):

- HDR, SAi – the Initiator's proposal, containing the supported encryption and authentication methods
- HDR, SAr – the Responder's choice among the proposed capabilities
- HDR, KEi, Ni – the Initiator's Diffie-Hellman public value, as well as the Initiator nonce
- HDR, KEr, Nr – the Responder's Diffie-Hellman public value and the Responder nonce
- HDR\*, IDii, HASHi – the identity and authentication hash of the Initiator, sent encrypted
- HDR\*, IDir, HASHr – the identity and authentication hash of the Responder, sent encrypted

Because the 5th and 6th messages are preceded by the exchange of cryptographic information and DH groups, the identities exchanged by them are already encrypted; this is why the Main Mode exchange is referred to as providing Identity Protection. This protection of identity does not happen for Aggressive Mode, where Phase 1 of IKEv1 has only 3 messages:

- HDR, SAi, KEi, Ni, IDii – the proposal, DH value, nonce and identity of the Initiator – in clear
- HDR, SAr, KEr, Nr, IDir, HASHr – the choice, DH value, nonce, identity and authentication hash of the Responder
- HDR, HASHi – the Initiator's authentication hash
In the notations above, the "i" refers to the initiator of the IPsec negotiation, while the "r" refers to the responder of the IPsec negotiation offer.
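
The Identity Protection property above rests on the Diffie-Hellman exchange completed in messages 3 and 4: after it, both sides hold keying material with which messages 5 and 6 can be encrypted. A toy sketch with deliberately tiny numbers (real IKE uses the large MODP groups negotiated in messages 1 and 2):

```python
# Toy Diffie-Hellman exchange: tiny numbers for illustration only.
p, g = 23, 5                # group parameters, agreed upon in messages 1 and 2

i_priv, r_priv = 6, 15      # private values of Initiator and Responder
KEi = pow(g, i_priv, p)     # DH public value sent in message 3
KEr = pow(g, r_priv, p)     # DH public value sent in message 4

# Both sides now derive the same shared secret, from which the keys that
# encrypt the identities in messages 5 and 6 are produced.
secret_i = pow(KEr, i_priv, p)
secret_r = pow(KEi, r_priv, p)
assert secret_i == secret_r
print(secret_i)
```

An eavesdropper sees only g, p, KEi and KEr, which is why the identities in messages 5 and 6 stay protected.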

Phase 1 is followed by Phase 2, also called *Quick Mode*. The purpose of this exchange is to negotiate the traffic selectors and the cryptographic information for the actual data-plane encapsulation. This traffic is referred to as *non-ISAKMP* by RFC 2409. Quick Mode is composed of three messages:

- HDR\*, Hashi1, SA, Ni [, KE] [, IDci, IDcr] – the Initiator's proposal for the IPsec SA, with its nonce and, optionally, fresh DH keys and traffic selectors
- HDR\*, Hashr, SA, Nr [, KE] [, IDci, IDcr] – the Responder's information
- HDR\*, Hashi2 – the Initiator's hash, closing the exchange

The second version of IKE, IKEv2, is not fully supported by all equipment on the market, but it is getting more and more attention, due to its capabilities: faster tunnel setup, more secure negotiations, more consistent authentication and identification rules, simpler implementation etc. There is only one type of so-called Phase 1 and Phase 2 in IKEv2. The IKEv2 exchange is the following (notation per RFC 4306):

- HDR, SAi1, KEi, Ni – the Initiator's IKE\_SA\_INIT request, containing the cryptographic parameters, DH keys and a nonce
- HDR, SAr1, KEr, Nr [, CERTREQ] – the Responder's IKE\_SA\_INIT reply, having the possibility to ask for a digital certificate at this point
- HDR, SK{IDi, [CERT,] AUTH, SAi2, TSi, TSr} – the IKE\_AUTH request, authenticating the Initiator to the other party, with the SA and traffic selectors of the Initiator
- HDR, SK{IDr, [CERT,] AUTH, SAr2, TSi, TSr} – the IKE\_AUTH reply, authenticating the Responder, with the SA and traffic selectors of the Responder
- HDR, SK{SA, Ni [, KEi] [, TSi, TSr]} – the CREATE\_CHILD\_SA request, proposing a new SA (IPsec SA) with the nonces, DH keys and traffic selectors indicated
- HDR, SK{SA, Nr [, KEr] [, TSi, TSr]} – the CREATE\_CHILD\_SA reply from the Responder's side
The first four messages can be assimilated to Phase 1 of IKEv2, and the last two messages to Phase 2 of IKEv2. Nevertheless, at tunnel establishment time only the first four messages appear in the negotiation, as the information provided by the last two messages is usually comprised in messages 3 and 4. The last two messages are used for the re-keying process.

### **2.3 Secure data transmission**

After having established the secure parameters to be employed in order to protect the transmission of the data, two protocols can be used to achieve this security, either separately or both at the same time. These protocols are AH (RFC 4302) and ESP (RFC 4303). The AH protocol number is 51 and the purpose of this protocol is to ensure protection against replay attacks, due to the integrity check and sequencing it employs. The AH method computes a hash of the entire IP packet (both headers and data payload) and adds this hash value to the packet sent over the wire. The only fields not taken into consideration when computing the hash value are the ones that are expected to change when routing occurs in a normal network: TTL, TOS, CRC etc. The ESP protocol number is 50 and this method encrypts the data using the material and algorithms negotiated earlier. ESP only encapsulates the payload.
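
The AH behaviour described above can be sketched as a keyed hash over the packet with the mutable fields zeroed out before hashing. The packet model and field names below are simplified for illustration, with HMAC-SHA1 standing in for the negotiated integrity algorithm:

```python
import hmac, hashlib

# Simplified packet model: a dict instead of a real IP header layout.
MUTABLE = {"ttl", "tos", "checksum"}   # fields expected to change in transit

def ah_icv(packet: dict, key: bytes) -> bytes:
    """Integrity Check Value over headers + payload, mutable fields zeroed."""
    stable = {k: (0 if k in MUTABLE else v) for k, v in packet.items()}
    data = repr(sorted(stable.items())).encode()
    return hmac.new(key, data, hashlib.sha1).digest()

key = b"negotiated-auth-key"
pkt = {"src": "10.0.0.1", "dst": "10.0.1.1", "ttl": 64, "tos": 0,
       "checksum": 0x1234, "payload": "hello"}

icv = ah_icv(pkt, key)

# A router decrementing TTL does not invalidate the ICV...
pkt_routed = dict(pkt, ttl=63, checksum=0x5678)
assert ah_icv(pkt_routed, key) == icv

# ...but any change to a protected field does.
pkt_tampered = dict(pkt, payload="hacked")
assert ah_icv(pkt_tampered, key) != icv
```

This also shows why AH covers the addresses in the outer header, which is what makes it incompatible with NAT, while ESP protects only the encapsulated payload.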

### **2.4 Authentication and Identification**

Two of the most important aspects of the IPsec negotiation are authentication and identification. Not only do they perform two important functions (authenticating the IPsec peers to each other and identifying the peers to each other), but they are a crucial point for interoperability between different IPsec implementations. Not all networks worldwide happen to use exactly the same equipment as IPsec peers, so interoperability issues arise in many situations. RFC 2409 defines only two types of authentication available for IKEv1: PSK (pre-shared key) and digital certificates/RSA, while RFC 4306 for IKEv2 defines four authentication types: PSK, RSA, DSS and EAP (Extensible Authentication Protocol). The way these options are combined is a totally different discussion. Most of the site-to-site implementations use a symmetrical authentication scheme (both peers use the same type of authentication for the tunnel being established). On the other hand, the remote-access scenarios many times use a hybrid authentication scheme, where the security gateway authenticates to the road-warriors via a digital certificate, while the clients are authenticated via a password. At the same time, if we are discussing IKEv2, where the EAP method is available, there are many more ways of authenticating the road-warriors.
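
For the PSK case, RFC 2409 derives the base keying material as SKEYID = prf(pre-shared-key, Ni\_b | Nr\_b), which is what ties authentication to knowledge of the shared secret. A minimal sketch, with HMAC-SHA1 standing in for the negotiated prf:

```python
import hmac, hashlib

def skeyid_psk(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """RFC 2409 pre-shared-key case: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    HMAC-SHA1 stands in here for whatever prf the peers negotiated."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()

# Both peers hold the same PSK, so both derive the same SKEYID; a peer
# without the key cannot produce matching authentication hashes.
ni, nr = b"\x01" * 16, b"\x02" * 16
assert skeyid_psk(b"s3cret", ni, nr) == skeyid_psk(b"s3cret", ni, nr)
assert skeyid_psk(b"wrong-key", ni, nr) != skeyid_psk(b"s3cret", ni, nr)
```

The fresh nonces keep SKEYID different per negotiation even when the PSK never changes.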

Configuring PSK on devices is many times straightforward. The RSA configuration tends to be more difficult, as it assumes the existence of a PKI infrastructure. As an example, on Strongswan, by default, there is a dedicated directory where the root certificates should reside (*/etc/ipsec.d/cacerts*). In */etc/ipsec.d/certs* the administrator should copy the IPsec certificates for the local machine. All these file paths may be changed from a configuration file (*/etc/ipsec.conf*). The certificates are usually supplied in *pem* format, but they can also be parsed in *der* format (this option is the default for Windows CA servers) and the administrator can convert a certificate from one format to another using a tool like *openssl*. When exporting a certificate generated on the CA, both the public and the private keys are downloaded (because the *csr* file has been directly generated on the CA). In this case, the format presented is PKCS12. From PKCS12, the administrator is able to extract both the public key (in a digital certificate) and the private key, in separate files.


Converting a certificate from *der* to *pem* format:

openssl x509 -inform DER -in local.cer -outform PEM -out local.pem


Extracting the public certificate from a PKCS12 file:

openssl pkcs12 -in myFile.p12 -out cert.pem -clcerts -nokeys

IOS, JunOS or StokeOS network operating systems usually keep the certificate information in their non-volatile memory.

The next step after achieving peer authentication is the proper identification of the peers to each other. This step is very important, and it is also very important that the identities of the peers are not disclosed to unauthorized parties. This is one reason why the Aggressive Mode method, which does not provide Identity Protection, is no longer included in IKEv2. RFC 2407 identifies the syntax for the identification variables in IKEv1, and RFC 4306 describes this syntax for IKEv2. The identification payload types for IKEv1 are the following: ID\_IPV4\_ADDR, ID\_FQDN, ID\_USER\_FQDN, ID\_IPV4\_ADDR\_SUBNET, ID\_IPV6\_ADDR, ID\_IPV6\_ADDR\_SUBNET, ID\_IPV4\_ADDR\_RANGE, ID\_IPV6\_ADDR\_RANGE, ID\_DER\_ASN1\_DN, ID\_DER\_ASN1\_GN, ID\_KEY\_ID, and the ones for IKEv2 are the following: ID\_IPV4\_ADDR, ID\_IPV6\_ADDR, ID\_FQDN, ID\_RFC822\_ADDR, ID\_DER\_ASN1\_DN, ID\_DER\_ASN1\_GN, ID\_KEY\_ID.
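
To make the payload types above concrete, a small helper can guess a plausible ID type from the shape of a configured identity string. This is a rough illustration only; real implementations follow the stricter encoding rules of the RFCs:

```python
import ipaddress

def guess_id_type(identity: str) -> str:
    """Map a configured identity string to an IKEv2 ID payload type (sketch)."""
    try:
        ip = ipaddress.ip_address(identity)
        return "ID_IPV4_ADDR" if ip.version == 4 else "ID_IPV6_ADDR"
    except ValueError:
        pass
    if identity.startswith(("C=", "/C=")):   # looks like an X.500 subject
        return "ID_DER_ASN1_DN"
    if "@" in identity:                      # e-mail style identity
        return "ID_RFC822_ADDR"
    return "ID_FQDN"

print(guess_id_type("192.168.0.1"))
print(guess_id_type("vpn.example.com"))
print(guess_id_type("user@example.com"))
```

Many interoperability problems reduce to the two peers disagreeing on exactly this classification, which is why most implementations let the administrator force the ID type explicitly.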

Identification is one of the major aspects when it comes to interoperability issues, especially when the administrator has to configure a particular type of identification mechanism that is not supported on the peer equipment. Strongswan, for instance, accepts ID\_IP\_ADDR (and ID\_IP\_ADDR\_SUBNET for IKEv1), both v4 and v6, and ID\_FQDN, as in the certificate. The configuration file also permits an ID\_ASN1\_DER\_CN, where the administrator can enter the entire subject of the certificate or only certain fields.

224 Cryptography and Security in Computing

(pre-shared key) and digital certificates/RSA, while RFC 4306 for IKEv2 defines four authentication types: PSK, RSA, DSS and EAP (Extensible Authentication Protocol). How these options are combined is a different discussion entirely. Most site-to-site implementations use a symmetrical authentication scheme (both peers use the same type of authentication for the tunnel being established). On the other hand, remote-access scenarios often use a hybrid authentication scheme, where the security gateway authenticates to the road-warriors via a digital certificate, while the clients are authenticated via a password. At the same time, if we are discussing IKEv2, where the EAP method is available, there are many more ways of authenticating the road-warriors.


conn connection1
  left=192.168.0.1
  right=192.168.0.2
  leftid="C=RO, ST=Romania, L=Bucharest, O=Company, OU=Department, CN=DebianTest/emailAddress=debian@test.com"
  rightid="C=US, ST=California, L=Calabasas, O=Company, OU=Department, CN=Test1"

Other equipment has a more or less similar way of defining this set of parameters.
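As a hedged sketch of that similarity (classic Cisco IOS syntax; exact options and defaults vary by platform and software release), the corresponding IKE authentication and identity selection on an IOS peer might look like:

```
! Phase 1 policy using certificate (RSA signature) authentication
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes 256
 hash sha256
 group 14
! Send the certificate's Distinguished Name as the IKE identity
crypto isakmp identity dn
```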

A particular case is IKEv2-EAP. This protocol is described by RFC 3748 and it supports the following internal EAP methods: MD5, TLS, SIM, AKA etc. While MD5 is a simple protocol that can be implemented locally on the IPsec peer, TLS, SIM or AKA usually require an external Radius server, like ACS, FreeRadius or NPS. This is not a mandatory condition, but it is good practice to have the authentication server separated from the IPsec peer. TLS can be used for almost any type of connection and it may also authenticate only the server to the client, as per the TLS specifications. The SIM protocol was defined for authentication in 2G networks and is used for proving the GSM Subscriber Identity of the client to the 3G access network; this protocol is described in RFC 4186. EAP-AKA (Authentication and Key Agreement) has been defined for authentication of the 3G subscribers to the 3G networks which have a Radius server. Further on, EAP-AKA is the preferred method in the 4G network authentication procedures when the mobile equipment to be authenticated is a non-native 4G device. LTE uses the native AKA procedure for authenticating the native 4G handset, and uses the AAA proxy for mobile devices connecting from WiFi or WLAN areas.

Examples of EAP-TLS, EAP-SIM and EAP-AKA users, as they are defined in a FreeRadius users file, are shown below.

user1    Auth-Type := EAP, EAP-Type := EAP-TLS, Password == "p@ssw0rd"

eapsim1  Auth-Type := EAP, EAP-Type := SIM
         EAP-Sim-RAND1 = 0x201112131415161718191a1b1c1d1e1f,
         EAP-Sim-SRES1 = 0xd2d2d3d4,
         EAP-Sim-KC1 = 0xa0a2a2a3a4a5a6a7

eapaka1  Auth-Type := EAP, EAP-Type := AKA
         EAP-Sim-AUTN = 0xa0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0,
         EAP-Aka-IK = 0xb0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0,
         EAP-Aka-CK = 0xc0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0,
         EAP-Sim-RES = 0xd0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0,
         EAP-Sim-RAND = 0xe0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e0

At the moment, the IPsec technology is mature and considered stable. Improvements have been made to IKEv2 to support a large range of scenarios. What is of interest in this paper is how much of IPsec can actually be used in Next Generation Networks, with emphasis on 4G-SAE, the mobile technology that receives the most attention at the moment. We can use IPsec in a peer-to-peer manner for providing hop-by-hop security between core network elements, but we should also be able to learn a lot from its authentication and negotiation stages in order to secure the 4G access level, which is of bigger interest due to the large number of devices that will try to connect, as well as due to the large number of connectivity and mobility scenarios employed (Wang, 2008).

Potential Applications of IPsec in Next Generation Networks 227

There are multiple studies regarding the security of IPsec, and especially of the IKE protocols. One of them (Cremers, 2011) identifies the following vulnerabilities: reflection attack on IKEv1 Main Mode with digital signatures or pre-shared keys, reflection attack on IKEv1 Quick Mode, reflection attack on IKEv1 Main Mode with public key encryption, authentication failure on IKEv1 Aggressive Mode with digital signatures, authentication failure on IKEv1 Main Mode with digital signatures that does not require self-communication, and reflection attack on the IKEv2 phase 2 exchange. Another important aspect of the IPsec protocol is the computational overhead, described in detail in (Xenakis, 2006). The factors taken into account are the encryption type and the authentication mechanism, and the results are reflected in the system throughput, total delay and rate increase of the protected data (Shue, 2007). Overall, the throughput overhead is larger than the overhead introduced by upper-layer security protocols, like SSL or TLS, but the security offered by IPsec is also higher and the protocol can tunnel and secure a larger variety of traffic protocols than SSL or TLS can.

### **3. 4G and services networks technologies**

4G is the current next-generation network technology. 4G is a generic term that defines a set of features and capabilities for a radio network, as well as for quality of service, mobility and services provided to the customer. It is not strictly related to a particular technology: both WiMAX and LTE have been declared 4G technologies. WiMAX is standardized by the WiMAX Forum and was developed from the 802.16 family of wireless standards. The 802.16 standard is also called *fixed* WiMAX and was published in 2001. In 2005, the 802.16e family was deployed, called *mobile* WiMAX, and in 2011 implementations of 802.16m began to appear. At the same time, the 3GPP forum worked on improving the UMTS technology, which is considered a 3G technology. This is how the LTE (Long Term Evolution) technology came into existence. LTE is considered a 4G technology and it proposes an all-IP network, simplifying the access level of the network, as well as providing support for higher transmission rates due to improvements on the radio side and dynamic or seamless handover both to 3G networks and to non-3GPP networks, like WiMAX or WLAN. Both 4G technologies aim at providing simple and transparent access to the services network for their subscribers. One example of a services network is the IMS (IP Multimedia Subsystem), developed by 3GPP. IMS supports a large area of services, from simple data, voice and video to SMS, MMS, push-to-talk, conferencing and presence. A different approach to connecting to an IMS network is direct access to the Internet, where the services accessed may be the same ones as accessed from a wireless connection, without being provided in a unified manner, as in IMS. An intermediary solution is also possible, where the services network refers only to the Application Servers (AS) part of the IMS, overlooking the call session functions (Plewes, 2007; Sayyad, 2011).

From now on, the paper will provide a short introduction to the 3GPP LTE technology and discuss the security issues that appear at the access layer of this architecture (Kowtarapu, 2009). We will see what decisions the 3GPP forum has made in terms of protocols to use, with their advantages and vulnerabilities, and investigate how we can use the lessons learnt from our experience with IPsec.

### **3.1 3GPP LTE architecture and services network**

The 4G-LTE architecture comprises two main components: the radio access network and the EPC (Evolved Packet Core). The radio access network is the eNodeB (the antenna) and the radio medium. The core network contains multiple devices, with roles in signalling, authentication, routing, providing quality of service and so on. The following elements are the most common devices located in the LTE core network (TS 23.203, TS 23.401, TS 29.274, TS 33.401):

a. MME (Mobility Management Entity): it deals with user registration to the network, signalling and mobility management; it can be partially assimilated with the SGSN (Serving GPRS Support Node) from the UMTS architecture, with two major differences: the MME, unlike the SGSN, only does signalling, and, unlike the SGSN, it additionally has a management position towards the antennas; the MME connects to the database that holds the subscriber authentication information, having a very important role in user authentication; in 3G, the RNC (Radio Network Controller) had the dedicated function of antenna management;

b. SGW (Serving Gateway): unlike the MME, this entity handles both the signalling and the traffic plane, and it is responsible for routing data traffic to a particular set of radio cells (called Tracking Areas);

c. PGW (Packet Data Network Gateway): this component is the one connecting the access network (LTE network) to the services network (IMS, Internet, Intranet etc.); it is also one of the QoS enforcement points, together with the antenna; the PGW is connected to the database that holds the subscriber information; this entity may be assimilated to the 3G GGSN (Gateway GPRS Support Node) (Good, 2007);

d. PCRF (Policy Charging and Rules Function): the policy database holding the subscription information material (Yang, 2011);

e. HSS (Home Subscriber Server): the database holding information about the mobile equipment identity and credentials.

The picture below is a schematic representation of a typical 4G network (TS 29.061), where the access side is done via the native 4G environment, as well as via 3G and non-3GPP media.

The antenna is the first point of contact of the user to the LTE network. The mobile equipment connects to the network, identifies this network and, upon the user signalling to the network, the LTE starts the authentication process. The entities involved in this process are the mobile equipment, as one of the authentication peers (the client), the HSS, as the second authentication peer (the server), the MME as the authenticator and the eNB as a sort of authentication relay. The MME is the one requesting the UE (User Equipment) its identity information, while downloading credentials from the HSS, in order to start the authentication process and secure key establishment with the mobile. The protocol used for this process is AKA (in native 4G and 3G) and EAP-AKA for non-3GPP access. Once the authentication is complete, several keys are derived, based on mathematical functions defined by 3GPP. The key hierarchy is different for each case: 3G, 4G and non-3GPP. In the 4G case, there are keys for securing and/or authenticating both signalling and data-plane traffic flows, unlike 3G, where only the data plane was secured. Also, there are specific requirements on how to assure a safe interoperability function between these types of access levels. For instance, the handover from a 4G network to a 3G

network is simpler and does not require additional cryptographic computation, while the handover from a 3G network to a 4G network is more cumbersome. In order to achieve authentication for the non-3GPP devices, one or more 3GPP-AAA servers are needed, as well as an ePDG (Evolved Packet Data Gateway). This ePDG entity is the other end of the authentication scenario, the peer the mobile connects to for authentication (Guo, 2010).

Fig. 1. NGN architecture; local breakout with home & visited network operator's functions

Roaming is an important aspect when it comes to security (authentication, authorization, as well as accounting and charging). Generically, there are three types of roaming: home routed traffic (the PGW is located in the home network), local breakout with home operator's application functions only (the PGW is located in the visited network, but the services the user accesses are provided by its home network, as in the example of using an e-mail service) and local breakout with visited operator's application functions only (the PGW is in the visited network as well, but the visited network also provides the services in this case, having a roaming agreement with the home network in order to do so; the home network only serves to assure the authentication of the user and the policy verification).

Independent of the details of implementation of the access network, the PGW ultimately connects the UE to an APN (Access Point Name) via the SGi interface, an IP-based logical interface. The APN is the services network, no matter the actual format of this network: Internet, Intranet, IMS etc. The typical case considered in this paper is the IMS network. In this case, the PGW connects to the P-CSCF equipment of the IMS core.

The centre of the IMS functionality is the CSCF (Call Session Control Function), provided via three different logical entities: a Proxy (P-CSCF), an Interrogating unit (I-CSCF) and a Serving unit (S-CSCF). The P-CSCF is the first point of contact in the IMS network, staying always in the SIP signalling path and being able to do traffic inspection, SIP header compression (SigComp) and secure tunnelling to the UE: this is the entity the mobile IMS-aware handset establishes an IPsec session with. The P-CSCF can also do media-plane QoS enforcement. The S-CSCF is responsible for registration, message inspection and for selecting the AS (Application Server) that is to serve the subscriber. Assigning a particular S-CSCF to a certain subscriber is the task of the HSS, which is interrogated by the I-CSCF to provide this information. Just as for the 4G network, the IMS relies on the existence of the HSS and PCRF databases. The standards move towards a more intimate and efficient integration of the 4G and IMS networks.

### **3.2 Security aspects**

The security aspects in such a complex environment are many and varied. 3GPP has defined five security levels in order to separate the areas that are somehow independent of each other (TS 33.203):

a. Network Access Security: this area deals with granting access to the (core) network only to those users that prove their identity, that identity matching a network's registered user, with valid authentication credentials and with a subscription that allows services to be delivered to this user;

b. Network Domain Security: this area deals with the secure interoperation between the Evolved Packet Core (EPC) network entities; this security is described by the protocols involved in securing the communications between EPC nodes: IPsec (recommended by the Specs to take place within an operator's premises) and TLS (usually for inter-operator secure communications);

c. User Domain Security: this area deals with the secure access to the mobile stations;

d. Application Domain Security: this area is concerned with how to secure the communication between the applications that reside on the user's mobile device and the core network application servers; as a layer 7 application, this area may implement a large variety of security structures;

e. Visibility and Configurability of Security: this is an informational area, for the user; the subscriber must have constant access to the information concerning the security features available on his device, whether or not they are functioning properly and whether or not they are required for the secure operation of a certain service.

When it comes to access to the 4G network, there are two aspects that threaten the security of the model. These aspects are related to the EPS-AKA procedures and they are the lack of identity protection at the first Initial Attach to the network (where the user must send its IMSI over the air, unencrypted) and the lack of the PFS (Perfect Forward Secrecy) property of the AKA algorithm. Sending the IMSI over the air is a problem only for the very first Attach Request, because the subsequent requests are done using a temporary global identity (GUTI).

This attach request message is sent by the UE to the MME; this request may be a TAU (Tracking Area Update), a procedure that is mandatory when moving between areas of radio cells. When the new MME receives this message, it retrieves the identity of the previous MME from the message, and contacts this previous MME. In the message, the new MME requests the IMSI for the GUTI it provides. This way, under the fair assumption that the connection between MMEs is secured (via IPsec for instance), the IMSI identity of the UE is protected.
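The "mathematical functions defined by 3GPP" for deriving the key hierarchy discussed above are HMAC-SHA-256 based key derivation functions. The sketch below shows the generic KDF shape of TS 33.220 Annex B (an FC code followed by length-suffixed parameters); the FC value 0x11 and the input values here are illustrative placeholders, not taken from a real trace:

```python
import hmac, hashlib

def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each parameter carries a 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()

# Illustrative derivation in the style of KeNB = KDF(KASME, FC, NAS uplink count):
kasme = bytes(32)                          # placeholder 256-bit KASME
nas_uplink_count = (7).to_bytes(4, "big")  # placeholder counter value
kenb = kdf_3gpp(kasme, 0x11, nas_uplink_count)
print(len(kenb))  # 32 -> a 256-bit derived key
```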

With regards to the services network, there are a lot of vulnerabilities, some related directly to the security capabilities of the SIP and RTP protocols, while some other to the network

Potential Applications of IPsec in Next Generation Networks 231


design, authentication, authorization and user profile. ETSI has developed the TVRA model in order to organize a table of security vulnerability descriptions. The table below proposes a summary of the VoIP network vulnerabilities, organized on the TVRA model (Edwards, 2007; Karopoulos, 2010; VoIPSA, 2011).

| No. | Asset | Weakness | Threat | Location | Incident | Objective |
|-----|-------|----------|--------|----------|----------|-----------|
| 1 | SIP Session | Signal w/o confidentiality | SIP sniffer | Gm | Loss of privacy | Confidentiality |
| 2 | Network topology | UE configuration | Scan | Gm/Mw | Loss of privacy | Confidentiality |
| 3 | SIP Session | Signal w/o confidentiality | SIP Bye attack | Gm | Session damage | Integrity |
| 4 | SIP Register | Weak authentication and control mechanism | Spoofing | Gm | Impersonation attack (user) | Authentication |
| 5 | SIP | Weak authentication and control mechanism | P-CSCF-in-the-middle attack | Gm | Session damage | Integrity |
| 6 | SIP Register | DNS reliability | DNS cache | Gm | Impersonation attack (P-CSCF) | Authentication |
| 7 | SIP | No integrity protection | Message tampering | UE | DoS | Availability |
| 8 | SIP Session | Lack of DoS/DDoS prevention | SIP Register flooding | Gm | DoS | Availability |
| 9 | RTP Session | Weak authentication and control mechanism | RTP insert attacks | Gm | DoS | Availability |
| 10 | RTP Session | Weak control of streams | Media theft | UE-UE | Service theft | Accountability |
| 11 | RTP Session | Weak authentication and control mechanism | SPIT | UE-UE | User exhaust | Controllability |
| 12 | User profile | Weak authentication and control mechanism | SIP SQL injection | HSS | DoS | Availability |

Table 1. VoIP TVRA model example

Along with the list of vulnerabilities, there are organizations that discuss these security issues in more detail and also present the current status of the security tools available for assessing the level of security of this type of network (Plewes, 2007).

### **4. Security solutions and alternative models**

### **4.1 4G GAA security solution**

230 Cryptography and Security in Computing

The 3GPP forum defines a generic authentication scheme, named GAA (Generic Authentication Architecture), which has two main components: the component responsible for authentication via shared secrets, GBA (Generic Bootstrapping Architecture), and the component responsible for authentication via digital certificates, SSC (Support for Subscriber Certificates). There are six entities defined by the GAA: HSS, BSF, NAF, ZnProxy, SLF and UE. The figure below describes an authentication scenario where the UE is located in roaming, and there is a third, untrusted, network between the visited and the home network.

Fig. 2. GBA simplified architecture

The HSS is the database holding the USS (User Security Settings). It has the purpose of mapping the USS to one or more private user identities, which in IMS are called IMPIs (IP Multimedia Private Identity). An example of a USS is the GUSS (GBA User Security Settings), which may contain the following parameters: type of UICC, lifetime of the subscriber's key, timestamp, etc. The BSF (Bootstrapping Server Function) has the role of authenticating the UE, via the AKA method. Before that, it communicates with the HSS in order to download the AV (Authentication Vector) parameters used to derive the keying material for AKA. A native 4G handset should support EPS-AKA exchanges with the BSF. The NAF (Network Application Function) is a generic server that the UE tries to connect to. The BSF derives the Ks\_NAF key and sends it to the NAF; the UE also generates a Ks\_NAF key. For this procedure to function properly, the BSF should have connectivity to the NAF the user connects to. The BSF should keep a list of NAFs and a list of groups of NAFs, in order to be able to identify at any given moment which NAF should be chosen if an application-specific USS appears (Aiash, 2010; Keromytis, 2010). The ZnProxy appears in the roaming cases, and it may be a stand-alone device or part of the functionality of an existing device, like the visited NAF, a visited AAA server or an application server. This entity has the role of locating the user's home BSF device. In cases where there are multiple HSS databases, the SLF (Subscriber Location Function) is the entity queried by the BSF in order to locate the HSS containing the authentication information. The following steps describe the bootstrapping procedure:

Potential Applications of IPsec in Next Generation Networks 233

1. The UE sends the HTTP request to the BSF, inserting a user identity, either its IMPI or its TMPI, if it has a temporary ID available;
2. The BSF identifies whether it received a TMPI or an IMPI; if it was a TMPI, it looks for the corresponding IMPI in its cache, and if it is not found, it returns an error to the UE, requesting the IMPI; otherwise it continues authenticating the UE to the HSS. The BSF then tries to locate the HSS and retrieves the GUSS and the AV from it, where AV = (RAND||AUTN||XRES||CK||IK), over Zh;
3. The BSF forwards the RAND and AUTN to the UE, in order to authenticate it;
4. The UE uses the AUTN to authenticate the network, then computes the XRES, CK and IK, and sends the XRES to the BSF, in order to be authenticated by this entity;
5. The BSF verifies the XRES against its already computed RES; if they match, the UE is authenticated;
6. The BSF obtains the Ks by concatenating CK and IK, the same as the UE, and replies to the UE with a B-TID in the 200 OK message;
7. The UE also obtains the Ks by concatenating its CK and IK.

Fig. 3. GBA procedure

At this point, both the UE and the BSF derive the Ks\_NAF key, the actual key that will be used to secure the communication between the UE and the NAF.

Ks\_NAF = KDF (Ks, "gba-me", RAND, IMPI, NAF\_Id), where KDF is the key derivation function and the NAF\_Id looks like this: NAF\_Id = FQDN of the NAF || Ua security protocol identifier. All the possible values and the structure of these components are defined in the references.

### **4.2 IMS AKA procedure**
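The Ks\_NAF derivation above can be sketched in code. This is an illustrative sketch only: it assumes an HMAC-SHA-256-based KDF over length-prefixed parameters (the normative construction, including the FC octet and exact parameter encoding, is in 3GPP TS 33.220 Annex B), and the key material, IMPI and NAF\_Id values below are made up for the example.

```python
import hashlib
import hmac

def kdf(key: bytes, *params: bytes) -> bytes:
    # Sketch of a GBA-style KDF: HMAC-SHA-256 over the concatenation
    # of each parameter followed by its two-byte length (Pi || Li).
    s = b""
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_ks_naf(ck: bytes, ik: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    ks = ck + ik  # Ks = CK || IK, as obtained during bootstrapping
    return kdf(ks, b"gba-me", rand, impi.encode(), naf_id)

# NAF_Id = FQDN of the NAF || Ua security protocol identifier (example values)
naf_id = b"naf.example.org" + bytes([0x01, 0x00, 0x01, 0x00, 0x02])
ks_naf = derive_ks_naf(b"\x01" * 16, b"\x02" * 16, b"\x03" * 16,
                       "11111@open-ims.test", naf_id)
assert len(ks_naf) == 32  # a 256-bit Ks_NAF
```

Both sides run the same derivation independently, which is why the BSF only has to ship Ks\_NAF to the NAF, never the underlying Ks.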

The IMS network is the NAF server from the above topology (more exactly, the P-CSCF plays the role of the NAF server). Another method to do subscriber authentication is the SIP-AKA procedure. The purpose of this procedure is to authenticate the user and exchange keying material for IPsec (Chen, 2008; MSF, 2011; Nasser, 2009; TR 33.978).

I have executed several tests, using an IMS client and an IMS CSCF solution. The figure below describes the theoretical exchange, while some of the traffic captures are included following the theoretical description.

Fig. 4. SIP-IMS-AKA authentication procedure

The first packet of the conversation is the SIP REGISTER, which at first does not contain any authentication method or related information.

```
Request-Line: REGISTER sip:open-ims.test SIP/2.0
    Method: REGISTER
    Request-URI: sip:open-ims.test
    [Resent Packet: False]
Message Header
    Via: SIP/2.0/UDP 172.20.1.1:1143;rport;branch=z9hG4bK1275411663890
    From: <sip:11111@open-ims.test>;tag=6334
    To: <sip:11111@open-ims.test>
    Call-ID: M-50a5456166f246b78f081ac2453ee4ea
    CSeq: 901 REGISTER
    Max-Forwards: 70
    Allow: INVITE, ACK, CANCEL, BYE, MESSAGE, OPTIONS, NOTIFY, PRACK, UPDATE, REFER
    Contact: <sip:11111@172.20.1.1:1143;transport=udp>;expires=600000;+deviceID="3ca50bcb-7a67-44f1-afd0-994a55f930f4";mobility="fixed"
    User-Agent: IM-client/OMA1.0 Mercuro-Bronze/v4.0.1624.0
    P-Preferred-Identity: <sip:11111@open-ims.test>
    Supported: path
    P-Access-Network-Info: ADSL;eutran-cell-id-3gpp=00000000
    Privacy: none
    Content-Length: 0
```

The P-CSCF locates the S-CSCF assigned by the HSS and collects the AKA information from there: one or more AVs, containing the following parameters: RAND, AUTN, XRES, IK, CK. The RAND and AUTN are passed on to the UE, via the 401 Unauthorized SIP message, while the XRES is kept for comparison.

```
Status-Line: SIP/2.0 401 Unauthorized - Challenging the UE
Message Header
    Via: SIP/2.0/UDP 172.20.1.1:1143;rport=1143;branch=z9hG4bK1275411663890
    From: <sip:11111@open-ims.test>;tag=6334
        SIP from address: sip:11111@open-ims.test
        SIP from address User Part: 11111
        SIP from address Host Part: open-ims.test
        SIP tag: 6334
    To: <sip:11111@open-ims.test>;tag=925746a962736b96138042b427df6549-2212
        SIP to address: sip:11111@open-ims.test
        SIP to address User Part: 11111
        SIP to address Host Part: open-ims.test
        SIP tag: 925746a962736b96138042b427df6549-2212
    Call-ID: M-50a5456166f246b78f081ac2453ee4ea
    CSeq: 901 REGISTER
    Path: <sip:term@pcscf.open-ims.test:4060;lr>
    Service-Route: <sip:orig@scscf.open-ims.test:6060;lr>
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, PUBLISH, MESSAGE, INFO
    Server: Sip EXpress router (2.1.0-dev1 OpenIMSCore (i386/linux))
    Content-Length: 0
    Warning: 392 172.21.119.1:6060 "Noisy feedback tells: pid=2028 req_src_ip=172.21.118.1 req_src_port=5060 in_uri=sip:scscf.open-ims.test:6060 out_uri=sip:scscf.open-ims.test:6060 via_cnt==3"
    WWW-Authenticate: Digest realm="open-ims.test", nonce="qxZ3KUqjXlvgogK8aNtyHL4yoDzYBwAAFNpK0YllC1w=", algorithm=AKAv1-MD5, qop="auth,auth-int"
        Authentication Scheme: Digest
        realm="open-ims.test"
        nonce="qxZ3KUqjXlvgogK8aNtyHL4yoDzYBwAAFNpK0YllC1w="
        algorithm=AKAv1-MD5
        qop="auth
```

SIP-AKA provides mutual authentication. The UE uses the AUTN to authenticate the network and if this authentication is successful, it then computes the RES (response) and sends it to the P-CSCF. It also derives the CK and IK keys.
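The way the RES ends up in the Authorization header can be sketched as follows. Per RFC 3310, the binary RES plays the role of the Digest password in the usual RFC 2617 computation; the sketch below omits the qop/cnonce terms for brevity, and all input values are placeholders rather than the ones from the capture.

```python
import hashlib

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def aka_digest_response(username: str, realm: str, res: bytes,
                        method: str, uri: str, nonce: str) -> str:
    # HTTP Digest AKA (RFC 3310): RES is used where a password would be.
    ha1 = md5hex(f"{username}:{realm}:".encode() + res)
    ha2 = md5hex(f"{method}:{uri}".encode())
    return md5hex(f"{ha1}:{nonce}:{ha2}".encode())

resp = aka_digest_response("11111@open-ims.test", "open-ims.test",
                           b"\x8f" * 8, "REGISTER", "sip:open-ims.test",
                           "qxZ3KUqjXlvgogK8aNtyHL4yoDzYBwAAFNpK0YllC1w=")
assert len(resp) == 32  # 128-bit MD5 digest, hex-encoded
```

The P-CSCF runs the same computation over its stored XRES, which is why only the 32-character digest, never the RES itself, travels in the second REGISTER.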


```
Request-Line: REGISTER sip:open-ims.test SIP/2.0
Message Header
    Via: SIP/2.0/UDP 172.20.1.1:1143;rport;branch=z9hG4bK1275411663891
    From: <sip:11111@open-ims.test>;tag=6334
    To: <sip:11111@open-ims.test>
    Call-ID: M-50a5456166f246b78f081ac2453ee4ea
    CSeq: 902 REGISTER
    Max-Forwards: 70
    Allow: INVITE, ACK, CANCEL, BYE, MESSAGE, OPTIONS, NOTIFY, PRACK, UPDATE, REFER
    Contact: <sip:11111@172.20.1.1:1143;transport=udp>;expires=600000;+deviceID="3ca50bcb-7a67-44f1-afd0-994a55f930f4";mobility="fixed"
    User-Agent: IM-client/OMA1.0 Mercuro-Bronze/v4.0.1624.0
    Authorization: Digest algorithm=AKAv1-MD5,username="11111@open-ims.test",realm="open-ims.test",nonce="qxZ3KUqjXlvgogK8aNtyHL4yoDzYBwAAFNpK0YllC1w=",uri="sip:open-ims.test",response="974679fa1f988670b52ebd3b058cf42a",qop=auth-in
    P-Preferred-Identity: <sip:11111@open-ims.test>
    Supported: path
    P-Access-Network-Info: ADSL;eutran-cell-id-3gpp=00000000
    Privacy: none
    Content-Length: 0
```
Upon receipt of this message, the P-CSCF authenticates the user by comparing the RES and XRES values, and sends a reply back to acknowledge this fact.

```
Status-Line: SIP/2.0 200 OK - SAR successful and registrar saved
Message Header
    Via: SIP/2.0/UDP 172.20.1.1:1143;rport=1143;branch=z9hG4bK1275411663891
    From: <sip:11111@open-ims.test>;tag=6334
    To: <sip:11111@open-ims.test>;tag=925746a962736b96138042b427df6549-5b6b
    Call-ID: M-50a5456166f246b78f081ac2453ee4ea
    CSeq: 902 REGISTER
    P-Associated-URI: <sip:11111@open-ims.test>
    Contact: <sip:11111@172.20.1.1:1143;transport=udp>;expires=600000
    Path: <sip:term@pcscf.open-ims.test:4060;lr>
    Service-Route: <sip:orig@scscf.open-ims.test:6060;lr>
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, PUBLISH, MESSAGE, INFO
    Server: Sip EXpress router (2.1.0-dev1 OpenIMSCore (i386/linux))
    Content-Length: 0
    Warning: 392 172.21.119.1:6060 "Noisy feedback tells: pid=2027 req_src_ip=172.21.118.1 req_src_port=5060 in_uri=sip:scscf.open-ims.test:6060 out_uri=sip:scscf.open-ims.test:6060 via_cnt==3"
```

The two parties (the UE and the P-CSCF) may use the CK and IK keys to establish an IPsec tunnel.


### **4.3 IPsec in end-to-end security**

The most common case of the IPsec usage in a 4G network is the simple end-to-end implementation of the protocol between the mobile device and the services network peer (a security gateway, server or another peer) (Vintilă, 2010). A representation of this scenario is pictured in the figure below.

Fig. 5. IPsec scheme in LTE topology

The ends of the IPsec tunnels are the UE and the P-CSCF. The IMS negotiation messages would look like the following. The first REGISTER message contains the IPsec declaration; some of the headers have been excluded to save editing space.

```
Request-Line: REGISTER sip:open-ims.test SIP/2.0
    Security-Client: ipsec-3gpp; alg=hmac-sha-1-96; spi-c=666; spi-s=777; port-c=1234; port-s=5678
    Require: sec-agree
    Proxy-Require: sec-agree
```

The reply from the P-CSCF is initially a 401 Unauthorized.

```
Status-Line: SIP/2.0 401 Unauthorized - Challenging the UE
Message Header
    Security-Server: ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; spi-c=222; spi-s=333; port-c=2345; port-s=3456
```

The second REGISTER message looks like this:

```
Request-Line: REGISTER sip:open-ims.test SIP/2.0
    Security-Client: ipsec-3gpp; alg=hmac-sha-1-96; spi-c=666; spi-s=777; port-c=1234; port-s=5678
    Security-Verify: ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; spi-c=222; spi-s=333; port-c=2345; port-s=3456
    Require: sec-agree
    Proxy-Require: sec-agree
```

The IPsec tunnel is thus negotiated.
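The sec-agree parameters exchanged above are plain `key=value` pairs, so a minimal reader for them can be sketched as below; `parse_sec_agree` is a hypothetical helper name, and the parsing covers only the simple shape used in these captures (see RFC 3329 and TS 24.229 for the full grammar).

```python
def parse_sec_agree(value: str) -> dict:
    # Split 'ipsec-3gpp; alg=...; spi-c=...' into the mechanism name
    # followed by its key=value parameters.
    mech, *params = [part.strip() for part in value.split(";")]
    out = {"mechanism": mech}
    for p in params:
        k, _, v = p.partition("=")
        out[k.strip()] = v.strip()
    return out

sc = parse_sec_agree(
    "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=666; spi-s=777; port-c=1234; port-s=5678")
assert sc["mechanism"] == "ipsec-3gpp"
assert sc["spi-s"] == "777" and sc["alg"] == "hmac-sha-1-96"
```

A UE would compare the parsed Security-Server values against what it echoes back in Security-Verify, which is how the sec-agree framework detects tampering with the offer.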


For VoIP networks, up to five different security mechanisms can be used: digest, TLS, IPsec-IKE, IPsec-man and IPsec-3gpp, the latter being specified by 3GPP. This end-to-end security mechanism should not be influenced by the handover scenarios. This is because the local security associations between the UE, the MME and the eNB are refreshed during handover and/or TAU procedures, while the "application" security associations are maintained. This assumption holds as long as the UE is attached to a particular PGW. If the UE detaches, there is no guarantee it will get the same IP the next time it attaches and, even in that case, the IPsec tunnel is torn down.

In the NAT scenarios, the issues that impact the wireline IPsec are the same in the NGN case.

The mobile device has to follow specific steps to get authenticated in the 4G network. Similar or totally different steps must be taken to authenticate to each services network. The process for 4G is EPS-AKA or EAP-AKA. In the IMS network it can authenticate via IMS-AKA and secure the traffic via TLS or IPsec. But, because IMS is a special kind of services network, being closely described by 3GPP in conjunction with the access network, part of the security already established can be reused to secure the access to the services network. The following scheme tries to lessen the cryptographic and message-exchange burden of the UE-to-IMS authentication process, by using the PGW as an authentication proxy. This is possible because the PGW is the closest 4G entity to the IMS network: it should be in direct connection to the P-CSCF. The PGW unpacks both the signaling GTPv2-C packets and the GTPv1-U data-plane packets that arrive on the S5/S8 interface. Being at the edge of the 4G network, it is also able to inspect the content of these messages or forward packets that match some particular criteria (port number, protocol number, ToS value etc.) to a separate, dedicated inspection entity. It is fairly simple to identify the IMS SIP packets (for instance by the port number, usually 5060). In the classic model, the SIP packets would simply be forwarded to the P-CSCF, as the PGW (GGSN) has no specific IMS-aware functionality (Vintilă, 2011).
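The PGW-side filtering described above can be sketched as a simple classifier; the function and field names are illustrative, not a real PGW API.

```python
def is_ims_sip(protocol: str, src_port: int, dst_port: int) -> bool:
    # Flag packets that look like IMS SIP signaling by transport and port
    # (5060 for plain SIP, 5061 for SIP over TLS).
    sip_ports = {5060, 5061}
    return protocol in ("udp", "tcp") and (
        src_port in sip_ports or dst_port in sip_ports)

assert is_ims_sip("udp", 1143, 5060)        # UE -> P-CSCF REGISTER
assert not is_ims_sip("udp", 16384, 16385)  # RTP media, left alone
```

Packets matching the predicate would be diverted to the authentication-proxy logic, while everything else follows the classic forwarding path.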

In the proposed scheme, before the Initial Attach procedure, the UE selects a non-null prime p, a generator g and a secret a, then uses these values to derive the value A from the Diffie-Hellman procedure: A = g^a mod p. The UE inserts the values A, p and g (or only A, if p and g are somehow agreed upon from a pre-configured setting) into the PCO (Protocol Configuration Options) IE in the Attach Request message to the MME, a PCO IE that propagates to the PGW in the Create Session Request message. This entity looks at the values received and computes the value B = g^b mod p, where b is its own secret. After it verifies that the UE is valid, it sends the UE an IP address (or an empty one, if it is to be configured dynamically later) and also includes the B value in the PCO of the Create Session Response. The response gets back to the UE in the Attach Accept message. At this moment, the UE and the PGW derive a common Diffie-Hellman key K, which they can use as a symmetric encryption key or as a master key to derive further keys for securing traffic between them. The UE sends the SIP Register message and includes its secret key SIP-K, encrypted with K. This message arrives at the PGW.
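The exchange in the paragraph above can be sketched with toy numbers; the Mersenne prime used below is for illustration only (a real deployment would pick a standardized, much larger group, e.g. from RFC 3526), and the variable names simply mirror the description.

```python
import secrets

p = 2**127 - 1  # toy prime, illustration only
g = 3

a = secrets.randbelow(p - 3) + 2  # UE secret
b = secrets.randbelow(p - 3) + 2  # PGW secret

A = pow(g, a, p)  # carried in the PCO IE of the Attach Request
B = pow(g, b, p)  # returned in the PCO IE of the Attach Accept

K_ue = pow(B, a, p)   # computed by the UE
K_pgw = pow(A, b, p)  # computed by the PGW
assert K_ue == K_pgw  # shared master key K
```

The UE can then encrypt SIP-K with (a key derived from) K before placing it in the SIP Register message.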

The P-CSCF discovery procedure follows next, while the PGW acts on behalf of the UE during the IMS authentication. If the authentication is successful, the PGW informs the UE (via a 200 OK message) that it is connected to the IMS core.

Potential Applications of IPsec in Next Generation Networks 239

IPsec is considered one of the most secure protocols in the Internet. It is being successfully used in securing traffic all over the Internet, in the wireline technologies. Whether the use case involves companies trying to secure traffic between their branches or trying to assure a secure remote connection for its mobile workers, the IPsec is one of the preferred protocols. IPsec is a complex set of protocols, and none of the solutions right now on the market actually implement all of it. This situation leads to many incompatibility cases between different IPsec implementations. Nonetheless, IPsec is widely implemented and the

Fig. 6. Proposed scheme

Although it saves only a few messages, this scheme has the main advantage of decreasing both the network load and the cryptographic computation on the UE. One disadvantage is that the cryptographic computation actually increases at the beginning, because of the DH procedure. The compensating advantage is that the DH key can be used as a master key for further exchanges, and this key remains valid for the duration of the attach. Another disadvantage is that the model requires small changes to the UE functionality: the SIP implementation will need to store the secret key in a dedicated header. This should not be a great impediment, as the SIP protocol is highly flexible and there is, at this moment, no fully agreed implementation in the industry. A further advantage is that the IMS model, being relatively mature and stable, does not need changes to implement this mode; the internal IMS-AKA procedure remains unchanged. The PGW replies to the 401 Unauthorized message: it verifies the AUTN, computes the RES and replies to the P-CSCF. A secondary benefit is the generation of a secret key which can be used as a master key to derive cryptographically strong session keys for later use.
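The key-handling idea in this scheme — one DH exchange whose output acts as a master key, from which per-purpose session keys are later derived — can be sketched as follows. This is a minimal illustration, not the chapter's exact construction: the toy DH group, the HKDF-style derivation and the key labels are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (Mersenne prime modulus).
# A real deployment would use a standardized group, e.g. from RFC 3526.
P = 2**127 - 1
G = 3

def hkdf_sha256(master, label, length=32):
    """Minimal HKDF-style derivation: extract, then one expand block."""
    prk = hmac.new(b"\x00" * 32, master, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()[:length]

# Each side picks a private exponent and publishes g^x mod p.
ue_priv = secrets.randbelow(P - 2) + 1
pgw_priv = secrets.randbelow(P - 2) + 1
ue_pub = pow(G, ue_priv, P)
pgw_pub = pow(G, pgw_priv, P)

# Both sides compute the same shared secret -> the master key,
# valid for the duration of the attach.
master_ue = pow(pgw_pub, ue_priv, P).to_bytes(16, "big")
master_pgw = pow(ue_pub, pgw_priv, P).to_bytes(16, "big")

# Distinct session keys derived from the one master key.
sip_key = hkdf_sha256(master_ue, b"sip-signaling")
media_key = hkdf_sha256(master_ue, b"media")
```

Because the derivation labels differ, the two session keys are independent, so exposing one of them does not reveal the other or the master key.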

### **5. Conclusion**


IPsec is considered one of the most secure protocol suites on the Internet. It is successfully used to secure traffic all over the Internet in wireline technologies. Whether the use case involves companies securing the traffic between their branches or providing a secure remote connection for their mobile workers, IPsec is one of the preferred protocols. IPsec is a complex set of protocols, and none of the solutions currently on the market implements all of it. This situation leads to many incompatibilities between different IPsec implementations. Nonetheless, IPsec is widely implemented, and the differences in implementation often constitute market differentiators.

Because it is so popular in wireline technologies, industry and researchers are investigating ways to implement IPsec, or parts of it, in wireless technologies as well, in order to export its benefits to the telecommunications world. Protocols used in IPsec are already implemented in technologies like WiMAX and UMTS: AKA, for example, is used as an EAP method in the IPsec IKEv2 authentication procedures. In 4G, the 3GPP forum relies on the EAP-AKA procedure for authenticating mobile handsets that attach to the 4G network from non-3GPP radio access networks. 3GPP also makes use of IPsec in IMS security: IPsec-3GPP, negotiated not via IKE but via SIP signaling. Other IPsec alternatives appear as IPsec-man and IPsec-IKE in the SIP security negotiation, along with digest and TLS.
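The SIP-level negotiation mentioned above follows the security agreement mechanism of RFC 3329: the client lists mechanisms such as ipsec-3gpp, ipsec-man, ipsec-ike, digest and tls in a Security-Client header, the server answers with Security-Server, and the highest-preference mechanism common to both sides is selected. A rough sketch of that selection, with purely illustrative header values and q-values:

```python
# Sketch of RFC 3329-style security agreement. Per the RFC, the client
# picks the highest q-valued mechanism from the server's list that it
# also supports. The mechanism lists below are illustrative examples.

def parse_mechanisms(header):
    """Parse 'mech;q=0.5, mech2;q=0.1' into (name, q) pairs."""
    out = []
    for item in header.split(","):
        parts = [p.strip() for p in item.strip().split(";")]
        name, q = parts[0], 0.0
        for p in parts[1:]:
            if p.startswith("q="):
                q = float(p[2:])
        out.append((name, q))
    return out

def negotiate(client_hdr, server_hdr):
    client = {name for name, _ in parse_mechanisms(client_hdr)}
    server = sorted(parse_mechanisms(server_hdr), key=lambda m: -m[1])
    for name, _ in server:
        if name in client:
            return name
    return None

security_client = "ipsec-3gpp;q=0.1, digest;q=0.01, tls;q=0.05"
security_server = "ipsec-3gpp;q=0.1, ipsec-ike;q=0.2"

chosen = negotiate(security_client, security_server)  # -> "ipsec-3gpp"
```

Here the server prefers ipsec-ike, but since the client does not offer it, the negotiation falls back to ipsec-3gpp, the best mechanism both sides support.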

The examples provided using open-source implementations such as OpenIMSCore, Strongswan or FreeRadius demonstrate how the IPsec protocols can be configured. Although different security equipment producers provide alternative configuration methods, the overall inputs are similar, according to the purpose served. Adapting IPsec to mobile devices would require significant work on reducing its computational overhead and on improving some of its security aspects. One idea would be to use elliptic curve cryptography, which is already specified for IPsec but not yet implemented extensively in the industry.
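The elliptic-curve idea can be illustrated with a toy ECDH exchange over the small textbook curve y² = x³ + 2x + 2 over F₁₇. The curve, base point and private scalars below are for exposition only; a real IKEv2 deployment would negotiate a standardized group, such as the RFC 5903 ECP groups.

```python
# Toy ECDH over the textbook curve y^2 = x^3 + 2x + 2 mod 17.
P_MOD, A, B = 17, 2, 2
G = (5, 1)          # base point of prime order 19 on this curve
O = None            # point at infinity

def point_add(p1, p2):
    """Group law on the curve, including the point at infinity."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

# ECDH: each side publishes its public point, then multiplies the
# peer's public point by its own secret scalar.
a_priv, b_priv = 3, 7
a_pub, b_pub = scalar_mult(a_priv, G), scalar_mult(b_priv, G)
shared_a = scalar_mult(a_priv, b_pub)
shared_b = scalar_mult(b_priv, a_pub)
```

Both sides arrive at the same shared point (a·b·G) while exchanging only public points, which is the property that makes ECC attractive for reducing the handshake cost on constrained mobile devices.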

The model proposed in this chapter makes a very short incursion into a scenario where the PGW, a very powerful device of the LTE core network, takes up part of the cryptographic burden of authenticating a mobile device to an IMS network. There is no doubt that IPsec has gained a powerful seat in the NGN world, and many improvements addressing the shortcomings of its implementation in the mobile world are to be expected.

Potential Applications of IPsec in Next Generation Networks 241
## Cryptography and Security in Computing

*Edited by Jaydip Sen*

The purpose of this book is to present some of the critical security challenges in today's computing world and to discuss mechanisms for defending against those attacks by using classical and modern approaches of cryptography and other defence mechanisms. It contains eleven chapters which are divided into two parts. The chapters in Part 1 of the book mostly deal with theoretical and fundamental aspects of cryptography. The chapters in Part 2, on the other hand, discuss various applications of cryptographic protocols and techniques in designing computing and network security solutions. The book will be useful for researchers, engineers, graduate and doctoral students working in cryptography and security related areas. It will also be useful for faculty members of graduate schools and universities.

