Lightweight Swarm Authentication

Conference paper
Innovative Security Solutions for Information Technology and Communications (SecITC 2021)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13195)

Abstract

In this paper we describe a provably secure authentication protocol for resource limited devices. The proposed algorithm performs whole-network authentication using very few rounds and in a time logarithmic in the number of nodes. Compared to one-to-one node authentication and previous proposals, our protocol is more efficient: it requires less communication and computation and, in turn, lower energy consumption.

Notes

  1. e.g. temperature, pressure, image, sound.

  2. e.g. when \(\mathbb {G} = \mathbb {Z}_p\), if prime p is chosen such that \(q = (p-1)/2\) is also prime, then we only lower the security margin by 1 bit.

  3. Random number generations are denoted by RNG.

  4. Traditionally, in the case of cbdh, the generator is denoted by P instead of g.

Corresponding author: George Teşeleanu.

Computational Bilinear Diffie-Hellman Swarm Protocol

In this section we present a swarm protocol based on a different security assumption, namely the computational bilinear Diffie-Hellman assumption.

Definition 5

(Computational Bilinear Diffie-Hellman, cbdh). Let \(\mathbb {G}\) be a cyclic group of order q, P a generator of \(\mathbb {G}\) and \(e : \mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G}_T\) a cryptographic bilinear map, where \(\mathbb {G}_T\) is a cyclic group of order q. We will use the convention of writing \(\mathbb {G}\) additively and \(\mathbb {G}_T\) multiplicatively. Let A be a PPT algorithm that returns an element from \(\mathbb {G}_T\). We define the advantage

If \({ADV}_{\mathbb {G},g,e}^{\textsc {cbdh}}(A)\) is negligible for any PPT algorithm A, we say that the computational bilinear Diffie-Hellman problem is hard in \(\mathbb {G}\).

We further assume that the group \(\mathbb {G}\) admits a computationally efficient bilinear map \(e(\cdot , \cdot )\) such that cbdh is hard in \(\mathbb {G}\). Using the same setup (see Note 4) as in the case of \(CDH\text {-}Swarm\), we present below the full details of the bilinear version of the swarm protocol (denoted by \(CBDH\text {-}Swarm\)):

  1. Let be the private keys given to node \(\mathcal {N}_i\) and \(z_i \leftarrow x_iP\), \(w_i \leftarrow y_iP\) the node's public keys. After the network is set, \(\mathcal {T}\) sends an authentication request message to all the \(\mathcal {N}_i\) nodes directly connected to it. The request message contains a challenge \(c \leftarrow kP\), where .

  2. After receiving an authentication request message:

    • Each \(\mathcal {N}_i\) computes \(t_i \leftarrow e(c, P)^{x_iy_i}\);

    • The \(\mathcal {N}_i\) nodes send authentication messages to all their (existing) children;

    • After the children respond, \(\mathcal {N}_i\) nodes compute \(t_i \leftarrow t_i \cdot \left( \prod _j t_j \right) \) and send the result up to their parents. Note that the \(t_j\) values are sent by the nodes' children.

    Such a construction permits the network to compute the product of all the \(t_i\) values and send the result \(t_c\) to the top of the tree in d steps, where d represents the degree of the spanning tree.

  3. After receiving the response \(t_c\), \(\mathcal {T}\) authenticates the whole network if and only if \(t_c = \left( \prod _{i=1}^{n} e(z_i, w_i)\right) ^k\) holds.
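As an added example (not from the paper), the three \(CBDH\text {-}Swarm\) steps above run end to end over a small spanning tree in Python, with a toy bilinear map standing in for the pairing; the group parameters, the Node class and the tampered-key check at the end are constructed for illustration.

```python
import secrets

# Toy bilinear setting (constructed, NOT secure): G is Z_q written additively with
# generator P = 1, so xP is x mod q; G_T is the order-q subgroup of Z_p^* (p = 2q+1)
# generated by g, and e(a, b) = g^(ab) mod p is bilinear. Discrete logs in this G are
# trivial, so cbdh is easy here; a real deployment needs a pairing-friendly curve.
Q, P_MOD, G_T, P = 1019, 2039, 4, 1   # q, p, a generator g of G_T, generator P of G

def pairing(a, b):                     # e(aP, bP) = g^(ab) in G_T
    return pow(G_T, (a * b) % Q, P_MOD)

def rand_scalar():                     # uniform in {1, ..., q-1}
    return secrets.randbelow(Q - 1) + 1

class Node:
    """Swarm node N_i: private keys (x_i, y_i), public keys (z_i, w_i), tree children."""
    def __init__(self, children=()):
        self.x, self.y = rand_scalar(), rand_scalar()
        self.z, self.w = (self.x * P) % Q, (self.y * P) % Q
        self.children = list(children)

    def respond(self, c):
        # Step 2: t_i <- e(c, P)^(x_i y_i), multiplied by the children's t_j values.
        t = pow(pairing(c, P), (self.x * self.y) % Q, P_MOD)
        for ch in self.children:
            t = (t * ch.respond(c)) % P_MOD
        return t

def authenticate(roots, public_keys):
    """T's side (steps 1 and 3): accept iff t_c == (prod_i e(z_i, w_i))^k."""
    k = rand_scalar()
    c = (k * P) % Q                                    # challenge c <- kP
    t_c = 1
    for root in roots:                                 # nodes directly connected to T
        t_c = (t_c * root.respond(c)) % P_MOD
    expected = 1
    for z, w in public_keys:                           # registered at network setup
        expected = (expected * pairing(z, w)) % P_MOD
    return t_c == pow(expected, k, P_MOD)

def demo():
    leaves = [Node(), Node()]
    mid, sib = Node(leaves), Node()
    root = Node([mid, sib])                            # 5 nodes, tree depth 3
    pks = [(n.z, n.w) for n in (root, mid, sib, *leaves)]
    honest = authenticate([root], pks)
    sib.x = (sib.x + 1) % Q                            # sib no longer holds its x_i
    return honest, authenticate([root], pks)
```

The second run shows the whole-network check failing as soon as a single node cannot produce its \(t_i\) with the registered key pair, which is the behaviour step 3 relies on.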

Remark 3

Note that the hash-based variant of the \(CDH\text {-}Swarm\) protocol can also be easily adapted to the \(CBDH\text {-}Swarm\) version.

We further link the security of the \(CBDH\text {-}Swarm\) protocol to the cbdh assumption.

Theorem 3

The \(CBDH\text {-}Swarm\) protocol is a proof of knowledge if and only if the cbdh assumption holds. Moreover, the protocol is zero knowledge.

Proof

(sketch). We will only prove that the scheme is sound, since the remaining security requirements are proven similarly to Theorem 2. Hence, we have

$$\begin{aligned} t_c&= \prod _{i=1}^{n} t_i = \prod _{i=1}^{n} e(c, P)^{x_iy_i} = \prod _{i=1}^{n} e(P, P)^{x_iy_ik} \\&= \prod _{i=1}^{n} e(x_iP, y_iP)^{k} = \left( \prod _{i=1}^{n} e(z_i, w_i)\right) ^k. \end{aligned}$$

\(\square\)

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Teşeleanu, G. (2022). Lightweight Swarm Authentication. In: Ryan, P.Y., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2021. Lecture Notes in Computer Science, vol 13195. Springer, Cham. https://doi.org/10.1007/978-3-031-17510-7_17

  • DOI: https://doi.org/10.1007/978-3-031-17510-7_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17509-1

  • Online ISBN: 978-3-031-17510-7
