WO2018199847A1 - Method and system for symmetric swarm authentication - Google Patents

Abstract

This invention relates a symmetric swarm authentication system and method for a root node to authenticate with n nodes in a spanning tree network of n+1 nodes organized in y levels where the first level consists of the root node. The method comprising: a first phase comprising the root node to: determine a simplexx code S = {ei} with codewords of size a and Hamming weight h, where a and h are two positive integers; determine a first one-way function f and a second one-way function g; generate n random binary matrices of size ab, M i , n keys k i , one common key K, and a shortcut matrix M, where a and b are positive integers, i refers to the index of the node from 1 to n, and M =⊕n i=1 M i ; transmit K to all n nodes and (M i , k i ) to respective node x i ; a second phase of authenticating the plurality of n nodes comprising the root node to: generate a challenge c, where c is a random number with binary length b; transmit the challenge c to the second level nodes; receive responses r i from the second level nodes; aggregate the responses r i from the second level nodes to obtain an aggregated response r; verify the aggregated response r with the following expression r i = Mf(K, c)⊕r; and determine the aggregated response is acceptable if and only if the Hamming weight of r i is equal to h.

Description

Method and System FOR Symmetric Swarm Authentication

Field of the Invention

This disclosure relates to a method and system for a symmetric authentication scheme. Particularly, the disclosure relates to a method and system that allows a verifying device to collectively authenticate a plurality of proving devices.

Summary of the Prior Art

In a typical wireless network scenario, a number of nodes are connected through wireless connection. One of these nodes being distinguished from the rest is called the "base station", which could be a relatively powerful control device, while other nodes model low-end (loT) devices.

The base station wishes to know whether the network as a whole has been tampered with, and thus engages in an authentication protocol. The network topology is assumed to be known, i.e., each node knows whom it is connected to. Messages on the network are sent from node to node, and relayed in this fashion across the whole connected network. Because of the network's limited bandwidth and the energy cost of long distance transmission, it is usually not a desirable way to interact individually with each node from the base station. Instead, one may need a way to aggregate responses coming from children nodes so that the information sent between nodes can be more compact and effective with respect to network bandwidth and energy consumption. In particular, the result of aggregating all responses (in a certain order depending on the network's topology) can be the final response sent to the base station. Then, the base station could check if the final aggregated response is correct or not. Such a way of collectively authenticating a plurality of nodes (hereafter proving devices/ proving entities/ proving objects) by a verifier (hereafter the base station/ verifying entity/ verifying device/ verifying object/ server) is called aggregate authentication or swarm authentication.

Swarm authentication can be designed by using either asymmetric primitives (say digital signatures) or symmetric primitives (say hash functions, message authentication codes). In particular, aggregate signatures based on public key have been proposed. In such a scheme, multiple signatures signed by multiple singers on multiple messages can be aggregated into one single signature and sent to a verifier who can perform an efficient

l verification algorithm to check the validity of the aggregate signature. However, public key systems are usually too expensive for low-end (loT) devices, without mentioning that the majority of aggregate signatures are constructed from bilinear pairings, which are even slower.

Achieving swarm authentication using symmetric primitives is much more efficient, though the base station shall perform each node's computation, aggregate the results, and check whether the received response matches the expected value. While this is always possible, it is not always optimized. Hence, those skilled in the art are striving to improve the swarm authentication scheme.

Summary of the Invention

The above and other problems are solved and an advance in the art is made by systems and methods provided by embodiments in accordance with the disclosure. A first advantage of embodiments of systems and methods in accordance with the disclosure is that the systems and methods are extremely lightweight, as only elementary operations (namely hash, matrix multiplication and XOR) are employed in the algorithms and protocols. Therefore, the resulting scheme and its variants are much more efficient than aggregated signatures from public key cryptography and aggregated or swarm authentication scheme constructed from MACs. A second advantage of embodiments of systems and methods in accordance with the disclosure is that the verification cost is independent of the number of nodes and so it is very efficient even for scenarios where there are a massive number of nodes or devices being authenticated (a typical case for many loT applications), due to the usage of a shortcut which essentially facilitates the verification computation. A third advantage of embodiments of systems and methods in accordance with the disclosure is that systems and methods the communication cost is independent of the number of nodes in the network thanks to aggregation, though it depends on the height of the tree where the nodes are organized in a tree-type topology. A fourth advantage of embodiments of systems and methods in accordance with the disclosure is that systems and methods can be purely software implemented. Hence, this can be easily implemented on existing devices. A fifth advantage of embodiments of systems and methods in accordance with the disclosure is that systems and methods are capable of fending off against both passive and active adversaries. A first aspect describes a symmetric swarm authentication method for a root node to authenticate with n nodes in a spanning tree network of η+ nodes organized in y levels where the first level consists of the root node. The method comprises a first phase comprising the root node to: determine a simplex^x code S = {<?, } with codewords of size a and Hamming weight h, where a and h are two positive integers; determine a first one-way function f and a second one-way function g; generate n random binary matrices of size ab, Mi , n keys / j , one common key f, and a shortcut matrix M, where a and b are positive integer, /^' refers to the index of the node from 1 to n, and =© ₌₁ j; transmit f to all n nodes and (M k{) to respective node x_t. The method further comprises a second phase of authenticating the plurality of n nodes where the root node is required to: generate a challenge c, where c is a random number with binary length b; transmit the challenge to the second level nodes; receive responses from the second level nodes; aggregate the responses from the second level nodes to obtain an aggregated response r, verify the aggregated response r with the following expression, r' = Mf(K, c)@r; and determine the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

In accordance with an embodiment of the first aspect, the step to aggregate the responses from the second level nodes to obtain an aggregated response r, comprises the the root node to combine the responses with an exclusive OR operation.

In accordance with an embodiment of the first aspect, the first phase further comprises n nodes to receive and store the M k and K.

In accordance with an embodiment of the first aspect, the first phase further comprises the root node to transmit S = {e_t } , and the first and second one-way functions to the n nodes χ,.

In accordance with an embodiment of the first aspect, the first phase further comprises n nodes to receive and store the S = {e₍ } , and the first and second one-way functions.

In accordance with an embodiment of the first aspect, the second phase further comprises each of the nodes to: receive the challenge; in response to receiving the challenge, generate a simplex^x codeword, e_q , where q = g(ki, c) and e_q is the q-th codeword of the simplex^x code; generate a response with the following expression, ^ri = ^Mif(K_> c)®e_q; and transmit the response to the root node. In accordance with an embodiment of the first aspect, the second phase further comprises each of the nodes between the second level to y-1 level to: receive responses from lower level nodes; aggregate the response generated with the responses from the lower level nodes; transmit the aggregated response to the upper node.

In accordance with an embodiment of the first aspect, a has a binary length of 1200, h is 320, b has a binary length of 256, and k_t and K have binary length of 128.

In accordance with an embodiment of the first aspect, the simplex^x code is replaced by a simplex- P ® code and the aggregated response r' is determined as acceptable if and only if the Hamming weight of r' is equal to or less than 2/7.

In accordance with an embodiment of the first aspect, the method further comprises the root node to perform identification of error nodes if the aggregated response is not acceptable.

In accordance with an embodiment of the first aspect, the step to perform identification of error nodes comprises the root node to repeat the steps to: generate the challenge c; transmit the challenge to the second level nodes; receive responses from the second level nodes; aggregate the responses from the second level nodes; verify the aggregated response r; and determine the aggregated response is acceptable if and only if the Hamming weight of r is equal to h.

In accordance with an embodiment of the first aspect, the step to perform identification of error nodes comprises the root node to: verify each of the responses received from the second level nodes, the second level nodes being the current level nodes; append an authenticated list to include the index of the authenticated nodes with valid responses and a fault list to include the index of the authenticated nodes with invalid responses.

In accordance with an embodiment of the first aspect, the step to perform identification of error nodes further comprises the root node to: 1) perform the second phase with the current level nodes in the fault list and the next level nodes, being the children nodes of the current level nodes, in the fault list; 2) append the authenticated list to include the index of the authenticated nodes with valid responses and the fault list to include the index of the authenticated nodes with invalid responses; and repeat steps 1 and 2 until y-1 level nodes. In accordance with an embodiment of the first aspect, the step to perform identification of error nodes comprises the root node to: generate the challenge c; transmit the challenge to one of the nodes x_t; receive a response from the one of the nodes x_t; verify the response with the following expression, r' = M_t f{K, c)®ri ; and determine the response is acceptable if and only if the Hamming weight of r' is equal to h.

A second aspect describes a symmetric swarm authentication system for a spanning tree network of η+ nodes organized in y levels where the first level consists of a root node. The system comprises a root node in the first level of the spanning tree network, the root node having a processor, a non-transitory memory and instructions stored on the non- transitory memory executable by the processor to: in a first phase, determine a simplex^x code S = {<?, } with codewords of size a and Hamming weight h, where a and h are two positive integers; determine a first one-way function f and a second one-way function g; generate n random binary matrices of size ab, M n keys / j , one common key f, and a shortcut matrix M, where a and b are positive integer, /^' refers to the index of the node from 1 to n, and M =®f₌₁ M(, transmit f to all n nodes and (M ki) to respective node ^ ; in a second phase, generate a challenge c, where c is a random number with binary length b; transmit the challenge to the second level nodes; receive responses from the second level nodes; aggregate the responses from the second level nodes to obtain an aggregated response r, verify the aggregated response rwith the following expression, r' = Mf(K, c)®r; and determine the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

In accordance with an embodiment of the second aspect, the instruction to aggregate the responses r_¾ from the second level nodes to obtain an aggregated response r, comprises instructions to combine the responses with an exclusive OR operation.

In accordance with an embodiment of the second aspect, each of the n nodes comprises a processor, a non-transitory memory and instructions stored on the non- transitory memory executable by the processor to receive and store the M k and K.

In accordance with an embodiment of the second aspect, the instructions in the root node further comprises instruction to transmit S = {e_t } , and the first and second one-way functions to the n nodes. In accordance with an embodiment of the second aspect, the instructions in the n nodes further comprise instructions to receive and store the S = {e₍ } , and the first and second one-way functions.

In accordance with an embodiment of the second aspect, the instructions in each of the n nodes further comprise instructions to: receive the challenge; in response to receiving the challenge, generate a simplex^x codeword, e_q , where q = g(ki, c) and e_q is the q-th codeword of the simplex^x code; generate a response with the following expression, ^ri = ^Mif(K_> c)®e_q; and transmit the response to the root node.

In accordance with an embodiment of the second aspect, the instructions in each of the nodes between the second level to y-1 level comprise instructions to: receive responses from lower level nodes; aggregate the response generated with the responses from the lower level nodes; and transmit the aggregated response to respective upper nodes.

In accordance with an embodiment of the second aspect, a has a binary length of 1200, h is 320, b has a binary length of 256, and ki and K have binary length of 128.

In accordance with an embodiment of the second aspect, the simplex^x code is replaced by a simplex- P ® code and the aggregated response r' is determined as acceptable if and only if the Hamming weight of r' is equal to or less than 2/7.

In accordance with an embodiment of the second aspect, the root node further comprises instructions to perform identification of error nodes if the aggregated response is not acceptable.

In accordance with an embodiment of the second aspect, the instruction to perform identification of error nodes comprises instructions node to repeat the steps to: generate the challenge c; transmit the challenge to the second level nodes; receive responses from the second level nodes; aggregate the responses from the second level nodes; verify the aggregated response r; and determine the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

In accordance with an embodiment of the second aspect, the instruction to perform identification of error nodes further comprises instructions to: verify each of the responses received from the second level nodes, the second level nodes being the current level nodes; append an authenticated list to include the index of the authenticated nodes with valid responses and a fault list to include the index of the authenticated nodes with invalid responses. In accordance with an embodiment of the second aspect, the instruction to perform identification of error nodes further comprises instructions to: 1) perform the second phase with the current level nodes in the fault list and the next level nodes being the children nodes of the current level nodes in the fault list; 2) append the authenticated list to include the index of the authenticated nodes with valid responses and the fault list to include the index of the authenticated nodes with invalid responses; and repeat steps 1 and 2 until y-1 level nodes.

In accordance with an embodiment of the second aspect, the instruction to perform identification of error nodes comprises instructions to: generate the challenge c; transmit the challenge to one of the nodes x_t; receive a response from the one of the nodes x_t; verify the response with the following expression, r' = M_t f(K, c @ri ; and determine the response is acceptable if and only if the Hamming weight of r' is equal to h.

A third aspect describes a symmetric swarm authentication method for a root node to authenticate n nodes in a spanning tree network of η+ nodes organized in y levels where the first level consist of the root node. The method comprises a first phase comprising the root node to: determine a simplex^x code S = {<?, } with codewords of size a and Hamming weight h, where a and h are two positive integers; determine a first one-way function f and a second one-way function g; generate n random binary matrices of size ab, M n keys k one common key f, and a shortcut matrix M, where a and b are positive integer, /^' refers to the index of the node from 1 to n, and M =© ₌₁ j; transmit f to all n nodes and (M k ) to respective node x_t; and a second phase of authenticating the plurality of n nodes comprising the root node to: generate a challenge c, where c is a random number with binary length b; transmit the challenge to one of the nodes x_t ; receive a response from the one of the nodes j ; verify the response r_¾ with the following expression, r' = Mi f(K, c)®ri and determine the response is acceptable if and only if the Hamming weight of r' is equal to h.

In accordance with an embodiment of the third aspect, the first phase further comprises each node x_t to receive and store the M k and K.

In accordance with an embodiment of the third aspect, the first phase further comprises the root node to transmit S = {e_t } , and the first and second one-way functions to all n nodes.

In accordance with an embodiment of the third aspect, the first phase further comprises n nodes to receive and store the S = {e,. } , and the first and second one-way functions. In accordance with an embodiment of the third aspect, the second phase further comprises the one of the nodes x_t to: receive the challenge; in response to receiving the challenge, generate a simplex^x code, e_q, where q = g(ki, c) and e_q is the q-th codeword of the simplex^x code; generate a response with the following expression, = Mif{K, c)®e_q; and transmit the response to the root node.

In accordance with an embodiment of the third aspect, the simplex^x code employs a simplex- P ® code and the aggregated response r' is determined as acceptable if and only if the Hamming weight of r' is equal to or less than 2/7.

A fourth aspect describes a symmetric swarm authentication system for a spanning tree network of n+^ nodes organized in y levels where the first level consist of a root node. The system comprises: a root node in the first level of the spanning tree network, the root node having a processor, a non-transitory memory and instructions stored on the non- transitory memory executable by the processor to: in a first phase, determine a simplex^x code S = {<?, } with codewords of size a and Hamming weight h, where a and h are two positive integers; determine a first one-way function f and a second one-way function g; generate n random binary matrices of size ab, M n keys / j , one common key f, and a shortcut matrix , where a and b are positive integers, /^' refers to the index of the node from 1 to n, and M =®f₌₁ M(, transmit f to all n nodes and ( _i; / j) to respective node ^ ; in a second phase, generate a challenge c, where c is a random number with binary length b; transmit the challenge to one of the nodes x(, receive a response from the one of the nodes Xj ; verify the response with the following expression, r' = M_if{K, c)®r_i and determine the response is acceptable if and only if the Hamming weight of r' is equal to h.

In accordance with an embodiment of the fourth aspect, each of the n nodes comprises a processor, a non-transitory memory and instructions stored on the non- transitory memory executable by the processor to receive and store the M k and K.

In accordance with an embodiment of the fourth aspect, the instructions in the root node further comprises instructions to transmit S = {<?, } , and the first and second one-way functions to the n nodes.

In accordance with an embodiment of the fourth aspect, the instructions in the n nodes further comprise instructions to receive and store the S = {e,. } , and the first and second one-way functions. In accordance with an embodiment of the fourth aspect, the instructions in each of the n nodes further comprise instructions to: receive the challenge c ; in response to receiving the challenge c, generate a simplex^x code, e_q, where q = g(ki, c) and e_q is the q- th codeword of the simplex^x code; generate a response with the following expression, ^ri = Mif(K, c)®e_q and transmit the response to the root node.

In accordance with an embodiment of the fourth aspect, the simplex^x code employs a simplex- P ® code and the aggregated response r' is determined as acceptable if and only if the Hamming weight of r' is equal to or less than 2/7.

Brief Description of the Drawings

The above advantages and features in accordance with this invention are described in the following detailed description and are shown in the following drawings:

Figure 1 illustrating a simplified network infrastructure implementing the method and system in accordance with this disclosure;

Figure 2 illustrating a processing system in a server of the simplified network infrastructure that executes the instructions to perform the processes for providing the method and system in accordance with this disclosure;

Figure 3 illustrating a block diagram of a basic network interface of the simplified network infrastructure that executes the instructions to perform the processes for providing the method and system in accordance with this disclosure;

Figure 4 illustrates a timing diagram of the information flow between the server and the nodes in accordance with this disclosure;

Figure 5 illustrating a process performed by the processing system of the server in accordance with the disclosure;

Figure 6 illustrating a process performed by the network interface or a processing system of one of the parent nodes in accordance with the disclosure;

Figure 7 illustrating a process performed by the network interface or a processing system of one of the leaf nodes in accordance with this disclosure; Figure 8 illustrating a process performed by the processing system of the server to select an option to identify the error nodes in accordance with the disclosure; and

Figure 9 illustrating a process performed by the processing system of the server to identify the error nodes in accordance with the disclosure.

Detailed Description

This disclosure relates to a method and system for a symmetric authentication scheme. Particularly, the disclosure relates to a method and system that allows a verifying device to collectively authenticate a plurality of proving devices.

Figure 1 illustrates a simplified network infrastructure 100. Particularly, the network infrastructure 100 shows a server 110 building up connection to link all the nodes 120.

When the server 1 10 wishes to know whether the network infrastructure 100 has been tampered with, the server 110 engages an authentication protocol to authenticate with nodes 1-17. The topology of the network infrastructure 100 is assumed to be known by each node 120. Messages on the network infrastructure 100 are transmitted from node to node, and relayed across the whole connected network. Due to limited bandwidth and the cost of long distance transmission, it is usually not a desirable way for the server 110 to interact directly with each node. Hence, instead of the children nodes 5-17 authenticating directly with the server 1 10, the parent nodes 1-4 may receive the responses from the children nodes 5-17 and aggregate the responses to the server. For example, parent node 1 would receive the responses from the child nodes 5-7, aggregate the responses of child nodes 5-7 together with its response and transmit the aggregated response to the server 110; parent node 2 would receive the responses from the child nodes 8-10, aggregate the responses of child nodes 8-10 together with its response and transmit the aggregated response to the server 1 10; parent node 3 would receive the responses from the child nodes 1 1-13, aggregate the responses of child nodes 11-13 together with its response and transmit the aggregated response to the server 110; parent node 4 would receive the responses from the child nodes 14-17, aggregate the responses of child nodes 14-17 together with its response and transmit the aggregated response to the server 110. The server would then aggregate the responses from the parent nodes 1-4 and check if the aggregated response is correct or not. Such a way of collectively authenticating a plurality of nodes by a server is called swarm authentication. In accordance with this disclosure, a symmetric swarm authentication with a shortcut is provided. Such a symmetric swarm authentication is characterized by a special key (a "shortcut") held by the server 110 which is a verifying entity V, which allows the server 1 10 to authenticate the whole network without having to compute values for each node, therefore saving computation.

For purposes of this disclosure, the server 1 10 may be a base station or an authentication server supplied by a service provider to manage the connectivity of the nodes 120 to servers managed by the service provider or the servers managed by other server providers. The nodes 120 may be a mobile device, or Internet of Things (loT) device that is communicatively connected to the server 110.

Processes stored as instructions in a media that are executed by a processing system or a virtual machine running on processing system in the server 1 10 provide the method and/or system in accordance with this invention. The instructions may be stored as firmware, hardware, or software. Figure 2 illustrates a processing system 200 in the server 1 10 in the simplified network infrastructure 100 that executes the instructions to perform the processes for providing a method and/or system in accordance with this disclosure. One skilled in the art will recognize that the exact configuration of each processing system may be different and the exact configuration of the processing system in each device may vary. Thus, processing system 200 shown in Figure 2 is given by way of example only.

Processing system 200 includes Central Processing Unit (CPU) 205. CPU 205 is a processor, microprocessor, or any combination of processors and microprocessors that execute instructions to perform the processes in accordance with the present invention. CPU 205 connects to memory bus 210 and Input/ Output (I/O) bus 215. Memory bus 210 connects CPU 205 to memories 220 and 225 to transmit data and instructions between the memories and CPU 205. I/O bus 215 connects CPU 205 to peripheral devices to transmit data between CPU 205 and the peripheral devices. One skilled in the art will recognize that I/O bus 215 and memory bus 210 may be combined into one bus or subdivided into many other busses and the exact configuration is left to those skilled in the art.

A non-volatile memory 220, such as a Read Only Memory (ROM), is connected to memory bus 210. Non-volatile memory 220 stores instructions and data needed to operate various sub-systems of processing system 200 and to boot the system at start-up. One skilled in the art will recognize that any number of types of memory may be used to perform this function. A volatile memory 225, such as Random Access Memory (RAM), is also connected to memory bus 210. Volatile memory 225 stores the instructions and data needed by CPU 205 to perform software instructions for processes such as the processes required for providing a system in accordance with this invention. One skilled in the art will recognize that any number of types of memory may be used as volatile memory and the exact type used is left as a design choice to those skilled in the art.

I/O device 230, keyboard 235, display 240, memory 245, network device 250 and any number of other peripheral devices connect to I/O bus 215 to exchange data with CPU 205 for use in applications being executed by CPU 205. I/O device 230 is any device that transmits and/or receives data from CPU 205. Keyboard 235 is a specific type of I/O that receives user input and transmits the input to CPU 205. Display 240 receives display data from CPU 205 and display images on a screen for a user to see. Memory 245 is a device that transmits and receives data to and from CPU 205 for storing data to a media. Network device 250 connects CPU 205 to a network for transmission of data to and from other servers and nodes 120.

For purposes of this disclosure, the term "Internet of Things" (loT) devices refer to any apparatus having a communication interface to allow transferring and receiving of information among the loT devices over a wired or wireless connection. loT devices comprise, but not limited to, sensor devices, embedded systems, network-based cameras, gateways, mobile phones, computers, laptops, personal digital assistants (PDAs), white goods, appliances, etc.

For embedded systems, gateways, mobile phones, computers, laptops, and PDAs, such loT devices are typically equipped with wireless network interface (e.g. Bluetooth, Wi-Fi, Wi-Fi Direct, Long-Term Evolution (LTE) Direct, RF antenna, etc.) or wired network interface (e.g. an Ethernet connection, a USB or Firewire connection, etc. ) to allow transferring and receiving of data.

For white goods such as fridge and washing machine, such appliances may not be equipped with any wired or wireless network interface. Hence, it is common that a network interface module be provided to allow such appliances to be communicatively connected to a mobile device or router so that these loT devices can communicate with the server 1 10. Figure 3 illustrates the block diagram of a basic network interface 300. The network interface 300 can receive and transmit data, execute software applications. Network interface 300 comprises a processor 310, memory 320, transceiver 330 and input/output ports 340. The processor 310 is a processor, microprocessor, microcontroller, application specific integrated circuit, digital signal processor (DSP), programmable logic circuit, or other data processing device that executes instructions to perform the processes in accordance with the disclosure. The processor 310 has the capability to execute various applications that are stored in the memory 320.

The memory 320 may include read-only memory (ROM), random-access memory (RAM), electrically erasable programmable ROM (EEPROM), flash cards, or any memory commonly used for computers. Instructions to perform the processes in accordance with the disclosure are stored on the memory 320.

One or more input/output (I/O) ports 340 can be configured to allow the processor 310 to communicate with and control from various I/O devices for the loT devices. Peripheral devices that may be connected to network interface 300 via the I/O ports 340 include a USB storage device, an SD card or other storage device for transmitting information to or receiving information from the core network 330. In addition to updating applications stored on memory 320 or installing new applications onto the memory via the transceiver 330, a user may alternatively install new applications or update applications on the memory 320 through a user interface such as a USB via the I/O ports 340.

The transceiver 330 comprises a transmitter and a receiver for transmitting data to the server 1 10 and receiving data from the server 1 10, directly or indirectly through a mobile device or a router. The transceiver 330 may transmit and receive data via one or more of the following wireless or wired technology standards, Bluetooth, Wi-Fi, Wi-Fi Direct, Long-Term Evolution (LTE) Direct, RF antenna, Ethernet connection, a USB or Firewire connection, etc.

One skilled in the art will recognize that other features may be included in the network interface 300. Further, the components in network interface 300 may be replaced by other components that perform similar functions. In brief, the network interface 300 as shown in figure 3 is considered merely illustrative and non-limiting.

Embodiments of this disclosure propose a method of registering nodes 120 such as loT devices with the server 1 10 and mutual authentication between the nodes 120 and server 110.

The following describes the symmetric swarm authentication protocol in accordance with the system and method of this disclosure. The symmetric swarm authentication method is based on the simplex^x codes and the learning parity with noise (LPN) problem, in which two keyed hash functions f and g are used. We will now briefly discuss simplex code and LPN before we describes the system and method in accordance with this disclosure.

Simplex Code

A simplex code is a linear code with parameters (2^p - l, p) and encodes p-bit symbols into (2^P - l)-bit codewords, where p is positive integer. Simplex codes satisfy the following two properties:

Property 1 : All non-zero codewords of a simplex code with parameters (2^P - l, p) have Hamming weight p.

Property 2: If e, and e are two codewords of a simplex code, then ej®e₇ (i.e., the XOR of e, and ej) is also a valid codeword.

In another variation, a Simplex^x code of length t(2^p - 1) is defined as concatenation of t codewords belonging to a simplex code with parameters (2^p - l, p) . The Hamming weight of a simplex^x codeword is tp, and Property 2 is also satisfied for a simplex^x code.

In yet another variation, a Simplex- P® code of length (2^P - 1) is constructed as follows from a permutation P and a simplex code S = {s_lr ... , S₂P_₁} . Let 5₀ = {i'(si)' --- , P(.s₂p- !)}, where P operates on the binary strings. The simplex- P® code R is defined as R = {s@s₀ \s e S, s₀ e S₀}.

However, Simplex- P® codes do not satisfy the above two properties. In particular, their Hamming weight varies between 0 and 2p. Furthermore, XORing two codewords does not, in general, yield a valid codeword. Nevertheless, experimental evidence suggests that the distribution of codes obtained by iterating the P® construction has Hamming weight concentrated around 2p.

Learning Parity with Noise (LPN)

The security of the proposed swarm authentication method and its variants relies on the following fundamental hypothesis: the hardness of the Learning Parity with Noise (LPN) problem, which is defined as follows.

Using an example, an attacking algorithm A is given access to an oracle 0 _m,q) with a parameter q satisfying 0 < q < 1 and a secret m e F₂ ^fe. Here, F₂ ^fe is a finite field over 2 with dimension of k. Upon receiving a challenge c e F₂ ^fe, the oracle 0 _m,q) picks a noise bit e at random such that Pr[e = 1] = q, which means that e equals 1 with probability q. Then, the oracle outputs (c, (c · m)®e) to the algorithm A, where c^■ m denotes the dot product of c and m by taking c and m as two binary vectors of dimension k. The goal of attacking the algorithm A is to solve the secret m with access to the oracle It is widely believed that any probabilistic polynomial-time algorithm A has only a negligible advantage for solving the secret m where A is allowed to do a polynomial number of queries to the oracle 0 _mit?). This computational hypothesis is called the LPN assumption.

Note that the bias of e is an important parameter: If q=0 then solving the LPN problem is trivial (linear operation); If, on the other hand cp½ then solving the LPN is impossible (One Time Pad). Hence, the LPN is interesting and non-trivial when 0 < q < 1/2.

There is so far no known efficient algorithm to solve generic LPN problem instances. Therefore the LPN problem is considered to be hard to solve. Many cryptographic primitives are based on the hardness of LPN.

In the proposed primitive, it is assumed that each node x, is equipped with a secret shared with the server which is also known as a verifying entity V or the root node. In practice, additional hardware/software security measures should be implemented to prevent this secret from being compromised by adversaries.

For purposes of this disclosure, it is assumed that the whole network is treated as a spanning tree W with y levels, in which V is the root node in W and all nodes know their parent nodes and their child nodes together with their indexes, if any. For example, the network infrastructure 100 shows a spanning tree l/l with 3 levels of nodes. In particular, level 1 corresponds to the server 110 which is the base verifying entity, V, also known as the root node in l/l/; level 2 corresponds to nodes 1-4; and level 3 corresponds to nodes 5-17 which are the leaf nodes. For purposes of this disclosure, node x₀ refers to server 100, χ_ί-ί7 refers to nodes 1-17 of figure 1. All nodes know their parent nodes and their child nodes together with their indexes. The parent nodes and child nodes are also known as proving nodes/devices/entities.

Figure 4 illustrates a timing diagram 400 of the information flow between the server 1 10 and the nodes 120. Timing diagram 400 comprises two phases. For purposes of this discussion, the server 100 may also be referred to as the root node.

The first phase 405 involves setting up the swarm authentication protocol by running of the following algorithms: 1. Setup(/, n) to setup the system. In this algorithm, the server 1 10 determines the public parameters, pp, necessary to achieve J-bit security for the spanning tree network of n+^ nodes. In particular, the algorithm chooses a simplex^x code S = {e_t } with codewords of size a and Hamming weight h, where a and h are two positive integers. In addition, two keyed one-way functions f and g are also selected. The public parameters pp is defined as the set of {S, a, h, f, g}.

2. KeyGen(pp, n) to generate the necessary keys and matrices. In particular, the server 110 generates n individual keys for each of the nodes, k a common key, K, n random binary matrices, M and a "shortcut" matrix, M, where M is the XOR of all the n random binary matrices (M =®f₌₁ Mi). M is only known to server 1 10.

In step 415, the public parameters, n random binary matrices (Mi), n individual keys (ki ), and common key (K) are then securely distributed to each node x, in the whole spanning tree network where /^' is the index of the nodes in the spanning tree network, i.e. 1-n. The public parameters, S, a, h, f, and g are all supposed to be known to all notes in the network. Hence, instead of sending the public parameter in step 415, the public parameter may be pre-provisioned in the nodes instead. Further details of the first phase would be described below with reference to figure 5.

A second phase 410 involves the nodes in the spanning tree H being triggered to perform a swarm authentication by the server 110 by running the following algorithms:

1. Challenge(pp) to generate and transmit a challenge. Particularly, the server 110 generates and sends out a random vector c with binary length b as an authentication challenge to the second level parent nodes, i.e. nodes 1-4, in the whole spanning tree network W. Recursively, the challenge c is forwarded by each parent node to their children nodes until all leaf nodes receive c in step 420.

2. Response(pp, c, {Mi, ki, K}) by each of the nodes 120 to generate a response in step 425. In particular, based on c and its private secrets ( j, k K) each node computes the value r, as its response to challenge c, where r, is computed by the following equation:

= Mif(K, c)®e_q Equation (1) where index q = g(k c) and e_q is the q-th codeword of the simplex^x code. The simplex^x code S is part of the public parameters pp and it is assumed that each node knows how to generate or identify a specific codeword in S, by running suitable algorithms. After the response is generated by the child nodes, the responses are transmitted to respective parent nodes in step 430.

3. Aggregate(pp, r_1t . . . , r_n) by each of the nodes other than the leaf nodes and transmit the aggregated response to respective parent nodes in steps 435-440. Each of the nodes from the level y-1, aggregates the responses received from their child nodes. Briefly, each node from level y-1 , XORs its own value η _^ with all the responses η received from children nodes together. The algorithm can be expressed with the following equation

r =©?=_! n Equation (2)

The aggregated responses are transmitted to their respective parent nodes until the level 1 node which is the root node.

4. Verify(pp, c, r, {M, K}) by the root node in step 445. Prior to running this algorithm, the root node would also run the aggregate algorithm to combine the responses from the second level nodes to obtain a final aggregated response. The final aggregated response r is verified to be acceptable if and only if

I \Mf(K, c)@r\ I = h Equation (3) where \ \e\ | denotes the Hamming weight of a binary string e.

The main idea of this swarm authentication protocol is that each node shares a secret key with the server and nodes do not interact directly with the server. Instead, the responses from the nodes are combined recursively by the various levels of parent nodes up to the server.

The core interaction between the root node and the rest of the nodes can be described as follows:

1. The root node has ( _i; k M, K, pp) while the rest of the nodes have ( _i; k K, pp) after the first phase.

s

2. The root node generates and transmits a challenge c - {0,1}° which is a random vector c with binary length b as an authentication challenge to the rest of the nodes from second level to the leaf level.

3. A response is generated by each of the nodes as follows:

a. Determining an index q using the one way g function with input being ki and c.

b. Determining Mif{K, c) which is the dot function of its matrix j with the output of one way function fwith the input of common key K and c. c. Determining the response by XORing Mif(K, c) with the q-th codeword of the simplex^x code.

4. The responses are transmitted upwardly from the leaf level to the root node. At each level, the responses are aggregated.

5. The final aggregated response r is XOR with Mf(K, c), which the dot function of the shortcut matrix M with the output of one way function f with the input of common key K and c. If the responses are valid, the end result would be a codeword that satisfies properties 1 and 2 of the simplex^x code.

Further details of the two phases will now be described as follows. The symmetric swarm authentication method is based on the simplex^x codes and the learning parity with noise (LPN) problem, in which two keyed one-way functions f and g are used. One possible way to implement one-way function is to employ hash function.

Figure 5 illustrates a process 500 performed by the processing system 200 of the server 110 in accordance with the disclosure. Process 500 begins with step 505 by setting up the network in the following manner. First, the server 110 determines the public parameters using the algorithm Setup(/, n). Particularly, given a security parameter ] and n (the number of nodes in a network), process 500 generates the public parameters pp necessary to achieve /-bit security for a network of n nodes. In particular, process 500 chooses a simplex^x code S = {e_t } with codewords of size a and Hamming weight h, where a and h are two positive integers. In addition, two keyed one-way functions f and g are also selected. The public parameters pp is defined as the set of {S, a, h, f, g}. In one embodiment, the public parameter is predetermined and can be retrieved from the memory. Further details on the choice of the public parameter would be described below.

Thereafter, the server runs an algorithm, KeyGen(pp, n), to generate the n individual keys for each of the nodes (ki), a common key ( ), n random binary matrixes (Mi), and a "shortcut" matrix M that is only known to server, where /^' is ^ , ... ,n. Particularly, given the public parameters pp and n, the server 110 runs the algorithm to generate n random binary matrices Mj of size ab, where b is another positive integer, n individual keys k one common key f, and a shortcut matrix M =®f₌₁ Mj. Then, (Κ, ρρ) are securely distributed to all nodes in the whole network while (Mj, / _j) are securely distributed to the respective node χ,. The information can be transmitted to the rest of the nodes individually or via swarm approach. In the swarm approach, the parent nodes (i.e. non-leaf node) will be able to identify error children nodes if necessary since the parent nodes would be privy to the secret key of respective children node. One skilled in the art will recognise that the root node may implement various types of transmission to its children node without departing from the disclosure. In one embodiment where the public parameter is pre-provisioned in all the nodes, the public parameter is not required to be transmitted to the nodes.

One method of generating individual keys and a common key is via asymmetric key encryption where a pair of keys is used for authentication. One skilled in the art will recognise that other methods of generating a common key and non-common keys may be implemented without departing from the disclosure and the exact method is left to those skilled in the art.

The random binary matrices M may be generated from a random binary vector of size ab by assigning a segment of b bits in this long binary vector as a row of matrix j. Moreover, this long binary vector of size ab can be generated by using any proper cryptographic primitive (say hash function) from a random root seed, with possible additional inputs. The first phase of generating and transmitting the necessary keys to the nodes 120 ends after step 505.

The second phase begins with step 510 where the server 1 10 generates a challenge with the algorithm Challenge(pp). The challenge c is a random number with binary length b. The challenge is transmitted to all the nodes. Particular, in the swarm authentication method, the challenge is transmitted to the second level nodes where they will in turn transmit the challenge to respective child nodes. This is repeated recursively until the leaf node. In briefly, the challenge c is recursively forwarded by each parent node to their children nodes until all leaf nodes receive the challenge.

In step 515, the server 110 receives the aggregated responses from each of the second level nodes.

In step 520, the server 1 10 aggregates the responses from each of the second level nodes to obtain the final aggregated response. Thereafter, the server verifies whether the final aggregated response for the challenge with respect to the public parameters pp and the shortcut key K is valid in the following manner.

The responses from each of the parent nodes are aggregated using the following algorithm Aggregate(pp, / , . . . , r_n), where η refers to the response from node χ,. Upon receiving the responses (r_1t . . . ,r_n), the server runs the algorithm to generate the following final aggregated response rwith binary length a: r =® ₌₁ n Equation (2) Equation (2) essentially is combining the responses received from the second level nodes with an exclusive or operator.

The final aggregated response r is verified with the following algorithm Verify(pp, c, r, {M, K}). The server accepts r as a valid aggregated response from all the nodes if and only if:

\Mf{K, c)®r\ \ = h, Equation (3) where | |e| | denotes the Hamming weight of a binary string e. Particularly, Equation (3) involves using the shortcut matrix and common key to verify the responses from the nodes. More particularly, the common key K and the challenge c is applied in the /"function and the product of shortcut matrix M with the output of f function with respect to the inputs of common key K and the challenge c is being XORed with the aggregated responses. If all the nodes respond correctly, the end result would generate a simplex^x codeword that satisfy the conditions mentioned above.

In step 525, if the final aggregated response is valid, process 500 proceeds to step 530 and outputs the authenticated nodes (AN). If the final aggregated response is not correct, process 500 proceeds to step 535 to identify the error node. Further details on the process of identifying the error node would be described below with reference to figures 8-9.

Note that this approach fundamentally differs from swarm authentication constructions for aggregate message authentication codes (MACs), in which the verifier recomputes the MAC for each node and then aggregates them for verification.

In one embodiment, it is possible that the root node verifies each child node directly. In this embodiment, the second phase involving steps 510-530 would be modified in the following manner. In step 510, the server 110 generates a challenge with the algorithm Challenge(pp) and transmits the challenge to a relevant node x_t for verification. In step 515, the server 1 10 receives a response from the relevant node xj . Step 520 would not be required to perform aggregation since only one response is received by the root node. Hence, in step 520, the server 110 verifies whether the response with the following algorithm Verify(pp, c, ri, {M, K}). The server accepts from node Xj as a valid response from the relevant node if and only if:

Equation (3') where | |e| | denotes the Hamming weight of a binary string e. Particularly, Equation (3') involves using the matrix associated to the relevant node x_t and common key to verify the response from the relevant node. More particularly, the common key K and the challenge c is applied in the /"function and the product of matrix Mj associated to the relevant node j with the output of f function with respect to the inputs of common key K and the challenge c is being XORed with the response from the relevant node. If the relevant node responds correctly, the end result would generate a simplex^x codeword that satisfy the conditions mentioned above.

In step 525, if the response is valid, process 500 proceeds to step 530 and outputs the authenticated node (AN). If the response is not correct, process 500 proceeds to step 535 to identify the relevant node x_t as an error node.

Figure 6 illustrates a process 600 performed by the network interface 300 or a processing system of one of the levels from second to y-1 level nodes such as parent nodes 1 -4 in accordance with the disclosure. Process 600 begins with step 605 by receiving (Mj, k Κ, ρρ) from the root node or a parent node. In response to receiving (Mj, k Κ, ρρ) from the server 1 10, the node stores pp and K, and the relevant k_t and Mj . For example, node 1 stores ( i, k_t , Κ, ρρ), node 2 stores (M₂ , k₂ , Κ, ρρ), node 3 stores (M₃ , k₃ , Κ, ρρ) and node 4 stores (M₄, / ₄, Κ, ρρ). In one embodiment where the public parameter is pre-provisioned in all the nodes, the public parameter would not be received by the nodes and the nodes should be able to retrieve the public parameter in respective memory.

In step 610, each of the parent nodes forwards the (Mj, k Κ, ρρ) to the respective children nodes. For example, node 1 transmits the (Mj , k_t , Κ, ρρ) to nodes 5-7, node 2 transmits the (Mj, k Κ, ρρ) to nodes 8-10, node 3 transmits the (Mj, k Κ, ρρ) to nodes 1 1 - 13, and node 4 transmits the (Mj, k Κ, ρρ) to nodes 14-17. First phase 405 of the swarm authentication protocol ends after step 610. In such scenario, only parent node knows the secrets of its children. In this way, the parent will be able to identify error children nodes if necessary, as will be described below. Alternatively, if the root node broadcast the information to all nodes individually, step 610 would not be required and the parent nodes would not be able to identify error children nodes. One skilled in the art will recognise that the root node may implement various types of transmission to its children node without departing from the disclosure. In one embodiment where the public parameter is pre- provisioned in all the nodes, the public parameter would not be transmitted to the child nodes. In step 615, process 600 receives a challenge from the root node or a parent node. In response to receiving the challenge from the server or the parent node, process 600 transmits the challenge to the respective child nodes in step 620.

In step 625, process 600 generates a response with the following algorithm, Response(pp, c, {Mi, ki, K}). In particular, each of the parent nodes runs the algorithm to generate a response r, to the root node which is the verifying entity V, where value η is computed by the following equation: n = Mif(K, c)®e_q , Equation (1 ) where index q = g(ki, c) and e_q is the q-th codeword of the simplex^x code. Equation (1 ) involves 2 steps where the first step involves determining q in order to select the q-th codeword from the simplex^x code and the second step involves XORing Mif{K, c) with e_q to form a new simplex^x codeword, .

In step 630, process 600 receives the responses from the child nodes. In response to receiving the responses from the child nodes, the parent node aggregates the responses according to Equation (2) in step 635. In particular, the responses are XORed together. For example, node 1 would aggregate the responses as r_t = ^®^®^®^ , node 2 would aggregate the responses as r₂ = r₂@r₈®r₉®r₁₀, node 3 would aggregate the responses as r₃ = r-i®^®^®^ , and node 4 would aggregate the responses as r₄ = r₄@r₁₄@r₁₅®r₁₆®r₁₇.

In step 640, the aggregated responses are transmitted to the server or the parent nodes. Process 600 ends after step 640.

Figure 7 illustrates a process 700 performed by the network interface 300 or a processing system of one of the leaf nodes 5-17 in accordance with the disclosure. Process 700 begins with step 705 by receiving (M k K) from the parent nodes. In response to receiving the (M k K) from the parent node, the child node stores the relevant j and / j and K.

In step 715, process 700 receives a challenge from the parent node. In response to receiving the challenge from the parent node, process 700 generates a response with the following algorithm, Response(pp, c, {Mi, ki, K}). In particular, each of the leaf nodes 5-17 runs the algorithm to generate a response r, to the parent node, where value r, is computed by Equation (1 ). In step 740, the child nodes transmit their responses to the respective parent nodes. Process 700 ends after step 740. Process 700 is typically performed by a leaf node since the leaf node would not be receiving any responses. Hence, unlike process 600, process 700 is not required to receive responses and aggregate the responses. However, when the root node initiates an error node identification, the current level nodes (which may be a non-leaf node) is required to perform the steps 715-740. Further details will be described below in this regard. It is further noted that in the embodiment where the root node wishes to verify a particular node directly, that particular node, whether or not it is a leaf or non-leaf node, is required to perform the steps 715-740.

Proof of solution

The proposed solution is correct, as this can be verified by simple substitution and properties of the simplex^x codes. For security, first it is easy to see that the false negative rate is zero. Second, for large enough b, it can be proved that the false positive rate, denoted as P_FA , which means that an adversary may attempt to get authenticated by sending a tentative response to the verifying entity, is controlled by the following quantity:

P_FA < a - Equation (4)

In practice, b = 256 is more than sufficient to guarantee that the above inequality holds.

Finally, the protocol resists both passive and active attacks. Namely, it can be proved that for either passive and active attack, breaking the above protocol is at least as hard as solving an instance of the LPN problem. More specifically, this means that by assuming the hardness of LPN problem, a passive attacker who can eavesdrop communications will not be able to learn the secret keys, while an active attacker will not be able to forge a response for a given random challenge c even he/she has been given an oracle of accessing the swarm authentication protocol in polynomial times.

In the second phase, the indexes of all nodes for which their responses have been aggregated are sent together with the partially aggregated value to the up-level node. In this way, the recipient, and finally the verifying entity V, will explicitly know which node's response has been aggregated and which has not. This is particular helpful if it is not rare that some nodes fail to send their own responses to their parent nodes, though it is still expected that the verifying node will be able to quickly decide which nodes in the network are working well by running one instance of swarm authentication. More specifically, in this case, each parent node still follows the same way specified in the second phase to aggregate the responses from its children nodes and then forwards the aggregated response together with their indexes to the next level parent node. So, once the verifying entity V obtains the final aggregated response r' from the node set of N', which denotes all the nodes they responded. Even without receiving the responses from some nodes, V can still validate the correctness of r' by checking if

\M'f{K, c)®r'\ \ = h, Equation (5) where ' = ®_iew, j . If Equation (5) holds, then all nodes in N' (i.e. all nodes they responded) are all authenticated. This is because property 2 of the simplex^x code provides that XOR of two codewords of a simplex^x code is also a valid codeword which would also satisfy property 1 . Hence, the second phase need not require all nodes to send their responses. In brief, the root node would not be able to use the shortcut matrix to verify the responses from the nodes directly. Instead, the root node has to XOR the matrices associated to the index of the nodes that provide a response to form a new shortcut matrix in order to verify the responses. In the above scheme, the simplex^x code can be replaced by a simplex- P ® code, though the verification Equation (3) shall be replaced correspondingly by the following equation:

\Mf(K, c)@r\ \≤ 2h, Equation (6)

The variant specified in proof of solution applies for a scheme when a simplex- Ρ Θ code is used. In this case, similar changes in Equation (5) can be made, i.e., replacing M and r by M' and r' respectivley in Equation (6).

When a simplex^x code is used, the above symmetric swarm authentication actually also implies a (individual) symmetric authentication between a node x, and the verifying entity V (though V can be any normal node as well). Namely, for this variant all algorithms Setup, KeyGen, Challenge, Response are still the same as in the above, and algorithm Aggregate is removed, while verification algorithm for checking x s response η with respect to challenge c is operated as follows:

Verify(pp, c, r„ {Μί, ^, Κ}): The verifying entity V accepts η as a correct response for challenge c from node x, if and only if: r_t≡M_if{K, c)®e_l Equation (7) where index q = g k_u c) and e_q is the q-th codeword of the simplex code S. That is, V just checks the correctness of η by conducting the same computation by node x, when generating η.

Alternatively, verification equation Equation (7) can be replaced by the following simpler one:

I

c)®ri I I = h, Equation (8)

Note that Equation (8) is just the version of Equation (3) for a single node χ,. However, the security level of verification algorithm given by Eq. (8) will be weaker than that given by Equation (7), as Equation (8) does not employ the secret k, to check whether the XOR of MifiK, c) and is exactly the Simplex^x codeword e_q for index q = g(k c) , though this vector's Hamming weight is guaranteed to be h.

When a simplex- P ® code is used, a (individual) symmetric authentication scheme can be obtained similarly as that given above. Namely, all algorithms Setup, KeyGen, Challenge, Response are still the same for the case where a simplex- P ® code is selected, and algorithm Aggregate is removed, while verification algorithm for checking x s response η with respect to challenge c is operated as follows:

Verify(pp, c, r„ {Mi. ki. K}): The verifying entity V accepts η as a correct response for challenge c from node x, if and only if: ≡ MtfiK, c)@e_q, Equation (9) where index q = g(ki, c) and e_q is the q-th codeword of the a simplex- P ® code. That is, \ just checks the correctness of r, by conducting the same computation by node x, when generating η.

Alternatively, verification equation Equation (9) can be replaced by the following simpler one:

I

c)®r_t I I < 2 i, Equation (10)

Again, note that Equation (10) is just the version of Equation (6) for a single node x₍. Similarly, the security level of verification algorithm given by Eq. (10) will be weaker than that given by Equation (9), as Equation (10) does not employ the secret k, to check whether the XOR of MifiK, c) and is exactly the simplex- P ® codeword e^ for index q = g(ki, c) , though this vector's Hamming weight is guaranteed to be no more than 2/7. Choice of Parameters

To achieve a 128-bit security, the value of a is recommended roughly in the range from 600 to 1200. Let ?7= 7/a. The ideal value of η is 0.25, as it keeps the LPN problem hard. As this value also determines simplex^x code's ideal Hamming weight, once the value of a is given. In fact, in this case, according to Equation (4) the following inequality should be satisfied:

?FA≤iA- d = U_v ^aa) ^{≤ 2 ~128} - Equation (1 1)

With respect to b, it is recommended to choose 0=256, as mentioned before. This guarantees the formula for false acceptance rate (e.g, Equation (4) or Equation (11)) is correct, and that the protocol achieves zero-knowledge.

For the secret k, and common key K, these are recommended to be 128 bits or more. For system where weaker security is applicable, these could be 80 bits.

As an example, one can use codes of length a=1200 that have Hamming weight h as close as possible to the ideal value of 300. Therefore, the simplex^x codes with p = 4 and t=80 can be selected, which means that the resulting codewords are of binary length _a=(2⁴-1)x80=1200 and have Hamming weight 7=80*4=320. In this case, η=Μθ=0.26. By taking the consideration of the length of b, k, and k, the following parameters in Table 1 are obtained.

Table 1

The following TABLE 2 provides a number of sets of possible parameter combinations for the protocol, which shows the tradeoffs between security and computation. Note that P_FA indicates the false acceptance probability. For the cases with P 9 codes and the P_FA is only estimated, which is indicated by an asterisk * in the table.

Table 2

Complexity

The total number of operations required to authenticate the network depends on the exact topology at hand, but can safely be bounded by the following computations.

The node's work factor is, in essence, equal to the work factor of the verifying entity V because the proposed protocol is based on symmetric cryptography. The cost consists of:

1 . An evaluation of hash functions f and g. Given that the roles of f and g are similar, their costs can be treated as equal;

2. The generation of e_q; and

3. One matrix by vector multiplication.

Instantiating f and g.

Essentially, functions f and g are used to break the linearity of the matrix by vector multiplication, so both of them can be implemented as a Lehmer random number generator. This generator is easy to implement in a few assembly instructions, especially if the modulus used is the multiplication friendly Λ/=2³¹- 1 =2, 147,483,647. Another option consists in selecting a secret N, using Montgomery multiplication to gain speed and integrate the Montgomery parasite factors in the result.

The generator needs to generate in total enough entropy to key e_q(160 bits) plus enough entropy to form f(k, c) i.e. ^60+b bits. This requires about (160+£>)/32 generator rounds (given that each round produces a 32-bit pseudorandom output). If an loT node has an 8 bit microcontroller (such as a 68HC05), this amounts to 4x(160+ 5)/32=(160+£>)/8 byte multiplications. Doubling this quantity to account for modular reduction and bookkeeping, and assuming that each multiplication takes 5 cycles, the workload for evaluating functions f and g is

clock cycles. The generation of e_q.

The generation of e_q essentially consists in XORing about 80 codewords chosen amongst 160, each of which is a bits long. Each vector XOR requires a/8 XOR byte operations (EOR instruction) which typically claims 4 cycles. The XORed operand must be read and the result of the XOR must be stored back. Taking the upper bound the effort required for these bookkeeping manipulation as 20 extra cycles, a loop doing so will thus claim about w₂=80xa/8x(20+4)=240a clock cycles.

The matrix by vector multiplication.

It remains to perform the final matrix by vector product. Here, an a-bit by b-b t matrix must be XORed with a b bit vector. As just explained, the XOR of an x-bit vector by an x-bit vector costs x/8*24=3x cycles. Hence, the total cost of the matrix phase is w₂=3ab clock cycles.

Total cost. Adding an extra 1000 cycles for the general algorithm bookkeeping, so the following total per-node cost is obtained: w = IOOO+W1 +W2+W3 = 1000+5(160+/5j/4+240a+3a£> = 1200+240a+5£>/4+3a£> (clock cycles).

Assuming, as is customary, a clock frequency of 10MHz, the following global calculation times in TABLE 3 are obtained for the six parameter sets given in TABLE 2. Since b is 256 in all parameter sets, the function tabulated in TABLE 2 boils-down to w=1520+1008a clock cycles.

Table 3

Generating Private Keys from a Random Seed The protocol may be adapted to better fit operational constraints: in the context of loT, for instance, communication outcoming from nodes is a very costly operation. It is a further goal of the invention to describe variants that aim at reducing the amount of information sent, the size of memory and/or the amount of computation by individual nodes, while maintaining security.

Memory is a scarce resource for many lightweight loT devices, so in some scenarios it may be a challenge for each node j to store the secret matrix M which is ab bits. To save memory, each row of M_t can be generated from a random seed s_t by evaluating a cryptographically strong pseudo random function F with respect to s_t and other information. For example, let ( j)₇ = F(si, i,j), where ( j)₇ denotes the y^'-th row of matrix M_t and the random seed s_t is known to node x_t and the verify entity V. In practice, F can be a cryptographic hash function.

Note that as the drawback of this variant, each time of authentication a node needs to recover its secret matrix M_t from the random seed s_t by evaluating function for a times.

Note that alternatively, one can define the columns of M_t in a similar way. Moreover, to save the storage at the verifying node V, all the random seeds Sj's for all nodes can be derived from a common seed s by V, though this master secret s is supposed to be known by V only.

Process of Failed Authentication

We shall now discuss the identification of error nodes in step 535 of process 500. The above symmetric swarm authentication may fail due to different reasons, which can be accidentally or maliciously introduced at any step. As a consequence of information aggregation, a single defective node suffices for authentication to fail. In this case, V can have different choices to act, namely giving up, running the whole process again with all the nodes, identifying the subset of nodes which failed authentication, or performing usual authentication with each node individually. This process of failed authentication is illustrated figure 8.

Figure 8 illustrates a process 800 performed by the server 100 to identify the error nodes in accordance with the disclosure. Process 800 begins with step 805 to select an option to proceed with identifying the error nodes. There are three options to select, namely Option 1) repeats from step 510 of process 500, Option 2) top down elimination approach, and Option 3) authenticates with each node individually. One skilled in the art will recognize that other method of identifying error nodes may be implemented without departing from this disclosure. The selection of option may be user triggered. Alternative, the selection may be predetermined. For example, in a first embodiment, process 800 may proceed with Option 1 and thereafter Option 2 should the result in Option 1 fails. In second embodiment, process 800 may proceed directly with Option 2 only. In a third embodiment, process 800 may proceed with Option 1 and thereafter Option 3 should the result in Option 1 fails. One skilled in the art will recognize that other permutations may be implemented without departing from the disclosure and the exact selection of the option is left to one skilled in the art.

Process 800 proceeds to step 810 if the selection is Option 1. In step 810, process 800 runs the swarm authentication process again with all the nodes. This means that process 800 repeats from step 510 of process 500. With reference to the first embodiment at described above, if the final aggregated response is still not correct, process 800 proceeds to step 815. With reference to the third embodiment at described above, if the final aggregated response is still not correct, process 800 proceeds to step 820.

Process 800 proceeds to step 815 if the selection is Option 2. In step 815, the server authenticates subsets of nodes under each level parent node separately. Further details will be described below with reference to figure 9.

Process 800 proceeds to step 820 if the selection is Option 3. In step 820, the server authenticates each node each node in the whole network individually. Particularly, a node x, will be added to AN once a positive response η is obtained with respect to the challenge c. If a negative response η is obtained with respect to the challenge c, node x, will be added to a fault list instead. The process will continue until all the nodes have been processed.

Figure 9 illustrates a process 900 performed by the server to identify the error nodes in the top down elimination approach. It is noted that under this approach, it is assumed that the server knows or is informed by each second level node about the indexes of all the nodes in each subset. Moreover, if necessary, for a subset of nodes who failed authentication, each second level node can similarly find out which of its child (either a leaf node or a third level parent node) is responsible for the failure, though here the second level parent nodes in this case are assumed to know the private keys of their children. Even more, this procedure can go further with respect to lower parent nodes gradually to exactly identify all the individual nodes who failed authentication one by one.

Process 900 begins with step 905 by verifying the responses from the current node which is the second level nodes separately. This means that the responses from the second level nodes received in step 515 are verified separately. In other words, the process does not aggregate the responses from each of the second level nodes to obtain the final aggregated response. Instead, the root node verifies if the responses from each of the second level node with respect to the public parameters pp and the shortcut key is correct individually. If the response is valid, process 900 proceeds append the authenticated nodes using the index of the authenticated nodes in step 910. If the response received from the second level node is not valid, process 900 updates a fault list containing index of the possible error nodes in step 910.

In step 915, process 900 runs steps 510-525 for the nodes for the current and the next levels identified in the fault list. In other words, the second level nodes identified in the fault list with the nodes in the third level are authenticated to identify the error nodes. Step 510 has to be modified such that for the current level nodes, the challenge indicates that the current level nodes perform steps 715-740 of process 700. This is because the current level nodes are not required to receive responses from respective children nodes. Similar to step 905, process 900 verifies the responses from the nodes from the current and next levels separately. In other words, the process does not aggregate the aggregated responses from each of the nodes in the current and next levels to obtain the final aggregated response. Instead, the root node verifies if the responses from each of the nodes in the second and third levels with respect to the public parameters pp and the shortcut key is correct individually.

In step 920, if the responses received from each of the nodes from the current and next levels are valid, process 900 appends the authenticated nodes using the index of the authenticated nodes. If the responses from the nodes in the second and third levels are not valid, process 900 updates the fault list containing index of the possible error nodes. Alternatively, the fault list is updated by removing the index of the authenticated nodes that are appended to the AN.

In step 930, process 900 determines whether the next level node is the last level node, i.e. leaf node. If the next level node is the leaf node, process 900 proceeds to step 940 and outputs the authenticated nodes. If the next level node is not the leaf node, process 900 proceeds to step 935 and selects the next level node as the current node and repeats from step 915.

Process 900 ends after step 940. The above is a description of embodiments of a method and system of swarm authentication protocol to provide a more efficient way of authenticating a substantial number of proving devices in a spanning tree network. It is foreseeable that those skilled in the art can and will design alternative method and system based on this disclosure that infringe upon this invention as set forth in the following claims.

Claims

CLAIMS:

1. A symmetric swarm authentication system for a spanning tree network of n+'\ nodes organized in y levels where the first level consist of a root node, the system comprising: the root node in the first level of the spanning tree network, wherein the root node is configured to:

determine a simplex^x code S = {<?, } with codewords of size a and Hamming weight h, where a and h are two positive integers;

determine a first one-way function f and a second one-way function g;

generate n random binary matrices with a rows and b columns, M n keys / j, one common key f, and a shortcut matrix , where a and b are positive integers, /^' refers to the index of the node from 1 to n, and M =®f₌₁ M(, where the k^ is a key shared between node /^' and the root node, and the K is a key shared between the n nodes and root node;

transmit K, S = {e_t } , the first and second one-way functions to all n nodes and

(Mi, ki) to respective node x(,

generate a challenge c, where c is a random number with binary length b; transmit the challenge to the second level nodes; wherein anyone node of the second level nodes is configured to :

generate a simplex^x code, e_q, where q = g(ki, c) and e_q is the q-th codeword of the simplex^x code in response to receiving the challenge c;

generate a response with the following expression, = Mif(K, c)®e_q;

transmit the response to the root node;

wherein the root node is further configured to:

receive responses from the second level nodes;

aggregate the responses from the second level nodes to obtain an aggregated response r,

verify the aggregated response rwith the following expression, r' = Mf(K, c)®r; and

determine the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

2. The symmetric swarm authentication system according to claim 1 wherein the step of aggregating the responses from the second level nodes to obtain an aggregated response r, comprises:

combine the responses with an exclusive OR operation.

3. The symmetric swarm authentication system according to claim 1 or 2 wherein each of the nodes between the second level to y-1 level is configured to:

receive responses from lower level nodes;

aggregate the response generated with the responses from the lower level nodes; and

transmit the aggregated response to respective upper nodes.

4. The symmetric swarm authentication system according to any one of claims 1-3 wherein a has a binary length of 1200, h is 320, b has a binary length of 256, and ki and K have binary length of 128.

5. The symmetric swarm authentication system according to any one of claims 1-4 wherein the root node is further configured to:

perform identification of error nodes if the aggregated response is not acceptable.

6. The symmetric swarm authentication system according to claim 5 wherein the step to perform identification of error nodes comprises:

repeat the steps to:

generate the challenge c;

transmit the challenge to the second level nodes;

receive responses from the second level nodes;

aggregate the responses from the second level nodes;

verify the aggregated response r ; and

determine the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

7. The symmetric swarm authentication system according to claim 6 wherein the root node is further configured to:

verify each of the responses received from the second level nodes, the second level nodes being the current level nodes; append an authenticated list to include the index of the authenticated nodes with valid responses and a fault list to include the index of the authenticated nodes with invalid responses.

8. The symmetric swarm authentication system according to any one of claims 1-7 wherein the simplex^x code is replaced by a simplex- P ® code and the aggregated response r' is determined as acceptable if and only if the Hamming weight of r' is equal to or less than

2 7.

9 A symmetric swarm authentication method for a root node to authenticate with n nodes in a spanning tree network of η+ nodes organized in y levels where the first level consist of the root node, the method comprising:

generating a challenge c, where c is a random number with binary length b; transmitting the challenge to the second level nodes;

receiving responses from the second level nodes;

aggregating the responses from the second level nodes to obtain an aggregated response r,

verifying the aggregated response rwith the following expression,

r' = Mf(K, c)®r; wherein the f is a one-way function; wherein the M is a shortcut matrix, and M =®f₌₁ M(, wherein jis a binary matrix with a rows and b columns, and , /^' refers to the index of the node from 1 to n;

and

determining the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h; where h is a positive integers.

10. The symmetric swarm authentication method according to claim 9 wherein method further comprises:

determining a simplex^x code S = {e_t } with codewords of size a and Hamming weight h, where a is a positive integer;

determining a second one-way function g and the first one-way function f ; generating n random binary matrices with a rows and b columns, M_t , n keys / j, one common key f, and a shortcut matrix M, where b is a positive integer; where the k_t is a key shared between node /^' and the root node, and the K is a key shared between the n nodes and root node; transmitting f , S = {e_t } , the first and second one-way functions to all n nodes and (M ki) to respective node x_t .

1 1 . The symmetric swarm authentication method according to claims 9 or 10, further comprising:

performing identification of error nodes if the aggregated response is not acceptable.

12. The symmetric swarm authentication method according to claim 1 1 wherein the step of performing identification of error nodes comprises the root node to:

repeat the steps to:

generate the challenge c;

transmit the challenge to the second level nodes;

receive responses from the second level nodes;

aggregate the responses from the second level nodes;

verify the aggregated response r ; and

determine the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

13. The symmetric swarm authentication method according to claim 12 wherein the step of performing identification of error nodes comprises the root node to:

verify each of the responses received from the second level nodes, the second level nodes being the current level nodes;

append an authenticated list to include the index of the authenticated nodes with valid responses and a fault list to include the index of the authenticated nodes with invalid responses.

14 A symmetric swarm authentication system for a spanning tree network of η+ nodes organized in y levels where the first level consist of a root node, the system comprising: a root node in the first level of the spanning tree network, the root node having a processor, a non-transitory memory and instructions stored on the non-transitory memory executable by the processor to:

generate a challenge c, where c is a random number with binary length b; transmit the challenge to the second level nodes;

receive responses from the second level nodes; aggregate the responses from the second level nodes to obtain an aggregated response r,

verify the aggregated response rwith the following expression, r' = Mf(K, c)®r; and

determine the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

15. The symmetric swarm authentication method according to claim 14 wherein the root node further comprises instructions to:

determine a simplex^x code S = {<?, } with codewords of size a and Hamming weight h, where a is a positive integer;

determine a second one-way function g and the first one-way function f ; generate n random binary matrices with a rows and b columns, M n keys / j, one common key K, and a shortcut matrix , where b is a positive integer; where the ki is a key shared between node /^' and the root node, and the K is a key shared between the n nodes and root node; transmit s, S = {<?, } , the first and second one-way functions to all n nodes and (Mi, ki) to respective node x_{.

16. The symmetric swarm authentication method according to claims 14 or 15, wherein the root node further comprises instructions to:

perform identification of error nodes if the aggregated response is not acceptable.

17. The symmetric swarm authentication method according to claim 16 wherein the instruction to perform identification of error nodes comprises instructions to:

repeat the steps to:

generate the challenge c;

transmit the challenge to the second level nodes;

receive responses from the second level nodes;

aggregate the responses from the second level nodes;

verify the aggregated response r ; and

determine the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

18. The symmetric swarm authentication method according to claim 17 wherein the instruction to perform identification of error nodes further comprises instructions to: verify each of the responses received from the second level nodes, the second level nodes being the current level nodes;

append an authenticated list to include the index of the authenticated nodes with valid responses and a fault list to include the index of the authenticated nodes with invalid responses.

19. A symmetric swarm authentication method for a spanning tree network of η+ nodes organized in y levels where the first level consist of a root node, the method for one One node in the second level comprising:

receiving M k K, S = {e_t } , a first one-way function f and a second one-way function g from the root node, wherein the S = {e_t } is a simplex^x code with codewords of size a and

Hamming weight h, where a and h are two positive integers; wherein the j is a binary matrix with a rows and b columns; where a and b are positive integers and /^' refers to the index of the node from 1 to n; where the ki is a key shared between node /^' and the root node, and the K is a key shared between the n nodes and root node;

receiving a challenge c from the root node;

generating a simplex^x code, e_q, where q = g(k_ir c) and e_q is the q-th codeword of the simplex^x code in response to receiving the challenge c, where c is a random number with binary length b;

generating a response with the following expression, = Mif{K, c)®e_q; and transmitting the response to the root node.

20. The symmetric swarm authentication system according to claim 19 wherein the method further comprises:

receiving responses from lower level nodes;

aggregating the response generated with the responses from the lower level nodes; and

transmitting the aggregated response to respective upper nodes.

21 . A symmetric swarm authentication system for a spanning tree network of n+^ nodes organized in y levels where the first level consists of a root node, the system comprising: one node in the second level of the spanning tree network, the one node having a processor, a non-transitory memory and instructions stored on the non-transitory memory executable by the processor to:

receive M k K, S = {e_i } , a first one-way function f and a second one-way function g from the root node, wherein the S = {e_t } is a simplex^x code with codewords of size a and

Hamming weight h, where a and h are two positive integers; wherein the j is a binary matrix with a rows and b columns; where a and b are positive integers and /^' refers to the index of the node from 1 to n; where the ki is a key shared between node /^' and the root node, and the K is a key shared between the n nodes and root node;

receive a challenge c from the root node;

generate a simplex^x code, e_q, where q = g(ki, c) and e_q is the q-th codeword of the simplex^x code in response to receiving the challenge c, where c is a random number with binary length b;

generate a response with the following expression, = Mif{K, c)®e_q; and transmit the response to the root node.

22 . The symmetric swarm authentication system according to claim 21 wherein the instructions in the one node further comprises instructions to:

receive responses from lower level nodes;

aggregate the response generated with the responses from the lower level nodes; and

transmit the aggregated response to respective upper nodes.