1 Introduction
The Topology Authenticated Key Scheme (TAKS) is a cryptographic protocol, proposed in phdpugliese ; pugliese08 for the first time and successively generalised pugl13 ; pugliese13 ; pugliese2012secure , providing security over a resourceconstrained network (typically adhoc networks, e.g. sensor networks for monitoring services). Its authentication mechanism is based on node topology rather than on node identity, due to the limited lifetime of nodes in a resourceconstrained network. Indeed, while nodes in infrastructured networks can rely on a external power supply and on a stable planned maintenance service with human intervention, the nodes in adhoc networks can rely only on their own battery or some other energy harvesting mechanism, and maintenance services are usually remotely performed without human intervention. When an offduty node is replaced with a new node, the new node identity enters in the network, but node topology remains unchanged and the authentication mechanism does not need any updating. Other examples of networkbased key predistribution schemes may be found in alsubaie ; arjmandi ; haowen ; Kuchipudi ; liuning
. Vector spaces, rather than scalars, are introduced to allow the setup of a truly scalable pointtomultipoint communication sessions, hence without setting up multiple pointtopoint sessions: the added dimensionality introduces a further degree of freedom for the
in the procedure of parameters computation and assignment. From an engineering point of view, pointtomultipoint sessions provide a relevant feature, especially for clustered networks, where time syncronisation in data transmission is required as well as lighter memory storage: pointtomultipoint sessions avoid traffic flooding, hence wasting of energy, when maintenance services are activated on such clustered networks (e.g. the updating of some configuration parameters in a specific portion of the network).The scheme we propose in this paper, called Elliptic Curve based Topology Authenticated Key Scheme (ECTAKS), is derived from TAKS and is defined as a hybrid deterministic Key Establishment Protocol (KEP) over elliptic curves, and is designed to establish both pointtopoint and pointtomultipoint secure links among nodes. Security features of ECTAKS may include confidentiality (data encryption), data integrity and sender authentication (signature). Other examples of hybrid KEPs may be found in kavitha ; kimyun ; manjunath . In ECTAKS the shared secret is a symmetric key generated by each party involved in the communication session upon a successful authentication process, where each party verifies if the other party belongs to its authenticated network. Such a network is represented as a graph, where parties (network nodes) are the vertices and the communication links are the edges. The assignment parameter to each node is carried out by an external Certification Authority (); the scheme parameter are successively preloaded into the nodes.
While TAKS pugliese08 provides only key establishment facilities for pointtopoint communications by means of a DiffieHellmanlike scheme and its generalisation pugl13 extends to pointtomultipoint sessions, the improvements implemented in this paper directly provide ECTAKS with key establishment capabilities for both pointtopoint and pointtomultipoint communications. More importantly, elliptic curve cryptography allows achieving comparable security levels using reduced key lenghts gupta2002performance .
In this paper we provide a rigorous description of ECTAKS and address a security analysis of the scheme. In this regard, we will show that ECTAKS can be broken if an adversary can solve the intractable Discrete Logarithm problem over elliptic curves, provided that it also manage to solve a linear system of equations.
The paper is organised as follows: in Sec. 2 we introduce the notation and some auxiliary results. The scheme is defined in Sec. 3, together with the authenticatedencryption methods which is derived from it. The security analysis of the scheme is carried out in Sec. 4. Sec. 5 concludes the paper with some considerations on open problems.
2 Notation
ECTAKS is a scheme based on elliptic curves as well as vector spaces over finite fields. The networks of nodes where ECTAKS is built is modeled by a graph. In order to provide a rigorous description of the scheme and of its model, let us define the following elements.
Spaces
Let be a prime number, and let be the finite field with elements. We denote by an uniformly random generated element in . The scheme presented is this paper is mainly based on the 2dimensional vector space . Scalar elements in are usually denoted by lowercase greek letters, whereas vectors in are denoted by bold latin letters. Given two vectors we define the scalar product over of and as
Elliptic curves
Let be the power of a prime number. An elliptic curve over is the abelian group of rational points satisfying a Weierstrass equation Sil09 , i.e.
where . Throughout this paper we will denote by the generator of a subgroup of of order , called the base point. Given a vector and we define
and
The following result is easily checked.
Lemma 1
Let . Then we have
Proof
Let and . Then
∎
We assume the security of the scheme we propose in this paper to be relying on the following security assumption KoblitzECC ; MillerECC .
Problem 1 (ECDL problem)
Let be an elliptic curve over the finite field , let and . The (computational) Elliptic Curve Discrete Logarithm problem (ECDL problem) is the problem of finding the integer when the points and are given.
Provided that the curve meets some wellestablished requirements (see e.g Bernsteincurve ; FIPS186 ; Koblitzcurve ; weakfields ), the ECDL problem is assumed to be computationally intractable Bach ; koblitz2010intractable . For some overviews on algorithms solving the ECDL problem and related problems, see e.g. Galbrath ; menstate .
Graphs
A directed graph is a pair of sets , where and . We call arrows the elements of , and for each arrow we denote the tail of the arrow as and the head of the arrow as . In order to keep the notation cleaner, we will sometimes denote the arrow by writing “”. If , we say that and are connected in if and .
3 The scheme
The Elliptic Curve Topology Authenticated Key Scheme (ECTAKS) is a cryptographic protocol based on a network of users who want to communicate with each others. The network is modeled by means of a graph where users are represented as nodes. Two users can communicate if and only if they are connected in the corresponding graph. The communication between two users can start if they manage to exchange a shared secret which can be used to instantiate a DiffieHellmanlike protocol. In this setting, if the arrow from node to node exists, then user is allowed to start a communication session with user . The external assigns a set of parameters, called Local Configuration Data (), to each node of the network. For each node, is composed by two secret components, that remain unchanged once generated, and a public component, which is updated every time a new node joins the dynamic network. With respect to classical solutions of keyassignment schemes on network, the scheme proposed in this paper does not only rely on predistribution of keys in nodes. Indeed, the proposed protocol is rather based on a dynamic assignment of the public components to each node and on a static assignment of secret components. The shared secret in ECTAKS is in fact a function of both sender and receiver private key components, while in ephemeral DiffieHellmanlike schemes the shared secret is usually a function of the complete sender private key and the receiver public key. Moreover, the generates in such a way communications among nodes are allowed only if their topology is compliant to the planned network topology.
3.1 Parameter definition
Let be a positive integer and let . The authenticated network topology is a symmetric directed graph , i.e. a graph where and if , then . We furthermore assume that is loopfree, i.e. without cycles of length 1. For each , is the (nonsymmetric and cyclefree) directed subgraph of such that
In the point of view of our application, is the subgraph of the users which user is entitled to communicate to. An example of network topology network is depicted in Fig. 1.
Let us now denote by an elliptic curve over , where , and is the base point, whose order is prime number . From now on we will assume . Once the has been established, the is in charge of the assignment of the scheme parameters to each node. For each node , its assigned local configuration data is such that
where is called the local key component corresponding to the node , is called the transmitted key component corresponding to the node , and is called the topology vector corresponding to the arrow . The component represents the private information assigned to node , whereas represents its public information.
The assigns the parameters to each node in a sequential way, once it has chosen an arbitrary root node for each connected component of the graph. Starting from the parameters assigned to the root node, the computes the parameters for the other nodes of the graph according to some constraints which allow each pair of topologically admissible nodes to compute a shared secret, that we called Elliptic Curve Topology Authenticated Key ().
3.2 Parameter assignment and shared secrets
For sake of simplicity the root node where parameter assignment starts is here assumed to be node .
Node 1
The parameters and are generated randomly from and assigned to the secret component of node .
Node 2
Let us assume that the second node chosen by the is node in . Then, the parameter is generated randomly by the , provided that , and the corresponding topology vector is appended to the public component of node . Notice that can generate a random vector until the previous condition is satisfied. Once the topology vector related to the arrow has been defined, the parameter generation for node is complete and the parameters for node can be defined running the following steps:

the parameter is randomly chosen by the from the solutions of the linear equation
(1) and it is assigned to node 2;

the parameter related to the arrow is generated randomly, provided that
the corresponding topology vector is assigned to node 2;

is randomly chosen by the from the solutions of the linear equation
(2) and it is assigned to node 2.
At the end of this process the has assigned:

, to node ,

and to node .
Assume now that node wants to start a session with node 2. Then node and node can agree on an ephemeral shared secret, performing the following operations:

node generates a random nonzero element ;

node sends to node ;

node defines .
Now node can compute
where the second equality is obtained from Eq. (1). Consequently node and node have shared the nonzero secret . Similarly, node can agree with node on the shared secret
where is again an ephemeral random chosen nonzero element in generated by node , and the second equality is derived from Eq. (2).
Node 3
Assume now that node wants to agree on a shared secret with another node in , e.g. node . Then the secret component of node remains unchanged and, proceeding as for node 2, the parameter is generated randomly by the , provided that , and the corresponding topology vector is appended to the public component of node .
Once the topology vector related to the arrow has been defined, the parameters , and for node can be defined proceeding as for node .
At the end of this process the secret and public components are respectively

and for node , and

and for node .
Consequently, as in the case of the shared secret between node and node , node and node can share the nonzero secret
where is an ephemeral random chosen nonzero element in generated by node . Similarly, node can agree with node on the shared secret
where is again an ephemeral random chosen nonzero element in generated by node .
Generic node
In the general case, suppose that the has generated for node , as described above, and wants to agree on a shared secret with node in . Then, the parameter is generated randomly by the , provided that , and the corresponding topology vector is appended to the public component of node . Once the topology vector related to the arrow has been defined, the parameters for node can be defined running the following steps:

the parameter is randomly chosen by the from the solutions of the linear equation
(3) and it is assigned to node ;

the parameter related to the arrow is generated randomly, provided that
the corresponding topology vector is assigned to node ;

is randomly chosen by the from the solutions of the linear equation
(4) and it is assigned to node .
At the end of this process we have that

and is appended to for node , and

and is appended to for node .
Assume now that node wants to start a session with node . Then node and node can agree on an ephemeral shared secret, performing the following operations:

node generates a random nonzero element ;

node sends to node ;

node defines .
Now node can compute
where the second equality is obtained from Eq. (3). Consequently node and node have shared the nonzero secret . Similarly, node can agree with node on the shared secret
where is again an ephemeral random chosen nonzero element in generated by node , and the second equality is derived from Eq. (4).
Remark 1
For each , the component , which is generated by the in order to define the public component , is not accessible by any user (belonging or not to the network), unless they can solve the ECDL problem, as better explained in Section 4.
Remark 2
When the session between node and node has timed out or is not anymore valid, node and node can again agree on a disposable shared secret by selecting a new random parameter . The same happens if node is damaged and needs to be replaced by another sensor. The assigns to the new node the same secret parameter of the former node , and the communication with node is again established by selecting a new random parameter .
Remark 3
The parameter assignment is highly scalarproduct based. For this reason, it is important to point out that for each , the products of Eq. (3) defining
are uniformly distributed over
, since, by definition, its inputs are nonzero elements of . Moreover, the secret components and can be chosen from the solutions of Eq. (3) and Eq. (4) respectively. In other words, the constraints defined in Eq. (3) and Eq. (4) reduce the complexity of guessing the secret component (respectively ) from to , since the value to be guessed needs to satisfy a linear equation. However, this does not represent a security issue since the parameter is chosen to be a secure parameters, therefore the security of the scheme should rely on the size of and not on the size of .3.3 ECTAKbased authenticated encryption
We show here a classical way to provide authenticated encryption, using the as shared secret. In the following we denote by and a keyed hash function and a keyderivation function respectively, whereas and respectively denotes the encryption and the decryption procedures using the key of a symmetric encryption method, where .
Assume now that node 1 wants to send a signed encrypted message to node 2. Then node 1 performs the following operations:

generates ;

computes ;

computes ;

computes ;

computes ;

sends to node 2,
where the size of and suits respectively the domain of encryption and hash functions.
Node 2 can perform the following steps:

computes ;

recovers by computing ;

recovers computing ;

checks that .
4 Considerations on security
In this section we present some security properties of the scheme. We will show, in Theorem 4.1, in which way an attacker can successfully determine the secret parameters of a target node . We will prove that, in order the attack to be successful, the attacker needs to recover the secret information of at least two nodes connected to node
. The success probability of the attack is calculated in Theorem
4.2. The attack relies on the ability of the attacker to solve an instance of the intractable ECDL problem. To the best of our current state of knowledge, it is not possible to provide a formal reduction from one problem to the other.Let us now prove our result showing that if an attacker can solve the ECDL problem and can recover the secret components and , for some nodes connected to , then it can recover only if an algebraic condition on the coordinates is satisfied. In particular, from this follows that compromising one and only node is not enough to recover . Without any loss of generality, let us denote by node 1, node 2 and node 3 the three nodes previously mentioned. Let us assume that node 1 is targeted by the attacker, which has successfully recovered data from node 2 and node 3. Moreover, to further simplify, let us assume , where and , as depicted in Fig. 2.
We assume that and are known to the attacker aiming at recovering , recalling that are publicly available.
Since the attacker has access to an algorithm which solves the ECDL problem, it can access and . Therefore, denoting by , , and , the previous equations correspond to the following system in the unknowns and :
(5) 
where and . Therefore, denoting by
(6) 
and , the system in Eq.(5) is equivalent to the linear equation
(7) 
Theorem 4.1
Let be an adversary then can solve the ECDL problem. If , then can recover .
Proof
Since the adversary can solve the ECDL problem, it can build the system of Eq.(7). The result trivially follows, since implies that the system admits one and only one solution. ∎
Remark 4
Notice that, due to the requirements on the on each node, the first and the second row of are linearly independent, and the same holds for the third and the fourth. If can access the secret components of two nodes, then, since , the system in Eq.(5) as at least one solution. Moreover, if , the system admits solutions, then the method of Theorem 4.1 leads to an attack to the scheme with success probability . Indeed, if the attacker selects one of the solutions of the system which do not match the correct secret component of node 1, then the attempted impersonation attack is easily disclosed in the authenticatedencryption phase of the protocol (see Sec. 3.3). The same holds if only one node is compromised by , since only two equations of the system are known.
We will now show that the success probability of the attack described in Theorem 4.1 approaches 1 when the prime is sufficiently large.
Theorem 4.2
Let be the probability that successfully recovers the secret component of using the method of Theorem 4.1. Then
Proof
Let us recall that, for each parameter assignment in a scheme with 3 nodes, we can construct a matrix as in Eq. (6). We call such a matrix an admissible matrix for the scheme. Let us denote by be the set of matrices in which are admissible, and by the subset of those which are invertible. Then we have
(8) 
Let us now count . The parameters and are chosen randomly in , whereas is chosen such that . The coefficient is chosen such that , since . Notice that, if , then we need to rule out from the possible choices of those which satisfy . This reduces to the possibilities for the vector . Now, can be chosen making sure that . Since is not fixed, we have possible choices for Analogously, can be chosen in ways, since the value is fixed and . Hence, if the solution is fixed, we obtain in way. The same holds when considering . Noticing that in this argument we are using the fact that the constructed matrix is invertible, since we are assuming that is the unique solution of the problem, we obtain
The result follows from Eq. (8), considering the limit for . ∎
Notice that ECTAKS can be defined over an vector space of dimension similarly to the way it was built in Section 3 for an vector space of dimension , and Theorems 4.1 and 4.2 can be extended to the dimensional case as well. In particular, it is possible to construct a triangular block matrix that, for a large , is invertible with probability close to . Moreover, an attacker who can solve the ECDL problem can successfully determine the secret parameters of a target node , provided that it can recover the secret components of at least nodes connected to node and .
5 Conclusion and future works
In this paper we have introduced the protocol ECTAKS, derived from pugliese08 and here adapted to the case of ellipticcurve cryptography. We have studied some security issues of the scheme, with a focus on the underlying ECDL problem. We have proven that, even though the secret and public components of the scheme are linked by means of linear equations, an attacker who wants to make use of the linear algebra method (explained in Sec. 4) to recover the secret components to a target node needs to be able to solve the ECDL problem and to access the secret components of at least two nodes connected to the target node. Although at the time of writing we understand that the scheme lacks of a general and complete security proof, the search for an argument showing that an attack to ECTAKS can be converted into an attack to the underlying ECDL problem remains open.
References

[1]
M. AlSubaie and M. Zulkernine.
Efficacy of Hidden Markov Models Over Neural Networks in Anomaly Intrusion Detection.
In 30th Annual International Computer Software and Applications Conference (COMPSAC’06), volume 1, pages 325–332, 2006.  [2] H. Arjmandi and F. Lahouti. A key predistribution scheme based on multiple block codes for wireless sensor networks. In 7’th International Symposium on Telecommunications (IST’2014), pages 857–860, 2014.
 [3] E. Bach. Intractable problems in number theory. In S. Goldwasser, editor, Advances in Cryptology – CRYPTO’ 88, pages 77–93, New York, NY, 1990. Springer New York.
 [4] D. J. Bernstein. Curve25519: New DiffieHellman Speed Records. In M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors, Public Key Cryptography – PKC 2006, pages 207–228, Berlin, Heidelberg, 2006. Springer Berlin Heidelberg.
 [5] .. FIPS PUB. Digital Signature Standard (DSS). NIST, 2013.
 [6] S. D. Galbraith and P. Gaudry. Recent progress on the elliptic curve discrete logarithm problem. Designs, Codes and Cryptography, 78(1):51–72, 2016.
 [7] V. Gupta, S. Gupta, S. Chang, and D. Stebila. Performance analysis of elliptic curve cryptography for ssl. In Proceedings of the 1st ACM workshop on Wireless security, pages 87–94, 2002.
 [8] Haowen Chan, A. Perrig, and D. Song. Random key predistribution schemes for sensor networks. In 2003 Symposium on Security and Privacy, 2003., pages 197–213, 2003.
 [9] R. J. Kavitha and B. E. Caroline. Hybrid cryptographic technique for heterogeneous wireless sensor networks. In 2015 International Conference on Communications and Signal Processing (ICCSP), pages 1016–1020, 2015.
 [10] D. Kim, J. Yun, and S. Kim. Hybrid public key authentication for wireless sensor networks. In 2017 12th International Conference for Internet Technology and Secured Transactions (ICITST), pages 142–143, 2017.
 [11] N. Koblitz. Elliptic Curve Cryptosystems. Mathematics of Computation, 48(177):203–209, 1987.
 [12] N. Koblitz. CMCurves with Good Cryptographic Properties. In J. Feigenbaum, editor, Advances in Cryptology – CRYPTO ’91, pages 279–287, Berlin, Heidelberg, 1992. Springer Berlin Heidelberg.
 [13] N. Koblitz and A. Menezes. Intractable problems in cryptography. In Proceedings of the 9th Conference on Finite Fields and Their Applications. Contemporary Mathematics, volume 518, pages 279–300, 2010.
 [14] R. Kuchipudi, A. A. M. Qyser, and V. V. S. S. S. Balaram. A dynamic key distribution in wireless sensor networks with reduced communication overhead. In 2016 International Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT), pages 3651–3654, 2016.
 [15] D. Liu and P. Ning. Establishing Pairwise Keys in Distributed Sensor Networks. In Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS Õ03, pages 52–61, New York, NY, USA, 2003. Association for Computing Machinery.
 [16] Manjunath CR, S. Anand, and G. Nagaraja. An hybrid secure scheme for secure transmission in grid based Wireless Sensor Network. In 2015 IEEE International Advance Computing Conference (IACC), pages 472–475, 2015.
 [17] S. Marchesani, L. Pomante, M. Pugliese, and F. Santucci. Definition and Development of a TopologyBased Cryptographic Scheme for Wireless Sensor Networks. In M. Zuniga and G. Dini, editors, Sensor Systems and Software, pages 47–64, Cham, 2013. Springer International Publishing.
 [18] S. Marchesani, L. Pomante, F. Santucci, and M. Pugliese. A Cryptographic Scheme for RealWorld Wireless Sensor Networks Applications. In Proceedings of the ACM/IEEE 4th International Conference on CyberPhysical Systems, ICCPS Õ13, page 249, New York, NY, USA, 2013. Association for Computing Machinery.
 [19] A. Menezes. The Elliptic Curve Discrete Logarithm Problem: State of the Art. In K. Matsuura and E. Fujisaki, editors, Advances in Information and Computer Security, pages 218–218, Berlin, Heidelberg, 2008. Springer Berlin Heidelberg.
 [20] A. Menezes, E. Teske, and A. Weng. Weak Fields for ECC. In T. Okamoto, editor, Topics in Cryptology – CTRSA 2004, pages 366–386, Berlin, Heidelberg, 2004. Springer Berlin Heidelberg.
 [21] V. S. Miller. Use of Elliptic Curves in Cryptography. In H. C. Williams, editor, Advances in Cryptology – CRYPTO ’85 Proceedings, pages 417–426, Berlin, Heidelberg, 1986. Springer Berlin Heidelberg.
 [22] M. Pugliese. Managing Security Issues inÊAdvanced Applications of Wireless Sensor Networks. PhD thesis, Department of Electrical Engineering and Computer Science, University of L’Aquila, 2008. https://mpugliese.webnode.it/_files/200000061a7608a760b/24.%20phd_thesis.pdf.
 [23] M. Pugliese, L. Pomante, and F. Santucci. Secure platform over wireless sensor networks. In Applied Cryptography and Network Security. IntechOpen, 2012.
 [24] M. Pugliese and F. Santucci. Pairwise network topology authenticated hybrid cryptographic keys for Wireless Sensor Networks using vector algebra. In 2008 5th IEEE International Conference on Mobile Ad Hoc and Sensor Systems, pages 853–859, 2008.
 [25] J. H. Silverman. The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. SpringerVerlag, New York, 2009.