Log In Sign Up

An Authenticated Key Scheme over Elliptic Curves for Topological Networks

Nodes of sensor networks may be resource-constrained devices, often having a limited lifetime, making sensor networks remarkably dynamic environments. Managing a cryptographic protocol on such setups may require a disproportionate effort when it comes to update the secret parameters of new nodes that enter the network in place of dismantled sensors. For this reason, the designers of schemes for sensor network are always concerned with the need of scalable and adaptable solutions. In this work, we present a novel elliptic-curve based solution, derived from the previously released cryptographic protocol TAKS, which addresses this issue. We give a formal description of the scheme, built on a two-dimensional vector space over a prime field and over elliptic curves, where node topology is more relevant than node identity, allowing a dynamic handling of the network and reducing the cost of network updates. We also study some security concerns and their relation to the related discrete logarithm problem over elliptic curves.


An Authenticated Key Scheme over Elliptic Curves and Security Considerations

Nodes of sensor networks may be resource-constrained devices, often havi...

Multiparty Non-Interactive Key Exchange and More From Isogenies on Elliptic Curves

We describe a framework for constructing an efficient non-interactive ke...

Murmurations of elliptic curves

We investigate the average value of the pth Dirichlet coefficients of el...

Accelerating the Couveignes Rostovtsev Stolbunov key exchange protocol

We study a key exchange protocol based on isogenies between ordinary ell...

A Key-Agreement Protocol Based on Static Parameters and Hash Functions

Wireless Body Sensor Network (WBSN) is a developing technology with cons...

A new ECDLP-based PoW model

We lay the foundations for a blockchain scheme, whose consensus is reach...

1. Introduction

The Topology Authenticated Key Scheme (TAKS) is a cryptographic protocol, proposed in [22, 23] for the first time and successively generalised [17, 18], providing security over a resource-constrained network (typically ad-hoc networks, e.g. sensor networks for monitoring services). Its authentication mechanism is based on node topology rather than on node identity, due to the limited lifetime of nodes in a resource-constrained network. Indeed, while nodes in infra-structured networks can rely on a external power supply and on a stable planned maintenance service with human intervention, the nodes in ad-hoc networks can rely only on their own battery or some other energy harvesting mechanism, and maintenance services are usually remotely performed without human intervention. When an off-duty node is replaced with a new node, the new node identity enters in the network, but node topology remains unchanged and the authentication mechanism does not need any updating. Other examples of network-based key pre-distribution schemes may be found in [1, 2, 8, 14, 15].

The scheme we propose in this paper, called Elliptic Curve based Topological Authenticated Key Scheme (), is derived from TAKS and is defined as a hybrid deterministic Key Establishment Protocol (KEP) over elliptic curves, and is designed to establish both point-to-point and point-to-multipoint secure links among nodes. Security features of may include confidentiality (data encryption), data integrity and sender authentication (signature). Other examples of hybrid KEPs may be found in [9, 10, 16]. In the shared secret is a symmetric key generated by each party involved in the communication session upon a successful authentication process, where each party verifies if the other party belongs to its authenticated network. Such a network is represented as a graph, where parties (network nodes) are the vertices and the communication links are the edges. The assignment parameter to each node is carried out by an external Certification Authority (); the scheme parameter are successively preloaded into the nodes.

While TAKS [23] provides only key establishment facilities for point-to-point communications by means of a Diffie-Hellman-like scheme and its generalisation [17] extends to point-to-multipoint sessions, the improvements implemented in this paper directly provide with key establishment capabilities for both point-to-point and point-to-multipoint communications. More importantly, elliptic curve cryptography allows achieving comparable security levels using reduced key lenghts [7].

In this paper we provide a rigorous description of and address a security analysis of the scheme. In this regard, we will show that can be broken if an adversary can solve the intractable Discrete Logarithm problem over elliptic curves, provided that it also manage to solve a linear system of equations.
The paper is organised as follows: in Sec. 2 we introduce the notation and some auxiliary results. The scheme is defined in Sec. 3, together with the authenticated-encryption methods which is derived from it. An early security analysis of the scheme is carried out in Sec. 4. Sec. 5 concludes the paper with some considerations on open problems.

2. Notation

is a scheme based on elliptic curves as well as vector spaces over finite fields. The network of nodes where is built is modeled by a graph. In order to provide a rigorous description of the scheme and of its model, let us define the following elements.


Let be a prime number, and let be the finite field with elements. We denote by an uniformly random generated element in . The scheme presented is this paper is mainly based on the 2-dimensional vector space . Scalar elements in are usually denoted by lower-case greek letters, whereas vectors in are denoted by bold latin letters. Given two vectors we define the scalar product over of and as

Elliptic curves

Let be the power of a prime number. An elliptic curve over is the abelian group of -rational points satisfying a Weierstrass equation [24], i.e.

where . Throughout this paper we will denote by the generator of a subgroup of of order , called the base point. Given a vector and we define


The following result is easily checked.

Lemma 2.1.

Let . Then we have


Let and . Then

We assume the security of the scheme we propose in this paper to be relying on the following security assumption [11, 21].

Problem 1 (ECDL problem).

Let be an elliptic curve over the finite field , let and . The (computational) Elliptic Curve Discrete Logarithm problem (ECDL problem) is the problem of finding the integer when the points and are given.

Provided that the curve meets some well-established requirements (see e.g   [4, 5, 12, 20]), the ECDL problem is assumed to be computationally intractable [3, 13]. For some overviews on algorithms solving the ECDL problem and related problems, see e.g. [6, 19].


A directed graph is a pair of sets , where and . We call arrows the elements of , and for each arrow we denote the tail of the arrow as and the head of the arrow as . In order to keep the notation cleaner, we will sometimes denote the arrow by writing “”. If , we say that and are connected in if and .

3. The scheme

The scheme is a cryptographic protocol based on a network of users who want to communicate with each others. The network is modeled by means of a graph where users are represented as nodes. A node models whatever physical device equipped with a processing unit together to sensors/detectors and a radio chip for TX/RX operations. Two users can communicate if and only if they are connected in the corresponding graph. In this setting, if the arrow from node to node exists, then user is allowed to start a communication session with user . The communication between two users can start if they manage to exchange a shared secret which they will use to create an authenticated-encryption session (see Sec. 3.3). The external assigns a set of parameters, called Local Configuration Data (), to each node of the network. For each node, is composed by two secret components, that remain unchanged once generated, and a public component, which is updated every time a new node joins the dynamic network. Moreover, the generates in such a way communications among nodes are allowed only if their topology is compliant to the planned network topology.

The scheme presents some relevant features which makes it quite different from classical Diffie-Hellman-like schemes based on elliptic curves (ECDH schemes).

  1. With respect to classic ECDH-like solutions, the scheme proposed in this paper does not only rely on pre-distribution of keys in nodes. As a matter of fact, the proposed protocol is rather based on a dynamic assignment of the public components to each node and on a static assignment of secret components. The shared secret in is in fact a function of both sender and receiver private key components, while in ephemeral ECDH-like schemes the shared secret is usually a function of the complete sender private key and receiver public key and this is a nice property from a robustness point of view.

  2. Vector spaces, rather than scalars, are introduced to allow the setup of authenticated truly point-to-multipoint communication sessions, i.e. sessions from a master root node to leaf nodes, without setting up multiple point-to-point sessions. The added dimensionality introduces a further degree of freedom for the CA in the procedure of parameters computation and assignment. From an engineering point of view, point-to-multipoint sessions provide a relevant feature especially for clustered networks, when management services, such as the updating of some configuration parameters in a specific cluster of the network, are activated.

  3. The activation of an authenticated point-to-multipoint communication session is truly scalable in , since any new communication link from the master node to a new member added to an already established point-to-multipoint session will not imply any parameter update. This relevant feature is due to the fact that the generated shared secret for any new communication link results the same shared secret of the existing point-to-multipoint session, differently from classical ECDH-like schemes, where the addition of a communication link implies a newly generated and different shared secret, which depends on the public key of the new member node. Therefore, a point-to-multipoint communication session results in the aggregation of multiple point-to-point sessions, each one from the master to a member. From an engineering point of view, scalable point-to-multipoint sessions not only mean lighter requirements for memory storage and protocol complexity, but also the availability of syncronised transmissions within the nodes in the cluster as encryption / authentication operations on transmitted data can be performed by the master at the same time using a unique key.

Let us know give a formal description of the scheme. At the end of the following session, an example over a simple network is shown.

3.1. Parameter definition

Let be a positive integer and let . The authenticated network topology is a symmetric directed graph , i.e. a graph where and if , then . We furthermore assume that is loop-free, i.e. without cycles of length 1. For each , is the (non-symmetric and cycle-free) directed subgraph of such that

In the point of view of our application, is the subgraph of the users which user is entitled to communicate to. An example of network topology network is depicted in Fig. 1.

Figure 1. An example of , where red nodes represent .

Let us now denote by an elliptic curve over , where , and is the base point, whose order is prime number . From now on we will assume . Once the has been established, the is in charge of the assignment of the scheme parameters to each node. For each node , its assigned local configuration data is such that

where is called the local key component corresponding to the node , is called the transmitted key component corresponding to the node , and is called the topology vector corresponding to the arrow . The component represents the private information assigned to node , whereas represents its public information.

The assigns the parameters to each node in a sequential way, once it has chosen an arbitrary root node for each connected component of the graph. Starting from the parameters assigned to the root node, the computes the parameters for the other nodes of the graph according to some constraints which allow each pair of topologically admissible nodes to compute a shared secret, that we called Elliptic Curve Topology Authenticated Key ().

3.2. Parameter assignment and shared secrets

Let be the planned topology. As already mentioned, the parameter assignment is carried out in a sequential way by the , starting from a root node in each connected component of the graph.

3.2.1. Parameters from a root node

Let node be the first root node chosen by the . Then the parameters and are generated randomly from and assigned to the secret component of node . Now, for each node to be connected to node , two cases need to be distinguished:

is not defined:

the parameter is generated randomly by the , provided that , and the corresponding topology vector is appended to the public component of node . Once the topology vector related to the arrow has been defined, the parameters for node can be defined running the following steps:

  • the parameter is randomly chosen by the from the solutions of the linear equation


    and it is assigned to node ;

  • the parameter related to the arrow is generated randomly, provided that

    the corresponding topology vector is assigned to node ;

  • is randomly chosen by the from the solutions of the linear equation


    and it is assigned to node .

At the end of this process we have that

  • is appended to for node ,

  • and is appended to for node .

is already defined:

the topology vector related to the arrows and are defined as follows:

  • the parameter is randomly chosen by the from the solutions of the linear equation

  • the parameter is randomly chosen by the from the solutions of the linear equation


At the end of this process we have that

  • is appended to for node ,

  • is appended to for node .

This process is completed when the has assigned secret and public components to each node of the graph.

3.2.2. The shared secret

Assume now that node wants to start a session with node . Then node and node can agree on an ephemeral shared secret, performing the following operations:

  • node generates a random non-zero element ;

  • node sends to node ;

  • node defines .

Now node can compute

where the second equality is obtained from Eq. (1). Consequently node and node have shared the non-zero secret . Similarly, node can agree with node on the shared secret

where is again an ephemeral random chosen non-zero element in generated by node , and the second equality is derived from Eq. (2).

Remark 3.1.

For each , the component , which is generated by the in order to define the public component , is not accessible by any user (belonging or not to the network), unless they can solve the ECDL problem, as better explained in Section 4.

Remark 3.2.

When the session between node and node has timed out or is not anymore valid, node and node can again agree on a disposable shared secret by selecting a new random parameter . The same happens if node is damaged and needs to be replaced by another sensor. The assigns to the new node the same secret parameter of the former node , and the communication with node is again established by selecting a new random parameter .

Remark 3.3.

The parameter assignment is highly scalar-product based. For this reason, it is important to point out that for each , the products of Eq. (1) defining

are uniformly distributed over

, since, by definition, its inputs are non-zero elements of . Moreover, the secret components and can be chosen from the solutions of Eq. (1) and Eq. (2) respectively. In other words, the constraints defined in Eq. (1) and Eq. (2) reduce the complexity of guessing the secret component (respectively ) from to , since the value to be guessed needs to satisfy a linear equation. However, this does not represent a security issue since the parameter is chosen to be a secure parameters, therefore the security of the scheme should rely on the size of and not on the size of .

Example 3.4.

As an example, let us describe the parameter assignment on the simple of Fig. 2, where

and the root node where parameter assignment starts is assumed to be node .

Figure 2. Key assignment on a simple ANT, the root node is highlighted.

Node 1

The parameters and are generated randomly from and assigned to the secret component of node .

Node 2

Let us assume that the second node chosen by the is node in . Then, the parameter is generated randomly by the , provided that , and the corresponding topology vector is appended to the public component of node . According to the description of Sec. 3.2.1:

  • the parameter is chosen by the from the solutions of

  • the parameter related to the arrow is generated randomly, provided that

  • is chosen by the from the solutions of

At the end of this process the has assigned:

  • to node ,

  • and to node .

Node 3

Let us assume that the third node chosen by the is node in . Then the secret component of node remains unchanged and, proceeding as for node 2, the parameter is generated randomly by the , provided that , and the corresponding topology vector is appended to the public component of node . Once the topology vector related to the arrow has been defined, the parameters , and for node can be defined proceeding as for node . At the end of this process the secret and public components are respectively

  • and for node ,

  • and for node ,

  • and for node .

Arrows and

In the topology under consideration, the communication between node and node is allowed. Since the secret components and have already been defined to link node 1 to node 2 and node 3, the parameter generation for and needs to be carried out as described in Sec. 3.2.1 in the second case. For this reason

  • the parameter is chosen by the from the solutions of

  • the parameter is chosen by the from the solutions of

At the end of this process we have that

  • is appended to for node ,

  • is appended to for node .

In conclusion, we have

  • and for node ,

  • and for node ,

  • and for node ,

and the parameter generation is complete.

3.3. ECTAK-based authenticated encryption

We show here a classical way to provide authenticated encryption, using the as shared secret. In the following we denote by and a keyed hash function and a key-derivation function respectively, whereas and respectively denotes the encryption and the decryption procedures using the key of a symmetric encryption method, where .
Assume now that node 1 wants to send a signed encrypted message to node 2. Then node 1 performs the following operations:

  • generates ;

  • computes ;

  • computes ;

  • computes ;

  • computes ;

  • sends to node 2,

where the size of and suits respectively the domain of encryption and hash functions.
Node 2 can perform the following steps:

  • computes ;

  • recovers by computing ;

  • recovers computing ;

  • checks that .

4. Considerations on security

In this section we present some security properties of the scheme. We will show, in Theorem 4.1, in which way an attacker can successfully determine the secret parameters of a target node . Our interest in this case scenario is due to the occurrence that typical deployment of sensor nodes in the operation environment is generally unattended and therefore the risk of physical attacks such as the brute capture of a node should be seriously taken into consideration. We will prove that, in order the attack to be successful, the attacker needs to recover the secret information of at least two nodes connected to node

. The success probability of the attack is calculated in Theorem 

4.3. The attack relies on the ability of the attacker to solve an instance of the intractable ECDL problem. To the best of our current state of knowledge, it is not possible to provide a formal reduction from one problem to the other.

Let us now prove our result showing that if an attacker can solve the ECDL problem and can recover the secret components and , for some nodes connected to , then it can recover only if an algebraic condition on the coordinates is satisfied. In particular, from this follows that compromising one and only node is not enough to recover . Without any loss of generality, let us denote by node 1, node 2 and node 3 the three nodes previously mentioned. Let us assume that node 1 is targeted by the attacker, which has successfully recovered data from node 2 and node 3. Moreover, to further simplify, let us assume , where and , as depicted in Fig. 3.

Figure 3. The network targeted by the attacker, where the target node 1 is highlighted.

We assume that and are known to the attacker aiming at recovering , recalling that are publicly available.

Since the attacker has access to an algorithm which solves the ECDL problem, it can access and . Therefore, denoting by , , and , the previous equations correspond to the following system in the unknowns and :


where and . Therefore, denoting by


and , the system in Eq.(5) is equivalent to the linear equation

Theorem 4.1.

Let be an adversary then can solve the ECDL problem. If , then can recover .


Since the adversary can solve the ECDL problem, it can build the system of Eq.(7). The result trivially follows, since implies that the system admits one and only one solution. ∎

Remark 4.2.

Notice that, due to the requirements on the on each node, the first and the second row of are linearly independent, and the same holds for the third and the fourth. If can access the secret components of two nodes, then, since , the system in Eq.(5) as at least one solution. Moreover, if , the system admits solutions, then the method of Theorem 4.1 leads to an attack to the scheme with success probability . Indeed, if the attacker selects one of the solutions of the system which do not match the correct secret component of node 1, then the attempted impersonation attack is easily disclosed in the authenticated-encryption phase of the protocol (see Sec. 3.3). The same holds if only one node is compromised by , since only two equations of the system are known.

We will now show that the success probability of the attack described in Theorem 4.1 approaches 1 when the prime is sufficiently large.

Theorem 4.3.

Let be the probability that successfully recovers the secret component of using the method of Theorem 4.1. Then


Let us recall that, for each parameter assignment in a scheme with 3 nodes, we can construct a matrix as in Eq. (6). We call such a matrix an admissible matrix for the scheme. Let us denote by be the set of matrices in which are admissible, and by the subset of those which are invertible. Then we have


Let us now count . The parameters and are chosen randomly in , whereas is chosen such that . The coefficient is chosen such that , since . Notice that, if , then we need to rule out from the possible choices of those which satisfy . This reduces to the possibilities for the vector . Now, can be chosen making sure that . Since is not fixed, we have possible choices for Analogously, can be chosen in ways, since the value is fixed and . Hence, if the solution is fixed, we obtain in way. The same holds when considering . Noticing that in this argument we are using the fact that the constructed matrix is invertible, since we are assuming that is the unique solution of the problem, we obtain

The result follows from Eq. (8), considering the limit for . ∎

Notice that can be defined over an -vector space of dimension similarly to the way it was built in Section 3 for an -vector space of dimension , and Theorems 4.1 and 4.3 can be extended to the -dimensional case as well. In particular, it is possible to construct a triangular block matrix that, for a large , is invertible with probability close to . Moreover, an attacker who can solve the ECDL problem can successfully determine the secret parameters of a target node , provided that it can recover the secret components of at least nodes connected to node and .

5. Conclusion and future works

In this paper we have introduced the protocol , derived from [23] and here adapted to the case of elliptic-curve cryptography. We have studied some security issues of the scheme, with a focus on the underlying ECDL problem. We have proven that, even though the secret and public components of the scheme are linked by means of linear equations, an attacker who wants to make use of the linear algebra method (explained in Sec. 4) to recover the secret components to a target node needs to be able to solve the ECDL problem and to access the secret components of at least two nodes connected to the target node. Although at the time of writing we understand that the scheme lacks of a general and complete security proof, the search for an argument showing that an attack to can be converted into an attack to the underlying ECDL problem remains open.


The authors wish to thank prof. Fortunato Santucci, director of the Centre of EXcellence on Connected Geolocalized and Cybersecure Vehicles (ExEMERGE) at University of L’Aquila, for his contributions in the development of TAKS and for stimulating the further research steps. Studies on the elliptic curve extension of TAKS and the on going implementation of ECTAKS algorithms on hardware chipset for fast automotive applications are part of the research activities in ExEMERGE.


  • [1] M. Al-Subaie and M. Zulkernine.

    Efficacy of Hidden Markov Models Over Neural Networks in Anomaly Intrusion Detection.

    In 30th Annual International Computer Software and Applications Conference (COMPSAC’06), volume 1, pages 325–332, 2006.
  • [2] H. Arjmandi and F. Lahouti. A key pre-distribution scheme based on multiple block codes for wireless sensor networks. In 7’th International Symposium on Telecommunications (IST’2014), pages 857–860, 2014.
  • [3] E. Bach. Intractable problems in number theory. In Shafi Goldwasser, editor, Advances in Cryptology – CRYPTO’ 88, pages 77–93, New York, NY, 1990. Springer New York.
  • [4] D. J. Bernstein. Curve25519: New Diffie-Hellman Speed Records. In Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors, Public Key Cryptography – PKC 2006, pages 207–228, Berlin, Heidelberg, 2006. Springer Berlin Heidelberg.
  • [5] 186-4 FIPS PUB. Digital Signature Standard (DSS). NIST, 2013.
  • [6] S. D. Galbraith and P. Gaudry. Recent progress on the elliptic curve discrete logarithm problem. Designs, Codes and Cryptography, 78(1):51–72, 2016.
  • [7] Vipul Gupta, Sumit Gupta, Sheueling Chang, and Douglas Stebila. Performance analysis of elliptic curve cryptography for ssl. In Proceedings of the 1st ACM workshop on Wireless security, pages 87–94, 2002.
  • [8] Haowen Chan, A. Perrig, and D. Song. Random key predistribution schemes for sensor networks. In 2003 Symposium on Security and Privacy, 2003., pages 197–213, 2003.
  • [9] R. J. Kavitha and B. E. Caroline. Hybrid cryptographic technique for heterogeneous wireless sensor networks. In 2015 International Conference on Communications and Signal Processing (ICCSP), pages 1016–1020, 2015.
  • [10] D. Kim, J. Yun, and S. Kim. Hybrid public key authentication for wireless sensor networks. In 2017 12th International Conference for Internet Technology and Secured Transactions (ICITST), pages 142–143, 2017.
  • [11] N. Koblitz. Elliptic Curve Cryptosystems. Mathematics of Computation, 48(177):203–209, 1987.
  • [12] N. Koblitz. CM-Curves with Good Cryptographic Properties. In Joan Feigenbaum, editor, Advances in Cryptology – CRYPTO ’91, pages 279–287, Berlin, Heidelberg, 1992. Springer Berlin Heidelberg.
  • [13] N. Koblitz and A. Menezes. Intractable problems in cryptography. In Proceedings of the 9th Conference on Finite Fields and Their Applications. Contemporary Mathematics, volume 518, pages 279–300, 2010.
  • [14] R. Kuchipudi, A. A. M. Qyser, and V. V. S. S. S. Balaram. A dynamic key distribution in wireless sensor networks with reduced communication overhead. In 2016 International Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT), pages 3651–3654, 2016.
  • [15] D. Liu and P. Ning. Establishing Pairwise Keys in Distributed Sensor Networks. In Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS Õ03, pages 52–61, New York, NY, USA, 2003. Association for Computing Machinery.
  • [16] Manjunath CR, S. Anand, and G. Nagaraja. An hybrid secure scheme for secure transmission in grid based Wireless Sensor Network. In 2015 IEEE International Advance Computing Conference (IACC), pages 472–475, 2015.
  • [17] S. Marchesani, L. Pomante, M. Pugliese, and F. Santucci. Definition and Development of a Topology-Based Cryptographic Scheme for Wireless Sensor Networks. In Marco Zuniga and Gianluca Dini, editors, Sensor Systems and Software, pages 47–64, Cham, 2013. Springer International Publishing.
  • [18] S. Marchesani, L. Pomante, F. Santucci, and M. Pugliese. A Cryptographic Scheme for Real-World Wireless Sensor Networks Applications. In Proceedings of the ACM/IEEE 4th International Conference on Cyber-Physical Systems, ICCPS Õ13, page 249, New York, NY, USA, 2013. Association for Computing Machinery.
  • [19] A. Menezes. The Elliptic Curve Discrete Logarithm Problem: State of the Art. In Kanta Matsuura and Eiichiro Fujisaki, editors, Advances in Information and Computer Security, pages 218–218, Berlin, Heidelberg, 2008. Springer Berlin Heidelberg.
  • [20] A. Menezes, E. Teske, and A. Weng. Weak Fields for ECC. In Tatsuaki Okamoto, editor, Topics in Cryptology – CT-RSA 2004, pages 366–386, Berlin, Heidelberg, 2004. Springer Berlin Heidelberg.
  • [21] V. S. Miller. Use of Elliptic Curves in Cryptography. In Hugh C. Williams, editor, Advances in Cryptology – CRYPTO ’85 Proceedings, pages 417–426, Berlin, Heidelberg, 1986. Springer Berlin Heidelberg.
  • [22] M. Pugliese. Managing Security Issues inÊAdvanced Applications of Wireless Sensor Networks. PhD thesis, Department of Electrical Engineering and Computer Science, University of L’Aquila, 2008.
  • [23] M. Pugliese and F. Santucci. Pair-wise network topology authenticated hybrid cryptographic keys for Wireless Sensor Networks using vector algebra. In 2008 5th IEEE International Conference on Mobile Ad Hoc and Sensor Systems, pages 853–859, 2008.
  • [24] J. H. Silverman. The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Springer-Verlag, New York, 2009.