A probabilistic key agreement scheme for sensor networks without key predistribution
The dynamic establishment of shared information (e.g. secret key) between two entities is particularly important in networks with no pre-determined structure such as wireless sensor networks (and in general wireless mobile ad-hoc networks). In such n…
Authors: V. Liagkou, E. Makri, P. Spirakis
A probabilistic key agreement scheme for sensor networks without key predistribution ⋆

V. Liagkou 1,3, E. Makri 4, P. Spirakis 1,3, and Y.C. Stamatiou 2,3

1 University of Patras, Dept. of Computer Engineering, 26500, Rio, Patras, Greece
2 Mathematics Department, 451 10, Ioannina, Greece. e-mail: istamat@uoi.gr
3 Research and Academic Computer Technology Institute, N. Kazantzaki, University of Patras, 26500, Rio, Patras, Greece
4 University of the Aegean, Department of Mathematics, 83000, Karlovassi, Samos, Greece.

⋆ Partially supported by the IST Programme of the European Union under contract number IST-2005-15964 (AEOLUS) and by the ICT Programme of the European Union under contract number ICT-2008-215270 (FRONTS).

Abstract. The dynamic establishment of shared information (e.g. secret key) between two entities is particularly important in networks with no pre-determined structure such as wireless sensor networks (and in general wireless mobile ad-hoc networks). In such networks, nodes establish and terminate communication sessions dynamically with other nodes which may have never been encountered before, in order to somehow exchange information which will enable them to subsequently communicate in a secure manner. In this paper we give and theoretically analyze a series of protocols that enables two entities that have never encountered each other before to establish a shared piece of information for use as a key in setting up a secure communication session with the aid of a shared key encryption algorithm. These protocols do not require previous pre-distribution of candidate keys or some other piece of information of specialized form except a small seed value, from which the two entities can produce arbitrarily long strings with many similarities.

1 Introduction

Wireless Sensor Networks (WSNs) have some constraints, with regard to battery life, processing, memory and communication ([3]) capacity, and as such are deemed unsuitable for public crypto-based systems. Thus, symmetric key cryptosystems are more appropriate for these types of networks, but lead to problems with key distribution. These problems are mitigated with key pre-distribution schemes, in which candidate keys are distributed to members of the network before the start of communication. Many innovative and intuitive key pre-distribution schemes for WSNs have been proposed for solving the problem of key distribution in sensor networks. On the two ends of the spectrum are key pre-distribution schemes that use a single master key as the encryption key distributed amongst all the nodes, and all pairwise keys, where a unique key exists for every pair of sensors. The former provides the most efficient usage of memory and scales well, but an attack on one node compromises the whole network, whereas the latter provides excellent resilience but does not scale well. In addition, schemes exist which are in essence probabilistic, relying on the fact that any two neighbouring nodes have some probability p of successfully completing key establishment. Some such schemes are presented in the sequel, but the list is by no means exhaustive.

The authors of [10] propose a key distribution scheme which consists of three phases. In the first phase, namely the key pre-distribution phase, k random keys are drawn from a generated pool of P keys, and are preloaded onto the sensor nodes before their deployment. These k keys constitute the key ring of each sensor node. The key identifiers of the key rings are loaded onto controller nodes, along with the identifiers of the corresponding nodes and the keys shared between the controller nodes and the sensor nodes. Once the nodes are deployed, the second phase takes place, the shared-key discovery phase, which allows nodes to discover their neighbours within communication range and with which they share keys. This phase establishes the topology of the sensor network, as seen by the routing layer. The third, and final, phase is the path-key establishment phase, which assigns a path-key to pairs of sensor nodes in wireless communication range that do not share a common key. The authors of [4] present an alternative to this scheme, the q-composite random key predistribution scheme, whereby instead of one single common key to be shared between two nodes, q keys are required, resulting in strengthened security under small scale attacks, trading off increased vulnerability on large scale attacks. The authors also propose the establishment of the key-path along multiple paths, and a random-pairwise keys scheme which provides, amongst others, node-to-node authentication. The authors of [5] also take the scheme of [10] and modify it by taking into consideration that different locations of nodes require different security needs, and as such propose a subgrouping approach in order to isolate any node captures that might take place in specific subgroups. The scheme also provides scalability for key pre-distribution, by taking into account the probability of node compromise for each of the subgroups. Chan and Perrig ([6]) address the lack of scalability of existing symmetric-key key distribution protocols, and increase the security against node compromise. In their proposed PIKE protocol, sensor nodes are used as trusted intermediaries to establish shared keys between nodes in the wireless sensor network. The authors of [8] propose a pair-wise key pre-distribution scheme, which is based on the scheme proposed by [1]. Their work involves the pre-loading of crypto shares from multiple key spaces onto each sensor node, and after deployment, two nodes may establish a shared key between them only if they contain crypto shares from the same key space, leading to an improvement in scalability. Finally, the same authors ([9]) propose a scheme which utilises deployment knowledge, and generates pairwise keys between nodes and their neighbours, guaranteeing that each node can establish a secure communications link with its neighbours post deployment, with a high probability. The previous solutions all pre-suppose that the sensor nodes have been loaded with some pre-existing information (i.e. the key, or sets of keys) prior to network deployment, except for Liu and Cheng ([11]). They propose a self-configured scheme whereby no prior knowledge is loaded onto the sensor nodes, but shared keys are computed amongst the neighbours. The authors propose SBK, which is also a topology adaptive scheme and achieves high connectivity with a small storage overhead, and iSBK, an improved version of SBK.

In this paper, we propose a key agreement scheme whereby network nodes are not pre-loaded with candidate keys, but generate pairs of symmetric keys from two, initially random, bit strings. The initial research conducted ([12]) proposed a protocol that involved the examination of random positions of subsets of size k, and the elimination of a random position if the two bit strings were found to disagree on more than half the examined positions. In that paper, however, the nodes cannot secretly compute the number of differing positions, a problem that is resolved in the present paper using secret circuit computations. In addition, the present protocols do not eliminate differing bits but flip them, depending on the number of bit differences in the examined subset of k bits. This leads to a different stochastic process that called for a different theoretical analysis. The scheme we propose has the following four properties: (i) scalability, since new nodes may enter the network whenever they desire without the need to equip them with some suitable key set; (ii) connectivity, since any two nodes of the network can reach a large degree of similarities on the strings they possess; (iii) no storage overhead, since the string sizes are independent of the network size; and (iv) resilience against node captures, since capturing any number of nodes of the network does not affect the strings other nodes possess. On the negative side, the protocols we give have some increased communication overhead. However, once two nodes reach a position where their two strings have sufficiently much similarity, they can create from them a large number of candidate keys (possibly using error correction techniques to create even more similarities) for their current and future communication needs.

2 The bit-similarity problem

Two entities, say 0 and 1, initially possess an N-bit string, $X^0_N$ and $X^1_N$ respectively. The entities' goal is to cooperatively transform their strings so as to increase the percentage of positions at which their strings contain the same bits, which we denote by $X(i)$, with i being the time step of the protocol they execute. Then $X(0)$ is the initial percentage of the positions at which the two strings are the same.
Below we provide a randomized protocol in which the two entities examine randomly chosen subsets of their strings in order to see whether they differ in at least half of the places. If they do, one of the entities (in turn) randomly flips a subset of these positions. This process continues up to a certain, predetermined number of steps. The intuition behind this protocol is that when two random substrings of two strings differ in at least half of their positions, then flipping some bits at random in one of the substrings is more likely to increase the percentage of similarities between the strings than to decrease it. In the description of the protocol $X^c_N[S]$ denotes the substring of string $X^c_N$ defined by the position set S.

Protocol for user $U_c$, c = 0, 1

Protocol parameters known to both communicating parties: (i) k, l, the subset sizes; (ii) T, the number of protocol execution steps; (iii) the index (bit position) set N; (iv) the circuit C with which the two entities jointly compute whether there are at least ⌈k/2⌉ similarities between randomly chosen subsets of their strings.

1. i ← 1 /* The step counter. */
2. while i ≤ T /* T is a predetermined time step limit (discussed in Section 5). */
3. begin /* while */
4. S ← JOINT_RAND(k, {1, ..., N}) /* Shared random set of k positions. See text. */
5. same_pos ← C($X^c_N[S]$, $X^{(c+1) \bmod 2}_N[S]$) /* A secret computation of the number of positions with the same contents (see Section 3). */
6. if (same_pos ≥ ⌈k/2⌉ and odd(i + c)) then /* Users 0 and 1 alternate. */
7. begin
8. $S_F$ ← RAND(l, S) /* Random set of l positions from within S to be flipped by the user whose turn it is to flip. */
9. flip the bits of $X^c_N[S_F]$
10. end
11. SYNCHRONIZE /* Users 0 and 1 wait to reach this point simultaneously (barrier synchronization). */
12. i ← i + 1
13. end /* while */

An important requirement of the protocol is the existence of a random number generator at each party which produces the same values, started from a (small) seed value shared by both parties. This is in order to allow the two parties to avoid sending over the communication channel the chosen substring positions, as they are generated in synchrony by the two parties (see Line 4 of the protocol). With regard to the protocol, we are interested in the evolution of the random variable $X(i)$, i.e. the percentage of the positions of $X^0_N$ and $X^1_N$ at which they are the same, after the i-th step of the protocol.

3 Secret two-party function computation

During the execution of the protocol, it is necessary for the two communicating parties to see whether they agree on at least half of the positions they have chosen to compare (line 13-14 of the protocol). Thus, the two parties need to perform a computation: compute the number of positions on which the corresponding bits in the two chosen subsets of k bits are the same. This is an instance of an important, general problem in cryptography: Secure Computation. Secure computation techniques allow two (or more) communicating parties to compute a function on their inputs so that nothing is revealed to each party except what can be inferred from its own input and the computed value. Moreover, no information is revealed about the bit values to a party not involved in the computation (e.g. an eavesdropper). More formally, let A and B be two parties with inputs of $n_A$ and $n_B$ bits respectively. The objective is to jointly compute a function $f: \{0,1\}^{n_A} \times \{0,1\}^{n_B} \to \{0,1\}$ on their inputs.
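The following simulation of the Section 2 protocol is an added example and not code from the paper. It models JOINT_RAND with a generator seeded identically at both parties (so the chosen positions never cross the channel, as the text requires), and replaces the secure circuit C with a plaintext count of agreeing positions, which is only acceptable in a simulation: in the real protocol that count is the output of the two-party computation of Section 3. Positions are 0-based here, the parameters N, k, l, T and all seeds are constructed values, and the flip condition follows the prose and the analysis of Theorem 1 (flip when the two substrings differ in at least ⌈k/2⌉ positions) rather than the listing's literal test on same_pos.

```python
# Added example (not the paper's code): simulation of the bit-similarity protocol.
import math
import random


def joint_rand(shared_rng, k, n):
    """JOINT_RAND(k, {1..N}): a k-subset of positions that both parties derive from the
    same seeded generator, so the subset is never transmitted (0-based positions)."""
    return shared_rng.sample(range(n), k)


def count_same(w_a, w_b):
    """Stand-in for the secure circuit C of Section 3: the number of positions on which
    two k-bit substrings agree. Computed in the clear here, for the simulation only."""
    return sum(1 for a, b in zip(w_a, w_b) if a == b)


def agreement_fraction(x0, x1):
    """X(i): fraction of positions at which the two N-bit strings hold the same bit."""
    return sum(1 for a, b in zip(x0, x1) if a == b) / len(x0)


def run_protocol(x0, x1, k, l, T, shared_seed, private_seeds=(1, 2)):
    """Run T steps of the protocol on copies of x0 and x1 (lists of 0/1 ints).
    Returns the two final strings and the trace X(0), X(1), ..., X(T).
    Assumption: the user whose turn it is (odd(i + c)) flips l random positions of S
    whenever the substrings differ in at least ceil(k/2) positions."""
    strings = [list(x0), list(x1)]
    n = len(x0)
    shared = random.Random(shared_seed)                   # same seed at both parties
    private = [random.Random(s) for s in private_seeds]   # each user's own source for RAND(l, S)
    trace = [agreement_fraction(*strings)]
    for i in range(1, T + 1):
        s_pos = joint_rand(shared, k, n)                   # line 4: identical on both sides
        same_pos = count_same([strings[0][p] for p in s_pos],
                              [strings[1][p] for p in s_pos])   # line 5
        c = (i + 1) % 2          # odd(i + c) holds for user 0 on odd steps, user 1 on even steps
        if k - same_pos >= math.ceil(k / 2):
            s_f = private[c].sample(s_pos, l)              # line 8: RAND(l, S)
            for p in s_f:                                  # line 9: flip the bits of X^c_N[S_F]
                strings[c][p] ^= 1
        trace.append(agreement_fraction(*strings))         # line 11: both sides in sync again
    return strings[0], strings[1], trace


def random_strings(n, seed):
    """Two independent random N-bit strings (constructed inputs; X(0) is close to 1/2)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)], [rng.randrange(2) for _ in range(n)]


if __name__ == "__main__":
    a, b = random_strings(2000, seed=7)
    _, _, trace = run_protocol(a, b, k=9, l=3, T=5000, shared_seed=42)
    print(f"X(0) = {trace[0]:.3f}, X(T) = {trace[-1]:.3f}")
```

Running it shows the agreement fraction climbing from about one half and then slowing down as the strings become similar, which is the communication-overhead trade-off the introduction mentions; the trace is what the differential equation of Section 4 approximates.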
The issue, here, is that A and B cannot simply exchange their inputs and compute the function, since they will learn each other's inputs, something that is not desirable in a secure computation setting. More importantly, even if A and B are willing to share their inputs, they would not allow an eavesdropper to acquire these inputs too. This leads to the problem of secure function computation. In our context, we consider the following two Boolean functions:

$f_r: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}$ with $w_A, w_B \in \{0,1\}^k$ and $0 \le r \le k$:

$$f_r(w_A, w_B) = \begin{cases} 1, & \text{if } X(w_A, w_B) \ge r \\ 0, & \text{otherwise} \end{cases} \quad (1)$$

We are interested in $r = \lceil k/2 \rceil$.

$f_X: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^{\lceil \log_2(k) \rceil}$ with $w_A, w_B \in \{0,1\}^k$:

$$f_X(w_A, w_B) = x, \text{ with } x = X(w_A, w_B) \text{ written in binary.} \quad (2)$$

The function $f_X$ is, strictly, an ordered tuple $(f^0_X, f^1_X, \ldots, f^{\lceil \log_2(k) \rceil - 1}_X)$ of $\lceil \log_2(k) \rceil$ 1-bit Boolean functions, where the function $f^i_X$ computes the i-th most significant bit of $x = X(w_A, w_B)$ (with i = 0 we take the most significant bit and with $i = \lceil \log_2(k) \rceil - 1$ we take the least significant bit). Using techniques from oblivious function computation (see [7] for a survey on these techniques), we can prove that the computation of $f_r$ and $f_X$ can be done with randomized protocols using $O(|C_{f_r}|)$ and $O(|C_{f_X}|)$ communication steps respectively, with $C_{f_r}$ and $C_{f_X}$ being the Boolean circuits that are employed for the computation of $f_r$ and $f_X$ respectively. Since both $f_r$ and $f_X$ are easily seen to be polynomial time computable Boolean functions, we can construct for their computations circuits of size polynomial in their input sizes, i.e. circuits $C_{f_r}$ and $C_{f_X}$ such that $|C_{f_r}| = O(k^{c_1})$ and $|C_{f_X}| = O(k^{c_2})$, with constants $c_1, c_2 \ge 0$. Since k is considered a fixed constant, we conclude that we can compute $f_r$ and $f_X$ in a constant number of rounds. The number of random bits needed by each step of the randomized protocol is in both cases $O(k)$ and, thus, constant. To sum up, the functions $f_r$ and $f_X$ can both be evaluated on two k-bit inputs $w_A, w_B$ held by two parties A, B using a constant number of rounds and a constant number of uniformly random bits. In what follows, we will assume that the communicating parties use the function $f_{\lceil k/2 \rceil}$.

With regard to the required randomness, we assume that each of the two parties has a true randomness source, i.e. a source of uniformly random bits. Such a randomness source can be easily built into modern devices. This randomness source is necessary in order to implement the randomized oblivious computation protocols for the computation of the function $f_{\lceil k/2 \rceil}$. In addition, it will be used in order to produce the randomly chosen positions, as required by Step 6 of the protocol. Since each position can range from 1 up to N (the string size), to form a position index we need to draw $\lceil \log_2(N) \rceil$ random bits. Alternatively, if we allow the two parties to share a small (in relation to N) seed, they can produce the random positions in synchronization and, thus, avoid sending them over the communication channel.

4 Theoretical analysis of the protocol

In order to track the density of positions where two strings agree, we will make use of Wormald's theorem (see [13]) to model the probabilistic evolution of the protocol described in Section 2 using a deterministic function which stays provably close to the real evolution of the algorithm. The statement of the theorem is in the Appendix for completeness.
What the theorem essentially states is that if we are confronted with a number of (possibly) interrelated random variables (associated with some random process) such that they satisfy a Lipschitz condition and their expected fluctuation at each time step is known, then the value of these variables can be approximated using the solution of a system of differential equations. Furthermore, the system of differential equations results directly from the expressions for the expected fluctuation of the random variables describing the random process.

We will first prove a general lemma that gives the probability of increasing the similarity between two strings through flipping, at random, the contents of a certain number of positions.

Lemma 1. Let $w_1, w_2$ be two strings of 0s and 1s of length k. Let also j, $0 \le j \le k$, be the number of places in which the two strings differ. Then if l positions of one string are randomly flipped, the probability that s of them are differing positions is the following:

$$P_{k,j,l,s} = \frac{\binom{j}{s}\binom{k-j}{l-s}}{\binom{k}{l}}. \quad (3)$$

Proof. In Equation (3) the denominator is the number of all subsets of positions of cardinality l of the k string positions, while the numerator is equal to the number of partitions of the l chosen positions such that s of them fall into the j differing positions and the remaining l − s fall into the remaining k − j non-differing positions of the two strings. Thus their ratio gives the desired probability.

The following lemma, which is easy to prove based on general properties of the binomial coefficients, provides a closed form expression for a sum that will appear later in some probability computations.

Lemma 2. The following identity holds:

$$\sum_{s=0}^{l} (2s - l)\,\frac{\binom{j}{s}\binom{k-j}{l-s}}{\binom{k}{l}} = \left(\frac{2j}{k} - 1\right) l. \quad (4)$$

We will now derive the deterministic differential equation that governs the evolution of the random variable $X(i)$ manipulated by the protocol in Section 2 using Wormald's theorem.

Theorem 1. The differential equation that results from the application of Wormald's theorem on the quantity $X(i)$ (places of agreement at protocol step i) as it evolves in the agreement protocol is the following:

$$E[X(i+1) - X(i)] = \sum_{j=\lceil k/2 \rceil}^{k} \sum_{s=0}^{l} \big[(s - (l - s))\, P_{k,j,l,s}\big]\, P_{n,\, n - X(i),\, k,\, j}. \quad (5)$$

Proof. We will determine the possible values of the difference $X(i+1) - X(i)$ along with the probability of occurrence for each of them. The protocol described in Section 2 flips l positions within the k examined positions, whenever these k positions contain $j \ge \lceil k/2 \rceil$ differing positions in the two strings. From the flipped l positions, if s of them ($0 \le s \le l$) are disagreement positions, then the two strings will have gained s agreement positions, losing l − s. The net total is $s - (l - s)$. The probability that this total occurs, for a specific value of s and a specific value of j, is equal to $P_{k,j,l,s}\, P_{n,\, n-X(i),\, k,\, j}$. Summing up over all possible values of s, j we obtain (5).

Corollary 1. The following holds:

$$E[X(i+1) - X(i)] = \sum_{j=\lceil k/2\rceil}^{k} l \left(\frac{2j}{k} - 1\right) \frac{\binom{n - X(i)}{j}\binom{X(i)}{k-j}}{\binom{n}{k}}. \quad (6)$$

Proof. Equation (6) follows from (5) using Equation (3) of Lemma 1 with k = n, l = k, s = j, n − j = X(i), in conjunction with Lemma 2.

Corollary 2. Using Wormald's Theorem (Theorem 3), the evolution of the random variable $X(i)$ whose mean fluctuation is given in (6) can be approximated by the following differential equation:

$$\frac{dx(t)}{dt} = \sum_{j=\lceil k/2\rceil}^{k} l \left(\frac{2j}{k} - 1\right) \binom{k}{j} [1 - x(t)]^j\, x(t)^{k-j}. \quad (7)$$

Proof. By applying the approximation $\binom{N}{k} = \frac{N^k}{k!}\left(1 + O\left(\frac{1}{N}\right)\right)$ of the binomial coefficients, which is valid for $k = O(1)$, on the three binomials which appear on the right-hand side of (6), we obtain the following:

$$\frac{\binom{n - X(i)}{j}\binom{X(i)}{k-j}}{\binom{n}{k}} \simeq \binom{k}{j}\left(1 - \frac{X(i)}{n}\right)^j \left(\frac{X(i)}{n}\right)^{k-j}.$$

Using Wormald's theorem, we make the correspondence $x(t) = X(i)/n$ and $\frac{dx(t)}{dt} = E[X(i+1) - X(i)]$, which results in the required differential equation (7).

5 Efficiency of the protocol

From Equation (7) we see that the percentage of similar positions, represented by the function $x(t)$, is a monotone increasing function since its first derivative is always positive. In what follows, we will estimate how fast this percentage increases depending on its initial value $x(0)$ as well as the parameters l and k.

Lemma 3. The solution $x(t)$ to the differential equation given in (7) is monotone increasing.

Proof. From the differential equation, we see that the first derivative of the function $x(t)$, which is equal to the right-hand side of the differential equation, is strictly positive, since $0 < x(t) < 1$. Thus, the function $x(t)$ is monotone increasing.

Lemma 4. Let $x(t_1)$ be the value of the function $x(t)$ at time instance $t_1$ and $x(t_2)$ be the value at time instance $t_2$, $t_1 < t_2$. Let, also, $c(t_1)$ be the absolute value of the point at which the tangent line to the point $(t_1, x(t_1))$ of $x(t)$ cuts the t-axis and $c(t_2)$ the corresponding value for $t_2$. Let, also,

$$p(x) = \sum_{j=\lceil k/2\rceil}^{k} l\left(\frac{2j}{k} - 1\right)\binom{k}{j}(1-x)^j x^{k-j}. \quad (8)$$

Then

$$p(x(t_1)) = \frac{x(t_1)}{c(t_1) + t_1}, \qquad p(x(t_2)) = \frac{x(t_2)}{c(t_2) + t_2}. \quad (9)$$

Proof. Let $\varepsilon_1$ and $\varepsilon_2$ be the two tangent lines to the function $x(t)$ at the points $(t_1, x(t_1))$ and $(t_2, x(t_2))$ respectively, as shown in Figure 1. Due to the monotonicity of $x(t)$, the points at which the two lines intersect the t-axis are negative. Let $c(t_1)$ and $c(t_2)$ be the absolute values of these two points for lines $\varepsilon_1$ and $\varepsilon_2$ respectively.

[Fig. 1. The two tangent lines for the proof of the Theorem. The figure (not reproduced) shows the curve $x(t)$, the tangent lines $\varepsilon_1, \varepsilon_2$ at $t_1, t_2$, the angles $\varphi_1, \varphi_2$ they form with the t-axis, and the intercepts $-c(t_1), -c(t_2)$.]

Then from the two right angle triangles that are formed we have $\tan(\varphi_1) = \frac{x(t_1)}{c(t_1) + t_1}$ and $\tan(\varphi_2) = \frac{x(t_2)}{c(t_2) + t_2}$. From the definition of the derivative, $\tan(\varphi_1) = \frac{dx(t)}{dt}\big|_{t_1}$ and $\tan(\varphi_2) = \frac{dx(t)}{dt}\big|_{t_2}$. From (7) and (8), we have $\frac{dx(t)}{dt} = p(x(t))$ and, thus, the statement of the lemma follows.

Theorem 2. Let $t'$ be the time instance at which $x(t') = h\,x(0)$, with $1 \le h \le \frac{1}{x(0)}$. Then

$$t' \le \frac{x(0)}{p(h\,x(0))} \cdot (h - 1). \quad (10)$$

Proof. We set $t_1 = 0$, $t_2 = t'$ and $x(t') = h\,x(0)$ in Lemma 4 and we obtain, from Equations (9), the following:

$$p(x(0)) = \frac{x(0)}{c(0)}, \qquad p(h\,x(0)) = \frac{h\,x(0)}{c(t') + t'}.$$

From these equations we obtain the following:

$$\frac{p(x(0))}{p(h\,x(0))} = \frac{c(t') + t'}{h\,c(0)}.$$

Solving for $t'$ we obtain the following:

$$t' = \frac{h\,p(x(0))\,c(0)}{p(h\,x(0))} - c(t'). \quad (11)$$

Since $p(x(0))$ is the inclination of the tangent line to $x(t)$ at the point $(0, x(0))$, it holds that $p(x(0)) = \frac{x(0)}{c(0)}$. Thus, (11) becomes

$$t' = \frac{h\,x(0)}{p(h\,x(0))} - c(t'). \quad (12)$$

Since $x(t)$ is monotone increasing, the point at which the tangent to this function at any point cuts the $x(t)$-axis is greater than or equal to $x(0)$ (see Figure 1). Let $x_c$ be this point. Then $p(x(t')) = \frac{x_c}{c(t')}$ or, since $x(t') = h\,x(0)$, $p(h\,x(0)) = \frac{x_c}{c(t')}$. Since $x_c \ge x(0)$, $c(t') \ge \frac{x(0)}{p(h\,x(0))}$. Thus, from (12), we obtain

$$t' \le \frac{h\,x(0)}{p(h\,x(0))} - \frac{x(0)}{p(h\,x(0))} = \frac{x(0)}{p(h\,x(0))} \cdot (h - 1),$$

which is the required.

Lemma 5. The following lower bounds hold for the polynomial in (8):

If $x < 1/2$ then
$$p(x) \ge l\,[x^k + 1 - 2x]. \quad (13)$$

If $x \ge 1/2$ then
$$p(x) \ge \frac{l}{k}(1-x)^k \binom{k}{\lceil k/2\rceil}\left\lceil \frac{k}{2} \right\rceil. \quad (14)$$

Proof. In (8), allowing the sum index to cover all the range from 1 to k reduces the value of the sum, since it adds negative terms. Thus

$$p(x) \ge l \sum_{j=1}^{k}\left(\frac{2j}{k}-1\right)\binom{k}{j}(1-x)^j x^{k-j}.$$

Since the sum evaluates to $l\,[x^k + 1 - 2x]$, the first statement of the lemma follows. If, on the other hand, $x \ge 1/2$, then the lower bound given for the first statement of the lemma is not good since it may even become negative. In this case we observe that the term $(1-x)^j x^{k-j}$ is minimized for j = k. Setting j = k in (8) we obtain the second statement of the lemma.

Corollary 3. The following bounds hold for the time instance $t'$:

If $h\,x(0) < 1/2$ then
$$t' \le \frac{x(0)(h-1)}{l\,[(h\,x(0))^k + 1 - 2h\,x(0)]}. \quad (15)$$

If $h\,x(0) \ge 1/2$ then
$$t' \le \frac{k\,x(0)(h-1)}{l\,[1-h\,x(0)]^k\binom{k}{\lceil k/2\rceil}\left\lceil \frac{k}{2} \right\rceil}. \quad (16)$$

From (15) we see that the percentage of similarities grows fast if we start from $x(0)$ aiming at $h\,x(0)$, with $h \ge 1$ and $h\,x(0) < 1/2$ (and (15) is only a very coarse upper bound). If the target is, however, at $h\,x(0)$ with $x \ge 1/2$, the upper bound is not good as the denominator tends to 0 fast. However, since this denominator is simply the first derivative of $x(t)$ at $h\,x(0)$, this derivative fast tends to 0 if $h\,x(0) \ge 1/2$ and, thus, the tangent at this point tends to become parallel to the t-axis. Thus, we have again fast convergence.

6 Conclusions

In this paper we described a series of protocols that can be used in order to increase the percentage of similarities between two strings held by two communicating parties without revealing their values.
The protocols involve the examination of random position subsets of size k and the flipping of a randomly chosen subset of these positions if the two strings are found to disagree in more than half the positions. In this way, the random process governing the protocol is directed towards flipping disagreement positions more than the flipping of agreement positions. The proposed protocols are, in fact, general and may be used in any situation involving either wireless or conventional networks in which there is no trusted third party or key management authority among the network nodes.

References

1. R. Blom, "An optimal class of symmetric key generation systems," Proceedings of EUROCRYPT 84 (Thomas Beth, Norbert Cot and Ingemar Ingemarsson, eds.), Lecture Notes in Computer Science, Springer-Verlag, 209:335-338, 1985.
2. C. Blundo, C. Galdi, and G. Persiano, "Low-randomness constant-round private XOR computations," Int. J. Secur., 6:15-26, 2007.
3. D.W. Carman, P.S. Kruus, B.J. Matt, "Constraints and approaches for distributed sensor network security," NAI Labs Technical Report #00-010, September 2000.
4. H. Chan, A. Perrig, D. Song, "Random Key Predistribution Schemes for Sensor Networks," Proceedings of the IEEE Symposium on Security and Privacy, May 2003, pp. 197-213.
5. S-P. Chan, R. Poovendran, M-T. Sun, "A key management scheme in distributed sensor networks using attack probabilities," IEEE Global Telecommunications Conference (GLOBECOM '05), December 2005.
6. H. Chan, A. Perrig, "PIKE: Peer intermediaries for key establishment in sensor networks," Proceedings of the IEEE Infocom, March 2005.
7. R. Cramer, "Introduction to secure computation," in Proc. Lectures on Data Security, pp. 16-42, LNCS, Springer-Verlag, 1999.
8. W. Du, J. Deng, Y.S. Han, P. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," CCS '03, pp. 42-51, ACM Press, New York, NY, 2003.
9. W. Du, J. Deng, Y.S. Han, S. Chen, P. Varshney, "A key management scheme for wireless sensor networks using deployment knowledge," Proceedings of the IEEE Infocom, March 2004, pp. 586-597.
10. L. Eschenauer, V.D. Gligor, "A key-management scheme for distributed sensor networks," Proceedings of the 9th ACM Conf. Computing and Comm. Security (CCS '02), Nov. 2002.
11. F. Liu, X. Cheng, "A Self-Configured Key Establishment Scheme for Large-Scale Sensor Networks," Proceedings of the 3rd IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2006), October 2006, pp. 447-456.
12. E. Makri, Y. Stamatiou, "Distributively increasing the percentage of similarities between strings with application to key agreement," 5th International Conference on AD-HOC Networks and Wireless, August 2006.
13. N.C. Wormald, "The differential equation method for random graph processes and greedy algorithms," Ann. Appl. Probab. 5, 1217-1235, 1995.

APPENDIX

Approximating stochastic processes with deterministic functions: Wormald's Theorem [13]

Definition 1. A function f satisfies a Lipschitz condition on $D \subset \Re^j$ if there exists some constant $L > 0$ such that

$$|f(u_1, \ldots, u_j) - f(v_1, \ldots, v_j)| \le L \sum_{i=1}^{j} |u_i - v_i|$$

for all $(u_1, \ldots, u_j)$ and $(v_1, \ldots, v_j)$ in D.

Definition 2. Given a random variable X depending on n, denoted by $X^{(n)}$, we say that $X^{(n)} = o(f(n))$ always if $\max\{x \mid \Pr[X^{(n)} = x] \ne 0\} = o(f(n))$.

Theorem 3. Let $Y_i^{(n)}(t)$, $n \ge 1$, be a sequence of real-valued random variables, $1 \le i \le k$ for some fixed k, such that for all i, all t and all n, $|Y_i^{(n)}(t)| \le Bn$ ($n > 0$) for some constant B. Let $H(t)$ be the history of the sequence, i.e. the matrix $[\vec{Y}(0), \ldots, \vec{Y}(t)]$, where $\vec{Y}(t) = (Y_1^{(n)}(t), \ldots, Y_k^{(n)}(t))$. Let $I = \{(y_1, \ldots, y_k) : \Pr[\vec{Y}(0) = (y_1 n, \ldots, y_k n)] \ne 0 \text{ for some } n\}$. Let D be some bounded connected open set containing the intersection of $\{(s, y_1, \ldots, y_k) : s \ge 0\}$ with a neighborhood of $\{(t/n, y_1, \ldots, y_k) : (y_1, \ldots, y_k) \in I\}$. (That is, after taking a ball around the set I, D is required to contain the part of the ball in the half-space corresponding to $s = t/n$, $s \ge 0$.) Let $f_i : \Re^{k+1} \to \Re$, $1 \le i \le k$, and suppose that for some $m = m(n)$,

(i) for all i and uniformly over all $t < m$, always
$$E[Y_i^{(n)}(t+1) - Y_i^{(n)}(t) \mid H(t)] = f_i\big(t/n,\; Y_0^{(n)}(t)/n,\; \ldots,\; Y_k^{(n)}(t)/n\big) + o(1),$$

(ii) for all i and uniformly over all $t < m$,
$$\Pr\big[\,|Y_i^{(n)}(t+1) - Y_i^{(n)}(t)| > n^{1/5}\,\big] = o(n^{-3}), \text{ always},$$

(iii) for each i, the function $f_i$ is continuous and satisfies a Lipschitz condition on D.

Then

(a) for $(0, \hat{z}(0), \ldots, \hat{z}(k)) \in D$ the system of differential equations
$$\frac{dz_i}{ds} = f_i(s, z_0, \ldots, z_k), \quad 1 \le i \le k$$
has a unique solution in D for $z_i : \Re \to \Re$ passing through $z_i(0) = \hat{z}(i)$, $1 \le i \le k$, and which extends to points arbitrarily close to the boundary of D;

(b) almost surely
$$Y_i^{(n)}(t) = z_i(t/n) \cdot n + o(n),$$
uniformly for $0 \le t \le \min\{\sigma, m\}$ and for each i, where $z_i(s)$ is the solution in (a) with $\hat{z}(i) = Y_i^{(n)}(0)/n$, and $\sigma = \sigma(n)$ is the supremum of those s to which the solution can be extended.
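The block below is an added numerical check of the analysis in Sections 4 and 5 and is not code from the paper: it evaluates the hypergeometric probability of Lemma 1 (equation (3)) in exact rational arithmetic, verifies the identity of Lemma 2 (equation (4)), implements the drift polynomial p(x) of (8), integrates the differential equation (7) by forward Euler, and compares the time needed to reach h·x(0) against the bound (10) of Theorem 2 and the lower bounds (13) and (14) of Lemma 5. The function names and the parameter values k = 9, l = 3 and the step sizes are this example's own choices.

```python
# Added example (not the paper's code): numerical checks of equations (3), (4), (7),
# (8), (10), (13) and (14). Parameter values are constructed for illustration.
from fractions import Fraction
from math import ceil, comb


def prob_flip(k, j, l, s):
    """P_{k,j,l,s} of Lemma 1, equation (3): out of l flipped positions, exactly s fall
    among the j differing positions of two k-bit strings. Exact rational result."""
    if s < 0 or s > l or s > j or l - s > k - j:
        return Fraction(0)
    return Fraction(comb(j, s) * comb(k - j, l - s), comb(k, l))


def expected_net_gain(k, j, l):
    """Left-hand side of (4): the expected net gain s - (l - s) in agreeing positions."""
    return sum((2 * s - l) * prob_flip(k, j, l, s) for s in range(l + 1))


def lemma2_rhs(k, j, l):
    """Right-hand side of (4): (2j/k - 1) l."""
    return (Fraction(2 * j, k) - 1) * l


def p(x, k, l):
    """The polynomial (8), i.e. the right-hand side of the differential equation (7).
    Accepts a float or a Fraction for x (a Fraction keeps the result exact)."""
    return sum(l * (Fraction(2 * j, k) - 1) * comb(k, j) * (1 - x) ** j * x ** (k - j)
               for j in range(ceil(k / 2), k + 1))


def lower_bound(x, k, l):
    """Lemma 5: bound (13) when x < 1/2, bound (14) when x >= 1/2."""
    if x < Fraction(1, 2):
        return l * (x ** k + 1 - 2 * x)
    m = ceil(k / 2)
    return Fraction(l * comb(k, m) * m, k) * (1 - x) ** k


def integrate(x0, k, l, t_end, dt=0.01):
    """Forward Euler for dx/dt = p(x) from x(0) = x0; returns the approximation of x(t_end)."""
    x = x0
    for _ in range(int(round(t_end / dt))):
        x += dt * p(x, k, l)
    return x


def time_to_reach(x0, h, k, l, dt=0.001, t_max=1e4):
    """First time t on the Euler grid at which x(t) >= h x(0); Theorem 2 bounds it by (10)."""
    x, t = x0, 0.0
    while x < h * x0 and t < t_max:
        x += dt * p(x, k, l)
        t += dt
    return t


def theorem2_bound(x0, h, k, l):
    """The upper bound (10): x(0)(h - 1) / p(h x(0))."""
    return x0 * (h - 1) / p(h * x0, k, l)


if __name__ == "__main__":
    k, l = 9, 3
    for j in range(k + 1):                      # Lemma 2 holds exactly for every j
        assert expected_net_gain(k, j, l) == lemma2_rhs(k, j, l)
    print("p(1/2) for k=9, l=3:", p(Fraction(1, 2), k, l))          # 105/256
    print("x(1) from x(0)=0.5:", round(integrate(0.5, k, l, 1.0), 3))
    print("time to 1.5 x(0) from 0.25:", round(time_to_reach(0.25, 1.5, k, l), 3),
          "<= bound", round(theorem2_bound(0.25, 1.5, k, l), 3))
```

Because p is non-increasing in x, the Euler curve is concave and the reach time stays below the bound (10), which is what Theorem 2 exploits; the same run also shows why the text calls (16) coarse, since p(x) collapses once x exceeds one half.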