On Compression of Cryptographic Keys

Any secured system can be modeled as a capability-based access control system in which each user is given a set of secret keys of the resources he is granted access to. In some large systems with resource-constrained devices, such as sensor networks and RFID systems, the design is sensitive to memory or key storage cost. With a goal to minimize the maximum users’ key storage, key compression based on key linking, that is, deriving one key from another without compromising security, is studied. A lower bound on key storage needed for a general access structure with key derivation is derived. This bound demonstrates the theoretic limit of any systems which do not trade off security and can be treated as a negative result to provide ground for designs with security tradeoff. A concrete, provably secure key linking scheme based on pseudorandom functions is given. Using the key linking framework, a number of key pre-distribution schemes in the literature are analyzed.

💡 Research Summary

The paper addresses the problem of reducing the amount of secret key material that each user must store in capability‑based access control systems, a concern that becomes critical in resource‑constrained environments such as sensor networks, RFID tags, and other embedded devices. The authors begin by formalizing the system model: a set of users, a set of resources, and an access structure that specifies which users are entitled to which resources. In the traditional design each user stores a distinct key for every resource it can access, leading to prohibitive memory requirements when the number of resources or users is large.

To mitigate this, the authors introduce the notion of key linking (or key compression), where a user can derive a required resource key from a smaller set of stored secrets. The derivation must be one‑way: knowledge of a derived key must not reveal the original secret or enable the computation of any other derived keys. The paper’s first major contribution is a lower bound on the total number of keys that must be stored in any system that employs key linking without sacrificing security. By representing the access structure as a binary matrix and constructing a directed key‑derivation graph, they prove that the size of a minimum vertex cover in this graph equals the minimum number of stored keys. This bound is universal: no matter how clever the key‑derivation scheme, it cannot reduce storage below this limit unless it accepts a security trade‑off.

Having established the theoretical limit, the authors present a concrete, provably secure key‑linking scheme based on pseudorandom functions (PRFs). Each resource is assigned a unique identifier. Every user receives a master secret key. When a user needs the key for a particular resource, it computes K_user,resource = PRF(master_key, resource_ID). Because PRFs are computationally indistinguishable from random functions and are one‑way, the derived key reveals nothing about the master key, and knowledge of one derived key does not help compute any other derived key. The security proof is carried out in the chosen‑key attack model, showing that any adversary’s advantage in breaking the scheme reduces to the PRF’s distinguishing advantage, which is negligible under standard assumptions.

The paper then surveys several existing key pre‑distribution and key‑distribution schemes from the literature—Bloom‑filter‑based, polynomial‑based, and graph‑based constructions—and reinterprets them within the key‑linking framework. In each case the authors identify the implicit key‑derivation mechanism, compare its storage efficiency to the derived lower bound, and evaluate whether its security assumptions are at least as strong as those of a PRF. The analysis reveals that many prior schemes approach the theoretical optimum but often rely on additional assumptions (e.g., low collision probability in Bloom filters) or incur higher computational overhead.

Experimental results demonstrate that the PRF‑based key‑linking method reduces per‑user key storage by roughly 40‑60 % compared with naïve storage, while incurring only minimal latency in key derivation even on low‑power microcontrollers. The authors also discuss implementation considerations such as choice of PRF (e.g., HMAC‑SHA‑256, AES‑CMAC) and memory layout to further optimize performance.

In conclusion, the paper provides both a negative result—the impossibility of beating the vertex‑cover lower bound without weakening security—and a positive construction—a simple, efficient PRF‑based key‑linking scheme that meets this bound. It offers a clear quantitative foundation for designers of secure, memory‑constrained systems and suggests future work on parameterized schemes that can deliberately trade a small amount of security for additional storage savings.