(19)
(11)EP 3 379 766 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
26.06.2019 Bulletin 2019/26

(21)Application number: 17161898.6

(22)Date of filing:  20.03.2017
(51)International Patent Classification (IPC): 
H04L 9/08(2006.01)

(54)

A WIRELESS COMMUNICATION DEVICE FOR COMMUNICATION IN A WIRELESS COMMUNICATION NETWORK

DRAHTLOSKOMMUNIKATIONSVORRICHTUNG FÜR KOMMUNIKATION IN EINEM DRAHTLOSKOMMUNIKATIONSNETZ

DISPOSITIF DE COMMUNICATION SANS FIL POUR LA COMMUNICATION DANS UN RÉSEAU DE COMMUNICATION SANS FIL


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(43)Date of publication of application:
26.09.2018 Bulletin 2018/39

(73)Proprietor: HUAWEI TECHNOLOGIES CO., LTD.
Shenzhen Guangdong 518129 (CN)

(72)Inventors:
  • QUAGLIA, Elizabeth
    80992 Munich (DE)
  • SMYTH, Benjamin
    80992 Munich (DE)
  • TSZ HON, Yuen
    80992 Munich (DE)

(74)Representative: Thun, Clemens et al
Mitscherlich PartmbB Patent- und Rechtsanwälte Sonnenstraße 33
80331 München
80331 München (DE)


(56)References cited: : 
  
  • ZHONGYUAN QIN ET AL: "An Efficient Identity-Based Key Management Scheme for Wireless Sensor Networks Using the Bloom Filter", SENSORS, vol. 14, no. 10, 26 September 2014 (2014-09-26), pages 17937-17951, XP55386447, DOI: 10.3390/s141017937
  • JIANG SHUNRONG ET AL: "An Efficient Anonymous Batch Authentication Scheme Based on HMAC for VANETs", IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, IEEE, PISCATAWAY, NJ, USA, vol. 17, no. 8, 1 August 2016 (2016-08-01) , pages 2193-2204, XP011618104, ISSN: 1524-9050, DOI: 10.1109/TITS.2016.2517603 [retrieved on 2016-07-29]
  • MALHI AVLEEN ET AL: "Privacy-preserving authentication framework using bloom filter for secure vehicular communications", INTERNATIONAL JOURNAL OF INFORMATION SECURITY (IJIS), SPRINGER, HEIDELBERG, DE, vol. 15, no. 4, 7 September 2015 (2015-09-07), pages 433-453, XP036011689, ISSN: 1615-5262, DOI: 10.1007/S10207-015-0299-4 [retrieved on 2015-09-07]
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

TECHNICAL FIELD



[0001] In general, the present invention relates to security in wireless communication systems. In particular, the present invention relates to a wireless communication device for communication in a wireless communication network.

BACKGROUND



[0002] In an all-connected world, the Internet of Things (loT) is becoming more and more important. A lot of devices can establish contact and communicate with each other, and the security of such communications is of paramount importance. Typically, in such an environment, there is a disparity between the resources associated to each device, for instance power and memory, which can range from large devices e.g., base stations or fixed readers, to small devices e.g., mobile nodes or sensors. Developing security protocols which successfully take such disparity into consideration is very important in order to allow a secure communication among different devices.

[0003] For the development of the loT, several proposals for Future Network Architectures (FNA) are being put forth, and a clear common trait among such proposals is the importance of the identities of the communication devices. The basic idea of such proposals is to associate to each device an identity, and, therefore, the field of Identity-Based Cryptography (IBC) can play a key role.

[0004] The problem of authenticating a group of entities in an efficient way has also been studied in the prior art. In particular, the idea of aggregating signatures, i.e., putting together several signatures so that only a single signature should be verified, has emerged both in the symmetric and asymmetric setting of cryptography.

[0005] In the work "Aggregate message authentication codes", Topics in Cryptology - CT-RSA (2008) by Katz and Lindell, aggregate message authentication codes (MAC) are proposed. The basic idea is to have multiple MAC tags, computed by (possibly) different senders on multiple (possibly different) messages, which can be aggregated into a shorter tag that can still be verified by a recipient who shares a distinct key with each sender.

[0006] In the work "HB#: Increasing the Security and Efficiency of HB+", Eurocrypt (2008) by Gilbert H. et al., symmetric solutions are discussed and a lightweight three-pass symmetric key authentication protocol is introduced that extends a protocol by Hopper and Blum (HB) to fix a security problem. Furthermore, the aggregate message authentication codes (MAC), as discussed above, belong to the symmetric solutions as well.

[0007] Asymmetric solutions can make use of public-key aggregate signatures as presented, for example, in the work "Aggregate and verifiably encrypted signatures from bilinear maps", Eurocrypt (2003), by Boneh et al. and in the work "Sequential aggregate signatures and multi-signatures without random oracles", Eurocrypt (2006), by Lu et al. The verifying entity or base station only needs to know the public key of the senders (instead of a shared key between the verifier and each sender). Most of the existing solutions rely on bilinear pairings and, therefore, are inefficient and inadequate for the loT setting.

[0008] Further, prior art document ZHONGYUAN QIN et al: "An efficient Identity-based key management scheme for wireless sensor networks using the bloom filter" refers to an identity-based key management (IBKM) scheme, which exploits a Bloom filter to authenticate a communication sensor node with storage efficiency.

[0009] Although the above mentioned solutions address the problem of authenticating a group of resource-constrained devices to a verifying entity or base station with larger resources, they, however, are not group authentication schemes, they are inefficient, and they are not identity-based in the case of symmetric solutions.

[0010] Therefore, there is a need for improved devices for communication in a wireless communication network, which, in particular, allow to solve the problem of authenticating a group of resource-constrained devices to a base station with larger resources, where all the entities are equipped with identities, and are immerged in an identity-based cryptography (IBC) infrastructure.

SUMMARY



[0011] It is an object of the invention to provide for improved devices for communication in a wireless communication network.

[0012] The foregoing and other objects are achieved by the subject matter of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.

[0013] In a first aspect a wireless communication device of a group of wireless communication devices configured to communicate with a base station is provided, the wireless communication device comprising:

a transceiver configured to receive a token from the base station; and

a processor configured to generate a first data structure on the basis of a function of the token and of a key ki of the wireless communication device and a second data structure comprising an identity idi of the wireless communication device;

wherein the transceiver is further configured to broadcast the first data structure and the second data structure to the group of wireless communication devices and the base station, wherein the processor is further configured to compute the key ki of the wireless communication device on the basis of the following equation:

wherein r is the token, H' and H are cryptographic hash functions, idBS is an identity of the base station, e is a bilinear pairing function, and s is a master key.



[0014] In a second aspect a wireless communication device of a group of wireless communication devices configured to communicate with a base station is provided, the wireless communication device comprising:

a transceiver configured to receive a token from the base station; and

a processor configured to generate a first data structure on the basis of a function of the token and of a key ki of the wireless communication device and a second data structure comprising an identity idi of the wireless communication device;

wherein the transceiver is further configured to broadcast the first data structure and the second data structure to the group of wireless communication devices and the base station, wherein the processor is further configured to compute the key ki of the wireless communication device on the basis of the following equation:

wherein t is a random integer, P is a public parameter, tP is the token, (x, (P, Y = xP)) is a key pair, s = r + xH(R,idi), H is a cryptographic hash function, and



[0015] In a third aspect a wireless communication device of a group of wireless communication devices configured to communicate with a base station is provided, the wireless communication device comprising:

a transceiver configured to receive a token from the base station; and

a processor configured to generate a first data structure on the basis of a function of the token and of a key ki of the wireless communication device and a second data structure comprising an identity idi of the wireless communication device;

wherein the transceiver is further configured to broadcast the first data structure and the second data structure to the group of wireless communication devices and the base station, wherein the processor is further configured to compute the key ki of the wireless communication device on the basis of the following equation:

wherein (R,s) is a private key of the wireless communication device (101i), (R',s') is a private key of the base station (106), t is the token,

(x, (P,Y = xP)) is a key pair, s = r + xH(R,idi), and H' and H are cryptographic hash functions.



[0016] In a first implementation form of the first to third aspect the function of the token and of the key ki of the wireless communication device has a uniform output distribution.

[0017] In a second implementation form of the first to third aspects the first data structure is a Bloom filter.

[0018] In a third implementation form of the first to third aspects a length of the Bloom filter is m, L is a number of wireless communication devices of the group of wireless communication devices, and n is a number of cryptographic hash functions for adding an element to the Bloom filter, being related by the following equation:



[0019] In a fourth aspect a wireless communication device of a group of wireless communication devices configured to communicate with a base station and the group of wireless communication devices is provided, the wireless communication device comprising:

a transceiver configured to receive a token from the base station, a first data structure generated on the basis of a function of the token and of a key ki of a further wireless communication device and a second data structure comprising an identity idi of the further wireless communication device; and

a processor configured to add a data element based on a function of the token and of a key kj of the wireless communication device to the first data structure, and to add an identity idj of the wireless communication device to the second data structure for obtaining a modified first data structure and a modified second data structure;

wherein the transceiver is further configured to broadcast the modified first data structure and the modified second data structure to the group of wireless communication devices and the base station,

wherein the processor is further configured to compute the key kj of the wireless communication device on the basis of the following equation:

wherein r is the token, H' and H are cryptographic hash functions, idBS is an identity of the base station (106), e is a bilinear pairing function, and s is a master key.



[0020] In a fifth aspect a wireless communication device of a group of wireless communication devices configured to communicate with a base station and the group of wireless communication devices is provided, the wireless communication device comprising:

a transceiver configured to receive a token from the base station, a first data structure generated on the basis of a function of the token and of a key ki of a further wireless communication device and a second data structure comprising an identity idi of the further wireless communication device; and

a processor configured to add a data element based on a function of the token and of a key kj of the wireless communication device to the first data structure, and to add an identity idj of the wireless communication device to the second data structure for obtaining a modified first data structure and a modified second data structure;

wherein the transceiver is further configured to broadcast the modified first data structure and the modified second data structure to the group of wireless communication devices and the base station,

wherein the processor is further configured to compute the key kj of the wireless communication device on the basis of the following equation:

wherein t is an integer, P is a public parameter, tP is the token, (x, (P, Y = xP)) is a key pair, s = r + xH(R,idj), H is a cryptographic hash function, and



[0021] In a sixth aspect a wireless communication device of a group of wireless communication devices configured to communicate with a base station and the group of wireless communication devices, the wireless communication device comprising:

a transceiver configured to receive a token from the base station, a first data structure generated on the basis of a function of the token and of a key ki of a further wireless communication device and a second data structure comprising an identity idi of the further wireless communication device; and

a processor configured to add a data element based on a function of the token and of a key kj of the wireless communication device to the first data structure, and to add an identity idj of the wireless communication device to the second data structure for obtaining a modified first data structure and a modified second data structure;

wherein the transceiver is further configured to broadcast the modified first data structure and the modified second data structure to the group of wireless communication devices and the base station,

wherein the processor is further configured to compute the key kj of the wireless communication device on the basis of the following equation:

wherein (R,s) is a private key of the wireless communication device (101j), (R',s') is a private key of the base station (106), t is the token,

R = rP, (x, (P, Y = xP)) is a key pair, s = r + xH(R,idj), and H' and H are cryptographic hash functions.



[0022] In a first implementation form of the fourth to sixth aspect the function of the token and of the key kj of the wireless communication device (101j) has a uniform output distribution.

[0023] In a second implementation form of the fourth to sixth aspect at least one of the first data structure or modified first data structure is a Bloom filter.

[0024] In a seventh aspect a base station configured to communicate with at least one wireless communication device of a group of wireless communication devices in a wireless communication network is provided, the base station comprising:

a transceiver configured to receive a first data structure and a second data structure generated by the at least one wireless communication device, wherein the first data structure is based on a function of a token provided by the base station and of a key ki of the at least one wireless communication device, and wherein the second data structure comprises an identity idi of the at least one wireless communication device; and

a processor configured to derive the key ki of the at least one wireless communication device on the basis of the second data structure and to authenticate the at least one wireless communication device on the basis of the key ki and of the first data structure of the at least one wireless communication device,

wherein the processor is further configured to derive the key ki of the at least one wireless communication device on the basis of the following equation:

wherein r is the token, H' and H are cryptographic hash functions, idBS is an identity of the base station (106), and s is a master key.



[0025] In an eighth aspect a base station configured to communicate with at least one wireless communication device of a group of wireless communication devices in a wireless communication network, the base station comprising:

a transceiver configured to receive a first data structure and a second data structure generated by the at least one wireless communication device, wherein the first data structure is based on a function of a token provided by the base station and of a key ki of the at least one wireless communication device, and wherein the second data structure comprises an identity idi of the at least one wireless communication device; and

a processor configured to derive the key ki of the at least one wireless communication device on the basis of the second data structure and to authenticate the at least one wireless communication device on the basis of the key ki and of the first data structure of the at least one wireless communication device,

wherein the processor is further configured to derive the key ki of the at least one wireless communication device on the basis of the following equation:

wherein t is an integer, P is a public parameter, tP is the token, (x, (P, Y = xP)) is a key pair, s = r + xH(R,idi), H is a cryptographic hash function, and

R = rP.



[0026] In a ninth aspect a base station configured to communicate with at least one wireless communication device of a group of wireless communication devices in a wireless communication network is provided, the base station comprising:

a transceiver configured to receive a first data structure and a second data structure generated by the at least one wireless communication device, wherein the first data structure is based on a function of a token provided by the base station and of a key ki of the at least one wireless communication device, and wherein the second data structure comprises an identity idi of the at least one wireless communication device; and

a processor configured to derive the key ki of the at least one wireless communication device on the basis of the second data structure and to authenticate the at least one wireless communication device on the basis of the key ki and of the first data structure of the at least one wireless communication device,

wherein the processor is further configured to derive the key ki of the at least one wireless communication device on the basis of the following equation:

wherein (R,s) is a private key of the at least one wireless communication device (101i), (R',s') is a private key of the base station (106), t is the token,

R = rP, (x, (P, Y = xP)) is a key pair, s = r + xH(R,idi), and H' and H are cryptographic hash functions.


BRIEF DESCRIPTION OF THE DRAWINGS



[0027] Further embodiments of the invention will be described with respect to the following figures, wherein:

Fig. 1 shows a schematic diagram of a wireless communication system comprising a wireless communication device, a further wireless communication device, and a base station according to embodiments of the invention;

Fig. 1a shows an exemplary first data structure according to an embodiment of the invention; and

Fig. 2 shows a schematic diagram of a wireless communication system comprising a plurality of wireless communication devices, a base station, an exemplary modified first data structure and an exemplary modified second data structure according to embodiments of the invention.


DETAILED DESCRIPTION OF THE EMBODIMENTS



[0028] In the following description, reference is made to the accompanying drawings, which form part of the disclosure, and in which are shown, by way of illustration, specific aspects in which the present invention may be placed. It is understood that other aspects may be utilized and structural or logical changes may be made without departing from the scope of the present invention. The following detailed description, therefore, is not to be taken in a limiting sense, as the scope of the present invention is defined by the appended claims.

[0029] For instance, it is understood that a disclosure in connection with a described method may also hold true for a corresponding device or system configured to perform the method and vice versa. For example, if a specific method step is described, a corresponding device may include a unit to perform the described method step, even if such unit is not explicitly described or illustrated in the figures. Further, it is understood that the features of the various exemplary aspects described herein may be combined with each other, unless specifically noted otherwise.

[0030] Fig. 1 shows a schematic diagram of a wireless communication system 100 comprising a wireless communication device 101i, a further wireless communication device 101j, and a base station 106 according to embodiments of the invention.

[0031] The wireless communication device 101i is configured to communicate with the base station 106 and the wireless communication device 101j. The wireless communication device 101i comprises a transceiver 101i-1 configured to receive a token from the base station 106, and a processor 101i-2 configured to generate a first data structure 102a (see Fig. 1a (b)) on the basis of a function of the token and of a key ki of the wireless communication device 101i, and a second data structure comprising an identity idi of the wireless communication device 101i. The transceiver 101i-1 is further configured to broadcast the first data structure 102a and the second data structure to the further wireless communication device 101j and the base station 106.

[0032] The further wireless communication device 101j is configured to communicate with the base station 106 and the wireless communication device 101i. The further wireless communication device 101j comprises a transceiver 101j-1 configured to receive the token from the base station 106, the first data structure 102a generated on the basis of the function of the token and of the key ki of the wireless communication device 101i, and the second data structure comprising the identity idi of the wireless communication device 101i, and a processor 101j-2 configured to add a data element based on a function of the token and of a key kj of the further wireless communication device 101j to the first data structure 102a, and to add an identity idj of the further wireless communication device 101j to the second data structure for obtaining a modified first data structure and a modified second data structure. The transceiver 101j-1 is further configured to broadcast the modified first data structure and the modified second data structure to the wireless communication device 101 i and the base station 106.

[0033] The base station 106 is configured to communicate with the wireless communication device 101i and the further wireless communication device 101j. The base station 106 comprises a transceiver 106-1 configured to receive the first data structure 102a and the second data structure generated by the wireless communication device 101i (or the modified first data structure and the modified second data structure generated by the further wireless communication device 101j), wherein the first data structure 102a is based on the function of the token provided by the base station 106 and of the key ki of the wireless communication device 101i, and wherein the second data structure comprises the identity idi of the wireless communication device 101i, and a processor 106-2 configured to derive the key ki of the wireless communication device 101i on the basis of the second data structure and to authenticate the wireless communication device 101i on the basis of the key ki and of the first data structure 102a of the wireless communication device 101i.

[0034] In an embodiment, the function applied to the token and the key ki of the wireless communication device 101i has a uniform output distribution and, preferably, is collision resistant, namely it is difficult to find two different tokens that result in the same output.

[0035] In an embodiment, the first data structure 102a is a Bloom Filter (BF) (see Fig. 1a), which is a space-efficient data structure that can be used to perform a set-membership test, wherein the set-membership test allows to check if, for example, the wireless communication device 101 i is a legitimate device, i.e., an identifiable wireless communication device that shares a secret key, e.g. ki, with the base station 106.

[0036] In particular, a BF is an array of length m, with all entries set to 0 (see Fig. 1a (a)). To perform the set-membership test, the processor 101i-2 can be configured to select n hash functions mapping elements from the set to values 1 to m uniformly at random (see Fig. 1a (b)). In embodiments of the invention, n is much smaller than m.

[0037] Moreover, in order to add an element e to the BF, the processor 101i-2 can be configured to compute the value of all hash functions on e, and to set the entry of the BF equal to one accordingly (see Fig. 1a (b)). Furthermore, for testing the set-membership of e, the processor 101i-2 can be configured to re-compute the hashes (see Fig. 1a (c)): if at least one value corresponds to a 0-entry, then e is not in the BF; and if all values correspond to 1-entries, then e may be in the BF, i.e., false positives are possible.

[0038] In embodiments of the invention, the false positive rate of the BF can be kept low in order to avoid attempts from an adversary to get authenticated to the base station 106 while not being authorized to. This can be ensured by selecting the parameters (m,n,L) defining the BF accordingly, wherein m is the length of the BF, n is the number of hashes for adding an element to the BF, and L is the number of the wireless communication devices authenticating to the base station 106. In an embodiment, the number of hash functions n to minimize the probability of false positives is given by the following equation:



[0039] In embodiments of the invention, in order to maintain the secrecy of the key ki added to the BF, cryptographic hash functions can be used with the Bloom Filter.

[0040] In embodiments of the invention, the processor 101i-2 can be configured to use, for example, the parameters (m,n,L) shown in table 1 in order to define the BF.
Table 1: Parameters (m,n,L) defining the BF according to an embodiment.
nmL
9 128 15
18 256 50


[0041] Embodiments of the invention making use of BFs as first data structures have the advantage of providing very efficient data structures in terms of space, since the time to add elements or test membership is constant, namely it does not depend on the number of elements in the BF or the set. Moreover, this has the advantage of improving the performance of the authentication protocol. Another advantage of using a BF is due to the fact that there are no false negatives, namely the membership test for the secret values, e.g., keys ki and kj, shared between the wireless communication devices 101i, 101j and the base station 106, and which have been added to the Bloom Filter, will always succeed.

[0042] In another embodiment, the first data structure 102a is an aggregate message authentication code (MAC).

[0043] In an embodiment of the invention, the processor 106-2 of the base station 106 is configured to generate by means of a Private Key Generator (PKG) a pair of master keys (msk, mpk) = (s, (g, gs)). In this embodiment, the wireless communication devices 101i, 101j, and the base station 106 comprise a private key H(idi)s provided by the PKG, wherein H is a cryptographic hash function. In this embodiment, the following steps take place:

1st step: the base station 106 broadcasts the token r;

2nd step: in order to authenticate, the processor 101i-2 of the wireless communication device 101i computes its key ki on the basis of the following equation:

wherein r is the token, H' and H are cryptographic hash functions, idBS is the identity of the base station 106, e is a bilinear pairing function, and s is a master key. For example, s is the master secret key hold by the base station 106. The processor 101i-2 of the wireless communication device 101i is configured to add ki to the first data structure 102a, e.g., the BF, to append the identity idi of the wireless communication device 101i to the second data structure, and to pass the two arrays or data structures (the BF and the one containing the identities) to the further wireless communication device 101j.

3rd step: in order to verify whether the wireless communication devices that populate the BF are legitimate, for each identity idi/j in the second data structure, the processor 106-2 of the base station 106 computes the key ki/j on the basis of the following equation:

wherein H' and H are cryptographic hash functions, idBS is the identity of the base station 106, and s is the key of the pair of master keys. Then, the processor 106-2 checks if the key ki/j belongs to the BF. Namely, if any of the entries of the BF is 0, then the key ki/j is rejected, and if all and only those entries are 1, then the key ki/j is accepted.



[0044] This embodiment has the advantage of introducing a separate PKG, which decouples the role of the base station 106 and of the master key holder, which can be useful in many scenarios (e.g., group authentication between a base station and mobile nodes). Moreover, this embodiment maintains the lightweight performance in terms of communication, while adding some computational costs due to the use of pairings.

[0045] In another embodiment of the invention the PKG generates a master key pair (msk,mpk) = (x, (P,Y = xP)), wherein P is a public parameter. In this embodiment, each wireless communication device 101i/101j is equipped with an identity idi/j and the private key (R, s) such that:

and

wherein H is a cryptographic hash function. In this embodiment, the following steps take place:

1st step: the base station 106 broadcasts the token tP, wherein t is an integer chosen uniformly at random;

2nd step: in order to authenticate, the processor 101i-2 of the wireless communication device 101i with identity idi computes its key ki on the basis of the following equation:


Then, the processor 101i-2 of the wireless communication device 101i adds the key ki to the BF, and appends its identity (idi,R) to the second data structure, and passes the two arrays (the first data structure 102a, in this embodiment the BF, and the second data structure containing the identities) to the further wireless communication device 101j;

3rd step: in order to verify whether the wireless communication devices 101i and 101j that have populated the BF are legitimate, the processor 106-2 of the base station 106, for each (idi/j,R) appended in the second data structure, computes the key ki/j of the wireless communication device 101i/j on the basis of the following equation:

and checks if it belongs to the first data structure 102a, which in this embodiment is a BF. In other words, if any of the entries of the BF is 0, then the key ki/j is rejected, and if all and only those entries are 1, then the key ki/j is accepted.



[0046] This embodiment of the invention provides the advantage of having a separate PKG, which decouples the role of the base station 106 and master key holder, and of recovering computation efficiency by eliminating the need for pairings. Communication costs are slightly increased since in the appended array devices have to transmit their identity together with their value R.

[0047] In another embodiment of the invention the PKG generates a master key pair (msk,mpk) = (x, (P, Y = xP)). In this embodiment, each wireless communication device 101i, 101j, and the base station 106 are equipped with the respective identities (idi, idj, and idBS) and the private key (R,s) provided by the PKG in such a way that:

and

wherein H' and H are cryptographic hash functions. In this embodiment, the following steps take place:

1st step: the transceiver 106-1 of the base station 106 broadcasts the token t. The base station 106 has a private key (R',s');

2nd step: in order to authenticate, the processor 101i-2 of the wireless communication device 101i computes the key ki of the wireless communication device 101i on the basis of the following equation:


Then, the processor 101i-2 adds ki to the BF, appends its identity (idi,R) to the second data structure, and passes the two data structures (the BF and the one containing the identities) to the further wireless communication device 101j;

3rd step: in order to verify whether the wireless communication devices 101i and 101j are legitimate, the processor 106-2 of the base station 106, for each (idi/j,R) in the second data structure, derives the key ki/j of the wireless communication device 101i/101j on the basis of the following equation:

and checks if it belongs to the first data structure 102a, which in this embodiment is a BF. In other words, if any of the entries of the BF is 0, then the key ki/j is rejected, and if all and only those entries are 1, then the key ki/j is accepted.



[0048] This embodiment of the invention provides the advantage of having a separate PKG, which decouples the role of the base station 106 and of the master key holder, and of recovering computation efficiency by eliminating the need for pairings. Communication costs are slightly increased since in the first data structure 102a and in the second data structure the wireless communication devices 101i and 101j should transmit their identities idi and idj together with their value R. Moreover, if there is any subsequent session with a new token t', then the wireless communication devices 101i and 101j and the base station 106 can simply recompute H' by changing the second input only. Therefore, the computation involved is minimized.

[0049] In another embodiment of the invention, the wireless communication devices 101i and 101j are a set of sensors which want to communicate with a local reader (e.g., in a smart home) and, in order to do so, should authenticate to the reader. In this embodiment, the nodes may be static, and the network topology would be typically known.

[0050] The aforementioned embodiments of the invention solve the problem of lightweight group authentication in a network in which the wireless communication devices 101i and 101j are equipped with identities. Moreover, embodiments of the invention advantageously overcome the limitations of prior art solutions since, simultaneously, they are lightweight, they handle group authentication and they are suitable for an identity-based setting.

[0051] Fig. 2 shows a schematic diagram of a wireless communication system 100 comprising a plurality of wireless communication devices 101i, 101j, 101l, 101m, 101n, and the base station 106, an exemplary modified first data structure 202a, and an exemplary modified second data structure 202b according to embodiments of the invention.

[0052] In this embodiment of the invention, the base station 106 broadcasts the token r, which is received by the wireless communication devices 101i, 101j, 101l, 101m, and 101n. Then, the processor 101i-2 of the wireless communication device 101i adds its key ki to the first data structure 102a, which in this embodiment is a BF, and appends its identity idi to the second data structure, and passes the first data structure 102a and the second data structure to the wireless communication device 101 l. Afterwards, the wireless communication device 101l, similarly to the wireless communication device 101i, adds its key kl to the first data structure 102a and appends its identity idl to the second data structure. Then, the wireless communication device 101j, similarly to the wireless communication devices 101i and 101l, adds its key kj to the BF 202a, so that the modified first data structure 202a is obtained, and appends its identity idj to the second data structure 202b, so that the modified second data structure 202b is obtained. Finally, the wireless communication device 101j sends the modified first data structure 202a and the modified second data structure 202b to the base station 106.

[0053] While a particular feature or aspect of the disclosure may have been disclosed with respect to only one of several implementations or embodiments, such feature or aspect may be combined with one or more other features or aspects of the other implementations or embodiments as may be desired and advantageous for any given or particular application. Furthermore, to the extent that the terms "include", "have", "with", or other variants thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term "comprise". Also, the terms "exemplary", "for example" and "e.g." are merely meant as an example, rather than the best or optimal. The terms "coupled" and "connected", along with derivatives may have been used. It should be understood that these terms may have been used to indicate that two elements cooperate or interact with each other regardless whether they are in direct physical or electrical contact, or they are not in direct contact with each other.

[0054] Although specific aspects have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that a variety of alternate and/or equivalent implementations may be substituted for the specific aspects shown and described without departing from the scope of the present disclosure. This application is intended to cover any adaptations or variations of the specific aspects discussed herein.

[0055] Although the elements in the following claims are recited in a particular sequence with corresponding labeling, unless the claim recitations otherwise imply a particular sequence for implementing some or all of those elements, those elements are not necessarily intended to be limited to being implemented in that particular sequence.

[0056] Many alternatives, modifications, and variations will be apparent to those skilled in the art in light of the above teachings. Of course, those skilled in the art readily recognize that there are numerous applications of the invention beyond those described herein. While the present invention has been described with reference to one or more particular embodiments, those skilled in the art recognize that many changes may be made thereto without departing from the scope of the present invention. It is therefore to be understood that within the scope of the appended claims and their equivalents, the invention may be practiced otherwise than as specifically described herein.


Claims

1. A wireless communication device (101i) of a group of wireless communication devices configured to communicate with a base station (106), the wireless communication device (101i) comprising:

a transceiver (101i-1) configured to receive a token from the base station (106); and

a processor (101i-2) configured to generate a first data structure (102a) on the basis of a function of the token and of a key ki of the wireless communication device (101i) and a second data structure comprising an identity idi of the wireless communication device (101i);

wherein the transceiver (101i-1) is further configured to broadcast the first data structure (102a) and the second data structure to the group of wireless communication devices and the base station (106),

characterized in that the processor (101i-2) is further configured to compute the key ki of the wireless communication device (101i) on the basis of the following equation:

wherein r is the token, H' and H are cryptographic hash functions, idBS is an identity of the base station, e is a bilinear pairing function, and s is a master key.


 
2. A wireless communication device (101i) of a group of wireless communication devices configured to communicate with a base station (106), the wireless communication device (101i) comprising:

a transceiver (101i-1) configured to receive a token from the base station (106); and

a processor (101i-2) configured to generate a first data structure (102a) on the basis of a function of the token and of a key ki of the wireless communication device (101i) and a second data structure comprising an identity idi of the wireless communication device (101i);

wherein the transceiver (101i-1) is further configured to broadcast the first data structure (102a) and the second data structure to the group of wireless communication devices and the base station (106),

characterized in that

the processor (101i-2) is further configured to compute the key ki of the wireless communication device (101i) on the basis of the following equation:

wherein t is a random integer, P is a public parameter, tP is the token, (x, (P,Y = xP)) is a key pair, s = r + xH(R,idi), H is a cryptographic hash function, and

R = rP.


 
3. A wireless communication device (101i) of a group of wireless communication devices configured to communicate with a base station (106), the wireless communication device (101i) comprising:

a transceiver (101i-1) configured to receive a token from the base station (106); and

a processor (101i-2) configured to generate a first data structure (102a) on the basis of a function of the token and of a key ki of the wireless communication device (101i) and a second data structure comprising an identity idi of the wireless communication device (101i);

wherein the transceiver (101i-1) is further configured to broadcast the first data structure (102a) and the second data structure to the group of wireless communication devices and the base station (106),

characterized in that the processor (101i-2) is further configured to compute the key ki of the wireless communication device (101i) on the basis of the following equation:

wherein (R,s) is a private key of the wireless communication device (101i), (R',s') is a private key of the base station (106), t is the token,

R = rP, (x, (P,Y = xP)) is a key pair, s = r + xH(R,idi), and H' and H are cryptographic hash functions.


 
4. The wireless communication device (101i) of one of claims 1 - 3, wherein the function of the token and of the key ki of the wireless communication device (101i) has a uniform output distribution.
 
5. The wireless communication device (101i) of one of claims 1 - 4, wherein the first data structure (102a) is a Bloom filter.
 
6. The wireless communication device (101i) of claim 5, wherein a length of the Bloom filter is m, L is a number of wireless communication devices of the group of wireless communication devices, and n is a number of cryptographic hash functions for adding an element to the Bloom filter, being related by the following equation:


 
7. A wireless communication device (101j) of a group of wireless communication devices configured to communicate with a base station (106) and the group of wireless communication devices, the wireless communication device (101j) comprising:

a transceiver (101j-1) configured to receive a token from the base station (106), a first data structure (102a) generated on the basis of a function of the token and of a key ki of a further wireless communication device (101i) and a second data structure comprising an identity idi of the further wireless communication device (101i); and

a processor (101j-2) configured to add a data element based on a function of the token and of a key kj of the wireless communication device (101j) to the first data structure (102a), and to add an identity idj of the wireless communication device (101j) to the second data structure for obtaining a modified first data structure (202a) and a modified second data structure (202b);

wherein the transceiver (101j-1) is further configured to broadcast the modified first data structure (202a) and the modified second data structure (202b) to the group of wireless communication devices and the base station (106),

characterized in that the processor (101j-2) is further configured to compute the key kj of the wireless communication device (101j) on the basis of the following equation:

wherein r is the token, H' and H are cryptographic hash functions, idBS is an identity of the base station (106), e is a bilinear pairing function, and s is a master key.


 
8. A wireless communication device (101j) of a group of wireless communication devices configured to communicate with a base station (106) and the group of wireless communication devices, the wireless communication device (101j) comprising:

a transceiver (101j-1) configured to receive a token from the base station (106), a first data structure (102a) generated on the basis of a function of the token and of a key ki of a further wireless communication device (101i) and a second data structure comprising an identity idi of the further wireless communication device (101i); and

a processor (101j-2) configured to add a data element based on a function of the token and of a key kj of the wireless communication device (101j) to the first data structure (102a), and to add an identity idj of the wireless communication device (101j) to the second data structure for obtaining a modified first data structure (202a) and a modified second data structure (202b);

wherein the transceiver (101j-1) is further configured to broadcast the modified first data structure (202a) and the modified second data structure (202b) to the group of wireless communication devices and the base station (106),

characterized in that the processor (101j-2) is further configured to compute the key kj of the wireless communication device (101j) on the basis of the following equation:

wherein t is an integer, P is a public parameter, tP is the token, (x, (P,Y = xP)) is a key pair, s = r + xH(R,idj), H is a cryptographic hash function, and

R = rP.


 
9. A wireless communication device (101j) of a group of wireless communication devices configured to communicate with a base station (106) and the group of wireless communication devices, the wireless communication device (101j) comprising:

a transceiver (101j-1) configured to receive a token from the base station (106), a first data structure (102a) generated on the basis of a function of the token and of a key ki of a further wireless communication device (101i) and a second data structure comprising an identity idi of the further wireless communication device (101i); and

a processor (101j-2) configured to add a data element based on a function of the token and of a key kj of the wireless communication device (101j) to the first data structure (102a), and to add an identity idj of the wireless communication device (101j) to the second data structure for obtaining a modified first data structure (202a) and a modified second data structure (202b);

wherein the transceiver (101j-1) is further configured to broadcast the modified first data structure (202a) and the modified second data structure (202b) to the group of wireless communication devices and the base station (106),

characterized in that the processor (101j-2) is further configured to compute the key kj of the wireless communication device (101j) on the basis of the following equation:

wherein (R,s) is a private key of the wireless communication device (101j), (R',s') is a private key of the base station (106), t is the token,

R = rP, (x, (P, Y = xP)) is a key pair, s = r + xH(R, idj), and H' and H are cryptographic hash functions.


 
10. The wireless communication device (101j) of one of claims 7 - 9, wherein the function of the token and of the key kj of the wireless communication device (101j) has a uniform output distribution.
 
11. The wireless communication device (101j) of one of claims 7 - 10 wherein at least one of the first data structure (102a) or modified first data structure (202a) is a Bloom filter.
 
12. A base station (106) configured to communicate with at least one wireless communication device (101i) of a group of wireless communication devices in a wireless communication network (100), the base station (106) comprising:

a transceiver (106-1) configured to receive a first data structure (102a) and a second data structure generated by the at least one wireless communication device (101i), wherein the first data structure (102a) is based on a function of a token provided by the base station (106) and of a key ki of the at least one wireless communication device (101i), and wherein the second data structure comprises an identity idi of the at least one wireless communication device (101i); and

a processor (106-2) configured to derive the key ki of the at least one wireless communication device (101i) on the basis of the second data structure and to authenticate the at least one wireless communication device (101i) on the basis of the key ki and of the first data structure (102a) of the at least one wireless communication device (101i),

characterized in that the processor (106-2) is further configured to derive the key ki of the at least one wireless communication device (101i) on the basis of the following equation:

wherein r is the token, H' and H are cryptographic hash functions, idBS is an identity of the base station (106), and s is a master key.


 
13. A base station (106) configured to communicate with at least one wireless communication device (101i) of a group of wireless communication devices in a wireless communication network (100), the base station (106) comprising:

a transceiver (106-1) configured to receive a first data structure (102a) and a second data structure generated by the at least one wireless communication device (101i), wherein the first data structure (102a) is based on a function of a token provided by the base station (106) and of a key ki of the at least one wireless communication device (101i), and wherein the second data structure comprises an identity idi of the at least one wireless communication device (101i); and

a processor (106-2) configured to derive the key ki of the at least one wireless communication device (101i) on the basis of the second data structure and to authenticate the at least one wireless communication device (101i) on the basis of the key ki and of the first data structure (102a) of the at least one wireless communication device (101i),

characterized in that the processor (106-2) is further configured to derive the key ki of the at least one wireless communication device (101i) on the basis of the following equation:

wherein t is an integer, P is a public parameter, tP is the token, (x, (P,Y = xP)) is a key pair, s = r + xH(R,idi), H is a cryptographic hash function, and

R = rP.


 
14. A base station (106) configured to communicate with at least one wireless communication device (101i) of a group of wireless communication devices in a wireless communication network (100), the base station (106) comprising:

a transceiver (106-1) configured to receive a first data structure (102a) and a second data structure generated by the at least one wireless communication device (101i), wherein the first data structure (102a) is based on a function of a token provided by the base station (106) and of a key ki of the at least one wireless communication device (101i), and wherein the second data structure comprises an identity idi of the at least one wireless communication device (101i); and

a processor (106-2) configured to derive the key ki of the at least one wireless communication device (101i) on the basis of the second data structure and to authenticate the at least one wireless communication device (101i) on the basis of the key ki and of the first data structure (102a) of the at least one wireless communication device (101i),

characterized in that the processor (106-2) is further configured to derive the key ki of the at least one wireless communication device (101i) on the basis of the following equation:

wherein (R,s) is a private key of the at least one wireless communication device (101i), (R',s') is a private key of the base station (106), t is the token,

R = rP, (x, (P,Y = xP)) is a key pair, s = r + xH(R,idi), and H' and H are cryptographic hash functions.


 


Ansprüche

1. Drahtlose Kommunikationseinrichtung (101i) aus einer Gruppe drahtloser Kommunikationseinrichtungen, die konfiguriert ist, mit einer Basisstation (106) zu kommunizieren, wobei die drahtlose Kommunikationseinrichtung (101i) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (101i-1), die konfiguriert ist, einen Token von der Basisstation (106) zu empfangen; und

einen Prozessor (101i-2), der konfiguriert ist, eine erste Datenstruktur (102a) auf der Grundlage einer Funktion des Tokens und eines Schlüssels ki der drahtlosen Kommunikationseinrichtung (101i) und eine zweite Datenstruktur, die eine Identität idi der drahtlosen Kommunikationseinrichtung (101i) umfasst, zu erzeugen; wobei die Sende-/Empfangseinrichtung (101i-1) ferner konfiguriert ist, die erste Datenstruktur (102a) und die zweite Datenstruktur zur Gruppe drahtloser Kommunikationseinrichtungen und zur Basisstation (106) zu übertragen,

dadurch gekennzeichnet, dass

der Prozessor (101i-2) ferner konfiguriert ist, den Schlüssel ki der drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

r der Token ist, H' und H kryptographische Prüfsummenfunktionen sind, idBS eine Identität der Basisstation ist, e eine bilineare Paarfunktion ist und s ein Hauptschlüssel ist.


 
2. Drahtlose Kommunikationseinrichtung (101i) aus einer Gruppe drahtloser Kommunikationseinrichtungen, die konfiguriert ist, mit einer Basisstation (106) zu kommunizieren, wobei die drahtlose Kommunikationseinrichtung (101i) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (101i-1), die konfiguriert ist, einen Token von der Basisstation (106) zu empfangen; und

einen Prozessor (101i-2), der konfiguriert ist, eine erste Datenstruktur (102a) auf der Grundlage einer Funktion des Tokens und eines Schlüssels ki der drahtlosen Kommunikationseinrichtung (101i) und eine zweite Datenstruktur, die eine Identität idi der drahtlosen Kommunikationseinrichtung (101i) umfasst, zu erzeugen; wobei die Sende-/Empfangseinrichtung (101i-1) ferner konfiguriert ist, die erste Datenstruktur (102a) und die zweite Datenstruktur zur Gruppe drahtloser Kommunikationseinrichtungen und zur Basisstation (106) zu übertragen,

dadurch gekennzeichnet, dass

der Prozessor (101i-2) ferner konfiguriert ist, den Schlüssel ki der drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

t eine zufällige ganze Zahl ist, P ein öffentlicher Parameter ist, tP der Token ist, (x, (P, Y = xP)) ein Schlüsselpaar ist, s = r + xH(R, idi), H eine kryptographische Prüfsummenfunktion ist und rR Zq*, R = rP.


 
3. Drahtlose Kommunikationseinrichtung (101i) aus einer Gruppe drahtloser Kommunikationseinrichtungen, die konfiguriert ist, mit einer Basisstation (106) zu kommunizieren, wobei die drahtlose Kommunikationseinrichtung (101i) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (101i-1), die konfiguriert ist, einen Token von der Basisstation (106) zu empfangen; und

einen Prozessor (101i-2), der konfiguriert ist, eine erste Datenstruktur (102a) auf der Grundlage einer Funktion des Tokens und eines Schlüssels ki der drahtlosen Kommunikationseinrichtung (101i) und eine zweite Datenstruktur, die eine Identität idi der drahtlosen Kommunikationseinrichtung (101i) umfasst, zu erzeugen; wobei die Sende-/Empfangseinrichtung (101i-1) ferner konfiguriert ist, die erste Datenstruktur (102a) und die zweite Datenstruktur zur Gruppe drahtloser Kommunikationseinrichtungen und zur Basisstation (106) zu übertragen,

dadurch gekennzeichnet, dass

der Prozessor (101i-2) ferner konfiguriert ist, den Schlüssel ki der drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

(R, s) ein privater Schlüssel der drahtlosen Kommunikationseinrichtung (101i) ist, (R', s') ein privater Schlüssel der Basisstation (106) ist, t der Token ist, rR Zq*, R = rP, (x, (P, Y = xP)) ein Schlüsselpaar ist, s = r + xH(R, idi) und H' und H kryptographische Prüfsummenfunktionen sind.


 
4. Drahtlose Kommunikationseinrichtung (101i) nach einem der Ansprüche 1-3, wobei die Funktion des Tokens und des Schlüssels ki der drahtlosen Kommunikationseinrichtung (101i) eine gleichförmige Ausgangsverteilung besitzt.
 
5. Drahtlose Kommunikationseinrichtung (101i) nach einem der Ansprüche 1-4, wobei die erste Datenstruktur (102a) ein Bloomfilter ist.
 
6. Drahtlose Kommunikationseinrichtung (101i) nach Anspruch 5, wobei die Länge des Bloomfilters m ist, L die Anzahl drahtloser Kommunikationseinrichtungen aus der Gruppe drahtloser Kommunikationseinrichtungen ist und n die Anzahl kryptographischer Prüfsummenfunktionen zum Hinzufügen eines Elements des Bloomfilters ist, die durch folgende Funktion in Beziehung stehen:


 
7. Drahtlose Kommunikationseinrichtung (101j) aus einer Gruppe drahtloser Kommunikationseinrichtungen, die konfiguriert ist, mit einer Basisstation (106) und der Gruppe drahtloser Kommunikationseinrichtungen zu kommunizieren, wobei die drahtlose Kommunikationseinrichtung (101j) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (101j-1), die konfiguriert ist, einen Token von der Basisstation (106), eine erste Datenstruktur (102a), die auf der Grundlage einer Funktion des Tokens und eines Schlüssels ki einer weiteren drahtlosen Kommunikationseinrichtung (101i) erzeugt wurde, und eine zweite Datenstruktur, die eine Identität idi der weiteren drahtlosen Kommunikationseinrichtung (101i) umfasst, zu empfangen; und

einen Prozessor (101j-2), der konfiguriert ist, auf der Grundlage einer Funktion des Tokens und eines Schlüssels kj der drahtlosen Kommunikationseinrichtung (101j) der ersten Datenstruktur (102a) ein Datenelement hinzuzufügen, und der zweiten Datenstruktur eine Identität idj der drahtlosen Kommunikationseinrichtung (101j) hinzuzufügen, um eine geänderte erste Datenstruktur (202a) und eine geänderte zweite Datenstruktur (202b) zu erhalten; wobei

die Sende-/Empfangseinrichtung (101j-1) ferner konfiguriert ist, die geänderte erste Datenstruktur (202a) und die geänderte zweite Datenstruktur (202b) zur Gruppe drahtloser Kommunikationseinrichtungen und zur Basisstation (106) zu übertragen,

dadurch gekennzeichnet, dass

der Prozessor (101j-2) ferner konfiguriert ist, den Schlüssel kj der drahtlosen Kommunikationseinrichtung (101j) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

r der Token ist, H' und H kryptographische Prüfsummenfunktionen sind, idBS eine Identität der Basisstation (106) ist, e eine bilineare Paarfunktion ist und s ein Hauptschlüssel ist.


 
8. Drahtlose Kommunikationseinrichtung (101j) aus einer Gruppe drahtloser Kommunikationseinrichtungen, die konfiguriert ist, mit einer Basisstation (106) und der Gruppe drahtloser Kommunikationseinrichtungen zu kommunizieren, wobei die drahtlose Kommunikationseinrichtung (101j) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (101j-1), die konfiguriert ist, einen Token von der Basisstation (106), eine erste Datenstruktur (102a), die auf der Grundlage einer Funktion des Tokens und eines Schlüssels ki einer weiteren drahtlosen Kommunikationseinrichtung (101i) erzeugt wurde, und eine zweite Datenstruktur, die eine Identität idi der weiteren drahtlosen Kommunikationseinrichtung (101i) umfasst, zu empfangen; und

einen Prozessor (101j-2), der konfiguriert ist, auf der Grundlage einer Funktion des Tokens und eines Schlüssels kj der drahtlosen Kommunikationseinrichtung (101j) der ersten Datenstruktur (102a) ein Datenelement hinzuzufügen, und der zweiten Datenstruktur eine Identität idj der drahtlosen Kommunikationseinrichtung (101j) hinzuzufügen, um eine geänderte erste Datenstruktur (202a) und eine geänderte zweite Datenstruktur (202b) zu erhalten; wobei

die Sende-/Empfangseinrichtung (101j-1) ferner konfiguriert ist, die geänderte erste Datenstruktur (202a) und die geänderte zweite Datenstruktur (202b) zur Gruppe drahtloser Kommunikationseinrichtungen und zur Basisstation (106) zu übertragen,

dadurch gekennzeichnet, dass

der Prozessor (101j-2) ferner konfiguriert ist, den Schlüssel kj der drahtlosen Kommunikationseinrichtung (101j) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

t eine ganze Zahl ist, P ein öffentlicher Parameter ist, tP der Token ist, (x, (P, Y = xP)) ein Schlüsselpaar ist, s = r + xH(R, idj), H eine kryptographische Prüfsummenfunktion ist und rR Zq*, R = rP.


 
9. Drahtlose Kommunikationseinrichtung (101j) aus einer Gruppe drahtloser Kommunikationseinrichtungen, die konfiguriert ist, mit einer Basisstation (106) und der Gruppe drahtloser Kommunikationseinrichtungen zu kommunizieren, wobei die drahtlose Kommunikationseinrichtung (101j) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (101j-1), die konfiguriert ist, einen Token von der Basisstation (106), eine erste Datenstruktur (102a), die auf der Grundlage einer Funktion des Tokens und eines Schlüssels ki einer weiteren drahtlosen Kommunikationseinrichtung (101i) erzeugt wurde, und eine zweite Datenstruktur, die eine Identität idi der weiteren drahtlosen Kommunikationseinrichtung (101i) umfasst, zu empfangen; und

einen Prozessor (101j-2), der konfiguriert ist, auf der Grundlage einer Funktion des Tokens und eines Schlüssels kj der drahtlosen Kommunikationseinrichtung (101j) der ersten Datenstruktur (102a) ein Datenelement hinzuzufügen, und der zweiten Datenstruktur eine Identität idj der drahtlosen Kommunikationseinrichtung (101j) hinzuzufügen, um eine geänderte erste Datenstruktur (202a) und eine geänderte zweite Datenstruktur (202b) zu erhalten; wobei

die Sende-/Empfangseinrichtung (101j-1) ferner konfiguriert ist, die geänderte erste Datenstruktur (202a) und die geänderte zweite Datenstruktur (202b) zur Gruppe drahtloser Kommunikationseinrichtungen und zur Basisstation (106) zu übertragen,

dadurch gekennzeichnet, dass

der Prozessor (101j-2) ferner konfiguriert ist, den Schlüssel kj der drahtlosen Kommunikationseinrichtung (101j) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

(R, s) ein privater Schlüssel der drahtlosen Kommunikationseinrichtung (101j) ist, (R', s') ein privater Schlüssel der Basisstation (106) ist, t der Token ist, rRZq*, R = rP, (x, (P, Y = xP)) ein Schlüsselpaar ist, s = r + xH(R, idj) und H' und H kryptographische Prüfsummenfunktionen sind.


 
10. Drahtlose Kommunikationseinrichtung (101j) nach einem der Ansprüche 7-9, wobei die Funktion des Tokens und des Schlüssels kj der drahtlosen Kommunikationseinrichtung (101j) eine gleichförmige Ausgangsverteilung besitzt.
 
11. Drahtlose Kommunikationseinrichtung (101j) nach einem der Ansprüche 7-10, wobei die erste Datenstruktur (102a) und/oder die geänderte erste Datenstruktur (202a) ein Bloomfilter ist.
 
12. Basisstation (106), die konfiguriert ist, mit mindestens einer drahtlosen Kommunikationseinrichtung (101i) aus einer Gruppe drahtloser Kommunikationseinrichtungen in einem drahtlosen Kommunikationsnetz (100) zu kommunizieren, wobei die Basisstation (106) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (106-1), die konfiguriert ist, eine erste Datenstruktur (102a) und eine zweite Datenstruktur, die durch die mindestens eine drahtlose Kommunikationseinrichtung (101i) erzeugt wurden, zu empfangen, wobei die erste Datenstruktur (102a) auf einer Funktion eines Tokens, der durch die Basisstation (106) bereitgestellt wird, und eines Schlüssels ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) basiert und die zweite Datenstruktur eine Identität idi der mindestens einen drahtlosen Kommunikationseinrichtung (101i) umfasst; und

einen Prozessor (106-2), der konfiguriert ist, den Schlüssel ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der zweiten Datenstruktur herzuleiten und die mindestens eine drahtlose Kommunikationseinrichtung (101i) auf der Grundlage des Schlüssels ki und der ersten Datenstruktur (102a) der mindestens einen drahtlosen Kommunikationseinrichtung (101i) zu authentifizieren,

dadurch gekennzeichnet, dass

der Prozessor (106-2) ferner konfiguriert ist, den Schlüssel ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

r der Token ist, H' und H kryptographische Prüfsummenfunktionen sind, idBS eine Identität der Basisstation (106) ist und s ein Hauptschlüssel ist.


 
13. Basisstation (106), die konfiguriert ist, mit mindestens einer drahtlosen Kommunikationseinrichtung (101i) aus einer Gruppe drahtloser Kommunikationseinrichtungen in einem drahtlosen Kommunikationsnetz (100) zu kommunizieren, wobei die Basisstation (106) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (106-1), die konfiguriert ist, eine erste Datenstruktur (102a) und eine zweite Datenstruktur, die durch die mindestens eine drahtlose Kommunikationseinrichtung (101i) erzeugt wurden, zu empfangen, wobei die erste Datenstruktur (102a) auf einer Funktion eines Tokens, der durch die Basisstation (106) bereitgestellt wird, und eines Schlüssels ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) basiert und die zweite Datenstruktur eine Identität idi der mindestens einen drahtlosen Kommunikationseinrichtung (101i) umfasst; und

einen Prozessor (106-2), der konfiguriert ist, den Schlüssel ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der zweiten Datenstruktur herzuleiten und die mindestens eine drahtlose Kommunikationseinrichtung (101i) auf der Grundlage des Schlüssels ki und der ersten Datenstruktur (102a) der mindestens einen drahtlosen Kommunikationseinrichtung (101i) zu authentifizieren,

dadurch gekennzeichnet, dass

der Prozessor (106-2) ferner konfiguriert ist, den Schlüssel ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

t eine ganze Zahl ist, P ein öffentlicher Parameter ist, tP der Token ist, (x, (P, Y = xP)) ein Schlüsselpaar ist, s = r + xH(R, idi), H eine kryptographische Prüfsummenfunktion ist und rRZq*, R = rP.


 
14. Basisstation (106), die konfiguriert ist, mit mindestens einer drahtlosen Kommunikationseinrichtung (101i) aus einer Gruppe drahtloser Kommunikationseinrichtungen in einem drahtlosen Kommunikationsnetz (100) zu kommunizieren, wobei die Basisstation (106) Folgendes umfasst:

eine Sende-/Empfangseinrichtung (106-1), die konfiguriert ist, eine erste Datenstruktur (102a) und eine zweite Datenstruktur, die durch die mindestens eine drahtlose Kommunikationseinrichtung (101i) erzeugt wurden, zu empfangen, wobei die erste Datenstruktur (102a) auf einer Funktion eines Tokens, der durch die Basisstation (106) bereitgestellt wird, und eines Schlüssels ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) basiert und die zweite Datenstruktur eine Identität idi der mindestens einen drahtlosen Kommunikationseinrichtung (101i) umfasst; und

einen Prozessor (106-2), der konfiguriert ist, den Schlüssel ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der zweiten Datenstruktur herzuleiten und die mindestens eine drahtlose Kommunikationseinrichtung (101i) auf der Grundlage des Schlüssels ki und der ersten Datenstruktur (102a) der mindestens einen drahtlosen Kommunikationseinrichtung (101i) zu authentifizieren,

dadurch gekennzeichnet, dass

der Prozessor (106-2) ferner konfiguriert ist, den Schlüssel ki der mindestens einen drahtlosen Kommunikationseinrichtung (101i) auf der Grundlage der folgenden Gleichung zu berechnen:

wobei

(R, s) ein privater Schlüssel der mindestens einen drahtlosen Kommunikationseinrichtung (101i) ist, (R', s') ein privater Schlüssel der Basisstation (106) ist, t der Token ist, rR Zq*, R = rP, (x, (P, Y = xP)) ein Schlüsselpaar ist, s = r + xH(R, idi) und H' und H kryptographische Prüfsummenfunktionen sind.


 


Revendications

1. Dispositif de communication sans fil (101i) d'un groupe de dispositifs de communication sans fil configuré pour communiquer avec une station de base (106), le dispositif de communication sans fil (101i) comprenant :

un émetteur-récepteur (101i-1) configuré pour recevoir un jeton depuis la station de base (106) ; et

un processeur (101i-2) configuré pour générer une première structure de données (102a) sur la base d'une fonction du jeton et d'une clé ki du dispositif de communication sans fil (101i) et une seconde structure de données comprenant une identité idi du dispositif de communication sans fil (101i) ;

dans lequel l'émetteur-récepteur (101i-1) est configuré en outre pour diffuser la première structure de données (102a) et la seconde structure de données au groupe de dispositifs de communication sans fil et à la station de base (106),

caractérisé en ce que

le processeur (101i-2) est configuré en outre pour calculer la clé ki du dispositif de communication sans fil (101i) sur la base de l'équation suivante :

dans lequel r est le jeton, H' et H sont des fonctions de hachage cryptographiques, idBS est une identité de la station de base, e est une fonction de pairage bilinéaire, et s est une clé maîtresse.


 
2. Dispositif de communication sans fil (101i) d'un groupe de dispositifs de communication sans fil configuré pour communiquer avec une station de base (106), le dispositif de communication sans fil (101i) comprenant :

un émetteur-récepteur(101i-1) configuré pour r ecevoir un jeton depuis la station de base (106) ; et

un processeur (101i-2) configuré pour générer une première structure de données (102a) sur la base d'une fonction du jeton et d'une clé ki du dispositif de communication sans fil (101i) et une seconde structure de données comprenant une identité idi du dispositif de communication sans fil (101i) ;

dans lequel l'émetteur-récepteur (101i-1) est configuré en outre pour diffuser la première structure de données (102a) et la seconde structure de données au groupe de dispositifs de communication sans fil et à la station de base (106),

caractérisé en ce que

le processeur (101i-2) est configuré en outre pour calculer la clé ki du dispositif de communication sans fil (101i) sur la base de l'équation suivante :

dans lequel t est un entier aléatoire, P est un paramètre public, tP est le jeton, (x, (P, Y = xP)) est une paire de clés, s = r + xH (R,idi), H est une fonction de hachage cryptographique, et

R= rP.


 
3. Dispositif de communication sans fil (101t) d'un groupe de dispositifs de communication sans fil configuré pour communiquer avec une station de base (106), le dispositif de communication sans fil (101i) comprenant :

un émetteur-récepteur (101i-1) configuré pour recevoir un jeton depuis la station de base (106) ; et

un processeur (101i-2) configuré pour générer une première structure de données (102a) sur la base d'une fonction du jeton et d'une clé ki du dispositif de communication sans fil (101i) et une seconde structure de données comprenant une identité idi du dispositif de communication sans fil (101i) ;

dans lequel l'émetteur-récepteur (101i-1) est configuré en outre pour diffuser la première structure de données (102a) et la seconde structure de données au groupe de dispositifs de communication sans fil et à la station de base (106),

caractérisé en ce que

le processeur (101i-2) est configuré en outre pour calculer la clé du dispositif de communication sans fil (101j) sur la base de l'équation suivante :

dans lequel (R, s) est une clé privée du dispositif de communication sans fil (101i), (R', s') est une clé privée de la station de base (106), t est le jeton,

R= rP,(x,(P,Y = xP)) est une paire de clés, s = r + xH(R, idi), et H' et H sont des fonctions de hachage cryptographiques.


 
4. Dispositif de communication sans fil (101i) selon l'une des revendications 1 à 3, dans lequel la fonction du jeton et de la clé ki du dispositif de communication sans fil (101i) a une distribution de sortie uniforme.
 
5. Dispositif de communication sans fil (101i) selon l'une des revendications 1 à 4, dans lequel la première structure de données (102a) est un filtre de Bloom.
 
6. Dispositif de communication sans fil (101i) selon la revendication 5, dans lequel une longueur du filtre de Bloom est m, L est un nombre de dispositifs de communication sans fil du groupe de dispositifs de communication sans fil, et n est un nombre de fonctions de hachage cryptographiques pour ajouter un élément au filtre de Bloom, lié à l'équation suivante :


 
7. Dispositif de communication sans fil (101j) d'un groupe de dispositifs de communication sans fil configuré pour communiquer avec une station de base (106), le dispositif de communication sans fil (101j) comprenant :

un émetteur-récepteur (101j-1) configuré pour recevoir un jeton depuis la station de base (106), une première structure de données (102a) générée sur la base d'une fonction du jeton et d'une clé ki d'un autre dispositif de communication sans fil (101j) et une seconde structure de données comprenant une identité idi du dispositif de communication sans fil (101i) ; et

un processeur (101j-2) configuré pour ajouter un élément de données sur la base d'une fonction du jeton et d'une clé kj du dispositif de communication sans fil (101j) à la première structure de données (102a), et jouer une identité idj du dispositif de communication sans fil (101j) à la seconde structure de données pour obtenir une première structure de données modifiée (202a) et une seconde structure de données modifiée (202b) ;

dans lequel l'émetteur-récepteur (101i-1) est configuré en outre pour diffuser la première structure de données modifiée (202a) et la seconde structure de données modifiée (202b) au groupe de dispositifs de communication sans fil et à la station de base (106),

caractérisé en ce que

le processeur (101j-2) est configuré en outre pour calculer la clé kj du dispositif de communication sans fil (101j) sur la base de l'équation suivante :

dans lequel r est le jeton, H' et H sont des fonctions de hachage cryptographiques, idBS est une identité de la station de base (106), e est une fonction de pairage bilinéaire, et s est une clé maîtresse.


 
8. Dispositif de communication sans fil (101j) d'un groupe de dispositifs de communication sans fil configuré pour communiquer avec une station de base (106), le dispositif de communication sans fil (101j) comprenant :

un émetteur-récepteur (101j-1) configuré pour recevoir un jeton depuis la station de base (106), une première structure de données (102a) générée sur la base d'une fonction du jeton et d'une clé ki d'un autre dispositif de communication sans fil (101i) et une seconde structure de données comprenant une identité idi du dispositif de communication sans fil (101i) ; et

un processeur (101j-2) configuré pour ajouter un élément de données sur la base d'une fonction du jeton et d'une clé kj du dispositif de communication sans fil (101j) à la première structure de données (102a), et ajouter une identité idj du dispositif de communication sans fil (101j) à la seconde structure de données pour obtenir une première structure de données modifiée (202a) et une seconde structure de données modifiée (202b) ;

dans lequel l'émetteur-récepteur (101j-1) est configuré en outre pour diffuser la première structure de données modifiée (202a) et la seconde structure de données modifiée (202b) au groupe de dispositifs de communication sans fil et à la station de base (106),

caractérisé en ce que

le processeur (101j-2) est configuré en outre pour calculer la clé kj du dispositif de communication sans fil (101j) sur la base de l'équation suivante :

dans lequel t est un entier, P est un paramètre public, tP est le jeton, (x, (P,Y = xP)) est une paire de clés, s = r + xH(R,idj), H est une fonction de hachage cryptographique, et

R= rP.


 
9. Dispositif de communication sans fil (101j) d'un groupe de dispositifs de communication sans fil configuré pour communiquer avec une station de base (106) et le groupe de dispositifs de communication sans fil, le dispositif de communication sans fil (101j) comprenant :

un émetteur-récepteur (101j-1) configuré pour recevoir un jeton depuis la station de base (106), une première structure de données (102a) générée sur la base d'une fonction du jeton et d'une clé ki d'un autre dispositif de communication sans fil (101i) et une seconde structure de données comprenant une identité idi du dispositif de communication sans fil (101i) ; et

un processeur (101j-2) configuré pour ajouter un élément de données sur la base d'une fonction du jeton et d'une clé kj du dispositif de communication sans fil (101j) à la première structure de données (102a), et ajouter une identité idj du dispositif de communication sans fil (101j) à la seconde structure de données pour obtenir une première structure de données modifiée (202a) et une seconde structure de données modifiée (202b) ;

dans lequel l'émetteur-récepteur (101j-1) est configuré en outre pour diffuser la première structure de données modifiée (202a) et la seconde structure de données modifiée (202b) au groupe de dispositifs de communication sans fil et à la station de base (106),

caractérisé en ce que

le processeur (101j-2) est configuré en outre pour calculer la clé kj du dispositif de communication sans fil (101j) sur la base de l'équation suivante :

dans lequel (R, s) est une clé privée du dispositif de communication sans fil (101j), (R', s') est une clé privée de la station de base (106), t est le jeton,

R=rP,(x, (P,Y = xP)) est une paire de clés, s = r + xH(R, idj), et H' et H sont des fonctions de hachage cryptographiques.


 
10. Dispositif de communication sans fil (101j) selon l'une des revendications 7 à 9, dans lequel la fonction du jeton et de la clé kj du dispositif de communication sans fil (101j) a une distribution de sortie uniforme.
 
11. Dispositif de communication sans fil (101j) selon l'une des revendications 7 à 10 dans lequel au moins une de la première structure de données (102a) ou de la première structure de données modifiée (202a) est un filtre de Bloom.
 
12. Station de base (106) configurée pour communiquer avec au moins un dispositif de communication sans fil (101i) d'un groupe de dispositifs de communication sans fil dans un réseau de communication sans fil (100), la station de base (106) comprenant :

un émetteur-récepteur (106-1) configuré pour recevoir une première structure de données (102a) et une seconde structure de données générée par l'au moins un dispositif de communication sans fil (101i), dans lequel la première structure de données (102a) est basée sur une fonction d'un jeton fourni par la station de base (106) et d'une clé ki de l'au moins un dispositif de communication sans fil (101i), et dans lequel la seconde structure de données comprend une identité idi de l'au moins un dispositif de communication sans fil (101i) ; et

un processeur (106-2) configuré pour dériver la clé ki de l'au moins un dispositif de communication sans fil (101i) sur la base de la seconde structure de données et authentifier l'au moins un dispositif de communication sans fil (101i) sur la base de la clé ki et de la première structure de données (102a) de l'au moins un dispositif de communication sans fil (101i),

caractérisé en ce que

le processeur (106-2) est configuré en outre pour dériver la clé ki de l'au moins un dispositif de communication sans fil (101i) sur la base de l'équation suivante :

dans lequel r est le jeton, H' et H sont des fonctions de hachage cryptographiques, idBS est une identité de la station de base (106), et s est une clé maîtresse.


 
13. Station de base (106) configurée pour communiquer avec au moins un dispositif de communication sans fil (101i) d'un groupe de dispositifs de communication sans fil dans un réseau de communication sans fil (100), la station de base (106) comprenant :

un émetteur-récepteur (106-1) configuré pour recevoir une première structure de données (102a) et une seconde structure de données générée par l'au moins un dispositif de communication sans fil (101i), dans lequel la première structure de données (102a) est basée sur une fonction d'un jeton fourni par la station de base (106) et d'une clé ki de l'au moins un dispositif de communication sans fil (101i), et dans lequel la seconde structure de données comprend une identité idi de l'au moins un dispositif de communication sans fil (101i) ; et

un processeur (106-2) configuré pour dériver la clé ki de l'au moins un dispositif de communication sans fil (101i) sur la base de la seconde structure de données et authentifier l'au moins un dispositif de communication sans fil (101i) sur la base de la clé ki et de la première structure de données (102a) de l'au moins un dispositif de communication sans fil (101i),

caractérisé en ce que

le processeur (106-2) est configuré en outre pour dériver la clé ki de l'au moins un dispositif de communication sans fil (101i) sur la base de l'équation suivante :

dans lequel t est un entier, P est un paramètre public, tP est le jeton, (x, (P, Y = xP)) est une paire de clés, s = r + xH(R,idi), H est une fonction de hachage cryptographique, et


 
14. Station de base (106) configurée pour communiquer avec au moins un dispositif de communication sans fil (101i) d'un groupe de dispositifs de communication sans fil dans un réseau de communication sans fil (100), la station de base (106) comprenant :

un émetteur-récepteur (106-1) configuré pour recevoir une première structure de données (102a) et une seconde structure de données générée par l'au moins un dispositif de communication sans fil (101i), dans lequel la première structure de données (102a) est basée sur une fonction d'un jeton fourni par la station de base (106) et d'une clé ki de l'au moins un dispositif de communication sans fil (101i), et dans lequel la seconde structure de données comprend une identité idi de l'au moins un dispositif de communication sans fil (101i) ; et

un processeur (106-2) configuré pour dériver la clé ki de l'au moins un dispositif de communication sans fil (101i) sur la base de la seconde structure de données et authentifier l'au moins un dispositif de communication sans fil (101i) sur la base de la clé ki et de la première structure de données (102a) de l'au moins un dispositif de communication sans fil (101i),

caractérisé en ce que

le processeur (106-2) est configuré en outre pour dériver la clé ki de l'au moins un dispositif de communication sans fil (101i) sur la base de l'équation suivante :

dans lequel (R, s) est une clé privée du dispositif de communication sans fil (101i), (R' ,s') est une clé privée de la station de base (106), t est le jeton,

R=rP,(x,(P,Y = xP)) est une paire de clés, s = r + xH(R, idi), et H' et H sont des fonctions de hachage cryptographiques.


 




Drawing














Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Non-patent literature cited in the description