Chapter 3 System Architecture
3.1 Concept
3.1.1 Construction
Initially, our network system is constructed from a special form of BIBD, a $(q^2, q(q+1), q+1, q, 1)$-BIBD, which we call a $(q, 1)$-BIBD. From Section 2.6.3, we know that for any prime power q there exists an affine plane of order q, and an affine plane of order q yields a $(q, 1)$-BIBD. Because $q^2 \equiv 0 \pmod q$, it is also a resolvable BIBD. Let w be an integer such that $w \ge 2$. Suppose q is a prime power and $q + 1 > \binom{w}{2}$. Then, based on Corollary 2.6.12, there exists a PHF$(q+1; q^2, q, w)$, which we call a $(q, w)$-PHF. When we want to construct the system, we therefore first decide the security parameter w that we want to achieve and the system secret S. After both variables are determined, we then find the minimal prime power q such that $q + 1 > \binom{w}{2}$. Finally, we use this prime power q to create a $(q, w)$-PHF. The following two figures show the construction algorithm of this PHF.
The program of the construction is appended in Appendix B. Figure 3.1.1 provides the procedure for finding the minimal prime power q that satisfies the requirement $q + 1 > \binom{w}{2}$. That is, $q = \min\{\, x \mid x \text{ is a prime power and } x + 1 > \tbinom{w}{2} \,\}$. Figure 3.1.2 then illustrates how the appropriate $(q, w)$-PHF is generated [20].
// Finding the minimal prime power q
// Input: the security parameter w
// Output: prime power q
Finding_q( w )
Figure 3.1.1 Finding the minimal prime power q

// Construction algorithm of PHF
// Input: the prime power q
// Output: A (q, w) - PHF
Construct_PHF( q )
1 Use the prime power q to construct a finite field
2 Derive an affine plane of order q from the
Figure 3.1.2 Construction Algorithm of PHF
The meaning of every parameter in the PHF$(q+1; q^2, q, w)$ is explained as follows. $q^2$ is the number of nodes owning the secret shares in our system; we call these nodes the server nodes. $(q+1)$ is the number of secret shares each server node holds. It also implies that this PHF has $(q+1)$ hash functions, so we have to create $(q+1)$ polynomial functions of degree $(w-1)$ for secret sharing. Each polynomial function has the same secret S. Also, any w server nodes can combine a set of secret shares to reconstruct the system secret S and use S as the secret key to sign a certificate collaboratively. In other words, w is the minimum number of server nodes required to retrieve the original S. Finally, q is the number of disjoint sets in each partition when we partition the $q^2$ server nodes; that is, each partition has q disjoint sets. It also equals the number of secret shares that each polynomial function has to generate.
When we divide the system secret S into several secret shares, we have to send these secret shares to the server nodes. The coefficient of the corresponding hash function determines which server node gets which secret share.
Take the PHF(4; 9, 3, 3) mentioned above as an example. From this PHF, we know that the system has nine server nodes, which we denote Ser1 to Ser9. We then generate four polynomial functions of degree 2, each of which generates three secret shares. Each server node thus holds four secret shares, one from each polynomial function. Any three randomly chosen server nodes can use a set of secret shares to reconstruct the system secret. We distribute the secret shares to the nine server nodes according to the four hash functions, as summarized in Table 3.1.1.
x      1  2  3  4  5  6  7  8  9
f1(x)  1  1  1  2  2  2  3  3  3
f2(x)  1  2  3  1  2  3  1  2  3
f3(x)  1  2  3  3  1  2  2  3  1
f4(x)  1  2  3  2  3  1  3  1  2
Table 3.1.1 A PHF(4; 9, 3, 3)
Suppose we denote the four polynomial functions as P1, P2, P3 and P4. Furthermore, we mark the secret shares generated from P1 as S11, S12, S13, those from P2 as S21, S22, S23, and so on and so forth.
Assume that the secret shares generated from P1 are distributed according to hash function f1(x), and those generated from P2, P3 and P4 according to f2(x), f3(x) and f4(x) respectively. Table 3.1.1 shows that under f1(x), Ser1, Ser2 and Ser3 map to the same coefficient, namely 1. For this reason, these three server nodes get the same secret share S11 from P1. Similarly, Ser4, Ser5 and Ser6 map to the same coefficient of f1(x), which is 2, so they get the same secret share S12 from P1. Lastly, the secret share S13 from P1 is sent to Ser7, Ser8 and Ser9 because these server nodes have the same coefficient, 3. Likewise, the secret shares generated from P2 are distributed based on f2(x). Thus, S21 is sent to Ser1, Ser4 and Ser7; S22 is sent to Ser2, Ser5 and Ser8; and S23 is sent to Ser3, Ser6 and Ser9. The secret shares from the last two polynomial functions are distributed to the nine server nodes in the same way, based on f3(x) and f4(x). With this, the distribution of all secret shares is complete.
In the following section, we describe how w server nodes can recover the system secret.
Since the degree of the polynomial function is w-1, we can retrieve its constant term, that is, the system secret, by obtaining w different secret shares of that polynomial function. Each server node has q+1 secret shares, so the question is how to determine which secret share to use for recovering the secret. The answer follows from the definition of a PHF: when we randomly select a subset of order w, there must exist at least one hash function under which this subset is injective. We therefore take the secret shares that correspond to this specific hash function to reconstruct the system secret. Since this hash function is injective on the subset of order w, the w server nodes map to w distinct coefficients. In other words, all w server nodes hold different secret shares of the polynomial function associated with this hash function. Therefore, we derive the system secret from these secret shares using the Lagrange interpolation method. We again take the above example to illustrate this. If we randomly select three server nodes, for example Ser1, Ser5 and Ser8, then we can find at least one hash function that maps them one-to-one, that is, under which they have different coefficients. Table 3.1.1 shows that f1(x) satisfies this requirement. As a result, these three server nodes can use the secret shares they got from polynomial function P1 to recover the system secret. More precisely, they use S11, S12 and S13 respectively to complete the reconstruction.
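As an added illustration of the construction, distribution and recovery described above (this is example code written for this chapter, not the thesis's own program from Appendix B), the following Python script finds q for w = 3, builds the (q, w)-PHF from the parallel classes of the affine plane AG(2, q), hands out Shamir shares to the q^2 server nodes exactly as Table 3.1.1 prescribes, and recovers S from Ser1, Ser5 and Ser8 through the injective hash function. Two simplifications are assumed: q is restricted to primes (so GF(q) is arithmetic mod q and a minimal q that is a proper prime power is skipped), and the secret-sharing polynomials live in a separate large prime field, here the assumed choice 2^127 - 1.

```python
from itertools import combinations
from math import comb
import random
P_MOD = 2**127 - 1   # prime field for the Shamir polynomials (assumed choice; must exceed S and q)

def finding_q(w):
    """Minimal prime q with q + 1 > C(w, 2). Simplification: primes only, so a minimal
    q that is a proper prime power (e.g. 16 for w = 6) is skipped; finding_q(3) == 3."""
    q = 2
    while not (all(q % d for d in range(2, int(q ** 0.5) + 1)) and q + 1 > comb(w, 2)):
        q += 1
    return q

def construct_phf(q):
    """q+1 hash functions over the q^2 points (x, y) = (i % q, i // q) of AG(2, q), one per
    parallel class: lines y = c and, for each m, lines x + m*y = c. Values are 0..q-1."""
    pts = [(i % q, i // q) for i in range(q * q)]
    return [[y for x, y in pts]] + [[(x + m * y) % q for x, y in pts] for m in range(q)]

def is_phf(family, n, w):
    """PHF property: every w-subset of the n nodes is injective under some hash function."""
    return all(any(len({h[i] for i in sub}) == w for h in family)
               for sub in combinations(range(n), w))

def share_secret(S, family, w, rng=None):
    """One degree-(w-1) polynomial P_k with constant term S per hash function h_k; node i
    receives the point (h_k[i]+1, P_k(h_k[i]+1)), so equal hash value means the same share."""
    rng = rng or random.SystemRandom()
    polys = [[S] + [rng.randrange(P_MOD) for _ in range(w - 1)] for _ in family]
    ev = lambda cs, x: sum(c * pow(x, e, P_MOD) for e, c in enumerate(cs)) % P_MOD
    return [[(h[i] + 1, ev(polys[k], h[i] + 1)) for k, h in enumerate(family)]
            for i in range(len(family[0]))]

def recover(nodes, shares, family, w):
    """Pick a hash function injective on the w nodes (a PHF guarantees one), then
    Lagrange-interpolate P_k(0) = S from their shares of P_k. Returns (S, k)."""
    k = next(k for k, h in enumerate(family) if len({h[i] for i in nodes}) == w)
    pts = [shares[i][k] for i in nodes]
    S = 0
    for j, (xj, yj) in enumerate(pts):
        num = den = 1
        for m, (xm, _) in enumerate(pts):
            if m != j:
                num, den = num * (-xm) % P_MOD, den * (xj - xm) % P_MOD
        S = (S + yj * num * pow(den, -1, P_MOD)) % P_MOD
    return S, k

if __name__ == "__main__":
    fam = construct_phf(finding_q(3))          # q = 3: the PHF(4; 9, 3, 3) of Table 3.1.1
    shares = share_secret(123456789, fam, 3)
    print(is_phf(fam, 9, 3), recover([0, 4, 7], shares, fam, 3))   # Ser1, Ser5, Ser8
```

Node indices are 0-based (Ser1 is node 0) and hash values 0-based, so the four rows returned for q = 3 are Table 3.1.1 with 1 subtracted from every entry.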
In our system, we do not have to ensure that connections exist among all $q^2$ server nodes. Specifically, we do not have to guarantee full connectivity among the server nodes; full connectivity is, in fact, not a reasonable requirement in a MANET environment. Instead, we only have to guarantee that each server node has connections with at least (w-1) other server nodes. In this way, we can be certain that there are enough server nodes to participate in recovering the system secret. So, referring back to the above example, we only have to maintain the requirement that each server node has links with at least two other server nodes.
In sum, our system can handle the dynamic characteristics of a MANET well.