An ultra-lightweight ID-based pairwise key establishment scheme aiming at full collusion resistance

Oscar García-Morchón¹, Ronald Rietman¹, Ludo Tolhuizen¹, Domingo Gómez-Pérez², Jaime Gutiérrez², and Santos Merino del Pozo²

¹ Philips Group Innovation, Research, Eindhoven, The Netherlands
² Univ. of Cantabria, Santander, Spain

Abstract. This paper introduces a new key establishment scheme aiming at fully collusion-resistant identity-based symmetric-key agreement. In an identity-based pairwise key agreement scheme, a Trusted Third Party (TTP) manages the system and securely provides any node, e.g., Alice or Bob, with private keying materials. Alice can generate a pairwise key with Bob given her own secret keying material and Bob’s identity. The full collusion resistance property would ensure that the scheme remains secure even if arbitrarily many devices collude or are compromised.

Our scheme, the HIMMO algorithm, relies on two design concepts: Hiding Information and Mixing Modular Operations. Hiding information is related to the Noisy Interpolation Problem; the Mixing Modular Operations problem seems to be a new hard problem. We describe our scheme, the security of its underlying design principles and give order of magnitude estimations for secure configuration parameters. For these parameters, we show that our prototypic implementation of HIMMO on the 8-bit CPU ATmega128L can generate 128-bit keys in less than 7 ms based on an algorithm fitting in 428 B and with secret keying materials of size 656 B.

Keywords: ID-based symmetric-key generation, collusion resistance, mixing modular operations, noisy interpolation problem.

1 Introduction

This paper deals with the classical problem of key establishment. We focus on an identity-based (ID-based) scheme for symmetric-key agreement between pairs of devices in a network.
That is, each node in the network has an identifier, and a Trusted Third Party (TTP) provides it with secret keying material - linked to the device identifier - in a secure way. A node that wishes to communicate with another node uses its own secret keying material and the identity of the other node to generate a common pairwise key.

The key distribution problem - as discussed in this paper - was first described by Matsumoto and Imai [1]. They propose that a TTP chooses a secret function $f(X, Y)$ that is symmetric, that is, $f(X, Y) = f(Y, X)$. Each node with identifier $\eta$ receives a secret keying material - a function - $\mathrm{KM}_\eta(X) = f(X, \eta)$ such that $\mathrm{KM}_\eta(\eta') = f(\eta, \eta')$ for any other $\eta'$. In [2], Blundo et al. choose the secret function $f(X, Y)$ to be a symmetric bivariate polynomial over a finite field of degree $\alpha$ in each variable and show that their scheme offers information-theoretic security if an attacker knows the secret keying material of $c$ colluding nodes whenever $c \le \alpha$. If $c \ge \alpha + 1$, an attacker can recover $f(X, Y)$ by means of Lagrange interpolation. Zhang et al. [3] proposed a “noisy” version