Secure Key Establishment Mechanism for Smart Sensing System Based Robots Network.

The smart robot is playing an increasingly important role in the social economy, and multi-robot systems will be an important development in robotics. With smart sensing systems, the communications between sensors, actuators, and edge computing systems and robots are prone to be attacked due to the highly dynamic and distributed environment. Since smart robots are often distributed in open environments, as well as due to their limited hardware resources and security protection capabilities, the security requirements of their keys cannot be met with traditional key distribution algorithms. In this paper, we propose a new mechanism of key establishment based on high-order polynomials to ensure the safe key generation and key distribution. Experiments show that the key establishment mechanism proposed in this paper guarantees the security of keys; its storage cost and communication cost are smaller than state-of-the-art mechanisms; and it allows robot components to join and leave the network dynamically, which is more suitable for multi-robot systems.


Introduction
With the fierce competition in the global market and the gradual increase in labor costs, as well as the booming of big data, cloud computing, Internet of Things [1], and artificial intelligence, the robotic industry has become increasingly important. Due to the limitations of its own performance, a single robot cannot successfully complete many tasks, and it must rely on multiple robots to work together. Multi-robots are widely used in real life, such as explosion protection, disaster relief, industrial production, and distribution logistics. The emergence of multi-robot systems is also considered to be one of the top ten robotic technology challenges that will have a major impact on the social economy in the next 5-10 years [2].
With the increasing application of multi-robot systems, there have been many studies in this field, including the study of robot motion trajectories [3], the cooperation of multi-robots [4], and robot safety research. This article focuses on the information security of multi-robot systems. In smart sensing systems, the sensors and the robots need to communicate with each other when performing a task, so that they can complete the task more accurately, efficiently, and intelligently. For some special tasks, such as military operations, personal information collection, etc., robots must maintain the confidentiality of tasks and the security of information [5]. The China Software Testing Center CCID Robot Testing and Certification Center released a report analyzing the information security issues of mainstream public service robots in China. The report shows that service robots are close to the public 3. Comparing with other mechanisms, the mechanism proposed in this paper has high security, high dynamics, and low resource consumption, which is more suitable for multi-robot systems.

Related Work
The multi-robot system refers to acquiring its own state information and surrounding environmental information through a variety of different sensors; merging the acquired information; coordinating the behaviors of multiple robots in combination with the tasks assigned by the system; and cooperating with each other to finally complete the task. The research of multi-robot began in the 1980s, mainly focusing on multi-robot architecture, collaborative communication, motion modeling, and path planning [16].
Key establishment refers to the process of generating an available, shared secret key between one or more entities [17]. Key establishment includes key generation and negotiation, key transmission, etc. Among them, key generation and negotiation refers to a process of establishing a shared secret key between entities, wherein any entity cannot predetermine the value of the key.
Classical cryptographic algorithms are widely used, and their security has been verified, but, with the advancement of technology, algorithms that rely on the limits of computing power to ensure security are increasingly at risk of being broken. For example, the RSA algorithm has high security due to the difficulty of factoring. With the advent of Shor's algorithm and the deepening of quantum computer research, the parallelism of quantum computing can be used to quickly factor large numbers into their prime factors. Therefore, the introduction of quantum computing is likely to be able to crack the widely used RSA public key encryption system. The emergence of quantum cryptography algorithms has broken the limitations brought by hash algorithms based on computing power [18]. Therefore, for different applications or systems, more secure and efficient algorithms should be proposed.
The AES algorithm is used in this paper to compute the keys, and it is a symmetric cryptographic algorithm. It has the advantages of strong security, high flexibility, high performance, and high efficiency. It is one of the block cipher algorithms [19]. The block cipher algorithm divides the input data into fixed-length packets. After the encryption is completed, the ciphertext output by each packet has the same length as the packet length of the input plaintext. $N_r$ indicates the number of rounds of encryption of a data packet (the number of encryption rounds is related to the length of the key). Each round of encryption requires an extended key whose length is consistent with the length of the input data packet. The encryption key externally input into the encryption algorithm has a limited length. Therefore, in the AES encryption process, the key expansion routine expands the external key into a longer bit string, from which the encryption key and decryption key of each round are generated.

Overall Design
This paper proposes a security key establishment mechanism based on the high-order polynomial. It discusses the key management among the multiple smart components (such as sensors and actuators) on a single robot in the multi-robots network, and it is based on a symmetric key distribution algorithm.
The key-center (or the cloud) sends the key in a time slot to the components by sending the coefficients of a polynomial. The components restore the coefficients to a polynomial and plug the private information themselves into the polynomial to obtain the key. The components are divided into multiple communication groups (or clusters) in the typical bus topological structure, according to the attribution of the components. The keys in a cluster are generated and distributed by the key center periodically.
At the beginning of a period, all keys in this period are generated by the key center and distributed to the components before each time slot begins. The process is presented as follows, and it is shown in Figure 1.
1. At the beginning, the key center calculates the communication session keys ($K_{1,CID}, K_{2,CID}, \ldots, K_{N,CID}$) of a cluster in the N time slots, based on the cluster identification information CID, and saves them in the key center.
2. The key center generates private information for each communication component in the cluster. The private information is sent to each component through a secure private channel at initialization. It is privately stored by each component, and is used to calculate the keys in the next few time slots.
3. Before the beginning of the next time slot i, or when a component is detected to be attacked, the key center calculates the coefficients of a set of polynomials and generates a key update instruction, which is broadcast to components of a cluster.
4. The key center broadcasts the ID information of the components which are attacked to all components in the key update instruction.
5. After receiving the key update instruction, the component restores the polynomial and calculates the key according to the formula.
6. After the calculation, the component uses the message authentication code to identify whether the received information is true and complete.
7. The component updates the key based on the authentication result.

Key Factor Initialization
attacking the node itself, each component in the cluster needs to hold a common session key to encrypt and decrypt the communication information.
The communication session key between the intra-cluster communication components is distributed by the Key Distribution Center (KDC) located in the cloud, which greatly reduces computing resources for communication components with weak computing power. Each communication component holds a private and unique information identification value $N_{ID}$, and each cluster has a cluster identification CID. Before the start of communication for one cycle, the KDC generates a communication session key group $\{K_{1,CID}, K_{2,CID}, \ldots, K_{N,CID}\}$ for each normal communication component within the cluster CID. In the initial stage, the secret value $S_{N_{ID}}$ required to calculate the session key is delivered to each communication component through the private channel.
In the initial stage, the key center uses the AES (Advanced Encryption Standard) algorithm to generate the communication session key of the components in the cluster. The AES algorithm is a highly efficient and high-security symmetric encryption algorithm. The algorithm encrypts the data with low computational cost and high security. Since the data encrypted by the key center do not need to be decrypted, the key center can save the key to ensure the privacy of the information.
Before the key generation begins, the key center first generates a random number R through a reliable random source, which is stored as a root key by the key center and kept private. The key of the components within the cluster CID in time slot i is generated by the key center as shown in Equation (1).
where i is the time slot number and CID is the unique identification number of the cluster. The formula is used to generate the key of the component in the cluster, including the flag information of the cluster. The uniqueness of the flag information ensures the uniqueness of the key. Since only the private value R used to generate the keys is stored in the key center, the storage cost of the key information is reduced, and the security of the key is greatly enhanced.
Definition 1. The private information of the component $N_{ID}$ is $S_{N_{ID}}$, which is a ciphertext calculated with the AES algorithm by the key center according to the node ID of each component and the random number R generated by the key center. The generation of private information of the component $N_{ID}$ is shown in Equation (2).
In the key factor initialization phase, the private information $S_{N_{ID}}$ held by each component is written by the key center into the corresponding component through the protected channel according to its identification information $N_{ID}$ in a controlled environment. Each component saves and protects its privacy in N time slots. This private information is used by each component for key calculations in subsequent N time slots.

Key Update Instruction
To improve the security of the communication session key between components, and so that the normal components in the cluster can respond to an attack in time, the key center distributes the key update instruction to all the components in the cluster before the start of each time slot or when any component is detected to be attacked. The key update instruction sent by the key center to the components mainly carries the coefficient information of the key update polynomial $F_i(X)$, the list of attacked components, and the list of random numbers. The key update polynomial is composed of the cluster key $K_{i,CID}$, the interference polynomial $\delta(X)$, and the identification information of each component. The formula is shown in Equation (3).
where $S_{N_{ID}}$ is the private information held by each component, i is the time slot value, and $\{a_0, a_1, \ldots, a_{n-1}\}$ is the polynomial coefficient. When the number of normal components in the cluster m is greater than the number of components being attacked, then n = m + 2; otherwise, n = p + 3.
In the key updating, the key center introduces an interference polynomial $\delta(X)$ in order to prevent the attacked components from getting the communication session key of the next time slot and to exclude the interference of attacked components with the intra-cluster communication. The $\delta(X)$ is defined as Equation (4). The coefficients of $\delta(X)$ consist of the identification information of the attacked components and some random numbers. The interference polynomial $\delta(X)$ lists the identification information of the attacked components, so that the attacked components would not be able to obtain the key of the new time slot, even though they receive the key update instruction. When the number of attacked components p is less than the number of normal components m, the introduction of the random number list makes the highest index of the key update polynomial achieve the number m + 1. When the number of attacked components p is greater than the number of normal components m, the equation only introduces two random numbers $b_1$ and $b_2$, and the highest index of the key update polynomial is p + 2.
where $ID_1, ID_2, \ldots, ID_p$ are the IDs of the attacked components, p is the number of attacked components, and $b_1, b_2, \ldots, b_k$ are random numbers generated by the key center's random source. When p < m, Equation (3) shows that the key update polynomial is determined by the coefficients $\{a_0, a_1, \ldots, a_{n-1}\}$, and the index of the polynomial coefficient is n. The coefficient calculation of the key update polynomial is performed in the key center. When the number of normal components (m) in the cluster is greater than the number of attacked components (p), the IDs of all normal components in the cluster, the private information value corresponding to each component, and the anti-attack pairs $(T_1, S_{T_1})$ and $(T_2, S_{T_2})$, which are generated randomly, are brought into Equation (3) to get Equation (5). In the calculation of the polynomial coefficients, the addition of random number pairs makes it impossible for the attacker to obtain the private information of all components, and the key of the next time slot cannot be calculated due to the existence of the random numbers, thereby improving the security of the key.
When the number of normal components (m) in the cluster is less than the number of the attacked components (p), the key center will automatically generate x pairs of anti-attack numbers $(X_j, S_{X_j})$, so that m + x = p + 2. The key center can bring the IDs of all normal components and their corresponding private information values, together with the x pairs of anti-attack numbers randomly generated above, into Equation (3), obtaining the equation set shown in Equation (6).
Solving the equation set in a finite field, a set of coefficient vectors $[a_0, a_1, \ldots, a_{n-1}]$ can be obtained. The key center composes the coefficient vectors together with the identification information list of the attacked components and the random number list in the interference polynomial $\delta(X)$ to form a key update instruction, and then sends it to all communication components in the cluster by broadcast. It should be noted that the attacked components do not receive the key update instruction.

Handling of Key Update Instructions
The process of a component receiving the key update instruction is shown in Algorithm 1. After receiving the key update instruction sent by the key center, the component takes out the coefficient information $[a_0, a_1, \ldots, a_{n-1}]$, which is carried in the instruction, to construct the key distribution polynomial $F_i(X) = a_{n-1}X^{n-1} + a_{n-2}X^{n-2} + \cdots + a_1 X + a_0$. The ID list of the attacked components and the random number list which are published by the key center are used to construct the interference polynomial $\delta(X)$. According to the formula shown in Equation (7), we can calculate the key $C_{i,CID}$, which is the session key of cluster CID in the next time slot.
where i is the time slot number. Each component takes its own node identifier $N_{ID}$, and the private information $S_{N_{ID}}$ saved by the component itself, into Equation (7) to obtain the intra-cluster communication session key $C_{i,CID}$ in the next slot. Since the attacked components have already been published by the key center, even though their own identification information and private information value are brought into Equation (7), they also cannot calculate the key value in the next time slot, because the interference polynomial gives $\delta(N_{ID}) = 0$.

Message Authentication and Authentication
To verify that the key value calculated above was distributed by the key center and has not been tampered with, the key update instruction carries verification information when it is sent by the key center to the components: the message authentication code (MAC). After receiving the key update instruction, each component takes out its last byte as the MAC. After the key is calculated, the MAC is used to verify the authenticity and integrity of the key.
After the key center generates the key update instruction, the message authentication code is added at the end of the instruction. The process is as follows: 1. Assuming that the key update instruction to be sent is the plain text KM, the key center inputs the intra-cluster communication key of the next time slot ($C_{i,CID}$) and the plain text into the HMAC algorithm to obtain a message authentication code KC = H(KM).
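The key update instruction and its handling by a component, as an added sketch that is not code from the paper: Equations (3), (4) and (7) are not reproduced on this page, so the form F_i(N_ID) = K·δ(N_ID) + S_{N_ID}, with the key recovered by dividing out δ(N_ID), is an assumption, as are the prime modulus, the class and function names, and the sample IDs. HMAC-SHA256 stands in for the AES derivations, and the tag is kept at full length rather than the one byte the text describes.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime modulus; an assumption, the page only says "a finite field"

def prf(root, label):
    # Stand-in for the page's AES step under root key R (the stdlib has no AES).
    digest = hmac.new(root, label.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P

def interpolate(points):
    """Lagrange interpolation mod P; returns [a_0, ..., a_{n-1}]."""
    coeffs = [0] * len(points)
    for k, (xk, yk) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j == k:
                continue
            shifted = [0] + basis                        # X * basis
            scaled = [(-xj * c) % P for c in basis] + [0]  # -xj * basis
            basis = [(a + b) % P for a, b in zip(shifted, scaled)]
            denom = denom * (xk - xj) % P
        scale = yk * pow(denom, -1, P) % P
        for d, c in enumerate(basis):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs

def evaluate(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % P
    return acc

def delta(x, revoked, randoms):
    """Assumed interference polynomial: zero at every revoked ID and every b_k."""
    out = 1
    for root in list(revoked) + list(randoms):
        out = out * (x - root) % P
    return out

def mac_tag(key, coeffs, revoked, randoms):
    body = repr((coeffs, revoked, randoms)).encode()
    return hmac.new(key.to_bytes(16, "big"), body, hashlib.sha256).digest()

class KeyCenter:
    def __init__(self, cid, member_ids):
        self.root = secrets.token_bytes(16)  # root key R, never leaves the center
        self.cid, self.members, self.revoked = cid, set(member_ids), set()

    def secret_for(self, node_id):  # S_{N_ID}, installed over the private channel
        return prf(self.root, f"S|{node_id}")

    def slot_key(self, i):  # K_{i,CID}
        return prf(self.root, f"K|{i}|{self.cid}")

    def _fresh(self, count, taken):
        out = []
        while len(out) < count:
            v = secrets.randbelow(P)
            if v not in taken and v not in out:
                out.append(v)
        return out

    def key_update(self, i):
        normal = sorted(self.members - self.revoked)
        revoked = sorted(self.revoked)
        key = self.slot_key(i)
        randoms = self._fresh(2, self.members)                # b_1, b_2
        decoys = self._fresh(2, self.members | set(randoms))  # T_1, T_2
        points = [(n, (key * delta(n, revoked, randoms) + self.secret_for(n)) % P)
                  for n in normal]
        points += [(t, secrets.randbelow(P)) for t in decoys]  # anti-attack pairs
        coeffs = interpolate(points)                           # n = m + 2 values
        return coeffs, revoked, randoms, mac_tag(key, coeffs, revoked, randoms)

def derive_key(instruction, node_id, secret):
    coeffs, revoked, randoms, tag = instruction
    d = delta(node_id, revoked, randoms)
    if d == 0:
        return None  # listed as attacked: delta(N_ID) = 0, no inverse exists
    key = (evaluate(coeffs, node_id) - secret) * pow(d, -1, P) % P
    if not hmac.compare_digest(mac_tag(key, coeffs, revoked, randoms), tag):
        return None  # wrong secret or altered instruction
    return key

if __name__ == "__main__":
    center = KeyCenter("CID-1", [101, 102, 103, 104, 105])  # constructed IDs
    held = {n: center.secret_for(n) for n in center.members}
    center.revoked.add(104)
    update = center.key_update(7)
    for n in sorted(held):
        print(n, derive_key(update, n, held[n]) == center.slot_key(7))
```

With a one-byte tag, as in the text, a forged or corrupted instruction would still pass the check about once in 256 tries. Each S is reused in every slot here, so the mask K·δ(N_ID) is all that separates a component's secret from anyone who already holds that slot's key.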

Key Validity
In the key generation and distribution algorithm proposed in this paper, the key center only generates and distributes a group of keys in a period; the group contains the keys of the next N time slots. This group of keys is valid only in a period, and the key corresponding to each time slot is valid only in that time slot. The key is invalid outside the period or outside the corresponding time slot. The continuous update of the key can guarantee the security of the session to a greater extent because, the longer the key is used, the greater the chance of it being stolen, and the greater the risk of information leakage. Once a key is compromised, the longer is the key's validity period, the greater is the loss. The longer a key is used, the easier it is for an attacker to perform cryptanalysis on multiple ciphertexts encrypted with the same key, and the longer the attack time is left for the attacker.
The validity period setting of the key is related to the parameters of the system. This paper mainly analyzes the three parameters that affect the validity period of the key: (1) The number of communication components. The larger is the size of the communication components, the more resources are consumed by the key distribution, the higher are the security requirements of the key, and the validity period of the key should achieve a balanced value. (2) The system security level. The higher is the security level of the system, the shorter the key validity period should be set, so that the attacker does not have enough time to analyze the key. (3) The network communication capability in system. If a system has good network communication capability, the communication key validity period can be shortened to ensure the security of the key. If the network communication capability is not too strong in a system, the key validity period should be extended to alleviate the communication pressure of the system. Therefore, the key validity period can be set according to the configuration parameters of the system and the practical applications.

Performance Analysis
The key generation and distribution algorithm proposed in this paper has the characteristics of high security, small overhead, and strong scalability. Its performance can be analyzed from the aspects of security, effectiveness, and flexibility.

Security
(1) Key security in component. When an attacker attacks a communication component in the system, the key related information in the component is protected by the component privately and it is difficult for the attacker to obtain. Even if the attacker gets the useful key related information, the key center will broadcast the ID of the attacked components to all relevant components after detecting the abnormality of the component, and start a key update process to distribute the polynomial coefficients for the new key to all relevant components. The new key update instruction lists the component above as the attacked component, so that the attacked component cannot calculate the new key of the next time slot. Therefore, after the key update instruction is distributed, information sent by the attacked component to the communication bus will not be recognized by other components because it uses the wrong key, and the attacked component will not be able to decrypt the information in the cluster. The attacker is thus unable to steal useful information relying on the current information, or to interfere with the communication of other components in the cluster. Even if some communication components in the system are attacked, the communication among the other components in the cluster can still proceed normally.
(2) Forward and backward security. According to the key generation algorithm, the key center holds the master key R, and no communication component stores any information related to the master key. Therefore, even if an attacker attacks some communication components in the cluster, he can only get the key of the current time slot. The key of the next time slot cannot be calculated without the master key R, and the information encrypted by the new key cannot be decrypted by the attacker. Therefore, the key distribution algorithm proposed in this paper has forward security. Due to the security of the AES algorithm, even if the attacker has obtained the key of this time slot, the attacker cannot break through the AES encryption algorithm to get the keys before the current time slot. Before the new time slot starts, the component destroys the key of the previous time slot; thus, there are no previous keys stored in the component, and the attacker cannot get the keys before the current time slot, which means the key distribution algorithm proposed in this paper has backward security.
(3) Anti-collusion. If attackers successfully break some components in the system, they can conspire and cooperate with each other, and then calculate all the keys, which may eventually break the entire network. Therefore, a perfect key distribution mechanism should be able to resist the collusion between the newly joined node and the attacked node. In our key distribution algorithm, even if the attackers get the private information of some components and know the communication key of the current time slot, there is also no way to calculate the private information of the remaining components, and, after new key update instructions are distributed, they cannot participate in communication within the cluster. Even if the attacker knows the ID and private information of all components, they cannot break the polynomial because they cannot get the random number generated by the key center, and cannot calculate the key for the next time slot.
(4) Invulnerability. When a communication component in the system is attacked, the key center responds immediately, broadcasts the ID of the attacked component to all components in the cluster, and redistributes a new key update instruction to all normal components, to exclude the attacked component quickly. Attackers cannot affect the communication of other components by attacking one or more components; the key distribution algorithm proposed in this paper has high invulnerability.

Effectiveness
(1) Storage cost. The memory space of each communication component on the smart robot in the multi-robots network is limited. When designing the key distribution algorithm, we take this feature of the component fully into account in this paper: the component is only required to store the key related information $S_{N_{ID}}$, in addition to its own ID and the time slot number i, thus the memory usage of the component is very low.
(2) Quantity of information. After the key is generated, the key center sends the key related information $S_{N_{ID}}$ to each communication component through the private channel, which has less information and does not occupy the normal communication network bandwidth. Before each time slot starts, the key center would distribute key update instructions to each component. The instruction mainly contains m (m is the number of normal components in the cluster) dimension coefficient vectors $[a_0, a_1, \ldots, a_{m-1}]$, the ID list of p (p is the number of attacked components) attacked components, and a one-byte message authentication code.
(3) Energy consumption. The key generation is performed in the key center, and the calculated quantity is negligible compared with the massive storage and large calculation support in the cloud. For the communication component, the calculated quantity of a component to calculate a key is small, and the storage cost is small, so that the configuration requirements of the component are low. During the key distribution process, fewer bytes are transmitted in the key update instructions, which reduces the burden of communication.

Flexibility
The key distribution mechanism proposed in this paper is flexible enough to adapt to various application scenarios in a multi-robot network. It is mainly reflected in the following aspects.
(1) Transferability. In a multi-robot network, many smart robots need to move. In our key distribution algorithm, the key center in the cloud communicates with the components through the network. No matter where the smart robot moves, the key update can perform as normal, as long as the network is still connected to the cloud.
(2) Scalability. Because most work of the key distribution algorithm proposed in this paper is in the cloud, the scale of nodes that it can handle is very large. When the communication components need to be added in the system or deleted, the key center obtains the ID of the added/deleted components. When distributing the key update instruction, the key center recalculates the key update polynomial coefficient based on the current active nodes.

Experiments and Result Analysis
The key distribution algorithm based on high-order polynomial proposed in this paper has great advantages in terms of storage cost and communication cost compared with other algorithms. The cloud-based key center also provides powerful support for the processing of massive communication components. In the simulation experiment of our algorithm, the key center is built on the OpenStack-based cloud host cluster. The communication components involved in communication are composed of intelligent robot readers, PIN keyboards, cameras, and other components. The communication links between the components are one or more in full-duplex, half-duplex communication links such as UART, Ethernet, SPI, I2C, CAN, etc. Table 1 compares the security key establishment mechanism based on high-order polynomial with the existing schemes in terms of storage cost, communication cost, revocation capability, collusion resistance, and robustness. This section compares several key distribution algorithms, including the component exemption time-limited group key distribution scheme [22], the anti-collusion key distribution scheme with revocation ability [23], the limited self-healing key distribution scheme named LiSH [24], and its enhancement scheme Lish+ [20]. Although the solution proposed by Jiang [22] is better in terms of storage cost and communication cost, its revocation capability is limited, and the user cannot be revoked by the key center until the end of its life cycle. In addition, this scheme is also unable to resist collusion attacks. The scheme proposed by Du [23] and Biming [25] can only partially resist collusion attacks. In the following, we perform a detailed performance evaluation of the security key establishment mechanism based on high-order polynomial coefficients proposed in this paper from the perspective of storage and communication.

Storage Cost
In the security key establishment mechanism based on high-order polynomial proposed in this paper, a communication component can store some key related information in a key distribution period, including the component's ID and the key private information $S_{ID}$ received from the key center. During the entire key distribution period, the component only needs to store these two values to calculate the key of next time slot. After the key update instruction is distributed, the communication component fetches the data in the instruction, calculates the key of the next time slot, and keeps it in the component. Then, it deletes the key of the previous time slot. Therefore, during the entire key distribution process, the communication component only needs to store the component identification ID (4 bytes) and the component private information $S_{ID}$ (128 bits, 16 bytes).
For the key distribution scheme proposed in [23], as well as the LISH and Lish+ algorithms, the node storage cost is related to the lifetime of the node, and this correlation is shown in Figure 2. Figure 2 shows the comparison of the security key establishment mechanism based on high-order polynomial and the communication cost of the above key distribution schemes. In Figure 2, the security key establishment mechanism based on high-order polynomial requires the smallest storage space, and it does not increase with the node's lifetime. Therefore, the key establishment mechanism based on high-order polynomial is superior to the other schemes on storage cost.

Communication Cost
Using the security key establishment mechanism based on polynomial coefficients proposed in this paper, in a time slot (i.e., a key update period), the information about the key update that needs to be transmitted in the communication channel includes: the key update polynomial coefficients, the list of attacked components, and the list of random numbers. The number of the key update polynomial coefficients is related to the number of normal components m in the cluster. In general, the number of key update polynomial coefficients is m + 2. The list of attacked components lists all the IDs of attacked components, and the communication cost about it is related to the number of attacked components p. The random number list contains some random numbers used to construct the key update polynomial; the number of random numbers x is related to the number of normal components m and the number of attacked components p in the cluster.
Therefore, when the number of normal communication components is greater than or equal to the number of attacked components in the cluster, that is, m >= p, the communication cost is C = m + 2 + p + x = 2(m + 2). When the number of normal communication components is less than the number of attacked components in the cluster, that is, m < p, the communication cost is C = 2(p + 2). In general, there are several to a dozen components that need to communicate with each other, thus there are not many components communicating with each other within one cluster. Figure 3 shows the relationship between communication cost and the number of components being attacked when the total number of components in the cluster is 10, 15, and 20. Figure 3 shows that the communication cost is the lowest when the number of normal components and the number of attacked components in the cluster are equal. When there are more normal components in the cluster than attacked components, the communication cost is negatively correlated with the number of attacked components. When there are fewer components not being attacked than components being attacked, the communication cost is positively correlated with the number of components being attacked.

Conclusions
This paper focuses on the generation and distribution of communication keys between components in robots. A security key establishment mechanism based on high-order polynomial is proposed, and key generation is performed in a cloud-based key center. Prior to the key update, a key update instruction, which includes the coefficients of a group of polynomials and the attacked components list, is broadcast to the components in a cluster. The coefficients ensure that the components which are in the secure state can correctly calculate the key, while the components which are being attacked cannot obtain the key. The key establishment mechanism proposed in this paper guarantees the security of the key. At the same time, the communication components only need to do simple calculation to get the key and the storage cost is small, which is more suitable for the situation where the resources are limited in some of the robots. Compared with the Lish and Lish+ algorithms, our mechanism allows robot components to dynamically join and leave the network, which is more suitable for multi-robot systems.
Author Contributions: Conceptualization, investigation, validation, writing-original draft preparation, and software, Q.X.; formal analysis, funding acquisition, supervision, project administration, and writing-review and editing, Y.Q. and Q.X.; formal analysis, funding acquisition, supervision, R.Y.; and methodology, supervision, and resources, C.X. and K.L. All authors have read and agreed to the published version of the manuscript.