EIBAS : An efficient identity-based broadcast authentication scheme in wireless sensor networks

EIBAS : An efficient identity-based broadcast authentication scheme in wireless sensor networks

Ad Hoc Networks 11 (2013) 182–189 Contents lists available at SciVerse ScienceDirect Ad Hoc Networks journal homepage: www.elsevier.com/locate/adhoc...
Download PDF
368KB Sizes 0 Downloads 78 Views
Report

Ad Hoc Networks 11 (2013) 182–189

Contents lists available at SciVerse ScienceDirect

Ad Hoc Networks journal homepage: www.elsevier.com/locate/adhoc

EIBAS: An efficient identity-based broadcast authentication scheme in wireless sensor networks Kyung-Ah Shim, Young-Ran Lee ⇑, Cheol-Min Park Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, KT Daeduk 2 Research Center, 463-1, Yuseong-gu, Daejeon, Republic of Korea

a r t i c l e

i n f o

Article history: Received 26 May 2011 Received in revised form 13 March 2012 Accepted 29 April 2012 Available online 23 May 2012 Keywords: Identity-based system Digital signature with message recovery Broadcast authentication Message integrity Bilinear pairing

a b s t r a c t In this paper, we propose an efficient identity-based broadcast authentication scheme, EIBAS, to achieve security requirements in wireless sensor networks. To minimize communication and computational costs, we use a pairing-optimal identity-based signature scheme with message recovery, where the original message of the signature is not required to be transmitted together with the signature, as it can be recovered according to the verification/message recovery process. The EIBAS scheme achieves a minimization of communication overhead, allowing the total energy consumption to be reduced by up to 48.5% compared to previous identity-based broadcast authentication schemes. Ó 2012 Elsevier B.V. All rights reserved.

1. Introduction Wireless sensor networks (WSNs) are rapidly emerging as an important new area in mobile computing research. These networks are typically characterized by a limited power supply, low bandwidth, small memory sizes, and limited energy use. WSNs consist of a large number of resource-constrained sensor nodes and a variable number of control nodes, called base stations. Sensor nodes have limited computational and wireless capabilities: a typical sensor node uses a microcontroller of 8 MHz with 4 KB of RAM and 128 KB of ROM, and incorporates a RF transceiver compliant with IEEE 802.15.4/ZigBee. On the other hand, the base station is a powerful trusted device that acts as an interface between the network user and the nodes. In particular, the base station relies on broadcast authentication to issue legitimate commands or queries to dispersed sensor nodes. Due to the open nature of the wireless channel, an adversary with a simple radio receiver/transmitter can ⇑ Corresponding author. E-mail addresses: [email protected] (K.-A. Shim), [email protected] (Y.-R. Lee), [email protected] (C.-M. Park). 1570-8705/$ - see front matter Ó 2012 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.adhoc.2012.04.015

easily eavesdrop on conversations, inject/modify packets and mount denial-of-service (DoS) attacks. To broadcast messages to multiple nodes in an authenticated manner, the broadcast authentication (BA) scheme is indispensable. 1.1. Related works Most existing BA schemes are based on symmetric key cryptography. The lTESLA scheme [23] is well known for its ability to provide source authentication and message integrity by utilizing a one-way hash chain and loose time synchronization between a sender and receivers. However, it has limited scalability due to its unicast-based parameter distribution to add new receivers. Subsequently, the multilevel lTESLA [24] was proposed to enhance the scalability of the lTESLA scheme. Kwon and Hong [20] proposed the XTESLA scheme, which significantly reduces unnecessary computation and buffer occupation. These TESLA-like schemes [23,24,9,25,20,6,8] are associated with large buffers due to the delayed authentication of the messages, which can easily lead to severe energy-depleting DoS attacks. The schemes based on symmetric key techniques are attractive in terms of their energy efficiency, but a secret

K.-A. Shim et al. / Ad Hoc Networks 11 (2013) 182–189

key distribution problem between senders and receivers is the most serious obstacle. On the other hand, BA schemes based on public key cryptography (PKC) [13,26,40,12] can eliminate this key distribution problem. One of the most suitable PKC primitives for a WSN, the Elliptic Curve Cryptography (ECC), is widely thought of as the best balance in terms of speed, memory requirements and security level. The major benefit of ECC is the size of its key (160 bits against 1024 bits in RSA with an 80-bit security level [28]) and its speed. Considering both software and hardware configurations, ECC has shown improved performance results for 8-bit mote platforms. Recent works [39,13] have shown that many well-known PKC schemes are acceptable for sensor nodes: it was reported that on an Atmel ATmega 128 at 8 MHz, a 160-bit ECC point multiplication took only 0.81 s (second). However, the use of certificates in the Public Key Infrastructure (PKI) consumes substantial bandwidth and power due to the transmission and verification of public key certificates. Therefore, PKI is considered to be unsuitable for WSN, although it can provide greatly simplified and stronger security solutions. Many researches have also demonstrated the efficiency of pairing-based cryptography (PBC) which plays an important role in realizing identity (ID)-based cryptosystems to alleviate the certificate overhead and solve the problems of PKI technology. TinyTate [30] took around 31 s to compute the Tate pairing with an RSA 512-bit security level using TinyECC [21] on the ATmega 128L. With NanoECC [37], the gT pairing and Tate pairing with an RSA 1024-bit security level can be computed in 10.96 s and 17.93 s on the ATmega 128L, and in 5.25 s and 11.82 s on the MSP430. Ishiguro et al. [16] implemented the gT pairing over ternary fields in 5.79 s. By translating a critical part of the code into assembly language and then carefully manipulating registers, Szczechowiak et al. [36] computed the gT pairing in only 2.66 s, 1.71 s and 0.46 s on the ATmega 128L, the MSP430 and PXA27x, respectively. Oliveira et al. [31] showed how short signatures from pairings by Boneh et al. [5] can be used to authenticate sensors in a WSN and Galindo et al. [11] used TinyPBC to make explicit the benefits of using PBC to solve the key distribution problem in underwater WSNs. More recently, with TinyPBC [29], the gT pairing could be computed in 1.9 s, 1.27 s and 0.46 s on the ATmega 128L, the MSP430 and PXA27x platforms, respectively. The above results show that, the time needed to compute a pairing computation in sensor nodes has increased by 5 times over the past 3 years. Currently, a pairing can be computed in about 0.5 ms on an AMD Phenom II X4 940, 3.0 GHz [1]. Furthermore, next-generation sensor nodes such as the Heliomote node [12,17] are expected to facilitate a continuous energy supply to nodes by deriving their power from solar sources. Therefore, we can expect wider acceptance of PBC for WSNs in the near future. Recently, Ren et al. [34] proposed an ID-based BA scheme based on Hess’s ID-based signature (IBS) scheme [14]. Although the broadcast message size can be reduced owing to the elimination of public key certificates for users, this scheme has very high computational overhead, as two pairing computations and a MapToPoint operation are required for each sensor node, where the MapToPoint function is used to map identity information onto a point on an elliptic curve. On the other hand, Ren et al. [33] presented an Bloom

183

filter-based BA scheme that adopted a variant ECDSA with the partial message recovery. Their scheme is the first one using a signature scheme with message recovery to achieve the reduction of communication costs. More recently, Cao et al. [7] proposed a more efficient ID-based multi-user BA scheme, IMBAS, based on a pairing-free IBS scheme. The signature scheme requires neither a pairing computation nor the MapToPoint function for verification, while its resulting signature consists of two elements of the underlying group and a 160-bit hash value at an 80-bit security level. Compared to Ren et al.’s scheme, its verification efficiency is improved, but its signature length is about 30% longer. 1.2. Our contributions A key challenge in this paper is to reduce the total length of the broadcast message, so as to minimize the total energy consumption. Considering the energy cost, communication overhead is heavier than computation overhead: rapid advances in computing have resulted in dramatic improvements in large number arithmetic computation, while communication latency has not improved appreciably. In this paper, we propose a more efficient ID-based BA scheme in WSNs. To improve the communication and signature verification costs, we use a pairing-optimal IBS scheme with message recovery, that does not use a MapToPoint function. The MapToPoint function is inefficient and probabilistic, and while there has been much discussion regarding the construction of such a hash algorithm, there has been no deterministic polynomial time algorithm proposed for it thus far. In fact, there exists a pairing-optimal IBS scheme that does not rely on a MapToPoint function: that proposed by Barreto et al. [4], which is a submission for IEEE P1363.3: Identity-Based Public Key Cryptography. Its resulting signature consists of a single element of the underlying group and a 160-bit hash value at an 80-bit security level. It is the shortest among IBS schemes. Our idea is to reduce the size of the message transmitted if we cannot reduce the signature length any more. To do this, we use the IBS scheme with message recovery proposed by Tso et al. [38] based on Barreto et al.’s IBS scheme [4], where the original message of the signature is not required to be transmitted together with the signature because it can be recovered according to the verification/message recovery process. Consequently, the minimum communication overhead is guaranteed in our scheme: the total length of the broadcast message can be reduced by 23% and 49% compared to the previous ID-based BA schemes [34,7], respectively. Thus, the total energy consumption of our scheme can be reduced by up to 48.5% compared to the scheme in [7]. 1.3. Organization The rest of this paper is organized as follows. In Section 2, we describe the building blocks for constructing a new ID-based BA schemes. Section 3 presents an efficient ID-based BA scheme, EIBAS, in WSNs. Security analysis and quantitative performance analysis of our scheme are given in Section 4. Concluding remarks are given in Section 5.

184

K.-A. Shim et al. / Ad Hoc Networks 11 (2013) 182–189

2. Building blocks In this section, we describe building blocks used to construct an efficient ID-based BA scheme intended for use WSNs. 2.1. Elliptic curves and bilinear pairings Let E=Fp be an elliptic curve y2 = x3 + ax + b over a finite field Fp such that 4a3 + 27b2 – 0 for some prime p. Let EðFp Þ be the group of points formed by the points of this curve and an extra point O called the point at infinity:

EðFp Þ ¼ fðx; yÞjx; y 2 Fp ;

ðx; yÞ 2 Eg [ fOg

We denote by + an addition of an elliptic curve group: P þ Q 2 EðFp Þ for P; Q 2 EðFp Þ. Computing kP = P + P +    + P is called point multiplication for an integer k. The number of points of an elliptic curve EðFp Þ, denoted #EðFp Þ, is called the order of the curve over the field Fp . Let q be a prime number with q2 -#EðFp Þ. We denote by G1 a q-order subgroup of EðFp Þ and by G2 a q-order subgroup of the multiplicative group of a finite field Fpk for some number k. A pairing involves the mapping of e : G1  G1 ! G2 with the following properties:  Bilinear: For 8P; Q 2 G1 and 8a; b 2 Z ; eðaP; bQ Þ ¼ eðP; bQ Þa ¼ eðaP; Q Þb ¼ eðP; Q Þab .  Non-degenerate: If P is a generator of G1 , then e(P, P) is also a generator of G2 .  Computable: There is an efficient algorithm to compute e(P, Q) for all P; Q 2 G1 . This pairing also has a symmetric property, and e(P, Q) = e(Q, P) can be realized by the Tate pairing [2] or by the gT pairing [3]. There are pairings with a different type or setting, such as the Ate pairing [15]. We refer [10] for details. 2.2. ID-based signature scheme with message recovery In the traditional Public Key Infrastructure (PKI), when Bob wishes to send a message to Alice, he must first obtain her authenticated public key from public directories. The PKI enables users of a basically unsecure public network such as the Internet to exchange data and money securely through the use of a public/private cryptographic key pair that is obtained from a trusted authority. The ID-based infrastructure makes deployment practical: it allows a user’s public key to be easily derivable from her known identity information such as an email address [35]. The ID-based infrastructure involves users and a Private Key Generator (PKG) having a master public/secret key pair, with the PKG responsible for generating private keys for users. This eliminates the need for certificates as used in the PKI. Such cryptosystems alleviate the certificate overhead and solve the problems of PKI technology: certificate management including the storage, distribution and the computational cost of certificate verification. Barreto et al. [4] proposed a pairing-optimal IBS scheme based on the kCAA problem using a general hash function such as SHA-1 instead of the MapToPoint function, which is a submission

for IEEE P1363.3: Identity-Based Public Key Cryptography. IEEE P1363.3 is a new standard for Identity-Based Cryptography that was approved as a project of IEEE 1363 in 2006. IEEE P1363.3 covers ID-based cryptographic schemes based on the bilinear mappings over elliptic curves known as pairings. The resulting signature of Barreto et al.’s scheme consists of one element of the underlying group and a 160-bit hash value at an 80-bit security level. It requires only one pairing computation, a scalar multiplication and an exponentiation for verification. Their scheme runs as follows. 2.2.1. Barreto et al.’s ID-based signature scheme Setup. Given a security parameter k 2 Z, this algorithm works as follows; 1. Generate a prime q, two groups G1 and G2 of order q and a bilinear pairing e : G1  G1 ! G2 . Choose a generator P in G1 . 2. Pick a random s 2 Zq , set PPub = sP and compute g = e(P, P). 3. Choose two cryptographic hash functions H : f0; 1g ! Zq and H1 : f0; 1g ! Zq . The system parameters are Params ¼ fq; G1 ; G2 ; e; P; P Pub ; g; H; H1 g. Extract. For a given identity ID 2 {0, 1}⁄, compute qID ¼ HðIDÞ 2 Zq and set SID ¼ sþq1 P as a private key of ID ID, where s is a master secret. Sign. Given a private key SID and a message m 2 {0, 1}⁄, choose a random x 2 Zq , compute r = gx, h ¼ H1 ðm; rÞ 2 Zq and V = (r + h)  SID. Output a signature r = (h, V) on m for ID. Verify. Given a signature r = (h, V) of mfor an identity ID, compute qID ¼ HðIDÞ 2 Zq and verify whether h = H1(m, e(V, PPub + qIDP)  gh) holds or not. If it holds, accept the signature. A digital signature scheme with message recovery is a signature scheme in which the original message of the signature is not required to be transmitted together with the signature, as it can be recovered according to the verification/message recovery process. This is different from an authenticated encryption scheme or a signcryption scheme, as in this scheme, the embedded message can be recovered by anyone without secret information. The purpose of this type of signature is to minimize the total length of the original message and the appended signature making it useful in applications where bandwidth in a major concern. We describe Tso et al.’s IBS scheme [38] based on Barreto et al.’s scheme, which can deal with only messages of some fixed length i.e., m 2 f0; 1gl1 for some fixed integer l1. 2.2.2. Tso et al.’s ID-based signature scheme with message recovery Setup. For a security parameter k 2 Z, output a random number s 2 Zq as a master secret key, and set PPub = sP as a master public key. The public system parameters are

Params ¼ fG1 ; G2 ; e; q; P; PPub ; l; H; H1 ; F 1 ; F 2 ; l1 ; l2 g;

K.-A. Shim et al. / Ad Hoc Networks 11 (2013) 182–189

where G1 and G2 denote two cyclic groups of the prime order q, jqj = l1 + l2, e : G1  G1 ! G2 is a bilinear pairing, l = e(P, P) and H : f0; 1g ! Zq ; H1 : G2 ! f0; 1gjqj ; F 1 : f0; 1gl1 ! f0; 1gl2 ; F 2 : f0; 1gl2 ! f0; 1gl1 are cryptographic hash functions. Extract. For a user’s identity ID 2 {0, 1}⁄, compute the user’s 1 private key as SID ¼ HðIDÞþs P. Sign. Given a private key SID and a message m 2 f0; 1gl1 , 1. Pick r 1 2R Zq and compute lr 1 and a ¼ H1 ðlr1 Þ 2 f0; 1gjqj 2. Compute b = F1(m)k(F2(F1(m))  m), r2 = [a  b]10 and U = (r1 + r2)SID, where [x]10, l2jbj and jbjl1 denote the decimal notation of x 2 {0, 1}⁄, the first l2 bits of b from the left side, and the first l1 bits of b from the right side, respectively. The notation akb denotes a concatenation of two strings a and b. Then r = (r2, U) is a signature on m for ID. Verify. Given a signature r = (r2, U) on a message m for an identity ID, ~ ¼ H1 ðeðU; P Pub þ HðIDÞPÞ  lr2 Þ and 1. Compute a ~ ¼ ½r2   a ~ , where [x]2 denotes the binary notab 2 tion of x 2 Z. ~  F 2 ðl jbjÞ. ~ ~ ¼ jbj 2. Recover the message m l1

2

3. Output 1 and accept r as a valid signature of the ~ ¼ F 1 ðmÞ. ~ if and only if jl2 bj ~ message m ¼ m In the Barreto et al.’s scheme, the transmitted data consist of a signature r = (h, V), an identity ID, and a message m. The corresponding length is 88 bytes, assuming the size of message and identity are 20 and 2 bytes, respectively. The total length of transmitted data in Tso et al.’s scheme is 68 bytes, because the original message m is not transmitted. 3. EIBAS: An efficient id-based broadcast authentication scheme in WSNs Here, we construct an efficient ID-based BA scheme, EIBAS, based on Tso et al.’s IBS scheme with message recovery. 3.1. System model and design goals The network consists of a fixed sink, network users and a large number of resource-limited sensor motes. There exists one sink in the WSN, which is assumed to be always trustworthy. The sink, which serves as a Private Key Generator (PKG), is responsible for generating the private keys for users. The sink also has sufficient storage capacity. The WSN aims to offer information services to many network users that roam the network. The network users may include vehicles, and people with mobile clients: they are assumed to be more powerful than sensor nodes in terms of their computation and communication abilities. The users can join in the WSN dynamically, and they may be revoked due to either membership changes or compromises. Each network user is equipped with a tamper-proof device which prevents an adversary from extracting any data stored in the device, including the private key, the data, and the code [18,19]. The users also

185

store their own private keys corresponding to the identity in the device, which are responsible for signing outgoing messages. The sink broadcasts administrative commands and publishes the user revocation list. For example, the network users include emergency medical technicians (EMTs) equipped with PDA, and the sensor devices may be vital sign sensors and location-tracking tags, in the case of CodeBlue [22]. The sensors deployed in the network have computational, memory, communication, and energy resources similar to current-generation sensor nodes (e.g., MICA2 motes). An adversary can execute a wide range of attacks including eavesdrop, modify, forge, or replay attacks. We aimed to design a scheme that satisfies the following security and performance requirements: (i) user authentication and message integrity: all messages broadcasted by the network users of the WSN should be authenticated so that bogus messages inserted by illegitimate users and/or compromised sensor nodes can efficiently be rejected/filtered. (ii) Minimization of communication overhead: we focus on minimizing the communication overhead, so as to ensure minimal energy consumption compared to previous ID-based BA schemes. 3.2. Our construction: EIBAS Our EIBAS scheme consists of four phases: System Initialization, Private Key Extraction, Signature Generation and Message Broadcast and Broadcast Authentication (Signature Verification). System Initialization. Prior to the deployment of the WSN, a sink generates the system parameters as follows: 1. Given a security parameter k 2 Zþ , generate a prime q, two groups G1 , G2 of order q, a generator P 2 G1 , and a bilinear pairing e : G1  G1 ! G2 . 2. Choose a random s2R Zq , and set PPub = sP as a master public key and s is a master secret. Compute e(P, P)1 and set l = e(P, P)1. 3. Choose four cryptographic hash functions H : f0; 1g ! Zq ; H1 : f0; 1g ! f0; 1gl1 þl2 ; F 1 : f0; 1gl1 ! f0; 1gl2 and F 2 : f0; 1gl2 ! f0; 1gl1 , where jqj = l1 + l2. In Section 4, we will set jqj = 252 bits, l1 = 160 bits and l2 = 92 bits for implementation. 4. The system parameters are Params ¼ fG1 ; G2 ; e; q; P; PPub ; l; H; H1 ; F 1 ; F 2 ; l1 ; l2 g. These public system parameters, Params, are preloaded in each sensor node consisting of the WSN. Private Key Extraction. If a user with an identity IDi 2 {0, 1}⁄ wants to join the WSN, it has to obtain its private key generated by the sink. When the user requests its private key, the sink computes the user’s private key as 1 SK i ¼ HðIDÞþs P corresponding to IDi. Note that IDi’s public key required during the verification process is PPub + H(IDi)P. The sink sends the private key SKi to the user via a secure channel and the user stores it in its tamper-proof device. Signature Generation and Message Broadcast. When a user wants to broadcast a message to the WSN, it signs a mes-

186

K.-A. Shim et al. / Ad Hoc Networks 11 (2013) 182–189

sage using the IBS scheme with message recovery of Tso et al. [38]. To sign a message M 2 f0; 1gl1 , the network user with a private key SKi corresponding to IDi completes the following steps: 1. Pick a current timestamp tti. 2. Choose r1 2R Zq , and compute lr1 and a ¼ H1 ðIDi ; tti ; lr1 Þ 2 f0; 1gl1 þl2 . 3. Compute b = F1(M)k(F2(F1(M))  M), r2 = [a  b]10 and U = (r1 + r2)SKi. Then ri = (r2, U) is a signature on M for IDi. The user then broadcasts hIDi, tti, ri in the WSN, where IDi and tti are taken to be two bytes. For the use of timestamp tti, we adopt the time synchronization technique as in the lTESLA-like scheme [32]. Broadcast Authentication (Signature Verification). Upon receiving , each sensor node verifies its authenticity. It first checks whether the timestamp tti is valid or not. Assuming that d is the predefined message propagation time limit, we should have tt  tt i 6 d. Then, for the sender’s identity IDi, the sensor node looks up the revocation list in its local storage to determine the corresponding entry. If it exists, the broadcast message is discarded, as it was generated by a network user with a revoked IDi. If tti is fresh and IDi is not in the revocation list, the sensor node proceeds with the following signature verification: ~ ¼ H1 ðIDi ; tt i ; eðU; HðIDi ÞP þ P Pub Þ  lr2 Þ 1. Compute a ~ ~. and b ¼ ½r 2 2  a e ¼ jbj ~  F 2 ðl jbjÞ ~ 2. Recover the message M and l1 2 accept r as a valid signature of the broadcast e e ~ ¼ F 1 ð MÞ. message Mð¼ MÞ if and only if l jbj 2

If this verification process fails, the sensor node discards the message. Otherwise, the authenticity of the received message is guaranteed. Signature verification in this phase requires only one pairing computation, a scalar multiplication in G1 , and an exponentiation in G2 . 3.3. Security analysis We present the security analysis of the EIBAS scheme.  Source authentication and message integrity. We employ Tso et al.’s IBS scheme with message recovery [38] to guarantee the authenticity of broadcast messages. Because the underlying signature scheme is existentially unforgeable under adaptive chosen-message attack and adaptive chosen-identity attacks in the random oracle model under the computational Diffie–Hellman assumption, source authentication and message integrity are guaranteed in our scheme. Therefore, it is impossible for an adversary to sign or modify a valid message broadcasted by a legitimate network user.  DoS attack. A DoS attack is an event that weakens or reduces the network’s capacity to carry out its expected function. Unlike TESLA-like schemes, our scheme does not require delayed authentication of the broadcast messages, so each sensor node need not buffer received packets. More specifically, when an adversary floods the whole network arbitrarily, the adversary can inject bogus broadcast packets to force sensor nodes to perform expensive signature verifications, and eventually

deplete the sensor’s battery. However, such attacks can be mitigated in our scheme by limiting the times of signature verification failures.  User revocation. In our scheme, if a user’s identity IDi is revoked, the revoked IDi must be broadcasted to the sensor nodes immediately, after which they store only the revoked identity. In the schemes based on the PKC, the sensor nodes have to store a certificate revocation list (CRL) containing the revoked user’s certificates. Hence, the number of revoked users increases unceasingly as time passes, causing such schemes to incur a considerable amount of storage overhead. If we assume that a user certificate is at least 86 bytes as in [39], only 58 users can be supported for a given storage limit of 5 KB. In our scheme, 2500 network users are supported for the same storage limit, as each sensor node stores only revoked users’ identities and the size of IDi is required to be 2 bytes. 4. Quantitative performance analysis In this section, we evaluate the performance of our scheme in terms of communication overhead and energy consumption on the MICA2 mote. We also give a quantitative analysis of our scheme compared to previous ID-based BA schemes. We show how the total broadcast message size affects the energy consumption during communication in a WSN. We investigate energy consumption as a function of the size of the WSN (denoted as W). Before this estimation, we compare EIBAS with IDBAS [34] and IMBAS [7] in terms of the signature size and the computational cost for the signing and verification process. This is shown in Table 1. We assume that each sensor node stores all of the current users’ identities and their corresponding public keys, hIDi, PPub + H(IDi)Pi, which are preloaded in the storage of each sensor node during the system initialization phase. In Table 1, P, SM, E, M, H, MH and SR represent a pairing computation, a scalar multiplication in G1 , an exponentiation in G2 , a multiplication in G2 , a computation of a hash, a computation of the MapToPoint function, and a square root, respectively. Also, jpj and jqj denote the bit sizes of an element in the subgroup and a subgroup of the underlying supersingular curve, respectively. The IDBAS and EIBAS schemes require pairing-friendly curves which are elliptic curves with small embedding degrees. We use the gT pairing defined on a subgroup of the 252-bit prime order of the supersingular curve y2 + y = x3 + x over F2271 with an embedding degree of 4 [29]. The pairing on this subgroup is the fastest on the MICA2 mote, up to now because the group order has a low hamming weight, an efficient formula to compute 2P for P 2 EðFp Þ and a squaring of field elements. However, this curve has no subgroup with a prime order close to 160 bits when considering an 80 bit security level. In this curve, a square root can be computed at a similar cost of one squaring. Hence, when one sends a point Q = (x, y) of the elliptic curve, it can send only the x-coordinate of Q and a receiver can obtain the y-coordinate computing a square root in order to reduce the communication overhead. In fact, to reduce signature size, it is more suitable

187

K.-A. Shim et al. / Ad Hoc Networks 11 (2013) 182–189

 EIBAS: jrx, yj + jIDj + jttj = 66 + 2 + 2 = 70.

Table 1 Performance evaluation of three broadcast authentication schemes.

IMBAS [7] IDBAS [34] EIBAS

Signature Size

Sign

Verify

2jpj + 2jqj + 192

1SM + 1H

3SM + 2H

jpj + jqj + 192

1MH + 3SM + 1E + 1H

jpj + jqj + 32

1E + 3H + 1SM

2P + 1H + 1MH + 1M + 1E + 1SR 1P + 1E + 1M + 3H + 1SR

to use an MNT curve or a supersingular curve with an embedding degree of 6. However, the pairing computation time in these curves is much slower than in the above supersingular curve: the pairing computation on the MNT curve [36] is nearly four times slower than that on the supersingular curve [29]. Therefore, the above supersingular curve is more competitive in terms of the overall energy cost. We assume that the size of a message (M), an identity (ID) and the current timestamp (tt) in IDBAS, IMBAS and EIBAS are 20, 2, and 2 bytes, respectively. In IMBAS, the resulting signature size is 83 bytes because it comprises one elliptic curve point over Fp and two integers from Zq , where the sizes of p and q are 168 and 166 bits, respectively. For comparison, we implement a scalar multiplication, an exponentiation, and the gT pairing on the following curves:  The IMBAS Schemes: ECC secp160r1, ECC secp224r1 [28].  The IDBAS and EIBAS Schemes: the supersingular curve y2 + y = x3 + x over F2271 [29]. Because we use the supersingular curve with a subgroup of the 252-bit prime order for implementing our scheme, we also consider IMBAS implemented in ECC secp224r1 to balance the security level. Considering the IDBAS and EIBAS schemes on the supersingular curve over F2271 with the subgroup G1 of the 252-bit prime order, the total broadcast message sizes are 90 bytes including (M, ID, tt) and 70 bytes including (ID, tt), respectively, as follows:  IMBAS: jrx;y j þ jIDj þ jttj þ jMj ¼  83 þ 2 þ 2 þ 20 ¼ 107 ð80-bit levelÞ 112 þ 2 þ 2 þ 20 ¼ 136 ð112-bit levelÞ .  IDBAS: jrx, yj + jh(Mkttkh)j + jIDj + jttj + jMj = 34 + 32 + 2 + 2 + 20 = 90.

In the IDBAS and EIBAS schemes, total broadcast message size at an 80-bit security level is the same as that at a 112-bit security level. The total broadcast message size of our scheme is reduced by about 30% and 22.3% compared to IMBAS and IDBAS, respectively. Now, we investigate energy consumption as a function of N and W, where N and W are the number of neighbor nodes of one sensor and the size of network, respectively. Table 2 shows the energy consumption during the communication and computational processes. We follow the format of the packet: a packet size of 128 bytes, and hop-wise energy consumption [7]. The costs to transmit and receive one byte are 52.2 lJ and 19.3 lJ, respectively. The energy consumption amounts when transmitting and receiving using the EIBAS scheme are respectively 101  52.2 lJ = 5.3 mJ and 101  19.3lJ = 1.9 mJ, as the EIBAS scheme uses 70 + 31 = 101 bytes for transmission. We also assume that the power level of MICA2 is 3.0 V, and the current draw is 8 mA in active mode [27]. In our setting, each sensor node receives the broadcast message hIDi, tti, ri from its surrounding N nodes, and then retransmits the message to other nodes if the verification process is successful. It means that every sensor node is a receiver and a sender at the same time. Because the transmitting current draw (27 mA) is more expensive to the receiving one (10 mA), the effect of longer message is serious for the node, i.e., the more the total length of broadcast message got longer, the more the energy consumption to transmit the message increases. For this reason, EIBAS, which requires the shorter packet size compared to previous schemes, saves the energy to retransmit message. The comparison result is provided in Table 2. The most time-consuming operations during broadcast authentication are a scalar multiplication, an exponentiation and a pairing operation. A point multiplication over the supersingular curve requires 0.81 s [13] and the gT pairing computation [29] takes 1.9 s on MICA2. We can compute U = [r1 + h(r2)]SKi in the signing of the EIBAS scheme using the SHA-1 hash function h and verify it by computing lhðr2 Þ . Therefore, we can assume that the size of r2 is 160 bits only during the exponentiation of G2 at an 80-bit security level. However, we assume that the size of r2 is 252 bits at a 112-bit security level without using the hash function. We assume that a squaring is about one tenth of a multiplication and that a multiplication in the extension field F24271 is about six times that in the base field F2271 [29]. Because an exponentiation in G2 constitutes average jG2 j-squaring and jG2 j=2-multiplica-

Table 2 Energy consumption on three broadcast authentication schemes. Security level (bit)

Trans. overhead (byte)

Power for comm. (mJ) (1)

Comp. time (s)

Power for comp. (mJ) (2)

Total W  {(1) + (2)} (mJ)

IMBAS [7]

80 112

169 198

8.8 + 3.3  N 10.3 + 3.8  N

2.4 6.6

58.3 157.7

W  (67.1 + 3.3  N) W  (168.0 + 3.8  N)

IDBAS [34]

80 112

121 121

6.3 + 2.3  N 6.3 + 2.3  N

4.7 5.3

112.8 127.2

W  (119.1 + 2.3  N) W  (133.5 + 2.3  N)

EIBAS

80 112

101 101

5.3 + 1.9  N 5.3 + 1.9  N

2.8 3.4

67.2 81.6

W  (72.5 + 1.9  N) W  (86.9 + 1.9  N)

K.-A. Shim et al. / Ad Hoc Networks 11 (2013) 182–189

Broadcast Authentication (J)

Overall Energy Consumpstion on

188

the EIBAS scheme can be reduced by about 32.8% and 15.8% compared to the IDBAS and IMBAS schemes at an 80-bit security level. At a 112-bit security level, the total energy cost of the EIBAS scheme can be reduced by about 30.2% and 48.5% compared to the IDBAS and IMBAS schemes, respectively.

2500 IMBAS

2000

IDBAS

1500

EIBAS

1000 500 0

5. Conclusion 0

2500

5000

7500

10000

12500

W (Network size)

Overall Energy Consumpstion on Broadcast Authentication (J)

Fig. 1. Overall energy consumption on three schemes at an 80-bit security level.

3500

IMBAS

3000

IDBAS

2500

EIBAS

2000 1500

In this paper, we propose an efficient ID-based broadcast authentication scheme, EIBAS, to achieve security requirements in wireless sensor networks. To minimize communication and computational costs, we use a pairing-optimal ID-based signature scheme with message recovery, where the original message of the signature is not required to be transmitted together with the signature, as it can be recovered according to the verification/message recovery process. The EIBAS scheme requires the shortest broadcast message size among all existing IDbased BA schemes, meaning that the total energy consumption amount can be reduced by up to 48.5% compared to other schemes.

1000 500 0

Acknowledgements 0

2500

5000

7500

10000

12500

W (Network size)

Fig. 2. Overall energy consumption on three schemes at a 112-bit security level.

This research was supported by the National Institute for Mathematical Sciences (NIMS) grant funded by the Korea government (B21203). References

tion, we can estimate the cost of an exponentiation in the extension field as

jG2 jðS þ M=2Þ ¼ jG2 jðM=10 þ M=2Þ ¼ 160  ð0:6MÞ ¼ 160  ð0:6  6 M B Þ where S, M and MB are time for a squaring, a multiplication in the extension field and a multiplication in the base field, respectively. Since MB requires 11,727 cycles and a pairing computation takes 14  106 cycles (1.9 s) [29], we can estimate that an exponentiation in the extension field F24271 takes about 0.9 s. Here, we neglect the cost of other operations because they are much smaller compared to the above three operations. The EIBAS scheme requires one pairing and one exponentiation to verify the signature, and the resulting energy consumption is 3.0  8.0  (1.9 + 0.9) = 67.2 mJ. To broadcast a message to the entire WSN, every sensor node should at least retransmit once and receive N times the same message. Hence, the total energy consumption upon a message broadcast in the EIBAS scheme is 72.5 + 1.9N at an 80-bit security level. Similarly, we can estimate the total energy cost of the EIBAS and other schemes at a 112bit security level. We summarize these results in Table 2, where Trans., Comm. and Comp. abbreviate transmission, communication and computing, respectively. Figs. 1 and 2 illustrate the total broadcast energy consumption as a function of the network size W, assuming N = 20. From Figs. 1 to 2, we can estimate that the total energy cost of

[1] D.F. Aranha, K. Karabina, P. Longa, C.H. Gebotys, J. Lopez, Faster explicit formulas for computing pairings over ordinary curves, in: Proceedings of Eurocrypt’11, LNCS 6632, Springer-Verlag, 2011, pp. 8–68. [2] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, M. Scott, Efficient algorithms for pairing-based cryptosystems, in: Proceedings of Crypto’02, LNCS 2442, Springer-Verlag, 2002, pp. 354–368. [3] P.S.L.M. Barreto, S. Galbraith, C. ÓhÉigeartaigh, M. Scott, Efficient pairing computation on supersingular abelian varieties, Design, Codes and Cryptography 42 (3) (2007) 239–271. [4] P.S.L.M. Barreto, B. Libert, N. McCullagh, J. Quisquater, Efficient and provably-secure identity-based signatures and signcryption from bilinear maps, in: Proceedings of Asiacrypt’05, LNCS 3778, SpringerVerlag, 2005, pp. 515–532. [5] D. Boneh, B. Lynn, H. Schacham, Short signatures from the weil pairing, Journal of Cryptology 17 (4) (2004) 297–319. [6] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas, Multicast security: a taxanomy and some efficient constructions, in: Proceedings of INFOCOMM’99, 1999, pp. 708–710. [7] X. Cao, W. Kou, L. Dang, B. Zhao, IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks, Computer communications 31 (14) (2008) 659–667. [8] S. Cheng, An efficient message authentication scheme for link state routing, in: Proceedings of ACSAC’97, 1997, pp. 90–98. [9] J. Drissi, Q. Gu, Localized broadcast authentication in large sensor networks, in: Proceeding of ICNS’06, 2007, pp. 341–350. [10] S.D. Galbraith, Pairings, advances in elliptic curve cryptography, London Mathematical Society Lecture Notes, vol. 317, Cambridge University Press, 2005, pp. 183–213. [11] D. Galindo, R. Roman, J. Lopez, A killer application for pairings: authenticated key establishment in underwater wireless sensor networks, in: Proceedings of CANS’08, LNCS 5339, Springer, 2008, pp. 120–132. [12] G. Gaubatz, J. Kaps, B. Sunar, Public key cryptography in sensor networks-revisited, in: Proceedings of 1st European Workshop on Security in Ad-Hoc and Sensor Networks, LNCS 3313, SpringerVerlag, 2005, pp. 2–18.

K.-A. Shim et al. / Ad Hoc Networks 11 (2013) 182–189 [13] N. Gura, A. Patel, A. Wander, H. Eberle, S.C. Shantz, Comparing elliptic curve cryptography and RSA on 8-bit CPUs, in: Proceedings of CHES’04, 2004, pp. 119–132. [14] F. Hess, Efficient identity based signature schemes based on pairings, in: Proceedings of SAC’02, LNCS 2595, Springer-Verlag, 2003, pp. 310–324. [15] F. Hess, N.P. Smart, F. Vercauteren, The Eta pairing revisited, IEEE Transactions on Information Theory 52 (2006) 4595–4602. [16] T. Ishiguro, M. Shirase, T. Takagi, Efficient Implementation of Pairings on Sensor Nodes, in: Identity Based Encryption Workshop, NIST, 2008. . [17] A. Kansal, D. Potter, M. Srivastava, Performance aware tasking for environmentally powered sensor networks, in: Proceedings of SIGMETRICS’04, 2004, pp. 223–234. [18] P. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in: Proceedings of Crypto’96, LNCS 1109, Springer-Verlag, 1996, pp. 104–113. [19] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Proceedings of Crypto’99, LNCS 1666, Springer-Verlag, 1999, pp. 388–397. [20] T.K. Kwon, J. Hong, Secure and efficient broadcast authentication in wireless sensor networks, IEEE Transactions on Computers 59 (8) (2010) 1120–1133. [21] A. Liu, P. Kampanakis, P. Ning, TinyECC: Elliptic Curve Cryptography for Sensor Networks (Ver. 0.3), 2005. . [22] K. Lorincz, D. Malan, T. Fulford-Jones, A. Nawoj, A. Clavel, V. Shnayder, G. Mainland, S. Moulton, M. Welsh, Sensor networks for emergency response: challenges and opportunities, IEEE Pervasive Computing Special Issue on Persive Computing for First Response 3 (4) (2004) 16–23. [23] D. Liu, P. Ning, Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks, in: Proceedings of NDSS’03, 2003, pp. 263–276. [24] D. Liu, P. Ning, Multi-level lTESLA: broadcast authentication for distributed sensor networks, ACM Transactions of Embedded Computing Systems 3 (4) (2004) 800–836. [25] D. Liu, P. Ning, S. Zhu, S. Jajodia, Practical broadcast authentication in sensor networks, in: Proceedings of MobiQuitous’05, 2005, pp. 118– 132. [26] D. Malan, M. Welsh, M. Smith, A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography, in: Proceedings of SECON’04, 2004, pp. 71–80. [27] MICA2 Datasheet, 2006. . [28] National Institute of Standards and Technology, Recommended Elliptic Curves for Federal Government Use, August, 1999. [29] L.B. Oliveira, D.F. Aranha, C. Gouvea, M. Scott, D. Camara, J. Lopez, R. Dahab, TinyPBC: pairings for authenticated identity-based noninteractive key distribution in sensor networks, Computer Communications 34 (3) (2011) 485–493. [30] L.B. Oliveira, D.F. Aranha, E. Morais, F. Daguano, J. Lopez, R. Dahab, TinyTate: computing the Tate pairing in resource-constrained nodes, in: Proceedings of NCA’07, 2007, pp. 318–323. [31] L.B. Oliveira, A. Kansal, B. Priyantha, M. Goraczko, F. Zhao, SecureTWS: authenticating node to multi-user communication in shared sensor networks, in: Proceedings of IPSN’08, 2009, pp. 289–300. [32] A. Perrig, R. Szewczyk, V. Wen, D. Culler, D. Tygar, SPINS: security protocols for sensor networks, in: Proceedings of MobiCom’01, 2001, pp. 521–534. [33] K. Ren, W. Lou, Y. Zhang, Multi-user broadcast authentication in wireless sensor networks, IEEE Transactions on Vehicular Technology 58 (8) (2009) 4554–4564. [34] K. Ren, K. Zeng, W. Lou, P. Moran, On broadcast authentication in wireless sensor networks, IEEE Transactions on Wireless Communications 6 (11) (2007) 4136–4144. [35] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proceedings of Crypto’84, LNCS 0196, Springer-Verlag, 1985, pp. 47– 53.

189

[36] P. Szczechowiak, A. Kargl, M. Scott, M. Collier, On the application of pairing based cryptography to wireless sensor networks, in: Proceedings of WISE’09, ACM Press, 2009, pp. 1–12. [37] P. Szczechowiak, L. Oliveira, M. Scott, M. Collier, R. Dahab. NanoECC: testing the limits of elliptic curve cryptography in sensor networks, in: Proceedings of EWSN’08, LNCS 4913, 2008, pp. 305–320. [38] R. Tso, C. Gu, T. Okamoto, E. Okamoto, Efficient ID-based digital signatures with message recovery, in: Proceedings of CANS’07, LNCS 4856, Springer-Verlag, 2007, pp. 47–59. [39] A.S. Wander, N. Gura, H. Eberle, V. Gupta, S.C. Shantz, Energy analysis of public-key cryptography for wireless sensor networks, pervasive computing and communications, in: Proceedings of PerCom’05, 2005, pp. 324–328. [40] H. Wang, Q. Li, Efficient implementation of public key cryptosystems on mote sensors, in: Proceedings of ICICS’06, 2006, pp. 519–528.

Kyung-Ah Shim received her M.S. and Ph.D. degrees, both in Mathematics from Ewha Womans University in 1994 and 1999, respectively. In September 2008, she joined the National Institute for Mathematical Sciences as a senior researcher. Her research interests are cryptography and information security.

Young-Ran Lee received the M.S. and Ph.D. degrees in Mathematical Science from Ewha Womans University, Seoul, Korea, in 1998 and 2005, respectively. She is currently a researcher in the National Institute for Mathematical Sciences. Her research interests include cryptography and information security.

Cheol-Min Park received the B.S. degree in mathematics education, and the M.S. degree, Ph.D. degree in mathematics from Seoul National University, Seoul, Korea, in 1999, 2001, 2006 respectively. He has been a researcher at National Institute for Mathematical Sciences since 2011. His research interests include elliptic and hyperelliptic curves cryptography.