Improved Elliptic Curve Cryptography-Based Broadcast Authentication in Wireless Sensor Networks


Material Information

Title:
Improved Elliptic Curve Cryptography-Based Broadcast Authentication in Wireless Sensor Networks
Physical Description:
1 online resource (123 p.)
Language:
english
Creator:
Chuchaisri, Panoat
Publisher:
University of Florida
Place of Publication:
Gainesville, Fla.
Publication Date:

Thesis/Dissertation Information

Degree:
Doctorate (Ph.D.)
Degree Grantor:
University of Florida
Degree Disciplines:
Computer Engineering, Computer and Information Science and Engineering
Committee Chair:
Newman, Richard E
Committee Members:
Chow, Yuan-Chieh R
Chen, Shigang
Xia, Ye
Latchman, Haniph A

Subjects

Subjects / Keywords:
cryptography -- ecc -- wsn
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre:
Computer Engineering thesis, Ph.D.
bibliography (marcgt)
theses (marcgt)
government publication (state, provincial, territorial, dependent) (marcgt)
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract:
Public Key-based (PKC) approaches have gained popularity in Wireless Sensor Network (WSN) broadcast authentication due to their simpler protocol operations and higher tolerance to node capture attack. With PKC's security strength, a sensor node that authenticates messages before forwarding them can detect a bogus message immediately. While this prevents forged traffic from wasting the sensor nodes' energy, performing PKC operations in the limited resource nodes can result in undesirably long delay. At the other extreme, the sensor node can forward messages to other nodes prior to authenticating them. This approach diminishes propagation time at the expense of allowing forged messages to propagate through the network. To achieve swift and energy efficient broadcast operation, sensor nodes need to decide wisely when to forward first and when to authenticate first. In this work, we address this problem at two different stages of the authentication process. The first proposed solution adds extra verification procedures to eliminate unnecessary handling of fake packets. The second proposed solution addresses the digital signature scheme by extending an existing digital signature scheme to support a set of signatures with different strengths. First, we present two broadcast pre-authentication schemes, called the key pool and the key chain scheme, to solve this dilemma. Both schemes utilize a Bloom filter and the distribution of secret keys among sensor nodes to create fast and capture-resistant PKC-based broadcast authentication protocols. Two generic improvements to these schemes are also described. One reduces the marking limit on the Bloom filter vector (BFV) while the other limits broadcast forwarding to a spanning tree. Next, we present a digital signature scheme, called Multi-Resolution Elliptic Curve Signature (MRECS), that allows the signer to create signatures of different sizes from the same key set. Compared to an implementation using a set of different keys, MRECS requires less storage overhead and has longer key lifetime at the cost of higher but acceptable communication overhead. MRECS can reduce up to one third of the full-size signature's computational overhead. We also present several improvements to enhance MRECS's security using a second key set. The added security can be adjusted on-the-fly by the signer.
General Note:
In the series University of Florida Digital Collections.
General Note:
Includes vita.
Bibliography:
Includes bibliographical references.
Source of Description:
Description based on online resource; title from PDF title page.
Source of Description:
This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility:
by Panoat Chuchaisri.
Thesis:
Thesis (Ph.D.)--University of Florida, 2012.
Local:
Adviser: Newman, Richard E.
Electronic Access:
RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2013-02-28

Record Information

Source Institution:
UFRGP
Rights Management:
Applicable rights reserved.
Classification:
lcc - LD1780 2012
System ID:
UFE0044094:00001


Full Text

IMPROVED ELLIPTIC CURVE CRYPTOGRAPHY-BASED BROADCAST AUTHENTICATION IN WIRELESS SENSOR NETWORKS

By

PANOAT CHUCHAISRI

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2012

© 2012 Panoat Chuchaisri

To my family, friends and everyone in between

ACKNOWLEDGMENTS

Gratitude is not only the greatest of the virtues but the parent of all others. Cicero, 'Pro Plancio,' 54 B.C.

While this dissertation is officially contributed and completed by myself, it cannot be accomplished, by any means, without the assistance of others whom I would like to mention in this section. First and foremost, I would like to express appreciation to my advisor and committee chair, Dr. Richard Newman, for his utmost patience with the student who can be considered having the most deliberate pace in transforming interesting ideas into academic articles.¹ His advice and thoughts always stimulate new ideas and improve my research. I would also like to thank my committee: Dr. Shigang Chen, Dr. Randy Y. C. Chow, Dr. Ye Xia and Dr. Haniph Latchman. Particular thankfulness goes to Dr. Chen for recommending me to read [1], which starts my interest in this research topic. In addition, I also thank Dr. Kevin Keating from the Department of Mathematics for providing me his insights in Elliptic Curve theory. During my last two years in the program, I have had a wonderful opportunity to work in the ECE's Advanced Computing and Information Systems (ACIS) Laboratory. I am thankful for all the knowledge and guidance from two faculty members who operate the lab, Dr. Jose A. B. Fortes and Dr. Renato Figueiredo. It is impossible for me to forget all my Ph.D. friends who, over the years, still maintain our friendships even though they might get tired of my silly jokes. My thanks go to fellows at the CONS Lab, Dr. Piyush Harsh, Dr. Inkwan Yu and Dr. Mahendra Kumar; we should be remembered as the nerdiest research group in the CISE department history.¹ To all my friends at the ACIS lab, Dr. David Wolinsky, Yu Chu Tong, Dr. Ming Zhao, Selvi Kadirvel, Jiang Yan Xu, Kyungyong Lee, Piere St. Juste, Younggang Liu and Heungsik Eom, I want to thank them for accepting me as a part of their group and regularly playing those wonderful badminton matches that we enjoyed together.

Anyone who has lived in a foreign country for an extended period of time knows how pleasant the thought of coming back to your home country could be. The Thai community in Gainesville has made me feel like I have never left my home in Thailand. I would like to provide a special thank to Dr. Prapaporn Rattanatamrong for all the cares and supports she had given me. I want to say thank you to all my Thai friends, Dr. Donruethai Laphasradakul, Dr. Siriporn Kobnithikulwong and her husband, Wuthichai Leelavorawong, Dr. Kittipat and Sutheenat Kampa, Dr. Siriporn Kamontum, Dr. Risa Patarasuk, Dr. Wuttichai Lerdsitsomboon and every member of the Thai Student Association for constantly providing delicious Thai food and organizing amazing events. Several Thai families in Gainesville who selflessly help Thai students here (including me) for countless times include Dr. Ratree Wayland's, Dr. Amarat Simone's, Dr. Vincent and Ni Schroder and their three lovely children (Boone, Isana and Ty), and Nipapat and Mark McDow and their baby girl (Maryn). Last but not least, I would not even have a chance to write this acknowledgment page without the generous support from my family. I cannot describe how grateful I am for everything they have done for me. Thank you so much.

¹ Author's personal opinion

TABLE OF CONTENTS

ACKNOWLEDGMENTS ... 4
LIST OF TABLES ... 9
LIST OF FIGURES ... 10
ABSTRACT ... 12

CHAPTER

1 INTRODUCTION ... 14
  1.1 Broadcast Packet Pre-Authentication ... 16
  1.2 Multiple Public Key Digital Signature Scheme ... 17
    1.2.1 Elliptic curve ... 17
    1.2.2 Elliptic curve cryptosystem (ECC) ... 19
    1.2.3 Elliptic curve digital signature algorithm (ECDSA) ... 20
    1.2.4 Elliptic curve Pintsov-Vanstone signatures (ECPVS) ... 21
  1.3 Summary ... 23

2 SPEEDING UP BROADCAST AUTHENTICATION IN WIRELESS SENSOR NETWORKS USING BLOOM FILTER ... 26
  2.1 Related Work ... 27
  2.2 System and Threat Model ... 30
  2.3 Bloom Filter ... 31
  2.4 Key Pool Scheme ... 32
    2.4.1 Protocol description ... 32
    2.4.2 Protocol analysis ... 34
      2.4.2.1 Security consideration ... 34
      2.4.2.2 Protocol overheads ... 35
    2.4.3 Reducing communication overhead ... 36
  2.5 Key Chain Scheme ... 38
    2.5.1 Protocol description ... 39
    2.5.2 Protocol analysis ... 40
      2.5.2.1 Security considerations ... 40
      2.5.2.2 Protocol overheads ... 41
  2.6 Simulation and Results ... 42
    2.6.1 Parameter selection ... 42
      2.6.1.1 Key pool scheme ... 42
      2.6.1.2 Key chain scheme ... 43
    2.6.2 Attack resistance ... 44
    2.6.3 Authentication delay ... 45
  2.7 Protocol Improvements ... 45
    2.7.1 Reducing maximum Bloom filter marking limit ... 46
    2.7.2 Improving attack resistance with broadcast tree ... 48
  2.8 Conclusion ... 50

3 MULTI-RESOLUTION ELLIPTIC CURVE DIGITAL SIGNATURE (MRECS) ... 63
  3.1 Related Work ... 63
  3.2 Design Overview ... 68
    3.2.1 Protocol description ... 69
    3.2.2 Protocol's correctness ... 70
  3.3 Attacks on MRECS ... 71
    3.3.1 Forging a new signature ... 71
    3.3.2 Preimage attack ... 71
    3.3.3 Preimage attack on different key selections ... 72
    3.3.4 Preimage attack from combined key selections ... 74
    3.3.5 Birthday attack ... 75
  3.4 Parameter Selection ... 76
    3.4.1 Cryptographic strength ... 76
    3.4.2 Resolution ... 77
    3.4.3 Usable key combination ... 77
    3.4.4 Overheads ... 78
      3.4.4.1 Storage overhead ... 78
      3.4.4.2 Communication overhead ... 79
      3.4.4.3 Computational overhead ... 79
  3.5 Key Lifetime ... 80
  3.6 MRECS rekeying ... 82
    3.6.1 Traditional approach ... 82
    3.6.2 Addition approach ... 83
    3.6.3 Chaining approach ... 83
    3.6.4 Double cyclic chaining approach ... 83
  3.7 Conclusion ... 84

4 IMPROVING MRECS WITH DUAL SECRET KEY SETS ... 91
  4.1 Design Overview ... 91
  4.2 The Second Key Set Organization ... 92
    4.2.1 The second key set size ... 93
    4.2.2 Multiple sizes hash extension support ... 95
  4.3 MRECS/DS Description ... 95
  4.4 Attacks on MRECS/DS' hash ... 98
  4.5 Protocol Analysis ... 100
    4.5.1 Key collision ... 100
    4.5.2 Storage overhead ... 101
    4.5.3 Computational overhead ... 102
  4.6 Conclusion ... 104

5 CONCLUSIONS AND FUTURE WORK ... 108
  5.1 Summary of Contributions ... 108
    5.1.1 Bloom filter pre-authentication schemes ... 108
    5.1.2 Multi-resolution elliptic curve signature (MREC) schemes ... 109
  5.2 List of Publications ... 110
  5.3 Open Problems and Future Work ... 110

APPENDIX

A PROBABILITY OF COLLISION BETWEEN TWO RANDOM SETS ... 111
B BREAKING DOWN ECPVS/MRECS' RESIDUE ELEMENT ... 114
  B.1 Key set generation ... 114
  B.2 Generating an arbitrary modulo n number from a key set ... 115

REFERENCES ... 117
BIOGRAPHICAL SKETCH ... 123

LIST OF TABLES

Table ... page
2-1 WSN broadcast authentication protocol comparison ... 58
2-2 Overheads of the key pool, both with and without the improvement, and the key chain scheme ... 59
2-3 Average delay of various broadcast authentication schemes ... 60
2-4 Parameters summary ... 61
3-1 Number of usable signatures of a few possible hash partitionings (g) with f = 112 ... 86
3-2 Overhead comparison between the MRECS and SFI schemes, where C_y(x) is the computational cost of a scalar multiplication with an x-bit integer on a y-bit curve ... 88
3-3 Number of rekeying operations for different values of g and key size (n) that SFI and MRECS require to perform during their lifetimes, where n = 224 ... 89
4-1 A sample key mapping table for a key set of size 3 ... 105
4-2 A sample key mapping table for a key set of size 3 with subtraction ... 105

LIST OF FIGURES

Figure ... page
1-1 Forwarding-first and authentication-first broadcast timing diagram ... 25
2-1 Key pool scheme's BFV generation algorithm ... 51
2-2 The Key Pool scheme's BFV generation for q = 1 ... 51
2-3 Sender's algorithm for randomly picking k keys from hash^{nc−1} ... 52
2-4 Receiver's algorithm for reconstructing I_g ... 52
2-5 Portion of nodes forwarding forged messages under various percentages of compromised keys ... 53
2-6 A pool of N key chains with the current keys enclosed in a box (i.e., the key index c). Each arrow represents left-to-right hash function application ... 54
2-7 Key chain scheme's BFV generation algorithm ... 54
2-8 Probability that a sensor node needs to perform DS verification due to the failure to satisfy the requirement ... 54
2-9 P_a of all possible h and k values in the key pool scheme with m = 40 ... 55
2-10 P_b of all possible k and N values in the key chain scheme with r = 64 and a = 0 ... 55
2-11 P_a and P with r = 64 bit, hnq/r = 0.56 and (h + k)/m = 0.325 ... 56
2-12 Average number of paddings for different P and t ... 56
2-13 Average number of sensor nodes receiving and forwarding forged packets with and without the broadcast tree technique ... 57
3-1 Hash partitioning ... 85
3-2 Storage overhead comparison between MRECS and SFI, f = 112 ... 85
3-3 Communication overhead comparison between MRECS and SFI, f = 112, g = 16 ... 87
3-4 Computational overhead comparison between MRECS and SFI, f = 112, n = 224 ... 87
3-5 Key lifetime comparison between SFI and MRECS with different key partitions g ... 88
3-6 A re-keying diagram for the addition approach ... 89
3-7 A re-keying diagram for the chaining approach ... 90
3-8 A re-keying diagram for the cyclic chaining approach ... 90
4-1 Storage overhead of the second key set for various hash extension sizes (f_x), where f = 112 ... 106
4-2 Expected number of point addition operations to be performed in the Q_2 calculation process for various r values ... 106
4-3 Key lifetime comparison between SFI, MRECS, and MRECS/DS with different hash extension bit-lengths (f_m) with n = 224 and g = 16 ... 107
B-1 Algorithm for finding a signature residue element set S ... 116

Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

IMPROVED ELLIPTIC CURVE CRYPTOGRAPHY-BASED BROADCAST AUTHENTICATION IN WIRELESS SENSOR NETWORKS

By Panoat Chuchaisri

August 2012

Chair: Richard Newman
Major: Computer Engineering

Public Key-based (PKC) approaches have gained popularity in Wireless Sensor Network (WSN) broadcast authentication due to their simpler protocol operations and higher tolerance to node capture attack. With PKC's security strength, a sensor node that authenticates messages before forwarding them can detect a bogus message immediately. While this prevents forged traffic from wasting the sensor nodes' energy, performing PKC operations in the limited resource nodes can result in undesirably long delay. At the other extreme, the sensor node can forward messages to other nodes prior to authenticating them. This approach diminishes propagation time at the expense of allowing forged messages to propagate through the network. To achieve swift and energy efficient broadcast operation, sensor nodes need to decide wisely when to forward first and when to authenticate first.

In this work, we address this problem at two different stages of the authentication process. The first proposed solution adds extra verification procedures to eliminate unnecessary handling of fake packets. The second proposed solution addresses the digital signature scheme by extending an existing digital signature scheme to support a set of signatures with different strengths. First, we present two broadcast pre-authentication schemes, called the key pool and the key chain scheme, to solve this dilemma. Both schemes utilize a Bloom filter and the distribution of secret keys among sensor nodes to create fast and capture-resistant PKC-based broadcast authentication protocols. Two generic improvements to these schemes are also described. One reduces the marking limit on the Bloom filter vector (BFV) while the other limits broadcast forwarding to a spanning tree. Next, we present a digital signature scheme, called Multi-Resolution Elliptic Curve Signature (MRECS), that allows the signer to create signatures of different sizes from the same key set. Compared to an implementation using a set of different keys, MRECS requires less storage overhead and has longer key lifetime at the cost of higher but acceptable communication overhead. MRECS can reduce up to one third of the full-size signature's computational overhead. We also present several improvements to enhance MRECS's security using a second key set. The added security can be adjusted on-the-fly by the signer.

CHAPTER 1
INTRODUCTION

A sensor network is a computing platform that emerges from the advancement in technological miniaturization and the exponential growth rate of processing power. The result is a disposable sensing, computation, storage, and communication node that is cheap and small enough to be deployed in large numbers over a target area. This network of nodes is suitable for applications that need to cover a large area with relatively low computing power devices. The most prevailing application for this type of network is environment monitoring, which uses each node as a sensing platform. Due to the scattered nature of the node deployment, the communication between nodes is normally done via wireless links.

In a typical WSN, a large number of nodes are deployed over a target area with a few nodes, called access points, power nodes, or base stations, acting as data sinks. If the access point wants to gather data from the sensors, it needs to broadcast one or more query commands to all sensor nodes in the network. To avoid unnecessary radio transmission among resource-constrained sensor nodes, each broadcast packet must be verified by a broadcast authentication protocol prior to forwarding. Broadcast authentication in a regular network can be performed either by using a public key based digital signature to sign the broadcast packet, thus allowing intermediate nodes to verify its authenticity, or by using a message authentication code (MAC) generated from a shared secret key between nodes. Since WSNs are usually deployed in hostile or unmonitored locations, sensor nodes are highly vulnerable to capture and tampering; we cannot guarantee that locally stored secret keys will stay secure. In addition, using a PKC-based digital signature also poses some challenges because sensor nodes have very limited resources. Even though PKC operations on a sensor node platform are possible, they are still considered to be very computationally intensive and time consuming; signature verification time can take up to 1.6 seconds [2].

As stated by Wang et al. in [1], if PKC is the only mechanism used for WSN broadcast authentication, sensor nodes will have to choose between forwarding each broadcast message before verifying its authenticity (forwarding-first approach) or verifying the message's digital signature before spreading it further (authentication-first approach). The forwarding-first (FF) approach is susceptible to Denial of Service (DoS) attacks, a scenario in which an attacker impersonates an access point and broadcasts forged messages. Messages will successfully reach every node in the network, thus draining each node's short-supplied battery power. On the other hand, the authentication-first (AF) approach can prevent the DoS attacks because any forged messages will be stopped at the first hop. However, due to sensor nodes' limited computing power, signature verification at every hop will impose long delays, which in turn will increase the overall delay of the broadcast operations.

The goal of this research is to provide new PKC-based authentication processes that can securely perform the broadcast authentication operation with:

1. Low computational overhead at the receivers, since the sensor nodes have limited resources but the access point (the sender) does not share this limitation.
2. Smaller broadcast operation delay, which allows a broadcast message to reach an entire sensor network faster than in the authentication-first method. At the same time, the introduced communication and storage overhead should also be reasonable.
3. Protection against DoS attacks, so attackers cannot freely broadcast fake messages to drain sensor nodes' power.
4. Resistance against node capturing, due to the nature of sensor node deployment.

To achieve this goal, we tackle this problem at two different stages of a sensor node's verification process. First, we design two new pre-authentication processes to filter out any fake broadcast message before handing it to the digital signature scheme. Second, we create two new digital signature schemes based on elliptic curve cryptography (ECC) that can adjust the verification delay by using multiple public keys.

1.1 Broadcast Packet Pre-Authentication

Current attempts to solve the broadcast authentication problem can be categorized into either hardware or protocol approaches. The hardware approach prevents adversaries from learning any sensitive information from captured nodes by equipping them with tamper-resistant memory [3]. Securing all secret keys stored inside the sensor nodes removes any risk that can jeopardize broadcast authentication protocols, thus allowing the MAC approach to be used securely in a WSN [4]. Due to the higher cost of tamper-resistant hardware, this approach will be limited to critical applications or small-size WSNs [5].

For the protocol approach, there are several research efforts focusing on creating new protocols that can withstand node capturing. TESLA [6] and its various extensions [7–9] use a delayed key disclosure technique, in which message verification must be delayed for some period of time, to protect the keys' freshness. Unfortunately, TESLA's symmetric-key-only approach, which aims to create a low computational cost protocol, is unsuitable for quick response applications due to its lack of immediate authentication. In addition, it also requires some level of synchronization between all nodes in the network, which itself must be achieved by periodic broadcasting.

In consequence of several emerging PKC applications, especially Elliptic Curve Cryptography (ECC), in sensor nodes [10, 11], a number of researchers have been developing broadcast protocols that incorporate PKC as a primary means for source authentication [1, 12–14]. Because the PKC-based approach eliminates the delayed verification technique used in the symmetric key approach, the main focus of these research efforts is to speed up the time-consuming PKC operations. However, these protocols still rely on local key pair establishment or periodic key redistribution to filter out bogus messages.

We propose two new techniques, which conform to our research goals, to be used together with traditional digital signature schemes. Both approaches utilize a per-message Bloom filter [15] and a global key pool to pre-authenticate the broadcast packet prior to forwarding it further. The main differences between the two proposed schemes are the global key pool management and the construction of the Bloom filter vector for the broadcast message. The first approach, called the Key Pool scheme, partitions the key pool into several equal-sized sets before distributing them among sensor nodes. The second approach, called the Key Chain scheme, replaces the node's key set in the Key Pool scheme with a single hash chain, thus reducing both communication and storage overhead.

Both the Key Pool and Key Chain schemes augment the digital signature scheme with pre-authentication processes using efficient and low overhead hash operations. This provides a fast filtering technique without introducing a large delay into the overall broadcasting process (goals 1 and 2). These schemes also use a probabilistic approach to distribute secret hash elements among sensor nodes that will prevent the attackers from gaining enough information to successfully broadcast fake messages (goals 3 and 4).

1.2 Multiple Public Key Digital Signature Scheme

Before going into the detail of multiple public key schemes, we first need to understand the underlying mechanism behind ECC. This section provides an overview of the elliptic curve itself as well as the details of current ECC-based digital signature protocols, namely ECDSA and ECPVS. We also look into ECPVS' limitation that will affect the performance of the proposed scheme. The detailed description of our proposed digital signature schemes will be deferred until Chapter 3 and Chapter 4.

1.2.1 Elliptic curve

An elliptic curve is the graph that represents the solutions of an equation

$$y^2 = x^3 + ax + b$$

where a and b are constant curve parameters. The elliptic curve can be defined over different types of numbers, e.g., real numbers R, complex numbers C, etc. However, a curve defined over a finite field (a prime (F_p) or binary (F_{2^m}) field¹) is the most suitable for cryptographic applications due to its speed and precision. An elliptic curve over a finite field that contains no repeated factors² together with the point at infinity (an imaginary point O at coordinate (∞, ∞), which acts as the identity) forms an Abelian group with respect to the point addition and point doubling operations. For any point P_i with coordinate (x_i, y_i) and the point at infinity O of an elliptic curve over finite fields, we can define the curve operations as follows [16]:

Negative Point. Given point P_1 = (x_1, y_1), P_2, which is the negative of point P_1 (P_2 = −P_1), is defined as:

$$P_2 = \begin{cases} (x_1,\ -y_1 \bmod p) & \text{for } F_p \\ (x_1,\ x_1 + y_1) & \text{for } F_{2^m} \end{cases}$$

Point Addition. Given points P_1 = (x_1, y_1) and P_2 = (x_2, y_2), if P_1 ≠ P_2, the point P_3 = (x_3, y_3) which is the result of P_1 + P_2 is defined as:

$$x_3 = \begin{cases} m^2 - x_1 - x_2 & \text{for } F_p \\ m^2 + m + x_1 + x_2 + a & \text{for } F_{2^m} \end{cases}$$

$$y_3 = \begin{cases} m(x_1 - x_3) - y_1 & \text{for } F_p \\ m(x_1 + x_3) + x_3 + y_1 & \text{for } F_{2^m} \end{cases}$$

where m is the slope of the line drawn through P_1 and P_2. m is defined as $\frac{y_2 - y_1}{x_2 - x_1}$ for F_p and $\frac{y_2 + y_1}{x_2 + x_1}$ for F_{2^m}.

¹ The curve equation changes to y² + xy = x³ + ax² + b for F_{2^m}.
² Requires all roots to be distinct, i.e., a and b satisfy 4a³ + 27b² ≠ 0 for a prime field or b ≠ 0 for a binary field.

Point Doubling. Given an elliptic curve point P_1 = (x_1, y_1), the point P_2 = (x_2, y_2) with P_2 = 2P_1 is defined as:

$$x_2 = \begin{cases} m^2 - 2x_1 & \text{for } F_p \\ m^2 + m + a & \text{for } F_{2^m} \end{cases}$$

$$y_2 = \begin{cases} m(x_1 - x_2) - y_1 & \text{for } F_p \\ m(x_1 + x_2) + x_2 + y_1 & \text{for } F_{2^m} \end{cases}$$

where m is the slope of the tangent line at point P_1. m is defined as $\frac{3x_1^2 + a}{2y_1}$ for F_p and $x_1 + \frac{y_1}{x_1}$ for F_{2^m}. These elliptic curve point operations constitute the fundamentals of point arithmetic, which will be further used in the ECC operations.

1.2.2 Elliptic curve cryptosystem (ECC)

ECC is an asymmetric key cryptography scheme, discovered by Koblitz [17] and Miller [18], based on the Elliptic Curve Discrete Logarithm Problem (ECDLP) of an elliptic curve over a finite field. The elliptic curve point operations described in 1.2.1 are used to calculate the main operation in ECC, the scalar multiplication. A scalar multiplication (SM) of point P is adding P to itself k times (written as kP). This operation is considered the most computationally expensive ECC operation, and the calculation time depends on the size of the scalar k.

Another important characteristic of ECC that results from projecting a curve over a finite group is the point's order. The order of point P is the smallest integer n that satisfies the equation nP = O. This also makes uP = vP ⟺ u ≡ v (mod n), where u, v ∈ Z. The size of n is considered to be the ECC's cryptographic strength.

The ECDLP is defined as follows. Given two elliptic curve points (Q, G), find an integer d such that Q = dG. There is no known sub-exponential algorithm to solve this problem. Currently, the fastest and most storage space efficient algorithm that can be used to attack the ECDLP is the combination of the Pohlig-Hellman algorithm and Pollard's Rho algorithm [19]. This attack has a fully exponential run time relative to the

curve order bit size. There are also several other attacks, e.g., the MOV attack, Weil Pairing and Tate-Lichtenbaum Pairing [16], that run faster, but they can only be used against some specific types of elliptic curves. These non-generic curve attacks can be easily avoided by choosing an appropriate curve during the curve selection process or by using standard elliptic curve parameters such as the NIST curves in [20].

Based on the ECDLP, ECC uses d as a private key and Q as a public key. All other elliptic curve parameters, such as a base point (G), the curve constant parameters (a, b), and the order of G (n), are universally known by all involved parties. Recently, ECC has gained popularity among WSN and embedded systems because the ECDLP is mathematically harder than RSA's prime factorization problem. Consequently, ECC needs a significantly smaller key than the RSA scheme, e.g., 160-bit ECC has similar cryptographic strength to 1024-bit RSA [21]. The smaller key size also translates into smaller storage requirements and faster cryptographic operations that greatly benefit the low-powered devices prominently present in the aforementioned systems.

1.2.3 Elliptic curve digital signature algorithm (ECDSA)

ECDSA is a standard digital signature scheme utilizing elliptic curves, originally proposed in response to NIST's request by Vanstone [22]. It is currently an elliptic curve digital signature standard in ANSI, IEEE, and NIST [23]. According to ECDSA, Alice can sign a message M with private key d for her public key Q, where Q = dG, with these steps:

1. Randomly select a per-message secret integer k from [1, n − 1].
2. Compute r = [kG]_x, where [kG]_x is the x-coordinate of point kG. If r = 0, go back to step 1.
3. Calculate e = hash(M).
4. Calculate
   $$s = k^{-1}(e + rd) \bmod n \qquad (1\text{-}1)$$
5. The signature of M is (r, s).

A receiver with Alice's public key Q and curve parameter G can verify the signature as follows:

1. Calculate e = hash(M).
2. Calculate w = s^{−1} mod n.
3. Calculate u_1 = ew mod n.
4. Calculate u_2 = rw mod n.
5. Find r′, the x-coordinate of the point u_1 G + u_2 Q.
6. The signature is verified if and only if r′ = r.

1.2.4 Elliptic curve Pintsov-Vanstone signatures (ECPVS)

The ECPVS scheme is a signature scheme that improves upon ECDSA in terms of signature size [21]. ECPVS's signature length is only half that of ECDSA's for short messages. ECPVS has been proposed for use in a digital postage mark due to the limited surface area of a mailing package [24]. To generate a signature for a message M with a private key d and a base point G, one must follow these steps:

1. Split message M into 2 parts, M_1 and M_2, where M_1 contains the confidential part of the message (for short messages, the whole message can be fit into M_1, thus |M_2| = 0).
2. Randomly select a per-message secret integer k from [1, n − 1], where n is the curve order.
3. Calculate R = kG and make sure R ≠ O.
4. Calculate e = E_R(M_1), where E_R is a symmetric encryption algorithm with a key based on R.
5. Calculate f = hash(e ‖ M_2).
6. Calculate
   $$s = (df + k) \bmod n \qquad (1\text{-}2)$$
7. The signature (s, e) is sent along with M_2.

To verify an ECPVS signature, a receiver with the corresponding public key Q and base point G (where Q = dG) must perform the following steps:

1. Calculate f = hash(e ‖ M_2).
2. Calculate
   $$U = sG - fQ \qquad (1\text{-}3)$$
3. Calculate M′_1 = E_U^{−1}(e) (decrypt e using U).
4. Check that M′_1 contains correct information.

Preimage attack on ECPVS. At first, ECPVS seems to reduce computational overhead by having a smaller scalar multiplication in Equation (1-3) in the signature verification phase. It seems like the size of f can be arbitrarily chosen. However, Brown and Johnson have proved that the security of ECPVS is reduced to the strength of the hash value f [25]. If the size of f is small enough, the attacker can exploit it by generating a valid signature for any forged message using the following steps.

1. An attacker can eavesdrop any valid ECPVS signature (s, e) and use it to generate a key R and a hash value f. With the sender's public key Q and the curve parameter G, the ECPVS main equation R = sG − fQ is obtained.
2. He then adds an arbitrary point aG, a ∈ Z, to Equation (1-3) to obtain
   $$R + aG = (s + a)G - fQ \qquad (1\text{-}4)$$
3. Using a new random point R′ = R + aG and an arbitrary message M′, he calculates a new encrypted message e′ = E_{R′}(M′_1) and its hash value f′ = hash(e′ ‖ M′_2).
4. At this stage, the only unknown variable that prevents the attacker from generating a complete signature is the new residue value s′ in the equation
   $$R' = s'G - f'Q \qquad (1\text{-}5)$$
5. To solve for the unknown value s′, he combines Equation (1-4) and Equation (1-5) as follows:
   $$\begin{aligned} s'G - f'Q &= (s + a)G - fQ \\ s'G &= (s + a)G - (f - f')Q \\ s' &= (s + a) - (f - f')d \end{aligned} \qquad (1\text{-}6)$$

PAGE 23

6. The attacker can avoid solving the infeasible ECDLP (finding $d$ directly from $Q$) in Equation 1 by finding a point $aG$ that causes a hash collision ($f = \tilde{f}$). If the collision is found, a new valid ECPVS signature for $M'$ is $(\tilde{s}, \tilde{e})$, where $\tilde{s} = s + a$. With this process, the strength of the ECPVS signature is reduced to the strength of the hash value ($|f|$, the bit length of $f$). To maintain the same security level for the whole signature scheme, $f$ needs to have at least the same cryptographic strength as the key size $n$ (the current recommended value from [26] is 224 bits for any elliptic curve cryptographic scheme). Since a preimage attack on the hash $f$ takes a full $|f|$-bit search space, the cryptographic strength of $f$ is $|f|$ bits. Because the cryptographic strength of ECC is also half the signature's bit length, the hash value can be half of the signature size, i.e. $|f| = 0.5\,|n|$, thus providing some receiving-side computational overhead advantage over ECDSA.

1.3 Summary

The broadcast authentication process in WSNs poses several challenges. Given sensor node hardware that is exposed to capture, limited battery power and underpowered processing capability, finding a broadcast process that can achieve both speed and security while introducing minimal overhead is a difficult task. Aiming to achieve these objectives, we provide two new protocols to pre-authenticate the signature and two new digital signature schemes that support fine-grained control over the computation needed at the receivers. To keep broadcasting simple, our protocols are designed to operate without any of the following:

- Specialized nodes that act as trusted authorities
- Synchronization between nodes and the access point
- Periodic broadcast from the access point
- Establishment of secret keys among neighboring nodes
- Tamperproof hardware

- Requirement that sensor nodes contact the access point³

The contribution of this proposed work will allow WSNs to perform ECC-based broadcast authentication with less delay and minimal communication overhead among sensor nodes. The rest of the dissertation is organized as follows. Chapter 2 provides more detail on using a Bloom filter to pre-authenticate the broadcast message. Chapter 3 proposes a new elliptic curve digital signature scheme with multiple public keys to accommodate adjustable verification time. Then, Chapter 4 describes a modification to improve the protocol in Chapter 3. Finally, Chapter 5 provides our conclusion and potential future research topics.

³ Sensor nodes can communicate back to the access point, but not for broadcast authentication purposes.

Figure 1-1. Forwarding-first and authentication-first broadcast timing diagram.

CHAPTER 2
SPEEDING UP BROADCAST AUTHENTICATION IN WIRELESS SENSOR NETWORKS USING BLOOM FILTER

In this chapter, we propose two new broadcast authentication schemes that use a digital signature as the main authentication mechanism together with a Bloom filter to screen out bogus broadcast messages. Our schemes make use of a WSN's large number of nodes to limit the amount of information that adversaries can gain when capturing them. This technique relies on diffusing a WSN's secrets into the sensor nodes, with each node possessing only a portion of the keys required to create an authentic broadcast message. Both schemes use a probabilistic approach, so they do not require synchronization, local key pairs, or periodic key redistribution. The first proposed scheme, the key pool scheme, separates all sensor nodes into different groups, and each group possesses a partition of the network's global key pool. An authentic broadcast message contains a subset of the global key pool, which can be quickly verified by each intermediate node before the message is forwarded. The second proposed scheme, the key chain scheme, relies on hash chains that are stored on each node to pre-verify each packet. Our design aims to create broadcast processes that can achieve both speed and security while introducing minimal overhead. To keep broadcasting simple, our protocols are designed to operate without any of the following:

- Specialized nodes that act as trusted authorities
- Synchronization between nodes and the access point
- Periodic flooding of the network
- Local secret key pairs among neighboring nodes
- Tamperproof hardware
- Requirement that sensor nodes contact the access point for broadcast authentication purposes

The contribution of these proposed schemes will allow WSNs to perform PKC-based broadcast authentication with less delay and minimal communication overhead among sensor nodes. The rest of this chapter is organized as follows. First, Section 2.1 reviews related work on WSN broadcast authentication. Then, Section 2.2 presents our assumptions about the system and the threat model. Section 2.3 explains the basic concept of Bloom filters. Next, Sections 2.4 and 2.5 explain both proposed protocols in detail together with their theoretical performance in filtering bogus packets. Section 2.4 also includes an improvement to the key pool scheme. Simulation results and discussion are included in Section 2.6. In Section 2.7, we propose two generic improvements that can be applied to our protocols and discuss their effects. Finally, Section 2.8 concludes this chapter.

2.1 Related Work

Many researchers have worked on mitigating and preventing denial of service attacks in sensor network environments. Wood et al. provided a taxonomy of WSN denial of service attacks in [27]. Luk et al. pointed out key properties of designing DoS countermeasures in [28]. TESLA [6] utilizes a one-way hash chain and a delayed disclosure time to guarantee a key's secrecy within the undisclosed period. Basically, the access point reveals the key to authenticate the current message after some waiting period, to allow the message to completely propagate through the network. By carefully measuring the RTT between sender and receiver, it can guarantee that each broadcast message cannot be forged in transit, because the message has been transmitted and encrypted with an unrevealed key. TESLA implements the delayed disclosure mechanism by creating time slots of equal interval and assigning a secret key to each slot. Every message broadcast in a particular slot is encrypted using the corresponding slot key, which is revealed in a future time slot. When a node receives a message with an embedded slot key, it verifies

the key's correctness using the one-way key chain and later uses the key to authenticate the buffered message. At the same time, the message from the current slot needs to be buffered locally until its key has been disclosed. The main shortcoming of TESLA, authentication delay, has been addressed in the subsequent TESLA extension [7] by allowing immediate authentication; however, it requires the sending rate to remain constant. Wang et al. first proposed a dynamic window scheme [1] using additive increase multiplicative decrease (AIMD) to regulate the window size, which, in turn, allows a node to switch adaptively between authentication-first and forwarding-first behavior. In this approach, each sensor node maintains an authentication window size, which is initially set to the maximum value. The window size is a threshold value that determines whether to use the authentication-first or the forwarding-first approach for each message. Each broadcast message also contains a field, called distance, which is increased every time the message is forwarded without authenticating. When a sensor node receives a broadcast message, it compares the distance against its window size. If the distance is larger than the window size, it increases the message's distance and forwards it. Otherwise, it authenticates the message first before forwarding. A successful authentication increases the window size while a failure decreases it. The window size adjustment uses the AIMD technique, so it decreases aggressively but increases slowly, pushing each node toward an authentication-first mode faster than it recovers from it. The AIMD scheme allows attack packets to propagate during the transitional period. Moreover, a good strategic placement of multiple malicious nodes can force an entire WSN into an authentication-first mode. This shortcoming was addressed by Dong et al. using a pre-authentication filter [12]. This scheme relies on establishing a group key with a node's neighbors and filtering out misbehaving nodes. However, it only focuses on preventing unnecessary signature verifications and does not address the message propagation delay issue. Additionally, the proposed protocol still allows malicious nodes to successfully broadcast fake messages at a certain rate.

Ning et al. provided weak authentication to pre-filter bogus messages using a one-way key chain in [29], which can be used in tandem with any existing digital signature-based broadcast authentication protocol. Before sending out the $i$th message, the sender has to find a solution $P_i$ such that the first $l$ bits of $H(i \,\|\, M_i \,\|\, DS_i \,\|\, K_i \,\|\, P_i)$ match a specific pattern. The receiver authenticates the message by verifying that key $K_i$ is an authentic key on the key chain and then computes a hash to confirm that the first $l$ bits of the result match the agreed pattern. Like TESLA, which also uses a one-way key chain, this approach requires synchronization and periodic broadcasting between the sender and the sensor nodes when it is used with signature-based authentication. Ren et al. [13] implemented multi-user authentication for WSNs by using a Bloom filter to store multiple user IDs and public keys. In the system preparation phase, all sensor nodes are loaded with a Bloom filter filled with the public key of every user. The Bloom filter is later used to verify the authenticity of the public key presented in the broadcast message. Because all the information required to construct an authentic-looking Bloom filter is publicly available to all nodes, the Bloom filter itself can be easily forged and thus cannot be used to prevent broadcast denial of service attacks. Fundamentally, our key pool-based technique is similar to what Statistical En-route Filtering (SEF) [30] uses to prevent a bogus message from a malicious node from reaching the access point. When an event occurs, multiple sensor nodes prepare a report and compute a MAC with their local keys, chosen from a global key pool. A sensor node from the group is elected to prepare the final report, which is the aggregation of all surrounding sensor nodes' reports and MACs. While the final report is traveling toward the access point, each node that forwards it verifies a MAC in the report if it possesses one of the corresponding keys. Unlike the problem we are solving, the extent of damage in terms of resource exhaustion for this type of attack is more confined compared to the network-wide attack in broadcast authentication.

Our proposed protocols can prevent broadcast authentication DoS without relying on either node synchronization or periodic broadcasting, while most existing PKC-based protocols rely on those features, as shown in Table 2-1. Moreover, they can resist node capturing until a considerably large fraction of the nodes in the network is compromised. At the same time, the protocol overhead is low enough to be practical, while the propagation delay is close to that of the forwarding-first scheme.

2.2 System and Threat Model

In this work, we assume sensor nodes to be low-cost devices without tamper-resistant hardware. A node is capable of performing basic cryptographic operations (e.g., hash, MAC) and also public key operations (e.g., signature verification), although with considerably more delay compared to the former. A regular broadcast protocol is used for network-wide message flooding. The protocol's packet size is assumed to be able to accommodate both the digital signature and the Bloom Filter Vector (BFV). Our WSN's access point works as the network's data sink and cannot be compromised. It also has enough CPU power to generate digital signatures and BFVs with reasonable delay. Sensor nodes passively gather data most of the time, until they receive a broadcast message from the access point that they must verify. Our goals are 1) to minimize broadcast delay and 2) to prevent successful broadcast authentication DoS with acceptable communication and computing overhead. Attackers, typically possessing significantly more computing power than sensor nodes, are capable of performing both symmetric key and public key operations with ease. We also assume that the PKC mechanisms, such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and the hash function, are secure enough to hinder any attacker's attempt to circumvent them. However, an attacker can capture sensor nodes and learn all the secret information inside them, thus allowing him to create an authentic-looking BFV for the learned key set. The attacker's objective is to fool sensor nodes into forwarding

forged access point broadcast messages throughout the network, wasting these sensor nodes' battery power.

2.3 Bloom Filter

The Bloom filter is a well-known and popular method for set membership verification. With this technique, a bit vector (called the BFV in this article) is constructed to represent an entire set and can later be used to test whether a given element belongs to that set or not. To construct a bit vector for a given set, we first initialize an $r$-bit array to zero, then pass every member of the set into $q$ distinct hash functions. By using hash functions that are uniformly distributed over the range $0$ to $r-1$, each hash value is mapped to a single bit in the array. After setting the bit positions corresponding to all hash values produced in the previous step to one, the bit vector is ready for membership queries. To verify set membership of an element, we pass the element through the same set of hash functions used in the construction process. If all the corresponding bit positions in the bit vector are ones, the element is possibly a member (with some false positive rate). Otherwise, it is definitely not a member of the set. We choose a Bloom filter due to its space and computational efficiency, with a trade-off in false positive rate. In our schemes, we need to transmit a data structure that can represent a set of secret keys from the sender without including the actual keys. Additionally, a receiver must be able to verify quickly whether its locally stored keys are part of the key set or not. The Bloom filter not only possesses all the relevant features but also saves space, which is crucial to power-constrained sensor nodes, compared to other structures such as trees or hash tables. We handle the Bloom filter's main drawback, the false positive rate, by including the attacker's exploitation of this weakness in our analysis (Sections 2.4.2 and 2.5.2) and by suggesting a parameter configuration in Section 2.6.1 to counter it.

2.4 Key Pool Scheme

In the key pool scheme, the access point possesses all the secret keys, while each sensor node only knows a subset of them. This key partitioning helps limit the amount of secrets the adversaries can learn from node capturing. This scheme assumes that a global key pool of size $N$ is known to the access point, while each sensor node has memory large enough to store $k$ keys locally. Our key pool scheme comprises three phases: pre-deployment, signature generation, and message verification and forwarding. In the first phase, each sensor node is loaded with local keys prior to deployment. The second phase describes how the broadcast message and the signature are generated. The last phase deals with each node's verification and forwarding decision when a broadcast message arrives.

2.4.1 Protocol description

Pre-deployment phase

1. A global key pool $K$ of size $N$ with keys $\{K_l \mid 1 \le l \le N\}$ must be generated and partitioned into $n$ non-overlapping equal-sized sets $S_1, S_2, \ldots, S_n$, thus each set has $m = N/n$ keys. For example, we can partition $K$ into $S_i = \{K_j \mid (i-1)m <$ … $m - k$; 1 otherwise, where $h$ is the number of keys to be selected from each key set for BFV generation (explained in more detail in step 2 of the signature generation phase).
5. Lastly, the access point is loaded with all the keys in the key pool.

Signature generation phase

1. After deployment, when the access point wants to broadcast a message to all nodes, it constructs a packet from a message body $M$, a timestamp $tt$ and a digital signature
$$DS = E_{prv}(H(M \,\|\, tt)) \quad (2)$$
where $E_{prv}$ denotes signing with the access point's private key and $\|$ denotes concatenation.
2. The access point creates a BFV from $DS$, which will be used by the sensor nodes to pre-verify the signature. To create a BFV, the access point randomly picks $h$ keys, where $h \le m$, from each key set and computes an $r$-bit BFV using the algorithm in Figure 2.8, which has been adapted from [30] (the diagram is shown in Figure 2-2). Because each key only turns on a single bit in the BFV per hash function, this algorithm ensures that the maximum number of 1-bits in the vector will not exceed $hnq$.
3. Finally, the message is broadcast as $\{M, tt, DS, I, BFV\}$, where $I = \{l \mid \forall K_l \in C\}$ and $C = \bigcup_{i=1}^{n} R_i$. $I$ is the set of all key indices that have been included in the BFV.

Message verification and forwarding phase

1. We define a per-message key intersection set $X$ as the intersection between the node's local keys and all the keys that have been included in the message's BFV. A sensor node can derive $X$ from $I$ in the broadcast message.
2. When a sensor node receives a broadcast message, it first confirms that the timestamp is fresh (i.e., it has not been seen previously) and that the message has at most $hnq$ bits set in the BFV. This prevents the attacker from deliberately marking all bits in the BFV to circumvent our scheme.
3. If the BFV is plausible, the sensor node finds the message's $X$ and compares $|X|$ with the threshold. If $|X|$ is below the threshold, the sensor node will forward the message only when the $DS$ verification is successful. Consequently, a sensor node operates in the authentication-first mode whenever it does not share enough keys with the message.
4. On the other hand, if the threshold is achieved ($|X|$ at or above it), the node computes a BFV of $DS$ with all the keys in $X$ and then checks whether each bit in its BFV has a corresponding 1 in the BFV from the message. It only forwards the message when the BFV verification is successful.

5. The sensor node performs digital signature verification before accepting the message.

2.4.2 Protocol analysis

2.4.2.1 Security consideration

One of the main objectives of this protocol is to make WSNs more resistant to node capturing, thus we analyze the effectiveness of our protocol in the situation where an attacker has learned some of the keys from node capturing. We assume that $a$ out of $n$ key sets have been compromised. When the attacker forges a new message, he can correctly mark $haq$ bits and randomly mark $h(n-a)q$ bits to fully exploit the $hnq$-bit limit of the BFV. Since the location of the 1 marked by a key in the $r$-bit BFV is uniformly distributed, the probability that the attacker correctly marks the BFV for any unlearned key is $P_k = \left(\frac{hnq}{r}\right)^q$ if $hnq$

on any node in the network is
$$P_b = \frac{a}{n}\left[\sum_{i=}^{\min\{h,k\}} \frac{\binom{h}{i}\binom{m-h}{k-i}}{\binom{m}{k}}\right] + \frac{n-a}{n}\,P_a = \frac{a}{n}\left[\sum_{i=}^{\min\{h,k\}} \frac{\binom{h}{i}\binom{m-h}{k-i}\left(1 - (P_k)^i\right)}{\binom{m}{k}}\right] + P_a \quad (2)$$
Equation 2 shows that $P_b$ grows linearly with the proportion of compromised keys ($a/n$), with y-intercept at $P_a$, which is later confirmed in Figure 2-5A in Section 2.6.2. We now have the average number of nodes forwarding the forged message equal to $P_b N_t$, where $N_t$ is the total number of nodes in the network. If we consider a broadcast path as a tree with the access point as the root, the estimated number can be further reduced, because we have not yet considered the case where a whole branch is cut off by a node that successfully detects and drops a forged packet. We explore this scenario further in Section 2.7.2, when we consider applying broadcast trees to our protocols.

2.4.2.2 Protocol overheads

The key pool scheme adds both computational overhead from hash operations and communication overhead from sending additional bits in the broadcast message. Let the length of the original broadcast message, which includes the message body, timestamp and digital signature, be given, and let every key index be $ind = \lceil \log_2 N \rceil$ bits long; then the length of our broadcast message will be
$$b = (\text{original length}) + hn \cdot ind + r \quad (2)$$
In some particular cases, it is better to use a bitmap to represent the key indices than to include them one by one in the broadcast message. To be specific, the bitmap

method has less overhead when the number of keys in the global key pool is smaller than the bit length of $hn$ key indices, i.e., $\lceil \log_2 N \rceil > \frac{m}{h}$, as shown below: $N$ … $\frac{m}{h}$

Next, the computational overhead for each sensor node depends on how many keys a broadcast message and a node share, i.e., $|X|$. Given any sensor node with $k$ local keys and a message that incorporates $h$ keys from each set into its BFV, the probability that a sensor node and a broadcast message share exactly $x$ keys ($P(|X| = x)$) is:
$$P(|X| = x) = \frac{\binom{h}{x}\binom{m-h}{k-x}}{\binom{m}{k}}$$
If $M = \min\{k, h\}$, then the expected number of keys each sensor node has to verify will be:
$$E_k = \sum_{i=}^{M} i \, P(|X| = i)$$
Hence, each sensor node is expected to perform on average $qE_k$ and at most $qM$ hash operations per message. On the other hand, the access point is expected to perform one signature generation and $hnq$ hash operations for the BFV.

2.4.3 Reducing communication overhead

The main drawback of the key pool scheme is its communication overhead, due to the potentially large size of its broadcast packet. This is caused by the need to include all key indices in the broadcast packet so that sensor nodes can verify the BFV, as described in Section 2.4.1. Thus, to reduce the overhead by excluding the indices from the packet, the sensor nodes have to derive those indices from a verifiable random element sent by the access point.
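The Bloom filter of Section 2.3 and the key pool protocol of Section 2.4.1 (BFV generation at the access point, the $hnq$-bit plausibility check, the per-message intersection $X$ and the threshold decision at a node), as an added example that is not the dissertation's code. It uses the page's simulation parameters $h = 2$, $n = 10$, $q = 1$, $m = 40$, $k = 10$ with $r = 64$. Assumptions not fixed on the page: the threshold is taken as 2, a node in group $g$ holds $k$ keys of $S_g$, the $q$ Bloom hash functions are SHA-256 with a one-byte tag, and $DS$ is passed in as opaque bytes so no signing key is needed. The node returns a decision rather than verifying $DS$ itself; the caller performs step 5.

```python
"""Added example, not the dissertation's code: key pool scheme pre-authentication."""
import hashlib
import math
import random

def bfv_bits(key: bytes, ds: bytes, q: int, r: int):
    """Positions H_1(key||DS) .. H_q(key||DS) mod r (assumed: SHA-256 with a tag)."""
    return [int.from_bytes(hashlib.sha256(bytes([j]) + key + ds).digest(), "big") % r
            for j in range(q)]

def popcount(bfv: int) -> int:
    return bin(bfv).count("1")

class AccessPoint:
    """Holds the whole pool K, partitioned into n sets S_i of m = N/n keys each."""
    def __init__(self, pool, n, h, q, r, rng):
        self.pool, self.n, self.h, self.q, self.r, self.rng = pool, n, h, q, r, rng
        self.m = len(pool) // n

    def make_bfv(self, ds: bytes):
        """Signature generation steps 2-3: R_i = h random keys of S_i, mark the BFV."""
        chosen = []
        for i in range(self.n):
            chosen += self.rng.sample(range(i * self.m, (i + 1) * self.m), self.h)
        bfv = 0
        for l in chosen:
            for b in bfv_bits(self.pool[l], ds, self.q, self.r):
                bfv |= 1 << b
        return sorted(chosen), bfv          # I (key indices) and the r-bit BFV

class SensorNode:
    """A node of one group holding k keys of that group's set (assumption)."""
    def __init__(self, local, tau, h, n, q, r):
        self.local = local                  # {index l: K_l}
        self.tau, self.limit, self.q, self.r = tau, h * n * q, q, r
        self.seen = set()

    def decide(self, tt, ds, idx, bfv):
        """Verification/forwarding phase: FORWARD, DROP or VERIFY_DS.
        The caller still verifies DS before accepting a forwarded message (step 5)."""
        if tt in self.seen or popcount(bfv) > self.limit:   # step 2: fresh, <= hnq bits
            return "DROP"
        self.seen.add(tt)
        X = set(idx) & set(self.local)                       # step 1: shared keys
        if len(X) < self.tau:                                # step 3: authentication-first
            return "VERIFY_DS"
        for l in X:                                          # step 4: every local bit set?
            if any(not (bfv >> b) & 1 for b in bfv_bits(self.local[l], ds, self.q, self.r)):
                return "DROP"
        return "FORWARD"

def p_shared(x, h, k, m):
    """P(|X| = x) of Section 2.4.2.2 for a node holding k keys of one m-key set."""
    return math.comb(h, x) * math.comb(m - h, k - x) / math.comb(m, k)

def expected_hashes(h, k, m, q, tau):
    """q * E_k: mean BFV hash operations per message, summing from the threshold."""
    return q * sum(i * p_shared(i, h, k, m) for i in range(tau, min(h, k) + 1))

def demo(seed=1):
    """Constructed run: h=2, n=10, q=1, m=40, k=10, r=64, assumed threshold tau=2."""
    rng = random.Random(seed)
    h, n, q, r, k, tau, m = 2, 10, 1, 64, 10, 2, 40
    pool = [hashlib.sha256(b"demo-key-%d" % l).digest() for l in range(n * m)]
    ap = AccessPoint(pool, n, h, q, r, rng)
    ds = b"opaque-signature-bytes"          # stands in for DS = E_prv(H(M || tt))
    idx, bfv = ap.make_bfv(ds)
    in_s0 = [l for l in idx if l < m]                       # the h keys of S_0 in I
    out_s0 = [l for l in range(m) if l not in idx]          # the rest of S_0
    good = SensorNode({l: pool[l] for l in in_s0 + out_s0[:k - h]}, tau, h, n, q, r)
    weak = SensorNode({l: pool[l] for l in out_s0[:k]}, tau, h, n, q, r)
    return {
        "genuine": good.decide(1, ds, idx, bfv),                # FORWARD
        "too_few_shared": weak.decide(1, ds, idx, bfv),         # VERIFY_DS
        "bits_cleared": good.decide(2, ds, idx, 0),             # DROP
        "over_limit": good.decide(3, ds, idx, (1 << r) - 1),    # DROP: 64 bits > hnq = 20
        "replayed": good.decide(1, ds, idx, bfv),               # DROP: timestamp seen
    }
```

The `over_limit` case is why step 2 matters: without the $hnq$ cap, an all-ones BFV would pass every node's bit check regardless of which keys the attacker holds.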

Instead of randomly selecting multiple indices for each broadcast packet, the access point can generate the indices by hashing a single random number with multiple hash functions, or repeatedly with the same hash function. If the hash functions are known to all the sensor nodes, the access point only needs to include that number in the broadcast packet and let the sensor nodes determine the indices from it. Another concern is how to protect the random number from being forged, which means the number must be verifiable by the sensor nodes. This problem can be solved by using a one-way hash chain to protect the secrecy of the random number, which prevents the attacker from deceiving a sensor node into verifying a forged packet with an arbitrary number. To implement this improvement, the access point first picks a random number $n_0$ and calculates the hash value at position $i$ on the chain using a network-wide hash function $H()$ as $n_i = H(n_{i-1})$. The length of the hash chain ($l$) is determined by the number of broadcast packets expected to be transmitted throughout the WSN's lifetime. The sensor nodes are then loaded with the last number on the chain ($n_l$), which serves as the starting value, before they are deployed into the field. For each broadcast packet transmitted by the access point, a hash value from the chain is used to randomly pick keys from the key pool. If the last broadcast packet used the hash value at position $c$, the access point must use the value one position up the chain ($n_{c-1}$) for the next broadcast packet. Let $H_i()$ and $I_i$ be a hash function and the set of selected indices of key set $i$, respectively. Using one more network-wide hash function $H()$, the algorithm to randomly pick $k$ keys from each key set for a given $n_{c-1}$ is shown in Figure 2.8. After obtaining all the key index sets $I_1, I_2, \ldots, I_n$, the access point can generate the broadcast packet's BFV with the same algorithm described in Section 2.4.1. However, instead of randomly picking $h$ keys for each set, the access point uses the index set $I_i$ to identify which keys are used for the set $S_i$. Once the BFV is generated, the broadcast packet is $\{M, tt, DS, n_{c-1}, BFV\}$.
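The index-derivation improvement of Section 2.4.3, as an added example that is not the dissertation's code: the access point walks its chain from $n_l$ toward $n_0$, one value per packet, and a node accepts $n_{c-1}$ only when $H(n_{c-1})$ equals the $n_c$ it already holds. The key-selection algorithm of Figure 2.8 is not on the page, so `select_indices` is an assumed construction (indices of set $i$ drawn from a hash of the chain value, set number and a counter, without replacement), and the chain length and set sizes are constructed for the run.

```python
"""Added example, not the dissertation's code: hash-chain-verified key index selection."""
import hashlib

def H(x: bytes) -> bytes:
    """Network-wide one-way function for both chain steps and index derivation."""
    return hashlib.sha256(x).digest()

def build_chain(n0: bytes, length: int):
    """n_i = H(n_{i-1}) for i = 1..l; the access point keeps all of it, the nodes
    are loaded only with n_l before deployment."""
    chain = [n0]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain

def select_indices(value: bytes, set_id: int, m: int, h: int):
    """I_i: h distinct indices of S_i derived from the chain value (assumed
    construction standing in for the algorithm of Figure 2.8)."""
    picked, ctr = [], 0
    while len(picked) < h:
        digest = H(b"select" + value + set_id.to_bytes(2, "big") + ctr.to_bytes(2, "big"))
        idx = set_id * m + int.from_bytes(digest, "big") % m
        if idx not in picked:
            picked.append(idx)
        ctr += 1
    return sorted(picked)

class AccessPoint:
    def __init__(self, chain, n, m, h):
        self.chain, self.n, self.m, self.h = chain, n, m, h
        self.c = len(chain) - 1          # position of the value the nodes hold (n_l)

    def next_value(self) -> bytes:
        """Each packet consumes one position up the chain: n_c -> n_{c-1}."""
        self.c -= 1
        return self.chain[self.c]

    def index_sets(self, value: bytes):
        return [select_indices(value, i, self.m, self.h) for i in range(self.n)]

class SensorNode:
    def __init__(self, n_l: bytes, n, m, h):
        self.current, self.n, self.m, self.h = n_l, n, m, h

    def accept_value(self, value: bytes):
        """Accept n_{c-1} only if H(n_{c-1}) equals the stored n_c, then derive every I_i."""
        if H(value) != self.current:
            return None
        self.current = value
        return [select_indices(value, i, self.m, self.h) for i in range(self.n)]

def demo():
    """Constructed chain of length l=5, n=3 sets of m=8 keys, h=2 indices per set."""
    chain = build_chain(b"constructed-seed", 5)
    ap, node = AccessPoint(chain, 3, 8, 2), SensorNode(chain[-1], 3, 8, 2)
    v1 = ap.next_value()                                  # n_4
    agree = ap.index_sets(v1) == node.accept_value(v1)    # both sides derive the same I
    bogus = node.accept_value(b"\x00" * 32)               # arbitrary value: rejected
    v2 = ap.next_value()                                  # n_3
    fresh = node.accept_value(v2) is not None
    replay = node.accept_value(v1) is None                # n_4 no longer chains to n_3
    return agree, bogus, fresh, replay
```

Because the node only ever stores the most recent accepted value, a replayed or guessed number fails the single hash comparison before any index derivation or BFV work is done, which is the cheap rejection the section is after.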

When a sensor node receives a broadcast packet, it first verifies the legitimacy of $n_{c-1}$ by confirming that $n_c = H(n_{c-1})$, where $n_c$ is the current hash value in the chain. If the hash value is verified, $n_{c-1}$ can be used to calculate the index sets $I_i$. A sensor node with key set $g$ can now use the algorithm in Figure 2.8 to find $I_g$. The sensor node then follows the same BFV verification procedure of Section 2.4.1 with $I = \bigcup_{i=1}^{n} I_i$ as the index set. The advantage of this approach is that the packet size becomes independent of the parameters $h$, $n$ and $N$, thus allowing us to increase the key pool size without increasing the communication overhead. Let the random number $n_i$ have a fixed bit length; then the message length of the key pool scheme with this improvement will be
$$b = (\text{original length}) + (\text{length of } n_i) + r$$
Consequently, this technique improves forged packet detection and reduces packet size at the expense of more computational overhead at the sensor nodes.

2.5 Key Chain Scheme

The key chain scheme aims to eliminate the communication overhead of the key pool scheme by using multiple one-way hash chains. The randomness of each hash value on the chain prevents key prediction and, at the same time, eliminates the need to include key indices in the broadcast messages. In this scheme, a global key pool of size $N$ is used to store $N$ independent key chains without any partitioning. Given a network-wide hash function $H()$ and a starting key $K_0$, we can find the key at position $i$ in the chain ($K_i$) as $K_i = H(K_{i-1})$. Normally, the one-way hash chain must be generated in advance and the last key (the key with the highest position) is the first key to be used for authentication. Typically, the key chain is consumed backwards until reaching $K_0$, before a new chain is generated and redistributed. Our scheme, on the other hand, uses the one-way key chain in the forward manner, where every node starts from key index zero and

progresses toward higher key indices. With this approach, our protocol does not require key redistribution and does not need to include any key index in the broadcast message. However, once a key is compromised, the whole key chain is also compromised. The key chain scheme, which consists of three phases similar to those of the key pool scheme, is described next.

2.5.1 Protocol description

Pre-deployment phase

1. First, a global key pool, which contains the $N$ starting keys (denoted by 0 in the subscript) $K_{1,0}, K_{2,0}, \ldots, K_{N,0}$ of $N$ independent key chains, must be generated (shown in Figure 2-6).
2. Each sensor node randomly picks $k$ starting keys, $1 \le k \le N$, and stores them in the node's memory. Similar to the key pool scheme, every node must be loaded with the access point's public key, a network-wide hash function $H()$ and the Bloom filter parameters, including $q$ independent hash functions $\{H_1, H_2, \ldots, H_q\}$.

Signature generation phase

1. The access point generates $DS$ from a message body $M$, a timestamp $tt$ and $E_{prv}$ using Equation 2.
2. Every key chain in the global key pool must be advanced from $K_{i,j}$ to $K_{i,j+1}$, $\forall i \in [1, N]$.
3. The access point then inserts all the new keys into the BFV using the algorithm shown in Figure 2.8, which guarantees that the number of bits set in the BFV will not exceed $Nq$.
4. The final message to be broadcast is $\{M, tt, DS, c, BFV\}$, where $c$ is the current key index in the chain.

Message verification and forwarding phase

1. Similar to the key pool scheme, when a sensor node receives a new message, it makes sure the timestamp is fresh and then checks the BFV's plausibility by confirming that the number of 1s does not exceed $Nq$.

2. If the BFV passes the test and the key index $c$ is newer than the last seen index $c'$, the sensor node advances all of its $k$ local key chains to that index.
3. If all the corresponding bits in the BFV for the new local keys are verified, the sensor node forwards the message further. If the verification fails, the packet is dropped.
4. Lastly, each sensor node must verify the digital signature before accepting the packet. If the verification fails at this stage, the sensor node must revert $c$ back to $c'$ and all local keys back to their previous values.

2.5.2 Protocol analysis

2.5.2.1 Security considerations

The main security concerns for this scheme are how well it can resist node capture and how easily the attacker can circumvent our Bloom filter checking. We will also explore what happens if the attacker manipulates the value of $c$ in the broadcast message. We assume that the attacker always sets the maximum $Nq$ bits in the BFV to maximize his chance of deceiving the key checking mechanism. For a uniformly distributed BFV, the attacker can correctly mark the $r$-bit BFV for an unknown key with probability $P_k = \left(\frac{Nq}{r}\right)^q$ if $Nq$

chain scheme even when the attacker's wireless signal is strong enough to cover the entire WSN deployment area, which can be problematic in some schemes such as [1]. Another issue that needs to be discussed is how the attacker can manipulate the key index $c$ to his advantage. If the attacker modifies $c$ into $\hat{c}$ and chooses a smaller value than the original one, i.e., $\hat{c}$

The optimal $c$ for a given $\omega$ is $\lceil \log_2 \omega \rceil + 1$. These equations display one of the benefits of the key chain scheme, i.e., the message length remains constant, while the key pool scheme's message grows proportionally to $hn \cdot ind$. Since the access point includes all keys in the BFV calculation, each sensor node has to perform exactly $k((c - c') + q)$ hash operations per broadcast message. On the other hand, the access point itself needs to perform $N$ hash operations for key chain advancement, $Nq$ hash operations for BFV generation and one $DS$ signing.

2.6 Simulation and Results

We simulate our protocols in NS-2 version 2.33 with the ManaSim WSN module extension [32]. We randomly deploy 3,000 stationary nodes inside a simulated area of size 200 m by 200 m with a single access point located at the center. Each sensor node has a transmission range of 7.7459 m and the hardware specification of a MICA2 mote [33]. Both protocol schemes are implemented using a 64-bit BFV, 1.6 s verification time for a 20-byte digital signature [2] and 0.6 ms delay per hash operation per byte of data [34]. Unless stated otherwise, we run our simulation 30 times for each data point on the graph.

2.6.1 Parameter selection

2.6.1.1 Key pool scheme

Several parameters of the key pool scheme need to be adjusted to create optimal operating conditions for the sensor network. First, the choices of $r$ and $N$ are determined by the network's maximum packet size. Because the typical WSN packet size is less than 100 bytes, the appropriate value of $r$ is between 32 and 64 bits. The total number of keys ($N$) and the number of key sets ($n$) affect the size of the key index set $I$, thus they are limited by the maximum packet size as well. Larger $n$ and $N$ values hinder attackers from learning the complete key set through node capturing, but they also increase the communication overhead. The number of keys in each set ($m$) is then calculated from $N/n$.
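The key chain scheme of Section 2.5 (chains advanced forward by the access point, the $Nq$-bit plausibility limit, a node catching up its $k$ local chains to the packet's index, and the rollback to $c'$ when the signature check of step 4 fails), as an added example that is not the dissertation's code. It uses the page's key chain parameters $N = 30$, $q = 1$, $k = 3$ with $r = 64$. Assumptions: the $q$ Bloom hash functions are SHA-256 with a one-byte tag, the $DS$ verification result is supplied by the caller as a boolean, and a node also reverts its chains when the BFV check itself fails, which the page does not spell out.

```python
"""Added example, not the dissertation's code: the key chain scheme."""
import hashlib

def H(x: bytes) -> bytes:
    """Network-wide one-way function used for every chain step."""
    return hashlib.sha256(x).digest()

def advance(key: bytes, steps: int) -> bytes:
    """K_{i,j+steps} from K_{i,j}; chains are walked forward, never redistributed."""
    for _ in range(steps):
        key = H(key)
    return key

def bfv_bits(key: bytes, ds: bytes, q: int, r: int):
    """H_1..H_q(key || DS) mod r, assumed to be SHA-256 with a one-byte tag."""
    return [int.from_bytes(hashlib.sha256(bytes([j]) + key + ds).digest(), "big") % r
            for j in range(q)]

class AccessPoint:
    """Holds all N chains at their current index c."""
    def __init__(self, start_keys, q, r):
        self.keys, self.c, self.q, self.r = list(start_keys), 0, q, r

    def broadcast(self, ds: bytes):
        """Signature generation steps 2-4: advance every chain by one, mark the BFV
        with all N new keys (at most Nq bits), emit (DS, c, BFV)."""
        self.keys = [H(k) for k in self.keys]
        self.c += 1
        bfv = 0
        for key in self.keys:
            for b in bfv_bits(key, ds, self.q, self.r):
                bfv |= 1 << b
        return ds, self.c, bfv

class SensorNode:
    """Holds k of the N chains, all starting at index 0."""
    def __init__(self, local_start_keys, N, q, r):
        self.keys, self.c = list(local_start_keys), 0
        self.limit, self.q, self.r = N * q, q, r
        self.seen, self.rollback = set(), None

    def receive(self, tt, ds, c, bfv):
        """Verification steps 1-3: freshness, Nq-bit limit, newer index, local bits."""
        if tt in self.seen or bin(bfv).count("1") > self.limit:
            return "DROP"
        self.seen.add(tt)
        if c <= self.c:                      # not newer than the last seen index c'
            return "DROP"
        self.rollback = (self.keys, self.c)  # kept so step 4 can revert
        self.keys = [advance(k, c - self.c) for k in self.keys]
        self.c = c
        for key in self.keys:
            if any(not (bfv >> b) & 1 for b in bfv_bits(key, ds, self.q, self.r)):
                self.keys, self.c = self.rollback   # revert on BFV failure (assumed)
                return "DROP"
        return "FORWARD"

    def finish(self, ds_is_valid: bool):
        """Step 4: the DS check (result supplied by the caller) decides whether the
        advanced chains are kept or reverted to c' and the previous keys."""
        if not ds_is_valid:
            self.keys, self.c = self.rollback
            return "REJECT"
        return "ACCEPT"

def demo():
    """Constructed run with N=30, q=1, k=3, r=64; the node misses one packet."""
    N, q, r, k = 30, 1, 64, 3
    starts = [hashlib.sha256(b"chain-%d" % i).digest() for i in range(N)]  # K_{i,0}
    ap, node = AccessPoint(starts, q, r), SensorNode(starts[:k], N, q, r)
    out = []
    ds1, c1, bfv1 = ap.broadcast(b"sig-1")
    out += [node.receive(1, ds1, c1, bfv1), node.finish(True)]      # FORWARD, ACCEPT
    ds2, c2, bfv2 = ap.broadcast(b"sig-2")                          # missed by this node
    ds3, c3, bfv3 = ap.broadcast(b"sig-3")
    out += [node.receive(2, ds3, c3, bfv3), node.finish(True)]      # catches up 1 -> 3
    out.append(node.receive(3, ds2, c2, bfv2))                      # older index: DROP
    out.append(node.receive(4, b"sig-x", c3 + 1, 0))                # empty BFV: DROP
    ds4, c4, bfv4 = ap.broadcast(b"sig-4")
    out += [node.receive(5, ds4, c4, bfv4), node.finish(False)]     # FORWARD, REJECT
    out.append(node.c)                                              # reverted to 3
    return out
```

The catch-up step is what makes the scheme tolerate lost packets: a node that missed index 2 hashes each local chain $c - c' = 2$ times and lands on the same keys the access point marked, so the BFV check still passes without any key redistribution.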

Next, the $h+k$ to $m$ ratio is chosen such that it balances the forged message detection power against the network's broadcast delay. With a low $h+k$ to $m$ ratio, forged messages are easily detected, as each sensor node is more likely to operate in the authentication-first mode. On the other hand, it also increases the broadcast delay, which is undesirable for WSN applications that require fast response times. From Figure 2-8, a desirable $(h+k)/m$ value lies in the area around the knee of the curves (between 0.5 and 0.6), which minimizes both $(h+k)/m$ and the probability that a sensor node fails the threshold requirement. After choosing an $h+k$ value, we have to determine how many keys ($k$) will be stored locally in the sensor nodes' memory and how many keys ($h$) will be included in the messages. There are two main benefits of having a relatively small $h$ value for a given $h+k$. First, low $h$ values have a low $P_a$ for almost every possible $k$ value, as shown in Figure 2-9 (the lighter shaded area). Second, it has lower communication overhead according to Equation 2. The $k$ value can then be chosen to match the preferred $h+k$ to $m$ ratio. The last parameter, $q$, can be optimized by finding the value that minimizes $P_k$ in Equation 2. By performing a first-order partial derivative test on $P_k$ with respect to $q$, we have
$$\left(\ln \frac{hnq}{r} + 1\right)\left(\frac{hnq}{r}\right)^{q} = 0 \;\Rightarrow\; q = \frac{r}{hne}$$
Because $q$ must be a positive integer, the optimum value for $q$ is $\max\left(\mathrm{nint}\left(\frac{r}{hne}\right), 1\right)$, where $\mathrm{nint}$ is the nearest integer function.

2.6.1.2 Key chain scheme

The key chain scheme has significantly fewer parameters to choose, because its key assignment is less complicated in comparison to the key pool scheme.

First, the selection of $r$ is similar to the key pool scheme, but a larger $r$ is also possible due to the key chain scheme's lower overhead. The total number of key chains ($N$) must be selected such that $Nq$

we use the parameters $h = 2$, $n = 10$, $q = 1$, $m = 40$ and $k = 10$. To tighten the test scenario, we assume the attacker compromises an entire key set; to achieve this in a real situation, the attacker would need to capture several nodes of the same set. For the key chain scheme, we use the parameters $N = 30$, $q = 1$ and $k = 3$. The result in Figure 2-5 also shows that the key pool scheme performs better than the key chain scheme under a higher percentage of compromised keys. This advantage comes at a higher cost in packet length and propagation delay.

2.6.3 Authentication delay

Understanding the impact of our protocols on authentication delay is also crucial. We use the same setup as in Section 2.6.2 to simulate and record the times at which a sensor node receives and forwards a message. We also record the time when our protocol passes the message to the application layer after it has verified the digital signature. In this scenario, we only used authentic broadcast messages, to simulate the delay introduced by our schemes under normal WSN operation. As shown in Table 2-3, both proposed schemes introduce very little propagation delay compared to the timing of the authentication-first approach. The key pool and key chain schemes' application layer timings are 46.7% and 39.4% slower than the forwarding-first scheme. This is a significant improvement over the authentication-first scheme, which is more than 10 times slower. The key pool scheme has more delay because its key intersection requirement (the threshold) causes some of the nodes to act like the authentication-first scheme, while the key chain scheme does not.

2.7 Protocol Improvements

Having seen the simulation results, we now propose two generic improvements that can be applied to both protocols. The first improvement trades a small amount of signature generation speed and packet overhead for a better forged packet detection rate. The second improvement greatly reduces forged packet propagation at the expense of

creating and maintaining a broadcast tree in the sensor network. These improvements are independent of one another; either or both may be applied to either scheme.

2.7.1 Reducing maximum Bloom filter marking limit

From Equations 2 and 2, we notice that the higher the $hnq$-bit limit, the more easily forged broadcast messages can pass the BFV verification. The naive solution is simply to reduce $h$, $n$ and/or $q$. However, reducing $n$ increases the chance that sensor nodes share the same key set, thus making the WSN more vulnerable to node capturing. On the other hand, reducing $h$ decreases the $h+k$ to $m$ key intersection ratio, which subsequently increases the chance that a sensor node needs to perform $DS$ verification, as shown in Figure 2-8. To maintain the key intersection ratio, $k$ must be increased, which also increases the number of keys the attacker can learn from capturing a node. In this section, we describe a technique to reduce the limit without altering those parameters, with a minimal trade-off in communication overhead and initial sending delay. Since the marked bits are uniformly distributed over the BFV, the probability that exactly the maximum $hnq$ bits are set to 1 is small, hence we can reduce the maximum bit limit at the risk of having a legitimate broadcast message exceed this new limit. In order to decide how much to reduce the maximum bit limit, we have to determine $P(x, y, r)$, the probability that exactly $x$ bits are set in the process of marking $y$ bits of an $r$-bit BFV. If all $y$ markings are uniformly distributed, we have
$$P(x, y, r) = \frac{\binom{r}{x}\;{}^{x}_{y}}{r^{y}} \quad (2)$$
where
$${}^{x}_{y} = \sum_{\text{all possible } A} \binom{y}{A}\binom{x}{B} \quad (2)$$

$$A = \left\{a_1, a_2, \ldots, a_x \;\middle|\; \sum_{i=1}^{x} a_i = y,\; 1 \le a_i \le y,\; a_i \; a_j \Leftrightarrow i \right.$$

andstartstheprocessagain.Theoretically,thenumberofextrabitscangrowuptoinnity.However,theactualnumberofpaddingsfollowsageometricdistributionwiththeexpectednumberequaltolP t(1)]TJ /F8 7.97 Tf 6.59 0 Td[(P)m.Figure 2-12 showstheaveragenumberofw-bitpaddingswhichcanbeconsideredcausingonlyminimalcommunicationoverhead.Theoptimumchoiceofwforanychosentwillbedlog2(t+1)e.Forthekeypoolscheme,ifweusethistechniquetoreducethemaximumBFVmarkingbybitwithw-bitpadding,theexpectednalmessagelengthcanbecalculatedas b=+hni+wP t(1)]TJ /F5 11.955 Tf 11.96 0 Td[(P)+r(2)TheaccesspointisalsoexpectedtoperformdP 1)]TJ /F8 7.97 Tf 6.59 0 Td[(PesignatureandBFVgenerationswhencomparetothoseifwearenotusingthistechnique.Similarly,applyingthistechniqueinthekeychainschemereducesPbbyloweringtheNq-bitlimitbybits.ThefalsenegativeprobabilityPcanbecalculatedbysimplyreplacinghnqwithNqinEquation 2 .P=NqXi=Nq)]TJ /F12 7.97 Tf 6.58 0 Td[(+1P(i,Nq,r)Also,theprobabilityofcorrectlymarkinganunknownkeyPkischangedto)]TJ /F8 7.97 Tf 6.67 -4.65 Td[(Nq)]TJ /F12 7.97 Tf 6.59 0 Td[( rq.Atthesametime,thenumberofsignatureandBFVgenerationsfortheaccesspointincreasestoanaverageofdP 1)]TJ /F8 7.97 Tf 6.58 0 Td[(Pe.ThisimprovementmaybeappliedtoanyschemeusingBFVstodetectandlteroutbogusmessagessuchas[ 30 ]. 2.7.2ImprovingattackresistancewithbroadcasttreeBroadcasttreeshavebeenpreviouslyusedtoreducetheoverallenergyconsumptionofbroadcastoperationsinWSN[ 35 37 ].Thistechniquecreatesandmaintainsaspanningtreethatminimizesthenetwork'scommunicationoverheadwhenpacketsarebroadcastalongthepathofthetree.Thishelpseliminateanywastefulandunoptimizedtransmissioninbroadcastoperations. 48

Up to this point, the evaluation of our broadcast authentication schemes has only considered a simple, unstructured approach: each node is allowed to forward a broadcast packet arriving from any of its neighbors as long as the packet is new. This approach creates a highly interconnected mesh network, which has good connection redundancy but poor ability to filter out forged packets. To completely prevent a forged packet from reaching a node in a mesh network, all of its neighbors must filter out the packet successfully; if only one neighbor fails, the forged packet reaches the node and has a chance to propagate further. Using a broadcast tree, on the other hand, eliminates the mesh connections and allows only one incoming path for each node.

We implemented the broadcast tree technique in our simulator to examine its additional benefit in filtering out forged messages when combined with our schemes. The simulation parameters remain the same as those in Section 2.6 for both schemes, with one exception: each data point is an average of 50 runs instead of 30. The source code and testing scripts of the simulation are available to interested readers at [38]. From the results in Figure 2-13, we can conclude that using broadcast trees with our schemes significantly reduces forged packet propagation. The improvement for the key pool scheme is outstanding, especially for medium to high compromised-key percentages (>50%): on average, only 24 out of 3,000 nodes receive bogus packets and 9 nodes forward them, while more than half of the nodes receive and/or forward the packet if the broadcast tree is not used. The key chain scheme also maintains a 90% improvement over the non-broadcast-tree approach up until the rate of compromised keys reaches approximately 80%; beyond that point, the number of nodes that receive or forward bogus packets rapidly increases. Despite the significant improvement gained from the broadcast tree, further investigation is required to determine whether this improvement can outweigh the practical overhead of creating and maintaining a broadcast tree in large-scale sensor

networks. This broadcast tree approach will benefit any scheme that probabilistically detects bogus messages before forwarding them.

2.8 Conclusion

We have presented two new broadcast authentication schemes that utilize Bloom filters to enhance PKC-based broadcast authentication in WSNs. Each sensor node uses the Bloom filter to verify quickly the authenticity of a message's digital signature. Because the Bloom filter is computed from multiple secret keys that are randomly distributed to the sensor nodes, the attacker must capture and learn secrets from a large portion of the sensor nodes before he can effectively launch a broadcast authentication DoS against the network. This approach also eliminates the time synchronization, local key pair establishment, and key redistribution requirements present in other schemes. Moreover, since each node independently verifies the message, both schemes remain effective even if the malicious node's wireless transmission area covers the entire WSN. The key pool scheme, which is based on key partitioning, has improved node capture resistance at the cost of communication overhead. The key chain scheme considerably reduces that overhead but underperforms the key pool scheme when the proportion of compromised keys is high. The theoretical analysis of both protocols is validated by our NS-2 simulation results. In future research, we need to study the effects of different key partitioning techniques and probabilistic key distribution models on the rate at which the attacker can learn the global key pool.

Figure 2-1. Key pool scheme's BFV generation algorithm

    BFV ← 0
    for i = 1 to n do
        R_i ← h keys randomly picked from S_i
        for all keys K_l ∈ R_i do
            for all H_j | 1 ≤ j ≤ q do
                b ← first ⌈log₂ r⌉ bits of H_j(K_l ‖ tt ‖ DS)
                b-th bit of BFV ← 1
            end for
        end for
    end for

Figure 2-2. The key pool scheme's BFV generation for q = 1
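The following Python program is an added example, not code from the dissertation: it implements the BFV generation of Figure 2-1 and the marking-count analysis of Section 2.7.1 (the distribution $P(x,y,r)$, the false-negative probability of a lowered limit, and the expected number of paddings). Assumptions not fixed by the text: $H_j$ is SHA-256 with $j$ as a one-byte prefix, keys are 16-byte random strings, $r$ is a power of two so the first $\lceil\log_2 r\rceil$ digest bits index the BFV directly, and the $h$ keys per set are drawn with a seeded RNG. The thesis's sum over the partitions $A$ is evaluated as the equivalent surjection count $x!\,S(y,x)$ (Stirling numbers of the second kind), which counts the same marking patterns.

```python
"""Added example (not the dissertation's code): Figure 2-1 BFV generation and the
Section 2.7.1 marking-count analysis.  Assumptions: H_j = SHA-256 with j as a
one-byte prefix; 16-byte keys; r is a power of two; seeded RNG for key picks."""
import hashlib
import math
import random
from collections import Counter


def bfv_generate(key_sets, h, q, r, tt, ds, rng):
    """Figure 2-1: for each of the n sets, pick h keys and set q hashed bits per key."""
    bits = math.ceil(math.log2(r))
    bfv = 0
    for s_i in key_sets:                         # for i = 1 to n do
        for k_l in rng.sample(s_i, h):           # R_i <- h keys randomly picked from S_i
            for j in range(1, q + 1):            # for all H_j, 1 <= j <= q
                digest = hashlib.sha256(bytes([j]) + k_l + tt + ds).digest()
                b = int.from_bytes(digest, "big") >> (256 - bits)  # first ceil(log2 r) bits
                bfv |= 1 << b                    # b-th bit of BFV <- 1
    return bfv


def popcount(bfv):
    return bin(bfv).count("1")


def stirling2(y, x):
    """S(y, x): ways to split y labelled markings into x non-empty groups."""
    table = [[0] * (x + 1) for _ in range(y + 1)]
    table[0][0] = 1
    for i in range(1, y + 1):
        for j in range(1, x + 1):
            table[i][j] = j * table[i - 1][j] + table[i - 1][j - 1]
    return table[y][x]


def prob_marked(x, y, r):
    """P(x, y, r): y uniform markings set exactly x distinct bits of an r-bit BFV.
    C(r, x) picks the x positions; x! S(y, x) counts the ways the y markings cover
    all of them (the same count as the thesis's sum over the partitions A)."""
    if x < 1 or x > min(y, r):
        return 0.0
    return math.comb(r, x) * math.factorial(x) * stirling2(y, x) / r ** y


def false_negative_prob(y, r, delta):
    """Probability that a legitimate BFV (y = hnq markings) exceeds the limit
    lowered by delta bits: the sum of P(i, y, r) for i in (y - delta, y]."""
    return sum(prob_marked(i, y, r) for i in range(y - delta + 1, y + 1))


def expected_paddings(p, t):
    """Expected number of extra w-bit paddings, ceil(P^t / (1 - P)), with t
    regeneration attempts per padding (Section 2.7.1)."""
    return math.ceil(p ** t / (1 - p))


def marking_histogram(n, m, h, q, r, trials, seed=1):
    """Empirical distribution of popcount(BFV) over fresh timestamps and signatures;
    compare with prob_marked(x, h*n*q, r) for each x."""
    rng = random.Random(seed)
    key_sets = [[rng.randbytes(16) for _ in range(m)] for _ in range(n)]
    hist = Counter()
    for t in range(trials):
        tt = t.to_bytes(4, "big")                # timestamp
        ds = rng.randbytes(64)                   # stands in for the DS over the message
        hist[popcount(bfv_generate(key_sets, h, q, r, tt, ds, rng))] += 1
    return hist


if __name__ == "__main__":
    y, r = 3 * 4 * 3, 64                         # h = 3, n = 4, q = 3: hnq = 36 of r = 64 bits
    for delta in (1, 2, 4, 8):
        p = false_negative_prob(y, r, delta)
        print(f"limit {y - delta}: P = {p:.4f}, expected paddings (t = 3) = {expected_paddings(p, 3)}")
    print(sorted(marking_histogram(4, 10, 3, 3, 64, 500).items()))
```

The histogram makes the trade-off of Section 2.7.1 visible: for $hnq=36$ and $r=64$ almost no legitimate BFV reaches 36 set bits, so the limit can be lowered by several bits before the false-negative probability, and with it the padding overhead, becomes noticeable.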

Improved key pool scheme's BFV generation algorithm (only the opening lines survive on this page):

    … ← H(n_{c−1})
    for i = 1 to n do
        I_i ← S ← {1, 2, …, m}   {init to all indices of key set i}
        H_i(…)
        while |I_i| …
PAGE 53

AKeypoolscheme BKeychainscheme Figure2-5. Portionofnodesforwardingforgedmessagesundervariouspercentagesofcompromisedkey 53

PAGE 54

Figure2-6. ApoolofNkeychainswiththecurrentkeysenclosedinabox(i.e.,thekeyindexc).Eacharrowrepresentsleft-to-righthashfunctionapplication. BFV 0 fori=1toNdo forallHjj1jqdo c currentkeychainnumber b rstdlog2(r)ebitsofHj(KickttkDS) bthbitofBFV 1 endfor endfor Figure2-7. Keychainscheme'sBFVgenerationalgorithm Figure2-8. ProbabilitythatasensornodeneedstoperformDSvericationduetothefailuretosatisfytherequirement. 54

PAGE 55

Figure2-9. Paofallpossiblehandkvaluesinthethekeypoolschemewithm=40. Figure2-10. PbofallpossiblekandNvaluesinthekeychainschemewithr=64anda=0. 55

PAGE 56

Figure2-11. PaandPwithr=64bit,hnq=r=0.56and(h+k)=m=0.325 Figure2-12. AveragenumberofpaddingsfordifferentPandt 56

PAGE 57

AKeypoolscheme BKeychainscheme Figure2-13. Averagenumberofsensornodesreceivingandforwardingforgedpacketswithandwithoutbroadcasttreetechnique 57

PAGE 58

Table2-1. WSNbroadcastauthenticationprotocolcomparison PKCRequirelooseRequireperiodicRequirelocalDelayRemarksupportsynchronizationbroadcastkeypairsauthentication TESLA[ 6 ]XXXTESLAExtension[ 7 ]XXRequireconstantbroadcasttoachievefastvericationDynamicwindowscheme[ 1 ]XPre-authenticationFilter[ 12 ]XXNotfocusonreducingpropagationdelayWeak-authentication[ 29 ]XXXShortPK[ 14 ]XXFastSignature-based[ 39 ]XXXOurschemesX 58

PAGE 59

Table2-2. Overheadsofthekeypool,bothwithandwithouttheimprovement,andthekeychainscheme Computationaloverhead(#ofhashoperations)MessagelengthStorageoverheadAccesspointSensornode#ofkeys#ofhashfunctions Keypool(KP)hnqC=qPminfk,hgi=i(hi)(m)]TJ /F13 5.978 Tf 5.75 0 Td[(hk)]TJ /F13 5.978 Tf 5.76 0 Td[(i) (mk)1+hnind+rkqKPwithimprovementhnq+nk+1C+n 2+k+11+n+rkq+3Keychain(KC)N(q+1)k((c)]TJ /F5 11.955 Tf 11.96 0 Td[(c0)+q)+c+rkq+1 1 Anaveragecase 59

PAGE 60

Table2-3. Averagedelayofvariousbroadcastauthenticationschemes ReceivingForwardingPassingtotheapplicationTime(sec)%ofFFtimeTime(sec)%ofFFtimeTime(sec)%ofFFtime Forwarding-rst(FF)0.422100.0%0.422100.0%2.022100.0%Authentication-rst(AF)20.1454773.7%21.7455152.8%27.7451372.2%Keypool(KP)1.306309.5%2.262536.0%2.966146.7%Keychain(KC)1.147271.8%1.219288.9%2.819139.4% 60

PAGE 61

Table2-4. Parameterssummary SymbolDescription CommonparametersEprv()Signingwithaccesspoint'sprivatekeyPkProbabilityofattackerscorrectlymarkBFVforanunlearnedkeyPbProbabilityofaforgedmessagebypassesasensornodeNtTotalnumberofnodesintheWSNbThetotalbitlengthofabroadcastpacketThebitlengthofabroadcastmessage(M),atimestamp(tt)andaDScombinedqNumberofindependenthashfunctionsusedinBFVgenerationKP'sparametersKGlobalkeypoolsetKiTheithkeyintheglobalkeypoolNNumberofkeysintheglobalkeypoolSiTheithkeysetnNumberofkeysetsmNumberofkeysineachsetkNumberoflocalkeysstoredineachsensornodehNumberofkeyspersetselectedintheBFVgenerationKeyintersectionthresholdrBFV'sbitlengthH()Network-widehashfunctionIAsetofallkeyindicesincludedintheBFVIiAsetofselectedkeyindicesfromkeysetiXPer-messagekeyintersectionsetaNumberofcompromisedkeysetsPaProbabilityofaforgedmessagebypassesanodethatpossessesasecuredkeysetindKeyindex'sbitlengthEkExpectednumberofkeysasensornodehastoverifyperbroadcastmessage 61

PAGE 62

Table 2-4 .Continued SymbolDescription ImprovedKP'sparametersH(),H()Network-widehashfunctionforgeneratingrandomnumbersHiHashfunctionforkeysetiniTheithrandomnumberonthechainKC'sparametersNNumberofglobalkeychainsKijThejthkeyoftheithkeychainkNumberofkeychainslocallystoredoneachsensornodecKeyindexincludedintheBFVc0Sensornode'slastseenkeyindex^cModiedkeyindex(byattackers)!Maximumallowanceofc)]TJ /F5 11.955 Tf 11.96 0 Td[(c0tostillperformBFVvericationcCurrentkeyindex(c)'sbitlengthGenericimprovement'sparametersNumberofbitsreducedfrommaximumallowablemarkedbitsintheBFVPProbabilitythataBFVcontainsmorethanhnq)]TJ /F7 11.955 Tf 23.34 0 Td[(markings(Nq)]TJ /F7 11.955 Tf 11.95 0 Td[(forKC)wPadding'sbitlengthtNumberoffailedBFVgenerationattemptsbeforeappendinganotherpaddingtothemessage 62

PAGE 63

CHAPTER3MULTI-RESOLUTIONELLIPTICCURVEDIGITALSIGNATURE(MRECS)InChapter 2 ,weimprovedbroadcastauthenticationbyincorporatingBloomlterspre-authenticationprocessintoanyexistingdigitalsignaturescheme.Inthischapter,weimproveWSN'sbroadcastauthenticationbyproposingabrandnewdigitalsignatureschemeintendedtoprovidemorene-grainedcontroloverthevericationdelayatthereceivers.Thisnewscheme,whichisbasedontheexistingellipticcurveddigitalsignatureschemeECPVS,providesthesenderachoiceofhowmuchcomputationreceiversneedtoperformforsignatureverication.Thebasicprinciplebehindtheproposedprotocolissimilartothekeysplittingtechniqueusedinvariouspublickeysecretsharingschemessuchas[ 40 ]and[ 41 ].TheproposedschemepartitionsthehashvalueffromtheECPVSprotocoldescribedinsection 1.2.4 intosmallerparts.Eachpartitionoffisthenmultipliedwithadifferentprivatekeyfromanestablishedkeyset.Therestofthechapterisorganizedasfollows.First,Section 3.1 presentsallrelatedworkonEllipticCurveCryptosystemsandthetechniquestospeedupitsscalarmultiplication.Next,Section 3.2 explainsthedesignofMRECSintuitivelyanddescribestheprotocoldetails.Section 3.3 exploresdifferenttypesofpotentialattacksagainstMRECS.Sections 3.4 and 3.5 discusshoweachparametereffectstheprotocolandkeys'lifetime.Then,Section 3.6 proposesseveralrekeyingtechniquestobeusedwithMRECS.Finally,section 3.7 concludesthischapter. 3.1RelatedWorkAscalarmultiplication(SM)ofanellipticcurvepointPisdenedasaddingPtoitselfktimes(writtenaskP),i.e.,kP=Pki=1P.Thishasbeenaprominentresearchinterestwithintheellipticcurveresearchcommunitybecausetheoperationisnotonlythemosttimeconsumingoperationbutalsopresentsinallellipticcurvecryptosystems.SeveralalgorithmshavebeenproposedsinceECCwasindependentlyconceivedby 63

PAGE 64

Koblitz[ 17 ]andMiller[ 18 ].Lopezelal.provideanoverviewofvarioustechniquesusedinECCscalarmultiplication[ 42 ].ThemostbasicapproachtoperformSMisadouble-and-add(DnA)method.Thismethodrepresentstheintegerkinabinaryformat(bitstring)andperformspointdoublingandpointadditionoperationsaccordingly.Sincethedouble-and-addtechniqueissimilartotheexponentiationbysquaringmethod,multiplesmallSMstheoreticallyhavethesamecostasalargeonewiththesametotalbit-sizeonthesamecurve,i.e.,mCy(x)=Cy(mx)whereCy(x)isthecomputationalcostofSMwithanx-bitscalaronay-bitcurveandm2Z+.TheactualSMtimingsfromECCimplementationsin[ 43 ],[ 2 ]and[ 44 ]alsosuggestthatincreasingxandyquadraticallyincreasesthecost,i.e.,Cmy(mx)=m2Cy(x).Mostimprovementtechniquesfocusonrecodingthescalarvaluekwithadifferentrepresentationthatreducesthenumberofpointoperations.Ifthescalarkcanberepresentedwithanlk-bitbinarynumberwithaHammingweightofwk,thisapproachrequiresatotaloflkpointdoublingoperationsandwk)]TJ /F6 11.955 Tf 12.75 0 Td[(1pointadditions[ 42 ].MostimprovementsonSMfocusonreducingtheHammingweightofthescalarktoachievefastercalculationtime.Oneoftheimprovementsisconvertingkintoanon-adjacentform(NAF)representation,whichhasnoconsecutivenon-zerovalues[ 45 ],thusloweringk'sHammingweight.NAFalsochangesthebasicDnAalgorithmintotheaddition-subtractionmethodbecauseNAFcanaccommodatenegativevalues.BecauseanellipticcurvepointsubtractionoperationhasthesamecostasapointadditionandtheexpectedHammingweightofanlk-bitnumberislk=3,NAFcanbeusedtoreducenumbersofpointdoublingsoverthenormalbinaryrepresentationofk. 64

PAGE 65

SolinasfurtherimprovesSMbyproposingtheslidingwindowmethod[ 46 ].Theso-calledwidth-wNAFmethodcombinestheslidingwidowtechniqueandtheNAFrepresentationbyrstusingNAFtorepresentkandthenexecutingtheDnAalgorithmwbitsatatime.Withthewidth-wwindowmethod,thescalarkisturnedintoa2w-aryrepresentationandprocessedwbitsatatimeintheDnAalgorithm.AsetofprecomputedpointsP,2P,...,(2w)]TJ /F6 11.955 Tf 12.32 0 Td[(1)PisalsoneededinordertoexecuteamodiedDnAalgorithm.Forexample,ifkis1101110100001001111inbinaryformatandwis4bits,kcanberepresentedasa16-ary(hexadecimal)number6E84F.TheSMcannowbecarriedonusingtheDnAcomputation2(2(2(2(6P)+14P)+8P)+4P)+15Pwithpoints6P,4P,8P,14P,15Pcomputedandstoredinadvance.Thewindowmethodcanbefurtherimprovedbyallowingdynamicallysizedwindowsthatcanbeadjustedaccordingtothezerobitpositionsinthescalarvalue.Theadjustedwindowsizewillgroupallzerobitstogetherasmuchasitcanbyonlyallowingeach2w-arynumbertostartandendwithanon-zerobitwhilethelengthisstilllessthanw.Cietetal.[ 47 ]proposednewpointdoubling,triplingandquadruplingalgorithmsthatperformbetterthantraditionalmethodsiftheyareusedtogetherwithadouble-basednumberrepresentationofk1.LongaandGebotys[ 48 ]generalizedtheideafurtherandproposedthemethodtondanoptimizedrepresentationofkinmultibasenumbercalledmbNAF.Mishraetal.[ 49 ]alsousedmultibaserepresentationandquintuplingoperationstospeedupSM.Wongetal.[ 50 ]combinedthedouble-basednumberrepresentationwiththepointhalvingtechniquefromKnudsen[ 51 ].TotakeadvantageofKnudsen'spointhalvingmethod,theellipticcurvemustbedenedoverF2mandhasmodularinversionthatcostmorethansixmodularmultiplications.Furthermore,Knudsen'smethodcanonlybeusedwhenaparameteraofanF2mcurvesatises 1Thedouble-basednumberinthisparticulararticleisf2,3gwhichisoptimizedforthearticle'sfastbinary/ternarymethods. 65

PAGE 66

Pm)]TJ /F10 7.97 Tf 6.59 0 Td[(1i=0a2i=1condition.Thisrestrictionmeansthetechniquecanonlybeappliedtoapproximatelyhalfoftheavailableellipticcurves.Cohenetal.convertedellipticcurve'stypicalafnecoordinatesystem,i.e.,wherepointsarerepresentedinx,yformat,withamixofseveralcoordinatesystems,namelyProjective,Jacobian,ChudnovskyJacobianandModiedJacobiancoordinatesystems[ 43 ].Whiletheafnesystemhasthesmallestamountofdatarequiredtorepresentapoint,othersystemsarefasterwhichwithtoperformpointoperations.ThusCohenetal.usetheafnesystemforcommunication,thenperformedanypointoperationusingadifferentsystem.Theyalsoproposedthatamixedsystemisusedtoachieveanoptimizedcomputationaltimebyutilizingdifferentcoordinatesystematdifferentstagesofthepointoperations.Thisimprovementofswitchingcoordinatesystemstoaccommodatedifferentoperationswaslaterconrmedbytheimplementationin[ 52 ].AlltheaforementionedSMimprovementsonlyapplytopointoperations,whichthemselvesareindependentfromECCprotocols,thusallowingthemtobeusedtogetherwithourproposedprotocols.Mostoftheresearcheffortsinmultiplepublickeysystemfocusonprovidingthresholdcryptographyforthesensornetwork.Forexample,Wangetal.[ 53 ]designedathresholdcryptographyschemetogetherwithestablishingpair-wisekeystolteroutafakereportinWSN.Wongetal.[ 54 ]usedthresholdECDSAtopreventcompromisedcerticateauthoritiesfromauthenticatingamaliciousnode.SimilarworkwasalsodoneviasigncryptionschemebyPengetal.[ 55 ].Changetal.[ 56 ]andHanetal.[ 11 ],ontheotherhand,appliedthesametechniquetopreventamaliciousnodefromsuccessfullydeceivinganinnocentco-signerintosigningamessage.Ertauletal.[ 57 ]combinedthresholdcryptographyandmessagesplittingtosecurelydeliveramessageacrossthenetwork.Notonlydoallofthearticlessharethesamemulti-keygenerationtechnique,Shamir'ssecretsharingalgorithm[ 40 ],theyalsorequiresomecerticateauthoritynodes 66

PAGE 67

tobepresentinthenetwork.Onlyafewarticlesemphasizeusingmultiplepublickeystoreducesignaturevericationdelayinbroadcastauthenticationscenarios.OneofthearticlesisShortPK[ 14 ]proposedbyWangetal.,whichaimstoreducesignaturevericationtimebyusingmultipleshort-livedpublickeysinsteadofasinglekey.Withthisapproach,themainproblemtobesolvedishowpublickeyscanbeperiodicallyandsecurelydistributedtothesensornodes.Becausesimplybroadcastingpublickeystothenetworkissusceptibletoaman-in-the-middleattack,theauthorproposedProgressivePublicKeyDistributionscheme(PPKD).ThebasicideabehindthisdistributionschemeisdividingtheWSN'slifetimeintoseveralphasesandfurtherdividingeachphaseintomultipletimeslots.Eachshort-livedpublickeyisassignedtoacertaintimeslotandeachphaseisalsoassignedasecretkey,whichisprotectedbyaone-wayhashchain.Whenanaccesspointbroadcastsamessage,itwillincludeallthepublickeysforthenextphaseencryptedwithcurrentphase'ssecretkey.Aftereachsensornodeveriesthesecretkeyusingthehashchain,itdecryptsthepublickeysandkeepsthemformessagevericationinthefollowingphase.Usingthetimeslotapproach,PPKDrequirestheaccesspointtoperiodicallybroadcastandredistributepublickeystotheentirenetworkoncethelifetimeofthekeyshasexpired.Onbilgeretal.[ 58 ]usedbothElGamalandRSAsecretsplittingtechniquesdescribedin[ 59 ]tobuildaremotedigitalsigningsysteminmobileagents.Inthisresearch,themultiplesignatureschemewasusedbetweenaserverandmobileagentstoauthenticateandsignadigitalcommercialtransaction.Thesecretsplittingtechniquewasusedtoallowmulti-partyauthenticationandspeedupthetransactionthroughparallelsigning.Themultisignature(asitiscalledin[ 59 ])approachcanbeusedtocreateasystemsimilartowhatwepropose,howeverRSAislessefcientandhashighercommunication,computation,andstorageoverheadthantheECC-basedprotocol.Moreover,theseRSAoverheaddisadvantages,someofwhichareseverelyunsuitablefortheWSNenvironment,willgrowovertimesincethereisanexisting 67

PAGE 68

sub-exponentialalgorithmtosolveprimefactorizationusedagainstRSA[ 60 ].Theaddition-multiplicationkeysplittingtechniqueinRSAalsocannotbeapplieddirectlytoECCbecauseECCencryptionanddecryptionoperationsarenotsymmetrical.Fanetal.[ 39 ]proposedanunorthodoxmethodtoaccelerateECDSAsignaturevericationspecicallyinWSNs.Thespeedupresultsfromeachnodeprobabilisticallyforwardingapartially-calculatedsignaturetoitsneighbors.Thisschemerequiressecretkeypairstobeestablishedamongneighboringnodesbeforehandtopreventattackersfrominjectingboguspartialsignaturesintothenetwork.Furthermore,sensornodesneedtocollectacertainnumberofsignaturesineachperiodbeforestartingthesignatureverication.Ourproposedellipticcurvedigitalsignatureschemesincorporatemultiplepublickeystoallowatrade-offbetweenvericationdelayandcryptographicstrength.Theseapproacheshavethesamecommunicationoverheadasthetraditionalellipticcurveschemeswithnoextracomputationaloverheadonthereceivingside.Theonlytypeofoverheadpostedtosensornodesisastorageoverhead,whichisalsocustomizable.Additionally,ourapproachesdonotrequireanytrustedcerticateauthority,localkeypairestablishment,periodicallykeyupdates,locallystoredhashchain,orsynchronizationwithaccesspoints. 3.2DesignOverviewWeobservethatECPVSneedstwoSMs;onewithapublickeyQandanotherwithabasepointG,tocompletethesignaturevericationprocess.EachofthemproducesanellipticcurvepointthatislatercombinedintoarandompointR.Toreducethecomputationaloverhead,thosetwoSMscanbecombinedintooneifthesameellipticcurvepointisusedonbothoperations.However,bydoingso,wewillalsocompromisethedigitalsignatureitself.Tomaintainsomelevelofsecurity,weneedtoconsolidatesome,butnotall,partsofthetwoSMstogether.Wecanachievethatbybreakingthehashfintoseveral 68

PAGE 69

smalleronesandmultiplyingeachonewithadifferentsecretkey.ThismodicationreplacesalargesingleSMwithseveralsmallerSMsinthevericationprocesswithoutchangingthecomputationaloverheadandthesecuritylevel.Inaddition,ifweonlyselectsomehashestobemultipliedwiththesecretkeysandmultiplytherestwithG,thevericationtimecanbereduced.Basedonthismainidea,wemodifyECPVStoincludethemulti-resolutionfeature. 3.2.1ProtocoldescriptionPre-deployment 1. GenerateaprivatekeysetDofsizegwithrandomkeysfd1,d2,...,dggwheredi2[1,n)]TJ /F6 11.955 Tf 12.52 0 Td[(1]anditscorrespondingpublickeysetQ=fQ1,Q2,...,QggwhereQi=diG 2. DistributethepublickeysetQtothereceiversSignaturegeneration(signing) 1. SplitamessageMintotwoparts,M1andM2,whereM1containsinformationthatcanidentifyM2andjM1jn. 2. Pickaper-messagerandomintegerkfrom[1,n)]TJ /F6 11.955 Tf 11.96 0 Td[(1] 3. ComputeR=kG.IfR=O,gobacktostep 2 4. Calculatee=ER(M1)whereERissymmetrickeyencryptionusingakeyderivedfromR 5. LetsetIcontainalltheindicesofthekeysets.Then,letIIbeasetthatcontainsindicesofDwhichwillbeincludedinthesignature. 6. AfterIischosen,thesendergenerateshashf=hash(ekM2kI)ofsizefbitswherekdenotesconcatenation. 7. Partitionfintogequally-sizedd-bitnumbers,f1,f2,...,fg,asshowninFigure 3-1 .Eachpartitionfiisdenedasfi=bf=2idcmod2d. 8. Computethesignaturesfromthefollowingequation. s=k)]TJ /F15 11.955 Tf 11.95 11.36 Td[(XIfidimodn(3) 9. SendthemessageM2outwiththesignatures,eandI. 69

PAGE 70

Signatureverication 1. Computehashf=hash(ekM2kI)andpartitionitwiththesameprocedurefromtheprevioussection. 2. Computeanellipticcurvepoint R0=sG+XIfiQi(3)andmakesureR06=O. 3. ThesignatureisveriedifandonlyifM1canbedecryptedfromeusingthekeyderivedfromR0andtheinformationcorrectlyidentiesM2. 3.2.2Protocol'scorrectness Proposition3.1. s,eandIarevalid()R0=R Proof. s,eandIarevalid)R0=RR0=sG+XIfiQiFromEquation 3 =sG+XIfidiG=s+XIfidiG=kGFromEquation 3 R0=R Proof. s,eandIareinvalid)R06=Rs+XIfidi6=ksandeareinvalidsG+XIfiQi6=kGR06=R 70

PAGE 71

3.3AttacksonMRECSThissectionpresentsmathematicalanalysisofseveralpossibleattackscenariosagainsttheMRECSprotocol.TherearetwopossiblepointsofattackonMRECSsignature;theprivatekeysdiandthehashvaluef.Successfulattackonthehashfwillresultinasingleforgedsignaturebeingcreated.Asuccessfulattackontheprivatekeys,though,isconsiderablymoreserioussinceitallowsanarbitrarynumberofsignaturestobegeneratedandcanonlybeaddressedbyrekeying.Section 3.3.1 explainstheattackagainstprivatekeyswhilevariousattackingtechniquesagainstfareexploredinSections 3.3.2 through 3.3.5 3.3.1Forginganewsignature Bycreatinganewmessage.Inorderforattackerstoforgeasignaturesuccessfully,theyhavetofollowthesignaturegenerationstepswiththeirownfakemessages.Whentheyhavetocalculates,theywillfailduetotheunknownprivatekeysdiinEquation 3 .ThusthisapproachhasthesamedifcultyassolvingtheECDLPofpointsQitondprivatekeysdi. Bymodifyingfromanauthenticmessage.BymodifyingM,theattackerisforcedtorecalculateeandfwiththeoriginalRfromthemessage.WithouttheknowledgeofkandD,theattackercannotproceedwiththecalculationofsforthemodiedmessageinEquation 3 .HeneedstosolvetheECDLPofpointRtondk. 3.3.2PreimageattackAsidefromdirectlyattackingECDLP,theattackercanlaunchapreimageattackonhashfbyndingahashcollisionofanexistingsignature.HecanachievethatbyaddinganarbitraryellipticcurvepointtoRofanauthenticsignature,i.e.,addingaG,a2ZtoEquation 3 .ThiswillresultasifanewrandompointRiscreatedas 71

PAGE 72

follows:R+aG=sG+aG+XIfiQiR=(s+a)G+XIfiQi (3)TheattackerthenusesthenewrandompointRandanewmessageMtocalculateanewhashf=hash(ER(M)kI).Subsequently,hemustndanewsthattsintoanewsignatureequation. R=sG+XIfiQi(3)HecancombineEquation 3 withEquation 3 togetthefollowing:sG+XIfiQi=(s+a)G+XIfiQisG=(s+a)G+XI(fi)]TJ /F6 11.955 Tf 12.05 2.66 Td[(fi)Qis=(s+a)+XI(fi)]TJ /F6 11.955 Tf 12.06 2.65 Td[(fi)di (3)WithouttheknowledgeofdiinEquation 3 ,theattackercannotndthenewsthatcanbecorrectlyveried.However,thesecretkeysdiinEquation 3 canbebypassedifahashcollisionoccursbetweenfiandfi,8i2I.Thenewsignaturescanthenbeobtainedfroms=s+aAhashcollisionwillallowattackerstocreateasinglevalidsignaturewithkeyselectionIforanarbitrarymessageM.SinceonlyhashcollisionsthatoccurredwithinImatter,thesearchspacetondanMRECSmatchforaparticularsignatureisdjIjbits.Section 3.4 furtherexploreshowthechoiceofIaffectsMRECS. 3.3.3PreimageattackondifferentkeyselectionsInthissection,weshowthatapreimageattackisnotfeasibleifIofbothsignaturesarenotthesamebecausetheattackreliesoncancelingoutthesecretkeypart(the 72

PAGE 73

summationtermwithQi).AssumingtheattackereavesdropsacollisionbetweentwosignatureswithkeyselectionsI1andI2whereI16=I2,hewillhavetwoequationsasfollows.R1=s1G+XI1f1iQi (3)R2=s2G+XI2f2iQi (3)SubtractEquation 3 withEquation 3 ,wegetR1)]TJ /F5 11.955 Tf 11.96 0 Td[(R2=(s1)]TJ /F5 11.955 Tf 11.95 0 Td[(s2)G+XI1)]TJ /F10 7.97 Tf 6.04 1.77 Td[(I2f1iQi+XI1\I2(f1i)]TJ /F5 11.955 Tf 11.96 0 Td[(f2i)Qi)]TJ /F15 11.955 Tf 12.73 11.36 Td[(XI2)]TJ /F10 7.97 Tf 6.04 1.77 Td[(I1f2iQik1)]TJ /F5 11.955 Tf 11.96 0 Td[(k2=(s1)]TJ /F5 11.955 Tf 11.95 0 Td[(s2)+XI1)]TJ /F10 7.97 Tf 6.04 1.78 Td[(I2f1idi+XI1\I2(f1i)]TJ /F5 11.955 Tf 11.95 0 Td[(f2i)di)]TJ /F15 11.955 Tf 12.73 11.35 Td[(XI2)]TJ /F10 7.97 Tf 6.04 1.78 Td[(I1f2idiSinceahashcollisionisassumed,thesummationofall(f1i)]TJ /F5 11.955 Tf 11.23 0 Td[(f2i)fromI1\I2iszero.Thisresultsinthefollowingequation.k1)]TJ /F5 11.955 Tf 11.96 0 Td[(k2=(s1)]TJ /F5 11.955 Tf 11.95 0 Td[(s2)+XI1)]TJ /F10 7.97 Tf 6.04 1.77 Td[(I2f1idi)]TJ /F15 11.955 Tf 12.73 11.36 Td[(XI2)]TJ /F10 7.97 Tf 6.05 1.77 Td[(I1f2idiToavoidsolvingECDLPfordi,thesummationofallthetermswithdiintheaboveequationneedstobezero,i.e., XI1)]TJ /F10 7.97 Tf 6.04 1.77 Td[(I2f1idi)]TJ /F15 11.955 Tf 12.73 11.35 Td[(XI2)]TJ /F10 7.97 Tf 6.04 1.77 Td[(I1f2idi0(modn)(3)Inwhich,wecanshowthatI1)]TJ /F6 11.955 Tf 11.22 2.66 Td[(I2andI2)]TJ /F6 11.955 Tf 11.22 2.66 Td[(I1willneverbe;atthesametimeinEquation 3 unlessI1=I2inthefollowingproof. Proposition3.2. I16=I2)I1)]TJ /F6 11.955 Tf 11.21 2.65 Td[(I2andI2)]TJ /F6 11.955 Tf 11.21 2.65 Td[(I1cannotbe;atthesametime. 73

PAGE 74

Proof. Usingproofbycontradiction,weassumeI1)]TJ /F6 11.955 Tf 11.2 2.66 Td[(I2=I2)]TJ /F6 11.955 Tf 11.2 2.66 Td[(I1=;.I1)]TJ /F6 11.955 Tf 11.2 2.66 Td[(I2=;I1\Ic2=;I1\Ic2=I2\Ic2I1=I2Similarly,I2)]TJ /F6 11.955 Tf 11.2 2.65 Td[(I1=;I2\Ic1=;I2\Ic1=I1\Ic1I2=I1ThiscontradictsourinitialassumptionofI16=I2. Wecanconcludethatapreimageattackcannotbeusedbetweentwodifferentkeyselections. 3.3.4PreimageattackfromcombinedkeyselectionsAnotherapproachtoneutralizethesecretkeysetstillremains.Theattackercantrytojoinseveraldisjointsetstogetherandusethemtocanceloutalargerset.Assumingsignatureswiththreedifferentkeysets,I1,I2andI3whereI3=I1[I2andI1\I2=;,havebeeneavesdropped,theattackercansubtractR3withR1andR2andgetthefollowingequation.R3)]TJ /F5 11.955 Tf 11.96 0 Td[(R1)]TJ /F5 11.955 Tf 11.96 0 Td[(R2=(s3)]TJ /F5 11.955 Tf 11.96 0 Td[(s1)]TJ /F5 11.955 Tf 11.95 0 Td[(s2)G+XI3f3iQi)]TJ /F15 11.955 Tf 11.95 11.36 Td[(XI1f1iQi)]TJ /F15 11.955 Tf 11.95 11.36 Td[(XI2f2iQik3)]TJ /F5 11.955 Tf 11.96 0 Td[(k1)]TJ /F5 11.955 Tf 11.95 0 Td[(k2=(s3)]TJ /F5 11.955 Tf 11.96 0 Td[(s1)]TJ /F5 11.955 Tf 11.95 0 Td[(s2)+XI3f3idi)]TJ /F15 11.955 Tf 11.95 11.36 Td[(XI1f1idi)]TJ /F15 11.955 Tf 11.95 11.36 Td[(XI2f2idi 74

PAGE 75

SinceweassumeI1andI2partitionI3,thetermsPI3f3idi)]TJ /F15 11.955 Tf 12.36 8.97 Td[(PI1f1idi)]TJ /F15 11.955 Tf 12.36 8.97 Td[(PI2f2idicanberewrittenasfollows. XI1(f3i)]TJ /F5 11.955 Tf 11.95 0 Td[(f1i)di)]TJ /F15 11.955 Tf 11.95 11.36 Td[(XI2(f3i)]TJ /F5 11.955 Tf 11.95 0 Td[(f2i)di(3)InordertocancelallthediinEquation 3 ,theattackernowcanmatchupanyexistingI1hashwiththersttermandI2hashwiththesecond.ThepartitioningofI3allowsthecollisionspacetobesplitintosmallerkeysetsandindependentlysearchedwithinthosesets.ThistypeofpreimagecollisionismorelikelytooccurthanthosedescribedinSection 3.3.2 andSection 3.3.3 sincealargehashvaluecanbebrokenintoseveralsmallerones.However,havingfoundacollisionstilldoesnotprovideanyinformationtotheattackerbesidesthesummationofthreeormoreper-messagesecrets. 3.3.5BirthdayattackBirthdayattack,unliketheattackdescribedintheprevioussection,aimstondtwodistinctmessagesthathavethesamehashfwhich,inturn,createsthesameMRECSsignature.Aftersuchmessagesarefound,thesignatureofonemessagecanbeusedtoauthenticatetheothermessageorviceversa.Thesignercanthenbetrickedintosigninganunseenandunapprovedmessage.WeassumethattheattackerfeedsM1andM2tothesignerandhasfullcontroloverbothmessages.Sincetheper-messagesecretkissecuredandonlyknownbythesigner,theattackercannotpredicthowalteringM1isgoingtoaffecteandf.AnymodicationattemptsonM2arealsouselessbecausethecondentialityofkpreventsffrombeingcalculatedinadvance.Withouttheabilitytogeneratefbeforehand,theattackercannotefcientlysearchforamatch,hencetheO(2n=2)boundforn-bithashbirthdayattackisunachievable.Alternatively,theattackercanbypassthehashgenerationphasebyeavesdroppingtwodifferentsignatureswiththesamekeyselectionIandinwhichallcorrespondinghashesarematched,i.e.,f1i=f2i,8i2Iwheref1iandf2iaretheithhashpartitionofthe 75

PAGE 76

rstandsecondsignaturesrespectively.Then,hederivesrandompointsR1andR2forbothsignaturesfromEquation 3 .R1=s1G+XIfiQiR2=s2G+XIfiQiCombiningbothequationstoeliminateQi,theattackerendsupwithtwounknownvaluesk1andk2thatcanonlybesolvedviaECDLPasfollows:R1)]TJ /F5 11.955 Tf 11.96 0 Td[(s1G=R2)]TJ /F5 11.955 Tf 11.96 0 Td[(s2Gk1G)]TJ /F5 11.955 Tf 11.95 0 Td[(k2G=s1G)]TJ /F5 11.955 Tf 11.96 0 Td[(s2Gk1)]TJ /F5 11.955 Tf 11.96 0 Td[(k2=s1)]TJ /F5 11.955 Tf 11.95 0 Td[(s2Therefore,wecanconcludethatMRECSanditsprecursor,ECPVS,areresistantagainsttheBirthdayAttackonhashf.Theattackresistanceandbitlength(f)requirementoffareanalyzedinthenextsection. 3.4ParameterSelectionThissectionanalyzeshowMRECSparametersaffecttheprotocolinmoredetail. 3.4.1CryptographicstrengthTherearetwoparametersthatdeterminethemaximumcryptographicstrengthofasignature.Therstparameteristhebit-lengthofthecurveorder(n).SinceanECCprotocolwithan-bitcurveprovidesn 2bitsofsecurity[ 42 ],nshouldbechosentobetwicethedesiredsecuritybit-length.2Theotherparameteristhehashsizef.WithoutthesusceptibilitytotheBirthdayAttack,exhaustiveattackonftakesafullf-bitsearchspace.Consequently,fcanbeequaltotheECCcryptographicstrength,i.e.,halfofn. 2Thecurrentrecommendedvaluefornis224bits[ 26 ]. 76
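The following Python program is an added example, not code from the dissertation: it implements MRECS signing and verification as specified in Section 3.2.1 (with the correctness of Section 3.2.2 checked by running it), and the preimage forgery of Section 3.3.2, which slides $R$ to $R+aG$ until the partitions selected by $I$ collide and then outputs $\hat s=s+a$. Assumptions not fixed by the text: the curve is secp256k1 (so $n$ is 256 bits and a full-strength hash is $|f|=128$ bits); $\mathrm{hash}()$ is SHA-256 truncated to $g\cdot d$ bits; $E_R$ is a one-time pad keyed by SHA-256 of $R$'s $x$-coordinate, so the same call decrypts; $M_1$ is a 16-byte digest of $M_2$, standing in for "information that can identify $M_2$"; $I$ is hashed as a $g$-bit bitmap; and partitions are indexed $0..g-1$.

```python
"""Added example (not the dissertation's code): MRECS (Section 3.2.1) plus the
Section 3.3.2 preimage forgery.  Assumptions: secp256k1; hash = SHA-256 truncated
to g*d bits; E_R = one-time pad keyed by SHA-256(x(R)); M1 = 16-byte digest of M2;
I hashed as a g-bit bitmap; partitions f_0..f_{g-1} = floor(f / 2^(i d)) mod 2^d."""
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None  # point at infinity

def ec_add(p1, p2):
    """Affine addition/doubling on y^2 = x^3 + 7 over F_P."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication kP."""
    acc = O
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def keygen(g):
    """Pre-deployment: private keys d_i in [1, n-1] and public keys Q_i = d_i G."""
    priv = [1 + secrets.randbelow(N - 1) for _ in range(g)]
    return priv, [ec_mul(d, G) for d in priv]

def enc(R, m1):
    """E_R(M1): XOR with a key derived from R; applying it again decrypts."""
    key = hashlib.sha256(b"MRECS-KDF" + R[0].to_bytes(32, "big")).digest()
    return bytes(a ^ b for a, b in zip(m1, key))

def identify(m2):
    """M1: 16 bytes that identify M2."""
    return hashlib.sha256(m2).digest()[:16]

def hash_parts(e, m2, I, g, d):
    """f = hash(e || M2 || I) of g*d bits, split into g d-bit partitions."""
    bitmap = sum(1 << i for i in I).to_bytes((g + 7) // 8, "big")
    f = int.from_bytes(hashlib.sha256(e + m2 + bitmap).digest(), "big") >> (256 - g * d)
    return [(f >> (i * d)) & ((1 << d) - 1) for i in range(g)]

def sign(priv, m2, I, d):
    """Signing steps 1-9: s = k - sum_{i in I} f_i d_i mod n; returns (s, e, I)."""
    R = O
    while R is O:
        k = 1 + secrets.randbelow(N - 1)
        R = ec_mul(k, G)
    e = enc(R, identify(m2))
    fi = hash_parts(e, m2, I, len(priv), d)
    return (k - sum(fi[i] * priv[i] for i in I)) % N, e, sorted(I)

def recover_R(pub, m2, sig, d):
    """Verification step 2: R' = sG + sum_{i in I} f_i Q_i (|I| + 1 scalar multiplications)."""
    s, e, I = sig
    fi = hash_parts(e, m2, I, len(pub), d)
    Rp = ec_mul(s, G)
    for i in I:
        Rp = ec_add(Rp, ec_mul(fi[i], pub[i]))
    return Rp

def verify(pub, m2, sig, d):
    """Verification step 3: R' != O and the decrypted M1 identifies M2."""
    Rp = recover_R(pub, m2, sig, d)
    return Rp is not O and enc(Rp, sig[1]) == identify(m2)

def forge(pub, m2, sig, new_m2, d, max_tries=1 << 16):
    """Section 3.3.2: slide R to R + aG (one point addition per try) until the
    partitions selected by I collide with the original ones; then s' = s + a.
    About 2^(d*|I|) tries are needed, so only low-resolution signatures are at risk."""
    s, e, I = sig
    g = len(pub)
    target = hash_parts(e, m2, I, g, d)
    R_hat, m1_new = recover_R(pub, m2, sig, d), identify(new_m2)
    for a in range(1, max_tries):
        R_hat = ec_add(R_hat, G)
        e_hat = enc(R_hat, m1_new)
        f_hat = hash_parts(e_hat, new_m2, I, g, d)
        if all(f_hat[i] == target[i] for i in I):
            return (s + a) % N, e_hat, I
    return None
```

With $g=4$ and $d=32$ a signature over $I=\{0,2\}$ verifies with three scalar multiplications instead of five, and forging it would take about $2^{64}$ point additions; at $d=8$ and $|I|=1$ the same `forge` routine succeeds after roughly 256 additions, which is the $d|I|$-bit search space of Section 3.3.2 made concrete and the reason an $I$ must be retired once its cryptoperiod expires (Section 3.4.3).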

PAGE 77

ItisalsoworthpointingoutthedifferencebetweenMRECSandthestraightforwardimplementation(SFI)outlinedintheintroduction.WhenaweakMRECSsignatureischosen,onlythestrengthofhashfisreducedwhiletheECDLPstrengthstillremainsatthefullnbits.Incontrast,aweakSFIsignaturebearsacomparableweakECDLPwhich,asmentionedearlierinSection 3.3 ,hasaseriousconsequencewhenitfails. 3.4.2ResolutionTheMRECSschemeisnotonlyabletosupportasignaturewithfulln-bitECCsecuritybutalsocangenerateasignaturewithweakercryptographicstrengthandfastervericationtime.Thenumberofavailableresolutionsisdeterminedbythenumberofkeypairs(g)whereeachkeypairisresponsibleford=f gbitsofthesignature'ssecurity.Ifgislarge,eachkeypairbindstoasmallportionofthehashfduringthesigningprocess.Thisallowsanerresolutionsignaturetobecreatedwiththecostofmaintainingahighernumberofkeypairs.Whilegdetermineshowmanyresolutionsareavailable,itisthesigner'schoiceofIduringthesigningprocessthatcontrolstheactualsecuritylevelofthesignature.IfallthekeysinthekeysetDarechosen,i.e.,I=I,thesignaturehasfullf-bitsecurity.Iffewerkeysarechosen,i.e.,II,thesecuritywillbedjIjbitsaspreviouslyshowninSection 3.3.2 .ThesignaturewithI=;hasnosecurityandmustbeavoided. 3.4.3UsablekeycombinationAccordingtoouranalysisinSections 3.3.2 and 3.3.3 ,onceahashcollisionforaparticularIisfound,anattackercancreateaforgedsignatureforthatI.Tocounteractthissituation,thesignercanchangeIoncethecryptoperiodofthatparticulardjIj-bitsecurityisexpired.ThenumberofavailablekeyselectionscanbecomputedasthebinomialcoefcientofgchoosejIj,i.e.,)]TJ /F8 7.97 Tf 7.12 -4.36 Td[(gjIj.Table 3-1 showssomesampleparametersettingsandtheircorrespondingnumberofusableIcombinations. 77

PAGE 78

3.4.4OverheadsWhilealargegallowsne-grainedcontrolofthesignaturestrengthandalargenumberofavailablesignatures,italsoincreasesprotocoloverhead.Inthissection,weanalyzedifferentoverheadsofMRECSandcomparethemwiththoseofSFI.Throughoutthissection,weassumethehashsizeishalfoftheellipticcurvesize,i.e.,n=2f,andthesizeofanencryptedmessageeisthesameasthecurvesize[ 24 ].3Bothapproachesareassumedtosupportgdifferentbitstrengthsrangingfromf=gtofbits.Lettheactualstrengthofthesignatureequaltofbits,whereisasecurityfractionequaltojIj g,jIj2f1,2,...,gg. 3.4.4.1StorageoverheadTheMRECSstoragerequirementgrowsproportionallytogsincethenumberofkeysinthekeysetisdeterminedbyit.TheSFIapproachhasanadvantageoverMRECSinthisaspectsinceitrequiresstorageofasetofgdecreasingsizekeyswhileMRECSneedstostoregfull-sizedkeys.Tobespecic,anMRECSkeysetrequiresgn=2gfbitswhileSFIrequiresgXi=1i2d=2dgXi=1i=2dg(g+1) 2=(g+1)fbitsofstoragespace.Ontheotherhand,allMRECSkeyssharethesamecurveparameterswhichareeasiertomanageandrequirelessstoragethanSFI'sgparametersets,whereeachofthemdenesadifferentellipticcurve.Theparametersofan-bitcurverequireatleast 3Amoredetailedanalysis,whichproposesthattheencryptedmessagesizecanbesmallerthann,canbefoundin[ 25 ]. 78

PAGE 79

6nbitsforFpand4nbitsforF2m[ 20 ].Usingbinarycurves,SFIhastostore4gXi=1(i(2d))=8dgXi=1i=8dg(g+1) 2=4(g+1)fbitsofparameterswhileMRECSonlyneeds4n=8fbits.Figure 3-2 showsthatMRECS'storageoverheadadvantageoverSFIlinearlyincreaseswithg. 3.4.4.2CommunicationoverheadThecommunicationoverheadalsoslightlyincreasesfromtransmittingIasapartofMRECSsignature.TransmittingIcanbedoneusingeitherabitmaporasetofindiceswiththeoverheadofgandjIjlog2gbitsrespectively.MRECSalsodoesnotbenetfromsignaturesizereductionwhentransmittingaweakersignature;instead,italwaystransmitsafull-sizedsignatureregardlessofitscryptographicstrength.Hence,thesignatureofMRCESisxedat2n=4fbitswithanextragbitsfortransmittingI;meanwhile,anSFIsignaturewithf-bitsecurityhasasizeof4fbitsasshowninFigure 3-3 .However,theMRECSdisadvantageismitigatedbyhavingalongercryptoperiodthanSFIwhichisexplainedinthenextsection. 3.4.4.3ComputationaloverheadThemainpurposeofMRECSisprovidingsignersanoptiontoreducereceiver-sidecomputationaloverhead,whichisachievedthroughdecreasingtheSMofQi.Sincethesignaturecomponentscannotbereduced,MRECSvericationoverheadwillhaveaxedcostofCn(n)ineverysignatures.Forf-bitsecurityprotection,anMRECS 79

PAGE 80

signature carries a computational overhead of
$$C_n(n) + |I|\,C_n(d) = C_n(2gd) + |I|\,C_n(d) = (2g + |I|)\,C_n(d) = g(2+\rho)\,C_n(d) = (2+\rho)\,C_n(f),$$
while SFI carries two SMs with the cost of
$$C_{\rho n}(\rho n) + C_{\rho n}(\rho f) = C_{\rho n}(2\rho f) + C_{\rho n}(\rho f) = 2\rho^2 C_n(f) + \rho^2 C_n(f) = 3\rho^2 C_n(f),$$
where $C_y(x)$ denotes the cost of a scalar multiplication by an $x$-bit integer on a $y$-bit curve and is taken to scale linearly with both $x$ and $y$. As shown in Figure 3-4, the maximum overhead reduction of MRECS is approximately 33%, since an MRECS signature still retains a full $n$-bit ECDLP regardless of its security fraction. Assuming all curves are over $\mathbb{F}_{2^m}$ and the bitmap technique is used to represent $I$, Table 3-2 summarizes the overheads of MRECS and SFI discussed in this section.

3.5 Key Lifetime

Key lifetime is difficult to estimate accurately due to various factors, e.g., the discovery of a new attacking technique, hardware cost, the attacker's budget, inflation adjustment, etc. Hence, the key lifetime analysis presented here is intended as a comparison between MRECS and SFI only, not as a key management guideline. Since the number of steps to solve the ECDLP using Pollard's Rho method is $\sqrt{\pi 2^n/4}$ [26], we assume that $T(n)$, the cryptoperiod of an $n$-bit elliptic curve signature, also grows proportionally to the number of steps, i.e.,
$$T(n) = \sqrt{\frac{\pi\, 2^n}{4}} \qquad (3)$$
A similar time complexity has been confirmed by Bernstein et al. in their Pollard's Rho implementation for Certicom's ECC2K-130 challenge [61]. From Equation 3, we can derive the cryptoperiod of a $\rho n$-bit signature as
$$T(\rho n) = \sqrt{\frac{\pi\,2^{\rho n}}{4}} = \sqrt{\frac{\pi\,2^{n+(\rho-1)n}}{4}} = \sqrt{\frac{\pi\,2^{n}}{4}\,2^{(\rho-1)n}} = 2^{0.5n(\rho-1)}\sqrt{\frac{\pi\,2^{n}}{4}} = 2^{0.5n(\rho-1)}\,T(n),$$
which also represents the cryptoperiod of an SFI key of the same length. Meanwhile, an MRECS signature of the same strength lasts $\binom{g}{|I|}$ times longer than SFI according to the analysis in Section 3.4.3. Using the ECDLP breaking speed with 20,000 GPUs and $n = 224$ from [61], we calculate the key lifetime graph in Figure 3-5, which shows that MRECS' key lifetime advantage over SFI increases with $g$. The number of rekeying operations required during the $T(n)$ period for a $\rho n$-bit key can simply be calculated from $\lfloor T(n)/T(\rho n)\rfloor$. For SFI, the number of rekeying operations is
$$\frac{T(n)}{T(\rho n)} = \frac{T(n)}{2^{0.5n(\rho-1)}\,T(n)} = 2^{0.5n(1-\rho)}$$
for the duration of its lifetime. Since MRECS keys last $\binom{g}{|I|}$ times longer than SFI's keys, the number of rekeying operations that MRECS needs to perform during its lifetime is
$$\left\lfloor \frac{2^{0.5n(1-\rho)}}{\binom{g}{|I|}} \right\rfloor.$$
Depending on the key size and $g$, the rekeying advantage MRECS has over SFI varies from one to several orders of magnitude, as shown in Table 3-3. The improvement is largest when the key size equals $0.5n$, i.e., $|I| = g/2$, due to the binomial distribution characteristic of the $I$ selection process.

3.6 MRECS Rekeying

When any MRECS signature reaches its lifetime, the private key owner needs to recalculate and redistribute a new MRECS public key set to the intended receivers. In a traditional digital signature with a single key, the signer sends out a new public key signed with the soon-to-be-discarded key. Once the receiver verifies the authenticity of the signed message, it replaces the old key with the new one it just received. This conventional approach works well enough since there is only one key to be replaced. However, MRECS schemes have significantly more keys to propagate to the network, depending on the value of $g$. This is not suitable for operating in a sensor network environment due to the relatively high energy consumption of wireless transmission. In this section, we explore three different re-keying approaches to reduce the communication overhead in MRECS schemes. First, let $Q$ be a public key set with $g$ keys, i.e., $Q = \{Q_1, Q_2, \ldots, Q_g\}$. The objective of the re-keying process is to replace $Q$ with a new key set $Q'$. Next, let an arrow ($\leftarrow$) be the assignment operator, where $A \leftarrow B$ means an elliptic curve public key $A$ is replaced by the value of another elliptic curve public key $B$.

3.6.1 Traditional approach

Using the same approach as a single key replacement, the sender signs and broadcasts a new key set $N = \{N_1, N_2, \ldots, N_g\}$ to the receivers. After verifying the message, the recipients simply replace the old key set with the new one, i.e., $Q'_i \leftarrow N_i$, $i \in \{1, 2, \ldots, g\}$. This approach requires the sender to transmit $g$ keys over the network, with no EC operation required at the receiving end.
3.6.2 Addition approach

Because an ECC public key is a point on an elliptic curve that supports the add operation, the sender can send only one new key $Q_n$ instead of transmitting several keys to the receiver. All the current public keys are then added to $Q_n$ to derive a new set of keys, i.e., $Q'_i \leftarrow Q_i + Q_n$, $i \in \{1, 2, \ldots, g\}$, as shown in Figure 3-6. The signer updates its private keys in the same way, $d'_i = d_i + d_n$ (reduced modulo the curve order), so that $Q'_i = d'_i G$ still holds. This approach reduces the communication overhead to only one key but requires a total of $g$ elliptic point additions to be performed. The new elliptic point $Q_n$ becomes a single point of failure, and an attacker can benefit from focusing more effort on breaking it.

3.6.3 Chaining approach

This approach improves upon the addition approach by connecting all the keys together via chain addition, i.e., $Q'_1 \leftarrow Q_1 + Q_n$ and $Q'_i \leftarrow Q_i + Q'_{i-1}$, $i \in \{2, 3, \ldots, g\}$. This method removes the single point of failure in the previous approach by having the keys down the chain derived from the keys before them. As shown in Figure 3-7, this approach has the same communication and computational overhead as the addition approach, but the attackers now have to break a total of $i$ keys in order to break the key $Q'_i$.

3.6.4 Double cyclic chaining approach

The chaining approach creates dependencies among public keys in the set, but they are unbalanced because a key farther down the chain has more keys from which it is derived. The double cyclic chaining approach alleviates this problem by applying chain addition twice, while feeding the last key on the chain back to the first key at the beginning of the next round, as shown in Figure 3-8. This approach still requires the sender to broadcast only one key, but the computational overhead is now $2g$ point addition operations. There is no benefit in adding more rounds to this approach, since no new information is introduced into the system and two rounds are enough to diffuse $Q_n$ into all the keys.
3.7 Conclusion

In this chapter, we have proposed a novel elliptic curve digital signature scheme called MRECS that supports multi-resolution signatures. Based on the ECPVS protocol, we partition the hash value and assign each partition to a different key during the signing process. The signature's strength can then be adjusted by choosing how many keys are included in the signature calculation. The result is a signature scheme that requires less storage and has a longer key lifetime. MRECS' communication overhead does not benefit from size reduction and remains at a constant size; however, a longer cryptoperiod can reduce the cost when compared to the straightforward implementation. The MRECS scheme can achieve a moderate reduction in computational cost, by up to one-third of the full-sized signature, while maintaining a full-strength ECDLP regardless of the signature strength. Future research should focus on further reducing the computational cost by weakening MRECS' ECDLP. Another potential improvement is increasing the usable number of key combinations, especially for small $|I|$ signatures, whose key lifetimes are relatively short.
Figure 3-1. Hash partitioning

Figure 3-2. Storage overhead comparison between MRECS and SFI, $f = 112$
Table 3-1. Number of usable signatures for a few possible hash partitionings ($g$) with $f = 112$

                             Cryptographic strength (bits)
  g   112  105   98   91    84    77    70     63     56     49    42    35    28   21   14   7
  4     1    -    -    -     4     -     -      -      6      -     -     -     4    -    -   -
  8     1    -    8    -    28     -    56      -     70      -    56     -    28    -    8   -
 16     1   16  120  560  1820  4368  8008  11440  12870  11440  8008  4368  1820  560  120  16
Figure 3-3. Communication overhead comparison between MRECS and SFI, $f = 112$, $g = 16$

Figure 3-4. Computational overhead comparison between MRECS and SFI, $f = 112$, $n = 224$
Figure 3-5. Key lifetime comparison between SFI and MRECS with different key partitions $g$

Table 3-2. Overhead comparison between the MRECS and SFI schemes, where $C_y(x)$ is the computational cost of a scalar multiplication with an $x$-bit integer on a $y$-bit curve

  Protocol   Storage (bits)   Communication (bits)   Computation (verify)
  MRECS      $2(g+4)f$        $4f + g$               $(2+\rho)\,C_n(f)$
  SFI        $5(g+1)f$        $4\rho f$              $3\rho^2\,C_n(f)$
Table 3-3. Number of rekeying operations for different values of $g$ and key size ($\rho n$) that SFI and MRECS require to perform during their lifetimes, where $n = 224$

  Key size            Number of rekeying operations
  (bits)     SFI         g = 16      g = 8       g = 4
    14       4.06e31     2.54e30
    28       3.17e29     2.64e27     3.96e28
    42       2.48e27     4.42e24
    56       1.93e25     1.06e22     6.91e23     4.84e24
    70       1.51e23     3.46e19
    84       1.18e21     1.47e17     2.11e19
    98       9.22e18     8.06e14
   112       7.21e16     5.60e12     1.03e15     1.20e16
   126       5.63e14     4.92e10
   140       4.40e12     5.49e8      7.85e10
   154       3.44e10     7.87e6
   168       2.68e8      1.47e5      9.59e6      6.71e7
   182       2.09e6      3744
   196       16384       136         2048
   210       128         8

Figure 3-6. A re-keying diagram for the addition approach
Figure 3-7. A re-keying diagram for the chaining approach

Figure 3-8. A re-keying diagram for the cyclic chaining approach
CHAPTER 4
IMPROVING MRECS WITH DUAL SECRET KEY SETS

One major drawback of the MRECS protocol in Chapter 3 is the insufficient number of usable key combinations for weak signatures, since the binomial $\binom{g}{|I|}$ peaks at $|I| = g/2$ and rapidly declines as $|I|$ approaches one. This situation significantly limits the benefit of using short MRECS signatures. The proposed improvement in this chapter directly addresses this shortcoming by extending the lifetime of all signature sizes. By introducing an additional key set to MRECS, we allow an MRECS signature to be strengthened while maintaining the same scalar multiplication size. The additional key set also features a new storage reduction technique to mitigate the impact of the second key set on storage space. The new protocol is called MRECS with dual secret key sets (MRECS/DS).

The rest of the chapter is organized as follows. First, Section 4.1 explains the rationale behind the MRECS/DS design. Section 4.2 then lays some groundwork on the organization and key generation of the second key set. Next, Section 4.3 describes the MRECS/DS protocol in detail. Section 4.4 analyzes the potential attacks and compares the results with MRECS. Section 4.5 analyzes and compares several features of MRECS/DS with MRECS. Finally, Section 4.6 concludes this chapter and suggests some potential future research topics.

4.1 Design Overview

As shown in Equation 3, the primary reason MRECS signatures are susceptible to attacks against the hash value $f$ is that the bindings between secret keys $d_i$ and hash partitions $f_i$ only occur within the selected key set $I$. Once a collision has been found, the attacker can eliminate all the hashes in $I$ and bypass the ECDLP, since all the hashes excluded from $I$ are discarded and provide no protection for MRECS. In MRECS/DS, we multiply the residue element $s$ in Equation 3 with a private key randomly selected from a second key set. This second key selection is determined using
the hash values excluded from the first key selection, i.e., $f_i$, $i \in \mathcal{I} - I$. To completely compromise the hash, the attacker is now required to find not only collisions with all the hashes in $I$ but also a hash that picks the same key to be multiplied with $s$. With this modification, the collision space of the preimage attack is extended from the original $\rho f$ bits of MRECS to include some hashes in $\mathcal{I} - I$. The number of bits added by this improvement depends on how many keys are available to be picked in the second key set. If the key selection follows a straightforward hash selection, the second key set has to be prohibitively large to accommodate any significant number of hash extensions: extending the hash by $x$ bits requires $2^x$ keys, so the number of keys grows exponentially as $x$ increases. The extra storage overhead imposed by this basic key selection process limits the usability of MRECS/DS. By using the elliptic curve's point addition, we create a new key selection process that can generate more key choices than the basic approach with minimal computational impact on the verification process.

4.2 The Second Key Set Organization

Before MRECS/DS can be described in more detail, the organization and key selection of the second key set have to be explained. Let $D_2$ be the second key set with $r$ private keys $d_{21}, d_{22}, \ldots, d_{2r}$ ($|D_2| = r$), where $d_{2i} \in [1, n-1]$ and $n$ is the curve order. Let $Q_2 = \{Q_{21}, Q_{22}, \ldots, Q_{2r}\}$ be the corresponding public key set, where $Q_{2i} = d_{2i}G$. Let $f_x$ be an $f_x$-bit hash value that $D_2$ has to accommodate, i.e., $D_2$ must be able to provide $2^{f_x} - 1$ distinct keys: a unique key for each hash value (a hash value of 0 is not used). A naive approach to achieve $2^{f_x} - 1$ possible key selections is to generate $r = 2^{f_x} - 1$ keys for $D_2$ and $Q_2$. To avoid storing this prohibitively large number of keys, we propose a new key combining technique whose storage overhead grows linearly with $f_x$.
4.2.1 The second key set size

Since scalar multiplication on elliptic curves over finite fields distributes over addition, we can add multiple private keys together to create a new private key for the signer. For example, suppose we have two public/private key pairs $Q_a = d_aG$ and $Q_b = d_bG$, where $G$ is the curve's base point. A new key pair $Q_c$ and $d_c$ can be created by adding both keys together as $d_c = d_a + d_b$ (reduced modulo the curve order $n$) and $Q_c = Q_a + Q_b$, because the public/private key pair relationship is not affected by the point addition, as shown by the following calculation:
$$d_c = d_a + d_b,\qquad d_cG = (d_a + d_b)G = d_aG + d_bG,\qquad Q_c = Q_a + Q_b.$$
Using this technique to create new keys, a key set with $r$ keys can generate a total of
$$\sum_{i=0}^{r}\binom{r}{i}$$
possible key combinations. Since a combination without any key, i.e., $i = 0$, cannot be used, the number of keys $r$ required to create $2^{f_x} - 1$ selections is given by
$$\sum_{i=1}^{r}\binom{r}{i} = 2^{f_x} - 1,\qquad \Big(\sum_{i=0}^{r}\binom{r}{i}\Big) - 1 = 2^{f_x} - 1,\qquad 2^r - 1 = 2^{f_x} - 1,\qquad r = f_x.$$
Using point addition to create new points, the sizes of $D_2$ and $Q_2$ can now be smaller than the number of all possible values of $f_x$. To maintain a mapping between hash values and elliptic curve keys, we define a table $T_2$ to be a key mapping table which matches all $2^{f_x} - 1$ values of $f_x$ to a set of key indices to be included in the calculation. The key mapping table $T_2$ allows signers and signature verifiers to agree upon which keys from $D_2$ (signer) or $Q_2$ (verifier) are used for the key calculation for a particular hash value. For example, an MRECS/DS signature with $T_2$ as shown in Table 4-1 and $f_x = 5$ will use $d_{21} + d_{23}$ for the signing process and $Q_{21} + Q_{23}$ for the verification.

The number of key combinations can be increased further by mixing point subtractions into the calculation. This modification does not introduce any additional overhead over the addition-only approach, since the computational cost of negating a point is negligible [42]. With two possible values, $+d_i$ and $-d_i$, for each key $d_i$, a summation with $i$ keys now has $2^i$ different values, e.g., there are four different keys constructed from $d_1$ and $d_2$: $d_1 + d_2$, $d_1 - d_2$, $-d_1 + d_2$, and $-d_1 - d_2$. However, not every key calculated from point subtraction can be used. To be more specific, two keys that totally negate each other are considered equivalent and only one of them can be present in $T_2$, e.g., $-d_1 - d_2$ can be written as $-(d_1 + d_2)$, which is the additive inverse
of $d_1 + d_2$. Hence, half of the $2^i$ keys are unusable, which gives $D_2$ and $Q_2$ a new size of
$$\sum_{i=1}^{r}\left\lceil\frac{\binom{r}{i}2^i}{2}\right\rceil = 2^{f_x} - 1,\qquad \frac{1}{2}\Big(\sum_{i=0}^{r}\binom{r}{i}2^i\Big) \approx 2^{f_x},\qquad \frac{1}{2}(1+2)^r \approx 2^{f_x},\qquad r = \lceil \log_3(2)\,(f_x + 1)\rceil \qquad (4)$$
keys, where the two approximate steps drop the ceilings and the $-1$ of the exact count. Table 4-2 shows an example of $T_2$ with the key subtraction technique applied. For example, a signature with $f_x = 5$ in this scenario will use $d_{21} - d_{22}$ for the signing process and $Q_{21} - Q_{22}$ for the signature verification.

4.2.2 Multiple sizes hash extension support

A key mapping table $T_2$ that supports up to an $f_x$-bit hash value can also be used to map a smaller hash value. A $f_y$-bit hash $f_y$, where $f_y$
key set $D = \{d_1, d_2, \ldots, d_g\}$ to $D_1 = \{d_{11}, d_{12}, \ldots, d_{1g}\}$ and its corresponding public key set $Q$ to $Q_1$, to be consistent with the naming convention of the second key sets $D_2$ and $Q_2$.

Pre-deployment

1. Follow the MRECS pre-deployment procedure in Section 3.2.1 to set up $D_1$ and $Q_1$ and also to decide on the choice of $g$.
2. Choose a maximum hash extension size $f_x$ for MRECS/DS, such that the total bit size of the hash extension and $d$ does not exceed $f$, i.e., $f_x \le \frac{g-1}{g} f$.
3. Generate $r$ private keys for $D_2 = \{d_{21}, d_{22}, \ldots, d_{2r}\}$, where $r$ is calculated from Equation 4 and $d_{2i} \in [1, n-1]$.
4. Generate a public key set $Q_2 = \{Q_{21}, Q_{22}, \ldots, Q_{2r}\}$, where $Q_{2i} = d_{2i}G$.
5. Create a key mapping table $T_2$ according to Section 4.2.
6. Distribute $Q_1$, $Q_2$ and $T_2$ to the receivers.

Signature generation (Signing)

1. Split a message $M$ into two parts, $M_1$ and $M_2$, where $M_1$ contains information that can identify $M_2$ and $|M_1| \le n$.
2. Pick a per-message random integer $k$ from $[1, n-1]$.
3. Compute $R = kG$. If $R = \mathcal{O}$, go back to step 2.
4. Calculate $e = E_R(M_1)$, where $E_R$ represents symmetric key encryption with a key based on $R$.
5. Let the set $\mathcal{I}$ contain all the indices of the key sets. Then, let $I \subseteq \mathcal{I}$ be the set of indices of $D_1$ that will be included in the signature, and $I^c$ be the set of excluded indices, i.e., $I^c = \mathcal{I} - I$.
6. Let $f_m$ be the bit size of the hash extension chosen for this particular signature. $f_m$ should be smaller than $(g - |I|)d$, since a larger value creates a signature with a hash strength that exceeds $f$ bits. The MRECS/DS hash strength calculation is explained further in Section 4.4.
7. After $I$ is chosen, the sender generates the hash $f = \mathrm{hash}(e \,\|\, M_2 \,\|\, I \,\|\, f_m)$ of size $f$ bits, where $\|$ denotes concatenation.
8. Partition $f$ into $g$ equally-sized $d$-bit numbers, $f_1, f_2, \ldots, f_g$, as shown in Figure 3-1. Each partition $f_i$ is defined as $f_i = \lfloor f/2^{(i-1)d}\rfloor \bmod 2^d$. Consequently, $f_i$ contains bits $b_{(i-1)d}$ through $b_{id-1}$, where $b_i$ is the $i$-th bit of $f$ counting from the least significant bit $b_0$.
9. Derive a hash $f_m$ of size $f_m$ bits from all the hash values in $I^c$.
10. Perform a table lookup of $f_m$ on $T_2$. Generate a randomized secret key $d_2$ from $D_2$ according to the $T_2$ entry.
11. Compute the residue element $s$ from the following equation:
$$s \equiv (d_2)^{-1}\Big(k - \sum_{I} f_i\, d_{1i}\Big) \pmod n \qquad (4)$$
12. The digital signature of message $M$ is $s$, $e$, $I$, and $f_m$.

Signature verification

1. Compute the hash $f' = \mathrm{hash}(e \,\|\, M_2 \,\|\, I \,\|\, f_m)$ and partition it with the same procedure as in the signing process.
2. Derive an $f_m$-bit hash $f'_m$ from the $f'$ partitions in $I^c$.
3. Perform a $T_2$ lookup with $f'_m$ and calculate the combined key $Q_2$ from the key set $\{Q_{21}, \ldots, Q_{2r}\}$ according to the result.
4. Compute the elliptic curve point
$$R' = sQ_2 + \sum_{I} f'_i\, Q_{1i} \qquad (4)$$
and make sure $R' \ne \mathcal{O}$.
5. The signature is verified if and only if $M_1$ can be decrypted from $e$ using $R'$ and the information correctly identifies $M_2$.

MRECS/DS's correctness

Proposition 4.1. $R' = R \iff s, e, I$ and $f_m$ are valid.
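The following is an added example, not code from the dissertation: a runnable version of the signing and verification steps above (Section 4.3), which also exercises the three re-keying rules of Section 3.6 on the same curve arithmetic. It assumes secp256k1 in place of the thesis's curve, instantiates $E_R$ as a SHA-256-keyed one-time pad, replaces the table $T_2$ with a deterministic hash-seeded key selection in the spirit of Section 4.5.2, and signs constructed messages; all function names and parameter values are the example's own choices.

```python
"""Added example (not the dissertation's code): MRECS/DS signing and verification as in
the Section 4.3 procedure, plus the Section 3.6 re-keying rules, on secp256k1.  Assumed:
secp256k1 stands in for the thesis's curve, E_R is a SHA-256(R.x)-keyed one-time pad, the
T2 table is replaced by a hash-seeded selection (cf. Section 4.5.2), messages are made up."""
import hashlib, math, secrets
from functools import reduce
P = 2**256 - 2**32 - 977                                   # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None                                                   # point at infinity
G_KEYS, D_BITS, FX = 8, 16, 32          # g partitions of d bits (f = 128 bits), max f_x
R_KEYS = math.ceil(math.log(2, 3) * (FX + 1))              # |D2| from Equation (4)

def add(p1, p2):
    """Affine addition/doubling on y^2 = x^3 + 7 over F_P."""
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return O
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, k = O, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def encrypt(R, data):
    """E_R: one-time pad keyed by SHA-256(R.x); the same call decrypts (|data| <= 32)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(R[0].to_bytes(32, "big")).digest()))

def partitions(e, m2, I, fm_bits):
    """f = hash(e || M2 || I || fm), cut to g*d bits and split into g d-bit pieces f_1..f_g."""
    digest = hashlib.sha256(e + m2 + bytes(I) + bytes([fm_bits])).digest()[:G_KEYS * D_BITS // 8]
    f = int.from_bytes(digest, "big")
    return [(f >> (i * D_BITS)) & ((1 << D_BITS) - 1) for i in range(G_KEYS)]

def extension(parts, I, fm_bits):
    """The fm-bit hash extension, derived from the partitions outside I (I^c)."""
    excluded = [parts[i] for i in range(G_KEYS) if i not in I]
    return reduce(lambda acc, p: (acc << D_BITS) | p, excluded, 0) & ((1 << fm_bits) - 1)

def select_d2(fm_value, fm_bits):
    """Stand-in for the T2 lookup: a hash-seeded signed subset of D2.  The first chosen
    key is always added, so a combination and its negation never both occur."""
    seed = int.from_bytes(hashlib.sha256(b"T2" + bytes([fm_bits]) + fm_value.to_bytes(16, "big")).digest(), "big")
    picked = [(i, -1 if seed >> (2 * i + 1) & 1 else 1) for i in range(R_KEYS) if seed >> (2 * i) & 1] or [(0, 1)]
    return [(picked[0][0], 1)] + picked[1:]

def sign(d1, d2, m1, m2, I, fm_bits):
    """Signing steps 2-12 for a chosen I (0-based indices into D1) and extension size fm."""
    assert 0 < len(I) <= G_KEYS and fm_bits <= (G_KEYS - len(I)) * D_BITS
    while True:
        k = secrets.randbelow(N - 1) + 1
        e = encrypt(mul(k, G), m1)                                   # e = E_R(M1) with R = kG
        parts = partitions(e, m2, I, fm_bits)
        sel = select_d2(extension(parts, I, fm_bits), fm_bits)       # T2 lookup on f_m
        d2_sel = reduce(lambda a, b: (a + b) % N, [d2[i] if sg > 0 else -d2[i] % N for i, sg in sel])
        s = pow(d2_sel, -1, N) * (k - sum(parts[i] * d1[i] for i in I)) % N   # Equation (4)
        if s: return s, e, I, fm_bits

def verify(Q1, Q2, sig, m2):
    """Verification steps 1-5; returns the recovered M1 or None if the signature is invalid."""
    s, e, I, fm_bits = sig
    parts = partitions(e, m2, I, fm_bits)
    sel = select_d2(extension(parts, I, fm_bits), fm_bits)
    Q2_sel = reduce(add, [Q2[i] if sg > 0 else (Q2[i][0], -Q2[i][1] % P) for i, sg in sel])
    Rp = mul(s, Q2_sel)
    for i in I: Rp = add(Rp, mul(parts[i], Q1[i]))               # R' = s*Q2 + sum_I f'_i Q_1i
    if Rp is O: return None
    m1 = encrypt(Rp, e)                                          # decrypt M1 with R'
    return m1 if m1[-8:] == hashlib.sha256(m2).digest()[:8] else None   # M1 must identify M2

def rekey(keys, new, mode, plus):
    """Section 3.6: mode is 'addition', 'chaining' or 'double' (double cyclic chaining).
    Use plus=add on public keys and plus=scalar addition on the signer's private keys."""
    if mode == "addition": return [plus(k, new) for k in keys]
    cur, prev = list(keys), new
    for _ in range(1 if mode == "chaining" else 2):      # round 2 starts from the last key
        cur = [prev := plus(k, prev) for k in cur]
    return cur

def demo():
    """Sign, verify, reject a tampered M2, and check that re-keying keeps Q_i' = d_i' G."""
    d1 = [secrets.randbelow(N - 1) + 1 for _ in range(G_KEYS)]
    d2 = [secrets.randbelow(N - 1) + 1 for _ in range(R_KEYS)]
    Q1, Q2 = [mul(d, G) for d in d1], [mul(d, G) for d in d2]
    m2 = b"temp=21.5C seq=42"                                  # constructed broadcast body M2
    m1 = b"node-7" + hashlib.sha256(m2).digest()[:8]           # recoverable part M1, tags M2
    sig = sign(d1, d2, m1, m2, I=[0, 3, 5], fm_bits=32)        # |I| = 3 of g = 8, 32-bit f_m
    ok, forged = verify(Q1, Q2, sig, m2) == m1, verify(Q1, Q2, sig, m2 + b"!") is None
    dn, scalar_add = secrets.randbelow(N - 1) + 1, lambda a, b: (a + b) % N
    consistent = all(mul(dp, G) == Qp for mode in ("addition", "chaining", "double")
                     for dp, Qp in zip(rekey(d1, dn, mode, scalar_add), rekey(Q1, mul(dn, G), mode, add)))
    return ok, forged, consistent
```

`demo()` returns `(True, True, True)` when the signature verifies, a signature replayed against a tampered $M_2$ is rejected, and each re-keying rule yields the same $Q'_i = d'_i G$ whether run on the public points or on the signer's scalars. Two details matter in practice: the verifier must apply the same deterministic $T_2$ selection as the signer (here both call `select_d2` on the extension derived from $I^c$), and verification step 5 is not optional, because $R'$ can always be computed and decrypted to some byte string; only the check that the recovered $M_1$ identifies $M_2$ ties $e$ to the message.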

Proof. $s, e, I$ and $f_m$ are valid $\Rightarrow R' = R$:
$$R' = sQ_2 + \sum_{I} f_i\, Q_{1i} \quad\text{(from Equation 4)}
 = s\, d_2 G + \sum_{I} f_i\, d_{1i} G
 = \Big(s\, d_2 + \sum_{I} f_i\, d_{1i}\Big) G
 = kG \quad\text{(from Equation 4)}
 = R.$$

Proof. $s, e, I$ and $f_m$ are invalid $\Rightarrow R' \ne R$:
$$s\, d_2 + \sum_{I} f_i\, d_{1i} \ne k \quad\text{(since $s, e, I$ and $f_m$ are invalid)},$$
$$\Big(s\, d_2 + \sum_{I} f_i\, d_{1i}\Big) G \ne kG,\qquad sQ_2 + \sum_{I} f_i\, Q_{1i} \ne R,\qquad R' \ne R.$$

4.4 Attacks on MRECS/DS' Hash

Similar to MRECS, there are two possible points of attack on an MRECS/DS signature: the private key sets $D_1$, $D_2$ and the hash value $f$. Attacking MRECS/DS' ECDLP is comparable to attacking that of MRECS. On the other hand, finding a collision of the hash $f$ is harder with MRECS/DS' hash extension. Since attacking the ECDLP in MRECS/DS is similar to MRECS, we only focus on hash collision attacks in this section.

The preimage attack against the hash $f$ can be analyzed in a manner similar to the attack against MRECS' hash. The attacker's goal is to generate a signature $\bar{s}$ and $\bar{e}$ from an authentic one using the vulnerability described in Section 1.2.4. First, he creates a new EC point from $R$ by adding a random EC point $aQ_2$, $a \in \mathbb{Z}$, to Equation 4. This method will result
as if a new random point $\bar{R}$ had been created as follows:
$$R + aQ_2 = sQ_2 + aQ_2 + \sum_{I} f_i\, Q_{1i},\qquad \bar{R} = (s + a)Q_2 + \sum_{I} f_i\, Q_{1i}. \qquad (4)$$
The attacker then uses the new random EC point $\bar{R}$ and a new message $\bar{M}$ to calculate a new hash $\bar{f} = \mathrm{hash}(E_{\bar{R}}(\bar{M}) \,\|\, I \,\|\, f_m)$. A new $f_m$-bit hash extension $\bar{f}_m$ is generated from $\bar{f}$ which, in turn, produces a new randomized second public key $\bar{Q}_2$ through a $T_2$ lookup. Subsequently, he must find a new $\bar{s}$ that fits into the new signature equation
$$\bar{R} = \bar{s}\,\bar{Q}_2 + \sum_{I} \bar{f}_i\, Q_{1i}. \qquad (4)$$
Then, he combines Equation 4 with Equation 4 to get the following equations:
$$\bar{s}\,\bar{Q}_2 + \sum_{I} \bar{f}_i\, Q_{1i} = (s + a)Q_2 + \sum_{I} f_i\, Q_{1i},$$
$$\bar{s}\,\bar{Q}_2 = (s + a)Q_2 + \sum_{I}(f_i - \bar{f}_i)\, Q_{1i},$$
$$\bar{s}\,\bar{d}_2 = (s + a)\, d_2 + \sum_{I}(f_i - \bar{f}_i)\, d_{1i}, \qquad (4)$$
where $d_2$ and $\bar{d}_2$ are the corresponding private keys of $Q_2$ and $\bar{Q}_2$ respectively. Without knowledge of $D_1$ and $D_2$ in Equation 4, the attacker cannot find a new $\bar{s}$ without solving the ECDLP for the private keys. If the attacker uses a hash collision attack similar to that on MRECS, i.e., finding an $a$ that causes a hash collision ($\bar{f}_i = f_i$, $\forall i \in I$), he will have the following equation:
$$\bar{s}\,\bar{d}_2 = (s + a)\, d_2.$$
The new residue element $\bar{s}$ still cannot be determined, due to the unknown private keys $d_2$ and $\bar{d}_2$. However, if the attacker can find an $a$ that also generates $\bar{f}_m = f_m$, which results in $\bar{d}_2 = d_2$, he can calculate $\bar{s}$ from $\bar{s} = s + a$
and successfully compromise the signature. In conclusion, a hash collision of $f_m$ and of all $f_i$ in $I$ must be achieved in order to compromise an MRECS/DS signature. The search space for the hash attack on MRECS/DS is $f_m + \rho f$ bits, compared to $\rho f$ bits in MRECS. In other words, an MRECS/DS signer can extend the MRECS signature's hash strength by $f_m$ bits, and $f_m$ is also adjustable from a minimum of 0 to a maximum of $(g-1)d$ bits. The effect of the added hash strength on the key lifetime is shown in Figure 4-3, using the same settings as Figure 3-5.

4.5 Protocol Analysis

While MRECS/DS signatures provide more security than those of MRECS, they also introduce computational and storage overhead into the protocol. In this section, we analyze how $D_2$ and $f_m$ affect the security and overhead of MRECS/DS.

4.5.1 Key collision

As we already stated in Section 4.4, MRECS/DS' resistance against hash collision attacks is $f_m + |I|d$ bits. The additional $f_m$-bit security comes from the extra collision space between $d_2$ and $\bar{d}_2$. However, we still have not addressed the possibility of a collision between two different key combinations, i.e., two different entries of $T_2$, that result in the same $d_2$ value. To calculate the probability of collision, we need to find the number of possible key combinations that can be generated from $D_2$ of size $r$. From the maximum value of $f_x$ outlined in Section 4.3, we can derive the number of possible key combinations in terms of the elliptic curve size $n$ as follows:
$$2^{f_x} = 2^{\frac{g-1}{g}f} = 2^{\frac{g-1}{2g}n} \qquad (4)$$
Following the birthday problem analysis in [62], we define $CP(N, q)$ as the probability of having at least one collision among $q$ random integers selected from $[1, N]$ as
$$CP(N, q) \approx 1 - e^{-\frac{q^2}{2N}},$$
where $q$ is the value from Equation 4 and $N$ is the $2^n$ collision space. With $n = 224$ and $g = 16$, the probability of collision is $3.051 \times 10^{-5}$, which is approximately a one in 32,000 chance of occurring. The collision probabilities for smaller $g$ values are lower and can be neglected. Even if a collision occurs, it can be easily detected during the key set generation process and does not produce any overhead during MRECS/DS operations.

4.5.2 Storage overhead

The second key set is a major contributing factor to the extra storage overhead MRECS/DS has over MRECS. However, the key combination approach used by $D_2$ and $Q_2$ significantly reduces the overhead required by the second key set. MRECS/DS' storage overhead for the second key set is $\lceil \log_3(2)(f_x + 1)\rceil\, n$ bits, which grows linearly with $f_x$ as shown in Figure 4-1. To accommodate $|D_2| = r$, a naive $T_2$ implementation requires $r$ bits to represent the key selection and another $r$ bits to represent the signs, for a total of $2r$ bits per entry. This approach creates a prohibitively large storage requirement, since the number of entries in $T_2$ grows exponentially with $f_x$. However, $T_2$ can easily be replaced by an $r$-bit random number generator that can control the output's Hamming weight, seeded deterministically from $f_m$ so that the signer and the verifier derive the same combination. Using $f_m$ and $r$ as inputs, the verifier determines how many keys should be in the key combination and then generates an output with Hamming weight equal to that number. Each bit of the output determines whether the corresponding key from $D_2$ is included in the key combination or not. The addition/subtraction pattern can be randomized by generating a $q$-bit random number, where $q$ is one less than the Hamming weight of the $r$-bit random number (the first selected key is always added, so that a combination and its negation are never both produced). Using this algorithmic approach, we can eliminate the storage requirement for $T_2$.
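As an added example (not the dissertation's code), the following script checks the second-key-set arithmetic by brute force for small $r$: the $D_2$ size from Equation 4 in Section 4.2.1, the number of usable signed combinations that a $T_2$ of $r$ keys can list, the birthday bound of Section 4.5.1, and the closed-form expected number of point additions that Section 4.5.3 derives, compared against exact enumeration. The function names and the small $r$ values are the example's own choices; the formulas are the ones stated in this chapter.

```python
"""Added example (not the dissertation's code): brute-force checks of the second-key-set
bookkeeping in Sections 4.2.1, 4.5.1 and 4.5.3.  Function names and the small r values
are this example's own choices; the formulas are the ones stated in the chapter."""
import math
from fractions import Fraction
from itertools import combinations, product

def d2_size(fx):
    """Equation (4) of Section 4.2.1: |D2| = ceil(log_3(2) * (fx + 1)) for an fx-bit extension."""
    return math.ceil(math.log(2, 3) * (fx + 1))

def t2_entries(r):
    """All usable T2 entries for r keys: every non-empty subset with a sign per key, keeping
    one representative of each {v, -v} pair by always adding the lowest-index key.
    Entries are tuples of signed 1-based indices, e.g. (1, -2) means d_21 - d_22."""
    entries = []
    for size in range(1, r + 1):
        for subset in combinations(range(1, r + 1), size):
            for signs in product((1, -1), repeat=size - 1):
                entries.append((subset[0],) + tuple(s * k for s, k in zip(signs, subset[1:])))
    return entries

def max_extension_bits(r):
    """Largest fx such that r keys cover all 2^fx - 1 non-zero hash values."""
    return (len(t2_entries(r)) + 1).bit_length() - 1

def expected_additions_exact(r):
    """Mean number of point additions to build Q2 from a uniformly chosen T2 entry."""
    entries = t2_entries(r)
    return Fraction(sum(len(e) - 1 for e in entries), len(entries))

def expected_additions_closed_form(r):
    """Section 4.5.3, Equation (4): 2r/3 - 1 + 3^-r, which takes the entry count as 3^r / 2."""
    return Fraction(2, 3) * r - 1 + Fraction(1, 3 ** r)

def collision_probability(n, g):
    """Section 4.5.1 birthday bound: q = 2^fx T2 entries, fx = (g-1)n/(2g), drawn from N = 2^n."""
    fx = (g - 1) * n / (2 * g)
    return 1 - math.exp(-(2.0 ** (2 * fx - 1 - n)))        # q^2 / 2N = 2^(2fx) / 2^(n+1)

if __name__ == "__main__":
    for r in range(1, 7):
        print(f"r={r}: {len(t2_entries(r))} entries = (3^r-1)/2, covers fx<={max_extension_bits(r)}, "
              f"E[additions] exact {float(expected_additions_exact(r)):.4f} "
              f"vs closed form {float(expected_additions_closed_form(r)):.4f}")
    print(f"|D2| for fx=105: {d2_size(105)}; P(collision) n=224,g=16: {collision_probability(224, 16):.3e}")
```

The enumeration confirms that $r$ keys give exactly $(3^r - 1)/2$ usable entries, and that the closed form of Section 4.5.3 differs from the exact expectation only by the factor $3^r/(3^r - 1)$ introduced by approximating the entry count as $3^r/2$. Equation 4 is conservative for $r = 1$ (it asks for two keys where one suffices for a 1-bit extension) and exact from $r = 2$ upward for the values checked here.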

4.5.3 Computational overhead

Using the key combination technique to reduce the storage size of $D_2$ and $Q_2$ also introduces additional computational overhead to MRECS/DS. A number of point addition operations have to be performed in order to obtain $Q_2$ for the signature verification process. Since each $T_2$ entry has a different number of point addition operations, we need to analyze the overhead using an expected value. The expected number of EC point addition operations in the $Q_2$ calculation is
$$\sum_{i=1}^{r} \Pr[\text{having to add } i \text{ keys together}]\,(i-1)
 = \sum_{i=1}^{r} \frac{\text{number of } T_2 \text{ entries with } i \text{ keys}}{\text{total number of } T_2 \text{ entries}}\,(i-1)
 = \sum_{i=1}^{r} \left[\frac{\binom{r}{i}2^i/2}{3^r/2}\,(i-1)\right]
 = \frac{1}{3^r}\sum_{i=1}^{r}\binom{r}{i}2^i(i-1)
 = \frac{1}{3^r}\left[\sum_{i=1}^{r}\binom{r}{i}2^i\, i - \sum_{i=1}^{r}\binom{r}{i}2^i\right]. \qquad (4)$$
From the binomial generating function, we have
$$\sum_{i=0}^{n}\binom{n}{i}x^i = (1+x)^n, \qquad (4)$$
$$\sum_{i=1}^{n}\binom{n}{i}x^i + \binom{n}{0}x^0 = (1+x)^n,\qquad \sum_{i=1}^{n}\binom{n}{i}x^i = (1+x)^n - 1. \qquad (4)$$
Applying Equation 4 to the second summation in Equation 4, we now have
$$\frac{1}{3^r}\left[\sum_{i=1}^{r}\binom{r}{i}2^i\, i - \big((1+2)^r - 1\big)\right] = \frac{1}{3^r}\left[\sum_{i=1}^{r}\binom{r}{i}2^i\, i - 3^r + 1\right]. \qquad (4)$$
To eliminate the last summation, we take the partial derivative of Equation 4 with respect to $x$:
$$\frac{\partial}{\partial x}\Big(\sum_{i=0}^{n}\binom{n}{i}x^i\Big) = \frac{\partial}{\partial x}(1+x)^n,\qquad
\sum_{i=0}^{n}\binom{n}{i}\, i\, x^{i-1} = n(1+x)^{n-1},\qquad
\sum_{i=0}^{n}\binom{n}{i}\, i\, x^{i} = x\, n(1+x)^{n-1}.$$
Substituting $x = 2$, we then have
$$\sum_{i=0}^{n}\binom{n}{i}\, i\, 2^{i} = 2n\, 3^{n-1},\qquad \sum_{i=1}^{n}\binom{n}{i}\, i\, 2^{i} = 2n\, 3^{n-1}. \qquad (4)$$
Combining Equation 4 with Equation 4, we finally have
$$\frac{1}{3^r}\left[2r\, 3^{r-1} - 3^r + 1\right] = \frac{2}{3}\, r - 1 + \frac{1}{3^r}. \qquad (4)$$
As shown in Figure 4-2, the expected number of EC point addition operations grows almost linearly with $r$, since the term $1/3^r$ quickly approaches zero as $r$ increases. Furthermore, the computational cost of an EC point addition operation is approximately a hundred times lower than that of a scalar multiplication [63, 64]. Hence, improving the signature's security with MRECS/DS inflicts less computational
overhead than increasing the security fraction, although at the cost of higher storage requirements.

4.6 Conclusion

With the goal of supplementing the hash security of MRECS' signature, we have proposed an improvement to the protocol in this chapter. Using the hash values excluded from $I$, we bind the signature residue element $s$ with a second key set to expand the hash collision domain. A key combination technique is also proposed to prevent an exponentially large space requirement for the second key set. With acceptable computational overhead, this technique achieves linear growth of both the storage and the number of point addition operations. One of the future research topics is applying the key combination technique from the second key set to the first key set.
Table 4-1. A sample key mapping table for a key set of size 3

  Hash value   Key combination
  1            1
  2            2
  3            3
  4            1, 2
  5            1, 3
  6            2, 3
  7            1, 2, 3

Table 4-2. A sample key mapping table for a key set of size 3 with subtraction

  Hash value   Key combination
  1            1
  2            2
  3            3
  4            1, 2
  5            1, -2
  6            1, 3
  7            1, -3
  8            2, 3
  9            2, -3
  10           1, 2, 3
  11           1, 2, -3
  12           1, -2, 3
  13           1, -2, -3
Figure 4-1. Storage overhead of the second key set for various hash extension sizes ($f_x$), where $f = 112$

Figure 4-2. Expected number of point addition operations to be performed in the $Q_2$ calculation process for various $r$ values
Figure 4-3. Key lifetime comparison between SFI, MRECS, and MRECS/DS with different hash extension bit-lengths ($f_m$), with $n = 224$ and $g = 16$
CHAPTER 5
CONCLUSIONS AND FUTURE WORK

This dissertation addresses the PKC-based broadcast authentication problem in wireless sensor networks. In these networks, a sensor node needs to either forward the broadcast message first, to achieve faster propagation speed at the risk of wasting battery power on unnecessary transmissions, or authenticate the message first and introduce significant delay in the broadcast process. Each sensor node's decision on a broadcast message affects the battery life, the overall broadcast delay, and the chance of a successful DoS attack on the sensor network as a whole. We need protocols that allow each node to make a smart decision to minimize broadcast propagation delay and prevent unnecessary draining of battery power.

5.1 Summary of Contributions

This dissertation provides the following contributions to solve the aforementioned problem: Bloom filter pre-authentication schemes and Multi-resolution elliptic curve signature (MRECS) schemes.

5.1.1 Bloom filter pre-authentication schemes

We proposed two pre-authentication schemes that allow sensor nodes to verify broadcast messages quickly, using a probabilistic distribution of secret keys among sensor nodes to resist node capture by attackers. The first protocol partitions secret keys into several key sets and distributes them among the sensor nodes. The authentication process relies on the probabilistic intersection of the keys in the message and the keys in the sensor nodes. The second protocol uses one-way hash chains instead of key sets, so the overheads, both communication and computational delay, are significantly reduced. However, the key chain scheme is more susceptible to the node capturing threat than the key pool scheme. We also developed two generic improvements for these protocols. The first improvement increases the chance of detecting a forged message by reducing the
maximum number of allowable marked bits in the Bloom filter vector. This technique can be applied to any protocol that uses Bloom filters to enforce a maximum membership count. The second improvement uses a broadcast tree to propagate the message and limit the forwarding paths each sensor node has. With this technique, the probability of forged messages passing through the pre-authentication process is reduced by two orders of magnitude.

5.1.2 Multi-resolution elliptic curve signature (MRECS) schemes

We proposed a digital signature scheme called Multi-Resolution Elliptic Curve Signature (MRECS) that gives the signer the ability to create signatures of different strengths from the same public key set. Compared to an implementation using a set of different keys, MRECS requires less storage overhead and has a longer key lifetime, at the cost of slightly higher but acceptable communication overhead. MRECS yields up to 33% computational overhead reduction compared to the full-size signature while maintaining full elliptic curve strength regardless of the signature strength. We also proposed several improvements to the original MRECS protocol to enhance the security of its signature without increasing the size of the scalar constants in MRECS' scalar multiplication operations. The improved protocol is called MRECS with dual secret key sets, or MRECS/DS. The security enhancement is achieved by taking the originally discarded hash partitions in MRECS and binding them with the residue element through a second key set. The randomness of the second key set selection helps expand the hash collision space of the signature which, in turn, increases the signature strength. The maximum hash extension bit-length can be determined during the key set generation phase; additionally, the amount of security added to a signature can also be adjusted on the fly, provided that it does not exceed the maximum bit-length set earlier. To counter the exponentially high storage overhead of the second key set, we proposed a novel key combination approach to increase the number of available keys while keeping the storage requirement low.
5.2 List of Publications

P. Chuchaisri and R. Newman, "Fast response PKC-based broadcast authentication in wireless sensor networks," in Mobile Networks and Applications, 2012, pp. 1. [Online]. Available: SpringerLink, doi:10.1007/s11036-011-0349-8 [Accessed: 9 May 2012].

P. Chuchaisri and R. Newman, "Fast response PKC-based broadcast authentication in wireless sensor networks," in CollaborateCom. IEEE, 2010, pp. 1.

5.3 Open Problems and Future Work

There are several interesting questions that can be studied further to improve both the pre-authentication and the multi-resolution protocols. Some examples of such potential research topics and preliminary investigations are outlined below.

- The current key partitioning process is uniformly distributed among sensor nodes. Other probabilistic distributions should be tested and a more structured key distribution should be analyzed. There may be some benefit to the Key Pool scheme if the number of intersected keys is deterministic instead of probabilistic.

- The sensor node deployment strategy and post-deployment location should be included in the key distribution decision.

- The key combination technique used in MRECS/DS' second key set can be applied to the first key set as well. This would potentially reduce the storage overhead of both MRECS and MRECS/DS. One major concern with using this technique in both key sets is the probability of key collision between the two sets. We have done some preliminary analysis on the collision probability between two random sets, which is described in Appendix A.

- MRECS signatures' ECDLP remains constant regardless of the signature strength, since only the hash part in MRECS can be partitioned into smaller pieces. Unlike the hash part of the ECPVS and MRECS signature, the residue element $s$ results from a calculation of the protocol's main equation. Any modification to $s$ will disturb the equation's balance and render the signature invalid. Instead of modifying the residue element directly, our technique described in Appendix B can be used to break $s$ down into several equally-sized partitions while still preserving its confidentiality. In the signing and verifying process, those partitions can then be multiplied with different keys. However, those keys are not totally random and have to be carefully calculated. Our preliminary research achieves the residue element partitioning, but more research has to be done before we can independently remove or modify each of those partitions.
APPENDIXAPROBABILITYOFCOLLISIONBETWEENTWORANDOMSETS TheoremA.1. (Probabilityofccollisionsbetweentworandomsets)Theprobabilityofccollisionbetweentwosetsofrandomvariableswithxandymembers,assumingallvariablesareuniformlydistributedoverrdiscretevalues,isPc(x,y,r)=c! rx+yrcxXi=cyXj=cicjcxiyj"x)]TJ /F8 7.97 Tf 6.59 0 Td[(iXm=0y)]TJ /F8 7.97 Tf 6.59 0 Td[(jXn=0x)]TJ /F5 11.955 Tf 11.96 0 Td[(imy)]TJ /F5 11.955 Tf 11.96 0 Td[(jnr)]TJ /F5 11.955 Tf 11.96 0 Td[(cm+n#whereabrepresentsStirlingnumbersofthesecondkind,)]TJ /F8 7.97 Tf 5.62 -4.38 Td[(abrepresentsbinomialcoefcientandabrepresentspermutation. Proof. Wecanndtheprobabilitythatccollisionsoccurfrom Pc(x,y,r)=Numberofeventswithccollisions Numberofallpossibleevents(A)LetAandBbeasetwithxandymembersrespectively.IfeverymembersofAareuniformlydistributedoverr,therewillbeatotalofrxpossiblewaystochoosethem.Usingthesameprinciple,Bwillhaverypossiblearrangements.Duetobothsetsbeingindependentlypicked,wehave Numberofallpossibleevents=rxry=rx+y(A)Foraparticularc,thereare)]TJ /F8 7.97 Tf 5.88 -4.38 Td[(rcpossiblewaystochoosecvaluesoutofr.Eachchoiceofc,atleastcdistinctmembersfromeachsethastosharethesamevaluewitheachothers.Thenumberofdistinctvaluescanbeaslargeasthesetmembershipitselfi.e.everymemberonbothsetsaregroupedintocdistinctvalues.BecauseStirlingnumberofthesecondkindabrepresentsthenumberofwaystogroupamembersintobnon-emptysets,thenumberofpossiblescenariosthatanxmemberssethascdistinctvaluesisc!xXi=cicxi 111
Since both sets are chosen independently, we have the number of possible arrangements of both sets as

$$(c!)^2 \sum_{i=c}^{x} \sum_{j=c}^{y} \left\{ {i \atop c} \right\} \left\{ {j \atop c} \right\} \binom{x}{i} \binom{y}{j}$$

For each of the overlapped events above, we need to consider the remaining non-overlapped part of both sets, which is independent of the previous events. If there are $i$ members from $A$ and $j$ members from $B$ overlapping each other, the remaining $x-i$ and $y-j$ members can be distributed over the range of $r$. A portion of those remaining members can be arranged into either the leftover $r-c$ values without any intersection, or merged into the overlapping part with possible intersection. With the range of $0$ to $x-i$ or $y-j$ possible values, the number of ways non-overlapped members from both sets can be arranged is

$$\sum_{m=0}^{x-i} \sum_{n=0}^{y-j} \binom{x-i}{m} \binom{y-j}{n}$$

For non-overlapped members $m$ and $n$, they can also be arranged in $(r-c)(r-c-1)\cdots(r-c-m-n+1) = P(r-c, m+n)$ different ways from the possible $r-c$ values. Combining all the aforementioned arrangements, we have the number of events with $c$ collisions equal to

$$\begin{aligned}
& (c!)^2 \sum_{i=c}^{x} \sum_{j=c}^{y} \left\{ {i \atop c} \right\} \left\{ {j \atop c} \right\} \binom{x}{i} \binom{y}{j} \left[ \sum_{m=0}^{x-i} \sum_{n=0}^{y-j} \binom{x-i}{m} \binom{y-j}{n} \, P(r-c, m+n) \right] \binom{r}{c} \\
&= (c!)^2 \frac{r!}{c!\,(r-c)!} \sum_{i=c}^{x} \sum_{j=c}^{y} \left\{ {i \atop c} \right\} \left\{ {j \atop c} \right\} \binom{x}{i} \binom{y}{j} \left[ \sum_{m=0}^{x-i} \sum_{n=0}^{y-j} \binom{x-i}{m} \binom{y-j}{n} \, P(r-c, m+n) \right] \\
&= c! \, P(r,c) \sum_{i=c}^{x} \sum_{j=c}^{y} \left\{ {i \atop c} \right\} \left\{ {j \atop c} \right\} \binom{x}{i} \binom{y}{j} \left[ \sum_{m=0}^{x-i} \sum_{n=0}^{y-j} \binom{x-i}{m} \binom{y-j}{n} \, P(r-c, m+n) \right] \quad (A)
\end{aligned}$$
Substituting Equation A and Equation A in Equation A, we have

$$P_c(x,y,r) = \frac{c!}{r^{x+y}} \, P(r,c) \sum_{i=c}^{x} \sum_{j=c}^{y} \left\{ {i \atop c} \right\} \left\{ {j \atop c} \right\} \binom{x}{i} \binom{y}{j} \left[ \sum_{m=0}^{x-i} \sum_{n=0}^{y-j} \binom{x-i}{m} \binom{y-j}{n} \, P(r-c, m+n) \right]$$
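The quantity Theorem A.1 describes, and the key-collision concern raised in Section 5.3, can also be obtained without the closed form: by enumerating every one of the $r^{x+y}$ equally likely draws for small parameters, and by sampling for realistic key-set sizes. The block below is an added example, not code from the dissertation; it reads "$c$ collisions" as $c$ distinct values occurring in both sets (an assumption), and the parameter choices in it are constructed. It gives reference values against which any closed form or approximation of $P_c(x,y,r)$ can be compared.

```python
"""Collision distribution between two random sets (Appendix A), by exhaustive
enumeration for small parameters and by sampling for larger ones.

Added example; not code from the dissertation.  'c collisions' is read here as
c distinct values that occur in both sets (an assumption)."""
import random
from collections import Counter
from fractions import Fraction
from itertools import product


def collision_count(a, b) -> int:
    """Number of distinct values shared by the two draws a and b."""
    return len(set(a) & set(b))


def collision_distribution_exact(x: int, y: int, r: int) -> dict:
    """{c: P_c(x, y, r)} over all r^(x+y) equally likely draws of an x-member
    set A and a y-member set B from r values (the denominator r^(x+y) of the
    proof).  Feasible only for small x, y, r."""
    counts = Counter()
    for a in product(range(r), repeat=x):
        for b in product(range(r), repeat=y):
            counts[collision_count(a, b)] += 1
    total = r ** (x + y)
    return {c: Fraction(k, total) for c, k in sorted(counts.items())}


def collision_distribution_mc(x: int, y: int, r: int,
                              trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo estimate of the same distribution, usable for realistic
    key-set sizes (e.g. two sets of a few dozen keys from a pool of thousands).
    The seed is fixed so runs are reproducible."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        a = [rng.randrange(r) for _ in range(x)]
        b = [rng.randrange(r) for _ in range(y)]
        counts[collision_count(a, b)] += 1
    return {c: k / trials for c, k in sorted(counts.items())}


def expected_collisions(dist: dict) -> float:
    """E[c] for a distribution {c: P_c}."""
    return sum(c * p for c, p in dist.items())


if __name__ == "__main__":
    # constructed parameters: two 2-member sets over 3 values
    for c, p in collision_distribution_exact(2, 2, 3).items():
        print(f"P_{c}(2,2,3) = {p}")
    # constructed parameters: two 16-key sets drawn from a 1024-key pool
    print("E[c] for x=y=16, r=1024:",
          expected_collisions(collision_distribution_mc(16, 16, 1024)))
```

For the constructed case $x = y = 2$, $r = 3$ the exact distribution is $P_0 = 2/9$, $P_1 = 17/27$, $P_2 = 4/27$; the Monte Carlo estimate converges to the same values as the trial count grows, which is the check to run before trusting any approximation for the larger sets a sensor network would use.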
APPENDIX B
BREAKING DOWN ECPVS/MRECS' RESIDUE ELEMENT

The first step toward reducing the residue element $s$ in the ECPVS and MRECS protocols is the ability to partition it into several small pieces. In this appendix, we describe the procedure to partition $s$ without compromising the protocol security or introducing large computational overhead. Our approach is based on the characteristic of the cyclic group $\mathbb{Z}/n\mathbb{Z}$ where $n$ is prime. As with any cyclic group, any number $r$ such that $\gcd(r,n) = 1$ ($r$ is co-prime to $n$, which is always true in the case of $r \in [1, n-1]$) will be a generator of the group. Each $r$ will generate a unique sequence $\{0, r, 2r, \ldots, (n-1)r\}$ that visits every possible element of $\mathbb{Z}/n\mathbb{Z}$ before wrapping around once the end of the sequence is reached, i.e., $nr = 0$. The following sections will provide more detail on key pair selection and signature generation based on this cyclic group's characteristic.

B.1 Key set generation

In order to properly generate a key set, we first have to determine the number of key pairs in the set ($g$) and the cryptographic strength of our digital signature ($f$). These values will affect the number of bits that each key contributes to the signature. Once we know $g$ and $f$, we can generate key pairs as follows:

1. Randomly choose a base key $d_B$ from $[1, n-1]$.
2. With $g$ key pairs, each pair will be responsible for $d = \lceil f/g \rceil$ bits in the signature.
3. The private key set will be $D = \{ d_i \mid d_i = 2^{(i-1)d} d_B,\ i = 1, 2, \ldots, g \}$.
4. The corresponding public key set will be $\{ Q_i \mid Q_i = d_i G,\ i = 1, 2, \ldots, g \}$.

For example, suppose we want to generate a 16-pair key set for a 112-bit strength digital signature scheme. Each key will be responsible for $d = 112/16 = 7$ bits in the signature. After $d_B$ selection, the private key set will be $\{ d_1 = d_B,\ d_2 = 2^{7} d_B,\ d_3 = 2^{14} d_B,\ \ldots,\ d_{16} = 2^{105} d_B \}$. For now, we will assume that $g$ is chosen such that it always divides $f$, i.e., $g \mid f$, for the sake of a simpler procedure in the digital signature schemes.
The cryptographic strength of this technique relies on the difficulty of solving the ECDLP for the base key $d_B$. Even though the attacker has gained the knowledge of how each key in the set relates to the others, i.e., all the $c_{ij}$ in $d_i = c_{ij} d_j$, $\forall i, j \in [1, g]$ are known, he still needs to solve the ECDLP in the equation $Q_i = 2^{(i-1)d} d_B G$ to learn the base key $d_B$. Even though the secret key set generated by this technique is not as secure as a set of randomly assigned keys, its strength is guaranteed to be at least the strength of the base key $d_B$. If we choose $d_B$ to be as strong as ECPVS' or MRECS' keys, the security of a signature will not be compromised.

B.2 Generating an arbitrary modulo n number from a key set

The crucial operation in generating a signature is the calculation of a residue element that can be fitted into the DSA's main equation. Examples of this operation are Equation 1 in ECDSA and Equation 1 in the ECPVS signing process. It calculates a residue element $s$ to balance any modulo $n$ number resulting from the right hand side of the equation. The method we are using is more complex, since we need to build the residue element out of a key set instead of finding $s$ directly. In other words, we would like to find a set of coefficients $S = \{ s_1, s_2, \ldots, s_g \}$ for a key set $D = \{ d_1, d_2, \ldots, d_g \}$ and an arbitrary number $x \in [1, n-1]$ which satisfies the equation

$$\sum_{i=1}^{g} s_i d_i \equiv x \pmod{n} \quad (B)$$

1. We first need to find the position of $x$ in the cyclic group $\mathbb{Z}/n\mathbb{Z}$ according to a generator $d_B$, i.e., what is $y$ in the equation $y d_B \equiv x \pmod{n}$?
2. By using the well known Extended Euclidean Algorithm and the fact that $n$ is prime, we can solve for $y'$ in the following equation

$$y' d_B \equiv \gcd(d_B, n) \pmod{n}$$
$$y' d_B \equiv 1 \pmod{n} \quad (B)$$
3. According to residue arithmetic, we can multiply both sides of Equation B by $x$ and still retain the equivalence. Hence, we have the position $y$ as $x y'$ from the equation $x y' d_B \equiv x \pmod{n}$.
4. Once we know $y$, we can use the algorithm in Figure B-1, which runs in linear time relative to $g$, to determine $S$ from a key set $D$ and any $x$ that fits into Equation B. The important aspect behind the linear running time of the algorithm in Figure B-1 is the key selection process in section B.1. The process partitions the cyclic group such that each key $d_i$ represents a different exponentiation of a base-$2^d$ number.

$s_i \leftarrow 0,\ \forall i$
$i \leftarrow g$
while $y > 0$ and $i \geq 1$ do
    $s_i \leftarrow \lfloor y / 2^{(i-1)d} \rfloor$
    $y \leftarrow y \bmod 2^{(i-1)d}$
    $i \leftarrow i - 1$
end while

Figure B-1. Algorithm for finding a signature residue element set $S$
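The key-set generation of B.1 and the four-step residue partitioning of B.2, including the algorithm of Figure B-1, carried through in code as an added example (not the dissertation's implementation). It assumes constructed demo parameters: the Mersenne prime $2^{127}-1$ stands in for the curve order $n$, with $g = 8$ key pairs and $f = 64$ bits of strength, so $d = 8$; a real scheme would use the curve order (a 224-bit $n$ for the 112-bit example in B.1). The modular inverse $y'$ comes from Python's `pow(d_B, -1, n)`, which performs the Extended Euclidean step. The block divisor is $2^{(i-1)d}$ to match the key definition $d_i = 2^{(i-1)d} d_B$, and the final check is exactly Equation (B).

```python
"""Residue element partitioning over a structured key set (Appendix B).

Added example; not the dissertation's implementation.  Parameters below are
constructed for the demo: a Mersenne prime stands in for the curve order n."""
import secrets

N_DEMO = 2**127 - 1   # constructed prime group order (a real scheme uses the curve order)
F_DEMO = 64           # constructed signature strength f in bits
G_DEMO = 8            # constructed number of key pairs g; g | f as B.1 assumes


def bits_per_key(f: int, g: int) -> int:
    """B.1 step 2: d = ceil(f / g), the bits each key pair is responsible for."""
    return -(-f // g)


def make_private_key_set(d_b: int, g: int, d: int, n: int) -> list:
    """B.1 step 3: D = {d_i = 2^((i-1)d) * d_B mod n | i = 1..g}."""
    return [(pow(2, (i - 1) * d, n) * d_b) % n for i in range(1, g + 1)]


def position_in_group(x: int, d_b: int, n: int) -> int:
    """B.2 steps 1-3: the y with y * d_B = x (mod n).
    pow(d_b, -1, n) is the modular inverse y' (computed by the extended
    Euclidean algorithm, valid because n is prime); y = x * y' mod n."""
    y_prime = pow(d_b, -1, n)
    assert (y_prime * d_b) % n == 1          # y' d_B = 1 (mod n)
    return (x * y_prime) % n


def partition_residue(y: int, g: int, d: int) -> list:
    """Figure B-1: coefficients s_1..s_g with sum_i s_i * 2^((i-1)d) == y.
    Walks from the most significant block (i = g) down to i = 1; s_g absorbs
    everything above bit (g-1)d, so it may exceed 2^d while s_1..s_{g-1} < 2^d."""
    s = [0] * g
    i = g
    while y > 0 and i >= 1:
        block = 1 << ((i - 1) * d)
        s[i - 1] = y // block
        y %= block
        i -= 1
    return s


def recombine(s: list, keys: list, n: int) -> int:
    """Left-hand side of Equation (B): sum_i s_i d_i mod n."""
    return sum(si * di for si, di in zip(s, keys)) % n


def split_and_check(x: int, d_b: int, g: int, f: int, n: int):
    """Build the key set, partition x into S, and confirm Equation (B) holds."""
    d = bits_per_key(f, g)
    keys = make_private_key_set(d_b, g, d, n)
    y = position_in_group(x, d_b, n)
    s = partition_residue(y, g, d)
    return s, recombine(s, keys, n) == x


if __name__ == "__main__":
    d_b = secrets.randbelow(N_DEMO - 1) + 1     # base key from [1, n-1]
    x = secrets.randbelow(N_DEMO - 1) + 1       # the residue value to represent
    s, ok = split_and_check(x, d_b, G_DEMO, F_DEMO, N_DEMO)
    print("coefficients S:", s)
    print("sum s_i d_i == x (mod n):", ok)
```

Because $y$ ranges over all of $[1, n-1]$ while the blocks only cover $(g-1)d$ bits below the top key, the last coefficient $s_g$ carries the excess; every other $s_i$ stays below $2^d$, which is what makes each partition the fixed-width piece that the signing and verifying process can multiply with its own key.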
BIOGRAPHICAL SKETCH

Panoat Chuchaisri received his bachelor's degree in Computer Engineering with first class honors in 2001 from Kasetsart University in Thailand. In 2004, he obtained a Master of Computer Science degree with specialization in computer networks from the University of Southern California. He completed his Ph.D. in Computer Engineering at the University of Florida (UF) under the supervision of Dr. Richard E. Newman in August 2012. His research is primarily in network security and cryptography with emphasis on the elliptic curve cryptosystem. In addition, he worked as a member of the ACIS lab in the Electrical and Computer Engineering Department at UF on the FutureGrid project during his Ph.D. program. His personal interest is in world history and important events, especially World War 2. He also likes to build plastic airplane/helicopter models (mostly modern military aircraft in 1:72 scale) and solve nonogram puzzles in his leisure time.