Practical RSA Signature Scheme Based on Periodical Rekeying for Wireless Sensor Networks

SHIH-YING CHANG, YUE-HSUN LIN, and HUNG-MIN SUN, National Tsing Hua University
MU-EN WU, Academia Sinica

Broadcast is an efficient communication channel in wireless sensor networks. Through authentic broadcast, deployed sensors can perform legitimate actions issued by a base station. According to previous literature, a complete solution for authentic broadcast is a digital signature based on asymmetric cryptography. However, asymmetric cryptography relies on expensive operations, which result in computational bottlenecks. Among these cryptosystems, Elliptic Curve Cryptography (ECC) seems to be the most efficient and the most popular choice. Unfortunately, signature verification in ECC is not efficient enough. In this article, we propose an authentic broadcast scheme based on RSA. Unlike conventional approaches, the proposed scheme adopts short moduli to enhance performance, while the weakness of short moduli is addressed with rekeying strategies. To minimize the rekeying overhead, a Multi-Modulus RSA generation algorithm, which reduces the communication overhead by 50%, is proposed. We implemented the proposed scheme on MICAz. With 512-bit moduli, each verification takes at most 0.077 seconds, which is highly competitive with other public-key cryptosystems.

Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—Security and protection; D.4.6 [Operating Systems]: Security and Protection—Cryptographic controls

General Terms: Performance

Additional Key Words and Phrases: Message authentication, RSA

ACM Reference Format: Chang, S.-Y., Lin, Y.-H., Sun, H.-M., and Wu, M.-E. 2012. Practical RSA signature scheme based on periodical rekeying for wireless sensor networks. ACM Trans. Sensor Netw. 8, 2, Article 13 (March 2012), 13 pages. DOI = 10.1145/2140522.2140526 http://doi.acm.org/10.1145/2140522.2140526

1. INTRODUCTION

Wireless sensor networks (WSNs) [Akyildiz et al. 2002] have been widely developed and investigated recently. The main purpose of deploying WSNs is to gather data. Depending on the application, sensors gather different kinds of data, for example, emergency reports, scientific samples, or surveillance records. Some data require protection mechanisms to satisfy essential security requirements [Wang et al. 2006]: confidentiality, integrity, and authenticity. Confidentiality ensures that only valid receivers have access to the data; integrity prevents unauthorized individuals from tampering with the data; authenticity allows receivers to confirm the source of the data.

This work was supported in part by the National Science Council, Taiwan, under Contract NSC 97-2221-E007-055-MY3.
Authors' addresses: S.-Y. Chang, Y.-H. Lin, and H.-M. Sun, Department of Computer Science, National Tsing Hua University, No. 101, Section 2, Kuang-Fu Road, Hsinchu, Taiwan 30013; email: {sychang, tenma}@is.cs.nthu.edu.tw, [email protected]; M.-E. Wu, Institute of Information Science, Academia Sinica, 128 Academia Road, Section 2, Nankang, Taipei 115, Taiwan; email: [email protected].
© 2012 ACM 1550-4859/2012/03-ART13 $10.00 DOI 10.1145/2140522.2140526 http://doi.acm.org/10.1145/2140522.2140526
ACM Transactions on Sensor Networks, Vol. 8, No. 2, Article 13, Publication date: March 2012.


Data transmission from a trusted base station (BS) to all deployed sensors goes through a broadcast channel. Through broadcast, the BS can efficiently send messages to multiple sensors to arrange new tasks, assign new commands, or update important information. Hence, securing broadcast is both necessary and important.

Solutions for the authenticity and integrity of broadcast data can be based on symmetric or asymmetric cryptography. For better efficiency, most researchers still prefer symmetric cryptography [Perrig et al. 2002; Chan et al. 2003]. In common designs, the BS and all sensors share a network-wide secret for message authentication. Since all sensors share the same secret, such an approach does not guarantee source authentication. To provide source authentication, Perrig et al. proposed a well-known scheme called μTESLA [2002]. μTESLA provides source authentication, and its construction leverages only symmetric cryptography. However, μTESLA requires time synchronization of all sensors. Besides that, data authentication must be postponed until the MAC key is disclosed in the next interval, so all data received in the current interval must be buffered. Hence, μTESLA is more prone to Denial of Service (DoS) attacks and is not suitable for real-time applications requiring instant verification by sensors. Besides μTESLA, Perrig also proposed another symmetric approach, BiBa (Bins and Balls signature) [Perrig 2001], to build authentic broadcast. However, compared with standard digital signatures, BiBa suffers from slower signing and requires larger storage to maintain its public key.

In asymmetric cryptography (also called public-key cryptography), solutions leverage digital signatures. In such a design, sensors must preload the public key of the BS for broadcast verification. By verifying the signatures attached to broadcast messages, the authenticity and integrity of the messages are guaranteed.
However, this approach becomes questionable when considering the limited hardware resources of sensors. To demonstrate that certain digital signature schemes (especially ECC) are workable for WSNs, researchers [Gaubatz et al. 2005a, 2005b; Piotrowski and Peter 2006; Roman and Alcaraz 2007; Driessen et al. 2008] implemented several digital signature schemes on physical sensors, including RSA signatures, Rabin's signature, ECDSA [Johnson et al. 2001], and NTRUSign [Hoffstein et al. 2003].

RSA has been the most well-known and most widely applied asymmetric cryptosystem since 1976. However, RSA is not recommended for use on WSNs [Wander et al. 2005; Gaubatz et al. 2005a; Piotrowski and Peter 2006] due to several limitations. First, the key size and the signature size are longer than those used in ECC. Second, the maximum payload size per packet for the standard WSN communication protocol, IEEE 802.15.4 (ZigBee), is only 102 bytes. If a sensor sends a message with a standard 1,024-bit RSA signature attached, it requires a minimum of two packets, making it prone to packet loss and DoS attacks. Third, performance is limited. Even with a small private exponent, a signing operation still takes around ten seconds [Piotrowski and Peter 2006; Gaubatz et al. 2005a, 2005b], which is impractical. Given these limitations, traditional RSA does not seem compatible with WSNs.

Comparing the discussed schemes, ECC appears to be the best candidate for authentic broadcast on WSNs. ECC is more efficient than RSA and has a smaller signature size (an ECDSA signature is 320 bits). However, verifying an ECDSA signature on a sensor takes, on average, around two seconds. If the BS broadcasts authentic messages to sensors with high frequency, the processing delay will be significant. For instance, consider the scenarios of data-centric routing [Intanagonwiwat et al. 2000] and mobile code (mobile agents) [Fok et al. 2005].
In data-centric routing, the BS sends its interest to all sensors. After receiving the associated responses, the BS may refresh and reinforce the interest. In mobile code, the BS can remotely redefine the applications of a WSN using disposable code scripts. Such code mobility enables higher flexibility for dynamically changing applications and better energy savings by reprogramming sensors.

[Figure 1 (image not reproduced). Legend: BS; Radio Range; Message Relay Path; Sensors inside radio range; Sensors outside radio range.]

Fig. 1. Broadcast network model on WSNs.

In this article, we propose an authentic broadcast scheme based on RSA signatures, which we call the Authentic Broadcast Scheme. In the Authentic Broadcast Scheme, short moduli ( 1. If a sensor stores n_i during the i-th slot, the BS sends only about τ/2 bits of data to update n_i to n_{i+1}. Instead of transmitting τ bits, the BS needs only 50% of the communication overhead. To prove the security of MM-RSA, a formal analysis is given in Section 5.2.

4. AUTHENTIC BROADCAST SCHEME

The proposed Authentic Broadcast Scheme consists of three phases. The first is the Setup Phase, in which the BS generates the necessary public parameters for each sensor. Once the sensors are deployed, the WSN enters the Broadcast Phase, in which the BS broadcasts messages to the sensors for regular or on-demand tasks. The last phase is the Update Phase: the BS renews the modulus via the broadcast channel when the time is about to reach the next slot. Before describing the proposed scheme, we define several parameters and symbols in Table I.

4.1. Setup Phase

The details are shown in Figure 4. At the end of this phase, each node S_i stores the same public parameters {n_1, e} and a pairwise key K_i shared with the BS for long-term use. Once the time reaches the next slot, the modulus is updated by the BS's update messages; the update procedure is presented in Section 4.3. In Figure 4, the set N is generated by MM-RSA with the given inputs t and τ. Since τ and t are determined by the security of short-modulus RSA, the suggested values follow from the security analysis (see Section 5). A second set stores the differences Δ_i between each modulus n_i and the first modulus n_1. By MM-RSA, |Δ_i| is approximately equal to half the size of the modulus, that is, |Δ_i| ≈ τ/2 for all i. The communication overhead is thus reduced by about 50% compared with broadcasting a new modulus.

Fig. 4. Setup procedure for BS and sensors.

4.2. Broadcast Phase

In this phase, the BS broadcasts messages to all sensors. Each broadcast message carries a signature generated by the RSA-PSS signature scheme [Jonsson and Kaliski 2003]. For a message m, the signature σ(m) is produced by the signature generation procedure RSA-PSS-Sign, as shown in Definition 1.

Definition 1 (Signing function for RSA-PSS). Signature σ(M) = RSA-PSS-Sign(D, N, M), where N is the modulus, D is the private exponent, and M is the message to be signed.

If the BS wants to broadcast message m in the j-th time slot, it generates σ(m) by executing RSA-PSS-Sign(d_j, n_j, m), where d_j ∈ D and n_j ∈ N. The BS then broadcasts m and σ(m) to all sensors. A sensor checks the authenticity and integrity of m with the verification procedure RSA-PSS-Verify given in Definition 2, that is, by running RSA-PSS-Verify(e, n_j, m, σ(m)) to determine whether m is legitimate.

Definition 2 (Verifying function for RSA-PSS). Verification result β = RSA-PSS-Verify(E, N, M, σ(M)), where E is the public exponent, N is the modulus, M is the message to be verified, σ(M) is the signature of M, and β ∈ {true, false}.

4.3. Update Phase

The procedure for updating moduli is illustrated in Figure 5. Without loss of generality, assume that the present time slot is the i-th. When the time is about to reach the (i+1)-th time slot, for example, with only 20 seconds left, the BS broadcasts update messages to all sensors. Once the sensors have verified these messages, they update the old modulus. Moreover, each sensor holds a timer κ to prevent updating with a belated modulus; κ is reset to 0 at the beginning of every time slot. When the timer expires, that is, κ > T, received update messages are no longer accepted as authentic. Before approaching the timeout, for example, with ten seconds left, sensors that have not received correct update messages first actively request them from their neighboring nodes or cluster heads. Note that the time at which sensors actively request the messages from their neighbors is after the time by which the update messages should have arrived at all nodes; in this example, the update message should reach all nodes within ten seconds. If a sensor S_y still cannot complete the update procedure on time (i.e., κ > T), S_y sends a retransmission request R to the BS. The delay may result from long routing paths, for example, the nodes drawn without strokes in Figure 1, or from malicious jamming. The request R consists of a query ID q, ID_y, and the current time stamp ξ (i.e., R = q ‖ ID_y ‖ ξ). For authenticity, the sensor S_y computes a MAC on R with the pairwise key K_y. After confirming request R, the BS sends an individual update message containing the related information (i.e., ζ_{i+1} in Figure 5) to S_y via a unicast channel. Since the modulus n_i of the previous i-th time slot is no longer secure, the BS authenticates this message by computing a MAC on it with the pairwise key K_y. Like μTESLA, the proposed scheme requires loose time synchronization of all sensors. The time synchronization guarantees that no sensor will accept an expired (i.e., insecure) signature.

Fig. 5. Update procedure for sensor S_l in time slot i + 1.

5. SECURITY ANALYSIS

In Section 5.1, we evaluate the security of short moduli. This analysis estimates when the BS must trigger rekeying for moduli of different sizes, based on the time required to factorize them. Section 5.2 gives a complete proof for MM-RSA. More precisely, we show that breaking a modulus n_i offers no advantage in breaking another modulus n_{i'}, where i' ≠ i and n_i, n_{i'} are generated by MM-RSA.

5.1. Security of Short Modulus

Complexity of Factorizing. Several integer factorization methods are widely used in modern computational environments, of which the General Number Field Sieve (GNFS) is the fastest [Lenstra et al. 1993]. Using GNFS, the complexity of factorizing an RSA modulus n is

$$O\Bigl(\exp\bigl((c + o(1))\,(\log n)^{1/3}(\log\log n)^{2/3}\bigr)\Bigr) = L_n[1/3,\, c],$$

where L_n denotes the L-notation, which expresses the computational complexity of an algorithm. More precisely, the complexities required to factorize 512-bit, 640-bit, 768-bit, and 1,024-bit n with GNFS are estimated at 2^{49.9}, 2^{55}, 2^{59.6}, and 2^{67.5}, respectively. In other words, the time to factorize a 1,024-bit n is approximately 2^{17.6} times that of factorizing a 512-bit n. Combining the complexity analysis with the estimated time of factorizing a 512-bit n, we can approximate the time of factorizing larger moduli.

Time Required to Factorize Short Modulus. To determine the best rekeying interval, we estimate the time required to factorize n with modern computational capability. RSA Laboratories has published a set of challenge numbers that are considerably hard to factorize [RSA Laboratories 2007]. We show some of the factorization results [Cavallar et al. 2000; RSA Laboratories 2007; Kleinjung et al. 2010] obtained with GNFS, as follows.

[Figure 6 (image not reproduced); panels: (a) MM-RSA with a 512-bit n; (b) MM-RSA with a 640-bit n; (c) MM-RSA with a 768-bit n.]

Fig. 6. MM-RSA results for cases of r, where t = 10^6.

—The computational capability required to factorize a 640-bit n was about 30 2.2-GHz Opteron CPU-years in 2005 [RSA Laboratories 2007].
—The computational capability required to factorize a 768-bit n was about 1,500 2.2-GHz Opteron CPU-years in 2009 [Kleinjung et al. 2010].

Since both results are expressed in the same computational unit, we find that the computational capability required to factorize a 768-bit n is 50 times greater than that for a 640-bit n. On the other hand, the complexity analysis shows that factorizing a 768-bit n is 2^{4.6} (< 32) times harder than factorizing a 640-bit n. This means that, in practice, factorization did not turn out to be faster than the theoretical estimate predicts. Therefore, it is reasonable to employ the theoretical results to estimate the time of factorizing n of other sizes. Besides that, we want to highlight a recent result. In 2008, Chen et al. factorized a 512-bit n in 142.9 hours (about six days) [Chen et al. 2008]. As a conservative assumption, we take factorizing a 512-bit n within ten minutes to be infeasible with modern computational capability. According to the complexity analysis, we further assume that a 640-bit n is secure for 350 (i.e., 10 × 2^{5.13}) minutes, and that a 768-bit n is secure for 8,180 (i.e., 10 × 2^{9.676}) minutes. Even if adversaries can factorize such moduli in the future with more advanced hardware, we can still increase the length of the employed n. In any case, the n employed in the proposed scheme is shorter than that of standard RSA and remains secure for a reasonably long time. In short, with high probability a reasonably short n cannot be factorized within a reasonable time period.

5.2. Security of MM-RSA

To show the security of MM-RSA, we first examine the probability distribution of the difference between moduli generated by G(τ, t) in MM-RSA (see Figure 3).

LEMMA 3. Let τ be the bit-length of the moduli in MM-RSA. Then

$$\Pr_{n_i,\, n_j \leftarrow G(\tau)}\Bigl[\,\bigl|\,|n_i - n_j|\,\bigr| = \tfrac{\tau}{2} + \varepsilon \pm m\Bigr] \approx \frac{1}{2^{m}}$$

for some constant ε, where the outer |·| denotes bit-length.

We show experimental results for τ = 512, 640, and 768 in Figures 6a, 6b, and 6c. From these figures, if we set ε = 8, the distribution of |n_i − n_j| approximately fits the distribution 1/2^m. Lemma 3 holds because the least significant bits of n_i in MM-RSA can be viewed as random. Next, we show that breaking some of the moduli in MM-RSA provides no benefit in factorizing the currently used modulus generated by G(τ, t). This argument also shows that the security of MM-RSA is equivalent to that of conventional RSA.


LEMMA 4. Let N' = {n_1, ..., n_k} be moduli generated by G(τ, t) such that the factorization of each n_i = p_i q_i in N' is known. Let AlgFactor denote any integer-factoring algorithm, where AlgFactor(n) = 1 means that n is successfully factored. Then

$$\mathrm{Complexity}_{n_{k+1} \leftarrow G(\tau)}\bigl[\mathrm{AlgFactor}(n_{k+1}) = 1\bigr]
= \mathrm{Complexity}_{\substack{n_{k+1} \leftarrow G(\tau) \\ n_i \in N'}}\Bigl[\mathrm{AlgFactor}(n_{k+1}) = 1 \;\Big|\; n_i = p_i q_i \text{ is known},\ |n_i - n_{k+1}| \approx 2^{\tau/2}\Bigr].$$

PROOF. Assume that an oracle accepts the input (p_i, q_i, Δ_{k+1}), where Δ_{k+1} = n_{k+1} − n_i is about τ/2 bits, and outputs the factorization of n_{k+1}. We claim that this oracle solves the Integer Factorization Problem (IFP). Given an arbitrary integer n that is the product of two primes p_n and q_n, randomly choose a prime p' with τ/2 bits, and then find the smallest prime larger than n/p', denoted q'. Set Δ = n − p'q'. Since the factorization of n' = p'q' is known, and both p' and Δ are about τ/2 bits, the oracle outputs the factorization of n = p'q' + Δ, which solves the IFP. This argument also shows that factorizing a modulus in MM-RSA is as hard as factorizing a single modulus in RSA.

THEOREM 5. Breaking MM-RSA is equivalent to breaking RSA.

PROOF. Theorem 5 follows directly from Lemma 4.

5.3. Security Analysis of the Proposed Scheme
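The construction from the proof of Lemma 4, which also underlies the compromise argument in this section, worked out on a toy 64-bit modulus as an added example (not the authors' code): any RSA modulus n can be rewritten as a modulus n' = p'q' with known factorization plus a difference Δ of only about τ/2 bits, so a neighbour pair of the MM-RSA shape carries no extra information about n. The primes, the seed and the check_embedding helper are this example's own; τ = 64 is used instead of the paper's 512 so it runs instantly.

```python
import random

# Fixed Miller-Rabin bases: the test is exact for every n < 3.3e24, which more
# than covers the 64-bit toy moduli used here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic below 3.3e24)."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(x: int) -> int:
    """Smallest prime strictly greater than x."""
    c = x + 1
    while not is_probable_prime(c):
        c += 1
    return c


def random_prime(bits: int, rng: random.Random) -> int:
    """Random prime with exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def lemma4_embedding(n: int, rng: random.Random):
    """Reduction step of the Lemma 4 proof.

    For a tau-bit modulus n: pick a random tau/2-bit prime p', let q' be the
    smallest prime larger than n / p', and set delta = n - p'q'. Returns
    (p', q', delta). The factorization of n' = p'q' is known and n = n' + delta
    with |delta| of only about tau/2 bits, exactly the input an MM-RSA
    "neighbour oracle" would accept; such an oracle would therefore factor n.
    """
    tau = n.bit_length()
    p_prime = random_prime(tau // 2, rng)
    q_prime = next_prime(n // p_prime)      # smallest prime > n / p'
    delta = n - p_prime * q_prime           # negative, since p'q' > n
    return p_prime, q_prime, delta


def check_embedding(n: int, p_prime: int, q_prime: int, delta: int) -> bool:
    """Check the two properties the proof relies on."""
    tau = n.bit_length()
    algebra_ok = n == p_prime * q_prime + delta
    # |delta| = p' * (q' - n/p') <= p' * (prime gap + 1): tau/2 bits plus a few.
    size_ok = abs(delta).bit_length() <= tau // 2 + 12
    return algebra_ok and size_ok and is_probable_prime(q_prime)


def demo_instance(seed: int):
    """Constructed toy instance: n = product of two 32-bit primes (tau ~ 64)."""
    rng = random.Random(seed)
    n = random_prime(32, rng) * random_prime(32, rng)
    p_prime, q_prime, delta = lemma4_embedding(n, rng)
    return n, p_prime, q_prime, delta


if __name__ == "__main__":
    n, p_, q_, d_ = demo_instance(2012)
    print(f"tau={n.bit_length()} |p'|={p_.bit_length()} |q'|={q_.bit_length()} "
          f"|delta|={abs(d_).bit_length()} ok={check_embedding(n, p_, q_, d_)}")
```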

In our scheme, since the RSA-PSS signature is employed, the authenticity and integrity of broadcast messages are guaranteed. Regarding the impact of compromised sensors, compromising a sensor reveals only the initial modulus n_1 and the present modulus n_i, because the sensors obtain subsequent moduli n_j, j > i, from the subsequently broadcast Δ_j. Besides that, as shown in Theorem 5, knowing n_i offers no advantage in breaking subsequent moduli n_j, j > i.

6. EVALUATION

To realize the Authentic Broadcast Scheme, we implemented it on low-end sensors (MICAz) equipped with an 8-bit processor running at 8 MHz and 128 KB of memory. The software implementation includes the core RSA library and several modules, such as a broadcast module. The RSA library is a reimplementation of the RSAREF library version 2.0 [RSA Laboratories 1994]. Exponentiation modulo n is optimized by several techniques, such as Montgomery reduction and partial assembly code. To demonstrate the efficiency of the Authentic Broadcast Scheme, a summary of the experiments is given in the following section.

6.1. Experimental Results

We designed two experiments to verify the claimed properties of the Authentic Broadcast Scheme, namely high performance and energy efficiency.

(1) Evaluate the performance enhancement of the Authentic Broadcast Scheme.
(2) Evaluate the benefit and rekeying cost of the Authentic Broadcast Scheme.

For each experiment, the results come from 100 rounds over different moduli n, where |n| is 512, 640, 768, and 1,024 bits.

Table II. Performance of Authentic Broadcast Scheme

Modulus Length | Signing Time [sec] | Signing Energy [μJ] | Verifying Time [sec] | Verifying Energy [μJ]
512            | 1.320              | 4,406               | 0.077                | 251
640            | 2.546              | 8,318               | 0.099                | 324
768            | 4.332              | 14,129              | 0.156                | 509
1,024          | 9.812              | 32,006              | 0.238                | 755

Table III. Impact and Benefit for Rekeying over Different Moduli

     | Re-keying Impact                                         | Broadcast Benefit
n    | Period [minute] | Payload [bit] | Packet [bit] | Cost [μJ] | Payload¹ [bit] | Packet² [bit] | Verify Time [second] | Cost [μJ]
512  | 10              | 768           | 856          | 824.52    | 532            | 620           | 0.077                | 666.4 (−847.04)
640  | 350             | 960           | 1048         | 1026.16   | 660            | 748           | 0.099                | 825.16 (−688.28)
768  | 8180            | 1152          | 1240         | 1339.8    | 788            | 876           | 0.156                | 1095.92 (−417.52)
1024 | –               | –             | –            | –         | 1044           | 1132          | 0.238                | 1513.44

¹ Broadcast message is assumed as 20 bits.
² Packet Size = Payload Size + 802.15.4 Header (11 bytes).

Performance Evaluation. As we know, signature verification is a major bottleneck during broadcast. This experiment evaluates the performance enhancement obtained by adopting short moduli compared with standard RSA (i.e., 1,024-bit moduli); the results are shown in Table II. The performance metrics are execution time and energy consumption. Execution time is easy to measure, but energy consumption is not as simple. Hence, we refer to Wander et al.'s results: executing 2,090 clock cycles on MICAz nodes consumes approximately 7.4 μJ [Wander et al. 2005]. Based on their results, the clock-cycle counts for different moduli can be converted to energy units. These results confirm our observations in Section 3. Since the complexity of verification is O(|n|^2), the ratio of the verification time for modulus n' to that for modulus n is ≈ |n'|^2 : |n|^2. In Table II, verification takes 0.238 s and 0.077 s for |n| = 1,024 and |n'| = 512, respectively. The experimental ratio is 0.077 : 0.238 = 1 : 3.09, which is close to the theoretical ratio of 512^2 : 1,024^2 = 1 : 4. For energy consumption, the experimental ratio is also close to the theoretical one. Similarly, the signing performance validates our observations: the complexity of signing is O(|n|^3), and for |n| = 1,024 and |n'| = 512 the experimental ratio is 1.32 : 9.812 = 1 : 7.43, close to the predicted ratio of 512^3 : 1,024^3 = 1 : 8.

Benefit and Rekeying Impact Evaluation. In the Authentic Broadcast Scheme, rekeying incurs additional overhead on sensors, including receiving and verifying the update data from the BS. Therefore, we evaluated the impact (or cost) of rekeying for different moduli: 512-bit, 640-bit, and 768-bit. Similarly, the benefit of adopting the Authentic Broadcast Scheme is also evaluated. The results are given in Table III. To analyze the energy consumption of receiving packets, we use de Meulenaer et al.'s results: receiving 1 bit consumes about 0.67 μJ on MICAz nodes [de Meulenaer et al. 2008]. In Table III, the rekeying impact and the benefit gained in broadcast are listed on the left-hand side and right-hand side, respectively.

First, we discuss the benefits brought by short moduli. Standard RSA (1,024-bit n) does not need any rekeying, but each broadcast consumes 1513.44 μJ: the sum of the communication cost 758.44 μJ (i.e., 1132 × 0.67 μJ) and the verification cost 755 μJ. With short moduli, each sensor saves at least 417.52 μJ per broadcast, because both the communication and verification costs are reduced. Meanwhile, the data and signature fit into one MICAz packet, whose payload is at most 102 bytes. On the other hand, rekeying brings additional costs. For 512-bit moduli, the rekeying cost is 824.52 μJ, the sum of the communication cost 573.52 μJ (i.e., 856 × 0.67 μJ)

and the verification cost 251 μJ. If the BS broadcasts at least one message every ten minutes, the proposed scheme is more efficient than standard RSA, since the energy saved in broadcast exceeds the cost spent on rekeying (847.04 > 824.52). Moreover, each extra packet broadcast within these ten minutes saves a further 847.04 μJ. Consider another condition: broadcast is performed infrequently. For such cases, 640-bit or 768-bit moduli probably fit the requirement. Taking the 768-bit case: a sensor spends 1,339.8 μJ on rekeying every 8,180 minutes (i.e., 235 μJ per day), yet it saves 417.52 μJ per broadcast compared with standard RSA. That is to say, the proposed scheme is much better than standard RSA even if broadcast is infrequent or is not a regular task. In addition, for large-scale WSNs, frequent rekeying may be cumbersome; in this case, bigger moduli, for example 640-bit or 768-bit, are also suggested. Besides energy consumption, the payload for updating 512-bit RSA can be estimated as the 256-bit δ_{i+1} plus a 512-bit signature. Note that the identity and some counting information, that is, ID_bs and the interval i, can be encapsulated in the packet header, not in the payload. The update packet therefore requires a total of 768 bits (96 bytes) and fits into a single MICAz packet (capacity = 102 bytes). On the contrary, the BS broadcasts 960-bit and 1,152-bit information to update 640-bit RSA and 768-bit RSA, respectively. This information must be divided into two packets, which makes DoS attacks possible, for example, flooding the first update packet to sensors. To mitigate this attack, a sensor S_i sends a retransmission request R, as defined in Section 4.3. These packets are authenticated by the symmetric key K_i, and such update data fit into a single packet, mitigating DoS attacks. In summary, the Authentic Broadcast Scheme saves more energy when broadcast is a regular task.

Most importantly, verification is quite fast (less than 0.2 seconds per verification). Compared with the gained benefits, the rekeying overhead is insignificant and thus affordable for sensors.

7. COMPARISONS WITH OTHER PUBLIC-KEY CRYPTOSYSTEMS

To make our study comprehensive, we compared the performance of the proposed scheme with well-known public-key cryptosystems (PKCs). Table IV shows the overall results, including performance, energy consumption, signature length, and security strength. ECC is one of the most popular PKCs implemented on WSNs by researchers. Among the various ECC implementations, TinyECC is the most famous. For authentic broadcast, an ECC-based signature scheme (i.e., ECDSA) has also been implemented. Besides TinyECC, Wang and Li [2006] provided another implementation, WMECC.

Table IV. Comparisons between Existing PKCs and the Proposed Scheme

PKC              | Sign/Verify Time [sec] | Sign/Verify Energy [μJ] | Sig. length¹ [bit] | Security²
RSA:512          | 1.320/0.077            | 4,406/251               | 512                | 60 (∗50)
RSA:640          | 2.546/0.099            | 8,318/324               | 640                | 66 (∗55)
RSA:768          | 4.332/0.156            | 14,129/509              | 768                | 70 (∗60)
RSA:1,024        | 9.812/0.238            | 32,006/755              | 1,024              | 80 (∗68)
TinyECC          | 2.001/2.436            | 7,205/8,770             | 320                | 80 (∗68)
WMECC            | 1.348/2.017            | –³                      | 320                | 80 (∗68)
TinyWMECC        | 1.348/2.019            | –                       | 320                | 80 (∗68)
NTRUSign (N=127) | 0.619/0.078            | 2,230/2,810             | 1,016              | –

¹ |Sig| is the length of each signature.
² Commonly, 1,024-bit RSA provides 80 bits of security against a brute-force attack [Kaliski 2004]. Values marked by ∗ denote the security evaluated via the complexity formula (see Section 5).
³ –: this term was not evaluated in previous literature.
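The energy accounting behind Table III (and the RSA rows of Table IV), as an added example that is not the authors' code: it reproduces the per-broadcast and per-rekeying costs from the bit counts, the 0.67 μJ/bit receive cost and the Table II verification energies, and derives how many broadcasts per rekeying period each modulus size needs before it beats standard 1,024-bit RSA, which the text argues in prose for the 512-bit case. The constants come from the tables; the break-even, per-day and single-packet helpers are this example's own.

```python
from math import ceil

# Constants taken from Section 6.1 / Tables II and III.
RX_UJ_PER_BIT = 0.67                 # receiving one bit on MICAz [de Meulenaer et al. 2008]
HEADER_BITS = 11 * 8                 # 802.15.4 header (Table III, footnote 2)
MSG_BITS = 20                        # broadcast message assumed as 20 bits (footnote 1)
MAX_PAYLOAD_BITS = 102 * 8           # largest MICAz payload per packet
VERIFY_UJ = {512: 251, 640: 324, 768: 509, 1024: 755}       # Table II
REKEY_PERIOD_MIN = {512: 10, 640: 350, 768: 8180}           # Section 5.1
STANDARD_RSA = 1024                  # reference point: no rekeying at all


def broadcast_payload_bits(mod_bits: int) -> int:
    """Message plus a full-length RSA-PSS signature under the current modulus."""
    return MSG_BITS + mod_bits


def rekey_payload_bits(mod_bits: int) -> int:
    """MM-RSA update: the tau/2-bit delta_{i+1} plus a signature under n_i."""
    return mod_bits // 2 + mod_bits


def fits_single_packet(payload_bits: int) -> bool:
    """True if the payload needs no fragmentation (the DoS concern in the text)."""
    return payload_bits <= MAX_PAYLOAD_BITS


def receive_and_verify_uj(payload_bits: int, mod_bits: int) -> float:
    """Energy to receive one packet (header included) and verify its signature."""
    return (payload_bits + HEADER_BITS) * RX_UJ_PER_BIT + VERIFY_UJ[mod_bits]


def broadcast_cost_uj(mod_bits: int) -> float:
    return receive_and_verify_uj(broadcast_payload_bits(mod_bits), mod_bits)


def rekey_cost_uj(mod_bits: int) -> float:
    return receive_and_verify_uj(rekey_payload_bits(mod_bits), mod_bits)


def saving_per_broadcast_uj(mod_bits: int) -> float:
    """Energy saved per broadcast relative to standard 1,024-bit RSA."""
    return broadcast_cost_uj(STANDARD_RSA) - broadcast_cost_uj(mod_bits)


def break_even_broadcasts(mod_bits: int) -> int:
    """Broadcasts per rekeying period needed for the saving to cover rekeying."""
    return ceil(rekey_cost_uj(mod_bits) / saving_per_broadcast_uj(mod_bits))


def rekey_cost_per_day_uj(mod_bits: int) -> float:
    return rekey_cost_uj(mod_bits) * (24 * 60 / REKEY_PERIOD_MIN[mod_bits])


if __name__ == "__main__":
    for bits in (512, 640, 768):
        print(f"{bits}-bit: rekey {rekey_cost_uj(bits):.2f} uJ every "
              f"{REKEY_PERIOD_MIN[bits]} min "
              f"(single packet: {fits_single_packet(rekey_payload_bits(bits))}), "
              f"saves {saving_per_broadcast_uj(bits):.2f} uJ/broadcast, "
              f"break-even at {break_even_broadcasts(bits)} broadcast(s) per period")
```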


According to their results, WMECC provides better performance but has a larger code size than TinyECC. Afterwards, Roman and Alcaraz proposed TinyWMECC [Roman and Alcaraz 2007] to reduce the code size while keeping the performance competitive with WMECC. Therefore, we chose these schemes as candidates for our comparison. Another well-known PKC is NTRU. The first signature scheme based on NTRU was the NTRU Signature Scheme (NSS) [Hoffstein et al. 2001]. However, NSS was successfully attacked [Gentry et al. 2001]. To prevent this attack, Hoffstein et al. proposed NTRUSign as a new candidate [Hoffstein et al. 2003]. Unfortunately, researchers have discovered weaknesses in NTRUSign, including vulnerability to key recovery attacks [Nguyen and Regev 2009] and a malleability property [Min et al. 2004]. As a result, the security of NTRUSign is still questionable.

Concluding from the results, we found that NTRUSign is the fastest PKC. Although its performance is outstanding, its debatable security is a major concern, and thus NTRUSign is not recommended for practical use. For ECC, the best candidate, WMECC, spends 1.348 s/2.017 s on sign/verify operations; however, 2 seconds is an unacceptable processing delay for urgent cases. In addition, the performance degrades further if a sensor is more than one hop away from the BS. For RSA:512, sign/verify operations take only 1.320 s/0.077 s, which reduces the delay. Of course, the tradeoff is that sensors must rekey more often (once every ten minutes). Considering the next candidate, RSA:640, each verification takes only 0.099 s on a MICAz, which is 20 times faster than WMECC. Better yet, RSA:640 does not require frequent rekeying (once every 350 minutes). In many cases, ECC is still a good PKC for WSNs, but for broadcast scenarios requiring instant verification, our design works better than ECC.

8. CONCLUSION

The main purpose of this article is to investigate the disparity between practical security and theoretical security. To overcome the inefficiency of conventional RSA, we utilized short moduli and rekeying in our design. To minimize the rekeying cost, our proposed MM-RSA provides a better set of moduli than conventional RSA moduli generation. Moreover, we implemented our scheme on MICAz sensors. Sign/verify on MICAz takes only 1.32s/0.077s over 512-bit moduli and 2.546s/0.099s over 640-bit moduli, respectively. Meanwhile, the additional cost for rekeying remains acceptable. Considering that our proposed scheme reduces bandwidth while raising performance, it is worth adopting in WSNs.

REFERENCES

AKYILDIZ, I. F., SU, W., SANKARASUBRAMANIAM, Y., AND CAYIRCI, E. 2002. Wireless sensor networks: A survey. Comput. Netw. 38, 4, 393–422.
CAVALLAR, S., DODSON, B., LENSTRA, A., LIOEN, W., MONTGOMERY, P., MURPHY, B., RIELE, H., AARDAL, K., GILCHRIST, J., AND GUILLERM, G. 2000. Factorization of a 512-bit RSA modulus. In Advances in Cryptology (EUROCRYPT). Lecture Notes in Computer Science, vol. 1807, Springer, Berlin, 1–18.
CHAN, H., PERRIG, A., AND SONG, D. 2003. Random key predistribution schemes for sensor networks. In Proceedings of the IEEE Symposium on Security and Privacy. 197–215.
CHEN, J.-M., YU, S.-I., OU-YANG, Y., WANG, P.-H., LIN, C.-H., HUANG, P.-Y., YANG, B.-Y., AND LAIH, C.-S. 2008. Improved factoring of RSA modulus. In Proceedings of the 25th Workshop on Combinatorial Mathematics and Computation Theory.
DE MEULENAER, G., GOSSET, F., STANDAERT, F., AND PEREIRA, O. 2008. On the energy cost of communication and cryptography in wireless sensor networks. In Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WIMOB'08). 580–585.
DRIESSEN, B., POSCHMANN, A., AND PAAR, C. 2008. Comparison of innovative signature algorithms for WSNs. In Proceedings of the 1st ACM Conference on Wireless Network Security. ACM, 30–35.
FOK, C.-L., ROMAN, G.-C., AND LU, C. 2005. Mobile agent middleware for sensor networks: An application case study. In Proceedings of the 4th International Symposium on Information Processing in Sensor Networks. 382–387.

ACM Transactions on Sensor Networks, Vol. 8, No. 2, Article 13, Publication date: March 2012.

GAUBATZ, G., KAPS, J., AND SUNAR, B. 2005a. Public key cryptography in sensor networks – revisited. In Security in Ad-hoc and Sensor Networks. Lecture Notes in Computer Science, vol. 3313, Springer, Berlin, 2–18.
GAUBATZ, G., KAPS, J. P., OZTURK, E., AND SUNAR, B. 2005b. State of the art in ultra-low power public key cryptography for wireless sensor networks. In Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOMW). 146–150.
GENTRY, C., JONSSON, J., STERN, J., AND SZYDLO, M. 2001. Cryptanalysis of the NTRU signature scheme. In Advances in Cryptology (ASIACRYPT). Lecture Notes in Computer Science, vol. 2248, Springer, Berlin, 1–20.
HOFFSTEIN, J., HOWGRAVE-GRAHAM, N., PIPHER, J., SILVERMAN, J. H., AND WHYTE, W. 2003. NTRUSign: Digital signatures using the NTRU lattice. In Topics in Cryptology (CT-RSA). Lecture Notes in Computer Science, vol. 2612, Springer, Berlin, 122–140.
HOFFSTEIN, J., PIPHER, J., AND SILVERMAN, J. 2001. NSS: An NTRU lattice-based signature scheme. In Advances in Cryptology (EUROCRYPT). Lecture Notes in Computer Science, vol. 2045, Springer, Berlin, 211–228.
INTANAGONWIWAT, C., GOVINDAN, R., AND ESTRIN, D. 2000. Directed diffusion: A scalable and robust communication paradigm for sensor networks. In Proceedings of the 6th Annual International Conference on Mobile Computing and Networking. 56–67.
JOHNSON, D., MENEZES, A., AND VANSTONE, S. 2001. The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1, 1, 36–63.
JONSSON, J. AND KALISKI, B. 2003. Public-key cryptography standards (PKCS) #1: RSA cryptography specifications version 2.1. RFC 3447.
KALISKI, B. 2004. TWIRL and RSA key size. RSA Laboratories Tech. Note.
KLEINJUNG, T., AOKI, K., FRANKE, J., LENSTRA, A., THOMÉ, E., BOS, J., GAUDRY, P., KRUPPA, A., MONTGOMERY, P., OSVIK, D. A., TE RIELE, H., TIMOFEEV, A., AND ZIMMERMANN, P. 2010. Factorization of a 768-bit RSA modulus. Cryptology ePrint Archive, Report 2010/006. http://eprint.iacr.org/.
LENSTRA, A. K., LENSTRA, JR., H. W., MANASSE, M. S., AND POLLARD, J. M. 1993. The number field sieve. In The Development of the Number Field Sieve. Lecture Notes in Mathematics, vol. 1554, 11–42.
LIU, A. AND NING, P. 2008. TinyECC: A configurable library for elliptic curve cryptography in wireless sensor networks. In Proceedings of the 7th International Conference on Information Processing in Sensor Networks (IPSN'08). 245–256.
MIN, S., YAMAMOTO, G., AND KIM, K. 2004. Weak property of malleability in NTRUSign. In Information Security and Privacy. Lecture Notes in Computer Science, vol. 3108, Springer, Berlin, 379–390.
NGUYEN, P. AND REGEV, O. 2009. Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures. J. Cryptology 22, 2, 139–160.
PERRIG, A. 2001. The BiBa one-time signature and broadcast authentication protocol. In Proceedings of the 8th ACM Conference on Computer and Communications Security. 28–37.
PERRIG, A., SZEWCZYK, R., TYGAR, J., WEN, V., AND CULLER, D. E. 2002. SPINS: Security protocols for sensor networks. Wirel. Netw. 8, 521–534.
PIOTROWSKI, K. AND PETER, S. 2006. How public key cryptography influences wireless sensor node lifetime. In Proceedings of the 4th ACM Workshop on Security of Ad Hoc and Sensor Networks. 169–176.
ROMAN, R. AND ALCARAZ, C. 2007. Applicability of public key infrastructures in wireless sensor networks. In Public Key Infrastructure. Lecture Notes in Computer Science, vol. 4582, 313–320.
RSA LABORATORIES. 1994. RSAREF: A cryptographic toolkit (v2.0). Tech. report, RSA.
RSA LABORATORIES. 2007. The RSA Factoring Challenge. RSA.
WANDER, A., GURA, N., EBERLE, H., GUPTA, V., AND SHANTZ, S. 2005. Energy analysis of public-key cryptography for wireless sensor networks. In Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom). 324–328.
WANG, H. AND LI, Q. 2006. Efficient implementation of public key cryptosystems on mote sensors. In Information and Communications Security. Lecture Notes in Computer Science, vol. 4307, Springer, Berlin, 519–528.
WANG, Y., ATTEBURY, G., AND RAMAMURTHY, B. 2006. A survey of security issues in wireless sensor networks. IEEE Commun. Surv. Tutorials 8, 2, 2–23.

Received March 2009; revised January, June, October 2010; accepted November 2010