Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
AbstractMessage authentication is one of the most effective ways to thwart unauthorized and corrupted messages from being
forwarded in wireless sensor networks (WSNs). For this reason, many message authentication schemes have been developed, based
on either symmetric-key cryptosystems or public-key cryptosystems. Most of them, however, have the limitations of high computational
and communication overhead in addition to lack of scalability and resilience to node compromise attacks. To address these issues, a
polynomial-based scheme was recently introduced. However, this scheme and its extensions all have the weakness of a built-in
threshold determined by the degree of the polynomial: when the number of messages transmitted is larger than this threshold, the
adversary can fully recover the polynomial. In this paper, we propose a scalable authentication scheme based on elliptic curve
cryptography (ECC). While enabling intermediate nodes authentication, our proposed scheme allows any node to transmit an unlimited
number of messages without suffering the threshold problem. In addition, our scheme can also provide message source privacy. Both
theoretical analysis and simulation results demonstrate that our proposed scheme is more efficient than the polynomial-based
approach in terms of computational and communication overhead under comparable security levels while providing message source
privacy.
Index TermsHop-by-hop authentication, symmetric-key cryptosystem, public-key cryptosystem, source privacy, simulation, wireless
sensor networks (WSNs), distributed algorithm, decentralized control
1 INTRODUCTION
computational complexity, memory usage, and security through multi-hop communications. We assume there is a
resilience, since public-key based approaches have a sim- security server (SS) that is responsible for generation, stor-
ple and clean key management [9]. age and distribution of the security parameters among the
In this paper, we propose an unconditionally secure network. This server will never be compromised. How-
and efficient source anonymous message authentication ever, after deployment, the sensor nodes may be captured
(SAMA) scheme based on the optimal modified ElGamal and compromised by attackers. Once compromised, all
signature (MES) scheme on elliptic curves. This MES information stored in the sensor nodes can be accessed by
scheme is secure against adaptive chosen-message attacks the attackers. The compromised nodes can be reprog-
in the random oracle model [10]. Our scheme enables the rammed and fully controlled by the attackers. However,
intermediate nodes to authenticate the message so that all the compromised nodes will not be able to create new
corrupted message can be detected and dropped to con- public keys that can be accepted by the SS and other
serve the sensor power. While achieving compromise- nodes.
resiliency, flexible-time authentication and source identity Based on the above assumptions, this paper considers
protection, our scheme does not have the threshold prob- two types of attacks launched by the adversaries:
lem. Both theoretical analysis and simulation results dem-
onstrate that our proposed scheme is more efficient than Passive attacks. Through passive attacks, the adver-
the polynomial-based algorithms under comparable secu- saries could eavesdrop on messages transmitted in
rity levels. the network and perform traffic analysis.
The major contributions of this paper are the following: Active attacks. Active attacks can only be launched
from the compromised sensor nodes. Once the sen-
1. We develop a source anonymous message authenti- sor nodes are compromised, the adversaries will
cation code (SAMAC) on elliptic curves that can pro- obtain all the information stored in the compromised
vide unconditional source anonymity. nodes, including the security parameters of the com-
2. We offer an efficient hop-by-hop message authenti- promised nodes. The adversaries can modify the
cation mechanism for WSNs without the threshold contents of the messages, and inject their own
limitation. messages.
3. We devise network implementation criteria on
source node privacy protection in WSNs. 2.2 Design Goals
4. We propose an efficient key management framework Our proposed authentication scheme aims at achieving the
to ensure isolation of the compromised nodes. following goals:
5. We provide extensive simulation results under ns-2
and TelosB on multiple security levels. Message authentication. The message receiver should
To the best of our knowledge, this is the first scheme that be able to verify whether a received message is sent
provides hop-by-hop node authentication without the by the node that is claimed, or by a node in a particu-
threshold limitation, and has performance better than the lar group. In other words, the adversaries cannot
symmetric-key based schemes. The distributed nature of pretend to be an innocent node and inject fake mes-
our algorithm makes the scheme suitable for decentralized sages into the network without being detected.
networks. Message integrity. The message receiver should be
The remainder of this paper is organized as follows: able to verify whether the message has been modi-
Section 2 presents the terminology and the preliminary fied en-route by the adversaries. In other words, the
that will be used in this paper. Section 3 discusses the adversaries cannot modify the message content
related work, with a focus on polynomial-based schemes. without being detected.
Section 4 describes the proposed source anonymous mes- Hop-by-hop message authentication. Every forwarder
sage authentication scheme on elliptic curves. Section 5 on the routing path should be able to verify the
discusses the ambiguity set (AS) selection strategies for authenticity and integrity of the messages upon
source privacy. Section 6 describes key management and reception.
compromised node detection. Performance analysis and Identity and location privacy. The adversaries cannot
simulation results are provided in Section 7. We conclude determine the message senders ID and location by
in Section 8. analyzing the message contents or the local traffic.
Node compromise resilience. The scheme should be
resilient to node compromise attacks. No matter how
2 TERMINOLOGY AND PRELIMINARY many nodes are compromised, the remaining nodes
In this section, we will briefly describe the terminology and can still be secure.
the cryptographic tools that will be used in this paper. Efficiency. The scheme should be efficient in terms of
both computational and communication overhead.
2.1 Threat Model and Assumptions
The WSNs are assumed to consist of a large number of 2.3 Terminology
sensor nodes. We assume that each sensor node knows its Privacy is sometimes referred to as anonymity. Commu-
relative location in the sensor domain and is capable of nication anonymity in information management has been
communicating with its neighboring nodes directly using discussed in a number of previous works [11], [12], [13],
geographic routing. The whole network is fully connected [14], [15], [16]. It generally refers to the state of being
LI ET AL.: HOP-BY-HOP MESSAGE AUTHENTICATION AND SOURCE PRIVACY IN WIRELESS SENSOR NETWORKS 1225
unidentifiable within a set of subjects. This set is called each symmetric authentication key is shared by a group
the AS. Sender anonymity means that a particular message of sensor nodes. An intruder can compromise the key by
is not linkable to any sender, and no message is linkable capturing a single sensor node. Therefore, these schemes
to a particular sender. are not resilient to node compromise attacks. Another
We will start with the definition of the unconditionally type of symmetric-key scheme requires synchronization
secure SAMA. among nodes. These schemes, including TESLA [5] and
Definition 1 (SAMA). A SAMA consists of the following two its variants, can also provide message sender authentica-
algorithms: tion. However, this scheme requires initial time synchro-
nization, which is not easy to be implemented in large
Generate (m; Q1 ; Q2 ; . . . ; Qn ). Given a message m scale WSNs. In addition, they also introduce delay in
and the public keys Q1 ; Q2 ; . . . ; Qn of the AS message authentication, and the delay increases as the
S fA1 ; A2 ; . . . ; An g, the actual message sender network scales up.
At ; 1 t n, produces an anonymous message Sm A secret polynomial based message authentication
using its own private key dt . scheme was introduced in [3]. This scheme offers infor-
Verify Sm. Given a message m and an anonymous mation-theoretic security with ideas similar to a thresh-
message Sm, which includes the public keys of all old secret sharing, where the threshold is determined by
members in the AS, a verifier can determine whether the degree of the polynomial. When the number of mes-
Sm is generated by a member in the AS. sages transmitted is below the threshold, the scheme
The security requirements for SAMA include: enables the intermediate node to verify the authenticity
of the message through polynomial evaluation. However,
Sender ambiguity. The probability that a verifier suc- when the number of messages transmitted is larger than
cessfully determines the real sender of the anonymous the threshold, the polynomial can be fully recovered and
message is exactly 1=n, where n is the total number of the system is completely broken. To increase the thresh-
members in the AS. old and the complexity for the intruder to reconstruct
Unforgeability. An anonymous message scheme is the secret polynomial, a random noise, also called a per-
unforgeable if no adversary, given the public keys of all turbation factor, was added to the polynomial in [4] to
members of the AS and the anonymous messages thwart the adversary from computing the coefficient of
m1 ; m2 ; . . . ; mn adaptively chosen by the adversary, the polynomial. However, the added perturbation factor
can produce in polynomial time a new valid anony- can be completely removed using error-correcting code
mous message with non-negligible probability. techniques [6].
In this paper, the user ID and the user public key will be For the public-key based approach, each message is
used interchangeably without making any distinctions. transmitted along with the digital signature of the mes-
sage generated using the senders private key. Every
2.4 Modified ElGamal Signature Scheme intermediate forwarder and the final receiver can authen-
ticate the message using the senders public key. The
Definition 2 (MES). The modified ElGamal signature scheme recent progress on ECC shows that the public-key
[17] consists of the following three algorithms: schemes can be more advantageous in terms of memory
Key generation algorithm. Let p be a large prime and g be usage, message complexity, and security resilience, since
a generator of ZZp : Both p and g are made public. For a random public-key based approaches have a simple and clean key
private key x 2 ZZp , the public key y is computed from management [9].
y gx mod p. The existing anonymous communication protocols are
Signature algorithm. The MES can also have many var- largely stemmed from either mixnet [11] or DC-net [12].
iants [18], [19]. For the purpose of efficiency, we will describe A mixnet provides anonymity via packet re-shuffling
the variant, called optimal scheme. To sign a message m, one through a set of mix servers (with at least one being
chooses a random k 2 ZZp1 , then computes the exponentiation trusted). In a mixnet, a sender encrypts an outgoing mes-
r gk mod p and solves s from: sage, and the ID of the recipient, using the public key of
the mix. The mix accumulates a batch of encrypted mes-
s rxhm; r k mod p 1; (1) sages, decrypts and reorders these messages, and for-
wards them to the recipients. Since mixnet-like protocols
rely on the statistical properties of the background traffic,
where h is a one-way hash function. The signature of message they cannot provide provable anonymity. DC-net [12],
m is defined as the pair r; s. [16] is an anonymous multi-party computation scheme.
Verification algorithm. The verifier checks whether the Some pairs of the participants are required to share
signature equation gs ryrhm;r mod p: If the equality holds secret keys. DC-net provides perfect (information-theo-
true, then the verifier Accepts the signature, and Rejects retic) sender anonymity without requiring trusted serv-
otherwise. ers. However, in DC-net, only one user can send at a
time, so it takes additional bandwidth to handle collision
and contention.
3 RELATED WORK Recently, message sender anonymity based on ring sig-
In [1], [2], symmetric key and hash based authentication natures was introduced [20]. This approach enables the
schemes were proposed for WSNs. In these schemes, message sender to generate a source anonymous message
1226 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 5, MAY 2014
l
signature with content authenticity assurance. To gener- 2. Calculate hA hm; r, where h is the same func-
ate a ring signature, a ring member randomly selects an tion used in the signature generation.
AS and forges a message signature for all other members. 3. Calculate x1 ; x2 sG rhA QA mod N.
Then he uses his trap-door information to glue the ring 4. The signature is valid if r x1 mod N, invalid
together. The original scheme has very limited flexibility otherwise.
and very high complexity. Moreover, the original paper In fact, if the signature is correctly generated, then:
only focused on the cryptographic algorithm, and the rel-
evant network issues were left unaddressed. x1 ; x2 sG rhA QA
rdA hA kA G rhA QA
4 PROPOSED SOURCE ANONYMOUS MESSAGE kA G rhA QA rhA QA
AUTHENTICATION ON ELLIPTIC CURVES
kA G:
In this section, we propose an unconditionally secure and
efficient SAMA. The main idea is that for each message m
Therefore, we have x1 r, and the verifier should Accept
to be released, the message sender, or the sending node,
the signature.
generates a source anonymous message authenticator for
the message m. The generation is based on the MES
scheme on elliptic curves. For a ring signature, each ring 4.2 Proposed SAMA on Elliptic Curves
member is required to compute a forgery signature for all Suppose that the message sender (say Alice) wishes to
other members in the AS. In our scheme, the entire transmit a message m anonymously from her network node
SAMA generation requires only three steps, which link to any other nodes. The AS includes n members,
all non-senders and the message sender to the SAMA A1 ; A2 ; . . . ; An , for example, S fA1 ; A2 ; . . . ; An g, where the
alike. In addition, our design enables the SAMA to be ver- actual message sender Alice is At , for some value
ified through a single equation without individually veri- t; 1 t n. In this paper, we will not distinguish between
fying the signatures. the node Ai and its public key Qi . Therefore, we also have
S fQ1 ; Q2 ; . . . ; Qn g.
4.1 Proposed MES Scheme on Elliptic Curves Authentication generation algorithm. Suppose m is a mes-
Let p > 3 be an odd prime. An elliptic curve E is defined by sage to be transmitted. The private key of the message
an equation of the form: sender Alice is dt ; 1 t N. To generate an efficient SAMA
for message m, Alice performs the following three steps:
E : y2 x3 ax b mod p;
1. Select a random and pairwise different ki for each
1 i n 1; i 6 t and compute ri from ri ; yi
where a; b 2 IFp , and 4a3 27b2 6 0 mod p. The set EIFp
ki G.
consists of all points x; y 2 IFp on the curve, together with
a special point O, called the point at infinity.
2. Choose a random P ki 2 ZZp and compute rt from
rt ; yt kt G i6t ri hi Qi such that rt 6 0 and
Let G xG ; yG be a base point on EIFp whose order is l
rt 6 ri for any i 6P t; where hi hm; ri :
a very large value N. User A selects a random integer
3. Compute s kt i6t ki rt dt ht mod N.
dA 2 1; N 1 as his private key. Then, he can compute his
The SAMA of the message m is defined as:
public key QA from QA dA G.
Signature generation algorithm. For Alice to sign a message Sm m; S; r1 ; y1 ; . . . ; rn ; yn ; s:
m, she follows these steps:
X
n
reference [10]. The basic idea of the Splitting Lemma is that
x0 ; y0 sG ri hi Qi
when a subset Z is large in a product space X Y , it will
i1
X X have many large sections. Lemma 2 is a slight modifica-
kt ki rt dt ht G ri hi Qi tion of the Forking Lemma presented in [10]. The proofs of
i6t i the two lemmas are mainly probability theory related. We
X X
will skip the proofs of these two lemmas here.
ki G kt G ri hi Qi
i6t i6t
Lemma 1 (The Splitting Lemma). Let Z X Y such that
X Prx; y 2 Z
". For any a < ", define W fx; y 2
ri ; yi rt ; yt X Y jPry0 2Y x; y0 2 Z
" ag, and W X Y nW ,
i6t
X then the following statements hold:
ri ; yi :
i 1. PrW
a.
2. 8x; y 2 W ; Pry0 2Y x; y0 2 Z
" a.
Therefore, the verifier should always Accept the SAMA. 3. PrW jZ
a=".
Remark 1. It is apparent that when n 1, SAMA becomes a Lemma 2 (The Forking Lemma). Let A be a Probabilistic Poly-
simple signature algorithm. nomial Time (PPT) Turing machine. Given only the public
data as input, if A can find, with non-negligible probability, a
4.4 Security Analysis valid SAMA m; S; r1 ; y1 ; . . . ; rn ; yn ; h1 ; . . . ; hn ; s within a
In this section, we will prove that the proposed SAMA bounded polynomial time T , then with non-negligible probabil-
scheme can provide unconditional source anonymity and ity, a replay of this machine, which has control over A and a
provable unforgeability against adaptive chosen-message different oracle, outputs another valid SAMA m; S; r1 ;
attacks. y1 ; . . . ; rn ; yn ; h01 ; . . . ; h0n ; s, such that hi h0i , for all
1 i v; i 6 j for some fixed j.
4.4.1 Anonymity Theorem 2. The proposed SAMA is secure against adaptive cho-
sen-message attacks in the random oracle model.
In order to prove that the proposed SAMA can ensure
unconditional source anonymity, we have to prove that: Proof. (Sketch) If an adversary can forge a valid SAMA with
1) for anybody other than the members of S, the probability non-negligible probability, then according to the Forking
to successfully identify the real sender is 1=n, and 2) any- Lemma, the adversary can obtain two valid SAMAs
body from S can generate SAMAs. Sm m; S; r1 ; y1 ; . . . ; rn ; yn ; h1 ; . . . ; hn ; s, and Sm
m; S; r1 ; y1 ; . . . ; rn ; yn ; h01 ; . . . ; h0n ; P
s, such that for P1 i
Theorem 1. The proposed SAMA can provide unconditional n
n; i 6 j;Phi h0i ; hj 6 hP 0
and sG r i hi Q i i ri ; yi ;
message sender anonymity. j i1
s0 G ni1 ri h0i Qi i ri ; yi :
Proof. The identity of the message sender is uncondition-
ally protected with the proposed SAMA scheme. This Subtracting these two equations, we obtain s s0
is because, regardless of the senders identity, there are G rj hj h0j Qj : Equivalently, we have:
exactly N 1N 2 . . . N n different options to s s0
generate the SAMA. All of them can be chosen by any Qj G:
rj hj h0j
members in the AS during the SAMA generation proce-
dure with equal probability without depending on any
complexity-theoretic assumptions. The proof for the Therefore, we can compute the elliptic curve discrete
second part, that anybody from S can generate the logarithm of Qj in base G with non-negligible probabil-
SAMA, is straightforward. This finishes the proof of ity, which contradicts the assumption that it is compu-
this theorem. u
t tationally infeasible to compute the elliptic discrete
logarithm of Qj in base G. Therefore, it is computation-
4.4.2 Unforgeability ally infeasible for any adversary to forge a valid
The design of the proposed SAMA relies on the ElGamal SAMA. u
t
signature scheme. Signature schemes can achieve differ-
ent levels of security. Security against existential forgery
under adaptive-chosen message attacks is the maximum 5 AS SELECTION AND SOURCE PRIVACY
level of security. The appropriate selection of an AS plays a key role in mes-
In this section, we will prove that the proposed sage source privacy, since the actual message source node
SAMA is secure against existential forgery under adap- will be hidden in the AS. In this section, we will discuss
tive-chosen message attacks in the random oracle model techniques that can prevent the adversaries from tracking
[21]. The security of our result is based on ECC, which the message source through the AS analysis in combination
assumes that the computation of discrete logarithms on with local traffic analysis.
elliptic curves is computationally infeasible. In other Before a message is transmitted, the message source node
words, no efficient algorithms are known for non-quan- selects an AS from the public key list in the SS as its choice.
tum computers. This set should include itself, together with some other
We will introduce two lemmas. Lemma 1 is the Splitting nodes. When an adversary receives a message, he can possi-
Lemma, which is a well-known probabilistic lemma from bly find the direction of the previous hop, or even the real
1228 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 5, MAY 2014
Any node in the active routing path can verify the con-
tents authenticity and integrity. However, anybody who
receives a packet in the transmission can possibly exclude
some of the nodes in the WSNs as the possible source
node. Inclusion of these nodes in the AS will not increase
the source privacy. Nevertheless, the more the nodes
included in the AS are, the higher the energy cost will be.
Therefore, the selection of the AS has to be done with care
Fig. 1. Anonymous set selection in active routing.
so that the energy cost and the source privacy can both be
optimized.
node of the previous hop. However, the adversary is unable In addition, to balance the power consumption between
to distinguish whether the previous node is the actual authenticity and integrity verification, and the possibility
source node or simply a forwarder node if the adversary is that corrupted messages are being forwarded, the verifica-
unable to monitor the traffic of the previous hop. Therefore, tion service may not have to take place in every hop;
the selection of the AS should create sufficient diversity so instead, it may be configured to take place in every other
that it is infeasible for the adversary to find the message hop, for instance.
source based on the selection of the AS itself.
Some basic criteria for the selection of the AS can be 6 KEY MANAGEMENT AND COMPROMISED NODE
described as follows: DETECTION
To provide message source privacy, the message In our scheme, we assume that there is an SS whose respon-
source needs to select the AS to include nodes from sibilities include public-key storage and distribution in the
all directions of the source node. In particular, the WSNs. We assume that the SS will never be compromised.
AS should include nodes from the opposite direction However, after deployment, the sensor node may be cap-
of the successor node. In this way, even the immedi- tured and compromised by the attackers. Once compro-
ate successor node will not be able to distinguish the mised, all information stored in the sensor node will be
message source node from the forwarder based on accessible to the attackers. We further assume that the com-
the message that it receives. promised node will not be able to create new public keys
Though the message source node can select any node that can be accepted by the SS.
in the AS, some nodes in the AS may not be able to For efficiency, each public key will have a short identity.
add any ambiguity to the message source node. For The length of the identity is based on the scale of the WSNs.
instance, the nodes that are apparently impossible or
very unlikely to be included in the AS based on the 6.1 Compromised Node Detection
geographic routing. Therefore, these nodes are not As a special scenario, we assume that all sensor informa-
appropriate candidates for the AS. They should be tion will be delivered to a sink node, which can be co-
excluded from the AS for energy efficiency. located with the SS. As described in Section 5, when a mes-
To balance the source privacy and efficiency, we sage is received by the sink node, the message source is
should try to select the nodes to be within a prede- hidden in an AS. Since the SAMA scheme guarantees that
fined distance range from the routing path. We rec- the message integrity is untampered, when a bad or mean-
ommend selecting an AS from the nodes in a band ingless message is received by the sink node, the source
that covers the active routing path. However, the AS node is viewed as compromised. If the compromised
does not have to include all the nodes in the routing source node only transmits one message, it would be very
path. difficult for the node to be identified without additional
The AS does not have to include all nodes in that network traffic information. However, when a compro-
range, nor does it have to include all the nodes in the mised node transmits more than one message, the sink
active routing path. In fact, if all nodes are included node can narrow the possible compromised nodes down
in the AS, then this may help the adversary to iden- to a very small set.
tity the possible routing path and find the source As shown in Fig. 2, we use the circle to represent an AS.
node. When only one message is transmitted, the sink node can
As an example, suppose we want to transmit a packet only obtain the information that the source node will be in
from source node S to destination node D in Fig. 1. We a set, say AS1 . When the compromised source node trans-
select the AS to include only nodes marked with , while mits two messages, the sink node will be able to narrow
nodes marked as will not be included in the AS. Of all the source node down to the set with both vertical lines
these nodes, some of them are on the active routing path, and horizontal lines. When the compromised source node
while others are not. However, all these nodes are located transmits three messages, the source node will be further
within the shaded band area surrounding the active routing narrowed down to the shaded area. Therefore, if the sink
path. Suppose node A is compromised, unless node A col- node keeps tracking the compromised message, there is a
laborates with other nodes and can fully monitor the traffic high probability that the compromised node can be
of the source node S, it will not be able to determine isolated.
whether S is the source node, or simply a forwarder. Similar If the compromised nodes repeatedly use the same AS, it
analysis is also true for other nodes. makes traffic analysis of the compromised nodes feasible,
LI ET AL.: HOP-BY-HOP MESSAGE AUTHENTICATION AND SOURCE PRIVACY IN WIRELESS SENSOR NETWORKS 1229
TABLE 1 contain more than 216 nodes in our simulation, which is rea-
Performance Comparison of the Bivariate Polynomial-Based sonably large. For size n of the AS, we choose three values
Scheme in Two Different Scenarios: (a) The Original in the simulation: 10, 15 and 20.
Implementation under 8 MHz Mica2 Platform, and
(b) Our Implementation under 4 MHz Telosb We will compare the computational overhead, communica-
tion overhead, delivery ratio, energy consumption, transmission
delay, and memory consumption of our proposed scheme with
the bivariate polynomial-based scheme.
TABLE 2
Process Time (s) for the Two Schemes (16-bit, 4 MHz TelosB Mote)
LI ET AL.: HOP-BY-HOP MESSAGE AUTHENTICATION AND SOURCE PRIVACY IN WIRELESS SENSOR NETWORKS 1231
Fig. 3. Performance comparison of our proposed scheme and bivariate polynomial-based scheme.
TABLE 3
Memory (KB) for the Two Schemes (TelosB) (F Stands for Flash Memory)
dy 1 coefficients Mi 2 ZZp ; 0 i dy , where p 2 2l1 ; 2l is privacy, SAMA can be applied to any message to provide
a large prime number. The total length of the message is message content authenticity. To provide hop-by-hop
ldy 1. message authentication without the weakness of the built-
For our scheme, the message format is: m; S; r1 ; y1 ; . . . ; in threshold of the polynomial-based scheme, we then
rn ; yn ; s, where m; s; ri ; yi are all numbers with length proposed a hop-by-hop message authentication scheme
L 2l. S is the ID list for all the nodes included in the AS. based on the SAMA. When applied to WSNs with fixed
Assuming the network is composed of nodes in total, each sink nodes, we also discussed possible techniques for com-
ID will be of the length: dlog2 e. When n nodes are included promised node identification. We compared our proposed
in the AS, the length of S is ndlog2 e. Therefore, the total scheme with the bivariate polynomial-based scheme
length of one message for our scheme is: 4ln 1 ndlog2 e: through simulations using ns-2 and TelosB. Both theoreti-
The large communication overhead of the polynomial- cal and simulation results show that, in comparable sce-
based scheme will increase the energy consumption and narios, our proposed scheme is more efficient than the
message delay. The simulation results in Figs. 3a and 3b bivariate polynomial-based scheme in terms of computa-
demonstrate that our proposed scheme has a much lower tional overhead, energy consumption, delivery ratio, mes-
energy consumption and message transmission delay. sage delay, and memory consumption.
These simulations were carried out in ns-2 on RedHat Linux
system. The security levels 1, 2, 3, 4 correspond to symmet- ACKNOWLEDGMENTS
ric key sizes 24, 32, 40, and 64 bits, and elliptic curves key
size 48, 64, 80, and 128 bits, respectively. This research was supported in part by NSF grants CNS-
We also conduct simulations to compare the delivery 0845812, CNS-1117831, CNS-1217206, ECCS-1232109.
ratios using ns-2 on RedHat Linux system. The results
show that our scheme is slightly better than the bivariate REFERENCES
polynomial-based scheme in delivery ratio. The results are [1] F. Ye, H. Lou, S. Lu, and L. Zhang, Statistical En-Route Filtering
given in Fig. 3c. of Injected False Data in Sensor Networks, Proc. IEEE INFOCOM,
Our simulation on memory consumption derived in Mar. 2004.
TelosB, see Table 3, shows the overall memory consumption [2] S. Zhu, S. Setia, S. Jajodia, and P. Ning, An Interleaved Hop-By-
Hop Authentication Scheme for Filtering False Data in Sensor
for bivariate polynomial-based scheme is at least five times Networks, Proc. IEEE Symp. Security and Privacy, 2004.
larger than our proposed scheme. [3] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and
M. Yung, Perfectly-Secure Key Distribution for Dynamic Confer-
ences, Proc. Advances in Cryptology (Crypto 92), pp. 471-486, Apr.
8 CONCLUSION 1992.
[4] W. Zhang, N. Subramanian, and G. Wang, Lightweight and
In this paper, we first proposed a novel and efficient Compromise-Resilient Message Authentication in Sensor
SAMA based on ECC. While ensuring message sender Networks, Proc. IEEE INFOCOM, Apr. 2008.
1232 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 5, MAY 2014
[5] A. Perrig, R. Canetti, J. Tygar, and D. Song, Efficient Authentica- Yun Li received the BE degree from Xidian Uni-
tion and Signing of Multicast Streams over Lossy Channels, Proc. versity, Xian, China, in 2005, and the PhD
IEEE Symp. Security and Privacy, May 2000. degree in electrical and computer engineering
[6] M. Albrecht, C. Gentry, S. Halevi, and J. Katz, Attacking Crypto- from Michigan State University, East Lansing, in
graphic Schemes Based on Perturbation Polynomials, Report May 2010. He joined the Network Operating Sys-
2009/098, http://eprint.iacr.org/, 2009. tem Technology Group of Cisco System in 2010.
[7] R. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining He also joined the Server & Tools Division of
Digital Signatures and Public-Key Cryptosystems, Comm. ACM, Microsoft in 2012. His current research interests
vol. 21, no. 2, pp. 120-126, 1978. include wireless sensor networks, network secu-
[8] T.A. ElGamal, A Public-Key Cryptosystem and a Signature rity and cloud based data services.
Scheme Based on Discrete Logarithms, IEEE Trans. Information
Theory, vol. IT-31, no. 4, pp. 469-472, July 1985.
[9] H. Wang, S. Sheng, C. Tan, and Q. Li, Comparing Symmetric-Key Jian Ren received the BS and MS degrees both
and Public-Key Based Security Schemes in Sensor Networks: A in mathematics from Shaanxi Normal University,
Case Study of User Access Control, Proc. IEEE 28th Intl Conf. Dis- China, and the PhD degree in electrical engineer-
tributed Computing Systems (ICDCS), pp. 11-18, 2008. ing from Xidian University, China. He is an asso-
[10] D. Pointcheval and J. Stern, Security Proofs for Signature ciate professor in the Department of Electrical
Schemes, Proc. Advances in Cryptology (EUROCRYPT), pp. 387- Communication Engineering at Michigan State
398, 1996. University, East Lansing. His current research
[11] D. Chaum, Untraceable Electronic Mail, Return Addresses, and interests include cryptography, network security,
Digital Pseudonyms, Comm. ACM, vol. 24, no. 2, pp. 84-88, Feb. energy efficient sensor network security protocol
1981. design, privacy-preserving communications, and
[12] D. Chaum, The Dinning Cryptographer Problem: Unconditional cognitive networks. He received the US National
Sender and Recipient Untraceability, J. Cryptology, vol. 1, no. 1, Science Foundation Faculty Early Career Development (CAREER)
pp. 65-75, 1988. Award in 2009. He is a senior member of the IEEE.
[13] A. Pfitzmann and M. Hansen, Anonymity, Unlinkability,
Unobservability, Pseudonymity, and Identity Management
a Proposal for Terminology, http://dud.inf.tu-dresden.de/ Jie Wu is the chair and a professor in the Depart-
literatur/Anon_Terminology_v0.31.pdf, Feb. 2008. ment of Computer and Information Sciences,
[14] A. Pfitzmann and M. Waidner, Networks without User Observ- Temple University, Philadelphia, Pennsylvania.
abilityDesign Options., Proc. Advances in Cryptology (EURO- Prior to joining Temple University, he was a pro-
CRYPT), vol. 219, pp. 245-253, 1985. gram director at National Science Foundation.
[15] M. Reiter and A. Rubin, Crowds: Anonymity for Web Trans- His research interests include wireless networks
action, ACM Trans. Information and System Security, vol. 1, no. 1, and mobile computing, routing protocols, fault-
pp. 66-92, 1998. tolerant computing, and interconnection net-
[16] M. Waidner, Unconditional Sender and Recipient Untraceability works. He serves in the editorial board of the
in Spite of Active Attacks, Proc. Advances in Cryptology (EURO- IEEE Transactions on Computers and Journal of
CRYPT), pp. 302-319, 1989. Parallel and Distributed Computing. He is a pro-
[17] D. Pointcheval and J. Stern, Security Arguments for Digital Sig- gram cochair for IEEE INFOCOM 2011. He was also the general cochair
natures and Blind Signatures, J. Cryptology, vol. 13, no. 3, pp. 361- for IEEE MASS 2006, IEEE IPDPS 2008, and DCOSS 2009. He cur-
396, 2000. rently serves as an ACM distinguished speaker and is the chairman of
[18] L. Harn and Y. Xu, Design of Generalized ElGamal Type Digital the IEEE Technical Committee on Distributed Processing. He is a fellow
Signature Schemes Based on Discrete Logarithm, Electronics Let- of the IEEE.
ters, vol. 30, no. 24, pp. 2025-2026, 1994.
[19] K. Nyberg and R.A. Rueppel, Message Recovery for Signature
Schemes Based on the Discrete Logarithm Problem, Proc. Advan- " For more information on this or any other computing topic,
ces in Cryptology (EUROCRYPT), vol. 950, pp. 182-193, 1995. please visit our Digital Library at www.computer.org/publications/dlib.
[20] R. Rivest, A. Shamir, and Y. Tauman, How to Leak a Secret,
Proc. Advances in Cryptology (ASIACRYPT), 2001.
[21] M. Bellare and P. Rogaway, Random Oracles are Practical: A Par-
adigm for Designing Efficient Protocols, Proc. ACM First Conf.
Computer and Comm. Security (CCS 93), pp. 62-73, 1993.
[22] Cryptographic Key Length Recommendation, http://www.
keylength.com/en/3/, 2013.