Multi-user Broadcast Authentication in Wireless

Sensor Networks

Kui RenWorcester Polytechnic Institute,

Worcester, MA 01609kren@ece.wpi.edu

Wenjing LouWorcester Polytechnic Institute,

Worcester, MA 01609wjlou@ece.wpi.edu

Yanchao ZhangNew Jersey Institute of Technology,

Newark, NJ 07102yczhang@njit.edu

Abstract- Broadcast authentication is a critical securityservice in wireless sensor networks (WSNs), as it allows themobile users of WSNs to broadcast messages to multiplesensor nodes in a secure way. Although symmetric-key-based solutions such as ,uTESLA and multilevel ,uTESLAhave been proposed, they all suffer from severe energy-depletion attacks resulted from the nature of delayed mes-sage authentication. This paper presents several efficientpublic-key-based schemes to achieve immediate broadcastauthentication and thus avoid the security vulnerabilityintrinsic to uTESLA-like schemes. Our schemes are builtupon the unique integration of several cryptographictechniques, including the Bloom filter, the partial messagerecovery signature scheme and the Merkle hash tree. Weprove the effectiveness and efficiency of the proposedschemes by a comprehensive quantitative analysis of theirenergy consumption in both computation and communi-cation.

I. INTRODUCTION

Wireless sensor networks (WSNs) have enabled datagathering from a vast geographical region and presentunprecedented opportunities for a wide range of track-ing and monitoring applications from both civilian andmilitary domains [1], [2]. In these applications, WSNsare expected to process, store, and provide the senseddata to the network users upon their demands [20]. Asthe most common communication paradigm, the networkusers are expected to issue the queries to the networkin order to obtain the information of their interest.Furthermore, in wireless sensor and actuator networks(WSANs) [2], the network users may need to issuetheir commands to the network (probably based on theinformation they received from the network). In bothcases, there could be a large number of users in theWSNs, which might be either mobile or static; and theusers may use their mobile clients to query or commandthe sensor nodes from anywhere in the WSN. Obviously,

broadcast/multicast' operations are fundamental to therealization of these network functions. Hence, it is alsohighly important to ensure broadcast authentication forthe security purpose.

Broadcast authentication in WSNs was first addressedby ,uTESLA [26]. In ,uTESLA, users of WSNs areassumed to be one or a few fixed sinks, which are alwaysassumed to be trustworthy. The scheme adopts a one-way hash function ho and uses the hash preimages askeys in a message authentication code (MAC) algorithm.Initially, sensor nodes are preloaded with Ko = V(x),where x is the secret held by the sink. Then, K1 =

hn-l(x) is used to generate MACs for all the broadcastmessages sent within time interval I1. During time inter-val 12, the sink broadcasts K1, and sensor nodes verifyh(K1) = Ko. The authenticity of messages receivedduring time interval I1 are then verified using K1. Thisdelayed disclosure technique is used for the entire hashchain and thus demands loosely synchronized clocksbetween the sink and sensor nodes. ,uTESLA is laterenhanced in [17] to overcome the length limit of the hashchain. Most recently, ,uTESLA is also extended in [18]to support multiuser scenario but the scheme assumesthat each sensor node only interacts with a very limitednumber of users.

It is generally held that ,uTESLA-like schemes havethe following shortcomings even in the single-user sce-nario: 1) all the receivers have to buffer all the messagesreceived within one time interval; 2) they are subjectto Wormhole attacks [11], where messages could beforged due to the propagation delay of the disclosedkeys. However, here we point out a much more seriousvulnerability of ,uTESLA-like schemes when they areapplied in multi-hop WSNs. Since sensor nodes buffer

'For our purpose, we do not distinguish multicast from broadcastin this paper.

1-4244-1268-4/07/$25.00 t2007 IEEE

Thiisfull textpaper waspeer reviewed at the direction ofIEEE Communications Society subject matter expertsfor publication in the IEEE SECON 2007proceedings.223

all the messages received within one time interval, anadversary can hence flood the whole network arbitrarily.All he has to do is to claim that the flooding messagesbelong to the current time interval which should bebuffered for authentication until the next time interval.Since wireless transmission is very expensive in WSNs,and WSNs are extremely energy constrained, the abilityto flood the network arbitrarily could cause devastatingDenial of Service (DoS) attacks. Moreover, this type ofenergy-depletion DoS attacks become more devastatingin multiuser scenario as the adversary now can havemore targets and hence more chances to generate bogusmessages without being detected. Obviously, all theseattacks are due to delayed authentication of the broadcastmessages. In [11], TIK is proposed to achieve immediatekey disclosure and hence immediate message authenti-cation based on precise time synchronization betweenthe sink and receiving nodes. However, this techniqueis not applicable in WSNs as pointed out by the au-thors. Therefore, multiuser broadcast authentication stillremains a wide open problem in WSNs.When ,uTESLA was proposed, sensor nodes were

assumed to be extremely resource-constrained, especiallywith respect to computation capability, bandwidth avail-ability, and energy supply [26]. Therefore, public keycryptography (PKC) was thought to be too computation-ally expensive for WSNs, though it could provide muchsimpler solutions with much stronger security resilience.At the same time, the computationally efficient one-time signature schemes are also considered unsuitable forWSNs, as they usually involve intense communications[26]. However, recent studies [8], [28], [31] showedthat, contrary to widely held beliefs, PKC with evensoftware implementations only is very viable on sensornodes. For example [31], Elliptic Curve Cryptography(ECC) signature verification takes 1.61s with 160-bitkeys on ATmegal28 8MHz, a processor used in currentCrossbow motes platform [7]. Furthermore, the com-putational cost is expected to fall faster than the costto transmit and receive. For example, ultra-low-powermicrocontrollers such as the 16-bit Texas InstrumentsMSP430 [30] can execute the same number of instruc-tions at less than half the power required by the 8-bitATmega128L. The benefits of transmitting shorter ECCkeys and hence shorter messages/signatures will in turnbe more significant. Moreover, next generation sensornodes are expected to combine ultra-low power circuitrywith so-called power scavengers such as Heliomote [15],which allow continuous energy supply to the nodes.At least 8- 20uW of power can be generated using

MEMS-based power scavengers [3]. Other solar-basedsystems are even able to deliver power up to 100mW forthe MICA Motes [15], [16]. These results indicate that,with the advance of fast growing technology, PKC isno longer impractical for WSNs, though still expensivefor the current generation sensor nodes, and its wideacceptance is expected in the near future [8].

Having this observation and knowing that symmetric-key-based solutions such as ,uTESLA are insufficient forbroadcast authentication in WSNs, we resort to PKCfor more effective solutions. In this paper, we addressmultiuser broadcast authentication problem in WSNs bydesigning PKC-based solutions with minimized compu-tational and communication costs.Overview of the paper: In this paper, we propose fourdifferent public-key-based approaches and provide in-depth analysis of their advantages and disadvantages.In all the four approaches, the users are always au-thenticated through their public keys. We first proposea straightforward certificate-based approach and pointout its high energy inefficiency with respect to bothcommunication and computation costs. We then proposea direct storage based scheme, which has high efficiencybut suffers from the scalability problem. A Bloom filterbased scheme is further proposed to improve the memoryefficiency over the direct storage based scheme. Furthertechniques are also developed to increase the securitystrength of the proposed scheme. Lastly, we propose ahybrid scheme to support a larger number of networkusers by employing the Merkle hash tree technique. Wegive an in-depth quantitative analysis of the proposedschemes and demonstrate their effectiveness and effi-ciency in WSNs in terms of energy consumption.Contributions: This paper makes the following contri-butions: 1) We identify the problem of multiuser broad-cast authentication in WSNs and point out a serious se-curity vulnerability inherent to the symmetric-key based,uTESLA-like schemes. 2) We come up with severalPKC-based schemes to address the proposed problemwith minimized computational and communication costs.We achieve our goal by integrating several cryptographicbuilding blocks, such as the Bloom filter, the partialmessage recovery signature scheme, and the Merklehash tree, in an innovative manner. 3) We analyze boththe performance and security resilience of the proposedschemes. A quantitative energy consumption analysis isgiven in detail and demonstrates the effectiveness andefficiency of the proposed schemes.Organization of the paper: The remaining part ofthis paper is as follows: In Section II, we introduce

224

the cryptographic mechanisms to be used. Section IIIpresents the system assumption, adversary model, andsecurity objectives. In Section IV, we introduce two basicschemes. We further propose two advanced schemes anddetail the underlying design logic in Section V. SectionVI analyzes the performance of the proposed schemes,and we conclude our paper in Section VII.

II. PRELIMINARIES

The Bloom Filter: A Bloom filter is a simple space-efficient randomized data structure for representing a setin order to support membership queries [23]. A Bloomfilter for representing a set S = sI, S2, ..., sn of nelements is described by a vector V of m bits, initiallyall set to 0. A Bloom filter uses k independent hashfunctions h1, ..., hk with range 0, ..., m- 1, which mapeach item in the universe to a random number uniformover [0, ..., m- 1]. For each element s E S, the bits hi(s)are set to 1 for 1 < i < k. Note that a bit of V can beset to 1 multiple times. To check if an item x is in S,we check whether all bits hi (x) are set to 1. If not, x isnot a member of S for certain, that is, no false negativeerror. If yes, x is assumed to be in S. A Bloom filter mayyield a false positive. It may suggest that an element x

is in S even though it is not. The probability of a falsepositive for an element not in the set can be calculated asfollows. After all the elements of S are hashed into theBloom filter, the probability that a specific bit is still 0 is(1 1)k e-k/m* The probability of a false positivef is then f = (1 -(1 - )k)k (1_ e-km)kThe Merkle Hash Tree: A Merkle Tree is a con-

struction introduced by Merkle in 1979 to build secureauthentication schemes from hash functions [22]. It is atree of hashes where the leaves in the tree are hashesof the authentic data values nI, n2, ..., n,. Nodes furtherup in the tree are the hashes of their respective children.For instance, assuming that w = 4 in Fig. 1, the valuesof the four leaf nodes are the hashes of the data values,h(ni), i = 1, 2, 3, 4, respectively, under a one-way hashfunction ho (e.g., SHA-1 [25]). The value of an internalnode A is ha= h(h(ni) Ih(n2)), and the value of theroot node is hr h(ha Ihb). hr is used to commit to theentire tree to authenticate any subset of the data valuesni, n2, n3, and n4 in conjunction with a small amountof auxiliary authentication information AAI (i.e., log2 Nhash values where N is the number of leaf nodes). Forexample, a receiver with the authentic hr requests for n3and requires the authentication of the received n3. Thesource sends the AAI :< ha, h(n4) > to the receiver. Thereceiver can then verify n3 by first computing h(n3),

Root

he, ~~~~~~~~b

h(ni) h(n2) h(n3) h(n4)

n1 X n2 n3X n44

Fig. 1. An example of Merkle hash tree

hb = h(h(n3)lh(n4)) and hr = h(ha Jhb), and thenchecking if the calculated hr is the same as the authenticroot value hr

III. SYSTEM MODEL, ADVERSARY MODEL, ANDDESIGN GOALS

System Model: In this paper, we consider a largespatially distributed WSN, consisting of a fixed sink(s)and a large number of sensor nodes. The sensor nodesare usually resource-constrained with respect to memoryspace, computation capability, bandwidth, and powersupply. The WSN is aimed to offer information servicesto many network users that roam in the network, inaddition to the fixed sink(s) [20]. The network usersmay include mobile sinks, vehicles, and people withmobile clients, and they are assumed to be more pow-erful than sensor nodes in terms of computation andcommunication abilities. For example, the network userscould consist of a number of doctors, nurses, medicalequipment (acting as actuators) and so on, in the caseof CodeBlue [19], where the WSN is used for emer-gency medical response. These network users broadcastqueries/commands through sensor nodes in the vicinity,and expect the replies that reflect the latest networkinformation. The network users can also communicatewith the sink or the backend server directly withoutgoing through the WSN if necessary. We assume thatthe sink is always trustworthy but the sensor nodes aresubject to compromise. At the same time, the users ofthe WSN may be dynamically revoked due to eithermembership changes or compromise, and the revocationpattern is not restricted. We also assume that the WSNis loosely synchronized.

Adversary Model: In this paper, we assume that theadversary's goal is to inject bogus messages into thenetwork, attempt to deceive sensor nodes, and obtainthe information of his interest. Additionally, Denial ofService (DoS) attacks such as bogus message flooding,aiming at exhausting constrained network resources, isanother important focus of the paper. We assume that

225

the adversary is able to compromise both network usersand the sensor nodes. The adversary hence could exploitthe compromised users/nodes for such attacks. However,we do assume that adversary cannot compromise anunlimited number of sensor nodes.

Design Goals: Our security goal is straightforward:all messages broadcasted by the network users of theWSN should be authenticated so that the bogus onesinserted by the illegitimate users and/or compromisedsensor nodes can be efficiently rejected/filtered. We alsofocus on minimizing the overheads of the security de-sign. Especially, energy efficiency (with respect to bothcommunication and computation) and storage overheadare given priority to cope with the resource-constrainednature of WSNs.

IV. THE BASIC SCHEMES

A. The Certificate-Based Authentication Scheme (CAS)CAS works as follows. Each user (not a sensor) of

the WSN is equipped with a public/private key pair(PK/SK), and signs every message he broadcasts withhis SK using a digital signature scheme such as ECDSA[10]. Note that in all our designs, we do not requiresensors to have public/private key pairs for themselves.To prove the user's ownership over his public key, thesink2 is also equipped with a public/private key pair andserves as the certification authority (CA). The sink issueseach user a public key certificate, which, to its simplestform, consists of the following contents: CertuIDUID, PKUID, ExpT, SIGSKsikA{h(UID ExpT PKUID)},where UID denotes the user's ID, PKUID denotes itspublic key, ExpT denotes certificate expiration time,and SIGSKsink{h(UIDJJExpT||PKUID)} is a signatureover h(UID lExpTI PKUID) with SKSink. Hence, a

broadcast message is now of the form as follows:

< M, tt, SIGSK(ID{h(UID JttJ M)},CertUID > (I)

Here, M denotes the broadcast message and tt de-notes the current time. For the purpose of messageauthentication, sensor nodes are preloaded with PKsinkbefore the network deployment; and message verificationcontains two steps: the user certificate verification andthe message signature verification.CAS suffers from two main drawbacks. First and

foremost, it is not efficient in communication, as thecertificate has to be transmitted along with the mes-sage across every hop as the message propagates inthe WSN. A large per message overhead will result

2We assume that the sink represents the network planner.

in more energy consumption on every single sensornode. In CAS, the per message overhead is as highas |tt| + ISIGSKu D{h(UID||M)}j + ICertuID = 128bytes. As in [31], the user certificate is at least 86bytes, when ECDSA-160 [10] is used. Here, we assumethat tt and UID are both two bytes, in which case thescheme supports up to 65, 535 network users. Moreover,

ISIGSKUID {h(UID M)} = 40 bytes, when ECDSA-160[10] is assumed. Second, to authenticate each message,it always takes two expensive signature verification op-erations. This is because the certificate should always beauthenticated in the first place.B. The Direct Storage Based Authentication Scheme(DAS)One way to reduce the per message overhead and

the computational cost is to eliminate the existenceof the certificate. A straightforward approach is thento let sensor nodes simply store all the current users'ID information and their corresponding public keys. Inthis way, a broadcast message now only contains thefollowing contents:

< M, tt, SIGSKUID {h(UID lItt JM)}, UID, PKUID > (II)

Verifying the authenticity of a user public key is reducedto finding out whether or not the attached user/publickey pair is contained in the local memory. Upon userrevocation, the sink simply sends out ID informationof the revoked user, and every sensor node deletes thecorresponding user/public key pair in its memory.The drawbacks of DAS are obvious. Given a storage

limit of 5 KB, only 232 users can be supported at most;even with a memory space of 19.5 KB, DAS can onlysupport up to 1, 000 users. At the same time, CAS cansupport up to 2, 560 users given the same storage limit 5KB. The reason is that in CAS only the ID informationof the revoked users are stored by the sensor nodes.Therefore, DAS is neither memory efficient nor scalable.However, the advantage of DAS is also significant ascompared to CAS. It successfully reduces the per mes-sage overhead down to tt + SIGSKuID {h(UID JM) } +IUIDI + PKUID I= 64 bytes. The above analysis clearlyshows that more advanced schemes are needed other thanDAS and CAS. And the direction to seek is to improvestorage efficiency while retaining or further reducing theper message overhead.

V. THE ADVANCED SCHEMES

A. The Bloom Filter Based Authentication Scheme (BAS)

226

System Preparation: The sink generates the publickeys for all network users, and constructs the set:

S = {< UIDl: PKUID. >~< UID2, PKUID2 > ,}.where #{S} = N, and #{} denotes the cardinality ofthe set. Using the Bloom filter, the sink can apply ksystem-wide hash functions (cf. Section II.B) to map theelements of S (each with L + 2 bytes, that is, UIDI = 2bytes, and IPKUIDI= L bytes) to an m-bit vector Vwith V = vovl...Vmv, where we have m < N(L + 2)to reduce the filter size and m > kN to retain a smallprobability of a false positive. These k hash functionsare known by every node and the sink. For each vi, i E[0, m- 1], we have

The Bloom Filter The CountingBloom Filter

hi(*) I

.,h2(*) '

hk(*)

lei ukese

public keys

Fig. 2. An example of the Bloom filter and Counting Bloom Filter

Vi=

if 3 1 c [1, k],j c [1, N],s.t. hl (UIDj II PKUID)otherwise

Additionally, the sink constructs a counting Bloom filterV of mr*c bits with V = VOV1...Vm- , where each vi, i E[0, m- 1] is a c-bit counter, i.e., IviI = c bits. The valueof vi is determined as follows:

vi #{(IDj, PKUID3j) lh(UIDj |PKUID))

for 3 1 C [1,k],j C [1,N]}.

And c [log2 (max(vi, i E [0, m- 1]))] bits, which isusually of 4 bits for most applications [9]. The aboveoperations are illustrated in Fig. 2. The sink finallypreloads each sensor node with V (not including V), as

well as the sink's public key and the common domainparameters of the ECDSA signature scheme.Message Signing and Authentication: Let PKuID

Wpub = sG, be the public key of user UID, where s isthe private key of the signer, and G is the generatorof a subgroup of an elliptic curve group of order r.

Let SK (.) be a symmetric key cipher such as AES. Tobroadcast a message M (IMI > 10 bytes), UID takes thesteps below following [24], a variant of ECDSA with thepartial message recovery property:

Concatenate < M Itt UID >, and break it into twoparts, M1 and M2, where IMlI < 10 bytes.Generate a random key pair {u, V}, where u c

[1, r -1], V = uG = (x1, yi), and (xi mod r) z0.Encode-and-hash V into an integer I [24].Form F1 from M1 by adding the proper redundancy[12].Compute C = (I + F1) mod r, and make sure thatC z 0 or repeat the above steps otherwise.

Compute F2 h(M2), and Dmod r.

. Repeat all the above steps if Dsignature as < C, D > otherwise.

Then, UID broadcasts

u-(F2 +sC)

0; Output the

<AM2, C, D, Wpub>, (III)

where tt and UID are parts of M2. And this is the knownsimplest message format that can be achieved usingPKC3. Now, upon receiving a broadcast message (notfrom the sink), a sensor node checks the authenticity ofthe message in two steps. First, it checks the authenticityof the corresponding public key by verifying its mem-bership in S. To do so, the sensor node checks whether

V[hl(UID |PKUID) 1, I E [1, k], and a negative result

will lead to the discarding of the message. We note thathere a false positive may happen due to the probabilisticnature of the Bloom filter, but only with a very small(negligible) probability when appropriate parameters are

chosen as we will analyze later. Second, it verifies theattached signature as follows:

Discard the message if C [1, r- 1] or D [1, r-1].* Compute F2= h(M2), H D- mod r, and HIF2H mod r.

Compute H2 = CH mod r, and P = H1G +H2Wpub.

. Discard the message if P 0.

3The claim is true only when ID-based cryptography [29] isexcluded from consideration, in which case the user's ID is also hispublic key. Furthermore, the shortest signature size possibly obtainedfrom pairing is around 22 bytes [6], which is shorter than 40 bytesobtained from ECDSA. However, to apply a pairing-based scheme(i.e., a ID-based signature or short signature) on sensor nodes, theknown reachable signature size has to be 84 bytes, even when a 32-bit microprocessor can be used [32]. And the energy cost is alsomultiple times higher than that of an ECDSA-160 signature.

227

m-bitvector

* Encode-and-hash P into an integer I [24] andcompute F1 = C -I mod r.

. Discard the message if the redundancy of F1 isincorrect.

. Otherwise accept M1 (obtained from F1) and thesignature and reconstruct M |tt UID = M1 IM2.

User Revocation/Addition: To revoke a user, sayUIDj, the sink follows the steps below:

* First, it hashes h, (UIDj PKUD)= i and decreasesvi by 1. It repeats this operation for all hl, I E [1, k].

. From the updated counting Bloom filter V, the sinkobtains the corresponding updated Bloom filter V'with V' = v'v ...vl_,. Here, v' = 1 only whenvi > 1, and vl = 0 otherwise.

* The sink further calculates VA = V' (DV and deletesV afterwards. Here D denotes bitwise exclusiveOR operation. Obviously, VA is an m-bit vectorwith at most k bits set to 1. Hence, VA can besimply represented by enumerating its 1-valued bits,requiring k [log2 m] bits for indexing (k < k). Thisrepresentation is efficient for a small k as will beanalyzed in Section VI.B.

. The sink finally broadcasts VA after signing it. Themessage format follows (III) but with the sink'spublic key omitted, as every sensor already has it.

. Upon receiving and successfully authenticating thebroadcast message, every sensor node updates itsown Bloom filter accordingly, that is, if vA,i = 1,then vi = 0, iC [0, m-1].

BAS also supports simultaneous multiuser revocation.Suppose that Nrev users are revoked simultaneously.The sink follows the same manner to construct VAwith k bits set 1. Now we have k < kNrev. Further-more, the compressed message for representing VA nowcould achieve mH(p) bits theoretically, where H(p) =

plog2 p -(1 p)log2 (1 -p) is the entropy functionand p = (1 - k is the probability of each bit being 0in VA. As pointed out in [23], using arithmetic codingtechnique can efficiently approach this lower bound.BAS supports dynamic user addition in two ways.

First, it enables a later binding of network users and their(ID, public key) pairs. In this approach, the sink maygenerate more (ID, public key) pairs than needed duringsystem preparation. When a new network user joins theWSN, it will be assigned an unused ID and public keypair by the sink. Second, BAS could add new networkusers after the revocation of old members. This approach,however, could only add the same number of new usersas that of the revoked. This requirement ensures that the

Fig. 3. The minimum probability of a false positive regarding m

probability of a false positive never increases in BAS.To do so, the sink updates its counting Bloom filterby hashing the new user's information into the currentBloom filter. The sink then obtains a VA in the sameway as in the revocation case, and broadcasts it aftercompression. This time, if vA,i = 1, sensor nodes willset vi = 1, i c [0, m- 1] to update their current Bloomfilters.B. Minimize the Probability of a False Positive

Since the Bloom filter provides probabilistic member-ship verification only, it is important to make sure thatthe probability of a false positive is as small as possible.Theorem 1: Given the number of network users N

and the storage space m bits for a single Bloom filter,the minimum probability of a false positive f that canbe achieved is 2 with k Iin 2. that is,

f (0.6185) N

Proof: since f = (1-(1 )N)k (1_ ewe then have f = ekln( e_-k/m). Let g =

e-kNlin). Hence, minimizing f is equivalentmizing g with respect to k. We find

-kNITn)k

kln(l-to mini-

d ln( ekNm)+ kN e-kNImdk m 1 - -kN1m

It is easy to check that the derivative is 0 when kinIn 2. And it is not hard to show that this is a globalminimum [23]. Note that in practice, k must be aninteger. D

Fig. 3 shows the probability of a false positive f asa function of TN' i.e., bits per element. We see that fdecreases sharply as Tn increases. When N increasesN ~~~Nfrom 8 to 96 bits, f decreases from 2.1 * 10-2 to9.3*10-21. Obviously, f determines the security strengthof our design. For example, when Tn 92 bits, theadversary has to generate around 263.8 public/private keypairs on average before finding a valid one to pass theBloom filter. This is almost computationally infeasible,

228

k. .n /N)h2

.w9

u-

f6636*10

DO - leq,'- f = 2.03*-7,f°ie= 4.4210

Do -o(C,

DO*- C/

Do-'-" ;DO-

Fig. 4. Maximum supported number of network users with respectto storage limit

at least within the lifetime of the WSN (usually atmost several years). However, when m 64 bits,Nthe adversary is now expected to generate around 244.4public/private key pairs before finding a valid pair. Theanalysis below shows the time and cost of the attack.To generate a public/private key pair in ECDSA-160, apoint multiplication operation has to be performed, forwhich the fastest known implementation speed is 0.21msthrough a specialized FPGA design [14]. Suppose theadversary could afford 100,000 such FPGAs, whichwould cost no less than one million dollars. Then, byexecuting 100,000 FPGAs simultaneously, to generateone valid key pair still takes 13.2 hours roughly. Withthe above analysis, we suggest to select the value of fcarefully according to the security requirements of thedifferent types of applications. Given a highly securitysensitive military application, we suggest that f shouldbe no larger than 6.36 * 10-20, i.e., m/N > 92 bits.On the other hand, when the targeted applications areless security sensitive as in the civilian scenario, wecan tolerate a larger f. This is because the adversaryis now generally much less resourceful as compared tothe former case.C. Maximum Number of Network Users Supported

It is important to know how many network users canbe supported in BAS so that the WSN can be wellplanned. The following theorem provides the answer.Theorem 2: Given the storage space m bits for a

single Bloom filter and the required probability of a falsepositive freq (freq C (0,1)), the maximum number ofnetwork users that can be supported is m(In 2)2, that is,

In f,,q

N <-0.4805mIn freq

Proof: Since the minimal probability of a false positivef = 2-k is achieved with k = Nn2, we have freq2- N 2 Then, we can easily get N = Tn2) in this

case; and this is the maximum number of users that canbe supported given freq and m. D

Fig. 4 illustrates the maximum supported number ofnetwork users as a function of the storage limit. Fig. 4shows that BAS supports up to 1,250 users when freq =4.42 * 10-14, 1,000 users when freq 2.03 * 10-17, and869 users when freq= 6.36 * 10-20, for a storage spaceof 9.8 KB. Obviously, BAS also allows tradeoff betweenthe maximum supported number of network users andthe probability of a false positive given a fixed storagelimit.D. Supporting More Users using the Merkle Hash Tree:The Hybrid Authentication Scheme (HAS)Through the above analysis, we know that the max-

imum supported number of network users is usuallylimited given the storage limit and the probability of afalse positive. For example, if freq = 6.36 * 10-20 andthe storage limit is 4.9 KB, the maximum number ofusers supported by BAS is 434. Therefore, an additionalmechanism has to be employed to support more userswhen necessary. HAS achieves this goal by employingthe Merkle hash tree technique, which trades the messagelength for the storage space. That is, by increasing theper message overhead, HAS can support more networkusers. Specifically, HAS works as follows.

The sink first calculates the maximum number of userssupported in case of BAS according to the given storagelimit and the desired probability of a false positive. Itthen collects all the public keys of the current networkusers and constructs a Merkel hash tree. In fact, the sinkconstructs N leaves with each leaf corresponding to acurrent user of the WSN. For our problem, each leaf nodecontains the binding between the corresponding user IDand his public key, that is, h(UID, PKUID). The valuesof the internal nodes are determined by the methodintroduced in Section II.C. The sink further prunes theMerkle hash tree into a set of equal-sized smaller trees.We denote the value of the root node of a small hashtree as h', i = 1,..., S, where ISI equals the maximumnumber of supported users the sink calculates in BAS.

Next, the sink constructs a Bloom filter V followingthe same way as described in the last section. The differ-ence is that now the member set S {hl, h2, ..., h 1}.Then, the sink preloads each sensor node with V. At thesame time, each user should obtain its AAI accordingto his corresponding leaf node's location in the smallerMerkle hash tree. Let T denote all the nodes along thepath from a leaf node to the root (not including the root),and A be the set of nodes corresponding to the siblingsof the nodes in T. Then, AAI further corresponds to the

229

l--1-CAS ,N < = 5 ,0 0 0

0--O-DAS,N <= 454BAS,N <= 869, f 6636110 /

o N <= 1,OOO,f = 2.03-10 /

,0 N<= 1,250, f = 4A2110l4O----HAS ,N <= 1,739, f~ 6 36g /

HAS N <=3,4.8, f 6̀.

Fig. 5. Energy consumption in communication regarding differentschemes

values associated with the nodes in A. Obviously, AAIis of size (L * log2 Sl ) bytes, where L is the length ofthe hash values. Upon user revocation, the sink simplyupdates all the sensor nodes with the ID informationof the revoked users. And each node directly stores therevoked IDs as described earlier. Now a message sent bya user UID is of form

< M2, C, D, Wpub, AAIUID >. (IV)

Each node verifies the authenticity of a user public key intwo steps. First, it calculates the corresponding root nodevalue h' using AAIUID attached in the message. Second,it checks whether or not the calculated h' is a member ofV stored by itself. By checking Message (IV), we caneasily find that HAS doubles the maximum supportednumber of users as compared to BAS at the cost of 20more bytes per message overhead, assuming SHA-1 isused [25]. And the number can be further doubled with40 more bytes per message overhead.

VI. PERFORMANCE ANALYSIS

A. Communication OverheadWe study how the message size affects the energy

consumption in communication in a WSN. We inves-tigate the energy consumption as the function of thesize of the WSN (denoted as W). We denote by Etrthe hop-wise energy consumption for transmitting andreceiving one byte. As reported in [31], a ChipconCC1000 radio used in Crossbow MICA2DOT motesconsumes 28.6 and 59.2 p,J to receive and transmit onebyte, respectively, at an effective data rate of 12.4 Kb/s.Furthermore, we assume a packet size of 41 bytes, 32bytes for the payload and 9 bytes for the header [31] . Theheader, ensuing an 8-byte preamble, consists of source,destination, length, packet ID, CRC, and a control byte[31]. We also assume that IMI = 20 bytes.

Then, for BAS, the signature size is still the sameas that of ECDSA, but only part of the message nowhas to be transmitted, with the saving of up to 10 bytes.Therefore, the per message overhead of BAS is 54 bytes,which is 10 bytes less than that of DAS. As Message (III)is 74 bytes, there should be 3 packets in total, amongwhich two of them are 41 bytes, and one is 19 bytes.Therefore, there should be 41 * 2 + 19 * 1 + 8 * 3 =

125 bytes for transmission (including 8-byte preambleper packet). Hence, the hop-wise energy consumptionof message transmission is 125 * 59.2 ,uJ = 7.40 mJ;and the energy consumption of message reception is125 * 28.6 p,J = 3.58 mJ. For each message broadcast,every sensor node should retransmit the message onceand receive w' times of the same message assuming theblind flooding is used4. Here, w' denotes node densityin terms of the total number of sensor nodes within oneunit disc, where a unit disc is a circle area with radiusequal to the transmission range of sensor nodes5. Hence,the total energy consumption in communication will beW * (7.4 + 3.58 * w') mJ.

Fig. 5 illustrates the energy consumption in commu-nication as a function of W with w' = 20. Clearly, BASconsumes a much lower energy as compared to others.For example, when W = 15, 000, CAS always costs 2.20KJ, while BAS costs only 1.18 KJ. The energy savingfor a single broadcast can be more than 1,000 J betweenBAS and CAS. Note that although DAS also consumesmuch less energy than CAS, DAS only supports up to10000/22 454 users. At the same time, BAS canhandle 869 users even when freq = 6.36 * 10-20. CAShandles more users than BAS and DAS, however, atthe cost of much higher energy consumption. Moreover,HAS can handle a large number of users but with a muchlower energy consumption when compared to CAS. Insummary, BAS demonstrates the highest communicationefficiency, as well as a desirable storage efficiency. FromFig. 5, we also find that the energy consumption incommunication is the critical cost for WSNs, as a singlebroadcast of a message of only 20 bytes in length couldcost energy on the order of KJ. This also exposes thesevere vulnerability of the ,uTESLA-like schemes, asthey allow the adversary to flood the WSN arbitrarily.

4In an idealized lossless network, blind flooding, i.e., every nodealways retransmits exactly once every unique message it receives, iswasteful, as individual nodes are likely to receive the same broadcastmultiple times. In practice, however, blind flooding is a commonlyused technique, as its inherent redundancy provides some protectionfrom unreliable (lossy) wireless networks [21].5We assume an uniform transmission range for all sensor nodes.

230

B. Computational OverheadIt was previously widely held that PKC is not suitable

in WSNs, as sensor nodes are extremely computationconstrained. However, recent studies [8], [31] showedthat PKC with only software implementations, is veryviable on sensor nodes. For example in [31], an ECCsignature verification takes 1.61s with 160-bit keyson ATmega128 8MHz processor used in a Crossbowmote. We analyze the computation cost of the proposedschemes to further justify the suitability of PKC-basedschemes in WSNs. In all our proposed schemes, themajor computational cost is due to the signature ver-ification operation. In the following analysis we omitthe cost of other operations such as hash operations andtable lookup, as they are negligible as compared to thesignature verification operation [31].

In CAS, two ECDSA signature verifications areneeded for each broadcast message. In BAS, to ver-ify a message takes k In 2 hash operations andone ECDSA signature verification. It was reported in[31] that an ECDSA- 160 signature verification opera-tion costs 45.09 mJ on a 8-bit ATmega128L processorrunning at 4 MHz. If we assume that the sensor CPUis a low-power high-performance 32-bit Intel PXA255processor, the energy cost can be further minimized.Note that the PXA255 has been widely used in manysensor products such as Sensoria WINS 3.0 and Cross-bow Stargate running at 400 MHz. According to [13],the typical power consumption of PXA255 in active andidle modes are 411 and 121 mW, respectively. It wasreported in [4] that it takes 92.4 ms to verify an ECDSA-160 signature with the similar parameters on a 32-bitARM microprocessor at 80 MHz. Therefore, the samecomputation on PXA255 roughly needs 80/400 x 92.418.48 ms, and the energy cost is hence around 7.6 mJ.Therefore, we can obtain the computational costs of theproposed CAS and BAS schemes on different sensorplatforms6. The results are summarized below.

Scheme ATmega128L PXA255CAS 90.18 mJ 15.4 mJBAS 45.09 mJ 7.6 mJ

BAS is obviously also more computationally efficientthan CAS. Furthermore, when we compare the compu-tational cost with the communication cost on hop-wisemessage transmission, we can find that both are on the

6DAS and HAS consume similar amount of energy as BAS does,as they both require one signature verification.

same order, which justifies the suitability of PKC-basedschemes in WSNs.C. Security StrengthThe Bloom filter based public key verification ensures

the security strength of the proposed scheme by en-abling immediate message authentication. That is, thereis no authentication delay on messages being broadcast.Therefore, it is very hard for the adversary to performnetwork wide flooding in the WSN. As we analyzedabove, by appropriately choosing a suitable value offreq, such as 6.36 * 10-20 in military applications, itis infeasible to forge a valid public/private key pairduring the lifetime of the WSN. Furthermore, by em-bedding a time stamp into the message, the messagereplay attack is also effectively prevented, as WSN isassumed to be loosely synchronized [27]. Therefore, theimmediate message authentication capability providedby the proposed schemes can effectively protect theWSN from network wide flooding attacks. This is themost significant security strength over the ,uTESLA-likeschemes, in which network wide flooding attacks arealways possible.

Moreover, since the public key operation is expensive,it is also important that sensor nodes can be resistantto the local jamming attacks. Under such attacks, theadversary may simply broadcast random bit strings tothe sensor nodes within his transmission range. If theseneighbor sensors have to perform the expensive signatureverification operation for all received messages, it will bea heavy burden on them. CAS obviously suffers from thistype of attacks, as the signature verification operation hasto be performed for every received message. However,in both BAS and HAS, such an attack can be effectivelymitigated. This is because in both schemes, a sensor nodefirst verifies the authenticity of the attached user publickey through hash operations, so it performs signatureverification operation for a bogus public key only witha negligible probability (e.g., 6.36 * 10-20). As reportedin [31], the energy cost of SHA-1 is only 5.9 ,uJ/byteon a 8-bit ATmegal28L processor, while ECDSA-160could consume 45.09 mJ on signature verification. Anadversary may also flood the sensor nodes with forgedmessages but containing valid user public keys, whichcan be obtained by eavesdropping the network traffic. Inthis case, the forged messages can only be discardedafter signature verification, and sensor nodes that arephysically close to the adversary can thus be abused.We note that this type of attacks is always possible forPKC-based security mechanisms. However, this attackcan still be mitigated in BAS by implementing an alert

231

report mechanism. If a sensor node fails to authenticatethe received messages multiple times in a row, it willderive that an attack is going on and alert the sink aboutthe attack. The sink further carries out field investiga-tions or other means to detect the adversary and takecorresponding remedy actions that are outside the scopeof this paper.

VII. CONCLUDING REMARKS

In this paper, we studied the problem of multiuserbroadcast authentication in WSNs. We pointed out thatsymmetric-key-based solutions such as ,uTESLA areinsufficient for this problem by identifying a serioussecurity vulnerability inherent to these schemes: thedelayed authentication of the messages can easily lead tosevere energy-depletion DoS attacks. We then came upwith several effective PKC-based schemes to address theproblem. Both computational and communication costsof the schemes are minimized through a novel integra-tion of several cryptographic techniques. A quantitativeenergy consumption analysis, as well security strengthanalysis were further given in detail, demonstrating theeffectiveness and efficiency of the proposed schemes.

ACKNOWLEDGEMENT

This work was supported in part by the US NationalScience Foundation under grant CNS-0626601.

REFERENCES

[1] I. Akyildiz, W. Su, Y Sankarasubramaniam, and E. Cayirci, "ASurvey on Sensor Networks, IEEE Communications Magazine,"Vol. 40, No. 8, pp. 102-116, August 2002.

[2] I. Akyildiz and I. Kasimoglu, "Wireless sensor and actornetworks: research challenges," Ad Hoc Networks 2(4): 351-367, 2004

[3] R. Amirtharajah, A. Chandrakasan, "Self-powered signal pro-cessing using vibration-based power generation," IEEE Journalof Solid-State Circuits, Vol. 33, pp. 687-695, 1998

[4] M. Aydos, T. Yanik, and C. Koc. "An high-speed ECC-basedwireless authentication protocol on an ARM microprocessor," InProc. of ACSAC, pp. 401-409, New Orleans, Louisiana, 2000.

[5] J. Baek, J. Newmarch, R. Naini and W. Susilo, "A Survey ofIdentity-Based Cryptography," AUUG 2004, pp. 95-102, 2004.

[6] D. Boneh, H. Shacham, and B. Lynn, "Short signatures from theWeil pairing," J. of Cryptology, Vol. 17-4, pp. 297-319, 2004.

[7] Crossbow Technology Inc, Wireless sensor networks,http://www.xbow.com/. 2004.

[8] W. Du, R. Wang, and P. Ning "An Efficient Scheme forAuthenticating Public Keys in Sensor Networks," In Proc.MobiHoc'05, pp.58-67, May 25-28, 2005.

[9] L. Fan, P. Cao, J. Almeida, and A. Z. Broder, "SummaryCache: A Scalable Wide-Area Web Cache Sharing Protocol,"IEEE/ACM Transactions on Networking 8:3, 281-293, 2000

[10] D. Hankerson, A. Menezes, S. Vanstone, "Guide to EllipticCurve Cryptography," ISBN 0-387-95273-X, 2004.

[11] Y Hu, A. Perrig, and D. Johnson, "Packet Leashes: A Defenseagainst Wormhole Attacks in Wireless Ad Hoc Networks," Inproceedings of INFOCOM, 2003.

[12] IEEE P1363a Standard, "Standard spec-ifications for public key cryptography,"(http://grouper.ieee.org/groups/1363/index.html), 2000.

[13] "Intel PXA255 Processor Electrical, Mechanical, and ThermalSpecification," http://www.intel.com/design/pca/applicationsprocessors/manuals/278780.htm

[14] T. Itoh and S. Tsujii, " A fast algorithm for computing multi-plicative inverse in GF(2') using normal bases," Informationand Communication, 78:171-177, 1988.

[15] A. Kansal, D. Potter and M. Srivastava, "Performance AwareTasking for Environmentally Powered Sensor Networks," InProc. of ACM SIGMETRICS'04, 2004

[16] A. Kansal and M. Srivastava, "An Environmental Energy Har-vesting Framework for Sensor Networks," ACM/IEEE ISLPED,2003.

[17] D. Liu and P. Ning, "Multi-level mTESLA: Broadcast authen-tication for distributed sensor networks," ACMTransactions inEmbedded Computing Systems (TECS), vol. 3, no. 4, 2004.

[18] D. Liu, P. Ning, S. Zhu, and S. Jajodia, "Practical BroadcastAuthentication in Sensor Networks," In Proc. of MobiQuitous2005, July 2005.

[19] K. Lorincz, D. Malan, T. Fulford-Jones, A. Nawoj, A. Clavel,V. Shnayder, G. Mainland, S. Moulton, and M. Welsh, "SensorNetworks for Emergency Response: Challenges and Opportu-nities," In IEEE Pervasive Computing, 2004.

[20] C. Lu, G. Xing, 0. Chipara, C. Fok, and S. Bhattacharya,"A Spatiotemporal Query Service for Mobile Users in SensorNetworks, In Proc. of ICDCS, Columbus, 2005

[21] J. McCune, E. Shi, A. Perrig, and M. Reiter, "Detection ofdenial-of-message attacks on sensor network broadcasts," IEEESymposium on Security and Privacy, pp.64-78, 2005.

[22] R. Merkle, "Protocols for public key cryptosystems," in Pro-ceedings of the IEEE Symposium on Research in Security andPrivacy, Apr 1980.

[23] M. Mitzenmacher, "Compressed Bloom Filters," IEEE/ACMTransactions on Networks, 10:5, pp. 613-620, October 2002.

[24] D. Naccache and J. Stern, "Signing on a Postcard," In Proc. ofFinancial Cryptography'00, LNCS vol. 1962, pp.121-135, 2000.

[25] NIST, "Digital hash standard," Federal Information ProcessingStandards PUBlication 180-1, April 1995.

[26] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and D. Tygar,"SPINS: Security protocols for sensor networks," in Proc. ofMobiCom'01, 2001.

[27] A. Perrig, R. Canetti, J. Tygar, and D. Song, "The TESLABroadcast Authentication Protocol," RSA CryptoBytes, 5, 2002.

[28] K. Ren, K. Zeng, W. Lou, and P. Moran, "On BroadcastAuthentication in Wireless Sensor Networks," Accepted, IEEETransactions on Wireless Communications

[29] A. Shamir, "Identity based cryptosystems and signatureschemes," CRYPTO'84, LNCS vol. 196, pp. 47-53, 1984.

[30] Texas Instruments Inc., "MSP430 Family of Ultra-lowpower16-bit RISC Processors," http://www.ti.com

[31] A. Wander, N. Gura, H. Eberle, V. Gupta, and S. Shantz. "En-ergy Analysis of Public-Key Cryptography on Small WirelessDevices," IEEE PerCom, March 2005.

[32] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "Location basedsecurity mechanisms in wireless sensor networks," IEEE JSAC,Special Issue on Security in Wireless Ad Hoc Networks, vol.24, no. 2, pp. 247-260, Feb. 2006

232