
Hindawi Publishing Corporation, International Journal of Distributed Sensor Networks, Volume 2015, Article ID 743623, 11 pages, http://dx.doi.org/10.1155/2015/743623

Research Article

An RSA-Like Scheme for Multiuser Broadcast Authentication in Wireless Sensor Networks

Chen-Yang Cheng,¹ Iuon-Chang Lin,²,³ and Shu-Yan Huang²

¹ Department of Industrial Engineering and Management, National Taipei University of Technology, Taipei 106, Taiwan
² Department of Management Information Systems, National Chung Hsing University, Taichung 402, Taiwan
³ Department of Photonics and Communication Engineering, Asia University, Taichung 413, Taiwan

Correspondence should be addressed to Iuon-Chang Lin; iclin@nchu.edu.tw

Received 13 March 2015; Revised 3 August 2015; Accepted 24 August 2015

Academic Editor: Alessandro Nordio

Copyright © 2015 Chen-Yang Cheng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

For network users roaming in a wireless sensor network (WSN), they can broadcast queries to WSNs to obtain the latest sensed data from sensor nodes using their mobile devices. In such a scenario, each sensor node has to verify the validity of every query sent from users. In this paper, RSA-like public key cryptography is employed to design a mechanism for multiuser broadcast authentication in WSNs. Within the proposed scheme, the use of certificates becomes optional. When users broadcast queries to WSNs, each sensor node can verify every query immediately without buffering any one. As a result, the energy cost for verifying a query by a sensor node is very small. Furthermore, our scheme provides enough scalability and security. The quantitative analyses show that our scheme is efficient in terms of storage and computational overheads.

1. Introduction

Wireless sensor networks (WSNs) are widely used in various applications, such as building automation, mobile object tracking, and habitat monitoring [1, 2]. A WSN usually consists of one or more base stations and a large number of sensor nodes. Because the sensor nodes are resource-constrained and usually deployed in hostile environments, they are vulnerable to malicious attacks. Thus, broadcast authentication, which can prevent adversaries from injecting bogus queries, becomes a critical issue in WSNs. Traditional schemes [3–8] applied the key pools, space pools of matrix, or polynomials to establish the pairwise key between any two neighboring sensor nodes. Although these schemes can establish a secure communication channel, they cannot withstand injecting bogus queries.

Thus, three scenarios are considered in this paper. The first scenario is that users broadcast messages to WSNs using their own mobile device dynamically, and then each sensor node will verify these messages. The second scenario is that once malicious users are revoked by the base station, the action of rekeying will be triggered by the base station. The third scenario is that when new users join WSNs, the base station will take some appropriate actions for these users.

In this paper, an RSA-like scheme is employed to construct a multiuser broadcast authentication mechanism. Although it is usually thought that RSA is expensive for sensor nodes in terms of computational overhead, the authors of [9] showed that the cost of RSA signature verification is not really expensive. Because each sensor node only needs to verify the RSA signature, the computational cost for a sensor node to verify a message is acceptable. As reported in [10], public key cryptography is viable on an Atmel ATmega128 at 8 MHz for resource-constrained sensor nodes. The authors tested and implemented elliptic curve point multiplication and RSA operations on two 8-bit microcontrollers with assembly languages. Elliptic Curve Cryptography (ECC) is more computationally efficient than RSA, but RSA can still be implemented for sensor nodes, such as Crossbow MICA Motes. For example, in the implementation of [10], it requires 0.81 s for 160-bit ECC point multiplication and 0.43 s and 10.99 s for RSA-1024 public key operation and private key operation, respectively. Furthermore, the Chinese Remainder Theorem (CRT) can accelerate RSA private key operations, namely, decryption and signature generation.

Broadcast authentication enables each sensor node to verify that the received messages originated from the authorized source and were not modified. In our scheme, when a user broadcasts a query message to WSNs, each sensor node only has to verify the signature attached to the message using the public key computed by the base station. At the beginning of network initialization, the base station generates an RSA public key and private key for each sensor node and each user, respectively. Once a user is revoked, the base station has to regenerate a new RSA public key for each sensor node. At the same time, other users do not have to change their own private key. So sensor nodes do not have to store a revocation list in their own memory. The main contributions of this paper are described as follows.

(1) We propose an RSA-like scheme to secure the multiuser broadcast. Our scheme provides enough security with 1024-bit RSA and great scalability.

(2) In our scheme, each sensor node does not buffer any message and it can verify every message immediately. Thus, the impact of DoS attacks can be mitigated.

(3) Once illegal network users are revoked by the base station, all the current users do not have to obtain new authentication information from the base station. On the other hand, there is no need for each current user to reobtain his/her private key from the base station after he/she has participated in the WSN.

(4) Each sensor node only has to store one network public key, which is 1024 bits. No matter how many network users there are in WSNs, each sensor node can verify these messages. Therefore, our scheme is more efficient in terms of storage overhead as compared with the previous schemes.

(5) A quantitative energy consumption analysis on computational cost for verifying a message shows that our scheme indeed outperforms the previous schemes.

The rest of this paper is organized as follows. In Section 2, the related work will be introduced. In Section 3, the network and adversary models used in this paper are presented. Subsequently, RSA cryptosystem and the concept of RSA master-key will be described in Section 3. In Section 4, the proposed multiuser broadcast authentication scheme is presented. Section 5 is the discussions of our proposed scheme. Section 6 is the performance evaluation in terms of communication, storage, and computational overheads. The conclusion is made in Section 6.

2. Related Work

In order to prevent adversaries from injecting bogus queries, the authors in the work in [11] first proposed a scheme called μTESLA to overcome this problem. They employed a one-way hash function to generate a key chain for the authentication of broadcast messages. However, a source requires maintaining a long chain of keys for the long-term uses. In addition, μTESLA suffers from serious DoS attacks. Each sensor node has to buffer all received messages within a time interval, and then it can verify these messages by using the delayed disclosure key broadcasted by the base station at the next time interval. The base station and sensor nodes are assumed to be loosely time synchronized.

Furthermore, the authors in the work in [12] proposed a novel protocol called BABRA to address the problem of broadcast authentication in WSNs. Unlike μTESLA, BABRA can support broadcast for infinite rounds. At the same time, it eliminates the requirement of key chain. Nevertheless, BABRA also suffers from serious DoS attacks, since each sensor node has to buffer all messages before the corresponding key is disclosed.

In [13], the authors proposed a broadcast source authentication mechanism based on multiple MACs (Message Authentication Codes). The scheme requires sensor nodes to have different overlapping sets of keys. When the source wants to broadcast a query, it uses its keys to compute multiple MACs and appends them to the message. Then the recipient can verify the message based on the MACs by using the common keys shared with the source. In comparison with the above schemes, each recipient could verify a message immediately. Therefore, the impact of DoS attacks can be mitigated. However, the key predistribution under a hierarchical structure results in scalability issues. The authors in the work in [14, 15] proposed broadcast authentication schemes using one-time signature. As compared with the above schemes, each sensor node can verify a query immediately without buffering others. However, the number of signatures is limited when a lot of queries are signed by the source.

The authors in the work in [16] first proposed a protocol for multiuser broadcast authentication in which any unauthorized user cannot broadcast queries to a WSN arbitrarily. Each authorized user may be equipped with a powerful mobile device, and then he/she can broadcast queries to WSNs for the purpose of obtaining the latest sensed data from sensor nodes in WSNs. Whenever a WSN processes a query, sensor nodes are able to verify the query. However, the user's public key certificate incurs additional communication and computational overheads.

In [17–19], the main idea of these schemes is to preload each sensor node/network user with some secret information. After that, sensor nodes can compute session keys shared between them and users. Hence, the authenticity of users can be verified through these session keys. All the above schemes are based on challenge-response protocols. Although the above schemes have been proposed for user authentication, most of them do not provide adequate efficiency. By contrast, some schemes in [20–22] focus on the mechanism in which each sensor node can verify every query directly without challenging any nonce. These schemes provide adequate efficiency for multiuser broadcast authentication. However, it is still difficult to deal with the resource-constrained problem and sensor nodes compromise attack. An efficient scheme is proposed to address the problems without incurring much overhead.

The authors in the work in [16] proposed the first solution to the problem called authenticated querying. They utilized Elliptic Curve Cryptography (ECC) to construct the user authentication scheme, which only considered the situation that a user's query involves a single sensor node. Besides, this scheme incurs additional communication overhead because the user's certificate needs to be transmitted. Furthermore, each sensor node has to verify the user's certificate and signature. Obviously, it also incurs additional computational overhead. A fully symmetric key based solution was proposed for authenticated querying [17]. The authors used a bivariate polynomial to establish shared keys between the user and the sensor nodes that should process the user's query. Then these sensor nodes can verify the authenticity of the user by using the shared keys between them and the user. The scheme is effectively tolerant of the sensor node compromise attack, but it still incurs additional communication overhead because the collection of MACs needs to be transmitted. In particular, when there are a large number of sensor nodes that should process the user's query, the collection of MACs will be big.

The authors in the work in [19] proposed a distributed user access control scheme which includes local authentication and remote authentication. Unfortunately, this scheme incurs significant communication overhead, especially when the user's access control list is heavy. The reason is that the access control list needs to be transmitted. In [18], the authors proposed a user authentication scheme with the self-certified key (SCK) cryptosystem. The main idea is to establish pairwise keys between the user and his/her local sensor nodes. Then these sensor nodes can verify the authenticity of the user. Because each sensor node is preloaded with a public/private key pair, the scheme suffers from serious sensor node compromise attack. An adversary may utilize the keying material of a compromised sensor node to impersonate a legal user to destroy the WSNs.

In [22], the authors initially proposed two basic schemes called CAS and DAS. In CAS, each user is equipped with a public/private key pair and his/her public key certificate signed by the base station, and then he/she signs every broadcast message with his/her private key. Upon receiving the message, each sensor node can verify the public key certificate of the user by using the public key of the base station. Finally, each sensor node can verify the message the user broadcasts in the WSNs. However, the certificate has to be transmitted and verified by each sensor node. CAS introduces additional communication and computational overheads. In DAS, each sensor node has to store all the users' ID information and their corresponding public keys. However, the storage of DAS is neither efficient nor scalable. This scheme is not suitable for storage-constrained sensor nodes when there are a large number of users.

Subsequently, the authors proposed two advanced schemes called BAS and HAS. In BAS, each sensor node is required to store a Bloom filter and $k$ hash functions. Upon receiving a message, each sensor node can check whether the user's ID and his/her corresponding public key are authentic by using the Bloom filter and $k$ hash functions. However, the probability of a false positive ($f_{\mathrm{req}}$) may happen even though it is very small. It may suggest that an illegal user is authentic. Besides, BAS supports up to 1000 users when $f_{\mathrm{req}} = 203 \times 10^{-17}$ for a Bloom filter of 98 KB. It incurs a large amount of storage overhead, and the maximum supported number of users is limited by the storage limit and $f_{\mathrm{req}}$. Therefore, an improved scheme called HAS was proposed to support more users. To achieve this goal, HAS utilizes the Bloom filter and Merkle hash tree. Nevertheless, it still incurs a large amount of storage overhead and lacks scalability.

The authors in the work in [21] proposed three broadcast authentication schemes. The first scheme is CAS as mentioned before, and the second scheme is based on Merkle hash tree. The base station first constructs a Merkle hash tree in which each leaf node contains the hash value of a user's ID and his/her corresponding public key. Then each sensor node has to store the value of the final root node of the hash tree. At the same time, each user has to obtain his/her auxiliary authentication information (AAI). When a user broadcasts a message to the WSNs, he/she signs the message and appends his/her AAI to the message. Upon receiving this message, each sensor node can verify the user's public key by using AAI. If the final hash value is equal to the value of the final root node, each sensor node can verify the user's public key. The Merkle hash tree based scheme does not require the users' public key certificate to be transmitted. In addition, this scheme can be improved by increasing the number of stored hash values in each sensor node. Thus, the size of AAI can be reduced. However, once a user is revoked by the base station, each current user has to obtain his/her updated AAI from the base station. It is impractical for the current users. The third scheme is an ID-based authentication scheme. The concept of ID-based cryptography originated from [23]. A user's ID is just like the user's public key. In this scheme, the user's public key is $U_{\mathrm{ID}}\,V_i$, where $U_{\mathrm{ID}}$ is the user's ID and $V_i$ is the current time interval. Each sensor node can verify the message broadcasted by the user using $U_{\mathrm{ID}}\,V_i$ and the network public key. However, this scheme requires each sensor node to perform two expensive pairing operations. In addition, each user has to obtain a new private key from the base station at the beginning of each time interval. Once some users are revoked, each sensor node needs to store a revocation list only within the current time interval.

An ID-based signature scheme called BNN-IBS [24] is based on Schnorr signature [25], and the authors in the work in [20] proposed a variant of BNN-IBS called vBNN-IBS with a smaller signature size. The proposed scheme called IMBAS [20] is also used to secure the multiuser broadcast. When a user wants to broadcast a message to WSNs, he/she signs the message using vBNN-IBS signature. The base station can also broadcast a message to WSNs with a smaller message size. Upon receiving a message broadcasted by the user (or the base station), each sensor node can verify it immediately. Furthermore, each sensor node also has to store the IDs of the revoked users as a revocation list infinitely when the number of revoked users increases unceasingly. As a result, it can be found that the public key cryptography is easier to be used for multiuser broadcast authentication than the symmetric key cryptography.

In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. $E/F_p$ used in [20–22] denotes the elliptic curve over the finite field $F_p$, where $p$ is a large odd prime. The elliptic curve $E/F_p$ is defined by the equation $y^2 = x^3 + ax + b$, where $a, b \in F_q$. $G_1$ is a $q$-order subgroup of the additive group of points of $E/F_p$ [21].

3. Preliminaries

First, the concepts of the proposed network model and adversary model are introduced. Then the review of RSA public key cryptosystem and the concept of RSA master-key are presented in the section.

3.1. The Network Model. In this model, the sensor network consists of a base station and a large number of sensor nodes. The base station is assumed to be powerful, while sensor nodes are resource-constrained. Furthermore, there are a large number of network users. These users, who roam in WSNs, can use their mobile devices to broadcast queries to WSNs for the purpose of obtaining the latest sensed data. The mobile devices of the users are more powerful than resource-constrained sensor nodes in terms of computation, communication, storage, and energy abilities. The number of network users may be dynamic. In this paper, the WSNs time is assumed to be loosely synchronized.

3.2. The Adversary Model. We assume that the base station is always trustworthy, but sensor nodes may be compromised by an adversary. Therefore, there may be some malicious sensor nodes in the WSNs. The adversary is able to compromise or capture not only sensor nodes but also users' mobile devices, and then all the secret information (e.g., keying material or secret data) held by them is known by the adversary. In addition, the adversary may impersonate these captured users to broadcast bogus messages to WSNs. So these users of WSNs have to be revoked by the base station to prevent them from destroying WSNs. Furthermore, the adversary can flood bogus messages into WSNs to exhaust the precious energy of sensor nodes. Note that the adversary can also eavesdrop and resend the messages.

3.3. RSA Public Key Cryptosystem. We give an introduction to RSA public key cryptosystem. In RSA cryptosystem, each participant holds a public/private key pair which is generated by a certificate authority (CA). The steps of generating the public/private key pair are described as follows.

(1) Two large primes $p$ and $q$ are randomly chosen, and then $N = p \times q$ can be computed.

(2) To choose a parameter $e$, (1) has to be satisfied:

$$\mathrm{GCD}(\phi(N), e) = 1, \qquad 1 < e < \phi(N), \tag{1}$$

where $\phi(N) = (p - 1)(q - 1)$ is Euler's totient function of $N$. Consequently, a parameter $d$ can be computed through Extended Euclidean algorithm such that

$$e \times d \equiv 1 \bmod \phi(N). \tag{2}$$

(3) Finally, $(N, e)$ is the public key and $d$ is the private key.

Now assume that $A$ wants to send a message $M$ to $B$. If $A$ wants to prove the confidentiality of $M$, he/she can use $B$'s public key $(e_B, N_B)$ to encrypt the message $M$. Then $A$ sends the encrypted message $C$ to $B$, where $C = M^{e_B} \bmod N_B$. Upon receiving the encrypted message $C$, $B$ can use his/her private key $d_B$ to recover the message $M$ by computing

$$M = C^{d_B} \bmod N_B. \tag{3}$$

On the other hand, if $A$ wants to prove the origin and integrity of $M$, he/she can use his/her private key $d_A$ to sign the message $M$. Then $A$ sends the message $M$ with the signature $S$ to $B$, where $S = M^{d_A} \bmod N_A$. Upon receiving the message $M$ and the signature $S$, $B$ can use $A$'s public key $(e_A, N_A)$ to verify the signature by computing

$$M' = S^{e_A} \bmod N_A. \tag{4}$$

And then $B$ checks whether $M = M'$ or not. The signature is accepted if so and rejected otherwise.

3.4. RSA Master-Key. The authors in the work in [26] proposed an RSA master-key scheme which is built on RSA cryptosystem. Suppose that there are $n$ entities $f_1, f_2, \ldots, f_n$.

(1) CA randomly chooses large primes $p_1, q_1, p_2, q_2, \ldots, p_n, q_n$ and a positive integer $e_H$ which is relatively prime to $L$, where $L = \mathrm{LCM}(L_1, L_2, \ldots, L_n)$ and $L_i = \phi(p_i \times q_i)$ for $i = 1, 2, \ldots, n$.

(2) Let $m_i = p_i \times q_i$ for $i = 1, 2, \ldots, n$. CA computes the corresponding $d_H$ such that $e_H \times d_H \equiv 1 \pmod{L}$. Then let $e_i \equiv e_H \pmod{L_i}$ and $d_i \equiv d_H \pmod{L_i}$ for each $i$.

(3) For $i = 1, 2, \ldots, n$, let $(m_i, e_i, d_i)$ be defined as the $i$th entity's RSA system with elementary encryption key $e_i$ and decryption key $d_i$. The sequence $(e_H, d_H, p_1, q_1, p_2, q_2, \ldots, p_n, q_n)$ is called the master-key of the system. This master-key is only known by CA.

(4) Therefore, each $f_i$ can be encrypted into $f_i$, where $f_i \equiv f_i^{e_i} \pmod{m_i}$. It can also be $f_i \equiv f_i^{d_i} \pmod{m_i}$. In fact, we have $f_i \equiv f_i^{d_H} \pmod{m_i}$ for all $i$ due to the equation $e_H \times d_H \equiv 1 \pmod{L}$.

4. The Proposed Multiuser Broadcast Authentication Scheme

In this section, a scheme for multiuser broadcast authentication, which is based on RSA cryptosystem and the master-key scheme [26], is presented. The detailed steps of our scheme are described in the following sections.

4.1. Our Scheme. We assume that there are $m$ network users in WSNs and the base station is the highest authority. The task of the base station is to generate a private key for each user and assign a public key for each sensor node. We use the RSA-like scheme to secure the multiuser broadcast. When a user joins or leaves, our scheme can cope with the situation. Furthermore, once a user is compromised, the base station will take an appropriate action to cope with such a situation. The steps of our scheme are described as follows.

4.1.1. The Setup Phase. First, the base station randomly chooses $2m + 2$ distinct large primes $p_i, q_i$ ($0 \le i \le m$), and it also chooses two distinct large primes $p_{\mathrm{bs}}, q_{\mathrm{bs}}$ for itself. Second, the base station computes $N_0 = p_0 \times q_0$ for each sensor node, $N_{\mathrm{bs}} = p_{\mathrm{bs}} \times q_{\mathrm{bs}}$ for itself, and $N_1 = p_1 \times q_1, N_2 = p_2 \times q_2, \ldots, N_m = p_m \times q_m$ for users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$. Note that $2m + 4$ distinct large primes are only known by the base station, but $N_1, N_2, \ldots, N_m$ and $N_{\mathrm{bs}}$ are public.

4.1.2. The Key Generation Phase. The base station computes the least common multiple $L_0$ of $m + 2$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\mathrm{bs}})$ such that

$$L_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\mathrm{bs}})), \tag{5}$$

where $\phi(N_i)$ is Euler's totient function of $N_i$ and $\phi(N_i) = (p_i - 1) \times (q_i - 1)$. The base station chooses a parameter $d_0$ which is relatively prime to $L_0$ ($1 < d_0 < L_0$). Then it can compute $e_0$ through Extended Euclidean algorithm such that

$$d_0 \times e_0 \equiv 1 \bmod L_0. \tag{6}$$

Note that the bit-length of $e_0$ can be first chosen as short as possible because each sensor node uses $e_0$ to verify signatures. The notations $d_0$ and $e_0$ used here are opposite to the common notations of RSA. The reason is that we use $d_i$ to sign messages and $e_0$ to verify signatures. After generating $d_0$, the base station uses it to generate the private keys $d_1, d_2, \ldots, d_m$ for users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$ and $d_{\mathrm{bs}}$ for itself by computing

$$d_i = d_0 \bmod \phi(N_i), \qquad d_{\mathrm{bs}} = d_0 \bmod \phi(N_{\mathrm{bs}}), \tag{7}$$

where $i = 1, 2, \ldots, m$.

4.1.3. The Key Assignment Phase. After finishing the above key generation, the base station can preload/broadcast each sensor node with $e_0$ prior to the WSNs deployment or during WSNs operation time. This method is similar to the method used in [21]. For users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$, the base station delivers $(d_1, N_1), (d_2, N_2), \ldots, (d_m, N_m)$ to them through a secure channel. The base station keeps its private key $d_{\mathrm{bs}}$. Hence, each user has two parameters $(d_i, N_i)$, where $d_i$ must be kept secret and public $N_i$ can be used to represent his/her ID. The two parameters $(d_{\mathrm{bs}}, N_{\mathrm{bs}})$ have the same meaning as above for the base station.

414Multiuser Broadcast Authentication Assume that a user119873119894

wants to broadcast a message119872 to theWSNs heshe uses

hisher private key 119889119894

to sign119872 and broadcasts the followingmessage

119872TS 119873119894

Sign (8)

where TS is the timestamp and Sign = ℎ(119872TS 119873119894

)119889119894 mod

119873119894

ℎ(lowast) is a one-way hash function which maps arbitraryinputs to fixed length outputs After receiving the message asensor node first checks whether TS is fresh If so the sensornode will verify the signature Sign by computing

ℎ (119872TS 119873119894

) = Sign1198900 mod 119873119894

(9)

where $e_0$ is the public key generated by the base station. If the above equation holds, the signature will be accepted. Otherwise, it will be rejected. For the sake of simplicity, we refer to $h(M, \text{TS}, N_i)$ as $P$. Because $L_0$ is a multiple of $\phi(N_i)$, we can show that

$$e_0 \times d_i \bmod L_0 = e_0 \times (d_0 \bmod \phi(N_i)) \bmod L_0 = e_0 \times d_0 \bmod \phi(N_i) = 1. \tag{10}$$

Therefore, $e_0 \times d_i = 1 + t \times \phi(N_i)$, where $t \in N$. According to Euler's Theorem, $P^{\phi(N_i)} \bmod N_i = 1$, so we can show that (9) holds as follows:

$$\begin{aligned}
\text{Sign}^{e_0} \bmod N_i &= (P^{d_i} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_i \times e_0} \bmod N_i \\
&= P^{1 + t \times \phi(N_i)} \bmod N_i, \quad t \in N \\
&= P \times P^{t \times \phi(N_i)} \bmod N_i \\
&= P.
\end{aligned} \tag{11}$$

The structure can be described according to Figure 1. The relation between users and sensor nodes belongs to a two-layer structure. Every sensor node can verify the signatures signed by users. Besides, the messages broadcasted by the base station can still be verified by every sensor node using the same manner, so we do not describe it again.

4.2. User Revocation. In our scheme, once a user is revoked, the base station has to regenerate a corresponding public key $e'_0$ for sensor nodes. Suppose that a user $\text{User}_c$ is compromised, and then the base station takes the steps as follows.

4.2.1. The LCM Regeneration. The base station computes the least common multiple $L'_0$ of $m + 1$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs})$, which do not include $\phi(N_c)$, such that $L'_0 = \text{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs}))$.

4.2.2. The Public Key Regeneration. To update $e_0$ with $e'_0$, the base station uses the equation $d_0 \times e'_0 \equiv 1 \bmod L'_0$ to regenerate $e'_0$. Note that $d_0$ is unchanging. The reason is that $d_0$ is relatively prime to $L_0$. Once $L_0$ is changed into $L'_0$, $d_0$ is still relatively prime to $L'_0$.


Figure 1: The two-layer structure. [Diagram: a sensor node above the users User1, User2, User3, ..., Userm.]

4.2.3. The Public Key Broadcast. After regenerating $e'_0$, the base station has to broadcast $e'_0$ to WSNs. First, $e'_0$ is signed by the base station with the base station's private key $d_{bs}$ for the purpose of proving its authenticity. Second, the base station broadcasts $e'_0$ with its signature, TS, and $N_{bs}$ to WSNs. Third, upon the receipt of this message, a sensor node can use the public key $e_0$ to verify the authenticity of $e'_0$. Finally, the sensor node updates $e_0$ with $e'_0$ if the signature verification succeeds. Note that $d_0$ is unchanging, so the values $d_1, d_2, \ldots, d_m$ of legal users are still unchanging too. Suppose that an adversary forges the message broadcasted by the base station; this attack will be detected by sensor nodes because the private key $d_{bs}$ is only known by the base station.

4.3. User Join. When a new user wants to join WSN, the steps are similar to the process of user revocation. Once a new user $\text{User}_{m+1}$ wants to join WSN, the base station chooses two distinct large primes $p_{m+1}$ and $q_{m+1}$ and computes $N_{m+1} = p_{m+1} \times q_{m+1}$. Then $L_0$ can be recomputed by (5) and $d_{m+1} = d_0 \bmod \phi(N_{m+1})$. Finally, the base station delivers $(d_{m+1}, N_{m+1})$ to $\text{User}_{m+1}$ through a secure channel.

5. Discussion

In this section, the scheme in terms of security, DoS attacks, and scalability is analyzed.

(1) The Problem of Factoring $N_i$. The security of our scheme is based on the difficulty of factoring $N_i$ into $p_i$ and $q_i$. Suppose an adversary knows $N_1, N_2, \ldots, N_m$, but he/she cannot compute $L_0$ such that $L_0 = \text{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m))$. The adversary cannot obtain $d_0$ from the equation $d_0 \times e_0 \equiv 1 \bmod L_0$ and use $d_0$ to compute $d_i$ from the equation $d_i = d_0 \bmod \phi(N_i)$. Hence, we believe that it is extremely difficult to obtain the private key $d_i$ of user $N_i$.

(2) The Problem of Preventing the Unauthorized User. When an adversary impersonates a legal user $N_i$ to sign a message $M$ with the key $d_c$, sensor nodes will fail to verify the signature attached in the message. We show the result as the following equation:

$$\begin{aligned}
\text{Sign}^{e_0} \bmod N_i &= (P^{d_c} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_c \times e_0} \bmod N_i \\
&= P^{d_c \times e_0 \bmod \phi(N_i)} \bmod N_i \\
&\neq P,
\end{aligned} \tag{12}$$

where $P = h(M, \text{TS}, N_i)$. Because $d_c \neq d_0 \bmod \phi(N_i)$, the signature verification fails. Therefore, the adversary cannot impersonate any legal user to inject bogus messages into WSNs successfully. Furthermore, the timestamp used in the message can also prevent the replay attack.

(3) Denial of Service (DoS) Attacks. According to [21, 27], μTESLA suffers from serious DoS attacks because each sensor node has to buffer all the messages received within one time interval. This problem can be mitigated by the immediate verification of messages. In our scheme, each sensor node can verify messages sent by legal or illegal users immediately, so our scheme can mitigate the impact of DoS attacks. If an adversary wants to broadcast forged messages to WSNs, this attack will be detected by the sensor nodes. And then they may notify the base station of such a situation.

(4) Scalability. When old sensor nodes exhaust their energy or the sensing region of a WSN has to be enlarged, new sensor nodes have to be deployed. Our scheme can deal with this problem by preloading these sensor nodes with the network public key $e_0$. If a new user wants to join WSNs, the base station will generate two distinct large primes $p_{new}$ and $q_{new}$ for him/her. Subsequently, the new user's ID $N_{new} = p_{new} \times q_{new}$ is computed by the base station. At the same time, the base station has to regenerate the new network public key $e'_0$. Then it broadcasts $e'_0$ and its signature to the WSNs. Users can join WSNs without much overhead.

6. Performance Evaluations

In this section, the performance of our scheme in terms of communication, storage, and computational overheads is evaluated. Moreover, the scheme is compared with the previous schemes that were proposed for multiuser broadcast authentication.

6.1. Communication Overhead. In this section, our scheme and the previous schemes in terms of the communication overhead are evaluated. In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. To provide the same level of security strength as 1024-bit RSA, ECC requires $p$ of 160 bits if $G_2$ is a $q$-order subgroup of the multiplicative group of the finite field $F^{*}_{p^2}$ [28]. Like the assumptions used in [21], $|p|$ and $|q|$ are assumed to be 512 bits and 160 bits, respectively. And the embedded degree of $E/F_p$ is equal to 2. According to [21], suppose that a point is over $E/F_p$ and only one of its $X$ and $Y$ coordinates needs to be transmitted, because the other can be easily derived using the curve equation. We do not take this computational cost into account.

Table 1: Comparisons of communication overhead for the related schemes.

| Schemes | Message size |
|---|---|
| CAS [21] | 148 bytes |
| MAS [21] | $84 + 20 \times \log_2 m$ bytes |
| IAS [21] | 108 bytes |
| HAS [22] | $(74 + 20 \times \log_2 m)/1000$ bytes |
| IMBAS [20] | 84 bytes (1); 54 bytes (2) |
| Our scheme | 278 bytes |

In this paper, 1024-bit RSA is applied to compare our scheme with the previous schemes. We recall that our broadcast message includes a user's ID $N_i$, a message $M$, a timestamp TS, and the signature attached in the message. We assume that the message $M$ is 20 bytes, the timestamp TS is 2 bytes, the user's ID is 2 bytes, and a one-way hash function with 20 bytes' outputs is used. In our scheme, both $N_i$ and the signature are 128 bytes with 1024-bit RSA.

In the remaining part of this paper, we refer to the certificate-based, Merkle hash tree based, and ID-based authentication schemes [21] as CAS, MAS, and IAS, respectively. The parameter $m$ denotes the total number of users.

In CAS, a broadcast message includes a message $M$, a timestamp TS, the signature (40 bytes) attached in the message, and the user's certificate (at least 86 bytes [9]) if Elliptic Curve Digital Signature Algorithm (ECDSA) is used. Hence, the total message size of CAS is 148 bytes. Similarly, the message sizes of MAS and IAS can also be evaluated by using the above parameters.

In HAS [22], the broadcast message includes a part message $M_2$ ($|M_2| \ge 14$ bytes), two values over the finite field $Z_q$, the public key of the user, and an AAI. We set $|M_1| = 10$ with the saving of up to 10 bytes. Then the resulting message size of HAS is $(74 + 20 \times \log_2 m)/1000$ bytes (supporting up to 1000 users and the probability of a false positive $f_{req} = 2.03 \times 10^{-17}$).

In IMBAS [20], the message broadcasted by a user (situation (1)) includes a message $M$, a timestamp TS, a user's ID, one point of $E/F_p$, and two values over the finite field $Z_q$. Hence, the resulting message size is 84 bytes. If the message is broadcasted by the base station (situation (2)), it will include a part message $M_2$ ($|M_2| \ge 14$ bytes) and two values over the finite field $Z_q$. Therefore, the message size is 54 bytes (assuming that $|M_1| = 10$ bytes).

Table 1 shows the comparisons of the different schemes in terms of message size. Furthermore, Figure 2 shows the evaluation results of the impact of the total number of network users on message size. When the number of network users varies from 0 to 10 000, the message sizes of MAS and HAS increase with the number of network users. Instead, the message sizes of the other schemes are still unchanging.

Figure 2: Message size versus the total number of network users. [Plot: message size (byte) against $m$ (total number of network users) for CAS, IAS, MAS, HAS, IMBAS ($p = 0.6$), IMBAS ($p = 0.8$), and our scheme.]

In addition, we quantify the performance on message broadcast for the six schemes. We use the MICA2DOT mote, which is a popular platform for WSNs. The MICA2DOT mote is equipped with the Atmel ATmega128L 8-bit microcontroller at 4 MHz and the Chipcon CC1000 low-power wireless transceiver [9]. As reported in [9], the energy consumption of MICA2DOT mote in active and power-down modes is 13.8 and 0.0075 mW, respectively. Furthermore, the MICA2DOT mote consumes 59.2 and 28.6 μJ to transmit and receive one byte, respectively.

In our scheme, the broadcasting message is $M, \text{TS}, N_i, \text{Sign}$ and the size is 20 bytes (message $M$) + 2 bytes (timestamp TS) + 128 bytes ($N_i$) + 128 bytes (Sign) = 278 bytes. The payload for each packet is 32 bytes, so we require 9 packets to transmit the broadcasting message. And each packet requires a 9 bytes' header ensuing 8 bytes' preamble, which consists of source, destination, length, packet ID, CRC, and control bytes [9]. Therefore, it requires transmitting 441 bytes ((32 + 9 + 8) bytes × 9 = 441 bytes). In addition, energy consumption on transmitting and receiving a broadcast message of our scheme is 441 × 59.2 μJ = 26.11 and 441 × 28.6 μJ = 12.61 mJ, respectively. To estimate the energy consumption of broadcasting a message to the entire network, each sensor node has to retransmit once and receive $v$ times the same message, where $v$ is the number of neighbors for a sensor node. Eventually, the total energy consumption of our scheme is $V \times (26.11 + v \times 12.61)$ mJ, where $V$ is the total number of sensor nodes. Similarly, the energy consumption of CAS, MAS, IAS, and IMBAS schemes on message broadcast can also be estimated. In order to have a consistent comparison environment, the parameters are chosen as the same as [21]. Figure 3 shows energy consumption of the schemes on message broadcast, where $v = 20$, $p$ is the probability of the user broadcast, the probability of the base station broadcast is $1 - p$, and there are 1024 users ($m = 1024$). Figure 4 shows the energy consumption of the schemes on message broadcast for a sensor node when $v$ varies. Therefore, we can find that the other schemes except for MAS outperform our scheme, since our scheme has larger message size.


Figure 3: Energy consumption on message broadcast versus the total number of sensor nodes. [Plot: energy consumption on message broadcast (J) against $V$ (total number of sensor nodes) for CAS, IAS, MAS, HAS, our scheme, IMBAS ($p = 0.6$), and IMBAS ($p = 0.8$).]

Figure 4: Energy consumption on message broadcast versus the number of neighbors for a sensor node. [Plot: energy consumption on message broadcast (mJ) against $v$ (number of neighbors for a sensor node) for CAS, IAS, MAS, HAS, our scheme, IMBAS ($p = 0.6$), and IMBAS ($p = 0.8$).]

6.2. Storage Overhead. In the comparison, the same settings are used as in Section 6.1. In CAS, each sensor node is required to store the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $h$, $P$, and $P_{pub}$) if ECDSA is used. $h$ is a one-way hash function such as SHA-1, $P$ is a generator of $G_1$, and $P_{pub}$ is the network public key of the base station. Note that $P_{pub}$ and $P$ are two points over $E/F_p$, among which only one of their $X$ and $Y$ coordinates needs to be stored.

In MAS, it requires each sensor node to keep the value $h_r$, which is the final root node of the hash tree. Furthermore, each sensor node has to store the ECC's parameters if an updated $h_r$ should be signed by the base station to prove its authenticity.

Table 2: Comparisons of storage overhead for the six schemes.

| Schemes | Memory size | Quantitative result |
|---|---|---|
| CAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| MAS [21] | $p$, $q$, $a$, $b$, $h_r$, $P$, $P_{pub}$ | ≈140 bytes |
| IAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| HAS [22] | A Bloom filter, $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈10155 bytes |
| IMBAS [20] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| Our scheme | $e_0$ | 128 bytes |

Figure 5: Storage size per sensor node versus the total number of network users. [Plot: storage size (byte) against $m$ (total number of network users) for CAS, IAS, MAS, HAS, our scheme, and IMBAS.]

In IAS, each sensor node also has to be preloaded with the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $G_2$, $e$, $H$, $h$, $P$, and $P_{pub}$), where $H$ is the MapToPoint hash function, which can map strings to nonzero elements in $G_1$. When HAS supports up to 1000 users, each sensor node is required to store 9.8 KBytes for a single Bloom filter [22] ($f_{req} = 2.03 \times 10^{-17}$). The parameters used by IMBAS [20] are similar to IAS's parameters, not including $G_2$, $e$, and $H$, so we do not describe them again. For our scheme, only the public key $e_0$ has to be stored by each sensor node. For the sake of simplicity, we only quantify the parameters ($p$, $q$, $a$, $b$, $P$, and $P_{pub}$) for the ECC based schemes to compare our scheme with them.

The comparisons of the different schemes are shown in Table 2. Clearly, it can be observed that most of the schemes outperform HAS in terms of storage overhead for each sensor node. In addition, from Figure 5, it can be observed that the storage size of our scheme is much less than HAS. Moreover, the storage size of HAS increases significantly when the number of network users varies from 0 to 1000. Therefore, it can be inferred that the scalability of HAS is not good as compared with the other schemes.

6.3. Storage Overhead on Revocation List. An adversary may capture the devices of legal users, and then he/she can impersonate these legal users to broadcast bogus messages to WSNs for the purpose of exhausting the precious energy of sensor nodes. So the base station has to revoke these illegal users in WSNs. The previous schemes require each sensor node to store the IDs of revoked users infinitely when the number of revoked users increases unceasingly. For example, CAS, HAS, and IMBAS require each sensor node to store the revoked IDs. Therefore, the three schemes may incur a large amount of storage overhead.

Figure 6: Storage size per sensor node versus the number of revoked users. [Plot: additional storage size (byte) against the number of revoked users for CAS, IAS, MAS, HAS, our scheme, and IMBAS.]

Table 3: A table illustrating whether or not current users have to obtain new authentication information from the base station for the six schemes.

| | CAS [21] | MAS [21] | IAS [21] | HAS [22] | IMBAS [20] | Our scheme |
|---|---|---|---|---|---|---|
| Yes or No | No | Yes | Yes | No | No | No |

In IAS, each sensor node stores the revoked IDs only within one time interval and removes them at the beginning of the next time interval, because each user has to obtain a new private key from the base station at the beginning of each time interval. Instead, MAS and our scheme do not require each sensor node to store any revoked ID due to the update of $h_r$ and $e_0$. We assume that there are two hundred users that are revoked by the base station within each time interval.

Figure 6 shows the comparisons of the storage size for the six schemes with respect to the number of revoked users. In addition, once an illegal user is revoked, MAS requires current users to obtain the updated AAIs regenerated by the base station. This may be impractical for the current users roaming in WSNs. In IAS, each current user also has to obtain a new private key from the base station at the beginning of each time interval, so it is still impractical for the current users. Table 3 illustrates whether or not current users have to obtain new authentication information from the base station.

6.4. Computational Overhead. In this section, the computational overhead of each sensor node will be evaluated by us. We focus on the computational overhead of verifying a message broadcasted by a user for each sensor node. Note that we still use the same assumptions as mentioned before for our evaluations. In order to compare our scheme with the other schemes in terms of computational overhead, we define seven notations as follows:

(i) $T_m$ is the time to perform one point multiplication operation over an elliptic curve.
(ii) $T_p$ is the time to perform one pairing operation.
(iii) $T_E$ is the time to perform one signature verification (ECDSA-160).
(iv) $T_h$ is the time to perform one one-way hash function operation.
(v) $T_H$ is the time to perform one MapToPoint hash function operation.
(vi) $T_e$ is the time to perform one modular exponentiation operation in $G_2$.
(vii) $T_{RSA}$ is the time to perform one signature verification (RSA-1024).

In CAS, each sensor node has to perform two ECDSA signature verification procedures and two hash function operations. In MAS, to verify the user's public key, it requires a chain of hash function operations, and we assume that there are $\lambda$ hash function operations to be performed. In IAS, it requires one modular exponentiation operation in $G_2$, one MapToPoint hash function operation, and two pairing operations. We simply assume that the total number of hash function operations for each sensor node to verify the user's public key is $\lambda'$ in HAS. Furthermore, the main computational overhead of HAS is based on one ECDSA signature verification. When the message is broadcasted by the user, IMBAS takes three point multiplication operations and one hash function operation. In addition, IMBAS takes one ECDSA signature verification if the message is broadcasted by the base station. In our scheme, each sensor node is required to perform one hash function operation and one RSA signature verification.

According to [9], the energy cost to verify an ECDSA signature is 45.09 mJ in a MICA2DOT mote. Thus, we can estimate the time to perform an ECDSA signature verification is 45.09 mJ/13.8 mW = 3.267 s. We recall that 13.8 mW is the energy consumption of the MICA2DOT mote in active mode. Besides, assume that SHA-1 is used and its energy consumption is 5.9 μJ/byte [9]. Therefore, the time to perform the SHA-1 hash function is 0.01 s when the input size is 24 bytes. Obviously, the time is very small, so it can be ignored.

For a MICA2 mote at 8 MHz, it takes 0.81 s to perform one point multiplication operation over an elliptic curve [10]. Thus, MICA2DOT mote roughly needs 0.81 × 8/4 = 1.62 s to perform such an operation. As reported in [29], the time to perform the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz is 0.752 s. Thus, for the MICA2DOT mote, it roughly needs 6.204 s (0.752 × 33/4) to perform the Tate pairing.


Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
|---|---|---|
| CAS [21] | $2T_E + 2T_h$ | ≈6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈4.2228 s ($p = 0.6$); ≈4.5414 s ($p = 0.8$) |
| Our scheme | $T_{RSA} + T_h$ | ≈0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate the time to perform RSA signature verification is 11.9 mJ/13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10 000. Obviously, our scheme is better than previous schemes.

Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes. [Plot: energy consumption for verifying a message (J) against $V$ (total number of sensor nodes) for CAS, IAS, MAS, HAS, our scheme, IMBAS ($p = 0.6$), and IMBAS ($p = 0.8$).]

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls in the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node takes a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node is still invariable because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has bigger message size, it is still adoptable for the WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, "Mobile object tracking in wireless sensor networks," Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, "Energy efficient multiple target tracking in wireless sensor networks," IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security And Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, "A pairwise key predistribution scheme for wireless sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wandert, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom '05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, "Comparing elliptic curve cryptography and RSA on 8-bit CPUs," in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom '01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, "WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks," in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM '06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., "A fast and efficient source authentication solution for broadcasting in wireless sensor networks," in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS '07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, "An efficient broadcast authentication scheme in wireless sensor networks," in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, "The BiBa one-time signature and broadcast authentication protocol," in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, "Realizing robust user authentication in sensor networks," in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN '05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, "Symmetric key based authenticated querying in wireless sensor networks," in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, "An efficient scheme for user authentication in wireless sensor networks," in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW '07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, "Distributed user access control in sensor networks," in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, "IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks," Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, "On broadcast authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, "Multi-user broadcast authentication in wireless sensor networks," in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellarea, C. Namprempre, and G. Neven, "Security proofs for identity-based identification and signature schemes," in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT '04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, "A database record encryption scheme using the RSA public key cryptosystem and its master keys," in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC '03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Advances in Cryptology - CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, "Computing tate pairing on smartcards," White Paper, STMicroelectronics, 2005.



2 International Journal of Distributed Sensor Networks

accelerate RSA private key operations, namely, decryption and signature generation.

Broadcast authentication enables each sensor node to verify that the received messages originated from the authorized source and were not modified. In our scheme, when a user broadcasts a query message to WSNs, each sensor node only has to verify the signature attached to the message using the public key computed by the base station. At the beginning of network initialization, the base station generates an RSA public key and private key for each sensor node and each user, respectively. Once a user is revoked, the base station has to regenerate a new RSA public key for each sensor node. At the same time, other users do not have to change their own private keys, so sensor nodes do not have to store a revocation list in their own memory. The main contributions of this paper are described as follows.

(1) We propose an RSA-like scheme to secure the multiuser broadcast. Our scheme provides enough security with 1024-bit RSA and great scalability.

(2) In our scheme, each sensor node does not buffer any message, and it can verify every message immediately. Thus, the impact of DoS attacks can be mitigated.

(3) Once illegal network users are revoked by the base station, all the current users do not have to obtain new authentication information from the base station. On the other hand, there is no need for each current user to reobtain his/her private key from the base station after he/she has participated in WSN.

(4) Each sensor node only has to store one network public key, which is 1024 bits. No matter how many network users there are in WSNs, each sensor node can verify these messages. Therefore, our scheme is more efficient in terms of storage overhead as compared with the previous schemes.

(5) A quantitative energy consumption analysis on computational cost for verifying a message shows that our scheme indeed outperforms the previous schemes.

The rest of this paper is organized as follows. In Section 2, the related work will be introduced. In Section 3, the network and adversary models used in this paper are presented. Subsequently, RSA cryptosystem and the concept of RSA master-key will be described in Section 3. In Section 4, the proposed multiuser broadcast authentication scheme is presented. Section 5 is the discussions of our proposed scheme. Section 6 is the performance evaluation in terms of communication, storage, and computational overheads. The conclusion is made in Section 6.

2. Related Work

In order to prevent adversaries from injecting bogus queries, the authors in the work in [11] first proposed a scheme called μTESLA to overcome this problem. They employed a one-way hash function to generate a key chain for the authentication of broadcast messages. However, a source requires maintaining a long chain of keys for the long-term uses. In addition, μTESLA suffers from serious DoS attacks. Each sensor node has to buffer all received messages within a time interval, and then it can verify these messages by using the delayed disclosure key broadcasted by the base station at the next time interval. The base station and sensor nodes are assumed to be loosely time synchronized.

Furthermore, the authors in the work in [12] proposed a novel protocol called BABRA to address the problem of broadcast authentication in WSNs. Unlike μTESLA, BABRA can support broadcast for infinite rounds. At the same time, it eliminates the requirement of key chain. Nevertheless, BABRA also suffers from serious DoS attacks since each sensor node has to buffer all messages before the corresponding key is disclosed.

In [13], the authors proposed a broadcast source authentication mechanism based on multiple MACs (Message Authentication Codes). The scheme requires sensor nodes to have different overlapping sets of keys. When the source wants to broadcast a query, it uses its keys to compute multiple MACs and appends them to the message. Then the recipient can verify the message based on the MACs by using the common keys shared with the source. In comparison with the above schemes, each recipient could verify a message immediately. Therefore, the impact of DoS attacks can be mitigated. However, the key predistribution under a hierarchical structure results in scalability issues. The authors in the work in [14, 15] proposed broadcast authentication schemes using one-time signature. As compared with the above schemes, each sensor node can verify a query immediately without buffering others. However, the number of signatures is limited when a lot of queries are signed by the source.

The authors in the work in [16] first proposed a protocol for multiuser broadcast authentication in which any unauthorized user cannot broadcast queries to a WSN arbitrarily. Each authorized user may be equipped with a powerful mobile device, and then he/she can broadcast queries to WSNs for the purpose of obtaining the latest sensed data from sensor nodes in WSNs. Whenever a WSN processes a query, sensor nodes are able to verify the query. However, the user's public key certificate incurs additional communication and computational overheads.

In [17–19], the main idea of these schemes is to preload each sensor node/network user with some secret information. After that, sensor nodes can compute session keys shared between them and users. Hence, the authenticity of users can be verified through these session keys. All the above schemes are based on challenge-response protocols. Although the above schemes have been proposed for user authentication, most of them do not provide adequate efficiency. By contrast, some schemes in [20–22] focus on the mechanism in which each sensor node can verify every query directly without challenging any nonce. These schemes provide adequate efficiency for multiuser broadcast authentication. However, it is still difficult to deal with the resource-constrained problem and sensor node compromise attack. An efficient scheme is proposed to address the problems without incurring much overhead.

The authors in the work in [16] proposed the first solution to the problem called authenticated querying. They utilized Elliptic Curve Cryptography (ECC) to construct the user authentication scheme, which only considered the situation that a user's query involves a single sensor node. Besides, this scheme incurs additional communication overhead because the user's certificate needs to be transmitted. Furthermore, each sensor node has to verify the user's certificate and signature. Obviously, it also incurs additional computational overhead. A fully symmetric key based solution was proposed for authenticated querying [17]. The authors used a bivariate polynomial to establish shared keys between the user and the sensor nodes that should process the user's query. Then these sensor nodes can verify the authenticity of the user by using the shared keys between them and the user. The scheme is effectively tolerant of the sensor node compromise attack, but it still incurs additional communication overhead because the collection of MACs needs to be transmitted. In particular, when there are a large number of sensor nodes that should process the user's query, the collection of MACs will be big.

The authors in the work in [19] proposed a distributed user access control scheme which includes local authentication and remote authentication. Unfortunately, this scheme incurs significant communication overhead, especially when the user's access control list is heavy. The reason is that the access control list needs to be transmitted. In [18], the authors proposed a user authentication scheme with the self-certified key (SCK) cryptosystem. The main idea is to establish pairwise keys between the user and his/her local sensor nodes. Then these sensor nodes can verify the authenticity of the user. Because each sensor node is preloaded with a public/private key pair, the scheme suffers from serious sensor node compromise attack. An adversary may utilize the keying material of a compromised sensor node to impersonate a legal user to destroy the WSNs.

In [22], the authors initially proposed two basic schemes called CAS and DAS. In CAS, each user is equipped with a public/private key pair and his/her public key certificate signed by the base station, and then he/she signs every broadcast message with his/her private key. Upon receiving the message, each sensor node can verify the public key certificate of the user by using the public key of the base station. Finally, each sensor node can verify the message the user broadcasts in the WSNs. However, the certificate has to be transmitted and verified by each sensor node. CAS introduces additional communication and computational overheads. In DAS, each sensor node has to store all the users' ID information and their corresponding public keys. However, the storage of DAS is neither efficient nor scalable. This scheme is not suitable for storage-constrained sensor nodes when there are a large number of users.

Subsequently, the authors proposed two advanced schemes called BAS and HAS. In BAS, each sensor node is required to store a Bloom filter and $k$ hash functions. Upon receiving a message, each sensor node can check whether the user's ID and his/her corresponding public key are authentic by using the Bloom filter and $k$ hash functions. However, the probability of a false positive ($f_{\mathrm{req}}$) may happen even though it is very small. It may suggest that an illegal user is authentic. Besides, BAS supports up to 1000 users when $f_{\mathrm{req}} = 203 \times 10^{-17}$ for a Bloom filter of 98 KB. It incurs a large amount of storage overhead, and the maximum supported number of users is limited by the storage limit and $f_{\mathrm{req}}$. Therefore, an improved scheme called HAS was proposed to support more users. To achieve this goal, HAS utilizes the Bloom filter and Merkle hash tree. Nevertheless, it still incurs a large amount of storage overhead and lacks scalability.

The authors in the work in [21] proposed three broadcast authentication schemes. The first scheme is CAS as mentioned before, and the second scheme is based on Merkle hash tree. The base station first constructs a Merkle hash tree in which each leaf node contains the hash value of a user's ID and his/her corresponding public key. Then each sensor node has to store the value of the final root node of the hash tree. At the same time, each user has to obtain his/her auxiliary authentication information (AAI). When a user broadcasts a message to the WSNs, he/she signs the message and appends his/her AAI to the message. Upon receiving this message, each sensor node can verify the user's public key by using AAI. If the final hash value is equal to the value of the final root node, each sensor node can verify the user's public key. The Merkle hash tree based scheme does not require the users' public key certificate to be transmitted. In addition, this scheme can be improved by increasing the number of stored hash values in each sensor node. Thus, the size of AAI can be reduced. However, once a user is revoked by the base station, each current user has to obtain his/her updated AAI from the base station. It is impractical for the current users. The third scheme is an ID-based authentication scheme. The concept of ID-based cryptography originated from [23]. A user's ID is just like the user's public key. In this scheme, the user's public key is $U_{\mathrm{ID}}\, V_i$, where $U_{\mathrm{ID}}$ is the user's ID and $V_i$ is the current time interval. Each sensor node can verify the message broadcasted by the user using $U_{\mathrm{ID}}\, V_i$ and the network public key. However, this scheme requires each sensor node to perform two expensive pairing operations. In addition, each user has to obtain a new private key from the base station at the beginning of each time interval. Once some users are revoked, each sensor node needs to store a revocation list only within the current time interval.

An ID-based signature scheme called BNN-IBS [24] is based on Schnorr signature [25], and the authors in the work in [20] proposed a variant of BNN-IBS called vBNN-IBS with a smaller signature size. The proposed scheme called IMBAS [20] is also used to secure the multiuser broadcast. When a user wants to broadcast a message to WSNs, he/she signs the message using vBNN-IBS signature. The base station can also broadcast a message to WSNs with a smaller message size. Upon receiving a message broadcasted by the user (or the base station), each sensor node can verify it immediately. Furthermore, each sensor node also has to store the IDs of the revoked users as a revocation list infinitely when the number of revoked users increases unceasingly. As a result, it can be found that the public key cryptography is easier to be used for multiuser broadcast authentication than the symmetric key cryptography.

In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. $E/F_p$ used in [20–22] denotes the elliptic curve over the finite field $F_p$, where $p$ is a large odd prime. The elliptic curve $E/F_p$ is defined by the equation $y^2 = x^3 + ax + b$, where $a, b \in F_q$. $G_1$ is a $q$-order subgroup of the additive group of points of $E/F_p$ [21].

3. Preliminaries

First, the concepts of the proposed network model and adversary model are introduced. Then the review of RSA public key cryptosystem and the concept of RSA master-key are presented in the section.

3.1. The Network Model. In this model, the sensor network consists of a base station and a large number of sensor nodes. The base station is assumed to be powerful, while sensor nodes are resource-constrained. Furthermore, there are a large number of network users. These users, who roam in WSNs, can use their mobile devices to broadcast queries to WSNs for the purpose of obtaining the latest sensed data. The mobile devices of the users are more powerful than resource-constrained sensor nodes in terms of computation, communication, storage, and energy abilities. The number of network users may be dynamic. In this paper, the WSNs time is assumed to be loosely synchronized.

3.2. The Adversary Model. We assume that the base station is always trustworthy, but sensor nodes may be compromised by an adversary. Therefore, there may be some malicious sensor nodes in the WSNs. The adversary is able to compromise or capture not only sensor nodes but also users' mobile devices, and then all the secret information (e.g., keying material or secret data) held by them is known by the adversary. In addition, the adversary may impersonate these captured users to broadcast bogus messages to WSNs. So these users of WSNs have to be revoked by the base station to prevent them from destroying WSNs. Furthermore, the adversary can flood bogus messages into WSNs to exhaust the precious energy of sensor nodes. Note that the adversary can also eavesdrop and resend the messages.

3.3. RSA Public Key Cryptosystem. We give an introduction to RSA public key cryptosystem. In RSA cryptosystem, each participant holds a public/private key pair which is generated by a certificate authority (CA). The steps of generating the public/private key pair are described as follows.

(1) Two large primes $p$ and $q$ are randomly chosen, and then $N = p \times q$ can be computed.

(2) To choose a parameter $e$, condition (1) has to be satisfied:

$$\mathrm{GCD}(\phi(N), e) = 1, \qquad 1 < e < \phi(N), \tag{1}$$

where $\phi(N) = (p - 1)(q - 1)$ is Euler's totient function of $N$. Consequently, a parameter $d$ can be computed through Extended Euclidean algorithm such that

$$e \times d \equiv 1 \bmod \phi(N). \tag{2}$$

(3) Finally, $(N, e)$ is the public key and $d$ is the private key.

Now assume that $A$ wants to send a message $M$ to $B$. If $A$ wants to protect the confidentiality of $M$, he/she can use $B$'s public key $(e_B, N_B)$ to encrypt the message $M$. Then $A$ sends the encrypted message $C$ to $B$, where $C = M^{e_B} \bmod N_B$. Upon receiving the encrypted message $C$, $B$ can use his/her private key $d_B$ to recover the message $M$ by computing

$$M = C^{d_B} \bmod N_B. \tag{3}$$

On the other hand, if $A$ wants to prove the origin and integrity of $M$, he/she can use his/her private key $d_A$ to sign the message $M$. Then $A$ sends the message $M$ with the signature $S$ to $B$, where $S = M^{d_A} \bmod N_A$. Upon receiving the message $M$ and the signature $S$, $B$ can use $A$'s public key $(e_A, N_A)$ to verify the signature by computing

$$M' = S^{e_A} \bmod N_A. \tag{4}$$

And then $B$ checks whether $M = M'$ or not. The signature is accepted if so and rejected otherwise.

3.4. RSA Master-Key. The authors in the work in [26] proposed an RSA master-key scheme which is built on RSA cryptosystem. Suppose that there are $n$ entities $f_1, f_2, \ldots, f_n$.

(1) CA randomly chooses large primes $p_1, q_1, p_2, q_2, \ldots, p_n, q_n$ and a positive integer $e_H$ which is relatively prime to $L$, where $L = \mathrm{LCM}(L_1, L_2, \ldots, L_n)$ and $L_i = \phi(p_i \times q_i)$ for $i = 1, 2, \ldots, n$.

(2) Let $m_i = p_i \times q_i$ for $i = 1, 2, \ldots, n$. CA computes the corresponding $d_H$ such that $e_H \times d_H \equiv 1 \pmod{L}$. Then let $e_i \equiv e_H \pmod{L_i}$ and $d_i \equiv d_H \pmod{L_i}$ for each $i$.

(3) For $i = 1, 2, \ldots, n$, let $(m_i, e_i, d_i)$ be defined as the $i$th entity's RSA system with elementary encryption key $e_i$ and decryption key $d_i$. The sequence $(e_H, d_H, p_1, q_1, p_2, q_2, \ldots, p_n, q_n)$ is called the master-key of the system. This master-key is only known by CA.

(4) Therefore, each $f_i$ can be encrypted into $f_i'$, where $f_i' \equiv f_i^{e_i} \pmod{m_i}$. It can also be $f_i \equiv (f_i')^{d_i} \pmod{m_i}$. In fact, we have $f_i \equiv (f_i')^{d_H} \pmod{m_i}$ for all $i$ due to the equation $e_H \times d_H \equiv 1 \pmod{L}$.

4. The Proposed Multiuser Broadcast Authentication Scheme

In this section, a scheme for multiuser broadcast authentication which is based on RSA cryptosystem and the master-key scheme [26] is presented. The detailed steps of our scheme are described in the following sections.

4.1. Our Scheme. We assume that there are $m$ network users in WSNs and the base station is the highest authority. The task of the base station is to generate a private key for each user and assign a public key for each sensor node. We use the RSA-like scheme to secure the multiuser broadcast. When a user joins or leaves, our scheme can cope with the situation. Furthermore, once a user is compromised, the base station will take an appropriate action to cope with such a situation. The steps of our scheme are described as follows.

4.1.1. The Setup Phase. First, the base station randomly chooses $2m + 2$ distinct large primes $p_i, q_i$ ($0 \le i \le m$), and it also chooses two distinct large primes $p_{\mathrm{bs}}, q_{\mathrm{bs}}$ for itself. Second, the base station computes $N_0 = p_0 \times q_0$ for each sensor node, $N_{\mathrm{bs}} = p_{\mathrm{bs}} \times q_{\mathrm{bs}}$ for itself, and $N_1 = p_1 \times q_1, N_2 = p_2 \times q_2, \ldots, N_m = p_m \times q_m$ for users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$. Note that $2m + 4$ distinct large primes are only known by the base station, but $N_1, N_2, \ldots, N_m$ and $N_{\mathrm{bs}}$ are public.

4.1.2. The Key Generation Phase. The base station computes the least common multiple $L_0$ of $m + 2$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\mathrm{bs}})$ such that

$$L_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\mathrm{bs}})), \tag{5}$$

where $\phi(N_i)$ is Euler's totient function of $N_i$ and $\phi(N_i) = (p_i - 1) \times (q_i - 1)$. The base station chooses a parameter $d_0$ which is relatively prime to $L_0$ ($1 < d_0 < L_0$). Then it can compute $e_0$ through Extended Euclidean algorithm such that

$$d_0 \times e_0 \equiv 1 \bmod L_0. \tag{6}$$

Note that the bit-length of $e_0$ can be first chosen as short as possible because each sensor node uses $e_0$ to verify signatures. The notations $d_0$ and $e_0$ used here are opposite to the common notations of RSA. The reason is that we use $d_i$ to sign messages and $e_0$ to verify signatures. After generating $d_0$, the base station uses it to generate the private keys $d_1, d_2, \ldots, d_m$ for users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$ and $d_{\mathrm{bs}}$ for itself by computing

$$d_i = d_0 \bmod \phi(N_i), \qquad d_{\mathrm{bs}} = d_0 \bmod \phi(N_{\mathrm{bs}}), \tag{7}$$

where $i = 1, 2, \ldots, m$.

4.1.3. The Key Assignment Phase. After finishing the above key generation, the base station can preload/broadcast each sensor node with $e_0$ prior to the WSNs deployment or during WSNs operation time. This method is similar to the method used in [21]. For users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$, the base station delivers $(d_1, N_1), (d_2, N_2), \ldots, (d_m, N_m)$ to them through a secure channel. The base station keeps its private key $d_{\mathrm{bs}}$. Hence, each user has two parameters $(d_i, N_i)$, where $d_i$ must be kept secret and public $N_i$ can be used to represent his/her ID. The two parameters $(d_{\mathrm{bs}}, N_{\mathrm{bs}})$ have the same meaning as above for the base station.

4.1.4. Multiuser Broadcast Authentication. Assume that a user $N_i$ wants to broadcast a message $M$ to the WSNs. He/she uses his/her private key $d_i$ to sign $M$ and broadcasts the following message:

$$M,\ \mathrm{TS},\ N_i,\ \mathrm{Sign}, \tag{8}$$

where TS is the timestamp and $\mathrm{Sign} = h(M, \mathrm{TS}, N_i)^{d_i} \bmod N_i$. $h(\ast)$ is a one-way hash function which maps arbitrary inputs to fixed length outputs. After receiving the message, a sensor node first checks whether TS is fresh. If so, the sensor node will verify the signature Sign by computing

$$h(M, \mathrm{TS}, N_i) = \mathrm{Sign}^{e_0} \bmod N_i, \tag{9}$$

where $e_0$ is the public key generated by the base station. If the above equation holds, the signature will be accepted. Otherwise, it will be rejected. For the sake of simplicity, we refer to $h(M, \mathrm{TS}, N_i)$ as $P$. Because $L_0$ is a multiple of $\phi(N_i)$, we can show that

$$e_0 \times d_i \bmod L_0 = e_0 \times (d_0 \bmod \phi(N_i)) \bmod L_0 = e_0 \times d_0 \bmod \phi(N_i) = 1. \tag{10}$$

Therefore, $e_0 \times d_i = 1 + t \times \phi(N_i)$, where $t \in \mathbb{N}$. According to Euler's Theorem, $P^{\phi(N_i)} \bmod N_i = 1$, so we can show that the above equation is correct as the following equation:

$$\begin{aligned}
\mathrm{Sign}^{e_0} \bmod N_i &= (P^{d_i} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_i \times e_0} \bmod N_i \\
&= P^{1 + t \times \phi(N_i)} \bmod N_i, \quad t \in \mathbb{N} \\
&= P \times P^{t \times \phi(N_i)} \bmod N_i \\
&= P.
\end{aligned} \tag{11}$$

The structure can be described according to Figure 1. The relation between users and sensor nodes belongs to a two-layer structure. Every sensor node can verify the signatures signed by users. Besides, the messages broadcasted by the base station can still be verified by every sensor node using the same manner, so we do not describe it again.

4.2. User Revocation. In our scheme, once a user is revoked, the base station has to regenerate a corresponding public key $e'_0$ for sensor nodes. Suppose that a user $\mathrm{User}_c$ is compromised, and then the base station takes the steps as follows.

4.2.1. The LCM Regeneration. The base station computes the least common multiple $L'_0$ of $m + 1$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\mathrm{bs}})$, which do not include $\phi(N_c)$, such that $L'_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\mathrm{bs}}))$.

4.2.2. The Public Key Regeneration. To update $e_0$ with $e'_0$, the base station uses the equation $d_0 \times e'_0 \equiv 1 \bmod L'_0$ to regenerate $e'_0$. Note that $d_0$ is unchanging. The reason is that $d_0$ is relatively prime to $L_0$. Once $L_0$ is changed into $L'_0$, $d_0$ is still relatively prime to $L'_0$.

[Figure 1: The two-layer structure. Labels: Sensor node; User1, User2, User3, ..., Userm.]

4.2.3. The Public Key Broadcast. After regenerating $e'_0$, the base station has to broadcast $e'_0$ to WSNs. First, $e'_0$ is signed by the base station with the base station's private key $d_{\mathrm{bs}}$ for the purpose of proving its authenticity. Second, the base station broadcasts $e'_0$ with its signature, TS, and $N_{\mathrm{bs}}$ to WSNs. Third, upon the receipt of this message, a sensor node can use the public key $e_0$ to verify the authenticity of $e'_0$. Finally, the sensor node updates $e_0$ with $e'_0$ if the signature verification succeeds. Note that $d_0$ is unchanging, so the values $d_1, d_2, \ldots, d_m$ of legal users are still unchanging too. Suppose that an adversary forges the message broadcasted by the base station; this attack will be detected by sensor nodes because the private key $d_{\mathrm{bs}}$ is only known by the base station.

4.3. User Join. When a new user wants to join WSN, the steps are similar to the process of user revocation. Once a new user $\mathrm{User}_{m+1}$ wants to join WSN, the base station chooses two distinct large primes $p_{m+1}$ and $q_{m+1}$ and computes $N_{m+1} = p_{m+1} \times q_{m+1}$. Then $L_0$ can be recomputed by (5), and $d_{m+1} = d_0 \bmod \phi(N_{m+1})$. Finally, the base station delivers $(d_{m+1}, N_{m+1})$ to $\mathrm{User}_{m+1}$ through a secure channel.
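The following added example (not code from the paper) runs Sections 4.1 and 4.2 end to end: setup, key generation by (5)-(7), signing and node-side verification by (8)-(9), the wrong-key case of Section 5, and revocation of one user with the signed update of $e'_0$. The 256-bit demo primes, SHA-256 as $h$, the byte encoding of $(M, \mathrm{TS}, N_i)$, the 30-second freshness window, and all class and function names are assumptions made for the illustration.

```python
# Added illustration, not the paper's code. Assumptions: 256-bit demo primes,
# SHA-256 as h, the byte encoding in digest(), a 30 s freshness window, all names.
import hashlib
import secrets
from functools import reduce
from math import gcd

def is_probable_prime(n, rounds=24):
    # Miller-Rabin; callers pass large odd candidates only.
    for s in (3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def lcm_all(values):
    return reduce(lambda a, b: a * b // gcd(a, b), values, 1)

class BaseStation:
    # Keeps every prime, phi(N_i) and d0 private; only e0 and the N_i leave it.
    def __init__(self, users, bits=256):
        self.N, self.phi = {}, {}
        for name in ["node", "bs", *users]:        # setup phase (4.1.1)
            p, q = random_prime(bits), random_prime(bits)
            while q == p:
                q = random_prime(bits)
            self.N[name], self.phi[name] = p * q, (p - 1) * (q - 1)
        L0 = lcm_all(self.phi.values())            # eq. (5)
        while True:                                # pick d0 coprime to L0
            self.d0 = secrets.randbelow(L0 - 2) + 2
            if gcd(self.d0, L0) == 1:
                break
        self.e0 = pow(self.d0, -1, L0)             # eq. (6)

    def private_key(self, name):
        return self.d0 % self.phi[name]            # eq. (7)

    def revoke(self, name):
        # 4.2.1-4.2.2: drop phi(N_c) from the LCM, keep d0, recompute e0'.
        del self.phi[name]
        self.e0 = pow(self.d0, -1, lcm_all(self.phi.values()))
        return self.e0

def digest(message, ts, N):
    # P = h(M, TS, N_i) as an integer; needs N_i > 2**256 (true for bits=256).
    n_bytes = N.to_bytes((N.bit_length() + 7) // 8, "big")
    data = len(message).to_bytes(4, "big") + message + ts.to_bytes(8, "big") + n_bytes
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(message, ts, d_i, N_i):
    return pow(digest(message, ts, N_i), d_i, N_i)          # Sign in eq. (8)

def node_verify(e0, message, ts, N_i, sig, now, window=30):
    if abs(now - ts) > window:                              # stale TS: drop first
        return False
    return pow(sig, e0, N_i) == digest(message, ts, N_i)    # eq. (9)

def demo():
    bs = BaseStation(["user1", "user2", "user3"])
    e0, now, query = bs.e0, 1_000, b"query: latest temperature"  # constructed input
    d1, N1 = bs.private_key("user1"), bs.N["user1"]
    d3, N3 = bs.private_key("user3"), bs.N["user3"]
    sig1, sig3 = sign(query, now, d1, N1), sign(query, now, d3, N3)
    out = {
        "valid": node_verify(e0, query, now, N1, sig1, now),
        "stale": node_verify(e0, query, now, N1, sig1, now + 3600),
        "wrong_key": node_verify(e0, query, now, N1, sign(query, now, d3, N1), now),
        "user3_before": node_verify(e0, query, now, N3, sig3, now),
    }
    # Revoke user3; the base station signs e0' with d_bs and nodes check it with e0.
    d_bs, N_bs = bs.private_key("bs"), bs.N["bs"]
    e0_new = bs.revoke("user3")
    update = e0_new.to_bytes((e0_new.bit_length() + 7) // 8, "big")
    out["update_ok"] = node_verify(e0, update, now, N_bs, sign(update, now, d_bs, N_bs), now)
    out["user1_after"] = node_verify(e0_new, query, now, N1, sig1, now)
    out["user3_after"] = node_verify(e0_new, query, now, N3, sig3, now)
    return out

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:13} accepted={accepted}")
```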

5. Discussion

In this section, the scheme in terms of security, DoS attacks, and scalability is analyzed.

(1) The Problem of Factoring $N_i$. The security of our scheme is based on the difficulty of factoring $N_i$ into $p_i$ and $q_i$. Suppose an adversary knows $N_1, N_2, \ldots, N_m$, but he/she cannot compute $L_0$ such that $L_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m))$. The adversary cannot obtain $d_0$ from the equation $d_0 \times e_0 \equiv 1 \bmod L_0$ and use $d_0$ to compute $d_i$ from the equation $d_i = d_0 \bmod \phi(N_i)$. Hence, we believe that it is extremely difficult to obtain the private key $d_i$ of user $N_i$.

(2) The Problem of Preventing the Unauthorized User. When an adversary impersonates a legal user $N_i$ to sign a message $M$ with the key $d_c$, sensor nodes will fail to verify the signature attached in the message. We show the result as the following equation:

$$\begin{aligned}
\mathrm{Sign}^{e_0} \bmod N_i &= (P^{d_c} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_c \times e_0} \bmod N_i \\
&= P^{d_c \times e_0 \bmod \phi(N_i)} \bmod N_i \\
&\neq P,
\end{aligned} \tag{12}$$

where $P = h(M, \mathrm{TS}, N_i)$. Because $d_c \neq d_0 \bmod \phi(N_i)$, the signature verification fails. Therefore, the adversary cannot impersonate any legal user to inject bogus messages into WSNs successfully. Furthermore, the timestamp used in the message can also prevent the replay attack.

(3) Denial of Service (DoS) Attacks. According to [21, 27], μTESLA suffers from serious DoS attacks because each sensor node has to buffer all the messages received within one time interval. This problem can be mitigated by the immediate verification of messages. In our scheme, each sensor node can verify messages sent by legal or illegal users immediately, so our scheme can mitigate the impact of DoS attacks. If an adversary wants to broadcast forged messages to WSNs, this attack will be detected by the sensor nodes. And then they may notify the base station of such a situation.

(4) Scalability. When old sensor nodes exhaust their energy or the sensing region of a WSN has to be enlarged, new sensor nodes have to be deployed. Our scheme can deal with this problem by preloading these sensor nodes with the network public key $e_0$. If a new user wants to join WSNs, the base station will generate two distinct large primes $p_{\mathrm{new}}$ and $q_{\mathrm{new}}$ for him/her. Subsequently, the new user's ID $N_{\mathrm{new}} = p_{\mathrm{new}} \times q_{\mathrm{new}}$ is computed by the base station. At the same time, the base station has to regenerate the new network public key $e'_0$. Then it broadcasts $e'_0$ and its signature to the WSNs. Users can join WSNs without much overhead.

6. Performance Evaluations

In this section, the performance of our scheme in terms of communication, storage, and computational overheads is evaluated. Moreover, the scheme is compared with the previous schemes that were proposed for multiuser broadcast authentication.

6.1. Communication Overhead. In this section, our scheme and the previous schemes in terms of the communication overhead are evaluated. In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. To provide the same level of security strength as 1024-bit RSA, ECC requires $p$ of 160 bits if $G_2$ is a $q$-order subgroup of the multiplicative group of the finite field $F^{*}_{p^2}$ [28].

Like the assumptions used in [21], $|p|$ and $|q|$ are assumed to be 512 bits and 160 bits, respectively. And the embedded degree of $E/F_p$ is equal to 2. According to [21], suppose that a point is over $E/F_p$, and only one of its $X$ and $Y$ coordinates needs to be transmitted because the other can be easily derived using the curve equation. We do not take this computational cost into account.

Table 1: Comparisons of communication overhead for the related schemes.

| Schemes | Message size |
|---|---|
| CAS [21] | 148 bytes |
| MAS [21] | $84 + 20 \times \log_2 m$ bytes |
| IAS [21] | 108 bytes |
| HAS [22] | $(74 + 20 \times \log_2 m)1000$ bytes |
| IMBAS [20] | 84 bytes (1); 54 bytes (2) |
| Our scheme | 278 bytes |

In this paper, 1024-bit RSA is applied to compare our scheme with the previous schemes. We recall that our broadcast message includes a user's ID $N_i$, a message $M$, a timestamp TS, and the signature attached in the message. We assume that the message $M$ is 20 bytes, the timestamp TS is 2 bytes, the user's ID is 2 bytes, and a one-way hash function with 20 bytes' outputs is used. In our scheme, both $N_i$ and the signature are 128 bytes with 1024-bit RSA.

In the remaining part of this paper, we refer to the certificate-based, Merkle hash tree based, and ID-based authentication schemes [21] as CAS, MAS, and IAS, respectively. The parameter $m$ denotes the total number of users.

In CAS, a broadcast message includes a message $M$, a timestamp TS, the signature (40 bytes) attached in the message, and the user's certificate (at least 86 bytes [9]) if Elliptic Curve Digital Signature Algorithm (ECDSA) is used. Hence, the total message size of CAS is 148 bytes. Similarly, the message sizes of MAS and IAS can also be evaluated by using the above parameters.

In HAS [22], the broadcast message includes a part message $M_2$ ($|M_2| \ge 14$ bytes), two values over the finite field $Z_q$, the public key of the user, and an AAI. We set $|M_1| = 10$ with the saving of up to 10 bytes. Then the resulting message size of HAS is $(74 + 20 \times \log_2 m)/1000$ bytes (supporting up to 1000 users and the probability of a false positive $f_{\mathrm{req}} = 2.03 \times 10^{-17}$).

In IMBAS [20], the message broadcasted by a user (situation (1)) includes a message $M$, a timestamp TS, a user's ID, one point of $E/F_p$, and two values over the finite field $Z_q$. Hence, the resulting message size is 84 bytes. If the message is broadcasted by the base station (situation (2)), it will include a part message $M_2$ ($|M_2| \ge 14$ bytes) and two values over the finite field $Z_q$. Therefore, the message size is 54 bytes (assuming that $|M_1| = 10$ bytes).

Table 1 shows the comparisons of the different schemes in terms of message size. Furthermore, Figure 2 shows the evaluation results of the impact of the total number of network users on message size. When the number of network users varies from 0 to 10 000, the message sizes of MAS and HAS increase with the number of network users. In contrast, the message sizes of the other schemes remain unchanged.

[Figure 2: Message size versus the total number of network users. Plot of message size (byte) against $m$ (total number of network users) for CAS, IAS, our scheme, IMBAS ($p = 0.6$), MAS, HAS, and IMBAS ($p = 0.8$).]

In addition, we quantify the performance on message broadcast for the six schemes. We use the MICA2DOT mote, which is a popular platform for WSNs. The MICA2DOT mote is equipped with the Atmel ATmega128L 8-bit microcontroller at 4 MHz and the Chipcon CC1000 low-power wireless transceiver [9]. As reported in [9], the energy consumption of MICA2DOT mote in active and power-down modes is 13.8 and 0.0075 mW, respectively. Furthermore, the MICA2DOT mote consumes 59.2 and 28.6 μJ to transmit and receive one byte, respectively.

In our scheme, the broadcasting message consists of $M$, TS, $N_i$, and Sign, and the size is 20 bytes (message $M$) + 2 bytes (timestamp TS) + 128 bytes ($N_i$) + 128 bytes (Sign) = 278 bytes. The payload for each packet is 32 bytes, so we require 9 packets to transmit the broadcasting message. Each packet also requires a 9-byte header ensuing an 8-byte preamble, which consists of source, destination, length, packet ID, CRC, and control bytes [9]. Therefore, it requires transmitting 441 bytes ((32 + 9 + 8) bytes × 9 = 441 bytes). In addition, the energy consumption on transmitting and receiving a broadcast message of our scheme is 441 × 59.2 μJ = 26.11 mJ and 441 × 28.6 μJ = 12.61 mJ, respectively. To estimate the energy consumption of broadcasting a message to the entire network, each sensor node has to retransmit once and receive $v$ times the same message, where $v$ is the number of neighbors for a sensor node. Eventually, the total energy consumption of our scheme is $V \times (26.11 + v \times 12.61)$ mJ, where $V$ is the total number of sensor nodes. Similarly, the energy consumption of CAS, MAS, IAS, and IMBAS schemes on message broadcast can also be estimated. In order to have a consistent comparison environment, the parameters are chosen as the same as [21]. Figure 3 shows the energy consumption of the schemes on message broadcast, where $v = 20$, $p$ is the probability of the user broadcast, the probability of the base station broadcast is $1 - p$, and there are 1024 users ($m = 1024$). Figure 4 shows the energy consumption of the schemes on message broadcast for a sensor node when $v$ varies. Therefore, we can find that the other schemes, except for MAS, outperform our scheme, since our scheme has a larger message size.

[Figure 3: Energy consumption on message broadcast versus the total number of sensor nodes. Plot of energy consumption on message broadcast (J) against $V$ (total number of sensor nodes) for CAS, IAS, MAS, HAS, our scheme, IMBAS ($p = 0.6$), and IMBAS ($p = 0.8$).]

[Figure 4: Energy consumption on message broadcast versus the number of neighbors for a sensor node. Plot of energy consumption on message broadcast (mJ) against $v$ (number of neighbors for a sensor node) for CAS, IAS, MAS, HAS, our scheme, IMBAS ($p = 0.6$), and IMBAS ($p = 0.8$).]

6.2. Storage Overhead. In the comparison, the same settings are used as in Section 6.1. In CAS, each sensor node is required to store the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $h$, $P$, and $P_{\mathrm{pub}}$) if ECDSA is used. $h$ is a one-way hash function such as SHA-1, $P$ is a generator of $G_1$, and $P_{\mathrm{pub}}$ is the network public key of the base station. Note that $P_{\mathrm{pub}}$ and $P$ are two points over $E/F_p$, among which only one of their $X$ and $Y$ coordinates needs to be stored.

In MAS, it requires each sensor node to keep the value $h_r$, which is the final root node of the hash tree. Furthermore, each sensor node has to store the ECC's parameters if an updated $h_r$ should be signed by the base station to prove its authenticity.

Table 2: Comparisons of storage overhead for the six schemes.

| Schemes | Memory size | Quantitative result |
|---|---|---|
| CAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{\mathrm{pub}}$ | ≈120 bytes |
| MAS [21] | $p$, $q$, $a$, $b$, $h_r$, $P$, $P_{\mathrm{pub}}$ | ≈140 bytes |
| IAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{\mathrm{pub}}$ | ≈120 bytes |
| HAS [22] | A Bloom filter, $p$, $q$, $a$, $b$, $P$, $P_{\mathrm{pub}}$ | ≈10155 bytes |
| IMBAS [20] | $p$, $q$, $a$, $b$, $P$, $P_{\mathrm{pub}}$ | ≈120 bytes |
| Our scheme | $e_0$ | 128 bytes |

[Figure 5: Storage size per sensor node versus the total number of network users. Plot of storage size (byte) against $m$ (total number of network users) for CAS, IAS, MAS, HAS, our scheme, and IMBAS.]

In IAS, each sensor node also has to be preloaded with the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $G_2$, $e$, $H$, $h$, $P$, and $P_{\mathrm{pub}}$), where $H$ is the MapToPoint hash function, which can map strings to nonzero elements in $G_1$. When HAS supports up to 1000 users, each sensor node is required to store 9.8 KBytes for a single Bloom filter [22] ($f_{\mathrm{req}} = 2.03 \times 10^{-17}$).

The parameters used by IMBAS [20] are similar to IAS's parameters, not including $G_2$, $e$, and $H$, so we do not describe them again. For our scheme, only the public key $e_0$ has to be stored by each sensor node. For the sake of simplicity, we only quantify the parameters ($p$, $q$, $a$, $b$, $P$, and $P_{\mathrm{pub}}$) for the ECC based schemes to compare our scheme with them.

The comparisons of the different schemes are shown in Table 2. Clearly, it can be observed that most of the schemes outperform HAS in terms of storage overhead for each sensor node. In addition, from Figure 5, it can be observed that the storage size of our scheme is much less than HAS. Moreover, the storage size of HAS increases significantly when the number of network users varies from 0 to 1000. Therefore, it can be inferred that the scalability of HAS is not good as compared with the other schemes.

6.3. Storage Overhead on Revocation List. An adversary may capture the devices of legal users, and then he/she can impersonate these legal users to broadcast bogus messages to WSNs for the purpose of exhausting the precious energy of sensor nodes. So the base station has to revoke these illegal users in WSNs. The previous schemes require each sensor node to store the IDs of revoked users infinitely when the number of revoked users increases unceasingly. For example, CAS, HAS, and IMBAS require each sensor node to store the revoked IDs. Therefore, the three schemes may incur a large amount of storage overhead.

[Figure 6: Storage size per sensor node versus the number of revoked users. Plot of additional storage size (byte) against the number of revoked users for CAS, IAS, MAS, HAS, our scheme, and IMBAS.]

Table 3: A table illustrating whether or not current users have to obtain new authentication information from the base station for the six schemes.

| | CAS [21] | MAS [21] | IAS [21] | HAS [22] | IMBAS [20] | Our scheme |
|---|---|---|---|---|---|---|
| Yes or No | No | Yes | Yes | No | No | No |

In IAS, each sensor node stores the revoked IDs only within one time interval and removes them at the beginning of the next time interval, because each user has to obtain a new private key from the base station at the beginning of each time interval. Instead, MAS and our scheme do not require each sensor node to store any revoked ID due to the update of $h_r$ and $e_0$. We assume that there are two hundred users that are revoked by the base station within each time interval.

Figure 6 shows the comparisons of the storage size for the six schemes with respect to the number of revoked users. In addition, once an illegal user is revoked, MAS requires current users to obtain the updated AAIs regenerated by the base station. This may be impractical for the current users roaming in WSNs. In IAS, each current user also has to obtain a new private key from the base station at the beginning of each time interval, so it is still impractical for the current users. Table 3 illustrates whether or not current users have to obtain new authentication information from the base station.

6.4. Computational Overhead. In this section, the computational overhead of each sensor node is evaluated. We focus on the computational overhead of verifying a message broadcasted by a user for each sensor node. Note that we still use the same assumptions as mentioned before for our evaluations. In order to compare our scheme with the other schemes in terms of computational overhead, we define seven notations as follows:

(i) $T_m$ is the time to perform one point multiplication operation over an elliptic curve.

(ii) $T_p$ is the time to perform one pairing operation.

(iii) $T_E$ is the time to perform one signature verification (ECDSA-160).

(iv) $T_h$ is the time to perform one one-way hash function operation.

(v) $T_H$ is the time to perform one MapToPoint hash function operation.

(vi) $T_e$ is the time to perform one modular exponentiation operation in $G_2$.

(vii) $T_{\mathrm{RSA}}$ is the time to perform one signature verification (RSA-1024).

In CAS, each sensor node has to perform two ECDSA signature verification procedures and two hash function operations. In MAS, to verify the user's public key, it requires a chain of hash function operations, and we assume that there are $\lambda$ hash function operations to be performed. In IAS, it requires one modular exponentiation operation in $G_2$, one MapToPoint hash function operation, and two pairing operations. We simply assume that the total number of hash function operations for each sensor node to verify the user's public key is $\lambda'$ in HAS. Furthermore, the main computational overhead of HAS is based on one ECDSA signature verification. When the message is broadcasted by the user, IMBAS takes three point multiplication operations and one hash function operation. In addition, IMBAS takes one ECDSA signature verification if the message is broadcasted by the base station. In our scheme, each sensor node is required to perform one hash function operation and one RSA signature verification.

According to [9], the energy cost to verify an ECDSA signature is 45.09 mJ in a MICA2DOT mote. Thus, we can estimate that the time to perform an ECDSA signature verification is 45.09 mJ/13.8 mW = 3.267 s. We recall that 13.8 mW is the energy consumption of the MICA2DOT mote in active mode. Besides, assume that SHA-1 is used and its energy consumption is 5.9 μJ/byte [9]. Therefore, the time to perform the SHA-1 hash function is 0.01 s when the input size is 24 bytes. Obviously, the time is very small, so it can be ignored.

For a MICA2 mote at 8 MHz, it takes 0.81 s to perform one point multiplication operation over an elliptic curve [10]. Thus, the MICA2DOT mote roughly needs 0.81 × 8/4 = 1.62 s to perform such an operation. As reported in [29], the time to perform the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz is 0.752 s. Thus, for the MICA2DOT mote, it roughly needs 6.204 s (0.752 × 33/4) to perform the Tate pairing.

Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
|---|---|---|
| CAS [21] | $2T_E + 2T_h$ | ≈6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈4.2228 s ($p = 0.6$); ≈4.5414 s ($p = 0.8$) |
| Our scheme | $T_{\mathrm{RSA}} + T_h$ | ≈0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256 M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate that the time to perform RSA signature verification is 11.9 mJ/13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or by the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10 000. Obviously, our scheme is better than previous schemes.
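Table 4 can be recomputed from the primitive timings quoted in this section. The following Python sketch is an added example, not code from the paper: the function names are hypothetical, and it carries unrounded intermediate values, so the CAS, IAS, and IMBAS totals differ from the printed table in the third or fourth decimal place.

```python
ACTIVE_POWER_MW = 13.8   # MICA2DOT power draw in active mode [9]
MOTE_CLOCK_MHZ = 4       # ATmega128L clock on the MICA2DOT


def time_from_energy(energy_mj):
    """Seconds of active-mode computation implied by an energy cost in mJ."""
    return energy_mj / ACTIVE_POWER_MW


def scale_to_mote(seconds, source_mhz):
    """Linear clock-ratio scaling of a timing measured on a faster processor."""
    return seconds * source_mhz / MOTE_CLOCK_MHZ


def primitive_times(hash_input_bytes=None):
    """Per-operation times in seconds on the MICA2DOT, from the figures in the text.

    T_h is 0 unless hash_input_bytes is given, matching the text's decision
    to ignore the SHA-1 cost (5.9 uJ per byte).
    """
    t_pairing = scale_to_mote(0.752, 33)        # Tate pairing, ST22 at 33 MHz [29]
    t_hash = 0.0
    if hash_input_bytes is not None:
        t_hash = time_from_energy(hash_input_bytes * 5.9 / 1000.0)
    return {
        "T_E": time_from_energy(45.09),         # ECDSA-160 verification [9]
        "T_RSA": time_from_energy(11.9),        # RSA-1024 verification [9]
        "T_m": scale_to_mote(0.81, 8),          # point multiplication, MICA2 at 8 MHz [10]
        "T_p": t_pairing,
        "T_H": t_pairing * 3.0 / 47.40,         # MapToPoint, ratio to pairing on Pentium IV
        "T_e": t_pairing * 3.13 / 47.40,        # exponentiation in G_2, same ratio method
        "T_h": t_hash,
    }


def verification_times(p, lam=0, lam_prime=0, hash_input_bytes=None):
    """Table 4 formulas: seconds for one sensor node to verify one message."""
    t = primitive_times(hash_input_bytes)
    return {
        "CAS": 2 * t["T_E"] + 2 * t["T_h"],
        "MAS": t["T_E"] + (lam + 1) * t["T_h"],
        "IAS": 2 * t["T_p"] + t["T_H"] + t["T_e"],
        "HAS": t["T_E"] + lam_prime * t["T_h"],
        "IMBAS": p * (3 * t["T_m"] + t["T_h"]) + (1 - p) * t["T_E"],
        "Our scheme": t["T_RSA"] + t["T_h"],
    }


def verification_energy_j(seconds, total_nodes):
    """Energy in joules for total_nodes sensor nodes to each verify one message."""
    return seconds * ACTIVE_POWER_MW * total_nodes / 1000.0


if __name__ == "__main__":
    for scheme, seconds in verification_times(p=0.6).items():
        joules = verification_energy_j(seconds, 10000)
        print(f"{scheme:<11} {seconds:7.3f} s  {joules:8.1f} J for 10 000 nodes")
```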

[Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes. Plot of energy consumption for verifying a message (J) against $V$ (total number of sensor nodes) for CAS, IAS, MAS, HAS, our scheme, IMBAS ($p = 0.6$), and IMBAS ($p = 0.8$).]

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls in the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node takes a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node is still invariable because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has bigger message size, it is still adoptable for the WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, "Mobile object tracking in wireless sensor networks," Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, "Energy efficient multiple target tracking in wireless sensor networks," IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security And Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, "A pairwise key predistribution scheme for wireless sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom '05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, "Comparing elliptic curve cryptography and RSA on 8-bit CPUs," in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom '01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, "WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks," in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM '06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., "A fast and efficient source authentication solution for broadcasting in wireless sensor networks," in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS '07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, "An efficient broadcast authentication scheme in wireless sensor networks," in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, "The BiBa one-time signature and broadcast authentication protocol," in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, "Realizing robust user authentication in sensor networks," in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN '05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, "Symmetric key based authenticated querying in wireless sensor networks," in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, "An efficient scheme for user authentication in wireless sensor networks," in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW '07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, "Distributed user access control in sensor networks," in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, "IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks," Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, "On broadcast authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, "Multi-user broadcast authentication in wireless sensor networks," in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellare, C. Namprempre, and G. Neven, "Security proofs for identity-based identification and signature schemes," in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT '04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, "A database record encryption scheme using the RSA public key cryptosystem and its master keys," in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC '03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology – CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, "Computing Tate pairing on smartcards," White Paper, STMicroelectronics, 2005.


Elliptic Curve Cryptography (ECC) to construct the user authentication scheme, which only considered the situation that a user's query involves a single sensor node. Besides, this scheme incurs additional communication overhead because the user's certificate needs to be transmitted. Furthermore, each sensor node has to verify the user's certificate and signature. Obviously, it also incurs additional computational overhead. A fully symmetric key based solution was proposed for authenticated querying [17]. The authors used a bivariate polynomial to establish shared keys between the user and the sensor nodes that should process the user's query. Then these sensor nodes can verify the authenticity of the user by using the shared keys between them and the user. The scheme is effectively tolerant of the sensor node compromise attack, but it still incurs additional communication overhead because the collection of MACs needs to be transmitted. In particular, when there are a large number of sensor nodes that should process the user's query, the collection of MACs will be big.

The authors in the work in [19] proposed a distributed user access control scheme which includes local authentication and remote authentication. Unfortunately, this scheme incurs significant communication overhead, especially when the user's access control list is heavy. The reason is that the access control list needs to be transmitted. In [18], the authors proposed a user authentication scheme with the self-certified key (SCK) cryptosystem. The main idea is to establish pairwise keys between the user and his/her local sensor nodes. Then these sensor nodes can verify the authenticity of the user. Because each sensor node is preloaded with a public/private key pair, the scheme suffers from serious sensor node compromise attack. An adversary may utilize the keying material of a compromised sensor node to impersonate a legal user to destroy the WSNs.

In [22], the authors initially proposed two basic schemes called CAS and DAS. In CAS, each user is equipped with a public/private key pair and his/her public key certificate signed by the base station, and then he/she signs every broadcast message with his/her private key. Upon receiving the message, each sensor node can verify the public key certificate of the user by using the public key of the base station. Finally, each sensor node can verify the message the user broadcasts in the WSNs. However, the certificate has to be transmitted and verified by each sensor node. CAS introduces additional communication and computational overheads. In DAS, each sensor node has to store all the users' ID information and their corresponding public keys. However, the storage of DAS is neither efficient nor scalable. This scheme is not suitable for storage-constrained sensor nodes when there are a large number of users.

Subsequently, the authors proposed two advanced schemes called BAS and HAS. In BAS, each sensor node is required to store a Bloom filter and $k$ hash functions. Upon receiving a message, each sensor node can check whether the user's ID and his/her corresponding public key are authentic by using the Bloom filter and $k$ hash functions. However, a false positive may happen, even though its probability ($f_{\mathrm{req}}$) is very small. It may suggest that an illegal user is authentic. Besides, BAS supports up to 1000 users when $f_{\mathrm{req}} = 2.03 \times 10^{-17}$ for a Bloom filter of 9.8 KB. It incurs a large amount of storage overhead, and the maximum supported number of users is limited by the storage limit and $f_{\mathrm{req}}$. Therefore, an improved scheme called HAS was proposed to support more users. To achieve this goal, HAS utilizes the Bloom filter and Merkle hash tree. Nevertheless, it still incurs a large amount of storage overhead and lacks scalability.

The authors in the work in [21] proposed three broadcast authentication schemes. The first scheme is CAS, as mentioned before, and the second scheme is based on Merkle hash tree. The base station first constructs a Merkle hash tree in which each leaf node contains the hash value of a user's ID and his/her corresponding public key. Then each sensor node has to store the value of the final root node of the hash tree. At the same time, each user has to obtain his/her auxiliary authentication information (AAI). When a user broadcasts a message to the WSNs, he/she signs the message and appends his/her AAI to the message. Upon receiving this message, each sensor node can verify the user's public key by using AAI. If the final hash value is equal to the value of the final root node, each sensor node can verify the user's public key. The Merkle hash tree based scheme does not require the users' public key certificate to be transmitted. In addition, this scheme can be improved by increasing the number of stored hash values in each sensor node. Thus, the size of AAI can be reduced. However, once a user is revoked by the base station, each current user has to obtain his/her updated AAI from the base station. It is impractical for the current users. The third scheme is an ID-based authentication scheme. The concept of ID-based cryptography originated from [23]. A user's ID is just like the user's public key. In this scheme, the user's public key is $U_{\mathrm{ID}}\,v_i$, where $U_{\mathrm{ID}}$ is the user's ID and $v_i$ is the current time interval. Each sensor node can verify the message broadcasted by the user using $U_{\mathrm{ID}}\,v_i$ and the network public key. However, this scheme requires each sensor node to perform two expensive pairing operations. In addition, each user has to obtain a new private key from the base station at the beginning of each time interval. Once some users are revoked, each sensor node needs to store a revocation list only within the current time interval.

An ID-based signature scheme called BNN-IBS [24] is based on the Schnorr signature [25], and the authors in the work in [20] proposed a variant of BNN-IBS called vBNN-IBS with a smaller signature size. The proposed scheme, called IMBAS [20], is also used to secure the multiuser broadcast. When a user wants to broadcast a message to WSNs, he/she signs the message using a vBNN-IBS signature. The base station can also broadcast a message to WSNs with a smaller message size. Upon receiving a message broadcasted by the user (or the base station), each sensor node can verify it immediately. Furthermore, each sensor node also has to keep storing the IDs of the revoked users in a revocation list indefinitely as the number of revoked users keeps increasing. As a result, it can be found that public key cryptography is easier to use for multiuser broadcast authentication than symmetric key cryptography.

In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. $E/F_p$ used in [20–22] denotes the elliptic curve over the finite field $F_p$, where $p$ is a large odd prime. The elliptic curve $E/F_p$ is defined by the equation $y^2 = x^3 + ax + b$, where $a, b \in F_q$. $G_1$ is a $q$-order subgroup of the additive group of points of $E/F_p$ [21].

3. Preliminaries

First, the concepts of the proposed network model and adversary model are introduced. Then, the RSA public key cryptosystem is reviewed and the concept of the RSA master-key is presented.

3.1. The Network Model. In this model, the sensor network consists of a base station and a large number of sensor nodes. The base station is assumed to be powerful, while sensor nodes are resource-constrained. Furthermore, there are a large number of network users. These users, who roam in WSNs, can use their mobile devices to broadcast queries to WSNs for the purpose of obtaining the latest sensed data. The mobile devices of the users are more powerful than resource-constrained sensor nodes in terms of computation, communication, storage, and energy abilities. The number of network users may be dynamic. In this paper, the WSNs' time is assumed to be loosely synchronized.

3.2. The Adversary Model. We assume that the base station is always trustworthy, but sensor nodes may be compromised by an adversary. Therefore, there may be some malicious sensor nodes in the WSNs. The adversary is able to compromise or capture not only sensor nodes but also users' mobile devices, and then all the secret information (e.g., keying material or secret data) held by them is known by the adversary. In addition, the adversary may impersonate these captured users to broadcast bogus messages to WSNs. So these users of WSNs have to be revoked by the base station to prevent them from destroying WSNs. Furthermore, the adversary can flood bogus messages into WSNs to exhaust the precious energy of sensor nodes. Note that the adversary can also eavesdrop and resend the messages.

3.3. RSA Public Key Cryptosystem. We give an introduction to the RSA public key cryptosystem. In the RSA cryptosystem, each participant holds a public/private key pair, which is generated by a certificate authority (CA). The steps of generating the public/private key pair are described as follows.

(1) Two large primes $p$ and $q$ are randomly chosen, and then $N = p \times q$ can be computed.

(2) To choose a parameter $e$, (1) has to be satisfied:

$$\operatorname{GCD}(\phi(N), e) = 1, \qquad 1 < e < \phi(N), \tag{1}$$

where $\phi(N) = (p-1)(q-1)$ is Euler's totient function of $N$. Consequently, a parameter $d$ can be computed through the Extended Euclidean algorithm such that

$$e \times d \equiv 1 \bmod \phi(N). \tag{2}$$

(3) Finally, $(N, e)$ is the public key and $d$ is the private key.

Now assume that $A$ wants to send a message $M$ to $B$. If $A$ wants to ensure the confidentiality of $M$, he/she can use $B$'s public key $(e_B, N_B)$ to encrypt the message $M$. Then $A$ sends the encrypted message $C$ to $B$, where $C = M^{e_B} \bmod N_B$. Upon receiving the encrypted message $C$, $B$ can use his/her private key $d_B$ to recover the message $M$ by computing

$$M = C^{d_B} \bmod N_B. \tag{3}$$

On the other hand, if $A$ wants to prove the origin and integrity of $M$, he/she can use his/her private key $d_A$ to sign the message $M$. Then $A$ sends the message $M$ with the signature $S$ to $B$, where $S = M^{d_A} \bmod N_A$. Upon receiving the message $M$ and the signature $S$, $B$ can use $A$'s public key $(e_A, N_A)$ to verify the signature by computing

$$M' = S^{e_A} \bmod N_A. \tag{4}$$

And then $B$ checks whether $M = M'$ or not. The signature is accepted if so and rejected otherwise.

3.4. RSA Master-Key. The authors in the work in [26] proposed an RSA master-key scheme, which is built on the RSA cryptosystem. Suppose that there are $n$ entities $f_1, f_2, \ldots, f_n$.

(1) CA randomly chooses large primes $p_1, q_1, p_2, q_2, \ldots, p_n, q_n$ and a positive integer $e_H$ which is relatively prime to $L$, where $L = \operatorname{LCM}(L_1, L_2, \ldots, L_n)$ and $L_i = \phi(p_i \times q_i)$ for $i = 1, 2, \ldots, n$.

(2) Let $m_i = p_i \times q_i$ for $i = 1, 2, \ldots, n$. CA computes the corresponding $d_H$ such that $e_H \times d_H \equiv 1 \pmod{L}$. Then let $e_i \equiv e_H \pmod{L_i}$ and $d_i \equiv d_H \pmod{L_i}$ for each $i$.

(3) For $i = 1, 2, \ldots, n$, let $(m_i, e_i, d_i)$ be defined as the $i$th entity's RSA system with elementary encryption key $e_i$ and decryption key $d_i$. The sequence $(e_H, d_H, p_1, q_1, p_2, q_2, \ldots, p_n, q_n)$ is called the master-key of the system. This master-key is only known by CA.

(4) Therefore, each $f_i$ can be encrypted by raising it to the power $e_i$ modulo $m_i$, and it can be recovered by raising the result to the power $d_i$ modulo $m_i$. In fact, raising the result to the power $d_H$ modulo $m_i$ also recovers $f_i$ for all $i$, due to the equation $e_H \times d_H \equiv 1 \pmod{L}$.

4. The Proposed Multiuser Broadcast Authentication Scheme

In this section, a scheme for multiuser broadcast authentication, which is based on the RSA cryptosystem and the master-key scheme [26], is presented. The detailed steps of our scheme are described in the following sections.

4.1. Our Scheme. We assume that there are $m$ network users in WSNs and the base station is the highest authority. The task of the base station is to generate a private key for each user and assign a public key for each sensor node. We use the RSA-like scheme to secure the multiuser broadcast. When a user joins or leaves, our scheme can cope with the situation. Furthermore, once a user is compromised, the base station will take an appropriate action to cope with such a situation. The steps of our scheme are described as follows.

4.1.1. The Setup Phase. First, the base station randomly chooses $2m + 2$ distinct large primes $p_i, q_i$ ($0 \le i \le m$), and it also chooses two distinct large primes $p_{\text{bs}}, q_{\text{bs}}$ for itself. Second, the base station computes $N_0 = p_0 \times q_0$ for each sensor node, $N_{\text{bs}} = p_{\text{bs}} \times q_{\text{bs}}$ for itself, and $N_1 = p_1 \times q_1, N_2 = p_2 \times q_2, \ldots, N_m = p_m \times q_m$ for users $\text{User}_1, \text{User}_2, \ldots, \text{User}_m$. Note that the $2m + 4$ distinct large primes are only known by the base station, but $N_1, N_2, \ldots, N_m$ and $N_{\text{bs}}$ are public.

4.1.2. The Key Generation Phase. The base station computes the least common multiple $L_0$ of the $m + 2$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\text{bs}})$ such that

$$L_0 = \operatorname{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\text{bs}})), \tag{5}$$

where $\phi(N_i)$ is Euler's totient function of $N_i$ and $\phi(N_i) = (p_i - 1) \times (q_i - 1)$. The base station chooses a parameter $d_0$ which is relatively prime to $L_0$ ($1 < d_0 < L_0$). Then it can compute $e_0$ through the Extended Euclidean algorithm such that

$$d_0 \times e_0 \equiv 1 \bmod L_0. \tag{6}$$

Note that the bit-length of $e_0$ can be first chosen as short as possible because each sensor node uses $e_0$ to verify signatures. The notations $d_0$ and $e_0$ used here are opposite to the common notations of RSA. The reason is that we use $d_i$ to sign messages and $e_0$ to verify signatures. After generating $d_0$, the base station uses it to generate the private keys $d_1, d_2, \ldots, d_m$ for users $\text{User}_1, \text{User}_2, \ldots, \text{User}_m$ and $d_{\text{bs}}$ for itself by computing

$$d_i = d_0 \bmod \phi(N_i), \qquad d_{\text{bs}} = d_0 \bmod \phi(N_{\text{bs}}), \tag{7}$$

where $i = 1, 2, \ldots, m$.

4.1.3. The Key Assignment Phase. After finishing the above key generation, the base station can preload/broadcast each sensor node with $e_0$ prior to the WSNs deployment or during WSNs operation time. This method is similar to the method used in [21]. For users $\text{User}_1, \text{User}_2, \ldots, \text{User}_m$, the base station delivers $(d_1, N_1), (d_2, N_2), \ldots, (d_m, N_m)$ to them through a secure channel. The base station keeps its private key $d_{\text{bs}}$. Hence, each user has two parameters $(d_i, N_i)$, where $d_i$ must be kept secret and the public $N_i$ can be used to represent his/her ID. The two parameters $(d_{\text{bs}}, N_{\text{bs}})$ have the same meaning as above for the base station.

4.1.4. Multiuser Broadcast Authentication. Assume that a user $N_i$ wants to broadcast a message $M$ to the WSNs. He/she uses his/her private key $d_i$ to sign $M$ and broadcasts the following message:

$$M, \mathrm{TS}, N_i, \mathrm{Sign}, \tag{8}$$

where TS is the timestamp and $\mathrm{Sign} = h(M, \mathrm{TS}, N_i)^{d_i} \bmod N_i$. $h(\ast)$ is a one-way hash function which maps arbitrary inputs to fixed-length outputs. After receiving the message, a sensor node first checks whether TS is fresh. If so, the sensor node will verify the signature Sign by computing

$$h(M, \mathrm{TS}, N_i) = \mathrm{Sign}^{e_0} \bmod N_i, \tag{9}$$

where $e_0$ is the public key generated by the base station. If the above equation holds, the signature will be accepted. Otherwise, it will be rejected. For the sake of simplicity, we refer to $h(M, \mathrm{TS}, N_i)$ as $P$. Because $L_0$ is a multiple of $\phi(N_i)$, we can show that

$$e_0 \times d_i \bmod L_0 = e_0 \times (d_0 \bmod \phi(N_i)) \bmod L_0 = e_0 \times d_0 \bmod \phi(N_i) = 1. \tag{10}$$

Therefore, $e_0 \times d_i = 1 + t \times \phi(N_i)$, where $t \in N$. According to Euler's Theorem, $P^{\phi(N_i)} \bmod N_i = 1$, so we can show that the above equation is correct as follows:

$$
\begin{aligned}
\mathrm{Sign}^{e_0} \bmod N_i &= (P^{d_i} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_i \times e_0} \bmod N_i \\
&= P^{1 + t \times \phi(N_i)} \bmod N_i, \quad t \in N \\
&= P \times P^{t \times \phi(N_i)} \bmod N_i \\
&= P.
\end{aligned} \tag{11}
$$

The structure can be described according to Figure 1. The relation between users and sensor nodes belongs to a two-layer structure. Every sensor node can verify the signatures signed by users. Besides, the messages broadcasted by the base station can still be verified by every sensor node in the same manner, so we do not describe it again.

4.2. User Revocation. In our scheme, once a user is revoked, the base station has to regenerate a corresponding public key $e_0'$ for sensor nodes. Suppose that a user $\text{User}_c$ is compromised; then the base station takes the steps as follows.

4.2.1. The LCM Regeneration. The base station computes the least common multiple $L_0'$ of the $m + 1$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\text{bs}})$, which do not include $\phi(N_c)$, such that $L_0' = \operatorname{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{\text{bs}}))$.

4.2.2. The Public Key Regeneration. To update $e_0$ with $e_0'$, the base station uses the equation $d_0 \times e_0' \equiv 1 \bmod L_0'$ to regenerate $e_0'$. Note that $d_0$ is unchanging. The reason is that $d_0$ is relatively prime to $L_0$. Once $L_0$ is changed into $L_0'$, $d_0$ is still relatively prime to $L_0'$.

Figure 1: The two-layer structure. [Diagram: a sensor node and the users User1, User2, User3, ..., Userm.]

4.2.3. The Public Key Broadcast. After regenerating $e_0'$, the base station has to broadcast $e_0'$ to WSNs. First, $e_0'$ is signed by the base station with the base station's private key $d_{\text{bs}}$ for the purpose of proving its authenticity. Second, the base station broadcasts $e_0'$ with its signature, TS, and $N_{\text{bs}}$ to WSNs. Third, upon the receipt of this message, a sensor node can use the public key $e_0$ to verify the authenticity of $e_0'$. Finally, the sensor node updates $e_0$ with $e_0'$ if the signature verification succeeds. Note that $d_0$ is unchanging, so the values $d_1, d_2, \ldots, d_m$ of legal users are still unchanging too. Suppose that an adversary forges the message broadcasted by the base station; this attack will be detected by sensor nodes because the private key $d_{\text{bs}}$ is only known by the base station.

4.3. User Join. When a new user wants to join the WSN, the steps are similar to the process of user revocation. Once a new user $\text{User}_{m+1}$ wants to join the WSN, the base station chooses two distinct large primes $p_{m+1}$ and $q_{m+1}$ and computes $N_{m+1} = p_{m+1} \times q_{m+1}$. Then $L_0$ can be recomputed by (5) and $d_{m+1} = d_0 \bmod \phi(N_{m+1})$. Finally, the base station delivers $(d_{m+1}, N_{m+1})$ to $\text{User}_{m+1}$ through a secure channel.
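The setup, key generation, signing, verification, rekeying, revocation and join phases of Sections 4.1 to 4.3 (which reuse the shared-exponent idea of Section 3.4) can be traced end to end with toy parameters. The following Python code is an added example, not the authors' implementation; the 32-bit primes, SHA-256 standing in for $h$, the byte encoding of $(M, \mathrm{TS}, N_i)$, the 5-unit freshness window and all function and key names are assumptions made for illustration.

```python
import hashlib
import random
from math import gcd, isqrt, lcm

RNG = random.Random(2015)  # fixed seed: constructed, reproducible toy keys
_used = set()              # primes handed out so far; all must be distinct

def is_prime(n):
    return n > 2 and n % 2 == 1 and all(n % k for k in range(3, isqrt(n) + 1, 2))

def prime_pair(bits=32):
    """Two distinct random primes (toy size; the paper assumes 1024-bit N_i)."""
    pair = []
    while len(pair) < 2:
        c = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if c not in _used and is_prime(c):
            _used.add(c)
            pair.append(c)
    return tuple(pair)

def phi(pq):
    return (pq[0] - 1) * (pq[1] - 1)

def digest(msg, ts, n):
    """P = h(M, TS, N_i) reduced below N_i; SHA-256 stands in for h (assumption)."""
    data = msg + ts.to_bytes(8, "big") + n.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

class BaseStation:
    """Keeps all primes and d_0 secret; publishes every N_i and the shared e_0."""
    def __init__(self, users):
        names = ["node", "bs"] + [f"user{i}" for i in range(1, users + 1)]
        self.primes = {name: prime_pair() for name in names}
        L0 = self.lcm_phi()
        self.d0 = RNG.randrange(2, L0)
        while gcd(self.d0, L0) != 1:  # d_0 must be coprime to L_0, 1 < d_0 < L_0
            self.d0 = RNG.randrange(2, L0)
        self.e0 = pow(self.d0, -1, L0)  # eq. (6): d_0 * e_0 = 1 mod L_0

    def lcm_phi(self):  # eq. (5), over every phi(N_i) currently enrolled
        return lcm(*(phi(pq) for pq in self.primes.values()))

    def modulus(self, name):
        return self.primes[name][0] * self.primes[name][1]

    def private_key(self, name):  # eq. (7): d_i = d_0 mod phi(N_i)
        return self.d0 % phi(self.primes[name])

    def revoke(self, name):  # Section 4.2: drop phi(N_c), keep d_0, derive e'_0
        del self.primes[name]
        self.e0 = pow(self.d0, -1, self.lcm_phi())
        return self.e0

    def join(self, name):  # Section 4.3: d_0 is fixed, so phi(N_new) must be coprime to it
        pq = prime_pair()
        while gcd(self.d0, phi(pq)) != 1:
            pq = prime_pair()
        self.primes[name] = pq
        self.e0 = pow(self.d0, -1, self.lcm_phi())
        return self.e0

def sign(msg, ts, n, d):
    return pow(digest(msg, ts, n), d, n)  # Sign = h(M, TS, N_i)^d mod N_i

def verify(msg, ts, n, sig, e0, now, max_age=5):
    if not 0 <= now - ts <= max_age:  # freshness check before any modular exponentiation
        return False
    return pow(sig, e0, n) == digest(msg, ts, n)  # eq. (9)

def demo():
    bs = BaseStation(users=3)
    msg, ts, now = b"query: latest temperature", 1000, 1001  # constructed sample query
    n1, n2, nbs = (bs.modulus(x) for x in ("user1", "user2", "bs"))
    s1 = sign(msg, ts, n1, bs.private_key("user1"))
    s2 = sign(msg, ts, n2, bs.private_key("user2"))
    forged = sign(msg, ts, n1, bs.private_key("user2"))  # eq. (12): d_c used under N_1
    old_e0 = bs.e0
    out = {"user1": verify(msg, ts, n1, s1, old_e0, now),
           "user2": verify(msg, ts, n2, s2, old_e0, now),
           "forged": verify(msg, ts, n1, forged, old_e0, now),
           "replay": verify(msg, ts, n1, s1, old_e0, now=2000)}
    new_e0 = bs.revoke("user2")
    rekey = str(new_e0).encode()  # Section 4.2.3: e'_0 signed with d_bs, checked with old e_0
    rekey_sig = sign(rekey, ts, nbs, bs.private_key("bs"))
    out["rekey"] = verify(rekey, ts, nbs, rekey_sig, old_e0, now)
    out["user1_after_revoke"] = verify(msg, ts, n1, s1, new_e0, now)
    out["user2_after_revoke"] = verify(msg, ts, n2, s2, new_e0, now)
    join_e0 = bs.join("user4")
    n4 = bs.modulus("user4")
    out["user4"] = verify(msg, ts, n4, sign(msg, ts, n4, bs.private_key("user4")), join_e0, now)
    out["user1_after_join"] = verify(msg, ts, n1, s1, join_e0, now)
    return out

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:20s} {'accepted' if accepted else 'rejected'}")
```

Because $d_0$ never changes, `join` has to keep drawing primes until $\phi(N_{m+1})$ is coprime to $d_0$; otherwise the new $e_0$ in (6) would not exist.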

5. Discussion

In this section, the scheme is analyzed in terms of security, DoS attacks, and scalability.

(1) The Problem of Factoring $N_i$. The security of our scheme is based on the difficulty of factoring $N_i$ into $p_i$ and $q_i$. Suppose an adversary knows $N_1, N_2, \ldots, N_m$, but he/she cannot compute $L_0$ such that $L_0 = \operatorname{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m))$. The adversary cannot obtain $d_0$ from the equation $d_0 \times e_0 \equiv 1 \bmod L_0$ and use $d_0$ to compute $d_i$ from the equation $d_i = d_0 \bmod \phi(N_i)$. Hence, we believe that it is extremely difficult to obtain the private key $d_i$ of user $N_i$.

(2) The Problem of Preventing the Unauthorized User. When an adversary impersonates a legal user $N_i$ to sign a message $M$ with the key $d_c$, sensor nodes will fail to verify the signature attached in the message. We show the result as the following equation:

$$
\begin{aligned}
\mathrm{Sign}^{e_0} \bmod N_i &= (P^{d_c} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_c \times e_0} \bmod N_i \\
&= P^{d_c \times e_0 \bmod \phi(N_i)} \bmod N_i \\
&\neq P,
\end{aligned} \tag{12}
$$

where $P = h(M, \mathrm{TS}, N_i)$. Because $d_c \neq d_0 \bmod \phi(N_i)$, the signature verification fails. Therefore, the adversary cannot impersonate any legal user to inject bogus messages into WSNs successfully. Furthermore, the timestamp used in the message can also prevent the replay attack.

(3) Denial of Service (DoS) Attacks. According to [21, 27], μTESLA suffers from serious DoS attacks because each sensor node has to buffer all the messages received within one time interval. This problem can be mitigated by the immediate verification of messages. In our scheme, each sensor node can verify messages sent by legal or illegal users immediately, so our scheme can mitigate the impact of DoS attacks. If an adversary wants to broadcast forged messages to WSNs, this attack will be detected by the sensor nodes. And then they may notify the base station of such a situation.

(4) Scalability. When old sensor nodes exhaust their energy or the sensing region of a WSN has to be enlarged, new sensor nodes have to be deployed. Our scheme can deal with this problem by preloading these sensor nodes with the network public key $e_0$. If a new user wants to join WSNs, the base station will generate two distinct large primes $p_{\text{new}}$ and $q_{\text{new}}$ for him/her. Subsequently, the new user's ID $N_{\text{new}} = p_{\text{new}} \times q_{\text{new}}$ is computed by the base station. At the same time, the base station has to regenerate the new network public key $e_0'$. Then it broadcasts $e_0'$ and its signature to the WSNs. Users can join WSNs without much overhead.

6. Performance Evaluations

In this section, the performance of our scheme in terms of communication, storage, and computational overheads is evaluated. Moreover, the scheme is compared with the previous schemes that were proposed for multiuser broadcast authentication.

6.1. Communication Overhead. In this section, our scheme and the previous schemes are evaluated in terms of the communication overhead. In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. To provide the same level of security strength as 1024-bit RSA, ECC requires $p$ of 160 bits if $G_2$ is a $q$-order subgroup of the multiplicative group of the finite field $F^{\ast}_{p^2}$ [28].

Like the assumptions used in [21], $|p|$ and $|q|$ are assumed to be 512 bits and 160 bits, respectively. And the embedded degree of $E/F_p$ is equal to 2. According to [21], suppose that a point is over $E/F_p$ and only one of its $X$ and $Y$ coordinates needs to be transmitted because the other can be easily derived using the curve equation. We do not take this computational cost into account.

Table 1: Comparisons of communication overhead for the related schemes.

| Schemes | Message size |
|---|---|
| CAS [21] | 148 bytes |
| MAS [21] | $84 + 20 \times \log_2 m$ bytes |
| IAS [21] | 108 bytes |
| HAS [22] | $(74 + 20 \times \log_2 m)/1000$ bytes |
| IMBAS [20] | 84 bytes (1); 54 bytes (2) |
| Our scheme | 278 bytes |

In this paper, 1024-bit RSA is applied to compare our scheme with the previous schemes. We recall that our broadcast message includes a user's ID $N_i$, a message $M$, a timestamp TS, and the signature attached in the message. We assume that the message $M$ is 20 bytes, the timestamp TS is 2 bytes, the user's ID is 2 bytes, and a one-way hash function with 20 bytes' outputs is used. In our scheme, both $N_i$ and the signature are 128 bytes with 1024-bit RSA.

In the remaining part of this paper, we refer to the certificate-based, Merkle hash tree based, and ID-based authentication schemes [21] as CAS, MAS, and IAS, respectively. The parameter $m$ denotes the total number of users.

In CAS, a broadcast message includes a message $M$, a timestamp TS, the signature (40 bytes) attached in the message, and the user's certificate (at least 86 bytes [9]) if the Elliptic Curve Digital Signature Algorithm (ECDSA) is used. Hence, the total message size of CAS is 148 bytes. Similarly, the message sizes of MAS and IAS can also be evaluated by using the above parameters.

In HAS [22], the broadcast message includes a part message $M_2$ ($|M_2| \ge 14$ bytes), two values over the finite field $Z_q$, the public key of the user, and an AAI. We set $|M_1| = 10$ with the saving of up to 10 bytes. Then the resulting message size of HAS is $(74 + 20 \times \log_2 m)/1000$ bytes (supporting up to 1000 users and the probability of a false positive $f_{\text{req}} = 2.03 \times 10^{-17}$).

In IMBAS [20], the message broadcasted by a user (situation (1)) includes a message $M$, a timestamp TS, a user's ID, one point of $E/F_p$, and two values over the finite field $Z_q$. Hence, the resulting message size is 84 bytes. If the message is broadcasted by the base station (situation (2)), it will include a part message $M_2$ ($|M_2| \ge 14$ bytes) and two values over the finite field $Z_q$. Therefore, the message size is 54 bytes (assuming that $|M_1| = 10$ bytes).

Table 1 shows the comparisons of the different schemes in terms of message size. Furthermore, Figure 2 shows the evaluation results of the impact of the total number of network users on message size. When the number of network users varies from 0 to 10 000, the message sizes of MAS and HAS increase with the number of network users. Instead, the message sizes of the other schemes are still unchanging.

In addition, we quantify the performance on message broadcast for the six schemes. We use the MICA2DOT mote, which is a popular platform for WSNs. The MICA2DOT mote is equipped with the Atmel ATmega128L 8-bit microcontroller at 4 MHz and the Chipcon CC1000 low-power wireless transceiver [9]. As reported in [9], the energy consumption of the MICA2DOT mote in active and power-down modes is 13.8 and 0.0075 mW, respectively. Furthermore, the MICA2DOT mote consumes 59.2 and 28.6 μJ to transmit and receive one byte, respectively.

Figure 2: Message size versus the total number of network users. [Plot: message size (byte) versus $m$ (total number of network users), 0 to 10000; curves for CAS, IAS, our scheme, IMBAS ($p = 0.6$), MAS, HAS, and IMBAS ($p = 0.8$).]

In our scheme, the broadcasting message is $M, \mathrm{TS}, N_i, \mathrm{Sign}$, and the size is 20 bytes (message $M$) + 2 bytes (timestamp TS) + 128 bytes ($N_i$) + 128 bytes (Sign) = 278 bytes. The payload for each packet is 32 bytes, so we require 9 packets to transmit the broadcasting message. And each packet requires a 9-byte header following an 8-byte preamble; the header consists of source, destination, length, packet ID, CRC, and control bytes [9]. Therefore, it requires transmitting 441 bytes ((32 + 9 + 8) bytes × 9 = 441 bytes). In addition, the energy consumption on transmitting and receiving a broadcast message of our scheme is 441 × 59.2 μJ = 26.11 mJ and 441 × 28.6 μJ = 12.61 mJ, respectively. To estimate the energy consumption of broadcasting a message to the entire network, each sensor node has to retransmit once and receive $v$ times the same message, where $v$ is the number of neighbors for a sensor node. Eventually, the total energy consumption of our scheme is $V \times (26.11 + v \times 12.61)$ mJ, where $V$ is the total number of sensor nodes. Similarly, the energy consumption of the CAS, MAS, IAS, and IMBAS schemes on message broadcast can also be estimated. In order to have a consistent comparison environment, the parameters are chosen to be the same as in [21]. Figure 3 shows the energy consumption of the schemes on message broadcast, where $v = 20$, $p$ is the probability of the user broadcast, the probability of the base station broadcast is $1 - p$, and there are 1024 users ($m = 1024$). Figure 4 shows the energy consumption of the schemes on message broadcast for a sensor node when $v$ varies. Therefore, we can find that the other schemes except for MAS outperform our scheme since our scheme has a larger message size.

Figure 3: Energy consumption on message broadcast versus the total number of sensor nodes. [Plot: energy consumption on message broadcast (J) versus $V$ (total number of sensor nodes), 0 to 10000; curves for CAS, IAS, MAS, HAS, our scheme, IMBAS ($p = 0.6$), and IMBAS ($p = 0.8$).]

Figure 4: Energy consumption on message broadcast versus the number of neighbors for a sensor node. [Plot: energy consumption on message broadcast (mJ) versus $v$ (number of neighbors for a sensor node), 0 to 50; curves for CAS, IAS, MAS, HAS, our scheme, IMBAS ($p = 0.6$), and IMBAS ($p = 0.8$).]

6.2. Storage Overhead. In the comparison, the same settings are used as in Section 6.1. In CAS, each sensor node is required to store the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $h$, $P$, and $P_{\text{pub}}$) if ECDSA is used. $h$ is a one-way hash function such as SHA-1, $P$ is a generator of $G_1$, and $P_{\text{pub}}$ is the network public key of the base station. Note that $P_{\text{pub}}$ and $P$ are two points over $E/F_p$, among which only one of their $X$ and $Y$ coordinates needs to be stored.

In MAS, it requires each sensor node to keep the value $h_r$, which is the final root node of the hash tree. Furthermore, each sensor node has to store the ECC's parameters if an updated $h_r$ should be signed by the base station to prove its authenticity.

Table 2: Comparisons of storage overhead for the six schemes.

| Schemes | Memory size | Quantitative result |
|---|---|---|
| CAS [21] | $p, q, a, b, P, P_{\text{pub}}$ | ≈120 bytes |
| MAS [21] | $p, q, a, b, h_r, P, P_{\text{pub}}$ | ≈140 bytes |
| IAS [21] | $p, q, a, b, P, P_{\text{pub}}$ | ≈120 bytes |
| HAS [22] | A Bloom filter, $p, q, a, b, P, P_{\text{pub}}$ | ≈10155 bytes |
| IMBAS [20] | $p, q, a, b, P, P_{\text{pub}}$ | ≈120 bytes |
| Our scheme | $e_0$ | 128 bytes |

Figure 5: Storage size per sensor node versus the total number of network users. [Plot: storage size (byte) versus $m$ (total number of network users), 0 to 500; curves for CAS, IAS, MAS, HAS, our scheme, and IMBAS.]

In IAS, each sensor node also has to be preloaded with the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $G_2$, $e$, $H$, $h$, $P$, and $P_{\text{pub}}$), where $H$ is the MapToPoint hash function, which can map strings to nonzero elements in $G_1$. When HAS supports up to 1000 users, each sensor node is required to store 9.8 KBytes for a single Bloom filter [22] ($f_{\text{req}} = 2.03 \times 10^{-17}$).

The parameters used by IMBAS [20] are similar to IAS's parameters, not including $G_2$, $e$, and $H$, so we do not describe them again. For our scheme, only the public key $e_0$ has to be stored by each sensor node. For the sake of simplicity, we only quantify the parameters ($p$, $q$, $a$, $b$, $P$, and $P_{\text{pub}}$) for the ECC based schemes to compare our scheme with them.

The comparisons of the different schemes are shown in Table 2. Clearly, it can be observed that most of the schemes outperform HAS in terms of storage overhead for each sensor node. In addition, from Figure 5, it can be observed that the storage size of our scheme is much less than that of HAS. Moreover, the storage size of HAS increases significantly when the number of network users varies from 0 to 1000. Therefore, it can be inferred that the scalability of HAS is not as good as that of the other schemes.

6.3. Storage Overhead on Revocation List. An adversary may capture the devices of legal users, and then he/she can impersonate these legal users to broadcast bogus messages to WSNs for the purpose of exhausting the precious energy of sensor nodes. So the base station has to revoke these illegal users in WSNs. The previous schemes require each sensor node to keep storing the IDs of revoked users indefinitely as the number of revoked users keeps increasing. For example, CAS, HAS, and IMBAS require each sensor node to store the revoked IDs. Therefore, the three schemes may incur a large amount of storage overhead.

Figure 6: Storage size per sensor node versus the number of revoked users. [Plot: additional storage size (byte) versus number of revoked users, 0 to 1000; curves for CAS, IAS, MAS, HAS, our scheme, and IMBAS.]

Table 3: A table illustrating whether or not current users have to obtain new authentication information from the base station for the six schemes.

| | CAS [21] | MAS [21] | IAS [21] | HAS [22] | IMBAS [20] | Our scheme |
|---|---|---|---|---|---|---|
| Yes or No | No | Yes | Yes | No | No | No |

In IAS, each sensor node stores the revoked IDs only within one time interval and removes them at the beginning of the next time interval because each user has to obtain a new private key from the base station at the beginning of each time interval. Instead, MAS and our scheme do not require each sensor node to store any revoked ID due to the update of $h_r$ and $e_0$. We assume that there are two hundred users that are revoked by the base station within each time interval.

Figure 6 shows the comparisons of the storage size for the six schemes with respect to the number of revoked users. In addition, once an illegal user is revoked, MAS requires current users to obtain the updated AAIs regenerated by the base station. This may be impractical for the current users roaming in WSNs. In IAS, each current user also has to obtain a new private key from the base station at the beginning of each time interval, so it is still impractical for the current users. Table 3 illustrates whether or not current users have to obtain new authentication information from the base station.

6.4. Computational Overhead. In this section, the computational overhead of each sensor node is evaluated. We focus on the computational overhead for each sensor node of verifying a message broadcasted by a user. Note that we still use the same assumptions as mentioned before for our evaluations. In order to compare our scheme with the other schemes in terms of computational overhead, we define seven notations as follows:

(i) $T_m$ is the time to perform one point multiplication operation over an elliptic curve.
(ii) $T_p$ is the time to perform one pairing operation.
(iii) $T_E$ is the time to perform one signature verification (ECDSA-160).
(iv) $T_h$ is the time to perform one one-way hash function operation.
(v) $T_H$ is the time to perform one MapToPoint hash function operation.
(vi) $T_e$ is the time to perform one modular exponentiation operation in $G_2$.
(vii) $T_{\text{RSA}}$ is the time to perform one signature verification (RSA-1024).

In CAS, each sensor node has to perform two ECDSA signature verification procedures and two hash function operations. In MAS, to verify the user's public key, it requires a chain of hash function operations, and we assume that there are $\lambda$ hash function operations to be performed. In IAS, it requires one modular exponentiation operation in $G_2$, one MapToPoint hash function operation, and two pairing operations. We simply assume that the total number of hash function operations for each sensor node to verify the user's public key is $\lambda'$ in HAS. Furthermore, the main computational overhead of HAS is based on one ECDSA signature verification. When the message is broadcasted by the user, IMBAS takes three point multiplication operations and one hash function operation. In addition, IMBAS takes one ECDSA signature verification if the message is broadcasted by the base station. In our scheme, each sensor node is required to perform one hash function operation and one RSA signature verification.

According to [9], the energy cost to verify an ECDSA signature is 45.09 mJ in a MICA2DOT mote. Thus, we can estimate the time to perform an ECDSA signature verification is 45.09 mJ / 13.8 mW = 3.267 s. We recall that 13.8 mW is the energy consumption of the MICA2DOT mote in active mode. Besides, assume that SHA-1 is used and its energy consumption is 5.9 $\mu$J/byte [9]. Therefore, the time to perform the SHA-1 hash function is 0.01 s when the input size is 24 bytes. Obviously, the time is very small, so it can be ignored.

For a MICA2 mote at 8 MHz, it takes 0.81 s to perform one point multiplication operation over an elliptic curve [10]. Thus, the MICA2DOT mote roughly needs 0.81 × 8/4 = 1.62 s to perform such an operation. As reported in [29], the time to perform the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz is 0.752 s. Thus, for the MICA2DOT mote, it roughly needs 6.204 s (0.752 × 33/4) to perform the Tate pairing.


Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
|---|---|---|
| CAS [21] | $2T_E + 2T_h$ | ≈6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈4.2228 s ($p = 0.6$); ≈4.5414 s ($p = 0.8$) |
| Our scheme | $T_{\mathrm{RSA}} + T_h$ | ≈0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate the time to perform RSA signature verification is 11.9 mJ / 13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or by the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes, because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10,000. Obviously, our scheme is better than previous schemes.

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls in the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node takes a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node is still invariable, because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has bigger message size, it is still adoptable for the WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes. [Plot: energy consumption for verifying a message (J) against V, the total number of sensor nodes; curves for CAS, IAS, MAS, HAS, IMBAS (p = 0.6), IMBAS (p = 0.8), and our scheme.]

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, "Mobile object tracking in wireless sensor networks," Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, "Energy efficient multiple target tracking in wireless sensor networks," IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security And Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, "A pairwise key predistribution scheme for wireless sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom '05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, "Comparing elliptic curve cryptography and RSA on 8-bit CPUs," in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom '01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, "WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks," in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM '06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., "A fast and efficient source authentication solution for broadcasting in wireless sensor networks," in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS '07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, "An efficient broadcast authentication scheme in wireless sensor networks," in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, "The BiBa one-time signature and broadcast authentication protocol," in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, "Realizing robust user authentication in sensor networks," in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN '05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, "Symmetric key based authenticated querying in wireless sensor networks," in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, "An efficient scheme for user authentication in wireless sensor networks," in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW '07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, "Distributed user access control in sensor networks," in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, "IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks," Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, "On broadcast authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, "Multi-user broadcast authentication in wireless sensor networks," in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellare, C. Namprempre, and G. Neven, "Security proofs for identity-based identification and signature schemes," in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT '04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, "A database record encryption scheme using the RSA public key cryptosystem and its master keys," in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC '03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Advances in Cryptology - CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001 Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, "Computing tate pairing on smartcards," White Paper, STMicroelectronics, 2005.


Page 4: Research Article An RSA-Like Scheme for Multiuser ...downloads.hindawi.com/journals/ijdsn/2015/743623.pdf · Research Article An RSA-Like Scheme for Multiuser Broadcast Authentication


the finite field $F_p$, where $p$ is a large odd prime. The elliptic curve $E/F_p$ is defined by the equation $y^2 = x^3 + ax + b$, where $a, b \in F_q$. $G_1$ is a $q$-order subgroup of the additive group of points of $E/F_p$ [21].

3. Preliminaries

First, the concepts of the proposed network model and adversary model are introduced. Then, the review of RSA public key cryptosystem and the concept of RSA master-key are presented in the section.

3.1. The Network Model. In this model, the sensor network consists of a base station and a large number of sensor nodes. The base station is assumed to be powerful, while sensor nodes are resource-constrained. Furthermore, there are a large number of network users. These users, who roam in WSNs, can use their mobile devices to broadcast queries to WSNs for the purpose of obtaining the latest sensed data. The mobile devices of the users are more powerful than resource-constrained sensor nodes in terms of computation, communication, storage, and energy abilities. The number of network users may be dynamic. In this paper, the WSNs time is assumed to be loosely synchronized.

3.2. The Adversary Model. We assume that the base station is always trustworthy, but sensor nodes may be compromised by an adversary. Therefore, there may be some malicious sensor nodes in the WSNs. The adversary is able to compromise or capture not only sensor nodes but also users' mobile devices, and then all the secret information (e.g., keying material or secret data) held by them is known by the adversary. In addition, the adversary may impersonate these captured users to broadcast bogus messages to WSNs. So these users of WSNs have to be revoked by the base station to prevent them from destroying WSNs. Furthermore, the adversary can flood bogus messages into WSNs to exhaust the precious energy of sensor nodes. Note that the adversary can also eavesdrop and resend the messages.

3.3. RSA Public Key Cryptosystem. We give an introduction to RSA public key cryptosystem. In RSA cryptosystem, each participant holds a public/private key pair, which is generated by a certificate authority (CA). The steps of generating the public/private key pair are described as follows.

(1) Two large primes $p$ and $q$ are randomly chosen, and then $N = p \times q$ can be computed.

(2) To choose a parameter $e$, (1) has to be satisfied:

$$\mathrm{GCD}(\phi(N), e) = 1, \qquad 1 < e < \phi(N), \tag{1}$$

where $\phi(N) = (p - 1)(q - 1)$ is Euler's totient function of $N$. Consequently, a parameter $d$ can be computed through the Extended Euclidean algorithm such that

$$e \times d \equiv 1 \bmod \phi(N). \tag{2}$$

(3) Finally, $(N, e)$ is the public key and $d$ is the private key.

Now assume that $A$ wants to send a message $M$ to $B$. If $A$ wants to prove the confidentiality of $M$, he/she can use $B$'s public key $(e_B, N_B)$ to encrypt the message $M$. Then $A$ sends the encrypted message $C$ to $B$, where $C = M^{e_B} \bmod N_B$. Upon receiving the encrypted message $C$, $B$ can use his/her private key $d_B$ to recover the message $M$ by computing

$$M = C^{d_B} \bmod N_B. \tag{3}$$

On the other hand, if $A$ wants to prove the origin and integrity of $M$, he/she can use his/her private key $d_A$ to sign the message $M$. Then $A$ sends the message $M$ with the signature $S$ to $B$, where $S = M^{d_A} \bmod N_A$. Upon receiving the message $M$ and the signature $S$, $B$ can use $A$'s public key $(e_A, N_A)$ to verify the signature by computing

$$M' = S^{e_A} \bmod N_A. \tag{4}$$

And then $B$ checks whether $M = M'$ or not. The signature is accepted if so and rejected otherwise.

3.4. RSA Master-Key. The authors of [26] proposed an RSA master-key scheme, which is built on RSA cryptosystem. Suppose that there are $n$ entities $f_1, f_2, \ldots, f_n$.

(1) CA randomly chooses large primes $p_1, q_1, p_2, q_2, \ldots, p_n, q_n$ and a positive integer $e_H$, which is relatively prime to $L$, where $L = \mathrm{LCM}(L_1, L_2, \ldots, L_n)$ and $L_i = \phi(p_i \times q_i)$ for $i = 1, 2, \ldots, n$.

(2) Let $m_i = p_i \times q_i$ for $i = 1, 2, \ldots, n$. CA computes the corresponding $d_H$ such that $e_H \times d_H \equiv 1 \pmod{L}$. Then let $e_i \equiv e_H \pmod{L_i}$ and $d_i \equiv d_H \pmod{L_i}$ for each $i$.

(3) For $i = 1, 2, \ldots, n$, let $(m_i, e_i, d_i)$ be defined as the $i$th entity's RSA system with elementary encryption key $e_i$ and decryption key $d_i$. The sequence $(e_H, d_H, p_1, q_1, p_2, q_2, \ldots, p_n, q_n)$ is called the master-key of the system. This master-key is only known by CA.

(4) Therefore each119891119894

can be encrypted into119891119894

where119891119894

equiv

119891119890119894

119894

(mod119898119894

) It can also be 119891119894

equiv 119891119894

119889119894 (mod119898119894

) In factwe have119891

119894

equiv 119891119894

119889119867 (mod119898119894

) for all 119894due to the equation119890119867

times 119889119867

equiv 1 (mod119871)

4. The Proposed Multiuser Broadcast Authentication Scheme

In this section, a scheme for multiuser broadcast authentication, which is based on RSA cryptosystem and the master-key scheme [26], is presented. The detailed steps of our scheme are described in the following sections.

4.1. Our Scheme. We assume that there are $m$ network users in WSNs and the base station is the highest authority. The task of the base station is to generate a private key for each user and assign a public key for each sensor node. We use the RSA-like scheme to secure the multiuser broadcast. When a user joins or leaves, our scheme can cope with the situation. Furthermore, once a user is compromised, the base station will take an appropriate action to cope with such a situation. The steps of our scheme are described as follows.

4.1.1. The Setup Phase. First, the base station randomly chooses $2m + 2$ distinct large primes $p_i, q_i$ ($0 \le i \le m$), and it also chooses two distinct large primes $p_{bs}, q_{bs}$ for itself. Second, the base station computes $N_0 = p_0 \times q_0$ for each sensor node, $N_{bs} = p_{bs} \times q_{bs}$ for itself, and $N_1 = p_1 \times q_1, N_2 = p_2 \times q_2, \ldots, N_m = p_m \times q_m$ for users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$. Note that $2m + 4$ distinct large primes are only known by the base station, but $N_1, N_2, \ldots, N_m$ and $N_{bs}$ are public.

4.1.2. The Key Generation Phase. The base station computes the least common multiple $L_0$ of $m + 2$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs})$ such that

$$L_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs})), \tag{5}$$

where $\phi(N_i)$ is Euler's totient function of $N_i$ and $\phi(N_i) = (p_i - 1) \times (q_i - 1)$. The base station chooses a parameter $d_0$ which is relatively prime to $L_0$ ($1 < d_0 < L_0$). Then it can compute $e_0$ through the Extended Euclidean algorithm such that

$$d_0 \times e_0 \equiv 1 \bmod L_0. \tag{6}$$

Note that the bit-length of $e_0$ can be first chosen as short as possible, because each sensor node uses $e_0$ to verify signatures. The notations $d_0$ and $e_0$ used here are opposite to the common notations of RSA. The reason is that we use $d_i$ to sign messages and $e_0$ to verify signatures. After generating $d_0$, the base station uses it to generate the private keys $d_1, d_2, \ldots, d_m$ for users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$ and $d_{bs}$ for itself by computing

$$d_i = d_0 \bmod \phi(N_i), \qquad d_{bs} = d_0 \bmod \phi(N_{bs}), \tag{7}$$

where $i = 1, 2, \ldots, m$.

4.1.3. The Key Assignment Phase. After finishing the above key generation, the base station can preload/broadcast each sensor node with $e_0$ prior to the WSNs deployment or during WSNs operation time. This method is similar to the method used in [21]. For users $\mathrm{User}_1, \mathrm{User}_2, \ldots, \mathrm{User}_m$, the base station delivers $(d_1, N_1), (d_2, N_2), \ldots, (d_m, N_m)$ to them through a secure channel. The base station keeps its private key $d_{bs}$. Hence, each user has two parameters $(d_i, N_i)$, where $d_i$ must be kept secret and public $N_i$ can be used to represent his/her ID. The two parameters $(d_{bs}, N_{bs})$ have the same meaning as above for the base station.

4.1.4. Multiuser Broadcast Authentication. Assume that a user $N_i$ wants to broadcast a message $M$ to the WSNs; he/she uses his/her private key $d_i$ to sign $M$ and broadcasts the following message:

$$M, \mathrm{TS}, N_i, \mathrm{Sign}, \tag{8}$$

where TS is the timestamp and $\mathrm{Sign} = h(M, \mathrm{TS}, N_i)^{d_i} \bmod N_i$. $h(*)$ is a one-way hash function which maps arbitrary inputs to fixed length outputs. After receiving the message, a sensor node first checks whether TS is fresh. If so, the sensor node will verify the signature Sign by computing

$$h(M, \mathrm{TS}, N_i) = \mathrm{Sign}^{e_0} \bmod N_i, \tag{9}$$

where $e_0$ is the public key generated by the base station. If the above equation holds, the signature will be accepted. Otherwise, it will be rejected. For the sake of simplicity, we refer to $h(M, \mathrm{TS}, N_i)$ as $P$. Because $L_0$ is a multiple of $\phi(N_i)$, we can show that

$$e_0 \times d_i \bmod L_0 = e_0 \times (d_0 \bmod \phi(N_i)) \bmod L_0 = e_0 \times d_0 \bmod \phi(N_i) = 1. \tag{10}$$

Therefore, $e_0 \times d_i = 1 + t \times \phi(N_i)$, where $t \in N$. According to Euler's Theorem, $P^{\phi(N_i)} \bmod N_i = 1$, we can show that the above equation is correct as the following equation:

$$\begin{aligned}
\mathrm{Sign}^{e_0} \bmod N_i &= (P^{d_i} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_i \times e_0} \bmod N_i \\
&= P^{1 + t \times \phi(N_i)} \bmod N_i, \quad t \in N \\
&= P \times P^{t \times \phi(N_i)} \bmod N_i \\
&= P.
\end{aligned} \tag{11}$$

The structure can be described according to Figure 1. The relation between users and sensor nodes belongs to a two-layer structure. Every sensor node can verify the signatures signed by users. Besides, the messages broadcasted by the base station can still be verified by every sensor node using the same manner, so we do not describe it again.

4.2. User Revocation. In our scheme, once a user is revoked, the base station has to regenerate a corresponding public key $e_0'$ for sensor nodes. Suppose that a user $\mathrm{User}_c$ is compromised, and then the base station takes the steps as follows.

4.2.1. The LCM Regeneration. The base station computes the least common multiple $L_0'$ of $m + 1$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs})$, which do not include $\phi(N_c)$, such that $L_0' = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs}))$.

4.2.2. The Public Key Regeneration. To update $e_0$ with $e_0'$, the base station uses the equation $d_0 \times e_0' \equiv 1 \bmod L_0'$ to regenerate $e_0'$. Note that $d_0$ is unchanging. The reason is that $d_0$ is relatively prime to $L_0$. Once $L_0$ is changed into $L_0'$, $d_0$ is still relatively prime to $L_0'$.

Figure 1: The two-layer structure. [Diagram: a sensor node and the users User1, User2, User3, ..., Userm.]

4.2.3. The Public Key Broadcast. After regenerating $e_0'$, the base station has to broadcast $e_0'$ to WSNs. First, $e_0'$ is signed by the base station with the base station's private key $d_{bs}$ for the purpose of proving its authenticity. Second, the base station broadcasts $e_0'$ with its signature, TS, and $N_{bs}$ to WSNs. Third, upon the receipt of this message, a sensor node can use the public key $e_0$ to verify the authenticity of $e_0'$. Finally, the sensor node updates $e_0$ with $e_0'$ if the signature verification succeeds. Note that $d_0$ is unchanging, so the values $d_1, d_2, \ldots, d_m$ of legal users are still unchanging too. Suppose that an adversary forges the message broadcasted by the base station; this attack will be detected by sensor nodes, because the private key $d_{bs}$ is only known by the base station.

4.3. User Join. When a new user wants to join WSN, the steps are similar to the process of user revocation. Once a new user $\mathrm{User}_{m+1}$ wants to join WSN, the base station chooses two distinct large primes $p_{m+1}$ and $q_{m+1}$ and computes $N_{m+1} = p_{m+1} \times q_{m+1}$. Then $L_0$ can be recomputed by (5) and $d_{m+1} = d_0 \bmod \phi(N_{m+1})$. Finally, the base station delivers $(d_{m+1}, N_{m+1})$ to $\mathrm{User}_{m+1}$ through a secure channel.

5. Discussion

In this section, the scheme in terms of security, DoS attacks, and scalability is analyzed.

(1) The Problem of Factoring $N_i$. The security of our scheme is based on the difficulty of factoring $N_i$ into $p_i$ and $q_i$. Suppose an adversary knows $N_1, N_2, \ldots, N_m$, but he/she cannot compute $L_0$ such that $L_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m))$. The adversary cannot obtain $d_0$ from the equation $d_0 \times e_0 \equiv 1 \bmod L_0$ and use $d_0$ to compute $d_i$ from the equation $d_i = d_0 \bmod \phi(N_i)$. Hence, we believe that it is extremely difficult to obtain the private key $d_i$ of user $N_i$.

(2) The Problem of Preventing the Unauthorized User. When an adversary impersonates a legal user $N_i$ to sign a message $M$ with the key $d_c$, sensor nodes will fail to verify the signature attached in the message. We show the result as the following equation:

$$\begin{aligned}
\mathrm{Sign}^{e_0} \bmod N_i &= (P^{d_c} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_c \times e_0} \bmod N_i \\
&= P^{d_c \times e_0 \bmod \phi(N_i)} \bmod N_i \\
&\neq P,
\end{aligned} \tag{12}$$

where $P = h(M, \mathrm{TS}, N_i)$. Because $d_c \neq d_0 \bmod \phi(N_i)$, the signature verification fails. Therefore, the adversary cannot impersonate any legal user to inject bogus messages into WSNs successfully. Furthermore, the timestamp used in the message can also prevent the replay attack.

(3) Denial of Service (DoS) Attacks. According to [21, 27], $\mu$TESLA suffers from serious DoS attacks, because each sensor node has to buffer all the messages received within one time interval. This problem can be mitigated by the immediate verification of messages. In our scheme, each sensor node can verify messages sent by legal or illegal users immediately, so our scheme can mitigate the impact of DoS attacks. If an adversary wants to broadcast forged messages to WSNs, this attack will be detected by the sensor nodes. And then they may notify the base station of such a situation.

(4) Scalability. When old sensor nodes exhaust their energy or the sensing region of a WSN has to be enlarged, new sensor nodes have to be deployed. Our scheme can deal with this problem by preloading these sensor nodes with the network public key $e_0$. If a new user wants to join WSNs, the base station will generate two distinct large primes $p_{new}$ and $q_{new}$ for him/her. Subsequently, the new user's ID $N_{new} = p_{new} \times q_{new}$ is computed by the base station. At the same time, the base station has to regenerate the new network public key $e_0'$. Then it broadcasts $e_0'$ and its signature to the WSNs. Users can join WSNs without much overhead.

6. Performance Evaluations

In this section, the performance of our scheme in terms of communication, storage, and computational overheads is evaluated. Moreover, the scheme is compared with the previous schemes that were proposed for multiuser broadcast authentication.

6.1. Communication Overhead. In this section, our scheme and the previous schemes in terms of the communication overhead are evaluated. In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. To provide the same level of security strength as 1024-bit RSA, ECC requires $p$ of 160 bits if $G_2$ is a $q$-order subgroup of the multiplicative group of the finite field $F^*_{p^2}$ [28].

Like the assumptions used in [21], $|p|$ and $|q|$ are assumed to be 512 bits and 160 bits, respectively. And the embedded degree of $E/F_p$ is equal to 2. According to [21], suppose that a point is over $E/F_p$ and only one of its $X$ and $Y$ coordinates needs to be transmitted, because the other can be easily derived using the curve equation. We do not take this computational cost into account.

Table 1: Comparisons of communication overhead for the related schemes.

| Schemes | Message size |
|---|---|
| CAS [21] | 148 bytes |
| MAS [21] | $84 + 20 \times \log_2 m$ bytes |
| IAS [21] | 108 bytes |
| HAS [22] | $(74 + 20 \times \log_2 m)1000$ bytes |
| IMBAS [20] | 84 bytes (1); 54 bytes (2) |
| Our scheme | 278 bytes |

In this paper, 1024-bit RSA is applied to compare our scheme with the previous schemes. We recall that our broadcast message includes a user's ID $N_i$, a message $M$, a timestamp TS, and the signature attached in the message. We assume that the message $M$ is 20 bytes, the timestamp TS is 2 bytes, the user's ID is 2 bytes, and a one-way hash function with 20 bytes' outputs is used. In our scheme, both $N_i$ and the signature are 128 bytes with 1024-bit RSA.

In the remaining part of this paper, we refer to the certificate-based, Merkle hash tree based, and ID-based authentication schemes [21] as CAS, MAS, and IAS, respectively. The parameter $m$ denotes the total number of users.

In CAS, a broadcast message includes a message $M$, a timestamp TS, the signature (40 bytes) attached in the message, and the user's certificate (at least 86 bytes [9]) if Elliptic Curve Digital Signature Algorithm (ECDSA) is used. Hence, the total message size of CAS is 148 bytes. Similarly, the message sizes of MAS and IAS can also be evaluated by using the above parameters.

In HAS [22], the broadcast message includes a part message $M_2$ ($|M_2| \ge 14$ bytes), two values over the finite field $Z_q$, the public key of the user, and an AAI. We set $|M_1| = 10$ with the saving of up to 10 bytes. Then the resulting message size of HAS is $(74 + 20 \times \log_2 m)/1000$ bytes (supporting up to 1000 users and the probability of a false positive $f_{req} = 2.03 \times 10^{-17}$).

In IMBAS [20], the message broadcasted by a user (situation (1)) includes a message $M$, a timestamp TS, a user's ID, one point of $E/F_p$, and two values over the finite field $Z_q$. Hence, the resulting message size is 84 bytes. If the message is broadcasted by the base station (situation (2)), it will include a part message $M_2$ ($|M_2| \ge 14$ bytes) and two values over the finite field $Z_q$. Therefore, the message size is 54 bytes (assuming that $|M_1| = 10$ bytes).

Table 1 shows the comparisons of the different schemes in terms of message size. Furthermore, Figure 2 shows the evaluation results of the impact of the total number of network users on message size. When the number of network users varies from 0 to 10,000, the message sizes of MAS and HAS increase with the number of network users. Instead, the message sizes of the other schemes are still unchanging.

In addition, we quantify the performance on message broadcast for the six schemes. We use the MICA2DOT mote, which is a popular platform for WSNs. The MICA2DOT mote is equipped with the Atmel ATmega128L 8-bit microcontroller at 4 MHz and the Chipcon CC1000 low-power wireless transceiver [9]. As reported in [9], the energy consumption of MICA2DOT mote in active and power-down modes is 13.8 and 0.0075 mW, respectively. Furthermore, the MICA2DOT mote consumes 59.2 and 28.6 μJ to transmit and receive one byte, respectively.

Figure 2: Message size versus the total number of network users (x-axis: $m$, total number of network users; y-axis: message size (byte); curves: CAS, IAS, our scheme, IMBAS $p = 0.6$, MAS, HAS, IMBAS $p = 0.8$).

In our scheme, the broadcasting message is $M$, TS, $N_i$, Sign, and the size is 20 bytes (message $M$) + 2 bytes (timestamp TS) + 128 bytes ($N_i$) + 128 bytes (Sign) = 278 bytes. The payload for each packet is 32 bytes, so we require 9 packets to transmit the broadcasting message. And each packet requires a 9 bytes' header ensuing 8 bytes' preamble, which consists of source, destination, length, packet ID, CRC, and control bytes [9]. Therefore, it requires transmitting 441 bytes ((32 + 9 + 8) bytes × 9 = 441 bytes). In addition, energy consumption on transmitting and receiving a broadcast message of our scheme is 441 × 59.2 μJ = 26.11 and 441 × 28.6 μJ = 12.61 mJ, respectively. To estimate the energy consumption of broadcasting a message to the entire network, each sensor node has to retransmit once and receive $v$ times the same message, where $v$ is the number of neighbors for a sensor node. Eventually, the total energy consumption of our scheme is $V \times (26.11 + v \times 12.61)$ mJ, where $V$ is the total number of sensor nodes. Similarly, the energy consumption of CAS, MAS, IAS, and IMBAS schemes on message broadcast can also be estimated. In order to have a consistent comparison environment, the parameters are chosen as the same as [21]. Figure 3 shows energy consumption of the schemes on message broadcast, where $v = 20$, $p$ is the probability of the user broadcast, the probability of the base station broadcast is $1 - p$, and there are 1024 users ($m = 1024$). Figure 4 shows the energy consumption of the schemes on message broadcast for a sensor node when $v$ varies. Therefore, we can find that the other schemes except for MAS outperform our scheme since our scheme has larger message size.

Figure 3: Energy consumption on message broadcast versus the total number of sensor nodes (x-axis: $V$, total number of sensor nodes; y-axis: energy consumption on message broadcast (J); curves: CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, IMBAS $p = 0.8$).

Figure 4: Energy consumption on message broadcast versus the number of neighbors for a sensor node (x-axis: $v$, number of neighbors for a sensor node; y-axis: energy consumption on message broadcast (mJ); curves: CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, IMBAS $p = 0.8$).

6.2. Storage Overhead. In the comparison, the same settings are used as in Section 6.1. In CAS, each sensor node is required to store the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $h$, $P$, and $P_{pub}$) if ECDSA is used. $h$ is a one-way hash function such as SHA-1, $P$ is a generator of $G_1$, and $P_{pub}$ is the network public key of the base station. Note that $P_{pub}$ and $P$ are two points over $E/F_p$, among which only one of their $X$ and $Y$ coordinates needs to be stored.

In MAS, it requires each sensor node to keep the value $h_r$, which is the final root node of the hash tree. Furthermore, each sensor node has to store the ECC's parameters if an updated $h_r$ should be signed by the base station to prove its authenticity.

Table 2: Comparisons of storage overhead for the six schemes.

| Schemes | Memory size | Quantitative result |
|---|---|---|
| CAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| MAS [21] | $p$, $q$, $a$, $b$, $h_r$, $P$, $P_{pub}$ | ≈140 bytes |
| IAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| HAS [22] | A Bloom filter, $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈10155 bytes |
| IMBAS [20] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| Our scheme | $e_0$ | 128 bytes |

Figure 5: Storage size per sensor node versus the total number of network users (x-axis: $m$, total number of network users; y-axis: storage size (byte); curves: CAS, IAS, MAS, HAS, our scheme, IMBAS).

In IAS, each sensor node also has to be preloaded with the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $G_2$, $e$, $H$, $h$, $P$, and $P_{pub}$), where $H$ is the MapToPoint hash function, which can map strings to nonzero elements in $G_1$. When HAS supports up to 1000 users, each sensor node is required to store 9.8 KBytes for a single Bloom filter [22] ($f_{req} = 2.03 \times 10^{-17}$).

The parameters used by IMBAS [20] are similar to IAS's parameters, not including $G_2$, $e$, and $H$, so we do not describe them again. For our scheme, only the public key $e_0$ has to be stored by each sensor node. For the sake of simplicity, we only quantify the parameters ($p$, $q$, $a$, $b$, $P$, and $P_{pub}$) for the ECC based schemes to compare our scheme with them.

The comparisons of the different schemes are shown in Table 2. Clearly, it can be observed that most of the schemes outperform HAS in terms of storage overhead for each sensor node. In addition, from Figure 5, it can be observed that the storage size of our scheme is much less than HAS. Moreover, the storage size of HAS increases significantly when the number of network users varies from 0 to 1000. Therefore, it can be inferred that the scalability of HAS is not good as compared with the other schemes.

6.3. Storage Overhead on Revocation List. An adversary may capture the devices of legal users, and then he/she can impersonate these legal users to broadcast bogus messages to WSNs for the purpose of exhausting the precious energy of sensor nodes. So the base station has to revoke these illegal users in WSNs. The previous schemes require each sensor node to store the IDs of revoked users infinitely when the number of revoked users increases unceasingly. For example, CAS, HAS, and IMBAS require each sensor node to store the revoked IDs. Therefore, the three schemes may incur a large amount of storage overhead.

Figure 6: Storage size per sensor node versus the number of revoked users (x-axis: number of revoked users; y-axis: additional storage size (byte); curves: CAS, IAS, MAS, HAS, our scheme, IMBAS).

Table 3: A table illustrating whether or not current users have to obtain new authentication information from the base station for the six schemes.

| | CAS [21] | MAS [21] | IAS [21] | HAS [22] | IMBAS [20] | Our scheme |
|---|---|---|---|---|---|---|
| Yes or No | No | Yes | Yes | No | No | No |

In IAS, each sensor node stores the revoked IDs only within one time interval and removes them at the beginning of the next time interval because each user has to obtain a new private key from the base station at the beginning of each time interval. Instead, MAS and our scheme do not require each sensor node to store any revoked ID due to the update of $h_r$ and $e_0$. We assume that there are two hundred users that are revoked by the base station within each time interval.

Figure 6 shows the comparisons of the storage size for the six schemes with respect to the number of revoked users. In addition, once an illegal user is revoked, MAS requires current users to obtain the updated AAIs regenerated by the base station. This may be impractical for the current users roaming in WSNs. In IAS, each current user also has to obtain a new private key from the base station at the beginning of each time interval, so it is still impractical for the current users. Table 3 illustrates whether or not current users have to obtain new authentication information from the base station.

6.4. Computational Overhead. In this section, the computational overhead of each sensor node will be evaluated by us. We focus on the computational overhead of verifying a message broadcasted by a user for each sensor node. Note that we still use the same assumptions as mentioned before for our evaluations. In order to compare our scheme with the other schemes in terms of computational overhead, we define seven notations as follows:

(i) $T_m$ is the time to perform one point multiplication operation over an elliptic curve.
(ii) $T_p$ is the time to perform one pairing operation.
(iii) $T_E$ is the time to perform one signature verification (ECDSA-160).
(iv) $T_h$ is the time to perform one one-way hash function operation.
(v) $T_H$ is the time to perform one MapToPoint hash function operation.
(vi) $T_e$ is the time to perform one modular exponentiation operation in $G_2$.
(vii) $T_{RSA}$ is the time to perform one signature verification (RSA-1024).

In CAS, each sensor node has to perform two ECDSA signature verification procedures and two hash function operations. In MAS, to verify the user's public key, it requires a chain of hash function operations, and we assume that there are $\lambda$ hash function operations to be performed. In IAS, it requires one modular exponentiation operation in $G_2$, one MapToPoint hash function operation, and two pairing operations. We simply assume that the total number of hash function operations for each sensor node to verify the user's public key is $\lambda'$ in HAS. Furthermore, the main computational overhead of HAS is based on one ECDSA signature verification. When the message is broadcasted by the user, IMBAS takes three point multiplication operations and one hash function operation. In addition, IMBAS takes one ECDSA signature verification if the message is broadcasted by the base station. In our scheme, each sensor node is required to perform one hash function operation and one RSA signature verification.

According to [9], the energy cost to verify an ECDSA signature is 45.09 mJ in a MICA2DOT mote. Thus, we can estimate the time to perform an ECDSA signature verification is 45.09 mJ/13.8 mW = 3.267 s. We recall that 13.8 mW is the energy consumption of the MICA2DOT mote in active mode. Besides, assume that SHA-1 is used and its energy consumption is 5.9 μJ/byte [9]. Therefore, the time to perform the SHA-1 hash function is 0.01 s when the input size is 24 bytes. Obviously, the time is very small, so it can be ignored.

For a MICA2 mote at 8 MHz, it takes 0.81 s to perform one point multiplication operation over an elliptic curve [10]. Thus, MICA2DOT mote roughly needs 0.81 × 8/4 = 1.62 s to perform such an operation. As reported in [29], the time to perform the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz is 0.752 s. Thus, for the MICA2DOT mote, it roughly needs 6.204 s (0.752 × 33/4) to perform the Tate pairing.

Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
|---|---|---|
| CAS [21] | $2T_E + 2T_h$ | ≈6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈4.2228 s ($p = 0.6$); ≈4.5414 s ($p = 0.8$) |
| Our scheme | $T_{RSA} + T_h$ | ≈0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate the time to perform RSA signature verification is 11.9 mJ/13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10,000. Obviously, our scheme is better than previous schemes.

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls in the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node takes a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node is still invariable because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has bigger message size, it is still adoptable for the WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes (x-axis: $V$, total number of sensor nodes; y-axis: energy consumption for verifying a message (J); curves: CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, IMBAS $p = 0.8$).

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, "Mobile object tracking in wireless sensor networks," Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, "Energy efficient multiple target tracking in wireless sensor networks," IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security And Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, "A pairwise key predistribution scheme for wireless sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom '05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, "Comparing elliptic curve cryptography and RSA on 8-bit CPUs," in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom '01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, "WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks," in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM '06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., "A fast and efficient source authentication solution for broadcasting in wireless sensor networks," in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS '07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, "An efficient broadcast authentication scheme in wireless sensor networks," in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, "The BiBa one-time signature and broadcast authentication protocol," in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, "Realizing robust user authentication in sensor networks," in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN '05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, "Symmetric key based authenticated querying in wireless sensor networks," in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, "An efficient scheme for user authentication in wireless sensor networks," in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW '07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, "Distributed user access control in sensor networks," in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, San Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, "IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks," Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, "On broadcast authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, "Multi-user broadcast authentication in wireless sensor networks," in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellare, C. Namprempre, and G. Neven, "Security proofs for identity-based identification and signature schemes," in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT '04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, "A database record encryption scheme using the RSA public key cryptosystem and its master keys," in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC '03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Advances in Cryptology—CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001 Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, "Computing tate pairing on smartcards," White Paper, STMicroelectronics, 2005.


Page 5: Research Article An RSA-Like Scheme for Multiuser ...downloads.hindawi.com/journals/ijdsn/2015/743623.pdf · Research Article An RSA-Like Scheme for Multiuser Broadcast Authentication


task of the base station is to generate a private key for each user and assign a public key for each sensor node. We use the RSA-like scheme to secure the multiuser broadcast. When the event which a user joins or leaves happens, our scheme can cope with the situation. Furthermore, once a user is compromised, the base station will take an appropriate action to cope with such a situation. The steps of our scheme are described as follows.

4.1.1. The Setup Phase. First, the base station randomly chooses $2m + 2$ distinct large primes $p_i$, $q_i$ ($0 \le i \le m$), and it also chooses two distinct large primes $p_{bs}$, $q_{bs}$ for itself. Second, the base station computes $N_0 = p_0 \times q_0$ for each sensor node, $N_{bs} = p_{bs} \times q_{bs}$ for itself, and $N_1 = p_1 \times q_1$, $N_2 = p_2 \times q_2$, $\ldots$, $N_m = p_m \times q_m$ for users $\mathrm{User}_1$, $\mathrm{User}_2$, $\ldots$, $\mathrm{User}_m$. Note that $2m + 4$ distinct large primes are only known by the base station, but $N_1, N_2, \ldots, N_m$ and $N_{bs}$ are public.

4.1.2. The Key Generation Phase. The base station computes the least common multiple $L_0$ of $m + 2$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs})$ such that

$$L_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs})), \tag{5}$$

where $\phi(N_i)$ is Euler's totient function of $N_i$ and $\phi(N_i) = (p_i - 1) \times (q_i - 1)$. The base station chooses a parameter $d_0$ which is relatively prime to $L_0$ ($1 < d_0 < L_0$). Then it can compute $e_0$ through Extended Euclidean algorithm such that

$$d_0 \times e_0 \equiv 1 \bmod L_0. \tag{6}$$

Note that the bit-length of $e_0$ can be first chosen as short as possible because each sensor node uses $e_0$ to verify signatures. The notations $d_0$ and $e_0$ used here are opposite to the common notations of RSA. The reason is that we use $d_i$ to sign messages and $e_0$ to verify signatures. After generating $d_0$, the base station uses it to generate the private keys $d_1, d_2, \ldots, d_m$ for users $\mathrm{User}_1$, $\mathrm{User}_2$, $\ldots$, $\mathrm{User}_m$ and $d_{bs}$ for itself by computing

$$d_i = d_0 \bmod \phi(N_i), \qquad d_{bs} = d_0 \bmod \phi(N_{bs}), \tag{7}$$

where $i = 1, 2, \ldots, m$.

4.1.3. The Key Assignment Phase. After finishing the above key generation, the base station can preload/broadcast each sensor node with $e_0$ prior to the WSNs deployment or during WSNs operation time. This method is similar to the method used in [21]. For users $\mathrm{User}_1$, $\mathrm{User}_2$, $\ldots$, $\mathrm{User}_m$, the base station delivers $(d_1, N_1), (d_2, N_2), \ldots, (d_m, N_m)$ to them through a secure channel. The base station keeps its private key $d_{bs}$. Hence, each user has two parameters $(d_i, N_i)$, where $d_i$ must be kept secret and public $N_i$ can be used to represent his/her ID. The two parameters $(d_{bs}, N_{bs})$ have the same meaning as above for the base station.

4.1.4. Multiuser Broadcast Authentication. Assume that a user $N_i$ wants to broadcast a message $M$ to the WSNs; he/she uses his/her private key $d_i$ to sign $M$ and broadcasts the following message:

$$M, \mathrm{TS}, N_i, \mathrm{Sign}, \tag{8}$$

where TS is the timestamp and $\mathrm{Sign} = h(M, \mathrm{TS}, N_i)^{d_i} \bmod N_i$. $h(*)$ is a one-way hash function which maps arbitrary inputs to fixed length outputs. After receiving the message, a sensor node first checks whether TS is fresh. If so, the sensor node will verify the signature Sign by computing

$$h(M, \mathrm{TS}, N_i) = \mathrm{Sign}^{e_0} \bmod N_i, \tag{9}$$

where $e_0$ is the public key generated by the base station. If the above equation holds, the signature will be accepted. Otherwise, it will be rejected. For the sake of simplicity, we refer to $h(M, \mathrm{TS}, N_i)$ as $P$. Because $L_0$ is a multiple of $\phi(N_i)$, we can show that

$$e_0 \times d_i \bmod L_0 = e_0 \times (d_0 \bmod \phi(N_i)) \bmod L_0 = e_0 \times d_0 \bmod \phi(N_i) = 1. \tag{10}$$

Therefore, $e_0 \times d_i = 1 + t \times \phi(N_i)$, where $t \in N$. According to Euler's Theorem, $P^{\phi(N_i)} \bmod N_i = 1$, we can show that the above equation is correct as the following equation:

$$\begin{aligned}
\mathrm{Sign}^{e_0} \bmod N_i &= (P^{d_i} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_i \times e_0} \bmod N_i \\
&= P^{1 + t \times \phi(N_i)} \bmod N_i, \quad t \in N \\
&= P \times P^{t \times \phi(N_i)} \bmod N_i \\
&= P.
\end{aligned} \tag{11}$$

The structure can be described according to Figure 1. The relation between users and sensor nodes belongs to a two-layer structure. Every sensor node can verify the signatures signed by users. Besides, the messages broadcasted by the base station can still be verified by every sensor node using the same manner, so we do not describe it again.

4.2. User Revocation. In our scheme, once a user is revoked, the base station has to regenerate a corresponding public key $e'_0$ for sensor nodes. Suppose that a user $\mathrm{User}_c$ is compromised, and then the base station takes the steps as follows.

4.2.1. The LCM Regeneration. The base station computes the least common multiple $L'_0$ of $m + 1$ integers $\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs})$, which do not include $\phi(N_c)$, such that $L'_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m), \phi(N_{bs}))$.

4.2.2. The Public Key Regeneration. To update $e_0$ with $e'_0$, the base station uses the equation $d_0 \times e'_0 \equiv 1 \bmod L'_0$ to regenerate $e'_0$. Note that $d_0$ is unchanging. The reason is that $d_0$ is relatively prime to $L_0$. Once $L_0$ is changed into $L'_0$, $d_0$ is still relatively prime to $L'_0$.

Figure 1: The two-layer structure (sensor node; $\mathrm{User}_1$, $\mathrm{User}_2$, $\mathrm{User}_3$, $\ldots$, $\mathrm{User}_m$).

4.2.3. The Public Key Broadcast. After regenerating $e_0'$, the base station has to broadcast $e_0'$ to WSNs. First, $e_0'$ is signed by the base station with the base station's private key $d_{bs}$ for the purpose of proving its authenticity. Second, the base station broadcasts $e_0'$ with its signature, TS, and $N_{bs}$ to WSNs. Third, upon the receipt of this message, a sensor node can use the public key $e_0$ to verify the authenticity of $e_0'$. Finally, the sensor node updates $e_0$ with $e_0'$ if the signature verification succeeds. Note that $d_0$ is unchanging, so the values $d_1, d_2, \ldots, d_m$ of legal users are still unchanging too. Suppose that an adversary forges the message broadcasted by the base station; this attack will be detected by sensor nodes because the private key $d_{bs}$ is only known by the base station.

4.3. User Join. When a new user wants to join WSN, the steps are similar to the process of user revocation. Once a new user $\mathrm{User}_{m+1}$ wants to join WSN, the base station chooses two distinct large primes $p_{m+1}$ and $q_{m+1}$ and computes $N_{m+1} = p_{m+1} \times q_{m+1}$. Then $L_0$ can be recomputed by (5) and $d_{m+1} = d_0 \bmod \phi(N_{m+1})$. Finally, the base station delivers $(d_{m+1}, N_{m+1})$ to $\mathrm{User}_{m+1}$ through a secure channel.

5. Discussion

In this section, the scheme is analyzed in terms of security, DoS attacks, and scalability.

(1) The Problem of Factoring $N_i$. The security of our scheme is based on the difficulty of factoring $N_i$ into $p_i$ and $q_i$. Suppose an adversary knows $N_1, N_2, \ldots, N_m$, but he/she cannot compute $L_0$ such that $L_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m))$. The adversary cannot obtain $d_0$ from the equation $d_0 \times e_0 \equiv 1 \bmod L_0$ and use $d_0$ to compute $d_i$ from the equation $d_i = d_0 \bmod \phi(N_i)$. Hence, we believe that it is extremely difficult to obtain the private key $d_i$ of user $N_i$.

(2) The Problem of Preventing the Unauthorized User. When an adversary impersonates a legal user $N_i$ to sign a message $M$ with the key $d_c$, sensor nodes will fail to verify the signature attached in the message. We show the result as the following equation:

$$
\begin{aligned}
\mathrm{Sign}^{e_0} \bmod N_i &= (P^{d_c} \bmod N_i)^{e_0} \bmod N_i \\
&= P^{d_c \times e_0} \bmod N_i \\
&= P^{d_c \times e_0 \bmod \phi(N_i)} \bmod N_i \\
&\neq P,
\end{aligned}
\tag{12}
$$

where $P = h(M, \mathrm{TS}, N_i)$. Because $d_c \neq d_0 \bmod \phi(N_i)$, the signature verification fails. Therefore, the adversary cannot impersonate any legal user to inject bogus messages into WSNs successfully. Furthermore, the timestamp used in the message can also prevent the replay attack.

(3) Denial of Service (DoS) Attacks. According to [21, 27], $\mu$TESLA suffers from serious DoS attacks because each sensor node has to buffer all the messages received within one time interval. This problem can be mitigated by the immediate verification of messages. In our scheme, each sensor node can verify messages sent by legal or illegal users immediately, so our scheme can mitigate the impact of DoS attacks. If an adversary wants to broadcast forged messages to WSNs, this attack will be detected by the sensor nodes. And then they may notify the base station of such a situation.

(4) Scalability. When old sensor nodes exhaust their energy or the sensing region of a WSN has to be enlarged, new sensor nodes have to be deployed. Our scheme can deal with this problem by preloading these sensor nodes with the network public key $e_0$. If a new user wants to join WSNs, the base station will generate two distinct large primes $p_{new}$ and $q_{new}$ for him/her. Subsequently, the new user's ID $N_{new} = p_{new} \times q_{new}$ is computed by the base station. At the same time, the base station has to regenerate the new network public key $e_0'$. Then it broadcasts $e_0'$ and its signature to the WSNs. Users can join WSNs without much overhead.
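The key regeneration of Sections 4.2.1 and 4.2.2 and the impersonation case of item (2), worked through as an added example that is not the authors' code. It uses constructed toy primes, a constructed d_0 = 1000003, and SHA-1 as h. It assumes the LCM is taken over the users' and the base station's totients only (the ø(N_0) term is left out because N_0 is not defined in this part of the paper). All class and function names are hypothetical.

```python
import hashlib
from functools import reduce
from math import gcd

# Constructed toy parameters (far too small to be secure; the paper uses 1024-bit N_i).
USER_PRIMES = {1: (23, 47), 2: (59, 83), 3: (107, 167)}   # (p_i, q_i) per user
BS_PRIMES = (179, 227)                                    # base station's (p_bs, q_bs)
D0 = 1000003                                              # master private exponent d_0


def lcm_all(values):
    return reduce(lambda a, b: a * b // gcd(a, b), values)


class BaseStation:
    """Holds the primes and d_0; derives e_0 and each user's (d_i, N_i)."""

    def __init__(self, user_primes, bs_primes, d0):
        self.d0 = d0
        self.totients = {uid: (p - 1) * (q - 1) for uid, (p, q) in user_primes.items()}
        self.moduli = {uid: p * q for uid, (p, q) in user_primes.items()}
        self.bs_totient = (bs_primes[0] - 1) * (bs_primes[1] - 1)
        self.e0 = self._derive_e0()

    def _derive_e0(self):
        # L_0 = LCM of ø(N_i) over current users and ø(N_bs); d_0 * e_0 ≡ 1 (mod L_0).
        l0 = lcm_all(list(self.totients.values()) + [self.bs_totient])
        if gcd(self.d0, l0) != 1:
            raise ValueError("d_0 must be relatively prime to L_0")
        return pow(self.d0, -1, l0)          # modular inverse, Python 3.8+

    def user_key(self, uid):
        # d_i = d_0 mod ø(N_i); handed to the user over a secure channel.
        return self.d0 % self.totients[uid], self.moduli[uid]

    def revoke(self, uid):
        # Sections 4.2.1-4.2.2: drop ø(N_c) from the LCM, regenerate e_0'; d_0 is unchanged.
        del self.totients[uid]
        del self.moduli[uid]
        self.e0 = self._derive_e0()
        return self.e0


def digest(message, ts, n):
    # P = h(M, TS, N_i). Reduced mod N only because the toy N is shorter than SHA-1 output.
    data = b"|".join([message, str(ts).encode(), str(n).encode()])
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n


def sign_digest(p, d, n):
    return pow(p, d, n)                      # Sign = P^d mod N


def verify_digest(p, sig, e0, n):
    return pow(sig, e0, n) == p % n          # accept iff Sign^e0 mod N == P


def user_sign(message, ts, d, n):
    return sign_digest(digest(message, ts, n), d, n)


def node_verify(e0, message, ts, n, sig):
    # A sensor node stores only e_0; M, TS, N_i and Sign arrive in the broadcast.
    return verify_digest(digest(message, ts, n), sig, e0, n)


def accepted(e0, d, n, rounds=50):
    """Count constructed queries (TS = 0..rounds-1) signed with d that verify under N."""
    msg = b"read temperature"
    return sum(node_verify(e0, msg, ts, n, user_sign(msg, ts, d, n)) for ts in range(rounds))


def demo():
    bs = BaseStation(USER_PRIMES, BS_PRIMES, D0)
    keys = {uid: bs.user_key(uid) for uid in USER_PRIMES}
    e0_old = bs.e0
    before = {uid: accepted(e0_old, d, n) for uid, (d, n) in keys.items()}
    # Item (2): user 2's key d_c used under user 1's identity N_1.
    impersonation = accepted(e0_old, keys[2][0], keys[1][1])
    e0_new = bs.revoke(3)
    after = {uid: accepted(e0_new, d, n) for uid, (d, n) in keys.items()}
    return {"e0_old": e0_old, "e0_new": e0_new, "before": before,
            "impersonation": impersonation, "after": after}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Results are reported as counts over 50 constructed queries because, with moduli this small, an invalid signature can match the reduced digest by chance.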

6. Performance Evaluations

In this section, the performance of our scheme in terms of communication, storage, and computational overheads is evaluated. Moreover, the scheme is compared with the previous schemes that were proposed for multiuser broadcast authentication.

6.1. Communication Overhead. In this section, our scheme and the previous schemes are evaluated in terms of the communication overhead. In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. To provide the same level of security strength as 1024-bit RSA, ECC requires $p$ of 160 bits if $G_2$ is a $q$-order subgroup of the multiplicative group of the finite field $F^*_{p^2}$ [28].

Like the assumptions used in [21], $|p|$ and $|q|$ are assumed to be 512 bits and 160 bits, respectively. And the embedded degree of $E/F_p$ is equal to 2. According to [21], suppose that a point is over $E/F_p$ and only one of its $X$ and $Y$ coordinates needs to be transmitted because the other can be easily derived using the curve equation. We do not take this computational cost into account.

Table 1: Comparisons of communication overhead for the related schemes.

| Schemes | Message size |
|---|---|
| CAS [21] | 148 bytes |
| MAS [21] | $84 + 20 \times \log_2 m$ bytes |
| IAS [21] | 108 bytes |
| HAS [22] | $(74 + 20 \times \log_2 m)/1000$ bytes |
| IMBAS [20] | 84 bytes (1); 54 bytes (2) |
| Our scheme | 278 bytes |

In this paper, 1024-bit RSA is applied to compare our scheme with the previous schemes. We recall that our broadcast message includes a user's ID $N_i$, a message $M$, a timestamp TS, and the signature attached in the message. We assume that the message $M$ is 20 bytes, the timestamp TS is 2 bytes, the user's ID is 2 bytes, and a one-way hash function with 20 bytes' outputs is used. In our scheme, both $N_i$ and the signature are 128 bytes with 1024-bit RSA.

In the remaining part of this paper, we refer to the certificate-based, Merkle hash tree based, and ID-based authentication schemes [21] as CAS, MAS, and IAS, respectively. The parameter $m$ denotes the total number of users.

In CAS, a broadcast message includes a message $M$, a timestamp TS, the signature (40 bytes) attached in the message, and the user's certificate (at least 86 bytes [9]) if Elliptic Curve Digital Signature Algorithm (ECDSA) is used. Hence, the total message size of CAS is 148 bytes. Similarly, the message sizes of MAS and IAS can also be evaluated by using the above parameters.

In HAS [22], the broadcast message includes a part message $M_2$ ($|M_2| \ge 14$ bytes), two values over the finite field $Z_q$, the public key of the user, and an AAI. We set $|M_1| = 10$ with the saving of up to 10 bytes. Then the resulting message size of HAS is $(74 + 20 \times \log_2 m)/1000$ bytes (supporting up to 1000 users and the probability of a false positive $f_{req} = 203 \times 10^{-17}$).

In IMBAS [20], the message broadcasted by a user (situation (1)) includes a message $M$, a timestamp TS, a user's ID, one point of $E/F_p$, and two values over the finite field $Z_q$. Hence, the resulting message size is 84 bytes. If the message is broadcasted by the base station (situation (2)), it will include a part message $M_2$ ($|M_2| \ge 14$ bytes) and two values over the finite field $Z_q$. Therefore, the message size is 54 bytes (assuming that $|M_1| = 10$ bytes).

Table 1 shows the comparisons of the different schemes in terms of message size. Furthermore, Figure 2 shows the evaluation results of the impact of the total number of network users on message size. When the number of network users varies from 0 to 10 000, the message sizes of MAS and HAS increase with the number of network users. Instead, the message sizes of the other schemes are still unchanging.

In addition, we quantify the performance on message broadcast for the six schemes. We use the MICA2DOT mote, which is a popular platform for WSNs. The MICA2DOT mote is equipped with the Atmel ATmega128L 8-bit microcontroller at 4 MHz and the Chipcon CC1000 low-power wireless transceiver [9]. As reported in [9], the energy consumption of MICA2DOT mote in active and power-down modes is 13.8 and 0.0075 mW, respectively. Furthermore, the MICA2DOT mote consumes 59.2 and 28.6 μJ to transmit and receive one byte, respectively.

Figure 2: Message size versus the total number of network users. (Plot of message size (byte) against $m$ (total number of network users) for CAS, IAS, our scheme, IMBAS $p = 0.6$, MAS, HAS, and IMBAS $p = 0.8$.)

In our scheme, the broadcasting message is $M$, TS, $N_i$, Sign, and the size is 20 bytes (message $M$) + 2 bytes (timestamp TS) + 128 bytes ($N_i$) + 128 bytes (Sign) = 278 bytes. The payload for each packet is 32 bytes, so we require 9 packets to transmit the broadcasting message. And each packet requires a 9 bytes' header ensuing 8 bytes' preamble, which consists of source, destination, length, packet ID, CRC, and control bytes [9]. Therefore, it requires transmitting 441 bytes ((32 + 9 + 8) bytes × 9 = 441 bytes). In addition, energy consumption on transmitting and receiving a broadcast message of our scheme is 441 × 59.2 μJ = 26.11 mJ and 441 × 28.6 μJ = 12.61 mJ, respectively. To estimate the energy consumption of broadcasting a message to the entire network, each sensor node has to retransmit once and receive $v$ times the same message, where $v$ is the number of neighbors for a sensor node. Eventually, the total energy consumption of our scheme is $V \times (26.11 + v \times 12.61)$ mJ, where $V$ is the total number of sensor nodes. Similarly, the energy consumption of CAS, MAS, IAS, and IMBAS schemes on message broadcast can also be estimated. In order to have a consistent comparison environment, the parameters are chosen as the same as [21]. Figure 3 shows energy consumption of the schemes on message broadcast, where $v = 20$, $p$ is the probability of the user broadcast, the probability of the base station broadcast is $1 - p$, and there are 1024 users ($m = 1024$). Figure 4 shows the energy consumption of the schemes on message broadcast for a sensor node when $v$ varies. Therefore, we can find that the other schemes except for MAS outperform our scheme, since our scheme has larger message size.

Figure 3: Energy consumption on message broadcast versus the total number of sensor nodes. (Plot of energy consumption on message broadcast (J) against $V$ (total number of sensor nodes) for CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, and IMBAS $p = 0.8$.)

Figure 4: Energy consumption on message broadcast versus the number of neighbors for a sensor node. (Plot of energy consumption on message broadcast (mJ) against $v$ (number of neighbors for a sensor node) for CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, and IMBAS $p = 0.8$.)

6.2. Storage Overhead. In the comparison, the same settings are used as in Section 6.1. In CAS, each sensor node is required to store the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $h$, $P$, and $P_{pub}$) if ECDSA is used. $h$ is a one-way hash function such as SHA-1, $P$ is a generator of $G_1$, and $P_{pub}$ is the network public key of the base station. Note that $P_{pub}$ and $P$ are two points over $E/F_p$, among which only one of their $X$ and $Y$ coordinates needs to be stored.

In MAS, it requires each sensor node to keep the value $h_r$, which is the final root node of the hash tree. Furthermore, each sensor node has to store the ECC's parameters if an updated $h_r$ should be signed by the base station to prove its authenticity.

Table 2: Comparisons of storage overhead for the six schemes.

| Schemes | Memory size | Quantitative result |
|---|---|---|
| CAS [21] | $p, q, a, b, P, P_{pub}$ | ≈120 bytes |
| MAS [21] | $p, q, a, b, h_r, P, P_{pub}$ | ≈140 bytes |
| IAS [21] | $p, q, a, b, P, P_{pub}$ | ≈120 bytes |
| HAS [22] | A Bloom filter, $p, q, a, b, P, P_{pub}$ | ≈10155 bytes |
| IMBAS [20] | $p, q, a, b, P, P_{pub}$ | ≈120 bytes |
| Our scheme | $e_0$ | 128 bytes |

Figure 5: Storage size per sensor node versus the total number of network users. (Plot of storage size (byte) against $m$ (total number of network users) for CAS, IAS, MAS, HAS, our scheme, and IMBAS.)

In IAS, each sensor node also has to be preloaded with the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $G_2$, $e$, $H$, $h$, $P$, and $P_{pub}$), where $H$ is the MapToPoint hash function, which can map strings to nonzero elements in $G_1$. When HAS supports up to 1000 users, each sensor node is required to store 9.8 KBytes for a single Bloom filter [22] ($f_{req} = 203 \times 10^{-17}$). The parameters used by IMBAS [20] are similar to IAS's parameters, not including $G_2$, $e$, and $H$, so we do not describe them again. For our scheme, only the public key $e_0$ has to be stored by each sensor node. For the sake of simplicity, we only quantify the parameters ($p$, $q$, $a$, $b$, $P$, and $P_{pub}$) for the ECC based schemes to compare our scheme with them.

The comparisons of the different schemes are shown in Table 2. Clearly, it can be observed that most of the schemes outperform HAS in terms of storage overhead for each sensor node. In addition, from Figure 5, it can be observed that the storage size of our scheme is much less than HAS. Moreover, the storage size of HAS increases significantly when the number of network users varies from 0 to 1000. Therefore, it can be inferred that the scalability of HAS is not good as compared with the other schemes.

6.3. Storage Overhead on Revocation List. An adversary may capture the devices of legal users, and then he/she can impersonate these legal users to broadcast bogus messages to WSNs for the purpose of exhausting the precious energy of sensor nodes. So the base station has to revoke these illegal users in WSNs. The previous schemes require each sensor node to store the IDs of revoked users infinitely when the number of revoked users increases unceasingly. For example, CAS, HAS, and IMBAS require each sensor node to store the revoked IDs. Therefore, the three schemes may incur a large amount of storage overhead.

Figure 6: Storage size per sensor node versus the number of revoked users. (Plot of additional storage size (byte) against the number of revoked users for CAS, IAS, MAS, HAS, our scheme, and IMBAS.)

Table 3: A table illustrating whether or not current users have to obtain new authentication information from the base station for the six schemes.

| | CAS [21] | MAS [21] | IAS [21] | HAS [22] | IMBAS [20] | Our scheme |
|---|---|---|---|---|---|---|
| Yes or No | No | Yes | Yes | No | No | No |

In IAS, each sensor node stores the revoked IDs only within one time interval and removes them at the beginning of the next time interval, because each user has to obtain a new private key from the base station at the beginning of each time interval. Instead, MAS and our scheme do not require each sensor node to store any revoked ID due to the update of $h_r$ and $e_0$. We assume that there are two hundred users that are revoked by the base station within each time interval.

Figure 6 shows the comparisons of the storage size for the six schemes with respect to the number of revoked users. In addition, once an illegal user is revoked, MAS requires current users to obtain the updated AAIs regenerated by the base station. This may be impractical for the current users roaming in WSNs. In IAS, each current user also has to obtain a new private key from the base station at the beginning of each time interval, so it is still impractical for the current users. Table 3 illustrates whether or not current users have to obtain new authentication information from the base station.

6.4. Computational Overhead. In this section, the computational overhead of each sensor node will be evaluated by us. We focus on the computational overhead of verifying a message broadcasted by a user for each sensor node. Note that we still use the same assumptions as mentioned before for our evaluations. In order to compare our scheme with the other schemes in terms of computational overhead, we define seven notations as follows:

(i) $T_m$ is the time to perform one point multiplication operation over an elliptic curve.
(ii) $T_p$ is the time to perform one pairing operation.
(iii) $T_E$ is the time to perform one signature verification (ECDSA-160).
(iv) $T_h$ is the time to perform one one-way hash function operation.
(v) $T_H$ is the time to perform one MapToPoint hash function operation.
(vi) $T_e$ is the time to perform one modular exponentiation operation in $G_2$.
(vii) $T_{RSA}$ is the time to perform one signature verification (RSA-1024).

In CAS, each sensor node has to perform two ECDSA signature verification procedures and two hash function operations. In MAS, to verify the user's public key, it requires a chain of hash function operations, and we assume that there are $\lambda$ hash function operations to be performed. In IAS, it requires one modular exponentiation operation in $G_2$, one MapToPoint hash function operation, and two pairing operations. We simply assume that the total number of hash function operations for each sensor node to verify the user's public key is $\lambda'$ in HAS. Furthermore, the main computational overhead of HAS is based on one ECDSA signature verification. When the message is broadcasted by the user, IMBAS takes three point multiplication operations and one hash function operation. In addition, IMBAS takes one ECDSA signature verification if the message is broadcasted by the base station. In our scheme, each sensor node is required to perform one hash function operation and one RSA signature verification.

According to [9], the energy cost to verify an ECDSA signature is 45.09 mJ in a MICA2DOT mote. Thus, we can estimate that the time to perform an ECDSA signature verification is 45.09 mJ/13.8 mW = 3.267 s. We recall that 13.8 mW is the energy consumption of the MICA2DOT mote in active mode. Besides, assume that SHA-1 is used and its energy consumption is 5.9 μJ/byte [9]. Therefore, the time to perform the SHA-1 hash function is 0.01 s when the input size is 24 bytes. Obviously, the time is very small, so it can be ignored.

For a MICA2 mote at 8 MHz, it takes 0.81 s to perform one point multiplication operation over an elliptic curve [10]. Thus, the MICA2DOT mote roughly needs 0.81 × 8/4 = 1.62 s to perform such an operation. As reported in [29], the time to perform the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz is 0.752 s. Thus, for the MICA2DOT mote, it roughly needs 6.204 s (0.752 × 33/4) to perform the Tate pairing.

Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
|---|---|---|
| CAS [21] | $2T_E + 2T_h$ | ≈6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈4.2228 s ($p = 0.6$); ≈4.5414 s ($p = 0.8$) |
| Our scheme | $T_{RSA} + T_h$ | ≈0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate that the time to perform RSA signature verification is 11.9 mJ/13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes, because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10 000. Obviously, our scheme is better than previous schemes.

Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes. (Plot of energy consumption for verifying a message (J) against $V$ (total number of sensor nodes) for CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, and IMBAS $p = 0.8$.)

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls in the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node takes a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node is still invariable because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has bigger message size, it is still adoptable for the WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, "Mobile object tracking in wireless sensor networks," Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, "Energy efficient multiple target tracking in wireless sensor networks," IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security And Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, "A pairwise key predistribution scheme for wireless sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wandert, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom '05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, "Comparing elliptic curve cryptography and RSA on 8-bit CPUs," in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom '01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, "WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks," in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM '06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., "A fast and efficient source authentication solution for broadcasting in wireless sensor networks," in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS '07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, "An efficient broadcast authentication scheme in wireless sensor networks," in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, "The BiBa one-time signature and broadcast authentication protocol," in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, "Realizing robust user authentication in sensor networks," in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN '05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, "Symmetric key based authenticated querying in wireless sensor networks," in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, "An efficient scheme for user authentication in wireless sensor networks," in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW '07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, "Distributed user access control in sensor networks," in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, "IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks," Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, "On broadcast authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, "Multi-user broadcast authentication in wireless sensor networks," in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellarea, C. Namprempre, and G. Neven, "Security proofs for identity-based identification and signature schemes," in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT '04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, "A database record encryption scheme using the RSA public key cryptosystem and its master keys," in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC '03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Advances in Cryptology – CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, "Computing tate pairing on smartcards," White Paper, STMicroelectronics, 2005.

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 6: Research Article An RSA-Like Scheme for Multiuser ...downloads.hindawi.com/journals/ijdsn/2015/743623.pdf · Research Article An RSA-Like Scheme for Multiuser Broadcast Authentication

6 International Journal of Distributed Sensor Networks

Figure 1: The two-layer structure. (Diagram labels: sensor node; User$_1$, User$_2$, User$_3$, $\ldots$, User$_m$.)

4.2.3. The Public Key Broadcast. After regenerating $e'_0$, the base station has to broadcast $e'_0$ to WSNs. First, $e'_0$ is signed by the base station with the base station's private key $d_{bs}$ for the purpose of proving its authenticity. Second, the base station broadcasts $e'_0$ with its signature, TS, and $N_{bs}$ to WSNs. Third, upon the receipt of this message, a sensor node can use the public key $e_0$ to verify the authenticity of $e'_0$. Finally, the sensor node updates $e_0$ with $e'_0$ if the signature verification succeeds. Note that $d_0$ is unchanging, so the values $d_1, d_2, \ldots, d_m$ of legal users are still unchanging too. Suppose that an adversary forges the message broadcasted by the base station; this attack will be detected by sensor nodes because the private key $d_{bs}$ is only known by the base station.

4.3. User Join. When a new user wants to join WSN, the steps are similar to the process of user revocation. Once a new user User$_{m+1}$ wants to join WSN, the base station chooses two distinct large primes $p_{m+1}$ and $q_{m+1}$ and computes $N_{m+1} = p_{m+1} \times q_{m+1}$. Then, $L_0$ can be recomputed by (5) and $d_{m+1} = d_0 \bmod \phi(N_{m+1})$. Finally, the base station delivers $(d_{m+1}, N_{m+1})$ to User$_{m+1}$ through a secure channel.

5. Discussion

In this section, the scheme is analyzed in terms of security, DoS attacks, and scalability.

(1) The Problem of Factoring $N_i$. The security of our scheme is based on the difficulty of factoring $N_i$ into $p_i$ and $q_i$. Suppose an adversary knows $N_1, N_2, \ldots, N_m$, but he/she cannot compute $L_0$ such that $L_0 = \mathrm{LCM}(\phi(N_0), \phi(N_1), \ldots, \phi(N_m))$. The adversary cannot obtain $d_0$ from the equation $d_0 \times e_0 \equiv 1 \bmod L_0$ and use $d_0$ to compute $d_i$ from the equation $d_i = d_0 \bmod \phi(N_i)$. Hence, we believe that it is extremely difficult to obtain the private key $d_i$ of user $N_i$.

(2) The Problem of Preventing the Unauthorized User. When an adversary impersonates a legal user $N_i$ to sign a message $M$ with the key $d_c$, sensor nodes will fail to verify the signature attached in the message. We show the result as the following equation:

$$\mathrm{Sign}^{e_0} \bmod N_i = (P^{d_c} \bmod N_i)^{e_0} \bmod N_i = P^{d_c \times e_0} \bmod N_i = P^{d_c \times e_0 \bmod \phi(N_i)} \bmod N_i \neq P, \qquad (12)$$

where $P = h(M, \mathrm{TS}, N_i)$. Because $d_c \neq d_0 \bmod \phi(N_i)$, the signature verification fails. Therefore, the adversary cannot impersonate any legal user to inject bogus messages into WSNs successfully. Furthermore, the timestamp used in the message can also prevent the replay attack.

(3) Denial of Service (DoS) Attacks. According to [21, 27], μTESLA suffers from serious DoS attacks because each sensor node has to buffer all the messages received within one time interval. This problem can be mitigated by the immediate verification of messages. In our scheme, each sensor node can verify messages sent by legal or illegal users immediately, so our scheme can mitigate the impact of DoS attacks. If an adversary wants to broadcast forged messages to WSNs, this attack will be detected by the sensor nodes. And then they may notify the base station of such a situation.

(4) Scalability. When old sensor nodes exhaust their energy or the sensing region of a WSN has to be enlarged, new sensor nodes have to be deployed. Our scheme can deal with this problem by preloading these sensor nodes with the network public key $e_0$. If a new user wants to join WSNs, the base station will generate two distinct large primes $p_{new}$ and $q_{new}$ for him/her. Subsequently, the new user's ID $N_{new} = p_{new} \times q_{new}$ is computed by the base station. At the same time, the base station has to regenerate the new network public key $e'_0$. Then, it broadcasts $e'_0$ and its signature to the WSNs. Users can join WSNs without much overhead.
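The key relations used in Section 4.3 and in items (1), (2), and (4) above ($L_0 = \mathrm{LCM}(\ldots)$, $d_0 \times e_0 \equiv 1 \bmod L_0$, $d_i = d_0 \bmod \phi(N_i)$, and the check in (12)) can be run end to end with toy numbers. The following Python code is an added example, not the authors' implementation. The class and function names, the tiny constructed primes, the fixed $d_0 = 65537$, the reduction of the SHA-1 digest modulo $N_i$, treating $N_0$ as a modulus held by the base station, and modelling revocation as dropping $\phi(N_i)$ from the LCM before regenerating $e_0$ are assumptions made for illustration.

```python
import hashlib
from functools import reduce
from math import gcd


def lcm(a: int, b: int) -> int:
    return a // gcd(a, b) * b


def digest(message: bytes, ts: int, n_i: int) -> int:
    """P = h(M, TS, N_i); reduced mod N_i only because the toy moduli are tiny."""
    width = (n_i.bit_length() + 7) // 8
    data = message + ts.to_bytes(2, "big") + n_i.to_bytes(width, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n_i


def sign_digest(p: int, d: int, n_i: int) -> int:
    """User side: Sign = P^d mod N_i."""
    return pow(p, d, n_i)


def verify_digest(p: int, sig: int, e0: int, n_i: int) -> bool:
    """Sensor-node check from equation (12): Sign^e0 mod N_i == P."""
    return pow(sig, e0, n_i) == p % n_i


def user_sign(message: bytes, ts: int, d_i: int, n_i: int) -> int:
    return sign_digest(digest(message, ts, n_i), d_i, n_i)


def node_verify(message: bytes, ts: int, n_i: int, sig: int, e0: int) -> bool:
    return verify_digest(digest(message, ts, n_i), sig, e0, n_i)


class BaseStation:
    """Hypothetical base station: d_0 stays fixed, e_0 is regenerated on change."""

    def __init__(self, d0: int, p0: int, q0: int):
        self.d0 = d0
        self.phi = {p0 * q0: (p0 - 1) * (q0 - 1)}  # N -> phi(N); first entry is N_0
        self._rekey()

    def _rekey(self) -> None:
        l0 = reduce(lcm, self.phi.values())  # L_0 = LCM(phi(N_0), ..., phi(N_m))
        if gcd(self.d0, l0) != 1:
            raise ValueError("d_0 must be invertible modulo L_0")
        self.L0 = l0
        self.e0 = pow(self.d0, -1, l0)       # d_0 * e_0 = 1 mod L_0 (Python 3.8+)

    def join(self, p: int, q: int):
        """Return (d_i, N_i) for the new user; existing users keep their keys."""
        n_i, phi = p * q, (p - 1) * (q - 1)
        if gcd(self.d0, phi) != 1:
            raise ValueError("choose other primes: d_0 shares a factor with phi(N_i)")
        self.phi[n_i] = phi
        self._rekey()
        return self.d0 % phi, n_i            # d_i = d_0 mod phi(N_i)

    def revoke(self, n_i: int) -> None:
        """Assumed revocation model: drop phi(N_i), then regenerate e_0."""
        del self.phi[n_i]
        self._rekey()


def demo() -> dict:
    bs = BaseStation(d0=65537, p0=7, q0=11)      # constructed toy parameters
    d1, n1 = bs.join(23, 47)
    d2, n2 = bs.join(59, 83)
    query, ts = b"read temperature", 7           # constructed sample query
    sig1 = user_sign(query, ts, d1, n1)
    sig2 = user_sign(query, ts, d2, n2)
    out = {"legit": node_verify(query, ts, n1, sig1, bs.e0)}
    forged = user_sign(query, ts, d2, n1)        # wrong key d_c under user 1's ID
    out["impersonation"] = node_verify(query, ts, n1, forged, bs.e0)
    bs.revoke(n2)                                # nodes now hold the new e_0
    out["revoked_after_rekey"] = node_verify(query, ts, n2, sig2, bs.e0)
    out["user1_after_rekey"] = node_verify(query, ts, n1, sig1, bs.e0)
    d3, n3 = bs.join(107, 167)
    sig3 = user_sign(query, ts, d3, n3)
    out["new_user"] = node_verify(query, ts, n3, sig3, bs.e0)
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: accepted={accepted}")
```

With real parameters the moduli would be 1024-bit and the digest would not be reduced; a sensor node would also check the timestamp for freshness before accepting a query.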

6. Performance Evaluations

In this section, the performance of our scheme is evaluated in terms of communication, storage, and computational overheads. Moreover, the scheme is compared with the previous schemes that were proposed for multiuser broadcast authentication.

6.1. Communication Overhead. In this section, our scheme and the previous schemes are evaluated in terms of the communication overhead. In [20–22], the authors used Elliptic Curve Cryptography (ECC) based schemes to secure multiuser broadcast authentication. To provide the same level of security strength as 1024-bit RSA, ECC requires $p$ of 160 bits if $G_2$ is a $q$-order subgroup of the multiplicative group of the finite field $F^{*}_{p^2}$ [28].

Like the assumptions used in [21], $|p|$ and $|q|$ are assumed to be 512 bits and 160 bits, respectively. And the embedded degree of $E/F_p$ is equal to 2. According to [21], suppose that a point is over $E/F_p$, and only one of its $X$ and $Y$ coordinates needs to be transmitted because the other can be easily derived using the curve equation. We do not take this computational cost into account.

Table 1: Comparisons of communication overhead for the related schemes.

| Schemes | Message size |
| --- | --- |
| CAS [21] | 148 bytes |
| MAS [21] | $84 + 20 \times \log_2 m$ bytes |
| IAS [21] | 108 bytes |
| HAS [22] | $(74 + 20 \times \log_2 m)/1000$ bytes |
| IMBAS [20] | 84 bytes (1); 54 bytes (2) |
| Our scheme | 278 bytes |

In this paper, 1024-bit RSA is applied to compare our scheme with the previous schemes. We recall that our broadcast message includes a user's ID $N_i$, a message $M$, a timestamp TS, and the signature attached in the message. We assume that the message $M$ is 20 bytes, the timestamp TS is 2 bytes, the user's ID is 2 bytes, and a one-way hash function with 20 bytes' outputs is used. In our scheme, both $N_i$ and the signature are 128 bytes with 1024-bit RSA.

In the remaining part of this paper, we refer to the certificate-based, Merkle hash tree based, and ID-based authentication schemes [21] as CAS, MAS, and IAS, respectively. The parameter $m$ denotes the total number of users.

In CAS, a broadcast message includes a message $M$, a timestamp TS, the signature (40 bytes) attached in the message, and the user's certificate (at least 86 bytes [9]) if Elliptic Curve Digital Signature Algorithm (ECDSA) is used. Hence, the total message size of CAS is 148 bytes. Similarly, the message sizes of MAS and IAS can also be evaluated by using the above parameters.

In HAS [22], the broadcast message includes a part message $M_2$ ($|M_2| \ge 14$ bytes), two values over the finite field $Z_q$, the public key of the user, and an AAI. We set $|M_1| = 10$ with the saving of up to 10 bytes. Then, the resulting message size of HAS is $(74 + 20 \times \log_2 m)/1000$ bytes (supporting up to 1000 users and the probability of a false positive $f_{req} = 2.03 \times 10^{-17}$).

In IMBAS [20], the message broadcasted by a user (situation (1)) includes a message $M$, a timestamp TS, a user's ID, one point of $E/F_p$, and two values over the finite field $Z_q$. Hence, the resulting message size is 84 bytes. If the message is broadcasted by the base station (situation (2)), it will include a part message $M_2$ ($|M_2| \ge 14$ bytes) and two values over the finite field $Z_q$. Therefore, the message size is 54 bytes (assuming that $|M_1| = 10$ bytes).

Table 1 shows the comparisons of the different schemes in terms of message size. Furthermore, Figure 2 shows the evaluation results of the impact of the total number of network users on message size. When the number of network users varies from 0 to 10 000, the message sizes of MAS and HAS increase with the number of network users. Instead, the message sizes of the other schemes are still unchanging.

Figure 2: Message size versus the total number of network users. (Axes: message size (byte) versus $m$, the total number of network users; series: CAS, IAS, our scheme, IMBAS $p = 0.6$, MAS, HAS, IMBAS $p = 0.8$.)

In addition, we quantify the performance on message broadcast for the six schemes. We use the MICA2DOT mote, which is a popular platform for WSNs. The MICA2DOT mote is equipped with the Atmel ATmega128L 8-bit microcontroller at 4 MHz and the Chipcon CC1000 low-power wireless transceiver [9]. As reported in [9], the energy consumption of MICA2DOT mote in active and power-down modes is 13.8 and 0.0075 mW, respectively. Furthermore, the MICA2DOT mote consumes 59.2 and 28.6 μJ to transmit and receive one byte, respectively.

In our scheme, the broadcasting message is $M$, TS, $N_i$, Sign, and the size is 20 bytes (message $M$) + 2 bytes (timestamp TS) + 128 bytes ($N_i$) + 128 bytes (Sign) = 278 bytes. The payload for each packet is 32 bytes, so we require 9 packets to transmit the broadcasting message. And each packet requires a 9-byte header, ensuing an 8-byte preamble, which consists of source, destination, length, packet ID, CRC, and control bytes [9]. Therefore, it requires transmitting 441 bytes ((32 + 9 + 8) bytes × 9 = 441 bytes). In addition, energy consumption on transmitting and receiving a broadcast message of our scheme is 441 × 59.2 μJ = 26.11 and 441 × 28.6 μJ = 12.61 mJ, respectively. To estimate the energy consumption of broadcasting a message to the entire network, each sensor node has to retransmit once and receive $v$ times the same message, where $v$ is the number of neighbors for a sensor node. Eventually, the total energy consumption of our scheme is $V \times (26.11 + v \times 12.61)$ mJ, where $V$ is the total number of sensor nodes. Similarly, the energy consumption of CAS, MAS, IAS, and IMBAS schemes on message broadcast can also be estimated. In order to have a consistent comparison environment, the parameters are chosen as the same as [21]. Figure 3 shows energy consumption of the schemes on message broadcast, where $v = 20$, $p$ is the probability of the user broadcast, the probability of the base station broadcast is $1 - p$, and there are 1024 users ($m = 1024$). Figure 4 shows the energy consumption of the schemes on message broadcast for a sensor node when $v$ varies. Therefore, we can find that the other schemes except for MAS outperform our scheme since our scheme has larger message size.

Figure 3: Energy consumption on message broadcast versus the total number of sensor nodes. (Axes: energy consumption on message broadcast (J) versus $V$, the total number of sensor nodes; series: CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, IMBAS $p = 0.8$.)

Figure 4: Energy consumption on message broadcast versus the number of neighbors for a sensor node. (Axes: energy consumption on message broadcast (mJ) versus $v$, the number of neighbors for a sensor node; series: CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, IMBAS $p = 0.8$.)

6.2. Storage Overhead. In the comparison, the same settings are used as in Section 6.1. In CAS, each sensor node is required to store the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $h$, $P$, and $P_{pub}$) if ECDSA is used. $h$ is a one-way hash function, such as SHA-1, $P$ is a generator of $G_1$, and $P_{pub}$ is the network public key of the base station. Note that $P_{pub}$ and $P$ are two points over $E/F_p$, among which only one of their $X$ and $Y$ coordinates needs to be stored.

In MAS, it requires each sensor node to keep the value $h_r$, which is the final root node of the hash tree. Furthermore, each sensor node has to store the ECC's parameters if an updated $h_r$ should be signed by the base station to prove its authenticity.

Table 2: Comparisons of storage overhead for the six schemes.

| Schemes | Memory size | Quantitative result |
| --- | --- | --- |
| CAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| MAS [21] | $p$, $q$, $a$, $b$, $h_r$, $P$, $P_{pub}$ | ≈140 bytes |
| IAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| HAS [22] | A Bloom filter, $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈10155 bytes |
| IMBAS [20] | $p$, $q$, $a$, $b$, $P$, $P_{pub}$ | ≈120 bytes |
| Our scheme | $e_0$ | 128 bytes |

Figure 5: Storage size per sensor node versus the total number of network users. (Axes: storage size (byte) versus $m$, the total number of network users; series: CAS, IAS, MAS, HAS, our scheme, IMBAS.)

In IAS, each sensor node also has to be preloaded with the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $G_2$, $e$, $H$, $h$, $P$, and $P_{pub}$), where $H$ is the MapToPoint hash function, which can map strings to nonzero elements in $G_1$. When HAS supports up to 1000 users, each sensor node is required to store 9.8 KBytes for a single Bloom filter [22] ($f_{req} = 2.03 \times 10^{-17}$).

The parameters used by IMBAS [20] are similar to IAS's parameters, not including $G_2$, $e$, and $H$, so we do not describe them again. For our scheme, only the public key $e_0$ has to be stored by each sensor node. For the sake of simplicity, we only quantify the parameters ($p$, $q$, $a$, $b$, $P$, and $P_{pub}$) for the ECC based schemes to compare our scheme with them.

The comparisons of the different schemes are shown in Table 2. Clearly, it can be observed that most of the schemes outperform HAS in terms of storage overhead for each sensor node. In addition, from Figure 5, it can be observed that the storage size of our scheme is much less than that of HAS. Moreover, the storage size of HAS increases significantly when the number of network users varies from 0 to 1000. Therefore, it can be inferred that the scalability of HAS is not as good as that of the other schemes.

6.3. Storage Overhead on Revocation List. An adversary may capture the devices of legal users, and then he/she can impersonate these legal users to broadcast bogus messages to WSNs for the purpose of exhausting the precious energy of sensor nodes. So the base station has to revoke these illegal users in WSNs. The previous schemes require each sensor node to store the IDs of revoked users infinitely when the number of revoked users increases unceasingly. For example, CAS, HAS, and IMBAS require each sensor node to store the revoked IDs. Therefore, the three schemes may incur a large amount of storage overhead.

Figure 6: Storage size per sensor node versus the number of revoked users. (Axes: additional storage size (byte) versus the number of revoked users; series: CAS, IAS, MAS, HAS, our scheme, IMBAS.)

Table 3: A table illustrating whether or not current users have to obtain new authentication information from the base station for the six schemes.

| | CAS [21] | MAS [21] | IAS [21] | HAS [22] | IMBAS [20] | Our scheme |
| --- | --- | --- | --- | --- | --- | --- |
| Yes or No | No | Yes | Yes | No | No | No |

In IAS, each sensor node stores the revoked IDs only within one time interval and removes them at the beginning of the next time interval because each user has to obtain a new private key from the base station at the beginning of each time interval. Instead, MAS and our scheme do not require each sensor node to store any revoked ID due to the update of $h_r$ and $e_0$. We assume that there are two hundred users that are revoked by the base station within each time interval.

Figure 6 shows the comparisons of the storage size for the six schemes with respect to the number of revoked users. In addition, once an illegal user is revoked, MAS requires current users to obtain the updated AAIs regenerated by the base station. This may be impractical for the current users roaming in WSNs. In IAS, each current user also has to obtain a new private key from the base station at the beginning of each time interval, so it is still impractical for the current users. Table 3 illustrates whether or not current users have to obtain new authentication information from the base station.

6.4. Computational Overhead. In this section, we evaluate the computational overhead of each sensor node. We focus on the computational overhead of verifying a message broadcasted by a user for each sensor node. Note that we still use the same assumptions as mentioned before for our evaluations. In order to compare our scheme with the other schemes in terms of computational overhead, we define seven notations as follows:

(i) $T_m$ is the time to perform one point multiplication operation over an elliptic curve.
(ii) $T_p$ is the time to perform one pairing operation.
(iii) $T_E$ is the time to perform one signature verification (ECDSA-160).
(iv) $T_h$ is the time to perform one one-way hash function operation.
(v) $T_H$ is the time to perform one MapToPoint hash function operation.
(vi) $T_e$ is the time to perform one modular exponentiation operation in $G_2$.
(vii) $T_{RSA}$ is the time to perform one signature verification (RSA-1024).

In CAS, each sensor node has to perform two ECDSA signature verification procedures and two hash function operations. In MAS, to verify the user's public key, it requires a chain of hash function operations, and we assume that there are $\lambda$ hash function operations to be performed. In IAS, it requires one modular exponentiation operation in $G_2$, one MapToPoint hash function operation, and two pairing operations. We simply assume that the total number of hash function operations for each sensor node to verify the user's public key is $\lambda'$ in HAS. Furthermore, the main computational overhead of HAS is based on one ECDSA signature verification. When the message is broadcasted by the user, IMBAS takes three point multiplication operations and one hash function operation. In addition, IMBAS takes one ECDSA signature verification if the message is broadcasted by the base station. In our scheme, each sensor node is required to perform one hash function operation and one RSA signature verification.

According to [9], the energy cost to verify an ECDSA signature is 45.09 mJ in a MICA2DOT mote. Thus, we can estimate the time to perform an ECDSA signature verification is 45.09 mJ/13.8 mW = 3.267 s. We recall that 13.8 mW is the energy consumption of the MICA2DOT mote in active mode. Besides, assume that SHA-1 is used and its energy consumption is 5.9 μJ/byte [9]. Therefore, the time to perform the SHA-1 hash function is 0.01 s when the input size is 24 bytes. Obviously, the time is very small, so it can be ignored.

For a MICA2 mote at 8 MHz, it takes 0.81 s to perform one point multiplication operation over an elliptic curve [10]. Thus, MICA2DOT mote roughly needs 0.81 × 8/4 = 1.62 s to perform such an operation. As reported in [29], the time to perform the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz is 0.752 s. Thus, for the MICA2DOT mote, it roughly needs 6.204 s (0.752 × 33/4) to perform the Tate pairing.

Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
| --- | --- | --- |
| CAS [21] | $2T_E + 2T_h$ | ≈6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈4.2228 s ($p = 0.6$); ≈4.5414 s ($p = 0.8$) |
| Our scheme | $T_{RSA} + T_h$ | ≈0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256 M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate the time to perform RSA signature verification is 11.9 mJ/13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or by the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10 000. Obviously, our scheme is better than previous schemes.

Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes. (Axes: energy consumption for verifying a message (J) versus $V$, the total number of sensor nodes; series: CAS, IAS, MAS, HAS, our scheme, IMBAS $p = 0.6$, IMBAS $p = 0.8$.)

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls in the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node takes a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node is still invariable because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has bigger message size, it is still adoptable for the WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, "Mobile object tracking in wireless sensor networks," Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, "Energy efficient multiple target tracking in wireless sensor networks," IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security And Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, "A pairwise key predistribution scheme for wireless sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom '05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, "Comparing elliptic curve cryptography and RSA on 8-bit CPUs," in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom '01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, "WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks," in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM '06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., "A fast and efficient source authentication solution for broadcasting in wireless sensor networks," in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS '07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, "An efficient broadcast authentication scheme in wireless sensor networks," in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, "The BiBa one-time signature and broadcast authentication protocol," in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, "Realizing robust user authentication in sensor networks," in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN '05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, "Symmetric key based authenticated querying in wireless sensor networks," in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, "An efficient scheme for user authentication in wireless sensor networks," in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW '07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, "Distributed user access control in sensor networks," in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, "IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks," Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, "On broadcast authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, "Multi-user broadcast authentication in wireless sensor networks," in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellare, C. Namprempre, and G. Neven, "Security proofs for identity-based identification and signature schemes," in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT '04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, "A database record encryption scheme using the RSA public key cryptosystem and its master keys," in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC '03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Advances in Cryptology - CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, "Computing tate pairing on smartcards," White Paper, STMicroelectronics, 2005.

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 7: Research Article An RSA-Like Scheme for Multiuser ...downloads.hindawi.com/journals/ijdsn/2015/743623.pdf · Research Article An RSA-Like Scheme for Multiuser Broadcast Authentication

International Journal of Distributed Sensor Networks 7

Table 1: Comparisons of communication overhead for the related schemes.

| Schemes | Message size |
|---|---|
| CAS [21] | 148 bytes |
| MAS [21] | $84 + 20 \times \log_2 m$ bytes |
| IAS [21] | 108 bytes |
| HAS [22] | $(74 + 20 \times \log_2 m)/1000$ bytes |
| IMBAS [20] | 84 bytes (1); 54 bytes (2) |
| Our scheme | 278 bytes |

easily derived using the curve equation. We do not take this computational cost into account.

In this paper, 1024-bit RSA is applied to compare our scheme with the previous schemes. We recall that our broadcast message includes a user's ID $N_i$, a message $M$, a timestamp TS, and the signature attached to the message. We assume that the message $M$ is 20 bytes, the timestamp TS is 2 bytes, the user's ID is 2 bytes, and a one-way hash function with a 20-byte output is used. In our scheme, both $N_i$ and the signature are 128 bytes with 1024-bit RSA.

In the remaining part of this paper, we refer to the certificate-based, Merkle hash tree based, and ID-based authentication schemes [21] as CAS, MAS, and IAS, respectively. The parameter $m$ denotes the total number of users.

In CAS, a broadcast message includes a message $M$, a timestamp TS, the signature (40 bytes) attached to the message, and the user's certificate (at least 86 bytes [9]) if the Elliptic Curve Digital Signature Algorithm (ECDSA) is used. Hence, the total message size of CAS is 148 bytes. Similarly, the message sizes of MAS and IAS can also be evaluated by using the above parameters.

In HAS [22], the broadcast message includes a part message $M_2$ ($|M_2| \ge 14$ bytes), two values over the finite field $Z_q$, the public key of the user, and an AAI. We set $|M_1| = 10$ with the saving of up to 10 bytes. Then, the resulting message size of HAS is $(74 + 20 \times \log_2 m)/1000$ bytes (supporting up to 1000 users and the probability of a false positive $f_{\mathrm{req}} = 2.03 \times 10^{-17}$).

In IMBAS [20], the message broadcast by a user (situation (1)) includes a message $M$, a timestamp TS, a user's ID, one point of $E/F_p$, and two values over the finite field $Z_q$. Hence, the resulting message size is 84 bytes. If the message is broadcast by the base station (situation (2)), it will include a part message $M_2$ ($|M_2| \ge 14$ bytes) and two values over the finite field $Z_q$. Therefore, the message size is 54 bytes (assuming that $|M_1| = 10$ bytes).

Table 1 shows the comparisons of the different schemes in terms of message size. Furthermore, Figure 2 shows the evaluation results of the impact of the total number of network users on message size. When the number of network users varies from 0 to 10,000, the message sizes of MAS and HAS increase with the number of network users. In contrast, the message sizes of the other schemes remain unchanged.

In addition, we quantify the performance on message broadcast for the six schemes. We use the MICA2DOT mote, which is a popular platform for WSNs. The MICA2DOT mote is equipped with the Atmel ATmega128L 8-bit microcontroller at 4 MHz and the Chipcon CC1000 low-power wireless transceiver [9]. As reported in [9], the energy consumption of the MICA2DOT mote in active and power-down modes is 13.8 and 0.0075 mW, respectively. Furthermore, the MICA2DOT mote consumes 59.2 and 28.6 μJ to transmit and receive one byte, respectively.

Figure 2: Message size versus the total number of network users. [Plot: message size (bytes) against $m$ (total number of network users).]

In our scheme, the broadcast message consists of $M$, TS, $N_i$, and Sign, and its size is 20 bytes (message $M$) + 2 bytes (timestamp TS) + 128 bytes ($N_i$) + 128 bytes (Sign) = 278 bytes. The payload of each packet is 32 bytes, so we require 9 packets to transmit the broadcast message. Each packet also requires a 9-byte header (source, destination, length, packet ID, CRC, and control bytes) following an 8-byte preamble [9]. Therefore, it requires transmitting 441 bytes ((32 + 9 + 8) bytes × 9 = 441 bytes). In addition, the energy consumption for transmitting and receiving a broadcast message in our scheme is 441 × 59.2 μJ = 26.11 mJ and 441 × 28.6 μJ = 12.61 mJ, respectively. To estimate the energy consumption of broadcasting a message to the entire network, each sensor node has to retransmit once and receive the same message $v$ times, where $v$ is the number of neighbors of a sensor node. Eventually, the total energy consumption of our scheme is $V \times (26.11 + v \times 12.61)$ mJ, where $V$ is the total number of sensor nodes. Similarly, the energy consumption of the CAS, MAS, IAS, and IMBAS schemes on message broadcast can also be estimated. In order to have a consistent comparison environment, the parameters are chosen to be the same as in [21]. Figure 3 shows the energy consumption of the schemes on message broadcast, where $v = 20$, $p$ is the probability of the user broadcast, the probability of the base station broadcast is $1 - p$, and there are 1024 users ($m = 1024$). Figure 4 shows the energy consumption of the schemes on message broadcast for a sensor node when $v$ varies. Therefore, we can find that the other schemes, except for MAS, outperform our scheme since our scheme has a larger message size.

Figure 3: Energy consumption on message broadcast versus the total number of sensor nodes. [Plot: energy consumption on message broadcast (J) against $V$ (total number of sensor nodes).]

Figure 4: Energy consumption on message broadcast versus the number of neighbors for a sensor node. [Plot: energy consumption on message broadcast (mJ) against $v$ (number of neighbors for a sensor node).]

6.2. Storage Overhead. In the comparison, the same settings are used as in Section 6.1. In CAS, each sensor node is required to store the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $h$, $P$, and $P_{\mathrm{pub}}$) if ECDSA is used. $h$ is a one-way hash function such as SHA-1, $P$ is a generator of $G_1$, and $P_{\mathrm{pub}}$ is the network public key of the base station. Note that $P_{\mathrm{pub}}$ and $P$ are two points over $E/F_p$, among which only one of their $X$ and $Y$ coordinates needs to be stored.

In MAS, each sensor node is required to keep the value $h_r$, which is the final root node of the hash tree. Furthermore, each sensor node has to store the ECC's parameters if an updated $h_r$ should be signed by the base station to prove its authenticity.

Table 2: Comparisons of storage overhead for the six schemes.

| Schemes | Memory size | Quantitative result |
|---|---|---|
| CAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{\mathrm{pub}}$ | ≈120 bytes |
| MAS [21] | $p$, $q$, $a$, $b$, $h_r$, $P$, $P_{\mathrm{pub}}$ | ≈140 bytes |
| IAS [21] | $p$, $q$, $a$, $b$, $P$, $P_{\mathrm{pub}}$ | ≈120 bytes |
| HAS [22] | A Bloom filter, $p$, $q$, $a$, $b$, $P$, $P_{\mathrm{pub}}$ | ≈10155 bytes |
| IMBAS [20] | $p$, $q$, $a$, $b$, $P$, $P_{\mathrm{pub}}$ | ≈120 bytes |
| Our scheme | $e_0$ | 128 bytes |

Figure 5: Storage size per sensor node versus the total number of network users. [Plot: storage size (bytes) against $m$ (total number of network users).]

In IAS, each sensor node also has to be preloaded with the ECC's parameters ($p$, $q$, $E/F_p$, $G_1$, $G_2$, $e$, $H$, $h$, $P$, and $P_{\mathrm{pub}}$), where $H$ is the MapToPoint hash function, which can map strings to nonzero elements in $G_1$. When HAS supports up to 1000 users, each sensor node is required to store 9.8 KBytes for a single Bloom filter [22] ($f_{\mathrm{req}} = 2.03 \times 10^{-17}$).

The parameters used by IMBAS [20] are similar to IAS's parameters, not including $G_2$, $e$, and $H$, so we do not describe them again. For our scheme, only the public key $e_0$ has to be stored by each sensor node. For the sake of simplicity, we only quantify the parameters ($p$, $q$, $a$, $b$, $P$, and $P_{\mathrm{pub}}$) for the ECC-based schemes to compare our scheme with them.

The comparisons of the different schemes are shown in Table 2. Clearly, it can be observed that most of the schemes outperform HAS in terms of storage overhead for each sensor node. In addition, from Figure 5, it can be observed that the storage size of our scheme is much less than that of HAS. Moreover, the storage size of HAS increases significantly when the number of network users varies from 0 to 1000. Therefore, it can be inferred that the scalability of HAS is not good as compared with the other schemes.

6.3. Storage Overhead on Revocation List. An adversary may capture the devices of legal users, and then he/she can impersonate these legal users to broadcast bogus messages to WSNs for the purpose of exhausting the precious energy of sensor nodes. So the base station has to revoke these illegal users in WSNs. The previous schemes require each sensor node to store the IDs of revoked users indefinitely while the number of revoked users keeps increasing. For example, CAS, HAS, and IMBAS require each sensor node to store the revoked IDs. Therefore, the three schemes may incur a large amount of storage overhead.

In IAS, each sensor node stores the revoked IDs only within one time interval and removes them at the beginning of the next time interval, because each user has to obtain a new private key from the base station at the beginning of each time interval. In contrast, MAS and our scheme do not require each sensor node to store any revoked ID, owing to the update of $h_r$ and $e_0$. We assume that two hundred users are revoked by the base station within each time interval.

Figure 6 shows the comparisons of the storage size for the six schemes with respect to the number of revoked users. In addition, once an illegal user is revoked, MAS requires current users to obtain the updated AAIs regenerated by the base station. This may be impractical for the current users roaming in WSNs. In IAS, each current user also has to obtain a new private key from the base station at the beginning of each time interval, so it is still impractical for the current users. Table 3 illustrates whether or not current users have to obtain new authentication information from the base station.

Figure 6: Storage size per sensor node versus the number of revoked users. [Plot: additional storage size (bytes) against the number of revoked users.]

Table 3: A table illustrating whether or not current users have to obtain new authentication information from the base station for the six schemes.

| | CAS [21] | MAS [21] | IAS [21] | HAS [22] | IMBAS [20] | Our scheme |
|---|---|---|---|---|---|---|
| Yes or No | No | Yes | Yes | No | No | No |

6.4. Computational Overhead. In this section, we evaluate the computational overhead of each sensor node. We focus on the computational overhead for each sensor node of verifying a message broadcast by a user. Note that we still use the same assumptions as mentioned before for our evaluations. In order to compare our scheme with the other schemes in terms of computational overhead, we define seven notations as follows:

(i) $T_m$ is the time to perform one point multiplication operation over an elliptic curve.

(ii) $T_p$ is the time to perform one pairing operation.

(iii) $T_E$ is the time to perform one signature verification (ECDSA-160).

(iv) $T_h$ is the time to perform one one-way hash function operation.

(v) $T_H$ is the time to perform one MapToPoint hash function operation.

(vi) $T_e$ is the time to perform one modular exponentiation operation in $G_2$.

(vii) $T_{\mathrm{RSA}}$ is the time to perform one signature verification (RSA-1024).

In CAS, each sensor node has to perform two ECDSA signature verification procedures and two hash function operations. In MAS, verifying the user's public key requires a chain of hash function operations, and we assume that there are $\lambda$ hash function operations to be performed. IAS requires one modular exponentiation operation in $G_2$, one MapToPoint hash function operation, and two pairing operations. We simply assume that the total number of hash function operations for each sensor node to verify the user's public key is $\lambda'$ in HAS. Furthermore, the main computational overhead of HAS is based on one ECDSA signature verification. When the message is broadcast by the user, IMBAS takes three point multiplication operations and one hash function operation. In addition, IMBAS takes one ECDSA signature verification if the message is broadcast by the base station. In our scheme, each sensor node is required to perform one hash function operation and one RSA signature verification.

According to [9], the energy cost to verify an ECDSA signature is 45.09 mJ in a MICA2DOT mote. Thus, we can estimate that the time to perform an ECDSA signature verification is 45.09 mJ / 13.8 mW = 3.267 s. We recall that 13.8 mW is the energy consumption of the MICA2DOT mote in active mode. Besides, assume that SHA-1 is used and its energy consumption is 5.9 μJ/byte [9]. Therefore, the time to perform the SHA-1 hash function is 0.01 s when the input size is 24 bytes. Obviously, the time is very small, so it can be ignored.

For a MICA2 mote at 8 MHz, it takes 0.81 s to perform one point multiplication operation over an elliptic curve [10]. Thus, the MICA2DOT mote roughly needs 0.81 × 8/4 = 1.62 s to perform such an operation. As reported in [29], the time to perform the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz is 0.752 s. Thus, the MICA2DOT mote roughly needs 6.204 s (0.752 × 33/4) to perform the Tate pairing.

Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
|---|---|---|
| CAS [21] | $2T_E + 2T_h$ | ≈6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈4.2228 s ($p = 0.6$); ≈4.5414 s ($p = 0.8$) |
| Our scheme | $T_{\mathrm{RSA}} + T_h$ | ≈0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 s and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate that the time to perform RSA signature verification is 11.9 mJ / 13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or by the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10,000. Obviously, our scheme is better than the previous schemes.
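The timing estimates of this section recomputed from the cited measurements, as an added example (not code from the paper). Function names are hypothetical; the hash term is dropped by default, as the quantitative column of Table 4 does, and the chain lengths λ and λ′ are parameters because the text does not fix them.

```python
# Measurements quoted in the text for the MICA2DOT mote (ATmega128L at 4 MHz).
ACTIVE_POWER_MW = 13.8   # active-mode figure used to turn energy into time
MOTE_MHZ = 4.0


def seconds_from_energy(millijoules):
    """Time on the mote for an operation of known energy: t = E / P."""
    return millijoules / ACTIVE_POWER_MW


def scale_to_mote(seconds, source_mhz):
    """Linear clock scaling from another CPU, the approximation the text uses."""
    return seconds * source_mhz / MOTE_MHZ


def primitive_times(hash_input_bytes=24):
    """Per-operation times (s) on the MICA2DOT, derived as in the text."""
    t_p = scale_to_mote(0.752, 33.0)          # Tate pairing, ST22 at 33 MHz
    return {
        "T_E": seconds_from_energy(45.09),    # ECDSA-160 verification
        "T_RSA": seconds_from_energy(11.9),   # RSA-1024 verification
        "T_h": seconds_from_energy(5.9e-3 * hash_input_bytes),  # SHA-1
        "T_m": scale_to_mote(0.81, 8.0),      # point multiplication, MICA2
        "T_p": t_p,
        # Pentium IV figures are scaled by their ratio to the pairing time.
        "T_H": t_p * 3.0 / 47.40,             # MapToPoint
        "T_e": t_p * 3.13 / 47.40,            # exponentiation in G_2
    }


def verification_times(p, lam=0, lam_prime=0, ignore_hash=True):
    """Table 4 formulas; p is the probability that a user (not the base
    station) broadcasts. lam and lam_prime are the hash-chain lengths of
    MAS and HAS; they only matter when ignore_hash is False."""
    t = primitive_times()
    t_h = 0.0 if ignore_hash else t["T_h"]
    return {
        "CAS": 2 * t["T_E"] + 2 * t_h,
        "MAS": t["T_E"] + (lam + 1) * t_h,
        "IAS": 2 * t["T_p"] + t["T_H"] + t["T_e"],
        "HAS": t["T_E"] + lam_prime * t_h,
        "IMBAS": p * (3 * t["T_m"] + t_h) + (1 - p) * t["T_E"],
        "Our scheme": t["T_RSA"] + t_h,
    }


if __name__ == "__main__":
    for p in (0.6, 0.8):
        print(f"p = {p}")
        for name, secs in verification_times(p).items():
            print(f"  {name:11s} {secs:7.3f} s")
```

The recomputed values match Table 4 to within rounding; the paper truncates some intermediate results (0.392 s and 0.409 s), so the IAS total differs in the third decimal place.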

Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes. [Plot: energy consumption for verifying a message (J) against $V$ (total number of sensor nodes).]

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls on the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node is a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node remains invariable because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has a bigger message size, it is still adoptable for WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, “Mobile object tracking in wireless sensor networks,” Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, “Energy efficient multiple target tracking in wireless sensor networks,” IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, “A pairwise key predistribution scheme for wireless sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, “Energy analysis of public-key cryptography for wireless sensor networks,” in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom ’05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing elliptic curve cryptography and RSA on 8-bit CPUs,” in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: security protocols for sensor networks,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom ’01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, “WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks,” in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM ’06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., “A fast and efficient source authentication solution for broadcasting in wireless sensor networks,” in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS ’07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, “An efficient broadcast authentication scheme in wireless sensor networks,” in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS ’06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, “The BiBa one-time signature and broadcast authentication protocol,” in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS ’01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, “Realizing robust user authentication in sensor networks,” in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN ’05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, “Symmetric key based authenticated querying in wireless sensor networks,” in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, “An efficient scheme for user authentication in wireless sensor networks,” in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW ’07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, “Distributed user access control in sensor networks,” in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, San Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, “IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks,” Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, “On broadcast authentication in wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, “Multi-user broadcast authentication in wireless sensor networks,” in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellare, C. Namprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes,” in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT ’04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, “A database record encryption scheme using the RSA public key cryptosystem and its master keys,” in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC ’03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: security protocols for sensor networks,” Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” in Advances in Cryptology—CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, “Computing tate pairing on smartcards,” White Paper, STMicroelectronics, 2005.

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 8: Research Article An RSA-Like Scheme for Multiuser ...downloads.hindawi.com/journals/ijdsn/2015/743623.pdf · Research Article An RSA-Like Scheme for Multiuser Broadcast Authentication

8 International Journal of Distributed Sensor Networks

0

500

1000

1500

2000

2500

3000

Ener

gy co

nsum

ptio

n on

mes

sage

bro

adca

st (J

)

1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 0V (total number of sensor nodes)

CAS

IASMAS

HASOur scheme

IMBAS p = 06

IMBAS p = 08

Figure 3 Energy consumption on message broadcast versus thetotal number of sensor nodes

Ener

gy co

nsum

ptio

n on

mes

sage

bro

adca

st (m

J)

0

100

200

300

400

500

600

700

5 10 15 20 25 30 35 40 45 500v (number of neighbors for a sensor node)

CAS

IASMAS

HASOur scheme

IMBAS p = 06

IMBAS p = 08

Figure 4 Energy consumption on message broadcast versus thenumber of neighbors for a sensor node

62 Storage Overhead In the comparison the same settingsare used as in Section 61 In CAS each sensor node isrequired to store the ECCrsquos parameters (119901 119902 119864119865

119901

1198661

ℎ 119875and 119875pub) if ECDSA is used ℎ is a one-way hash functionsuch as SHA-1 119875 is a generator of 119866

1

and 119875pub is the networkpublic key of the base station Note that 119875pub and 119875 are twopoints over 119864119865

119901

among which only one of their 119883 and 119884coordinates needs to be stored

In MAS it requires each sensor node to keep the value ℎ119903

which is the final root node of the hash tree Furthermoreeach sensor node has to store the ECCrsquos parameters if anupdated ℎ

119903

should be signed by the base station to prove itsauthenticity

Table 2 Comparisons of storage overhead for the six schemes

Schemes Memory size Quantitative resultCAS [21] 119901 119902 119886 119887 119875 119875pub asymp120 bytesMAS [21] 119901 119902 119886 119887 ℎ

119903

119875 119875pub asymp140 bytesIAS [21] 119901 119902 119886 119887 119875 119875pub asymp120 bytesHAS [22] A Bloom filter 119901 119902 119886 119887 119875 119875pub asymp10155 bytesIMBAS [20] 119901 119902 119886 119887 119875 119875pub asymp120 bytesOur scheme 119890

0

128 bytes

0500

1000150020002500300035004000450050005500

Stor

age s

ize (

byte

)

100 200 300 400 5000m (total number of network users)

CAS

IASMAS

HAS

Our schemeIMBAS

Figure 5 Storage size per sensor node versus the total number ofnetwork users

In IAS each sensor node also has to be preloaded withthe ECCrsquos parameters (119901 119902 119864119865

119901

1198661

1198662

119890119867 ℎ 119875 and119875pub)where 119867 is the MapToPoint hash function which can mapstrings to nonzero elements in119866

1

When HAS supports up to1000 users each sensor node is required to store 98 KBytesfor a single Bloom filter [22] (119891req = 203 times 10

minus17)The parameters used by IMBAS [20] are similar to IASrsquos

parameters not including 1198662

119890 and119867 so we do not describethem again For our scheme only the public key 119890

0

has to bestored by each sensor node For the sake of simplicity we onlyquantify the parameters (119901 119902 119886 119887 119875 and 119875pub) for the ECCbased schemes to compare our scheme with them

The comparisons of the different schemes are shown inTable 2 Clearly it can be observed that most of the schemesoutperformHAS in terms of storage overhead for each sensornode In addition from Figure 5 it can be observed that thestorage size of our scheme is much less than HAS Moreoverthe storage size of HAS increases significantly when thenumber of network users varies from 0 to 1000 Thereforeit can be inferred that the scalability of HAS is not good ascompared with the other schemes

63 Storage Overhead on Revocation List An adversary maycapture the devices of legal users and then heshe can

International Journal of Distributed Sensor Networks 9

0200400600800

100012001400160018002000

Addi

tiona

l sto

rage

size

(byt

e)

100 200 300 400 500 600 700 800 900 10000Number of revoked users

CAS

IASMAS

HAS

Our schemeIMBAS

Figure 6 Storage size per sensor node versus the number of revokedusers

Table 3 A table illustrating whether or not current users have toobtain new authentication information from the base station for thesix schemes

CAS [21] MAS [21] IAS [21] HAS [22] IMBAS [20] Ourscheme

YesorNo

No Yes Yes No No No

impersonate these legal users to broadcast bogus messages toWSNs for the purpose of exhausting the precious energy ofsensor nodes So the base station has to revoke these illegalusers in WSNs The previous schemes require each sensornode to store the IDs of revoked users infinitely when thenumber of revoked users increases unceasingly For exampleCAS HAS and IMBAS require each sensor node to store therevoked IDs Therefore the three schemes may incur a largeamount of storage overhead

In IAS each sensor node stores the revoked IDs onlywithin one time interval and removes them at the beginningof the next time interval because each user has to obtain a newprivate key from the base station at the beginning of each timeinterval Instead MAS and our scheme do not require eachsensor node to store any revoked ID due to the update of ℎ

119903

and 1198900

We assume that there are two hundred users that arerevoked by the base station within each time interval

Figure 6 shows the comparisons of the storage size forthe six schemes with respect to the number of revoked usersIn addition once an illegal user is revoked MAS requirescurrent users to obtain the updated AAIs regenerated by thebase station This may be impractical for the current usersroaming inWSNs In IAS each current user also has to obtaina new private key from the base station at the beginning ofeach time interval so it is still impractical for the currentusers Table 3 illustrates whether or not current users have toobtain new authentication information from the base station

6.4. Computational Overhead. In this section, we evaluate the computational overhead of each sensor node. We focus on the computational overhead for each sensor node of verifying a message broadcast by a user. Note that we still use the same assumptions as mentioned before for our evaluations. In order to compare our scheme with the other schemes in terms of computational overhead, we define seven notations as follows:

(i) $T_m$ is the time to perform one point multiplication operation over an elliptic curve.

(ii) $T_p$ is the time to perform one pairing operation.

(iii) $T_E$ is the time to perform one signature verification (ECDSA-160).

(iv) $T_h$ is the time to perform one one-way hash function operation.

(v) $T_H$ is the time to perform one MapToPoint hash function operation.

(vi) $T_e$ is the time to perform one modular exponentiation operation in $G_2$.

(vii) $T_{RSA}$ is the time to perform one signature verification (RSA-1024).

In CAS, each sensor node has to perform two ECDSA signature verification procedures and two hash function operations. In MAS, to verify the user's public key, it requires a chain of hash function operations, and we assume that there are $\lambda$ hash function operations to be performed. In IAS, it requires one modular exponentiation operation in $G_2$, one MapToPoint hash function operation, and two pairing operations. We simply assume that the total number of hash function operations for each sensor node to verify the user's public key is $\lambda'$ in HAS. Furthermore, the main computational overhead of HAS is based on one ECDSA signature verification. When the message is broadcasted by the user, IMBAS takes three point multiplication operations and one hash function operation. In addition, IMBAS takes one ECDSA signature verification if the message is broadcasted by the base station. In our scheme, each sensor node is required to perform one hash function operation and one RSA signature verification.

According to [9], the energy cost to verify an ECDSA signature is 45.09 mJ in a MICA2DOT mote. Thus, we can estimate the time to perform an ECDSA signature verification is 45.09 mJ/13.8 mW = 3.267 s. We recall that 13.8 mW is the energy consumption of the MICA2DOT mote in active mode. Besides, assume that SHA-1 is used and its energy consumption is 5.9 μJ/byte [9]. Therefore, the time to perform the SHA-1 hash function is 0.01 s when the input size is 24 bytes. Obviously, the time is very small, so it can be ignored.

For a MICA2 mote at 8 MHz, it takes 0.81 s to perform one point multiplication operation over an elliptic curve [10]. Thus, the MICA2DOT mote roughly needs 0.81 × 8/4 = 1.62 s to perform such an operation. As reported in [29], the time to perform the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz is 0.752 s. Thus, for the MICA2DOT mote, it roughly needs 6.204 s (0.752 × 33/4) to perform the Tate pairing.


Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
|---|---|---|
| CAS [21] | $2T_E + 2T_h$ | ≈6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈4.2228 s ($p = 0.6$); ≈4.5414 s ($p = 0.8$) |
| Our scheme | $T_{RSA} + T_h$ | ≈0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256 M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate the time to perform RSA signature verification is 11.9 mJ/13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or by the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes, because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10,000. Obviously, our scheme is better than previous schemes.
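The derivation of Table 4 carried through in code, as an added example that is not part of the paper: it recomputes each scheme's verification time from the measurements quoted above and can optionally keep the hash term $T_h$ that the text drops. The 4 MHz MICA2DOT clock (implied by the 8/4 and 33/4 factors), the function names, and the per-node-times-N network energy model are assumptions.

```python
# Added example: cost model behind Table 4 (not the authors' code).
ACTIVE_POWER_MW = 13.8   # MICA2DOT active-mode figure quoted in the text
MICA2DOT_MHZ = 4.0       # assumption: implied by the text's 8/4 and 33/4 factors


def time_from_energy(energy_mj, power_mw=ACTIVE_POWER_MW):
    """Run time in seconds of an operation costing energy_mj (mJ / mW = s)."""
    return energy_mj / power_mw


def scale_by_clock(seconds, measured_mhz, target_mhz=MICA2DOT_MHZ):
    """Port a timing to the mote, assuming time scales inversely with clock rate."""
    return seconds * measured_mhz / target_mhz


def primitives(hash_input_bytes=24, ignore_hash=True):
    """Per-operation times (s) on the MICA2DOT, using the text's notation."""
    t_p = scale_by_clock(0.752, 33.0)                   # Tate pairing, from [29]
    t_h = time_from_energy(5.9e-3 * hash_input_bytes)   # SHA-1 at 5.9 uJ/byte
    return {
        "T_m": scale_by_clock(0.81, 8.0),   # EC point multiplication, from [10]
        "T_p": t_p,
        "T_E": time_from_energy(45.09),     # ECDSA-160 verification
        "T_h": 0.0 if ignore_hash else t_h, # the text ignores this term
        "T_H": t_p * 3.0 / 47.40,           # MapToPoint, scaled via pairing ratio
        "T_e": t_p * 3.13 / 47.40,          # exponentiation in G_2, same scaling
        "T_RSA": time_from_energy(11.9),    # RSA-1024 verification
    }


def verify_time(scheme, t, lam=0, lam_prime=0, p=0.6):
    """Time (s) for one node to verify one message, per the Table 4 formulas.

    lam and lam_prime are the hash-chain lengths of MAS and HAS; p weights the
    user-broadcast case in IMBAS, as read from the formula in Table 4.
    """
    formulas = {
        "CAS": lambda: 2 * t["T_E"] + 2 * t["T_h"],
        "MAS": lambda: t["T_E"] + (lam + 1) * t["T_h"],
        "IAS": lambda: 2 * t["T_p"] + t["T_H"] + t["T_e"],
        "HAS": lambda: t["T_E"] + lam_prime * t["T_h"],
        "IMBAS": lambda: p * (3 * t["T_m"] + t["T_h"]) + (1 - p) * t["T_E"],
        "Our scheme": lambda: t["T_RSA"] + t["T_h"],
    }
    return formulas[scheme]()


def network_energy_j(seconds_per_node, n_nodes, power_mw=ACTIVE_POWER_MW):
    """Total energy (J) if every one of n_nodes verifies the message once.

    Assumption: network energy is per-node time x active power x node count.
    """
    return seconds_per_node * power_mw / 1000.0 * n_nodes


def table4(ignore_hash=True, lam=0, lam_prime=0):
    """Return {row label: seconds}, with IMBAS at both p values from Table 4."""
    t = primitives(ignore_hash=ignore_hash)
    rows = {}
    for name in ("CAS", "MAS", "IAS", "HAS", "Our scheme"):
        rows[name] = verify_time(name, t, lam=lam, lam_prime=lam_prime)
    for p in (0.6, 0.8):
        rows["IMBAS p=%.1f" % p] = verify_time("IMBAS", t, p=p)
    return rows


if __name__ == "__main__":
    for name, seconds in table4().items():
        print("%-12s %7.3f s  %8.1f J for 10,000 nodes"
              % (name, seconds, network_energy_j(seconds, 10000)))
```

With `ignore_hash=False` and a chain of 100 hashes, the MAS estimate rises from about 3.27 s to about 4.30 s, so the hash term is negligible only for short chains.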

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls in the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node takes a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node is still invariable, because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has bigger message size, it is still adoptable for the WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes. [Plot: energy consumption for verifying a message (J) against the total number of sensor nodes, with curves for CAS, MAS, IAS, HAS, our scheme, IMBAS (p = 0.6), and IMBAS (p = 0.8).]

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, "Mobile object tracking in wireless sensor networks," Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, "Energy efficient multiple target tracking in wireless sensor networks," IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Symposium on Security And Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, "A pairwise key pre-distribution scheme for wireless sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, "A pairwise key predistribution scheme for wireless sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom '05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, "Comparing elliptic curve cryptography and RSA on 8-bit CPUs," in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: security protocols for sensor networks," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom '01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, "WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks," in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM '06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., "A fast and efficient source authentication solution for broadcasting in wireless sensor networks," in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS '07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, "An efficient broadcast authentication scheme in wireless sensor networks," in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, "The BiBa one-time signature and broadcast authentication protocol," in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, "Realizing robust user authentication in sensor networks," in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN '05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, "Symmetric key based authenticated querying in wireless sensor networks," in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, "An efficient scheme for user authentication in wireless sensor networks," in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW '07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, "Distributed user access control in sensor networks," in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, "IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks," Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, "On broadcast authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, "Multi-user broadcast authentication in wireless sensor networks," in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellare, C. Namprempre, and G. Neven, "Security proofs for identity-based identification and signature schemes," in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT '04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, "A database record encryption scheme using the RSA public key cryptosystem and its master keys," in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC '03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Advances in Cryptology—CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001 Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, "Computing tate pairing on smartcards," White Paper, STMicroelectronics, 2005.


Page 9: Research Article An RSA-Like Scheme for Multiuser ...downloads.hindawi.com/journals/ijdsn/2015/743623.pdf · Research Article An RSA-Like Scheme for Multiuser Broadcast Authentication

International Journal of Distributed Sensor Networks 9

0200400600800

100012001400160018002000

Addi

tiona

l sto

rage

size

(byt

e)

100 200 300 400 500 600 700 800 900 10000Number of revoked users

CAS

IASMAS

HAS

Our schemeIMBAS

Figure 6 Storage size per sensor node versus the number of revokedusers

Table 3 A table illustrating whether or not current users have toobtain new authentication information from the base station for thesix schemes

CAS [21] MAS [21] IAS [21] HAS [22] IMBAS [20] Ourscheme

YesorNo

No Yes Yes No No No

impersonate these legal users to broadcast bogus messages toWSNs for the purpose of exhausting the precious energy ofsensor nodes So the base station has to revoke these illegalusers in WSNs The previous schemes require each sensornode to store the IDs of revoked users infinitely when thenumber of revoked users increases unceasingly For exampleCAS HAS and IMBAS require each sensor node to store therevoked IDs Therefore the three schemes may incur a largeamount of storage overhead

In IAS each sensor node stores the revoked IDs onlywithin one time interval and removes them at the beginningof the next time interval because each user has to obtain a newprivate key from the base station at the beginning of each timeinterval Instead MAS and our scheme do not require eachsensor node to store any revoked ID due to the update of ℎ

119903

and 1198900

We assume that there are two hundred users that arerevoked by the base station within each time interval

Figure 6 shows the comparisons of the storage size forthe six schemes with respect to the number of revoked usersIn addition once an illegal user is revoked MAS requirescurrent users to obtain the updated AAIs regenerated by thebase station This may be impractical for the current usersroaming inWSNs In IAS each current user also has to obtaina new private key from the base station at the beginning ofeach time interval so it is still impractical for the currentusers Table 3 illustrates whether or not current users have toobtain new authentication information from the base station

64 Computational Overhead In this section the compu-tational overhead of each sensor node will be evaluated byus We focus on the computational overhead of verifying amessage broadcasted by a user for each sensor nodeNote thatwe still use the same assumptions asmentioned before for ourevaluations In order to compare our scheme with the otherschemes in terms of computational overhead we define sevennotations as follows

(i) 119879119898

is the time to perform one point multiplicationoperation over an elliptic curve

(ii) 119879119901

is the time to perform one pairing operation(iii) 119879

119864

is the time to perform one signature verification(ECDSA-160)

(iv) 119879ℎ

is the time to perform one one-way hash functionoperation

(v) 119879119867

is the time to perform one MapToPoint hashfunction operation

(vi) 119879119890

is the time to perform onemodular exponentiationoperation in 119866

2

(vii) 119879RSA is the time to perform one signature verification

(RSA-1024)

In CAS each sensor node has to perform two ECDSAsignature verification procedures and two hash functionoperations In MAS to verify the userrsquos public key it requiresa chain of hash function operations and we assume thatthere are 120582 hash function operations to be performed InIAS it requires one modular exponentiation operation in 119866

2

one MapToPoint hash function operation and two pairingoperations We simply assume that the total number ofhash function operations for each sensor node to verifythe userrsquos public key is 1205821015840 in HAS Furthermore the maincomputational overhead of HAS is based on one ECDSAsignature verification When the message is broadcasted bythe user IMBAS takes three point multiplication operationsand one hash function operation In addition IMBAS takesone ECDSA signature verification if the message is broad-casted by the base station In our scheme each sensor nodeis required to perform one hash function operation and oneRSA signature verification

According to [9] the energy cost to verify an ECDSAsignature is 4509mJ in a MICA2DOT mote Thus we canestimate the time to performanECDSA signature verificationis 4509mJ138mW = 3267 s We recall that 138mW isthe energy consumption of the MICA2DOT mote in activemode Besides assume that SHA-1 is used and its energyconsumption is 59120583Jbyte [9]Therefore the time to performthe SHA-1 hash function is 001 s when the input size is 24bytes Obviously the time is very small so it can be ignored

For a MICA2 mote at 8MHz it takes 081 s to performone point multiplication operation over an elliptic curve [10]ThusMICA2DOTmote roughly needs 081 times 84 = 162 s toperform such an operation As reported in [29] the time toperform the Tate pairing on a 32-bit ST22 smartcard micro-processor at 33MHz is 0752 s Thus for the MICA2DOTmote it roughly needs 6204 s (0752 times 334) to perform theTate pairing

10 International Journal of Distributed Sensor Networks

Table 4 Comparisons of computational overhead for the sixschemes

Schemes Computational overhead Quantitative resultCAS [21] 2119879

119864

+ 2119879ℎ

asymp6534 sMAS [21] 119879

119864

+ (120582 + 1)119879ℎ

asymp3267 sIAS [21] 2119879

119901

+ 119879119867

+ 119879119890

asymp13209 sHAS [22] 119879

119864

+ 1205821015840

119879ℎ

asymp3267 s

IMBAS [20] 119901(3119879119898

+ 119879ℎ

) + (1 minus 119901)119879119864

asymp42228 s (119901 = 06)asymp45414 s (119901 = 08)

Our scheme 119879RSA + 119879ℎ asymp0862 s

According to [21] the MapToPoint hash function takes30ms a modular exponentiation operation in 119866

2

takes313ms and a Tate pairing operation takes 4740ms on aPentium IV 226GHz processor with 256M RAM Similarlyfor the MICA2DOT mote the times of performing theMapToPoint hash function and a modular exponentiationoperation in 119866

2

are 6204 times 304740 = 0392 and 6204 times3134740 = 0409 s respectively In addition the energyconsumption of the MICA2DOT mote to sign and verifya signature of 1024-bit RSA is 304 and 119mJ respectively[9] We can also estimate the time to perform RSA signatureverification is 119mJ138mW = 0862 s In 160-bit ECDSAthe energy consumption to sign and verify a signature is 2282and 4509mJ respectively [9]

The cost of generating an RSA signature is higher thanthat of verifying an RSA signature but it does not matter inour scheme The reason is that signatures are generated byusers who are equipped with mobile devices or the powerfulbase station In our scheme each sensor node is required toperform only one RSA signatures verification

Table 4 shows the computational time of the six schemesfor verifying a message We can observe that the computa-tional time of our scheme is significantly less than that ofthe remaining schemes Furthermore it can also be inferredthat IAS introduces amuchhigher computational overhead ascompared to the remaining schemes because it requires eachsensor node to perform two pairing operations

Figure 7 also shows the energy consumption of theschemes for verifying a message when the total number ofsensor nodes varies from 0 to 10 000 Obviously our schemeis better than previous schemes

7 Conclusions

In this paper we propose an RSA-like multiuser broadcastauthentication scheme in WSNs Although it is assumed thatRSA is unsuitable for resource-constrained sensor nodes theenergy cost to verify an RSA signature is still acceptable forthe sensor nodesThe quantitative analysis on computationalcost for verifying a message shows that our scheme is moreefficient than the previous schemes Moreover the maincost of computation always falls in the base station whichis trustworthy and powerful In our scheme the storagecost for each sensor node takes a network public key onlyNo matter how many users are compromised in WSNs the

0200400600800

100012001400160018002000

Ener

gy co

nsum

ptio

n fo

r ver

ifyin

g a m

essa

ge (J

)

1000 2000 3000 4000 5000 6000 7000 8000 9000 100000V (total number of sensor nodes)

CAS

IASMAS

HASOur scheme

IMBAS p = 06

IMBAS p = 08

Figure 7 Energy consumption for verifying a message versus thetotal number of sensor nodes

storage cost for each sensor node is still invariable becauseit only needs to update the network public key On theother hand each sensor node is able to verify every messageimmediately so our scheme can mitigate the impact of DoSattacks As a result although our scheme has bigger messagesize it is still adoptable for the WSNs in terms of storageoverhead computational overhead scalability and securityrequirements

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

References

[1] H-WTsai C-P Chu andT-S Chen ldquoMobile object tracking inwireless sensor networksrdquo Computer Communications vol 30no 8 pp 1811ndash1825 2007

[2] W-L Yeow C-K Tham and W-C Wong ldquoEnergy efficientmultiple target tracking in wireless sensor networksrdquo IEEETransactions onVehicular Technology vol 56 no 2 pp 918ndash9282007

[3] H Chan A Perrig and D Song ldquoRandom key predistributionschemes for sensor networksrdquo in Proceedings of the IEEESymposium on Security And Privacy pp 197ndash213 May 2003

[4] W Du J Deng Y S Han and P K Varshney ldquoA pairwisekey pre-distribution scheme for wireless sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 42ndash51 ACM DenverColo USA October 2003

[5] W Du J Deng Y S Han P K Varshney J Katz and AKhalili ldquoA pairwise key predistribution scheme for wirelesssensor networksrdquoACMTransactions on Information and SystemSecurity vol 8 no 2 pp 228ndash258 2005

[6] L Eschenauer and V D Gligor ldquoA key-management schemefor distributed sensor networksrdquo in Proceedings of the 9th ACM

International Journal of Distributed Sensor Networks 11

Conference on Computer and Communications Security (CCSrsquo02) pp 41ndash47 ACM Washington DC USA November 2002

[7] D Liu and P Ning ldquoEstablishing pairwise keys in distributedsensor networksrdquo in Proceedings of the 10th ACMConference onComputer and Communications Security (CCS rsquo03) pp 52ndash61ACM Washington DC USA October 2003

[8] D Liu P Ning and L I Rongfang ldquoEstablishing pairwisekeys in distributed sensor networksrdquo ACM Transactions onInformation and System Security vol 8 no 1 pp 41ndash77 2005

[9] A S Wandert N Gura H Eberle V Gupta and S C ShantzldquoEnergy analysis of public-key cryptography for wireless sensornetworksrdquo in Proceedings of the 3rd IEEE International Con-ference on Pervasive Computing and Communications (PerComrsquo05) pp 324ndash328 March 2005

[10] N Gura A Patel A Wander H Eberle and S C ShantzldquoComparing elliptic curve cryptography and RSA on 8-bitCPUsrdquo in Proceedings of the 6th International Workshop onCryptographic Hardware and Embedded Systems pp 119ndash132Boston Mass USA August 2004

[11] A Perrig R Szewczyk V Wen D Culler and J D TygarldquoSPINS security protocols for sensor networksrdquo in Proceedingsof the 7th Annual International Conference onMobile Computingand Networking (MobiCom rsquo01) pp 189ndash199 Rome Italy July2001

[12] Y Zhou and Y Fang ldquoWSN09-1 BABRA batch-based broad-cast authentication in wireless sensor networksrdquo in Proceedingsof the 49th Annual IEEE Global Telecommunications Conference(GLOBECOM rsquo06) pp 1ndash5 San Francisco Calif USA Decem-ber 2006

[13] T Wu Y Cui B Kusy et al ldquoA fast and efficient sourceauthentication solution for broadcasting in wireless sensornetworksrdquo in Proceedings of the IFIP International Conferenceon New Technologies Mobility and Security (NTMS rsquo07) pp 53ndash63 Paris France May 2007

[14] S-M Chang S ShiehWW Lin and C-MHsieh ldquoAn efficientbroadcast authentication scheme in wireless sensor networksrdquoin Proceedings of the ACM Symposium on Information Com-puter and Communications Security (ASIACCS rsquo06) pp 311ndash320Taipei Taiwan March 2006

[15] A Perrig ldquoThe BiBa one-time signature and broadcast authen-tication protocolrdquo in Proceedings of the 8th ACM Conference onComputer and Communications Security (CCS rsquo01) pp 28ndash37Philadelphia Pa USA November 2001

[16] Z Benenson N Gedicke and O Raivio ldquoRealizing robust userauthentication in sensor networksrdquo in Proceedings of the 1stWorkshop on Real-World Wireless Sensor Networks (REALWSNrsquo05) Stockholm Sweden June 2005

[17] S Banerjee and D Mukhopadhyay ldquoSymmetric key basedauthenticated querying inwireless sensor networksrdquo inProceed-ings of the 1st International Conference on Integrated Internet Adhoc and Sensor Networks pp 213ndash229 Nice France May 2006

[18] C Jiang B Li and H Xu ldquoAn efficient scheme for userauthentication in wireless sensor networksrdquo in Proceedingsof the 21st International Conference on Advanced InformationNetworking andApplicationsWorkshopsSymposia (AINAW rsquo07)vol 1 pp 438ndash442 Ontario Canada May 2007

[19] H Wang and Q Li ldquoDistributed user access control in sensornetworksrdquo in Proceedings of the IEEE International ConferenceDistributed Computing in Sensor Systems pp 305ndash320 Fran-cisco Calif USA June 2006

[20] X Cao W Kou L Dang and B Zhao ldquoIMBAS identity-based multi-user broadcast authentication in wireless sensor

networksrdquo Computer Communications vol 31 no 4 pp 659ndash667 2008

[21] K Ren W Lou K Zeng and P J Moran ldquoOn broadcastauthentication in wireless sensor networksrdquo IEEE Transactionson Wireless Communications vol 6 no 11 pp 4136ndash4144 2007

[22] K Ren W Lou and Y Zhang ldquoMulti-user broadcast authen-tication in wireless sensor networksrdquo in Proceedings of the 4thAnnual IEEE Communications Society Conference on SensorMesh and Ad Hoc Communications and Networks (SECON rsquo07)pp 223ndash232 San Diego Calif USA June 2007

[23] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology Proceedings of CRYPTO84 vol 196 of Lecture Notes in Computer Science pp 47ndash53Springer Berlin Germany 1985

[24] M Bellarea C Namprempre and G Neven ldquoSecurity proofsfor identity-based identification and signature schemesrdquo inProceedings of the International Conference on Advances inCryptology (EUROCRYPT rsquo04) Interlaken Switzerland May2004 pp 268ndash286 Springer 2004

[25] C P Schnorr ldquoEfficient signature generation by smart cardsrdquoJournal of Cryptology vol 4 no 3 pp 161ndash174 1991


Table 4: Comparisons of computational overhead for the six schemes.

| Schemes | Computational overhead | Quantitative result |
| --- | --- | --- |
| CAS [21] | $2T_E + 2T_h$ | ≈ 6.534 s |
| MAS [21] | $T_E + (\lambda + 1)T_h$ | ≈ 3.267 s |
| IAS [21] | $2T_p + T_H + T_e$ | ≈ 13.209 s |
| HAS [22] | $T_E + \lambda' T_h$ | ≈ 3.267 s |
| IMBAS [20] | $p(3T_m + T_h) + (1 - p)T_E$ | ≈ 4.2228 s ($p = 0.6$); ≈ 4.5414 s ($p = 0.8$) |
| Our scheme | $T_{\mathrm{RSA}} + T_h$ | ≈ 0.862 s |

According to [21], the MapToPoint hash function takes 3.0 ms, a modular exponentiation operation in $G_2$ takes 3.13 ms, and a Tate pairing operation takes 47.40 ms on a Pentium IV 2.26 GHz processor with 256M RAM. Similarly, for the MICA2DOT mote, the times of performing the MapToPoint hash function and a modular exponentiation operation in $G_2$ are 6.204 × 3.0/47.40 = 0.392 and 6.204 × 3.13/47.40 = 0.409 s, respectively. In addition, the energy consumption of the MICA2DOT mote to sign and verify a signature of 1024-bit RSA is 304 and 11.9 mJ, respectively [9]. We can also estimate that the time to perform RSA signature verification is 11.9 mJ/13.8 mW = 0.862 s. In 160-bit ECDSA, the energy consumption to sign and verify a signature is 22.82 and 45.09 mJ, respectively [9].

The cost of generating an RSA signature is higher than that of verifying an RSA signature, but it does not matter in our scheme. The reason is that signatures are generated by users who are equipped with mobile devices or by the powerful base station. In our scheme, each sensor node is required to perform only one RSA signature verification.

Table 4 shows the computational time of the six schemes for verifying a message. We can observe that the computational time of our scheme is significantly less than that of the remaining schemes. Furthermore, it can also be inferred that IAS introduces a much higher computational overhead as compared to the remaining schemes because it requires each sensor node to perform two pairing operations.

Figure 7 also shows the energy consumption of the schemes for verifying a message when the total number of sensor nodes varies from 0 to 10,000. Obviously, our scheme is better than previous schemes.
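The Table 4 figures can be rebuilt from the primitive costs quoted above; the following is an added worked example, not code from the paper. It assumes that $T_E$ is the ECDSA verification time (this matches the 3.267 s rows), that $T_h$ is negligible, that $T_m$ can be solved from the IMBAS $p = 0.6$ row, and that Figure 7 plots $V$ times the per-node verification energy at 13.8 mW.

```python
# Added worked example: rebuild Table 4 from the costs quoted in the text.
P_MW = 13.8                 # mote power draw used in the text (mW)
E_RSA_VERIFY_MJ = 11.9      # 1024-bit RSA verification energy [9]
E_ECDSA_VERIFY_MJ = 45.09   # 160-bit ECDSA verification energy [9]
T_PAIRING_MOTE_S = 6.204    # pairing time on the mote, as used in the text
PC_MS = {"pairing": 47.40, "map_to_point": 3.0, "exp_g2": 3.13}  # Pentium IV [21]
T_HASH_S = 0.0              # assumption: T_h is negligible in the results column


def energy_to_time(energy_mj, power_mw=P_MW):
    """Time in seconds spent drawing power_mw to consume energy_mj."""
    if power_mw <= 0:
        raise ValueError("power must be positive")
    return energy_mj / power_mw


def scale_to_mote(op):
    """Scale a Pentium IV timing to the mote by the pairing-time ratio."""
    return T_PAIRING_MOTE_S * PC_MS[op] / PC_MS["pairing"]


def imbas_time(p, t_m, t_ecdsa, t_h=T_HASH_S):
    """IMBAS row of Table 4: p(3T_m + T_h) + (1 - p)T_E."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return p * (3 * t_m + t_h) + (1 - p) * t_ecdsa


def solve_t_m(total, p, t_ecdsa, t_h=T_HASH_S):
    """Invert the IMBAS formula for T_m, given one published row."""
    if not 0.0 < p <= 1.0:
        raise ValueError("p must be in (0, 1]")
    return ((total - (1 - p) * t_ecdsa) / p - t_h) / 3


def table4(imbas_p06_row=4.2228, lam=1, lam_prime=1):
    """Return (rows, T_m); T_m is inferred from the p = 0.6 IMBAS row."""
    t_rsa = energy_to_time(E_RSA_VERIFY_MJ)
    t_ecdsa = energy_to_time(E_ECDSA_VERIFY_MJ)   # assumed meaning of T_E
    t_map = scale_to_mote("map_to_point")         # T_H
    t_exp = scale_to_mote("exp_g2")               # T_e
    t_m = solve_t_m(imbas_p06_row, 0.6, t_ecdsa)
    rows = {
        "CAS": 2 * t_ecdsa + 2 * T_HASH_S,
        "MAS": t_ecdsa + (lam + 1) * T_HASH_S,
        "IAS": 2 * T_PAIRING_MOTE_S + t_map + t_exp,
        "HAS": t_ecdsa + lam_prime * T_HASH_S,
        "IMBAS p=0.6": imbas_time(0.6, t_m, t_ecdsa),
        "IMBAS p=0.8": imbas_time(0.8, t_m, t_ecdsa),
        "Our scheme": t_rsa + T_HASH_S,
    }
    return rows, t_m


def network_energy_j(seconds_per_node, nodes, power_mw=P_MW):
    """Assumed Figure 7 model: every one of `nodes` verifies one message."""
    if nodes < 0:
        raise ValueError("node count must be non-negative")
    return nodes * seconds_per_node * power_mw / 1000.0


if __name__ == "__main__":
    rows, t_m = table4()
    for name, seconds in rows.items():
        joules = network_energy_j(seconds, 10_000)
        print(f"{name:12s} {seconds:8.3f} s  {joules:8.1f} J at V=10000")
    print(f"inferred T_m = {t_m:.3f} s")
```

The $p = 0.8$ IMBAS row is not used as an input, so its agreement with the table is a consistency check on the inferred $T_m$.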

7. Conclusions

In this paper, we propose an RSA-like multiuser broadcast authentication scheme in WSNs. Although it is assumed that RSA is unsuitable for resource-constrained sensor nodes, the energy cost to verify an RSA signature is still acceptable for the sensor nodes. The quantitative analysis on computational cost for verifying a message shows that our scheme is more efficient than the previous schemes. Moreover, the main cost of computation always falls in the base station, which is trustworthy and powerful. In our scheme, the storage cost for each sensor node takes a network public key only. No matter how many users are compromised in WSNs, the storage cost for each sensor node is still invariable because it only needs to update the network public key. On the other hand, each sensor node is able to verify every message immediately, so our scheme can mitigate the impact of DoS attacks. As a result, although our scheme has a bigger message size, it is still adoptable for the WSNs in terms of storage overhead, computational overhead, scalability, and security requirements.

Figure 7: Energy consumption for verifying a message versus the total number of sensor nodes. (Plot: energy consumption for verifying a message in J, 0 to 2000, against V, the total number of sensor nodes, 1000 to 10,000; series: CAS, IAS, MAS, HAS, IMBAS p = 0.6, IMBAS p = 0.8, and our scheme.)

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

[1] H.-W. Tsai, C.-P. Chu, and T.-S. Chen, “Mobile object tracking in wireless sensor networks,” Computer Communications, vol. 30, no. 8, pp. 1811–1825, 2007.

[2] W.-L. Yeow, C.-K. Tham, and W.-C. Wong, “Energy efficient multiple target tracking in wireless sensor networks,” IEEE Transactions on Vehicular Technology, vol. 56, no. 2, pp. 918–928, 2007.

[3] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 197–213, May 2003.

[4] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 42–51, ACM, Denver, Colo, USA, October 2003.

[5] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, “A pairwise key predistribution scheme for wireless sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 2, pp. 228–258, 2005.

[6] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, ACM, Washington, DC, USA, November 2002.

[7] D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 52–61, ACM, Washington, DC, USA, October 2003.

[8] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[9] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, “Energy analysis of public-key cryptography for wireless sensor networks,” in Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom ’05), pp. 324–328, March 2005.

[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing elliptic curve cryptography and RSA on 8-bit CPUs,” in Proceedings of the 6th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 119–132, Boston, Mass, USA, August 2004.

[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: security protocols for sensor networks,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MobiCom ’01), pp. 189–199, Rome, Italy, July 2001.

[12] Y. Zhou and Y. Fang, “WSN09-1: BABRA: batch-based broadcast authentication in wireless sensor networks,” in Proceedings of the 49th Annual IEEE Global Telecommunications Conference (GLOBECOM ’06), pp. 1–5, San Francisco, Calif, USA, December 2006.

[13] T. Wu, Y. Cui, B. Kusy et al., “A fast and efficient source authentication solution for broadcasting in wireless sensor networks,” in Proceedings of the IFIP International Conference on New Technologies, Mobility and Security (NTMS ’07), pp. 53–63, Paris, France, May 2007.

[14] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, “An efficient broadcast authentication scheme in wireless sensor networks,” in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS ’06), pp. 311–320, Taipei, Taiwan, March 2006.

[15] A. Perrig, “The BiBa one-time signature and broadcast authentication protocol,” in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS ’01), pp. 28–37, Philadelphia, Pa, USA, November 2001.

[16] Z. Benenson, N. Gedicke, and O. Raivio, “Realizing robust user authentication in sensor networks,” in Proceedings of the 1st Workshop on Real-World Wireless Sensor Networks (REALWSN ’05), Stockholm, Sweden, June 2005.

[17] S. Banerjee and D. Mukhopadhyay, “Symmetric key based authenticated querying in wireless sensor networks,” in Proceedings of the 1st International Conference on Integrated Internet Ad hoc and Sensor Networks, pp. 213–229, Nice, France, May 2006.

[18] C. Jiang, B. Li, and H. Xu, “An efficient scheme for user authentication in wireless sensor networks,” in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops/Symposia (AINAW ’07), vol. 1, pp. 438–442, Ontario, Canada, May 2007.

[19] H. Wang and Q. Li, “Distributed user access control in sensor networks,” in Proceedings of the IEEE International Conference Distributed Computing in Sensor Systems, pp. 305–320, San Francisco, Calif, USA, June 2006.

[20] X. Cao, W. Kou, L. Dang, and B. Zhao, “IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks,” Computer Communications, vol. 31, no. 4, pp. 659–667, 2008.

[21] K. Ren, W. Lou, K. Zeng, and P. J. Moran, “On broadcast authentication in wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 6, no. 11, pp. 4136–4144, 2007.

[22] K. Ren, W. Lou, and Y. Zhang, “Multi-user broadcast authentication in wireless sensor networks,” in Proceedings of the 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’07), pp. 223–232, San Diego, Calif, USA, June 2007.

[23] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Advances in Cryptology: Proceedings of CRYPTO 84, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.

[24] M. Bellare, C. Namprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes,” in Proceedings of the International Conference on Advances in Cryptology (EUROCRYPT ’04), Interlaken, Switzerland, May 2004, pp. 268–286, Springer, 2004.

[25] C. P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[26] C.-C. Chang and C.-W. Chan, “A database record encryption scheme using the RSA public key cryptosystem and its master keys,” in Proceedings of the International Conference on Computer Networks and Mobile Computing (ICCNMC ’03), pp. 345–348, Shanghai, China, October 2003.

[27] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: security protocols for sensor networks,” Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.

[28] D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” in Advances in Cryptology – CRYPTO 2001: 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[29] G. M. Bertoni, L. Chen, P. Fragneto, K. A. Harrison, and G. Pelosi, “Computing tate pairing on smartcards,” White Paper, STMicroelectronics, 2005.


International Journal of Distributed Sensor Networks 11

Conference on Computer and Communications Security (CCSrsquo02) pp 41ndash47 ACM Washington DC USA November 2002

[7] D Liu and P Ning ldquoEstablishing pairwise keys in distributedsensor networksrdquo in Proceedings of the 10th ACMConference onComputer and Communications Security (CCS rsquo03) pp 52ndash61ACM Washington DC USA October 2003

[8] D Liu P Ning and L I Rongfang ldquoEstablishing pairwisekeys in distributed sensor networksrdquo ACM Transactions onInformation and System Security vol 8 no 1 pp 41ndash77 2005

[9] A S Wandert N Gura H Eberle V Gupta and S C ShantzldquoEnergy analysis of public-key cryptography for wireless sensornetworksrdquo in Proceedings of the 3rd IEEE International Con-ference on Pervasive Computing and Communications (PerComrsquo05) pp 324ndash328 March 2005

[10] N Gura A Patel A Wander H Eberle and S C ShantzldquoComparing elliptic curve cryptography and RSA on 8-bitCPUsrdquo in Proceedings of the 6th International Workshop onCryptographic Hardware and Embedded Systems pp 119ndash132Boston Mass USA August 2004

[11] A Perrig R Szewczyk V Wen D Culler and J D TygarldquoSPINS security protocols for sensor networksrdquo in Proceedingsof the 7th Annual International Conference onMobile Computingand Networking (MobiCom rsquo01) pp 189ndash199 Rome Italy July2001

[12] Y Zhou and Y Fang ldquoWSN09-1 BABRA batch-based broad-cast authentication in wireless sensor networksrdquo in Proceedingsof the 49th Annual IEEE Global Telecommunications Conference(GLOBECOM rsquo06) pp 1ndash5 San Francisco Calif USA Decem-ber 2006

[13] T Wu Y Cui B Kusy et al ldquoA fast and efficient sourceauthentication solution for broadcasting in wireless sensornetworksrdquo in Proceedings of the IFIP International Conferenceon New Technologies Mobility and Security (NTMS rsquo07) pp 53ndash63 Paris France May 2007

[14] S-M Chang S ShiehWW Lin and C-MHsieh ldquoAn efficientbroadcast authentication scheme in wireless sensor networksrdquoin Proceedings of the ACM Symposium on Information Com-puter and Communications Security (ASIACCS rsquo06) pp 311ndash320Taipei Taiwan March 2006

[15] A Perrig ldquoThe BiBa one-time signature and broadcast authen-tication protocolrdquo in Proceedings of the 8th ACM Conference onComputer and Communications Security (CCS rsquo01) pp 28ndash37Philadelphia Pa USA November 2001

[16] Z Benenson N Gedicke and O Raivio ldquoRealizing robust userauthentication in sensor networksrdquo in Proceedings of the 1stWorkshop on Real-World Wireless Sensor Networks (REALWSNrsquo05) Stockholm Sweden June 2005

[17] S Banerjee and D Mukhopadhyay ldquoSymmetric key basedauthenticated querying inwireless sensor networksrdquo inProceed-ings of the 1st International Conference on Integrated Internet Adhoc and Sensor Networks pp 213ndash229 Nice France May 2006

[18] C Jiang B Li and H Xu ldquoAn efficient scheme for userauthentication in wireless sensor networksrdquo in Proceedingsof the 21st International Conference on Advanced InformationNetworking andApplicationsWorkshopsSymposia (AINAW rsquo07)vol 1 pp 438ndash442 Ontario Canada May 2007

[19] H Wang and Q Li ldquoDistributed user access control in sensornetworksrdquo in Proceedings of the IEEE International ConferenceDistributed Computing in Sensor Systems pp 305ndash320 Fran-cisco Calif USA June 2006

[20] X Cao W Kou L Dang and B Zhao ldquoIMBAS identity-based multi-user broadcast authentication in wireless sensor

networksrdquo Computer Communications vol 31 no 4 pp 659ndash667 2008

[21] K Ren W Lou K Zeng and P J Moran ldquoOn broadcastauthentication in wireless sensor networksrdquo IEEE Transactionson Wireless Communications vol 6 no 11 pp 4136ndash4144 2007

[22] K Ren W Lou and Y Zhang ldquoMulti-user broadcast authen-tication in wireless sensor networksrdquo in Proceedings of the 4thAnnual IEEE Communications Society Conference on SensorMesh and Ad Hoc Communications and Networks (SECON rsquo07)pp 223ndash232 San Diego Calif USA June 2007

[23] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology Proceedings of CRYPTO84 vol 196 of Lecture Notes in Computer Science pp 47ndash53Springer Berlin Germany 1985

[24] M Bellarea C Namprempre and G Neven ldquoSecurity proofsfor identity-based identification and signature schemesrdquo inProceedings of the International Conference on Advances inCryptology (EUROCRYPT rsquo04) Interlaken Switzerland May2004 pp 268ndash286 Springer 2004

[25] C P Schnorr ldquoEfficient signature generation by smart cardsrdquoJournal of Cryptology vol 4 no 3 pp 161ndash174 1991

[26] C-C Chang and C-W Chan ldquoA database record encryptionscheme using the RSA public key cryptosystem and its masterkeysrdquo in Proceedings of the International Conference on Com-puter Networks and Mobile Computing (ICCNMC rsquo03) pp 345ndash348 Shanghai China October 2003

[27] A Perrig R Szewczyk J D Tygar V Wen and D E CullerldquoSPINS security protocols for sensor networksrdquo Wireless Net-works vol 8 no 5 pp 521ndash534 2002

[28] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Advances in CryptologymdashCRYPTO 200121st Annual International CryptologyConference Santa BarbaraCalifornia USA August 19-23 2001 Proceedings vol 2139 ofLectureNotes in Computer Science pp 213ndash229 Springer BerlinGermany 2001

[29] G M Bertoni L Chen P Fragneto K A Harrison and GPelosi ldquoComputing tate pairing on smartcardsrdquo White PaperSTMicroelectronics 2005
