Broadcast Authentication in Sensor Networks Using ... - Springer Link

Broadcast Authentication in Sensor Networks Using Compressed Bloom Filters Yu-Shian Chen1 , I-Lun Lin2 , Chin-Laung Lei3 , and Yen-Hua Liao4 Department of Electrical Engineering National Taiwan University No. 1, Sec. 4, Roosevelt Rd., Taipei, Taiwan 106 {ethan1 ,grail2 ,radha4 }@fractal.ee.ntu.edu.tw, [email protected]

Abstract. We propose a light-weight and scalable broadcast authentication scheme, Curtain, for sensor network. Instead of using Merkel tree to combine multiple μTESLA instance, we apply compressed Bloom filters to multiple μTESLA. Our scheme can support longer duration and prolong the self-healing property. We greatly reduce the communication overhead at the cost of allocating a moderate space in each receiver. Combing with PKC computation like ECC, our scheme can guarantee the long-term security and also mitigate energy consumption. Moreover, our methods can be extend to the situation of multiple senders, offering efficient user addition and revocation. Keywords: sensor networks, network security, broadcast authentication, μTESLA, Bloom filters.

1

Introduction

Broadcast authentication is probably the most critical security primitive in sensor network, since it is the most basic approach to defend against attackers in wireless environments. Especially, the central server relies on broadcast authentication to issue legitimate commands or queries to all or partial motes in the network. Broadcast authentication becomes a trivial problem when using public key cryptography (PKC). Through digital signatures, motes could verify message authenticity as communication on Internet does. However, due to the nature that most sensor motes are resource-constrained devices, PKC was thought inappropriate for a long time. Extensive research have used only symmetric primitives to achieve light-weight broadcast authentication in sensor networks. Following the prevalent μTESLA protocol [1], a diversity of schemes based on hash chain techniques are proposed [2,3]. μTESLA is a light-weight and self-healing protocol for sensor motes. By self-healing it means that a receiver who has been off-line for some period is able to recover the lost keys immediately after coming back on-line. Despite these advantages, μTESLA or μTESLA-like protocols all have their own drawbacks. Recent research shows an 160-bits elliptic curve cryptography (ECC) [4] signature can be verified in about one second [5,6]. This dramatic improvement S. Nikoletseas et al. (Eds.): DCOSS 2008, LNCS 5067, pp. 99–111, 2008. c Springer-Verlag Berlin Heidelberg 2008 

100

Y.-S. Chen et al.

indicates that the protocol designers now may include PKC in their security schemes. We have the following observations. – Nowadays public key cryptography (PKC) like ECC is no longer timeconsuming operations for sensor motes, therefore it shall be included in security protocol design. However, we shall not use PKC too frequently since energy consumption is still a critical issue. PKC shall play the role to guarantee the long-term security, for example, generating digital signature on the session key used during an hour. It is reasonable for a mote to spend one second for verifying this session key. Within the middle-term session, the system shall utilize symmetric cryptography against various attacks. – Considering energy cost, communication is more critical than computation, since computation could be improved with the advance of hardware but radio transmission would always require an minimum power. Besides, wireless environments are always unstable and difficult to predict. Therefore, practical protocols shall work on lowering down communication first, then computation. – μTESLA-like schemes that binding multiple μTESLA instance to extend their using time all suffer their weakness. They either cause greater authentication delays or induce greater communication overhead. Based on this observation, our design goal is to minimize the communication overhead in the μTESLA-like schemes whereas remain in the same security level. In this paper, we propose Curtain: an efficient and flexible broadcast authentication protocol combing μTESLA and Bloom filter techniques. Curtain extends the self-healing property across multiple key chains by storing a moderate size of Bloom bitmap. Working together with ECC, our schemes can guarantee the long-term security of broadcast authentication with lower communication overhead. Curtain highly reduces the communication overhead by compressing the bitmaps and scales up in dimension of time and senders. Our Contribution: We employ Bloom filters technique, especially compressed Bloom filters, to broadcast authentication based on μTESLA and demonstrate that it is a viable and scalable solution compared with former research. We also point out the shortcoming and impracticality of former μTESLA-like schemes and overcome these drawbacks. Our scheme supports multiuser broadcast authentication and has great performance in updating or revoking users.

2 2.1

Preliminaries System Model and Attack Model

System Model: In this paper, we consider the problem of long-term and scalable broadcast authentication in sensor networks. The network consists of a base station or gateway which is directly controlled by the administrator and a large number of resource-limited sensor motes which could be compromised by the adversary. The administrator is allowed to pre-load secret information into each

Broadcast Authentication in Sensor Networks

101

motes before network deployment. The base station usually acts as a broadcast sender since the administrator make commands or queries to other motes through it. We assume the sensor motes are capable to verify ECC signatures in a few seconds [5,6]. There are applications where regular motes also need to broadcast authenticated messages. We will first consider the basic situation that only the base station as sender and the other motes as receivers. Later in Section 4 we will extend our approach to accommodate multiple senders in the same network. We use the same assumption that sender and all receivers have loose time synchronization with accuracy in the range of few μs as all μTESLA-like schemes did. Throughout this paper, we will use 160 bits as the length of all hash values. Attack Model: An adversary can execute a wide range of attacks including eavesdrop, modify, forge, or replay. Basically the adversary can compromise some sensor motes and obtain their secret information. Note that denial-of-service (DoS) attack which jams the wireless channel is not our concern in this paper since there is no effective way to prevent such attack being launched due to the nature of wireless communication. We assume the adversary has computation resource equivalent to several personal computers, which means it is computationally infeasible for the adversary to break the underlying cryptographic primitives like hash and encryption. In the language of cryptanalysis, the probability that the adversary breaks the primitives in one time should be less than 2−κ where κ is the security parameter. For example, the probability to find a collision in 160-bits hash function should be less than 2−80 (approximately ≤ 10−24 ). An typical attack to broadcast authentication is that an adversary intercepts all broadcast information from legitimate sender and forwards falsified message to compromised receivers. 2.2

μTESLA and μTESLA-Like Schemes

Standard μTESLA: μTESLA protocol uses only symmetric cryptographic primitives but provides very efficient solution for resource-limited sensor motes. To create the asymmetry for verification, μTESLA utilizes delay disclosure of MAC keys. Before deployment, the sender randomly chooses the last-used key Kn then generates a μTESLA key chain according to Ki = F (Ki+1 ) or Ki = F n−i (Kn ) where F is a cryptographic one-way hash function, such as SHA-11 or MD5. The key chain is called a μTESLA instance and the fist-used but last-generated key K0 is called the commitment of the μTESLA instance. The commitment is preloaded into each receiver’s memory before deployment. The sender splits time into consecutive μTESLA interval Ii corresponding to the μTESLA instance. Each key 1

SHA-1 is considered not secure enough since Wang et al. had greatly reduced its complexity in [7]. We could switch to the stronger alternatives such as SHA-2 for stronger security.

102

Y.-S. Chen et al.

Ki in the chain is used for Message Authentication Code (MAC) during Ii but will not be disclosed until some later interval Ii+Δ . (e.g. Δ = 2) All broadcast messages during Ii will be attached with its MAC generated by Ki . Also the sender sends out the most recent key it can disclose Ki−Δ in Ii . Later in Ii+Δ the receivers can verify the messages queued during Ii by the new-released key. Also μTESLA is self-healing in the sense that a receiver who has been offline for some period is able to recover the lost keys immediately after coming back on-line. In some applications, a receiver may wait for a long time for the next broadcast message from sender. Despite that the receiver has missed many intermediate keys, he can still recursively compute hash to derive former MAC keys. Figure 1 illustrates an example of μTESLA. A typical μTESLA interval

Fig. 1. An Example of μTESLA

is about 100 ms, and one key chain consists of 1000 keys, thus one key chain can sustain about 100 seconds. Following the basic μTESLA approach, there were many research working on extending the lifetime of μTESLA by combining multiple instances. Multi-level μTESLA branches the key chains in more dimensions [2]. The higher-level μTESLA instances are used to generate lower-level instances and the lowest-level instances are used to authenticate data packets. However, it also induces multi-level authentication delays, which means even the receiver has obtained the MAC keys of those queued messages, it can not completely verify the messages because the validity of the very MAC keys relies on the higher-level key which will not be disclosed until current instance is out of usage. To be fully verify the messages and the MAC keys, the receiver has to queue at least all messages received during the instances, which is not desirable in practice. Tree-based μTESLA: Contrary to multi-level μTESLA which binds key chains in their heads, Several research use Merkle tree to bundle multiple μTESLA instances in their tails [3,8]. The example in Figure 2 encompasses a window of W = 8 μTESLA instances. Every receiver is pre-loaded with the root key C18 instead of the last-generated keys on each μTESLA instance. To activate next instance, for example the fourth key chain, the receivers need the commitment C4 , so the sender broadcasts the commitment and all sibling keys of those nodes on the path from the commitment to the root, that is, C4 , C3 , C12 , and C58 . Then the receivers can verify whether C18 = F  (F  (C12 F  (C3 C4 ))C58 ).

Broadcast Authentication in Sensor Networks

103

Fig. 2. Example of tree-based μTESLA. Commitments are hashed by another F  function.

Tree-based method does not have the drawback of longer authentication delays in multi-level schemes because all commitments are downward related to the root commitment. Nevertheless, the sender has to periodically broadcast authentication information for every instance, and therefore induces more traffic than na¨ıve method. It takes lg W |h| bits to update to next instance where |h| is the size of hashed key. Regarding the bundle as a whole, tree-based method’s overhead will be W lg W |h| whereas the na¨ıve method only W |h|. μTESLA-like schemes all share the same philosophy: the security of all MAC keys rely on the first key, the pre-loaded commitment. Multi-level μTESLA bases on the framework of key generation, whereas tree-based μTESLA binds many commitments to create deeper commitments. The challenge in broadcast is how to construct the connection between keys for long-term usage. Therefore the basic principle is to generate sufficient connected keys beforehand and make the last-generated key be the loaded commitment. The whole protocol will be robust as long as the hash functions used are computationally infeasible. 2.3

Compressed Bloom Filters

Bloom filters: Bloom filters succinctly represent a set of entries in order to support membership queries with minor false positive and zero false negative rate. Bloom filters are used to represent a set S = {s1 , ...sn } of n entries, and consists of a bitmap with m-bits, initially all set to 0. Bloom filters use k independent random hash functions H1 , ..., Hk with range {0, ..., m − 1}. For each entry sj , the bits Hi (sj ) are set to 1 for 1 ≤ j ≤ n and 1 ≤ i ≤ k. After all entry in S are hashed into the bitmap, the probability p that a specific bit is 0 is (1 − 1/m)kn . To check if a new entry x is in S, we check whether all Hi (x)-th bits the bitmap are 1. If not, x is absolutely not in S. If yes, we can only mistake with a minor false positive rate f = (1−p)k , depending on the values of m/n and k. Given

104

Y.-S. Chen et al.

fixed ratio m/n, the optimized f is 0.5k = 0.6185m/n when k = ln 2(m/n) and p ≈ 0.5; meanwhile the bitmap is about half 1 and half 0. Compressed Bloom filters: Mitzenmacher showed that compressed Bloom filters can achieve smaller false positive rate as a function of the compressed size over a Bloom filter without compression [9]. It based on the insight that if we allow larger size of uncompressed bitmap m and use few hash functions, then the bitmap will have extremely asymmetric distribution of 0 and 1 bits. Thus we can compress the large bitmap into a small message of size z for transmission. Moreover the same size of message using as a standard Bloom bitmap turns out to have higher false positive rate than the compressed one. Compared with original ones, compressed Bloom filters intend to optimize transmission size instead of false positive rate as they use bitmaps of the same size. The essence of compressed Bloom filters is that it reduces the transmission size at the cost of using more bits to store the Bloom filters at both ends and requiring compression and decompression. Compressed Bloom filters are very efficient options when we need to transmit the bitmap as a message. In particular, compressed approach has greater improvement when we only need to transmit the updated information of a periodically changing Bloom filters. More detailed discussions and analysis please refer to [9].

3

Proposed Schemes

3.1

Overview

Figure 3 illustrates the basic of our schemes. To bundle W independent μTESLA instances, Curtain takes the last N keys as entries to be hashed into the mbits Bloom bitmap. The bitmap replaces the last-generated key in standard μTESLA or the root key in tree-based μTESLA as the commitment. Pre-loaded by the sender to each receiver, the bitmap provides the computationally security during the usage of W μTESLA instances. For the receiver to activate next instance, it just checks the last-generated N keys are all successfully hashed into the Bloom bitmap. Before the end of the W instances, the sender broadcasts the compressed bitmap of next W instance with an ECC signature to enter next session. According to the analysis and implementation in [9], the size after compression is only a slight bigger than z = H(p)m where H(·) is the entropy function.2 An adversary may try to break the system by forging key chains which can be successfully mapped unto the bitmaps. Since the adversary can not reverse hash function, it can only by brute force continuously generate a longer key chain until the last N keys are all false positive in the b bitmaps. In order to amplify the robustness against forgery, the sender can use b rather than one Bloom filter with independent hash sets to process the N W entries into b bitmaps. Figure 4 illustrates the adversary’s chance to forge a valid μTESLA instance in 2

H(p) = −p lg p − (1 − p) lg(1 − p).

Broadcast Authentication in Sensor Networks

105

Fig. 3. Curtain. Gray μTESLA keys are entries of the Bloom filters.

different setting. Recall that the security condition of 160-bit hash function is about 10−24 . Therefore those points below the dashed line will be sufficient for most application. It also demonstrates that with proper parameters using Bloom filters is a viable solution. We find the chance of the adversary to success is adv = f N b = (1 − p)kN b

(1)

Unlike tree-based method where receivers have to wait for the sender’s periodical messages, Curtain spans the self-healing property of a single μTESLA instance to W instances. Even though the receiver is off-line over several instances, it is able to immediately verify the new-arrived packets. 3.2

Analysis

There are three performance metrics needed to be considered in Curtain: (1) The adversary’s advantage (2) Communication overhead (3) Computation overhead. First we consider the adversary’s chance to break the protocol. This advantage adv shall not be greater than 2−κ , which means b≥

κ −1 · . lg(1 − p) kN

(2)

At first sight, this seems indicate that we should use more bitmaps to surpass κ. Nevertheless, there is a tradeoff between the advantage and communication overhead. The communication overhead of each session is zb, which seems to multiply significantly if we try to increase b. But z itself, like b, is also a function of k and N and interestingly they are driving in different direction.

Y.-S. Chen et al.

500

1000

1500

−20 −40 −60 −80 −100

log(adv), Attacker’s advantage in logarithmic scale

−20 −30 −40 −50 −60 0

m = 8192, k = 1 b=1 b=2 b=3 b=4 b=5

−120

m = 8192, b = 1 k=1 k=2 k=4 k=8 k = 16

−10

log(adv), Attacker’s advantage in logarithmic scale

0

0

106

100

n, The number of entries in the Bloom filters

200

300

400

500

n, The number of entries in the Bloom filters

(b)

(a)

Fig. 4. The attacker’s chance to break Curtain when m = 8192 and W = 32. (The dashed line indicates 10−24 minimum security condition.)

If we fix at specific security condition κ, then the overhead would be zb =

−p lg p − (1 − p) lg(1 − p) mκ · − lg(1 − p) kN

(3)

Note that p = (1−1/m)nk is also a function of k, therefore directly analyzing the dependency between zb and k from the above formula would be a cumbersome work. We can get the intuitive idea from Figure 5(a) which shows that using more hash in Bloom filters will dramatically reduce the overhead, but eventually rise up after specific threshold. The remaining question is how b changes when we try to optimize communication overhead with respect to k. Here a little modification will clarify the mystery. In Figure 5(a), b is treated as continuous variable. In fact, b should be like this, b≥

κ 1 ·  − lg(1 − p) kN

(4)

After making b to be discrete, Figure 5(a) is transformed to Figure 5(b). Looking at the optimized points in Figure 5(b) for each setting, we get an interesting result: these are the turning points where b becomes one from two. It clarifies that to achieve the same security condition and communication overhead, extra bitmaps are actually redundant. One might wonder what is lost when communication is optimized. In fact, computation overhead is exactly the third force which pulls against the other metrics. It costs N k hash operations for each receiver to authenticate next μTESLA instance. Despite of the increment in computation, the benefit is greater than the cost. Since hash function can be executed by sensor mote efficiently and costs minor energy, it is absolutely worth to exchange more hash for less transmission. The following example reinforces this argument.

10000

107

6000

8000

m=8192, W=32 n=32 n=64 n=96 n=128

2000

4000

zb. Size of updated bitmaps (in bits)

4000

6000

8000

m=8192, W=32 n=32 n=64 n=96 n=128

2000

zb. Size of updated bitmaps (in bits)

10000

Broadcast Authentication in Sensor Networks

0

10

20

30

40

50

0

k. Number of hash functions

10

20

30

40

50

k. Number of hash functions

(b)

(a)

Fig. 5. Communication overhead for updating the bitmaps

3.3

An Example

By bundling W = 32 instances together, we can run for 32×100 seconds which is almost one hour. It is reasonable to spend 1 second on ECC computation for an hour light-weight security. We choose m = 8192 bits Bloom filter, which is moderate for motes to store and maintain. Let n = 128 and N = n/W = 4. The optimal value occurs when k = 6 and we find z ≈ 2242 bits which can be packed into 3 4 packets according to IEEE 802.15.4 standard.Compared this example with na¨ıve approach, which is 160 × 32 = 5120 bits, we save around 50%. Compared with tree-based approach, which requires the sender to broadcast extra lg(W )|h| = 5×160 = 800 bits every 100 seconds and totally W lg(W )|h| = 25600 bits during the session, obviously Curtain is more economic. The computation overhead to authenticate a new key chain is N k = 24 hash operations which costs about 24 ms.

4

Implementation

We implement Curtain on Crossbow TelosB platform which comes with 16-bit 8 MHz processor and 10KB RAM. Following the analysis from the last section, we test the case of using one bitmap with size equal to 16284, 8192, and 4096 bits, then adjust the number of hash functions to fit in with minimum security condition 2−80 . Table 1. shows the compressed bitmap size, decompression time, and verification time in different setting. We also include a situation where the security is not sufficient in Table 1. All hash functions are based on SHA1-160, which averagely takes about 5.48 ms each time. Further optimization on SHA-1 computation should improve the verification time. Here we only concern about the verification time of first-used key since the successive N − 1 keys will take additional one SHA-1 computation and the rest cost only one SHA-1 for each

108

Y.-S. Chen et al.

key. Note that the larger bitmap results in smaller compression size is due to less hash functions so less bits are marked as one in larger bitmap. We use a variant of first-order difference compression to compress the bitmap. Other compression techniques are possible to achieve the better compression ratio considering the size and entropy of different bitmaps. Table 1. Curtain overhead with W = 32 and b = 1 Bitmap size (bits) 16284 16284 8192 4096 Number of hash per bitmap 2 4 6 12 security condition (2−x ) 48.09 80.36 83.57 80.49 Compressed bitmap size (bytes) 270 515 745 1310 Ideal compressed bitmap size (bytes) 237 406 446 459 Decompression time (ms) 5 9 18 31 First-used key verification time (ms) 12 25 42 68

Comparison. We compare the communication overhead when bundling W = 32 instances using na¨ıve, Merkle tree, and Curtain. Applying na¨ıve way to preload all commitments takes 640 bytes. With Merkle tree it costs 3200 bytes overall by contraries. Even though the receivers cache earlier keys, the overhead will not less than 640 bytes. In our implementation with bitmap size equal to 16284 bytes, transmission overhead is only 270 bytes. Compared with the other approaches, Curtain has better potentiality in the future. The reason is that 160 bit hash such as SHA-1 would be deprecated in near future. Researchers are gradually resorting to longer hash size like SHA256 as security guarantee. When the time comes the expansion in hash size will cause the same expansion in na¨ıve or Merkle methods. However Curtain does not suffer from this problem provided that the minimum security condition κ remains.

5 5.1

Extension Curtain on Multiple Senders

Curtain possesses another advantage: it is not only scalable in terms of time but also scalable in terms of the number of senders. In simple application, the base station might be the only one doing broadcast. But there are cases where regular motes need to communicate with each other such that individual broadcast authentication from motes is required. Another scenario is that many users share the sensor network but want to use individual broadcast authentication to isolate their services. In either case, to install all commitments of different senders or services to receivers is not a feasible way. The methodology of Curtain can be extended to bundle multiple broadcast services, and the receiver need only store one bitmap hashed from these services.

Broadcast Authentication in Sensor Networks

109

1.0

0.8

Moreover, the administrator now can add and revoke senders or services at a very low cost with Curtain. This benefit cames from the nature of compressed Bloom filters. When the network changes and the administrator need to update the user and revocation list to all receivers. Because most change are partial, the difference between the old and new bitmap is minor. According to [9,10], the administrator can exclusive-or the two bitmap, that is, the delta bitmap, and furthermore compress it then update. The compressed delta bitmap will be more succinct than compressed Bloom one. If c is the fraction of entries in Bloom bitmap that have changed, then q = 2p(1 − pc ) of delta will be bit 0, resulting in H(q)m compressed size. Figure 6 illustrates how the compression ratio varies with the fraction of change.

0.6

m = 8192, k = 4 n = 32 n = 64 n = 96 n = 128 n = 256

0.2

0.4

H(q). Compression ratio

0.6 0.4

0.0

0.0

0.2

H(q). Compression ratio

0.8

m = 8192, n = 64 k=1 k=2 k=4 k=8 k = 16 k = 32

0.0

0.2

0.4

0.6

0.8

1.0

0.0

c. Fraction of entries have changed

(a)

0.2

0.4

0.6

0.8

1.0

c. Fraction of entries have changed

(b)

Fig. 6. The compressed ratio of delta with respect to the fraction of change. (W = 32).

5.2

Curtain with Merkle Tree

Even though we emphasize that ECC is a practical tool for authentication, there is still possibility to completely deprecate PKC in Curtain. Turning back to treebased μTESLA, it is not ideal because the sender has to broadcast extra messages every a shot-term (100 seconds). Nevertheless we have successfully merged a middle-term period (one hour) into one commitment without more routine communication. Using Curtain as building block, we can construct Merkle tree of bitmaps at higher level, that is, now the hashes of bitmaps corresponding to their sessions will be the leaf nodes of the Merkle tree and the root node becomes the ultimate commitment. For example, a Merkle tree with 32 hashes on leafs node which encompassing a W = 32 session respectively will sustain more than one day, but it only needs to renew every one hour. However, the sender has to generate all the keys on all chains before determining the root, making the system not flexible. An merits of using PKC is allowing the users to dynamically decide the security policy and generate keys on the fly. We argue that the best

110

Y.-S. Chen et al.

solution for short-term broadcast authentication is Curtain, long-term security shall be left to PKC, and tree-base approaches can serve as an intermediate framework.

6

Related Work

Adapted from TESLA protocol over Internet [11], μTESLA [1] is the first lightweight broadcast authentication in sensor networks using only symmetric primitives. In [2], the authors proposed multi-level μTESLA Merkle tree methods can be found in several research [3,12,8]. MiniSec [13] is a network layer security protocol operating in two modes, one tailored for single-source communication, and another tailored for multi-source broadcast communication. In particular, MiniSec uses Bloom filters to maintain the legitimate packet information. Recently, Ren et al. [14] proposed a multi-user broadcast authentication scheme built on Bloom filters to store the users’ public keys. PKC and Merkle hash tree techniques are also used in their scheme. However, it is fully based on PKC therefore the energy consumption is much higher than μTESLA series. In [8], the authors investigated the problem of broadcast authentication from various aspects and list out seven fundamental properties for designing protocols. The work in [15] discussed DoS attack which aims at exhausting the energy then increasing its response time to broadcast authentication.

7

Conclusion

We propose an efficient broadcast authentication protocol, Curtain, in sensor networks. It has the following advantages: (1) scalability in time and senders. (2) lower communication overhead than former schemes. (3) extending the selfhealing property across multiple μTESLA instance. (4) dynamic sender addition and revocation. The implementation shows that Curtain outperforms previous tree-based methods. Curtain is an efficient way to bind the low-level μTESLA instances. But we argue that neither Curtain nor Merkle tree shall work solely without PKC. PKC is plausible in WSN and is the last resort for security. Not only in wireless sensor networks, Curtain is potential to other applications of broadcast authentication, such as in video broadcast over Internet. Acknowledgments. The authors would like to thank the anonymous reviewers for their valuable comments. The work is partly supported by Taiwan Information Security Center (TWISC), under the grants NSC 96-2219-E-001-001 and NSC 96-2219-E-011-008, and by iCAST project under the grant NSC 96-3114P-001-002-Y, sponsored by the National Science Council, Taiwan.

References 1. Perrig, A., Szewczyk, R., Wen, V., Culler, D., Tygar, J.D.: SPINS: Security Protocols for Sensor Networks. In: 7th ACM Annual International Conference on Mobile Computing and Networking, pp. 189–199. ACM Press, New York (2001)

Broadcast Authentication in Sensor Networks

111

2. Liu, D., Ning, P.: Multilevel μTESLA: Broadcast Authentication for Distributed Sensor Networks. Trans. on Embedded Computing Sys. 3, 800 (2004) 3. Liu, D., Ning, P., Zhu, S., Jajodia, S.: Practical Broadcast Authentication in Sensor Networks. In: 2nd Annual International Conference on Mobile and Ubiquitous Systems (MobiQuitous 2005), pp. 118–132. IEEE Computer Society, Los Alamitos (2005) 4. Menezes, A.J., Oorschot, P.C.v., Vanstone, S.A.: Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/ 5. Eberle, H., Wander, A., Gura, N., Shantz, S.C., Gupta, V.: Architectural Extensions for Elliptic Curve Cryptography over GF (2m ) on 8-bit Microprocessors. In: 16th IEEE International Conference on Application-Specific Systems, Architectures, and Processors (ASAP 2005), pp. 343–349. IEEE Computer Society, Los Alamitos (2005) 6. Gupta, V., Millard, M., Fung, S., Zhu, Y., Gura, N., Eberle, H., Shantz, S.C.: Sizzle: A Standards-Based End-to-end Security Architecture for the Embedded Internet. In: Third IEEE International Conference on Pervasive Computing and Communications, pp. 247–256. IEEE Computer Society, Los Alamitos (2005) 7. Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005) 8. Luk, M., Perrig, A., Whillock, B.: Seven Cardinal Properties of Sensor Network Broadcast Authentication. In: Zhu, S., Liu, D. (eds.) SASN 2006, pp. 147–156. ACM Press, New York (2006) 9. Mitzenmacher, M.: Compressed Bloom Filters. IEEE/ACM Trans. Netw. 10, 604 (2002) 10. Fan, L., Cao, P., Almeida, J., Broder, A.Z.: Summary Cache: A Scalable Wide-Area Web Cache Sharing Protocol. IEEE/ACM Trans. Netw. 8, 281 (2000) 11. Perrig, A., Canetti, R., Tygar, D., Song, D.: The TESLA Broadcast Authentication Protocol. In: Cryptobytes, vol. 5(2), pp. 2–13. RSA Laboratories (2002) 12. Chang, S.-M., Shieh, S., Lin, W.W., Hsieh, C.-M.: An Efficient Broadcast Authentication Scheme in Wireless Sensor Networks. In: Lin, F.-C., Lee, D.-T., Lin, B.-S., Shieh, S., Jajodia, S. (eds.) ASIACCS 2006, pp. 311–320. ACM, New York (2006) 13. Luk, M., Ghita, M., Perrig, A., Gligor, V.: Minisec: A Secure Sensor Network Communication Architecture. In: Abdelzaher, T.F., Guibas, L.J., Welsh, M. (eds.) IPSN 2007, pp. 479–488. ACM Press, New York (2007) 14. Ren, K., Lou, W., Zhang, Y.: Multi-user Broadcast Authentication in Wireless Sensor Networks. In: 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks, pp. 223–232. IEEE Computer Society, Los Alamitos (2007) 15. Wang, R., Du, W., Ning, P.: Containing Denial-of-Service Attacks in Broadcast Authentication in Sensor Networks. In: Kranakis, E., Belding, E., Modiano, E. (eds.) MobiHoc 2007, pp. 71–79. ACM Press, New York (2007)