Implementation of ECDSA in WSN

Ravi Kishore Kodali

Department of E. and C. E.

National Institute of Technology, Warangal

506004, Andhra Pradesh, India

Email:ravikkodali@gmail.com

Abstract—Wireless sensor networks (WSN’s) have been

finding their application in diversified fields. Certain

WSN applications used in military and commercial fields

require the data communication within the network

to be secure and confidentiality of the data needs to

be maintained. Any WSN security model requires key

services, authentication and integrity. As WSN nodes

are resource constrained, in terms of limited battery

energy and less CPU capabilities, energy efficient crypto-

algorithms need to be chosen. Elliptic curve (EC) based

algorithms have proven to be computationally efficient

and provide the same security level when compared with

traditional crypto-algorithms for the given key size. This

work provides implementation details of ECDSA, making

use of the low-cost SHA-1. The WSN implementation

of SHA-1 involves 8-bit operations as the IRIS node

supports an 8- bit micro-controller. The SHA-1 and

ECDSA algorithms have been implemented using IRIS

WSN node.

Keywords:- ECC, SHA-1, ECDSA, WSN

I. INTRODUCTION

Wireless sensor networks (WSNs) are being widely

used in various application fields. In certain military

and commercial WSN applications needing security, the

data confidentiality is of utmost importance, and only

authorized users should be able to gain access to the data.

The transmitted data through multiple wireless links is to

be received at the recipient’s end unmodified. A security

model supporting these requirements needs to be used. In

WSN applications the nodes are randomly deployed over

vast areas. Various sensors present in a node measure

the physical phenomena related parameters and post-

digitization these values are forwarded towards the base

station (BS) involving multi-hop wireless connectivity

links. The transmitted data can be captured by a potential

attacker to launch an attack and compromise the WSN

later. To support integrity and authentication services in

a WSN, the related security algorithms need to be made

use of [1].

A WSN node is supported with limited computational

resources, which include a 8- or 32- bit micro-controller

with few KB’s of ROM and RAM and a battery with

limited energy. Certain security algorithms such as SHA-

1 involve 32- bit operations. In the WSN implementation

of this algorithm, it is required to make use of 8-bit

operations. Energy efficient algorithms suited for WSN

applications are to be chosen [2] and the same need

to be implemented efficiently on these nodes. Tradi-

tional algorithms like Digital Signature Algorithm (DSA)

and RSA are highly compute intensive. Hence, these

algorithms are unsuitable in WSNs [3]. Elliptic curve

(EC) based algorithms, Elliptic Curve Cryptography

(ECC) and Elliptic Curve Digital Signature Algorithm

(ECDSA) provide high security, when compared to the

RSA/DSA algorithms for the same key size as given in

Table I. The rest of the paper is organized as follows:

Section II discusses the ECDSA, section III gives SHA-

1 algorithm and its implementation, section IV presents

the hardware implementation and section V concludes

the work.

II. ECDSA

Miller [4] and Koblitz [5] independently proposed

elliptic curve crypto systems. The high level of security

in ECC is due to the difficulty level of the Elliptic Curve

Discrete Logarithm Problem (ECDLP). Let P and Q be

two points on an elliptic curve, such that k*P = Q, where

k is a scalar and a large number. No sub-exponential

algorithm, solving the ECDLP, has been reported so far

to find the value of k. The scalar multiplication operation

is used in EC based crypto algorithms [6].

TABLE I: Key size comparison of ECC and RSA

ECC RSA

(Key size in bits) (Key size in bits)

160 1024

256 3072

384 7680

2013 International Conference on Control Communication and Computing (ICCC)

978-1-4799-0575-1/13/$31.00 ©2013 IEEE 310

ECDSA consists of signature generation and signature

verification phases [7]. During the signature generation

phase, a random value, k, is chosen and the SHA-1

algorithm is used to compute the hash value of the

message and the same is converted into an integer, e.

Various operations, as given in Algorithm 1, using ellip-

tic curve points, are carried out to generate the signature

point (r,s). Algorithm 1 provides the ECDSA generation

procedure. During the signature verification phase, the

values r,s and e, are used to verify the signature.

The signature generation and signature verification

phases are shown in Algorithms 1 and 2, respectively.

Algorithm 1 ECDSA Signature Generation

1. Generate a random number k such that 1 ≤ k ≤(p− 1)2. Compute point kPB = (x1, y1)3. Compute r = x1(mod p).

if r=0 then

Go to step 1.

end if

4. Compute k−1(modp) .

5. Compute SHA-1(m) and convert this to an integer

e.

6. Compute s = k−1(e+ nAr).if s = 0 then

Go to step 1

end if

7. Signature for message m is S = (r,s).

Algorithm 2 ECDSA Signature Verification

1. Verify r and s are integers over the interval [1,p-1].

2. Compute SHA-1(m) and convert this to integer e.

3. Compute w = s−1(modp)4. Compute u1 = ew(modp) and u2 = rw(modp).5. Compute X = u1PB + u2PA

6.

if X=0 then

Reject S

elsecompute v = x1(modp)end if

7. Accept if and only if v = r.

ECDSA ensures authentication and integrity in WSN

and it is suitable for WSNs due to its small size of the

signature [10].

III. SHA-1 AND ITS IMPLEMENTATION

A. SHA-1

Secure Hash Algorithm (SHA-1), proposed by US

National Institute of Standards and Technology (NIST),

operates on a message of length < 264 in 512- bit size

blocks and cycles through 80 iterations of a hash com-

putation to produce a 160-bit message digest value. This

algorithm has three main steps: message pre-processing,

message processing and computation of hash value [11].

Algorithm 3 Generation of Hash value using SHA1

algorithm - Pre-processing

1. Append the bit ’1’ to the message

2. Append 0 ≤ k < 512 0’s, such that the resulting

message length (in bits) is congruent to 448 (mod 512)

3. Append length of message (before pre-processing),

in bits, as 64-bit big-endian integer

Algorithm 4 Generation of Hash value using SHA1

algorithm - Processing

1. Break message into 512-bit chunks and break chunk

into sixteen 32-bit big-endian words w[i]

2. Extend the sixteen 32-bit words into eighty 32-bit

words and compute W for i ranging from 16 to 79

w[i] = left− rotate(w[i−3]⊕w[i−8]⊕w[i−14]⊕w[i − 16]) by 1- bit

3. Initialize hash value for this chunk:

a = h0, b = h1, c = h2, d = h3, e = h44. The calculation of f and the values of k, for i 0 to

79 is shown in the following table:

Range of i Calculation of f k value

0 to 19 (b & c) | (( b) & d) 0X5A827999

20 to 39 b ⊕ c ⊕ d 0X6ED9EBA1

40 to 59 (b & c) or (b & d) 0X8F1BBCDC

or (c & d)

60 to 79 b ⊕ c ⊕ d 0XCA62C1D6

5. Finally compute temp = ROTL(A, 5) + F +E +k+w[i] E = D, D = C , C = ROTL(30, B) B = A,

A = temp

B. Low cost SHA-1

The SHA-1 algorithm is generally implemented using

32-bit platforms. The rotate functions and XOR use 32-

bit operands. However, in this work 8-bit operations are

used keeping in view of the limited data sizes supported

311

Algorithm 5 Generation of Hash value using SHA1

algorithm - Hashing

1. Update the hash values:

h0 = h0 +A,

h1 = h1 +B,

h2 = h2 + C,

h3 = h3 +D

h4 = h4 + E

2. The final 160- bit hash value of the message is:

h4||h3||h2||h1||h0

by the micro-controller in the WSN node. The required

32-bit operations are implemented by mapping them into

8-bit operations. The message is loaded into 64 blocks

with 8- bit size each. The preprocessing of these blocks

is carried out as in 32- bit SHA-1 algorithm.

In low-cost SHA-1 32-bit XOR operations can be

easily carried out in 4 cycles. The following equation

illustrates the X-or operation of a 32- bit number in 8-

bit mode.

Wt = Messaget ∀ 0 ≤ t ≤ 63 (1)

Wt = Wt−12⊕Wt−32⊕Wt−56⊕Wt−64 ∀ 63 ≤ t ≤ 319(2)

One of the operations involved during the computation

of a SHA-1 value is rotate left. The rotate left operation

in 8-bit mode has to be carefully performed as carry bit

is also involved and the resultant value must be same as

in 32-bit architecture. Figure 1 illustrates the rotation of

a 32- bit number in 8- bit mode.

a0a1a2a3a4a5a7a8a9

a0a1a6a7a8a9

a6a15 a14 a13 a12 a11 a10

a15 a14a5 a4 a3 a2a10a11a12a13

Fig. 1: Rotation of 32-bit numbers in 8-bit architecture

In 32- bit SHA-1 architecture five 32- bit numbers,

A,B,C,D and E, are used to compute the hash value of

a message. In 8- bit architecture, these 32- bit values

are considered as four 8- bit numbers, a0,a1,a2,a3;

b0,b1,b2,b3; and so on. Using these values and by

applying relevant 8- bit addition operations, the hash

value of a message is calculated. Figure 2 illustrates the

same.

a0a1a2a3b0b1a4a5 b2b7 b6 b5 b4 a7 a6

c0c1c2c3c4c5c6c7

b3

CARRY GENERATED SUMSUM

Fig. 2: Addition of 32- bit numbers in 8- bit architecture

The 8-bit implementation design of the hash computa-

tion requires 320 cycles. The initial 8-bit values, a0, a1,

a2, a3 through e0, e1, e2, e3 are stored in the memory

for the final summation. Since the output of the message

schedule is unavailable for 4 cycles and the resultant 160-

bit hash value is outputted in 8- bit size data blocks after

20 cycles. Hence, the 8- bit SHA-1 architecture requires

344 clock cycles [11].

E[3]

E[2]

E[1]

E[0]

D[3]

D[2]

D[1]

D[0]

C[3]

C[2]

C[1]

C[0]

B[3]

B[2]

B[1]

B[0]

A[3]

A[2]

A[1]

A[0]

SUM

HASH(i)

320 ITERATIONS

K[t]W[t]

Hash(i+1)160 bit

Fig. 3: SHA-1 in 8-bit architecture

C. Calculation of W in 8- bit implementation

Since the index of W is 64 in 32- bit implementation

of SHA-1, the index of W would be 320 in 8-bit

implementation. For an efficient 8- bit implementation,

the index of W should be less than 255. Hence, W is

split into W1, with an index value of 240 and W2, with

an index value of 80. Algorithm- 6 provides the steps

involved.

Figure 4 shows an example output.

Figure 5 gives a sample output, providing the com-

puted ECDSA signature making use of 8- bit implemen-

tation of the SHA-1.

312

Algorithm 6 Calculation of W1 and W2 in 8 bit

implementation

1. Load each input message block into W1 i.e.., W1[t]

= mess[t] for t from 0 to 63

2. Generate the values for W1[t] for t from 64 to 239

by initializing a variable temp where for t ranging

from 64 to 239 and for i ranging from 0 to 3

temp[i] = W1[(t-12) + i] ∧ W1[(t-32) + i] ∧ W1[(t-56)

+ i] ∧ W1[(t-64) + i] and

W1[t + i] = ((temp[i] ≪ 1) & 0xFF) | ((temp[(i+1)

mod4] & 0xFF) ≫ 7) which completes the generation

of W1.

3. The generation of W2 involves the following cal-

culations for i ranging from 0 to 3

W2 is calculated from W2[t + i] = ((temp[i] ≪ 1) &

0xFF) | ((temp[(i+1) mod4] & 0xFF) ≫ 7);

where temp is calculated by the following steps

3a. For t ranging from 0 to 11, temp[i] = W1[240 +

(t-12) + i] ∧ W1[240 + (t-32) + i] ∧ W1[240 + (t-56)

+ i] ∧ W1[240+(t-64) + i];

3b. For t ranging from 12 to 31, temp[i] = W2[(t-12)

+ i] ∧ W1[240 + (t-32) + i] ∧ W1[240 + (t-56) + i]

∧ W1[240+(t-64) + i];

and the process continues until W2[63] is calculated.

Now W1 and W2 which holds array lengths of less

than 255 can be used in the place of W which has an

array length of 320 (> 255)

Fig. 4: SHA1- 8 bit and 32 bit implementation

Fig. 5: ECDSA generation

IV. HARDWARE IMPLEMENTATION

An IRIS node has been made use of while implement-

ing the ECDSA algorithm. Figure 6 shows an IRIS node

and its components.

An IRIS WSN node is used for enabling low-power

wireless sensor networks. The features of this node

(a) IRIS node

(b) Sensor board

(c) Programming board

Fig. 6: IRIS mote and components

TABLE II: Specifications of the MEMSIC IRIS node

Parameter Value

Program Flash Memory 128KB

Serial Flash 512KB

RAM 8 KB

Config. EEPROM 4 KB

Serial Comm. UART

Frequency bands 2,405 to 2,480 MHz

Transmit data rate 250 kbps

RF power 3 dBm

Receive Sensitivity -10 dbm

Battery 2 X AA Batteries

include several added functionalities that improve the

overall performance of the WSN. The processor used is

Atmel ATmega1281, which is a low power 8- bit micro-

controller. Table II gives the specifications of the IRIS

node [12].

A comparison of both the 8- bit and 32- bit imple-

mentations of SHA-1 is made and the same is presented

in Table III along with those of ECDSA. The IRIS node,

a TinyOS platform, uses XMesh as its routing protocol.

313

TABLE III: Implementation analysis of SHA-1 and

ECDSA using IRIS node

Algorithm Execution time RAM used

SHA-1 (32- bit) 2ms 1.9KB

SHA-1 (8- bit) 39ms 2.09 KB

ECDSA 941ms 3.07 KB

V. CONCLUSION

The WSN implementation details of ECDSA are

presented in this work. As the IRIS WSN node, with

low computational power supporting 8- bit operations,

the 8- bit implementation of the SHA-1 algorithm has

been carried out. The same implementation of SHA-

1 has been used while implementing the ECDSA to

compute the signature using a WSN node. The execution

times and the memory overheads of both the SHA-1

and ECDSA algorithms when implemented using the

IRIS node, are also given. As ECDSA results in small

signatures, this algorithm is implementable on a WSN

node. Future work includes the implementation of the

ECDSA signature algorithm using higher key sizes,

which can support WSNs having a large number of nodes

and where the security concerns are high.

REFERENCES

[1] M. S. Asha Rani Mishra, “Elliptic curve cryptography (ecc) for

security in wireless sensor network.”

[2] Z. Li and G. Gong, “A survey on security in wireless sensor net-

works,” Department of Electrical and Computer Engineering,

University of Waterloo, Canada, pp. 2008–20, 2011.

[3] X. Zhang, H. M. Heys, and C. Li, “Energy efficiency of

symmetric key cryptographic algorithms in wireless sensor

networks,” in Communications (QBSC), 2010 25th Biennial

Symposium on. IEEE, 2010, pp. 168–172.

[4] V. S. Miller, “Use of elliptic curves in cryptography,” in

Advances in CryptologyCRYPTO85 Proceedings. Springer,

1986, pp. 417–426.

[5] N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of

computation, vol. 48, no. 177, pp. 203–209, 1987.

[6] S. Mane, L. Judge, and P. Schaumont, “An integrated prime-

field ecdlp hardware accelerator with high-performance modular

arithmetic units,” in Reconfigurable Computing and FPGAs

(ReConFig), 2011 International Conference on. IEEE, 2011,

pp. 198–203.

[7] A. Khalique, K. Singh, and S. Sood, “Implementation of elliptic

curve digital signature algorithm,” Int J Comput Appl, vol. 2,

no. 2, pp. 21–27, 2010.

[8] A. S. Bhala, V. P. Kshirsagar, M. B. Nagori, and M. K.

Deshmukh, “Performance comparison of elliptical curve and

rsa digital signature on arm7,” in Proceedings of International

Conference on Information and Network Technology (ICINT

2011), 2011.

[9] J.-H. Han, Y.-J. Kim, S.-I. Jun, K.-I. Chung, and C.-H. Seo,

“Implementation of ecc/ecdsa cryptography algorithms based

on java card,” in Distributed Computing Systems Workshops,

2002. Proceedings. 22nd International Conference on. IEEE,

2002, pp. 272–276.

[10] E. Dahmen and C. Krauß, “Short hash-based signatures for

wireless sensor networks,” in Cryptology and Network Security.

Springer, 2009, pp. 463–476.

[11] M. ONeill, “Low-cost sha-1 hash function architecture for rfid

tags,” in Workshop on RFID Security RFIDsec, 2008.

[12] “Memsic,” http://www.memsic.com/wireless-sensor-networks.

314