[IEEE 2013 International Conference on Control Communication and Computing (ICCC) -...
-
Upload
ravi-kishore -
Category
Documents
-
view
214 -
download
2
Transcript of [IEEE 2013 International Conference on Control Communication and Computing (ICCC) -...
Implementation of ECDSA in WSN
Ravi Kishore Kodali
Department of E. and C. E.
National Institute of Technology, Warangal
506004, Andhra Pradesh, India
Email:[email protected]
Abstract—Wireless sensor networks (WSN’s) have been
finding their application in diversified fields. Certain
WSN applications used in military and commercial fields
require the data communication within the network
to be secure and confidentiality of the data needs to
be maintained. Any WSN security model requires key
services, authentication and integrity. As WSN nodes
are resource constrained, in terms of limited battery
energy and less CPU capabilities, energy efficient crypto-
algorithms need to be chosen. Elliptic curve (EC) based
algorithms have proven to be computationally efficient
and provide the same security level when compared with
traditional crypto-algorithms for the given key size. This
work provides implementation details of ECDSA, making
use of the low-cost SHA-1. The WSN implementation
of SHA-1 involves 8-bit operations as the IRIS node
supports an 8- bit micro-controller. The SHA-1 and
ECDSA algorithms have been implemented using IRIS
WSN node.
Keywords:- ECC, SHA-1, ECDSA, WSN
I. INTRODUCTION
Wireless sensor networks (WSNs) are being widely
used in various application fields. In certain military
and commercial WSN applications needing security, the
data confidentiality is of utmost importance, and only
authorized users should be able to gain access to the data.
The transmitted data through multiple wireless links is to
be received at the recipient’s end unmodified. A security
model supporting these requirements needs to be used. In
WSN applications the nodes are randomly deployed over
vast areas. Various sensors present in a node measure
the physical phenomena related parameters and post-
digitization these values are forwarded towards the base
station (BS) involving multi-hop wireless connectivity
links. The transmitted data can be captured by a potential
attacker to launch an attack and compromise the WSN
later. To support integrity and authentication services in
a WSN, the related security algorithms need to be made
use of [1].
A WSN node is supported with limited computational
resources, which include a 8- or 32- bit micro-controller
with few KB’s of ROM and RAM and a battery with
limited energy. Certain security algorithms such as SHA-
1 involve 32- bit operations. In the WSN implementation
of this algorithm, it is required to make use of 8-bit
operations. Energy efficient algorithms suited for WSN
applications are to be chosen [2] and the same need
to be implemented efficiently on these nodes. Tradi-
tional algorithms like Digital Signature Algorithm (DSA)
and RSA are highly compute intensive. Hence, these
algorithms are unsuitable in WSNs [3]. Elliptic curve
(EC) based algorithms, Elliptic Curve Cryptography
(ECC) and Elliptic Curve Digital Signature Algorithm
(ECDSA) provide high security, when compared to the
RSA/DSA algorithms for the same key size as given in
Table I. The rest of the paper is organized as follows:
Section II discusses the ECDSA, section III gives SHA-
1 algorithm and its implementation, section IV presents
the hardware implementation and section V concludes
the work.
II. ECDSA
Miller [4] and Koblitz [5] independently proposed
elliptic curve crypto systems. The high level of security
in ECC is due to the difficulty level of the Elliptic Curve
Discrete Logarithm Problem (ECDLP). Let P and Q be
two points on an elliptic curve, such that k*P = Q, where
k is a scalar and a large number. No sub-exponential
algorithm, solving the ECDLP, has been reported so far
to find the value of k. The scalar multiplication operation
is used in EC based crypto algorithms [6].
TABLE I: Key size comparison of ECC and RSA
ECC RSA
(Key size in bits) (Key size in bits)
160 1024
256 3072
384 7680
2013 International Conference on Control Communication and Computing (ICCC)
978-1-4799-0575-1/13/$31.00 ©2013 IEEE 310
ECDSA consists of signature generation and signature
verification phases [7]. During the signature generation
phase, a random value, k, is chosen and the SHA-1
algorithm is used to compute the hash value of the
message and the same is converted into an integer, e.
Various operations, as given in Algorithm 1, using ellip-
tic curve points, are carried out to generate the signature
point (r,s). Algorithm 1 provides the ECDSA generation
procedure. During the signature verification phase, the
values r,s and e, are used to verify the signature.
The signature generation and signature verification
phases are shown in Algorithms 1 and 2, respectively.
Algorithm 1 ECDSA Signature Generation
1. Generate a random number k such that 1 ≤ k ≤(p− 1)2. Compute point kPB = (x1, y1)3. Compute r = x1(mod p).
if r=0 then
Go to step 1.
end if
4. Compute k−1(modp) .
5. Compute SHA-1(m) and convert this to an integer
e.
6. Compute s = k−1(e+ nAr).if s = 0 then
Go to step 1
end if
7. Signature for message m is S = (r,s).
Algorithm 2 ECDSA Signature Verification
1. Verify r and s are integers over the interval [1,p-1].
2. Compute SHA-1(m) and convert this to integer e.
3. Compute w = s−1(modp)4. Compute u1 = ew(modp) and u2 = rw(modp).5. Compute X = u1PB + u2PA
6.
if X=0 then
Reject S
elsecompute v = x1(modp)end if
7. Accept if and only if v = r.
ECDSA ensures authentication and integrity in WSN
and it is suitable for WSNs due to its small size of the
signature [10].
III. SHA-1 AND ITS IMPLEMENTATION
A. SHA-1
Secure Hash Algorithm (SHA-1), proposed by US
National Institute of Standards and Technology (NIST),
operates on a message of length < 264 in 512- bit size
blocks and cycles through 80 iterations of a hash com-
putation to produce a 160-bit message digest value. This
algorithm has three main steps: message pre-processing,
message processing and computation of hash value [11].
Algorithm 3 Generation of Hash value using SHA1
algorithm - Pre-processing
1. Append the bit ’1’ to the message
2. Append 0 ≤ k < 512 0’s, such that the resulting
message length (in bits) is congruent to 448 (mod 512)
3. Append length of message (before pre-processing),
in bits, as 64-bit big-endian integer
Algorithm 4 Generation of Hash value using SHA1
algorithm - Processing
1. Break message into 512-bit chunks and break chunk
into sixteen 32-bit big-endian words w[i]
2. Extend the sixteen 32-bit words into eighty 32-bit
words and compute W for i ranging from 16 to 79
w[i] = left− rotate(w[i−3]⊕w[i−8]⊕w[i−14]⊕w[i − 16]) by 1- bit
3. Initialize hash value for this chunk:
a = h0, b = h1, c = h2, d = h3, e = h44. The calculation of f and the values of k, for i 0 to
79 is shown in the following table:
Range of i Calculation of f k value
0 to 19 (b & c) | (( b) & d) 0X5A827999
20 to 39 b ⊕ c ⊕ d 0X6ED9EBA1
40 to 59 (b & c) or (b & d) 0X8F1BBCDC
or (c & d)
60 to 79 b ⊕ c ⊕ d 0XCA62C1D6
5. Finally compute temp = ROTL(A, 5) + F +E +k+w[i] E = D, D = C , C = ROTL(30, B) B = A,
A = temp
B. Low cost SHA-1
The SHA-1 algorithm is generally implemented using
32-bit platforms. The rotate functions and XOR use 32-
bit operands. However, in this work 8-bit operations are
used keeping in view of the limited data sizes supported
311
Algorithm 5 Generation of Hash value using SHA1
algorithm - Hashing
1. Update the hash values:
h0 = h0 +A,
h1 = h1 +B,
h2 = h2 + C,
h3 = h3 +D
h4 = h4 + E
2. The final 160- bit hash value of the message is:
h4||h3||h2||h1||h0
by the micro-controller in the WSN node. The required
32-bit operations are implemented by mapping them into
8-bit operations. The message is loaded into 64 blocks
with 8- bit size each. The preprocessing of these blocks
is carried out as in 32- bit SHA-1 algorithm.
In low-cost SHA-1 32-bit XOR operations can be
easily carried out in 4 cycles. The following equation
illustrates the X-or operation of a 32- bit number in 8-
bit mode.
Wt = Messaget ∀ 0 ≤ t ≤ 63 (1)
Wt = Wt−12⊕Wt−32⊕Wt−56⊕Wt−64 ∀ 63 ≤ t ≤ 319(2)
One of the operations involved during the computation
of a SHA-1 value is rotate left. The rotate left operation
in 8-bit mode has to be carefully performed as carry bit
is also involved and the resultant value must be same as
in 32-bit architecture. Figure 1 illustrates the rotation of
a 32- bit number in 8- bit mode.
a0a1a2a3a4a5a7a8a9
a0a1a6a7a8a9
a6a15 a14 a13 a12 a11 a10
a15 a14a5 a4 a3 a2a10a11a12a13
Fig. 1: Rotation of 32-bit numbers in 8-bit architecture
In 32- bit SHA-1 architecture five 32- bit numbers,
A,B,C,D and E, are used to compute the hash value of
a message. In 8- bit architecture, these 32- bit values
are considered as four 8- bit numbers, a0,a1,a2,a3;
b0,b1,b2,b3; and so on. Using these values and by
applying relevant 8- bit addition operations, the hash
value of a message is calculated. Figure 2 illustrates the
same.
a0a1a2a3b0b1a4a5 b2b7 b6 b5 b4 a7 a6
c0c1c2c3c4c5c6c7
b3
CARRY GENERATED SUMSUM
Fig. 2: Addition of 32- bit numbers in 8- bit architecture
The 8-bit implementation design of the hash computa-
tion requires 320 cycles. The initial 8-bit values, a0, a1,
a2, a3 through e0, e1, e2, e3 are stored in the memory
for the final summation. Since the output of the message
schedule is unavailable for 4 cycles and the resultant 160-
bit hash value is outputted in 8- bit size data blocks after
20 cycles. Hence, the 8- bit SHA-1 architecture requires
344 clock cycles [11].
E[3]
E[2]
E[1]
E[0]
D[3]
D[2]
D[1]
D[0]
C[3]
C[2]
C[1]
C[0]
B[3]
B[2]
B[1]
B[0]
A[3]
A[2]
A[1]
A[0]
SUM
HASH(i)
320 ITERATIONS
K[t]W[t]
Hash(i+1)160 bit
Fig. 3: SHA-1 in 8-bit architecture
C. Calculation of W in 8- bit implementation
Since the index of W is 64 in 32- bit implementation
of SHA-1, the index of W would be 320 in 8-bit
implementation. For an efficient 8- bit implementation,
the index of W should be less than 255. Hence, W is
split into W1, with an index value of 240 and W2, with
an index value of 80. Algorithm- 6 provides the steps
involved.
Figure 4 shows an example output.
Figure 5 gives a sample output, providing the com-
puted ECDSA signature making use of 8- bit implemen-
tation of the SHA-1.
312
Algorithm 6 Calculation of W1 and W2 in 8 bit
implementation
1. Load each input message block into W1 i.e.., W1[t]
= mess[t] for t from 0 to 63
2. Generate the values for W1[t] for t from 64 to 239
by initializing a variable temp where for t ranging
from 64 to 239 and for i ranging from 0 to 3
temp[i] = W1[(t-12) + i] ∧ W1[(t-32) + i] ∧ W1[(t-56)
+ i] ∧ W1[(t-64) + i] and
W1[t + i] = ((temp[i] ≪ 1) & 0xFF) | ((temp[(i+1)
mod4] & 0xFF) ≫ 7) which completes the generation
of W1.
3. The generation of W2 involves the following cal-
culations for i ranging from 0 to 3
W2 is calculated from W2[t + i] = ((temp[i] ≪ 1) &
0xFF) | ((temp[(i+1) mod4] & 0xFF) ≫ 7);
where temp is calculated by the following steps
3a. For t ranging from 0 to 11, temp[i] = W1[240 +
(t-12) + i] ∧ W1[240 + (t-32) + i] ∧ W1[240 + (t-56)
+ i] ∧ W1[240+(t-64) + i];
3b. For t ranging from 12 to 31, temp[i] = W2[(t-12)
+ i] ∧ W1[240 + (t-32) + i] ∧ W1[240 + (t-56) + i]
∧ W1[240+(t-64) + i];
and the process continues until W2[63] is calculated.
Now W1 and W2 which holds array lengths of less
than 255 can be used in the place of W which has an
array length of 320 (> 255)
Fig. 4: SHA1- 8 bit and 32 bit implementation
Fig. 5: ECDSA generation
IV. HARDWARE IMPLEMENTATION
An IRIS node has been made use of while implement-
ing the ECDSA algorithm. Figure 6 shows an IRIS node
and its components.
An IRIS WSN node is used for enabling low-power
wireless sensor networks. The features of this node
(a) IRIS node
(b) Sensor board
(c) Programming board
Fig. 6: IRIS mote and components
TABLE II: Specifications of the MEMSIC IRIS node
Parameter Value
Program Flash Memory 128KB
Serial Flash 512KB
RAM 8 KB
Config. EEPROM 4 KB
Serial Comm. UART
Frequency bands 2,405 to 2,480 MHz
Transmit data rate 250 kbps
RF power 3 dBm
Receive Sensitivity -10 dbm
Battery 2 X AA Batteries
include several added functionalities that improve the
overall performance of the WSN. The processor used is
Atmel ATmega1281, which is a low power 8- bit micro-
controller. Table II gives the specifications of the IRIS
node [12].
A comparison of both the 8- bit and 32- bit imple-
mentations of SHA-1 is made and the same is presented
in Table III along with those of ECDSA. The IRIS node,
a TinyOS platform, uses XMesh as its routing protocol.
313
TABLE III: Implementation analysis of SHA-1 and
ECDSA using IRIS node
Algorithm Execution time RAM used
SHA-1 (32- bit) 2ms 1.9KB
SHA-1 (8- bit) 39ms 2.09 KB
ECDSA 941ms 3.07 KB
V. CONCLUSION
The WSN implementation details of ECDSA are
presented in this work. As the IRIS WSN node, with
low computational power supporting 8- bit operations,
the 8- bit implementation of the SHA-1 algorithm has
been carried out. The same implementation of SHA-
1 has been used while implementing the ECDSA to
compute the signature using a WSN node. The execution
times and the memory overheads of both the SHA-1
and ECDSA algorithms when implemented using the
IRIS node, are also given. As ECDSA results in small
signatures, this algorithm is implementable on a WSN
node. Future work includes the implementation of the
ECDSA signature algorithm using higher key sizes,
which can support WSNs having a large number of nodes
and where the security concerns are high.
REFERENCES
[1] M. S. Asha Rani Mishra, “Elliptic curve cryptography (ecc) for
security in wireless sensor network.”
[2] Z. Li and G. Gong, “A survey on security in wireless sensor net-
works,” Department of Electrical and Computer Engineering,
University of Waterloo, Canada, pp. 2008–20, 2011.
[3] X. Zhang, H. M. Heys, and C. Li, “Energy efficiency of
symmetric key cryptographic algorithms in wireless sensor
networks,” in Communications (QBSC), 2010 25th Biennial
Symposium on. IEEE, 2010, pp. 168–172.
[4] V. S. Miller, “Use of elliptic curves in cryptography,” in
Advances in CryptologyCRYPTO85 Proceedings. Springer,
1986, pp. 417–426.
[5] N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of
computation, vol. 48, no. 177, pp. 203–209, 1987.
[6] S. Mane, L. Judge, and P. Schaumont, “An integrated prime-
field ecdlp hardware accelerator with high-performance modular
arithmetic units,” in Reconfigurable Computing and FPGAs
(ReConFig), 2011 International Conference on. IEEE, 2011,
pp. 198–203.
[7] A. Khalique, K. Singh, and S. Sood, “Implementation of elliptic
curve digital signature algorithm,” Int J Comput Appl, vol. 2,
no. 2, pp. 21–27, 2010.
[8] A. S. Bhala, V. P. Kshirsagar, M. B. Nagori, and M. K.
Deshmukh, “Performance comparison of elliptical curve and
rsa digital signature on arm7,” in Proceedings of International
Conference on Information and Network Technology (ICINT
2011), 2011.
[9] J.-H. Han, Y.-J. Kim, S.-I. Jun, K.-I. Chung, and C.-H. Seo,
“Implementation of ecc/ecdsa cryptography algorithms based
on java card,” in Distributed Computing Systems Workshops,
2002. Proceedings. 22nd International Conference on. IEEE,
2002, pp. 272–276.
[10] E. Dahmen and C. Krauß, “Short hash-based signatures for
wireless sensor networks,” in Cryptology and Network Security.
Springer, 2009, pp. 463–476.
[11] M. ONeill, “Low-cost sha-1 hash function architecture for rfid
tags,” in Workshop on RFID Security RFIDsec, 2008.
[12] “Memsic,” http://www.memsic.com/wireless-sensor-networks.
314