13. a survey on the encryption of convergecast traffic with in-network processing
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 4, OCTOBER-DECEMBER 2008 1 A Survey on the Encryption of Convergecast Traffic with In-Network Processing Steffen Peter, Dirk Westhoff, Member, IEEE, and Claude Castelluccia Abstract—We present an overview of end-to-end encryption solutions for convergecast traffic in wireless sensor networks that support in-network processing at forwarding intermediate nodes. Other than hop-by-hop based encryption approaches, aggregator nodes can perform in-network processing on encrypted data. Since it is not required to decrypt the incoming ciphers before aggregating, substantial advantages are 1) neither keys nor plaintext is available at aggregating nodes, 2) the overall energy consumption of the backbone can be reduced, 3) the system is more flexible with respect to changing routes, and finally 4) the overall system security increases. We provide a qualitative comparison of available approaches, point out their strengths, respectively weaknesses, and investigate opportunities for further research. Index Terms—Cryptography, wireless sensor networks, convergecast, concealed data aggregation. Ç1 INTRODUCTION initiate some action. Analysis in most scenarios presumesW IRELESS sensor networks (WSNs) are a particular class of ad hoc networks that attract more and moreattention both in academia and industry. The sensor nodes computation of an optimum, e.g., the minimum or maximum, the computation of the average, or thethemselves are preferably cost-cheap, tiny, and consisting of detection of movement pattern. The precomputation of these operations may be either fulfilled at a central point 1. application-specific sensors, or by the network itself. The latter is beneficial in order to 2. a wireless transceiver, reduce the amount of data to be transmitted over the 3. a simple processor, and wireless connection. Since the energy consumption in- 4. an energy unit, which may be battery or solar creases linearly with the amount of transmitted data, an driven. aggregation approach helps increase the WSN’s overallIn particular, we cannot assume a sensor node to comprise lifetime. Another way to save energy is to only maintain aa tamper-resistant unit. Such sensor nodes are envisioned connected backbone for forwarding traffic, whereas nodesto be spread out over a geographical area to form in an that perform no forwarding task persist in idle mode untilindeed self-organizing manner a multihop network. Most they are reactivated.frequently, such WSNs are stationary, although mobile It is the aim of this survey to consider WSNs in whichWSNs are also conceivable. Potential applications for messages should be transferred in a confidential way. MoreWSNs—besides military ones—can be found in monitoring precisely, adversaries that eavesdrop communication be-environmental data with the objective to understand tween the sensors, aggregators, and the sink shall not obtaincomplex and geographical widespread interdependencies the exchanged information. This is achieved by encryptingof nature. Examples are the detection of fire in huge forest transmitted data. Other security goals, such as integrity, areareas, the monitoring of wildlife animals’ movement outside the scope. We assume that adversaries can at leastpatterns, or the incremental shift of snow and rocks in carry out ciphertext-only attacks. However, we will alsothe alpine mountains. Further applications for WSNs are analyze available solutions according to their protectionenvisioned to be on the biomedical sector, public safety, against more powerful attacks. In principle, there are severaland safety support for vehicles. possibilities in order to achieve the above security goal. If One major application scenario for a WSN is to monitor end-to-end encryption is desired, then applying usualenvironmental data and to transmit it to a central point. encryption algorithms implies that intermediate nodes haveHere, the data are analyzed and eventually serve to no possibility for efficient aggregation allowing to shrink the size of messages to be forwarded. The application of usual. S. Peter is with IHP GmBH, Im Technologiepark 25, 15236 Frankfurt encryption algorithms combined with the requirement of (Oder), Germany. E-mail: email@example.com. efficient data aggregation provides only the possibility of. D. Westhoff is with NEC Europe Ltd., Kurfu ¨rsten-Anlage 36, encrypting the messages hop-by-hop. However, this means 69115 Heidelberg, Germany. E-mail: firstname.lastname@example.org.. C. Castelluccia is with the Institut National de Recherche en Informatique that an aggregator has to decrypt each received message, et en Automatique (INRIA) Grenoble - Rhone-Alpes, Inovallee, then aggregate the messages according to the corresponding 655 Avenue de l’Europe Montbonnot, 38334 Saint Ismier Cedex, France. aggregation function and, finally, encrypt the aggregation E-mail: Claude.Castelluccia@inrialpes.fr. result before forwarding it. Furthermore, hop-by-hop en-Manuscript received 26 Feb. 2007; revised 18 Dec. 2007; accepted 22 Feb. cryption possesses that intermediate aggregators require2008; published online 20 Mar. 2008.For information on obtaining reprints of this article, please send e-mail to: keys for decryption and email@example.com, and reference IEEECS Log Number TDSC-0025-0207. It is the contribution of this survey to provide end-to-endDigital Object Identifier no. 10.1109/TDSC.2008.23. encryption for reverse multicast traffic between the sensors 1545-5971/08/$25.00 ß 2008 IEEE Published by the IEEE Computer Society Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.2 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 4, OCTOBER-DECEMBER 2008 additively homomorphic with a single secret key and a þ b ¼ Dfðk1 ;k2 Þ ðEk1 ðaÞ È Ek2 ðbÞÞ ð2Þ additively homomorphic with multiple secret keys. We denote an asymmetric additively homomorphic encryption transforma- tion as À Á a þ b ¼ Dp Eq ðaÞ È Eq ðbÞ ð3Þ with ðp; qÞ being a private, public key pair. The first work on PHs was done in a seminal paper by Rivest et al. .Fig. 1. CDA for WSNs with symmetric PH and multiple secret keys. Meanwhile, a set of other candidates, both symmetric and asymmetric, has been proposed as we will see.and the sink node. We evaluate a set of approaches, whichprovides aggregators with the possibility to carry out 2.2 Concealed Data Aggregationaggregation functions that are applied to ciphertexts. This In WSNs, the above introduced PH can be prominentlyprovides the advantage that intermediate aggregators do not applied for concealing convergecast traffic with simple in-have to carry out costly decryption and encryption opera- network processing at aggregating intermediate nodes.tions and, thus, do not require storing sensitive crypto- Lgraphic keys. The latter ensures an unrestricted aggregator Such an approach is termed as CDA. We denote asnode election process for each epoch during the WSN’s the summing up of n ! 2 encrypted operands with thelifetime, which is impossible in case of hop-by-hop encryp- additive operations È. Under such a setting, an aggre-tion. Here, only nodes that have stored sensitive key gator node A is not required to perform decryption andmaterial can act as an aggregator node, and thus, balancing subsequent encryption operations in order to do aggrega-the energy consumption over several nodes is restricted. tion operations on the incoming data from sensing nodes In the remainder of this paper, we present a survey of SuccðAÞ ¼ fN1 ; N2 ; . . . ; Nn g with corresponding keysend-to-end encryption solutions with in-network proces- kN1 ; kN2 ; . . . ; kNn like it is required when using conven-sing, which is known as Concealed Data Aggregation (CDA). tional hop-by-hop encryption (see Fig. 1). This increasesWe outline the main problems that have been solved and the overall system security since there is no lack ofpresent solutions currently available. security at the aggregating nodes. Note that CDA, which has originally been proposed in2 BASIC PRINCIPLES, VALUE, AND CLASSIFICATION , supports various aggregation operations. They areBefore we describe the basic concept of CDA as well as the listed in Table 1 with an overview on what needs to bearising requirements regarding the key management, we computed at a sensor node, an aggregating node, and aintroduce a particular encryption transformation named sink node. CDA also supports a hierarchy of aggregatingprivacy homomorphic encryption transformation. A classifica- nodes as long as the aggregation function itself supportstion of available CDA building blocks completes this section. such a cascaded adjustment. Consequently, the approach is best suited for large-scaled WSNs. Note that depending2.1 Privacy Homomorphisms on what concrete PH [see (1), (2), and (3)] we areA privacy homomorphism (PH) is an encryption transforma- applying for the CDA solution, a different key managementtion that allows direct computation on encrypted data. LetQ and R denote two rings, and þ and È denote addition becomes necessary.operations on the rings. Let K be the key space. We denote 2.3 Benefitsan encryption transformation E : K Â Q ! R and the Compared to data aggregation with hop-by-hop encryption,corresponding decryption transformation D : K Â R ! Q. we see the substantial advantages of CDA in thatGiven a, b 2 Q and k, k1 , k2 2 K, we term 1. neither the encryption keys nor the sensed plaintext a þ b ¼ Dk ðEk ðaÞ È Ek ðbÞÞ ð1Þ information need to be available at aggregating TABLE 1 Summary of Known Aggregation Functions Using Addition Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.PETER ET AL.: A SURVEY ON THE ENCRYPTION OF CONVERGECAST TRAFFIC WITH IN-NETWORK PROCESSING 3 nodes. This differs from a hop-by-hop encryption approach, where a captured aggregator node would reveal this information. 2. the overall energy consumption of the actual con- nected backbone can be reduced. For hop-by-hop encryption, each aggregator node needs to first decrypt multiple incoming messages, then aggregate these before encrypting the aggregated data. The CDA approach significantly reduces the energy consumption at aggregator nodes since no encryption and decryption is performed . It is essential to provide overall energy-efficient solutions for the nodes that make up the backbone, since these nodes are most critical for the overall lifetime and connec- tivity of a WSN. Fig. 2. CDA building blocks and criteria for classification. 3. CDA-based end-to-end encryption is much more flexible for varying connected backbones over where the same secret key is distributed to a subset of different epochs. With hop-by-hop encryption, only nodes, and public/private keying in case a PH satisfying (3) is nodes storing the corresponding key can perform the used for CDA. Unique keying can further be subdivided decryption and thus aggregate data. With CDA, into random unique keying and unique keying that supports every node can be elected as an aggregator node, an algebraic structuring of the unique keys within the WSN. since the aggregating nodes do not need to store the Within the class of concepts supporting a groupwise key to operate on the incoming ciphertext message. keying, we want to highlight a branch that takes the region Thus, the election process per epoch is purely based of the nodes into account when distributing keys. To the on the remaining energy levels of the nodes. CDA best of our knowledge, this classification reflects all the key provides confidentiality by not restricting these aggregator-node-election algorithms. This increases management concepts that are currently available for CDA. the robustness and reliability of the WSN. 4. with CDA, the overall system security level of the 3 ATTACK SCENARIOS WSN increases. Clearly, currently proposed cryp- Although many of the following attacks can be repelled by toschemes for WSNs such as RC5, AES, IDEA, or protocols and technologies other than cryptographic algo- RC4 provide a higher security level and/or require rithms (e.g., secure routing, safe infrastructure), we focus on much less execution time compared to any currently the resistance of the actual CDA scheme. The potential available PH. Unfortunately, when applied to WSNs, targets of an adversary are the deduction of these schemes run into a security/flexibility trade- off. With a single networkwide key, the aggregator 1. the secret key (total break of the system), node election remains as flexible as possible at the 2. plaintexts not previously known (corresponds to the cost of almost no security. With group keying or classical unauthorized decryption), and even pairwise keying, the security level of the WSN 3. additional ciphertexts (usually used to forge mal- increases at the cost of almost static routing paths icious ciphertexts). and a fixed set of aggregators in the backbone. The Obviously, the revealing of the secret key, i.e., the total above observation is based on the fact that in break, is the worst case scenario. It allows the attacker to systems without tamper-resistant units, the weakest decrypt and encrypt every message in the system. The security component is not the cryptoscheme itself deduction of plaintexts usually from transmitted cipher- but instead the storage policy of sensitive data. texts compromises the secrecy. In contrast, the deduction of2.4 Classification additional ciphertexts can imply a loss of any trust in theWe are now in the position to name CDA building blocks network, since every received message can be forged by anand derive criteria for their classification. A classification of adversary.the CDA building blocks is depicted in Fig. 2. CDA includes 3.1 Passive Attacksthe encryption transformation itself plus a solution for key Passive attacks comprise all attacks that do not require themanagement. Since most of the available work is addres- adversary to actively interfere with the connection. In ordersing key distribution solutions mainly for unicast traffic, new to perform such an attack, the adversary needs to doapproaches are required here. nothing but listen to transmitted packets. The eavesdropped For the encryption transformation, we categorize solu- information can be evaluated and usually cryptoanalyzedtions regarding whether they satisfy (1), (2), or (3). We in order to obtain secret information. Though the worst casefurther differentiate deterministic and probabilistic encryption result of such an attack would be the deduction of the secrettransformations since this impacts the additional require- key, most attacks aim at revealing the plaintexts or atments of the key management for CDA. Basically on the key gathering information for further actions.management side, we classify unique keying where indivi- Passive attacks can be performed relatively easy. Givendual keys per sensor node are distributed, groupwise keying the characteristics of the broadcast medium those attacks Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.4 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 4, OCTOBER-DECEMBER 2008are not detectable, which make them highly dangerous. It much more severe. A successful attack that allows anmust be the primary security goal of a cryptoscheme that an adversary to change or forge any packet can render theadversary is not able to gain any information by simple whole network useless. In such a case, every receivedeavesdropping. With regard to these properties, the packet could be malicious so that every sensed value andrequirements are very similar to classic cryptoschemes. every action could have been modified in the interest of an adversary. As we will see also (or especially), CDA3.1.1 Ciphertext Analysis algorithms are vulnerable to active attacks.A very common and actually the most basic attack is theanalysis of encrypted packets. In such an analysis, the 3.2.1 Replay Attacksadversary wants to obtain information only by interpreting Replay attacks are the easiest variation of active attacks.ciphertexts. A secure cryptographic system must ensure Valid packets that have been sent before are transmittedthat it is not possible to gain any inappropriate information later in order to achieve a malicious effect. For CDA in(plaintext, key, statistical information). Additionally, it must WSNs, it is considerable to record the ciphertext in abe provided that an attacker cannot decide whether an situation where the plaintext is known or causes a notice-encrypted packet corresponds to a specific plaintext or not. able specific reaction of the system. The recorded packet canIn particular, in WSNs with a scarce domain of values, the be resent later in order to initiate a desired action of thelatter attack can very efficiently result in a deduction of the system or to pretend a situation that is not actually sensed.plaintexts. For example, in a movement detection scenario, a trespasser can keep sending the previously recorded “no3.1.2 Known Plaintext Attack movement” signal while he is moving in the protected area.In this kind of attack, the adversary tries to determine secret The system receives the correctly encoded messages andinformation with the additional knowledge of plaintexts. does not trigger the alarm. Another variation of this attackWith known plaintext and corresponding ciphertext, it is is not to replay a previously sent message but to replay thethe aim of the adversary either to reveal the secret key or at messages of a different node in order to cover that one nodeleast to gather additional information that can be exploited is either disabled or would sense undesired values. Thisto deduct malicious ciphertexts or decrypt other messages. way a recorded “movement detected” signal could be In a WSN scenario, such an attack is very likely since an replicated on every node in the system so that the actualadversary can obtain plaintexts corresponding to the intrusion cannot be detected in time.ciphertexts that are sent via the air on various ways, e.g., by Though there are several possible countermeasures that are based on protocols (e.g., time stamps, node ID), it would . guessing the values of the plaintext (e.g., be desirable to have a resistance to this kind of attack in the temperature), initial CDA algorithm. It means that it is not possible to take . by an own sensor that determines the plaintext a correctly encoded message recorded at different time or values, another place without being noticed by the decryption . physically accessing the deployed sensor, or algorithm. . manipulating the sensor readings (e.g., heat the sensor). 3.2.2 Malleability Assuming the cryptoscheme uses the same secret key on The idea of this very dangerous attack is to alter the contentevery node (see (1)) this sort of attacks is a serious threat if of a valid encrypted packet without leaving marks. Athe scheme does not provide resistance. Resistance to simple variation of that attack would be randomlyknown plaintext attacks means that, even with a large set generated ciphertexts that are syntactically correct. In suchof corresponding plain- and ciphertexts, it is not possible to case, the adversary does not know the actual effect of thededuce secret keys or additional cipher- or plaintexts out of modification, but its intention is to harm the system. A morethe known set. sophisticated variation is a specific alternation of a In case of a deterministic cryptoscheme, recorded ciphertext. For example, the adversary knows that a sensordatabase of ciphertexts for every possible plaintext destroys transmits the current temperature of about 20 C and heany security. In particular for WSNs with a scarce domain wants to increase the encrypted value to 40 C. For someof sensed or transmitted values, such a straightforward PH schemes, it is possible to alter the content (i.e., theattack is not only considerable but also very threatening. plaintext) of an encrypted packet without knowing the concrete content. Here, the attacker can increase the3.2 Active Attacks transmitted temperature by 20 C even without being ableThe described passive attacks do not require the adversary to decrypt the original message. Due to their algebraicto actively interfere the communication. In case of active properties, PH schemes may be very vulnerable to this kindattacks, the adversary is assumed to be able to perform such of malleability.interferences, i.e., to catch, destroy, modify, and send Additionally for CDA algorithms, that weakness be-packets. An attacker could catch a packet, analyze it, comes more severe because the decrypting unit receivesmodify the content, and even replace the original packet only a derivation (i.e., the aggregate) of the sensed values.in the network. Such attacks require the attacker to have a This means that the modified value is aggregated severallot more knowledge and technical instruments. Though times before it finally will be decrypted. Consequently,such attacks are much more complicated and expensive possible marks of the modification can be blurred and eventhan passive attacks, their potential damage can be also if the sink node realizes the modification, it does not know Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.PETER ET AL.: A SURVEY ON THE ENCRYPTION OF CONVERGECAST TRAFFIC WITH IN-NETWORK PROCESSING 5the source of it. Additionally, it can be assumed that most node could also be a problem because it allows theapproaches of Resilient Data Aggregation (RDA) are not adversary to collect a set of plaintext/ciphertext pairs withapplicable to CDA networks because only the sink node known plaintexts. It could be the basis for further actions,becomes aware of the content. Thus, aggregating nodes e.g., known plaintext attacks. It would be desirable thatcannot detect unreasonable content, and even worse with under any circumstances a captured node cannot turn outthe aggregation the modification will be covered. to be a threat for the rest of the system, i.e., it is not possible to extract information that could be applied in a further3.2.3 Unauthorized Aggregation attack.Actually, the unauthorized aggregation is a variation of themalicious modification. However, since it is a very specific 4 REQUIREMENTS ANALYSISweakness of PH schemes, we will treat them separately. Theidea of such an attack is to take two or more proper Prior to presenting available solutions for CDA, we willciphertexts and aggregate them in order to inject the result outline the criteria and desired design requirements of ansomewhere into the network. Like the normal aggregation appropriate CDA solution. Beneficial requirements regard-nodes, the attacking aggregator does not need to know the ing the security of the system are given as follows:plaintexts of the individual messages in order to aggregate . Provable Security: The security level of the encryptionthem to a properly looking ciphertext. An adversary could scheme should be measurable and it should be baseduse that property to vandalize the system, but it is also upon the commonly agreed hardness of a mathe-considerable to apply it more specifically. With known or matical problem to be provably computationallyassumed ciphertext/plaintext combinations, an attacker can secure.1modify packets that are well directed. For example, an . Sensor Compromise: The compromise of a subset ofadversary knows the ciphertext C1 for the temperature of sensor nodes should not assist in revealing aggre-about 20 C. In order to increase the current sensed gated data.temperature with the ciphertext C2 by 40 C, he could . System Security: From the two points mentionedaggregate C3 ¼ C2 þ C1 þ C1 and replace C2 with C3. above, we can define the overall system security as There are two considerable ways of protecting a being the weakest of the two.PH scheme from unauthorized aggregation. First, the . Key Management: The key management should beaggregation may need a secret key in order to be performed. kept simple enough to avoid bandwidth intensiveThus, an adversary cannot execute the aggregation without techniques needed to identify the encryption keysknowing or breaking the secret key. The second approach being used by sensors.would be to ensure that every ciphertext cannot be used . Ciphertext Expansion: The expansion in bit sizemore than once so that the decryption unit can detect the attributed to encryption should be moderate.unauthorized aggregation. . Probabilistic Encryption: Encryption of the same plaintext should not, with high probability, yield3.2.4 Forge Packets the same ciphertext.An adversary does not need to modify existing packets if In addition to the security requirements, the design spaceshe is able to create properly encoded ciphertexts with a for an appropriate CDA approach should also considerspecific content. The attacker could simply substitute the requirements regarding the lifetime, flexibility, and robust-packet of the actually sensed value with the forged one. If ness of the system:there is no protection to this issue, the receiving unit cannever be sure whether the received packet was really . Efficient Computations: Cryptographic operationssensed. It can be assumed that every public key approach, performed at sensors should not be overly expensive.where a public key is used to encrypt the plaintexts, is . Aggregator Node Election: The algorithm for electinginitially vulnerable to this attack. A PH scheme that is aggregator nodes should not need to take intoresistant to maliciously forged packets must not allow any account security parameters, thereby allowing it tothird party to create properly encoded messages at least not make selections purely based on lower layers’without being able to detect the interference during parameter, e.g., the remaining energy level of thedecryption. nodes. . Network Topology: Each sensor node is aware of its3.3 Physical Attacks aggregator node and each aggregator node knows itsPhysical attacks as they are meant here embrace attacks reporting sensor nodes. If a node changes its group,against the hardware of the node. In the context of it is considered to be announced in the network.PH schemes, it does not include the attack of disabling a Note that the second security criterion rules out a hop-by-node, because this would not implicitly be a threat against hop encryption approach, as the compromise of a few nodesthe security of the cryptoscheme. A serious threat is the may be enough to render the WSN insecure. While the thirdcapturing of nodes. The access to the flash and the memory point reveals the weaknesses of symmetric key schemesmay reveal key information that can compromise the entire according to (1) in WSN settings when assuming non-network. In particular, symmetric encryption schemes that tamper-resistant sensors. Probabilistic encryption provesuse the same key on every node are vulnerable. A capturedand completely revealed node with all its key information 1. A cryptoscheme is said to be computationally secure if the cost of ancorresponds to a total break of the network. A captured attack outweighs the value of the encrypted data. Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.6 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 4, OCTOBER-DECEMBER 2008useful to avoid divulging information from ciphertexts secret key is applied on every node in the network thatonly, as identical environment values may often be needs to encrypt data. The message size is d Á n bit. For verymeasured and encrypted by neighboring nodes. We note secure parameter combinations (d 100), the messagesthat non-tamper-resistant sensor nodes can be compro- become very big . However, Girao et al.  showedmised and have their contents revealed by an attacker (such that with reasonable parameters it also fits the needs ofas public keys and current unencrypted measurements). constrained devices.However, it should not be possible to learn (encrypted)aggregated values from the compromise of a single node or 5.1.2 Castelluccia-Mykletun-Tsudik Schemea minor fraction of the WSN. The lifetime criteria relate to Castelluccia, Mykletun, and Tsudik  propose a simplethe lifetime of nodes, as computations and especially and provably secure additively homomorphic streamcommunication are energy intensive. By performing in- cipher that allows efficient aggregation of encrypted data.network aggregation, nodes avoid having to forward every The main idea of the scheme is to replace the exclusive-ORreceived packet toward the reader, thereby drastically (XOR) operation typically found in stream ciphers withreducing the overall bandwidth consumption. modular addition ðþÞ. Since this new cipher only uses Next, we will examine potential cryptoscheme candi- modular additions (with very small moduli), it is very welldates that meet some of the desired criteria outlined in this suited for CPU-constrained devices.section. None of the discussed candidates meets all the Castelluccia, Mykletun, Tsudik (CaMyTs) algorithm desired criteria. Parameter: select large integer M Encryption: Message m 2 ½0; M À 1,5 ENCRYPTION TRANSFORMATIONS randomly generated keystream k 2 ½0; M À 15.1 Symmetric Homomorphic Encryption c ¼ ðm þ kÞ mod M Transformations Decryption: Decðc; k; MÞ ¼ c À kðmod MÞSymmetric PH schemes require identical secret information Aggregation: Let c1 ¼ Encðm1 ; k1 ; MÞ andfor encryption and decryption. In this section, we present c2 ¼ Encðm2 ; k2 ; MÞfour schemes that have the additive PH property and For k ¼ k1 þ k2 , Decðc1 þ c2 ; k; MÞ ¼ m1 þ m2promise to be suitable for the application in WSNs. It is assumed that 0 m M. Due to the commutative property of addition, the above scheme is additively5.1.1 Domingo-Ferrer Scheme homomorphic. In fact, if c1 ¼ Encðm1 ; k1 ; MÞ and c2 ¼In , Domingo-Ferrer introduced a symmetric PH scheme Encðm2 ; k2 ; MÞ, then c1 þ c2 ¼ Encðm1 þ m2 ; k1 þ k2 ; MÞ.(DF) that has been proposed as efficient PH cryptographic Note that if n different ciphers ci are added, then M must Pnsystem for WSNs in . The PH is probabilistic, which be larger than i¼1 mi ; otherwise, correctness is not Pmeans that the encryption transformation involves some provided. In fact, if n mi is larger than M, decryption i¼1randomness that chooses the ciphertext corresponding to a will result in a value m0 that is smaller than M. In practice, ifgiven cleartext from a set of possible ciphertexts. p ¼ maxðmi Þ, then M should be selected as M ¼ 2dlog2 ðpÃnÞe .Domingo-Ferrer (DF) algorithm  The keystream k can be generated by using a stream cipher, such as RC4, keyed with a node’s secret key si and aParameter: public key: integer d ! 2, large integer M unique message ID. This secret key is precomputed and secret key: k ¼ ðr; gÞ shared between the node and the sink, while the message ID small g that divides M; r so that rÀ1 exists in Z M Z can either be included in the query from the sink or it can beEncryption: split m into d parts m1 . . . md that Pd derived from the time period in which the node is sending i¼1 ðmi Þ mod g ¼ m its values in (assuming some form of synchronization). C ¼ ½c1 ; . . . ; cd ¼ ½m1 r mod M; m2 r2 mod M; . . . ; md rd mod M 5.1.3 Authenticated Interleaved Encryption-BasedDecryption: m ¼ ðc1 rÀ1 þ c2 rÀ2 þ . . . þ cd rÀd Þ mod g SchemeAggregation: Scalar addition modulo M One limitation of the previous proposal is that the identities C12 ¼ C1 þ C2 ¼ ½ðc11 þ c21 Þ mod M; . . . ; of the nonresponding nodes (or responding nodes, which- ðc1d þ c2d Þ mod M ever is expected to be smaller) need to be sent along with The set of cleartext is Z g , and the set of ciphertext is Z the aggregate to the sink. If the network is unreliable, thisðZ M Þd . Z can represent an important overhead and scalability DF has both the additive and the multiplicative problem. It is therefore important to devise methods forPH properties. For the ciphertext multiplication, all terms reducing this cost.are cross-multiplied in Z g , with the d1 -degree term by a Z In Authenticated Interleaved Encryption (AIE) , or, veryd2 -degree term yielding a ðd1 þ d2 Þ-degree term. Terms similar, in , each node shares a pairwise key with itshaving the same degree are added up. direct parent, its two-hop parent, three-hop parent, . . . , and DF is a symmetric algorithm that requires the same n-hop parent, where n is a system parameter. These keyssecret key for encryption and decryption. The aggregation is can be established using a scheme such as .performed with a key that can be publicly known, i.e., the When a sensor, Ni , sends a message, it encrypts it n-timeaggregator nodes do not need to be able to decrypt the using the additively homomorphic scheme described in .encrypted messages. However, it is required that the same The first time with the key it shares with its direct parent, Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.PETER ET AL.: A SURVEY ON THE ENCRYPTION OF CONVERGECAST TRAFFIC WITH IN-NETWORK PROCESSING 7the second time with the key it shares with its two-hop andparent, . . . , the nth time with the key its shares with itsn-hop parent. The sensor sends the result ci to its parent a þ b ¼ DK 1 ðDK 2 ðEK 2 ðEK 1 ðaÞÞ È EK 2 ðEK 1 ðbÞÞÞÞ:along with its identifier. EK 1 stands for the inner cryptographic algorithm and EK 2 An aggregator Ai adds up all the ciphers cl it receives for the outer one. This means that the plaintext a isfrom all of its direct children. It then decrypts the encrypted with algorithm E1 and the resulting ciphertext isresults using the sum of the pairwise keys it shares with encrypted again with algorithm E2 , while preserving theeach of its direct children, two-hop children, . . . , n-hop homomorphic property corresponding to the algebraicchildren. The result is then encrypted n times with thekeys it shares with its parent, two-hop parent, . . . , and operation þ.nth. The result is forwarded to Ai ’s parent along with Such a chain has some requirements on the encryptionthe identifiers of the children that have contributed to transformation: both encryption schemes must be additivethe resulting cipher. The messages get then securely PH, and the ranges of results of inner encryption E1 must fitaggregated hop-by-hop until the sink. to the domain of E2 , i.e., R1 ¼ Q2 . With the AIE scheme, each aggregator has to forward As an example, the combination of CaMyTs and DF is PnÀ1 iat most i¼1 d identities, where d is the degree of the demonstrated. As we will see in Section 7, this combinationtree, i.e., number of children per node. This is much less results in a very secure CDA approach that is still suitablethan the CaMyTs scheme. In the original CaMyTs scheme, to lightweight devices.the number of identities to be forwarded increases as the The DF/CaMyTs combination is algebraically soundaggregated message gets closer to the root. At the level h since CaMyTs as E1 encryption maps the plaintexts that areof the tree (h ¼ 0 being the leaves), Oðdh Þ identities have in Z n E1 : Z n ! Z n , and DF uses the resulting ciphertexts Z Z Zto be forwarded by each aggregator. If the aggregator tree for its encryption E2 : Z n ! C while C is a usual known Z C, Chas many levels, this can become problematic. In contrast, DF ciphertext.with AIE, the number of identities to be forwarded is It should be mentioned that an aggregation operationbounded and only depends on the parameters n and d, for DF/CaMyTs performed on an aggregation nodewhere d is smaller than h. requires exactly the same effort as for the standalone DF. Note, however, that the AIE-based scheme is less secure It is not necessary to consider the embedded CaMyTsthan the original scheme. An attacker that corrupts encryption. Since most security concerns are alreadyn consecutive nodes can actually retrieve the aggregated covered by CaMyTs, the DF parameters, especially thevalue at the lowest corrupted aggregator in the tree. With setting parameter d, do not need to be too big. Thus, thethe original scheme, corrupting aggregators does not reveal potential ciphertext expansion is moderate.any information about the aggregated value. However, with both encryption methods, there are There is a clear trade-off between the number of indeed the technical problems of both approaches. Withidentities to be forwarded (i.e., bandwidth cost) and d 1, the encrypted message size increases and there is stillsecurity. By decreasing n, the bandwidth cost decreases the ID issue to indicate nonresponding nodes.but so does the security. By increasing n, the bandwidthcost and security increase. If n ¼ 1, the AIE scheme is CaMyTs þ Domingo-Ferrer (CaMyTs/DF) algorithm similar to hop-by-hop encryption. This configuration is Parameter: public key: large integer M, d ! 2optimal in terms of bandwidth but very weak security-wise. secret key: g that divides M; r so that rÀ 1 existsOn the other hand, if n ¼ h (where h is the number of level in Z MZin the tree), the AIE scheme is similar to the original Encryption: randomly generated keystream k 2 ½0; M À 1aggregation scheme in . Its bandwidth cost is high, but its e1 ¼ ðk þ mÞ mod Msecurity is maximum. P split e1 into d parts m1 . . . md that d ðmi Þ mod i¼15.1.4 Hybrid Symmetric PH Approach g ¼ e1 C ¼ ½c1 ; . . . ; cd ¼ ½m1 r mod M; m2 r2 modIn , an approach has been proposed that combines two M; . . . ; md rd mod Mknown PH algorithms. It is the notion to increase the Aggregation: scalar addition modulo M (like DF)security and cope with security issues of single PHs by Decryption: d1 ¼ ðc1 rÀ1 þ . . . þ cd rÀd Þ mod gperforming cascaded encryptions. The idea of this action is m ¼ ðd1 À kÞ mod Mto combine the advantages of both cryptoschemes. Con- where k is the sum of aggregatedsidering that one scheme is vulnerable to one attack and keystreamsanother scheme has another weakness, the combinedalgorithm can cover both issues. 5.2 Asymmetric Homomorphic Encryption Considering we have two PH encryption transforma- Transformationstions E1 : K1 Â Q1 ! R1 and E2 : K2 Â Q2 ! R2 with cor- In light of inevitable problems connected with keyresponding decryption and properties as described in distribution and synchronization required for symmetricSection 2. A cascaded PH is the successively performed encryption schemes, we are encouraged to revisit the use ofexecution of both encryption functions that results in the public key encryption schemes thattransformation EC : K2 Â K1 Â Q1 ! R2 sustaining thehomomorphic property: 1. are additively homomorphic (allowing for in- network aggregation of particular aggregation EK 2 ðEK 1 ðaÞÞ È EK 2 ðEK 1 ðbÞÞ ¼ EK 2 ðEK 1 ða þ bÞÞ functions), Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.8 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 4, OCTOBER-DECEMBER 2008 2. exert the required security levels, elliptic curve variants of the previously described public 3. involve relatively cheap computations, key encryption algorithms, namely those proposed by 4. are probabilistic, Naccache and Stern , Okamoto and Uchiyama , 5. produce relatively short ciphertexts, and and Paillier . Since the encryption schemes in  are 6. by nature of public key methodology, require no implemented over elliptic curves and meet some of our sensitive key material to be stored at encrypting desired criteria, we describe each and investigate their sensors. applicability for aggregation in WSNs. Common to each We are especially interested in the use of elliptic curve scheme is that the elliptic curve is defined over Z n or Z 2 ,Z Zncryptoschemes, due to 1) their use of small keys, which where n is the product of large primes, and that they areleads to short ciphertexts, 2) the smaller real estate required provably secure against chosen plaintext attacks. All threefor hardware implementations (number of gates), and 3) a schemes provide additive homomorphic capabilitiesbetter security-per-bit ratio. through the summation of ciphertexts. The reader is A large subgroup of asymmetric PHs is the family of referred to  for more detailed descriptions of thehigh degree residuosity class-based cryptographic algo- cryptosystems.rithms, for example from Paillier , Benaloh , Naccache Elliptic Curve Okamoto-Uchiyama Encryption. The Ellipticand Stern , and Okamoto and Uchiyama (OU) . Curve Okamoto-Uchiyama (EC-OU) Encryption uses theThough all these public key schemes provide the additive fact that discrete logarithms are easy to compute in curvesPH, we only describe the latter one, since all algorithmsexploit similar mathematical problems. Additionally, due to Ep ðap ; bp Þ over Fp , which have trace of Frobenius onetheir long keys that imply large messages and high (anomalous curves)2, where values ap , bp denote a particularcomputation efforts, the application of these schemes in a curve. Paillier extends this discrete logarithm recover abilityWSN scenario is at least questionable, while the OU scheme property to a p-subgroup of Ep2 ða; bÞ such that the projectionshows the most promising results . onto Fp gives the twist of an anomalous curve. Define n ¼ p2 q, where p, q are large 341-bit primes, and5.2.1 Okamoto-Uchiyama Scheme p 2ðmod 3Þ. Values ap , bp 2 Fp are chosen such thatIn Eurocrypt ’98, Okamoto and Uchiyama proposed a new Ep ðap ; bp Þ is of order p þ 2. A random curve Eq ðaq ; bq Þ alongpublic-key cryptosystem (OU) as secure as factoring and with a lift Ep2 ðap ; bp Þ of Ep ððap ; bp Þ to Fp2 is chosen. Then, bybased on the ability of computing discrete logarithms in a using the Chinese Remainder Theorem (CRT), Ep2 ðap ; bp Þparticular subgroup . Their scheme is characterized by and Eq ðaq ; bq Þ are combined to get the curve En ¼ En ða; bÞ,probabilistic encryption, additive homomorphic properties, where a; b 2 Z n . A base point G 2 En of maximal order Zand relating the computational complexity of the encryp- lcmðjEp2 j; jEq jÞ is chosen and H ¼ nG. The cryptosystem’stion function to the size of the plaintext. security can be shown equivalent to factoring n ¼ p2 q. Specifically, for an odd prime p, the p-Sylow sub- Elliptic Curve Okamoto-Uchiyama (EC-OU) algorithmgroup is defined as p ¼ fx p2 j x ¼ 1ðmod pÞg, and Parameter: Public key: n ¼ p2 q; G; H; Enjp j ¼ p. A function L that maps elements from p to Z pZis defined as LðxÞ ¼ ðx À 1Þ=p. Function L has homo- Private key: pmorphic properties from multiplication to addition. For Encryption: plaintext m 2kÀ1 ,elements a; b 2 p , Lða Ã bÞ ¼ LðaÞ þ LðbÞðmod pÞ, and for r 2R 22k ,c 2 Z p , Lðac Þ ¼ c Ã LðaÞ. Z ciphertext C ¼ mG þ rH p ððpþ2ÞCÞ Now, let p and q be random k-bit primes and set Decryption: compute m ¼ p ððpþ2ÞGÞ ðmod pÞn ¼ p2 q. For an n of approximately 1,024 bits, a choice of where p ðx; yÞ ¼ À x ðmod p2 Þ and has the yk could be 341. Next, randomly choose a g 2R Z n such Z propertythat element gp ¼ gpÀ1 ðmod p2 Þ has order p. Finally, seth ¼ gn ðmod nÞ. The additive homomorphic property is that if P ¼ mG for arbitrary points P , G, then p ðP Þachieved through the multiplication of ciphertexts: m¼ p ðGÞ ðmod pÞEncðm1 þ m2 Þ ¼ Encðm1 Þ Â Encðm2 Þ. provided that G 6¼ Op2 .Okamoto-Uchiyama (OU) algorithm  Elliptic Curve Naccache-Stern Encryption. Elliptic CurveParameter: public key: n ¼ p2 q; g; h Naccache-Stern Encryption (EC-NS) is constructed in a Private key: ðp; qÞ manner similar to KMOV , whereby factoring-basedEncryption: plaintext m 2 2k , algorithms are exported to particular families of elliptic r 2R Z n , Z curves.3 The applicable curves have the following ciphertext c ¼ gm hr ðmod nÞ specific form:Decryption: c0 ¼ cpÀ1 ðmod p2 Þ compute m ¼ Lðc0 ÞLðgp ÞÀ1 ðmod pÞ En ð0; bÞ : y2 ¼ x3 þ bðmod nÞ; for b 2 Z Ã ZnNote that c ðmod p2 Þ ¼ gmðpÀ1Þ gnrðpÀ1Þ ¼ gm ðmod p2 Þ pÀ1 p 2. Specifically, such a computation of discrete logarithms requires Oðlog3 pÞ-bit operations.5.2.2 ECC Schemes Suggested by Paillier 3. The KMOV paper introduced elliptic curve schemes that, like the RSAIn , Paillier describes three new probabilistic encryption cryptosystem, base their security of the difficulty of factoring a value n ¼ pq, where p and q are large primes. This differs from typical ECCschemes that use elliptic curves over rings and exhibit solutions that base themselves on the computationally hard discreteadditive homomorphic properties. All three schemes are logarithm problem. Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.PETER ET AL.: A SURVEY ON THE ENCRYPTION OF CONVERGECAST TRAFFIC WITH IN-NETWORK PROCESSING 9with p q 2ðmod 3Þ and ¼ jEn ð0; bÞj ¼ lcmðp þ 1; q þ 1Þ. It is important to note that in , Galbraith shows thatFurther requirements are given as follows: the use of anomalous curves in the way it is described in the Y two schemes above is insecure. The attack reveals the p þ 1 ¼ 6 Â u Â p0 ; where u ¼ pi i private key by efficiently extracting it from the public key. Y Although the same author proposes a variation of the EC- q þ 1 ¼ 6 Â u Â q0 ; where u ¼ qi j P scheme, this new scheme is not as efficient and, therefore, requires too much computation for the scenarios we arefor B-smooth integers4 u and v of (roughly) equal bit considering.size such that gcdð6; u; v; p0 ; q0 Þ ¼ 1, primes p0 ; q0 , andB ¼ Oðlog nÞ. By the properties of primes p and q, the 5.2.3 Elliptic Curve ElGamal Encryption Schemetwo curves Ep ð0; bÞ and Eq ð0; bÞ are cyclic groups of A very different cryptoscheme working on elliptic curves isorders p þ 1 and q þ 1, respectively. the elliptic curve ElGamal encryption scheme (EC-EG). It is Let G be a (base) point of En ð0; bÞ such that its order is a equivalent to the original ElGamal scheme  butmultiple of ¼ uv. Then, encryption of a plaintext m 2 Z Z transformed to an additive group. Key setup consists ofcan be realized as choosing an elliptic curve E together with a prime p and EncðmÞ ¼ C ¼ ðm þ rÞG; where r 2R En ð0; bÞ: generator G. Its security is based upon the Elliptic Curve Discrete Log Problem (ECDLP).Because is B-smooth, it is possible to efficiently computediscrete logarithms for a base of degree by using a Elliptic Curve ElGamal (EC-EG) algorithm combination of the baby-step giant-step and Pohlig- Parameter: Public key: E, p, G, Y ¼ xG, where G; Y 2 FpHellman algorithms . Thus, with the knowledge of Private key: x 2 Fp, decryption can be accomplished by computing the Encryption: plaintext M ¼ mapðmÞ,discrete logarithm of ð=ÞC with respect to the base k 2 Fp ,G0 ¼ ð=ÞG. The security of the scheme is equivalent to ciphertext C ¼ ðR; SÞ, wherecomputing residue classes on En ð0; bÞ. The following R ¼ kG, S ¼ M þ kYoutlines the cryptosystem: Decryption: M ¼ ÀxR þ S ¼ ÀxkG þ M þ xkG, m ¼ rmapðMÞElliptic Curve Naccache-Stern (EC-NS) algorithm EC-EG is additively homomorphic, and ciphertexts areParameter: Public key: n ¼ pq; b; ; G; Enð0;bÞ combined through addition. The summation of two EC-EG Private key: ðp; qÞ or ¼ lcmðp þ 1; q þ 1Þ ciphertexts requires two point additions, namely one forEncryption: plaintext m 2 Z , Z each of the ciphertext components R and S. r 2R Z n , Z map() refers to the mapping function used to map values ciphertext C ¼ ðm þ rÞG (e.g., plaintexts) into points on the curve and vice versa. ThisDecryption: compute u ¼ ð=ÞC ¼ mG0 . mapping needs to be deterministic such that the same Use Pohlig-Hellman and baby-step giant-step plaintext always maps to the same point. Additionally, the to compute the discrete log of u in base G0 function needs the following property to hold: for all Elliptic Curve Paillier Encryption. The cryptoscheme a1 ; a2 2 Fp , mapða1 þ a2 Þ ¼ mapða1 Þ þ mapða2 Þ. An applic- able homomorphic mapping function is proposed byElliptic Curve Paillier (EC-P) extends the settings of EC- VoteHere in  and is based upon using multiples of aOU to curves defined over Z n2 , where n ¼ pq and p, q are Z generator element to represent mapped values. The ap-large primes with the properties that p q 2ðmod 3Þ. proach is to map plaintext value j to the EC point jG, andValues ap ; bp 2 Fp and aq ; bq 2 Fq are chosen such that reverse mapping entails extracting j from jG. This realizesEp ðap ; bp Þ is of order p þ 2 and Eq ðaq ; bq Þ is of order q þ 2. our desire for a homomorphic mapping function as theThe lifted curves Ep2 ðap ; bp Þ and Eq2 ðaq ; bq Þ are chosen and following operations hold: for i; j 2 Fp ; ði þ jÞG ¼ iG þ jG, where p is the prime defining the curve. However, thecombined to get En2 ða; bÞ. A base point G 2 En2 of order demapping of the mapped point jG back to j is not trivial.divisible by n is chosen, possibly of maximal order n, Since it is the fundamental property of ECC that the pointwhere ¼ ðnÞ ¼ lcmðp þ 2; q þ 2Þ. The security of EC-P is multiplication is not efficiently invertible, the only solutionbased upon the problem of computing residuosity classes is a brute force computation that relies on a limited domainover En2 . Here is the scheme: of the mapping. In most cases, this approach is very reasonable.Elliptic Curve Paillier (EC-P) algorithmParameter: Public key: n ¼ pq; G; En2 5.2.4 Comparison of Asymmetric Schemes Private key: ¼ lcmðp þ 2; q þ 2Þ or Table 2 compares the performance of the described public key equivalently ðp; qÞ homomorphic encryption candidates applying the resultsEncryption: plaintext m 2 Z m , Z from . All table entries consist of two values: 1) the r 2R Z n , Z formulas used to determine the respective costs and 2) the ciphertext C ¼ ðm þ nrÞ actual number of computations and bits transmitted when n ðCÞ applying the formulas to our set of assumed values, asDecryption: compute m ¼ n ðGÞ ðmod nÞ described below. The formulas refer to parameters of the 4. An integer is said to be B-smooth if all its prime factors are B. respective schemes, i.e., the p in EC-EG refers to the 163-bit Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.10 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 5, NO. 4, OCTOBER-DECEMBER 2008 TABLE 2 Performance Comparison of Candidates: 1) Formulas and 2) Number of Computations (1,024-Bit Modular Multiplications) and Bandwidth (Number of Bits)modulus defining the elliptic curve, while the p in EC-OU is for CDA by following the classification introduced inthe (typically) 341-bit prime that is used to construct the Section 2.modulus n. All computations (the second part of the entries)are converted to and measured in terms the number of base 6.1 KPD for Groupwise Keyingunits (1,024-bit modular multiplications). Note that the Currently, only one KPD for groupwise keying is known,formulas for EC-EG and EC-P reflect the number of 163-bit which supports encryption transformations fulfilling (1).and 2,048-bit modular multiplications, respectively.5 6.1.1 Topology Aware Groupwise Keying Parameters have been selected such as to obtain an equal1,024-bit security level among all schemes and to reflect an The Topology Aware Group Keying (TAGK)  supports theenvisioned WSN setting. For EC-NS, EC-OU, EC-P, and usage of a symmetric privacy homomorphic encryptionOU, primes p and q are selected such that jnj ¼ 1;024, while transformation for securing convergecast traffic with in-we use one of the standard (IEEE) ECC curves over F163 network processing. TAGK distributes keys per “routable” region. The scheme is extremely robust against exhaustingdefined in . Random nonces are assumed to be 80 bits nodes, and it provides a higher system security comparedwhile plaintexts m are 8-bit values. to single-hop-based encryption approaches. However, since The results show that EC-EG benefits from its smaller TAGK is designed to support a symmetric privacy homo-modulus operations in both ciphertext size and computation morphic encryption transformation that requires the sameefforts. However, the table does not reflect the costs for the key for all the encrypting parties that originate convergecastdemapping function. In a scenario where thousands of traffic, in particular for WSN applications requestingnodes send values in a big domain, EC-EG requires highest system security, there is a strong need forsignificantly more computation power for the decryption conceptual enhancements.than other schemes, unless an improved mapping/demap- Before nodes are spread out over a geographical region,ping function can be found. In small WSNs, EC-EG can be the manufacturer preconfigures at each node the same poolrecommended, especially if the decryption is performed on a of keys and their key IDs. The key pool is limited by thepowerful base station. storage space of the destination platform. Next, the WSN is Further, the table shows that OU is the best scheme if rolled out such that all nodes are randomly distributed overEC-EG cannot be applied, e.g., in very large networks. a region, placing nodes in approximately uniform positions.EC-P provides the fastest decryption, while encryption Each node stores the same key pool and its key IDs. Onceand required bandwidth are not acceptable for con- the nodes are spread out over a region, they remain staticstrained devices. and the bootstrapping phase starts. This phase includes the election of active nodes, e.g., the first run of the adaptive self-6 KEY MANAGEMENT configuring sensor networks topologies (ASCENT) protocol , and the election of aggregator nodes, e.g., with the lowVarious key predistribution (KPD) schemes for wireless energy adaptive clustering hierarchy (LEACH) protocol multihop ad hoc networks have been proposed. Although and a simple “going down” routing protocol initialization.different KPD proposals support varying keying models In addition, a subset of nodes with distance i ¼ 1 to the sinklike pairwise keying, groupwise keying, or a single node randomly chooses a key list fk1 ; . . . ; kr g 2 K Ã andnetwork-wide key, the majority of the KPD proposals are locally broadcasts the key identifiers to nodes withindesigned for securing pairwise unicast traffic . More distance i þ 1. As a probability function of the distance iconcretely, by e.g., applying the concept of key rings, they and the maximum expected distance l to the sink node,ensure with a reasonable high probability the establishment receiving nodes either delete the whole key pool orof a trust relationship over various intermediate nodes to randomly choose one k 2 fk1 ; . . . ; kr g and delete theallow a secured unicast multihop channel. Such KPDs are remaining keys. Nodes that did not receive a messagemost valuable in MANETs. Only a few KPDs have been IDk1 k . . . kIDkr during a particular time frame after theproposed that support the encryption of convergecast network’s roll out delete their key pool. This ensures thattraffic with in-network processing. We describe some KPDs unreachable nodes do not store sensitive data. 5. As modular multiplications with 2,048-bit moduli are approximately 6.2 KPD for Unique Keyingfour times more expensive than with 1,024-bit moduli, we convert thefourteen 2,048-bit modular multiplications in the decryption in EC-P to A KPD that supports unique keying is required in case thefifty-six 1,024-bit modular multiplications. CDA encryption transformation is a PH from (2). Since Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.PETER ET AL.: A SURVEY ON THE ENCRYPTION OF CONVERGECAST TRAFFIC WITH IN-NETWORK PROCESSING 11pairwise keys are used, the highest achievable systemsecurity is provided. Available candidates are given inSections 6.2.1 and 188.8.131.52.2.1 Random Unique KeyingIn this KPD, keys are randomly distributed  to the nodesand only the sink node needs to store all the keys. Since thestorage of keys on the nodes is independent of the finalposition of the nodes, the KPD reduces to a simple storageof different unique keys before the nodes’ deployment.Obviously, such a simple KPD is nearly perfect for highlyself-organizing distributed environments. In addition, fromthe security perspective, a pairwise keying model forconvergecast traffic is preferable since it provides a highersystem security. However, the benefit of the overall systemsecurity comes at the cost of additional overhead. First, the Fig. 3. Taxonomy of symmetric privacy homomorphic encryptionnodes’ configuration before node deployment requires a schemes and their relation to KPD schemes.pairwise pairing between each sensor node and the sinknode to agree on the shared key. Second, since we are contributed or due to interference on the wireless transmis-aiming at security solutions over a highly unreliable sion medium packets may get lost, each intermediate nodemedium, one cannot ignore the impact of packet loss on adds those stored default ciphers to the aggregatedthe wireless broadcast medium. Revealing per data trans- ciphered sum, which correspond to its direct children andmission the key IDs, respectively, node IDs of all the which have not provided their input. During an aggrega-currently involved nodes therefore becomes mandatory.The usage of the CaMyTs scheme in the AIE operation tion phase, the system is secure against passive and activemode is aiming at reducing the data overhead at the cost of attacks.reduced security. The required KPD for such a key setting 6.3 Public Private Keyingcan be achieved, e.g., by running the key managementscheme from Eshenauer and Gligor . In cases where an asymmetric additively homomorphic encryption transformation [see (3)] shall be applied to6.2.2 Unique Keying with Algebraic Structuring secure convergecast traffic within the WSN, it is preferableThe Topology Aware Unique Keying (TAUK)  solution does that a public/private key pair is generated at the sink nodeneither require additional data overhead for key IDs when and the public key is loaded on each sensor node. Typically,sending encrypted convergecast traffic nor does it require this happens before the rollout of the sensor nodes.an extensive key setting before the node deployment. It can However, even a flooding of the public key after thebe used for a double homomorphic encryption transformation deployment of the WSN is possible.(DHET) . One derivate of DHET is derived from theCaMyTs approach. At the same time, this approach is 6.4 Classificationrobust against exhausted nodes and an unreliable broadcast Fig. 3 classifies the discussed KPDs and the correspondingmedium where sometimes data from a child node may not encryption transformations with respect to their providedreach an aggregator node. system security and its data overhead. Since a key manage- In the initialization phase, it is assumed that each sensor ment based on public private keys does not fit to the criterianode N already knows its direct neighbors P redðNÞ and depicted in this figure, we do not consider it here. Note thatSuccðNÞ. Subsequently, each node receives a single sym-metric key, whereas all keys from the sensor nodes are a detailed discussion on the provided security of thederived from a master key, which is solely stored at the sink concrete encryption transformation follows in Section 8.node. In addition to its key, each node stores encrypted The CaMyTs  together with KPD unique keys providesdefault values. Each of such ciphers corresponds to an strong security at the cost of high data overhead. It thereforeN 0 2 SuccðNÞ. They provide robustness during the aggre- belongs to category 2. Running it in the modes “n-hop keygation phase. During the initialization phase, the system is relation” with AIE  and OeMo  reduces the datahighly vulnerable, even to passive attacks. During an overhead while it weakens the system security at the sameaggregation phase, convergecast traffic is encrypted end-to- time. We therefore see it at the edge between category 2 andend from the sensing nodes to the sink node. Each node N category 4. The approaches  and  provide a moderateapplies a PH by encrypting its monitored value with its system security at a moderate to high data overhead duringown unique key and by subsequently summing up the an aggregation phase. Whereas for PH  the KPD is asresulting ciphertext to the received ciphertexts from itschildren SuccðNÞ. Since each node purely stores its own simple as possible since keys can be randomly stored on thekey, it cannot decrypt the incoming ciphers from its node before deployment, OeMo  and AIE  require achildren. Only the sink node is enabled to decrypt the final complex and structured storing policy of keys withoutaggregated value by applying the master key to the providing a clear solution how keys can be distributed inreceived ciphers. Since not always all nodes may have such a way. Authorized licensed use limited to: UR Rh?ne Alpes. Downloaded on December 18, 2009 at 08:30 from IEEE Xplore. Restrictions apply.