

Ad Hoc Networks 11 (2013) 182–189

Contents lists available at SciVerse ScienceDirect

Journal homepage: www.elsevier.com/locate/adhoc

EIBAS: An efficient identity-based broadcast authentication scheme in wireless sensor networks

Kyung-Ah Shim, Young-Ran Lee*, Cheol-Min Park
Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, KT Daeduk 2 Research Center, 463-1, Yuseong-gu, Daejeon, Republic of Korea

Article history: Received 26 May 2011; received in revised form 13 March 2012; accepted 29 April 2012; available online 23 May 2012.

Keywords: Identity-based system; Digital signature with message recovery; Broadcast authentication; Message integrity; Bilinear pairing

1570-8705/$ - see front matter © 2012 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.adhoc.2012.04.015

* Corresponding author. E-mail addresses: [email protected] (K.-A. Shim), [email protected] (Y.-R. Lee), [email protected] (C.-M. Park).

Abstract

In this paper, we propose an efficient identity-based broadcast authentication scheme, EIBAS, to achieve security requirements in wireless sensor networks. To minimize communication and computational costs, we use a pairing-optimal identity-based signature scheme with message recovery, where the original message of the signature is not required to be transmitted together with the signature, as it can be recovered according to the verification/message recovery process. The EIBAS scheme achieves a minimization of communication overhead, allowing the total energy consumption to be reduced by up to 48.5% compared to previous identity-based broadcast authentication schemes.

© 2012 Elsevier B.V. All rights reserved.

1. Introduction

Wireless sensor networks (WSNs) are rapidly emerging as an important new area in mobile computing research. These networks are typically characterized by a limited power supply, low bandwidth, small memory sizes, and limited energy use. WSNs consist of a large number of resource-constrained sensor nodes and a variable number of control nodes, called base stations. Sensor nodes have limited computational and wireless capabilities: a typical sensor node uses a microcontroller of 8 MHz with 4 KB of RAM and 128 KB of ROM, and incorporates an RF transceiver compliant with IEEE 802.15.4/ZigBee. On the other hand, the base station is a powerful trusted device that acts as an interface between the network user and the nodes. In particular, the base station relies on broadcast authentication to issue legitimate commands or queries to dispersed sensor nodes. Due to the open nature of the wireless channel, an adversary with a simple radio receiver/transmitter can easily eavesdrop on conversations, inject/modify packets and mount denial-of-service (DoS) attacks. To broadcast messages to multiple nodes in an authenticated manner, a broadcast authentication (BA) scheme is indispensable.

1.1. Related works

Most existing BA schemes are based on symmetric key cryptography. The μTESLA scheme [23] is well known for its ability to provide source authentication and message integrity by utilizing a one-way hash chain and loose time synchronization between a sender and receivers. However, it has limited scalability due to its unicast-based parameter distribution to add new receivers. Subsequently, the multi-level μTESLA [24] was proposed to enhance the scalability of the μTESLA scheme. Kwon and Hong [20] proposed the X-TESLA scheme, which significantly reduces unnecessary computation and buffer occupation. These TESLA-like schemes [23,24,9,25,20,6,8] are associated with large buffers due to the delayed authentication of the messages, which can easily lead to severe energy-depleting DoS attacks. The schemes based on symmetric key techniques are attractive in terms of their energy efficiency, but the secret key distribution problem between senders and receivers is the most serious obstacle.

On the other hand, BA schemes based on public key cryptography (PKC) [13,26,40,12] can eliminate this key distribution problem. One of the most suitable PKC primitives for a WSN, Elliptic Curve Cryptography (ECC), is widely thought of as the best balance in terms of speed, memory requirements and security level. The major benefit of ECC is the size of its key (160 bits against 1024 bits in RSA at an 80-bit security level [28]) and its speed. Considering both software and hardware configurations, ECC has shown improved performance results for 8-bit mote platforms. Recent works [39,13] have shown that many well-known PKC schemes are acceptable for sensor nodes: it was reported that on an Atmel ATmega 128 at 8 MHz, a 160-bit ECC point multiplication took only 0.81 s. However, the use of certificates in a Public Key Infrastructure (PKI) consumes substantial bandwidth and power due to the transmission and verification of public key certificates. Therefore, PKI is considered to be unsuitable for WSNs, although it can provide greatly simplified and stronger security solutions. Many studies have also demonstrated the efficiency of pairing-based cryptography (PBC), which plays an important role in realizing identity (ID)-based cryptosystems that alleviate the certificate overhead and solve the problems of PKI technology. TinyTate [30] took around 31 s to compute the Tate pairing at an RSA 512-bit security level using TinyECC [21] on the ATmega 128L. With NanoECC [37], the $\eta_T$ pairing and the Tate pairing at an RSA 1024-bit security level can be computed in 10.96 s and 17.93 s on the ATmega 128L, and in 5.25 s and 11.82 s on the MSP430. Ishiguro et al. [16] implemented the $\eta_T$ pairing over ternary fields in 5.79 s. By translating a critical part of the code into assembly language and then carefully manipulating registers, Szczechowiak et al. [36] computed the $\eta_T$ pairing in only 2.66 s, 1.71 s and 0.46 s on the ATmega 128L, the MSP430 and the PXA27x, respectively. Oliveira et al. [31] showed how short signatures from pairings by Boneh et al. [5] can be used to authenticate sensors in a WSN, and Galindo et al. [11] used TinyPBC to make explicit the benefits of using PBC to solve the key distribution problem in underwater WSNs. More recently, with TinyPBC [29], the $\eta_T$ pairing could be computed in 1.9 s, 1.27 s and 0.46 s on the ATmega 128L, the MSP430 and PXA27x platforms, respectively. The above results show that the speed of pairing computation on sensor nodes has increased by a factor of 5 over the past 3 years. Currently, a pairing can be computed in about 0.5 ms on an AMD Phenom II X4 940 at 3.0 GHz [1]. Furthermore, next-generation sensor nodes such as the Heliomote node [12,17] are expected to facilitate a continuous energy supply to nodes by deriving their power from solar sources. Therefore, we can expect wider acceptance of PBC for WSNs in the near future.

Recently, Ren et al. [34] proposed an ID-based BA scheme based on Hess's ID-based signature (IBS) scheme [14]. Although the broadcast message size can be reduced owing to the elimination of public key certificates for users, this scheme has very high computational overhead, as two pairing computations and a MapToPoint operation are required for each sensor node, where the MapToPoint function is used to map identity information onto a point on an elliptic curve. On the other hand, Ren et al. [33] presented a Bloom filter-based BA scheme that adopted a variant of ECDSA with partial message recovery. Their scheme is the first one using a signature scheme with message recovery to achieve a reduction of communication costs. More recently, Cao et al. [7] proposed a more efficient ID-based multi-user BA scheme, IMBAS, based on a pairing-free IBS scheme. The signature scheme requires neither a pairing computation nor the MapToPoint function for verification, while its resulting signature consists of two elements of the underlying group and a 160-bit hash value at an 80-bit security level. Compared to Ren et al.'s scheme, its verification efficiency is improved, but its signature length is about 30% longer.

1.2. Our contributions

A key challenge in this paper is to reduce the total length of the broadcast message, so as to minimize the total energy consumption. Considering the energy cost, communication overhead is heavier than computation overhead: rapid advances in computing have resulted in dramatic improvements in large number arithmetic computation, while communication latency has not improved appreciably. In this paper, we propose a more efficient ID-based BA scheme in WSNs. To improve the communication and signature verification costs, we use a pairing-optimal IBS scheme with message recovery that does not use a MapToPoint function. The MapToPoint function is inefficient and probabilistic, and while there has been much discussion regarding the construction of such a hash algorithm, no deterministic polynomial time algorithm has been proposed for it thus far. In fact, there exists a pairing-optimal IBS scheme that does not rely on a MapToPoint function: that proposed by Barreto et al. [4], which is a submission for IEEE P1363.3: Identity-Based Public Key Cryptography. Its resulting signature consists of a single element of the underlying group and a 160-bit hash value at an 80-bit security level. It is the shortest among IBS schemes. Our idea is to reduce the size of the transmitted message if we cannot reduce the signature length any further. To do this, we use the IBS scheme with message recovery proposed by Tso et al. [38], based on Barreto et al.'s IBS scheme [4], where the original message of the signature is not required to be transmitted together with the signature because it can be recovered according to the verification/message recovery process. Consequently, the minimum communication overhead is guaranteed in our scheme: the total length of the broadcast message can be reduced by 23% and 49% compared to the previous ID-based BA schemes [34,7], respectively. Thus, the total energy consumption of our scheme can be reduced by up to 48.5% compared to the scheme in [7].

1.3. Organization

The rest of this paper is organized as follows. In Section 2, we describe the building blocks for constructing a new ID-based BA scheme. Section 3 presents an efficient ID-based BA scheme, EIBAS, in WSNs. Security analysis and quantitative performance analysis of our scheme are given in Section 4. Concluding remarks are given in Section 5.


2. Building blocks

In this section, we describe the building blocks used to construct an efficient ID-based BA scheme intended for use in WSNs.

2.1. Elliptic curves and bilinear pairings

Let $E/\mathbb{F}_p$ be an elliptic curve $y^2 = x^3 + ax + b$ over a finite field $\mathbb{F}_p$ such that $4a^3 + 27b^2 \neq 0$ for some prime $p$. Let $E(\mathbb{F}_p)$ be the group of points formed by the points of this curve and an extra point $O$ called the point at infinity:

$E(\mathbb{F}_p) = \{(x, y) \mid x, y \in \mathbb{F}_p,\ (x, y) \in E\} \cup \{O\}$

We denote by $+$ the addition of the elliptic curve group: $P + Q \in E(\mathbb{F}_p)$ for $P, Q \in E(\mathbb{F}_p)$. Computing $kP = P + P + \cdots + P$ is called point multiplication for an integer $k$. The number of points of an elliptic curve $E(\mathbb{F}_p)$, denoted $\#E(\mathbb{F}_p)$, is called the order of the curve over the field $\mathbb{F}_p$. Let $q$ be a prime number with $q^2 \nmid \#E(\mathbb{F}_p)$. We denote by $G_1$ a $q$-order subgroup of $E(\mathbb{F}_p)$ and by $G_2$ a $q$-order subgroup of the multiplicative group of a finite field $\mathbb{F}_{p^k}^{*}$ for some number $k$. A pairing is a map $e : G_1 \times G_1 \to G_2$ with the following properties:

• Bilinear: For all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}^{*}$, $e(aP, bQ) = e(P, bQ)^a = e(aP, Q)^b = e(P, Q)^{ab}$.
• Non-degenerate: If $P$ is a generator of $G_1$, then $e(P, P)$ is also a generator of $G_2$.
• Computable: There is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

This pairing also has a symmetric property, $e(P, Q) = e(Q, P)$, and can be realized by the Tate pairing [2] or by the $\eta_T$ pairing [3]. There are pairings of a different type or setting, such as the Ate pairing [15]. We refer to [10] for details.

2.2. ID-based signature scheme with message recovery

In the traditional Public Key Infrastructure (PKI), when Bob wishes to send a message to Alice, he must first obtain her authenticated public key from public directories. The PKI enables users of a basically insecure public network such as the Internet to exchange data and money securely through the use of a public/private cryptographic key pair that is obtained from a trusted authority. The ID-based infrastructure makes deployment practical: it allows a user's public key to be easily derivable from her known identity information such as an email address [35]. The ID-based infrastructure involves users and a Private Key Generator (PKG) having a master public/secret key pair, with the PKG responsible for generating private keys for users. This eliminates the need for certificates as used in the PKI. Such cryptosystems alleviate the certificate overhead and solve the problems of PKI technology: certificate management including the storage, distribution and the computational cost of certificate verification. Barreto et al. [4] proposed a pairing-optimal IBS scheme based on the k-CAA problem using a general hash function such as SHA-1 instead of the MapToPoint function; it is a submission for IEEE P1363.3: Identity-Based Public Key Cryptography. IEEE P1363.3 is a new standard for Identity-Based Cryptography that was approved as a project of IEEE 1363 in 2006. IEEE P1363.3 covers ID-based cryptographic schemes based on the bilinear mappings over elliptic curves known as pairings. The resulting signature of Barreto et al.'s scheme consists of one element of the underlying group and a 160-bit hash value at an 80-bit security level. It requires only one pairing computation, a scalar multiplication and an exponentiation for verification. Their scheme runs as follows.

2.2.1. Barreto et al.’s ID-based signature scheme

Setup. Given a security parameter $k \in \mathbb{Z}$, this algorithm works as follows:

1. Generate a prime $q$, two groups $G_1$ and $G_2$ of order $q$ and a bilinear pairing $e : G_1 \times G_1 \to G_2$. Choose a generator $P$ in $G_1$.
2. Pick a random $s \in \mathbb{Z}_q^{*}$, set $P_{Pub} = sP$ and compute $g = e(P, P)$.
3. Choose two cryptographic hash functions $H : \{0,1\}^{*} \to \mathbb{Z}_q$ and $H_1 : \{0,1\}^{*} \to \mathbb{Z}_q$. The system parameters are $Params = \{q, G_1, G_2, e, P, P_{Pub}, g, H, H_1\}$.

Extract. For a given identity $ID \in \{0,1\}^{*}$, compute $q_{ID} = H(ID) \in \mathbb{Z}_q$ and set $S_{ID} = \frac{1}{s + q_{ID}} P$ as the private key of $ID$, where $s$ is the master secret.

Sign. Given a private key $S_{ID}$ and a message $m \in \{0,1\}^{*}$, choose a random $x \in \mathbb{Z}_q$, compute $r = g^x$, $h = H_1(m, r) \in \mathbb{Z}_q$ and $V = (x + h) \cdot S_{ID}$. Output the signature $\sigma = (h, V)$ on $m$ for $ID$.

Verify. Given a signature $\sigma = (h, V)$ on $m$ for an identity $ID$, compute $q_{ID} = H(ID) \in \mathbb{Z}_q$ and check whether $h = H_1(m,\ e(V, P_{Pub} + q_{ID}P) \cdot g^{-h})$ holds. If it holds, accept the signature.

A digital signature scheme with message recovery is a signature scheme in which the original message of the signature is not required to be transmitted together with the signature, as it can be recovered according to the verification/message recovery process. This is different from an authenticated encryption scheme or a signcryption scheme, as in this scheme the embedded message can be recovered by anyone without secret information. The purpose of this type of signature is to minimize the total length of the original message and the appended signature, making it useful in applications where bandwidth is a major concern. We describe Tso et al.'s IBS scheme [38] based on Barreto et al.'s scheme, which can deal only with messages of some fixed length, i.e., $m \in \{0,1\}^{l_1}$ for some fixed integer $l_1$.

2.2.2. Tso et al.'s ID-based signature scheme with message recovery

Setup. For a security parameter $k \in \mathbb{Z}$, output a random number $s \in \mathbb{Z}_q^{*}$ as the master secret key, and set $P_{Pub} = sP$ as the master public key. The public system parameters are

$Params = \{G_1, G_2, e, q, P, P_{Pub}, \mu, H, H_1, F_1, F_2, l_1, l_2\}$,

where $G_1$ and $G_2$ denote two cyclic groups of prime order $q$, $|q| = l_1 + l_2$, $e : G_1 \times G_1 \to G_2$ is a bilinear pairing, $\mu = e(P, P)$, and $H : \{0,1\}^{*} \to \mathbb{Z}_q^{*}$, $H_1 : G_2 \to \{0,1\}^{|q|}$, $F_1 : \{0,1\}^{l_1} \to \{0,1\}^{l_2}$, $F_2 : \{0,1\}^{l_2} \to \{0,1\}^{l_1}$ are cryptographic hash functions.

Extract. For a user's identity $ID \in \{0,1\}^{*}$, compute the user's private key as $S_{ID} = \frac{1}{H(ID) + s} P$.

Sign. Given a private key $S_{ID}$ and a message $m \in \{0,1\}^{l_1}$,

1. Pick $r_1 \in_R \mathbb{Z}_q^{*}$ and compute $\mu^{r_1}$ and $\alpha = H_1(\mu^{r_1}) \in \{0,1\}^{|q|}$.
2. Compute $\beta = F_1(m) \,\|\, (F_2(F_1(m)) \oplus m)$, $r_2 = [\alpha \oplus \beta]_{10}$ and $U = (r_1 + r_2) \cdot S_{ID}$, where $[x]_{10}$, ${}_{l_2}|\beta|$ and $|\beta|_{l_1}$ denote the decimal notation of $x \in \{0,1\}^{*}$, the first $l_2$ bits of $\beta$ from the left side, and the first $l_1$ bits of $\beta$ from the right side, respectively. The notation $a \| b$ denotes the concatenation of two strings $a$ and $b$.

Then $\sigma = (r_2, U)$ is a signature on $m$ for $ID$.

Verify. Given a signature $\sigma = (r_2, U)$ on a message $m$ for an identity $ID$,

1. Compute $\tilde{\alpha} = H_1(e(U, P_{Pub} + H(ID)P) \cdot \mu^{-r_2})$ and $\tilde{\beta} = [r_2]_2 \oplus \tilde{\alpha}$, where $[x]_2$ denotes the binary notation of $x \in \mathbb{Z}$.
2. Recover the message $\tilde{m} = |\tilde{\beta}|_{l_1} \oplus F_2({}_{l_2}|\tilde{\beta}|)$.
3. Output 1 and accept $\sigma$ as a valid signature of the message $m = \tilde{m}$ if and only if ${}_{l_2}|\tilde{\beta}| = F_1(\tilde{m})$.

In Barreto et al.'s scheme, the transmitted data consist of a signature $\sigma = (h, V)$, an identity $ID$, and a message $m$. The corresponding length is 88 bytes, assuming the sizes of the message and the identity are 20 and 2 bytes, respectively. The total length of transmitted data in Tso et al.'s scheme is 68 bytes, because the original message $m$ is not transmitted.

3. EIBAS: An efficient ID-based broadcast authentication scheme in WSNs

Here, we construct an efficient ID-based BA scheme, EIBAS, based on Tso et al.'s IBS scheme with message recovery.

3.1. System model and design goals

The network consists of a fixed sink, network users and a large number of resource-limited sensor motes. There exists one sink in the WSN, which is assumed to be always trustworthy. The sink, which serves as a Private Key Generator (PKG), is responsible for generating the private keys for users. The sink also has sufficient storage capacity. The WSN aims to offer information services to many network users that roam the network. The network users may include vehicles and people with mobile clients; they are assumed to be more powerful than sensor nodes in terms of their computation and communication abilities. The users can join the WSN dynamically, and they may be revoked due to either membership changes or compromises. Each network user is equipped with a tamper-proof device which prevents an adversary from extracting any data stored in the device, including the private key, the data, and the code [18,19]. The users also store their own private keys corresponding to their identities in the device, which is responsible for signing outgoing messages. The sink broadcasts administrative commands and publishes the user revocation list. For example, in the case of CodeBlue [22], the network users include emergency medical technicians (EMTs) equipped with PDAs, and the sensor devices may be vital sign sensors and location-tracking tags. The sensors deployed in the network have computational, memory, communication, and energy resources similar to current-generation sensor nodes (e.g., MICA2 motes). An adversary can execute a wide range of attacks including eavesdropping, modification, forgery, or replay attacks.

We aimed to design a scheme that satisfies the following security and performance requirements: (i) User authentication and message integrity: all messages broadcast by the network users of the WSN should be authenticated so that bogus messages inserted by illegitimate users and/or compromised sensor nodes can efficiently be rejected/filtered. (ii) Minimization of communication overhead: we focus on minimizing the communication overhead, so as to ensure minimal energy consumption compared to previous ID-based BA schemes.

3.2. Our construction: EIBAS

Our EIBAS scheme consists of four phases: System Initialization, Private Key Extraction, Signature Generation and Message Broadcast, and Broadcast Authentication (Signature Verification).

System Initialization. Prior to the deployment of the WSN, the sink generates the system parameters as follows:

1. Given a security parameter $k \in \mathbb{Z}^{+}$, generate a prime $q$, two groups $G_1, G_2$ of order $q$, a generator $P \in G_1$, and a bilinear pairing $e : G_1 \times G_1 \to G_2$.
2. Choose a random $s \in_R \mathbb{Z}_q^{*}$, and set $P_{Pub} = sP$ as the master public key; $s$ is the master secret. Compute $e(P, P)^{-1}$ and set $\mu = e(P, P)^{-1}$.
3. Choose four cryptographic hash functions $H : \{0,1\}^{*} \to \mathbb{Z}_q^{*}$, $H_1 : \{0,1\}^{*} \to \{0,1\}^{l_1 + l_2}$, $F_1 : \{0,1\}^{l_1} \to \{0,1\}^{l_2}$ and $F_2 : \{0,1\}^{l_2} \to \{0,1\}^{l_1}$, where $|q| = l_1 + l_2$. In Section 4, we will set $|q| = 252$ bits, $l_1 = 160$ bits and $l_2 = 92$ bits for implementation.
4. The system parameters are $Params = \{G_1, G_2, e, q, P, P_{Pub}, \mu, H, H_1, F_1, F_2, l_1, l_2\}$.

These public system parameters, $Params$, are preloaded in each sensor node of the WSN.

Private Key Extraction. If a user with an identity $ID_i \in \{0,1\}^{*}$ wants to join the WSN, it has to obtain its private key generated by the sink. When the user requests its private key, the sink computes the user's private key as $SK_i = \frac{1}{H(ID_i) + s} P$ corresponding to $ID_i$. Note that $ID_i$'s public key required during the verification process is $P_{Pub} + H(ID_i)P$. The sink sends the private key $SK_i$ to the user via a secure channel and the user stores it in its tamper-proof device.

Signature Generation and Message Broadcast. When a user wants to broadcast a message to the WSN, it signs the message using the IBS scheme with message recovery of Tso et al. [38]. To sign a message $M \in \{0,1\}^{l_1}$, the network user with a private key $SK_i$ corresponding to $ID_i$ completes the following steps:

1. Pick a current timestamp $tt_i$.
2. Choose $r_1 \in_R \mathbb{Z}_q^{*}$, and compute $\mu^{r_1}$ and $\alpha = H_1(ID_i, tt_i, \mu^{r_1}) \in \{0,1\}^{l_1 + l_2}$.
3. Compute $\beta = F_1(M) \,\|\, (F_2(F_1(M)) \oplus M)$, $r_2 = [\alpha \oplus \beta]_{10}$ and $U = (r_1 + r_2) SK_i$. Then $\sigma_i = (r_2, U)$ is a signature on $M$ for $ID_i$.

The user then broadcasts $\langle ID_i, tt_i, \sigma_i \rangle$ in the WSN, where $ID_i$ and $tt_i$ are taken to be two bytes each. For the use of the timestamp $tt_i$, we adopt the time synchronization technique as in the μTESLA-like scheme [32].

Broadcast Authentication (Signature Verification). Upon receiving $\langle ID_i, tt_i, \sigma_i \rangle$, each sensor node verifies its authenticity. It first checks whether the timestamp $tt_i$ is valid. Assuming that $\delta$ is the predefined message propagation time limit, we should have $tt - tt_i \le \delta$. Then, for the sender's identity $ID_i$, the sensor node looks up the revocation list in its local storage to determine whether a corresponding entry exists. If it exists, the broadcast message is discarded, as it was generated by a network user with a revoked $ID_i$. If $tt_i$ is fresh and $ID_i$ is not in the revocation list, the sensor node proceeds with the following signature verification:

1. Compute $\tilde{\alpha} = H_1(ID_i, tt_i, e(U, H(ID_i)P + P_{Pub}) \cdot \mu^{r_2})$ and $\tilde{\beta} = [r_2]_2 \oplus \tilde{\alpha}$.
2. Recover the message $\tilde{M} = |\tilde{\beta}|_{l_1} \oplus F_2({}_{l_2}|\tilde{\beta}|)$ and accept $\sigma_i$ as a valid signature of the broadcast message $\tilde{M}\ (= M)$ if and only if ${}_{l_2}|\tilde{\beta}| = F_1(\tilde{M})$.

If this verification process fails, the sensor node discards the message. Otherwise, the authenticity of the received message is guaranteed. Signature verification in this phase requires only one pairing computation, a scalar multiplication in $G_1$, and an exponentiation in $G_2$.
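The following Python example is added here and is not part of the paper; it works through the message-recovery encoding of signing step 3 and verification steps 1 and 2 above, preceded by the timestamp and revocation checks, with $|q| = 252$, $l_1 = 160$ and $l_2 = 92$ as in Section 4. It assumes SHA-256-based stand-ins for $H_1$, $F_1$ and $F_2$ and does not compute the pairing: the value $\mu^{r_1}$ that a verifier would recompute from $U$ is replaced by a constructed byte string shared by both sides, so the scalar $U$ is omitted and only the encoding, recovery and $F_1$ redundancy check are exercised.

```python
import hashlib

# Parameters chosen in Section 4 of the paper: |q| = l1 + l2 = 252 bits.
L1 = 160          # message length in bits
L2 = 92           # redundancy (F1 tag) length in bits
Q_BITS = L1 + L2

# Constructed stand-in for the pairing value mu^{r1}; in the real scheme the
# signer computes it and the verifier recovers it from U and r2 via the pairing.
PAIRING_VALUE = hashlib.sha256(b"constructed stand-in for mu^r1").digest()
# Constructed 20-byte (160-bit) sample message.
SAMPLE_MESSAGE = int.from_bytes(b"temp=21.5C;node=7;ok", "big")


def _hash_bits(tag: bytes, data: bytes, nbits: int) -> int:
    """Domain-separated SHA-256 truncated to nbits; stand-in for H1, F1, F2."""
    digest = hashlib.sha256(tag + data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def f1(m: int) -> int:
    """F1: {0,1}^l1 -> {0,1}^l2, the redundancy tag placed left of the message."""
    return _hash_bits(b"F1", m.to_bytes(L1 // 8, "big"), L2)


def f2(tag: int) -> int:
    """F2: {0,1}^l2 -> {0,1}^l1, the mask derived from the redundancy tag."""
    return _hash_bits(b"F2", tag.to_bytes((L2 + 7) // 8, "big"), L1)


def h1(identity: bytes, timestamp: int, pairing_value: bytes) -> int:
    """H1: (ID_i, tt_i, mu^{r1}) -> alpha in {0,1}^{l1+l2}."""
    data = identity + timestamp.to_bytes(2, "big") + pairing_value
    return _hash_bits(b"H1", data, Q_BITS)


def encode_r2(alpha: int, message: int) -> int:
    """Signer step 3: beta = F1(M) || (F2(F1(M)) xor M); r2 = [alpha xor beta]_10."""
    if not 0 <= message < (1 << L1):
        raise ValueError("M must be an l1-bit string")
    tag = f1(message)
    beta = (tag << L1) | (f2(tag) ^ message)   # left l2 bits: tag; right l1 bits: masked M
    return alpha ^ beta


def recover(alpha_tilde: int, r2: int):
    """Verifier steps 1-2: beta~ = [r2]_2 xor alpha~, M~ = |beta~|_l1 xor F2(l2|beta~|);
    accept iff l2|beta~| == F1(M~).  Returns (M~, accepted)."""
    beta = r2 ^ alpha_tilde
    left = beta >> L1                 # first l2 bits from the left
    right = beta & ((1 << L1) - 1)    # first l1 bits from the right
    m_tilde = right ^ f2(left)
    return m_tilde, left == f1(m_tilde)


def sign_packet(identity: bytes, timestamp: int, message: int, pairing_value: bytes):
    """Signer: returns <ID_i, tt_i, r2>.  U = (r1 + r2) SK_i is omitted because the
    group arithmetic is not modelled here."""
    alpha = h1(identity, timestamp, pairing_value)
    return identity, timestamp, encode_r2(alpha, message)


def verify_broadcast(packet, pairing_value: bytes, now: int, delta: int, revoked):
    """Node side, in the paper's order: timestamp freshness, revocation list, then
    message recovery with the F1 redundancy check.  Returns (M~ or None, status)."""
    identity, timestamp, r2 = packet
    if not 0 <= now - timestamp <= delta:      # tt - tt_i <= delta
        return None, "stale timestamp"
    if identity in revoked:
        return None, "revoked identity"
    alpha_tilde = h1(identity, timestamp, pairing_value)
    m_tilde, ok = recover(alpha_tilde, r2)
    if not ok:
        return None, "redundancy check failed"
    return m_tilde, "accepted"


if __name__ == "__main__":
    node_id = b"\x00\x07"                       # constructed 2-byte identity
    pkt = sign_packet(node_id, 1000, SAMPLE_MESSAGE, PAIRING_VALUE)
    print("r2 bit length:", pkt[2].bit_length(), "(at most 252)")
    print(verify_broadcast(pkt, PAIRING_VALUE, 1001, 5, set()))
    tampered = (pkt[0], pkt[1], pkt[2] ^ (1 << 5))   # flip one bit of r2 in transit
    print(verify_broadcast(tampered, PAIRING_VALUE, 1001, 5, set()))
```

In the scheme itself the verifier obtains the pairing value as $e(U, H(ID_i)P + P_{Pub}) \cdot \mu^{r_2}$ rather than from a shared constant, so the same redundancy check also binds $U$; here it only shows that any change to $r_2$, the identity or the timestamp breaks recovery.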

3.3. Security analysis

We present the security analysis of the EIBAS scheme.

• Source authentication and message integrity. We employ Tso et al.'s IBS scheme with message recovery [38] to guarantee the authenticity of broadcast messages. Because the underlying signature scheme is existentially unforgeable under adaptive chosen-message and adaptive chosen-identity attacks in the random oracle model under the computational Diffie–Hellman assumption, source authentication and message integrity are guaranteed in our scheme. Therefore, it is impossible for an adversary to sign or modify a valid message broadcast by a legitimate network user.

• DoS attack. A DoS attack is an event that weakens or reduces the network's capacity to carry out its expected function. Unlike TESLA-like schemes, our scheme does not require delayed authentication of the broadcast messages, so each sensor node need not buffer received packets. More specifically, when an adversary floods the whole network arbitrarily, the adversary can inject bogus broadcast packets to force sensor nodes to perform expensive signature verifications, and eventually deplete the sensor's battery. However, such attacks can be mitigated in our scheme by limiting the number of signature verification failures.

• User revocation. In our scheme, if a user's identity $ID_i$ is revoked, the revoked $ID_i$ must be broadcast to the sensor nodes immediately, after which they store only the revoked identity. In the schemes based on PKC, the sensor nodes have to store a certificate revocation list (CRL) containing the revoked users' certificates. Hence, as the number of revoked users increases unceasingly as time passes, such schemes incur a considerable amount of storage overhead. If we assume that a user certificate is at least 86 bytes as in [39], only 58 users can be supported for a given storage limit of 5 KB. In our scheme, 2500 network users are supported for the same storage limit, as each sensor node stores only revoked users' identities and the size of $ID_i$ is required to be 2 bytes.

4. Quantitative performance analysis

In this section, we evaluate the performance of our scheme in terms of communication overhead and energy consumption on the MICA2 mote. We also give a quantitative analysis of our scheme compared to previous ID-based BA schemes.

We show how the total broadcast message size affects the energy consumption during communication in a WSN. We investigate energy consumption as a function of the size of the WSN (denoted as $W$). Before this estimation, we compare EIBAS with IDBAS [34] and IMBAS [7] in terms of the signature size and the computational cost of the signing and verification process. This is shown in Table 1. We assume that each sensor node stores all of the current users' identities and their corresponding public keys, $\langle ID_i, P_{Pub} + H(ID_i)P \rangle$, which are preloaded in the storage of each sensor node during the system initialization phase. In Table 1, P, SM, E, M, H, MH and SR represent a pairing computation, a scalar multiplication in $G_1$, an exponentiation in $G_2$, a multiplication in $G_2$, a computation of a hash, a computation of the MapToPoint function, and a square root, respectively. Also, $|p|$ and $|q|$ denote the bit sizes of an element of the subgroup and of the subgroup order of the underlying supersingular curve, respectively.

Table 1. Performance evaluation of three broadcast authentication schemes.

Scheme        Signature size        Sign                    Verify
IMBAS [7]     2|p| + 2|q| + 192     1SM + 1H                3SM + 2H
IDBAS [34]    |p| + |q| + 192       1MH + 3SM + 1E + 1H     2P + 1H + 1MH + 1M + 1E + 1SR
EIBAS         |p| + |q| + 32        1E + 3H + 1SM           1P + 1E + 1M + 3H + 1SR

The IDBAS and EIBAS schemes require pairing-friendly curves, which are elliptic curves with small embedding degrees. We use the $\eta_T$ pairing defined on a subgroup of 252-bit prime order of the supersingular curve $y^2 + y = x^3 + x$ over $\mathbb{F}_{2^{271}}$ with an embedding degree of 4 [29]. The pairing on this subgroup is the fastest on the MICA2 mote up to now, because the group order has a low Hamming weight, there is an efficient formula to compute $2P$ for $P \in E(\mathbb{F}_p)$, and squaring of field elements is cheap. However, this curve has no subgroup with a prime order close to 160 bits when considering an 80-bit security level. On this curve, a square root can be computed at a cost similar to one squaring. Hence, when one sends a point $Q = (x, y)$ of the elliptic curve, it can send only the x-coordinate of $Q$, and the receiver can obtain the y-coordinate by computing a square root, in order to reduce the communication overhead. In fact, to reduce signature size, it is more suitable to use an MNT curve or a supersingular curve with an embedding degree of 6. However, the pairing computation time on these curves is much slower than on the above supersingular curve: the pairing computation on the MNT curve [36] is nearly four times slower than that on the supersingular curve [29]. Therefore, the above supersingular curve is more competitive in terms of the overall energy cost. We assume that the sizes of a message (M), an identity (ID) and the current timestamp (tt) in IDBAS, IMBAS and EIBAS are 20, 2, and 2 bytes, respectively. In IMBAS, the resulting signature size is 83 bytes because it comprises one elliptic curve point over $\mathbb{F}_p$ and two integers from $\mathbb{Z}_q$, where the sizes of $p$ and $q$ are 168 and 166 bits, respectively. For comparison, we implement a scalar multiplication, an exponentiation, and the $\eta_T$ pairing on the following curves:

- The IMBAS scheme: ECC secp160r1 and ECC secp224r1 [28].
- The IDBAS and EIBAS schemes: the supersingular curve $y^2 + y = x^3 + x$ over $\mathbb{F}_{2^{271}}$ [29].
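The x-only transmission described above, worked through as an added example (this is not the paper's code). Over a binary field, recovering y from x on $y^2 + y = x^3 + x$ means solving the quadratic $y^2 + y = c$ with $c = x^3 + x$; for odd extension degree this is done with the half-trace, which costs only a sequence of squarings and is the cheap step the text calls a square root. The two solutions are y and y + 1, so one extra bit selects between them. The field is $\mathbb{F}_{2^{163}}$ with the NIST B-163 reduction polynomial, an assumption made because the text does not give the reduction polynomial for $\mathbb{F}_{2^{271}}$; the recovery step is identical for any odd degree. The receiver-side rejection of an x that is not the abscissa of any point (trace of c equal to 1) is the validation a verifier must perform before using a decompressed point.

```python
"""Point compression on y^2 + y = x^3 + x over F_{2^m} (added example, not the paper's code).

Field elements are Python ints whose bit i is the coefficient of t^i. The field is
F_{2^163} with the NIST B-163 polynomial t^163 + t^7 + t^6 + t^3 + 1 (assumption:
the paper's F_{2^271} polynomial is not given in the text; any odd m works the same).
"""
from __future__ import annotations

M = 163
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1


def gf_mul(a: int, b: int) -> int:
    """Multiply in F_{2^M}: shift-and-add, reducing by POLY whenever bit M appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r


def gf_sqr(a: int) -> int:
    return gf_mul(a, a)


def trace(c: int) -> int:
    """Tr(c) = c + c^2 + ... + c^(2^(M-1)); the result is the field element 0 or 1."""
    t = c
    for _ in range(M - 1):
        t = gf_sqr(t) ^ c
    return t


def half_trace(c: int) -> int:
    """H(c) = sum_{i=0}^{(M-1)/2} c^(2^(2i)); for odd M, H(c)^2 + H(c) = c + Tr(c)."""
    h = c
    for _ in range((M - 1) // 2):
        h = gf_sqr(gf_sqr(h)) ^ c
    return h


def solve_quadratic(c: int) -> int:
    """Return y with y^2 + y = c, or raise when no solution exists (Tr(c) = 1)."""
    if trace(c):
        raise ValueError("y^2 + y = c has no solution in the field: Tr(c) = 1")
    return half_trace(c)


def curve_rhs(x: int) -> int:
    return gf_mul(gf_sqr(x), x) ^ x  # x^3 + x


def on_curve(x: int, y: int) -> bool:
    return gf_sqr(y) ^ y == curve_rhs(x)


def compress(x: int, y: int) -> tuple[int, int]:
    """Sender side: x plus one bit. The roots y and y + 1 differ exactly in bit 0."""
    if not on_curve(x, y):
        raise ValueError("not a point on the curve")
    return x, y & 1


def decompress(x: int, y_bit: int) -> tuple[int, int]:
    """Receiver side: recover y from x, rejecting an x that is not an abscissa."""
    y = solve_quadratic(curve_rhs(x))
    if (y & 1) != y_bit:
        y ^= 1
    return x, y


def find_point(start: int) -> tuple[int, int]:
    """First x >= start that has a corresponding y; used to build a constructed test point."""
    x = start
    while trace(curve_rhs(x)):
        x += 1
    return x, half_trace(curve_rhs(x))


if __name__ == "__main__":
    x, y = find_point(3)          # constructed sample point
    cx, bit = compress(x, y)
    assert decompress(cx, bit) == (x, y)
    print(f"x = {x:#x}, y = {y:#x}; sent as (x, {bit}); round trip OK")
```

On the 271-bit curve the same recovery would be run with that field's reduction polynomial; the Hamming-weight and cost arguments of the text concern the pairing, not this step, which stays at roughly (m - 1) squarings.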

Because we use the supersingular curve with a subgroup of 252-bit prime order to implement our scheme, we also consider IMBAS implemented on ECC secp224r1 to balance the security level. For the IDBAS and EIBAS schemes on the supersingular curve over $\mathbb{F}_{2^{271}}$ with the subgroup $G_1$ of 252-bit prime order, the total broadcast message sizes are 90 bytes including (M, ID, tt) and 70 bytes including (ID, tt), respectively, as follows ($|\sigma|$ denotes the signature size):

- IMBAS: $|\sigma| + |ID| + |tt| + |M| = 83 + 2 + 2 + 20 = 107$ bytes at the 80-bit level, and $112 + 2 + 2 + 20 = 136$ bytes at the 112-bit level.
- IDBAS: $|\sigma| + |h(M \| tt \| h)| + |ID| + |tt| + |M| = 34 + 32 + 2 + 2 + 20 = 90$ bytes.
- EIBAS: $|\sigma| + |ID| + |tt| = 66 + 2 + 2 = 70$ bytes.

In the IDBAS and EIBAS schemes the total broadcast message size at an 80-bit security level is the same as at a 112-bit security level, because the same 252-bit-order subgroup is used for both. The total broadcast message size of our scheme is reduced by about 30% and 22.3% compared to IMBAS and IDBAS, respectively. We now investigate energy consumption as a function of N and W, where N is the number of neighbor nodes of one sensor and W is the size of the network. Table 2 shows the energy consumption of the communication and computational processes. We follow the packet format and hop-wise energy model of [7]: a packet size of 128 bytes, and costs of 52.2 μJ and 19.3 μJ to transmit and receive one byte, respectively. EIBAS puts 70 + 31 = 101 bytes on the air per transmission, so its energy consumption when transmitting and when receiving is 101 × 52.2 μJ ≈ 5.3 mJ and 101 × 19.3 μJ ≈ 1.9 mJ, respectively. (The 107- and 136-byte IMBAS messages do not fit into one 128-byte packet together with the 31-byte overhead, so they incur it twice: 107 + 2 × 31 = 169 and 136 + 2 × 31 = 198 bytes.) We also assume that the supply voltage of MICA2 is 3.0 V and that the current draw in active mode is 8 mA [27]. In our setting, each sensor node receives the broadcast message $\langle ID_i, tt_i, \sigma_i \rangle$ from its N surrounding nodes and then retransmits it to other nodes if the verification succeeds; that is, every sensor node is a receiver and a sender at the same time. Because the transmitting current draw (27 mA) is much higher than the receiving one (10 mA), a longer message is costly for the node: the longer the total broadcast message, the more energy its retransmission consumes. For this reason EIBAS, which needs the shortest packet of the three schemes, saves the energy spent retransmitting the message. The comparison is given in Table 2. The most time-consuming operations during broadcast authentication are a scalar multiplication, an exponentiation and a pairing. A point multiplication on the supersingular curve requires 0.81 s [13] and the $\eta_T$ pairing computation [29] takes 1.9 s on MICA2. In the signing of EIBAS we can compute $U = [r_1 + h(r_2)] \cdot SK_i$ with the SHA-1 hash function h and verify it by computing $\mu^{h(r_2)}$; therefore the exponent used in the $G_2$ exponentiation can be taken to be 160 bits long at an 80-bit security level. At a 112-bit security level we do not apply the hash function and take $r_2$ to be 252 bits long. We assume that a squaring costs about one tenth of a multiplication and that a multiplication in the extension field $\mathbb{F}_{2^{4 \cdot 271}}$ costs about six times one in the base field $\mathbb{F}_{2^{271}}$ [29]. Because an exponentiation in $G_2$ takes on average $|G_2|$ squarings and $|G_2|/2$ multiplications, where $|G_2|$ is the exponent length in bits, we can estimate the cost of an exponentiation in the extension field as

$$|G_2|\,(S + M/2) = |G_2|\,(M/10 + M/2) = 160 \cdot (0.6\,M) = 160 \cdot (0.6 \cdot 6\,M_B),$$

where S, M and $M_B$ are the times for a squaring, a multiplication in the extension field, and a multiplication in the base field, respectively.

Since $M_B$ requires 11,727 cycles and a pairing computation takes $14 \times 10^6$ cycles (1.9 s) [29], we estimate that an exponentiation in the extension field $\mathbb{F}_{2^{4 \cdot 271}}$ takes about 0.9 s ($160 \cdot 3.6 \cdot 11{,}727 \approx 6.75 \times 10^6$ cycles). We neglect the cost of the other operations because they are much smaller than these three. EIBAS requires one pairing and one exponentiation to verify a signature, so the resulting energy consumption is 3.0 V × 8.0 mA × (1.9 + 0.9) s = 67.2 mJ. To broadcast a message to the entire WSN, every sensor node must retransmit the message at least once and receive it N times. Hence the total energy consumption per node for one broadcast in EIBAS is 72.5 + 1.9N mJ at an 80-bit security level. In the same way we estimate the total energy cost of EIBAS and of the other schemes at a 112-bit security level. These results are summarized in Table 2, where Trans., Comm. and Comp. abbreviate transmission, communication and computation, respectively.

Table 2. Energy consumption of three broadcast authentication schemes (N: number of neighbor nodes of one sensor; W: network size).

Scheme       Security level (bit)   Trans. overhead (byte)   Power for comm. (mJ) (1)   Comp. time (s)   Power for comp. (mJ) (2)   Total W × {(1) + (2)} (mJ)
IMBAS [7]    80                     169                      8.8 + 3.3 × N              2.4              58.3                       W × (67.1 + 3.3 × N)
             112                    198                      10.3 + 3.8 × N             6.6              157.7                      W × (168.0 + 3.8 × N)
IDBAS [34]   80                     121                      6.3 + 2.3 × N              4.7              112.8                      W × (119.1 + 2.3 × N)
             112                    121                      6.3 + 2.3 × N              5.3              127.2                      W × (133.5 + 2.3 × N)
EIBAS        80                     101                      5.3 + 1.9 × N              2.8              67.2                       W × (72.5 + 1.9 × N)
             112                    101                      5.3 + 1.9 × N              3.4              81.6                       W × (86.9 + 1.9 × N)

Figs. 1 and 2 plot the total broadcast energy consumption as a function of the network size W, assuming N = 20. From Figs. 1 and 2, the total energy cost of the EIBAS scheme is reduced by about 32.8% and 15.8% compared to the IDBAS and IMBAS schemes at an 80-bit security level. At a 112-bit security level, the total energy cost of the EIBAS scheme is reduced by about 30.2% and 48.5% compared to the IDBAS and IMBAS schemes, respectively.

[Fig. 1. Overall energy consumption on three schemes at an 80-bit security level. Line plot of overall energy consumption on broadcast authentication (J), 0 to 2500, against W (network size), 0 to 12,500, for IMBAS, IDBAS and EIBAS.]

[Fig. 2. Overall energy consumption on three schemes at a 112-bit security level. Line plot of overall energy consumption on broadcast authentication (J), 0 to 3500, against W (network size), 0 to 12,500, for IMBAS, IDBAS and EIBAS.]
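The energy model of this section, reproduced as an added worked example (not the paper's code) so that Table 2 can be regenerated from the stated inputs and its rounding checked. Two assumptions are made: a per-packet overhead of 31 bytes, and the rule that a message which does not fit with that overhead into a 128-byte packet is sent as two packets; together they reconcile the text's 70 + 31 = 101 bytes with the 169- and 198-byte IMBAS rows. Verification times are rounded to 0.1 s before being multiplied by 24 mW, as 67.2 mJ = 24 mW × 2.8 s indicates; with that, the 80-bit rows and the 32.8% and 15.8% reductions at N = 20 come out exactly. For a 252-bit exponent the cycle model gives about 1.44 s, whereas the 112-bit rows of Table 2 correspond to 1.5 s, so those rows are not reproduced here.

```python
"""Energy model behind Table 2 (added example, not the paper's code).

Constants are the ones stated in the text. PACKET_OVERHEAD and the fragmentation
rule in packets_needed() are assumptions (see the lead-in above).
"""
from __future__ import annotations

import math

PACKET_BYTES = 128        # packet size used in [7]
PACKET_OVERHEAD = 31      # assumed per-packet header, bytes (70 + 31 = 101 in the text)
TX_UJ_PER_BYTE = 52.2     # energy to transmit one byte, uJ
RX_UJ_PER_BYTE = 19.3     # energy to receive one byte, uJ
VOLTAGE = 3.0             # MICA2 supply, V [27]
ACTIVE_MA = 8.0           # current draw in active mode, mA [27]
PAIRING_S = 1.9           # eta_T pairing on MICA2, s [29]
PAIRING_CYCLES = 14e6     # the same pairing in cycles [29]
BASE_MUL_CYCLES = 11_727  # one multiplication in F_{2^271}, cycles [29]
SCALAR_MULT_S = 0.81      # one point multiplication, s [13]


def packets_needed(message_bytes: int) -> int:
    """Packets a message occupies when each carries PACKET_BYTES - PACKET_OVERHEAD payload."""
    return max(1, math.ceil(message_bytes / (PACKET_BYTES - PACKET_OVERHEAD)))


def transmitted_bytes(message_bytes: int) -> int:
    """Bytes on the air: message plus PACKET_OVERHEAD per packet."""
    return message_bytes + packets_needed(message_bytes) * PACKET_OVERHEAD


def comm_energy_mj(message_bytes: int) -> tuple[float, float]:
    """(energy to transmit once, energy to receive once), both in mJ."""
    wire = transmitted_bytes(message_bytes)
    return wire * TX_UJ_PER_BYTE / 1000.0, wire * RX_UJ_PER_BYTE / 1000.0


def exp_time_s(exponent_bits: int) -> float:
    """Exponentiation in G2 = F_{2^(4*271)}: |G2| squarings plus |G2|/2 multiplications,
    with S = M/10 and M = 6 M_B, converted to seconds via the pairing's cycle count."""
    ext_field_mults = exponent_bits * (1 / 10 + 1 / 2)   # |G2| * 0.6 M
    cycles = ext_field_mults * 6 * BASE_MUL_CYCLES        # M = 6 M_B
    clock_hz = PAIRING_CYCLES / PAIRING_S                 # 14e6 cycles == 1.9 s
    return cycles / clock_hz


def comp_energy_mj(seconds: float) -> float:
    """E = V * I * t with 3.0 V * 8 mA = 24 mW, in mJ."""
    return VOLTAGE * ACTIVE_MA * seconds


def per_node_energy_mj(message_bytes: int, verify_s: float) -> tuple[float, float]:
    """Energy of one broadcast at one node as (fixed, per_neighbor):
    one retransmission plus one verification, and one reception per neighbor."""
    tx, rx = comm_energy_mj(message_bytes)
    return tx + comp_energy_mj(verify_s), rx


def network_energy_mj(message_bytes: int, verify_s: float, n_neighbors: int, w_nodes: int) -> float:
    """W * {(1) + (2)} of Table 2 for a given N and W."""
    fixed, per_nb = per_node_energy_mj(message_bytes, verify_s)
    return w_nodes * (fixed + n_neighbors * per_nb)


def reduction_pct(msg_a: int, verify_a: float, msg_b: int, verify_b: float, n_neighbors: int = 20) -> float:
    """Percentage by which scheme A's total energy lies below scheme B's (W cancels)."""
    a = network_energy_mj(msg_a, verify_a, n_neighbors, 1)
    b = network_energy_mj(msg_b, verify_b, n_neighbors, 1)
    return 100.0 * (1 - a / b)


# 80-bit rows: (message bytes, verification time in s). Times are rounded to 0.1 s
# before forming the energy figure, as Table 2's 67.2 mJ = 24 mW * 2.8 s indicates.
SCHEMES_80 = {
    "IMBAS": (107, 3 * SCALAR_MULT_S),                         # 3SM on secp160r1
    "IDBAS": (90, round(2 * PAIRING_S + exp_time_s(160), 1)),  # 2P + 1E
    "EIBAS": (70, round(PAIRING_S + exp_time_s(160), 1)),      # 1P + 1E
}

if __name__ == "__main__":
    for name, (msg, t) in SCHEMES_80.items():
        fixed, per_nb = per_node_energy_mj(msg, t)
        print(f"{name}: {transmitted_bytes(msg)} B on air, verify {t:.1f} s, "
              f"W x ({fixed:.1f} + {per_nb:.1f} N) mJ")
    print("EIBAS vs IDBAS at N=20:", round(reduction_pct(70, 2.8, 90, 4.7), 1), "%")
    print("EIBAS vs IMBAS at N=20:", round(reduction_pct(70, 2.8, 107, 3 * SCALAR_MULT_S), 1), "%")
```

Because W multiplies the whole bracket, the percentage reductions are independent of the network size and depend only on N; the figures' curves are straight lines through the origin whose slopes are the bracketed terms.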

5. Conclusion

In this paper, we propose an efficient ID-based broadcast authentication scheme, EIBAS, to achieve the security requirements of wireless sensor networks. To minimize communication and computational costs, we use a pairing-optimal ID-based signature scheme with message recovery, in which the original message need not be transmitted together with the signature, as it can be recovered during the verification/message recovery process. The EIBAS scheme requires the shortest broadcast message size among all existing ID-based BA schemes, so that the total energy consumption can be reduced by up to 48.5% compared to other schemes.

Acknowledgements

This research was supported by the National Institute for Mathematical Sciences (NIMS) grant funded by the Korea government (B21203).

References

[1] D.F. Aranha, K. Karabina, P. Longa, C.H. Gebotys, J. Lopez, Faster explicit formulas for computing pairings over ordinary curves, in: Proceedings of Eurocrypt'11, LNCS 6632, Springer-Verlag, 2011, pp. 48–68.

[2] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, M. Scott, Efficient algorithms for pairing-based cryptosystems, in: Proceedings of Crypto'02, LNCS 2442, Springer-Verlag, 2002, pp. 354–368.

[3] P.S.L.M. Barreto, S. Galbraith, C. Ó hÉigeartaigh, M. Scott, Efficient pairing computation on supersingular abelian varieties, Designs, Codes and Cryptography 42 (3) (2007) 239–271.

[4] P.S.L.M. Barreto, B. Libert, N. McCullagh, J. Quisquater, Efficient and provably-secure identity-based signatures and signcryption from bilinear maps, in: Proceedings of Asiacrypt'05, LNCS 3788, Springer-Verlag, 2005, pp. 515–532.

[5] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, Journal of Cryptology 17 (4) (2004) 297–319.

[6] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas, Multicast security: a taxonomy and some efficient constructions, in: Proceedings of INFOCOM'99, 1999, pp. 708–716.

[7] X. Cao, W. Kou, L. Dang, B. Zhao, IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks, Computer Communications 31 (14) (2008) 659–667.

[8] S. Cheung, An efficient message authentication scheme for link state routing, in: Proceedings of ACSAC'97, 1997, pp. 90–98.

[9] J. Drissi, Q. Gu, Localized broadcast authentication in large sensor networks, in: Proceedings of ICNS'06, 2007, pp. 341–350.

[10] S.D. Galbraith, Pairings, in: Advances in Elliptic Curve Cryptography, London Mathematical Society Lecture Note Series, vol. 317, Cambridge University Press, 2005, pp. 183–213.

[11] D. Galindo, R. Roman, J. Lopez, A killer application for pairings: authenticated key establishment in underwater wireless sensor networks, in: Proceedings of CANS'08, LNCS 5339, Springer, 2008, pp. 120–132.

[12] G. Gaubatz, J. Kaps, B. Sunar, Public key cryptography in sensor networks – revisited, in: Proceedings of the 1st European Workshop on Security in Ad-Hoc and Sensor Networks, LNCS 3313, Springer-Verlag, 2005, pp. 2–18.

[13] N. Gura, A. Patel, A. Wander, H. Eberle, S.C. Shantz, Comparing elliptic curve cryptography and RSA on 8-bit CPUs, in: Proceedings of CHES'04, 2004, pp. 119–132.

[14] F. Hess, Efficient identity based signature schemes based on pairings, in: Proceedings of SAC'02, LNCS 2595, Springer-Verlag, 2003, pp. 310–324.

[15] F. Hess, N.P. Smart, F. Vercauteren, The Eta pairing revisited, IEEE Transactions on Information Theory 52 (2006) 4595–4602.

[16] T. Ishiguro, M. Shirase, T. Takagi, Efficient implementation of pairings on sensor nodes, in: Identity Based Encryption Workshop, NIST, 2008. <http://csrc.nist.gov/groups/ST/IBE/documents/June08/Takagi.pdf>.

[17] A. Kansal, D. Potter, M. Srivastava, Performance aware tasking for environmentally powered sensor networks, in: Proceedings of SIGMETRICS'04, 2004, pp. 223–234.

[18] P. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in: Proceedings of Crypto'96, LNCS 1109, Springer-Verlag, 1996, pp. 104–113.

[19] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Proceedings of Crypto'99, LNCS 1666, Springer-Verlag, 1999, pp. 388–397.

[20] T.K. Kwon, J. Hong, Secure and efficient broadcast authentication in wireless sensor networks, IEEE Transactions on Computers 59 (8) (2010) 1120–1133.

[21] A. Liu, P. Kampanakis, P. Ning, TinyECC: Elliptic Curve Cryptography for Sensor Networks (Ver. 0.3), 2005. <http://discovery.csc.ncsu.edu/software/TinyECC/>.

[22] K. Lorincz, D. Malan, T. Fulford-Jones, A. Nawoj, A. Clavel, V. Shnayder, G. Mainland, S. Moulton, M. Welsh, Sensor networks for emergency response: challenges and opportunities, IEEE Pervasive Computing, Special Issue on Pervasive Computing for First Response 3 (4) (2004) 16–23.

[23] D. Liu, P. Ning, Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks, in: Proceedings of NDSS'03, 2003, pp. 263–276.

[24] D. Liu, P. Ning, Multi-level μTESLA: broadcast authentication for distributed sensor networks, ACM Transactions on Embedded Computing Systems 3 (4) (2004) 800–836.

[25] D. Liu, P. Ning, S. Zhu, S. Jajodia, Practical broadcast authentication in sensor networks, in: Proceedings of MobiQuitous'05, 2005, pp. 118–132.

[26] D. Malan, M. Welsh, M. Smith, A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography, in: Proceedings of SECON'04, 2004, pp. 71–80.

[27] MICA2 Datasheet, 2006. <http://www.xbow.com/Products/Produc_pdf_files/Wireless_pdf/MICA2_Datasheet.pdf>.

[28] National Institute of Standards and Technology, Recommended Elliptic Curves for Federal Government Use, August 1999.

[29] L.B. Oliveira, D.F. Aranha, C. Gouvea, M. Scott, D. Camara, J. Lopez, R. Dahab, TinyPBC: pairings for authenticated identity-based non-interactive key distribution in sensor networks, Computer Communications 34 (3) (2011) 485–493.

[30] L.B. Oliveira, D.F. Aranha, E. Morais, F. Daguano, J. Lopez, R. Dahab, TinyTate: computing the Tate pairing in resource-constrained nodes, in: Proceedings of NCA'07, 2007, pp. 318–323.

[31] L.B. Oliveira, A. Kansal, B. Priyantha, M. Goraczko, F. Zhao, Secure-TWS: authenticating node to multi-user communication in shared sensor networks, in: Proceedings of IPSN'08, 2009, pp. 289–300.

[32] A. Perrig, R. Szewczyk, V. Wen, D. Culler, D. Tygar, SPINS: security protocols for sensor networks, in: Proceedings of MobiCom'01, 2001, pp. 521–534.

[33] K. Ren, W. Lou, Y. Zhang, Multi-user broadcast authentication in wireless sensor networks, IEEE Transactions on Vehicular Technology 58 (8) (2009) 4554–4564.

[34] K. Ren, K. Zeng, W. Lou, P. Moran, On broadcast authentication in wireless sensor networks, IEEE Transactions on Wireless Communications 6 (11) (2007) 4136–4144.

[35] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proceedings of Crypto'84, LNCS 196, Springer-Verlag, 1985, pp. 47–53.

[36] P. Szczechowiak, A. Kargl, M. Scott, M. Collier, On the application of pairing based cryptography to wireless sensor networks, in: Proceedings of WiSec'09, ACM Press, 2009, pp. 1–12.

[37] P. Szczechowiak, L. Oliveira, M. Scott, M. Collier, R. Dahab, NanoECC: testing the limits of elliptic curve cryptography in sensor networks, in: Proceedings of EWSN'08, LNCS 4913, 2008, pp. 305–320.

[38] R. Tso, C. Gu, T. Okamoto, E. Okamoto, Efficient ID-based digital signatures with message recovery, in: Proceedings of CANS'07, LNCS 4856, Springer-Verlag, 2007, pp. 47–59.

[39] A.S. Wander, N. Gura, H. Eberle, V. Gupta, S.C. Shantz, Energy analysis of public-key cryptography for wireless sensor networks, in: Proceedings of PerCom'05, 2005, pp. 324–328.

[40] H. Wang, Q. Li, Efficient implementation of public key cryptosystems on mote sensors, in: Proceedings of ICICS'06, 2006, pp. 519–528.

Kyung-Ah Shim received her M.S. and Ph.D. degrees, both in Mathematics, from Ewha Womans University in 1994 and 1999, respectively. In September 2008, she joined the National Institute for Mathematical Sciences as a senior researcher. Her research interests are cryptography and information security.

Young-Ran Lee received the M.S. and Ph.D. degrees in Mathematical Science from Ewha Womans University, Seoul, Korea, in 1998 and 2005, respectively. She is currently a researcher at the National Institute for Mathematical Sciences. Her research interests include cryptography and information security.

Cheol-Min Park received the B.S. degree in mathematics education, and the M.S. and Ph.D. degrees in mathematics from Seoul National University, Seoul, Korea, in 1999, 2001 and 2006, respectively. He has been a researcher at the National Institute for Mathematical Sciences since 2011. His research interests include elliptic and hyperelliptic curve cryptography.