A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography

TL;DR: It is demonstrated that public keys can be generated within 34 seconds, and that shared secrets can be distributed among nodes in a sensor network within the same, using just over 1 kilobyte of SRAM and 34 kilobytes of ROM.

Abstract: We present the first known implementation of elliptic curve cryptography over F/sub 2p/ for sensor networks based on the 8-bit, 7.3828-MHz MICA2 mote. Through instrumentation of UC Berkeley's TinySec module, we argue that, although secret-key cryptography has been tractable in this domain for some time, there has remained a need for an efficient, secure mechanism for distribution of secret keys among nodes. Although public-key infrastructure has been thought impractical, we argue, through analysis of our own implementation for TinyOS of multiplication of points on elliptic curves, that public-key infrastructure is, in fact, viable for TinySec keys' distribution, even on the MICA2. We demonstrate that public keys can be generated within 34 seconds, and that shared secrets can be distributed among nodes in a sensor network within the same, using just over 1 kilobyte of SRAM and 34 kilobytes of ROM.

Figures

TABLE VI MEMORY OVERHEAD OF MODULAR EXPONENTIATION, DETERMINED

Fig. 3. Time required to compute 2x (mod p), where p is prime, on the MICA2.

TABLE VII ENERGY CONSUMPTION OF MODULAR EXPONENTIATION, DETERMINED

Fig. 4. Typical exchange of a shared secret under Diffie-Hellman based on ECDLP.

Fig. 5. Running time for EccM 1.0, a TinyOS module which selected for a node at random, using a polynomial basis over F2p , a curve, a point, and a private key, thereafter computing the node’s public key. Points are labelled with running times. For larger keys (e.g., 63-bit), the module failed to produce results.

Fig. 6. Primary memory used by EccM 1.0, a TinyOS module which, using a polynomial basis over F2p , selected for a node at random a curve, a point, and a private key, thereafter computing the node’s public key. Although the sizes of the .bss and .data segments are fixed during execution, stack is defined here as the maximum of the application’s stack size during execution. Keys of 63 bits or more exhaust the MICA2’s 4,096 B of SRAM.

Fig. 1. Actual throughput versus desired throughput for acknowledged (ACKed) and unacknowledged (unACKed) transmissions between a sender and a receiver, averaged over ten minutes of transmission per level of desired throughput, where desired throughput is the rate at which calls to SendMsg.send(·,·,·) were scheduled by Timer.start(·,·). ACKed actual throughput is the rate at which 29-byte, random payloads from a sender were received and subsequently acknowledged by an otherwise passive recipient. UnACKed actual throughput is the rate at which the sender actually sent such packets, acknowledged or not (i.e., the rate at which calls to SendMsg.send(·,·,·) were actually processed). For clarity, where ACKed and unACKed throughput begins to diverge are points labelled with values for actual throughput. In environments with less contention for medium access than in ours, higher throughput is possible, with and without TinySec enabled.

TABLE III TIMES REQUIRED TO TO ENCRYPT A 29-BYTE, RANDOM PAYLOAD, AND TO COMPUTE THAT PAYLOAD’S MAC, AVERAGED OVER 1,000 TRIALS. THE IMPLIED OVERHEAD OF TINYSEC IS GIVEN AS THE SUM OF THE DATA’S

TABLE IX ENERGY CONSUMPTION OF ECCM 2.0, A TINYOS MODULE WHICH ALLOWS TWO NODES TO GENERATE PUBLIC AND PRIVATE KEYS (AND, THEREAFTER, TO USE THE SAME TO EXCHANGE A SHARED SECRET), DURING GENERATION OF A NODE’S PUBLIC AND PRIVATE KEYS.

TABLE VIII MEMORY USAGE OF ECCM 1.0 VERSUS ECCM 2.0. WITH ECCM 2.0, WE

TABLE V STRENGTH OF DIFFIE-HELLMAN BASED ON DLP FOR VARIOUS MODULI AND EXPONENTS. “AN ALGORITHM THAT HAS A ‘Y ’ BIT KEY, BUT WHOSE STRENGTH IS EQUIVALENT TO AN ‘X ’ BIT KEY OF SUCH A SYMMETRIC ALGORITHM IS SAID TO PROVIDE ‘X BITS OF SECURITY’ OR TO PROVIDE ‘X -BITS OF STRENGTH’. AN ALGORITHM THAT PROVIDES X BITS OF STRENGTH WOULD, ON AVERAGE, TAKE 2X−1T TO ATTACK, WHERE T IS

TABLE IV MEMORY OVERHEAD OF TINYSEC, DETERMINED THROUGH INSTRUMENTATION OF CNTTORFM, AN APPLICATION WHICH SIMPLY BROADCASTS A COUNTER’S VALUES OVER THE MICA2’S RADIO. THE .BSS AND .DATA SEGMENTS CONSUME SRAM WHILE THE .TEXT SEGMENT CONSUMES ROM. STACK IS DEFINED HERE AS THE MAXIMUM OF THE APPLICATION’S STACK SIZE DURING EXECUTION.

Fig. 2. Typical exchange of a shared secret under Diffie-Hellman based on DLP [21].