SHORT ECC
A Lightweight Security Approach for Wireless Sensor Networks
Anna Sojka, Krzysztof Piotrowski and Peter Langendoerfer
IHP GmbH, Im Technologiepark 25, Frankfurt Oder, Germany
Keywords: Elliptic curves cryptography, Wireless sensor networks.
Abstract: This paper presents our ongoing work towards a new lightweight security approach for Wireless Sensor Networks. Applying several changes in the standard Elliptic Curve Cryptography parameter sets and algorithms we get a public/secret key hybrid with a reasonable security level and much shorter key sizes. Here we present the main idea, the algorithms together with the initial security analysis and the directions for the future research.
1 INTRODUCTION
The popularity of Wireless Sensor Networks (WSN) grows rapidly. A WSN consists of small and low cost devices with constrained computational and energy resources, the sensor nodes. The wide spectrum of their applications starts with the most popular ones, like habitat or nature monitoring, and goes beyond to more demanding applications in the military or security area, like monitoring of firefighters (Freie Universitaet Berlin, 2008). A great number of these applications applies to areas that require discretion, for example in health monitoring. Sometimes the deployment of sensor nodes is random, changeable or easily accessible. Taking all these aspects into consideration it is clear that in many cases the transmission and the storage of data in WSN should be secured.
In (Piotrowski, 2006), the authors show that the energy needed for transmitting a single bit of information is equal to the energy needed by the microcontroller for several hundred or even thousand clock cycles of computation. The standard Public Key Cryptography security approaches are computationally very expensive. In the same paper the authors show that the generation or verification of a digital signature using the ECC P160 curve proposed by NIST (NIST, 2010) requires at least one order of magnitude more energy than sending it over the radio. The Secret Key Cryptography mechanisms are less expensive and in the case of AES 128 the encryption or decryption costs around the same amount of energy as sending a single block (Piotrowski, 2006) (SIC, 2009). The above mentioned numbers are given for the TmoteSky (Moteiv, 2006) node hardware platform equipped with the MSP430F1611 (Texas Instruments, 2009) microcontroller and a cc2420 (Texas Instruments, 2008) transceiver, both from Texas Instruments.
In this paper we present our ongoing work on new techniques for securing the data in WSN by using a modified EC Cryptosystem. In our approach we target curves with a key length between 32 and 64 bits, which are usually recognized as non-secure. The changes applied to the parameter set (some public parameters become private) cause the Short Elliptic Curve (SEC) Cryptosystem to become a Public/Private Key Cryptography hybrid, but also cause the method to be very efficient. The efficiency advantages include reduction of the computational effort, but also reduction of the data block size, and thus reduction of the energy needed for the transmission of the results. The security strength cannot be compared to the one delivered by standard EC Cryptosystems, but our preliminary analysis shows that breaking the security needs a huge storage capacity on the attacker side or quite expensive searches. Additional mechanisms, like using several parameter sets and switching between them, or frequent changes of the parameter set, help to avoid attacks on a statistical basis and provide even more security at the cost of increased management overhead.
In this paper we introduce the idea, together with an initial analysis of its correctness. Since this is ongoing work, there is still room for tests, improvements and further research.
The rest of the paper is structured as follows. The next section provides more information about the changes we applied to the standard ECC. Then we talk about the security analysis of our approach. The paper closes with the description of our future research directions.
Sojka A., Piotrowski K. and Langendoerfer P. (2010). SHORT ECC - A Lightweight Security Approach for Wireless Sensor Networks. In Proceedings of the International Conference on Security and Cryptography, pages 304-308. DOI: 10.5220/0002983003040308. Copyright © SciTePress
2 SHORT ELLIPTIC CURVES
In this section we describe the SEC cryptosystem in
detail.
2.1 Notation
In the rest of our paper we will use the following symbols:
$F_q$ - a finite prime field
$E(F_q)$ - an elliptic curve over field $F_q$
$(x, y)$, where $x, y \in F_q$ - a point on the elliptic curve
$O$ - the point at infinity
$P = (x_P, y_P)$ - a base point on the elliptic curve
$p$, where $pP = O$ - order of the point P
$\#E = n$ - order of the elliptic curve
$(k, Q)$ - a key pair, where the private key $k \in [0, p]$ and the public key is $Q = kP$
$\langle P \rangle$ - cyclic group of points generated by P
2.2 SEC based Cryptosystem
As Short Elliptic Curves (SEC) we consider elliptic curves over 32 to 64-bit finite prime fields. Standard elliptic curves are based on prime fields with an order at least twice that long (minimum 128-bits). Short curves are unsafe, if used with standard ECC protocols. Knowing all the public parameters, finding discrete logarithms, i.e., breaking the security system using such a small group, takes only a few seconds on a standard PC. The SEC based cryptosystem has the following features:
- It provides security means for a trusted group of participants sharing the same SEC parameters.
- It uses standard ECC in a layer which manages the distribution of SEC parameters (together with an algorithm for generating the chain of SEC or the set of SEC with the method for choosing valid SEC) to the new members of the group. After that the new group participant is able to manage the SEC parameters and change them if necessary.
- Encryption and digital signatures within the group are performed using SEC.
- To improve the security, one SEC setting is valid for a defined period of time only, after which all the group members generate the new SEC parameters and switch to them. Another option is to have a precomputed set of SEC and to switch between them according to some algorithm. Each group member generates the key pair for the new SEC. The public key is encrypted using the previously valid elliptic curve and distributed to trusted group members.
- Compression for all transmitted SEC points is used. It reduces the amount of transmitted data and additionally improves the security.
2.3 Generation of a SEC
Generation of the new SEC parameters may be done by each node independently. Each node should get the same SEC parameters, so the generation process on each node needs to be synchronized and the new parameters do not need to be distributed. Only the public key of each node has to be broadcast in an encrypted form using, for example, the previous SEC. The general procedure for generating the SEC parameters from scratch is described below.
First, a prime number q has to be chosen to be the order of the finite field. Then the two integers $a, b \in F_q$ that are the coefficients in the elliptic curve equation are to be determined. The next steps are to find the order of E, to choose a base point and to find its order.
To prevent the Pohlig-Hellman attack (Blake, 2000) it is necessary that the order of the base point is the largest possible prime integer. The ideal solution is to find a point which generates all the points on the curve E and has a prime order, equal to the curve order.
Lagrange's theorem says (Blake, 2000) that the order of an arbitrarily chosen group element $P \neq O$ divides the order of the group. Thus, when a curve has a prime order n, there are only two possible orders of points on the curve: 1 and n, and since $1P = P \neq O$, the only possible order of any point P is n. Hasse's theorem (Koblitz, 1998) brings very useful information about the interval in which to look for the curve order and in the above mentioned case it is also the order of the base point. This theorem says that for an elliptic curve E over a finite field $F_q$ the order of $E(F_q)$ satisfies
$$q + 1 - 2\sqrt{q} \le \#E(F_q) \le q + 1 + 2\sqrt{q} \qquad (1)$$
To find the curve order in this interval we proceed as follows:
Let $P = (x, y)$ be a randomly chosen point on E and let
$$Q = (q + 1 + 2\sqrt{q})P \qquad (2)$$
The next step is to find a second point $R = zP$, where $z \neq (q + 1 + 2\sqrt{q})$ and $R = Q$. Since $Q - R = O$ then
$$n = q + 1 + 2\sqrt{q} - z \qquad (3)$$
is the potential order of the point P.
To find z the Pollard rho method (Blake, 2000) can be used. It is a randomized method for computing collisions of elements of a finite group. The collision is found after approximately $\sqrt{q\pi/2}$ iterations. If the collision occurs the last thing to check is if n is prime and if it belongs to the Hasse range. If this is the case, then we have the base point and its order; otherwise we repeat the procedure for new curve parameters (a and b). The value q, and thus the prime field, can also be changed. For primality testing of small integers (< 341550071728321) a deterministic variant of the Miller-Rabin primality test can be used (Jaeschke, 1993).
For efficient generation of SEC on the nodes we
plan to investigate the possibilities to influence the
curve parameters for which we want to find the curve
order and investigate the methods to generate chains
of SEC parameters.
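The generation procedure of this section at toy scale, as an added example that is not the authors' code: it searches for a curve of prime order, checks the Hasse range, and tests primality with deterministic Miller-Rabin. It assumes naive point counting with Legendre symbols in place of the collision search described above (feasible only for small q), and the function names and the witness bases (taken from Jaeschke's result) are this example's own.

```python
# Added example: toy-scale SEC parameter generation. Point counting is done
# with Legendre symbols, not the collision search the paper describes.
MR_BOUND = 341550071728321            # bound quoted in the text (Jaeschke, 1993)
MR_BASES = (2, 3, 5, 7, 11, 13, 17)   # bases that are sufficient below MR_BOUND

def is_prime(n):
    """Deterministic Miller-Rabin, valid for n < MR_BOUND."""
    if n >= MR_BOUND:
        raise ValueError("n is outside the deterministic range")
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True

def in_hasse_range(q, n):
    """Equation (1) in integer form: (n - (q + 1))^2 <= 4q."""
    return (n - q - 1) ** 2 <= 4 * q

def curve_order(q, a, b):
    """#E(F_q) = q + 1 + sum of Legendre symbols of x^3 + ax + b (O(q) work)."""
    n = q + 1
    for x in range(q):
        rhs = (x * x * x + a * x + b) % q
        if rhs:
            n += 1 if pow(rhs, (q - 1) // 2, q) == 1 else -1
    return n

def find_prime_order_curve(q, a):
    """Try b = 1, 2, ... until the curve order n is prime and in the Hasse range.
    With prime n, every point other than O has order n and can serve as P."""
    for b in range(1, q):
        if (4 * a ** 3 + 27 * b * b) % q == 0:
            continue              # singular: not an elliptic curve
        n = curve_order(q, a, b)
        if in_hasse_range(q, n) and is_prime(n):
            return a, b, n
    return None

if __name__ == "__main__":
    # 65521 is a 16-bit prime chosen for the demo; real SEC fields are 32-64 bit.
    print(find_prime_order_curve(65521, 1))
```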
2.4 Modified Cryptographic Protocols
Modified ElGamal Encryption. To carry out encryption and decryption of messages using SEC some changes in the algorithms have to be made. The basis of the encryption scheme is the ElGamal scheme (Blake, 2000) with one small difference in the first step.
To encrypt a message $m \in (0, p)$ for a recipient a party does the following steps:
- Obtain the recipient's public key $Q_R$.
- Select a random or pseudo-random integer $k \in [1, p-1]$.
- Calculate an EC point $R = kP + T$, where T is a point on the curve, known to both parties and determined while curve parameters are established. T should be changed after each transaction between the sender and recipient of the message.
- Transform the message m into a point M lying on E, e.g. as described in (Washington, 2003).
- Calculate an EC point $S = kQ_R + M$.
- The message m is encrypted as the pair of EC points $(R, S)$. These points are compressed before sending, thus only the x-coordinates are transmitted.
The recipient does the following to decrypt the message:
$$M = S - d_R R + d_R T \qquad (4)$$
where $d_R$ is the private key of the message recipient.
Modified Digital Signature Scheme. Standard digital signature schemes (Koblitz, 1998) use the standard cryptographic hash functions for signing the messages. These hash functions produce outputs of 160 or even 512 bit length (NIST, 2010), thus they are not applicable in our digital signature protocol. In the case of SEC another solution has to be used. The current version supports only a signature scheme with message recovery. The signatures are generated for a specified recipient only. To sign the message the signer, whose key pair is $(k_S, Q_S)$, does the following steps:
- Convert message m into the point $M = (x_M, y_M)$ on the elliptic curve (in the same way as in the modified encryption scheme).
- Compute
$$s = k^{-1}(x_M + y_M k_S), \text{ where } k \text{ is random} \qquad (5)$$
- Encrypt M using the same k and the public key of the recipient. R and S are the encrypted message.
- The signature is a triple $(R, S, s)$.
Verification phase:
- Decrypt R and S to obtain the coordinates of M needed in the next steps of verification.
- Compute two values $u_1, u_2$:
$$u_1 = s^{-1} x_M, \quad u_2 = s^{-1} y_M \qquad (6)$$
- Verify the signature by checking if:
$$R = u_1 P + u_2 Q_S + T \qquad (7)$$
3 SECURITY ANALYSIS
In this section we discuss three aspects of the security in our approach. The first considers the search area of an attacker not knowing the SEC in use. Let us consider a SEC based on a 32-bit finite field. Having an eavesdropped coordinate of some point on the elliptic curve an adversary has to decompress it to get the second coordinate. For decompression the knowledge about SEC parameters is needed. Without the knowledge about the second coordinate solving of the elliptic curve equation and finding its parameters is impossible. To find the curve parameters on the basis of the eavesdropped x-coordinate of some point, an adversary has to do the following:
1. Choose the order of the prime field, i.e. the prime integer q. She has to look in a set of
$$\frac{2^{32}}{\ln 2^{32}} \approx 193641447 \qquad (8)$$
elements, because there are that many prime numbers of maximum 32-bit length.
2. Then for the prime field the adversary has to find the proper elliptic curve. There are $(q^2 - q)$ possible elliptic curves for prime field $F_q$.
3. Now she can check if there exists a point with the eavesdropped x-coordinate on this elliptic curve. In the worst case each elliptic curve can have a point with this x-coordinate. So this information does not reduce the set of curves being suspected to be the right one. In the best case there is only one elliptic curve which contains a point with this x-coordinate.
4. If there is a point with this x-coordinate she can move to the next step, else she has to generate another elliptic curve, going back either to step 1 or 2.
5. In standard cryptographic systems the base point is known. In our system it's kept secret. For each $E(F_q)$ the average number of points on this curve is equal to $(q + 1)$. Thus the probability of choosing the proper base point is
$$\frac{1}{q + 1} \qquad (9)$$
Let W denote the number of all elliptic curves over all considered prime fields. W is approximately equal to:
$$\sum_{n=0}^{m} (q_n^2 - q_n), \text{ where } m = \frac{2^{32}}{\ln 2^{32}} \qquad (10)$$
So the probability that an adversary finds the right curve parameters is:
$$\frac{1}{W} \cdot \frac{1}{q + 1} \qquad (11)$$
The second security aspect is the ambiguity of the results even if the SEC parameters are known. Let us assume that the adversary receives an x-coordinate $x_Q$ of a point Q lying on some SEC. She knows only that it is a multiple of the base point since all other information is kept secret. Let us assume that she has a set of curves that contain points with $x_Q$ and this set includes the curve E. If $E(F_q)$ has a prime order p and $Q = kP_i$, where $k \in F_q$, $P_i \in E$ and $i \in [1, p-1]$, then the group of points on E looks as follows:
$$E = \{O, P_1, P_2, \ldots, P_{p-1}\}. \qquad (12)$$
We already know that the group of points is cyclic and it has a prime order. There are no subgroups of E and there are no points ($\neq O$) with order different from p. Thus, any point in this group can be a generator of E. So for $i = 1, \ldots, (p-1)$ we have $(p-1)$ possible permutations:
$$E = \{O, P_i, 2P_i, \ldots, (p-1)P_i\} \qquad (13)$$
where $\langle P_1 \rangle = \cdots = \langle P_{(p-1)} \rangle$ and
$$\forall_{i,j,k \in [1,p-1]} \; iP_j \neq iP_k. \qquad (14)$$
We can see that
$$\forall_{i \in [1,p-1]} \; \exists_{k \in [1,p-1]} \; kP_i = Q. \qquad (15)$$
The third aspect relates to the modified ElGamal encryption. As already mentioned the point T should be changed after each transaction between the sender and receiver. For example, at the beginning both parties agree on a start point T. This point is used in the first transaction and after that the next one is computed. Both have to keep the number of the transaction and the previous point to compute the next one. It can be done as follows:
$$T_i = iT_{i-1} \qquad (16)$$
where i is the number of the current transaction. If T were not changed, it could be possible to obtain the secret key of the receiver. Two different encryptions of the same message look as follows:
$$R_1 = k_1 P + T, \quad S_1 = M + k_1 Q_R \qquad (17)$$
$$R_2 = k_2 P + T, \quad S_2 = M + k_2 Q_R \qquad (18)$$
Having these one can compute:
$$R_1 - R_2 = k_1 P + T - k_2 P - T \qquad (19)$$
$$R_1 - R_2 = (k_1 - k_2)P \qquad (20)$$
$$S_1 - S_2 = M + k_1 Q_R - M - k_2 Q_R = (k_1 - k_2)Q_R \qquad (21)$$
And since $Q_R = d_R P$:
$$S_1 - S_2 = (k_1 - k_2) d_R P \qquad (22)$$
finally:
$$(R_1 - R_2) d_R = S_1 - S_2 \qquad (23)$$
Having some curves being suspected the adversary can decompress the points, compute the point subtraction using these and then solve the discrete logarithm problem to obtain the possible values of $d_R$ for the suspected curves. Changing the value of T each time makes an attempt of finding $d_R$ more complicated, because
$$(R_1 - R_2) = (k_1 - k_2)P + T_1 - T_2 \qquad (24)$$
$$(R_1 - R_2) d_R \neq S_1 - S_2 \qquad (25)$$
For each curve on which point R exists and for each point suspected as a base point P the adversary has to find an integer k and point T for which $R = kP + T$. Because $k \in [1, p-1]$ and the order of T is p she has to check $(p-1)p$ combinations. Looking for the secret key for each point gives $(p-1)p^2$ combinations to check. If there are t curves, each of order p, the number of combinations is equal to $(p-1)p^2 t$.
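The modified ElGamal encryption (equation 4), the signature scheme (equations 5 to 7) and the effect of reusing T (equations 23 and 25), as one added example that is not the authors' code. It assumes a constructed toy curve, $y^2 = x^3 + 2x + 2$ over $F_{17}$ with base point (5, 1) of prime order 19; the function names and all key and nonce values are this example's own.

```python
# Constructed toy parameters, not from the paper: y^2 = x^3 + 2x + 2 over F_17,
# base point P = (5, 1) of prime order 19. A real SEC uses a 32-64 bit field.
FIELD, A, P, ORDER, O = 17, 2, (5, 1), 19, None  # O: point at infinity

def add(p1, p2):
    """Affine point addition."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def encrypt(M, pub, k, T):
    """Modified ElGamal from the page: R = kP + T, S = k*Q_R + M."""
    return add(mul(k, P), T), add(mul(k, pub), M)

def decrypt(R, S, d, T):
    """Equation (4): M = S - d_R*R + d_R*T."""
    return add(add(S, neg(mul(d, R))), mul(d, T))

def relation_23_holds(c1, c2, d):
    """True when d_R*(R1 - R2) == S1 - S2, the key-revealing relation (23)."""
    (R1, S1), (R2, S2) = c1, c2
    return mul(d, add(R1, neg(R2))) == add(S1, neg(S2))

def sign(M, k, k_s, pub_r, T):
    """Equation (5): s = k^-1 (x_M + y_M*k_S) mod p; signature is (R, S, s)."""
    s = pow(k, -1, ORDER) * (M[0] + M[1] * k_s) % ORDER
    return (*encrypt(M, pub_r, k, T), s)

def verify(sig, d_r, pub_s, T):
    """Equations (6)-(7): recover M, then check R == u1*P + u2*Q_S + T."""
    R, S, s = sig
    M = decrypt(R, S, d_r, T)
    if s == 0 or M is O:
        return False
    u1, u2 = (pow(s, -1, ORDER) * c % ORDER for c in M)
    return R == add(add(mul(u1, P), mul(u2, pub_s)), T)

if __name__ == "__main__":
    d_r, T = 7, mul(11, P)  # constructed recipient key and shared point T
    print(decrypt(*encrypt(mul(3, P), mul(d_r, P), 5, T), d_r, T))  # (10, 6)
```

With a fixed T the two ciphertexts of one message satisfy relation (23); after the update $T_2 = 2T_1$ from equation (16) the relation no longer holds, which is the behaviour equations (24) and (25) describe.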
4 CONCLUSIONS AND FUTURE WORK
In this paper we presented a new security approach for WSN. We designed and proved new encryption and digital signature algorithms and a simple method for SEC generation.
The work on this approach is in its initial phase. Up to now we focused on theoretical solutions and proofs of correctness of the modified algorithms. The next step will be to implement the SEC cryptosystem on sensor nodes and investigate its costs, both computational and management overhead. We will study the ability of an attacker to find SEC parameters on the basis of an x-coordinate, which will help us to estimate the lifetime of the complete SEC cryptosystem. Then the methods for changing the SEC will be chosen and investigated. Depending on the lifetime it will be either generation of chains of SEC parameters or a fixed set with a method for picking the right one. The necessity of using a trusted authority will also be verified. We also plan to check if the SEC cryptosystem is transferable to projective coordinates. It could be interesting due to the lower computational effort when using projective coordinates (Blake, 2000). We also foresee an extension of the signature algorithm to support a signature that can be verified by any member of the group and to support an arbitrary size of the message. As already mentioned the presented Short Elliptic Curves are a hybrid symmetric/asymmetric Cryptography approach. In our next research steps we want to find an answer to the question where between these two kinds of cryptography our approach can be placed.
REFERENCES
Texas Instruments Inc. (2008). CC2420 datasheet 2.4 Ghz IEEE 802.15.4/zigbee RF transceiver. http://focus.ti.com/lit/ds/symlink/cc2420.pdf.
Freie Universitaet Berlin and FeuerWhere Project Partners, (2008). FeuerWhere Project official website. http://www.feuerwhere.de/.
Texas Instruments Inc. (2009). MSP430f15x, MSP430f16x, MSP430f161x Mixed Signal Microcontroller. http://focus.ti.com/lit/ds/symlink/msp430f1611.pdf.
NIST National Institute of Standards and Technology, (2010). http://www.nist.gov/index.html.
Moteiv Corp, (2006). Tmote Sky Low Power Wireless Sensor Module. http://sentilla.com/files/pdf/eol/tmote-sky-datasheet.pdf.
SIC Stiftung Secure Information and Communication Technologies, (2009). Crypto Software for Microcontrollers. http://jce.iaik.tugraz.at/sic/Products/Crypto-Software-for-Microcontrollers/Texas-Instruments-MSP430-Microcontrollers.
Blake, I., Seroussi, G. and Smart, N. (2000). Elliptic Curves Cryptography. Cambridge University Press, 1st edition.
Jaeschke, G. (1993). On strong pseudoprimes to several bases. Mathematics of Computation, 61:915–926.
Piotrowski, K., Langendoerfer, P. and Peter, S. (2006). How public key cryptography influences wireless sensor node lifetime. SASN.
Koblitz, N. (1998). Algebraic Aspects of Cryptography. Springer-Verlag, Berlin Heidelberg, 1st edition.
Washington, L. C. (2003). Elliptic Curves Number Theory and Cryptography. Chapman & Hall/CRC.