SN-SEC: a secure wireless sensor platform with hardware cryptographic primitives
-
Upload
william-phillips -
Category
Documents
-
view
213 -
download
0
Transcript of SN-SEC: a secure wireless sensor platform with hardware cryptographic primitives
ORIGINAL ARTICLE
SN-SEC: a secure wireless sensor platform with hardwarecryptographic primitives
Abidalrahman Moh’d • Nauman Aslam •
William Phillips • William Robertson •
Hosein Marzi
Received: 20 November 2011 / Accepted: 15 March 2012
� Springer-Verlag London Limited 2012
Abstract Security was not considered when current
wireless sensor nodes were designed. As a result, providing
high level of security on current WSNs platforms is unat-
tainable, especially against attacks based on key resolving
and node compromise. In this paper, we scrutinize the
security holes in current WSNs platforms and compare the
main approaches to implementing their cryptographic
primitives in terms of security, time, and energy efficiency.
To secure these holes and provide more efficiency, we
propose SN-SEC, a 32-bit RISC secure wireless sensor
platform with hardware cryptographic primitives. The
choice of cryptographic primitives for SN-SEC is based on
their compatibility with the constrained nature of WSNs
and their security. SN-SEC is implemented using very
high-speed integrated circuit hardware description lan-
guage. Experimental results using synthesis for Spartan-6
low-power FPGA show that the proposed design has a very
reasonable computational time and energy consumption
compared to well-known WSN processers.
Keywords Wireless sensor networks � Security platform �Advanced encryption standard � Elliptic curve
cryptography � Secure hash algorithm
1 Introduction
The future of wireless sensor networks (WSNs) is prom-
ising; they are being deployed in many real-world appli-
cations and smart objects in the context of Ubiquitous
Computing and The Internet of Things (IoT) [1]. It is
expected that new WSNs applications will have greater
share of the embedded systems market, with a growth rate
of up to 50 % per year [2]. These types of applications
force the need of securing WSNs, which is very difficult to
realize, due to scarceness of energy, constrained nature of
the sensor platforms, openness of wireless communication,
and the intensive mathematical computations of crypto-
graphic primitives. Because of these unique challenges, the
security of these networks became a very important
research field.
Many researchers proposed mechanisms to provide
security for WSNs in the literature. Regardless of the
efficiency of these mechanisms, they do not provide suf-
ficient security if implemented on unsecure platforms. The
current WSN nodes are being made using ‘‘off the shelf’’
components designed for other environments. Secure
design for unique WSNs environment was not considered
when they were manufactured.
Generally, three types of cryptographic primitives are
used to provide security services, public key primitives,
private key primitives, and hash functions. Efficient
A. Moh’d (&) � W. Phillips � W. Robertson
Department of Engineering Mathematics and Internetworking,
Dalhousie University, Halifax, NS, Canada
e-mail: [email protected]
W. Phillips
e-mail: [email protected]
W. Robertson
e-mail: [email protected]
N. Aslam
School of Computing Engineering and Information Sciences,
Northumbria University, Newcastle Upon Tyne, UK
e-mail: [email protected]
H. Marzi
Department of Information systems, St. Francis Xavier
University, Antigonish, NS, Canada
e-mail: [email protected]
123
Pers Ubiquit Comput
DOI 10.1007/s00779-012-0563-9
implementations of these primitives for WSNs have been
addressed by many researchers in the literature. These
implementations can be done either in software or hard-
ware. In this paper, we review both approaches and discuss
their security and efficiency. We also propose a custom
hardware platform that guarantees maximum security and
energy efficiency. Being closed and fully separated from
operating system (OS) helps to avoid the threats and
security holes in the OS security. In addition, implementing
it in hardware is more secure and energy efficient. The
choice of cryptographic primitives for our suggested plat-
form is based on their compatibility with the constrained
nature of WSNs and their security status. The work in this
paper can be seen as an initial step in redesigning the
wireless sensor node from scratch with security as a main
design goal.
The rest of the paper is organized as follows; In Sect. 2,
we review previous approaches to WSNs security, their
advantages, disadvantages, and security holes. SE-SEC
secure hardware platform is presented in Sect. 3. In Sect. 4,
we overview the most appropriate cryptographic primitives
for WSNs, discuss their security status, and review their
specialized implementations for WSNs in recent literature.
Experimental energy and time results for SN-SEC VHDL
implementation using synthesis for Spartan-6 low-power
FPGA are provided in Sect. 5. Finally, the conclusion and
directions for future work are presented in Sect. 6.
2 Approaches to WSNs security
To implement cryptographic algorithms, researchers fol-
lowed two approaches, software implementations and
hardware implementations. The main advantage of soft-
ware implementations is their flexibility, because changing
them does not require any modification in the hardware
architecture of wireless sensor nodes. However, these
implementations have large processing overhead on weak
WSN processors. Table 1 shows the energy consumption
and execution time of elliptic curve-based operations
implemented in software on the Mica2 wireless node [3].
The relatively high processing time could result in missing
some events or not reporting them in a timely manner. It
also affects the execution of other programs running on the
node, and most importantly it consumes a large amount of
energy.
Software implementations are not only less efficient in
terms of energy and time, but also they are less secure. As
Fig. 1 illustrates, the security of software implementations
is dependent on the security of the OS and the underlying
wireless node hardware platform, neither of which was
designed to be secure. Because software implementations
are run on top of the OS and share memory space with
other running programs, they are vulnerable to ease of
modification and compromising keys. A clear example of
such attacks is the cache-collision timing attacks [4] on
software implementations of advanced encryption standard
(AES) algorithm. This attack is based on exploiting the
characteristics of AES table lookups. It requires direct
observation of memory before and after encryption by
running the attacking process and the AES algorithm on the
same OS.
Compared to software implementations of cryptographic
algorithms, hardware implementations are not only much
faster, but they also consume less energy up to a factor of
10-3 [3]. Some researchers tried to use ‘‘off the shelf’’
hardware components to provide security services for
WSNs, like using the Chipcon CC2420 transceiver chip
that includes a hardware implementation of the AES
algorithm [5], and the use of commodity trusted platform
module (TPM) chip for RSA public key encryption [6]. In
both cases, the communication between the security chip
and other wireless node hardware components (i.e., the
data bus between the TPM chip, controller, and external
memory) is done in plaintext. Spying on this communica-
tion will reveal valuable data such as the encryption keys.
Other attacks on hardware like cold boot attack [7] can
also be used to get the content of the memory and resolve the
Table 1 Energy and time results for elliptic curve-based operations using software implementations on Mica2 wireless node [3]
Operation Key generation ECDSA signature ECDSA verification D–H key exchange El-Gamal encryption El-Gamal decryption
Time (s) 6.74 6.88 24.17 17.28 24.07 17.87
Energy (mJ) 101.1 103.2 362.6 259.2 361.1 268.1
Fig. 1 Wireless node design using software cryptography over
unsecure platform and OS
Pers Ubiquit Comput
123
encryption keys, since the keys are stored in plaintext.
Software attacks through the OS are possible as well,
because the keys are accessible by the OS in plaintext. Figure
2 illustrates the security view of these implementations.
3 Secure hardware platform design for WSNs
In order to avoid design weaknesses in previous approaches
and guarantee maximum security and energy efficiency for
WSNs, we suggest a custom hardware platform that pro-
vides hardware-based key generation, storage, and
encryption. This design not only avoids high processing
overhead and energy consumption of the software imple-
mentations, but also it is an advantage over other related
hardware implementations because of the careful selection
of encryption primitives and their efficient implementa-
tions. It also avoids the security weaknesses in previous
approaches by being closed and fully separated from the
OS security.
The suggested hardware secure platform for WSNs is
shown in Fig. 3. The only part of the data that can be in
plaintext is the data being processed inside the main pro-
cessor, part of the internal memory, and input data from
sensors through the analog–digital converter (ADC).
Pushing the ADC inside the processor chip enhances
security, but this could be impractical. The confidentiality
of input data from sensors is not important, because it is
already accessible for everyone in the environment in the
analog form. All the other data outside the scope of the
main processor chip is encrypted, including external
memory, transceiver, communication between WSN com-
ponents on board, and the traffic in the wireless medium.
The overhead of decrypting data for aggregation and then
encrypting it again has been addressed by researchers.
Some of them suggested schemes based on homomorphic
encryption, in which the encrypted data can be aggregated
without the need of decryption, like the concealed data
aggregation scheme [8]. However, homomorphic
encryption is malleable by design, and it is not suited for
secure data transmission [9]. Our suggested scheme is more
efficient in this matter, because it essentially minimizes the
overhead of encryption using efficient hardware imple-
mentations. This will make it more feasible to decrypt the
data, aggregate it, and then encrypt it again. Sending all
copies of encrypted data without aggregation is still a valid
option. A comprehensive study of the trade-off between the
cost of decrypting the data for aggregation and encrypting
it again verses transmitting it without aggregation has to be
done to specify the threshold upon which it can decide to
aggregate or not.
The security view of our scheme is shown in Fig. 4.
Our scheme can be seen as the first step to redesign
hardware and software components of the WSNs from
scratch with the security as the main design goal. The
additional design job and additional hardware for the
security platform will increase manufacturing cost. We
argue that a standardized robust design that is reliable
enough to be used in a mass production manner is capable
of reducing this cost.
Fig. 2 Wireless node design using hardware cryptography over
unsecure platform and OS
Fig. 3 Proposed platform
Fig. 4 Secure node platform design with hardware cryptography
Pers Ubiquit Comput
123
4 Cryptographic primitives review
The selection of cryptographic primitives for SN-SEC
hardware platform should comply with WSNs constraints.
The implementation of these primitives should be opti-
mized for energy per encryption, static power consump-
tion, and hardware area. Speed and throughput were the
optimization goals for many implementations, and these
optimization goals are not considered for WSNs because of
their sparse and loose real-time communication. In this
section, we will discuss the most efficient configurations
and implementation methods of these primitives, their
security status, and review their specialized implementa-
tions for WSNs in recent literature.
4.1 Symmetric primitives
Many symmetric algorithms exist in the literature, the most
efficient and secure ones are the AES finalists selected in
the second AES conference to replace the data encryption
standard (DES) [10]. The security and efficiency of the
AES finalist algorithms have been intensively scrutinized
by a large number of cryptanalytic experts. In the third
AES conference, the Rijndael algorithm won the compe-
tition and was announced by the National Institute of
Standards and Technology (NIST) as the AES algorithm
[11].
Many hardware architectures for AES were proposed in
the literature. Loop-unrolled architectures are the fastest,
and pipelined architectures are the best in terms of high
throughput. However, the energy and area requirements of
these architectures exceed the limitations of WSNs. The
best choice for small area and energy constrained imple-
mentations are iterated architectures.
Two main variations between iterated architectures
exist in the literature. The first one is the datapath width;
8-, 32-, and 128-bit architectures were proposed. In gen-
eral, higher datapath width architectures will have larger
area and power requirements but smaller latencies. The
authors in [12] provided energy per encryption compari-
sons between the three datapath width choices using
implementations on UMC 0.25 lm 1.8v hardware. As
Table 2 shows, although the 128-bit data path has the
largest area and power usage, it has the smallest energy
consumption per encryption. The 32-bit architecture has
medium area and power consumption, but the worst
energy consumption per encryption.
Although 128-bit architecture has the least energy con-
sumption per encryption, we consider the 8-bit architecture
to be a better choice, because it is the best in terms of area
and power. As a result, it will be the best choice in terms of
static energy consumption (energy consumed while the
hardware is idle). The second variant between iterated
architectures is the number of S-boxes used and their
architectures. The 8-bit datapath design in Table 2 uses 2
S-boxes, and it completes one encryption in 160 cycles.
Feldhofer et al. [13] implemented another 8-bit datapath
architecture with one S-box. Their design has an area size
of 3,400 gates, but it takes 1016 clock cycles to perform
one encryption, resulting in a higher energy per encryption
for their design compared to the design with 2 S-boxes in
[12]. A larger number of S-boxes is used with higher
datapath widths. However, this will lead to an increase in
the area and energy consumption and that is not suitable for
WSNs constrained.
Implementing the S-box in the GF ððð22Þ2Þ2Þ composite
field rather than the GF (28) field is more energy efficient as
shown in [14]. For SN-SEC platform, we chose an 8-bit
datapath architecture with two S-boxes as shown in Fig. 5
and implement the S-boxes in the GF ððð22Þ2Þ2Þ composite
field.
Table 2 Different AES datapath width comparison form [12]
Data–path width Area (gates) Power (mW) Clock cycles Throughput (Mbps) Energy/enc. (nJ)
8-bit 4,023 1.06 160 8.1 169.6
32-bit 7,732 3.73 54 23.7 200.5
128-bit 15,980 11.61 11 116.4 127.7
Fig. 5 AES datapath design
Pers Ubiquit Comput
123
4.2 Hash functions
Most WSN security protocols use encryption algorithms
with cipher block chaining mode to produce the message
authentication code (MAC). This method does not require
implementing a separate MAC algorithm; however, it is not
secure for variable-length messages [15]. Because of that,
we select a standard hashing algorithm to produce the
MAC. Another advantage of using separate hash algorithm
is that it can run in parallel with the encryption algorithm,
which saves computation time and energy.
The two most commonly used cryptographic hash
functions in the literature are MD5 and SHA-1. However,
MD5 was recently broken with an attack against it used to
break SSL in 2008 [16]. Some theoretical weaknesses in
SHA-1 were discovered [17, 18], and two successful
attacks were reported in 2005. As a result, it was decided
that it will not be used by USA government agencies after
2010 [19].
New security systems will be using more advanced hash
functions, such as SHA-2, or techniques that do not require
collision resistance, such as randomized hashing [20].
NIST started a new competition to design a replacement for
SHA-2 to ensure the long-term robustness of hash func-
tions. The new algorithm will be given the name SHA-3,
and it will become a FIPS standard in 2012 [21].
Compared to the 128-bit MD5 and the 160-bit SHA-1,
-2 has larger message digests, that is, 256-, 384-, and
512-bit, which imply higher energy consumption for
transmitting them and larger hardware area for their
implementation. There are no specialized implementations
of SHA-2 for WSNs in the literature at this time; most of its
current implementations are optimized for speed and
throughput.
Figure 6 shows the SHA-2 iteration as described in the
FIPS standard [22]. Eight 32-bit constants are used to ini-
tialize the first iteration (i.e., A–F). As Table 3 shows,
SHA-256 has 64 iterations, and it uses 64 different 32-bit
constants Kt for each iteration. SHA-384 and SHA-512
have 80 iterations and they use 80 different 64-bit constants
for each iteration. The larger size and number of constants
require more memory to store them, resulting in higher
energy consumption per block compared to SHA-256 [23].
This makes it the best choice for SN-SEC platform.
4.3 Asymmetric primitives
Many security mechanisms proposed for WSNs in the lit-
erature avoided asymmetric primitives because of their
high energy and time costs, especially for software
implementations. The notion of infeasibility of these
primitives has been changed partially due to the develop-
ment of new asymmetric algorithms that are more efficient
than RSA [24]. For example, the Rabin signature algorithm
[25] is very similar to RSA; its main advantage is the speed
of its encryption and signature verification operations. A
disadvantage is the signature size, as a single signature
requires 512 bits. NTRU [26] is much faster, for both
encryption and verification operations than RSA. On the
other hand, it also shares the Rabin scheme disadvantage;
its signature requires 1,169 bits.
The secFleck is the first recognized hardware platform
that was used to provide asymmetric encryption for WSNs
[6]. It is based on a commodity TPM chip that extends the
capability of a standard node. Although this implementa-
tion can perform 2,048 bit RSA encryption in 500 ms with
11mJ of energy, it has many shortcomings. Firstly, RSA
has a large key size; this results in large hardware area and
energy consumption for the implementation. Secondly,
transmitting a large key on the wireless medium isFig. 6 SHA-2 iteration
Table 3 SHA algorithms comparison
Algorithm Block size Iterations Word size Round constants Digest size Equivlant security
SHA-1 512 80 32 5 160 Broken
SHA-256 512 64 32 64 256 128
SHA-384 1,024 80 64 80 384 192
SHA-512 1,024 80 64 80 512 256
Pers Ubiquit Comput
123
expensive in terms of energy consumption. Thirdly, storing
the keys on an EEPROM makes it easy to compromise the
node by resolving the keys.
The elliptic curve cryptography (ECC) [27] is the most
suitable asymmetric cryptographic primitive for WSNs.
The per-bit security for ECC is higher than other asym-
metric algorithms. For example, the security of a 160-bit
key for ECC is equivalent to 1,024 bit key of RSA [28].
This relatively small key size results in a small hardware
area, short running time, and most importantly it reduces
the energy needed to transmit the key in a wireless med-
ium. The energy cost of transmitting one bit is equivalent
to the energy consumed in more than a thousand CPU
cycles of a standard WSN node processor [29].
Elliptic curve cryptography (ECC) is based on algebraic
concepts related with elliptic curves over Galois fields.
These fields can be binary fields GF (2n) or prime fields GF
(P). Choosing binary fields is more attractive for energy
efficient hardware implementations because it reduces
both, the hardware area and energy consumption. They also
offer more options in terms of bases, irreducible polyno-
mials, and fields [30].
Choosing the domain parameters of the elliptic curve is
another matter of efficiency. The NIST and Securities
Exchanges Guarantee Corporation (SEGC) proposed
curves and domain parameters for ECC [28, 31]. Choosing
a curve within a field size that is larger than 160 bits is
recommended for both prime and binary fields. In July
2009, a 112-bit prime field ECC case was broken using a
cluster of over 200 PlayStation 3 game consoles within
3.5 months [32]. Before that, a 109-bit key binary field
case was broken in April 2004 using 2,600 computers for
17 months [32]. The Certicom ECC challenge [33] clas-
sified the curves in to two levels. Level I curves are con-
sidered feasible to break and could be broken within a few
months. Level II curves are considered computationally
infeasible. Table 4 shows the curve field sizes, their sym-
metric equivalent strength, and level classification.
The main ECC primitive operation is the scalar point
multiplication. It consists of a series of point additions and
doublings, which are of a series of modular: addition,
multiplication, squaring, and inversion operations,
according to a specific coordinate system. Many projective
coordinate systems were proposed in the literature to avoid
the high cost of modular inversion that is repeated in each
point addition and doubling in the affine coordinates. Many
new curve representations associated with projective
coordinates systems are being proposed. Montgomery
coordinates are the most efficient so far [34]. Table 5
shows some common coordinate systems and their costs in
terms of number of inversions (I), multiplications (M), and
squaring (S).
Redundant interleaved modular multiplications [35],
Barrett multiplication [36], and Montgomery modular
multiplication [37] with carry save addition are the most
efficient modular multiplication algorithms proposed.
Redundant interleaved multipliers are reported to have
some advantage over Montgomerys in area and speed.
However, using one carry save adder with Montgomery
algorithm makes it similar to redundant interleaved mul-
tipliers in area with small advantage over higher precision
[38]. Barrett multiplication and Montgomery multiplication
have similar area and timing results [39].
Some specialized ECC hardware implementations for
WSNs have been proposed recently. An ECC processor is
proposed in the 163-bit binary extension field in [40]. It
Table 4 Security status of curves in GF (P) and GF (2n)
GF (112) GF (128) GF (160) GF (192) GF (224) GF (256)
Prime fields
Strength 56 65 80 96 112 128
Level I I II II II II
Broken In 2009 No No No No No
GF (109) GF (131) GF (163) GF (193) GF (233) GF (239)
Binary fields
Strength 47 64 80 96 112 128
Level I I II II II II
Broken In 2009 No No No No No
Table 5 Elliptic curve coordinates systems comparison
Coordinate system EC doubling EC addition
Affine 1I ? 2M ? 2S 1I ? 2M ? 1S
Standard projective 7M ? 3S 12M ? 2S
Jacobian 4M ? 4S 12M ? 4S
Lpez–Dahab 2M ? 4S 4M ? 2S
Montgomery 2M ? 4S 4M ? 1S
Pers Ubiquit Comput
123
uses Montgomery coordinators and Shamirs trick to resist
simple power analysis attack. A processor with a special
high speed inverter in the affine coordinates and 4-bit digit-
serial multiplier in the 191-bit binary extension field was
proposed by Aigner et al. [41]. It has 25k gate count,
0.16 mm2 chip area on 0.13 lm CMOS technology, and it
can perform an ECC scalar multiplication in 342k cycles at
10 MHz. Batina et al. [42] proposed a hardware-based
ECC architecture that can perform an ECC scalar multi-
plication in 292k cycles in the 163-bit binary extension
field. It consumes 11.33 lW and uses 14,566 kgates of the
UMC 0.13 lm CMOS technology.
Figure 7 shows the elliptic curve processor design for
SN-SEC platform, and it was implemented using the
Montgomery coordinate system in the 163-bit binary
extension field. Redundant interleaved modular multiplier
was used for modular multiplication, a modular squarer
[43], a binary modular inversion unit [44], and a modular
adder. The elliptic curve point multiplication can be com-
puted in 80,000 cycles using this design.
5 SN-SEC implementation
Figure 8 shows the design of the SN-SEC platform. It
consists of three main parts, a 32-bit reduced instruction set
computing (RISC) processor; an encryption processor that
can contain the hardware implementation of AES, ECC,
and SHA with its own 32 kB dual port memory; and a 512
kB internal memory module.
The 32-bit RISC processor is a modified version of the
open source zylin processor unit (ZPU) [45]. New
instructions were added to the instruction set architecture
(ISA) to control each of the crypto-primitives implemented
in the encryption processor and to provide the input
plaintext and encryption keys to it. This is done by writing
to specific locations in the dual port memory of the
encryption processor, the main processor can only write to
that memory using the write only port of the dual port
memory. This is done by keeping the read/write input of
the memory port connected to the RISC processor on the
write mode by physically connecting it to the VCC. We
assume that the main processor is programmed to delete the
keys after they are loaded to that memory. This makes it
difficult for the attacker to get the keys, because physically
it can not read them back from the dual port memory using
any program running on the OS. This will help secure the
key storage. The output of the encryption processor can be
written to specific locations on the internal memory.
The SN-SEC platform was implemented in VHDL using
the ModelSim digital simulation and functional verification
tool. The energy and time using synthesizes for the Spartan
6 xc6slx25 FPGA are shown in Table 6. The design con-
sumed \64 % of the device resources.
Table 7 shows a list of well-known WSN processor
platforms; the SN-SEC platform outperforms them in terms
of the achieved level of security with a reasonable security-
related energy and time consumptions. This allows
implementing highly secure wireless nodes, with security
protocols based on complex cryptographic primitives that
can run in short periods of time, without affecting the
execution of other programs running and without signifi-
cantly affecting the life time of the wireless sensor node.
Fig. 7 ECC design
Fig. 8 SN-SEC architicture
Table 6 Hardware implementations results
Component Frequency
(MHz)
Power
(mw)
Clock
cycles
Time
(ls)
Energy
(nJ)
ECC-163 80,000 1,330.71 3,5929.34
AES-128 60.118 27 160 1.66 71.86
SHA-256 64 1.06 28.74
Pers Ubiquit Comput
123
6 Conclusion and future work
In this paper, we scrutinized the security holes in current
WSN platforms and proposed SN-SEC as a secure wireless
sensor platform with hardware cryptographic primitives to
secure these holes and provide more energy and time
efficiency.
We reviewed the most efficient configurations and spe-
cialized implementations of the cryptographic primitives in
the literature and selected the most suitable of them for the
SN-SEC platform based on their compatibility with con-
strained nature of WSNs and their security. We also pro-
vided a VHDL implementation of SN-SEC platform and
synthesis results for Spartan-6 low-power FPGA.
In the future, we will continue to implement a complete
and secure wireless sensor node. This includes building
robust security protocols and services based on the pro-
posed hardware platform that minimizes the amount of
energy consumption due to security-related communication
and processing.
References
1. Sanchez T, Ranasinghe DC, Harrison M, McFarlane D Adding
sense to the internet of things—an architecture framework for
smart object systems. Pers Ubiquitous Comput 16(3):291–308
2. Harrop P (2008) Wireless sensor networks 2009–2019. Technical
report. IDTechEx
3. Bla E, Zitterbart M (2005) Efficient implementation of ECC for
wireless sensor networks, telematics. Technical reports. Univer-
sity of Karlsruhe
4. Joseph B, Ilya M (2006) Cache-collision timing attacks against
AES. In: Proceedings of the cryptographic hardware and
embedded systems—CHES 2006, vol 4249. LNCS, pp 201–215
5. Healy M, Newe T, Lewis E (2007) Efficiently securing data on a
wireless sensor network. J Phys Conf Ser 76
6. Hu W, Corke P, Shih WC, Overs L (2009) secFleck: a public key
technology platform for wireless sensor networks. In: European
conference on wireless sensor networks (EWSN), pp 296–311
7. Alex Halderman J et al (2008) LestWe remember: cold boot
attacks on encryption keys. In: Proceedings of the 17th USENIX
security symposium, San Jose, CA
8. Girao J, Westhoff D, Schneider M (2004) CDA: concealed data
aggregation in wireless sensor networks. In: Proceedings of ACM
workshop on wireless security (WiSe ‘04)
9. Yamada A, Schneider W (2009) Survey on the current status of
research and development (R&D) of cryptographic technology in
the European Commission
10. Nechvatal J, Barker E, Bassham L, Burr W, Dworkin M, Foti J,
Roback E (2000) Report on the development of the advanced
encryption standard (AES). National Institute of Standards and
Technology
11. FIPS PUB 197 (2001) Advanced encryption standard (AES).
National Institute of Standards and Technology, U.S. Department
of Commerce. http://csrc.nist.gov/publications/fips/fips197/fips-
197.pdf
12. Huai L, Zou X, Liu Z, Han Y (2009) An energy-efficient AES-
CCM implementation for IEEE802.15.4 wireless sensor net-
works. In: International conference on networks security, wireless
communications and trusted computing
13. Feldhofer M, Wolkerstorfer J, Rijmen V (2005) AES imple-
mentation on a grain of sand. IEE Proc 152:13–20
14. Mentens N, Batina L, Preneel B, Verbauwhede I (2005) A sys-
tematic evaluation of compact hardware implementations for the
Rijndael S-box. In: Proceedings of the CT-RSA, pp 323–333
15. Bellare M, Kilian J, Rogaway P (1994) The security of cipher
block chaining. In: Desmedt Y (ed) Advances in cryptology
crypto ‘94 proceedings, vol 839. Lecture Notes in Computer
Science, Springer, pp 340–358
16. Sotirov A, Stevens M, Appelbaum J, Lenstra A, Molnar D, Dag
AO, de Weger B (2008) MD5 considered harmful today: creating
a rogue CA certificate
17. Wang X, Yin YL, Yu H (2005) Finding collisions in the full
SHA1. Crypto 2005
18. Sugita M, Kawazoe M, Imai H, Grobner (2006) Basis based crypt-
analysis of SHA-1. Cryptology ePrint archive. Report 2006/098
19. National Institute on Standards and Technology Computer
Security Resource Center (2011) NIST’s policy on hash func-
tions. Retrieved 15 Nov 2011
20. Halevi S, Krawczyk H (2006) Strengthening digital signatures via
randomized hashing. Advances in cryptology—CRYPTO ‘06, vol
4117. LNCS, Springer, pp 41–59
21. Tentative Timeline of the Development of New Hash Functions
(2008) NIST. Retrieved 15 Nov 2011
22. NIST (2002) FIBS-PUB 180-2. Secure hash standard
23. Mohammad A, Marzi H, Aslam N, Tawalbeh L (2010) Hardware
implementation of secure hasing functions on FPGAs for WSNs.
In: Third international conference on the applications of digital
information and web technologies (ICADIWT), Turkey
24. Rivest R, Shamir A, Adleman L (1978) A method for obtaining
digital signatures and public-key cryptosystems. Commun ACM
21(2):120–126
Table 7 Comparison with other WSNs processors
Processor Power
(mw)
Datapath
width (bit)
Memory
(kB)
Frequency
(MHz)
Energy
(pJ/Ins)
Technology
(nm)
Hardwre
Cryptography
SN-SEC 27 32 512 60 450 45 Yes
Intel strongARM 400 32 16 206 1942 350 No
Texas instruments MSP 430 6 16 10 8 750 350 No
BitSNAP [46] 43.6 16 8 200 218 180 No
[47] 1.78 16 128 0.434 27 65 No
Atmel ATmega 128L 75 8 4 16 3,200 350 No
[48] 0.768 8 68 8 96 130 No
Pers Ubiquit Comput
123
25. Rabin MO (1979) Digital signatures and public key functions as
intractable as factoring technical memo TM-212. Laboratory for
Computer Science, MIT
26. Hoffstein J, Pipher J, Silverman JH (1998) NTRU: a ring based
public key cryptosystem. In: Buhler JP (ed) Algorithmic number
theory (ANTS III), vol 1423, Portland, OR, USA. Lecture Notes
in Computer Science, Springer, Berlin
27. Blake G, Seroussi N, Smart P (1999) Elliptic curves in cryptog-
raphy. Cambridge University Press, Cambridge, ISBN: 0-521-
65374-6
28. National Institute of Standards and Technology (1999) Recom-
mended elliptic curves for federal government use
29. Karl H, Willig A (2005) Protocols and architectures for wireless
sensor networks. Wiley, Chichester, p 44, ISBN: 978-0-470-
09510-2
30. Batina L, Guajardo J, Preneel B, Tuyls P, Verbauwhede I (2008)
Public-key cryptography for RFID tags and applications. In:
Kitsos P, Zhang Y (eds) RFID security: techniques,protocols and
system-on-chip design. Springer, pp 317–348
31. Standards for Efficient Cryptography Group (SECG) (2000)
Recommended elliptic curve domain parameters. SEC 2
32. U.S. National Security Agency (2009) Fact sheet NSA suite
B cryptography. http://www.nsa.gov/ia/programs/suiteb_crypto
graphy/index.shtml
33. Certicom ECC Challenge (2009) Update. http://www.certicom.com/
images/pdfs/challenge-2009.pdf
34. Bernstein D, Lange T (2007) Faster addition and doubling on
elliptic curves. In: Advances in cryptology (ASIACRYPT) 2007.
Lecture Notes in Computer Science, vol 4833. Springer, New York
35. Blakley G (1983) A computer algorithm for calculating the
product AB modulo M. IEEE Transact Comput C-32(5):497–500
36. Barrett PD (1987) Implementing the Rivest Shamir and Adleman
public key encryption algorithm on a standard digital signal
processor. Advances in cryptology—crypto 86. LNCS, vol 263.
Springer, pp 311–323
37. Montgomery P (1985) Multiplication without trial division. Math
Comput 44:519–521
38. Amanor DN, Paar C, Pelzl J, Bunimov V, Schimmler M (2005)
Efficient hardware architectures for modular multiplication on
FPGAs. In: Proceedings of the FPL 2005
39. Knezevic M, Batina L, Verbauwhede I (2009) Modular reduction
without precomputational phase. In: Proceedings of the IEEE
international symposium on circuits and systems (ISCAS)
40. Batina L, Guajardo J, Kerins T, Mentens N, Tuyls P, Verba-
uwhede I (2007) Public-key cryptography for RFID-tags PerCom
workshops
41. Aigner H, Bock H, Hutter M, Wolkerstorfer J (2004) A low-cost
ECC coprocessor for smartcards. In: Cryptographic hardware and
embedded systems—CHES 2004, vol 3156. LNCS, pp 107–118
42. Batina L, Lee YK, Seys S, Singele D, Verbauwhede I (2012)
Extending ECC-based RFID authentication protocols to privacy-
preserving multi-party grouping proofs. J Pers Ubiquitous Com-
put 16(3):323–335
43. Ercegovac M, Lang T (2004) Digital arithmetic. Morgan Kauf-
mann, San Francisco, pp 221–223
44. Brent Richard P, Zimmermann P (N2010) Modern computer
arithmetic, vol 18. Cambridge monographs on computational and
applied mathematics. Cambridge University Press, Cambridge,
pp 65–67
45. Zylin Processor Unit (ZPU) (2011) http://repo.or.cz/w/zpu.git?a=
blob_plain;f=zpu/docs/zpu_arch.html. Retrieved 15 Nov 2011
46. Ekanayake V, Kelly C, Manohar R (2005) BitSNAP: dynamic
signicance compression for a low-energy sensor network asyn-
chronous processor. In: Proceedings of the 11th international
symposium on asyncronous circuits and systems
47. Kwong J, Ramadass Y, Verma N, Koesler M, Huber K, Moor-
mann H, Chandrakasan A (2008) A 65 nm sub-Vt, microcon-
troller with integrated SRAM and switched-capacitor DC–DC
converter. In: IEEE international solid-state circuits conference
(ISSCC)
48. Zhai B, Nazhandali L, Olson J, Reeves A, Minuth M, Helfand R,
Pant S, Blaauw D, Austin T (2006) A 2.60 pJ/Inst subthreshold
sensor processor for optimal energy efciency. In: IEEE sympo-
sium on VLSI circuits (VLSI-symposium)
Pers Ubiquit Comput
123