sign in sign up
<<
Home , Digital signature, NTRUSign, XTR

Comparison of Innovative Signature for WSNs

Benedikt Driessen Axel Poschmann Christof Paar escrypt GmbH Horst-Görtz-Institute for Horst-Görtz-Institute for Lise-Meitner-Allee 4 IT-Security IT-Security 44801 Bochum, Germany Ruhr-University Bochum, Ruhr-University Bochum, [email protected] Germany Germany [email protected] [email protected]

ABSTRACT the sensor nodes very efficiently. However, one problem with For many foreseen applications of Wireless Sensor Networks symmetric solutions is the management: neither an in- (WSN) – for example monitoring the structural health of a dividual key (shared only between a sensor and the sink) nor bridge – message integrity is a crucial requirement. Usu- a network-wide key (shared between all sensors) is a suitable ally, security services such as message integrity are real- solution. The first approach, though it offers the highest re- ized by symmetric only, because asymmet- siliency, suffers from a significant pre-distribution overhead, ric cryptography is often stated as impracticable for WSN. whereas the latter one offers a good scalability with no re- However, the proposed solutions for symmetric key estab- siliency. Many probabilistic solutions have been proposed to lishment introduce a significant computation, storage, and– with these issues [3, 14, 21]. All these schemes introduce most important–communication overhead. Digital signa- a significant computation, storage, and – most important – tures and key-exchange based on asymmetric algorithms communication overhead. would be very valuable though. In the literature nearly only Using protocols based on asymmetric cryptography eases RSA and ECC are implemented and compared for sensor the establishment of keys. Furthermore, digital signatures nodes, though there exist a variety of innovative asymmetric with all their benefits can be realized by asymmetric cryp- algorithms. To close this gap, we investigated the efficiency tography. However, asymmetric algorithms such as RSA [26] and suitability of algorithms based on inno- have much longer operand lengths compared to symmetric algorithms (1024 bit vs 80 bit). This in turn results in three vative asymmetric primitives for WSN. We chose XTR-DSA orders of magnitude longer processing times on a typical 8- and NTRUSign and implemented both (as well as ECDSA) bit micro-controller such as compared to symmetric for MICAz motes. MICAz algorithms [10]. Consequently, despite the fact that the us- age of asymmetric cryptography would solve many problems, Categories and Subject Descriptors it is often stated as impracticable for WSN. E.3 [Data ]: Public key ; D.2.8 Beside RSA exist a variety of asymmetric algorithms, such [Software Engineering]: Metrics—performance measures as NTRU [13], XTR [19], ECC [23], and the so called MQ algorithms to name just a few. Interestingly, virtually all General Terms publications dealing with asymmetric algorithms for WSN have been focusing on RSA and ECC only. To close this Algorithms, Measurement, Performance, Security gap, we investigated the efficiency and suitability of dig- ital signature algorithms based on innovative asymmetric 1. INTRODUCTION primitives for WSN. We chose to evaluate the ECDSA [16] The benefits of Wireless Sensor Networks (WSN) are dis- scheme which is quite wide spread and well examined, XTR- cussed widely these days. The foreseen applications range DSA [18, 19, 28] because of its compact signatures and com- from military to vehicular scenarios. However, many of these parable speed, and NTRUSign [12, 15] due to its simple and applications process sensitive data, for example a WSN that fast core operation, promising significant computational ad- measures the structural health of a bridge. Since adversaries vantages over the two other schemes. Despite this feature, can easily eavesdrop and also manipulate or inject messages, NTRUSign is often ignored because previous versions of this security is a crucial requirement for these applications. scheme have already been broken [8] and a rigorous security Protocols based on symmetric cryptography can assure proof has not been made, yet. integrity, authentity, and confidentiality of messages sent by A brief description of each schemes’ core arithmetic can be found in Section 2. For further details the interested reader is referred to the original publications and [7]. Section 3 is dedicated to briefly outlining the target platform, the tools Permission to make digital or hard copies of all or part of this work for used, and the main optimizations applied to the schemes. personal or classroom use is granted without fee provided that copies are Subsequently, our implementation results are presented and not made or distributed for profit or commercial advantage and that copies compared to other published implementation results in Sec- bear this notice and the full citation on the first page. To copy otherwise, to tion 4. Finally, in Section 5 we give our conclusions and republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. close the paper. WiSec’08, March 31–April 2, 2008, Alexandria, Virginia, USA. Copyright 2008 ACM 978-1-59593-814-5/08/03 ...$5.00. 2. CORE ARITHMETIC 2.2 XTR-DSA In this section we provide a brief overview of the arith- The XTR-DSA signature scheme is based on the XTR metic used by the signature schemes. Note that ECDSA and public key scheme. XTR has been proposed by Lenstra and XTR-DSA are based on the Digital Signature Verheul in 2000 [19] and is an abbreviation for “Efficient and (DSA) which was specified in a U.S. Government “Federal Compact Subgroup Trace Representation” (ECSTR). XTR Information Processing Standard” (FIPS) called the “Digital uses the trace Tr(g) ∈ Zp2 of g ∈ Zp6 to represent and cal- Signature Standard” (DSS) [1]. NTRUSign is defined by a culate powers of elements of the order p2 − p + 1 subgroup standard for financial services [24]. Z∗ of p6 . p and are primes where q is chosen such that q > 6 and q|p2 − p + 1 is satisfied. XTR’s main arithmetic 2.1 ECDSA is performed in the q order subgroup (“XTR-subgroup”) of 2 Z∗ The ECDSA scheme [16] is a signature scheme based on the p − p + 1 order subgroup (“XTR-supergroup”) of p6 . cryptography (ECC). An elliptic curve E over According to the authors of XTR, the scheme is able to the finite field K is defined by the simplified “Weierstrass achieve the same as RSA-1024 [26] by operat- Equation”, ing on XTR-subgroup elements with 160-170 bits size. The arithmetic in XTR is performed on elements 2 3 2 E(K): y = x + ax + b, char(K) 6= 2, 3 c = c1α + c2α ∈ Zp2 and an element t ∈ Zp is represented as −tα−tα2. We have observed that a complete XTR-DSA where a, b ∈ K. The points P = (x, y) ∈ E(K) on the el- signature scheme can be built on top of three atomic oper- liptic curve E form an abelian , where certain rules ations which we denote by Op1(·), Op2(·), and Op3(·) in the (“group law”) apply. The following basic mathematical op- remainder of this document. The following arithmetic in erations are perfomed on points P ∈ E(K): Zp2 and Zp is performed by these operations:

Addition Let P1 = (x1, y1),P2 = (x2, y2) ∈ E(K) be two Op1(x,y,z,w) This operation requires four elements w, x, distinct points. The sum Q = (x3, y3) = P1 + P2 is y, z ∈ Zp2 . The resulting element c ∈ Zp2 is computed defined as follows: using two multiplications in Zp2 , „ «2 p y2 − y1 c = Op1(x, y, z, w) = xz − yz + w. x3 = − x1 − x2, x2 − x1 The actual arithmetic is performed by finite field oper- ations in Zp. For this purpose four modular multipli- „ « 2 y2 − y1 cations in Zp are required. c = c1α+c2α is computed y3 = (x1 − x3) − y1. x2 − x1 by,

c1 = w1 + (z1(y1 − x2 − y2) + z2(x2 − x1 + y2)) mod p, Doubling Let P = (x1, y1) ∈ E(K) be a point on E(K). The double Q = (x2, y2) = 2P is derived by the fol- c = w + (z (x − x + y ) + z (y − x − y )) mod p. lowing equation: 2 2 1 1 2 1 2 2 1 1

Op2(x) c = Op2(x) is computed by one squaring in Z 2 , „ 2 «2 p 3x1 + a x2 = − 2x1, 2 p 2y1 c = Op2(x) = x − 2x . Note that computation of xp does not require any „ 2 « Z p p p p 2p p 3x1 + a arithmetic in p, because x = x1α +x2α = x1α + y2 = (x1 − x2) − y1. 2y1 x2α, hence x1 and x2 are just swapped – only two mul- tiplications are performed instead, By using these basic operations we can construct two point c1 = x2(x2 − 2x1) − 2x2 mod p, multiplication methods, which are required by the ECDSA scheme. c2 = x1(x1 − 2x2) − 2x1 mod p.

Single (scalar) point multiplication Let P ∈ E(K) be Op3(x) This operation is based on Op2(·) and can be com- a point on E(K), k ∈ ord(K) is an . Single puted as point multiplication Q = kP may be performed by k p 3 p+1 additions; Q = P + P + ··· + P . c = Op3(x) = (Op2(x) − x )x + 3 = x − 3x + 3. | {z } k We compute c1, c2 in two steps, first we compute t1, t2,

t1 = x2(x2 − 2x1) − 3x2 mod p, Simultaneous (scalar) point multiplication Let P1,P2 ∈ E(K) be two distinct points on E(K) where k, l ∈ ord(K) are . Simultaneous point multiplica- t2 = x1(x1 − 2x2) − 3x1 mod p. tion Q = kP1 +lP2 may be performed by applying sin- From t1, t2 we can compute c1, c2 directly. By applying gle point multiplication to obtain X1 = kP1, X2 = lP2 the ideas of Karatsuba [2] we compute (x1x2), (t1t2), and adding X1 and X2; X1 + X2 = Q. and (x1 + x2)(t1 + t2) and therefore only need a total of five multiplications in Zp. Single point multiplication is performed once during the sig- nature generation process, while the verification algorithm Given these operations, we can construct exponentiation al- requires the simultaneous multiplication method. gorithms. Z∗ Z Single exponentiation For g ∈ p6 and k ∈ q the single Most of our optimizations took place on the second layer. exponentiation algorithm computes Tr(gk). Point addition and doubling is performed in mixed (Ja- cobian/affine) coordinates. We assume that the keypair Double exponentiation Computing Tr(gbk+a) for two in- changes infrequently and the curve is fixed by the parameters Z Z∗ defined by SECP160R1. Under these assumption we can ne- tegers a, b ∈ q and the “generator” g ∈ p6 requires glect the computational costs of the pre-computation phases the knowledge of c = Tr(gk), which is part of the k required by the fixed-point methods we used for generating public key. and verifying a signature. For single multiplication (i.e., Single exponentiation is performed once by the signature kP ), we implemented an adaption of the “fixed-base comb generation method, whereas double exponentiation is per- method” [11, Alg. 3.44] with a single table. While optimiz- formed once by the verification method. For a more de- ing our implementation of the so-called “Shamir’s trick” [11, tailed explanation of XTR’s mathematical background, the Alg. 3.48] we derived two further variants of this simultane- interested reader is referred to [18, 19, 28]. ous scalar multiplication algorithm which computes kP +lQ. w By pre-computing Γi,j = iP + jQ for all i, j ∈ [0, 2 − 1] we 2.3 NTRUSign can accelerate the multiplication-step. Our first variant [7, Alg. 42] is based on the observation that the original algo- is a digital signature scheme by Hoffstein NTRUSign rithm scales badly, i.e., increasing the window-size w by one et al. The first version of was published in NTRUSign quadruples the size of the pre-computation table. Our mod- 2003 [12]. is the successor of the “NTRU Sig- NTRUSign ification truncates the pre-computation table by computing nature Scheme” (NSS), which was published [13] and suc- 0 0 w−1 w Γ 0 0 for all i , j ∈ [0, t − 1] with 2 < t < 2 . This way, cessfully attacked [8] in 2001. ’s main arith- i ,j NTRUSign we can increase the table size in smaller steps, e.g., choosing metic operation is the convolution of two polynomials f, g ∈ w = 3 and t = 6 < 23 yields a table with 62 = 36 instead Z[X]/XN − 1, where h = f ∗ g such that of (23)2 = 64 points. Once pre-computation is complete, our multiplication algorithm starts by scanning the scalars X Z hk = figj , hk, fi, gj ∈ . k and l from the left with window size w, thereby obtaining i+j≡k mod N integers K,L ∈ [0, 2w − 1]. In case K ≥ t or L ≥ t we This operation can be performed efficiently in software, which can reduce K and L by right-shifting them by one bit. This effectively shrinks the width of the window that was used makes NTRU-based schemes (NSS, NTRUSign) promising w−1 candidates for fast signature schemes on constrained devices to obtain K and L by one, therefore K,L ∈ [0, 2 − 1]. Due to t > 2w−1 we can now safely use K and L to index such as the MICAz mote. our pre-computation table. We also derived a second vari- ant [7, Alg. 43] by combining the features of the fixed-point 3. IMPLEMENTATION method we previously mentioned and “Shamir’s trick”. Let We have developed modular ECDSA-, NTRUSign-, and t = dlog2(n)e, d = dt/we; we applied the idea of the origi- XTR-DSA-components in NesC (1.2.8a). The core arith- nal fixed-point method to “Shamir’s trick” by pre-computing metic was implemented in assembly specifically optimized Γα,β = aP + bQ where for the MICAz platform. All implementations were opti- d−1 d−1 d−1 mzed for speed rather than for code size, because a shorter z }| { z }| { z }| { processing time directly reduces the energy consumption. a = (0, ··· , 0, αw−1, ··· 0, ··· , 0, α1, 0, ··· , 0, α0)2 Benchmarks have been performed using the AVRStudio development suite [5] for micro-controllers. b = (0, ··· , 0, βw−1, ··· 0, ··· , 0, β1, 0, ··· , 0, β0)2 | {z } | {z } | {z } d−1 d−1 d−1 3.1 ECDSA for all α = (α , ··· , α ) , β = (β , ··· , β ) ∈ [0, 2w − Our implementation of ECDSA is optimized for use with w−1 0 2 w−1 0 2 1]. To compute kP + lQ we proceed as in the single fixed- the “SECP160R1” curve, a parameter set standardized by point method, with the difference that we write k = “Standards for Efficient Cryptography” (SEC2) [25]. The w−1 0 w−1 0 i i (K , ··· ,K ) d and l = (L , ··· ,L ) d and scan K ,L supported curve is supposed to provide a security level equiv- 2 2 simultaneously for all i ∈ [0, w − 1]. alent to a symmetric encryption scheme with an 80-bit key. For further details, the complete algorithms (including We can divide the ECDSA scheme in three layers: (1) fi- pre-computation methods), and a performance evaluation nite field arithmetic (in Zn or Zp), (2) ECC arithmetic (e.g., the interested reader is referred to [7, p. 42 ff.]. point addition, point multiplication, extitetc.), and (3) the ECDSA protocol layer. 3.2 XTR-DSA The finite field arithmetic on the first layer was imple- Our implementation of XTR-DSA uses two primes p and mented using Uhsadel’s previous work on fast and highly 2 efficient arithmetic routines in assembly [29, 30]. However, q satisfying q > 6 and q|p − p + 1, where Z Uhsadel’s routines can only be applied to calculations in p, dlog2(p)e = 170, dlog2(q)e = 160. so we had to complement them with arithmetic for mod- ular addition, subtraction, inversion and multiplication in The security provided by these parameters is assumed to Zn, which is only required by the third layer of ECDSA. equal the security of our ECDSA and NTRUSign imple- We implemented a variant of Euclid’s binary extended gcd- mentation [18, 19]. Similarly to the ECDSA scheme, we can algorithm [22, Alg. 14.62] as inversion algorithm and a com- divide XTR-DSA in three layers: (1) finite field arithmetic bination of Comba multiplication [4] with Barrett reduction (in Zp or Zq), (2) XTR arithmetic (Op1(·), Op2(·), Op3(·), [22, Alg. 14.42] for modular multiplication. Tr(gk), etc.), and (3) the XTR-DSA protocol layer. We will now list the most important optimizations on the RAM usage. We have noticed that XN = 1 is only applied first layer. For arithmetic in Zq we are actually re-using before Silverman’s algorithm returns. We have modified the the algorithms from our ECDSA implementation. Barrett’s algorithm so that the calling function needs to reserve only reduction in combination with Comba’s multiplication al- N coefficients for the resulting polynomial a. The idea of gorithm were implemented. Euclid’s binary gcd-algorithm our modification is to split the step where a is “assembled” computes inverses in Zq and Zp. The performance criti- from a1, a2, and a3 into two cases. In case 2n − 1 ≤ N, cal arithmetic in Zp is performed by separate algorithms. we assemble a straightforward according to Karatsuba’s for- We chose to perform calculations in Montgomery represen- mula. In case 2n−1 > N, we assemble a in a similar fashion, tation, therefore we can use faster Montgomery multiplica- but apply XN = 1 by adding the respective coefficients of tion algorithms instead of regular modular multiplication. a1, a2, and a3 directly instead of adding them according We have compared the “Finely Integrated Product Scan- to Karatsuba’s idea and applying the reduction step after- ning” (FIPS) to the “Coarsely Integrated Operand Scan- wards. By observing which coefficients of a1, a2, and a3 are ning” (CIOS) method [17] and found1 that the FIPS method added/subtracted and carefully sorting the order of these should be preferred on MICAz motes. We have imple- operations we were able to substitute the three polynomials mented the FIPS multiplication method, modular addition, (and hence three memory-buffers in every recursive itera- and subtraction in assembly, thereby significantly speeding tion) by one polynomial, see [7, Alg. 59]. up Op1(·), Op2(·), and Op3(·). Additionally, we have re-ordered the signature generation Our implementation of the second layer is based on a algorithm [7, Alg. 55] and found that the previously dis- paper by Stam [28]. Op1(·), Op2(·), and Op3(·) were im- cussed algorithm can be modified in order to compute two plemented in a straightforward manner according to the convolutions in parallel [7, Alg. 63], when both convolution equations as defined in Section 2.2, we only had to sub- operations share one input polynomial. stitute modular multiplication by Montgomery multiplica- tion. Our final implementation uses the “XTR Single Ex- ponentiation with Precomputation” [28, Alg. 4.3] and the 4. RESULTS improved “Simultaneous XTR Double Exponentiation” al- We will now shortly analyze the implemented signature gorithm [28, Alg. 3.1]. Changes to the latter algorithms schemes with respect to (1) energy consumption, (2) RAM were only made in order to transform the XTR-(sub)group and ROM size as estimated by the NesC compiler, (3) the elements to Montgomery representation. length of signatures and keys, and (4) the performance (sig- For more details and some additional “tricks” the inter- nature generation and verification) achieved by our imple- ested reader is referred to [7, p. 20 ff.]. mentation. Table 1 summarizes our results and compares them to other implementations. 3.3 NTRUSign We assume MICAz motes clocked at 7.37MHz to be used. The optimization of our NTRUSign implementation is At a supply voltage of 3V the MICAz mote draws a current based on a technical report by Silverman [27] and a paper of 12mA when the CPU is operating. From this we can on parameter generation by Hoffstein et al. [15]. From the calculate the energy consumption ECPU(t) for the timespan t latter we have chosen the follwing parameters, (in seconds) by

N = 127, d = 31, q = 256, NormBound = 122, ECPU(t) = 12mA · 3V · ts = (36 · t)mJ.

The computation energy figures E (t ) and E (t ) B = 1, t = ”transpose”, CPU sign CPU verify give the amount of energy required to perform one signing in combination with trinary polynomials. Our choice is esti- or verification operation. mated to provide a security level equivalent to a 80-bit sym- Furthermore, we assume its radio device (Chipcon’s metric key [15, Table 5]. Although implementing the keypair CC2420) to be operated with 0dB. From [6] we see that the generation methods took most of the time, we will now fo- current consumption for sending and receiving is 17.4mA cus on the signature generation and verification methods. and 18.8mA, respectively. The radio device is compliant For details on the keypair generation process, the interested with the 802.15.4 standard (ZigBee) and has an effective reader is referred to [7, p. 60 ff.]. data rate of 250kb/s. Therefore we can calculate the energy The “high speed multplication algorithm” presented by consumption Es for sending and Er for receiving one bit by Silverman is based on Karatsuba’s idea [2] and reduces the number of single-precision multiplications for two N-digit in- 17.4mA · 3V Es = = 209µJ/b, 2 3 2 250kb/s tegers from N to 4 N . By applying Karatsuba’s idea recur- sively, the complexity can be reduced even more. However, due to this recursive behaviour, a straightforward implemen- 18.8mA · 3V E = = 226µJ/b. tation of Silverman’s algorithm on MICAz is not advisable. r 250kb/s We have identified two problems that lead to excessive RAM usage when the algorithm is applied recursively. (1) The re- In TinyOS by default each message consists of a 10B header sulting polynomial a can have up to 2N coefficients, in this and a 29B payload. ZigBee specifies a maximum packet case the relation XN = 1 is applied. (2) The algorithm re- length of 128B. Therefore the maximum payload is theoret- quires three intermediate polynomials a1, a2, and a3 (with ically 118B. If more than 118B have to be transmitted the n coefficients each) for every recursive iteration (where n is message has to be split and sent in chunks. The overhead halved). Our solution to these problems results in 50% less for sending a payload of x total bytes can be calculated as xB ρ(x) = 10B · d 118B e. The total energy Et(x) for transmit- 1in contrast to the authors’ recommendation in [17] ting (i.e., sending and receiving) a message m of x = |m| bytes can be estimated by calculating Acknowledgement The work presented in this paper was supported in part by b Et(x) = (Es + Er) · (ρ(x) + x) · 8 . the European Commission within the STREP UbiSec&Sens B of the EU Framework Programme 6 for Research and Devel- opment (www.ist-ubisecsens.org). The views and conclu- The communication energy figures E (|Sig|) and E (|k |) t t pub sions contained herein are those of the authors and should are listed in Table 1. It is clearly visible that the commu- not be interpreted as necessarily representing the official nication cost of longer public keys plays a minor role – in policies or endorsements, either expressed or implied, of the our scenario – compared to the computation costs. How- UbiSec&Sens project or the European Commission. ever, with larger networks there might be a point where this relation turns into the opposite. 6. REFERENCES It is not surprising that the NTRUSign module is quite [1] Digital Signature Standard (DSS). Federal small; it has only one core operation (convolution) and is Information Processing Standards (FIPS) Publication therefore rather simple to implement. The ECDSA and the 186, National Institute of Standards and Technology XTR-DSA module have a more complex arithmetic, there- (NIST), May 1994. fore a lot more code is required. The RAM estimation seems [2] A. A. Karatsuba and Y. Ofman. Multiplication of to account for the memory statically allocated by the keypair Many-Digital Numbers by Automatic Computers. and pre-computed values such as the big pre-computation Soviet Physics-Doklad, 7:595–596, 1963. table of our ECDSA simultaneous fixed-point method. The [3] H. Chan, A. Perrig, and D. Song. Random Key RAM allocated by the XTR-DSA module is mostly used to store the Montgomery representation of the public key. Predistribution Schemes for Sensor Networks. In Proceedings of the IEEE Security and Privacy The signature sizes of XTR-DSA and ECDSA are iden- tical because a modulus of the same size is used to calculate Symposium 2003, 2003. the signature values. The size of their private key is also [4] P. G. Comba. Exponentiation Cryptosystems on the quite comparable. In order to accelerate XTR-DSA, we IBM PC. IBM Systems Journal 29, 4:526–536, 1990. chose to include the surrounding powers of ck in the public [5] Atmel Corporation. AVR Studio, 4.12.490, Service key, thereby drastically increasing the keysize. NTRUSign Pack 3. http://www.atmel.com/dyn/products/tools_ requires the largest keypair, this is due to the use of “Per- card.asp?tool\_id=2725. turbation bases”, i.e., we have to store two distinct private [6] Crossbow Technology Inc. MPR-MIB Users Manual - keys. Note that we have encoded trinary polynomials in Revision A. available via strings of 64B, see [7, p. 64] http://www.xbow.com/Support/Support_pdf_files/ NTRUSign is superior to the other signature schemes MPR-MIB_Series_Users_Manual., June 2007. when comparing signature generation and verification time. [7] B. Driessen. Efficient Embedded Implementation of Recall that these results are achieved with a pure NesC im- Security Solutions for ad-hoc Networks. Master’s plementation without any pre-computation. XTR-DSA and thesis, Ruhr-University Bochum, ECDSA are heavily assembly-enhanced and nearly equally http://www.crypto.rub.de/theses.html, September fast in generating a signature, but ECDSA wins the verifica- 2007. tion benchmark. However, ECDSA’s symmetric behaviour [8] C. Gentry, J. Jonsson, J. Stern, and M. Szydlo. requires a long pre-computation phase, because the simul- of the NTRU Signature Scheme (NSS) taneous fixed-point method calculates 64 points in advance. from Eurocrypt ’01. In Advances in Cryptology – All of our implementations outperform TinyECC, while the Asiacrypt 2001, Proceedings, volume 2248, pages RSA signature verification due to Gura et al. is faster than 123–131. Springer, 2001. ECDSA and XTR-DSA. [9] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz. Elliptic curve cryptography and RSA on 8-bit CPUs. In Proceedings of Workshop on Crpytographic 5. CONCLUSIONS Hardware and Embedded Systems (CHES 2004), 6th Despite the fact that there exist a variety of asymmet- International Workshop, pages 119 – 132, 2004. ric algorithms, publications dealing with implementation of [10] N. Gura, A. Patel, A. Wander, H. Eberle, and S.C. public key schemes for WSN only focus on RSA and ECC. In Shantz. Comparing Elliptic Curve Cryptography and order to close this gap we have investigated the efficiency and RSA on 8-bit CPUs. Proceedings of Workshop on suitability of two innovative asymmetric algorithms for WSN Cryptographic Hardware and Embedded Systems – namely XTR-DSA and NTRUSign – in direct compari- (CHES 2004), 6th International Workshop, pages son to the de-facto standard for lightweight signature appli- 119–132, 2004. cations ECDSA. However, past and attacks on the [11] D. Hankerson, A. Menezes, and S. Vanstone. Guide to NTRU-based scheme weakened the trust into NTRUSign, it Elliptic Curve Cryptography. Springer, 2004. should be awaited if NTRUSign becomes stable before us- [12] J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. ing it in security critical applications. Nevertheless, our im- Silverman, and W. Whyte. NTRUSign: Digital plementation results show that NTRUSign requires 619ms signatures using the NTRU lattice. In Proceedings of to generate and 78ms to verify a signature. This is signifi- the RSA conference, 2003. cantly less than any other digital signature scheme published [13] J. Hoffstein, J. Pipher, and J. H. Silverman. NSS: An so far. At the same time the memory requirements of 11.3kB NTRU Lattice-Based Signature Scheme. In Advances ROM and 542B RAM are moderate making it an interesting in Cryptology - EUROCRYPT 2001, Proceedings, candidate for usage in WSN. volume 2045, pages 211–228, 2001. [14] Joengmin Hwang and Yongdae Kim. Revisiting random key pre-distribution schemes for wireless ) sensor networks. In SASN ’04: Proceedings of the 2nd mJ mJ mJ mJ mJ verify t 5 8 7 3 . . . . (

ACM workshop on Security of ad hoc and sensor 81 . 15 33 87 2 72 networks, pages 43–52, New York, NY, USA, 2004. CPU ACM Press. E

[15] J. Hoffstein and N. Howgrave-Graham and J. Pipher )

and J. H. Silverman and W. Whyte. Performance sign mJ mJ mJ mJ t mJ 7 0 0 3 ( . . .

Improvements and a Baseline Parameter Generation , CPU 396 33 72 22 Algorithm for NTRUSign, 2005. 34 [16] D. Johnson and A. Menezes. The ellipcit curve digital E )

signature algorithm (ECDSA), 1999. | pub µJ µJ µJ [17] C. K. Koc¸c, T. Acar, and B. S. Kaliski Jr. Analyzing µJ µJ k |

and comparing Montgomery multiplication algorithms. ( t 525 174 174 511 681

IEEE Micro, 16(3):26–33, 1996. E

[18] A. K. Lenstra and E. R. Verheul. An overview of the ) XTR public key system. In The Proceedings of the | µJ µJ µJ µJ µJ Sig

Public Key Cryptography and Computational Number | ( t 514 174 174 Theory Conference, 2000. 511 174 E [19] A. K. Lenstra and E. R. Verheul. The XTR public key s s s s system. Lecture Notes in Computer Science, 1880:1+, s 43 938 436 078 009 2000...... verify 0 t 0 2 [20] A. Liu and P. Ning. TinyECC: A Configurable Library 0 2 s s s for Elliptic Curve Cryptography in Wireless Sensor s s 99

Networks. Technical Report TR-2007-36, North . sign 918 001 619 965 . . . . t 10 0 2 Carolina State University, Department of Computer 0 0 Science, November 2007. | B B B [21] D. Liu and P. Ning. Location-based Pairwise Key B B pub k 40 40 131 127 Establishments for Static Sensor Networks. 2003 ACM 176 Workshop on Security in Ad Hoc and Sensor Networks | | B B B B (SASN ’03), 720082, 2003. B priv 21 21 20 k 128 [22] A. J. Menezes, P. C. van Oorschot, and S. A. 383 Vanstone. Handbook of applied cryptography. CRC | | B B B B Press, 1996. Available at B Sig 40 40 40 | 128 www.cacr.math.uwaterloo.ca/hac/. 127 [23] V.S. Miller. Use of Elliptic Curves in Cryptography.

In Advances in Cryptology - Proceed- ings of B kB kB kB kB 1 2 5 6 . . . CRYPTO’85, pages 417–426, 1986. . 542 1 3 1 [24] N/A. DSTU X9.98 Draft 9 - Lattice-Based Polynomial 1 Public Key Establishment Algorithm for the Financial kB kB kB kB kB 3 2 3 Services Industries. Technical report, Accredited 3 4 . . . . .

Standards Commitee X9 Incorporated, 22. 2007. 7 11 43 19 24 [25] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters. Standards for Efficient Cryptography Version 1.0, 2000. [26] R. L. Rivest, A. Shamir, and L. M. Adleman. A RSA ECDSA method for obtaining digital signatures and public-key ECDSA XTR-DSA cryptosystems, pages 120 – 126. 1978. NTRUSign [27] J. H. Silverman. High Speed Multiplication of (Truncated) Polynomials. Technical Report 10, NTRU, 1999. , [9]

[28] M. Stam and A. K. Lenstra. Speeding up XTR. In , [20] Advances in Cryptology – Asiacrypt 2001, pages et al.

125–143. Springer Verlag, 2001. et al.

[29] L. Uhsadel. Comparison of Low-Power Public Key Author(s) Scheme ROM RAM Liu Cryptography on MICAz 8-bit Micro Controllers. Gura

Master’s thesis, Ruhr-University Bochum, 2007. This work, see also [7] [30] Leif Uhsadel, Axel Poschmann, and Christof Paar. Enabling Full-Size Public-Key Algorithms on 8-bit Sensor Nodes. In Proceedings of ESAS 2007, volume Table 1: Implementation results of NTRUSign, 4572 of LNCS, pages 73–86, 2007. ECDSA, and XTR-DSA for MICAz