
Comparison of Innovative Signature Algorithms for WSNs

Benedikt Driessen, escrypt GmbH, Lise-Meitner-Allee 4, 44801 Bochum, Germany
Axel Poschmann, Horst-Görtz-Institute for IT-Security, Ruhr-University Bochum, Germany
Christof Paar, Horst-Görtz-Institute for IT-Security, Ruhr-University Bochum, Germany

ABSTRACT

For many foreseen applications of Wireless Sensor Networks (WSN) – for example monitoring the structural health of a bridge – message integrity is a crucial requirement. Usually, security services such as message integrity are realized by symmetric cryptography only, because asymmetric cryptography is often stated as impracticable for WSN. However, the proposed solutions for symmetric key establishment introduce a significant computation, storage, and – most important – communication overhead. Digital signatures and key-exchange based on asymmetric algorithms would be very valuable though. In the literature nearly only RSA and ECC are implemented and compared for sensor nodes, though there exist a variety of innovative asymmetric algorithms. To close this gap, we investigated the efficiency and suitability of digital signature algorithms based on innovative asymmetric primitives for WSN. We chose XTR-DSA and NTRUSign and implemented both (as well as ECDSA) for MICAz motes.

Categories and Subject Descriptors

E.3 [Data Encryption]: Public key cryptosystems; D.2.8 [Software Engineering]: Metrics—performance measures

General Terms

Algorithms, Measurement, Performance, Security

1. INTRODUCTION

The benefits of Wireless Sensor Networks (WSN) are discussed widely these days. The foreseen applications range from military to vehicular scenarios. However, many of these applications process sensitive data, for example a WSN that measures the structural health of a bridge. Since adversaries can easily eavesdrop and also manipulate or inject messages, security is a crucial requirement for these applications.

Protocols based on symmetric cryptography can assure integrity, authenticity, and confidentiality of messages sent by the sensor nodes very efficiently. However, one problem with symmetric solutions is the key management: neither an individual key (shared only between a sensor and the sink) nor a network-wide key (shared between all sensors) is a suitable solution. The first approach, though it offers the highest resiliency, suffers from a significant pre-distribution overhead, whereas the latter one offers a good scalability with no resiliency. Many probabilistic solutions have been proposed to deal with these issues [3, 14, 21]. All these schemes introduce a significant computation, storage, and – most important – communication overhead.

Using protocols based on asymmetric cryptography eases the establishment of keys. Furthermore, digital signatures with all their benefits can be realized by asymmetric cryptography. However, asymmetric algorithms such as RSA [26] have much longer operand lengths compared to symmetric algorithms (1024 bit vs 80 bit). This in turn results in three orders of magnitude longer processing times on a typical 8-bit micro-controller such as MICAz compared to symmetric algorithms [10]. Consequently, despite the fact that the usage of asymmetric cryptography would solve many problems, it is often stated as impracticable for WSN.

Besides RSA there exist a variety of asymmetric algorithms, such as NTRU [13], XTR [19], ECC [23], and the so-called MQ algorithms, to name just a few. Interestingly, virtually all publications dealing with asymmetric algorithms for WSN have been focusing on RSA and ECC only. To close this gap, we investigated the efficiency and suitability of digital signature algorithms based on innovative asymmetric primitives for WSN. We chose to evaluate the ECDSA [16] scheme which is quite widespread and well examined, XTR-DSA [18, 19, 28] because of its compact signatures and comparable speed, and NTRUSign [12, 15] due to its simple and fast core operation, promising significant computational advantages over the two other schemes. Despite this feature, NTRUSign is often ignored because previous versions of this scheme have already been broken [8] and a rigorous security proof has not been made yet.

A brief description of each scheme's core arithmetic can be found in Section 2. For further details the interested reader is referred to the original publications and [7]. Section 3 is dedicated to briefly outlining the target platform, the tools used, and the main optimizations applied to the schemes. Subsequently, our implementation results are presented and compared to other published implementation results in Section 4. Finally, in Section 5 we give our conclusions and close the paper.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
WiSec'08, March 31–April 2, 2008, Alexandria, Virginia, USA.
Copyright 2008 ACM 978-1-59593-814-5/08/03 ...$5.00.

2. CORE ARITHMETIC

In this section we provide a brief overview of the arithmetic used by the signature schemes. Note that ECDSA and XTR-DSA are based on the Digital Signature Algorithm (DSA) which was specified in a U.S. Government "Federal Information Processing Standard" (FIPS) called the "Digital Signature Standard" (DSS) [1]. NTRUSign is defined by a standard for financial services [24].

2.1 ECDSA

The ECDSA scheme [16] is a signature scheme based on elliptic curve cryptography (ECC). An elliptic curve $E$ over the finite field $K$ is defined by the simplified "Weierstrass Equation",

$$E(K): y^2 = x^3 + ax + b, \quad \mathrm{char}(K) \neq 2, 3$$

where $a, b \in K$. The points $P = (x, y) \in E(K)$ on the elliptic curve $E$ form an abelian group, where certain rules ("group law") apply. The following basic mathematical operations are performed on points $P \in E(K)$:

Addition. Let $P_1 = (x_1, y_1), P_2 = (x_2, y_2) \in E(K)$ be two distinct points. The sum $Q = (x_3, y_3) = P_1 + P_2$ is defined as follows:

$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2,$$

$$y_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)(x_1 - x_3) - y_1.$$

Doubling. Let $P = (x_1, y_1) \in E(K)$ be a point on $E(K)$. The double $Q = (x_2, y_2) = 2P$ is derived by the following equation:

$$x_2 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1,$$

$$y_2 = \left(\frac{3x_1^2 + a}{2y_1}\right)(x_1 - x_2) - y_1.$$

By using these basic operations we can construct two point multiplication methods, which are required by the ECDSA scheme.

Single (scalar) point multiplication. Let $P \in E(K)$ be a point on $E(K)$, $k \in \mathrm{ord}(K)$ is an integer. Single point multiplication $Q = kP$ may be performed by $k$ additions; $Q = \underbrace{P + P + \cdots + P}_{k}$.

Simultaneous (scalar) point multiplication. Let $P_1, P_2 \in E(K)$ be two distinct points on $E(K)$ where $k, l \in \mathrm{ord}(K)$ are integers. Simultaneous point multiplication $Q = kP_1 + lP_2$ may be performed by applying single point multiplication to obtain $X_1 = kP_1$, $X_2 = lP_2$ and adding $X_1$ and $X_2$; $X_1 + X_2 = Q$.

2.2 XTR-DSA

The XTR-DSA signature scheme is based on the XTR public key scheme. XTR has been proposed by Lenstra and Verheul in 2000 [19] and is an abbreviation for "Efficient and Compact Subgroup Trace Representation" (ECSTR). XTR uses the trace $Tr(g) \in \mathbb{Z}_{p^2}$ of $g \in \mathbb{Z}_{p^6}$ to represent and calculate powers of elements of the order $p^2 - p + 1$ subgroup of $\mathbb{Z}^*_{p^6}$. $p$ and $q$ are primes where $q$ is chosen such that $q > 6$ and $q \mid p^2 - p + 1$ is satisfied. XTR's main arithmetic is performed in the $q$ order subgroup ("XTR-subgroup") of the $p^2 - p + 1$ order subgroup ("XTR-supergroup") of $\mathbb{Z}^*_{p^6}$. According to the authors of XTR, the scheme is able to achieve the same security level as RSA-1024 [26] by operating on XTR-subgroup elements with 160-170 bits size.

The arithmetic in XTR is performed on elements $c = c_1\alpha + c_2\alpha^2 \in \mathbb{Z}_{p^2}$ and an element $t \in \mathbb{Z}_p$ is represented as $-t\alpha - t\alpha^2$. We have observed that a complete XTR-DSA signature scheme can be built on top of three atomic operations which we denote by Op1(·), Op2(·), and Op3(·) in the remainder of this document. The following arithmetic in $\mathbb{Z}_{p^2}$ and $\mathbb{Z}_p$ is performed by these operations:

Op1(x,y,z,w). This operation requires four elements $w, x, y, z \in \mathbb{Z}_{p^2}$. The resulting element $c \in \mathbb{Z}_{p^2}$ is computed using two multiplications in $\mathbb{Z}_{p^2}$,

$$c = \mathrm{Op1}(x, y, z, w) = xz - yz^p + w.$$

The actual arithmetic is performed by finite field operations in $\mathbb{Z}_p$. For this purpose four modular multiplications in $\mathbb{Z}_p$ are required. $c = c_1\alpha + c_2\alpha^2$ is computed by,

$$c_1 = w_1 + (z_1(y_1 - x_2 - y_2) + z_2(x_2 - x_1 + y_2)) \bmod p,$$

$$c_2 = w_2 + (z_1(x_1 - x_2 + y_1) + z_2(y_2 - x_1 - y_1)) \bmod p.$$

Op2(x). $c = \mathrm{Op2}(x)$ is computed by one squaring in $\mathbb{Z}_{p^2}$,

$$c = \mathrm{Op2}(x) = x^2 - 2x^p.$$

Note that computation of $x^p$ does not require any arithmetic in $\mathbb{Z}_p$, because $x^p = x_1^p\alpha^p + x_2^p\alpha^{2p} = x_1\alpha^2 + x_2\alpha$, hence $x_1$ and $x_2$ are just swapped – only two multiplications are performed instead,

$$c_1 = x_2(x_2 - 2x_1) - 2x_2 \bmod p,$$

$$c_2 = x_1(x_1 - 2x_2) - 2x_1 \bmod p.$$

Op3(x). This operation is based on Op2(·) and can be computed as

$$c = \mathrm{Op3}(x) = (\mathrm{Op2}(x) - x^p)x + 3 = x^3 - 3x^{p+1} + 3.$$

We compute $c_1, c_2$ in two steps, first we compute $t_1, t_2$,

$$t_1 = x_2(x_2 - 2x_1) - 3x_2 \bmod p,$$

$$t_2 = x_1(x_1 - 2x_2) - 3x_1 \bmod p.$$

From $t_1, t_2$ we can compute $c_1, c_2$ directly. By applying the ideas of Karatsuba [2] we compute $(x_1x_2)$, $(t_1t_2)$,
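The component formulas for Op1, Op2 and Op3 in Section 2.2 can be checked against generic arithmetic in Z_{p^2}; the sketch below is an added example, not the authors' MICAz code. It assumes a constructed toy prime p = 1019 with p ≡ 2 (mod 3), uses hypothetical helper names (`mul`, `power`, `lin`, `self_check`), and finishes Op3 with a plain reference multiplication rather than the Karatsuba step the paper goes on to describe.

```python
import random

# (x1, x2) stands for x1*a + x2*a^2 in Z_{p^2}, where a^2 + a + 1 = 0.
P = 1019  # constructed toy prime with P % 3 == 2; far too small for real XTR

def mul(x, z):
    """Schoolbook reference product, using a^3 = 1 and 1 = -a - a^2."""
    s = x[0] * z[1] + x[1] * z[0]
    return ((x[1] * z[1] - s) % P, (x[0] * z[0] - s) % P)

def power(x, e):  # square-and-multiply on mul(): independent reference for x^p
    r = (P - 1, P - 1)                      # the field element 1
    while e:
        if e & 1:
            r = mul(r, x)
        x, e = mul(x, x), e >> 1
    return r

def lin(*terms):  # sum of k * element over (k, element) pairs, reduced mod P
    return (sum(k * v[0] for k, v in terms) % P, sum(k * v[1] for k, v in terms) % P)

def op1(x, y, z, w):
    """x*z - y*z^p + w with four multiplications in Z_p."""
    (x1, x2), (y1, y2), (z1, z2), (w1, w2) = x, y, z, w
    return ((w1 + z1 * (y1 - x2 - y2) + z2 * (x2 - x1 + y2)) % P,
            (w2 + z1 * (x1 - x2 + y1) + z2 * (y2 - x1 - y1)) % P)

def op2(x):
    """x^2 - 2*x^p with two multiplications in Z_p."""
    x1, x2 = x
    return ((x2 * (x2 - 2 * x1) - 2 * x2) % P, (x1 * (x1 - 2 * x2) - 2 * x1) % P)

def op3(x):
    """(x^2 - 3*x^p)*x + 3; the last product uses mul(), not Karatsuba."""
    x1, x2 = x
    t = ((x2 * (x2 - 2 * x1) - 3 * x2) % P, (x1 * (x1 - 2 * x2) - 3 * x1) % P)
    return lin((1, mul(t, x)), (-3, (1, 1)))     # 3 in Z_p is -3a - 3a^2

def self_check(trials=200, seed=1):
    """True if the component formulas agree with generic Z_{p^2} arithmetic."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y, z, w = [(rng.randrange(P), rng.randrange(P)) for _ in range(4)]
        xp, zp = power(x, P), power(z, P)
        if not (xp == (x[1], x[0])               # Frobenius only swaps x1, x2
                and op1(x, y, z, w) == lin((1, mul(x, z)), (-1, mul(y, zp)), (1, w))
                and op2(x) == lin((1, mul(x, x)), (-2, xp))
                and op3(x) == lin((1, power(x, 3)), (-3, mul(xp, x)), (-3, (1, 1)))):
            return False
    return True
```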
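For the group law and the two point multiplication methods of Section 2.1, the following added example (not code from the paper) implements the addition and doubling formulas on a constructed toy curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6). It goes beyond the text in two places, both assumptions of this sketch: single multiplication is also done by double-and-add, and simultaneous multiplication is also done with one interleaved doubling chain (Shamir's trick) and compared with the two-pass method the paper describes.

```python
# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 (not a secure parameter set).
PRIME, A, B = 97, 2, 3
G = (3, 6)            # constructed base point: 6^2 = 27 + 6 + 3 (mod 97)
INF = None            # point at infinity, the group identity

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % PRIME == 0

def point_add(p1, p2):
    """Group law: the addition and doubling formulas plus the identity cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF                                   # P + (-P), or 2P with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % PRIME, -1, PRIME)   # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME)          # addition
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def mul_naive(k, pt):
    """k additions, as in the definition Q = P + P + ... + P."""
    q = INF
    for _ in range(k):
        q = point_add(q, pt)
    return q

def scalar_mul(k, pt):
    """Left-to-right double-and-add: one doubling per bit of k."""
    q = INF
    for bit in bin(k)[2:]:
        q = point_add(q, q)
        if bit == "1":
            q = point_add(q, pt)
    return q

def simul_two_passes(k, p1, l, p2):
    """Q = kP1 + lP2 as two single multiplications and one addition."""
    return point_add(scalar_mul(k, p1), scalar_mul(l, p2))

def simul_interleaved(k, p1, l, p2):
    """Shamir's trick: one shared doubling chain over the bits of k and l."""
    table = {(0, 0): INF, (1, 0): p1, (0, 1): p2, (1, 1): point_add(p1, p2)}
    q = INF
    for i in reversed(range(max(k.bit_length(), l.bit_length()))):
        q = point_add(point_add(q, q), table[(k >> i) & 1, (l >> i) & 1])
    return q
```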