Professional Documents
Culture Documents
Introduction
Wireless Sensor Nodes (WSN) systems have been extensively investigated over
the past decade and a half. These small, resource constrained devices monitor
their surroundings and they provide a real-time, distributed view on a physical
process. The Internet-of-Things, which may turn every WSN into an Internet
host, is an important opportunity for this class of devices. This contribution looks
at a specific type of WSN, one which is in capability just above a passive RFID.
We consider a wireless sensor node which harvests energy from its surroundings
[27]. Energy harvesting considerably simplifies the installation and maintenance
of such devices. Without battery replacement or wiring requirements, they can
be installed in physically challenging or inaccessible environments - and their
lifetime appears to become infinite. The downside of energy harvesting is that
it severely limits the energy budget available for WSN operation [17]. For example, vibration-based [13] or piezo-electric based harvesters [18] deliver a few
microwatt up to a milliwatt; solar-based harvesters deliver a few tens to hundreds
of milliwatt [23].
Figure 1 demonstrates the topology of an energy-harvested WSN. An energy
store collects energy from a harvester. The energy store then powers up a microcontroller and a radio. This system needs to balance the influx of energy from
the harvester with the energy consumed in computing and communicating. The
WSN will therefore operate in a duty cycle that periodically activates the communication/computation subsystem, and that otherwise powers it off or keeps
it in a low-power standby mode.
We studied the implementation of public-key cryptographic primitives on an
energy harvested node. In a public-key identification protocol, a verifier sends a
random challenge to the WSN and requests a signature for it. Afterwards, the
verifier checks the signature using the WSN public key. When large numbers
of WSN are involved, PKC is a better choice than symmetric-key cryptography
because of easier key distribution and key handling. The energy cost of PKC authentication using elliptic-curve cryptography (ECC) has been previously studied and the conclusions are as follows [15]: the strategy that minimizes the energy
cost per signature is one that runs the microcontroller as fast as possible, while
keeping it in a low-power state otherwise. This minimizes the loss through static
energy dissipation. Hence, in the energy-harvested sensor node of Figure 1, it
is best to hold off on activities until the energy store has sufficient energy to
support at least one complete iteration of the signature protocol. This contribution goes beyond this earlier effort by expanding the analysis to include the
communication overhead.
Contributions:
1. We demonstrate a WSN platform that integrates a microcontroller, a radio, an energy-harvester, and an energy-measurement subsystem. We can
Finally, the energy-harvesting itself poses a special challenge for the optimization of cryptographic algorithms. The uncertainty in the source of energy
has prompted researchers to propose checkpointing strategies [24] or scheduling
techniques that optimize the duty schedule of activity [9]. Furthermore, precomputing techniques have been proposed that can move some parts of the
calculations to an off-line phase [6]. This contribution does not yet include these
more advanced strategies, but we recognize the significance of these techniques
to enable the full potential of energy harvesting.
The remainder of the paper is organized as follows. In the next section, we
describe the target protocols used for authentication. In Section 3, we explain
our system architecture and the experimental setup. Section 4 describes different
operating modes of a sensor node. Next, we explain our energy model used to configure the node. The resulting comparison between different signature schemes
is presented in Section 6. Section 7 concludes the paper.
In this section, we describe the identification protocols running on the energyharvesting WSN. We are comparing three different methods of implementing
PKC signatures, while the top-level protocol remains identical in each case. The
next few subsections describe the top-level protocol, and they briefly review each
of the PKC algorithms.
2.1
The ISO/IEC 9798-3 standard describes a mechanism for a two-pass authentication protocol using signatures. It is based on the following steps:
Server W SN : NS
W SN Server : NS , NW , IDS , SigW (NW , NS , IDS )
(1)
(2)
In this protocol, NS and NW are nonces generated by the server and WSN,
respectively, IDS is a public server ID, and SigW () is a signature scheme executed by the WSN. The nonces guarantee freshness, while the server ID prevents
man-in-the-middle attacks. An alternate one-pass protocol is possible provided
that the Server and WSN maintain a synchronized counter or timer. In that
case, the ISO/IEC 9798-3 standard describes the following case:
W SN Server : TW , IDS , SigW (TW , IDS )
(3)
2.2
ECDSA is a well known signature mechanism based on elliptic curve cryptography [12]. We have implemented ECDSA using two different prime-field curves,
secp160r1 and nistp256, which have a security level of 80 bit and 128 bit respectively. In ECDSA, signing costs one point multiplication, while verification
costs two. Our code is written using the RELIC library [21], and with the following parameters. The scalar multiplication is implemented using a left-to-right
window-3 NAF multiplication, and with Jacobian Projective Coordinates. The
field operations are basic Comba multiplication and squaring, with Montgomery
reduction. SHA-1 is used for hashing and as a pseudo-random generator.
2.3
The second signature algorithm uses hash functions. It was first proposed by
Lamport and Diffie as a one-time-signature scheme (LD-OTS): this implies that
a single key pair can be used for exactly one signature. The LD-OTS scheme
works as follows [8]. For a security level b, the signer generates a secret key of
4b random strings, each 2b bits long. The 4b random strings of the secret key
can be thought of as two arrays of 2b random strings: x(0, 0), .., x(0, 2b 1) and
x(1, 0), .., x(1, 2b 1).
At 128-bit security, the signer will create a 16 KByte secret key. The public
key is obtained by computing the digest of each of the 4b strings: y(0, 0) =
H(x(0, 0)), .., y(0, 2b 1) = H(x(0, 2b 1)) and y(1, 0) = H(x(1, 0)), .., y(1, 2b
1) = H(x(1, 2b 1)). Each digest is 2b bits long. At 128-bit security level, we
use SHA256. To sign a message m, the signer computes a digest over the salted
message H(m, r), and breaks this digest into 2b bits: D(0) .. D(2b 1). The
signature is now formed by selecting a subset of the random strings from the
secret key: x(D(0), 0) .. x(D(2b 1), 2b 1). A signature thus is 8Kbyte plus
the length of the salt r. To verify the signature, the verifier computes the hash
of each string in the signature: H(x(D(0), 0)) .. H(x(D(2b 1), 2b 1)). The
verifier also computes the digest of the salted message H(m, r), splits the digest
into bits v(0) .. v(2b 1), and finally checks if y(v(0), 0) = H(x(D(0), 0)), ..,
y(v(2b 1), 2b 1) = H(x(D(2b 1), 2b 1)). Generating the key costs 4b hash
operations, verifying a signature costs 2b hash operations.
The LD-OTS scheme is simple, easy to compute, but it has a large signature
and key pair. Furthermore, the key can only be used a single time. This last
drawback can be eliminated by chaining: at each signing, a new key pair is
generated, the new public key is signed, and appended to the signature. This
triples the length of the message (from 8Kbyte to 24 Kbyte), and it requires
the verifier to check all signatures in sequence. In our experimental setup, we
have implemented chaining in order to obtain a fair comparison with ECDSA.
We refer to this scheme as LD-OTS-C (with the C indicating chaining). Merkle
has proposed improvements to chaining using a hash-three, but we have not
implemented these.
Verify
(Ops)
2 Pt Mul
2 Pt Mul
160 SHA1
256 SHA2
256 SHA2
System Architecture
Figure 2 shows the block diagram of our experimental setup. It consists of three
parts: (a) an energy-harvesting wireless node, (b) a server and (c) an energymeasurement subsystem. The server authenticates the wireless node by performing a standard unilateral authentication protocol over a low-cost wireless
link. The wireless node includes an solar-powered energy harvester, a microcontroller, and an RF frontend. The energy measurement unit monitors the energy
dissipation of the wireless node. It can distinguish communication energy from
computation energy. By controlling the timing of the energy measurement from
within the microcontroller, we achieve precise synchronization. In the following
subsections, we describe each of the components in Figure 2 in further detail.
3.1
Microcontroller
RF Transceiver
low power modes: the Power-Down mode, and the Wake-on-Radio mode. In
Power down mode, all the chip peripherals including radio frontend and digital
circuitry are off, consuming only 2uA current. During this mode, the transceiver
is effectively blind for RF communications. In the Wake-On-Radio mode, the
RF receiver periodically wakes up to check for RF packets. It automatically goes
back to sleep if no packet is available. The period and stay-awake time are both
configurable.
3.3
Energy harvester
The wireless node is passively powered through an energy harvester chip that
charges a low-leakage supercapacitor. We used the ANG 1010 chip from Anagear,
which includes a boost converter as well as autonomous logic for independent
operation [1]. The idea is that the chip can independently boot and perform initial harvesting to bring the system into a state where a sufficient level of energy
is available. Then, it will awake the microcontroller which will further complete
initialization of the wireless node, configure the RF frontend, and initialize the
ECC protocol. During operation, the microcontroller can check the level of harvested energy (the level of the supercapacitor voltage) through an SPI interface
on the Anagear chip.
3.4
Server
This unit precisely calculates the computation and communication energy for an
authentication. It consists of OpenADC [19, 20] attached to a Spartan FPGA [5]
that accumulates the sampled current values. The OpenADC samples the differential voltage measured over a shunt resistor in the power line of the wireless
node microcontroller or the wireless node RF frontend. The 1 k shunt resistor is high-precision, high-bandwidth. The accumulation process in the FPGA
is under control of the MSP430 by means of a trigger signal. This way, we can
easily evaluate the energy and timing of a specific set of events. The sample
frequency of the OpenADC depends on the clock frequency of the MSP430 microcontroller. Below 10 MHz, we set it at 20MHz. Above 10MHz, we increase
the OpenADC sample frequency to 30MHz. We justify the relatively slow sample
rate by observing that we are not interested in the high-frequency components of
the power, but in the accumulated value. Furthermore, the decoupling capacitors
of the chip ensure that the measured current will approach the average current
per clock cycle.
Energy Model
In this section, we introduce a model that estimates the total energy needed for
an authentication that guides the design of energy harvester.
In order to calculate required energy for one authentication, we need to precisely measure both computation as well as communication energy. The required
supercapacitor voltage is calculated as follows. We consider a safety margin of
twice the required energy. As solar panel harvests energy, supercapacitor voltage
increases and MSP430 periodically monitors this level. We require:
Energy stored in capacitor > Computation + Communication Energy
C.V 2
> 2.(Ec + Erf ) + Eov
2
C.V 2
2.(Ec + Erf ) + 125
>
2
1000
r
2.(Ec + Erf ) + 125
V >
500.C
where C is supercapacitor value in Farad, V is supercapacitor voltage in
Volts, Ec is computational energy in mJ, Erf is communication energy in mJ,
Eov is energy harvester overhead which is 125mJ.
35,058
2,046
38,174
2,365
21,210
3,634
LD-OTS-C-128 W-OTS-C-256
23,234
8,654
17,088
406
The relation between solar panel rating, the energy needed for one signature
and the signing duty cycle can be expressed as follows.
(4)
where Vsolar is the rated voltage of solar panel, Isolar is the rated current
of solar panel, Psleep is the sleep mode power of the system, Esig is the energy
needed for one signature and Dutycycle denotes how often the signature is generated.
Results
ECDSA128
2
10
LDOTSC128
WOTSC256
LDOTSC80
ECDSA80
1
10
10
15
Frequency (MHz)
20
10
LDOTSC128
WOTSC256
LDOTSC80
ECDSA80
1
10
10
12
ECDSA128
10
ECDSA128
ECDSA80
2
10
LDOTSC128
WOTSC256
LDOTSC80
1
10
10 0
10
10
10
10
Conclusion
This work has demonstrated the exciting design space of communication, computation, and energy-harvesting for the case of cryptographic signatures. We show
an end-to-end methodology which enables complete measurement of every aspect
of a signature protocol. We apply the methodology to several different signature
schemes, including ECC-based and hash-based signature schemes. This demonstrates the trade-off between computation energy and communication energy in
PKC signature schemes.
Our work also opens up a couple of interesting perspectives. A first aspect
are signature schemes that jointly optimize computation and communication
overhead at a given security level. For example, one could investigate how to
reduce communication overhead in hash-based schemes, or how to apply precomputation techniques in ECC-based schemes. A full and fair comparison of
energy-harvested cryptosystes should always consider both aspects: communication and computation.
A second perspective is the further optimization of our measurement and
prototype platform. We are developing an integrated version of Figure 2 which
combines all components on a single PCB, and which scales down the microcontroller to a smaller family member. We expect that this will provide significant
reduction of energy overhead.
Finally, we wish to acknowledge the support of the National Science Foundation, grant no 1314598.
References
1. Anagear Power Management, http://www.anagear.com/content/ANG1010
2. Texas Instruments Low Power 2.4GHz RF Transceiver, http://www.ti.com/lit/
ds/swrs040c/swrs040c.pdf