Thesis

Budapest University of Technology and Economics
Department of Telecommunications
Privacy enhancing protocols
for wireless networks
Ph.D. Dissertation
of
Tamás Holczer
Supervisor:
Levente Buttyán, Ph.D.
TO BE ON THE SAFE SIDE
Budapest, Hungary
2012

Alulírott Holczer Tamás kijelentem, hogy ezt a doktori értekezést magam készítettem
és abban csak a megadott forrásokat használtam fel. Minden olyan részt, amelyet szó szerint,
vagy azonos tartalomban, de átfogalmazva más forrásból átvettem, egyértelműen,
a forrás megadásával megjelöltem.
I, the undersigned Tamás Holczer hereby declare, that this Ph.D. dissertation was
made by myself, and I only used the sources given at the end. Every part that was
quoted word-for-word, or was taken over with the same content, I noted explicitly by
giving the reference of the source.
A dolgozat bírálatai és a védésről készült jegyzőkönyv a Budapesti Műszaki és
Gazdaságtudományi Egyetem Villamosmérnöki és Informatikai Karának dékáni hivatalában
elérhetőek.
The reviews of the dissertation and the report of the thesis discussion are available
at the Dean’s Office of the Faculty of Electrical Engineering and Informatics of the
Budapest University of Technology and Economics.
Budapest, . . . . . . . . . . . . . . . . . . . . . . . .
iii
Holczer Tamás

Abstract
Wireless networks are used in our everyday life. We use wireless networks to call each other, to
download our emails at home, or to enter a building with a proximity card. In the near future
wireless networks will be used in many new fields such as vehicular ad hoc networks, or critical
infrastructure protection.
The use of wireless networks instead of wired networks opens up new research challenges. These
challenges include mobility, coping with unreliable links, resource constraints, and the security and
privacy aspects of the wireless networks. In this thesis some privacy aspects of different wireless
networks are investigated.
In chapter 2, private authentication methods are proposed and analyzed for radio frequency
identification (RFID) systems. A typical example for such an application is a Radio Frequency
Identification System (RFID) system, where the provers are low-cost RFID tags, and the number
of the tags can potentially be very large. I study the problem of private authentication in RFID
systems. More specifically I propose two methods, that are the privacy efficient key-tree based
authentication, and the group based authentication.
The first key-tree based private authentication protocol has been proposed by Molnar and
Wagner as a neat way to efficiently solve the problem of privacy preserving authentication based on
symmetric key cryptography. However, in the key-tree based approach, the level of privacy provided
by the system to its members may decrease considerably if some members are compromised. In this
thesis, I analyze this problem, and show that careful design of the tree can help to minimize this
loss of privacy. First, I introduce a benchmark metric for measuring the resistance of the system
to a single compromised member. This metric is based on the well-known concept of anonymity
sets. Then, I show how the parameters of the key-tree should be chosen in order to maximize the
system’s resistance to single member compromise under some constraints on the authentication
delay. In the general case, when any member can be compromised, I give a lower bound on the
level of privacy provided by the system. I also present some simulation results that show that this
lower bound is quite sharp. The results of Chapter 2 can be directly used by system designers to
construct optimal key-trees in practice.
In the second part of chapter 2, I propose a novel group based authentication scheme similar
to the key-tree based method. This scheme is also based on symmetric-key cryptography, and
therefore, it is well-suited to resource constrained applications in large scale environments. I
analyze the proposed scheme and show that it is superior to the previous key-tree based approach
for private authentication both in terms of privacy and efficiency.
In chapter 3, I analyze the privacy consequences of inter vehicular communication. The promise
of vehicular communications is to make road traffic safer and more efficient. However, besides the
expected benefits, vehicular communications also introduce some privacy risk by making it easier to
track the physical location of vehicles. One approach to solve this problem is that the vehicles use
pseudonyms that they change with some frequency. In this chapter, I study the effectiveness of this
approach. I define a model based on the concept of mix zone, characterize the tracking strategy
of the adversary in this model, and introduce a metric to quantify the level of privacy enjoyed
v

y the vehicles. I also report on the results of an extensive simulation where I used my model to
determine the level of privacy achieved in realistic scenarios. In particular, in my simulation, I used
a rather complex road map, generated traffic with realistic parameters, and varied the strength
of the adversary by varying the number of her monitoring points. My simulation results provide
information about the relationship between the strength of the adversary and the level of privacy
achieved by changing pseudonyms.
From the first half of Chapter 3, it can be seen that untraceability of vehicles is an important
requirement in future vehicle communications systems. Unfortunately, heartbeat messages used by
many safety applications provide a constant stream of location data, and without any protection
measures, they make tracking of vehicles easy even for a passive eavesdropper. However, considering
a global attacker, this approach is effective only if some silent period is kept during the pseudonym
change and several vehicles change their pseudonyms nearly at the same time and at the same
location. Unlike other works that proposed explicit synchronization between a group of vehicles
and/or required pseudonym change in a designated physical area (i.e., a static mix zone), I propose
a much simpler approach that does not need any explicit cooperation between vehicles and any
infrastructure support. My basic idea is that vehicles should not transmit heartbeat messages when
their speed drops below a given threshold, and they should change pseudonym during each such
silent period. This ensures that vehicles stopping at traffic lights or moving slowly in a traffic jam
will all refrain from transmitting heartbeats and change their pseudonyms nearly at the same time
and location. Thus, my scheme ensures both silent periods and synchronized pseudonym change
in time and space, but it does so in an implicit way. I also argue that the risk of a fatal accident at
a slow speed is low, and therefore, my scheme does not seriously impact safety-of-life. In addition,
refraining from sending heartbeat messages when moving at low speed also relieves vehicles of the
burden of verifying a potentially large amount of digital signatures, and thus, makes it possible to
implement vehicle communications with less expensive equipments.
In chapter 4, I propose protocols that increase the dependability of wireless sensor networks,
which are potentially useful building blocks in cyber-physical systems. Wireless sensor networks
can be used in many critical applications such as martial or critical infrastructure protection
scenarios. In such a critical scenario, the dependability of the monitoring sensor network can be
crucial. One interesting part of the dependability of a network, is how the network can hide its
nodes with specific roles from an eavesdropping or active attacker.
In this problem field, I propose protocols which can hide some important nodes of the network.
More specifically, I propose two privacy preserving aggregator node election protocols, a privacy
preserving data aggregation protocol, and a corresponding privacy preserving query protocol for
sensor networks that allow for secure in-network data aggregation by making it difficult for an
adversary to identify and then physically disable the designated aggregator nodes. The basic
protocol can withstand a passive attacker, while my advanced protocols resist strong adversaries
that can physically compromise some nodes. The privacy preserving aggregator protocol allows
electing aggregator nodes within the network without leaking any information about the identity of
the elected node. The privacy preserving aggregation protocol helps collecting data by the elected
aggregator nodes without leaking the information, who is actually collecting the data. The privacy
preserving query protocol enables an operator to collect the aggregated data from the unknown
and anonymous aggregators without leaking the identity of the aggregating nodes.
vi

Kivonat
Vezeték nélküli hálózatok a mindennapi élet részét képezik. Ilyen hálózatokat használhatunk
például telefonálásra, Interneten elérhető szolgáltatások igénybe vételére, vagy kontaktus mentes
kártyás beléptető rendszerekben. A közeljövőben a felhasználási területek jelentős mértékben ki
fognak bővülni, többek között a gépjárművek is így fognak kommunikálni egymással, vagy szerepet
fog kapni a kritikus infrastruktúra védelmében is.
A vezeték nélküli hálózatok széleskörű használata új kutatási problémákat vet fel. Ilyen új
problémakör a mobilitás, megbízhatatlan kapcsolatok kezelése, szűkös erőforrásokból származó
problémák és kihívások vagy az adatvédelmi és adatbiztonsági kérdések kutatása. Ebben a disszertációban
különböző vezeték nélküli hálózatok adatvédelmi kérdéseit vizsgálom.
A disszertáció első fejezetében privát hitelesítési módszereket vizsgálok rádiófrekvenciás azonosítási
problémák kezelésére. Tipikus alkalmazási terület az RFID rendszerek, ahol potenciálisan rengeteg
felhasználó olcsó RFID kártyák segítségével hitelesítik magukat egy olvasó felé. A két hitelesítési
mód a kulcsfa alapú illetve a csoport alapú azonosítás.
Az első kulcsfa alapú privát hitelesítési protokollt Molnar és Wagner javasolta. Ez a módszer
egy hatékony szimmetrikus kulcs alapú privát hitelesítő protokoll volt. Ez a módszer nagyon jól
működik mindaddig, amíg nem kompromittálódik valamelyik felhasználó titkos kulcsai. Ekkor
nemcsak a kompromittálódott felhasználó élvez kisebb anonimitást, de az összes többi felhasználó
anonimitása is sérül.
A disszertáció 2. fejezetében azt elemzem, hogy a fa paramétereinek gondos megválasztása
hogyan tudja minimalizálni az elveszett anonimitást. Először is, definiálok egy mértéket, ami
azt méri, hogy milyen hatása van annak, ha egy felhasználó kompromittálódik a rendszerben.
Ez a mérték az anonimitási halmaz jól ismert fogalmára épül. Ezután megmutatom, hogy kell
a kulcsfa paramétereit megválasztani úgy, hogy az előbb definiált mértékben minimális legyen a
kompromittálódásból származó veszteség bizonyos külső kényszerek teljesülése mellett. Általános
esetben, ahol nem csak egy felhasználó kompromittálódhat hanem több is, alsó becslést adok a
rendszer által biztosított anonimitási szintre. Szimulációkkal megmutatom, hogy ez az alsó becslés
jellemzően pontos becslés. A fejezet eredményei közvetlenül felhasználhatók rendszer tervezéskor,
amikor meg kell találni a feladatnak legjobban megfelelő kulcsfát.
2. fejezet második részében egy új csoport alapú privát hitelesítési módszert javaslok. Ez
a módszer is szimmetrikus kulcsokon alapul, így jól alkalmazható erőforrás korlátozott eszközök
esetén is. A fejezetben elemzem a javasolt megoldást, és megmutatom, hogy bizonyos tipikus
esetekben jobban működik, mint a fejezet elején bevezetett kulcsfa alapú módszer.
A 3. fejezetben a járműközi kommunikáció adatvédelmi következményeit elemzem. A közeljövőben
megvalósuló járműközi kommunikáció biztonságosabb és hatékonyabb közlekedést tesz lehetővé, de
ugyanakkor egyszerűbbé teszi a járművek követhetőségét is, ami jelentősen sértheti a járművezetők
privát szféráját. Egy lehetséges megoldás a problémára, ha a járművek nem állandó azonosítókat
használnak a kommunikációjuk során, hanem álneveket, amiket gyakran le tudnak cserélni. Ebben
a fejezetben ennek a megoldásnak a hatékonyságát elemzem. Először is egy mix zóna alapú modellt
alkotok. Ebben a modellben definiálom a támadó követési stratégiáját, és definiálom a mértéket,
vii

ami azt méri, hogy az egyes járművek mennyire követhetők. Ezek után megvizsgálom a modellt egy
részletes szimulációban. A szimuláció folyamán, egy komplex térképen valósághűen közlekednek
járművek, és vizsgálom a forgalom és a támadó erősségének hatását a követhetőségre.
Ahogy ez a 3. fejezet első részéből látszik, a járművek követhetősége fontos szempont a
járműközi kommunikációban. Sajnálatos módon, ahogy láttuk, a folytonosan adott helyzetjelentések
könnyen követhetővé teszik a járműveket. Általános megoldás a problémára, ha a járművek
váltogatják az azonosítójukat. Ez a váltás, persze csak akkor tud hatékony lenni, ha a két
különböző azonosító használata között eltelik legalább egy kis idő, amikor a jármű nem ad semmit,
és egyszerre több egymás közelében lévő jármű vált azonosítót. Míg a legtöbb megoldás
bonyolult szinkronizációt ír elő, vagy csak statikusan kijelölt helyeken engedi a cserét, addig az én
megoldásom ennél sokkal egyszerűbb. Ebben a megoldásban nincs szükség explicit kooperációra
vagy külső infrastruktúrára, hanem egyszerűen a járművek abbahagyják az adást egy bizonyos
sebesség alatt, majd amikor átlépik ezt a küszöb sebességet, akkor újra elkezdenek adni de már az
új azonosítóval. Ezáltal közlekedési lámpánál várakozó, vagy dugóban araszoló járművek egyszerre
maradnak csöndben és cserélnek azonosítót. Ezáltal ez a módszer egyszerűen garantálja a szükséges
csöndes periódust, és a helyileg és időben szinkronizált cserét valósit meg szinkronizáció nélkül. Ez
a módszer egyrészt azért szerencsés, mivel alacsony sebességnél kicsi az esély súlyos balesetre, tehát
épp akkor nem ad jeleket a jármű, amikor nincs is szükség rá, másrészt az egymáshoz közel araszoló
járművek nagyon nagy mennyiségű feldolgozandó adatot generálnak, ami így szintén elkerülhető.
A disszertáció 4. fejezetében protokollokat javaslok, amik növelni tudják egy vezeték nélküli
szenzorhálózat megbízhatóságát. Vezeték nélküli szenzorhálózatokat fel lehet használni kritikus
feladatokra is mint például hadászati vagy kritikus infrastruktúra védelem. Ilyen kritikus feladatokban,
nagyon fontos lehet a kiemelt szerepű node-ok védelme illetve elrejtése támadók elől.
Ezen probématerületen belül javaslok protokollokat, melyek el tudják rejteni a kulcsfontosságú
eszközök kilétét. Pontosabban, két privát aggregátor választó protokollt egy privát aggregáló és
egy privát lekérdező protokollt javaslok, amelyek használata esetén szenzor hálózatban támadók
nem tudják azonosítani az aggregátor eszközöket. A két megoldás közül az egyszerűbb protokoll
passzív lehallgatás ellen nyújt biztonságot, míg a komplexebb protokoll aktív támadások ellen is
védelmet nyújt.
viii

Acknowledgement
First of all, I would like to express my gratitude to my supervisor, Professor Levente Buttyán,
Ph.D., Departement of Telecommunication, Budapest University of Technology and Economics.
He gave me guidance in selecting problems to work on, helped in elaborating the problems, and
pushed me to publish the results. All these three steps were needed to finish this thesis.
I am also grateful to the current and former members of the CrySyS Laboratory: Boldizsár
Bencsáth, László Czap, László Csík, László Dóra, Amit Dvir, Gergely Kótyuk,
Áron Lászka,
Gábor Pék, Péter Schaffer, Vinh Thong Ta, and István Vajda for the illuminating discussions
on different technical problems that I encountered during my research. They also provided a
pleasant atmosphere which was a pleasure to work in.
I would also like to thank for our joint efforts and publications to Petra Ardelean, Naim Asaj,
Gildas Avoine, Danny De Cock, Stefano Cosenza, Amit Dvir, László Dóra, Julien Freudiger, Albert
Held, Jean-Pierre Hubaux, Frank Kargl, Antonio Kung, Zhendong Ma, Michael Müter, Panagiotis
Papadimitratos, Maxim Raya, Péter Schaffer, Elmar Schoch, István Vajda, Andre Weimerskirch,
William Whyte, and Björn Wiedersheim.
The financial support of the Mobile Innovation Centre (MIK) and the support of the SEVECOM
(FP6-027795) and WSAN4CIP (FP7-225186) EU projects are gratefully acknowledged.
And last but not least my thanks go to my wife Nóra, who accepted me as being a PhD student.
I know sometimes it was not easy.
ix

Contents
1 Introduction 1
1.1 Introduction to RFID systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Introduction to Vehicular Ad Hoc Networks . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Introduction to Wireless Sensor Networks . . . . . . . . . . . . . . . . . . . . . . . 4
2 Private Authentication 9
2.1 Introduction to private authentication . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Resistance to single member compromise . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Optimal trees in case of single member compromise . . . . . . . . . . . . . . . . . . 14
2.4 Analysis of the general case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5 The group-based approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.6 Analysis of the group based approach . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.7 Comparison of the group and the key-tree based approach . . . . . . . . . . . . . . 26
2.8 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.9 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.10 Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3 Location Privacy in VANETs 29
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.2 Model of local attacker and mix zone . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2.1 The concept of the mix zone . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2.2 The model of the mix zone . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.2.3 The operation of the adversary . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.2.4 Analysis of the adversary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.2.5 The level of privacy provided by the mix zone . . . . . . . . . . . . . . . . . 34
3.3 Simulation of mix zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3.1 Simulation settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3.2 Simulation results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.4 Global attacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.5 Framework for location privacy in VANETs . . . . . . . . . . . . . . . . . . . . . . 37
3.6 Attacker Model and the SLOW algorithm . . . . . . . . . . . . . . . . . . . . . . . 38
3.7 Analysis of SLOW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.7.1 Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.7.2 Effects on safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.7.3 Effects on computation complexity . . . . . . . . . . . . . . . . . . . . . . . 44
3.8 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.9 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.10 Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
xi

CONTENTS
4 Anonymous Aggregator Election and Data Aggregation in WSNs 49
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.2 System and attacker models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.3 Basic protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.3.1 Protocol description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.3.2 Protocol analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.3.3 Data forwarding and querying . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.4 Advanced protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.4.1 Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.4.2 Data aggregator election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.4.3 Data aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.4.4 Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.4.5 Misbehaving nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4.5 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.7 Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
5 Application of new results 75
6 Conclusion 77
xii

List of Figures
2.1 Illustration of a key-tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Illustration of single member compromise . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 Illustration of several members compromise . . . . . . . . . . . . . . . . . . . . . . 20
2.4 Simulation results for branching factor vectors . . . . . . . . . . . . . . . . . . . . . 22
2.5 system comparison based on approximation . . . . . . . . . . . . . . . . . . . . . . 23
2.6 Operation of the group-based private authentication scheme . . . . . . . . . . . . . 24
2.7 Tree and group based authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.8 Simulation results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.1 Mix and observed zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2 Simplified map of Budapest generated for the simulation. . . . . . . . . . . . . . . 35
3.3 Success probabilities of the adversary . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.4 Results of the simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.5 Success rate of a tracking attacker . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.6 Example intersection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.7 Success rate of the simple attacker . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.8 Success rate of the simple attacker . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.9 Number of signatures to be verified . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.1 Result of aggregator election protocol . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.2 Probability of being cluster aggregator . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.3 Probability of being cluster aggregator . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.4 Result of balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.5 Entropy of the attacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.6 Connected dominating set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.7 Aggregation example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.8 Query example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4.9 Graphical representation of the suitable intervals . . . . . . . . . . . . . . . . . . . 69
4.10 Misbehavior detection algorithm for the query protocol. . . . . . . . . . . . . . . . 71
xiii

List of Tables
2.1 Illustration of the operation of the recursive function f . . . . . . . . . . . . . . . . 19
3.1 Notation in SLOW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.1 Estimated time of the building blocks on a Crossbow MICAz mote . . . . . . . . . 55
4.2 Optimal γ values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.3 Summary of complexity of the advanced protocol . . . . . . . . . . . . . . . . . . . 61
xv

List of Algorithms
1 Optimal branching factor generating algorithm . . . . . . . . . . . . . . . . . . . . 19
2 Basic private cluster aggregator election algorithm . . . . . . . . . . . . . . . . . . 54
xvii

Chapter 1
Introduction
In this dissertation privacy enhancing protocols for wireless networks are proposed. In this chapter,
a brief overview is given on those wireless networks to which the work presented in this dissertation
is related, namely on Radio Frequency Identification systems (RFID systems), Vehicular Ad Hoc
Networks (VANETs), and Wireless Sensor Networks (WSNs). The privacy consequences of the
usage of such networks and some related problems are sketched. The main reason for choosing
these networks is that they are or will potentially be used by billions of users, so solving a problem
related to these networks can have an effect on an extremely large amount of user’s privacy.
Wireless technology is a truly revolutionary paradigm shift, enabling multimedia communications
between people and devices from any location. It also enables exciting applications
such as sensor networks, smart homes, telemedicine, and automated highways. Comprehensive
introductions to wireless networks can be found in [Goldsmith, 2005; Rappaport, 2001].
The security and privacy problems of wireless networks is a well studied field, however there
are a lot of open question worth to work on. Overviews of security and privacy in wireless
networks can be found in [Buttyán and Hubaux, 2008; Juels, 2006; Raya and Hubaux, 2007;
Akyildiz et al., 2002].
A wireless network consists of nodes that can communicate through wireless channels. Those
channels include Infra Red (IR) or Radio Frequency (RF) channels. From the security point of view,
the main difference between wireless and traditional wired networks is that a passive attacker can
easily eavesdrop the wireless channel without detection, while it can be harder with wired networks.
Harder actually means here that those attacks require physical access to the network (cables or
network elements), and the lack of physical protection in case of wireless networks makes these
attacks easier to carry out. An active attacker can inject, modify, and delete messages in the
air with some knowledge of the network and wireless technologies, while again it is harder for a
traditional wired network.
In information technology, privacy is defined as the right of an entity to choose which information
is revealed about the entity, what information is collected and stored, how that information
is used, shared or published, and also the right to keep control on that information (e.g., the
right to delete data from a database if the user wishes to do so). Privacy has actually two facets:
data control and data protection. One way to keep control is to keep data secret, e.g., to remain
anonymous. According to [Pfitzmann and Köhntopp, 2001], anonymity is the state of being not
identifiable within a set of subjects, the anonymity set. In the remaining part of the dissertation,
I will use privacy with this information centric meaning, and decisional privacy 1 or intentional
privacy 2 will not be discussed.
1 This conception of privacy addresses issues related to an individual’s authority to make decisions that affect the
individual’s life and body and that of the individual’s family members such as end of life issues. [ITLaw] 2 This
conception of privacy addresses issues related to intimate activities or characteristics that are publicly visible.
[ITLaw]
1

1. INTRODUCTION
In the remainder part of this chapter, the three wireless networks I worked with within this
dissertation are introduced.
1.1 Introduction to RFID systems
The following description of RFID systems and its security and privacy problems is based on [Juels,
2006; Langheinrich, 2009; Peris-Lopez et al., 2006]. The interested reader can get a broader view
and deeper understanding on RFID systems by reading the cited papers instead of only relying on
this short introduction.
RFID (Radio-Frequency IDentification) is a technology for automated identification of objects
or people. An RFID system consist of simple Tags, Readers, and Backend servers. The tags carry
unique identifiers. These unique identifiers are read by nearby Readers by radio communication.
The Readers send the obtained identifiers to Backend Servers. The goal of an RFID system is the
unique identification of the holders of the Tags.
Example applications of RFID systems include smart appliances, shopping, interactive objects,
or medication compliance. This list can be expanded to hundreds of scenarios [Wu et al., 2009;
RFID, 2012].
The main threats to privacy in RFID systems are tracking and inventorying. A tracking attacker
can eavesdrop message exchanges in different parts of the network. If the system is not defended
against such attacks, the attacker can link different message exchanges of the same user, hence
can track the user. This is a very important concern in RFID systems, that is why this problem
is discussed in Chapter 2 (the problem of tracking is actually not unique to RFID systems, and I
will study it in a different context in Chapter 3, namely in vehicular networks).
Inventorying is a specific attack against RFID systems. It relies on the assumption that in
the near future, most of our objects will be tagged with distant readable RFID tags. An attacker
carrying out an inventorying attack can get know exactly what a user wears, has in her pockets or
bag without the consent of the user.
In Chapter 2, two private authentication methods are given, which make it difficult for an
attacker to carry out tracking and inventorying attacks.
Another important field of security problems regarding RFID is the authenticity of the tags. In
short, the privacy problem is related to malicious readers, while the authenticity problem is related
to malicious tags. The main problem is that illegitimate tags can be counterfeited to obtain the
same rights as the legitimate tag holds. In the following, I will assume the presence of malicious
readers, but no malicious tags is considered.
When considering the RFID tags capabilities, the tags on the market can be classified into two
main categories: basic tags with no real cryptographic capabilities and advanced tags with some
symmetric key cryptography capabilities.
Basic tags
Basic RFID tags lack the resources to perform true cryptographic operations. The lack of cryptography
in basic RFID tags is a big impediment to security design; cryptography, after all, is the
main building block of data security. The main approaches to provide privacy to basic tags are the
following: killing, sleeping, renaming, proxying, distance measurement, blocking, and legislation.
Killing and sleeping are very similar approaches. The basic idea is that an authenticated
command can reversibly or permanently switch off the tag.
Another approach is to divide the identifier space into two separate parts by a modifiable
privacy bit [Juels et al., 2003; Juels and Brainard, 2004]. The two parts are the private and the
public parts. A blocker device can make the scanning of private tags infeasible, and the tags can
be moved between the public and private zone on demand. Another device based solution is the
proxying, where the holder of the tag can use some equipments (like a mobile phone)to enforce
privacy [Floerkemeier et al., 2005; Juels et al., 2006; Rieback et al., 2005].
2

1.2. Introduction to Vehicular Ad Hoc Networks
The tracking problem is based on the fact, that tags use static identifiers. Some proposals
suggest to rename the tags by readers [Instruments, 2005], or the tag itself can rotate pseudonyms
[Juels, 2005a] to make tracking harder. In distance measurement the tags can roughly measure
their distance to the reader by measuring the signal-to-noise ratio of the channel [Fishkin et al.,
2005]. This can be used to avoid distant aggressive scanning.
A non technical approach is legislation: There are some efforts to regulate the usage of RFID
tags from the privacy point of view [Kelly and Erickson, 2005], but these efforts are far from
efficient completion. Ultimately, this approach may be more effective and cost efficient than any
other (e.g. from an economic aspect, it is not worth to track if the tracker can go to jail by doing
so). The authentication of basic tags is as hard as providing privacy to them. There are some
work [Juels, 2005b], how the kill PIN can be used to authenticate the tags.
Advanced tags
Advanced tags are capable of simple symmetric key operations. However weak cryptographic
algorithms are targets of successfull attacks [Bono et al., 2005]. Another attack type against
cryptographically enabled tags are the man-in-the-middle attacks. In a MiM attack the attacker
is relaying messages between the tag and the reader and by doing so, he can modify, delete, and
inject messages in their communication. This can also be done if the tag and the reader are not in
vicinity [Hancke, 2005; Kfir and Wool, 2005].
The privacy of advanced tags is deeply analyzed in Chapter 2. In short, the problem is that
the tag is not allowed to send its identifier in order to avoid tracking, therefore the reader needs a
lot of trials to find the right decryption key.
The computational burden on the reader can be partly alleviated with key-trees [Molnar and
Wagner, 2004], synchronization [Ohkubo et al., 2004], or time-memory tradeoffs [Avoine et al.,
2005; Avoine and Oechslin, 2005]. However, all known mitigation techniques lead to degradation
of privacy or efficiency. The degradation of privacy is analyzed in Chapter 2, where efficient
solutions are also proposed.
1.2 Introduction to Vehicular Ad Hoc Networks
The following description of Vehicular Ad Hoc Networks and their security and privacy properties
is based on [Raya and Hubaux, 2005; Raya and Hubaux, 2007; Lin et al., 2008; Blum et al., 2004b;
Dötzer, 2006]. The interested reader can get a broader view and deeper understanding on VANETs
by reading the cited papers instead of only relying on this short introduction.
The main motivation to use VANETs is to enhance traffic safety, traffic efficiency, give assistance
to drivers, and the possibility of infotainment applications. A VANET consist of vehicles equipped
with On Board Units (OBUs) and wireless communication equipment, Road Side Units (RSUs),
and backend infrastructure. The vehicles exchange messages regularly with each other and with
the infrastructure using wireless communication to achieve the main goals such as safer roads.
The main vulnerabilities in VANETs come from the wireless nature of the communication, and
the sensitive information, such as location of users, used by the network. One major vulnerability
comes from the the wireless nature of the system: the communication can be jammed easily, the
messages can be forged. Another problem related to the wireless communication is that while the
nodes are relaying messages, they can modify them. This is called In-Transit Traffic Tampering.
Another kind of problem, that the vehicles can impersonate other vehicles with higher privileges
such as emergency vehicles to gain extra privileges. The most relevant problem to this dissertation
is that the privacy of the drivers of the vehicles can be violated. This vulnerability is analyzed in
Chapter 3. In general an attacker can achieve her goals by tampering the OBU, an RSU, sensor
readings, or the wireless channel.
Traditional mechanisms cannot deal with the vulnerabilities discussed above because of the
new challenges in VANETs. Such challenge is the high network volatility caused by the highly
mobile very large scale network. Another challenge is that the network must offer liability and
3

1. INTRODUCTION
privacy at the same time in an efficient way, as the applications are delay sensitive. To make things
even worse, the network is very heterogenous, different vehicles can have different equipment and
abilities, so no unique solution can solve every problem.
When defining the key vulnerabilities and challenges of vehicular ad hoc networks, it is crucial
to first define and characterize the possible attackers. In many papers [Raya and Hubaux, 2007;
Hu et al., 2005] the attacker can be characterized as follows:
Insider vs. Outsider: The key difference between an insider and an outsider attacker is that
an insider poses legitimate and valid cryptographic credentials, while an outsider does not
have any valid credentials. It is obvious that an insider attacker can mount stronger attacks,
then an outsider.
Malicious vs. Rational: The main goal of a malicious attacker is to disrupt the normal operation
of the network without any further goal, while a rational attacker wants to make some
profit with his attack. In general, it is easier to handle a rational attacker, because his steps
can be foreseen easier.
Active vs. Passive: A passive attacker only eavesdrops the messages of the vehicles, while an
active attacker can send, modify, or delete messages.
Local vs. Global: A local attacker mounts his attack on a small area (or on some non continuous
small areas), while a global attacker has influence on broader areas.
In the following, some basic and sophisticated attacks are presented to give the reader an idea
about the threats in vehicular ad hoc networks.
An insider attacker can diffuse bogus information to affect the behavior of other drivers. The
source of the information can be a cheated sensor reading or a modified location data.
In wireless networking, the wormhole attack [Hu et al., 2006] consists in tunneling packets
between two remote nodes. Similarly, in VANETs, an attacker that controls at least two entities
remote from each other and a high speed communication link between them can tunnel packets
broadcasted in one location to another, thus disseminating erroneous (but correctly signed)
messages in the destination area.
According to [Kroh et al., 2006] the following security concepts must be used in a vehicular
ad hoc network to handle most of the possible attacks: identification and authentication concepts,
privacy concepts, integrity concepts, access control and authorization concepts. The concepts are
introduced in Section 3.8 with a special attention on providing privacy to the users of the system.
In Chapter 3, the privacy of VANETs is analyzed, especially the privacy provided by pseudonyms
considering outsider rational passive local attackers. A pseudonym change algorithm is
provided as well considering an outsider rational passive global attacker.
1.3 Introduction to Wireless Sensor Networks
The following description of Wireless Sensor Networks (WSNs) and the related security problems
is based on [Akyildiz et al., 2002; Chan and Perrig, 2003; Li et al., 2009; Lopez, 2008; Perrig et
al., 2004; Sharma et al., 2012; Yick et al., 2008]. The interested reader can get a broader view and
deeper understanding on WSNs by reading the cited papers instead of only relying on this short
introduction.
A sensor network is composed of a large number of sensor nodes, which are typically densely
deployed. One sensor node consists of some sensor circuits which can measure some environmental
variable, central processing unit which is typically a microcontroller, and radio circuit which
enables the communication with other nearby nodes. The goal of a wireless sensor network can
be one of many applications: military applications (e.g. battlefield surveillance), environmental
applications (e.g. forest fire detection), critical infrastructure protection (e.g. surveillance of water
pipes), health applications (e.g. drug administration in hospitals), home applications (e.g. smart
environment).
4

1.3. Introduction to Wireless Sensor Networks
Some important security challenges in WSNs are: secure routing, secure key management, efficient
(broadcast) authentication, secure localization, secure data aggregation. A good introduction
to these problems and some countermeasures can be found in [Lopez, 2008].
The privacy related challenges can be categorized into two main groups [Li et al., 2009]: dataoriented
and context oriented challenges. In data-oriented protection, the confidentiality of the
measured data must be preserved. Context oriented protection covers the location privacy of the
source and some significant nodes such as the base station or aggregator nodes:
Data-oriented privacy protection: Data-oriented privacy protection focuses on protecting
the privacy of data content. Here ”data” refer to not only sensed data collected within a
WSN but also queries posed to a WSN by users.
– Privacy protection during data aggregation: Data aggregation is designed to
substantially reduce the volume of traffic being transmitted in a WSN by fusing or
compressing data in the intermediate sensor nodes (called aggregators). It is an important
technique for preserving resources (e.g., energy consumption) in a WSN. Interestingly,
it is also a common and effective method to preserve private data against
an external adversary, because the process compresses large inputs to small outputs at
the intermediate sensor nodes. On the other hand, a malicious aggregator can modify
the measurements of many nodes with one step, or can learn the individual measurements
of individual nodes. Some countermeasure are proposed in [He et al., 2007;
Zhang et al., 2008].
Cluster-based privacy data aggregation (CPDA): The basic idea of CPDA
[He et al., 2007] is to introduce noise to the raw data sensed from a WSN, such
that although an aggregator can obtain accurate aggregated information but not
individual data points.
Slice-mixed aggregation (SMART): The main idea of SMART [He et al., 2007]
is to slice original data into pieces and recombine them randomly. This is done in
three phases: slicing, mixing, and aggregation.
Generic privacy-preservation solutions for approximate aggregation (GP 2 S):
The basic idea of GP 2 S [Zhang et al., 2008] is to generalize the values of data transmitted
in a WSN, such that although individual data content cannot be decrypted,
the aggregator can still obtain an accurate estimate of the histogram of data distribution,
and thereby approximate the aggregates.
– Private date query: The query issued to a WSN (to retrieve the collected data)
is often also of critical privacy concerns. To address this challenge, a target-region
transformation technique was proposed in [Carbunar et al., 2007] to fuzzy the target
region of the query according to predefined transformation functions.
Context-oriented privacy protection: Context-oriented privacy protection focuses on
protecting contextual information, such as the location and timing information of traffic
transmitted in a WSN. Location privacy concerns may arise for such special sensor nodes as
the data source and the base station. Timing privacy, on the other hand, concerns the time
when sensitive data is created at a data source, collected by a sensor node and transmitted
to the base station.
– Location privacy: A major challenge for context-oriented privacy protection is that
an adversary may be able to compromise private information even without the ability
of decrypting the transmitted data. In particular, since hop-by-hop transmission is
required to address the limited transmission range of sensor nodes, an adversary may
derive the locations of important nodes and data sources by observing and analyzing
the traffic patterns between different hops.
Location privacy of data source: In event driven networks, an event is generated
if something interesting happens in the vicinity of the node. In some networks, the
5

1. INTRODUCTION
only data sent to the base station is the occurrence of the event. Thus the presence
of communication reveals the location of the event. In some situations, it must be
hidden from an attacker. Some approaches are described in the following:
Baseline and probabilistic flooding mechanisms: The basic idea of baseline
flooding is for each sensor to broadcast the data it receives from one neighbor
to all of its other neighbors. The premise of this approach is that all sensors
participate in the data transmission so that it is unlikely for an attacker to
track a path of transmission back to the data source [Kamat et al., 2005]. This
can be further optimized if not every node rebroadcasts the message, only a
probabilistic set of them.
Random walk mechanisms: According to [Kamat et al., 2005], a random
walk can be performed before the probabilistic flooding to further increase the
uncertainty of the attacker. To improve simple random walk, a two-way greedy
random walk(GROW) scheme was proposed in [Xi et al., 2006].
Dummy data mechanism: To further protect the location of the data source,
fake data packets can be introduced to perturb the traffic patterns observed by
the adversary. In particular, a simple scheme called Short-lived Fake Source
Routing was proposed in [Kamat et al., 2005] for each sensor to send out a fake
packet with a pre-determined probability.
Fake data sources mechanism: The basic idea of fake data source is to
choose one or more sensor node to simulate the behavior of a real data source
in order to confuse the adversaries [Mehta et al., 2007].
Location privacy of base station: In a WSN, a base station is not only in
charge of collecting and analyzing data, but also used as the gateway connecting the
WSN with outside wireless or wired network. Consequently, destroying or isolating
the base station may lead to the malfunction of the entire network. This can be
circumvented if the location of the base station is unknown to the adversary.
Defense against local adversaries: The location information or identifier
of the base station is sent in clear in many protocols. These information must be
hidden from an eavesdropper, which can be done by traditional cryptographic
techniques (encryption). Another problem can be if the attacker can follow
the way of packets from the source towards the base station. This can be
mitigated by changing data appearance by re-encryption [Deng et al., 2006a;
Dingledine et al., 2004], routing with multiple parents [Deng et al., 2005; Deng et
al., 2006a], routing with random walk [Jian et al., 2007], or decorrelating parentchild
relationship by randomly selecting sending time [Deng et al., 2006a].
Defense against global adversaries: The techniques discussed above are
inefficient against a global attacker. To fight against a global attacker the
traffic patterns of the whole network must be modified. This can be done by
hiding traffic pattern by controlling transmission rate [Deng et al., 2006a], or
by propagating dummy data [Deng et al., 2005; Deng et al., 2006a].
– Temporal privacy problem: When an adversary eavesdrops a message, it can
deduce the sending time of the message from the time it eavesdropped and the TTL
value. In some applications this information must be hidden. It can be done by randomly
delaying the messages by the relaying nodes [Kamat et al., 2007].
As it can be seen from the discussion above, a considerable amount of work has been done in the
field of privacy in wireless sensor networks. However, the particular problem of location privacy
of aggregator nodes received less attention. Therefore, in Chapter 4, I study this problem and
propose two anonym aggregator election protocols, which can hide the identity of the aggregator
nodes.
6

1.3. Introduction to Wireless Sensor Networks
The remainder of the dissertation is organized as follows: In Chapter 2, I propose two private
authentication schemes for resource limited systems, such as RFID systems. The results presented
in Chapter 2 have been published in [Buttyan et al., 2006a; Buttyan et al., 2006b; Avoine et
al., 2007]. In Chapter 3, I analyze the privacy achieved by pseudonym changing techniques in
vehicular ad hoc networks, and propose a pseudonym changing algorithm for VANETs. All results
of Chapter 3 have been published in [Buttyan et al., 2007; Papadimitratos et al., 2008; Holczer et
al., 2009; Buttyan et al., 2009]. In Chapter 4, I analyze how an aggregator node can be elected and
used in wireless sensor networks without revealing its identity. All results of Chapter 4 have been
published in [Buttyán and Holczer, 2009; Buttyán and Holczer, 2010; Holczer and Buttyán, 2011;
Schaffer et al., 2012]. The possible application of the new results can be found in Chapter 5, while
Chapter 6 concludes the dissertation.
7

Chapter 2
Private Authentication in Resource
Constrained Environments
2.1 Introduction to private authentication
Entity authentication is the process whereby a party (the prover) corroborates its identity to
another party (the verifier). Entity authentication is often based on authentication protocols in
which the parties pass messages to each other. These protocols are engineered in such a way that
they resist various types of impersonation and replay attacks [Boyd and Mathuria, 2003]. However,
less attention is paid to the requirement of preserving the privacy of the parties (typically that of
the prover) with respect to an eavesdropping third party. Indeed, in many of the well-known and
widely used authentication protocols (e.g., [ISO, 2008; Kohl and Neuman, 1993]) the identity of
the prover is sent in cleartext, and hence, it is revealed to an eavesdropper.
One approach to solve this problem is based on public key cryptography, and it consists of
encrypting the identity information of the prover with the public key of the verifier so that no
one but the verifier can learn the prover’s identity [Abadi and Fournet, 2004]. Another approach,
also based on public key techniques, is that the parties first run an anonymous Diffie-Hellman key
exchange and establish a confidential channel, through which the prover can send its identity and
authentication information to the verifier in a second step. An example for this second approach is
the main mode of the Internet Key Exchange (IKE and IKEv2) protocol [Harkins and Carrel, 1998;
Black and McGrew, 2008]. While it is possible to hide the identity of the prover by using the above
mentioned approaches, they provide appropriate solution to the problem only if the parties can
afford public key cryptography. In many applications, such as low cost RFID tags and contactless
smart card based automated fare collection systems in mass transportation, this is not the case,
while at the same time, the provision of privacy (especially location privacy) in those systems is
strongly desirable.
The problem of using symmetric key encryption to hide the identity of the prover is that
the verifier does not know which symmetric key it should use to decrypt the encrypted identity,
because the appropriate key cannot be retrieved without the identity. The verifier may try all
possible keys in its key database until one of them properly decrypts the encrypted identity 1 , but
this would increase the authentication delay if the number of potential provers is large. Long
authentication delays are usually not desirable, moreover, in some cases, they may not even be
acceptable. As an example, let us consider again contactless smart card based electronic tickets
in public transportation: the number of smart cards in the system (i.e., the number of potential
provers) may be very large in big cities, while the time needed to authenticate a card should be
short in order to ensure a high throughput of passengers and avoid long queues at entry points.
1 This of course requires redundancy in the encrypted message so that the verifier can determine if the decryption
was successful.
9

2. PRIVATE AUTHENTICATION
Some years ago, Molnar and Wagner proposed an elegant approach to privacy protecting authentication
[Molnar and Wagner, 2004] that is based on symmetric key cryptography while still
ensuring short authentication delays. More precisely, the complexity of the authentication procedure
in the Molnar-Wagner scheme is logarithmic in the number of potential provers, in contrast
with the linear complexity of the naïve key search approach. The main idea of Molnar and Wagner
is to use key-trees (see Figure 2.1 for illustration). A key-tree is a tree where a unique key is assigned
to each edge. The leaves of the tree represent the potential provers, which is called members
in the sequel. Each member possesses the keys assigned to the edges of the path starting from the
root and ending in the leaf that corresponds to the given member. The verifier knows all keys in
the tree. In order to authenticate itself, a member uses all of its keys, one after the other, starting
from the first level of the tree and proceeding towards lower levels. The verifier first determines
which first level key has been used. For this, it needs to search through the first level keys only.
Once the first key is identified, the verifier continues by determining which second level key has
been used. However, for this, it needs to search through those second level keys only that reside
below the already identified first level key in the tree. This process is continued until all keys are
identified, which at the end, identify the authenticating member. The key point is that the verifier
can reduce the search space considerably each time a key is identified, because it should consider
only the subtree below the recently identified key.
k111
k11
k1
Figure 2.1: Illustration of a key-tree. There is a unique key assigned to each edge. Each leaf
represents a member of the system that possesses the keys assigned to the edges of the path
starting from the root and ending in the given leaf. For instance, the member that belongs to the
leftmost leaf in the figure possesses the keys k1, k11, and k111.
The problem of the above described tree-based approach is that upper level keys in the tree are
used by many members, and therefore, if a member is compromised and its keys become known
to the adversary, then the adversary gains partial knowledge of the key of other members too
[Avoine et al., 2005]. This obviously reduces the privacy provided by the system to its members,
since by observing the authentication of an uncompromised member, the adversary can recognize
the usage of some compromised keys, and therefore its uncertainty regarding the identity of the
authenticating member is reduced (it may be able to determine which subtree the member belongs
to).
One interesting observation is that the naïve, linear key search approach can be viewed as a
special case of the key-tree based approach, where the key-tree has a single level and each member
has a single key. Regarding the above described problem of compromised members, the naïve
approach is in fact optimal, because compromising a member does not reveal any key information
of other members. At the same time, as described above, the authentication delay is the worst in
this case. On the other hand, in case of a binary key-tree, it can be observed that the compromise
of a single member strongly 2 affects the privacy of the other members, while at the same time,
the binary tree is very advantageous in terms of authentication delay. Thus, there seems to be a
trade-off between the level of privacy provided by the system and the authentication delay, which
depends on the parameters of the key-tree, but it is far from obvious to see how the optimal
2 The precise quantification of this effect is the topic of this chapter and will be presented later.
10

2.2. Resistance to single member compromise
key-tree should look like. In this chapter, I address this problem, and I show how to find optimal
key-trees.
In this chapter, after finding the optimal key-tree, I go further and I present a novel symmetrickey
private authentication scheme that provides a higher level of privacy and achieves better
efficiency than the key-tree based approach. This approach is called the group based approach.
More precisely, the complexity of the group based scheme for the reader can be set to be O(log N)
(i.e., the same as in the key-tree based approach), while the complexity for the tags is always a
constant (in contrast to O(log N) of the key-tree based approach). Hence, the group based scheme
is better than the key-tree based scheme both in terms of privacy and efficiency, and therefore, it
is a serious alternative to the key-tree based scheme to be considered by the RFID community.
More precisely, the main contributions are the following:
I propose a benchmark metric for measuring the resistance of the system to a single compromised
member based on the concept of anonymity sets. To the best of my knowledge,
anonymity sets have not been used in the context of private authentication yet. I prove that
this simply defined metric is equivalent to a metric widely used in cryptography with a much
more complex definition. The real contribution of the metric, is that its definition simplifies
the usage of the metric without losing any details of the more complex metric.
I introduce the idea of using different branching factors at different levels of the key-tree;
the advantage is that the system’s resistance to single member compromise can be increased
while still keeping the authentication delay short. To the best of my knowledge, key-trees
with variable branching factors have not been proposed yet for private authentication.
I present an algorithm for determining the optimal parameters of the key-tree, where optimal
means that resistance to single member compromise is maximized, while the authentication
delay is kept below a predefined threshold.
In the general case, when any member can be compromised, I give a lower bound on the
level of privacy provided by the system, and present some simulation results that show that
this lower bound is quite sharp. This allows me to compare different systems based on their
lower bounds.
I introduce a group based approach, which is superior to the tree-based approach in many
properties.
In summary, I propose practically usable techniques for designers of RFID based authentication
systems.
The outline of the chapter is the following: in Section 2.2, I introduce my benchmark metric
to measure the level of privacy provided by key-tree or group based authentication systems, and
I illustrate, through an example, how this metric can be used to compare systems with different
parameters. By the same token, I also show that key-trees with variable branching factors can be
better than key-trees with a constant branching factor at every level. In Section 2.3, I formulate
the problem of finding the best key-tree with respect to my benchmark metric as an optimization
problem, and I present an algorithm that solves that optimization problem. In Section 2.4, I
consider the general case, when any number of members can be compromised, and I derive a useful
lower bound on the level of privacy provided by the system. After finding the optimal key-tree, I
describe the operation of my group based scheme in Section 2.5, and I quantify the level of privacy
that it provides in Section 2.6. I compare the group based scheme to the key-tree based approach
in Section 2.7. Finally, in Section 2.8, I report on some related work, and in Section 2.9, I conclude
the chapter.
2.2 Resistance to single member compromise
There are different ways to measure the level of anonymity provided by a system [Diaz et al., 2002;
Serjantov and Danezis, 2003]. Here the concept of anonymity sets [Chaum, 1988] is used. The
11

2. PRIVATE AUTHENTICATION
anonymity set of a member v is the set of members that are indistinguishable from v from the
adversary’s point of view. The size of the anonymity set is a good measure of the level of privacy
provided for v, because it is related to the level of uncertainty of the adversary, if all members
of the set are equiprobably likely (otherwise an entropy based metric can be used). Clearly, the
larger the anonymity set is, the higher the level of privacy is. The minimum size of the anonymity
set is 1, and its maximum size is equal to the number of all members in the system. In order to
make the privacy measure independent of the number of members, one can divide the anonymity
set size by the total number of members, and obtain a normalized privacy measure between 0 and
1. Such normalization makes the comparison of different systems easier.
Now, let us consider a key-tree with ℓ levels and branching factors b1, b2, . . . , bℓ at the levels, and
let us assume that exactly one member is compromised (see Figure 2.2 for illustration). Knowledge
of the compromised keys allows the adversary to partition the members into subsets P0, P1, P2, . . .,
where
P0 contains the compromised member only,
P1 contains the members the parent of which is the same as that of the compromised member,
and that are not in P0,
P2 contains the members the grandparent of which is the same as that of the compromised
member, and that are not in P0 ∪ P1,
etc.
Members of a given subset are indistinguishable for the adversary, while it can distinguish between
members that belong to different subsets. Hence, each subset is the anonymity set of its members.
k111
k11
k1
P0 P1 P2 P3
Figure 2.2: Illustration of what happens when a single member is compromised. Without loss
of generality, it is assumed that the member corresponding to the leftmost leaf in the figure is
compromised. This means that the keys k1, k11, and k111 become known to the adversary. This
knowledge of the adversary partitions the set of members into anonymity sets P0, P1, . . . of different
sizes. Members that belong to the same subset are indistinguishable to the adversary, while it can
distinguish between members that belong to different subsets. For instance, the adversary can
recognize a member in subset P1 by observing the usage of k1 and k11 but not that of k111, where
each of these keys are known to the adversary. Members in P3 are recognized by not being able to
observe the usage of any of the keys known to the adversary.
The level of privacy provided by the system can be characterized by the level of privacy provided
to a randomly selected member, or in other words, by the expected size of the anonymity set of a
randomly selected member. By definition, the expected anonymity set size is:
¯S =
ℓ∑
i=0
|Pi|
N |Pi| =
12
ℓ∑
i=0
|Pi| 2
N
(2.1)

2.2. Resistance to single member compromise
where N is the total number of members, and |Pi|/N is the probability of selecting a member from
subset Pi. The resistance to single member compromise, denoted by R, is defined as the normalized
expected anonymity set size, which can be computed as follows:
R = ¯ S
N =
=
=
where it is used that
1
N 2
1
N 2
ℓ∑
i=0
|Pi| 2
N 2
( 1 + (bℓ − 1) 2 + ((bℓ−1 − 1)bℓ) 2 + . . . + ((b1 − 1)b2b3 . . . bℓ) 2)
⎛
⎝1 + (bℓ − 1) 2 ∑ℓ−1
+ (bi − 1) 2
i=1
|P0| = 1
|P1| = bℓ − 1
ℓ∏
j=i+1
|P2| = (bℓ−1 − 1)bℓ
b 2 j
|P3| = (bℓ−2 − 1)bℓ−1bℓ
. . . . . .
|Pℓ| = (b1 − 1)b2b3 . . . bℓ
⎞
⎠ (2.2)
As its name indicates, R characterizes the loss of privacy due to the compromise of a single
member of the system. If R is close to 1, then the expected anonymity set size is close to the total
number of members, and hence, the loss of privacy is small. On the other hand, if R is close to
0, then the loss of privacy is high, as the expected anonymity set size is small. R is used as a
benchmark metric based on which different systems can be compared.
This metric can be seen as being a little ad hoc, but actually the same metric is used in other
papers like [Avoine et al., 2005] with a different more complex definition:
Theorem 1. The expected anonymity set size based metric (R) is complement to the one tag
tampering based metric (M) defined in [Avoine et al., 2005].
Proof. The metric M used in [Avoine et al., 2005] is defined in that paper as:
1. The attacker has one tag T0 (e.g., her own) she can tamper with and thus obtain its complete
secret. For the sake of calculation simplicity, we assume that T0 is put back into circulation.
When the number of tags in the system is large, this does not significantly affect the results.
2. She then chooses a target tag T. She can query it as much as she wants but she cannot
tamper with it.
3. Given two tags T1 and T2 such that T ∈ {T1, T2}, we say that the attacker succeeds if she
definitely knows which of T1 and T2 is T . We define the probability to trace T as being the
probability that the attacker succeeds. To do that, the attacker can query T1 and T2 as many
times as she wants but, obviously, cannot tamper with them.
In the following P1 . . . Pk are the subsets of the tags after the compromise of some tags
( ∑k i=1 Pi = N).
In the third step, the attacker can be successful if (and only if) T1 and T2 belongs to different
subsets.
The probability of the attacker’s success is the probability that two randomly chosen tags
belongs to two different subsets. This probability can be calculated as follows:
M = 1 − Pr(T1, T2 are in P1) − . . . − Pr(T1, T2 are in Pk) = 1 −
This is the complement of the metric R (M + R = 1).
13
k∑
i=1
( ) 2
Pi
N

2. PRIVATE AUTHENTICATION
Obviously, a system with greater R is better, and therefore, one would like to maximize R (and
at the same time minimize M). However, there are some constraints. The maximum authentication
delay, denoted by D, is defined as the number of basic operations needed to authenticate any
member in the worst case. The maximum authentication delay in case of key-tree based authenti-
cation can be computed as D = ∑ ℓ
i=1 bi. In most practical cases, there is an upper bound Dmax
on the maximum authentication delay allowed in the system. For instance, in the specification
for electronic ticketing systems for public transport applications in Hungary [Berki, 2008], it is
required that a ticket validation transaction should be completed in 250 ms. Taking into account
the details of the ticket validation protocol, one can derive Dmax for electronic tickets from such
specifications. Therefore, in practice, the designer’s task is to maximize R under the constraint
that D ≤ Dmax. This problem is addressed in Section 2.3.
In the remainder of this section, I illustrate how the benchmark metric R can be used to
compare different systems. This exercise will also lead to an important revelation: key-trees with
varying branching factors at different levels could provide higher level of privacy than key-trees
with a constant branching factor, while having the same or even a shorter authentication delay.
Example: Let us assume that the total number N of members is 27000 and the upper bound Dmax
on the maximum authentication delay is 90. Let us consider a key-tree with a constant branching
factor vector B = (30, 30, 30), and another key-tree with branching factor vector B ′ = (60, 10, 9, 5).
Both key-trees can serve the given population of members, since 30 3 = 60 · 10 · 9 · 5 = 27000.
In addition, both key-trees ensure that the maximum authentication delay is not longer than
Dmax: for the first key-tree, we have D = 3 · 30 = 90, whereas for the second one, we get
D = 60+10+9+5 = 84. Using (2.2), we can compute the resistance to single member compromise
for both key-trees. For the first tree, we get R ≈ 0.9355, while for the second tree we obtain
R ≈ 0.9672. Thus, we can arrive to the conclusion that the second key-tree with variable branching
factors is better, as it provides a higher level of privacy, while ensuring a smaller authentication
delay.
At this point, several questions arise naturally: Is there an even better branching factor vector
than B ′ for N = 27000 and Dmax = 90? What is the best branching factor vector for this case?
How can we find the best branching factor vector in general? I give the answers to these questions
in the next section.
2.3 Optimal trees in case of single member compromise
The problem of finding the best branching factor vector can be described as an optimization
problem as follows: Given the total number N of members and the upper bound Dmax on the
maximum authentication delay, find a branching factor vector B = (b1, b2, . . . bℓ) such that R(B)
is maximal subject to the following constraints:
ℓ∏
bi = N (2.3)
i=1
ℓ∑
bi ≤ Dmax (2.4)
i=1
This optimization problem is analyzed through a series of lemmas that will lead to an algorithm
that solves the problem. The first lemma states that we can always improve a branching factor
vector by ordering its elements in decreasing order, and hence, in the sequel only ordered vectors
are considered:
Lemma 1. Let N and Dmax be the total number of members and the upper bound on the
maximum authentication delay, respectively. Moreover, let B be a branching factor vector and let
B ∗ be the vector that consists of the sorted permutation of the elements of B in decreasing order.
If B satisfies the constraints of the optimization problem defined above, then B ∗ also satisfies
them, and R(B ∗ ) ≥ R(B).
14

2.3. Optimal trees in case of single member compromise
Proof. B ∗ has the same elements as B has, therefore, the sum and the product of the elements of
B ∗ are the same as that of B, and so if B satisfies the constraints of the optimization problem,
then B ∗ does so too.
Now, let us assume that B ∗ is obtained from B with the bubble sort algorithm. The basic step
of this algorithm is to change two neighboring elements if they are not in the right order. Let us
suppose that bi < bi+1, and thus, the algorithm changes the order of bi and bi+1. Then, using
(2.2), we can express ∆R = R(B ∗ ) − R(B) as follows:
∆R = 1
N 2
⎛
⎝(bi+1 − 1) 2 b 2 i
=
=
1
N 2
⎛
⎝(bi − 1) 2 b 2 i+1
∏ ℓ
j=i+2 b2 j
ℓ∏
j=i+2
ℓ∏
j=i+2
b 2 j + (bi − 1) 2
b 2 j + (bi+1 − 1) 2
ℓ∏
j=i+2
ℓ∏
b 2 j
j=i+2
⎞
⎠ −
N 2
(
(bi+1 − 1) 2 b 2 i + (bi − 1) 2 − (bi − 1) 2 b 2 i+1 − (bi+1 − 1) 2)
∏ℓ j=i+2 b2j N 2
(
(bi+1 − 1) 2 (b 2 i − 1) − (bi − 1) 2 (b 2 i+1 − 1) )
= (bi − 1)(bi+1 − 1) ∏ℓ j=i+2 b2j N 2
((bi+1 − 1)(bi + 1) − (bi − 1)(bi+1 + 1))
Since bi ≥ 2 for all i, ∆R is non-negative if
bi + 1
bi − 1 ≥ bi+1 + 1
bi+1 − 1
But (2.5) must hold, since the function f(x) = x+1
x−1 is a monotone decreasing function, and by
assumption, bi < bi+1. This means, that when sorting the elements of B, we improve R(B) in
every step, and thus, R(B∗ ) ≥ R(B) must hold. ⋄
The following lemma provides a lower bound and an upper bound for the resistance to single
member compromise:
Lemma 2. Let B = (b1, b2, . . . bℓ) be a sorted branching factor vector (i.e., b1 ≥ b2 ≥ . . . ≥ bℓ).
We can give the following lower and upper bounds on R(B):
Proof. By definition
(
1 − 1
b1
) 2
≤ R(B) ≤
R = 1
N 2
⎛
⎝1 + (bℓ − 1) 2 +
=
( b1 − 1
b1
) 2
(
1 − 1
∑ℓ−1
(bi − 1) 2
i=1
b1
+ 1
N 2
⎛
⎝1 + (bℓ − 1) 2 +
) 2
ℓ∏
j=i+1
b 2 j
+ 4
3b 2 1
b 2 j
⎞
⎠
⎞
⎠
∑ℓ−1
(bi − 1) 2
i=2
ℓ∏
j=i+1
b 2 j
⎞
(2.5)
(2.6)
⎠ (2.7)
where it is used that N = b1b2 . . . bℓ. The lower bound in the lemma 3 follows directly from (2.7).
3
( ) 2
b1−1
Note that we could also derive the slightly better lower bound of + b1
1
N 2 from (2.7), however, we do not
need that in this chapter.
15

2. PRIVATE AUTHENTICATION
In order to obtain the upper bound, we can write bi instead of (bi − 1) in the sum in (2.7):
R <
=
( b1 − 1
b1
( b1 − 1
b1
b1
) 2
) 2
+ 1
N 2
⎛
⎝1 +
⎛
+ 1
b 2 1
+ 1
b 2 1
⎝1 +
ℓ∑
ℓ∏
i=2 j=i
ℓ∑
i∏
b 2 j
b
i=2 j=2
2 j
i=2
⎞
⎠
⎞
1
⎠
Since bi ≥ 2 for all i, we can write 2 in place of bi in the sum, and we obtain:
R <
( ) 2
b1 − 1
+
b1
1
b2 =
⎛
⎞
ℓ∑ i∏
⎝1
1
+ ⎠
1
4
i=2 j=2
( ) 2
b1 − 1
+
b1
1
b2 <
(
ℓ∑
( ) )
i−1
1
1 +
1
4
i=2
( ) (
2
∞∑
( ) )
i−1
b1 − 1
1
1 +
4
=
( b1 − 1
and this is the upper bound in the lemma. ⋄
b1
) 2
+ 1
b 2 1
1
1 − 1
4
Let us consider the bounds in Lemma 2. Note that the branching factor vector is ordered,
therefore, b1 is not smaller than any other bi. We can observe that if we increase b1, then the
difference between the upper and the lower bounds decreases, and R(B) gets closer to 1. Intuitively,
this implies that in order to find the solution to the optimization problem, b1 should be maximized.
The following lemma confirms this intuition formally:
Lemma 3. Let N and Dmax be the total number of members and the upper bound on the maximum
authentication delay, respectively. Moreover, let B = (b1, b2, . . . , bℓ) and B ′ = (b ′ 1, b ′ 2, . . . , b ′ ℓ ′)
be two sorted branching factor vectors that satisfy the constraints of the optimization problem
defined above. Then, b1 > b ′ 1 implies R(B) ≥ R(B ′ ).
Proof. First, we can prove that the statement of the lemma is true if b ′ 1 ≥ 5. We know from
Lemma 2 that
R(B ′ (
) < 1 − 1
b ′ ) 2
+
1
4
3b ′ 2
1
and
R(B) >
(
1 − 1
b1
) 2
(
≥ 1 − 1
b ′ 1 + 1
where we used that b1 > b ′ 1 by assumption. If we can prove that
(
1 − 1
b ′ ) 2
1
+ 4
3b ′ (
≤ 2
1
1 − 1
b ′ 1 + 1
then we also proved that R(B ′ ) ≤ R(B). Indeed, a straightforward calculation yields that (2.8) is
true if b ′ √
15
1 ≥ 2 + 2 , and since b′ 1 is an integer, we are done.
Next, we can make the observation that a branching factor vector A = (a1, . . . , ak, 2, 2) that
has at least two 2s at the end can be improved by joining two 2s into a 4 and obtaining A ′ =
16
) 2
) 2
(2.8)

2.3. Optimal trees in case of single member compromise
(a1, . . . , ak, 4). It is clear that neither the sum nor the product of the elements changes with this
transformation. In addition, we can use the definition of R to get
and
N 2 · R(A) = ((a1 − 1) · a2 · . . . · ak · 2 · 2) 2 + . . . + ((ak − 1) · 2 · 2) 2 +
((2 − 1) · 2) 2 + (2 − 1) 2 + 1
N 2 · R(A ′ ) = ((a1 − 1) · a2 · . . . · ak · 4) 2 + . . . + ((ak − 1) · 4) 2 +
(4 − 1) 2 + 1
Thus, R(A ′ ) − R(A) = 1
N 2 (9 − 4 − 1) > 0, which means that A ′ is better than A.
Now, that is proven that the lemma is also true for b ′ 1 ∈ {2, 3, 4}:
b ′ 1 = 2: Since B ′ is an ordered vector where b ′ 1 is the largest element, it follows that every
element of B ′ is 2, and thus, N is a power of 2. From Lemma 2, R(B ′ ) < (1− 1
2 )2 + 4
3·22 = 7
12
and R(B) > (1 − 1
b1 )2 . It is easy to see that (1 − 1
b1 )2 ≥ 7
12 if b1
1 ≥
1− √ = 4.23. Since
7
12
b1 > b ′ 1, the remaining cases are b1 = 3 and b1 = 4. However, b1 = 3 cannot be the case,
because N is a power of 2. If b1 = 4, then B can be obtained from B ′ by joining pairs of
2s into 4s and then ordering the elements. However, according to the observation above and
Lemma 1, both operations improve the vector. It follows that R(B) ≥ R(B ′ ) must hold.
b ′ 1 = 3: From Lemma 2, R(B ′ ) < (1 − 1
3 )2 + 4
3·32 = 16
27
that (1 − 1
b1 )2 ≥ 16
27 if b1 ≥
In this case, the vectors are as follows:
and R(B) > (1 − 1
b1 )2 . It is easy to see
9
9−4· √ 3 = 4.34. Since b1 > b ′ 1, the only remaining case is b1 = 4.
B = ( 2 2 , . . . , 2 2 ,
i
B ′
= ( 3, . . . , 3,
j
j
3, . . . , 3,
2i+k
2, . . . , 2)
k
2, . . . , 2)
where i, j ≥ 1 and k ≥ 0. This means that B can be obtained from B ′ by joining i pairs of
2s into 4s and then ordering the elements. However, as we saw earlier, both joining 2s into
4s and ordering the elements improve the vector, and thus, R(B) ≥ R(B ′ ) must hold.
b ′ 1 = 4: Since B ′ is an ordered vector where b ′ 1 is the largest element, it follows that N is not
divisible by 5. From Lemma 2, R(B ′ ) < (1 − 1
4 )2 + 4
3·42 = 31
48
easy to see that (1 − 1
b1 )2 ≥ 31
48 if b1 ≥
1
1− √ 31
48
and R(B) > (1 − 1
b1 )2 . It is
= 5.09. Since b1 > b ′ 1, the remaining case is
b1 = 5. However, b1 = 5 cannot be the case, because N is not divisible by 5. ⋄
Lemma 3 states that given two branching factor vectors, the one with the larger first element is
always at least as good as the other. The next lemma generalizes this result by stating that given
two branching factor vectors the first j elements of which are equal, the vector with the larger
(j + 1)-st element is always at least as good as the other.
Lemma 4. Let N and Dmax be the total number of members and the upper bound on the maximum
authentication delay, respectively. Moreover, let B = (b1, b2, . . . , bℓ) and B ′ = (b ′ 1, b ′ 2, . . . , b ′ ℓ ′)
be two sorted branching factor vectors such that bi = b ′ i for all 1 ≤ i ≤ j for some j < min(ℓ, ℓ′ ),
and both B and B ′ satisfy the constraints of the optimization problem defined above. Then,
bj+1 > b ′ j+1 implies R(B) ≥ R(B′ ).
17

2. PRIVATE AUTHENTICATION
Proof. By definition
R(B) = 1
N 2
=
=
⎛
⎝1 + (bℓ − 1) 2 ∑ℓ−1
+ (bi − 1) 2
( b1 − 1
b1
( b1 − 1
b1
) 2
) 2
where B1 = (b2, b3, . . . , bℓ). Similarly,
i=1
+ 1
b2 ⎛
⎝
1
1
(N/b1) 2
+ 1
b2 · R(B1)
1
R(B ′ ( ′ b 1 − 1
) =
b ′ 1
ℓ∏
j=i+1
b 2 j
⎞
⎠
⎛
⎝1 + (bℓ − 1) 2 ∑ℓ−1
+ (bi − 1) 2
) 2
+ 1
b ′ · R(B 2
1
′ 1)
i=2
ℓ∏
j=i+1
where B ′ 1 = (b ′ 2, b ′ 3, . . . , b ′ ℓ ′). Since b1 = b ′ 1, R(B) ≥ R(B ′ ) if and only if R(B1) ≥ R(B ′ 1). By
repeating the same argument for B1 and B ′ 1, we get that R(B) ≥ R(B ′ ) if and only if R(B2) ≥
R(B ′ 2), where B2 = (b3, . . . , bℓ) and B ′ 2 = (b ′ 3, . . . , b ′ ℓ ′). And so on, until we get that R(B) ≥ R(B′ )
if and only if R(Bj) ≥ R(B ′ j ), where Bj = (bj+1, . . . , bℓ) and B ′ j = (b′ j+1 , . . . , b′ ℓ ′). But from
, and we are done. ⋄
Lemma 3, we know that R(Bj) ≥ R(B ′ j ) if bj+1 > b ′ j+1
I will now present an algorithm that finds the solution to the optimization problem. However,
before doing that, we need to introduce some further notations. Let B = (b1, b2, . . . , bℓ) and
B ′ = (b ′ 1, b ′ 2, . . . , b ′ ℓ ′). Then
∏ ∏ℓ (B) denotes i=1 bi;
∑ ∑ℓ (B) denotes i=1 bi;
{B} denotes the set {b1, b2, . . . , bℓ} of the elements of B;
B ′ ⊆ B means that {B ′ } ⊆ {B};
b 2 j
⎞⎞
⎠⎠
if B ′ ⊆ B, then B \ B ′ denotes the vector that consists of the elements of {B} \ {B ′ } in
decreasing order;
if b is a positive integer, then b|B denotes the vector (b, b1, b2, . . . , bℓ).
The algorithm is defined as a recursive function f, which takes two input parameters, a vector
B of positive integers, and another positive integer d, and returns a vector of positive integers. In
order to compute the optimal branching factor vector for a given N and Dmax, f should be called
with the vector that contains the prime factors of N, and Dmax. For instance, if N = 27000 and
Dmax = 90 (the same parameters are used as in the example in Sec 2.2, to compare the naïve
and algorithmical results), then f should be called with B = (5, 5, 5, 3, 3, 3, 2, 2, 2) and d = 90.
Function f will then return the optimal branching factor vector.
Function f is defined Algorithm 1.
The operation of the algorithm can be described as follows: The algorithm starts with a branching
factor vector consisting of the prime factors of N. This vector satisfies the first constraint of
the optimization problem by definition. If it does not satisfy the second constraint (i.e., it does not
respect the upper bound on the maximum authentication delay), then no solution exists. Otherwise,
the algorithm successively improves the branching factor vector by maximizing its elements,
starting with the first element, and then proceeding to the next elements, one after the other. Maximization
of an element is done by joining as yet unused prime factors until the resulting divisor
of N cannot be further increased without violating the constraints of the optimization problem.
18

Algorithm 1 Optimal branching factor generating algorithm
f(B, d)
if ∑ (B) > d then
exit (no solution exists)
else
find B ′ ⊆ B such that
∏ (B ′ ) + ∑ (B \ B ′ ) ≤ d and ∏ (B ′ ) is maximal
end if
if B ′ = B then
return ( ∏ (B ′ ))
else
return ∏ (B ′ )|f(B \ B ′ , d − ∏ (B ′ ))
end if
2.3. Optimal trees in case of single member compromise
Theorem 2. Let N and Dmax be the total number of members and the upper bound on the
maximum authentication delay, respectively. Moreover, let B be a vector that contains the prime
factors of N. Then, f(B, Dmax) is an optimal branching factor vector for N and Dmax.
Proof. I will give a sketch of the proof. Let B ∗ = f(B, Dmax), and let us assume that there is
another branching factor vector B ′ ̸= B ∗ that also satisfies the constraints of the optimization
problem and R(B ′ ) > R(B ∗ ). I will show that this leads to a contradiction, hence B ∗ should be
optimal.
Let B ∗ = (b ∗ 1, b ∗ 2, . . . , b ∗ ℓ ∗) and B′ = (b ′ 1, b ′ 2, . . . , b ′ ℓ ′). Recall that B∗ is obtained by first maximizing
the first element in the vector, therefore, b ∗ 1 ≥ b ′ 1 must hold. If b ∗ 1 > b ′ 1, then R(B ∗ ) ≥ R(B ′ )
by Lemma 3, and thus, B ′ cannot be a better vector than B ∗ . This means that b ∗ 1 = b ′ 1 must hold.
We know that once b ∗ 1 is determined, the algorithm continues by maximizing the next element
of B ∗ . Hence, b ∗ 2 ≥ b ′ 2 must hold. If b ∗ 2 > b ′ 2, then R(B ∗ ) ≥ R(B ′ ) by Lemma 4, and thus, B ′
cannot be a better vector than B ∗ . This means that b ∗ 2 = b ′ 2 must hold too.
By repeating this argument, finally, we arrive to the conclusion that B ∗ = B ′ must hold, which
is a contradiction. ⋄
Table 2.1 illustrates the operation of the algorithm for B = (5, 5, 5, 3, 3, 3, 2, 2, 2) and d = 90.
The rows of the table correspond to the levels of the recursion during the execution. The column
labeled with B ′ contains the prime factors that are joined at a given recursion level. The optimal
branching factor vector can be read out from the last column of the table (each row contains one
element of the vector). From this example, we can see that the optimal branching factor vector
for N = 27000 and Dmax = 90 is B ∗ = (72, 5, 5, 5, 3). For the key-tree defined by this vector, we
get R ≈ 0.9725, and D = 90.
Table 2.1: Illustration of the operation of the recursive function f when called with B =
(5, 5, 5, 3, 3, 3, 2, 2, 2) and d = 90. The rows of the table correspond to the levels of the recursion
during the execution.
recursion level B d B ′ ∏ (B ′ )
1 (5, 5, 5, 3, 3, 3, 2, 2, 2) 90 (3, 3, 2, 2, 2) 72
2 (5, 5, 5, 3) 18 (5) 5
3 (5, 5, 3) 13 (5) 5
4 (5, 3) 8 (5) 5
5 (3) 3 (3) 3
19

2. PRIVATE AUTHENTICATION
2.4 Analysis of the general case
So far, we have studied the case of a single compromised member. This already proved to be useful,
because it allowed us to compare different key-trees and to derive a key-tree construction method.
However, one may still be interested in what level of privacy is provided by a system in the general
case when any number of members could be compromised. In this section, I address this problem.
P
P
Figure 2.3: Illustration of what happens when several members are compromised. Just as in the
case of a single compromised member, the members are partitioned into anonymity sets, but now
the resulting subsets depend on the number of the compromised members, as well as on their
positions in the tree. Nevertheless, the expected size of the anonymity set of a randomly selected
member is still a good metric for the level of privacy provided by the system, although, in this
general case, it is more difficult to compute.
In what follows, we will need to refer to the non-leaf vertices of the key-tree, and for this reason,
I introduce the labelling scheme that is illustrated in Figure 2.3. In addition, we need to introduce
some further notations. I call a leaf compromised if it belongs to a compromised member, and I
call a non-leaf vertex compromised if it lies on a path that leads to a compromised leaf in the tree.
If vertex v is compromised, then
Kv denotes the set of the compromised children of v, and kv = |Kv|;
Pv denotes the set of subsets (anonymity sets) that belong to the subtree rooted at v (see
Figure 2.3 for illustration); and
¯ Sv denotes the average size of the subsets in Pv.
We are interested in computing ¯ S ⟨−⟩. We can do that as follows:
¯S ⟨−⟩ = ∑
P ∈P ⟨−⟩
|P | 2
b1b2 . . . bℓ
= ((b1 − k ⟨−⟩)b2 . . . bℓ) 2
+
b1b2 . . . bℓ
∑
= ((b1 − k ⟨−⟩)b2 . . . bℓ) 2
b1b2 . . . bℓ
∑
v∈K ⟨−⟩ P ∈Pv
+ 1
b1
∑
v∈K ⟨−⟩
In general, for any vertex ⟨i1, . . . , ij⟩ such that 1 ≤ j < ℓ − 1:
¯S ⟨i1,...,ij⟩ = ((bj+1 − k ⟨i1,...,ij⟩)bj+2 . . . bℓ) 2
bj+1 . . . bℓ
20
¯Sv
+ 1
bj+1
|P | 2
b1b2 . . . bℓ
∑
v∈K ⟨i1 ,...,i j ⟩
¯Sv
(2.9)
(2.10)

Finally, for vertices ⟨i1, . . . , iℓ−1⟩ just above the leaves, we get:
¯S ⟨i1,...,iℓ−1⟩ = (bℓ − k ⟨i1,...,iℓ−1⟩) 2
bℓ
2.4. Analysis of the general case
+ k ⟨i1,...,iℓ−1⟩
bℓ
(2.11)
Expressions (2.9 – 2.11) can be used to compute the expected anonymity set size in the system
iteratively, in case of any number of compromised members. However, note that the computation
depends not only on the number c of the compromised members, but also their positions in the tree.
This makes the comparison of different systems difficult, because for a comprehensive analysis,
all possible allocations of the compromised members over the leaves of the key-tree should be
considered. Therefore, such a formula is preferred that depends solely on c, but characterizes the
effect of compromised members on the level of privacy sufficiently well, so that it can serve as a
basis for comparison of different systems. In the following, such a formula is derived based on the
assumption that the compromised members are distributed uniformly at random over the leaves of
the key-tree. In some sense, this is a pessimistic assumption as the uniform distribution represents
the worst case, which leads to the largest amount of privacy loss due to the compromised members.
Thus, the approximation that is derived can be viewed as a lower bound on the expected anonymity
set size in the system when c members are compromised.
Let the branching factor of the key-tree be B = (b1, b2, . . . , bℓ), and let c be the number of
compromised leaves in the tree. We can estimate k ⟨−⟩ for the root as follows:
k ⟨−⟩ ≈ min(c, b1) = k0
(2.12)
If a vertex ⟨i⟩ at the first level of the tree is compromised, then the number of compromised
leaves in the subtree rooted at ⟨i⟩ is approximately c/k0 = c1. Then, we can estimate k ⟨i⟩ as
follows:
k ⟨i⟩ ≈ min(c1, b2) = k1
(2.13)
In general, if vertex ⟨i1, . . . , ij⟩ at the j-th level of the tree is compromised, then the number
of compromised leaves in the subtree rooted at ⟨i1, . . . , ij⟩ is approximately cj−1/kj−1 = cj, and
we can use this to approximate k ⟨i1,...,ij⟩ as follows:
k ⟨i1,...,ij⟩ ≈ min(cj, bj+1) = kj
(2.14)
Using these approximations in expressions (2.9 – 2.11), we can derive an approximation for
¯S ⟨−⟩, which is denoted by ¯ S0, in the following way:
¯Sℓ−1 = (bℓ − kℓ−1) 2
. . . . . .
bℓ
+ kℓ−1
bℓ
¯Sj = ((bj+1 − kj)bj+2 . . . bℓ) 2
. . . . . .
bj+1 . . . bℓ
¯S0 = ((b1 − k0)b2 . . . bℓ) 2
b1 . . . bℓ
+ k0 ¯S1
b1
+ kj ¯Sj+1
bj+1
(2.15)
(2.16)
(2.17)
Note that expressions (2.17 – 2.15) do not depend on the positions of the compromised leaves
in the tree, but they depend only on the value of c.
In order to see how well ¯ S0 estimates ¯ S ⟨−⟩, some simulations are run. The simulation parameters
are the following:
total number of members N = 27000;
upper bound on the maximum authentication delay Dmax = 90;
Two branching factor vectors are considered: (30, 30, 30) and (72, 5, 5, 5, 3);
The number c of compromised members is varied between 1 and 270 with a step size of one.
21

2. PRIVATE AUTHENTICATION
For each value of c, I run 100 simulations 4 . In each simulation run, the c compromised members
were chosen uniformly at random from the set of all members. The exact value of the normalized
expected anonymity set size ¯ S ⟨−⟩/N is computed using the expressions (2.9 – 2.11). Finally, the
obtained values are averaged over all simulation runs. Moreover, for every c, I also computed the
estimated value ¯ S0/N using the expressions (2.15 – 2.17).
The simulation results are shown in Figure 2.4. The figure does not show the confidence
interwalls, because they are very small (in the range of 10 −4 for all simulations) and thus they
could be hardly visible. As we can see, ¯ S0/N approximates ¯ S ⟨−⟩/N quite well, and in general it
provides a lower bound on the normalized expected anonymity set size.
Normalized average anonymity set size
1
0.8
0.6
0.4
0.2
Simulation result for (S /N)
Approximation (S 0 /N)
0
0 50 100 150 200 250 300
Number of compromised members (c)
Normalized average anonimity set size
1
0.8
0.6
0.4
0.2
Simulation result for (S /N)
Approximation (S 0 /N)
0
0 50 100 150 200 250 300
Number of compromised members (c)
Figure 2.4: Simulation results for branching factor vectors (30, 30, 30) (left hand side) and
(72, 5, 5, 5, 3) (right hand side). As we can see, ¯ S0/N approximates ¯ S ⟨−⟩/N quite well, and in
general it provides a lower bound on it.
In Figure 2.5, the value of ¯ S0/N is plotted as a function of c for different branching factor
vectors. This figure illustrates, how different systems can be compared using the approximation
¯S0/N of the normalized expected anonymity set size. On the left hand side of the figure, we
can see that the value of ¯ S0/N is greater for the vector B ∗ = (72, 5, 5, 5, 3) than for the vector
B = (30, 30, 30) not only for c = 1 (as we saw before), but for larger values of c too. In fact, B ∗
seems to lose its superiority only when the value of c approaches 60, but at this range, the systems
nearly provide no privacy in any case. Thus, we can conclude that B ∗ is a better branching factor
vector yielding more privacy than B in general.
We can make another interesting observation on the left hand side of Figure 2.5: ¯ S0/N starts
decreasing sharply as c starts increasing, however, when c gets close to the value of the first element
of the branching factor vector, the decrease of ¯ S0/N slows down. Moreover, almost exactly when
c reaches the value of the first element (30 in case of B, and 72 in case of B ∗ ), ¯ S0/N seems
to turn into constant, but at a very low value. We can conclude that, just as in the case of a
single compromised member, in the general case too, the level of privacy provided by the system
essentially depends on the value of the first element of the branching factor vector. The plot on the
right hand side of the figure reinforces this observation: it shows ¯ S0/N for two branching factor
vectors that have the same first element but that differ in the other elements. As we can see, the
curves are almost perfectly overlapping.
Thus, a practical design principle for key-tree based private authentication systems is to maximize
the branching factor at the first level of the key-tree. Further optimization by adjusting the
branching factors of the lower levels may still be possible, but the gain is not significant; what
really counts is the branching factor at the first level.
4 All computations have been done in Matlab, and for the purpose of repeatability, the source code is available
on-line at http://www.crysys.hu/∼holczer/PET2006
22

Estimated normalised average anonimity set size (S 0 /N)
1
0.8
0.6
0.4
0.2
B = [72 5 5 5 3]
B = [30 30 30]
0
0 20 40 60 80 100
Number of compromised members (c)
Estimated normalised average anonimity set size (S 0 /N)
1
0.8
0.6
0.4
0.2
2.5. The group-based approach
B = [60 30 15]
B = [60 5 5 3 3 2]
0
0 20 40 60 80 100
Number of compromised members (c)
Figure 2.5: The value of ¯ S0/N as a function of c for different branching factor vectors. The figure
illustrates, how different systems can be compared based on the approximation ¯ S0/N. On the left
hand side, we can see that the value of ¯ S0/N is greater for the vector (72, 5, 5, 5, 3) than for the
vector (30, 30, 30) not only for c = 1 (as we saw earlier), but for larger values of c too. On the
right hand side, we can see that ¯ S0/N is almost the same for the vector (60, 5, 5, 3, 3, 2) as for the
vector (60, 30, 15). We can conclude that ¯ S0/N is essentially determined by the value of the first
element of the branching factor vector.
2.5 The group-based approach
In the group based authentication scheme, the set of all tags is divided into groups of equal size,
and all tags of a given group share a common group key. Since the group keys do not enable
the reader to identify the tags uniquely, every tag also stores a unique identifier. Keys are secret
(each group key is known only to the reader and the members of the corresponding group), but
identifiers can be public. To avoid impersonation of a tag from the same group, every tag has a
unique secret key as well. This key is only shared between the tag and the reader. To reduce the
storage demands on the reader side, the pairwise key can be generated from a master key using
the identifier of the tag.
In order to authenticate a tag, the reader sends a single challenge to the tag. The answer of the
tag has two parts. In the first part, the tag answers to the reader by encrypting with the group key
the reader’s challenge concatenated with a nonce picked by the tag, and the tag’s identifier. In the
second part, the tag encrypts the challenge concatenated with the nonce using its own secret key.
Encrypting the identifier is needed since the key used for encryption does not identify uniquely the
tag. Upon reception of the answer, the reader identifies the tag by trying all the group keys until
the decryption succeeds. Then it checks the second part, that it was encrypted by the same tag.
Without the second part, every tag could impersonate every other tag in the same group.
The operation of the group-based private authentication scheme is illustrated in Figure 2.6.
The complexity of the group-based scheme for the reader depends on the number of the groups.
In particular, if there are γ groups, then, in the worst case, the reader must try γ keys. Therefore,
if the upper bound on the worst case complexity is given as a design parameter, then γ is easily
determined. For example, to get the same complexity as in the key-tree based scheme with constant
branching factor, one may choose γ = (b log b N) − 1, where N is the total number of tags and b is
the branching factor of the key-tree. The minus one indicates the decryption of the second part of
the message.
An immediate advantage of the group-based scheme with respect to the key-tree based approach
is that the tags need to store only two keys and an identifier. In contrast to this, in the key-tree
based scheme, the number of keys stored by the tags depends on the depth of the tree. For instance,
in the case of the Molnar-Wagner scheme, the tags must store log b N keys. Moreover, by using
only two keys, this scheme also has a smaller complexity for the tag in terms of computation and
communication.
Besides its advantages with respect to complexity, the group-based scheme provides a higher
23

2. PRIVATE AUTHENTICATION
Reader R Tag T
Pick R1
Try all group keys
until K is found
Check ID's own key
R1
EK(R1|R2|ID) EKID (R1|R2)
Pick R2
Figure 2.6: Operation of the group-based private authentication scheme. K is the group key stored
by the tag,KID is the tag’s own secret key, ID is the identifier of the tag, R1 and R2 are random
values generated by the reader and the tag, respectively, | denotes concatenation, and EK() denotes
symmetric-key encryption with K.
k1
k1,1 k1,2 k2,1 k2,2
k1,1,1 k1,1,2 k1,2,1 k1,2,2 k2,1,1 k2,1,2 k2,2,1 k2,2,2
k2
K1 K2 K3 K4
KID1 KID2 KID3 KID4 KID5 KID6 KID7 KID8
Figure 2.7: On the left hand side: The tree-based authentication protocol uses a tree, where
the tags correspond to the leaves of the tree. Each tag stores the keys along the path from the
root to the leaf corresponding to the given tag. When authenticating itself, a tag uses all of its
keys. The reader identifies which keys have been used by iteratively searching through the keys
at the successive levels of the tree. On the right hand side: In the group-based authentication
protocol, the tags are divided into groups. Each tag stores its group key and its own key. When
authenticating itself, a tag uses its group key first, and then its own key. The reader identifies
which group key has been used by trying all group keys, then it checks the tags own key.
level of privacy than the key-tree based scheme when some of the tags are compromised. I will
show this in Section 2.7.
2.6 Analysis of the group based approach
The metric proposed in Section 2.2 is based on the observation that when some tags are compromised,
the set of all tags become partitioned such that the adversary cannot distinguish the tags
that belong to the same subset, but she can distinguish the tags that belong to different subsets.
Hence, the subsets are the anonymity sets of their members. The level R of privacy provided by the
scheme is then characterized as the average anonymity set size normalized with the total number
N of the tags. Formally,
R = 1
N
∑
i
|Pi| |Pi|
N
= 1
N 2
∑
i
|Pi| 2
(2.18)
where |Pi| denotes the size of subset Pi and |Pi|/N is the probability that a randomly chosen tag
belongs to subset Pi.
In the group-based scheme, a similar kind of partitioning can be observed when tags become
compromised. In particular, when a single tag is compromised, the adversary learns the group
key of that tag, which allows her to distinguish the tags within this group from each other (since
24

2.6. Analysis of the group based approach
the tags use their identifiers in the protocol) and from the rest of the tags in the system. This
means that each member of the compromised group forms an anonymity set of size 1, and the
remaining tags form another anonymity set. In general, when more tags are compromised, we can
observe that the partitioning depends on the number C of the compromised groups, where a group
is compromised if at least one tag that belongs to that group is compromised. More precisely,
when C groups are compromised, we get nC anonymity sets of size 1 and an anonymity set of size
n(γ − C), where γ is the number of groups and n = N/γ is the size of a group. This results in the
following expression for the level R of the privacy according to the metric (2.18):
R = 1
N 2
( 2
nC + (n(γ − C)) )
(2.19)
If tags are compromised randomly, then C, and hence, R are random variables, and the level of
privacy provided by the system is characterized by the expected value of R. In order to compute
that, we must compute the expected value of C and that of C 2 . This can be done as follows: let
us denote by Ai the event that at least one tag from the i-th group is compromised, and let IAi
be Ai’s indicator function. The probability of Ai can be calculated as follows:
(
N − n
)
P (Ai) = 1 −
c
(
N
c
) = (2.20)
c−1 ∏
(
= 1 − 1 − n
)
N − j
(2.21)
j=0
The expected value of C is the expected value of the sum of the indicator functions:
E [C] = E
[ γ∑
i=1
IAi
]
j=0
=
γ∑
P (Ai) = (2.22)
i=1
⎛
c−1 ∏
(
= γ ⎝1 − 1 − n
)
N − j
⎞
⎠ (2.23)
Similarly, the second moment of C can be computed as follows:
= E
[ γ∑
i=1
E [ C 2] = E
IAi
[ γ∑
] ⎡
+ E ⎣ ∑
i̸=j
i=1
IAi
IAi∩Aj
] 2
⎤
= (2.24)
⎦ = (2.25)
= E [C] + ( γ 2 − γ ) P (Ai ∩ Aj) (2.26)
Finally, probability P (Ai ∩ Aj) can be computed in the following way:
P (Ai ∩ Aj) = (2.27)
= 1 − P ( ) ( )
Ai ∩ Aj − 2P Ai ∩ Aj
(2.28)
25

2. PRIVATE AUTHENTICATION
P ( (
N − 2n
)
)
Ai ∩ Aj =
c
(
N
c
) = (2.29)
c−1 ∏
(
= 1 − 2n
)
N − j
(2.30)
j=0
j=0
P ( ) ( ) ( )
Ai ∩ Aj = P Ai|Aj P Aj = (2.31)
⎡
c−1 ∏
(
)
= ⎣1
n
− 1 −
N − n − j
⎤
⎦ · (2.32)
c−1 ∏
(
· 1 − n
)
N − j
j=0
(2.33)
Based on the above formulae, the expected value of R is computed as a function of c for N = 2 14
and γ = 64. The results are plotted on the left hand side of Figure 2.8. The same plot also contains
the results of a Matlab simulation with the same parameters, where we chose the c compromised
tags uniformly at random. For each value of c, 10 simulations are run, computed the exact values
of the average anonymity set size using (2.19) directly, and averaged the results. As it can be
seen in the figure, the analytical results match the results of the simulation. I performed the same
verification for several other values of N and γ, and in each case, I obtained the same matching
results.
2.7 Comparison of the group and the key-tree based approach
In this section, I compare the group-based scheme to the key-tree based scheme. The methodology
is the following: for a given number N of tags and upper bound γ on the worst case complexity for
the reader, I determine the optimal key-tree using the algorithm proposed in 2.3. Then, I compare
the level of privacy provided by this optimal key-tree to that provided by the group-based scheme
with γ groups and N tags.
The comparison is performed by means of simulations. A simulation run consists in randomly
choosing c compromised tags, and computing the resulting normalized average anonymity set size
R for both the optimal key-tree and the group-based scheme. For the former, we can use the
formulae (2.15 – 2.17), while for the latter, I use formula (2.19) directly. For each value of c, I run
several simulation runs, and average the results.
The simulation parameters were the following: for the number N of tags, only powers of 2
are considered, because in practice, that number is related to the size of the identifier space, and
identifiers are usually represented as binary strings. Thus, in the simulations, N = 2 x , and x is
varied between 10 and 15 with a step size of 1. The values for the worst case complexity γ (which
coincides with the number of groups in the group-based scheme) were 64, 128, and 256. Finally,
the number c of compromised tags from 1 to 3γ is varied. For each combination of these values,
100 simulation runs were performed.
The right hand side of Figure 2.8 shows the results that we can obtain for N = 2 10 and γ = 64.
The plots corresponding to the other simulation settings are not included, because they are very
similar to the one in Figure 2.8. As we can see, the group-based scheme provides a higher level of
privacy when the number of compromised tags does not exceed a threshold. Above the threshold,
the key-tree based scheme becomes better, however, in this region, both schemes provide virtually
26

Level of privacy (R)
1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
Simulation result
Formal result
0
0 50 100 150 200
Number of compromised members (c)
Level of privacy(R)
1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
2.8. Related work
Tree based authentication
Group based authentication
0
0 50 100 150 200
Number of compromised members (c)
Figure 2.8: On the left hand side: The analytical results obtained for the expected value of R
match the averaged results of ten simulations. The parameters are: N = 2 14 and γ = 64. On the
right hand side: Results of the simulation aiming at comparing the key-tree based scheme and
the group-based scheme. The curves show the level R of privacy as a function of the number c of
the compromised tags. The parameters are: N = 2 10 and γ = 64. The confidence intervals are
not shown, because they are in the range of 10 −3 , and therefore, they would be hardly visible. As
we can see, the group-based scheme achieves a higher level of privacy when c is below a threshold.
Above the threshold, the key-tree based approach is slightly better, however, in this region, both
schemes provide virtually no privacy.
no privacy. Thus, for any practical purposes, the group-based scheme is better than the key-tree
based scheme (even if optimal key-trees are used).
2.8 Related work
The problem of private authentication has been extensively studied in the literature recently, but
most of the proposed solutions are based on public key cryptography. One example is Idemix, which
is a practical anonymous credential system proposed by Camenisch and Lysyanskaya in [Camenisch
and Lysyanskaya, 2001]. Idemix allows for unlinkable demonstration of the possession of various
credentials, and it can be used in many applications. However, it is not applicable in resource
constraint scenarios, such as low-cost RFID systems. For such applications, solutions based on
symmetric key cryptography seem to be the only viable options. A comprehensive bibliography
of RFID related privacy problems is maintained by Avoine in [Avoine, 2012]. A recent survey of
RFID privacy approaches is published by Langheinrich [Langheinrich, 2009], where he overviews
60 papers in this field. Another important paper by Syamsuddin et al. survey the hash chain
based RFID authentication protocols in [Syamsuddin et al., 2008]. In the following I try to focus
on the methods similar to the ones described in this thesis, and encourage the reader to read the
aforementioned surveys for a broader view.
The key-tree based approach for symmetric key private authentication has been proposed by
Molnar and Wagner in [Molnar and Wagner, 2004]. However, they use a simple b-ary tree, which
means that the tree has the same branching factor at every level. Moreover, they do not analyze
the effects of compromised members on the level of privacy provided. They only mention that
compromise of a member has a wider effect than in the case of public key cryptography based
solutions.
An entropy based analysis of key trees can be found in [Nohara et al., 2005]. Nohara et al.
prove that their K-steps ID matching scheme (which is very similar to [Molnar and Wagner, 2004])
is secure against one compromised tag, if the number of nodes are large enough. They consider
only b-ary trees, no variable branching factors.
27

2. PRIVATE AUTHENTICATION
Avoine et al. analyze the effects of compromised members on privacy in the key-tree based
approach [Avoine et al., 2005]. They study the case of a single compromised member, as well as
the general case of any compromised members. However, their analysis is not based on the notion
of anonymity sets. In their model, the adversary is first allowed to compromise some members,
then it chooses a target member that it wants to trace, and it is allowed to interact with the chosen
member. Later, the adversary is given two members such that one of them is the target member
chosen by the adversary. The adversary can interact with the given members, and it must decide
which one is its target. The level of privacy provided by the system is quantified by the success
probability of the adversary.
Beye and Veugen goes a little further and analyze, what happens if the attacker has access
to side channel information, and adapts the attack dynamically [Beye and Veugen, 2012]. They
analyze the case of key trees described in this chapter as well and generalize the problem by setting
only a minimum on N in [Beye and Veugen, 2011].
2.9 Conclusion
Key-trees provide an efficient solution for private authentication in the symmetric key setting.
However, the level of privacy provided by key-tree based systems decreases considerably if some
members are compromised. This loss of privacy can be minimized by the careful design of the
tree. Based on the results presented in this chapter, we can conclude that a good practical design
principle is to maximize the branching factor at the first level of the tree such that the resulting
tree still respects the constraint on the maximum authentication delay in the system. Once the
branching factor at the first level is maximized, the tree can be further optimized by maximizing
the branching factors at the successive levels, but the improvement achieved in this way is not
really significant; what really counts is the branching factor at the first level.
In the second part of this chapter, I proposed a novel group based private authentication scheme.
I analyzed the proposed scheme and quantified the level of privacy that it provides. I compared
the group based scheme to the key-tree based scheme originally proposed by Molnar and Wagner,
and later optimized by me in the first half of this chapter. I showed that the group based scheme
provides a higher level of privacy than the key-tree based scheme. In addition, the complexity of
the group based scheme for the verifier can be set to be the same as in the key-tree based scheme,
while the complexity for the prover is always smaller in the latter scheme. The primary application
area of the schemes are that of RFID systems, but it can also be used in applications with similar
characteristics (e.g., in wireless sensor networks).
2.10 Related publications
[Buttyan et al., 2006a] Levente Buttyan, Tamas Holczer, and Istvan Vajda. Optimal key-trees
for tree-based private authentication. In Proceedings of the International Workshop on Privacy
Enhancing Technologies (PET), June 2006. Springer.
[Buttyan et al., 2006b] Levente Buttyan, Tamas Holczer, and Istvan Vajda. Providing location
privacy in automated fare collection systems. In Proceedings of the 15th IST Mobile and Wireless
Communication Summit, Mykonos, Greece, June 2006.
[Avoine et al., 2007] Gildas Avoine, Levente Buttyan, Tamas Holczer, and Istvan Vajda. Groupbased
private authentication. In Proceedings of the International Workshop on Trust, Security,
and Privacy for Ubiquitous Computing (TSPUC 2007). IEEE, 2007.
28

Chapter 3
Location Privacy in Vehicular Ad Hoc
Networks
3.1 Introduction
In this chapter, I investigate what level of privacy a driver can achieve in Vehicular Ad Hoc
Networks (VANET). More specifically, in the first half of this chapter, I investigate how can a local
eavesdropping attacker trace the vehicles based on their frequently sent status information. In the
second half of this chapter (from Section 3.4), I go a little further in terms of strength of attacker,
and check what can a global eavesdropping attacker do. After realizing its broad capabilities, I
suggest an algorithm, which can greatly reduce the attackers success rate.
Recently, initiatives to create safer and more efficient driving conditions have begun to draw
strong support in Europe [COM], in the US [VSC], and in Japan [ASV]. Vehicular communications
will play a central role in this effort, enabling a variety of applications for safety, traffic
efficiency, driver assistance, and entertainment. However, besides the expected benefits, vehicular
communications also have some potential drawbacks. In particular, many envisioned safety related
applications require that the vehicles continuously broadcast their current position and speed in
so called heart beat messages. This allows the vehicles to predict the movement of other nearby
vehicles and to warn the drivers if a hazardous situation is about to occur. While this can certainly
be advantageous, an undesirable side effect is that it makes it easier to track the physical location
of the vehicles just by eavesdropping these heart beat messages.
One approach to solve this problem is that the vehicles broadcast their messages under pseudonyms
that they change with some frequency [Raya and Hubaux, 2005]. The change of a pseudonym
means that the vehicle changes all of its physical and logical addresses at the same time. Indeed, in
most of the applications, the important thing is to let other vehicles know that there is a vehicle at
a given position moving with a given speed, but it is not really important which particular vehicle
it is. Thus, using pseudonyms is just as good as using real identifiers as far as the functionality of
the applications is concerned. Obviously, these pseudonyms must be generated in such a way that
a new pseudonym cannot be directly linked to previously used pseudonyms of the same vehicle.
Unfortunately, only changing pseudonyms is largely ineffective against a global eavesdropper
that can hear all communications in the network. Such an adversary can predict the movement of
the vehicles based on the position and speed information in the heart beat messages, and use this
prediction to link different pseudonyms of the same vehicle together with high probability. For
instance, if at time t, a given vehicle is at position ⃗p and moves with speed ⃗v, then after some short
time τ, this vehicle will most probably be at position ⃗p + τ · ⃗v. Therefore, the adversary will know
that the vehicle that reports itself at (or near to) position ⃗p + τ ·⃗v at time t + τ is the same vehicle
as the one that reported itself at position ⃗p at time t, even if in the meantime, the vehicle changed
29

3. LOCATION PRIVACY IN VANETS
pseudonym. This problem can be solved with some silent periods. This is discussed in the second
part of this chapter (from Section 3.4).
On the other hand, the assumption that the adversary can eavesdrop all communications in the
network is a very strong one. In many situations, it is more reasonable to assume that the adversary
can monitor the communications only at a limited number of places and only in a limited range.
In this case, if a vehicle changes its pseudonym within the non-monitored area, then there is a
chance that the adversary loses its trace. My goal in the first half of the chapter is to characterize
this chance as a function of the strength of the adversary (i.e., its monitoring capabilities). In
the second part of the chapter, I assume a relatively small area, where a global eavesdropping is
reasonable. I analyze what a global attacker can do, and suggest a simple algorithm to reduce the
capabilities of a global attacker. In particular, my main contributions are the following:
I define a model in which the effectiveness of changing pseudonyms can be studied. I emphasize
that while changing pseudonyms has already been proposed in the literature as a
countermeasure to track vehicles [Raya and Hubaux, 2005], to the best of my knowledge, the
effectiveness of this method has never been investigated rigorously in this context. My model
is based on the concept of the mix zone. This concept was first introduced in [Beresford and
Stajano, 2003], but again, to the best of my knowledge, it has not been used in the context
of vehicular networks so far. I characterize the tracking strategy of the adversary in the mix
zone model, and I introduce a metric to quantify the level of privacy provided by the mix
zone.
I report on the results of an extensive simulation where I used my model to determine the
level of privacy achieved in realistic scenarios. In particular, in my simulation, I used a rather
complex road map, generated traffic with realistic parameters, and varied the strength of the
adversary by varying the number of her monitoring points. As expected, my simulation
results confirm that the level of privacy decreases as the strength of the adversary increases.
However, in addition to this, my simulation results provide detailed information about the
relationship between the strength of the adversary and the level of privacy achieved by
changing pseudonyms.
In Section 3.5, I provide a breakdown of the requirements that a system must address in order
to provide privacy. The aim is to provide an analytical framework that future researchers
can use to concisely state which aspects of privacy a new proposal does or does not address.
In Section 3.6, I propose an approach for implementing mix zones that does neither require
extensive RSU support nor complex communication between vehicles, and that does not
endanger safety-of-life to any significant extent, while providing both syntactic mixing and
semantic mixing (in the language of Section 3.5). To my knowledge, this is the first proposal
that provides for semantic mixing while at the same time addressing the safety-of-life concerns
that naturally arise when a vehicle tries to obscure its path. The key insights are simply that
vehicles traveling at a low speed are less likely to cause fatal accidents, and that vehicles will
be traveling at a low speed at natural mix-points such as signalled intersections. The main
body of experimental work in Section 3.6 is therefore an investigation of the consequences
for the untraceability of vehicles if they stop sending heartbeat messages when their speed
drops below a certain threshold and change all their identifiers after such silent periods. I
call my scheme SLOW, which stands for silence at low speeds. (I note that of course SLOW
is not a full solution to untraceability, as it does not cover the safe use of silent periods at
high speeds; other techniques will need to be used to give untraceability in this case).
The organization of the chapter is the following: in Section 3.2, I introduce the mix zone
model, I define the behavior of the adversary in this model, and I introduce my privacy metric.
In Section 3.3, I describe my simulation setting and the simulation results for the mix zones. In
Section 3.4 I introduce the global attacker scenario. Then I introducing my overall analytical
framework in Section 3.5. Next, in Section 3.6, I introduce my attacker model and my proposed
30

3.2. Model of local attacker and mix zone
solution, and in Section 3.7, I present the results of my experiments showing that my approach
does indeed make tracing of vehicles hard for the attacker, and that it is usable in the real world.
Finally, I report on some related work in Section 3.8, and conclude the chapter in Section 3.9.
3.2 Model of local attacker and mix zone
3.2.1 The concept of the mix zone
I consider a continuous part of a road network, such as a whole city or a district of a city. I assume
that the adversary installed some radio receivers at certain points of the road network with which
she can eavesdrop the communications of the vehicles, including their heart beat messages, in a
limited range. On the other hand, outside the range of her radio receivers, the adversary cannot
hear the communications of the vehicles.
Thus, the road network is divided into two distinct regions: the observed zone and the unobserved
zone. Physically, these zones may be scattered, possibly consisting of many observing
spots and a large unobserved area, but logically, the scattered observing spots can be considered
together as a single observed zone. This is illustrated on the left hand side of Figure 3.1.
observation
spots
observed zone
4
1
3
2
6
5
1
mix zone
2 3
Figure 3.1: On the left hand side: The figure illustrates how a road network is divided into
an observed and an unobserved zone in the model. In the figure, the observed zone is grey, and
the unobserved zone is white. The unobserved zone functions as a mix zone, because the vehicles
change pseudonyms and mix within this zone making it difficult for the adversary to track them.
On the right hand side: The figure illustrates how the road network on the left can be abstracted
as single mix zone with six ports.
Note that the vehicles do not know where the adversary installed her radio receivers, or in
other words, when they are in the observed zone. For this reason, we can assume that the vehicles
continuously change their pseudonyms 1 . In this part of the chapter, we can abstract away the
frequency of the pseudonym changes, and we can simply assume that it is high enough so that
every vehicle surely changes pseudonym while in the unobserved zone. I intend to relax this
assumption in my future work.
Since the vehicles change pseudonyms while in the unobserved zone, that zone functions as a
mix zone for vehicles (see the right hand side of Figure 3.1 for illustration). A mix zone [Beresford
and Stajano, 2003; Beresford and Stajano, 2004] is similar to a mix node of a mix network [Chaum,
1981], which changes the encoding and the order of messages in order to make it difficult for the
adversary to link message senders and message receivers. In my case, the mix zone makes it
difficult for the adversary to link the vehicles that emerge from the mix zone to those that entered
it earlier. Thus, the mix zones makes it difficult to track vehicles. On the other hand, based on the
observation that I made in the Introduction, I assume that the adversary can track the physical
location of the vehicles while they are in the observed zone, despite the fact that they may change
pseudonyms in that zone too.
1 Otherwise, if the vehicles knew when they are in the unobserved zone, then it would be sufficient to change their
pseudonyms only once while they are in the unobserved zone.
31
ports
6
5
4

3. LOCATION PRIVACY IN VANETS
Since the vehicles move on roads, they cannot cross the border between the mix zone and the
observed zone at any arbitrary point. Instead, the vehicles cross the border where the roads cross
it. We can model this by assuming that the mix zone has ports, and the vehicles can enter and
exit the mix zone only via these ports. For instance, on the right hand side of Figure 3.1, the ports
are numbered from 1 to 6.
3.2.2 The model of the mix zone
While the adversary cannot observe the vehicles within the mix zone, we can assume that she still
has some knowledge about the mix zone. This knowledge is subsumed in a model that consists of a
matrix Q = [qij] of size M × M, where M is the number of ports of the mix zone, and M 2 discrete
probability density functions fij(t) (1 ≤ i, j ≤ M). qij is the conditional probability of exiting the
mix zone at port j given that the entry point was port i. fij(t) describes the probability distribution
of the delay when traversing the mix zone between port i and port j. We can assume that time
is slotted, that is why fij(t) is a discrete function. I note here, that it is unlikely for an attacker
to achieve such a comprehensive knowledge of the mix zone. However it is not impossible with
comprehensive real world measurements to approximate the needed probabilities and functions. In
the rest of the chapter, we can consider the worst case (as it is advisable in the field of security),
the attacker knows the model of the mix zone.
3.2.3 The operation of the adversary
The adversary knows the model of the mix zone and she observes events, where an event is a
pair consisting of a port (port number) and a time stamp (time slot number). There are entering
events and exiting events corresponding to vehicles entering and exiting the mix zone, respectively.
Naturally, an entering event consists of the port where the vehicle entered the mix zone, and the
time when this happened. Similarly, an exiting event consists of the port where the vehicle left the
mix zone, and the time when this happened.
The general objective of the adversary is to relate exiting events to entering events. More
specifically, in the model, the adversary picks a vehicle v in the observed zone and tracks its
movement until it enters the mix zone. In the following, I denote the port at which v entered
the mix zone by s. Then, the adversary observes the exiting events for a time T such that the
probability that v leaves the mix zone before T is close to 1 (i.e., Pr{tout < T } = 1 − ϵ, where ϵ is a
small number, typically, in the range of 0.005 − 0.01, and tout is the random variable denoting the
time at which the selected vehicle v exits the mix zone). For each exiting vehicle v ′ , the adversary
determines the probability that v ′ is the same as v. For this purpose, she uses her observations and
the model of the mix zone. Finally, she decides which exiting vehicle corresponds to the selected
vehicle v.
The decision algorithm used by the adversary is intuitive and straightforward: the adversary
knows that the selected vehicle v entered the mix zone at port s and in timeslot 0. For each exiting
event k = (j, t) that the adversary observes afterwards, she can compute the probability pjt that
k corresponds to the selected vehicle as pjt = qsjfsj(t) (i.e., the probability that v chooses port
j as its exit port given that it entered the mix zone at port s multiplied by the probability that
it covers the distance between ports s and j in time t). The adversary decides for the vehicle for
which pjt is maximal. The adversary is successful if the decided vehicle is indeed v.
Indeed, the above described decision algorithm realized the Bayesian decision (see the Section
3.2.4 for more details). The importance of this fact is that the Bayesian decision minimizes
the error probability, thus, it is in some sense the ideal decision algorithm for the adversary.
3.2.4 Analysis of the adversary
In this section, I show that the decision algorithm of the adversary described in Subsection 3.2.3
realizes a Bayesian decision. The following notations are used:
32

3.2. Model of local attacker and mix zone
k is an index of a vector. Every port-timeslot pair can be mapped to such an index and
k can be mapped back to a port-timeslot pair. Therefore indices and port-timeslot pairs
are interchangeable, and in the following discussion, I always use the one which makes the
presentation simpler.
k ∈ 1 . . . M · T , where M is the number of ports, and T is the length of the attack measured
in timeslots.
C = [ck] is a vector, where ck is the number of cars leaving the mix zone at k during the
attack.
N is the number of cars leaving the mix zone before timeslot T (i.e., N = ∑ MT
k=1 ck).
ps(k) is the probability of the event that the target vehicle leaves the mix zone at k (port
and time) conditioned on the event that it enters the zone at port s at time 0. The attacker
exactly knows which port is s. Probability ps(k) can be computed as: ps(k) = qsjfsj(t),
where port j and timeslot t correspond to index k.
p(k) is the probability of the event that a vehicle leaves the mix zone at k (port and time).
This distribution can be calculated from the input distribution and the transition probabilities:
p(k) = ∑ M
s=1 ps(k).
Pr(k|C) is the conditional probability that the target vehicle left the mix zone at time and
port defined by k, given that the attacker’s observation is vector C.
We must determine for which k probability Pr(k|C) is maximal. Let us denote this k with k ∗ .
The probability Pr(k|C) can be rewritten, using the Bayes rule:
Then k ∗ can be computed as:
k ∗ = arg max
k
Pr(k|C) = Pr(C|k)ps(k)
Pr(C)
Pr(C|k)ps(k)
Pr(C)
= arg max Pr(C|k)ps(k)
k
Pr(C|k) has a multinomial distribution with a condition that at least one vehicle (the target of
the attacker) must leave the mix zone at k:
Pr(C|k) =
N!
c1! . . . ck−1!(ck − 1)!ck+1! . . . cMT ! p(k)ck−1
MT ∏
j=1,j̸=k
Pr(C|k) can be multiplied and divided by p(k)
to simplify the equation:
ck
Pr(C|k) = ck
⎛
MT
⎝
N! ∏
p(j)
p(k) c1! . . . cMT !
cj
⎞
⎠
j=1
p(j) cj
where the bracketed part is a constant, which does not have any effect on the maximization, thus
it can be omitted.
k ∗ = arg max
k
ck
p(k) ps(k) = arg max
k
ck
p(k)N ps(k) = arg max
k
pk
p(k) ps(k)
where pk is the empirical distribution of k (i.e., pk = ck/N). If the number of vehicles in the
mix zone is large enough, then pk
p(k) ≈ 1. Thus correctness of the intuitive algorithm described in
Subsection 3.2.3 holds:
k ∗ = arg max ps(k)
k
33

3. LOCATION PRIVACY IN VANETS
This means that if many vehicles are traveling in the mix zone, then the attacker must choose
the vehicle with the highest ps(k) probability.
3.2.5 The level of privacy provided by the mix zone
There are various metrics to quantify the level of privacy provided by the mix zone (and the
fact that the vehicles continuously change pseudonyms). A natural metric in the model is the
success probability of the adversary when making her decision as described above. If the success
probability is large, then the mix zone and changing pseudonyms are ineffective. On the other
hand, if the success probability of the adversary is small, then tracking is difficult and the system
ensures location privacy.
We can note that the level of privacy is often measured using the anonymity set size as the
metric [Chaum, 1988], however, in this case, this approach cannot be used. The problem is that
as described above, with probability ϵ, the selected vehicle v is not in the set V of vehicles exiting
the mix zone during the experiment of the adversary, and therefore, by definition, V cannot be the
anonymity set for v. Although, the size of V could be used as a lower bound on the real anonymity
set size, there is another problem with the anonymity set size as privacy metric. Namely, it is an
appropriate privacy metric only if each member of the set is equally likely to be the target of the
observation, however, as we will see in Section 3.3, this is not the case in my model.
Obviously, the success probability of the adversary is very difficult to determine analytically
due to the complexity of the model. Therefore, I ran simulations to determine its empirical value
in realistic situations. The simulation setting and parameters, as well as the simulation results are
described in the next section.
3.3 Simulation of mix zone
The purpose of the simulation is to get an estimation of the success probability of the attacker in
realistic scenarios. In this section, I first describe the simulation settings, and then, I present the
simulation results.
3.3.1 Simulation settings
The simulation was carried out in three main phases. In the first phase, I generated a realistic map,
where the vehicles moved during the simulation. This map was generated by MOVE [Karnadi et
al., 2005], a tool that allows the user to quickly generate realistic mobility models for vehicular
network simulations. My map is illustrated in Figure 3.2. In fact, it is a simplified map of Budapest,
the capital of Hungary, and it contains the main roads of the city. I believe that despite of the
simplifications, this map is still complex enough to get realistic traffic scenarios.
The second phase of the simulation was to generate the movement of the vehicles on the
generated map. This was done by SUMO [Krajzewicz et al., 2002], which is an open source microtraffic
simulator, developed by the Center for Applied Informatics (ZAIK) and the Institute of
Transport Research at the German Aerospace Center. SUMO dumps the state of the simulation in
every time step into files. This state dump contains the location and the velocity of every vehicle
during the simulation.
In the third phase of the simulation, I processed the state dump generated by SUMO, and
simulated the adversary. This part of the simulation was written in Perl, because Perl scripts can
easily process the XML files generated by SUMO. Note that for the purpose of repeatability, I
made the source code available on-line at http://www.crysys.hu/∼holczer/ESAS07.
I implemented the adversary as follows. First, I defined the observation spots (position and
radius) of the adversary in a configuration file. Then, I let the adversary build her model of the mix
zone (i.e., the complement of its observation spots) by allowing her to track the vehicles as if they
do not change their pseudonyms. In effect, the adversary’s knowledge is represented by a set of two
dimensional tables. Each table K (i) corresponds to a port i of the mix zone, and contains empirical
34

3.3. Simulation of mix zone
Figure 3.2: Simplified map of Budapest generated for the simulation.
probabilities. More specifically, the entry K (i)
jt of table K(i) contains the empirical probability that
a vehicle exits the mix zone at port j in time t given that it entered the mix zone at port i at time
0. The size of the tables is M × T , where M is the number of the ports of the mix zone and T is
the duration of the learning procedure defined as the time until which every observed vehicle left
the mix zone. Once the adversary’s knowledge is built, she could use that for making decisions as
described above in Section 3.2. I executed several simulation runs in order to get an estimation
for the success probability of the adversary.
Experiments with adversaries of different strength are made, where the strength of the adversary
depends on the number of her eavesdropping receivers. In the simulations, all receivers were
deployed in the middle of the junctions of the roads. The eavesdropping radius of the receivers was
set to 50 meter. The number of the receivers varied between 5 and 59 with a step size of 5 (note
that the map contains 59 junctions). Always the junctions with the highest traffic was chosen as
the observation spots of the adversary (for instance, when the adversary had ten receivers, I chose
the first ten junctions with the largest traffic).
In addition to the strength of the adversary, the intensity of the traffic is varied. More specifically,
I simulated three types of traffic: low, medium, and high. Low traffic means that in each
time step 250 vehicles are emitted into the traffic flow, medium traffic is defined as 500 vehicles
are emitted into the flow, and in case of high traffic 750 vehicles are emitted.
For each simulation setting (strength of the adversary and intensity of the road traffic) 100
simulations were performed.
3.3.2 Simulation results
Figure 3.3 contains the resulting success probabilities of the adversary as a function of her strength.
The different curves belong to different traffic intensities. The results are quite intuitive: we can
conclude that the stronger the adversary, the higher her success probability. Note, however, that
from above a given strength, the success probability saturates at about 60 %. Higher success
probabilities can not be achieved, because the order of the vehicles may change between junctions
without the adversary being capable of tracking that. Note also that the saturation point is
35

3. LOCATION PRIVACY IN VANETS
reached with the control of only the half of the junctions. The intensity of the traffic is much less
important parameter, than the strength of the attacker. The success probability of the attacker is
nearly independent from the intensity of the traffic above a given attacker strength.
Success probability of an attack [%]
80
70
60
50
40
30
20
Low traffic
Medium traffic
High traffic
10
0 10 20 30 40 50 60
Number of attacker antennas
Figure 3.3: Success probabilities of the adversary as a function of her strength. The three curves
represent three different scenarios (the darker the line, the more intensive the traffic).
The dark bars in Figure 3.4 show how the size of the set V of the vehicles that exit the mix
zone during the observation period and from which the adversary has to decide to the selected
vehicle varies with the strength of the adversary. The three sub-figures are related to the three
different traffic situations (low traffic – left, medium traffic – middle, high traffic – right). While
the size of V seems to be large (which seemingly makes the adversary’s decision difficult), it is
also interesting to examine how uniform this set V is in terms of the probabilities assigned to the
vehicles in V . Recall that the adversary computes a probability pjt for each vehicle v ′ in V , which
is the probability of v ′ = v. These probabilities can be normalized to obtain a distribution, and the
entropy of this distribution can be computed. From this entropy, I computed the effective size of V
(i.e., the size to which V can be compressed due to the non-uniformity of the distribution over its
members), and the light bars in the figure illustrate the obtained values. As we can see, the effective
size of V is much smaller than its real size, which means that the distribution corresponding to
the members of V is highly non-uniform. This is the reason why the adversary can be successful.
3.4 Global attacker
In the following part of this chapter, I assume a global eavesdropping attacker instead of a local
attacker. A global eavesdropping attacker can hear all of the messages sent by the vehicles. This
is a more challenging task, compared to the local attacker scenario. My work is inspired by the
work of [Freudiger et al., 2007]. However, [Freudiger et al., 2007] requires the use of significant
infrastructure. By replacing [Freudiger et al., 2007]’s cryptographic mix zones with zones of silence
I address semantic mixing and infrastructure requirements simultaneously. In the following, in
Section 3.5, I give a framework, where the minimal requirements for providing privacy for vehicles
is analyzed. Next, in Section 3.6, I introduce my attacker model and my proposed solution, and in
Section 3.7, I present the results of my experiments showing that my approach does indeed make
tracing of vehicles hard for the attacker, and that it is usable in the real world.
36

3.5. Framework for location privacy in VANETs
Figure 3.4: The dark bars show how the size of the set V of the vehicles that exit the mix zone
during the observation period varies with the strength of the adversary (y axis: number of attacker
antennas). The three sub-figures are related to the three different traffic situations (low traffic –
left, medium traffic – middle, high traffic – right). The light bars illustrate the effective size of V .
As we can see, the effective size is much smaller than the real size, which means that distribution
corresponding to the members of V is highly non-uniform.
3.5 Framework for location privacy in VANETs
Any system that aims to provide privacy for vehicles must address the following areas 2 :
Syntactic privacy. In brief, all vehicles that use pseudonyms must change those pseudonyms
from time to time. This area includes:
N1 Pseudonymity: An identifier that is available to an eavesdropper must not be directly linkable
to the vehicle (for example, it must not contain the VIN, the driver’s name, or anything else
an eavesdropper might know).
N2 Change of identifiers: Identifiers must change with some frequency 3 .
N3 Local synchronization of change of identifiers: All identifiers, up and down the network
stack, must change simultaneously. (This is not a communications issue as such, but a local
engineering issue; however, it must be addressed).
N4 Cooperative synchronization of change of identifiers or syntactic mixing: A vehicle in an
observed area must change its identifier at the same time as at least one other vehicle and
the two (or more) changing vehicles must do so in a way that allows semantic privacy as
defined below 4 .
N5 Pseudonym use: This covers two intermingled areas:
2 This section is mainly based on the work of my coauthor, William Whyte [Buttyan et al., 2009] 3 The frequency
of change that provides privacy to the level expected by a user will in practice often depend on local regulation.
4 Otherwise, an attacker who sees, for instance, identifiers (A, B, C, D) at time t and (A, B, C, E) at time t + 1 will
know that D and E refer to the same vehicle.
37

3. LOCATION PRIVACY IN VANETS
N5.1 Pseudonym format: What cryptographic mechanism is used by psuedonym owners to
authenticate that they are valid units within the system?
N5.2 Pseudonym issuance and renewal: How are pseudonyms issued? How does a vehicle
avoid running out of them? (The answer to this may involve the identifier change
frequency, N2.) What assumptions are necessary about the infrastructure to ensure
that a vehicle is not left without pseudonyms?
Semantic privacy. This captures the idea that vehicles must not be traceable by reconstructing
the trajectories implied by their heartbeat messages. This area includes:
M1 Semantic unlinkability: A vehicle’s stream of heartbeat messages must be interrupted at some
frequency for some period of time.
M2 Semantic mixing: Semantic unlinkability is valuable mainly in so far as it creates ambiguity
for an attacker about whether a resumed stream of heartbeats comes from vehicle A or vehicle
B.
Robust privacy. This captures how misbehaving entities within the system may affect privacy and
security. This area includes:
R1 Privacy-preserving bad-actor removal: How is a misbehaving entity removed? Does this
removal affect the privacy of its transmissions before it began to misbehave? Does its removal
affect the privacy of other entities in the system?
R2 Privacy against insider attacks: How is privacy protected against bad actors in Law Enforcement
or at a Certificate Authority (CA)?
This part of the chapter explicitly contributes in the area of syntactic mixing (N4), semantic
mixing (M2), and semantic unlinkability (M1). The results are based on the assumption that
pseudonyms are changed whenever the criteria are met. This will be fairly frequent, on the order
of once every few minutes for urban driving, implicitly addressing N2. An identifier change frequency
this high may require frequent reissuance of pseudonyms, limiting the choices possible in
areas N5.1 and N5.2. To the best of my understanding, the following proposal is compatible with
any reasonable solution for N1, N3, R1, or R2.
3.6 Attacker Model and the SLOW algorithm
A global attacker is assumed who can get mass coverage. Conceptually, the attacker might be the
RSU network operator that has access to messages received by all RSUs, or the attacker might
have set up a network covering an entire city 5 . This is clearly an extremely powerful attack model,
perhaps too powerful to be plausible, but we can use this because if the system is secure in the
face of this attacker it will be secure in the face of other, weaker attackers too.
The attacker can use two basic mechanisms to link transmissions from a vehicle: (1) linking
pseudonyms or other identifiers between heartbeat messages (syntactic linking), and (2) using the
position and velocity information in the heartbeat messages to reconstruct the trajectory of the
vehicle (semantic linking).
We assume no supporting infrastructure in terms of an RSU network, therefore, vehicles must
have a strategy to create their own mix zones, and that strategy must work even in the case where
the attacker has 100% coverage. The defender’s mechanism is to turn off radio transmissions (to
make semantic linking difficult) and change pseudonyms (to make syntactic linking difficult) while
the radio is turned off without endangering safety of life.
More precisely, the proposed solution, which is called SLOW for Silence at LOW speeds, works
as follows. We can choose a threshold speed vT , say vT = 30 km/h. A vehicle will not broadcast
5 Fraunhofer Institute has established that the hardware cost (ignoring the backhaul connections) to set up receivers
covering all 900 km 2 of Berlin is about 250, 000 Euros.
38

3.7. Analysis of SLOW
any heartbeat message, or any other message containing location or trajectory data in the clear,
if it is traveling below speed vT , unless this is necessary for safety- of-life reasons. If the vehicle
has not sent a message for a certain period of time, then it changes pseudonyms (identifiers at all
layer of the network stack and related certificates) before the next transmission. Traffic signals
in a crowded urban area seem like an ideal location for such a pseudonym change: whenever a
crowd of vehicles stop at a traffic signal, they may go into one of several lanes, they may choose
to turn or not turn, and so on. Thus, mix-zones are created at the point where there is maximum
uncertainty about exactly where a vehicle is and exactly what it is going to do next. This is also
a safe set of circumstances under which to stop transmitting. Only 5% of pedestrians struck by a
vehicle at 20 km/h die [Leaf and Preusser, 1999] while at 50 km/h the figure is 40%. Presumably,
vehicle-to-vehicle collisions where both cars are traveling at 30 km/h result in even fewer fatalities.
Situations can be defined as exceptions. For instance, if vehicle A is stopped at a signal, but
vehicle B coming up behind it emits a heartbeat that lets vehicle A know that there is a risk of
a collision, then vehicle A can send out a heartbeat to warn vehicle B to brake. We can note
that the simulations do not include this exception case, because in practice these cases come up
only rarely. Future research based on SLOW will investigate this exception case in greater detail.
We can also note that an attacker can abuse exception cases to break the silent period, but this
attacker (unless it is an inside attacker) can be tracked down by standard methods and revoked.
Besides being very simple to implement, SLOW has other advantages. Traffic jams and slow
traffic leads to a large amount of vehicles in transmission range and therefore requires extensive
processing power to verify the digital signatures of all incoming heartbeat messages. By refraining
from sending heartbeat messages, SLOW avoids the necessity of extensive signature verifications
in traffic jams and slow traffic, and thus, reduces hardware cost. A more detailed analysis of
the impact on computation complexity, as well as the level of privacy and safety provided by the
scheme will be presented in the next section.
3.7 Analysis of SLOW
3.7.1 Privacy
It must be intuitively clear that a vehicle frequently sending out heartbeat messages is easy to
trace, but to the best of my knowledge, no accurate experiment confirms this statement in VANET
settings. As field experiments cannot be done due to the lack of envisioned VANET infrastructure,
simulations were carried out to measure the level of traceability in an urban setting. The SUMO
[Krajzewicz et al., 2002] simulation environment was used, as it is a realistic, microscopic urban
traffic simulator. SUMO was set to use a 100 Hz frequency for internal update of vehicle position
and velocities, and every Nth position (N depending on the heartbeat frequency) was considered
to be available to the attacker as a heartbeat.
Note that tracing vehicles in an urban setting is essentially a multitarget tracking problem,
which has an extensive literature, however, mostly related to radar development in the fields of
aviation and sailing [Gruteser and Hoh, 2005]. Yet, the following tracking approach, consisting of
three steps, can be adopted to the vehicular setting too: first, the actual position and speed of the
targets are recorded by eavesdropping the heartbeat messages. Based on the position and speed
information, a predicted new position is calculated, which can be further refined by the help of side
information such as the layout of the streets, lanes etc. At the next heartbeat, the new positions
are eavesdropped and matched with the predicted positions.
We implemented an attacker that tracked the vehicles in the SUMO output based on the tracking
approach described above. The attacker uses the last two heartbeat information to calculate
the acceleration of the vehicles making the prediction of the next position more accurate. The
vehicles are tracked from their departure to their destination. Tracking is considered successful, if
the attacker has not lost a target through its entire journey.
The results of the tracking of 50 vehicles are shown in Figure 3.5. As we can see, if the
beaconing frequency is 5-10 Hz, which is needed for most of the safety applications, then 75-80%
39

3. LOCATION PRIVACY IN VANETS
Success rate of tracing [%]
80
75
70
65
60
55
0 2 4 6 8 10
Beacon frequency [1/s]
Figure 3.5: Success rate of an attacker performing vehicle tracking by semantic linking of heartbeat
messages when no defense mechanisms are in use.
of the vehicles are tracked successfully. By evaluating the unsuccessful cases, we can observe that
the target vehicles were lost at their destinations. More precisely, in the vast majority of the
unsuccessful cases, when the target vehicle V1 arrived to its destination and stopped sending more
messages, if an other vehicle V2 was in its vicinity, then the attacker continued tracking V2 as if
it was V1. I counted this as unsuccessful case, because the attacker erroneously determined the
destination of the target vehicle (i.e., it concluded that the destination of V1 was that of V2, and
those two destinations have virtually never been the same). However, during the movement of the
target vehicles (i.e., before they reached their destination), the attacker was able to track them
with a remarkable 99% success rate. This confirms that semantic linking is a real problem.
In any case, from a privacy point of view, a system where the users are traceable with probability
0.75-0.8 is not acceptable. My proposed silent period scheme, where the vehicles stop sending
heartbeat message below a given speed, mitigates this problem. It must be clear that the tracking
algorithm described above does not work when the vehicles stop sending heartbeats regularly.
Yet, the attacker may use other side information, such as the probability of turning to a given
direction in an intersection, to improve the success probability of tracking despite the absence of
the heartbeats. Thus, we need a new attacker model that also accounts for such side knowledge of
the attacker.
We can formalize the knowledge of the attacker as follows (for a summary of notations the
reader is referred to Table 3.1): first, each intersection is modeled with a binary matrix J, where
each row corresponds to an ingress lane and each column corresponds to an egress lane of the
intersection, and Jij (the entry in the i-th row and j-th column) is 1 if it is possible to traverse
the intersection by arriving in ingress lane i and leaving in egress lane j. As an example, consider
the intersection shown in Figure 3.6 and its corresponding matrix J defined in matrix (3.1).
⎛
⎜
J = ⎜
⎝
0 0 0 1 1
0 0 1 0 0
1 1 0 1 1
0 0 1 0 0
1 1 0 0 0
40
⎞
⎟
⎠
(3.1)

Table 3.1: Notation in SLOW
vT threshold speed
J junction descriptor matrix
m number of lanes towards the junction
n number of lanes from the junction
T probability distribution of the target’s lanes
W number of waiting vehicles per lanes
w number of waiting vehicles in the junction
L list of egress events
lD decision of the attacker
ˆ l the target’s real egress event
LS list of suspect events
3.7. Analysis of SLOW
Second, we can assume that the accuracy of GPS receivers does not permit to decide with certainty
which lane of a road a given vehicle is using. Therefore, we can also assume that the attacker
knows on which road a target vehicle enters the intersection, but it does not know which ingress
lane it is using. Nevertheless, the attacker may have some a priori knowledge on the probability
of an incoming vehicle choosing a given ingress lane on a given road in a given intersection; such
knowledge may be acquired by visually observing the traffic in that intersection for some time.
These probabilities can be arranged in an m dimensional vector T , where the i-th element Ti is
the probability of choosing ingress lane i when entering the intersection on the road that contains
ingress lane i. As an example, consider the intersection in Figure 3.6, and the vector
T = (0.6, 0.4, 1, 0.8, 0.2)
This would mean that vehicles arriving to the intersection on the road that contains ingress lanes
1 and 2 choose lane 1 with probability 0.6 and lane 2 with probability 0.4. Note that vehicles
arriving on the road that contains only ingress lane 3 have no choice, hence T3 in this example is
1.
Third, when multiple possible egress lanes correspond to a given ingress lane (i.e., there are
more than one 1s in a given row of matrix J), we can assume that vehicles choose any of those egress
lanes uniformly at random. For example, a vehicle arriving in ingress lane 1 of the intersection in
Figure 3.6 can leave the intersection in egress lane 4 or 5 with equal probability.
Finally, when the target vehicle arrives at an intersection, there may already be some other
vehicles waiting or moving below the threshold speed in that intersection. The number of such
silent vehicles in ingress lane i is denoted by Wi, and the m dimensional vector containing all
Wi values is denoted by W . Note that due to the previous assumption that the attacker is not
always able to precisely determine the ingress lane used by an incoming vehicle, it is also unable to
determine the exact values of all Wi’s; nevertheless, it can use its experimental knowledge on the
probabilities of choosing a given lane, represented by vector T , to at least estimate the Wi values.
Let us denote by L the list of vehicles that leave the intersection (and thus restart sending
heartbeats) after the target entered the intersection (and thus stopped sending more heartbeats).
More precisely, each element Lk of list L is a (timestamp, road) pair (t, r) that represents a vehicle
reappearing on road r at time t. The objective of the attacker is to decide which Lk corresponds
to the target vehicle. Let us denote by ℓ the list element chosen by the attacker, and let ℓ ∗ be the
list element that really corresponds to the target vehicle. The attacker is successful if and only if
ℓ = ℓ ∗ .
In theory, the optimal decision is the following:
ℓ = arg max Pr(Lk|J, T, W, L)
k
where Pr(Lk|J, T, W, L) is the probability of Lk being the right decision given all the knowledge
of the attacker. However, it seems to be difficult to calculate (or estimate) all these conditional
41

3. LOCATION PRIVACY IN VANETS
Figure 3.6: An example intersection, the corresponding matrix is given in (3.1)
probabilities, as they have to be determined for every possible intersection (J), number of awaiting
vehicles in the intersection (W ), and observation of egress events (L).
Hence, I assume a more simplistic attacker that uses the following tracking algorithm: let us
denote by w the total number of silent vehicles in the intersection when the target vehicle arrives
and stops sending heartbeats. The attacker decides on the w-th element of L, unless that entry
surely cannot correspond to the target (e.g., it is not possible to leave the intersection on the road
in the w-th element of L given the road on which the target arrived to the intersection). When
the w-th element of L must be excluded, the attacker chooses the next element on the list L that
cannot be excluded.
Our simple attacker model essentially assumes that traffic at an intersection follows the FIFO
(First In First Out) principle. While this is clearly not the case in practice, the attacker still
achieves a reasonable success rate in a single intersection as shown in Figure 3.7. One can see, for
instance, that when the total number of vehicles is 100, the attacker can still track a target vehicle
through a single intersection with probability around 1
2 .
Figure 3.8 shows the success rate of the attacker in the general case, when the target traverses
multiple intersections between its starting and destination points. As expected, the tracking capabilities
of the attacker in this case are worse than in the single intersection case. The quantitative
results of the simulation experiments suggest that only around 10% of the vehicles can be tracked
fully by the attacker when the threshold speed is larger than 22 km/h (approximately 6 m/s).
The effectiveness of the attacker depends on the vT threshold speed and the density of the
vehicles. In general the higher the threshold speed at which vehicles stop sending heartbeats,
the higher the chance that the attacker loses the target (i.e., the lower the chance of successful
tracking). Moreover, in a dense network, it is more difficult to track vehicles. Note, however, that
there is an important difference in practice between the traffic density and the threshold speed,
namely, that the threshold speed can be influenced by the owner of the vehicle, while the traffic
density cannot be.
42

Success rate of tracing [%]
100
90
80
70
60
50
40
30
20
10
0
0 2 4 6 8 10
Threshold speed [m/s]
3.7. Analysis of SLOW
Figure 3.7: Success rate of the simple attacker in a single intersection. Different curves belong to
different experiments with the total number of vehicles given in the legend.
Success rate of tracing [%]
100
90
80
70
60
50
40
30
20
10
50
100
150
200
50
100
150
200
0
0 2 4 6 8 10
Threshold speed [m/s]
Figure 3.8: Success rate of the simple attacker in the general case, when the target traverses multiple
intersections between its starting and destination points. Different curves belong to different
experiments with the total number of vehicles given in the legend.
43

3. LOCATION PRIVACY IN VANETS
3.7.2 Effects on safety
The main objective of vehicular communications is to increase road safety. However, refraining
from sending heartbeat messages may seem to be in contradiction with this objective. Note,
however, that I propose to refrain from sending heartbeats only below a given threshold speed,
and I argue below that this may not endanger the objective of road safety.
According to [Leaf and Preusser, 1999], only 5% of pedestrians struck by a vehicle at 20 km/h
die, while this figure is 40% at 50 km/h. In [Kloeden et al., 1997], it is shown that in a 60 km/h
speed limit area, the risk of involvement in a casualty crash doubles with each 5 km/h increase in
traveling speed above 60 km/h. In [Baruya, 1998], it is shown that 1 km/h change in speed can
influence the probability of an accident by 3.45%.
The statistical figures above show that at lower speed the probability of an accident is lower
too. This is because usually vehicles go at lower speed in areas where the drivers need to be more
careful (hence the speed limit). Thus, it makes sense to rely more on the awareness of the drivers
to avoid accidents at lower speeds. On the other hand, at higher speeds, accidents can be more
severe, and warning from the vehicular safety communication system can play a crucial role in
avoiding fatalities.
3.7.3 Effects on computation complexity
A great challenge in V2V communication deployment is the processing power of the vehicles [Kargl
et al., 2008]. The most demanding task of the On Board Unit (OBU) is the verification of the
signatures on the received heartbeat messages. This problem can be partially handled by not
attaching certificates to every heartbeat message [Calandriello et al., 2007], but it does not solve
the problem of verifying the signatures on the messages.
In principle, the heavier the traffic, the more vehicles are in each others communication range.
More vehicles send more heartbeats overwhelming each other. The number of vehicles in communication
range depends on the average speed of the traffic, assuming that the vehicles keep a safety
distance between each other depending on their speed.
In Figure 3.9, the results of some simple calculations can be seen showing the number of
signature verifications performed as a function of the average speed. In this calculation, vehicles
are assumed to follow each other within 2 seconds. The communication range is assumed to be
100 m and the heartbeat frequency is 10 Hz. It can be seen in the figure that, in a traffic jam on
an 8-lane road, each vehicle must verify as many as approximately 8,000 signatures per second. If
SLOW is used with a threshold speed of around 30 km/h (approximately 8 m/s), then the vehicles
never need to verify more than 1,000 signatures per second (assuming all other parameters are the
same as before). This approach also works well in combination with congestion control where the
transmission power is reduced in high density traffic scenarios. My approach therefore makes the
hardware requirements of the OBU much lower and enables the use of less expensive devices.
3.8 Related work
The privacy of VANET’s is a recent topic. Many author addressed VANETs and its security and
privacy in some papers (for example in [Aoki and Fujii, 1996; Luo and Hubaux, 2004; McMillin et
al., 1998; Chisalita and Shahmehri, 2002; El Zarki et al., 2002; Dötzer, 2006; Hubaux et al., 2004;
Raya and Hubaux, 2005; Raya and Hubaux, 2007; Gerlach, 2006; Ma et al., 2010; Wiedersheim et
al., 2010]). A good online bibliography for the security of VANETs can be found in [Lin and Lu,
2012]. The problem of providing location privacy for VANET’s is categorised in [Gerlach, 2006],
into classes. The difference between the classes is the goal and the strength of the attacker. In
[Choi et al., 2005], Choy et al. investigates how to obtain a balance between privacy and audit
requirements in vehicular networks using only symmetric primitives. Ren et al. analyzes the
location privacy problems in VANETs with attack trees in [Ren et al., 2011].
Many privacy preserving techniques are suggested for on-line transactions (for example in
[Chaum, 1988; Gulcu and Tsudik, 1996]). Mainly they are based on mix networks [Kesdogan
44

Number of signatures to be verified [1/s]
8000
7000
6000
5000
4000
3000
2000
1000
8 lanes
6 lanes
4 lanes
2 lanes
0
0 5 10 15 20
Speed [m/s]
25 30 35 40
3.8. Related work
Figure 3.9: Number of signatures to be verified as a function of the average speed. The communication
range is 100 m, and the heartbeat frequency is 10 Hz. Safety distance between the vehicles
depends on their speed.
et al., 1998; Reiter and Rubin, 1998], which was basically proposed by Chaum in 1981 [Chaum,
1981]. A single mix collect messages mixes them and send them towards their destination. A mix
networks consits of single mixes, which are linked together. In a mix network, some misbehaving
mixes can not break the anonimity of the senders/receivers.
An evident extension of mix networks to the off-line world is the the mix zones, proposed by
Beresford et al. in [Beresford and Stajano, 2003; Beresford and Stajano, 2004]. A mix zone is a
place where the users of the network are mixed, thus after leaving the mix zone, they can not be
distinguished from each other.
The problem of providing location privacy in wireless communication is well studied by Hu and
Wang in [Hu and Wang, 2005]. They built a transaction-based wireless communication system
in which transactions are unlinkable, and give a detailed simulation results. Their solution can
provide location privacy for real-time applications as well.
To qualify the operation of the mix zones, the offered anonomity must be measured. The first
metric was proposed by Chaum [Chaum, 1988], was the size of the anonimity set. It is good metric
only if any user leaving the mix zone is the target with the same probability. If the probabilities
are different, then entropy based metric should be used. Entropy based metrics were suggested by
Díaz et. al [Diaz et al., 2002] and Serjantov et al. [Serjantov and Danezis, 2003] at the same time.
For the best of my knowledge, one the most relevant paper to SLOW is done by Sampigethaya
et al. in [Sampigethaya et al., 2005; Sampigethaya et al., 2007]. In the paper, they study the
problem of providing location privacy in VANET in the presence of a global adversary. A location
privacy scheme called CARAVAN is also proposed. The main idea of the scheme is that random
silent period [Huang et al., 2005] are used in the communication to avoid continous traceability.
The solution is evaluated only in freeway model and in randomly generated manhattan street
model. Lu et al. arrives to similar consequences as SLOW, namely, that the pseudonyms should
be changed at intersections with high traffic in [Lu et al., 2012]. The main difference between the
two approaches is that in their paper, the vehicles are aware of the possible zones from a predefined
45

3. LOCATION PRIVACY IN VANETS
map, so the mix zones are defined priori. They use a game theoretic approach to analyze their
model.
The change of pseudonyms may also have a detrimental effect, especially on the efficiency of
routing and the packet loss ratio. In [Schoch et al., 2006], Schoch et al. investigated this problem
and proposed some approaches that can guide system designers to achieve both a given level of
privacy protection as well a reasonable level of performance.
Another proposed approach provides multiple certificates in vehicles based on the combination
of group signatures and multiple self-issued certificates [Calandriello et al., 2007; Armknecht et
al., 2007]. The disadvantage is that On Board Units (OBUs) need to perform expensive group
signature verification operations, and that OBUs are empowered to mount Sibyl attacks. [Studer
et al., 2008] uses group signatures to request temporary certificates from a CA in an anonymous
manner without the disadvantages of the previous scheme, but at the cost of an available connection
to the CA. My solution suggested in Section 3.6 accounts for a global attacker without the support
of the RSU infrastructure.
3.9 Conclusion
In the first half of this chapter from Section 3.2, I studied the effectiveness of changing pseudonyms
to provide location privacy for vehicles in vehicular networks. The approach of changing pseudonyms
to make location tracking more difficult was proposed in prior work, but its effectiveness
has not been investigated yet. In order to address this problem, I defined a model based on the
concept of the mix zone. I assumed that the adversary has some knowledge about the mix zone,
and based on this knowledge, she tries to relate the vehicles that exit the mix zone to those that
entered it earlier. I also introduced a metric to quantify the level of privacy enjoyed by the vehicles
in this model. In addition, I performed extensive simulations to study the behavior of the model in
realistic scenarios. In particular, in the simulation, I used a rather complex road map, generated
traffic with realistic parameters, and varied the strength of the adversary by varying the number of
her monitoring points. My simulation results provided detailed information about the relationship
between the strength of the adversary and the level of privacy achieved by changing pseudonyms.
I abstracted away the frequency with which the pseudonyms are changed, and I simply assumed
that this frequency is high enough so that every vehicle surely changes pseudonym while in the mix
zone. It seems that changing the pseudonyms frequently has some advantages as frequent changes
increase the probability that the pseudonym is changed in the mix zone. On the other hand, the
higher the frequency, the larger the cost that the pseudonym changing mechanism induces on the
system in terms of management of cryptographic material (keys and certificates related to the
pseudonyms). In addition, if for a given frequency, the probability of changing pseudonym in the
mix zone is already close to 1, then there is no sense to increase the frequency further as it will
no longer increase the level of privacy, while it will still increase the cost. Hence, there seems to
be an optimal value for the frequency of the pseudonym change. Unfortunately, this optimal value
depends on the characteristics of the mix zone, which is ultimately determined by the observing
zone of the adversary, which is not known to the system designer.
In the second half of the chapter from Section 3.4, I proposed a simple and effective privacy
preserving scheme, called SLOW, for VANETs. SLOW requires vehicles to stop sending heartbeat
messages below a given threshold speed (this explains the name SLOW that stands for “silence
at low speeds”) and to change all their identifiers (pseudonyms) after each such silent period. By
using SLOW, the vicinity of intersections and traffic lights become dynamically created mix zones,
as there are usually many vehicles moving slowly at these places at a given moment in time. In
other words, SLOW implicitly ensures a synchronized silent period and pseudonym change for
many vehicles both in time and space, and this makes it effective as a location privacy enhancing
scheme. Yet, SLOW is remarkably simple, and it has further advantages. For instance, it relieves
vehicles of the burden of verifying a potentially large amount of digital signatures when the vehicle
density is large, as this usually happens when the vehicles move slowly in a traffic jam or stop at
46

3.10. Related publications
intersections. Finally, the risk of a fatal accident at a slow speed is low, and therefore, SLOW does
not seriously impact safety-of-life.
I evaluated SLOW in a specific attacker model that seems to be realistic, and it proved to be
effective in this model, reducing the success rate of tracking a target vehicle from its starting point
to its destination down to the range of 10–30%.
As a conclusion of this chapter, I analyzed what a local and a global eavesdropping attacker
can do when trying to trace vehicles in VANETs, and gave an efficient countermeasure against the
stronger global attacker.
3.10 Related publications
[Buttyan et al., 2007] Levente Buttyan, Tamas Holczer, and Istvan Vajda. On the effectiveness of
changing pseudonyms to provide location privacy in vanets. In Proceedings of the Fourth European
Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS2007). Springer, 2007.
[Papadimitratos et al., 2008] Panagiotis Papadimitratos, Antonio Kung, Frank Kargl, Zhendong
Ma, Maxim Raya, Julien Freudiger, Elmar Schoch, Tamas Holczer, Levente Buttyán, and
Jean pierre Hubaux. Secure vehicular communication systems: design and architecture. IEEE
Communications Magazine, 46(11):100–109, 2008.
[Holczer et al., 2009] Tamas Holczer, Petra Ardelean, Naim Asaj, Stefano Cosenza, Michael
Müter, Albert Held, Björn Wiedersheim, Panagiotis Papadimitratos, Frank Kargl, and Danny De
Cock. Secure vehicle communication (sevecom). Demonstration. Mobisys, June 2009.
[Buttyan et al., 2009] Levente Buttyan, Tamas Holczer, Andre Weimerskirch, and William
Whyte. Slow: A practical pseudonym changing scheme for location privacy in vanets. In Proceedings
of the IEEE Vehicular Networking Conference, pages 1–8. IEEE, IEEE, October 2009.
47

Chapter 4
Anonymous Aggregator Election and Data
Aggregation in Wireless Sensor Networks
4.1 Introduction
Wireless sensor and actuator networks are potentially useful building blocks for cyber-physical
systems. Those systems must typically guarantee high-confidence operation, which induces strong
requirements on the dependability of their building blocks, including the wireless sensor and actuator
network. Dependability means resistance against both accidental failures and intentional
attacks, and it should be addressed at all layers of the network architecture, including the networking
protocols and the distributed services built on top of them, as well as the hardware and
software architecture of the sensor and actuator nodes themselves. Within this context, in this
chapter, I focus on the security aspects of aggregator node election and data aggregation protocols
in wireless sensor networks.
Data aggregation in wireless sensor networks helps to improve the energy efficiency and the
scalability of the network. It is typically combined with some form of clustering. A common
scenario is that sensor readings are first collected in each cluster by a designated aggregator node
that aggregates the collected data and sends only the result of the aggregation to the base station.
In another scenario, the base station may not be present permanently in the network, and the
aggregated data must be stored by the designated aggregator node in each cluster temporarily
until the base station can eventually fetch the data. In both cases, the amount of communication,
and hence, the energy consumption of the network can be greatly reduced by sending aggregated
data, instead of individual sensor readings, to the base station.
While data aggregation in wireless sensor networks is clearly advantageous with respect to
scalability and efficiency, it introduces some security issues. In particular, the designated aggregator
nodes that collect and store aggregated sensor readings and communicate with the base station are
attractive targets of physical node destruction and jamming attacks. Indeed, it is a good strategy
for an attacker to locate those designated nodes and disable them, because he can prevent the
reception of data from the entire cluster served by the disabled node. Even if the aggregator role
is changed periodically by some election process, some security issues remain, in particular in the
case when the base station is off-line and the aggregator nodes must store the aggregated data
temporarily until the base station goes on-line and retrieves them. More specifically, in this case,
the attacker can locate and attack the node that was aggregator in a specific time epoch before
the base station fetches its stored data, leading to permanent loss of data from the given cluster
in the given epoch.
In order to mitigate this problem, I introduced the concept of private aggregator node election,
and I proposed the first private aggregator node election protocol. Briefly, the first protocol
ensures that the identity of the elected aggregator remains hidden from an attacker who observes
49

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
the execution of the election process. However, this protocol ensures only protection against an
external eavesdropper that cannot compromise sensor nodes, and it does not address the problem
of identifying the aggregator nodes by means of traffic pattern analysis after the election phase.
In the second protocol, I addressed the shortcomings of the first scheme: I proposed a new
private aggregator node election protocol that is resistant even to internal attacks originating
from compromised nodes, and I also proposed a new private data aggregation protocol and a new
private query protocol which preserved the anonymity of the aggregator nodes during the data
aggregation process and when they provide responses to queries of the base station. In the second
private aggregator node election protocol, each node decides locally in a probabilistic manner to
become an aggregator or not, and then the nodes execute an anonymous veto protocol to verify if
at least one node became aggregator. The anonymous veto protocol ensures that non-aggregator
nodes learn only that there exists at least one aggregator in the cluster, but they do not learn
any information on its identity. Hence, even if such a non-aggregator node is compromised, the
attacker learns no useful information regarding the identity of the aggregator.
The protocols can be used to protect sensor network applications that rely on data aggregation
in clusters, and where locating and then disabling the designated aggregator nodes is highly
undesirable. Such applications include high-confidence cyber-physical systems where sensors and
actuators monitor and control the operation of some critical physical infrastructure, such as an
energy distribution network, a drinking water supply system, or a chemical pipeline. A common
feature of these systems is that they have a large geographical span, and therefore, the sensor
network must be organized into clusters and use in-network data aggregation in order to ensure
scalability and energy efficient operation. Moreover, due to the mission critical nature of these
applications, it is desirable to prevent the identification of the aggregator nodes in order to limit
the impact of a successful attack against the sensor network. The first protocol that resist only an
external eavesdropper is less complex than the second protocol that works in a stronger attacker
model. Hence, the first protocol can be used in case of strong resource constraints or when the
risk of compromising sensor nodes is limited (e.g., it may be difficult to obtain physical access to
the nodes). The second protocol is needed when the risk of compromised and misbehaving nodes
cannot be eliminated by other means.
The remainder of the chapter is organized as follows: in Section 4.2, I introduce my system
and attacker models. In Section 4.3, I present my basic aggregator election protocol which can
withstand external attacks, while in Section 4.4, I introduce my advanced protocols, which can
withstand internal aggregator identification and scamming attackers as well. In Section 4.5, I give
an overview of some related work, and in Section 4.6, I conclude the chapter and sketch some
future research directions.
4.2 System and attacker models
A sensor network consists of sensor nodes that communicate with each other via wireless channels.
Every node can generate sensor readings, and store it or forward it to another node. Each node can
directly communicate with the nodes within its radio range; those nodes are called the (one-hop)
neighbors of the node. In order to communicate with distant nodes (outside the radio range),
the nodes use multi-hop communications. The sensor network has an operator as well, who can
communicate with some of the nodes through a special node called base station, or can communicate
directly with the nodes if the operator moves close to the network.
Throughout the chapter, a data driven sensor network is envisioned, where every sensor node
sends its measurement to a data aggregator regularly. Such data driven networks are used for
regular inspection of monitored processes notably in critical infrastructures. Event driven networks
can be used for reporting special usually dangerous but infrequent events like fire in a building.
There is no need of clustering and data aggregation in event based systems, thus private cluster
aggregator election and data aggregation is not applicable there. The third kind of network is the
query driven network, where the operator sends a query to the network, and the network sends a
50

4.2. System and attacker models
response. This kind of functionality can be used with data driven networks, and can have privacy
consequences, like the identity of the answering node should remain hidden.
In the following, it is assumed, that the time is slotted, and one measurement is sent to the
data aggregator in each time slot. The time synchronization between the nodes is not discussed
here, but a comprehensive survey can be found in [Faizulkhakov, 2007].
It is assumed that every node shares some cryptographic credentials with the operator. These
credentials are unique for every node, and the operator can store them in a lookup table, or can
be generated from a master key and the node’s identifier on demand. The exact definition of the
credentials can be found in Section 4.3.1 and in Section 4.4.1.
The nodes may be aware of their geographical locations, and they may already be partitioned
into well defined geographical regions. In this case, these regions are the clusters, and the objective
of the aggregator election protocol is to elect an aggregator within each geographical region. We
call this approach location based clustering; an example would be the PANEL protocol [Buttyán
and Schaffer, 2010].
A kind of generalization of the position based election is the preset case, where the nodes know
the cluster ID they belong to before any communication. Here the goal of the election is to elect
one node in every preset cluster. This approach is used in [Buttyán and Holczer, 2010].
Alternatively, the nodes may be unaware of their locations or cluster IDs, and know only their
neighbors. In this case, the clusters are not pre-determined, but they are dynamically constructed
parallel to the election of the aggregators. Basically, any node may announce itself as an aggregator,
and the nodes within a certain number of hops on the topology graph may join that node as cluster
members. We call this approach topology based clustering; an example would be the LEACH
protocol [Heinzelman et al., 2000].
The location based and the topology based approaches are illustrated in Figure 4.1.
100
80
60
40
20
0
0 20 40 60 80 100
100
80
60
40
20
0
0 20 40 60 80 100
Figure 4.1: Result of a location based (left), and topology based (right) one-hop aggregator election
protocol. Solid dots represent the aggregators, and empty circles represent cluster members.
Both approaches may use controlled flooding of broadcast messages. In case of location based
or preset clustering, the scope of a flood is restricted to a given geographic region or preset cluster.
Nodes within that region re-broadcast the message to be flooded when they receive it for the first
time. Nodes outside of the region or having different preset cluster IDs simply drop the message.
In case of topology based clustering, it is assumed that the broadcast messages has a Time-to-
Live field that controls the scope of the flooding. Any node that receives a broadcast message
with a positive TTL value for the first time will automatically decrement the TTL value and rebroadcast
the message. Duplicates and messages with TTL smaller than or equal to zero are silently
discarded. When I say that a node broadcasts a message, I mean such a controlled flooding (either
location based, preset or topology based, depending on the context). In Section 4.4, connected
dominating sets (CDS) are used to implement efficient broadcast messaging. The concept of CDS
will be introduced there.
51

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
We can call the set of nodes which are (in the location based and the preset case) or can
potentially be (in the topology based case) in the same cluster as a node S the cluster peers of S.
Hence, in the location based case, the cluster peers of S are the nodes that reside within the same
geographic region as node S. In the preset case, the cluster peers are the nodes sharing the same
cluster ID. In the topology based case, the set of cluster peers of S usually consists in its n-hop
neighborhood, for some parameter n. The nodes may not explicitly know all their cluster peers.
The main functional requirement of any clustering algorithm is that either node S or at least
one of the cluster peers of S will be elected as aggregator.
The leader of each cluster is called cluster aggregator, or simply aggregator. In the following I
will use aggregator, cluster aggregator and data aggregator interchangeably.
As mentioned in Section 4.1, an attacker can gain much more information by attacking an
aggregator node than attacking a normal node. To attack a data aggregator node either physically
or logically, first the attacker must identify that node. In this chapter I assume that the attacker’s
goal is to identify the aggregator (which means that simply preventing, jamming or confusing the
aggregation is not the goal of the attacker). In Section 4.4.5 I go a little further, and analyze what
happens if a compromised node does not follow the proposed protocols in order to mislead the
operator.
An attacker who wants to discover the identity of the aggregators can eavesdrop the communication
between any nodes, can actively participate in the communication (by deleting modifying
and inserting messages) and can physically compromise some of the nodes. A compromised node
is under the full control of the attacker, the attacker can fully review the inner state of that node,
and can control the messages sent by that node.
Compromising a node is a much harder challenge for an attacker than simply eavesdropping the
communication. It requires physical contact with the node and some advanced knowledge, however
it is far from impossible for an attacker with good electrical and laboratory background [Anderson
and Kuhn, 1996]. So I propose two solutions. The first basic protocol can fully withstand a passive
eavesdropper, but a compromising attacker can gain some knowledge about the identities of the
cluster aggregators. The second advanced protocol can withstand a compromising attacker as well,
with only leaking information about the compromised nodes.
In case of a passive adversary, a rather simple solution could be based on a common shared
global key. Using that shared global key as a seed of a pseudo random number generator, every
node can construct locally (without any communications) the same pseudo randomly ordered list
of all nodes. These lists will be identical for every node because all nodes use the same seed and the
same pseudo random number generator. Then, the first A nodes of the list are elected aggregators
such that every node can communicate with a cluster aggregator and no subset of A covers the
whole system. An illustration of the result of this algorithm can be seen on Figure 4.1 for location
based and topology based cluster aggregator election.
The problem with this solution is that it is not robust: compromising a single node would leak
the common key, and the adversary could compute the identifier of all cluster aggregators. While I
do not want to fully address the problem of compromised nodes in the first protocol, I still aim at
a more robust solution than the one described above. In particular, the system should not collapse
by compromising just a single or a few nodes.
The second protocol can withstand the compromise of some nodes without the degradation
of the privacy of the cluster aggregators. This protocol meets the following goals and has the
following limitations:
The identity of the non-compromised cluster aggregators remains secret even in the presence
of passive and active attackers or compromised nodes.
The attacker can learn whether the compromised node is an aggregator.
An attacker can force a compromised node to be aggregator, but does not know anything
about the existence or identity of the other aggregators.
The attacker cannot achieve that no aggregator is elected in the cluster, however all the
elected aggregator(s) may be compromised nodes.
52

4.3. Basic protocol
The main difference between the first and second protocol is the following. The first protocol
is very simple, but not perfect as a compromised node can reveal the identity of the aggregators.
The second protocol requires more complex computations, but offers anonymity in case of node
compromise as well. In some cases such complex computations are outside the capabilities of the
nodes (or the probability of compromise is low), but anonymity is still required by the system.
In these cases I suggest to use the first protocol. If the probability of node compromise is not
negligible, then the use of the second protocol is recommended.
4.3 Basic protocol
In this section, I describe the basic protocol that I propose for private aggregator node election.
First I give a brief overview of the basic principles of the protocol, and present the details later.
After that, some important details of this basic protocol is presented in Section 4.3.2, where I also
describe how to set the parameters of the protocol.
4.3.1 Protocol description
I assume that the nodes are synchronized (see [Faizulkhakov, 2007] for a survey on time synchronization
mechanism for sensor networks), and each node starts executing the protocol roughly
at the same time. The protocol terminates after a predefined fix amount of time. During the
execution of the protocol, any node that has not received any aggregator announcement yet may
decide to become an aggregator, in which case, it broadcasts an aggregator announcement message
announcing itself as a cluster aggregator. This message is broadcast among the cluster peers of
the node sending the announcement (see Section 4.2). Upon reception of a cluster aggregator
announcement, any node that has neither announced itself as a cluster aggregator nor received any
such announcement yet will consider the sender of the announcement as its cluster aggregator. In
order to prevent an external observer to learn the identity of the cluster aggregators, all messages
sent in the protocol are encrypted such that only the nodes to whom they are intended can decrypt
them. For this, it is assumed that each node shares a common key with all of its cluster peers (an
overview of available key establishment mechanisms for sensor networks can be found in [Lopez
and Zhou, 2008]). In addition, in order to avoid that message originators are identified as cluster
aggregators, the nodes that will be cluster members are required to send dummy messages that
cannot be distinguished from the announcements by the external observer (i.e., they are encrypted
and disseminated in the same way as the announcements).
Note that the proposed basic protocol considers only either pairwise keys between the neighboring
nodes or group keys shared between sets of neighboring nodes, so no global key is assumed.
Such pairwise or group keys can be established by the techniques proposed in [Lopez and Zhou,
2008]. The key establishment can be based on randomly selected key sets. In such a protocol, the
probability that neighboring nodes share a common key is high, and the unused keys are deleted
[Chan et al., 2003]. The key establishment can be also based on a common key which is deleted
after some short time when the neighbors are discovered [Zhu et al., 2003]. Any node that owns
the common key can generate a pairwise key with a node which owns or previously owned the
common key. The basic method for exchanging a group/cluster key with the neighboring nodes is
to send the same random key to each neighbor encrypted with the previously exchanged pairwise
keys.
The pseudo-code of the protocol is given in Algorithm 2, and a more detailed explanation
of the protocol’s operation is presented below. The protocol consists of two rounds, where the
length of each round is τ. The nodes are synchronized, they all know when the first round begins,
and what the value of τ is. At the beginning, each node starts two random timers, T1 and T2,
where T1 expires in the first round (uniformly at random) and T2 expires in the second round
(uniformly at random). Each node also initializes at random a binary variable, called announFirst,
that determines in which round the node would like to send a cluster aggregator announcement.
53

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
Algorithm 2 Basic private cluster aggregator election algorithm
start T1, expires in rand(0,τ) //timer, expires in round 1
start T2, expires in rand(τ,2τ) //timer, expires in round 2
announFirst = (rand(0,1) ≤ γ)
CAID = -1 // ID of the cluster aggregator of the node
while T1 NOT expired do
if receive ENC(announcement) AND (CAID = -1) then
CAID = ID of sender of announcement
end if
end while
// T1 expired
if announFirst AND (CAID = -1) then
broadcast ENC(announcement);
CAID = ID of node itself;
else
broadcast ENC(dummy);
end if
while T2 NOT expired do
if receive ENC(announcement) AND (CAID = -1) then
CAID = ID of sender of announcement
end if
end while
// T2 expired
if (NOT announFirst) AND (CAID = -1) then
broadcast ENC(announcement);
CAID = ID of node itself;
else
broadcast ENC(dummy);
end if
54

Table 4.1: Estimated time of the building blocks on a Crossbow MICAz mote
Algorithm Generation [ms] Verification [ms]
SHA-1 [Ganesan et al., 2003] 1.4 –
RSA 1024 bit [Piotrowski et al., 2006] 12040 470
RC4 [Ganesan et al., 2003] 0.1 0.1
RC5 [Ganesan et al., 2003] 0.4 0.4
4.3. Basic protocol
The probability that announFirst is set to the first round is γ, which is a system parameter. The
setting of γ is elaborated in Section 4.3.2.
In the first round, every node S waits for its first timer T1 to expire. If S receives an announcement
before T1 expires, then the sender of the announcement will be the cluster aggregator of S.
When T1 expires, S broadcasts a message as follows: if announFirst is set to the first round and
S has not received any announcement yet, then S sends an announcement, in which it announces
itself as a cluster aggregator. Otherwise, S sends a dummy message. In both cases, the message is
encrypted (denoted by ENC() in the algorithm) such that only the cluster peers of S can decrypt
it.
The second round is similar to the first round. When T2 expires S broadcasts a message as
follows: if announFirst is set to the second round and S has not received any announcement yet,
then S sends an announcement, otherwise, S sends a dummy message. In both cases, the message
is encrypted.
It is easy to see that at the end of the second round each node is either a cluster aggregator or
it is associated with a cluster aggregator whose ID is stored in variable CAID. Without the second
round, a node can remain unassociated, if it sends and receives only dummy messages in the first
round. In addition, a passive observer only sees that every node sends two encrypted messages,
one in each round. This makes it difficult for the adversary to identify who the cluster aggregators
are (see also more discussion on this in the next section). In addition, if a node is compromised,
the adversary learns only the identity of the cluster aggregators whose announcements have been
received by the compromised node.
In WSNs, it must be analyzed what happens if some messages are delayed or lost in the noisy
unreliable channel. Two cases must be analyzed, dummy messages and announcements. If a
dummy message is delayed or not delivered successfully to all recipients, then the result of the
protocol is not modified as dummy messages serve for only covering the announcements. If an
announcement is delayed or not delivered to a node, then the recipient will not select the sender as
cluster aggregator. It will select a node who sent the announcement later or the node elects itself
and sends an announcement. The message loss may modify the resulting set of cluster aggregators,
but neither harm the anonymity of the elected aggregators, nor harm the original goal of cluster
aggregator election (a node must be either a cluster aggregator or a cluster aggregator must be
elected from the nodes cluster peers).
Note that two neighboring nodes can send an announcement at the same time with some small
probability. Actually, it is not a problem in the protocol. The only result is that both nodes
will be cluster aggregators independently. As it is not conflicting with the original goal of cluster
aggregator election, this infrequent situation does not need any special attention.
The overhead introduced by the basic protocol is sending two encrypted messages for each
election round. Other protocols [Buttyán and Schaffer, 2010; Heinzelman et al., 2000] uses one (or
zero) unencrypted messages to elect an aggregator. So the number of messages sent in the election
phase is slightly larger compared to other solutions. The symetric encryption also causes some
extra overhead (for details, see Table 4.1, rows with RC4 and RC5).
55

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
4.3.2 Protocol analysis
In this section the previously suggested basic protocol is analyzed. As defined in Section 4.2, the
main goal of the attacker is to reveal the identity of the cluster aggregators. To do so, the attacker
can eavesdrop, modify, and delete messages, and can capture some nodes.
First the logical attacks are analyzed where the attacker does not capture any nodes, then the
results of a node capture.
The attackers main goal is to reveal the identity of the cluster aggregators. As all the inter node
communication is encrypted and authenticated, it cannot get any information from the messages
themselves, but it can get some side information from simple traffic and topology analysis.
Density based attack
Thanks to the dummy messages and the encryption in the basic protocol, an external observer
cannot trivially identify the cluster aggregators; however, it can still use side information and
suspect some nodes to be cluster aggregators with higher probability than some other nodes. Such
a side information is the number of the cluster peers of the nodes. This number correlates with
the local density of the nodes, that is why this attack is called density based attack. Indeed, the
probability of becoming a cluster aggregator depends on the number of the cluster peers of the
node. For instance, if a node does not have any cluster peers, it will be a cluster aggregator with
probability one. On the other hand, if the node has a larger number of cluster peers, then the
probability of receiving an announcement from a cluster peer is large, and hence, the probability
that the node itself becomes cluster aggregator is small. Note also that the number of cluster peers
can be deduced from the topology of the network, which may be known to the adversary.
The probability of becoming a cluster aggregator is approximately inversely proportional to the
number of cluster peers:
Pr(CA(S)) ∼ = 1
D(S)
where CA(S) is the event of S being elected cluster aggregator, and D(S) is the number of cluster
peers of node S. Figure 4.2 illustrates this proportionality where the curve belongs to Equation 4.1
and the plotted dots correspond to simulation results (100 nodes, random deployment, one hop
communication, topology based clustering). It can be seen, that Equation 4.1 is quite sharp, it is
very close to the simulated results.
Two approaches can be used to mitigate this problem. One is to take the number of cluster
peers of the nodes into account when generating the random timers for the protocol. The second
is to balance the logical network topology in such a way that every node has the same number of
cluster peers. In the following a possible solution for both approaches is introduced.
The first approach can be the fine tuning of the distributions. It is not analyzed here deeply,
because it can only slightly modify the probabilities of being cluster aggregator, so it has no large
effect. An example can be seen on Figure 4.3, where the 10 th power of D(S) is used as a normalizing
factor, when γ (probability of sending an announcement in the first round) is computed. The
coefficients of the polynomial are set as resulting curve is the closest to uniform distribution. It can
be seen, that modifying γ on a per node basis does not eventually reaches its goal, the normalized
distribution is far from uniform. Actually by modifying γ, the other attack discussed in the next
section can be mitigated, so here I propose a solution which does not set the γ parameter.
The second approach modifies the number of cluster peers of a node to reach a common value.
Let us denote this value by α.
An efficient approach to mitigate this problem is to modify the number of cluster peers such
that it becomes a common value α for all of them. In theory, this common value can be anything
between 1 and the total number N of the nodes in the network. In practice, it should be around
the average number of cluster peers, which can be estimated locally by the nodes. For example,
assuming one-hop communications (meaning that the cluster peers are the radio neighbors), the
following formula can be used:
56
(4.1)

Probability of being cluster aggregator
1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
Simulation
Analytical
0
0 5 10 15 20 25
Number of cluster peers
4.3. Basic protocol
Figure 4.2: Probability of being cluster aggregator as a function of the number of cluster peers.
α = (N − 1) R2 π
A
+ 1 ≃ E(D(S)) (4.2)
where R is the radio range, and A is the size of the total area of the network. The formula is based
on the fact that the number of cluster peers is proportional to the ratio between radio coverage
and total area. Similar formulae can be derived for the general case of multi-hop communication.
If a node S has more than α cluster peers it can simply discard the messages from D(S) − α
randomly chosen cluster peers. If S has less than α cluster peers it must get new cluster peers by
the help of its actual cluster peers (if S has not got any cluster peers originally, then it will always
become a cluster aggregator). The new cluster peers can be selected from the set of cluster peers of
the original cluster peers. To explore the potential new cluster peers, every node can broadcast its
list of cluster peers within its few hop neighborhood before running the basic protocol. From the
lists of the received cluster peers, every node can select its α − D(S) new cluster peers uniformly
at random. Then, the basic aggregator election protocol can be executed using the balanced set of
cluster peers. An example for this balancing is shown in Figure 4.4 (70 nodes, random deployment,
one hop communication, topology based clustering).
After running the balancing protocol, every node can approach the envisioned α value. The
advantage of the balancing protocol is that however an attacker can gather the information about
the number of cluster peers, this number is efficiently balanced after the protocol. The drawback of
this solution is that it requires the original cluster peers to relay messages between distant nodes.
One can imagine this solution as selectively increasing the TTL of protocol messages creating much
larger neighborhoods.
Order based attack
Another important side information an attacker can use is the order in which the nodes send
messages in the first round of the protocol. Indeed, the sender of the i-th message will be cluster
aggregator if none of the previous i − 1 messages are announcements (but dummies) and the i-th
message is an announcement. Thus, the probability Pi that the sender of the i-th message becomes
cluster aggregator depends on i and parameter γ:
57

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
Probability of being cluster aggregator
1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
Normalized
Original
0
0 5 10 15 20 25
Number of cluster peers
Figure 4.3: Probability of being cluster aggregator as a function of number of cluster peers. The
analytical values comes from Equation 4.1, while the simulation values come from simulation,
where the γ probabilities are normalized with the number of cluster peers of the nodes.
Pi = (1 − γ) i−1 γ, 1 ≤ i ≤ n
The (n + 1)-th element of the distribution is the probability that no announcement is sent in
the first round:
Pn+1 = (1 − γ) n
in which case the sender of the first message of the second round must be a cluster aggregator.
The entropy of this distribution characterizes the uncertainty of the attacker who wants to
identify the cluster aggregator using the order information. Assuming that the number of cluster
peers has been already balanced, this entropy can be calculated as follows:
Number of cluster peers
40
30
20
10
0
0 20 40
Node ID
60
Number of cluster peers
40
30
20
10
0
0 20 40
Node ID
60
Figure 4.4: Result of balancing. The 70 nodes are represented on the x axis. The number of cluster
peers before (left), and after (right) the balancing are represented on the y axis.
58

− n∑
i=1
H = − n+1 ∑
4.3. Basic protocol
Pi log Pi = (4.3)
i=1
(
(1 − γ) i−1 (
γ log (1 − γ) i−1 ))
γ −
− (1 − γ) n log (1 − γ) n
where γ is the probability of sending an announcement in the first round and n is the balanced
number of cluster peers.
Entropy
3.5
3
2.5
2
1.5
1
0.5
0
0 0.2 0.4 0.6 0.8 1
γ
Figure 4.5: Entropy of the attacker as a function of sending announcement in the first round (γ).
Number of nodes in one cluster: 10.
In Figure 4.5, I plotted formula (4.3). If γ is large, then the uncertainty of the attacker is low,
because one of the first few senders will become the cluster aggregator with very high probability.
If γ is very small, then the uncertainty of the attacker is small again, because no cluster aggregator
will be elected in the first round with high probability, and therefore, the first sender of the second
round will be the cluster aggregator. The ideal γ value corresponds to the maximum entropy,
which can be easily computed by the nodes locally from formula (4.3). For instance, Table 4.2
shows some ideal γ values for different number of nodes in one cluster. The fifth row (Hmax)
shows the maximal entropy (uncertainty) that any kind of election protocol can achieve with the
given number of nodes. This is achieved if every node is equiprobably elected from the viewpoint
of the attacker. This value is closely approached by H(ˆγ), where ˆγ is very close to the optimal
solution (the difference between the found value and the optimal value can be arbitrarily small,
and depends on the number of iterations the estimation algorithm uses). Using the found ˆγ value,
the order of the messages has no meaning for the attacker.
Node capture attacks
If an attacker can compromise a node, it can reveal some sensitive information, even when the
system uses the local key based protocol. If the compromised node is a cluster aggregator, then
all the previously stored messages can be revealed. The attacker can decide to demolish the node,
modify the stored values, simply use the captured data, or modify the aggregation functions.
59

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
Table 4.2: Optimal γ values (ˆγ) for different number of nodes in one cluster. Achieved entropy
(H(ˆγ)) and maximal entropy (Hmax = log 2 n)
n 10 25 50 100
ˆγ 0.167 0.082 0.049 0.027
nˆγ 1.67 2.05 2.45 2.7
H(ˆγ) 3.281 4.410 5.312 6.218
Hmax 3.322 4.644 5.644 6.644
If the compromised node is not a cluster aggregator, then the attacker can reveal the cluster
aggregator of that node, which can result in the same situation described in the previous paragraph.
4.3.3 Data forwarding and querying
The problem of forwarding the measured data to the aggregators without revealing the identity
of the aggregators is a well known problem in the literature, called anonymous routing [Seys and
Preneel, 2006; Zhang et al., 2006; Rajendran and Sreenaath, 2008].
Anonymous routing let us route packets in the network without revealing the destination of
the packet. A short overview of anonymous routing can be found in Section 4.5.
With anonymous routing any node can send the measurements to the aggregators without
revealing the identity of it. An operator can query the aggregator with the help of an ordinary
node which uses anonymous routing towards the aggregator.
Anonymous routing introduces significant overhead in the traffic. However this can be partially
mitigated by synchronizing the data transmissions. Instead of suggesting such an approach, in this
chapter I elaborate a more challenging situation where the identity of the aggregators is unknown
to the cluster members as well in Section 4.4.3. The clear advantage is that even if a node is
compromised, it’s aggregator cannot be identified.
4.4 Advanced protocol
The advanced private data aggregation protocol is designed to withstand the compromise of some
nodes without revealing the identities of the aggregator. The protocol consists of four main parts.
The first part is the initialization, which provides the required communication channel. The second
part is needed for the data aggregator election. This subprotocol must ensure that the cluster does
not remain without a cluster aggregator. This must be done without revealing the identity of the
elected aggregator. The third part is needed for the data aggregation. This subprotocol must be
able to forward the measured data to the aggregator without knowing its identifier. The last part
must support the queries, where an operator queries some stored aggregated data.
In the following, the description of each subprotocol follows the same pattern. First the goal
and the requirements of the subprotocol are discussed, then the subprotocol itself is presented.
After the presentation of the subprotocol, I analyze how it achieves its goal even in the presence
of an attacker, and what data and services it provides to the next subprotocol.
At the end of this section, misbehavior is analyzed. I discuss, what an attacker can achieve,
if its goal is not to identify the aggregators of the cluster, but to confuse the operation of the
protocols.
In the following, it is assumed that every node knows which cluster it belongs to. The protocol
descriptions are considering only one cluster, and separate instances of the protocol are run in
different clusters independently.
The complexity of each subprotocol is summarized in Table 4.3. This table gives an overview of
the message complexity of the used subprotocols, so the bandwidth requirements can be calculated
from it. It can be seen, that the rarely used election protocol has the highest complexity, and the
frequently used aggregation is the most lightweight protocol in use.
60

4.4. Advanced protocol
Table 4.3: Summary of complexity of the advanced protocol. N is the number of nodes in the
cluster
Election Aggregation Query
Message complexity O(N 2 ) O(N) O(N)
Modular exponentiations 4N 1 0 0
Hash computations 0 0 1
4.4.1 Initialization
The initialization phase is responsible for providing the medium for authenticated broadcast communication.
In the following, I shortly review the approaches of broadcast authentication in wireless
sensor networks, and give some efficient methods for broadcast communication.
The initialization relies on some data stored on each node before deployment. Each node
has some unique cryptographic credentials to enable authentication, and is aware of the cluster
identifier it belongs to. In the following, without further mentioning, it is assumed, that each
message contains the cluster identifier. Every message addressed to a cluster different from the one
a node belongs to is discarded by the node. First, I briefly review the state of the art in broadcast
authentication, then I propose a connected dominating set based broadcast communication method,
which fits well to the following aggregation and query phases.
Broadcast authentication
Broadcast authentication enables a sender to broadcast some authenticated messages efficiently to
a big number of potential receivers. In the literature, this problem is solved with either digital
signatures or hash chains. In this section, I review some solutions from both approaches.
For the sake of completeness, Message Authentication Codes (MAC) must also be mentioned
here [Preneel and Oorschot, 1999]. MACs are based on symmetric cryptographic primitives, which
enable very efficient computation. Unfortunately, the verifier of a MAC must also possess the
same cryptographic credential the generator used for generating the MAC. It means that every
node must know every credential in the network, to verify every message broadcast to the network.
This full knowledge can be exploited by an attacker who compromises a node. The attacker can
impersonate any other honest node, which means that if only one node is compromised, message
authenticity can no longer be ensured.
One solution to the node compromise is the hop by hop authentication of the packets. In hop
by hop authentication, every packets authentication information is regenerated by every forwarder.
In this case, it is enough to only have a shared key with the direct neighbors of a node. In case
of node compromise, only the node itself and the direct neighbors can be impersonated. Such a
neighborhood authentication is provided by Zhu et al. in LEAP [Zhu et al., 2003], where it is
based on so called cluster keys.
To make the authentication scheme robust against node compromise, one approach is the usage
of asymmetric cryptography, namely digital signatures.
Digital signatures are asymmetric cryptographic primitives, where only the owner of a private
key can compute a digital signature over a message, but any other node can verify that signature.
Computing a digital signature is a time consuming task for a typical sensor node, but there exist
some efficient elliptic curve based approaches in the literature [Liu and Ning, 2008; Szczechowiak
et al., 2008; Oliveira et al., 2008; Xiong et al., 2010].
One of the first publicly available implementations was the TinyECC module written by Liu and
Ning [Liu and Ning, 2008]. A more efficient implementation is the NanoECC module. Proposed
by Szczechowiak et al. [Szczechowiak et al., 2008]. It is based on the MIRACL cryptographic
library [mir, ] . Up to now, to the best of my knowledge, the fastest implementations are the
1 4 exponentiations for generating the two messages with knowledge proofs and 4N-4 exponentiations for checking
the received knowledge proofs
61

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
TinyPBC by Oliveira et al. [Oliveira et al., 2008], which is based on the RELIC toolkit [rel, ], and
the TinyPairing proposed by Xiong et al. in [Xiong et al., 2010].
Another approach is proposed for broadcast authentication in wireless sensor networks by Perrig
et al. in [Perrig et al., 2002]. The µTESLA scheme is based on delayed release of hash chain
values used in MAC computations. The scheme needs secure loose time synchronization between
the nodes. The µTESLA scheme is efficient if it is used for authenticating many messages, but
inefficient if the messages are sparse. Consequently, if only the rarely sent election messages must
be authenticated, then the time synchronization itself can cause a heavier workload then simple
digital signatures. If the aggregation messages must also be authenticated, then µTESLA can
be an efficient solution. A DoS resistant version specially adapted for wireless sensor networks is
proposed by Liu et al. in [Liu et al., 2005]. A faster but less secure modification is proposed by
Huang et al. in [Huang et al., 2009].
In the following it is assumed, that an efficient broadcast authentication scheme is used without
any indication.
Broadcast communication
Broadcast communication is a method that enables sending information from one source to every
other participant of the network. In wireless networks it can be implemented in many ways, like
flooding the network or with a sequence of unicast messages.
A natural question would be, why broadcast communication is so important to the advanced
protocol? The reason is that only broadcast communication can hide the traffic patterns of the
communication, thus not revealing any information about the aggregators.
An efficient way of implementing broadcast communication in wireless sensor networks is the
usage of connected dominating set (CDS). The connected dominating set S of graph G is defined
as a subset of G such that every vertex in G − S is adjacent to at least one member of S, and S is
connected. A graphical representation of a CDS can be found in Figure 4.6. The minimum connected
dominating set (MCDS) is a connected dominating set with minimum cardinality. Finding
a MCDS in a graph is an NP-Hard problem, however there are some efficient solutions which can
find a close to minimal CDS in WSNs. For a thorough review of the state of the art of CDS in
WSNs, the interested reader is referred to [Blum et al., 2004a] and [Jacquet, 2004].
In the following, it is assumed that a connected dominating set is given in each cluster, and a
minimum spanning tree is generated between the nodes in the CDS. Finding a minimum spanning
tree in a connected graph is a well known problem for decades. Efficient polynomial algorithms
are suggested in [Kruskal, 1956; Prim, 1957]. This kind of two layer communication architecture
enables the efficient implementation of different kind of broadcast like communications, which are
required for the following protocols. The spanning tree is used in the aggregation protocol in
Section 4.4.3.
The simple all node broadcast communication can be implemented simply: if a node sends a
packet to the broadcast address, then every node in the CDS forwards this message to the broadcast
address. The CDS members are connected and every non CDS member is connected to at least one
CDS member by definition, so the message will be delivered to every recipient in the network. This
approach is more efficient than simple flooding as only a subset of the nodes forwards the message,
but the properties of the CDS ensures that every node in the cluster will eventually receive the
broadcast information. Here, the notion of CDS parent (or simply parent) must be introduced.
The CDS parent of node A is a node, which is in communication distance with A and is a member
of the CDS.
The complexity of such a broadcast communication is O(N), but actually it takes |S| messages
to broadcast some information, where |S| is the number of nodes in the connected dominating
set. If the CDS algorithm is accurate, than it can be very close to the minimum number of nodes
required to broadcast communication.
In the following, broadcast communication is used frequently to avoid that an attacker can gain
some knowledge about the identity of the aggregators from the traffic patterns inside the network.
Obviously not every message is broadcast in the network, because that would shortly lead to
62

100
90
80
70
60
50
40
30
20
10
0
0 20 40 60 80 100
4.4. Advanced protocol
Figure 4.6: Connected dominating set. Solid dots represents the dominating set, and empty circles
represent the remaining nodes. The connections between the non CDS nodes of the network is not
displayed on the figure.
battery depletion and inoperability of the sensor network. Instead of automatically broadcasting
every message, as much information as possible is aggregated in each message to preserve energy.
In the following sections, I will use the given CDS in different ways, and each particular usage will
be described in the corresponding section.
The used communication patterns are closely related to and inspired by the Echo algorithm
published by Chang in [Chang, 2006]. The Echo algorithm is a Wave algorithm [Tel, 2000], which
enables the distributed computation of an idempotent operator in trees. It can be used in arbitrary
connected graphs, and generates a spanning tree as a side result.
4.4.2 Data aggregator election
The main goal of the aggregator node election protocol is to elect a node that can store the
measurements of the whole cluster in a given epoch, but in such a way that the identity remains
hidden. The election is successful if at least one node is elected. The protocol is unsuccessful if
no node is elected, thus no node stores the data. In some cases, electing more than one node can
be advantageous, because the redundant storage can withstand the failure of some nodes. In the
following, I propose an election protocol, where the expected number of elected aggregators can
be determined by the system operator, and the protocol ensures that at least one aggregator is
always elected.
The election process relies on the initialization subprotocol discussed in Section 4.4.1. It requires
an authenticated broadcast channel among the cluster members, which is exactly what the
initialization part offers.
The election process consists of two main steps: (i) Every node decides, whether it wants to
be an aggregator, based on some random values. This step does not need any communication,
the nodes compute the results locally. (ii) In the second step, an anonymous veto protocol is run,
which reveals only the information that at least one node elected itself to be aggregator node. If
no aggregator is elected, it will be clear for every participant, and every participant can run the
election protocol again.
63

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
Step (i) can be implemented easily. Every node elects itself aggregator with a given probability
p. The result of the election is kept secret, the participants only want to know that the number c
of aggregators is not zero, without revealing the identity of the cluster aggregators. This is advantageous,
because in case of node compromise, the attacker learns only whether the compromised
node is an aggregator, but nothing about the identity or the number of the other aggregators. Let
us denote the random variable representing the number of elected aggregators with C. It is easy
to see that the distribution of C is binomial (N is the total number of nodes in one cluster):
Pr(C = c) =
( N
c
)
p c (1 − p) N−c
The expected number of aggregators after the first step is: cE = Np. So if on average ĉ cluster
aggregator is needed, then p should be ĉ
N (this formula will be slightly modified after considering
the results of the second step).
The probability that no cluster aggregator is elected is: (1 − p) N . To avoid this anarchical
situation when no node is elected, the nodes must run step (ii) which proves that at least one node
is elected as aggregator node, but the identity of the aggregator remains secret. This problem can
be solved by an anonymous veto protocol. Such a protocol is suggested by Hao and Zieliński in
[Hao and Zielinski, 2006].
Hao and Zieliński’s approach has many advantageous properties compared to other solutions
[Brandt, 2006; Chaum, 1988], such as it requires only 2 communication rounds.
The anonym veto protocol requires knowledge proofs. Informally, a knowledge proof allows a
prover to convince a verifier that he knows a solution of a hard-to-solve problem without revealing
any useful information about the knowledge. A detailed explanation of the problem can be found
in [Camenisch and Stadler, 1997]
A well known example of knowledge proof is given by Schnorr in [Schnorr, 1991]. The proposed
method gives a non interactive proof of knowledge of a logarithm without revealing the logarithm
itself. The operation can be described briefly as follows. The proof of knowledge of the exponent of
gx i consists of the pair {gv , r = v − xih}, where h = H(g, gv , gx i , i) and H is a secure hash function.
This proof of knowledge can be verified by anyone through checking whether g v and g r g xih are
equal.
The operation of the anonym veto protocol consists of two consecutive rounds (G is a publicly
agreed group with order q and generator g):
1. First, every participant i selects a secret random value: xi ∈ Zq. Then g x i is broadcast with
a knowledge proof. The knowledge proof is needed to ensure that the participant knows xi
without revealing the value of xi. Without the knowledge proof, the node could choose gx i in
a way to influence the result of the protocol (it is widely believed that for a given gx i (mod p)
it is hard to find xi(mod p), this problem is known as the discrete logarithm problem). Then
every participant checks the knowledge proofs, and computes a special product of the received
values:
g yi i−1 ∏
= g xj
/
N∏
j=1
j=i+1
2. g yici is broadcast with a knowledge proof (the knowledge proof is needed to ensure that the
node cannot influence the election maliciously afterwards). ci is set to xi for non aggregators,
while a random ri value for aggregators.
The product P = N∏
gciyi equals to 1 if and only if no cluster aggregator is elected (none vetoed
i=1
the question: Is the number of cluster aggregators elected zero?). If no aggregator is elected, then
it will be clear for all participants, and the election can be done again. If P differs from 1, then
some nodes are announced themselves to be cluster aggregators, and this is known by all the nodes.
64
g xj

4.4. Advanced protocol
If we consider the effect of the second step (new election is run if no aggregator is elected), the
expected number of aggregators is slightly higher than in the case of binomial distributions. The
expected number of aggregators are:
cE =
Np
1 − (1 − p) N
The anonymity of the election subprotocol depends on the parts of the protocol. Obviously,
the random number generation does not leak any information about the identity of the aggregator
nodes, if the random number generator is secure. A cryptographically secure random number
generator, called TinyRNG, is proposed in [Francillon and Castelluccia, 2007] for wireless sensor
networks. Using a secure random number generator, it is unpredictable, who elects itself to be
aggregator node.
The anonymity analysis of the anonym veto protocol can be found in [Hao and Zielinski, 2006].
The anonymity is based on the decisional Diffie-Hellman assumption, which is considered to be a
hard problem.
The message complexity of the election is O(N 2 ), which is acceptable as the election is run
infrequently (N is the number of nodes in the cluster).
If this overhead with the 4 modular exponentiations (see Table 4.3 for the complexities and
Table 4.1 for the estimated running times, note that RSA is based on modular exponentiation)
is too big for the application, then it can use the basic protocol described in Section 4.3.1, where
only symmetric key encryption is used.
In wireless sensor networks, the links in general are not reliable, packet losses occur in time to
time. Reliability can be introduced by the link layer or by the application. As it is crucial to run
the election protocol without any packet loss, it is required to use a reliable link layer protocol for
this subprotocol. Such protocols are suggested in [Iqbal and Khayam, 2009; Wan et al., 2002] for
wireless sensor networks.
As a summary, after the election subprotocol every node is equiprobably aggregator node. The
election subprotocol ensures that at least one aggregator is elected and this node(s) is aware of
its status. An outside attacker does not know the identity of the aggregators or even the actual
number of the elected aggregator nodes. An attacker, who compromised one or more nodes, can
decide whether the compromised nodes are aggregators, but cannot be certain about the other
nodes.
4.4.3 Data aggregation
The main goal of the WSN is to measure some data from the environment, and store the data
for later use. This section describes how the data is forwarded to the aggregator(s) without the
explicit knowledge of the identifier(s) of the aggregator(s).
The data aggregation and storage procedure use the broadcast channel. If the covered area
is so small or the radio range is so large that every node can reach each other directly, then the
aggregation can be implemented simply. Every node broadcasts their measurement to the common
channel, and the cluster aggregator(s) can aggregate and store the measurements. If the covered
area is bigger (which is the more realistic case), a connected dominating set based solution is
proposed.
In each timeslot, each ordinary node (not member of the CDS) sends its measurement to one
neighboring CDS member (to the parent) by unicast communication. When the epoch is elapsed
and all the measurements from the nodes are received, the CDS nodes aggregate the measurements
and use a modification of the Echo algorithm on the given spanning tree to compute the gross
aggregated measurement in the following way: each CDS member waits until all but one CDS
neighbor sends its subaggregate to it, and after some random delay it sends the aggregate to the
remaining neighbor. This means that the leaf nodes of the tree start the communication, and then
the communication wave is propagated towards the root of the spanning tree. This behavior is the
same as the second phase of the Echo algorithm. When one node receives the subaggregates from
all of its neighbors, thus cannot send it to anyone, it can compute the gross aggregated value of
65

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
1;1
3;1
1;1
3;1
2;1
3;1 4;1
4;1
1;1
3;1
2;2
2;2
3;3
4;1
1;1
2.6;5
2.6;5
2.6;5
2.6;5
2.6;5
2.6
2.6;5
2.6 2.6;5
2.6;5
2.6;5
Aggregator
Figure 4.7: Aggregation example. The subfigures from left to right represents the consecutive steps
of an average computation: (i) The measured data is ready to send. It is stored in a format of
actual average; number of data. Non CDS nodes sends the average to their parents. (ii) The CDS
nodes start to send the aggregated value to its parents. (iii) A CDS node receives an aggregate
from all of its neighbors, and starts to broadcast the final aggregated value. Nodes willing to store
the value can do so. (iv) Other CDS nodes receiving the final value rebroadcasts it. Nodes willing
to store the value can do so.
the network. Then, this value is distributed between the cluster members by broadcasting it every
CDS member.
This second phase is needed, so that every member of the cluster can be aware of the gross
aggregated value, and the anonymous aggregators can store it, while the others can simply discard
it. The stored data includes the timeslot in which the aggregate was computed, and the environmental
variables if more than one variable (e.g. temperature and humidity) are recorded besides
the value itself.
The aggregation function can be any statistical function of the measured data. Some easily implementable
and widely used functions are the minimum, maximum, sum or average. In Figure 4.7,
the aggregation protocol is visualized with five nodes and two aggregators using the average as an
aggregation function.
The anonymity analysis of the aggregation subprotocol is quite simple. After the aggregation,
every node possesses the same information as an external attacker can get. This information is
the aggregated data itself, without knowing anything about the identity of the aggregators. If the
operator wants to hide the aggregated data, it can use some techniques discussed in Section 4.5.
The message complexity of the aggregation is O(N), where N is the number of nodes in the
cluster. This is the best complexity achievable, because to store all the measurements by a single
aggregator, all nodes must send the measurements towards the aggregator, which leads to O(N)
message complexity. In terms of latency, the advanced protocol doubles the time the aggregated
measurement arrives to the aggregator compared to a naive system, where the identity of the
aggregators are known to every participant. This latency is acceptable as in most WSN applications
the time between the measurements is much longer than the time required to aggregate the data.
As mentioned in the election subprotocol, the protocol must be prepared to packet losses due
to the nature of wireless sensor networks. In the aggregation subprotocol two kind of packet loss
can be envisioned: a packet can be lost before or after the final aggregate is computed. Both
cases can be detected by timers and a resend request can be sent. If the resend is unsuccessful for
some times, the aggregation must be run without those messages. If the lost message contains a
measurement or subaggregate, then the final aggregate will be computed without that data leading
to an inaccurate measurement. If the lost message contained the gross aggregate, then some nodes
will not receive the gross aggregate. Here it is very useful that the network can have multiple
aggregators, because if at least one aggregator receives the data, the data can be queried by the
operator.
66
CDS

4.4.4 Query
4.4. Advanced protocol
The ultimate goal of the sensor network is to make the measured data available to the operator
upon request. While the aggregation subprotocol ensures that the measured data is stored by the
aggregators, the goal of the query subprotocol is to provide the requested data to the operator and
keep the aggregators’ identity hidden at the same time.
One solution would be that the operator visits all the nodes, and connects to them by wire.
While this solution would leak no information about the identities of the aggregators to any eavesdropping
attacker, the execution would be very time consuming and cumbersome. Moreover, the
accessibility of some nodes may be difficult or dangerous (for example in a military scenario).
Therefore, I propose a solution where it is sufficient for the operator to get in wireless communication
range of any of the nodes. This node does not need to be an aggregator, as actually no one,
not even the operator knows who the aggregator nodes are.
As a first step, the operator authenticates itself to the selected node O using the key kO. After
that, node O starts the query protocol by sending out a query, obtains the response to the query
from the cluster, and makes the response available to the operator. In the following, it is assumed
that O is not a CDS node. (If it is indeed a CDS node, then the first and last transmission of the
query protocol can be omitted.)
Node O broadcasts the query data Q with the help of the CDS nodes in the cluster. This
is done by sending Q to the CDS parent, and then every CDS member rebroadcasts Q as it is
received. The query Q describes what information the operator is interested in. It includes a
variable name, a time interval, and a field for collecting the response to the query. It also includes
a bit, called “aggregated”, which will later be used in the detection of misbehaving nodes. For the
details of misbehaving node detection, the reader is referred to Section 4.4.5; here we assume that
the “aggregated” bit is always set meaning that aggregation is enabled.
The idea of the query protocol is that each node i in the cluster contributes to the response by
a number Ri, which is computed as follows:
{
h(Q|ki), for non-aggregators
Ri =
(4.4)
h(Q|ki) + M, for aggregators
where M is the stored measurement (available only if the node is an aggregator), h is a cryptographic
hash function, and ki is the key shared by node i and the operator. Thus, non-aggregators
contribute with a pseudo-random number h(Q|ki) computed from the query and the key ki, which
can later be also computed by the operator, while aggregator nodes contribute with the sum of
a pseudo-random number and the requested measurement data. The sum is normal fix point
addition, which can overflow if the hash is a large value.
The goal is that the querying node O receives back the sum of all these Ri values. For this
reason, when the query Q is received by a non CDS node from its CDS parent, it computes its
Ri value and sends it back to the CDS parent in the response field of the query token. When a
CDS parent receives back the query tokens with the updated response field from its children, it
computes the sum of the received Ri values and its own, and after inserting the identifiers of the
nodes sends the result back to its parent. This is repeated until the query token reaches back to
the CDS parent of node O, which can forward the response R = ∑ Ri and the list of responding
nodes to node O, where the sum is computed by normal fix point addition. This operation is
illustrated in Figure 4.8.
When receiving R from O, the operator can calculate the stored data as follows. First of all, the
operator can regenerate each hash value h(Q|ki), because it stores (or can compute from a master
key on-the-fly) each key ki, and it knows the original query data Q. The operator can subtract the
hash values from R (note that the responding nodes list is present in the response), and it gets a
result R ′ = cM, where c is the actual number of aggregators in the cluster 2 . Unfortunately, this
number c is unknown to the operator, as it is unknown to everybody else. Nevertheless, if M is
2 Note that each aggregator contributed the measurement M to the response, that is why at the end, the response
will be c times M, where c is the number of aggregators.
67

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
O
Q
Q
Q
Q
O Q
Q
Q
Q Q
O Q
R 1
Q
R 1 +R 2 +R 3
R 2
R +... +R
1 5
O
R +R +R +R
1 2 3 4
Q
R 1 +R 2 +R 3
Figure 4.8: Query example. The subfigures from left to right represents the consecutive steps of a
query: (i) The operator sends the Q query to node O. This node forwards it to its CDS parent.
The CDS parent broadcasts the query. (ii) The CDS nodes broadcasts the query, so every node in
the network is aware of Q. (iii) Every non CDS node (except O) sends it response to its parent. (iv)
The sum of the responses is propagated back to the parent of O (including the list of responding
nodes, not on the figure), who forwards it to the operator through O.
restricted to lie in an interval [A, B] such that the intervals [iA, iB] for i = 1, 2, . . . , N are nonoverlapping,
then cM can fall only into interval [cA, cB], and hence, c can be uniquely determined
by the operator by checking which interval R ′ belongs to. Then, dividing R ′ with c gives the
requested data M.
More specifically, and for practical reasons, the following three criteria need to be satisfied by
the interval [A, B] for my query scheme to work: (i) as we have seen before, for unique decoding
of cM, the intervals [iA, iB] for i = 1, 2, . . . , N must be non-overlapping, (ii) in order to fit in
the messages and to avoid integer overflow 3 , the highest possible value for cM, i.e., NB must be
representable with a pre-specified number L, and (iii) it must be possible to map a pre-specified
number D of different values into [A, B].
The first criterion (i) is met, if the lower end of each interval is larger than the higher end of
the preceding interval:
0 < iA − (i − 1)B = i(A − B) + B, i = 1, . . . , N
Note that if the above inequality holds for i = N, then it holds for every i, because A − B is a
negative constant and B is a positive constant. So it is enough to consider only the case of i = N:
The second criterion (ii) means that
0 < N(A − B) + B
B < N
N−1 A
BN < L
B < L
N
while the third criterion (iii) can be formalized as
D < B − A
B > A + D
Figure 4.9 shows an example for a graphical representation of the three criteria, where the
crossed area represents the admissible (A, B) pairs. It can also be easily seen in this figure that
a solution exists only if the B coordinate of the intersection of inequalities (4.5) and (4.7) meets
criterion (4.6), or in other words
3 In case of overflow, the result is not unique.
68
(4.5)
(4.6)
(4.7)

L
N
D
B
NM < L
N
(4.5)
A
(4.7)
(4.6)
Figure 4.9: Graphical representation of the suitable intervals
4.4. Advanced protocol
As a numerical example, let us assume, that we want to measure at least 100 different values
(D = 99), the micro-controller is a 16 bit controller (L = 2 16 ), and we have at most 20 nodes in
each cluster (N = 20). Then a suitable interval that satisfies all three criteria would be [A, B] =
[2000 − 2100]. Checking that this interval indeed meets the requirements is left for the interested
reader. Finally, note that any real measurement interval can be easily mapped to this interval
[A, B] by simple scaling and shifting operations, and my solution requires that such a mapping is
performed on the real values before the execution of the query protocol.
Our proposed protocol has many advantageous properties. First, the network can respond to
a query if at least one aggregator can successfully participate in the subprotocol. Second, the
operator does not need to know the identity of the aggregators, thus even the operator cannot
leak that information accidentally (although, after receiving the response, the operator learns the
actual number of the aggregator nodes). Third, the protocol does not leak any information about
the identity of the aggregators: an attacker can eavesdrop the query information Q, and the Ri
pseudo random numbers, but cannot deduce from them the identity of the aggregators. Finally,
the message complexity of the query is O(N), where N is the number of nodes in the cluster. This
is the best complexity achievable, when the originator of the query does not know the identity of
the aggregator(s). The latency of the query protocol depends on the longest path of the network
rooted at node O.
As mentioned in the previous subprotocols, the protocol must be prepared to packet losses
due to the nature of wireless sensor networks. Due to the packet losses, the final sum R is the
sum of the responding nodes which is a subset of all nodes. That is why the identifiers must be
included in the responses. The operator can calculate cM independently from the actual subset of
responders. If at least one response from an aggregator gets to the operator, it can calculate M in
the previously described way. If cM = 0, then it is clear for the operator that every aggregators’
response is lost.
4.4.5 Misbehaving nodes
In this section, I look beyond my initial goal. I briefly analyze what happens if a compromised
node deviates from the protocol to achieve some goals other than just learning the identity of the
aggregators.
In the election process, a compromised node may elect itself to be aggregator in every election.
This can be a problem if this node is the only elected aggregator, because a compromised node may
69

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
not store the aggregated values. Unfortunately this situation cannot be avoided in any election
protocol, because an aggregator can be compromised after the election, and the attacker can erase
the memory of that node. Actually my protocol is partially resistant to this attack, because more
than one aggregator may be elected with some probability, and the attacker cannot be sure if the
compromised node is the single aggregator node in the cluster.
During the aggregation, a misbehaving node can modify its readings, or modify the values it
aggregates. The modification of others’ values can be prevented by some broadcast authentication
schemes discussed in Section 4.4.1. The problem of reporting false values can be handled by
statistical approaches discussed in [Buttyán et al., 2006; Wagner, 2004; Buttyán et al., 2009].
The most interesting subprotocol from the perspective of misbehaving nodes is the query protocol.
In this protocol, a compromised node can easily modify the result of the query in the following
way. A compromised node can add an arbitrary number X to the hash in Equation (4.4) instead of
using 0 or M. It is easy to see, that if X is selected from the interval [A, B], then after subtracting
the hashes, the resulting sum R ′ will be an integer in the interval [(c+1)A, (c+1)B] (c is the actual
number of aggregators, c + 1 nodes act like aggregators, the c aggregator and the compromised
node). A compromised node can further increase its influence by choosing X from the interval
[iA, iB]. This means that the resulting sum R ′ will be in the interval [(c + i)A, (ci)B]. If X is
not selected from interval [jA, jB], j = 1 . . . N, then the result can be outside of the decodable
intervals. This can be immediately detected by the operator (see Figure 4.10).
If the result is in a legitimate interval (∃j, R ′ ∈ [jA, jB]), then the operator can further check the
consistency by calculating R ′ mod j. If the result is zero, then it is possible, that no misbehaving
node is present in the network. If the result is non zero, the operator can be sure, that apart
from the zeros and Ms, some node sent a different value, thus a misbehaving node is present in
the network. It is hard for the attacker to guess j, because it neither knows the actual number of
aggregators, nor can calculate R ′ from R by subtracting the unknown hashes.
If the modulus is zero, but the operator is still suspicious about the result, it can further test
the cluster for misbehaving nodes with the help of the aggregated bit in the queries. This further
testing can be done regularly, randomly, or on receiving suspicious results. If the aggregated bit is
cleared in a query Q, then the CDS nodes does not sum the incoming replies, but forward them
towards the agent O node as they are received. So if the operator wants to check if a misbehaving
node is present in the network it can run a query Q with aggregated bit set, and then run the
same query with cleared aggregated bit. If the two results are different, then the operator can be
sure, that a node wants to hide its malicious activity from the operator. If the two sums are equal,
then the operator can further check the results from the second round. If the values are all equal
after subtracting the hashes (not considering the zero values), then no misbehavior is detected,
otherwise some node(s) misbehave in the cluster.
Note here, that this algorithm does not find every misbehavior, but the misbehaviors not
detected by this algorithm does not influence the operator. For example, two nodes can misbehave
such that the first adds S to its hash and the second adds −S. It is clear that this misbehavior
does not effect the result computed by the operator, because S − S = 0. Other misbehavior not
detected by the algorithm if a compromised non aggregator node sends M instead of 0. This is
not detected by the algorithm, but not modifies the result the operator computes. The operation
of misbehavior detection algorithm is depicted on Figure 4.10. This algorithm only detects if some
misbehavior is occurred in the cluster, but does not necessarily find the misbehaving node. I left
the elaboration of this problem for future work.
4.5 Related work
A survey on privacy protection techniques for WSNs is provided in [Li et al., 2009], where they are
classified into two main groups: data-oriented and context oriented protection. In this section, I
briefly review these techniques, with an emphasis on those solutions that are closly related to my
work.
In data-oriented protection, the confidentiality of the measured data must be preserved. It is
70

R ′ = R− N
i=1 h(Q|ki)
ÆÓ Å×ÚÓÖ
R ′ ∃j R
×
mod j = 0 ÆÓ Å×ÚÓÖ
×
ÙÖØÖ
ÆÓ
ÆÓÑ×ÚÓÖ
×
ÊÚRiÚÐÙ×
′ ∈ [jA,jB]
N i=1
×
R′ i = R ′
∃M R ′ i = 0∨R ′ i = M
ÆÓÑ×ÚÓÖ
×
ÆÓ
ÆÓ
ËÒQÕÙÖÝÛØ
ÖØØÐÖ
R ′ i = Ri −h(Q|ki)
Å×ÚÓÖ
Å×ÚÓÖ
Figure 4.10: Misbehavior detection algorithm for the query protocol.
71
4.5. Related work

4. ANONYMOUS AGGREGATOR ELECTION AND DATA AGGREGATION IN WSNS
also a research direction how the operator can verify if the received data is correct. The main
focus is on the confidentiality in [He et al., 2007], while the verification of the received data is also
ensured in [Sheng and Li, 2008].
According to [Li et al., 2009] context oriented protection covers the location privacy of the
source and the base station. The source location privacy is mainly a problem in event driven
networks, where the existence and location of the event is the information, which must be hidden.
The location privacy of the base station is discussed in [Deng et al., 2006b]. The main difference
between hiding the base station and the in network aggregators is that a WSN regularly contains
only one base station which is a predefined node, while at the same time there are more in network
aggregators used in one network, and the nodes used as aggregators are periodically changed.
The problem of private cluster aggregator election in wireless sensor networks is strongly related
to anonym routing in WSNs. The main difference between anonym routing and anonymous
aggregation is that anonym routing supports any traffic pattern and generally handles external attackers,
while anonymous aggregation supports aggregation specific traffic patterns and can handle
compromised nodes as well. In [Seys and Preneel, 2006] an efficient anonymous on demand routing
scheme called ARM is proposed for mobile ad hoc networks. For the same problem another solution
is given in [Zhang et al., 2006] (MASK), where a detailed simulation is also presented for the
proposed protocol. A more efficient solution is given in [Rajendran and Sreenaath, 2008], which
uses low cryptographic overhead, and addresses some drawbacks of the two papers above. In [Choi
et al., 2007] a privacy preserving communication system (PPCS) is proposed. PPCS provides a
comprehensive solution to anonymize communication endpoints, keep the location and identifier
of a node unlinkable, and mask the existence of communication flows.
The security of different aggregator node election protocols is surveyed in [Schaffer et al., 2012].
Most protocols are aiming at no security on the election, or they aim at the non-manipulability
of the election. Such protocols are can withstand passive attacks [Kuhn et al., 2006], or active
attacks as well[Sirivianos et al., 2007; Gicheol, 2010].
4.6 Conclusion
In wireless sensor networks, in-network data aggregation is often used to ensure scalability and
energy efficient operation. However, as we saw, this also introduces some security issues: the
designated aggregator nodes that collect and store aggregated sensor readings and communicate
with the base station are attractive targets of physical node destruction and jamming attacks. In
order to mitigate this problem, in this chapter, I proposed two private aggregator node election
protocols for wireless sensor networks that hide the elected aggregator nodes from the attacker,
who, therefore, cannot locate and disable them. My basic protocol provides fewer guarantees than
my advanced protocol, but it may be sufficient in cases where the risk of physical compromise of
nodes is low. My advanced protocol hides the identity of the elected aggregator nodes even from
insider attackers, thus it handles node compromise attacks too.
I also proposed a private data aggregation protocol and a corresponding private query protocol
for the advanced version, which allow the aggregator nodes to collect sensor readings and respond to
queries of the operator, respectively, without revealing any useful information about their identity.
My aggregation and query protocols are resistant to both external eavesdroppers and compromised
nodes participating in the protocol. The communication in the advanced protocol is based on the
concept of connected dominating set, which suits well to wireless sensor networks.
In this chapter I went beyond the goal of only hiding the identity of the aggregator nodes. I
also analyzed what happens if a malicious node wants to exploit the anonymity offered by the
system, and tries to mislead the operator by injecting false reports. I proposed an algorithm that
can detect if any of the nodes misbehaves in the query phase. I only detect the fact of misbehavior
and leave the identification of the misbehaving node itself for future work.
In general, my protocols increase the dependability of sensor networks, and therefore, they can
be applied in mission critical sensor network applications, including high-confidence cyber-physical
72

4.7. Related publications
systems where sensors and actuators monitor and control the operation of some critical physical
infrastructure.
4.7 Related publications
[Buttyán and Holczer, 2009] Levente Buttyán and Tamas Holczer. Private cluster head election
inwireless sensor networks. In Proceedings of the Fifth IEEE International Workshop on Wireless
and Sensor Networks Security (WSNS 2009), pages 1048–1053. IEEE, IEEE, 2009.
[Buttyán and Holczer, 2010] Levente Buttyán and Tamas Holczer. Perfectly anonymous data
aggregation in wireless sensor networks. In Proceedings of The 7th IEEE International Conference
on Mobile Ad-hoc and Sensor Systems (WSNS 2010), San Francisco, November 2010. IEEE.
[Holczer and Buttyán, 2011] Tamas Holczer and Levente Buttyán. Anonymous aggregator
election and data aggregation in wireless sensor networks. International Journal of Distributed
Sensor Networks, page 18, 2011. Article ID 828414.
[Schaffer et al., 2012] Péter Schaffer, Károly Farkas, Ádám Horváth, Tamás Holczer, and Levente
Buttyán. Secure and reliable clustering in wireless sensor networks: A critical survey. Elsevier
Computer Networks, 2012.
73

Chapter 5
Application of new results
In this dissertation three different wireless network based systems are considered: Radio Frequency
Identification Systems, Vehicular Ad Hoc Networks, and Wireless Sensor Networks. In this chapter,
a brief overview is give, where these systems are used, and how my new results fit in them.
Radio Frequency Identification Systems The application of RFID is very widespread, some
application areas are [Wu et al., 2009; RFID, 2012]:
Payment by mobile phones Many companies like MasterCard or Nokia is working on mobile
phones with embedded RFID capabilities to enable payment by such devices.
Inventory systems RFID systems can provide accurate knowledge of the current inventory,
which helps saving labor cost, and enables self checkout in shops.
Access control RFID tags can be used as identification badges to enable access control in office
buildings, or can be used as tickets in automated fare collection systems.
Transportation and logistics In transportation, RFID tags can help identify cargo, its owner
or destination.
Passport Many countries include RFID tags into passports, to fasten the passport control on the
borders, and to make illegitimate replication harder.
Hospitals and healthcare Hospitals began implanting patients with RFID tags and using RFID
systems, usually for workflow and inventory management [Fisher, 2006].
Libraries Libraries are using RFID to replace the barcodes on library items. An RFID system
may replace or supplement bar codes and may offer another method of inventory management
and self-service checkout by patrons. [Molnar and Wagner, 2004]
Any usage of RFID systems, where the holder of the tag is a human being might breach
the privacy of the holder. The solutions proposed in Chapter 2 can be used in such situations.
An example application is the automated fare collection systems, where the pass for the mass
transportation system can contain an RFID tag. In such a system, the system designer might
consider the usage of key trees or group based private authentication, in particular if the legal
environment requires the usage of some kind of privacy enhancing technology.
Vehicular Ad Hoc Networks The application of Vehicular Ad Hoc Networks is very widespread,
but can be categorized into three main categories: safety related applications, transport efficiency,
and information/entertainment applications [Hartenstein and Laberteaux, 2008; Willke
et al., 2009]. Hundreds of possible applications can be envisioned or are under construction. Such
75

5. APPLICATION OF NEW RESULTS
an application is the cooperative forward collision warning, which help avoiding rear-end collisions
with the use of beacon messages. The traffic efficiency for example can be increased by a traffic
light optimal speed advisory application, which can assists the driver to arrive during a green
phase. An example for the information gathering applications is the ability of remote wireless
diagnosis, which enables to make the state of the vehicle accessible for remote diagnosis.
Most of the safety and traffic efficiency related applications are based on the beacon messages,
which are frequent messages containing the location, heading, identifier, and some other attributes
of the vehicle. These messages can enable the tracking of individual vehicles, which is an undesirable
side effect of the usage of VANETs. This side effect is analyzed in Chapter 3, and a countermeasure
is proposed as well. The countermeasure algorithm is compatible with the framework proposed by
the Car 2 Car Communication Consortium [Consortium, 2012].
Most of the results of Chapter 3 were parts of the results of the SeVeCom 1 European Commission
funded project. The results were delivered to and accepted by the European Commission.
Wireless Sensor Networks Wireless sensor networks can be used in many scenarios. In Chapter
4 I proposed two anonym aggregation schemes, which hides the identity of the aggregator node.
In the following a few applications are given based on [Akyildiz et al., 2002] with a special attention
on the possible need of hiding some special nodes: wireless sensor networks can be an integral part
of military command, control, communications, computing, intelligence, surveillance, reconnaissance
and targeting (C4ISRT) systems, where there is a clear motivation for an attacker to disturb
the normal functioning of the network by eliminating some special nodes. Another example can
be the protection of critical infrastructure. The problem is that some critical infrastructure like
electrical lines or drinking water pipes are so large scale, that it is impossible to protect them
with traditional methods. WSNs can be a possible protection and surveillance system, where the
disturbance of normal operation by the elimination of aggregator nodes must be avoided.
In the above mentioned applications, there is a clear need for aggregation, and the loss of
the aggregator might have undesirable consequences. Hence in these applications, the anonym
aggregator election, aggregation, and query schemes proposed in Chapter 4 can be used.
The goal of the Wireless Sensor and Actuator Networks for Critical Infrastructure Protection
project (WSAN4CIP 2 ), funded by the European Commission, was to make critical infrastructure
more dependable by the use of WSNs. Some of the results of Chapter 4 were integral part of that
project.
In summary, it can be seen that the results of Chapter 2-4 can be used in real applications,
and the problems discussed in the chapters are important for the society.
1 http://www.sevecom.org/ 2 http://www.wsan4cip.eu
76

Chapter 6
Conclusion
In this thesis, I proposed several privacy enhancing protocols for wireless networks. I dealt with
three different types of networks, namely RFID systems, vehicular ad hoc networks, and wireless
sensor networks.
In Chapter 2 I proposed a key-tree and a group based private authentication protocol for RFID
systems. Both approaches use only symmetric key based cryptographic primitives, which well suits
to resource limited RFID systems.
Key-trees provide an efficient solution for private authentication, however, the level of privacy
provided by key-tree based systems decreases considerably if some members are compromised.
This loss of privacy can be minimized by the careful design of the tree. Based on my results
presented in this dissertation, I can conclude that a good practical design principle is to maximize
the branching factor at the first level of the tree such that the resulting tree still respects the
constraint on the maximum authentication delay in the system. Once the branching factor at the
first level is maximized, the tree can be further optimized by maximizing the branching factors
at the successive levels, but the improvement achieved in this way is not really significant; what
really counts is the branching factor at the first level.
In the second part of Chapter 2, I proposed a novel group based private authentication scheme.
I analyzed the proposed scheme and quantified the level of privacy that it provides. I compared
my group based scheme to the key-tree based scheme. I showed that the group based scheme
provides a higher level of privacy than the key-tree based scheme. In addition, the complexity of
the group based scheme for the verifier can be set to be the same as in the key-tree based scheme,
while the complexity for the prover is always smaller in the latter scheme. The primary application
area of my schemes are that of RFID systems, but it can also be used in applications with similar
characteristics (e.g., in wireless sensor networks).
Some possible work that could be done is the usage of different metrics like the entropy based
metric, or the usage of different constraints like the minimal size of the anonymity sets when
selecting a structure like the groups for the users. These new metrics or constraints can make the
resulting optimization problem complex, which can require heuristic solutions as well. A general
framework that could solve the optimization problem for different metrics and constraints could
be a future research direction.
The most criticized part of any key tree or group based solution is the difficulty of the key
update. Hence, a challenging future work could be the implementation of a key update scheme in
a tree based solution.
In the first half of Chapter 3, I studied the effectiveness of changing pseudonyms to provide
location privacy for vehicles in vehicular networks. The approach of changing pseudonyms to
make location tracking more difficult was proposed in prior work, but its effectiveness has not
been investigated yet. In order to address this problem, I defined a model based on the concept of
the mix zone. I assumed that the adversary has some knowledge about the mix zone, and based
77

6. CONCLUSION
on this knowledge, she tries to relate the vehicles that exit the mix zone to those that entered
it earlier. I also introduced a metric to quantify the level of privacy enjoyed by the vehicles in
this model. In addition, I performed extensive simulations to study the behavior of my model in
realistic scenarios. In particular, in my simulation, I used a rather complex road map, generated
traffic with realistic parameters, and varied the strength of the adversary by varying the number of
her monitoring points. My simulation results provided detailed information about the relationship
between the strength of the adversary and the level of privacy achieved by changing pseudonyms.
I abstracted away the frequency with which the pseudonyms are changed, and I simply assumed
that this frequency is high enough so that every vehicle surely changes pseudonym while in the mix
zone. It seems that changing the pseudonyms frequently has some advantages as frequent changes
increase the probability that the pseudonym is changed in the mix zone. On the other hand, the
higher the frequency, the larger the cost that the pseudonym changing mechanism induces on the
system in terms of management of cryptographic material (keys and certificates related to the
pseudonyms). In addition, if for a given frequency, the probability of changing pseudonym in the
mix zone is already close to 1, then there is no sense to increase the frequency further as it will
no longer increase the level of privacy, while it will still increase the cost. Hence, there seems to
be an optimal value for the frequency of the pseudonym change. Unfortunately, this optimal value
depends on the characteristics of the mix zone, which is ultimately determined by the observing
zone of the adversary, which is not known to the system designer.
In the second half of Chapter 3, I proposed a simple and effective privacy preserving scheme,
called SLOW, for VANETs. SLOW requires vehicles to stop sending heartbeat messages below
a given threshold speed (this explains the name SLOW that stands for “silence at low speeds”)
and to change all their identifiers (pseudonyms) after each such silent period. By using SLOW,
the vicinity of intersections and traffic lights become dynamically created mix zones, as there are
usually many vehicles moving slowly at these places at a given moment in time. In other words,
SLOW implicitly ensures a synchronized silent period and pseudonym change for many vehicles
both in time and space, and this makes it effective as a location privacy enhancing scheme. Yet,
SLOW is remarkably simple, and it has further advantages. For instance, it relieves vehicles of
the burden of verifying a potentially large amount of digital signatures when the vehicle density is
large, as this usually happens when the vehicles move slowly in a traffic jam or stop at intersections.
Finally, the risk of a fatal accident at a slow speed is low, and therefore, SLOW does not seriously
impact safety-of-life.
I evaluated SLOW in a specific attacker model that seems to be realistic, and it proved to be
effective in this model, reducing the success rate of tracking a target vehicle from its starting point
to its destination down to the range of 10–30%.
Some future work could be a detailed analysis of the result of SLOW on the safety of vehicles,
or the analysis of the exceptional cases where the vehicles are forced to send a beacon message
below the threshold.
In Chapter 4 I proposed two private aggregation algorithms for wireless sensor networks. In
wireless sensor networks, in-network data aggregation is often used to ensure scalability and energy
efficient operation. However, this also introduces some security issues: the designated aggregator
nodes that collect and store aggregated sensor readings and communicate with the base station
are attractive targets of physical node destruction and jamming attacks. In order to mitigate this
problem, I proposed two private aggregator node election protocols for wireless sensor networks
that hide the elected aggregator nodes from the attacker, who, therefore, cannot locate and disable
them. My basic protocol provides fewer guarantees than my advanced protocol, but it may be
sufficient in cases where the risk of physically compromising nodes is low. My advanced protocol
hides the identity of the elected aggregator nodes even from insider attackers, thus it handles node
compromise attacks too.
I also proposed a private data aggregation protocol and a corresponding private query protocol
for the advanced version, which allow the aggregator nodes to collect sensor readings and respond to
queries of the operator, respectively, without revealing any useful information about their identity.
My aggregation and query protocols are resistant to both external eavesdroppers and compromised
78

6.0. Conclusion
nodes participating in the protocol. The communication in the advanced protocol is based on the
concept of connected dominating set, which suits well to wireless sensor networks.
At the end of Chapter 4 I went beyond the goal of only hiding the identity of the aggregator
nodes. I also analyzed what happens if a malicious node wants to exploit the anonymity offered by
the system, and tries to mislead the operator by injecting false reports. I proposed an algorithm
that can detect if any of the nodes misbehaves in the query phase. I only detect the fact of
misbehavior and leave the identification of the misbehaving node itself for future work. A more
challenging future work is the reduction of the message or computational complexity of the election
subprotocol.
79

List of Acronyms
CA Cluster Aggregator
CDS Connected Dominating Set
CH Cluster Head
DSRC Dedicated Short-Range Communications
ID IDentifier
IR Infrared
MAC Message Authentication Code
OBU On Board unit
RF Radio Frequency
RFID Radio Frequency IDentification
RSA Rivest Shamir Adleman algorithm
RSU Road Side Unit
SEVECOM Secure Vehicular Communication
SLOW Silence at LOW speeds
SUMO Simulation of Urban MObility
TTL Time To Live
VANET Vehicular Ad Hoc Network
VIN Vehicle Identification Number
WSAN4CIP Wireless Sensor and Actuator Networks for Critical Infrastructure Protection
WSN Wireless Sensor Network
81

List of publications
[Avoine et al., 2007] Gildas Avoine, Levente Buttyan, Tamas Holczer, and Istvan Vajda. Groupbased
private authentication. In Proceedings of the International Workshop on Trust, Security,
and Privacy for Ubiquitous Computing (TSPUC 2007). IEEE, 2007.
[Buttyán and Holczer, 2009] Levente Buttyán and Tamas Holczer. Private cluster head election
inwireless sensor networks. In Proceedings of the Fifth IEEE International Workshop on Wireless
and Sensor Networks Security (WSNS 2009), pages 1048–1053. IEEE, IEEE, 2009.
[Buttyán and Holczer, 2010] Levente Buttyán and Tamas Holczer. Perfectly anonymous data aggregation
in wireless sensor networks. In Proceedings of The 7th IEEE International Conference
on Mobile Ad-hoc and Sensor Systems (WSNS 2010), San Francisco, November 2010. IEEE.
[Buttyan et al., 2004] Levente Buttyan, Tamas Holczer, and Peter Schaffer. Incentives for cooperation
in multi-hop wireless networks. Híradástechnika, LIX(3):30–34, March 2004. (in Hungarian).
[Buttyan et al., 2005] Levente Buttyan, Tamas Holczer, and Peter Schaffer. Spontaneous cooperation
in multi-domain sensor networks. In Proceedings of the 2nd European Workshop on Security
and Privacy in Ad-hoc and Sensor Networks (ESAS), Visegrád, Hungary, July 2005. Springer.
[Buttyan et al., 2006a] Levente Buttyan, Tamas Holczer, and Istvan Vajda. Optimal key-trees
for tree-based private authentication. In Proceedings of the International Workshop on Privacy
Enhancing Technologies (PET), June 2006. Springer.
[Buttyan et al., 2006b] Levente Buttyan, Tamas Holczer, and Istvan Vajda. Providing location
privacy in automated fare collection systems. In Proceedings of the 15th IST Mobile and Wireless
Communication Summit, Mykonos, Greece, June 2006.
[Buttyan et al., 2007] Levente Buttyan, Tamas Holczer, and Istvan Vajda. On the effectiveness
of changing pseudonyms to provide location privacy in vanets. In Proceedings of the Fourth
European Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS2007).
Springer, 2007.
[Buttyan et al., 2009] Levente Buttyan, Tamas Holczer, Andre Weimerskirch, and William Whyte.
Slow: A practical pseudonym changing scheme for location privacy in vanets. In Proceedings of
the IEEE Vehicular Networking Conference, pages 1–8. IEEE, IEEE, October 2009.
[Dora and Holczer, 2010] Laszlo Dora and Tamas Holczer. Hide-and-lie: Enhancing applicationlevel
privacy in opportunistic networks. In Proceedings of the Second International Workshop
on Mobile Opportunistic Networking ACM/SIGMOBILE MobiOpp 2010, Pisa, Italy, February
22-23 2010.
[Dvir et al., 2011] Amit Dvir, Tamas Holczer, and Levente Buttyán. Vera - version number and
rank authentication in rpl. In Proceedings of the 7th IEEE International Workshop on Wireless
and Sensor Networks Security (WSNS 2011). IEEE, 2011.
83

LIST OF PUBLICATIONS
[Holczer and Buttyán, 2011] Tamas Holczer and Levente Buttyán. Anonymous aggregator election
and data aggregation in wireless sensor networks. International Journal of Distributed Sensor
Networks, page 18, 2011. Article ID 828414.
[Holczer et al., 2009] Tamas Holczer, Petra Ardelean, Naim Asaj, Stefano Cosenza, Michael Müter,
Albert Held, Björn Wiedersheim, Panagiotis Papadimitratos, Frank Kargl, and Danny De Cock.
Secure vehicle communication (sevecom). Demonstration. Mobisys, June 2009.
[Papadimitratos et al., 2008] Panagiotis Papadimitratos, Antonio Kung, Frank Kargl, Zhendong
Ma, Maxim Raya, Julien Freudiger, Elmar Schoch, Tamas Holczer, Levente Buttyán, and Jean
pierre Hubaux. Secure vehicular communication systems: design and architecture. IEEE Communications
Magazine, 46(11):100–109, 2008.
[Schaffer et al., 2012] Péter Schaffer, Károly Farkas, Ádám Horváth, Tamás Holczer, and Levente
Buttyán. Secure and reliable clustering in wireless sensor networks: A critical survey. Computer
Networks, 2012.
84

Bibliography
[Abadi and Fournet, 2004] M. Abadi and C. Fournet. Private authentication. Theoretical Computer
Science, 322(3):427–476, 2004.
[Akyildiz et al., 2002] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci. Wireless
sensor networks: a survey. Computer networks, 38(4):393–422, 2002.
[Anderson and Kuhn, 1996] R. Anderson and M. Kuhn. Tamper resistance: a cautionary note. In
Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic
Commerce-Volume 2, page 1. USENIX Association, 1996.
[Aoki and Fujii, 1996] M. Aoki and H. Fujii. Inter-vehicle communication: Technical issues on
vehicle control application. Communications Magazine, IEEE, 34(10):90–93, 1996.
[Armknecht et al., 2007] F. Armknecht, A. Festag, D. Westhoff, and K. Zeng. Cross-layer privacy
enhancement and non-repudiation in vehicular communication. In 4th Workshop on Mobile
Ad-Hoc Networks (WMAN), 2007.
[ASV, ] Advanced safety vehicle program. ”http://www.ahsra.or.jp/demo2000/eng/demo_e/
ahs_e7/iguchi/iguchi.html”.
[Avoine and Oechslin, 2005] G. Avoine and P. Oechslin. A scalable and provably secure hash-based
rfid protocol. In Pervasive Computing and Communications Workshops, 2005. PerCom 2005
Workshops. Third IEEE International Conference on, pages 110–114. IEEE, 2005.
[Avoine et al., 2005] G. Avoine, E. Dysli, and P. Oechslin. Reducing time complexity in rfid systems.
In Proceedings of the 12th Annual Workshop on Selected Areas in Cryptography (SAC’05),
pages 291–306. Springer, 2005.
[Avoine, 2012] Gildas Avoine. Bibliography on security and privacy in rfid systems.
http://www.epfl.ch/*gavoine/rfid/, 2012.
[Baruya, 1998] A. Baruya. Speed-accident relationship on different kinds of european roads. MAS-
TER Deliverable 7, September 1998.
[Beresford and Stajano, 2003] A.R. Beresford and F. Stajano. Location privacy in pervasive computing.
Pervasive Computing, IEEE, 2(1):46–55, 2003.
[Beresford and Stajano, 2004] A.R. Beresford and F. Stajano. Mix zones: User privacy in locationaware
services. In Pervasive Computing and Communications Workshops, 2004. Proceedings of
the Second IEEE Annual Conference on, pages 127–131. IEEE, 2004.
[Berki, 2008] Z. Berki. Development of Traffic Models on the basis of Passanger Demand Surveys
Thesis of the PhD dissertation. PhD thesis, Budapest University of Technology and Economics,
2008.
85

BIBLIOGRAPHY
[Beye and Veugen, 2011] M. Beye and T. Veugen. Improved anonymity for key-trees? Technical
report, Cryptology ePrint Archive, Report 2011/395, 2011.
[Beye and Veugen, 2012] M. Beye and T. Veugen. Anonymity for key-trees with adaptive adversaries.
Security and Privacy in Communication Networks, pages 409–425, 2012.
[Black and McGrew, 2008] David L. Black and David A. McGrew. The internet key exchange
(ikev2) protocol. 2008.
[Blum et al., 2004a] Jeremy Blum, Min Ding, Andrew Thaeler, and Xiuzhen Cheng. Connected
dominating set in sensor networksand manets. In D.-Z. Du and P. Pardalos, editors, Handbook
of Combinatorial Optimization, pages 329–369. Kluwer Academic Publishers, 2004.
[Blum et al., 2004b] J.J. Blum, A. Eskandarian, and L.J. Hoffman. Challenges of intervehicle ad
hoc networks. Intelligent Transportation Systems, IEEE Transactions on, 5(4):347–351, 2004.
[Bono et al., 2005] S. Bono, M. Green, A. Stubblefield, A. Juels, A. Rubin, and M. Szydlo. Security
analysis of a cryptographically-enabled rfid device. In 14th USENIX Security Symposium,
volume 1, page 16, 2005.
[Boyd and Mathuria, 2003] C. Boyd and A. Mathuria. Protocols for authentication and key establishment.
Springer Verlag, 2003.
[Brandt, 2006] F. Brandt. Efficient cryptographic protocol design based on distributed El Gamal
encryption. Lecture Notes in Computer Science, 3935:32, 2006.
[Buttyán and Holczer, 2010] Levente Buttyán and Tamas Holczer. Perfectly anonymous data aggregation
in wireless sensor networks. In Proceedings of the Sixth IEEE International Workshop
on Wireless and Sensor Networks Security (WSNS’10). IEEE, IEEE, 2010.
[Buttyán and Hubaux, 2008] Levente Buttyán and Jean Pierre Hubaux. Security and Cooperation
in Wireless Networks. Cambridge University Press, 2008.
[Buttyán and Schaffer, 2010] Levente Buttyán and Peter Schaffer. Panel: Position-based aggregator
node election in wireless sensor networks. International Journal of Distributed Sensor
Networks, 2010.
[Buttyán et al., 2006] Levente Buttyán, Peter Schaffer, and István Vajda. Ranbar: Ransac-based
resilient aggregation in sensor networks. In In Proceedings of the Fourth ACM Workshop on
Security of Ad Hoc and Sensor Networks (SASN), Alexandria, VA, USA, October 2006. ACM
Press.
[Buttyán et al., 2009] Levente Buttyán, Peter Schaffer, and István Vajda. Cora: Correlation-based
resilient aggregation in sensor networks. Elsevier Ad Hoc Networks, 7(6):1035–1050, 2009.
[Calandriello et al., 2007] Giorgio Calandriello, Panos Papadimitratos, Jean-Pierre Hubaux, and
Antonio Lioy. Efficient and robust pseudonymous authentication in vanet. In VANET ’07:
Proceedings of the fourth ACM international workshop on Vehicular ad hoc networks, pages
19–28, New York, NY, USA, 2007. ACM.
[Camenisch and Lysyanskaya, 2001] J. Camenisch and A. Lysyanskaya. An efficient system for
non-transferable anonymous credentials with optional anonymity revocation. Advances in
Cryptology-EUROCRYPT 2001, pages 93–118, 2001.
[Camenisch and Stadler, 1997] Jan Camenisch and Markus Stadler. Proof systems for general
statements about discrete logarithms. Technical report, Department of Computer Science, ETH
Zürich, 1997.
86

Bibliography
[Carbunar et al., 2007] B. Carbunar, Y. Yu, L. Shi, M. Pearce, and V. Vasudevan. Query privacy
in wireless sensor networks. In Sensor, Mesh and Ad Hoc Communications and Networks, 2007.
SECON’07. 4th Annual IEEE Communications Society Conference on, pages 203–212. IEEE,
2007.
[Chan and Perrig, 2003] H. Chan and A. Perrig. Security and privacy in sensor networks. Computer,
36(10):103–105, 2003.
[Chan et al., 2003] H. Chan, A. Perrig, and D. Song. Random key predistribution schemes for
sensor networks. In IEEE Symposium on Security and Privacy, pages 197–215. IEEE Computer
Society, 2003.
[Chang, 2006] E.J.H. Chang. Echo algorithms: Depth parallel operations on general graphs. Software
Engineering, IEEE Transactions on, (4):391–401, 2006.
[Chaum, 1981] D.L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms.
Communications of the ACM, 24(2):84–90, 1981.
[Chaum, 1988] D. Chaum. The dining cryptographers problem: Unconditional sender and recipient
untraceability. Journal of Cryptology, 1(1):65–75, 1988.
[Chisalita and Shahmehri, 2002] L. Chisalita and N. Shahmehri. A peer-to-peer approach to vehicular
communication for the support of traffic safety applications. In Intelligent Transportation
Systems, 2002. Proceedings. The IEEE 5th International Conference on, pages 336–341. IEEE,
2002.
[Choi et al., 2005] J.Y. Choi, M. Jakobsson, and S. Wetzel. Balancing auditability and privacy in
vehicular networks. In Proceedings of the 1st ACM international workshop on Quality of service
& security in wireless and mobile networks, pages 79–87. ACM, 2005.
[Choi et al., 2007] H. Choi, P. McDaniel, and TF La Porta. Privacy Preserving Communication
in MANETs. In 4th Annual IEEE Communications Society Conference on Sensor, Mesh and
Ad Hoc Communications and Networks, pages 233–242, 2007.
[COM, ] Communications for esafety. ”http://www.comesafety.org/”.
[Consortium, 2012] Car 2 Car Communication Consortium. ”http://www.car-to-car.org”,
2012.
[Deng et al., 2005] J. Deng, R. Han, and S. Mishra. Countermeasures against traffic analysis
attacks in wireless sensor networks. In Security and Privacy for Emerging Areas in Communications
Networks, 2005. SecureComm 2005. First International Conference on, pages 113–126.
IEEE, 2005.
[Deng et al., 2006a] J. Deng, R. Han, and S. Mishra. Decorrelating wireless sensor network traffic
to inhibit traffic analysis attacks. Pervasive and Mobile Computing, 2(2):159–186, 2006.
[Deng et al., 2006b] J. Deng, R. Han, and S. Mishra. Decorrelating wireless sensor network traffic
to inhibit traffic analysis attacks. Pervasive and Mobile Computing, 2(2):159–186, 2006.
[Diaz et al., 2002] C. Diaz, S. Seys, J. Claessens, and B. Preneel. Towards measuring anonymity.
In Proceedings of the 2nd international conference on Privacy enhancing technologies, pages
54–68. Springer-Verlag, 2002.
[Dingledine et al., 2004] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The secondgeneration
onion router. Technical report, DTIC Document, 2004.
[Dötzer, 2006] F. Dötzer. Privacy issues in vehicular ad hoc networks. In Privacy Enhancing
Technologies, pages 197–209. Springer, 2006.
87

BIBLIOGRAPHY
[El Zarki et al., 2002] M. El Zarki, S. Mehrotra, G. Tsudik, and N. Venkatasubramanian. Security
issues in a future vehicular network. In European Wireless, volume 2, 2002.
[Faizulkhakov, 2007] Ya. R. Faizulkhakov. Time synchronization methods for wireless sensor networks:
A survey. Programming and Computing Software, 33(4):214–226, 2007.
[Fisher, 2006] J.A. Fisher. Indoor positioning and digital management. Surveillance and security:
Technological politics and power in everyday life, page 77, 2006.
[Fishkin et al., 2005] K. Fishkin, S. Roy, and B. Jiang. Some methods for privacy in rfid communication.
Security in ad-hoc and sensor networks, pages 42–53, 2005.
[Floerkemeier et al., 2005] C. Floerkemeier, R. Schneider, and M. Langheinrich. Scanning with
a purpose–supporting the fair information principles in rfid protocols. Ubiquitous Computing
Systems, pages 214–231, 2005.
[Francillon and Castelluccia, 2007] Aurélien Francillon and Claude Castelluccia. TinyRNG: A
cryptographic random number generator for wireless sensors network nodes. In Modeling and
Optimization in Mobile, Ad Hoc and Wireless Networks and Workshops, 2007. WiOpt 2007. 5th
International Symposium on, pages 1–7, April 2007.
[Freudiger et al., 2007] J. Freudiger, M. Raya, M. Felegyházi, P. Papadimitratos, and J.-P.
Hubaux. Mix-zones for location privacy in vehicular networks. In Proceedings of the 1st International
Workshop on Wireless Networking for Intelligent Transportation Systems (WiN-ITS
07), 2007.
[Ganesan et al., 2003] P. Ganesan, R. Venugopalan, P. Peddabachagari, A. Dean, F. Mueller, and
M. Sichitiu. Analyzing and modeling encryption overhead for sensor network nodes. In Proceedings
of the 2nd ACM international conference on Wireless sensor networks and applications,
Sep. 2003.
[Gerlach, 2006] M. Gerlach. Assessing and improving privacy in vanets. ESCAR Embedded Security
in Cars, 2006.
[Gicheol, 2010] W. Gicheol. Secure cluster head election using mark based exclusion in wireless
sensor networks. IEICE transactions on communications, 93(11):2925–2935, 2010.
[Goldsmith, 2005] Andrea Goldsmith. Wireless Communications. Cambridge University Press,
New York, NY, USA, 2005.
[Gruteser and Hoh, 2005] M. Gruteser and B. Hoh. On the anonymity of periodic location samples.
In Proceedings of the Second International Conference on Security in Pervasive Computing, pages
179–192. Springer, 2005.
[Gulcu and Tsudik, 1996] C. Gulcu and G. Tsudik. Mixing e-mail with babel. In Network and
Distributed System Security, 1996., Proceedings of the Symposium on, pages 2–16. IEEE, 1996.
[Hancke, 2005] G.P. Hancke. A practical relay attack on iso 14443 proximity cards. Technical
report, University of Cambridge Computer Laboratory, 2005.
[Hao and Zielinski, 2006] F. Hao and P. Zielinski. A 2-round anonymous veto protocol. In Proceedings
of the 14th International Workshop on Security Protocols, Cambridge, UK, 2006.
[Harkins and Carrel, 1998] D. Harkins and D. Carrel. The internet key exchange (ike)protocol.
1998.
[Hartenstein and Laberteaux, 2008] H. Hartenstein and K.P. Laberteaux. A tutorial survey on
vehicular ad hoc networks. Communications Magazine, IEEE, 46(6):164 –171, June 2008.
88

Bibliography
[He et al., 2007] W. He, X. Liu, H. Nguyen, K. Nahrstedt, and T. Abdelzaher. Pda: Privacypreserving
data aggregation in wireless sensor networks. In Proceedings of Infocom, pages 2045–
2053. IEEE, 2007.
[Heinzelman et al., 2000] WR Heinzelman, A. Chandrakasan, and H. Balakrishnan. Energyefficient
communication protocol for wireless microsensor networks. In Proceedings of the 33rd
Annual Hawaii International Conference onSystem Sciences., page 10, 2000.
[Hu and Wang, 2005] Y.C. Hu and H.J. Wang. A framework for location privacy in wireless networks.
In ACM SIGCOMM Asia Workshop. Citeseer, 2005.
[Hu et al., 2005] Y.C. Hu, A. Perrig, and D.B. Johnson. Ariadne: A secure on-demand routing
protocol for ad hoc networks. Wireless Networks, 11(1-2):21–38, 2005.
[Hu et al., 2006] Y.C. Hu, A. Perrig, and D.B. Johnson. Wormhole attacks in wireless networks.
Selected Areas in Communications, IEEE Journal on, 24(2):370–380, 2006.
[Huang et al., 2005] L. Huang, K. Matsuura, H. Yamane, and K. Sezaki. Enhancing wireless
location privacy using silent period. In Wireless Communications and Networking Conference,
2005 IEEE, volume 2, pages 1187–1192. IEEE, 2005.
[Huang et al., 2009] Y. Huang, W. He, and K. Nahrstedt. ChainFarm: A Novel Authentication
Protocol for High-rate Any Source Probabilistic Broadcast. In Proc. of The 6th IEEE International
Conference on Mobile Ad-hoc and Sensor Systems (IEEE MASS), 2009.
[Hubaux et al., 2004] J.P. Hubaux, S. Capkun, and J. Luo. The security and privacy of smart
vehicles. Security & Privacy, IEEE, 2(3):49–55, 2004.
[Instruments, 2005] Texas Instruments. Securing the pharmaceutical supply chain with rfid and
public-key infrastructure (pki) technologies. texas instruments white paper, june 2005, 2005.
[Iqbal and Khayam, 2009] Adnan Iqbal and Syed Ali Khayam. An energy-efficient link layer protocol
for reliable transmission over wireless networks. EURASIP J. Wirel. Commun. Netw.,
2009:28:1–28:10, January 2009.
[ISO, 2008] Iso 9798-2. mechanisms using symmetric encipherment algorithms. 2008.
[ITLaw, ] ITLaw. Right of privacy. ”http://itlaw.wikia.com/wiki/Right_of_privacy”.
[Jacquet, 2004] Philippe Jacquet. Performance of connected dominating set in olsr protocol. Technical
Report RR-5098, INRIA, 2004.
[Jian et al., 2007] Y. Jian, S. Chen, Z. Zhang, and L. Zhang. Protecting receiver-location privacy in
wireless sensor networks. In INFOCOM 2007. 26th IEEE International Conference on Computer
Communications. IEEE, pages 1955–1963. Ieee, 2007.
[Juels and Brainard, 2004] A. Juels and J. Brainard. Soft blocking: Flexible blocker tags on the
cheap. In Proceedings of the 2004 ACM workshop on Privacy in the electronic society, pages
1–7. ACM, 2004.
[Juels et al., 2003] A. Juels, R.L. Rivest, and M. Szydlo. The blocker tag: Selective blocking of
rfid tags for consumer privacy. In Proceedings of the 10th ACM conference on Computer and
communications security, pages 103–111. ACM, 2003.
[Juels et al., 2006] A. Juels, P. Syverson, and D. Bailey. High-power proxies for enhancing rfid
privacy and utility. In Privacy Enhancing Technologies, pages 210–226. Springer, 2006.
[Juels, 2005a] A. Juels. Minimalist cryptography for low-cost rfid tags. Security in Communication
Networks, pages 149–164, 2005.
89

BIBLIOGRAPHY
[Juels, 2005b] A. Juels. Strengthening epc tags against cloning. In Proceedings of the 4th ACM
workshop on Wireless security, pages 67–76. ACM, 2005.
[Juels, 2006] A. Juels. Rfid security and privacy: A research survey. Selected Areas in Communications,
IEEE Journal on, 24(2):381–394, 2006.
[Kamat et al., 2005] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk. Enhancing source-location
privacy in sensor network routing. In Distributed Computing Systems, 2005. ICDCS 2005.
Proceedings. 25th IEEE International Conference on, pages 599–608. IEEE, 2005.
[Kamat et al., 2007] P. Kamat, W. Xu, W. Trappe, and Y. Zhang. Temporal privacy in wireless
sensor networks. In Distributed Computing Systems, 2007. ICDCS’07. 27th International
Conference on, pages 23–23. IEEE, 2007.
[Kargl et al., 2008] Frank Kargl, Antonio Kung, Albert Held, Giorgo Calandriello, Ta Vinh Thong,
Björn Wiedersheim, Elmar Schoch, Michael Müter, Levente Buttyán, Panagiotis Papadimitratos,
and Jean-Pierre Hubaux. Secure vehicular communication systems: implementation,
performance, and research challenges. IEEE Communications Magazine, 46(11):110–118, 2008.
[Karnadi et al., 2005] F.K. Karnadi, Z.H. Mo, and K. Lan. Rapid generation of realistic mobility
models for vanet. In Wireless Communications and Networking Conference, 2007. WCNC 2007.
IEEE, pages 2506–2511. IEEE, 2005.
[Kelly and Erickson, 2005] E.P. Kelly and G.S. Erickson. Rfid tags: commercial applications v.
privacy rights. Industrial Management & Data Systems, 105(6):703–713, 2005.
[Kesdogan et al., 1998] D. Kesdogan, J. Egner, and R. Büschkes. Stop-and-go-mixes providing
probabilistic anonymity in an open system. In Information Hiding, pages 83–98. Springer, 1998.
[Kfir and Wool, 2005] Z. Kfir and A. Wool. Picking virtual pockets using relay attacks on contactless
smartcard. In Security and Privacy for Emerging Areas in Communications Networks,
2005. SecureComm 2005. First International Conference on, pages 47–58. IEEE, 2005.
[Kloeden et al., 1997] C.N. Kloeden, A.J. McLean, V.M. Moore, and G. Ponte. Travelling speed
and the risk of crash involvement. NHMRC Road Accident Research Unit, The University of
Adelaide, 1997.
[Kohl and Neuman, 1993] J. Kohl and C. Neuman. Rfc 1510: The kerberos network authentication
service (v5). Published Sep, 1993.
[Krajzewicz et al., 2002] Daniel Krajzewicz, Georg Hertkorn, Christian Rössel, and Peter Wagner.
Sumo (simulation of urban mobility); an open-source traffic simulation. In A Al-Akaidi, editor,
Proceedings of the 4th Middle East Symposium on Simulation and Modelling (MESM2002), pages
183–187, Sharjah, United Arab Emirates, September 2002. SCS European Publishing House.
[Kroh et al., 2006] Rainer Kroh, Antonio Kung, and Frank Kargl. Vanets security requirements
final v ersion. Sevecom D1.1, 2006.
[Kruskal, 1956] Jr. Kruskal, Joseph B. On the shortest spanning subtree of a graph and the
traveling salesman problem. Proceedings of the American Mathematical Society, 7(1):pp. 48–50,
1956.
[Kuhn et al., 2006] F. Kuhn, T. Moscibroda, and R. Wattenhofer. Fault-tolerant clustering in ad
hoc and sensor networks. In Distributed Computing Systems, 2006. ICDCS 2006. 26th IEEE
International Conference on, pages 68–68. IEEE, 2006.
[Langheinrich, 2009] M. Langheinrich. A survey of rfid privacy approaches. Personal and Ubiquitous
Computing, 13(6):413–421, 2009.
90

Bibliography
[Leaf and Preusser, 1999] W.A. Leaf and D.F. Preusser. Literature review on vehicle
travel speeds and pedestrian injuries. National Highway Traffic Safety Administration,
http://www.nhtsa.dot.gov/people/injury/research/ pub/HS809012.html, October 1999.
[Li et al., 2009] N. Li, N. Zhang, S.K. Das, and B. Thuraisingham. Privacy preservation in wireless
sensor networks: A state-of-the-art survey. Ad Hoc Networks, 2009.
[Lin and Lu, 2012] Xiaodong Lin and Rongxing Lu. Bibliography on secure vehicular communications.
http://bbcr.uwaterloo.ca/ rxlu/sevecombib.htm, 2012.
[Lin et al., 2008] X. Lin, R. Lu, C. Zhang, H. Zhu, P.H. Ho, and X. Shen. Security in vehicular
ad hoc networks. Communications Magazine, IEEE, 46(4):88–95, 2008.
[Liu and Ning, 2008] An Liu and Peng Ning. Tinyecc: A configurable library for elliptic curve
cryptography in wireless sensor networks. In Proceedings of the 7th International Conference on
Information Processing in Sensor Networks (IPSN 2008), pages 245–256, April 2008.
[Liu et al., 2005] D. Liu, P. Ning, S. Zhu, and S. Jajodia. Practical broadcast authentication in sensor
networks. In Mobile and Ubiquitous Systems: Networking and Services, 2005. MobiQuitous
2005. The Second Annual International Conference on, pages 118–129, 2005.
[Lopez and Zhou, 2008] J. Lopez and J. Zhou. Wireless Sensor Network Security. Cryptology and
Information Security Series, IOS Press, 2008.
[Lopez, 2008] J. Lopez. Wireless sensor network security, volume 1. Ios Pr Inc, 2008.
[Lu et al., 2012] R. Lu, X. Li, T.H. Luan, X. Liang, and X. Shen. Pseudonym changing at social
spots: An effective strategy for location privacy in vanets. Vehicular Technology, IEEE
Transactions on, 61(1):86–96, 2012.
[Luo and Hubaux, 2004] J. Luo and J.P. Hubaux. A survey of inter-vehicle communication. Lausanne,
Switzerland, Tech. Rep, IC/2004/24, 2004.
[Ma et al., 2010] Z. Ma, F. Kargl, and M. Weber. Measuring long-term location privacy in vehicular
communication systems. Computer Communications, 33(12):1414–1427, 2010.
[McMillin et al., 1998] B. McMillin, J. Sirois, R. Mahoney, and F. Budd. Fault-tolerant and secure
intelligent vehicle highway system software a safety prototype. In IEEE International Conference
on Intelligent Vehicles. IEEE, 1998.
[Mehta et al., 2007] K. Mehta, D. Liu, and M. Wright. Location privacy in sensor networks against
a global eavesdropper. In Network Protocols, 2007. ICNP 2007. IEEE International Conference
on, pages 314–323. IEEE, 2007.
[mir, ] http://www.shamus.ie/.
[Molnar and Wagner, 2004] D. Molnar and D. Wagner. Privacy and security in library rfid: Issues,
practices, and architectures. In Proceedings of the 11th ACM conference on Computer and
communications security, pages 210–219. ACM, 2004.
[Nohara et al., 2005] Y. Nohara, S. Inoue, K. Baba, and H. Yasuura. Quantitative evaluation of
unlinkable id matching schemes. In Proceedings of the 2005 ACM workshop on Privacy in the
electronic society, pages 55–60. ACM, 2005.
[Ohkubo et al., 2004] M. Ohkubo, K. Suzuki, and S. Kinoshita. Efficient hash-chain based rfid
privacy protection scheme. In International Conference on Ubiquitous Computing–Ubicomp,
Workshop Privacy: Current Status and Future Directions, 2004.
91

BIBLIOGRAPHY
[Oliveira et al., 2008] Leonardo B. Oliveira, Michael Scott, J ˇ d˙z˝lio Lopez, , and Ricardo Dahab.
TinyPBC: Pairings for Authenticated Identity-Based Non-Interactive Key Distribution in Sensor
Networks. In Proceedings of the 5th International Conference on Networked Sensing Systems
(INSS’08), pages 173–179, Kanazawa/Japan, June 2008. IEEE, IEEE.
[Peris-Lopez et al., 2006] P. Peris-Lopez, J. Hernandez-Castro, J. Estevez-Tapiador, and A. Ribagorda.
Rfid systems: A survey on security threats and proposed solutions. In Personal Wireless
Communications, pages 159–170. Springer, 2006.
[Perrig et al., 2002] Adrian Perrig, Ran Canetti, J. ˜ D. Tygar, and Dawn Song. The TESLA Broadcast
Authentication Protocol. RSA CryptoBytes, 5(Summer), 2002.
[Perrig et al., 2004] A. Perrig, J. Stankovic, and D. Wagner. Security in wireless sensor networks.
Communications of the ACM, 47(6):53–57, 2004.
[Pfitzmann and Köhntopp, 2001] A. Pfitzmann and M. Köhntopp. Anonymity, unobservability,
and pseudonymity–a proposal for terminology. In Designing privacy enhancing technologies,
pages 1–9. Springer, 2001.
[Piotrowski et al., 2006] K. Piotrowski, P. Langendoerfer, and S. Peter. How public key cryptography
influences wireless sensor node lifetime. In Proceedings of the fourth ACM workshop on
Security of ad hoc and sensor networks, pages 169–176, Nov. 2006.
[Preneel and Oorschot, 1999] B. Preneel and Van Oorschot. On the security of iterated message
authentication codes. IEEE Transactions on Information theory, 45(1):188–199, 1999.
[Prim, 1957] R.C. Prim. Shortest connection networks and some generalizations. Bell system
technical journal, 36(6):1389–1401, 1957.
[Rajendran and Sreenaath, 2008] T. Rajendran and K. V. Sreenaath. Secure anonymous routing
in ad hoc networks. In Proceedings of the 1st Bangalore Annual Computer Conference. ACM
New York, 2008.
[Rappaport, 2001] Theodore Rappaport. Wireless Communications: Principles and Practice.
Prentice Hall PTR, Upper Saddle River, NJ, USA, 2nd edition, 2001.
[Raya and Hubaux, 2005] M. Raya and J. P. Hubaux. The security of vehicular ad hoc networks.
In Proc. of Third ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2005).
ACM, 2005.
[Raya and Hubaux, 2007] M. Raya and J.P. Hubaux. Securing vehicular ad hoc networks. Journal
of Computer Security, 15(1):39–68, 2007.
[Reiter and Rubin, 1998] M.K. Reiter and A.D. Rubin. Crowds: Anonymity for web transactions.
ACM Transactions on Information and System Security (TISSEC), 1(1):66–92, 1998.
[rel, ] http://code.google.com/p/relic-toolkit/.
[Ren et al., 2011] D. Ren, S. Du, and H. Zhu. A novel attack tree based risk assessment approach
for location privacy preservation in the vanets. In Communications (ICC), 2011 IEEE
International Conference on, pages 1–5. IEEE, 2011.
[RFID, 2012] Wikipedia RFID. Radio-frequency identification. ”http://en.wikipedia.org/
wiki/Radio-frequency_identification”, 2012.
[Rieback et al., 2005] M. Rieback, B. Crispo, and A. Tanenbaum. Rfid guardian: A batterypowered
mobile device for rfid privacy management. In Information Security and Privacy, pages
259–273. Springer, 2005.
92

Bibliography
[Sampigethaya et al., 2005] K. Sampigethaya, L. Huang, M. Li, R. Poovendran, K. Matsuura, and
K. Sezaki. Caravan: Providing location privacy for vanet. In in Embedded Security in Cars
(ESCAR, 2005.
[Sampigethaya et al., 2007] K. Sampigethaya, M. Li, L. Huang, and R. Poovendran. Amoeba:
Robust location privacy scheme for vanet. IEEE Journal on Selected Areas in Communications,
25(8):1569–1589, 2007.
[Schnorr, 1991] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology,
4(3):161–174, 1991.
[Schoch et al., 2006] E. Schoch, F. Kargl, T. Leinmüller, S. Schlott, and P. Papadimitratos. Impact
of pseudonym changes on geographic routing in vanets. Security and Privacy in Ad-Hoc and
Sensor Networks, pages 43–57, 2006.
[Serjantov and Danezis, 2003] A. Serjantov and G. Danezis. Towards an information theoretic
metric for anonymity. In Privacy Enhancing Technologies, pages 259–263. Springer, 2003.
[Seys and Preneel, 2006] S. Seys and B. Preneel. ARM: Anonymous routing protocol for mobile
ad hoc networks. In 20th International Conference on Advanced Information Networking and
Applications, AINA, pages 133–137. IEEE, 2006.
[Sharma et al., 2012] S. Sharma, A. Sahu, A. Verma, and N. Shukla. Wireless sensor network
security. Advances in Computer Science and Information Technology. Computer Science and
Information Technology, pages 317–326, 2012.
[Sheng and Li, 2008] B. Sheng and Q. Li. Verifiable privacy-preserving range query in two-tiered
sensor networks. In Proceedings of Infocom, pages 46–50. IEEE, 2008.
[Sirivianos et al., 2007] M. Sirivianos, D. Westhoff, F. Armknecht, and J. Girao. Non-manipulable
aggregator node election protocols for wireless sensor networks. In Modeling and Optimization
in Mobile, Ad Hoc and Wireless Networks and Workshops, 2007. WiOpt 2007. 5th International
Symposium on, pages 1–10. IEEE, 2007.
[Studer et al., 2008] A. Studer, E. Shi, F. Bai, and A. Perrig. TACKing Together Efficient Authentication,
Revocation, and Privacy in VANETs. Technical report, Carnegie Mellon CyLab,
2008.
[Syamsuddin et al., 2008] Irfan Syamsuddin, Tharam Dillon, Elizabeth Chang, and Song Han. A
survey of RFID authentication protocols based on hash-chain method. In Convergence and
Hybrid Information Technology – ICCIT’08, volume 2, pages 559–564. IEEE, 2008.
[Szczechowiak et al., 2008] Piotr Szczechowiak, Leonardo B. Oliveira, Michael Scott, Martin Collier,
and Ricardo Dahab. Nanoecc: Testing the limits of elliptic curve cryptography in sensor
networks. In Proceedings of the European conference on Wireless Sensor Networks (EWSN’08),
2008.
[Tel, 2000] Gerard Tel. Introduction to Distributed Algorithms (2nd ed.). Cambridge University
Press, 2000.
[VSC, ] Vehicle safety communications project. ”http://www-nrd.nhtsa.dot.gov/pdf/nrd-12/
CAMP3/pages/VSCC.htm/”.
[Wagner, 2004] David Wagner. Resilient aggregation in sensor networks. In Proceedings of the 2nd
ACM workshop on Security of ad hoc and sensor networks, SASN ’04, pages 78–87, New York,
NY, USA, 2004. ACM.
[Wan et al., 2002] C.Y. Wan, A.T. Campbell, and L. Krishnamurthy. PSFQ: a reliable transport
protocol for wireless sensor networks. In Proceedings of the 1st ACM international workshop on
Wireless sensor networks and applications, pages 1–11. ACM, 2002.
93

BIBLIOGRAPHY
[Wiedersheim et al., 2010] B. Wiedersheim, Z. Ma, F. Kargl, and P. Papadimitratos. Privacy in
inter-vehicular networks: Why simple pseudonym change is not enough. In Wireless On-demand
Network Systems and Services (WONS), 2010 Seventh International Conference on, pages 176–
183. IEEE, 2010.
[Willke et al., 2009] T.L. Willke, P. Tientrakool, and N.F. Maxemchuk. A survey of inter-vehicle
communication protocols and their applications. Communications Surveys Tutorials, IEEE,
11(2):3 –20, quarter 2009.
[Wu et al., 2009] D.L. Wu, W.W.Y. Ng, D.S. Yeung, and H.L. Ding. A brief survey on current rfid
applications. In Machine Learning and Cybernetics, 2009 International Conference on, volume 4,
pages 2330–2335. IEEE, 2009.
[Xi et al., 2006] Y. Xi, L. Schwiebert, and W. Shi. Preserving source location privacy in
monitoring-based wireless sensor networks. In Parallel and Distributed Processing Symposium,
2006. IPDPS 2006. 20th International, pages 8–pp. IEEE, 2006.
[Xiong et al., 2010] Xiaokang Xiong, Duncan S. Wong, and Xiaotie Deng. TinyPairing: A Fast and
Lightweight Pairing-based Cryptographic Library for Wireless Sensor Networks. In Proceedings
of the IEEE Wireless Communications & Networking Conference. IEEE, 2010.
[Yick et al., 2008] J. Yick, B. Mukherjee, and D. Ghosal. Wireless sensor network survey. Computer
networks, 52(12):2292–2330, 2008.
[Zhang et al., 2006] Y. Zhang, W. Liu, W. Lou, and Y. Fang. Mask: Anonymous on-demand
routing in mobile ad hoc networks. IEEE Transactions on Wireless Communications, 5(9):2376–
2385, 2006.
[Zhang et al., 2008] W. Zhang, C. Wang, and T. Feng. Gpˆ 2s: Generic privacy-preservation
solutions for approximate aggregation of sensor data (concise contribution). In Pervasive Computing
and Communications, 2008. PerCom 2008. Sixth Annual IEEE International Conference
on, pages 179–184. IEEE, 2008.
[Zhu et al., 2003] Sencun Zhu, Sanjeev Setia, and Sushil Jajodia. Leap: Efficient security mechanisms
for large-scale distributed sensor networks. In Proceedings of the 10th ACM conference
on Computer and communications security, pages 62–72. ACM Press, 2003.
94