Secure and scalable many-to-one symbol transmission for sensor ...

Computer Communications 31 (2008) 2408–2413Contents lists available at ScienceDirectComputer Communicationsjournal homepage: www.elsevier.com/locate/comcom**Secure** **and** **scalable** **many**-**to**-**one** **symbol** **transmission** **for** **sensor** networksAlex**and**re Viejo * , Francesc Sebé, Josep Domingo-FerrerRovira i Virgili University, Department of Computer Engineering **and** Mathematics, UNESCO Chair in Data Privacy, Av. Països Catalans, 26, E-43007 Tarragona, Catalonia, SpainarticleinfoabstractArticle his**to**ry:Received 24 Oc**to**ber 2007Received in revised **for**m 28 February 2008Accepted 2 March 2008Available online 8 March 2008Keywords:Many-**to**-**one** communications**Secure** communicationsSensor networksMulticastScalabilityIn secure **many**-**to**-**one** communications, a set of nodes transmit data **to** the same receiver. Research inthis area focuses on increasing scalability by minimizing the amount of data reaching the receiver. Currentproposals **for** secure **many**-**to**-**one** **transmission** use costly cryp**to**graphic operations. In this paper,we present a novel system **for** secure **many**-**to**-**one** **symbol** **transmission** in which nodes are only required**to** per**for**m lightweight operations. This makes it suitable **for** implementation in resource-constrainedscenarios such as **sensor** networks.Ó 2008 Elsevier B.V. All rights reserved.1. IntroductionCommunications can be classified according **to** the number ofinvolved senders **and** receivers. Single-sender paradigms are:**one**-**to**-**one** (unicast) in which a single sender transmits data **to** asingle receiver; **one**-**to**-all (broadcast) in which **one** source sendsdata **to** all nodes of a network; **and** **one**-**to**-**many** (multicast) wherea single source transmits **to** a given subset of nodes.Efficient **one**-**to**-**many** (**and** **one**-**to**-all) communications areimplemented using a tree communication model. The root of thetree is the source which sends the data, the intermediate nodesare the routers which receive the content from their parent node**and** retransmit it **to** their child nodes (replicating it **for** each child),**and** the leaves are the receivers. This model provides scalability becausethe number of receivers can be increased without increasingthe workload nor the b**and**width needs at the source.In this paper, we focus on **many**-**to**-**one** communications. In thisparadigm, a set of nodes transmit data **to** the same receiver. If thenumber of transmitting nodes is large, the receiver may be overwhelmedby the incoming traffic. This problem is known as implosion[1].Implosion resistance is a challenging issue in the design of **many****to**-**one**communication pro**to**cols. Such pro**to**cols also follow a tree**to**pology. In this case, the leaves are the senders; the intermediatenodes are routers that collect messages coming from their children**and** aggregate them in**to** a single message that is transmitted up **to*** Corresponding author. Tel.: +34 977558270.E-mail addresses: alex**and**re.viejo@urv.cat (A. Viejo), francesc.sebe@urv.cat (F.Sebé), josep.domingo@urv.cat (J. Domingo-Ferrer).their parent; finally, the root is the receiver. Scalability depends onthe aggregation operation per**for**med by intermediate routers.In addition **to** their being **scalable**, **many**-**to**-**one** communicationsoften need **to** be secure. Security requirements includeconfidentiality (an intruder should not be able **to** learn the transmitteddata), integrity (any data alteration should be detectableby the receiver) **and** authentication (the source of the data shouldbe verifiable by the receiver).There is a general consensus that in scenarios where nodesare resource-constrained devices the high cost of public-keycryp**to**graphy is usually not af**for**dable. Researchers assume thatin such scenarios symmetric cryp**to**graphy **and** hash functionsconstitute the **to**ols of choice **to** provide security. However, public-keytechnology can be selectively deployed in those environments**to**o. In [2], the author argues that the RSA [3] public-keycryp**to**system with a small public exp**one**nt **and** Rabin’s [4] public-keycryp**to**system have fast algorithms **for** encryption **and**digital signature verification which can be used on constraineddevices. In contrast, their decryption **and** signature generationare slow **and** resource-dem**and**ing. Elliptic curve cryp**to**systems(ECC, [5]) provide not only lightweight encryption **and** signatureverification, but also lightweight decryption **and** signature generationwhich make them suitable **for** resource-constraineddevices.Sensor networks are an example where secure **many**-**to**-**one**communications are required in low-cost **and** resource-constraineddevices. Here, the **sensor** nodes (which may be verynumerous) transmit data **to** a single collecting center. Securityrequirements arise when the networks are deployed in hostileareas.0140-3664/$ - see front matter Ó 2008 Elsevier B.V. All rights reserved.doi:10.1016/j.comcom.2008.03.002

A. Viejo et al. / Computer Communications 31 (2008) 2408–2413 24091.1. Previous workAs stated in [6], the solution **to** implosion in **many**-**to**-**one** scenariosis obtained by intermediate routers combining receivedmessages in**to** a single message that is routed **to**wards the base station.This process is called aggregation. The authors in [6] present ageneral framework **for** **scalable** **many**-**to**-**one** communicationwhere intermediate nodes collect messages from their children,aggregate them **and** send a single aggregated message up **to** theirparent. In this way, the base station receives a single message containingall the readings from the leaves. This solution is **scalable**(permitting an unlimited amount of senders) as long as aggregateddata do not grow in size. Requiring the output of the aggregation **to**be of constant size implies that some in**for**mation loss must be**to**lerated.Next, we give some examples of lossy data aggregation: If data is a temperature, different temperatures can be aggregatedby computing their average. In**for**mation loss comes fromthe fact that the base station will not learn the temperatureobtained by each node but only the average of all readings. If data is a counter, different counters can be aggregated by addition.In**for**mation loss comes from the base station not beingable **to** learn the exact contribution by each node. If data sent is a binary value indicating an alarm, it can be aggregatedusing a logical OR operation. The base station will learnthat an alarm has been raised somewhere but not exactly where.The above lossy approaches do not impose strong computationalrequirements so they are suitable **for** a wide variety of scenariosincluding resource-constrained **sensor** networks. However,they cannot be used in scenarios where the root must know thespecific data sent by each leaf: lossless communication is neededhere.There are some schemes in the literature which provide securityin **many**-**to**-**one** lossless **transmission**. Such proposals can be dividedin**to** two categories which are reviewed below.1.1.1. **Secure** acknowledgment**Secure** acknowledgment schemes provide the source of a multicastcommunication with an undeniable **and** un**for**geable proofthat a given group of receivers have properly received a specificmessage. In these schemes, upon receiving the message, everyreceiver will answer with an acknowledgment (consisting of adigital signature) in case of correct reception or will not answeranything otherwise. These acknowledgments can be aggregated**to** achieve scalability. Such solutions only permit unary communications(a receiver can send an acknowledgment or stay silent) sothat they are not appropriate **for** data **transmission**. The systemsproposed in [7] **and** [8] fall in**to** this category.1.1.2. **Secure** **symbol** **transmission**This class of schemes assume a tree communication modelwhere the root multicasts a data request **to** the leaves. Upon receptionof this request, the leaves react by sending **one** q-ary **symbol**each (data sent by each leaf can be modeled as an integer rangingfrom 1 **to** q). These messages will be aggregated by intermediatenodes. From the received message, the root will obtain the **symbol**sent by each leaf.It can be proven that **symbol**s sent by n leaves cannot be aggregatedin a message whose length is less than OðnÞ when all **symbol**shave the same probability of being sent. Current research insecure **symbol** **transmission** focuses on designing systems whoseactual message length is as short as possible (within the OðnÞlength class). Note that due **to** this fact the amount of senders cannotbe arbitrarily large.The schemes proposed in [9] **and** [10] belong **to** this category.For q-ary alphabets, the **for**mer provides a message length thatasymp**to**tically tends **to** 3tn (where q 6 2 t 1) while the latter providesa message length asymp**to**tically approaching tn (both messagelengths are OðnÞ).In [11], a proposal **for** biased binary (q ¼ 2) communicationsis described. It offers an Oðk log k log nÞ message length with nbeing the number of leaves **and** k being an upper bound onthe number of leaves that simultaneously wish **to** transmit theleast likely bit.The three schemes [9–11] provide a good b**and**width efficiency.Un**for**tunately, they require resource-dem**and**ing cryp**to**graphicoperations at the nodes. Proposals [9] **and** [11] use homomorphicpublic-key cryp**to**systems which cannot be used in resource-constrainednodes. Regarding the scheme presented in [10], it requiresan intensive use of multisignature generation **and** verification overGap Diffie-Hellman groups, which makes it unaf**for**dable in resource-constrainedscenarios.1.2. Contribution **and** plan of this paperIn this paper, we propose a secure **and** **scalable** scheme designed**to** provide secure **many**-**to**-**one** **symbol** **transmission** in networks**for**med by low-cost devices (such as **sensor** networks). Inour proposal, nodes only compute hash functions, simple arithmetic**and** logic operations, **and** a signature verification (which, as statedabove, is af**for**dable with elliptic curve cryp**to**systems [5], theRabin cryp**to**system [4] or RSA [3] with a small public exp**one**nt).Our pro**to**col provides **transmission** of q-ary alphabets withmessage length asymp**to**tically tending **to** tn, where n is the numberof leaves of the multicast tree **and** q 6 2 t 1.Section 2 describes the new pro**to**col. In Section 3, we analyze itssecurity. Section 4 provides a per**for**mance analysis **and** an optimizationof the proposed pro**to**col **to** reduce the energy consumption atnodes due **to** communication. Finally, Section 5 is a conclusion.2. Our proposalOur pro**to**col assumes a tree network where the root is the basestation receiving data from the leaves (which may be **sensor**nodes). For the sake of simplicity, we assume that only the leavessend data. Intermediate nodes simply act as routers. Extendingthe proposed solution **to** accommodate data **transmission** fromintermediate nodes is straight**for**ward.The base station (BS) is a full-fledged computer. Leaves **and**intermediate nodes are low-cost devices. The base station owns aprivate key SK BS . The corresponding public key PK BS is known**and** accepted as valid by all nodes in the tree. Let n be the numberof leaves **and** U i ,16 i 6 n, denote the leaves. Each leaf U i shares asecret key K i with the base station.2.1. Many-**to**-**one** q-ary **transmission**We represent each **symbol** from the q-ary alphabet by a differentinteger from the set f1; ...; qg. Parameter t is chosen as thesmallest integer satisfying q 6 2 t 1. Parameter s is a securityparameter (see Sections 3 **and** 4 **for** details about s). A pro**to**col executionconsists of the following steps:(1) Challenge. The base station generates a r**and**om value v **and**signs it **to** obtain fvg SKBS. The signed value is multicast bythe base station **to** all leaves.(2) Message generation.(a) Upon receiving v **and** verifying its signature, each leaf U icomputes a pseudo-r**and**om t-bit sequenceðc 1 ; ...; c t Þ lsb t ðHðvjjK i ÞÞ, where lsb t ðÞ is a function

2410 A. Viejo et al. / Computer Communications 31 (2008) 2408–2413returning the t least significant bits of its argument, H isa **one**-way hash function **and** jj is the concatenationopera**to**r.(b) Each U i computes a sequence ðd 1 ; ...; d t Þ as follows. Letðb 1 ; ...; b t Þ be the binary representation of the q-ary**symbol** **to** be transmitted by U i . If ðb 1 ; ...; b t Þ¼ðc 1 ; ...; c t Þ then ðd 1 ; ...; d t Þ :¼ ðb 1 ;...; b t Þ. Else ðd 1 ; ...; d t Þ :¼ ðb 1 c 1 ; ...; b t c t ÞNote that this step ensures that the sequenceðd 1 ; ...; d t Þ does not have all its elements equal **to** 0.This all zeroes value is reserved **to** identify non-transmittalby leaves.(c) U i computes an s-bit pseudo-r**and**om integer r i asfollows:r ilsb s ðHðd 1 ; ...; d t jjvjjK i ÞÞ(d) Each U i generates a tn-bit sequence (n is the number ofleaves) I i **and** sets the bits from the subsequencebetween positions tði 1Þþ1 **and** ti so that they matchðd 1 ; ...; d t Þ. The remaining bits are set **to** ‘‘0”.(e) U i sends the pair ðI i ; r i Þ up **to** its parent node.(3) Message aggregation. An intermediate node R (or the basestation) receives messages from its child routers/leaves**and** does the following:(a) S**to**re each received pair ðI j ; r j Þ (they may have **to** bechecked later).(b) Once all expected messages fðI j ; r j Þg jhave been received,aggregate them by computing I ¼ W j I j (_ denotes the bitwiseOR operation) **and** r ¼ P j r jmod 2 s .(c) If R is not the base station, send ðI; rÞ up **to** its parentnode. Else, this is the final aggregated message.(4) Symbol extraction. From the final aggregated message ðI; rÞ,the base station obtains, **for** each leaf U i , the binary representationðb i;1 ; ...; b i;t Þ of the **symbol** sent by the leaf. It isobtained from the sequence ðd i;1 ; ...; d i;t Þ, previously generatedby U i (see Step 2b), which is contained in I. Then thebase station computes the pseudo-r**and**om integer linked**to** ðd i;1 ; ...; d i;t Þ (see Step 2c), which will be used **to** checkthe integrity of the whole aggregated message. We next givethe pseudo-code related **to** this process:(a) Let i :¼ 1, x :¼ 0.(b) While i 6 n loop Compute ðc 1 ; ...; c t Þ lsb t ðHðvjjK i ÞÞ. If ðI½tði 1Þþ1Š; ...; I½tiŠÞ ¼ ðc 1 ; ...; c t Þ then ðb i;1 ; ...;b i;t Þ :¼ ðc 1 ; ...; c t Þ. Else ðb i;1 ; ...; b i;t Þ :¼ ðI½tði 1Þþ1Šc 1 ; ...; I½tiŠc t Þ. Compute / i lsb s ðHðI½tði 1Þþ1Š; ...; I½tiŠjjvjjK i ÞÞ. x :¼ x þ / i mod 2 s . i :¼ i þ 1.(c) If x ¼ r then return B ¼ððb 1;1 ; ...; b 1;t Þ; ...; ðb n;1 ; ...;b n;t ÞÞ, where ðb i;1 ; ...; b i;t Þ is the binary representationof the **symbol** transmitted by U i . The base station alsomulticasts a signed acknowledgment f\Ack"jjvg SKBS**to**the leaves. This message contains the challenge v **to**avoid replay attacks. Upon receiving this message, intermediaterouters remove messages s**to**red at Step 3a. Ifx 6¼ r the base station launches the error-tracing proceduredetailed in Section 2.2.Fig. 1 shows the message flow generated by a pro**to**col executionin a simple scenario with a base station (BS), two intermediatenodes (R 1 **and** R 2 ) **and** four leaves (U 1 ; ...; U 4 ). In Fig. 1a the base stationbroadcasts a challenge **to** all leaves (Step 1 in the pro**to**col execution).In Fig. 1b, message (1) sent by U 1 corresponds **to** the pairðI 1 ; r 1 Þ while message (2) sent by U 2 represents the pair ðI 2 ; r 2 Þ (Step2 in the pro**to**col execution). Node R 1 constructs message (3), whichcorresponds **to** ðI; rÞ, by aggregating messages (1) **and** (2) (Step 3 inthe pro**to**col execution). The same process occurs in the subtreerooted by R 2 . The latter node constructs message (6) by aggregatingmessages (4) **and** (5), which correspond **to** the pairs ðI 3 ; r 3 Þ **and**ðI 4 ; r 4 Þ, respectively. Eventually, the base station BS aggregates messages(3) **and** (6) **to** get the final aggregated message. After that, BSextracts the **symbol**s transmitted by the leaves (Step 4 in the pro**to**colexecution).2.2. Procedure **to** deal with corrupted messagesDuring **symbol** extraction, the base station checks the integrityof the received message. If this verification fails, the base stationidentifies the message as corrupted. The following procedure allows**to** remove the corrupting nodes from the tree.(1) From the received I comp**one**nt, the base station computesthe valid r i associated **to** each U i :(a) For i ¼ 1**to**n do ðd i;1 ; ...; d i;t Þ :¼ ðI½tði 1Þþ1Š; ...; I½tiŠÞ. r i lsb s ðHðd i;1 ; ...; d i;t jjvjjK i ÞÞ.(b) The base station sends **to** all nodes the signed messagefIjjr 1 ; ...; r n jjvg SKBS(2) Upon receiving fIjjr 1 ; ...; r n jjvg SKBS**and** verifying its signature**and** the value v, each intermediate node R checks eachs**to**red message ðI j ; r j Þ received from its children. For eachðI j ; r j Þ, R does:(a) For each leaf U i with non-zero contribution **to** I j (that is,ðI½tði 1Þþ1Š; ...; I½tiŠÞ 6¼ ð0; ...; 0Þ), check that the contribution**to** I j equals the contribution **to** I. If some ofthese checks fail, the point of corruption is above R’sposition **and** R s**to**ps the checking procedure.BSU 1 U 2 U 4abBSU 3(3)R 1R 2(1)R 1(2) (4)(6)U 1 U 2R 2(5)U 3 U 4Fig. 1. Message flow in a pro**to**col execution.

A. Viejo et al. / Computer Communications 31 (2008) 2408–2413 2411(b) Else, R computes the sum modulo 2 s of the r i associated**to** each U i who contributes **to** I j . If the sum is equal **to** r j ,the child who sent this message is considered innocent.If the result is different, that child is considered guilty.When a malicious node has altered a message (note that a maliciousnode can corrupt a message at each pro**to**col execution oronly once in a while), all nodes located in the path from the corruptionpoint **to** the root detect this corruption. However, the nodesdetecting the corruption cannot decide whether corruption wascaused by the child who sent the corrupted message or by anothernode located in the subtree rooted at this child. A simple solutionwould be **to** delete the entire suspicious subtree. This would entailthe loss of a big part of the network due **to** a single corrupted message.We propose the following procedure **to** minimize the numberof nodes **to** be eliminated:(1) The base station **and** all intermediate nodes have a preloadedinteger k associated **to** each child. Initially, an intermediate node assigns a value k ¼ 1**to**those of its children that are leaves. If a child is an internal node, the initial assigned valuecorresponds **to** the number of leaves in the subtreerooted at that child.(2) When a node detects a corrupted message, it decrements the kvalue assigned **to** the child from which this message comesfrom. Note that the k values of all nodes located between thepoint of corruption **and** the base station will be decremented.(3) When the k value assigned **to** a child becomes zero, the nodecloses communication with such a suspicious child (thuspruning the subtree rooted at this child).The initial value assignment ensures that a corrupted leaf ispruned the first time it sends a bad message (k ¼ 1). The initial valueassignment **for** an internal node is d**one** assuming that it always actsh**one**stly so that it only needs **to** be removed from the tree after all theleaves in its subtree have already been removed (in this case no moremessages will come from its subtree). This procedure ensures that adish**one**st internal node will be removed, although not necessarilythe first time it corrupts **and** **for**wards a message.3. Security analysisWe next explain the adversarial model **and** the possible attacksthe system has **to** be robust against. We refer **to** those attacks **to**justify the security properties achieved by our scheme: confidentiality,authentication **and** integrity. We also give the success probabilityof each possible attack.3.1. Adversarial modelOur attacker model considers an adversary who can controlnodes (thus turning them in**to** compromised nodes) **and** who canalso access communication lines **to** capture, modify **and** retransmitmessages. The attacker’s computational power does not permit her**to** break current computationally secure cryp**to**systems.3.1.1. Possible attacksAn adversary can try the following attacks: Eavesdrop messages. Impersonate a certain leaf U i . Alter the contribution of a certain leaf U i . Remove the contribution of a certain leaf U i . Disrupt the aggregation of messages received from some childnodes.More specifically, an external attacker can try the first four attackswhile an adversary which has compromised some nodescould also try the last **one**.3.2. Attacks **and** security propertiesTable 1 summarizes the success probabilities of each possibleattack in scenarios where non-transmittal is disallowed. The subsectionsbelow justify the values in the table.3.2.1. Message eavesdroppingThis attack refers **to** the confidentiality property. An adversaryeavesdropping messages of the **for**m ðI; rÞ at some point (calledsniffing point from now on) in the communication tree can discover,by observing the bits ranging from ðI½tði 1Þþ1ŠÞ **to** I½tiŠ,the sequence ðd i;1 ; ...; d i;t Þ transmitted by each leaf U i located belowthe sniffing point. The attacker will be unable **to** decrypt thissequence because decryption requires knowledge of the secretkey K i .The r value does not provide any useful in**for**mation **to** the attackereither.From I, an adversary can determine which leaves transmitted**and** which **one**s did not. In applications where this fact causesin**for**mation disclosure, non-transmittal should not be allowed.3.2.2. Leaf impersonationThis attack refers **to** the authentication property. An intruder(who does not know K i ) trying **to** send a given **symbol** coming fromU i faces several difficulties.First of all, the q-ary **symbol** is encrypted prior **to** encoding it insideI i . Since the attacker does not know the encryption key, she canonly fill the corresponding t bits in I i r**and**omly. The probability thatdecryption of those bits leads **to** the desired q-ary **symbol** is1=ð2 t 1Þ.On the other side, the redundancy r i is also computed using K i .In this way, the probability of r**and**omly guessing the appropriate r iis 1=2 s .3.2.3. Leaf contribution alterationThis attack refers **to** the authentication **and** integrity properties.In case the attacker captures **and** alters the contribution of a leaf,the difficulty comes from the low probability of guessing r, whichis 1=2 s . A sufficiently large value s exp**one**ntially reduces thechances of a corrupting attacker **to** stay undetected.3.2.4. Leaf contribution removalThe contribution of U i can be easily erased if r i is known. This factwill be considered as a non-transmittal by the base station. To detectthese erasure attacks, non-transmittal should be disallowed.In case the adversary does not know the r i value generated by U i ,she must guess the appropriate r i with a probability of success 1=2 s .3.2.5. Disruption of the aggregation of child node messagesA dish**one**st intermediate node can decide not **to** aggregate amessage received from some of its child nodes. The base stationwill consider this fact as a non-transmittal. To detect this situationnon-transmittal should be disallowed.Table 1Possible attacks **and** their success probabilitiesAttackSuccess probabilityMessage eavesdroppingNot possibleLeaf impersonation 1=ðð2 t 1Þ2 s ÞLeaf contribution alteration1=2 sLeaf contribution removalNot possibleMessage aggregation disruptionNot possible

2412 A. Viejo et al. / Computer Communications 31 (2008) 2408–2413Table 2Per**for**mance resultsConceptMessage length (**for** n "")Message length in the error-tracing procedure (**for** n "")Cost of message generationCost of message aggregationCost of **symbol** extractionCost of error tracing at intermediate nodes4. Per**for**mance analysisWe next evaluate the pro**to**col per**for**mance in terms of messagelength **and** computational cost at the **sensor** nodes. We also give anoptimization of the proposed pro**to**col **to** improve the efficiency ofthe message length **and** reduce the energy consumption at nodesdue **to** communication.Table 2 summarizes the per**for**mance results obtained. The subsectionsbelow justify the values in that table.4.1. Message lengthOur pro**to**col keeps the length of messages constant on theirway from the leaves **to**wards the base station. Each message consistsof the pair ðI; rÞ. Comp**one**nt I encodes the q-ary **symbol** transmittedby each leaf **and** its bitlength is tn, where n is the number ofleaves of the multicast tree **and** q 6 2 t 1. Since t is a constant, thebitlength of I is OðnÞ. Comp**one**nt r has a constant length of s bits.So its length is Oð1Þ. In this way, messages have a bitlengthOðnÞþOð1Þ. For large values of n, this length asymp**to**tically tends**to** tn. Note that this length is linear, which represents a limitationon the **to**tal amount of leaves which can participate in the network.However, it can be proven that **symbol**s sent by n leaves cannot beaggregated in a message whose length is below OðnÞ when all **symbol**shave the same probability of being sent.In the event of a corrupted message, the base station multicastsa message which contains ðIjjr 1 ; ...; r n jjvÞ. The first comp**one**nt hastn bits, the second **one** sn bits **and** the last **one** Oð1Þ bits. Thus, thisspecial message has a bitlength of OðnÞ. For large values of n, thislength asymp**to**tically tends **to** ðt þ sÞn.4.2. Computational costCosttnðt þ sÞnOðnÞOðn 2 ÞOðnÞOðn 2 ÞNext, we analyze the time complexity of the pro**to**col in fouroperations: message generation, message aggregation, **symbol**extraction **and** error tracing at intermediate nodes.Message generation. Each message has two comp**one**nts ðI i ; r i Þ.Leaf U i employs OðnÞ time **to** generate the binary sequence I i .The computation of r i does not depend on n,soitisOð1Þ. Duringmessage generation, each leaf verifies **one** signature **and** computestwo hash functions **and** at most t bitwise XOR operations.As menti**one**d in Section 1, there are fast algorithms **for** digitalsignature verification in resource-constrained environments.As a real example, the authors of [5] implement the EllipticCurve Digital Signature Algorithm [12,13] on a MICA2 mote[14,15], designed by researchers at the University of Cali**for**niaat Berkeley. This device offers an 8 bit, 7.3828-MHz ATmega128L processor, 4 kilobytes (KB) of primary memory (SRAM)**and** 128 KB of program space (ROM). According **to** their results,an ECDSA signature verification in such a device takes about24.17 seconds (this time can only be expected **to** decrease astechnology progresses).The remaining operations (hash functions **and** bitwise operations)take negligible time. Thus, our scheme is suitable **for**resource-constrained leaves.Message aggregation. An intermediate node receives **and** aggregatesmessages. Aggregation of fðI j ; r j Þg jin**to** ðI; rÞ requires atmost OðnÞ bitwise OR operations over OðnÞ-long messages duringthe computation of I. Computation of the new r requires atmost OðnÞ additions modulo 2 s (each with cost Oð1Þ). Thisresults in a maximum Oðn 2 Þ cost. Note that intermediate nodescompute only bitwise operations. These operations are appropriate**for** resource-constrained nodes.Symbol extraction. The base station extracts the contribution ofeach leaf in a vec**to**r B ¼ððb 1;1 ; ...; b 1;t Þ; ...; ðb n;1 ; ...; b n;t ÞÞ byprocessing comp**one**nt I (**to**tal length tn bits). Since t is a constant,this time is OðnÞ. Integrity checking does not increase thiscost.Since the base station is a full-fledged device, we consider thatall operations executed in this step are af**for**dable.Error tracing at intermediate nodes. This procedure is onlyinvoked in case of a corrupted message event. An intermediatenode may need **to** verify a signature **and** check the valueI j sent by each of its children. Each check takes OðnÞ time.Since the number of children may also be OðnÞ, the maximumtime spent on this operation is Oðn 2 Þ. Checking r j hasat most the same cost. In this step, we require **one** signatureverification. As explained above, this operation is af**for**dableon real **sensor** nodes like the MICA2 mote. In addition **to** that,intermediate nodes must execute Oðn 2 Þ additions modulo 2 s .These operations are suitable **for** resource-constrained nodes**to**o.4.3. Message length optimizationOur system is designed **for** nodes that are resource **and** powerconstraineddevices. This motivates the need **to** reduce energy consumptionas much as possible. Reducing the length of messages is**one** way **to** achieve this.In our pro**to**col, leaf U i sends ðI i ; r i Þ where I i is a tn bit long binarysequence. Useful in**for**mation within I i is contained in bits locatedbetween positions tði 1Þþ1 **and** ti. The remaining bits ofI i are set **to** 0.This in**for**mation could be represented in a more compact wayusing log n bits **to** code index i **and** t bits **for** useful in**for**mation.In this way, the length of I i would be t þ log n. Aggregation ofvec**to**rs I i would be d**one** by concatenation. In this way, thelength of a vec**to**r I containing data from j leaves would bejðt þ log nÞ bits.For small values of j this results in shorter messages than thosedescribed in our pro**to**col above (i.e. when jðt þ log nÞ < tn). Lowvalues of j appear at nodes that are far from the root. However,when j grows **to**wards n this new coding results in longer messagesthan those described above.There**for**e, using this alternative coding when j satisfiesjðt þ log nÞ < tn (near the leaves) **and** switching **to** the initial codingwhen messages get near the root is a way **to** minimize the length oftransmitted data.5. ConclusionA **scalable** **and** lightweight pro**to**col **for** secure **many**-**to**-**one****symbol** **transmission** in tree-based networks has been presented.This proposal is the first **one** in the literature that provides thiskind of communication **for** resource-constrained devices, whichare quite common in **sensor** networks. Our scheme provides constantmessage length **and** OðnÞ cost **for** **symbol** extraction at thebase station, where n is the number of senders (leaves of the tree).Besides, it achieves the fundamental security properties: confidentiality,authentication **and** integrity.

A. Viejo et al. / Computer Communications 31 (2008) 2408–2413 2413Regarding computation, this pro**to**col has been designed **to** bevery lightweight at leaves **and** intermediate nodes:(1) Leaves are only required **to** compute hash functions, bitwiseoperations **and** two signature verifications (the first **one** atthe beginning **and** the last **one** at the end of each pro**to**colexecution).(2) In a correct pro**to**col execution, intermediate nodes are onlyrequired **to** aggregate messages which represent bitwise ORoperations **and** additions modulo 2 s . In case of message corruption(whether intentional or accidental), intermediatenodes are required **to** verify **one** signature **and** check themessages received from their children. Message corruptionis thwarted by removing corrupting nodes from the network.AcknowledgmentsThe authors are with the UNESCO Chair in Data Privacy, butthey are solely responsible **for** the views expressed in this paper,which do not necessarily reflect the position of UNESCO norcommit that organization. This work was partly supported by theSpanish Ministry of Science **and** Education through projectsTSI2007-65406-C03-01 ‘‘E-AEGIS” **and** CONSOLIDER INGENIO2010 CSD2007-00004”ARES”, **and** by the Government of Cataloniaunder Grant 2005 SGR 00446.References[1] B. Quinn, K. Almeroth, IP multicast applications: challenges **and** solutions,Internet RFC 3170, 2001, Available from: .[2] Z. Benenson, Authenticated queries in **sensor** networks, Lecture Notes inComputer Science 3813 (2005) 54–67.[3] R.L. Rivest, A. Shamir, L. Adleman, A method **for** obtaining digital signatures**and** public-key cryp**to**systems, Communications of the ACM 21 (1978) 120–126.[4] M. Rabin, Digitalized Signatures **and** Public-key Functions as Intractableas Fac**to**rization, MIT Labora**to**ry **for** Computer Science TR-212, January,1979.[5] E.-O. Blaß, M. Zitterbart, Towards acceptable public-key encryption in **sensor**networks, in: ACM Second International Workshop on Ubiqui**to**us Computing,2005, pp. 88–93.[6] T. Wolf, S.Y. Choi, Aggregated hierarchical multicast – a **many**-**to**-**many**communication paradigm using programmable networks, IEEE Transactionson Systems, Man **and** Cybernetics – Part C 33 (3) (2003) 358–369.[7] A. Nicolosi, D. Mazières, **Secure** acknowledgment of multicast messages inopen peer-**to**-peer networks, in: Proceedings of the Third InternationalWorkshop on Peer-**to**-Peer Systems – IPTPS’04, San Diego, CA, 2004.[8] C. Castelluccia, S. Jarecki, J. Kim, G. Tsudik, **Secure** acknowledgmentaggregation **and** multisignatures with limited robustness, ComputerNetworks 50 (10) (2006) 1639–1652.[9] J. Domingo-Ferrer, A. Martínez-Ballesté, F. Sebé, **Secure** reversecommunications in a multicast tree, Lecture Notes in Computer Science 3042(2004) 807–816.[10] F. Sebé, A. Viejo, J. Domingo-Ferrer, **Secure** **many**-**to**-**one** **symbol** **transmission****for** implementation on smart cards, Computer Networks 51 (9) (2007) 2299–2307.[11] F. Sebé, J. Domingo-Ferrer, Scalability **and** security in biased **many**-**to**-**one**communication, Computer Networks 51 (1) (2007) 1–13.[12] ANSI X9.62-1998, Public Key Cryp**to**graphy **for** the Financial ServicesIndustry: The Elliptic Curve Digital Signature Algorithm (ECDSA),American National St**and**ard **for** Financial Services, American BankersAssociation, 1999.[13] D.J. Johnson, A.J. Menezes, S.A. Vans**to**ne, The elliptic curve digital signaturealgorithm (ECDSA), International Journal of In**for**mation Security 1 (2001) 36–63.[14] University of Cali**for**nia Berkeley, Tiny OS Hardware Designs, 2004, Availablefrom: .[15] Crossbow Technology, Inc., MICA2 Data Sheet, 2008, Available from: .