Computer Communications 31 (2008) 2408–2413Contents lists available at ScienceDirectComputer Communicationsjournal homepage: www.elsevier.com/locate/comcomSecure and scalable many-to-one symbol transmission for sensor networksAlexandre Viejo * , Francesc Sebé, Josep Domingo-FerrerRovira i Virgili University, Department of Computer Engineering and Mathematics, UNESCO Chair in Data Privacy, Av. Països Catalans, 26, E-43007 Tarragona, Catalonia, SpainarticleinfoabstractArticle history:Received 24 October 2007Received in revised form 28 February 2008Accepted 2 March 2008Available online 8 March 2008Keywords:Many-to-one communicationsSecure communicationsSensor networksMulticastScalabilityIn secure many-to-one communications, a set of nodes transmit data to the same receiver. Research inthis area focuses on increasing scalability by minimizing the amount of data reaching the receiver. Currentproposals for secure many-to-one transmission use costly cryptographic operations. In this paper,we present a novel system for secure many-to-one symbol transmission in which nodes are only requiredto perform lightweight operations. This makes it suitable for implementation in resource-constrainedscenarios such as sensor networks.Ó 2008 Elsevier B.V. All rights reserved.1. IntroductionCommunications can be classified according to the number ofinvolved senders and receivers. Single-sender paradigms are:one-to-one (unicast) in which a single sender transmits data to asingle receiver; one-to-all (broadcast) in which one source sendsdata to all nodes of a network; and one-to-many (multicast) wherea single source transmits to a given subset of nodes.Efficient one-to-many (and one-to-all) communications areimplemented using a tree communication model. The root of thetree is the source which sends the data, the intermediate nodesare the routers which receive the content from their parent nodeand retransmit it to their child nodes (replicating it for each child),and the leaves are the receivers. This model provides scalability becausethe number of receivers can be increased without increasingthe workload nor the bandwidth needs at the source.In this paper, we focus on many-to-one communications. In thisparadigm, a set of nodes transmit data to the same receiver. If thenumber of transmitting nodes is large, the receiver may be overwhelmedby the incoming traffic. This problem is known as implosion.Implosion resistance is a challenging issue in the design of manyto-onecommunication protocols. Such protocols also follow a treetopology. In this case, the leaves are the senders; the intermediatenodes are routers that collect messages coming from their childrenand aggregate them into a single message that is transmitted up to* Corresponding author. Tel.: +34 977558270.E-mail addresses: email@example.com (A. Viejo), firstname.lastname@example.org (F.Sebé), email@example.com (J. Domingo-Ferrer).their parent; finally, the root is the receiver. Scalability depends onthe aggregation operation performed by intermediate routers.In addition to their being scalable, many-to-one communicationsoften need to be secure. Security requirements includeconfidentiality (an intruder should not be able to learn the transmitteddata), integrity (any data alteration should be detectableby the receiver) and authentication (the source of the data shouldbe verifiable by the receiver).There is a general consensus that in scenarios where nodesare resource-constrained devices the high cost of public-keycryptography is usually not affordable. Researchers assume thatin such scenarios symmetric cryptography and hash functionsconstitute the tools of choice to provide security. However, public-keytechnology can be selectively deployed in those environmentstoo. In , the author argues that the RSA  public-keycryptosystem with a small public exponent and Rabin’s  public-keycryptosystem have fast algorithms for encryption anddigital signature verification which can be used on constraineddevices. In contrast, their decryption and signature generationare slow and resource-demanding. Elliptic curve cryptosystems(ECC, ) provide not only lightweight encryption and signatureverification, but also lightweight decryption and signature generationwhich make them suitable for resource-constraineddevices.Sensor networks are an example where secure many-to-onecommunications are required in low-cost and resource-constraineddevices. Here, the sensor nodes (which may be verynumerous) transmit data to a single collecting center. Securityrequirements arise when the networks are deployed in hostileareas.0140-3664/$ - see front matter Ó 2008 Elsevier B.V. All rights reserved.doi:10.1016/j.comcom.2008.03.002
A. Viejo et al. / Computer Communications 31 (2008) 2408–2413 24091.1. Previous workAs stated in , the solution to implosion in many-to-one scenariosis obtained by intermediate routers combining receivedmessages into a single message that is routed towards the base station.This process is called aggregation. The authors in  present ageneral framework for scalable many-to-one communicationwhere intermediate nodes collect messages from their children,aggregate them and send a single aggregated message up to theirparent. In this way, the base station receives a single message containingall the readings from the leaves. This solution is scalable(permitting an unlimited amount of senders) as long as aggregateddata do not grow in size. Requiring the output of the aggregation tobe of constant size implies that some information loss must betolerated.Next, we give some examples of lossy data aggregation: If data is a temperature, different temperatures can be aggregatedby computing their average. Information loss comes fromthe fact that the base station will not learn the temperatureobtained by each node but only the average of all readings. If data is a counter, different counters can be aggregated by addition.Information loss comes from the base station not beingable to learn the exact contribution by each node. If data sent is a binary value indicating an alarm, it can be aggregatedusing a logical OR operation. The base station will learnthat an alarm has been raised somewhere but not exactly where.The above lossy approaches do not impose strong computationalrequirements so they are suitable for a wide variety of scenariosincluding resource-constrained sensor networks. However,they cannot be used in scenarios where the root must know thespecific data sent by each leaf: lossless communication is neededhere.There are some schemes in the literature which provide securityin many-to-one lossless transmission. Such proposals can be dividedinto two categories which are reviewed below.1.1.1. Secure acknowledgmentSecure acknowledgment schemes provide the source of a multicastcommunication with an undeniable and unforgeable proofthat a given group of receivers have properly received a specificmessage. In these schemes, upon receiving the message, everyreceiver will answer with an acknowledgment (consisting of adigital signature) in case of correct reception or will not answeranything otherwise. These acknowledgments can be aggregatedto achieve scalability. Such solutions only permit unary communications(a receiver can send an acknowledgment or stay silent) sothat they are not appropriate for data transmission. The systemsproposed in  and  fall into this category.1.1.2. Secure symbol transmissionThis class of schemes assume a tree communication modelwhere the root multicasts a data request to the leaves. Upon receptionof this request, the leaves react by sending one q-ary symboleach (data sent by each leaf can be modeled as an integer rangingfrom 1 to q). These messages will be aggregated by intermediatenodes. From the received message, the root will obtain the symbolsent by each leaf.It can be proven that symbols sent by n leaves cannot be aggregatedin a message whose length is less than OðnÞ when all symbolshave the same probability of being sent. Current research insecure symbol transmission focuses on designing systems whoseactual message length is as short as possible (within the OðnÞlength class). Note that due to this fact the amount of senders cannotbe arbitrarily large.The schemes proposed in  and  belong to this category.For q-ary alphabets, the former provides a message length thatasymptotically tends to 3tn (where q 6 2 t 1) while the latter providesa message length asymptotically approaching tn (both messagelengths are OðnÞ).In , a proposal for biased binary (q ¼ 2) communicationsis described. It offers an Oðk log k log nÞ message length with nbeing the number of leaves and k being an upper bound onthe number of leaves that simultaneously wish to transmit theleast likely bit.The three schemes [9–11] provide a good bandwidth efficiency.Unfortunately, they require resource-demanding cryptographicoperations at the nodes. Proposals  and  use homomorphicpublic-key cryptosystems which cannot be used in resource-constrainednodes. Regarding the scheme presented in , it requiresan intensive use of multisignature generation and verification overGap Diffie-Hellman groups, which makes it unaffordable in resource-constrainedscenarios.1.2. Contribution and plan of this paperIn this paper, we propose a secure and scalable scheme designedto provide secure many-to-one symbol transmission in networksformed by low-cost devices (such as sensor networks). Inour proposal, nodes only compute hash functions, simple arithmeticand logic operations, and a signature verification (which, as statedabove, is affordable with elliptic curve cryptosystems , theRabin cryptosystem  or RSA  with a small public exponent).Our protocol provides transmission of q-ary alphabets withmessage length asymptotically tending to tn, where n is the numberof leaves of the multicast tree and q 6 2 t 1.Section 2 describes the new protocol. In Section 3, we analyze itssecurity. Section 4 provides a performance analysis and an optimizationof the proposed protocol to reduce the energy consumption atnodes due to communication. Finally, Section 5 is a conclusion.2. Our proposalOur protocol assumes a tree network where the root is the basestation receiving data from the leaves (which may be sensornodes). For the sake of simplicity, we assume that only the leavessend data. Intermediate nodes simply act as routers. Extendingthe proposed solution to accommodate data transmission fromintermediate nodes is straightforward.The base station (BS) is a full-fledged computer. Leaves andintermediate nodes are low-cost devices. The base station owns aprivate key SK BS . The corresponding public key PK BS is knownand accepted as valid by all nodes in the tree. Let n be the numberof leaves and U i ,16 i 6 n, denote the leaves. Each leaf U i shares asecret key K i with the base station.2.1. Many-to-one q-ary transmissionWe represent each symbol from the q-ary alphabet by a differentinteger from the set f1; ...; qg. Parameter t is chosen as thesmallest integer satisfying q 6 2 t 1. Parameter s is a securityparameter (see Sections 3 and 4 for details about s). A protocol executionconsists of the following steps:(1) Challenge. The base station generates a random value v andsigns it to obtain fvg SKBS. The signed value is multicast bythe base station to all leaves.(2) Message generation.(a) Upon receiving v and verifying its signature, each leaf U icomputes a pseudo-random t-bit sequenceðc 1 ; ...; c t Þ lsb t ðHðvjjK i ÞÞ, where lsb t ðÞ is a function
2410 A. Viejo et al. / Computer Communications 31 (2008) 2408–2413returning the t least significant bits of its argument, H isa one-way hash function and jj is the concatenationoperator.(b) Each U i computes a sequence ðd 1 ; ...; d t Þ as follows. Letðb 1 ; ...; b t Þ be the binary representation of the q-arysymbol to be transmitted by U i . If ðb 1 ; ...; b t Þ¼ðc 1 ; ...; c t Þ then ðd 1 ; ...; d t Þ :¼ ðb 1 ;...; b t Þ. Else ðd 1 ; ...; d t Þ :¼ ðb 1 c 1 ; ...; b t c t ÞNote that this step ensures that the sequenceðd 1 ; ...; d t Þ does not have all its elements equal to 0.This all zeroes value is reserved to identify non-transmittalby leaves.(c) U i computes an s-bit pseudo-random integer r i asfollows:r ilsb s ðHðd 1 ; ...; d t jjvjjK i ÞÞ(d) Each U i generates a tn-bit sequence (n is the number ofleaves) I i and sets the bits from the subsequencebetween positions tði 1Þþ1 and ti so that they matchðd 1 ; ...; d t Þ. The remaining bits are set to ‘‘0”.(e) U i sends the pair ðI i ; r i Þ up to its parent node.(3) Message aggregation. An intermediate node R (or the basestation) receives messages from its child routers/leavesand does the following:(a) Store each received pair ðI j ; r j Þ (they may have to bechecked later).(b) Once all expected messages fðI j ; r j Þg jhave been received,aggregate them by computing I ¼ W j I j (_ denotes the bitwiseOR operation) and r ¼ P j r jmod 2 s .(c) If R is not the base station, send ðI; rÞ up to its parentnode. Else, this is the final aggregated message.(4) Symbol extraction. From the final aggregated message ðI; rÞ,the base station obtains, for each leaf U i , the binary representationðb i;1 ; ...; b i;t Þ of the symbol sent by the leaf. It isobtained from the sequence ðd i;1 ; ...; d i;t Þ, previously generatedby U i (see Step 2b), which is contained in I. Then thebase station computes the pseudo-random integer linkedto ðd i;1 ; ...; d i;t Þ (see Step 2c), which will be used to checkthe integrity of the whole aggregated message. We next givethe pseudo-code related to this process:(a) Let i :¼ 1, x :¼ 0.(b) While i 6 n loop Compute ðc 1 ; ...; c t Þ lsb t ðHðvjjK i ÞÞ. If ðI½tði 1Þþ1Š; ...; I½tiŠÞ ¼ ðc 1 ; ...; c t Þ then ðb i;1 ; ...;b i;t Þ :¼ ðc 1 ; ...; c t Þ. Else ðb i;1 ; ...; b i;t Þ :¼ ðI½tði 1Þþ1Šc 1 ; ...; I½tiŠc t Þ. Compute / i lsb s ðHðI½tði 1Þþ1Š; ...; I½tiŠjjvjjK i ÞÞ. x :¼ x þ / i mod 2 s . i :¼ i þ 1.(c) If x ¼ r then return B ¼ððb 1;1 ; ...; b 1;t Þ; ...; ðb n;1 ; ...;b n;t ÞÞ, where ðb i;1 ; ...; b i;t Þ is the binary representationof the symbol transmitted by U i . The base station alsomulticasts a signed acknowledgment f\Ack"jjvg SKBStothe leaves. This message contains the challenge v toavoid replay attacks. Upon receiving this message, intermediaterouters remove messages stored at Step 3a. Ifx 6¼ r the base station launches the error-tracing proceduredetailed in Section 2.2.Fig. 1 shows the message flow generated by a protocol executionin a simple scenario with a base station (BS), two intermediatenodes (R 1 and R 2 ) and four leaves (U 1 ; ...; U 4 ). In Fig. 1a the base stationbroadcasts a challenge to all leaves (Step 1 in the protocol execution).In Fig. 1b, message (1) sent by U 1 corresponds to the pairðI 1 ; r 1 Þ while message (2) sent by U 2 represents the pair ðI 2 ; r 2 Þ (Step2 in the protocol execution). Node R 1 constructs message (3), whichcorresponds to ðI; rÞ, by aggregating messages (1) and (2) (Step 3 inthe protocol execution). The same process occurs in the subtreerooted by R 2 . The latter node constructs message (6) by aggregatingmessages (4) and (5), which correspond to the pairs ðI 3 ; r 3 Þ andðI 4 ; r 4 Þ, respectively. Eventually, the base station BS aggregates messages(3) and (6) to get the final aggregated message. After that, BSextracts the symbols transmitted by the leaves (Step 4 in the protocolexecution).2.2. Procedure to deal with corrupted messagesDuring symbol extraction, the base station checks the integrityof the received message. If this verification fails, the base stationidentifies the message as corrupted. The following procedure allowsto remove the corrupting nodes from the tree.(1) From the received I component, the base station computesthe valid r i associated to each U i :(a) For i ¼ 1ton do ðd i;1 ; ...; d i;t Þ :¼ ðI½tði 1Þþ1Š; ...; I½tiŠÞ. r i lsb s ðHðd i;1 ; ...; d i;t jjvjjK i ÞÞ.(b) The base station sends to all nodes the signed messagefIjjr 1 ; ...; r n jjvg SKBS(2) Upon receiving fIjjr 1 ; ...; r n jjvg SKBSand verifying its signatureand the value v, each intermediate node R checks eachstored message ðI j ; r j Þ received from its children. For eachðI j ; r j Þ, R does:(a) For each leaf U i with non-zero contribution to I j (that is,ðI½tði 1Þþ1Š; ...; I½tiŠÞ 6¼ ð0; ...; 0Þ), check that the contributionto I j equals the contribution to I. If some ofthese checks fail, the point of corruption is above R’sposition and R stops the checking procedure.BSU 1 U 2 U 4abBSU 3(3)R 1R 2(1)R 1(2) (4)(6)U 1 U 2R 2(5)U 3 U 4Fig. 1. Message flow in a protocol execution.
A. Viejo et al. / Computer Communications 31 (2008) 2408–2413 2411(b) Else, R computes the sum modulo 2 s of the r i associatedto each U i who contributes to I j . If the sum is equal to r j ,the child who sent this message is considered innocent.If the result is different, that child is considered guilty.When a malicious node has altered a message (note that a maliciousnode can corrupt a message at each protocol execution oronly once in a while), all nodes located in the path from the corruptionpoint to the root detect this corruption. However, the nodesdetecting the corruption cannot decide whether corruption wascaused by the child who sent the corrupted message or by anothernode located in the subtree rooted at this child. A simple solutionwould be to delete the entire suspicious subtree. This would entailthe loss of a big part of the network due to a single corrupted message.We propose the following procedure to minimize the numberof nodes to be eliminated:(1) The base station and all intermediate nodes have a preloadedinteger k associated to each child. Initially, an intermediate node assigns a value k ¼ 1tothose of its children that are leaves. If a child is an internal node, the initial assigned valuecorresponds to the number of leaves in the subtreerooted at that child.(2) When a node detects a corrupted message, it decrements the kvalue assigned to the child from which this message comesfrom. Note that the k values of all nodes located between thepoint of corruption and the base station will be decremented.(3) When the k value assigned to a child becomes zero, the nodecloses communication with such a suspicious child (thuspruning the subtree rooted at this child).The initial value assignment ensures that a corrupted leaf ispruned the first time it sends a bad message (k ¼ 1). The initial valueassignment for an internal node is done assuming that it always actshonestly so that it only needs to be removed from the tree after all theleaves in its subtree have already been removed (in this case no moremessages will come from its subtree). This procedure ensures that adishonest internal node will be removed, although not necessarilythe first time it corrupts and forwards a message.3. Security analysisWe next explain the adversarial model and the possible attacksthe system has to be robust against. We refer to those attacks tojustify the security properties achieved by our scheme: confidentiality,authentication and integrity. We also give the success probabilityof each possible attack.3.1. Adversarial modelOur attacker model considers an adversary who can controlnodes (thus turning them into compromised nodes) and who canalso access communication lines to capture, modify and retransmitmessages. The attacker’s computational power does not permit herto break current computationally secure cryptosystems.3.1.1. Possible attacksAn adversary can try the following attacks: Eavesdrop messages. Impersonate a certain leaf U i . Alter the contribution of a certain leaf U i . Remove the contribution of a certain leaf U i . Disrupt the aggregation of messages received from some childnodes.More specifically, an external attacker can try the first four attackswhile an adversary which has compromised some nodescould also try the last one.3.2. Attacks and security propertiesTable 1 summarizes the success probabilities of each possibleattack in scenarios where non-transmittal is disallowed. The subsectionsbelow justify the values in the table.3.2.1. Message eavesdroppingThis attack refers to the confidentiality property. An adversaryeavesdropping messages of the form ðI; rÞ at some point (calledsniffing point from now on) in the communication tree can discover,by observing the bits ranging from ðI½tði 1Þþ1ŠÞ to I½tiŠ,the sequence ðd i;1 ; ...; d i;t Þ transmitted by each leaf U i located belowthe sniffing point. The attacker will be unable to decrypt thissequence because decryption requires knowledge of the secretkey K i .The r value does not provide any useful information to the attackereither.From I, an adversary can determine which leaves transmittedand which ones did not. In applications where this fact causesinformation disclosure, non-transmittal should not be allowed.3.2.2. Leaf impersonationThis attack refers to the authentication property. An intruder(who does not know K i ) trying to send a given symbol coming fromU i faces several difficulties.First of all, the q-ary symbol is encrypted prior to encoding it insideI i . Since the attacker does not know the encryption key, she canonly fill the corresponding t bits in I i randomly. The probability thatdecryption of those bits leads to the desired q-ary symbol is1=ð2 t 1Þ.On the other side, the redundancy r i is also computed using K i .In this way, the probability of randomly guessing the appropriate r iis 1=2 s .3.2.3. Leaf contribution alterationThis attack refers to the authentication and integrity properties.In case the attacker captures and alters the contribution of a leaf,the difficulty comes from the low probability of guessing r, whichis 1=2 s . A sufficiently large value s exponentially reduces thechances of a corrupting attacker to stay undetected.3.2.4. Leaf contribution removalThe contribution of U i can be easily erased if r i is known. This factwill be considered as a non-transmittal by the base station. To detectthese erasure attacks, non-transmittal should be disallowed.In case the adversary does not know the r i value generated by U i ,she must guess the appropriate r i with a probability of success 1=2 s .3.2.5. Disruption of the aggregation of child node messagesA dishonest intermediate node can decide not to aggregate amessage received from some of its child nodes. The base stationwill consider this fact as a non-transmittal. To detect this situationnon-transmittal should be disallowed.Table 1Possible attacks and their success probabilitiesAttackSuccess probabilityMessage eavesdroppingNot possibleLeaf impersonation 1=ðð2 t 1Þ2 s ÞLeaf contribution alteration1=2 sLeaf contribution removalNot possibleMessage aggregation disruptionNot possible
2412 A. Viejo et al. / Computer Communications 31 (2008) 2408–2413Table 2Performance resultsConceptMessage length (for n "")Message length in the error-tracing procedure (for n "")Cost of message generationCost of message aggregationCost of symbol extractionCost of error tracing at intermediate nodes4. Performance analysisWe next evaluate the protocol performance in terms of messagelength and computational cost at the sensor nodes. We also give anoptimization of the proposed protocol to improve the efficiency ofthe message length and reduce the energy consumption at nodesdue to communication.Table 2 summarizes the performance results obtained. The subsectionsbelow justify the values in that table.4.1. Message lengthOur protocol keeps the length of messages constant on theirway from the leaves towards the base station. Each message consistsof the pair ðI; rÞ. Component I encodes the q-ary symbol transmittedby each leaf and its bitlength is tn, where n is the number ofleaves of the multicast tree and q 6 2 t 1. Since t is a constant, thebitlength of I is OðnÞ. Component r has a constant length of s bits.So its length is Oð1Þ. In this way, messages have a bitlengthOðnÞþOð1Þ. For large values of n, this length asymptotically tendsto tn. Note that this length is linear, which represents a limitationon the total amount of leaves which can participate in the network.However, it can be proven that symbols sent by n leaves cannot beaggregated in a message whose length is below OðnÞ when all symbolshave the same probability of being sent.In the event of a corrupted message, the base station multicastsa message which contains ðIjjr 1 ; ...; r n jjvÞ. The first component hastn bits, the second one sn bits and the last one Oð1Þ bits. Thus, thisspecial message has a bitlength of OðnÞ. For large values of n, thislength asymptotically tends to ðt þ sÞn.4.2. Computational costCosttnðt þ sÞnOðnÞOðn 2 ÞOðnÞOðn 2 ÞNext, we analyze the time complexity of the protocol in fouroperations: message generation, message aggregation, symbolextraction and error tracing at intermediate nodes.Message generation. Each message has two components ðI i ; r i Þ.Leaf U i employs OðnÞ time to generate the binary sequence I i .The computation of r i does not depend on n,soitisOð1Þ. Duringmessage generation, each leaf verifies one signature and computestwo hash functions and at most t bitwise XOR operations.As mentioned in Section 1, there are fast algorithms for digitalsignature verification in resource-constrained environments.As a real example, the authors of  implement the EllipticCurve Digital Signature Algorithm [12,13] on a MICA2 mote[14,15], designed by researchers at the University of Californiaat Berkeley. This device offers an 8 bit, 7.3828-MHz ATmega128L processor, 4 kilobytes (KB) of primary memory (SRAM)and 128 KB of program space (ROM). According to their results,an ECDSA signature verification in such a device takes about24.17 seconds (this time can only be expected to decrease astechnology progresses).The remaining operations (hash functions and bitwise operations)take negligible time. Thus, our scheme is suitable forresource-constrained leaves.Message aggregation. An intermediate node receives and aggregatesmessages. Aggregation of fðI j ; r j Þg jinto ðI; rÞ requires atmost OðnÞ bitwise OR operations over OðnÞ-long messages duringthe computation of I. Computation of the new r requires atmost OðnÞ additions modulo 2 s (each with cost Oð1Þ). Thisresults in a maximum Oðn 2 Þ cost. Note that intermediate nodescompute only bitwise operations. These operations are appropriatefor resource-constrained nodes.Symbol extraction. The base station extracts the contribution ofeach leaf in a vector B ¼ððb 1;1 ; ...; b 1;t Þ; ...; ðb n;1 ; ...; b n;t ÞÞ byprocessing component I (total length tn bits). Since t is a constant,this time is OðnÞ. Integrity checking does not increase thiscost.Since the base station is a full-fledged device, we consider thatall operations executed in this step are affordable.Error tracing at intermediate nodes. This procedure is onlyinvoked in case of a corrupted message event. An intermediatenode may need to verify a signature and check the valueI j sent by each of its children. Each check takes OðnÞ time.Since the number of children may also be OðnÞ, the maximumtime spent on this operation is Oðn 2 Þ. Checking r j hasat most the same cost. In this step, we require one signatureverification. As explained above, this operation is affordableon real sensor nodes like the MICA2 mote. In addition to that,intermediate nodes must execute Oðn 2 Þ additions modulo 2 s .These operations are suitable for resource-constrained nodestoo.4.3. Message length optimizationOur system is designed for nodes that are resource and powerconstraineddevices. This motivates the need to reduce energy consumptionas much as possible. Reducing the length of messages isone way to achieve this.In our protocol, leaf U i sends ðI i ; r i Þ where I i is a tn bit long binarysequence. Useful information within I i is contained in bits locatedbetween positions tði 1Þþ1 and ti. The remaining bits ofI i are set to 0.This information could be represented in a more compact wayusing log n bits to code index i and t bits for useful information.In this way, the length of I i would be t þ log n. Aggregation ofvectors I i would be done by concatenation. In this way, thelength of a vector I containing data from j leaves would bejðt þ log nÞ bits.For small values of j this results in shorter messages than thosedescribed in our protocol above (i.e. when jðt þ log nÞ < tn). Lowvalues of j appear at nodes that are far from the root. However,when j grows towards n this new coding results in longer messagesthan those described above.Therefore, using this alternative coding when j satisfiesjðt þ log nÞ < tn (near the leaves) and switching to the initial codingwhen messages get near the root is a way to minimize the length oftransmitted data.5. ConclusionA scalable and lightweight protocol for secure many-to-onesymbol transmission in tree-based networks has been presented.This proposal is the first one in the literature that provides thiskind of communication for resource-constrained devices, whichare quite common in sensor networks. Our scheme provides constantmessage length and OðnÞ cost for symbol extraction at thebase station, where n is the number of senders (leaves of the tree).Besides, it achieves the fundamental security properties: confidentiality,authentication and integrity.
A. Viejo et al. / Computer Communications 31 (2008) 2408–2413 2413Regarding computation, this protocol has been designed to bevery lightweight at leaves and intermediate nodes:(1) Leaves are only required to compute hash functions, bitwiseoperations and two signature verifications (the first one atthe beginning and the last one at the end of each protocolexecution).(2) In a correct protocol execution, intermediate nodes are onlyrequired to aggregate messages which represent bitwise ORoperations and additions modulo 2 s . In case of message corruption(whether intentional or accidental), intermediatenodes are required to verify one signature and check themessages received from their children. Message corruptionis thwarted by removing corrupting nodes from the network.AcknowledgmentsThe authors are with the UNESCO Chair in Data Privacy, butthey are solely responsible for the views expressed in this paper,which do not necessarily reflect the position of UNESCO norcommit that organization. This work was partly supported by theSpanish Ministry of Science and Education through projectsTSI2007-65406-C03-01 ‘‘E-AEGIS” and CONSOLIDER INGENIO2010 CSD2007-00004”ARES”, and by the Government of Cataloniaunder Grant 2005 SGR 00446.References B. Quinn, K. Almeroth, IP multicast applications: challenges and solutions,Internet RFC 3170, 2001, Available from: . Z. Benenson, Authenticated queries in sensor networks, Lecture Notes inComputer Science 3813 (2005) 54–67. R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signaturesand public-key cryptosystems, Communications of the ACM 21 (1978) 120–126. M. Rabin, Digitalized Signatures and Public-key Functions as Intractableas Factorization, MIT Laboratory for Computer Science TR-212, January,1979. E.-O. Blaß, M. Zitterbart, Towards acceptable public-key encryption in sensornetworks, in: ACM Second International Workshop on Ubiquitous Computing,2005, pp. 88–93. T. Wolf, S.Y. Choi, Aggregated hierarchical multicast – a many-to-manycommunication paradigm using programmable networks, IEEE Transactionson Systems, Man and Cybernetics – Part C 33 (3) (2003) 358–369. A. Nicolosi, D. Mazières, Secure acknowledgment of multicast messages inopen peer-to-peer networks, in: Proceedings of the Third InternationalWorkshop on Peer-to-Peer Systems – IPTPS’04, San Diego, CA, 2004. C. Castelluccia, S. Jarecki, J. Kim, G. Tsudik, Secure acknowledgmentaggregation and multisignatures with limited robustness, ComputerNetworks 50 (10) (2006) 1639–1652. J. Domingo-Ferrer, A. Martínez-Ballesté, F. Sebé, Secure reversecommunications in a multicast tree, Lecture Notes in Computer Science 3042(2004) 807–816. F. Sebé, A. Viejo, J. Domingo-Ferrer, Secure many-to-one symbol transmissionfor implementation on smart cards, Computer Networks 51 (9) (2007) 2299–2307. F. Sebé, J. Domingo-Ferrer, Scalability and security in biased many-to-onecommunication, Computer Networks 51 (1) (2007) 1–13. ANSI X9.62-1998, Public Key Cryptography for the Financial ServicesIndustry: The Elliptic Curve Digital Signature Algorithm (ECDSA),American National Standard for Financial Services, American BankersAssociation, 1999. D.J. Johnson, A.J. Menezes, S.A. Vanstone, The elliptic curve digital signaturealgorithm (ECDSA), International Journal of Information Security 1 (2001) 36–63. University of California Berkeley, Tiny OS Hardware Designs, 2004, Availablefrom: . Crossbow Technology, Inc., MICA2 Data Sheet, 2008, Available from: .