欧洲首届Ad-hoc与传感器网络安全研讨会

需积分: 3 68 浏览量更新于2024-08-01 收藏 3.45MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

"Springer出版的《Security in Ad-hoc and Sensor Networks》是第一本欧洲研讨会的论文集，属于计算机科学系列讲座（Lecture Notes in Computer Science，卷3313）。该书关注的是移动Ad-hoc网络和传感器网络的安全问题，由多位知名学者和专家编辑并贡献章节，包括David Hutchison、Takeo Kanade、Jon M. Kleinberg等。书中涵盖了这些网络领域的安全挑战、解决方案以及最新的研究成果。" Ad-hoc网络和传感器网络是分布式通信网络的两个重要类型，它们在无线通信、物联网(IoT)和军事应用中有着广泛的应用。Ad-hoc网络是一种临时性、自组织的网络，其中的设备可以直接相互通信，而不需要固定的基础设施。这种网络结构的灵活性使得它在灾难救援、战场通信等场景中非常有用，但也带来了独特的安全挑战，例如节点间的身份验证、数据完整性和网络路由安全。传感器网络通常由大量微型传感器节点组成，这些节点能够感知环境并进行通信。它们常用于环境监测、智能城市和工业自动化等领域。然而，由于节点资源有限且分布广泛，传感器网络面临着能量效率、隐私保护和抵御恶意攻击的复杂问题。本书深入探讨了Ad-hoc和传感器网络的安全特性，可能包括以下几个方面： 1. 安全协议设计：如何设计适应网络动态性的安全协议，确保数据在传输过程中的机密性、完整性和可用性。 2. 节点认证：在没有中心权威机构的情况下，如何实现节点间的相互认证，防止假冒和中间人攻击。 3. 安全路由：研究安全路由算法，避免数据包被篡改或路由到错误的目的地。 4. 隐私保护：在收集和传输敏感数据时，如何保护用户的隐私不被泄露。 5. 能量效率：设计低能耗的安全机制，延长网络的生存时间。 6. 安全监测与防御：如何检测和应对网络中的恶意行为，如节点失效、拒绝服务攻击等。 7. 安全更新和维护：在网络规模大且分散的环境下，如何有效地进行软件更新和故障修复，同时保持安全性。通过深入研究这些议题，本书旨在为研究人员、工程师和政策制定者提供一个全面的视角，了解并解决Ad-hoc和传感器网络中的安全问题，推动这些技术在实际应用中的安全实践。

资源详情

资源推荐

8 G. Gaubatz, J.-P. Kaps, and B. Sunar

P =



· C · V

+ Q

· V



· f · N



 

dyn

+ I

leak

· V

  

leak

(1)

The term P

dyn

represents the dynamic power dissipated during circuit ac-

tivity. Circuit capacitance C, short-circuit charge Q

and supply voltage V

are technology dependent parameters [18] outside of our inﬂuence. The switch-

ing activity N and operating frequency f, however, can be inﬂuenced, and thus

minimized, by architectural decisions. The second term P

leak

represents the static

power dissipation due to the leakage current I

leak

. The leakage current is directly

determined by the number of gates and the process technology. For more infor-

mation about low-power design see [19]. Since we are using a standard cell based

design ﬂow, transistor level circuit optimizations are outside of the scope of this

paper. In order to minimize the power consumption, we optimized our gate level

design according to the following rules:

– The number of transitions (‘0’ to ‘1’ and ‘1’ to ‘0’) has to be minimal.

– The circuit size should be minimized.

– Glitches cause unnecessary transitions and therefore should be avoided.

Our work is focused on the architectural aspects of low-power design, not

on any speciﬁc VLSI techniques. Our architectures are implemented using a

common CMOS standard cell design ﬂow: circuit speciﬁcation in structural

VHDL, functional RT level simulation (ModelSim), synthesis (DesignCompiler

Ultra, TSMC 0.13µm standard cell library), power optimization using anno-

tated switching activity and delay information (DesignCompiler, PowerCompiler

and ModelSim), and power analysis (PrimePower, back-annotated wire capaci-

tances).

The TSMC library we use is fully characterized for timing and power con-

sumption and includes several diﬀerent wireload models for worst case estimation

of interconnect capacitances. We would like to stress at this point that, although

we use a low-voltage library, it is not in any way optimized for low-power designs.

4 Implementation

In order to provide a common ground for both implementations we had to make

certain assumptions about the application scenario, which we state in the follow-

ing paragraphs. Subsequently we describe the speciﬁcs of both implementations.

4.1 Assumptions

Sensor networks typically consist of a number of tiny nodes communicating with

a base station [1]. The base station collects the data from the sensors and com-

municates with the outside world. The sensor nodes have only limited power

and can therefore only communicate directly with nodes in close vicinity. They

Public Key Cryptography in Sensor Networks—Revisited 9

establish a routing tree with the base station at its root. The base station is

assumed to have suﬃcient power for all computations and communications with

the nodes and the outside world. Based on this setting we made the following

assumptions:

– As stated in the introduction, we only consider the encryption operation of

both systems. The purpose of this paper is to show that public key cryptog-

raphy is computationally feasible in this environment.

– Depending on the exact application scenario it might be possible to ﬁx the

public key to a constant value. This is extremely beneﬁcial for ultra-low

power implementation, since the key can be embedded statically and does

not require costly storage elements. In our implementations the public key

is either hardwired or realized as a look-up table in combinational logic.

– Power consumption and energy eﬃciency are two diﬀerent things. Depending

on the actual application scenario one might want to trade oﬀ the two metrics

diﬀerently over one another.

4.2 Rabin’s Scheme

We have shown in Section 2.2 that the basic function for encryption in Rabin’s

Scheme is a simple squaring operation E

(x)=x

mod n,ifwesetb =0.

Squarers are a special form of multiplier. While any multiplier can be used

to compute the square of a number, special-purpose squarers usually require

signiﬁcantly less hardware and are faster [20] by exploiting the symmetry of the

squaring operation.

Squarers can be implemented in many ways. As our main concern is to con-

serve power we chose a bit-serial approach. The main advantage of a bit-serial

design is that it minimizes the number of gates and reduces wire lengths—all

factors that are of concern with regards to the circuit’s power consumption. The

bit-serial approach is ideal for modular reduction. Using the most signiﬁcant bit

(MSB) ﬁrst method, modular reduction can be performed elegantly after each

partial product addition. The generation of the partial product sequence, how-

ever, requires an extra 512-bit register. This is very expensive in terms of area

and leakage power as each ﬂip-ﬂop is the equivalent of 6 gates. Therefore, we

implemented the squarer as a bit serial modular multiplier where multiplicand

and multiplier are hard-wired to the same input. All 512 bits of input are avail-

able in parallel at the same time. As a multiplier does not take advantage of the

symmetry in squaring we expect it to consume more switching power. However,

due to its smaller footprint the leakage power is also greatly reduced. At the

low clock frequencies commonly encountered in sensor nodes, the inﬂuence of

leakage power is the dominant part. An additional advantage of this approach is

that this unit can easily be converted to a full multiplier for an implementation

of RSA or a similar algorithm.

Figure 2 shows the architecture of our squarer. It is a standard bit serial mul-

tiplier design comprised of a Left Shift Register,aBit Multiplier,aLeft Shift unit,

and the main units Adder and Sum Register. In order to perform modular multi-

plication we added two multiplexers which toggle the input of the adder between

10 G. Gaubatz, J.-P. Kaps, and B. Sunar

the next partial product and the 2’s complement of the modulus n (reduction).

The control logic determines whether a reduction operation is necessary after an

addition. Since we are using the same adder for both functions, the number of

clock cycles needed for one squaring is data dependent and at most 1024.

The most complex part of the squarer is the Adder. There are two basic adder

designs that are suitable for a low power implementation, namely carry-save adder

and ripple-carry adder. A ripple-carry adder uses fewer gates and hence consumes

the least amount of leakage power, but as the worst case carry chain is the

longest, this adder also has the longest delay. The propagation of carries causes

glitches which in turn cause a very high dynamic power consumption. A carry-

save adder on the other hand propagates carries only by one position, hence there

are no glitches, resulting in insigniﬁcant amounts of delay and dynamic power

consumption. Its disadvantage is that the result is kept in redundant carry-save

representation which requires 512 additional ﬂip-ﬂops. This in turn causes a

higher consumption of leakage power. Since partial products and complements

of the modulus can be accumulated in redundant form, the ﬁnal non-redundant

result needs to be computed only at the very end of the multiplication which

takes 512 additional clock cycles.

Neither of both approaches seems optimal for this implementation, so we

tried to strike a balance between power and speed. For our adder we are using a

ripple-carry adder and insert a carry-save bit on every 8th bit position. Hence the

carries ripple for a maximum of 8 bits causing some glitching but signiﬁcantly

less than a full ripple-carry adder would. The dynamic power consumption is

therefore much lower than for a full ripple-carry adder. This adder also needs

only 64 additional ﬂip-ﬂops to store the carry bits, which is 448 ﬂip-ﬂops less

than necessary for a full carry-save adder. This approach, however, introduces

a new diﬃculty. After adding a partial product to the sum, the result has to

be shifted. This would misalign the saved carry bits

. Hence, carry bits need

to be re-aligned before shifting the sum. This is done by adding the carry bits

to the sum in the appropriate position and saving the carry bits at the new

position. The cost for this is a 512 bit multiplexer, 512 additional clock cycles

and a slightly more complex control logic.

The Control logic is comprised of two state machines and one counter. The

counter is implemented as a Linear Feedback Shift Register (LFSR) and “counts”

up to 512. LFSRs have reduced switching activity and are faster than regular

counters, hence reducing the eﬀects on the critical path delay. Furthermore it is

clock gated and can be reset. The counter is used to count all the multiplication

steps and also to count the worst case number of steps necessary to ripple all

64 carry-save ﬂip-ﬂops. The main state machine of this control logic keeps track

of the overall operation of the circuit. The second state machine takes care of

arithmetic operations of the circuit. Furthermore it is responsible for the clock

gating of the counter and the left shift register (see Figure 2).

This problem does not occur when a full carry-save adder is being used as there is

one carry bit associated with every bit position

Public Key Cryptography in Sensor Networks—Revisited 11

4.3 NtruEncrypt

The basis for our ultra-low power NtruEncrypt architecture is the multiplication

operation in the ring R, a cyclic convolution of two polynomials of the same

degree N. Considering a scenario, in which a sensor node encrypts a message and

sends it to the base station, allows us to make the following observations which

are helpful in creating an ultra-low power architecture. Similar observations can

also be made for the case of decryption, but these are omitted here due to space

restrictions.

– As mentioned at the beginning of this section, the public key of the node

h(x) is constant and embedded in the device. Since p is also constant, we

can store a pre-scaled version of the public key h



(x)=ph(x)modq.Thus

we only need to compute c(x)=φ(x)  h



(x)+m(x)modq.

– Coeﬃcients of the public key h(x) are computed modulo q and therefore

occupy the larger of two wordsizes, while those of the random polynomial

φ(x) are reduced modulo p. For our choice of p = 3 each coeﬃcients of φ(x)

is encoded as two bits. Since the public key is constant and realized as a

look-up table, only 2N bits of storage are required as opposed to N log

q.

– We assume that we have a good source of random bits available for generation

of the random polynomial φ(x). In this paper we focus on the computational

aspects of NtruEncrypt only, and therefore random number generation falls

outside of the scope of this paper. For information on a compact implemen-

tation of an RNG based on digital artefacts requiring only a few hundred

gates we refer to [21].

The algorithm consists of two nested loops: The outer loop iterates over all N

coeﬃcients of the result. The inner loop computes the coeﬃcient by accumulat-

ing products of the form a

, with index i increasing and j decreasing modN.

The three major building blocks comprising the data path of the circuit—public

key LUT, arithmetic units and circular buﬀer—are illustrated in Figure 3. The

public key look-up table is realized in combinational logic that lends itself to

optimization through the synthesis tool. The circular buﬀer consists of 2N bits

of storage elements containing the coeﬃcients of the random polynomial φ(x).

Data enters the buﬀer through a multiplexer which connects the two ends of

the buﬀer and forms a ring. Both, public key LUT and circular buﬀer, feed into

the arithmetic units (AUs) which multiply and accumulate the operands. The

smallest version of the circuit implements only a single AU. Yet, the architec-

ture allows the implementor to scale up the number k of parallel AUs relatively

easily, with minimal impact on the other elements of the design. Section 5.4 elab-

orates further on NtruEncrypt’s inherent scalability. An AU consists of a partial

product generator, a carry-save adder and a register. For any long operand a

and short operand b the partial product generator will compute ab mod q.By

choosing p = 3 and q = 128 the modular reduction of the intermediate result

c =



mod q comes essentially for free through simple truncation of bits at

positions ≥ log

q =7.

The control logic is designed to be as simple as possible in order to avoid being

the bottleneck in terms of power consumption. The two nested counters needed

12 G. Gaubatz, J.-P. Kaps, and B. Sunar

for keeping track of coeﬃcients in the inner and outer loop of the algorithm are

implemented as Linear Feedback Shift Registers (LFSR) for reduced switching

activity. Furthermore, clock gating is used extensively whenever possible, to

avoid any unnecessary switching activity and reduce parasitic wire capacitance.

In the case of only a single AU each round of computation takes N +8

clock cycles to complete, with one coeﬃcient per round. The eight additional

clock cycles are necessary for addition of the message coeﬃcient and propagation

of carries in the carry-save adder. The total number of clock cycles for a full

polynomial multiplication of N coeﬃcients therefore takes 29, 225 clock cycles

(N = 167). If k AUs are computing coeﬃcients in parallel, the rounds overlap

partially and the number of clock cycles amounts to (N + 8)(N/k)+k −1. For

a high degree of parallelization k the number of clock cycles can thus be reduced

dramatically, i.e. to only 433 cycles for k = 84.

5 Analysis

In this section we analyze the proposed architectures according to various metrics

of interest to ultra low-power applications such as sensor nodes. Since both

architectures and algorithms are distinctly diﬀerent from each other a direct

comparison is diﬃcult. We alleviate this situation by ﬁxing system parameters

to values that match security levels of both systems as closely as possible, as

mentioned in Section 2.1.

5.1 Deﬁnition of Metrics

Chip Area. The number of equivalent gates (2-input NAND gate) used by the

circuit. This metric is independent of the process technology, and correlates well

with the actual area of the physical layout.

Power Consumption. This is the total power consumption of the circuit, cate-

gorized into static and dynamic power. This metric is highly dependent on the

process technology. In this context, however, both architectures use the same

target library so that diﬀerences in power consumption are a direct consequence

of diﬀerences in the architecture.

Throughput. Speciﬁes the number of plaintext bits that are encrypted per sec-

ond. This metric is independent of any message expansion properties of a given

system.

Energy per Bit Encrypted. Amount of energy necessary to encrypt a single bit

of the message. This metric can be used to compare the energy eﬃciency of

cryptosystems with a roughly equivalent level of security. It is independent of

the actual operand length.

Scalability. Refers to the possibility of scaling an algorithm between bit serial and

highly parallelized realizations in an eﬃcient manner. A closely related concept

is modularity, which is an indicator of how easily simple processing elements

剩余237页未读，继续阅读

DoomLord

粉丝: 114
资源: 1318

欧洲首届Ad-hoc与传感器网络安全研讨会

网络游戏-基于多协议模块结构的智慧型AD-HOC的自适应传感器网络.zip

Ad-hoc网络.doc

无线传感器网络与AD-HOC对比：计算机网络新趋势

模糊逻辑与图理论驱动的Ad-Hoc网络数据平面安全信任系统

"Ad-hoc网络安全节点发现及应用

基于博弈论的Ad hoc网络安全研究

移动adhoc网络中黑洞的检测

基于Fuzzy-TOPSIS的移动无线传感器网络的寿命优化

Ad-hoc Process

ubuntu中使用ansible的ad-hoc下载软件

ad-hoc 网络 与Link16 的联系或者是区别是什么？

什么是ad-hoc测试

linux 下adhoc

在计算机领域中，ad-hoc网络是什么

使用ad-hoc命令检查Ansible的部署结果

详细介绍 ad-hoc 网络

ansible ad-hoc和ansible playbook的区别

1、ansible ad-hoc常用命令 2、YMAL文件格式 3、编写简单的playbook

COOPERATIVE RELAYING FOR AD-HOC GROUND NETWORKS USING SWARM UAVS

最新资源

ad-hoc 网络与Link16 的联系或者是区别是什么？