Telechargé par Abdoulaye Mbaye


Accepted Manuscript
Energy-efficient Mechanisms in Security of the Internet of Things: A
Hamed Hellaoui, Mouloud Koudil, Abdelmadjid Bouabdallah
To appear in:
Computer Networks
Received date:
Revised date:
Accepted date:
24 February 2017
8 July 2017
14 August 2017
Please cite this article as: Hamed Hellaoui, Mouloud Koudil, Abdelmadjid Bouabdallah, Energy-efficient
Mechanisms in Security of the Internet of Things: A survey, Computer Networks (2017), doi:
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service
to our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please
note that during the production process errors may be discovered which could affect the content, and
all legal disclaimers that apply to the journal pertain.
Energy-efficient Mechanisms in Security of the Internet of Things: A survey
Hamed Hellaouia,∗, Mouloud Koudila , Abdelmadjid Bouabdallahb
a Ecole
b Sorbonne
nationale Supérieure d’Informatique ESI, LMCS Laboratory, BP 68 M 16309 Oued Smar, El Harrach, Algiers, Algeria.
Universités, Université de Technologie de Compiègne UTC, CNRS, Heudiasyc UMR 7253 CS 60 319, 60 203 Compiègne cedex, France.
Security primitives in the IoT (Internet of Things) are energy consuming. Finding the best solutions that reduce energy consumption while ensuring the required security services is not an easy task. Many works proposed in the literature address security
overhead issues by tackling some aspects such as cryptographic primitives, deployment environments, target applications, etc.
This paper is a survey on energy-efficient mechanisms used in IoT security services. By studying the techniques that allow
developing energy-efficient security solutions, it goes further than the previous surveys which focus more on the energy-efficient
solutions themselves. To the best of our knowledge, this is the first work that tackles IoT security from this perspective. Not only
security issues are addressed in this survey, but the energy impact of the solutions are also discussed. Energy consumption related
to security services is first introduced. A taxonomy is then proposed for energy-efficient mechanisms in IoT security. The main
factors affecting the application of an energy-saving technique for security solutions are finally analyzed.
Keywords: Internet of Things (IoT), Security, Energy efficiency.
1. Introduction
The Internet of Things (IoT) is a relatively new paradigm that
is attracting increasing attention from both scientific and industrial communities. It consists in extending the network to the
real world, allowing the connection of physical objects. Thanks
to communication technologies, objects (such as sensors, actuators, RFID tags) are able to communicate with each other and
with users in order to achieve common objectives. Although the
potential offered by the IoT allows many applications in different areas (e.g. smart cities, smart grids, healthcare monitoring,
etc.), a large-scale deployment of this technology depends on
its robustness and its security [1, 2].
Many IoT applications are very sensitive. As an example, parameters measured by sensor nodes in a healthcare application
are related to human physiological signs, such as heart rate or
body temperature. These sensitive data must not be available
for unauthorized parties for capture or modification.In the other
hand, the IoT is vulnerable to many types of attacks. The ability to listen, alter or disrupt information is easier to do in such
networks, which typically use wireless communications without infrastructure. Objects can also be compromised and malicious nodes can be injected in the network, which may result
in unauthorized actions on data and network resources. Moreover, as connected objects tend to invest our daily lives, the IoT
could become a huge breach in users’ privacy. It is therefore
important to consider the required security services to ensure
IoT protection from attacks.
∗ Corresponding
Email addresses: [email protected] (Hamed Hellaoui),
[email protected] (Mouloud Koudil),
[email protected] (Abdelmadjid Bouabdallah)
Preprint submitted to Computer Networks
Security services are typically instantiated on the basis
of heavy schemes (e.g. encryption/decryption and signature/verification). They are generally designed to maintain a
high security level without taking resource consumption into
account. However, the IoT includes devices that are constrained
in terms of resources (e.g. energy, storage, communication).
The application of heavy security primitives on some nodes, as
sensors and RFID tags, would consume resources and may divert these nodes from executing their main tasks. As the nodes
can be battery-powered and expected to operate for a long time,
energy consumption is therefore critical in this network. Replacing the battery may even be impossible in many situations,
where objects must operate autonomously without human intervention. Security solutions must therefore be adapted to the
energy constraints of the nodes in order to prolong their lifetime.
With the emergence of Low-power and Lossy Networks
(LLNs), several research works have been led to propose
energy-saving solutions for security services. These proposals
are varied and cover diverse aspects, such as security primitives,
deployment environments, target applications, etc. Therefore,
finding the efficient method that reduces the energy consumption while ensuring the required security service is not a trivial
task, and it requires careful study so as not to sacrifice security. The objective of this work is to survey energy-efficient
mechanisms that can be applied in IoT security solutions. It is
intended to assist security protocol designers to select appropriate mechanisms for energy saving, before proceeding with
implementation. It is with this aim in mind that this paper proposes a taxonomy of energy-efficient mechanisms in IoT security, studies each one, and analyzes their applicability. The
added value of this survey is to contribute to the application of
August 14, 2017
energy-efficient mechanisms in IoT security solutions. While
existing IoT security surveys focus more on reviewing energyefficient protocols, the proposed work goes beyond this and
studies what makes a security solution energy-efficient. As far
as we know, this is the first survey with such an objective.
Contributions of this survey can be summarized in the three
following points:
• A discussion on security services in the IoT is performed,
from an energy consumption point of view.
• A taxonomy of energy-efficient mechanisms in IoT security
is proposed. Each one is studied, in addition to some proposed
solutions that use the mechanism.
• A discussion is devoted to the environment and the applicability of energy-saving mechanisms in the IoT security services.
connecting objects to the Internet. The paper focuses on strategies of integrating low-power WSN with the Internet, and the
required security depending on the integration approach.
The deployment of the IoT is associated to the development
of new communication protocols and standards. In the work
of Granjal et al. [8], authors address security in IoT communication standards. They consider a stack of standardized communication protocols designed for the IoT. Then, they discuss
security and open issues for each communication protocol of
the stack.
Security proposals are also related to projects and middleware solutions. Sicari et al. [9] lead a survey in the field of IoT
security. They analyze available solutions regarding security,
trust and privacy, as well as exiting projects and middlewares
that deal with these issues.
The rest of this paper is organized as follows. Section 2
presents the related surveys led on IoT security and highlights
the motivation behind of this work. Section 3 discusses services
that can be addressed to ensure security in the IoT. It also deals
with energy consumption related to security services. Energysaving mechanisms in security are studied in section 4. This
section provides a taxonomy of existing mechanisms and surveys relevant solutions that use these techniques. In section 5,
a discussion is conducted on the appropriate environment and
the applicability of energy-saving mechanisms for IoT security
solutions. Finally section 6 concludes this paper.
IoT security and privacy issues can also be seen from a legal point of view. In [10], Weber addressed IoT security from
this perspective. He presents security and privacy needs, and
discusses milestones for the establishment of an adequate legal
framework by an international legislator.
2. Related works
Several surveys have been led to deal with security issues in
the IoT. Most of these studies aim to review existing security
protocols and solutions. For instance, Atzori et al. present in
[1] a general survey on the IoT evoking some limits of security
and privacy solutions, as well as the related open issues that can
be addressed. The same observation can be made for the survey
of Miorandi et al. [2].
Other surveys tackle a specific security service in the IoT.
The work of Roman et al. [3] evaluates existing key management systems for wireless sensor networks (WSNs) in the
IoT context. It covers public-key cryptography, pre-shared key
strategies, and link-layer oriented key management systems. In
[4], Yan et al. present a survey on the trust management issue
for the Internet of Things. The authors identify objectives of
trust management systems and evaluate existing solutions for
the IoT. Nguyen and al. focus in [5] on bootstrapping in the
context of the IoT. They provide a taxonomy of existing security protocols proposed for a secure bootstrapping process in
WSNs and the IoT. They also discuss their applicability and
Others surveys led in IoT security address the deployment
and the architectural aspects in this network. Authors in [6] focus on security and privacy in distributed IoT. They evoke the
distributed approach features, analyze attacker models and explore existing security solutions. In another study, Granjal et
al. [7] deal with the way security should be addressed when
[1, 2]
Survey targets in terms of security
General open issues in IoT security
KMS for WSN in the context of the IoT
Trust management solutions and challenges
Solutions for a secure bootstrapping process
Security & privacy issues in distributed IoT
Security solutions of Internet-integrated
Security for IoT communication standards
Security, privacy, trust requirements and solutions
Legislative security and privacy challenges
Table 1: Surveys on security in the Internet of Things
This survey differs from the mentioned studies in the way
it tackles IoT security. Indeed, a great number of solutions
has been proposed to ensure the effectiveness of network security. Energy remains a key factor when it comes to IoT security,
since resource-constrained objects are expected to operate autonomously for a long time. On the other hand, there has been
several works dealing with energy-saving problems in security.
The mentioned surveys focus more on studying solutions that
are adequate for the IoT (a summary is provided in Table 1);
mainly energy-efficient solutions. The goal of this work is to
survey techniques that allow developing energy-efficient security solutions. This approach provides a guideline and helps security protocol designer to develop energy-efficient solutions.
No such approach is used in the previous surveys.
In order to achieve the established objective of the survey, we
start in the next section by presenting some security services
that can be addressed in the IoT, while highlighting the related
energy consumption.
3. Security services in the IoT
tion and key management with ample storage of keys and messages [22]. This becomes problematic for high-traffic and largescale networks, as the IoT.
On the other hand, authentication and access control solutions based on asymmetric cryptography would eliminate the
need for complicated protocols and increase the security. However, public-key cryptography is considered to be very heavy
for constrained nodes, as it is mentioned previously. For instance, Attribute Based Encryption (ABE) [23] and its related
protocols are widely considered to ensure fine-grained access
control with scalability management. The issue when considering these protocols for constrained networks, as the IoT, has to
do with their consumption cost.
Security can be ensured by applying specific services to provide protection from attacks. Indeed, security services are distinguished according to the countermeasures required to face
threats. In the following of this section, some security services
that can be used in the IoT are presented 1 . This section also
deals with the resource consumption related to the security services.
3.1. Confidentiality
Data confidentiality is a security service which ensures that
contents of a given message cannot be available for an unauthorized party. It is performed by encrypting messages, using
symmetric or asymmetric cryptographies, so that it can be decrypted only by the authorized party.
Due to their low consumption cost, symmetric cryptography
schemes have been widely used in constrained networks such
as WSNs. Many evaluations, as [11, 12], show that symmetric
ciphers (like AES [13], RC5 [14] or Skipjack [15]) are fully
suitable for constrained objects. However, key management in
symmetric cryptography becomes a problem when the network
In the IoT, the scalability issue arises with more acuity. Indeed, since 2006, authors such as Lopez [16] highlight the limit
of using symmetric cryptography for WSNs. In the other hand,
asymmetric cryptography provides efficient key management,
but induces more consumption compared to the symmetric one.
Protocols such as RSA [14] or IBE [17], which are widely
used in the Internet, are known to be very intensive in terms
of computation. Direct application of these protocols for the
IoT would be very heavy.
3.3. Signature/verification
3.2. Authentication and access control
Digital signature is a security service that provide a means for
an entity to bind its identity to a piece of information. It ensures
authentication, integrity, and non-repudiation. One of the most
significant applications of digital signatures is the certification
of public keys.
Public-key cryptography is the most used for digital signature. Standards such X.509 and ISO/IEC 9796 are based on
public-key cryptography. RSA cryptosystem [14], or El-Gamal
scheme [24] are examples of the used asymmetric cryptography. However, these asymmetric protocols are so heavy and
their direct application for the IoT would be inefficient.
Although one-time signature schemes (many of which arise
from symmetric-key cryptography) are computationally less
expensive, they require changing keys after each use; otherwise, signatures can be forged [25]. This affects the storage
and the communication capacities in high-traffic networks, and
mitigates the use of these schemes for some applications.
3.4. Key establishment
Authentication is a security service used to ensure that entities are who they claim to be (entity authentication), or that the
received message is as originated (message authentication). As
for access control, it is used to allow or deny entities to access
resources according to policies. Access control is generally performed after authenticating the entities/data.
Because of its low cost computation, some access control and
authentication solutions proposed for constrained networks are
based on symmetric cryptography (e.g. [18–20]). This often
imposes using mechanisms for pre-distribution of keys. However, this also may make these solutions working only for applications they are designed for, and may not support large-scale
networks. In addition, it is difficult to ensure message authentication with non-repudiation when using symmetric cryptography. Even if some solutions, such as SNEP and µTESLA [21],
achieve non-repudiation by emulating asymmetry (through delayed key disclosure and one-way function key chains), the emulation of asymmetric cryptography requires time synchroniza-
Key establishment, or key bootstrapping, is the process that
allows transferring settings between two or more parties, for the
purpose of sharing cryptographic keys. It is basically required
to setup any secure communication channel between nodes (before the network can operate or when a re-keying is needed),
and enable them to perform other security services.
Pre-distribution key establishment schemes, commonly
known as symmetric-key schemes, involve low computation.
They are based on pre-shared credentials (before deployment).
Several pre-distribution solutions have been proposed in the literature, mainly for WSNs (such as [26–30]). However, these
schemes can work for the local networks they are designed for,
and do not address key establishing with a remote entity. Many
IoT applications require establishing secure communications
between entities without any initial knowledge of each other,
or any pre-shared keys.
In contrast, asymmetric-key schemes are the most widely
considered for the Internet, and do not require any initial knowledge. However, the two categories of asymmetric-key schemes,
key transport and key agreement, involve high computations.
Key transport protocols (such as TLS handshake [31]) are based
on public-key cryptography which is commonly known to be
1 Note that other security services might be required for the IoT, such as
trust management. This section interests in energy consuming security services,
which are the target of this survey.
resource intensive. Key agreement protocols (such as Internet
Key Exchange (IKE) [32], Host Identity Protocol (HIP) [33])
are also resource intensive as they use asymmetric primitives.
In addition, an authentication mechanism might be required for
asymmetric-key schemes to bind the key with the communicating peer. This makes asymmetric key establishment schemes
very heavy for resource-constrained networks, such as the IoT.
at least two pairing means that the security service could take
more than 11 seconds.
Size of data
A security service is employed aiming at securing a given
data. The time consumed in executing a security service is proportional to the the data size. The more the data size is big,
the more it takes time to run. The energy consumption depends
directly on this fact.
The size of data concerns not only the data to process, but
also the meta-data related to the security protocol. Indeed, in
security protocols that specify communication aspects (e.g. Internet Protocol security (IPsec) [39], Transport Layer Security
(TLS) [40], or Datagram TLS (DTLS) [41]), a packet header
is considered. The size of this header affects also the energy
overhead, as it is sent and received by the constrained nodes.
Number of calls
Another aspect that affects the consumption overhead of applying security services is the number of calls. This parameter
is related to the use manner of the security service and the number of times it needs to be requested. Let us take for example a
key establishment protocol that is relatively heavy (in the order
of a few seconds or dozens of seconds). A constrained node
can support this protocol as it is executed only one time at the
beginning. However, if this phase is called several times (e.g.
due to re-keying), the consequences on energy can be critical.
A frequent use of a security service will have a big impact on
the consumption compared to only few uses.
3.5. Discussion
Several security services are required for the IoT and many
of them involve heavy primitives. The issue of energy saving in
security was tackled in some LLNs. For instance, several key
establishment solutions for WSNs are based on pre-distribution
(less energy-consuming but not efficient for large-scale networks). However, the IoT comes with new characteristics, such
as the scalability. This makes some already developed energyefficient security solutions inappropriate for IoT applications.
The problem of energy consumption in security services arises
with greater acuity.
To understand the reasons behind the overhead consumption,
an analysis is led on the application of security services in the
context of the IoT. The results of this analysis can be summarized in three levels: heavy operations, size of data, and number
of calls. Table 2 provides a summary on the led analysis.
Heavy operations
The most important reason for the consumption related to
security services is the involved heavy operations. These operations are mainly used in asymmetric cryptography. Indeed,
asymmetric cryptography is based on using hard-to-solve problems in order to make the task of recovering private parameters
from public ones extremely difficult [25]. The underlying used
mathematic operations for these problems are generally heavy,
such as exponentiations and modular exponentiations.
Exponentiations (ge ) and modular exponentiations
(ge mod p) are the basis of many cryptographic protocols,
such as Diffie-Hellman (DH) [34] (which is the basis of many
key agreement protocols) or RSA. These operations are very
computationally expensive as the used parameters are generally
big for security reasons. Lowering the parameters can reduce
the overhead of the operation, but it is not always possible.
Watro et al. proposed in [35] an adaptation of the RSA protocol
to resource-constrained devices. Their idea relies on the use of
smaller parameters such as the exponent. However, this comes
at the price of a lower security level [36]. The evaluation
performed by Watro et al. [35] on Mica1 motes shows that the
RSA exponentiation can take more than 10 seconds, even using
small exponents.
Another operation that is used in many cryptographic protocols is the bilinear pairing. The latter is applied to enable some
security concepts, such as IBE [17] and its variants (whose
idea was formulated by Shamir [37] since 1984) or ABE [23]
and its variants. However, this is a very costly operation for
constrained nodes (the underlying mathematical operations are
heavy). In [38], Oliveira et al. show that the execution of the
pairing operation on a MicaZ node using their proposal implementation, TinyPBC, requires more than 5.5 seconds. Considering the fact that cryptographic operations require generally
The cause
Heavy operations
Size of data
Number of calls
The underlying operations used in asymmetric cryptography are generally heavy
The size of data is proportional to the
overhead of energy consumption
Frequent use of a security service can
have a big impact on consumption
Table 2: Analysis on causes of consumption when applying security services
It appears that many security protocols required in the IoT are
computationally intensive. This raises the necessity for mechanisms allowing to reduce energy consumption in security solutions. The next section is devoted to review energy-efficient
techniques in security.
4. Energy-efficient techniques in security
In this section, the major existing mechanisms used to save
energy in security services are reviewed. Relevant solutions
that use these techniques are also presented. The proposed taxonomy of energy-efficient mechanisms is summarized in Figure
4.1. On-line/off-line security
The concept of on-line/off-line security consists in transforming the cryptographic scheme into two phases. The first one is
performed off-line, before the start of the security service (before knowing the destination, the message to encrypt or to sign,
sec protocols
of protocols
Phy layer sec
Figure 1: The proposed taxonomy of energy-saving mechanisms in security protocols
random seed. The proposed scheme is based on pre-computing
and buffering key stream bytes during periods of high energy,
so they can be used in the future. Evaluation results using the
Trivium stream cipher on ATmega128L and MSP430 show that
energy consumption can be decreased by 14%.
In [43, 45], Schnorr presents an on-line/off-line signature
scheme for smart cards. It aims at reducing the computation
cost for the signer and addresses algorithms based on fixed-base
modular exponentiations, such as Brickell-McCurley [46] or
El-Gamal [24]. This is achieved by pre-computing and storing
a collection of xi = ari mod p, with ri being randomly selected.
For each signature, the modular exponentiation is computed as
multiplications of xi . However, Rooij shows in [47, 48] that the
scheme can be vulnerable to an attack attempting to retrieve the
secret key. Indeed, the combination exponent is no more guaranteed to be random and dependencies can be created between
signatures, which lead to this attack. Since then, other solutions
are proposed to pre-compute modular exponentiations. For example, the proposal in [49] introduces a method to split an exponentiation into a product of a number of exponentiations with
more randomness in outputs. The proposal in [50] is inspired
from the one in [49]. It uses a vector addition chains technique
to compute the product. It is slightly slower than the method
described in [49], but it requires far less memory.
Guo et al. [51] (and other works like [52–55]) address the
design of an on-line/off-line scheme for Identity-Based Encryption (IBE) variants, such as Boneh-Boyen IBE [56] or Gentry
IBE [57]. In such protocols, neither the message nor the recipient’s identity are known during the off-line phase. The idea is
based on the addition of a correction factor. Indeed, in the ciphertext of Boneh-Boyen IBE for example, the part containing
the destination’s ID takes the following form: C0 = (h1 .g1ID ) s ,
and the one containing the message m to encrypt takes the form
e(g1 , g2 ) s .m (e denotes the bilinear map while h1 , g1 , and g2 are
elements of a multiplicative cyclic group of prime order, see
[56] for more details). For the latter part, e(g1 , g2 ) s can be performed off-line and only a multiplication is required on-line.
However, in the former part, the ID is embedded in exponentiations which are energy consuming operations. The solution
etc.). This phase is supposed to absorb a part of the cryptographic overhead by calculating and storing the results of some
costly operations that are required. The second phase is performed on-line. It uses the stored results of the first one, and
is supposed to be very fast [42, 43]. Therefore, on-line/offline security can reduce energy consumption by moving the
off-line phase before the deployment (or when an external energy source is available) and performing on-line only the second
phase, rather than the overall cryptographic scheme.
The on-line/off-line approach implies changes in the cryptographic algorithm of the security scheme, in order to build the
two phases. The more heavy operations are moved to the offline phase, the more energy consumption will be reduced for
the scheme. Obviously, what is moved to the off-line phase
has to be calculable before the start of the security service 2 .
This constitutes the difficulty of applying an on-line/off-line approach, as some heavy operations are generally related to data
that may not be known in advance (e.g. the message to encrypt,
the destination key, etc.). Based on the way to build the two
phases, we propose to classify on-line/off-line approaches into
two categories: operation-centered and service-centered.
4.1.1. Operation-centered
The direct way to apply on-line/off-line security is by moving
all operations that can be pre-computed in advance to the offline phase. This will reduce the consumption related to those
parts in the on-line phase. Operation-centered solutions tackle
the cryptographic operations level and propose a way to precompute these operations.
Some security schemes can be naturally partitioned into online and off-line phases. Pelissier et al. propose in [44] a
scheme that optimizes energy consumption of stream cipher
cryptography in Energy Harvesting Wireless Sensor Networks
(EH-WSNs). Stream ciphers are typically performed by applying the XOR operator between the plaintext bytes and the key
stream bytes. The latter are typically generated serially from a
2 In the following of this paper, the term ‘calculable’ is used to refer to operations that can be computed before the start of the security service
to two keys (a public key HK and a private one T K). It allows
having collisions knowing the two keys. To be more precise,
given a message m and an auxiliary r, it is difficult to find m0 ,r0
such that h(m, r) = h(m0 , r0 ) knowing only HK. However, they
are easy to find when T K is also known. In the off-line phase,
the node randomly generates m0 , r0 and computes the hash using
HK. The result is then signed using the basic signature scheme.
When the message to sign, m, is known in the on-line phase,
the node uses its T K to find r such that h(m, r) = h(m0 , r0 ).
The verification requires computing h(m, r), before verifying
it using the basic signature scheme. Compared to Even et al.
proposal, only r needs to be attached to the signature in order
to allow the verification.
In [62], Bianchi et al. propose an on-line/off-line scheme that
allows supporting the CP-ABE protocol [63] in EH-WSNs. The
difficulty in applying such scheme for ABE relies on the fact
that in addition to the fact that the message is not known at
the off-line phase, attributes are not known either (access policy). The proposed solution uses KEM (use CP-ABE to encryption session keys off-line, and encrypt data on-line using session
keys) and is based on the knowledge of access control policies
that can be considered during the application states. When there
is an energy overhead, session keys are generated and encrypted
using the access control policies that are the most likely to be
useful for the given state. A markov-based model is used to
select the best strategies to store and minimize the cache miss
probability. However, this technique is applicable only for this
context, since information on destination and access policies
are not always available.
is based on the following correction. In the off-line phase, C1
and C2 are calculated as C1 = (h1 .gα1 ) s , C2 = gβs
1 (with α, β being randoms). The node in the on-line phase computes C3 as
C3 = β−1 (ID − α), and adds it in the ciphertext. This requires
only one multiplication and one subtraction. The decryptor can
get C0 as C0 = C1 .C2C3 . This is possible due to the presence of
an algebraic relationship between different identities. Note that
these approaches use generally Key Encapsulation Mechanisms
(KEM3 ) to speed up the on-line phase.
In [58], Hohenberger and Waters propose on-line/off-line
schemes for Attribute-Based Encryption (ABE). As in IBE, neither the message nor the attributes to use for encryption are
known during the off-line phase. The authors address the variant large universe construction [59], which presents an algebraic relationship between the attributes (the correction solution is similar to the one presented earlier for IBE). In addition,
the authors tackle the key generation phase and propose an online/off-line optimization. The bulk of the key generation work
can be performed by off-line servers and passed afterwards to
the on-line servers, where incoming requests can be rapidly processed (a similar correction solution is used for key generation).
The provided performance evaluations show that over 99% of
the computational work could be moved to off-line phase in
many scenarios.
4.1.2. Service-centered
The second class of on-line/off-line security is called here
‘service-centered’. Unlike the first category, service-centered
approaches provide methods to build the two phases without
going down to the cryptographic operations level. Servicecentered on-line/off-line approaches do not require any advanced knowledge about the protocol cryptographic operations
to build the phases. Some related solutions are presented in the
In [42], Even et al. present a method for building on-line/offline signature schemes. The solution is based on one-time signatures, which are very fast. The off-line phase consists in generating pairs of one-time signature/verification keys, and signing verification ones using the basic signature scheme (energy
consuming operation). At the on-line stage, the node retrieves
an unused pair of one-time keys, and then signs the message
using the one-time signature scheme (fast operation). The verification is performed by checking first the one-time verification
key with respect to the basic signature scheme (to validate that
it was signed by the sender), then this key can be used to verify
message. However, as stated in other works, this technique increases the size of each signature by a quadratic factor, which is
its major drawback (note that the one-time verification key and
its signature are both attached to the signed message to enable
the verification).
In [60], Shamir and Tauman propose another on-line/off-line
signature scheme, based on trapdoor hash functions [61]. A
trapdoor hash function, h, is a probabilistic function associated
Method of precomputation
[43, 45,
49, 50]
Factorization of
Correction technique
Correction technique
One-time signature on KEM
Trapdoor hash
Authen (Stream
Sign (discrete
Access control
Access control
Table 3: On-line/off-line security approaches
The difference between on-line/off-line approaches
(operation-centered and service-centered) is the way the
two phases are built. Operation-centered on-line/off-line solutions identify the heavy operations of the protocol and propose
a mechanism to allow their pre-computation. In contrast,
service-centered solutions provide a way to build the two
3 Key Encapsulation Mechanism (KEM): a technique that consists on encrypting a symmetric key using the original public-key scheme, then the data
could be encrypted using the symmetric key
phases without requiring going down to the heavy operations.
This makes service-centered solutions more generic compared
to operation-centered ones. Even the proposal in [62], which
tackles the CP-ABE protocol, can be considered for other
protocols. A summary of the mentioned on-line/off-line
security solutions is provided in Table 3.
security services in WSNs using a FPGA (Xilixn Zynq 7000
FPGA/SoC family). Yussoff et al. present in [70] an outsourcing approach to implement IBE in a WSNs. Their solution relies in using an ARM processor (ARM1176JZF-S) instead of a
TPM chip.
Trusted-based outsourcing solutions are based, mostly, on
hardware devices that can be added to the constrained node.
This can preserve the helper trustworthiness. However, this
could be very expensive as it requires equipping every constrained node with a dedicated helper.
4.2. Outsource security
4.2.2. Semi-trusted assistance
When a dedicated hardware, such as a TPM, is not available,
a node may rely on accessible unconstrained devices to outsource cryptographic operations. However, when doing so, it
is very important to ensure that the information the helper gets
will not lead to reveal the information to secure. This is required
to maintain the confidentiality while outsourcing security. The
term ‘semi-trusted’ refers to an entity that performs correctly
what it is asked for, but it may attempt to learn more about the
the information to secure. Some solutions that consider semitrusted assistants while outsourcing security are presented in
the following.
Touati et al. present in [71, 72] an outsourcing approach that
enables a constrained node to encrypt data using ABE (CPABE [63] and KP-ABE [73]) and store it in a remote server.
As explained in their papers, the number of exponentiations to
compute increases linearly with the number of attributes. Their
approach to compute an exponentiation ga consists in selecting
n assisting devices and splitting a into n parts ai , such as the
sum of all ai gives a (a = ni=1 ai ). Then, each assisting device computes the exponentiation gai and the constrained node
can have the original exponentiation by multiplying their results
(ga = ni=1 gai ).
Green et al. propose in [74] an approach to outsource the
decryption of ABE in cloud storage applications. It aims at reducing the decryption cost for legitimate users requesting data
stored in the cloud. In their proposal solution, a user can provide the cloud with a transformation key that allows the cloud
to translate the ciphertext into partially decrypted ciphertext,
without being able to read anything about the message. The
user can then complete the decryption using its secret key with
less expensive operations.
The outsourcing approach is based on using cryptographic
helpers to compute costly operations. It consists in splitting the
cryptographic algorithm into two parts. The first one is executed locally and is supposed to be less computationally intensive. The second one is computed by the cryptographic helpers;
it can carry intensive computations. Outsourcing solutions can
thus reduce energy consumption by delegating some costly operations to more powerful devices.
Outsource security is based on delegating heavy operations
to more powerful assistants. However, the involvement of other
entities in a task such as security may be very critical. Let us
take for instance the CP-ABE protocol [63]. A part of the encryption operation is performed by multiplying the plaintext M
with a pairing exponentiation e(g, g)αs . A simple approach to
apply the outsourcing is to delegate the computation of e(g, g)αs
to an assisting node. However, knowing this exponentiation, the
assisting node will be able to recover the plaintext even if it is
not intended to that assisting node (division by the exponentiation). Furthermore, if the assisting node returns wrong results,
this could lead to a wrong security operation.
Depending on the type of assisting nodes and what to delegate, we propose to classify outsourcing approaches in three
types: outsource security using trusted assistance, using semitrusted assistance, and using untrusted assistance.
4.2.1. Trusted assistance
Outsource security can rely on trusted assistants. These latter are fully trusted and do not present risks for the security
service. The heavy operation can therefore be delegated to that
assistant without compromising the security. Some outsource
security approaches based on trusted assistants are presented in
the following.
In [36, 64], Hu et al. present an implementation providing security services based on RSA and XTEA [65] protocols
for WSNs, using assistance from a Trusted Platform module
(TPM). TPM is a commodity co-processor that is practical to
add. It is a dedicated security chip designed to provide support
for cryptographic operations such as key generation, signing
and encrypting messages, secure hash algorithm, and random
number generation [66]. Kothmayr et al. propose in [67, 68]
an approach to enable key establishment in DTLS using assistance from TPMs. Nodes equipped with TPMs can perform
fully authenticated handshake to establish secure communications. The rest of the nodes that are not equipped with TPMs
perform a variate of DTLS with pre-shared keys.
Other solutions are proposed to offer the same assistance as
TPMs, but using other types of hardware. In [69], Barbareschi
et al. present an implementation to support RSA/AES based
4.2.3. Untrusted assistance
Another aspect that can arise when developing outsource security solutions is accuracy. Indeed, even if the assisting device cannot learn anything about the information to secure, returning wrong results would lead to wrong security operations.
The term ‘untrusted assistance’ means that the helper device
may potentially bug and return inaccurate results. Therefore, in
this cases, outsource security solutions need to provide mechanisms to check helper outputs and detect failures. In the following, some approaches that consider untrusted assistants are
In [75], authors present a protocol to outsource modular exponentiations (ga mod p) using two untrusted helpers. Their so7
Semi-trusted assistance
In [76], authors propose an approach to outsource the computation of elliptic-curve pairing e(A, B) using one assistant device. The constrained node requests series of pairing that hide A
and B, then checks the outputs by comparing those that should
give the same result. However, this solution still requires from
the constrained node to compute multiple exponentiations.
[67] /
[69] /
[70] /
[72] Secret
[71] Secret
[74] Partially
[75] Secret
Untrusted assistance
In their work [77], Ben Saied et al. tackle asymmetric key
establishment schemes (key transport and key agreement) for
the IoT. They use multiple helpers and propose threshold distributions. The latter allow the receiver to construct the original
message if at least k ≤ n parts are received (n being the number
of the participating helpers). Indeed, in addition to the fact that
the threshold distribution protects against packet loss, it can be
used to check accuracy. By constructing and comparing different combinations of k packets from the pool of n packets, it is
possible to detect the node providing wrong information.
Ref Confidential- Accuracy
ity method method
[36] /
The key transport proposal of [77] addresses protocols such
as TLS handshake. In such protocols, the heavy parts are the
asymmetric operations (encrypting the secret with the recipient public key and signing the message). The authors’ solution
is based on splitting the secret into n parts and sending each
one to a helper, which performs the asymmetric cryptography.
The threshold distribution is based on a forward error correction scheme [78], which adds redundancy in packets so that it
can be recovered if at least k packets are received.
Network/ Security serdevices vices/protocols
Key establishment
control (KPABE)
control (CPABE)
Access conbased
trol (ABE)
Trusted assistance
lution assumes that at most one of the helpers may deviate from
its functionality without knowing which one. It is based on
breaking a and g into pieces that look random to the helpers
(to ensure confidentiality), and then asking them to compute a
series of (exponent, base). The constrained node can test the
helpers by comparing some outputs that should give the same
[76] Secret
[77] Secret
[77] Secret
(k, n)
(k, n)
based protocols
Pairing based
Key transport
Table 4: Outsource security approaches
4.3. Adaptive security
The second proposal of [77] addresses key agreement protocols based on Diffie-Hellman, such as IKE and HIP. The
most expensive parts are the computation of the two modular
exponentiations of the DH and the signature. To compute a
modular exponentiation ga mod p, the authors propose to split
a into n parts ai , such as ni=1 ai = a mod p. Each helper receives an ai and computes gai mod p. The constrained node applies only n multiplications to get the modular exponentiation
(ga mod p = ni=1 gai mod p). The signature is also offloaded
to the assisting nodes. The threshold distribution is based on
Lagrange polynomial interpolation as it is used in [79].
The adaptive approach consists in adjusting or maintaining
security measures in varying situations. This can be considered when the internal or the environmental parameters influencing the system security are uncertain after the design time,
and changes may occur at runtime [80]. As the IoT is a very
dynamic environment, adaptive security can be used to reduce
consumption, by adjusting security measures. Indeed, as it
is unchanged, static security considers always the worst case,
which would consume network resources.
As stated in [81], adaptation can be implemented in a parametrical and/or structural manner. In the former, adaptation is
associated to changes that may occur in the proprieties and setting of the security method (e.g. the key size or the number of
operational rounds). In contrast, the structural manner implies
changing the security method. For instance, depending on the
system current state, the security protocol can be replaced by
another one.
To adapt security, it is necessary to take the adequate decision about changing security measures. Otherwise, this could
compromise the system security. Let’s consider for example an
adaptive approach that decreases the security level when the
energy becomes scarce (to extend node’s lifetime). A mali-
The principle of outsourcing some cryptographic operations
to more powerful assistants helps effectively to reduce energy
consumption. However, it may introduce security issues. The
difference between the three approaches lies in the type of the
assisting node. When the latter is trusted, any part can be offloaded to the helper without any security concern. As semitrusted helpers present a risk for data confidentiality, the offloaded part must not lead to revealing the data to secure. In
the same way, when using assisting nodes that may potentially
bug and return wrong results, the outsource solution has to consider a mechanism that verifies the results. Table 4 provides a
summary of the studied outsource security approaches.
cious node can exploit this state of fact and take the advantage
if the energy is scarce. Demonstrations showed that attackers
can hack less secured part of a system and get access to more
important parts [82]. We propose to classify adaptive security
solutions, based on the considerations used to take decisions,
into two types: threat-centered and data-centered. Indeed, two
elements are distinguished in this kind of security: the data to
secure and against whom this has to be done.
4.3.1. Threat-centered
One way to adapt security consists in evaluating threats. If
there is no risk, applying security measures is not required
and doing so would consume unnecessary resources. Threatcentered adaptive security approaches rely on evaluating threats
in order to dynamically adapt security rather than systematically considering the worst case. Some threat-centered adaptive
security solutions are presented in the following.
In [83], Li et al. propose a trust-based model to adapt routing
security in Mobile Ad-hoc Networks (MANET). Rather than requesting and verifying certificates at every routing step, the proposed solution avoids this when a node trusts the one it interacts
with. Chigan et al. propose in [84] a framework that provides
adaptation in security services for MANETs. A preliminary offline module is proposed to select a cross-layer set of protocols
with the desired level of security. At run time, an on-line selfadaptation module adapts the security depending on the trust
evaluation of the surrounding. In [85], Younis et al. propose a
trust-based adaptive approach for data routing security in WSN.
The data being transmitted among the nodes can be encrypted
at varying levels according to the trust of the path. The latter
is determined by the least trusted node on the path. However,
trust evaluation in these solutions is based on classical metrics
such as packet drop rate and medium access collision, which
might not provide good reasons for changing the security level
(e.g. an increase in the packet drop rate does not mean that
the encryption level has to be increased). Indeed, trust management systems are designed to deal with selfish behaviors and
internal attacks, and not to assist cryptographic measures. In
another solution, Hellaoui et al. [86] tackle this issue and propose a trust-based adaptive security model for the IoT. Rather
than systematically applying data origin authentication at each
hop, their solution allows a node to perform this only when it
is required depending on the trust level of the message sender.
Here, node’s behavior is its capacity to send authenticated messages. However, as stated by the authors, their solution needs
to consider untrustworthy recommendations.
Hamdi and Abie propose in [87] a Markov game-based
model for adaptive security in the IoT, with an emphasis on
eHealth applications. A mathematical framework is provided
to model the dynamic context in which objects operate, including threat and resource models. A set of strategies is proposed
to adapt security in order to cope with threats and resources.
However, the authors do not define how a node determines if
another one is compromised or not. They simulate an epidemic
model of virus spread in WSNs, which makes their approach
more analytical. The same observation can be made for the
work [88] proposed by Wang et al.
4.3.2. Data-centered
Another way to perform adaptation is by evaluating data sensitivity. Rather than considering the surrounding environment
to evaluate threats, data-centered approaches focus on the data
to secure. Applying security measures on non-sensitive data
consumes unnecessary energy. The goal is to adapt security according to data sensitivity rather than always considering the
highest level. Some data-centered adaptive security approaches
are presented in the following.
In [89], authors propose an adaptive security model for
WSNs. Each application has security requirements associated
to it. The security is gradually decreased when the current energy constraints cannot satisfy application requirements. However, as stated by the authors, lowering the security of the communication increases the potential of attacks even only for data
that are transmitted in these periods.
Taddeo et al. [90] propose an adaptive security approach for
EH-WSNs. Each packet is associated to a priority level that reflects its importance, and security requirements that represent
security suites that might be used for the packet. Strategies
are defined to maximize the number of delivered high-priority
packets, and to ensure that security requirements of each packet
are satisfied. Security lowering is performed only when the
system energy constraints cannot be satisfied. However, the
authors also raise the fact that lowering security increases the
potential of attacks.
Unlike [90], Mauro et al. propose in [91] another adaptive
solution yet for EH-WSNs. Their approach is based on the receiver initiated paradigm [92] in which the sender node waits
for the receiver beacon before transmitting the data. Depending on the amount of available energy, a receiver node adapts
its security parameters and announces them to senders using
beacons. This allows a sender to choose the appropriate receiver based on packet’s criticality. However, although this allows a normal sender to choose the appropriate receiver based
on packet’s criticality, it can also be exploited by a malicious
node. For example, if the latter knows that a node has stopped
its security measures, it can exploit this situation to inject undesired packets in the network through that node.
The approach proposed in [93] introduces a tunable security
module for wireless devices. The idea is that the strength of
security services can be adjusted based on the number of years
information need to be protected. A scheme that maps the number of years to the appropriate security parameters is proposed.
However, this is based on the assumption that the number of
years during which information need to be protected is known.
The key difference between threat-centered and datacentered approaches is the way security si adapted. If the former is based on the evaluation of threats from the surrounding
environment to perform the adaptation, the latter focuses more
on the data to secure. This constitutes the major factor to choose
between the two approaches. In cases where the application can
provide specifications about the data criticality, it is possible to
consider a data-centered approach to perform adaptation. Otherwise, it is necessary to be able to evaluate threats in order to
perform the adequate changes in security. Table 5, provides a
Threat-centered Data-centered
Trust management
Trust management
Trust management
Game theory
Markov process
[89] Data criticality
[90] Data criticality
[91] Data criticality
[93] Data lifetime
Security services/
Sign (hop-by-hop)
Conf (end-to-end)
Auth (hop-by-hop)
Auth (hop-by-hop)
Conf+Auth (hopby-hop)
Conf+Auth (hopby-hop)
Table 5: Adaptive security approaches
summary of the aforementioned adaptive security approaches.
Both approaches involve services at different levels. However, notice that a threat-centered approach is more difficult to
apply for end-to-end security than a data-centered one. Indeed,
an end-to-end threat-centered solution has to consider threat
evaluation along the communication path. In contrast, as being almost independent from threat in the surrounding environment, data centering approaches can be easily considered for
end-to-end security.
4.4. Implementation using low-power security protocols
following presents some asymmetric cryptosystems that can be
considered for constrained devices (a summary is provided in
Table 8).
Rabin’s scheme
Rabin’s scheme [94] is an old algorithm based on the Integer Factorization Problem (IFP). Its security is therefore similar to RSA. The main feature of this algorithm is the computation asymmetry between the encryption and the decryption. The
first operation is very fast compared to the second one, which is
similar to RSA using the same parameters. This makes Rabin’s
scheme interesting for constrained networks that require performing only encryption or signature verification. Proposals, as
[95, 96], use Rabin’s scheme to implement security solutions
for IoT devices ([95] considers a WSN application using nodes
consisting of a 8-bit Atmel microcontroller and a Spartan-IIE
FPGA, while [96] considers passive RFID tags).
Elliptic Curve Cryptography (ECC) is a public-key cryptography approach that is applicable for encryption and digital
signature [97]. It is based on the difficulty to compute discrete logarithms in the group of points of an elliptic curve (this
is ECDLP: Elliptic Curve Discrete Logarithm Problem). The
main operation of ECC is the scalar multiplication which is
quite heavy. However, the same security level provided by RSA
can be achieved by ECC using smaller key sizes. This in turn
affects the performance of the underlying arithmetic operations
(faster computation). This also impacts positively the amount
of data transmitted and stored. Table 6 provides a comparison
between the required key sizes of RSA and ECC for the same
security level.
Ref Decision method
Many old security algorithms and protocols are designed
without taking resource consumption into consideration. The
emergence of pervasive computing raises the necessity for
lightweight security protocols. This has generated a fruitful
field of work for mathematicians. It aims at providing efficient
security protocols requiring less energy consumption. Indeed,
by implementing (or reimplementing) security solutions on the
basis of low-power security protocols, energy consumption can
be effectively reduced. This section makes an overview about
some of the most known security protocols, that are low-power
by nature. It includes asymmetric encryption, symmetric encryption, as well as physical layer security protocols which are
not based on encryption.
level (Bits4 )
RSA key
Table 6: Key sizes comparison between RSA and ECC for equivalent security
levels [98]
Many works, such as [99, 100], show that ECC is more suited
than RSA for small devices. The evaluation led in [99] considers two 8-bit processors (Chipcon CC1010 and Atmel ATmega128), while [100] uses also Atmel ATmega128. ECC
guarantees smaller key sizes, faster computation, as well as
energy and bandwidth saving. In addition, several protocols
have been derived from ECC, such as Elliptic Curve Digital Signature Algorithm (ECDSA), Elliptic Curve Diffie Hellman (ECDH), Elliptic Curve Integrated Encryption Scheme
(ECIES), etc. [98].
4.4.1. Asymmetric protocols
In public-key cryptography, the key pair has to be chosen so
that the possibility to derive the private key from its corresponding public one would be equivalent to solving an intractable
computational problem. For example, the RSA cryptosystem
security is based on the hardness of the Integer Factorization
Problem (IFP). The security of El-Gamal cryptographic system
and its variants, such as DSS, is based on the hardness of the
Discrete Logarithm Problem (DLP). The basis problem impacts
the performance of the cryptographic system and the security
services since it specifies the size of the domain, the key parameters and the arithmetic operations [25].
Other mathematical problems whose intractability can constitute a basis for public-key cryptography are proposed. The
4 Bit is a parameter used to provide equivalent security levels (for comparison). Security level of k Bits means that the best algorithm known for breaking
the system takes approximately 2k steps.
Year Computation Proprieties
1979 IFP
- Encryption is faster than
- Decryption is comparable
in speed to RSA
1985 ECDLP
- Faster than RSA
- Smaller keys and certificates
McEliece 1978 ACT
- Faster encryption and decryption
- Big size of public parameters
1998 SVP
- Faster encryption and decryption
- Big message expansion
McEliece public
key sizes (bits)
RSA key
Table 8: Low-power cryptography solutions
compared to the other low-power cryptosystems. Many solutions for constrained networks are using ECC-based services
(e.g. ECDSA, ECDH, ...). This is probably due to trade-off offered by ECC in terms of computation and storage. Constrained
nodes are generally limited in energy, as well as in storage capacity.
McEliece is a public-key cryptosystem based on Algebraic
Coding Theory (ACT) [101]. Its security is based on errorcorrecting codes and the problem of decoding an arbitrary linear code. The encryption consists in multiplying the plaintext
by a matrix and then adding a random vector. The matrix represents the republic parameter which is a generator of some linear
code. The decryptor can recover the message by considering the
ciphertext as codeword received with error. These operations
make McEliece very fast. Research works, such as [102–104],
show that McEliece is much faster than classical cryptosystems
as RSA, or El-Gamal.
The main drawback of McEliece is the public key size (the
matrix). Compared to some cryptosystems as RSA, McEliece’s
public keys are very expensive to store (a summary is provided
in Table 7 from [105]). This is why McEliece has received little attention for constrained networks [25]. Nevertheless, some
solutions, as [103, 104], propose implementations of McEliece
for embedded devices such as FPGAs (Xilinx families). Even
if FPGAs are less constrained compared to other devices, they
remain part of the IoT.
Table 7: Key sizes of McEliece and RSA for equivalent security levels [105]
NTRU (N-th degree TRUncated polynomial ring) is a publickey cryptosystem used for encryption and digital signature
[106]. It is based on the Shortest Vector Problem (SVP). NTRU
operations are built upon polynomial ring, which makes this
cryptosystem quite fast compared to systems like RSA, ElGamal, or ECC. Many evaluations, such as [22, 107–109], show
that NTRU involves less resource consumption on different devices including FPGAs and microcontrollers.
NTRU requires less memory and less computation compared
to other public-key cryptosystems. Indeed, NTRU is faster than
RSA and ECC. However, NTRU has an overall reasonable key
size in comparison to McEliece, but it also has the worst message expansion for encryption and signature [108]. This can
affect storage and communication capacities.
Different low-power cryptosystems are proposed and
lightweight security services can be constructed on their basis
(confidentiality, digital signature, authentication, etc.). Energy
consumption can be effectively reduced by implementing security services based on low-power cryptography, rather than
heavy one. As it is shown in Table 8, each cryptosystem has its
own proprieties (advantages and drawbacks). The choice for a
scheme can be made depending on the application. For example, Rabin’s scheme can be efficient for applications requiring
only encryption and signature verification. Objects that have
relatively sufficient memories can use security services based
on McEliece cryptosystem.
From the led work, it can be noted that ECC is the most used
4.4.2. Symmetric protocols
Although classical symmetric ciphers are lightweight compared to asymmetric ones (for example, AES is 100-1000 times
faster than ECC using 8-bit controller [110]), some recently developed symmetric protocols are more energy-efficient. The
emergence of highly constrained devices led to the development
of lightweight symmetric ciphers. This includes the two classes
of symmetric protocols: block ciphers and stream ciphers.
Most employed symmetric protocols are bock ciphers.
Stream ciphers can be easily constructed by block ciphers,
while some protocols cannot be designed with stream ciphers
[25]. Given their wide use, many lightweight block ciphers
are proposed. Examples of such protocols are KATAN [111],
KLEIN [112], mCrypton [113], Piccolo [114], PRESENT
[115], TWINE [116], and EPCBC [117]. However, block ciphers are generally designed to perform well on a single platform (software or hardware). In 2013, the National Security
Agency released their own block cipher families SIMON and
SPECK [118]. The aim of these protocols is to meet lightweight
and flexible security. They achieve good performance in both
hardware and software environments.The evaluations provided
in the specification document [118] use ASIC and 8-bit microcontrollers. They show good results of these two protocols
compared to many of the aforementioned ciphers in terms of
throughput, footprint, etc.
Lightweight stream ciphers have also gained much attention
recently. Such protocols are relevant for applications where
the plaintext length is either unknown or continues, like data
streams in constrained networks. The eSTREAM project [119]
was a great effort, held by European Network of Excellence
for Cryptology, to promote the design of efficient and compact stream ciphers. As result of the project, a portfolio of
new stream cipher protocols is proposed. It includes HC-128
[120], Rabbit [121], Salsa20 [122], SOSEMANUK [123] which are efficient in software implementations -, Grain v1
[124], MICKEY 2.0 [125], and Trivium [126] which are hardware oriented protocols. Other protocols are surveyed in [127]
is taken in the execution. Energy consumption is directly related to this parameter. Size compression techniques aim at reducing the consumption by decreasing the data size. This can
concern the header related to the protocol or the data to process
by the cryptographic algorithm.
4.4.3. Physical layer security protocols
Physical layer security is another branch of secure communications that operates at the physical layer, without upper layer
data encryption. It is based on exploiting the inherent randomness of the physical channel (such as noises and fluctuations due
to fading) in the benefit of legitimate nodes. In this approach,
the transmitter encodes messages so as to allow the receiver
obtaining the information, while preventing an eavesdropper
from interpreting the observed message [128]. Physical layer
security approaches are less demanding in terms of energy consumption since they do not rely on heavy operations as classical
cryptography. This makes physical layer security approaches
very suitable for resource-constrained networks such as the IoT
[82, 129].
Two main approaches have emerged from research on physical layer security: transmit coding and secret-key agreement.
Transmit coding can achieve confidentiality without the need
for a secret key. An initial work on transmit coding is made
by Wyner [130], where the adversary on a wire-tap channel
observes a degraded version of the message compared to the
legitimate node. This work is extended to non-degraded channels [131]. Recently, there have been many efforts for considering wireless fading, multiple antennas, and multi-user channels.
For instance, the impact of fading on secrecy capacity is studied in [132, 133], the secrecy capacity in multiple antennas is
investigated in [134, 135], while multiple access channels are
considered in [136, 137]. Other works on transmit coding are
reviewed in [138].
Physical layer security approaches can also be applied to existing cryptosystems within the aim of providing key agreement. The idea is to use common correlated sources between
nodes, partially unknown to the eavesdropper, to generate a secret key. The possibility that two nodes can agree on a secret
key over public channels is demonstrated in [139]. The author
shows that noisy communications can be exploited to create
correlated sequences at the two nodes, allowing them therefore
to agree on a secret key. A closely related work is provided
in [140]. Recently, many secret key agreement approaches are
based on wireless channel reciprocity proprieties as a common
source of randomness. Such approaches include key generation
based on using wideband multipath channels parameters [141],
wireless fading channels proprieties [142], information content
of wireless multi-dimensional Gaussian channels [143], etc.
4.5.1. Header compression
In security protocols tackling communication aspects, a
packet header is also specified. The size of the header affects directly the energy consumption, as it is transmitted and received
by the constrained node.
In [144], Raza et al. address the use of IPsec to secure data
exchange in 6LoWPAN sensor networks. When IPsec is considered, additional IPv6 extension headers have to be included
in each datagram. The authors’ proposal provides 6LoWPAN
specifications that allow encoding and compressing IPsec headers. Compression at the 6LoWPAN layer is, generally, based on
removing field that are implicitly known for all nodes, or can be
inferred from other layers. This solution allows to keep packet
size reasonable for a 802.15.4 frame, and therefore reduces energy consumption while sending packets. Header compression
could also decrease the number of blocks to authenticate (when
performing data origin authentication, the MAC is applied on
the payload and the header). For example, the minimum IPsec
header size using a HMAC-SHA1-96 is 24 bytes. After optimal
compression, a header size of 16 bytes can be obtained.
In another work, Raza et al. [145, 146] propose a header
compression solution to reduce consumption. The authors
tackle the use of the DTLS protocol to secure CoAP in the
context of a network supporting the 802.15.4 standard. Their
solution provides specifications to compress DTLS header at
the 6LoWPAN layer. The evaluation shows that DTLS header
compression reduces energy consumption, especially if the use
of uncompressed DTLS involves fragmentation.
In [147], Lighfoot et al. show that energy consumption can
be reduced by decreasing the header size of the data. Their
proposed link-layer security protocol for WSNs achieves this
by removing a counter field from the header and replacing it by
a synchronous feedback shift register at each pair.
4.5.2. Ciphertext compression
In addition, some works that focus on the data expressed by
users to reduce the processing and the ciphertext size are reported, mainly for ABE protocols.
In [148], Cheng et al. present a method to reduce the CPABE protocol consumption, by compressing its attributes. Indeed, the overhead of this protocol increases with the number of
attributes expressed by users. The proposal aims at integrating
a certain number of attributes expressed with AND gates (att1
AND att2 AND ...) into a single one, called ‘attribute union’.
This is done by using a prime number propriety. Every integer
which is bigger than 1 can be expressed uniquely as a product
of prime divisors. The solution thus maps each attribute to a
prime number and maps the attribute union to the product of
the prime numbers.
In [149] Chen et al. tackle the same problem and propose a
solution for CP-ABE. The construction also addresses the AND
4.5. Size compression
As security services deal with data, the execution time is proportional to the data size. The more data are big, the more time
gate and proposes a solution based on aggregation. This means
that attributes expressed with AND gates are aggregated into
one attribute.
Other solutions that tackle ABE protocols to compact the ciphertext regardless of the policy size expressed by users are proposed, such as [150–152].
as the size of the symmetric key is generally smaller than the
size of the data. In addition, for encryptions with the same policy, CP-ABE is performed only one time (to encrypt the used
symmetric key).
4.6. Hybridization
The taxonomy proposed in this paper shows that several techniques can be used to reduce energy consumption in security
protocols. Many security services are involved and different
situations are considered. This section provides analysis about
the considerations and the influencing parameters for applying
energy-saving mechanisms.
The applicability of energy-saving mechanisms depends on
certain factors. More precisely, two parameters that can influence the application of the mechanisms are identified: the deployment environment in which the energy-saving mechanism
is applied, and the target protocol. In the following, the energyefficient mechanisms are discussed according to these parameters. The discussion also emphasizes the consumption causes
(heavy operations, size of data and number of calls) identified
in section 3.5. Table 11 summarizes this discussion.
On-line/off-line security reduces energy consumption by
executing only a part of the entire security scheme. As it is
based on pre-computation, the use of this technique does not
really depend on the deployment environment. However, some
applications can offer more benefits as the storage space is limited for IoT nodes. One motivating application of on-line/offline schemes is mobile technology. A mobile object can perform off-line computations and store the results whenever it is
plugged into a power source. Once the device is unplugged,
it applies light on-line computations using the stored results.
The same observation can be made for energy harvesting technology. Constrained devices can take advantage of periods in
which outside energy is available to perform pre-computations,
and then exploit the results. Several developed solutions as
[44, 58, 62] address this kind of applications (see Table 3). It is
always possible to apply this mechanism for other networks by
considering the off-line phase before the deployment.
On-line/off-line security implies pre-computing some calculable operations. Solutions proposed in the literature provide
specifications to build the two phases. As mentioned in section
4.1, service-centered on-line/off-line approaches are generic
and do not depend on a given protocol. In contrast, operationcentered solutions focus more on how to pre-compute heavy
operations and are applicable only for protocols that are based
on operations specified by the solutions. For example, [44] targets stream cipher based protocols; [43] addresses algorithms
that are based on fixed base modular exponentiations; [58] is
designed for ABE protocol, etc. This makes this type of online/off-line security dependent on the targeted security protocol.
Heavy operations are the consumption cause tackled by online/off-line security (it is about pre-computing and storing
some heavy operations). This makes such technique not dependent on a specific security service, but on any protocol presenting calculable parts. However, the application of this mech-
5. Discussion
Finally, hybridization can be performed to combine different
solutions and benefit from them. This concerns hybridization in
energy-saving mechanisms and/or in security protocols. Some
examples are mentioned in the following.
4.6.1. Hybridization of mechanisms
Based on the mentioned mechanisms, it is possible to combine them in order to reduce consumption. Each mechanism
addresses a specific aspect in a specific way to reduce energyconsumption. Mechanism combination can be considered for
solutions presenting different contexts.
For example, in [58] authors highlight the possibility of combining their solution (on-line/off-line security in ABE) with the
one described in [74] (outsource security in ABE). Indeed, the
authors’ proposal lightens the encryption operation by performing pre-computation. However, this is not considered for the
decryption operation. In the other hand, the solution in [74]
assumes that ABE ciphertext might be stored in the cloud and
proposes an outsourcing method for users asking for decryption. The combination of these solutions allows to reduce consumption for encryption and decryption in ABE.
In [153], the authors associate header compression and outsource security to reduce energy consumption in HIP. The latter
specifies a header that is heavy for constrained nodes, in addition to the fact that it involves expensive computational operations for both initiator and responder. The proposed solution
achieves more optimization and energy saving by considering
the two mechanisms.
4.6.2. Hybridization of protocols
Energy consumption can be reduced by mixing protocols.
Some protocols are energy-efficient but cannot cope with some
IoT characteristics. Others are adapted for an IoT environment,
except in terms of energy. Hybrid solutions combine protocols
to take benefit of their advantages.
In [154], Mache et al. propose an hybrid key establishment
framework for WSNs. In this solution, resource-constrained
nodes use symmetric cryptography and only resource-rich gateways use public-key cryptography. This is done by allowing
gateways to vouch constrained nodes. These latter use less expensive symmetric cryptography, and when the packet reaches
a gateway it uses more expensive public-key cryptography such
as digital signatures.
In the AGREE framework proposed by Bianchi et al. [62],
the solution allows to reduce the CP-ABE overhead by combining it with a symmetric protocol, such as AES. It is based on
encrypting data with the symmetric protocol, and encrypting
the used symmetric key with CP-ABE. This is very beneficial
anism for encryption schemes is, generally, more difficult than
it is for signature ones. Indeed, a message is encrypted depending on the entity for which it is intended. Thus, in addition to
the fact that the message to encrypt is unknown until the online phase, the receiver is also unknown. This is not the case in
signature schemes where the node signs all the messages using
its private key (see Table 9). The notion of on-line/off-line was
introduced in the 1990s, but its first application for public-key
cryptography was in 2008 (as it is claimed by the authors in
From the conducted work, a link between outsource and online/off-line security approaches can be noted. Indeed, both are
based on splitting the cryptographic scheme into two parts, and
executing only one part. The other part is delegated to an assistant device in the case of outsource security, or pre-computed
in the case of on-line/off-line security. An outsource scheme
could thus be transformed into an on-line/off-line one by precomputing the part to be delegated. However, this part has to
be calculable in advance so it can be pre-computed in the offline phase. One possible application for switching from outsource to on-line/off-line security is mobile environments. A
constrained node can lose its assistant devices (due to mobility).
Thus, before losing the connection with the helper devices, the
constrained node can perform the off-line phase, so as to reduce
the consumption in the future.
An on-line/off-line scheme could also be transformed into an
outsource one by delegating the part to be pre-computed. However, as outsource techniques imply an assistance from other
devices, a special attention has to be paid to the type of helper
(trusted, semi-trusted or untrusted) and to what is to be delegated, in order not to compromise the security. This can be
considered in mobile environments where a node performing
on-line/off-line security can reach assistant devices. For that
purpose, it can switch to outsourcing and delegate the precomputation part to these devices. Table 10 summarizes the
link and the proprieties between the two mechanisms.
How ?
Application environment
the part intended to be
The part has
to be calculable in advance
Mobility: when
leaving assistant devices
to outsource
On-line/off-line security is still possible for encryption
schemes. Many solutions, such as [51–55], are based on correction factors that use algebraic relationships to address encryption schemes. However, this comes generally at the expense of
the decryption operations (the correction is performed by the
decryptor). In addition, the problem of dependency on the key
in encryption schemes can be less constrained when destinations can be known, as in the solution proposed in [62].
Outsource security is based on delegating heavy operations
to more powerful devices. Its application depends mainly on the
deployment environment, as it requires the availability of assisting devices that must be accessible to the constrained node.
Some solutions such as [77, 155] exploit the heterogeneity of
the IoT to delegate heavy operations to more powerful devices.
Other works such as [72, 74] use the cloud for outsourcing.
While other solutions such as [36, 64] are based on the availability of TPM modules. Note that, because this mechanism
involves other entities, special attention must be paid to what
is to be delegated and to the type of assisting devices (trusted,
semi-trusted or untrusted). This is for the purpose of not compromising the security by the assisting nodes.
As it is the case for on-line/off-line schemes, outsource security addresses the heavy operations as consumption source
(by delegating them), and is not related to a specific service.
For instance, [36] addresses RSA and XTEA using trusted assistant; [71] tackles CP-ABE with semi-trusted helpers; [75]
is interested in exponentiation-based protocols using untrusted
devices; etc. This makes the application of an outsourcing solution dependent on the target protocol (the target protocol has to
be based on operations specified by the outsourcing solution).
Outsource to
Table 9: Dependencies of asymmetric schemes in the used key
Dependency Justification
to the key
The node uses only its private
key for signing
Encryption +
The encryption uses the destination public key
Verification +
The verification key depends on
the signer
Decryption The node uses its private key for
Signs signification
Not dependent
the part intended to be
Mobility: when
reaching assistant devices
Table 10: Link between outsource and on-line/off-line security
Adaptive security is based on adjusting security measures
according to the context. It concerns applications in which
changes may occur in the sensitivity of data to secure or in the
threat level of the environment where the security service is deployed. Indeed, the application of adaptive security is directly
related to the deployment environment. It requires the availability, at runtime, of information about threats or data sensitivity,
so that the security level can be adjusted without compromising the security. For example, solutions as [83–86] are based
on the possibility of evaluating the surrounding nodes’ trust to
adapt security; [89–91] are designed for applications providing
information on data criticality.
On the other hand, adaptive security solutions do not require
- Requires the availability of helper devices
- Could be transformed to on-line/off-line scheme
Low-power sec
- Requires the availability of calculable parts
- More beneficial in mobile and energy-harvesting
- More easy to consider for signature than encryption schemes
- Service-centered solutions are more generic (do
not depend on a specific protocol)
- Requires the availability of info on data sensitivity or threat level
- Solutions are not dependent to a specific protocol
- Requires the availability of an equivalent protocol in a low-power security class
Consumption causes
Data Number of
operations size calls
Influencing parameters
Environment Protocol
- Considered when there is a possibility of reducing in data size
Table 11: Applicability of energy-saving mechanisms
knowledge on the target security protocol and its operations to
perform adaptation. As mentioned in section 4.3, this can be
done in a parametrical or structural manner. The application of
adaptive security solutions does not depend on a specific class
of security protocols.
Adaptive security allows reducing energy by adjusting security measures, rather than considering systematically the worst
case. This can be done by making changes (parametrical or
structural) in the security protocols, or simply by calling the
protocol only when it is required. For example, in [90] adaptation can be done by changing the encryption key; while in
[87] adaptation is performed by applying or not the authentication service. Thus, adaptive security can reduce consumption
by targeting heavy operations and/or the number of calls.
Low-power security protocols constitutes an alternative solution for heavy classical cryptosystems. It provides a basis
for building energy-efficient security services. Therefore, when
considering a given security solution, energy consumption can
be reduced by substituting the heavy protocol with a low-power
one. This requires the availability of an equivalent low-power
protocol. For instance, in a solution requiring key agreement,
ECDH can be considered instead of DH. However, a security
protocol may not have an equivalent implementation in some
low-power security classes. For example, the original McEliece
cryptosystem [101] does not allow signing messages, as mentioned by the author (although solutions are proposed later such
as [156]). The consideration of low-power security depends on
the target protocol.
Low-power security protocols provide efficient services that
are based on less heavy operations. This constitutes the consumption cause tackled by low-power security protocols. For
example, the main operation of ECC [97] is the scalar multiplication using smaller parameters (compared to RSA). NTRU
operations [106] are built upon polynomial ring, which is very
fast compared to cryptosystems as RSA and El-Gamal that are
based on modular exponentiations. Physical layer security protocols do not rely on heavy operations as classical schemes.
As the execution time and the energy consumption are related
to the size of data, size compression techniques aim at reducing the data size while keeping the same protocol functionalities. Header compression techniques address security protocols
that specify communication aspects. This is the case for protocol as IPsec, TLS or DTLS. In addition, other compression
solutions that address data to process are also reported. These
two classes of size compression technique are directly related
to the target protocol. Solutions targeting header compression,
as [144–146], are designed for specific protocols where some
fields of their headers can be compressed (e.g. they can be deduced from other headers). The same observation can be made
for solutions that reduce the data to process.
Obviously, this technique achieves energy efficiency by tackling the size of data as consumption cause. Solutions as [144–
146] reduce consumption by addressing only to the header size,
as the latter are transmitted and received by th constrained
nodes. In additions, in solutions, such as [148, 149], the heavy
operations are maintained. However, the processing is reduced
for some big size policies expressed by users.
It appears from this work that many energy-efficient mecha-
6. Conclusion
The Internet of Things (IoT) has widely spread in many areas
(health-care, smart grid, transportation, manufacturing systems,
etc.). The sensitivity related to these applications justifies the
obligation of considering security services in the IoT. The devices involved in the IoT are resource-constrained and intended
to operate for a long time. However, many security measures
are commonly known to consume energy.
This paper deals with the mechanisms involved in energy efficiency in the context of IoT security. Previous surveys focus more on studying IoT security solutions that are efficient in
terms of energy. This work goes one step further and addresses
the mechanisms that allow developing energy-efficient security
solutions. A taxonomy of most energy-saving techniques in IoT
security is proposed. Each one is studied, as well as relevant
works that use it. The survey shows that each energy-saving
technique implies changes in the original security protocol, and
some issues may occur. This is why a discussion on these issues which are related to the use of energy-saving techniques
is performed. A discussion is also led on the applicability conditions of the mechanisms, and the parameters affecting their
use. It appears from this survey that different solutions can be
considered to reduce energy consumption in security services.
The survey also raises the necessity for performing comparable
evaluations, in terms of the saved energy, between the different
approaches and mechanisms. Indeed, an effective evaluation
must consider comparable environments, such as the same target platforms (e.g. micro-processors, FPGAs, ASICs), the same
target protocols, etc. This can be addressed as a perspective of
our work. We believe that such a survey may be a contribution
to the scientific and the industrial communities, and can help
security protocol designers to select the appropriate mechanism
and the way to apply it.
R. Roman, C. Alcaraz, J. Lopez, N. Sklavos, Key management systems for sensor networks in the context of the internet of things, Computers and Electrical Engineering 37 (2) (2011) 147 – 159, modern
Trends in Applied Security: Architectures, Implementations and Applications. doi:
Z. Yan, P. Zhang, A. V. Vasilakos, A survey on trust management
for internet of things, Journal of Network and Computer Applications
42 (2014) 120 – 134. doi:
K. T. Nguyen, M. Laurent, N. Oualha, Survey on secure communication
protocols for the internet of things, Ad Hoc Networks 32 (2015) 17 – 31,
internet of Things security and privacy: design methods and optimization. doi:
R. Roman, J. Zhou, J. Lopez, On the features and challenges of security and privacy in distributed internet of things, Computer Networks
57 (10) (2013) 2266 – 2279, towards a Science of Cyber SecuritySecurity and Identity Architecture for the Future Internet. doi:http:
J. Granjal, E. Monteiro, J. S. Silva, Security in the integration of lowpower wireless sensor networks with the internet: A survey, Ad Hoc
Networks 24, Part A (2015) 264 – 287. doi:
J. Granjal, E. Monteiro, J. S. Silva, Security for the internet of things:
A survey of existing protocols and open research issues, IEEE Communications Surveys Tutorials 17 (3) (2015) 1294–1312. doi:10.1109/
S. Sicari, A. Rizzardi, L. Grieco, A. Coen-Porisini, Security, privacy
and trust in internet of things: The road ahead, Computer Networks 76
(2015) 146 – 164. doi:
R. H. Weber, Internet of things new security and privacy challenges,
Computer Law and Security Review 26 (1) (2010) 23 – 30. doi:http:
C. Karlof, N. Sastry, D. Wagner, Tinysec: A link layer security architecture for wireless sensor networks, in: Proceedings of the 2Nd International Conference on Embedded Networked Sensor Systems, SenSys
’04, ACM, New York, NY, USA, 2004, pp. 162–175. doi:10.1145/
Y. W. Law, J. Doumen, P. Hartel, Survey and benchmark of block ciphers
for wireless sensor networks, ACM Trans. Sen. Netw. 2 (1) (2006) 65–
93. doi:10.1145/1138127.1138130.
J. Daemen, V. Rijmen, Aes proposal: Rijndael (1999).
R. L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital
signatures and public-key cryptosystems, Commun. ACM 21 (2) (1978)
120–126. doi:10.1145/359340.359342.
NIST, Skipjack and kea algorithm specifications version 2.0. nist (1998).
J. Lopez, Unleashing public-key cryptography in wireless sensor networks, Journal of Computer Security 14 (5) (2006) 469–482.
D. Boneh, M. Franklin, Identity-Based Encryption from the Weil Pairing, Springer Berlin Heidelberg, Berlin, Heidelberg, 2001, pp. 213–229.
nisms are independent from the target platform. For instance,
outsource security tackles delegating heavy operations to assisting nodes in order to reduce consumption, on-line/off-line security addresses pre-computing costly operations, adaptive security is based on dynamically changing the security level, while
size compression targets reducing the data size. These mechanisms are not related to one specific platform and can operate
using different IoT devices. In addition, the presented lowpower security protocols are designed for constrained node.
Performance evaluations related to these protocols are mostly
performed using resource limited devices.
[1] L. Atzori, A. Iera, G. Morabito, The internet of things: A survey, Computer Networks 54 (15) (2010) 2787 – 2805. doi:http://dx.doi.
[2] D. Miorandi, S. Sicari, F. D. Pellegrini, I. Chlamtac, Internet of things:
Vision, applications and research challenges, Ad Hoc Networks 10 (7)
(2012) 1497 – 1516. doi:
Securing sensor networks with public key technology, in: Proceedings of the 2Nd ACM Workshop on Security of Ad Hoc and Sensor
Networks, SASN ’04, ACM, New York, NY, USA, 2004, pp. 59–64.
W. Hu, P. Corke, W. C. Shih, L. Overs, secFleck: A Public Key
Technology Platform for Wireless Sensor Networks, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2009, pp. 296–311. doi:10.1007/
A. Shamir, Identity-Based Cryptosystems and Signature Schemes,
Springer Berlin Heidelberg, Berlin, Heidelberg, 1985, pp. 47–53. doi:
L. B. Oliveira, M. Scott, J. Lopez, R. Dahab, Tinypbc: Pairings for authenticated identity-based non-interactive key distribution in sensor networks, in: Networked Sensing Systems, 2008. INSS 2008. 5th International Conference on, 2008, pp. 173–180. doi:10.1109/INSS.2008.
V. Manral, Cryptographic algorithm implementation requirements for
encapsulating security payload (esp) and authentication header (ah), ietf
rfc 4835, Tech. rep. (April 2007).
E. R. T. Dierks, The transport layer security (tls) protocol version 1.2,
ietf rfc 5246, Tech. rep. (August 2008).
E. Rescorla, N. Modadugu, Datagram transport layer security version
S. Even, O. Goldreich, S. Micali, On-line/off-line digital signatures,
Journal of Cryptology 9 (1) (1996) 35–67.
C. P. Schnorr, Efficient Identification and Signatures for Smart Cards,
Springer Berlin Heidelberg, Berlin, Heidelberg, 1990, pp. 688–689.
S. Pelissier, T. Prabhakar, H. Jamadagni, R. VenkateshaPrasad,
I. Niemegeers, Providing security in energy harvesting sensor networks,
in: Consumer Communications and Networking Conference (CCNC),
2011 IEEE, 2011, pp. 452–456. doi:10.1109/CCNC.2011.5766511.
C. P. Schnorr, Efficient signature generation by smart cards, Journal of
Cryptology 4 (3) (1991) 161–174. doi:10.1007/BF00196725.
E. F. Brickell, K. S. McCurley, An interactive identification scheme
based on discrete logarithms and factoring, Journal of Cryptology 5 (1)
(1992) 29–39. doi:10.1007/BF00191319.
P. de Rooij, On the Security of the Schnorr Scheme using Preprocessing,
Springer Berlin Heidelberg, Berlin, Heidelberg, 1991, pp. 71–80. doi:
P. de Rooij, On schnorr’s preprocessing for digital signature schemes,
Journal of Cryptology 10 (1) (1997) 1–16.
E. F. Brickell, D. M. Gordon, K. S. McCurley, D. B. Wilson, Fast Exponentiation with Precomputation, Springer Berlin Heidelberg, Berlin,
Heidelberg, 1993, pp. 200–207. doi:10.1007/3-540-47555-9_18.
P. de Rooij, Efficient exponentiation using precomputation and vector
addition chains, Springer Berlin Heidelberg, Berlin, Heidelberg, 1995,
pp. 389–399. doi:10.1007/BFb0053453.
F. Guo, Y. Mu, Z. Chen, Identity-Based Online/Offline Encryption,
Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 247–261.
Z. Liu, L. Xu, Z. Chen, Y. Mu, F. Guo, Hierarchical identity-based online/offline encryption, in: Young Computer Scientists, 2008. ICYCS
2008. The 9th International Conference for, 2008, pp. 2115–2119. doi:
J. K. Liu, J. Zhou, An Efficient Identity-Based Online/Offline Encryption
Scheme, Springer Berlin Heidelberg, Berlin, Heidelberg, 2009, pp. 156–
167. doi:10.1007/978-3-642-01957-9_10.
F. Bergadano, D. Cavagnino, B. Crispo, Individual single source authentication on the mbone, in: 2000 IEEE International Conference on Multimedia and Expo. ICME2000. Proceedings. Latest Advances in the Fast
Changing World of Multimedia (Cat. No.00TH8532), Vol. 1, 2000, pp.
541–544 vol.1. doi:10.1109/ICME.2000.869659.
Z. Benenson, N. Gedicke, O. Raivio, Realizing robust user authentication in sensor networks, Real-World Wireless Sensor Networks (REALWSN) 14 (2005) 52.
S. Banerjee, D. Mukhopadhyay, Symmetric key based authenticated
querying in wireless sensor networks, in: Proceedings of the First International Conference on Integrated Internet Ad Hoc and Sensor Networks, InterSense ’06, ACM, New York, NY, USA, 2006. doi:10.
A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, D. E. Culler, Spins: Security protocols for sensor networks, Wirel. Netw. 8 (5) (2002) 521–534.
G. Gaubatz, J.-P. Kaps, B. Sunar, Public Key Cryptography in Sensor
Networks—Revisited, Springer Berlin Heidelberg, Berlin, Heidelberg,
2005, pp. 2–18. doi:10.1007/978-3-540-30496-8_2.
A. Sahai, B. Waters, Fuzzy Identity-Based Encryption, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2005, pp. 457–473. doi:10.1007/
T. ElGamal, A Public Key Cryptosystem and a Signature Scheme Based
on Discrete Logarithms, Springer Berlin Heidelberg, Berlin, Heidelberg,
1985, pp. 10–18. doi:10.1007/3-540-39568-7_2.
A. J. Menezes, S. A. Vanstone, P. C. V. Oorschot, Handbook of Applied Cryptography, 1st Edition, CRC Press, Inc., Boca Raton, FL, USA,
L. Eschenauer, V. D. Gligor, A key-management scheme for distributed
sensor networks, in: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS ’02, ACM, New York, NY,
USA, 2002, pp. 41–47. doi:10.1145/586110.586117.
D. Liu, P. Ning, Location-based pairwise key establishments for static
sensor networks, in: Proceedings of the 1st ACM Workshop on Security
of Ad Hoc and Sensor Networks, SASN ’03, ACM, New York, NY,
USA, 2003, pp. 72–82. doi:10.1145/986858.986869.
H. Chan, A. Perrig, D. Song, Random key predistribution schemes for
sensor networks, in: Security and Privacy, 2003. Proceedings. 2003
Symposium on, 2003, pp. 197–213. doi:10.1109/SECPRI.2003.
H. Chan, A. Perrig, Pike: peer intermediaries for key establishment in
sensor networks, in: Proceedings IEEE 24th Annual Joint Conference
of the IEEE Computer and Communications Societies., Vol. 1, 2005, pp.
524–535 vol. 1. doi:10.1109/INFCOM.2005.1497920.
A. Fanian, M. Berenjkoub, H. Saidi, T. A. Gulliver, A scalable and efficient key establishment protocol for wireless sensor networks, in: 2010
IEEE Globecom Workshops, 2010, pp. 1533–1538. doi:10.1109/
F. L. M. N. K. N. J. Arkko, E. Carrara, Mikey: Multimedia internet
keying, ietf rfc 3830, Tech. rep. (August 2004).
C. Kaufman, Internet key exchange (ikev2) protocol, ietf rfc 4306, Tech.
rep. (December 2005).
P. J. R. Moskowitz, P .Nikander, T. Henderson, Host identity protocol,
ietf rfc 5201, Tech. rep. (April 2008).
W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654. doi:10.1109/
R. Watro, D. Kong, S.-f. Cuti, C. Gardiner, C. Lynn, P. Kruus, Tinypk:
[71] L. Touati, Y. Challal, A. Bouabdallah, C-cp-abe: Cooperative ciphertext
policy attribute-based encryption for the internet of things, in: Advanced
Networking Distributed Systems and Applications (INDS), 2014 International Conference on, 2014, pp. 64–69. doi:10.1109/INDS.2014.
[72] L. Touati, Y. Challal, Collaborative kp-abe for cloud-based internet of
things applications, in: Communications (ICC), 2016 IEEE International
Conference on, 2016.
[73] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption
for fine-grained access control of encrypted data, in: Proceedings of
the 13th ACM Conference on Computer and Communications Security, CCS ’06, ACM, New York, NY, USA, 2006, pp. 89–98. doi:
[74] M. Green, S. Hohenberger, B. Waters, Outsourcing the decryption of
abe ciphertexts, in: Proceedings of the 20th USENIX Conference on
Security, SEC’11, USENIX Association, Berkeley, CA, USA, 2011, pp.
[75] S. Hohenberger, A. Lysyanskaya, How to securely outsource cryptographic computations, in: Proceedings of the Second International Conference on Theory of Cryptography, TCC’05, SpringerVerlag, Berlin, Heidelberg, 2005, pp. 264–282. doi:10.1007/
[76] B. Chevallier-Mames, J.-S. Coron, N. McCullagh, D. Naccache,
M. Scott, Secure Delegation of Elliptic-Curve Pairing, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2010, pp. 24–35. doi:10.1007/
[77] Y. B. Saied, A. Olivereau, D. Zeghlache, M. Laurent, Lightweight collaborative key establishment scheme for the internet of things, Computer
Networks 64 (2014) 273 – 295. doi:
[78] M. Watson, Basic forward error correction (fec) schemes, rfc 5445,
Tech. rep. (2009).
[79] A. Shamir, How to share a secret, Commun. ACM 22 (11) (1979) 612–
613. doi:10.1145/359168.359176.
[80] E. Yuan, N. Esfahani, S. Malek, A systematic survey of self-protecting
software systems, ACM Trans. Auton. Adapt. Syst. 8 (4) (2014) 17:1–
17:41. doi:10.1145/2555611.
[81] C. T. Hager, Context aware and adaptive security for wireless networks,
Ph.D. thesis, Virginia Polytechnic Institute and State University (2004).
[82] W. Trappe, R. Howard, R. S. Moore, Low-energy security: Limits and
opportunities in the internet of things, IEEE Security Privacy 13 (1)
(2015) 14–21. doi:10.1109/MSP.2015.7.
[83] X. Li, M. R. Lyu, J. Liu, A trust model based routing protocol for secure
ad hoc networks, in: Aerospace Conference, 2004. Proceedings. 2004
IEEE, Vol. 2, 2004, pp. 1286–1295 Vol.2. doi:10.1109/AERO.2004.
[84] C. Chigan, L. Li, Y. Ye, Resource-aware self-adaptive security provisioning in mobile ad hoc networks, in: Wireless Communications and
Networking Conference, 2005 IEEE, Vol. 4, IEEE, 2005, pp. 2118–
[85] M. Younis, N. Krajewski, O. Farrag, Adaptive security provision for
increased energy efficiency in wireless sensor networks, in: 2009 IEEE
34th Conference on Local Computer Networks, 2009, pp. 999–1005.
[86] H. Hellaoui, A. Bouabdallah, M. Koudil, Tas-iot: Trust-based adaptive
security in the iot, in: 2016 IEEE 41st Conference on Local Computer
Networks (LCN), 2016, pp. 599–602. doi:10.1109/LCN.2016.101.
[87] M. Hamdi, H. Abie, Game-based adaptive security in the internet of
things for ehealth, in: Communications (ICC), 2014 IEEE International Conference on, 2014, pp. 920–925. doi:10.1109/ICC.2014.
[88] E. K. Wang, T.-Y. Wu, C.-M. Chen, Y. Ye, Z. Zhang, F. Zou, MDPAS:
[54] S. S. M. Chow, J. K. Liu, J. Zhou, Identity-based online/offline key encapsulation and encryption, in: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’11, ACM, New York, NY, USA, 2011, pp. 52–60. doi:
[55] S. S. D. Selvi, S. S. Vivek, C. P. Rangan, Identity Based Online/Offline
Encryption and Signcryption Schemes Revisited, Springer Berlin Heidelberg, Berlin, Heidelberg, 2011, pp. 111–127. doi:10.1007/
[56] D. Boneh, X. Boyen, Efficient Selective-ID Secure Identity-Based
Encryption Without Random Oracles, Springer Berlin Heidelberg, Berlin, Heidelberg, 2004, pp. 223–238.
[57] C. Gentry, Practical Identity-Based Encryption Without Random Oracles, Springer Berlin Heidelberg, Berlin, Heidelberg, 2006, pp. 445–464.
[58] S. Hohenberger, B. Waters, Online/Offline Attribute-Based Encryption,
Springer Berlin Heidelberg, Berlin, Heidelberg, 2014, pp. 293–310.
[59] Y. Rouselakis, B. Waters, Practical constructions and new proof methods for large universe attribute-based encryption, in: Proceedings of the
2013 ACM SIGSAC Conference on Computer & Communications
Security, CCS ’13, ACM, New York, NY, USA, 2013, pp. 463–474.
[60] A. Shamir, Y. Tauman, Improved online/offline signature schemes, in:
Proceedings of the 21st Annual International Cryptology Conference on
Advances in Cryptology, CRYPTO ’01, Springer-Verlag, London, UK,
UK, 2001, pp. 355–367.
[61] H. Krawczyk, T. Rabin, Chameleon signatures., in: Symposium on Network and Distributed Systems Security (NDSS ’00), 2000, pp. 143–154.
[62] G. Bianchi, A. T. Capossele, C. Petrioli, D. Spenza, Agree: exploiting
energy harvesting to support data-centric access control in {WSNs}, Ad
Hoc Networks 11 (8) (2013) 2625 – 2636. doi:
[63] J. Bethencourt, A. Sahai, B. Waters, Ciphertext-policy attribute-based
encryption, in: Security and Privacy, 2007. SP ’07. IEEE Symposium
on, 2007, pp. 321–334. doi:10.1109/SP.2007.11.
[64] W. Hu, H. Tan, P. Corke, W. C. Shih, S. Jha, Toward trusted wireless
sensor networks, ACM Trans. Sen. Netw. 7 (1) (2010) 5:1–5:25. doi:
[65] R. M. Needham, D. J. Wheeler, Tea extensions, Report, Cambridge University, Cambridge, UK (October 1997).
[66] T. C. Group, Trusted platform module specification, Tech. rep. (2014).
[67] T. Kothmayr, C. Schmitt, W. Hu, M. Brnig, G. Carle, A dtls based endto-end security architecture for the internet of things with two-way authentication, in: Local Computer Networks Workshops (LCN Workshops), 2012 IEEE 37th Conference on, 2012, pp. 956–963. doi:
[68] T. Kothmayr, C. Schmitt, W. Hu, M. Brnig, G. Carle, {DTLS} based
security and two-way authentication for the internet of things, Ad Hoc
Networks 11 (8) (2013) 2710 – 2723. doi:
[69] M. Barbareschi, E. Battista, A. Mazzeo, S. Venkatesan, Advancing
wsn physical security adopting tpm-based architectures, in: Information
Reuse and Integration (IRI), 2014 IEEE 15th International Conference
on, 2014, pp. 394–399. doi:10.1109/IRI.2014.7051916.
[70] Y. M. Yussoff, H. Hashim, M. D. Baba, Identity-based trusted authentication in wireless sensor network, arXiv preprint arXiv:1207.6185.
delberg, 2001, pp. 262–272. doi:10.1007/3-540-44709-1_22.
G. Gaubatz, J. P. Kaps, E. Ozturk, B. Sunar, State of the art in ultra-low
power public key cryptography for wireless sensor networks, in: Third
IEEE International Conference on Pervasive Computing and Communications Workshops, 2005, pp. 146–150. doi:10.1109/PERCOMW.
B. Biswas, N. Sendrier, McEliece Cryptosystem Implementation: Theory and Practice, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008,
pp. 47–62. doi:10.1007/978-3-540-88403-3_4.
T. Eisenbarth, S. Kumar, C. Paar, A. Poschmann, L. Uhsadel, A survey of lightweight-cryptography implementations, IEEE Design Test of
Computers 24 (6) (2007) 522–533. doi:10.1109/MDT.2007.178.
C. De Cannière, O. Dunkelman, M. Knežević, KATAN and KTANTAN — A Family of Small and Efficient Hardware-Oriented Block Ciphers, Springer Berlin Heidelberg, Berlin, Heidelberg, 2009, pp. 272–
288. doi:10.1007/978-3-642-04138-9_20.
Z. Gong, S. Nikova, Y. W. Law, KLEIN: A New Family of Lightweight
Block Ciphers, Springer Berlin Heidelberg, Berlin, Heidelberg, 2012,
pp. 1–18. doi:10.1007/978-3-642-25286-0_1.
C. H. Lim, T. Korkishko, mCrypton – A Lightweight Block Cipher
for Security of Low-Cost RFID Tags and Sensors, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2006, pp. 243–258. doi:10.1007/
K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, T. Shirai, Piccolo: An Ultra-Lightweight Blockcipher, Springer Berlin Heidelberg, Berlin, Heidelberg, 2011, pp. 342–357. doi:10.1007/
A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann,
M. J. B. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: An UltraLightweight Block Cipher, Springer Berlin Heidelberg, Berlin, Heidelberg, 2007, pp. 450–466. doi:10.1007/978-3-540-74735-2_31.
T. Suzaki, K. Minematsu, S. Morioka, E. Kobayashi, TWINE: A
Lightweight Block Cipher for Multiple Platforms, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013, pp. 339–354. doi:10.1007/
H. Yap, K. Khoo, A. Poschmann, M. Henricksen, EPCBC - A Block Cipher Suitable for Electronic Product Code Encryption, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2011, pp. 76–97. doi:10.1007/
R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks,
L. Wingers, The simon and speck families of lightweight block ciphers.
cryptol ogy eprint archive, report 2013/404, 2013.
eSTREAM, Stream cipher project, 2004-2008, http://www.ecrypt., accessed: July 2017.
H. Wu, The Stream Cipher HC-128, Springer Berlin Heidelberg, Berlin,
Heidelberg, 2008, pp. 39–47. doi:10.1007/978-3-540-68351-3_
M. Boesgaard, M. Vesterager, E. Zenner, The Rabbit Stream Cipher,
Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 69–83. doi:
D. J. Bernstein, The Salsa20 Family of Stream Ciphers, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2008, pp. 84–97. doi:10.1007/
C. Berbain, O. Billet, A. Canteaut, N. Courtois, H. Gilbert, L. Goubin,
A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, H. Sibert, Sosemanuk, a Fast Software-Oriented Stream Cipher, Springer
Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 98–118. doi:10.
Markov Decision Process Based Adaptive Security for Sensors in Internet of Things, Springer International Publishing, Cham, 2015, pp. 389–
397. doi:10.1007/978-3-319-12286-1_40.
A. V. Taddeo, L. Micconi, A. Ferrante, Gradual adaptation of security
for sensor networks, in: World of Wireless Mobile and Multimedia Networks (WoWMoM), 2010 IEEE International Symposium on a, 2010,
pp. 1–9. doi:10.1109/WOWMOM.2010.5534903.
A. Taddeo, M. Mura, A. Ferrante, Qos and security in energy-harvesting
wireless sensor networks, in: Security and Cryptography (SECRYPT),
Proceedings of the 2010 International Conference on, 2010, pp. 1–10.
A. D. Mauro, X. Fafoutis, N. Dragoni, Adaptive security in odmac for
multihop energy harvesting wireless sensor networks, Int. J. Distrib. Sen.
Netw. 2015 (2015) 68:68–68:68. doi:10.1155/2015/760302.
E. Y. A. Lin, J. M. Rabaey, A. Wolisz, Power-efficient rendez-vous
schemes for dense wireless sensor networks, in: Communications, 2004
IEEE International Conference on, Vol. 7, 2004, pp. 3769–3776 Vol.7.
P. Keeratiwintakorn, P. Krishnamurthy, Energy efficient security services
for limited wireless devices, in: 2006 1st International Symposium on
Wireless Pervasive Computing, 2006, pp. 1–6. doi:10.1109/ISWPC.
M. O. Rabin, Digitalized signatures and public-key functions as intractable as factorization, Tech. rep. (1979).
G. Murphy, A. Keeshan, R. Agarwal, E. Popovici, Hardware - software implementation of public-key cryptography for wireless sensor networks, in: 2006 IET Irish Signals and Systems Conference, 2006, pp.
Y. Oren, M. Feldhofer, A low-resource public-key identification scheme
for rfid tags and sensor nodes, in: Proceedings of the Second ACM Conference on Wireless Network Security, WiSec ’09, ACM, New York,
NY, USA, 2009, pp. 59–68. doi:10.1145/1514274.1514283.
N. Koblitz, Elliptic curve cryptosystems, Mathematics of computation
48 (177) (1987) 203–209.
D. Hankerson, A. J. Menezes, S. Vanstone, Guide to elliptic curve cryptography, Springer Science & Business Media, 2004.
N. Gura, A. Patel, A. Wander, H. Eberle, S. C. Shantz, Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2004, pp. 119–132. doi:10.1007/
A. S. Wander, N. Gura, H. Eberle, V. Gupta, S. C. Shantz, Energy analysis of public-key cryptography for wireless sensor networks, in: Third
IEEE International Conference on Pervasive Computing and Communications, 2005, pp. 324–328. doi:10.1109/PERCOM.2005.18.
R. McEliece, A public-key cryptosystem based on algebraic.
P. Loidreau, Strengthening McEliece Cryptosystem, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2000, pp. 585–598. doi:10.1007/
T. Eisenbarth, T. Güneysu, S. Heyse, C. Paar, MicroEliece: McEliece
for Embedded Devices, Springer Berlin Heidelberg, Berlin, Heidelberg,
2009, pp. 49–64. doi:10.1007/978-3-642-04138-9_4.
S. Heyse, I. von Maurich, T. Güneysu, Smaller Keys for Code-Based
Cryptography: QC-MDPC McEliece Implementations on Embedded
Devices, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013, pp. 273–
292. doi:10.1007/978-3-642-40349-1_16.
D. J. Bernstein, T. Lange, C. Peters, Attacking and Defending the
McEliece Cryptosystem, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 31–46. doi:10.1007/978-3-540-88403-3_3.
J. Hoffstein, J. Pipher, J. H. Silverman, NTRU: A ring-based public key
cryptosystem, Springer Berlin Heidelberg, Berlin, Heidelberg, 1998, pp.
267–288. doi:10.1007/BFb0054868.
D. V. Bailey, D. Coffin, A. Elbirt, J. H. Silverman, A. D. Woodbury,
NTRU in Constrained Devices, Springer Berlin Heidelberg, Berlin, Hei-
[146] S. Raza, H. Shafagh, K. Hewage, R. Hummen, T. Voigt, Lithe:
Lightweight secure coap for the internet of things, IEEE Sensors Journal
13 (10) (2013) 3711–3720. doi:10.1109/JSEN.2013.2277656.
[147] L. E. Lighfoot, J. Ren, T. Li, An energy efficient link-layer security protocol for wireless sensor networks, in: 2007 IEEE International Conference on Electro/Information Technology, 2007, pp. 233–238. doi:
[148] Y. Cheng, J. Ren, Z. Wang, S. Mei, J. Zhou, Attributes union in cpabe algorithm for large universe cryptographic access control, in: 2012
Second International Conference on Cloud and Green Computing, 2012,
pp. 180–186. doi:10.1109/CGC.2012.13.
[149] C. Chen, Z. Zhang, D. Feng, Efficient Ciphertext Policy Attribute-Based
Encryption with Constant-Size Ciphertext and Constant ComputationCost, Springer Berlin Heidelberg, Berlin, Heidelberg, 2011, pp. 84–101.
[150] J. Herranz, F. Laguillaumie, C. Ràfols, Constant Size Ciphertexts in Threshold Attribute-Based Encryption, Springer Berlin Heidelberg, Berlin, Heidelberg, 2010, pp. 19–34.
[151] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert, E. de Panafieu,
C. Rfols, Attribute-based encryption schemes with constant-size ciphertexts, Theoretical Computer Science 422 (2012) 15 – 38. doi:http:
[152] C. Wang, J. Luo, An efficient key-policy attribute-based encryption
scheme with constant ciphertext length, Mathematical Problems in Engineering 2013.
[153] S. Sahraoui, A. Bilami, Efficient hip-based approach to ensure
lightweight end-to-end security in the internet of things, Computer Networks 91 (2015) 26 – 45. doi:
[154] J. Mache, C. Y. Wan, M. Yarvis, Exploiting heterogeneity for sensor network security, in: 2008 5th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks,
2008, pp. 591–593. doi:10.1109/SAHCN.2008.80.
[155] Y. Saied, A. Olivereau, D-hip: A distributed key exchange scheme for
hip-based internet of things, in: World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2012 IEEE International Symposium on
a, 2012, pp. 1–7. doi:10.1109/WoWMoM.2012.6263785.
[156] N. T. Courtois, M. Finiasz, N. Sendrier, How to Achieve a McElieceBased Digital Signature Scheme, Springer Berlin Heidelberg, Berlin,
Heidelberg, 2001, pp. 157–174. doi:10.1007/3-540-45682-1_10.
[124] M. Hell, T. Johansson, W. Meier, Grain: a stream cipher for constrained
environments, International Journal of Wireless and Mobile Computing
2 (1) (2007) 86–93.
[125] S. Babbage, M. Dodd, The MICKEY Stream Ciphers, Springer Berlin
Heidelberg, Berlin, Heidelberg, 2008, pp. 191–209. doi:10.1007/
[126] C. De Canniere, B. Preneel, Trivium specifications, in: eSTREAM,
ECRYPT stream Cipher Project, Citeseer, 2005.
[127] C. Manifavas, G. Hatzivasilis, K. Fysarakis, Y. Papaefstathiou, A survey of lightweight stream ciphers for embedded systems, Security and
Communication Networks 9 (10) (2016) 1226–1246.
[128] M. Bloch, J. Barros, Physical-layer security: from information theory to
security engineering, Cambridge University Press, 2011.
[129] A. Mukherjee, Physical-layer security in the internet of things: Sensing
and communication confidentiality under resource constraints, Proceedings of the IEEE 103 (10) (2015) 1747–1761. doi:10.1109/JPROC.
[130] A. D. Wyner, The wire-tap channel, The Bell System Technical Journal 54 (8) (1975) 1355–1387. doi:10.1002/j.1538-7305.1975.
[131] I. Csiszar, J. Korner, Broadcast channels with confidential messages,
IEEE Transactions on Information Theory 24 (3) (1978) 339–348. doi:
[132] Y. Liang, H. V. Poor, S. Shamai, Secure communication over fading
channels, IEEE Transactions on Information Theory 54 (6) (2008) 2470–
2492. doi:10.1109/TIT.2008.921678.
[133] P. K. Gopala, L. Lai, H. E. Gamal, On the secrecy capacity of fading channels, IEEE Transactions on Information Theory 54 (10) (2008)
4687–4698. doi:10.1109/TIT.2008.928990.
[134] A. Khisti, G. W. Wornell, Secure transmission with multiple antennas i:
The misome wiretap channel, IEEE Transactions on Information Theory
56 (7) (2010) 3088–3104. doi:10.1109/TIT.2010.2048445.
[135] F. Oggier, B. Hassibi, The secrecy capacity of the mimo wiretap channel, IEEE Transactions on Information Theory 57 (8) (2011) 4961–4972.
[136] Y. Liang, H. V. Poor, Multiple-access channels with confidential messages, IEEE Transactions on Information Theory 54 (3) (2008) 976–
1002. doi:10.1109/TIT.2007.915978.
[137] E. Tekin, A. Yener, The gaussian multiple access wire-tap channel, IEEE
Transactions on Information Theory 54 (12) (2008) 5747–5755. doi:
[138] Y. Liang, H. V. Poor, S. Shamai (Shitz), Information theoretic security,
Found. Trends Commun. Inf. Theory 5 (4-5) (2009) 355–580. doi:
[139] U. M. Maurer, Secret key agreement by public discussion from common
information, IEEE Transactions on Information Theory 39 (3) (1993)
733–742. doi:10.1109/18.256484.
[140] R. Ahlswede, I. Csiszar, Common randomness in information theory
and cryptography. i. secret sharing, IEEE Transactions on Information
Theory 39 (4) (1993) 1121–1132. doi:10.1109/18.243431.
[141] Y. Shen, M. Z. Win, Intrinsic information of wideband channels, IEEE
Journal on Selected Areas in Communications 31 (9) (2013) 1875–1888.
[142] L. Lai, Y. Liang, H. V. Poor, A unified framework for key agreement
over wireless fading channels, IEEE Transactions on Information Forensics and Security 7 (2) (2012) 480–490. doi:10.1109/TIFS.2011.
[143] G. Pasolini, D. Dardari, Secret information of wireless multidimensional gaussian channels, IEEE Transactions on Wireless Communications 14 (6) (2015) 3429–3442. doi:10.1109/TWC.2015.
[144] S. Raza, S. Duquennoy, T. Chung, D. Yazar, T. Voigt, U. Roedig, Securing communication in 6lowpan with compressed ipsec, in: 2011 International Conference on Distributed Computing in Sensor Systems and
Workshops (DCOSS), 2011, pp. 1–8. doi:10.1109/DCOSS.2011.
[145] S. Raza, D. Trabalza, T. Voigt, 6lowpan compressed dtls for coap, in:
2012 IEEE 8th International Conference on Distributed Computing in
Sensor Systems, 2012, pp. 287–289. doi:10.1109/DCOSS.2012.55.
Hamed Hellaoui is currently pursuing his Ph.D. thesis in
computer science at Ecole nationale Supérieure d’Informatique
(ESI), Algeria. He holds an engineering degree, master degree
and magister degree from the same school. His research interests cover security and energy saving in the Internet of Things.