Accepted Manuscript

Energy-efficient Mechanisms in Security of the Internet of Things: A survey

Hamed Hellaoui, Mouloud Koudil, Abdelmadjid Bouabdallah

PII: S1389-1286(17)30314-6
DOI: 10.1016/j.comnet.2017.08.006
Reference: COMPNW 6279
To appear in: Computer Networks
Received date: 24 February 2017
Revised date: 8 July 2017
Accepted date: 14 August 2017

Please cite this article as: Hamed Hellaoui, Mouloud Koudil, Abdelmadjid Bouabdallah, Energy-efficient Mechanisms in Security of the Internet of Things: A survey, Computer Networks (2017), doi: 10.1016/j.comnet.2017.08.006

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Energy-efficient Mechanisms in Security of the Internet of Things: A survey

Hamed Hellaoui (a, corresponding author), Mouloud Koudil (a), Abdelmadjid Bouabdallah (b)

(a) Ecole nationale Supérieure d'Informatique ESI, LMCS Laboratory, BP 68 M 16309 Oued Smar, El Harrach, Algiers, Algeria.
(b) Sorbonne Universités, Université de Technologie de Compiègne UTC, CNRS, Heudiasyc UMR 7253 CS 60 319, 60 203 Compiègne cedex, France.

Email addresses: [email protected] (Hamed Hellaoui), [email protected] (Mouloud Koudil), [email protected] (Abdelmadjid Bouabdallah)

Preprint submitted to Computer Networks, August 14, 2017

Abstract

Security primitives in the IoT (Internet of Things) are energy consuming. Finding the best solutions that reduce energy consumption while ensuring the required security services is not an easy task. Many works proposed in the literature address security overhead issues by tackling some aspects such as cryptographic primitives, deployment environments, target applications, etc. This paper is a survey on energy-efficient mechanisms used in IoT security services. By studying the techniques that allow developing energy-efficient security solutions, it goes further than the previous surveys, which focus more on the energy-efficient solutions themselves. To the best of our knowledge, this is the first work that tackles IoT security from this perspective. Not only are security issues addressed in this survey, but the energy impact of the solutions is also discussed. Energy consumption related to security services is first introduced. A taxonomy is then proposed for energy-efficient mechanisms in IoT security. The main factors affecting the application of an energy-saving technique for security solutions are finally analyzed.

Keywords: Internet of Things (IoT), Security, Energy efficiency.

1. Introduction

The Internet of Things (IoT) is a relatively new paradigm that is attracting increasing attention from both scientific and industrial communities. It consists in extending the network to the real world, allowing the connection of physical objects. Thanks to communication technologies, objects (such as sensors, actuators, RFID tags) are able to communicate with each other and with users in order to achieve common objectives. Although the potential offered by the IoT allows many applications in different areas (e.g. smart cities, smart grids, healthcare monitoring, etc.), a large-scale deployment of this technology depends on its robustness and its security [1, 2]. Many IoT applications are very sensitive. As an example, parameters measured by sensor nodes in a healthcare application are related to human physiological signs, such as heart rate or body temperature. These sensitive data must not be available to unauthorized parties for capture or modification. On the other hand, the IoT is vulnerable to many types of attacks. Listening to, altering or disrupting information is easier in such networks, which typically use wireless communications without infrastructure. Objects can also be compromised and malicious nodes can be injected into the network, which may result in unauthorized actions on data and network resources. Moreover, as connected objects tend to invest our daily lives, the IoT could become a huge breach in users' privacy. It is therefore important to consider the required security services to ensure IoT protection from attacks.

Security services are typically instantiated on the basis of heavy schemes (e.g. encryption/decryption and signature/verification). They are generally designed to maintain a high security level without taking resource consumption into account. However, the IoT includes devices that are constrained in terms of resources (e.g. energy, storage, communication). The application of heavy security primitives on some nodes, such as sensors and RFID tags, would consume resources and may divert these nodes from executing their main tasks. As the nodes can be battery-powered and expected to operate for a long time, energy consumption is critical in this network. Replacing the battery may even be impossible in many situations, where objects must operate autonomously without human intervention. Security solutions must therefore be adapted to the energy constraints of the nodes in order to prolong their lifetime. With the emergence of Low-power and Lossy Networks (LLNs), several research works have been led to propose energy-saving solutions for security services. These proposals are varied and cover diverse aspects, such as security primitives, deployment environments, target applications, etc. Therefore, finding the efficient method that reduces the energy consumption while ensuring the required security service is not a trivial task, and it requires careful study so as not to sacrifice security.

The objective of this work is to survey energy-efficient mechanisms that can be applied in IoT security solutions. It is intended to assist security protocol designers in selecting appropriate mechanisms for energy saving, before proceeding with implementation. It is with this aim in mind that this paper proposes a taxonomy of energy-efficient mechanisms in IoT security, studies each one, and analyzes their applicability. The added value of this survey is to contribute to the application of energy-efficient mechanisms in IoT security solutions. While existing IoT security surveys focus more on reviewing energy-efficient protocols, the proposed work goes beyond this and studies what makes a security solution energy-efficient. As far as we know, this is the first survey with such an objective. Contributions of this survey can be summarized in the three following points:

• A discussion on security services in the IoT is performed, from an energy consumption point of view.
• A taxonomy of energy-efficient mechanisms in IoT security is proposed. Each one is studied, in addition to some proposed solutions that use the mechanism.
• A discussion is devoted to the environment and the applicability of energy-saving mechanisms in the IoT security services.

The rest of this paper is organized as follows. Section 2 presents the related surveys led on IoT security and highlights the motivation behind this work. Section 3 discusses services that can be addressed to ensure security in the IoT. It also deals with energy consumption related to security services. Energy-saving mechanisms in security are studied in section 4. This section provides a taxonomy of existing mechanisms and surveys relevant solutions that use these techniques. In section 5, a discussion is conducted on the appropriate environment and the applicability of energy-saving mechanisms for IoT security solutions. Finally, section 6 concludes this paper.

2. Related works

Several surveys have been led to deal with security issues in the IoT. Most of these studies aim to review existing security protocols and solutions. For instance, Atzori et al. present in [1] a general survey on the IoT evoking some limits of security and privacy solutions, as well as the related open issues that can be addressed. The same observation can be made for the survey of Miorandi et al. [2].

Other surveys tackle a specific security service in the IoT. The work of Roman et al. [3] evaluates existing key management systems for wireless sensor networks (WSNs) in the IoT context. It covers public-key cryptography, pre-shared key strategies, and link-layer oriented key management systems. In [4], Yan et al. present a survey on the trust management issue for the Internet of Things. The authors identify objectives of trust management systems and evaluate existing solutions for the IoT. Nguyen et al. focus in [5] on bootstrapping in the context of the IoT. They provide a taxonomy of existing security protocols proposed for a secure bootstrapping process in WSNs and the IoT. They also discuss their applicability and limitations.

Other surveys led in IoT security address the deployment and the architectural aspects of this network. The authors in [6] focus on security and privacy in the distributed IoT. They evoke the distributed approach features, analyze attacker models and explore existing security solutions. In another study, Granjal et al. [7] deal with the way security should be addressed when connecting objects to the Internet. The paper focuses on strategies for integrating low-power WSNs with the Internet, and the required security depending on the integration approach. The deployment of the IoT is associated with the development of new communication protocols and standards. In the work of Granjal et al. [8], the authors address security in IoT communication standards. They consider a stack of standardized communication protocols designed for the IoT. Then, they discuss security and open issues for each communication protocol of the stack.

Security proposals are also related to projects and middleware solutions. Sicari et al. [9] lead a survey in the field of IoT security. They analyze available solutions regarding security, trust and privacy, as well as existing projects and middlewares that deal with these issues.

IoT security and privacy issues can also be seen from a legal point of view. In [10], Weber addressed IoT security from this perspective. He presents security and privacy needs, and discusses milestones for the establishment of an adequate legal framework by an international legislator.

Table 1: Surveys on security in the Internet of Things

Survey reference | Survey targets in terms of security
[1, 2] | General open issues in IoT security
[3] | KMS for WSN in the context of the IoT
[4] | Trust management solutions and challenges
[5] | Solutions for a secure bootstrapping process
[6] | Security & privacy issues in distributed IoT
[7] | Security solutions of Internet-integrated WSNs
[8] | Security for IoT communication standards
[9] | Security, privacy, trust requirements and solutions
[10] | Legislative security and privacy challenges

This survey differs from the mentioned studies in the way it tackles IoT security. Indeed, a great number of solutions have been proposed to ensure the effectiveness of network security. Energy remains a key factor when it comes to IoT security, since resource-constrained objects are expected to operate autonomously for a long time. On the other hand, there have been several works dealing with energy-saving problems in security. The mentioned surveys focus more on studying solutions that are adequate for the IoT (a summary is provided in Table 1), mainly energy-efficient solutions. The goal of this work is to survey techniques that allow developing energy-efficient security solutions.
This approach provides a guideline and helps security protocol designers to develop energy-efficient solutions. No such approach is used in the previous surveys. In order to achieve the established objective of the survey, we start in the next section by presenting some security services that can be addressed in the IoT, while highlighting the related energy consumption.

3. Security services in the IoT

Security can be ensured by applying specific services to provide protection from attacks. Indeed, security services are distinguished according to the countermeasures required to face threats. In the following of this section, some security services that can be used in the IoT are presented (1). This section also deals with the resource consumption related to the security services.

(1) Note that other security services might be required for the IoT, such as trust management. This section is interested in energy-consuming security services, which are the target of this survey.

3.1. Confidentiality

Data confidentiality is a security service which ensures that the contents of a given message cannot be available to an unauthorized party. It is performed by encrypting messages, using symmetric or asymmetric cryptography, so that they can be decrypted only by the authorized party. Due to their low consumption cost, symmetric cryptography schemes have been widely used in constrained networks such as WSNs. Many evaluations, such as [11, 12], show that symmetric ciphers (like AES [13], RC5 [14] or Skipjack [15]) are fully suitable for constrained objects. However, key management in symmetric cryptography becomes a problem when the network scales. In the IoT, the scalability issue arises with more acuity. Indeed, since 2006, authors such as Lopez [16] have highlighted the limit of using symmetric cryptography for WSNs. On the other hand, asymmetric cryptography provides efficient key management, but induces more consumption compared to symmetric cryptography. Protocols such as RSA [14] or IBE [17], which are widely used in the Internet, are known to be very intensive in terms of computation. Direct application of these protocols to the IoT would be very heavy.

3.2. Authentication and access control

Authentication is a security service used to ensure that entities are who they claim to be (entity authentication), or that the received message is as originated (message authentication). As for access control, it is used to allow or deny entities access to resources according to policies. Access control is generally performed after authenticating the entities/data. Because of its low computation cost, some access control and authentication solutions proposed for constrained networks are based on symmetric cryptography (e.g. [18–20]). This often imposes using mechanisms for pre-distribution of keys. However, this may also make these solutions work only for the applications they are designed for, and may not support large-scale networks. In addition, it is difficult to ensure message authentication with non-repudiation when using symmetric cryptography. Even if some solutions, such as SNEP and µTESLA [21], achieve non-repudiation by emulating asymmetry (through delayed key disclosure and one-way function key chains), the emulation of asymmetric cryptography requires time synchronization and key management with ample storage of keys and messages [22]. This becomes problematic for high-traffic and large-scale networks, such as the IoT. On the other hand, authentication and access control solutions based on asymmetric cryptography would eliminate the need for complicated protocols and increase the security. However, public-key cryptography is considered to be very heavy for constrained nodes, as mentioned previously. For instance, Attribute Based Encryption (ABE) [23] and its related protocols are widely considered to ensure fine-grained access control with scalability management. The issue when considering these protocols for constrained networks, such as the IoT, has to do with their consumption cost.

3.3. Signature/verification

Digital signature is a security service that provides a means for an entity to bind its identity to a piece of information. It ensures authentication, integrity, and non-repudiation. One of the most significant applications of digital signatures is the certification of public keys. Public-key cryptography is the most used for digital signature. Standards such as X.509 and ISO/IEC 9796 are based on public-key cryptography. The RSA cryptosystem [14] or the El-Gamal scheme [24] are examples of the asymmetric cryptography used. However, these asymmetric protocols are so heavy that their direct application to the IoT would be inefficient. Although one-time signature schemes (many of which arise from symmetric-key cryptography) are computationally less expensive, they require changing keys after each use; otherwise, signatures can be forged [25]. This affects the storage and the communication capacities in high-traffic networks, and limits the use of these schemes for some applications.

3.4. Key establishment

Key establishment, or key bootstrapping, is the process that allows transferring settings between two or more parties, for the purpose of sharing cryptographic keys. It is basically required to set up any secure communication channel between nodes (before the network can operate or when a re-keying is needed), and to enable them to perform other security services. Pre-distribution key establishment schemes, commonly known as symmetric-key schemes, involve low computation. They are based on pre-shared credentials (before deployment). Several pre-distribution solutions have been proposed in the literature, mainly for WSNs (such as [26–30]). However, these schemes can work for the local networks they are designed for, and do not address key establishment with a remote entity. Many IoT applications require establishing secure communications between entities without any initial knowledge of each other, or any pre-shared keys. In contrast, asymmetric-key schemes are the most widely considered for the Internet, and do not require any initial knowledge. However, the two categories of asymmetric-key schemes, key transport and key agreement, involve high computations. Key transport protocols (such as the TLS handshake [31]) are based on public-key cryptography, which is commonly known to be resource intensive. Key agreement protocols (such as Internet Key Exchange (IKE) [32] or Host Identity Protocol (HIP) [33]) are also resource intensive as they use asymmetric primitives. In addition, an authentication mechanism might be required for asymmetric-key schemes to bind the key with the communicating peer. This makes asymmetric key establishment schemes very heavy for resource-constrained networks, such as the IoT.

3.5. Discussion

Several security services are required for the IoT and many of them involve heavy primitives. The issue of energy saving in security was tackled in some LLNs. For instance, several key establishment solutions for WSNs are based on pre-distribution (less energy-consuming but not efficient for large-scale networks). However, the IoT comes with new characteristics, such as scalability. This makes some already developed energy-efficient security solutions inappropriate for IoT applications. The problem of energy consumption in security services arises with greater acuity. To understand the reasons behind the consumption overhead, an analysis is led on the application of security services in the context of the IoT. The results of this analysis can be summarized in three levels: heavy operations, size of data, and number of calls. Table 2 provides a summary of the led analysis.

Heavy operations

The most important reason for the consumption related to security services is the heavy operations involved. These operations are mainly used in asymmetric cryptography. Indeed, asymmetric cryptography is based on using hard-to-solve problems in order to make the task of recovering private parameters from public ones extremely difficult [25]. The underlying mathematical operations used for these problems are generally heavy, such as exponentiations and modular exponentiations. Exponentiations ($g^e$) and modular exponentiations ($g^e \bmod p$) are the basis of many cryptographic protocols, such as Diffie-Hellman (DH) [34] (which is the basis of many key agreement protocols) or RSA. These operations are very computationally expensive as the parameters used are generally big for security reasons. Lowering the parameters can reduce the overhead of the operation, but it is not always possible. Watro et al. proposed in [35] an adaptation of the RSA protocol to resource-constrained devices. Their idea relies on the use of smaller parameters such as the exponent. However, this comes at the price of a lower security level [36]. The evaluation performed by Watro et al. [35] on Mica1 motes shows that the RSA exponentiation can take more than 10 seconds, even using small exponents. Another operation that is used in many cryptographic protocols is the bilinear pairing. The latter is applied to enable some security concepts, such as IBE [17] and its variants (whose idea was formulated by Shamir [37] in 1984) or ABE [23] and its variants. However, this is a very costly operation for constrained nodes (the underlying mathematical operations are heavy). In [38], Oliveira et al. show that the execution of the pairing operation on a MicaZ node using their proposed implementation, TinyPBC, requires more than 5.5 seconds. Considering the fact that cryptographic operations generally require at least two pairings, the security service could take more than 11 seconds.

Size of data

A security service is employed with the aim of securing given data. The time consumed in executing a security service is proportional to the data size: the bigger the data, the longer it takes to run. The energy consumption depends directly on this fact. The size of data concerns not only the data to process, but also the meta-data related to the security protocol. Indeed, in security protocols that specify communication aspects (e.g. Internet Protocol security (IPsec) [39], Transport Layer Security (TLS) [40], or Datagram TLS (DTLS) [41]), a packet header is considered. The size of this header also affects the energy overhead, as it is sent and received by the constrained nodes.

Number of calls

Another aspect that affects the consumption overhead of applying security services is the number of calls. This parameter is related to the manner of use of the security service and the number of times it needs to be requested. Let us take for example a key establishment protocol that is relatively heavy (in the order of a few seconds or dozens of seconds). A constrained node can support this protocol as it is executed only once at the beginning. However, if this phase is called several times (e.g. due to re-keying), the consequences on energy can be critical. A frequent use of a security service will have a big impact on the consumption compared to only a few uses.
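The "heavy operations" level above is easiest to appreciate by counting what a modular exponentiation actually does. The following Python example is added here and is not code from the surveyed paper or from any work it cites: it instruments a plain square-and-multiply $g^e \bmod p$ so the number of modular multiplications is returned alongside the result, which makes visible why a small exponent (the idea behind Watro et al.'s RSA adaptation) is cheap and a full-size one is not, and then applies the same counter to a Diffie-Hellman agreement, where each call of the service costs two exponentiations per party. The modulus 2039 and the exponents are constructed toy values; the multiplication counts depend only on the exponent.

```python
"""Cost model for the 'heavy operations' behind asymmetric cryptography.
Constructed example (not code from the surveyed paper): it counts the modular
multiplications a square-and-multiply exponentiation performs, which is what
makes exponent size matter, and applies the counter to a Diffie-Hellman exchange."""


def modexp_counted(g: int, e: int, p: int):
    """Left-to-right square-and-multiply for g^e mod p, e >= 1.
    Returns (result, number_of_modular_multiplications).  An exponent of bit
    length L and Hamming weight H costs (L - 1) squarings plus (H - 1) multiplications."""
    if e < 1:
        raise ValueError("exponent must be positive")
    bits = bin(e)[2:]
    result, mults = g % p, 0
    for bit in bits[1:]:            # the leading 1 bit is absorbed by starting at g
        result = result * result % p
        mults += 1
        if bit == "1":
            result = result * g % p
            mults += 1
    return result, mults


def exponent_cost(e: int) -> int:
    """Closed-form count matching modexp_counted: (L - 1) + (H - 1)."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def dh_costs(p: int, g: int, priv_a: int, priv_b: int):
    """One Diffie-Hellman agreement: each side computes its public value and then
    the shared secret, i.e. two exponentiations per call of the service.
    Returns (shared_secret, mults_for_A, mults_for_B)."""
    pub_a, c_a1 = modexp_counted(g, priv_a, p)
    pub_b, c_b1 = modexp_counted(g, priv_b, p)
    k_a, c_a2 = modexp_counted(pub_b, priv_a, p)
    k_b, c_b2 = modexp_counted(pub_a, priv_b, p)
    assert k_a == k_b
    return k_a, c_a1 + c_a2, c_b1 + c_b2


if __name__ == "__main__":
    # Constructed toy modulus; the counts do not depend on p, only on the exponent.
    p = 2039
    for e in (3, 65537, (1 << 1024) - 1):
        print(e.bit_length(), "bit exponent ->", modexp_counted(5, e, p)[1], "multiplications")
    print("DH with private exponents 7 and 13:", dh_costs(p, 4, 7, 13))
```

Run as a script it prints 2 multiplications for $e = 3$, 17 for $e = 65537$ and 2046 for an all-ones 1024-bit exponent; multiplying those counts by the per-multiplication cost of a given mote, and by the number of calls of the service, gives the kind of budget the three levels in Table 2 describe.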
Table 2: Analysis on causes of consumption when applying security services

The cause | Justification
Heavy operations | The underlying operations used in asymmetric cryptography are generally heavy
Size of data | The size of data is proportional to the overhead of energy consumption
Number of calls | Frequent use of a security service can have a big impact on consumption

It appears that many security protocols required in the IoT are computationally intensive. This raises the necessity for mechanisms allowing to reduce energy consumption in security solutions. The next section is devoted to reviewing energy-efficient techniques in security.

4. Energy-efficient techniques in security

In this section, the major existing mechanisms used to save energy in security services are reviewed. Relevant solutions that use these techniques are also presented. The proposed taxonomy of energy-efficient mechanisms is summarized in Figure 1.

Figure 1: The proposed taxonomy of energy-saving mechanisms in security protocols (tree diagram; the categories recoverable from the figure are: On-line/off-line security: Operation-centered, Service-centered; Outsource security: Trusted assistance, Semi-trusted, Untrusted assistance; Adaptive security: Threat-centered, Data-centered; Low-power security protocols: Asymmetric protocols, Symmetric protocols, Phy layer security protocols; Size compression: Header compression, Ciphertext compression; Hybridization: Hybridization of mechanisms, Hybridization of protocols)

4.1. On-line/off-line security

The concept of on-line/off-line security consists in transforming the cryptographic scheme into two phases. The first one is performed off-line, before the start of the security service (before knowing the destination, the message to encrypt or to sign, etc.). This phase is supposed to absorb a part of the cryptographic overhead by calculating and storing the results of some costly operations that are required. The second phase is performed on-line. It uses the stored results of the first one, and is supposed to be very fast [42, 43]. Therefore, on-line/off-line security can reduce energy consumption by moving the off-line phase before the deployment (or to when an external energy source is available) and performing on-line only the second phase, rather than the overall cryptographic scheme.

The on-line/off-line approach implies changes in the cryptographic algorithm of the security scheme, in order to build the two phases. The more heavy operations are moved to the off-line phase, the more energy consumption will be reduced for the scheme. Obviously, what is moved to the off-line phase has to be calculable before the start of the security service (2). This constitutes the difficulty of applying an on-line/off-line approach, as some heavy operations are generally related to data that may not be known in advance (e.g. the message to encrypt, the destination key, etc.). Based on the way to build the two phases, we propose to classify on-line/off-line approaches into two categories: operation-centered and service-centered.

(2) In the following of this paper, the term 'calculable' is used to refer to operations that can be computed before the start of the security service.

4.1.1. Operation-centered

The direct way to apply on-line/off-line security is by moving all operations that can be pre-computed in advance to the off-line phase. This will reduce the consumption related to those parts in the on-line phase. Operation-centered solutions tackle the cryptographic operations level and propose a way to pre-compute these operations.

Some security schemes can be naturally partitioned into on-line and off-line phases. Pelissier et al. propose in [44] a scheme that optimizes energy consumption of stream cipher cryptography in Energy Harvesting Wireless Sensor Networks (EH-WSNs). Stream ciphers are typically performed by applying the XOR operator between the plaintext bytes and the key stream bytes. The latter are typically generated serially from a random seed. The proposed scheme is based on pre-computing and buffering key stream bytes during periods of high energy, so they can be used in the future. Evaluation results using the Trivium stream cipher on ATmega128L and MSP430 show that energy consumption can be decreased by 14%.

In [43, 45], Schnorr presents an on-line/off-line signature scheme for smart cards. It aims at reducing the computation cost for the signer and addresses algorithms based on fixed-base modular exponentiations, such as Brickell-McCurley [46] or El-Gamal [24]. This is achieved by pre-computing and storing a collection of $x_i = a^{r_i} \bmod p$, with $r_i$ being randomly selected. For each signature, the modular exponentiation is computed as a product of the $x_i$. However, Rooij shows in [47, 48] that the scheme can be vulnerable to an attack attempting to retrieve the secret key. Indeed, the combination exponent is no longer guaranteed to be random and dependencies can be created between signatures, which leads to this attack. Since then, other solutions have been proposed to pre-compute modular exponentiations. For example, the proposal in [49] introduces a method to split an exponentiation into a product of a number of exponentiations with more randomness in the outputs. The proposal in [50] is inspired by the one in [49]. It uses a vector addition chains technique to compute the product. It is slightly slower than the method described in [49], but it requires far less memory.

Guo et al. [51] (and other works like [52–55]) address the design of an on-line/off-line scheme for Identity-Based Encryption (IBE) variants, such as Boneh-Boyen IBE [56] or Gentry IBE [57]. In such protocols, neither the message nor the recipient's identity is known during the off-line phase. The idea is based on the addition of a correction factor. Indeed, in the ciphertext of Boneh-Boyen IBE for example, the part containing the destination's ID takes the form $C_0 = (h_1 \cdot g_1^{ID})^s$, and the one containing the message $m$ to encrypt takes the form $e(g_1, g_2)^s \cdot m$ ($e$ denotes the bilinear map while $h_1$, $g_1$ and $g_2$ are elements of a multiplicative cyclic group of prime order, see [56] for more details). For the latter part, $e(g_1, g_2)^s$ can be performed off-line and only a multiplication is required on-line. However, in the former part, the ID is embedded in exponentiations, which are energy-consuming operations. The solution is based on the following correction. In the off-line phase, $C_1$ and $C_2$ are calculated as $C_1 = (h_1 \cdot g_1^{\alpha})^s$ and $C_2 = g_1^{\beta s}$ (with $\alpha$, $\beta$ being random). The node in the on-line phase computes $C_3 = \beta^{-1}(ID - \alpha)$, and adds it to the ciphertext. This requires only one multiplication and one subtraction. The decryptor can recover $C_0$ as $C_0 = C_1 \cdot C_2^{C_3}$. This is possible due to the presence of an algebraic relationship between different identities. Note that these approaches generally use Key Encapsulation Mechanisms (KEM) (3) to speed up the on-line phase.

(3) Key Encapsulation Mechanism (KEM): a technique that consists in encrypting a symmetric key using the original public-key scheme; the data can then be encrypted using the symmetric key.

In [58], Hohenberger and Waters propose on-line/off-line schemes for Attribute-Based Encryption (ABE). As in IBE, neither the message nor the attributes to use for encryption are known during the off-line phase. The authors address the large universe construction variant [59], which presents an algebraic relationship between the attributes (the correction solution is similar to the one presented earlier for IBE). In addition, the authors tackle the key generation phase and propose an on-line/off-line optimization. The bulk of the key generation work can be performed by off-line servers and passed afterwards to the on-line servers, where incoming requests can be rapidly processed (a similar correction solution is used for key generation). The provided performance evaluations show that over 99% of the computational work could be moved to the off-line phase in many scenarios.

4.1.2. Service-centered

The second class of on-line/off-line security is called here 'service-centered'. Unlike the first category, service-centered approaches provide methods to build the two phases without going down to the cryptographic operations level. Service-centered on-line/off-line approaches do not require any advanced knowledge about the protocol's cryptographic operations to build the phases. Some related solutions are presented in the following.

In [42], Even et al. present a method for building on-line/off-line signature schemes. The solution is based on one-time signatures, which are very fast. The off-line phase consists in generating pairs of one-time signature/verification keys, and signing the verification ones using the basic signature scheme (an energy-consuming operation). At the on-line stage, the node retrieves an unused pair of one-time keys, and then signs the message using the one-time signature scheme (a fast operation). The verification is performed by first checking the one-time verification key with respect to the basic signature scheme (to validate that it was signed by the sender); then this key can be used to verify the message. However, as stated in other works, this technique increases the size of each signature by a quadratic factor, which is its major drawback (note that the one-time verification key and its signature are both attached to the signed message to enable the verification).

In [60], Shamir and Tauman propose another on-line/off-line signature scheme, based on trapdoor hash functions [61]. A trapdoor hash function, $h$, is a probabilistic function associated with two keys (a public key $HK$ and a private one $TK$). It allows finding collisions when both keys are known. To be more precise, given a message $m$ and an auxiliary $r$, it is difficult to find $m_0, r_0$ such that $h(m, r) = h(m_0, r_0)$ knowing only $HK$. However, they are easy to find when $TK$ is also known. In the off-line phase, the node randomly generates $m_0, r_0$ and computes the hash using $HK$. The result is then signed using the basic signature scheme. When the message to sign, $m$, is known in the on-line phase, the node uses its $TK$ to find $r$ such that $h(m, r) = h(m_0, r_0)$. The verification requires computing $h(m, r)$, before verifying it using the basic signature scheme. Compared to the Even et al. proposal, only $r$ needs to be attached to the signature in order to allow the verification.

In [62], Bianchi et al. propose an on-line/off-line scheme that allows supporting the CP-ABE protocol [63] in EH-WSNs. The difficulty in applying such a scheme to ABE lies in the fact that, in addition to the message not being known in the off-line phase, the attributes (access policy) are not known either. The proposed solution uses KEM (CP-ABE encrypts session keys off-line, and data are encrypted on-line using the session keys) and is based on the knowledge of the access control policies that can be considered during the application states. When there is an energy surplus, session keys are generated and encrypted using the access control policies that are the most likely to be useful for the given state. A Markov-based model is used to select the best strategies to store the keys and minimize the cache miss probability. However, this technique is applicable only in this context, since information on the destination and access policies is not always available.

Table 3: On-line/off-line security approaches

Ref | Class | Method of precomputation | Network/devices | Security services/protocols
[44] | Operation-centered | Direct | EH-WSN | Authen (Stream ciphers)
[43, 45, 49, 50] | Operation-centered | Factorization of exponentiation | Smart cards | Sign (discrete log-based protocols)
[51] | Operation-centered | Correction technique | / | Confidentiality (IBE)
[58] | Operation-centered | Correction technique on KEM | / | Access control (ABE)
[42] | Service-centered | One-time signature | Smart cards | Signature
[60] | Service-centered | Trapdoor hash function | Mobile devices | Signature
[62] | Service-centered | Knowledge of possible policies | EH-WSN | Access control (CP-ABE)

The difference between on-line/off-line approaches (operation-centered and service-centered) is the way the two phases are built. Operation-centered on-line/off-line solutions identify the heavy operations of the protocol and propose a mechanism to allow their pre-computation. In contrast, service-centered solutions provide a way to build the two phases without requiring going down to the heavy operations. This makes service-centered solutions more generic compared to operation-centered ones. Even the proposal in [62], which tackles the CP-ABE protocol, can be considered for other protocols. A summary of the mentioned on-line/off-line security solutions is provided in Table 3.

security services in WSNs using an FPGA (Xilinx Zynq 7000 FPGA/SoC family). Yussoff et al. present in [70] an outsourcing approach to implement IBE in WSNs. Their solution relies on using an ARM processor (ARM1176JZF-S) instead of a TPM chip. Trusted-based outsourcing solutions are based, mostly, on hardware devices that can be added to the constrained node. This can preserve the helper's trustworthiness.
However, this could be very expensive as it requires equipping every constrained node with a dedicated helper. 4.2. Outsource security 4.2.2. Semi-trusted assistance When a dedicated hardware, such as a TPM, is not available, a node may rely on accessible unconstrained devices to outsource cryptographic operations. However, when doing so, it is very important to ensure that the information the helper gets will not lead to reveal the information to secure. This is required to maintain the confidentiality while outsourcing security. The term ‘semi-trusted’ refers to an entity that performs correctly what it is asked for, but it may attempt to learn more about the the information to secure. Some solutions that consider semitrusted assistants while outsourcing security are presented in the following. Touati et al. present in [71, 72] an outsourcing approach that enables a constrained node to encrypt data using ABE (CPABE [63] and KP-ABE [73]) and store it in a remote server. As explained in their papers, the number of exponentiations to compute increases linearly with the number of attributes. Their approach to compute an exponentiation ga consists in selecting n assisting devices and splitting a into n parts ai , such as the P sum of all ai gives a (a = ni=1 ai ). Then, each assisting device computes the exponentiation gai and the constrained node can have the original exponentiation by multiplying their results Q (ga = ni=1 gai ). Green et al. propose in [74] an approach to outsource the decryption of ABE in cloud storage applications. It aims at reducing the decryption cost for legitimate users requesting data stored in the cloud. In their proposal solution, a user can provide the cloud with a transformation key that allows the cloud to translate the ciphertext into partially decrypted ciphertext, without being able to read anything about the message. The user can then complete the decryption using its secret key with less expensive operations. 
ED M AN US CR IP T The outsourcing approach is based on using cryptographic helpers to compute costly operations. It consists in splitting the cryptographic algorithm into two parts. The first one is executed locally and is supposed to be less computationally intensive. The second one is computed by the cryptographic helpers; it can carry intensive computations. Outsourcing solutions can thus reduce energy consumption by delegating some costly operations to more powerful devices. Outsource security is based on delegating heavy operations to more powerful assistants. However, the involvement of other entities in a task such as security may be very critical. Let us take for instance the CP-ABE protocol [63]. A part of the encryption operation is performed by multiplying the plaintext M with a pairing exponentiation e(g, g)αs . A simple approach to apply the outsourcing is to delegate the computation of e(g, g)αs to an assisting node. However, knowing this exponentiation, the assisting node will be able to recover the plaintext even if it is not intended to that assisting node (division by the exponentiation). Furthermore, if the assisting node returns wrong results, this could lead to a wrong security operation. Depending on the type of assisting nodes and what to delegate, we propose to classify outsourcing approaches in three types: outsource security using trusted assistance, using semitrusted assistance, and using untrusted assistance. AC CE PT 4.2.1. Trusted assistance Outsource security can rely on trusted assistants. These latter are fully trusted and do not present risks for the security service. The heavy operation can therefore be delegated to that assistant without compromising the security. Some outsource security approaches based on trusted assistants are presented in the following. In [36, 64], Hu et al. 
present an implementation providing security services based on RSA and XTEA [65] protocols for WSNs, using assistance from a Trusted Platform module (TPM). TPM is a commodity co-processor that is practical to add. It is a dedicated security chip designed to provide support for cryptographic operations such as key generation, signing and encrypting messages, secure hash algorithm, and random number generation [66]. Kothmayr et al. propose in [67, 68] an approach to enable key establishment in DTLS using assistance from TPMs. Nodes equipped with TPMs can perform fully authenticated handshake to establish secure communications. The rest of the nodes that are not equipped with TPMs perform a variate of DTLS with pre-shared keys. Other solutions are proposed to offer the same assistance as TPMs, but using other types of hardware. In [69], Barbareschi et al. present an implementation to support RSA/AES based 4.2.3. Untrusted assistance Another aspect that can arise when developing outsource security solutions is accuracy. Indeed, even if the assisting device cannot learn anything about the information to secure, returning wrong results would lead to wrong security operations. The term ‘untrusted assistance’ means that the helper device may potentially bug and return inaccurate results. Therefore, in this cases, outsource security solutions need to provide mechanisms to check helper outputs and detect failures. In the following, some approaches that consider untrusted assistants are presented. In [75], authors present a protocol to outsource modular exponentiations (ga mod p) using two untrusted helpers. Their so7 ACCEPTED MANUSCRIPT Semi-trusted assistance In [76], authors propose an approach to outsource the computation of elliptic-curve pairing e(A, B) using one assistant device. The constrained node requests series of pairing that hide A and B, then checks the outputs by comparing those that should give the same result. 
However, this solution still requires from the constrained node to compute multiple exponentiations. [67] / [68] [69] / / [70] / [72] Secret sharing / / [71] Secret sharing / [74] Partially decrypted msg [75] Secret sharing / / Untrusted assistance AN US In their work [77], Ben Saied et al. tackle asymmetric key establishment schemes (key transport and key agreement) for the IoT. They use multiple helpers and propose threshold distributions. The latter allow the receiver to construct the original message if at least k ≤ n parts are received (n being the number of the participating helpers). Indeed, in addition to the fact that the threshold distribution protects against packet loss, it can be used to check accuracy. By constructing and comparing different combinations of k packets from the pool of n packets, it is possible to detect the node providing wrong information. Ref Confidential- Accuracy ity method method [36] / / [64] ED M The key transport proposal of [77] addresses protocols such as TLS handshake. In such protocols, the heavy parts are the asymmetric operations (encrypting the secret with the recipient public key and signing the message). The authors’ solution is based on splitting the secret into n parts and sending each one to a helper, which performs the asymmetric cryptography. The threshold distribution is based on a forward error correction scheme [78], which adds redundancy in packets so that it can be recovered if at least k packets are received. Network/ Security serdevices vices/protocols WSN RSA/XTEA based services IoT Key establishment WSN RSA/AES based services WSN IBE Cloud Access IoT control (KPABE) IoT Access control (CPABE) Cloud Access conbased trol (ABE) CR IP T Trusted assistance lution assumes that at most one of the helpers may deviate from its functionality without knowing which one. 
It is based on breaking a and g into pieces that look random to the helpers (to ensure confidentiality), and then asking them to compute a series of (exponent, base). The constrained node can test the helpers by comparing some outputs that should give the same result. [76] Secret sharing [77] Secret sharing [77] Secret sharing Comparing between outputs Comparing between outputs (k, n) threshold (k, n) threshold Smart cards Exponentiation based protocols Pairing based protocols IoT Key transport IoT Key ment / agree- Table 4: Outsource security approaches 4.3. Adaptive security The second proposal of [77] addresses key agreement protocols based on Diffie-Hellman, such as IKE and HIP. The most expensive parts are the computation of the two modular exponentiations of the DH and the signature. To compute a modular exponentiation ga mod p, the authors propose to split P a into n parts ai , such as ni=1 ai = a mod p. Each helper receives an ai and computes gai mod p. The constrained node applies only n multiplications to get the modular exponentiation Q (ga mod p = ni=1 gai mod p). The signature is also offloaded to the assisting nodes. The threshold distribution is based on Lagrange polynomial interpolation as it is used in [79]. AC CE PT The adaptive approach consists in adjusting or maintaining security measures in varying situations. This can be considered when the internal or the environmental parameters influencing the system security are uncertain after the design time, and changes may occur at runtime [80]. As the IoT is a very dynamic environment, adaptive security can be used to reduce consumption, by adjusting security measures. Indeed, as it is unchanged, static security considers always the worst case, which would consume network resources. As stated in [81], adaptation can be implemented in a parametrical and/or structural manner. In the former, adaptation is associated to changes that may occur in the proprieties and setting of the security method (e.g. 
the key size or the number of operational rounds). In contrast, the structural manner implies changing the security method. For instance, depending on the system current state, the security protocol can be replaced by another one. To adapt security, it is necessary to take the adequate decision about changing security measures. Otherwise, this could compromise the system security. Let’s consider for example an adaptive approach that decreases the security level when the energy becomes scarce (to extend node’s lifetime). A mali- The principle of outsourcing some cryptographic operations to more powerful assistants helps effectively to reduce energy consumption. However, it may introduce security issues. The difference between the three approaches lies in the type of the assisting node. When the latter is trusted, any part can be offloaded to the helper without any security concern. As semitrusted helpers present a risk for data confidentiality, the offloaded part must not lead to revealing the data to secure. In the same way, when using assisting nodes that may potentially bug and return wrong results, the outsource solution has to consider a mechanism that verifies the results. Table 4 provides a summary of the studied outsource security approaches. 8 ACCEPTED MANUSCRIPT cious node can exploit this state of fact and take the advantage if the energy is scarce. Demonstrations showed that attackers can hack less secured part of a system and get access to more important parts [82]. We propose to classify adaptive security solutions, based on the considerations used to take decisions, into two types: threat-centered and data-centered. Indeed, two elements are distinguished in this kind of security: the data to secure and against whom this has to be done. AC CE PT ED M AN US CR IP T 4.3.1. Threat-centered One way to adapt security consists in evaluating threats. 
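The on-line/off-line signature construction of Section 4.1.2 (Shamir and Tauman [60]) can be seen end to end in the following added example, which is not code from the survey or from [60]. The base scheme that is run off-line is a textbook Schnorr signature, the trapdoor hash is the discrete-log chameleon hash h(m, r) = g^m · HK^r with HK = g^TK, and the group is Z_p^* for the Mersenne prime p = 2^127 − 1 with exponents reduced modulo p − 1. These are toy choices of this example (a deployment would use a prime-order group such as an elliptic curve and a vetted signature scheme); the point is that the on-line step is a single modular subtraction and multiplication, and that only r travels with the signature.

```python
"""On-line/off-line signing in the style of Shamir and Tauman: the base signature is
computed off-line over a trapdoor (chameleon) hash of a dummy message, and the
on-line step only finds a hash collision for the real message.

Added example, not code from the survey or from [60]. Toy choices, labelled as such:
the group is Z_p^* for the Mersenne prime p = 2^127 - 1 (exponents reduced mod p - 1)
and the "expensive" base scheme is a textbook Schnorr signature over the same group.
"""
import hashlib
import math
import secrets

P = (1 << 127) - 1   # toy prime modulus (assumption of this example)
ORDER = P - 1        # size of the exponent group of Z_p^*
G = 3                # base element (assumption; correctness holds for any element)


def _hash_to_exp(*parts: bytes) -> int:
    """Hash length-prefixed byte strings into an exponent in [0, ORDER)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(h.digest(), "big") % ORDER


# --- base signature scheme (the costly part, run off-line): Schnorr over Z_p^* ---
def schnorr_keygen():
    sk = 1 + secrets.randbelow(ORDER - 1)
    return sk, pow(G, sk, P)


def schnorr_sign(sk: int, msg: bytes):
    k = 1 + secrets.randbelow(ORDER - 1)
    r = pow(G, k, P)                                  # one modular exponentiation
    e = _hash_to_exp(r.to_bytes(16, "big"), msg)
    return r, (k + sk * e) % ORDER


def schnorr_verify(pk: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = _hash_to_exp(r.to_bytes(16, "big"), msg)
    return pow(G, s, P) == (r * pow(pk, e, P)) % P    # two modular exponentiations


# --- chameleon hash h(m, r) = G^m * HK^r mod p, with HK = G^TK ---
def chameleon_keygen():
    while True:
        tk = 1 + secrets.randbelow(ORDER - 1)
        if math.gcd(tk, ORDER) == 1:                  # TK must be invertible mod ORDER
            return tk, pow(G, tk, P)                  # (TK: private, HK: public)


def chameleon_hash(hk: int, m: int, r: int) -> int:
    return (pow(G, m, P) * pow(hk, r, P)) % P


def chameleon_collide(tk: int, m0: int, r0: int, m: int) -> int:
    """r such that h(m, r) == h(m0, r0): the exponents m + TK*r and m0 + TK*r0 must agree."""
    return (r0 + (m0 - m) * pow(tk, -1, ORDER)) % ORDER   # one subtraction, one multiplication


def msg_to_exp(msg: bytes) -> int:
    return _hash_to_exp(b"msg", msg)


# --- the two phases ---
def offline_phase(sk: int, hk: int) -> dict:
    """Run while idle, message unknown: hash a random dummy (m0, r0) and sign the digest."""
    m0, r0 = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    digest = chameleon_hash(hk, m0, r0)
    return {"m0": m0, "r0": r0, "sigma": schnorr_sign(sk, digest.to_bytes(16, "big"))}


def online_phase(tk: int, token: dict, msg: bytes):
    """Run when the message is known: no exponentiation, only the collision.
    Each token must be used exactly once: two collisions on one token reveal TK."""
    r = chameleon_collide(tk, token["m0"], token["r0"], msg_to_exp(msg))
    return token["sigma"], r          # r is the only extra field attached to the signature


def verify(pk: int, hk: int, msg: bytes, sig) -> bool:
    sigma, r = sig
    digest = chameleon_hash(hk, msg_to_exp(msg), r)
    return schnorr_verify(pk, digest.to_bytes(16, "big"), sigma)


def demo() -> bool:
    sk, pk = schnorr_keygen()
    tk, hk = chameleon_keygen()
    tokens = [offline_phase(sk, hk) for _ in range(4)]   # batch of pre-signed tokens
    msg = b"temp=37.2C node=7"                          # constructed sample message
    sig = online_phase(tk, tokens.pop(), msg)
    return verify(pk, hk, msg, sig) and not verify(pk, hk, b"temp=39.9C node=7", sig)
```

The verifier's cost is unchanged (one chameleon hash plus a base verification), which is why the construction suits a constrained signer talking to an unconstrained verifier. The one-token-per-message rule in online_phase is the practical caveat: two collisions on the same (m0, r0) give two equations in TK and expose it, so the off-line pool has to be consumed, never reused.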
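The exponent-splitting form of outsourcing described in Section 4.2 ([71, 72] and the key agreement proposal of [77]) and the accuracy check of [75] can be combined in one small simulation, given here as an added example that is not code from those works. The sharing is the additive split they describe (a = Σ a_i, g^a = Π g^(a_i)); the accuracy check is a simplified version of "compare outputs that must agree": every share is sent to two helpers and a third one breaks ties, under the assumption of at most one faulty helper. The modulus p = 2^127 − 1, the helper functions and the off-by-one bug are all assumptions of this example. The last function reproduces the CP-ABE caveat from the start of Section 4.2: a helper that computes the whole masking exponentiation can strip the mask from the ciphertext.

```python
"""Outsourcing g^a mod p to helpers: additive sharing of the exponent hides a from
each individual (semi-trusted) helper, and a redundancy check identifies a single
faulty (untrusted) helper.

Added example, not code from [71, 72], [75] or [77]. The modulus p = 2^127 - 1 is a
toy choice and the helpers are simulated by local functions (assumptions).
"""
import secrets
from typing import Callable, List, Set, Tuple

P = (1 << 127) - 1   # toy prime modulus (assumption)
ORDER = P - 1        # exponents are reduced modulo the order of Z_p^*

Helper = Callable[[int, int], int]   # helper(base, exponent) -> base^exponent mod P


def split_exponent(a: int, n: int) -> List[int]:
    """n additive shares of a; any n-1 of them are uniform and independent of a,
    so a helper that sees a single share learns nothing about the exponent."""
    shares = [secrets.randbelow(ORDER) for _ in range(n - 1)]
    shares.append((a - sum(shares)) % ORDER)
    return shares


def outsource_exp(g: int, a: int, helpers: List[Helper]) -> Tuple[int, Set[int]]:
    """Return (g^a mod P, indices of helpers caught returning wrong answers).

    Share i goes to helpers i and i+1 (mod n); on disagreement helper i+2 breaks the
    tie. With at most one faulty helper the majority answer is correct. Needs n >= 3.
    """
    n = len(helpers)
    if n < 3:
        raise ValueError("at least three helpers are needed to outvote a faulty one")
    faulty: Set[int] = set()
    result = 1
    for i, a_i in enumerate(split_exponent(a, n)):
        h1, h2, h3 = i, (i + 1) % n, (i + 2) % n
        v1, v2 = helpers[h1](g, a_i), helpers[h2](g, a_i)
        if v1 == v2:
            value = v1
        else:
            v3 = helpers[h3](g, a_i)
            if v3 == v1:
                value, faulty = v1, faulty | {h2}
            elif v3 == v2:
                value, faulty = v2, faulty | {h1}
            else:
                raise RuntimeError("no majority: more than one faulty helper")
        result = (result * value) % P       # n cheap multiplications stay local
    return result, faulty


def honest_helper(base: int, exp: int) -> int:
    return pow(base, exp, P)


def faulty_helper(base: int, exp: int) -> int:
    return (pow(base, exp, P) + 1) % P       # simulated bug: always off by one


def naive_delegation_leaks(g: int, a: int, m: int) -> bool:
    """Delegating the whole masking exponentiation lets the helper unmask the
    ciphertext C = m * g^a although the message was never meant for it.
    Returns True if the helper recovers m (m must be non-zero mod P)."""
    seen = {}

    def curious_helper(base, exp):
        seen["mask"] = pow(base, exp, P)     # the helper simply remembers what it computed
        return seen["mask"]

    ciphertext = (m * curious_helper(g, a)) % P
    return (ciphertext * pow(seen["mask"], -1, P)) % P == m


def demo() -> bool:
    g, a = 5, secrets.randbelow(ORDER)
    expected = pow(g, a, P)
    ok_result, ok_faulty = outsource_exp(g, a, [honest_helper] * 3)
    bad_result, bad_faulty = outsource_exp(g, a, [honest_helper, faulty_helper, honest_helper])
    return (ok_result == expected and ok_faulty == set()
            and bad_result == expected and bad_faulty == {1}
            and naive_delegation_leaks(g, a, 0x5EC4E7))
```

Two things the code makes concrete: the constrained node never performs an exponentiation, only n multiplications and a few comparisons, and the redundancy costs two to three helper queries per share. The check relies on helpers not colluding; two colluding helpers that share their pieces recover a, which is exactly why the semi-trusted and untrusted classes above are kept distinct.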
4.3.1. Threat-centered
One way to adapt security consists in evaluating threats. If there is no risk, applying security measures is not required, and doing so would consume resources unnecessarily. Threat-centered adaptive security approaches rely on evaluating threats in order to adapt security dynamically rather than systematically considering the worst case. Some threat-centered adaptive security solutions are presented in the following.

In [83], Li et al. propose a trust-based model to adapt routing security in Mobile Ad hoc Networks (MANETs). Rather than requesting and verifying certificates at every routing step, the proposed solution skips this when a node trusts the one it interacts with. Chigan et al. propose in [84] a framework that provides adaptation of security services for MANETs. A preliminary off-line module selects a cross-layer set of protocols with the desired level of security; at run time, an on-line self-adaptation module adapts the security depending on the trust evaluation of the surroundings. In [85], Younis et al. propose a trust-based adaptive approach for data routing security in WSNs. The data transmitted among the nodes can be encrypted at varying levels according to the trust of the path, which is determined by the least trusted node on the path. However, trust evaluation in these solutions is based on classical metrics such as packet drop rate and medium access collisions, which might not provide good reasons for changing the security level (e.g. an increase in the packet drop rate does not mean that the encryption level has to be increased). Indeed, trust management systems are designed to deal with selfish behaviors and internal attacks, not to assist cryptographic measures.

In another solution, Hellaoui et al. [86] tackle this issue and propose a trust-based adaptive security model for the IoT. Rather than systematically applying data origin authentication at each hop, their solution allows a node to perform it only when required, depending on the trust level of the message sender. Here, a node's behavior is its capacity to send authenticated messages. However, as stated by the authors, their solution still needs to consider untrustworthy recommendations.

Hamdi and Abie propose in [87] a Markov game-based model for adaptive security in the IoT, with an emphasis on eHealth applications. A mathematical framework models the dynamic context in which objects operate, including threat and resource models, and a set of strategies is proposed to adapt security in order to cope with threats and resources. However, the authors do not define how a node determines whether another one is compromised. They simulate an epidemic model of virus spread in WSNs, which makes their approach more analytical. The same observation can be made for the work [88] proposed by Wang et al.

4.3.2. Data-centered
Another way to perform adaptation is by evaluating data sensitivity. Rather than considering the surrounding environment to evaluate threats, data-centered approaches focus on the data to secure. Applying security measures to non-sensitive data consumes unnecessary energy. The goal is to adapt security according to data sensitivity rather than always considering the highest level. Some data-centered adaptive security approaches are presented in the following.

In [89], the authors propose an adaptive security model for WSNs. Each application has security requirements associated with it, and security is gradually decreased when the current energy constraints cannot satisfy the application requirements. However, as stated by the authors, lowering the security of the communication increases the potential for attacks, even if only for the data transmitted during these periods. Taddeo et al. [90] propose an adaptive security approach for EH-WSNs. Each packet is associated with a priority level that reflects its importance, and with security requirements that represent the security suites that may be used for the packet. Strategies are defined to maximize the number of delivered high-priority packets and to ensure that the security requirements of each packet are satisfied. Security is lowered only when the system energy constraints cannot be satisfied. However, the authors also point out that lowering security increases the potential for attacks. Unlike [90], Mauro et al. propose in [91] another adaptive solution for EH-WSNs, based on the receiver-initiated paradigm [92] in which the sender waits for the receiver's beacon before transmitting the data. Depending on the amount of available energy, a receiver node adapts its security parameters and announces them to senders in its beacons. Although this allows an honest sender to choose the appropriate receiver according to the packet's criticality, it can also be exploited by a malicious node: if the latter learns that a node has stopped its security measures, it can exploit this situation to inject undesired packets into the network through that node. The approach proposed in [93] introduces a tunable security module for wireless devices. The idea is that the strength of the security services can be adjusted according to the number of years during which the information needs to be protected, and a scheme that maps this number of years to the appropriate security parameters is proposed. However, this relies on the assumption that the number of years during which the information needs to be protected is known.

The key difference between threat-centered and data-centered approaches is the way security is adapted. Whereas the former rely on the evaluation of threats from the surrounding environment to perform the adaptation, the latter focus on the data to secure. This constitutes the major factor in choosing between the two approaches.
In cases where the application can provide specifications about the data criticality, a data-centered approach can be considered to perform the adaptation. Otherwise, it is necessary to be able to evaluate threats in order to make the adequate changes in security. Table 5 provides a summary of the aforementioned adaptive security approaches.

Table 5: Adaptive security approaches
Class | Ref | Decision method | Network/devices | Security services/protocols
Threat-centered | [83] | Trust management | MANET | Sign (hop-by-hop)
Threat-centered | [85] | Trust management | WSN | Conf (end-to-end)
Threat-centered | [86] | Trust management | IoT | Auth (hop-by-hop)
Threat-centered | [87] | Game theory | IoT | Auth (hop-by-hop)
Threat-centered | [88] | Markov process | IoT | Conf+Auth (hop-by-hop)
Data-centered | [89] | Data criticality | WSN | Auth
Data-centered | [90] | Data criticality | EH-WSN | Conf+Auth
Data-centered | [91] | Data criticality | EH-WSN | Conf+Auth (hop-by-hop)
Data-centered | [93] | Data lifetime | Wireless devices | Conf+Auth

Both approaches involve services at different levels. However, notice that a threat-centered approach is more difficult to apply to end-to-end security than a data-centered one. Indeed, an end-to-end threat-centered solution has to consider threat evaluation along the whole communication path. In contrast, being almost independent of the threats in the surrounding environment, data-centered approaches can easily be considered for end-to-end security.

4.4. Implementation using low-power security protocols
Many old security algorithms and protocols were designed without taking resource consumption into consideration. The emergence of pervasive computing raises the need for lightweight security protocols, which has generated a fruitful field of work for mathematicians aiming at providing efficient security protocols that require less energy. Indeed, by implementing (or re-implementing) security solutions on the basis of low-power security protocols, energy consumption can be effectively reduced. This section gives an overview of some of the best-known security protocols that are low-power by nature. It includes asymmetric encryption, symmetric encryption, and physical layer security protocols, which are not based on encryption.

4.4.1. Asymmetric protocols
In public-key cryptography, the key pair has to be chosen so that deriving the private key from its corresponding public key is equivalent to solving an intractable computational problem. For example, the security of the RSA cryptosystem is based on the hardness of the Integer Factorization Problem (IFP), and the security of the El-Gamal cryptosystem and its variants, such as DSS, is based on the hardness of the Discrete Logarithm Problem (DLP). The underlying problem impacts the performance of the cryptosystem and of the security services, since it determines the size of the domain, the key parameters and the arithmetic operations [25]. Other mathematical problems whose intractability can serve as a basis for public-key cryptography have been proposed. The following presents some asymmetric cryptosystems that can be considered for constrained devices (a summary is provided in Table 8).

Rabin's scheme
Rabin's scheme [94] is an old algorithm based on the Integer Factorization Problem (IFP); its security is therefore similar to that of RSA. The main feature of this algorithm is the computational asymmetry between encryption and decryption: the former is very fast compared to the latter, which is similar to RSA with the same parameters. This makes Rabin's scheme interesting for constrained networks that only need to perform encryption or signature verification. Proposals such as [95, 96] use Rabin's scheme to implement security solutions for IoT devices ([95] considers a WSN application with nodes consisting of an 8-bit Atmel microcontroller and a Spartan-IIE FPGA, while [96] considers passive RFID tags).

ECC
Elliptic Curve Cryptography (ECC) is a public-key cryptography approach applicable to encryption and digital signature [97]. It is based on the difficulty of computing discrete logarithms in the group of points of an elliptic curve (the Elliptic Curve Discrete Logarithm Problem, ECDLP). The main operation of ECC is the scalar multiplication, which is quite heavy. However, the security level provided by RSA can be achieved by ECC with much smaller key sizes. This in turn benefits the performance of the underlying arithmetic operations (faster computation) and positively impacts the amount of data transmitted and stored. Table 6 compares the key sizes required by RSA and ECC for the same security level.

Table 6: Key sizes comparison between RSA and ECC for equivalent security levels [98]
Security level (bits⁴) | RSA key size (bits) | ECC key size (bits)
80 | 1024 | 160
112 | 2048 | 224
128 | 3072 | 256
192 | 8192 | 384
256 | 15360 | 512

⁴ "Bits" is the parameter used to express equivalent security levels (for comparison). A security level of k bits means that the best known algorithm for breaking the system takes approximately 2^k steps.

Many works, such as [99, 100], show that ECC is better suited than RSA for small devices. The evaluation in [99] considers two 8-bit processors (Chipcon CC1010 and Atmel ATmega128), while [100] also uses the Atmel ATmega128. ECC guarantees smaller key sizes and faster computation, as well as energy and bandwidth savings. In addition, several protocols have been derived from ECC, such as the Elliptic Curve Digital Signature Algorithm (ECDSA), Elliptic Curve Diffie-Hellman (ECDH) and the Elliptic Curve Integrated Encryption Scheme (ECIES) [98].

McEliece
McEliece is a public-key cryptosystem based on Algebraic Coding Theory (ACT) [101]. Its security relies on error-correcting codes and on the problem of decoding an arbitrary linear code. Encryption consists in multiplying the plaintext by a matrix and then adding a random error vector; the matrix is the public parameter, a generator matrix of some linear code. The decryptor recovers the message by treating the ciphertext as a codeword received with errors. These operations make McEliece very fast: research works such as [102–104] show that McEliece is much faster than classical cryptosystems like RSA or El-Gamal. The main drawback of McEliece is the size of the public key (the matrix). Compared to cryptosystems such as RSA, McEliece public keys are very expensive to store (a summary is provided in Table 7, from [105]). This is why McEliece has received little attention for constrained networks [25]. Nevertheless, some solutions, such as [103, 104], propose implementations of McEliece for embedded devices such as FPGAs (Xilinx families). Even if FPGAs are less constrained than other devices, they remain part of the IoT.

Table 7: Key sizes of McEliece and RSA for equivalent security levels [105]
Security level (bits) | McEliece public key size (bits) | RSA key size (bits)
80 | 460647 | 1024
128 | 1537536 | 3072
256 | 7667855 | 15360

NTRU
NTRU (N-th degree TRUncated polynomial ring) is a public-key cryptosystem used for encryption and digital signature [106]. It is based on the Shortest Vector Problem (SVP). NTRU operations are built on a polynomial ring, which makes this cryptosystem quite fast compared to systems like RSA, El-Gamal or ECC. Many evaluations, such as [22, 107–109], show that NTRU involves less resource consumption on different devices, including FPGAs and microcontrollers: it requires less memory and less computation than the other public-key cryptosystems, and is faster than RSA and ECC. NTRU has a reasonable key size compared to McEliece, but it has the worst message expansion for encryption and signature [108], which can affect storage and communication capacities.

Table 8: Low-power cryptography solutions
Scheme | Year | Computational problem | Properties
Rabin | 1979 | IFP | Encryption is faster than decryption; decryption is comparable in speed to RSA
ECC | 1985 | ECDLP | Faster than RSA; smaller keys and certificates
McEliece | 1978 | ACT | Fast encryption and decryption; large public parameters
NTRU | 1998 | SVP | Fast encryption and decryption; large message expansion

Different low-power cryptosystems have been proposed, and lightweight security services (confidentiality, digital signature, authentication, etc.) can be built on them. Energy consumption can be effectively reduced by implementing security services on low-power cryptography rather than on heavy cryptography. As shown in Table 8, each cryptosystem has its own properties (advantages and drawbacks), and the choice of a scheme can be made depending on the application. For example, Rabin's scheme can be efficient for applications requiring only encryption and signature verification, and objects with relatively sufficient memory can use security services based on the McEliece cryptosystem. From the surveyed work, it can be noted that ECC is the most used of the low-power cryptosystems: many solutions for constrained networks use ECC-based services (e.g. ECDSA, ECDH). This is probably due to the trade-off offered by ECC in terms of computation and storage, as constrained nodes are generally limited in energy as well as in storage capacity.
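The computational asymmetry of Rabin's scheme, and the price paid for it, can be seen in the following added example, which is not the code of [94]–[96]. Encryption is a single modular multiplication; decryption needs one exponentiation modulo each prime factor plus a CRT step (the same order of cost as an RSA decryption with the same modulus) and produces four candidate plaintexts, so the plaintext needs redundancy for the decryptor to pick the right one. The key (the Mersenne primes p = 2^107 − 1 and q = 2^127 − 1, both ≡ 3 mod 4), the 64-bit trailer tag and the sample message are assumptions of this example; real keys use random primes of at least 1024 bits and a proper redundancy padding.

```python
"""Rabin's scheme: encryption is a single modular squaring, decryption is two modular
exponentiations plus a CRT recombination, and it yields four candidate plaintexts
that need redundancy to tell apart.

Added example, not the code of [94]-[96]. Toy key: p = 2^107 - 1 and q = 2^127 - 1
are both congruent to 3 mod 4, so a square root mod each prime is one exponentiation.
The 64-bit redundancy tag appended to the plaintext is an assumption of this example.
"""
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
TAG_BITS = 64
TAG = 0x5241_4249_4E2D_5441                    # constant trailer that marks the right root
MAX_MSG_BITS = N.bit_length() - TAG_BITS - 2   # keeps the padded message below N


def encrypt(msg: int) -> int:
    """Public-key operation: one multiplication mod N (cheap for a constrained sender)."""
    if not 0 <= msg < (1 << MAX_MSG_BITS):
        raise ValueError("message too long for this key")
    padded = (msg << TAG_BITS) | TAG
    return padded * padded % N


def _sqrt_mod_blum_prime(c: int, prime: int) -> int:
    """Square root of a quadratic residue c modulo a prime congruent to 3 mod 4."""
    return pow(c, (prime + 1) // 4, prime)


def all_roots(c: int):
    """The (up to) four square roots of c mod N, via CRT on the roots mod P and mod Q."""
    mp = _sqrt_mod_blum_prime(c % P, P)          # exponentiation mod P
    mq = _sqrt_mod_blum_prime(c % Q, Q)          # exponentiation mod Q
    yq = pow(Q, -1, P)                           # Q^{-1} mod P
    yp = pow(P, -1, Q)                           # P^{-1} mod Q
    r = (mp * Q * yq + mq * P * yp) % N          # x = +mp (mod P), +mq (mod Q)
    s = (mp * Q * yq - mq * P * yp) % N          # x = +mp (mod P), -mq (mod Q)
    # a non-residue (e.g. a tampered ciphertext) yields values that are not roots: drop them
    return [x for x in (r, N - r, s, N - s) if x * x % N == c]


def decrypt(c: int) -> int:
    """Private-key operation: about the cost of an RSA decryption with the same modulus."""
    candidates = [x for x in all_roots(c) if x & ((1 << TAG_BITS) - 1) == TAG]
    if len(candidates) != 1:
        raise ValueError("ciphertext corrupt or ambiguous: no unique root carries the tag")
    return candidates[0] >> TAG_BITS


def demo() -> bool:
    msg = int.from_bytes(b"hr=72 spo2=98 id=7", "big")   # constructed sample reading
    c = encrypt(msg)
    return len(all_roots(c)) == 4 and decrypt(c) == msg
```

The tag check is what turns the four mathematically valid roots into one plaintext; without it, or with a guessable padding, the decryptor either cannot choose or can be led to accept a chosen root. The same asymmetry holds for signatures: verification is the squaring, signing is the root extraction, which is why the text above recommends the scheme for nodes that only encrypt or only verify.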
4.4.2. Symmetric protocols
Although classical symmetric ciphers are lightweight compared to asymmetric ones (for example, AES is 100 to 1000 times faster than ECC on an 8-bit controller [110]), some recently developed symmetric protocols are even more energy-efficient. The emergence of highly constrained devices led to the development of lightweight symmetric ciphers in both classes of symmetric protocols: block ciphers and stream ciphers.

The most employed symmetric protocols are block ciphers. Stream ciphers can easily be constructed from block ciphers, while some protocols cannot be designed with stream ciphers [25]. Given their wide use, many lightweight block ciphers have been proposed, such as KATAN [111], KLEIN [112], mCrypton [113], Piccolo [114], PRESENT [115], TWINE [116] and EPCBC [117]. However, block ciphers are generally designed to perform well on a single platform (software or hardware). In 2013, the National Security Agency released its own block cipher families, SIMON and SPECK [118], which aim at lightweight and flexible security and achieve good performance in both hardware and software environments. The evaluations provided in the specification document [118] use ASICs and 8-bit microcontrollers; they show good results for these two families compared to many of the aforementioned ciphers in terms of throughput, footprint, etc.

Lightweight stream ciphers have also gained much attention recently. Such protocols are relevant for applications where the plaintext length is either unknown or continuous, like data streams in constrained networks. The eSTREAM project [119] was a major effort, held by the European Network of Excellence for Cryptology, to promote the design of efficient and compact stream ciphers. As a result of the project, a portfolio of new stream ciphers was proposed. It includes HC-128 [120], Rabbit [121], Salsa20 [122] and SOSEMANUK [123], which are efficient in software implementations, and Grain v1 [124], MICKEY 2.0 [125] and Trivium [126], which are hardware-oriented. Other protocols are surveyed in [127].

4.4.3. Physical layer security protocols
Physical layer security is another branch of secure communications, which operates at the physical layer without upper-layer data encryption. It exploits the inherent randomness of the physical channel (such as noise and fluctuations due to fading) to the benefit of legitimate nodes. In this approach, the transmitter encodes messages so as to allow the receiver to obtain the information while preventing an eavesdropper from interpreting the observed message [128]. Physical layer security approaches are less demanding in terms of energy consumption, since they do not rely on heavy operations as classical cryptography does. This makes them very suitable for resource-constrained networks such as the IoT [82, 129].

Two main approaches have emerged from research on physical layer security: transmit coding and secret-key agreement. Transmit coding can achieve confidentiality without the need for a secret key. An initial work on transmit coding is that of Wyner [130], where the adversary on a wire-tap channel observes a degraded version of the message compared to the legitimate node. This work was extended to non-degraded channels [131]. Recently, many efforts have considered wireless fading, multiple antennas and multi-user channels. For instance, the impact of fading on the secrecy capacity is studied in [132, 133], the secrecy capacity with multiple antennas is investigated in [134, 135], while multiple access channels are considered in [136, 137]. Other works on transmit coding are reviewed in [138].

Physical layer security approaches can also be combined with existing cryptosystems to provide key agreement. The idea is to use common correlated sources between nodes, partially unknown to the eavesdropper, to generate a secret key. The possibility for two nodes to agree on a secret key over public channels is demonstrated in [139]: the author shows that noisy communications can be exploited to create correlated sequences at the two nodes, allowing them to agree on a secret key. A closely related work is provided in [140]. Recently, many secret-key agreement approaches have used the reciprocity properties of the wireless channel as a common source of randomness. Such approaches include key generation based on the parameters of wideband multipath channels [141], on the properties of wireless fading channels [142], on the information content of wireless multi-dimensional Gaussian channels [143], etc.

[…] is taken in the execution. Energy consumption is directly related to this parameter. Size compression techniques aim at reducing the consumption by decreasing the data size. This can concern the header related to the protocol or the data to be processed by the cryptographic algorithm.

4.5.1. Header compression
In security protocols that tackle communication aspects, a packet header is also specified. The size of the header directly affects energy consumption, as it is transmitted and received by the constrained node. In [144], Raza et al. address the use of IPsec to secure data exchange in 6LoWPAN sensor networks. When IPsec is used, additional IPv6 extension headers have to be included in each datagram. The authors' proposal provides 6LoWPAN specifications that allow IPsec headers to be encoded and compressed. Compression at the 6LoWPAN layer is generally based on removing fields that are implicitly known to all nodes or that can be inferred from other layers.
This solution allows to keep packet size reasonable for a 802.15.4 frame, and therefore reduces energy consumption while sending packets. Header compression could also decrease the number of blocks to authenticate (when performing data origin authentication, the MAC is applied on the payload and the header). For example, the minimum IPsec header size using a HMAC-SHA1-96 is 24 bytes. After optimal compression, a header size of 16 bytes can be obtained. In another work, Raza et al. [145, 146] propose a header compression solution to reduce consumption. The authors tackle the use of the DTLS protocol to secure CoAP in the context of a network supporting the 802.15.4 standard. Their solution provides specifications to compress DTLS header at the 6LoWPAN layer. The evaluation shows that DTLS header compression reduces energy consumption, especially if the use of uncompressed DTLS involves fragmentation. In [147], Lighfoot et al. show that energy consumption can be reduced by decreasing the header size of the data. Their proposed link-layer security protocol for WSNs achieves this by removing a counter field from the header and replacing it by a synchronous feedback shift register at each pair. AC 4.5.2. Ciphertext compression In addition, some works that focus on the data expressed by users to reduce the processing and the ciphertext size are reported, mainly for ABE protocols. In [148], Cheng et al. present a method to reduce the CPABE protocol consumption, by compressing its attributes. Indeed, the overhead of this protocol increases with the number of attributes expressed by users. The proposal aims at integrating a certain number of attributes expressed with AND gates (att1 AND att2 AND ...) into a single one, called ‘attribute union’. This is done by using a prime number propriety. Every integer which is bigger than 1 can be expressed uniquely as a product of prime divisors. 
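The attribute-union idea (each attribute mapped to a distinct prime, an AND-gate policy mapped to the product of those primes, the product uniquely factorable back into the attribute set) as an added, self-contained example; this is not the authors' code nor the construction of Cheng et al. [148]. The attribute universe is constructed, and the divisibility check for whether a holder's attributes satisfy a union is a hypothetical illustration of why the product loses no information, not a step of the CP-ABE scheme itself.

```python
"""Attribute union for AND-gate policies via a prime mapping (added example).

A CP-ABE policy "att1 AND att2 AND ... AND attN" costs work proportional
to N.  Mapping every attribute to a distinct prime and the conjunction to
the product of its primes collapses N attributes into one integer; by
unique factorisation the integer still determines the attribute set.
"""
from itertools import count


def _primes():
    """Yield 2, 3, 5, 7, ... by trial division (enough for small universes)."""
    found = []
    for n in count(2):
        if all(n % p for p in found if p * p <= n):
            found.append(n)
            yield n


class AttributeUnion:
    """Shared attribute -> prime mapping, agreed by all parties in advance."""

    def __init__(self, universe):
        gen = _primes()
        # Deterministic assignment: the i-th attribute gets the i-th prime.
        self.prime_of = {att: next(gen) for att in universe}

    def union(self, attributes):
        """Map an AND-gate policy (an iterable of attributes) to one integer."""
        value = 1
        for att in set(attributes):  # a repeated attribute counts once
            if att not in self.prime_of:
                raise KeyError(f"unknown attribute: {att!r}")
            value *= self.prime_of[att]
        return value

    def attributes_of(self, value):
        """Invert union(): factor the integer over the known primes."""
        atts = []
        for att, p in self.prime_of.items():
            if value % p == 0:
                atts.append(att)
                value //= p
        if value != 1:
            raise ValueError("value contains a prime outside the universe")
        return sorted(atts)

    def satisfies(self, holder_attributes, policy_value):
        """Hypothetical check: an AND policy holds iff every policy prime
        divides the product of the holder's primes (assumption, not [148])."""
        return self.union(holder_attributes) % policy_value == 0


def compression(policy):
    """Return (attributes in the policy, attributes after union) for a policy."""
    return len(set(policy)), 1


if __name__ == "__main__":
    # Constructed universe for a healthcare-style deployment.
    au = AttributeUnion(["doctor", "cardiology", "hospital_A", "nurse", "night_shift"])
    policy = ["doctor", "cardiology", "hospital_A"]
    u = au.union(policy)
    print("policy", policy, "->", u, "->", au.attributes_of(u))
    print("attributes before/after:", compression(policy))
    print("on-call cardiologist:", au.satisfies(policy + ["night_shift"], u))
    print("doctor from another ward:", au.satisfies(["doctor", "hospital_A"], u))
```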
The solution thus maps each attribute to a prime number and maps the attribute union to the product of the prime numbers. In [149], Chen et al. tackle the same problem and propose a solution for CP-ABE. The construction also addresses the AND gate and proposes a solution based on aggregation. This means that attributes expressed with AND gates are aggregated into one attribute. Other solutions that compact the ABE ciphertext regardless of the policy size expressed by users are proposed, such as [150–152].

4.6. Hybridization

Finally, hybridization can be performed to combine different solutions and benefit from them. This concerns hybridization of energy-saving mechanisms and/or of security protocols. Some examples are mentioned in the following.

4.6.1. Hybridization of mechanisms

Based on the mechanisms presented above, it is possible to combine them in order to reduce consumption. Each mechanism addresses a specific aspect in a specific way to reduce energy consumption. Mechanism combination can be considered for solutions presenting different contexts. For example, in [58] the authors highlight the possibility of combining their solution (on-line/off-line security in ABE) with the one described in [74] (outsource security in ABE). Indeed, the authors' proposal lightens the encryption operation by performing pre-computation; however, this is not considered for the decryption operation. On the other hand, the solution in [74] assumes that the ABE ciphertext might be stored in the cloud and proposes an outsourcing method for users asking for decryption. The combination of these solutions reduces consumption for both encryption and decryption in ABE.

In [153], the authors associate header compression and outsource security to reduce energy consumption in HIP. The latter specifies a header that is heavy for constrained nodes, in addition to the fact that it involves expensive computational operations for both initiator and responder. The proposed solution achieves more optimization and energy saving by considering the two mechanisms.

4.6.2. Hybridization of protocols

Energy consumption can be reduced by mixing protocols. Some protocols are energy-efficient but cannot cope with some IoT characteristics. Others are adapted to an IoT environment, except in terms of energy. Hybrid solutions combine protocols to take advantage of their respective strengths. In [154], Mache et al. propose a hybrid key establishment framework for WSNs. In this solution, resource-constrained nodes use symmetric cryptography and only resource-rich gateways use public-key cryptography. This is done by allowing gateways to vouch for constrained nodes: the latter use less expensive symmetric cryptography, and when the packet reaches a gateway, it uses more expensive public-key cryptography such as digital signatures. In the AGREE framework proposed by Bianchi et al. [62], the CP-ABE overhead is reduced by combining it with a symmetric protocol, such as AES. It is based on encrypting data with the symmetric protocol, and encrypting the symmetric key used with CP-ABE. This is very beneficial, as the size of the symmetric key is generally smaller than the size of the data. In addition, for encryptions with the same policy, CP-ABE is performed only once (to encrypt the symmetric key used).

5. Discussion

The taxonomy proposed in this paper shows that several techniques can be used to reduce energy consumption in security protocols. Many security services are involved and different situations are considered. This section provides an analysis of the considerations and the influencing parameters for applying energy-saving mechanisms. The applicability of energy-saving mechanisms depends on certain factors. More precisely, two parameters that can influence the application of the mechanisms are identified: the deployment environment in which the energy-saving mechanism is applied, and the target protocol. In the following, the energy-efficient mechanisms are discussed according to these parameters. The discussion also emphasizes the consumption causes (heavy operations, size of data and number of calls) identified in section 3.5. Table 11 summarizes this discussion.

Table 11: Applicability of energy-saving mechanisms (influencing parameters: Environment, Protocol; consumption causes: Heavy operations, Data size, Number of calls)

| Mechanism | Environment | Protocol | Heavy operations | Data size | Number of calls | Applicability |
| Outsource security | x | x | x | | | Requires the availability of helper devices. Could be transformed into an on-line/off-line scheme. |
| On-line/off-line security | | x | x | | | Requires the availability of calculable parts. More beneficial in mobile and energy-harvesting applications. Easier to consider for signature than for encryption schemes. Service-centered solutions are more generic (do not depend on a specific protocol). |
| Adaptive security | x | | x | | x | Requires the availability of information on data sensitivity or threat level. Solutions do not depend on a specific protocol. |
| Low-power security protocols | | x | x | | | Requires the availability of an equivalent protocol in a low-power security class. |
| Size compression | | x | | x | | Considered when there is a possibility of reducing the data size. |

On-line/off-line security reduces energy consumption by executing only a part of the entire security scheme. As it is based on pre-computation, the use of this technique does not really depend on the deployment environment. However, some applications can offer more benefits, as the storage space is limited for IoT nodes. One motivating application of on-line/off-line schemes is mobile technology. A mobile object can perform off-line computations and store the results whenever it is plugged into a power source. Once the device is unplugged, it applies light on-line computations using the stored results. The same observation can be made for energy harvesting technology. Constrained devices can take advantage of periods in which outside energy is available to perform pre-computations, and then exploit the results. Several developed solutions such as [44, 58, 62] address this kind of application (see Table 3). It is always possible to apply this mechanism to other networks by performing the off-line phase before deployment.

On-line/off-line security implies pre-computing some calculable operations. Solutions proposed in the literature provide specifications to build the two phases. As mentioned in section 4.1, service-centered on-line/off-line approaches are generic and do not depend on a given protocol. In contrast, operation-centered solutions focus more on how to pre-compute heavy operations and are applicable only to protocols that are based on the operations specified by the solutions. For example, [44] targets stream cipher based protocols; [43] addresses algorithms that are based on fixed-base modular exponentiations; [58] is designed for the ABE protocol, etc. This makes this type of on-line/off-line security dependent on the targeted security protocol.

Heavy operations are the consumption cause tackled by on-line/off-line security (it is about pre-computing and storing some heavy operations). This makes such a technique not dependent on a specific security service, but applicable to any protocol presenting calculable parts. However, the application of this mechanism to encryption schemes is, generally, more difficult than to signature ones. Indeed, a message is encrypted depending on the entity for which it is intended. Thus, in addition to the fact that the message to encrypt is unknown until the on-line phase, the receiver is also unknown. This is not the case in signature schemes, where the node signs all the messages using its private key (see Table 9). The notion of on-line/off-line was introduced in the 1990s, but its first application for public-key cryptography was in 2008 (as claimed by the authors in [51]).

From the conducted work, a link between outsource and on-line/off-line security approaches can be noted. Indeed, both are based on splitting the cryptographic scheme into two parts, and executing only one part. The other part is delegated to an assistant device in the case of outsource security, or pre-computed in the case of on-line/off-line security. An outsource scheme could thus be transformed into an on-line/off-line one by pre-computing the part to be delegated. However, this part has to be calculable in advance so that it can be pre-computed in the off-line phase. One possible application for switching from outsource to on-line/off-line security is mobile environments. A constrained node can lose its assistant devices (due to mobility). Thus, before losing the connection with the helper devices, the constrained node can perform the off-line phase, so as to reduce the consumption in the future. An on-line/off-line scheme could also be transformed into an outsource one by delegating the part to be pre-computed. However, as outsource techniques imply assistance from other devices, special attention has to be paid to the type of helper (trusted, semi-trusted or untrusted) and to what is to be delegated, in order not to compromise the security. This can be considered in mobile environments where a node performing on-line/off-line security can reach assistant devices. For that purpose, it can switch to outsourcing and delegate the pre-computation part to these devices. Table 10 summarizes the link and the properties between the two mechanisms.

Table 9: Dependencies of asymmetric schemes on the used key (signs: - not dependent, + dependent)

| Operation | Dependency on the key | Justification |
| Signature | - | The node uses only its private key for signing |
| Encryption | + | The encryption uses the destination public key |
| Verification | + | The verification key depends on the signer |
| Decryption | - | The node uses its private key for decryption |

Table 10: Link between outsource and on-line/off-line security

| Transformation | How? | Issue | Application environment |
| Outsource to on-line/off-line | Pre-computing the part intended to be delegated | The part has to be calculable in advance | Mobility: when leaving assistant devices |
| On-line/off-line to outsource | Delegating the part intended to be pre-computed | The helper must not compromise security | Mobility: when reaching assistant devices |

On-line/off-line security is still possible for encryption schemes. Many solutions, such as [51–55], are based on correction factors that use algebraic relationships to address encryption schemes. However, this generally comes at the expense of the decryption operation (the correction is performed by the decryptor). In addition, the problem of dependency on the key in encryption schemes is less constraining when destinations can be known, as in the solution proposed in [62].

Outsource security is based on delegating heavy operations to more powerful devices. Its application depends mainly on the deployment environment, as it requires the availability of assisting devices that must be accessible to the constrained node. Some solutions such as [77, 155] exploit the heterogeneity of the IoT to delegate heavy operations to more powerful devices. Other works such as [72, 74] use the cloud for outsourcing, while other solutions such as [36, 64] are based on the availability of TPM modules. Note that, because this mechanism involves other entities, special attention must be paid to what is to be delegated and to the type of assisting devices (trusted, semi-trusted or untrusted), so that the security is not compromised by the assisting nodes.

As is the case for on-line/off-line schemes, outsource security addresses heavy operations as the consumption source (by delegating them), and is not related to a specific service. For instance, [36] addresses RSA and XTEA using a trusted assistant; [71] tackles CP-ABE with semi-trusted helpers; [75] is interested in exponentiation-based protocols using untrusted devices; etc. This makes the application of an outsourcing solution dependent on the target protocol (the target protocol has to be based on the operations specified by the outsourcing solution).

Adaptive security is based on adjusting security measures according to the context. It concerns applications in which changes may occur in the sensitivity of the data to secure or in the threat level of the environment where the security service is deployed. Indeed, the application of adaptive security is directly related to the deployment environment. It requires the availability, at runtime, of information about threats or data sensitivity, so that the security level can be adjusted without compromising security. For example, solutions such as [83–86] are based on the possibility of evaluating the surrounding nodes' trust to adapt security; [89–91] are designed for applications providing information on data criticality. On the other hand, adaptive security solutions do not require knowledge of the target security protocol and its operations to perform adaptation. As mentioned in section 4.3, this can be done in a parametrical or structural manner. The application of adaptive security solutions does not depend on a specific class of security protocols.

Adaptive security reduces energy by adjusting security measures, rather than systematically considering the worst case. This can be done by making changes (parametrical or structural) in the security protocols, or simply by calling the protocol only when it is required. For example, in [90] adaptation is done by changing the encryption key, while in [87] adaptation is performed by applying or not the authentication service. Thus, adaptive security can reduce consumption by targeting heavy operations and/or the number of calls.

Low-power security protocols constitute an alternative to heavy classical cryptosystems. They provide a basis for building energy-efficient security services. Therefore, when considering a given security solution, energy consumption can be reduced by substituting the heavy protocol with a low-power one. This requires the availability of an equivalent low-power protocol. For instance, in a solution requiring key agreement, ECDH can be considered instead of DH. However, a security protocol may not have an equivalent implementation in some low-power security classes. For example, the original McEliece cryptosystem [101] does not allow signing messages, as mentioned by its author (although solutions were proposed later, such as [156]). The consideration of low-power security thus depends on the target protocol.

Low-power security protocols provide efficient services that are based on less heavy operations. This constitutes the consumption cause tackled by low-power security protocols. For example, the main operation of ECC [97] is the scalar multiplication, using smaller parameters (compared to RSA). NTRU operations [106] are built upon a polynomial ring, which is very fast compared to cryptosystems such as RSA and ElGamal that are based on modular exponentiations. Physical layer security protocols do not rely on heavy operations as classical schemes do.

As the execution time and the energy consumption are related to the size of the data, size compression techniques aim at reducing the data size while keeping the same protocol functionalities. Header compression techniques address security protocols that specify communication aspects. This is the case for protocols such as IPsec, TLS or DTLS. In addition, other compression solutions that address the data to process are also reported. These two classes of size compression technique are directly related to the target protocol. Solutions targeting header compression, such as [144–146], are designed for specific protocols where some fields of their headers can be compressed (e.g. they can be deduced from other headers). The same observation can be made for solutions that reduce the data to process.

Obviously, this technique achieves energy efficiency by tackling the size of data as the consumption cause. Solutions such as [144–146] reduce consumption by addressing only the header size, as headers are transmitted and received by the constrained nodes. In addition, in solutions such as [148, 149], the heavy operations are maintained; however, the processing is reduced for some large policies expressed by users.

It appears from this work that many energy-efficient mechanisms are independent from the target platform. For instance, outsource security delegates heavy operations to assisting nodes in order to reduce consumption, on-line/off-line security addresses pre-computing costly operations, adaptive security is based on dynamically changing the security level, while size compression targets reducing the data size. These mechanisms are not related to one specific platform and can operate using different IoT devices. In addition, the presented low-power security protocols are designed for constrained nodes. Performance evaluations related to these protocols are mostly performed using resource-limited devices.

6. Conclusion

The Internet of Things (IoT) has widely spread in many areas (health-care, smart grid, transportation, manufacturing systems, etc.). The sensitivity of these applications justifies the obligation of considering security services in the IoT. The devices involved in the IoT are resource-constrained and intended to operate for a long time. However, many security measures are commonly known to consume energy. This paper deals with the mechanisms involved in energy efficiency in the context of IoT security. Previous surveys focus more on studying IoT security solutions that are efficient in terms of energy. This work goes one step further and addresses the mechanisms that allow developing energy-efficient security solutions. A taxonomy of most energy-saving techniques in IoT security is proposed. Each one is studied, as well as relevant works that use it. The survey shows that each energy-saving technique implies changes in the original security protocol, and some issues may occur. This is why the issues related to the use of energy-saving techniques are discussed. A discussion is also led on the applicability conditions of the mechanisms, and the parameters affecting their use. It appears from this survey that different solutions can be considered to reduce energy consumption in security services. The survey also raises the necessity of performing comparable evaluations, in terms of the saved energy, between the different approaches and mechanisms. Indeed, an effective evaluation must consider comparable environments, such as the same target platforms (e.g. micro-processors, FPGAs, ASICs), the same target protocols, etc. This can be addressed as a perspective of our work. We believe that such a survey may be a contribution to the scientific and the industrial communities, and can help security protocol designers to select the appropriate mechanism and the way to apply it.

References

[1] L. Atzori, A. Iera, G. Morabito, The internet of things: A survey, Computer Networks 54 (15) (2010) 2787–2805. doi:10.1016/j.comnet.2010.05.010. URL http://www.sciencedirect.com/science/article/pii/S1389128610001568
[2] D. Miorandi, S. Sicari, F. D. Pellegrini, I. Chlamtac, Internet of things: Vision, applications and research challenges, Ad Hoc Networks 10 (7) (2012) 1497–1516. doi:10.1016/j.adhoc.2012.02.016. URL http://www.sciencedirect.com/science/article/pii/S1570870512000674
[3] R. Roman, C. Alcaraz, J. Lopez, N. Sklavos, Key management systems for sensor networks in the context of the internet of things, Computers and Electrical Engineering 37 (2) (2011) 147–159, Modern Trends in Applied Security: Architectures, Implementations and Applications. doi:10.1016/j.compeleceng.2011.01.009. URL http://www.sciencedirect.com/science/article/pii/S0045790611000176
[4] Z. Yan, P. Zhang, A. V. Vasilakos, A survey on trust management for internet of things, Journal of Network and Computer Applications 42 (2014) 120–134. doi:10.1016/j.jnca.2014.01.014. URL http://www.sciencedirect.com/science/article/pii/S1084804514000575
[5] K. T. Nguyen, M. Laurent, N. Oualha, Survey on secure communication protocols for the internet of things, Ad Hoc Networks 32 (2015) 17–31, Internet of Things security and privacy: design methods and optimization. doi:10.1016/j.adhoc.2015.01.006. URL http://www.sciencedirect.com/science/article/pii/S1570870515000141
[6] R. Roman, J. Zhou, J. Lopez, On the features and challenges of security and privacy in distributed internet of things, Computer Networks 57 (10) (2013) 2266–2279, Towards a Science of Cyber Security; Security and Identity Architecture for the Future Internet. doi:10.1016/j.comnet.2012.12.018. URL http://www.sciencedirect.com/science/article/pii/S1389128613000054
[7] J. Granjal, E. Monteiro, J. S. Silva, Security in the integration of low-power wireless sensor networks with the internet: A survey, Ad Hoc Networks 24, Part A (2015) 264–287. doi:10.1016/j.adhoc.2014.08.001. URL http://www.sciencedirect.com/science/article/pii/S1570870514001619
[8] J. Granjal, E. Monteiro, J. S. Silva, Security for the internet of things: A survey of existing protocols and open research issues, IEEE Communications Surveys & Tutorials 17 (3) (2015) 1294–1312. doi:10.1109/COMST.2015.2388550. URL http://dx.doi.org/10.1109/COMST.2015.2388550
[9] S. Sicari, A. Rizzardi, L. Grieco, A. Coen-Porisini, Security, privacy and trust in internet of things: The road ahead, Computer Networks 76 (2015) 146–164. doi:10.1016/j.comnet.2014.11.008. URL http://www.sciencedirect.com/science/article/pii/S1389128614003971
[10] R. H. Weber, Internet of things: new security and privacy challenges, Computer Law and Security Review 26 (1) (2010) 23–30. doi:10.1016/j.clsr.2009.11.008. URL http://www.sciencedirect.com/science/article/pii/S0267364909001939
[11] C. Karlof, N. Sastry, D. Wagner, TinySec: A link layer security architecture for wireless sensor networks, in: Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, SenSys '04, ACM, New York, NY, USA, 2004, pp. 162–175. doi:10.1145/1031495.1031515. URL http://doi.acm.org/10.1145/1031495.1031515
[12] Y. W. Law, J. Doumen, P. Hartel, Survey and benchmark of block ciphers for wireless sensor networks, ACM Trans. Sen. Netw. 2 (1) (2006) 65–93. doi:10.1145/1138127.1138130. URL http://doi.acm.org/10.1145/1138127.1138130
[13] J. Daemen, V. Rijmen, AES proposal: Rijndael (1999).
[14] R. L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM 21 (2) (1978) 120–126. doi:10.1145/359340.359342. URL http://doi.acm.org/10.1145/359340.359342
[15] NIST, SKIPJACK and KEA algorithm specifications, version 2.0 (1998).
[16] J. Lopez, Unleashing public-key cryptography in wireless sensor networks, Journal of Computer Security 14 (5) (2006) 469–482.
[17] D. Boneh, M. Franklin, Identity-Based Encryption from the Weil Pairing, Springer Berlin Heidelberg, 2001, pp. 213–229. doi:10.1007/3-540-44647-8_13. URL http://dx.doi.org/10.1007/3-540-44647-8_13
[18] F. Bergadano, D. Cavagnino, B. Crispo, Individual single source authentication on the MBone, in: 2000 IEEE International Conference on Multimedia and Expo, ICME 2000, Vol. 1, 2000, pp. 541–544. doi:10.1109/ICME.2000.869659.
[19] Z. Benenson, N. Gedicke, O. Raivio, Realizing robust user authentication in sensor networks, Real-World Wireless Sensor Networks (REALWSN) 14 (2005) 52.
[20] S. Banerjee, D. Mukhopadhyay, Symmetric key based authenticated querying in wireless sensor networks, in: Proceedings of the First International Conference on Integrated Internet Ad Hoc and Sensor Networks, InterSense '06, ACM, New York, NY, USA, 2006. doi:10.1145/1142680.1142709. URL http://doi.acm.org/10.1145/1142680.1142709
[21] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, D. E. Culler, SPINS: Security protocols for sensor networks, Wirel. Netw. 8 (5) (2002) 521–534. doi:10.1023/A:1016598314198. URL http://dx.doi.org/10.1023/A:1016598314198
[22] G. Gaubatz, J.-P. Kaps, B. Sunar, Public Key Cryptography in Sensor Networks - Revisited, Springer Berlin Heidelberg, 2005, pp. 2–18. doi:10.1007/978-3-540-30496-8_2. URL http://dx.doi.org/10.1007/978-3-540-30496-8_2
[23] A. Sahai, B. Waters, Fuzzy Identity-Based Encryption, Springer Berlin Heidelberg, 2005, pp. 457–473. doi:10.1007/11426639_27. URL http://dx.doi.org/10.1007/11426639_27
[24] T. ElGamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, Springer Berlin Heidelberg, 1985, pp. 10–18. doi:10.1007/3-540-39568-7_2. URL http://dx.doi.org/10.1007/3-540-39568-7_2
[25] A. J. Menezes, S. A. Vanstone, P. C. van Oorschot, Handbook of Applied Cryptography, 1st Edition, CRC Press, Inc., Boca Raton, FL, USA, 1996.
[26] L. Eschenauer, V. D. Gligor, A key-management scheme for distributed sensor networks, in: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS '02, ACM, New York, NY, USA, 2002, pp. 41–47. doi:10.1145/586110.586117. URL http://doi.acm.org/10.1145/586110.586117
[27] D. Liu, P. Ning, Location-based pairwise key establishments for static sensor networks, in: Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, SASN '03, ACM, New York, NY, USA, 2003, pp. 72–82. doi:10.1145/986858.986869. URL http://doi.acm.org/10.1145/986858.986869
[28] H. Chan, A. Perrig, D. Song, Random key predistribution schemes for sensor networks, in: Proceedings of the 2003 IEEE Symposium on Security and Privacy, 2003, pp. 197–213. doi:10.1109/SECPRI.2003.1199337. URL http://dx.doi.org/10.1109/SECPRI.2003.1199337
[29] H. Chan, A. Perrig, PIKE: peer intermediaries for key establishment in sensor networks, in: Proceedings of the IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies, Vol. 1, 2005, pp. 524–535. doi:10.1109/INFCOM.2005.1497920. URL http://dx.doi.org/10.1109/INFCOM.2005.1497920
[30] A. Fanian, M. Berenjkoub, H. Saidi, T. A. Gulliver, A scalable and efficient key establishment protocol for wireless sensor networks, in: 2010 IEEE Globecom Workshops, 2010, pp. 1533–1538. doi:10.1109/GLOCOMW.2010.5700195. URL http://dx.doi.org/10.1109/GLOCOMW.2010.5700195
[31] J. Arkko, E. Carrara, F. Lindholm, M. Naslund, K. Norrman, MIKEY: Multimedia internet keying, IETF RFC 3830, Tech. rep. (August 2004).
[32] C. Kaufman, Internet key exchange (IKEv2) protocol, IETF RFC 4306, Tech. rep. (December 2005).
[33] R. Moskowitz, P. Nikander, P. Jokela, T. Henderson, Host identity protocol, IETF RFC 5201, Tech. rep. (April 2008).
[34] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654. doi:10.1109/TIT.1976.1055638.
[35] Securing sensor networks with public key technology, in: Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, SASN '04, ACM, New York, NY, USA, 2004, pp. 59–64. doi:10.1145/1029102.1029113. URL http://doi.acm.org/10.1145/1029102.1029113
[36] W. Hu, P. Corke, W. C. Shih, L. Overs, secFleck: A Public Key Technology Platform for Wireless Sensor Networks, Springer Berlin Heidelberg, 2009, pp. 296–311. doi:10.1007/978-3-642-00224-3_19. URL http://dx.doi.org/10.1007/978-3-642-00224-3_19
[37] A. Shamir, Identity-Based Cryptosystems and Signature Schemes, Springer Berlin Heidelberg, 1985, pp. 47–53. doi:10.1007/3-540-39568-7_5. URL http://dx.doi.org/10.1007/3-540-39568-7_5
[38] L. B. Oliveira, M. Scott, J. Lopez, R. Dahab, TinyPBC: Pairings for authenticated identity-based non-interactive key distribution in sensor networks, in: 5th International Conference on Networked Sensing Systems, INSS 2008, 2008, pp. 173–180. doi:10.1109/INSS.2008.4610921. URL http://dx.doi.org/10.1109/INSS.2008.4610921
[39] V. Manral, Cryptographic algorithm implementation requirements for encapsulating security payload (ESP) and authentication header (AH), IETF RFC 4835, Tech. rep. (April 2007).
[40] T. Dierks, E. Rescorla, The transport layer security (TLS) protocol version 1.2, IETF RFC 5246, Tech. rep. (August 2008).
[41] E. Rescorla, N. Modadugu, Datagram transport layer security version 1.2.
[42] S. Even, O. Goldreich, S. Micali, On-line/off-line digital signatures, Journal of Cryptology 9 (1) (1996) 35–67.
[43] C. P. Schnorr, Efficient Identification and Signatures for Smart Cards, Springer Berlin Heidelberg, 1990, pp. 688–689. doi:10.1007/3-540-46885-4_68. URL http://dx.doi.org/10.1007/3-540-46885-4_68
[44] S. Pelissier, T. Prabhakar, H. Jamadagni, R. VenkateshaPrasad, I. Niemegeers, Providing security in energy harvesting sensor networks, in: 2011 IEEE Consumer Communications and Networking Conference (CCNC), 2011, pp. 452–456. doi:10.1109/CCNC.2011.5766511.
[45] C. P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology 4 (3) (1991) 161–174. doi:10.1007/BF00196725. URL http://dx.doi.org/10.1007/BF00196725
[46] E. F. Brickell, K. S. McCurley, An interactive identification scheme based on discrete logarithms and factoring, Journal of Cryptology 5 (1) (1992) 29–39. doi:10.1007/BF00191319. URL http://dx.doi.org/10.1007/BF00191319
[47] P. de Rooij, On the Security of the Schnorr Scheme using Preprocessing, Springer Berlin Heidelberg, 1991, pp. 71–80. doi:10.1007/3-540-46416-6_6. URL http://dx.doi.org/10.1007/3-540-46416-6_6
[48] P. de Rooij, On Schnorr's preprocessing for digital signature schemes, Journal of Cryptology 10 (1) (1997) 1–16. doi:10.1007/s001459900016. URL http://dx.doi.org/10.1007/s001459900016
[49] E. F. Brickell, D. M. Gordon, K. S. McCurley, D. B. Wilson, Fast Exponentiation with Precomputation, Springer Berlin Heidelberg, 1993, pp. 200–207. doi:10.1007/3-540-47555-9_18. URL http://dx.doi.org/10.1007/3-540-47555-9_18
[50] P. de Rooij, Efficient exponentiation using precomputation and vector addition chains, Springer Berlin Heidelberg, 1995, pp. 389–399. doi:10.1007/BFb0053453. URL http://dx.doi.org/10.1007/BFb0053453
[51] F. Guo, Y. Mu, Z. Chen, Identity-Based Online/Offline Encryption, Springer Berlin Heidelberg, 2008, pp. 247–261. doi:10.1007/978-3-540-85230-8_22. URL http://dx.doi.org/10.1007/978-3-540-85230-8_22
[52] Z. Liu, L. Xu, Z. Chen, Y. Mu, F. Guo, Hierarchical identity-based online/offline encryption, in: The 9th International Conference for Young Computer Scientists, ICYCS 2008, 2008, pp. 2115–2119. doi:10.1109/ICYCS.2008.290.
[53] J. K. Liu, J. Zhou, An Efficient Identity-Based Online/Offline Encryption Scheme, Springer Berlin Heidelberg, 2009, pp. 156–167. doi:10.1007/978-3-642-01957-9_10.
URL http://dx.doi.org/10.1109/TIT.1976.1055638 R. Watro, D. Kong, S.-f. Cuti, C. Gardiner, C. Lynn, P. Kruus, Tinypk: [50] [51] [52] [53] 17 ACCEPTED MANUSCRIPT [71] L. Touati, Y. Challal, A. Bouabdallah, C-cp-abe: Cooperative ciphertext policy attribute-based encryption for the internet of things, in: Advanced Networking Distributed Systems and Applications (INDS), 2014 International Conference on, 2014, pp. 64–69. doi:10.1109/INDS.2014. 19. [72] L. Touati, Y. Challal, Collaborative kp-abe for cloud-based internet of things applications, in: Communications (ICC), 2016 IEEE International Conference on, 2016. [73] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, in: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS ’06, ACM, New York, NY, USA, 2006, pp. 89–98. doi: 10.1145/1180405.1180418. URL http://doi.acm.org/10.1145/1180405.1180418 [74] M. Green, S. Hohenberger, B. Waters, Outsourcing the decryption of abe ciphertexts, in: Proceedings of the 20th USENIX Conference on Security, SEC’11, USENIX Association, Berkeley, CA, USA, 2011, pp. 34–34. URL http://dl.acm.org/citation.cfm?id=2028067.2028101 [75] S. Hohenberger, A. Lysyanskaya, How to securely outsource cryptographic computations, in: Proceedings of the Second International Conference on Theory of Cryptography, TCC’05, SpringerVerlag, Berlin, Heidelberg, 2005, pp. 264–282. doi:10.1007/ 978-3-540-30576-7_15. URL http://dx.doi.org/10.1007/978-3-540-30576-7_15 [76] B. Chevallier-Mames, J.-S. Coron, N. McCullagh, D. Naccache, M. Scott, Secure Delegation of Elliptic-Curve Pairing, Springer Berlin Heidelberg, Berlin, Heidelberg, 2010, pp. 24–35. doi:10.1007/ 978-3-642-12510-2_3. URL http://dx.doi.org/10.1007/978-3-642-12510-2_3 [77] Y. B. Saied, A. Olivereau, D. Zeghlache, M. Laurent, Lightweight collaborative key establishment scheme for the internet of things, Computer Networks 64 (2014) 273 – 295. 
doi:http://dx.doi.org/10.1016/ j.comnet.2014.02.001. URL http://www.sciencedirect.com/science/article/pii/ S1389128614000437 [78] M. Watson, Basic forward error correction (fec) schemes, rfc 5445, Tech. rep. (2009). [79] A. Shamir, How to share a secret, Commun. ACM 22 (11) (1979) 612– 613. doi:10.1145/359168.359176. URL http://doi.acm.org/10.1145/359168.359176 [80] E. Yuan, N. Esfahani, S. Malek, A systematic survey of self-protecting software systems, ACM Trans. Auton. Adapt. Syst. 8 (4) (2014) 17:1– 17:41. doi:10.1145/2555611. URL http://doi.acm.org/10.1145/2555611 [81] C. T. Hager, Context aware and adaptive security for wireless networks, Ph.D. thesis, Virginia Polytechnic Institute and State University (2004). [82] W. Trappe, R. Howard, R. S. Moore, Low-energy security: Limits and opportunities in the internet of things, IEEE Security Privacy 13 (1) (2015) 14–21. doi:10.1109/MSP.2015.7. [83] X. Li, M. R. Lyu, J. Liu, A trust model based routing protocol for secure ad hoc networks, in: Aerospace Conference, 2004. Proceedings. 2004 IEEE, Vol. 2, 2004, pp. 1286–1295 Vol.2. doi:10.1109/AERO.2004. 1367726. [84] C. Chigan, L. Li, Y. Ye, Resource-aware self-adaptive security provisioning in mobile ad hoc networks, in: Wireless Communications and Networking Conference, 2005 IEEE, Vol. 4, IEEE, 2005, pp. 2118– 2124. [85] M. Younis, N. Krajewski, O. Farrag, Adaptive security provision for increased energy efficiency in wireless sensor networks, in: 2009 IEEE 34th Conference on Local Computer Networks, 2009, pp. 999–1005. doi:10.1109/LCN.2009.5355022. [86] H. Hellaoui, A. Bouabdallah, M. Koudil, Tas-iot: Trust-based adaptive security in the iot, in: 2016 IEEE 41st Conference on Local Computer Networks (LCN), 2016, pp. 599–602. doi:10.1109/LCN.2016.101. [87] M. Hamdi, H. Abie, Game-based adaptive security in the internet of things for ehealth, in: Communications (ICC), 2014 IEEE International Conference on, 2014, pp. 920–925. doi:10.1109/ICC.2014. 6883437. 
URL http://dx.doi.org/10.1109/ICC.2014.6883437 [88] E. K. Wang, T.-Y. Wu, C.-M. Chen, Y. Ye, Z. Zhang, F. Zou, MDPAS: AC CE PT ED M AN US CR IP T URL http://dx.doi.org/10.1007/978-3-642-01957-9_10 [54] S. S. M. Chow, J. K. Liu, J. Zhou, Identity-based online/offline key encapsulation and encryption, in: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’11, ACM, New York, NY, USA, 2011, pp. 52–60. doi: 10.1145/1966913.1966922. URL http://doi.acm.org/10.1145/1966913.1966922 [55] S. S. D. Selvi, S. S. Vivek, C. P. Rangan, Identity Based Online/Offline Encryption and Signcryption Schemes Revisited, Springer Berlin Heidelberg, Berlin, Heidelberg, 2011, pp. 111–127. doi:10.1007/ 978-3-642-24586-2_11. URL http://dx.doi.org/10.1007/978-3-642-24586-2_11 [56] D. Boneh, X. Boyen, Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles, Springer Berlin Heidelberg, Berlin, Heidelberg, 2004, pp. 223–238. doi:10.1007/ 978-3-540-24676-3_14. URL http://dx.doi.org/10.1007/978-3-540-24676-3_14 [57] C. Gentry, Practical Identity-Based Encryption Without Random Oracles, Springer Berlin Heidelberg, Berlin, Heidelberg, 2006, pp. 445–464. doi:10.1007/11761679_27. URL http://dx.doi.org/10.1007/11761679_27 [58] S. Hohenberger, B. Waters, Online/Offline Attribute-Based Encryption, Springer Berlin Heidelberg, Berlin, Heidelberg, 2014, pp. 293–310. doi:10.1007/978-3-642-54631-0_17. URL http://dx.doi.org/10.1007/978-3-642-54631-0_17 [59] Y. Rouselakis, B. Waters, Practical constructions and new proof methods for large universe attribute-based encryption, in: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS ’13, ACM, New York, NY, USA, 2013, pp. 463–474. doi:10.1145/2508859.2516672. URL http://doi.acm.org/10.1145/2508859.2516672 [60] A. Shamir, Y. 
Tauman, Improved online/offline signature schemes, in: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’01, Springer-Verlag, London, UK, UK, 2001, pp. 355–367. URL http://dl.acm.org/citation.cfm?id=646766.704142 [61] H. Krawczyk, T. Rabin, Chameleon signatures., in: Symposium on Network and Distributed Systems Security (NDSS ’00), 2000, pp. 143–154. [62] G. Bianchi, A. T. Capossele, C. Petrioli, D. Spenza, Agree: exploiting energy harvesting to support data-centric access control in {WSNs}, Ad Hoc Networks 11 (8) (2013) 2625 – 2636. doi:http://dx.doi.org/ 10.1016/j.adhoc.2013.03.013. URL http://www.sciencedirect.com/science/article/pii/ S1570870513000607 [63] J. Bethencourt, A. Sahai, B. Waters, Ciphertext-policy attribute-based encryption, in: Security and Privacy, 2007. SP ’07. IEEE Symposium on, 2007, pp. 321–334. doi:10.1109/SP.2007.11. [64] W. Hu, H. Tan, P. Corke, W. C. Shih, S. Jha, Toward trusted wireless sensor networks, ACM Trans. Sen. Netw. 7 (1) (2010) 5:1–5:25. doi: 10.1145/1806895.1806900. URL http://doi.acm.org/10.1145/1806895.1806900 [65] R. M. Needham, D. J. Wheeler, Tea extensions, Report, Cambridge University, Cambridge, UK (October 1997). [66] T. C. Group, Trusted platform module specification, Tech. rep. (2014). [67] T. Kothmayr, C. Schmitt, W. Hu, M. Brnig, G. Carle, A dtls based endto-end security architecture for the internet of things with two-way authentication, in: Local Computer Networks Workshops (LCN Workshops), 2012 IEEE 37th Conference on, 2012, pp. 956–963. doi: 10.1109/LCNW.2012.6424088. [68] T. Kothmayr, C. Schmitt, W. Hu, M. Brnig, G. Carle, {DTLS} based security and two-way authentication for the internet of things, Ad Hoc Networks 11 (8) (2013) 2710 – 2723. doi:http://dx.doi.org/10. 1016/j.adhoc.2013.05.003. URL http://www.sciencedirect.com/science/article/pii/ S1570870513001029 [69] M. Barbareschi, E. Battista, A. Mazzeo, S. 
Venkatesan, Advancing wsn physical security adopting tpm-based architectures, in: Information Reuse and Integration (IRI), 2014 IEEE 15th International Conference on, 2014, pp. 394–399. doi:10.1109/IRI.2014.7051916. [70] Y. M. Yussoff, H. Hashim, M. D. Baba, Identity-based trusted authentication in wireless sensor network, arXiv preprint arXiv:1207.6185. 18 ACCEPTED MANUSCRIPT [96] [97] [98] [99] [100] [101] [102] [103] [104] [105] [106] [107] CR IP T [95] [113] delberg, 2001, pp. 262–272. doi:10.1007/3-540-44709-1_22. URL http://dx.doi.org/10.1007/3-540-44709-1_22 G. Gaubatz, J. P. Kaps, E. Ozturk, B. Sunar, State of the art in ultra-low power public key cryptography for wireless sensor networks, in: Third IEEE International Conference on Pervasive Computing and Communications Workshops, 2005, pp. 146–150. doi:10.1109/PERCOMW. 2005.76. B. Biswas, N. Sendrier, McEliece Cryptosystem Implementation: Theory and Practice, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 47–62. doi:10.1007/978-3-540-88403-3_4. URL http://dx.doi.org/10.1007/978-3-540-88403-3_4 T. Eisenbarth, S. Kumar, C. Paar, A. Poschmann, L. Uhsadel, A survey of lightweight-cryptography implementations, IEEE Design Test of Computers 24 (6) (2007) 522–533. doi:10.1109/MDT.2007.178. C. De Cannière, O. Dunkelman, M. Knežević, KATAN and KTANTAN — A Family of Small and Efficient Hardware-Oriented Block Ciphers, Springer Berlin Heidelberg, Berlin, Heidelberg, 2009, pp. 272– 288. doi:10.1007/978-3-642-04138-9_20. URL http://dx.doi.org/10.1007/978-3-642-04138-9_20 Z. Gong, S. Nikova, Y. W. Law, KLEIN: A New Family of Lightweight Block Ciphers, Springer Berlin Heidelberg, Berlin, Heidelberg, 2012, pp. 1–18. doi:10.1007/978-3-642-25286-0_1. URL http://dx.doi.org/10.1007/978-3-642-25286-0_1 C. H. Lim, T. Korkishko, mCrypton – A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors, Springer Berlin Heidelberg, Berlin, Heidelberg, 2006, pp. 243–258. doi:10.1007/ 11604938_19. 
URL http://dx.doi.org/10.1007/11604938_19 K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, T. Shirai, Piccolo: An Ultra-Lightweight Blockcipher, Springer Berlin Heidelberg, Berlin, Heidelberg, 2011, pp. 342–357. doi:10.1007/ 978-3-642-23951-9_23. URL http://dx.doi.org/10.1007/978-3-642-23951-9_23 A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: An UltraLightweight Block Cipher, Springer Berlin Heidelberg, Berlin, Heidelberg, 2007, pp. 450–466. doi:10.1007/978-3-540-74735-2_31. URL http://dx.doi.org/10.1007/978-3-540-74735-2_31 T. Suzaki, K. Minematsu, S. Morioka, E. Kobayashi, TWINE: A Lightweight Block Cipher for Multiple Platforms, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013, pp. 339–354. doi:10.1007/ 978-3-642-35999-6_22. URL http://dx.doi.org/10.1007/978-3-642-35999-6_22 H. Yap, K. Khoo, A. Poschmann, M. Henricksen, EPCBC - A Block Cipher Suitable for Electronic Product Code Encryption, Springer Berlin Heidelberg, Berlin, Heidelberg, 2011, pp. 76–97. doi:10.1007/ 978-3-642-25513-7_7. URL http://dx.doi.org/10.1007/978-3-642-25513-7_7 R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, L. Wingers, The simon and speck families of lightweight block ciphers. cryptol ogy eprint archive, report 2013/404, 2013. eSTREAM, Stream cipher project, 2004-2008, http://www.ecrypt. eu.org/stream/, accessed: July 2017. H. Wu, The Stream Cipher HC-128, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 39–47. doi:10.1007/978-3-540-68351-3_ 4. URL http://dx.doi.org/10.1007/978-3-540-68351-3_4 M. Boesgaard, M. Vesterager, E. Zenner, The Rabbit Stream Cipher, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 69–83. doi: 10.1007/978-3-540-68351-3_7. URL http://dx.doi.org/10.1007/978-3-540-68351-3_7 D. J. Bernstein, The Salsa20 Family of Stream Ciphers, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 84–97. doi:10.1007/ 978-3-540-68351-3_8. 
URL http://dx.doi.org/10.1007/978-3-540-68351-3_8 C. Berbain, O. Billet, A. Canteaut, N. Courtois, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, H. Sibert, Sosemanuk, a Fast Software-Oriented Stream Cipher, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 98–118. doi:10. 1007/978-3-540-68351-3_9. URL http://dx.doi.org/10.1007/978-3-540-68351-3_9 AN US [94] [112] [114] [115] M [93] [111] ED [92] [110] [116] [117] PT [91] [109] [118] CE [90] [108] [119] [120] AC [89] Markov Decision Process Based Adaptive Security for Sensors in Internet of Things, Springer International Publishing, Cham, 2015, pp. 389– 397. doi:10.1007/978-3-319-12286-1_40. URL http://dx.doi.org/10.1007/978-3-319-12286-1_40 A. V. Taddeo, L. Micconi, A. Ferrante, Gradual adaptation of security for sensor networks, in: World of Wireless Mobile and Multimedia Networks (WoWMoM), 2010 IEEE International Symposium on a, 2010, pp. 1–9. doi:10.1109/WOWMOM.2010.5534903. A. Taddeo, M. Mura, A. Ferrante, Qos and security in energy-harvesting wireless sensor networks, in: Security and Cryptography (SECRYPT), Proceedings of the 2010 International Conference on, 2010, pp. 1–10. A. D. Mauro, X. Fafoutis, N. Dragoni, Adaptive security in odmac for multihop energy harvesting wireless sensor networks, Int. J. Distrib. Sen. Netw. 2015 (2015) 68:68–68:68. doi:10.1155/2015/760302. URL http://dx.doi.org/10.1155/2015/760302 E. Y. A. Lin, J. M. Rabaey, A. Wolisz, Power-efficient rendez-vous schemes for dense wireless sensor networks, in: Communications, 2004 IEEE International Conference on, Vol. 7, 2004, pp. 3769–3776 Vol.7. doi:10.1109/ICC.2004.1313259. P. Keeratiwintakorn, P. Krishnamurthy, Energy efficient security services for limited wireless devices, in: 2006 1st International Symposium on Wireless Pervasive Computing, 2006, pp. 1–6. doi:10.1109/ISWPC. 2006.1613636. M. O. Rabin, Digitalized signatures and public-key functions as intractable as factorization, Tech. rep. 
(1979). G. Murphy, A. Keeshan, R. Agarwal, E. Popovici, Hardware - software implementation of public-key cryptography for wireless sensor networks, in: 2006 IET Irish Signals and Systems Conference, 2006, pp. 463–468. Y. Oren, M. Feldhofer, A low-resource public-key identification scheme for rfid tags and sensor nodes, in: Proceedings of the Second ACM Conference on Wireless Network Security, WiSec ’09, ACM, New York, NY, USA, 2009, pp. 59–68. doi:10.1145/1514274.1514283. URL http://doi.acm.org/10.1145/1514274.1514283 N. Koblitz, Elliptic curve cryptosystems, Mathematics of computation 48 (177) (1987) 203–209. D. Hankerson, A. J. Menezes, S. Vanstone, Guide to elliptic curve cryptography, Springer Science & Business Media, 2004. N. Gura, A. Patel, A. Wander, H. Eberle, S. C. Shantz, Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs, Springer Berlin Heidelberg, Berlin, Heidelberg, 2004, pp. 119–132. doi:10.1007/ 978-3-540-28632-5_9. URL http://dx.doi.org/10.1007/978-3-540-28632-5_9 A. S. Wander, N. Gura, H. Eberle, V. Gupta, S. C. Shantz, Energy analysis of public-key cryptography for wireless sensor networks, in: Third IEEE International Conference on Pervasive Computing and Communications, 2005, pp. 324–328. doi:10.1109/PERCOM.2005.18. R. McEliece, A public-key cryptosystem based on algebraic. P. Loidreau, Strengthening McEliece Cryptosystem, Springer Berlin Heidelberg, Berlin, Heidelberg, 2000, pp. 585–598. doi:10.1007/ 3-540-44448-3_45. URL http://dx.doi.org/10.1007/3-540-44448-3_45 T. Eisenbarth, T. Güneysu, S. Heyse, C. Paar, MicroEliece: McEliece for Embedded Devices, Springer Berlin Heidelberg, Berlin, Heidelberg, 2009, pp. 49–64. doi:10.1007/978-3-642-04138-9_4. URL http://dx.doi.org/10.1007/978-3-642-04138-9_4 S. Heyse, I. von Maurich, T. Güneysu, Smaller Keys for Code-Based Cryptography: QC-MDPC McEliece Implementations on Embedded Devices, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013, pp. 273– 292. doi:10.1007/978-3-642-40349-1_16. 
URL http://dx.doi.org/10.1007/978-3-642-40349-1_16 D. J. Bernstein, T. Lange, C. Peters, Attacking and Defending the McEliece Cryptosystem, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 31–46. doi:10.1007/978-3-540-88403-3_3. URL http://dx.doi.org/10.1007/978-3-540-88403-3_3 J. Hoffstein, J. Pipher, J. H. Silverman, NTRU: A ring-based public key cryptosystem, Springer Berlin Heidelberg, Berlin, Heidelberg, 1998, pp. 267–288. doi:10.1007/BFb0054868. URL http://dx.doi.org/10.1007/BFb0054868 D. V. Bailey, D. Coffin, A. Elbirt, J. H. Silverman, A. D. Woodbury, NTRU in Constrained Devices, Springer Berlin Heidelberg, Berlin, Hei- [121] [122] [123] 19 ACCEPTED MANUSCRIPT [146] S. Raza, H. Shafagh, K. Hewage, R. Hummen, T. Voigt, Lithe: Lightweight secure coap for the internet of things, IEEE Sensors Journal 13 (10) (2013) 3711–3720. doi:10.1109/JSEN.2013.2277656. [147] L. E. Lighfoot, J. Ren, T. Li, An energy efficient link-layer security protocol for wireless sensor networks, in: 2007 IEEE International Conference on Electro/Information Technology, 2007, pp. 233–238. doi: 10.1109/EIT.2007.4374458. [148] Y. Cheng, J. Ren, Z. Wang, S. Mei, J. Zhou, Attributes union in cpabe algorithm for large universe cryptographic access control, in: 2012 Second International Conference on Cloud and Green Computing, 2012, pp. 180–186. doi:10.1109/CGC.2012.13. [149] C. Chen, Z. Zhang, D. Feng, Efficient Ciphertext Policy Attribute-Based Encryption with Constant-Size Ciphertext and Constant ComputationCost, Springer Berlin Heidelberg, Berlin, Heidelberg, 2011, pp. 84–101. doi:10.1007/978-3-642-24316-5_8. URL http://dx.doi.org/10.1007/978-3-642-24316-5_8 [150] J. Herranz, F. Laguillaumie, C. Ràfols, Constant Size Ciphertexts in Threshold Attribute-Based Encryption, Springer Berlin Heidelberg, Berlin, Heidelberg, 2010, pp. 19–34. doi:10.1007/ 978-3-642-13013-7_2. URL http://dx.doi.org/10.1007/978-3-642-13013-7_2 [151] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert, E. 
de Panafieu, C. Rfols, Attribute-based encryption schemes with constant-size ciphertexts, Theoretical Computer Science 422 (2012) 15 – 38. doi:http: //dx.doi.org/10.1016/j.tcs.2011.12.004. URL http://www.sciencedirect.com/science/article/pii/ S0304397511009649 [152] C. Wang, J. Luo, An efficient key-policy attribute-based encryption scheme with constant ciphertext length, Mathematical Problems in Engineering 2013. [153] S. Sahraoui, A. Bilami, Efficient hip-based approach to ensure lightweight end-to-end security in the internet of things, Computer Networks 91 (2015) 26 – 45. doi:http://dx.doi.org/10.1016/j. comnet.2015.08.002. URL http://www.sciencedirect.com/science/article/pii/ S1389128615002558 [154] J. Mache, C. Y. Wan, M. Yarvis, Exploiting heterogeneity for sensor network security, in: 2008 5th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks, 2008, pp. 591–593. doi:10.1109/SAHCN.2008.80. [155] Y. Saied, A. Olivereau, D-hip: A distributed key exchange scheme for hip-based internet of things, in: World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2012 IEEE International Symposium on a, 2012, pp. 1–7. doi:10.1109/WoWMoM.2012.6263785. [156] N. T. Courtois, M. Finiasz, N. Sendrier, How to Achieve a McElieceBased Digital Signature Scheme, Springer Berlin Heidelberg, Berlin, Heidelberg, 2001, pp. 157–174. doi:10.1007/3-540-45682-1_10. URL http://dx.doi.org/10.1007/3-540-45682-1_10 AC CE PT ED M AN US CR IP T [124] M. Hell, T. Johansson, W. Meier, Grain: a stream cipher for constrained environments, International Journal of Wireless and Mobile Computing 2 (1) (2007) 86–93. [125] S. Babbage, M. Dodd, The MICKEY Stream Ciphers, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 191–209. doi:10.1007/ 978-3-540-68351-3_15. URL http://dx.doi.org/10.1007/978-3-540-68351-3_15 [126] C. De Canniere, B. Preneel, Trivium specifications, in: eSTREAM, ECRYPT stream Cipher Project, Citeseer, 2005. [127] C. 
Manifavas, G. Hatzivasilis, K. Fysarakis, Y. Papaefstathiou, A survey of lightweight stream ciphers for embedded systems, Security and Communication Networks 9 (10) (2016) 1226–1246. [128] M. Bloch, J. Barros, Physical-layer security: from information theory to security engineering, Cambridge University Press, 2011. [129] A. Mukherjee, Physical-layer security in the internet of things: Sensing and communication confidentiality under resource constraints, Proceedings of the IEEE 103 (10) (2015) 1747–1761. doi:10.1109/JPROC. 2015.2466548. [130] A. D. Wyner, The wire-tap channel, The Bell System Technical Journal 54 (8) (1975) 1355–1387. doi:10.1002/j.1538-7305.1975. tb02040.x. [131] I. Csiszar, J. Korner, Broadcast channels with confidential messages, IEEE Transactions on Information Theory 24 (3) (1978) 339–348. doi: 10.1109/TIT.1978.1055892. [132] Y. Liang, H. V. Poor, S. Shamai, Secure communication over fading channels, IEEE Transactions on Information Theory 54 (6) (2008) 2470– 2492. doi:10.1109/TIT.2008.921678. [133] P. K. Gopala, L. Lai, H. E. Gamal, On the secrecy capacity of fading channels, IEEE Transactions on Information Theory 54 (10) (2008) 4687–4698. doi:10.1109/TIT.2008.928990. [134] A. Khisti, G. W. Wornell, Secure transmission with multiple antennas i: The misome wiretap channel, IEEE Transactions on Information Theory 56 (7) (2010) 3088–3104. doi:10.1109/TIT.2010.2048445. [135] F. Oggier, B. Hassibi, The secrecy capacity of the mimo wiretap channel, IEEE Transactions on Information Theory 57 (8) (2011) 4961–4972. doi:10.1109/TIT.2011.2158487. [136] Y. Liang, H. V. Poor, Multiple-access channels with confidential messages, IEEE Transactions on Information Theory 54 (3) (2008) 976– 1002. doi:10.1109/TIT.2007.915978. [137] E. Tekin, A. Yener, The gaussian multiple access wire-tap channel, IEEE Transactions on Information Theory 54 (12) (2008) 5747–5755. doi: 10.1109/TIT.2008.2006422. [138] Y. Liang, H. V. Poor, S. 
Hamed Hellaoui is currently pursuing his Ph.D. thesis in computer science at Ecole nationale Supérieure d'Informatique (ESI), Algeria. He holds an engineering degree, a master's degree and a magister degree from the same school. His research interests cover security and energy saving in the Internet of Things.