As mentioned earlier, pairing based cryptography is an emerging trend in cryptography that is strictly related to Elliptic Curve Cryptography. Although much research has been carried out on pairings on standard desktop class computers, not much attention has focused on implementing those complex operations on small and constrained devices. Pairing-based systems have become more and more popular in Public Key Cryptography schemes but it may seem that these operations are far too complex to be calculated in reasonable amount of time on tiny architectures like WSN nodes.
In the literature there are some papers [33], [94] that envisage WSNs as a good ap- plication space for Pairing-Based Cryptography. However, the publications presented so far do not specify any implementation details and the viability of Pairing-Based Cryp- tography in WSNs remains unknown. There are only a few results available which are related to practical deployments of pairings on sensor nodes. So far the only software implementation of pairings was presented by Oliveira et al. in [96]. The TinyTate imple- mentation used TinyECC as the underlying library and targeted the MICAz mote. The following sections provide details of the above implementation and discuss the security parameters required to implement pairings on sensor nodes.
5.2.1 Security parameters
The security levels in pairing-based cryptography depends on the value of the embed- ding degree k. Other important parameters are the group order r and the size of the underlying finite fieldFq. In general, for most pairing applications the parameters q, r
and k must satisfy the following security requirements:
1) The group order r must be large enough so that solving the ECDLP in an order-r subgroup of E(Fq)is infeasible (e.g. using Pollard’s ρ algorithm);
2) The embedding degree k should be sufficiently large so that solving the DLP inFqk
is infeasible (e.g. using the index-calculus method).
With the current state-of-the-art in cryptanalysis setting, r as a 160-bit prime guaran- tees that any attack on the Elliptic Curve Discrete Logarithm Problem will take at least 280steps. In a similar manner choosing k· log2q ≈ 1024 sets a limit of minimum 280steps
for any Discrete Logarithm Problem attack over the extension field. Such values for k, q and r guarantee a security level of the equivalent of 80-bits of security in a symmetric key system. Based on the above conditions, one could use a k = 2 supersingular curve (r 160 bits) with a 512-bit prime p and an extension field size of 1024-bits for a security level of 80-bits. Similar level of security can be also achieved using a k = 6 MNT curve with a 160-bit prime p and an extension field size of 960 bits (r also 160-bits long). Both implementations, however, will have different performance depending on the speed of arithmetic operations inFqandFqk on a given platform.
Table 5.1:Key size comparison in Pairing-Based Cryptography
Symmetric key size Group size (r) Fqk size (k· log2q) Embedding degree (k)
80 160 960-1280 2-8
128 256 3000-5000 12-18
256 512 12000-18000 24-36
Usually on embedded devices, a smaller size ofFqresults in a faster pairing, as arith-
metic operations over large finite fields are very slow on constrained CPU’s. On the other hand, larger values of k require more operations in higher extension fields, which can be expensive without proper optimizations. In any case, the selection of parameters for Pairing-Based Cryptography is not straightforward and should be made with a particu- lar security protocol in mind. Table5.1presents a comparison of different security levels for Pairing-Based Cryptography together with the required security parameters [107]. The security level of 80 bits should be enough for the majority of sensor network applica- tions. Therefore all the implementations presented in this chapter conform to this level.
Looking at the values in Table5.1, it is evident that the efficiency of systems using pair- ings scales more like RSA rather than Elliptic Curve Cryptography. Nevertheless, unique properties of pairings makes pairing-based protocols more interesting in the context of sensor networks than the above cryptosystems.
5.2.2 TinyTate
The authors in [96] implemented the Tate pairing on a MICAz sensor node, which embeds the ATmega128 8-bit CPU. They used the following parameters in their implementation:
Finite field. The Tate pairing in TinyTate was evaluated over the prime field Fp. The
choice of the finite field was motivated by the use of TinyECC as the underlying library, which only supports operations overFp. The authors claimed also that the
Discrete Logarithm Problem in prime fields is harder than the Discrete Logarithm Problem in binary fields.
Curve selection. TinyTate used a supersingular y2 = x3+ xcurve over the prime field Fpwith p is a 256-bit prime.
Coordinate system. Projective coordinates were chosen instead of the affine system to eliminate the expensive inversion in point addition and doubling operations.
Pairing parameters. The main security parameters were chosen as k = 2, q is a 256 bit prime and r is a 128 bit prime. For r, a Solinas prime was chosen in order to decrease the number of point additions in the main loop of Miller’s algorithm. The choice of k = 2permitted the application of the denominator elimination optimization and made arithmetic operations inFqk easier to implement. The security level for the
pairing implementation was relaxed in order to achieve better performance. Table5.2presents the performance evaluation of TinyTate. Although the memory con- sumption figures are reasonable, the execution time of 30s is significant for a MICAz mote with very limited energy resources. The execution time of TinyTate is high especially given that the parameters used by the authors are below the 80-bit level of security. The group order r was set to 128 bits and the extension field size was k· log2q = 512. Both
values are below the current records for breaking the Discrete Logarithm Problem [73] and below the security levels presented in Table5.1. All these features makes TinyTate unsuitable for practical wireless sensor network applications.
Table 5.2:TinyTate implementation results
Tate pairing implementation on MICAz
Execution time ROM size RAM size
30.21s 18.384KB 1.831KB