FANG LAYOUT 4/9/09 1:08 PM Page 24 ACCEPTED FROM OPEN … · public key is a string not related to his/her iden-tity; thus, there is a need to provide an assurance (or binding) about

IEEE Wireless Communications • April 200924 1536-1284/09/$25.00 © 2009 IEEE

AC C E P T E D F R O M OP E N CALL

INTRODUCTIONIn the last few years we have witnessed a surgeof research and development activities for wire-less ad hoc networks (WANETs) such as wire-less local area networks (WLANs), mobile adhoc networks (MANETs), and wireless sensornetworks (WSNs). Unlike conventional infra-structure-based wireless networks such as wire-less cellular networks, WANETs feature rapidlydeployable self-organizing and self-maintainingcapabilities, and can be formed on the fly asneeded. Due to such salient features, WANETshave naturally been deployed in emergency res-cue, disaster relief, military operations, home-land security, and public safety, where fixedinfrastructures are often either destroyed,unavailable, or unreliable, while fast network

establishment and self-maintenance are a must.In such a network each node functions not onlyas an end host but also as a router, forwardingpackets for other nodes to enable otherwiseimpossible multihop communications. WANETscan generally be classified into two main cate-gories, mobile ad hoc networks and wirelesssensor networks. The former comprises mobilenodes that are free to move and organize them-selves arbitrarily, while the latter consists of alarge number of sensor nodes that are morelimited in power, computational capacities, andmemory than nodes in MANETs [1]. Moreover,WSNs also differ from MANETs in that mostsensor nodes are stationary after deployment.Recently, we have witnessed the marriage ofinfrastructured wireless networks and infras-tructureless ad hoc networks, leading to a newflexible network architecture called wirelessmesh networks (WMNs) that find many inter-esting applications such as high-speed Internetaccess, surveillance, and public safety [2]. Thus,the future Internet architecture will consist ofwireless ad hoc networking segments withresource-constrained mobile nodes or sensors,and the security issues over such weakest wire-less links must be addressed. However, manysalient characteristics of WANETs not onlypose diverse security challenges but also offermany opportunities one needs to take intoaccount when designing security mechanismsfor them [3–5]. So it is of vital importance toseek efficient and effective security mechanismsto advance the realistic deployment ofWANETs.

Although wireless indeed offers us manyadvantages, it also poses many design challenges.Wireless channel condition is usually very poorand time-varying due to mobility, power deple-tion, or unpredictable interference, leading toconstant transmission failures. We also facemany resource limitations in terms of bandwidth,power, and computing resources. The channelenvironment is open, and hence potential inter-ception or eavesdropping causes security con-cerns. For many WANETs, there is no trustedinfrastructure in place to implement a well devel-

YUGUANG FANG, UNIVERSITY OF FLORIDA AND XIDIAN UNIVERSITYXIAOYAN ZHU, XIDIAN UNIVERSITY

YANCHAO ZHANG, NEW JERSEY INSTITUTE OF TECHNOLOGY

ABSTRACTHuge interest in and demand for services

over the information superhighway have pressedvarious telecommunications research fronts andled to a new form of future Internet consistingof wired and wireless segments where resource-constrained devices such as mobile devices,smart phones, palm pilots, and wireless sensorsmay become integral parts of the Internet ratherthan access-only platforms. One of the keydesign problems is the security in such heteroge-neous networks, particularly over wireless net-works with resource constraints. In this tutorialarticle we discuss a novel approach to addressingsecurity issues, and articulate why and how ID-based cryptography can be effectively applied toaddress various security problems in resource-constrained wireless networks.

SECURING RESOURCE-CONSTRAINEDWIRELESS AD HOC NETWORKS

This work was partially supported by the National ScienceFoundation under grants CNS-0716450, CNS-0716302,and CNS0626881. The works of Fang and Zhu were alsopartially supported by the 111 Project under GrantB08038. A preliminary version of this article was presentedat the IEEE Sarnoff Symposium held in Princeton, NewJersey on April 30–May 2, 2007.

The authors discussa novel approach toaddressing securityissues and articulatewhy and how the ID- based cryptography can beeffectively applied toaddress various security problems inthe resource-con-strained wireless networks.

FANG LAYOUT 4/9/09 1:08 PM Page 24

Authorized licensed use limited to: University of Florida. Downloaded on June 20, 2009 at 02:57 from IEEE Xplore. Restrictions apply.

IEEE Wireless Communications • April 2009 25

oped secure architecture such as public keyinfrastructure (PKI), which may rely on thetrusted certificate authority (CA) to handle thecertificate management.

Due to these various constraints, securitydesign becomes very challenging. Securityschemes for wired networks may not be feasi-ble for WANETs; computationally intensiveschemes will not work well, and power hungryoperations in either computation or communi-cations should be avoided. We have to re-eval-uate the trust model, predict or investigateunconventional attacks due to the salient fea-tures of the WANETs, and come up with moreappropriate strategies. In the current literaturethere are mainly two major approaches: sym-metric and asymmetric (PKI). The former usesthe same key in encryption and decryption,while the latter uses different keys. The sym-metric key approach offers many advantagessuch as low computational overhead and noneed for certificates. This is why it was favoredin addressing security issues in WANETs in thepast. Unfortunately, it is not scalable, and it isnot easy to establish the secret key required bythis approach; it tends to demand much highercommunication overhead in order to make itwork properly and efficiently, and it does notsupport the digital signature required forauthentication. Moreover, it may not fare wellwhen taking both computational and communi-cation complexity into consideration in practi-cal situations. On the other hand, theasymmetric key approach is scalable with easierkey establishment, has a better authenticationtechnique, and owns an embedded digital sig-nature. Unfortunately, it is indeed computa-tionally intensive with larger key size, and hasdifficult public key management and moreoverhead due to certificate management,whichmay rely on some commonly trusted infra-structure or entities in the network to besecured. Moreover, it opens new possibledenial of service (DoS) attacks due to authen-tication and power depletion. It is not easy todecide between symmetric and asymmetricapproaches in WANETs.

Inspired by the recently resurging identity-based public key cryptography (ID-PKC), wehave recently developed a novel approach toaddressing a number of challenging securityissues in WANETs [6–10] and demonstrate whyID-PKC is a perfect fit for WANETs, and howto apply this new approach effectively. In thistutorial article we intend to present the funda-mental ideas behind this approach. We articu-late that the new emerging ID-basedcryptography (or noninteractive cryptography)can be effectively utilized, together with thesalient features of WANETs, to address suchdifficult security issues. As an example applica-tion, we demonstrate that the proposedapproach can effectively address a few notoriousattacks in WSNs with a unifying solution. It isour hope that this article can serve as a steppingstone to develop more comprehensive and viableschemes to secure our future cyberspace withwireless components. The preliminary version ofthis article was presented at the IEEE SarnoffSymposium in 2007.

WHY IDENTITY-BASED CRYPTOGRAPHY?Since our proposed schemes heavily rely on theID-PKC, we first want to justify why this tech-nique is a perfect fit for WANETs, specificallyfor MANETs and WSNs.

IDENTITY-BASED PUBLIC KEY CRYPTOGRAPHYIn traditional public key cryptosystems, a user’spublic key is a string not related to his/her iden-tity; thus, there is a need to provide an assurance(or binding) about the relationship between apublic key and the identity of the holder of thecorresponding private key. This assurance isdelivered in the form of a certificate in the tradi-tional PKI. The PKI has to deal with the issuesassociated with certificate management, includ-ing revocation, storage, and distribution, and thecomputational costs of certificate verification,which often rely on reliable trustworthy infra-structure (certificate agency, CA). These issuesare particularly acute in low-power and low-bandwidth situations (e.g., in WANETs), wherethe need to transmit and check certificates hasbeen identified as a significant limitation [11].Moreover, it is challenging to select the set ofnodes in such networks to assume the duty ofthe CAs to efficiently manage the certificates.

In 1984 Shamir proposed the idea of the ID-PKC [12], where an entity’s public key can bederived directly from a certain aspect of its iden-tity, for example, an IP address, a telephonenumber, or an email address associated with auser. Private keys are generated for entities by atrusted authority (TA), sometimes also called aprivate key generator (PKG). In contrast to con-ventional PKC such as RSA, the ID-PKC com-pletely eliminates the need for public keycertificates and hence for complicated certificatemanagement. Despite its attractive features, theID-PKC has undergone rapid development onlyrecently [13] due to the novel application of acryptographic technique called pairing, which isoutlined as follows [14].

Let p, q be two large primes and E/FFp denotean elliptic curve over the finite field FFp appropri-ately chosen for security purposes. We denote byGG1 a q-order subgroup of the additive group ofpoints of E/FFp, and by GG2 a q-order subgroup ofthe multiplicative group of the finite field FF*p2.When a ∈ Zq and P ∈ GG1, we write mP for Padded to itself m times, also called scalar multi-plication of P by an integer m. Assume that thediscrete logarithm problem (DLP) is hard1 inboth GG1 and GG2. From a cryptographic point ofview, a pairing is a map ê: GG1 × GG1 → GG2 withthe following properties:• ê is bilinear: ∀ P, Q, R ∈ GG1.

ê(P + Q, R) = ê(P, R) ⋅ ê(Q, R).ê(P, Q + R) = ê(P, Q) ⋅ ê(P, R).

Consequently, for ∀ a, b ∈ Zq , we have ê(aP,bQ)= ê(aP, Q)b = ê(P, bQ)a = ê(P, Q)ab.

• ê is non-degenerate: if P is a generator of GG1 ,then ê(P, P) is a generator of GG2 In otherwords, ê(P, P) ≠ 1.

• ê is efficiently computable.It is also worth pointing out that ê is symmet-

ric. Typically, the map ê will be derived fromeither the (modified) Weil [14] or Tate [15] pair-ing on a super-singular elliptic curve over a finite

1 It is computationallyinfeasible to extract theinteger x ∈ Z*q = {i|1 ≤ i≤ q – 1}, given P, Q ∈ GG1(respectively, P, Q ∈ GG2),such that Q = xP (respec-tively, Q = Px).

PKI has to deal withthe issues associated

with certificate management,

including revocation,storage and

distribution and thecomputational costs

of certificate verification, which

often rely on reliabletrustworthy

infrastructure.



IEEE Wireless Communications • April 200926

field. The finite field containing GG2 as a sub-group typically uses a security parameter k,which is the same for most popular public keycryptographic systems, such as RSA or discrete-logarithm-based systems, sto obtain a degree ofsecurity protection similar to that in those popu-lar public key cryptographic systems. Therefore,the cost of computing a bilinear pairing is similarto that of computing a public key cryptographicoperation in those popular cryptographic systems[16].

Fast hardware implementations of the pairinghave been reported recently [17, 18]. For exam-ple, it is reported in [18] that the Tate pairingcan be calculated in about 6 ms on a field pro-grammable gate array (FPGA). We refer readersto [14, 15, 19] for a more comprehensive descrip-tion of how these groups, pairings, and otherparameters should be selected in practice forefficiency and security.

To bootstrap a pairing-based ID-PKC cryp-tosystem, a TA runs some initialization functionon an input, the security parameter k, to gener-ate a prime q, two suitable groups GG1, GG2 oforder q, a bilinear map ê, and an arbitrary gener-ator P ∈ GG1. The TA then selects a random keys ∈ Zq as its master secret and sets Ppub = sP.Upon a key registration request from an entity xwhose identity we denote IDx, the TA issues aprivate key Sx = sH1(IDx), where H1 is a crypto-graphic hash function deterministically mappingstrings in {0, 1}* onto GG1 Under the hardnessassumption of the discrete logarithm in GG1, it ishard to find the master key s of the TA from thepublic/private key pair (IDx,Sx). In addition,parameters ⟨GG1, GG2, H1, P, Ppub⟩ are publiclyknown, while the TA should well safeguard andprevent unauthorized access to its master secrets. In MANETs and WSNs, the TA can be thesystem administrator or network planner whousually does not appear in the resulting networkoperations; that is, a TA is used only before thenetwork deployment.

Many efficient cryptographic primitives havebeen proposed recently on how to leverage iden-tity-based public/private key pairs to realizeessential public key operations such as encryp-tion/decryption and signature generation/verifi-cation [13, references therein]. The security ofmost existing ID-PKC schemes depends on thedifficulty of solving the bilinear Diffie-Hellmanproblem (BDHP): given ⟨P, xP, yP, zP⟩ with ran-dom x, y, z ∈ Z*q and P ∈ GG1 , there is no q algo-rithm running in expected polynomial time,which can compute ê(P, P)xyz with non-negligi-ble probability [13].

SUITABILITY OF ID-PKC TOWIRELESS AD HOC NETWORKS

How to establish a shared secret key betweenany two or more communicating nodes for sub-sequent cryptographic use is a fundamentalproblem of the security study in WANETs. Dueto the constraints of WANETs, in the past it wasbelieved that PKC was too complex, slow, andpower hungry to be suitable for WANETs. Thisopinion has led to a burst of interesting researchresults based on pure symmetric key cryptogra-phy [20–24]. However, the inherent limitations

of symmetric key cryptography mean these pro-posals suffer from the lack of authentication,scalability, and resilience to node compromisediscussed earlier.

Although ID-PKC has comparable computa-tional efficiency to that of conventional PKC[16], there are at least three significant advantagesof ID-PKC over conventional PKC. First, ID-PKC removes the need for certificates, andhence certificate distribution and verification.Considering the resource- constrained nature ofWANETs, this often represents nontrivial sav-ings in both communication and computationoverheads, especially in large-scale WANETs.Second, ID-PKC facilitates noninteractive keyagreement. Computationally expensive publickey techniques are often used to establish ashared key between two communication entities,based on which subsequent communications canbe secured with computationally more efficientsymmetric key techniques. Traditional sharedkey establishment based on conventional PKCrequires message exchange between two parties.By contrast, any two parties, if both have anauthentic public/private pair from the same TAbased on ID-PKC, have already shared a secretkey without exchanging any message. For exam-ple, suppose nodes x with identity IDx and y withidentity IDy have obtained their respective pri-vate keys Sx = sH1(IDx) and Sy = sH1(IDy) fromthe same TA during network initialization. Theycan calculate the shared key between them as

Kxy = ê(Sx, H1(IDy))= ê(sH1(IDx), H1(IDy))= ê(H1(IDx), H1(IDy))s

= ê(H1(IDx), sH1(IDy))= ê(H1(IDx), Sy) = ê(Sy, sH1(IDx))= Kyx

Due to the difficulty of solving the BDHP, Kxy isexclusively available to nodes x and y withoutcounting on the TA, which usually does notappear in the network. This method of identity-based noninteractive shared key establishment isreported in [25] and obviously can further reduceboth communication and computation over-heads, which is obviously desirable in resource-constrained WANETs. This is particularly impor-tant when we realize that the proposed ID-basedschemes do not rely on any trustworthy entitiesor interactions with trusted entities in order toexchange shared key materials during networkoperation (certificate management); hence, ID-PKC is a perfect fit for WANETs in which thereis generally a lack of commonly trustworthy enti-ties. Finally, the fact that any type of string canbe a public key in ID-PKC provides many usefulproperties that do not exist with conventionalPKC. For instance, if one wants to talk to Gatorat the University of Florida, Gator’s public keycan be in the form “GatorID | | University ofFlorida” where || denotes the concatenation ofmessages. In so doing, when we send a messageto Gator, only Gator at the University of Floridacan decrypt the message. This is difficult, if notimpossible, to achieve in a conventional publickey cryptosystem, in which a source has to obtainthe destination’s authenticated public key beforeactually sending encrypted messages. This idea

Due to the constraints ofWANETs, in the past,it is believed thatPKC is too complex,slow and power hungry to be suitablefor WANETs. Thisopinion has led to aburst of interestingresearch resultsbased on pure symmetric-key cryptography.




can be further extended by including even moreinformation in the public key, such as some con-fidentiality specification, to realize many otherinteresting applications [14].

Despite its attractive features, ID-PKC hasnot received the attention it deserves as a power-ful tool to secure WANETs until recently. Khaliliet al. [26] suggested the possible application ofID-PKC combined with the secret sharing tech-nique [27]. Deng et al. [28] proposed an identity-based key management scheme for MANETs.Moreover, Bohio and Miri [29] proposed to useidentity-based keys for securing MANET broad-cast communications. As an addition, Saxena etal. [30] applied ID-PKC to realize access controlfor ad hoc network groups such as peer-to-peer(P2P) systems and MANETs, and demonstratedwith experimental results the superiority of ID-PKC over conventional certificate-based PKC inMANETs. Recently, we have developed severalsecurity schemes based on ID-PKC and demon-strated their effectiveness in addressing securityissues in WANETs [7–10, 31].

In summary, although ID-PKC cannot com-pletely replace conventional certificate-basedPKC under all circumstances, it does providemore efficient, lightweight, and flexible solutionsin many application scenarios such as resource-constrained WANETs.

SECURING WIRELESS SENSOR NETWORKS

To demonstrate the effective use of ID-PKC, wetake WSNs as an example application. One kindof WSN is area monitoring for potential enemyintrusion. Sensors are deployed in the area ofinterest. Whenever there is any intrusion detect-ed, a warning message is used to report theevent via possibly multihop communications tothe remote monitoring center or a base stationso that appropriate actions can be taken.

In this setting, in order to securely send areport from a node sensing an intrusion, the fol-lowing issues have to be carefully addressed.Nodes have to be able to authenticate eachother to make sure that the report is not fromthe intruder; when the report is transmitted, itshould not be detected by the intruder; it shouldbe guaranteed that the report was not tamperedwith during delivery; and the designed securityscheme should resist various serious attacks suchas Sybil, node duplication, random walk, worm-hole, and bogus message injection attacks. Thereare many separate solutions to addressing theaforementioned issues; however, it is difficult tocombine them due to different or even conflict-ing underlying assumptions. Even if it is possibleto combine some of them, it is far too complexto implement for WSNs. Moreover, most priorsolutions do not work well even when a smallnumber of nodes are compromised by attackers.More important, many solutions address oneproblem while inducing others. Finally, mostschemes apply the symmetric key approach andreduce computational cost; unfortunately, theytend to dramatically increase the communica-tions cost, which is often ignored by many intheir performance evaluation.

In order to come up with a unifying and effec-tive solution to the aforementioned security

issues, we have to utilize the salient feature ofWSNs. We observe that almost all WSN applica-tions are location-dependent and require a sen-sor node to know its own location, as in militarysensing and tracking. Most sensor nodes are sta-tionary once deployed and can be identified bytheir IDs plus their locations. Moreover, mostsensor nodes have a limited communicationrange and can only directly communicate withothers inside their communication range. Basedon these features, we propose a novel location-based security solution, demonstrated next [8].

The basic idea of our location-based approachis as follows. Name a node with both an ID andits location, and thus bind the ID and locationtogether. We do this because of the observationthat “Michael@UF” will be more specific than“Michael.” If we let IDA and LA indicate the IDand location of sensor node A, respectively, wecan assign the public-private key pair as(IDA@LA, KA) where KA = sH1(IDA@LA), thelocation-based key (LBK) corresponding to theID-location pair IDA@LA, and s is the sensornetwork master secret key known only to the TA(i.e., the sensor network owner), which is neverexposed to the sensor network field. Accordingto ID-based cryptography, each sensor node canonly know its own private key, but not the mas-ter secret key, and any two sensors could estab-lish a shared key without exchanging any secretmaterial. Next, we want to demonstrate how wecan address a few other security issues with thisunifying approach.

To mutually authenticate each other, node Atransmits to B an authentication request with itslocation LA and a random nonce nA. Uponreceiving this request, node B with location LBfirst checks whether the claimed location LA isindeed in its transmission range (i.e., the dis-tance check). If the check fails, node B simplydiscards the request and determines that node Ais not an authentic neighbor. Otherwise, Breplies with its own location LB, a random noncenB, and an authenticator VB calculated as

VB = H2(ê(KB, H1(IDA@LA)) || nA || nB || 0),

where H2 is another hash function. Once it hasreceived B’s reply, node A can determine whetherB is in its transmission range based on the provid-ed LB If not, the authentication fails. Otherwise,A proceeds to compute a verifier V′B as

V′B = H2(ê(KA, H1(IDB@LB)) || nA || nB || 0).

According to the bilinearity of the pairing ê,if and only if both A and B have the authenticLBKs corresponding to their claimed locationscan they have

ê(KB, H1(IDA@LA)) = ê(KA, H1(IDB@LB)) =ê(H1(IDB@LB)),H1(IDA@LA))s ∈ GG2.

After verifying the equality of V′B and VB, Acan ascertain that B is an authentic neighborwith the claimed location LB. Node A then sendsto B its own authenticator VA computed as

VA = H2(ê(KA, H1(IDB@LB)) || nA || nB || 1).

The authors proposea novel location-

based security solution. The basic

idea of theirlocation-basedapproach is as

follows. Name anode with both anID and its locationand thus bind the

ID and locationtogether.




By a simple calculation, node B can deter-mine whether A is an authentic neighbor withthe claimed location LA using a similar approachas demonstrated for node B. Based on this three-way handshaking, nodes A and B can achievemutual authentication and establish a secure linkbetween them.

With this location-based ID-PKC approach,our scheme can defend effectively against theaforementioned security attacks. When an adver-sary launches a Sybil attack, the only possibleway is to compromise one legitimate node torecover the private key first, then substitute theID with its own [32, 33]. However, when othernodes receive the authentication request fromthe adversary, the ID-location pair will not matchthat used to generate the private key; hence, theauthentication will fail, and the Sybil attack willnot be effective. In a node duplication attack orrandom walk attack, an adversary, when compro-mising a node, will either duplicate the compro-mised node in other places or move around inthe sensor network to gain communication withother nodes using the compromised secret mate-rial (the private key) [33]. Our location-based keyapproach will localize the damage of such attackswithin the neighborhood of the compromisednode because whenever the adversary moves outof that neighborhood, the authentication will failbecause the distance check fails. In a wormholeattack adversaries could relay an authenticationrequest to make two faraway nodes think theyare neighbors [32]. Our approach can also easilydefeat this attack because the authentication willfail due to either the failure of the distance checkor the mismatch of the ID-location pair providedwith those used to generate the private LBKs. Toguard against bogus message injection, the wholesensor network is divided into different areascovering multiple sensor nodes. Each area isequipped with a private area LBK for report sig-nature, and each sensor node in this area is givena partial share of the area LBK based on thesecret sharing scheme in such a way that onlywhen a preset number, say t, shares are obtainedcan the area LBK be recovered. Thus, if werequire all event reports to be signed by at least tsensors in the area for validity, the adversary hasto compromise at least t sensor nodes in an areain order to recover the area key to sign its inject-ed messages. Without the area signature, theinjected message will be filtered out en route tothe BS. The detail can be found in [8]. In conclu-sion, our location-based security approach indeedprovides a unifying and effective security scheme.

CONCLUSIONS ANDFUTURE RESEARCH DIRECTIONS

ID-PKC has indeed found many interesting appli-cations in which a traditional approach may notbe effective. In this article we attempt to demon-strate the advantages of ID-PKC in resource-con-strained wireless ad hoc networks and hope toinspire more research on this approach. Thereare many challenging research problems ahead.One of the obstacles is the computational com-plexity of the pairing operations, which is stillunder intensive research. In most research we

have carried out, we assume that the network inconsideration is homogeneous, yet there aremany networks that are inheritably heteroge-neous, and how to tackle the security issues usingID-PKC is still open. Finally, many resource-con-strained networks such as wireless ad hoc net-works rely on cooperation. How to takeadvantage of this cooperative nature in the ID-based security approach is under research.

REFERENCES[1] I. Akyildiz et al., “A Survey on Sensor Networks,” IEEE

Commun. Mag., vol. 40, no. 8, Aug. 2002, pp. 102–16.[2] Akyildiz, X. Wang, and W. Wang, “Wireless Mesh Net-

works: A Survey,” Comp. Net., Mar. 2005.[3] Hu and A. Perrig, “A Survey of Secure Wireless Ad Hoc

Routing,” IEEE Sec. & Privacy, vol. 2, no. 3, May–June2004, pp. 28–39.

[4] W. Lou and Y. Fang, “A Survey on Wireless Security inMobile Ad Hoc Networks: Challenges and Possible Solu-tions,” in Ad Hoc Wireless Networking (Springer Net-work Theory and Applications Series), vol. 14, X. Chen,X. Huang, and D.-Z. Du, Eds., Kluwer/Springer, 2004.

[5] H. Yang et al., “Security in Mobile Ad Hoc Networks:Challenges and Solutions,” IEEE Wireless Commun., vol.11, no. 1, Feb. 2004, pp. 38–47.

[6] Y. Zhang and Y. Fang, “A Secure Authentication andBilling Architecture for Wireless Mesh Networks,” ACMWireless Net., vol. 13, no. 5, Oct. 2007, pp. 569–82.

[7] Y. Zhang and Y. Fang, “ARSA: An Attack-Resilient SecurityArchitecture for Multi-Hop Wireless Mesh Networks,” IEEEJSAC, vol. 24, no. 10, Oct. 2006, pp. 1916–28.

[8] Y. Zhang et al., “Location-based Security Mechanisms inWireless Sensor Networks,” IEEE JSAC, vol. 24, no. 2,Feb. 2006, pp. 247–60.

[9] Y. Zhang et al., “MASK: Anonymous On-Demand Rout-ing in Mobile Ad Hoc Networks,” IEEE Trans. WirelessCommun., vol. 5, no. 9, Sept. 2006, pp. 2376–85.

[10] Y. Zhang et al., “Securing Mobile Ad Hoc Networks withCertificateless Public Keys,” IEEE Trans. Dependable SecureComp., vol. 3, no. 4, Oct.–Dec. 2006, pp. 386–99.

[11] S. Al-Riyami and K. Paterson, “Certificateless PublicKey Cryptography,” Proc. AsiaCrypt ‘03, LNCS 2894,Springer-Verlag, 2003, pp. 452–73.

[12] A. Shamir, “Identity Based Cryptosystems and Signa-ture Schemes,” Proc. CRYPTO ‘84, LNCS 196, Springer-Verlag, 1984, pp. 47–53.

[13] R. Dutta, R. Barua, and P. Sarkar, “Pairing-based Cryp-tography: A Survey,” Cryptology ePrint Archive, rep.2004/064, 2004.

[14] D. Boneh and M. Franklin, “Identify-based Encryptionfrom the Weil Pairing,” Proc. CRYPTO ‘01, LNCS 2139,Springer-Verlag, 2001, pp. 213–29.

[15] P. Barreto, H. Kim, B. Bynn, and M. Scott, “Efficient Algo-rithms for Pairing-Based Cryptosystems,” Proc. CRYPTO ‘02,LNCS 2442. Springer-Verlag, 2002, pp. 354–68.

[16] W. Mao, “An Identity-Based Non-Interactive Authenti-cation Framework for Computational Grids,” Hewlett-Packard Labs. tech. rep. HPL-2004-96, June 2004.

[17] T. Kerins et al., “Efficient Hardware for the Tate Pair-ing Calculation in Characteristic Three,” CryptologyePrint archive, rep. 2005/065, 2005; http://eprint.iacr.org/2005/065

[18] T. Kerins et al., “A Hardware Accelerator For PairingBased Cryptosystems,” submitted preprint, 2005;http://paginas.terra.com.br/informatica/paulobarreto

[19] P. Barreto, B. Lynn, and M. Scott, “On the Selection ofPairing-Friendly Groups,” Sel. Areas Cryptography2003, LNCS 3006, Springer-Verlag, 2004, pp. 17–25.

[20] L. Eschenauer and V. Gligor, “A Key-ManagementScheme for Distributed Sensor Networks,” Proc. ACMCCS, Washington, DC, Nov. 2002.

[21] H. Chan, A. Perrig, and D. Song, “Random Key Predis-tribution Schemes for Sensor Networks,” IEEE Symp.Sec. & Privacy, Oakland, CA, May 2003.

[22] W. Du et al., “A Pairwise Key Pre-Distribution Schemefor Wireless Sensor Networks,” Proc. ACM CCS, Wash-ington, DC, Oct. 2003.

[23] D. Liu and P. Ning, “Establishing Pairwise Keys in Dis-tributed Sensor Networks,” Proc. ACM CCS, Washing-ton, DC, Oct. 2003.

[24] D. Liu and P. Ning, “Location-based Pairwise KeyEstablishments for Static Sensor Networks,” Proc. ACMSASN, Fairfax, VA, Oct. 2003.

[25] R. Sakai, K. Ohgishi, and M. Kasahara, “Cryptosystems

Many resource-constrained networkssuch as wireless ad hoc networks relyon cooperation. How to take advantage of thecooperative nature inthe ID-based securityapproach is underresearch.




Based on Pairing,” Proc. 2000 Symp. CryptographyInfo. Sec., Okinawa, Japan, Jan. 2000.

[26] A. Khalili, J. Katz, and W. Arbaugh, “Toward SecureKey Distribution in Truly Ad-Hoc Networks,” IEEE Wksp.Secu. Assurance Ad Hoc Net., Orlando, FL, Jan. 2003.

[27] A. Shamir, “How to Share a Secret,” Commun. ACM,vol. 22, no. 11, 1979, pp. 612–13.

[28] H. Deng, A. Mukherjee, and D. Agrawal, “Thresholdand Identity-Based Key Management and Authentica-tion for Wireless Ad Hoc Networks,” Int’l. Conf. Info.Tech.: Coding Comp. ‘04, Las Vegas, NV, Apr. 2004.

[29] M. Bohio and A. Miri, “Efficient Identity-Based SecuritySchemes for Ad Hoc Network Routing Protocols,” Else-vier Ad Hoc Net. J., vol. 2, no. 3, 2004, pp. 309–17.

[30] N. Saxena, G. Tsudik, and J. H. Yi, “Identity-BasedAccess Control for Ad Hoc Groups,” Proc. Int’l. Conf.Info. Sec. Cryptology, Seoul, Korea, Dec. 2004.

[31] J. Sun, C. Zhang, and Y. Fang, “A Security ArchitectureAchieving Anonymity and Traceability in Wireless MeshNetworks,” Proc. 27th IEEE INFOCOM ‘08, Phoenix, AZ,Apr. 13–18 2008.

[32] C. Karlof and D. Wagner, “Secure Routing in WirelessSensor Networks: Attacks and Countermeasures,” AdHoc Net., vol. 1, no. 2, 2003.

[33] J. Newsome et al., “The Sybil Attack in Sensor Net-works: Analysis & Defenses,” Proc. 3rd IPSN ‘04, Berke-ley, CA, Apr. 2004.

BIOGRAPHIESYUGUANG FANG [F‘08] ([email protected]) received a Ph.D.degree in systems engineering from Case Western ReserveUniversity in January 1994 and a Ph.D. degree in electricalengineering from Boston University in May 1997. He wasan assistant professor in the Department of Electrical andComputer Engineering at New Jersey Institute of Technolo-gy from July 1998 to May 2000. He then joined theDepartment of Electrical and Computer Engineering at theUniversity of Florida in May 2000 as an assistant profes-sor, got an early promotion to associate professor withtenure in August 2003, and became a full professor inAugust 2005. He holds a University of Florida ResearchFoundation (UFRF) Professorship from 2006 to 2009 and a

Changjiang Scholar Chair Professorship from 2008 to 2011with Xidian University, Xi’an, China. He has published over250 papers in refereed professional journals and confer-ences, and won the Best Paper Award at the 2006 Inter-national Conference on Network Protocols and at IEEEGLOBECOM 2002. He received the National Science Foun-dation Faculty Early Career Award in 2001 and the Officeof Naval Research Young Investigator Award in 2002. Heis currently serving as the Editor-in-Chief of EEE WirelessCommunications and has served on several editorialboards of technical journals including IEEE Transactions onCommunications, IEEE Transactions on Wireless Communi-cations, IEEE Transactions on Mobile Computing, IEEEWireless Communications, and ACM Wireless Networks.He has also actively participatied in professional confer-ence organizations such as serving as Technical ProgramVice-Chair for IEEE INFOCOM 2005, Technical ProgramSymposium Co-Chair for IEEE GLOBECOM 2004, and amember of the Technical Program Committee for IEEEINFOCOM (1998, 2000, 2003–2007) and ACM Mobihoc(2008–2009).

XIAOYAN ZHU ([email protected]) received her B.E.degree in information engineering in July 2000 and herM.E. degree in information and communications engineer-ing in March 2004, both from Xidian University. She isnow working toward her Ph.D. degree at Xidian University.Her research interests include wireless security and networkcoding.

YANCHAO ZHANG [M‘06] ([email protected]) received his B.E.degree in computer communications from Nanjing Univer-sity of Posts and Telecommunications, China, in July 1999,an M.E. degree in computer applications from Beijing Uni-versity of Posts and Telecommunications in April 2002, anda Ph.D. degree in electrical and computer engineering fromthe University of Florida, Gainesville, in August 2006. He iscurrently an assistant professor in the Department of Elec-trical and Computer Engineering, New Jersey Institute ofTechnology, Newark. His research interests include networkand distributed system security, wireless networking, andmobile computing.






Documents

FANG LAYOUT 4/9/09 1:08 PM Page 24 ACCEPTED FROM OPEN … · public key is a string not related to his/her iden-tity; thus, there is a need to provide an assurance (or binding) about