Low Power Data Integrity in IoT SystemsMuhammad Naveed Aman, Biplab Sikdar, Kee Chaing Chua and Anwar Ali

Abstract—Devices in the Internet of Things (IoT) produce largeamounts of sensitive data. However, the use of the public Internetfor data transfer by IoT devices makes them susceptible to cyberattacks. Among these attacks, data tampering or modification at-tacks to disrupt or bias the states of applications using these datamay result in widespread damage and outages. To detect suchattacks, this paper proposes an efficient and simple technique todetect data tampering in IoT systems. The proposed mechanismuses a random time hopping sequence and random permutationsto hide validation information. We also present a formal securityanalysis of the proposed protocol. Performance analysis of theproposed protocol shows that it has low computational complexityand is suitable for IoT systems.

I. INTRODUCTION

The IoT is becoming increasingly popular in the areas ofsmart cities, smart homes, smart healthcare etc. [1] - [5]. IoTdevices interact with the physical world, giving rise to manynew applications. However, IoT devices may be deployed outin the open and even in hostile environments, exposing themto various physical and cyber attacks. The simple nature ofIoT devices makes them a prime target for tampering [6].Many IoT device produce large amounts of data and thisdata may be used to regulate critical industrial installations,wearable medical devices, traffic signals etc. [7], [8]. Amongthe various attacks an adversary may launch on an IoTsystem, data tampering attacks have the potential to causesignificant damage. The objective of an adversary in suchattacks is to modify IoT data in such a way as to disrupt theoperation of the system, and cause incorrect control decisions.For example, invalid temperature data can cause the controlunit of an industrial establishment to turn on/off the coolingsystem arbitrarily, which can cause significant damage to themachinery and may even result in personnel injury. Thus, datatampering attacks on the IoT can cause significant economicloss, infrastructure damages, and human injury. To address thisissue, this paper presents a mechanism to detect data tamperingin IoT systems.

The large amount of energy required to provide securecommunication is a challenge for energy constrained IoTdevices. Indeed, the slow-down of Moore’s law, the high costper transistor in the sub-32nm domain [9], [10], [11], andvoltage scaling reaching its limit [12], are factors motivating

M. N. Aman is with the Department of Computer Science, NationalUniversity of Singapore, Singapore 117417. (e-mail:dcsmnam@nus.edu.sg)

B. Sikdar and K. C. Chua are with the Department of Electrical andComputer Engineering, National University of Singapore, Singapore 117583.(e-mail: bsikdar@nus.edu.sg, eleckc@nus.edu.sg).

A. Ali is with the Department of Electrical Technology, University ofTechnology, Nowshera, Pakistan. (e-mail: anwar.safi@uotnowshera.edu.pk).

Copyright (c) 2012 IEEE. Personal use of this material is permitted.However, permission to use this material for any other purposes must beobtained from the IEEE by sending a request to pubs-permissions@ieee.org

further innovation in the area of energy efficient techniques forIoT systems. The energy consumed by the security subsystemin a system-on-chip setting is approximately 1-30 pJ/bit. Atypical IoT system consists of a large number of connectedsensors and actuators connected through a wireless interface.In such a setting the IoT devices are usually simple, small, andlow powered sensor motes. These devices send data at differentpacket rates. To provide data integrity, an IoT device may berequired to calculate and send a Message Authentication Code(MAC) with each packet. This approach may be adequate fromthe perspective of energy consumption for applications wheredevices send data at low rates such as 1 packet per second orlower. However, for high data rate applications where devicesmay send tens of packets per second or higher (e.g. roadside units (RSUs) in vehicular networks, process sensors inindustrial control systems, monitoring and surveillance sensorsetc.), the energy required to calculate and send MACs becomesa serious overhead for energy constrained sensors. Therefore,the traditional way of providing data integrity may not besuitable for such IoT devices. To solve this issue, this paperuses a consolidated approach to validate multiple packets atonce and proposes a new technique based on a randomizedapproach to provide low power data integrity in high data rateapplications for IoT.

The proposed mechanism uses a two step randomizedapproach to validate IoT data. Initially, a random time hoppingsequence is generated using a shared secret seed between anIoT device and a data server. The validation information isthen added by the IoT device to the packets corresponding tothis random sequence. The validation information is generatedusing a random permutation algorithm designed for IoT de-vices. Moreover, we employ Physically Unclonable Functions(PUFs) [13] to protect IoT devices from physical attacks. Thispaper makes the following contributions: (i) it proposes a newrandom permutation algorithm for IoT devices, (ii) it proposesa light-weight protocol using PUFs, random time sequences,and aggregation for data integrity in IoT systems, and (iii) itpresents a thorough security analysis as well as performanceevaluation using simulations and emulations. Our results showthat the proposed protocol is computationally efficient andrequires significantly lesser energy than the traditional wayof providing data integrity using MACs.

The rest of the paper is organized as follows. SectionII presents the related work. In Section III we discuss theassumptions and the attack model. Section IV describes theproposed detection mechanism. Sections V and VI presenta security analysis and simulation of the proposed protocol,respectively. Section VII presents a performance analysis whilewe conclude the paper in Section VIII.

2

II. RELATED WORK

IoT integrity protection refers to the ability to establish thereliability of data, i.e., it has not been tampered with, alteredor changed [15]. In a broader sense, data integrity techniquescan be used for protection and verification of the integrity of(1) data generated by a device, (2) the software running ona device (i.e., attestation) [3], and (3) stored data (e.g. in acloud) [14]. This paper focuses on the first category i.e., theability to establish the reliability of data communicated by anIoT device.

The two most common factors affecting data integrityinclude: an attacker maliciously modifying data while it isstored in the node or when it travels through the networkand “bad data” due to faulty equipment and unfavorablewireless channel conditions. Fundamentally, detecting datatampering is similar to traditional “bad data” detection (BDD)in industrial control systems which focus on detecting incor-rect measurements from faulty equipment. Bad data detectorstypically use statistical analysis of the measurement residualsto identify the faulty measurements. Usually, outliers or badmeasurements are detected using an L2 norm or the LargestNormalized Residual (LNR) of the measurements [16], [17],[18]. However, most BDD techniques were designed to detectonly bad data due to measurement or communication errors[19], [20]. Therefore, an adversary can easily bypass BDDby introducing correlated errors into the measurements [21].Thus BDD techniques are not reliable enough for the security-critical data in the IoT. Additionally, BDD techniques do notwork for systems without an underlying mathematical modelthat governs the measurements, or if the measurements fromdifferent devices are uncorrelated, limiting their applicabilityto many IoT systems.

The contemporary approach for providing data integrity fordata passing trough networks involves the use of MACs. AMAC is a one way function used to establish the credibilityof received data. A MAC usually consists of three algorithms:(1) a key generation algorithm to select a uniformly randomkey from the key space, (2) a signing algorithm to efficientlyproduce a tag from the key and the message, (3) a verificationalgorithm to establish the authenticity of a message usingthe key and the tag i.e., return accept if the message is nottampered with or forged, otherwise return reject. A secureMAC has the following property: it is computationally infea-sible for an attacker to compute/forge a valid tag for a givenmessage without knowledge of the secret key [22]. The mostpopular MACs used in various security applications includecipher block chaining MACs (CBC-MAC), Hash based MACs(HMAC) and MAC using universal hashing (UMAC) [23],[24], [25]. Most of these MACs have a computational com-plexity of O(nlogn) or worse. Therefore, given the resourceconstrained nature of IoT nodes, computing and sending aMAC with every packet may be impractical for high datarate IoT systems, due to the high energy and processingrequirements.

Another approach to provide data integrity is by using a

public key infrastructure (PKI). In PKI the sender of data usesdigital signatures or certificates to sign the data with its privatekey while the receiver of the data can verify the integrityby verifying the signed data using the sender’s public key.For example, the authors of [26] propose a PKI based dataintegrity scheme for wearable IoT devices sending biologicaland contextual data. However, as apparent from [26], PKI iscomputationally too complex for many IoT devices [27], [28].

Finally, security against physical and side-channel attacks isparticularly important in the context of IoT devices that may bedeployed in the open. Unprotected IoT devices may be stoleneasily and subjected to physical and side-channel attacks toextract or modify the cryptographic secrets in the device’smemory. Solutions for protection against physical and side-channel attacks include the masking of power consumption[29], dedicated hardware that avoids the creation of side-channels [30], and dynamic software diversity [31]. However,these solutions are expensive in terms of silicon cost, comeat a cost of degraded performance, and often have advancedsystem requirements, making them unsuitable for low cost IoTdevices.

Thus, there are two main issues with existing techniquesfor providing data integrity: (1) the techniques for protectingdata integrity at the network level have high energy and com-putational overheads which are not suitable for IoT devices,and (2) existing techniques assume physically well protecteddevices, while many IoT devices are vulnerable to physicalattacks. To address these issues, this paper presents a light-weight scheme for providing data integrity in high data rateIoT systems with the following properties:• High Efficiency: The proposed protocol uses a consoli-

dated approach to verify the integrity of multiple packetsinstead of each packet separately. This approach signif-icantly reduces the energy requirement as well as thecomputational complexity for data integrity protection.

• Protection Against Physical Attacks: The proposedprotocol uses PUFs to generate the secret keys for securecommunication on the network. This eliminates the needto store secret keys in a device’s memory. Therefore, theproposed protocol is considered secure against physicalattacks. Many PUF based secure key generation protocolshave been proposed in literature [32], [34], [33]. Commonto all these protocols is that a server sends a challengeto an IoT device, while the IoT device uses its PUFto generate a response to the given challenge. The IoTdevice then uses the PUF response as the secret key.

III. ASSUMPTIONS AND THREAT MODEL

A. AssumptionsThe network model and the proposed protocol are based on

the following assumptions:a. The network model consists of multiple IoT devices, a

single data server, and the Internet as shown in Figure 1.The IoT devices are connected to the server through theInternet using border router elements based on protocolssuch as 6LoWPAN.

3

Fig. 1: Network Model

b. A strong one way hash function is available which is public.c. IoT devices are deployed in the open and are not physically

protected. The data server is considered to be secure.d. IoT devices have limited resources such as energy, process-

ing power, etc. However, the data server is not constrainedin terms of resources.

e. We assume that each IoT device consolidates multiple datasamples and sends them together in a single packet. Eachpacket sent by an IoT device carries extra 8 bytes for thepurpose of validation and we call these extra bytes as theV field.

B. Attack Model

The attack model considered in this paper is as follows:a. The adversary has compromised one or more of the network

entities including IoT devices, routers, and communicationlinks.

b. The adversary can eavesdrop on all the traffic going throughthe network, replay previous messages, inject maliciouspackets, and impersonate other nodes.

c. The objective of the adversary is to cause damage oreconomic losses by tampering with IoT data.

The objective of this paper is to develop an efficientmechanism to detect tampered data in IoT systems.

IV. DETECTING TAMPERING OF IOT DATA

This section describes the proposed protocol for detectingtampered data. We denote the ID of an IoT device, hashoperation, and the concatenation operation by IDi, H(·),and ||, respectively. Moreover, NAND represents the bitwiseNAND operation, while, [Ex]Mem and [Ex]Rec represent anexpression Ex evaluated using a device’s memory or usingvalues from a received message, respectively. Finally, {Ex}krepresents an expression Ex encrypted using key k.

We assume that the server and IoT devices use PUFsto establish a secure symmetric key ki using the approachproposed in [36]. We selected [36] because it is efficient,reliable and does not rely on any additional cryptographicassumptions. In this scheme the server initially applies anumber of challenges to a PUF to obtain the correspondingchallenge-response pairs (CRPs). The PUF is then installed

Fig. 2: Sequence Sharing Phase

on the corresponding IoT device. The server later sends achallenge to the IoT device who recovers the response withthe help of the PUF. A fuzzy extractor is applied to theresponse for error correction and smoothing, after which theresponse can be used as the secret key. By using such a PUFbased scheme for secret key generation, the IoT devices donot need to store the secret key in their memory and onlyneed to store a string of bits called the challenge. An IoTdevice can generate the secret key ki using this challengeand its PUF whenever it is needed. However, an adversarycannot obtain the secret key using the challenge [36]. Thismakes IoT devices secure against physical and cloning attacks.Moreover, each IoT device uses a pseudonym identity insteadof their actual identity to communicate with the server. Thepseudonym identity, denoted by PIDA for an IoT device withID IDA, is constructed as follows:

PIDA = H(IDA ‖ ki). (1)Thus, the server saves ki and PIDA in its memory for allIoT devices, while each IoT device only saves its challenge.At random points in time, data packets from the IoT devicescarry the validation information and the server checks thisinformation to validate all the previous data sent by therespective IoT device. The proposed protocol can be dividedinto two phases: initial sequence sharing phase and datatransfer phase.

A. Sequence Sharing

Figure 2 shows the proposed protocol for sequence sharing.This three-way protocol is used to establish a secret randomtime hopping sequence between an IoT device and the server.The proposed protocol for sequence sharing works as follows:

1) The IoT device IDA uses the stored challenge to generatethe secret key ki [36]. It then calculates its pseudonymand sends PIDA and a random number RA to the serveras shown message 1 of Figure 2. Message 1 also containsa hash function that is used for ensuring data integrityand freshness of the message. The first three parameters

4

of the hash function ensure data integrity while the lastparameter i.e., RA not only ensures data integrity butalso acts as the freshness identifier of the source (the IoTdevice in this case). The same approach for data integrity,freshness, and source identification is used throughout theprotocol.

2) The server searches for PIDA in its memory. The serverdismisses the sequence sharing request if the search fails.Otherwise, the server obtains the random number RA

using the secret key ki. The server then verifies theintegrity and freshness of the message as shown in Figure2, i.e., the server uses the parameters from its memoryto construct H(PIDA ‖ ki ‖ RA) and compares it tothe same expression received from the IoT device IDA.If the verification fails, the server rejects the sequencesharing request. Otherwise, the server generates a randomnumber RB and uses the random numbers RA and RB

to establish the secret seed Sp to be used for the randomsequence generator as follows:

Sp = H(RA ⊕RB). (2)The server uses Sp to generate a random sequence ofintegers. Techniques for producing random sequenceswith good Hamming correlation characteristics are givenin [37]. The secret seed may be refreshed periodically toensure freshness. The server then sends the secret timehopping sequence THSequence in message 2 to the IoTdevice IDA.

3) The IoT device IDA extracts the server’s random numberRB using ki, and verifies the integrity and freshness ofthe received message. If verification succeeds, the IoT de-vice saves the secret time hopping sequence THSequence

and sends message 3 as an acknowledgment to the server.Otherwise, it aborts the sequence sharing process.

4) The server verifies the received acknowledgment.The IoT device IDA and the server now share a secret time

hopping sequence THSequence and may now proceed to thedata transfer phase.

B. Data Transfer

Figure 3 shows the data transfer phase of the proposedprotocol. After the sequence sharing phase, the IoT deviceIDA and the server have the secret random time hoppingsequence THSequence. Let us assume that the following timehopping sequence is generated by the server:

THSequence = T1, T2, T3, · · · . (3)This random sequence is used to hide the validation infor-mation from the adversary. To use this sequence, the IoTdevice and the server maintain a counter of the packets sentand received, respectively. When the IoT device starts sendingdata packets, it increments its packet counter, Pkt count, eachtime a new packet is sent (the server also increments itscounter for every received packet). When Pkt count reachesT1, the IoT device inserts the validation information in thispacket and resets the counter to zero. The next transmissionof validation information is when Pkt count reaches T2, and so

Fig. 3: Data transfer phase.

on. Without knowledge of THSequence, an adversary cannotinfer the timing of the validation packets and consequentlycannot differentiate between normal and validation packets. Inaddition to the sensed data, each IoT device sends randomlygenerated dummy values in the non-validation packets, whilea hash of the previous data is sent in the validation packets.To ensure both availability and security, the values in the timehopping sequence are uniformly distributed between 15 and 25(i.e., 15 ≤ Ti ≤ 25). The minimum value of 15 ensures that forall practical purposes, an adversary cannot break our schemeas discussed in Section V-A1. Moreover, the upper limit of25 dictates the maximum tolerable delay. This paper focuseson high data rate applications where devices send many tensof packets per second. Therefore, to keep the maximum delayfor verification in the order of one second or lower, 25 ischosen as the maximum value for the time hopping sequence.Note that many sensor motes usually have high sampling rates.Therefore, IoT devices consolidate multiple data samples in abuffer and then send the whole buffer consisting of multipledata samples in a single packet. We call the data samples ina single packet as a batch.

To construct a validation packet, an IoT device first gener-ates a random permutation of the previous data batches. For

5

example, let us assume that batches previously sent by anIoT device and not yet validated are given by: Pwindow =B1, B2, B3, · · · , BT1 . The IoT device IDA then generates arandom permutation of the set Pwindow using T1/25 as a se-cret seed. Let an example of the resulting random permutationbe B2, BT1

, · · · , B5. The IoT device IDA then takes the hashof this random permutation as follows:

HCHK = H(NAND(B2, BT1, · · · , B5)) (4)

where HCHK is the validation information sent in the V fieldof the validation packet. The steps of the protocol during thedata transfer phase are as follows:

1) The IoT device IDA initializes a counter Pkt count toone and saves the first batch of data samples B1 into abuffer window called Pwindow. Pwindow represents thedata batches sent but not yet validated. The IoT deviceIDA puts a random value into the V field and sends thefirst packet P1 to the server.

2) After receiving P1, the server initializes its Pkt count toone, discards the V field, and saves B1 in its bufferwindow Pwindow.

3) The previous steps of saving the batches of data inPwindow and incrementing Pkt count by one for everytransmission and reception are continued until we reacha validation packet, in this case T1. The IoT device IDA

generates a random permutation of the data batches inPwindow using T1/25 as the secret seed and calculatesthe hash of this randomly permuted set as in (4). TheIoT device IDA then inserts HCHK into the V field ofPT1

and sends it to the server.4) When the server receives PT1

, its counter Pkt count isalso incremented to T1

1 and the server recognizes thisis a validation packet. The server generates a randompermutation of the packets in Pwindow using the samesecret seed T1/25 and calculates HCHK of the permutedset of packets. The server then reads the eight bytes inthe V field for packet PT1

and compares it with thecomputed HCHK as shown in Figure 3, where V [1 : 8]denotes bytes 1 to 8 of the V field of a packet. If HCHK

fails validation, the server raises an alarm for the systemoperators. Otherwise, the data transfer continues as usual.

C. Random Permutation Generation

The purpose of the random permutation in the proposedprotocol is to make the validation packets statistically un-predictable i.e., an adversary should not be able to dif-ferentiate a validation packet from a non-validation packet.Many permutation generation techniques exist in literature,for example, for speech scrambling. However, they are notsuitable for cryptographic applications due to the absenceof fast algorithms. Moreover, existing permutation generationalgorithms perform well if the degree of permutation is large,

1Here we have assumed that there are no packet losses. In case a packetis lost, we assume that the reliability mechanisms at various network layersrecover the loss. If a loss cannot be recovered, then the validation process iscanceled for this window of packets.

typically 1000 or larger. In the proposed mechanism, thedegree of permutation needs to be less than 25 due to the delayrequirements. Therefore, we develop a random permutationgeneration algorithm designed for the proposed protocol.

The quality of random permutations is usually evaluatedusing the following three metrics [38], [39]:

1) Fixed Points: These are the number of elements thatremain at their original position even after permuting asequence. The criteria regarding fixed points is as follows:C1: Minimize the number of fixed points.

2) Adjacent Pairs: This metric represents the number of pairsof elements which were adjacent to each other in theoriginal sequence and remained together even after thepermutation. The criteria for adjacent pairs is as follows:C2: Minimize the number of adjacent pairs.

3) Shift Factor: Shift factor represents the average displace-ment of all elements after applying a random permutation.The shift factor is calculated as:

α =1

n

n∑i=1

|i− Pi| (5)

where Pi is the position of element i after permuting.The criteria for shift factor is as follows: C3: Maximizethe shift factor, ensuring the shift factor is at least n/3.

The proposed random permutation method is given inAlgorithm 1. To generate a random permutation qp =(qp[1], qp[2], · · · , qp[n]) of degree n, we start by first generat-ing n real numbers using a piece-wise linear chaotic map asfollows:

yn+1 =

{yn

p 0 < y(n) ≤ p1−y(n)1−p p < y(n) < 1

(6)

where the control parameter p ∈ (0, 1] and yn ∈ (0, 1). Weuse yn as the seed for our random permutation generationalgorithm while we fix p at 0.54 and take y(0) as 0.765[41]. These real values are then discretized using the equal-width discretization method [40] to obtain a list of randomintegers q = q[1], q[2], · · · , q[n], which is then given as inputto Algorithm 1. The proposed algorithm first finds the missingelements in q and then replaces the repeated elements of q withthe missing elements. To get a high shift factor we followan approach similar to [38], in which we assign the largestmissing element to the first position that has a repetition.By assigning large values to the beginning of the list andsmall values to the end of list we get a higher shift factor[38]. Moreover, the algorithm also checks for fixed points andadjacent pairs. If a fixed point or adjacent pair is found, thecurrent element is swapped with the first element in the list.

The worst case complexity of the proposed algorithm isO(n log n) which is better than the O(n2) complexity of [38].Moreover, the proposed algorithm outperforms [38] in termsof the three criteria C1, C2, and C3 as shown in Table I.Table I shows the simulation results for 100,000 permutationswith permutation lengths of 30 and 60 elements with eachentry showing the percentage of permutations satisfying therespective criteria.

6

Algorithm 1: Random permutation using a chaoticmap

Input : unsigned integers generated from chaotic mapq[1], q[2], · · · , q[n]

Output: permutation qp[1], qp[2], · · · , qp[n]1 n = length(q)// Find missing elements

2 for i = 1 to n do3 if count[q[i]] < 1 then4 count[q[i]] = count[q[i]] + 15 qtemp[i] = q[i]6 end7 end8 qsort = sort(qtemp)9 ntemp = length(qsort)

10 i1 = 1; temp = 011 for ind = 1 to qsort[1] do12 m[i1] = ind; i1 ++13 end14 for ind1 = 2 to n do15 for ind2 = 1 + qsort[ind1 − 1] to qsort[ind1]− 1 do16 m[i1] = ind2; i1 ++17 end18 end19 for ind = 1 + qsort[ntemp] to n do20 m[i1] = ind; i1 ++21 end

// Replace repetitions with missingelements and check for fixed points andadjacent pairs

22 ind = length(m); swapvar = 0; qp = q23 for i = 1 to n do24 if count[qp[i]] ≥ 1 then25 qp[i] = m[ind]; ind = ind− 126 else27 count[qp[i]] = count[qp[i]] + 128 if i > 1 and qp[i]− qp[i− 1] == 1 then29 swapvar = qp[i]30 qp[i] = qp[i− 1]31 qp[i− 1] = swapvar32 if i > 1 and qp[i] == i then33 swapvar = qp[i]34 qp[i] = qp[1]35 qp[1] = swapvar36 end

TABLE I: Performance of random permutation generationalgorithm for the IoT.

C1Degree Algorithm C1 C2 C3 & C2

& C3

30 [38] 43.61 53.88 99.54 22.95Proposed 95.96 96.54 99.89 92.43

60 [38] 40.31 76.16 100 30.49Proposed 96.96 98.85 100 95.81

V. SECURITY ANALYSIS

In this section we present a security analysis of the proposedprotocol using the Mao and Boyd logic [42].

To prove the security of the proposed protocol we first showthat the secret seed Sp is a good shared secret between the IoTdevice IDA and the server (i.e., the seed is not discoverable

by anyone other than the IoT device IDA and the server). Forease of notation, we denote the IoT device IDA and the serverby A and S, respectively. To use the Mao and Boyd logicfor security analysis, the first step is to idealize the protocolmessages of the seed sharing phase. The steps to idealizeprotocol messages are given in the Appendix. The idealizedversions of the messages exchanged during the seed sharingphase are as follows:

1) A→ S : A, {RA}ki

2) S → A : {A,RARRB}ki·

3) A→ S : {A,RARRB}ki

Sp is constructed using RA and RB . Therefore, to provethat Sp is a good shared secret between A and S we need toshow that RA and RB are good shared secrets between A andS. The logic framework of [42] uses a set of inference rulesto establish the security of shared secrets. The inference rulesused in this section are enumerated in the Appendix. Moreover,the set of initial beliefs/assumptions is given below:

1) A Aki↔ S: ki is a pre-established secret key.

2) A Sc/‖ RA: RA is generated by A.

3) Aki

|∼ RA: Message 1 in the idealized protocol.4) A #(RA): A generates a new RA each time.5) A sup(S): The server is the trusted party.

6) Aki/ RA R RB : Message 2 in the idealized protocol.

7) A S {S}c/‖ RB : S generates a new RB each time.8) S A

ki↔ S: ki is a pre-established secret key.

9) Ski/ RA R RB : Message 3 in the idealized protocol.

10) S Sc/‖ RB : S generates a new RB each time.

11) Ski

|∼ RB : Message 2 in the idealized protocol.12) S A {S}c/‖ RA: A generates a new RA each time.13) S Ac/‖ RB : RB is generated by S.

14) Ski

|∼ RB : Message 2 in the idealized protocol.We first establish the fact that A believes RA is a good

shared secret between A and S. This is shown in the tableauof Figure 4(d), where the statement we want to prove i.e.,A A

RA↔ S is at the bottom. To prove this we need toapply the good key rule from (13), which requires us to showthat A believes no one else except A and S has seen RA,i.e., A {A,S}c/ ‖ RA and that RA holds the freshnessproperty i.e., A #(RA). We observe that A #(RA) isone of the initial beliefs given above and thus does not needto be proved. However, to prove A {A,S}c/‖ RA, we canapply the confidentiality rule from (10). After applying thisrule we need to show that A and S share a secret key ki (i.e.,A A

ki↔ S), and A sent RA to S after encrypting it with

ki (i.e., Aki

|∼ RA), without sharing it with anyone else (i.e.,A Sc/ ‖ RA). The statements in the last step are foundin the set of initial beliefs. Therefore, we conclude that ourinitial statement is true, i.e., A A

RA↔ S. Similarly, we canprove that RB is a good shared secret between A and S asshown in Figure 4(c).

7

S ARA↔S

S {A,S}c/‖RA

S A {A,S}c/‖RA

S A Aki↔S

S #(RA)∧

S Aki|∼RA

S Aki↔S

∧S

ki/RA

∧S A {S}c/‖RA

∧S A

ki|∼RA

S Aki↔S

∧S

ki/RA

∧S sup(A) ∧

S #(RA)

S #(RB)∧

S/RA R RB

Ski/RA R RB

(a) “S believes RA is a good shared key of A and S”.

S ARB↔ S

S {A,S}c/‖RB

S Aki↔S

∧S Ac/‖RB

∧S

ki|∼RB ∧

S #(RB)

(b) “S believes RB is a good shared keyof A and S”.

A ARB↔ S

A {A,S}c/‖RB

A S {A,S}c/‖RB

A S Aki↔S

A #(RA)∧

A Ski|∼RA

A Aki↔S

∧A

ki/RA

∧A S {S}c/‖RB

∧A S

ki|∼RB

A Aki↔S

∧A

ki/RB

∧A sup(S) ∧

A sup(S)∧

A #(RB)

A #(RA)∧

A/RA R RB

Aki/RA R RB

(c) “A believes RB is a good shared key of A and S”.

A ARA↔S

A {A,S}c/‖RA

A Aki↔S

∧A Sc/‖RA

∧A

ki|∼RA ∧

A #(RA)

(d) “A believes RA is a good shared secretof A and S”.

S AHCHK↔ S

S {A,S}c/‖HCHK

S A {A,S}c/‖HCHK

S A AKT H↔ S

S #(HCHK)∧

S AKTH|∼RA

S AKTH↔ S

∧S

KTH/ HCHK

∧S A {S}c/‖HCHK

∧S A

KTH|∼HCHK

S AKTH↔ S

∧S

KTH/ HCHK

∧S sup(A) ∧

S #(HCHK)

(e) Proof of “S believes HCHK is a good shared secret of A and S”.

A AHCHK↔ S

A {A,S}c/‖HCHK

A AKTH↔ S

∧A Sc/‖HCHK

∧A

KTH|∼HCHK ∧

A #(HCHK)

(f) Proof of “A believes HCHK is a goodshared secret of A and S”.

Fig. 4: Security Proofs

Similar analysis for RA and RB on the site of principal Sare given in the tableaux of Figures 4(a) and 4(b), respectively.These proofs show that Sp is a good shared secret betweenA and S. Therefore, we can conclude that the time hoppingsequence generated using Sp is a good shared secret and isknown only to the IoT device and the server.

The data transfer phase can be considered secure if wecan prove that the validation information, i.e., HCHK is agood secret between A and S. The protocol idealization foreach iteration of the data transfer phase consists of a singlemessage, i.e., the data validation packet, because all the othermessages fall into the category of nonsense. The idealizedprotocol messages for data transfer phase are as follows:

1) A→ S : {HCHK}KTH.

2) A→ S : {HCHK}KTH.

...

In this protocol idealization we are representing the timehopping sequence as a key KTH . Although there is no suchkey in the protocol, it represents the fact that the random timehops are only known to A and S and are used to hide thevalidation information. This has been done to adopt to thenotion of formal proofs using [42]. We make the followinginitial assumptions:

1) A AKTH↔ S: Secret time hopping sequence.

2) A Sc/‖HCHK : HCHK can only be created by A andS.

3) AKTH

|∼ HCHK : A sends the validation information to Sby hiding it at random time hops.

4) A #(HCHK), S #(HCHK): A new HCHK is usedeach time.

5) S AKTH↔ S: Secret time hopping sequence.

6) SKTH/ HCHK : A sends the validation information to S

by hiding it at random time hops.7) S A Sc/ ‖HCHK : HCHK can only be created by

A and S.Figures 4(f) and 4(e) show the proof that HCHK is a

secure secret between A and S. This shows that HCHK

can be used to validate the data sent by an IoT device.Moreover, if the random permutation generation algorithm issecure enough (shown in Section V-A1), an adversary cannotconstruct HCHK . This shows that the proposed protocol issecure and cannot be compromised using eavesdropping, man-in-the-middle attacks, replay attacks etc.

A. Data Tampering Attack

An adversary may launch a data tampering attack in threeways: (i) data modification, (ii) data injection, and (iii) datareplay. Next, we show that the proposed protocol is secureagainst these types of attacks.

1) Data Modification: With our scheme, an adversary maymodify the contents of an IoT device packet without detectiononly if he/she can create the correct validation information.To do this, the adversary requires the knowledge of: (i) thetime hopping sequence and (ii) the random permutation of theIoT data batches used in the validation packet. An adversarymay try to attack the scheme by observing the packets fromthe start, i.e., from packet P1 and comparing the hash of all

8

TABLE II: Probability of breaking the proposed schemeSpeed

(combinations/sec) T P1sec

100,000 151 days 7.65× 10−8

100,000,000 3.6 hours 7.65× 10−5

1000,000,000 22 minutes 7.65× 10−4

possible permutations of previous data batches with the V fieldof the current packet. However, the adversary has to do thistask in real time and before the current window of data batchesis transmitted (i.e., in less than one second). Let us assumethat an adversary can check η combinations per second. Fora window of m data batches, the time taken by the adversaryto check all possible permutations, denoted by T , is given by

T =m!

η. (7)

Then, the probability of breaking our scheme within time t byfinding the correct permutation is given by

Pt =t

T. (8)

Table II shows the time required for checking all permutationsand the probability of breaking our scheme for m = 15 andt = 1 second. Table II shows that the proposed protocol isnot only secure against adversaries with regular computingresources (capable of checking 100,000 combinations/second),but supercomputers capable of checking 1000,000,000 com-binations/second would also have a very low probability ofbreaking the scheme within a second. Moreover, the resultsdo not consider the time required to calculate the hash of thepackets. Including this time into the calculation will furtherreduce the probability of breaking our scheme.

2) Data Injection: An adversary may try to launch atargeted attack on an IoT system by maliciously insertingbad data packets into the IoT data stream. To successfullylaunch this kind of attack, the adversary needs to modify thevalidation information carried in the next validation packet.However, as shown in Section V-A1, an adversary cannotmodify the validation packets without being detected.

3) Replay Attack: The use of a random time hoppingscheme ensures that the validation packet of a previous runof the protocol is unlikely to fall at the same place and havethe same permutation as the current run of the protocol. Thusthe proposed protocol can easily detect this type of attacks.

B. Comparison with Message Authentication Codes

Message authentication codes have traditionally been usedto verify the integrity of data packets. A MAC is constructedby taking a hash of the message and a shared secret key.However, given the huge amount of data produced by theresource constrained IoT devices in high data rate applications,sending a MAC with each packet increases the energy require-ment and may not be feasible in such scenarios. Moreover,in data tampering or modification attacks it is assumed thatthe encryption schemes can be broken by the attacker. Giventhis assumption, MACs are not an effective way to verify theintegrity of packets sent by the IoT devices. On the other

hand, the proposed protocol does not store any secrets in theIoT device’s memory, and under our scheme the IoT devicessend data packets without the use of any secret key. Thesecurity of the proposed scheme stems from the fact that theadversary cannot infer the timing of the validation packets andthe random permutation of the packets.

VI. PROTOCOL SIMULATION

The proposed protocol was simulated using the securityverification tool ProVerif (PV) [43]. PV uses process algebrato define protocols and correspondence assertions to prove cer-tain security properties. PV may terminate after successfullyproving a property, or finding an attack. The PV script forour simulation can be found at [44]. The IoT device and theserver are modeled as separate processes and an unboundednumber of instances of these processes are instantiated. Thissimulates arbitrarily many sessions of the protocol betweenthe two parties. Correspondence assertions were used to provesuccessful mutual authentication between the IoT devices andthe servers, while the secrecy of the secrets was establishedusing query commands [43]. PV can identify any possible ordefinite attack, and therefore, the proposed protocol can beconsidered secure against different types of attacks.

VII. PERFORMANCE ANALYSIS

In this section we show that the proposed protocol is suitablefor real time applications in IoT systems.

A. Computational Efficiency

Assuming fixed block ciphers, the complexity of encryptionand hash operations can be assumed to be O(N), where Nis the size of a message. However, as derived in SectionIV-C, the complexity of permutation generation is O(n log n),where n is the number of data batches in Pwindow. Usingthese individual complexities, we can show that the complexityof the seed sharing phase is O(N), while the complexityof data transfer phase is O(N + n log n) for the validationpackets and O(1) for the normal packets. Given the size ofPwindow, n is expected to be in the range of 15 to 25 whichtranslates to a very low complexity. However, if we use thetraditional scheme of sending a MAC with each packet thenthe complexity of the data transfer phase is O(N) for eachpacket. Moreover, given the fact that N � n we conclude thatthe proposed protocol has a lower computational complexity.

B. Energy Requirements

The proposed protocol was emulated on the MICA 2 moteplatform to study the related energy consumption through theAVRORA energy analysis tool [45]. We simulated 100 nodestransmitting (100 data packets each) at 38.4 kBaud usingManchester encoding, equivalent to 19.2 kbps, or 2.4 kilobytesper second. We report the result for energy consumptionfor the 100 packets averaged over 100 nodes. We comparethe proposed protocol with the traditional approach for dataintegrity, i.e., sending a MAC with each packet. The traditionalapproach is used as a benchmark as most of the state-of-the-art security protocols adopt this mechanism. We consider two

9

TABLE III: Energy Consumption for Proposed Protocol Com-pared to Traditional MAC Approach (Scenario 1)

MAC SizeProposedProtocol

TraditionalApproach

SavingsµJ

CPU64 bits 4,327.10 7,398.63 3,071.53 (41.52%)

128 bits 4,370.44 10,054.65 5,684.21 (56.54%)192 bits 4,414.16 12,685.93 8,271.77 (65.21%)256 bits 4,457.89 15,317.20 10,859.31 (70.90%)

Radio64-bits 270,944.22 270,945.54 1.32 (0%)128-bits 282,282.10 282,287.40 5.30 (0%)192 bits 293,617.86 293,625.28 7.42 (0%)256 bits 304,953.66 304,963.16 9.5 (0%)

scenarios to evaluate the performance of the proposed protocol.First, we keep the MAC size in the traditional approach andthe hash size in the proposed scheme the same. In this case,due to approximately same packet size, we expect the energyconsumed by the radio to be the same for the proposed as wellas the traditional approach. However, since we calculate thehash only for the validation packets, we expect the proposedprotocol to consume less CPU energy as compared to thetraditional approach. This can be seen in Table III. We observethat the CPU consumes approximately 70% more energy in thetraditional approach at a MAC size of 256 bits. Moreover, anincrease of 64 bits in the MAC size results in an increaseof approximately 2630 µJ in CPU energy for the traditionalapproach, while, we observe an increase of only 43 µJ in CPUenergy for the proposed protocol. The CPU and radio energyconsumed by the proposed and the traditional protocol for thisscenario are shown in Figure 5.

As shown in Section V-A1, the security of the proposedscheme stems from the difficulty in breaking the randompermutations. Therefore, we consider a 64 bit hash function tobe sufficient for the proposed protocol. However, most MACschemes require larger MAC sizes such as 128 bits or evenlarger to achieve the same level of security. Therefore, inour second scenario, we keep the hash size for the proposedprotocol at 64 bits and vary the MAC size for the traditionalapproach from 64 bits to 128 bits. In this case, due tosmaller packet size, we expect energy savings not only interms of CPU but also in radio energy. Table IV shows theenergy consumed by the CPU and the radio system. The CPUconsumes 41.51% more energy in the traditional approachwhen the MAC size is 64 bits. However, the energy savingsby the proposed protocol increase to 65% for a MAC sizeof 256 bits. Similarly, the proposed protocol can achieve upto11.15% energy savings in the radio transceiver. Figure 6 showsa comparison of the energy consumed by the proposed andtraditional approach for the second scenario.

These results show that the proposed scheme for detectingtampered data and providing data integrity in IoT systemsresults in significant reduction in the energy requirements ascompared to the traditional way of providing data integritythrough MACs.

TABLE IV: Energy Consumption for Proposed Protocol Com-pared to Traditional MAC Approach (Scenario 2)

MAC SizeProposedProtocol

TraditionalApproach

SavingsµJ

CPU64 bits 4327.10 7398.63 3,071.53 (41.51%)128 bits 4327.10 10054.65 5,727.55 (56.96%)192 bits 4327.10 12,685.93 7,043.19 (61.94%)256 bits 4327.10 15,317.20 8,358.83 (65.90%)

Radio64 bits 270,944.22 270,945.54 1.32 (0%)128 bits 270,944.22 282,287.40 11,343.18 (4.02%)192 bits 270,944.22 293,625.28 22,681.06 (7.72%)256 bits 270,944.22 304,963.16 34,018.94 (11.15%)

Fig. 5: Energy Consumed - Scenario 1

C. Communication Overhead

The communication overhead for most encryption basedsignature schemes such as RSA is typically in the range of128 to 256 bytes. Given a 64 bit hash function, the proposedprotocol produces only 8 bytes of overhead per packet. Ifwe consider sending a MAC with each packet, it will alsoproduce at least 8 bytes of overhead per packet. However,most MAC schemes require 128 bit MACs, thereby increasingthe per packet communication overhead to 16 bytes per packet.This shows that the proposed protocol has comparatively lowercommunication overhead.

VIII. CONCLUSIONS

This paper presented a mechanism to detect data tamperingin IoT systems. A security analysis of the protocol showedthat it is secure against various data tampering attacks such asdata modification and data injection. The proposed protocolsignificantly reduces the energy requirement for IoT devicesby reducing the computational complexity as well reducingthe transmission energy. The proposed protocol serves as an

10

Fig. 6: Energy Consumed - Scenario 2

attractive choice for real time applications in IoT systems.

ACKNOWLEDGMENT

This work is supported in part by Singapore Ministry ofEducation Academic Research Fund Tier 2 grant MOE2016-T2-1-150.

REFERENCES

[1] A. Zanella et al., “Internet of Things for Smart Cities,” in IEEE Internetof Things Journal, vol. 1, no. 1, pp. 22-32, Feb. 2014.

[2] N. Ianuale, D. Schiavon and E. Capobianco, “Smart cities and urbannetworks: are smart networks what we need?”,J. Manage. Analytics,vol. 2, no. 4, pp. 285-294, 2015.

[3] L. D. Xu, W. He and S. Li, “Internet of Things in Industries: A Survey,”IEEE Trans. Ind. Informatics, vol. 10, no. 4, pp. 2233-2243, Nov. 2014.

[4] J. Mao et al., “A hybrid reader transceiver design for industrial internetof things.” J. Ind. Inform. Integration, vol. 2, pp. 19-29, 2016.

[5] J. Kim, “A Review of Cyber-Physical System Research Relevant to theEmerging IT Trends: Industry 4.0, IoT, Big data, and Cloud computing.”J. Ind. Integration and Manage., vol. 2, no. 3, 2017.

[6] S. Li, and L. Xu, “Securing the Internet of Things.” Syngress, Elsevier,2017.

[7] Y. Yang et al., “A Survey on Security and Privacy Issues in Internet-of-Things,” in IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1250-1258,Oct. 2017.

[8] H. Yan, “An Emerging Technology-Wearable Wireless Sensor Networkswith Applications in Human Health Condition Monitoring.” J. Manage.Analytics, vol. 2, no. 2, pp. 121-137, 2015.

[9] S. Borkar, “Design challenges of technology scaling,” IEEE Micro, vol.19, no. 4, pp. 23-29, Jul-Aug 1999.

[10] Igor L. Markov, “Limits on fundamental limits to computation,” Nature,vol. 512, pp. 147154, Aug 2014.

[11] M. Bohr, “14nm process technology: opening new horizons,” in IDF,2014.

[12] M. Alioto (Ed.), Enabling the Internet of Things from Integrated Circuitsto Integrated Systems, Springer, 2017.

[13] R. Maes, Physically Unclonable Functions: Constructions, Propertiesand Applications, London: Springer, 2013.

[14] Y. Yu et al., ”Identity-Based Remote Data Integrity Checking WithPerfect Data Privacy Preserving for Cloud Storage,” IEEE Trans. Inf.Forens. Security, vol. 12, no. 4, pp. 767-778, April 2017.

[15] A. R. Sadeghi, C. Wachsmann and M. Waidner, “Security and privacychallenges in industrial Internet of Things,” in Proc. ACM/EDAC/IEEEDAC, San Francisco, CA, 2015, pp. 1-6.

[16] E. Handschin et. al., “Bad data analysis for power system state estima-tion,” IEEE Trans. Power App. Syst., vol. 94, no.2, pp. 329-337, 1975.

[17] M. Baran, and A. Abur, “Power System State Estimation,” WileyEncyclopedia of Electrical and Electronics Engineering, 1999.

[18] Y. Deng, and S. Shukla. “Vulnerabilities and Countermeasures: A Surveyon the Cyber Security Issues in the Transmission Subsystem of a SmartGrid,” J. Cyber Security and Mobility, vol. 1, no. 2, pp. 251-276, 2012.

[19] Y. Liu et. al., “False Data Injection Attacks Against State Estimation inElectric Power Grids,” in Proc. ACM CCS, Chicago, IL, Nov. 2009, pp.21-32.

[20] M. Esmalifalak et. al., “Stealth false data injection using independentcomponent analysis in smart grid,” in Proc. IEEE SmartGridComm,Brussels, Oct. 2011, pp.244-248.

[21] A. Giani et al., “Smart grid data integrity attacks: characterizations andcountermeasures,” In 2011 IEEE Int. Conf. on Smart Grid Commun.(SmartGridComm), Brussels, Oct. 2011, pp. 232-237.

[22] O. Goldreich, Foundations of cryptography II: Basic Applications,Cambridge Univ. Press, 2004.

[23] M. Bellare, J. Kilian, and P. Rogaway, “The Security of the Cipher BlockChaining Message Authentication Code,” J. Comput. Syst. Sci., Vol. 61,no. 3, pp. 362-399, 2000.

[24] M. Bellare, R. Canetti, and H. Krawczyk, “Message authentication usinghash functions: The HMAC construction,” CryptoBytes, vol. 2, no. 1,Spring 1996.

[25] T. Krovetz, “UMAC: Message Authentication Code using UniversalHashing”, IETF RFC 4418, March 2006.

[26] C. Doukas et al., “Enabling data protection through PKI encryption inIoT m-Health devices,” in Proc. IEEE BIBE, Larnaca, 2012, pp. 25-29.

[27] A. W. Atamli and A. Martin, “Threat-Based Security Analysis for theInternet of Things,” In Proc. Int. Workshop on SIoT, Wroclaw, 2014, pp.35-43.

[28] Z. K. Zhang et al., “IoT Security: Ongoing Challenges and ResearchOpportunities,” in Proc. IEEE Int. Conf. on Service-Oriented Computingand Applicat., Matsue, 2014, pp. 230-234.

[29] D. McCann, K. Eder and E. Oswald, “Characterising and comparingthe energy consumption of side channel attack countermeasures andlightweight cryptography on embedded devices,” in Proc. IEEE SIoT,pp. 65-71, Vienna, 2015.

[30] K. Tiri and I. Verbauwhede, “A VLSI design flow for secure side-channelattack resistant ICs,” in Proc. IEEE DATE, Munich, Germany, 2005, pp.58-63.

[31] S. Crane et al., “Thwarting Cache Side-Channel Attacks ThroughDynamic Software Diversity,” in Proc. NDSS, San Diego, California,2015, pp. 8-11.

[32] O. Gnl, O. can and G. Kramer, “Reliable secret key generation fromphysical unclonable functions under varying environmental conditions,”Proc. 2015 IEEE International Workshop on Information Forensics andSecurity (WIFS), pp. 1-6, Rome, 2015.

[33] M. N. Aman, K. C. Chua and B. Sikdar, “Mutual Authentication inIoT Systems Using Physical Unclonable Functions,” in IEEE Internetof Things Journal, vol. 4, no. 5, pp. 1327-1340, Oct. 2017.

[34] C. Marchand et al., “Implementation and Characterization of a PhysicalUnclonable Function for IoT: A Case Study With the TERO-PUF,” inIEEE Transactions on Computer-Aided Design of Integrated Circuitsand Systems, vol. 37, no. 1, pp. 97-109, Jan. 2018.

[35] S. P. Skorobogatov. “Semi-invasive attacks - a new approach to hardwaresecurity analysis,” Technical Report UCAM-CL-TR-630, University ofCambridge Computer Laboratory, April 2005.

[36] C. Brzuska et. al., “Physical Unclonable Functions in the UniversalComposition Framework”, in Proc. CRYPTO, Santa Barbara, CA, Aug.2011, pp. 51-70.

[37] M. K. Simon et. al., Spread Spectrum Communications Hand-book,revised ed. New York: McGraw Hill, 1994.

[38] A.C. Dascalescu et. al., “A novel fast chaos-based algorithm for gen-erating random permutations with high shift factor suitable for imagescrambling”, Nonlinear Dynamics, vol.74, no. 1-2, pp. 307-318, 2013.

[39] B. Jayaramakrishnan, R. Vijayaraghavan and V. Ravichandran, “Oncounting certain permutation used for speech scrambling”, J. PhysicalScience, vol. 17, no. 2, pp. 131-139, 2006.

[40] Raymond DeCarlo, Linear Systems: A State Variable Approach withNumerical Implementation, Prentice Hall, NJ, 1989.

[41] Z. Nasim, Z. Bano and M. Ahmad, “Analysis of efficient randompermutations generation for security applications,” in Proc. ICACEA,Ghaziabad, Jul. 2015, pp. 337-341.

11

[42] W. Mao and C. Boyd, “Towards formal analysis of security protocols”,in Proc. Comp. Security Found. Workshop VI, Franconia, NH, Jun. 1993,pp. 147-158.

[43] B. Blanchet and B. Smyth, ProVerif: Automatic Cryptographic ProtocolVerier, User Manual and Tutorial, 2017.

[44] https://www.ece.nus.edu.sg/stfpage/bsikdar/scripts/tampering[45] B. L. Titzer, D. K. Lee, and J. Palsberg, “Avrora: scalable sensor network

simulation with precise timing”. In Proc. IEEE IPSN, Boise, ID, April2005, pp. 477-482.

APPENDIX

In this section we give a brief introduction to the Mao andBoyd logic [42] for the formal analysis of security protocols.The first step is to idealize the protocol messages. Logicalformulas are constructed using three types of information: M :messages, P : principals, and F : formula. As a convention,capital letters A, B, P , Q, · · · are used to represent principals,letters K, M , N, · · · are used for messages, and X , Y , Z, · · ·are used for formulas. The predicate constructs used in ouranalysis are given below:• P X: P believes X is true and may act accordingly.

• PK

|∼ X: P said X using encryption key K.• P

K/ X: P sees X using decipherment key K. In the

absence of encryption we use P / X .• P

K↔ Q: P and Q may use K as a good shared key.• #(M): M is fresh and has not been used before.• sup(S): Principal S is the trusted party.• P /‖M : Principal P cannot see message M .We first present some definitions before describing the rules

for protocol message idealization.• Atomic Message: A piece of data in a message which is

not constructed using “,”, “|”, “R”, or “{}”, where “,” isused to separate fields in a message and “{}” is used forencryption. “|” and “R” are defined below.

• Challenge: An atomic message (except timestamps)which is sent and received in separate lines by only oneprincipal (the originator).

• Replied Challenge: A challenge that is sent back to theoriginator.

• Response: An atomic message which is not a timestampand is sent together with a replied challenge by the senderof the response.

• Nonsense: An atomic message which is not a challenge,response, or a timestamp is said to be a nonsense.

The rules for protocol message idealization are as follows:1) Delete any nonsense.2) An atomic message which serves as a challenge as well

as a response in a line is treated as a response in thatline.

3) Use operator “|” to combine challenges separated bycommas.

4) Use operator “|” to combine responses separated bycommas. The resulting message is called a combinedresponse.

5) A challenge and its response are combined using “R” into“response R replied challenge”.

6) A message and its corresponding timestamp are combinedusing “R” into “message R timestamp”.

Finally, the list of inference rules is as follows:

1) Authentication Rule: If P and Q share a secret key K,and P can decrypt a received message M using K, thenP can believe that M comes originally from Q. The rulecan be represented as

P QK

|∼M

P PK↔Q

∧P

K/M

. (9)

2) Confidentiality Rule: If P and Q share a secret key Kand P sent M after encrypting it with K without sharingit with anyone else, then P can believe that only P andQ have seen M . The rule can be represented as

P (S∪{Q})c/‖M

P PK↔Q

∧P Sc/‖M

∧P

K

|∼M. (10)

3) Super-Principal Rule: If P believes Q is a trusted server,then P can believe what the server believes. The rule canbe represented as

P X

P Q X∧

P sup(Q)

. (11)

Note that this rule means that P can trust Q about X .In the proposed protocol both the IoT device and theserver are responsible for creating the secret seed forthe time hopping sequence. Therefore, we can considerboth as super principals with respect to the time hoppingsequence.

4) The Fresh Rule: If P knows that M is fresh and P hasseen N and M together in a message, then P can believein the freshness of N . The rule can be represented as

P #(N)

P #(M)∧

P/NRM

. (12)

5) The Good-Key Rule: This rule has two versions: (i) IfP believes that no one else except P and Q knows aboutK, and P believes K is fresh, then P can trust K asbeing a good key between P and Q

P PK↔Q

P {P,Q}c/‖K∧

P #(K)

(13)

and (ii) If P believes no one else except P , Q and Rknows about K and R is the trusted server and K isfresh, then P can trust K as being a good key betweenP and Q. The rule can be represented as

P PK↔Q

P {P,Q,R}c/‖K∧

P sup(R)∧

P #(K)

. (14)

6) Intuitive Rule: If P decrypted message M using K thenP has seen message M . The rule is given as

P/M

PK/M

. (15)

7) Derived Rule: Applying a belief axiom (P (X∧Y )

if and only if P X∧P Y ) to the confidentiality

12

rule gives rise to the following rule

P Q (S∪{P})c/‖M

P Q PK↔Q

∧P Q Sc/‖M

∧P Q

K

|∼M. (16)

Muhammad Naveed Aman received the B.Sc. de-gree in Computer Systems Engineering from KPKUET, Peshawar, Pakistan, M.Sc. degree in ComputerEngineering from the Center for Advanced Studiesin Engineering, Islamabad, Pakistan, M.Engg. de-gree in Industrial and Management Engineering andPh.D. in Electrical Engineering from the RensselaerPolytechnic Institute, Troy, NY, USA in 2006, 2008,and 2012 respectively.He is currently working as a Senior Research Fellowwith the Department of Computer Science at the Na-

tional University of Singapore, Singapore. Dr. Aman previously served on thefaculty of National University of Computer and Emerging Sciences Pakistanas an Assistant Professor. His research interests include IoT and networksecurity, wireless and mobile networks, and secure embedded systems.

Biplab Sikdar (S98-M02-SM09) received theB.Tech. degree in electronics and communica-tion engineering from North Eastern Hill Univer-sity,Shillong, India, in 1996, the M.Tech. degree inelectrical engineering from the Indian Institute ofTechnology, Kanpur, India, in 1998, and the Ph.D.degree in electrical engineering from the RensselaerPolytechnic Institute, Troy, NY, USA, in 2001. Hewas on the faculty of Rensselaer Polytechnic Insti-tute from 2001 to 2013, first as an Assistant and thenas an Associate Professor.

He is currently an Associate Professor with the Department of Electricaland Computer Engineering, National University of Singapore, Singapore. Hisresearch interests include wireless network, and security for IoT and cyberphysical systems. Dr. Sikdar is a member of Eta Kappa Nu and Tau Beta Pi. Heserved as an Associate Editor for the IEEE Transactions on Communicationsfrom 2007 to 2012. He currently serves as an Associate Editor for the IEEETransactions on Mobile Computing.

Kee Chaing Chua received a Ph.D. in electricalengineering from the University of Auckland, NewZealand, in 1990 and joined the Department ofElectrical Engineering at the National University ofSingapore (NUS) as a Lecturer. He is now a Pro-fessor in the Department of Electrical & ComputerEngineering at NUS. He served as the Faculty ofEngineerings Vice Dean for Research twice, from2003 to 2006 and from 2008 to 2009. From 1995 to2000, he was seconded to the Center for WirelessCommunications (now the Institute for Infocomm

Research), a national telecommunication R&D center funded by the SingaporeAgency for Science, Technology, and Research as its Deputy Director. From2001 to 2003, he was on leave of absence from NUS to work at SiemensSingapore where he was the Founding Head of the Mobile Core R&DDepartment funded by Siemens ICM Group. From 2006 to 2008, he wasseconded to the National Research Foundation as a Director. He was appointedHead of the Department of Electrical & Computer Engineering at NUS in2009. He chaired the World Economic Forums Global Agenda Council onRobotics and Smart Devices in 2011 and spoke on the role of robotics andsmart devices in shaping new models of development at the World EconomicForum in Davos in January 2012. He is a Fellow of the Singapore Academyof Engineering.

Anwar Ali was born in Mardan, Pakistan, in 1981.He received his B.E. degree in Electronics Engineer-ing from NED UET Karachi, Pakistan, in 2004. Hecompleted his M.S. degree in Electronics Engineer-ing in 2010 and the Ph.D. degree in Electronics andCommunication Engineering in 2014 from Politec-nico Di Torino, Italy. He is currently working as anAssistant Professor at the department of ElectricalTechnology, University of Technology (UoT), Now-shera, Pakistan. His research interests include designand development of power management subsystems

for small satellites, attitude sensors & control subsystems for small satellites,thermal analysis & thermal modeling of small satellites, power electronicsapplications and renewable energy systems.