
Upload: deepti-dohare

Post on 09-Jul-2015


Efficient Key Distribution Schemes for Wireless Sensor Networks Using LDU′ Composition of Symmetric Matrices

Sanjay Kumar and Deepti Dohare

Indian Institute of Science, Bangalore
{sanjay08,deeptidohare}@csa.iisc.ernet.in

Abstract. Wireless sensor networks (WSNs) are highly vulnerable to attacks because they consist of various resource-constrained sensor nodes that communicate among themselves via wireless links. Establishment of pairwise keys between sensor nodes is used to realize many of the security services for wireless sensor networks. Hence, securely distributing keys among sensor nodes is a fundamental challenge for providing security services in WSNs. Even though the random key pre-distribution approach is suitable for low-power and resource-constrained sensor nodes, a shared key between a pair of nodes is not guaranteed, and thus they may not be able to communicate with each other. Matrix-based schemes for key pre-distribution essentially use LU decomposition of a matrix, which can provide keys between any pair of nodes but is quite vulnerable to attack. This paper proposes new robust key pre-distribution schemes based on LDU′ composition of matrices. In the first scheme, we use integers as elements of symmetric matrices, and in the second scheme we use polynomials over finite fields as elements of the symmetric matrices. The existing approaches use decomposition of matrices, which is compute intensive, whereas our proposed scheme uses composition of matrices. The analysis shows that the proposed scheme allows almost 100% connectivity regardless of the number of keys and provides 100% resilience against node capture.

1 Introduction

Wireless sensor networks (WSNs) have the potential to provide economical solutions to many problems of practical importance. Some of the applications where WSNs can be used are emergency response systems, energy management, battlefield management, health monitoring, and logistics and inventory management. For example, the power load that should be carried over an electrical line depends on the temperature of the wire and the environmental conditions. If these parameters are monitored by remote sensors and transmitted to a base station, it is possible to meet load requirements optimally. A wireless sensor network (WSN) consists of various resource-constrained sensor nodes. Each sensor node has low battery power, little memory and very little computational capability. The same battery is used throughout the lifetime of a sensor node. A typical Mica2Dot sensor node has 4K RAM with 128K flash memory and a processor speed of 8 MHz. WSNs are usually deployed in hostile environments. Environmental conditions along with resource constraints give rise to many types of security threats or attacks.


An adversary can physically capture a sensor node and extract the information it contains, eavesdrop and inject new messages, modify messages, and listen to and analyze messages to obtain the information they contain. Since a solution to physical capture of a node is possible in our approach, we can provide solutions to other security attacks. To defend against false data injection, the authenticity of the sender must be checked so that sensor nodes do not listen to unauthorized nodes. Modification of a message is detected by checking the integrity of the message. To ensure confidentiality, the information contained in the message should not be revealed to any node other than the sender and receiver. The message is sent encrypted with a key that is shared by sender and receiver. Keys play a central role in realizing security services such as authenticity, integrity and confidentiality. Keys need to be distributed securely among sensor nodes. A new key pre-distribution scheme solving this problem was recently proposed in [7]. It uses key assignment with LU decomposition of the symmetric matrix of the keys. One pitfall of this scheme, however, is that some data needs to be exchanged between the nodes for key authentication. This may compromise security if the exchanged data are tapped by an adversary. In this paper, we therefore further enhance the security of the approach by employing LDU′ composition with a polynomial pool, which still allows high security even when the exchanged data are tapped and nodes are captured. A general form of solution for constructing the $L$, $D$ and $U'$ matrices is developed in order to minimize the time overhead of LDU′ composition in the key pre-distribution steps.

The rest of the paper is organized as follows. Related work and motivation are given in Section 2. In Sections 4 and 5, we describe the proposed schemes. In Section 6, we describe the key distribution scheme for addition of a new node. Section 7 contains the performance analysis of our schemes and a comparison with existing schemes. Section 8 ends the paper with conclusions and directions for future work.

2 Related work

Key distribution schemes available in the literature can be broadly divided into the following two categories:

1. Probabilistic key distribution schemes [10]
2. Deterministic key distribution schemes [2, 4, 7, 8]

There are some other schemes which cannot be put in these categories directly, such as key management schemes using public key cryptography based on elliptic curve cryptography, which consume less power and less memory [5]. Other schemes are location-based schemes [6]. Eschenauer and Gligor [7] proposed a probabilistic key pre-distribution scheme for pairwise key establishment. For each sensor node, a set of keys is chosen from a big pool of keys and given to the node before deployment. In order to establish a pairwise key [3], two sensor nodes only need to identify the common keys they share. Deterministic key distribution schemes have the advantage that the graph is fully connected, because every node in the network can establish a key with any other node. Deterministic algorithms are basically of three types: master key based, matrix based and polynomial based key distribution schemes.

The broadcast session key negotiation protocol (BROSK) is based on a single master key which is pre-deployed in each sensor node. This master key is used to establish a key between a pair of sensor nodes. The master key based scheme is very simple to implement but it has no resilience. The lightweight key management system proposes a solution with slightly better resilience, where more than one master key is employed. It also does not give full resilience to node capture. Blom [9] proposed a key pre-distribution scheme that allows any pair of nodes in a network to find a pairwise secret key. As long as no more than $t$ nodes are compromised, the network is perfectly secure (this is called the t-collision resistance property). The multiple space key pre-distribution scheme [1] improves the resilience of Blom's scheme. The central idea is that, for any node, there is no need to establish a key with any other node.

Park, Choi, and Youn [3] proposed a new scheme called “A noble key pre-distribution scheme with lu matrix for secure wireless sensor networks” [3]. According to this scheme, the base station creates a large pool of elements and randomly selects some elements from the pool to construct a symmetric matrix $A$. After constructing this symmetric matrix, the base station applies LU decomposition to calculate the $L$ and $U$ matrices using the formulas $L = E_1 E_2 E_3 \cdots E_n \cdot A$ and $U = E_1^{-1} E_2^{-1} E_3^{-1} \cdots E_n^{-1}$, where $E_1, E_2, E_3, \ldots, E_n$ are elementary matrices. The main disadvantages of this scheme are its large computational overhead and memory overhead, and its running time of $O(k^2)$.

To overcome this problem, Choi and Youn proposed another scheme called “Mkps: A multi-level key pre-distribution scheme for secure wireless sensor networks” [1]. According to this scheme, the base station creates a large pool of elements, randomly selects some number of elements from the pool, and constructs a lower triangular matrix. After that, the base station constructs an upper triangular matrix based on the lower triangular matrix by applying the following formulas. For the first-row elements,

\[ u_{1j} = (l_{j1}/l_{11}) \cdot u_{11}, \]

and for the elements of the other rows,

\[ u_{ij} = \frac{\sum_{a=1}^{j-1} l_{ja} u_{ai} - \sum_{a=1}^{i-1} l_{ia} u_{aj}}{l_{ii}}, \quad \text{where } 1 < i < j \le m. \]

The main disadvantages of this scheme are its large computational overhead and memory overhead, but the total time taken is reduced to $O(k)$.

In this paper, we improve on the previous two schemes by reducing the computational overhead, increasing confidentiality by changing the order of the elements of the matrix, and providing security against capture of nodes in the network by the adversary. To address the problem of a network being compromised through node capture, we have devised a new approach that is efficient and provides full resilience to the network against node capture. Performance analysis shows that it consumes less energy than probabilistic key pre-distribution schemes and is completely secure in the sense that compromising any number of nodes will not have any effect on the remaining network. Not even a single link between non-compromised nodes will be compromised.

3 Definitions and Assumption

In this section we present the preliminaries and some assumptions of the proposed schemes.

3.1 Preliminaries

We start with a brief description of various concepts and definitions used in this paper.


– Definition 1: If a square matrix $A$ has the property $A^T = A$, where the transpose of matrix $A$ is denoted by $A^T$, we say that $A$ is a symmetric matrix. $A$ being symmetric means $A_{ij} = A_{ji}$, where $A_{ij}$ is the element in the $i$th row and $j$th column of matrix $A$ [3].

– Definition 2: LU decomposition of an $m \times m$ matrix $A$ decomposes it into two matrices $L$ and $U$ such that $A = LU$, where $L$ is an $m \times m$ lower triangular matrix and $U$ is an $m \times m$ upper triangular matrix, respectively [1].

– Definition 3: Now suppose that $A$ is a square matrix with $A = LU$, and the pivots on the diagonal of $U$ are all nonzero. By dividing the $i$th ($1 \le i \le m$) row of $U$ by the nonzero pivot $d_i$, the matrix $U$ is decomposed into a diagonal matrix $D$ whose diagonal entries are just the pivots $d_1, d_2, \ldots, d_n$ and a new upper triangular matrix, denoted by $U'$, whose diagonal elements are all 1. Then $A = LDU'$ [3].

– Definition 4: A hash function ($H$) is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum, usually a single integer that may serve as an index to an array. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.

– Definition 5: A circular shift function ($CS$) is a function that defines an operation of rearranging the entries in a tuple by moving the final entry to the first position. $CS(tuple, n)$ indicates that $n$ circular shifts are applied to a given tuple. For example, $CS((a, b, c, d), 2) = (c, d, a, b)$.

– Definition 6: A reverse function ($R$) is a function that rearranges the entries of a tuple in reverse order. For example, $R((a, b, c, d)) = (d, c, b, a)$.

3.2 Assumption

– Network topology is not known prior to deployment.
– Before deployment, each node does not know its own location or its neighbors.
– Initial deployment of the network takes place safely, in the sense that the adversary cannot capture any node even for a small period of time.
– There is a lower bound $T_{min}$ on the time needed to compromise a node.
– The time for a new node to discover its neighbors is $T_{est}$, and $T_{est} < T_{min}$.

4 Proposed First Key Distribution Scheme

To remove the drawbacks of the existing schemes, we propose a new key pre-distribution scheme called A Key Pre-Distribution Scheme with LDU′ Composition of Matrix for WSNs. The following procedure is executed by the base station in order to construct the $L$, $D$, $U$ and $U'$ matrices.

– Step 1: Generation of a large pool of keys ($2^{18} \sim 2^{21}$ keys): The base station generates a large pool of keys as shown in Figure 1. The generated keys are then used to construct a symmetric matrix in further steps.

– Step 2: Forming a lower triangular matrix using the pool of elements: Construct a lower triangular matrix using randomly selected elements from the key pool. This can be an $m \times m$ matrix as given below. The first condition for selecting elements from the large pool is that all elements present in a column should be multiples of the diagonal element of the same column, some elements should be zero, some elements should be the same as the diagonal element, and all the selected elements should be large. One more condition for this matrix is that the sum of all the diagonal elements should not be divisible by the number of columns of the lower triangular matrix.

\[ L = \begin{pmatrix} L_{11} & 0 & 0 & 0 \\ L_{21} & L_{22} & 0 & 0 \\ L_{31} & L_{32} & L_{33} & 0 \\ L_{41} & L_{42} & L_{43} & L_{44} \end{pmatrix} \]

– Step 3: Forming an upper triangular matrix using the lower triangular matrix: The upper triangular matrix is formed by taking the simple transpose of the lower triangular matrix, i.e., $U = L^T$, and this matrix is formed in linear time as given below.

\[ U = \begin{pmatrix} U_{11} & U_{12} & U_{13} & U_{14} \\ 0 & U_{22} & U_{23} & U_{24} \\ 0 & 0 & U_{33} & U_{34} \\ 0 & 0 & 0 & U_{44} \end{pmatrix} \]

– Step 4: Forming a diagonal matrix $D$ using the $U$ matrix: The diagonal matrix $D$ is constructed by choosing the diagonal elements from matrix $U$, which also generates a $U'$ matrix, where $U = DU'$. Both $D$ and $U'$ are shown below.

\[ D = \begin{pmatrix} U_{11} & 0 & 0 & 0 \\ 0 & U_{22} & 0 & 0 \\ 0 & 0 & U_{33} & 0 \\ 0 & 0 & 0 & U_{44} \end{pmatrix} \qquad U' = \begin{pmatrix} 1 & U_{12}/U_{11} & U_{13}/U_{11} & U_{14}/U_{11} \\ 0 & 1 & U_{23}/U_{22} & U_{24}/U_{22} \\ 0 & 0 & 1 & U_{34}/U_{33} \\ 0 & 0 & 0 & 1 \end{pmatrix} \]

– Step 5: After computing the $L$, $U$, $D$ and $U'$ matrices, the base station selects one row, $L_{r_i}$, from the lower triangular matrix $L$ and one column, $U'_{c_i}$, from the upper triangular matrix $U'$ for each node, and sends both tuples along with the diagonal matrix $D$ to each node in the network. This is done under the condition that the row number and column number selected for a particular node should be equal. The following example is given for clarification.

Example: Suppose we have a limited pool of keys (−20 ∼ 20). From this pool, we randomly select a subset of elements (2,3,9,7,3,2,5,1,4,6,. . . ,20). Using these elements, we construct a lower triangular matrix $L$, shown in Figure 1(a). The upper triangular matrix $U$ is generated by taking the simple transpose of the $L$ matrix (Figure 1(b)). Then we select the diagonal elements from the $U$ matrix and generate the diagonal matrix $D$, shown in Figure 1(c). Finally, we construct the $U'$ matrix such that $U = DU'$, shown in Figure 1(d).

\[ L = \begin{pmatrix} 2 & 0 & 0 & 0 \\ 4 & 5 & 0 & 0 \\ 16 & 15 & 6 & 0 \\ 20 & 10 & 12 & 9 \end{pmatrix} \qquad U = \begin{pmatrix} 2 & 4 & 16 & 20 \\ 0 & 5 & 15 & 10 \\ 0 & 0 & 6 & 12 \\ 0 & 0 & 0 & 9 \end{pmatrix} \]

\[ D = \begin{pmatrix} 2 & 0 & 0 & 0 \\ 0 & 5 & 0 & 0 \\ 0 & 0 & 6 & 0 \\ 0 & 0 & 0 & 9 \end{pmatrix} \qquad U' = \begin{pmatrix} 1 & 2 & 8 & 10 \\ 0 & 1 & 3 & 2 \\ 0 & 0 & 1 & 2 \\ 0 & 0 & 0 & 1 \end{pmatrix} \]

Fig. 1. (a) Lower triangular matrix, $L$ (b) Upper triangular matrix, $U$ (c) Diagonal matrix, $D$ (d) Upper triangular matrix, $U'$

4.1 Node to Node Pairwise Key establishment

The existing random key pre-distribution schemes [3, 1] allow node to node pairwise key establishment, but these schemes have some drawbacks, as discussed in Section 2. As per [3, 1], sending a direct key $K_{ij}$ or $K_{ji}$ between any pair of nodes is not secure because the adversary can tamper with the key. If the adversary captures the columns sent by any node, then she can calculate the original matrix by calculating the dimension of the matrix and the column number in the matrix. The adversary can also put her node in place of an actual node in the network and communicate with other nodes. To overcome these problems, we propose a new scheme for node to node mutual authentication that uses a hash function, a circular shift function and a reverse function on the $L$, $U$, $D$ and $U'$ matrices, as described in the following steps:

– Step 1: Let $Node_A$ and $Node_B$ be in the network. Initially $Node_A$ applies the reverse function ($R$) to the selected column elements $U'_{c_i}$, then applies the right circular shift ($CS$) function to the reversed data $R(U'_{c_i})$ $\left(\sum_{i=1}^{n} D_{i,i} \bmod n\right)$ times, and sends the result to $Node_B$.

– Step 2: $Node_B$ applies the $CS$ function to the data received from $Node_A$ and then applies the reverse function to calculate $U'_{c_i}$. Then $Node_B$ computes the cross product $U_{c_i} = D \times U'_{c_i}$. After computing this cross product, $Node_B$ generates a key $K_{ji}$ by multiplying $L_{r_j}$ with $U_{c_i}$, and applies the hash function to the key $K_{ji}$, i.e., $H(K_{ji})$.

– Step 3: Now $Node_B$ applies the same process as $Node_A$ did in Step 1 to its own column $U'_{c_j}$ and sends this value with the generated hash $H(K_{ji})$ to $Node_A$.

– Step 4: After receiving the data from $Node_B$, $Node_A$ calculates $K_{ij}$ in the same way as $Node_B$ did in Step 2 and applies the hash function $H$ to $K_{ij}$.

– Step 5: After calculating $H(K_{ij})$, $Node_A$ checks whether $H(K_{ij})$ and $H(K_{ji})$ are equal. If they are equal, $Node_A$ sends a Yes message along with $H(K_{ij})$ to $Node_B$; otherwise it sends errmsg to $Node_B$. If the response is yes, $Node_B$ verifies $H(K_{ij})$ against $H(K_{ji})$ to establish a secure channel.

The above scheme is explained using an example in Table 1.

Table 1. Node to Node Pairwise Key establishment

| Sensor $Node_A$ | Messages | Sensor $Node_B$ |
|---|---|---|
| $L_{r_i} = (4, 5, 0, 0)$, $i = 2$ | | $L_{r_j} = (16, 15, 6, 0)$, $j = 3$ |
| $U'_{c_i} = (2, 1, 0, 0)$, $i = 2$ | | $U'_{c_j} = (8, 3, 1, 0)$, $j = 3$ |
| $D_{n,n} = (2, 5, 6, 9)$, $n = 1..4$ | | $D_{n,n} = (2, 5, 6, 9)$, $n = 1..4$ |
| Hash function | | Hash function |
| CS function | | CS function |
| $U'_{r_i} = R(U'_{c_i}) = (0, 0, 1, 2)$ | | |
| $U'_{cs_i} = CS(U'_{r_i}, 2) = (1, 2, 0, 0)$ | $U'_{cs_i}$ → | $U'_{c_i} = R(CS(U'_{cs_i}, 2))$ |
| | | $U_{c_i} = D \times U'_{c_i}$ |
| | | $K_{ji} = L_{r_j} \times U_{c_i}$ |
| | | $K_{ji} = 139$ |
| | | Apply hash on key: $H(K_{ji})$ |
| | | $U'_{cs_j} = CS(R(U'_{c_j}), 2)$ |
| $U'_{c_j} = R(CS(U'_{cs_j}, 2))$ | ← $U'_{cs_j} = (3, 8, 0, 1)$, $H(K_{ji})$ | |
| $U_{c_j} = D \times U'_{c_j}$ | | |
| $K_{ij} = L_{r_i} \times U_{c_j}$ | | |
| $K_{ij} = 139$ | | |
| Apply hash function on key: $H(K_{ij})$ | | |
| Check $H(K_{ij}) = H(K_{ji})$ | | |
| If (yes) | $[yes, H(K_{ij})]$ → | $H(K_{ji}) = H(K_{ij})$ |
| If (no) | $[no, errmsg]$ → | Connection discarded |
| Secure communication established. | | |

Advantages: The main advantages of the first scheme are the use of the circular shift function, the diagonal matrix and the hash function. When a node exchanges its column with other nodes, the adversary may capture the exchanged column. But the column is sent after applying the reverse function and then the circular shift function, thus the adversary cannot predict anything about the original matrix. The diagonal matrix is constructed by taking out the diagonal elements from the upper triangular matrix $U$ such that $U = D \times U'$. Even if the adversary captures this $U'_{c_i}$ column, she cannot predict anything about the upper triangular matrix $U$. A hash function is a one-way function, so it should be hard to find any message $m$ such that $h = H(m)$. It is easy to compute the hash value for any given message, but it is infeasible to find a message from a given hash.

In the first approach, if each node deletes its information, a new node cannot be added to the network, but the scheme provides full resilience to node capture. In the second approach, where nodes do not delete all information regarding key establishment, a new node can be added to the network, but the scheme does not provide resilience to node capture. The main disadvantage of this approach is that the scheme does not provide security against physical capture of nodes. In this approach we provide secure data exchange between nodes.
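The Section 4.1 exchange run on the Figure 1 matrix, as an added example that is not code from the paper: it composes $D$ and $U'$ from $L$, checks the Step 2 selection conditions, and carries out the $Node_A$/$Node_B$ exchange of Table 1. SHA-256 standing in for $H$, all function names, and the receiver undoing the shift with $n - s$ right shifts are assumptions made here.

```python
import hashlib

# Constructed sample: the lower triangular matrix L of the paper's Figure 1(a).
L = [[2, 0, 0, 0],
     [4, 5, 0, 0],
     [16, 15, 6, 0],
     [20, 10, 12, 9]]


def compose(L):
    """Base station: derive D and U' from L, with U = L^T = D U' (no decomposition)."""
    n = len(L)
    diag = [L[k][k] for k in range(n)]
    # Step 2 conditions: every column entry is a multiple of that column's
    # diagonal entry, and the diagonal sum is not divisible by n (shift count != 0).
    for c in range(n):
        if any(L[r][c] % diag[c] for r in range(c, n)):
            raise ValueError(f"column {c + 1} is not a multiple of its diagonal")
    if sum(diag) % n == 0:
        raise ValueError("diagonal sum divisible by n: shift count would be 0")
    # U'[r][c] = U[r][c] / D[r][r] = L[c][r] / L[r][r]
    u_prime = [[L[c][r] // diag[r] for c in range(n)] for r in range(n)]
    return diag, u_prime


def node_material(L, diag, u_prime, idx):
    """Row idx of L, column idx of U' and D: what node idx (1-based) is given."""
    col = [u_prime[r][idx - 1] for r in range(len(L))]
    return {"row": L[idx - 1], "col": col, "diag": diag}


def shift_count(diag):
    """s = (sum of D's diagonal) mod n, the number of circular shifts."""
    return sum(diag) % len(diag)


def cs(t, k):
    """Right circular shift applied k times (the final entry moves to the front)."""
    k %= len(t)
    return t[-k:] + t[:-k] if k else list(t)


def encode_column(node):
    """Sender, Step 1: reverse the U' column, then right-shift it s times.
    R and CS only reorder the tuple; s is derived from D, which every node holds."""
    return cs(node["col"][::-1], shift_count(node["diag"]))


def decode_column(node, wire):
    """Receiver, Step 2: undo the shift, then reverse.
    The paper's receiver applies CS with the same count s, which restores the
    column in its example because 2s = n there. Shifting by n - s is an
    assumption made here so that the round trip holds for every s."""
    return cs(wire, len(wire) - shift_count(node["diag"]))[::-1]


def pairwise_key(node, peer_wire):
    """K = L_row . (D x U'_col of the peer), an entry of the symmetric A = L D U'."""
    col = decode_column(node, peer_wire)
    u_col = [d * u for d, u in zip(node["diag"], col)]
    return sum(l * u for l, u in zip(node["row"], u_col))


def h(key):
    """SHA-256 stands in for the paper's hash function H (assumption)."""
    return hashlib.sha256(str(key).encode()).hexdigest()


def run_exchange(i=2, j=3):
    """Node_A holds index i, Node_B holds index j (1-based, as in Table 1)."""
    diag, u_prime = compose(L)
    a = node_material(L, diag, u_prime, i)
    b = node_material(L, diag, u_prime, j)
    wire_a = encode_column(a)              # A -> B: transformed U'_ci
    k_ji = pairwise_key(b, wire_a)         # computed by B
    wire_b = encode_column(b)              # B -> A: transformed U'_cj with H(K_ji)
    k_ij = pairwise_key(a, wire_b)         # computed by A
    return wire_a, wire_b, k_ij, k_ji, h(k_ij) == h(k_ji)


if __name__ == "__main__":
    print(run_exchange(2, 3))
```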

5 Proposed Second Key Pre-Distribution Scheme

To overcome the drawbacks of our previous scheme, we propose a new key pre-distribution scheme called A Key Pre-Distribution Scheme Based on Polynomial Pool Symmetric Matrix with LDU′ Composition for WSNs. The following procedure is executed by the base station in order to construct the $L$, $D$, $U$ and $U'$ matrices.

– Step 1. Generation of a large pool of polynomials ($-2^{18} \sim 2^{21}$ degree): The base station generates a large pool of polynomials over the finite field $F_q$, where $q$ is a large prime number. A $t$-degree polynomial is of the form $P_i(x) = \sum_{i=0}^{t} a_i x^i$, where $a_i$ is the polynomial's $i$th coefficient. These polynomials are then used to construct a symmetric matrix $A$. Let us take an example of generating a large pool of polynomials of degree $t$ (−20 ∼ 20). From this limit, we took $(P_1(x), P_2(x), P_3(x), P_{10}(x), \ldots, P_{20}(x))$ etc.

– Step 2. Forming a lower triangular matrix using the pool of polynomials: Randomly select polynomials from the above generated pool to construct a lower triangular matrix as shown below. The first condition for selecting polynomials from the large pool is that all polynomials present in a column should be multiples of the diagonal polynomial of that column, and the degree of all the selected polynomials should be large.

\[ L = \begin{pmatrix} P_2(x) & 0 & 0 & 0 \\ P_4(x) & P_5(x) & 0 & 0 \\ P_{16}(x) & P_{15}(x) & P_6(x) & 0 \\ P_{20}(x) & P_{10}(x) & P_{12}(x) & P_9(x) \end{pmatrix} \]

– Step 3. Forming an upper triangular matrix using the lower triangular matrix: The upper triangular matrix is formed by taking the transpose of the above lower triangular matrix $L$, i.e., $U = L^T$, as given below. This operation takes linear time and thus minimizes the computational overhead.

\[ U = \begin{pmatrix} P_2(x) & P_4(x) & P_{16}(x) & P_{20}(x) \\ 0 & P_5(x) & P_{15}(x) & P_{10}(x) \\ 0 & 0 & P_6(x) & P_{12}(x) \\ 0 & 0 & 0 & P_9(x) \end{pmatrix} \]

– Step 4. Forming a diagonal matrix $D$ and a new upper triangular matrix $U'$: We take the diagonal polynomials from the upper triangular matrix $U$ to construct the diagonal matrix as shown below:

\[ D = \begin{pmatrix} P_2(x) & 0 & 0 & 0 \\ 0 & P_5(x) & 0 & 0 \\ 0 & 0 & P_6(x) & 0 \\ 0 & 0 & 0 & P_9(x) \end{pmatrix} \qquad U' = \begin{pmatrix} 1 & P_2(x) & P_8(x) & P_{20}(x) \\ 0 & 1 & P_3(x) & P_2(x) \\ 0 & 0 & 1 & P_2(x) \\ 0 & 0 & 0 & 1 \end{pmatrix} \]

The upper triangular matrix $U$ can be written in the form $U = DU'$, where the new upper triangular matrix $U'$ is used for key establishment.

– Step 5. Finding the common key: Assume that $Node_A$ and $Node_B$ are in the network. In order to find a common key, the base station randomly selects a row $L_{r_i}$ from the lower triangular matrix $L$ and a column $U'_{c_i}$ from the upper triangular matrix $U'$, and sends these two tuples along with the diagonal matrix $D$ to $Node_A$. The row number and column number selected by the base station for $Node_A$ must be equal. The base station performs the same operation for the other nodes in the network. Then $Node_A$ and $Node_B$ calculate key $K_{ij}$ and key $K_{ji}$ respectively, as shown in Table 2. Since $A$ is a symmetric matrix and $A = LDU'$ as per the definition given in section 4, $K_{ij}$ and $K_{ji}$ should be equal.


5.1 Node to Node Pairwise Key establishment:

The proposed scheme provides node to node pairwise key establishment, which is explained in the following steps. These steps are also given in Table 2. Here we have two nodes, $Node_A$ and $Node_B$, which perform the following operations:

1. $Node_A$ sends column $U'_{c_i}$ to $Node_B$.
   $Node_A \rightarrow Node_B$: $U'_{c_i}$
2. $Node_B$ receives $U'_{c_i}$, calculates $U_{c_i}$ by multiplying the diagonal matrix $D$ with $U'_{c_i}$, and computes the key $K_{ji}$.
   $U_{c_i} = D \times U'_{c_i}$
   $K_{ji}(x) = L_{r_j} \times U_{c_i}$
   $Node_B$ randomly generates a large number $\alpha'$ and applies the hash function $H$ to $\alpha'$.
   $\alpha = H(\alpha')$
   $Node_B$ calculates the key $K_{ji}$ by substituting $\alpha$ for $x$ in $K_{ji}(x)$.
   $K_{ji} = K_{ji}(\alpha)$
3. After calculating the key $K_{ji}$, $Node_B$ computes $H(K_{ji})$ and sends it along with $\alpha'$ and $U'_{c_j}$ to $Node_A$.
   $Node_B \rightarrow Node_A$: $U'_{c_j}$, $H(K_{ji})$, $\alpha'$
   $K_{ji}$ should be common between $Node_A$ and $Node_B$.
4. Similarly, $Node_A$ calculates $K_{ij}$, applies the hash function $H$ to $K_{ij}$ and calculates $H(K_{ij})$.
5. Then $Node_A$ performs the following check: $Node_A$ checks whether $H(K_{ij})$ and $H(K_{ji})$ are equal.
   if ($H(K_{ij}) = H(K_{ji})$) send $[Yes, H(K_{ij})]$ to $Node_B$, else send $[No, errmsg]$ to $Node_B$

After establishment of key among the nodes, each node deletes all of its informationwhich is used during the establishment of keys.
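The second scheme's exchange (Section 5.1) carried through with actual polynomial arithmetic over $F_q$, as an added example that is not code from the paper. It builds $L$ so that every column is a multiple of its diagonal polynomial, which makes $U'$ available without any division. The modulus $q = 2^{61} - 1$, cubic pool polynomials, SHA-256 for $H$, 0-based node indices and all function names are assumptions made here.

```python
import hashlib
import random
import secrets

Q = 2**61 - 1  # assumed prime modulus for F_q; the paper does not fix a value


# Polynomials are coefficient lists, lowest degree first; [] is the zero polynomial.
def p_add(a, b):
    n = max(len(a), len(b))
    return [((a[k] if k < len(a) else 0) + (b[k] if k < len(b) else 0)) % Q
            for k in range(n)]


def p_mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for x, ca in enumerate(a):
        for y, cb in enumerate(b):
            out[x + y] = (out[x + y] + ca * cb) % Q
    return out


def p_eval(a, x):
    acc = 0
    for c in reversed(a):  # Horner's rule
        acc = (acc * x + c) % Q
    return acc


def build(n=4, t=3, seed=2015):
    """Base station: diagonal polynomials d[k], unit lower triangular multipliers M,
    and L = M D, so each column of L is a multiple of its diagonal polynomial.
    Then U = L^T = D M^T, i.e. U' = M^T, and column i of U' is row i of M."""
    rng = random.Random(seed)  # seeded so the constructed sample is repeatable;
                               # a deployment would draw the pool from a CSPRNG

    def rand_poly():
        return [rng.randrange(1, Q) for _ in range(t + 1)]

    d = [rand_poly() for _ in range(n)]
    M = [[rand_poly() if c < r else ([1] if c == r else []) for c in range(n)]
         for r in range(n)]
    L = [[p_mul(M[r][c], d[c]) for c in range(n)] for r in range(n)]
    return L, M, d


def key_poly(row, diag, peer_col):
    """K(x) = L_row x (D x U'_col): a dot product of polynomials over F_q."""
    k = []
    for l, dk, u in zip(row, diag, peer_col):
        k = p_add(k, p_mul(l, p_mul(dk, u)))
    return k


def H(value):
    """SHA-256 stands in for the paper's hash function H (assumption)."""
    return hashlib.sha256(str(value).encode()).digest()


def alpha_from(alpha_prime):
    """alpha = H(alpha'), reduced into F_q so it can be substituted for x."""
    return int.from_bytes(H(alpha_prime), "big") % Q


def exchange(L, M, d, i, j, alpha_prime=None):
    """Node_A holds (L[i], M[i], d); Node_B holds (L[j], M[j], d)."""
    col_i = M[i]                                      # A -> B: U'_ci
    if alpha_prime is None:
        alpha_prime = secrets.randbits(128)           # B's random alpha'
    k_ji = p_eval(key_poly(L[j], d, col_i), alpha_from(alpha_prime))
    tag_b = H(k_ji)                                   # H(K_ji)
    col_j = M[j]                                      # B -> A: U'_cj, alpha', H(K_ji)
    k_ij = p_eval(key_poly(L[i], d, col_j), alpha_from(alpha_prime))
    return k_ij, k_ji, H(k_ij) == tag_b               # A's check in step 5


if __name__ == "__main__":
    L, M, d = build()
    print(exchange(L, M, d, 2, 1))
```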

6 Proposed Key Distribution Scheme for Addition of a New Node

After the completion of key establishment over the network, each node deletes its information related to the key establishment. The addition of a new node to the network therefore creates a problem, because at that moment every node has already deleted the information related to the key establishment. To solve this problem we propose a scheme for addition of new nodes.

6.1 Lower Triangular Matrix Based

We propose a new approach based on a lower triangular matrix for adding new nodes to the network. We take a lower triangular matrix $L$ of polynomials, which are randomly selected from a large polynomial pool. These polynomials are different from the polynomials used in the previous scheme in the sense that the degree of each polynomial selected from the pool should be different, i.e., for any two polynomials $p_i(x)$ and $p_j(x)$, their corresponding degrees $t_i$ and $t_j$ should not be equal. Let $L$ be a lower triangular matrix of polynomials.

\[ L = \begin{pmatrix} P_7(x),\, t_7 & 0 & 0 & 0 \\ P_6(x),\, t_6 & P_5(x),\, t_5 & 0 & 0 \\ P_1(x),\, t_1 & P_2(x),\, t_2 & P_3(x),\, t_3 & 0 \\ P_8(x),\, t_8 & P_{10}(x),\, t_{10} & P_4(x),\, t_4 & P_9(x),\, t_9 \end{pmatrix} \]

Table 2. Node to Node mutual Authentication

| Sensor $Node_A$ | Messages | Sensor $Node_B$ |
|---|---|---|
| $L_{r_i} = (P_{16}(x), P_{15}(x), P_6(x), 0)$, $i = 3$ | | $L_{r_j} = (P_4(x), P_5(x), 0, 0)$, $j = 2$ |
| $U'_{c_i} = (P_8(x), P_3(x), 1, 0)$, $i = 3$ | | $U'_{c_j} = (P_2(x), 1, 0, 0)$, $j = 2$ |
| $D_{n,n} = (P_2(x), P_5(x), P_6(x), P_9(x))$, $n = 1..4$ | | $D_{n,n} = (P_2(x), P_5(x), P_6(x), P_9(x))$, $n = 1..4$ |
| Hash function | | Hash function |
| $U'_{c_i} = (P_8(x), P_3(x), 1, 0)$ | $U'_{c_i}$ → | $U_{c_i} = D \times U'_{c_i}$ |
| | | $K_{ji} = L_{r_j} \times U_{c_i}$ |
| | | $K_{ji}(x) = P_4(x) \cdot P_{16}(x) + P_{15}(x) \cdot P_5(x)$ |
| | | Generate a number $\alpha'$ |
| | | Apply hash function on $\alpha'$, i.e., $\alpha = H(\alpha')$ |
| | | $K_{ji} = K_{ji}(\alpha)$ |
| | | Apply hash on $K_{ji}$, i.e., $H(K_{ji})$ |
| $U_{c_j} = D \times U'_{c_j}$ | ← $U'_{c_j}$, $\alpha'$, $H(K_{ji})$ | |
| $K_{ij} = L_{r_i} \times U_{c_j}$ | | |
| $K_{ij}(x) = P_4(x) \cdot P_{16}(x) + P_{15}(x) \cdot P_5(x)$ | | |
| $K_{ij} = K_{ij}(H(\alpha'))$ | | |
| Apply hash function on key: $H(K_{ij})$ | | |
| Check $H(K_{ij}) = H(K_{ji})$ | | |
| If (yes) | $yes, H(K_{ij})$ → | $H(K_{ji}) = H(K_{ij})$ |
| If (no) | $no, errmsg$ → | Connection discarded |
| Secure communication established. Nodes delete all information after the keys are established. | | |

Before the deployment of the network, we randomly select a polynomial and its corresponding degree from the above lower triangular matrix $L$ and give it to a particular node in the network. After distributing different polynomials to different nodes, we apply an efficient sorting algorithm to sort the polynomial elements of the lower triangular matrix in order of their degree. Then we construct a new sorted lower triangular matrix $L_{sort}$ using the sorted polynomials. As per matrix $L_{sort}$, $(P_i(x), t_i) < (P_j(x), t_j)$ if $i < j$, for all $i, j$.

\[ L_{sort} = \begin{pmatrix} P_1(x),\, t_1 & 0 & 0 & 0 \\ P_2(x),\, t_2 & P_3(x),\, t_3 & 0 & 0 \\ P_4(x),\, t_4 & P_5(x),\, t_5 & P_6(x),\, t_6 & 0 \\ P_7(x),\, t_7 & P_8(x),\, t_8 & P_9(x),\, t_9 & P_{10}(x),\, t_{10} \end{pmatrix} \]

Now each node $V_j$ evaluates its polynomial on its own id $ID_{V_j}$. After that, each node erases the polynomial and keeps the evaluated value $P_i(ID_V)$ and the polynomial's degree $t_i$.

When a new node $U$ is being added to the network, the sorted lower triangular matrix $L_{sort}$ is given to the new node $U$. For key establishment with node $U$, every neighbor node $V_j$ sends a randomly generated value $\alpha$, $ID_{V_j}$, $t_j$ and the encrypted value of $\alpha$, i.e., $ENC_{P_i(ID_{V_j})}(\alpha)$, to node $U$. After receiving the key-related information from its neighbor, the new node $U$ searches for the polynomial of degree $t_j$ using diagonal search on the sorted lower triangular matrix $L_{sort}$. Node $U$ then evaluates this polynomial on the ID of node $V_j$ and computes $\alpha$ by decrypting the received message with $P_i(ID_{V_j})$. Then node $U$ compares the computed $\alpha$ with the $\alpha$ received from its neighbor $V_j$. If they match, then $P_i(ID_{V_j})$ is the common key between $U$ and $V_j$. For the sake of simplicity, we use the notation $KS_{V_j}$ for $P_i(ID_{V_j})$. Node $U$ first finds the polynomial in the matrix $L_{sort}$ and substitutes $ID_{V_j}$ into that polynomial. By using this newly established common key $KS_{V_j}$, the node $U$ and neighbor node $V_j$ share a new key $K_{U,V_j}$. After establishing the new key $K_{U,V_j}$, both nodes delete the previously established common key $KS_{V_j}$. Now both $U$ and $V_j$ have the same key $K_{U,V_j}$ for further communication. This process is repeated for each node. The new node $U$ also randomly chooses a polynomial from the lower triangular matrix $L_{sort}$ and evaluates it on its own id, i.e., $ID_U$. After that, node $U$ deletes all information regarding key establishment. The complete algorithm for the addition of a new node to the network is given in Figure 2.

```
Give sorted lower triangular matrix L_sort to node U
for each node in the network do
    Randomly select a polynomial P_k(X) from the sorted lower triangular matrix,
    evaluate it on ID_Vj, i.e. P_k(ID_Vj), and give it to each node
end for
/* V_1, V_2, ..., V_m are neighbors of node U */
for j = 1 to m do
    Send α, ENC_{KS_Vj}(α), ID_Vj, t_j to new node U
    for i = 1 to |k| do
        New node U searches for the polynomial of degree t_j in the sorted lower
        triangular matrix L_sort using diagonal search. If found, evaluate the
        polynomial on ID_Vj: K'_{U,Vj} = P_i(ID_Vj), which equals KS_Vj
        Decrypt ENC_{KS_Vj}(α) with K'_{U,Vj}, which gives α'
        if α' = α then
            U randomly generates a key K_{U,Vj}, encrypts it with K'_{U,Vj}
            and sends it as ENC_{K'_{U,Vj}}(K_{U,Vj})
            Node V_j decrypts it with KS_Vj and gets the key K_{U,Vj}
            Erase K = P_i(ID_Vj)
            break
        end if
        Erase K = P_i(ID_Vj)
    end for
end for
Erase all the polynomials
```

Fig. 2. Algorithm for addition of new node U.

Advantages: The main advantage of this scheme is that the establishment of a key between the new node $U$ and all its neighbors takes very little time and little computational overhead. If the adversary captures some node in the network, she will not get any information regarding the polynomials, as the polynomials are different for each node in the network and the new node also deletes all its information after establishing keys with all its neighboring nodes.
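The node-addition exchange described above, as an added Python example that is not code from the paper. The field modulus `P`, the SHA-256 XOR pad standing in for ENC, the plain scan used in place of the paper's diagonal search, the sample polynomials, and the names `Neighbor` and `join` are all assumptions.

```python
import hashlib, secrets

P = 2**31 - 1  # assumed prime modulus of the finite field (not given on the page)

def poly_eval(coeffs, x):
    """Horner evaluation mod P; coeffs run from highest degree to constant."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % P
    return acc

def enc(key, data):
    """Stand-in for ENC_K: XOR with a SHA-256 pad of the key (illustration only)."""
    pad = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

dec = enc  # the XOR pad is its own inverse

class Neighbor:
    """Deployed node V_j: stores only KS = P_i(ID_Vj) and the degree t_j."""
    def __init__(self, node_id, coeffs):
        self.node_id, self.t = node_id, len(coeffs) - 1
        self.ks = poly_eval(coeffs, node_id)  # the polynomial itself is not kept
        self.pairwise = None
    def challenge(self):
        alpha = secrets.token_bytes(16)
        return alpha, enc(self.ks, alpha), self.node_id, self.t
    def receive_key(self, blob):
        self.pairwise = dec(self.ks, blob)  # recovers K_{U,Vj}
        self.ks = None                      # KS is deleted once K_{U,Vj} is set

def join(l_sort, neighbor):
    """New node U: returns the fresh pairwise key, or None if alpha never matches."""
    alpha, enc_alpha, node_id, t = neighbor.challenge()
    for row in l_sort:              # plain scan; stands in for the diagonal search
        for coeffs in row:
            if len(coeffs) - 1 != t:
                continue
            k_prime = poly_eval(coeffs, node_id)        # K' = P_i(ID_Vj)
            if dec(k_prime, enc_alpha) == alpha:        # alpha' == alpha
                k_uv = secrets.token_bytes(16)
                neighbor.receive_key(enc(k_prime, k_uv))
                return k_uv
    return None

# Constructed sample pool: non-zero part of a 3x3 L_sort, degrees 1..6
L_SORT = [[[3, 7]],
          [[5, 1, 9], [2, 0, 4, 8]],
          [[6, 3, 3, 1, 2], [1, 1, 1, 1, 1, 1], [9, 8, 7, 6, 5, 4, 3]]]
```

A neighbor whose stored value was not derived from a polynomial in `L_SORT` fails the $\alpha$ check, so `join` returns `None` and no pairwise key is set.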


7 Performance Analysis and Comparison

In this section, we evaluate the performance of our schemes and compare them with the Eschenauer and Gligor scheme [8]. Our focus is on the analysis of network connectivity, the analysis of resilience against node capture, and the analysis of memory usage by each node in the network.

7.1 Analysis of Network Connectivity

In this subsection, we evaluate the network connectivity and compare it with the Eschenauer and Gligor scheme [8]. In our proposed scheme, network connectivity is the probability ($P$) of sharing at least one key between any two sensor nodes. We denote by [Event] the event in which a pair of nodes does not have any key in common, and $\Pr[\text{Event}]$ is the probability of such an event. The network connectivity $P$ is:

$$P = 1 - \Pr[\text{Event}]$$

$$P = 1 - \frac{(1 - K/S)^{2S-2K+1}}{(1 - 2K/S)^{S-2K+1/2}}$$

where $S$ is the total number of nodes in the network and $K$ is the number of keys in each node.

In the first and second schemes, we have shown that any two sensor nodes can always find a shared key between themselves using $LDU'$ composition. In other words, the probability of not sharing a common key between any two network sensor nodes is zero. Figure 3(a) compares the network connectivity $P$ of our proposed scheme with the Eschenauer and Gligor scheme [8]. In the performance analysis, we assume that the size of the key pool for each node is 1000, 2000, 5000 and 10000. The result shows that the proposed scheme has hundred percent connectivity without concern for the number of keys per node. In addition, keys in our scheme occupy less memory space in sensor nodes.

Fig. 3. (a) Analysis of network connectivity and (b) network resilience comparison between the E-G scheme and our scheme


7.2 Analysis of Resilience Against Node Capture

In wireless sensor networks, an adversary can easily calculate the information of compromised nodes, intentionally provide misleading information to the entire network, and break the whole network security. In this subsection we show that the proposed scheme improves WSN resilience by calculating the fraction of compromised nodes among non-compromised nodes. In addition, we compare our scheme with the Eschenauer and Gligor scheme [8] based on performance. In the Eschenauer and Gligor scheme [8], the probability of compromising the shared keys between any two non-compromised nodes is the following:

$$P_{compromised} = 1 - (1 - k/S)^m$$

where $S$ is the total number of nodes in the network and $k$ is the number of keys in each node. In the proposed scheme, rows from the lower triangular matrix $L$, columns from the upper triangular matrix $U'$, the diagonal matrix $D$, the hash function $H$ and the circular shift function (CS) are deleted after the establishment of the keys. Polynomials which are pre-distributed to each node are randomly selected from the lower triangular matrix $L$, and the degree is left in each node for the purpose of adding new nodes to the network. If $m$ nodes are compromised, the probability of compromising the shared keys between any two non-compromised nodes is equal to the probability of compromising the shared polynomials between any two non-compromised nodes. But in our scheme, the adversary will not get any information from compromised nodes about non-compromised nodes, so we can say that $m$ is equal to zero. Thus in our scheme, the probability of compromising the shared keys between any two non-compromised nodes is:

$$P_{compromised} = 1 - (1 - k/S)^0$$

$$P_{compromised} = 1 - 1 = 0$$

If an adversary captures one node and gets the degree of the polynomial and the key generated by the polynomial, there is no effect on other nodes in the network. Thus, our scheme provides 100% resilience against node capture. Figure 3(b) shows the comparison between the Eschenauer and Gligor scheme [8] and the proposed scheme.

7.3 Memory Usage Analysis

In the proposed scheme, any two sensor nodes establish the shared key by using polynomials with the $LDU'$ composition based key pre-distribution scheme. The major part of memory is used in storing the polynomial information. We propose an efficient method to store the row and column information of the $L$, $D$, and $U'$ matrices. Our scheme stores each element in the non-zero-element part and one value specifying the maximum number of zeros in the zero-element part of the L and U matrices. This technique is especially suitable for large wireless sensor networks. The notations used in estimating the storage efficiency are given below:

– $M_b$: The number of bits to store each polynomial information in the $L$, $D$, and $U'$ matrices.
– $S$: The maximum number of sensor nodes deployed in the network.
– $Z_{n_i}$: The total number of nonzero elements in a row of $L$ and in a column of $U'$ and diagonal $D$ stored in the sensor node with node $ID_i$.
– $Z_o$: The number of bits needed to represent the number of zero elements in the zero-element part of a row of $L$ or a column of $U'$.
– $U_{total}$: The total memory required using the above method.
– $U_{saving}$: Memory saved using the above method.
– $U_{without}$: The total memory required without using our method.
– $\lambda_i$: The sum of total bits needed to store the polynomial information in each node in the network.

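Now the memory usage to store polynomial information in a sensor node is:

$$\lambda_i = Z_{n_i} \times M_b + 2 \times Z_o + M_b + S \times M_b$$

Memory usage for $S$ nodes in the network:

$$
\begin{aligned}
U_{total} &= \sum_{i=1}^{S} \lambda_i \\
U_{total} &= M_b \sum_{i=1}^{S} Z_{n_i} + S \times (2 \times Z_o) + S \times M_b + S^2 \times M_b \\
U_{total} &= M_b \times 2(1 + 2 + 3 + 4 + \dots + S) + S \times (2 \times Z_o) + S \times M_b + S^2 \times M_b \\
U_{total} &= M_b \times 2 \cdot S(S+1)/2 + S \times (2 \times Z_o) + S \times M_b + S^2 \times M_b \\
U_{total} &= M_b \times S(S+1) + S \times (2 \times Z_o) + S \times M_b + S^2 \times M_b \\
U_{total} &= M_b \times S(S+1) + S \times (2 \times \lceil \log_2(S-1) \rceil) + S \times M_b + S^2 \times M_b
\end{aligned}
$$

where $Z_o = \lceil \log_2(S-1) \rceil$.

In our proposed scheme, the memory saving is done by encoding the zeros in the zero-element parts of the $L$, $D$, and $U'$ matrices. Hence, the memory saved can be computed as follows. Memory usage without our scheme:

$$U_{without} = 2S^2 \times M_b + S \times M_b + S^2 \times M_b$$

Now we can calculate the memory saving by $U_{saving} = U_{without} - U_{total}$:

$$
\begin{aligned}
U_{saving} &= 2S^2 \times M_b + S \times M_b + S^2 \times M_b - \left(M_b \times S(S+1) + S \times (2 \times \lceil \log_2(S-1) \rceil) + S \times M_b + S^2 \times M_b\right) \\
U_{saving} &= 2S^2 \times M_b - M_b\,(S(S+1)) - 2 S Z_o \\
U_{saving} &= S M_b\,(2S - (S+1)) - 2 S Z_o \\
U_{saving} &= S M_b\,(S-1) - 2 S Z_o
\end{aligned}
$$

We know that $Z_o = \lceil \log_2(S-1) \rceil$, so:

$$U_{saving} = S M_b\,(S-1) - 2S \lceil \log_2(S-1) \rceil$$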

In the Eschenauer and Gligor [8] scheme, to maintain a certain network connectivity, which is the probability that two neighboring sensor nodes can establish a direct shared key, the number of keys cannot be too small. However, a large number of keys means the adversary can obtain more secrets each time she compromises one more node. This contradiction in memory requirements makes it difficult to optimize both security and network connectivity given a fixed memory resource. A merit of our scheme is that the memory usage is unrelated to network connectivity, and any two sensor nodes always find a shared key between them by using our scheme.


8 Conclusion

The first key distribution scheme proposed in this paper has very good resilience for data exchanged between the nodes and also takes very little time to establish a key between the nodes. This scheme has very little computational overhead to calculate the key in the network. In our first approach, if every node deletes all its information, then a new node cannot be added to the network, but the scheme still provides full resilience to node capture. Conversely, if nodes do not delete their information regarding establishment of keys, then we can add a new node to the network, but without providing resilience to node capture. So in this approach we consider that each node deletes all its information regarding key establishment, and we proposed a new scheme to add a new node to the network. In our second approach, we have proposed a new key pre-distribution scheme based on a polynomial pool of a symmetric matrix with $LDU'$ composition. This scheme guarantees that any pair of nodes can find a common key between themselves, and it also allows more security enhancement on node-to-node pairwise key establishment. In this paper we showed that both approaches give many advantages over probabilistic key distribution schemes and deterministic key distribution schemes, and our approach requires less memory space for keying material and provides full network connectivity, even after any number of nodes in the network are compromised. Our proposed scheme requires very little time to establish a common key between any two nodes, while other existing schemes require $O(k)$ [1] and $O(k^2)$ [3]. Our proposed scheme makes a significant improvement in the performance and energy efficiency of the sensor nodes. There is some scope to improve upon our algorithm. Developing a scheme that provides better path key establishment while retaining the good features of our algorithm would be future work.

References

1. S. J. Choi and H. Y. Youn, Mkps: A multi-level key pre-distribution scheme for secure wireless sensor networks, in HCI (2), 2007, pp. 808-817.
2. P. Naik, K. Ravichandran, and K. M. Sivalingam, Cryptographic key exchange based on locationing information, Pervasive Mob. Comput., vol. 3, no. 1, pp. 15-35, 2007.
3. C.-W. Park, S. J. Choi, and H. Y. Youn, A noble key pre-distribution scheme with lu matrix for secure wireless sensor networks, in CIS (2), 2005, pp. 494-499.
4. S. Zhu, S. Xu, S. Setia, and S. Jajodia, Establishing pairwise keys for secure communication in ad hoc networks: A probabilistic approach, in ICNP, 2003, pp. 326-335.
5. I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, Wireless sensor networks: a survey, Arch. Rat. Mech. Anal. 78, 393-422, 1982.
6. F. Stajano, Security for Ubiquitous Computing. John Wiley and Sons, February 2002.
7. R. L. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, Feb. 1978, 21(2), pages 120-126.
8. L. Eschenauer and V. D. Gligor, A key-management scheme for distributed sensor networks, in ACM Conference on Computer and Communications Security, 2002, pp. 41-47.
9. R. Blom, An optimal class of symmetric key generation systems, in Eurocrypt, 1976.
10. A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, Spins: security protocols for sensor networks, in MobiCom 01: Proceedings of the 7th annual international conference on Mobile computing and networking. New York, NY, USA: ACM, 2001, pp. 189-199.