An Enhanced Polynomial-based Key Establishment Scheme for Wireless Sensor

Networks
Hu Tong-sen, Chen Deng, Tian Xian-zhong
College of Information Engineering,
Zhejiang University of technology, Hangzhou 310032, China
hts@zjut.edu.cn, dengchn@126.com, txz@zjut.edu.cn

Abstract
Key establishment is a fundamental security issue in
wireless sensor networks (WSN). It is the basis to
establish the secure communication using cryptographic
technologies between sensor nodes. Due to the current
resource constraints on sensors, it is infeasible to use
traditional key management techniques such as public key
cryptography or key distribution center based protocols.
So the key predistribution schemes are paid most attention
in key management of WSN. To establish pairwise keys
securely and meanwhile prevent a number of
compromised colluding nodes from breaking the pairwise
key shared by any two innocent nodes, we propose an
enhanced polynomial-based key establishment scheme
(EPKES) for WSN. In EPKMS, we introduce an auxiliary
set to improve the security level compared to previous
schemes. The results of performance evaluations show
that our proposed scheme has a good key connectivity,
scalability, direct key establishment, resilience to nodes
capture and storage consumption.
1. Introduction
Wireless sensor networks consist of a number of tiny
sensor nodes, which are powered by batteries, equipped
with sensing, data processing and short-range radio
communications components
[1, 2]
. Recent advancements
in micro electromechanical systems and wireless
communications technologies have led to the development
and application of WSN. WSN are expected to play key
roles in many applications, such as managing energy
plants, battlefields and medical monitoring
[3]
. WSN are
usually connected to the outside world through a
computationally powerful center called the sink that is
also responsible for data collection and data fusion.
When sensor networks are deployed in a hostile
environment, security is of great importance, as there are
varieties of malicious attacks. For example, an adversary
can easily listen to the network traffic, impersonate sensor
nodes, or intentionally provide misleading information to
the sensors. Thus, node-to-node communication should be
encrypted and authenticated to provide security. The core
problem is how to establish secret keys between
communicating nodes? Generally, the current solutions
for this problem can be summarized as:1)the arbitrated
keying protocols, 2) self-enforcing protocols and 3)
pre-distribution keying protocols. The first solution relies
on some trusted center, which is vulnerable to single point
failure. The second one uses the asymmetric encryption
cryptography, which is limited by the current computation
abilities and energy resources of WSN. So we mainly
consider applying the third one, in which keys or key
materials are loaded into nodes before deployment.
The main contributions of this paper are summarized as
follows: 1) we introduce an auxiliary set for the nodes ID
set to generate piarwise keys and make it more difficult to
break the symmetric polynomials. 2) Any two sensors can
definitely establish a pairwise key when needed, even
with some nodes compromised. 3) We provide an
evaluation of the proposed scheme.
The paper is organized as follows. In Section 2, some
security requirements and evaluation metrics are
introduced. In Section 3, some predistribution key
management schemes are examined and discussed. We
present our scheme in Section 4. In Section 5, we give the
evaluation of our scheme. And we conclude in Section 6.
2. Security requirements and evaluation
metrics
Due to the constraints of WSN nodes, such as limited
power, low transmission range, limited storage and
working memory, pairwise key establishment (PKE) in
WSN is challenging. A PKE scheme must meet the
following requirements:
1) Key connectivity: the probability that two nodes in
communication range share at least one key. A good PKE
scheme should guarantee that any two nodes can establish
a pairwise key whenever needed.
2008 International Workshop on Education Technology and Training & 2008 International Workshop on Geoscience and Remote Sensing
978-0-7695-3563-0/08 $25.00 2008 IEEE
DOI 10.1109/ETTandGRS.2008.373
809
2008 International Workshop on Education Technology and Training & 2008 International Workshop on Geoscience and Remote Sensing
978-0-7695-3563-0/08 $25.00 2008 IEEE
DOI 10.1109/ETTandGRS.2008.373
809
2) Direct key establishment: a PKE scheme should
allow two nodes that can communicate with each other to
establish a pairwise key without exposing secrets to or
obtaining secrets from any third parties (e.g., a central
on-line server). The involvement of third parties is highly
undesirable because third parties may have been
compromised.
3) Resilience to sensor nodes capture: whenever a WSN
node is captured, the information it carries may be
retrieved by the adversary. The fraction of total keys
information exposed to adversary can be considered as the
resilience.
4) Scalability: it is the possibility that new nodes might
be added later. A good PKE scheme should have a good
scalability.
5) Storage consumption: it is measured by the amount
of keying information stored in each node. A good PKE
scheme should have a less storage consumption.
3. Related work
Key establishment is a fundamental security issue in
WSN. It is the basis to establish the secure communication
using cryptographic technologies between sensor nodes.
As mentioned in Section 1, due to the current resource
constraints on sensors, it is infeasible to use traditional
key management techniques, such as public key
cryptography or key distribution center based protocols.
Consequently, the key predistribution schemes are paid
most attention in key management of WSN. Current key
predistribution schemes can be classified into three types:
1) random key predistribution schemes
[4, 5]
, 2)
polynomial-based key predistribution schemes
[6, 7, 8]
, 3)
Matrix-based key predistribution schemes
[9, 10]
and 4)
deterministic key predistribution schemes
[11]
.
Now, we mainly introduce the basic polynomial-based
key predistributin scheme
[8]
proposed by Blundo et al.,
which is the basis of our EPKES. To predistribute
pairwise keys, the offline authority first randomly
generates a bivariate, t-degree, symmetric polynomial
over a finite field Fq, where q is
a large prime number, and . Before
deploying each sensor node into the network, the authority
assigns a unique ID (e.g., u) to each node. Then, the
authority computes and preloads a univariate polynomial
share of for the node. In particular, for the node
with ID u, the preloaded share ,
where . For any two nodes u and v,
node u can compute the key shared with node v, i.e., f(u,
v), by evaluating f(u, y) at y = v. Node v can compute f(v, u)
in the similar way. Since f(x, y) is symmetric, f(u, v) = f(v,
u). Then, node u and v can agree on the same key for
communication. So to establish a pairewise key both
nodes need to evaluate the polynomial with the ID of the
other node.
j
t
j i
i
ij
y x a y x f

0 ,
) , (
) , ( ) , ( x y f y x f
) , ( y x f
j
t
j
j u
y b y u f

0
,
) , (

t
i
i
j i j u
u a B
0
, ,
It is proved in paper [8] that Blundos scheme is
unconditionally secure and t-collusion resistant; that is to
say, a coalition of no more than t compromised nodes
cannot know anything about the key shared by any two
non-compromised nodes. However, if (t + 1) or more
nodes are compromised, the adversary can find out the
pairwise key shared by any two non-compromised nodes.
Suppose nodes u
0
, u
1
, , u
t
are compromised. The
adversary can construct (t + 1) systems of linear equations,
and each system includes (t + 1) linear equations. By
solving these linear equations, the adversary can find out
all the coefficients of symmetric polynomial f(x, y).
Though, the security level of Blundos scheme can be
improved by increasing t, it is not scalable since the
computational complexity and the storage overhead
increase rapidly as t increases. To improve the security
level, Liu and Ning
[6]
proposed a scheme that combine
Blundos scheme with the key pool idea
[4, 5]
.

4. An enhanced polynomial-based key
establishment scheme
To securely establish pairwise keys and meanwhile
prevent a number of compromised colluding nodes from
breaking the pairwise key shared by any two innocent
nodes, we propose an enhanced polynomial-based key
establishment scheme (EPKES). This scheme relies on
polynomials to generate pairwise keys, and the
polynomials are defined over a finite field denoted as Fq.
The details of EPKES are as follows.
4.1. System model and assumptions
We consider WSN are composed of a large number of
resources constraint sensor nodes, such as the Berkeley
MICA motes
[12]
. These nodes have limited power supply,
storage space, and computational capability. The sensor
network is administrated by an offline authority, which is
responsible for node initialization and deployment. Before
deploying a node, the authority assigns the node a unique
identity (ID) from a set of legitimate IDs. The following
are some assumptions:
1) Each node has a unique ID.
2) All nodes have been authenticated when deployed.
3) The system is fully distributed.
4) All nodes have the same WSN module, such as
Berkeley MICA.
5) All sensor nodes keep unmoving after deployment.
810 810
4.2. Notations
The following is a list of notations used in presenting
the EPKES:
z N: the size of the network, i.e., the total number of
sensor nodes.
z S: a set of legitimate IDs for sensor nodes. In this
paper, we let S {1, , N}.
z T: a auxiliary set for S. T {N+1, , 2N}.
z A(i): a sub-set of T for node i, A(i) ={i
k
|i
k
T,
k=1, , n}, n is the size of A(i).
z f(x, y): a symmetric polynomial, in which the degree
of x and y are both t.
z P(i): the polynomial share set stored in node i, and
P(i)={f(s, y)|sA(i)}.
z K: the final session key between two communicating
nodes.
z Ks: share key segment computed by the polynomial,
for sT, Ks=f(s, y).
z Ki, j: pairwise key between node i and j.
z q: a large prime number in finite field Fq.
4.3. Description of EPKES
EPKES contains two phases: 1) system initialization
and polynomial predistribution phase, and 2) pairwise key
establishment phase.The scheme is described as follows:
4.3.1 System initialization and polynomial predistribu-
tion. In the initialization stage of the EPKES, the
authority:
1) Constructs a set ( S ) of legitimate node IDs and an
auxiliary set ( T ) for S.
2) Randomly generates a bivariate t-degree polynomial
f(x, y) over a field Fq, where , and
for any x and y, f(x, y) = f(y, x).
j
t
j i
i
ij
y x a y x f

0 ,
) , (
3) Pick a unique ID from S and A(i) from T for each
node.
4) Before a node (with ID iS) is deployed, the
authority preload P(i) which is a n univariate polynomial
shares of the equation to the node.
4.3.2. Pairwise key establishment. Figure 1 is a small
part of WSN topology. We now demonstrate how any two
nodes (say b and c) can establish a pairwise key. When
node b wants to communicate securely with node c, the
key establishment process bases on the shares of n
polynomials. We describe this process in the following
steps:
Step 1: b sends a message contained A(b) to node c.
Step 2: after c received the message from b, c sends a
reply message contained A(c) to node b; then c computes
f(c
1
, b
1
), f(c
2
, b
2
), , f(c
n
, b
n
).
Step 3: when b received the reply message from c, node b
computes f(b
1
, c
1
), f(b
2,
c
2
), , f(b
n
, c
n
).
Step 4: then node b computes the final session key with c,
for b, K=K
b, c
=f(b
1
, c
1
)f(b
2
, c
2
) f(b
n
, c
n
); node c
computes K
c, b
= f(c
1
, b
1
)f(c
2
, b
2
) f(c
n
, b
n
). Then
we can easily find that the session key K=K
b, c
= K
c, b
.(is
Exclusive OR.)
Step 5: for node b, destroy f(b
1
, c
1
), f(b
2,
c
2
), , f(b
n
, c
n
)
and store K
b, c
; for node c, destroy f(c
1
, b
1
), f(c
2
, b
2
), ,
f(c
n
, b
n
) and store K
c, b
.

Figure 1. A part of WSN topology
5. Performance evaluation
In this section, we evaluate the proposed EPKES by the
metircs given in section 2.
5.1. Key connectivity
From the description of EPKES, we can easily see that
our scheme can guarantee any two neighbor nodes
establish a pairwise key when needed. Compared to the
random schemes, such as E-G scheme
[4]
, which is
probabilistic based and cant guarantee any two neighbor
nodes establish a session key, EPKES has a full key
connectivity.
5.2. Direct key establishment
EPKES can not only guarantee any two neighbor nodes
estabish a pairwise key, but aslo guarantee multi-hop
nodes estabsih a session key directly when needed.
Because each node only send set A(i) to other nodes
instead of session key, it doesnt expose secrets to any
third parties.
5.3. Resilience to sensor nodes capture
Because the adversary cannot obtain the original shares
of polynomial f(x, y), it has prohibitively high complexity
to break f(x, y) even if it has compromised a large number
of sensor nodes in EPKES. As we know, increasing the
size of WSN increases the probability of compromising
more than t nodes, but instead of using a single share
t-degree polynomial, n-share of polynomials is used in our
scheme to enhance the security. To break our scheme, the
811 811
adversary should first break K=K
1
K
2
K
n
, then
break the t-degree polynomial, but K
1
, K
2
, , K
n
are
destroyed after K is generated and the cost to get K
1
,
K
2
, , K
n
is O (m
n
) (assume K is m bits). For this reason,
compared to the existing key predistribution schemes
[4, 5,
6]
, EPKES is substantially more resilient against nodes
capture.
5.4. Scalability
New nodes can be easily added in EPKES, since each
node is preloaded with a bivariate t-degree polynomial
and an auxiliary set, rather than the real key itself before
WSN deployment. So it is very easily for new nodes to
establish session keys with the existing nodes when
needed. The detailed key establishment process is the
same as the section 4.3.2.
5.5. Storage consumption
Our scheme finally destroys the segment share key K
1
,
K
2
, , K
n
, and it only stores the session key with
communicating nodes, so the storage consumption is the
same as Blundos scheme
[8]
. Compared to the random
schemes
[4, 5]
, EPKES need less storage. Figure 2 shows
the storage consmption per node of EPKES and E-G
scheme
[4]
. Because nodes only establish keys when
needed in EPKES, but nodes preload a key ring in E-G
scheme, we can see that EPKESs storage consumption is
generally less than E-G scheme.
0
!00
?00
300
+00
00
b00
00
!000 ?000 3000 +000 000 b000
WSN size:N
N
u
m
b
e
r

o
f

k
e
y
s
llllS l0 :hm
Figure 2. Storage consumption comparison
6. Conclusion
We have presented a new pairwise key establishment
scheme named EPKES for WSN. Our scheme improves
the security level of WSN. Moreover, our scheme is
scalable and flexible. New nodes can be very easily added,
and session keys can be directly established with the
existing nodes when needed. The results of performance
evaluations also show that the proposed EPKES has a
good key connectivity, resilience to nodes capture and
storage consumption.
Acknowledgement
This paper was supported by Zhejiang Natural Science
Foundation No. Y107553.
References
[1] Chong C.Y., Kumar S.P., Sensor Networks Evolution,
Opportunities and Challenges, Proceedings of the IEEE,
2003, Vol. 91, No. 8, pp. 1247-1256.
[2] Akyildiz IF, SuWL, Sankarasubramaniam Y, Cayirci E, A
survey on sensor networks, IEEE Communications
Magazine, 2002, Vol. 40, No. 8, pp. 102-114.
[3] T. Arampatzis, J. Lygeros, S. Manesis, A survey of
applications of wireless sensors and wireless sensor
networks, Proc. IEEE Int. Symp. Intelligent Control, vol. 1,
Limassol, Cyprus: IEEE, June 2005, pp. 719-724.
[4] L.Eschenauer, V.D. Gligor. A key management scheme
for distributed sensor networks", Proc. of the 9th ACM
Conference on Computer and Communication Security,
Washington, DC, USA, 2002.
[5] H.Chan, A.Perrig, D.Song, Random Key Predistribution
Schemes for Sensor Networks", Proc. of the 2003 IEEE
Symposium on Security and Privacy, 2003, pp. 197-213.
[6] Liu D, Ning P, Establishing pairwise keys in distributed
sensor networks, Proceedings of 10th ACM Conference on
Computer and Communications Security, Washington DC:
ACM Press, 2003, pp. 41-47.
[7] Liu D, Ning P, Improving key pre-distribution with
deployment knowledge in static sensor netowrks, ACM
Transactions on Sensor Networks, 2005, Vol. 1, No. 2,
pp.204-239.
[8] Blundo C, Santix A D, Herzberg A, Perfectly- secure key
distribution for dynamic conferences, Proceedings of the
12th Annual International Cryptology Conference on
Advances in Cryptolog, Berlin: Spring-Verlag, 1992, pp.
471- 486.
[9] Du W, Deng J, Han Y S, Varshney P, Katz J, Khalili A, A
pairwise key pre-distribution scheme for wireless sensor
networks, ACM Transactions on Information and System
Security (TISSEC), 2005, Vol. 8, No. 2, pp. 228-258.
[10] Huang D, Mehta M, Medhi D, Harn L, Location-aware
key management scheme for wireless sensor networks,
Proceedings of ACM Workshop on Security of Ad Hoc and
Sensor Networks (SASN04), Washington DC, USA: ACM
Press, 2004, pp. 29-42.
[11] Lee J, Stinson D R, Deterministic key predistribution
schemes for distributed sensor networks, Proceedings of
ACM Symposium on Applied Computing 2004, Lecture
Notes in Computer Science 3357 (2005), Waterloo, Canada:
Springer, 2004, pp. 294-307.
[12] http://www.xbow.com/Products/Product_pdf_files/Wireless
_pdf/MICA.pdf
812 812