SECURITY AND COMMUNICATION NETWORKS

Security Comm. Networks (2017)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1726

A collusion-resistant dynamic key management

scheme for WSNs
Furui Zhan and Nianmin Yao*
Deparment of Computer Science and Technology, Dalian University of Technology, Dalian, China

ABSTRACT
Key management is an important security service for protecting wireless sensor networks (WSNs). Among various existing
schemes, exclusion basis system (EBS) is a practical solution that can be easily implemented to provide long-term and
flexible protection for WSNs. The involved rekeying strategy in EBS can efficiently evict the compromised node and
update the key system. However, the relatively small key pool leads to high correlation among the generated key rings.
Consequently, it is almost impossible for EBS-based schemes to efficiently defend collusion attack with their rekeying
mechanisms. In this paper, we first analyze the impact of collusion attack on WSNs, especially that in the case where the
keys of the compromised nodes can form a connected graph. Then, we propose a novel key management scheme based
on EBS. The proposed scheme is termed as t-EEBS because it can effectively resist the referred collusion attack formed
by t(t > 1) nodes. Furthermore, we assume that the proposed scheme is implemented in hierarchical WSNs. In this case,
two layers of t-EEBS administrative keys are used. The upper layer is implemented among the base station and all cluster
leaders, while the lower layer involves a t-EEBS for each cluster. The results of performance evaluation show that the
proposed scheme has better resistance to collusion attack than other schemes. Therefore, the proposed scheme can provide
better security service for WSNs. Copyright © 2017 John Wiley & Sons, Ltd.

KEYWORDS
key management; wireless sensor networks; exclusion basis system; collusion attack
*Correspondence
Nianmin Yao, Department of Computer Science and Technology, Dalian University of Technology, Dalian, China
E-mail: lucos@dlut.edu.cn

1. INTRODUCTION Many key management schemes have been proposed

Wireless sensor networks (WSNs) have been used in a
wide range of applications, such as transportation [1],
healthcare [2], military [3], and environmental monitor-
ing [4]. However, because of the inherent openness of
wireless communication and unattended operation, WSNs
are prone to various attacks. Therefore, some security
mechanisms were proposed for protecting WSNs. For
example, [5] proposed a public key infrastructure-enabled
security framework for ZigBee sensor network, while [6]
proposed a scheme for secure information dissemination in
industrial WSNs.
Key management is implemented to manage crypto-
graphic keys in the network. According to [7], a typical
key management process includes the following functions:
key analysis, key assignment, key generation, and key dis-
tribution (and redistribution). Moreover, different entities
might be used during the implementation of key manage-
ment, such as key server, base station, and sensor nodes.
The performance of key management significantly affects
the security and efficiency of the network.
for WSNs [8]. Different from other ad hoc networks,
where asymmetric keys can be used to achieve key man-
agement [9], most key management schemes for WSNs
were implemented based on symmetric keys with respect
to resources consumption.
In [10], a random key pre-distribution scheme was
proposed for WSNs. This scheme includes three phases:
key pre-distribution, shared-key discovery, and path-key
establishment. Prior knowledge is not necessary in this
scheme. This scheme is energy efficient. Based on [10], q-
composite scheme and node-based scheme were proposed
in [11] and [12], respectively.
Besides, different combinatorial design methods were
also used to realize key management for WSNs. In [13],
a deterministic key management scheme was proposed
based on symmetric balanced incomplete block design.
Similarly, [14] and [15] applied Steiner trade to achieve
key management. In addition, a highly scalable key pre-
distribution scheme was proposed based on the unital
design theory in [16].

Copyright © 2017 John Wiley & Sons, Ltd.

A collusion-resistant dynamic key management scheme for WSNs
In most of the mentioned schemes, keys are not changed
any more once they are distributed to the nodes. Conse-
quently, while some keys are exposed by the compromised
nodes, the entire key system might be uncovered because
of the lack of efficient node eviction and rekeying mecha-
nism. Therefore, these schemes cannot provide long-term
protection for WSNs.
In contrast, dynamic key management schemes can pro-
vided long-term and flexible protection for WSNs. One
classic solution is exclusion basis systems (EBS) [17],
which can be applied to achieve group key management.
EBS-based key management schemes can efficiently evict
the compromised node and update the entire key system.
In addition, these schemes have good scalability, because
a small key pool can be applied to protect a large scale of
network. Accordingly, in such schemes, the generated key
rings are highly correlate with each other. Therefore, it is
difficult for these schemes to resist collusion attack, which
enables the adversaries to share their knowledge with each
other to discover more information about the network.
Although EBS-based schemes are not ideal, these schemes
have many favorable properties, such as little storage
overhead, good scalability, and efficient post-deployment
rekeying.
In this paper, we first analyze the impact of collu-
sion attack on WSNs. We classify collusion attack into
the general case and special case. The former case only
requires that the compromised nodes can form a con-
nected graph based on their physical locations, while the
latter requires that the compromised nodes can form a con-
nected graph with both their physical locations and keys.
Then, based on EBS, we propose a new key manage-
ment scheme to enhance the resistance to collusion attack
in the special case. The proposed scheme is termed as
t-EEBS, because it can efficiently resist the referred col-
lusion attack formed by t(t > 1) compromised nodes.
In the proposed scheme, an appropriate framework for
t-EEBS is generated first. We propose two different algo-
rithms to construct the expected framework, and these
algorithms are terms as the randomized algorithm and the
order algorithm, respectively. Then, a modified key assign-
ment strategy is implemented so that the connectivity of
the network can be guaranteed. The results of analyses
show that the proposed scheme can provide long-term
protection even when the collusion attack is launched in
the network.
The main contributions of our work are summarized
as follows:
(1) We analyze the impact of collusion attack on WSNs.
According to whether the compromised nodes can
form a connected graph with their keys, we classify
the collusion attack into the general case and the
special case. The probability of collusion attack in
the special case is figured out.
(2) We describe a randomized t-EEBS framework con-
struction algorithm. With this algorithm, an appro-
priate framework is able to generated. Conse-
F. Zhan and N. Yao
quently, the proposed key management scheme is
able to resist collusion attack in the special case.
(3) We design an efficient order t-EEBS framework
construction algorithm. Comparing with the ran-
domized algorithm, this algorithm can be easily and
efficiently implemented by attaching some restric-
tions to the involved parameters. Likewise, this
algorithm also ensures that the proposed scheme is
able to resist collusion attack in the special case.
(4) We evaluate the performance of the proposed
scheme with several metrics, such as resistance to
collusion attack, connectivity, and storage overhead.
The remainder of this paper is organized as follows: In
Section 2, several EBS-based key management schemes
are introduced. In Section 3, we analyze the impact of
collusion attack on WSNs. The implementation of the pro-
posed key management scheme is described in Section 4.
Section 5 illustrates the results of performance evaluation.
The conclusions of this work are described in Section 6.
Finally, some proofs are explained in Appendix.
2. RELATED WORKS
As mentioned earlier, various dynamic key management
schemes can be implemented based on EBS. The scheme
proposed in this paper is also achieved by applying EBS. In
this section, EBS and several EBS-based key management
schemes are described.
2.1. Exclusion basis system
Exclusion basis system is a combinatorial formulation of
group key management [17]. This scheme can be briefly
summarized as follows:
EBS (n, k, m) is actually a collection  of subsets
of [1, n] = {1, 2, : : : , n} (elements of [1, n] are integers),
and each element t contained in [1, n] holds the following
two properties:
(1) t is in at most k subsets of ;
S m subsets, say A1 , A2 , : : : , Am in
(2) There are exactly
 such that m i=1 Ai = [1, n] – {t}. That is, each
element t can be excluded by a union of exactly m
subsets in .
Each subset of the collection  represents a key in the
key pool, and the elements of each subset denote the nodes
that have this key. Property (2) means that each node could
be excluded by broadcasting rekeying messages encrypted
by all its unknown keys. Actually, the parameters n and k
denote the size of the network and the number of
each node’s keys, respectively. m is the number of
rekeying messages, that is, the number of each node’s
unknown keys.
Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F. Zhan and N. Yao
Table I. The matrix of EBS (10, 2, 3).
Key N1 N2 N3 N4 N5 N6 N7 N8
k1 1 1 1 1
k2 1 1 1 1
k3 1 1 1 1
k4 1 1 1 1
k5 1 1
In order to successfully construct an appropriate EBS
framework for the network, the relation among three
parameters is figured out in [17].
! this scheme, two types of nodes were applied in each clus-
k+m
n (1)
k each cluster established an EBS framework according to
Formula (1) is a positive solution for constructing EBS
(n, k, m). The application of EBS is illustrated in Table I.
According to Table I, an EBS (10, 2, 3) framework for
a network with 10 nodes can be established, where each
node selects two keys to store. Each node can be excluded
by broadcasting three rekeying messages according to the
definition of EBS, because there are totaly five keys in the
key pool. Taking node N5 for example, rekeying messages
are described as follows:
0 0 0 were also proposed. In [19], a lightweight key manage-
Message1 : E(k2 (S , E(k1 (k1 )), E(k3 (k3 ))))
0 0 0
Message2 : E(k4 (S , E(k1 (k1 )), E(k3 (k3 ))))
0 0 0 for hierarchical and heterogeneous WSNs, respectively.
Message3 : E(k5 (S , E(k1 (k1 )), E(k3 (k3 ))))
where E() denotes the encryption process, and S denotes
the new session key. Node N5 can be excluded because it
cannot decrypt rekeying messages encrypted by k2 , k4 , and
k5 . Meanwhile, all keys are successfully updated.
EBS is a scalable and efficient scheme. As illustrated
in [17], 23 6
11 = 1 352 078  10 , which means that a key
management scheme can be established for protecting a
network with at most 1 352 078 nodes. In this scheme, each
node selects 11 keys from the key pool, and each node can
be excluded with 12 rekeying messages. Therefore, such
key management scheme can provide flexible protection
for WSNs.
2.2. LOCK
Based on EBS, Eltoweissy et al. proposed a localized
combinatorial keying scheme for hierarchical sensor net-
works, which was called LOCK [7]. In this scheme, two
layers of EBS administrative keys were applied. The upper
layer EBS framework focused on key management among
the base station and all cluster leaders. Similarly, each
cluster allocated a lower EBS framework according to its
structure. The compromised member in each cluster can
be excluded by EBS rekeying mechanism. In contrast, the
eviction of cluster leader was difficult: the upper layer and
the corresponding lower layer EBS frameworks separately
Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
A collusion-resistant dynamic key management scheme for WSNs
performed rekeying to exclude the compromised
N9 N10
cluster leader.
To enhance the resistance to collusion attack, key
polynomials instead of normal string keys were used
in this scheme. However, storage overhead was also
greatly increased.
1 1 2.3. SHELL
In [18], another EBS-based dynamic key management
scheme was proposed for hierarchical sensor networks.
This scheme was termed as SHELL, which was scalable,
hierarchical, efficient, location-aware and light-weight. In
ter: the gateway nodes and sensor nodes. Similar to LOCK,
its structure. One of the gateway nodes was selected to be
cluster head to manage the cluster, while other gateway
nodes were used to generate keys for the cluster. In this
scheme, key management functionality was implemented
by multiple nodes. In addition, to improve the resistance to
collusion attack, a novel key assignment scheme was also
proposed based on hamming distance. Only with the loca-
tion information of nodes, the proposed key management
scheme can be achieved.
Besides, other EBS-based key management schemes
ment scheme was proposed for WSNs. Moreover, [20]
and [21] proposed EBS-based key management schemes
These schemes are efficient and flexible. However, EBS-
0
based key management schemes cannot efficiently resist
collusion attack.
3. THE IMPACT OF COLLUSION
ATTACK ON EBS
The excellent scalability of EBS means that it can use
a small key pool to protect a very large scale of net-
work. However, this property also leads to high correla-
tion between different key rings. As a result, EBS-based
schemes are more vulnerable to collusion attacks. Accord-
ing to whether the keys of the compromised nodes can
form a connected graph, the collusion attack is classified
into the general case and the special case.
3.1. Collusion attack
Comparing with other attacks, collusion attack possesses
more threats to WSNs, because adversaries can deduce
more information about the network by integrating the
knowledge of each compromised node.
As described in [18], collusion attack can be launched
only when two nodes are in the transmission range of
one another. In other words, collusion attack is formed by
neighbor nodes. Figure 1 illustrates the collusion attack.
In Figure 1, both nodes A and C are neighbors of node
A collusion-resistant dynamic key management scheme for WSNs
Figure 1. Collusion attack.
B, but nodes A and C are not in the transmission range of
each other. When node B is healthy, though nodes A and C
are compromised, they can only grasp knowledge of their
own. However, if node B is compromised, they can per-
form collusion attack and share all knowledge known by
each other.
3.2. The general case
In the general case, the only condition of collusion attack
is that the involved nodes can form a connected graph
according to their locations. That is, the location and com-
munication capacity of node determine whether collusion
attack can be launched.
We analyze the impact of collusion attack on EBS from
two aspects: the number of exposed keys and sick nodes.
The sick node represents the node that is not compromised
but fail to update its keys by EBS rekeying mechanism.
Assume an EBS (18 564, 6, 12) framework for the network,
where the number of the exposed keys and the sick nodes
are assumed as x and y. When t(t  1) nodes collude and
k+1
k  t, it holds that
m
(1) if t < k–1
( key pool ranges from 39% to 61%. Expectation of x is 9.7,
x 2 [k + 1, tk]
k+1   (2)
y 2 [ k – 2, tkk – 2]
m update their keys. If three nodes collude, they will cause
(2) if t  k–1
( Comparing the collusion attack in the mentioned two
x 2 [k + 1, k + m]
  k+m (3)
y 2 [ k+1
k – 2, k – 2]
Considering that nodes are randomly deployed in the
network. If two nodes collude, they will cause x 2 [7, 12]
keys exposed and the proportion of exposed keys to key
pool ranges from 39% to 67%. Expectation of x is 10,
which means that about 56% keys of key pool are exposed.
F. Zhan and N. Yao
The number of sick nodes y 2 [5, 924]. Expectation of
y is 268, which means that average 268 nodes can not
update their keys. Therefore, the impact of collusion attack
on EBS is significant. If three nodes collude, they will
cause x 2 [7, 18] keys exposed. That is, all the keys in
key pool will be exposed in the worst case. There are
k+mmm–k
k k k = 17153136 cases where the whole key
pool can be discovered. The details of calculation are
described in Appendix.
3.3. The special case
In contrast to the general case, collusion attack in most
cases has some characteristics if the distribution of keys
is considered. In some cases, the keys of the colluding
nodes can form a connected graph. Consequently, the
connectivity of the key system directly affects the collu-
sion attack in this case. If the referred connectivity can
achieve 1, the colluding nodes must be connected even
with their keys. In order to analyze the impact of collusion
attack on key management more reasonable, it is necessary
to consider the distribution of keys.
Same as the general case, the EBS (18 564, 6, 12)
framework is illustrated to analyze the impact of collusion
attack in this case. The numbers of exposed keys and sick
nodes are assumed as x and y. When t(t  1) nodes collude
 
and k+1k  t, it holds that
1. if t < k+m–1
k–1
(
x 2 [k + 1, k + (t – 1)(k – 1)]
k+1   (4)
y 2 [ k – 2, k+(t–1)(k–1)
k – 2]
2. if t  k+m–1
k–1
(
x 2 [k + 1, k + m]
k+1   (5)
y 2 [ k – 2, k+m k – 2]
In this case, if two nodes collude, they may cause x 2
[7, 11] keys exposed and the proportion of exposed keys to
which means that about 54% keys of key pool are exposed.
Moreover, the amount of sick nodes y 2 [5, 462]. Expec-
tation of y is 222, which means average 222 nodes can not
x 2 [7, 16] keys exposed.
cases, we can find that the impact of collusion attack in
general case is larger than it in the special case. Conse-
quently, the implementation of key management scheme
that can resist such collusion attacks is more difficult.
Actually, when considering the keys of nodes, most collu-
sion attacks are the collusion attacks in the special case,
because excellent connectivity and efficiency of the net-
work must be guaranteed while distributing keys to nodes.
Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F. Zhan and N. Yao A collusion-resistant dynamic key management scheme for WSNs

3.4. The probability of collusion attack in

the special case

As mentioned earlier, the probability of collusion attack

in the special case is affected by the connectivity of key
system. We analyze this relation based on random graph
theory. Random graph is the general term referring to prob-
ability distributions over graphs. The theory of random
graphs lies at the intersection between graph theory and
probability theory. In [10], the random graph theory is
applied to analyze the relationship between the global con-
nectivity and the degree of node. Likewise, we calculate
the probability of collusion attack in the special case based
on random graph.
Assume the probability that two sensor nodes have a
common key is p. Then, we need to calculate the prob-
ability of the case where t colluding nodes can form a
connected graph with their keys. A random graph G(t, p)
is a graph of t nodes for which the probability that a link
exists between two nodes is p. According to the conclusion
proposed by Erdős and Rényi, if the graph connectivity is
Pc , then the value of p is

–c
Pc = lim Pr [ G(t, p) is connected ] = ee (6)
t!1

where

ln(t) c
p= + (7) Figure 2. Implementation of key management.
t t

In this case, c is any real constant. As a result, the rela-
tionship between Pc and p can be figured out according to
formulas (6) and (7). In Section 4, an EBS-based key man-
agement scheme is proposed. The proposed scheme can
resist collusion attack in the special case.
4. THE PROPOSED KEY
MANAGEMENT SCHEME
In this work, a key management scheme that can resist col-
lusion attack in the special case is proposed. The proposed
scheme is achieved based on EBS. Accordingly, the pro-
posed scheme is terms as t-EEBS (n, k, m), where t denotes
the number of colluding nodes. In addition, n, k and m
have same meanings as EBS. In Table II, we summarize
the symbols used in the following sections.
4.1. Network model
We assume that n nodes are randomly deployed in the
network and all nodes have same capabilities, such as stor-
age, computation, communication and the power of bat-
tery. Furthermore, the proposed key management scheme
is applied in hierarchical sensor networks, i.e., the net-
work will be divided into several clusters. Each cluster is
managed by a cluster leader (CL).
4.2. t-EEBS key management scheme
Typically, a key management process includes four phases:
key analysis, key assignment, key generation and key dis-
tribution(and redistribution). In this work, we make some
modifications to the implementation.
According to figure 2, six phases are implemented in
the proposed key management scheme: the initialization
phase, t-EEBS framework construction, key assignment,
key distribution, node addition and node eviction. Dur-
ing the implementation of the proposed scheme, the first
four phases are performed so that appropriate keys can
be distributed to nodes. In contrast, node addition and
node eviction are implemented unless some events hap-
pen, e.g., some nodes are exhausted or compromised by
an adversary.
4.2.1. The initialization phase.
In this phase, all nodes join into the appropriate cluster
according to the clustering algorithm, e.g., LEACH [22].
Then, each cluster selects a member to be CL. Once the
clustering is achieved, all the members in each cluster sent
their IDs and locations to CL to complete registration. Until
the registration in each cluster is done, all CLs can accom-
plish their registrations to BS through the same way. All
the messages exchanged in this phase are encrypted by
kc. After the implementation of the initialization phase,

Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
A collusion-resistant dynamic key management scheme for WSNs
Table II. Symbols and meanings.
Symbol Meaning
CL Cluster leader
BS Base station
n Scale of the network
k Size of key ring
m Number of the unknown keys of each node
t Number of the colluding nodes
ki ith Key of key pool
A Target collection of key rings
keyi ith Key ring in A
Ni ith Node in the cluster
neighbori List of neighbors of node Ni
dkct List of key rings in collection A,
which have common keys with keyt
the locations of nodes in the network are known, and the
structure of each cluster can be discovered.
4.2.2. t-EEBS framework construction.
In this work, the proposed key management scheme
applies same structure as LOCK. There are two layers of
t-EEBS administrative keys: the upper layer enables BS
to manage all CLs as a group; the lower layer involves
a t-EEBS for each cluster, and each t-EEBS enables CL
to manage the members as a group. Actually, the imple-
mentations of the upper layer and lower layer are similar.
Therefore, a lower layer t-EEBS is illustrated to describe
the construction of t-EEBS.
In most existing EBS-based schemes, after EBS frame-
work is established, key rings are assigned and distributed
to nodes without any further consideration. Actually, after
determining the size of key pool and key ring, if some
key rings instead of all key rings are determined as can-
didates for nodes, an more appropriate framework can
be generated for the target network. Based on different
rules, the generated frameworks ensure key management
scheme possesses different characteristics. In this section,
we find the rule of key ring selection and propose dif-
ferent methods to construct an appropriate framework so
that the proposed scheme can resist collusion attack in the
special case.
According to the definition of collusion attack in the
special case, some healthy nodes cannot update their keys
with EBS rekeying mechanism because all of their keys are
exposed by the compromised nodes. Therefore, a theorem
on resistance to such collusion attacks can be summarized
as follows:
Theorem 1. The key management scheme can resist col-
lusion attack formed by t(t > 1) compromised nodes in the
special case, when the following characteristic is satisfied:
If the sizes of network and key ring are determined, a
connected target collection A can be established. The ele-
ments of A are various key rings. In collection A, each
element is not contained in the union of any other t
F. Zhan and N. Yao
elements. In this case, the referred t elements can form a
connected graph.
The proposed key management scheme t-EEBS can be
implemented if Theorem 1 is satisfied. As mentioned ear-
lier, an appropriate framework needs to be generated first.
According to Theorem 1, we can find that the construc-
tion of framework is exactly the generation of referred
target collection A. In this work, a randomized construc-
tion algorithm is proposed to establish the expected target
collection. Algorithm 1 shows the details of this algorithm.
Algorithm 1: Randomized Framework Construction
Input: size of network-n
Input: number of colluding nodes-p
Output: Available key ring collection-A
1 Calculate the original key ring collection S of n by
EBS framework;
2 Random select a key combination keyi from S and
insert keyi to A;
3 if A satisfies the Theorem 1 then
4 Delete keyi from S;
5 Calculate the union of keys in A, denoted as ;
6 Delete the subset of  from S
7 end
8 else
9 Delete keyi from A;
10 Delete keyi from S
11 end
12 if S is empty then
13 if the size of A is no less than n then
14 return A
15 end
16 else
17 empty S and A;
18 rerun from step 1 to find a larger S
19 end
20 end
21 else
22 rerun from step 2
23 end
When the proposed algorithm is carried out, a target key
ring collection A that satisfies Theorem 1 is established.
After assigning and distributing these key rings to nodes,
a t-EEBS key management scheme can be implemented.
Table III illustrates a 3-EEBS (6, 3, 5) framework, where
key rings are randomly assigned to nodes. When collu-
sion attack in the special case is formed by three nodes
or less than three nodes, the compromised nodes can be
successfully excluded. Taking nodes N1 , N3 and N6 for
example, they can be evicted by broadcasting the messages
illustrated in Table IV.
The aforementioned construction algorithm can be
implemented without any additional restrictions to param-
eter k and m. However, this algorithm is inefficient, and the
result generated by this algorithm is unpredictable.
Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F. Zhan and N. Yao
Table III. The matrix of 3-EEBS (6, 3, 5).
Key N1 N2 N3 N4 N5 N6
k1 1 1
k2 1 Proof of property (3): According to the aforemen-
k3 1 1 1 1 1 1
k4 1 exposed keys is kj kj+1 kj+2 , : : : , kj+t , j 2 [1, k+m–t]. At this
k5 1 moment, the addition of any key ring kj ku , u 2 [j + t + 1, k +
k6 1 m] to the target collection might ensure that the target col-
k7 1
k8 1 1 1 1 1 1
In order to find an efficient construction algorithm,
another solution is proposed. In this case, the value of k
is limited to 2. Then, the target collection that satisfies
Theorem 1 can be easily obtained. Before describing the
algorithm, a definition is introduced.
Definition 1. (Step-length): the referred Step-length of
each key ring is the absolutely value of difference between
the maximum and minimum indexes of keys, for example,
the step-length of k1 k4 is 3.
Considering that the size of key ring is 2, if the key
ring collection generated by EBS framework and each key
ring in this collection are sorted into ascending order, some
properties can be found:
(1) Putting all key rings whose Step-lengths are 1 into
the empty target collection can ensure the collection
satisfies Theorem 1;
(2) After the process (1) is done, the addition of all
key rings whose step-lengths are no more than t
makes the target collection unsatisfied Theorem 1.
Therefore, they can be directly eliminated;
(3) After the processes (1) and (2) are done, if the
key ring whose step-length is more than t is putted
into the target collection such that the collection
satisfies Theorem 1, the key ring can be retained.
Otherwise, the key ring will be eliminated from the
target collection.
Proof of property (1): In this case, the format of key
ring is kj kj+1 , j 2 [1, k + m – 1]. Furthermore, such key
rings are end to end. Obviously, it can be found that no
matter how many nodes are colluding, other nodes ensure
that at most one of their keys is exposed, Consequently,
each normal node has at least one key unknown to the col-
luding nodes. Then, they can update their keys with the
unknown key.
Proof of property (2): After process (1) is imple-
mented, the target collection has several elements whose
Table IV. The rekeying messages for N1 , N3 and N6 .
0 0
Message1 : E(k4 (S , E(k1 (k1 )), E(k2 (k2 )), E(k3 (k3 )), E(k6 (k6 )), E(k8 (k8 ))))
0 0
Message2 : E(k5 (S , E(k1 (k1 )), E(k2 (k2 )), E(k4 (k4 )), E(k5 (k5 )), E(k8 (k8 ))))
0 0
Message3 : E(k7 (S , E(k1 (k1 )), E(k2 (k2 )), E(k4 (k4 )), E(k5 (k5 )), E(k8 (k8 ))))
Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
A collusion-resistant dynamic key management scheme for WSNs
formats are kj kj+1 . Therefore, when t nodes collude, the
exposed keys must be kj kj+1 kj+2 , : : : , kj+t , j 2 [1, k + m – t].
We can find that all kj ku , u 2 [j+1, j+t] are exposed and are
not able to be updated. Therefore, property (2) is proved.
tioned proofs, in the former cases, the format of the
lection meets Theorem 1. However, if such key ring is put
into the target collection, the format of the exposed keys
is no longer kj kj+1 kj+2 , : : : , kj+t , j 2 [1, k + m – t]. Conse-
quently, other key rings kj ku , u 2 [j + t + 1, k + m] need to be
further checked: if the target collection satisfies Theorem 1,
this key ring can be retained. Otherwise, this key ring will
be eliminated from the target collection.
According to the aforementioned properties, an order
framework construction algorithm (Algorithm 2) is
proposed.
After the implementation of this algorithm, a target
collection A is generated, which ensures that the corre-
sponding key management scheme can resist collusion
attack in the special case. Although the size of k is 2, the
target collection that satisfies various scales of networks
can be generated by the variations of m and t. In con-
trast to Algorithm 1, the order construction algorithm is
more efficient.
Similarly, Table V shows a 3-EEBS (8, 2, 5) frame-
work for the network. In this case, there are eight nodes in
the network, and each node stores two keys. Key rings in
the target collection are also randomly assigned to nodes.
When no more than three nodes collude, they can be
excluded by broadcasting the massages encrypted by their
unknown keys. Taking nodes N1 , N4 , and N7 for example,
they can be excluded by the messages in Table VI.
When t is also limited to 2, the target collection has
several statistical properties: (1) All the key rings whose
Step-lengths are 1, 3, 5, 7, : : : are appropriate; (2) rest key
rings are inappropriate. As a result, the target collection can
be directly deduced without programming at all. Therefore,
the referred construction is simple and easy to implement.
Table V. The matrix of 3-EEBS (8, 2, 5).
Key N1 N2 N3 N4 N5 N6 N7 N8
k1 1 1
k2 1 1
k3 1 1 1
k4 1 1
k5 1 1 1
k6 1 1
k7 1 1
0 0 0 0
0 0 0 0
0 0 0 0
A collusion-resistant dynamic key management scheme for WSNs F. Zhan and N. Yao

Table VI. The rekeying messages for N1 , N4 and N7 .
0 0 0 0 0 to the members according to key assignment. During key
Message1 : E(k3 (S , E(k1 (k1 )), E(k2 (k2 )), E(k4 (k4 )), E(k5 (k5 ))))
0 0 0 0 0
Message2 : E(k6 (S , E(k1 (k1 )), E(k2 (k2 )), E(k4 (k4 )), E(k5 (k5 ))))
0 0 0 0 0 4.2.5. Node Addition.
Message3 : E(k7 (S , E(k1 (k1 )), E(k2 (k2 )), E(k4 (k4 )), E(k5 (k5 ))))
4.2.3. Key Assignment.
With the proposed framework construction algorithms,
all available key rings can be determined. However, if
the size of k is limited, the connectivity of the network
might suffer decrease. If key rings are randomly assigned
to nodes as illustrated in Tables III and V, the resulting for-
warding processes caused by the low connectivity might
bring more communication overheads.
In the proposed scheme, when assigning key rings to
nodes, the locations of nodes are applied to guarantee the
connectivity. As stated in the initialization phase, the loca-
tions of nodes are known. Therefore, the neighbors of each
node in the cluster can be discovered. During key assign-
ment, if more elements in the target collection has common
keys with the selected element, then the selected element is
assigned to the node that has more neighbors. This process
is described as follows:
nodes. In this work, CL of each cluster distributes keys
distribution, the transmitted messages are encrypted by kc.
As battery-powered and usually deployed in compli-
cated environments, some nodes might fail, which might
lead to the challenge of coverage hole. In order to fix the
problem, new nodes need to be deployed into the network.
According to the location of new node, the new node joins
into the appropriate cluster. Then, when the target collec-
tion still has available key rings, the appropriate key ring is
distributed to the new node. Otherwise, the former proce-
dures need to be implemented once again. However, it can
be found that the framework established by Algorithm 2
holds the following properties: (1) nodes always store two
keys and different scales of networks are satisfied by the
variations of m and t; (2) almost all key rings established
by the current construction are still available, and thus it
means that no node or very few nodes need to change
their key rings triggered by the update of framework. Con-
sequently, energy consumption is hence reduced, and the
efficiency of WSNs is guaranteed.

(1) Count the number of each node’s neighbors, noted Algorithm 2: Order Framework Construction
as neighbori (1  i  n). According to the value of Input: size of network-n
neighbori , nodes are ranked into descending order. Input: number of colluding nodes-t
(2) To each element of the target collection A, count the Output: Available key ring collection-A
number of elements that have common keys with 1 Calculate the original key ring collection S according
this element, noted as dkct (1  t  |A|). Accord- to EBS;
ing to the value of dkct , the elements of A are also 2 Sort S and elements in S into ascending order;
ranked into descending order. 3 Add all of key rings that Step-length equals to 1
(3) According to the rank of nodes, appropriate key into A;
rings are assigned to nodes. To the node Ni (1  i  4 if Step – length of key ring is no more than t then
n), there are two different cases: 5 directly eliminate the key rings
6 end
(a) Ni is neighbor of the nodes that are already 7 else
assigned key rings. Without loss of gener- 8 if key ring satisfied Theorem 1 then
ality, assume Nu and Nv are neighbors of 9 add the key ring into A
Ni , and their key rings are keyr and keys , 10 end
respectively. If there are common key rings 11 else
between dkcr and dkcs , the common key 12 eliminate the key ring
ring that has the highest rank is assigned 13 end
to Ni . Otherwise, the key ring that has the 14 end
highest rank in the union of dkcr and dkcs 15 if S is empty then
is assigned to Ni . 16 if the size of A is no less than n then
(b) Ni is not neighbor of all nodes that already 17 return A
have been assigned key rings. The remain- 18 end
ing key ring that has the highest rank is 19 else
assigned to Ni 20 empty S and A;
21 rerun from step 1 to find a larger S
When each node is assigned an appropriate key ring, the 22 end
process is finished. 23 end
24 else
4.2.4. Key Distribution. 25 rerun from step 3
After the implementation of key assignment, appropri- 26 end
ate key rings need to be distributed to the corresponding

Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F. Zhan and N. Yao
Figure 3. Various schemes’ resistance to collusion attack.
4.2.6. Node Eviction.
Because the proposed scheme uses the same struc-
ture as LOCK, node eviction and rekeying mechanism
are similar. If a member in the cluster is compromised,
it can be directly excluded by rekeying processes in its
cluster. In contrast, if CL is compromised, it should be
excluded twice: both in the upper layer and lower layer.
After the compromised CL is excluded, a new CL needs to
be selected.
5. PERFORMANCE EVALUATION
In this section, the performance of the proposed scheme is
evaluated with several metrics, such as storage overhead,
resistance to collusion attack, and scalability.
5.1. Resistance to collusion attack
Figure 3 shows various schemes’ resistance to collusion
attacks. The referred collusion attacks are performed by
two–six nodes in the special case. In this figure, p denotes
the number of the colluding nodes. The resistance to col-
lusion attacks is the ability of network resilience while
suffering collusion attacks. Without considering the com-
promised nodes, network resilience represents the propor-
tion of normal nodes that are able to successfully update
their keys to all normal nodes. When comparing the same
scheme in different cases, the referred resistance drops as
the number of the compromised nodes increases. More-
over, comparing different schemes in same case, 3-EEBS
schemes have better resistance than the corresponding
Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
A collusion-resistant dynamic key management scheme for WSNs
2-EEBS schemes. As the number of nodes increases,
resistances of all schemes increase, because the result-
ing increase of key pool can weaken the influences of the
compromised nodes.
In Figure 4, a cluster with 30 nodes is illustrated.
Both EBS (30, 3, 4) and EBS (30, 2, 6) are considered
with respect to storage overhead and security, respectively.
Obviously, the resistance of EBS (30, 3, 4) is the worst.
The resistance of EBS (30, 3, 4) sharply decreases as
the number of the compromised nodes increases, and the
whole cluster is almost cracked when more than five nodes
are colluding. The best scheme is 3-EEBS scheme, whose
resistance is always higher than 97%, and thus provides
better security for the network.
5.2. Rekeying overhead
The rekeying overheads of various 2-EEBS schemes and 3-
EEBS schemes are illustrated in Figure 5. Similar to figure
3, p denotes the number of the colluding nodes. As the
increase of m, rekeying overheads of all illustrated schemes
increase. Moreover, when m is determined, rekeying over-
heads of various schemes increase as the number of the
colluding nodes increases. In contrast, if the size of m
and the number of the compromised nodes are determined,
rekeying overhead decreases as the ability of the resistance
to collusion attack increases.
5.3. Connectivity
Figure 6 shows average number of elements in the tar-
get collection that have common keys with each selected
A collusion-resistant dynamic key management scheme for WSNs F. Zhan and N. Yao

Figure 4. Resistance to collusion attack against the number of compromised nodes.

Figure 5. Variation of rekeying overhead.

element. Comaring with 2-EEBS scheme, the connectivity 5.4. Scalability

in other schemes changes slowly. In 3-EEBS (30, 2, 15)
scheme, average five key rings have common keys with
each key ring in the cluster. Comparing the connectivity
of different schemes, it can be found that the connectiv-
ity is decreased when the resistance of the corresponding
scheme increases.
The size of the target collection of t-EEBS is presented
in Figure 7. In this case, the referred t-EEBS framework
is generated by Algorithm 2. As the ability of resis-
tance to collusion attack increases, the number of available
key rings decreases, because the ability of resistance to

Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F. Zhan and N. Yao A collusion-resistant dynamic key management scheme for WSNs

Figure 6. Connectivity in different cases.

Figure 7. Scalability of various schemes.

collusion attack is achieved by eliminating inappropriate 5.5. Storage overhead

key rings. However, though the size of key pool is increas-
ing, the size of key rings is not changed. Actually, with the
variation of m, the proposed scheme can satisfy any scale
of networks while limiting k equals 2. In addition, the pro-
posed scheme is a localized scheme applied in hierarchical
WSNs. According to the description in [23], the proposed
scheme can satisfy the requirements of various networks
by changing m and t.
In Figure 8, storage overheads of different schemes are
illustrated. Different from the proposed scheme, t in LOCK
denotes the degree of key polynomials. The illustrated key
management scheme is established by Algorithm 2. There-
fore, each node stores two string keys, that is, storage over-
head is not changed in different cases. The keys applied
in SHELL scheme are string key too. With the number of

Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
A collusion-resistant dynamic key management scheme for WSNs
Figure 8. Storage overheads of different schemes.
nodes increasing, the size of key rings in SHELL increases
slowly. In contrast, although the number of key rings in
LOCK also increases slowly, the applied key polynomials
lead to larger storage overhead than other schemes.
6. CONCLUSION
Because EBS can provide efficient post-deployment rekey-
ing, EBS-based key management schemes can support
flexible and long-term protection for WSNs. However,
because of high correlation among key rings, security of
the network is significantly affected when collusion attack
is performed. In majority cases, the keys of the colluding
nodes can form a connected graph. In order to enhance the
resistance to collusion attack in such cases, a new key man-
agement scheme based on EBS is proposed, which is called
t-EEBS. We consider the proposed scheme is applied in
hierarchical WSNs. According to the structure of the net-
work, the entire scheme consists of two layers of t-EEBS
administrator keys: the upper layer enables BS to manage
all CLs as a group; the lower layer involves a t-EEBS for
each cluster, and each t-EEBS enables CL to manage the
members as a group. Two t-EEBS framework construc-
tion algorithms are proposed to ensure that the proposed
scheme can resist the collusion attack formed by t(t > 1)
nodes in the special case. The proposed scheme is local-
ized, location-aware, and resistant to collusion attacks. The
results of performance evaluation show that the proposed
scheme can greatly improve the resistance to collusion
attack and thus enhance the security of the network.
REFERENCES
1. Khanafer M, Guennoun M, Mouftah HT. Wsn archi-
tectures for intelligent transportation systems. 3rd
F. Zhan and N. Yao
international conference on new technologies, mobility
and security, ntms 2009, Cairo, Egypt, 2009.
2. Huang Y, Hsieh M, Chao H, Hung S, Park J.
Pervasive, secure access to a hierarchical sensor-
based healthcare monitoring architecture in wire-
less heterogeneous networks. IEEE Journal on
Selected Areas in Communications 2009; 27(4):
400–411.
3. Duriic MP, Tafa Z, Dimic G, Milutinovic V. A survey
of military applications of wireless sensor networks.
2012 Mediterranean Conference on Embedded Com-
puting, MECO 2012, Bar, Montenegro, 2012; 196–
199.
4. Liu YY, Yu XF, Zhao D. Hardware design of an
environmental monitoring system based on wireless
sensor networks. Advanced materials research 2014;
864-867: 891–896.
5. Misra S, Goswami S, Taneja C, Mukherjee A.
Design and implementation analysis of a public key
infrastructure-enabled security framework for zigbee
sensor networks. International Journal of Communi-
cation Systems 2016; 29(13): 1992–2014.
6. Misra S, Goswami S, Taneja C, Mukherjee A,
Obaidat MS. A pki adapted model for secure informa-
tion dissemination in industrial control and automation
6lowpans. IEEE Access 2015; 3: 875–889.
7. Eltoweissy M, Moharrum M, Mukkamala R. Dynamic
key management in sensor networks. IEEE Communi-
cations Magazine 2006; 44(4): 122–130.
8. Zhang J, Varadharajan V. Wireless sensor network
key management survey and taxonomy. Journal of
Network and Computer Applications 2010; 33(2):
63–75.
Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F. Zhan and N. Yao A collusion-resistant dynamic key management scheme for WSNs

9. Misra S, Goswami S. Key Management in Mobile Ad 22. Heinzelman WR, Chandrakasan A, Balakrishnan H.
Hoc Networks, chap. 7: Security of Self-Organizing Energy-efficient communication protocol for wire-
Networks. MANET, WSN, WMN, VANET. S. pathan less microsensor networks. Proceedings of the hawaii
edn., CRC Press: USA, 2010; 145–170. international conference on system sciences, Maui,
10. Eschenauer L, Gligor VD. A key-management scheme USA, 2000; 223.
for distributed sensor networks. Proceedings of the 23. Tuah N, Ismail M, Jumari K. Evaluation of
ACM Conference on Computer and Communications optimal cluster size in heterogenous energy
Security, Washington, DC, United states, 2002; 41–47.
wireless sensor networks. 2012 International
11. Chan H, Perrig A, Song D. Random key predistribu-
Symposium on Telecommunication Technolo-
tion schemes for sensor networks. 2003 Symposium on
gies, ISTT 2012, Kuala Lumpur, Malaysia, 2012;
Security and Privacy, SP 2003, Berkeley, CA, United
124–130.
states, 2003; 197–213.
12. Huang SCH, Du DZ. New constructions on broadcast
encryption and key pre-distribution schemes. Proceed- Appendix
ings - IEEE INFOCOM, Miami, FL, United states,
2005; 515–523. The calculation of the expectation number of the exposed
13. Camtepe SA, Yener B. Combinatorial design of key keys mentioned in Section 3 is described as follows:
distribution mechanisms for wireless sensor networks. Assume that node NA is compromised. The key ring
IEEE/ACM Transactions on Networking 2007; 15 (2): stored by NA is KeyA , while the key ring stored by the col-
346–358. luding node NB is KeyB . The number of new exposed keys
14. Ruj S, Nayak A, Stojmenovic I. Fully secure pair- caused by the collusion attack formed by NA and NB is
wise and triple key distribution in wireless sensor DifAB . Note that DifAB is actually the keys of NB which are
unknown by NA .
networks using combinatorial designs. Proceedings -
IEEE INFOCOM, Shanghai, China, 2011; 326–330.
(1) The general case
15. Ruj S, Nayak A, Stojmenovic I. Pairwise and triple key The range of DifAB is [1, k]. Then, the probability
distribution in wireless sensor networks with applica- of each case in DifAB is
tions. IEEE Transactions on Computers 2013; 62(11):
2224–2237.  k m
16. Bechkit W, Challal Y, Bouabdallah A, Tarokh V. A k–i i
pi = k+m  , i 2 [1, k]
highly scalable key pre-distribution scheme for wire- k –1
less sensor networks. IEEE Transactions on Wireless
Communications 2013; 12(2): 948–959. Based on this formula, we can calculate the expec-
17. Eltoweissy M, Heydari MH, Morales L, Sudborough tation of DifAB is
IH. Combinatorial optimization of group key manage-
ment. Journal of Network and Systems Management k k  k m
X X
2004; 12(1): 33–50. k–i i
i  pi = i  k+m 
18. Younis MF, Ghumman K, Eltoweissy M. Location- i=1 i=1 k –1
aware combinatorial key management scheme for clus-
tered sensor networks. IEEE Transactions on Parallel According to the definition of DifAB , the expecta-
and Distributed Systems 2006; 17(8): 865–882. tion of the exposed keys caused by the collusion of
19. Jiang R, Luo J, Tu F, Zhong J. Lep: A lightweight NA and NB is
key management scheme based on ebs and polynomial
for wireless sensor networks. 2011 IEEE International k k  k m
X X
k–i i
Conference on Signal Processing, Communications k+ i  pi = k + i  k+m 
and Computing, ICSPCC 2011, Xi’an, China, 2011. i=1 i=1 k –1
20. Song YL, Cao SG. A lightweight of cluster-based
 
key management scheme for wireless sensor net- In contrast, the range of sick nodes is y 2 [ k+1
k –
works. Applied mechanics and materials 2013; tk
2, t – 2]. The probability of y in each scenario is
341–342: 1133–1137.  
same as DifAB . Assume that j = k+u k – 2, u 2 [1,
21. Ying B, Makrakis D, Mouftah HT, Lu W. Dynamic (t – 1)k], then
combinatorial key pre-distribution scheme for hetero-
geneous sensor networks. Communications in Com-  k m
puter and Information Science 2011; 186 CCIS: k–u u
pj = k+m  , u 2 [1, (t – 1)k]
88–95.
k –1

Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
A collusion-resistant dynamic key management scheme for WSNs F. Zhan and N. Yao

As a result, the expectation of sick nodes caused by k–1 k–1  k m

X X
k–i i
the colluding nodes is k+ i  pi = k + i  k+m 
i=1 i=1 k –1
(t–1)k (t–1)k (" ! #  k m )
X X k+u  
k–u u
j  pj = –2  k+m The range of sick nodes is y 2 [ k+1 – 2,
u=1 u=1
k
k –1 k+(t–1)(k–1) k+u k
k – 2]. Assume that j = k – 2, u 2
[1, (t –1)k –(t –1)]. Then, the probability of y in each
(2) The special case
case is
In this case, the calculation of the referred expec-
tation is similar to the general case. First, the range  k m
of DifAB is [1, k – 1], then the probability of each k–u u
pj = k+m  , u 2 [1, (t – 1)k – (t – 1)]
scenario in DifAB is k –1
 k m
Therefore, the expectation of sick nodes caused by
k–i i
pi = k+m  , i 2 [1, k – 1] the colluding nodes is
k –1
(t–1)k–(t–1) (" ! #  k m )
X k+u
The expectation of DifAB is k–u u
– 2  k+m 
k
 k m u=1 k –1
k–1
X k–1
X
k–i i
i  pi = i  k+m 
i=1 i=1 k –1

The expectation of exposed keys caused by the

collusion of NA and NB is

Security Comm. Networks (2017) © 2017 John Wiley & Sons, Ltd.
DOI: 10.1002/sec