An Efficient Elliptic Curve based Key Management Scheme for Distributed Sensor Networks

Distributed Sensor Networks are broadly used in many applications and key distribution is a challenging task. In this work, a key management scheme is developed for distributed sensor networks based on elliptic curve cryptography over prime field. Key distribution among the nodes and interactive as well as non interactive protocols for agreement of common secret key for message transmission between two nodes are discussed. The probability for connectivity of the network generated according to the proposed key distribution scheme is discussed in detail. The implementation of the proposed scheme is done using NetSim interfaced with MATLAB. Connectivity of the network is also checked through eigenvalues of the Laplacian matrix of the network.  
 

nodes key information is distributed among the nodes.Key management and maintenance in sensor networks is an important issue in the secure transmission of sensitive data among the communication nodes.The key distribution among the nodes must be done so that the connectivity of the network is always ensured to forward the messages.
There are several key management schemes available in the literature.The scheme proposed by Eschenauer and Gliger [7], is composed of three stages: key pre distribution, shared-key discovery, and path-key establishment.In key distribution phase, each sensor node is preloaded with a predetermined number of keys randomly chosen from the key pool along with their key identifiers.In the shared-key discovery phase, if two nodes in a deployed region have common keys, then the nodes exchange the key identifiers of the common secret key and hence a direct link is established between the nodes.If there is no direct link, then the nodes will communicate with each other through some intermediate nodes having common secret keys among them and with end nodes.Thus a path is created between the end nodes through in between nodes.Based on Eschenauer et al scheme Chan et al [4], designed a key distribution method, in which two nodes can communicate with each other using a pair wise key if they have at least q keys in common and enhanced resilience against node capture.Du, Deng, Han, and Varshney [6] showed that a progress in the resilience of the network is achieved through their threshold key predistribution scheme.It is based on the threshold property that if compromised nodes count is less than the threshold, then the probability for rest of the nodes to be affected is negligible.Based on Du et al model, Wenliang Du et al [18] proposed a key management scheme in which the sensor deployment distribution is assumed as a two-dimensional Gaussian distribution.
Kakelli Anil Kumar et al [9] dealt with two types of nodes high and low configuration in the secure routing protocol with elliptic curve cryptography for military heterogeneous wireless sensor networks.Panayiotis Kotzanikolaou el al [11] presented two pairwise key establishment protocols involving hybrid and public cryptosystems for sensor nodes in unattended distributed sensor networks.Xiaojiang Du [19], designed a routingdriven key management scheme using Elliptic curve cryptography in which most of the sensor nodes have communication with a small portion of their neighbours.Amjad Mehmood et al [1], proposed an inter cluster multiple key distribution scheme for wireless sensor networks providing two-phase security for the cluster head in turn the security level of the network increased significantly.In the key management scheme proposed by Furui Zhan et al [8], the exclusion basis system is used and a An Efficient Elliptic Curve based Key Management Scheme for Distributed Sensor Networks Porkodi Chinniah, and Sangavai Krishnamoorthi shared hidden key is created to develop communication among nodes using system of equations with unique solution.Pseudorandom functions based key management is done by Das et al [5] to protect large scale wireless sensor networks.In the Localized Encryption and Authentication Protocol (LEAP), suggested by Sencun.Z et al [16], four types of keys shared among the individual components through which secured inter network communication of wireless sensor networks is achieved.Security Protocols SNEP for data confidentiality and μTESLA for data authentication are introduced by Yiying et al [20].In SPINS proposed by Perrig et al [12], each pair of sensor nodes communicate through base station which acts as a trusted third party.We Porkodi and Sangavai [13,14] developed two key management schemes involving polynomial and elliptic curves for hierarchy wireless sensor networks.
Various key management schemes [2,3,15,17] are available in the literature based on combinatorial design and exclusion based scheme.
As sensitive data are transmitted through sensor networks it is necessary to maintain privacy for such messages.Secrecy is achieved by cryptographic techniques through encryption and decryption processes.Among all cryptosystems, Elliptic curve cryptography (ECC) by Neil Koblitz [10] is considered to be best suitable for embedded space because of its significant benefits on cost and performance.The principal attraction of ECC is that it offers high level security for a far smaller key size there by reducing processing overhead.The smaller key size also makes possible much more compact implementations for a given level of security, and hence faster cryptographic operations, running on smaller chips.Thus ECC is used to improve the key management scheme.
In this paper, a novel key management scheme for distributed sensor networks based on elliptic curves is developed.The base work for the proposed scheme is the key management scheme for distributed sensor networks by Laurent Eschenauer and Virgil D.Gligor.In our scheme, initially the points on an elliptic curve over a prime field are generated; the order q of the elliptic curve and a base point is obtained.Each sensor node is randomly preloaded with the r secret keys from Zq* and corresponding public keys the points on the elliptic curve.Nodes with common keys are connected by links and corresponding keys are used for message encryption and decryption.Using binomial and Poisson distributions the theoretical probability for the connectivity of a randomly generated network under the proposed key distribution is discussed in detail.Simulation is done using NetSim standard version 9.1 interfaced with MATLAB R2013a.Connectivity of the network generated is checked using eigenvalues of the Laplacian matrix of the graph.
A Summary of Notation Niith Node NCcontroller node Fp-Prime field E(Fp) -Elliptic curve over Fp P-Base point of E(Fp) of order q Zq*= {1, 2, …, q-1} ID(i) -Identity of ith node K(i) -Secret key ring of Ni PK(i) -Public key ring of Ni KCi -Secret key shared by NC with Ni Kshare(i, j) -Set of common secret keys shared by Ni and Nj SignKe(hashK(i)) -Signature of the hash value of the compromised node Ni.

II. PROPOSED SCHEME
In this section, distribution of keys to sensor nodes, establishment of links between nodes based on key distribution, protocols for the nodes to identify whether they possess the common keys or not, revocation and rekeying are discussed in detail A. Key distribution to sensor nodes In the proposed scheme, it is assumed that the network is composed of a controller node NC of large memory high computation capability and communication range and a set of 'n' homogeneous sensor nodes Ni for i=1, 2, …, n.In the key distribution phase n-sets of secret key rings each of size 'r' is selected at random from Zq * , say K(i) for i=1, 2, …, n.Node Ni is preloaded with the secret keys K(i)= {ki,1, ki,2, …, ki,r} and public keys PK(i)= {pki,1, pki,2, …, pki,r} = {ki,1P, ki,2P, …, ki,rP}.A direct link exists between any two nodes Ni and Nj if they share at least one common secret key.i.e. if K(i)∩K(j) ≠ { }.To achieve revocation process the secret key used by the controller node NC and node Ni is KCi = (ki,1 ki,2… ki,r) modq for i= 1, 2, …, n .Each node Ni is preloaded with respective KCi and NC is preloaded with all KCi for i =1, 2,…, n.

B. Direct link Establishment
An easy way for any two nodes to discover if they share a key is that every node broadcast the list of public keys Each node Ni broadcasts its identity ID(i) with a list of key identifiers PK(i) = {ki,1P, ki,2P, …, ki,rP} for i=1, 2, …, n and there is a direct link between Ni and Nj if and only if PK(i) ∩PK(j) ≠{ }.In this approach, when a node is captured by an adversary he/she can find out corresponding key of that node and associated link by decrypting communications.If the node is not captured, he/she can make a traffic analysis attack in the lack of key identifiers.Another approach is that each node Ni randomly selects a point Pm ∈ E(Fp) and broadcasts a list (Pm, EK(i)Pm ) where EK(i)Pm ={ki,1Pm, ki,2Pm, …, ki,rPm} along with its identity ID(i).A direct link exists between Ni and Nj if and only if EK(i)Pm ∩ EK(j)Pm ≠{ } i.e. if and only if {ki,1Pm, ki,2Pm, …, ki,rPm } ∩ {kj,1Pm, kj,2Pm, …, kj,rPm} ≠{ }.Nodes Ni and Nj share the secret keys in k(i) ∩ k(j) for which EK(i)Pm ∩ EK(j)Pm ≠{ }.This shared secret key set need not be singleton.An adversary attempting to recover K(i) from (Pm, EK(i)Pm ) is equivalent to solving computational hard Elliptic curve discrete logarithm problem.

C. Path Establishment
In a network, any two nodes which are not connected by a direct link will be connected by a path with the intermediate nodes having common secret keys.Path keys need not be created.Messages are transmitted from source node to destination node through the intermediate nodes in the path.

D. Protocols for agreement of shared key for message transmission between two nodes
Any two nodes may be connected directly can have more than one common key.To have a communication, the nodes must agree a common key ki, j which can be done through interactive proof of knowledge of non-interactive proof of knowledge.Suppose Kshare(i, j) ={k1, k2, …, km / m≤r} is the set of shared keys by Ni and Nj.Nodes Ni and Nj shares an unique common key kv ∈ Kshare(i, j) through the following interactive or non-interactive protocols as follows.from the above equation which in turn implies that an adversary can solve the computational hard elliptic curve discrete logarithm problem.Hence, the probability of successes of an adversary is almost zero, as it is bounded by 1/q.

E. Revocation
It is necessary to revoke the entire key ring of a node, when it is compromised by attacker.To achieve revocation, a controller node of large memory high computation capability and communication range broadcasts a single revocation message with a signed list of the hash value of r keys of the compromised node.
Suppose if the ith node is compromised then the controller node broadcasts {ki,1P, ki,2P, …, ki,rP} along with a signature list SignKe(hashK(i)) = {SignKe(hash(ki,1)), SignKe(hash(ki,2)), …, SignKe(hash(ki,r))}, where Ke is the signature key generated by the controller node.The controller node transmits the signature key Ke to respective node Ni in the encrypted form  KCi (  ) using the shared secret key KCi.After receiving the signature key, each node checks the signature of the hash value of the compromised keys and eliminates the keys if any.The removal of such compromised node will affect the connectivity of the network, because some links may disappear.Hence path establishment should be done again after every revocation.

F. Re-Keying
In most of the distributed sensor networks, it is expected that there is a possibility only for the expiry of the nodes rather than the expiry of the keys.In rare cases there is a chance for the keys to expire and in such cases rekeying is to be done.Re keying is equivalent self-revocation.Direct link and path establishment is done for the affected nodes again.

III. CONNECTIVITY OF DSN BASED ON KEY ESTABLISHMENT
In this section the connectivity of a randomly generated graph based on the proposed scheme is discussed in detail.
Any two nodes in the network are connected if they share at least one key in common.Any two nodes Ni and Nj in the network are connected by an edge if they are preloaded with secret key sets K(i) = {ki,1, ki,2, …, ki,r}and K(j) = {kj,1, kj,2, …, kj,r}such that K(i)∩K(j) ≠ { }.Thus for any two nodes, the number of ways of assigning r-keys to the second node such that it have at least one secret key in common with node 1 is   − ( − )  .Thus the probability for any two nodes to be connected is  ′ =   −(−)    .Using Stirling's approximation n! ≈ √2  + 1 2  − , the probability  ′ for a pair of nodes to be connected is simplified as .
A network of n-nodes has 2 pairs of nodes and the network is connected if at least (n-1) pairs of nodes are connected.Let  denotes the random variable that the number of connected pairs of nodes then  follows binomial distribution with parameters  2 and  ′ .As  2 is large and  ′ is small,  is assumed to follow Poisson distribution with parameter λ = ( 2 ) ′ .Thus the probability for the connectivity of a network with n nodes created according to the proposed key distribution scheme is ( ≥ . .Connectivity of the network is also checked through the eigenvalues of Laplacian matrix of the network.After assigning the keys randomly to the nodes, the connectivity of the network generated is tested by verifying whether the Laplacian matrix of the network with n-nodes has 0 as one eigenvalue and rest of the (n-1) eigenvalues non zero.If the network is not connected, the process of reassigning a new set of keys to the nodes is repeated until the connectivity of the network is achieved.Simulation results for same elliptic curve E:  2 =  3 − 4 over Fp with various pool sizes p, number of nodes and the approximate number of keys r to be assigned to each node, the ratio r/p to achieve the connectivity of the network generated according to proposed distribution with probability at least 0.99 is tabulated below.0.0140 0.0095 0.0077 0.0068 0.0060 0.0055 0.0054 0.0051 0.0048 0.0042 0.0040 30 0.0110 0.0075 0.0060 0.0053 0.0046 0.0042 0.0041 0.0039 0.0037 0.0033 0.0031 40 0.009 0.0065 0.0050 0.0045 0.0040 0.0035 0.0034 0.0033 0.0030 0.0027 0.0026 50 0.008 0.0055 0.0043 0.0038 0.0034 0.0032 0.0030 0.0029 0.0027 0.0024 0.0023 60 0.007 0.0050 0.0040 0.0035 0.0032 0.0028 0.0027 0.0025 0.0025 0.0022 0.0021 70 0.007 0.0045 0.0037 0.0033 0.0028 0.0027 0.0024 0.0024 0.0022 0.0020 0.0019 80 0.006 0.0045 0.0033 0.0030 0.0026 0.0023 0.0023 0.0021 0.0020 0.0018 0.0017 90 0.006 0.0040 0.0033 0.0028 0.0024 0.0023 0.0021 0.0020 0.0019 0.0017 0.0016 100 0.006 0.0040 0.0030 0.0028 0.0024 0.0022 0.0020 0.0019 0.0018 0.0016 0.0015 Fig. 1.Nodes vs number of keys to be loaded to each node From the above Table II it is observed that, to achieve the connectivity of the network the number of keys to be loaded to each node is at most 2.2% of the pool size.Thus only a minimum number of keys to be loaded in to each node and in turn reduces memory storage.From the following graph it is observed that, as the pool size is increased the number of keys to be loaded in each node get decreased for various sizes of nodes.In this paper, a novel key distribution scheme for distributed sensor networks based on elliptic curve cryptography is proposed.Simulation for the proposed scheme is done through NetSim interfaced with Matlab.From simulation for various inputs of key pool sizes p, it is observed the ratio of the keys to be loaded in the nodes vs. pool size to achieve connectivity of the network is at most 0.02.Thus in the developed scheme, the connectivity of the network is achieved with minimum number of keys and in turn the sensor storage requirement for keys is reduced significantly.Interactive and non-interactive Protocols to be carried out by any two nodes to agree a common secret key for secure message transmission are discussed in detail.Our future scope is to develop a clustered routing algorithm based on distance and energy for the network constructed based on the proposed scheme.

1 )
Interactive protocol (Challenge response protocol)  Ni selects randomly u ∈ Zq* , R ∈ E(Fp) and sends challenge uR to Nj  Nj sends a response c ∈ Zq* to Ni  Ni transmits b=(u -c kv) mod q to Nj  Nj computes bR+(ck1)R, bR+(ck2)R, …, bR+(ckm)R and finds out which is equal to challenge uR Node Nj conforms the unique common shared key as kv.Since, bR+(ckv)R = (u -c kv)R+(ckv)R = uR-ckvR+c kj,t R = uR Completeness The equation bR+(ckv)R = uR is satisfied only if the nodes Ni and Nj follow the protocol correctly.Soundness An adversary can cheat node Nj with probability  (−)! (!) (!) in the following way: 1. Adversary selects u, c 1 , kadv ∈ Zq * at random and sends a = uR+(c 1 kadv)R to Nj. 2. Nj sends c to adversary 3. Adversary sends u to Nj 4. Nj accepts kadv as the shared secret key if and only if a= uR+(c 1 kt)R for kt ∈ Kshare(i, j).It is possible only when c = c1 and kadv = kt.The event c = c1 occurs with probability 1/q and the event kadv = kt occurs with probability    =  (−)!(!) (!) .Thus an adversary can cheat node Nj with a probability  (−)! (!) (!).Suppose an adversary knows a = bP+cktP for which he/she can answer two distinct challenges a=bP+cktP and a=b 1 P+c 1 ktP then he/she can compute (b -b 1 )P = (c -c1 Node Ni chooses u ∈ Zq * at random and computes a = uR, the hash value c = hash(Rx||(kvR)x||ax) where Rx, ax, and (kvR)x are the X coordinates of R, a, and kvR respectively and sets b = (uckv) modq.Ni sends R, b and c to node Nj.

Fig 2 .
Fig 2. Network based on random key distribution

TABLE I :
NUMBER OF KEYS 'R' TO BE LOADED TO EACH NODE FOR CONNECTIVITY OF THE NETWORK