1 Introduction

Advances in micro-electro-mechanical systems (MEMS) and very large scale integration (VLSI) technology have given rise to the development of large scale wireless sensor networks (WSNs). WSNs comprise hundreds to thousands of tiny battery-operated sensor nodes that have no supporting infrastructure and are self-organizing; they can therefore be set up anywhere and will work without any support [1]. They have been made popular by their broad applications in areas such as environmental monitoring and control, the military and various industrial uses, where they collect data such as humidity, temperature, vehicular movement, noise levels, stress levels of mechanical structures and pressure [13]. The collected data is forwarded to a central node called the base station or sink node, which is connected to the Internet and forwards the data to a remote site for further processing.

In addition, the majority of consumer devices are now being embedded with sensors, driving the evolution of WSNs and the realization of the Internet of Things (IoT). WSNs envisioned for numerous industrial, military and medical applications keep stimulating research into secure architectures and protocols. In particular, applications in critical systems such as nuclear power plants, aircraft and healthcare demand effective mechanisms to assure the authenticity, confidentiality and integrity of the communicated data [2].

WSN nodes generally use the IEEE 802.15.4 radio technology designed for low power devices, so they inherit the security weaknesses of wireless networks in general. Beyond these, WSNs are prone to several further attacks, chief among them the node capture attack, which makes security a paramount concern [38]. At the same time, the computation, energy and memory limitations imposed on sensor nodes by design constraints, together with the hostile environments in which they operate, leave them more exposed to attacks and make public key cryptographic techniques impractical. There is therefore a strong need for security protocols that protect these networks from malicious attacks. To bootstrap secure communication, key pre-distribution has become an accepted technique that allows nodes to establish peer relationships dynamically. The simplest form of key pre-distribution uses a single network-wide key; any node pair can then connect efficiently, but compromising any one node brings the whole system down. Pairwise techniques have been suggested in which each of n nodes stores (n − 1) unique keys. This provides strong security, since compromising a single node reveals no key held by any other node, but it fails to scale: as the number of nodes grows, the memory required to store the keys grows with it. Research into energy efficiency in WSNs favours hierarchical networks over the historical flat structure, so WSN key establishment should be aligned with cluster-based techniques and, according to [4], with techniques that are quantum safe, such as multivariate cryptography, coding theory and lattice theory.

2 Related Work

In WSNs, symmetric key cryptography has become the technology of choice for key management. Its simplicity aside, it requires keys to be distributed before nodes can use it, and various key pre-distribution techniques have been suggested for pairwise key establishment [7–12]. Eschenauer and Gligor [2] proposed a random key pre-distribution scheme. Every node randomly selects a subset of keys, termed a key-ring, from a key pool generated by an offline key generator and stores the keys together with their identifiers in memory; this is the key pre-distribution phase. Key-rings are distributed probabilistically so that any node pair shares a mutual key with probability p, the aim being a connected graph with the desired probability. Two adjacent nodes that need to connect securely first exchange and compare the lists of identifiers in their key-rings. If they find a match they can establish a direct secure link; this is the shared-key discovery phase. If there is no match, the scheme uses a path-key establishment phase, in which intermediary nodes that share a key with both endpoints are used to agree a session key, which then serves as the path key for that node pair. This approach improves resilience to node capture: capturing a node reveals only a subset of the pool. The whole process is repeated for every node added to the network, and the path-key establishment phase introduces network-wide communication overhead. By comparison, a fully pairwise scheme with t nodes, in which every node establishes a pairwise key with every other node, needs t(t − 1)/2 keys network-wide, with each sensor storing t − 1 keys. Per-node storage then grows linearly with network size, and given the storage limitations of sensor nodes, each can hold only a limited set of keys.

The resilience of [2] was improved by the q-composite scheme of Chan and Perrig [5]. Whereas the basic scheme of [2] requires a single common key for nodes to form a secure link, [5] requires nodes to share at least q (q > 1) common keys before a protected connection is created. The scheme is secure up to a critical number k of compromised nodes; at k + 1 all pairwise keys can be calculated. Resilience therefore grows with k, but so does the storage required. The probabilistic nature of both [2, 5] means two nodes may fail to share any common key and hence fail to create a secure link between them. This is overcome by a communication-intensive path-key establishment through a third-party node that shares keys with both.

Jolly et al. [6] suggested a low-energy key management protocol for hierarchical WSNs, referred to here as the G. Jolly scheme. The network is separated into clusters, each comprising a cluster head (CH) and ordinary sensor nodes. Before deployment, each CH stores a number of secrets in its memory, and each sensor node randomly selects a secret from a CH and stores it together with that CH's ID. After deployment, each node exchanges its secret information with its CH; if the CH holds that secret they can create a protected connection directly, and if not, the CH requests the secret from the matching CH. The hierarchical structure improves network performance and contributes to low energy use. However, a group key is used to shield the communication between CH nodes, which is extremely dangerous for a WSN: one compromised CH exposes all inter-CH traffic. Furthermore, the G. Jolly scheme has low resilience to the node capture attack and does not scale to large WSNs, since a growing number of nodes requires more keys to be stored.

Cheng and Agrawal [11] proposed a key distribution scheme for large scale WSNs (IKDM). It improves on the G. Jolly scheme and uses the bivariate polynomials introduced by Blundo et al. [14], guaranteeing pairwise keys between any two communicating nodes. IKDM has three phases: key pre-distribution, inter-cluster pairwise key establishment and intra-cluster pairwise key establishment. During key pre-distribution, different secrets are loaded into sensors depending on their role in the network. In the inter-cluster phase the bivariate polynomial technique establishes secure communication between cluster heads, after which ordinary sensor nodes initiate the intra-cluster pairwise keys. This addresses the node capture attack, and no extra communication is needed to set up the pairwise keys among cluster heads. The Achilles heel of the scheme is the "k-security" property of bivariate polynomials: the network is secure only while the number of compromised nodes is at most k, the degree of the polynomial; beyond that the polynomial can be reconstructed and security is lost. Kim et al. [22] proposed key management for three-dimensional node deployments in WSNs; it addresses key distribution and storage for the special case of low-power sensor nodes.

3 Review of Bivariate Polynomials

These are polynomials in two variables. Each term of the polynomial is a multivariate monomial whose degree is the sum of the exponents of the variables. So, given a monomial P as below,

$$P = x^{i} y^{j}$$
(1)

The degree of the monomial is given by \(deg\left( P \right) = i + j\). A bivariate polynomial is given by the following expression

$$f\left( {x,y} \right) = \mathop \sum \limits_{i,j = 0}^{t} a_{ij} x^{i} y^{j}$$
(2)

In this case the degree of the polynomial cannot exceed t and the coefficients are elements of the finite field GF(q), also known as the Galois field with q elements. A polynomial in two variables lets a sensor establish a key with exactly one other sensor: the group is limited to two members, one per variable. For a network of n nodes sharing the same polynomial, each node can therefore establish (n − 1) links, all with unique keys, and the compromise of a single link affects only that link. However, once \(\left( {t + 1} \right)\) nodes are compromised the attacker can reconstruct the polynomial; this is the t-security problem. According to [11], for a polynomial in n variables each sensor holds a share in (n − 1) variables, and if the degree of the polynomial is t each sensor must store \(\left( {t + 1} \right)^{n - 1}\) coefficients from GF(q); for the bivariate case this is \(\left( {t + 1} \right)\) coefficients. In general a polynomial of degree k is determined by any k + 1 of its points and can be reconstructed from them by Lagrange interpolation [12, 13]:

$$P\left( x \right) = \mathop \sum \limits_{j = 1}^{k + 1} y_{j} \mathop \prod \limits_{i = 1,\, i \ne j}^{k + 1} \frac{{x - x_{i} }}{{x_{j} - x_{i} }}\bmod N$$
(3)

Therefore the scheme is secure only while at most k sensors are compromised, and is said to be k-secure. It is nonetheless resilient to node capture in the sense that any k or fewer compromised sensors do not hold enough information to reveal the secrets of the uncompromised nodes.

The storage space \(S_{p}\) required to store a polynomial share under this scheme is given by Cheng and Agrawal [11] as:

$$S_{p} = \left( {k + 1} \right)^{m - 1 }$$
(4)

where m is the size of the group that needs to establish the key, two in this case. Equation (4) then gives \(\left( {k + 1} \right)\) coefficients of GF(q) per share, so little storage is needed per connection. If there are n CHs in the network, each can establish (n − 1) links to the other CHs, which requires \(\left( {n - 1} \right)\left( {k + 1} \right)\) storage space; storage therefore grows linearly with the group size, here the number of CH nodes. For the intra-cluster key establishment, however, constant storage is required, so it scales well as the network grows.

4 Proposed Mechanism

This section proposes a mechanism for key distribution and management. The notation in Table 1 is used to describe the various keys.

Table 1 Notation used in work

Similar to IKDM [11], our solution uses the same three-tier heterogeneous network model. It is divided into four stages: key pre-distribution, inter-cluster key establishment, intra-cluster key establishment and key refreshing.

These stages are explained in detail in the following sub-sections.

4.1 Key Pre-distribution Phase

An offline key distribution center (KDC) generates a symmetric bivariate polynomial for use in the inter-cluster key establishment. As in IKDM [11], polynomial shares are derived from this polynomial and stored in the respective CH nodes. The KDC also generates a key pool containing k keys as in [15] (this k is unrelated to the polynomial degree). Each key in the pool is given an ID (ID = 1, 2, …, k). From the key pool, m key strings of l random keys each are created such that the strings are pairwise disjoint,

$$ks_{i} \cap ks_{j} = \emptyset \quad \left( {i \ne j} \right)$$
(5)

where m is the number of CH nodes, ks stands for key string, \(l = n/m\) and n is the total number of sensor nodes in the network. Each key string is then stored in a different CH node.

Unlike IKDM [11], which uses a bivariate polynomial to generate the key \(K_{Si - CH}\), our proposed solution generates the key as follows:

  • From the key strings generated by the KDC \(\left( {ks_{1}, ks_{2}, \ldots, ks_{m}} \right)\), λ keys are selected, each from a different key string, where λ is odd and \(2 < \lambda < m\). Suppose three keys are selected, say k1, k2 and k3.

  • The key is calculated using bitwise XOR as follows:

    $$K_{Si - CH} = k1 \oplus k2 \oplus k3$$
    (6)
  • This key is pre-loaded into sensor node Si along with the IDs of the CH nodes whose key strings hold the component keys and the IDs of those keys.

4.2 Inter-cluster Pairwise Key Establishment Phase

Once the keys have been preloaded into the various sensor nodes, the CH nodes initiate the inter-cluster pairwise key stage using the same technique as IKDM:

  • Cluster heads CHa and CHb exchange their IDs.

  • Each node evaluates its stored polynomial share at the received ID (as the y value), giving

    $$f\left( {ID_{CHa} , ID_{CHb} } \right)$$
    (7)
    $$f\left( {ID_{CHb} ,ID_{CHa} } \right)$$
    (8)

Since polynomial \(f\left( {x, y} \right)\) is symmetric then

$$f\left( {ID_{CHa} , ID_{CHb} } \right) = f\left( {ID_{CHb} ,ID_{CHa} } \right)$$
(9)

Therefore the two nodes hold the same key, which is the symmetric key used to encrypt traffic between CHa and CHb.
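The polynomial share, the pairwise evaluation and the reconstruction threshold of Sects. 3 and 4.2 are worked through below in an added Python example (not code from the original paper or from IKDM). The prime modulus, the degree t = 3 and the cluster-head IDs are illustrative assumptions; a deployment would use a field at least as wide as the key length. The attack function shows the t-security limit from Sect. 3: holding t + 1 captured shares, the attacker interpolates f(x, ID_b) with Eq. (3) and recovers the key of two uncompromised cluster heads, while t shares do not suffice.

```python
"""Symmetric bivariate polynomial key agreement over GF(p), as in Sect. 3 and
the inter-cluster phase of Sect. 4.2, together with the (t+1)-share
reconstruction that defines t-security (Eq. 3). Added example; the prime,
the degree and the cluster-head IDs are illustrative choices."""
import secrets

P = 2**61 - 1   # assumed prime modulus: keys are then ~61-bit field elements (toy size)
T = 3           # polynomial degree t: any t+1 captured shares reconstruct f(x, y)


def gen_symmetric_poly(t, p, randbelow=secrets.randbelow):
    """KDC: coefficients a[i][j] with a[i][j] == a[j][i], so f(x, y) == f(y, x) (Eq. 2, 9)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = randbelow(p)
    return a


def make_share(a, node_id, p):
    """Share f(ID, y) loaded into one cluster head: t+1 coefficients in y (Eq. 4 with m = 2)."""
    t = len(a) - 1
    return [sum(a[i][j] * pow(node_id, i, p) for i in range(t + 1)) % p
            for j in range(t + 1)]


def pairwise_key(share, other_id, p):
    """f(ID_self, ID_other): the key a CH computes locally from its share and the peer's ID (Eq. 7, 8)."""
    return sum(c * pow(other_id, j, p) for j, c in enumerate(share)) % p


def lagrange_eval(points, x, p):
    """Evaluate the unique polynomial of degree <= len(points)-1 through `points` at x, over GF(p) (Eq. 3)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (x - xk) % p
                den = den * (xj - xk) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


def attack_key(captured, victim_a, victim_b, p):
    """Attacker holding captured [(ID, share)] pairs recovers f(victim_a, victim_b).
    g(x) = f(x, victim_b) has degree <= t in x, and each captured share yields the
    point (ID, g(ID)); with t+1 points g is fully determined, with t it is not."""
    points = [(cid, pairwise_key(sh, victim_b, p)) for cid, sh in captured]
    return lagrange_eval(points, victim_a, p)


def demo(t=T, p=P, ids=(11, 23, 37, 41, 59, 71)):
    """CHs 11 and 23 agree a key; CHs 37, 41, 59, 71 are captured (t+1 = 4 of them)."""
    a = gen_symmetric_poly(t, p)
    shares = {cid: make_share(a, cid, p) for cid in ids}
    k_ab = pairwise_key(shares[11], 23, p)
    k_ba = pairwise_key(shares[23], 11, p)
    captured = [(cid, shares[cid]) for cid in ids[2:2 + t + 1]]
    return {
        "agree": k_ab == k_ba,                                   # Eq. (9)
        "coeffs_per_share": len(shares[11]),                     # t + 1, Eq. (4)
        "t_plus_1_shares_recover": attack_key(captured, 11, 23, p) == k_ab,
        "t_shares_recover": attack_key(captured[:-1], 11, 23, p) == k_ab,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the demo dictionary: the two cluster heads agree, each share is t + 1 field elements, four captured shares recover the victims' key and three do not. Note that the attacker never needs to recover the coefficient matrix itself; interpolating the single univariate polynomial f(x, ID_b) is enough, which is why the bound is exactly t + 1 regardless of network size.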

4.3 Intra-cluster Pairwise Key Establishment

Once the cluster heads have secured the communication links among themselves, the links within each cluster must be secured as well. This proceeds as follows:

  • Each sensor node Si sends its ID \(ID_{Si}\), the IDs \(ID_{CHi}\) of the CHs whose key strings hold the component keys used to generate \(K_{Si - CH}\), and the corresponding key IDs.

  • The sensor's CH requests the keys with those IDs from their resident cluster heads (over the inter-cluster links secured in the previous phase) and uses (6) to generate the pairwise key between itself and sensor node Si.

The CH then generates a random number, or takes one from the base station, as used in the next phase, after which CHi and Si use the updated keys for encrypted communication. The key exchange between CHi and Si completes within two control messages. The IDs sent in the first message are not secret: the security of \(K_{Si - CH}\) rests on the component keys remaining inside the CH nodes' key strings.

4.4 Key Refreshing Phase

If network nodes use the same keys indefinitely, an adversary has more opportunity to recover them: with knowledge of the data sent and the format of the ciphertext, a known-plaintext attack can be mounted against the keys used to encrypt the data. To enhance the resilience of the proposed system, a key refreshing stage is therefore introduced. In this stage the base station, at configured random intervals, sends an encrypted random number R generated by the KDC to all authenticated nodes in the network. On receipt, every CH XORs R into each key of its key string and every sensor node XORs R into its key. From the associativity and commutativity of XOR, given by (10) as

$$\left( {A \oplus B} \right) \oplus C = \left( {A \oplus C} \right) \oplus B$$
(10)

the following can be deduced. Suppose a random number R is generated; then from (6)

$$K_{Si - CH} \oplus R = \left( {k1 \oplus k2 \oplus k3} \right) \oplus R$$
(11)

Because λ is odd (λ modulus 2 = 1), R can be XORed into each component key separately: the extra copies of R cancel in pairs (R ⊕ R = 0), leaving a single R, so the expression expands to

$$K_{Si - CH} \oplus R = \left( {k1 \oplus R} \right) \oplus \left( {k2 \oplus R} \right) \oplus \left( {k3 \oplus R} \right)$$
(12)

Therefore, if the random number R is applied to every key in the key strings, with the above example

$$\left( {k1 \oplus R} \right) = k1'$$
(13)
$$\left( {k2 \oplus R} \right) = k2'$$
(14)
$$\left( {k3 \oplus R} \right) = k3'$$
(15)
$$K_{Si - CH} \oplus R = K_{Si - CH} '$$
(16)

and expression (12) reduces to

$$K_{Si - CH} ' = k1' \oplus k2' \oplus k3'$$
(17)

Thus at the end of this stage all sensor nodes use new keys for encrypted communication between Si and CHi, and the CH can still recompute a sensor's key from the refreshed key strings. After the new keys have been generated, R is discarded. For even λ the identity in (12) would not hold, since the copies of R would cancel completely; this is why λ is required to be odd.
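The following added Python example (not code from the original paper) runs the component-key construction of Sect. 4.1, the cluster-head side derivation of Sect. 4.3 and the XOR refresh of Sect. 4.4 end to end, and counts the key combinations relied on in Sect. 5.2. The 16-byte key length, the contiguous key-ID layout of the pool and the local application of R are assumptions; the transport of R from the base station and the (CH ID, key ID) references sent by the sensor are modelled as in-memory values. The parity check at the end shows why λ must be odd.

```python
"""Component-key scheme of Sect. 4.1 (pool split into disjoint key strings,
K_Si-CH as the XOR of lambda keys), the CH-side derivation of Sect. 4.3 and the
XOR key refresh of Sect. 4.4, with the combination count used in Sect. 5.2.
Added example; key length, IDs and pool layout are illustrative assumptions."""
import math
import secrets
from random import SystemRandom

KEY_BYTES = 16          # assumed key length
_rng = SystemRandom()   # OS entropy for the KDC's random choices


def xor_bytes(*parts):
    """Bitwise XOR of equal-length byte strings (Eq. 6)."""
    out = bytes(KEY_BYTES)
    for part in parts:
        out = bytes(x ^ y for x, y in zip(out, part))
    return out


def lambda_is_valid(lam, m):
    """Sect. 4.1 constraint: 2 < lambda < m and lambda odd."""
    return 2 < lam < m and lam % 2 == 1


def build_key_strings(n, m):
    """KDC: pool of n keys with IDs 1..n split into m pairwise-disjoint strings of l = n/m keys.
    Returns {ch: {key_id: key}}, one dict per cluster head (Eq. 5)."""
    if n % m:
        raise ValueError("n must be a multiple of m")
    string_len = n // m
    pool = {kid: secrets.token_bytes(KEY_BYTES) for kid in range(1, n + 1)}
    return {ch: {kid: pool[kid]
                 for kid in range(ch * string_len + 1, (ch + 1) * string_len + 1)}
            for ch in range(m)}


def preload_sensor(strings, lam):
    """Pick lambda component keys, each from a different CH's string, and XOR them.
    Returns (K_Si-CH, refs) where refs = [(ch_id, key_id), ...] is what the sensor later sends."""
    if not lambda_is_valid(lam, len(strings)):
        raise ValueError("lambda must be odd and satisfy 2 < lambda < m")
    refs = [(ch, _rng.choice(list(strings[ch]))) for ch in _rng.sample(sorted(strings), lam)]
    return xor_bytes(*(strings[ch][kid] for ch, kid in refs)), refs


def derive_at_cluster_head(strings, refs):
    """Sect. 4.3: the sensor's CH fetches each referenced key from its resident CH
    (over the inter-cluster link of Sect. 4.2) and recomputes Eq. (6)."""
    return xor_bytes(*(strings[ch][kid] for ch, kid in refs))


def refresh(strings, sensor_key, R):
    """Sect. 4.4: every CH XORs R into each key of its string (Eq. 13-15) and the
    sensor XORs R into its own key (Eq. 16). Returns (new_strings, new_sensor_key)."""
    new_strings = {ch: {kid: xor_bytes(k, R) for kid, k in s.items()} for ch, s in strings.items()}
    return new_strings, xor_bytes(sensor_key, R)


def refresh_is_consistent(lam):
    """Eq. (12) holds only for odd lambda: XORing R into each of lam component keys
    adds R lam times and the pairs cancel, leaving one R. For even lam every copy of
    R cancels and the CH's refreshed key no longer matches the sensor's."""
    keys = [secrets.token_bytes(KEY_BYTES) for _ in range(lam)]
    R = secrets.token_bytes(KEY_BYTES)
    lhs = xor_bytes(xor_bytes(*keys), R)                       # sensor side, Eq. (11)
    rhs = xor_bytes(*(xor_bytes(k, R) for k in keys))          # CH side, Eq. (17)
    return lhs == rhs


def distinct_keys_available(m, string_len, lam):
    """Number of distinct (CH, key) selections a sensor can be given: C(m, lam) * l**lam (Sect. 5.2)."""
    return math.comb(m, lam) * string_len ** lam


def demo(n=100, m=10, lam=3):
    """Constructed run: 100 sensors, 10 cluster heads, 3 component keys per sensor key."""
    strings = build_key_strings(n, m)
    key, refs = preload_sensor(strings, lam)
    R = secrets.token_bytes(KEY_BYTES)          # stands in for the value the base station sends
    new_strings, new_key = refresh(strings, key, R)
    return {
        "ch_derives_same_key": derive_at_cluster_head(strings, refs) == key,
        "refresh_consistent": derive_at_cluster_head(new_strings, refs) == new_key,
        "key_changed": new_key != key,
        "refs_sent_by_sensor": refs,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the demo dictionary; `refresh_is_consistent(4)` returns False because the four copies of R cancel, so the CH would derive the old key while the sensor holds K ⊕ R. `distinct_keys_available(10, 10, 3)` gives 120,000, the combination count behind the storage argument of Sect. 5.2.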

5 Security and Performance Analysis

Simulations were carried out in the ns2 simulation tool [18]. Results were analyzed for their effects on security, storage and the residual energy of each CH node. The total simulation time was 80 s with 1000 sensors and an initial CH energy of 10 J. Simulation parameters are given in Table 2.

Table 2 Simulation parameters

Communication overhead, measured as average energy consumption, is 0.3 J per sensor node in each cluster and 0.9 J per cluster head [19]. With packet sizes of 30–50 bytes, network throughput is 0.25–2.25 Kbps and end-to-end network delay is 3–27 ms respectively.

Network lifetime was evaluated in two ways: the round in which the first sensor node dies, and the round at which 90% of the sensors are still alive. The results are better than those of [6] and [11], while the intra-cluster and inter-cluster communication overheads during operation are the same as in [20] and [21]. Table 3 shows network lifetime for a hierarchical topology of three levels and distance r from the base station. The results show that a CH dies after completing 500 units of work, i.e. data transferred or processed in the CH. The energy spent per job is that of reception and transmission, as the energy spent on processing is negligible: with reception costing 0.5 units and transmission 1 unit over distance r, a CH spends 1.5 units of energy per data transfer and completes 500 transfers before dying.

Table 3 Network life time

5.1 Security for Key Distribution

From Fig. 1 it is observed that even if all CH nodes are compromised, the sensor nodes are not directly affected: the keys in sensor nodes cannot be revealed by the compromise of CH nodes alone. The effect of using component keys drawn from different CHs' key strings is similar to that of IKDM; the difference lies in how the keys are stored in the CH. Evaluating a polynomial to obtain a component key is equivalent to looking a key up in a key string, except that when a CH is compromised in IKDM no keys are directly available to the attacker, whereas here the key string is. The proposed scheme therefore requires tamper-proof hardware as in [16] for the CH: any attempt to retrieve the keys from a compromised CH leads to deletion of the data on that node. This assumption is essential. Without it, an attacker who captures the CHs holding a sensor's λ component keys, and who has observed the (CH ID, key ID) references the sensor sends in the intra-cluster phase, can recompute \(K_{Si - CH}\) from (6). With 10 CH nodes, 100 sensor nodes and 3 component keys per sensor key, the compromise of any CH node does not affect the keys stored in any sensor node, as in IKDM. Figure 1 shows the resilience of the network against compromised CH nodes; the proposed mechanism performs better than the existing mechanisms shown.

Fig. 1
figure 1

Resilience of network

5.2 Storage Management

The scheme in [11] uses two 128-degree bivariate polynomials. According to [12], a t-degree polynomial share stores t + 1 coefficients, so IKDM needs to store roughly 258 coefficients for the two polynomials in each CH node, as well as the key \(K_{CHi - BS}\) for authenticated communication with the BS; each coefficient is large enough to hold a cryptographic key. Our scheme uses a 128-degree bivariate polynomial, under similar conditions, for the inter-cluster phase only. For the intra-cluster phase we store far fewer keys. Since the final key \(K_{Si - CH}\) is a combination of several component keys, a key string of 10 keys per CH already yields more than enough combinations for the 10,000 sensors used as the basis for the polynomial degree in IKDM, and the combinations leave room for expansion well beyond 10,000 nodes without increasing the storage in CH nodes. Fig. 2 shows that the proposed scheme uses constant storage, at least for the numbers of nodes under consideration, a reduction of approximately 50%. This result depends on the number of CHs in the network, according to [17].

Fig. 2
figure 2

Storage requirements with network growth

5.3 Energy Efficiency

Fig. 3 shows the benefit of the proposed scheme in energy efficiency and management. From the results obtained, Eq. (18) gives the percentage of energy used, for example in the first 10 s, as follows:

Fig. 3
figure 3

Comparison of residual energy

$$Protocol_{ Percentage\,of\,energy\,used} = \frac{Consumed}{Original\,amount} \times 100\%$$
(18)

The results show that in the first 10 s the proposed scheme uses approximately 8% less energy than IKDM, but about 2.9% more than the G. Jolly scheme over the same period. In short, it takes less computational energy to look up a key than to evaluate a polynomial, and since a significant share of the computation energy in CH nodes under IKDM goes into evaluating the intra-cluster polynomial, replacing it makes more efficient use of the scarce energy in CH nodes. We have also compared the proposed mechanism with [22] in terms of security. Key distribution in the proposed scheme carries less overhead because it needs no encryption or decryption, and the key is hard to compute because an attacker needs not only the polynomial share but also all three component keys of the sensor node. The results also show that energy efficiency is similar to [22] and better than LOCK [23], owing to the use of symmetric keys.

6 Conclusion

In this paper the proposed mechanism has been shown to consume less energy than other existing schemes and to be scalable in both storage and energy efficiency. The extra key refreshment step adds another layer of security compared to existing techniques, at the cost of the extra communication it requires.