A Scheme for Secure and Reliable Distributed Data Storage in Unattended WSNs

Transcription

1 A Scheme for Secure and Reliable Distributed Data Storage in Unattended WSNs Yi Ren, Vladimir Oleshchuk, and Frank Y. Li Dept. of Information and Communication Technology, University of Agder, Norway {yi.ren, vladimir.oleshchuk, Abstract Unattended Wireless Sensor Networks (UWSNs) operated in hostile environments face a risk on data security due to the absence of real-time communication between sensors and sinks, which imposes sensors to accumulate data till the next visit of a mobile sink to off-load the data. Thus, how to ensure forward secrecy, backward secrecy and reliability of the accumulated data is a great challenge. For example, if a sensor is compromised, pre-compromise data accumulated in the sensor is exposed to access. In addition, by holding key secrecy of the compromised sensor, attackers also can learn post-compromise data in the sensor. Furthermore, in practical UWSNs, once sensors stop working for accidents due to node crash or battery depletion, all the data accumulated will be lost. To address the challenges, we propose a secure and reliable data distribution scheme in this paper. Detailed analysis shows that our scheme can provide forward secrecy, probabilistic backward secrecy and data reliability. To further improve probabilistic backward secrecy and data reliability, a constrained optimization data distribution scheme is proposed. Detailed analysis and simulation results show the superiority of the proposed scheme in comparison with several previous approaches developed for UWSNs. I. INTRODUCTION Recently, the security aspects of Unattended Wireless Sensor Networks (UWSNs) have gained more attention in the research community [1], [2], [3], [4]. In an UWSN, sensors cannot off-load data to a sink at will or in real-time due to the absence of an on-line sink or a base station in the network. Instead, a mobile sink visits the network periodically for data collection. In other words, in time intervals between any two consecutive visits, the sensors have to accumulate and store the sensed data till the next visit of the mobile sink. The design of UWSN is motivated by scenarios where not real-time information, but historical information is of interest. For example, [5] introducing a military UWSN application for border surveillance, target acquisition, situational awareness, etc., where unattended ground sensors are deployed in the ground of adversary environment to gather information about adversary activities. In addition, the U.S Defense Advanced Research Projects Agency (DARPA) developed a robotic radio relay node - National LANdroid [6] for battlefield data collection. Nodes are deployed in battlefield for data collection and then transmit the collected data to ally units (e.g., tank or soldiers) when they arrive. Compared with traditional WSNs, the property of UWSNs poses many new challenges in security. For example, a mobile adversary which roams in the UWSN periodically compromises and releases sensors to enrich its knowledge of all collected data when the mobile sink is absent. Since data is accumulated and stored in sensors, one importance issue is Forward Secrecy (FSe) - how to ensure that pre-compromise data will not be revealed if a sensor is compromised? On the other hand, the mobile adversary may release the sensor and then turn to compromise other sensors, another issue is Backward Secrecy (BSe) - how to guarantee that post-compromise data will not be exposed? Moreover, data reliability is also critical - how to keep the accumulated data survival if sensor nodes stop working due to power depletion, corroding or getting smashed? To deal with the aforementioned problems, DISH [3] and POSH [4] are proposed to provide FSe and merely certain probabilistic BSe in ideal networks where sensors and communication channels are reliable. However, they are not resilient to node failure and Byzantine failure. Aiming at this problem, the authors in [7] take advantage of (k, n) secret sharing and (m, n) Reed-Solomon (RS) Codes, in which m (or k) ofn data parts are required to reconstruct data, adding data redundancy to provide resilience to node invalidation and Byzantine failure. However, neither FSe and BSe nor how to specify (m, n) is addressed in their work. Two other approaches, keyinsulated [8] and intrusion-resilient [9] encryption schemes are designed to provide both FSe and BSe. Both approaches require public-key cryptosystems and are not suitable for resource-constrained sensors. Therefore, none of the above mentioned schemes satisfy the overall requirements of FSe, BSe and data reliability needed for UWSNs. This paper makes two main contributions. Firstly, we propose a secure and reliable data distributed storage scheme based on (m, n) RS Codes. The proposed scheme can provide FSe, probabilistic BSe and reliability of data without relying on reliable nodes and communication channels. Secondly, to further improve probabilistic BSe and reliability of data, we propose a constrained optimization data distribution scheme considering that nodes may be compromised. Based on the optimized data distribution scheme, suitable values of (m, n) can be selected to maximize security level and at the same time maximize data reliability. We show further through detailed analysis and simulation that our scheme provides FSe, enhanced probabilistic BSe and is resilient to node and message failure. The rest of the paper is organized as follows. In Section II, the network model, threat model and design goals are presented. Section III provides the detailed description of our

2 proposed scheme. How to distribute data to neighbor nodes is presented in Section IV. Then Section V analyzes and simulates performance of the scheme. Finally, Section VI concludes the paper. II. NETWORK MODEL, THREAT MODEL AND DESIGN GOAL A. Network Model We consider an UWSN that consists of N sensor nodes. It can be formulated as an undirected graph G(N, E), where the sensor node set is N = {s 1,s 2,,s N } and the edge set is E = {e 1,e 2,,e M }. We assume that a node s i has nb i neighbors, which compose a neighbor node set NB i. There is a mobile sink that visits the UWSN periodically to collect data. The time interval between the current visit and the previous visit is denoted as T. The sensor s i generates data at each round, and the data generated at round r is denoted as d r i. Once a data value d r i is generated, it is stored locally, and waits until an authorized mobile sink offloads them. Each sensor has the ability to perform one-way hashing and symmetric key encryption. We assume that the mobile sink is a trusted party which cannot be compromised. Additionally, the mobile sink will re-initialize the secret keys and reset the round counters when the mobile sink visits the network. B. Threat Model The UWSNs could be attacked in many ways. In this paper, we focus on a Mobile Adversary that prefers roaming in the UWSN while the mobile sink is absent. We refer to it as ADV hereafter. The ADV has capabilities [3] as follows: Compromise power: The ADV can compromise up to k<n sensors during a time interval T. No interference: The ADV would not interfere the communication between nodes, would not rework any data sensed by, or stored on sensors it compromises. In other words, the ADV is read-only. Strictly local eavesdropping: The ADV is unable to monitor and record all the communications. It can only eavesdrop incoming and outcoming communications on currently compromised nodes. Beside the attacks mentioned above, the ADV can also randomly select some sensor nodes to physically corrupt them (such as smash, melt or corrode), or sensor nodes may fail due to power depletion or natural disaster. In this occasion, the nodes totally lose the functionality. C. Design Goals Our design goals are to guarantee data confidentiality and data reliability against the attacks launched by the ADV. Data confidentiality: As shown in Fig. 1, we further divide data confidentiality into FSe and BSe. Let s assume that an ADV compromises a sensor node s i at round r 1, and release the s i at round r 2 (r 1 <r 2 ). Between round r 1 and r 2,the ADV is residing in s i, and we define this time interval as reside period T rp. Definition 1. We define the secrecy of the data generated before round r 1 as FSe.TheFSe of a sensor s i is compromised if the data generated and encrypted before the round r 1 can be decrypted by an ADV which holds the secret obtained during reside period T rp. Definition 2. We define the secrecy of the data generated after round r 2 as BSe. TheBSe of a sensor s i is compromised if the data generated and encrypted after the round r 2 can be decrypted by a ADV which holds the secret obtained during reside period T rp. Data reliability: The proposed scheme should be resilient to node crash, meaning that data can be retrieved even if some nodes have lost their functionality. Our design goal is to guarantee FSe, BSe and data reliability. Sink arrives compromise release return r 1 r 2 r 3 forward secrecy reside period T rp backward secrecy T Sink leaves Figure 1. Illustration: a node is compromised by ADV at round r 1,and released at round r 2 ; at round r 3,theADV returns again. D. Preliminaries 1) Erasure Code: A (m, n) erasure code encodes a block of data into n fragments, which has 1 m the size of the original block, so that any m fragments can be used to reconstruct the original block. An example of such erasure coding scheme is RS Codes [1]. We define an n-party RS Codes algorithm with data space DAT A as a pair Π=(Share RS, Recover RS ), where: Share RS is a probabilistic algorithm that takes an input d DAT A and generates the n-vector P R Share RS (d), where P = {p 1,p 2,,p n }, R means random output, and p i {, 1}. If d / DAT A, Share RS returns ( undefined ). Recover RS is a deterministic algorithm that takes input P ({, 1} ) n, where represents a data part that has been missing (or is not available). The Recover RS outputs Recover RS (P) DAT A, where is a distinguished value, denoting failed recovery. III. THE PROPOSED SCHEME In this section, we propose a secure and reliable data distribution scheme to provide FSe, BSe and data reliability. To provide FSe for sensor s i, a simple way is to update its secret key K i at each round by applying hash function, e.g., Ki r = h(kr 1 i )(Ki = K i). Duetoone-way property of hash function, the ADV cannot derive the previous rounds key (before the sensor was compromised). Thus, FSe is provided. However, the ADV which holds the secret key Ki r, r [r 1,r 2 ] still can derive the future key which will be used in the

3 following rounds. In other words, if the ADV returns at round r 3 (r 2 <r 3 ), it still can decrypt the data which was encrypted in time interval [r 2,r 3 ], by mimicking key update, meaning that the BSe is not guaranteed. To guarantee both FSe and BSe, we propose a data distribution scheme as following. A. The proposed scheme We observe that data encrypted by symmetric encryption cannot guarantee BSe. It holds as long as a sensor relies only on itself for security. However, as we discuss later, BSe can be probabilistically achieved if sensors cooperate with their neighbors. The new scheme that satisfies the mentioned above requirements contains the following steps: Step 1: System initialization. The mobile sink picks a secure hash function, denoted as h(.), and a master key denoted as K m. Before deploying each sensor node s i, the mobile sink preloads to the sensor hash function h(.), and initial data encryption keys K i for each sensor. Here, K i is computed as h(k m i). In the end of each round, the round index r and the encryption key Ki r are updated as Ki r = h(kr 1 i ), where r =1, 2, and Ki = K i. Thus, the mobile sink only needs to store a single master K m and all round keys Ki r can be derived as needed. Step 2: Distributed data storage. Each sensor s i firstly generates a keyed hash value with round key Ki r by MACi r = h(d r i Kr i ), and then a plaintext data that consists of d r i, MACr i, and values r and s i, denoted as PLtext r i = {d r i MACr i r s i}, is encrypted by using updated key Ki r. The encryption data is denoted as d r i ENtext r i = Enc(K r i,pltext r i ) = Enc(K r i, {d r i MAC r i r s i }). Thus, the integrity and FSe of the sensed data is guaranteed. is equipped in m r i = {ENtext r i,r s i }. Step 3: Data parts generation. s i employs (m, n) RS code (Share RS ) to encode ENtext r i into n data parts, denoted as a set of P i = {p r i,1,pr i,2,,pr i,n }. Step 4: Data distribution. s i selects top n security level neighbors in set NB i (e.g., s j ) based on node selection scheme (more details in Section IV), and sends one randomly selected distinct data part m r i,j = {p r i,j,r s i} to s j by using pairwise secret key K i,j to encrypt the packet. s i s j : {Enc(K i,j,m r i,j)}. After the data is distributed, the original data is erased securely. Step 5: Data reconstruction. The mobile sink collects m data parts from nodes and reconstructs data using (m, n) RS Codes. IV. OPTIMIZED DATA DISTRIBUTION SCHEME In this section, we discuss the data distribution scheme based on the possibility that nodes to be compromised to achieve enhanced data confidentiality and reliability. A. Node selection scheme Inspired by the routing path selection algorithm in [11], we assume each node has a Probability Vector (PV) PV i = [P i,1,p i,2,,p i,nbi ] to reflect the security level of its neighbor nodes in NB i, where P i,j (j = 1, 2,,nb i ) is the probability that s i,j, a neighbor node of the s i, is compromised in time interval T. P i,j could be evaluated from the feedback of certain security monitoring software and/or assigned manually by the mobile sink based on information such as the physical protection, the location, or the role of the nodes. For example, the nodes buried under the ground have higher security level (lower P i,j ) than the nodes exposed, or the nodes deployed in enemy ground would have lower security level (higher P i,j ). Without loss of generality, we further assume P i,1 P i,2 P i,nbi, meaning that the security levels are ordered from high to low. Given a probability threshold value PT i, s i can select t qualified neighbor nodes that have lower probability of being compromised than the threshold value PT i, denoted as set NB qlf_i = {s i,1,s i,2,,s i,t }, where P i,1 P i,2 P i,t PT i. Then, the data distribution scheme of s i can be formulated to a constrained optimization problem: minimize P r recov (m, n) subject to P i,j PT i where Pr recov (m, n) is the probability that the original data is recovered by a ADV. Given a redundancy factor τ = n m of the (m, n) RS Codes, the data distribution scheme can be divided into two classes depending on τ. 1) Maximum security without redundancy, that is τ =1 or m = n. To provide maximum security, in other words, minimize Pr recov (m, n), the data distribution scheme must force the ADV to compromise all the qualified data holders. In the data distribution scheme, s i encodes data into n = t parts and distributes them to the t qualified neighbor nodes in NB qlf_i.thepr recov (m, n) is thus equal to the probability that all the t nodes are compromised, t Pr recov (m, n) = P i,j. (1) It is easy to derive that the higher the number of qualified neighbor nodes, the lower the Pr recov (m, n). However, too many t may cause large storage and communication overhead. Given a required security level λ i, and considering storage overhead and communication overhead, s i can choose the top n = t (t t) security level nodes, which satisfy Pr recov (m, n) = t P i,j λ i to distribute the data. Discussion: When τ = 1, the data distribution scheme is able to provide maximum security, but it cannot improve reliability. In other words, it is not resilient to node failure and

4 message failure. Even one node loses function, or one data part is not delivered, the original data cannot be recovered. In practical networks, sensors may stop working due to node crash, and messages cannot always be delivered, it is necessary to add redundancy for data reliability. 2) Maximum security with redundancy, that is τ > 1 or m<n. Encoded by a (m, n) RS Codes, when m<n,if α (α n m) data parts are corrupted or lost, the original data still can be recovered. Note that the higher the τ is the more data reliability can be obtained, but the easier the ADV can recover the data. The tradeoff is thus, given a required redundancy threshold, e.g., τ<1+ 2 t, how to distribute data parts among nodes that satisfy the required security level to obtain the maximum security while having the maximum data reliability. s i encodes data into n = t parts and distributes them to t qualified neighbor nodes in NB qlf_i. Considering that the data redundancy is upper-bounded by τ<1+ 2 t,to maximize the data reliability, m can be chosen as m> nt t +2. (2) Thus, it is easy to see that ENtext can be recovered by the ADV, only if the ADV compromised at least m nodes in {s i,1,s i,2,,s i,n }, which has the probability m n P i,j Pr recov P i,j. (3) An example. For simplicity, we assume that a sensor s 9 has 7 neighbor nodes, denoted as NB 9 = {s 9,1,s 9,2,,s 9,7 }, with PV 9 = {5%, 5%, 1%, 1%, 2%, 3%, 4%}. Givena threshold value PT 9 = 25%, it is easy to see that qualified nodes are selected as set NB qlf_9 = {s 5,1,s 5,2,,s 5,5 }.At round 8, thes 9 generates data d 8 9, encrypts it into ENtext 8 9, encodes ENtext 8 9 into n = t =5parts, distributes the 5 parts to all the 5 nodes in NB qlf_9, and then follows the steps below depending on the τ. 1) τ = 1. Since m = n = 5, it forces the ADV to compromise all the 5 nodes to recover the ENtext 8 9 with probability Pr recov (5, 5) = 5 P i,j =5% 5% 1% 1% 2% =.5%. To compromise the BSe of s 9,theADV has to recover ENtext 8 9. On the other hand, it has to compromises s 9 to get the key secret to decrypt the ENtext 8 9. Assuming P 9 = 2% is the probability of the s 9 to be compromised by the ADV, the probability of BSe of s 9 to be compromised is Pr BSe_comp = P 9 Pr recov (5, 5) =.1%. 2) τ > 1. Based on Eq. (2), m should be chosen as m =4(m> 25 7 ).If1(n m =1)data part is corrupted or lost, the ENtext 8 9 still can be recovered. The ADV has to compromise at least 4 nodes to recover the ENtext 8 9 with probability.25% Pr recov (4, 5).1%. Given P 9 = 2%, thebse of s 9 to be compromised is.5% Pr BSe_comp.2%. V. PERFORMANCE ANALYSIS In this section, we show a comparison between the results j=n m obtained through a MATLAB simulator [12] we developed. To reduce storage overhead and communication overhead, We consider an UWSN where 2 nodes are randomly s i can choose the top n = t (t t) security level nodes, which satisfy Pr recov (m, n) = distributed in a 5m by 5m area. Each sensor node has a t P i,j λ i to distribute transmission range equal to TR = 6m. The simulation results the data, for a given required security level λ i. are averaged over 1 randomly deployed networks. Nodes are Below, we state our claims for the security of proposed divided into four sets with different compromise probability scheme. We defer the proofs to Appendix. P i : 2% of nodes with probability P i = 5%; 3% of nodes Claim 3. The proposed scheme can guarantee FSe. with P i = 4%; 3% of nodes with P i = 2%; and 2% of nodes with P i = 1%. We set the probability threshold value Lemma 4. The BSe of the sensor s i can be compromised PT i = 3% of the proposed node selection scheme, meaning by a ADV, if and only if the following three conditions are that node with P i >PT i is considered too risky to allocate satisfied. data parts and would not be selected based on node selection 1) the sensor s i is compromised by the ADV; scheme. The required security level is set as λ i =.1%. Since 2) the ADV s compromising ability k>m; both [3] and [4] operate in ideal network without node and 3) the ADV compromised at least m neighbor nodes of s i message failure, we conduct the simulation compare to the that store the corresponding data parts. proposed scheme, the scheme used in [7], and a naive scheme Proof: Straightforward. meaning that no security mechanism is adopted. As shown in Fig. 2 (A), (B), (D) and (E), we observe Claim 5. Let PT i be a probability threshold, τ be the redundancy factor and P i be the probability of s i to be compromised that the proposed scheme can guarantee the best probabilistic BSe with respect to [7] and the naive scheme, no matter in time interval T.IfConditions 1-3 of Lemma 4 are satisfied what redundancy factor τ is. When τ < 1, the proposed then the probability Pr BSe_comp that the ADV compromises scheme has the highest probability of data reliability. However, the BSe of s i is as following: when τ =1, both [7] and the proposed scheme has lower Pr BSe_comp =, k < m probability of data reliability than the naive scheme provided. m P i,jp i Pr BSe_comp This observation agrees with the discussion in Section IV-A n j=n m i,jp i, k > m,τ < 1,P i,j PT 1) maximum security without redundancy, meaning that the i Pr BSe_comp = t P original data cannot be recovered if one data part is lost. i,jp i, k > m,τ =1,P i,j PT i. Since the nodes are randomly distributed in the simulation, the number of s i s neighbor nodes is different, which causes effect on Pr BSe_comp and data reliability. Such effects with

5 Prob. of BSe to be compromised (A) τ= Prob. of data reliability (B) τ= Prob. of BSe to be compromised (C),τ=1,τ<1, τ=1, τ< nb, the number of neighbor nodes i.35 (D) τ<1 1 (E) τ<1 1 (F) Prob. of BSe to be compromised Prob. of data reliability Prob. of data reliability.8.6.4,τ=1.2,τ<1, τ=1, τ< nb i, the number of neighbor nodes Figure 2. Comparison results of different schemes in terms of probability of BSe and data reliability. respect to Pr BSe_comp and data reliability are shown in Fig. 2 (C) and (F). We observe that the proposed scheme has the best performance no matter how τ i and nb i are specified. According to the results, given a required security level λ i, it is very easy to choose average number of neighbors when a sensor network is deployed with uniformly distributed nodes. Finally, Table. I summarises the comparison results of different schemes in terms of FSe, BSe, Resilient to Node Failure (RNF) and Resilient to Message Failure (RMF). The results demonstrate that the proposed scheme has the best performance among these studied schemes. Table I SECURITY AND PERFORMANCE COMPARISON RESULT AMONG EXISTED WORK AND PROPOSED SCHEME IN TERMS OF FSe, BSe, RNF, AND RMF. FSe BSe RNF RMF DISH [3] Yes Probabilistic No No POSH [4] Yes Probabilistic No No Partial Probabilistic Normal Normal Yes Enhanced Probabilistic Strong Normal VI. CONCLUSIONS AND FUTURE WORK In this paper, we have proposed a secure and reliable scheme for distributed data storage in UWSNs. We take the advantages of both key evolution and RS Codes to guarantee FSe, probability BSe and data reliability. To maximize security level of data and optimize data reliability, we further proposed a constrained optimization data distribution scheme. As demonstrated in the Appendix, the proposed schme is low storage overhead, computational efficiency and especially suitable for UWSN applications. Compared with existing schemes, our scheme does not rely on reliable nodes and communication channels, and can be resilient to message failure and node failure with certain probabilities. Furthermore, through detailed security and efficiency analysis, we show that the proposed scheme can guarantee FSe and maximize probabilistic BSe while providing maximum data reliability. Finally, the simulation results demonstrate that, compared with other schemes, the proposed scheme is more robust to support FSe, BSe, and data reliability. In the future, we will work on the scheme that focuses on how to coordinate sensor nodes to support long-lived UWSNs and how to dynamically estimate the security level of nodes in UWSNs. APPENDIX A. Proof of FSe (Claim 3) The ADV cannot derive the previous key from the current key it holds due to the one-way property of hash function. Hence the ADV cannot decrypt the data encrypted and stored in the previous rounds. Therefore, the FSe is guaranteed. B. Proof of BSe (Claim 5) Since an ADV can compromise BSe only if the ADV can compromise s i to get its secret key Ki r and compromise at least its m neighbor nodes that store the data parts to recover the ENtext r i,theadv thus can use Kr i to decrypt the ENtextr i

6 to get the PLtext r i. As proof in Lemma 4, one can see that Pr BSe_comp = Pr{C 1} Pr{C 2} Pr{C 3}, where Condition 1 refer to C1 for short, so as the Condition 2 and 3. Case 1: k < m. That is Pr{C 2} =.TheADV does not have the ability to compromise at least m sensors within the mobile sink s visiting interval. Thus, it cannot recover ENtext r i. Hence, it cannot compromised the BSe, that is Pr =. Case 2: k>m,τ<1. That is Pr{C 2} =1.TheADV has the ability to get enough data parts to recover ENtext r i Given a threshold probability PT. i, the probability Pr recov is computed in Eq. (3). Thus, that is Pr BSe_comp = Pr{C 1} 1 Pr{C 3} = P i Pr recov, m P i,jp i Pr BSe_comp n j=n m P i,jp i. Case 3: k>m,τ<1. That is Pr{C 2} =1. Similar to the case 2, given a PT i, the probability Pr recov_ is computed in Eq. (1). Thus, Pr BSe_comp = Pr{C 1} 1 Pr{C 3} t = P i Pr recov = P i,jp i. C. Proof of Reliability 1) Resiliency to Node Failure: Proposition 6. The mobile sink can recover original data if the number of failure nodes in N is less than threshold value n m. The probability of sucessful data recovery in terms of random node failure is Pr resilient_nf =1 m t n C t npr t nf (1 Pr nf ) n t where Pr nf is the probability that a node has random failure. Proof: Straightforward. 2) Resiliency to Message Failure: Proposition 7. The mobile sink can recover original data if the number of failure message in N is less than threshold value n m. The probability of sucessful data recovery in terms of random node failure is Pr resilient_mf =1 m t n C t npr t mf (1 Pr mf ) n t where Pr mf is the probability that a message has random failure. Proof: Straightforward. D. Efficiency We follow the example of [7] to analyze the performance of the proposed scheme in terms of computation cost, communication and storage overhead. 1) Computation Cost: At each round, the data source node s i needs to perform two hash operations, updating key Ki r = h r 1 (K m i) and then computing MACi r = h(d r i Kr i ), and two symmetric encryptions ENtext r i = Enc(Ki r,pltextr i ) and Enc(K i,j,m r i,j ). To generate distributed data parts, s i encodes ENtext r i into n data parts using RS Codes. Let γ and β denote the size of K m i and d r i Kr i, respectively. The total computation cost at the data source node s i is Hash 1 γ + Hash 1 β + SymEnc2 + RSCoding 1, where Hash 1 γ denotes one hash operation with input size of γ, SymEnc 2 denotes two symmetric encryptions, and RSCoding 1 denotes one RS Codes operation. The computation cost at data part holders is only one symmetric decryption operation. 2) Storage Overhead and Communication Overhead: We assume symbols s i, Ki r, and r as the elements of the Galois Field GF (2 q ) (e.g., q =8, 16). After s i generates data parts, s i would send Enc(K i,j, {p r i,j, {r, s i}}) to one of its neighbor s j, where p r i,j is the output of coding ENtextr i using RS Codes. We assume ENtext r i contains φ symbols. Due to the property of RS Codes, the size of p r i,j is φ m. In addition, each node needs nb i q bits storage overhead to maintain a probability vector. Thus, the communication overhead during the distribution is approximately n ( φ m +2) q bits, and it requires ( φ m + nb i + 2) q bits storage overhead to keep the data parts at each data holder. REFERENCES [1] R. Di Pietro, L. V. Mancini, C. Soriente, A. Spognardi, and G. Tsudik, Catch me (if you can): data survival in unattended sensor networks, in Proc. IEEE PerCom 8, Hong Kong, Mar. 28, pp [2] D. Ma and G. Tsudik, Extended abstract: forward-secure sequential aggregate authentication, in Proc. IEEE Symp. on Security and Privacy (S&P 7), Oakland, CA, USA, May. 27, pp [3], DISH: Distributed Self-Healing, in Proc. 1th Int. Symp. on Stabilization, Safety, and Security of Distributed Systems (SSS 8), Detroit, MI, USA, Nov. 28, pp [4] R. Di Pietro, D. Ma, C. Soriente, and G. Tsudik, POSH: Proactive co-operative Self-Healing in unattended wireless sensor networks, in Proc. IEEE Symp. on Reliable Distributed Systems (SRDS 8), Napoli, Italy, Oct. 28, pp [5] Trident s family of unattended ground sensors. [Online]. Available: [6] Information Processing Technology Office (IPTO) Defense Advanced Research Projects Agency (DARPA). "BAA 7-46 LANdroids Broad Agency Announcement (BAA), 27". [Online]. Available: [7] Q. Wang, K. Ren, W. Lou, and Y. Zhang, Dependable and secure sensor data storage with dynamic integrity assurance, in Proc. IEEE INFOCOM 9, Rio de Janeiro, Brazil, Apr. 29, pp [8] Y. Dodis, J. Katz, S. Xu, and M. Yung, Key-insulated public key cryptosystems, in Proc. Advances in Cryptology - EUROCRYPT 2, 22, pp [9] Y. Dodis, M. Franklin, J. Katz, A. Miyaji, and M. Yung, Intrusionresilient public-key encryption, in Proc. Topics in Cryptology - CT-RSA 3, 23, pp [1] I. Reed and G. Solomon, Polynomial codes over certain finite fields, Journal of the Society for Industrial and Applied Mathematics, pp. 3 34, 196. [11] W. Lou, W. Liu, and Y. Fang, SPREAD: enhancing data confidentiality in mobile ad hoc networks, in Proc. IEEE INFOCOM 4, Hong Kong, Mar. 24, pp [12] Y. Ren. Unattended wireless sensor Simu. [Online]. Available: