Pairwise and Triple Key Distribution in Wireless Sensor Networks with Applications

Transcription

1 1 Pairwise and Triple Key Distribution in Wireless Sensor Networks with Applications Sushmita Ruj, Member, IEEE, Amiya Nayak, Senior Member, IEEE and Ivan Stojmenovic, Fellow, IEEE SEECS, University of Ottawa, Canada {sruj, anayak, Abstract We address pairwise and (for the first time) triple key establishment problems in wireless sensor networks (WSN). Several types of combinatorial designs have already been applied in key establishment. A BIBD(v, b, r, k, λ) (or t (v, b, r, k, λ) design) can be mapped to a sensor network, where v represents the size of the key pool, b represents the maximum number of nodes that the network can support, and k represents the size of the key chain. Any pair (or t-subset) of keys occurs together uniquely in exactly λ nodes; λ = and λ = 3 are used to establish unique pairwise or triple keys. We use several known constructions of designs with λ =, to predistribute keys in sensors. We also describe a new construction of a design called Strong Steiner Trade and use it for pairwise key establishment. To the best of our knowledge, this is the first paper on application of trades to key distribution. Our scheme is highly resilient against node capture attacks (achieved by key refreshing) and is applicable for mobile sensor networks (as key distribution is independent on the connectivity graph), while preserving low storage, computation and communication requirements. We introduce a novel concept of triple key distribution, in which three nodes share common keys, and discuss its application in secure forwarding, detecting malicious nodes and key management in clustered sensor networks. We present a polynomial-based and a combinatorial approach (using trades) for triple key distribution. We also extend our construction to simultaneously provide pairwise and triple key distribution scheme, and apply it to secure data aggregation. Keywords: Key predistribution, Pairwise-keys, Resilience, Secure-routing, Secure-aggregation, Steiner Trades 1 INTRODUCTION Sensor nodes are small battery powered devices which are deployed in large numbers to sense and collect information in various applications ranging from health care to military [1]. In key predistribution, keys are preloaded in sensor nodes prior to deployment. A good key predistribution scheme should be resilient to node compromise. One way of predistribution is to load all the nodes with a single common master key, resulting in an optimal storage and full connectivity of the network. However, if one node is compromised then the entire network becomes insecure. At the other extreme, each pair of nodes can share a unique key (called pairwise key). If there are N nodes in the network, then each node stores N 1 pairwise keys (naive pairwise scheme). Such network has perfect resilience to node compromise, defined as follows: captured node reveals no information about links that it is not directly involved in, assuming captured node only reveals its own keys []. However, the storage requirement for such a scheme can be very high. For a network consisting of 10,000 nodes the storage for the keys alone is about 160 KiloBytes (assuming keys are 18 bits long). Flash memory can be used in sensors; however, the storage for keys itself would be quite high, increasing the cost of each sensor considerably. Sensors devices like TelosB have 10 KiloByte RAM and 48 KiloBytes of flash memory[3], which is not sufficient for storing all the pairwise keys. Perfect resilience is traded here for less storage requirements. Instead of deploying straight single pairwise keys, which will be mostly idle in sparse and medium densities, pair of keys are needed, preserving space considerably. Another drawback is the time taken to access data from the flash memory [4]. In applications where sensors need to establish pairwise keys with several nodes, the access time increases greatly. This affects the overall performance. Sensor nodes are deployed after predistributing the keys. Depending upon the application, the deployment can either be random [5] or arranged e.g. as square grid [6], triangular or hexagonal grids [7], in groups [8], [9]. Two nodes wishing to communicate securely must establish a common key. Selected key distribution scheme should have the following desirable properties: 1) low memory cost, which is directly proportional to the number of keys stored, ) high probability that two nodes within communication range are able to communicate securely using a common key, 3) low path length between two nodes that are within communication range; path may contain only links with endpoints sharing a common key, 4) high resilience to node compromise, and 5) low computation and commutation overheads to establish common key. Eschenaur and Gligor [5] were the first to propose a key predistribution scheme for sensor networks. Most other techniques follow their design. Each node carries k < N 1 preloaded keys and k corresponding key identifiers. The storage cost is O(k log N). Chan, Perrig and Song [] proposed several variations of this scheme. At initialization, each node is preloaded with a set of identifiers of nodes chosen at random. For each of these identifiers, a pairwise key is also loaded in the node. After deployment, two nodes can communicate securely provided they have a pairwise key. In a static network, nodes should be deployed so that they share pairwise keys with their neighbors. However, in a dynamic network, new neighbors might not have pairwise keys to communicate Digital Object Indentifier /TC /1/$ IEEE

2 with each other. In q-composite scheme [], two nodes can communicate if they share q q keys in common. The link key is calculated as K = hash(k 1 K K q ). The hash function is SHA-1 [10]. The link key is also the pairwise key between the two nodes. The communication overhead for key establishment is O(k log v) (k is the number of keys in each node and v is the size of key pool). The computation cost is O(k log k). We extend our predistribution schemes to q-composite schemes, where the keys are selected from the key pool according to some pattern, instead of the random approach given in []. The connectivity of the network involves two aspects. Local connectivity requires that neighboring nodes either share keys or there exists a path between them consisting of secure links. Global connectivity requires that there exist a path between any two nodes in the network, consisting of hops with link keys. The probabilistic scheme in [5] does not guarantee local or global connectivity, however [] guarantees local connectivity. A key distribution scheme should preserve connectivity and minimize path lengths. Pairwise schemes are preferred over other schemes because of increased security. In collusion attacks, an adversary might gather the information from many nodes to construct the pairwise keys of the uncompromised nodes. Blom [11], Blundo et al. [1] and other schemes based on them (for example [13]) are vulnerable to such attacks. In c-secure schemes, if an adversary compromises more than c nodes, then it can construct all the pairwise keys of the uncompromised nodes. In scenarios such as secure data aggregation and secure routing, an efficient session key needs to be established between two nodes [14]. Pairwise key distribution is a very effective and efficient way of establishing common key. Some of the schemes like PIKE [6] establish pairwise keys between nodes using the deployment position and are not suitable for mobile networks. Thus, we attempt to design a scheme, which is secure against node compromise, can support mobile nodes, and has smaller or equal storage and communication overheads than existing schemes. Deterministic designs result in efficient schemes, by exploiting the underlying patterns [15,16,17]. We design deterministic techniques using combinatorial designs to achieve communication and computation efficiency. High resilience to collusion attacks is achieved by establishing unique pairwise keys and key refreshing. Each node A has an inbuilt algorithm which takes node identifier of B as input and outputs the pairwise key with B, if it exists. Thus, nodes discover their neighbors and can calculate the pairwise keys on the fly. Pairwise key is periodically refreshed and authenticated. An adversary who overhears the identifiers of A and B, even if it can gather the keys predeployed in A and B by compromising some other nodes, cannot calculate the subsequent pairwise keys between them, unless it remains permanently within their transmission range. We also show that our key management technique is resistant to man-in-the-middle attack, in which an adversary can impersonate as one of the senders/receivers and establish common keys with each of them. In many probabilistic schemes, nodes broadcast key identifiers. Nodes which share common key identifiers can find the common key. An adversary can overhear which set of key identifiers each node possesses, without compromising it. It can selectively choose nodes with non-overlapping sets of keys. The adversary can thus compromise a large number of keys, by compromising a small number of nodes. This method therefore suffers from selective node capture attack [18]. However, since our schemes do not need to broadcast key identifiers to establish common key, selective node capture attack is not possible. Mitchel and Piper [19] were the first to use combinatorial designs in key distribution. Çamtepe and Yener [0], [1] applied combinatorial designs for key predistribution in WSN. A set system or design can be mapped to a key predistribution scheme in the following way. Let (X, A) be the set system with elements from set X, where A is a set of subsets with elements from X. The subsets belonging to A are also called blocks (or key chains) of the design. The pool of key identifiers is the set X. A special type of design is Balanced Incomplete Block Design, BIBD [, Chapter II.1], with the parameters v, b, r, k and λ, where v = X, b is the number of subsets of A or blocks, r is the number of blocks in which a particular element occurs, k is the size of each subset, λ is the number of blocks in which a given pair of elements occur. For a t-design, every t-subset of X occurs in λ blocks. t =for BIBD. Following this design, each sensor is loaded with k keys along with their identifiers. The keys are chosen from a pool of v keys. Any pair of keys can occur in precisely two nodes. If K 1 and K are two keys shared by nodes A and B then the common unique pairwise key is hash(k 1 K id A id B ). Lee and Stinson [3] used Transversal designs [] and Ruj and Roy [4] used Partially BIBDs (defined later in Section.3) for key predistribution. These scheme can be applied to both static and mobile networks. However, as the number of compromised nodes increases, the resilience drastically decreases. Blackburn et al. [5] used Costas arrays [] for key predistribution. The scheme assumes grid-based geometry of deployment while predistributing keys. Keys are distributed such that neighboring nodes share common keys and can communicate efficiently. The scheme can only be applied to networks where nodes are static and arranged in square grids. Hence, the mobility of the nodes adversely affects network resilience and connectivity. Two nodes S and D wishing to communicate securely, which either do not have a common key or are not within communication range, communicate through intermediary nodes. If any of the intermediary nodes are compromised, then the message can be altered, and neither node S nor node D will be able to recognize the alteration. To address this problem, we propose a solution using triple key distribution. In triple key distribution, keys are distributed in such a way that any three nodes share a unique common key. It is a special type of group key distribution, where the group size is three. A message between S and D can be securely routed by passive monitoring in the following way. Suppose node A on the path (between S and D) wants to send a message to C and it is routed via B. A can recognize forwarding from B to C by overhearing. If

3 3 A, B and C share a triple key, A will recognize that the message has been forwarded by B to C and none of the other nodes are aware of the forwarding. If node B does not forward the correct message, then node A can identify B as malicious. Triple key can be used in hierarchical sensor networks which typically consist of a base station (BS), cluster heads (CH) and sensor nodes. Each sensor is associated with a CH and sends sensed data to it. CH processes received data and forwards them to BS. If CH needs to monitor the communication between two nodes in its cluster then these three nodes need to share a unique common key. We will describe several other applications of triple key distribution in Section 8. Tripartite Diffie-Hellman protocol is a key agreement protocol between three parties. In [6], Joux presented a one-round tripartite protocol, which is based on bilinear pairing [7]. A round consists of all the information that can be sent or received in parallel [8]. Each node sends only one round of information about the keys it possess and the members can calculate the common key in parallel, from these partial information. Joux s protocol is prone to man-in-the-middle attack. The sender/receiver will not recognize that it is sending the data to the intruder. To counter this, Al-Riyami and Paterson [8] proposed an authenticated tripartite key agreement protocol. Tripartite key agreement has been a major topic of interest in cryptology. This relies on pairings on elliptic curve groups. Difficulty in choosing pairing friendly curves [9] and expensive pairing operations make it difficult to be used in resource constrained sensor networks. two such schemes, one using polynomials and the other using trades. 4) Pairwise and triple-key distribution. We also describe a scheme to establish pairwise or triple key simultaneously among sensors. 5) Applications. We apply triple key distribution to secure forwarding and key management in clustered sensor networks. We apply simultaneous pairwise and triple key assignment for secure data aggregation in sensor networks. 1. Organization The paper is organized in the following way. Related work is described in Section. This section also contains definitions of known combinatorial structures. In Section 3, we present our pairwise scheme in details. We apply trades to our schemes and present a new construction of Steiner trades in Section 4. We discuss features of our new key predistribution scheme using trades and compare it with existing schemes in Section 5. In Section 6, we discuss triple key distribution and present two constructions. In Section 7, we present technique to simultaneously establish pairwise and triple keys. Several application and open problems are discussed in Section 8. We conclude in Section 9. Preliminary version of this paper appears in [30]. RELATED WORK In this section, we discuss existing pairwise key predistribution schemes and key predistribution schemes which use combinatorial techniques. 1.1 Our contributions 1) Combinatorial contributions. We propose a new construction of Strong Steiner trades and describe their first application to key distribution in networks. ) Pairwise key distribution. We propose new pairwise key schemes which exploit the following property. When λ =, a pair (or t-subset) of keys occur in exactly two nodes. This pair (or t-subset) of keys is used to establish an unique pairwise key between the two nodes. We also propose a new pairwise key predistribution scheme using combinatorial structures called trades. The schemes are efficient in terms of storage O( N), communication overheads O(log N), computations O((log N) ), where N is the number of sensors in the network. Our schemes can be used for both static and mobile networks, because pairwise keys can be calculated on the fly. In a complete graph (with all nodes within communication range of each other, and all keys of given design being allocated) any two nodes can securely communicate using a maximum of three hop paths. The average path length is two. Our scheme is highly resilient to node compromise and collusion attacks, by the use of pairwise keys between nodes and key refreshing. 3) Triple-key distribution. We introduce a novel concept of triple key distribution in sensor networks in which every three nodes share a common key. We describe.1 Pairwise key predistribution schemes In Chan et al. scheme [], during the initialization phase, a unique pairwise key is generated and stored for each of k neighboring nodes (their identifiers are also stored). It is basically a naive scheme restricted to expected neighbors in future deployment, and claimed perfect resilience against node capture is only achieved by not reproducing same key anywhere else. Only naive scheme (when k = N 1) is then applicable to mobile networks, when each node has a list of all possible unique pairwise keys (and respective node identifiers), with any other node in the network, even if they are not in use. One can use Blundo et al. scheme [1] to establish pairwise scheme. Details of the scheme is given in Appendix 1.1 (in the supplementary file). This scheme is c-secure. Another c-secure scheme by Blom [11] uses a matrix based approach. Du et al. [13] presented a pairwise scheme which uses multiple Blom s scheme [11]. Details about these two schemes are presented in Appendices 1. and 1.3, respectively. Zhu et al. [31] proposed a scheme to establish pairwise keys using probabilistic key sharing [3] and threshold secret sharing [33]. Initially k keys are predistributed in each sensor from a key pool consisting of v keys. During pairwise key establishment, any node i randomly generates the secret key S and derives shares, sk 1, sk,..., sk n from S such that sk 1 = sk = = sk n 1 = S and

4 4 sk n = S sk 1 sk sk n 1, where is the XOR operation. Sender sends each of shares sk i through a different path. Receiver can construct S if it receives all these shares. To establish the common key, the sender must encrypt each of n shares and the receiver must decrypt each of n shares. The computation cost is hence ne, where e is the time to encrypt or decrypt a message. The security depends on the number of nodes compromised. The scheme can be attacked if at least one node in each path is compromised. The security of the scheme is enhanced by increasing the number of shares and establishing multiple path to communicate shares is expensive. This is computationally more intensive and does not have perfect resilience to node compromise. A pairwise key establishment scheme for a heterogeneous network has been suggested by Traynor et al. [34]. Some nodes have k keys and some m>>kkeys. Two nodes having one or more common keys establish a pairwise key by choosing a random key K and encrypting it with the shared key and sending to the other node. A node establishes pairwise keys and deletes the existing keys. Thus, it cannot establish new pairwise keys once it moves to a new region. Therefore, this scheme does not work for mobile networks. Huang and Medhi s scheme [35] is also not suitable for mobile networks for similar reasons.. Joux s Tripartite Key Agreement Joux [6] proposed a tripartite key agreement protocol to establish a common key between three parties using public key cryptographic techniques. The protocol uses bilinear pairing on elliptic curve groups. The advantage of this protocol is that it is a one round protocol meaning that all three nodes can establish a common key by transmitting a single broadcast message. Let G 1 and G be two cyclic groups of prime order q generated by g 1 and g respectively. Let G T be a group of order q. We can define the map e : G 1 G G T. The map satisfies the following properties: 1) e : G 1 G G T is bilinear map if e(ap, bq) = e(p, Q) ab for all P G 1 and Q G and a, b Z q, Z q = {0, 1,,...,q 1}. ) Non-degenerate: e(g 1,g ) 1. 3) Computability: ψ : G G 1 is a computable isomorphism from G to G 1, with ψ(g ) = g 1. The isomorphism ψ and the bilinear map e are efficiently computable. Let A, B and C be three nodes wishing to establish a common key. They are preloaded with secret keys a, b, c Z q. The nodes A, B and C transmit ap, bp and cp respectively After the values are received, node A can calculate the common triple key between itself, B and C as follows: e(bp, cp ) a. This is equal to e(p, P) abc. Similarly, B and C can also calculate the triple key K ABC = e(p, P) abc. The security of the protocol follows from the hardness of Bilinear Diffie Hellman Problem. A proof appears in [8]..3 Combinatorial designs A set system or design [3] is a pair (X, A), where A is a set of subsets of X. Each subset of A is also called a block. Let K be a set of positive integers and let λ be a positive integer. A pairwise balanced design (PBD), (denoted by (v, K,λ) PBD) of order v with block sizes from K is a design (X, A), such that if A Ais a block, A = k, then k K, and every pair of elements in X occur in exactly λ blocks. BIBD(v, b, r, k, λ) and t-design have been defined in Section 1. A BIBD(v, b, r, k, λ), isadesign which satisfies the following conditions: 1) X = v, A = b, ) Each subset in A contains exactly k elements, 3) Each element in X occurs in r blocks, and 4) Each pair of elements in X is contained in exactly λ blocks in A. When v = b, the BIBD is called a symmetric BIBD and denoted by SBIBD(v, k, λ). At-design (represented by t (v, b, r, k, λ)) is the design where each t-subset of elements in X is contained in exactly λ blocks in A. BIBD is special case of t-design where t =. A partially balanced incomplete block design, denoted by PBIBD(v, b, r, k, λ 1,λ,...,λ m ) is a design on a v-set X, with b blocks each of size k and with each element of X being repeated r times, and any pair of elements occurring in either λ 1,λ,...,λ m blocks. A t (v, k) trade (also called combinatorial trade or bitrade) consists of collections T = {T 1,T }, where T i, (i =1, ), is a collection of m blocks of size k (k-subsets) chosen from X in such a way that the blocks of T 1 are distinct from the blocks of T (T 1 T = φ) and, further, each t-set chosen from X occurs in precisely the same number of blocks of T 1, as those of T. The volume of the trade is T 1 = T = m. The foundation of the trade is the subset of elements of X which occur in a block of T 1. Example 1: [, Chapter VI.60] T = {T 1,T } is a (6, 3) trade, where X = {1,,...,6} and T 1 = {{1,, 3}, {1,, 4}, {1, 5, 6}, {, 5, 6}, {3, 4, 5}, {3, 4, 6}} T = {{1,, 5}, {1,, 6}, {1, 3, 4}, {, 3, 4}, {3, 5, 6}, {4, 5, 6}}. The volume is m =6and foundation size is 6. A Steiner Trade is one in which no t-set chosen from X is repeated more than once in any of the sets T 1 or T. Example 1 is not a Steiner trade. Example : [, Chapter VI.60] Let X = {1,,...,6}. Then T = {T 1,T } is a (6, 3) trade, where T 1 = {{1,, 3}, {1, 5, 6}, {, 4, 6}, {3, 4, 5}} and T = {{1,, 6}, {1, 3, 5}, {, 3, 4}, {4, 5, 6}}. T has volume 4 and foundation size 6. A (v, k) Steiner trade T = {T 1,T } is said to be strong, if any block in T 1 intersects any block of T in at most two elements. Example is a Steiner trade but the following trade is not. Example 3: [, Chapter VI.60] Let X = {1,,...,8}, T = {T 1,T }, T 1 = {{1, 3, 5, 6}, {1, 4, 7, 8}, {, 3, 7, 8}, {, 4, 5, 6}}, and T = {{1, 3, 7, 8}, {1, 4, 5, 6}, {, 3, 5, 6}, {, 4, 7, 8}}. An N-legged trade [], denoted by T [N](t, k, v) trade is a set T = {T 1,T,...,T N } such that for i j, {T i,t j } is a t (v, k) trade. Example 4: A T [3](, 3, 7) with T 1 = {{1,, 3}, {1, 6, 7}, {, 4, 7}, {, 5, 6}, {3, 4, 6}, {3, 5, 7}},

5 5 T = {{1,, 7}, {1, 3, 6}, {, 3, 5}, {, 4, 6}, {3, 4, 7}, {5, 6, 7}}, T 3 = {{1,, 6}, {1, 3, 7}, {, 3, 4}, {, 5, 7}, {3, 5, 6}, {4, 6, 7}}. Surveys on trades can be found in [36], [37]. Strong Steiner Trades (SST) were studied by Hamilton and Khodkar [38]. We present the following theorem. Theorem 1: [38] 1) There exists a (q + q, q +1) Strong Steiner Trades (SST) of volume q for every q a power of, and a ((q +1),q+1) SST of volume q + q, for every q such that q +1 is a power of. ) There exists a (q + q +1,q +1) SST of volume q + q +1 for every prime power q. 3) If q is a power of then there exists a (v, q +1) SST of volume m for every m q (q + q +1). 4) If q is a power of and q 1 is a prime power then there exists a (v, q) SST of volume m for every m (q q)(q q +1)..4 Combinatorial designs in key predistribution Combinatorial designs for key management were introduced in [19]. Example 9 in Appendix 3 can be mapped to key predistribution in the following way: X is the pool of key identifiers, containing six keys. Each key identifier corresponds to a 18-bit key. The network supports a maximum of ten nodes n 0,n 1,...,n 9, each containing three keys. For example, node n 0 contains the key with identifiers 0, 1, and the corresponding keys, node n 1 contains the key with identifiers 0, 1, 3 and the corresponding keys and so on. Camtepe and Yener [0] used combinatorial designs in key predistribution. They used finite projective planes. Lee and Stinson [3] used transversal designs and Ruj and Roy [4] used PBIBD (Partially Balanced Incomplete Block Designs) for key predistribution. Combinatorial approach has its positive and negative features. A survey can be found in [39], [40]. Deterministic schemes result in efficient shared-key discovery algorithm, by exploiting the patterns inherent in the combinatorial designs [15]. Xu et al. [16] pointed out that the resilience to node compromise in probabilistic key predistribution algorithms is only marginally better than in deterministic algorithms. 3 NEW KEY PREDISTRIBUTION SCHEMES Table 1 lists the notations used throughout the paper. The network consists of (static or mobile) nodes deployed randomly over an adversarial region. The key pool is constructed of keys, each of length 18 bits. The keys are unique. Before deployment each node n i is given an unique id at random by a trusted authority (TA), and is loaded with the following information: k 18-bit keys which are chosen from a key pool, (the keys are chosen according to predistribution algorithm in Section 4.) k 18-bit keys which are chosen from a key pool, SHA-1 [33, Chapter 4.3.] hash function with 160-bit message digest, and The key establishment algorithm (Section 4.3) which takes as input the identifier of the node it wants to TABLE 1 Notations and their meanings Symbols Meaning N Size of the network k Size of the key chain v Size of key pool K, K j,k (i,j) Keys n i ith node id A Identifier of node A id(k 1 ) Identifier of key K 1 E K (M) Message M is encrypted using key K hash SHA-1 hash function MAC K (M) Message authentication code on message M using key K communicate with and outputs the common unique key to be used for communication. A pseudorandom number generator function (PRNG) [10] which generates a random number. We assume that there are underlying revocation algorithms [41] that can be used to revoke compromised nodes. 3.1 Adversarial model We assume that there are no compromised nodes at startup. Attacks are launched sometime after the nodes are deployed. An adversary can be static or mobile and can either be active (physically compromise the nodes) or passive (eavesdrop on messages). We consider both insider and outsider attacks. An adversary can launch an outsider attack by compromising a node and reading the keys that it possesses. An insider adversary is a malicious node which can read/modify all messages that are encrypted with the keys that it possesses. It can either drop packets, overhear messages sent between nodes within communication range or selectively forward packets. We assume that adversaries can launch attacks only when they are within communication range of the nodes. 3. Sketch of new pairwise predistribution schemes The mapping from combinatorial designs (X, A) to sensor networks is done in the following way. X is the pool of key identifiers. A Ais a sensor node which contains a set of key identifiers from X. The number of keys in each sensor node may be different, but normally is assumed to be equal. If we map sensor network to BIBD(v, b, r, k, λ) then the size of each key-chain is k, each key occurs in exactly r sensor nodes, and λ is the number of nodes in which a pair of keys occur. Dual of a BIBD can be alternatively used e.g. [4] for design based key predistribution. Then λ is the intersection number in the dual design. They consider this parameter to find if two nodes share one or more keys. There are b keys in the key pool and the network can support a maximum of v nodes, each containing r keys, and λ is the number of common keys between any two nodes. According to our predistribution scheme, keys are preloaded into the sensor nodes according to a PBD with

6 6 λ =. We may also use a PBIBD with λ 1 =0and λ =. This means that any two sensors have either two or none common keys. Two nodes n i and n j wanting to communicate securely, establish a unique common key K ij. Nodes broadcast only their identifier. Thus, the communication overhead is O(log N). An algorithm, (for example, Algorithm 1 in Section 4.3) is built into the sensor, which enables a node n i to calculate common keys with another node n j. If common keys are K 1 and K, the pairwise key between n i and n j is given by K ij = hash(k 1 K id i id j ). Since K 1 and K are unique, their concatenation is also unique. This is similar to q-composite scheme [](here q =). Neighboring node can calculate the common identifier between n i and n j, and identifiers of their common keys. However, since it does not hold both keys, it is not able to learn the value of K 1 K, and cannot calculate the common key K ij. Nodes may however collude and derive the values of K 1 and K and thus calculate K ij. To counter this problem, nodes can refresh their pairwise keys periodically, by communicating new key using the previous key, similar to [4]. In mobile networks, local neighborhood changes and most nodes are not able to keep track of key changes. However, especially in static configurations, neighbors present at the deployment stage would be able to monitor key changes. This problem exists in all key predeployment methods based on node identifiers, for example in [43]. 3.3 Construction of designs with λ = We now discuss the designs for the key predistribution schemes that we have suggested in the previous section. Pairwise key establishment schemes are based on the designs in which two blocks contain a unique pair (or a set of t) of elements or no common elements at all. One option is biplanes [44]. However, it has been pointed by the authors that no biplane of more than 79 points is known. Hence, biplanes do not scale well for sensor networks. We consider designs with BIBD λ =and PBIBD with λ 1 = 0,λ =. In the next section, we show that this problem is equivalent to finding Steiner trades (defined in Section.3). We give a new construction for the design where every pair of elements occurs exactly twice. Construction 1: Let the set system (X, A) be D 1 = (v, K,λ) PBD, defined on the set of elements X, then a new design D = (X, A ) = (v, K, λ) PBD can be constructed in the following way. We define a permutation π on the set of elements in X, such that for any block A = {x 1,x,...,x n } (n K)inD 1, {π(x 1 ),π(x ),...,π(x n )} / D 1. Then for each block A = {x 1,x,...,x n } of the design D 1, D contains A and the block {π(x 1 ),π(x ),...,π(x n )}. We present an example in Appendix. Theorem : Construction 1 results in a D =(v, K, λ) PBD which has twice as many blocks as D 1 =(v, K,λ) PBD. Proof: For each block A A, there is a new block in D =(v, K, λ). There are twice as many blocks in D as there were in D 1. Since a permutation is a bijection, for any element x 1 D 1, there is an element x 3 D, such that x 1 = π(x 3 ). Thus, for any pair of elements x 1 and x, which occur in D 1, there exists a pair of elements x 3 and x 4 in D, such that x 1 = π(x 3 ) and x = π(x 4 ). Since each pair of elements occur in λ blocks in D 1, they occur together in λ blocks in D. The above construction can be used to find families of designs with λ =, since there is a very large number of families of PBDs with λ =1. The only problem is how to choose the permutation of the set of elements which satisfy Construction 1. We present another method to construct designs with λ =in Appendix 3. 4 COMBINATORIAL TRADES AND NEW PAIRWISE KEY ESTABLISHMENT SCHEMES We recall the definition of trades from Section.3. Our problem of pairwise key establishment can be mapped to Steiner trades. If there exists a t (v, k) Steiner trade with volume m, then we can consider all the k-subsets of T 1 T as blocks of the design. Then, any t-subset of elements occur in either blocks or none. When we map this to key predistribution, v is the size of the key pool, T 1 and T are sensors, each containing k keys. Thus, there are a total of m sensors in the network. Any set of t keys occurs either in two sensors or none. This is the first paper where the application of trades to key establishment is being discussed. We present some results on trades and apply them to pairwise key establishment. We refer to Theorem 1. Its proof [38] can be used in the construction of pairwise key predistribution schemes. 1) The first result can be applied to the design of pairwise key predistribution scheme in the following way. If q is a power of, then a key predistribution scheme can be designed where the size of the key pool is q + q, the maximum number of nodes in the network is q, the length of the key chain is q +1.If q +1 is a power of two, then the key predistribution scheme has a key pool size of q +q+1, the maximum number of nodes in network is (q + q), and the length of key chain is q +1. The other results can be applied similarly. ) If q is a prime power, then the key predistribution scheme has a key pool size of q +q+1. The maximum number of nodes in the network of (q + q +1), and a key chain size of q +1. We note here that the construction in Appendix 3 (in the supplementary file) can be used to design such a predistribution scheme. Every pair of keys occurs in exactly two nodes or none. Two common keys can be used for key establishment between the concerned nodes. Similarly, other key predistribution schemes can be constructed by Theorems, 3 and 4. For a network consisting of N nodes, the number of keys to be stored in each node is less than N. 4.1 New construction of Strong Steiner Trade We now present a new construction of Strong Steiner Trade, to establish pairwise keys in sensor networks.

7 7 Construction : Let X be a set of elements such that X = v. Let q be a prime power. Let T 1 and T be sets of k-subsets (k 4) fromx. Ak-subset of T 1 is represented by t 1 i,j, such that, t1 i,j = {(x, (xi + j) mod q) :0 x<k}, where 0 i, j < q. Ak-subset of T is represented by t i,j, such that, t i,j = {(x, (x + xi + j) mod q) :0 x<k}, where 0 i, j < q. Lemma 1: Construction results in a (qk, k) SST with volume q. Proof: T 1 = T = q. First we show that T 1 T = φ. It suffice to show that no blocks in T 1 and T have more than a pair of elements in common. Suppose on the contrary, the blocks t 1 i,j T 1 and t i,j T have the three elements {(x, xi+j), (y, yi+j), (z,zi+j)} in common. Then xi + j x + xi + j (mod q), yi+ j y + yi + j (mod q) and zi+ j z + zi + j (mod q). Thus, from the first pair of equations i x + y + i (mod q) and from the last pair i y + z + i (mod q). Then x = z which is a contradiction. No two blocks in T 1 and T intersect in more than two points. We show that any pair of elements occur either once in both T 1 or T or does not occur in any of T 1 and T. From the construction, pair {(x, y), (x, z)} does not occur in any block in either T 1 or T. We will now show that each pair of elements {(x, y), (x,y )} (where x x ) occurs at most once in T 1 and at most once in T. Suppose on the contrary a pair of elements occur in two blocks t 1 i,j and t1 i,j of T 1. Then xi + j xi + j (mod q) and x i + j x i + j (mod q). Thus, (x x )i (x x )i (mod q). Since x x, i i (mod q), i = i which implies j = j. This leads to a contradiction. Similarly, if a pair of elements occurs in two blocks t i,j and t i,j of T, then, x + xi + j x + xi + j (mod q) and x + x i + j x + x i + j (mod q). Thus, (x x )i (x x )i (mod q). Since x x, i = i which implies j = j. This leads to a contradiction. Next we show that any pair of elements which occur once in T 1 also occurs once in T. Suppose the pair of elements {(x, xi + j), (x,x i + j)} occurs once in T 1 in the block t 1 i,j. Then the block t i x x,xx +j in T also contains {(x, xi + j), (x,x i + j)}. Hence, the above construction results in a strong Steiner trade. From the above construction we can state the following theorem. Theorem 3: There exists a (qk, k) strong Steiner trade with volume q, where q is a prime power. We present an example in Appendix. 4. Our design mapped to key predistribution Construction can be applied to design a pairwise scheme in sensor network. Consider the set of blocks T 1 T.If each block represents a key chain, then the size of key chain is k (0 <k q), the number of sensors supported is N = q, and the size of the key pool X is qk. The identifier of a node is denoted by (i, j, u), where (i, j) represents the block t i,j and u is either 1 or depending on which of the sets T 1 or T it belongs to. Each key has an identifier of the form (x, y), where 0 x<kand 0 y<q. Thus, K (x,y) denotes the key, whose identifier is (x, y). We note that a pair of keys occurs either in two sensors A and B or none. The pair of keys shared between A and B never occur together in any other block. If A and B share a pair of keys K 1 and K, then the pairwise key between A and B is calculated as K AB = K BA = hash((k (x1,y 1) K (x,y )) id A id B ), id A < id B. In the above case, the common key between two nodes A and B having key-chains {(0, 0), (1, 1), (, 4), (3, 4)} and {(0, 0), (1, 1), (, ), (3, 3)} from T and T 1 respectively, can be calculated as hash((k (0,0) K (1,1) ) id A id B ). 4.3 Pairwise key establishment Suppose node A which has the identifier (i, j, u) wants to establish a pairwise key with B whose identifier is (i,j,u ). The following algorithm runs in node A. Algorithm 1 Pair-wise key establishment algorithm Input: Identifier (i,j,u ) of B Output: Pairwise key between A and B if one exists, and NULL if none exists 1: if u = u then : Print No common key 3: Return NULL 4: else 5: y =((i i ) +4(j j )) mod q 6: if y exists, then 7: x 1 = (i i )+ y (mod q) 8: x = (i i ) y (mod q) 9: if x 1 <kand x <kthen 10: X AB = K (x1,x 1i+j) K (x,x i+j) 11: K AB = hash(x AB id A id B ) 1: Return K AB 13: else 14: Print No common key 15: Return NULL 16: end if 17: else 18: Print No common key 19: Return NULL 0: end if 1: end if If u = u, then A and B do not share a pairwise key and the algorithm returns a null value. Let u u. Suppose A has been assigned keys from T 1 and B from T. Suppose (x, xi + j mod q) is a common key between two nodes. Thus, xi + j x + xi + j (mod q) and x is given by x = (i i ) ± (i i ) +4(j j ) (mod q). (1) If (i i ) +4(j j )(modq) exists, then we can obtain two values x 1 and x of x. The algorithm calculates K (x1,x 1i+j) K (x,x i+j), if x 1 < k and x < k, and null otherwise. The pairwise key K AB = hash((k (x1,x 1i+j) K (x,x i+j)) id A id B ) is then returned. We note the following points about the pair-wise key establishment algorithm. The values of i, j and u are fixed throughout the algorithm and the values of i, j, u change depending upon node to which A wants to communicate.

8 8 The algorithm can be thought of as a function f on three variables i,j,u. An attacker who knows how the pair-wise key establishment works might know the identifiers of the common keys, K (x1,x 1i+j) and K (x,x i+j). However, unless it also possesses the keys, it cannot calculate the shared key. If q is prime and q 3(mod4), then the square root of a, if it exists (where a is an integer, such that 0 a<q) is a q+1 4 (mod q). The proof appears in [10]. This can be calculated in O((log q) ) = O((log k) ) (when q = k). If q is composite then the square root can be found by Chinese remainder theorem. For details one may refer to [33]. Thus, we can calculate the common keys efficiently. When probabilistic schemes are used, it takes O(k log k) time to find the common keys, where k is the number of keys in each node. The communication overhead in our scheme is O(log q) =O(log k) =O(log N) (when k = q = N ), compared to probabilistic pairwise schemes where the overhead is O(k). However, nodes cannot learn other keys not common with neighbors. A third node C cannot know the common key between A and B by overhearing. Subsequent pairwise session keys are established as and when required as discussed before. 5 ANALYSIS 5.1 Resilience of our scheme For a static network, nodes within communication range establish pairwise keys just after deployment. Since at start-up no nodes are compromised, adversary cannot learn any initial pairwise keys and subsequent session keys which are established. For mobile networks, two nodes A and B establish common key K AB = hash(k 1 K id A id B ) when they are in communication range. Suppose there are two nodes C and D which have keys K 1 and K respectively. An adversary that compromises C and D can subsequently calculate K AB. However it needs to be physically near them when they meet for the first time, and remain their neighbor afterwards, to monitor subsequent key refreshments. In a mobile network nodes move continuously. So even if the nodes C and D can calculate K AB, they have to be physically close to both A and B to keep on monitoring the key refreshment process. One might ask, why is it important to store so many keys and not pairwise keys. This is because, it is not known prior to deployment, which nodes will be in communication range of each other and all possible pairwise keys need not be stored, thus saving space. 5. Connectivity of the network We next analyze the connectivity of the network, in the absence of adversaries. Recall that, when adversaries are present, only links containing compromised nodes are affected. Each node (which corresponds to blocks in T 1 ) is connected to k(k 1)/ other nodes (which correspond to blocks in T ). Thus, we note that number of nodes which are connected directly is k(k 1)q /. Therefore, the fraction of nodes directly connected is k(k 1) (q 1). For k = q, the connectivity is approximately equal to 1/4. Though this direct connectivity is low, we will show in the next theorem that any two nodes can be reached by a maximum of three hops. Further, the average path length is two. This is quite practical for sensor networks. Theorem 4: Let N =q and k = q. If all nodes are within communication range (form a complete graph), then any two nodes n A and n B can communicate via a secure path, the length of which is at most three. Proof: Let id A =(i, j, u) and id B =(i,j,u ). We first note that two nodes with u = u cannot communicate directly because they do not share two keys in common. Two nodes with identifiers id A =(i, j, u) and id B =(i,j,u) can communicate via a two-hop path, if there exists node having identifier id C =(i,j,u ), such that the following equations hold ( x y and z w). xi + j = x + xi + j (mod q) yi + j = y + yi + j (mod q). zi + j = z + zi + j (mod q) wi + j = w + wi + j (3) (mod q). For the Equations () and (3) to be true, the following pair of equations must be true, respectively. Therefore, the equation () i = x + y + i. (4) i = w + z + i. (5) i = i (w + z)+(x + y) (6) must hold. Since k = q and N =q, there exist x, y, w, and z such that Equations (4), (5) and (6) are satisfied. One such solution to the set of equations (4), (5) and (6), is x = i i i i 1, y = +1, w = i i 1, z = i i +1. We next show that any two nodes with identifier id A = (i, j, u) and id B = (i,j,u ) (u u ) that are not connected directly, are connected by a three-hop path. We show that there exist intermediary nodes with identifier id C =(i,j,u ) and id D =(i,j,u), such that xi + j = x + xi + j (mod q) yi + j = y + yi + j (mod q) zi + j = z + zi + j (mod q) wi + j = w + wi + j (mod q) li + j = l + li + j (mod q) mi + j = m + mi + j (9) (mod q) hold. This implies that the following Equations (10), (11) and (1) must hold. (7) (8) i = x + y + i (10) i = w + z + i (11) i = l + m + i. (1) This implies that the following equation holds. i i =(x + y)+(l + m) (z + w) (13)

9 9 Equations (10), (11), (1) and (13) hold for x = i i 1, y = i i +1, w = i i 1, z = i i +1, l = i i 1, m = i i +1, Since N =q and k = q, there always exists such values of x, y, w, z, l and m. Hence, two nodes with id A =(i, j, u) and id B =(i,j,u ) (where u u ) are connected by a path of length at most 3. The above proof is an existence proof of a path between two nodes. In practice, a node with id A =(i, j, 1) broadcasts a message that it wants to communicate with node with id B =(i,j, 1), and any node with id C =(i,j, ) which shares keys with both A and B can serve as intermediate node. id C can then send a message back to A and B that it will serve as intermediate node. The messages are then routed through C. If nodes id A = (i, j, 1) wants to establish a common key with id B =(i,j, 1) (which does not have a pair of common keys), then the following steps are executed: 1) Node A calculates x = i 1, y = i +1 and i = i x y. ) A sends message to C =(i,j, ), j =(xi + j) (x + xi ). 3) Node C sends message to B, using keys (wi + j ) and (zi + j ), calculated from Equation (3). When A = (i, j, 1) wants to send message to B = (i,j, ), then the following steps are executed. 1) Node A calculates x = i 1, y = i +1 and i = i x y. ) Node A sends message to C =(i,j, ), j =(xi + j) (x + xi ). 3) Node C calculates m = i i 1, l = +1 and i = i l m. 4) Node C sends message to D =(i,j, ), j =(li + j ) (l + li ), using the keys (zi + j ) and (wi + j ), calculated using Equation (8). 5) Node D sends message to B, using keys (li + j ) and (mi + j ), calculated using Equation (9). Therefore, any two nodes from the set T 1 are connected by a two-hop path, when N =q,k = q and all node are within communication range. There are k(k 1)q / links which are connected by a one hop path and q (q 1)/ k(k 1)q / links which are connected by a three-hop path. If k = q then half of the links are connected by two hop paths, quarter of the links by a one hop path, and quarter by three hop paths. Therefore, the average path length is two. For a fixed q, the maximum number of nodes supported is q. When the number of nodes is less than q, new nodes can be added to the network. The trusted authority assigns an id to the new node at random, along with a set of keys. If the node identifier (i, j, 0) is added, then it is assigned a set of keys {(x, xi + j mod q) :0 x<q}. If the new node has an identifier (i,j, 1), then it is assigned a set of keys {(x, x +xi+j mod q) :0 x<q}. When a node is removed the initial set of q predistributed keys is deleted from the memory of the node. The trusted authority then deletes the node identifier and the assigned keys from its memory. This set of keys can be used in future if there is a need for it. 5.3 Comparison with pairwise and combinatorial key distribution schemes The naive scheme and Chan et al. scheme [] require significant storage, although they have perfect resilience to node compromise. The schemes [1], [13] are c-secure. Schemes like PIKE [6] and Traynor et al. [34] are not suitable for mobile networks. Based on these observations and discussions in Section, we compare other pairwise schemes with ours in Table. N refers to the maximum number of nodes, k represents number of keys in each node, and c refers to the security parameter. Degree of polynomial is c in case of Blundo et al. [1] scheme. Size of the matrix chosen is (c+1) (c+1),in case of Blom [11] scheme. We recall that Du et al. scheme [13], is based on multiple matrices instead of one as in Blom [11] scheme. Here, ω is the number of matrices given in Appendix 1.3. For the schemes [6], [31], [34], [35], the simulation results for the resilience (in terms of fraction of links affected by compromised sensors) can be found in the respective papers. We also compare our scheme with existing combinatorial schemes. From Table 3, we observe that most combinatorial schemes do not work for mobile networks. Their resilience depends on the number of nodes compromised. We note that this is the first triple key distribution scheme in WSN. Though there has been tripartite key establishment algorithm, for example Joux s [6] protocol and other variations, these have not been applied to wireless sensor networks. As mentioned in Section., Joux s protocol and later modifications can establish a common key between three parties in one round using pairing based techniques. Pairings on elliptic curves are expensive operations, compared to simple addition and multiplication operations for symmetric key protocols. Furthermore, the choice and construction of elliptic curve and the pairing function is equally important. Due to these expensive operations and complex constructions of elliptic curves and pairing functions, we use a symmetric key approach. 6 TRIPLE KEY DISTRIBUTION SCHEMES Triple key distribution is a method of assigning keys, such that three nodes share a unique common key. We introduce this novel idea of triple key distribution and present some constructions. In the next section, we present some applications of triple key distribution. 6.1 Triple key distribution from polynomials Blundo s scheme [1] can be used for constructing a triple key distribution scheme. Let c be the security parameter. It means that if more than c nodes are compromised, then the scheme is broken. If c or less nodes are compromised, then the adversary does not know the triple key between any three uncompromised nodes. Instead of choosing a bivariate polynomial (as done for establishing pairwise keys), we choose a c-degree symmetric polynomial with co-efficients from F q (finite field with q elements, q can be or 3 +1) in three variables P (x, y, z) and assign each node i the value P (i, y, z) of the polynomial evaluated