Key Establishment Schemes against Storage-Bounded Adversaries in Wireless Sensor Networks

Key Establishment Schemes against

Storage-Bounded Adversaries in Wireless Sensor Networks

Shi-Chun Tsai, Wen-Guey Tzeng, and Kun-Yi Zhou

Abstract—In this paper we re-examine the attacking scenario about wireless sensor networks. It is generally assumed that the adversary picks up all radio communications of sensor nodes without any loss and stores the eavesdropped messages for later use. We suggest that in some situations the adversary may not be able to pick up all radio communications of sensor nodes. Therefore, we propose the storage-bounded adversary model for wireless sensor networks, in which the adversary’s storage is bounded.

We propose two key establishment schemes for establishing shared keys for neighboring sensor nodes in the storage-bounded adversary model. The first scheme needs special beacon nodes for broadcasting random bits. In the second scheme, some sensor nodes play the role of beacon nodes. Our results are theoretical in some sense. Nevertheless, we can adjust them for realistic consideration.

Index Terms—Bounded-storage model, key establishment, un-conditional security, wireless sensor network.

I. INTRODUCTION

A

WIRELESS sensor network usually consists of a large number of small autonomous sensor nodes. Each sensor node has some level of computing power, a limited size of storage, a set of sensors for exploring the environment and a small antenna for communicating with the outside world. One way of deploying a wireless sensor network is to scatter senor nodes in the field randomly. Then, these sensor nodes form a network autonomously via their built-in programs. Due to restriction of small antenna, each sensor node can communicate with its geographic neighbors only. We say that two sensor nodes are neighbored if they can communicate with each other via radio directly. In some situations, we may deploy a set of special nodes, called beacon nodes, for broadcasting instructions and data to the sensor nodes. A beacon node is more powerful so that its radio signal could cover a larger area.

There are some security issues about wireless sensor net-works, such as, communication security, message authentica-tion, node authenticaauthentica-tion, etc. We are concerned about the key establishment problem, which is to establish a shared (secret) key for two neighboring sensor nodes via the public radio link. The established key is later used for secure communication (encryption) or authentication. The key establishment problem Manuscript received August 6, 2008; revised October 2, 2008; accepted November 8, 2008. The associate editor coordinating the review of this paper and approving it for publication was D. Wu.

The authors are with the Computer Science Department, National Chiao Tung University, Hsinchu, Taiwan 30050 (e-mail:{sctsai, wgtzeng,

kyzhou}@cs.nctu.edu.tw). Corresponding author: W.-G. Tzeng.

This research was supported in part by projects NSC-96-2628-E-009-011-MY3, NSC-97-2221-E-009-064-MY3 NSC-97-2219-E-009-006 (TWISC), and MoE-97W803.

Digital Object Identifier 10.1109/TWC.2009.081048

for wireless sensor networks has been studied actively. In this paper we re-examine the attacking scenario about wireless sensor networks. It is generally assumed that the adversary picks up all radio communications of sensor nodes without any loss and stores the eavesdropped messages for later use. We suggest that this may not be the case. For example, the radio quality of a sensor node is not very good and its coverage area is small. It is hard for the adversary to get all communications between sensor nodes. Therefore, we propose the

storage-bounded adversary model for wireless sensor networks to

cap-ture the essence of incomplete eavesdropping. In this model, the adversary cannot eavesdrop all communications of the sensor nodes. We could conceptually think that the adversary’s storage is limited so that it cannot store all communications. The storage-bounded adversary model has been studied in the cryptographic field for its advanced view. It explores the possibility of encryption in the era of quantum computation. We bring the model to wireless sensor networks for exploring an alternative adversary model.

By considering the storage-bounded adversary, we propose two key establishment schemes. The first scheme needs some special beacon nodes for broadcasting random bits. In the second scheme, some sensor nodes play the role of beacon nodes. Our results are theoretical in some sense. Nevertheless, we can adjust them for realistic consideration.

Our key establishment schemes have the following prop-erties. Firstly, they do not pre-load secrets to sensor nodes. This saves quite a lot of setup work before sensor nodes are deployed to the field. Secondly, the connectivity rate of neighboring sensor nodes is very high and the probability of repeated keys is very low. Thirdly, even if the adversary captures a large fraction of the deployed sensor nodes, almost all of the shared keys of un-compromised links remain secure. We note that most key pre-distribution schemes allow only a small fraction of sensor nodes to be compromised by the adversary. Finally, the shared keys in the first scheme are unconditionally secure. Furthermore, since all shared keys are generated in the field without pre-loaded secrets in sensor nodes, shared keys can be updated from time to time.

We do not consider the adversary that applies other types of attacks, such as node impersonation, node replication, etc. There have been many proposed countermeasures [5]–[7]. If we need them, we can simply use them without too much effort.

Related work. Maurer [8] first proposed the storage-bounded

adversary model. Cachin and Maurer [2] proposed a complete solution for encryption under the storage-bounded adversary model.

For key pre-distribution, Blom [1] proposed a scheme for 1536-1276/09$25.00 c 2009 IEEE

multiple parties to establish pairwise keys. Eschenauer and Gligor [6] proposed to assign a random subset of the key space to each sensor node. They showed that two neighboring nodes can establish a shared key from their own key pools with a reasonable probability. Chan, et al. [3], Du, et al. [5], and Liu and Ning [7] improved the basic random key pre-distribution scheme of Eschenauer and Gilgor by using multiple random key pools for each sensor node. Ren, et al. [12] discussed how to pre-distribute keys in large scale.

Miller and Vaidya [9] proposed a key pre-distribution scheme by assuming that the communication channels be-tween sensor nodes use the orthogonal frequency-division multiplexing technology. They considered that these channels cannot be eavesdropped all together. Thus, each sensor node broadcasts its pre-loaded secrets to its neighboring nodes through these channels randomly. Due to the characteristics of the channels, only a part of broadcasted secrets are obtained by the adversary. Then, two neighboring sensor nodes can use the uncompromised secrets to establish their shared key. The essence of their assumption is similar to incomplete

eavesdropping. But, they used it in designing a key

pre-distribution scheme. Our schemes are not key pre-distributed. Furthermore, our analysis technique is quite different.

II. PRELIMINARIES

We assume that the sensor nodes are scattered to the field randomly. Each sensor node has no post-deployment knowledge about the other sensor nodes. All it can do is to use its antenna to communicate with its neighboring sensor nodes.

The adversary can eavesdrop all communications of sensor nodes. But, due to storage limitation it can store only a fraction of the eavesdropped messages. After that, the adversary com-promises a fraction of the sensor nodes (compromised sensor nodes) and gets the secrets inside them. Then, the adversary tries to infer the shared key held by two neighboring sensor nodes that are not compromised.

Our first key establishment scheme is called Key

Establish-ment with Beacons in the Storage-Bounded Model, denoted

as KEB-SB. The beacon nodes are deployed like the sensor nodes, but with a much less number. Each beacon node broadcasts random bits that are received by the sensor nodes within its radio range. Then, two neighboring sensor nodes use the received bits to establish their shared key.

The second key establishment scheme is called Key

Estab-lishment in the Storage-Bounded Model, denoted as KE-SB. KE-SB needs no beacon nodes. Each sensor node can play the role of a beacon node. Unlike KEB-SB, a sensor node that broadcasts random bits establishes shared keys with its neighboring sensor nodes.

The used parameters and notations of the schemes are shown in Table I.

In our analysis, we use a Chernoff bound to derive a closed form for approximating security probabilities [11]. Let Xi be identical and independent Boolean random variables with expectationE(Xi) = θ, 1 ≤ i ≤ t. Then, almost all values of _t

i=1Xi are around its meanE(ti=1Xi) = tθ, that is, for

TABLE I

THE USED PARAMETERS AND NOTATIONS.

• n: the number of deployed sensor nodes in a wireless sensor network. Assume that the sensor node set is{V1, V2, . . . , Vn}.

• α: the number of broadcasted random bits by a beacon node. • β: the number of stored bits, with respect to each beacon or beaming

node, by the adversary.

• γ: the number of broadcasted random bits by a beaming node. • κ: the length of the shared keys established among neighboring sensor

nodes. Typically,κ is 128-bit long.

• μ = 2√κα: the number of randomly stored bits of a sensor node for

each beacon node in the KEB-SBscheme.

• Ki,j: the shared key computed by sensor nodeVifor its neighborVj within a bacon or beaming node.

• pcomplete: the probability of forming a complete network. • H: a cryptographic hash function with κ-bit output.

• G: a pseudorandom generator that stretches a short random bit string to a very long pseudorandom bit string.

• |S|: the number of elements in set S. • a  b: a is much smaller than b.

B

₁

B

2

B

3 V1 V2 V3 V7

Fig. 1. Deployment of sensor and beacon nodes in a field. Each beacon node uses a different frequency to broadcast random bits and each sensor receives and stores some of them.

any0 <  ≤ 1, Pr[ t  i=1 Xi≥ (1 + )tθ] ≤ e−tθ2/3. III. SCHEME: KEB-SB

Assume that the field deployment of sensor and beacon nodes is like that in Figure 1, in which a dot is a sensor node and a triangle is a beacon node. We assume that there are z beacon nodes B1, B2, . . . , Bz. We shall determine an appropriatez later. Without loss of generality, we only present

steps for beacon node B1 and sensor nodes V1, V2, . . . , Vm within its radio range. The adversary gets a fractionδ of the

broadcasted random bits ofB1.

The Scheme. The sensor nodes withinB1 use the steps in

Figure 2 to establish their shared keys. Those within other beacon nodes do the same thing. The idea is thatB1broadcasts

1) B1 generates and broadcastsα random bits on the fly.

2) Each Vi, 1 ≤ i ≤ m, randomly stores μ bits

ri1ri2· · · riμ. LetSi= {i1, i2, . . . , iμ}.

3) Each Vi,1 ≤ i ≤ m, does the following:

a) ExchangeSiwith each of its neighborsVjvia their direct radio link;

b) Let Si,j = Si∩ Sj = {s1, s2, . . . , sl}. If |Si,j| =

l ≥ κ, compute Ki,j= H(rs1rs2· · · rsl).

c) Erase the stored bitsri1ri2· · · riμfrom its memory.

Fig. 2. KEB-SB: Steps of establishing shared keys between neighboring sensor nodes within the radio range of the beacon nodeB1.

α random bits and each sensor node randomly stores μ bits.

Then, two neighboring sensor nodes exchange the indices of their stored bits and find their common bits. Finally, they compute the shared key from the common bits by taking the hash value of the common bits. It is easy to check that

Ki,j = Kj,i since Vi andVj found their common bits from the publicly exchanged indices.

It is critical that some sensor nodes V lie within the radio

coverage areas of many beacon nodes, say, B1, B2, . . . , Bτ. Assume that Bi’s use different frequencies for broadcasting so that they won’t interfere with each other. In this case,

V establishes shared keys with its neighboring sensor nodes

within various beacon nodesBk,1 ≤ k ≤ τ. Thus, a network that connects all sensor nodes can be formed. For example, the sensor node V1 has a shared key K1,3 with V3 within

B1 and a shared keyK1,7 with V7 within B3. V1 plays as a

connecting node between the sensor nodes withinB1and the

sensor nodes withinB3.

Probability of Establishing Shared Keys. In the scheme

each sensor node within a beacon node stores μ = 2√κα

broadcasted bits randomly. Two neighboring sensor nodes within a beacon node will have 4κ common bits on aver-age. Furthermore, the probability that two neighboring sensor nodes have at leastκ common bits is 1 − e−κ/4 _{at least. For}

κ = 128, 1 − e−κ/4 _{≈ 1. The following lemma shows this} fact, whereS and T are the sets of indices of stored bits by

two neighboring sensor nodes, respectively.

Lemma 1 ( [4]): If S and T are randomly chosen from

the 2√κα-element subsets over {1, 2, . . . , α}, then, for

suf-ficiently largeα,

Pr

S,T[|S ∩ T | < κ] < e −κ/4_.

Security of Shared Keys. Assume that the adversary stores β = δα bits of the broadcasted α bits, where δ < 1 is a

constant. The security of shared keys depends onδ and κ. Two

neighboring sensor nodes within a beacon node havel = 4κ

common bits on average and the adversary gets a fraction

δl of them on average. Although the number l of common

stored bits is a random variable, we take the averagel = 4κ

for simplifying analysis. We show that the probability that the adversary gets up to(δ + )l common bits is very low, where

δ +  < 1.

Let A ⊂ {1, 2, . . . , α} be the set of indices of the stored

bits by the adversary,|A| = β, and B the set of indices of

the commonly stored bits by two neighboring sensor nodes,

|B| = l. We fix A first. The probability that the adversary

stores (δ + )l common bits is, for δ +  < 1 and integer

l(δ + ), Pr B[|A ∩ B| ≥ (δ + )l] = l  i=(δ+)l _β i _α−β l−i  _α l  .

It is hard to derive a closed form for the above equation. Nevertheless, we can compute a pretty tight upper bound. In the above computation the elements inB are randomly chosen

one by one from{1, 2, . . . , α} without replacement. However,

ifα is much larger than l, we can think that the elements are

randomly chosen one by one with replacement. Let B _{be a} multi-set with l elements randomly chosen one by one from {1, 2, . . . , α} with replacement. Since α is indeed much large

thanl in our schemes, we can safely say that

Pr

B[|A ∩ B| ≥ (δ + )l] ≈ PrB[|A ∩ B

_{| ≥ (δ + )l],} which is bounded by the following lemma.

Lemma 2: Let A be a fixed subset of {1, 2, . . . , α} with |A| = β and B_{, |B}_{| = l  β, a multi-subset randomly} chosen from{1, 2, . . . , α} with replacement. It holds that

Pr B[|A ∩ B

_{| ≥ (δ + )l] ≤ e}−l2_/(3δ)

.

Proof: Let Xi be the indicator random variable for whether the ith chosen element of B _{is in A, 1 ≤ i ≤ l.} We have |A ∩ B_{| =}l

i=1Xi andE(li=1Xi) = δl. Since

Xi’s are independent, by the Chernoff bound, we have Pr B[|A ∩ B _{| ≥ (δ + )l] = Pr[}l i=1 Xi≥ (δ + )l] = Pr[l i=1 Xi≥ δl(1 + /δ)] ≤ e−δl(/δ)2/3 = e−l2_/(3δ) .

Since the above holds for any fixedA, the probability holds

no matter how the adversary stores broadcasted bits. Forκ =

128, δ = 2/3,  = 1/4, we have Pr

B[|A ∩ B

_{| ≥ (11/12)l] < e}−16_.

In this case, the adversary does not know at least(1−δ−)l ≈ 43 common bits of two neighboring sensor nodes within a beacon node.

Probability of Complete Connectivity. We now compute the

number of beacon nodes that are needed for high pcomplete. The most important factor for pcomplete is the size of the overlapping area of radio coverage since the sensor nodes within the overlapping area connect sensor nodes within different beacon nodes. LetR be the radius of the field and r

be the radius of the radio coverage of a beacon node. Recall that there are z beacon nodes. We take a very conservative

and ideal estimate for the required z. Here, we assume that

each overlapping area is shared by three beacon nodes. For each beacon node, the overlapping area of coverage is at least

V1 V2 V9 V4 V5 V6 V7 V8 V3

Fig. 3. Deployment of sensor nodes in a field. Some sensor nodes become beaming nodes for broadcasting random bits.

wherer2_{z − R}2_{> 0. If we want the number of sensor nodes}

within the overlapping area of a beacon node to be at leastc,

we need n πR2( πr2_{z − πR}2 2z ) ≥ c, which implies z ≥ nR2 nr2_{− 2cR}2 (1)

With these c connecting sensor nodes within each beacon

node, the probability that the sensor nodes within the beacon node are isolated from the whole network is at most(2e−κ/4₎c_. There are n/z sensor nodes within each beacon node on

average. The probability that any one of them fails to connect to another sensor node is at most(n/z)e−κ/4_{. Since there are}

z beacon nodes, the probability pcompletethat all sensor nodes are connected is at least

1 − z((n/z)e−κ/4_{+ (2e}−κ/4₎c_),

which is very close to 1 for a relatively largen, say, n = 1000.

Our analysis is based on idealistic assumptions, such as a good frequency management and the coverage of the random deployment is reasonably well. For practical consideration, please see, e.g., [10].

IV. SCHEME: KE-SB

In the situation that no beacon nodes exist, we let some sensor nodes play the role of broadcasting random bits. We call these sensor nodes as beaming nodes. Assume that each sensor node becomes a beaming node with probability p

independently, wherep will be determined later. The choice of p is to have enough beaming nodes to cover the whole field.

A field deployment is shown in Figure 3, in whichV1 toV9,

denoted as triangles, are the beaming nodes. Note that since a beaming node uses a seed to generate pseudorandom bits,

- Each Vi, 1 ≤ i ≤ n, randomly acts a beam-ing node with probability p. Without loss of

gen-erality, let V1, V2, . . . , Vτ be the beaming nodes and

Vτ+1, Vτ+2, . . . , Vn be the non-beaming sensor nodes. 1) Each beaming node Vj, 1 ≤ j ≤ τ, generates a secret

seedsj randomly and broadcastsγ pseudorandom bits

G(sj) = rj,1rj,2· · · rj,γ.

2) Each non-beaming sensor nodeVi, τ + 1 ≤ i ≤ n, does the following. Assume that Vi is within radio range of beaming nodesV1, V2, . . . , Vρ, wlog.

a) Randomly store 4κ bits rj,j1rj,j2· · · rj,j4κ from each Vj, 1 ≤ j ≤ ρ. Let Si,j =

{(j, j1), (j, j2), . . . , (j, j4κ)}, 1 ≤ j ≤ ρ.

b) SendSi,j toVj,1 ≤ j ≤ ρ.

c) Compute the shared key Ki,j =

H(rj,j1rj,j2· · · rj,j4κ) with Vj,1 ≤ j ≤ ρ. 3) Each beaming node Vj, 1 ≤ j ≤ τ, computes

the shared key Kj,i = H(rj,j1rj,j2· · · rj,j4κ) by Si,j with each of its neighboring sensor nodes Vi, where

rj,j1rj,j2· · · rj,j4κ is re-computed from its random seed

sj.

4) Each beaming nodeVj erases its random seedsj from its memory,1 ≤ j ≤ τ.

Fig. 4. KE-SB: Steps of establishing shared keys between beaming nodes and their neighboring sensor nodes.

the adversary’s computing power should be polynomial-time bounded, instead of unboundedness.

The Scheme. The KE-SB scheme is shown in Figure 4. A beaming node Vj broadcasts γ pseudorandom bits G(sj) =

rj,1rj,2. . . rj,γ and each sensor nodeViwithin its radio range stores 4κ bits of them randomly. Then, the sensor node

Vi sends the indices (j, j1), (j, j2), . . . , (j, j4κ) of the stored

bits to Vj and computes the shared key Ki,j which is the hash value of its stored bits. Vj computes the stored bits of Vi from the random seed sj and the shared key Kj,i in the same way. It is necessary that a beaming node uses a pseudorandom generator to generate pseudorandom bits since these pseudorandom bits are used later for computing shared keys with its neighboring sensor nodes.

Security of Shared Keys. The security analysis of a shared

key is the same as that of the KEB-SBscheme. Recall that an adversary has a storage ofβ bits. By Lemma 2, the probability

that the adversary getsl(δ + ) of the stored bits of a sensor

node is less than

e−4κ2_γ/(3β)

.

Density of Beaming Nodes. The larger p is, the higher pcomplete is. Nevertheless, we want to have a smaller p so that the expected number np of beaming nodes is as small

as possible. Assume that r is the radius of radio range of a

beaming node and R is the radius of the deployment field.

Note that this r is smaller than that of a beacon node in the

KEB-SBscheme. The expected number of beaming nodes is

Equation (1), we need

z = np ≥ nR2 nr2_{− 2cR}2,

wherec is the expected number of connecting nodes in the

overlapping area of two beaming nodes. Thus, we have

p ≥ _{nr2− 2cR}R2 ₂.

V. DISCUSSION

Our schemes are designed on an abstract model of wireless sensor networks. Many details are omitted. Comparison be-tween the conventional and storage-bounded adversary model is uncalled-for since their basic assumptions are fundamentally different. Even though our schemes are theoretical, we can use some techniques to improve their performance on energy consumption, storage requirement and computation cost.

1) No re-send: It is possible that a sensor node does not receive some random bits from beacon or beaming nodes. The sensor node can simply ignore a lost bit and continues to wait for the next one. This does not affect its functionality since only a very small fraction of broadcasted bits are stored by each sensor node. Thus, the beacon and beaming nodes can broadcast in a ”raw” mode.

2) Sleeping: In our schemes, random bits are broadcasted for a relatively long period of time. But, the sensor nodes do not store all of them. Thus, the sensor nodes can use the random sleeping technique to reduce energy consumption. Each sensor node stays in a state of very low energy consumption for most time and wakes up to receive bits from time to time.

Furthermore, when a sensor node needs to receive broad-casted random bits from different beacon or beaming nodes in different frequencies, it can switch to a different frequency in each wake-up. Thus, the beacon or beaming nodes can broadcast random bits at different frequencies without worrying about whether their neighboring sen-sor nodes can receive them simultaneously.

3) Pseudorandomness: In our schemes, all kinds of nodes need some random bits. Beacon and beaming nodes need to generate random bits for broadcasting and sensor nodes need to generate random indices for picking up broadcasted random bits. In fact, pseudorandom bits can replace random bits for better efficiency. A node can sample a short random seed s from the environment

and uses the pseudorandom bit generatorG to generate

pseudorandom bitsG(s).

It should be noted that if we use pseudorandom bits in the scheme, the storage-bounded adversary should be polynomial-time bounded also, instead of computing-unboundedness. This is because a computing-unlimited adversary can search the seed by the eavesdropped pseudorandom bits and the pseudorandom generatorG.

In reality, an adversary may jam the media to block the process of key establishment. It is hard for wireless commu-nications to resist this kind of denial of service attacks. Due to sensor nodes’ low hardware profile, it is not practical for them to receive the random bits from a satellite. In the above we only discuss how to establish shared keys for the sensor nodes that are within the radio range of beacon and beaming nodes. For others that are neighbored can establish direct link through the path-key finding process.

VI. CONCLUSIONS

We have introduced the storage-bounded adversary model to wireless sensor networks and proposed two key establishment schemes in this model. We are interested in improving effi-ciency of the schemes for practicability in the future. We are also interested in proposing different kinds of security schemes for wireless sensor networks in this model.

REFERENCES

[1] R. Blom, “An optimal clas of symmetric key generation systems,” in

Proc. EUROCRYPT 84, pp. 335–338, 1984.

[2] C. Cachin and U. M. Maurer, “Unconditional security against memory-bounded adversaries,” in Proc. CRYPTO 97, pp. 292–306, 1997. [3] H. Chan, A. Perrig, and D. Song, “Random key predistribution for sensor

networks,” in Proc. IEEE Symposium on Security and Privacy 03, pp. 197–213, 2003.

[4] Y. Z. Ding, “Oblivious transfer in the bounded storage model,” in Proc.

CRYPTO 01, pp. 155–170, 2001.

[5] W. Du, J. Deng, Y. S. Han, and P. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proc. ACM CCS

03, pp. 42–51, 2003.

[6] L. Eschenauer and V. D. Gilgor, “A key-mamnagement scheme for distributed sensor networks, in Proc. ACM CCS 02, pp. 41–47, 2002. [7] D. Liu and P. Ning, “Eatablishing pairwise keys in distributed sensor

networks,” in Proc. ACM CCS 03, pp. 52–61, 2003.

[8] U. M. Maurer, “Conditionally-perfect secrecy and a provably-secure randomized cipher.” J. Cryptology, vol. 5, no. 1, pp. 53–66, 1992. [9] M. J. Miller and N. H. Vaidya, “Leveraging channel diversity for key

establishment in wireless sensor networks,” in Proc. IEEE INFOCOM

06, pp. 1–12, 2006

[10] S. Meguerdichian, F. Koushanfar, M. Potkonjak, and B. Srivastava, “Coverage problems in wireless ad-hoc sensor networks,” in Proc. IEEE

INFOCOM 01, pp. 1380–1387, 2001.

[11] M. Mitzenmacher and E. Upfal, Probability and Computing:

Random-ized Algorithms and Probabilistic Analysis. Cambridge University Press,

2005.

[12] K. Ren, K. Zeng, and W. Lou, “A new approach for random key pre-distribution in large scale wireless sensor networks,” Wireless Commun.