In this paper, we propose an authenticated key agreement scheme, TinyIBAK, based on the identitybased cryptography and bilinear paring, for large scale sensor networks. We prove the security of our proposal in the random oracle model. According to the formal security validation using AVISPA, the proposed scheme is strongly secure against the passive and active attacks, such as replay, maninthe middle and node compromise attacks, etc. We implemented our proposal for TinyOS2.1, analyzed the memory occupation, and evaluated the time and energy performance on the MICAz motes using the Avrora toolkits. Moreover, we deployed our proposal within the TOSSIM simulation framework, and investigated the effect of node density on the performance of our scheme. Experimental results indicate that our proposal consumes an acceptable amount of resources, and is feasible for infrequent key distribution and rekeying in large scale sensor networks. Compared with other IDbased key agreement approaches, TinyIBAK is much more efficient or comparable in performance but provides rekeying. Compared with the traditional key predistribution schemes, TinyIBAK achieves significant improvements in terms of security strength, key connectivity, scalability, communication and storage overhead, and enables efficient secure rekeying.
1. Introduction
W
ireless sensor networks (WSNs) are comprised of a large number of limited sensor nodes which are spatially distributed across the field of interest. WSNs have been appiled in many areas including military, healthcare, environment, and manufacturing, etc. WSNs are vulnerable to various malicious attacks such as eavesdropping, message replay and node compromise, due to its nature of open wireless medium, restricted node resources, and unattended operation manners. Thus security is very significant for wireless sensor networks deployed in hostile environments.
In order to prevent malicious nodes from violating the security of sensor networks, cryptographic technologies should be used to achieve the data confidentiality, integrity, and authentication between communicating nodes. Symmetric key cryptography (SKC) is a popular choice for securing sensor networks due to its efficiency. There have been some implementations of SKCbased mechanisms designed for sensor networks, but the security of the key management mechanism in these implementations is very poor. Take TinySec
[1]
, a link layer security mechanism for the MICA2 implemented in TinyOS, as an example. TinySec relies on a single global key all over the network, and doesn’t support securely rekeying itself. Meanwhile, TinySec’s 4byte initialization vector (IV) only allows secure communication for 2
^{16}
times, which may be insufficient for WSNs whose lifespans demand longer lasting security. For instance, in the Great Duck Island Project
[2]
, each node sends one message every 70 seconds, thus 2
^{16}
packets’ secure transmission can only last for approximately 45 days. On the other hand, the reliance on a single global key is vulnerable to the compromise of a single node. Hence, more effective key distribution and rekeying schemes are needed to enhance the security strength of the SKCbased mechanisms.
Key management becomes a major challenge in resource constrained sensor networks. Existing key management schemes for sensor networks can be classified into the key predistribution approaches and the public key cryptography (PKC) based approaches. In the key predistribution approaches, a subset of keys from the same key pool is preloaded to sensor nodes. Any two nodes search for the common keys to establish the pairwise key. However, this kind of approaches has a high memory and communication costs, and is vulnerable to impersonating and node compromise attack. On the other hand, the traditional PKC based approaches are energy consuming and usually need public key infrastructure (PKI), which is not affordable for sensor networks.
The main idea of identitybased cryptography (IBC) is that any information that uniquely identifies entities (e.g. name or email address) can be used as a public key, thus the PKI is unnecessary. In this work, we argue that IBC is ideal for WSNs. In the context of WSNs, the network deployer can be considered as a trusted entity, thus can play the role of Private Key Generator (PKG) perfectly which takes charge of generating and escrowing nodes’ private keys. On the other hand, the private keys can be preloaded into nodes offline in a secure way.
Inspired by the synergy between IBC and WSNs, we proposed an identitybased authenticated key agreement scheme named TinyIBAK based on bilinear paring, for large scale sensor networks. The major contributions of this work are as follows:

1) We performed the formal security proof for the proposed scheme, and heuristically analyzed the security properties which the formal security proof does not cover, and the resilience against some attacks on routing protocols. Furthermore, we presented the formal security validation using AVISPA tool[3].

2) We presented a prototype implemented of our proposal on the TinyOS2.1 platform based on RELIC cryptographic toolkit[4]to evaluate the feasibility and performance of our proposal in the practical network deployment.

3) We compared our scheme with other IDbased approaches and traditional key predistribution schemes in terms of computation, communication and memory overhead, as well as security strength, key connectivity and scalability.
The rest of this paper is organized as follows. In section 2, we discuss the related works. In section 3, we introduce related basic mathematical concepts and the security model. In section 4, we describe the proposed TinyIBAK scheme in details. In section 5, we present the detailed security analysis of TinyIBAK. The Prototype implementation issues and the performance evaluation are discussed in section 6 and section 7 respectively. In Section 8, we compare our proposal with some wellknown key agreement schemes for sensor networks. Finally, we conclude our work in section 9.
2. Related Works
Recently, a number of key management schemes have been proposed for large scale sensor networks
[5

12]
, these schemes may be classified into the key predistribution and public key cryptographic based approaches.
Key predistribution is a promising scheme for key management in sensor networks. In this kind of schemes, keying materials are preloaded into sensor nodes before deployment. Eschenauer and Gligor
[5]
propose the first random key predistribution scheme for pairwise key establishment. The main idea behind the scheme is that each node randomly picks a set of keys from a key pool before deployment so that any two sensor nodes have a certain probability to share at least one common key. Subsequent extensions were proposed in
[6
,
7]
, in which two nodes can establish a secure link if they share
q
keys. Liu and Ning
[8]
provide further extension to enhance scalability and resilience to attacks by using key polynomials. This set of schemes is static since they do not support rekeying and new node addition after deployment.
Dynamic key predistribution approaches are more flexiblein rekeying and deployment than the static ones.Moharrumet al.
[9]
presents a comparative study between the static and dynamic key predistribution schemes. Eltoweissy et al.
[10]
proposed a dynamic key management scheme called the Localized Combinatorial Keying (LOCK) which is based on EBSbased dynamic key management scheme. LOCK significantly enhances network resilience to collusion at the low cost of using key polynomials as compared to that for the Liu et al.’s polynomialpoolbased scheme
[8]
. Chorzempa et al.
[11]
proposed another dynamic key management scheme called the Survivable and Efficient Clustered Keying (SECK) for hierarchical wireless sensor networks, which is resilient against node capture as well as key capture to a certain extent while maintaining low levels of communication and computation overheads. Das
[12]
propose a dynamic random key establishmentscheme, which is called multiphase deployment key establishment scheme (MPDKE). The basic idea is todivide the deployment into multiple phases, and ask the already deployed nodes refresh their own keys in key rings before the nextdeployment phase occurs. This scheme provides a goodtradeoff between network connectivity, overheads, andnetwork resilience against node capture attack.
However, the common shortcomings of key predistribution schemes cannot be neglected. To ensure the key connectivity, most predistribution schemes require a large number of keys to be preloaded. With the increase of the node number, the key storage occupation and communication costs increase significantly, which makes the predistribution schemes inapplicable to large scale sensor networks.
To address the problems aforementioned, researchers have been investigating the possibility of making use of public key cryptography (PKC). Several works
[13

15]
have demonstrated the feasibility of PKC on the resource constrained sensor nodes. Malan et al.
[13]
implement elliptic curve DiffieHellman (ECDH) key exchange on the MICA2 motes to derive a mutual key between pairs of nodes. But it is not authenticated, and hence is subject to the maninthemiddle attack. Watro et al.
[14]
propose a scheme named TinyPK based on RSA cryptosystem and DiffieHellman algorithms, allowing authentication and key agreement between a sensor network and a third party as well as between two sensor networks. However, TinyPK requires a public key infrastructure (PKI) for public key authentication, which is not affordable in WSNs. Yang et al.
[16]
propose an approach based on identitybased encryption and DiffieHellman Algorithms, providing authenticated key agreement between pairs of sensor nodes. But its computation and memory overhead are too high to apply practically. Oliveira et al.
[15]
implement SOK protocol for sensor networks, in which no interaction is required. However, the shared secret derived through SOK is static, which means that SOK doesn’t support rekeying.
3. Preliminaries
 3.1 Basic Concepts
Let
E
/ F
_{q}
be an elliptic curve over a finite field F
_{q}
, and
E
(F
_{q}
) be the group of points on this curve, where
q
is a large prime. Let point
P
∈
E
(F
_{q}
) be a generator of order
n
, and group
G
_{1}
= <
P
> , where
n
is a large prime.
Bilinear Pairing.
Let
G
_{1}
be an additivelywritten group of order
n
with identity
o
, and let
G_{T}
be a multiplicativelywritten group of order
n
with identity 1. A
bilinear pairing
is a computable, nondegenerate function
The most important property of pairings in cryptographic constructions is the
bilinearity
, namely, for any
U
,
V
∈
G
_{1}
, and any
a
,
b
∈
Z
^{*}
, we have
Bilinear DiffieHellman Problem (BDHP).
Given
P
, [
a
]
P
, [
b
]
P
, and [
c
]
P
for some
a
,
b
,
c
∈
Z
^{*}
,compute
BDH assumption.
There exists no probabilistic polynomial time (PPT) algorithm which can solve the BDH problem in
G
_{1}
,
G_{T}
with nonnegligible probabiliity.
Embedding Degree.
A subgroup
G
of
E
(F
_{q}
) is said to have an
embedding degree k
with respect to
n
if
k
is the smallest integer such that
n

q^{k}
1.
 3.2 Security Model
In this work, we shall use a modified BlakeWilson key exchange security model
[17]
to analyze the protocol security. We adapt the model to the identitybased setting. In the model, a protocol is modeled as a set of oracles
which means the n
th
protocol running between participants
i
and
j
. Oracles keep transcripts which record messages they have sent or received as a result of queries they have answered.
Each participant has a pair of IDbased longterm asymmetric keys, where the public key is created using the participant’s ID and the private key is computed and issued by a PKG. We assume there is a setup algorithm
Setup
which produces a description of the groups
G
_{1}
,
G_{T}
and the bilinear map
assigns random tapes and oracles as necessary, and distributes a longterm master key to the PKG.
The model also includes an adversary
E
who is modeled by a PPT Turing Machine and has access to all the participants’ oracles in the game.
E
can reply, modify, delay, interleave or delete messages.
E
is called the benign adversary if she simply passes messages to and fro between participants. We note that all communications go through the adversary. Participant oracles only respond to queries by the adversary and do not communicate directly amongst themselves. It is assumed that
E
is allowed to make the following types of queries of existing oracles as defined in
[17]
:

–Send:this allowsEto send a message of her choice to an oracle, say, in which case participantiassumes the message has been sent by participantj.Emay also make a special Send query to an oraclewhich instructsito initiate a protocol run withj. An oracle is aninitiator oracleif the first message it has received is a λ. If an oracle has not received a message λ as its first message, then it is aresponder oracle.

–Reveal:this allowsEto ask a particular oracle to reveal the session key (if any) it currently holds toE.

–Corrupt:this allowsEto ask a particular oracle to reveal its longterm private key.
The security of protocol is defined by the game between
E
and a challenger. In the game,
E
has access to a set of oracles
, and is allowed to make a polynomial number of queries including
Send, Reveal, and Corrupt
to any oracle in any order. Then at some point,
E
has to make a
Test
query to a fresh oracle
. Then the challenger chooses at randomb b ∈ {0,1} and responds to
E
with the session key of
if
b
= 0 , and otherwise a random sample from {0,1}
^{k}
. After this point,
E
can continue querying oracles except that
E
cannot reveal the test oracle
or its partner oracle
(if exists), and that
E
cannot corrupt its partner j. Finally,
E
output its guess
bʹ
for
b
.
E
’s advantage is defined as the probability that
E
can distinguish the session key held by the queried oracle from a random string, and is denoted as:
Adv^{E}
(
k
)= Pr[
bʹ
=
b
]1/2 .
Definition 1.
An oracle
is fresh if: (1)
has accepted holding a session key; (2)
is unopened; (3) the participant
j
≠
i
is not corrupted; (4) there is no opened oracle
which has a matching conversation to
.
The above fresh oracle definition is particularly defined to cover the keycompromise impersonation resilience property since it implies that the user
i
could have been issued a Corrupt query.
Definition 2.
A MAC is a secure MAC if for every PPT adversary
E
of the MAC, the function
ε
(
k
) defined by
ε
(
k
) = Pr[
kʹ
←{0,1}
^{k}
;(
m
,
a
)←
E
:(
m
,
a
) =
MAC
_{kʹ}
(
m
)] is negligible.
Definition 3.
A protocol is a secure authenticated key agreement protocol with key confirmation (AKC) if: (1) in the presence of the benign adversary
and
both oracles always accept holding the same session key, and this key is distributed uniformly at random on {0,1}
^{k}
; and if for every adversary
E
: (2) if uncorrupted oracles
and
having matching conversations then both oracles accept and hold the same session key; (3) the probability of
No

Matching^{E}
(
k
) is negligible; (4)
Adv^{E}
(
k
) is negligible.
The above security model and definitions imply the implicit key authentication(IKA), known key security (KKS), key compromise impersonation resilience (KCIR) and unknown key share resilience (UKSR), but do not cover the forward secrecy property
[17]
. We discuss this property of our protocol heuristically later in the paper.
4. Proposed TinyIBAK Scheme
 4.1 TinyIBAK
In this section, we describe our proposal TinyIBAK. TinyIBAK is involved with three kinds of entities, i.e. any two nodes intent to agree a secret key, represented as node A and node B, and a management system owned by the network deployer (plays the role of PKG). TinyIBAK is comprised of three steps, including Setup, Extract, and Key Agreement. Before deployment, the management system performs Setup and Extract steps offline in a secure environment, and preloads corresponding information including private key, public key, and public system parameters into each node. After deployment, each node performs neighbor discovery, broadcasts its ID within its neighborhood, and performs the Key Agreement step of TinyIBAK as shown in
Fig. 1
. We assume that an adversary cannot compromise a node in the bootstrapping phase.
The Key Agreement of TinyIBAK
Setup.
takes a security parameter
k
as input, and returns the master key and system parameters. For a given security parameter
k
, the management system does the following,
(1) Chooses a pairingfriendly supersingular elliptic curve
E
/ F
_{q}
, and runs the IBC parameter generator to generate the cyclic groups(
G
_{1}
, +) and (
G_{T}
, ‧) of the prime order
n
, an arbitrary generator
P
of
G
_{1}
, and a bilinear pairing
(2) Chooses the master key
s
∈
_{R}
Z
^{*}
_{n}
, and computes the system public key
P_{pub}
=
sP
;
(3) Chooses cryptographic secure hash functions
H
_{1}
: {0,1}
^{*}
→
G_{T}
and
H
_{2}
:
G_{T}
→ {0,1}
^{k}
;
(4) Publishes the tuple
as system parameters and keeps the master key
s
secret.
Extract.
takes the system parameters, master key, and a node identifier as input and returns the node’s IDbased longterm key. For each node
i
with identifier
ID_{i}
, the management system
(1) Computes
Q_{i}
=
H
_{1}
(
ID_{i}
) ;
(2) Computes the private key
d_{i}
=
sQ_{i}
;
(3) Preloads <
ID_{i}
,
d_{i}
,
Q_{i}
, Π> into every node of the network.
Key Agreement:
For two nodes A and B to establish an authenticated session key, they should do as follows:
(1) To start a key agreement session with the intended responder B, the initiator A chooses a random
a
∈
_{R}
Z
^{*}
_{n}
, computes the key token
W_{A}
=
aQ_{A}
, and sends
ID_{A}
and
W_{A}
to B,
A → B :
ID_{A}
‖
W_{A}
.
(2) On receiving the initiation message from node A, node B does the followings:

a) Chooses a randomb∈RZ*n, and computes the key tokenWB=bQB

b) Computesand derivesk1,k2using the key derive functions (KDFs), (k1,k2) ←KDF(KBA) ;

c) Computes the message authentication code (MAC) with the secretk1,tB=MACk1(IDB,IDA,WB,WA) ;

d) SendsIDB,WBand tB to node A, B → A:IDB‖WB‖tB.
(3) On receiving the responding message from node B, node A :

a) Computesand derivesk1,k2using the KDFs, (k1,k2) ←KDF(KAB) ;

b) Checks the received MAC tagtB=MACk1(IDB,IDA,WB,WA) ;

c) Computes the MACtA=MACk1(IDB,IDA,WB,WA), and sends it to node B,A→B:tA.
(4) On receiving the confirmation message from node A, node B checks the received
t_{A}
=
MAC
_{k1}
(
ID_{A}
,
ID_{B}
,
W_{A}
,
W_{B}
).
(5) The shared session key between node A and node B is
k
_{2}
, i.e.
K_{AB}
=
k
_{2}
.
It is easy to see that thanks to the bilinear property,
Therefore, the shared secret between node A and B agrees.
The shared secret is dynamic, because it uses the number
a
and
b
, which are randomly chosen for every round of key agreement. In TinyIBAK, We use two different secure hash functions
H
_{2}
:
G_{T}
→ {0,1}
^{k}
and
H
_{3}
:
G_{T}
→ {0,1}
^{k}
as key derivation functions to generate two symmetric keys, in which
k
_{1}
is used to compute the message authentication code (MAC) and
k
_{2}
is the shared session key used for the secrecy communications between node A and B.
 4.2 Node Addition, Rekeying and Key Revocation
Whenever the new nodes enter the existing network, or failure nodes need replacement, TinyIBAK does not require any new keying material for existing nodes. The management system runs the Setup and Extract steps of TinyIBAK, and preloads <
ID_{i}
,
d_{i}
,
Q_{i}
, Π> into the new nodes. After deployment, the new nodes run the Key Agreement step to establish shared secret keys with its neighbor nodes.
Whenever rekeying is needed, node A sends rekeying request
Enc_{kAB}
(
rekeying nonce
) to its neighbor node B, and then they both run the Key Agreement step to agree new shared secret key.
Node addition/replacement and rekeying only incur interactions within the neighborhood, and do not affect other nodes of the WSN.
When a sensor node is compromised by an adversary, all the keys shared with this node need to be revoked. Assume that the node compromise is detected by some scheme and is reported to the base station (BS). After detection, BS disseminates a
Revocation
message containing a list of malicious nodes IDs, appending the signature calculated using its private key. When sensor nodes receive the
Revocation
message, they can check the integrity of the message by verifying the digital signature. If the
Revocation
is valid, sensor nodes delete the shared session keys with the compromised nodes, and blacklist the corresponding IDs.
5. Security Analysis
In this section, we formally analyze the security of our protocol, and heuristically discuss the additional security properties that the security proof does not cover. Furthermore, we validite the protocol using the AVISPA tool.
 5.1 Security Proof
The inherent security of our protocol relies on the difficulty of BDH Problem.With the security model descripted in Section 3.2, we now state:
Theorem 1.
Protocol TinyIBAK is a secure AKC protocol, assuming that the adversary does not make any
Reveal
queries, the BDH problem (for the pair of groups
G
_{1}
and
G_{T}
) is hard, the MAC is secure and provided that
H
_{1}
,
H
_{2}
and
H
_{3}
are random oracles.
Proof.
Conditions 1 and 2 of Definition 2 follow from the assumption that the two oracles follow the protocol and in both cases have matching conversations. Therefore both oracles accept (since they both receive correctly formatted messages from the other oracle) holding the same key
SK
(since
K_{AB}
=
K_{BA}
by the bilinearity of the pairing and the matching conversation). Since
H
_{2}
is a random oracle,
SK
is distributed uniformly at random on {0,1}
^{k}
. Condition 3 of Definition 2 follows from the Theorem 8 in
[17]
, and the detailed proof is omitted due to the page limitation.
Condition 4.
By the way of contradiction, we suppose that there exist a PPT adversary
E
who can win the above game with nonnegligible advantage ε(
k
). We assume that the number of participants is
q
_{1}
, and the maximum number of sessions for each participant is
q
_{0}
.
We construct from
E
an algorithm
F
which solves the BDH problem with nonnegligible probability. Let <
P
,
xP
,
yP
,
zP
> be the BDH instance given to
F
, whose task is to compute ,
e
(
P
,
P
)
^{xyz}
∈
G_{T}
.
F
chooses distinct random values
I
and
J
from {1,⋯ ,and a value l ∈{1.⋯.
F
simulates the
Setup
algorithm and sets the PKG’s master public key to be
xP
.
F
will also simulate all oracles required during the game.
F
then starts
E
, and answers all
E
’s queries as follows.
H
_{1}
(
ID_{i}
) : Algorithm
F
maintains an initially empty list
H
_{1}
list with the form <
ID_{i},
Q_{i}
> . F responds to the query in the following way.

– IfIDiis already on theH1list in the tuple , then F outputsQi.

– Otherwise, ifIDiis theJth unique identifier query, then F outputsQ=yPand adds the tuple to theH1list.

– Otherwise, F selects a randomri∈Z*q, outputsQi=riPand adds the tuple to theH1list.
F
simulates the
H
_{2}
oracle in the same way, keeping an H2 :
H
_{2}
list and answers all H2 :
H
_{2}
oracle queries at random.
Corrupt query:
F
answers
Corrupt
queries as specified by a normal oracle, i.e., revealing the longterm private key of the related participant, except that if
E
asks
J
a
Corrupt
query,
F
gives up.
Send query:
F
answers all
Send
queries as specified for a normal oracle, i.e., for the first
Send
query to an oracle,
F
takes a random value in
Z
^{*}
_{q}
to form its contribution, except that if
E
asks
for any
n
its first
Send
query,
F
chooses a random
s_{n}
∈
Z
^{*}
_{q}
and answers
s_{n}r_{I}zP
=
s_{n}zQ_{I}
. If the oracle is an initiator oracle, the first
Send
query will be a special initiating query, and if it is a responder oracle, the first
Send
query will contain an ephemeral input to
.
Reveal query:
F
does not need to answer
Reveal
queries since we do not allow the adversary to make
Reveal
queries.
Test query:
At some point in the simulation,
E
will ask a
Test
query to a fresh oracle. If
E
does not choose one of the oracles
for some
n
to ask the
Test
query, then
F
aborts. However, if
E
does pick
for the
Test
query, then
must be fresh, otherwise
F
aborts. Assuming that
obtained some value
jQ_{J}
as its input prior to accepting, the oracle should hold a session key of the form
H
_{2}
However,
F
cannot compute this key. Instead,
F
simply outputs a random value.
If
F
does not abort, then
E
must have computed
with the nonnegligible probability ε(
k
) , and queried the
H
_{2}
oracle on the corresponding value. At the end of
E
’s attack, if
E
has not made at least
l
queries to the
H
_{2}
oracle, then
F
aborts. Otherwise
F
picks
E
’s
l
th query (on some value
h
) to the
H
_{2}
oracle, which
F
guesses to be the value
with
and
γ
=
r_{I}s_{n}
.
F
outputs (
h
/
δ
)
^{1/γ}
as the response to the BDH challenge.
So the probability that F does not abort during the game and produces the correct output is at least
which is nonnegligible. This contradicts the BDH assumption. Hence, there exists no PPT adversary against our protocol that has nonnegligible advantage. We conclude that our protocol is a secure AKC protocol.
If a protocol is secure regarding the security model described in section 3.2, it achieves implicit mutual key authentication and the following general security properties: known key security (KKS), key compromise impersonation resilience (KCIR) and unknown key share resilience (UKSR)
[17]
. Since we assume that the adversary cannot make
Reveal
queries, our proof of security does not guarantee the KKS property.
 5.2 Other Properties of the Protocol
Since the security model which we used to prove Theorem 1 doesn’t cover some known active attacks, we now heuristically discuss some of the security properties related to these attacks.
Known key security (KKS).
Each run of the TinyIBAK between the node A and B produces a different session key that depends on the random selection of
a
and
b
. The adverary, who learned some other session keys, can predict neighter new or subsequent session keys, nor any earlier session keys either under the BDH assumption. Therefore, TinyIBAK achieves known key security.
Partial forward secrecy(PFS).
Compromise of longterm private keys
d_{A}
or
d_{B}
does not seem to lead to the compromise of past communications. But compromising both
d_{A}
and
d_{B}
does lead to the compromise of past communications, because the shared secret
K
can be computed as
So TinyIBAK only achieves partial forward secrecy, but not offer perfect forward secrecy.
Key confirmation.
If the tag
t_{A}
and
t_{B}
are validated, both parties can be sure that the other party does calculate the shared secret
the other party knows the identity of the entity that it is communicating with, and the communication process of both sides has not been tampered with. Therefore, TinyIBAK achieves mutual authentication of the communication, and confirmation of the shared key.
Explicit key authentication.
Our protocol achieves both implicit key authentication and key confirmation, so we can say it achieves explicit key authentication.
Resilience against node capture attack.
In TinyIBAK, each sensor is preloaded with one unique private key. After the session key established, each pair of nodes has a different shared key. Thus, compromising some sensors does not affect the security of communication among other pairs of nodes. Therefore, TinyIBAK achieves strong resilience against the node compromise attacks.
Resilience against replay attack.
In the bootstrapping phase, an attack can replay the old pairwise key establishment messages. This attack is prevented as each sensor has a secret random number which allows it to generate the key. So, even if an adversary replays an old message trying to establish a pairwise key with a valid node, she will not be able to do this as she must solve a DLP to get the random number.
Resilience against node fabrication attack.
Each node has a pair of IDbased longterm asymmetric keys, where the public key is created using the node’s ID and the privacy key is computed and issued by a trusted PKG. Therefore, even an adversary compromise a node, she still couldn’t fabricate another legitimate node.
Resilience against maninthemiddle attack.
Assume that the adversary
E
tries to launch the maninthemiddle attack, as the follow steps.

(i)Eintercepts the message A→B:IDA‖WA, computesW*A=aʹQA, and sendsIDA‖W*Ato node B;

(ii) Node B computes the shared keyKB=e(W*A+bQA,SB) =e(QA,QB)(aʹ+b)s, and the authentication tagtB=MACkB1(IDB,IDA,WB,W*A) ;

(iii)Eintercepts the message B→A ：IDB‖WB‖tB, computesW*B=bʹQB, and sendsIDB‖W*B‖tBto node A;

(iv) Node A computes the shared key KA =e(SA,W*B+aQB) =e(QA,QB)(bʹ+a)sand the tagtʹB=MACkA1(IDB,IDA,W*B,WA) , then node A findstʹB≠tB.The key agreement fails.
E
does not know the private keys
d_{A}
and
d_{B}
, so she can calculate neither
K_{A}
nor
K_{B}
. Therefore, our protocol is resistant to the maninthemiddle attack. We validate it using AVISPA tool in section 5.3
Resilience against attacks on routing protocols.
Many attacks on routing protocols are based on the node capture attack. Our proposed protocol can efficiently defend against several of them such that the sybil attack, the sinkhole attack and the wormhole attack. More details about these attacks can be found in
[18]
.
After deployment, the proposed protocol goes through the neighborhood discovery phases. At the end of the phase, each node would keep a list of its immediate neighbors. Given the assumptions mentioned before: an adversary cannot compromise a node in the bootstrapping phase. Since after key agreement each node knows the set of valid nodes with which it may communicate, an adversary cannot convince another node, which is not really in its neighborhood, that it is a near one. Therefore, a sinkhole attack or a wormhole attack can be detected. Moreover, the sybil attack is prevented as valid IDs and IDbased private keys are assigned by the trusted PKG. Hence the adversary cannot present as multiple IDs.
 5.3 Formal Security Validation Using AVISPA Tool
In this paper, we choose AVISPA
[3]
, an automated formal security validation tool, to analyze the security properties of the proposed TinyIBAK protocol. The reason for the choice of AVISPA lies in that (1) it is able to specify the security protocols in a very finegrained manner, so that we can model the security properties like secrecy of keys, authentication, resilience against the maninthemiddle and replay attacks, etc., (2) it integrates four different backend model checkers (i.e. the OFMC
[19]
, CLAtSe
[20]
, SATMC
[21]
, and TA4SP
[22]
) that implement a variety of stateoftheart automatic analysis techniques, so that we can choose the appropriate backends according to the scenario, and (3) it is widelyaccepted by academic researchers to analyze the potential threats on the security protocols.
Specifying the Protocol.
In order to validate the security properties of the proposed scheme with the AVISPA tool, we have implemented the key agreement phase of this scheme in the HLPSL language
[23]
. In the implementation, we assume that the public keys can be derived from the node ID via the hash function
H
_{1}
(·) . We model the operations of pairing, point addition and point multiplication as hash functions, denoted as
Ebilinear
(·),
Pred
(·) , and
Union
(·) , respectively, since the inverse of these operations is hard to compute for intruders. In addition, the proposed protocol is simulated under the DelovYao intruder model
[24]
. In this model, we assume that the intruder fully controls the whole network, namely the intruder can forward, modify, replay, suppress and synthesize all the messages sent by participants and send them anywhere. Besides, an intruder can play the legitimate participants, and gain knowledge from compromised participants, but he cannot violate the cryptography.
Our implementation includes two basic roles: alice and bob, which represent the initiator A and responder B in the proposed protocol, respectively.
Fig. 2
shows the role specification of the initiator A. When the initiator A firstly receives the start signal, it changes its initial state 0 to 2, and sends the message, <
A
,
Wʹ_{a}
> to the responder B with the
Snd
(·) operation, where a
Wʹ_{a}
is the key token derived from the point multiplication of the random number RndA and the public key
Q_{a}
. After receiving the message <
B
,
Wʹ_{b}
,
Tʹ_{b}
> from B, A changes its state 2 to 4, computes the shared secret ab
Kʹ_{ab}
using
RndA
,
Wʹ_{b}
and
Qʹ_{b}
, and derives the authentication tag a
Tʹ_{a}
using the key deriving function
KDF
(·) and the message authentication function
MAC
(·) . Finally, A sends the message a <
Tʹ_{a}
> to
B
.
Role specification for the initiator A
Fig. 3
shows the specification for the role of responder B. After receiving the message <
A
,
Wʹ_{a}
> from A, B changes its initial state 1 to 3, computes the key token
Wʹ_{b}
, and sends it to A using the Snd (·) operation. Then the shared secret
Kʹ_{ab}
and the authentication tag
Tʹ_{b}
are obtained with the same method as that of the initiator A, and
Tʹ_{b}
is sent to A. After receiving the authentication message <
Tʹ_{a}
>, B changes its state 3 to 5, and finally verifies the source of the message exchanged in this session.
Role specification for responder B
We have specified the toplevel role “environment” to describe the execution context of our scheme. A typical toplevel role contains the global constants, the intruder knowledge, and a composition of one or more sessions. The intruder in our protocol has the knowledge of all the cryptographic operations, system parameters, and the public key of each node in the network. The intruder plays some roles as legitimate users and participates in the execution of protocol. Due to the page limitation, the toplevel role specification is omitted from this paper. A similar example is presented in
[25]
. The following four secrecy and two authentication goals are verified in TinyIBAK:

– secrecy_of ra: It represents thatRndAis kept secret to A only.

– secrecy_of rb: It represents thatRndBis kept secret to B only.

– secrecy_of kab: It represents thatKabis kept secret to A and B only.

– secrecy_of k1: It represents thatK1is kept secret to A and B only.

– authentication_on alice_bob_tb: SinceK1is only known to A and B, if A verifies the message authentication codeTb, then A authenticates B.

– authentication_on bob_alice_ta: SinceK1is only known to A and B, if B verifies the message authentication code aTa, then B authenticates A.
Analysis of the Results.
We choose the OFMC
[19]
and CLAtSe
[20]
backends and a bounded number of sessions model checking to analyze the security properties of our scheme. According to the summary result for the formal security verification analysis depicted in
Fig. 4
, the proposed TinyIBAK is secure against the passive attacks and active attacks such as maninthemiddle attack and replay attack. Both the OFMC and CLAtSe report that the protocol is SAFE.
(i) Summary of analysis results from OFMC backend and (ii) summary of CLAtSe backend
6. The Prototype Implementation of TinyIBAK
In order to evaluate the feasibility and performance of our proposal in the practical network deployments, we have implemented a prototype of TinyIBAK on the TinyOS 2.1 platform. Current implementation involves the offline operations performed on the management system (a PC with TinyOS installed) and the online operations performed on the sensor nodes. The management system performs the Setup and Extract steps, and preloads the system parameters and node’s private key into each sensor node. The sensor nodes perform the Key Agreement step.
All the programs running on the sensor nodes have been developed in NesC, a Clike language for developing applications in TinyOS. The implementation of TinyIBAK is based on the RELIC cryptographic toolkit
[4]
, which provides the necessary tools to perform operations on elliptic curves. RELIC is a publicly available and open source library which is specifically designed for resourceconstrained devices.
As recommended by NIST
[26]
, we adopt an 80bit security level (RSA1024 equivalent), which can be achieved by choosing n ≥ 2
^{160}
and
q^{k}
≥ 2
^{1024}
for pairingbased cryptography. It means that we need to work with values that have more than 1024 bits. This fact makes the pairing computation the most expensive operation in TinyIBAK. For the pairing implementation we employed the
η_{T}
algorithm
[27]
, which is demonstrated to achieve a good efficiency on the embedded sensor devices
[28]
. The scalar point multiplication is another major operation in our scheme. We used the RighttoLeft window nonadjacent form (RwNAF) method
[29]
for general point multiplication, and the LefttoRight window nonadjacent form (LwNAF) method
[29]
for fixed point multiplication. Both methods we chose are constructed based on the slide window techniques, and specially designed for memoryconstrained platforms. In accordance with the required security level we choose the supersingular elliptic curve
y
^{2}
+
y
=
x
^{3}
+
x
with the embedding degree
k
= 4 defined over the binary field F
_{2271}
for our implementation.
As shown in
Fig. 5
, the core functions of TinyIBAK are modeled as three TinyOS components:
SecPrimitives
,
KeyAgree
, and
IdentityVerify
. The
SecPrimitives
component encapsulates the necessary security primitives from RELIC library, and provides the calling interface for other components. The
KeyAgree
component takes the responsibility for generating the key token and computing the shared secret key. The
IdentityVerify
component generates and verifies the authentication tags of the IDs and key tokens of both sides, using a keyedhash based message authentication code (HMAC) algorithm. TinyIBAK uses Timer and Random interfaces (provided by TimerC and RandomLFSR components, respectively) to handle the randomly delay transmission during the
Key Agreement
phase. On receiving the key agreement request from the initiator, the neighbors start a timer to wait a random period of time before transmission, to avoid channel contention and message collisions.
The TinyOS components used in the implementation of TinyIBAK
7. Experiment and Performance Evaluation
We conduct two experiments to explore the feasibility and performance of our proposal. The first experiment focuses on the performance of TinyIBAK deployed on a pair of sensor nodes, and the second experiment investigates the effect of node density on the performance of our proposal.
 7.1 NodeLevel Experiment
The goal of our first experiment is to evaluate the feasibility and performance of TinyIBAK on the MICAz sensor motes, a popular choice among the research community. The MICAz is based on the lowpower 8bit microcontroller ATmega128L, which operates at 7.3828MHz and offers 4KB of RAM memory and 128KB of program space. The MICAz runs TinyOS and embeds an IEEE 802.15.4 compliant CC2420 transceiver with a claimed data rate of 250 kbps. For simplicity, we deployed the programs of TinyIBAK on a pair of MICAz motes. Here we only focus on the operations carried out by the sensor nodes during the Key Agreement phase. We used Avrora
[30]
, an instructionlevel AVRmicrocontrolleroriented analysis tool, to evaluate the time and energy performance on the MICAz motes. We measured the memory occupation by examining the binary image of the programs of TinyIBAK. In the rest of this subsection, we discuss the performance of our proposal in terms of computation, communication and storage.
Computation Overhead.
The TinyIBAK scheme involves the computations of one bilinear pairing, two 271bit scalar point multiplications, one scalar point addition, two hashing functions and one MAC. The empirical computation overhead of TinyIBAK is shown in
Table 1
.
Initialization
comprises the parameter configuration of RELIC and the loading of the system parameters.
Parameter Computation comprises
the random chosen of
a
(
b
) and the computation of key token
W_{A}
(
W_{B}
).
Shared Key Computation
comprises the computation of the shared secret and the derivation of the shared key.
Computation overhead of TinyIBAK
Computation overhead of TinyIBAK
As shown in the
Table 1
, the TinyIBAK scheme takes 3.55s and consumes 80.85mJ in total to execute on ATmega128L microcontroller. Since the
Initialization
is only executed once at the bootstrap of sensor nodes, the actual time and energy consumption for the key agreement are 2.25s and 51.25mJ respectively. These data show that TinyIBAK consumes an acceptable amount of resources, given that these operations are performed very rarely and mainly at the beginning of the network operation. After the key agreement phase nodes will use much cheaper symmetric key encryption methods.
Memory Overhead.
The memory overhead of TinyIBAK includes the RELIC codes, TinyOS codes, node’s id, private key, public key, system parameters and the established shared keys with its neighbors. A private key (public key) requires a point on an elliptic curve, which is represented by coordinates (
x
,
y
) from a finite field with 271bit elements. Given x and a single bit of
y
, one can easily derive y. Thus, a private key (public key) can be compressed to 34 bytes.
Memory overhead of TinyIBAK
Memory overhead of TinyIBAK
Table 2
depicts the memory occupation of TinyIBAK scheme, where the .
bss
and .
data
segments consume RAM while the .
text
segment consumes ROM. The RAM utilization may seem high for MICAz sensor motes but most memory is reserved only for the duration of key agreement. The values showed in
Table 2
present only the peak numbers for stack usage during the program execution.
Communication Overhead.
In our TinyIBAK scheme, three messages are required to be exchanged during the key agreement, which can be expressed in the form of (1).
The key token
W_{A}
(
W_{B}
) is a point on
E
(F
_{2271}
) , thus can be compressed to 34 bytes. Each node identifier consists of 2 bytes. The MAC function is implemented with SHA1, thus the MAC tag occupies 16 bytes. Therefore, the initiator and the responder are required to transmit 52 bytes, respectively. Here we do not take the extra overhead arose from TinyOS packet encapsulation into consideration.
The communication overhead of TinyIBAK scheme is fixed for each node pair and independent of the network size. This feature allows our scheme to scale gracefully with the number of nodes in the network.
 7.2 NetworkLevel Experiment
The goal of our second experiment is to explore the effects of different node densities on the performance of TinyIBAK. We consider the case that a new sensor node is added into the network. After the neighborhood discovery, it needs to establish pairwise keys with all of its neighbors. We measured the time, energy and memory required by the newly added node to establish pairwise key with all of its neighbors, whose number is increasing with the node density.
We conduct the experiment within the TOSSIM simulation framework
[31]
for its accurate representation of realworld sensor networks. In the simulation, we randomly deployed 100 sensor nodes in the area of 200 m * 200 m, and chose a set of parameters to describe a scenario with a lowlevel asymmetric radio channel, as depicted in
Table 3
. The neighbors of the new comer are assigned by setting appropriate link qualities between the new comer and other nodes in the network.
Simulation parameters
We repeated our experiment for 100 times and generated a new set of internode link qualities for each run of the experiment, in order to prevent the result from being unduly affected by particularly good or bad connectivity for certain nodes in a generated topology. We chose to configure the media access protocol to make the sensor node keep backing off until it gets a chance to transmission. The choice greatly reduces retransmission at the cost of increasing latency.
In the second experiment, we evaluated the time, energy and memory consumed by a newly added node to establish pairwise keys with its neighbors. Since TOSSIM itself does not provide the energy model or MCU executing time model, we used the experiment data measured in section 7.1 to model the MCU executing time and energy consumption. We adopted the communication energy model constructed based on the CC2420 transceiver which transmits at a maximum data rate of 250 Kbps and an output power of 0 dBm, and receives at a constant reception power of 35.28 mW
[32]
. The parameters of time and energy models are listed in
Table 4
.
Parameters of time and energy model
Parameters of time and energy model
Time for New Node Addition.
We conducted 100 repeated experiments to measure the time taken by a newcomer to accomplish the key agreement with its neighbors.The experiment results depicted in
Table 5
indicates that when the number of neighbors
d
varies from 2 to 20, the empirical time shows a trend of increase in general, whereas the rising rate remains stable within an acceptable range, which is not affected by the network density. When
d
reaches 20, the newcomer needs about 47 seconds to complete the key agreement with all its neighbors.
Time for a sensornode to establish pairwise keys with itsdneighbors
Time for a sensornode to establish pairwise keys with its d neighbors
Energy Consumption for New Node Addition.
We recorded the energy dissipation of each operation of the newly added node in accordance with the model depicted in
Table 4
, and added up the records to achieve the total value at the end of each round of simulation.
Fig. 6
shows the energy consumption of a newly added node to accomplish the key agreement with all of its neighbors, which ranges from 2 to 20. The total energy consumption rises slowly with the increase of neighbors, which mainly due to the growth of traffic and the time for listening channel. The total energy consumption reaches around 1.0 joule when the number of neighbors is 20.
Energy consumption for a sensor node to establish pairwise keys with its neighbors
RAM Occupation.
As the node density increased, the newly added node needs to establish more pairwise keys with its neighbors, which means that the newcomer has to cache more key tokens from its neighbors. The relationship between the RAM occupation and the number of neighbors is shown in
Table 6
. Note that the memory allocated for the key tokens are reusable, which means once the pairwise key is established, the memory is available for other operations. Thus, the memory efficiency of our scheme is much higher than the key predistribution schemes like EG, in which the key ring always resides in RAM.
RAM occupation of TinyIBAK fordneighbors
RAM occupation of TinyIBAK for d neighbors
The results from the two experiments demonstrate that our proposal consumes an acceptable amount of resources, and is feasible for infrequent key agreement and rekeying in large scale sensor networks.
8. Comparison with Other Schemes
In this section, we compare TinyIBAK with some wellknown key distribution protocols, including the IDbased key distribution approach proposed by Yang et al.
[16]
(referred to as Yang’s scheme), Oliveira et al.
[15]
(referred to as TinyPBC), and the key predistribution scheme proposed by Eschenauer and Gligor
[5]
(referred to as EG scheme).
The EG scheme doesn’t involve any PKC operations, so its computation cost is negligible compared with other schemes. In
Table 7
, we compare the computation cost of the other two IDbased schemes with our proposal. We ignore the time taken by conventional hash operations and point addition operations as they are much more efficient compared with pairings, scalar point multiplications, and modular exponentiation operations. As shown in
Table 7
, TinyIBAK need two more scalar point multiplications than TinyPBC.
To compare the practical performance of the three schemes, we also implement TinyPBC and Yang’s scheme on the MICAz motes. For the implementation of TinyPBC, we adopt the same parameters as in our proposal. For the implementation of the Yang’s scheme, we employ a modulus of 1024 bits and an exponent of 160 bits for DiffieHellman, as recommended by NIST. All the performance data are the average results of 20 repeated experiments. The comparison of the performance evaluation results for the TinyIBAK, TinyPBC and Yang’s scheme is shown in
Table 8
.
Comparisons of computation cost
Comparisons of computation cost
Performance comparisons
In respect of communication overhead, Yang’s scheme requires each node to transmit 168 bytes due to the utilization of 1024bit modular in DiffieHellman key exchange. In TinyPBC, the SOK protocol only needs to exchange the node IDs, which only introduces 2 bytes communication for each node. In the EG scheme, each sensor broadcasts the list of identifiers of keys on its key ring. When the key pool S = 10000, the number of preloaded keys m of each node needs to be larger than 150 to achieve a high key sharing probability of 0.9
[5]
. Each key identifier requires at least 14 bits and the resulting message have a size more than 263 bytes. The comparison of the communication overhead of the three key distribution schemes with TinyIBAK is shown in
Fig. 7
. Here we do not take the extra overhead arose from TinyOS packet encapsulation into consideration.
Comparisons of communication overhead
According to the results in
Table 8
and
Fig. 7
, TinyIBAK is much more efficient than Yang’s scheme in the terms of computation, communication and memory overhead. The performance of our TinyIBAK is comparable with TinyPBC, except that in terms of the communication cost TinyIBAK is slightly less efficient than TinyPBC. However, TinyPBC, in which the shared secret is static, does not provide rekeying and key confirmation. Compared with the EG scheme, TinyIBAK has many advantages in terms of security strength, key connectivity, scalability, communication and storage overhead.
The communication overhead of the TinyIBAK scheme is fixed for each node pair, which is independent of the network size. Whereas in case of the key predistribution schemes (e.g. EG), the communication overhead increases significantly with the number of preloaded keys and the key pool size. If two nodes have to resort to a third node that might be one or multiple hops away, for helping establishing a pairwise key, larger communication overhead will be incurred. When the network expands to a large scale, this kind of scheme is no longer practicable.
One of the biggest advantages of TinyIBAK when compared with the EG scheme is the significant storage saving in terms of cryptographic keys. Assume that the number of sensors in a WSN is
N
. In TinyIBAK, each node is preloaded with a pair of keys (node’s private key and public key, 34 bytes each), thus the total number of preloaded keys in the network is 2N. In the EG scheme, each node is preloaded with
m
keys (e.g. each key 80bit). Thus the total number of preloaded keys in the network equals to
mN
. The value of
m
depends on the key pool size (
S
) and the probability of sharing at least one key between two nodes (
p
).
Fig. 8
depicts the total number of keys preloaded in the whole network for EG and TinyIBAK. The parameters of EG were set as
S
= 5000,
p
= 0.87, and two different values of
m
(
m
= 20, 50). As shown in
Fig. 8
, the storage savings of TinyIBAK increase drastically with the number of sensor nodes in the network. In TinyIBAK, the number of keys preloaded in each node is independent of the number of nodes. This feature allows our scheme to scale gracefully with the number of nodes in the network.
Comparison of the preloaded key storage space
As referred to the security strength, we first define the
compromising probability
, which is the probability that the attacker can decrypt the communication between any two nodes which are not compromised after capturing c nodes. In TinyIBAK, each sensor is preloaded with one unique private key. After the session key established, each pair of nodes has a different shared key. Thus, compromising c sensors does not affect the security of communication among other pairs of nodes. Chan et al.
[7]
presents the formula to calculate the probability that two sensors have exactly
j
common keys in the EG scheme
where
S
is the key pool size and
m
is the number of preloaded keys in each node. The compromising probability can be calculated as (2).
In
Fig. 9
we compare the compromising probability of TinyIBAK and EG. We set the parameters
S
as 5000 and
m
as 20 and 50 in two cases for the EG scheme, respectively. As
Fig. 9
shows, for the EG scheme the compromising probability increases significantly with the number of preloaded keys, while for TinyIBAK the compromising probability is always zero for all
c
values. Therefore, TinyIBAK provides deterministic security, and strong resilience to the node compromise attack. Whereas, the EG scheme only provides probabilistic security, and is vulnerable to the node compromise attack.
Comparison of the compromising probability
9. Conclusions
In this paper, we proposed an identitybased authenticated key agreement scheme, TinyIBAK, based on the bilinear paring, for large scale sensor networks. Through the formal security proof, the heuristical security analysis, and the formal security validation using AVISPA, we can see that our scheme is strongly secure against the passive and active attacks, such as replay attacks, maninthe middle attacks and node compromise attacks, etc.
To evaluate the feasibility and performance of our proposal, we implemented it for TinyOS2.1 based on the MICAz motes, analyzed the memory occupation, and evaluated the time and energy performance with Avrora. Moreover, we evaluated the effect of the node density on the performance of our scheme within the TOSSIM simulation framework. Experimental results indicate that our proposal consumes an acceptable amount of resources, and is feasible for infrequent key distribution and rekeying in large scale sensor networks.
Compared with other IDbased key agreement approaches, TinyIBAK is much more efficient, or comparable in performance but provides rekeying. Compared with the traditional key predistribution scheme, TinyIBAK achieves many advantages in terms of security strength, key connectivity, scalability, communication and storage overhead, and enables efficient secure rekeying.
BIO
Lijun Yang received the B.S. degree in 2007 from the School of Communication and Information Engineer, Nanjing University of Posts and Telecommunications, Nanjing, China, where she is currently pursuing the Ph.D. degree in information and Network Security. Her research interests include wireless sensor networks, information security, privacy preservation, and public key cryptography.
Chao Ding received the B.S. degree in 2006 from the School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, China, where he is currently pursuing his Ph.D. degree in Information and Network Security. His current research interests include applied cryptography, anomaly detection in sensor networks and implementation of real sensor platforms.
Meng Wu received his B.S., M.S. and Ph.D. degrees in Communication Engineering and Computer Science from Zhejiang University, Shanghai Jiao Tong University, Southeast University, in 1985, 1990 and 1993, respectively. Currently, he is a professor and the leading person of Information Security doctoral discipline of Nanjing University of Posts and Telecommunications. His main research areas are wireless communication and information security.
Karlof Chris
,
Sastry Naveen
,
Wagner David
2004
“TinySec: a link layer security architecture for wireless sensor networks,”
in Proc. of 2nd Int. Conf. on Embedded Networked Sensor Systems
November 35
Article (CrossRef Link).
162 
175
Szewczyk Robert
,
Mainwaring Alan
,
Polastre Joseph
,
Anderson John
,
Culler David
2004
“An analysis of a large scale habitat monitoring application,”
in Proc. of 2nd Int. Conf. on Embedded Networked Sensor Systems
November 35
Article (CrossRef Link).
214 
226
AVISPA Project
Automated Validation of Internet Security Protocols and Applications [Online].
Available: .
Aranha. Diego F.
RELIC Cryptographic Toolkit [Online].
Available: .
Eschenauer Laurent
,
Gligor Virgil D.
2002
“A keymanagement scheme for distributed sensor networks,”
in Proc. of 9th ACM Conf. on Computer and Communications Security
November 1721
Article (CrossRef Link).
41 
47
Pietro Roberto Di
,
Mancini Luigi V.
,
Mei Alessandro
2003
“Random keyassignment for secure Wireless Sensor Networks,”
in Proc. of 1st ACM Workshop on Security of Ad hoc and Sensor Networks
November 13
Article (CrossRef Link).
62 
71
Chan Haowen
,
Perrig Adrian
,
Song Dawn
2003
“Random key predistribution schemes for sensor networks,”
in Proc. of 23th IEEE Symposium on Security and Privacy
May 1114
Article (CrossRef Link).
197 
213
Liu Donggang
,
Ning Peng
,
Li Rongfang
2005
“Establishing pairwise keys in distributed sensor networks,”
ACM Transactions on Information and System Security
Article (CrossRef Link).
8
(1)
41 
77
DOI : 10.1145/1053283.1053287
Moharrum Mohammed A.
,
Eltoweissy Mohamed
2005
“A study of static versus dynamic keying schemes in sensor networks,”
in Proc. of 2nd ACM International Workshop on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks
October 1315
Article (CrossRef Link).
122 
129
Eltoweissy Mohamed
,
Moharrum Mohammed A.
,
Mukkamala Ravi
2006
"Dynamic key management in sensor networks,"
IEEE Communications Magazine
Article (CrossRef Link).
44
(4)
122 
130
DOI : 10.1109/MCOM.2006.1632659
Chorzempa Michael
,
JungMin Park
,
Eltoweissy Mohamed
2005
"SECK: survivable and efficient clustered keying for wireless sensor networks,"
in Proc. of 24th IEEE International Performance, Computing, and Communications Conference
April 79
Article (CrossRef Link).
453 
458
Das Ashok Kumar
2012
“A random key establishment scheme for multiphase deployment in largescale distributed sensor networks,”
International Journal of Information Security
Article (CrossRef Link).
11
(3)
189 
211
DOI : 10.1007/s1020701201629
Malan David J.
,
Welsh Matt
,
Smith Michael D.
2004
“A publickey infrastructure for key distribution in TinyOS based on elliptic curve cryptography,”
in Proc. of 1st Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks
October 47
Article (CrossRef Link).
71 
80
Watro Ronald
,
Kong Derrick
,
Cuti Suefen
,
Gardiner Charles
,
Lynn Charles
,
Kruus Peter
2004
“TinyPK: securing sensor networks with public key technology,”
in Proc. of 2nd ACM Workshop on Security of Ad hoc and Sensor Networks
November 13
Article (CrossRef Link).
59 
64
Oliveira Leonardo B.
,
Aranha Diego F.
,
Gouvêa Conrado P. L.
,
Scott Michael
,
Câmara Danilo F.
,
López Julio
2011
“TinyPBC: Pairings for authenticated identitybased noninteractive key distribution in sensor networks,”
Computer Communications
Article (CrossRef Link).
34
(3)
485 
493
DOI : 10.1016/j.comcom.2010.05.013
Yang Geng
,
Cheng Hongbin
2008
“An efficient key agreement scheme for wireless sensor networks,”
Chiness Journal of Electronics
Article (CrossRef Link).
36
(7)
1389 
1395
BlakeWilson Simon
,
Johnson Don
,
Menezes Alfred
1997
“Key agreement protocols and their security analysis,”
Cryptography and Coding
Article (CrossRef Link).
1355
30 
45
Karlof Chris
,
Wagner David
2003
“Secure routing in wireless sensor networks: attacks and countermeasures,”
in Proc. of 1st IEEE International Workshop on Sensor Network Protocols and Applications
May 11
Article (CrossRef Link).
113 
127
Basin David
,
Modersheim Sebastian
,
Vigano Luca
2005
“OFMC: A symbolic model checker for security protocols,”
International Journal of Information Security
Article (CrossRef Link).
4
(3)
181 
208
DOI : 10.1007/s1020700400557
Turuani Mathieu
2006
“The CLAtse Protocol Analyser,”
Term Rewriting and Applications
Article (CrossRef Link).
4098
277 
286
Armando Alessandro
,
Compagna Luca
2008
“SATbased ModelChecking for Security Protocol Analysis,”
International Journal of Information Security
Article (CrossRef Link).
7
(1)
3 
32
DOI : 10.1007/s102070070041y
Boichut Y.
,
Heam P. C.
,
Kouchnarenko O.
,
Oehl F.
2004
“Improvements on the Genet and Klay Technic to Automatically Verify,”
in Proc. of International Workshop on Automated Verification of InfiniteState System, joint to ETAPS'04
March 27April 4
Article (CrossRef Link).
1 
11
Oheimb David von
2005
“The highlevel protocol specification language HLPSL developed in the EU project AVISPA,”
in Proc. of APPSEM workshop
September 13
Article (CrossRef Link).
1 
17
Dolev Danny
,
Yao Andrew C.
1983
“On the security of public key protocols,”
IEEE Transactions on Information Theory
Article (CrossRef Link).
29
(2)
198 
208
DOI : 10.1109/TIT.1983.1056650
Das Ashok Kumar
,
Chatterjee Santanu
,
Sing Jamuna Kanta
2013
“Formal Security Verification of a Dynamic PasswordBased User Authentication Scheme for Hierarchical Wireless Sensor Networks,”
Security in Computing and Communications
Article (CrossRef Link).
377
243 
254
NIST
Special Publication 80057: Recommendation for Key Management [Online].
Available: .
Barreto Paulo L. M.
,
Galbraith Steven D.
,
hÉigeartaigh ColmÓ’
,
Scott Michael
2007
“Efficient pairing computation on supersingular Abelian varieties,”
Designs, Codes and Cryptography
Article (CrossRef Link).
42
(3)
239 
271
DOI : 10.1007/s1062300690336
Szczechowiak Piotr
,
Kargl Anton
,
Scott Michael
,
Collier M.
2009
“On the application of pairing based cryptography to wireless sensor networks,”
in Proc. of 2nd ACM Conference on Wireless Network Security
March 1618
Article (CrossRef Link).
1 
12
King Brain
2008
“wNAF *, an Efficient LefttoRight Signed Digit Recoding Algorithm,”
in Applied Cryptography and Network Security
Article (CrossRef Link).
5037
429 
445
UCLA Compliers Group
Avrora: The AVR Simulation and Analysis Framework [Online].
Available: .
Levis Philip
,
Lee Nelson
,
Welsh Matt
,
Culler David
2003
“TOSSIM: accurate and scalable simulation of entire TinyOS applications,”
in Proc. of 1st Int. Conf. on Embedded Networked Sensor Systems
November 57
Article (CrossRef Link).
126 
137
Barderis Agustin
,
Barboni Leonardo
,
Valle Maurizio
2007
"Evaluating Energy Consumption inWireless Sensor Networks Applications,"
in Proc. of 10th Euromicro Conf. on Digital System Design Architecture, Methods and Tools (DSD)
August 2931
Article (CrossRef Link).
455 
462