An Improved μ TESLA Protocol Based on Queuing Theory and Benaloh-Leichter SSS in WSNs

Broadcast authentication is a fundamental security technology in wireless sensor networks (ab. WSNs). As an authentication protocol, the most widely used in WSN, μTESLA protocol, its publication of key is based on a fixed time interval, which may lead to unsatisfactory performance under the unstable network traffic environment. Furthermore, the frequent network communicationwill cause the delay authentication for somebroadcast packetswhile the infrequent onewill increase the overhead of key computation. To solve these problems, this paper improves the traditional μTESLA by determining the publication of broadcast key based on the network data flow rather than the fixed time interval. Meanwhile, aiming at the finite length of hash chain and the problem of exhaustion, a self-renewal hash chain based on Benaloh-Leichter secret sharing scheme (SRHC-BL SSS) is designed, which can prolong the lifetime of network. Moreover, by introducing the queue theory model, we demonstrate that our scheme has much lower key consumption than μTESLA through simulation evaluations. Finally, we analyze and prove the security and efficiency of the proposed self-renewal hash chain, comparing with other typical schemes.


Introduction
We can imagine there will be thousands of sensors deployed in the future space, but how can we ensure the security of these sensors?Aside from confidential communications, authentication is one of the essential services in security protocols of wireless sensor networks (ab.WSNs) system [1].If the authentication system stays defective or noneffective, attackers may launch threats to the whole network such as the wormhole attack, the man-in-the-middle attack, and the multiple identities attack.Data leakage may occur even in a military area, which can cause serious consequences.Therefore, the study of authentication system especially the broadcast authentication protocol for large-scale WSNs still remains challenging.However, restrained by the finite resources of WSNs, many previous protocols cannot be directly applied to the broadcast authentication of WSNs.For example, most protocols rely on asymmetric mechanism such as the public key cryptography, but this mechanism has heavy communication, computation, and storage overhead, which are impractical for WSNs.
Therefore, designing a protocol that can guarantee the data integrity, confidentiality, and authentication in the broadcast has been a popular research topic in WSNs.One straightforward solution is to let the base station and all other nodes share a common broadcast authentication key, but the key will be disclosed if one of nodes is corrupt.Another solution is to use one-time key for each packet so that the leak of current key will not have a bad influence on the following packets, but the cost of frequently updating keys is unacceptable for WSNs.Perrig et al. proposed a classic broadcast authentication protocol TESLA [2], which has a great improvement over the original protocol TESLA [3,4].The contribution of TESLA protocol is to implement a broadcast authentication process based on the symmetric key mechanism instead of the asymmetric one, and it overcomes  the problems in traditional protocols by delaying the publication of one-way hash function key.This protocol decreases the computational complexity for broadcast authentication and improves the authentication efficiency as well.In the following paragraph, we will give a brief overview of TESLA.
The main idea of TESLA is to broadcast a packet authenticated by the key  mac at first and then publish  mac so that there is no way to forge the broadcast packets before the publication of the key.In addition, the protocol achieves the secret sharing with the key generation algorithm shared by the entire network.The one-way hash function and the key chain mechanism can ensure the safety of keys and the tolerance of packet loss.Figure 1 illustrates the broadcast authentication process of TESLA.
TESLA protocol consists of three phases: (1) securely initializing the configuration of base station, (2) bootstrapping the new receivers, and (3) authenticating the broadcast packets.The base station generates a key pool ( −1 ,  −2 , . . .,  1 ,  0 ) by one-way hash function in the first phase and determines the synchronization time interval  int and the key-delayed-disclosure time interval  ×  int .The synchronization time interval represents the lifetime of a broadcast key, which means the broadcast packets sent from the base station use the same key   in a synchronous period [ ×  int , ( + 1) ×  int ].The value of integer  should make  ×  int longer than the time of packet-switching between the base station and the farthest node so that all the nodes can be ensured to have received the broadcast packet before the corresponding key is disclosed.
When the new node joins the network, TESLA distributes the key synchronized parameters and initialized related keys to the new node based on the SNEP protocol [3].For example, Figure 1 shows the process of node  requesting to join the broadcast network during the time interval where   is a nonce which is generated by  to achieve a strong freshness authentication;  req is a request data packet;   is an authentication key between  and ;   is the current time;   is an initial key;   is the starting time of the current synchronization interval;  int is the synchronization interval; and  is the disclosure delay.The key will be published after  ×  int .
After receiving a broadcast packet from the base station, the receiver will judge the validity of authentication key based on the synchronization time.The node will further verify the key's validity by running the hash calculation on it.Finally, the node will use the key to authenticate the packets that have been stored in the buffer during the time interval.
In TESLA protocol, the publication of key is dependent on a specific time interval, which is fixed after initialization.However, we notice that the current network traffic is not stable in each time interval, and we divide this unstable traffic into two cases: (i) The base station broadcasts the packets frequently to the sensor nodes.In this case, the broadcast packets in one time interval will dramatically increase.If the key is still disclosed according to the original time interval, the excessive number of packets is unable to get a timely authentication and the storage space of the sensor nodes will be exhausted inevitably.
(ii) The base station just broadcasts a few packets in a long time.In this case, it is possible that there are few packets during the fixed time interval.Consequently, the release of keys will lead to the increase of communication and computation overhead, which degrades the efficiency of key chain.
To decrease unnecessary consumption as well as to ensure security in the process of broadcast authentication, in this paper, we replace the fixed time interval with network traffic to determine the publication of broadcast key.In other words, the base station will not publish the authentication key unless it has broadcasted a certain number of packets.And our experiment has shown that some drawbacks of TESLA can be solved based on our mechanism.
Due to the one-way and lightweight characteristics, hash chains have been widely applied to various scenarios such as one-time password system [5], video stream security [6,7], micropayment protocol [8], key distribution scheme [9], and broadcast authentication [10].However, there is a trade-off between the length and the efficiency of hash chain.The exhaustion of the current hash chain will inevitably result in producing another new hash chain initialized with the public key cryptography.And this reinitialization will bring about the extra overhead of the network.
Aimed at overcoming the inadequacies of the above schemes, another concern of this paper is to design a novel self-renewal one-way hash chain scheme based on Benaloh-Leichter SSS (SRHC-BL).This scheme can effectively prolong the lifetime of network and increase the tolerance of key loss.Comparing with the typical self-renewal hash chain schemes, our approach has the benefit of higher security and less consumption of communication, computation, and storage.
Therefore, the main contribution of this paper can be summarized as follows: (1) A novel key distribution method based on data flow instead of fixed time interval is proposed in order to keep network stable in any situations.In addition, some special cases are discussed as the supplement.
(2) A self-renewal one-way hash chain scheme based on Benaloh-Leichter SSS is adapted for both keeping extending life time of network and ensuring the tolerance of key loss.
(3) Simulation experiments and theoretical analysis based on queue model are conducted to compare the storage cost and calculation complex among our schemes and traditional TESLA protocol.Consequently, the result proves that our design achieves a better performance.(i) Input process, which characterizes and describes the law of data packets coming to the random service system.

Preliminary Knowledge
(ii) Service time, namely, the time for the base station to authenticate the data packets.
(iv) Size of line determined by the number of customers waiting to be served, which characterizes the number of valid data packets to be processed by the base station.
(v) Customer source, which corresponds to the data packets.
(vi) Queue rule, determined by the detail of queuing model.

Basic Concepts of Self-Renewal Hash Chain.
In this section, we introduce some basic concepts of SSS and the definition of the Benaloh-Leichter SSS.

Concept of SSS.
First, we formally define the necessary monotone access structure.
Definition 1.Given a set , a monotone access structure on  is a family of subsets  ⊆ 2  such that Let  be an integer,  ≥ 2, let the set of participants be  = { 1 ,  2 , . . .,   }, and let an access structure  defined on  be comprised of a collection of subsets of . is a monotone access structure whenever  ∈  and  ⊆   ⊆ .
Similarly, -SSS is a method of generating (, ( 1 , . . .,   )) such that, (1) for any  ∈ , finding the element , given the set {  |  ∈ }, is easy, (2) for any  ∈ , finding the element , given the set The set  is the authorized access structure or simply the access structure,  is the secret, and  1 , . . .,   are the shares (or the shadows) of .The elements of the set  are the authorized access sets of the scheme.

Benaloh-Leichter SSS
Definition 2. Let  be a set.The set  of variables indexed by  is the set  = {V  :  ∈ }.Definition 3. Given a monotone function  on variables indexed by a set , the access structure defined by  is the set of subsets of  of  for which  is true precisely when the variables indexed by  are set to be true.
It is clear that, for every monotone function , the access structure defined by  is a monotone access structure.Definition 4. For a given set  and a monotone access structure  denoted by  min on , define () to be the set of monotone function on || variables such that, for every formula  ∈ (), the output of  is true if and only if the true variables in  correspond exactly to a set  ∈ .
Note that ,   ∈ () implies  and   denote the same function.They may, however, use entirely different expressions to express this function.
The formula can be expressed using only ∧ operator and ∨ operator, and it is sufficient to indicate how to "split" the secret with these operators.Definition 5.One can recursively define the share of a secret  with respect to a formula  as follows: where based on Definitions 1, 2, and 3, selecting the specific integer  and  min , for the case  =  1 ∧  2 ∧ ⋅ ⋅ ⋅ ∧   , one can use a (, )-threshold secret sharing scheme for deriving some shares  1 ,  2 , . . .,   corresponding to the secret , and then every distinct share is assigned to each   .Thus one has   = {  | (  , ) ∈ Shares (, )}, for all 1 ≤  ≤ , where  is an arbitrary formula in the set   .

Definition of Hash Chain
Definition 6.The secure hash function is a publicly known function   : {0, 1} * → {0, 1}  , it takes  as an input, and the output is a bit string   () of length .In   (),  is generated randomly from a pseudo-random string generator.One-way hash chain can be visually expressed as follows:

The Key Distribution Algorithm Based on Data Flow.
Compared with the traditional TESLA protocol which releases keys based on the fixed time interval, our approach releases keys according to the data flow based on the queue theory and the renewable hash chain.

Assumptions
(i) TESLA protocol is as follows: (1) the packet transmission time between the base station and the farthest node is  max ; (2) the base station releases the key every  int by a fixed time interval; (3) the delay time of key publication is  ×  int , and it satisfies the condition that  ×  int >  max ; (4) the verification condition is ⌊(  +Δ− 1 )/ int ⌋ <  +  − 1, where   is the current time, Δ is the maximum clock difference,  1 is the start time, and  is the th interval time.
(ii) The improved broadcast authentication protocol based on the queue theory and the renewable hash chain is as follows: (  ours; TESLA maps the key distribution to the time domain, while ours maps the key distribution to the flow domain.

Several Cases to Discuss
Case 1.If the base station has not broadcasted a packet after a long period, and the number of packets broadcasted has not achieved a certain threshold, the base station will not release the key during this long period, which disables the node to authenticate the buffered packets.In this case, we can set a time threshold  ( is the upper bound of broadcast key lifetime).So after time , the base station is required to release key no matter whether the condition is satisfied.
Case 2. It is very common to have packet loss in WSNs.Consider the following case: the base station will not send packets in a long period and thus the key for the next round will not be released either, but unfortunately, at this time, one node lost the current authentication key, which implies that this node cannot authenticate the remaining packets in the buffer any more.In terms of this case, we set the interval time 2 for the node to wait, where  is the upper bound of broadcast key lifetime.If the waiting time exceeds 2, the node can send the request message to the base station for the key of current round.
Case 3. Synchronization problem: how do we know which packet should be authenticated by which type of key?We use the counting mechanism to solve this problem.That is, the broadcast packet sent by the base station is counted from 0 to  and authentication key is also numbered from 0 to  so that we can create the relations between the packet and the key by simply mapping.

A Self-Renewal Hash Chain Based on Benaloh-Leichter SSS.
In this section, we propose a novel self-renewed hash chain based on Benaloh-Leichter SSS.This scheme has three phases: the hash chain initial phase, the hash chain usage phase, and the hash chain extension phase.Let  and  denote communication initiator and the recipient, respectively.

Initial Phase.
In the initial phase,  and  are synchronized in time, and there is a maximum error time denoted as Δ;  can reject the message which exceeds the time Δ plus the acceptable transmission delay.
(1) The initiator  generates an initial random value  as the seed of the first hash chain, and then  uses the preloaded hash function to compute  hash value of the first hash chain.Consider (2) Then,  selects  min based on Benaloh-Leichter SSS and a new random value   to generate  hash value of the next hash chain.Consider (3) Therefore, according to the Benaloh-Leichter SSS,  takes ℎ  (  ) as the secret , divides it into  parts as the set , and then defines the set () as the set of formula on set . Further, we select an arbitrary formula  in the set   .In this case, according to  min we can obtain Shares (, ) of the secret .Thus, the shares corresponding to the secret  in the access structure  are distributed as shadows  1 ,  2 , . . .,   .

Usage Phase
(1) Before the usage phase,  and  have confirmed the initial time  0 , and meanwhile the value ℎ  () and the hash function have been preloaded in  securely, as well as the message authentication code MAC 0 (ℎ −1 () ⊕  1 ).During the usage phase, the hash value is used from ℎ −1 () (firstly) to  (finally) corresponding to the time period  0 + * Δ (1 ≤  ≤ ).
(2) In the time  0 + Δ,  releases the Msg 1 and its corresponding message authentication code MAC 1 to , the formats of Msg 1 and MAC 1 are shown, respectively, as follows: So in the time  0 +  * Δ (1 ≤  ≤ ),  will compute and release Msg  ( 0 +  * Δ, ℎ − () ,   , MAC  ) , where Msg  is the content of current message and MAC  is used to verify MAC −1 .
(3) For the th authentication, after  receives the Msg  and MAC  ,  will calculate the difference between the last time of receiving packets and the current time of receiving packets.If the difference has not exceeded Δ,  will carry out the following steps: On the other hand, if the difference exceeds Δ, (a)  drops ℎ − () and   and saves MAC  ; then it will wait until the next authentication process, which is assumed as the th authentication where  < ; (b) compute and verify whether ℎ −+1 (ℎ − ()) is equal to ℎ −+1 (), where ℎ −+1 () is the valid hash value stored in the last process; if it is equal,  saves it; (c) compute and verify whether ℎ − () ⊕   is equal to MAC −1 ; if all checks are valid,  verifies  successfully and then stores the shadow   .
The hash chain usage phase has a detailed description in TESLA.If the hash chain is exhausted, the protocol goes into the hash chain extension phase.

Extension Phase.
When one hash chain has been exhausted,  has stored  shadows   .One thing we need to notice is that even though the number of shadows that  has stored is less than  (as long as the number is not less than ), we can still recover the final secret .The detailed description is as follows.
(1) Based on the shadows  1 ,  2 , . . .,   , we can easily deduce Shares(, ) corresponding to the secret  with the (, )-threshold secret sharing scheme.(2) With the Shares(, ), we can simply recover the secret .In other words, we have obtained the tail of the next hash chain ℎ  (  ).Then, a new hash chain can be applied in the right way, and we can use the same protocol in the next hash chain in order to achieve the purpose of self-renewed one.
Therefore, this protocol provides an on-demand hash chain extension without exhaustion, so the hash chain is able to work smoothly and infinitely.

The Key Distribution Algorithm Based on Data Flow. (1)
Our algorithm releases the keys based on the data flow instead of the original timeline and takes full account of the uneven distribution of arrival of the packets in the network.
(2) Valid packets simulation in the TESLA protocol: many simulation techniques in [11,12] are introduced to wireless sensor networks to help researchers to understand the behavior of the network which is hard to capture in situ.In this paper, we use Matlab to simulate the four queuing models of M/D/1/∞, M/M/1/∞, M/G/1/∞, and GI/G/1/∞, respectively.We take the base station as the waiter and the broadcast packets as the customer source, so the service time obeys the distribution of the packets to be processed and broadcasted by the base station and customer source obeys the distribution of arrival of packets.By considering practical situations, we give an example of packets arriving intensively.The arrival of data packets of M/D/1/∞, M/M/1/∞, and M/G/1/∞ obeys Poisson distribution with the randomly selected parameter  = 0.5, while GI/G/1/∞ obeys the general random distribution.We set a fixed time interval  int as 60 s and the numbers of valid packets  str in  int as 20, and the simulation time was half an hour.If the number is over 20, we would consider it as invalid one.There are two reasons for that.First, overly late authentication would cause the large storage overhead caused by the accumulated packets in the node buffer.Second, the message is more likely to be vulnerable to chosen plaintext attacks.It can also be proved that the conclusions of simulation experiments will not change by altering the values of parameters such as  and  int .From Figures 3-6, we notice that the intensive rate of broadcast packets will cause the packets to be cached in the nodes and unable to be authenticated timely, which eventually results in the loss of packets.Also, the probability of  choosing plaintext attack will become large if the number of packets exceeds the threshold  str .Furthermore, from Figures 7-10, the key consumption of our proposal is much lower than that of TESLA.Consequently, the life cycle of the key chain would be prolonged, and the network overhead would be reduced.
(4) The calculation complexity of the proposed algorithm is low.From Figures 1 and 2, we can find that there is no fallback process in both TESLA protocol and our algorithm.Although different network environments can contribute to different consumption of calculation, the proposed algorithm and TESLA both keep (), where  is the number of hash calculations during authentication processes.However, in the protocol of multilevel TESLA [13], repeated hash operations are conducted to guarantee life time of keys at the expense of large amounts of calculations.For instance,  denotes the time of high-level calculation while  denotes that of lowlevel calculation in a 2-level TESLA process, which leads to  ⋅  times of calculation.When  = , the complexity achieves ( 2 ); the order of magnitudes increases sharply and contributes to high calculation complexity if  becomes large.The variation tendency can be seen in Figure 11.

A Self-Renewal Hash Chain Based on Benaloh-Leichter SSS.
In this section, we will present the security and performance analysis of the proposed hash chain in Section 3.

4.2.1.
Security.The security of this scheme is based on one-way function and Benaloh-Leichter SSS.The purpose of XOR with hash value is to maintain the integrity and confidentiality of shadows.And the purpose of delaying key publication is to achieve nonrepudiation.Meanwhile, Benaloh-Leichter SSS can efficiently generate a much richer family of access structures than the current schemes, and it is convenient to view an access structure as a function.Any monotone Boolean function over  variables can be computed by a monotone formula.Thus, every access structure can be realized by the scheme of Benaloh-Leichter SSS.On the other hand, for every set that does not belong to the access structure, the elements in the set do not have any information on   ; hence they will not reveal any information about secret .
Also in the phase of authentication, the tolerance of packet loss or fault is embodied in our proposal.However, in Benaloh-Leichter SSS, even some   was dropped or lost; secret  can still be verified by other valid   as long as the number of shadows is not less than .
Moreover, dual authentication in our scheme can strengthen the security and integrity.The first authentication is that whether ℎ − () and   are received in a valid interval and they will not be stored unless both of them are verified correctly.And the second authentication is to judge whether ℎ − () is valid according to ℎ −+1 () which has been stored in the first authentication and whether   is valid by the exclusive-OR function.The shadow   will be accepted only if the packet passes the dual authentication.
Finally, our self-renewal hash chain has satisfactory confidentiality.However, the shadow   exists in the packet with the form of plaintext and the attacker can obtain the key shadow information by snooping the packet.However, the attacker is unlikely to recover the secret  unless he or she can get more than  pieces of shadow, which obviously increases the difficulty.And even though the attacker can finally recover the secret , he or she is still unable to produce the fake broadcast packets to play the role of the base station.The reason is that the secret , namely, ℎ  (  ), is the tail of the next hash chain, which can only be used to authenticate the subsequent keys.And due to one-way feature of the hash function, the attacker cannot generate ℎ −1 (  ), ℎ −2 (  ), . . .,   , so he or she is unable to fake the packet to deceive other sensor nodes.If the attacker does, these nodes can easily detect the validity of packets with ℎ  (  ).

Complexity.
In this part, we will analyze the performance of our proposal.Before that, we first define some parameters which are mentioned as follows: RHC is as follows: Computation: Communication: Storage: SUHC is as follows: Computation: Communication: Storage: ERHC is as follows: Computation: Communication: Storage: SRHC is as follows: Computation: Communication: Storage: SRHC-BL is as follows: Computation: Communication: Storage: For simplicity, we assumed that  ≈ ,  ≈   ≈    ,  ≈   ,  > ,  >  >  > , and   ≫   ≈   ≈   >   , so that it is easy to know the performance of our SRHC-BL relative to RHC, ERHC, SUHC, and SRHC.Through comparison, we can draw the following conclusion: the consumption of SRHC-BL in the initialization phase is much less than other schemes, while, in the phase of key distribution and authentication, SRHC-BL's consumptions of communication and storage are a little more than SRHC's but much less than RHC's, ERHC's, and SUHC's.

Related Work
5.1.Improved TESLA Protocol.Many hybrid broadcast authentication protocols have been proposed.Reference [14] proposed a broadcast authentication protocol with Bloom Filter compression to mainly reduce error rate of data broadcasting.Reference [15] introduced a multiuser broadcast authentication protocol to synchronously meet the requirements of multiuser.A lightweight secure authentication protocol was proposed in [16], which mainly focuses on the storage performance optimization.Reference [17] is a TESLA-like scheme based on symmetric keys, but the signature takes a large storage cost.A secure protocol named GPLD (Global Partition, Local Diffusion) was proposed in [18]; this scheme based on the symmetric encryption system and the geographical location information allows the different multicast group to exist in wireless sensor networks, and nodes can also act as the broadcast source and relay.On the basis of [18,19] a broadcast authentication scheme based on users, which achieves the promising security, scalability, and performance, was proposed.Reference [13] proposes an enhanced broadcast authentication protocol based on multilevel TESLA, however, whose overhead has not achieved the satisfactory efficiency.Reference [20] put forward a broadcast authentication scheme with the Merkle tree; although it can effectively resist the DoS attacks, the authentication delay seems to be inappropriate for most applications.Taking the tolerance of data loss into account, [21] presents a link-layer packet recovery algorithm which improves the reliability and minimizes the latency.
So we can see that TESLA protocol and its improved protocols are the mainstream of broadcast authentication protocol research in wireless sensor networks.

Reinitializable Hash Chain.
Hash function has the characteristics of one-wayness and high computational efficiency.Therefore, the hash chain mechanism has been widely used into many encryption applications and services.Furthermore, the length of the hash chain is limited, which makes it difficult to meet the requirement of sustainability.And extending the length of the hash chain is difficult because a secure channel established through other encryption mechanisms is needed, and a large overhead is required.
To solve this contradiction, researchers have proposed some hash chain schemes.Goyal introduced the reinitializable hash chain (RHC) scheme with the idea that a fire-new RHC will be regenerated safely and undeniably when the old RHC is exhausted.On the basis of RHC, [22] put forward the elegant reinitializable hash chain (ERHC) scheme, which uses the one-way hash function to regenerate the hash chain safely and infinitely instead of using the public key mechanism.However, due to the publication part of   to authentication for the next seed of hash chain, it is likely to be susceptible to the chosen plaintext attack.Reference [23] proposed the selfupdating hash chain (SUHC) scheme based on the hard core predicate algorithm.The solution of SUHC is that the sender distributes the first chain's every key value with one bit in the seed of second.In such a way, while the first one is exhausted, the receiver would receive all bits of second chain's seed.On the basis of [23,24] the self-renewal hash chain (SRHC) scheme was proposed.The main difference between the above two schemes is the generation method of the random numbers.The security distributions of the seed of SUHC and SRHC rely on the security distribution of  random numbers, where  denotes the length of chain.Furthermore, these two schemes require all the received random numbers to satisfy integrity and inevitability.And then the seed of a new chain can be reconstructed.However, both of them have given up the original fault tolerance of hash chain.Based on SUHC, [25] put forward a novel self-updating hash chain (NSUHC) scheme; afterwards, according to NSUHC, [26] proposed a new self-updating hash chain based on erasure coding (SUHC-EC).In the former scheme, the seed of a new hash chain is transformed from -dimensional to -dimensional ( < ) and the latter one is transformed from onedimensional to -dimensional.Therefore, two schemes select one of the  random values to release without repeating.The new seed can be resumed after  times.These two schemes seem to realize the renewable hash chain, but actually there is no difference from the conventional hash chain.Reference [27] proposed a new self-updating hash chain based on fair exchange idea (SRHC-FEI); this scheme uses one-time signature key to encrypt the first bit of the seed of a new hash chain in transmission when releasing the new hash value each time.It can enhance the security and fairness, but it inevitably increases the system time delay.After analysis, we can see that this scheme is also an enhanced scheme more than a strict hash chain renewable construction scheme.
From the analysis of the above typical schemes we can see that they all transform every bit of the new chain's seed into a random number and make the security of the new seed dependent on the security of distributed random numbers.Besides, they can successfully regenerate the new seed only when they receive all the random numbers correctly.As a result, they all weaken the security and increase the consumptions for reinitialization.On the other hand, NSUHC and SUHC-EC only expand the dimension of the seed of a new hash chain, but compared with RHC and ERHC and so forth, they increase the chance of encountering the man-in-themiddle attack.Above all, from a perspective of application of a hash chain, only RHC, ERHC, SUHC, and SRHC belong to the renewable construction scheme of hash chain.

Conclusion
This paper proposes a novel secret key release scheme based on the data flow, which addresses some problems of traditional key release schemes based on the fixed time interval, effectively improves the efficiency of the utilization of keys, prolongs the life cycle of hash chain, and reduces the network communication overhead and computational cost.
Moreover, we consider the scenario that when the number of packets using the same key to authenticate is greater than the threshold  str , it may disable some packets to get a timely authentication and thus results in the loss of data.Also, the probability of chosen plaintext attack will be increased.To solve these problems, we introduce the flow threshold mechanism to prevent the attacks and enhance network security as well.
After that we put forward a new renewable hash chain based on Benaloh-Leichter SSS (SRHC-BL).The renewable process can be executed infinitely.And we have theoretically proved that SRHC-BL has better performance on integrity, confidentiality, and nonrepudiation by adopting the delay disclosure and one-wayness.In addition, our scheme can also tolerate message loss or fault due to the property of the shadows in Benaloh-Leichter SSS.Furthermore, the dual authentication and transformed secret shadows enable our scheme to have higher security than other schemes.Finally, the analysis of complexity has proved that SRHC-BL has less consumption than those typical schemes.

Figure 1 :
Figure 1: The broadcast authentication process of TESLA.

Figure 2 :
Figure 2: The process of broadcast authentication based on queue theory.

( a )
Compute and verify whether ℎ(ℎ − ()) is equal to ℎ −+1 (), where ℎ −+1 () is the valid hash value stored in the last process.If it is equal,  saves it.(b) Compute and verify whether   ⊕ ℎ − () is equal to MAC −1 .If it is,  saves MAC  and   .
: the output of hash function which is an -bit string, : the length of hash chain, : the number of secret shadows in SRHC-BL, : the computation consumption of the hash function, : the computation consumption of the union operation, ,   ,    : the computation consumptions of generating a random number in RHC, ERHC, and SUHC (or SRHC), respectively, ,   : the computation consumption of obtaining one bit from a random number by hard core predicate in SUHC and SRHC, respectively, , , : the computation consumption of obtaining Shares(, ), computing the shadows   , and picking secret shadows   from   in SRHC-BL successively, : the computation consumption of XOR,   : the communication or memory consumption of  (bit),   : the communication or memory consumption of the seed of hash chain,   : the communication or memory consumption of the generated random number,   : the communication or memory consumption of shadows   in SRHC-BL,   : the communication or memory consumption of the secret shadows   in SRHC-BL.Then, we compare the computation, communication, and storage cost of our scheme SRHC-BL with the current schemes RHC, ERHC, SUHC, and SRHC.The comparison results are shown as follows.
1) the maximum speed (or frequency) for the base station to send packets is   max ; (2) the maximum transmission speed (or frequency) in WSNs is   max ; (3) the communication radius of the base station is  bs ; (4) the base station releases the authentication key every  int packets based on data traffic; (5) the delay of data flow of key publication is  int + , and it satisfies the condition that ( int + )/  max >  bs /  max ; (6) the verification condition is ⌊(  −  1 )/ int ⌋ < ⌊+−1⌋, where   is the identification number of packets that is currently received,  1 is the ID number of first packet received, and  is the th time interval of data flow.
3.1.2.The Process of Key DistributionBased on Data Flow.The process of broadcast authentication based on queue theory and renewable hash chain is shown in Figure2.Comparing with Figure1, we can see the difference between TESLA and