Key Updating Methods for Combinatorial Design Based Key Management Schemes

1 College of Business Administration, Zhejiang Gongshang University, Hangzhou 310018, China
2 Contemporary Business and Trade Research Center, Zhejiang Gongshang University, Hangzhou 310018, China
3 Contemporary Business and Collaborative Innovation Research Center, Zhejiang Gongshang University, Hangzhou 310018, China
4 College of Computer Science & Information Engineering, Zhejiang Gongshang University, Hangzhou 310018, China


Introduction
A wireless sensor network (WSN) is a kind of large wireless network. Generally speaking, WSNs consist of resource-limited sensor nodes with a large number of functions, such as sensing, collecting, and processing, which leads to their ability to fulfill special missions [1]. WSNs have become one of the most promising network technologies, which can be widely used in different applications. Because of the sensitivity of these applications and many issues involved in WSNs, sophisticated security services are required [2]. Key management is a cornerstone on which to build secure WSNs, because it is able to protect many services, such as confidentiality and authentication, which are required for secure communication in WSNs. However, the sensor nodes in WSNs are all resource-limited devices. Therefore, key management schemes like Diffie-Hellman based or public-key based schemes, which are widely used in other networks, are not very suitable for direct application in WSNs [3]. Key management using symmetric encryption technology is still a hot research topic. Over the last decade, many research works have dealt with the symmetric key predistribution issue for WSNs and many solutions have been proposed [4][5][6]. Nevertheless, in most existing solutions, the design of key rings (blocks of keys) strongly depends on the size of the WSN, which results in either low scalability or degraded performance in other metrics [7].
Combinatorial design theory is an important part of combinatorial mathematics. It deals with the existence, construction, and properties of systems of finite sets whose arrangements satisfy generalized concepts of balance and/or symmetry. Combinatorial design theory has been used in many different applications, such as cryptography and secret sharing [8][9][10], network design [11, 12], and key management for WSNs [7, 13-16]. Since Mitchell and Piper [13] first applied combinatorial designs to key distribution, many other combinatorial design based key management schemes have been proposed.
(1) We point out that the essence of key updating for combinatorial design based key management schemes is multigroup key distribution; (2) we propose two key updating methods for the unital design based key management scheme. The two key updating methods can be generalized to other kinds of combinatorial design based key management schemes. The first proposed method is distributed, with each sensor node taking part in key updating, and the second one is traditional group key distribution; (3) we conduct the performance analysis on our two proposed methods and show their advantages and disadvantages; (4) we enrich the application of combinatorial design in key management for WSNs and also point out some future research directions.
The remainder of this paper is organized as follows: Section 2 presents the related works on combinatorial design based key management schemes for WSNs and shows the importance of key updating. We propose our two methods in Section 3. In Section 4, we conduct the performance analysis on the two methods from three aspects and make some comparisons. In Section 5, we discuss our two proposed methods and improve them. Finally, we draw conclusions and point out our future research directions in Section 6.

Related Work
Mitchell and Piper [13] were the first to apply combinatorial designs to key distribution. They introduced a number of new concepts and showed how the theory of incidence structures with special properties, called key distribution patterns, may be applied to key management problems. The proposed method is shown to generalize earlier work in the area.
Çamtepe and Yener [14] proposed novel deterministic and hybrid schemes based on symmetric balanced incomplete block design (SBIBD) for key predistribution in WSNs. The SBIBD decides how many and which keys are assigned to each key-chain before the WSNs are deployed. After mapping from SBIBD to key predistribution, there are  2 +  + 1 key rings, which contain  =  + 1 keys selected from a key pool S with the size  2 +  + 1. Each pair of key rings shares exactly one common key. SBIBD, which produces better connectivity with smaller key-chain size, can make key distribution schemes more efficient. The main strength of the proposed scheme is that each pair of nodes shares exactly one common key, which gives total secure connectivity. However, the SBIBD schemes do not scale well to large WSNs because they only generate  2 +  + 1 key rings to obtain a key ring with  + 1 keys, while the former are determined by the properties of SBIBD.
Ruj and Roy [15] also used SBIBD to guarantee intraregion secure communications in grid group WSNs. In grid group WSNs, all nodes within a particular region can link to each other directly, while sensor nodes in different regions can make use of more special resource nodes to communicate with each other. Taking the Lee distance into account, they consider the resiliency not only in terms of the fraction of links broken, but also in terms of the number of nodes and regions disconnected when some sensors are compromised. But the deterministic key predistribution schemes will lead to constant-time computation cost for shared key discovery and path key establishment.
Basic schemes like [17] have perfect network resilience but their network scalability is only () where k is the key ring size. The SBIBD [15] and the trade [16] based ones obtain a network scalability of ( 2 ). The solutions proposed in [13] elevate the network scalability up to ( 4 ) without losing secure connectivity coverage and overall performance. The researchers apply the unital design to predistribution. They propose two schemes, a basic one and an enhanced one, which achieve a good tradeoff between scalability and connectivity.
Combinatorial design based key management schemes have received a lot of attention. However, to the best of our knowledge, none of the related works have taken key updating into consideration. Without key updating, the key management schemes will become less secure as time passes. In this paper, we point out the essence of key updating for combinatorial design based key management schemes and then put forward our two different kinds of key updating methods.

The Proposed Schemes
In this section, we first briefly introduce the unital design based key management scheme [7]. The brief introduction consists of the unital design and its mapping to key predistribution. Then, we point out the essence of key updating for the unital design based key management scheme. Finally, we propose two key updating methods.

Unital Based Key Management Scheme
3.1.1. Background: Unital Design. Combinatorial design theory is a part of combinatorial mathematics dealing with the existence, construction, and properties of systems of finite sets whose arrangements satisfy generalized concepts of balance and/or symmetry. A t-design (v, , , , ) is defined as follows: given a finite set X of v points (elements), we construct a family of  subsets from the finite set X, called blocks, such that each block has a certain number of points, which is k, each point is contained in r blocks, and t points are contained together in exactly  blocks [13]. A unital design is a Steiner 2-design, where $v = m^3 + 1$,  $= m^2(m^3 + 1)/(m + 1) = m^2(m^2 - m + 1)$, $r = m^2$, $k = m + 1$, The number of keys of each ring has :

Each point belongs to exactly $m^2$ blocks
Each key appears in exactly $m^2$ key rings and  = 1. We call the unital design 2-design. Here is an example of a 2-(9,3,1) unital design with $m = 2$ shown in Table 1.
We can see from Table 1 that there are 12 blocks, $B_1, \ldots, B_{12}$, in the above example, and the 9 elements $E_1, \ldots, E_9$ are 1, 2, ..., 9, respectively. In addition, every block has 3 elements; for example, $B_1$ has 3 elements, $E_1$, $E_4$, and $E_8$. Each element is contained in 4 blocks; for example, $E_1$ is contained in $B_1$, $B_6$, $B_7$, and $B_{11}$. Each pair of 2 elements is contained together in exactly 1 block; for example, $E_1$ and $E_4$ together are contained only in $B_1$.

A Basic Mapping from Unital to Key Predistribution for WSNs.
Each block, which has $m + 1$ points, can be mapped to a sensor node in WSNs while each point can be mapped to a key. Note that a point can also be called an element in combinatorial design. Table 2 shows the basic mapping from unital design to key predistribution for WSNs.
The key distribution center (KDC) generates the unital blocks (key rings) and loads them into the memory of the sensor nodes before these sensor nodes are deployed. Each distinct key ring is preloaded in only one node, along with the corresponding key identifiers. When two nodes want to communicate with each other, they exchange their key identifiers. From the key identifiers they can either determine the communication key or learn that they need to establish a secure path for communication. In the basic unital design mapping, each pair of nodes shares at most one common key. Therefore, if two nodes have a common key, they will be able to determine it after exchanging the key identifiers; if they do not have a common key, they need the help of other nodes to establish a secure path.
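The mapping and the shared-key discovery described above, as an added example that is not code from the paper. Table 1 is not reproduced on this page, so the design below is a constructed 2-(9,3,1) design (the lines of the affine plane over GF(3)) whose block numbering differs from the paper's; all function names and the node names `n1`..`n12` are hypothetical.

```python
import os
from itertools import combinations

def build_design():
    """Constructed 2-(9,3,1) design: the 12 lines of the affine plane over GF(3)."""
    pid = lambda x, y: 3 * x + y + 1            # number the 9 points (keys) 1..9
    blocks = [frozenset(pid(x, (s * x + c) % 3) for x in range(3))
              for s in range(3) for c in range(3)]                  # lines y = s*x + c
    blocks += [frozenset(pid(c, y) for y in range(3)) for c in range(3)]  # lines x = c
    return blocks

def design_parameters(blocks):
    """Measure the design instead of trusting it: v, b, block sizes, r and pair counts."""
    points = sorted(set().union(*blocks))
    return {
        "v": len(points),
        "b": len(blocks),
        "k": {len(b) for b in blocks},
        "r": {sum(p in b for b in blocks) for p in points},
        "lambda": {sum(p in b and q in b for b in blocks)
                   for p, q in combinations(points, 2)},
    }

def make_key_pool(v):
    """KDC side: one random 128-bit key per point (key ID) of the design."""
    return {kid: os.urandom(16) for kid in range(1, v + 1)}

def preload(blocks, key_pool):
    """One block per node: the node stores the key IDs and keys of its block."""
    return {f"n{i}": {kid: key_pool[kid] for kid in sorted(b)}
            for i, b in enumerate(blocks, 1)}

def shared_key_id(ring_a, ring_b):
    """Shared-key discovery: only key IDs are compared, never key material."""
    common = ring_a.keys() & ring_b.keys()
    if len(common) > 1:
        raise ValueError("rings share more than one key: not a design with pair count 1")
    return next(iter(common), None)

def intermediaries(rings, a, b):
    """Nodes that share a key with both a and b and can relay a path key."""
    return [n for n in rings if n not in (a, b)
            and shared_key_id(rings[n], rings[a]) is not None
            and shared_key_id(rings[n], rings[b]) is not None]

def key_groups(rings):
    """Group view: key ID -> nodes that hold that key."""
    groups = {}
    for node, ring in rings.items():
        for kid in ring:
            groups.setdefault(kid, []).append(node)
    return groups

def direct_pairs(rings):
    """(number of node pairs with a common key, total number of node pairs)."""
    pairs = list(combinations(rings, 2))
    direct = sum(shared_key_id(rings[a], rings[b]) is not None for a, b in pairs)
    return direct, len(pairs)

if __name__ == "__main__":
    blocks = build_design()
    print(design_parameters(blocks))
    rings = preload(blocks, make_key_pool(9))
    print("n1/n4 common key ID:", shared_key_id(rings["n1"], rings["n4"]))
    print("n1/n2 common key ID:", shared_key_id(rings["n1"], rings["n2"]))
    print("relays for n1/n2:", intermediaries(rings, "n1", "n2"))
    print("direct pairs:", direct_pairs(rings))
```

The group view returned by `key_groups` is the one the key updating model in the next subsection builds on: every key ID defines one group, and every node sits in as many groups as it has keys.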

System Model for WSNs and Updating Model for Each Sensor.
We can see from the generalized definition of the unital design (a 2-design $(m^3 + 1, m^2(m^2 - m + 1), m^2, m + 1, 1)$) that there are $m^3 + 1$ keys and $m^2(m^2 - m + 1)$ sensor nodes. In addition, the definition of the unital design shows that each key is contained in $m^2$ sensor nodes and each sensor node has $m + 1$ keys. We can regard all the sensor nodes which have the same key as a group; therefore, there will be $m^3 + 1$ groups, and in each group there will be $m^2$ sensor nodes. Furthermore, each sensor node belongs to $m + 1$ groups because it has $m + 1$ keys.
Therefore, the system model can be described in the following two formulas: The first formula shows that the system model consists of $m^3 + 1$ groups. Each group corresponds to a key, and there are $m^2$ sensor nodes in each group, which is marked by the key ID. Note that   ∩   = 1 because, in a unital design, each pair of 2 elements is contained together in exactly 1 block.
The second formula points out that the system model is made up of $m^2(m^2 - m + 1)$ sensor nodes and each sensor node $n_i$ has $m + 1$ keys. The $m + 1$ keys can be defined as a key ring or a key block, $B_i$. Note that two nodes share either one common key or none because, in a unital design, each pair of $B_i$ and $B_j$ satisfies $|B_i \cap B_j| = 0$ or $1$.
According to the above system model, we can obtain the key updating model, in which each sensor node updates all its $m + 1$ keys. For each sensor node $n_i$, the updating model can be described as in Figure 1.
Figure 1 shows the key updating model for each sensor. We can see from it that sensor node $n_i$ has $m + 1$ keys  1 ,  2 , . . .,  ( + 1) . If it wants to update  1 , it will need to communicate with the other $m^3$ sensor nodes in  1 that share the same key  1 with it, and by some method, the new updated key  1 can be obtained by all the sensor nodes in the  1 . As each sensor node $n_i$ has $m + 1$ keys, it needs to communicate with the other groups as it does with  1 to update all its other keys.
We can see from the updating model for each sensor node that the essence of key updating for the unital design based key management scheme is multigroup key management.
In the following subsections, we propose two key updating methods for the unital design based key management scheme. The first one is distributed, which means each sensor node in the group takes part in updating the group key. In the second one, there is a group manager in each group that distributes the broadcast used to update the group key.

The First Key Updating Method.
In this method, each sensor node is predistributed with a device ID, that is, id   , $m + 1$ keys, and $m + 1$ corresponding key IDs. In addition, each sensor node also stores the IDs of the sensor nodes in each group formed by the corresponding key. Table 3 shows the detail of the content which each sensor node should store in the first method.
In this method, to update one key, each sensor node sends a random number, encrypted by the group key, to the other sensor nodes in the same group. It then receives a certain number of messages, which also contain random numbers, from the other sensor nodes. The number of messages is determined by the number of legal sensor nodes in the group. The sensor $n_i$ updates one of its keys,  1 , in the following steps.
Step 1. In this step, sensor node $n_i$ broadcasts the message id  1 |id   | 1 ($RN_i$) to the other sensor nodes which have the same group key  1 . Here, id  1 is the ID of the key which needs to be updated, id   is the ID of the sensor node, and  1 ($RN_i$) is the encrypted $RN_i$.
Step 2. Sensor $n_i$ receives broadcast messages from other sensor nodes. If the first part of a broadcast message, id  1 , is also contained in the content of sensor $n_i$, and the ID of the sender of the broadcast message, id   , is in the same key group, then it begins to receive the whole broadcast message. In order to compute the new updated key, it needs to receive a certain number of messages (the number of other legal sensor nodes in the same key group). Note that after one node has used up its energy, it will inform the other nodes in the same key group to delete its ID. Therefore, the number of broadcast messages which a sensor node needs to receive for computing the group key will decrease as time goes on.
Note that these messages contain the RNs generated by the other sensor nodes in the same key group.
Step 3. After it receives $l$ messages for updating the key, it computes the new updated key as the following equation: Here $l$ ($l \le m^3 + 1$) is the number of legal nodes. The order of each $RN_i$ is decided by the ID of the sender, which is set before deployment.
As each sensor node has $m + 1$ keys, it needs to do the above steps $m + 1$ times to update all its $m + 1$ keys. When a sensor node is about to use up its energy, it will send a revocation message to the other sensor nodes to inform them to delete the corresponding information about it in the key groups. In addition, if a node is detected as a compromised sensor node, the detector will inform the other nodes to delete the corresponding information about the compromised node. The detector will ask the other sensor nodes to update the corresponding keys the compromised node has.

The Second Key Updating Method.
In the first method, all the sensor nodes are distributed and are all responsible for the generation of the new key, while in the second key updating method, only one sensor node, which is defined as the group manager (GM), is responsible for the generation of a new key.
In this key updating method, the GM stores the same content as each sensor node stores in the first method. Each member sensor node is predistributed with a device ID id   , $m + 1$ keys, and $m + 1$ corresponding key IDs. Note that in this scheme, each sensor node does not store the identifiers of other sensor nodes. Table 4 shows the detail of the content which the group member sensor nodes store.
We can see from Table 4 that this method is more efficient in storage overhead because each member sensor node stores less content than in the first method. The second method is based on group key distribution. Therefore, there are two kinds of sensor nodes in the system: the GM and the member sensor nodes. In this method, to update one key, the GM needs to generate the broadcast, and each member sensor node can compute the group key after receiving the whole broadcast.
The GM generates and sends the broadcast in the following steps.
Step 1. The GM generates the authentication polynomial as the following equation: $l$ is the number of legal member sensor nodes (except the GM and revoked sensor nodes), and $l \le m^3$.
Step 2. The GM generates the key updating polynomial as follows: $ku_j$ is the key updating material.
Step 3. The GM generates the broadcast and sends it. The construction of the broadcast is as follows: We can see from (5) that the broadcast consists of two parts. The first part is $id_k$, the ID of the key which needs to be updated. The second part is the key updating polynomial $P_j(x)$, which is generated in the second step.
Each sensor node (except for the GM) receives the first part of the broadcast and decides whether it needs to receive the whole broadcast according to the ID of the key, $id_k$. If it has this key (and therefore this key ID), then it receives the whole broadcast and computes the corresponding key updating information from the broadcast; otherwise, it waits for the next broadcast. The key updating information can be computed as the following equation: Each legal member node will get the computation result of 0 when computing the authentication polynomial $a_j(x_i)$. Therefore, all the legal member nodes will get the same key update information $ku_j$ from the above equation, while revoked sensor nodes will obtain a nonzero value of $a_j(x_i)$. The different value $a_j(x_i)$ will lead to different key updating information $ku_j$. Then each legal member sensor node uses the key update information to update the group key as the following equation: Note that all the legal member nodes can compute the same updated key because these legal member nodes have the same group key  1 and use the same key updating information $ku_j$ to update the group key.
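The group-manager broadcast described above, as an added example that is not code from the paper. The paper's equations are missing from this page, so the construction is an assumption chosen to match the prose: the authentication polynomial is the product of (x - x_i) over the legal members' evaluation points, the key updating polynomial is that product plus $ku_j$, and the new key is a hash of the old group key and $ku_j$; the modulus and all function names are hypothetical.

```python
import hashlib
import secrets

P = 2**61 - 1  # prime modulus for F_p (assumed; the page only says values belong to F_p)

def poly_from_roots(roots):
    """Coefficients (lowest degree first) of prod(x - r) over F_p."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - r * c) % P       # contribution of -r * c * x^i
            nxt[i + 1] = (nxt[i + 1] + c) % P   # contribution of c * x^(i+1)
        coeffs = nxt
    return coeffs

def poly_eval(coeffs, x):
    """Horner evaluation over F_p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def derive_key(old_key, ku):
    """Assumed update rule: new key = SHA-256(old key || ku), truncated to 128 bits."""
    return hashlib.sha256(old_key + ku.to_bytes(8, "big")).digest()[:16]

def gm_broadcast(key_id, legal_ids, ku):
    """GM side: authentication polynomial with the legal members as roots, plus ku."""
    poly = poly_from_roots(legal_ids)
    poly[0] = (poly[0] + ku) % P                # P_j(x) = a_j(x) + ku_j (assumed form)
    return {"key_id": key_id, "poly": poly}

def member_update(node_id, ring, broadcast):
    """Member side: skip broadcasts for keys it does not hold, else evaluate and update."""
    kid = broadcast["key_id"]
    if kid not in ring:
        return None                             # not in this key group; wait for the next one
    ku = poly_eval(broadcast["poly"], node_id)  # equals ku_j only when a_j(node_id) == 0
    ring[kid] = derive_key(ring[kid], ku)
    return ring[kid]

if __name__ == "__main__":
    old = secrets.token_bytes(16)               # constructed group key for key ID 7
    members = [1001, 1002, 1003, 1004]          # constructed evaluation points
    legal = [m for m in members if m != 1003]   # node 1003 has been revoked
    ku = secrets.randbelow(P)
    bc = gm_broadcast(7, legal, ku)
    gm_key = derive_key(old, ku)
    for m in members:
        new = member_update(m, {7: old}, bc)
        print(m, "matches GM" if new == gm_key else "does not match GM")
```

In this assumed construction $P_j(x) - ku_j$ vanishes at every legal member's evaluation point, so those points have to be kept secret between the GM and each member; the broadcast also grows by one coefficient per legal member.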

Performance Analysis
In this section, we conduct the performance analysis on the two different kinds of key updating methods. As the sensor nodes in WSNs are all resource-limited devices, we take the following three aspects into consideration: storage, computation, and communication overhead.

Storage Overhead.
Table 5 shows the storage overhead of the sensor devices in the proposed two methods.
In the first method, each sensor node stores its own device ID and $m + 1$ sets of group information, each of which contains one key, one key ID, and the $m^3$ IDs of the other sensor nodes in the same group. Therefore, the total number of IDs which each sensor node stores is $(m^3 + 1)(m + 1) + 1 = m^4 + m^3 + m + 2$ and the total number of keys is $m + 1$.
In the second method, the GM has the same storage overhead as in the first method; however, each member sensor node only needs to store its device ID and $m + 1$ sets of group information. The group information consists of one key and one key ID. Therefore, the total number of IDs which each member sensor node stores is $(m + 1) + 1 = m + 2$, and the total number of keys is also $m + 1$, the same as in the first method.
We can see from Table 5 that the second method is more efficient in storage overhead than the first method. Therefore, when the sensor nodes in WSNs are more limited in memory, the second method would be preferable.

Computation Overhead.
Table 6 shows the computation overhead of the sensor devices in the proposed two methods.
In the first method, each sensor node needs to generate a random number RN and do $m + 1$ hash operations to update its $m + 1$ keys. In the second method, the GM needs to generate a random number, that is, the updating information, and an $l$-degree polynomial, while the other sensor nodes need to do $m + 1$ polynomial evaluation operations to obtain $m + 1$ pieces of updating information. Both the GM and the member sensor nodes need to perform $m + 1$ hash operations to update their $m + 1$ keys.
All the sensor nodes in both methods perform $m + 1$ hash operations. (When the lengths of the content n and nm are small, the time required for hash operations, for example, MD5 and SHA-1, is not obviously different compared with that of polynomial operations, which need a large number of loops. For example, the time required for hashing 64-bit data by MD5 in Java is 1 ms while hashing 64000 bits takes about 19 ms.) We can therefore compare the two methods on the previous three items: Generate RN, Poly generation, and Poly evaluation. The first method is much more efficient in computation overhead because the Generate RN operation is much cheaper than the Poly operations in the second method. Therefore, when the sensor nodes in WSNs are more limited in computation ability, the first method would be preferable.

Communication Overhead.
Table 7 shows the communication overhead of the devices in the two methods. In the first key updating method, in order to update one key, a sensor node needs to send a message which contains two IDs and one encrypted random number and will receive $m^3$ messages from the other $m^3$ nodes in the same key group. The communication overhead for updating one key is $2(m^3 + 1)$ IDs and $m^3 + 1$ random numbers. Therefore, for each sensor node to update all its $m + 1$ keys, the total communication overhead is $2(m^3 + 1)(m + 1)$ IDs and $(m^3 + 1)(m + 1)$ random numbers.
In the second method, the GM needs to send (while the other sensor nodes need to receive) the broadcast, which contains the ID of the key and an $l$-degree polynomial ($l \le m^3 + 1$). Therefore, the total communication overhead of the GM and of each member sensor node are both $m + 1$ keys and $m + 1$ $l$-degree polynomials. Here, we take into consideration the largest communication overhead of each sensor node; therefore, the number of legal sensor nodes, that is, the degree of the authentication polynomial, $l$, is set as $m^3$ ($m^3 + 1$ member sensor nodes except the GM itself). Because each sensor node needs to update all its $m + 1$ keys, the total communication overhead is $m + 1$ IDs and $m + 1$ polynomials of degree $m^3$.
Here, we define all the IDs, RNs, and coefficients of the polynomial as belonging to $F_p$. Therefore, the communication overhead of the two methods can be summarized in Table 8.
Table 8 shows that the second method is more efficient than the first method in communication overhead. Therefore, when the sensor nodes in WSNs are more limited in energy, the second method is preferred.

Comparison between the Two Methods.
We can conclude from the above three subsections that the first method is better in computation while the second method is more efficient in storage and communication. In addition, the second method saves more energy because the energy cost is linked to communication overhead (communication needs more energy than calculation) [18]. However, the first method is more secure because in the first method the capture of one sensor node will not affect the whole WSN with the help of other security technologies such as an IDS (intrusion detection system), while in the second method, the capture of the GM will affect the whole WSN. Note that the capture of member sensor nodes will not affect the WSN. In conclusion, as each proposed method has its own strong points and weak points, we should choose different key updating methods for different applications.

Discussion
5.1. Generalization. When a combinatorial design is constructed, the number of elements and the number of blocks are both determined, which will lead to the determination of the number of groups and sensor nodes. As our methods are designed for the case in which there exist a certain number of groups containing some sensor nodes, and sensor nodes holding some keys, they can be generalized to other combinatorial design based key management schemes.
For example, the symmetric balanced incomplete block design (SBIBD) is a (v, , , , and ) design, where =  =  2 +  + 1,  =  =  + 1, and  = 1. There are  2 +  + 1 sensor nodes and  2 +  + 1 keys in the WSNs. In addition, each key is contained in  + 1 sensor nodes and each sensor

As we can see from the predistribution rule, each sensor node has $m + 1$ keys. Note that the construction of the unital design makes it possible for $m^2 - m + 1$ blocks to have all $m^3 + 1$ elements. For example, in the 2-(9,3,1) unital in Table 1, there are $2^2 - 2 + 1 = 3$ blocks and $2^3 + 1 = 9$ keys, and $B_1$, $B_2$, and $B_{10}$ have all the 9 different keys, and so do $B_2$, $B_7$, and $B_9$. Taking advantage of this good feature, we let a node manage $m + 1$ groups, so the number of group managers and the corresponding broadcasts will drop to $m^2(m^2 - m + 1)/(m + 1)$. The first part KID of the broadcast contains all the key IDs which the GM has. Therefore, the broadcast can be described as in the following equation: The disadvantage is that the degree of $P_j(x)$ will increase to $m^2(m^2 - m + 1)$ −  as the authentication polynomial contains all IDs of the legal sensor nodes the GM knows. To reduce the degree of $P_j(x)$, we can replace the authentication polynomial with the revocation polynomial and masking polynomial, which will lead to only t (the degree of the masking polynomial) revocation ability. The masking polynomial is used in [19], and the construction of $P_j(x)$ is as follows: where $r_j(x)$ is the revocation polynomial,  (, sid  ) is the masking polynomial, and sid  is the session ID. The modification increases the storage overhead, as each sensor node needs to store the masking polynomial and the session ID, but can decrease the degree of $P_j(x)$ to T, which can be much less than $m^2(m^2 - m + 1)$ − .
Self-healing is a desirable feature for a group key distribution scheme, as the wireless environment and resource-limited features sometimes make the WSN an unreliable network. In unreliable networks, a member of the group may lose a message from the GM. The member can ask the GM to resend the broadcast. However, this becomes a large communication cost for the GM when the number of resend requests increases. To overcome this problem, group key distribution with the feature of self-healing was proposed in 2002, and self-healing group key distribution soon became a hot research topic [20].
Here,  is the number of all the sessions and T is the number of $P_j(x)$ which each broadcast carries to ensure the ability of self-healing the group key within T sessions. Note that the number of $P_j(x)$ in the second part of $B_j$ increases from 1 to T. Figure 2 shows the relationship between T and the healing rate in the case that there are 1001 sensor nodes (a GM controls 1000 member sensor nodes) in the WSN, where the loss probability is 10%.
As we can see from Figure 2, a broadcast which contains fewer $P_j(x)$ can still have a good healing rate, which means that we can set T to a small number for self-healing in the second method.

Conclusion
In this paper, we focus on how to update the keys used in combinatorial design based key management schemes for WSNs. In order to better introduce combinatorial design, we give an example of a unital design and its mapping to key predistribution for WSNs. Then, we propose two key updating methods for the unital design based key management scheme; one is distributed and the other is group based. The key updating methods can be generalized to other combinatorial design based key management schemes, and the group based key updating method can easily be modified to a self-healing version. We conduct the performance analysis on the two proposed methods from three aspects: storage, computation, and communication overhead. As the essence of updating keys for combinatorial design based key management schemes is the same as that of the unital design based key management scheme, our two key updating methods can be generalized to other combinatorial design based key management schemes. Referring to the construction of $P_j(x)$ in [19], we can modify the second method into a version with less communication overhead. In addition, the second method can also be modified into a self-healing one. The main contribution of this paper is that, with the key updating feature, combinatorial design based key management schemes will be more secure, which enriches the application of combinatorial design in key management for WSNs.
Regarding future work, we will pursue the following two directions: (1) how to reduce the communication overhead of the first method through the construction of the combinatorial design; (2) looking for or coming up with another combinatorial design holding better features for key management in WSNs.

Figure 1: The updating model for each sensor.

Figure 2: The relationship between T and healing rate.

Table 2: The mapping from unital to key predistribution.

Table 5: The storage overhead of the two methods.

Table 6: The computation operation of the two methods.

Table 7: The communication overhead of the two methods.

Table 8: The communication overhead of the two methods.
The sensor node in the first method: $3(m^3 + 1)(m + 1)$ log 
The sensor node in the second method: $(m^3 + 1)(m + 1)$ log 

node has  + 1 keys, which means, for a sensor node $n_i$, it needs to update  + 1 keys among  + 1 key groups. The sensor node $n_i$ can use the proposed two methods to update its  + 1 keys.