An efficient identity-based key management scheme for wireless sensor networks using the Bloom filter.

With the rapid development and widespread adoption of wireless sensor networks (WSNs), security has become an increasingly prominent problem. How to establish a session key in node communication is a challenging task for WSNs. Considering the limitations in WSNs, such as low computing capacity, small memory, power supply limitations and price, we propose an efficient identity-based key management (IBKM) scheme, which exploits the Bloom filter to authenticate the communication sensor node with storage efficiency. The security analysis shows that IBKM can prevent several attacks effectively with acceptable computation and communication overhead.

and CA. Additionally, the certificate will result in a large communication overhead and expensive signature verification operations, which consume more energy [10].
Because of the absence of a PKI and certificates, there is no authentication in the state-of-the-art IBE schemes, which are therefore subject to many attacks, such as the Sybil attack and the man-in-the-middle attack. To address these problems, we propose an efficient identity-based key management scheme (IBKM) in this paper, which adopts an identity-based cryptosystem to distribute session keys between nodes without the complicated operations of public key certificates; specifically, we exploit the Bloom filter to provide authentication with storage efficiency. A Bloom filter is a simple space-efficient randomized data structure based on hash functions for representing a set in order to support membership queries. Although Bloom filters allow false positives, for many applications, e.g., WSNs, the space savings outweigh this drawback when the probability of an error is sufficiently low [11].
The main contributions of this paper are as follows: (1) To the best of our knowledge, we are the first to exploit the Bloom filter to authenticate sensor nodes in WSNs. The sensor node's public key in IBE is verified using the Bloom filter together with its ID. (2) We provide a security analysis, as well as quantitative memory, computation and communication overhead, to demonstrate the effectiveness and efficiency of IBKM. The computation overhead introduced by the Bloom filter is quite small, as hash operations are negligible compared with the bilinear pairing.
The rest of this paper is organized as follows. Section 2 introduces related works. Section 3 gives some preliminaries on bilinear pairing, bilinear computational Diffie-Hellman (BCDH) and the Bloom filter. We describe IBKM in Section 4. In Section 5, a security analysis of IBKM is given to prove its resilience against various types of attacks. Section 6 gives the evaluation of the storage, computation and communication overhead. Finally, Section 7 concludes the paper.

Related Works
The notion of identity-based public key schemes was first introduced by Adi Shamir [12], who presented an identity-based signature scheme. Compared with traditional certificate-based public-key cryptosystems, an ID-based system uses the user's identity (for example, a name or email address) as the public key; therefore, the additional computation needed to verify the corresponding certificate is avoided.
Until now, several cryptography algorithms based on identity have been proposed; however, these solutions cannot completely meet the requirements of practical use, especially in WSNs. In 2001, Franklin and Boneh [13] proposed an identity-based encryption scheme from Weil pairing. They also showed that their scheme can gain security against an adaptive chosen cipher text attack in the random oracle model. Their work is based on bilinear pairings on elliptic curves and led to high research activity in this field.
Yang et al. [14] propose an approach based on identity-based encryption and Diffie-Hellman algorithms, which provides authenticated key agreement between pairs of sensor nodes. However, its computation and memory overhead are too high to be practically applied. Zhang et al. [15] propose a new security scheme based on LOCK [16] and ID-based secure group key management. They use the exclusion basis system (EBS) [17] for key agreement between the gateway and node, while ID-based key management between the base station and gateway.
Since Boneh et al. [18] proposed signature and encryption schemes based on identity from pairings, many schemes [19][20][21][22] have attempted to apply pairings to WSNs. Yang et al. [22] proposed IBAKA using pairing-based cryptography. Their scheme achieves significant improvements in terms of security strength, communication and storage overhead; later in this paper, we compare our scheme with theirs. However, the pairing costs too much computation for WSNs. Barreto [23] proposed an efficient approach to compute pairings on supersingular curves, which can be used for elliptic and hyperelliptic curves with very efficient results. Manel et al. [24] propose an identity-based scheme that supports the establishment of pair-wise keys and cluster keys. However, their scheme does not verify the authenticity of the identity before the key agreement between two nodes; also, nodes in this scheme store a large number of other nodes' public keys and identity values, which increases the storage overhead. Cheng et al. [25] presented EKAES, an ID-based key agreement and encryption scheme for WSNs, but their scheme has an expensive communication overhead. Chatterjee et al. [26] propose an ID-based key management scheme using bilinear pairings. The nodes in their scheme verify the authenticity of other nodes through the cluster, which causes a heavy communication overhead.
Kui et al. [10] presented several public-key-based schemes to achieve immediate broadcast authentication in WSNs, and the Bloom filter is used. However, in their schemes, the broadcast messages are initiated by network users, which are personnel or devices that use the WSN; they are not sensor nodes. Instead, our scheme is used to authenticate among the sensor nodes in a WSN.
Altogether, state-of-the-art identity-based approaches do not verify the authenticity of the corresponding node before the key agreement, because certificate verification usually needs extensive computation on the sensor nodes; besides, additional entities, such as a CA, must be set up. In this paper, we address this problem by adopting the Bloom filter, with minimal computational and storage cost, to cope with the resource-constrained nature of WSNs.

Preliminaries
In this section, we give a brief introduction to bilinear pairing, the bilinear Diffie-Hellman (BDH) problem and the Bloom filter.
Bilinear Pairing: Let $G_1$ be a cyclic additive group of prime order $q$ and $G_2$ be a cyclic multiplicative group of the same order $q$.
Bloom filter: A Bloom filter [11] is a simple space-efficient randomized data structure; it can be used to succinctly represent a set in order to support membership queries. In our scheme, we use it to authenticate a sensor node when receiving a communication request. A Bloom filter is described by a vector of $m$ bits, which are initially all set to zero. In order to represent a set $S$ containing $n$ elements, we use $k$ independent hash functions $h_1, \dots, h_k$, each mapping an item to a position in the $m$-bit vector. For each element $x \in S$, the bits $h_a(x)$, $1 \le a \le k$, are set to one. To test whether an item $y$ is in $S$, one checks the bits $h_1(y), \dots, h_k(y)$: if any of them is zero, $y$ is certainly not in $S$; if all are one, $y$ is assumed to be in $S$, with some probability of a false positive. Figure 1 illustrates the insertion for $k = 3$: $x_1$ is hashed by three hash functions, and the three corresponding bits of the Bloom filter are set to one. Note that a bit of the vector can be set to one multiple times, but only the first setting has an effect.

IBKM Scheme
Basically, there are two architectures available for WSNs. One is a distributed flat architecture, and the other is a hierarchical architecture. Considering the limitations of WSNs, such as low energy supply, extremely large network size and redundant low-rate data, the hierarchical network model has more operational advantages than the flat homogeneous model for wireless sensors [27].
In this work, we focus on the hierarchical network model, which is shown in Figure 2, as in [28]. It has three different kinds of wireless devices; base station (BS), cluster head (CH) and sensor node (N). We assume that the BS is trusted and that the CH is more capable than normal nodes. In a cluster, the CH collects and aggregates packets from its member nodes and then forwards them to the BS. Normally, a member sensor node can transfer packets to CH through several hops. IBKM consists of three phases: parameters initialization, node registration and share secret key generation between two nodes. Table 1 displays the notations used in this paper.

Parameters Initialization Phase
BS selects large primes $p$ and $q$ and generates a random elliptic curve $E$ over the finite field $F_p$. One point $P$ on the curve $E$ is selected and used as a generator to construct an additive group $G_1$, and , where CH is a cluster head in WSNs.
(4) BS keeps a list of all nodes' IDs and their public-private key pairs. BS also keeps all CHs' IDs and public keys for the next steps.

Node Registration Phase
In this phase, all sensor nodes register to the cluster heads and a session key is generated between each node and their cluster head, as shown in Figure 3.
(1) CH broadcasts a message that contains its own identity and public key to all neighboring sensor nodes.
(2) Upon receipt of the CH's message, each sensor node sends its ID and public key to the CH it wants to join.
(5) CH generates a Bloom filter of all nodes' IDs and public keys within its cluster and sends the Bloom filter, encrypted by the session key generated before, to all nodes in the cluster. Figure 4 shows the generation of the Bloom filter: CH generates its own cluster Bloom filter.

Share Secret Key Generation between Two Nodes
(1) Sensor Node A chooses a random number $r_1$ and, after it has registered with the CH, broadcasts to its neighboring nodes a message that contains its ID, public key and a time stamp encrypted by its own private key.
(2) When the neighboring Node B receives the message, it verifies the authenticity of A by checking whether the hash mapping of $(ID_A, Q_A)$ is contained in the Bloom filter obtained from the CH.
A negative answer means authentication failure. Our node authentication algorithm takes a similar idea to [10] and is efficient, since the check costs only $k$ hash evaluations. If the authentication passes, B chooses its own random number $r_2$ and returns its ID, public key and a time stamp encrypted by its own private key.
Afterwards, Nodes A and B can communicate with each other using the shared session key. The shared secret key between the two nodes is derived as shown in Figure 5.
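The Bloom filter of Section 3 and the registration step (5) / key-generation steps (1) and (2) above, as an added example (this is not the paper's code). It assumes the message layout of Section 6 (2-byte ID, 34-byte compressed point, 8-byte time stamp), models the public key Q as an opaque 34-byte value rather than a real curve point, derives the k hash functions from one SHA-256 digest by double hashing (the paper does not fix the hash functions), treats the time stamp as a freshness check with a 30-second window (an assumption about its purpose), and leaves out the private-key encryption and the pairing-based key derivation of Figure 5, which the page does not reproduce. The element inserted into the filter is the pair (ID, Q), so a valid ID presented with a substituted key is rejected just like an unregistered ID, up to the filter's false-positive rate.

```python
import hashlib
import math
import struct

# Field sizes from Section 6: 2-byte ID, 34-byte compressed point, 8-byte time stamp.
ID_LEN, POINT_LEN, TS_LEN = 2, 34, 8
MSG_LEN = ID_LEN + POINT_LEN + TS_LEN  # 44 bytes


class BloomFilter:
    """m-bit vector with k hash positions per element (Section 3)."""

    def __init__(self, m_bits, k):
        self.m = m_bits
        self.k = k
        self.bits = bytearray((m_bits + 7) // 8)

    @classmethod
    def sized_for(cls, n, k):
        # Section 6 keeps k = (m/n) ln 2, i.e. m = n k / ln 2 bits for n elements.
        return cls(math.ceil(n * k / math.log(2)), k)

    def _positions(self, item):
        # Assumption: k hash functions derived from one SHA-256 digest by double
        # hashing (Kirsch-Mitzenmacher); the paper does not specify the hashes.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + a * h2) % self.m for a in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def member_key(node_id, q):
    """The filter element is the pair (ID, Q); a valid ID with a swapped key fails."""
    return struct.pack(">H", node_id) + q


def build_cluster_filter(members, k=10):
    """Registration step (5): CH builds the filter over its members' (ID, Q) pairs."""
    bf = BloomFilter.sized_for(len(members), k)
    for node_id, q in members:
        bf.add(member_key(node_id, q))
    return bf


def hello_message(node_id, q, ts):
    """Key-generation step (1): A's message (ID, Q, T); encryption omitted here."""
    return struct.pack(">H", node_id) + q + struct.pack(">Q", ts)


def parse_hello(msg):
    if len(msg) != MSG_LEN:
        raise ValueError("bad hello length")
    node_id = struct.unpack(">H", msg[:ID_LEN])[0]
    q = msg[ID_LEN:ID_LEN + POINT_LEN]
    ts = struct.unpack(">Q", msg[ID_LEN + POINT_LEN:])[0]
    return node_id, q, ts


def authenticate_peer(bf, msg, now, max_skew=30):
    """Key-generation step (2): B's check. Returns (accepted, reason).
    The time-stamp window is an assumed freshness check, not stated by the paper."""
    try:
        node_id, q, ts = parse_hello(msg)
    except ValueError as e:
        return False, str(e)
    if abs(now - ts) > max_skew:
        return False, "stale time stamp"
    if member_key(node_id, q) not in bf:
        return False, "(ID, Q) not in cluster filter"  # unregistered or Sybil
    return True, "ok"


def fake_point(label):
    """Constructed stand-in for a 34-byte compressed point (no real EC arithmetic)."""
    return hashlib.sha512(label).digest()[:POINT_LEN]


def run_demo(n_members=50, n_forged=2000, now=1_700_000_000):
    """Constructed cluster: 50 registered nodes, then a member, a replay,
    2000 unregistered IDs and 50 key substitutions are presented to Node B."""
    members = [(i, fake_point(b"Q%d" % i)) for i in range(1, n_members + 1)]
    bf = build_cluster_filter(members)
    ok, _ = authenticate_peer(bf, hello_message(7, members[6][1], now), now)
    stale, _ = authenticate_peer(bf, hello_message(7, members[6][1], now - 600), now)
    sybil_hits = sum(authenticate_peer(bf, hello_message(i, fake_point(b"S%d" % i), now), now)[0]
                     for i in range(1000, 1000 + n_forged))
    swap_hits = sum(authenticate_peer(bf, hello_message(i, fake_point(b"X%d" % i), now), now)[0]
                    for i in range(1, n_members + 1))
    return {"member_ok": ok, "replay_ok": stale, "filter_bits": bf.m,
            "sybil_hits": sybil_hits, "sybil_rate": sybil_hits / n_forged,
            "swap_hits": swap_hits}


if __name__ == "__main__":
    print(run_demo())
```

The forged identities are not rejected with certainty: each passes with probability about $2^{-k}$ (Section 6), which is why the demo counts hits over many forgeries instead of asserting a single rejection.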

Security Analysis
Due to the unreliable wireless channel and volatile topology, a key agreement scheme for WSNs is subject to various attacks, such as node-compromise attack, Sybil attack, etc. Compared to previous works, our scheme can resist these attacks using the bilinear map and authentication through the Bloom filter.
Sybil Attack: Before node deployment, the BS allocates an ID to each node in the WSN, and then the CH generates a Bloom filter of the nodes in its own cluster. Therefore, before sharing a secret key, two nodes authenticate each other using the Bloom filter generated by the CH, and IBKM resists the Sybil attack because an adversary cannot convince another node that it holds a legal ID. Note that this check is probabilistic: a forged (ID, public key) pair passes the filter with probability equal to its false-positive rate $f = 2^{-k}$ (Section 6), so $k$ must be chosen with this attack in mind.
Node-compromise attack: It is easy to capture a node in WSNs and steal secret information about the network stored in the node. Compared to the E-G and other key pre-distribution schemes, IBKM can resist node-compromise attack and ensure the security of the entire network. For the E-G scheme and its variants, if the number of node adversaries captured exceeds a certain threshold, the adversaries will get almost all of the keys of the WSN. However, in our scheme, different node pairs share different keys; even if a node is compromised, it will not affect other node pairs' keys.
Rekeying and forward secrecy: IBKM employs a random number r in the process of secret key generation between two nodes. On the one hand, we can stipulate the secret key agreement period; therefore, nodes must renegotiate a new session key in a certain period. In this way, we can enhance the security of the network. On the other hand, the rekeying can provide forward secrecy of the network when a node is captured by the adversary. Even if the adversary gets the current secret key, he cannot deduce the keys used before, because different random numbers generate different secret keys.
HELLO flood attack: In this attack, the main aim of the attacker is to deplete node energy. In our scheme, every node possesses a Bloom filter for node identity authentication. Therefore, if an adversary sends a HELLO message, the receiving nodes first check whether the message is legitimate. If the result is negative, no further computation is carried out, so no more energy of the receiving node is consumed.
Man-in-the-middle attack: In our scheme, the adversary cannot calculate the pairwise session key, even if it intercepts the system parameters, since the messages transmitted in our scheme are all encrypted in the public key cryptosystem. On the other hand, the session key is generated by the private key and the random number. It is assumed to be hard for an adversary to decrypt the message on air or to calculate the session key.
Mutual authentication: Our scheme achieves both identity authentication and key authentication. Before the session key is agreed upon, the nodes verify the authenticity of each other by checking if the corresponding hash mapping is contained in the local Bloom filter. A negative answer means that the node is illegal in this cluster. Then, we verify the identity of the node by the signature of the private key. While, after, Node A and Node B share the same session key, they can realize identity authentication by the session key, because only A and B share the same key. In this way, we can prevent the unauthenticated node from accessing the sensor network.

Performance Evaluation
Although security is a critical factor in WSNs, it is also necessary to evaluate the storage, computation and communication consumption of sensor nodes, since they are extremely resource constrained. In this section, we evaluate the performance of IBKM by comparing the storage, computation and communication overhead with two relevant schemes, Yang's scheme [22] and Cheng's scheme [25]. The two schemes were influential ones of the key management protocols proposed for WSNs.

Performance of Bloom Filter
Since we apply the Bloom filter to provide probabilistic membership verification in our scheme and hash functions are subject to collisions, it is important to evaluate the probability of a false positive. In addition, it is not hard to show that this is a global minimum [11]. Now, we can see that the probability of a false positive $f$ is a function of $k$, i.e., $f = 2^{-k}$. Figure 6 shows that as $k$ increases, the false-positive rate decreases rapidly. We can therefore choose an appropriate $k$ according to the different application scenarios of WSNs to achieve an acceptable false-positive rate. In our following experiments, we take $k = 10$, since the false positive $f$ has dropped below

Memory Overhead
It follows from the above analysis that the probability of false positives reaches its minimum when $k = (m/n)\ln 2$, and the minimum value is $f = 2^{-k}$. For a given network whose number of nodes $n$ is fixed, the false-positive probability thus varies with $m$ and $k$. To maintain the minimum false-positive probability, we should keep $k = (m/n)\ln 2$. It turns out that when we want a smaller $f$, we should use a larger $m$ or $k$, which means more memory consumption and more hash computation; therefore, we should make a trade-off to choose appropriate $k$ and $m$ for different scenarios. Here, we assume a civilian scenario in which $f$ is acceptable when below 1%, and take $k = 10$, for which $f = 2^{-10} \approx 0.1\%$; the optimal filter size is then $m = nk/\ln 2 = 14.427\,n$ bits. In Cheng's and Yang's schemes, each node is preloaded with the other nodes' public keys, while our scheme only uses the Bloom filter to verify the public keys. Therefore, for convenience, we take the whole cluster's memory consumption as the measurement when comparing the three schemes. Here, we assume the public key is 128 bits long; thus, the total memory of preloaded keys in the cluster is $m = 128\,n$ bits for Cheng's and Yang's schemes. Figure 7 shows the performance comparison of IBKM, Cheng's and Yang's schemes. From the comparison, we can see that our scheme costs significantly less memory than theirs.
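The sizing rules of this subsection and of the preceding one ($f = 2^{-k}$ at $k = (m/n)\ln 2$, hence $m = 14.427\,n$ for $k = 10$, against $128\,n$ preloaded bits), worked through as an added example that is not part of the paper. It goes beyond the page in one respect: it uses the general estimate $f \approx (1 - e^{-kn/m})^k$ from [11], of which the paper quotes only the optimum, so that it can also show what happens when a cluster outgrows the filter it was sized for. The 128-bit preloaded key size and the 1% threshold are the paper's; the cluster sizes are constructed.

```python
import math

# Per-node preloaded key size used in the paper's comparison with Cheng's and Yang's schemes.
PRELOADED_KEY_BITS = 128


def false_positive_rate(m, n, k):
    """f for an m-bit filter holding n elements with k hashes: (1 - e^{-kn/m})^k,
    the standard estimate from [11]; the paper quotes only its optimum, f = 2^{-k}."""
    return (1.0 - math.exp(-k * n / m)) ** k


def optimal_k(m, n):
    """k = (m/n) ln 2, rounded to an integer number of hash functions."""
    return max(1, round(m / n * math.log(2)))


def filter_bits(n, k):
    """Smallest m for which k is optimal: m = n k / ln 2 (14.427 n for k = 10)."""
    return math.ceil(n * k / math.log(2))


def hashes_for_target(f_target):
    """At the optimum f = 2^{-k}, so the smallest k reaching f_target is ceil(-log2 f_target)."""
    return math.ceil(-math.log2(f_target))


def sizing_row(n, k):
    """Memory and false-positive figures for one (n, k), beside the 128 n preloaded bits."""
    m = filter_bits(n, k)
    return {
        "k": k,
        "m_bits": m,
        "bits_per_node": m / n,
        "f": false_positive_rate(m, n, k),
        "preloaded_bits": PRELOADED_KEY_BITS * n,  # Cheng's / Yang's schemes
        "saving": 1 - m / (PRELOADED_KEY_BITS * n),
    }


def sizing_table(n, ks=(4, 7, 10, 13)):
    return [sizing_row(n, k) for k in ks]


def overfilled_rate(n_sized, n_actual, k=10):
    """f when a filter sized for n_sized members is built over n_actual members
    (nodes joining after the CH fixed m); m must track the cluster size."""
    return false_positive_rate(filter_bits(n_sized, k), n_actual, k)


if __name__ == "__main__":
    for row in sizing_table(100):  # constructed cluster of 100 nodes
        print(row)
    print("filter sized for 100 nodes but holding 200:", overfilled_rate(100, 200))
```

With $k = 10$ a cluster of 100 nodes needs 1443 filter bits against 12800 bits of preloaded keys; the same filter built over 200 nodes has $f \approx 5.6\%$, well above the 1% target, so the CH must size $m$ for the largest membership it will serve or rebuild the filter when the cluster grows.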

Computational Overhead
We implement our proposed scheme in Microsoft Visual C++ 6.0. The operating system is Windows 7 Ultimate. The computer configuration is as follows: CPU, Intel Core i5 3.2 GHz; memory, 4 GB; hard disk, 1 TB. In our scheme, we need to compute one bilinear pairing, one exponentiation on $G_T$, one 160-bit scalar point multiplication and the Bloom filter. Yang's scheme [22] involves the computation of two bilinear pairings, one exponentiation on $G_T$ and one 271-bit scalar point multiplication. Cheng's scheme [25] involves the computation of two bilinear pairings, one exponentiation on $G_T$, two 160-bit scalar point multiplications and one 271-bit scalar point multiplication. The measured time for the major operations is shown in Table 2. A comparison of the total computation overhead with the two schemes is shown in Table 3. From the table, we can see that, since we use only one bilinear pairing, which is the most time-consuming operation, our scheme needs less computation time than the other two schemes; therefore, IBKM saves node energy. Notice that, although hash mapping and encryption are introduced with the Bloom filter, they are omitted from the table, since they consume negligible computing power compared with the bilinear pairing.

Communication Overhead
In IBKM, the secret key generation process comprises two messages: one sent by A and the other sent by B. Each message includes the node's ID, public key and a time stamp, namely the message is $(ID, E(rQ), T)$. Here, $rQ$ is a point on the elliptic curve, which can be transmitted in compressed form: given the $x$-coordinate of $rQ$, the node can derive $y$ whenever it needs it. In accordance with Yang's scheme, the compressed point takes 34 bytes and the ID two bytes. We take eight bytes for the time stamp in our scheme, and the encryption here does not change the length of the messages. Therefore, the communication overhead of our scheme is $2 + 34 + 8 = 44$ bytes per message. Yang's scheme needs 61 bytes for the message $(U, V)$, and Cheng's scheme needs 168 bytes because it uses a 1024-bit modulus in the Diffie-Hellman key exchange; both schemes also need two messages when nodes share a secret key. We show the communication overhead of the three schemes in Table 4. From this table, we can see the superiority of our communication consumption compared with the other two schemes.

Conclusions
In this paper, we propose IBKM, which is an efficient key management scheme for WSNs. By adopting the Bloom filter into identity-based cryptosystem to distribute session keys between nodes, IBKM achieves the advantages of the node's identity authentication without complex certification verification by the certification authority. The results of the analysis show that our scheme can resist various attacks and has acceptable overhead in storage, computation and communication compared to the existing related schemes.