A WSN Layer-Cluster Key Management Scheme Based on Quadratic Polynomial and Lagrange Interpolation Polynomial

Since current key management schemes are mainly designed for static and planar networks, they are not very suitable for layer-cluster wireless sensor networks (WSNs). A WSN layer-cluster key management scheme based on a quadratic polynomial and a Lagrange interpolation polynomial is therefore proposed, whose main idea follows the research line of broadcast identity authentication, session key, group key, network key and personal key. Specifically, the authentication key is established on the basis of a Fourier series for identity authentication; the session key is established by a multiple asymmetric quadratic polynomial, and the session key information is encrypted by the authentication key to ensure the security of the intermediate interactive information; based on the former two keys, the group key is established on the basis of a Lagrange interpolation polynomial, in which the nodes of the cluster are not directly involved; the generation and management of the network key is similar to that of the group key, the establishment idea being to regard the BS and all cluster heads as a group; the generation and management of the personal key is also similar to that of the group key, the difference being that the personal key can be obtained by cluster nodes by retrieving the Lagrange interpolation polynomial coefficients based on their own random key information. The analysis shows that the proposed layer-cluster key management scheme can first guarantee the identity of network nodes through forward authentication and reverse authentication; that the session key, group key and network key guarantee the independence of key management and avoid the single point of failure problem of the LEAP protocol; and that the personal key guarantees the privacy of the network.


Introduction
The development of modern network technology has proved that a network without adequate security has no future [1,2]. Wireless Sensor Networks (WSNs), a new network technology that originated in the military field, require even more attention to security [3,4]. Because of the great differences between WSNs and traditional networks, WSN security problems have some new characteristics: (1) because of self-organization, intermittent connection, wireless communication and resource limitation, it is difficult for a WSN to fully guarantee network security [5]; (2) a WSN is vulnerable to internal, external and malicious attacks [6]; (3) the information and resources of a WSN can be modified, eavesdropped, deleted, lost or disclosed, its service may be blocked, and even its deployment environment may be unsafe and vulnerable [7]. So, the key research topic of WSN security is to provide self-protection, reliability, confidentiality, authenticity and integrity services.
The characteristics of a WSN make its security problems very different from those of traditional networks [4,7], and the unreliable wireless communication channel makes enforcing WSN security even more difficult. In some special military environments, WSN nodes are even required to detect and identify untrusted nodes and intruders, and to resist various types of attacks in order to maintain the security and integrity of the network. All these problems require a WSN to have a stronger security mechanism to overcome its weaknesses in security and to ensure that it can be applied in various fields.
For WSN security, the actual situation is that the open wireless channel needs an encryption system, and the wireless sensor nodes constrained by resources need a lightweight and efficient security scheme, and the characteristic of uncontrolled operation of WSN needs a security strategy with high security flexibility [8]. At present, almost all encryption technologies rely on keys, but the leakage of the keys will directly lead to the leakage of the plaintexts. Therefore, key management is the key part of guaranteeing the wireless communication, and how to configure and manage keys effectively and safely has become one of the important parts of WSN security research.
At present, research on WSN security technologies covers cryptography, key management, secure data fusion, secure routing, intrusion detection, identity authentication, trust models and other special security issues [4,7]. Among these, the key management scheme is the most critical issue and also the basis of other security mechanisms such as secure routing, secure location, secure data fusion, etc., but key management technology is also the most difficult and weakest part of WSN security management [9]. Historical examples show that attacking the key management costs much less than breaking the cryptographic algorithm. Therefore, in WSN security research, it is very important to attach great importance to key management and to introduce key management schemes for effective control, which can increase the security and attack resistance of the network [10,11,12].

Identity Authentication
In key management research, researchers rarely classify identity authentication as a key management technology. It is known that broadcast identity authentication is the first security task when a WSN begins to run; it guarantees the sources of network information and provides periodic confirmation in subsequent work. In fact, classic algorithms such as hash chains and digital signature authentication are essentially a process of key management [13,14,15]. Therefore, this paper proposes a layer-cluster key management scheme which takes broadcast identity authentication as the first work of key management, and broadcast identity authentication runs through the whole process of key management. For example, network initialization requires broadcast identity authentication, and identity authentication is also required when the network is periodically updated or abnormally attacked. In addition, broadcast identity authentication is the first security barrier of a WSN, in which the broadcast authentication key generated in the first step can be used to encrypt later key information and to participate in the generation of other keys.
In a WSN, in order to save network bandwidth and communication time, the base station (BS) or the cluster heads usually send commands or perform updates by means of broadcast. Since broadcast communication plays a very important role in a WSN and its security is directly related to the security of the whole network, a node must be able to authenticate the source, accuracy and integrity of a broadcast packet when it receives one, which is also known as broadcast authentication.
Broadcast authentication includes entity authentication and message source authentication. Entity authentication is a process in which one party confirms the identity of the other party according to a certain protocol. Message source authentication is mainly to confirm the legal identity of the information source and ensure the integrity of the information, which can prevent illegal nodes from sending, forgery and tampering with the information. These two parts of broadcast authentication can be realized by encrypting and decrypting the message authentication code (MAC).

Network Key
The network key is the communication key shared by BS and all network nodes; it is similar in concept to the group key if the whole network is regarded as a group. The network key can be used for information that all members need to know, such as networking commands. The distribution method of the network key is clear: BS first encrypts it with the session key and sends it to each cluster head one by one, and then each cluster head re-encrypts it with its own group key and broadcasts it to each group member.
The network key is established after the session key and the group key, and not all networks require a network key. Since its establishment method is similar to that of the group key, in order to prevent collusion attacks, this paper suggests that the network key be limited to cluster heads and that the group key still be used for broadcasting among group members.

Personal Key
A personal key is a key shared by a common member node and BS, which the common node uses to send important secret information to BS independently, such as military secrets, abnormal data or monitoring data from its coverage area. This information is expected to be known only by BS, so neither the personal key nor its establishment method may be known by the intermediate transmission nodes or the cluster head nodes. The difficulty of personal key research lies in the security of key distribution and updating: if malicious nodes obtain too much relevant information by disguising themselves as intermediate nodes, they will work out the personal key. Therefore, the establishment and updating method of the personal key should maintain a certain independence.
Personal keys are not required in all network management cases either; they are only used in some special tasks and higher-security circumstances. At present, research on personal keys is mainly based on the definition of the session key, with BS treated as a non-adjacent node. The disadvantage of this approach is that the establishment method of the personal key is not independent enough, and the personal key will be cracked once the session key is cracked.

Layer-Cluster Key
The key management schemes above are mainly designed for static and planar networks and are not very suitable for layer-cluster wireless sensor networks. In layer-cluster schemes, the network nodes are divided into several clusters, where the cluster heads are usually powerful and the key distribution, negotiation and updating of the common sensor nodes are all handled by the cluster heads. Compared with distributed key management schemes, these layer-cluster schemes place lower requirements on the computing and storage capacity of common nodes [37]. In particular, the network has good scalability and invulnerability.
Layer-cluster key research includes key generation, distribution, updating, deletion, association, efficiency and feasibility. At present, some layer-cluster key schemes have been proposed [8,37,38,39]. Zhu has proposed the LEAP scheme [8], which includes four types of communication keys. Although LEAP can achieve a certain security performance, it still does not solve the problem of the large energy consumption of key updating and suffers from the single-point failure problem. In addition, these schemes are based on the case of a fixed cluster head, which can cause huge security problems once the cluster head is captured. In a word, there are many new challenges for layer-cluster key research, and providing secure and reliable WSN key management has become the most important and basic content of WSN security research.

Motivations
The motivations of this paper can be summarized as follows:

• Since almost all existing encryption technologies rely on keys, and the leakage of the keys will directly lead to the leakage of the plaintexts, key management is the key part of guaranteeing wireless communication security, and how to configure and manage keys effectively and safely has become one of the important parts of WSN security research.

• Key management is one of the most critical issues for security, and it is the basis of other security mechanisms such as secure routing, secure location, secure data fusion, etc. Therefore, it is very important to attach great importance to key management and to introduce appropriate key management schemes for effective control.

• The current key management schemes are mainly designed for static and planar networks and easily fall into the problem of single point failure, so they are not very suitable for layer-cluster wireless sensor networks (WSNs).
A WSN layer-cluster key management scheme based on a quadratic polynomial and a Lagrange interpolation polynomial (LCKMS-QPLIP) is proposed in this paper. The main research idea of LCKMS-QPLIP follows the line of broadcast identity authentication, session key, group key, network key and personal key, where the establishment method of each key is independent and different, while the encryption processes are related to each other. This scheme not only ensures the independence of each encryption process, but also ensures the consistency of security strength.
In addition, the layer-cluster key management scheme LCKMS-QPLIP proposed in this paper should first guarantee the identity of network nodes through forward authentication and reverse authentication; the session keys, group keys and network keys should guarantee the security and efficiency of the network; and the personal keys should guarantee the privacy of the network. These five keys complement each other, which not only ensures the independence of key management and avoids the problem of single point failure, but also enables a WSN to provide an efficient key management scheme in a reasonable network structure.

Main Contributions
The main contributions of this paper can be summarized as follows:

Sensors 2020, 20, 4388 6 of 35

• Broadcast authentication. The broadcast authentication protocol based on a Fourier series for WSN is used for identity authentication. The authentication key is established by the initial sharing function f(x) to realize the broadcast authentication of the group members, and each member can confirm the source and integrity of the broadcast information from BS or the cluster heads.

• Session key. The session key information is encrypted by the former authentication key to ensure the security of the intermediate interactive information. Using the initial private function g(x), a multiple asymmetric quadratic polynomial, a session key management scheme is established which can guarantee the independence of the session key and the network connectivity.

• Group key. In order to realize the secure broadcast of shared information among the group members in a cluster, the group key should be established on the basis of the former session key, the cluster being the most natural communication group. Since the generation of group keys needs the joint participation of all group nodes or the associated nodes, there is a single point failure problem. According to the former two kinds of key, a group key scheme based on a Lagrange interpolation polynomial is established, in which the nodes of the cluster are not directly involved.

• Network key. The network key is the communication key shared by BS and the other network nodes, and the generation and management scheme of the network key is similar to that of the group key, the establishment idea being to regard the BS and all cluster heads as a group, so network keys based on a Lagrange interpolation polynomial can also be established.

• Personal key. The key to personal key establishment is to keep the privacy and independence of the key. The generation and management scheme of personal keys is also similar to that of group keys, the difference being that personal keys can be obtained by cluster nodes by retrieving the Lagrange interpolation polynomial coefficients based on their own random key information, where each coefficient can only be obtained by the corresponding node. The independent coefficient is defined as the personal key, which can only be known by BS and the corresponding node.

• Reverse authentication. Based on the personal key, which achieves one-to-one private communication, BS can verify the identity of each node; this is called reverse authentication.

Organization
The paper is organized as follows: In Section 2, we analyze the characteristics of the Fourier series, the quadratic polynomial and the Lagrange interpolation polynomial. In Section 3, we discuss the specific building process of the five keys in LCKMS-QPLIP. In Section 4, we discuss the method for updating the five keys. In Section 5, we present a security analysis to verify the efficiency of LCKMS-QPLIP. In Section 6, conclusions are given.

Characteristics of the Fourier Series
Definition 1. Assume that f(x) is a continuous and periodic function with period T. If f(x) satisfies the following condition:

$$f(x) = \frac{a_0}{2} + \sum_{n=1}^{\infty} \left( a_n \cos n\omega x + b_n \sin n\omega x \right) \quad (1)$$

Equation (1) is called the Fourier series of the continuous function f(x).

Definition 3.
Assuming that A is the quadratic matrix of $f(x_1, x_2, \dots, x_n)$ over the field P, if there is a non-zero real vector ξ and a real number λ of the field P that satisfy Aξ = λξ, then λ is called an eigenvalue of matrix A and ξ is called an eigenvector belonging to λ.
It follows from Aξ = λξ that (λE − A)ξ = 0, which also indicates that ξ is a non-zero solution of Equation (10). The necessary and sufficient condition for a non-zero solution is that |λE − A| = 0 (11), where |λE − A| is called the characteristic polynomial of matrix A.
Therefore, based on Definitions 2 and 3, the method to obtain the eigenvalues and eigenvectors of matrix A can be divided into the following steps:
Step 1: In the field P, choose a multivariate asymmetric quadratic polynomial $f(x_1, x_2, \dots, x_n)$ randomly and write out its matrix A.
Step 2: Calculate all roots of the characteristic equation |λE − A| = 0 in the field P; these roots are the eigenvalues.
Step 3: Substitute the obtained eigenvalues into Equation (10) one by one and work out a set of basic solutions for each eigenvalue; these are the linearly independent eigenvectors of that eigenvalue. In this way, all linearly independent eigenvectors belonging to each eigenvalue can be obtained.

Theorem 1.
If matrix A is a real symmetric matrix, for any two non-zero vectors α, β in fields P, it can be proved that (Aα, β) = (α, Aβ).
Proof. Actually, it is easy to obtain that: Therefore, (Aα, β) = (α, Aβ) and this property of the symmetric matrix A is also called symmetric transformation.

Theorem 2.
If matrix A is a real symmetric matrix, any two non-zero eigenvectors belonging to different eigenvalues of A in the field P must be orthogonal.
In order to achieve orthogonalization, the Gram-Schmidt orthogonalization method is applied. The process of Gram-Schmidt orthogonalization is as follows. Assume that the initial vector group is $\{\alpha_1, \alpha_2, \dots, \alpha_n\}$, and assume: where $|\beta_i|$, i = 1, ..., n, represents the norm of the orthogonal vector $\beta_i$ and $(\alpha_n, \eta_i)$ represents the inner product of these two vectors.
So, based on the Gram-Schmidt orthogonalization method, the different eigenvectors belonging to the same eigenvalue in matrix $B = [\xi_1, \xi_2, \dots, \xi_n]$ are converted into unit orthogonal vectors, which compose the unit orthogonal matrix. Therefore, based on the above proof, for any real symmetric matrix A there is a unit orthogonal matrix $B = [\xi_1, \xi_2, \dots, \xi_n]$ such that $B^T A B = B^{-1} A B = C$ is a diagonal matrix whose diagonal values are the eigenvalues of matrix A.

Corollary 1.
Any quadratic polynomial $f(x_1, x_2, \dots, x_n)$ over the real field can be transformed into a sum of squares by an orthogonal linear substitution, where the sum can be written as $\lambda_1 y_1^2 + \lambda_2 y_2^2 + \dots + \lambda_n y_n^2$ and $\lambda_1, \lambda_2, \dots, \lambda_n$ are the eigenvalues of the matrix A.

Lagrange Interpolation Polynomial
Setting $l_i(x) = 1$ at $x = x_i$, then: therefore: and set: It is shown in Equation (21) that the degree of $L_n(x)$ is less than n and $L_n(x_i) = f(x_i)$, i = 0, 1, 2, ..., n. Therefore, $L_n(x)$ is the interpolation polynomial for $x_0, x_1, \dots, x_n$, which is known as the Lagrange interpolation polynomial.

Corollary 2.
Lagrange interpolation polynomial is a special form of the Chinese Remainder Theorem.
Proof. Based on the definition of the Chinese Remainder Theorem [40], assuming that $m_1(x), m_2(x), \dots, m_n(x)$ are pairwise coprime polynomials and $a_1(x), a_2(x), \dots, a_n(x)$ are all polynomials of x, there will be a polynomial f(x): The . . , n) are constant and not equal to each other, and $m_i(x)$ (i = 1, 2, ..., n) are also pairwise coprime polynomials, so based on the Remainder Theorem, Corollary 2 can be expressed by stating that there will be a polynomial f(x): The , there will be a unique f(x) whose degree is less than n. This is the reason for the existence and uniqueness of the interpolation polynomial.
According to the proof of Corollary 2, there is a polynomial $M_i(x)$ (i = 1, 2, ..., n), and: can satisfy Equation (24), so the interpolation polynomial f(x) can be written as: It is clear from Equation (25) that f(x) is the famous Lagrange interpolation polynomial, which is also a special form of the Chinese Remainder Theorem.
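As an added example (not code from the paper), the Lagrange interpolation polynomial and its Chinese Remainder Theorem reading above, carried through with exact arithmetic: the basis polynomials $l_i(x)$, the interpolant $L_n(x)$ through n+1 points, and the check that $L_n(x)$ leaves remainder $f(x_i)$ when divided by $m_i(x) = x - x_i$. The prime modulus P is an assumption (a prime field keeps every coefficient exact, which a key derived from the coefficients needs); the sample polynomial and points are constructed.

```python
"""Lagrange interpolation over a prime field, with the CRT view (added example).

Polynomials are lists of coefficients, lowest degree first.
"""
P = 2**61 - 1  # assumed prime modulus (constructed choice, not from the paper)


def poly_add(a, b):
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def poly_scale(a, c):
    return [(x * c) % P for x in a]


def poly_eval(a, x):
    """Horner evaluation of a(x) mod P."""
    acc = 0
    for coeff in reversed(a):
        acc = (acc * x + coeff) % P
    return acc


def divmod_linear(a, c):
    """Synthetic division of a(x) by m(x) = (x - c): returns (quotient, remainder).
    By the Remainder Theorem the remainder equals a(c), i.e. a(x) mod m(x) = a(c)."""
    q = [0] * (len(a) - 1)
    carry = 0
    for k in range(len(a) - 1, 0, -1):
        carry = (a[k] + carry * c) % P
        q[k - 1] = carry
    rem = (a[0] + carry * c) % P
    return q, rem


def lagrange_basis(xs, i):
    """l_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j); l_i(x_i) = 1 and l_i(x_j) = 0."""
    num, denom = [1], 1
    for j, xj in enumerate(xs):
        if j != i:
            num = poly_mul(num, [(-xj) % P, 1])
            denom = denom * (xs[i] - xj) % P
    return poly_scale(num, pow(denom, -1, P))


def interpolate(points):
    """L_n(x) = sum_i f(x_i) l_i(x): the unique polynomial of degree at most n
    through n+1 points with distinct x_i."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("interpolation nodes must be distinct")
    L = [0]
    for i, (_, y) in enumerate(points):
        L = poly_add(L, poly_scale(lagrange_basis(xs, i), y))
    return L


def crt_residues(L, xs):
    """CRT view: L(x) mod (x - x_i) for every node, recovered by polynomial division."""
    return [divmod_linear(L, x)[1] for x in xs]
```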

Network Model
To facilitate the discussion, the network model of LCKMS-QPLIP is assumed as follows:
(1) It is assumed that the network is homogeneous and static, and each group member is identical in hardware and software configuration, where the network size is N and there are three types of nodes: base station, cluster head and common sensor node. The layer-cluster network structure of the WSN is shown in Figure 1.
(2) It is assumed that BS is equipped with sufficient hardware and software resources and has stored the basic information of all nodes in the network. In addition, BS can detect broken or captured nodes.
(3) The cluster head is responsible for collecting the data from its members and sending it to BS layer by layer. The clustering protocol LEACH [41] is chosen to initialize the network topology and select the cluster heads in this paper.
(4) The common sensor nodes are responsible for collecting the surrounding environment data and sending it to their neighbor nodes or cluster head. Common sensor nodes do not have enough storage space and energy to process data. Since the communication radius of common sensor nodes is limited, communication between nodes that are not within each other's communication radius needs to rely on relaying by their common neighbor nodes.
The explanation of the main symbols is shown in Table 1.

Table 1. Explanation of symbols.

Symbol              Explanation
                    session key between node a and node b
$K_{CH_i,BS}$       session key between cluster i and BS
$K_{i,CH_j}$        session key between node i and cluster head j
$K_j$               group key of cluster j
$K_{S_{ij},BS}$     personal key of node i
$K_N$               network key
$L(i)$              broadcast authentication information

Building Layer-Cluster Key
Based on the idea of LEAP protocol which relies on the master key to build the main four different keys (including individual key, session key, group key and cluster key), this paper will study and design a new wireless sensor network layer-cluster key management scheme according to the requirement of the WSN security communication process.
Unlike LEAP, which depends on a master key and suffers from the single-point failure problem, the new key management scheme named LCKMS-QPLIP is based on the mathematical characteristics of the quadratic polynomial and the Lagrange interpolation polynomial, and it includes five different keys (broadcast authentication key, session key, group key, network key and personal key). The most obvious features of this scheme compared with LEAP are the identity authentication and the independence of each key. The keys are described below in the order in which they are built in LCKMS-QPLIP.

Forward Broadcast Authentication Key Management
The establishment of broadcast authentication key is the most obvious difference between LCKMS-QPLIP and LEAP, which is the first step of key management and the first barrier of WSN security.
Broadcasting is the most important way of data transmission in wireless networks, including command transmission from BS, information exchange between neighbor nodes, network updating, and so on. Broadcast messages without security mechanisms are vulnerable to eavesdropping, tampering and forgery, which threatens a WSN heavily, so broadcast authentication is one of the most basic security services in wireless sensor networks.
The security guarantee provided by broadcast authentication for broadcast message is consistent with the process of general message authentication, including two aspects: one is to ensure the legitimacy of the message source, and the other is to ensure the integrity of the message. Based on the broadcast authentication protocol, the receiving nodes can filter out the tampered and forged broadcast messages and ensure that the data received by the user is true and valid.
To sum up, broadcast authentication is a process of key management, and for realizing secure broadcast communication management of a WSN, the first thing to do is to realize authentication between nodes.
The flow of the generation and management of the forward broadcast authentication key is as follows:
(1) Generation of the inner-cluster broadcast authentication key based on a Fourier series
The purpose of an authentication key is to authenticate the source and the integrity of the broadcast message. It is assumed that the authentication key is $K_i$ and that f(x) is a continuous and integrable function on the real interval [−π, π] which also satisfies the conditions of a Fourier series. In addition, it is assumed that each WSN node is preset with two functions at network initialization: a sharing function f(x) and a private function g(x). It should be noted that the private function g(x) of each node is different and each cluster shares a different sharing function f(x).
Based on [42] proposed by the first author, it is assumed that BS divides the network time into equal time slices D and allocates an independent key to each time slice, where the authentication key assigned to the i-th time slice is: Obviously, according to Equation (27), the key of each time slice is different, and a common node only needs to calculate the coefficients $a_{i+1}$ and $b_{i+1}$ and combine them with the former authentication key $K_i$ to work out the authentication key $K_{i+1}$ of the (i+1)-th time slice.
Then, BS generates the broadcast authentication information L(i) and broadcasts it: where $b_i = \frac{1}{\pi}\int_{-\pi}^{\pi} f(x)\sin ix\,dx$ and $a_i$, $b_i$ are the two Fourier series coefficients belonging to time slice i, $P_{i(t)}$ is the plaintext message at time i(t), $MAC = h(K_i, P_{i(t)}, i(t))$ guarantees the privacy of $K_i$, and i(t) is time t of the i-th time slice.
(2) Judging the timeliness of a packet
Based on the broadcast authentication information L(i), if the last message time is i(t + 1) and the current message time is i(t), it can be judged that the current authentication message L(i) is outdated, and it is necessary to check the local time of the node if outdated packets appear in succession. In this case, the receiving node will also misjudge and discard all later authentication messages if its local time is not adjusted in time.
Therefore, for this case, it is necessary to make periodic time synchronization and early warning judgment. In order to guarantee the key management process, this paper will use the time synchronization method proposed by the first author [43].
(3) Key authentication
After finishing the time synchronization operations, the local nodes need to perform entity authentication and message source authentication according to L(i).
For entity authentication, since each node has been preset with the function f(x), each local node can calculate the coefficients $a_i$, $b_i$ belonging to the current time slice i according to the Fourier series coefficient characteristics: which indicates that the message was sent by BS in the i-th time slice, and the entity identity authentication is finished; otherwise, the node applies to BS for verification.
For message source authentication, the authentication key is used to determine whether the plaintext message $P_{i(t)}$ has been tampered with, so the local node needs to calculate the authentication key $K_i$ belonging to the current time slice i: where $K_{i-1}$ is the authenticated key of the (i−1)-th time slice, and $a_i$, $b_i$ have been authenticated in Equation (29). In this way, only the current coefficients of the Fourier series need to be calculated and the calculation cost is very low.
If $h(K_i, P_{i(t)}, i(t)) = MAC$, then $K_i$ is authenticated and the message source is also authenticated.
For layer-cluster network, if assuming that each cluster head and its group nodes of the cluster form a broadcast area, and different clusters are preset different f (x), the forward authentication of each cluster can be realized according to the above key authentication process. Meanwhile, the identity authentication between cluster head and base station can be realized by the same authentication method.
After completing all the authentication work and making sure that the network nodes are all belonged to their own network, the next work is to realize the session security between the two neighbor nodes called session key management.
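To make the three steps above concrete, here is an added worked example (not code from the paper): BS derives per-slice keys from the Fourier coefficients of the shared f(x), and a receiving node checks timeliness, recomputes $a_i$, $b_i$ for entity authentication and verifies the MAC for message source authentication. Assumptions not on the page: the coefficients are computed by midpoint quadrature and rounded to six decimals so that both sides derive identical bytes, Equation (27) is modelled as $K_i = \mathrm{SHA256}(K_{i-1} \| a_i \| b_i)$, and h is HMAC-SHA256; f(x) and $K_0$ are constructed.

```python
"""Forward broadcast authentication with per-time-slice keys (added example)."""
import hashlib
import hmac
import math

SAMPLES = 4096  # quadrature resolution shared by BS and all nodes (assumption)


def shared_f(x):
    """Constructed sharing function f(x) preset in every node of one cluster."""
    return x * x - math.pi * abs(x) + 0.5 * math.sin(3 * x)


def fourier_coeffs(f, i):
    """(a_i, b_i) = (1/pi) * integral over [-pi, pi] of f(x)cos(ix) and f(x)sin(ix).
    Midpoint quadrature, rounded so every node derives byte-identical values."""
    h = 2 * math.pi / SAMPLES
    a = b = 0.0
    for k in range(SAMPLES):
        x = -math.pi + (k + 0.5) * h
        a += f(x) * math.cos(i * x) * h
        b += f(x) * math.sin(i * x) * h
    return round(a / math.pi, 6), round(b / math.pi, 6)


def next_key(k_prev, a, b):
    """Assumed form of Equation (27): K_i = H(K_{i-1} || a_i || b_i)."""
    return hashlib.sha256(k_prev + f"{a:.6f}|{b:.6f}".encode()).digest()


def mac(k, plaintext, i, t):
    """MAC = h(K_i, P_i(t), i(t)), instantiated here as HMAC-SHA256."""
    return hmac.new(k, f"{i}|{t}|".encode() + plaintext, hashlib.sha256).digest()


class BaseStation:
    def __init__(self, k0):
        self.keys = [k0]  # K_0, preset at network initialization (constructed)

    def key(self, i):
        while len(self.keys) <= i:
            j = len(self.keys)
            self.keys.append(next_key(self.keys[-1], *fourier_coeffs(shared_f, j)))
        return self.keys[i]

    def broadcast(self, i, t, plaintext):
        """Build L(i): slice index i, time t inside the slice, a_i, b_i, P and MAC."""
        a, b = fourier_coeffs(shared_f, i)
        return {"i": i, "t": t, "a": a, "b": b, "P": plaintext,
                "MAC": mac(self.key(i), plaintext, i, t)}


class Node:
    def __init__(self, k0):
        self.k = k0        # key of the last authenticated slice (K_{i-1})
        self.slice = 0     # last authenticated time slice
        self.last_t = -1   # last message time seen inside that slice

    def receive(self, pkt):
        """Return the plaintext if L(i) is timely and authentic, otherwise None."""
        i, t = pkt["i"], pkt["t"]
        # (2) timeliness: a packet not newer than the last accepted one is outdated
        if (i, t) <= (self.slice, self.last_t):
            return None
        # (3) entity authentication: recompute a_i, b_i from the preset f(x)
        if (pkt["a"], pkt["b"]) != fourier_coeffs(shared_f, i):
            return None
        # (3) message source authentication: derive K_i from K_{i-1}, check the MAC
        k = self.k
        for j in range(self.slice + 1, i + 1):
            k = next_key(k, *fourier_coeffs(shared_f, j))
        if not hmac.compare_digest(pkt["MAC"], mac(k, pkt["P"], i, t)):
            return None
        self.k, self.slice, self.last_t = k, i, t
        return pkt["P"]
```

A node that has missed whole slices still catches up, because it re-derives the skipped keys from the coefficients of the slices in between before checking the MAC.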

Session Key Management Scheme Based on a Quadratic Polynomial
Session keys are keys shared between neighbor nodes, which are used for the secure exchange of information between nodes. At present, E-G, q-composite and other popular WSN session key management schemes are flexible and simple, but the problems of these schemes are that the shared keys between neighbor nodes are not unique and the network connectivity is low, so that attackers can easily obtain key information and launch various malicious attacks.
Therefore, based on the advantages of the existing symmetric polynomial key pre-distribution schemes in anti-capture and connectivity, this paper proposes a WSN session key management scheme based on multiple asymmetric quadratic polynomials, which is built to solve the problems of session key independence and network connectivity.
The generation and management processes of the session key based on quadratic polynomials are as follows:
(1) Initialization
Assume that BS generates a quadratic polynomial key pool (i.e., a private function pool for g(x)) during network initialization and records the identifier $ID_i$ of each common node of the network and the identifier $(ID_i \| \omega_i)$ of the quadratic polynomial assigned to the common node each time. Each common node stores an independent quadratic polynomial $g_{\omega_i}(x_1, x_2, \dots, x_n) = X^T A X$.
(2) Building session key
Since the deployment area of the network is not secure, a secure link must be established between neighbor nodes to protect their communication. The establishment process of the secure link is as follows:
• Getting neighbor list
Firstly, after the initialization and authentication of the layer-cluster network, the common nodes in each cluster begin to broadcast their own ID and at the same time receive the ID information of each neighbor node, and then establish their own neighbor list $ID_j \| ID_k \| \dots \| ID_m$.
Secondly, according to the previous authentication work, if $K_i$ has been authenticated in time slice i, the authentication key $K_i$ of time slice i is used to encrypt the neighbor list information $E_{K_i}(ID_i \| ID_j \| ID_k \| \dots \| ID_m)$, where $ID_i$ is the identifier of the sending node i and $ID_j$ is the identifier of the current cluster head node j.
Each cluster head will receive the encrypted list information $E_{K_i}(ID_i \| ID_j \| ID_k \| \dots \| ID_m)$. If the current time is still within time slice i, the cluster head $CH_j$ will directly send $E_{K_i}(ID_i \| ID_j \| ID_k \| \dots \| ID_m)$ to the upper layer. If the time has jumped to the next time slice i + 1, it first uses $K_i$ to decrypt the list and then uses the authentication key $K_{i+1}$ of time slice i + 1 to re-encrypt the neighbor list information as $E_{K_{i+1}}(ID_i \| ID_j \| ID_k \| \dots \| ID_m)$. Last, BS receives the neighbor list after several such steps and decrypts it with the authentication key $K_{i+k}$ of time slice i + k. If decryption fails, BS will judge whether the time is out of step or there is a malicious intrusion.

• Building broadcast key information
Assuming that a is a common sensor node of cluster j, node a calculates the matrix A of its private quadratic function g_{w_a}(x_1, x_2, ..., x_n) according to Definition 2. Based on Definition 3, it solves the eigenvalues λ_1, λ_2, ..., λ_n of matrix A, arranged in order from small to large, and the eigenvectors {ξ_1, ξ_2, ..., ξ_n}, and forms the matrix D = [ξ_1, ξ_2, ..., ξ_n]. Then, according to Theorem 3, it solves the unit orthogonal matrix B and the diagonal matrix C, where the diagonal values are arranged in the order of the eigenvalues from small to large. Last, it broadcasts the key information E_{K_{i+l}}(f_{w_a}(x_1, x_2, ..., x_n) || h(B) || h(C) || ID_a) to all neighbor nodes, where K_{i+l} is the authentication key of time slice i + l.

• Information judgement
If the neighbor common node m has received the key information E_{K_{i+l}}(f_{w_a}(x_1, x_2, ..., x_n) || h(B) || h(C) || ID_a) broadcast by node a, it uses the authentication key K_{i+l} to decrypt the message, calculates the matrix A according to f_{w_a}(x_1, x_2, ..., x_n), and then solves the new eigenvalues λ_1', λ_2', ..., λ_n' and eigenvectors {ξ_1', ξ_2', ..., ξ_n'} based on Definition 3.
The order of the new eigenvalues may be inconsistent with that of the source node a, or the information may have been tampered with by an attacker, either of which affects the correctness of the new eigenvectors. Besides, the order of the eigenvectors belonging to the same eigenvalue also affects the correctness of the results. Therefore, in order to judge the correctness of the received information f_{w_a}(x_1, x_2, ..., x_n), the eigenvalues λ_1', λ_2', ..., λ_n' solved by node m must also be arranged in order from small to large to form the diagonal matrix C'.
If C' = C, the consistency of the eigenvalues is ensured. Besides, node m solves the unit orthogonal matrix B'; if B' = B, the order of multiple eigenvalues is consistent.
With these two conditions, the consistency of the information before and after transmission can be judged. Therefore, whether the information f_{w_a}(x_1, x_2, ..., x_n) has been tampered with or not can be judged by the following equations: The information judgment process is also equivalent to an identity authentication of node a (as shown in Figure 2).
Based on the above works, it is time to build the secure session key between node a and node m:

• Building session key
Similarly, node m broadcasts its own key information E_{K_{i+l}}(f_{w_m}(x_1, x_2, ..., x_n) || h(F) || h(G) || ID_m), and node a decrypts the key information and judges the identity of node m. After completing the above task, the session key between the two neighbor nodes can be built. In addition, the key information each node received from the other should be deleted to avoid information disclosure.
Assume that the session key between node m and node a is K_ma = h(GC') and the session key between node a and node m is K_am = h(CG'). If the works of information analysis and identity judgment have been completed based on step b and step c, then C' = C and G' = G. Because matrix C and matrix G are the standardized diagonal matrices after orthogonalization, and multiplication between diagonal matrices is commutative, CG = GC. Therefore, K_am = h(CG') = h(CG) = h(GC) = h(GC') = K_ma, as shown in Equation (33): a unique session key between node a and node m has been built, which guarantees the independence of the session key for each pair of neighbor nodes because different nodes hold different private quadratic polynomials.
Considering the independence of the session key, in order to enhance the efficiency of network security management and the privacy of communication, it should be noted that the identity authentication key will not be used in the following steps except for key updating.
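The session-key exchange above, as an added example that is not code from the paper: node a reduces its private quadratic form to the symmetric matrix A, diagonalises it, sorts the eigenvalues into the diagonal matrix C and broadcasts h(C); a neighbour recomputes C' from the received polynomial and accepts only if h(C') = h(C); finally both ends derive K = h(CG), which agrees because diagonal matrices commute. Assumptions: the coefficient dictionaries are constructed sample data, h(·) is SHA-256 over a canonical encoding (the paper does not name the hash), Jacobi rotations stand in for the diagonalisation of Theorem 3, and only h(C) is checked (the paper also transmits h(B) to pin down the eigenvector order for repeated eigenvalues, which is omitted here). All function names are mine.

```python
"""Session key from a private quadratic form: broadcast check and key derivation.

Added illustration of the session-key steps; not code from the paper.
"""
import hashlib
import math


def quadratic_to_matrix(coeffs, n):
    """Symmetric matrix A with X^T A X = sum of coeffs[(i, j)] * x_i * x_j (i <= j).

    Cross terms are split evenly between A[i][j] and A[j][i] so that A is
    symmetric, which is what makes it orthogonally diagonalisable.
    """
    A = [[0.0] * n for _ in range(n)]
    for (i, j), c in coeffs.items():
        if i == j:
            A[i][i] += c
        else:
            A[i][j] += c / 2.0
            A[j][i] += c / 2.0
    return A


def jacobi_eigenvalues(A, tol=1e-12, max_sweeps=100):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations.

    Each rotation zeroes one off-diagonal pair; the accumulated rotations are
    the orthogonal matrix B of Theorem 3 and the remaining diagonal is C.
    """
    n = len(A)
    A = [row[:] for row in A]
    for _ in range(max_sweeps):
        off = sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off < tol:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if A[p][q] == 0.0:
                    continue
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):  # A <- A J
                    akp, akq = A[k][p], A[k][q]
                    A[k][p] = c * akp - s * akq
                    A[k][q] = s * akp + c * akq
                for k in range(n):  # A <- J^T A
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k] = c * apk - s * aqk
                    A[q][k] = s * apk + c * aqk
    return [A[i][i] for i in range(n)]


def diagonal_key_matrix(A, ndigits=6):
    """C: eigenvalues sorted ascending and rounded so that both ends hash identically."""
    return tuple(round(v, ndigits) + 0.0 for v in sorted(jacobi_eigenvalues(A)))


def h(value):
    """The scheme's h(.); SHA-256 over a repr() encoding is an assumption."""
    return hashlib.sha256(repr(value).encode()).hexdigest()


def check_broadcast(received_coeffs, n, h_C_claimed):
    """Neighbour side: rebuild C' from the received polynomial and test h(C') == h(C)."""
    C_prime = diagonal_key_matrix(quadratic_to_matrix(received_coeffs, n))
    return h(C_prime) == h_C_claimed


def session_key(C_own, G_peer):
    """K = h(C G): for diagonal C and G the product is elementwise, hence C G = G C."""
    return h(tuple(c * g for c, g in zip(C_own, G_peer)))


# Constructed private quadratic forms for node a and node m (three variables).
G_A = {(0, 0): 4, (1, 1): 2, (2, 2): 3, (0, 1): 2, (1, 2): -2}
G_M = {(0, 0): 1, (1, 1): 5, (2, 2): 2, (0, 2): 4}
N_VARS = 3


def demo():
    """Returns (honest broadcast accepted, tampered broadcast rejected, K_am == K_ma)."""
    C = diagonal_key_matrix(quadratic_to_matrix(G_A, N_VARS))  # node a's C
    G = diagonal_key_matrix(quadratic_to_matrix(G_M, N_VARS))  # node m's G
    accepted = check_broadcast(G_A, N_VARS, h(C))
    tampered = {**G_A, (0, 1): 3}  # one coefficient altered in transit
    rejected = not check_broadcast(tampered, N_VARS, h(C))
    return accepted, rejected, session_key(C, G) == session_key(G, C)


if __name__ == "__main__":
    print(demo())
```

Rounding the eigenvalues before hashing is what makes h(C') reproducible on the receiving node; a hash over raw floating-point values would fail the check on the slightest numerical difference, which is an implementation detail the scheme leaves to the deployer.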

Group Key Management Scheme Based on Lagrange Interpolation Polynomial
Session keys solve the problem of secure sessions between neighbor nodes, while the common communication pattern of the layer-cluster WSN is broadcasting within clusters. Therefore, in order to realize secure broadcasting of shared information among the nodes in a cluster, a group key must be set up on the basis of the session key; since the cluster is the most natural communication group, the main purpose of this part is to study and build a WSN group key management scheme at the scale of a cluster.
Group keys are the keys shared by the nodes in the same cluster, and the group keys used for encryption and decryption can only be known by the cluster members, which means that only the group members can read the encrypted message. The key point of using group keys is to solve the security problem of key generation and distribution.
At present, the popular group key management schemes, such as LKH and EBS, have clear structures, are easy to manage, and support the deletion of multiple members at once. However, these schemes have an obvious problem: the generation or acquisition of the group key requires the participation of all nodes or associated nodes in the group, which is called the single point failure.
In addition, all associated nodes need to be deleted when the group key is attacked, which heavily influences the network structure.
Therefore, the purpose of this part is to build a group key management scheme based on the above two works, identity authentication and the session key scheme. Based on the special form of the Lagrange interpolation polynomial from the Chinese Remainder Theorem [40], the main idea of this scheme is that the group key can be generated without the direct participation of cluster members, which avoids the key problem of single point failure included in the above schemes and in [44], proposed by the first author.
The specific steps for establishing the group key based on Lagrange interpolation polynomials are as follows. Assume that the group key of cluster j is K_{CH_j}, where the cluster head is CH_j and the cluster size is n.
(1) Sending the key information. Firstly, each group member of cluster j randomly generates its own key information, named m(1), m(2), ..., m(n), where m(i) is the key information of group member i.
Secondly, each group member independently encrypts its own key information with the session key generated between the group member and the cluster head in the session key scheme. For instance, group member i encrypts the key information m(i) with its session key K_{i,CH_j}, recorded as E_{K_{i,CH_j}}(m(i)).
After that, group member i sends E_{K_{i,CH_j}}(m(i)) to the cluster head CH_j.
Thirdly, the cluster head CH_j decrypts the key information m(1), m(2), ..., m(n) respectively and uses the upper layer session key (K_{CH_j,CH_k} or K_{CH_j,BS}, generated between the cluster head CH_j and the upper layer cluster head or BS) to re-encrypt all the key information m(1), m(2), ..., m(n). After that, CH_j sends the re-encrypted key information E_{K_{CH_j,CH_k}}(m(1), m(2), ..., m(n)) to the upper layer.
(2) Generating the Lagrange interpolation polynomial. Firstly, BS builds the Lagrange interpolation polynomial y(x) = a_1 M_1(x) + a_2 M_2(x) + ... + a_n M_n(x) = Σ_{j=1}^{n} a_j M_j(x), where the M_i(x), i = 1, 2, ..., n, are formed from the constants b_i (i = 1, 2, ..., n), which are not equal to each other.
Secondly, BS sets b_i = m(i) and regenerates y(x) based on m(1), m(2), ..., m(n). Thirdly, BS generates the group key K_{CH_j} randomly and resets a new composite function y'(x). Last, BS re-encrypts y'(x) with the related session key K_{CH_j,BS} and sends it to the related cluster head CH_j.
(3) Getting the group key. Firstly, CH_j decrypts E_{K_{CH_j,CH_k}}(y'(x)) obtained in the last step.
Secondly, CH_j sends the encrypted information E_{K_{i,CH_j}}(y'(x)), i = 1, ..., n, to each group member.
Thirdly, node i decrypts E_{K_{i,CH_j}}(y'(x)) with K_{i,CH_j} and gets y'(x). Since y(x) = Σ_{j=1}^{n} a_j M_j(x), setting x = m(i) gives y(m(i)) = a_i. Similarly, y'(m(i)) = a_i K_{CH_j}. If a_i = 1, y'(m(i)) = K_{CH_j}, which means that each group member can get the group key K_{CH_j} by substituting its own key information m(i) into y'(x). By now, the task of getting the group key is completed. This shows that the group key is generated without the direct participation of cluster members, which solves the single point failure problem displayed by LKH and EBS.

Network Key Management Scheme
According to the above works, the authentication key, session key and group key have been established. Without considering the efficiency of network management, these three types of keys can basically guarantee the security of the layer-cluster network: firstly, BS sends the information encrypted by the private session key to the neighbor cluster heads; secondly, the first layer cluster heads re-encrypt the information and send it to the next layer cluster heads, so that all the cluster heads get the information level by level; last, each cluster head uses its own group key to broadcast the information to its group members. The problem of the above scheme is that multiple independent encryptions and decryptions and multi-level transmission are needed, which causes too much computing and time cost.
According to the work of the group key, if BS and all cluster heads are regarded as members of one group, the base station can broadcast messages encrypted by a group key to the nearby cluster heads at once. If the power of the BS is large enough, all cluster heads will receive the broadcast information, and then all cluster members can receive the information encrypted by the group key belonging to their respective clusters.
Since this key is responsible for the broadcast information of the whole network, it is called the network key K_N.
In this paper, the network key K_N is defined as the communication key shared by the base station and all cluster head nodes, and the generation and management of the network key is similar to that of the group key: (1) Each cluster head randomly generates its own key information, named m(1), m(2), ..., m(r), and these cluster heads send the key information encrypted by session keys to BS layer by layer.
(3) Conversely, BS sends y(x) encrypted by session key to each cluster head layer by layer, and all cluster heads can obtain the network key K_N independently based on their own key information m(i).
By now, BS can make a secure whole-network broadcast through the cooperation of K_N and the established group keys.

Personal Key Management Scheme
The above four types of keys not only satisfy the privacy of information transmission but also ensure the efficiency of network broadcasts. All neighbor nodes communicate with each other directly (including cluster head with cluster head, and cluster head with BS), and the key information is encrypted or decrypted only once between them. There is, however, a special situation: communication between BS and the cluster members must be resolved and forwarded indirectly by cluster heads. This does not matter for broadcast information resolved and forwarded by cluster heads. But if it is private information known only to BS and some cluster member, there is a security problem because of the decryption by the intermediate cluster heads.
The requirement for a personal key usually applies to networks with a high security level and strong privacy. Therefore, in order to make the key management scheme of the layer-cluster network more comprehensive and useful, the fifth key is defined as the personal key shared by a common node and BS. The generation and management of personal keys is similar to that of group keys.
Assume that K_{S_ij,BS} is the personal key of BS and one common node S_i, where S_i is one of the members of cluster j and CH_j is the cluster head. The generation process of K_{S_ij,BS} is as follows:
(1) Generating the Lagrange interpolation polynomial y(x). Firstly, the same as for the group key, BS obtains the key information m(1), m(2), ..., m(n) generated randomly by the group members of cluster j.
Secondly, BS generates the Lagrange interpolation polynomial y(x) according to Corollary 2: y(x) = a_1 M_1(x) + a_2 M_2(x) + ... + a_n M_n(x) = Σ_{j=1}^{n} a_j M_j(x), where M_i(x) is as defined in Corollary 2.
(2) Generating the key function y'(x). Firstly, compared with the group key, the coefficients of y'(x) are defined as a_i = K_{S_ij,BS}, i = 1, 2, ..., n. Secondly, BS sends the encrypted information E_{K_{CH_l,BS}}(y'(x)) to cluster head CH_l, where K_{CH_l,BS} is the session key between CH_l and BS. With the same method, CH_l sends the encrypted y'(x) toward the destination cluster head CH_j layer by layer, and CH_j finally obtains the encrypted information E_{K_{CH_j,CH_k}}(y'(x)). Thirdly, according to the agreement built by the group key scheme, each cluster head has deleted the random key information m(1), m(2), ..., m(n) after completing the upward delivery. Therefore, no cluster head can get any useful information from y'(x) via m(1), m(2), ..., m(n) during the downward transmission of y'(x).
(3) Obtaining the personal key. Firstly, based on the above step, CH_j has obtained y'(x) and then sends E_{K_{CH_j}}(y'(x)) to its cluster members, where K_{CH_j} is the group key of cluster j.
Secondly, each cluster member can decrypt y'(x) with K_{CH_j}. If x = m(i), then M_i(m(i)) = 1 and M_i(m(j)) = 0 for i ≠ j, and further y'(m(i)) = a_i = K_{S_ij,BS}. This shows that each cluster member node can obtain its own personal key from its own random key information m(i), which ensures the specificity and security of the personal key.
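The Lagrange interpolation mechanism used by the group key (step (3) of the group key scheme), the network key and the personal key (step (3) above), as one added example that is not code from the paper: BS interpolates y'(x) through the members' random key information m(i) so that y'(m(i)) = a_i, and each member recovers its coefficient by a single evaluation. Assumptions: arithmetic is done modulo the prime P (the paper does not name a field), the shares m(i) and the keys are small constructed integers, M_i(x) is the standard Lagrange basis the paper's M_i(m(i)) = 1, M_i(m(j)) = 0 property describes, and the function names are mine. The example also covers the personal key updating step, where fresh shares replace old ones.

```python
"""Group, network and personal key delivery by Lagrange interpolation.

Added illustration of the group-key and personal-key steps; not code from the paper.
"""

P = 2 ** 127 - 1   # prime modulus (assumption); sized so keys fit comfortably


def lagrange_coefficients(points):
    """Coefficients (constant term first) of the unique y(x) of degree < n with y(x_i) = a_i mod P.

    points: list of (x_i, a_i) with pairwise distinct x_i. Each basis polynomial
    M_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j) is expanded and added with weight a_i.
    """
    n = len(points)
    coeffs = [0] * n
    for i, (xi, ai) in enumerate(points):
        basis = [1]   # the polynomial 1, multiplied below by each (x - x_j)
        denom = 1     # prod_{j != i} (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            nxt = [0] * (len(basis) + 1)
            for k, c in enumerate(basis):
                nxt[k] = (nxt[k] - c * xj) % P      # c * x^k * (-x_j)
                nxt[k + 1] = (nxt[k + 1] + c) % P   # c * x^k * x
            basis = nxt
            denom = denom * (xi - xj) % P
        scale = ai * pow(denom, P - 2, P) % P       # a_i / denom via Fermat inverse
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + c * scale) % P
    return coeffs


def evaluate(coeffs, x):
    """Horner evaluation of y(x) mod P, the operation a member performs at x = m(i)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def group_key_polynomial(shares, group_key):
    """BS side: every coefficient a_i = K_CHj (or K_N over the cluster heads' shares)."""
    return lagrange_coefficients([(m, group_key) for m in shares])


def personal_key_polynomial(shares, personal_keys):
    """BS side: a_i = K_{S_ij,BS}, one distinct key per member share m(i)."""
    return lagrange_coefficients(list(zip(shares, personal_keys)))


def demo():
    """Returns (group key recovered, personal keys recovered, keys isolated, rotation effective)."""
    shares = [11, 22, 33, 44]                  # constructed m(1..4) of cluster j
    k_group = 123456789                        # constructed K_CHj
    y_group = group_key_polynomial(shares, k_group)
    group_ok = all(evaluate(y_group, m) == k_group for m in shares)

    personal = [101, 202, 303, 404]            # constructed K_{S_ij,BS}, one per member
    y_pers = personal_key_polynomial(shares, personal)
    personal_ok = [evaluate(y_pers, m) for m in shares] == personal
    # a member's own share never evaluates to another member's personal key
    isolated = all(evaluate(y_pers, shares[i]) != personal[j]
                   for i in range(4) for j in range(4) if i != j)

    # personal key updating: fresh m(i)_new and fresh keys; the old shares yield none of them
    new_shares, new_keys = [5, 6, 7, 8], [901, 902, 903, 904]
    y_new = personal_key_polynomial(new_shares, new_keys)
    rotated = ([evaluate(y_new, m) for m in new_shares] == new_keys
               and not any(evaluate(y_new, m) in new_keys for m in shares))
    return group_ok, personal_ok, isolated, rotated


if __name__ == "__main__":
    print(demo())
```

One consequence worth seeing from the construction: when every a_i is the same value K, the interpolant is the constant polynomial y'(x) = K, so in the group-key and network-key cases the coefficients of y'(x) carry K directly, and the confidentiality of K in transit rests on the session-key encryption of y'(x) rather than on the members' shares. The shares m(i) do the hiding only in the personal-key case, where the a_i differ and a party without any m(i) sees only the polynomial's coefficients.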
The personal key K_{S_ij,BS} can guarantee private communication between BS and any common cluster node S_ij.
Firstly, BS encrypts the private information with the session key K_{CH_l,BS} generated with the neighbor cluster head CH_l: Secondly, each cluster head on the routing link obtains the target cluster head address ID_j from the upper cluster head and forwards the private information to the next neighbor cluster head based on the neighbor list and routing table, until the target cluster head CH_j obtains the private information and verifies its identity by hash(ID_j).
Thirdly, CH_j obtains the final target node address ID_i with the group key K_{CH_j} of cluster j, verifies its identity by hash(ID_i), and then re-sends the information encrypted by the session key K_{i,CH_j}: Last, S_i obtains the plaintext information P(x) by two decryptions, with the session key K_{i,CH_j} and the personal key K_{S_ij,BS}, and then verifies the correctness of P(x) by hash(P(x)).
Therefore, only BS and S_ij can get the plaintext information P(x) in the whole private communication process.
The main function of the personal key is to guarantee the privacy of communications between each common node and BS. Based on such one-to-one private communication, BS can also verify the identity of each node, which is called reverse authentication in this paper.
Assume that the layer-cluster network needs to make a reverse authentication periodically to ensure the identity of each node; the authentication steps are as follows. Firstly, based on the main idea of the broadcast authentication scheme, each node uses its own private function g(x) and personal key to generate the reverse authentication information L(i), where g(x) is a continuous and integrable function on the real interval [−π, π] that satisfies the conditions of the Fourier series: where K_{i,CH_j} is the session key between S_i and CH_j, K_{S_ij,BS} is the personal key between S_i and BS, K_j = a_0/2 + Σ_{k=1}^{j} (a_k cos kx + b_k sin kx) is the authentication key allocated in the j-th time slice, a_j = (1/π) ∫_{−π}^{π} g(x) cos jx dx and b_j = (1/π) ∫_{−π}^{π} g(x) sin jx dx are the two Fourier coefficients of time slice j, P_{j(t)} is the plaintext information at time j(t), h(E_{K_j}(P_{j(t)}), j(t)) guarantees that K_j is unpublished, and j(t) is the time t of time slice j.
Secondly, S_i sends L(i); CH_j decrypts L(i) with K_{i,CH_j} and obtains ID_BS, which shows that L(i) is information for BS. After that, CH_j re-encrypts the information L(i) and sends it to the upper cluster head CH_l, where: If CH_l and BS are assumed to be neighbors, then: Therefore, BS can decrypt L(i) with K_{CH_l,BS} and learn that it is an authentication message sent with the personal key.
Thirdly, for reverse authentication, entity authentication is performed first. Unlike the forward authentication scheme, BS knows the private function g(x) of each node and calculates the Fourier coefficients a_j and b_j of the current time slice j of S_i according to the characteristics of Fourier coefficients.
If the received h(a_j) and h(b_j) match the values BS computes, it is indicated that the message was sent by node S_i at time slice j and the entity identity authentication is completed. Otherwise, the sending node's identity has a problem.
Last, for source authentication, it must be judged through the authentication key whether the plaintext message P_{j(t)} has been tampered with. BS calculates the authentication key K_j of time slice j: and if the received h(E_{K_j}(P_{j(t)}), j(t)) matches the value BS computes with its own K_j, it is indicated that the message sent by S_i has not been tampered with and the reverse authentication key K_j generated by node S_i is correct. By now, the identity authentication work, including forward authentication and reverse authentication, is finished.
To sum up, the layer-cluster key management scheme proposed in this paper guarantees the identity of network nodes through forward authentication and reverse authentication; the session key, group key and network key guarantee the security and efficiency of the network; and the personal key guarantees the privacy of the network. These five keys complement each other, which not only ensures the independence of key management and avoids the problem of single point failure, but also enables the WSN to perform efficient key management in a reasonable network structure.
The generation principles and association of these five keys are shown in Figure 3.

Updating f (x)
f(x) is the sharing function preset for each node during network initialization. For security, f(x) needs to be updated periodically.
(1) BS generates the updating information R_f(m).
To facilitate the discussion, assume that BS and cluster head CH_j are neighbors and R_f(m) is encrypted by their session key K_{BS,CH_j}. After that, CH_j decrypts R_f(m), obtains f(x)_new and the time slice m(t), and verifies the integrity of f(x)_new and the timeliness of m(t) by hash function.
(2) After verifying, CH_j re-encrypts the updating information R_f(m) with the group key K_{CH_j}.
Through broadcasting, every cluster member receives R_f(m), obtains f(x)_new and the time slice m(t) with K_{CH_j}, and can also verify the integrity of f(x)_new and the timeliness of m(t) by hash function.
After the verification, each cluster member stores the new sharing function f(x)_new and deletes the old sharing function f(x). By the same method, all the network nodes can complete the updating of f(x).

Updating g(x)
g(x) is the private quadratic polynomial function preset for each node during network initialization, and the private function belonging to each node is different. According to the above schemes, g(x) is the key factor for session key generation and reverse authentication. So, updating g(x) periodically is important for secure network management.
Updating g(x) can be realized through the coordination and cooperation of BS and the personal key.
(1) Assume that BS generates the updating information R_g(n), and g(x)_new is the private function for updating: For simplicity of the discussion, also assume that BS and cluster head CH_j are neighbors and R_g(n) is encrypted by their session key K_{BS,CH_j}. CH_j can decrypt R_g(n) and judge that R_g(n) is private information sent by BS at time slice n(t). After that, CH_j re-encrypts the updating information R_g(n) with K_{CH_j,S_ij}: (2) S_ij decrypts R_g(n) with K_{CH_j,S_ij} and judges that R_g(n) is private information for itself by verifying ID_{S_ij} and n(t). After that, S_ij continues to decrypt g(x)_new with the personal key K_{S_ij,BS} and verifies the integrity of g(x)_new and the timeliness of n(t) by hash function.
In this way, each cluster member node obtains its new private function g(x)_new and deletes the old one, g(x).

Session Key Updating
As mentioned above, after the updating of g(x), each node has obtained its new private function g(x)_new. According to the session key scheme, each pair of neighbor nodes can regenerate a new session key; the difference from before is that the key information is encrypted by the group key.
Assume that the neighbor nodes a and m of cluster j are building a new session key; the steps are as follows: (1) Node a resolves the new private quadratic function g_{w_a}(x_1, x_2, ..., x_n)_new and gets the quadratic matrix A_new. In addition, based on Theorem 3, it solves the new unit orthogonal matrix B_new, diagonal matrix C_new and eigenvector matrix D_new, where the diagonal values are arranged in the order of the eigenvalues from small to large. (2) Node a broadcasts the key information encrypted by the group key K_{CH_j} to all neighbor nodes: (3) Information judgement. Node m resolves the key information with K_{CH_j} and gets f_{w_a}(x_1, x_2, ..., x_n)_new. Based on Theorem 3, it solves the unit orthogonal matrix B_new and diagonal matrix C_new. If: it is indicated in Equation (54) that the key information has not been tampered with and the identity of node a is also authenticated.
(4) Building the new session key. Node m also broadcasts its key information encrypted by the group key K_{CH_j} to all neighbor nodes.
Node a resolves the key information from m with K_{CH_j} and judges its identity. Therefore, the new session key K_{ma,new} between m and a is defined.

Group Key Updating
Updating of the group key is still based on the idea of the Lagrange interpolation polynomial. The difference in the new key generation is that the random key information m(1), m(2), ..., m(n) is encrypted by the personal key of each member, which guarantees that the intermediate transfer nodes or cluster nodes cannot decrypt the key information and also guarantees the security of the subsequent new group key, network key and personal key.
The main updating ideas are as follows: (1) Assume that m(i)_new is the new key information generated by node a of cluster j; then a encrypts m(i)_new with its own personal key and the session key and sends it to the cluster head CH_j, the encrypted information being written as E_{K_{S_ij,CH_j}}(E_{K_{S_ij,BS}}(m(i)_new)).
(2) CH_j decrypts E_{K_{S_ij,CH_j}}(E_{K_{S_ij,BS}}(m(i)_new)) with K_{S_ij,CH_j} and finds that it is private information sent to BS. To save computing resources, CH_j waits for the key information of all the cluster members and sends it to BS together (supposing CH_j is adjacent to BS here), the encrypted information being written as: (3) BS receives and decrypts the information m(1)_new, m(2)_new, ..., m(n)_new from CH_j with the session key K_{BS,CH_j} and the personal keys of the members of cluster j.
(4) Generating the new group key, based on the group key scheme, with the following steps: Step 1: BS generates a new Lagrange interpolation polynomial y(x)_new = Σ_{j=1}^{n} a_j M_j(x), where K_{CH_j,new} is the new group key; Step 2: BS encrypts y(x)_new, written as E_{K_{BS,CH_j}}(y(x)_new), and sends it to CH_j; Step 3: CH_j decrypts y(x)_new and re-encrypts it with the old group key, written as E_{K_{CH_j}}(y(x)_new); Step 4: every cluster member receives the broadcast information from CH_j and gets y(x)_new with K_{CH_j}; Step 5: every cluster member obtains the new group key K_{CH_j,new} by substituting m(i)_new into y(x)_new; Step 6: all members delete the old group key K_{CH_j} and enable the new group key K_{CH_j,new}.
There are two obvious advantages of the group key updating scheme: (1) m(i)_new is encrypted by the personal key, so the intermediate transfer nodes or cluster nodes cannot obtain m(i)_new. (2) y(x)_new is encrypted by the old group key K_{CH_j} when it is broadcast by the cluster head, so the cluster members receive the broadcast information in a single transmission, which saves considerable computing resources.
In addition, m(i)_new guarantees the security of the subsequent new network key and personal key.

Network Key Updating
The updating scheme of the network key is similar to the building scheme of the network key, and the specific steps are as follows: (1) Assume that the key information m(1)_new, m(2)_new, ..., m(r)_new is generated respectively by the r cluster heads and the transmitted information is encrypted by session key. In addition, for ease of discussion, suppose that CH_j is adjacent to BS and the encrypted information is written as: (2) BS receives and decrypts the information m(1)_new, m(2)_new, ..., m(r)_new from all r cluster heads and generates a new Lagrange interpolation polynomial function y(x)_new: where K_{N,new} is the new updated network key. (3) BS sends y(x)_new to each cluster head. The difference from the former building scheme of the network key is that y(x)_new is neither encrypted by session key nor transmitted layer by layer; it is encrypted as E_{K_N}(y(x)_new) by the old network key K_N and broadcast only once. (4) Each cluster head obtains y(x)_new with K_N after receiving E_{K_N}(y(x)_new) and then obtains the new network key K_{N,new} by substituting m(i)_new into y(x)_new; the old network key K_N is deleted when K_{N,new} is enabled.
To sum up, y(x)_new is encrypted by the old network key K_N when it is broadcast to all cluster heads, so all cluster heads receive the broadcast information in a single transmission, which saves considerable computing resources.

Personal Key Updating
From the above updating schemes, the personal key is the key factor guaranteeing the security of the other keys' updating. So, it is very important to update the personal key.
The personal key updating scheme is similar to the building scheme of the personal key, and the specific steps are as follows: (1) According to the group key updating scheme, BS has obtained the random key information m(1)_new, m(2)_new, ..., m(n)_new of cluster j, which CH_j cannot decrypt. So, BS generates a new Lagrange interpolation polynomial y(x)_new in the same way as in the former personal key procedure: where M_i(x) = (2) BS sends the encrypted information E_{K_{CH_j,BS}}(y(x)_new) to CH_j (supposing CH_j is adjacent to BS), where K_{CH_j,BS} is the session key. Then CH_j decrypts and gets y(x)_new, but cannot get any useful information from y(x)_new because it lacks m(1)_new, m(2)_new, ..., m(n)_new.
(3) CH_j sends the encrypted information E_{K_{CH_j,new}}(y(x)_new) to each cluster member of cluster j, where K_{CH_j,new} is the new updated group key.
(4) Obtaining the new personal key. S_ij receives and obtains y(x)_new with K_{CH_j,new}. Setting x = m(i)_new and substituting m(i)_new into y(x)_new gives y(m(i))_new = a_i = K_{S_ij,BS,new}, and the old personal key K_{S_ij,BS} is deleted when K_{S_ij,BS,new} is enabled.
To sum up, all five keys can be updated periodically. On one hand, these updating measures keep key management fresh; on the other hand, they make the management of key information and the establishment of new keys more secure.

Network Connectivity Analysis
Connectivity is one of the important factors of reflecting the function of the key management scheme, while the main disadvantage of popular schemes such as E-G and q-composite is that they cannot guarantee the absolute existence of shared key between any two nodes. Therefore, based on the layer-cluster network structure, the LCKMS-QPLIP scheme proposed in this paper can realize 100% secure connectivity between any pair nodes of one cluster.
For discussing the connectivity within a cluster, the main task is to build a session communication key between any two non-adjacent nodes. Assuming that node a and node f are not adjacent, the specific steps for building the session key of these two nodes are as follows:
(1) Address query. Node a encrypts the information $E_{K_{S_{aj},CH_j}}(ID_a \| ID_f)$ and sends it to the cluster head $CH_j$, where $K_{S_{aj},CH_j}$ is the session key between a and $CH_j$.
(2) $CH_j$ decrypts the information and gets the communication request between node a and node f. If $CH_j$ finds from the neighbor lists that node m is a common neighbor of a and f, $CH_j$ sends $E_{K_{S_{aj},CH_j}}(ID_a \| ID_m \| ID_f)$ to a and $E_{K_{S_{mj},CH_j}}(ID_a \| ID_m \| ID_f)$ to m, which tells them that m is their intermediate communication node. Meanwhile, $CH_j$ sends $E_{K_{S_{fj},CH_j}}(ID_a \| ID_m \| ID_f)$ to f, which tells f that a needs its help, via m, to finish the non-adjacent communication. The advantage of the above two steps is that they reduce the probability of the cluster head $CH_j$ acting as the intermediate node. In the traditional scheme, if the neighbor list of a does not contain f, $CH_j$ has to act as the intermediate node, which increases the communication cost of $CH_j$. According to the definition of the layer-cluster network, the cluster size is the one-hop range of the cluster head, and the communication distance between each pair of nodes in the cluster usually does not exceed 2 hops. Therefore, it is better for the cluster head to query and select the communication route between non-adjacent nodes.
(3) Building the non-adjacent session key $K_{af}$. Node a sends the encrypted information $E_{K_{am}}(l_a \| ID_f)$ to node m, where $l_a = f_{w_a}(x_1, x_2, \ldots, x_n) \| h(B) \| h(C) \| ID_a$ is the key information of node a. Node m sends the encrypted information $E_{K_{mf}}(l_a \| ID_f)$ to node f. Node f decrypts and obtains $l_a$, and also sends $E_{K_{mf}}(l_f \| ID_a)$ to node m, where $l_f$ is the key information of node f. Node m in turn sends the encrypted information $E_{K_{am}}(l_f \| ID_a)$ to node a, which decrypts and obtains $l_f$. After exchanging the key information, node a and node f build the non-adjacent session key $K_{af}$ based on the former session key scheme, and node m then deletes $l_f$ and $l_a$.
(4) Non-adjacent communication. Based on the non-adjacent session key $K_{af}$, node a sends the encrypted information $E_{K_{am}}(E_{K_{af}}(M) \| ID_a \| ID_f)$ to node m, where M is the plaintext. Node m decrypts the outer layer, sees that the information is destined for f, re-encrypts it as $E_{K_{mf}}(E_{K_{af}}(M) \| ID_a \| ID_f)$ and sends it to f. After receiving the information, node f learns that it comes from node a and decrypts it again with $K_{af}$ to get the plaintext M.
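The forwarding in steps (3) and (4) rests on two layers of encryption: a hop layer that the relay m can open and an end-to-end layer under $K_{af}$ that it cannot. The following is an added example, not the paper's code, that runs that exchange locally. It assumes the hop session keys $K_{am}$ and $K_{mf}$ and the non-adjacent session key $K_{af}$ already exist (the session key derivation itself is not reproduced); $E_K(\cdot)$ is a constructed encrypt-then-MAC toy built from HMAC-SHA256 so that the script needs only the standard library, and the 2-byte node IDs are demo values. A deployment would use a real AEAD such as AES-CCM in its place.

```python
"""Relayed communication between non-adjacent cluster members (a -> m -> f).

Added example, not the paper's code. Each node holds only the keys it would
have after the session key steps: a has K_am and K_af, m has K_am and K_mf,
f has K_mf and K_af. The relay m can strip and re-apply the hop layer but
cannot open the inner E_{K_af}(M).
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, ID_LEN = 16, 32, 2


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one session key."""
    return hashlib.sha256(key + label).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Toy E_K(plaintext) = nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Inverse of encrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def can_open(key, blob):
    """True iff `key` verifies and decrypts `blob`."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def frame(inner, id_src, id_dst):
    """inner || ID_src || ID_dst with fixed-width IDs."""
    return inner + id_src + id_dst


def unframe(data):
    return data[:-2 * ID_LEN], data[-2 * ID_LEN:-ID_LEN], data[-ID_LEN:]


# Constructed identities and keys for the demo.
ID_A, ID_F = b"a0", b"f0"
K_AM, K_MF, K_AF = os.urandom(16), os.urandom(16), os.urandom(16)
KEYS_A = {"am": K_AM, "af": K_AF}
KEYS_M = {"am": K_AM, "mf": K_MF}      # m never receives K_af
KEYS_F = {"mf": K_MF, "af": K_AF}


def node_a_send(keys, message):
    """a -> m : E_{K_am}( E_{K_af}(M) || ID_a || ID_f )"""
    return encrypt(keys["am"], frame(encrypt(keys["af"], message), ID_A, ID_F))


def node_m_forward(keys, blob):
    """m strips the a-m layer, reads only the IDs, re-wraps under K_mf.
    Returns (blob for f, whether m could open the inner ciphertext)."""
    inner, src, dst = unframe(decrypt(keys["am"], blob))
    if dst != ID_F:
        raise ValueError("relay: not destined for f")
    readable = any(can_open(k, inner) for k in keys.values())
    return encrypt(keys["mf"], frame(inner, src, dst)), readable


def node_f_receive(keys, blob):
    """f strips the m-f layer, checks the source, then opens E_{K_af}(M)."""
    inner, src, _dst = unframe(decrypt(keys["mf"], blob))
    if src != ID_A:
        raise ValueError("unexpected source")
    return decrypt(keys["af"], inner)


def run_exchange(message):
    """Full a -> m -> f exchange. Returns (plaintext at f, plaintext seen by m)."""
    hop1 = node_a_send(KEYS_A, message)
    hop2, relay_saw = node_m_forward(KEYS_M, hop1)
    return node_f_receive(KEYS_F, hop2), relay_saw
```

`run_exchange(b"temp=21.5")` returns the plaintext at f together with `False` for the relay: m can route on the identifiers but, trying every key it holds, cannot open the inner ciphertext. The MAC over the hop layer also means a modified or replayed-with-wrong-key message is rejected at m or f instead of being forwarded.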
By now, the non-adjacent communication is completed. To sum up, there are three advantages of building the non-adjacent session key in this way:
• The cluster head queries and selects the communication route between non-adjacent nodes, which reduces the communication cost.
• The intermediate node m is only responsible for forwarding the encrypted information and cannot get the plaintext, which ensures the security of the forwarding process.
• The routing cooperation of cluster head nodes ensures 100% connectivity between nodes of the cluster, which is the most prominent advantage and feature of the scheme.
In addition, for realizing non-adjacent node communication across different clusters, BS can act as the routing coordination node by following the above scheme, which realizes secure communication across the whole network. The only difference is that the intermediate path needs at least two cluster heads, which increases the routing cost.

Security Analysis of Network Topology Change
After a period of operation, the new network will inevitably encounter two situations: one is the addition of new nodes, the other is the deletion of old nodes.

New Node Joining
Assuming that b is a new node joining cluster j, BS has preset in advance, for node b, its ID, a private quadratic polynomial function $g_{\omega_b}(x_1, x_2, \ldots, x_n)$, the sharing function $f(x)$, and the group key $K_{CH_j}$ of the current time slice of cluster j.
Firstly, node b broadcasts the encrypted information $E_{K_{CH_j}}(ID_b)$ under $K_{CH_j}$. Secondly, the neighbor list is built. After receiving the broadcast, all neighbor nodes of node b in cluster j decrypt it, find that it is a new ID not in their own neighbor lists, judge that node b is a joining node and add the new ID to their neighbor lists. Likewise, node b receives the reply information from all its neighbor nodes in cluster j, such as the reply $E_{K_{CH_j}}(ID_k)$ of node k, builds its neighbor list $ID_j \| ID_k \| \ldots \| ID_m$ and sends the encrypted
Thirdly, BS reorganizes the neighbor lists. $CH_j$ sends the encrypted information $E_{K_{CH_j,BS}}(ID_b \| ID_j \| ID_k \| \ldots \| ID_m)$ to BS (supposing $CH_j$ and BS are adjacent), and BS learns that it is the neighbor list of the newly joined node b. In addition, BS adds $ID_b$ to the neighbor lists of all of b's neighbor nodes. Last, the neighbor session keys are built. Node b establishes its own broadcast key information from its preset function of $(x_1, x_2, \ldots, x_n)$ and broadcasts it. All neighbor nodes also send their own key information to node b after receiving it, and the session keys between the new neighbors are then built based on the former session key scheme. After building the sessions, node b deletes all key information of the other nodes. By now, the new node joining is completed.
To sum up, the new node joining does not affect the topological structure of the network, which shows the strong scalability of the scheme.

Node Quitting
There are two situations for node quitting: one is energy exhaustion, the other is to be judged as an abnormal node.

• Energy Exhaustion Quitting
In WSN, the nodes in a high-event area are often very active and their energy is exhausted rapidly because of high-frequency communication. For this case, when the energy of a node is close to the warning value (the warning value is set such that the remaining energy can no longer support communication with the farthest neighbor node), it notifies its neighbor nodes and BS in advance, and then quits the network when its energy drops below the warning value. For this kind of node, quitting does not affect the security of the network, and the quitting scheme is relatively simple. It is assumed that node a of cluster j is about to run out of energy and quit the network.
Firstly, node a periodically measures its own energy. When the energy value is close to the warning value, it sends two alarm messages to the relevant nodes: one is the broadcast message $E_{K_{CH_j}}(ID_a \| i(t) \| 0)$, where $i(t)$ is the sending time of the message and 0 represents the energy warning of node a; the other is the private message $E_{K_{CH_j,S_{ij}}}(ID_{BS} \| E_{K_{S_{ij},BS}}(ID_a \| i(t) \| 0))$.
Secondly, all neighbor nodes of node a (including the cluster head $CH_j$) decrypt the broadcast message, learn that it is an energy warning sent at time $i(t)$, and delete $ID_a$ from their neighbor lists.
Thirdly, $CH_j$ decrypts the private message, learns that it is a private message addressed to BS, and sends the re-encrypted information $E_{K_{CH_j,BS}}(ID_{CH_j} \| ID_a \| E_{K_{S_{ij},BS}}(ID_a \| i(t) \| 0))$ to BS (supposing $CH_j$ and BS are adjacent). Last, BS decrypts the private message, learns that it is private information from node a, and further learns that it is an energy warning message of node a sent at time $i(t)$ (node a may send the energy alarm information at any time). After that, BS reorganizes the neighbor lists: it deletes $ID_a$ from the neighbor lists of all neighbor nodes of node a, and then deletes the neighbor list of node a.
By now, node a has quit the network, and any node that still receives information from node a can judge directly that it is an abnormal node.

Abnormal Node Quitting
If BS has detected that node c is an abnormal node of cluster j, it needs to cut off all association between node c and the network. According to the proposed scheme LCKMS-QPLIP, the associated information includes the sharing function $f(x)$, the session key and the group key. Although the anti-capture capability of the scheme shows that the capture of a single node does not affect the security of the network, for further security the scheme still updates the associated information, including $f(x)$, $g(x)$, session key, group key and private key.
The updating steps are as follows. Firstly, BS judges the abnormal behavior of node c and marks c as the quitting node.
Secondly, BS broadcasts the encrypted abnormal information $E_{K_N}(ID_c \| ID_{CH_j} \| danger)$ to the network under $K_N$. Thirdly, each cluster head decrypts the broadcast and learns that node c is an abnormal node of cluster j, and then all cluster heads broadcast the abnormal information encrypted with their group keys to their cluster members, e.g., $E_{K_{CH_j}}(ID_c \| danger)$. Fourthly, all nodes in the network know that node c is an abnormal quitting node, and all communication with node c is stopped: all neighbor nodes of node c delete $ID_c$ from their neighbor lists, and BS reorganizes the neighbor lists of all neighbor nodes of node c after deleting $ID_c$.
Last, after deleting the associated information of node c, cluster j needs to update the associated information again, including $f(x)$, $g(x)$, session key, group key and private key.
After the updating, node c will not be able to participate in any communication of the network. This quitting scheme not only implements the measures against abnormal nodes, but also lowers the updating cost and keeps the updating measures within a cluster.
to solve $n(n+1)/2$ elements, including the diagonal elements and the elements above or below the diagonal of matrix A. According to Corollary 3, E-G uses the symmetry of binary t-th-order symmetric polynomials to build the session key, and it can be broken as long as t related neighbors are obtained by the enemy.
For LCKMS-QPLIP, firstly, each node is preset with an asymmetric n-ary quadratic polynomial; the multivariate asymmetric polynomial enhances the complexity and irregularity of the algorithm, and external attackers cannot set up polynomial groups like Equation (61) to break the matrix by obtaining the nodes' neighbor lists. Secondly, because each quadratic polynomial is independent and unique, capturing other nodes is of no use. Thirdly, based on the above analysis of matrix A, the attacker needs to solve $n(n+1)/2$ elements to break the quadratic polynomial, and it is obvious that the difficulty of breaking increases greatly even when the dimension n of the quadratic polynomial changes slightly, which is far greater than the security of E-G.
In order to illustrate the difficulty of breaking LCKMS-QPLIP intuitively, with the help of the idea used to break E-G (a session key built by a symmetric function is difficult to resist a t-collusion attack), it is assumed that the parameter n is the order of the binary symmetric polynomial in the E-G scheme and that n also represents the number of variables of the quadratic polynomial in LCKMS-QPLIP. From the above analysis, it is known that the E-G scheme is difficult to resist the n-collusion attack. For LCKMS-QPLIP, it is necessary to break the private quadratic polynomial $g(x_1, x_2, \ldots, x_n)$, which means that at least $n(n+1)/2$ parameters need to be obtained from matrix A (this is the minimum difficulty of breaking the function, based on the assumption that $g(x_1, x_2, \ldots, x_n)$ is a symmetric polynomial). Figure 4 shows the comparison of anti-capture between the two schemes based on parameter n.
It can be seen in Figure 4 that with the increase of the captured parameter n, the anti-capture ability of the E-G scheme changes linearly, and it is possible to threaten the network as long as the enemy captures nodes in the same proportion. In contrast, LCKMS-QPLIP in this paper does not have this problem, since its anti-capture property changes exponentially; the larger the parameter n is, the more obvious the advantage is. The network is absolutely safe as long as it can guarantee $n(n+1)/2 > N$, where N is the network size, because the number of network nodes is not enough to support the enemy to break any quadratic polynomial.

Anti-Capture Analysis of Broadcast Authentication Key
According to the above scheme of broadcast authentication key, the anti-capture property of the broadcast authentication key is to ensure that a single captured node does not affect the security of the broadcast authentication scheme, and the key factor is the security of the shared function $f(x)$. Once $f(x)$ is leaked, the security of authentication is affected, which illustrates that the pattern of $f(x)$ is very important.
In order to examine the security (anti-capture property) of $f(x)$, it is assumed that $f(x)$ is also a quadratic polynomial and a continuous, integrable function of one variable $x_i$ on $[-\pi, \pi]$, and the specific sharing function is $f(x_i)$.
According to the security analysis in the last step, breaking $f(x_i)$ requires breaking the symmetric matrix A, and breaking A requires obtaining $n(n+1)/2$ elements, including the diagonal elements and the elements above or below the diagonal of matrix A, which means that $f(x_i)$ is absolutely safe as long as $n(n+1)/2 > N$, where N is the network size.

Anti-Capture Analysis of Group Key, Network Key and Personal Key
It is known from LCKMS-QPLIP that the security of the group key, network key and personal key is consistent, and there are two main factors that affect the security of these three keys.
One is the base station. Since these three keys are generated randomly by BS according to the former proposed schemes and it is hard to capture a BS, the source of key generation is quite safe.
The other is the key information $m(i)$. All nodes in the cluster rely on $m(i)$ to obtain the group key $K_{CH_j}$ and the personal key $K_{S_{ij},BS}$, and the cluster head also obtains the network key $K_N$ through $m(i)$.
According to the building process of these three keys, $m(i)$ is the key to obtaining them, and $m(i)$ is encrypted by $K_{S_{ij},CH_j}$ and $K_{BS,CH_j}$, which means that $K_{S_{ij},CH_j}$ and $K_{BS,CH_j}$ must be obtained in order to obtain $m(i)$.
This equivalent security relationship indicates that the security of $m(i)$ is equivalent to the security of the group key, network key and personal key, and that the security of $m(i)$ is also equivalent to the security of the session key, which means the anti-capture property of the group key, network key and personal key is equivalent to the anti-capture property of the session key. It is known from the above analysis that the anti-capture property of the session key is reflected by the relation $N < n(n+1)/2$.

Efficiency Analysis
The efficiency of the proposed scheme LCKMS-QPLIP includes delay, storage and computation cost. The first author of this paper has discussed some aspects of the efficiency of the scheme in the earlier literature [42,44].
(1) Authentication delay cost in [42]
It is indicated by Figures 5 to 8 in [42] that the authentication delay of both proposed protocols increases with time, but the authentication delay of µTESLA increases much faster as the authentication calculation increases, while the authentication delay of MBAP, which is included in LCKMS-QPLIP, changes stably.
(2) Storage cost in [44]
The storage cost of the three schemes (LKH, EBS, AGKMS) for common sensor nodes is shown in Figure 5 of [44], which indicates that AGKMS, included in LCKMS-QPLIP, is much better than LKH and EBS in storage cost.
(3) Computation cost in [44]
The computation cost of the three schemes (LKH, EBS, AGKMS) is shown in Figure 6 of [44], which indicates that the computation cost of AGKMS, included in LCKMS-QPLIP, in the situation of one existing captured node is much better than that of LKH and EBS.
In particular, compared with LKH and EBS, the computation cost for new node joining in LKH and EBS is very small because of the management by GC. Though the computation cost for new node joining in AGKMS is a little larger than in LKH and EBS, AGKMS does not affect the structure of the network for new nodes and has good scalability, and it avoids the collusion problem and keeps more security; so the AGKMS included in LCKMS-QPLIP has a good computation cost.

Network Robustness Analysis
In LCKMS-QPLIP, each network node is preset with a sharing function $f(x)$ and a private function $g(x)$ at the network initialization stage and sends its neighbor list information, encrypted by the time-based authentication key, to BS, which means that no plaintext information is transmitted when the nodes begin to interact. External attackers are unable to participate in any network information interaction because they lack $f(x)$ and $g(x)$. Since each session key is calculated from the key information of two neighbor nodes, an attacker cannot obtain the session key directly from a single node without knowing the key calculation protocol. According to the above analysis of equivalent security, the security of the other keys is guaranteed if the security of the session key is ensured.
(1) Anti-collusion attack capability
Since the private quadratic polynomials $g(x)$ are multivariate asymmetric polynomials, attackers cannot obtain them by the kind of collusion attack that works against the E-G scheme and the q-composite scheme. Therefore, LCKMS-QPLIP can resist collusion attacks.
(2) Anti-flooding attack capability
In a flooding attack, the attacker fakes various identities and replies with many forged messages to node a, and node a needs to authenticate these identities after receiving the messages. Each authentication requires a certain amount of computation, so the attacker can send a lot of messages to consume the energy of a.
LCKMS-QPLIP can resist such attacks, because the attackers cannot participate in any information interaction without the sharing function $f(x)$ and the private function $g(x)$.

(3) Authentication analysis
In LCKMS-QPLIP, neighbor nodes can exchange their key information, calculate each other's eigenvalues and eigenvectors, and judge the correctness of the orthogonal matrix and symmetric matrix to complete the identity authentication. Random key pre-distribution schemes such as E-G and q-composite cannot support the identity authentication of neighbor nodes, and their keys are easily disclosed when nodes are captured by attackers.

(4) Scalability analysis
In the initialization stage of LCKMS-QPLIP, network nodes only need to be preset with ID, $f(x)$ and $g(x)$. When a new node a is added, BS presets its ID, $f(x)$, $g(x)$ and the current group key. The new node a broadcasts its own ID encrypted by the group key and establishes its neighbor list after obtaining all neighbor nodes' IDs. The new node a then broadcasts its own key information encrypted by the group key, all neighbor nodes send their own key information to node a after receiving it, and the session keys between the new neighbors are built based on the above session key scheme.
In the whole process, the neighbor nodes only need to add a session key with the new node, and unrelated nodes are unchanged, which means that the addition of a new node does not affect any communication structure of the network. So LCKMS-QPLIP has strong scalability.
In addition, LCKMS-QPLIP is applicable to almost all symmetric cryptosystems and lightweight crypto-algorithms, and it does not rely on the additional auxiliary equipment and can be applied to various scales of wireless sensor networks.

Conclusions
The proposed layer-cluster key management scheme LCKMS-QPLIP in this paper has five important parts, it can guarantee the identity of network nodes through forward authentication