Article

An Efficient and Secure Group Rekeying Scheme for WSNs via Symmetric Polynomial Key Pre-Distribution

1 Department of Information Management, Lunghwa University of Science and Technology, Taoyuan 33306, Taiwan
2 Department of Management Information Systems, National Chung Hsing University, Taichung 40227, Taiwan
3 Department of Computer Science and Information Engineering, Asia University, Taichung 41354, Taiwan
4 Department of Medical Research, China Medical University Hospital, China Medical University, Taichung 40402, Taiwan
* Author to whom correspondence should be addressed.
Electronics 2026, 15(12), 2631; https://doi.org/10.3390/electronics15122631
Submission received: 15 May 2026 / Revised: 9 June 2026 / Accepted: 10 June 2026 / Published: 14 June 2026

Abstract

In wireless sensor networks (WSNs), establishing robust key agreement is essential for securing communications. Such schemes are typically evaluated by their storage requirements, communication overhead, and computational cost. Group key establishment keeps sensitive information confidential, since only authorized nodes can decrypt broadcast messages. This paper proposes a group rekeying scheme based on symmetric polynomial key pre-distribution: a secure group key is constructed from a multivariate symmetric polynomial, and a dynamic rekeying mechanism updates the group key whenever a sensor node is compromised or the membership changes, preserving forward and backward secrecy. Performance analysis shows that the proposed scheme reduces both communication overhead and computational complexity compared with existing methods.

1. Introduction

Sensors are widely used to detect forest fires, monitor battlefields, and control remote environments thanks to their low cost, simple architecture, small size, and light weight. However, as wireless sensor networks become an important component of the Internet of Things (IoT), they face increasingly sophisticated threats, including node compromise, malicious data injection, message replay, and eavesdropping. Recent studies have shown that modern IoT environments require not only cryptographic protection but also intelligent and adaptive security strategies to address evolving cyber threats [1,2]. AI-driven cybersecurity frameworks have been proposed to enhance threat detection and network resilience through automated analysis and decision-making [3]. Nevertheless, secure key management remains a fundamental prerequisite for protecting data confidentiality and communication integrity in resource-constrained WSNs. Lightweight and secure group rekeying mechanisms therefore continue to play a critical role in IoT security architectures.
In WSNs, key agreement protocols are commonly classified into three categories: trusted server, public key infrastructure, and key pre-distribution [4,5]:
1.
Trusted server. SPINS is one of the best-known security architectures for WSNs [6]. Each sensor shares a secret key with the base station, so sensors communicate secretly with each other through the base station. However, sensors drain their batteries when they transmit large volumes of key-agreement requests to the base station, and frequent communication with the base station also limits flexibility. This approach is mostly applied where the base station commands the sensors.
2.
Public key infrastructure. These protocols [7,8] rely on asymmetric schemes such as ECC and RSA. Although widely deployed on general-purpose computers, most of them are complex and computationally expensive. Consequently, asymmetric cryptographic operations are usually infeasible in WSNs because sensors have limited resources.
3.
Key pre-distribution [9,10,11,12]. Secret keys are distributed to all sensor nodes before deployment. These protocols require neither discrete-logarithm computations nor authentication with a trusted third party, yet still achieve secure communication. Many researchers have therefore built secure mechanisms for WSNs on key pre-distribution.
In WSNs we are particularly concerned with the node capture attack, in which an adversary controls a few nodes and uses them to launch further attacks on the network. For example, malicious data fed to the base station can cause it to respond incorrectly, with potentially irreparable consequences. For this reason, the network continuously monitors which nodes have been compromised so that the non-compromised sensors can run a group rekeying mechanism. Many papers have addressed this problem [6,13,14,15,16,17,18,19,20,21,22].
Blundo et al. proposed two polynomial-based conference key distribution schemes, one non-interactive and one interactive [10]. Their method is simpler and cheaper to compute than public key infrastructure. However, the non-interactive scheme is inflexible because the base station must redistribute a new polynomial whenever a sensor is compromised, and the interactive scheme has an unpredictable load because the cost of rekeying grows with the number of sensors.
The computation overhead of group key management schemes is a critical factor in wireless sensor networks (WSNs) and mobile ad hoc networks (MANETs), since sensor nodes generally possess limited computation capability, memory capacity, and battery power. Therefore, an efficient rekeying mechanism should minimize encryption/decryption operations, modular arithmetic computations, and communication-related update processes while still preserving forward and backward secrecy.
Janani and Manikandan [23] proposed a genetic algorithm-based stateless group key management scheme for MANET environments. Their approach mainly focuses on optimizing rekeying efficiency through genetic-based selection and broadcast stateless mechanisms. Since the scheme dynamically reconstructs group keys without maintaining extensive key trees, the computation overhead at mobile nodes is relatively moderate. However, the genetic optimization process introduces additional computational complexity at the controller side, particularly during chromosome evaluation, fitness computation, and rekey generation. Consequently, although the scheme reduces communication overhead compared with traditional Logical Key Hierarchy (LKH)-based approaches, its centralized optimization process still incurs noticeable processing costs in highly dynamic MANET scenarios.
In this paper, we propose an efficient polynomial-based group rekeying scheme. First, we extend the bivariate polynomial-based key agreement scheme to a multivariate polynomial-based group rekeying scheme, and we use a timestamp to make rekeying flexible. In addition, we modify Blundo's scheme to adapt it to WSNs. The multivariate polynomial-based group rekeying scheme improves resilience. Compared with the related work, the proposed scheme is more efficient and better suited to secure communication, and hence improves on Blundo et al.'s method.
The main contributions of this work are summarized as follows:
1.
We extend Blundo’s static polynomial key pre-distribution mechanism into a dynamic group rekeying framework suitable for wireless sensor networks with changing membership.
2.
We introduce a timestamp-assisted polynomial update mechanism that enables lightweight group rekeying without redistributing a new polynomial from the base station whenever a node joins or leaves the network.
3.
We provide a simple variable-substitution rekeying strategy that preserves forward secrecy and backward secrecy while significantly reducing communication overhead compared with conventional centralized rekeying approaches.
4.
We analytically demonstrate that the proposed scheme requires only node-ID exchanges during rekeying, thereby reducing communication and computational costs while maintaining the security properties of polynomial-based key establishment.
The rest of our paper is organized as follows: In Section 2, we propose the related schemes. In Section 3, we present our method. In Section 4, the experimental results and discussion are presented. Finally, the conclusion of this paper is given in Section 5.

2. Related Works

In this section, we will introduce Blundo et al.’s scheme.

2.1. Non-Interactive Polynomial-Based Key Pre-Distribution Scheme

In 1998, Blundo et al. [10] considered the limit of mobile devices on key agreement. They found that building a public key infrastructure with limited resources is unsuitable. Therefore, they proposed the basic polynomial-based key pre-distribution protocol.
In the key pre-distribution phase, the base station randomly generates a symmetric $k$-variable, $t$-degree polynomial $f(x_1, \ldots, x_k)$. The polynomial is built as follows:
$$f(x_1, \ldots, x_k) = \sum_{i_1=0}^{t} \cdots \sum_{i_k=0}^{t} a_{i_1, i_2, \ldots, i_k} \prod_{j=1}^{k} x_j^{i_j} \pmod q,$$
where
$$a_{i_1, i_2, \ldots, i_k} \in GF(q).$$
The polynomial is symmetric if
$$f(x_{\pi(1)}, x_{\pi(2)}, \ldots, x_{\pi(k)}) = f(x_1, x_2, \ldots, x_k)$$
for every permutation $\pi$.
Here, $f(x_1, \ldots, x_k)$ is defined over the finite field $\mathbb{F}_q$, where $q$ is a prime large enough for field elements to serve as keys. Symmetry means that
$$f(x_1, x_2, \ldots, x_k) = f(x_2, x_1, \ldots, x_k) = \cdots = f(x_k, x_{k-1}, \ldots, x_1).$$
After generating the polynomial, the base station computes the preloaded polynomial $f(SID_u, x_2, \ldots, x_k)$ for each sensor node $u$ with identifier $SID_u$. Finally, the unique identifier $SID_u$ and the coefficients of the monomials $\prod_{j=2}^{k} x_j^{i_j}$ of $f(SID_u, x_2, \ldots, x_k)$ are loaded into the memory of sensor node $u$.
In the direct key establishment phase, each sensor broadcasts its ID to its neighbors and receives the IDs of its neighboring nodes. Assume that sensor $u$ and sensors $v_i$ ($2 \le i \le k$) are neighbors. After receiving the neighboring IDs, sensor node $u$ computes the secret key $k_{u v_i} = f(SID_u, SID_{v_2}, \ldots, SID_{v_k})$, i.e., the variables $x_2, \ldots, x_k$ are substituted by $SID_{v_2}, \ldots, SID_{v_k}$. Likewise, each sensor $v_i$ substitutes the IDs of $u$ and of the other neighbors into its own preloaded polynomial. By the symmetric property, all of them obtain the same value and can communicate secretly with this common key. The benefit of this scheme is that its communication overhead and computation cost are acceptable for WSNs. Moreover, Blundo et al. [10] proved that the scheme is unconditionally secure against a collusion of up to $t$ nodes ($t$-collusion resistant). Hence it can be used securely in WSNs as long as the number of compromised nodes does not exceed $t$.

2.2. Interactive Polynomial-Based Key Pre-Distribution Scheme

Blundo et al. [10] also proposed an interactive method. This method can reduce the storage space more than the non-interactive method.
In the key pre-distribution phase, the base station randomly generates a symmetric bivariate $t$-degree polynomial $f(x, y)$:
$$f(x, y) = \sum_{i=0}^{t} \sum_{j=0}^{t} a_{ij} x^i y^j, \qquad a_{ij} \in GF(q),\ 0 \le i, j \le t .$$
Here, $f(x, y)$ is defined over the finite field $\mathbb{F}_q$, where $q$ is a prime large enough for field elements to serve as keys, and the coefficients satisfy $a_{ij} = a_{ji}$ so that
$$f(x, y) = f(y, x).$$
After generating the polynomial, the base station computes the preloaded polynomial $f(SID_u, y)$ for each sensor node $u$:
$$f(SID_u, y) = \sum_{i=0}^{t} \sum_{j=0}^{t} a_{ij} SID_u^{\,i} y^j .$$
Here, $f(SID_u, y)$ is over $\mathbb{F}_q$. Finally, the unique identifier $SID_u$ and the coefficients of $y^j$ in $f(SID_u, y)$ are loaded into the memory of sensor node $u$.
In the direct key establishment phase, suppose the group $u_i$ ($1 \le i \le k$), with $u_1 < u_2 < \cdots < u_k$, wants to set up a conference key. First, $u_k$ computes the temporary keys $f(SID_{u_k}, SID_{u_i})$ for $i = 1, \ldots, k-1$. Second, $u_k$ chooses a secret key $s$ and computes the public value $(f(SID_{u_k}, SID_{u_i}) + s) \bmod q$ for each sensor node $u_i$ ($1 \le i \le k-1$), where $q$ is the field prime. Third, $u_k$ sends each public value to the corresponding sensor. Finally, each sensor node $u_i$ ($1 \le i \le k-1$) computes its own temporary key $f(SID_{u_i}, SID_{u_k})$ from its preloaded polynomial, which equals $f(SID_{u_k}, SID_{u_i})$ by symmetry, and recovers $s$ as $(\text{public value} - \text{temporary key}) \bmod q$.
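Blundo et al.'s bivariate scheme carried through in Python, as an added example rather than the paper's or Blundo et al.'s code: the preloaded share $f(SID_u, y)$, pairwise agreement, the interactive conference-key exchange of this subsection, and the node-capture bound stated in Section 2.1 (reconstructing an uncaptured node's share by Lagrange interpolation succeeds with $t+1$ captured shares and fails with $t$). The prime `Q`, the node IDs and the seed are constructed toy values.

```python
"""Blundo et al. bivariate key pre-distribution with the interactive
conference-key step and a node-capture check.  Added example, not the
paper's code; Q, t, the IDs and the seed are constructed toy values."""
import random

Q = 2**61 - 1  # Mersenne prime; large enough to serve as a key (assumption)


def gen_symmetric_bivariate(t, rng, q=Q):
    """f(x, y) = sum_{i,j<=t} a_ij x^i y^j with a_ij = a_ji, so f(x, y) = f(y, x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(q)
    return a


def share(a, sid, q=Q):
    """Preloaded share of node sid: the coefficients b_j of f(sid, y) = sum_j b_j y^j."""
    t = len(a) - 1
    return [sum(a[i][j] * pow(sid, i, q) for i in range(t + 1)) % q for j in range(t + 1)]


def eval_share(b, y, q=Q):
    """f(sid, y) from the share b, by Horner's rule."""
    acc = 0
    for coef in reversed(b):
        acc = (acc * y + coef) % q
    return acc


def conference_key(a, ids, rng, q=Q):
    """Interactive phase: the largest-ID member u_k picks s and publishes
    (f(SID_uk, SID_ui) + s) mod q; each u_i subtracts f(SID_ui, SID_uk), computed
    from its own share, to recover s.  Returns s and what each member recovered."""
    ids = sorted(ids)
    uk, b_uk = ids[-1], share(a, ids[-1], q)
    s = rng.randrange(q)
    public = {ui: (eval_share(b_uk, ui, q) + s) % q for ui in ids[:-1]}
    recovered = {ui: (public[ui] - eval_share(share(a, ui, q), uk, q)) % q
                 for ui in ids[:-1]}
    return s, recovered


def reconstruct_share(captured, target, q=Q):
    """Node-capture attack: each b_j(x) = sum_i a_ij x^i has degree t in x, so
    Lagrange interpolation of captured shares {sid: b} recovers the share of an
    uncaptured node exactly when at least t+1 shares were captured."""
    xs = list(captured)
    out = []
    for j in range(len(captured[xs[0]])):
        acc = 0
        for xi in xs:
            num = den = 1
            for xm in xs:
                if xm != xi:
                    num = num * (target - xm) % q
                    den = den * (xi - xm) % q
            acc = (acc + captured[xi][j] * num * pow(den, q - 2, q)) % q
        out.append(acc)
    return out


def demo(t=3, ids=(11, 23, 42, 57, 99), seed=1):
    """Returns (pairwise keys agree, conference key recovered,
    t captured shares suffice, t+1 captured shares suffice)."""
    rng = random.Random(seed)
    a = gen_symmetric_bivariate(t, rng)
    pairwise_ok = eval_share(share(a, 11), 23) == eval_share(share(a, 23), 11)
    s, rec = conference_key(a, ids, rng)
    conference_ok = all(v == s for v in rec.values())
    true = share(a, 99)                                   # share of the uncaptured node 99
    with_t = reconstruct_share({u: share(a, u) for u in ids[:t]}, 99) == true
    with_t1 = reconstruct_share({u: share(a, u) for u in ids[:t + 1]}, 99) == true
    return pairwise_ok, conference_ok, with_t, with_t1
```

`demo()` returns `(True, True, False, True)`: pairwise keys agree, every $u_i$ recovers $s$, $t$ captured shares do not yield the target share, and $t+1$ do. The keys here are raw field elements; in a deployment one would derive the actual cipher key from them with a KDF, a step the paper does not discuss.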

3. The Proposed Method

Although the proposed scheme is built upon the polynomial key pre-distribution framework introduced by Blundo et al. [10], the objectives of the two schemes are fundamentally different.
Blundo’s scheme focuses on establishing pairwise or conference keys among a fixed set of sensor nodes. Once a node is compromised or membership changes occur, the original polynomial must be redistributed, or a new key establishment process must be executed. Consequently, the scheme does not explicitly support lightweight group rekeying for dynamic wireless sensor networks.
In contrast, the proposed scheme introduces a timestamp-assisted variable-substitution mechanism that allows legitimate nodes to update group keys locally without redistributing an entirely new polynomial. When a node leaves the group, a polynomial variable is replaced by a constant value. When a node joins, the constant value is restored as a variable associated with the new node. This design enables efficient group rekeying while preserving forward and backward secrecy.
Therefore, the novelty of the proposed scheme lies not in constructing a new polynomial function but in transforming a static polynomial key establishment mechanism into a lightweight dynamic group rekeying framework suitable for resource-constrained WSN environments.
In this section, we introduce the proposed method. A session timestamp is used to make rekeying flexible, and Blundo's scheme [10] is modified to suit WSNs.
The notations used in this article are listed in Table 1.

3.1. Key Pre-Distribution and Direct Key Establishment Phase

The procedures of the key pre-distribution and direct key establishment phase are listed as follows:
1.
The base station randomly generates a symmetric $(t+1)$-variable, $t$-degree polynomial $f(x_1, \ldots, x_{t+1})$ with coefficients in $GF(q)$; the symmetry property is the same as for Blundo's polynomial. The base station then computes the preloaded polynomial $f(SID_u, x_2, \ldots, x_{t+1})$ for each sensor node $u$. Finally, the unique identifier $SID_u$ and the coefficients of the monomials $\prod_{j=2}^{t+1} x_j^{i_j}$ of $f(SID_u, x_2, \ldots, x_{t+1})$ are loaded into the memory of sensor node $u$.
2.
In the direct key establishment phase, each sensor broadcasts its ID to its neighbors and receives the IDs of the neighboring nodes. Assume that sensor $u$ and sensors $v_i$ ($2 \le i \le t$) are neighbors. After receiving the neighboring IDs, sensor node $u$ computes the secret key $k_{u v_i} = f(SID_u, SID_{v_2}, \ldots, SID_{v_t}, timestamp)$ for the current session: the variables $x_2, \ldots, x_t$ are substituted by $SID_{v_i}$ ($2 \le i \le t$) and $x_{t+1}$ by the session timestamp. Likewise, each sensor $v_i$ computes $k_{v_i u} = f(SID_{v_i}, \ldots, SID_u, \ldots, timestamp)$ from its own preloaded polynomial, which equals $k_{u v_i}$ by symmetry.
The timestamp serves two purposes in the proposed scheme:
1.
First, it guarantees session freshness by ensuring that different communication sessions generate different group keys.
2.
Second, it enables lightweight rekeying without requiring redistribution of polynomial coefficients. Whenever a membership change occurs, the base station updates the session timestamp and broadcasts the new timestamp to legitimate nodes.
In practical deployments, sensor clocks drift slightly and packets are delayed. The proposed scheme therefore adopts a synchronization tolerance window $\Delta T$: a received timestamp is considered valid if
$$|T_r - T_l| \le \Delta T,$$
where $T_r$ and $T_l$ denote the received and local timestamps, respectively. Because the session timestamp $T_s$ is supplied by the base station and every node substitutes the same received value into its polynomial, small timing variations within the tolerance window affect only this validity check, not the generated group key. Minor clock drift and network latency can thus be accommodated without highly accurate clock synchronization.
Timestamps give the scheme a one-time session key, since each session's key is bound to its timestamp. Together with the symmetric property, which lets all members derive the same key from their own preloaded polynomials, this reduces communication overhead and computation cost. We therefore propose a Blundo-based group key agreement scheme for WSNs that is more practical than the existing schemes.

3.2. Sensor Leave

Assume that node $S_r$ has been identified as compromised and must be revoked from the group; that is, rekeying must be carried out among the non-compromised sensors. The procedure of the sensor leave phase is as follows:
1.
The base station generates a new session timestamp $T_s$.
2.
The base station broadcasts a rekeying message
$$M_{leave} = \{ID_r, T_s\},$$
where $ID_r$ denotes the identifier of the revoked node.
3.
Upon receiving $M_{leave}$, every legitimate sensor removes the contribution of $ID_r$ from the polynomial by replacing the corresponding variable with a predefined constant value $c$ (chosen so that it never equals a node identifier).
4.
Each legitimate node computes the updated group key
$$K_G = f(SID_1, \ldots, SID_{r-1}, c, SID_{r+1}, \ldots, SID_t, T_s).$$
5.
The updated key is evaluated at a point that no longer contains $SID_r$. Since the revoked node holds only the share $f(SID_r, x_2, \ldots, x_{t+1})$, it cannot evaluate $f$ at such a point unless more than $t$ shares are pooled, so it cannot derive the updated group key even if it observes $T_s$.

3.3. Sensor Join

Let us examine the key update procedure for a join event. Assume that the group initially has $t-1$ sensors and a $t$-th sensor joins. The keys held by the existing sensors must also be updated so that the joining sensor cannot decrypt past messages (backward secrecy). Assume that a new node $S_j$ is authenticated and admitted into the group. The procedure of the sensor join phase is as follows:
1.
The base station generates a new session timestamp $T_s$.
2.
The base station securely delivers the corresponding polynomial share
$$f(SID_j, x_2, \ldots, x_{t+1})$$
to the joining node.
3.
The base station broadcasts
$$M_{join} = \{ID_j, T_s\}$$
to all legitimate nodes.
4.
Each legitimate node restores the previously fixed constant value $c$ as a variable and associates it with the joining node.
5.
All group members compute
$$K_G = f(SID_1, \ldots, SID_j, \ldots, SID_t, T_s).$$
6.
Previous group keys were evaluated at points that do not contain $SID_j$, and the joining node holds only the share $f(SID_j, x_2, \ldots, x_{t+1})$; it therefore cannot compute any earlier group key and cannot recover historical communications.
For clarity, the transmitted information during the key establishment and rekeying procedures is summarized in Table 2.

3.4. Consistency of Group Key Updates

To ensure that all legitimate sensor nodes derive the same group key after a membership change, the base station distributes a common rekeying message containing the updated session timestamp and the identifier of the joining or revoked node.
Upon receiving the rekeying message, each legitimate sensor performs the same polynomial update operation according to the predefined rule. In a node-leaving event, the corresponding polynomial variable is replaced with a constant value. In a node-joining event, the constant value is restored as a variable associated with the joining node.
Since all legitimate nodes possess valid polynomial shares, receive the same timestamp, and execute identical update procedures, they independently derive the same updated group key
$$K_G = f(SID_1, SID_2, \ldots, SID_t, T_s).$$
Furthermore, because the polynomial is symmetric, the ordering of node identifiers does not affect the resulting key value. Therefore, no additional coordination messages are required after the rekeying notification, and consistency is maintained throughout the network.

3.5. An Example

We use three sensors as an example. A simple symmetric $(t+1)$-variable, $t$-degree polynomial with $t = 3$ is
$$f(x_1, x_2, x_3, x_4) = 5 x_1^3 x_2^3 x_3^3 x_4^3 + 7 \bmod 17 .$$
Step 1.
Each sensor node ID, i.e., 1, 2, and 3, is substituted for the variable $x_1$:
$$f(1, x_2, x_3, x_4) = 5 x_2^3 x_3^3 x_4^3 + 7 \bmod 17,$$
$$f(2, x_2, x_3, x_4) = 40 x_2^3 x_3^3 x_4^3 + 7 \bmod 17,$$
$$f(3, x_2, x_3, x_4) = 135 x_2^3 x_3^3 x_4^3 + 7 \bmod 17 .$$
Step 2.
The base station loads the resulting coefficients into each sensor.
Step 3.
Each sensor node broadcasts its ID.
Step 4.
Each receiver uses the IDs to compute the shared conference key. Assuming the timestamp is 1:
$$f(1, 2, 3, 1) = 1087 \bmod 17 = 16,$$
$$f(2, 1, 3, 1) = 1087 \bmod 17 = 16,$$
$$f(3, 1, 2, 1) = 1087 \bmod 17 = 16 .$$
Step 5.
When Sensor 3 leaves the group, the remaining sensors update their polynomials by replacing $x_3$ with the constant $c = 1$:
$$f(1, x_2, 1, x_4) = 5 x_2^3 x_4^3 + 7 \bmod 17,$$
$$f(2, x_2, 1, x_4) = 40 x_2^3 x_4^3 + 7 \bmod 17 .$$
Step 6.
If a new sensor joins the group, the polynomial must be updated to preserve backward secrecy. Assume that Sensor 4 joins. After Step 5, the polynomial held by the remaining legitimate sensors is
$$f(x_1, x_2, 1, x_4) = 5 x_1^3 x_2^3 x_4^3 + 7 \bmod 17 .$$
To incorporate the new sensor, the constant is replaced by the new sensor's identifier, so the polynomial becomes
$$f(x_1, x_2, x_3, x_4) = 5 x_1^3 x_2^3 x_3^3 x_4^3 + 7 \bmod 17,$$
with $x_3 = 4$ denoting the joining sensor. Assuming the timestamp is still 1, the new conference key is
$$f(1, 2, 4, 1) = 5 \cdot 1^3 \cdot 2^3 \cdot 4^3 \cdot 1^3 + 7 = 2567 \bmod 17 = 0 .$$
Similarly,
$$f(2, 1, 4, 1) = 0 \quad \text{and} \quad f(4, 1, 2, 1) = 0 .$$
Therefore, all legitimate members derive the same updated group key. Since the previous group key was computed from the polynomial before the join operation, at a point that does not contain the identifier 4, the newly joined sensor cannot recover any historical key, which gives backward secrecy.
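The scheme of Sections 3.1 to 3.5 carried through in Python, as an added example rather than the paper's code (it also covers the non-interactive conference key of Section 2.1, of which the proposed scheme is the timestamped extension). The `{exponent tuple: coefficient}` representation, the `Member` class, `rekey_round`, and the choice $c = 2^{32}$ in the larger run are this example's own; `paper_example()` reproduces the numbers of Section 3.5 with the paper's $c = 1$.

```python
"""Multivariate symmetric-polynomial group rekeying (Sections 3.1-3.5) as an
added example; not the paper's code.  A symmetric (t+1)-variable polynomial of
degree <= t in each variable is stored as {exponent tuple: coefficient} over GF(q).
The Member class, rekey_round and the constant c used below are this example's own."""
from itertools import permutations, product
from math import prod
import random


def symmetrize(coeffs, q):
    """Copy each coefficient to every permutation of its exponent tuple, so that
    f(x_pi(1), ..., x_pi(k)) = f(x_1, ..., x_k) for every permutation pi."""
    sym = {}
    for exps, a in coeffs.items():
        for p in set(permutations(exps)):
            sym[p] = a % q
    return sym


def gen_symmetric(t, q, rng):
    """Random symmetric (t+1)-variable polynomial: one coefficient per sorted exponent tuple."""
    raw = {e: rng.randrange(q) for e in product(range(t + 1), repeat=t + 1) if list(e) == sorted(e)}
    return symmetrize(raw, q)


def evaluate(poly, args, q):
    """f(args) mod q; works for the full polynomial and for a share alike."""
    return sum(a * prod(pow(x, e, q) for x, e in zip(args, exps)) for exps, a in poly.items()) % q


def make_share(poly, sid, q):
    """Preloaded share f(SID_u, x_2, ..., x_{t+1}): x_1 is fixed to SID_u, so a node
    can only evaluate f at points that contain its own identifier."""
    out = {}
    for exps, a in poly.items():
        rest = exps[1:]
        out[rest] = (out.get(rest, 0) + a * pow(sid, exps[0], q)) % q
    return out


class Member:
    """A sensor: its share plus the values currently substituted for x_2..x_t
    (other members' IDs, or the constant c in a revoked slot); x_{t+1} is the timestamp."""
    def __init__(self, sid, poly, others, q):
        self.sid, self.q = sid, q
        self.share = make_share(poly, sid, q)
        self.slots = list(others)

    def group_key(self, T_s):
        return evaluate(self.share, self.slots + [T_s], self.q)

    def on_leave(self, revoked_id, c):   # M_leave = {ID_r, T_s}: variable -> constant c
        self.slots[self.slots.index(revoked_id)] = c

    def on_join(self, new_id, c):        # M_join = {ID_j, T_s}: constant c -> joiner's variable
        self.slots[self.slots.index(c)] = new_id


def rekey_round(members, T_s):
    """Every member derives K_G independently; returns the agreed value or raises."""
    keys = {m.group_key(T_s) for m in members}
    if len(keys) != 1:
        raise ValueError("group members disagree on K_G")
    return keys.pop()


def paper_example():
    """Section 3.5: f = 5 x1^3 x2^3 x3^3 x4^3 + 7 mod 17, IDs 1,2,3, timestamp 1, c = 1."""
    q, c = 17, 1
    poly = symmetrize({(3, 3, 3, 3): 5, (0, 0, 0, 0): 7}, q)
    ids = [1, 2, 3]
    group = [Member(u, poly, [v for v in ids if v != u], q) for u in ids]
    k_initial = rekey_round(group, 1)                # f(1,2,3,1) = 16
    revoked = group.pop(2)                           # Sensor 3 is found compromised
    for m in group:
        m.on_leave(revoked.sid, c)
    k_after_leave = rekey_round(group, 1)            # f(1,2,c,1) = 13
    joiner = Member(4, poly, [1, 2], q)              # BS delivers f(4, x2, x3, x4)
    for m in group:
        m.on_join(4, c)
    group.append(joiner)
    k_after_join = rekey_round(group, 1)             # f(1,2,4,1) = 0
    return k_initial, k_after_leave, k_after_join


def random_run(t=4, q=2**61 - 1, seed=7):
    """Larger instance with a fresh session timestamp per rekeying.  Assumption for this
    example: node IDs lie below 2**32 and c = 2**32 is outside the ID space."""
    rng = random.Random(seed)
    poly = gen_symmetric(t, q, rng)
    ids = rng.sample(range(1, 2**32), t)             # a full group of t members
    c = 2**32
    group = [Member(u, poly, [v for v in ids if v != u], q) for u in ids]
    k_session1 = rekey_round(group, 1_700_000_000)
    revoked = group.pop(0)
    for m in group:
        m.on_leave(revoked.sid, c)
    k_session2 = rekey_round(group, 1_700_000_060)
    # the revoked node keeps its share, but K_G is now evaluated at a point without
    # SID_r, which f(SID_r, x_2, ..., x_{t+1}) cannot produce
    return k_session1 != k_session2, revoked.group_key(1_700_000_060) != k_session2
```

`paper_example()` returns `(16, 13, 0)`: the initial key, the key after Sensor 3 is revoked (which the text does not print; it is $f(1, 2, 1, 1) \bmod 17$), and the key after Sensor 4 joins. `random_run()` returns `(True, True)`. In the paper's toy example $c = 1$ coincides with $SID_1$ and with the timestamp; by symmetry the derived key is unaffected, but $c$ must never equal the revoked node's own identifier, since $f(\ldots, SID_r, \ldots)$ is exactly the kind of point the revoked share can evaluate, which is why the larger run keeps $c$ outside the identifier space.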

4. Security Analysis

4.1. Threat Model

The following assumptions are adopted in the security analysis:
1.
The base station is trusted and cannot be compromised.
2.
The adversary can eavesdrop, replay, modify, and inject messages over wireless channels.
3.
The adversary may physically capture a limited number of sensor nodes and extract their stored information.
4.
The number of compromised nodes is assumed not to exceed the polynomial threshold $t$.
5.
Legitimate sensor nodes can obtain synchronized timestamps within a tolerance window.
Under these assumptions, the proposed scheme is evaluated against impersonation attacks, replay attacks, node capture attacks, and collusion attacks.

4.2. Security Requirements

We list the security requirements before security analysis. A secure group rekeying scheme must have the following characteristics:
1.
Information exchanged among members of the same group is confidential: non-members cannot eavesdrop, and the secret data is not revealed even to a sensor that merely forwards it as an intermediate node.
2.
When the base station identifies a compromised node, the scheme protects the legitimate sensors through group rekeying.
3.
A sensor cannot get previous information while entering the group. Moreover, a sensor cannot get future information while leaving the group. In other words, the proposed scheme must have backward and forward secrecy.
4.
According to the requirement of the WSN, the proposed scheme has to implement lightweight group rekeying.

4.3. Resistance to Insider Attacks

This section analyzes the typical attack models for insiders and outsiders. An outsider is an adversary with no information beyond what is publicly available. An insider is an adversary who has obtained secret material issued by the base station, for example the polynomial share of a captured sensor.
To mount such an attack, the adversary must know the base station's private multivariate polynomial or a sensor's secret polynomial share. Since these are known only to their owners, the adversary cannot succeed as long as the polynomials remain secret.
1.
Impersonation attack prevention: The base station loads a unique secret polynomial share into each sensor before deployment. Hence, the adversary cannot impersonate a sensor as long as the polynomials remain secret.
2.
Backward and forward secrecy: During node leaving or joining, each group member updates the substituted variables of its polynomial to keep forward and backward secrecy. In addition, each sensor has a unique identity, which ensures that every preloaded polynomial is unique.
3.
Node capture resilience: The proposed scheme inherits the threshold security property of polynomial-based key pre-distribution. An adversary must compromise more than t sensor nodes to reconstruct the underlying symmetric polynomial. Therefore, as long as the number of compromised nodes does not exceed the polynomial degree threshold, communications among uncompromised nodes remain secure. Consequently, the proposed scheme provides resilience against limited node capture attacks rather than perfect resistance.

4.4. Resistance to Outsider Attacks

A personal secret polynomial share, together with encryption under the derived key, gives our scheme data confidentiality, and the timestamp binds each key to its session. An eavesdropper therefore learns no secret information.
1.
Replay attack prevention: Because the timestamp is an argument of the polynomial, a message replayed from an earlier session was protected under an old timestamp and does not match the current session key; all sensors synchronize on the timestamp supplied by the base station, so the group members compute the same secret value within a session.
2.
Authentication of the rekeying messages: The rekeying messages carry only node identifiers and the session timestamp, and the compromised node is identified by the base station itself through its compromised-node locator scheme. A forged identifier gives the adversary no polynomial share and hence no key.

4.5. Quantitative Security Analysis

Table 3 is a comparison of security among the proposed scheme and other schemes. Compared to the other schemes, the proposed scheme offers the following distinct advantages in security:
1.
Superior resilience to collusion (vs. ASW-GR [24], PRKC [25], BIBD [26,27]): The polynomial key distribution scheme has a classic threshold property: as long as the number of compromised nodes does not exceed the degree $t$ of the polynomial, an attacker cannot reconstruct the complete symmetric polynomial and therefore cannot break the communication between other unaffected nodes. This gives a mathematical security boundary. In ASW-GR [24], by contrast, collecting the $P_i$ values and the corresponding residual values of several nodes may let a collusion attack deduce the overall broadcast parameters more easily. The PRKC scheme [25] relies mainly on pseudo-random sequences and keychains generated at the physical layer; it is lightweight, but if an attacker can observe the physical-layer characteristics or break the current keychain logic, the security of all subsequent keys may be affected. Against multi-node collusion, the polynomial scheme has more explicit mathematical support.
The security strength of the proposed scheme is determined by the threshold parameter $t$ of the symmetric polynomial. An adversary must compromise more than $t$ sensor nodes to reconstruct the polynomial, so the probability of successful reconstruction is
$$P_{break} = 0, \qquad m \le t,$$
where $m$ denotes the number of compromised nodes; only when
$$m > t$$
does polynomial reconstruction become possible. The proposed scheme therefore does not offer unconditional protection against unlimited node capture; its security is threshold-like, with a hard mathematical boundary at $t$, and within that bound an adversary can derive neither the complete polynomial nor future group keys.
BIBD schemes [26,27] distribute the key space across the blocks of a combinatorial design. Their drawback is that if an attacker captures a set of nodes whose keys happen to cover the other blocks, the security of the entire system collapses quickly. Unlike BIBD, where capturing a specific set of nodes can compromise the entire key pool, or PRKC, which relies on link synchronization, the polynomial scheme keeps the rest of the network perfectly secure as long as the number of compromised nodes is at most $t$.
2.
Enhanced Forward and Backward Secrecy: In the proposed symmetric polynomial scheme, key updates are based on the replacement of polynomial variables (e.g., incorporating timestamps or specific dynamic parameters). The main advantage is that even if an attacker cracks the “past” group key, they cannot deduce the “future” key (forward security); similarly, newly joined nodes cannot revert to previous communications (backward security). In comparison to ASW-GR [24], while ASW-GR also has an update mechanism, its security heavily relies on the strict management of the X value and the prime number P i sent by the server. Once the parameter allocation logic on the server side is compromised, the affected scope is wide.

4.6. Discussion on Base Station Compromise

The security of the proposed scheme depends on the integrity of the base station (BS), which acts as the trusted authority during key management. This assumption is common in polynomial-based key pre-distribution schemes because the BS generates and distributes the polynomial shares. If the BS is fully compromised, an adversary obtains the polynomial generation parameters and the security of the entire network is affected.
In practical deployments the BS may be the target of sophisticated attacks, so the security guarantees of the proposed scheme hold only while the BS remains operational and uncompromised. The scheme therefore focuses on sensor-node compromise, eavesdropping, replay, and collusion attacks; protecting the BS itself is beyond the scope of this work and remains an important direction for future research.

5. Performance Evaluation

In this section, we evaluate the performance of the proposed scheme in three aspects: computational overhead, communication overhead, and storage requirement. In the analysis, we let BS, L, I, N, UP, and t denote the base station, the length of the sensor ID, the length of the key, the number of rekeying sensors, the univariable polynomial, and the number of coefficients, respectively.

5.1. Computational Overhead Analysis

Depending on whether the base station participates, schemes are classified as centralized or distributed; the computational overhead of each is as follows. In Hugh et al.’s scheme [28], the base station is used to lighten the load on the sensors. First, the base station must encrypt each sensor’s rekeying message, so the number of encryptions at the base station is N, and the number of sensors that decrypt is N. The total cost is N encryptions for the BS and N decryptions for the sensors. In the interactive Blundo et al. scheme [10], the base station has no computation cost because the scheme is distributed. In the direct key establishment phase, the starter needs to compute temporary keys and public values for N − 1 sensors, and then the N − 1 non-starter sensors also have to derive the secret values. Finally, the total computational cost is 2(N − 1) for the BS and 2(N − 1) for the sensors.
In our scheme, each sensor computes one multivariable polynomial. For the convenience of the comparison, we initially define that one multivariable polynomial is similar to (N − 1) univariable polynomials. We can see that there is little cost overhead during rekeying of the group key. Because the polynomial variable is just substituted with each sensor node ID, our method may make better use of the computational resources.
Estimated Execution Time Analysis: Although the primary objective of this work is to reduce computational complexity, practical execution time is also an important consideration in WSN environments.
To provide a realistic estimation, we assume a typical low-power sensor node equipped with a microcontroller operating at 16–32 MHz. Since the proposed scheme mainly involves polynomial evaluation and simple arithmetic operations over a finite field, its computational cost is significantly lower than that of public key cryptographic approaches.
Assuming that a single finite-field multiplication requires approximately 10–20 μs and a polynomial evaluation consists of several multiplication and addition operations, the total execution time of the proposed rekeying process is estimated to be within a few milliseconds.
Because no modular exponentiation, elliptic-curve operations, or repeated encryption/decryption procedures are required, the proposed scheme is suitable for resource-constrained WSN devices.

5.2. Communication Overhead Analysis

In terms of communication overhead, in Hugh et al.’s scheme [28] the base station sends N messages to the sensors, and then the m middle sensors need to forward these messages to the N sensors. Finally, each sensor receives one message of size (L + I). Hugh et al.’s scheme spends 2(NL + NI + mNL) on communication. In Blundo et al.’s interactive scheme [10], we do not have to count the overhead of the base station and the middle sensors; we focus on the members of the group rekeying. The starter sensor transmits N − 1 messages, and then each non-starter sensor receives a message. Moreover, (N − 2)I must be spent because each sensor should broadcast its ID and receive the N − 1 IDs of the member sensors. Hence, the communication consumption of Blundo et al.’s interactive scheme is 2(N − 1)L + (N − 2)I. In the proposed scheme, we do not have to send public values to another sensor. Each sensor only needs to receive (N − 1) sensor IDs and send its own ID. For this reason, the overhead of our scheme is lower than that of the other schemes; in other words, our scheme saves communication overhead very efficiently. Regarding storage, Hugh et al.’s scheme requires the base station to store N keys for message encryption, and each sensor to store one key for message decryption. In Blundo et al.’s interactive scheme, each sensor needs to store one (N − 1)-member t-coefficient polynomial.

5.3. Storage Requirement Analysis

In the proposed symmetric polynomial scheme, nodes only need to store the coefficients of a polynomial of order t. Storage space increases linearly with t and is not directly correlated with the overall network size N. The BIBD schemes [26,27] need to ensure high network connectivity; each node typically needs to pre-store a large number of keys. As the number of network nodes N increases, the number of keys borne by each node often increases significantly in order to maintain the properties of BIBD (such as the parameters λ, k, etc.).
The improvement achieved by the proposed scheme originates from eliminating the transmission of rekeying parameters and public values during group membership updates.
In the interactive scheme of Blundo et al. [10], the initiator must generate and distribute temporary keys and public values to all participating nodes during each key establishment process. Consequently, the communication overhead grows with the group size.
In the proposed scheme, all nodes already possess polynomial shares. Rekeying is performed through local polynomial variable substitution and timestamp updates. Therefore, no temporary keys, public values, or additional key distribution messages are required. Only node identifiers are exchanged, resulting in lower communication overhead and reduced computational complexity.

5.4. Security Comparison

Table 4 is a comprehensive comparison of the proposed scheme and other schemes. The ASW-GR scheme [24] focuses on minimizing terminal computation using large number theory (CRT), while the proposed symmetric polynomial scheme focuses on enhancing network resilience and independence using the mathematical properties of polynomials. Although ASW-GR has a significant advantage in single-process speed, the symmetric polynomial scheme has the following key advantages:
1. Autonomy Advantage: The proposed symmetric polynomial scheme allows nodes to establish pairwise keys in certain situations through simple parameter exchanges (such as swapping IDs and evaluating the polynomial) after pre-distributing polynomial coefficients, without having to wait for the base station (BS) to broadcast CRT messages each time. In comparison, the ASW-GR scheme [24] heavily relies on the base station to calculate and send the CRT combination value X. If the base station disconnects or communication is disrupted, the node will be unable to update the group key.
2. Structural Stability: Advantages include independence from large integer arithmetic libraries. The proposed polynomial operations primarily involve addition and multiplication. Although the cost appears as (N − 1) UP, the numerical range of these operations can usually be controlled within a small finite field. In comparison, the ASW-GR scheme [24] uses CRTs; as the number of group members N increases, the product of CRT values becomes extremely large, placing high demands on sensor storage space and on libraries for handling large integer operations.
3. Improved Group Member Management Flexibility (Node Revocation/Join): The proposed symmetric polynomial scheme uses the properties of polynomials; when a node is revoked, the base station (BS) only needs to broadcast a new parameter. The remaining legitimate nodes can independently calculate the new key, while the revoked node, lacking the updated parameter, cannot decrypt. The PRKC scheme [25] emphasizes “transmission-triggered” key updates (automatically refreshed during communication). When dynamic changes in group membership are involved (such as removing a specific node), the PRKC scheme typically requires a more complex resynchronization process or a restart of a new keychain, making management overhead quite heavy when nodes change frequently.
In the proposed symmetric polynomial scheme, when processing node additions or departures, only one variable of the polynomial needs to be updated (e.g., incorporating a new timestamp or version number), and all legitimate nodes can be updated synchronously. Although the BIBD scheme (nested BIBD) [26,27] improves hierarchical management, combinatorial designs often require the reallocation of blocks or the updating of a large number of key mapping tables when facing large-scale “revocations,” making the management computational logic more complex than simple polynomial evaluation.
4. Peer-to-Peer Independence: The proposed pre-distributed polynomials allow any two nodes to establish a one-to-one pairwise key simply by exchanging their IDs without base station intervention. This is highly advantageous when the network is unstable or the base station is temporarily offline. The PRKC scheme [25] is more commonly used for continuous updates of point-to-point or broadcast links, and its keychain synchronization is highly dependent on the success of the previous communication. If severe packet loss occurs, the keychains between nodes may lose synchronization, requiring additional mechanisms for recovery.
In the proposed symmetric polynomial scheme, any two nodes i and j can calculate their shared key f(i, j) simply by exchanging their IDs and substituting them into their respective polynomial shares f(i, y) and f(j, y). No base station intervention is required, nor is it necessary to pre-store the shared key. The BIBD schemes [26,27] are based on a combinatorial design; nodes must possess shared key identifiers to communicate. If the block designs of two nodes do not overlap, they cannot establish a direct connection and must use path forwarding, increasing communication latency and complexity.
5. Theoretical Soundness of Mathematical Proofs: The proposed symmetric polynomial scheme is based on classical polynomial key pre-distribution theory; the security strength can be calculated precisely. While the PRKC scheme [25] passed randomness tests such as NIST SP 800-22, its security is based more on statistical randomness and the unpredictability of physical-layer characteristics than on hard problems in computational complexity.

5.5. Scalability Analysis

To further evaluate the efficiency of the proposed scheme, we analyze the communication overhead, computation cost, and storage requirement as the number of sensor nodes increases.
Table 4 illustrates the performance. The results demonstrate that the communication overhead of the proposed scheme increases more slowly than that of the compared schemes because no temporary public values or rekeying parameters need to be distributed among group members.
Similarly, the computation cost remains relatively stable because each node performs only one polynomial evaluation and one timestamp update during rekeying. In contrast, the compared schemes require multiple encryption, decryption, or temporary-key computations.
The storage requirement of the proposed scheme depends mainly on the polynomial coefficients and is independent of the number of participating nodes, thereby providing better scalability for large-scale WSN deployments.

5.6. Timestamp-Based Rekeying Discussion

In conventional rekeying approaches, a new constant value must be generated and distributed whenever a membership change occurs. This requires explicit propagation of the updated value to all legitimate nodes and introduces additional management overhead.
In contrast, the proposed scheme employs a session timestamp that is already available in the rekeying message. Therefore, no additional parameter distribution is required beyond the normal rekeying notification. As a result, the timestamp-based approach simplifies key synchronization and improves scalability in dynamic WSN environments.
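To make the pairwise-key derivation of Section 5.4 (item 4) and the timestamp-based group rekeying described above concrete, the following Python example is added here; it is not the paper's or the authors' code. The prime q, the dictionary representation, the node IDs 1001–1003 and the timestamps are constructed assumptions, and placing T_s in the last variable of a (k+1)-variable symmetric polynomial is one way to model the scheme rather than the authors' exact construction.

```python
"""Symmetric multivariable polynomial key pre-distribution over GF(q).
Added example, not the paper's code: the dict layout, the prime q, the
sample node IDs and the timestamps are all constructed for illustration."""
import itertools
import random

Q = 2**61 - 1   # prime q of the finite field GF(q); constructed choice


def gen_symmetric_poly(m, t, rng):
    """Random symmetric polynomial in m variables, degree <= t per variable,
    stored as {exponent tuple: coefficient}. Symmetry holds because one
    coefficient is drawn per sorted exponent tuple and reused for all of
    that tuple's permutations."""
    drawn, poly = {}, {}
    for exps in itertools.product(range(t + 1), repeat=m):
        canon = tuple(sorted(exps))
        if canon not in drawn:
            drawn[canon] = rng.randrange(Q)
        poly[exps] = drawn[canon]
    return poly


def substitute(poly, value):
    """Bind the first free variable to `value` (the scheme's 'variable
    substitution' step), yielding a polynomial in one variable fewer."""
    out = {}
    for exps, coeff in poly.items():
        rest = exps[1:]
        out[rest] = (out.get(rest, 0) + coeff * pow(value, exps[0], Q)) % Q
    return out


def evaluate(poly, values):
    """Bind every remaining variable and return the resulting field element."""
    for v in values:
        poly = substitute(poly, v)
    return poly[()]


def predistribute(poly, node_ids):
    """Base station step: node i stores the share f(SID_i, x_2, ..., x_m),
    i.e. only polynomial coefficients, independent of the network size."""
    return {sid: substitute(poly, sid) for sid in node_ids}


def pairwise_key(share_i, sid_j):
    """Node i derives K_ij from its own share and node j's ID (bivariate f);
    no base station and no pre-stored shared key are involved."""
    return evaluate(share_i, [sid_j])


def group_key(share_i, other_ids, ts):
    """Node i derives K_G from its share, the other members' IDs and the
    session timestamp T_s in the last variable; by symmetry every member
    obtains the same value whatever the order of the IDs."""
    return evaluate(share_i, list(other_ids) + [ts])


def fresh(ts, local_ts, delta_t):
    """Accept a rekeying message only if T_s lies within the tolerance window
    Delta_T of the receiver's clock; stale timestamps are rejected (replay)."""
    return abs(ts - local_ts) <= delta_t


def setup(seed=7, ids=(1001, 1002, 1003), t=2):
    """Deterministic toy network: bivariate shares for pairwise keys and
    (k+1)-variable shares for a k-member group key with a timestamp slot."""
    rng = random.Random(seed)
    pair_shares = predistribute(gen_symmetric_poly(2, t, rng), ids)
    grp_shares = predistribute(gen_symmetric_poly(len(ids) + 1, t, rng), ids)
    return list(ids), pair_shares, grp_shares


def demo():
    ids, pair_shares, grp_shares = setup()
    k_12 = pairwise_key(pair_shares[1001], 1002)
    assert k_12 == pairwise_key(pair_shares[1002], 1001)      # f(i, j) == f(j, i)
    old = [group_key(grp_shares[i], [j for j in ids if j != i], 1700000000) for i in ids]
    new = [group_key(grp_shares[i], [j for j in ids if j != i], 1700000600) for i in ids]
    assert len(set(old)) == 1 and len(set(new)) == 1          # all members agree
    assert old[0] != new[0]            # a new T_s yields a different group key
    return k_12, old[0], new[0]


if __name__ == "__main__":
    print(demo())
```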

5.7. Discussion on Evaluation Methodology

The primary objective of the proposed scheme is to reduce the communication, computation, and storage costs associated with group rekeying operations in wireless sensor networks. Therefore, the evaluation focuses on the complexity of key management procedures rather than network-layer performance metrics.
Simulation platforms such as NS-3 are widely used to evaluate routing protocols, packet delivery ratios, end-to-end delays, throughput, and other network communication behaviors. In contrast, the proposed work addresses a cryptographic key management mechanism whose performance is mainly determined by the number of transmitted messages, polynomial evaluations, and storage requirements. These metrics can be directly quantified through analytical evaluation and are independent of the underlying routing protocol and network topology.
To strengthen the evaluation, this study provides quantitative comparisons of communication overhead, computation cost, storage requirement, scalability analysis under different network sizes, and estimated execution latency. Since the proposed scheme does not modify packet forwarding, routing decisions, medium access control, or transport-layer behavior, packet-level simulation in NS-3 would have limited influence on the key management complexity results reported in this work.
Nevertheless, future work may incorporate NS-3-based simulations to investigate the impact of wireless channel conditions, packet loss, and network latency on the practical deployment of the proposed rekeying mechanism.

6. Conclusions

In this paper, we have proposed a group rekeying protocol using the symmetric polynomial. Our scheme combines a symmetric polynomial with a timestamp. According to the performance evaluation comparisons, the proposed scheme is more practical than the related works. In addition, our proposed scheme has accomplished forward secrecy successfully; moreover, the proposed scheme is more efficient in communication overhead. In the future, we will put forward a scheme for improving the limitations of symmetric polynomials. We believe that the storage requirement will be reduced.

Author Contributions

N.-I.W. proposed the idea and reviewed the methodology and manuscript. Y.-C.L. wrote this paper and discussed the methodology. M.-S.H. supervised, discussed, and reviewed this manuscript. All authors have read and agreed to the published version of the manuscript.

Funding

The National Science and Technology Council, Taiwan (ROC), under contract nos. NSTC 113-2221-E-468-016 and NSTC 112-2221-E-468-007, partially supported this research.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

1. Duan, H. DV-Hop Localization in Wireless Sensor Networks Based on Hybrid Firefly Particle Swarm Optimization. Int. J. Netw. Secur. 2025, 27, 35–45.
2. Tu, Y.; Ding, G. Homomorphic Encryption Data Fusion Technology for Wireless Sensor Networks in Smart Cities. Int. J. Netw. Secur. 2026, 28, 137–146.
3. Tumma, C. AI-driven cybersecurity solutions for enhancing IoT network security: A comprehensive approach. Int. J. Progress. Res. Eng. Manag. Sci. 2025, 5, 1235–1246.
4. Dai, H.; Xu, H. Key predistribution approach in wireless sensor networks using LU matrix. IEEE Sens. J. 2010, 10, 1399–1409.
5. Yu, H.; Yu, Y.; Li, S.; Li, Y. Real-time Rice Monitoring Method Based on BeiDou Satellite System and Encrypted Communication in Smart Sensor Networks. Int. J. Netw. Secur. 2026, 28, 269–279.
6. Perrig, A.; Szewczyk, R.; Wen, V.; Culler, D.; Tygar, J.D. SPINS: Security protocols for sensor networks. In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, Rome, Italy, 16–21 July 2001; pp. 189–199.
7. Rivest, R.; Shamir, A. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 1978, 2, 120–126.
8. Blake, I.; Seroussi, G.; Smart, N. Elliptic Curves in Cryptography; Technical Report; Cambridge University Press: Cambridge, UK, 1999.
9. Eschenauer, L.; Gligor, V. A key management scheme for distributed sensor networks. In Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, USA, 18–22 November 2002; pp. 41–47.
10. Blundo, C.; Santis, A.D.; Herzberg, A.; Kutten, S.; Vaccaro, U.; Yung, M. Perfectly-secure key distribution for dynamic conferences. Lect. Notes Comput. Sci. 1993, 20, 57–64.
11. Du, W.; Deng, J. A pairwise key pre-distribution scheme for wireless sensor networks. In Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, 27–30 October 2003.
12. Liu, D.; Ning, P. Establishing pairwise keys in distributed sensor networks. In Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, 27–30 October 2003.
13. Hou, S.; Ren, J.; Xu, Y. Evolutionary Game Based Tripartite Attack and Defense Model in Wireless Sensor Network. Int. J. Netw. Secur. 2026, 28, 390–400.
14. Shen, Y. The Problem of Extreme Value Falling into Local Optimal Solution in Anomaly Detection in Wireless Sensor Networks. Int. J. Netw. Secur. 2025, 27, 323–329.
15. Chan, H.; Perrig, A. Security and privacy in sensor networks. Computer 2003, 36, 103–105.
16. Zhu, S.; Setia, S.; Jajodia, S. LEAP: Efficient security mechanisms for large-scale distributed sensor networks. In Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, 27–30 October 2003; pp. 27–30.
17. Zhang, W.; Cao, G. Group rekeying for filtering false data in sensor networks: A predistribution and local collaboration-based approach. In Proceedings of the IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies, Miami, FL, USA, 13–17 March 2005.
18. Cao, L.; Zhang, Y.; Liang, M.; Cao, S. An Improved User Identity Authentication Protocol for Multi-Gateway Wireless Sensor Networks. Int. J. Netw. Secur. 2022, 24, 713–726.
19. Zhang, Q.; Tan, Y.; Zhang, L.; Wang, R. Combined key management scheme in wireless sensor networks. Sens. Lett. 2011, 9, 1501–1506.
20. Lu, Y.; Hwang, M. A Cryptographic Key Generation Scheme without a Trusted Third Party for Access Control in Multilevel Wireless Sensor Networks. Int. J. Netw. Secur. 2022, 24, 959–964.
21. Sun, K.; Ning, P.; Wang, C. Fault-tolerant cluster-wise clock synchronization for wireless sensor networks. IEEE Trans. Dependable Secur. Comput. (TDSC) 2005, 2, 177–189.
22. Chan, H.; Perrig, A. PIKE: Peer intermediaries for key establishment in sensor networks. In Proceedings of the 24th Conference of the IEEE Communications Society (Infocom 2005), Miami, FL, USA, 13–17 March 2005.
23. Janani, V.S.; Manikandan, M.S.K. An Efficient Genetic Based Broadcast Stateless Group Key Management Scheme with Dynamic Rekeying in Mobile Ad-Hoc Networks. Wirel. Pers. Commun. 2019, 105, 857–876.
24. Wu, S.; Zhang, A.; Luo, H.; Chen, J. CRT-based group rekeying with efficient dynamically aggregate signature for IoMT. Ad Hoc Netw. 2024, 159, 103501.
25. Uchiteleva, E.; Hussein, A.R.; Shami, A. Lightweight Dynamic Group Rekeying for Low-Power Wireless Networks in IIoT. IEEE Internet Things J. 2020, 7, 4972–4986.
26. Kumari, P.; Singh, K.R. Re-keying analysis in group key management of wireless sensor networks. Cryptogr. Commun. 2024, 16, 665–677.
27. Kumari, P.; Ratan Singh, K. Re-keying in Group Key Management for Wireless Sensor Network Using Nested Balanced Incomplete Block Designs. IETE J. Res. 2025, 71, 2931–2943.
28. Hugh, H.; Muckenhirn, C.; Rivers, T. Group Key Management Protocol Architecture; Technical Report; Request for Comments (RFC): Wilmington, DE, USA, 1997.
Table 1. Notation definitions.

Symbol | Description
q | A large prime number defining the finite field GF(q)
t | Polynomial degree and security threshold
k | Number of participating sensor nodes
SID_i | Unique identifier of sensor node S_i
f(·) | Symmetric multivariable polynomial
T_s | Timestamp of the current session
K_G | Group key generated from the polynomial
ΔT | Synchronization tolerance window
n | Total number of deployed sensor nodes

Table 2. Transmitted data during rekeying.

Phase | Sender | Message Content
Key Establishment | Sensor Node | SID_i
Node Leave | Base Station | {ID_r, T_s}
Node Join | Base Station | {ID_j, T_s}
Node Join | Base Station (to S_j) | Polynomial share f(SID_j, x_2, ..., x_{t+1})

Table 3. Comparison of security among the proposed scheme and other schemes.

Items | ASW-GR [24] | PRKC [25] | BIBD [26,27] | Ours
Security Basis | Integer Congruence | PHY-layer Randomness | Block Covering Property | t-degree Threshold
Key Establishment | Broadcast (via X value) | Chaining (Synchronized) | Conditional (Shared Keys) | Direct (via Node ID)
Security Level | Medium | Low | Medium | High (Safe up to t nodes)
BS Dependency | High (Needs X update) | Medium | Medium | Low (Independent)
Rekeying Process | CRT Reconstruction | Chain Resync | Map/Pool Update | Variable Substitution

Table 4. Comprehensive comparison of the proposed scheme and other schemes.

Items | ASW-GR [24] | PRKC [25] | BIBD [26,27] | Ours
Core Technology | Chinese Remainder Theorem | Key Chaining (PRKC) | Combinatorial Design | Multivariable Polynomial
Storage Overhead | Low (Prime/Tokens) | Very Low (Current Key) | High (Key Pools) | Low (t Coefficients)
Connectivity | Full (Server-based) | Point-to-Point | Probabilistic | 100% Deterministic
Environment | Medical IoMT | Industrial IIoT | Hierarchical WSNs | Hostile WSNs
Main Advantages | Minimized Sensor Cost | Lightweight, Real-time | Hierarchical Structure | Autonomous, Collusion-resilient
Wu, N.-I.; Lu, Y.-C.; Hwang, M.-S. An Efficient and Secure Group Rekeying Scheme for WSNs via Symmetric Polynomial Key Pre-Distribution. Electronics 2026, 15, 2631. https://doi.org/10.3390/electronics15122631