• Open Access

Novel distributed key revocation scheme for wireless sensor networks

Authors

  • Chih-Hung Chao,

    1. Department of Library and Information Center, National University of Kaohsiung, Kaohsiung City, Taiwan
    Search for more papers by this author
  • Ching-Fang Yang,

    1. Department of Electrical Engineering, Institute of Computer and Communication Engineering, National Cheng Kung University, Tainan City, Taiwan
    Search for more papers by this author
  • Po-Ting Lin,

    1. Department of Electrical Engineering, Institute of Computer and Communication Engineering, National Cheng Kung University, Tainan City, Taiwan
    Search for more papers by this author
  • Jung-Shian Li

    Corresponding author
    • Department of Electrical Engineering, Institute of Computer and Communication Engineering, National Cheng Kung University, Tainan City, Taiwan
    Search for more papers by this author

Correspondence: Jung-Shian Li, Department of Electrical Engineering, Institute of Computer and Communication Engineering, National Cheng Kung University, Tainan City 701, Taiwan.

E-mail: jsli@mail.ncku.edu.tw

ABSTRACT

Key revocation plays an essential role in ensuring the confidentiality of wireless sensor networks following the compromise of one or more of the network nodes. The distributed key revocation protocol presented by Chan et al. has a rapid reaction time and avoids the single-point failure problem inherent in centralized schemes. However, the scheme is computationally complex, requires a large storage space, and incurs high communication overheads. Accordingly, this paper proposes a novel distributed, scalable, and cost-effective key revocation scheme based on Blom's t-secure property. In the proposed approach, any node identified as having a malicious behavior by t or more sensor nodes is categorized as a compromised node, and its keys are immediately revoked from the entire network. The proposed scheme not only satisfies the rigorous definition of a distributed key revocation protocol but also yields a significant improvement over Chan's revocation scheme in terms of a lower storage space requirement, a reduced communication overhead, and a lower computational cost. Copyright © 2013 John Wiley & Sons, Ltd.

1 INTRODUCTION

Wireless sensor networks (WSNs) are specialized ad hoc networks comprising numerous low-cost and limited-power sensor nodes and are designed to perform a wide variety of applications, including military sensing and tracking, environmental monitoring, patient monitoring and tracking, and so on. When the sensor nodes are deployed in hostile areas, maintaining the security of the network is a crucial concern. The security of the WSN is based on the robust key management mechanism. However, the key management task in WSNs is more complicated than that in traditional networks because WSNs have no fixed infrastructure, large-scale deployments with no prior knowledge of the node locations, limited capacity resources, and the risk of one or more of the nodes being physically captured by adversaries. Thus, a robust key management is important to WSN.

There are many network attack detection mechanisms in the literature. The intrusion detection mechanisms are used to detect the abnormal behaviors and are generally classified into misuse intrusion detection (MID) and anomaly-based intrusion detection (AID) [1]. MID algorithms are designed to detect the attacks exhibiting certain unique characteristics. The network must be constantly monitored to detect the activity that matches the attack signatures. AID mechanism can detect unknown attacks when the adversary's behavior deviates from the normal rules. Each sensor node monitors its neighbors to keep track of the abnormal behavior. Any malicious node will trigger a secure alarm in its neighbors. However, normal profiles are usually difficult to specify, and it is a challenge to distinguish between false alarms and real intrusions. Besides, there are two kinds of mechanisms to detect malicious nodes: single-sensing detection and multiple-sensing detection. In the single-sensing detection, the adversary can be detected by a single node. On the other hand, the multiple-sensing detection can detect the malicious node by multiple collaborating nodes [2]. Generally speaking, the judgment provided by a single node might be inadequate for detecting the adversary because of the insufficient information.

Key management includes two basic tasks, namely key distribution and key revocation. Key distribution is the task of distributing secret keys to the sensor nodes within the WSN to facilitate secret communications between them. Meanwhile, key revocation is the task of withdrawing the key information relating to any nodes that have been compromised to ensure the continued confidentiality of the network. Although the literature contains many studies discussing the key predistribution issue [3-7], the key revocation problem has attracted relatively less attention [8-10].

Generally speaking, existing key revocation methods can be categorized as either centralized or distributed depending on the level of authority used to make the revocation decision. In centralized key revocation schemes, the decision to revoke a particular node and the subsequent broadcasting of a revocation message take place at a single designated authority. Eschenauer and Gligor [5] proposed a key revocation scheme based on a random key allocation method in which revocation messages containing all the key identifiers possessed by a compromised node were broadcast by controller nodes with a large communication range or a mobile capacity. To prevent adversaries from tampering with the information, each controller generates a signature key Ke to sign the broadcast message and distributes it to all the uncompromised nodes by encrypting it with a key Kci (note that each node preloads the key Kci and the key is shared by ith controller with each sensor node). After the uncompromised nodes obtain the signature key Ke, they verify the broadcast message. If the message is successfully verified, the corresponding key is removed from the nodes' key rings. The nodes then enter a share-key discovery phase or a path-key establishment phase to reestablish secure links with all their neighboring nodes. In [10], Wang et al. proposed an efficient centralized key revocation scheme designated as KeyRev for removing compromised keys via a key-updating mechanism. The scheme uses a group key distribution concept to assign a session key that can generate new available communication key by processing the preloaded information in each node.

However, as with all centralized schemes, EG scheme is liable to the single-point failure problem. By contrast, in decentralized schemes, the revocation process is invoked by local neighboring nodes. Chan et al. [3] proposed a preliminary distributed revocation scheme in which votes are preloaded in the participant nodes together with a pairwise key associated with the target node. Chan's revocation scheme assumes that the keys are random pairwisely distributed in the network. In other words, each node has a unique identification and is matched up with m other randomly selected distinct node IDs. A pairwise key is generated for each pair of nodes and is stored in the key rings of both nodes, thereby facilitating node-to-node authentication. In the revocation protocol, once the voting verification process has been successfully completed, the corresponding node ID is marked as revoked, and a message to this effect is disseminated to all the other nodes in the network. On receiving the revocation message, the nodes remove the keys corresponding to the revoked node ID from their key rings, thereby eliminating the node from the network. However, the revocation protocol uses the Merkle hash tree [11], and thus, each node must store not only the revocation votes received from the other nodes in the network but also the hash values required to authenticate these messages. As a result, the vote verification mechanism leads to a significant increase in the storage space requirement, communication cost, and computational complexity of the revocation protocol. To eliminate the target node, the participant nodes are required to execute a network-wide broadcast of their votes and verifiable information. Once vote messages have been broadcast by more than t participant nodes, each participant deletes the pairwise key corresponding to the target node. However, the proposed scheme requires network-wide broadcasts and lacks a session concept. Consequently, the network has a large communication overhead and is susceptible to replay attacks. In a later study [8], Chan et al. proposed an improved distributed key revocation scheme (referred to as Chan's revocation scheme) based on [3] and defined the five basic properties necessary for a distributed key revocation protocol that not only overcame the single-point failure problem but also enabled a rapid reaction in the event that one or more of the sensor nodes were compromised by a malicious attacker.

Distributed revocation methods have no need to communicate with a central authority and are therefore both more efficient than centralized methods and more robust toward the risk of single-point failures. However, in the distributed scheme, all of the neighboring nodes may have qualification have the authority to revoke compromised nodes. Consequently, a risk exists that legitimate nodes may be revoked by a malicious node. Therefore, distributed key revocation schemes are generally more complex than centralized schemes.

The present study proposes an alternative distributed key revocation scheme based on Blom's t-secure property [12]. In the proposed approach, any node voted against by a minimum of t sensor nodes is assumed to have been compromised such that its confidentiality can no longer be assured. Accordingly, once the votes cast against the node have been verified, the corresponding key is revoked and removed from all the nodes in the network. The decentralized approach adopted in the proposed scheme reduces the storage space requirement, communication cost, and computational complexity compared with the method proposed in [8] and therefore renders the scheme more suitable for key revocation in large-scale WSNs. Moreover, it is shown that the proposed method satisfies the five basic properties of a distributed key revocation protocol defined in [8] and provides an effective protection against all common forms of network attack.

The goal of the distributed revocation scheme proposed in this study is to enable all the sensor nodes within communication range of one another to detect any neighbors with a malicious behavior and to revoke the corresponding nodes if required. The main contributions of this paper can be summarized as follows:

  1. The proposed protocol satisfies the rigorous definitions of a distributed key revocation protocol defined in [8], namely completeness, soundness, bounded time revocation completion, unitary revocation, and revocation attack resistance.
  2. The proposed scheme has a lower storage space requirement, communication overhead, and computational complexity than Chan's revocation scheme and therefore provides a more cost-effective solution for large-scale wireless sensor networks.

The remainder of this paper is organized as follows. Section 2 describes the attack model and assumptions and then presents the details of the proposed key revocation scheme. Section 3 shows that the proposed scheme satisfies the five properties of a distributed key revocation protocol. Section 4 compares the performance of the proposed revocation scheme with that of Chan's scheme in terms of the storage space requirement, the communication overhead, and the computational complexity, respectively. Finally, Section 5 presents some brief concluding remarks.

2 SYSTEM ARCHITECTURE

This section describes the distributed key revocation protocol proposed in this study based on the random pairwise distribution scheme presented by Chan et al. [3]. Table 1 defines the notations utilized in the protocol.

Table 1. Notation used in this paper.
NotationDescription
mNumber of nodes that share pairwise key with one node
tThreshold number of votes needed to revoke a node
EK{Q}Message Q encrypted with key K in authenticated encryption mode
ΔnMaximum time required for network-wide broadcast to fully propagate
ΔlMaximum time required for local neighborhood broadcast to fully propagate
ΔsDuration of each revocation session
ΔrMaximum duration from time that the first vote is cast until node is revoked
dminMinimum degree threshold at which node is centrally revoked by designated authority
dmaxMaximum number of local participants for any node
stotalTotal number of revocation sessions available against each node

2.1 Definitions and assumptions

In developing the protocol, it is assumed that the key revocation process is performed amongst m uncompromised nodes and that the network contains a single compromised node. In addition, it is assumed that the nodes share pairwise keys with one another. The other network assumptions are presented in the following discussions, together with a definition of the terms used in developing the model and the assumptions made regarding the adversary model.

The major terms used in the proposal are defined as follows.

  1. Neighboring node—node i is a neighboring node of node j if it is located within communication range of node j.
  2. Target node—the target node is the node that is considered for revocation in the revocation process.
  3. Participant—a participant of node i is any node that shares a secret key with node i. Participant nodes are classified as either local or nonlocal depending on their proximity to node i. Specifically, participant nodes within a one-hop communication range of node i are defined as local participants, whereas those located at a greater distance from node i are defined as nonlocal participants.
  4. Centralized authority—a unit having a pairwise key with every node in the network and therefore able to perform the centralized revocation of any node (e.g., the base station in the WSN).

The major assumptions in developing the adversary model are as follows:

  1. When an adversary attacks the network, it can selectively capture legitimate nodes to piece together all the information it requires.
  2. The adversary can transmit and receive arbitrary messages throughout the entire network and can therefore exchange information with any compromised node.
  3. If a node is captured by the adversary, all of the information relating to this node, including its secret key, is revealed to the adversary. The adversary can therefore control the compromised nodes in such a way as to collaborate with one another in performing revocation attacks.
  4. Compromised nodes can drop received packets or refuse to forward broadcast messages. However, the adversary cannot jam or delay the communications between neighboring nodes. Furthermore, the adversary is unable to split up the network by chosen compromised nodes. Accordingly, a maximum bound exists on the propagation time in the network. The maximum time required for a broadcast message to be fully propagated within the neighborhood is denoted as Δl, whereas the maximum network-wide broadcast time is denoted as Δn, where Δn > Δl.

The revocation protocol proposed in this study is based on the following assumptions:

  1. The sensor nodes are immobile.
  2. Each sensor node has a unique identification number in the range from 1 to m + 1, and the target node identification is assigned as m + 1 by default.
  3. The revocation scheme is equipped with functionality such as that proposed in [13, 14] to deal with Sybil problem.
  4. The events that prompt neighboring nodes to launch the voting process are known throughout.
  5. If the node degree is lower than the threshold dmin, the node is centrally revoked by the designated authority.
  6. The voting process occurs infrequently that only stotal sessions need to be stored on each sensor node. The value of stotal is larger than t but has a low value (e.g., less than 10). Any attempt by an adversary to exhaust the revocation sessions against any particular node is therefore infeasible because the actions of the adversary will be known within the neighborhood in accordance with Assumption 5 and the node will therefore be centrally revoked. Hence, we also assume that revocation sessions are always available to revoke any target node.
  7. New node deployments do not occur when there are active revocation sessions in the network.

2.2 Proposed distributed revocation protocol

As described in the following, the proposed scheme consists of four phases, namely offline initialization, connection establishment, voting, and revocation completion.

2.2.1 Offline initialization

In the offline initialization phase, public and private matrices are generated for each sensor node in the WSN. The former matrices contain public information that is freely available to all the nodes in the network, whereas the latter matrices, used in each voting session, contain secret information for vote verification purposes. An assumption is made that each node has several available revocation sessions. In each session, the nodes preload the encrypted votes from the vote matrix (generated by the multiplication of the public and private matrices) and the corresponding column information of the public matrices. In addition, each node stores a set of hash values to verify the validity of the revocation decision made for a malicious node. Accordingly, a t × (mi + 1) matrix Gi is generated over a finite field GF(q) for each node i in the network, where t is the threshold number of votes required to revoke a node, mi is the number of participants of node i, and q > (mi + 1). The contents of matrix Gi are regarded as public information, that is, the information is freely available to every sensor node in the network, including those compromised by an adversary. The system then creates random t × t symmetric matrices Ri(s) over GF(q) for s = 1,…,stotal, where stotal is the total number of available revocation sessions against each node. The (mi + 1) × t vote matrices are then computed via Equation (1) for s = 1,…,stotal, where the superscript T denotes the matrix transpose operator. Note that the matrix Ri(s) is kept a secret from the sensor nodes.

display math(1)

Let math formula represent the jth row of matrix Vi(s) and correspond to participant j of target node i. Node j preloads the encrypted votes math formula, where the activation masks Maskji(s) are used to enable node j to decrypt the votes against node i and the corresponding jth column of matrix Gi denoted as math formula. Note that within matrix Vi(s), there exists one row, referred to as the secret-sharing row math formula, which is not preloaded in any node during each session s.

Finally, each participant of node i also stores H2(math formula), namely the hash function of the elements in the secret-sharing row, H(λ0(s) ∥ λ1(s) ∥ ⋯ ∥ λ(t − 1)(s)), where λk(s) denotes the kth element in the secret-sharing row math formula and k = 0,…,t − 1. The double hash value H2(math formula) enables the nonlocal participants of target node i to confirm the validity of the revocation decision for node i.

2.2.2 Connection establishment

When the nodes receive a message indicating a vote against a malicious node from one of their neighbors or by one of the nodes directly detecting a malicious node with unusual behavior, the nodes enter the connection establishment phase. In this phase, the activation masks used to decrypt the votes are exchanged among the participants and the target node at the beginning of each session. The two nodes in each participant pair have knowledge of the votes against the other, but the votes are encrypted by the mask stored in their counterpart, and thus a mutual exchange of the masks is required to establish a connection. However, a malicious node may refuse to reveal its mask or may deliberately reveal a fake mask. In this case, the participants of the malicious node will receive no decrypted votes against the target node. After a number of attempts to establish a connection, the participants simply drop the links between them and the malicious node, causing a reduction in the node degree. Once the degree falls below a certain predetermined threshold, the node is revoked by a central degree-counting mechanism.

2.2.3 Stages of revocation session

The function of the voting sessions is to prevent replay attacks and to keep the vote information up to date. For each revocation session s, two specific node states are defined, namely waiting and voting. The state of each participant node j is set to waiting at the beginning of each session s, and the nodes subsequently wait to receive a vote message from one of their neighbors. The state of node j in session s transits from waiting to voting as a result of two possible scenarios, namely (i) the node receives the first vote message from one of the other participants or (ii) the node detects directly that the target node has a malicious behavior.

Having switched from a waiting state to a voting state, participant j immediately starts its session timer Δs. The predetermined value of the timer Δs depends on the time expected to reach a revocation decision. In general, the condition Δs > 2Δl holds, where Δl is the maximum time required for any node in the network to propagate a voting message to each of its neighboring nodes. Having activated the session timer, participant j continuously verifies any received votes and records the valid votes until the timer expires. In the event that participant j does not cast its own vote for the target node before the timer expires, the timer expiry event prompts the node to decide whether or not to cast a vote depending on its own observations of the target node. Once the timer expires, the participant j reverts to the waiting state for the next session s + 1 and terminates the revocation process for the session s.

2.2.4 Voting in revocation session

When a local participant detects a malicious behavior of the target node, it casts its vote against this node in both the current and the following sessions to prevent the risk that any votes cast near the timer expiry time will be lost because of broadcasting delays. In Figure 1, suppose that participant nodes j and k have both tallied t − 2 votes against target node i and simultaneously detect a misbehavior of the target node i at the end of session s. Assume also that neither of their votes arrives at the other node before the corresponding timers expire. As a result, both nodes record only t − 1 votes and therefore fail to revoke the target node in session s. However, by adopting the double voting process described earlier, both nodes successfully revoke node i in the following session (s + 1).

Figure 1.

Illustrative example of failure revocation process.

When participant j votes against target node i, it locally broadcasts both its vote math formula, that is, the jth row of the vote matrix Vi(s), and math formula, that is, the jth column of the public matrix Gi. Note that to prevent denial of service (DoS) attacks, only the participants of the target node disseminate vote messages. Upon receipt of these messages, the participant nodes perform a verification process to confirm the validity of the vote.

The verification process is illustrated schematically in Figure 2. Assume that participant node j broadcasts a message to all the nodes within its neighborhood casting a vote against target node i. When node k receives the voting message, it calculates the products of math formula and math formula, and math formula and math formula, respectively, where math formula and math formula are contained within the voting message and math formula and math formula are stored within memory. The results of the two products, that is, math formula and math formula, are the elements of matrix Qi(s), which is given by the dot product Vi(s) ⋅ Gi. From Equation (2), it can be shown that matrix Qi(s) is symmetric. Thus, if the values of math formula and math formula are equal, then the vote against the target node i can be trusted. Accordingly, participant k adds the vote from participant j against target node i to its tally.

display math(2)
Figure 2.

Illustrative example of vote verification process.

2.2.5 Completion of revocation process

Having completed the voting stage, all the neighboring nodes of the malicious node enter the completion phase of the revocation process and individually tally the votes received during the voting session. In the event that one of the nodes records at least t votes against a particular malicious node, it solves the secret-sharing information of the node and computes the corresponding hash value. The node (referred to as the revocation initiator) then broadcasts a revocation message to the entire network. Any nodes receiving the message verify the authenticity of the message by comparing the hash value stored in memory with the revocation message. If the message is successfully verified, the node removes all the key information relating to the malicious node from its memory and adds the node ID to a revoked list. However, if the verification process fails, the node simply disregards the revocation message. The mathematical notation is described as follows. Any participant node j with a minimum of t votes against target node i computes the secret-sharing row corresponding to node i. For example, in Figure 3, corresponding to an assumed threshold of t = 3, participants j, k, and l each cast their votes against target node i and therefore calculate the values of math formula, math formula, and math formula, respectively, by multiplying their respective votes, that is, math formula, math formula, and math formula, by column math formula of the public matrix Gi. Because matrix Qi(s) is symmetric, the value of math formula is equivalent to that of math formula. Similarly, the value of math formula is equivalent to that of math formula, whereas the value of math formula is equivalent to that of math formula.

Figure 3.

Illustrative example showing the computation of the elements of the secret-sharing row for the case of t = 3.

Each local participant then calculates the elements of the secret-sharing row math formula by solving the linear system of t equations and t unknown variables shown in Equation (3). Having solved Equation (3), the nodes compute the corresponding hash value of the elements and broadcast the revocation message math formula to the entire network. The nonlocal participants that receive this message verify it by comparing the value of math formula contained in the revocation message with that of math formula stored in memory. If the verification process succeeds (i.e., the two hash values are the same), the participants remove the key information relating to target node i from their memory and add the node ID to a revoked list. Conversely, if the verification process fails, the participant nodes simply drop the revocation message and take no further action.

Finally, when each participant completes the voting stage and reverts to a waiting state, it notifies the centralized authority (e.g., the base station) of the revoked list such that this information can be used to update the information preloaded in any subsequently deployed new nodes.

display math(3)

3 PROOF OF DISTRIBUTED REVOCATION PROPERTIES

In this section, the efficacy of the proposed revocation scheme is evaluated by means of the five rigorous properties of a distributed revocation protocol proposed in [8], namely completeness, soundness, bounded time revocation completion, unitary revocation, and revocation attack resistance.

Property 1. (Completeness) If a compromised node is detected by t or more uncompromised neighboring nodes in any session s, then it is permanently revoked from the entire network, that is, it cannot be subsequently reinserted into another part of the network.

Proof. Suppose that node i is compromised by an adversary and is detected by a set S of t or more uncompromised local participants in session s. Let node j be the node within set S that casts the first vote against node i in session s. The completeness of the proposed revocation scheme can be verified by considering two different voting scenarios.

Scenario 1 (Figure 4): each local participant k (where k ≠ j in set S) detects the malicious behavior of node i and votes against it at a time t2 prior to a time t3 before the session timer of node j expires. Because the time interval between t2 and t4 (the time of the session timer expiry of node j) is larger than the time Δl, each node has an enough time to propagate its vote to all its neighbors. Every node receives more than t votes against node i in session s in accordance with adversary model property 4 in Section 2.1 (i.e., local broadcasting messages are received by all the nodes within the local neighborhood within a time of at most Δl).

Figure 4.

Illustrative example of Scenario 1 of Property 1.

Scenario 2 (Figure 5): if a local participant k (where k ≠ j in set S) detects the malicious behavior of node i and votes against it after a time t3 before the session timer of node j expires, node i will not be revoked in the current session. However, because in the proposed protocol, the participant nodes cast their votes against the target node in both the present and the following sessions, the participants record a vote against node i at the beginning of session s + 1. For local participant j, because the nodes cast their votes at a time t5 within the time of Δl after node j starts session s + 1, node j receives their votes before the end of the session, and thus, every node receives more than t votes against node i in session s + 1.

Figure 5.

Illustrative example of Scenario 2 of Property 1.

In both scenarios described earlier, any node receiving t or more votes against node i can compute all of the elements in the secret-sharing row for node i and can therefore verify the revocation decision. If the verification decision is confirmed, the local participant nodes broadcast a revocation message to the entire network, causing node i and all its related keys to be permanently removed.

Property 2. (Soundness) If the key information of a node is revoked from the network by using the proposed scheme, then its revocation must have been agreed by at least t nodes.

Proof. To revoke a malicious node, any local participant of the node must receive more than t votes to retrieve the secret information of the node by computing the elements of the corresponding secret-sharing row (see Section 2.2.5). Therefore, if more than t local participants of node i cast their votes against it, all of the participants in the neighborhood of node i can compute all of the elements of the secret-sharing row by solving the linear system comprising t unknown variables and more than t equations (see Equation (3)). However, if fewer than t local participants cast their votes against node i, the neighborhood nodes have insufficient information to solve the linear system. In other words, they cannot revoke the node.

Property 3. (Bounded time revocation completion) Revocation decision and execution occur within a bounded time Δr from the time of sending the first revocation vote.

Proof. Because the local broadcast messages are received by all the participants in the neighborhood within a time Δl of their broadcast, the maximum duration of the voting stage, that is, the time from which the first vote is cast until all of the session timers of the local participants expire is equal to (Δl + Δs). In accordance with adversary model property 4, the time required to fully propagate the revocation messages to all of the participants in the network is equal to Δn. Therefore, the total time required to accomplish revocation is at most Δl + Δs + Δn.

Property 4. (Unitary revocation) Revocations of nodes are unitary (all-or-nothing) in the network. Specifically, if a node is revoked in one part of the network, it will be revoked in the entire network within time Δn, where Δn is the time taken for any message to be propagated across the entire network. Conversely, if the node is not revoked in any part of the network, it will not be revoked in any other part of the network in the time prior to the last Δn time.

Proof. First, it is proven that if a node is revoked in part of the network, it will be revoked in the entire network within a time Δn. If a node is revoked in one part of the network, all the nodes in that part of the network receive the correct revocation value math formula and then rebroadcast this value to all their neighboring nodes. According to adversary model property 4, the time required to broadcast a message to all the nodes in the network is equal to Δn. Thus, the other nodes in the remainder of the network receive the revocation message within time Δn.

Second, it is proven that if a node is not revoked in any part of the network at any time prior to the last Δn time, it will not be revoked in any other part of the network either. The proof can be obtained using the contrapositive property, namely a node must be revoked in every part of the network if it is revoked in one part of the network at any time prior to the last Δn. In other words, if a node is revoked in any part of the network at any time prior to the last Δn, then it must necessarily be revoked in the whole network at the present time. If the node is revoked in the entire network, it must by definition be revoked within any specific part of the network.

Property 5. (Revocation attack resistance) If ω nodes are compromised, they can revoke at most κω other nodes, where κ is a constant with a value of κ ≪ m/t.

Proof. If ω nodes are compromised by an adversary, they can obtain at most ω ⋅ dmax unmasked votes with which to revoke uncompromised nodes, where dmax is the maximum number of local participants of any node. Because the nodes are assumed to be immobile, there are at most ω ⋅ dmax/t = κω uncompromised nodes that can be revoked, and dmax ≪ m. As a result, κ = dmax/t  is a constant and has a value of κ ≪ m/t.

4 PERFORMANCE EVALUATION

In this section, the performance of the proposed distributed key revocation scheme is compared with that of the scheme presented by Chan et al. [8] in terms of its storage space requirement, communication overhead, and computational complexity. In performing the analysis, it is assumed that the key revocation process is performed in a network comprising m uncompromised nodes and a single compromised node. The nodes share pairwise keys with one another and have a total of stotal revocation sessions available to them.

4.1 Space requirement

In Chan's revocation scheme, each node must preload various items of information in each session (e.g., the revocation secret votes, logm authenticating hash values in the Merkle hash tree [11] for each vote, the root of the Merkle hash tree, and the double hash verification of the revocation polynomial). The space required to store all this information at each node is equal to O(stotal ⋅ m ⋅ log m).

In the key revocation scheme proposed in this study, each node is required to preload t elements of one row in the vote matrix and t elements of one column in the public matrix in every voting session (Section 2.2.1). Thus, a storage space of O(stotal ⋅ m ⋅ t) is required at each node. The value of t is independent of the network size and has a small constant value far less than m for most practical WSNs. Thus, the per-node storage space requirement in the proposed scheme is equal to approximately O(stotal ⋅ m).

4.2 Communication overhead

In both the key revocation scheme proposed in this study and that proposed in [8], a mask exchange process is required to decrypt the votes against the target node i. Therefore, in comparing the communication overheads of the two schemes, it is necessary to consider only the overhead incurred in the voting process itself. In the scheme proposed by Chan et al. [8], each voting message includes not only the encrypted vote but also the logm hash values of the Merkle hash tree used to verify the correctness of the vote. Thus, the communication overhead is equal to O(log m). By contrast, in the proposed scheme, each voting message carries only t elements of one row in the vote matrix and t elements of one column in the public matrix. As a result, the communication overhead is just O(1).

4.3 Computational complexity

In evaluating the computational complexity of the two schemes, it is necessary to consider two components, namely the complexity of the vote verification process and the complexity of the vote calculation process itself. Regarding the vote verification process, in Chan's revocation scheme, every node that receives the vote message verifies the vote by comparing the root of the Merkle hash tree calculated from the received vote information with the root value held in storage. In other words, the scheme executes the hash operation a total of (logm) + 1 times. The computational complexity of each vote verification process is equal to O(log m). However, in the revocation scheme proposed in this study, the vote verification process requires only the execution of a dot product operation involving t multiplications and t − 1 additions. Therefore, the computational complexity is just O(1). Regarding the complexity of the vote calculation process, both schemes need to solve a t degree linear system to obtain the secret information. Thus, the computational complexity of the two schemes is the same and can therefore be ignored for comparison purposes.

Table 2 summarizes the space requirements, communication overheads, and computational complexities of the two schemes. It is evident that the proposed scheme outperforms Chan's revocation scheme by a significant margin in each of the three comparison criteria. Because the proposed scheme applied the random pairwise key distribution that were also adopted by Chan's proposal, both schemes have the same performance in terms of scalability, key connectivity, and resilience [15].

Table 2. Comparison of proposed scheme and Chan's scheme.
 Proposed schemeChan's scheme
Space requirement for storing vote informationO(stotal ⋅ m)O(stotal ⋅ m ⋅ log m)
Communication overhead incurred per voting messageO(1)O(log m)
Computational complexity per vote verificationO(1)O(log m)

5 CONCLUSION

Key revocation is an essential task in WSNs to minimize the damage caused by the compromise of one or more sensor nodes by an adversary and enhance the network security. Broadly speaking, existing proposals for key revocation can be categorized as either centralized or decentralized, depending on the level at which the revocation decision is made. Of the two methods, decentralized schemes are commonly preferred because they avoid the single-point failure problem and yield a more rapid reaction time.

Accordingly, this paper has proposed a novel distributed and scalable scheme for removing all the key information relating to malicious sensor nodes in a WSN in a cost-effective manner. It has been shown that the proposed protocol conforms to the five definitions of a distributed key revocation scheme proposed by Chan et al. [8]. In addition, the analytical results have shown that the proposed scheme has a lower storage space requirement, a lower communication overhead, and a lower computational complexity than Chan's scheme and therefore provides a more cost-effective solution for key revocation in large-scale WSNs.

Ancillary