An Efficient Key Management Scheme Based on ECC and AVL Tree for Large Scale Wireless Sensor Networks

With the wide adoption of wireless sensor network (WSN), security problems emerge as a challenging issue because of the limited computational power and energy of the sensor nodes. Furthermore, the deployment of WSN in the hostile area with a large number of nodes also poses a threat. In this paper, we proposed a new efficient key management scheme based on Elliptic Curve Cryptography (ECC) and AVL tree for large scale WSNs. In our scheme the Elliptic Curve Paillier Encryption (ECPE) cryptography is adopted for communication and the AVL tree is used to store the neighbors' ID and public key. The number of keys used in our scheme is smaller than the proposed schemes as we store these keys using AVL tree to shorten the search time. Regular key updates are also designed to further improve the security of the whole network. Our scheme has a good scalability where the node addition and deletion are supported. Experimental results and analysis show our scheme can significantly reduce the energy consumed by the node and reduce the memory and computational overhead.


Introduction
Nowadays, wireless sensor networks (WSNs) have a critical application in military, medical, and industrial sectors. WSNs consist of a large number of tiny, cheap sensor nodes which are computational and energy-constrained. The security in WSNs is gaining importance as a large number of nodes may be exposed in hostile environments. If only one node is captured by the attacker, the whole network can be compromised.
Because of the wireless connectivity, the absence of the physical protection, and the unattended deployment, the security in WSNs becomes a challenging research hotspot. Key management protocols are the core of the secure communications [1][2][3]. The goal of the key management in WSNs is to establish secure links between neighbor sensors at network formation phase.
Basically, there are two architectures available for WSNs. One is a distributed flat architecture and the other is a hierarchical architecture. Considering the limitations of WSNs, the hierarchical network model has more operational advantages than the flat homogeneous model. One of the most famous hierarchical algorithms is Low-Energy Adaptive Clustering Hierarchy (LEACH) [4,5], which was proposed by Chandrakasan to balance the energy consuming among nodes by randomly rotating cluster head memberships among all nodes.
In this paper, we propose an efficient key management scheme built on LEACH protocol. Furthermore, Elliptic Curve Paillier Encryption (ECPE) algorithm rather than general public key algorithms is adopted to achieve the key agreement with fewer keys and meet the needs of storage while catering to computing limited sensor nodes. We also use AVL tree (Georgy Adelson-Velsky and Evgenii Landis' tree, named after the inventors) [6], which is a self-balancing binary search tree, to store the nodes' ID and public keys which can greatly reduce the key search time and thus reduce the energy consumption. Combined with the energy-saving property of LEACH, our scheme can significantly reduce the energy consumed by the node and extend the network lifetime. The contributions of this paper are as follows: (1) We are the first to use the AVL tree to store the neighbors' ID and public keys; thus less search time and computing energy are consumed in large scale WSN.
(2) A combined scheme including LEACH and ECPE is proposed in which fewer keys are needed to be stored in the node. Storage overhead is reduced for each sensor node and the network lifetime is extended.
(3) Quantitative memory and computation overhead with a particular security analysis are provided. The obtained results show that our scheme can significantly reduce the energy consumed by the node and reduce the memory and computational overhead.
As for the rest of this paper, Section 2 introduces the related works; we give some preliminaries about ECPE algorithm and AVL tree in Section 3; Section 4 describes the scheme we proposed in detail; the performance analysis to the proposed scheme is elaborated in Section 5; finally this paper is concluded in Section 6.

Related Works
Key management problems in WSNs have been extensively studied in the literature and various solutions have been presented. In this work, we mainly classify these schemes into two categories: symmetric schemes and asymmetric ones. In symmetric key schemes, a preinstalled system-wide symmetric key or pairwise keys are usually stored on the devices. Symmetric key schemes are used in most of WSNs because they consume less computation time. Asymmetric key schemes adopt public key technology, such as Elliptic Curve Cryptography (ECC), to realize key distribution. Though public key technology was thought to be too computationally expensive for WSNs, recent studies [7,8] have successfully implemented it in wireless sensor networks.
Since there are lots of symmetric key management schemes in WSNs, we will not give them a review. Useful surveys on symmetric key management schemes can be found in [3,9,10].
The key management schemes based on public key cryptography (PKC) are convenient for WSNs compared with those based on symmetric cryptographic algorithm. Usually the PKC schemes are considered resource-rich so that they are not suitable for WSN; but recently many researchers put their eyes on the adoption of PKC in WSN. Wandert et al. made a comparison between RSA (the Rivest-Shamir-Adleman cryptosystem, named after the inventors) and ECC in the nodes of WSNs and gave the conclusion that ECC behaves better on storage, computation, and communication overhead [11]. Ren et al. come up with several effective PKC based schemes upon the integration of several cryptographic techniques, including the Bloom filter, the partial messagerecovery signature scheme, and the Merkle hash tree [12]. In terms of the elliptic curve discrete logarithm problem difficulty, they propose a key management scheme without secure channel by adopting the key threshold theory, but they did not take into account security issues confronted by each node when the share transfers in secret. A key management scheme without secure channel was proposed in [13], which is a combination of the discrete logarithm problem on elliptic curve and the threshold key theory, but has left out the security issues that arise in the exchange of the secret share between nodes. In [14], the network was divided into three levels: central authority (CA), server nodes (SN), and ordinary nodes (ON). SN generate session private/public keys for each node in the network, which makes them the most vulnerable part in the whole network when captured. Rajendiran et al. proposed a key predistribution technique using the ECC for WSNs. They choose elliptic curve points as the key pool to achieve better connectivity. But they still cannot resist the node capture attack [15]. Azarderakhsh et al. proposed a key management for heterogeneous sensor networks using a hybrid technique of public key and symmetric key cryptography, while they assume that the CHs cannot be captured and nodes know their own location [16]. In [17], VEGK is proposed for key management in heterogeneous cluster based WSNs using hybrid key management technique between public key cryptography ECC and pairwise symmetric keys.
Altogether, state-of-the-art public key cryptography schemes do not meet the strict limitation of resource-constrained sensor nodes, because a large computational overhead is introduced especially with large scale networks, which is the common case for WSNs. In this paper, we proposed a novel efficient key management scheme based on ECPE public key cryptography for WSNs. We also use AVL tree to store the ID and public key in our scheme so as to shorten the search time. Meanwhile, we design regular key updates to further improve the security of the network and our scheme also provides perfect scalability to allow nodes addition and removal.
It must be stated that in [18] the AVL tree is also used to store the ECC keys, but they store the keys in a whole WSN. In their method, each sensor node is associated with a leaf, and all keys located along the path from the leaf to the root of the AVL tree belong to that node. If two nodes need a shared key, they find the common ECC key which is at the highest level and closest to the leaves in the AVL tree. However, in our scheme, the AVL tree is used to store the neighbors' public keys in one node so as to reduce search time. When there are many neighbors in a large scale WSN, there is no need to generate the shared communication key in our scheme with the AVL tree available.

Preliminaries
3.1. LEACH. LEACH was proposed by Heinzelman et al. to balance the energy consumption among nodes by randomly rotating cluster head memberships among all nodes [19], and it can extend the network lifetime by 15%. The operation of LEACH is broken up into rounds. Every round of LEACH has two phases: one is the setup phase, where nodes elect CH, and the other is the steady state phase, where nodes communicate with their CHs. During the setup phase, node chooses a International Journal of Distributed Sensor Networks 3 random number between 0 and 1. If the number is less than the threshold ( ), the node becomes a cluster head for the current round. The threshold is set as where is the desirable percentage to be CH, is the current round, and is a set of nodes that have not been selected as CH in previous rounds.

Elliptic Curve Paillier Encryption (ECPE)
. ECPE [20] was first proposed by Paillier in 2000. It is a probabilistic encryption scheme employing elliptic curves over rings based on the use of twists of anomalous curves. It is known that curves ( , ) over which have trace of Frobenius one (they are said to be anomalous) present the property that computing discrete logarithms on them is very easy [21]. Okamato extended this property to -subgroup of 2 ( , ) so that the projection onto gives the twist of an anomalous curve.
The details of this cryptosystem are as follows.
Initialization. = is generated which is a product of two large primes, and , while ≡ ≡ 2 (mod 3). Choose an elliptic curve 2 ( , ) and a base point ∈ 2 on this curve.

The AVL
Tree. An AVL tree is a self-balancing binary search tree. For each node of the tree, the height difference of its subtrees is at most 1; therefore, it is also height-balanced.
(log ) time is needed for search, insertion, and deletion operations in both the average and worst cases. Figure 1 shows an example of the AVL tree. The values of left subtree are always smaller than the ones of the root node, while the values of the right subtree are always larger than the ones of the root node. In order to find a particular element in the tree, for example, 28, we firstly compare the element with the root node 54. We turn left because 28 is smaller than 54, and then we find 28 larger than 17 so we turn right and find 28.

The Proposed Scheme
Our scheme is based on the network model of LEACH which includes a base station and a large number of sensor nodes. The base station is assumed to be trusted and capable of computation and has storage ability. Special cluster heads are not needed in our model, which makes it more practical for WSNs. We assume the node in our network is capable of running the ECPE algorithm. The notations used in this paper are listed in "Notations." Our scheme can be divided into two phases: (1) network formation phase, where nodes elect CHs and generate the session key with each other, and (2) network steady state phase, where nodes communicate with each other with the session key. Node addition, node deletion, and key updating are also allowed during the second phase.
The details of our scheme are as follows.

Key Predeployment.
Following the rules of ECPE, firstly, base station chooses a large integer = as a product of two odd primes, and , while ≡ ≡ 2 (mod 3). Then base station chooses a safe elliptic curve 2 and a point on this curve. Afterwards base station calculates the parameters of ECPE for the nodes: the public key = , the private key = lcm( + 2, + 2), the identity of the node ID, and an initial shared symmetric key ikey. Finally, the base station stores these parameters, that is, , , ID , and ikey, into the nodes.

Cluster Head Election.
During this phase, all nodes are able to compete for the CHs for the current round using (1). The elected CHs send their own ID and public key to the base station to get registered. The base station makes an AVL tree list of all the CHs' public keys and IDs and sends this list to the nodes encrypted by the ikey. This phase is shown as follows: → All Nodes. (2)

Cluster Formation.
After the last step, each node gets the list of the CHs' ID and the public key. In order to form the clusters, each CH broadcasts its own ID and public key to its neighbors. The neighboring nodes can verify their identifiers according to the list received from the base station. Once a sensor node decides to join cluster , it replies its ID and public key to CH . CH stores the nodes' ID and public key in a form of AVL tree. This phase is shown as follows:

The AVL Tree Formation of Nodes' Information.
After the clusters are formed, each node broadcasts its own ID and public key to its neighboring nodes. The node gathers its neighbors' IDs and public keys and then stores them in AVL tree. The creation of AVL tree is shown in Figure 2; the IDs of five nodes in this AVL tree are listed from small to large: ID 1 < ID 2 < ID 3 < ID 4 < ID 5 . We put smaller nodes in left subtrees and larger nodes in right subtrees. Then the rotation operation of AVL tree is used to keep the balance so that the height difference of the subtrees is 1 at most. Consider Node ikey (ID ‖ ) → Node neighbor .

The Session Key Agreement between Nodes.
Suppose node wants to communicate with node ; then node needs to generate a session key with node . Firstly, queries 's public key in its AVL tree and then generates a random number sKey as the session key. then encrypts sKey and the timestamp 1 with its own private key and reencrypts the ciphertext plus 's public key and ID using 's public key. After decrypts the message, verifies the legitimacy of 's public key using its AVL tree. If authentication passed uses 's public key to obtain the session key sKey and the timestamp and checks the timestamp 1 to prevent the replay attack. then encrypts sKey and the timestamp 2 with its own private key and reencrypts them together with 's public key and ID using 's public key. takes similar procedure to verify the identity of . In this way, mutual authentication is finished and a session key is generated. The above process is shown as follows:

New Node Addition.
It is essential to add new nodes due to the node energy depletion or capture. The new node has to be registered at BS before being added to the network and BS will store the current CH list to it. After the deployment of the new node, it sends a "join-in" request message including its ID and public key encrypted by its private key to the nearby CH. The CH will reencrypt the message with its own private key and then send it to BS. BS verifies the identity of the new node and replies with a confirming message to CH. Then CH broadcasts the new node's ID and public key to the nodes in its cluster. Now the new node can exchange public keys with its neighbor nodes and negotiate session keys with them. This above process is shown as follows:

Node Deletion.
If a sensor node does not send data for a long time, it will be considered as a dead node and will be removed from the network. CH broadcasts a message including the node's ID and public key to all nodes in this cluster. CH and the live node will update their AVL tree at the same time.

Key Update.
In LEACH algorithm reclustering is needed after a certain period of time. New CH will be elected according to formula (1). With the establishment of the new clusters, the nodes will update the session key with its neighbors. Therefore, the energy consumption can be balanced, which will extend the lifetime of the whole network. Meanwhile security is also enhanced by the updated session key.

Security Analysis.
Prior to the deployment of sensor nodes in our scheme, a shared key is preset to encrypt the information exchanged during the network formation phase; therefore the adversary is unable to acquire the nodes' identity. What is more, each node mutually verifies the other's identity by AVL tree when they try to agree on a session key. Hence it is impossible for the adversary to launch identity related attacks, for instance, the Sybil attack. The usage of ECPE cryptography makes our network more secure than either symmetric cryptography or the traditional public key cryptography like RSA. Public key cryptography prevents plenty of frequent attacks on the network like selective forwarding, Flooding, and Sinkhole attack. In addition, signature verification can be achieved by the private key encryption. A timestamp is also adopted in our scheme to avoid the replay attack. We use public key cryptography to generate a session key, which will be updated after a certain period of time, between two nodes. In our scheme, different pairs of nodes share different session keys. Even if the adversary captures a few sensor nodes he cannot get the session key between other nodes and cannot recover the keys used before, so that the forward secrecy of the network is ensured. On the contrary, in Rajendiran et al. 's scheme, if an adversary compromises one more node every time, he can obtain more information about the ECC key pool. When the number of captured nodes exceeds some threshold, the adversary will be able to recover the entire ECC key pool and thus compromise the whole network.

Memory Overhead.
For the convenience of comparison on memory overhead, we follow the network size of Azarderakhsh et al. 's [16], 1000 nodes and 10 clusters every round, while each node has 31 neighbor nodes. As stated previously, a sensor node in our scheme only needs to store the public keys of its cluster head and neighbors, and the CH needs to store the nodes' public keys in its cluster. In El-Din et al. 's scheme, CH only stores its neighbors' keys, which makes it hard for the CH to manage the cluster. However, in Azarderakhsh et al. 's scheme, a node needs to store its neighbors' public keys plus the public keys of all CHs. In Rajendiran et al. 's scheme, they combined ECC with E-G scheme to distribute keys. The probability of a sensor node sharing one key with its neighbor is where is the size of key pool and is the size of key chain. For Rajendiran et al. 's scheme, they need = 5000 and a chain of 120 keys to achieve a 95% connectivity, while 328 keys are needed to have 99.999% connectivity. Suppose the length of ECC key is 160 bits; Table 1 shows the superiority of our proposed scheme compared to those proposed by El-Din et al. [22], Azarderakhsh et al. [16], and Rajendiran et al. [15].

Computational Overhead.
Our scheme uses along with El-Din et al. 's and Azarderakhsh et al. 's schemes, ECC based algorithm for encryption and decryption. Since ECC based encryption and decryption are the most energy consuming operations in the schemes, we make a comparison on the times of ECC based encryption and decryption to show the computational efficiency. In order to facilitate the comparison, we assume a small cluster with one cluster head (CH) and 10 normal nodes. We first compare the ECC operations  Table 2. We can see from the table that our scheme has superiority in overall computational overhead.

Energy Consumption.
Given the large number of nodes, WSNs usually take a long time and lot of energy to find the public key of a certain node. In our scheme, we use the AVL tree to store the data so that search time and the energy cost can also be significantly reduced. For instance, it needs ( + 1)/2 operations to search one node among nodes in direct search; namely, the time complexity is (  Figure 3 shows the comparison of search time between the direct search and the AVL tree. We also implement our proposed scheme in Microsoft Visual C++ 6.0. The operating system is Windows 7 Ultimate. The computer configuration is as follows: CPU, Intel Core i5 3.2 GHz; memory, 4 GB; hard disc, 500 GB. We test our AVL tree method in 3 scenarios: 100 nodes, 2000 nodes, and 10000 nodes. Ten searches are executed for every scenario and the average time cost is listed in Table 3. The result shows that, with the increasing nodes number, the AVL tree method demonstrates its superiority in search time. In other words, the energy consumption of searching in our scheme is much less than in the schemes using direct search method.

Conclusion
In this paper, an efficient key management scheme based on ECPE and AVL tree for large scale wireless sensor networks is  proposed. Our scheme follows the network model of LEACH. We use ECPE to generate session keys between nodes since ECPE can achieve the same security as normal public key cryptography but with shorter keys, thus saving storage. In addition, our approach adopts AVL tree for storing public keys which can significantly reduce the search time in large scale WSN. Experimental results and theory analysis show the memory and computational overhead are reduced and the energy consumption is also cut down. Furthermore, our scheme has a good scalability that supports the node addition and deletion; key updates also support guaranteeing the security of WSN.

Notations
: P u b l i ck ey : P ri v a t ek ey , : Largeprimenumbers 2 : A random elliptic curve : Apoin ton (⋅): Symmetric encryption with key BS: Base station CH: Cluster head Node: Normal node ID CH : Identity of cluster head CH ID , ID : Identity of node and node , : Publickeyandprivatekeyofnode AVL : The AVL tree stored by node sKey: Shared secret key between two nodes : Timestamp.