One-Time Broadcast Encryption Schemes in Distributed Sensor Networks

Broadcasting is a message-transferring method characteristic for majority of sensor networks. Broadcast encryption (BE) is broadcasting encrypted messages in such a way that only legitimate nodes of a network can decrypt them. It has many potential applications in distributed wireless sensor networks (WSNs) but perfect deploying of that method is very difficult. This is because of a WSN is a very dynamic network which includes nodes with limited computational, storage, and communication capabilities. Furthermore, an attacker in this environment is powerful. He can eavesdrop, modify, and inject messages or even capture a large number of nodes, so the solutions must be both secure and efficient. This paper describes several BE schemes from the point of view of WSNs. We present in details the schemes called onetime, and we show how these methods can be applied in distributed sensor networks. We mainly focus on data origin authentication and rekeying processes, crucial for security in such a hostile environment. An analysis and evaluations of proposed schemes are also provided.


Introduction
The popularity of WSNs is an effect of recent advances in communication and development of the microelectromechanical systems (MEMS) technology. Now we have lowcost, low-power, and small devices which are mainly used for sensing, measuring, gathering, and then transmitting data from distributed locations (or an environment) to some acquisition center. Potential applications of WSNs are military (surveillance, command control, reconnaissance, intelligence, etc.), environmental (flood or fire detection, pollution transport, hostile objects observation, etc.), medical (elder people or patients monitoring), and other home and commercial applications. Surveys on the sensor network technology and its applications are presented in, for example, [1][2][3]. WSNs need communication protocols with special properties. Such approaches must be self-organizing [4], selfhealing, fault tolerant, and secure. It is difficult to achieve all these features for devices with as limited hardware resources as wireless sensors are. Therefore the protocols must be additionally lightweight.
Broadcast encryption is an ideal proposition for WSNs. Sending encrypted messages which can be decrypted only by a predefined group of nodes can be very helpful in a WSN. Additionally, with this method we can manage strictly selected nodes [5] or configure them. Furthermore, by BE, we can fix a group of nodes and equip them with a shared key limited to just this group. Since then participants of the group can communicate each other in a secure way. However, BE must be realized in a very efficient and secure way and this is the crucial problem of BE. There are BE schemes using symmetric and asymmetric (public key) cryptography; in this paper, we focus mainly on the symmetric cryptography approaches. As we already mentioned, a typical node in a WSN has very limited resources. A small battery and weak computation efficiency make usage of the public key cryptography (PKC) impracticable. Although there are many BE schemes based on PKC, in further considerations we will not focus on them in this paper. A lightweight PKC is an objective of many research papers, but its implementations are too slow for many applications, see for example, [6][7][8]. Furthermore, an imprudent application of PKC (or of 2 International Journal of Distributed Sensor Networks some other expensive method) can make a wireless network susceptible to denial of service (DoS) attacks. Another crucial resource is memory. Constructing a security protocol, we must minimize amount of a key-storage memory. Next hardware constraint is the radio bandwidth. Because of lowtransmission power, messages sent and received should be as short as possible, which gives an advantage to the symmetric cryptography.
In contrast, adversaries in these environments are very powerful [9,10]. Eavesdropping, modifying, replying, and injecting packets are very easy when radio waves are used as a medium. Moreover, we should assume that an adversary can physically capture a number of sensors or can take control over them. Hence, the BE schemes for WSNs should be resistant to these types of attacks or at least should discover them.
The rest of the paper is organized as follows. We define the BE (with related issues) and present some significant approaches in Section 2. In Section 3, we give detailed overview of the schemes called one-time schemes. Some improvements of these schemes we present in Section 4 and next we analyze them in Section 5. Finally, in Section 6 we give conclusions and propose future research.

Broadcast Encryption
BE is some special class of key distribution schemes, which belongs to the conference key distribution protocols. Its goal is to allow a broadcast center (BC) to distribute an encrypted content to an arbitrary dynamically changing set of destination nodes. Only these nodes are able to decrypt messages. Let U be a set of all nodes in a WSN, T be a set of privileged (destination) nodes, and S = U − T be a set of unprivileged nodes. Each member of U is equipped with a secret key (or, in some protocols, with several secret keys) shared with the BC. This key is called the preshared key (PSK). Further in this paper, we use the terms "node" and "user" interchangeably. They both denote a regular sensor in the network.
The BC in a BE scheme uses two types of messages that are sent together. They are a header and a ciphertext. A transmission of these messages is called a session. The ciphertext is a message encrypted with the session key (SK) K e , while the header provides information which is necessary for the privileged nodes to obtain the key K e . The BC sends a communication package, msg, where E Ke (M) denotes a ciphertext, that is, the message M encrypted with a symmetric cipher and the key K e . For the node x, PSK x denotes a set of preshared keys stored by x.
The BE protocol requires some pre-defined function F which should enable the SK recovering only by the privileged nodes: and such that F( header , PSK x ) must not provide any information about K e to the node x and to an attacker.
In BE schemes, the length of the header is a transmission (communication) overhead, the time of F( header , PSK x ) calculation is a computation overhead and the size of PSK x is a memory (storage) overhead in nodes' functioning. In further considerations, we assume that all cryptographic primitives used are secure and all secret keys are sufficiently strong that means that no adversary with limited computational resources is able to break a cryptographic primitive or exhaustively search a secret key space.
Analyzing security of BE, we need basic definitions and terms. Now we define some of them. Resiliency. To the set S of a BE scheme means that even if an eavesdropper obtained all preshared keys of nodes from some set S then he can obtain no knowledge about a secret common to the member nodes of any other set of nodes T, for the sets such that S, The scheme is called k-resilient if it is resilient to any set S ⊆ U of size k. Managing. It is adding, deleting, and revocation of users; it should be performed without a significant overhead. Backward Secrecy. It is a property of BE which ensures that newly added users (to the set T) are not able to decrypt previous broadcast content. Forward Secrecy. It means that when a user is removed from the privileged set T, then he is not able to decrypt later broadcast content. Traitor Tracing. It is a mechanism for identifying traitor users who gave keys (or decrypted ciphertext) to unprivileged users.
BE systems can be classified as stateful and stateless schemes. The stateful approach requires that users are always connected to a broadcast center. The BC is used for keys update. Users in stateless schemes cannot update their keys, so a permanent connection with the BC is not required.
In a distributed WSN environment we need an efficient and secure communication protocol. Since nodes are vulnerable to malicious tampering, the BE approach must be resilient or at least k-resilient for high k. The network management should be very efficient from sensor resources point of view. We must note that in a typical network the nodes are not designed for computing but rather for data transmitting [6]. Thus, to decrease energy consumption, the right strategy is to perform heavy computations at the BC. Wireless Sensor Networks are dynamic by nature, so the backward and forward secrecy must be provided by a BE scheme designed for WSNs. Broadcast encryption is also often used in digital rights management (DRM) systems. For these applications (pay TV, DVD protections, etc.), the traitor tracing feature is very helpful to counteract a copyright piracy. This problem has been addressed in past years in many papers, see for example, [11][12][13][14][15]. Full tracing traitors schemes seem to be too exhaustive for WSNs, which are low cost by nature. Nevertheless, in our review, of BE we treat this function as an advantage of the schemes.

Related Approaches.
The broadcast encryption problem is connected with group key agreement protocols, multicast security, and other constructs designed for secure group International Journal of Distributed Sensor Networks 3 communication. Some of these methods can be used to solve the BE problem in sensor networks.
In literature there are many decentralized schemes for key agreement in distributed sensor networks, see for example, [16][17][18]. They play a similar role as BE but they work in a quite different way, because these protocols' objective is to agree on a key between two nodes (or, eventually, a larger group of nodes) and to achieve this a Broadcast Center is not deployed. Usually, this class of schemes consists of the following phases: pre-distribution, key discovery and path/channel establishment. Pre-distribution is realized during nodes' preparation before the network deployment, but the second and the third phases are realized when the network's nodes are active. Such protocols are ideal for self-organizing applications, but absence of a BC in a key discovery and the path/channel establishment phase may lead to security flaws. In such a case, a malicious attacker can abuse these phases and as a consequence, establish a fake path, revoke some legitimate nodes or perform DoS attack for example, by sending many discovery messages. Ramkumar in [19] described a BE scheme based on a random key predistribution. His solution is also decentralized and it does not need the PKC. In further considerations we will concentrate on a group key agreement driven by a broadcast center but the solutions based on the PKC are also noteworthy.
Other efficient constructs in related problems of key distribution are presented in [20]. Besides, introducing a novel authentication scheme, this paper presents a performance comparison of several authentication schemes (including PKC approaches). Brooks et al. in [21] introduced a special infrastructure for security in sensor networks. A network is partitioned into special regions with a chosen node as a key server. Further, within these regions a secure multicast communication is performed.
Papers [22,23] present surveys of key management schemes in WSNs. The performance of selected schemes is also presented in [24]. A general conclusion from the above reviews is that no key distribution technique is ideal to all scenarios where sensor networks are used. A key distribution protocol selection must depend on a specific network's application, its resources, and characteristics.

The Broadcast Encryption Schemes.
Let us assume for the rest of the paper that n = |U| is a number of users in the whole network and r is a number of users that revoke cooperation. The first formal study of a BE problem was presented in the paper [25] where Fiat and Naor introduced several approaches with different properties. There are schemes that do not require a broadcast center to broadcast messages (they are called Zero Message Schemes). These protocols are 1-resilient. Later there were introduced some k-resilient approaches with a low-memory requirement. The most efficient protocol needs storing by each node O(k log k log n) preshared keys and broadcasting by a BC O(k 2 log 2 k log n) messages. In the paper [26] there is a survey of such related methods. Generally, the review papers focus on comparison of BE schemes in terms of a transmission overhead and a memory overhead. A computational overhead is only slightly remarked. However, in a sensors' case, the computation Figure 1: Tree-based broadcast encryption (forming and revocation processes).
efforts (and what it follows, energy consumption) is a crucial issue and must be thoroughly analyzed in each solution proposed. The next class of protocols are tree-based schemes. This type of secure group communication was proposed independently in two papers. The paper [27] focuses on binary trees, while the paper [28] assumes the degree of the tree as a parameter. The keys are derived by a symmetric cipher and the properties of these protocols are similar. Each user needs to store O(log n) keys, and the protocol sends O(log n) (exactly 2 log n) messages to establish a new group key after a revocation. An example of the binary tree-based broadcast encryption is showed in Figure 1. Each node has its own PSK and it derives the upper keys with a neighbor using some pairwise key agreement mechanisms. A shared session key (SK) is produced as a root key. The revocation process is presented in the right-hand side of Figure 1. A wrong leaf is deleted, and all keys it possesses should be securely updated. The node with PSK 2 updates K 12 and SK; next, the nodes with PSK 3 and PSK 4 update only the session key. As we can see, the forming and deleting processes are very important in pairwise key agreement solutions. For such protocols, the communication overhead was reduced in [20,29]. The improved protocols require only log n messages to send after a user revocation. Additionally, the methods base mainly on fast cryptographic constructs (hash functions or symmetric ciphers), so they should be applied in networks with limited capabilities. Other wellknown, tree-based schemes are complete subtree (CS), subset difference (SD) [30], and a layered version of the Subset Difference (LSD) [31]. These schemes are very efficient. The CS method needs O(log n) PSKs for every node and its transmission cost is O(r log(n/r)) messages sent. In the SD, each node needs to storage O(log 2 n) PSKs. Next a broadcast center forms a privileged subset by sending O(r) short messages, which mark r revoked nodes. Later, each node has to execute O(log n) computations. The LSD protocol can achieve the same goal with O(log 1+ n) PSKs, O(r) messages, and O(log n) computations.
Some attempts of reducing the nodes' key storage and eliminating the rekeying process are presented in [32]. Another hierarchical scheme that was designed to increase efficiency can be found in [33]. Daza in [34] presented a BE approach for mobile ad-hoc networks. In his method the transmission overhead is low, but the approach bases on a secret-sharing scheme and the ElGamal-based PKC. The method is interesting but the application of PKC makes it too expensive for standard sensors. In paper [35] Yoo et al., basing on polynomial interpolations, increased the efficiency of the Naor-Pinkas scheme [14]. Their protocol requires O(log(n/m)) PSKs and O(αr + m) messages, where m is the number of partitions of the users set (its choice influence the efficiency of the protocol) and α ∈ (1, 2) is a predetermined constant. Security of this scheme is provided by the Diffie-Hellman protocol, so deployment of that solution in a WSN may be inefficient.
Sometimes users (nodes of a network) are represented in an alternative way. For example, a novel approach where the set of privileged users is described by attributes, was introduced in [36]. Each node has a set of attributes and a decryption key depends on this set. The advantage of that proposition is that BC can revoke a group of the nodes (not only a single one) sending messages of a size linear with respect to the number of all attributes. It is realized by decryption and restriction of access policy, driven by AND/OR functions on attributes. This solution is resilient and the attributes make it easy to manage, but the challenge is to construct an efficient attribute-based encryption scheme. Another approach is the BE scheme proposed in [37], which operates on users' profiles. It is realized by introducing different types of broadcasts with corresponding probabilities. For each user his profile is created, which denotes probabilities that the given user will subscribe the given broadcast. Next, using profiles, the scheme can optimize some popular treebased BE protocols. In particular, the solution can reduce a bandwidth required by the complete subtree and by the subset difference approaches. This reduction is significant when the scheme allows some unprivileged nodes to decrypt a content. A tradeoff between storage and communication in BE schemes is an important subject of research. The results of this aspect are presented in papers [38][39][40]. It is especially important for such environments like a WSN, because of nodes' limitations. A rational tradeoff between a number of preshared keys stored in each node and a volume of broadcast transmission is crucial especially for Wireless Sensor Networks.

The One-Time Schemes
The one-time schemes were chronologically the first solutions for the BE problem. We say that a protocol is one time if, while using this protocol, PSKs must be updated after every usage. Generally, this is treated as a disadvantage but we will show that the key update after a session period can provide us some additional security benefits. Moreover, such protocols are very efficient from the storage overhead point of view. In majority of one-time solutions, a node needs to store O(1) PSKs that is a small number in many scenarios for protocols' efficiency. In Section 4, we will show how to improve the one-time schemes using different PSKs' derivation and authentication methods. Additionally, the one-time schemes can be easily transformed for example, into stateful tree-based schemes. The authentication of nodes is s generic part of BE protocols. Now, we will describe two such schemes of authentication.
Chiou and chen in the paper [41] introduced methods for the BE using a secure lock. Their paper presents publickey and symmetric-key based broadcast protocols. The lock is constructed in such a way, that only a privileged node is able to open it. The construction is based on the Chinese Remainder Theorem (CRT). Each user belonging to T (a privileged node) adds its congruence equation to a set. The system of such equations must be solved by each node to obtain a common secret. The CRT is used as the solution algorithm. Unfortunately, the computational overhead of this scheme is acceptable only for very small groups of nodes, and it is definitely too expensive for sensors with limited capabilities.
Protocols presented by Berkovits in [42] belong to first authentication solutions for BE. The methods are based on two threshold secret sharing schemes: the Shamir's scheme [43] and the Brickell's scheme [44]. We will shortly describe only the first scheme; the second one has similar properties. The Shamir's method uses the polynomial interpolation. Each ith user has the point (x i , y i ) shared with a Broadcast center as a preshared key. BC carries out the following steps: (i) it selects the random secret (0, S) and some number (say, j) of additional dummy points (x i , y i ) with x i unassigned to a node, (ii) it finds a polynomial P of degree k + j that passes through the points (0, S) and (x i , y i ) of the privileged set of k members and through j dummy points and no point of an unprivileged node, (iii) it broadcasts k + j other points of the graph of P.
By the Lagrange interpolation polynomial, any privileged user is able to calculate (0, S). Next, this secret is used as a session key. The scheme is secure (as the Shamir's scheme is), resilient, and the interpolation can be implemented in a fast way. The BC needs to broadcast k + j messages, each node stores only one PSK. After any change in a privileged set the protocol must be repeated and the PSKs must be updated. In the next section we will show how to enhance that scheme, to make it more secure and flexible.

The One-Time Scheme with Additional Capabilities
In this section, at first we will propose methods for keys generation. We will show how a broadcast center and nodes can use a session key and preshared keys to achieve security goals (secret communication). Next we will consider the aspect of the source authentication. We will describe some popular methods realizing this security service that is crucial, especially for WSNs. Adequate keys management and authentication can really improve security and efficiency of BE schemes. The methods that will be proposed in this section are applicable in different schemes but we will show them in case of the Berkovits scheme [42] described in Section 4. Security analysis of the improvements proposed will be presented in Section 5. Now, let us introduce a notation required in the rest of the paper: H(·) denotes a secure cryptographic hash function, Mac K (·) denotes a secure message authentication code (MAC) with the key K, is a concatenation of two blocks of bits, ⊕ is a XOR (exclusive OR) operation.
In the Berkovits' scheme, a node needs to store one secret point (a point of the polynomial's graph) that is coded as a block of bits. In each session, that point must be updated. During network's operation, one must enumerate the updated session keys. Let's assume that: K i e is a session key during ith session, k i x is a secret point (coded as a key) assigned to the node x during ith session. Its value is shared only with the BC, s x is a secret seed of the node x. Its value is shared only with the BC, PSK i x denotes the set of preshared keys of the node x in ith session. The node stores only one set of PSKs at the same time (used in an actual session).

PSK and SK Derivation.
As mentioned before, users using a one-time scheme must update keys every session. Now we describe this process. Let us define a generic function Gen(·), which is used for updating keys. In order to synchronize the keys k i x = Gen(i, PSK i−1 x ) is computed by the node x and by the BC. The BC and the nodes must share the same keys to make the steps of the protocol successfully. Additionally, the parties update PSK i−1 x to PSK i x . Of course, the BC must generate a new session key (K i e ) for a new session and create a new header. The number of a session (i) is passed by BC in the broadcast message msg: Now let us introduce two methods of key derivation. Method I. The first approach is simpler and therefore fast. In this solution, we define a key update as The key derivation is realized by hashing the concatenation of the session number and the secret seed shared among the node x and the BC. We assume that the output length of H(·) is sufficient to produce a secure key. Each node holds only the actual key and the secret seed and it can generate a key for every session very fast. Method II. The second method is more secure, but sometimes it requires more computations. The key derivation is realized as follows: A key for the first session (k 0 x ) is preloaded before deployment.
In a new session the previous key k i−1 x is replaced by k i x , and we must ensure that after such an exchange the old key k i−1 x is erased from the node's memory. Each node stores only one key.

Source Authentication.
Providing strong authentication in a distributed sensor network is a hard task [45]. To do this one must at first modify the broadcast message msg in (3). Now the BC sends Besides a header and an encrypted content, the broadcast message must contain the authentication tag (AuthTag). Each legitimate node, using that tag, should be able to check authenticity of the message. Let us denote Auth(msg) is an authentication function that can be realized in several ways. We will present two popular and one novel method.
The PKC Approach. PKC provides us digital signatures. It is an ideal method to authenticate BE messages, but only when the sender's resources are able to do this. The BC authenticates the broadcast traffic by signing it: AuthTag is a message signed by the BC and when a user wants to check its authenticity, he uses the function of verification Veri f y(msg, AuthTag). Such a function is easy to manage and is secure and scalable, but is rather impractical in environments like WSNs. Usually, PKC-based signatures are long and signing/verification operations require a computational overhead exceeding nodes' capabilities. We related to this aspect above, in Section 1. The Standard Approach. Because PKC in WSNs is not recommended, we must use symmetric methods. Assume that K a is an authentication key shared between legitimate nodes of a network and the BC. Source authentication is realized by means of MACs as follows: Verification in this and the next method is a simple computation of the tag Mac Ka (· · · ) as in (9) and checking if the computed tag and AuthTag (appended with message) are equal. When the authentication key is shared among all members of a group then a sender of a message cannot be identified in a clear-cut way. Note that each owner of K a can authenticate any message. It is acceptable when a BC has solely an ability to broadcast a content (e.g., in pay TV), but in sensor networks it may cause problems. The Enhanced Approach. Now we want to improve the standard approach presented above making it useful for WSNs. We propose to attach the list of privileged nodes T to the broadcast message. Additionally, we XOR the session key K i e with K a . Thus, the steps of the authentication protocol are 6 International Journal of Distributed Sensor Networks Next, the BC distributes the broadcast message bmsg: These small modifications have some consequences on security and efficiency of the protocol. We will present them in Section 5.

Analysis
Now, we will analyze the foregoing methods. We will start from analyzing functions of the BE scheme, next we will focus on the rekeying process and the authentication approaches while an analysis of security and performance will summarize this section. The BE Functions. A newcomer is a node which is new in a privileged set in an actual session. j is the number of newcomers, and i is the number of an actual session. When we want add nodes to a privileged set, a natural way is to create a new set T, a new SK and a new header, and next broadcast them. In our case, this needs sending O(|T|) messages, performing O(1) computations in each node (using the key derivation in (5b) requires O(i) computations for newcomers). Such a solution holds the backward secrecy, but the communication overhead is significant. The easiest way is sending unicast to newcomers an encrypted message containing the session number i and the key k i e . It requires only O( j) messages and no computations is required. However, this solution contradicts the backward secrecy and new nodes can decrypt all traffic along the session i. We must ensure that the newcomers are not able to decrypt previous messages. It can be achieved by sending only one additional message and performing one operation in the privileged nodes. During the session i the BC derives the new key K i+1 e = H(K i e ), next it sends the key K i+1 e to the newcomers and broadcasts an update message, which denotes that any privileged node should perform the calculation K i+1 e = H(K i e ). The key K i e should be erased from the memory. Now, the session is updated to i + 1 and the broadcast traffic is encrypted with the key K i+1 e . This is an efficient method. It requires only O( j) short unicast messages and O(1) computations in each node. The main advantage of that approach is assurance of the backward secrecy. The newcomers in the session i + 1 have the key K i+1 e and they are not able to compute the previous key K i e . Efficient deletion of nodes from T is one of the hardest tasks in BE protocols. Nodes leave, fail and sometimes we want to revoke malicious nodes. Presented BE scheme does not provide an efficient deletion function. If we want to delete some nodes then the BC must make a new session without these nodes. When we want to delete some nodes the BC must make a new session without these nodes. In that operation the forward secrecy is ensured. The BC generates a new SK independently, so the revoked node cannot decrypt present and future messages. Such an operation requires O(|T|) messages and O(1) operations in nodes.
An interesting solution for improving the performance of revocation is forming subsets of privileged nodes. We can divide T into several subsets and perform a BE scheme on these subsets separately. This way we achieve subkeys and now we can repeat the process until we will generate a common SK. That strategy is related to tree-based schemes that are described in Section 2, or to other hierarchical constructions. Such a method can be used for pairwise key derivation in tree-based settings. Thus, the overheads are similar to overheads in other tree-based solutions presented in Section 2.
A traitors-tracing service known from DRM systems is not available, but the scheme allows to trace the source of a preshared key leak. When a pirate node uses a passed SK to decrypt the content, we are not able to determine the source of the leak. However, the SK for any session is different, so a traitor must pass a SK in each session. In a WSN it may be discovered by an anomaly detection or an intrusion detection system. More serious is an adversary's active attack. A privileged node can be captured and its session can be cloned into other nodes. Now an attacker is able to decrypt the traffic. When we detect a piracy hardware and tamper it, we can determine which node was captured. The BC keeps all seeds and actual keys of the node what requires O(n) keys at the BC. When a protocol uses the method of key derivation proposed in (4b) then the BC needs to perform O(n) operations, while using the tracing given in (5b) requires O(in) computations. This second effort (O(in)) can be reduced using the method presented in [46] to O(nlog 2 i). Rekeying versus Not ReKeying. BE schemes are designed to hold backward secrecy and forward secrecy properties in a sense of protection of unassigned messages against users joining or leaving the privileged set. However, in WSN-like applications, we should be more demanding. Consider a situation presented previously when an adversary captures a privileged node. It is standard assumption in environments like sensor networks. If a BE protocol does not require rekeying in each session, then an adversary having PSKs of a privileged node and its previous traffic can decrypt it all. In networks, where an adversary has capabilities to compromise nodes, we need backward secrecy assurance. To achieve this property, we must deploy some method of rekeying. We presented two approaches: in (4b) and in (5b). By solution given in (4b), we can generate a key of any session and at any moment. It is fast, but after compromising PSKs, also an adversary is able to obtain a key of any session. The approach given in (5b) holds backward secrecy. An actual user's key is produced from the previous key k i x = H(k i−1 x ). An adversary capturing a node has only one key which is the actual key. He can decrypt present and future messages, but he has no way to achieve previous keys. The only disadvantage is that a node which joins the privileged set must synchronize its key. In the extreme case a computational overhead of such a synchronization is O(i). How to improve it by unicast messages we already described in this section. Authentication. In this paragraph of the paper, we will present an analysis of authentication schemes presented in Section 4. We omit authentication schemes based on PKC due to reasons mentioned throughout the paper and we will focus on symmetric methods of authentication that are very efficient in WSNs, see for example, [47,48]. At first we consider standard approach from (9). It is a good method 7 when authentication is realized between two parties. When a large group shares the same authentication key, each member can send or modify a message and the authentication will pass. We can improve (9) by a concatenation of the key K i e to an input of the MAC function: Mac Ka (K i e msg). Nevertheless, that approach is still insecure. First, when verification process fails, a node is not sure if a message is false or if it is outside of a privileged set (it is not able to achieve the key K i e ). Next, an adversary with a compromised privileged node can disrupt sessions, each message can be authenticated by him. He can jam the original broadcast data and can create fake sessions with higher session numbers, in order to force nodes to synchronize session numbers and session keys. Such an attack can be destructive, when nodes derive keys using the method given in (5b). An adversary can also try to execute a DoS attack. Nodes, to verify AuthTag, must compute the key K i e . The adversary can just send (many times) big instance of BE problems and the nodes will be exhausted by computing them. These disadvantages are generic if a large group shares one authentication key. Now, we will analyze next authentication method given in (10), which improves the previous one. The BC broadcasts the following message mes: Sending the privileged set T as a list of receivers T is an additional communication overhead. However, consider random nodes' enumeration from the set 0, . . . , n. Only a node (and the BC) knows its own number. Then, we can encode the set T as a log 2 |T|-bits long binary mask. 0s and 1s on corresponding places in the mask denote that 0-marked nodes are unprivileged and 1-marked ones are privileged. Thus, even in large networks that overhead is acceptable. The solution presented influences efficiency. A node before any processing only checks if its bit is 1, otherwise it discards the message. In the previous methods, nodes always tried to achieve the SK. That improvement saves energy and provides other capabilities to the network (e.g., a possibility of routing). However, the main goal is the authentication. The BC, by sending list of T members, declares for which nodes the message is destined. This declaration means that any privileged node, after obtaining the key K i e from the header, is able to verify the signature AuthTag. If the verification fails then this means that the message is fake or a transmission error occurred. In both cases the node should send an alarm message. Consider now an adversary owning a group of nodes. He can create a message like in (12), but he must declare only the captured nodes in the list T of privileged nodes. Thus, any honest node even does not start processing a malicious message because it is not on the list of receivers attached by the adversary. If the adversary adds to that list a node, which is not compromised, then the node will start obtaining the key K i e and the signature's AuthTag verification will fail. This is because the adversary does not know the node's PSKs and he is not able to create a correct header without such a knowledge. An uncompromised node should alarm the network. This way we achieved such useful properties of the network as (i) authentication of a fake message will pass if and only if the list of receiver nodes contains only compromised nodes, (ii) if an adversary adds an uncompromised node to the receivers' list then that added node is able to detect the forgery.
This means that a source which broadcasts a content must know all PSKs of the set of nodes T he declared, otherwise a regular node from that list can detect a forgery. However, the node processes a message only if it is on declared in the list, so a fake messages will not desynchronize a session. These features make our authentication scheme very useful in broadcast communication.
Security and Performance. Now we consider security of the scheme given in (10).

Security of Scheme based on Shamir's Secret Sharing
Scheme which is perfect secure (information-theoretic secure) [42,43].
Construction is resilient [42], so an attacker cannot obtain a session key.
Now we should consider confidentiality and integrity of the scheme.
Assume that encryption E K (·) is indistinguishable under chosen plaintext attack (IND-CPA secure) and MAC scheme Mac K (·) is strongly unforgeable under chosen-message attack (SUF-CMA secure).
Then, Theorems 4.4 and 3.2 from the paper [49] imply that construction from (10) is IND-CCA secure.
Now, we evaluate performance of our scheme. We assume that we use the presented scheme in tree-based setting (Figure 1), and we compare it also with the stateful treebased broadcast encryption. We also assume that its security level is 128 bits. According to the properties of the schemes, their transmission and storage overheads are the same. The only difference is a computational overhead in the pairwise keys agreement process. The standard solutions use cryptographic primitives, thus for tests we chose assembler implementation [48] of the AES [50] block cipher. The polynomial interpolation required was implemented in C. ATmega1281 Microcontroller (with 8 MHz clock speed, 8 KB of RAM and 128 KB of Flash) was selected as a characteristic platform for a regular node in the sensor network. One pairwise rekeying function takes 0.4 ms on each sensor using the block cipher. At the same platform, the polynomial interpolation takes less than 0.1 ms. The implementation of the polynomial interpolation needs only 1329 bytes, while the AES uses 2141 bytes of storage.

Conclusions and Future Research
In this paper, we considered the BE problem in distributed wireless sensor networks. We defined the problem, described International Journal of Distributed Sensor Networks main existing solutions, and next focused on one-time schemes, a type of schemes that are most suitable for WSNs. The one-time schemes are resilient, that is essential in such applications. Such protocols are very attractive for WSNs also in other respects. Their storage overhead of the range O(1) (exactly up to 2 PSKs) is minimized as possible. We shown how standard BE operations may be realized to achieve efficient protocols, that is, with O(1) operations and O( j) messages in add operation and with O(1) computations and O(|T|) transmissions for delete operation. To improve transmission and revocation overheads, the protocols can be easily optimized, for example, by applying a tree-based structure. The schemes satisfy the backward secrecy and the forward secrecy properties. The one-time protocols are criticized due to a requirement of rekeying in each session. In our paper we showed that, unexpectedly, the one-time schemes in some applications are much better than other protocols. Because of the rekeying process in each session we can achieve the backward secrecy of PSKs. Another contribution to BE is including the authentication service to the protocols. We presented a symmetric cryptographybased method which has very useful security features. The scheme is also very efficient. The polynomial interpolation used is about four times faster than a fast block cipher encryption. This method ideally fits to WSNs and ensures that only a BC can generate authenticated sessions.
In this paper we extended the specific Berkovits' scheme [42], but we did not stress this fact, because our modifications are mainly generic and can be adopted in majority of BE schemes. The scheme used is relatively fast but in future research we will focus on designing more efficient one-time BE schemes. The new constructions will be dedicated to sensor networks. Another interesting subject of research is the freshness aspect in BE. It ensures that data transmitted is fresh beside of being confidential and authentic. Compiling the security services of data confidentiality, authenticity and freshness will make BE protocols more secure remaining them lightweight.