Development of an extended topology-based lightweight cryptographic scheme for IEEE 802.15.4 wireless sensor networks

Among the classes of wireless personal area networks, a wireless sensor network typically refers to a versatile and densely distributed sensing platform that enables the support of a wide variety of application domains. Among the various technical challenges addressed by more than one decade of research in wireless sensor networks, security across wireless links is by far one of the most critical ones and relates to the need of guaranteeing reliability and trustiness of the collected data. This article deals with the cryptographic aspects involved in securing wireless sensor networks, in terms of confidentiality and authentication. In particular, moving from some results previously achieved in our research activity, this article extends a cryptography scheme in order to better comply with the security requirements that arise from real-world wireless sensor network installations. The proposed scheme, called topology-authenticated key scheme 2, takes advantage of hybrid cryptography to provide security in the presence of resource-constrained sensor nodes using topology-authenticated keys to provide increased robustness to the scheme itself. The proposed extensions provide full practical support to star-topology wireless sensor networks and the article presents also some experimental results obtained by implementing the scheme on two different wireless sensor network platforms available for protocol stacks compliant with the IEEE 802.15.4 standard.


Introduction
A wireless sensor network (WSN) is a network class where small, battery-powered sensor-equipped nodes (called sensor nodes or also motes) communicate using low-power, short-range, and low-data rate wireless technologies. WSNs are designed to provide high flexibility, high measurement redundancy, and potential wide sensor area coverage with small costs. A typical mote consists of a micro-controller unit and a radio transceiver powered by a battery pack. Computational power and available memory on a mote are normally highly constrained. As a consequence, software running on motes has to be as lightweight as possible. Moreover, such limitations led software developers to adopt low-level programming languages (and, sometimes, also assembly) to minimize both WSN software execution time and memory occupation. However, projects such as TinyOS, 1 ContikiOS 2 , and RIOT-OS 3 propose lightweight low-level software frameworks (assimilable to Operating Systems, hence the OS suffix) to enhance and make easier the software development process for WSNs. An important characteristic of these operating systems is the ready-to-use software primitives and components for, for example, resource management, communication protocols, and stacks, as well as the compatibility with different hardware platforms, so that developers can focus on writing the high-level logic of WSN applications, leaving the hardware heterogeneity issues to the OS code.
Depending on the context in which a WSN is deployed, the need for security in motes communications may arise. As any other network, confidentiality, integrity, and authentication can be enforced by means of cryptography, error detection/correction, and message authentication techniques. However, due to the hard constraints on computing power, memory, and available energy in WSN motes, standard state-of-theart mechanisms and implementations of securityrelated algorithms are not always possible. In particular, considering confidentiality and authentications, the accepted techniques require the usage of public-key (i.e. asymmetric) cryptography, which implementations require an amount of memory (e.g. keys, temporary data, and look-up tables) and computing power (e.g. modular arithmetic, random number generation, factorization, exponentiation, and operations on points) which can represent an issue when combined with the actual applications on the motes. On the other hand, techniques involving symmetric cryptography, which are inexpensive and fast, require a key management mechanism to provide each mote the right key to use.
In order to overcome the described issues, a modern and effective approach is represented by the hybrid cryptography. Such techniques mix the public-key and symmetric cryptography in order to overcome the limitations of both approaches.

Background and motivations
Providing security primitives in traditional networks often implies the use of asymmetric cryptography mechanisms. This strategy guarantees an high degree of security, which is sustainable thanks to the ever increasing amount of available resources in terms of computation, memory, and energy. In fact, the robustness of asymmetric cryptography algorithms is highly dependent on the size of the keys that in turn affects the algorithms complexity and the performance of their implementations. In this sense, the elliptic curve cryptography (ECC) 4 is able to provide a very high degree of security with keys shorter than the ones used in other state-of-art public-key algorithms (e.g. Rivest-Shamir-Adleman (RSA), 5 ElGamal, 6 etc.). On the other hand, while symmetric cryptography schemes can grant equivalent security and better performances, they require a mechanism for securely exchanging, updating and revoking the cryptographic keys among the parties. However, when the computation resources, the memory and the available energy become scarce, the complexity associated to asymmetric cryptography make it unfeasible in practice.
Although modified asymmetric cryptography schemes have been discussed, 7,8 in this context, the role of symmetric cryptography coupled to a key management technique becomes relevant again. In fact, key management is a fundamental problem in symmetric cryptography, and it has a wide coverage in literature. 9 In the scheme proposed in this article, with respect to the existing key management solutions (see section ''Comparison with state-of-the-art solutions''), keys are not fully distributed to each node of the network. Instead, they are the result of a dynamic generation phase based on partial key components (pre-distributed and locally stored in each node) as inputs, as in Pugliese and Santucci's study. 10 By combining components with low-complexity operations, nodes are able to compute the symmetric decrypt/encrypt key without any prior setup/negotiation. More in detail, the proposed scheme (topologyauthenticated key scheme (TAKS)) represents a quite extension of ephemeral Diffie-Hellman-like cryptographic protocol providing security over a resourceconstrained network (typically ad hoc networks, for example, sensor networks for monitoring services) to establish both point-to-point and point-to-multipoint secure links among nodes. Such a scheme, called TAKS2, uses hybrid cryptography, and only partial components of symmetric keys are predistributed (and not the whole keys). It is an evolution of the original TAKS, that was earlier presented by Pugliese and colleagues. 10,11 The authentication mechanism of the scheme is based on nodes topology rather than on nodes identity, due to the limited lifetime of nodes in a resource-constrained network. Indeed, while nodes in infrastructure networks can rely on an external power supply and on a stable planned maintenance service with human intervention, the nodes in ad hoc networks can rely only on their own battery or some other energy harvesting mechanism, and maintenance services are usually remotely performed without human intervention. When an off-duty node is replaced with a new node, the new node identity enters in the network, but node topology remains unchanged and the authentication mechanism does not need any updating. Security features of TAKS2 include confidentiality (data encryption), data integrity, and sender authentication (signature). In TAKS2, the shared secret is a symmetric key generated by each party involved in the communication session upon a successful authentication process: each party verifies if the other party belongs to its authenticated network. The assignment parameter to each node is carried out by an external certification authority (CA), next the scheme parameters are pre-loaded into the nodes. Vector space rather than scalars over Galois fields has been introduced to allow the setup of truly scalable multicast communication sessions, hence without setting up multiple unicast sessions: the added dimensionality respect to scalars introduces a further degree of freedom for CA in the procedure of scheme parameters computation and assignment. From an engineering point of view, multicast sessions provide a relevant feature, especially for clustered networks, where time synchronization in data transmission is required as well as lighter memory storage: multicast sessions avoid traffic flooding, hence wasting of energy, when maintenance services are activated on such clustered networks (e.g. the updating of some configuration parameters in a specific portion of the network). With respect to classical solutions of key-assignment schemes on network, the scheme proposed in this article does not rely on pre-distribution of the complete keys but of a component of them: this is a nice property from a robustness point of view because the shared secret in elliptic curve TAKS (ECTAKS) is a function of both sender and receiver private key components, while in ordinary ephemeral Diffie-Hellman-like schemes typically the shared secret is a function of the complete sender whole private key and the receiver whole public key.
Moreover, the article reports the details of the implementation of the proposed scheme both in nesC/ TinyOS 2.x, an operating system for a variety of families of sensor nodes, 1 and in bare-metal C language (supported by Atmel legacy libraries). 12 Finally, the article describes the experimental results obtained by means of real deployments on two hardware platforms: a clone of the famous Texas Instruments TelosB sensor node and a legacy sensor node provided by Atmel A testbed application has been developed to simulate a real-world monitoring scenario (sections ''Basic network configuration'' and ''Scenarios description''). This testbed has been used to validate the correctness of the scheme and to evaluate its performances in terms of computation time and memory occupation (sections ''Performance evaluation'' and ''Results'').

Comparison with state-of-the-art solutions
Symmetric cryptography schemes, such as Advanced Encryption Standard (AES 13 ), have usually very high performance and limited footprint in memory. Moreover, to improve performance, various microcontrollers and radio transceivers provide symmetric cryptography primitives directly as hardware accelerators. However, in symmetric schemes, the symmetric key needs to be known and available by every node before sending or receiving messages.
This requirement leads to the Key Distribution and Key Management issues frequently addressed in the literature. In fact, there are solutions based on key predistribution, 14 which consist of the deterministic predistribution of keys. The trivial security solution consists in distributing a key for each pair of nodes, and, as extreme (and less secure) case, the same symmetric key for each node of the network. A derivation of the previous mechanism is the random pair-wise key schemes which consist of storing only a subset of all possible keys in each node. 15 Nodes that wish to communicate have to negotiate a key with their peers, by selecting a random key from their subset. A simplification is possible if nodes locations are known, by providing to each node only the keys for the actual neighbors. 16 In cluster-based networks, it is possible to adopt a cluster pre-distribution scheme. Clusters use different keys, 17 while, within a cluster, the same key is used. Some mechanisms, for example, the master key pre-distribution 9 define a master key which is used (combined with some previously exchanged nonce values) by nodes to re-create the symmetric key. Some schemes 18 use different paradigms to distribute the keys, such as the use of mobile-agents capable of moving inside and distribute the cluster key dynamically and with reduced energy consumption. Alternative schemes use the key-matrix based dynamic key generation, 19 the identity-based encryption 20 and the threshold cryptography 21 to manage and distribute keys while reducing the energy consumption.
In this context, while TAKS2 does not achieve the same performance of a pure symmetric scheme, it resolves the secure key distribution problem with a small impact on performance. On the other side, public-key schemes (e.g. RSA and ECC) solve the key distribution problem and provide a higher degree of security at the cost of increased impact on performance and memory. For example, in a typical WSN node with a 8-bit micro-controller, the modular arithmetic operations, such as addition and multiplication, have to be implemented by means of algorithms which operate byte-wise on the numbers/points, introducing a non-negligible impact on performance and memory. In TAKS2, instead, the complexity and impact of such operations are moved to the key components generation: once the key components are available to nodes, the operation to combine them so obtaining the symmetric key (i.e. TAK( Á )) has a very lightweight impact on performance. This advantage also affects the communication throughput, since faster encryption/decryption operations result in faster communications.
In comparison with other hybrid-cryptography schemes, 22225 TAKS is suitable for real-world WSN motes, has lower average overhead both in timing performance and memory occupation, and provides the possibility of choosing different approaches for symmetric encryption/decryption and for authentication of received messages. In Table 1, we present a brief comparison of common general cryptographic solutions and TAKS2, while in Table 2 a comparison with other state-of-the-art hybrid cryptographic schemes for WSN is shown. TAKS supports all the hardware platforms supported by the TinyOS 1 operating system, whereas in most of the state-of-the-art hybrid cryptography schemes the OS/hardware support is not clear or limited to software simulations. The performance overhead (apart from the networking stack overheads) is comparable or better than the other schemes with a memory occupation which is beaten only by adopting external hardware modules (as in Hu et al. 27 ). TAKS provides its own lightweight key exchange protocol (described by Pomante et al. 11 and reported in this article), symmetric key encryption with no restriction on the key size or the cipher used and an authentication primitive based on the message authentication code (MAC) check. Other schemes, instead, have only a single 23,24 or fewer cryptographic capabilities.

Paper organization
The next sections of the article are organized as follows. In section ''TAKS,'' original TAKS scheme is resumed   along with the enhancements of its second version, that is, TAKS2. Section ''Security analysis'' covers the security analysis of TAKS2. Section ''Computational and spatial complexity analysis'' describes the theoretical computational and spatial complexity of TAKS2. In section ''Design and implementation issues,'' design and implementation issues over two different WSN platforms are discussed while, in section ''Verification and performance evaluation,'' the verification and the performance evaluation processes, with related experimental results, are described in detail. Finally, section ''Conclusions and future works'' concludes the article with some comments and planned future works.

TAKS
TAKS is a cryptographic scheme to provide passive security at link layer. TAKS is a hybrid deterministic key establishment protocol (KEP) to establish both pair-wise and cluster-wise secure links. Its security functions include confidentiality (data encryption/ decryption), data integrity, and sender authentication (signature). The symmetric key is generated by the parties on a successful authentication process (TAKS Authentication) based on the verification that the involved parties belong to a predefined planned network topology (PNT). We define qualitatively a PNT to be the network topology planned by the network planner in order to fulfill given requirements. In this context, the eligible neighbor nodes are defined as the nodes authorized to communicate with a target node. A PNT represents the network topology as it is expected to be at service runtime: therefore, the PNT can be considered as the authenticated network topology (ANT) for that portion of network. Each node pre-stores a set of TAKS security parameters (denoted as local configuration data, LCD) namely the local key component (LKC), a set of transmitted key components (TKCs) and and a set of topology vectors (TVs), each TV associated to a node belonging to the ANT. LKC takes the role of private key of the node while TKCs and TVs take the role of public key of the node/cluster of nodes. An (external) CA binds LKC to the node ID and TKCs/TVs to the nodes IDs (or Cluster IDs) associated to the ANT. Therefore, the membership of a node to a specific ANT is certified by the assignment of the associated TV. Any node in a specific ANT is an authenticated node. A TAK is generated if the involved parties belong to the same ANT (hence the attribute of ''topology-authenticated key''). The PNT is implemented as a distributed data structure, in which the information on the available communication links are stored for each node in the network. In particular, each node portion of the PNT contains (at minimum) the subset of TKCs and TVs relative to each one available to the node. Additional information could be stored if required by the TAKS implementation. TAKS2 is the enhanced version: 11 both represent a hybrid cryptography scheme, since they do not rely explicitly on asymmetric or symmetric keys to secure the WSN data transmissions. In literature, there exist other hybrid cryptography schemes 25,28,29 but TAKS2 is the only scheme proving WSNs with a secure encryption mechanism along a topology-based authentication with minimal performance overhead and memory footprint.

Description of the cryptographic scheme
Before describing the inner mechanisms of the cryptographic scheme, we present the security level definitions that will be adopted in the rest of the article: 11 Public: general public information, accessible by anyone (attackers included). Restricted: network-level private information (accessible by nodes in the network). Private: node-level private information. Secret: planner-level private information.
As a requirement of the scheme, a data structure called LCD has to be stored inside the WSN nodes. The LCD contains the definition of scheme parameters, including the key partial components and topology information. Topology definition can be physical (e.g. with geographical position of nodes) or logical (i.e. in terms of which node pairs can communicate) depending if the scheme is applied on physical/MAC layer or upper layers, respectively. LCD includes: The local key component (LKC); The (ephemeral) transmit key component (TKC); And planned network topology (PNT).
LKC is a component that is kept secret and stored in the target node, while TKC is a public component that is distributed to every node enabled to communicate with the target node. PNT is a set of TVs used to describe the relationship (one-to-one or one-to-many) among eligible neighbor nodes for pair-wise and cluster-wise link configuration, respectively. The security of the proposed scheme is based on the confidentiality of some offline secret parameters (denoted as ''TAKS primitives'' in the following sections) used to generate the keys.
In the following paragraph, we introduce the scheme (details can be found in Pugliese and colleagues' studies). 10,11 Choose a large prime number p such that p ) N where N is the total number of nodes in the WSN. Let U be a tri-dimensional vector space over GF(p) with Let be a function, called TAK( Á , Á ) with the following characteristics: R1. It must be a surjective function and TAK(u, u 0 ) 6 ¼ 0, 8u, u 0 2 U . R2. TAK(u, h(u 0 ))=TAK(u 0 , Àh(u)), 8u, u 0 2 U , where h() is an arbitrary vector function in U . R3. TAK(au, u 0 ) = TAK(u, au 0 ) = aTAK(u, u 0 ), 8u, u 0 2 U and a 2 GF(p).
The TAK( Á , Á ) function is used to generate the topology-authenticated keys from the pre-distributed components.
Let g( Á , Á ) be a function satisfying the following requirements: R4. It must be a surjective function. R5. g(p, v) = 0 only for a predefined set of distinct values of p, v.
The g( Á , Á ) function is used to verify the authenticity of every incoming message.
In Figure 1, a representation of the proposed scheme is shown.
Given the set of eligible neighbors nodes of node n i (the set s(i), the PNT of node n i is defined to be the set of TVs TV (i) = fTKC s(i) g. Along the PNT, each node stores also its TKC i and LKC i .
In every communication, a nonce value a 2 GF(p) has to be generated. If the node n i wants to communicate with n j , it builds a message payload containing: The result of the symmetric key encryption of the message, the cipher text (c), using SS = aTAK(LKC i , TKC j ) as a symmetric key.
The key reconstruction information (KRI, d), where d 2 U and d =À aTKC i ; A MAC (t) (denoted as MAC( Á )) and computed using any secure cryptographic keyed hash function with aTAK(LKC i , TKC j ) as key.
As shown in Figure 1, alpha and all the values generated from it (e.g. SS, d, etc.) are generated for each communication and never stored.
Upon the reception of a message, the node n j calculates back the symmetric key to correctly decrypt the content of the message. The key is computed with TAK(LKC j , d) because: The message authenticity function g( Á , Á ) has to return zero when original encryption key and computed decryption key are identical. As shown in Figure  1, this computation uses t to verify whether this condition is met. Starting from the first version, TAKS has evolved into TAKS2. 10,11 This second version has the following main features: TVs in a node can now coincide with the TKCs of its eligible neighbors. This reduces the memory occupation in nodes when pair-wise communications are adopted. In TAKS2, the transmission protocol uses only a single phase for the setup of the scheme, that is, no prior exchange of the TKCs between nodes is needed. This is possible thanks to the d information contained in each message. In TAKS2, authentication is performed by a standard authentication function (e.g. HMAC).
The main drawback in TAKS2 is the ephemeral TKC to be transmitted each time a new SS is needed. Although this increases message size and thus energy consumption per transmission, in monitoring applications, the sample rate depends on the dynamics of the monitored system: if high transmission rates are needed, key size (hence message size) should be reduced without degrading security. In this context, as described in the previous section, TAKS2 can adopt ECC in order to reduce key size. 30

Formal apparatus of TAKS/TAKS2
Building blocks of the proposed scheme are as follows: 1. Hybrid-key cryptography. 2. Topology-based network authentication.
Hybrid-key cryptography. Let nodes n i and n j be a pair of nodes. The following definitions are assumed: Let GF(p) be a prime-based Galois Field such that p ) N with N equal to the number of nodes in the network and p a large prime number such that p À 1 has a suitable large prime divisor (p should be a safe prime number). Otherwise, let GF(p n ) be an extended Galois Field with p prime (e.g. p = 2), n an integer and p n ) N . Hereinafter simply Let u = (u 1 , u 2 , u 3 , :::, u d ) be a vector over GF( Á ) and ku 2 GF( Á ) = (ku 1 , ku 2 , :::, ku d ) for k = 1, 2, 3, :::p À 1.
the TAKS node IDs (these IDs are used only during the key components computation).
Let LKC, TKC, t be result of public hardly invertible (i.e. one-way) functions of the TAK generators (A, b, c, m). Let: Pair-wise TAKS2. In pair-wise communications, the scheme can be simplified using the following additional definitions: Applying the definition of TAK j Using the vector algebra property x Á (y 3 z) = yÁ (z 3 x), we have So, in TAKS2: The transmitter TAK is the scalar product between the LKC and the TV associated to the destination node. The receiver TAK is the scalar product between the LKC and the TKC.
Furthermore, fixing m, c, b and letting a i , a j 2 A, the following properties hold: The LKC components are different for different nodes since k li k a i and k lj k a j with a i 3 a j 6 ¼ 0.
Hence k li 3 k lj 6 ¼ 0. 3. The TKC components are different for different nodes since k ti k m 0 3 k li and k tj k m 0 3 k lj and k li 3 k lj 6 ¼ 0.
Topology-based authentication. As by Pugliese and Santucci, 10 TAKS/TAKS2 authentication is based on two main elements: a verification function g( Á , Á ) and a set of TVs, one for each eligible neighbors nodes of n i . With the definition of TV (i) = fTKC s(i) g = fk ts(i) g as the set of s(i) TV stored in node n i , we can directly set t j [k tj .
Given a user-selected keyed hash function, 31 MAC( Á ) we define the authentication function as g(p, v) = g(SS j , SS i ) = MAC(SS j ) À MAC(SS i ). This latter definition is compliant with R4 and R5 requirements defined in the previous section.
Theorem 2 (network topology authentication). In a node pair n i and n j , if MAC(SS j ) computed by receiver n j is equal to MAC(SS i ) sent by transmitter n i , then n i is network topology authenticated by n j .
Proof. Node n j computes SS j = k lj Á d. Node n i computes SS i = ak li Á k tj . If g(SS j , SS i ) = 0, we have that MAC(SS j ) = MAC(SS i ). Cryptographic hash function collision property 30 implies that SS j = SS i or that k li , k lj , k ti , and k tj are compliant to R2 and R3. Thus, n i is network topology authenticated by n j .

Security analysis
Security analysis can be performed along three proofs: entropy highness of the secret share, robustness (or reliability) of data transmissions for a single node (node level) and for a set of connected nodes (network level). The former deals with the goodness and effectiveness of the generated TAK as a cryptographic key for an highentropy encoding. The latter with the complexity of the reverse problem associated to the cryptosystem to derive the private key materials from publicly known parameters: the lower the complexity, the lower the reliability can be assured by the cryptosystem in data transmission: at a node level this means the evaluation of the computational complexity of the reverse problem. However, in case of a compromised node (e.g. the node has been physically captured by the attacker), next problem would become how reliability in data transmission for other nodes could be reduced in case where one or more nodes were compromised. Therefore, robustness at network level can be straightforwardly defined as the maximum percentage of compromised nodes that cannot reduce reliability in data transmissions for the other nodes in the network.
Let us start with TAK entropy evaluation. TAK entropy relies on the randomness of the secret TAKS primitives m, c, a, and b. By definition, these primitives are randomly chosen. Key components k l and k t are injective functions of secret TAKS primitives as well as TAK function defined as the scalar products, again an injective function, between vectors k li and k tj or, equivalently, between vectors k lj and k ti : therefore, randomness is preserved from TAKS primitives to TAK. Randomness of k ti (k tj ) can be further enhanced by a random multiplicative factor to be locally applied to build the ephemeral k t is being transmitted from node i (node j) to node j (node i). Therefore, particular care has been used in designing and implementing the pseudo-random number generator (PRNG) algorithm in the nodes.
For what concerns TAKS robustness at single node and network levels, the following proofs can be provided. Scheme robustness at single node level: In TAKS2, the reverse problem derives the secret TAKS primitives m, c, a, and b from the knowledge of k l , k t , and the (public) expression of f ( Á ). Prudentially, we include also k l even if this is the private key component because both k l , k t are preloaded in the node and therefore exposed to attacks ranging from power analysis or side-channel attacks to physical capture.
Proof. Each equation in (q) shows that the functional relationship between k lj , k ti , m, c, a, and b to be a discrete logarithm which is a problem of well-known complexity by cryptologists (also denoted as the Diffie-Hellman problem) k l = ab mÁ(a + c) k t = (m 3 a)b mÁa Scheme robustness at network level: Given a network with N nodes, a cryptographic scheme is Tsecure if an attacker should capture at least T + 1\N nodes and therefore should compromise at least T + 1 sets of their preloaded key materials to gain enough information to derive the other N À (T + 1) key materials preloaded in the other nodes of the network or, in other words, compromising only T sets of preloaded key materials cannot reduce the reliability in data transmissions for the other N À T nodes.
The maximum value for T depends on the capability of network protocols to rearrange connection among the residual N À T nodes without degradation of the overlying services. However, usually is provided the proof for the case T = N so that any choice for T is covered. It can be proved that TAKS is N -secure (i.e. T = N ).
Proof. Equations in (q) should be both solved for a, m, c, and b to derive k l , k t and therefore, all TAKs in the network. According to the definition of T -Security, the proof is iteratively developed: in case node i has been captured, equations in (q) return ' p 4 free solutions for (a, m, c, b), hence ' p 4 À 1 spurious solutions for TAK. A solution is defined spurious when part of it is computed by assigning arbitrary values to some unknowns due to lack of information on them (in this case ' p 4 À 1 constraints are missing) and the corresponding TAK results incorrect and useless for the attacker. Therefore, another node, say node j = 2, should be captured to compromise another set of key materials: equations in (q) now return ' p 4 À p free solutions for (a, m, c, b), hence ' p 4 À p À 1 spurious solutions for TAK. Note that the constraint a i 3 a j 6 ¼ 0 indicates that a i and a j cannot be parallel which eliminates ' p solutions for (a, m, c, b). Next step for the node j = 3, equations (q) would return ' p 4 À 2p free solutions for (a, m, c, b), hence ' p 4 À 2p À 1 spurious solutions for TAK. Note that the constraint a i 3 a j 6 ¼ 0 shall be applied twice (for nodes j with j = 2 and j = 3) and ' 2p solutions for (a, m, c, b) shall be eliminated.
Iteratively, if the node j = n has been captured and its set of key materials compromised, equations in (q) return ' p 4 À np free solutions for (a, m, c, b), therefore still ' p 4 À np À 1 spurious solutions for TAK: as N ( p, there are still p 4 À Np ' p 4 spurious solutions for TAK even for n = N .

Computational and spatial complexity analysis
In this section, we describe the computational and spatial complexity of proposed scheme regardless of which symmetric encryption/decryption algorithm and MAC function are adopted. Table 3 shows the computational complexity of TAKS2. Also, assuming that: n is the adopted key size (in bytes). #s(i) is the cardinality of the set s(i). Data are made of words of 1 or multiple bytes. The generation of a random word costs O(1).

The sum of two words costs O(1). The multiplication of two words costs O(1).
Then: To generate a n-bytes random byte-stream (rand()), we need to generate (1=s)O(n) random words, so the cost is O(n) (s is the size of the word in bytes). To add two n-bytes number, we need to perform O(n) additions of word, so a full addition costs O(n). To multiply two n-bytes number, we need to perform O(n(n + 1)=2) multiplications and O(n) additions. So a multiplication costs O(n 2 ). An inner product of two vectors of n-bytes components, consists of three n-bytes multiplications and two n-bytes additions, so an inner product costs O(n 2 ). To compute TAK at the destination node, we need to search for the right TKC/TV (e.g. linear search: O(#s(i))) and to compute the inner product with the LKC, for a total cost of O(n 2 + #s(i)).
In a point-to-point communication scenario, since sending a complete message using TAKS2 consists of executing the functions rand(), get tak(), and multiply(), the total computational complexity of TAKS2 encryption is O(n 2 + #s(i)) ' O(n 2 ). The decryption step performed by the destination node has a complexity equal to the complexity of an inner product(), so O(n 2 ).
The spatial complexity is analyzed as follows. Assuming: Each key component (LKC, TKC) requires k bytes to be stored in the node memory. The a random value, the key reconstruction information KRI and the SS require k bytes each. Each node has to store its LKC and the TKCs of each neighbor node inside the PNT.
We can state that: a, KRI, SS, and t require a constant memory size (O(1)). Each node has to reserve an additional space of O(k + n Ã k) = O(n Ã k) for storing the PNT, where n is the maximum number of neighbor nodes (i.e. the maximum degree that can be found in the WSN topology graph).

Design and implementation issues
The topic of this section is the design and implementation of TAKS2 for a real-world star topology WSN. First, a basic background on 802.15.4 is provided, followed by specific considerations for TAKS2; then, implementation issues are analyzed for software architecture and details about two different available MAC layers are explained.

Introduction to 802.15.4
The IEEE 802.15.4 32 is the reference standard on low rate wireless personal area networks (abbr. LR-WPAN). It describes the first two layers of the ISO/ OSI networking protocol stack (the physical layer and the MAC layer). The IEEE 802.15.4 defines two types of nodes: the full function devices (FFD) and the reduced function devices (RFD). While the RFD are devices capable to perform only basic computation and data retrieval, the FFD are more complex and computational powerful devices, capable also to act as WPAN coordinator of the network. The WPAN coordinator (i.e. coordinator) is the device responsible of creating, maintaining, and synchronizing the network.
The standard defines some basic network topologies (e.g. basic peer-to-peer, star topology, and cluster tree) and two WPAN types. The nodes in a beacon-enabled WPAN have an isochronous channel access obtained through the use of beacon frames emitted by the coordinator. Instead, in a beaconless WPAN, the nodes communicates without such frames. In both cases, the CSMA-CA channel access mechanism is used: in the case of beacon-enabled PANs, the slotted CSMA-CA is used, while the unslotted CSMA-CA (ALOHA) is used in the beaconless PANs.
In the case of beacon-enabled PANs, the standard defines a Superframe structure (Figure 2). This structure can be further divided into the active and the inactive portion. Inside the active portion, a set of optional contention-free slots can be defined to reserve communication slots to a chosen set of devices (up to 7).
Each of the two provided layers offers a set of services via a corresponding set of interfaces. The services offered by the PHY layer to the MAC layer are the PHY data service (PD) and the PHY management service (PLME). The services provided by the MAC layer to the higher layers are the MAC data service (MCPS), and the MAC management service (MLME).
While the IEEE 802.15.4 PHY layer is commonly implemented in radio chips, the MAC layer specification has not a wide selection of available implementations. This is due the fact that applications often use simpler techniques for accessing the communication channel instead of implementing a 802.15.4 compliant Table 3. Computational complexity of TAKS2 functions.

TAKS2 design considerations
In order to provide an efficient TAKS2 architecture design, the features of the IEEE 802.15.4 standard have been taken into consideration in the design phase. First of all, in order to provide a seamless and efficient integration with the IEEE 802.15.4 standard, TAKS2 is designed to operate directly at the MAC layer although it is possible, in general, to implement TAKS also in upper layers. TAKS2 cryptographic primitives are made available to the MAC layer services, for example, during the device association, to achieve a better control over incoming and outgoing transmissions and smaller latency during encryption, decryption, and authentication.
As a consequence, a device inside a TAKS2-enabled WSN has to pass two kinds of association before being able to transmit and receive data from the coordinator. The first is the IEEE 802.15.4 MAC association step (via the MLME-ASSOCIATE interface defined in the standard), while, the second is the TAKS2 association, a primitive that enables a device-coordinator link to be validated through the TAKS2 authentication function defined in the previous sections.
TAKS2 uses a set of finite state machines (FSMs; Figure 3) to control the behavior of cryptographic primitives. In particular, each device node has a tri-state machine with the following states: Unknown-the device is not currently associated to the coordinator. Associated-the device is associated (via the IEEE 802.15.4 association mechanism) to the coordinator. Ready-the associated device is authenticated also via the TAKS2 association. In this state, the device can exchange messages with the coordinator.
The coordinator keeps and updates a copy of the state of each device FSM, so that is also possible for it to monitor the overall WSN state. TAKS2 uses a set of additional data structures (Figure 4) to support the IEEE 802.15.4 standard: The Address Pool represents the set of available device addresses. Each entry in the data structure contains the short and extended 802.15.4 address and an availability flag.
The Neighbor Table stores a set of neighbor control blocks (NCB), one for each device. An NCB contains the address information of the device (short and extended address), its FSM state and the private cryptographic information (key reconstruction information, SS and TKC/ TVs).

SW architecture and implementation issues
In this section, we describe two implementations of TAKS2 based on the design described in the previous section. One adopts the TKN154 MAC layer and the other is based on the Atmel proprietary stack. The main goal is to demonstrate the feasibility of using TAKS2 on top of well-known IEEE 802.15.4-compliant network stacks. In the following sections, the two implementations are discussed and the feasibility of introducing TAKS is analyzed. Then, both of them are verified and compared to highlight the advantages and disadvantages of each one, with particular attention to their performance results.
Software architecture. The software architecture adopted in both implementation is shown in Figure 5. The architecture uses the bridge design pattern in order to provide a non-intrusive, de-coupled, and flexible approach to connect the target MAC layer with the TAKS2 components. In Figure 5, the IEEE 802.15.4 MAC layer (bottom box) offers two of the available services (MCPS-Data and MLME-ASSOCIATE) to the bridge, which calls the TAKS2 key generator and the inner symmetric block cipher to provide to the upper layer the TAKS2 primitives. For sake of example, in the figure, the MAC layer shown is based on the TKN154 while the block cipher is based on the AES cipher in cipher block chaining (CBC) mode with a key length of 192 bits. The bridge layer takes care of: monitoring MAC layers requests; building proper responses; retrieving the TAKS2 key components; and combining them according the scheme to generate the shared secret, which is then used as symmetric key in the AES encryption/decryption. Such an architecture allows TAKS2 implementations to adapt and evolve, supporting new features and new symmetric ciphers without the need of a code refactoring process. Also, since the bridge layer can optionally be disabled, it offers also a compile-time on-demand security option, so that a WSN network operator can choose which node has to use TAKS2 (increasing the communication security) or to use direct MAC layer primitives (increasing the performances) seamlessly. are kept in separated components, making possible to enable or disable them selectively. 4. The whole TKN154 architecture is organized in various abstraction levels, allowing it to be highly customizable.
One drawback of the TKN154 is the pre-requisites needed by a platform to be fully compatible with it. The most evident of these prerequisites is a proper and stable hardware timer, which should be able to output a 62.5 kHz frequency clock with a maximum error of 40 ppm. Atmel MAC. The TKN154 project is not the only 802.15.4 MAC implementation available: Atmel provides a proprietary network stack 34 for its AVR platforms which complies on the 802.15.4 standard. The stack is organized into sub-layers. Among those, the platform abstraction layer (PAL), the transceiver abstraction layer (TAL), and the MAC core layer (MCL) constitute the part of the stack that can be seen as the MAC layer. The first provides hardwaredependent code needed to interface to available peripherals, the TAL takes care of frame handling, power management, CSMA handling and general state transitions while, the MCL implements the basic 802.15.4 MAC standard primitives, such as the MAC Management Service (MLME).
Random number generation. The a value in the scheme has to be randomly generated to ensure it is unpredictable by attackers. This aspect is critical since a vulnerability in the random number generation can affect the security of the overall scheme. In particular, a has to be generated by a PRNG which has some specific properties that make it suitable for cryptography (CSPRNG). A PRNG is defined by a deterministic algorithm which is able to generate, given an input value called seed, a pseudo-random numbers sequence. The output sequence of a PRNG, approximately, has the same statistical properties of a sequence generated by a truly random process. In the cryptography context, it is fundamental that the PRNG generates a pseudo-random numbers sequence which is unfeasible to be entirely reconstructed starting from a sub-sequence of it: an attacker could listen to the sequence, retrieve the seed and hence, learn the future pseudo-random values. In TAKS2, the a value in the scheme is generated by a PRNG based on Mersenne Twister algorithm. 35 In order to increase randomness of the value, we have used the sensing functionality of WSN nodes (i.e. the temperature and the humidity sensors) combined with LQI and RSSI values coming from the radio transceiver. Given the unfeasibility to learn about the values of the physical phenomena in the area around the WSN nodes, we have used such values to create the seed for our implementation of the Mersenne Twister algorithm.

Verification and performance evaluation
In order to check the correctness of the implementations of the scheme and their performance, in this section, we describe the verification phase of TAKS2. A set of scenarios, each one using a different operating conditions for devices and coordinator, has been selected to test TAKS2 components. For each scenario, we have verified the correctness and the effectiveness of the TAKS2 implementations when deployed in a star topology (the verification of the basic point-to-point configuration can be found in Pomante et al.'s 11 study).

Basic network configuration
The basic network configuration used in the verification phase (Figure 6) consists of a star-topology WSN formed by one cluster head node (coordinator) connected to nine different cluster member nodes (device). This is a common topology that is used in data collection environments, where the cluster members are meant to retrieve data while the cluster head collects, elaborates, and transmits them.
The sensor nodes used in the experiments are the following: For the TKN154-based implementation, we have adopted the Advanticsys CM5000 36 (Figure 7), a clone of the more famous TelosB 37 node. This node embeds an MSP430 micro-controller unit, a CC2420 radio chip (IEEE 802.15.4 compliant), a 48 kb of flash memory, and 10 kb of RAM. For the Atmel MAC implementation, we have adopted the nodes included inside the Atmel REB212BSMA-EK kit 38 (Figure 8). They are based on the Atmel ATMega1281 microcontroller unit with 128 kb of flash, 8 kb of RAM memory, and the AT86RF212B (IEEE 802.15.4 compliant) radio transceiver.
Testbed application. During the experiments, the coordinator and the devices have been programmed with a testbed application. This testbed performs a typical monitoring application using directly the interfaces provided by the MAC layer. In this way, we can verify the correctness of TAKS2 primitives and the communication between TAKS2 and the MAC layer in a realistic environment. In such a testbed, the nodes have the following roles: Each device periodically samples its installed sensors (i.e. temperature and humidity), builds a message with the retrieved measures and sends it to the coordinator. The coordinator receives messages, parses their content, aggregate the measurements, and sends the result to the PC via the UART port.
This testbed is deployed in two flavors, the un-secure version (i.e. no TAKS2) and the secure version (i.e. using TAKS2). The two versions differ on the components involved in the communication: the un-secure testbed communicates using no additional layers, while the secure version uses TAKS2 via the bridge layer discussed in section ''Computational and spatial complexity analysis.'' The two versions of the testbed have been deployed and tested on the CM5000 WSN nodes (using the TKN154 MAC) and on the REB212BSMA kit nodes (using the Atmel 802.15.4 MAC). The discussion of the obtained results is reported in the following paragraphs.

Scenarios description
In order to verify the implementations and to evaluate performances, we have used both the un-secure and secure versions of the testbed application against five different scenarios, each one with a different set of network parameter (more information about these parameters can be found in IEEE 802. 15.4-2015 32 ) values. The network parameters we have considered are shown in Table 4.
The selected length (in bits) for the elements in GF(p) and the key components (LKC, TKC) has been set to 192, which it is a good compromise between memory size and security level.
Verification results. The verification of both TAKS2 implementations with the two testbed versions across the different MAC parameters sets has been successful: by analyzing the outputs of the communications between the coordinator toward the PC, it is possible to reasonably state that TAKS2 works as intended: the SS reconstruction (on the receiver side) is correct, the authentication code is verified and the encrypted messages are successfully decrypted (Figure 9 shows a screen-capture of the TKN154 testbed). This result highlights the feasibility of adopting TAKS2 in real-

Performance evaluation
Following the initial verification, a performance evaluation has been conducted in order to analyze the overhead related to the usage of the scheme. So, in this section, we first introduce the metrics that have been defined to evaluate the performance, then we report some of the obtained results, mainly focusing on the scheme impact on performances.
Metrics. In order to evaluate the performance of TAKS2 scheme implementations and the impact on the MAC layer performance, we have defined two set of metrics. The first set is composed of metrics related to the overall MAC layer performance: MAC layer association (MAC Assoc). This is the time needed by a device node to successfully perform the IEEE 802.15.4 association process (MLME-ASSOCIATE) with the coordinator. Transmission time (TX time). This is the delay between the MAC data request (MCPS-DATA.request) and actual transmission of the first frame of the message. Reception time (RX Time). This is the delay between the MAC layer data arrival (MCPS-DATA.indication) and when such data are passed to the higher layers. Frame Error Rate. This is the number of unsuccessfully received frames by the MAC layer with respect to the total transmitted frames.
The second set of metrics has been used to evaluate the performances of TAKS primitives (e.g. encryption, decryption, key generation, etc.): TAKS2 key computation time (TX key gen): This is the time required by TAKS2 to successfully generate a Shared Secret from the key components. TAKS2 key retrieval time (RX key gen): This is the time required by TAKS2 to successfully recreate the proper Shared Secret from the KRI and the receiver's key components. TAKS2 Association Delay (TAKS2 Assoc): This is the delay introduced by the TAKS2 Association, which takes place after the IEEE 802.15.4 default MAC association process (MLME-ASSOCIATE).

Results
In order to correctly evaluate the MAC layer and TAKS2 performance, we have conducted tests  Figure 9. TAKS2: data from a sender node (left) and a receiver node (right) sent to PC via UART. considering all the parameters set reported in Table 4.
The tests have been replicated for the un-secure and TAKS2-enabled versions of the testbed for both the MAC layer implementations. The results reported in this section are the average values of the metrics described in section ''Verification and performance evaluation'' performed across the different parameter sets and each device node. The results for the TKN154based implementation are shown in Table 5 for unsecure testbed application and in Table 6 for the secure version, while, in Tables 7 and 8, we show the results related to the Atmel Stack. The total memory overhead of the secure version for storing the LCD in our test scenario ( Figure 6) has been ;400 bytes for the clusterhead node and ;200 bytes for the other nodes. The size of additional code required to implement the TAK( Á ) function has been ;400 bytes for the TKN154 testbed and ;300 bytes for the Atmel testbed. Additional memory is required by the adopted symmetric cipher (i.e. AES) implementation. In our case, for the TKN154 testbed application, the memory required by the AES implementation (as a TinyOS component) has been ;1300 bytes, while, for the Atmel-based testbed, the memory required has been ;800 bytes.
Result analysis. The results show that in the TKN154 secure version of the testbed, the performance loss introduced in Tx/Rx operations is around 20 ms (from + 150% to + 330%). In the same tables, it is possible to observe that TAKS2 does not interfere with the standard 802.15.4 MAC association. The frame error rate is almost the same for the un-secure and secure version of the testbed, although the longer transmission times reported in the secure version slightly affected the rate ( + 0:8%). From the values, it is noticeable that the transmission time (TX time) in both the secure and unsecure results shows a higher deviation. This is due to different factors, although the higher contribution is related to the channel access protocol (CSMA). Finally, in the secure version, the Tx key gen and the Rx key gen show an average 8 ms difference. This difference is expected, since the key computation step during transmission is different and requires more operations (e.g. the random number computation, the SS retrieval, etc.     time is more than three times the TKN154 one. The reason of this difference is partly due to the different computations required during transmission and also due to the different code style of the key generation primitives (i.e. the TKN154 uses TinyOS 2.x as lower-level code, while the Atmel MAC uses its own low-level code substrate). Considering a typical monitoring application deployed on a WSN, for example, a star-topology with the local PAN coordinator acting also as sink-node a the center, the performance overhead could be neglected if the transmission frequency is less than the maximum time required to sample, encrypt, associate, and transmit the measurements. As the results show, baseline TAKS2 implementation on common WSN nodes is effective in the case of slow-monitoring application. In order to make TAKS2 effective also for higher transmission frequency, the following solutions could be adopted while preserving the security level: 1. Encrypting and sending multiple samples per transmission. 2. Providing a platform-specific implementation of TAKS2 to gain advantages from the platformspecific features (e.g. hardware multiplicators).
On the memory impact, both implementations use less than 2 kb of additional memory to store data and code required by the scheme. Considering state-of-theart cryptographic schemes and their implementation on WSN platforms (e.g. AES, RSA, ECC-ECIES), we can state that, generally, TAKS requires more memory than pure symmetric schemes (since TAKS itself requires a symmetric encryption scheme), but less than any public-key schemes. In fact, considering public-key schemes such as the ECC-based encryption scheme ECIES 39 and using the least possible memory, each node is still required to store, in addition to its private and public keys, at minimum, the curve domain parameters for each supported curve and the code required to implements elliptic curve basic point operations (in the order of tens of kilobytes).

Conclusions and future works
This article has presented the evolution of a hybrid cryptography scheme, based on the generation of topology-authenticated keys, specifically designed for WSN platforms. The scheme has been demonstrated formally by proving that the scheme is N-secure, which guarantees that attackers should retrieve N node keys before being able to compromise the security of the WSN. In order to validate the scheme, we have developed two implementation of TAKS2, based on two state-of-art IEEE 802.15.4 MAC layers. A testbed application has been developed to evaluate their performances. The validation and performance evaluation results have shown that the scheme provides security with a performance loss which is negligible in common environmental monitoring applications, that is, when slow-changing physical phenomena is monitored (e.g. temperature, light intensity, humidity, etc.). While TAKS2 is, by design, a lightweight scheme, yet the performance overhead introduced on the WSN nodes (which are resource-constrained by themselves) make TAKS2 less effective in those situations when an highframe throughput (along security) is required (e.g. audio/video streaming, high data-rate data exchanges etc.).
The work described in this article is part of a wider research project that aims to create a secure framework for WSN to provide a encryption/decryption scheme associated with an Intrusion Detection System (IDS). 40 In the future, we plan to implement the schema also for cluster-tree WSNs and to adapt it to be compliant to the key management protocol (KMP) as defined in the recent IEEE 802.15.9-2016 41 standard. The final goal is to integrate all such features in a MW for WSN (e.g. Agilla2) 42 able to provide efficient and effective security services.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.