A Group Key Management Scheme for WSN Based on Lagrange Interpolation Polynomial Characteristic

Abstract

According to the main group key management schemes logical key hierarchy (LKH), exclusion basis systems (EBS) and other group key schemes are limited in network structure, collusion attack, high energy consumption, and the single point of failure, this paper presents a group key management scheme for wireless sensor networks based on Lagrange interpolation polynomial characteristic (AGKMS). That Chinese remainder theorem is turned into a Lagrange interpolation polynomial based on the function property of Chinese remainder theorem firstly. And then the base station (BS) generates a Lagrange interpolation polynomial function f(x) and turns it to be a mix-function f(x)' based on the key information m(i) of node i. In the end, node i can obtain the group key K by receiving the message f(m(i))' from the cluster head node j. The analysis results of safety performance show that AGKMS has good network security, key independence, anti-capture, low storage cost, low computation cost, and good scalability.

1. Introduction

 Wireless sensor network (WSN) has become an active research branch in the field of internet of things (IoT) and has a very wide application prospect [1, 2]. Compared with the communication mode of point to point unicast in traditional internet network, the main communication mode of WSN is broadcasting or multicast [3,4], but the broadcast communication mode is more vulnerable to security threats because of the characteristic of the open channel mode which makes it vulnerable to be eavesdropped by malicious nodes [5-8]. Therefore, the multicast broadcast security schemes in traditional network can’t be fully applied to WSN because of the reason that WSN is a resource constrained network limited in computing speed, power supply, communication ability and storage space [9-11].

 Multicast technology can solve the problem that the primary node sends messages to multiple receiving nodes efficiently for reducing unnecessary repeated transmission, utilizing network bandwidth effectively, reducing server load and network congestion. So, WSN is the most suitable multicast technology for solving this problem based on the technical features of WSN.

 For the network security problem that the multicast communications are accessed by unauthorized users associated with WSN broadcast features, which can be solved by making a message encryption that all group members share a group key to encrypt or decrypt the data packets [12-15]. While, the group keys must be updated to meet forward security and backward security when some node joins or leaves the group because of the dynamic WSN network structure [16,17].

 The existing group key management schemes can be divided into 3 types: the centralized, the distributed and the clustered.

 1. The centralized group key management scheme

 The centralized key management scheme is the earliest form of group key management, in which there is a trusted third party referred to as the group controller GC (Group Controller) commonly or the key distribution center KDC (Key Distribution Center). GC is responsible for the key generation, distribution, update, revocation and identity authentication for all group members. The advantage of this class scheme is easy to control the group members based on the simple structure, while the disadvantage is that the whole system will be in a state of paralysis and easily become the performance bottleneck of the system because of the problem of single point failure. The most representative of this class scheme are the group key management protocol (GKMP) [18], the logic key hierarchy (LKH) [19] and the exclusion basis systems(EBS) [20].

 In GKMP, all group members can communicate with GC, GC manages the group key and controls all group members’ personal key, the member only saves the group key and his personal key. It’s obviously, the scalability of GKMP is poor and inefficient when the members of the group change frequently. In addition, the computation cost and communication overhead of GKMP are linearly related to the group size.

 In LKH, a trusted GC is used to manage the network keys by building a key tree. There are 3 types of nodes in the key tree: the root node, the intermediate node and the leaf node. The root node represents the only group key, the intermediate node represents the encryption key which is used to deliver the new key when the group membership changes, leaf node represents the group member which has all the keys from his leaf node to the root node. The advantage of LKH is that it has good scalability with the increase of the group members, and the messages, computation, the number of keys stored in each member are all linearly related to the group size when updating the new key, and the number of keys stored in GC is linearly related to the group size too. In addition, it has the ability to support multiple members to drop out the network at the same time and prevent the withdrawn members getting the new group key. While the disadvantage of LKH is like GKMP that the whole system will be in a state of paralysis and easily become the performance bottleneck of the system because of the problem of single point failure.

 In EBS, Eltoweissy proposed the concept of dynamic key management based on the clustered structure of sensor networks. Compared with static key management, the advantage of EBS is that it can delete all the keys owned by any node dynamically and efficiently and expel the nodes captured by the enemy to ensure the security performance of the network, storage space and energy efficiency. The drawback of EBS is the existence of collusion problem in which the enemy can obtain the nodes’ keys by capturing nodes and affect the safety of the internet. In addition, when the captured nodes are within the radius of node communication, these captured nodes can make the collusion problem which can destroy the whole key system and made the network loses security.

 2. The distributed group key management scheme [21-24]

 There is no group controller (GC) in this class scheme , and in which the nodes are peer to peer and build the group key by negotiating together. The advantage of distributed scheme is that it avoids the problem of single point failure and has stronger fault-tolerant ability. The disadvantage is that it is not good for the control of the group, and the communication cost will increase linearly with the number of the group members. The most representative of this class scheme is CLIQUES [24], in which the key transmission delay is O(N), the computation cost for group key updating is O(N²) , and the communication cost for group key updating is O(N²), where the N is the size of group, so the CLIQUES scalability is poor.

 3. The clustered group key management scheme [25-28]

 The clustered group key management scheme combines the characteristics of the centralized and the distributed schemes. In this scheme, group members are divided into several subgroups and each sub group has one control node, in which there are two layers structure consisting of a management layer by the control nodes and a member layer by the member nodes. The management layer and the member layer can choose different key management schemes independently. The most representative of this class scheme is lolus[24], in which each member of the sub group shares a secret key and the control node will decrypt the new encrypted information and send the decrypted information to each group member by the shared key. Although lolus has good reliability and scalability, it needs the control nodes fully trusted.

 In recent years, the problem of the group key management scheme has been widely studied, where the main objective of the study is to reduce the communication cost, the computing cost and the storage cost for the group key updating. In addition, the updating cost of the group key is one of the important criteria to evaluate a group key management scheme, so the group key management scheme should reduce the updating cost of as much as possible.

 1. The computing cost

 In general, the greater the encryption strength, the more secure the system is, and it is not easy to be cracked, but the cost is increased in the ratio of the computing cost. In addition, the amount of computation produced by different encryption methods is different in the process of computing the group key.

 2. The storage cost

 The group members and the group controllers generally have a certain amount of storage space to store some key information for assisting the generation and distribution of the group key. In general, the key information stored by the group controller is much larger than the group members for managing the whole group, so the storage cost of group members and group controllers should be reduced as much as possible when designing some new group key management schemes.

 3. The communication cost

 In the large-scale wireless multicast network, the group members will frequently join or leave because of the mobility of the members, which will cause the group key updating and make some more communication cost. Therefore, it is an important content for WSN research to find a secure and efficient group key management scheme.

 According to the schemes logical key hierarchy (LKH), exclusion basis systems (EBS) and other group key schemes are limited in the network structure, collusion attack, high energy consumption, and the single point failure, this paper presents a group key management scheme for wireless sensor networks based on (AGKMS). It utilizes the special characteristic that Chinese remainder theorem can be expressed into the form of Lagrange polynomial interpolation to realize the generation of group key with no cluster nodes directly involved. Firstly, each cluster member (CM) generates key information m(i) randomly and sends it to cluster head (CH) with the unique session key between cluster member and cluster head. Secondly, cluster head decrypts the key information m(1), m(2),...,m(n) and sends it to base station (BS) with the shared key between cluster head and base station. Thirdly, base station decrypts m(1), m(2),...,m(n) and generates a Lagrange interpolation polynomial function f(x) and group key K_j, and then tends it to be a mix-function \(f(x)^{\prime}=f(x) K_{j}\) by \(f(m(i))=1\) and sends it to cluster member by two encrypting. Lastly, cluster member obtains the group key K_j by receiving the message \(f(m(i))^{\prime}=K_{j}\) from the cluster head. The analysis results of safety performance show that AGKMS has good network security, key independence, anti-capture, low storage cost, low communication cost, low computation cost, and good scalability.

 The paper is organized as follows. In Section 2, analyze the characteristics of Chinese remainder theorem, such as polynomial characteristic and Lagrange interpolation polynomial characteristic. In Section 3, discuss the specific steps of AGKMS and the method of group key update. In Section 4, analyze the security of AGKMS. In Section 5, make a simulation analysis to verify the effectiveness of AGKMS security features in cost. In Section 6, some summary and forecast are given.

2. Related Work

2.1 Chinese remainder theorem

Chinese remainder theorem sourced in ancient China, “Sun Tzu Suan Jing” [29], also known as “Sun Tzu theorem”, for solving the congruence group. It is one of the important theorems in elementary number theory, and has important applications in the field of algebraic mathematics and computer security. The specific definition of the Chinese remainder theorem is as followed:

 Definition 1: Set that m₁,m₂,...,m_r are positive integer and pairwise coprime, where a₁,a₂,...,a_r are integer, and the congruence equations are

\(\left\{\begin{array}{l} x \equiv a_{1}\left(\bmod m_{1}\right) \\ x \equiv a_{2}\left(\bmod m_{2}\right) \\ \ldots \ldots \\ x \equiv a_{r}\left(\bmod m_{r}\right) \end{array}\right\}, i=1,2, \ldots, r\)       (1)

 There is a unique solution x for formula (1) mod M , where \(M=m_{1} m_{2} \cdots m_{r}\), and

\(x \equiv \sum_{i=1}^{r} a_{i} M_{i} y_{i} \bmod M\)       (2)

Where \(M_{i}=M / m_{i}, y_{i}=M_{i}^{-1} \bmod m_{i}, i=1,2, \ldots, r\).

2.2 Polynomial characteristic of Chinese remainder theorem

 Deduction 1: Set that \(m_{1}(x), m_{2}(x), \ldots, m_{r}(x)\) are polynomial for x and pairwise coprime, where r(r≥1) is the degree of \(m_{i}(x), i=1,2, \ldots, r\), and \(a_{1}(x), a_{2}(x), \ldots, a_{r}(x)\) are all polynomial for x , then there must be a polynomial f(x)

\(\left\{\begin{array}{l} f(x) \equiv a_{1}(x)\left(\bmod m_{1}(x)\right) \\ f(x) \equiv a_{2}(x)\left(\bmod m_{2}(x)\right) \\ \dots \cdots \\ f(x) \equiv a_{r}(x)\left(\bmod m_{r}(x)\right) \end{array}\right\}, i=1,2, \dots, r\)       (3)

 And there is a unique solution f(x) for formula (3) mod M(x), where \(M(x)=m_{1}(x) m_{2}(x) \ldots m_{r}(x)\).

 Proof: Since m₁(x) and m₂(x) are relatively prime, using Euclidean algorithm find p(x) and q(x), and then

\(p(x) m_{1}(x)+q(x) m_{2}(x)=1\)       (4)

 And multiplying by both sides with \(a_{1}(x)-a_{2}(x)\) to formula (4), then

\(a_{1}(x)-a_{2}(x)=p(x)\left(a_{1}(x)-a_{2}(x)\right) m_{1}(x)+q(x)\left(a_{1}(x)-a_{2}(x)\right) m_{2}(x)\)       (5)

\(a_{1}(x)-p(x)\left(a_{1}(x)-a_{2}(x)\right) m_{1}(x)=a_{2}(x)+q(x)\left(a_{1}(x)-a_{2}(x)\right) m_{2}(x)\)       (6)

 Set

\(f(x)=a_{1}(x)-p(x)\left(a_{1}(x)-a_{2}(x)\right) m_{1}(x)=a_{2}(x)+q(x)\left(a_{1}(x)-a_{2}(x)\right) m_{2}(x)\)       (7)

 Then

\(\left\{\begin{array}{l} a_{1}(x)-f(x)=p(x)\left(a_{1}(x)-a_{2}(x)\right) m_{1}(x) \\ f(x)-a_{2}(x)=q(x)\left(a_{1}(x)-a_{2}(x)\right) m_{2}(x) \end{array}\right.\)       (8)

 From formula (8) get

\(\left\{\begin{array}{l} m_{1}(x) |\left(a_{1}(x)-f(x)\right) \\ m_{2}(x) |\left(f(x)-a_{2}(x)\right) \end{array}\right.\)       (9)

  Therefore

\(\left\{\begin{array}{l} f(x) \equiv a_{1}(x)\left(\bmod m_{1}(x)\right) \\ f(x) \equiv a_{2}(x)\left(\bmod m_{2}(x)\right) \end{array}\right.\)       (10)

 Similarly, the same equation can be obtained in the rest of the formula (3). Thus deduction 1 is proved.

2.3 Lagrange interpolation polynomial characteristic of Chinese remainder theorem

 Definition 2: Because of the uniqueness of the n-th interpolation polynomial, define the corresponding n-th interpolation basis function l_i(x) for each interpolation point x_i, where there are n +1 different interpolation points \(x_{i}, i=0,1,2, \dots, n\).

 Set that \(x_{0}, x_{1}, \ldots, x_{i-1}, x_{i+1}, \ldots, x_{n}\) are the zero points of function l_i(x) , and it can be assumed that

\(l_{i}(x)=a_{i}\left(x-x_{0}\right)\left(x-x_{1}\right) \ldots\left(x-x_{i-1}\right)\left(x-x_{i+1}\right) \ldots\left(x-x_{n}\right)\)       (11)

 If set \(l_{i}(x)=1, x=x_{i}\), and

\(l_{i}\left(x_{i}\right)=a_{i}\left(x_{i}-x_{0}\right)\left(x_{i}-x_{1}\right) \ldots\left(x_{i}-x_{i-1}\right)\left(x_{i}-x_{i+1}\right) \ldots\left(x_{i}-x_{n}\right)=1\)       (12)

 And

\(a_{i}=\frac{1}{\left(x_{i}-x_{0}\right)\left(x_{i}-x_{1}\right) \ldots\left(x_{i}-x_{i-1}\right)\left(x_{i}-x_{i+1}\right) \ldots\left(x_{i}-x_{n}\right)}\)       (13)

 Therefore

\(l_{i}(x)=\frac{\left(x-x_{0}\right)\left(x-x_{1}\right) \ldots\left(x-x_{i-1}\right)\left(x-x_{i+1}\right) \ldots\left(x-x_{n}\right)}{\left(x_{i}-x_{0}\right)\left(x_{i}-x_{1}\right) \ldots\left(x_{i}-x_{i-1}\right)\left(x_{i}-x_{i+1}\right) \ldots\left(x_{i}-x_{n}\right)}\)       (14)

 And set

\(L_{n}(x)=\sum_{i=0}^{n} l_{i}(x) f\left(x_{i}\right)\)       (15)

 It is shown in (15) that the degree of L_n(x) is less than n , and \(L_{n}\left(x_{i}\right)=f\left(x_{i}\right), i=0,1,2, \ldots, n\). Therefore , L x n ( )is the interpolation polynomial for 0 1 , ,..., n xx x which known as Lagrange interpolation polynomial.

 Deduction 2: Lagrange interpolation polynomial is a special form of Chinese remainder theorem.

 Proof: Based on deduction 1, set that \(m_{1}(x), m_{2}(x), \ldots, m_{n}(x)\) are polynomial for x and pairwise coprime, where \(a_{1}(x), a_{2}(x), \ldots, a_{n}(x)\) are all polynomial for x , then there must be a polynomial f(x)

\(\left\{\begin{array}{l} f(x) \equiv a_{1}(x)\left(\bmod m_{1}(x)\right) \\ f(x) \equiv a_{2}(x)\left(\bmod m_{2}(x)\right) \\ \dots \cdots \\ f(x) \equiv a_{n}(x)\left(\bmod m_{n}(x)\right) \end{array}\right.\)       (16)

 There is a unique solution for formula (16) When the degree of f(x) is less than M(x) , where \(M(x)=m_{1}(x) m_{2}(x) \ldots m_{r}(x)\).

 Specially, when \(m_{i}(x)=x-b_{i} \in Q[x]\) (or \(R[x]\) ), \(i=1,2, \ldots, n, \quad b_{i}(i=1,2, \ldots, n)\) is constant and not equal each other, \(m_{i}(x)(i=1,2, \ldots, n)\) is polynomial and pairwise coprime, so we can get

\(m_{i}(x) \equiv m_{i}\left(b_{i}\right)\left(\bmod \left(x-b_{i}\right)\right)\)       (17)

 And deduction 1 can be expressed into a polynomial f x( )

\(\left\{\begin{array}{l} f(x) \equiv a_{1}(x)\left(\bmod \left(x-b_{1}\right)\right) \\ f(x) \equiv a_{2}(x)\left(\bmod \left(x-b_{2}\right)\right) \\ \dots \cdots \\ f(x) \equiv a_{n}(x)\left(\bmod \left(x-b_{n}\right)\right) \end{array}\right.\)       (18)

 There is a unique solution for formula (18) when the degree of f(x) is less than n, where \(a_{i}(x)(i=1,2, \ldots, n)\) are random constant.

 Because \(f(x) \equiv a_{i}\left(\bmod \left(x-b_{i}\right)\right)\) is equivalent to \(f\left(b_{i}\right) \equiv a_{i}(i=1,2, \ldots, n)\), we can get from \(f\left(b_{i}\right) \equiv a_{i}\) that there is a unique f(x) which degree is less than n for each different \(b_{i}(i=1,2, \ldots, n)\). It is the existence and uniqueness of interpolation polynomial.

 According to the proof of deduction 1, there is a polynomial \(M_{i}(x)(i=1,2, \ldots, n)\), and

\(\left\{\begin{array}{l} M_{i}(x) \equiv 1\left(\bmod \left(x-b_{i}\right)\right) \\ M_{j}(x) \equiv 0\left(\bmod \left(x-b_{j}\right)\right)^{, i \neq j} \end{array}\right.\)       (19)

 And because \(M_{i}(x)=\frac{\left(x-b_{1}\right) \cdots\left(x-b_{i-1}\right)\left(x-b_{i+1}\right) \ldots\left(x-b_{n}\right)}{\left(b_{i}-b_{1}\right) \cdots\left(b_{i}-b_{i-1}\right)\left(b_{i}-b_{i+1}\right) \ldots\left(b_{i}-b_{n}\right)}\) can meet up (19), there is a interpolation polynomial f(x)

\(f(x)=a_{1} M_{1}(x)+a_{2} M_{2}(x)+\cdots+a_{n} M_{n}(x)=\sum_{j=1}^{n} a_{j} \prod_{i=1}^{n} \frac{\left(x-b_{i}\right)}{\left(b_{j}-b_{i}\right)}(i \neq j)\)       (20)

 It’s showed in (20) that f(x) is a Lagrange interpolation polynomial. So Lagrange interpolation polynomial is a special form of Chinese remainder theorem.

3. AGKMS

3.1 Network model assumptions

 Firstly, based on WSN broadcast communication, the group size is usually dynamically changing that can be varied from dozens to thousands or even tens of thousands. Secondly, the cluster members’ computing ability is always a great difference in different network environment. Thirdly, the cluster members are dynamically changing that nodes joining or leaving are not regular. So, the larger the group size is, the more dynamic the members are. The above characteristics show the difference between group key management and unicast key management [30-32], where the multicast communication is carried out in a group, the cluster members are dynamic, and the group key can’t be used in the whole process of group communication.

 The key point of this paper is to discuss the Chinese remainder theorem how to generate the WSN group key with the special form of Lagrange interpolation polynomial. For ease of discussion, this paper is based on the following assumptions:

• Assume that the network is isomorphic and static, each group member has same configure in software and hardware, and will not move any more once they are deployed, where the network size is , including 3 types of nodes: base station (BS), cluster head (CH), cluster members (CM), as shown in Fig. 1.
•  

Fig. 1. The WSN framework

• Assume that base station (BS) is equipped with abundant software and hardware resources, it is responsible for storing the basic information of all the nodes in network and receiving the information from cluster head, it has the ability to detect compromised or captured nodes.
• Cluster member is responsible for collecting environmental data and sending the data to the cluster head. The ability to process data of cluster members is much low, which is limited by storage space, energy reserves, and communication distance. The main symbols in the text are shown in Table 1:

Table 1. Explanation of the main symbols in AGKMS.

3.2 Establishing group key

 Encrypting the broadcast message is one kind of methods to ensure secure broadcast, and the keys for encryption and decryption are only obtained by cluster members which can ensure the encrypted message only decrypted by cluster members. The key advantage of the multi-shared key to solve the security problem is to generate and distribute keys, and the generation and distribution must be exclusive, which means non-cluster members can’t get the keys.

 The specific step sfor establishing group key in AGKMS are as followed: 

 Step1. Initializing 

• Assume that the network size is N and divided into m clusters, each node is assigned a random number ID_i that represents the unique identity of the node (such as cluster head and cluster members).
• Each cluster head is pre-distributed a session key, \(K_{C H_{i}, B S}\) shared with BS.
• The session keys between cluster members are generated by the pre-distributed quadratic \(f_{\omega_{i}}\left(x_{1}, x_{2}, \ldots, x_{n}\right)=X^{T} A X\) [33].

 Step2. Establishing group key

 Assume that the group key of cluster j is K_j , where the cluster head is CH_j , the cluster size is n. 

 1. Sending key information

 Firstly, each cluster member of cluster j generates their own key information \(m(1), m(2), \ldots, m(n)\) randomly, where m(i) is the key information of cluster memberi .

 Secondly, cluster member i encrypts the key information \(E_{K_{i, C H_{j}}}(m(i))\) and sends it to cluster head CH_j , where \(K_{i, C H_{j}}\) is the session key between node i and cluster head CH_j . For \(K_{i, C H_{j}}\), we refer to the definition of the session key in [33] by author Xiao-gang Wang which is used to generate a session key between neighbor nodes by pre-distributed quadratic. On the one hand, the session key in [33] ensures the network connectivity and coverage rate which is 100%. On the other hand, each session key between neighbor nodes is absolute independent and secure, and it is hard to decrypt.

 Thirdly, the cluster head CH_j decrypts the key information m m mn (1, 2, , ) ( )  ( ) and sends ( ( ) ( ) ( )) , 1, 2, , CH BS j E m m mn K  to base station.

 Last, BS decrypts and get the key information m m mn (1, 2, , ) ( )  ( ).

 By now, transmitting the key information of cluster members to base station is completed.

 2. Generating Lagrange interpolation polynomial function

 Firstly, the base station generates a Lagrange interpolation polynomial function f x( ) .

 Set that m (x) m (x) m (x) n , , , 1 2  are polynomial and pairwise coprime, where a (x) a (x) a (x) n , , , 1 2  are polynomial for x , then there must be a polynomial f x( ) based on deduction 2.

 In (20), ( ) ( ) ( ) ( ) ( ) ( ) ∑ ∏ ( ) = = ≠ − − = + + + = n j n i j i i n n j i j b b x b f x a M x a M x a M x a 1 1 1 1 2 2  , Where ( ) ( ) ( )( ) ( ) ( ) ( )( ) ( ) i i i i i i n i i n i b b b b b b b b x b x b x b x b M x − − − − − − − − = − + − + ... ... 1 1 1 1 1 1   , m (x) x b Q[x] i = − i ∈ (or R[x] ), i =1,2,,n , b (i n) i =1,2,, is constant and not equal each other.

 Secondly, regenerating f x( ) by m m mn (1, 2, , ) ( )  ( ) , set ( ) i b mi = , and

\(f(x)=a_{1} M_{1}^{\prime}(x)+a_{2} M_{2}^{\prime}(x)+\cdots+a_{n} M_{n}^{\prime}(x)=\sum_{j=1}^{n} a_{j} \prod_{i=1}^{n} \frac{(x-m(i))}{(m(j)-m(i))},(i \neq j)\)       (21)

 Where ( ) ( ( )) ( ( ))( ( )) ( ( )) (m(i) m( )) (m(i) m(i ))(m(i) m(i )) (m(i) m(n)) x m x m i x m i x m n M x i − − − − + − − − − − + − = 1 1 1 ... 1 1 1 ... '   .

 Thirdly, the base station generates a group key Kj randomly, and set

\(f(x)=\sum_{j=1}^{n} a_{j} \prod_{i=1}^{n} \frac{(x-m(i))}{(m(j)-m(i))} K_{j},(i \neq j)\)       (22)

 Last, encrypting , ( ( ) ) ' CH BS j E fx K and sending it toCH_j.

 3. Getting group key

 Firstly, the cluster head CH_j decrypts , ( ( ) ) ' CH BS j E fx K .

 Secondly, the cluster head CH_j encrypts , ( ( ) ) ' , 1,..., i CH j E fx i n K = and sends it to each cluster member.

 Thirdly, node i decrypts , ( ( ) ) ' i CH j E fx K by \(K_{i, C H_{j}}\) and gets ( ) ' f x .

 Last, node i gets the group key Kj .

 Because

\(\left\{\begin{array}{l} f(x)=a_{1} M'_{1}(x)+a_{2} M_{2}^{\prime}(x)+\dots+a_{n} M_{n}^{\prime}(x)=\sum_{j=1}^{n} a_{j} \prod_{i=1}^{n} \frac{(x-m(i))}{(m(j)-m(i))},(i \neq j) \\ M_{i}'(x)=\frac{(x-m(1)) \cdots(x-m(i-1))(x-m(i+1)) \ldots(x-m(n))}{(m(i)-m(1)) \cdots(m(i)-m(i-1))(m(i)-m(i+1)) \ldots(m(i)-m(n))} \end{array}\right. \)

 When , and

\(\left\{\begin{array}{l} M_{i}^{\prime}(m(i))=1 \\ M_{i}^{\prime}(m(j))=0, i \neq j \end{array}\right.\)       (23)

 Therefore,

 Similarly,

 And if ，then .

 It shows that each cluster member can get group key by taking its own key information into .

 By now, getting group key is completed.

 The group key generation process is shown in Fig. 2.

Fig. 2. The group key generation process in AGKMS

3.3 Group key update

 1. Periodic group key update

 In order to prevent the enemy from monitoring traffic and getting the entire network topology information when the nodes in the cluster run for a period of time, it is necessary to update the group key periodically.

 On the one hand, the base station only need to regenerate a new Lagrange interpolation polynomial function ( ) ' f x which is generated by old f x( ) mixed with a new group key Kj , and sends it to the cluster members. The cluster members can get the new group key Kj by taking their own key information into ( ) ' f x . This approach has a strong autonomy and can change group key Kj at any time without affecting the network.

 On the other hand, the cluster members periodically change the key information and get the new group key Kj following as step 2 of section 3.2.

 2. Adding new nodes

 After the establishment of initial group key, if a new node wants to add in some cluster, the new node needs to submit an application through the cluster head to the base station first of all, and then the base station will judge whether is a good or malicious node. At last, the new node will be distributed some related key information after authenticated by the base station.

 In AGKMS, the base station will notify the cluster head to update the group key if a new node wants to add in some cluster. For example, assume that node a wants to add in cluster j which has been authenticated by the base station, but it can’t carry out multicast communication because of no group key. For establishing group key, node a needs to build session key , j Ka CH with cluster head CH_j and send key information m a( ) encrypted by , j Ka CH to CH_j. Then node a can get the new group key Kj following as step 2 of section 3.2.

 In the whole process, the addition of new nodes does not affect the communication structure of the network, thus AGKMS has good scalability.

 3. Removing the captured nodes

 The sensor nodes need to consider the factors of manufacturing cost and deployment environment, and it’s vulnerable to be captured without special physical protection. Once the nodes are captured, the enemy will get all the keys to decrypt information stored in the nodes in a limited time. Therefore, in order to ensure the authenticity, reliability and integrity of the monitoring nodes information, it is necessary to remove the captured nodes in time, and update and delete the captured keys dynamically.

 In AGKMS, in order to ensure the removed nodes can’t get the group key every time when the nodes are removed from clusters due to energy depletion or be captured by enemy, and we needs to follow as two steps.

 Step1: If the removed nodes are the cluster members, it needs the base station deleting their key information and regenerate the new Lagrange interpolation polynomial function ( ) ' f x with the rest key information of good nodes. And the rest cluster members can get the new group key Kj from ( ) ' f x following as step 2 of section 3.2

 Step2: If the removed nodes are cluster heads, it needs to regenerate the new cluster heads according to the routing protocol [34, 35], and the rest steps are same as section 3.1-3.2.

4. Security Analysis

 In WSN, the cluster members are dynamically changing, and the larger the group size is, the more dynamic the members are. This characteristic shows the difference between group key management and unicast key management. Unicast key management mainly includes two aspects: identity authentication and key distribution, and the secure communication channel between two neighbor nodes will be established after identity authentication and key agreement. The multicast communication is carried out in a group, the cluster members are dynamic, and the group key can’t be used in the whole process of group communication. Therefore, the group key management is one of the most challenging problems to ensure the security applications of WSN broadcast communication.

 AGKMS reflects its own security features which are much better than LKH and EBS in network security, key independence, anti-capture, low storage cost, low computation cost, and good scalability.

 1. Key independence

 It’s showed in formula (20), the Lagrange interpolation polynomial function is ( ) ( ( )) ∑= ∏( ( ) ( )) = − − = n j n i j K j m j m i x m i f x a 1 1 ' , where i j ≠ , Kj is the group key, and there are two factors affecting the group key Kj .

 One is the base station, because Kj is randomly generated by the base station and has no relationship with cluster members, so it is impossible to capture the base station. It shows that the source of the group key is safe and indicates that the existing group key has no correlation with the abandoned group key.

 The other one is the cluster members’ key information m(i). In section 3.2, we know that the cluster members get the group key Kj rely on m(i), but m(i) just is the key to get Kj and not the factor of generating Kj . It is indicated that the enemy can’t find any rules from the old group keys to decrypt the existing or future group key though enemy can get all old used group keys. Similarly, even if the enemy can get the existing or future group key, but it is also impossible to get any key information from the group key.

 Therefore, the group key Kj in AGKMS has good independence.

 2. Anti-capture

 Because of ( ) , ( ) i CH j E mi K and , ( ( ) ) ' i CH j E fx K , it would have to obtain the key \(K_{i, C H_{j}}\) if enemy wants to get the key information m(i) and the group key Kj , where \(K_{i, C H_{j}}\) is the session key between node i and cluster head CH_j. For \(K_{i, C H_{j}}\) , this paper refers to the definition of the session key in [33] by author Xiao-gang Wang which is used to generate a session key between neighbor nodes by pre-distributed quadratic.

 Define 3: assume that 1 2 ( , ,..., ) n fxx x is a multiple asymmetric quadratic form polynomial in field P.

\(\begin{aligned} f\left(x_{1}, x_{2}, \ldots, x_{n}\right) &=a_{11} x_{1}^{2}+a_{12} x_{1} x_{2}+\ldots+a_{1 n} x_{1} x_{n}+a_{21} x_{2} x_{1}+a_{22} x_{2}^{2}+\ldots+a_{2 n} x_{2} x_{n} \ldots \ldots+a_{n 1} x_{n} x_{1}+a_{n 2} x_{n} x_{2}+\ldots+a_{n n} x_{n}^{2} \\ &\left.=\left(x_{1}, x_{2}, \ldots, x_{n}\right)\left[\begin{array}{cccc} a_{11} & a_{12} & \ldots & a_{1 n} \\ a_{21} & a_{22} & \ldots & a_{2 n} \\ & \ldots \ldots \ldots \ldots \ldots & \\ a_{n 1} & a_{n 2} & \ldots & a_{nn} \end{array}\right] \begin{array}{l} x_{1} \\ x_{2} \\ \ldots \\ x_{n} \end{array}\right]=X^{T} A X \end{aligned}\)       (24)

Where A is the quadratic matrix of 1 2 ( , ,..., ) n fxx x , , , 1,..., ij ji a a ij n = = , T A A = .

 For example, for building the session key between neighbor nodes a and m in [33], 1 2 ( , ,..., ) w n a f xx x is the quadratic polynomial of node a , 1 2 ( , ,..., ) w n m f xx x is the quadratic polynomial of node m , and their session key is ()() Kh h K am = = = BF FB ma , where B and F are the diagonal matrix of 1 2 ( , ,..., ) w n a f xx x and 1 2 ( , ,..., ) w n m f xx x respectively. So, the quadratic polynomial is key point to decrypt session key , j Ki CH for the enemy.

 Based on formula (24), it must decrypt A for decrypting 1 2 ( , ,..., ) n fxx x , but there are ( 1) 2 n n + different elements in symmetric matrix A, and the difficulty of decrypting A will be multiplied when the matrix A dimension n is slightly changed (as shown in Fig. 3).

 Assume that the size of cluster j is Nj , if ( 1) 2 j n n N + < , that enemy is unable to decrypt the matrix A, and also unable to decrypt 1 2 ( , ,..., ) n fxx x .

 Therefore, for small and middle size network, the session keys for neighbor nodes are absolutely safe as long as ( 1) 2 j n n N + < . And for large network, it also can guarantee the network security as long as distribute a reasonable network structure, such as increasing the number of clusters space, and limiting the number of cluster members. It is indicated that the session key in AGKMS built by quadratic polynomial has good anti-capture performance.

 In addition, the quadratic polynomials 1 2 ( , ,..., ) i n f xx x ω pre-distributed by the base station are independent and different between each other, and these keys only exist in a paired node which ensures that no same session key used in network. It’s indicated that the nodes captured will not affect the other nodes.

 Fig. 3 shows the illustration of the difficulty for decrypting matrix A when the dimension n of matrix A is slightly changed in AGKMS.

Fig. 3. The anti-capture performance of AGKMS

 3. Scalability

 The base station BS will notify the cluster header to update the group key when a new node joins the network. Assume that node a is the new node for joining the cluster j , and node a can’t make broadcast communication because the group key is not assigned to node a . Firstly, node a needs to build the session key , j Ka CH with the cluster header CH_j based on the quadratic form polynomial 1 2 ( , ,..., ) a n f xx x ω pre-distributed by BS . Secondly, node a sends the key information m a( ) encrypted by , j Ka CH to CH_j . Then, CH_jwill send m a( ) to BS with key , CH BS j K . Lastly, BS can get new the key information m ma mn (1 1 )  ( ) ( + ) , and BS will generate a new group key ' Kj by reference to AGKMS or Fig. 2.

 Within the process, the new joining node a doesn’t affect the steps of group key generation and else nodes of cluster j do not change their communication keys. So, the process of new node joining is safe and convenient.

5. Simulation Analysis

 In order to verify the effectiveness of AGKMS security features in cost, the simulation is carried out on the MATLAB R2014a.

 The main setting parameters of simulation process are shown in Table 2:

Table 2. The main parameters value of simulation in AGKMS

 1. Storage cost

 Assume that the storage cost is the number of keys stored by one node and the storage space occupied by one key is 1.

 In LKH, the group controller (GC) is responsible for managing the keys of the network, and assume that the key tree in LKH is a binary tree (as shown in Fig. 4), the common nodes in group are the leaf nodes in the key tree which get all the keys on the path from their own leaf node to the root node. The number of keys stored in each leaf node is , where N is the network size.

 In addition, all leaf nodes in LKH needs to save their own identity ID, computing parameter E, and public parameter P.

 So, the storage cost of each leaf node is , where is a constant and can be set to 3 in here ( assume that the parameter ID, E, P all occupy the same storage space which can be set to 1 ), so .

Fig. 4. 8 members LKH tree

 In EBS, the EBS system is a triple system which is represented as and defined as a set of user subsets. In which, each subset corresponds to a key, and each element in some subset all share this key. In addition to this, each element in one subset can be included in else subsets at the same time, which indicates that each node can store keys at most, where is the size of network, is the total number of keys. For instance, the key distribution scheme of EBS(8,3,2) is shown in Table 3, where M is the matrix, Mij (, ) 1 = indicates that the key Ki is assigned to the node j S .

 In addition, each node also needs to save its own identity ID and the group key S.

 So, the storage cost of each node is 2 2 lck ≤ + , where 2 c is a constant and 2 c can be set to 2 in here ( assume that the parameter ID and S occupy the same storage space which can be set to 1 ). However, the existence of subset Γ is the key problem for building EBS N k m ( ,, ), if Γ does not exist that EBS N k m ( ,, ) will not be established which indicates that k in ( ,, ) Nkm is not fixed.

Table 3. Matrix of EBS(8,3,2)

 In AGKMS of this paper, each cluster common node needs to store group key Kj , session key i CH , j EK , key information m i( ), identity ID. The cluster head CH_j needs to store Nj session keys between all common nodes of cluster j , a session key , CH BS j K , and Nj cluster members’ identity ID.

 So, the storage cost of each common node is 3 3 l c = , where 3 c is a constant and 3 c can be set to 4 in here ( assume that the parameter ID and m i( ) occupy the same storage space which can be set to 1 ). And the average storage cost of each cluster head is 4 2N l M = , where M is the number of cluster heads and take 2% of the network size.

 The storage cost of these 3 schemes for common sensor nodes (LKH, EBS, AGKMS) are shown in Fig. 5, and it’s indicated that AGKMS is much better than LKH and EBS in storage cost.

Fig. 5. Compare for storage cost

 2. Communication cost

 Assume that the communication cost is the number of communication for establishing group key.

 In LKH and EBS, the group key is pre-distributed for each common node by the group controller (GC) when network initialization. It’s indicated that communication cost is 0 in LKH and EBS, but the real cost is the sacrifice of network security which is analyzed in section 4.

 In AGKMS, the group key Kj of cluster j can be obtained by 2 times communication shown in Fig. 2, one is sending key information m i( ), and the other one is receiving encrypted information , ( ( ) ) ' i CH j E fx K .

 So, the AGKMS has a good communication cost in the condition of network security.

 3. Computation cost

 Assume that the computation cost is the amount of computation for building a group key or updating a group key.

 In LKH, assume that the key tree is a binary tree (as shown in Fig. 4), the common nodes in group are the leaf nodes in the key tree which get all the keys on the path from their own leaf node to the root node. The number of keys stored in each leaf node is 2 log +1 N , where N is the network size.

 Assume that some leaf node Mi is left or captured, and all left leaf nodes need to update the keys shared with Mi , where N 2 nodes in the other side of binary tree need to update one key K (the group key), N 4 nodes need to update two keys shared with Mi , and the neighbor node of Mi needs to update 2 log N keys shared with Mistep by step.

 So, the updating computation cost of LKH for some leaf node Mi left or captured is 52 2 log log -1 2 ... log -i 2 ... ( ) ( 2 ) 2 l = + ⋅+ + ⋅ + N N N i N . It’s indicated that the deeper the binary tree degree ( 2 log N ) is, the more computation cost ( 5l ) is.

 In EBS, assume that i S is a node of some subset in EBS N k m ( ,, )system. If i S is left or removed, GC needs to broadcast m messages to update keys, and the left nodes need to make k times decryption operation to get the new keys.

 Such as EBS(8,3,2) shown in Table 3, each node needs to make 3 times decryption operation to get the new keys. Assume that node 1 S is removed, the left nodes ( S S 2 8 ~ ) need to update keys K3 , K4 , K5 belonged to 1 S , and GC need to broadcast 2 messages:

(a) \(E_{K_{1}}\left(K^{\prime}, E_{K_{3}}\left(K_{3}^{\prime}\right), E_{K_{4}}\left(K_{4}^{\prime}\right), E_{K_{5}}\left(K_{5}^{\prime}\right)\right)\),

(b) \(E_{K_{2}}\left(K^{\prime}, E_{K_{3}}\left(K_{3}^{\prime}\right), E_{K_{4}}\left(K_{4}^{\prime}\right), E_{K_{5}}\left(K_{5}^{\prime}\right)\right)\).

Where ' Ki is the new key for replacing Ki , ' K is the new group key.

 So, the updating computation cost of EBS for some node i S left or captured is l6 = (N-1 k) , where k is an unfixed constant . It’s indicated that 6l is a fluctuating variable in some way, but the computation cost is basically proportional to the network size N .

 In AGKMS, as shown in Fig. 2, the computation cost for establishing a group key Kj of cluster j is as follows: according to the steps of AGKMS, each cluster common node needs to encrypt its own key information ( ) , ( ) i CH j E mi K first of all, and the cluster head needs to get m m mn (1, 2, , ) ( )  ( ) by n times decryption and make one encryption ( ( ) ( ) ( )) , 1, 2, , CH BS j E m m mn K  , then the base station BS needs to getm m mn (1, 2, , ) ( )  ( ) by one decryption and generate a Lagrange interpolation polynomial function ( ) ' f x and make one encryption , ( ( ) ) ' CH BS j E fx K , the cluster head needs to get ( ) ' f x by one decryption , ( ( ) ) ' CH BS j E fx K and make n times encryption , ( ( ) ) ' i CH j E fx K sent to cluster common nodes, and each cluster common node needs to get ( ) ' f x by one decryption and get the group key Kj by taking m i( )into ( ) ' f x at last.

 It’s indicated that each cluster common node needs to make 3 times computation to get the group key Kj and the main computation cost are concentrated in the cluster heads. So the whole computation cost is very small based on the cluster head accounted for less than 2% of network size. In addition, it can balance the network load by replacing the cluster heads periodically.

 According to the above analysis, assume that BS has the ability to detect the occurrence of node captured or energy exhaustion for ensuring that the captured node can’t obtain the group key Kj , and the following steps are required: assume that the captured node i S is a common node of cluster j , BS only needs to delete the key information m i( ) of i S and generates a new Lagrange interpolation polynomial function ( ) new ' f x by the key information of the remaining common nodes, where ( ) new ' f x contains the new group key Kjnew , and remaining common nodes will get the new group key Kjnew by getting ( ) new ' f x following the steps of AGKMS.

 For computing the computation cost of AGKMS in the situation of existing one captured node, assume that the size of cluster j is N , BS needs to make a routine computation for generating the new Lagrange interpolation polynomial function ( ) new ' f x , and each node of the remaining N − 2 common nodes (removing the cluster head CH_j and the captured node i S ) has 2 computation cost (getting ( ) new ' f x by one decryption and getting Kjnew by taking m i( ) into ( ) ' f x ) , and the cluster head CH_j has N −1 computation cost (getting ( ) new ' f x by one decryption , ( ( ) ) ' KCH BS j new E fx and making N − 2 times encryption , ( ( ) ) ' i CH j E fx K sent to the remaining common nodes) .

 Assume that one computation cost is 1, so the computation cost of AGKMS in the situation of existing one captured node is 7l =3N-4 .

Fig. 6. Compare for computer cost

 The computation cost of the 3 schemes (LKH, EBS, AGKMS) is shown in Fig. 6, and it’s indicated that the computation cost of AGKMS in the situation of existing one captured node is much better than LKH and EBS.

 In addition, if a new node new S want to join cluster j in AGKMS, the following steps are required: new S needs to submit a joining application to BS firstly, BS will judge whether new S is a malicious node secondly, and then BS will allow the new node new S to join cluster j after the judgment and set a key information m(new) and quadratic form 1 2 ( , ,..., ) Snew n f xx x w for new S .

 Since the new node new S is added to cluster j , BS will notify the cluster head CH_j to update the group key, the following steps are required: new S needs to build a session key , new j KS CH between CH_j  based on the pre-distributed quadratic form 1 2 ( , ,..., ) Snew n f xx x w by BS firstly, new S will send the encryption information ( ( )) S CH , new j E m new K to CH_j, and then all cluster common nodes will get the new group key new Kj following the steps of AGKMS.

 Compared with LKH and EBS, the computation cost for new node joining in LKH and EBS is very small because of the management byGC . Though the computation cost for new node joining in AGKMS a little larger than LKH and EBS, AGKMS scheme does not affect the structure of the network for new nodes and has a good scalability, and AGKMS can avoid the collusion problem and keep more security.

 So, the AGKMS in this paper has a good computation cost.

6. Conclusions

 This paper presents a group key management scheme for wireless sensor networks based on Lagrange interpolation polynomial characteristic, it utilizes the characteristic that Chinese remainder theorem can be expressed into the form of Lagrange polynomial interpolation to realize the generation of group key with no cluster nodes directly involved. The analysis results of safety performance show that AGKMS has good network security, key independence, anti-capture, low storage cost, low computation cost, and good scalability. Building group key management of wireless sensor networks is a hot research topic, many scholars have carried out the research, but no scheme can meet all the security requirements. At present, there are still many problems that need to be further solved by building some wireless sensor networks group key management protocols:

 1. Performance of group key management scheme

 In the existing schemes, there is no scheme which can meet all the security performance and have low cost in all aspects at the same time. Most schemes could reduce one kind of cost, but will increase the cost of other aspects. So, there is no group key management scheme that is applicable to all types of groups.

 2. Application of group key management scheme

 How to use the existing network security technologies to realize the group key management scheme, how to combine group key management schemes and group communication application system to achieve secure group communication, how to deal with the practical application of secure channels and the trusted third party in some group key management schemes, they are all important problems which should be considered to make group key management schemes from theory to reality.