14th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM 2018)

ISBN: 978-1-60595-578-0

A Novel Mutual Healing Group Key Distribution Scheme for WSN

Zimeng Dai1, Fangwei Wang1,2 and Changguang Wang1,2*

ABSTRACT
In order to solve the security problems in the existing self-healing group
key distribution strategies, this paper proposes a new mutual healing group
key distribution scheme. Based on the access polynomials, this scheme can
hide the keys by using hash function and enable the communication group
nodes to restore the lost session keys through the use of broadcasting
messages and private keys. Besides, this scheme can restore the key of the last
time with the help of neighbor nodes, which is impossible for the self-healing
key distribution scheme. Analytical results show that the proposed scheme can
guarantee the forward and backward security and resist the collusion attack,
which is suitable for WSN.

Keywords: wireless sensor network; access polynomial; self-healing group key distribution; mutual-healing group key distribution

1. INTRODUCTION

Wireless sensor network (WSN) has been widely used in all areas of our lives and its security becomes more and more important. Compared with wired networks, WSN uses different communication protocols, and thus has different characteristics: decentralized nodes, limited resources, self-organized network, variable network topology, limited transmission range, multiple-hop routing, vulnerable security, large scale, weak controllability, etc. It is because of these characteristics that WSN faces security threats. Packet loss is an inevitable problem in wireless network communication, where key update messages may not reach a specified node[1]. Therefore, the node cannot participate in group communication normally. The most straightforward solution is to require the Group Manager (GM) to retransmit the unreached message. But the consequence is that the network traffic becomes heavier, more communication resources are occupied, and even network congestion will be caused.

1 College of Information Technology, No. 20 Road East. 2nd Ring South, Shijiazhuang, Hebei, China
2 Key Laboratory of Network and Information Security of Hebei Province, No.20 Road East. 2nd Ring South, Shijiazhuang, Hebei, China
* Corresponding author, wangcg@mail.hebtu.edu.cn

Staddon et al. proposed a self-healing group key distribution scheme which could partly solve the above problems caused by the unreliability of WSN. It was the first time that the method of self-healing group key distribution was proposed. In this mechanism, redundant information is added to the broadcast messages by GM, so the node that loses the session key can recover it from the redundant information, without requiring GM to retransmit it. Accordingly, the network traffic is lowered and the risk of traffic analysis is reduced.
Blundo et al proposed an SGKD (Self-healing Group Key Distribution)
scheme, in which less node memory cost is needed, self-healing mechanism is
improved, and the lost session key can be recovered from the broadcasting.
Based on access polynomials, Dutta[2] et al proposed a self-healing group key
distribution scheme, in which the storage overhead is reduced to a constant for
the secret polynomials being constant. However, it also brings about some
security issues[3]. Recently, several self-healing group key distribution
schemes based on single hash chains have been proposed one by one, but most
schemes cannot resist collusion attack[4-6].
Wang[7] et al proposed a self-healing group key distribution scheme based on access polynomials. However, it has been shown that colluding revoked nodes can restore the session key in that scheme; that is, it does not meet the forward security requirement[8].
Furthermore, if a node does not receive the last updating package of the
key, it cannot be repaired through the known self-healing group key
distribution scheme. The mutual-healing group key distribution scheme
proposed by Tian[9] et al solves this problem well. With the help of neighbor
nodes, the purpose of mutual aided repairing is achieved after the last key
update being lost. The node is responsible for self-healing the lost key before
the last session. This scheme, however, can only play a role in the fixed sensor
networks. It cannot complete the mutual repairing for WSN nodes.
Some other key distribution solutions[10] have been proposed, but each
has some certain security problems and limited efficiency.
This paper proposes a mutual-healing group key distribution scheme based
on the self-healing group key distribution scheme of access polynomials,
which is suitable for WSN.

2. BASIC MODEL

The basic network model, security model and symbol settings will be introduced first. Symbols and notations are described in Table I.

Network Model

In our network model, a GM and n groups of member nodes constitute a communication group. Define U as a set of group member nodes, U={U1,U2,U3,…,Ui,…,Un}. A unique ID is assigned to each member si (0<i<n+1, n∈Z+). n is selected by GM, and represents the total number of
group member nodes. G represents the set of all sessions, Gj represents the set
of all legal member nodes in the communication group which is established in
session j, and j is the session tag. Kj represents the session key which is
selected independently by GM. When Ui joins the communication group in
session j, GM distributes the private key Si to Ui through the secure channel,
and then sends the broadcast message Bj to nodes during the session, so that
all the nodes can use the private key Si and the broadcast message Bj to
calculate the session key. The symbolic meaning is shown in table I.

TABLE I. Notations.

Parameters     Denotations
GM             Group manager
U              Members of the group set
Ui             Group member node with ID i
n              The largest number of ID identity
G              Session set
Gj             The set of all legal group members during session j, j = 1, 2, ...
Si             The private key of group node Ui
Kj             The group key in session j
m              Maximum number of sessions supported
Bj             The broadcast message for key updating in session j
R              The set of all revoked nodes in session j and before j
Rj             The set of nodes that were revoked before session j
J              The set of all new nodes added after session j
Jj             The set of new nodes added during session j
t              The maximum number of points that a group manager can delete
Fq             Finite field, q is the prime number
H(·)           A one-way hash function
Ek(·)/Dk(·)    Encryption and decryption functions

Security Model

In order to describe the scheme clearly, we use the security model to quantify some security attributes.
Definition 1 (the scheme with t-revocation function) If the following conditions are satisfied, the scheme has t-revocation function.
(1) For any node in Gj, Kj is determined by the broadcast message Bj and the private key Si of user Ui.
(2) Kj can't be determined independently by Si or Bj.
(3) Let Rj represent the set of nodes that have been revoked before the session j, if each node in Rj cannot obtain information of Kj, and for any node in UiRj can obtain information of Kj, the scheme has t-revocation function.
Definition 2 (self-healing function) If for any session j, Ui is the legal member of session j1 and j2 (1≤j1≤j≤j2≤m) and it can recover the key Kj of session j from broadcast message Bj1 and Bj2, the scheme has self-healing function.
Definition 3 (mutual healing function) If any node loses the last session key update package, it can resort to the legal neighbor node. If it can use the message sent by its neighbor node to recover the last session key, the scheme has mutual healing function.
Definition 4 (t-forward secrecy) R represents the set of all revocation nodes in and before session j (|R|≤t). If each node belonging to R cannot get the session key Kj, even by collusion, the scheme has t-forward secrecy.
Definition 5 (t-backward secrecy) J represents the set of all new nodes added after session j (|J|≤t). If each node belonging to J cannot get the session key Kj1 (1≤j1≤j), even by collusion, the scheme has t-backward secrecy.
Definition 6 (t-collusion resistance) Let Rj1 represent the set of nodes revoked in and before session j1, and Jj2 represent the set of nodes added after the session j2 (j1≤j≤j2). If the nodes in Rj1 and Jj2 cannot obtain the key Kj of session j by collusion, the scheme has t-collusion resistance.

3. SGKD SCHEME BASED ON ACCESS POLYNOMIALS

Workflow

In order to ensure the security of communication, session keys need to be changed continuously throughout the lifetime. The lifetime of the group is divided into different session periods, and each session has a unique group key. In each session, GM allocates a new session key Kj to the nodes in Gj by the broadcast key update message. The specific workflow is shown in Figure 1.

[Figure 1. Program flow chart: Initialization, followed by Key update for Session k1, Session k2, Session k3, ……, kj.]

Scheme Description

INITIALIZATION
GM randomly selects a t-degree polynomial f(x)=a0+a1x+a2x^2+…+atx^t from the finite
field Fq (q is a large prime number). In order to ensure security, GM
choosesj( j[1,m])from the finite field randomly, and usesjf(si) to hide the
private key of the node. GM distributes the node's private key Si={si,jf(si)} to
the node Ui which is added in session j through a secure channel.

BROADCAST
Let G be the set of all legal nodes in the sessions, Gj represent the set of all legal nodes in session j, Gj1 represent the set of nodes that join in session j1 and still exist in session j. Similarly, let R be the set of all revoked nodes in and before session j, Rj represent the set of nodes revoked in session j, Rij represent the node with ID si revoked in session j, and J represent the set of all new joining nodes after session j. The seed $S_1^{FB}$ is randomly selected from the finite field Fq, and GM uses the hash function H(·) to perform the hash chain with a length of m:

$$S_1^{FB} = H(S_1^{FB}),\quad S_2^{FB} = H^2(S_1^{FB}),\quad S_3^{FB} = H^3(S_1^{FB}),\quad \ldots,\quad S_m^{FB} = H^m(S_1^{FB}) \tag{1}$$

Select k1 (0<j≤m) randomly from the finite field Fq as the hidden key of session j, and we do the secret calculation for k1:

$$k_2 = k_1 \cdot H(S_1^{FB}),\quad k_3 = k_2 \cdot S_2^{FB} = k_2 \cdot H^2(S_1^{FB}),\quad \ldots,\quad k_j = k_{j-1} \cdot S_{j-1}^{FB} = k_{j-1} \cdot H^{j-1}(S_1^{FB}) \tag{2}$$

GM uses the node identity to establish the following polynomials:

$$A_{j_1}(x) = (x-\theta_{j_1}) \prod_{i=1}^{|G_{j_1}|} (x-s_i) \prod_{i=1}^{t+1-|G_{j_1}|} (x-\delta_i), \qquad (|G_{j_1}| < t+1) \tag{3}$$

$$A_{j_1}(x) = (x-\theta_{j_1}) \prod_{i=1}^{|G_{j_1}|} (x-s_i), \qquad (|G_{j_1}| \ge t+1) \tag{4}$$

where δi and θj1 are randomly selected from a finite field and cannot be used for node identity.
If node Ui joins in session j1 and is still a legal node in session j, the above polynomial can be calculated as Aj1(si)=0. If Ui is not a legal node in Gj1, the result of Aj1(si) would be a random value.
Next, GM will perform calculation as follows:

S j1 ( x)  (1  Aj1 ( x)) k j1 1 H j 1 (S1FB )   j1 f ( x) (5)

GM broadcasts Bj, which mainly contains the following contents:


 j 1
{( Aj1 ( x)  1)k j1 1 H ( S1 )   j1 f ( x)} j1 [1, j ]
FB

 (6)
{Ek1 ( K1 ), Ek H ( S FB ) ( K 2 )...Ek H j1 ( S FB ) ( Ek j )
 1 1 j 1 1

SESSION KEY SELF-HEALING

Use the formula (5) to perform this calculation:


S j1 ( si )   j1 f ( si )
k j1  k j1 1 H j 1 ( S1FB )  (7)
1  Aj1 ( si )

If node Ui is a legal node that joins in session j1 and still exists in session j,
then Aj1(si)=0.
k j1  k j1 1 H j 1 (S1FB )  S j1 (si )   j1 f (si ) (8)

Otherwise, the result will be formula (7). As θj1 is a random value, if Ui is illegal, Aj1(si) would be a random value, so that $k_{j_1} \neq k_{j_1-1} \cdot H^{j-1}(S_1^{FB})$.
For session j2 (j1≤j2≤j), node Ui can use formula (1) and (2) together to get kj2. Then, the encryption function Ek(·) in formula (6) will be used to get Kj.
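
The access-polynomial mechanism described above, as an added Python sketch that is not taken from the paper. It assumes the broadcast polynomial has the form S(x) = (A(x)+1)·k + mask·f(x), the reading under which formula (8) holds for a legal node; `mask` (the per-session coefficient that hides f(si)), the modulus `Q`, the node IDs and all function names are choices made for this example, and the hidden key is treated as a single field element k.

```python
import secrets

Q = 2**61 - 1  # constructed prime modulus standing in for the paper's q

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

def poly_eval(p, x):
    acc = 0
    for c in reversed(p):          # Horner's rule, coefficients stored low -> high
        acc = (acc * x + c) % Q
    return acc

def access_poly(legal_ids, t, all_ids):
    """Eqs (3)/(4): roots are theta, the legal IDs and, for small groups, delta padding."""
    used = set(all_ids)
    def fresh():                   # theta / delta must never equal a node identity
        while True:
            r = secrets.randbelow(Q)
            if r not in used:
                used.add(r)
                return r
    roots = [fresh()] + list(legal_ids)
    roots += [fresh() for _ in range(max(0, t + 1 - len(legal_ids)))]
    a = [1]
    for r in roots:
        a = poly_mul(a, [(-r) % Q, 1])
    return a

def broadcast_poly(a, k, mask, f):
    """S(x) = (A(x) + 1) * k + mask * f(x); deg A > deg f holds by construction."""
    s = [c * k % Q for c in a]
    s[0] = (s[0] + k) % Q
    for i, c in enumerate(f):
        s[i] = (s[i] + mask * c) % Q
    return s

def recover(s_poly, node_id, masked_share):
    """Node side, eq (8): S(s_i) - mask*f(s_i) equals k only when A(s_i) = 0."""
    return (poly_eval(s_poly, node_id) - masked_share) % Q

def demo(t=3):
    ids = {"U1": 11, "U2": 22, "U3": 33}               # constructed identities
    f = [secrets.randbelow(Q) for _ in range(t + 1)]    # GM's secret t-degree f(x)
    mask = secrets.randbelow(Q - 1) + 1                 # hypothetical name, see lead-in
    shares = {u: mask * poly_eval(f, s) % Q for u, s in ids.items()}
    k = secrets.randbelow(Q - 1) + 1                    # hidden session key
    a = access_poly([ids["U1"], ids["U2"]], t, ids.values())   # U3 is revoked
    s_poly = broadcast_poly(a, k, mask, f)
    return k, {u: recover(s_poly, ids[u], shares[u]) for u in ids}
```

`demo()` returns the hidden key together with what each node computes: U1 and U2 obtain k, while the revoked U3 obtains (A(s3)+1)·k, which differs from k because s3 is not a root of A.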

SESSION KEY MUTUAL HEALING

If any node Ui loses the key update package of the last session m, it can
resort to the legal neighbor node Uj to fix it.
(1) Node Ui sends a request message to node Uj at time ti, indicating that it
needs to get the key update package of session m;
(2) After receiving the request message at time tj, the node Uj firstly judges
whether |tj-ti|≤Δt is true or false. If it is false, Uj will not reply to the request
message. If it is true, it will send its ID j and broadcast message Bm to node Ui;
(3) Node Ui will use the formula (6), (7) and (8) to calculate the last
session key after it obtains the message from node Uj.

NODE JOINING

If a node Ui joins in the communication group in session j-1, GM transmits the identity ID number si and the node private key Si={si,j-1f(si)} for it through the security channel. In order to ensure the forward security, GM restarts a session and establishes a new access polynomial Aj1(x) which should include (x-si).

NODE REVOCATION

If a node Ui joins in session j1 and is revoked in session j, GM needs to remove (x-si) from Aj1(x) and starts a new session.

4. SECURITY ANALYSIS

Safety Performance Analysis

t-REVOCATION

Assume that Ur∈R, where 0≤r≤t. For any Ur, as Aj1(x) is a random value, kj1 cannot be recovered from the broadcast message. As a result, Kj cannot be derived. Because f(x), which is chosen from a finite field, is a t-polynomial, if the revoked nodes want to get Kj by collusion, at least t+1 nodes will be needed. For 0≤r≤t, it has t-revocation function.

SELF-HEALING FUNCTION

If the legal nodes in any session group lose the session key, they can recover the lost session key by performing Ek(·) with the broadcast message and the node private key, instead of requiring GM to retransmit. Therefore, the scheme has self-healing function.

MUTUAL HEALING FUNCTION

For any node Ui that has lost the key update packet of the last session m, it
can repair the last session key by the message which is sent by its neighbor
node. Therefore, this scheme has a mutual healing function.

t-FORWARD SECRECY

Forward secrecy requires that the nodes revoked in and before session j cannot recover the key alone or by collusion. For the set of revoked nodes, if any node Ur∈R and 0≤r≤t, there exists Aj1(x) of a random value. Thus, Ur cannot get the information related to the key recovery. And as shown in Section 4.1, the collusion of revoked nodes needs at least t+1 nodes to recover jf(x), so the scheme has forward secrecy.

t-BACKWARD SECRECY

Backward secrecy requires that all new nodes joining after the session j cannot recover the previous session key Kj1 even by collusion. For all nodes in J(JU), recovering j1f(x) first is needed to recover Kj1. For f(x) is a t-polynomial, there should be at least t+1 nodes. Because |J|≤t, namely, j1f(x) cannot be recovered through collusion, the scheme is proved to ensure the backward secrecy.
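
The t+1 threshold used in the t-revocation, forward secrecy and backward secrecy arguments above, as an added Python example that is not part of the paper. The polynomial `g` stands for the masked f(x) held by GM; the modulus `Q`, the node IDs and the function names are constructed for this illustration. It checks that t+1 shares fix the polynomial's value at any other point, while t shares are equally consistent with a different degree-t polynomial.

```python
import secrets

Q = 2**61 - 1  # constructed prime modulus standing in for the paper's q

def poly_eval(p, x):
    acc = 0
    for c in reversed(p):          # coefficients stored low -> high
        acc = (acc * x + c) % Q
    return acc

def lagrange_at(points, x0):
    """Value at x0 of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def alternative_poly(g, xs):
    """A different degree-t polynomial that agrees with g on the t points xs:
    g'(x) = g(x) + c * prod(x - x_i) with a random non-zero c."""
    v = [1]
    for r in xs:
        nxt = [0] * (len(v) + 1)
        for i, a in enumerate(v):
            nxt[i] = (nxt[i] - r * a) % Q
            nxt[i + 1] = (nxt[i + 1] + a) % Q
        v = nxt
    c = secrets.randbelow(Q - 1) + 1
    return [(a + c * b) % Q for a, b in zip(g, v)]

def threshold_demo(t=3):
    g = [secrets.randbelow(Q) for _ in range(t + 1)]    # masked t-degree polynomial
    ids = list(range(101, 102 + t))                     # t+1 constructed node IDs
    target = 999                                        # ID of a node outside the coalition
    full = [(s, poly_eval(g, s)) for s in ids]
    enough = lagrange_at(full, target) == poly_eval(g, target)
    g2 = alternative_poly(g, ids[:t])
    same_shares = all(poly_eval(g2, s) == poly_eval(g, s) for s in ids[:t])
    differs = poly_eval(g2, target) != poly_eval(g, target)
    return enough, same_shares, differs
```

`threshold_demo()` returns `(True, True, True)`: a coalition of t+1 nodes determines the target value, and a coalition of only t nodes cannot tell `g` from `g2`.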

t-COLLUSION RESISTANCE

Let Rj1 indicate the set of nodes revoked before session j1, Jj2 be the set of nodes added after session j2. There exists j1<j2, | Rj1 Jj2|≤t and Rj1 Jj2=, so the nodes in Rj1 and Jj2 cannot get Kj (j1<j<j2) even by collusion. Let Ui denote the nodes joining in session j’, Ur denote the nodes revoked in session j’’. For j2< j’ and j’’< j1, Ui can get j’f(si), also Ur can get j’’f(si). As Ui and Ur are two different sessions, namely, it can neither obtain any information about f(x) nor the key Kj by conspiracy. So this scheme has t-collusion resistance.

Storage overhead

In this scheme, the storage overhead is 2log_2 q. The comparison between this scheme and other schemes in storage overhead is given in Table II.

TABLE II. COMPARISON OF THE STORAGE OVERHEAD OF EACH SCHEME.

Scheme                      Storage Overhead
scheme [3]                  m-j+1
scheme [4]                  2log_2 q
scheme [9]                  3log_2 q
The scheme of this paper    2log_2 q

Communication overhead

In this scheme, the communication overhead is max{(t+2)v+j,|Gj|+3v+j}log_2 q (1≤v<j≤m), which mainly comes from the t-polynomial in broadcast packets, where |Gj| represents the total number of nodes in Gj, v represents the number of sessions that have added new nodes before session j, and m represents the maximum number of sessions.

TABLE III. COMPARISON OF COMMUNICATION COSTS OF EACH SCHEME.

Scheme                      Communication Overhead
scheme [3]                  (2t+1)log_2 q
scheme [4]                  (t+1)log_2 q
scheme [9]                  max{(t+1)v+j,|Gj|+2v+j}log_2 q
The scheme of this paper    max{(t+2)v+j,|Gj|+3v+j}log_2 q

CONCLUSION

This paper made an improvement on problems existing in group key distribution scheme, and proposed a new mutual healing group key distribution scheme based on access polynomial. The performance analysis shows that the scheme has t-revocation function, self-healing function, mutual healing function, t-forward secrecy property, t-backward secrecy property and t-collusion resistance. This scheme is suitable for wireless sensor network.

ACKNOWLEDGEMENTS

This work was supported by the National Natural Science Foundation of China (No.61672206, No.61572170), Natural Science Foundation of Hebei Province of China (No. F2015205157), and Natural Science Foundation of Hebei Normal University of China (No. L2018Z10).

REFERENCES

[1] S. Agrawal, M. Das. Node revocation and key update protocol in wireless sensor networks[C]// Proceedings of IEEE International Conference on Advanced Networks and Telecommunications Systems. ANTS, 2016.
[2] R. Dutta. Access Polynomial Based Self-healing Key Distribution with Improved Security and Performance[C]// International Conference on Security Aspects in Information Technology. Springer-Verlag, 2011.
[3] H. Guo, Y. Zheng, X. Zhang, et al. Exponential Arithmetic Based Self-Healing Group Key Distribution Scheme with Backward Secrecy under the Resource-Constrained Wireless Networks[J]. Sensors, 2016, 16(5): 609.
[4] Q. Wang, H. Chen, L. Xie. One-way hash chain-based self-healing group key distribution scheme with collusion resistance capability in wireless sensor networks[J]. Ad Hoc Networks, 2013, 11(8): 2500-2511.
[5] X. Sun, X. Wu, C. Huang, et al. Modified access polynomial based self-healing key management schemes with broadcast authentication and enhanced collusion resistance in wireless sensor networks[J]. Ad Hoc Networks, 2016, 37(2): 324-336.
[6] O. Cheikhrouhou. Secure Group Communication in Wireless Sensor Networks: A Survey[J]. Journal of Network & Computer Applications, 2016, 61: 115-132.
[7] Wang, Qiuhua, Chen H, Xie L, et al. Access-polynomial-based self-healing group key distribution scheme for resource-constrained wireless networks[J]. Security & Communication Networks, 2012, 5(12): 1363-1374.
[8] H. Guo, Y. Zheng. On the Security of a Self-healing Group Key Distribution Scheme[J]. Wireless Personal Communications, 2016, 91(3): 1109-1121.
[9] Tian B, Han S, Hu J, et al. A mutual-healing key distribution scheme in wireless sensor networks[J]. Journal of Network and Computer Applications, 2011, 34(1): 80-88.
[10] Sarita Agrawal, Manik Lal Das. Mutual healing enabled group-key distribution protocol in Wireless Sensor Networks[J]. Computer Communications, 2017, 112: 131-140.
