1
Self-Certied Group Key Generation for Ad Hoc
Clusters in Wireless Sensor Networks
Ortal Arazi, Student Member, IEEE, Hairong Qi, Senior Member, IEEE
Abstract – Dynamic formation of node clusters is inher-
ently embedded in a wide range of emerging wireless sensor
network (WSN) applications. It is expected that security
will play a key role in the design and successful deploy-
ment of these, as well as many other, applications. The
ad-hoc nature and unique power-constraint characteristics
of WSN suggest that a prerequisite for achieving security is
the ability to encrypt and decrypt condential data among
an arbitrary set of sensor nodes. Consequently, the nodes
are required to generate a joint secret key. Elliptic Curve
Cryptography (ECC) has emerged as a suitable public key
cryptographic foundation for WSN. This paper describes a
pragmatic ECC-based methodology for self-certied group
key generation in ad hoc clusters of sensor nodes. A novel
load-balancing technique and chained data exchange yield
reduced overall communications and facilitate an ecient
distribution of the computational eort involved.
Keywords – Security in Wireless Sensor Networks,
Resource-Constraint Cryptography, Group Public Key Gen-
eration.
I. Introduction
Recent advancements in the design and fabrication of
low-power VLSI circuitry, as well as wireless communica-
tions, have broadened the applications prospect for wire-
less sensor networks (WSNs). The latter promise to revo-
lutionize our ability to sense and control diverse physical
environments using large numbers of small, inexpensive de-
vices that integrate sensing, computation and communica-
tion. These sensors can collaborate with each other and
achieve complex information gathering and dissemination
tasks such as infrastructure security, environment and habi-
tat monitoring, industrial sensing and trac control.
In addition to the many unique characteristics of WSNs
that stem from the resource-constrained environments in
which they operate, many applications, whereby collabora-
tive processing is carried out, necessitate the ad hoc forma-
tion of node clusters [1][2]. These clusters of nodes typically
emerge around an event. Since the location and extent of
the event are often unknown a priori, cluster members are
decided upon in an ad-hoc manner. Many WSN applica-
tions, spanning military and civilian, assume that sensor
nodes are deployed in hostile environments where they are
prone to a wide variety of malicious attacks. As a result,
security becomes a key concern [3][4][5]. The ad-hoc nature
and unique power-constraint characteristics of WSNs sug-
gest that a prerequisite for achieving security is the ability
to encrypt and decrypt condential data among an arbi-
trary set of sensor nodes. Consequently, an ad-hoc cluster
of nodes is required to generate a joint secret key, mak-
The authors are with the Electrical & Computer Engineering
department at The University of Tennessee, Knoxville. Email:
{oarazi,hqi}@utk.edu.
ing it highly desirable to have a secure and ecient key-
distribution mechanism facilitating simple key-generation
for large-scale sensor networks.
Although a variety of key-generation methods have been
proposed for WSNs, they cannot be directly transplanted
in sensor network environments. A simple solution for key
establishment is a single network-wide shared key. Unfor-
tunately, a single node in the network being captured would
easily reveal the network secret key. Therefore, a current
mainstream eort consists of random key pre-distribution,
in which a dierent set of pre-established keys is issued
to each node, thereby reducing the probability that cap-
turing one node will jeopardize the entire network [5][6].
These schemes oer partial solution with respect to scala-
bility, cryptographic robustness and the ability to append
and revoke security attributes. More recent work addresses
topics such as intruder identication in WSNs, relying on
key predistribution [7].
The necessity for public key cryptographic key-
generation in WSNs is widely acknowledged. Public key
cryptography oers scalability and decentralized manage-
ment, both of which are strongly coherent with the ad-hoc
nature of WSNs. Elliptic Curve Cryptography (ECC) [8]
emerges as a suitable public key cryptographic foundation
for sensor networks, providing high security for relatively
small key sizes. Recent results [9] indicate that the exe-
cution of ECC operations in sensor nodes is feasible, with
predictable improved performance.
This paper describes a pragmatic, scalable and resource-
ecient ECC-based group key-generation methodology,
specically optimized for WSNs. In particular, we address
the need for minimizing communications as well as dis-
tributing the computation load across the network. Based
on a novel algebraic exploration of standard ECC cryp-
tographic techniques, we derive a group key distribution
scheme, which is resource-ecient, scalable and robust.
Once a secret key is generated between two or more nodes,
data encryption and decryption is carried out using sym-
metric algorithms, which necessitate, at their core, simple
XOR operations.
The rest of the paper is structured as follows. In Sec. II
we briey review prior work in the area of key establish-
ment for WSNs and outline the unique attributes of key
generation in WSNs. Sec. III presents the mathematical
foundations from which the methodologies proposed are
derived. Sec. IV describes a key-generation scheme for ad-
hoc clusters of sensor nodes, while in Sec. V discussions on
future directions are presented.

II. Resource-Efficient Key-Generation for
Wireless Sensor Networks
A. Related Work
This paper inherently reinforces a recent trend [9][10]
which challenges the notion that Die-Hellman (DH) and
public-key based schemes, are not feasible in WSNs. It is
due to this infeasibility assumption that many publications
in recent years focus on key pre-distribution techniques
[5][6][11][12][13]. A trivial key pre-distribution scheme is
to allow each node to hold Q  1 secret pairwise keys,
each of which is known only to the node and to one of
the other Q  1 nodes (assuming there are Q nodes in the
network). However, the constrained memory resources and
the diculty in adding new nodes to the network, limit the
eectiveness of this general scheme.
Other researchers have extended the original notion of
key pre-distribution to include a statistical element. In
particular, methods such as those proposed in [14] assume
that each sensor node receives a random subset of keys
drawn from a large key pool. To agree on a key for com-
munication, two nodes nd one common key within their
subsets and use that key as their shared secret key. Ad-
ditional information, such as data concerning the position
and/or geographical distribution of the sensor nodes, can
be used to further improve the key pre-distribution concept
[6].
Nonetheless, the problems identied in the key pre-
distribution approach triggered an in-depth study of pub-
lic key cryptographic key-generation for WSNs. The main
reasons are two-fold. First, both scalability and security ro-
bustness are compromised if keys are pre-distributed based
on future predictions of the deployment of nodes, or if a
centralized entity manages the key-generation process. Sec-
ond, due to the ad-hoc nature of WSNs, online central man-
agement is impractical. Fundamental questions, addressed
by this paper, pertain to the implications of implementing
public key cryptography in WSNs.
B. Security Considerations and Requirements
This paper treats public key cryptographic xed as well
as ephemeral key-generation. The former relates to the case
where two specic nodes generate the same secret value
whenever they wish to establish a joint key. In ephemeral
key-generation, the two nodes generate a dierent key for
each session established, based on a random component
introduced by each node. Ephemeral key-generation is
more secure and is generally preferred in many applica-
tions. In this paper (as shown in gure 1), we will develop
an ephemeral key generation method only for nodes ap-
pearing in more than one cluster. All other nodes will
generate a xed group key. As will later be shown, an
ECC self-certied xed key-generation can be executed by
a single exponentiation.
In a public cryptographic session, a need emerges to au-
thenticate the public values submitted by the participants.
Customarily, this is facilitated by the use of a certicate,
issued by a CA (Certifying Authority/Agent), attesting to
2
Cluster A Cluster B
Fig. 1. Illustration of two clusters established in accordance with a
moving target. Only nodes shared by both clusters are issued an
ephemeral key. Nodes belonging to only one cluster are issued a
xed key.
the connection between a user’s public key and his ID. Veri-
fying the authenticity of certied values requires a reference
to the public key of the CA. An authentication procedure
which is based on certication therefore needs the following
values as input: the user’s public key, his ID, the certicate
and the CA’s public key. The latter value is considered to
be universal and expected to be known to all relevant par-
ties. The rst three values are unique to each user. In
self-certied public key cryptographic applications [15][16],
a user submits its ID along with its public key, but does
not submit an explicit certicate, thereby reducing com-
munication and management overheads, which is a vital
consideration in WSNs. Verifying the validity of a user’s
public key, that is, verifying that the public key is associ-
ated with the user’s ID, is achieved in an implied manner
that still needs an explicit reference to the CA’s public key.
In identity-based systems [17], the user’s public key is its
actual ID, which saves the need for any public value other
than the user’s ID. Nevertheless, an explicit reference to
the CA’s public key is required.
Public key cryptographic applications are customarily
based on one of two possible intractable mathematical
problems: factorizing a large (e.g., 1024-bit) composite in-
teger, or performing a discrete-log operation. The latter
also includes Elliptic Curve Cryptography (ECC), which
has attractive features when considering for use in WSNs.
A 163-bit ECC application has the same cryptocomplexity
as a 1024-bit application over a composite integer. In recent
work [9], it has been shown that point by scalar multipli-
cation - a fundamental ECC operation - can be performed
in 34 seconds on MICA2 motes. The latter pertained to
163-bit keys.
There are known ECC ephemeral-key-generation meth-
ods, in which the validity of a received ephemeral value is
based on the validity of a received static value. In these
cases, however, it is still necessary to provide for explicit
certication of the received static value. To that end, we
present a comprehensive ECC self-certied ephemeral key
generation methodology, suitable for WSN environments.
Furthermore, a method for generating a joint secret key
between an ad-hoc cluster of nodes is described. Although
group key generation based on public key cryptography
has been considered in the literature [18], there is no treat-

ment of the issue of authenticating the exchanged values.
In fact, a common assumption made by these schemes is
that an authentication mechanism is already available. To
that end, our method also concerns the ecient integration
of self-certied authentications.
Finally, in an eort to eectively distribute the computa-
tional load between the nodes, we propose to partition the
self-certied key-generation process into secure and non-
secure operations. The latter enables ooading the non-
secure operations from a node participating in the key-
generation process to available neighboring nodes. Such
ooading assists in load balancing the computational eort
and, consequently, power-consumption across the network.
Since many application, in which collaborative process-
ing is carried out, necessitate the ad hoc formation of node
clusters, it is imperative to generate a group key for these
clusters. In this paper we will show that generating such
a group key is accomplished in two steps. The rst step
would be to generate a shared key between pairs of nodes in
the cluster, while the second would be to generate a group
key by utilizing the shared keys established during the rst
step. We further illustrate how the key exchange and key
conrmation procedures establish self certication as well
as a group shared key.
III. Mathematical Foundations for Efficient
Two-Node DH Key Generation
A. Notation and Terminology
Our mathematical foundations rely on ECC crypto-
graphic techniques pertaining to operations over a nite
group of points in which the discrete log problem applies.
In order to describe the formalism for ecient two-node
DH key generation, we must rst dene some notation and
terminology. As we are using ECC, the need to distinguish
between a scalar and a point on the curve in evident. A
group-point is hereby denoted by a capital letter in bold
font (e.g. P), and a scalar will be presented in regular low-
ercase letters. Multiplication of a point by a scalar (e.g.
v × P) will be referred to as an exponentiation, where v is
the exponent. The intractability of a discrete log operation
means that given the points P and v × P, the complexity
of nding v is exponential. The following notations will be
used throughout the reminder of the paper:
• G  a generating group-point, used by all relevant nodes
• rugG  the order of G.(exponents are calculated prgxor
rugG)
• CA  a Certifying Authority
• g  the CA’s private key
• R  the CA’s public key (where R = d × G)
• {l  the private key of node l served by the CA
• Ui  the public key of a node i served by the CA
• LGl  the identication details, or attributes, of node l
• K(y> W)  a scalar obtained by performing a hash trans-
formation on the scalar y and group point W
• kl  a random 163-bit scalar generated by the CA (for
the purpose of calculating xl )
• Ql > Qm  sensor nodes l and m, respectively
3
B. Keys Issued to Nodes by the CA
The private and public keys discussed in this section are
issued by the CA to all nodes in the network. We will begin
our discussion by focusing only on keys issued to Ql . As
indicated above, the CA holds a pair of keys (private (g)
and public (R)). By using g, LGl , kl , a hash function and
G, it establishes the pair of private and public keys issued
to node l. We consider two scenarios for issuing the private
key ({l ), and the public key (Ui ) of node i . The node key
{l > used in the following applications, can be derived by
either one of the scenarios described in this section. In the
rst scenario, the CA knows the node’s secret keys. In this
case Ql ’s private key ({l ), and the public value (Ui ) can
be generated as follows:
1. The CA generates a random scalar kl and calculates
kl × G;
2. The CA then generates node l’s public and private keys
as follows:
Ui = kl × G (1)
{l = [K(LGl > Ui ) × hi + d] prg rugG
3. The CA issues the values {l and Ui to Ql ;
4. Ql can establish the validity of the values issued to him
by checking whether xi × G = H (ID i > Ui ) × Ui + R.
In the second scenario considered, the CA is not allowed
to know the node’s secret keys. In this case Ql ’s private
key and public key can be generated as follows:
1. The node generates a random value yl and submits Wi
= yl × G to the CA;
2. The CA generates a random kl and calculates kl × G.
3. The CA then generates the pair of private and public
keys as follows:
Ui = Wi + hi × G (2)
sl = [K(LGl > Ui ) × hi + d] prg rugG
The CA issues the values sl and Ui to Ql ;
4. Ql generates his secret key as
{l = [sl + K(LGl > Ui ) × vi ] prg rugJ= (3)
5. Ql can establish the validity of the values sl and Ui
issued to him by checking whether sl × G = H (ID i > Ui ) ×
(Ui  Wi ) + R.
Two important points should be noted here: (1) in
both cases {l × G = H (ID i > Ui ) × Ui + R> and (2) since
{l = [K(ID i > Ui ) × (hi +v i ) + d] prg rugG, {l × G =
H (ID i > Ui ) × Ui + R, which is identical to the case of the
CA being allowed to know the node’s secret keys.
IV. Self-Certified Diffie-Hellman
Key-Generations
A. Fixed Key-Generation
A self-certied DH xed-key-generation (gure 2), is
achieved by the following two steps: (1) Ql and Qm ex-
change the pairs (LGl > Ui ) and (LGm > Uj ), respectively, and

Node i Node j
IDi ,Ui IDj ,Uj
?
xi [H(IDj,Uj) u Uj+R] = xj [H(IDi,Ui) u Ui+R]
Fig. 2. A self-certied Die-Hellman xed-key generation.
(2) Ql and Qm generate the session-key,
Nlm (generated by Ql ) = {l × [K(LGm > Uj ) × Uj + R]
Nml (generated by Qm ) = {m × [K(LGl > Ui ) × Ui + R]=
(4)
If indeed Nlm = Nml >then not only is key conrmation
obtained (verication of key equivalence), we also observe
key self-certication= The two keys are expected to be iden-
tical, having the value xi × xj × G. (i.e. Ql calculates: {l ×
[K(LGm > Uj )×Uj +R] = {l ×[K(LGm > Uj )×hi ×G+d ×G]
= xi × [H (IDj > Uj )× hi + d ] × G =xi × xj × G= Similar
logic is applied by the calculations performed at Qm ). To
complete the authentication cycle there is a need for key-
conrmation, during which the two nodes either verify that
they share an identical key by encrypting and decrypting a
test value, or establish a communication session and implic-
itly verify that they share the same key. Verifying that the
keys generated by the two nodes are equal also establishes
their correct identities.
A primary contribution oered by this method of self-
certied xed key DH key generation lies in the number of
exponentiations needed to calculate the value {l × {m × J=
As indicated above, each node (among each pair of nodes)
calculates the value {l × {m × J= Note that the calculations
performed by Ql are Nlm = {l × [K(LGm > Uj ) × Uj + R] =
{l K(LGm > Uj )× Uj + {l R= Further note that the calcu-
lations have been separated into two parts. The rst is
a dynamic scalar by point multiplication executed in an
ad hoc manner (as it contains the value Uj )= The second
is a scalar by point multiplication that can be calculated
and stored "before" the key-generation session commences,
thereby avoiding the need for a real-time exponentiation
(as it contains information known a priori by node l). It is
clear that Ql is able to calculate its session-key by a single
ad-hoc exponentiation instead of two, {l K(LGm > Uj ),× Uj ,
where similar considerations apply to Qm .
B. Ephemeral Key-Generation
A self-certied DH ephemeral key-generation is achieved
by the following steps: (1) Ql and Qm generate a random
syl and sym , respectively, (2) Ql calculates the ephemeral
value EVi = pv i × G, Qm calculates the ephemeral value
EVj = pv j × G (performed prior to establishing the com-
munication session between the two nodes), (3) Ql and Qm
exchange the values (LGl > Ui > EVi ) and (LGm > Uj > EVj ),
respectively, and (4) Ql and Qm generate the ephemeral
4
session key,
Nlm (generated by Ql ) = syl × [K(LGm > Uj )] × Uj + R]
+ ({l + syl ) × EVj (5)
Nml (generated by Qm ) = sym × [K(LGl > Ui)] × Ui + R]
+ ({m + sym ) × EVi (6)
As listed in the xed-key scenario, if indeed Nlm = Nml >
then not only is key conrmation obtained (verication of
key equivalence). but we also observe key self-certication=
The two keys are expected to be identical, having the value
syl × xj × G + xi × pv j × G + pv i × pv j × G= (i.e. Ql
calculates: pv i ×[H (IDj > Uj )]×Uj +R]+(xi +pv i )×EVj =
syl × xj × G + xi × pv j × G + pv i × pv j × G= Similar logic is
applied by the calculations performed at Qm . To complete
the authentication cycle we need to follow the same steps
described in the section on xed key generation.
B.1 Partitioning of Secure and Non-secure Operations
A primary contribution oered by this method of self-
certied ephemeral-key DH key generation lies in the
number of exponentiations needed to calculate the value
pv i × xj × G + xi × pv j × G + pv i × pv j × G= As indicated
above, each node (among each pair of nodes) computes the
value pv i × xj × G + xi × pv j × G + pv i × pv j × G= Note
that the calculations performed by Ql correspond to
Nlm = syl × [K(LGm > Uj )] × Uj + R] +
({l + syl ) × EVj
= syl × K(LGm > Uj ) × Uj + (xi +pv i ) × EVj
+syl × R
= syl × K(LGm > Uj ) × Uj + (xi +pv i ) ×
(EVj + R)  xi × R= (7)
Therefore:
Nlm = syl × K(LGm > Uj ) × Uj + (xi +pv i ) × (EVj + R)
{l × R
Nml = sym × K(LGl > Ui ) × Ui + (xj +pv j ) × (EVi + R)
{m × R (8)
The pre-calculation and storage of {l × R would enable Ql
to calculate its session-key by performing the two exponen-
tiations: syl ×K(LGm > Uj )×Uj and ({l +pv i )×(EVj +R)=
B.2 Ooading the Non-Secure Operation to an Untrusted
Neighboring Node
As indicated above, Ql is required to calculate its ses-
sion key by performing the four exponentiations: pv i ×
H (IDj > Uj ) × Uj , ({l + syl ) × (EVj + R)> {l × R and
EVj = pv j × G= Among these four exponentiations, xi × R
is a scalar by point multiplication that can be calculated
and stored before the key-generation session commences.
This would avoid the need for a real-time exponentiation
(as it contains information known a priori by node l). Sim-
ilarly, sym × G is also performed prior to establishing the

communication session between the two nodes. We are left
with the following two operations: syl × K(LGm > Uj ) × Uj ,
and ({l + syl ) × (EVj + R)= The rst is a dynamic scalar
by point multiplication executed in an ad hoc manner (as
it contains the value Uj )= In the interest of distributing the
power consumption across the sensor network, we employ
an ooading technique in which nodes assist other nodes
by performing part of the required calculations.
In the context of security operations, we must prove
that calculations that are ooaded, and are subsequently
transmitted over potentially eavesdrop-prone media, do
not jeopardize the trustworthiness of the process. As-
sisting neighbor nodes (not included in the ad hoc clus-
ter, but with proximity to it) will calculate the value
({l + syl ) × (EVj + R)= It should be noted that all nodes
are assumed to have knowledge of R. Moreover, none of
the ooaded values are assumed to be secret, and while {l
and syl are secret, their sum does not disclose their values.
Furthermore, even though {l is xed, syl never repeats it-
self. In other words, the secret key {l is masked with the
random noise syl . It is further noted that the neighbor-
ing assisting node is not necessarily trusted in delivering a
correct answer. The assisting node merely performs math-
ematical processing with no decisions being made by it. An
attempt to send a misleading result by the assisting node
will be detected in the key conrmation step.
All procedures presented this far are also valid for the
case where nodes use dierent CAs. That is, if the user
keys of Ql were issued by a CA whose public key is R1
with a private key g1 = orjR1 > and the user keys of Qm
were issued by a CA whose public key is R2 with a private
key g2 = orjR2 , all derived expressions, for both xed and
ephemeral session keys, are valid. That is, a node refers to
the public key of the CA of his counterpart when generating
a session key with that counterpart.
V. Group-Key Generation based on Pairwise DH
Key Generation
Based on the presented procedure for generating a self-
authenticated DH secret key joint to a pair of nodes, it is
next shown how a group of p nodes generates a secret ses-
sion key Nv joint to all nodes in the group and not known
to any party outside the group. In this respect it is noted
that the self authentication of the DH keys is based on
the identity, LGv , of the participants. These identity val-
ues can also be associated with attributes of nodes, rather
than their explicit identities. For example, they can be as-
sociated with parameters that specify the meaning of the
group. That is, nodes that do not posses appropriate pa-
rameters allowing them to participate in the group cannot
force themselves into the group.
Let the nodes in the group be indexed in a chain, where
node Ql generates two DH keys, one jointly generated with
node Ql1 and one with Ql+1 > l = 0> 1> = = = > p  1. Al-
though this is not a necessity, the indexing is cyclic. That
is, Qp1 and Q0 also generate a joint key. For simplicity,
let us further assume that p is even. These 2p DH keys
can all be generated in two time slots. Let Nl+ denote the
5
DH key joint to nodes Ql and Ql+1 , generated during the
rst time slot for even l’s, and Nl denote the DH keys
generated during the second time slot for odd l’s. This
way, during each slot, each node is busy generating a joint
DH key with exactly one other node.
Based on each node having two DH keys, one joint to the
preceding node in the chain and one joint to the following
node (where Qp1 and Q0 are considered to be consecu-
tive), the secret session key Nv , joint to all members in the
group, is then generated as follows. A certain node Qm in
the group (Qm can be an arbitrary node, or a node with
some distinct preferences such as the cluster head or group
lead) generates a random Nv . It encrypts Nv with Nm+
and sends the ciphertext to Qm+1 . Node Qm+1 decrypts
the ciphertext, as it also has Nm+ , thereby recovering Nv .
It then encrypts Nv with the DH key joint to Qm+1 and
Qm+2 , etc. This way, Nv securely propagates in the chain,
by decryption and encryption operations taking place at
each node. Nv nally gets back to the originator Qm , who
veries that the received Nv equals to the original.
Although calculations are carried out concurrently by
the odd and even nodes, we must consider the fact that
transmission of information is done sequentially, since the
same media is shared by all nodes. Letting wdffhvv and
w{ denote the expected channel access time and transmis-
sion/reception times, respectively, the aggregate time con-
sumed by the group key generation process, Wjn , can be
expressed as
Wjn = 2p(wdffhvv + w{ ) + wGK > (9)
where wGK is the overall time required to perform the ac-
tual DH calculations. One should note that the access and
transmission times are expected to be in the order of mil-
liseconds, while the DH related computations are in the
order of seconds (shown for MICA2 motes in [9]). To that
end, the fact that communications are done sequentially
has little impact on the overall delay of the group key gen-
eration process.
A remark on the encryption/decryption operation per-
formed at each node: This is a symmetric operation that
can be based on standard procedures like DES or AES.
However, let us also consider the case where this operation
is a simple exclusive-OR (XOR) operation between Nv and
Nm+ . That is,
fm = Nv XOR Nm+ (10)
where fm is the ciphertext sent from Qm to Qm+1 . Node
Qm+1 then performs the following to propagate Nv to Qm+2 ,
noted that Qm and Qm+1 share the same key Nm+ , and Qm+1
and Qm+2 share Nm+1 ,
Nv = fm XOR Nm+ XOR Nm+1 (11)
However, as all nodes nally share Nv , and they also receive
all exchanged ciphertexts, this suggests that all pairwise
DH keys will also be known to all nodes in the group (each
node simply XORs Nv with all ciphertexts). The question,
and this is a strategic consideration, is what kind of a threat
can be posed by this procedure. After all, if the members of

the group nally know the joint secret key, Nv , they might
as well know the individual DH keys. This surely holds if
the DH keys expire when the key Nv expires.
VI. Discussion and Future Work
This paper presented an ecient methodology for ECC-
based public key generation in wireless sensor networks.
A novel algebraic approach for partitioning the key gen-
eration process was described, addressing both xed and
ephemeral key establishments. A unique feature of the
scheme relies on distributing the computation load among
neighboring nodes thereby gaining execution speed and
load-balancing the power consumption. Based on these
foundations, a procedure for group key generation within
a cluster of nodes was presented, oering scalability with
respect to network size and robustness.
The paper presented a comprehensive approach for
a practical implementation of group key generation in
resource-constraint WSNs. Remaining challenges include
the study of fault tolerance issues, neighbor-node selection
and analysis of energy consumption.
As the described procedure relies on a cyclic exchange
of information, future work will address the issue of fault
tolerance. The “fault” is two-fold. First of all, how to
guarantee that all the nodes within the cluster will be in-
cluded in the chain without disconnections. Second, what
happens when one or more nodes fail in the chain. Future
work will concern the generation of redundant paths, while
altogether minimizing the overall computational complex-
ity. Moreover, the existence of malicious node (whether
part of the cluster or assisting nodes) will be addressed to
contribute to the robustness of the key generation process.
As stated in the paper, o-loading non-secure computa-
tions to neighboring nodes would provide load balancing,
elongating the network lifetime. A question that naturally
arises pertains to the manner by which neighboring nodes
are selected. We will study the joint eect of geographi-
cal distance between nodes and the remaining energy on
the neighboring nodes in order to generate a fair selection.
Although the communication time associated with the of-
oading process is much shorter than the DH key genera-
tion time, the energy consumed during data transmission
and reception is not negligible. We will study the tradeos
between energy consumption and real-time key generation
in order to reach an optimal solution. In this paper, we
assume the sensor nodes are all static. However, the pro-
posed scheme, in particular the ephemeral key-generation
methodology, has great potential in mobile sensor network
applications, in which issues like speed of mobility and key
generation turnaround time need to be evaluated.
The framework presented in this paper can be utilized
and broadened to address a wide range of security chal-
lenges in resource-constrained sensor networks.
VII. Acknowledgment
The authors would like to thank Benjamin Arazi and
Itamar Elhanany for their valuable comments and useful
discussions.
6
References
[1] H. Qi, Y. Xu, and X. Wang, “Mobile-agent-based collaborative
signal and information processing in sensor networks,” in Pro-
ceedings of the IEEE, vol. 91, pp. 1172—1183, August 2003.
[2] H. Qi and Y. Xu, “Decentralized reactive clustering for collabo-
rative processing in sensor networks,” in Proc. of the IEEE 10th
International Conference on Parallel and Distributed Systems
(ICPADS), vol. 91, (Newport Beach, CA), pp. 54—61, July 2004.
[3] A. Perrig, J. Stankovic, and D. Wagner, “Security in wireless
sensor networks,” Communications of the ACM, vol. 47, pp. 53—
57, June 2004.
[4] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus,
“Tinypk: Securing sensor networks with public key technology,”
in Proceedings of the Second ACM Workshop on Security of Ad
Hoc and Sensor Networks, (Washington DC, USA), pp. 59—64,
2004.
[5] H. Chan, A. Perrig, and D. Song, “Random key predistribution
schemes for sensor networks,” in Proceedings of the 2003 IEEE
Symposium on Security and Privacy, (Washington DC, USA),
pp. 197—214, 2003.
[6] W. Du, J. Deng, Y. S. Han, S. Chen, and P. K. Varshney, “A
key management scheme for wireless sensor networks using de-
ployment knowledge,” in Proc. of IEEE INFOCOM 2004, (Hong
Kong, China), 2004.
[7] W. Zhang and G. Cao, “Group rekeying for ltering false data
in sensor networks: A predistribution and local collaboration-
based approach,” in Proceedings of the 2005 IEEE INFOCOM,
(Miami, FL, USA), 2005.
[8] A. J. Menezes, Elliptic Curve Public Key Cryptosystems.
Boston, MA: Kluwer Academic Publishers, 1993.
[9] D. Malan, M. Welsh, and M. D. Smith, “A public-key infrastruc-
ture for key distribution in tinyos based on elliptic curve cryp-
tography,” in Proc. of 1st IEEE International Conference on
Sensor and Ad Hoc Communications and Networks (SECON),
(Santa Clara, CA), October 2004.
[10] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz,
“Energy analysis of public-key cryptography for wireless sensor
networks,” in Proceedings of the third IEEE International Con-
ference on Pervasive Computing and Communication (PerCom
2005), pp. 324—328, 2005.
[11] W. Du, J. Deng, Y. S. Han, and P. Varshney, “A pairwise key
pre-distribution scheme for wireless sensor networks,” in Pro-
ceedings of the 10th ACM Conference on Computer and Com-
munications Security (CCS), (Washington DC, USA), pp. 42—
51, October 2003.
[12] A. Chan, “Probabilistic distributed key pre-distribution for mo-
bile and ad hoc networks,” in Proceedings of the 2004 IEEE
International Conference on Communications, pp. 3743—3747,
June 20-24 2004.
[13] M. Ramkumar and N. Memon, “An ecient key predistribution
scheme for ad hoc networks security,”
[14] L. Eschenauer and V. D. Gligor, “A key-management scheme
for distributed sensor networks,” in Proceedings of the 9th ACM
conference on Computer and communications security, (Wash-
ington, DC), pp. 41—47, November 2002.
[15] M. Girault, “Self-certied public keys,” in Advances in
Cryptology—EUROCRYPT’91, pp. 491—497, March 1991. LNCS
- Springer-Verlag.
[16] B. Arazi, “Certication of dl/ec keys,” in Proceedings
of the IEEE P1363 Study Group for Future Public-Key
Cryptography Standards, May 1999. Also available as
http://grouper.ieee.org/groups/1363/StudyGroup/submissions.
html#Hybrid.
[17] A. Fiat and A. Shamir, “How to prove yourself: Practical solu-
tions to identication and signature problems,” in Advances in
Cryptology - CRYPTO ’86, vol. 263, pp. 186—196, March 1987.
Springer-Verlag.
[18] Y. Kim, A. Perrig, and G. Tsudik, “Group key agreement e-
cient in communication,” Communications of the ACM, vol. 53,
pp. 905—921, July 2004.