
Computer Networks 54 (2010) 2591–2612


A survey on key management mechanisms for distributed Wireless Sensor Networks

Marcos A. Simplício Jr. *, Paulo S.L.M. Barreto 1, Cintia B. Margi, Tereza C.M.B. Carvalho

University of São Paulo (Laboratory of Computer Architecture and Networks), Av. Prof. Luciano Gualberto 158, trav. 3, 05508-900 São Paulo, Brazil

Article info

Article history:
Received 16 July 2009
Received in revised form 22 January 2010
Accepted 11 April 2010
Available online 18 April 2010
Responsible Editor: J. Lopez

Keywords: Distributed Wireless Sensor Network; Key management; Key pre-distribution; Security

1389-1286/$ - see front matter © 2010 Elsevier B.V. All rights reserved.
doi:10.1016/j.comnet.2010.04.010

* Corresponding author. Tel.: +55 11 30915261; fax: +55 11 30915280.
E-mail addresses: [email protected] (M.A. Simplício Jr.), [email protected] (P.S.L.M. Barreto), [email protected] (C.B. Margi), carvalho@larc.usp.br (Tereza C.M.B. Carvalho).

1 Supported by the Brazilian National Council for Scientific & Technological Development (CNPq) under Grant 312005/2006-7.

Abstract

Wireless Sensor Networks (WSNs) have a vast field of applications, including deployment in hostile environments. Thus, the adoption of security mechanisms is fundamental. However, the extremely constrained nature of sensors and the potentially dynamic behavior of WSNs hinder the use of key management mechanisms commonly applied in modern networks. For this reason, many lightweight key management solutions have been proposed to overcome these constraints. In this paper, we review the state of the art of these solutions and evaluate them based on metrics adequate for WSNs. We focus on pre-distribution schemes well-adapted for homogeneous networks (since this is a more general network organization), thus identifying generic features that can improve some of these metrics. We also discuss some challenges in the area and future research directions.

© 2010 Elsevier B.V. All rights reserved.

1. Introduction

A Wireless Sensor Network (WSN) can be considered a special type of ad hoc network composed of a large number of tiny, cheap and highly resource-constrained sensor nodes, known as motes [29,61,72]. Usually, the distributed and autonomous nature of these sensors leads to a network organization that is highly dependent on its functionality and also very dynamic; for this reason, WSNs can also be seen as a "living being", in which the sensors act as "cells" with similar functionalities, trying to achieve a common goal [60].

Sensors in WSNs can be used to gather and process data from the environment (e.g., mechanical, thermal, biological, chemical, and optical readings), enabling many applications such as environment and habitat monitoring, support for logistics, health care and emergency response, as well as military operations [6,2]. Depending on the available hardware, WSNs can be either heterogeneous (in which nodes with different resources exist) or homogeneous (all nodes are alike) [71]. Moreover, depending on the roles assumed by each node, WSNs can be classified as hierarchical (each node assumes a different role, depending on its capacity) or distributed (all roles are alike) [13]. Due to this large potential for integrating the computing power of smart devices into everyday life, the study of WSNs is a topic of continuous research interest.

Since the data are transmitted over the air, many of these applications need to employ security measures in order to prevent eavesdropping of private information and the disruption of the system by enemies. This can be achieved by the deployment of cryptographic mechanisms for assuring basic services such as data confidentiality, integrity and authenticity. As many cryptographic primitives (such as ciphers and Message Authentication Codes) need secret keys for their operation, techniques for distributing these keys in a secure manner are also necessary. Key management can be defined as a set of techniques and procedures that support the establishment and maintenance of keying relationships between authorized parties [53, Definition 13.1].


Despite the great potential of WSNs in providing a vast myriad of applications, they present a major security challenge: since sensors have limited power, computation, storage and communication capabilities, they impose several constraints on the algorithms and protocols that can be effectively deployed for such systems. Complex all-purpose cryptographic solutions typically adopted in modern systems will not only take longer to run, but also consume more energy. Additionally, WSNs are very dynamic, in the sense that a node's neighborhood (i.e., the nodes within the sensor radio range) may change frequently. This can happen due to their relative mobility, to the exhaustion of their batteries, to the addition of new nodes in the network, etc. In this scenario, lightweight and flexible key distribution schemes are essential.

Historically, several schemes have been proposed for use in WSNs. Although it is hard to accurately determine the number of papers published every year, a search for key terms such as "key management" or "key establishment" in a scholarly source (e.g., Google Scholar; see footnote 2) shows a quick evolution in this number: while a few dozen results appear in the period of 2002–2003, hundreds are returned in 2007, 2008 or 2009.

Depending on its characteristics, a key management solution can be classified in one of three general groups [16]: Self-enforcing Schemes, Arbitrated Keying Schemes and Pre-distribution Schemes.

Self-enforcing Schemes use asymmetric cryptography in order to establish keys after deployment. The main drawback of this strategy is the performance of most asymmetric algorithms currently available: although considerable effort has been devoted to the adaptation of public-key cryptography to highly constrained devices, both through the use of certificates [62,1] and elliptic-curve cryptography (ECC) [7,45,68], it is still unclear if the amount of resources necessary even for highly optimized implementations is already low enough for a wider acceptance of this approach. For example, Szczechowiak et al. [68] have recently shown that a MICA2 mote can compute a pairing in about 2.66 s. However, the assembly-optimized implementation used in this manner requires 3.17 KiB of RAM and, since this device's capacity is only 4 KiB, all other tasks (including the Operating System) are left with only 0.83 KiB of RAM; moreover, the corresponding energy consumption is 62.73 mJ, equivalent to the transmission of approximately 7 KiB of data on the same platform [63].

Arbitrated Keying Schemes rely on a trusted central point (e.g., a base station) for key establishment and management. An issue with this strategy is that the central point becomes a preferred target for attacks that, if successful, can disrupt the entire network. Nonetheless, when such a trusted point is available (which is often the case in heterogeneous hierarchical WSNs) and can be considered secure, these schemes become very attractive.

Finally, in Pre-distribution Schemes, a special entity known as Key Distribution Center (KDC) is responsible for loading the keys into the sensor nodes prior to deployment, which can be done either through their physical or wireless interfaces [40]. The reasoning behind this strategy is to avoid the overhead that could originate from dynamic key generation processes. Moreover, this approach results in a network with little or no dependence on a central station after the nodes are deployed. For these reasons, this strategy is usually considered more adequate for WSNs.

Footnote 2: http://scholar.google.com/.

In this document, we review the state of the art of key management for WSNs based on the pre-distribution approach. We also evaluate and compare these schemes based on metrics that are of central importance in such resource-constrained applications. Our goal is to identify general ideas and properties that could be used to improve future proposals, resulting in schemes with higher potential for adoption by industry standards such as ZigBee [3] or WirelessHART/ISA100.11a [33,38]. Since standardized solutions should be well-adapted to a wide range of scenarios, we do not aim at covering the whole universe of existing proposals, but rather focus on schemes applicable to homogeneous distributed networks – which can be considered more general because they do not depend on powerful nodes (such as base stations) or on coordinator nodes with higher responsibility than their neighbors.

1.1. Related work

The continuous appearance of new key management proposals every year has motivated the development of some surveys covering this dynamic field of research.

An interesting example is the work of Çamtepe and Yener [13], which covers a broad range of solutions: they consider deterministic, probabilistic and hybrid pre-distribution schemes for distributed networks, as well as proposals for establishing pair-wise, group-wise and network-wise keys in hierarchical networks. Together with their historical evolution, this work analyzes many of the security- and efficiency-related characteristics.

Another example is the survey developed by Xiao et al. [70]. In this work, the authors provide a detailed review of many key management solutions (including public-key schemes), considering different application scenarios. Their conclusion is that the suitability of each technique is mainly determined by the requirements and resources available in the target network.

In [8] and also in [67] the authors give an overview of promising pre-distribution solutions for WSNs, providing some insight on future developments in the area.

Finally, in [75], Zhang and Varadharajan propose a taxonomy of key management schemes based on their encryption key mechanism, as well as on their key pre-distribution and key establishment strategies.

While many of the existing surveys on key management mechanisms for WSNs cover a wide range of solutions, one main difference in our work is that we focus on proposals well-adapted for general scenarios. This more focused approach not only helps in identifying generic strategies with higher potential for standardization and key features that should be satisfied by future proposals, but also allows a deeper comparative analysis of the schemes' strengths and weaknesses. Additionally, in this survey we analyze schemes not covered in the above-mentioned papers, including more recent proposals.

1.2. Document organization

The remainder of this document is organized as follows. Section 2 outlines the main differences between hierarchical and distributed WSN models. Section 3 describes the basic requirements and metrics that should be considered when designing WSN-oriented key management solutions. Section 4 covers schemes based on the distribution of network-wide keys, while their exact opposite, the full-pairwise scheme, is discussed in Section 5. Probabilistic schemes are described in Section 6. Sections 7 and 8 present matrix-based and polynomial-based schemes, respectively. Solutions based on combinatorial designs are analyzed in Section 9. Schemes that explore deployment knowledge are discussed in Section 10. In Section 11, we summarize and analyze the characteristics of the surveyed schemes, and then we conclude the discussion in Section 12.

2. Organization of WSNs: hierarchical vs. distributed designs

WSNs can be structured in hierarchical or distributedarchitectures. Both designs are illustrated in Fig. 1.

Fig. 1. Hierarchical and distributed WSNs.

In a Hierarchical WSN (HWSN), each node assumes one of the following roles depending on its capabilities: base station, cluster head or sensor node. Sensor nodes are the most constrained entities in the network, being responsible solely for collecting the data from the surrounding environment and forwarding them to the nearest cluster head. Cluster heads typically have more resources than sensor nodes, and their main objective is to collect and merge the readings from nearby sensors, routing the resultant data to a base station. Base stations collect and process the received data, and are responsible for forwarding the results to other networks. They also perform costly operations on behalf of constrained nodes and manage the network. For this reason, usually they are able to reach all nodes in the network and, thus, they are much more powerful than any other entity in the HWSN. In a Distributed WSN (DWSN), there are no specific roles for each node. Instead, the roles of all sensors are similar, and communications may occur among any pair of neighbors.

3. Basic requirements and evaluation metrics

In this section, we define the most common metrics used for the evaluation of key management techniques in WSNs. While some of these metrics are very general, others originate from the requirements imposed by the several constraints inherent to these systems. These metrics can be classified in three main groups, which define the (usually conflicting) requirements to which they are associated: security, flexibility and efficiency.

3.1. Security metrics

Key management schemes must provide the secret keys in a secure way, thwarting the activities of malicious nodes in the network. In this sense, they must assure that only secure entities are able to assign and/or update keys in the network, preventing external sources from doing so. Moreover, the solution must prevent the disclosure of the keys to unauthorized parties.

1. Node authentication: Ideally, the key management technique should guarantee that the communicating nodes are able to verify each other's identity in a secure way. This feature helps the network to pinpoint misbehaving nodes, resulting in a higher resistance against the capture of valid nodes and attempts at impersonating them.

2. Resilience: Refers to the resistance of the scheme against node capture, where an adversary physically attacks a sensor and recovers secret information from its memory. The scheme's resilience is given by the fraction of the network communications that are exposed to the adversary, excluding the communications in which the compromised node is directly involved. An interesting discussion on how to calculate the effective resilience of a distribution scheme is presented in [32].


3. Node revocation: Upon the discovery of compromised nodes, the key management solution should provide efficient ways to dynamically revoke them from the network. Such mechanisms are useful to prevent an adversary from inserting malicious nodes into the network, even if this adversary obtained access to some secret information (e.g., through node capture). There are currently many proposals for intrusion detection in WSNs [10,57,65], which could be employed in this situation.

3.2. Efficiency metrics

Any realistic scheme must be able to establish the keys needed for the correct operation of the network and, at the same time, take into account the heavy constraints inherent to WSNs. Thus, the key distribution itself shall not be a heavy burden in terms of:

1. Memory: Amount of memory needed for storing data (e.g., keys and IDs).

2. Processing: Number of processor cycles needed to establish keys.

3. Bandwidth: The amount of data exchanged between nodes during the key generation process.

4. Energy: The energy consumption involved in the key agreement process. Data transmission and reception are normally identified as the most energy-consuming operations [44], especially when the communications involve large distances. However, when many complex operations are required for generating the keys, those can also have a significant impact on the device's energy usage (e.g., as in Self-enforcing Schemes).

5. Key connectivity: Probability that (groups of) sensor nodes are able to establish shared keys. When only the connectivity between a pair of neighbor nodes is considered, this metric is called local connectivity; in contrast, global connectivity considers the connectivity of the whole network. Insufficient key connectivity may seriously impair the entire network functioning, since neighbor nodes will not be able to communicate securely.

3.3. Flexibility metrics

The key management solution should be flexible enough for deployment in the wide range of scenarios covered by WSN applications.

1. Lack of prior deployment knowledge: In many applications, the sensors are deployed dynamically and at random, making it difficult to know the nodes' final positions. In a few situations (e.g., when the nodes are deployed by hand), it is possible to assume some degree of proximity between groups of nodes, at least in the early days of the network; in fact, even in applications that use the nodes' location for their normal operation, such knowledge is usually gathered after the nodes' deployment (e.g., using a built-in GPS). Therefore, more flexible key establishment techniques do not depend on the nodes' positioning for initializing the network keys.

2. Scalability: During the sensor network lifetime, its size may vary dynamically; thus, the key distribution scheme must support large networks and, at the same time, allow the introduction of new nodes without loss of security.

4. Using network-wide keys

The most straightforward key distribution possible is to have a single master key which is loaded into all sensors. Such simplicity results in a high level of efficiency and flexibility, requiring minimal memory for the storage of keys no matter the size of the network. By loading the master key in new nodes, the scheme also allows the introduction of any number of sensors after the initial deployment. Furthermore, since all nodes certainly share the same master key, this scheme provides perfect key connectivity.

A simple scheme that adopts a single secret network-wide key for its operation is the BROadcast Session Key Negotiation Protocol (BROSK) [41]. In this solution, the master key $K$ is used in combination with random nonces $N_A$ and $N_B$, exchanged by pairs of nodes A and B, for establishing a session key $K_{A,B} = \mathrm{PRF}(K \| N_A \| N_B)$, where PRF is a Pseudo-Random Function.

A related solution is the Symmetric-Key Key Establishment (SKKE), adopted by the ZigBee standard [3]. In this scheme, nodes A and B exchange randomly generated challenges $N_A$ and $N_B$, both having a pre-agreed length. Using the master key $K$, a common shared secret is then computed as $S_{A,B} = \mathrm{PRF}(K \| ID_A \| ID_B \| N_A \| N_B)$. $S_{A,B}$ is then used to create two keys, $K_{A,B} = \mathrm{Hash}(S_{A,B} \| 1)$ and $K'_{A,B} = \mathrm{Hash}(S_{A,B} \| 2)$. $K'_{A,B}$ is used to compute the tag $Tag_A = \mathrm{PRF}(K'_{A,B} \| 3 \| S_{A,B})$ sent by A to B, and $Tag_B = \mathrm{PRF}(K'_{A,B} \| 2 \| S_{A,B})$ sent by B to A, allowing the nodes to confirm the computation of the same link key $K_{A,B}$.

Another proposal that employs a single shared key is the Loop-Based Key Management Scheme (LBKMS) [74]. LBKMS considers a loop-based topology where each node A receives a unique ID, a private key $K_A$, and a master key $K$. After deployment, the nodes broadcast their IDs encrypted with the global key. This information is used by the network for constructing a certain number of loops, each of which contains a set $S$ of nodes. If sensor A was responsible for the creation of loop $L$ containing the set $S$, then A computes a loop key $K_L = \mathrm{Hash}(\mathit{timestamp} \| K_A \| ID_A \| \{ID_i\}_{i \in S})$. The global key is then used to protect the distribution of the loop key inside the loop. Moreover, the LBKMS authors propose the application of Blundo's Scheme [12] (see Section 8) for key revocation if such a mechanism is necessary.

Despite the numerous advantages, the Network-Wide Key approach has serious security vulnerabilities: the capture of a single node would disclose the common key, compromising all the nodes in the network and their communications. Besides, an attacker with access to the master key could easily insert malicious nodes into the network. The revocation of such intruders would be very difficult or even impossible, since it would require all remaining nodes to be re-keyed without using the old master key.
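The SKKE exchange and the single-capture weakness described above can be traced in code. This is an added example, not code from the paper or from the ZigBee specification: HMAC-SHA256 stands in for PRF, SHA-256 for Hash, and the node IDs, nonce length and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed with `key` stands in for PRF(key || parts...).
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def hash_(*parts: bytes) -> bytes:
    # Assumption: SHA-256 stands in for Hash.
    return hashlib.sha256(b"".join(parts)).digest()


def skke_derive(master, id_a, id_b, n_a, n_b):
    """Return (K_AB, Tag_A, Tag_B) following the SKKE formulas in the text."""
    s_ab = prf(master, id_a, id_b, n_a, n_b)  # S_AB  = PRF(K || ID_A || ID_B || N_A || N_B)
    k_ab = hash_(s_ab, b"\x01")               # K_AB  = Hash(S_AB || 1)
    k_conf = hash_(s_ab, b"\x02")             # K'_AB = Hash(S_AB || 2)
    tag_a = prf(k_conf, b"\x03", s_ab)        # Tag_A, sent by A to B
    tag_b = prf(k_conf, b"\x02", s_ab)        # Tag_B, sent by B to A
    return k_ab, tag_a, tag_b


def run_exchange(master_a: bytes, master_b: bytes):
    """Simulate both ends. Returns (link key or None, over-the-air transcript)."""
    id_a, id_b = b"node-A", b"node-B"          # constructed, fixed-length IDs
    n_a, n_b = os.urandom(16), os.urandom(16)  # challenges of a pre-agreed length
    k_a, tag_a, expected_tag_b = skke_derive(master_a, id_a, id_b, n_a, n_b)
    _, expected_tag_a, tag_b = skke_derive(master_b, id_a, id_b, n_a, n_b)
    confirmed = (hmac.compare_digest(tag_a, expected_tag_a)
                 and hmac.compare_digest(tag_b, expected_tag_b))
    transcript = {"id_a": id_a, "id_b": id_b, "n_a": n_a, "n_b": n_b,
                  "tag_a": tag_a, "tag_b": tag_b}
    return (k_a if confirmed else None), transcript


def link_key_from_master(master: bytes, transcript: dict):
    """Link key computable from the master key and public transcript alone.

    Every input except K travels in the clear, so whoever holds K (for
    instance after one node capture) obtains the link key of any pair.
    The tags let that party confirm the result offline.
    """
    k_ab, tag_a, tag_b = skke_derive(master, transcript["id_a"], transcript["id_b"],
                                     transcript["n_a"], transcript["n_b"])
    if (hmac.compare_digest(tag_a, transcript["tag_a"])
            and hmac.compare_digest(tag_b, transcript["tag_b"])):
        return k_ab
    return None


if __name__ == "__main__":
    k = os.urandom(16)
    link, seen = run_exchange(k, k)
    print("link established:", link is not None)
    print("third party holding K derives the same key:",
          link_key_from_master(k, seen) == link)
```

The link key adds no secrecy beyond that of K itself, which is why the text treats re-keying without the old master key as the only way out after a capture.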

Finally, it is possible to slightly improve the network resilience by using additional master keys. This is the approach proposed in the Lightweight Key Management System (LKMS) [28], which assumes a WSN deployed in successive generations. In this scheme, the nodes of the same generation $i$ share an authentication key $k^a_i$ and a generation key $k^g_i$; each node A also stores a random nonce $N_A$, as well as a secret key $K_{A,j}$ for each possible new generation $j > i$. The session key between nodes A and B from the same generation $i$ can then be computed as $K_{A,B} = \mathrm{PRF}(k^g_i \| N_A \| N_B)$, where $N_A$ and $N_B$ are exchanged by the nodes. A node C from generation $j$ can authenticate itself with an older node A (i.e., from a generation $i < j$) after receiving $N_A$ by computing $K_{A,j} = \mathrm{PRF}(k^g_j \| N_A)$; $K_{A,j}$ can then be used to generate the pairwise key $K_{A,C} = \mathrm{PRF}(K_{A,j} \| N_A \| N_C)$. Therefore, it is important not to underestimate the number of future generations with which a node must communicate, or this may affect the network connectivity throughout different generations. A vulnerability of this approach, though, is that an attacker needs only to compromise a few keys (namely $k^a_i$, $k^g_i$ and $k^g_j$) in order to compromise all communications of generations $i$ and $j$.

The threats faced by Network-Wide Key proposals could be overcome in networks composed only of tamper-resistant devices, allowing the design of secure protocols, as proposed in [9]. However, efficient tamper-resistant solutions tend to add significant costs to the sensor hardware [56,58]. Nonetheless, even when devices having this feature are available, the Network-Wide Key approach still lacks some desirable features, such as individual node authentication capabilities. For these reasons, the applicability of such schemes is very limited.

5. The full pairwise scheme

While the previous schemes used a single key for the communication between all sensors, the Full Pairwise scheme adopts the extreme opposite approach. In this case, each of the $n$ nodes in the network receives $n - 1$ pairwise keys to communicate with every other node. This approach assures a high security level, providing features such as node-to-node authentication and perfect resilience, which thwarts node replication attacks. It also makes the revocation of individual sensor nodes easier: even without the intervention of a secure base station, the nodes on the network may identify malicious IDs and revoke the corresponding pairwise keys, e.g., by using voting schemes [20,22].

The main drawback of this solution is the great memory overhead it introduces, since each node has to store many keys (and many of them may never be used). Due to the lack of resources in the sensors, this is a shortcoming that can greatly limit the scheme's applicability. Moreover, the introduction of new nodes in the network would only be possible if their keys were already loaded from the beginning, which becomes a serious restriction when the network needs to be expanded over the initial expectations. Due to these flexibility issues, the Full Pairwise Key scheme could be effectively used basically in small networks where the maximum number of nodes can be predicted with good reliability.

6. Probabilistic approaches

In probabilistic schemes, each node receives a group of keys, the so-called key chain, whose size is normally much lower than the size of the network itself. The reasoning behind this strategy is to provide fairly good key connectivity and, at the same time, avoid both the memory overhead involved in the Full Pairwise scheme and the low security level offered by a single master key. In general, it is possible to identify three distinct and sequential phases in such schemes, which also appear in other schemes that do not provide perfect connectivity:

1. Key pre-distribution: In this initialization phase, the Key Distribution Center (KDC) chooses each sensor's key chain from a large pool of keys $P$. These chains are then loaded into the sensors prior to deployment. Each key in the pool usually receives a unique ID, used by the network for its identification.

2. Shared-key discovery: After deployment, the sensor nodes try to discover who their neighbors are and which keys they have in common. This phase can be performed either proactively (i.e., neighboring nodes try to establish keys even before they need to communicate) or in a reactive manner (i.e., shared keys are established on demand) [69]. Whenever two nodes establish a shared key, we say that there is a direct link between them. We note that the number of neighbors found in this manner can be increased if the nodes temporarily raise their radio transmission range, as proposed in [37].

3. Path-key establishment: Whenever the key management scheme employed does not provide perfect key connectivity, some neighboring nodes may not have keys in common. Thus, if nodes A and B need to establish a secure communication, they have to find an intermediary node C that shares a common key with both A and B. Node C can then act as a mediator for the messages exchanged between A and B or, in order to avoid this extra communication overhead, C can create and distribute a new key to be used by A and B. In either case, we say that an indirect link exists between A and B; however, the revocation mechanisms for the keys generated in the second case may become more complex than those used for pre-existent keys [55].

6.1. Random key pre-distribution (Basic Scheme)

The Random Key Pre-distribution scheme [31] is considered by many authors as the Basic Scheme. During its Key Pre-distribution phase, a large key pool $P$ is initialized with $|P|$ random keys and their respective identifiers. For each node, $k$ keys are drawn at random from $P$. These keys are then loaded into the node's memory, forming its key chain. Using the theory of random graphs [66, Section 1.1.1], the exact values of $|P|$ and $k$ can be chosen in such a manner that each pair of nodes shares at least one key with an arbitrary probability.

During the Shared-key Discovery phase, each node broadcasts a list containing the IDs of all keys in its chain, allowing neighboring nodes to identify which keys they have in common.

Variants of this approach adopting a challenge-response technique could also be used to improve the security of this phase. For example, node A could send a message of the form $\{\alpha, E_{K_i}(\alpha), i = 1, \ldots, k\}$ where $\alpha$ is a challenge; the correct decryption of $\alpha$ by a node B receiving this message would allow B to discover the shared keys [31]. The disadvantage of this strategy, which is similar to Merkle Puzzles [54], is the greater communication and processing overheads it introduces.

In the Path-key Establishment phase, any pair of nodes A and B having no key in common must find an intermediary node C. Any node whose key chain contains key IDs present in both A's and B's chains is a suitable candidate. Upon request, C can choose unassigned keys from its key chain in order to create an indirect link between A and B.

A possible extension of this scheme for providing revocation capabilities deploys controller nodes, trusted entities having a large communication range. During the pre-distribution phase, these special nodes receive the identification of some sensors, the IDs of the keys in their corresponding key chains and a shared key with all sensors in the network. Whenever a compromised node needs to be revoked, the controller broadcasts a single revocation message enclosing a signed list of the $k$ key IDs pertaining to the revoked node's key chain. The list signatures are generated using the keys shared between the controller node and the other sensors, and it is sent in a unicast manner. After receiving and verifying the list signature, the nodes remove the corresponding keys from their memory and, if needed, perform the Shared-key Discovery and Path-key Establishment phases in order to recover broken links.

The Basic Scheme is fairly simple, but it is an interesting way to provide a connected network with a reduced amount of memory for storing keys. The scalability and the resilience of the scheme are highly dependent on the sizes of the key pool and key chains. Moreover, the existence of trusted controller nodes is not common in all applications (in fact, they are more common in heterogeneous networks), making the revocation of compromised nodes a difficult issue. Furthermore, this solution has some disadvantages such as the lack of node-to-node authentication features and the considerably high communication overhead. Thus, the Basic Scheme's importance resides mainly in the fact that many subsequent key management proposals have been developed aiming at overcoming its limitations.
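The three phases of the Basic Scheme and the resilience metric of Section 3.1 can be exercised on a small simulated network. This is an added example, not code from the paper or from [31]; it goes beyond the text by using the standard closed-form expressions for local connectivity and key exposure. It assumes every pair of nodes is in radio range and that neighbours use their lowest shared key ID as the link key; all function names and parameters are constructed.

```python
import random
from math import comb


def local_connectivity(pool_size: int, k: int) -> float:
    """Probability that two k-key chains drawn from the pool share >= 1 key."""
    return 1 - comb(pool_size - k, k) / comb(pool_size, k)


def expected_exposure(pool_size: int, k: int, captured: int) -> float:
    """Chance that a given pool key lies in at least one of `captured` chains."""
    return 1 - (1 - k / pool_size) ** captured


def predistribute(n_nodes: int, pool_size: int, k: int, rng: random.Random):
    """Key pre-distribution: the KDC draws k distinct key IDs per node."""
    return [frozenset(rng.sample(range(pool_size), k)) for _ in range(n_nodes)]


def shared_keys(chain_a, chain_b):
    """Shared-key discovery: key IDs present in both broadcast lists."""
    return chain_a & chain_b


def link_key_id(chain_a, chain_b):
    # Assumption: neighbours pick the lowest shared key ID as their link key.
    common = chain_a & chain_b
    return min(common) if common else None


def path_key_candidates(chains, a: int, b: int):
    """Path-key establishment: nodes C sharing a key with both A and B."""
    return [c for c, chain in enumerate(chains)
            if c not in (a, b) and chain & chains[a] and chain & chains[b]]


def measured_connectivity(chains) -> float:
    n = len(chains)
    pairs = [(a, b) for a in range(n) for b in range(a + 1, n)]
    return sum(1 for a, b in pairs if chains[a] & chains[b]) / len(pairs)


def resilience(chains, captured) -> float:
    """Fraction of direct links between non-captured nodes that are exposed.

    Links that involve a captured node are excluded, as in the definition
    of the resilience metric.
    """
    known = set().union(*(chains[c] for c in captured))
    total = exposed = 0
    for a in range(len(chains)):
        for b in range(a + 1, len(chains)):
            if a in captured or b in captured:
                continue
            key = link_key_id(chains[a], chains[b])
            if key is not None:
                total += 1
                exposed += key in known
    return exposed / total if total else 0.0


if __name__ == "__main__":
    rng = random.Random(2010)  # constructed seed, for a repeatable run
    chains = predistribute(100, 1000, 30, rng)
    print("connectivity, analytic vs measured:",
          round(local_connectivity(1000, 30), 3),
          round(measured_connectivity(chains), 3))
    for x in (1, 5, 10, 20):
        print(x, "captured -> exposed links:",
              round(resilience(chains, set(range(x))), 3),
              "expected:", round(expected_exposure(1000, 30, x), 3))
```

Growing the pool lowers the exposure per captured node but also lowers connectivity for the same chain size, which is the dependency on pool and chain sizes noted above.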

6.2. Cluster key grouping

The Cluster Key Grouping [36] scheme proposes a modification to the Basic Scheme where the key chains are divided into $c$ clusters. Each cluster receives a start key ID, which implicitly determines all other IDs in that cluster.

With this strategy, the messages broadcast during the Shared-key Discovery phase can carry only $c$ start key IDs, while the Basic Scheme would require a total of $k \geq c$ IDs. Hence, the adoption of large clusters results in the broadcast of few IDs. However, the size of the clusters must be chosen carefully: for achieving the same key connectivity, networks with larger clusters require their nodes to store a larger number of keys. Therefore, the Cluster Key Grouping provides an interesting trade-off between communication- and memory-efficiency to the Basic Scheme, while keeping the flexibility and security properties of the latter.

6.3. Hashed random key pre-distribution

Another simple modification to the Basic Scheme is to hash the keys from the key pool a different number of times for distinct nodes, as proposed in the Hashed Random Key Pre-distribution (RKP-H) scheme [64]. In this solution, only the first node getting the key $K_i$ from the pool receives it as is, while the $j$th node receives its $(j-1)$-times hashed version, $\mathrm{Hash}^{j-1}(K_i)$, as well as the value of $j$. During the Shared-key Discovery phase, nodes A and B inform not only the key IDs, but also the value of $j$ for each of them; in this manner, if nodes A and B are loaded, respectively, with $K_A = \mathrm{Hash}^{j_a}(K_i)$ and $K_B = \mathrm{Hash}^{j_b}(K_i)$ ($j_a > j_b$), then B can easily compute $K_A = \mathrm{Hash}^{j_a - j_b}(K_B)$.

The net result of this modification is that the capture of node C and of its key $K_C = \mathrm{Hash}^{j_c}(K_i)$ will compromise only the keys $K_D = \mathrm{Hash}^{j_d}(K_i)$ for which $j_d > j_c$; in comparison, the capture of node C in the Basic Scheme would reveal $K_i$ itself, compromising all nodes that received that key. Therefore, the RKP-H scheme trades some storage, communication and computation overhead for extra resilience, keeping the remaining properties of the Basic Scheme.
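The hash-chain issuance and the one-way exposure it produces can be followed in code. This is an added example, not code from the paper or from [64]: SHA-256 stands in for Hash, the pool key is a constructed value, and the function names are hypothetical.

```python
import hashlib


def hash_n(key: bytes, n: int) -> bytes:
    """Apply Hash (assumption: SHA-256) n times."""
    for _ in range(n):
        key = hashlib.sha256(key).digest()
    return key


def issue_key(pool_key: bytes, j: int):
    """KDC side: the j-th node drawing K_i gets Hash^(j-1)(K_i) and the value j."""
    return hash_n(pool_key, j - 1), j


def link_key(own_key: bytes, own_j: int, peer_j: int) -> bytes:
    """Shared-key discovery: the pair uses the more-hashed of the two versions.

    The node holding the smaller j hashes forward by the difference; the
    node holding the larger j already stores the link key.
    """
    return hash_n(own_key, peer_j - own_j) if peer_j > own_j else own_key


def versions_from_capture(captured_key: bytes, captured_j: int, max_j: int):
    """Versions computable from one captured version: only j >= captured_j."""
    return {j: hash_n(captured_key, j - captured_j)
            for j in range(captured_j, max_j + 1)}


def exposed_links(captured_j: int, holders):
    """Links between other holders of the same pool key that the capture exposes.

    A link (a, b) uses version max(a, b), so it is exposed exactly when
    max(a, b) > captured_j. In the Basic Scheme every such link would be.
    """
    others = sorted(j for j in holders if j != captured_j)
    return [(a, b) for i, a in enumerate(others) for b in others[i + 1:]
            if max(a, b) > captured_j]


if __name__ == "__main__":
    pool_key = bytes(range(16))  # constructed pool key K_i
    keys = {j: issue_key(pool_key, j)[0] for j in range(1, 6)}
    print("A (j=4) and B (j=2) agree:",
          link_key(keys[4], 4, 2) == link_key(keys[2], 2, 4))
    print("links exposed by capturing j=3:", exposed_links(3, keys))
    print("links exposed by capturing j=5:", exposed_links(5, keys))
```

Capturing the holder of a late version exposes few or no links, while capturing the first holder is as damaging as in the Basic Scheme.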

6.4. The Q-Composite scheme

Chan et al. [22] proposed a modification to the Basic Scheme aiming to increase the network resilience at the cost of some processing overhead. In this solution, called the Q-Composite scheme, two nodes can establish a direct link only if they have at least $q > 1$ keys in common, instead of a single one. Hence, after the key-discovery phase, the key effectively used to encrypt the link between two nodes A and B is computed as $K_{A,B} = \mathrm{Hash}(K_1 \| K_2 \| \cdots \| K_{q'})$, where $q' \geq q$ stands for the actual number of shared keys between the nodes. So, as $q$ increases, it becomes exponentially harder for an attacker to recover all the keys needed to break a link. However, for a given network connectivity, the size of the key pool in the Q-Composite scheme is smaller than in the Basic Scheme, thus allowing attackers to recover a larger portion of the network keys by capturing fewer nodes. The combination of these two factors results in a solution that, in comparison with the Basic Scheme, is more resilient when few nodes are captured, but becomes less secure when many nodes are captured. This may actually be an attractive trade-off in many applications because small-scale attacks are expected to be cheaper to mount and harder to detect than large-scale attacks.
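Both effects described above, the composite link key and the smaller pool needed for the same connectivity, can be checked numerically. This is an added example, not code from the paper or from [22]: it uses the hypergeometric overlap probability of two random chains, SHA-256 as Hash, concatenation in key-ID order (an assumption so that both ends hash the same string), and constructed names and parameters.

```python
import hashlib
from math import comb


def overlap_probability(pool_size: int, k: int, i: int) -> float:
    """P[two random k-key chains share exactly i keys] (hypergeometric)."""
    return comb(k, i) * comb(pool_size - k, k - i) / comb(pool_size, k)


def connectivity(pool_size: int, k: int, q: int) -> float:
    """P[two neighbours share at least q keys], i.e. can form a direct link."""
    return 1 - sum(overlap_probability(pool_size, k, i) for i in range(q))


def largest_pool(k: int, q: int, target: float) -> int:
    """Largest |P| that still gives connectivity >= target (0 < target < 1)."""
    lo, hi = k, k
    while connectivity(hi, k, q) >= target:  # grow until the target is missed
        lo, hi = hi, hi * 2
    while hi - lo > 1:                       # lo meets the target, hi does not
        mid = (lo + hi) // 2
        if connectivity(mid, k, q) >= target:
            lo = mid
        else:
            hi = mid
    return lo


def link_key(chain_a: dict, chain_b: dict, q: int):
    """K_AB = Hash(K_1 || ... || K_q') over all q' shared keys, or None if q' < q.

    Chains map key ID -> key bytes.
    """
    shared = sorted(chain_a.keys() & chain_b.keys())
    if len(shared) < q:
        return None
    return hashlib.sha256(b"".join(chain_a[i] for i in shared)).digest()


def link_exposed(chain_a: dict, chain_b: dict, q: int, known_ids) -> bool:
    """A link falls only if the adversary holds every one of its q' shared keys."""
    shared = chain_a.keys() & chain_b.keys()
    return len(shared) >= q and shared <= set(known_ids)


if __name__ == "__main__":
    k, target = 30, 0.5  # constructed parameters
    for q in (1, 2, 3):
        size = largest_pool(k, q, target)
        print(f"q={q}: largest pool {size}, "
              f"one capture reveals {k / size:.1%} of the pool")
```

With the chain size fixed, each captured node reveals a larger share of the pool as q grows, which is why the scheme loses its advantage once many nodes are captured.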

6.5. Multipath key reinforcement

The motivation behind the Multipath Key Reinforcement [22] resides in the fact that, after the completion of the Shared-key Discovery phase in solutions such as the Basic Scheme, many direct links are protected by a same key $K_i$, which may be known by many nodes in the network. Thus, the capture of a single node A having $K_i$ in its key chain will compromise all those links.

The Multipath Key Reinforcement is a proposal to strengthen the security of established links, using techniques also explored in [5]. The basic idea of the scheme is to update the link keys for nodes A and B after the Shared-key Discovery phase. This update is performed through multiple disjoint paths, i.e., paths that do not have physical links in common. In order to do so, nodes A and B need to establish an initial link key $K_{A,B}$; additionally, node A needs to receive enough routing information to discover all disjoint paths to B that involve at most $h$ hops. Node A then generates $m$ random values $v_i$, which are encrypted with $K_{A,B}$ and sent to B through $m$ disjoint paths. Finally, after receiving all key updates, B generates the reinforced link key $K^r_{A,B} = K_{A,B} \oplus v_1 \oplus \cdots \oplus v_m$.

The secrecy of the new link key $K^r_{A,B}$ is protected by all $m$ random values: unless the attackers successfully manage to compromise all $m$ paths, they will not recover enough information to reconstruct $K^r_{A,B}$. On the other hand, the larger the number of hops in the paths used, the greater the probability that the adversary can eavesdrop on the key updates, since a single compromised link in the path will make the entire path insecure. Furthermore, the communication overhead introduced by the scheme is proportional to the number of hops involved in those updates. Hence, depending on the requirements of the target deployment scenario, this trade-off between security and efficiency may hinder the applicability of the Multipath Key Reinforcement.

6.6. Session key scheme

The Session Key Scheme [35] provides a way to create session keys for each interaction between nodes. In this proposal, the Key Pre-Distribution and Shared-key Discovery phases proceed exactly as in the Basic Scheme combined with the Multipath Key Reinforcement. However, the key $K_{A,B}$ established between nodes A and B is not used directly for encrypting their communication. Instead, it is used as the initial key for computing the session key $K_i = \mathrm{Hash}^{i}(K_{i-1}, K_{A,B})$ ($i > 0$), where $K_0$ is a publicly known seed. The exact value of $i$ for each communication session is taken from an agreed sequence $I = \{i_1, \ldots, i_s\}$, which is computed in the following (unencrypted) manner: $m$ arrays containing $s$ random numbers are sent from A to B via $m$ different paths; $I$ is obtained as the result of XORing these arrays together and then sorting the $s$ values in ascending order.

The adoption of different keys for each session makes the Session Key Scheme more secure than the simple combination of the Basic Scheme and the Multipath Key Reinforcement. However, this strategy has a very limited effect over the network's resilience, since an attacker that is able to recover the initial keys needs only to eavesdrop on the distribution of the arrays that form $I$ to compute the correct session keys. Therefore, this slight security boost may not compensate for the added computation and communication overheads.

6.7. Key redistribution scheme

Law et al. [42] proposed a modification of the Basic Scheme where a phase called Key Redistribution replaces the original Path-key Establishment. Suppose that nodes A and C share a common key $K_1$, that B and C share a common key $K_2$, and that A and B have no key in common. In the Key Redistribution phase, A analyzes the lists of key IDs received, determining that $K_2$ could be used to establish a link between B and itself. Then, A asks C to send $K_2$ (encrypted with $K_1$) and to delete this key from its memory. If A gains the ownership of $K_2$ in this manner, it now has a common key with B. If C refuses to send the key (e.g., C is already using $K_2$ in one of its direct links, or $K_2$ has already been moved), A needs to try other keys and/or nodes until it gets a common key with B or all alternatives are exhausted. In the latter case, A chooses an unused key $K_3$ from its key chain and sends it to node C, which in return computes a reinforced key $K_{2+3} = \mathrm{Hash}(K_2 \| K_3)$. This new key is encrypted with $K_1$ and with $K_2$, and then both encryption results, $E_{K_1}(K_{2+3})$ and $E_{K_2}(K_{2+3})$, are sent back to A. Node A decrypts $E_{K_1}(K_{2+3})$ and adds $K_{2+3}$ to its own key chain; meanwhile, $E_{K_2}(K_{2+3})$ is forwarded to node B, which follows the same procedure. At the end of this process, nodes A and B will finally have a common key $K_{2+3}$. Besides, after the Key Redistribution phase finishes, A has a common key with all its neighbors and, hence, some unused keys can be removed at random in order to reduce memory usage and the information that would be leaked by its capture.

According to the simulations presented in [42], the proposed modification leads to a higher key connectivity than the one obtained with the Basic Scheme's original Path-key Establishment. This behavior is even more accentuated when the keys moved from one node to another are taken into account in several iterations of the Key Redistribution: in this case, these keys not only allow the communication between a pair of nodes, but also create new opportunities for key establishment in the entire neighborhood. The scheme also improves the resilience of the Basic Scheme, since it employs reinforced keys similar to those generated in the Q-Composite Scheme. Nonetheless, this approach still incurs considerably high communication overheads, especially when the key chain updates are constantly informed to the neighborhood in order to allow further Key Redistribution iterations.

6.8. Establishing pairwise keys

The Pairwise Key Establishment protocol [78] is a solution that avoids some of the communication overhead involved in the Shared-Key Discovery phase. For this, a unique ID is attributed to each of the $n$ nodes in the network, and each of the $|P|$ keys in the key pool receives an ID between 0 and $|P| - 1$. The IDs of the keys that are assigned to a node are then chosen by a Pseudo-Random Function (PRF) which, using the node's ID as seed, outputs a total of $k$ integers between 0 and $|P| - 1$. Hence, in the Shared-Key Discovery phase, any node A can determine which keys another node B possesses simply by applying the same PRF on the ID of B. When compared with the Basic Scheme, where each node would have to broadcast a total of $k$ key IDs (i.e., its entire key chain), this approach is significantly more communication-efficient.
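The PRF-driven key assignment described above, as an added example rather than code from [78]: HMAC-SHA256 in counter mode stands in for the PRF, and the function names, the 8-byte node-ID encoding and the parameter limits are assumptions of this example.

```python
import hashlib
import hmac


def key_ids_for(node_id: int, k: int, pool_size: int) -> list:
    """Return the k distinct key IDs in [0, pool_size) assigned to node_id.

    The derivation is public by design: any node can recompute another
    node's key IDs from its node ID alone, so no ID list is broadcast.
    """
    if not 0 < k <= pool_size <= 2**32:
        raise ValueError("need 0 < k <= pool_size <= 2**32")
    seed = node_id.to_bytes(8, "big")
    # Reject values above the largest multiple of pool_size so that the
    # reduction modulo pool_size does not favour small key IDs.
    limit = (2**32 // pool_size) * pool_size
    ids = []
    counter = 0
    while len(ids) < k:
        block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for offset in range(0, len(block), 4):
            value = int.from_bytes(block[offset:offset + 4], "big")
            if value >= limit:
                continue
            key_id = value % pool_size
            # A key chain holds each pool key at most once.
            if key_id not in ids and len(ids) < k:
                ids.append(key_id)
    return sorted(ids)


def shared_key_ids(id_a: int, id_b: int, k: int, pool_size: int) -> list:
    """Shared-Key Discovery without exchanging key-ID lists: node A only
    needs B's node ID to learn which pool keys they have in common."""
    mine = set(key_ids_for(id_a, k, pool_size))
    theirs = set(key_ids_for(id_b, k, pool_size))
    return sorted(mine & theirs)
```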

Moreover, like in the Multipath Key Reinforcement, this scheme also addresses the issue of many direct links being protected by a same key $K_i$. The main difference between the two solutions is that, in order to deliver the key updates, the Pairwise Key Establishment protocol uses logical paths, i.e., paths composed both by direct and indirect links not necessarily physically disjoint. Despite this difference, the resulting security improvement and communication overhead introduced by both strategies are similar. Thus, when compared to the combination of Basic Scheme and Multipath Key Reinforcement, the contribution of the Pairwise Key Establishment is mainly a trade-off between processing and communication efficiency (which is desirable in sensor networks) during the Key-Distribution phase.

The Cooperative Pairwise Key Establishment protocol [59] builds on the Pairwise Key Establishment scheme in order to provide a more resilient solution at the cost of additional processing and communication overheads. In this proposal, nodes A and B that share a key $K_{A,B}$ compute a reinforced key $K^r_{A,B}$ as follows. First, A chooses a set $S = \{C_1, \ldots, C_j\}_{j \ge 0}$ of cooperative nodes having keys in common with both A and B. This selection process requires $2j$ executions, by node A, of the PRF used to distribute keys. Upon request from A, which sends $ID_B$ encrypted with $K_{A,C_i}$ to node $C_i$, the latter computes $MAC = \mathrm{PRF}(ID_A, K_{C_i,B})$. After both A and B receive $C_i$'s encrypted messages containing the MAC result, they can compute the reinforced key $K^r_{A,B} = K_{A,B} \bigoplus_{C_i \in S} \{\mathrm{PRF}(ID_A, K_{C_i,B})\}$. As a consequence, the security impact of compromised key chains over reinforced links is reduced, since a certain number of these keys is needed to recover its $K^r$.

6.9. Addressing multiple deployments

One vulnerability of many probabilistic schemes, such as the Basic Scheme, is that the continuous usage of a same key pool for different generations of nodes facilitates the task of compromising the network's communications. This happens because the keys captured at any time can be used during the whole network's lifetime. Some proposals for addressing this issue, which is also considered in the LKMS scheme [28], are discussed in the following.

In the Robust Key (RoK) pre-distribution scheme [17], the key chains of each generation $i$ are constructed from two different key pools, $P^i_f$ (the "forward key pool") and $P^i_b$ (the "backward key pool"). Such pools are built with random keys, and updated for each generation as follows: every key $FK^i$ from $P^i_f$ is such that $FK^{i+1} = \mathrm{Hash}(FK^i)$; every key $BK^i$ from $P^i_b$ is such that $BK^i = \mathrm{Hash}(BK^{i+1})$ (note that, since the hash function cannot be inverted, the backward key pool for the last expected generation must be generated first). The scheme assumes that the lifetime of nodes from generation $i$ is upper-bounded by $i + G_w$, where $G_w$ is a system parameter. During the Key Pre-Distribution phase, node A from generation $i$ receives $k/2$ keys from both $P^i_f$ and $P^{i+G_w-1}_b$; as a result, if A receives keys $FK^i_u$ and $BK^{i+G_w-1}_u$, it can produce forward keys $FK^j_u$ for $j > i$, as well as backward keys $BK^j_u$ for $j < i + G_w - 1$. Like in the Pairwise Key Establishment protocol, the key IDs are chosen using a PRF taking as seed the node's ID and generation; thus, during the Shared-key Discovery phase, two nodes A and B need only to broadcast their IDs and generations in order to determine their shared keys. The link key $K_{A,B}$ is then computed using both their forward and backward keys in common: if $(u_1, \ldots, u_z)$ are the IDs of these common keys, we have $K_{A,B} = \mathrm{Hash}(FK^i_{u_1} \| BK^{j+G_w-1}_{u_1} \| \cdots \| FK^i_{u_z} \| BK^{j+G_w-1}_{u_z})$, where $i$ and $j$ ($i \le j$) are the generations of A and B, respectively.

With RoK, an attacker that recovers forward (respectively, backward) keys from some generation can only determine future (respectively, previous) keys of the same type. Corrupted forward keys used to compute $K_{A,B}$ as above are only useful if obtained before generation $i$, while the backward keys used in $K_{A,B}$ must be compromised after generation $j$. Therefore, the keys obtained from the capture of a node from generation $i$ can be used to compromise only the keys used between generations $[i, i + G_w[$, affecting less than $kG_w/|P^i|$ of the network. In consequence, the resilience provided by RoK in the long run is considerably superior to the one sustained by the Basic Scheme, forcing adversaries to capture nodes for a longer period of time – or to launch more aggressive attacks – in order to compromise a large portion of the network. The main disadvantages of RoK when compared with the Basic Scheme thus reside in the higher computation effort for generating the keys, and in the fact that the total number of generations must be determined in advance. Another inconvenience with this scheme is that the network should remain loosely synchronized: in order to prevent attackers from capturing old forward keys, existing nodes must update their forward keys (deleting the previous data) whenever a new generation is deployed.

The Random Generation Material (RGM) scheme [30] is also focused on multi-generation deployments. Unlike RoK, though, RGM adopts a single pool per generation; in this case, nodes from generation $g$ receive a set of generation-wise keys $K^{gg}_u$ (where $u$ is the key's ID) for communicating with each other, and there is no intrinsic relationship (such as a hash function) linking the keys $K^{gg}_u$ to $K^{ff}_u$ for $f \ne g$. Cross-generation connectivity is then provided in the following manner: (1) for communicating with any nodes previously deployed, nodes from generation $g$ compute keys $K^{(g-i)g}_u = \mathrm{Hash}(K^{(g-i+1)g}_u \| \cdots \| K^{gg}_u)$ using $K^{gg}_u$; (2) for communicating with future nodes, nodes from generation $g$ also receive a second set of keys $K^{gf}_u$, with $g < f < g + G_w$, which are derived from $K^{ff}_u$ by the KDC. Like in RoK, the link key between any pair of nodes is computed by combining the keys they are both able to compute.

When compared to RoK, the RGM scheme provides an even better resilience because the keys captured from generations $f$ and $g$ can be used to compromise only the links involving nodes from these generations, and not from intermediary deployments. Additionally, this proposal allows the deployment of an unlimited number of nodes.

On the other hand, this security and flexibility boost comes at the cost of a higher memory overhead for storing keys, especially if $G_w$ is large.


6.10. Random pairwise schemes

One of the most interesting features of the Full Pairwise Scheme is its security: it offers node-to-node authentication, perfect resilience against node capture and a straightforward way to revoke compromised nodes. On the other hand, the Basic Scheme avoids unnecessary storage of keys while still providing a good network connectivity. The combination of these two factors results in schemes in which only a subset of all possible pairwise keys is used. This idea is explored in solutions such as the Node-Based [34] and Random Pairwise Key [22] schemes. The distribution of keys in both schemes is very similar, and can be described as follows.

For a network composed of $n$ nodes, $m \ge n$ node IDs are created during the Key Pre-distribution phase. Every node receives a unique ID, which means that a total of $m - n$ additional nodes may be added to the network in the future. Each ID is then paired with $k$ other randomly selected IDs and a pairwise key is generated at random for each of these $m \times k$ pairs. Finally, each node is loaded with: its own identifier, the $k$ identifiers from the nodes paired with its ID, and the $k$ corresponding pairwise keys. Like in the Basic Scheme, the exact value $k$ is computed using the theory of random graphs [66, Section 1.1.1], aiming to provide a connected graph with the desired probability.

In the Shared-key Discovery phase, each node broadcasts its ID. The neighboring nodes can then identify the nodes with which they share a common key and perform a cryptographic handshake in order to ascertain this prior to the establishment of a secure link. It is also possible to extend this broadcasting process beyond the nodes' radio range by making the neighboring nodes re-broadcast the ID packets for a certain number of hops. However, such an extension approach should be carefully considered, since a malicious node may generate and broadcast multiple node identities in order to flood the network.

The main advantages of the above schemes refer to their security: they provide perfect resilience and allow node-to-node authentication, which also facilitates node revocation mechanisms, since only the keys used in links including compromised nodes would be affected (broken links are not introduced). On the other hand, they suffer from scalability issues. The maximum network size for a given level of key connectivity is limited by the memory available on the sensor nodes, since the probability that two nodes share a key is given by $k/n$, i.e., the memory overhead is $O(n)$. Furthermore, they limit to $m - n$ the number of nodes that can be added to the network after the initial deployment. Finally, for fixed key chain size, the key connectivity achieved is lower than in the Basic Scheme.

Footnote 3: A matrix M is MDS (Maximal Distance Separable) if and only if all the square sub-matrices from M are non-singular [52, p. 319, Corollary 3].

7. Matrix-based schemes

The adoption of a matrix-based scheme for establishing pairwise keys was originally proposed by Blom [11]. For a network of size $n$ and using $l$-bit keys belonging to the finite field GF($q$), where $q$ is a prime power, Blom's Scheme uses two matrices over GF($q$): a public $(k+1) \times n$ MDS (see footnote 3) matrix $M$ and a secret $(k+1) \times (k+1)$ symmetric random matrix $D$, known only by the KDC. These matrices are used to compute the symmetric $n \times n$ matrix $K = (DM)^T M$, whose element $K_{i,j} = K_{j,i}$ corresponds to the key between nodes $i$ and $j$. During the Key Pre-distribution phase, each node $i$ is loaded with $col_i$, the $i$th column of matrix $M$, which is used as public information; each node also receives $row_i$, the $i$th row of matrix $(DM)^T$, which is kept private. This process is illustrated in Fig. 2.

After deployment, all nodes broadcast their column instances of $M$, allowing any pair of nodes $i$ and $j$ to compute $K_{i,j} = row_i \cdot col_j = row_j \cdot col_i$. This scheme is $k$-secure, meaning that an attacker who captures up to $k$ nodes is unable to recover link keys from any other nodes. If more than $k$ nodes are compromised, however, all keys can be recovered.

Blom's Scheme has some attractive properties. As it allows the creation of pairwise keys, the deployment of node authentication and revocation functionalities is made easier. Additionally, the scheme provides perfect key connectivity and its resilience can be adjusted by choosing an adequate $k$ parameter.

However, the larger the size of $k$, the larger become the messages broadcast, the storage requirements, and the complexity of the vector multiplications involved in this solution. Thus, one has to choose the adequate trade-off between security and efficiency.
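Blom's key agreement as described above, written out over a small prime field as an added example (not code from the survey or from [11]). The Vandermonde construction of M, the modulus Q, the use of the node ID as column seed and all function and class names are assumptions of this example.

```python
import secrets

Q = 2**31 - 1  # prime modulus for GF(q); constructed value for this example


def public_column(seed, k):
    """Column of the public matrix M for one node: (1, s, s^2, ..., s^k).
    Assumption: M is a Vandermonde matrix with a distinct nonzero seed
    per node, so any k + 1 of its columns are linearly independent."""
    return [pow(seed, e, Q) for e in range(k + 1)]


def random_symmetric_matrix(size):
    """Secret matrix D with D[r][c] == D[c][r]."""
    upper = {(r, c): secrets.randbelow(Q)
             for r in range(size) for c in range(r, size)}
    return [[upper[min(r, c), max(r, c)] for c in range(size)]
            for r in range(size)]


def private_row(d, col):
    """Row of (DM)^T that belongs to the node whose public column is col."""
    return [sum(d_rc * c for d_rc, c in zip(d_row, col)) % Q for d_row in d]


def pairwise_key(row, peer_col):
    """K_ij = row_i . col_j over GF(Q)."""
    if len(row) != len(peer_col):
        raise ValueError("peer column does not have k + 1 entries")
    return sum(r * c for r, c in zip(row, peer_col)) % Q


class BlomKDC:
    """Key Pre-distribution: D never leaves the KDC; a node only receives
    its public column and its private row."""

    def __init__(self, k):
        self.k = k
        self._d = random_symmetric_matrix(k + 1)

    def provision(self, node_id):
        if not 0 < node_id < Q:
            raise ValueError("node_id must be a nonzero field element")
        col = public_column(node_id, self.k)
        return {"id": node_id, "col": col, "row": private_row(self._d, col)}


def establish(node_a, node_b):
    """After the column broadcast, each side combines its own private row
    with the peer's public column. Returns (key at A, key at B)."""
    key_at_a = pairwise_key(node_a["row"], node_b["col"])
    key_at_b = pairwise_key(node_b["row"], node_a["col"])
    return key_at_a, key_at_b
```

The two values returned by `establish` agree only because D is symmetric; with a non-symmetric D the two ends compute different values.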

7.1. Multiple-space key pre-distribution scheme

Du et al. [27] propose a combination of the Basic Scheme [31] and Blom's Scheme [11] in order to improve the resilience of this last solution without increasing $k$. The resulting Multiple-Space Key Pre-Distribution Scheme employs a $(k+1) \times n$ public MDS matrix $M$ and a set containing $x$ secret random $n \times (k+1)$ matrices $D_i$, $1 \le i \le x$, which define a set of $x$ spaces $(D_i, M)$. During Key Pre-distribution, every sensor $j$ is loaded with the $j$th column of $M$ (i.e., $col_j$); additionally, for $s$ ($2 \le s < x$) randomly chosen spaces $(D_i, M)$, node $j$ is loaded with the $j$th row from the corresponding matrices $(D_i M)^T$ (i.e., the node receives $s$ different $row_j$ instances). In the Shared Key Discovery phase, each node broadcasts its column instance together with the $s$ IDs of the spaces it carries. If two neighboring nodes share a common space, they can establish a pairwise key using Blom's Scheme; otherwise, a common key can be generated using the Basic Scheme's Path-key Establishment protocol.

According to its authors' analysis, the Multiple-Space Key Pre-Distribution scheme presents a very good resilience. However, although its computational cost remains similar to that in Blom's Scheme, it introduces higher storage and communication overheads. Moreover, it does not provide perfect key-connectivity, incurring the exchange of additional messages whenever the Path-key Establishment phase takes place.


Fig. 2. Matrices in Blom’s Scheme [11].


7.2. Using a temporary master key

Chien et al. [23] propose an extension of Blom's Scheme [11] for use in WSNs. In this proposal, each node receives a master key $K$, together with the information loaded by Blom's Scheme (i.e., $col_i$ and $row_i$). During the Shared-key Discovery phase, node $i$ generates a random number $R_i$, which is XORed with $K$ and broadcast with its column instance $col_i$; hence, any other node can recover $R_i$ by using the master key stored in its own memory. After the common key $K_{i,j} = row_i \cdot col_j = row_j \cdot col_i$ is computed by nodes $i$ and $j$, it is combined with the random numbers $R_i$ and $R_j$, resulting in the reinforced pairwise key $K^r_{i,j} = \mathrm{Hash}(K_{i,j} \| R_i \| R_j)$. After a node $i$ finishes computing the reinforced shared key with all its neighbors, it promptly erases $K$, $col_i$ and $row_i$ from its memory, preventing an attacker from using such information in the future.

This solution does not address the performance issues present in Blom's Scheme, but improves the system's resilience through the generation of a reinforced key and deletion of pre-loaded data. In this manner, if the attackers are unable to obtain the master key $K$ before it is erased, they cannot compute the reinforced keys with the information recovered from captured nodes. However, the deletion of data also brings some drawbacks, such as the impossibility of adding new nodes into the network, which seriously impacts this scheme's flexibility.

8. Polynomial-based schemes

Assume a network adopting $l$-bit keys in the finite field GF($q$), where $q$ is a sufficiently large prime number. The Polynomial Based Key Pre-distribution [12], also known as Blundo's Scheme, uses a randomly generated $k$-degree polynomial $f(x,y) = \sum_{i,j=0}^{k} a_{ij} x^i y^j$ over GF($q$) satisfying the property $f(x,y) = f(y,x)$. During the pre-distribution phase, each sensor $i$ receives a polynomial share $f(i,y)$, i.e., a partially evaluated polynomial corresponding to its index $i$. In this manner, the space occupied by the polynomial loaded into each node is $(k+1)\log_2(q)$. With this information, node $i$ can establish a common key with node $j$ by evaluating $f(i,y)$ at $y = j$, and vice versa: the key generated assumes the form $K_{i,j} = f(i,j) = f(j,i)$.

This solution shares some interesting features with Blom's Scheme [11], such as the $k$-secure property, the perfect key-connectivity and the ability to identify and authenticate individual nodes. However, since this scheme is non-interactive, it does not add communication overhead to the key establishment process. Thus, the main constraints in this solution are the memory required for storing polynomial shares and the processing power needed for its operations (exponentiations and multiplications). Some of these limitations are addressed by more recent schemes, discussed in the following.

8.1. Polynomial pool-based key pre-distribution

Liu and Ning [46] have proposed the Polynomial Pool-based Key Pre-distribution as a combination of the key-pool paradigm with Blundo's Scheme [12]. In fact, this solution is analogous to the Multiple-Space Key Pre-Distribution Scheme [27] when polynomials are used instead of matrices. Generally speaking, this scheme uses a set containing $x$ randomly generated $k$-degree polynomials of the form $f(x,y) = \sum_{i,j=0}^{k} a_{ij} x^i y^j$ over GF($q$), for a sufficiently large prime $q$. The polynomial shares distributed to the network's nodes are taken from this set. Liu and Ning proposed two instances of schemes employing such polynomials.

In the first instance, Random Subset Assignment [46], each node receives a subset of $s$ ($2 \le s < x$) polynomials, which could be selected in two different ways. In the pre-distribution approach, each node would be loaded with the IDs of all other nodes with which they share a common polynomial. This strategy could simplify the Shared-Key Discovery phase, but would impair the addition of new sensors into the network after the initial deployment. For this reason, the real-time discovery approach is preferred. In this case, each polynomial receives a unique ID. As a result, during the Shared-Key Discovery phase, nodes can find their common polynomials by broadcasting their ID lists, or else puzzles solvable only through the knowledge of these polynomials (improving security). Afterward, in the Path-key Establishment phase, neighboring nodes $i$ and $j$ that are unable to establish a direct link can compute a shared key in the following manner. Node $i$ broadcasts a request message, containing both $i$'s and $j$'s lists of polynomial IDs. Any node that receives this request and is able to establish a key $K_i$ with $i$ and a key $K_j$ with $j$ replies with a message containing two copies of a randomly generated key $K_{i,j}$, one encrypted with $K_i$ and the other with $K_j$. Nodes $i$ and $j$ recover this new pairwise key from the received message.


Footnote 4: An r-regular graph is a graph where each vertex is connected to r edges.


The second instance, called Grid-Based Pre-distribution [46], involves the construction of an $m \times m$ 2-dimensional grid from a set of $2m$ polynomials $\{f^c_a(x,y), f^r_b(x,y)\}$, where $1 \le a, b \le m$, $m = \lceil \sqrt{n} \rceil$ and $n$ is the size of the network. Each row $a$ in the grid is associated with the polynomial $f^r_a(x,y)$, and each column $b$ is associated with the polynomial $f^c_b(x,y)$. Each sensor $i$ in the network is assigned to a unique intersection $(a,b)$ in this grid, which determines the node's ID ($ID_i = \langle c_i, r_i \rangle = \langle a, b \rangle$) and the polynomial shares it receives ($f^c_a(x,y)$ and $f^r_b(x,y)$). To facilitate the Path-key Establishment phase, the nodes are densely placed in a rectangular area of the grid. During the Shared-key Discovery phase, nodes $i$ and $j$ have a polynomial share in common if $c_i = c_j$ or if $r_i = r_j$: this share is $f^c_i(x,y)$ or $f^r_i(x,y)$, respectively. If $c_i \ne c_j$ and $r_i \ne r_j$, nodes $i$ and $j$ need to perform the Path-key Establishment protocol, which consists in finding a number of non-compromised nodes in the network whose coordinates in the grid allow the construction of a path between $i$ and $j$.
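The Grid-Based Pre-distribution just described, built on the Blundo polynomial shares of Section 8, as an added example (not code from the survey or from [46]). The modulus Q, the degree, the row-by-row placement and all names are assumptions, as is the choice of evaluating a column polynomial at the node's row coordinate and a row polynomial at its column coordinate.

```python
import math
import secrets

Q = 2**61 - 1   # prime modulus for GF(q); constructed value for this example
K_DEGREE = 3    # polynomial degree k


def symmetric_poly(k):
    """Random k-degree f(x, y) with a[i][j] == a[j][i], so f(x,y) == f(y,x)."""
    upper = {(i, j): secrets.randbelow(Q)
             for i in range(k + 1) for j in range(i, k + 1)}
    return [[upper[min(i, j), max(i, j)] for j in range(k + 1)]
            for i in range(k + 1)]


def make_share(poly, x):
    """Polynomial share f(x, y): the k + 1 coefficients of y^0 .. y^k."""
    size = len(poly)
    return [sum(poly[i][j] * pow(x, i, Q) for i in range(size)) % Q
            for j in range(size)]


def eval_share(share, y):
    """Evaluate a stored share at y with Horner's rule."""
    acc = 0
    for coeff in reversed(share):
        acc = (acc * y + coeff) % Q
    return acc


class GridNode:
    def __init__(self, col, row, col_share, row_share):
        self.col, self.row = col, row      # node ID <c, r>
        self._col_share = col_share        # share of the column polynomial
        self._row_share = row_share        # share of the row polynomial

    def direct_key(self, peer_col, peer_row):
        """Key with a peer in the same column or row, computed from the
        peer's ID alone; None when no polynomial is shared."""
        if (peer_col, peer_row) == (self.col, self.row):
            return None
        if peer_col == self.col:
            return eval_share(self._col_share, peer_row)
        if peer_row == self.row:
            return eval_share(self._row_share, peer_col)
        return None


def deploy(n, k=K_DEGREE):
    """Place n nodes row by row on an m x m grid, m = ceil(sqrt(n))."""
    m = math.isqrt(n - 1) + 1
    col_polys = {c: symmetric_poly(k) for c in range(1, m + 1)}
    row_polys = {r: symmetric_poly(k) for r in range(1, m + 1)}
    nodes = {}
    for idx in range(n):
        row, col = idx // m + 1, idx % m + 1
        nodes[(col, row)] = GridNode(col, row,
                                     make_share(col_polys[col], row),
                                     make_share(row_polys[row], col))
    return nodes


def intermediaries(a, b, nodes, compromised=frozenset()):
    """Path-key Establishment: deployed, non-compromised nodes that share
    one polynomial with a and another with b (one-hop intermediaries)."""
    if a.col == b.col or a.row == b.row:
        return []   # a direct key exists, no intermediary needed
    candidates = [(a.col, b.row), (b.col, a.row)]
    return [c for c in candidates if c in nodes and c not in compromised]
```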

The original Grid-Based scheme can be further extended yielding the Hypercube-Based Scheme [51], which adopts an $s$-dimensional grid instead of a 2-dimensional one. In general, the higher the value of $s$, the lower the key-connectivity achieved during the Shared-key Discovery phase, the higher the memory overhead introduced, but the higher the security against node capture. Indeed, this generalized scheme assures that any pair of nodes can establish a common key using the Path-key Establishment protocol despite the number of compromised nodes in the network, as long as the adequate $k$ and $m = \lceil \sqrt[s]{n} \rceil$ parameters are chosen [51, Section 5.5.2].

Some features of these solutions are inherited from Blundo's Scheme [12], such as the $k$-security property, node-to-node authentication capabilities and the possibility of dynamically adding nodes into the network. There are, though, relevant differences. The amount of data stored and exchanged by the nodes is increased in the Random Subset Assignment, but the resulting resilience against the capture of random nodes in the network is improved. Besides, when compared to this latter solution, both the Grid-Based Pre-distribution and the Hypercube-Based Scheme present additional advantages: due to the intrinsic link between the ID of a node and the polynomial shares it carries, there is no need to broadcast the IDs of these polynomials, which results in smaller communication overheads; moreover, a superior key-connectivity is achieved when no nodes are compromised. Nonetheless, all three approaches also share limitations with Blundo's Scheme, such as the usage of complex operations.

8.2. PIKE

The Peer Intermediaries for Key Establishment (PIKE) [21] approach shares some similarities with the Grid-Based scheme [46]. For a network of size $n$, each node receives a unique ID $(x,y)$ corresponding to the coordinates of a $\lceil \sqrt{n} \rceil \times \lceil \sqrt{n} \rceil$ matrix. Each node $(x,y)$ then receives a pairwise key with every node in the same row (i.e., nodes $(i,y)_{i=1 \ldots \lceil \sqrt{n} \rceil}$) or column (i.e., nodes $(x,j)_{j=1 \ldots \lceil \sqrt{n} \rceil}$), totalizing $2(\lceil \sqrt{n} \rceil - 1)$ pairwise keys. After deployment, any pair of nodes $(x_A, y_A)$ and $(x_B, y_B)$ that do not have a pairwise key in common can use node $(x_A, y_B)$ or $(x_B, y_A)$ as an intermediary to establish an indirect link.

Since PIKE adopts only pairwise keys, it displays a high security level. Moreover, PIKE's memory overhead is $O(\sqrt{n})$ instead of the $O(n)$ overhead observed in solutions such as [22,27] for a fixed security level. However, since there are at most two nodes that can act as intermediaries for each indirect link formation, this solution often involves network-wide communications during its Path-key Establishment phase. As a consequence, PIKE introduces communication costs of $O(\sqrt{n})$, which seriously impairs its applicability in large-scale scenarios.

9. Combinatorial designs

Some key management proposals assume that distribution of nodes in the network can be modeled by combinatorial design techniques [4]. Thus, the keys that are preloaded into each node can be carefully chosen in a deterministic and optimized manner. Some of these strategies are more adequate for adoption in dense networks, since the key connectivity achieved by them depends on the proximity of the nodes, while others provide full connectivity even in sparse networks. Some relevant schemes from this category are described in the following.

9.1. IOS and multiple-IOS

In the ID-based One-way function Scheme (IOS) [43], the network is modeled as a connected r-regular graph $G$ (see footnote 4), whose edges are decomposed into star-like subgraphs. With this construction, each vertex of $G$ (i.e., each node of the network) is the center of one star and a leaf of $r/2$ distinct stars. Every sensor node A receives a secret key $K_A$, as well as hashed keys $K_{A,B} = \mathrm{Hash}(K_B \| ID_A)$ if A is a leaf of the star-like sub-graph centered at B, totalizing $r/2$ hashed keys. As a result, a leaf node B can always generate a shared key with the center node A, simply by computing $K_{A,B} = \mathrm{Hash}(K_B \| ID_A)$ whenever necessary. Due to the adoption of pairwise keys, the resultant solution achieves a very good security, including perfect resilience. Furthermore, in sufficiently dense networks, IOS provides a high probability that any pair of nodes is able to establish a shared key by applying path-key discovery methods over at most two hops. However, the scheme suffers from scalability issues. For a network having $n$ nodes, the probability that one node shares a key with a neighbor is given by $r/(n-1)$; this means that IOS requires half of the memory needed in the Random Pairwise Key scheme for a same connectivity level, but the storage requirements still are $O(n)$. Besides, the scheme does not allow the introduction of an arbitrarily large number of nodes after deployment.

A better scalability can be achieved by sacrificing some resilience, as proposed in the Multiple-IOS [43]. The basic idea behind this scheme is to have not only one, but a group of $c$ sensor nodes in each vertex of the r-regular graph $G$. Each sensor node A in group $G_u$ only needs to receive a group key $K_u$ and $r/2$ hashed keys $K_{A,v} = \mathrm{Hash}(K_v \| ID_A)$ whenever $G_u$ is a leaf of the star-like sub-graph centered at another group $G_v$. Hence, any node B in group $G_v$ can easily compute $K_{A,v}$ and use it to communicate with a node $A \in G_u$. When compared to the basic IOS, the memory requirements in the Multiple-IOS are decreased by a factor of about $1/c$ for a given connectivity level, and new nodes can be added in a vertex after deployment (modifying the value of $c$). Hence, the solution presents a better scalability. Nonetheless, the capture of a single node in group $u$ compromises any key computed from $K_u$, which has serious impacts on the scheme's resilience.


9.2. MBS and DMBS

It is also possible to combine combinatorial design strategies with Blom's Scheme [11] in order to improve its resilience. While Blom's Scheme provides perfect connectivity among nodes (which can be represented by a complete graph), Lee and Stinson [43] propose a Modified Blom's Scheme (MBS) where the network is divided into two groups $u$ and $v$ to form a complete bipartite graph (see footnote 5). In the resultant scheme, each node $i$ receives a column $col_i$ from the public $(k+1) \times n$ matrix $M$, exactly as in Blom's Scheme. However, the private information $x_i$ is not a row from $(DM)^T$, but is computed as $x^u_i = col_i^T D$ for nodes that belong to group $G_u$, and as $x^v_i = D\,col_i$ for nodes in $G_v$. Hence, nodes $i \in G_u$ and $j \in G_v$ can compute a common key $K_{i,j} = col_i^T D\,col_j$ simply by using their secret information and each other's public column information, even if the secret $(k+1) \times (k+1)$ matrix $D$ is not symmetric. Nodes that are unable to establish a common key in this manner may employ Path-key Establishment protocols.

The improved resilience of this approach resides in the fact that attackers cannot recover any information unless they compromise at least k + 1 nodes either all in $G_u$ or all in $G_v$ (instead of any k + 1 nodes as in Blom’s Scheme).
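The following added example (not code from the survey or from [43]) works MBS through over a prime field: it derives both kinds of private share, shows that keys only agree across the two groups, and counts how many independent linear equations on D a set of captured nodes yields. The modulus, the Vandermonde columns built from node IDs and all function names are assumptions.

```python
import secrets

P = 2**31 - 1  # prime modulus of the field; an assumption, not from the survey


def column(seed, k):
    """Public column col_i of the (k+1) x n matrix M (Vandermonde, assumed)."""
    return [pow(seed, e, P) for e in range(k + 1)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P


def random_matrix(k):
    """Secret (k+1) x (k+1) matrix D, not necessarily symmetric."""
    return [[secrets.randbelow(P) for _ in range(k + 1)] for _ in range(k + 1)]


def private_share(D, col, group):
    """x_i = col_i^T D for group 'u', D col_i for group 'v'."""
    size = len(col)
    if group == "u":
        return [dot(col, [D[a][b] for a in range(size)]) for b in range(size)]
    return [dot(D[a], col) for a in range(size)]


def pair_key(my_share, peer_col):
    """Either side: dot product of its own share with the peer's column."""
    return dot(my_share, peer_col)


def equations(col, group):
    """Linear equations on the (k+1)^2 entries of D held by one node."""
    size = len(col)
    rows = []
    for fixed in range(size):
        row = [0] * (size * size)
        for free in range(size):
            a, b = (free, fixed) if group == "u" else (fixed, free)
            row[a * size + b] = col[free]
        rows.append(row)
    return rows


def rank_mod_p(rows):
    """Rank over GF(P) by Gauss-Jordan elimination."""
    rows = [r[:] for r in rows]
    rank = 0
    for c in range(len(rows[0]) if rows else 0):
        piv = next((i for i in range(rank, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][c], -1, P)
        rows[rank] = [v * inv % P for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(v - f * w) % P for v, w in zip(rows[i], rows[rank])]
        rank += 1
    return rank


def leaked_rank(captured, k):
    """captured: list of (node_id, group). D is fully determined only when
    the rank of the combined equations reaches (k+1)^2."""
    rows = []
    for node, group in captured:
        rows += equations(column(node, k), group)
    return rank_mod_p(rows)
```

For k = 2, three captured nodes in the same group give rank 9 = (k+1)², while captures split across both groups stay below 9, matching the resilience argument above.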

In the Deterministic Multiple Space Blom’s Scheme (DMBS) [43], the scalability of MBS is improved at the expense of resilience. This proposal uses c copies of an r-regular graph G, in such a manner that a group $G_u$ with c sensors is placed in each vertex of G. Furthermore, every edge e receives an arbitrary direction and is associated to a random $(k+1) \times (k+1)$ matrix $D_e$, not necessarily symmetric. Finally, each node $i \in G_u$ receives: a column $col_i$ from the public $(k+1) \times n$ matrix M, a private $x_i = col_i^T D_e$ for every edge starting at $G_u$, and a private $y_i = D_e\,col_i$ for every edge ending at $G_u$. Thus, nodes $i \in G_u$ and $j \in G_v$ can compute the common key $K_{i,j} = col_i^T D_{uv}\,col_j$. In a network with n nodes, the probability that two nodes share a key in this manner is given by $r \cdot c/(n-1)$.

As in Multiple-IOS, the result of using multiple copies of G is that the DMBS requires about 1/c of the memory needed in MBS. However, the security impact is also similar, since compromising a single sensor node $i \in G_u$ is equivalent to compromising all the c nodes in $G_u$.

⁵ A complete bipartite graph is a graph that can be decomposed into two groups $G_1$ and $G_2$ such that each vertex in $G_1$ is connected to all vertexes in $G_2$ (and vice versa), but no connection exists among any two vertexes that are both in $G_1$ or both in $G_2$.

9.3. Using block design techniques

Çamtepe and Yener [18,19] proposed three key distribution schemes where the key chains are built using block design techniques: Symmetric Design, GQ Design and Hybrid Design. They are described in the following.

In the Symmetric Design, a finite projective plane⁶ of order l (for a prime power l) is used to construct a key pool P of size $|P| = l^2 + l + 1$. This scheme supports up to $n = |P|$ nodes, each of which receives a key chain with l + 1 elements. Any pair of key chains designed using this strategy contains exactly one key in common and, hence, any pair of nodes can establish a direct link after receiving each other’s list of key IDs. Therefore, the main advantage of this scheme is that it provides perfect connectivity. Its security depends on the parameter l: when a node is compromised, a fraction of about 1/l links is compromised; moreover, an attacker can compromise all the keys of the network by compromising at most $l^2 + 1$ nodes. This solution requires l to be a prime power in order to allow an easy construction of the key pool. For this reason, not all network sizes are supported by the scheme and, after deployment, a maximum of $l^2 + l + 1$ nodes can coexist, which affects its scalability.
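As an added illustration (not code from the survey or from [18,19]), the key chains of the Symmetric Design can be generated from the projective plane over GF(l) and the single-capture impact measured exactly. The sketch is restricted to prime l, whereas the scheme allows any prime power; the homogeneous-coordinate construction and function names are assumptions.

```python
from fractions import Fraction
from itertools import combinations


def normalized_triples(l):
    """One representative per point (or line) of the projective plane PG(2, l)."""
    return ([(1, a, b) for a in range(l) for b in range(l)]
            + [(0, 1, a) for a in range(l)]
            + [(0, 0, 1)])


def key_chains(l):
    """Key chains for l^2 + l + 1 nodes: points are key IDs, lines are chains.
    Prime l only in this sketch (prime powers need GF(l) arithmetic)."""
    if l < 2 or any(l % d == 0 for d in range(2, int(l ** 0.5) + 1)):
        raise ValueError("this sketch handles prime l only")
    points = normalized_triples(l)
    key_id = {p: i for i, p in enumerate(points)}
    chains = []
    for line in normalized_triples(l):
        on_line = [p for p in points
                   if sum(x * y for x, y in zip(p, line)) % l == 0]
        chains.append(frozenset(key_id[p] for p in on_line))
    return chains


def shared_key_id(chain_a, chain_b):
    """Shared-key discovery: the unique key ID two distinct chains have in common."""
    (common,) = chain_a & chain_b   # raises if the design property is violated
    return common


def compromised_fraction(chains, captured):
    """Fraction of links between uncaptured nodes whose key sits in the
    captured node's chain."""
    loot = chains[captured]
    others = [c for i, c in enumerate(chains) if i != captured]
    links = list(combinations(others, 2))
    hit = sum(1 for a, b in links if shared_key_id(a, b) in loot)
    return Fraction(hit, len(links))
```

For l = 3 the fraction is exactly 2/11 and for l = 5 it is 4/29, i.e. (l − 1)/(l² + l − 1), which is the "about 1/l" figure quoted above.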

In the GQ Design, Generalized Quadrangles (GQ)⁷ are used to achieve a more scalable solution, at the cost of connectivity. In this construction, points in GQ(s,t) are seen as the keys and lines as the key chains, each of which contains s + 1 keys. As a result, any node shares a key with exactly $t(s-1)$ other nodes; besides, if nodes A and B do not have a key in common, there are (s + 1) distinct nodes that share keys with both of them. Respectively, the proposed constructions $GQ(l,l)$, $GQ(l,l^2)$ and $GQ(l^2,l^3)$ support network sizes of orders $O(l^3)$, $O(l^5)$ and $O(l^4)$, provide key sharing probabilities of $\approx 1/l$, $\approx 1/l^2$ and $\approx 1/l^{1.5}$, and allow $l + 1$, $l + 1$ and $l^2 + 1$ auxiliary nodes to participate in any Path-key Establishment process. Moreover, the capture of at most $st^2 + st + 1$ nodes may be necessary in order to recover all the network keys. Despite this higher scalability and resilience, l still needs to be a prime power.

A third approach combines a core design with a complementary one, resulting in a Hybrid Design that supports networks with an arbitrary size n. The core (Symmetric or GQ) design is used for generating $n' < n$ key chains $C_{i=1,\ldots,n'}$, in such a manner that each chain $C_i$ contains k keys taken from a key pool P. The complementary design corresponds to the key chains $\overline{C}_{i=1,\ldots,n'}$, where $\overline{C}_i = \{P - C_i\}$ and $|\overline{C}_i| = |P| - k > k$. The remainder $n - n'$ chains $C_{i=n'+1,\ldots,n}$ needed by the network are then selected at random among the k-sized subsets of $\overline{C}_i$, i.e., they are constructed from the chains $\overline{C}_i$ in the complementary design. Hybrid designs built in this manner improve scalability, but the resultant key connectivity is lower than that obtained by the core design alone.

⁶ Loosely speaking, a finite projective plane of order l is a geometric plane composed by $l^2 + l + 1$ points where every point has l + 1 lines on it and every line contains n + 1 points.

⁷ In a Generalized Quadrangle GQ(s,t), an edge shares a vertex with exactly t(s + 1) other edges; moreover, if two edges $e_1$ and $e_2$ do not share a vertex, there are s + 1 distinct edges that share a point with both $e_1$ and $e_2$.


9.4. Using complete graphs

Gupta and Kuri [32] have proposed a Complete Graph Design where the network of size n is represented by a fully connected graph, which implies a graph composed of n(n − 1)/2 edges. The key pool P in this scheme is constructed using n random keys and each edge is then associated with a pair of keys taken from P. Thus, the communication between nodes A and B in this scheme is protected by a pair of keys $(K_1, K_2)$ shared by these nodes. As every node is part of n − 1 edges, the scheme achieves perfect connectivity at the cost of k keys stored per node, in such a manner that k(k − 1)/2 = n − 1. However, the main disadvantage of this solution is its security: since each key is shared by a total of k nodes, an attacker that captures $n_c$ nodes can compromise $1 - \binom{n-k}{n_c} / \binom{n}{n_c}$ communication links. Fig. 3 illustrates a simple example where the network is composed of four nodes; it also shows the security impact from capturing a single node.

10. Improving efficiency by using deployment knowledge

The efficiency of the previous schemes can be improved in scenarios where the final position of the nodes can be determined to some extent and their mobility is reduced or non-existent. As this is not the most general scenario, the usefulness of these proposals is restricted to a certain number of applications where this condition is satisfied. However, whenever the position of nodes (or groups of them) can be estimated with enough precision, this trade-off between flexibility and efficiency may be very advantageous.

10.1. Extending probabilistic schemes

Du et al. [25] combine the Basic Scheme [31] with deployment knowledge in the Group-Based Deployment Scheme. They assume that the nodes are deployed in groups of c sensors over a $u \times v$ rectangular area, such that the deployment points of the $u \times v$ groups $G_{i,j}$ ($1 \le i \le u$, $1 \le j \le v$) form a rectangular grid. During the Key Pre-distribution phase, the original key pool P is divided in smaller pools $P_{i,j}$, each of which is associated to a different group $G_{i,j}$ in such a manner that any pair of pools used by nearby groups have a big overlap (i.e., many keys in common), while the pools for distant groups have a small or no overlap. After the keys and their IDs are loaded into the sensors from the appropriate pools, the Shared-key Discovery and Path-key Establishment phases proceed as in the Basic Scheme.

Fig. 3. Example of key graph for the Complete Graph Design [32] where $P = \{K_1, K_2, K_3, K_4\}$. Highlighted keys and links are the ones compromised by the capture of node A.

For a desired connectivity level and network size, the Group-Based Deployment Scheme associates each node to a pool that is smaller than the one needed by the Basic Scheme alone (e.g., $1/(u \times v)$). As a result, when compared to the latter, this proposal is more efficient in terms of memory usage and bandwidth occupation, since each node stores and broadcasts fewer keys; additionally, the number of keys recovered through the capture of a single node is reduced and these keys can be used basically to compromise the communication of neighboring groups (not the entire network), leading to a better resilience. Hence, it trades flexibility for security and efficiency.

The Group-Based Deployment Scheme can also be combined with RoK [17], leading to higher resilience throughout multiple deployments, as proposed in the Zone-based Robust Key Distribution (Zo-RoK) [39]. The integration of both solutions is quite straightforward: each zone receives its own forward and backward key pools, and also additional backward and forward pools for communicating with neighboring groups in the rectangular area; both the establishment of shared keys and the selection of each node’s key IDs proceeds as in RoK, with the only difference that, in both processes, the PRF takes as input not only the node’s ID and generation, but also its zone. By exploring the deployment knowledge, Zo-RoK requires considerably less memory for storing keys than RoK, while keeping its resilience properties. Nonetheless, this solution still requires the maximum network size to be determined prior to the first nodes deployment.

By adding location information to the Random Pairwise Scheme [22], Liu and Ning [47,48] were able to improve the scalability and the key connectivity of the network, without impacting on the amount of memory needed for storing keys. The idea behind their Closest Pairwise Keys Scheme is to load each sensor with pairwise keys for communicating with m of its closest neighbors. This is performed in the following manner. First, each sensor A receives a private key $K_A$; moreover, a set $S = \{B_i\}_{i=1,\ldots,m}$ composed by the m sensors that are the closest to A is selected and A is loaded with m pairwise keys of the form $K_{A,B_i} = \mathrm{PRF}(K_{B_i} \,\|\, ID_A)$. Hence, both sensors A and B can determine a common key during Key Establishment: A uses the key already loaded into its memory, while B computes the same key by using its own private key and the ID of A. Sensors that are unable to establish a common key in this manner need to broadcast their IDs in search for a third node that shares a key with either of them and, thus, can act as an intermediary during the Path-key Establishment phase. After deployment, a new node $A'$ can be added to the network by loading $A'$ with the pairwise keys $K_{A',B_i} = \mathrm{PRF}(K_{B_i} \,\|\, ID_{A'})$, where the nodes $B_i$ are expected to be the closest neighbors of $A'$.

The Closest Pairwise Keys Scheme is not only more scalable than the Random Pairwise Scheme [22], but also inherits its security features, such as perfect resilience and node-to-node authentication. The value of m is limited by the memory available, and can be adjusted to achieve a good key connectivity if the nodes’ positioning can be determined with low error.

Another proposal based on pairwise keys is the Efficient and Scalable Pairwise Key (ESPK) scheme [76], which also tackles the security issues involved in successively deploying nodes in the same area. This solution assumes that the sensors from the ith generation are deployed in groups $G^i_{u,v}$ of c nodes, placed in the center of square cells located at coordinates (u,v), thus forming a square grid. All nodes from the same $G^i_{u,v}$ receive pairwise keys for communicating with each other, resulting in perfect intra-group connectivity (but also in scalability issues if the groups are large). In order to allow inter-group communication, each group $G^i_{u,v}$ also creates t sequences of s keys through the repeated application of a hash function Hash, in such a manner that the jth sequence-key is computed as $k^j_a = \mathrm{Hash}^j(k^{j-1}_a, a)$ for some secret anchor value a and where $k^0_a$ is set to a random seed. The anchor values (together with their seeds) are equally distributed to sensors from vertically, horizontally and diagonally adjacent groups, while the sequence-keys generated are distributed among the group’s nodes. In this manner, if node A has the anchor value a and seed $s_a$ for some sequence-key $k^j_a$ stored in node B (which is not in the same group as A), both nodes are able to generate a common key, since A can compute $k^j_a = \mathrm{Hash}^j(s_a, a)$. After deployment, when a has already been used for this purpose, it should be deleted from the sensor’s memory in order to prevent the leakage of such information from the node’s capture; as long as this is successfully done, the scheme provides perfect resilience.

The main interest of ESPK refers to its resilience throughout successive generations, since the generation-wise key pools assure that the capture of old (possibly exhausted) nodes provides little or even no information about the keys used by newer generations. As a drawback, this strategy reduces the connectivity between different generations: although ESPK provides the same features as the Full Pairwise scheme to all nodes from the same $G^i_{u,v}$, these nodes are unable to communicate with nodes previously deployed in the same area (e.g., from $G^{i-1}_{u,v}$); moreover, the communication with older nodes from adjacent areas is only possible if the new nodes are loaded with the anchor values previously used, which gives an extra opportunity to attackers to capture those keys. The connectivity of the network is thus highly dependent on the frequency of new deployments and on the size of the grid.

The Group-based Key Establishment (GKE) [77] scheme explores the fact that nodes are often deployed in groups of c sensors, and sensors from a same group are likely to be neighbors. While some schemes assume that the group adjacencies can be determined to some extent prior to or after the deployment of sensors (e.g., the Group-Based Deployment Scheme [25]), this weaker assumption in GKE makes it suitable to a wider range of scenarios where deployment knowledge can be explored. During GKE’s Key Pre-distribution phase, every sensor receives a pairwise key for each other sensor in its own group; additionally, each sensor node is loaded with pairwise keys for communication with nodes from other groups, in such a manner that each pair of groups $(G_i, G_j)$ have m > 0 pairs of nodes (A,B) sharing a common key. Thus, during Path-key Establishment, neighboring sensors that are not in the same group need to rely on at most two intermediaries, chosen among m candidates, to establish a pairwise key.

GKE offers some interesting features for applications where the group-based deployment requirement applies, such as a good level of security (due to the adoption of pairwise keys) and perfect intra-group connectivity. When no nodes are compromised, the scheme also offers perfect inter-group connectivity through the use of group-wide communications, keeping the communication overhead at a low level when compared to solutions such as PIKE. Finally, the memory requirements involved in this solution depend on the size of the group and on the desired inter-group connectivity after a certain number of nodes are compromised.

10.2. Extending polynomial-based schemes

Liu and Ning [47,48] also have proposed a solution combining the Closest Pairwise Keys Scheme and Blundo’s Scheme [12]. The resulting Polynomial Closest Pairwise scheme involves the partition of the deployment region into g small areas, called cells, each of which is linked to a bivariate k-degree polynomial. Thus, if a node A is going to be deployed in cell $C_A$, that node is loaded with a set of polynomial shares associated to the cells that are closest to $C_A$, instead of receiving pairwise keys. During Shared-key Discovery, each node A broadcasts its ID and the IDs of the polynomials it carries, allowing any neighbor node B that shares a polynomial with A to compute the shared key $K_{A,B}$ as in Blundo’s Scheme. The Triangle-Based scheme proposed in [24] can be seen as an instance of this approach in which the cells are triangles.

A similar solution that combines Blundo’s Scheme [12] with deployment knowledge is the Hexagonal Group-based Key Management (HGKM) [14]. This scheme assumes that the nodes are deployed in groups, following a Gaussian distribution around the point of deployment. The network is then modeled as a hexagonal grid that follows this distribution pattern and covers all sensor nodes. Every hexagon receives a coordinate (i, j) and is associated to three cells $C_1 = \{(i, j), (i+1, j), (i+1, j+1)\}$, $C_2 = \{(i, j), (i, j-1), (i-1, j)\}$ and $C_3 = \{(i, j), (i-1, j+1), (i, j+1)\}$. Finally, each cell receives a k-degree polynomial and, thus, each sensor stores three polynomial shares for establishing keys in the same manner as in Blundo’s Scheme.

More recently, a small modification to HGKM’s key-establishment process has been proposed [15]. In the resulting scheme, which we call Nonce-based-HGKM (N-HGKM), every node A receives a nonce $N_A$ together with its polynomial shares. These nonces are broadcast during the scheme’s Shared-Key Discovery phase, and two nodes A and B having shares of the same polynomial f can then compute a common key K_{A,B} = f(ID_A � N_A, ID_B � N_B). As a result, even if adversaries are able to capture a set S (with |S| > k) of nodes having shares of the same polynomial, they would still need to know the nonces $N_A$ and $N_B$ in order to compromise the communication between nodes A and B that are not in S. This added protection provided by the nonces is limited, though, since they are broadcast as plaintext during Shared-Key Discovery.

Fig. 4. General framework for Group-based deployment [49,50].

The above solutions can be seen as extensions of the Polynomial Pool-based Key Pre-distribution [46] where the assignment of polynomials from the pool is not random, but rather based on the nodes’ expected locations for achieving a higher key connectivity. The communication overhead is reduced, staying slightly below other location-based solutions such as [47,48]. The security achieved depends on the number of nodes per cell: larger cells result in a larger number of sensors sharing the same polynomial; this results in better key connectivity, but also leads to lower resilience, since each cell inherits the k-security property from Blundo’s Scheme and the capture of one node reveals information about three cells.

10.3. Extending matrix-based schemes

Yu and Guan [73] combine deployment knowledge with Blom’s Scheme [11], yielding a solution that resembles Liu and Ning’s proposal [47,48], but where the polynomials are replaced by matrices. Similarly to HGKM [14], this Matrical Closest Pairwise Keys Scheme assumes that the deployment field can be divided into a grid with g hexagonal cells and that nodes are deployed in groups. In this manner, for a network having n nodes, the center of each cell becomes the deployment point of a single group $G_i$, composed by c = n/g sensors. Prior to deployment, a public $(k+1) \times g$ matrix M is generated and each node in a group $G_i$ is loaded with the ith column of M. Moreover, each group $G_i$ is assigned a unique secret $(k+1) \times (k+1)$ matrix $D_i$, in such a manner that each node j ($1 \le j \le |G_i|$) in group $G_i$ is loaded with the jth row of the matrix $(D_i M)^T$. With this information, any pair of nodes from the same group can compute a pairwise key just as in Blom’s Scheme. In order to allow inter-group communication, each group is also associated to t = {2, 3 or 7} additional secret $(k+1) \times (k+1)$ matrices $D^*_i$, in such a manner that each pair of neighbor groups have at least one matrix $D^*_i$ in common. Each node j from $G_i$ then receives the jth row from $s \le t$ of its group’s $(D^*_i M)^T$ matrices. Therefore, nodes that are not from the same group but that have at least one $D^*$ in common can also compute a common key using Blom’s Scheme. After deployment, each node broadcasts its own index, its group ID, the IDs of its $D^*$ matrices and its column instance of M, allowing them to determine a shared matrix that can be used during key-discovery. If no such matrix exists, the nodes involved could employ path-key discovery mechanisms or simply stop communicating.

Yu and Guan provide some variants of the Matrical Closest Pairwise Keys Scheme, each of which adopts a different value for t and s. For example, for a given value of t, a small value of s leads to a lower connectivity because neighbor nodes will not share many matrices, but a better resilience is achieved because less information is obtained when a node is captured; on the other hand, a higher value of t for a fixed s results in lower connectivity and stronger resilience. Hence, they offer different storage requirements, security levels and key connectivity. Generally, the connectivity in all variations remains close to 1 as long as the hypothesis on the nodes distribution (e.g., normal distribution) inside the hexagonal grids holds true. Moreover, due to the reduced size of the matrices used, this scheme improves the scalability and bandwidth occupation of Blom’s Scheme, while taking advantage of the k-security property in order to offer a good resilience.

10.4. The general group-based framework

In [49,50], Liu et al. explore group-based deployments in order to enhance the security and performance of existent solutions. In the General Group-Based Framework proposed, nodes in each deployment group $G_i$ are loaded with keys according to an instance $D_i$ of any existent pre-distribution technique, which is called an in-group instance; every node is also included in one of m disjoint cross-groups $G'_{i=1,\ldots,m}$, each of which contains a single node from each deployment group and is associated to a cross-group instance $D'_{i=1,\ldots,m}$ of an existing pre-distribution technique. This situation is illustrated in Fig. 4.

After this pre-distribution step, each sensor node is loaded with information from two Key Pre-distribution instances. After deployment, if a pair of nodes A and B is in a same in-group $G_i$, they can establish a common key by entering the Key Establishment and, possibly, Path-key Discovery phases of the in-group instance $D_i$. Analogously, nodes in the same cross-group $G'_i$ can use the cross-group instance $D'_i$ in order to establish a common key. If nodes $A \in G_u$ and $B \in G_v$ have no group in common, they can establish a shared key by using two intermediary nodes $A' \in G_u$ and $B' \in G_v$ pertaining to a same cross-group $G'_b$ (i.e., $A, A' \in G_u$, $B, B' \in G_v$ and $A', B' \in G'_b$).

The main advantage of this General Group-Based Framework is that it is based on groups whose size is typically much smaller than the size of the network itself. Hence, secure and efficient Key Pre-distribution schemes which do not scale well could greatly benefit from such strategy. Moreover, cross-groups can be constructed in such a manner that each pair of nodes can determine if they have a group in common simply by knowing their IDs, thus avoiding unnecessary communication overheads during the establishment of shared keys. In [50], two efficient instantiations of this framework are proposed, showing the applicability of this approach.
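The path selection described for the General Group-Based Framework can be sketched as below; this is an added example, not one of the instantiations from [50]. It assumes node IDs of the form (deployment group, index), that cross-group b holds the node with index b from every deployment group, and that each in-group or cross-group instance yields a direct key between any two of its members.

```python
def key_path(a, b, c, revoked=frozenset()):
    """Hops needed for nodes a and b to agree on a key.

    a, b    -- node IDs (deployment_group, index), with 0 <= index < c
    c       -- nodes per deployment group (also the number of cross-groups)
    revoked -- node IDs that must not be used as intermediaries
    Returns a list of (from, to, instance) hops, or None if every candidate
    cross-group contains a revoked intermediary.
    """
    if a == b:
        raise ValueError("a and b must be distinct nodes")
    (u, i), (v, j) = a, b
    if u == v:                       # same deployment group: in-group instance D_u
        return [(a, b, ("in-group", u))]
    if i == j:                       # same cross-group: cross-group instance D'_i
        return [(a, b, ("cross-group", i))]
    # No group in common: go through A' = (u, x) and B' = (v, x) of one
    # cross-group x. x = j or x = i makes one intermediary coincide with an
    # endpoint, so those candidates are tried first.
    candidates = [j, i] + [x for x in range(c) if x not in (i, j)]
    for x in candidates:
        a2, b2 = (u, x), (v, x)
        if a2 in revoked or b2 in revoked:
            continue
        hops = [(a, a2, ("in-group", u)),
                (a2, b2, ("cross-group", x)),
                (b2, b, ("in-group", v))]
        return [h for h in hops if h[0] != h[1]]   # drop zero-length hops
    return None
```

Because membership follows from the IDs alone, both endpoints can run this selection locally without broadcasting key or group identifiers, and a revocation list only changes which cross-group is picked.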


11. Summary and discussion

Table 1 displays a complete list of the schemes considered in this survey, as well as their references.

Table 2 summarizes our security analysis, considering the following aspects. {A} Node Authentication: if node-to-node authentication is supported; schemes marked as “no*” are those that support such feature only after the initial key establishment. {R} Resilience: percentage or number of nodes compromised when a single node is captured before it is able to remove any redundant information (e.g., an already used key) from its memory; we use “k-secure+” to distinguish the case where if $n_c \le k$ nodes are captured, few nodes (or none) are compromised, while this number increases (usually rapidly) otherwise; we stress the fact that the impact of compromising a larger number of nodes usually involves much more complicated equations than those presented in this table. {V} Node Revocation: how difficult it would be to revoke a node. Here, $|P|$ stands for the size of the pool, k for the size of the key chains used and n for size of the network.

Table 3 summarizes the following efficiency properties. {M} Memory: amount of information, either keys (‘K’) or IDs (‘ID’), stored per node. {P} Processing: operations required per key generation; ‘PRF’, ‘H’, ‘E’, ‘D’, ‘S’, ‘VecMul (x)’ and ‘PolyEval (x)’ stand, respectively, for Pseudorandom Function, Hash, Encryption, Decryption, Search, Multiplication of two vectors with size x and polynomial evaluation over x points. {B} Bandwidth Utilization: amount of information [sent][received] per node during key establishment; we use ‘K’ to indicate data whose size is compatible with that of a key (e.g., nonces or polynomial coefficients), and ‘ID’ to denote potentially smaller data (e.g., key IDs or the node’s generation). {C} Key Connectivity: rank where higher values mean better connectivity for a given amount of keys stored. Here, k stands for the size of the key chains used, n for size of the network, and b for the number of a node’s neighbors. We note that some details were omitted because the overhead introduced can be better understood by reading the scheme’s description (‘extra’ marks).

Table 1. Summary: schemes and references.

| Classification | Schemes and references |
| --- | --- |
| Network-wide key | Single Master Key, BROSK [41], SKKE [3], LBKMS [74], LKMS [28] |
| Full pairwise | Full Pairwise |
| Probabilistic | Basic Scheme [31], Cluster Key Grouping [36], RKP-H [64], Q-Composite [22], Multipath Key Reinforcement [22], Session Key [35], Key Redistribution [42], Pairwise Key Establishment [78], Cooperative Pairwise [59], RoK [17], RGM [30], Random Pairwise Key [22], Node-Based [34] |
| Matrix-based | Blom’s Scheme [11], Temporary Master-Key [11], Multiple-Space [26] |
| Polynomial-based | Blundo’s Scheme [12], Random Subset [46], Grid-Based [46], Hypercube-Based [51], PIKE [21] |
| Combinatorial design | IOS [43], Multiple-IOS [43], MBS [43], DMBS [43], Symmetric Design [18,19], GQ Design [18,19], Hybrid Symmetric [18,19], Hybrid GQ [18,19], Complete Graphs [32] |
| Deployment knowledge | Group-Based Deployment [25], Zo-RoK [39], Closest Pairwise Keys [47,48], ESPK [76], GKE [77], Polynomial Closest Pairwise [47,48], Triangle-Based [24], HGKM [14], N-HGKM [15], Matrical Closest Pairwise [73], Group-Based Framework [49,50] |

Finally, Table 4 takes into account flexibility parameters, as follows. {D} Deployment Knowledge: whether prior deployment knowledge is required. {L} Limited: whether the number of nodes that can be added to the network after deployment is limited or not. {S} Scalability: rank evaluating the maximum amount of nodes supported by the network; higher values mean better scalability for a given amount of keys stored and key connectivity achieved; for limited networks, we evaluate how the network scales up to the imposed limit (hence, we can have a high value for this parameter even if such a limit exists).

Even if there is no solution that perfectly fits all scenarios, the analysis of these tables reveals the existence of some generic tweaks that can be used to improve specific metrics.

An obvious manner to improve most schemes’ efficiency and scalability is to explore location knowledge. However, since this kind of information is not available in a generic deployment scenario, an alternative (although usually not as effective) approach is to use combinatorial design techniques during the construction of the nodes’ key chains. Indeed, such techniques can lead to better resource usage when compared to some purely probabilistic approaches, as in the case of IOS, which requires half of the memory used by the Random Pairwise Key scheme.

Another observation concerning efficiency is that the amount of information broadcast by nodes trying to identify common keys (or other type of data) can be significantly reduced if that information is somehow indexed using a PRF; this is the case of the deterministic selection of key IDs in RoK and in the Pairwise Key Establishment scheme, which effectively decreases the number of key IDs sent during their Shared-key Discovery phases (especially when compared to solutions such as the Basic Scheme). Additionally, it could also reduce the amount of information exchanged between nodes when revocation mechanisms are executed. This trade-off between processing and communication efficiency is desirable in most sensor networks, since transmission is usually much more expensive than computation in these platforms.

The adoption of more energy-efficient schemes canalso leverage the deployment of some energy-demandingmeasures for enhancing security; in this case, such mea-sures could be used as a secondary mechanism, wheneverneeded by the network. One example is the distributionof additional material through neighboring nodes duringthe establishment of shared keys, as proposed in thePairwise Key Establishment and Multipath Key Reinforce-ment solutions, or the (more lightweight) usage of noncesin the same process, like in the N-HGKM proposal. Such

Page 17: A survey on key management mechanisms for distributed Wireless Sensor Networks

Table 2Summary: security.

Scheme {A} {R} {V}

| Single Master Key | No | 100% | Very difficult: revocation of master key |
| BROSK | No* | 100% | Very difficult: revocation of master key |
| SKKE | No* | 100% | Very difficult: revocation of master key |
| LBKMS | No | 100% | Very difficult: revocation of master key |
| LKMS (c) | No* | $c-1$ nodes | Very difficult: revocation of generation key |
| Full Pairwise | Yes | 0% | Easy: revocation of node ID |
| Basic Scheme | No | $k/\lvert P\rvert$ | Difficult: revoke k keys (may break links) |
| Cluster Key Grouping | No | $k/\lvert P\rvert$ | Difficult: revoke k keys (may break links) |
| RKP-H | No | $\approx k/2\lvert P\rvert$ | Difficult: revoke k keys (may break links) |
| Q-Composite (q) | No | $\binom{k}{q}/\binom{\lvert P\rvert}{q}$ | Difficult: revoke k keys (may break links) |
| Multipath Key Reinforcement | No* | 0% | Difficult: revoke k keys (may break links) |
| Session Key | No* | 0% | Difficult: revoke k keys (may break links) |
| Key Redistribution | No | $\approx k/\lvert P\rvert$ | Very difficult: key chains are dynamic |
| Pairwise Key Establishment | No* | 0% | Difficult: revoke k keys (may break links) |
| Cooperative Pairwise | No* | 0% | Difficult: revoke k keys (may break links) |
| RoK | No* | $\le k/\lvert P\rvert$ | Difficult: revoke k keys (may break links) |
| RGM | No* | $\le k/\lvert P\rvert$ | Difficult: revoke k keys (may break links) |
| Random Pairwise Key | Yes | 0% | Easy: revoke node ID |
| Node-Based | Yes | 0% | Easy: revoke node ID |
| Blom’s Scheme (k) | Yes | k-secure | Medium: revoke ID (k + 1 parameters) |
| Temporary Master-Key | Yes | 0% | Easy: remove keys for revoked ID |
| Multiple-Space Key (k) | Yes | k-secure+ | Medium: revoke ID (k + 1 parameters) |
| Blundo’s scheme (k) | Yes | k-secure | Easy: revoke node ID |
| Random Subset (k) | Yes | k-secure+ | Easy: revoke node ID |
| Grid-Based (k) | Yes | k-secure+ | Easy: revoke node ID |
| Hypercube-Based (k) | Yes | k-secure+ | Easy: revoke node ID |
| PIKE | Yes | 0% | Easy: revoke node ID |
| IOS | Yes | 0% | Easy: revoke node ID |
| Multiple-IOS (c) | No | $c-1$ nodes | Easy: revoke cluster ID |
| MBS (k) | Yes | k-secure+ | Medium: revoke ID (k + 1 parameters) |
| DMBS (c) | No | $c-1$ nodes | Medium: revoke cluster ID (k + 1 parameters) |
| Symmetric Design (l) | No | $<1/l$ | Difficult: revoke l + 1 keys (may break links) |
| GQ Design (s,t) | No | $<1/(1+t\cdot s)$ | Difficult: revoke s + 1 keys (may break links) |
| Hybrid Symmetric (l) | No | $<1/l$ | Difficult: revoke l + 1 keys (may break links) |
| Hybrid GQ (s,t) | No | $<1/(1+t\cdot s)$ | Difficult: revoke s + 1 keys (may break links) |
| Complete Graphs | Yes | $1-\binom{n-k}{1}/\binom{n}{1}$ | Difficult: revoke k keys (may break links) |
| Group-Based Deployment | No | $\approx k\cdot c/(\lvert P\rvert\cdot n)$ | Difficult: revoke k keys (may break links) |
| Zo-RoK | No* | $\le k\cdot c/(\lvert P\rvert\cdot n)$ | Difficult: revoke k keys (may break links) |
| Closest Pairwise Keys | Yes | 0% | Easy: revoke node ID |
| ESPK | Yes | 0% | Easy: revoke node ID |
| GKE | Yes | 0% | Easy: revoke node ID |
| Polynomial Closest Pairwise (k) | Yes | k-secure+ | Easy: revoke node ID |
| Triangle-Based (k) | Yes | k-secure+ | Easy: revoke node ID |
| HGKM (k) | Yes | k-secure+ | Easy: revoke node ID |
| N-HGKM (k) | Yes | k-secure+ | Easy: revoke node ID |
| Matrical Closest Pairwise (k) | Yes | k-secure+ | Medium: revoke ID (k + 1 parameters) |


strategies oblige attackers not only to capture nodes and recover keys from their memories, but also to constantly eavesdrop the network for the distribution of extra material.

Another interesting strategy for improving security involves the amount of keying material used during the establishment of link keys. Links formed using a single key (e.g., as in the Basic Scheme) are not as secure as those derived from the combination of some keys. However, if one forces every pair of nodes to have a minimum number of keys in common for establishing links (as in the Q-Composite scheme), the added security has a negative impact on the network’s connectivity. Therefore, in scenarios where the network traffic is not composed only of highly classified data, a less strict approach such as the one adopted in RoK and RGM seems more interesting: every link is created using the maximum number of shared keys, creating very secure routes – which would be preferred when transmitting more security-sensitive data – and also some alternative routes – useful for the fast delivery of less sensitive packets. Note also that the usage of additional keys for establishing links brings some benefits when revoking nodes: in this case, there is no need to re-establish a link unless all keys used to form it are revoked.
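The trade-off between link security, connectivity and revocation cost described above can be measured with a small simulation. This is an added example, not code from the paper or from any surveyed scheme: it models only the three link-formation rules as this section describes them (it is not the RoK or RGM protocol), and the pool size, ring size, node count, policy names and function names are assumptions.

```python
"""Added example: link-formation policies over random key rings (simplified model)."""
import hashlib
import random
from itertools import combinations


def make_network(n, pool_size, ring_size, seed=1):
    """Constructed sample data: a pool of random 128-bit keys and n key rings."""
    rng = random.Random(seed)
    pool = {kid: rng.getrandbits(128).to_bytes(16, "big") for kid in range(pool_size)}
    rings = [frozenset(rng.sample(range(pool_size), ring_size)) for _ in range(n)]
    return pool, rings


def keys_for_link(shared, policy, q=2):
    """Return the key IDs a pair uses for its link, or None when no link forms."""
    if policy == "single":        # one shared key suffices and is used alone
        return frozenset([min(shared)]) if shared else None
    if policy == "q-composite":   # link only with >= q shared keys, all combined
        return frozenset(shared) if len(shared) >= q else None
    if policy == "max-shared":    # any overlap forms a link, all shared keys combined
        return frozenset(shared) if shared else None
    raise ValueError(f"unknown policy: {policy}")


def derive_link_key(pool, key_ids):
    """Hash the selected pool keys, in key-ID order, into one link key."""
    digest = hashlib.sha256()
    for kid in sorted(key_ids):
        digest.update(pool[kid])
    return digest.digest()


def evaluate(rings, policy, captured=0, q=2):
    """Capture one node, revoke its whole ring, and measure the effect on other links."""
    revoked = rings[captured]
    others = [ring for i, ring in enumerate(rings) if i != captured]
    pairs = list(combinations(others, 2))
    links = [keys_for_link(a & b, policy, q) for a, b in pairs]
    links = [used for used in links if used is not None]
    # Every key behind the link is revoked: the attacker can compute the
    # link key and the link has to be re-established.
    exposed = sum(1 for used in links if used <= revoked)
    # Some but not all keys revoked: the link key stays secret, the link stays up.
    touched_but_valid = sum(
        1 for used in links if used & revoked and not used <= revoked
    )
    return {
        "connectivity": len(links) / len(pairs),
        "links": len(links),
        "exposed": exposed,
        "touched_but_valid": touched_but_valid,
    }


if __name__ == "__main__":
    pool, rings = make_network(n=60, pool_size=200, ring_size=20, seed=7)
    for policy in ("single", "q-composite", "max-shared"):
        r = evaluate(rings, policy, q=2)
        print(f"{policy:12s} connectivity={r['connectivity']:.2f} links={r['links']} "
              f"exposed={r['exposed']} touched_but_valid={r['touched_but_valid']}")
```

For any set of key rings, the max-shared rule keeps the connectivity of the single-key rule while exposing no more links to a captured ring, and the q-composite rule trades links for that same protection.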

As a final remark about security, we note that some schemes assume that the nodes can remove redundant information from their memories after use. One example is the Temporary Master Key scheme, in which a network-wide key is used right after deployment and then erased in order to prevent its capture. Although this approach is not recommended in dynamic networks (e.g., in applications where the nodes have relative mobility, or where there are multiple deployments), this could be an interesting secondary method for improving the security of highly static scenarios.

Table 3. Summary: efficiency.

| Scheme | {M} | {P} | {B} | {C} |
|---|---|---|---|---|
| Single Master Key | 1K | None | [0][0] | 7 |
| BROSK | 1K | PRF + H | [bK][bK] | 7 |
| SKKE | 1 | 2H + 3PRF | ([2bK][2bK] | 7 |
| LBKMS | 1K | H + E or D | ([K][0] or [0][K])/key | 7 |
| LKMS (c) | 3K + c·K | (1 or 2) PRF | � [bK][bK]) | 7 |
| Full Pairwise | (n − 1)(K + ID) | S | [1ID][bID] | 7 |
| Basic Scheme | k (K+ID) | S | [kID][bkID] | 3 |
| Cluster Key Grouping | kK + cID | S | [cID][bcID] | 3 |
| RKP-H | kK + 2kID | S + extra | [2kID][2bkID] | 3 |
| Q-Composite | k (K + ID) | S + H | [kID][bkID] | 1 |
| Multipath Key Reinforcement | k (K + ID) | S + extra | [kID][bkID] + extra | 3 |
| Session Key (s) | kK+(k + bs)ID | S + extra | [kID][bkID] + extra | 3 |
| Key Redistribution | ≈k(K + ID) | S + extra | [kID][bkID] + extra | 4 |
| Pairwise Key Establishment | kK | S + extra | [1ID][bID] + extra | 3 |
| Cooperative Pairwise | kK | S + extra | [1ID][bID] + extra | 3 |
| RoK | kK+(k + 2)ID | S + extra | [2ID][2bID] | 2 |
| RGM (Gw) | kK+(k + Gw + 1)ID | S + extra | [2ID][2bID] | 2 |
| Random Pairwise Key | kK+(k + 1)ID | S | [1ID][bID] | 1 |
| Node-Based | kK+(k + 1)ID | S | [1ID][bID] | 1 |
| Blom’s Scheme (k) | 2(k + 1)K + 1ID | VecMul (k + 1) | [(k + 1)K][b(k + 1)K] | 7 |
| Temporary Master-Key (k) | (2k + 3)K + 1ID | VecMul (k + 1) + H | [(k + 2)K][b(k + 2)K] | 7 |
| Multiple-Space Key (k,s) | (s + 1)(k + 1)K + (s + 1)ID | VecMul (k + 1) | [sID+(k + 1)K][b(sID+(k + 1)K)] | 4 |
| Blundo’s scheme (k) | (k + 1)K + 1ID | PolyEval (1) | [1ID][bID] | 7 |
| Random Subset (k,s) | (s)(k + 1)K + 1ID | PolyEval (1) | [s + 1ID][b(s + 1)ID] | 4 |
| Grid-Based (k) | 2(k + 1)K + 1ID | PolyEval (1) | [1ID][bID] | 5 |
| Hypercube-Based (k,s) | s(k + 1)K + 1ID | PolyEval (1) | [1ID][bID] | 5 |
| PIKE | 2(√n − 1)K + 1ID | S | [1ID][bID] | 4 |
| IOS (r) | (1 + r/2) (K+ID) | H or S | [1ID][bID] | 4 |
| Multiple-IOS (r,c) | (1 + r/2)/c (K+ID) | H or S | [1ID][bID] | 5 |
| MBS (k) | 2ID + 2(k + 1)K | VecMul (k + 1) | [(k + 1)K][b(k + 1)K] | 4 |
| DMBS (k,r,c) | (1 + r/c)ID + (1 + r/c)(k + 1)K | VecMul (k + 1) | [(k + 1)K][b(k + 1)K] | 5 |
| Symmetric Design (l) | (l + 1) (K+ID) | S | [(l + 1)ID][b(l + 1)ID] | 7 |
| GQ Design (s,t) | (s + 1) (K+ID) | S | [(s + 1)ID][b(s + 1)ID] | 4 |
| Hybrid Symmetric (l) | (l + 1) (K+ID) | S | [(l + 1)ID][b(l + 1)ID] | 5 |
| Hybrid GQ (s,t) | (s + 1) (K+ID) | S | [(s + 1)ID][b(s + 1)ID] | 3 |
| Complete Graphs | k (K+ID) | 2S | [kID][bkID] | 7 |
| Group-Based Deployment | k (K+ID) | S | [kID][bkID] | 6 |
| Zo-RoK | kK+(k + 3)ID | S + extra | [3ID][3bID] | 6 |
| Closest Pairwise Keys | kK+(k + 1)ID | S or PRF | [1ID][bID] | 5 |
| ESPK (c,s,t) | (c − 1 + 8ts/c) (K+ID) | S or ≈(s/2)H | [c + 8ts/c [b(c + 8ts/c)ID] | 4 |
| GKE (c,m) | (c + m) (K+ID) | S | [1ID][bID] | 4 |
| Polynomial Closest Pairwise (k) | 3(k + 1)K + 4ID | PolyEval (1) | [4ID][4bID] | 6 |
| Triangle-Based (k) | 3(k + 1)K+4ID | PolyEval (1) | [4ID][4bID] | 6 |
| HGKM (k) | 3(k + 1)K + 4ID | PolyEval (1) | [4ID][4bID] | 6 |
| N-HGKM (k) | 3k + 4K + 4ID | PolyEval (1) | [1K+4ID][bK+4bID] | 6 |
| Matrical Closest Pairwise (k,s) | (2 + s)(k + 1)K + (2 + s)ID | VecMul (k + 1) | [(2 + s)ID+(k + 1)K][b((2 + s)ID+(k + 1)K)] | 6 |

Finally, the overall analysis of the above schemes shows that there are still opportunities for new proposals. One important aspect is security continuity, which so far has been covered in few papers and is a central requirement in networks built from successive deployments; for example, security continuity could be combined with the k-security property in order to provide an ever more resilient network. Another concern refers to the support for node revocation mechanisms: if, as in many existing schemes, the revocation of a compromised node requires many keys to be revoked, such mechanisms become more complex and resource-demanding, and can have a serious impact on the network connectivity; therefore, revocation-awareness is an important requirement when designing and analyzing key management schemes. Finally, providing higher scalability without serious impacts on the network’s security or efficiency is still a difficult challenge; the usage of deployment knowledge is one of the answers to this task, and there are indeed some solutions that have not been combined with such information (e.g., RGM or IOS), but more generic techniques would also be welcome.

Table 4. Summary: flexibility.

| Scheme | {D} | {L} | {S} |
|---|---|---|---|
| Single Master Key | No | No | 7 |
| BROSK | No | No | 7 |
| SKKE | No | No | 7 |
| LBKMS | No | No | 7 |
| LKMS | No | Yes | 6 |
| Full Pairwise | No | Yes | 1 |
| Basic Scheme | No | No | 4 |
| Cluster Key Grouping | No | No | 4 |
| RKP-H | No | No | 4 |
| Q-Composite | No | No | 3 |
| Multipath Key Reinforcement | No | No | 4 |
| Session Key | No | No | 4 |
| Key Redistribution | No | No | 4 |
| Pairwise Key Establishment | No | No | 4 |
| Cooperative Pairwise | No | No | 4 |
| RoK | No | Yes | 4 |
| RGM | No | No | 3 |
| Random Pairwise Key | No | Yes | 2 |
| Node-based | No | Yes | 2 |
| Blom’s Scheme | No | No | 3 |
| Temporary Master-Key | No | No | 3 |
| Multiple-Space Key | No | No | 2 |
| Blundo’s scheme | No | No | 3 |
| Random Subset | No | No | 2 |
| Grid-Based | No | No | 3 |
| Hypercube-Based | No | No | 2 |
| PIKE | No | Yes | 3 |
| IOS | No | Yes | 3 |
| Multiple-IOS | No | No | 4 |
| MBS | No | No | 3 |
| DMBS | No | No | 4 |
| Symmetric Design | No | Yes | 3 |
| GQ Design | No | Yes | 4 |
| Hybrid Symmetric | No | Yes | *3 |
| Hybrid GQ | No | Yes | 4 |
| Complete Graphs | No | Yes | 3 |
| Group-Based Deployment | Yes | No | 5 |
| Zo-RoK | Yes | Yes | 5 |
| Closest Pairwise Keys | Yes | No | 5 |
| ESPK | Yes | No | 5 |
| GKE | Yes | Yes | 4 |
| Polynomial closest pairwise | Yes | No | 4 |
| Triangle-based | Yes | No | 4 |
| HGKM | Yes | No | 4 |
| N-HGKM | Yes | No | 4 |
| Matrical Closest Pairwise | Yes | No | 4 |

12. Conclusions

Security is essential in many of the proposed applications for Wireless Sensor Networks (WSNs). Hence, together with lightweight cryptographic algorithms, the deployment of key management schemes for WSNs is a critical issue. The literature includes many WSN-oriented key management proposals, which employ different techniques in an attempt to overcome the reduced availability of resources in the sensor’s hardware. It is important to note, though, that even if efficiency is the most obvious requirement for any key-distribution scheme, flexibility is also essential for it to be employed in any standardized solution; indeed, the combination of these two factors is probably the main reason why ZigBee adopts a scheme based on a network-wide key (SKKE), even though the security of this approach is questionable.

In this paper, we presented a review and analysis of some relevant pre-distribution schemes suitable for distributed homogeneous networks. The reasoning behind this choice of focus is that the pre-distribution strategy usually involves fewer resources (which determines its wider acceptance) and that the distributed homogeneous model is more general (it does not require the continuous interference of a secure base station or the deployment of powerful nodes). Although the suitability of the schemes surveyed depends on the target application’s needs in terms of security, performance and flexibility, we identify a few generic features that can effectively improve some of these metrics, and also discuss some challenges in the area. Therefore, this analysis should help to orient the development of future proposals well adapted to a wide range of scenarios, and thus more suitable for adoption in standardized protocols.

Acknowledgements

We thank Mats Näslund for the useful comments and review of this paper. This work was supported by the Research and Development Centre, Ericsson Telecomunicações S.A., Brazil.

References

[1] C. Aguilar, P.-L. Cayrel, P. Gaborit, A new efficient threshold ringsignature scheme based on coding theory, in: PQCrypto, SpringerBerlin/Heidelberg, 2008, pp. 1–16.

[2] A. Alemdar, M. Ibnkahla, Wireless sensor networks: applications andchallenges, in: Proceedings of the Ninth International Symposium onSignal Processing and Its Applications (ISSPA 2007), IEEE ComputerSociety, Washington, DC, USA, 2007, pp. 1–6.

[3] ZigBee Alliance, Zigbee specification document 053474r06, v1.0.Technical report, ZigBee Alliance, 2004.

[4] I. Andersen, Combinatorial designs: construction methods,Mathematics and Its Applications, Ellis Horwood, Chichester, UK,1990.

[5] R. Anderson, H. Chan, A. Perrig, Key infection: smart trust for smartdust, in: Proceedings of the 12th IEEE International Conference onNetwork Protocols (ICNP’04), IEEE Computer Society, Washington,DC, USA, 2004, pp. 206–215.

[6] T. Arampatzis, J. Lygeros, S. Manesis, A survey of applications ofwireless sensors and wireless sensor networks, in: Proceedings ofthe 2005 IEEE International Symposium on Intelligent Control –Mediterranean Conference on Control and Automation, IEEEComputer Society, Washington, DC, USA, 2005, pp. 719–724.

[7] D. Aranha, L. Oliveira, J. López, R. Dahab, NanoPBC: implementingcryptographic pairings on an 8-bit platform. Conference onHyperelliptic curves, discrete Logarithms, Encryption, etc.(CHiLE’09), 2009.

[8] A. Barati, M. Dehghan, H. Barati, A. Mazreah, Key managementmechanisms in wireless sensor networks, in: Proceedings of theSecond International Conference on Sensor Technologies and

Page 20: A survey on key management mechanisms for distributed Wireless Sensor Networks

2610 M.A. Simplício Jr. et al. / Computer Networks 54 (2010) 2591–2612

Applications (SENSORCOMM’08), IEEE Computer Society,Washington, DC, USA, 2008, pp. 81–86.

[9] S. Basagni, K. Herrin, D. Bruschi, E. Rosti, Secure pebblenets, in:Proceedings of the Second ACM International Symposium on MobileAd Hoc Networking & Computing (MobiHoc’01), ACM, New York, NY,USA, 2001, pp. 156–163.

[10] V. Bhuse, A. Gupta, Anomaly intrusion detection in wireless sensornetworks, Journal of High Speed Networks 15 (1) (2006) 33–51.

[11] R. Blom, An optimal class of symmetric key generation systems, in:Proceedings of the EUROCRYPT 84 Workshop on Advances inCryptology: Theory and Application of Cryptographic Techniques,Springer, New York, NY, USA, 1985, pp. 335–338.

[12] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, M. Yung,Perfectly secure key distribution for dynamic conferences, in: LNCS,vol. 740, Springer, New York, NY, USA, 1993, pp. 471–486.

[13] S. Çamtepe, B. Yener, Key distribution mechanisms for wirelesssensor networks: a survey (tr-05-07). Technical report, RensselaerPolytechnic Institute, 2005.

[14] N. Canh, Y.-K. Lee, S. Lee, HGKM: a group-based key managementscheme for sensor networks using deployment knowledge, in:Proceedings of the Sixth Annual Communication Networks andServices Research Conference (CNSR’08), IEEE Computer Society, LosAlamitos, CA, USA, 2008, pp. 544–551.

[15] N. Canh, P. Truc, T. Hai, L. Hung, Y. Lee, S. Lee, Enhanced group-basedkey management scheme for wireless sensor networks usingdeployment knowledge, in: Proceedings of the Sixth IEEEConsumer Communications and Networking Conference (CCNC’09),IEEE Computer Society, Los Alamitos, CA, USA, 2009, pp. 1–5.

[16] D. Carman, P. Kruus, B. Matt, Constraints and approaches fordistributed sensor network security. Technical Report 00-010, NAILabs, September 2000.

[17] C. Castelluccia, A. Spognardi, RoK: a robust key pre-distributionprotocol for multi-phase wireless sensor networks, in: Proceedingsof the Third International Conference on Security and Privacy inCommunications Networks (SecureComm’07), IEEE ComputerSociety, Los Alamitos, CA, USA, 2007, pp. 351–360.

[18] S. Çamtepe, B. Yener, Combinatorial design of key distributionmechanisms for wireless sensor networks, in: Proceedings of theNinth European Symposium on Research Computer Security, IEEEPress, Piscataway, NJ, USA, 2004, pp. 293–308.

[19] S. Çamtepe, B. Yener, Combinatorial design of key distributionmechanisms for wireless sensor networks, IEEE/ACM TransactionsNetworks 15 (2) (2007) 346–358.

[20] H. Chan, V. Gligor, A. Perrig, G. Muralidharan, On the distribution andrevocation of cryptographic keys in sensor networks, IEEETransactions on Dependable and Secure Computing 2 (3) (2005)233–247.

[21] H. Chan, A. Perrig, PIKE: peer intermediaries for key establishment insensor networks, in: Proceedings of the 24th Annual JointConference of the IEEE Computer and Communications Societies(INFOCOM’05), vol. 1, IEEE Communications Society, Washington,DC, USA, 2005, pp. 524–535.

[22] H. Chan, A. Perrig, D. Song, Random key pre-distribution schemes forsensor networks, in: Proceedings of the 2003 IEEE Symposium onSecurity and Privacy (SP’03), IEEE Computer Society, Washington,DC, USA, 2003, pp. 197–213.

[23] H. Chien, R.-C. Chen, A. Shen, Efficient key pre-distribution for sensornodes with strong connectivity and low storage space, in:Proceedings of the 22nd International Conference on AdvancedInformation Networking and Applications (AINA’08), IEEE ComputerSociety, Washington, DC, USA, 2008, pp. 327–333.

[24] H. Dai, H. Xu, Triangle-based key management scheme for wirelesssensor networks, Frontiers of Electrical and Electronic Engineering inChina 4 (3) (2009) 300–306.

[25] W. Du, J. Deng, Y. Han, S. Chen, P. Varshney, A key managementscheme for wireless sensor networks using deployment knowledge.Proceedings of the 23rd Annual Joint Conference of the IEEEComputer and Communications Societies (INFOCOM’04), vol. 1,IEEE Computer Society, Los Alamitos, CA, USA, 2004, pp. 586–597.

[26] W. Du, J. Deng, Y. Han, P. Varshney, J. Katz, A. Khalili, A pairwise keypre-distribution scheme for wireless sensor networks, in:Proceedings of the 10th ACM conference on Computer andcommunications security (CCS’03), ACM, New York, NY, USA, 2003,pp. 42–51.

[27] W. Du, J. Deng, Y. Han, P. Varshney, J. Katz, A. Khalili, A pairwise keypre-distribution scheme for wireless sensor networks, ACMTransactions on Information and System Security 8 (2) (2005)228–258.

[28] B. Dutertre, S. Cheung, J. Levy, Lightweight key management inwireless sensor networks by leveraging initial trust. TechnicalReport SRI-SDL-04-02, System Design Laboratory, SRI International,April 2004.

[29] J. Elson, K. Römer, Wireless sensor networks: a new regime for timesynchronization, SIGCOMM Computers and CommunicationReviews 33 (1) (2003) 149–154.

[30] M. Ergun, A. Levi, E. Savas, A resilient key pre-distribution schemefor multiphase wireless sensor networks, in: Proceedings of the 24thInternational Symposium on Computer and Information Sciences(ISCIS’09), IEEE Computer Society Washington, DC, USA, 2009, pp.375–380.

[31] L. Eschenauer, V. Gligor, A key-management scheme for distributedsensor networks, in: Proceedings of the Ninth ACM Conference onComputer and Communications Security (CCS’02), ACM, New York,NY, USA, 2002, pp. 41–47.

[32] A. Gupta, J. Kuri, Deterministic schemes for key distribution inwireless sensor networks, in: Proceedings of the Third InternationalConference on Communication Systems Software and Middlewareand Workshops (COMSWARE’08), IEEE Computer Society,Washington, DC, USA, 2008, pp. 452–459.

[33] HART. HART7 specification. September 2007. Available from:<www.hartcomm.org>.

[34] C. Huang, D. Du, New constructions on broadcast encryption keypre-distribution schemes, in: Proceedings of the 24th Annual JointConference of the IEEE Computer and Communications Societies(INFOCOM’05), vol. 1, IEEE Communications Society, Washington,DC, USA, 2005, pp. 515–523.

[35] S. Hussain, M. Rahman, L. Yang, Key pre-distribution scheme usingkeyed-hash chain and multipath key reinforcement for wirelesssensor networks, IEEE Computer Society, Los Alamitos, CA, USA,2009, pp. 1–6.

[36] D. Hwang, B. Lai, I. Verbauwhede, Energy-memory-security tradeoffsin distributed sensor networks, in: ADHOC-NOW, Springer, Berlin/Heidelberg, 2004, pp. 7081.

[37] J. Hwang, Y. Kim, Revisiting random key pre-distribution schemesfor wireless sensor networks, in: SASN04: Proceedings of the SecondACM Workshop on Security of Ad Hoc and Sensor Networks, ACM,New York, NY, USA, 2004, pp. 43–52.

[38] ISA, Wireless systems for industrial automation: process control andrelated applications (ISA-100.11a). Technical report, 2009. Availablefrom: <www.isa.org/ISA100-11a>.

[39] K. Kalkan, S. Yilmaz, O. Yilmaz, A. Levi, A highly resilient and zone-based key pre-distribution protocol for multiphase wireless sensornetworks, in: Proceedings of the Fifth ACM Symposium on QoS andSecurity for Wireless and Mobile Networks (Q2SWinet’09), ACM,New York, NY, USA, 2009, pp. 29–36.

[40] C. Kuo, M. Luk, R. Negi, A. Perrig, Message-in-a-bottle: userfriendlyand secure key deployment for sensor nodes, in: Proceedings of theFifth International Conference on Embedded Networked SensorSystems (SenSys’07), ACM, New York, NY, USA, 2007, pp. 233–246.

[41] B. Lai, S. Kim, I. Verbauwhede, Scalable session key constructionprotocol for wireless sensor networks, in: IEEE Workshop on LargeScale Real-Time and Embedded Systems (LARTES), IEEE ComputerSociety, Washington, DC, USA, 2002.

[42] C.-F. Law, K.-S. Hung, Y.-K. Kwok, A novel key redistribution schemefor wireless sensor networks, in: IEEE International Conference onCommunications(ICC’07), IEEE Computer Society, Washington, DC,USA, 2007, pp. 3437–3442.

[43] J. Lee, D. Stinson, Deterministic key pre-distribution schemes fordistributed sensor networks, in: LNCS – SAC’2004, vol. 3357,Springer Berlin/Heidelberg, 2005, pp. 294–307.

[44] J. Li, J. Li, Data sampling control and compression in sensor networks,in: Mobile Ad hoc and Sensor Networks (MSN), LNCS, vol. 3794,Springer, Berlin/Heidelberg, 2005, pp. 42–51.

[45] A. Liu, P. Ning, TinyECC: a configurable library for elliptic curvecryptography in wireless sensor networks, in: InternationalConference on Information Processing in Sensor Networks(IPSN’08), IEEE Computer Society, Washington, DC, USA, 2008, pp.245–256.

[46] D. Liu, P. Ning, Establishing pairwise keys in distributed sensornetworks, in: Proceedings of the 10th ACM Conference on Computerand communications Security (CCS’03), ACM, New York, NY, USA,2003, pp. 52–61.

[47] D. Liu, P. Ning, Location-based pairwise key establishments for staticsensor networks, in: Proceedings of the First ACM Workshop onSecurity of Ad Hoc and Sensor Networks (SASN’03), ACM, New York,NY, USA, 2003, pp. 72–82.

Page 21: A survey on key management mechanisms for distributed Wireless Sensor Networks

M.A. Simplício Jr. et al. / Computer Networks 54 (2010) 2591–2612 2611

[48] D. Liu, P. Ning, Improving key pre-distribution with deploymentknowledge in static sensor networks, ACM Transactions on Sensorsand Networks 1 (2) (2005) 204–239.

[49] D. Liu, P. Ning, W. Du, Group-based key pre-distribution in wirelesssensor networks, in: Proceedings of the ACM Workshop on WirelessSecurity (WiSe’05), ACM, New York, NY, USA, 2005, pp. 11–20.

[50] D. Liu, P. Ning, W. Du, Group-based key pre-distribution in wirelesssensor networks, ACM Transactions on Sensors and Networks 4 (2)(2008) 1–30.

[51] D. Liu, P. Ning, R. Li, Establishing pairwise keys in distributed sensornetworks, ACM Transactions on Information and System Security 8(1) (2005) 41–77.

[52] F.J. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes,vol. 16, Mathematical Library, North-Holland, 1977.

[53] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of AppliedCryptography, CRC Press, Boca Raton, FL, 1999.

[54] R. Merkle, Secure communications over insecure channels,Communications on ACM 21 (4) (1978) 294–299.

[55] T. Moore, J. Clulow, Secure path-key revocation for symmetric keypre-distribution schemes in sensor networks, in: IFIP InternationalFederation for Information Processing, Springer, Boston, MA, USA,2007, pp. 157–168.

[56] J. Newsome, E. Shi, D. Song, A. Perrig, The sybil attack in sensornetworks: analysis & defenses, in: Proceedings of the ThirdInternational Symposium on Information Processing in SensorNetworks (IPSN’04), ACM, New York, NY, USA, 2004, pp. 259–268.

[57] E. Ngai, J. Liu, M. Lyu, An efficient intruder detection algorithmagainst sinkhole attacks in wireless sensor networks, ComputerCommunications 30 (11–12) (2007) 2353–2364.

[58] A. Perrig, J. Stankovic, D. Wagner, Security in wireless sensornetworks, Communications on ACM 47 (6) (2004) 53–57.

[59] R. Di Pietro, L. Mancini, A. Mei, Random key-assignment for securewireless sensor networks, in: Proceedings of the First ACM workshopon Security of Ad Hoc and Sensor Networks (SASN’03), ACM, NewYork, NY, USA, 2003, pp. 62–71.

[60] J. Lopez, R. Roman, C. Alcaraz, Analysis of security threats,requirements, technologies and standards in wireless sensornetworks, in: Foundations of Security Analysis and Design V, LNCS,vol. 5705, Springer, Berlin/Heidelberg, 2009, pp. 289–338.

[61] P. Santi, Topology control in wireless ad hoc and sensor networks,ACM Computers and Survey 37 (2) (2005) 164–194.

[62] J. Sen, H. Subramanyam, An efficient certificate authority for ad hocnetworks, in: Proceedings of the Fourth International Conference onDistributed Computing and Internet Technology (ICDCIT’07), LNCS,vol. 4882, Springer, Berlin/Heidelberg, 2007, pp. 97–109.

[63] C. Sengul, M. Bakht, A. Harris, T. Abdelzaher, R. Kravets, Improvingenergy conservation using bulk transmission over high-power radiosin sensor networks, in: Proceedings of the 2008 The 28thInternational Conference on Distributed Computing Systems(ICDCS’08), IEEE Computer Society, Washington, DC, USA, 2008, pp.801–808.

[64] T. Shan, C. Liu, Enhancing the key pre-distribution scheme onwireless sensor networks, in: IEEE Asia-Pacific Conference onServices Computing, IEEE Computer Society, Los Alamitos, CA, USA,2008, pp. 1127–1131.

[65] A.P. Silva, M. Martins, B. Rocha, A. Loureiro, L. Ruiz, H. Wong,Decentralized intrusion detection in wireless sensor networks, in:Proceedings of the First ACM international workshop on Quality ofservice & Security in Wireless and Mobile Networks (Q2SWinet’05),ACM, New York, NY, USA, 2005, pp. 16–23.

[66] J. Spencer, The Strange Logic of Random Graphs Series: Algorithmsand Combinatorics, vol. 22, Springer, Berlin/Heidelberg, 2001.

[67] D. Sun, B. He, Classification of key management schemes for wirelesssensor networks, Acta Automatica Sinica 32 (2006) 900–906.

[68] P. Szczechowiak, A. Kargl, M. Scott, M. Collier, On the application ofpairing based cryptography to wireless sensor networks, in:Proceedings of the Second ACM Conference on Wireless NetworkSecurity (WiSec’09), ACM, New York, NY, USA, 2009, pp. 1–12.

[69] P. Traynor, C. Guohong, T. La Porta, The effects of probabilistic keymanagement on secure routing in sensor networks, in: WirelessCommunications and Networking Conference (WCNC’06), vol. 2,IEEE Computer Society, Washington, DC, USA, 2006, pp. 659–664.

[70] Y. Xiao, V. Rayi, B. Sun, X. Du, F. Hu, M. Galloway, A survey of keymanagement schemes in wireless sensor networks. ComputerCommunications, 30 (11–12) 2314–2341. Special issue on securityon wireless ad hoc and sensor networks. Elsevier North-Holland,Inc., New York, NY, USA, 2007.

[71] M. Yarvis, N. Kushalnagar, H. Singh, A. Rangarajan, Y. Liu, S. Singh,Exploiting heterogeneity in sensor networks, in: Proceedings of the

24th Annual Joint Conference of the IEEE Computer andCommunications Societies (INFOCOM’05), vol. 2, IEEECommunications Society, Washington, DC, USA, 2005, pp. 878–890.

[72] J. Yick, B. Mukherjee, D. Ghosal, Wireless sensor network survey,Computer Networks 52 (12) (2008) 2292–2330.

[73] Z. Yu, Y. Guan, A key management scheme using deploymentknowledge for wireless sensor networks, IEEE Transactions onParallel Distribution and Systems 19 (10) (2008) 1411–1425.

[74] Y. Zeng, B. Zhao, J. Su, X. Yan, Z. Shao, A loop-based key managementscheme for wireless sensor networks, in: Emerging Directions inEmbedded and Ubiquitous Computing (EUC Workshops), LNCS, vol.4809, Springer, Berlin/Heidelberg, 2007, pp. 103–114.

[75] J. Zhang, V. Varadharajan, Wireless sensor network key managementsurvey and taxonomy, Journal of Network and ComputerApplications 33 (2) (2010) 63–75.

[76] B. Zhou, S. Li, Q. Li, X. Sun, X. Wang, An efficient and scalablepairwise key pre-distribution scheme for sensor networks usingdeployment knowledge, Computers and Communication 32 (1)(2009) 124–133.

[77] L. Zhou, J. Ni, C. Ravishankar, Efficient key establishment for group-based wireless sensor deployments, in: Proceedings of the FourthACM workshop on Wireless security (WiSe’05), ACM, New York, NY,USA, 2005, pp. 1–10.

[78] S. Zhu, S. Xu, S. Setia, S. Jajodia, Establishing pairwise keys for securecommunication in ad hoc networks: a probabilistic approach, in:Proceedings of the 11th IEEE International Conference on NetworkProtocols (ICNP’03), IEEE Computer Society, Washington, DC, USA,2003, pp. 326–335.

Marcos A. Simplicio Jr. was born in Itapeva-SP, Brazil (1983). He received his B.Sc. in Electrical/Computing Engineering at the University of Sao Paulo, Escola Politecnica (2006), his Master degree in Engineering at Ecole Centrale Des Arts Et Manufactures (Ecole Centrale Paris) (2006) and his M.Sc. degree in Computing Engineering at the University of Sao Paulo, Escola Politecnica (2008). He is currently pursuing his PhD at the University of Sao Paulo, where he works as a researcher at the Laboratory of Computers Network and Architecture – LARC. His research interests include applied cryptography, network security, wireless and sensor networks.

Paulo S.L.M. Barreto is a cryptographer born in Salvador, capital of the state of Bahia, Brazil (1965). In 1987, he graduated in Physics at the University of Sao Paulo. He subsequently worked at Unisys Brazil Ltd and Scopus Tecnologia S/A as a software developer and then as chief cryptographer. Barreto received his Ph.D. degree in 2003. Currently he is assistant professor at the Department of Computer and Digital Systems Engineering, Escola Politecnica, University of Sao Paulo.

Cintia B. Margi is currently Assistant Professor at the School of Arts, Sciences and Humanities of the University of Sao Paulo (EACH-USP), in the Networking area in the Information Systems course. She worked as post-doctorate in the Engineering School of University of Sao Paulo from October 2006 until February 2007. She obtained her PhD in Computer Engineering at University of California Santa Cruz (2006), her M.Sc. in Electrical Engineering at University of Sao Paulo (2000) and her BS in Electrical Engineering at University of Sao Paulo (1997). Her research interests include: computer networks, distributed systems, wireless sensor networks.

Tereza C.M.B. Carvalho was born in Salto Grande S.P., Brazil (1958). She received her B.Sc. in Electrical Engineering (1980), M.Sc. in Electronic Engineering (1988) and Ph.D. in Electronic Engineering (1996) from the University of Sao Paulo, Escola Politecnica. She concluded her Sloan Fellows Program (2002), as post-doctoral work, at MIT (Massachusetts Institute of Technology), USA. She is currently an Assistant Professor at the Computer Engineering Department. She is also the director of CCE-USP (Electronic Computing Center of the University of Sao Paulo) and technical director of LARC (Laboratory of Computer Architecture and Networks), being responsible for the research and development of systems in information, network communication convergent and wireless network, management, security and on-line business. Her current research interests include optical network architecture, wireless networks, security, management, financial engineering applied to network quality of service, e-learning, and virtual laboratories applied to networking education.