Wireless Netw

DOI 10.1007/s11276-016-1208-0

On security of wireless sensor networks: a data authentication protocol using digital signature

Huei-Wen Ferng¹ • Nguyen Minh Khoa¹

© Springer Science+Business Media New York 2016

Abstract

Guaranteeing end-to-end data security in wireless sensor networks (WSNs) is important and has drawn much attention of researchers over past years. Because an attacker may take control of compromised sensor nodes to inject bogus reports into WSNs, enhancing data authenticity becomes a necessary issue in WSNs. Unlike PCREF (Yang et al. in IEEE Trans Comput 64(1):4–18, 2015) (LEDS, Ren et al. in IEEE Trans Mobile Comput 7(5):585–598, 2008), digital signature rather than message authentication polynomials (message authentication codes) is adopted by our protocol in en-route filtering. Keeping the advantages of clusters in PCREF and overcoming the drawbacks in LEDS, an enhanced and efficient cluster-based security protocol is proposed in this paper. The proposed protocol can guarantee end-to-end data authentication with the aid of digital signature and exhibits its effectiveness and efficiency through security analysis and performance analysis. Our analytical results show that the proposed protocol significantly outperforms the closely related protocols in the literature in terms of security strength and protocol overhead.

Keywords Wireless sensor network · Security · Protocol · Authentication

Abbreviations

WSN     Wireless sensor network
LEDS    Location-aware end-to-end data security
BS      Base station
DoS     Denial of service
MAC     Message authentication code
PCREF   Polynomial-based compromise-resilient en-route filtering
MAP     Message authentication polynomial
MKMP    Multi-BS key management protocol
DSEDA   Digital signature assisted end-to-end data authentication
LSSS    Linear secret sharing scheme
SEF     Statistical en-route filtering
IHA     Interleaved hop-by-hop authentication
LBRS    Location-based resilient secrecy
CFFS    Cluster-based false data filtering scheme
ECC     Elliptic curve cryptography
ID      Identity
OOS     Online/offline signature
ECDSA   Elliptic curve digital signature algorithm
LEAP    Localized encryption and authentication protocol
LNCS    Location-aware network-coding security
GPS     Global positioning system
CH      Cluster head
PK      Public key
SK      Secret key
DHT     Distributed hash table
P2P     Peer-to-peer
SHA     Secure hash algorithm
HMAC    Keyed-hashing for message authentication

✉ Huei-Wen Ferng
hwferng@mail.ntust.edu.tw

¹ Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taipei 106, Taiwan

1 Introduction

Wireless sensor networks, namely, WSNs, have been deployed for various applications, such as monitoring, military sensing and tracking, traffic flow measuring, and environmental pollutant tracking etc. To fulfill the missions in these applications, sensor nodes monitor physical and environmental variations, e.g., temperature, pressure, and smoke etc., and deliver data over multi-hop wireless paths to the sink or base station (BS). Typically, sensor nodes are resource-constrained devices with limited energy, memory size, and capabilities of communication and computation. Because of the broadcast nature of wireless links, an adversary can easily eavesdrop and inject/modify packets etc. in WSNs. Besides, sensor nodes in WSNs will inevitably be compromised due to the lack of tamper resistance [4]. Therefore, guaranteeing security in WSNs is a non-trivial and urgent task [35]. To elaborate on the status of the security issues in WSNs, a separate section, i.e., Sect. 2, is arranged for this purpose.

For avoiding possible attackers in WSNs, data authentication becomes a feasible approach. In the past, Ren et al. [31] proposed a location-aware end-to-end data security framework, i.e., LEDS, to provide end-to-end data security for WSNs. In LEDS, each sensor node merely stores a few location-oriented secret keys. By doing so, the impact of compromised sensor nodes can be effectively confined to their vicinity. Besides, LEDS provides both node-to-sink and node-to-node authentication schemes along the report forwarding paths. Finally, data delivery of LEDS offers en-route bogus data filtering, making LEDS robust against the denial of service (DoS) attack. However, LEDS suffers from the following drawbacks. First, due to the fact that LEDS has no mechanism to block compromised sensor nodes from injecting bogus reports, any compromised sensor node in the event cell can participate in generating bogus reports. Therefore, an adversary can inject a bogus report to fool the sink with a non-existing event by compromising enough sensor nodes in the event cell. Second, LEDS has no mechanism to compensate for the lack of legitimate secret shares¹ [31], causing the problem of data availability. Third, no sensor node in LEDS is responsible for checking the legitimacy of the report at the very beginning of the report lifetime. Therefore, a bogus report travels before it is dropped and this results in additional communication overheads. Fourth, the recipients of the report in LEDS can attach a forged message authentication code (MAC) to the message to fool the followers, implying that fraud commitment is possible in LEDS. Finally, every sensor node must store a set of keys shared with the sensor nodes along the report-authentication forwarding path, causing high storage overheads at sensor nodes. In the literature, Yang et al. [38] proposed a polynomial-based compromise-resilient en-route filtering (PCREF) scheme for cyber-physical networked systems, e.g., WSNs. PCREF is designed by adopting message authentication polynomials (MAPs) rather than MACs and clusters to avoid utilizing node localization. Of course, PCREF performs better than LEDS as illustrated in [38]. Considering multiple sinks instead of a single sink in WSNs, Ferng et al. [9] designed a suitable key management protocol called multi-BS key management protocol (MKMP) accordingly. Likewise, MKMP can outperform LEDS as shown in [9].

Like [31] and [38] but unlike [9], we still consider a WSN with a single sink and shall design a data authentication protocol. In our design, the concept of clusters as employed by PCREF [38] is taken into account. Unlike PCREF, MAPs are not utilized in our protocol. Instead, digital signature is adopted by our protocol in en-route filtering. Therefore, we shall design an efficient security protocol to guarantee end-to-end data authentication in cluster-based WSNs with the aid of digital signature in this paper. Such a protocol is called digital signature assisted end-to-end data authentication (DSEDA). The contributions of this paper can be summarized as follows. First, the advantages of clusters for WSNs when designing a security protocol have been preserved as in PCREF [38]. However, we avoid high storage and computation overheads observed in PCREF by adopting digital signature. Second, an efficient report generation method is proposed to block bogus reports injected by compromised sensor nodes. Third, a report collection mechanism is proposed to guarantee that every report will be verified at the very beginning of the report lifetime. With this mechanism, bogus reports can be filtered out as soon as possible. Fourth, data availability is enhanced by guaranteeing enough legitimate secret shares in report generation. Fifth, an efficient en-route filtering method is proposed with the aid of digital signature to avoid forgery or false information at intermediate nodes. It is crystal clear that DSEDA can get rid of the drawbacks of LEDS [31]. However, no benefits of multiple sinks as reported in [9] are gained because our protocol is still designed for a single-sink WSN. As for the strength of DSEDA, it will be analyzed later (Sects. 5 and 6) in this paper. Based on the results there, it can be shown that DSEDA performs better than LEDS as well as PCREF.

The rest of this paper is organized as follows. The related work is reviewed in Sect. 2. As for the system and threat models, they are given in Sect. 3. Section 4 presents the proposed protocol in detail and Sect. 5 gives the security analyses on the proposed protocol and the closely related protocols. In Sect. 6, the performance of the proposed protocol is evaluated with comparison to those protocols closest to ours. Finally, Sect. 7 concludes this paper.

¹ Let us briefly explain as follows. In LEDS, a (t, T) threshold linear secret sharing scheme (LSSS) is employed. Therefore, multiple sensor nodes may detect the event of interest simultaneously and are asked to generate shares based on the encrypted report. These shares generated from these non-compromised sensor nodes are then called legitimate secret shares. For details, one can refer to [31].

2 Related work

In the literature, many security protocols for WSNs have been proposed. Because of limited resources, most of the past protocols were designed according to the symmetric cryptography, e.g., those in [37, 41, 43]. To allow the BS and en-route nodes to detect false data with a certain probability, the statistical en-route filtering (SEF) [41] was proposed. For minimizing serious damages by detecting and filtering false reports at the very early en-route nodes, the interleaved hop-by-hop authentication (IHA) [43] was then proposed. Later, the location-based resilient secrecy (LBRS) [37] was proposed to solve the problems previously reported for SEF and IHA. Using the message authentication code, i.e., MAC, μTesla [28] and its variants [5, 19, 20] were proposed for the BS broadcast authentication. In [17], a multi-level key chain method was proposed for the initial commitment distribution in μTesla. In [22], a sink-rooted tree of cluster heads was constructed for the cluster-based false data filtering scheme (CFFS). With a distributed key assignment according to the node overhead within the tree, CFFS is able to filter the false report generated by the source cluster earlier.

As mentioned earlier, sensor nodes are extremely resource-constrained. For such a reason, Raymond et al. [29] explored the denial-of-sleep attack targeted to exhaust the power supply of sensor nodes and examined its effects in detail. Considering the same reason, the asymmetric key cryptography was thought to be expensive and infeasible for WSNs in the past although it could provide better resilience against attackers. However, Liu et al. [21] recently showed that the elliptic curve cryptography (ECC) signature verification only takes 14.49 ms with 160-bit keys on a Crossbow Imote2 platform² when running at 416 MHz [25]. As the computing technology advances, it is expected that the asymmetric key cryptography will be widely adopted by WSNs in the near future. Therefore, some researchers have begun to investigate the feasibility of applying the asymmetric key cryptography to sensor-wise platforms. To possibly take care of the fact that sensor nodes are extremely resource-constrained, some other possible approaches could be investigated, too. For coming up with some feasible approaches, the following ideas proposed in the literature could be employed with proper modification. The possible ideas are stated as follows. To reduce the storage overhead of certificates, an ID-based cryptography was introduced by Shamir [34]. In [8], an online/offline signature (OOS) scheme, which divides the signing process into offline and online phases to reduce the computation cost of signature generation, was proposed. The offline phase is performed to cover most computation of signature generation and to form a partial signature before the message to be signed becomes available. To achieve lower computation cost, an efficient and practical ID-based OOS scheme was proposed by Li et al. for WSNs in [15]. In [39], a variant of the Fiat-Shamir transformation was introduced by Yao and Zhao to enable the so-called C-signatures for low-power devices. To optimize the signature size, a partial message recovery algorithm was proposed in [26]. Using this algorithm, the signature is appended to a truncated message and the lost bytes are recovered by the verification algorithm. In [2, 30, 32], digital signature based authentication schemes were proposed and discussed. However, broadcast is only allowed for a powerful sender. Therefore, the schemes in [2, 30, 32] are not feasible for WSNs. To suit WSNs, Yasmin et al. [40] proposed an appropriate scheme by adopting ID-based OOS to provide both broadcast authentication and user authentication. At the same time, Liu et al. [8] also proposed an efficient ID-based OOS scheme without any certificate attached to the signature for verification. In [23], Liu et al. proposed a novel public key cryptography based broadcast authentication scheme. It utilizes signature amortization and employs only one elliptic curve digital signature algorithm (ECDSA) to authenticate all broadcast messages in WSNs.

To achieve efficient key management, several symmetric-key-based techniques were proposed in the literature, e.g., those in [3, 6, 7, 18, 42]. Eschenauer and Gligor [7] proposed a probabilistic key pre-distribution technique to guarantee that any pair of sensor nodes can share at least one common key with a certain probability. Chan et al. [3] proposed the q-composite key pre-distribution to allow a pair of sensor nodes to set up a pairwise key when they share at least q common keys. Du et al. [6] developed a pairwise key management scheme which was also independently developed by Liu and Ning [18]. In [42], Zhu et al. proposed an efficient security mechanism named localized encryption and authentication protocol which is denoted by LEAP+. This protocol helps establish individual keys between sensor nodes and the BS, pairwise keys between sensor nodes, cluster keys within a local area, and a group key shared by all sensor nodes.

Actually, most of the previous designs provided data security for WSNs in a hop-by-hop manner. Unlike those designs, Ren et al. [31] proposed LEDS to provide end-to-end data security for WSNs. Via a differentiated key pre-distribution, an end-to-end secure communication protocol was designed by Gu et al. [10] for randomly deployed WSNs. In [1], Ayday et al. provided a location-aware network-coding security (LNCS) protocol to enhance data confidentiality, authenticity, and availability in multi-hop WSNs. Adopting MAPs rather than MACs, Yang et al. [38] proposed a polynomial-based compromise-resilient en-route filtering scheme, i.e., PCREF, for cyber-physical networked systems, e.g., WSNs. Considering multiple sinks instead of a single sink in WSNs, Ferng et al. [9] designed a suitable key management protocol accordingly.

In LEDS, the symmetric secret keys are bound to geographic locations. By this means, attackers cannot utilize the secret keys obtained from the compromised sensor nodes to launch attacks at the other places. LEDS also achieves high-level assurance on data availability under both report disruption and selective forwarding attacks. Finally, data delivery of LEDS guarantees the ability to detect and drop a bogus report early in an effective and deterministic manner. However, LEDS still cannot avoid the following drawbacks. Note that any sensor node in the event cell can participate in report generation. Therefore, attackers only need to compromise enough sensor nodes in an event cell to generate a valid report for a non-existing event. Besides, LEDS is not able to detect and replace lost or illegitimate secret shares early, resulting in a data availability problem. Moreover, bogus reports cannot be filtered out at the very beginning of the report lifetime in LEDS, causing inevitable communication overheads. Last but not least, non-repudiation is not provided by LEDS because MACs are possibly forged. Any recipient can verify the report and generate a fake MAC to fool the following recipients.

Unlike [9], a single-sink WSN is to be considered to design a data authentication protocol in this paper with inclusion of clusters like PCREF [38]. Unlike PCREF (LEDS), digital signature rather than MAPs (MACs) is adopted by our protocol in en-route filtering. Keeping the advantages of clusters in PCREF and overcoming the drawbacks in LEDS, an enhanced authentication protocol is proposed in this paper with the contributions mentioned in the section of introduction, which are not stated here for saving space.

² Undoubtedly, an Imote2 was a widely employed wireless sensor node. To save power consumption, one can design low-power wireless sensor nodes for this purpose, e.g., Mica2 [25]. Therefore, an Imote2 serves as a cluster head and a Mica2 serves as a low-power sensor node in the section of performance analysis.

3 System and threat models

Let us depict the system model first. In this paper, a cluster-based WSN [14, 16] consisting of a stationary sink and a huge number of static sensor nodes is considered with the following assumptions.

• Each sensor node can obtain its location information via a built-in global positioning system (GPS) or a localization scheme. Although GPS is employed, GPS location errors are tolerable for our solution because only the centers of a home cell and an event cell are concerned as explained later.
• Without loss of generality, the deployment area is divided into multiple hexagonal clusters as illustrated in Fig. 1. Each cluster contains many subareas called cells like those defined in [31] and has a cluster head (CH) located at the center of the hexagon. CHs are assumed to be more powerful in computation and storage than the other sensor nodes. Therefore, they have the capability to implement the public key system.
• Each event of interest can be detected by multiple sensor nodes in the corresponding cell called event cell with densely deployed sensor nodes. When an event occurs, some sensor nodes in the event cell having detected it can generate reports. These reports are collected by the CH in the cluster and then forwarded toward the sink via CHs over multi-hop paths.
• Each sensor node has a unique ID and the sink is capable of getting information of all sensor nodes.
• Finally, a report-authentication forwarding area is defined as a set of clusters participating in the report forwarding to the sink. The report-authentication forwarding area is determined by the line segment connecting the center of the source cluster and the sink. Specifically, it consists of all the clusters intersected by this line segment. As shown in Fig. 1, an event occurs in the blue (starting) cluster and the report-authentication forwarding area is indicated by the red (remaining) clusters.

Fig. 1 Hexagonal clusters and an example of the report authentication forwarding area


Next, let us detail the threat model by posing the following assumptions.

• An adversary could compromise multiple sensor nodes. If a sensor node is compromised, the adversary is able to get all the information held by that sensor node.
• However, the sink will not be compromised because it is usually well-protected.
• The adversary can eavesdrop the channel, inject false packets, and replay older packets. Moreover, the adversary could exploit the compromised sensor nodes and use them to drop or alter messages passing through them.

4 Proposed authentication protocol

4.1 Deployment and initialization

Following the system and threat models in the previous section, the deployment is stated as follows:

• Suppose that the WSN has at most N sensor nodes; all the sensor nodes are deployed in a two-dimensional area which could be divided into multiple hexagonal clusters as shown in Fig. 1.
• Illustrated by Fig. 2 are the cluster indicated by a blue hexagon, the event cell indicated by a white circle with radius (or sensing range) of $r_s$, and the communication range of the CH denoted by $R_c$ which is the radius of the yellow circle. Typically, $R_c$ is greater than $2r_s$.
• For convenience, the numbers of sensor nodes in the cluster with originating events and the event cell are denoted by $N_c$ and $n$, respectively.
• According to $N_c$, $n$, $r_s$, and $R_c$, the network planner can further determine the number of secret shares $T$ [31] to be included in a valid report and the minimum number of correct secret shares $t$ [31] required to validate a report.

Fig. 2 Illustration of a cluster (blue hexagon), an event cell (white circle), and the communication range of the CH (yellow circle) (Color figure online)

As far as the sensor node initialization is concerned, two different parts are stated in the following paragraphs:

4.1.1 The initialization for each sensor node

Regarding node $u$, two secret keys $K_u^1$ and $K_u^2$ shared with the sink and a large prime number $p$ are preloaded. Like [31], the two secret keys are associated with the home cell location, i.e., the center of the home cell, $I_u$ and ID $u$ of sensor node $u$. They can be generated by two preselected pseudorandom functions $H_s^1(\cdot)$ and $H_s^2(\cdot)$ as follows:

$$K_u^1 = H_s^1(u \mid I_u), \quad K_u^2 = H_s^2(u \mid I_u), \tag{1}$$

where the subscript $s$ denotes secret and $\mid$ denotes the operation of concatenation.

4.1.2 The initialization for each CH

Three different types of keys are preloaded as follows:

• Firstly, a pairwise key pool is associated with a CH using the following procedure:
  Step 1: The size of the key pool is properly set so that it is greater than the number of sensor nodes in a cluster $N_c$.
  Step 2: After the deployment phase, each sensor node, say, node $u$, registers to the CH to let the CH store necessary information of the sensor node.
  Step 3: Then, the CH randomly selects a pairwise key $K_{u,CH}$ from the pairwise key pool³ for the registered sensor node to have a secure communication between the CH and the sensor node.
• Secondly, a public/secret key (PK/SK) pair like that built by [21] is preloaded. The CH signs every message with the SK using a digital signature scheme and broadcasts the PK to all the CHs in the same report-authentication forwarding area for message verification.

³ As for how to establish a pairwise key pool, one can refer to the literature for details, e.g., [3, 7] etc.


• Finally, two secret keys $K_{CH}^1$ and $K_{CH}^2$ shared between the CH and the sink are preloaded to protect the communication between them. As for the generation of these two secret keys, they can be generated as follows:

$$K_{CH}^1 = H_{CH}^1(CH \mid I_{CH}), \quad K_{CH}^2 = H_{CH}^2(CH \mid I_{CH}), \tag{2}$$

  where $H_{CH}^1(\cdot)$ and $H_{CH}^2(\cdot)$ are two preselected pseudorandom functions, the CH in the argument stands for the ID of the CH, and $I_{CH}$ denotes the center of the cluster which the CH belongs to.

Algorithm 1: Report Generation
1. Once the sensor nodes in the event cell detect an event, each of them computes $v_r = h(t_e \| l_e)$.
2. The $T$ sensor nodes with the IDs closer to $v_r$ than the others then participate in report generation.
3. Each of them, say, node $u$, computes a unique secret share $S_u$ for the report $S$ using the predefined $(t, T)$ LSSS.
4. Encrypt $S_u$ to obtain $E_u = E_{K_{u,CH}}(S_u)$.
5. Compute $MAC_{K_{u,CH}}(E_u, u)$ and send $\{E_u, u, MAC_{K_{u,CH}}(E_u, u)\}$ to the CH.
6. The non-participating sensor nodes start timers and overhear the channel.
7. Generate alternative secret shares to be sent to the CH to maintain enough secret shares for generating a legitimate report by some non-participating sensor nodes, if necessary.

4.2 Report generation

The procedure of report generation is shown in Algorithm 1. When an event occurs, multiple sensor nodes in the event cell can detect it (based on the assumption in Sect. 3). In LEDS, any $T$ $(< n)$ of these sensor nodes can participate in report generation. Therefore, an attacker only needs to compromise at least $t$ sensor nodes from the $T$ sensor nodes in the event cell to successfully generate a fake report to fool the sink with a non-existing event. Instead of allowing any $T$ sensor nodes in the event cell to participate in report generation, our proposed protocol, i.e., DSEDA, needs to choose $T$ sensor nodes in the event cell properly for generating the report. In particular, the sensor nodes in the event cell will use a hash function to map the event to a reference value $v_r$ within the same range of sensor node IDs which are pre-configurable and in integers.⁴ Because a WSN is considered, sensor nodes are static and can be pre-configured. Therefore, the IDs in each cell can be configurable. The information of the event may include the event location $l_e$ which is the center of the event cell along with the post-processed event time $t_e$ which is a rounded integer⁵ derived from the time in seconds when the event is sensed $t_s$, e.g., $t_e = \lceil t_s \rceil$ or other suitable forms.

As aforementioned, the IDs in each cell can be configurable. This allows us to assume that each sensor node knows the range of sensor node IDs in the same event cell. Therefore, sensor nodes can determine the $T$ IDs closer to $v_r$ than the others. The $T$ sensor nodes with such IDs are then picked to generate the report. In this paper, the closest ID to the reference value is defined as the most immediate successor of the reference value. As for the most immediate successor with ID $ID_{is}$ regarding a reference value $v_r$, it is determined as follows: $ID_{is}$ is the smallest ID among the subset of IDs $\{ID \mid ID > v_r\}$ if $v_r < ID_{max}$ or $\{ID \mid ID \ge ID_{min}\}$ if $v_r \ge ID_{max}$. Note that $ID_{max}$ and $ID_{min}$ denote the maximum ID and the minimum ID, respectively. Following this definition, the $T$ IDs closer to the reference value $v_r$ than the others can be defined accordingly. They are the ID of the most immediate successor to $v_r$ and $T - 1$ IDs of the next most immediate successors to the current most immediate successors. Each sensor node in the event cell checks whether it belongs to the set of sensor nodes with closer IDs to $v_r$ or not. If yes, it computes a unique secret share $S_u$ (here $u$ denotes the node ID) of the report $S$ using the predefined $(t, T)$ threshold LSSS [33]. Specifically, $S_u$ can be obtained through the following bivariate polynomial of degree $t$ over the finite field $GF(p)$ by using two secret keys shared with the sink, i.e., $K_u^1$ and $K_u^2$.

$$S_u = \sum_{0 \le i \le t-2} a_i \left(K_u^1\right)^{i+1} + a_{t-1} \left(K_u^2\right)^{t} \bmod p, \tag{3}$$

where the set of $a_i$, $i = 0, 1, \ldots, t-1$, denotes a full partition of $S$. For each participating sensor node, say, node $u$, it encrypts $S_u$ using the secret key shared with the CH to obtain $E_u = E_{K_{u,CH}}(S_u)$. It then computes its MAC, i.e., $MAC_{K_{u,CH}}(E_u, u)$, and sends the encrypted secret share along with its ID and MAC, i.e., $\{E_u, u, MAC_{K_{u,CH}}(E_u, u)\}$, to the CH.

⁴ This is a feasible approach because it comes from the concept of a distributed hash table (DHT) in a peer-to-peer (P2P) network.

⁵ As stated in Sect. 4.1, the size of a cell (an event cell) is covered by a circle with the radius of sensing range $r_s$. Therefore, an event in the event cell falls within the sensing range of the sensor nodes in the event cell. This implies that the difference between two time instants to sense that event by two sensor nodes should be negligible even if it exists. To achieve the same event time calculated by the sensor nodes in the same event cell sensing the event for sure, such a rounded value is then used by sensor nodes to stand for the "true" event time. Undoubtedly, time synchronization is an important issue in the wireless sensor network but it does not fall within the scope of this paper. However, our solution does not rely on perfect time synchronization because a post-processed event time rather than an exact event time is utilized.

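The participant selection and share computation described above (Algorithm 1, steps 1 to 3, and Eq. 3), as an added example that is not code from the paper. HMAC-SHA256 stands in for the pseudorandom functions $H_s^1$, $H_s^2$ and SHA-256 for $h$; the prime, the chunking of $S$ into the $a_i$, and all sample values are constructed assumptions, and the sink-side `recover` step goes beyond the text by solving the $t$ linear equations that Eq. (3) implies.

```python
import hashlib
import hmac

P = 2**127 - 1  # large prime p preloaded on every node (value chosen for this example)

def prf(secret: bytes, node_id: int, home_cell: tuple) -> int:
    """Stand-in for H_s^1 / H_s^2 in Eq. (1): K = H_s(u | I_u), here HMAC-SHA256."""
    msg = f"{node_id}|{home_cell[0]},{home_cell[1]}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest(), "big") % P

def reference_value(t_e: int, l_e: tuple, id_min: int, id_max: int) -> int:
    """v_r = h(t_e || l_e), reduced into the ID range of the event cell (assumed mapping)."""
    digest = hashlib.sha256(f"{t_e}||{l_e[0]},{l_e[1]}".encode()).digest()
    return id_min + int.from_bytes(digest, "big") % (id_max - id_min + 1)

def select_participants(v_r: int, cell_ids: list, T: int) -> list:
    """T most immediate successors of v_r: smallest ID > v_r first, wrapping to ID_min."""
    ids = sorted(cell_ids)
    ring = [i for i in ids if i > v_r] + [i for i in ids if i <= v_r]
    return ring[:T]

def partition(report: bytes, t: int) -> list:
    """Split S into t integers a_0..a_{t-1}, each below p (chunking is an assumption)."""
    size = -(-len(report) // t)          # ceil(len / t)
    if size > 15:                        # 15 bytes = 120 bits, below the 127-bit p
        raise ValueError("report too long for this p and t")
    return [int.from_bytes(report[i * size:(i + 1) * size], "big") for i in range(t)]

def secret_share(a: list, k1: int, k2: int) -> int:
    """Eq. (3): S_u = sum_{0<=i<=t-2} a_i (K_u^1)^(i+1) + a_{t-1} (K_u^2)^t mod p."""
    t = len(a)
    total = sum(a[i] * pow(k1, i + 1, P) for i in range(t - 1))
    return (total + a[t - 1] * pow(k2, t, P)) % P

def recover(shares: dict, keys: dict, t: int) -> list:
    """Sink side: t shares give t linear equations in a_0..a_{t-1}; solve them over GF(p)."""
    if len(shares) < t:
        raise ValueError("fewer than t shares")
    rows = []
    for u in sorted(shares)[:t]:
        k1, k2 = keys[u]
        rows.append([pow(k1, i + 1, P) for i in range(t - 1)] + [pow(k2, t, P), shares[u]])
    for col in range(t):                 # Gauss-Jordan elimination modulo p
        pivot = next((r for r in range(col, t) if rows[r][col]), None)
        if pivot is None:
            raise ValueError("shares are not linearly independent")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [x * inv % P for x in rows[col]]
        for r in range(t):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % P for x, y in zip(rows[r], rows[col])]
    return [row[t] for row in rows]

def demo():
    cell = (120, 80)                     # constructed event-cell centre l_e (= home cell I_u)
    ids = list(range(100, 110))          # constructed ID range of the event cell
    t, T, t_e = 3, 5, 1467
    v_r = reference_value(t_e, cell, min(ids), max(ids))
    chosen = select_participants(v_r, ids, T)
    keys = {u: (prf(b"constructed-secret-1", u, cell),
                prf(b"constructed-secret-2", u, cell)) for u in chosen}
    a = partition(b"smoke@cell(120,80);t=1467", t)
    shares = {u: secret_share(a, *keys[u]) for u in chosen}
    subset = {u: shares[u] for u in chosen[1:1 + t]}   # any t of the T shares
    return chosen, a, recover(subset, keys, t)

if __name__ == "__main__":
    chosen, a, recovered = demo()
    print("participants:", chosen)
    print("recovered == original:", recovered == a)
```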

Explicitly, some of the sensor nodes chosen to generate the CH. Therefore, the bogus report is possibly dropped by
the report may not contribute the secret share for generat- the CH. On the other hand, the CH can check the legiti-
ing a legitimate report if they are compromised or not macy of secret shares. If the CH detects any illegitimate
operating, causing the problem of data availability. For secret share, it will further request some of the non-par-
LEDS, it has no mechanism to compensate the lack of ticipating sensor nodes to send alternative secret shares.
participating sensor nodes in report generation due to the
refusal of the compromised (non-operating) sensor nodes.
Algorithm 2: Report Collection at the CH
This forces the report to be discarded. To avoid such a
drawback, DSEDA tries to maintain enough sensor nodes 1. Check the freshness of secret shares according to the event time.
to participate in report generation. Specifically, non-par- 2. Checks the condition dðIs ; lu Þ\rs for all the sensor nodes in the
ticipating sensor nodes, i.e., those sensor nodes do not current event cell.
participate in report generation initially, are asked to start 3. Check the legitimacy of the participating sensor nodes.
timers and overhear the channel.6 Within a time period, 4. Discard the report if fewer than t legitimate sensor nodes
say, Tr which denotes the report generation time for the CH participate in report generation within time period Tr .
to collect enough (i.e., T) secret shares, participating sensor 5. Verify the MAC of each secret share and drop secret shares with
incorrect MACs.
nodes generate the secret shares and send them to the CH.
Meanwhile, the non-participating sensor nodes count the 6. Request alternative secret shares from the other sensor nodes in the
event cell, if necessary.
number of secret shares overheard over the channel. After
7. Stop report collection when the CH collects T legitimate secret
the report generation time elapses, some of the non-par- shares or all the sensor nodes are exhausted.
ticipating sensor nodes with IDs closer to the reference 8. Discard the report if fewer than t legitimate secret shares are
value vr than the other non-participating sensor nodes may collected.
respond as follows. They are allowed to generate alterna-
tive secret shares to be sent to the CH if the count is less
than T. By doing so,7 enough sensor nodes are maintained
to participate in report generation.

4.3 Report collection at the CH

Note that T participating sensor nodes agree on the event report S in LEDS and generate secret shares to form the report to be sent to the sink. The report will be endorsed by multiple sensor nodes along the report-authentication forwarding path. One can easily find the following two disadvantages of LEDS. First, no sensor node in LEDS is responsible for checking the legitimacy of the report at the very beginning of the report lifetime. Therefore, the bogus report from an affected cell can travel before it is dropped. Second, there is no mechanism to compensate for the lack of legitimate secret shares, causing the problem of data availability. In the proposed protocol, each report is first endorsed by

Now, let us detail the procedure of report collection at the CH (see Algorithm 2).

• Upon receiving secret shares, the CH checks the freshness of secret shares according to the event time.
• Then, the CH checks the location information of all the sensor nodes in the current event cell. In particular, the condition $d(I_s, l_u) < r_s$ should be satisfied, where $I_s$ is the center of the event cell (event location), $l_u$ is the position of sensor node u, and $d(I_s, l_u)$ stands for the distance between $I_s$ and $l_u$.
• If the CH detects any illegitimate secret share which is either sent from an illegitimate sensor node not belonging to the event cell or is not one of the T secret shares generated by the participating sensor nodes, it takes the following action. It drops that secret share immediately.
• If fewer than t sensor nodes among the participating sensor nodes send secret shares to the CH, the report will be discarded.
• Otherwise, the CH verifies the MAC of each secret share. If it is incorrect, the corresponding secret share will be dropped accordingly.
• For each illegitimate secret share detected, the CH requests an alternative secret share from the other sensor nodes in the event cell. The CH finishes report collection when T legitimate secret shares are collected.
• If the CH cannot collect T legitimate secret shares even if all the sensor nodes in the event cell have participated in report generation already, it needs to collect at least t legitimate secret shares for a legitimate report.
• Otherwise, the report will be discarded by the CH.

6 Such overhearing happens in an individual event cell only. Therefore, the range of overhearing is limited to the range of an event cell. This will not become difficult for such a communication range even if the real-world development with different geographical areas or buildings is considered.

7 Of course, a tradeoff between energy consumption in overhearing and security enhancement is inevitable. To alleviate possible energy consumption incurred, the number of non-participating sensor nodes to overhear can be properly controlled. For example, a random approach may be utilized to allow each non-participating sensor node to overhear and participate later or not by specifying a suitable probability $p_o$. Such a random approach can then reduce the number of non-participating sensor nodes to overhear by a factor of $1 - p_o$ on average.

Afterwards, the CH prepares a message to be sent to the sink as illustrated in Fig. 3. The message typically consists of a header and payload data. Here, the payload data include two parts: ID part with T IDs of sensor nodes generating the report and data part of the T corresponding secret shares. For achieving communication efficiency, the field of T IDs can be properly reduced by using a bloom filter [24]. In the bloom filter, k system-wide hash functions $h_1, h_2, \ldots, h_k$ are applied to map the ID part of 2T bytes (two bytes for each ID) to l-bit string $F = b_0 b_1 \cdots b_{l-1}$. Specifically, $b_\ell$ ($0 \le \ell \le l - 1$) can be obtained via

$$b_\ell = \begin{cases} 1, & \text{if } \exists\, i,\ 1 \le i \le k,\ \text{s.t. } h_i(\mathrm{ID}) = \ell, \\ 0, & \text{otherwise.} \end{cases} \tag{4}$$

In Fig. 4, an example is illustrated for a bloom filter with 6 hash functions and a 24-bit string. Therefore, the size of ID part can be reduced to 3 bytes (24 bits).

Algorithm 3: Signature Generation Using the Partial Message Recovery
1. Break message m into two parts: $m_1$ and $m_2$.
2. Generate a random key pair $\{t, V\}$, where $t \in [1, r - 1]$ and $V = t \times G = (x_1, y_1)$. Note that $x_1 \bmod r \neq 0$, operator $\times$ denotes the elliptic curve point multiplication by a scalar, G is a base point on the elliptic curve and serves as a generator of the elliptic curve, and r is a large multiplicative prime order of G.
3. Encode and hash V into an integer i (see [26] for details).
4. Form $f_1$ from $m_1$ by adding proper redundancy (see [12] for details).
5. Compute $h = (i + f_1) \bmod r$.
6. If $h = 0$, go to Step 2.
7. Compute $f_2 = h(m_2)$ and $d = t^{-1}(f_2 + jh) \bmod r$, where $h(\cdot)$ is a SHA-1 hash function and j is the private key of the CH.
8. If $d = 0$, go to Step 2.
9. Output the pair of $\{h, d\}$ as the signature.
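Algorithm 3 and the matching verification procedure (Algorithm 4 in Sect. 4.4) can be run end to end. The code below is an added example, not the authors' code or the scheme of [26] as specified there; it assumes secp256k1 in place of a 160-bit curve, SHA-256 for the point hash, and a fixed 10-byte $m_1$ followed by four zero bytes as the redundancy.

```python
import hashlib
import secrets

# Assumed curve: secp256k1 (the page's scheme targets a 160-bit curve).
P = 2**256 - 2**32 - 977                      # field prime
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
R = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order r of G
M1_LEN = 10          # assumed size of the recoverable part m1, in bytes
PAD = b"\x00" * 4    # assumed redundancy appended to m1 to form f1
HEAD = 32 - M1_LEN - len(PAD)   # leading zero bytes of a well-formed f1


def ec_add(p1, p2):
    """Add two curve points; None stands for the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # a = 0 on this curve
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Scalar multiplication by double-and-add (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_hash(pt):
    """Encode a point and hash it into the integer i (SHA-256 is an assumption)."""
    enc = pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % R


def msg_hash(m2):
    """f2 = h(m2), with SHA-1 as named in Algorithm 3."""
    return int.from_bytes(hashlib.sha1(m2).digest(), "big") % R


def keygen():
    """Private key j and public key K = j*G of a cluster head."""
    j = secrets.randbelow(R - 1) + 1
    return j, ec_mul(j, G)


def sign(j, m):
    """Algorithm 3: returns (m2, h, d); m1 travels inside h."""
    if len(m) < M1_LEN:
        raise ValueError("message shorter than the recoverable part")
    m1, m2 = m[:M1_LEN], m[M1_LEN:]                 # step 1
    f1 = int.from_bytes(m1 + PAD, "big")            # step 4
    f2 = msg_hash(m2)
    while True:
        t = secrets.randbelow(R - 1) + 1            # step 2
        V = ec_mul(t, G)
        if V[0] % R == 0:
            continue
        h = (point_hash(V) + f1) % R                # steps 3 and 5
        if h == 0:                                  # step 6
            continue
        d = pow(t, -1, R) * (f2 + j * h) % R        # step 7
        if d != 0:                                  # step 8
            return m2, h, d                         # step 9


def verify(K, m2, h, d):
    """Algorithm 4: returns the recovered m = m1 || m2, or None to discard."""
    if not (1 <= h < R and 1 <= d < R):             # step 1
        return None
    d_inv = pow(d, -1, R)                           # step 2
    pt = ec_add(ec_mul(msg_hash(m2) * d_inv % R, G),
                ec_mul(h * d_inv % R, K))           # step 3
    if pt is None:                                  # step 4
        return None
    raw = ((h - point_hash(pt)) % R).to_bytes(32, "big")     # step 5: f1
    if raw[:HEAD] != bytes(HEAD) or raw[-len(PAD):] != PAD:  # step 6
        return None
    return raw[HEAD:HEAD + M1_LEN] + m2             # step 7
```

Only $m_2$, h, and d are transmitted, so the 10 bytes of $m_1$ are recovered by the verifier rather than sent; a changed $m_2$, h, or key makes the recovered $f_1$ fail the redundancy check.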
Fig. 3 Message format of the message sent to the sink prepared by the CH

Fig. 4 A Bloom filter using 6 hash functions to map IDs to a 24-bit string

4.4 En-route filtering

Once the CH finishes data preparation for report forwarding, it uses digital signature for signing the message before being sent to the sink. The main reason to use digital signature rather than the MAC technique relies on the fact that digital signature eliminates the possibility of committing a fraud. By doing so, the other CHs can authenticate the source directly to avoid forged signature. Although digital signature guarantees that the recipients of the message are free from forgery or false information, it might cause a message overhead. To minimize the message overhead, a good digital signature scheme should be adopted. Therefore, the partial message recovery algorithm from [26] is adopted by DSEDA. The main idea behind the partial message recovery relies on the fact that the message can be recovered using the attached signature. In this way, up to 14 bytes of the message overhead can be saved as explained in [26]. To sign a message m, the CH then takes the steps as depicted in Algorithm 3 which illustrates the signature generation using the partial message recovery. After generating the signature successfully, the CH forwards $\{m_2, h, d\}$ towards the sink through the report-authentication forwarding area, where $m_2$, h, and d can be referred to Algorithm 3. Because the CHs closer to the sink must verify the signature of the CHs farther from the sink, all the public keys of the CHs farther from the sink should be stored in the same report-authentication forwarding area. The longer the length of the report-authentication forwarding is, the more public keys must be stored. However, the CH might belong to the other report-authentication forwarding area, causing more public keys to be stored. For the asymmetric

key system, the key length is at least 160 bits when ECDSA-160 [11] is used. Given a storage limit of 5 Kbytes, only 256 public keys can be stored at most. Actually, the CHs store not only public keys of other CHs but also the other information required. This implies that reducing the number of the public keys to be stored by the CH is a must. Now, a method to solve such a problem is proposed as follows.

Allowing a sub-authentication area (sub-auth) to cover a fixed number of CHs, say, $\phi$, one can divide the report-authentication forwarding area into several sub-auths. For each CH, it merely stores the public keys of the CHs that are k ($1 \le k \le \phi$) clusters away from itself. The CHs which are exactly $i\phi$ ($i = 1, 2, \ldots$) clusters away from the source CH then serve as the main CHs. As illustrated in Fig. 5, where $\phi = 3$ and 3 sub-auths are formed, CH$_1$ is the source CH with an originating event and CH$_1$, CH$_4$, and CH$_7$ are the main CHs in sub-auths. For the main CHs, two operations, i.e., verifying and signing messages are performed using private keys. For the other CHs, the public key of the main CH in the same sub-auth is used for message verification. Specifically, the CH which is f clusters away from the source CH uses the public key of the CH which is $v = \phi \lfloor f/\phi \rfloor$ clusters away from the source CH to verify the signature. In Fig. 5, CH$_9$ is 8 clusters away from the source CH, then CH$_9$ finds the public key of the CH which is $v = 3\lfloor 8/3 \rfloor = 6$ clusters away from the source CH, i.e., CH$_7$, in its memory for signature verification using the algorithm depicted in Algorithm 4.

Algorithm 4: Signature Verification Using the Partial Message Recovery
1. Discard the message if $h \notin [1, r - 1]$ or $d \notin [1, r - 1]$.
2. Compute $f_2 = h(m_2)$, $\hat{h} = d^{-1} \bmod r$, and $\hat{h}_1 = f_2 \hat{h} \bmod r$.
3. Compute $\hat{h}_2 = h\hat{h} \bmod r$ and $P = \hat{h}_1 \times G + \hat{h}_2 \times K$, where K is the public key of the CH on the elliptic curve.
4. Discard the message if $P = O$, where O is the point at infinity.
5. Encode and hash P into an integer i [26] and compute $f_1 = (h - i) \bmod r$.
6. Discard the message if the redundancy of $f_1$ is incorrect [26].
7. Otherwise, accept $m_1$ which is obtained from $f_1$ and the signature. Finally, reconstruct $m = m_1 \| m_2$.

Fig. 5 En-route filtering

Algorithm 5: Sink Verification
1. Verify signature, recover message m, and check the freshness of the report.
2. Determine all the sensor nodes in the current event cell via the condition $d(I_s, l_u) < r_s$.
3. Concatenate any T distinct IDs in the event cell.
4. Compute hash functions $h_i(\cdot)$ ($1 \le i \le k$) of these T distinct IDs and check whether the corresponding bit is 1 or not in bit stream F.
5. If at least one of them is 0, go to step 3 with another T distinct IDs.
6. If all of them are 1, try to recover S from any t secret shares to get the report.
7. If the report is meaningful, the recovery operation is successful. Otherwise, try to recover S from another t secret shares.
8. If no correct report can be got from the T secret shares, the report will be discarded.

4.5 Sink verification

One can refer to Algorithm 5 for the sink verification procedure. In the following, this procedure is described with explanation.

• Upon receiving the report, the sink verifies the signature and recovers message m. Then, it checks the freshness of the report with the help of the event time.
• Next, it determines all the sensor nodes in the current event cell via the condition $d(I_s, l_u) < r_s$.
• Using the property of the bloom filter, all the sensor nodes participating in report generation are determined accordingly. Specifically, the sink computes hash functions $h_i(\cdot)$ ($1 \le i \le k$) of T distinct IDs in the event cell and checks whether the corresponding bit is "1" or not in bit stream F.
• If at least one of the corresponding bits is "0", it tries another T distinct IDs.
• If all of them are "1", it can then determine all the IDs of the sensor nodes participating in report generation.
• If fewer than t legitimate sensor nodes generate the report, the sink will discard the report. Otherwise, the sink tries to recover S from any t secret shares to get the report.

• If the report is meaningful, the recovery operation is successful. If not, it tries to recover S from other t secret shares.
• If it cannot get a correct report from the received message, the report will be discarded accordingly.

5 Security analysis of the proposed protocol

As far as the analysis on security of the signature and verification algorithms, i.e., Algorithms 3-4, is concerned, it can be referred to [26] which has proven that these algorithms are secure under the adaptive message attacks. Therefore, we further examine the security strength of the proposed protocol with respect to data authenticity, data availability, and expected filtering position of the bogus report via an analytical approach in this section. With the analytical results, it can be shown later that the proposed protocol offers a much higher resilience capability against attacks as compared to LEDS, PCREF, and t-PCREF [38]. In the following paragraphs, the analysis is to be carried out.

5.1 Security strength regarding data authenticity

As mentioned previously, sensor nodes are inevitable to be compromised in WSNs due to lack of tamper resistance. The attacker could launch the random node capture attack [31] to compromise multiple sensor nodes in the event cell to inject bogus reports to fool the sink with non-existing events. Note that the random node capture attack has been employed by [31] for LEDS and [38] for PCREF and t-PCREF to investigate the security analysis. Of course, a coordinated attack which may compromise some or all neighboring nodes can bring a strong impact on the aforementioned protocols. However, such a coordinated attack requires high capability and more resources to achieve its goal and seems to be a specifically tailored attack. To ease the purpose of comparison and to avoid focusing on a tailored attack, we decide to employ the random node capture attack in this paper, too. For evaluating our proposed protocol, i.e., DSEDA, with comparison to LEDS, PCREF, and t-PCREF regarding data authenticity, the probabilities of being able to inject a bogus report to fool the sink are considered. These probabilities for LEDS, PCREF, t-PCREF and our proposed protocol under the random node capture attack are derived as follows. Note that the higher this probability is, the lower the data authenticity is.

5.1.1 Data authenticity for LEDS

To pass both the en-route filtering and sink verification successfully to inject a bogus report in LEDS, an attacker needs to compromise at least t sensor nodes in the corresponding event cell. Given that the number of compromised sensor nodes in the cluster with originating events is x, the probability that an event cell is compromised regarding data authenticity is given by

$$P^{\mathrm{LEDS}}_{\mathrm{Auth}}(x) = \sum_{i=t}^{n} P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x) = \sum_{i=t}^{n} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}, \tag{5}$$

where $P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x)$ denotes the probability that exactly i sensor nodes in the event cell are compromised given x compromised sensor nodes in the cluster with originating events and is given as follows:

$$P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x) = \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}. \tag{6}$$

5.1.2 Data authenticity for PCREF and t-PCREF

As claimed in [38], it is quite hard to derive the desired primitive polynomial for the adversary in PCREF and t-PCREF. Therefore, the following calculation ignores such a case and simply considers the random node capture attack. For PCREF and t-PCREF, an attacker needs to compromise at least T and t, respectively, sensor nodes in the corresponding event cell to pass both the en-route filtering and sink verification successfully to inject a bogus report. Given that the number of compromised sensor nodes in the cluster with originating events is x, the probability that an event cell is compromised regarding data authenticity is given by

$$P^{\mathrm{PCREF}}_{\mathrm{Auth}}(x) = \sum_{i=T}^{n} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}, \tag{7}$$

$$P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Auth}}(x) = \sum_{i=t}^{n} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} = P^{\mathrm{LEDS}}_{\mathrm{Auth}}(x). \tag{8}$$

5.1.3 Data authenticity for DSEDA

It is obvious that DSEDA always outperforms LEDS and t-PCREF which performs the same as LEDS as observed from Eq. (8) in data authenticity except for some extreme cases where DSEDA, LEDS, and t-PCREF perform comparably. This mainly comes from both of its report generation and report collection at the CH. Now, this property of DSEDA is proven in the following theorem.

Theorem 1 DSEDA always outperforms LEDS and t-PCREF in data authenticity except for some extreme cases where DSEDA, LEDS, and t-PCREF perform comparably.

Proof To inject a bogus report to fool the sink in DSEDA, the attacker has to compromise at least t sensor nodes

participating in report generation in the event cell. Note that the T participating sensor nodes are selected/determined according to the event location and event time. It then becomes harder for the attacker to take control of this process to compromise these participating sensor nodes to generate a bogus report arbitrarily. For the purpose of comparison, the probability that the attacker is able to inject a bogus report to fool the sink in DSEDA is derived as follows. Given x compromised sensor nodes in the cluster with originating events, the probability that exactly i sensor nodes in the event cell are compromised is given in (6). To inject a bogus report to fool the sink in DSEDA, it is further asked that j sensor nodes out of the i compromised sensor nodes in the event cell should come from the T participating sensor nodes with the following constraints:

$$j \ge t, \quad i - j \le n - T, \quad j \le i, \quad j \le T, \tag{9}$$

i.e.,

$$\max(t,\ i - n + T) \le j \le \min(i, T). \tag{10}$$

The first constraint of (9) asks that at least t participating sensor nodes in the event cell are compromised. The second constraint of (9) says that the remaining $i - j$ compromised nodes should be chosen from the $n - T$ non-participating sensor nodes in the event cell. The third constraint of (9) indicates that j sensor nodes out of the i compromised sensor nodes in the event cell. The final constraint of (9) stands for that at most T participating sensor nodes in the event cell can be compromised. As for the corresponding probability for this further requirement, it follows the probability mass function (pmf) of the hypergeometric distribution, i.e., $\binom{T}{j}\binom{n-T}{i-j} / \binom{n}{i}$. Putting the aforementioned descriptions together leads to the following probability that the attacker is able to inject a bogus report to fool the sink in DSEDA.

$$P^{\mathrm{DSEDA}}_{\mathrm{Auth}}(x) = \sum_{i=t}^{n} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \left( \sum_{j=\max(t,\,i-n+T)}^{\min(i,T)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \right). \tag{11}$$

Noting that $\sum_{j=\max(t,\,i-n+T)}^{\min(i,T)} \binom{T}{j}\binom{n-T}{i-j} / \binom{n}{i} \le 1$ because of partial summation of pmf of the hypergeometric distribution, we then have $P^{\mathrm{DSEDA}}_{\mathrm{Auth}}(x) \le \sum_{i=t}^{n} \binom{n}{i}\binom{N_c-n}{x-i} / \binom{N_c}{x} = P^{\mathrm{LEDS}}_{\mathrm{Auth}}(x) = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Auth}}(x)$. To make the equality hold, the full summation of pmf of the hypergeometric distribution is required. Obviously, this happens under the extreme cases only. With the aforementioned statements, the proof of this theorem is then completed. □

5.1.4 Comparison on data authenticity among DSEDA, LEDS, PCREF, and t-PCREF

Figure 6 illustrates the comparison among DSEDA, LEDS, PCREF, and t-PCREF regarding data authenticity under $N_c = 100$, $n = 10$, and $(T, t) = (5, 4)$. The data authenticity here is shown through the probability that an attacker is able to inject a bogus report to fool the sink versus the number of compromised sensor nodes in the cluster with originating events, i.e., x defined previously. From this figure, one can explicitly see that DSEDA significantly outperforms LEDS, PCREF, and t-PCREF when $10 < x < 100$. Specifically checking the results at $x = 40$, the corresponding probabilities are about 0.626 for LEDS (and t-PCREF), 0.361 for PCREF, and 0.082 for DSEDA. The previous results yield approximately 87% and 77% of improvement achieved by DSEDA as compared to LEDS (or t-PCREF) and PCREF, respectively. As for the results at $x = 60$, the corresponding probabilities are about 0.954 for LEDS (and t-PCREF), 0.846 for PCREF, and 0.332 for DSEDA. These results yield approximately 65% and 61% of improvement achieved by DSEDA as compared to LEDS (or t-PCREF) and PCREF, respectively. According to the aforementioned description, it is crystal clear that DSEDA is superior to LEDS, PCREF, and t-PCREF in terms of data authenticity. No doubt, it is harder for the attacker in DSEDA than that in LEDS, PCREF, and t-PCREF to inject a bogus report to fool the sink.

Fig. 6 Data authenticity comparison among DSEDA, LEDS, PCREF, and t-PCREF, where $N_c = 100$, $n = 10$, and $(T, t) = (5, 4)$ (vertical axis: probability of injecting a bogus report; horizontal axis: number of compromised nodes in the cluster, x)
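The values quoted in Sect. 5.1.4 can be reproduced directly from Eqs. (5), (7), and (11). The following is an added example, not the authors' code; the function names are chosen here, the defaults are the Fig. 6 parameters, and the last function is a cross-check that sums the hypergeometric pmf over the T participating nodes only.

```python
from fractions import Fraction
from math import comb


def C(n, k):
    """Binomial coefficient, taken as 0 outside 0 <= k <= n."""
    return comb(n, k) if 0 <= k <= n else 0


def p_i_comp(i, x, Nc, n):
    """Eq. (6): exactly i of the n event-cell nodes are among the x captured."""
    return Fraction(C(n, i) * C(Nc - n, x - i), C(Nc, x))


def p_auth_leds(x, Nc=100, n=10, T=5, t=4):
    """Eq. (5); by Eq. (8) this is also the t-PCREF value."""
    return sum(p_i_comp(i, x, Nc, n) for i in range(t, n + 1))


def p_auth_pcref(x, Nc=100, n=10, T=5, t=4):
    """Eq. (7): at least T captured nodes in the event cell."""
    return sum(p_i_comp(i, x, Nc, n) for i in range(T, n + 1))


def p_auth_dseda(x, Nc=100, n=10, T=5, t=4):
    """Eq. (11): at least t of the T participating nodes must be captured."""
    total = Fraction(0)
    for i in range(t, n + 1):
        lo, hi = max(t, i - n + T), min(i, T)          # constraint (10)
        inner = Fraction(sum(C(T, j) * C(n - T, i - j) for j in range(lo, hi + 1)),
                         C(n, i))
        total += p_i_comp(i, x, Nc, n) * inner
    return total


def p_auth_dseda_direct(x, Nc=100, n=10, T=5, t=4):
    """Cross-check: the captured count among the T participants is hypergeometric."""
    return sum(Fraction(C(T, j) * C(Nc - T, x - j), C(Nc, x)) for j in range(t, T + 1))


def table(xs=(20, 40, 60, 80), **kw):
    """Rows of (x, LEDS / t-PCREF, PCREF, DSEDA), rounded to three decimals."""
    rows = []
    for x in xs:
        vals = [f(x, **kw) for f in (p_auth_leds, p_auth_pcref, p_auth_dseda)]
        rows.append((x,) + tuple(round(float(v), 3) for v in vals))
    return rows


if __name__ == "__main__":
    for row in table():
        print("x=%3d  LEDS/t-PCREF=%.3f  PCREF=%.3f  DSEDA=%.3f" % row)
```

Exact rational arithmetic keeps the comparison in Theorem 1 free of rounding effects across the whole range of x.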

5.2 Expected filtering position of the bogus report

In the following, we consider the situation that an attacker can take control of some compromised sensor nodes in the event cell to insert a bogus report into the WSN. We derive the expected filtering positions of the bogus report sent from an affected event cell in which at least one but at most $t - 1$ cells are compromised given the number of compromised sensor nodes in the cluster, i.e., x. In the subsequent paragraphs, the corresponding results for LEDS, PCREF, t-PCREF, and DSEDA will be derived.

5.2.1 Expected filtering position of the bogus report for LEDS

Notice that an event cell will become an affected cell if the attacker in that event cell is able to compromise i ($1 \le i \le t - 1$) sensor nodes in the event cell. The associated probability given x compromised sensor nodes in the cluster can then be denoted by $\sum_{i=1}^{t-1} P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x)$. Under the precondition that an event cell becomes an affected cell, the attacker has to forge at least $t - i$ MACs to insert a bogus report. To let these forged MACs pass through the en-route filtering, at least $t - i$ cells of the first T cells in its report-authentication forwarding area should be affected/compromised with the probability of $\sum_{j=t-i}^{T} \binom{T}{j} (1 - P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x))^{j} (P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x))^{T-j}$. Note that $P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x) = \binom{N_c-n}{x} / \binom{N_c}{x}$ stands for the probability that the cell is secure without being compromised or affected. If so, the bogus report can be relayed to the sink but then filtered by the sink. Otherwise, the report will be dropped at the $\frac{T}{2}$-th cell on average under the random node capture attack. Further denoting y ($y \ge T$) to be the distance in cell from this affected event cell to the sink, the expected filtering position in cell of the bogus report sent from an affected cell for LEDS $\hat{p}^{\mathrm{LEDS}}(x, y)$ given x and y is then expressed as follows:

$$\hat{p}^{\mathrm{LEDS}}(x, y) = y \sum_{i=1}^{t-1} P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x) \sum_{j=t-i}^{T} \binom{T}{j} \left(1 - P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{j} \left(P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{T-j} + \frac{T}{2} \sum_{i=1}^{t-1} P^{\mathrm{LEDS}}_{i,\mathrm{Comp}}(x) \left(1 - \sum_{j=t-i}^{T} \binom{T}{j} \left(1 - P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{j} \left(P^{\mathrm{LEDS}}_{\mathrm{Secure}}(x)\right)^{T-j}\right). \tag{12}$$

5.2.2 Expected filtering position of the bogus report for PCREF and t-PCREF

Given x and y, the expected filtering positions in cell of the bogus report sent from an affected cell for PCREF $\hat{p}^{\mathrm{PCREF}}(x, y)$ and t-PCREF $\hat{p}^{t\text{-}\mathrm{PCREF}}(x, y)$ are given as follows [38]:

$$\hat{p}^{\mathrm{PCREF}}(x, y) = \sum_{i=1}^{y} i\, p_{f_i,\mathrm{PCREF}}, \tag{13}$$

$$\hat{p}^{t\text{-}\mathrm{PCREF}}(x, y) = \sum_{i=1}^{y} i\, p_{f_i,t\text{-}\mathrm{PCREF}}, \tag{14}$$

where $p_{f_i,\mathrm{PCREF}}$ and $p_{f_i,t\text{-}\mathrm{PCREF}}$ are the probabilities that the bogus report is filtered after being forwarded i cells away from that affected cell and follow the following relationship:

$$p_{f_i,\mathrm{PCREF}} = \sum_{j=1}^{T-1} \frac{\binom{n}{j}\binom{N_c-n}{x-j}}{\binom{N_c}{x}} (1 - p_f)^{i-1} p_f, \quad i = 1, 2, \ldots, y, \tag{15}$$

$$p_{f_i,t\text{-}\mathrm{PCREF}} = \sum_{j=1}^{t-1} \frac{\binom{n}{j}\binom{N_c-n}{x-j}}{\binom{N_c}{x}} (1 - p_f)^{i-1} p_f, \quad i = 1, 2, \ldots, y, \tag{16}$$

where $p_f$ is the probability that a sensor node in an intermediate cell can filter the bogus report.

5.2.3 Expected filtering position of the bogus report for DSEDA

If there are fewer than t sensor nodes among the T participating sensor nodes sending secret shares to the CH in DSEDA, the report will be rejected immediately by the CH if it is not compromised. Note that the probability that the CH is not compromised is $1 - \frac{x-i}{N_c-T}$ given that i cells are compromised among the T participating sensor nodes sending secret shares to the CH and x cells are compromised in the cluster. Therefore, any bogus report sent from an affected cell will be rejected at the CH after one-hop communication with distance z in cell on average. Under the homogeneous node deployment, z can be related to $N_c$ and n via $z = \frac{\sqrt{N_c/n}}{2}$. However, the report will be relayed to the sink if the CH is compromised and then rejected by the sink. For the latter case, the bogus report is filtered y cells away from this affected event cell. Note that the CH

will be compromised with the probability of $\frac{x-i}{N_c-T}$ given that i cells are compromised among the T participating sensor nodes sending secret shares to the CH and x cells are compromised in the cluster. Therefore, the expected filtering position in cell of the bogus report sent from an affected cell for DSEDA $\hat{p}^{\mathrm{DSEDA}}(x, y, z)$ given x, y, and z is shown as follows:

$$\hat{p}^{\mathrm{DSEDA}}(x, y, z) = y \sum_{i=1}^{t-1} P^{\mathrm{DSEDA}}_{i,\mathrm{Comp}}(x)\, \frac{x-i}{N_c-T} + z \sum_{i=1}^{t-1} P^{\mathrm{DSEDA}}_{i,\mathrm{Comp}}(x) \left(1 - \frac{x-i}{N_c-T}\right). \tag{17}$$

Here, $P^{\mathrm{DSEDA}}_{i,\mathrm{Comp}}(x) = \binom{T}{i}\binom{N_c-T}{x-i} / \binom{N_c}{x}$ and $\sum_{i=1}^{t-1} P^{\mathrm{DSEDA}}_{i,\mathrm{Comp}}(x)$ denote the probability that exactly i sensor nodes among the T participating sensor nodes sending secret shares to the CH are compromised and the probability that the cell is affected, respectively. As for x, it is a given value and stands for the number of compromised sensor nodes in the cluster with originating events.

5.2.4 Comparison on expected filtering position of the bogus report among DSEDA, LEDS, PCREF, and t-PCREF

Figure 7 compares the expected filtering positions of the bogus report sent from an affected cell in DSEDA, LEDS, PCREF, and t-PCREF. Obviously, DSEDA shows good improvement over LEDS and performs better than PCREF and t-PCREF regarding the expected filtering position of the bogus report. Note that the bogus reports are dropped as soon as possible in DSEDA. For example, let us consider the case with a bogus report sent from an affected cell that is 30 cells away from the sink given 20 compromised sensor nodes in the cluster. This bogus report will be filtered at no more than 24, 8, 7 cells away in the report-authentication forwarding area on average in LEDS, PCREF, and t-PCREF, respectively. As for DSEDA, it will be filtered at no more than 5 cells away in the report-authentication forwarding area on average.

Fig. 7 Comparison on the expected filtering position of the bogus report among DSEDA, LEDS, PCREF, and t-PCREF, where $N_c = 100$, $n = 10$, $p_f = 0.1$, and $(T, t) = (5, 4)$ (axes: number of compromised nodes (x), distance to the sink (y), expected filtering position)

5.3 Security strength regarding data availability

In WSNs, there are two types of attack that could affect its data availability, including the report disruption attack and the selective forwarding attack [31]. Under the report disruption attack, the compromised sensor nodes can attach incorrect MACs. As a result, the legitimate report will be dropped by the CH or the sink. However, the compromised sensor nodes may refuse to participate in report generation under the selective forwarding attack. Therefore, the CH cannot collect enough legitimate secret shares for a legitimate report to forward to the sink. The legitimate report is then rejected by the CH. Given a number of compromised sensor nodes in the cluster, the security strength regarding data availability under the report disruption attack and selective forwarding attack for LEDS, PCREF, t-PCREF, and DSEDA is analyzed as follows. This is done by showing the probability that a legitimate report is successfully generated.

5.3.1 Data availability for LEDS under the report disruption and selective forwarding attacks

First, let us consider the report disruption attack. In LEDS, a legitimate report will be dropped (accepted) if more than (no more than) $T - t$ sensor nodes among the T participating sensor nodes in the event cell are compromised. Given x compromised sensor nodes in the cluster, the security strength regarding data availability in LEDS under the report disruption attack is then derived as follows:

$$P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{T-t} \frac{\binom{T}{i}\binom{N_c-T}{x-i}}{\binom{N_c}{x}}. \tag{18}$$

Next, the selective forwarding attack is considered. If any sensor node from the T participating sensor nodes refuses to participate in report generation in LEDS, then sensor nodes will fail to collect enough (i.e., T) secret shares to forward to the sink, causing the legitimate report to be rejected. Given x compromised sensor nodes in the cluster, the security strength regarding data availability in LEDS under the selective forwarding attack is derived as follows:

$$P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x) = \frac{\binom{N_c-T}{x}}{\binom{N_c}{x}}. \tag{19}$$

5.3.2 Data availability for PCREF and t-PCREF under the report disruption and selective forwarding attacks

Again, let us first consider the report disruption attack. To have a legitimate report in both PCREF and t-PCREF, none of message authentication polynomials generated by the compromised sensor nodes can be included in the report. Therefore, the security strength regarding data availability in PCREF and t-PCREF under the report disruption attack given x compromised sensor nodes in the cluster is then derived as follows:

$$P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \cdot \frac{\binom{n-i}{T}}{\binom{n}{T}} = \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}\binom{n-i}{T}}{\binom{N_c}{x}\binom{n}{T}}, \tag{20}$$

$$P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \cdot \frac{\binom{n-i}{T}}{\binom{n}{T}} = \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}\binom{n-i}{T}}{\binom{N_c}{x}\binom{n}{T}}. \tag{21}$$

As far as the selective forwarding attack is concerned, PCREF (t-PCREF) can tolerate at most $n - T$ ($n - t$) compromised sensor nodes in the event cell to refuse to participate in report generation to keep a legitimate report. Given x compromised sensor nodes in the cluster, the security strength regarding data availability in PCREF and that in t-PCREF under the selective forwarding attack are then derived as follows:

$$P^{\mathrm{PCREF}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}, \tag{22}$$

$$P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}. \tag{23}$$

5.3.3 Data availability for DSEDA under the report disruption and selective forwarding attacks

In DSEDA, the secret share with an incorrect MAC contributed by any compromised sensor node participating in report generation will be dropped by the CH and an alternative secret share from the non-participating sensor nodes will be required further. Therefore, the legitimate report will be dropped only when there are fewer than t legitimate sensor nodes left in the event cell. In other words, the sink can still obtain the legitimate report even if there are up to $n - t$ compromised sensor nodes contributing incorrect MACs in the corresponding event cell. Given x compromised sensor nodes in the cluster, the security strength regarding data availability in DSEDA under the report disruption attack is derived as follows:

$$P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}. \tag{24}$$

In DSEDA, the non-participating sensor nodes will take over the compromised participating sensor nodes refusing to participate in report generation to guarantee enough participating sensor nodes in report generation. By doing so, the CH can still collect enough secret shares. As long as there are at least t legitimate (at most $T - t$ compromised) sensor nodes from the T participating sensor nodes, the report will be accepted. Therefore, the security strength regarding data availability in DSEDA under the selective forwarding attack given x compromised sensor nodes in the cluster is derived as follows:

$$P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{T-t} \frac{\binom{T}{i}\binom{N_c-T}{x-i}}{\binom{N_c}{x}}. \tag{25}$$

For facilitating comparison, the above equation has an alternative form coming from the theorem of total probability as follows:

$$P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \left( \sum_{j=0}^{\min(T-t,\,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \right). \tag{26}$$

In the following theorem, let us further explore the relationship among $P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x)$, $P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x)$, $P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x)$, and $P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x)$.

Theorem 2 $P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x) \le P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) \le P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x)$. Moreover, $P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x)$ with a larger n is greater than or equal to $P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x)$ with a smaller n.

Proof First, it is trivial to show $P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x)$ because $P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{n-T} \binom{n}{i}\binom{N_c-n}{x-i}\binom{n-i}{T} / \left(\binom{N_c}{x}\binom{n}{T}\right) = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x)$. Next, let us show $P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x) \le P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x)$. Further checking $P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x)$ and $P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x)$, we know that $P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) = P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \sum_{j=0}^{\min(T-t,\,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}}$ which can be further written as

$$P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \left( \sum_{j=0}^{\min(T-t,\,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \right), \tag{27}$$

$$= \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \left( \frac{\binom{n-T}{i}}{\binom{n}{i}} + \sum_{j=1}^{\min(T-t,\,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \right), \tag{28}$$

  
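$$= \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \times \left( \frac{\binom{n-i}{T}}{\binom{n}{T}} + \sum_{j=1}^{\min(T-t,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \right), \tag{29}$$

$$\ge \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \times \frac{\binom{n-i}{T}}{\binom{n}{T}} = P^{\mathrm{PCREF}}_{\mathrm{Avail},D}(x) = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},D}(x). \tag{30}$$

Finally, let us show $P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) \le P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x)$. Rewrite $\sum_{i=0}^{n-t}\binom{n}{i}\binom{N_c-n}{x-i}$ as follows:

$$\begin{aligned}
\sum_{i=0}^{n-t}\binom{n}{i}\binom{N_c-n}{x-i} &= \sum_{i=0}^{n-t}\sum_{j=0}^{i}\binom{T}{j}\binom{n-T}{i-j}\binom{N_c-n}{x-i} \\
&= \sum_{j=0}^{n-t}\sum_{i=j}^{n-t}\binom{T}{j}\binom{n-T}{i-j}\binom{N_c-n}{x-i} \\
&= \sum_{j=0}^{n-t}\binom{T}{j}\sum_{s=0}^{n-t-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s}.
\end{aligned} \tag{31}$$

The first equality of (31) holds because of $\binom{n}{i} = \sum_{j=0}^{i}\binom{T}{j}\binom{n-T}{i-j}$ coming from the fact that the summation over the entire range for hypergeometric pmf $f(j) = \binom{T}{j}\binom{n-T}{i-j} / \binom{n}{i}$, $j = 0, 1, \ldots, i$ yields 1. Exchanging the order of summations with proper ranges reaches the second equality of (31). By introducing a new dummy variable $s = i - j$, one can have the third equality of (31). Splitting (31) into two summations over range $\{0, \ldots, T-t\}$ and $\{T-t+1, \ldots, n-t\}$, respectively, regarding the outermost summation of (31) yields

$$\begin{aligned}
\sum_{i=0}^{n-t}\binom{n}{i}\binom{N_c-n}{x-i} &= \sum_{j=0}^{T-t}\binom{T}{j}\sum_{s=0}^{n-t-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s} + w \\
&= \sum_{j=0}^{T-t}\binom{T}{j}\sum_{s=0}^{x-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s} + w \\
&= \sum_{j=0}^{T-t}\binom{T}{j}\binom{N_c-T}{x-j} + w \\
&\ge \sum_{i=0}^{T-t}\binom{T}{i}\binom{N_c-T}{x-i},
\end{aligned} \tag{32}$$

where $w$ stands for the second summation, i.e., $w = \sum_{j=T-t+1}^{n-t}\binom{T}{j}\sum_{s=0}^{n-t-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s} \ge 0$. Noting that $j \in [0, T-t]$ implies $n-t-j \in [n-T, n-t]$ and $\binom{n-T}{s}$ becomes 0 when $s \ge n-T+1$, we have $\sum_{s=0}^{n-t-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s} = \sum_{s=0}^{n-T}\binom{n-T}{s}\binom{N_c-n}{x-j-s}$. If $x-j \ge n-T$, $\sum_{s=0}^{x-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s} = \sum_{s=0}^{n-T}\binom{n-T}{s}\binom{N_c-n}{x-j-s} = \sum_{s=0}^{n-t-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s}$. If $x-j < n-T$, $\binom{N_c-n}{x-j-s}$ vanishes (is zero equivalently) when $s \in [x-j+1, n-T]$, yielding $\sum_{s=0}^{x-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s} = \sum_{s=0}^{n-T}\binom{n-T}{s}\binom{N_c-n}{x-j-s} = \sum_{s=0}^{n-t-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s}$. The aforementioned description then makes the second equality of (32) hold. With the similar reasoning like that for the first equality of (31), we have $\binom{N_c-T}{x-j} = \sum_{s=0}^{x-j}\binom{n-T}{s}\binom{N_c-n}{x-j-s}$, then making the third equality of (32) hold. The inequality of (32) then reaches $P^{\mathrm{LEDS}}_{\mathrm{Avail},D}(x) \le P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x)$. Using steps similar to (31)–(32) by noting $n > T$, one can easily show that $P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x)$ with a larger $n$ is greater than or equal to $P^{\mathrm{DSEDA}}_{\mathrm{Avail},D}(x)$ with a smaller $n$. The proof of this theorem is then totally completed. □

Remark 1 Theorem 2 shows that DSEDA always outperforms LEDS, PCREF, and t-PCREF in data availability when considering the report disruption attack for sure. As for PCREF and t-PCREF, they perform even worse than LEDS.

As for the relationship among $P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x)$, $P^{\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$, $P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$, and $P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x)$, it can be explored in the following theorem.

Theorem 3 $P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x) \le P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) \le P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$ and $P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x) \le P^{\mathrm{PCREF}}_{\mathrm{Avail},S}(x) \le P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$.

Proof First, let us show $P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x) \le P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) \le P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$. Note that $P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x)$ can be written as follows:

$$P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{T-t} \frac{\binom{T}{i}\binom{N_c-T}{x-i}}{\binom{N_c}{x}} = \frac{\binom{N_c-T}{x}}{\binom{N_c}{x}} + \sum_{i=1}^{T-t} \frac{\binom{T}{i}\binom{N_c-T}{x-i}}{\binom{N_c}{x}}.$$

Because $\sum_{i=1}^{T-t} \binom{T}{i}\binom{N_c-T}{x-i} / \binom{N_c}{x} \ge 0$, we then have $P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) \ge \binom{N_c-T}{x} / \binom{N_c}{x} = P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x)$. Using the alternative form of $P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x)$, i.e., (26), we have

$$P^{\mathrm{DSEDA}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \times \sum_{j=0}^{\min(T-t,i)} \frac{\binom{T}{j}\binom{n-T}{i-j}}{\binom{n}{i}} \le \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} = P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$$

because $\sum_{j=0}^{\min(T-t,i)} \binom{T}{j}\binom{n-T}{i-j} / \binom{n}{i} \le 1$. Next, let us show $P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x) \le P^{\mathrm{PCREF}}_{\mathrm{Avail},S}(x) \le P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$. Splitting $P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$ into two terms, we have

$$P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} = \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} + \sum_{i=n-T+1}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}}.$$

Because of $\sum_{i=n-T+1}^{n-t} \binom{n}{i}\binom{N_c-n}{x-i} / \binom{N_c}{x} \ge 0$, $P^{t\text{-}\mathrm{PCREF}}_{\mathrm{Avail},S}(x) = \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} + \sum_{i=n-T+1}^{n-t} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \ge \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} = P^{\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$.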


From the fact that the summation over the entire range for hypergeometric pmf $g(i) = \binom{n-T}{i}\binom{N_c-n}{x-i} / \binom{N_c-T}{x}$, $i = 0, 1, \ldots, n-T$ yields 1, we have $\binom{N_c-T}{x} = \sum_{i=0}^{n-T}\binom{n-T}{i}\binom{N_c-n}{x-i}$. Therefore, $P^{\mathrm{LEDS}}_{\mathrm{Avail},S}(x) = \frac{\binom{N_c-T}{x}}{\binom{N_c}{x}} = \sum_{i=0}^{n-T} \frac{\binom{n-T}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} \le \sum_{i=0}^{n-T} \frac{\binom{n}{i}\binom{N_c-n}{x-i}}{\binom{N_c}{x}} = P^{\mathrm{PCREF}}_{\mathrm{Avail},S}(x)$. The proof of this theorem is then totally completed. □

Remark 2 Theorem 3 shows that t-PCREF always outperforms LEDS, PCREF, and DSEDA in data availability when considering the selective forwarding attack for sure. However, LEDS performs worst among these four protocols.

To deeply explore the data availability of DSEDA, LEDS, PCREF, and t-PCREF, the following paragraph shows the comparison on data availability among them via some numerical examples.

5.3.4 Comparison on data availability among DSEDA, LEDS, PCREF, and t-PCREF

Shown in Fig. 8(a) is the data availability protection for DSEDA, LEDS, PCREF, and t-PCREF under the report disruption attack. It clearly shows that the probability of successfully generating a legitimate report is much higher for DSEDA than LEDS, PCREF, and t-PCREF. When $x = 40$, the corresponding probabilities in LEDS, DSEDA, and PCREF as well as t-PCREF are 0.332, 0.954, and 0.073, respectively, revealing 188% and 1200% of improvement achieved by DSEDA as compared to LEDS and PCREF (or t-PCREF). Notice that PCREF and t-PCREF perform even worse than LEDS in terms of data availability under the report disruption attack. In Fig. 8(b), we show the data availability comparison among DSEDA, LEDS, PCREF, and t-PCREF under the selective forwarding attack. Again, DSEDA significantly outperforms LEDS. Fixing $x$ at 40, DSEDA reveals 357% of improvement as compared to LEDS. This firmly indicates that DSEDA is much more resilient against the selective forwarding attack than LEDS. However, DSEDA shows 61% and 65% of decline as compared to PCREF and t-PCREF, respectively. It says that PCREF and t-PCREF are much more effective to combat the selective forwarding attack than DSEDA.

6 Performance analysis of the proposed protocol

In this section, performance, including key storage, computation overhead, computation time, and communication overhead, is evaluated for LEDS, DSEDA, PCREF and t-PCREF. Generally speaking, sensor nodes are resource-limited devices. Therefore, a Mica2 [25] is employed to serve as a regular sensor node. As for CHs, they are resourceful devices. We then employ an Imote2 [25] to serve as a CH. Let us check the key storage overhead first.

6.1 Key storage overhead

As shown in [31] for LEDS, the total number of keys stored in each sensor node is bounded by $(T+1)(T+2)/2 + 5$. The corresponding number is 26 when $T = 5$. Unlike

[Figure 8, panels (a) and (b): probability of successfully generating a legitimate report (0 to 1) versus the number of compromised nodes in the cluster (x, 0 to 100), with one curve each for LEDS, DSEDA, PCREF, and t-PCREF.]

Fig. 8 Data availability comparison among DSEDA, LEDS, PCREF, and t-PCREF where $N_c = 100$, $n = 10$, and $(T, t) = (5, 4)$. a Under the report disruption attack. b Under the selective forwarding attack
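
The values quoted for Fig. 8 in Sect. 5.3.4 can be recomputed exactly from the hypergeometric closed forms used in the proofs of Theorems 2 and 3. The Python sketch below is an added example, not code from the paper; its function names are hypothetical, and it assumes the report-disruption forms of LEDS and DSEDA are the two sides of (32) divided by C(N_c, x) and that of PCREF and t-PCREF is the sum in (30).

```python
from fractions import Fraction
from math import comb


def C(a, b):
    """Binomial coefficient, taken as 0 outside 0 <= b <= a as the proofs do."""
    return comb(a, b) if 0 <= b <= a else 0


def at_most(pool, k, Nc, x):
    """P(at most k of `pool` given nodes are compromised | x of Nc compromised)."""
    hits = sum(C(pool, i) * C(Nc - pool, x - i) for i in range(k + 1))
    return Fraction(hits, C(Nc, x))


def pcref_disruption(Nc, n, T, x):
    """Sum form assumed from (30): i of n cluster nodes compromised, T clean ones drawn."""
    return sum(Fraction(C(n, i) * C(Nc - n, x - i), C(Nc, x)) *
               Fraction(C(n - i, T), C(n, T)) for i in range(n - T + 1))


def availability(Nc, n, T, t, x):
    """Map protocol -> (P_Avail,D, P_Avail,S) as exact fractions."""
    leds_s = at_most(T, 0, Nc, x)                 # C(Nc-T, x) / C(Nc, x)
    pcref_d = pcref_disruption(Nc, n, T, x)
    return {
        "LEDS": (at_most(T, T - t, Nc, x), leds_s),
        "DSEDA": (at_most(n, n - t, Nc, x), at_most(T, T - t, Nc, x)),
        "PCREF": (pcref_d, at_most(n, n - T, Nc, x)),
        "t-PCREF": (pcref_d, at_most(n, n - t, Nc, x)),
    }


def orderings_hold(Nc, n, T, t):
    """Check the orderings of Theorems 2 and 3 for every x in 0..Nc."""
    for x in range(Nc + 1):
        p = availability(Nc, n, T, t, x)
        d = {k: v[0] for k, v in p.items()}       # report disruption
        s = {k: v[1] for k, v in p.items()}       # selective forwarding
        if not (d["PCREF"] == d["t-PCREF"] <= d["LEDS"] <= d["DSEDA"]):
            return False
        if not (s["LEDS"] <= s["DSEDA"] <= s["t-PCREF"]):
            return False
        if not (s["LEDS"] <= s["PCREF"] <= s["t-PCREF"]):
            return False
    return True


def gain_percent(new, old):
    """Relative change of `new` over `old` in percent (negative means decline)."""
    return float((new - old) / old * 100)


if __name__ == "__main__":
    Nc, n, T, t, x = 100, 10, 5, 4, 40            # Fig. 8 setting at x = 40
    for name, (pd, ps) in availability(Nc, n, T, t, x).items():
        print(f"{name:8s} disruption={float(pd):.3f}  selective={float(ps):.3f}")
    print("orderings hold for all x:", orderings_hold(Nc, n, T, t))
```

Exact fractions are used so that the equalities and non-strict inequalities of the theorems are checked without floating-point noise.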


LEDS, DSEDA does not ask sensor nodes to store authentication keys shared with the sensor nodes in the report-authentication forwarding area. Each sensor node in DSEDA then stores two unique secret keys shared with the sink and one secret key shared with the CH only. Therefore, the total number of keys stored in each sensor node for DSEDA is fixed at 3 which is significantly less than that for LEDS because $(T+1)(T+2)/2 + 5 \ge 3$ for positive integer $T$. Therefore, DSEDA gains storage efficiency for each sensor node as compared to LEDS. As for PCREF or t-PCREF, each sensor node stores not only a large amount of keys but also many polynomials as shown in [38]. Compared to both LEDS and DSEDA, much more storage overhead is required in PCREF or t-PCREF. In our design, CHs are responsible for en-route filtering. Therefore, each CH needs to store the public keys of $\phi$ sensor nodes in its downstream report-authentication forwarding area. Besides, it stores two secret keys shared with the sink and $N_c$ secret keys shared with the sensor nodes in the cluster. In short, the total number of keys stored in each CH is given by $N_c + 2$ symmetric keys plus $\phi$ asymmetric keys. Although CHs must store more keys than sensor nodes, the storage capacity of CHs is much higher than that of sensor nodes. Specifically, CHs may be powerful Imote2 devices with 32 MB of flash memory, whereas sensor nodes are resource-constrained Mica2 devices with 4 KB of storage capacity. Considering the storage capacity of CHs, the key storage overhead brought by our design causes little burden to CHs and falls within an acceptable level.

6.2 Computation overhead and computation time

The main computation overhead in LEDS comes from MAC operations. The one-to-many forwarding paradigm for delivering data in LEDS forces all the sensor nodes in the report-authentication forwarding area to verify the message. Consider the case that the number of sensor nodes in a cell is 10 on average and the event cell is 20 cells away from the sink. Then, 20 sensor nodes need to generate a new MAC to forward to next cell and the total number of sensor nodes for message verification is bounded by 200. As reported in [36], Mica2 consumes 5.9 μJ for hashing 1 byte of data when SHA-1 is employed. If HMAC [27], which contains two SHA-1 operations, and 64-byte data message are considered, the total energy consumption for this case in LEDS is then approximated by $(200 + 20) \times 2 \times 5.9 \times 64$ μJ = 166 mJ. In DSEDA, the computation overhead lies in signature verification at CHs. As reported in [21], Imote2 needs 2.86 mJ and 3.51 mJ, respectively, to generate an ECDSA signature and verify it when running at 104 MHz. Because the radius of a CH is $\sqrt{N_c/n}$ in cell, it turns to be $\sqrt{100/10} \approx 3.16$ if $N_c = 100$ and $n = 10$. Considering a similar case for DSEDA, the total energy consumption for signature generation (verification) of DSEDA is then $2.86 \times \lceil 20/3.16 \rceil = 20.02$ mJ ($3.51 \times \lceil 20/3.16 \rceil = 24.57$ mJ). Clearly, $(20.02 + 24.57)$ mJ $\ll$ 166 mJ. Further distinguishing the power/computation capacity of CHs and sensor nodes, moving computation overhead from sensor nodes to CHs is more desired for sure. The aforementioned description clearly indicates that DSEDA is more efficient than LEDS in terms of energy consumption, i.e., computation overhead. As for PCREF or t-PCREF, the computation overhead becomes higher than both DSEDA and LEDS if the generation of authentication and check polynomials is further included.

Therefore, let us further examine the computation time for report verification in DSEDA and LEDS. As reported in [13], it takes 7.56 ms to perform the SHA-1 hash function on the Mica2 platform. For sensor nodes in LEDS, they then take $2 \times 7.56 = 15.12$ ms for report verification. Considering the previous case, the total computation time required when the report travels from the source to the sink is $15.12 \times 20 = 302.4$ ms. As illustrated in [21], Imote2 takes 14.49 ms to verify an ECDSA signature when running at 416 MHz and 56.02 ms to verify an ECDSA signature when running at 104 MHz. This then gives the total computation time to verify the report in DSEDA, i.e., $14.49 \times \lceil 20/3.16 \rceil = 101.43$ ($\ll 302.4$) ms when running at 416 MHz and $56.02 \times \lceil 20/3.16 \rceil = 392.14$ ($> 302.4$) ms when running at 104 MHz. Therefore, DSEDA may process comparably as LEDS in terms of computation time as far as the report verification is concerned.

6.3 Communication overhead

Let us first compare the size of payload data between DSEDA and LEDS. Each message in LEDS contains $T$ IDs and $T$ secret shares in payload data, while DSEDA utilizes the bloom filter to reduce the size of $T$ IDs to 3 bytes only. If $T = 5$, the size of $T$ IDs will be 10 bytes in LEDS, giving 7 bytes of reduction in payload data for such a case. Then, the communication overhead coming from signature is compared. In LEDS, each report contains $T + 1$ MACs. As reported in [27], the minimum length of MAC is 4 bytes. With this minimum size and $T = 5$, the data size for MACs in LEDS then becomes 24 bytes. Note that the size of ECDSA signature is 40 bytes and up to 14 bytes can be saved if the partial message recovery algorithm is applied as reported in [26]. The communication overhead of signature in DSEDA is then 26 bytes, giving 2 additional bytes in signature as compared to that of LEDS. However, the situation can be totally changed when $T \ge 6$, for which at least 2 bytes can be saved for DSEDA as compared to LEDS in signature. As shown in [38], the extra communication overhead of PCREF is 40 bytes which is explicitly


higher than those of DSEDA and LEDS. Finally, let us check some additional messages brought by DSEDA. Sensor nodes and CHs must exchange some additional messages to compensate for the lack of secret shares in DSEDA. By doing so, it helps improve data availability against compromised sensor nodes greatly as compared to LEDS. Therefore, this cost in communication overhead brings a great advantage in security strength, showing that it is worthwhile.

7 Conclusions

An efficient security protocol, i.e., DSEDA, to guarantee end-to-end data authentication in cluster-based WSNs has been proposed in this paper. DSEDA contains a mechanism to compensate for the lack of legitimate secret shares to greatly enhance data availability. Moreover, it employs CHs to verify the report at the very beginning of report lifetime so that the bogus report can be dropped as soon as possible. Based on digital signature, an en-route filtering mechanism is further endowed with DSEDA to prevent intermediate nodes from forgery or false information. Through evaluation on security strength and performance, we have successfully demonstrated that DSEDA significantly outperforms LEDS in terms of both security strength and performance. Except for the data availability under the selective forwarding attack, DSEDA also performs better than PCREF and t-PCREF. No doubt, DSEDA is strongly recommended for use in WSNs.

Acknowledgments The work of H. W. Ferng was supported by the Ministry of Science and Technology (MOST), Taiwan under contracts MOST 104-2221-E-011-052-MY2, MOST 103-2221-E-011-012, and MOST 102-2221-E-011-004.

References

1. Ayday, E., Delgosha, F., & Fekri, F. (2012). Data authenticity and availability in multihop wireless sensor networks. ACM Transactions on Sensor Networks (TOSN), 8(2), 10–26.
2. Cao, X., Kou, W., Dang, L., & Zhao, B. (2008). IMBAS: Identity-based multi-user broadcast authentication in wireless sensor networks. Computer Communications, 31(4), 659–667.
3. Chan, H., Perrig, A., & Song, D. (2003, May). Random key pre-distribution schemes for sensor networks. In Proceedings of IEEE symposium on security and privacy (SP’03) (pp. 197–213).
4. Chan, H., & Perrig, A. (2003). Security and privacy in sensor networks. IEEE Computer Magazine, 36(10), 103–105.
5. Drissi, J., & Gu, Q. (2006, July). Localized broadcast authentication in large sensor networks. In Proceedings of IEEE international conference on networking and services (ICNS’06).
6. Du, W., Deng, J., Han, Y. S., & Varshney, P. K. (2005). A pairwise key pre-distribution scheme for wireless sensor networks. ACM Transactions on Information and System Security, 8(2), 228–258.
7. Eschenauer, L., & Gligor, V. D. (2002, November). A key-management scheme for distributed sensor networks. In Proceedings of ACM conference on computer and communications security (CCS’02) (pp. 41–47).
8. Even, S., Goldreich, O., & Micali, S. (1996). On-line/off-line digital signatures. Journal of Cryptology, 9(1), 35–67.
9. Ferng, H. W., Nurhakim, J., & Horng, S. J. (2014). Key management protocol with end-to-end data security and key revocation for a multi-BS wireless sensor network. Wireless Networks, 20(4), 625–637.
10. Gu, W., Dutta, N., Chellappan, S., & Bai, X. (2011). Providing end-to-end secure communications in wireless sensor networks. IEEE Transactions on Network and Service Management, 8(3), 205–218.
11. Hankerson, D., Menezes, A., & Vanstone, S. (2004). Guide to elliptic curve cryptography. New York: Springer.
12. IEEE. (2000, May). Standard specifications for public key cryptography, IEEE P1363a/D4. http://grouper.ieee.org/groups/1363/index.html.
13. Krontiris, I., & Dimitriou, T. (2006, June). A practical authentication scheme for in-network programming in wireless sensor networks. In Proceedings of ACM REALWSN’06.
14. Lee, S., & Kim, K. (2010, November). Sensor authentication scheme for clustering routing protocols in wireless sensor networks. In Proceedings of IEEE sensors (pp. 1819–1822).
15. Li, F., Zhong, D., & Takagi, T. (2012). Practical identity-based signature for wireless sensor networks. IEEE Wireless Communications Letters, 1(6), 637–640.
16. Li, X., Zhou, F., & Du, J. (2013). LDTS: A lightweight and dependable trust system for clustered wireless sensor networks. IEEE Transactions on Information Forensics and Security, 8(6), 924–935.
17. Liu, D., & Ning, P. (2003). Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks. In Proceedings of network and distributed system security symposium (NDSS’03).
18. Liu, D., Ning, P., & Li, R. (2005). Establishing pairwise keys in distributed sensor networks. ACM Transactions on Information and System Security, 8(1), 41–77.
19. Liu, D., & Ning, P. (2004). Multilevel μTESLA: Broadcast authentication for distributed sensor networks. ACM Transactions on Embedded Computing Systems, 3(4), 800–836.
20. Liu, D., Ning, P., Zhu, S., & Jajodia, S. (2005, July). Practical broadcast authentication in sensor networks. In Proceedings of IEEE international conference on mobile and ubiquitous systems: Networking and services (MobiQuitous’05) (pp. 118–129).
21. Liu, A., & Ning, P. (2008, April). TinyECC: A configurable library for elliptic curve cryptography in wireless sensor networks. In Proceedings of IEEE international conference on information processing in sensor networks (IPSN ’08) (pp. 245–256).
22. Liu, Z., Wang, J., & Zhang, X. (2011, June). A false data filtering scheme using cluster-based organization in sensor networks. In Proceedings of IEEE international conference on communications (ICC’11) (pp. 1–5).
23. Liu, Y., Li, J., & Guizani, M. (2012). PKC based broadcast authentication using signature amortization for WSNs. IEEE Transactions on Wireless Communications, 11(6), 2106–2115.
24. Mitzenmacher, M. (2002). Compressed bloom filters. IEEE/ACM Transactions on Networking, 10(5), 604–612.
25. Moog Crossbow. (2008). Mica2/Imote2 Mote datasheet. http://www.xbow.com.
26. Naccache, D., & Stern, J. (2001). Signing on a postcard. In Proceedings of international conference on financial cryptography (FC ’01) (pp. 121–135).
27. National Institute of Standards and Technology. (2002, March). Keyed-hashing for message authentication (HMAC). Federal Information processing Standards Publication.


28. Perrig, A., Szewczyk, R., Tygar, J. D., Wen, V., & Culler, D. E. (2002). SPINS: Security protocols for sensor networks. Wireless Networks, 8(5), 521–534.
29. Raymond, D. R., Marchany, R. C., Brownfield, M. I., & Midkiff, S. F. (2009). Effects of denial-of-sleep attacks on wireless sensor network MAC protocols. IEEE Transactions on Vehicular Technology, 58(1), 367–380.
30. Ren, K., Lou, W., Zeng, K., & Moran, P. J. (2007). On broadcast authentication in wireless sensor networks. IEEE Transactions on Wireless Communications, 6(11), 4136–4144.
31. Ren, K., Lou, W., & Zhang, Y. (2008). LEDS: Providing location-aware end-to-end data security in wireless sensor networks. IEEE Transactions on Mobile Computing, 7(5), 585–598.
32. Ren, K., Lou, W., & Zhang, Y. (2009). Multi-user broadcast authentication in wireless sensor networks. IEEE Transactions on Vehicular Technology, 58(8), 4554–4564.
33. Shamir, A. (1979). How to share a secret. Communications of the ACM, 22(11), 612–613.
34. Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In Proceedings of CRYPTO’84.
35. Shi, E., & Perrig, A. (2004). Designing secure sensor networks. IEEE Wireless Communications Magazine, 11(6), 38–43.
36. Wander, A. S., Gura, N., Eberle, H., Gupta, V., & Shantz, S. C. (2005, March). Energy analysis of public-key cryptography on small wireless devices. In Proceedings of IEEE international conference on pervasive computing and communications (PerCom’05) (pp. 324–328).
37. Yang, H., Ye, F., Yuan, Y., Lu, S., & Arbaugh, W. (2005, May). Toward resilient security in wireless sensor networks. In Proceedings of ACM international symposium on mobile ad hoc networking and computing (MobiHoc’05) (pp. 34–45).
38. Yang, X., Lin, J., Yu, W., Moulema, P., Fu, X., & Zhao, W. (2015). A novel en-route filtering scheme against false data injection attacks in cyber-physical networked systems. IEEE Transactions on Computers, 64(1), 4–18.
39. Yao, A. C.-C., & Zhao, Y. (2013). Online/offline signatures for low-power devices. IEEE Transactions on Information Forensics and Security, 8(2), 283–294.
40. Yasmin, R., Ritter, E., & Wang, G. (2010, June–July). An authentication framework for wireless sensor networks using identity-based signatures. In Proceedings of IEEE international conference on computer and information technology (CIT’10) (pp. 882–889).
41. Ye, F., Luo, H., Lu, S., & Zhang, L. (2004). Statistical enroute filtering of injected false data in sensor networks. In Proceedings of IEEE INFOCOM’04.
42. Zhu, S., Setia, S., & Jajodia, S. (2006). LEAP+: Efficient security mechanisms for large-scale distributed sensor networks. ACM Transactions on Sensor Networks, 2(4), 500–528.
43. Zhu, S., Setia, S., Jajodia, S., & Ning, P. (2004, May). An interleaved hop-by-hop authentication scheme for filtering of injected false data in sensor networks. In Proceedings of IEEE symposium on security and privacy (SP’04) (pp. 259–271).

Huei-Wen Ferng received the B.S. degree in electrical engineering from the National Tsing Hua University, Hsinchu, Taiwan, in 1993 and the Ph.D. degree in electrical engineering from the National Taiwan University, Taipei, Taiwan, in 2000. He joined the Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taipei, as an assistant professor in August 2001. From February 2005 to January 2011, he was an associate professor. Since February 2011 and June 2012, he has been a professor and a distinguished professor, respectively. Funded by the Pan Wen-Yuan Foundation, Taiwan, he spent the summer of 2003 visiting the Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor. His research interests include wireless networks, mobile computing, high-speed networks, design of fair scheduling, teletraffic modeling, queuing theory, and performance analysis. He was a recipient of the research award for young researchers from the Pan Wen-Yuan Foundation, Taiwan, in 2003 and was a recipient of the Outstanding Young Electrical Engineer Award from the Chinese Institute of Electrical Engineering (CIEE), Taiwan, in 2008. He is a senior member of the IEEE.

Nguyen Minh Khoa received the M.S. degree in computer science and information engineering from the National Taiwan University of Science and Technology, Taipei, in 2011. His research interests include wireless sensor networks, security, and performance analysis.
