A Mutual Broadcast Authentication Protocol for Wireless Sensor Networks Based on Fourier Series

This thesis presents a mutual broadcast authentication protocol (MBAP) for wireless sensor networks based on Fourier series, motivated by the limitations of the main broadcast authentication protocol µTESLA: authentication delay, more initial parameters, limited time, large key chain, and network congestion. Firstly, the forward authentication work for common sensor nodes to base station, including entity authentication and source attestation, is achieved based on the property that a continuous-integrability function f(x) in [−π, π] can be expanded into a Fourier series. Secondly, f(x) is assumed to be a quadratic form function, and the reverse authentication work for base station to common sensor nodes is achieved by detecting the security of f(x). The analysis results of safety performance in MBAP show that captured nodes in the WSN do not affect the security of the broadcast authentication protocol, that the protocol has low computation and communication cost, that the base station can broadcast randomly, and that common sensor nodes can authenticate messages instantly, which solves the problem of network congestion well. The most important feature of MBAP is the mutual broadcast authentication method, which greatly ensures the security of the network.


Introduction
In wireless sensor networks (WSN), in order to save the network bandwidth and the communication time, the base station and the cluster heads generally send messages to the common sensor nodes by broadcasting. Broadcast communication plays a very important role in WSN, and its security has a direct impact on the security of the entire network [1][2][3][4][5]. Therefore, the receiving nodes must be able to authenticate the source, the accuracy, and the integrity of the broadcast packets when they get them; this is known as broadcast authentication.
The broadcast authentication includes two parts: entity authentication and source attestation. Entity authentication is the process for confirming the identity of the sending nodes based on some authentication protocol, which ensures the security for network access. Source attestation is mainly to ensure the integrity of the messages and prevent unauthorized nodes from sending, forging, and tampering with messages. These two parts' authentication can be achieved by the generation and verification of message authentication code (MAC). If the broadcast authentication takes the symmetric encryption mechanism, each captured node can modify or forge the messages and threaten the whole network security. So, it is necessary to use asymmetric encryption technique for broadcast authentication.
There are many efficient broadcast protocols that have been proposed, such as broadcast transmission capacity (BTC) of heterogeneous wireless ad hoc networks with secrecy outage constraints [6], a QoS-based broadcast protocol (QBBP) for multihop cognitive radio ad hoc networks under blind information [7], and a reliable and total order tree-based (RTOT) broadcast in wireless sensor network [8]. But it is hard to design broadcast authentication protocols for WSN because of the limitations of WSN. There are two kinds of WSN broadcast authentication protocols: one is the signature authentication [9][10][11], but it is hard to apply because of the disadvantage of using public key cryptography and large cost, and the other one is the message authentication code (MAC) [12][13][14][15], such as the TESLA which is proposed as the broadcast authentication protocol by Perrig based on the security protocols for sensor networks in [15],

Related Work
2.1. TESLA Protocol. In TESLA, the asymmetric characteristic of broadcast authentication is realized by using the symmetric encryption mechanism on condition of the loose time synchronization of sending nodes and receiving nodes.
The key points of the TESLA protocol are the use of a hash key chain and delayed key publication. As shown in Figure 1, a one-way function key chain is established by the sending node, where the length of key chain is  + 1, and the first key   of the key chain is generated randomly by the sending node, but the next keys are all generated by the one-way function ℎℎ acting on the last key repeatedly, such as   = ( +1 ).
The sending node divides the communication time into equal time slices, where the length of each time slice is , and each time slice is assigned a key in order, but the order of the assigned keys is the opposite order of the key chain, and each message   of time slice  is encrypted by   , such as MAC   (  ). The sending node determines the key delay time  based on the time slice length, and the key   on time slice  will be published after , such as  = 2 in Figure 1.
To avoid the additional communication cost, the published key is sent to the receiving nodes by being attached with the data packet. If there is no data packet on some time slice, the key attached with the data packet will not be published, and this key can be calculated by the next keys in one-way function ℎℎ. More importantly, the initial parameters  0 , , and  and starting time  0 should be sent to receiving nodes before authentication.

Computation Cost.
The TESLA protocol has higher authentication efficiency in the case of sending data packets frequently, but it has a very low sending frequency in some applications, such as fire alarm and other event-driven applications, where the transmission interval of the adjacent data packets may be far greater than the time slice  of TESLA and causes lots of keys not to be used for the data packets authentication, and the distance between adjacent keys on the key chain is also increased and causes a large computation cost and authentication delay.
Increasing  can alleviate this problem, but it also causes a lot of authentication delay, and the receiving nodes also need more memory space for buffering packets.
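The key chain, the delayed disclosure, and the cost of verifying a disclosed key after a long silent gap can be seen in the following added example, which is not code from the paper. SHA-256 and HMAC-SHA-256 stand in for the one-way function and the MAC, and the seed, message contents and the `Receiver`/`run` names are assumptions constructed for the illustration.

```python
import hashlib
import hmac

def F(key: bytes) -> bytes:
    # One-way function of the key chain (SHA-256 is an assumption of this sketch).
    return hashlib.sha256(key).digest()

def make_chain(seed: bytes, n: int) -> list:
    # chain[n] is the sender's random seed, chain[i] = F(chain[i + 1]),
    # and chain[0] is the commitment predistributed to receivers.
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, k0: bytes, delay: int):
        self.key, self.index = k0, 0   # last authenticated key and its time slice
        self.delay = delay             # disclosure delay, in time slices
        self.pending = {}              # slice -> [(msg, tag)] waiting for the key
        self.hash_calls = 0            # one-way function evaluations so far

    def buffer(self, now: int, i: int, msg: bytes, tag: bytes) -> bool:
        # Safety condition: accept only while the key of slice i cannot yet
        # have been published, otherwise anyone could have computed the tag.
        if now >= i + self.delay:
            return False
        self.pending.setdefault(i, []).append((msg, tag))
        return True

    def disclose(self, j: int, key: bytes) -> list:
        # Authenticate the disclosed key of slice j by hashing it back to the
        # last trusted key, recovering the keys of skipped slices on the way.
        if j <= self.index:
            return []
        keys, k = {}, key
        for s in range(j, self.index, -1):
            keys[s] = k
            k = F(k)
            self.hash_calls += 1
        if not hmac.compare_digest(k, self.key):
            return []                  # forged or corrupted key: state unchanged
        self.key, self.index = key, j
        accepted = []
        for s in sorted(keys):
            for msg, tag in self.pending.pop(s, []):
                if hmac.compare_digest(mac(keys[s], msg), tag):
                    accepted.append(msg)
        return accepted

def run(send_slices, n=1000, delay=2):
    # A packet sent in slice i carries the MAC under key i and discloses key i - delay.
    chain = make_chain(b"constructed seed", n)
    rx = Receiver(chain[0], delay)
    accepted, costs = [], []
    for i in send_slices:
        before = rx.hash_calls
        if i - delay >= 1:
            accepted += rx.disclose(i - delay, chain[i - delay])
        costs.append(rx.hash_calls - before)
        msg = b"reading@%d" % i        # constructed sample payload
        rx.buffer(i, i, msg, mac(chain[i], msg))
    return accepted, costs

if __name__ == "__main__":
    print("dense :", run(range(1, 11))[1])   # one hash per disclosed key
    print("sparse:", run([400, 900])[1])     # hundreds of hashes per disclosed key
```

With a packet in every slice each disclosure costs one hash; with packets only in slices 400 and 900 the same receiver spends 398 and then 500 hashes, and the message from slice 400 stays buffered until the packet in slice 900 arrives.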

Delay.
In TESLA, the time interval of sending message {MAC   (  ) ‖  −2 ‖   ‖ ()} will be increased gradually, and the time for buffering data packets is also increased because of the authentication delay, which also makes the protocol more vulnerable to DoS attacks. Therefore, the authentication mechanism of TESLA is not suitable for the situation of large sending time interval.

Problem of Initialization Parameters.
The most important problem of TESLA is the distribution of initialization parameters. Each sending node has an independent authentication key chain for encrypting its own data packets, and each receiving node makes authentication for {MAC   (  ) ‖  −2 ‖   ‖ ()} after receiving the initialization parameters  0 , , and  and starting time  0 . If the nodes send the initialization parameters { 0 , , ,  0 } in unicast way, it will cause much resource consumption, because the sending node needs to encrypt the { 0 , , ,  0 } in different keys shared with the receiving node, which will cause the delay for data packet transmission and authentication, and the delay may lead to DoS attacks.

Authentication Aging Problem.
There are some applications that require real-time authentication for broadcasting, such as real-time audio frequency, video stream, and alarm information. Obviously, TESLA is not suitable for high ageing applications because of the authentication delay.

Fixed Key Chain Length.
In TESLA, the authentication key of each time slice is predistributed upon network initialization. On the one hand, if the work time is too long, it means that the length of key chain is too large, which will cause a large computation cost and storage cost. On the other hand, if the work time is too short, it cannot meet the requirement of frequent data exchange and long-term work.
Therefore, in order to meet the characteristics of lower delay, better aging, less key storage, computing fast, and better flexibility for the general broadcast authentication in WSN, this paper introduces the mathematical theory of Fourier series, which simplifies the practical issues based on characteristic of Fourier series coefficients and makes a simple and efficient broadcast authentication.

Network Model Assumptions.
In WSN, either the base station or the sensor node is the broadcaster (as shown in Figure 2).
According to the topology of the network, it can broadcast directly when the base station is the broadcaster which can send the information to the prerecipient without intermediate nodes or can send the information to the prerecipient layer by layer, such that the base station will send the information to each cluster head first of all, and the cluster head will send the information to each common sensor node after authentication.
When the sensor nodes are the broadcasters, they can only send the information to their neighbor nodes directly without intermediate nodes.
In order to facilitate the description of MBAP, the network is assumed as follows: (1) Assume that the network is isomorphic and static and each of the sensor nodes has been uniformly deployed in the target area and has same configuration in software and hardware and will not move any more once they are deployed, where the network size is

Analyzing Characteristics of Fourier Series
Definition 1. If the function () period is , it is satisfied on the following conditions: And claim that formula (1) is the Fourier series determined by ().

Orthogonal Analysis of Trigonometric Function.
Assume that  is a real number and cos  and sin  are the periodic function in [,  + 2], where the period is 2, and then And it is easy to prove with product and difference (4)

Fourier Series Coefficient Analysis
Deduction 1. Assume that function () has been expanded to a uniformly convergent trigonometric series: Then Proof. Assume that () is an integrable function in [−, ], where the right side of (5) can be integrable term by term. So we can get (7) by (2). Consider Set that  is a positive integer and multiplying by both sides with cos  for () and integration in [−, ] then we can get (8) by (2), (3), and (4): Therefore Similarly Thus Deduction 1 is proved.

MBAP Authentication
Principle. We assume that f(x) is a continuous-integrability function in [−π, π] which is predistributed for each node upon initializing. So, the MBAP authentication principle is as follows.
Step 1 (establishing authentication key). The base station divides the communication time into equal time slices, where the length of each time slice is , and each time slice is assigned a key in order. Set () to be the authentication key distributed for the time slice , and set It is obvious that the keys for each time slice are different based on Deduction 1, and It is shown in (12) that the authentication key ( + 1) on time slice  + 1 can be calculated by () and Fourier series coefficients  +1 and  +1 .
Step 2 (building broadcast authentication information). We assume that () is the broadcast authentication information of the time () on time slice , where  is a certain time on time slice , and set where sin   are last two Fourier series coefficients of (),  () is the plaintext message of time (), and MAC = ℎ((),  () , ()) makes sure that () is undisclosed which ensures the security of the key in the process of message communication.
Then the base station broadcasts ().
Step 3 (application verification). The common sensor node gets the authentication information () and time ().
If the common sensor node has received the authentication information () on time ( + 1), this shows that the authentication information () is outdated, and it is likely to be caused by network congestion or may be an enemy in disguise after being captured. For this unusual situation, the first step is to abandon () on time (), and the second step is to verify the legitimacy of () on time () by BS.
Conversely, if () is the latest time, this shows that () is the authentication information which needs to be authenticated currently, and go to Step 4.
Step 4 (entity authentication). Because () is predistributed for each sensor node, according to the Definition 1 and Deduction 1, set If ℎ(   ) = ℎ(  ) and ℎ(   ) = ℎ(  ), this shows that () is the authentication information sent by BS on the time slice , and entity authentication is completed by now.
Step 5 (source attestation). After the completion of entity authentication, it is necessary to determine whether the plaintext message  () has been tampered with by the enemy, and set Or   () =  ( − 1) + (   cos  +    sin ) , where ( − 1) is the authentication key on time slice  − 1 which has been authenticated on last time slice and ℎ(   ) = ℎ(  ) and ℎ(   ) = ℎ(  ) have been authenticated in Step 4, so   () = () based on (12), where () encrypted by hash function cannot be obtained by the enemy.
It is shown in (16) that the calculation of   () avoids recomputing many Fourier series coefficients each time and reduces the computation cost greatly.
And if it is shown that the plaintext message  () is intact and has not been tampered with by the enemy, and source attestation is completed by now.
The forward authentication work for common sensor nodes to base station is completed from now on, and the forward flow chart of MBAP protocol is shown in Figure 3.
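The following added example, which is not code from the paper, walks through one reading of Steps 1 to 5: the node recomputes the Fourier coefficients of the predistributed function, compares their hashes with the broadcast, extends the previous key by one Fourier term, and checks the MAC. Because the page's own key formulas did not survive, the evaluation point `X0`, the starting key a_0/2, the sample function x², the fixed-point scale and SHA-256 are all assumptions; coefficients are quantised to integers so that both ends hash identical bytes.

```python
import hashlib
import hmac
import math

X0 = 1.0        # assumed evaluation point shared by base station and nodes
SCALE = 10**6   # assumed fixed-point scale for hashing real-valued coefficients
SLICE = 1.0     # time-slice length in seconds

def f(x):
    return x * x                      # constructed sample of the predistributed function

def simpson(g, a, b, steps=2000):
    h = (b - a) / steps
    total = g(a) + g(b)
    for k in range(1, steps):
        total += (4 if k % 2 else 2) * g(a + k * h)
    return total * h / 3

def coeff(i):
    # Fourier coefficients a_i, b_i of f on [-pi, pi].
    a = simpson(lambda x: f(x) * math.cos(i * x), -math.pi, math.pi) / math.pi
    b = simpson(lambda x: f(x) * math.sin(i * x), -math.pi, math.pi) / math.pi
    return a, b

def q(v):
    return int(round(v * SCALE))      # canonical integer form of a real value

def H(*parts):
    d = hashlib.sha256()
    for p in parts:
        data = p if isinstance(p, bytes) else str(p).encode()
        d.update(len(data).to_bytes(4, "big") + data)   # length-prefix each field
    return d.digest()

def slice_of(t):
    return int(t // SLICE) + 1

def initial_key():
    return q(coeff(0)[0] / 2)         # a_0 / 2, assumed key before slice 1

def next_key(prev_key, i):
    # Step 1 / formula (16): previous key plus the i-th Fourier term.
    a, b = coeff(i)
    return prev_key + q(a * math.cos(i * X0) + b * math.sin(i * X0))

def broadcast(prev_key, msg, t):
    # Step 2: message, hashed coefficients, MAC over (key, message, time), time.
    i = slice_of(t)
    a, b = coeff(i)
    key = next_key(prev_key, i)
    pkt = {"msg": msg, "ha": H(q(a)), "hb": H(q(b)),
           "mac": H(key, msg, q(t)), "t": t}
    return pkt, key

def verify(pkt, prev_key, now):
    i = slice_of(now)
    if slice_of(pkt["t"]) != i:
        return None                   # Step 3: outdated information is abandoned
    a, b = coeff(i)
    if not (hmac.compare_digest(H(q(a)), pkt["ha"])
            and hmac.compare_digest(H(q(b)), pkt["hb"])):
        return None                   # Step 4: entity authentication failed
    key = next_key(prev_key, i)
    if not hmac.compare_digest(H(key, pkt["msg"], q(pkt["t"])), pkt["mac"]):
        return None                   # Step 5: source attestation failed
    return key                        # authenticated key for this slice

if __name__ == "__main__":
    k0 = initial_key()
    pkt, k1 = broadcast(k0, b"valve-open", 0.4)
    print(verify(pkt, k0, 0.7) == k1, verify(pkt, k0, 1.2))
```

Only one new coefficient pair is computed per slice, which is the saving the text attributes to (16); the quantisation step matters in practice because two nodes that integrate numerically with different step counts or floating-point hardware would otherwise hash different bytes.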
Step 6 (reverse authentication). The reverse authentication work for the base station to the common sensor nodes can be completed by detecting the security of (), and it also means that the MBAP protocol can achieve mutual security authentication.
Based on [17], we can get that the eigenvalues  1 ,  2 , . . .,   of quadratic polynomial    ( 1 ,  2 , . . .,   ) in different sequence or incorrectness will affect the accuracy of eigenvectors { 1 ,  2 , . . .,   } or D  , and the eigenvectors in different sequence that belonged to the same eigenvalue also can affect the accuracy of D  . For this reason, we can assume that the sequence of eigenvalues and eigenvectors of each sensor node are predistributed by base station, which can avoid the same response information by different nodes and ensure the independence of the reverse authentication Therefore, a mutual broadcasting authentication work is achieved by now and Deduction 2 is proved.
Step 7 (update ()). For the network security, () should be updated periodically, so we modify the broadcast authentication information () by the base station and set where the first part { () ‖ ℎ(  ) ‖ ℎ(  ) ‖ MAC = ℎ((),  () , ())} of ()  is still the broadcast authentication information (), so the common sensor nodes can still make forward authentication work. After forward authentication, each sensor node can get () new by   and verify () new by ℎ(() new ), removing the old () at last.
And the updating for () is completed by now.

Security Analysis
Because of the limited resource in WSN, an efficient broadcast authentication protocol should meet 3 basic requirements: Firstly, ensure the lower computation and communication cost. Secondly, the base station can make authentication randomly. Thirdly, the sensor nodes can make a real-time authentication. In this paper, the TWBAP protocol has some security features of its own besides the above 3 conditions.
4.1. Anticapture. In MBAP, we know that () is the key point of authentication, and the network will not be safe once () is leaked, so the selection of () is very important. On the basis of [17], we assume that () is -variate quadratic polynomial in field , which has a high anticapture. For example, a key management scheme for distributed sensor networks is proposed by Eschenauer and Gligor in [18], and the main idea of this scheme is based on the binary th symmetric polynomials: if the enemy captures some nodes which all include the same binary th symmetric polynomial, and the nodes' number is more than , the communication key will be decrypted by the enemy; this is also called -collusion attack. In MBAP, if the enemy wants to get the communication keys, it should decrypt the binary th symmetric polynomial () or the matrix  in formula (18), but  is a symmetric matrix, which means that there are (+1)/2 different elements in matrix  needed to be decrypted, and the difficulty of decrypting  will be multiplied when the dimension  of matrix  is slightly changed (as shown in Figure 4). So it shows that it is very difficult to capture the binary th symmetric polynomial ().
In addition to this, we assume that the size of the network in WSN is , and if  < (+1)/2, it shows that the enemy is unable to decrypt matrix  and also unable to decrypt (). Therefore, for the small or middle size network, the network is absolutely safe as long as  < ( + 1)/2. And, for the large network, it also can guarantee the network security as long as there is reasonable network structure, such as increasing the number of clusters space and limiting the number of cluster members. It shows that MBAP in this paper has good anticapture performance.

Low Cost.
In this paper, the computation cost and communication cost of MBAP protocol are relatively low, which can meet the requirements of low cost. Firstly, the broadcast authentication information () = { () ‖ ℎ(  ) ‖ ℎ(  ) ‖ MAC = ℎ((),  () , ()) ‖ ()} is verified by single hash operation, while the TESLA is operated by key chain. Secondly, we can get   () = ( − 1) + (   cos +   sin ) in (16), where (−1) is the authentication key on time slice −1 which has been authenticated on last time slice, so we can get   () = () by verifying ℎ(   ) = ℎ(  ) and ℎ(   ) = ℎ(  ) in Step 4 of Section 3.3, which shows that the calculation of () avoids amounts of the calculation for Fourier series coefficients each time and reduces the computation cost greatly.

Instant Authentication.
In MBAP, we can make authentication immediately based on the characteristics of Fourier series coefficients when the authentication information () is broadcasted by the base station. But the TESLA protocol needs to make the authentication after the delay time , which may cause a communication blocking.

Delay.
In TESLA, we know that the time interval of sending message {MAC   (  ) ‖  −2 ‖   ‖ ()} will be increased gradually, and the time for buffering data packets is also increased because of the authentication delay, which also makes the protocol more vulnerable to be attacked by DoS.
We know that authentication delay includes the transmission cost and the computation cost, where the transmission cost is the necessary cost which cannot be avoided. For TESLA, the authentication delay should also include delay time .
In order to analyze the delay problems between MBAP and TESLA by simulation, we assume that  is the authentication delay and  is the length of time slice, which can be set to 1 in here, and assume delay time  = 2,  0 is the initial key, and  is the computation time of a hash calculation.
In TESLA, {MAC   (  ) ‖  −2 ‖   ‖ ()} is the message authentication code on time slice , we can judge the correctness of  −2 by  0 =  −2 ( −2 ), it shows that the entity authentication is completed by  − 2 times hash calculation, and we can verify the integrity of  −2 by MAC  −2 ( −2 ), and it shows that the source attestation is completed by a hash calculation. So, we assume that  1 is the authentication cost on time slice  in TESLA, and ∑  =1 (   cos  +    sin ) by a conventional operation and calculate ℎ(  (),  () , ()) = ℎ((),  () , ()) by a hash calculation. For ease of calculation, we assume that a conventional operation cost also is  and  2 is the authentication cost on time slice  in MBAP, and And the authentication cost of  1 and  2 is shown in Figure 5, where  = 0.01 s. It is obvious that  1 is increased gradually with the time change, which also shows that the TESLA needs more authentication cost with the time change, while the authentication cost of MBAP is not changed all the time.
It shows the cost changes of once authentication calculation on different time slices in Figure 5, but there will be amounts of authentication calculation happening on each time slice actually, which can cause some time delay for each authentication calculation. So, the authentication delay is increased with the time changes. For this reason, we assume that there will be  times authentication calculation happening on each time slice, and we assume that  3 is the authentication cost on time slice  by  times authentication calculation in TESLA, and Similarly, we assume that  4 is the authentication cost on time slice  by  times authentication calculation in MBAP, and For ease of calculating, we assume  = 10, and the authentication cost of these two protocols is shown in Figures 6, 7, and 8.
It is indicated in Figures 6 and 7 that the authentication delays of these two protocols are all increased with the time changes, but the authentication delays of TESLA are increased much faster with the authentication calculation increasing, while the authentication delay of MBAP is changed stably. It is indicated in Figure 8 that there will be some messages abandoned on some slices with the authentication delay increasing in TESLA; it is one of the issues in TESLA analyzed in Section 2.

Initialization Parameter.
In MBAP, the only predistributed initialization parameter is (), and if () is a quadratic polynomial, this can make a mutual authentication.
While in TESLA the initialization parameters are { 0 , , ,  0 } and if the nodes send the initialization parameters { 0 , , ,  0 } in unicast way upon network initialization, that will cause much resource consumption, because the sending node needs to encrypt { 0 , , ,  0 } in different keys shared with the receiving node, which will cause the delay for data packet transmission and authentication, and the delay may lead to DoS attacks.

Length of the Key Chain.
In TESLA, when the sensor nodes receive the published key   , we can verify the correctness of   by  0 =   (  ) or   =  (−) (  ), where   is the verified key before   and  0 is the initial key. So in order to complete the authentication task in TESLA, it needs to save a long secret key chain and needs to reconstruct the key chain sometimes, which makes a large network load.
In MBAP, the authentication key () is Fourier series, and we can get   () = ( − 1) + (   cos  +    sin ) in (16), where ( − 1) is the authentication key on time slice  − 1 which has been authenticated on last time slice, so we can get   () = () by verifying ℎ(   ) = ℎ(  ) and ℎ(   ) = ℎ(  ) in Step 4 of Section 3.3, which shows that the calculation of () avoids amounts of the calculation of Fourier series coefficients each time and reduces the computation cost greatly.

Summary
This thesis presents a mutual broadcast authentication protocol (MBAP) for wireless sensor networks based on Fourier series according to the problems of the main broadcasting authentication protocol TESLA being limited in authentication delay, more initial parameters, limited time, large key chain, and network congestion. The mutual authentication between nodes and base station is achieved according to the characteristic of continuous-integrability function f(x) in [−π, π] which could be expanded into Fourier series. Firstly, the protocol predistributes f(x) for each node upon network initializing, calculates the current Fourier series coefficients, establishes authentication key   , verifies the correctness of the broadcast authentication information, and achieves entity authentication and source attestation. Secondly, f(x) is assumed to be the quadratic form function, and the reverse authentication work for base station to common sensor nodes is achieved by detecting the security of f(x), which also means that the MBAP protocol can achieve mutual security authentication. The analysis results of safety performance in MBAP show that captured nodes in the WSN do not affect the security of the broadcast authentication protocol, that the protocol has a low computation and communication cost, that the base station can broadcast randomly, and that common sensor nodes can authenticate messages instantly, which solves the problem of network congestion well. The most important feature of MBAP is the mutual broadcast authentication method, which greatly ensures the security of the network.

Figure 2: Broadcasting communication in centralized network.

Deduction 2.
In order to detect the security of (), assume that () is a quadratic polynomial and a continuous-integrability function for some variable in [−, ]. And
International Journal of Distributed Sensor Networks
work. For example,  = {() ‖ ℎ(C  ) ‖ ℎ(D  ) ‖ ID  } is the response information of node   , and the base station can get C   and D   based on the sequence of eigenvalues and eigenvectors of node   . If ℎ(C  ) ≠ ℎ(C   ) or ℎ(D  ) ≠ ℎ(D   ), this shows that node   is captured by the enemy and it is removed by the base station. If ℎ(C  ) = ℎ(C   ) and ℎ(D  ) = ℎ(D   ), this shows that the identity of node   is authenticated by the base station.