TurboBlom: A light and resilient key predistribution scheme with application to Internet of Things

In the Internet of Things (IoT), there are often devices that are computationally too constrained to establish a security key using traditional key distribution mechanisms such as those based on the Diffie-Hellman key exchange. To address this, current solutions commonly rely on key predistribution schemes (KPSs). Among KPSs, the Blom scheme provably provides the highest resilience against node capture attacks. This, however, comes at a high computational overhead, because the Blom scheme requires many multiplications over a large finite field. To overcome this computational overhead, we present TurboBlom, a novel amendment of the Blom scheme. TurboBlom circumvents the need for field multiplications by utilizing specialized generator matrices, such as random zero-one matrices. We demonstrate that, through this approach, TurboBlom can reduce the computational overhead of the Blom scheme by orders of magnitude. In our next key finding, we demonstrate that TurboBlom offers a level of resilience against node capture that is virtually on par with the Blom scheme. Notably, we prove that the gap between the resilience of the two schemes is exponentially small. These features of TurboBlom (i.e., low computational overhead and high resilience) make it suitable for computationally constrained devices. Such devices exist in abundance in IoT, for example, as part of Low Power and Lossy Networks (LLNs). To demonstrate a sample application of TurboBlom, we show how to use it to enable sender authentication in the Routing Protocol for LLNs (RPL), a standard routing protocol for IoT.


Introduction
To ensure the confidentiality and integrity of exchanged data, it is crucial that network devices are able to establish security keys between themselves. These keys are used to safeguard the privacy of user information, prevent various attacks such as protocol manipulation [1], and guarantee the integrity of the data [2]. In networks such as LLNs and IoT, however, there are often devices that are computationally too constrained to establish a security key using traditional key distribution mechanisms such as those based on the Diffie-Hellman key exchange. These devices include Class 1 of the constrained devices defined in RFC 7228 [3]. Devices in this class are capable enough to run a protocol stack specifically designed for constrained nodes (e.g., the Constrained Application Protocol (CoAP) over UDP [4]) and communicate with nodes employing a full protocol stack with the help of a gateway. They are, however, unable to implement a full protocol stack such as Transport Layer Security (TLS) and related security protocols, according to [3].
Given enough time, devices in higher classes in RFC 7228 have the potential to run traditional key exchange schemes. For example, experimental results in [5] show that their proposed Diffie-Hellman protocol requires, on average, 54 seconds to establish a key between two TelosB IoT devices. It is important to note that the high execution time of traditional key exchange schemes on these devices exposes them to denial of service attacks where, for instance, an adversary consumes their time/power resources by repeatedly initiating key exchanges with them.
An alternative to traditional key distribution schemes is the key predistribution scheme (KPS), commonly considered for networks with constrained devices [6,7]. In a KPS, a trusted entity preloads each device/node with one or more secret keys before the node is deployed in the network. After deployment, a pair of nodes in the network use their preloaded secret keys to establish a pairwise key and consequently secure their communications.
The simplest key predistribution strategy is to use a single shared key over the entire network. This scheme is the most efficient KPS in terms of memory usage, as each node stores only a single secret key. On the negative side, it is the KPS most vulnerable to node corruption: a single corrupted node (e.g., a node captured and compromised by an adversary) compromises the security of the entire network, since the entire network uses one identical security key.
An alternative strategy is to preload each node with many secret keys, one key for every other node in the network. This way, any node can securely communicate with any other node in the network using a unique secret key. This KPS is the most resilient scheme against node corruption/capture. The scheme is, however, the least efficient with regard to memory (the memory requirement increases linearly with the number of nodes in the network). In addition, the scheme requires every existing node to securely receive a new secret key each time a new node is added to the network (the new keys are needed for secure communication between the existing nodes and the newly added node). These shortcomings are undesirable, particularly in large-scale networks.
There are "middle-ground" KPS solutions as well. For instance, in random key predistribution schemes (e.g., [8,9]), each node is preloaded with a random subset of keys from a key pool. To generate a pairwise key, two deployed nodes exchange the indices of their keys to discover whether or not they share any keys. If the two nodes share at least one key, they use the common key(s) to generate a pairwise key. These solutions are memory-friendly and are resilient against node capture.
Similar to the random KPSs, the Blom scheme [10] (which is the focus of this work) preloads each node with a number of secret keys. It, however, uses a deterministic key generation scheme, and brings two main advantages over random KPSs. First, it enables any two nodes in the network to generate a pairwise key with probability 100%. Second, and perhaps more importantly, the Blom scheme provides the highest resilience against node capture in the sense that the network remains completely secure as long as the number of compromised nodes is less than the number of secret keys preloaded in each node. For instance, if each node is preloaded with 200 secret keys, the Blom scheme guarantees that an adversary who has captured and extracted all the secret keys of up to 199 nodes gains no information about the pairwise keys between uncaptured nodes. This fully defends against small-scale attacks, which is important as small-scale attacks are less expensive and harder to detect than large-scale attacks [9]. We also note that in the Blom scheme, when a new node is added to the network, the existing nodes do not need to receive any additional secret keys. As will be described in Section 3, this is because two nodes only need to know each other's public information in order to establish a pairwise key [10].
To put the above advantages into perspective, consider for instance the q-composite key scheme, a random KPS designed to improve resilience against small-scale attacks [9]. Suppose each node is preloaded with 200 keys, and that the probability that two nodes are able to generate a pairwise key is set to 50% (this is a parameter of the q-composite key scheme). Then, as demonstrated in [9], if an adversary captures 150 nodes, the communication between two uncaptured nodes is compromised with probability of about 57%. The resilience of the q-composite key scheme becomes even worse if we increase the probability that two nodes are able to generate a pairwise key. In the Blom scheme, on the other hand, any two nodes are able to generate a pairwise key with probability 100%. Moreover, all communications between uncaptured nodes remain secure if an adversary captures 150 nodes.
A limiting factor of the Blom scheme for computationally constrained devices is that its pairwise key generation requires many field multiplications. To address this, in this work we introduce TurboBlom, our fast variant of the Blom scheme that does not require any field multiplications, and hence is significantly faster (e.g., about three orders of magnitude faster, as shown in Section 4) than the Blom scheme.
Despite being significantly lighter than the Blom scheme, TurboBlom has, as we show analytically, nearly the same level of resilience against node capture as the original Blom scheme. In particular, we show that the gap between the resilience of TurboBlom and Blom can be made exponentially small with respect to the number of preloaded keys. Consequently, when the number of preloaded keys is large enough (e.g., larger than 30), TurboBlom provides practically the same level of resilience against node capture as the Blom scheme itself. In addition, in Section 4, we propose techniques based on the use of finite fields of Mersenne prime order to improve the resilience of TurboBlom, which is particularly helpful when the number of preloaded keys is rather small.
Finally, we demonstrate how to use TurboBlom to provide efficient (in terms of memory and computation) and resilient (against node capture and Sybil attacks) sender authentication in RPL [11]. RPL is the standard routing protocol for LLNs. These networks are a major component of IoT, and have a wide scope of applications including industrial monitoring and building automation. Consequently, the security of these networks is of great importance, especially when they are deployed in critical infrastructures such as smart grids [12].
In summary, we make the following contributions:
• We introduce TurboBlom, a fast variant of the Blom scheme, which is significantly lighter than the original Blom scheme and hence more suitable for constrained devices. The lightness of TurboBlom is especially appreciated when we note that a key exchange/distribution scheme with non-negligible computational requirements can expose devices to denial of service attacks.
• We analyze the resilience of TurboBlom against node capture and show that TurboBlom can offer practically the same level of resilience against node capture as the Blom scheme.
• We propose a new secure mode for RPL using TurboBlom to enable efficient sender authentication. This new mode is particularly useful as many emerging applications in RPL networks rely on point-to-point communications (as opposed to merely relying on communications with the gateway).
The rest of the paper is organized as follows. Section 2 overviews related work. Section 3 covers the basics of the Blom scheme. We introduce TurboBlom in Section 4, and analyze its resilience against node capture. We propose TAM in Section 5, and conclude the paper in Section 7.

Key predistribution
Early on, in the rise of large-volume industrial and consumer applications of wireless sensor networks, Carman, Kruus, and Matt [13] noticed that an adversary can physically capture nodes and acquire their data, since in practice they are typically left in unattended/hostile environments and it is, by and large, too costly to equip them with tamper-resistant hardware. In the quest for a solution, Eschenauer and Gligor proposed the first random KPS in their seminal work [8]. Since then, many variants of this basic scheme have been proposed. These variants include schemes that use deterministic methods (usually based on combinatorial designs or error-correcting codes) for selecting the subset of keys for each node [14-20], and multiple-space KPSs [21-23] which combine subset-based schemes with other key predistribution schemes such as the Blom scheme [10].
A notable variant of the Eschenauer and Gligor (EG) scheme is the q-composite KPS due to Chan, Perrig and Song [9]. The q-composite scheme generalizes the EG scheme by requiring two devices to have at least q secret keys in common in order to establish a pairwise key. The q-composite scheme offers greater resilience against node capture than EG when the number of captured nodes is relatively small, but is more vulnerable once a large number of nodes have been captured. This can be a desirable trade-off as small-scale attacks are less expensive and harder to detect [9].
When it comes to small-scale attacks, the optimum resilience is achieved by the Blom scheme [10]: it guarantees that the capture of a small number of nodes (up to the number of stored keys minus one) does not compromise any link between uncaptured nodes. In addition, the Blom scheme guarantees that any two nodes in the network are able to establish a pairwise key, whereas in the EG scheme and its variants, two nodes may not be able to establish a pairwise key as they may not have any secret key in common. The above advantages of the Blom scheme come at a price: to establish a pairwise key in the Blom scheme, a node must compute several field operations, including several computationally demanding field multiplications. In this work, we attempt to significantly reduce this cost by eliminating the demanding field multiplications, while maintaining the scheme's high resilience against node capture. Our method is based on using random generator matrices, such as random zero-one matrices, in the Blom scheme.

RPL
Since the standardization of RPL in 2012, its security has attracted a significant amount of research investigating potential threats and proposing mitigation techniques for security attacks. In particular, many recent works have aimed at mitigating the sender authentication problem (or closely related problems such as the Sybil attack) in RPL networks.
For instance, in a recent work, Raoof et al. [24] proposed a new secure mode, Chained Secure Mode (CSM), for the RPL protocol using intra-flow network coding. In CSM, each node encodes its outgoing messages using a randomly generated code, and updates its neighbors with the next code. While CSM can protect the network against external attackers, it is vulnerable to internal attacks. This is because CSM assumes that the first message comes from the original sender. Therefore, an internal attacker can convince a node, say u, that it is another node, say v, if the attacker sends the first message to u pretending to be v.
In another work, Airehrour et al. [25] proposed SecTrust-RPL, a new security framework for RPL. The authors proposed to install extra hardware on IoT devices to calculate a trust factor for each node. The trust factor is calculated based on successful packet transmissions between nodes. They showed that SecTrust-RPL can significantly mitigate the impact of the Rank attack and the Sybil attack. To protect the network against the Sybil attack, the authors proposed to bind the physical location of each node to its identity. Although this method can provide some degree of mitigation for the sender authentication problem, a node can still send messages using another node's ID.
Despite many attempts in the literature (e.g., [26-29]), there is still no lightweight countermeasure that can prevent an adversary from spoofing, i.e., claiming the identity of a valid uncaptured node. In this work, however, we present a lightweight solution that prevents an adversary from using the identity of an uncaptured node unless the adversary extracts the security keys of at least $\lambda + 1$ nodes, where $\lambda$ is a security parameter.

Overview of the Blom scheme
In this section, we provide an overview of the Blom scheme. Table 1 provides the list of symbols used in this paper.

Bootstrapping phase
Consider a network with at most $n$ nodes. In the "bootstrapping phase" of the Blom scheme, a trusted server generates two matrices: a public matrix $G$, referred to as the generator matrix, and a private matrix $D$. The matrix $G$ is a $(\lambda + 1) \times n$ matrix over $\mathbb{F}_q$, where $\mathbb{F}_q$ denotes the finite field of order $q$, and $\lambda$ is a security parameter. The matrix $D$, on the other hand, is a $(\lambda + 1) \times (\lambda + 1)$ symmetric matrix over $\mathbb{F}_q$, chosen uniformly at random from the set of all symmetric matrices over $\mathbb{F}_q$.
After generating the matrices $D$ and $G$, the server computes
$$A = (DG)^T, \qquad (1)$$
where $(DG)^T$ denotes the transpose of $DG$. It then preloads node $u_i$, $1 \le i \le n$, with the $i$th row of matrix $A$, denoted $A_{i,:}$, and the $i$th column of matrix $G$, denoted $G_{:,i}$.

Key establishment phase
Let $K = AG$. Since $D$ is symmetric, we get
$$K = AG = (DG)^T G = G^T D^T G = G^T D\, G, \qquad (2)$$
and thus $K$ is a symmetric matrix, i.e., $K_{i,j} = K_{j,i}$. In the Blom scheme, $K_{i,j}$ (which is equal to $K_{j,i}$) is used as the pairwise key between $u_i$ and $u_j$.
To generate the pairwise key $K_{i,j}$, in the so-called key establishment phase, nodes $u_i$ and $u_j$ first exchange their public information, i.e., their columns of $G$. Then, as illustrated in Fig 1, they generate their pairwise key as
$$K_{i,j} = \langle A_{i,:},\, G_{:,j} \rangle = \langle A_{j,:},\, G_{:,i} \rangle = K_{j,i}, \qquad (3)$$
where $\langle x, y \rangle$ denotes the inner product of vectors $x$ and $y$.

Resilience of the Blom scheme
If every $\lambda + 1$ columns of the generator matrix $G$ are linearly independent, it can be proven that no information about the pairwise keys between uncaptured nodes is revealed as long as the number of captured nodes is at most $\lambda$ [10,22]. We generalize this result later in Theorem 2.

Constructing matrix G
When $q > n$, we can construct a matrix $G$ in which every $\lambda + 1$ columns are linearly independent. For instance, it can be shown that when $q > n$, every $\lambda + 1$ columns of the following Vandermonde matrix (with $g \in \mathbb{F}_q$ a primitive element) are linearly independent [22]:
$$G = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ g & g^2 & \cdots & g^n \\ (g)^2 & (g^2)^2 & \cdots & (g^n)^2 \\ \vdots & \vdots & & \vdots \\ (g)^{\lambda} & (g^2)^{\lambda} & \cdots & (g^n)^{\lambda} \end{pmatrix}. \qquad (4)$$
An advantage of using a Vandermonde matrix as the generator matrix in the Blom scheme is that node $u_i$ only needs to store $g^i$, instead of the entire $i$th column of $G$ (i.e., $G_{:,i}$), since the entire column $G_{:,i}$ can be constructed from $g^i$. To construct the $i$th column of $G$, however, the node needs to perform $\lambda - 1$ field multiplications to compute $(g^i)^2, (g^i)^3, \dots, (g^i)^{\lambda}$ from $g^i$.
Example 1. Consider a network with $n = 5$ nodes. Let $q = 19$ and $\lambda = 2$. Before being deployed in the network, node $u_i$ is preloaded with the $i$th column of $G$ and the $i$th row of $A$ as its public and private information, respectively. Assume nodes $u_2$ and $u_5$ want to communicate securely with each other after they are deployed in the network. To establish a pairwise key, node $u_2$ calculates $K_{2,5} = \langle A_{2,:},\, G_{:,5} \rangle$. In this example, the secret pairwise key between nodes $u_2$ and $u_5$ is 18. Note that, to provide enough security, the order of the finite fields used in practice will be much larger than 19.

TurboBlom
In this section, we introduce TurboBlom, and show how it significantly reduces the computational cost of the Blom scheme while maintaining a high resilience against node capture.
Recall that nodes $u_i$ and $u_j$ need to compute the inner product (3) to generate a pairwise secret key. Computing this inner product requires $\lambda + 1$ field multiplications and $\lambda$ field additions. Computing a field multiplication is, in general, considerably more expensive than computing a field addition. For example, Figs 2 and 3 show the average number of CPU clock cycles needed to compute a field multiplication and a field addition, respectively, on the 16-bit MSP430 microprocessor family; this is a family of processors commonly used in IoT devices such as the Tmote Sky and the Zolertia Z1 [30,31]. As shown in these figures, computing a field multiplication over a field of order 256 bits, for instance, requires 547 times more clock cycles than computing a field addition. Since computing field multiplications is the main cost of generating a pairwise key in the Blom scheme, in TurboBlom we aim to eliminate field multiplications in order to speed up pairwise key generation.

Eliminating field multiplications
As mentioned earlier, a node must compute the inner product (3) to generate a pairwise key. We can eliminate the need for field multiplication in (3) if we use a "confined" generator matrix $G$. In a confined matrix, elements can only come from a subset $S \subseteq \mathbb{F}_q$. For example, if we set $S = \{0, 1\}$, we limit the elements of the generator matrix $G$ to 0 and 1. That is, each element of $G$ can be either the number 0 or the number 1, where 0 and 1 represent, respectively, the additive and multiplicative identities of $\mathbb{F}_q$. Such a "zero-one matrix" (we refer to the matrix as a zero-one matrix rather than a binary matrix to stress that the matrix is over $\mathbb{F}_q$ rather than $\mathbb{F}_2$, although its elements are limited to zero and one) eliminates the need for field multiplication, because it turns every multiplication in (3) into a multiplication by 0 or a multiplication by 1 (which are both trivial). This makes pairwise key generation in the Blom scheme significantly faster. The important concern with using a confined generator matrix, such as a zero-one generator matrix, is its potential negative impact on the resilience of the scheme. A major contribution of this work is to answer this concern. Looking ahead, later in this section we show that this impact can be made exponentially small in practice.
Remark 1. Although the elements of $G$ are limited to a small subset of $\mathbb{F}_q$, all the operations in computing the inner product (3) are still performed in the field $\mathbb{F}_q$. Moreover, the pairwise key between nodes can still take any value from $\mathbb{F}_q$, because the elements of matrix $D$ can take any value from $\mathbb{F}_q$ (see Example 2). We formally prove this in Theorem 2.
We can also limit the elements of matrix $G$ to $S = \{-1, 0, 1\}$. This, too, eliminates field multiplications, because multiplication by $-1$ is a fast operation (recall that $-1 \neq 1$ in any finite field of odd order). This idea can be extended to even larger sets $S$ if we use a finite field $\mathbb{F}_p$ in which $p$ is a Mersenne prime (in general, it is possible to use a field with characteristic $p$, where $p$ is a Mersenne prime). A Mersenne prime is a prime of the form $2^n - 1$, where $n$ is an integer. An interesting property of $\mathbb{F}_p$, with $p$ being a Mersenne prime, is that multiplying a number $a \in \mathbb{F}_p$ by a power of two (i.e., a number of the form $2^i$) is simply a circular shift of $a$ by $i$ positions, when $a$ is represented as an $n$-bit binary number. In addition, negating a number $a$ (i.e., computing $-a$) can be performed easily by flipping all $n$ bits of $a$, since $p - a = (2^n - 1) - a$ is exactly the bitwise complement of $a$. Considering the above properties, we can set
$$S = \{-2^{n-1}, \dots, -2^{1}, -2^{0}, 0, 2^{0}, 2^{1}, \dots, 2^{n-1}\}. \qquad (5)$$
Since all the non-zero elements of the above set $S$ are powers of two, every field multiplication is either eliminated (due to multiplication by zero) or replaced by a simple shift operation (due to multiplication by a power of two), possibly followed by a bit complement (due to negation).
Remark 2. The set $S$ defined in (5) has $2n + 1$ distinct elements, i.e., $|S| = 2n + 1$. This is because $2^i \not\equiv 2^j \pmod p$ and $2^i \not\equiv -2^j \pmod p$ for any $0 \le i, j \le n - 1$ (with $i \neq j$ for the first relation).

Example 2. Consider a network with $n = 4$ nodes, $u_1$, $u_2$, $u_3$ and $u_4$. Let $\lambda = 1$, and let the elements of the secret matrix $D$ (i.e., $a$, $b$, and $c$) be random numbers uniformly distributed over $\mathbb{F}_q$, where $q$ is an odd number (hence $-1 \neq 1$). Notice that matrix $D$ is symmetric, and every two columns of $G$ are linearly independent. The matrix $A$ is then calculated from (1). Before being deployed in the network, node $u_i$ is preloaded with the $i$th row of $A$. For instance, $u_1$ is preloaded with the secret numbers $c$ and $b$, and $u_2$ is preloaded with the secret numbers $a$ and $c$. Fig 4 shows the set of two secret numbers each node is preloaded with, as well as the pairwise key between each pair of nodes (the number on each edge). For instance, as shown in the figure, the pairwise key between $u_2$ and $u_3$ is the number $a + c$. Note that, although the elements of matrix $G$ are limited to $S = \{-1, 0, 1\}$, the pairwise key between two nodes can take any value from $\mathbb{F}_q$. This is because the elements of $D$ (i.e., $a$, $b$, and $c$) are uniformly distributed over $\mathbb{F}_q$. Also, notice that each node can compute a pairwise key with any other node using its preloaded numbers. For instance, $u_4$ can compute the pairwise key $a - b$ with node $u_3$ by adding its two secret numbers, i.e., $(a - c) + (c - b)$.
As illustrated in Fig 5, suppose that the adversary captures node $u_1$ and extracts the secret numbers $c$ and $b$. This clearly compromises the links between node $u_1$ and the remaining three nodes $u_2$, $u_3$ and $u_4$. The adversary, however, gains no information about the pairwise keys between uncaptured nodes (i.e., the pairwise keys corresponding to the green solid links), because the adversary has no information about $a$ (as $a$ is uniformly distributed over $\mathbb{F}_q$). Similarly, we can verify that if the adversary captures any other single node instead, they do not gain any information about the pairwise keys between uncaptured nodes.

Remark 3. In Example 2, the elements of matrix $G$ were limited to the set $S = \{-1, 0, 1\}$. Yet, the pairwise keys between two nodes are uniformly distributed over $\mathbb{F}_q$. Furthermore, the adversary gains no information about the pairwise key of two nodes by capturing another node in the network.
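The bootstrapping and key establishment phases of Section 3 together with the confined generator set of Eq. (5), as an added example (not code from the paper or its authors): it assumes $p = 2^{31} - 1$ (so $n = 31$ bits) and encodes each generator entry as `None` for 0 or `(sign, e)` for $\pm 2^e$, so that a node's inner product (3) uses only rotations, bit complements and additions, and it checks every derived key against the plain Blom computation.

```python
# Added example (not the paper's code): Blom bootstrapping (Section 3) plus the
# TurboBlom node-side inner product over a Mersenne-prime field with generator
# entries drawn from S = {-2^(n-1), ..., -1, 0, 1, ..., 2^(n-1)} of Eq. (5).
import random

def blom_bootstrap(G, q, rng):
    """Trusted-server side: draw a random symmetric D over F_q and compute A = (D G)^T.
    G is a (lambda+1) x n list of rows with numeric entries in F_q."""
    rows, n = len(G), len(G[0])             # rows == lambda + 1
    D = [[0] * rows for _ in range(rows)]
    for i in range(rows):
        for j in range(i, rows):
            D[i][j] = D[j][i] = rng.randrange(q)
    # A[i] is the secret row preloaded in node u_{i+1}: (D * G_{:,i})^T
    A = [[sum(D[r][k] * G[k][i] for k in range(rows)) % q for r in range(rows)]
         for i in range(n)]
    return D, A

def blom_key(a_row, g_col, q):
    """Plain Blom key establishment, Eq. (3): lambda+1 field multiplications."""
    return sum(x * y for x, y in zip(a_row, g_col)) % q

# ---- TurboBlom arithmetic over F_p, p = 2^N_BITS - 1 (assumed: N_BITS = 31) ----
N_BITS = 31
P = (1 << N_BITS) - 1                        # 2^31 - 1 is a Mersenne prime

def rot_mul(a, i):
    """a * 2^i mod p as a circular left shift of the N_BITS-bit word a (0 <= a < p)."""
    i %= N_BITS
    return ((a << i) | (a >> (N_BITS - i))) & P

def neg(a):
    """-a mod p by complementing all N_BITS bits: p - a is the bitwise NOT of a."""
    r = (~a) & P
    return 0 if r == P else r                # ~0 is the all-ones word, which is 0 mod p

def add(a, b):
    """Field addition with one conditional subtraction."""
    s = a + b
    return s - P if s >= P else s

def turbo_key(a_row, coded_col):
    """Inner product (3) on a constrained node with no field multiplications.
    coded_col is the peer's column of G, drawn from S of Eq. (5) and encoded
    (assumed encoding) as None for 0 and (sign, e) for sign * 2^e."""
    acc = 0
    for a, c in zip(a_row, coded_col):
        if c is None:                        # multiplication by 0: the term vanishes
            continue
        sign, e = c
        t = rot_mul(a, e)                    # multiplication by 2^e: one rotation
        acc = add(acc, neg(t) if sign < 0 else t)
    return acc

def decode(c):
    """Value in F_p of a coded generator entry (used by the server and for checks)."""
    if c is None:
        return 0
    sign, e = c
    return pow(2, e, P) if sign > 0 else P - pow(2, e, P)

def random_confined_G(lam, n, rng):
    """(lambda+1) x n generator with entries uniform over S of Eq. (5), coded form."""
    def entry():
        if rng.random() < 1 / (2 * N_BITS + 1):   # |S| = 2n + 1, exactly one of which is 0
            return None
        return (rng.choice((1, -1)), rng.randrange(N_BITS))
    return [[entry() for _ in range(n)] for _ in range(lam + 1)]

def demo(seed=1, lam=7, n=10):
    """Bootstrap a constructed network and verify that every pair of nodes derives
    the same key via TurboBlom as via the plain Blom inner product."""
    rng = random.Random(seed)
    coded = random_confined_G(lam, n, rng)
    G = [[decode(c) for c in row] for row in coded]
    D, A = blom_bootstrap(G, P, rng)
    for i in range(n):
        for j in range(n):
            col_i = [coded[k][i] for k in range(lam + 1)]
            col_j = [coded[k][j] for k in range(lam + 1)]
            k_ij = turbo_key(A[i], col_j)
            assert k_ij == turbo_key(A[j], col_i)                       # K_{i,j} = K_{j,i}
            assert k_ij == blom_key(A[i], [G[k][j] for k in range(lam + 1)], P)
    return True

if __name__ == "__main__":
    print("all pairwise keys agree:", demo())
```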

Speedup of TurboBlom
In this section, we compare the speed of the TurboBlom and Blom schemes. In the next section, we compare the resilience of the two schemes, a considerably more challenging task.
To compare the speed of the two schemes, we can compare the number of operations each scheme needs. This is not difficult, as both schemes compute the same inner product (3) to generate a pairwise key. In the Blom scheme, computing this inner product needs $\lambda + 1$ field multiplications and $\lambda$ field additions. In the TurboBlom scheme, however, no field multiplication is required: every field multiplication of the Blom scheme is either completely eliminated in TurboBlom or replaced with a simple operation such as a circular shift, which is essentially as fast as a field addition. Using this insight, the following theorem evaluates the speedup of TurboBlom over the Blom scheme.
Theorem 1. Suppose a field multiplication and a field addition require, respectively, $m$ and $a$ units of time. Then TurboBlom's speedup over the Blom scheme is at least
$$\frac{(\lambda + 1)\,m + \lambda\,a}{(2\lambda + 1)\,a}.$$
Moreover, if we use a zero-one matrix in TurboBlom, the above speedup is improved to at least $\left(\frac{m}{a} + 1\right)$ in the worst case, and to at least $2\left(\frac{m}{a} + 1\right)$ on average.
Proof. To generate a pairwise key as specified by (3), the Blom scheme requires $\lambda + 1$ field multiplications and $\lambda$ field additions. This translates to a computation time of
$$(\lambda + 1)\,m + \lambda\,a.$$
In TurboBlom, each field multiplication is either eliminated or replaced with a simple operation (circular shift or bit complement) which is practically as fast as a field addition. Therefore, in the worst case, TurboBlom needs $2\lambda + 1$ field additions, which translates to a computation time of at most
$$(2\lambda + 1)\,a.$$
Therefore, we get a speedup of at least
$$\frac{(\lambda + 1)\,m + \lambda\,a}{(2\lambda + 1)\,a}.$$
If TurboBlom uses a zero-one matrix, then all of the field multiplications are eliminated and at most $\lambda$ field additions remain. Therefore, in this case the speedup is at least
$$\frac{(\lambda + 1)\,m + \lambda\,a}{\lambda\,a} = \left(1 + \frac{1}{\lambda}\right)\frac{m}{a} + 1 \ \ge\ \frac{m}{a} + 1.$$
We note that, on average, half of the field additions are eliminated (due to zeros in the generator matrix) when the elements of the zero-one generator matrix are selected uniformly at random. Let $1 \le \lambda' \le \lambda$ be a random variable denoting the number of required field additions, so that $\mathbb{E}[\lambda'] = \lambda/2$. Then, the expected speedup can be bounded as
$$\mathbb{E}\!\left[\frac{(\lambda + 1)\,m + \lambda\,a}{\lambda'\,a}\right] \ \ge\ \frac{(\lambda + 1)\,m + \lambda\,a}{\mathbb{E}[\lambda']\,a} \ =\ 2\left(\left(1 + \frac{1}{\lambda}\right)\frac{m}{a} + 1\right) \ \ge\ 2\left(\frac{m}{a} + 1\right),$$
where the first inequality follows from the fact that $\mathbb{E}[1/x] \ge 1/\mathbb{E}[x]$ for any positive random variable $x$. Note that Jensen's inequality states that $\mathbb{E}[\phi(x)] \ge \phi(\mathbb{E}[x])$ for any convex function $\phi$. The function $\phi(x) = 1/x$ is convex when $x > 0$, hence the inequality.
Example 3. The speedup of TurboBlom can be significant in practice. For instance, as illustrated in Figs 2 and 3, when the field size is 256 bits, we have $m/a \approx 547$. Therefore, if we use a zero-one matrix in TurboBlom, we can expect a speedup of around $2(547 + 1) = 1{,}096$ over the Blom scheme (i.e., TurboBlom requires about three orders of magnitude fewer clock cycles than the Blom scheme to compute a pairwise key).

Resilience of TurboBlom
As mentioned earlier, we can eliminate all the field multiplications in the pairwise key generation process by using a confined generator matrix $G$. This makes TurboBlom significantly lighter and faster than the original Blom scheme. In addition, as we show in the remainder of this section, TurboBlom can maintain a high resilience against node capture. To this end, we present Theorem 2, which proves that an adversary who has captured a number of nodes and extracted their secret keys gains no information about the pairwise key between any two uncaptured nodes $u_i$ and $u_j$ if neither the $i$th column nor the $j$th column of $G$ is a linear combination of the columns of $G$ that correspond to the captured nodes. Notably, this result holds for any generator matrix $G$, including zero-one matrices.
Prior to presenting Theorem 2, let us first formally define what we mean by "the adversary gains no information".
Definition 1 (Adversary gaining no information). Let us fix the generator matrix $G$ to an arbitrary $(\lambda + 1) \times n$ matrix over $\mathbb{F}_q$. Suppose the adversary has captured and extracted the secret keys of nodes $u_i$, $i \in L$, where $L$ represents the set of captured nodes. Let the $1 \times (\lambda + 1)$ vector $A_i$ over $\mathbb{F}_q$ denote the secret keys of node $u_i$, $i \in L$. Let $\mathcal{D}$ be the set of all $(\lambda + 1) \times (\lambda + 1)$ symmetric matrices that, when used with the generator matrix $G$, result in $A_i$ for every $i \in L$, that is,
$$\mathcal{D} = \{\, D' \text{ symmetric over } \mathbb{F}_q \;:\; (D'\, G_{:,i})^T = A_i \ \text{ for all } i \in L \,\}.$$
Given the above setup, consider a probabilistic experiment in which the random variable $D$ is uniformly distributed over $\mathcal{D}$. Let $K_{s,d}$ be the random variable representing the pairwise key between nodes $u_s$ and $u_d$. We say that the adversary gains no information about $K_{s,d}$ if and only if $K_{s,d}$ is uniformly distributed over $\mathbb{F}_q$.
Lemma 1. Let $V$ be a subspace of the vector space $\mathbb{F}_q^m$, where $m$ is a positive integer. Let $W$ denote the null space of $V$, i.e., the set of vectors orthogonal to every vector of $V$.
Then, for every pair of vectors $y_1, y_2 \in \mathbb{F}_q^m \setminus V$, there exists a vector $w \in W$ such that $w$ is orthogonal to neither $y_1$ nor $y_2$, i.e.,
$$\forall\, y_1, y_2 \in \mathbb{F}_q^m \setminus V,\ \ \exists\, w \in W:\ \ \langle y_1, w \rangle \neq 0 \ \wedge\ \langle y_2, w \rangle \neq 0.$$
Proof. A vector $v \in \mathbb{F}_q^m$ is orthogonal to every vector in $W$ if and only if $v \in V$. Since $y_1 \notin V$, there must exist a vector in $W$ which is not orthogonal to $y_1$. Therefore, the set $W_1$ defined as
$$W_1 = \{\, w \in W \;:\; \langle y_1, w \rangle \neq 0 \,\}$$
is non-empty. Similarly, the set
$$W_2 = \{\, w \in W \;:\; \langle y_2, w \rangle \neq 0 \,\}$$
must be non-empty. If $W_1 \cap W_2 \neq \emptyset$, then we are done, because any vector in $W_1 \cap W_2$ is orthogonal to neither $y_1$ nor $y_2$. Otherwise, we can set $w = w_1 + w_2$, where $w_1 \in W_1$ and $w_2 \in W_2$. Note that $w \in W$. Furthermore, $w_1 \notin W_2$ and $w_2 \notin W_1$, since $W_1 \cap W_2 = \emptyset$. Therefore, by the definition of the sets $W_1$ and $W_2$, we get $\langle y_2, w_1 \rangle = 0$ and $\langle y_1, w_2 \rangle = 0$. Thus
$$\langle y_1, w \rangle = \langle y_1, w_1 + w_2 \rangle = \langle y_1, w_1 \rangle + \langle y_1, w_2 \rangle = \langle y_1, w_1 \rangle + 0 \neq 0, \qquad (6)$$
and
$$\langle y_2, w \rangle = \langle y_2, w_1 + w_2 \rangle = \langle y_2, w_1 \rangle + \langle y_2, w_2 \rangle = 0 + \langle y_2, w_2 \rangle \neq 0. \qquad (7)$$
Thus, the vector $w = w_1 + w_2$ is orthogonal to neither $y_1$ nor $y_2$.
Lemma 2. Let $B$ be a non-zero matrix over $\mathbb{F}_q$, and $\mathcal{A}$ be a non-empty set of matrices over $\mathbb{F}_q$ such that $A + cB \in \mathcal{A}$ for every $A \in \mathcal{A}$ and every $c \in \mathbb{F}_q$. Then, the binary relation $\sim$ on $\mathcal{A}$ defined by $A_1 \sim A_2$ if and only if $A_1 - A_2 = cB$ for some $c \in \mathbb{F}_q$ is an equivalence relation that partitions $\mathcal{A}$ into equivalence classes of exactly $q$ elements each.
Proof. The binary relation $\sim$ on $\mathcal{A}$ is an equivalence relation because it is reflexive, symmetric and transitive: $A - A = 0 \cdot B$; if $A_1 - A_2 = cB$ then $A_2 - A_1 = (-c)B$; and if $A_1 - A_2 = c_1 B$ and $A_2 - A_3 = c_2 B$ then $A_1 - A_3 = (c_1 + c_2)B$. Therefore, the binary relation $\sim$ partitions $\mathcal{A}$ into disjoint equivalence classes, the class of $A \in \mathcal{A}$ being $[A] = \{\, A + cB \;:\; c \in \mathbb{F}_q \,\}$. Finally, note that the coefficient $c \in \mathbb{F}_q$ takes $q$ distinct values. Furthermore, $B$ is non-zero, thus $A + c_1 B \neq A + c_2 B$ whenever $c_1 \neq c_2$. Therefore, every class $[A_i]$ has exactly $q$ distinct elements.
Theorem 2. Let $G$ be an arbitrary $(\lambda + 1) \times n$ matrix over $\mathbb{F}_q$, where $\lambda$ and $n$ are positive integers. Note that, as a special case, $G$ can be a zero-one matrix. Suppose we use $G$ as the generator matrix of the Blom scheme. Suppose the secret random matrix $D$ is uniformly distributed over the set of all $(\lambda + 1) \times (\lambda + 1)$ symmetric matrices. Assume that an adversary has captured and extracted the secret keys of a set $L$ of $l \ge 1$ nodes. Let $g_1, g_2, \dots, g_l$ be the column vectors of $G$ that correspond to these $l$ captured nodes. Let $u_s$ and $u_d$ be any two uncaptured nodes, and $g_s$ and $g_d$ be the two column vectors of $G$ that correspond to $u_s$ and $u_d$, respectively.
Then, the adversary gains no information about the pairwise key between $u_s$ and $u_d$ if and only if neither $g_s$ nor $g_d$ is a linear combination of $g_1, g_2, \dots, g_l$.
Proof. Let $a_1, a_2, \dots, a_l$ be the row vectors of $A$ that correspond to the captured nodes. We have
$$a_i = (D\, g_i)^T, \qquad 1 \le i \le l. \qquad (8)$$
Suppose $g_s$ is a linear combination of $g_1, g_2, \dots, g_l$, that is,
$$g_s = \sum_{i=1}^{l} c_i\, g_i \qquad (9)$$
for some $c_i \in \mathbb{F}_q$. The adversary knows the values of $c_i$, $1 \le i \le l$, because the generator matrix $G$ is public. In addition, the adversary knows $a_i$, $1 \le i \le l$, which are the secret keys of the captured nodes. Therefore, by (8) and (9), the adversary can compute $a_s$ as
$$a_s = \sum_{i=1}^{l} c_i\, a_i, \qquad (10)$$
because
$$a_s = (D\, g_s)^T = \Big(D \sum_{i=1}^{l} c_i\, g_i\Big)^T = \sum_{i=1}^{l} c_i\, (D\, g_i)^T = \sum_{i=1}^{l} c_i\, a_i.$$
Therefore, if $g_s$ is a linear combination of $g_1, g_2, \dots, g_l$, the adversary can compute the secret keys of node $u_s$ (i.e., $a_s$), and thus can compute the pairwise key between $u_s$ and any other node (including $u_d$). Similarly, if $g_d$ is a linear combination of $g_1, g_2, \dots, g_l$, the adversary can compute the secret keys of node $u_d$.
Next, we prove the challenging part, which is that the adversary gains no information about the pairwise key between $u_s$ and $u_d$ if neither $g_s$ nor $g_d$ is a linear combination of $g_1, g_2, \ldots, g_l$. To this end, we assume that neither $g_s$ nor $g_d$ is a linear combination of $g_1, g_2, \ldots, g_l$.
Let $G'$ be the submatrix of $G$ that includes only the column vectors $g_i$, $1 \le i \le l$. Let $A'$ be the submatrix of $A$ that includes only the row vectors $a_i$, $1 \le i \le l$. By (1), we have As in Definition 1, we define $\mathcal{D}$ to be the set of all symmetric matrices $D$ that satisfy Eq (11). Note that the set $\mathcal{D}$ is not empty, because the secret matrix $D$ used in the Blom scheme satisfies (11).
Let $V$ denote the column space of $G'$, and $W$ be the null space of $V$. Recall that neither $g_s$ nor $g_d$ is a linear combination of $g_1, g_2, \ldots, g_l$. Thus, $g_s, g_d \notin V$. Therefore, by Lemma 1, there exists $w \in W$ such that $w$ is orthogonal to neither $g_s$ nor $g_d$. Let $w = (w_1, w_2, \ldots, w_{\lambda+1})$ and $B$ be a $(\lambda+1) \times (\lambda+1)$ matrix over $\mathbb{F}_q$ whose $i$th row, $1$ Furthermore, we have because each row of $B$ is in $W$, hence is orthogonal to every column of $G'$. Therefore, the resulting matrix satisfies (11), hence is in $\mathcal{D}$ by definition. Let us define the binary relation $\sim$ on $\mathcal{D}$ as By Lemma 2, the binary relation $\sim$ is an equivalence relation which partitions $\mathcal{D}$ into equivalence classes of size $q$. Let $[D_i]$ denote the $i$th, $1 \le i \le k$, equivalence class, represented by the matrix $D_i \in \mathcal{D}$. Since the matrix $D$ in the Blom scheme is uniformly distributed over $\mathcal{D}$, it can be represented as where $j$ and $r$ are random variables uniformly distributed over $\{1, 2, \ldots, k\}$ and $\mathbb{F}_q$, respectively. The random variable $j$ indicates the class to which matrix $D$ belongs, and the random variable $r$ indicates which element of the class $[D_j]$ the matrix $D$ is.
Let $a_s = \langle g_s, w\rangle$ (13) and $a_d = \langle g_d, w\rangle$. Note that $a_s \neq 0$ and $a_d \neq 0$, because $w$ is orthogonal to neither $g_s$ nor $g_d$. By (1) and (3), the pairwise key between $u_s$ and $u_d$ is Recall that $a_s$ and $a_d$ are non-zero elements, and $r$ is distributed uniformly over $\mathbb{F}_q$. Therefore, $R = r \cdot a_s \cdot a_d$, and consequently $K_{s,d}$, is distributed uniformly over $\mathbb{F}_q$. Therefore, by Definition 1, the adversary gains no information about $K_{s,d}$. This concludes the proof.
Using Theorem 2, we next evaluate the resilience of TurboBlom. We start by defining fail($l$), a common measure of resilience against node capture.
Definition 2 (Resilience: fail($l$)). We measure the resilience of a scheme by the extent to which the scheme can withstand an adversary that captures a number of nodes. In line with previous works (e.g., [23]), we quantify this measure by fail($l$), which is defined as the probability that the adversary gains information (as per Definition 1) about the pairwise key between two random nodes $u_i$ and $u_j$ by capturing $l$ randomly chosen nodes not involving $u_i$ and $u_j$. The probability space is determined by the above random choices, as well as the random choices made in constructing the secret matrix $D$ and the generator matrix $G$.
In the remainder of this section, we analyze fail($l$) for TurboBlom. In Theorems 3, 4, and 5, we prove that fail($l$) can be made exponentially small in TurboBlom when the generator matrix $G$ is a random matrix.
Theorem 3. Let $\lambda$ and $n$ be positive integers, $S$ be a non-empty subset of $\mathbb{F}_q$, $\mathcal{G}$ be the set of all $(\lambda+1) \times n$ matrices over $S$, and $\mathcal{D}$ be the set of all $(\lambda+1) \times (\lambda+1)$ symmetric matrices over $\mathbb{F}_q$. Suppose TurboBlom uses random matrices $G$ and $D$, uniformly distributed over $\mathcal{G}$ and $\mathcal{D}$, respectively.
Then, for every integer $1 \le l \le \lambda$, we have where $|S|$ denotes the cardinality of the set $S$.
Proof. Suppose that the adversary has captured $l$ random nodes and extracted their secret keys. Since $G$ is uniformly distributed over $\mathcal{G}$, we can w.l.o.g. assume that the captured nodes are $u_1, u_2, \ldots, u_l$. Let $u_s$ and $u_d$, $s, d > l$, be two random uncaptured nodes. Let $g_i$ be the $i$th column vector of $G$, which corresponds to node $u_i$. By Theorem 2, the adversary gains no information about the pairwise key between $u_s$ and $u_d$ if and only if neither $g_s$ nor $g_d$ is a linear combination of $g_1, g_2, \ldots, g_l$.
Let $l'$, $l' \le l$, denote the maximum number of linearly independent vectors among $g_1, g_2, \ldots, g_l$. We can w.l.o.g. assume that the vectors $g_1, g_2, \ldots, g_{l'}$ are linearly independent. By performing elementary column operations, we can convert the $(\lambda+1) \times l'$ matrix $[g_1, g_2, \ldots, g_{l'}]$ into a $(\lambda+1) \times l'$ matrix $H$ that contains the identity matrix $I_{l'}$, that is, $I_{l'}$ is a submatrix of $H$. Note that $g_s$ is a linear combination of $g_1, g_2, \ldots, g_l$ if and only if $g_s$ is in the column space of the matrix $H$, i.e.
where $h_i$ denotes the $i$th column vector of $H$. We have $a_i \in S$ in (15) because i) the elements of $g_s$ are in $S$, and ii) the identity matrix $I_{l'}$ is a submatrix of $H$. Let $\mathcal{A}$ be the set of column vectors of the form (15) for some $a_i \in S$, and $\mathcal{B} = \{g \mid g = [g_1, g_2, \ldots, g_{\lambda+1}]^T,\ g_i \in S\}$. The column vector $g_s$ is uniformly distributed over $\mathcal{B}$. Moreover, Eq (15) holds if and only if $g_s \in \mathcal{A}$. Therefore, the probability that (15) holds is equal to $|\mathcal{A}|/|\mathcal{B}|$. Thus, the probability that $g_s$ is a linear combination of $g_1, g_2, \ldots, g_l$ is at most $1/|S|^{\lambda+1-l}$. Similarly, we can show that the probability that $g_d$ is a linear combination of $g_1, g_2, \ldots, g_l$ is at most $1/|S|^{\lambda+1-l}$. Therefore, the probability that either $g_s$ or $g_d$ is a linear combination of $g_1, g_2, \ldots, g_l$ is at most
Example 4. Suppose TurboBlom uses a random generator matrix with elements from the set $S$ defined in (5), over $\mathbb{F}_p$, where $p$ is the Mersenne prime $2^{127} - 1$. By Theorem 3, we have By Remark 2, the set $S$ has $2n + 1$ distinct elements, where $n = 127$. Therefore, This shows that TurboBlom provides a high level of resilience even when $\lambda - 2$ nodes are captured. Recall that the Blom scheme is fully resilient up to $\lambda$ node captures.
The case of zero-one matrices. By Theorem 3, TurboBlom can achieve high resilience against node capture if $|S|$ is large enough (e.g., $|S| = 255$ as in Example 4). An interesting question is whether TurboBlom can still achieve a high level of resilience if it uses a random zero-one generator matrix (for which $|S| = 2$). A positive answer means that we can further speed up TurboBlom, for two reasons. First, each zero in the generator matrix (which occurs with probability 50% in a uniformly random zero-one matrix) eliminates not only one field multiplication but also one field addition (because adding zero is trivial). Second, if we use a zero-one generator matrix, we do not even need shift operations, as multiplication by 1 is trivial.
In the following, we show the positive news that zero-one matrices can result in a fail($l$) that is exponentially small in $\lambda$. Informally, TurboBlom equipped with a random zero-one generator matrix achieves high resilience against node capture if $\lambda$ is large enough (e.g., $\lambda \ge 30$).
Theorem 4. Let $\lambda$ and $n$ be positive integers, $\mathcal{G}$ be the set of all $(\lambda+1) \times n$ zero-one matrices, and $\mathcal{D}$ be the set of all $(\lambda+1) \times (\lambda+1)$ symmetric matrices over $\mathbb{F}_p$, where $p > (\lambda+1)!$ is a prime number. Suppose TurboBlom uses random matrices $G$ and $D$, uniformly distributed over $\mathcal{G}$ and $\mathcal{D}$, respectively.
Then, for every integer $l$, $1 \le l \le \min\{\lambda, n-2\}$, we have
Proof. Suppose the adversary has captured $l$, $l \le \lambda$, random nodes and extracted their secret keys. Since $G$ is uniformly distributed over $\mathcal{G}$, we can w.l.o.g. assume that the captured nodes are $u_1, u_2, \ldots, u_l$. Let $u_s$ and $u_d$ be two random uncaptured nodes (i.e., $l < s, d \le n$). Let $g_i$ be the $i$th column vector of $G$ (i.e., the column of $G$ that corresponds to node $u_i$). By Theorem 2, the adversary gains no information about the pairwise key between $u_s$ and $u_d$ if and only if neither $g_s$ nor $g_d$ is a linear combination of $g_1, g_2, \ldots, g_l$.
Let $\mathcal{H}_c$, $1 \le c \le \lambda+1$, denote the set of all $(\lambda+1) \times c$ zero-one matrices. Let $H$ be a random matrix uniformly distributed over $\mathcal{H}_{\lambda+1}$. Note that the matrix $G_s = [g_s, g_1, g_2, \ldots, g_l]$ is a random matrix uniformly distributed over $\mathcal{H}_{l+1}$. We have $P(g_s \text{ is a linear combination of } g_1, g_2, \ldots$
because $H$ is a $(\lambda+1) \times (\lambda+1)$ zero-one matrix. Furthermore, by the theorem statement, we have $p > (\lambda+1)!$. Therefore, we get where the second equation is by Theorem A of [32]. Therefore, the probability that $g_s$ (similarly $g_d$) is a linear combination of the vectors $g_1, g_2, \ldots, g_l$ is at most $\left(\tfrac{1}{2} + o(1)\right)^{\lambda+1}$. Thus, by a union bound, the probability that either $g_s$ or $g_d$ is a linear combination of the vectors $g_1, g_2, \ldots, g_l$
Example 5. Let $\lambda + 1 = 30$, that is, each node is preloaded with 30 secret keys. Let $n$ be a positive integer, and $\mathcal{G}$ be the set of all $(\lambda+1) \times n$ zero-one matrices over $\mathbb{F}_p$, where $p$ is a prime number. Let us set the security level to 160 bits (i.e., set the size of pairwise keys to 160 bits) by choosing $p$ to be a prime number of 160 bits, i.e., $2^{159} < p < 2^{160}$. Suppose TurboBlom uses a random zero-one generator matrix uniformly distributed over $\mathcal{G}$.
We have $p > (\lambda+1)!$ in this example. Thus, by Theorem 4, we get that fail($\lambda$) is of order $1/2^{30}$. This implies that there is only a small chance for the adversary to compromise the communication between two nodes $u_s$ and $u_d$ by capturing $\lambda$ other nodes in the network. Note that fail($\lambda$) is remarkably small in TurboBlom despite the use of a random zero-one matrix as the generator matrix.
In Theorem 4, we assumed that $p > (\lambda+1)!$. This does not hold in all settings. For instance, as in Example 5, we may set the security level to 160 bits (i.e., use a prime $p$ of size 160 bits), but preload nodes with 50 secret keys (instead of 30 as in Example 5). In this case we have $p < (\lambda+1)!$, because $p < 2^{160} < 50!$. The next theorem addresses this issue by relaxing the assumption $p > (\lambda+1)!$.
Theorem 5. Let $\lambda$ and $n$ be positive integers, $\mathcal{G}$ be the set of all $(\lambda+1) \times n$ zero-one matrices, and $\mathcal{D}$ be the set of all $(\lambda+1) \times (\lambda+1)$ symmetric matrices over $\mathbb{F}_p$, where $p$ is a random prime number of size $t$ bits, that is, $2^{t-1} < p < 2^t$ for an integer $t$. Suppose $t \ge 16$ (in practice, the value of $t$ is set much larger than 16). Suppose TurboBlom uses random matrices $G$ and $D$, uniformly distributed over $\mathcal{G}$ and $\mathcal{D}$, respectively.
Then, for every integer $l$, $1 \le l \le \min\{\lambda, n-2\}$, we have
Proof. Suppose the adversary has captured $l$ random nodes and extracted their secret keys. Since $G$ is uniformly distributed over $\mathcal{G}$, we can w.l.o.g. assume that the captured nodes are $u_1, u_2, \ldots, u_l$. Let $u_s$ and $u_d$ be two random uncaptured nodes (i.e., $l < s, d \le n$). Let $g_i$ be the $i$th column vector of $G$ (i.e., the column of $G$ that corresponds to node $u_i$). By Theorem 2, the adversary gains no information about the pairwise key between $u_s$ and $u_d$ if neither $g_s$ nor $g_d$ is a linear combination of $g_1, g_2, \ldots, g_l$, that is, if both $g_s$ and $g_d$ are linearly independent of $g_1, g_2, \ldots, g_l$.
Let $\mathcal{H}_c$, $1 \le c \le \lambda+1$, denote the set of all $(\lambda+1) \times c$ zero-one matrices. Let $H$ be a random matrix uniformly distributed over $\mathcal{H}_{\lambda+1}$. Note that the matrix $G_s = [g_s, g_1, g_2, \ldots, g_l]$ is a random matrix uniformly distributed over $\mathcal{H}_{l+1}$. We have $P(g_s \text{ is a linear combination of } g_1, g_2, \ldots$
Thus, by a union bound, we get $\mathrm{fail}(l) = P(g_s \text{ or } g_d \text{ is a linear combination of } g_1, g_2, \ldots$ Let $E_1$, $E_2$ and $E_3$ be the following events: We have Therefore, by (17), we get where the last inequality is by the union bound. By Theorem A of [32], we have Next, to conclude the proof, we show that Suppose that $\det H$ is non-zero and has $k \ge 0$ different prime factors of size $t$ bits. The product of $k$ numbers, each of size $t$ bits, is at least $(2^{t-1})^k = 2^{(t-1)k}$. Therefore, we must have $\det H \ge 2^{(t-1)k}$; thus, by taking the logarithm of both sides of the above inequality, we get
$$k \le \frac{\log_2(\det H)}{t-1}.$$
Let $z$ denote the number of prime numbers of size $t$ bits. Since $p$ is a random prime of size $t$ bits, and $\det H$ has $k$ different prime factors of size $t$ bits, the probability that $p$ is a factor of $\det H$ is $k/z$. Due to Dusart [33], for any integer $x \ge 60184$, we have where $\pi(x)$ denotes the number of primes not greater than $x$. We have $2^{16} > 60184$. Therefore, the number of primes of size $t$ bits, $t \ge 16$, is Therefore, by (18) we get as needed.

A sample application of TurboBlom
To showcase an application of TurboBlom, we use the scheme in this section to present an efficient way to provide end-to-end sender authentication in RPL. We start by covering the basics of the RPL standard and explaining our system model.

Basics of RPL
RPL is a standard routing protocol for LLNs. RPL supports three traffic patterns: Point-to-Multipoint (P2MP), Multipoint-to-Point (MP2P), and Point-to-Point (P2P). To support these traffic patterns, RPL builds one or more Destination Oriented Directed Acyclic Graphs (DODAGs), each of which is uniquely identified by a set of identifiers consisting of the DODAG ID, the instance ID, and the version number (Fig 6). Each DODAG has a specific node, called the root, that acts as a sink for the other nodes in the DODAG and connects the DODAG to other networks. To create and maintain the DODAG, RPL uses three different control messages: DODAG Information Object (DIO), DODAG Information Solicitation (DIS), and Destination Advertisement Object (DAO). RPL control messages are ICMPv6 messages with type 155. The root initiates and manages the DODAG by broadcasting DIO messages over the network.
Prior to joining the network, each node listens for DIO messages. When a node receives a DIO, it can join the network. After joining the network, a node continuously advertises DIOs to indicate its presence. A node can send a DIS to accelerate joining the network or to recover from topology errors. RPL uses DAOs to propagate nodes' information toward the root and to fill the nodes' routing tables in support of P2MP and P2P traffic.
RPL may operate in one of the following security modes:
• unsecured mode: In this mode, RPL does not provide any security measure. It may, however, utilize link-layer security to protect its messages.
• pre-installed mode: In this mode, RPL messages are protected using pre-defined security mechanisms. Secret keys are installed on nodes before they are deployed in the network. Nodes use these preloaded keys to secure RPL messages.
• authenticated mode: Similar to the previous mode, nodes have pre-installed keys, but these keys are used only for authenticating the nodes that want to join the network as leaves. All nodes except the leaf nodes must obtain a second key from an authentication authority after joining the network.
The general format of an RPL control message is shown in Fig 7. The ICMPv6 code field dictates the type of RPL control message: DIO, DIS, or DAO. The Algorithm field determines the algorithm used for authentication/encryption, and the LVL bits specify whether the message is only authenticated, encrypted, or both.

Sender authentication problem in RPL
Sender authentication may be provided using symmetric-key or public-key cryptography.With public-key cryptography (via signatures), a sender can be uniquely identified, whereas with symmetric-key-based techniques, sender authenticity is only provided relative to devices in a key-sharing group.Therefore, in the absence of computationally-heavy public-key-based techniques, RPL is unable to provide fine-grained authentication, which is needed in scenarios that require group communications or in scenarios that require non-repudiation.
Many recent works have attempted to mitigate the sender authentication problem (or closely related problems such as the Sybil attack) in RPL networks. In a recent work, for instance, Raoof et al. [24] proposed a new secure mode, Chained Secure Mode (CSM), for the RPL protocol. In CSM, each node encodes its outgoing messages using a randomly generated code, and updates its neighbors with the next code. CSM only provides sender authentication between neighbors, requires a recovery mechanism, assumes that every first message truly comes from the original sender, and uses a default value of zero as the secret code for the first message from any sender. With regard to the Sybil attack, current solutions (e.g., [25][26][27][28][29]) offer limited mitigation, can only detect a special kind of the attack, or solely detect the existence of a Sybil attack in the network. To provide sender authentication in RPL, and to prevent Sybil attacks (even in the presence of small-scale capture attacks), we propose a new lightweight TurboBlom-based solution in this section. A core feature of our solution is that it prevents an adversary, with high probability, from claiming the identity of an uncaptured node even when the adversary has captured and extracted the secret keys of up to $\lambda$ nodes, where $\lambda$ is a security parameter. We formally state this feature in Proposition 6.
In contrast to the secure CSM mode [24], our solution
• provides end-to-end sender authentication (i.e., communicating nodes do not have to be neighbors);
• does not assume that the first message is truly from the original sender;
• does not require a recovery mechanism when a message is lost (message loss can happen frequently in lossy networks such as LLNs);
• is non-interactive: a sender does not require prior interactions with a receiver in order to send an authenticated message to the receiver.

System model
We consider an RPL network which can support up to $n$ nodes. We assume that there is a trusted entity that, prior to deployment, preloads each node with a set of $\lambda + 1$ secret keys. The trusted entity also preloads every node with public information, including an IP address from a block of IP addresses $[IP_{min}, IP_{max}]$ with $n$ IP addresses (i.e., $IP_{max} - IP_{min} + 1 = n$), as well as the range of the block (i.e., $IP_{min}$ and $IP_{max}$).
We consider an adversary who has captured and extracted the secret keys of $l$, $l \le \lambda$, random nodes. The adversary can also be viewed as a coalition of $l$ random malicious nodes. Our objective is to design a sender-authentication method with high resilience to the above adversary, as defined below.
Definition 3 (A Resilient Sender-Authentication Method). Let $0 \le l \le \lambda$ be an integer, $L \subseteq [IP_{min}, IP_{max}]$ be a set of $l = |L|$ IP addresses selected uniformly at random, and $IP_c$ be an IP address selected uniformly at random from $[IP_{min}, IP_{max}] \setminus L$. Consider an adversary who has captured and extracted the secret keys of all the nodes with IP addresses in $L$. Given a sender-authentication method, let $\mathrm{masq}(l)$ denote the probability that the adversary is able to masquerade as $IP_c$. Then, we call the method a resilient sender-authentication method if $\mathrm{masq}(l)$ is negligible, more specifically if $\mathrm{masq}(l) \le c^{\lambda}$ for a fixed constant $0 < c < 1$.

TAM: A TurboBlom-based authentication mode
In this section, we introduce TAM, a lightweight TurboBlom-based pre-installed mode that provides sender authentication in RPL and is resilient to capture attacks.First, we explain how it works before nodes are deployed in the network.
Prior to deployment. Before nodes are deployed in the network, the trusted entity generates a random public generator matrix $G$ and a random symmetric private matrix $D$ over a finite field $\mathbb{F}_q$ of large order. To generate the random matrix $G$, the trusted entity uses a publicly-known random number generator (e.g., a cryptographic hash function). Since the random number generator used is publicly known, anyone can derive the column of $G$ assigned to an IP address by applying the random number generator function to the IP address. This brings two advantages. First, it binds a column of $G$ to an IP address. Second, nodes do not need to store any column of $G$ (hence saving storage), as each column of $G$ can simply be derived using the random number generator.
After deployment. Suppose that node $u_i$ with IP address $IP_i$ wants to send an authenticated message to another node $u_j$ with IP address $IP_j$. At a high level, $u_i$ first computes $G_{:,j}$ (the public information of $u_j$) from $IP_j$ by applying the random number generator to $IP_j$, that is, $G_{:,j} = H(IP_j)$ (19), where the function $H(\cdot)$ represents the random number generator. It then uses the inner product (3) to compute the pairwise key $K_{i,j}$. After computing $K_{i,j}$, $u_i$ generates an HMAC of its message using the key $K_{i,j}$ and concatenates the MAC to the message. Note that the sender does not need to interact with the receiver to obtain $G_{:,j}$, because it can simply calculate $G_{:,j}$ from the IP address of the receiver (i.e., from $IP_j$) using (19).
The following steps explain the above procedure in more detail (see also Fig 8).
5. Generate the HMAC of the entire message, $\mathrm{HMAC} = \mathrm{Hash}(K_{i,j}, \text{message})$, using a proper lightweight MAC algorithm such as light-MAC [34], and concatenate the MAC to the message;
6. Send the packet to the destination $u_j$ as per the RPL standard.
At the receiver side, node $u_j$ first checks the header of the received message. If the TAM mode is enabled, $u_j$ checks whether the sender's IP address (which is present in the header of the received packet) is within the range $[IP_{min}, IP_{max}]$. If so, $u_j$ generates $G_{:,i}$ using the IP address of the sender. It then computes the pairwise key $K_{j,i} = K_{i,j}$, generates the HMAC of the received message, and compares it to the HMAC embedded in the message. If the two HMACs are equal, $u_j$ accepts the message as authenticated; otherwise, $u_j$ drops the message. The above procedure is illustrated in Fig 9. Note that the procedure is non-interactive, does not assume that the first message truly comes from the sender, and does not assume that the sender and receiver are neighbors.
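As an added example (not the paper's or any RPL implementation's code), the following Python sketch carries out the TAM sender and receiver steps described above, including the range check and the constant-time MAC comparison. The choice of SHA-256 as the public random number generator $H(\cdot)$, HMAC-SHA256 as the MAC, the Mersenne prime $2^{127}-1$ as the field order, and the IPv6 block and addresses are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import random

P = 2**127 - 1        # field order: the Mersenne prime of Example 4 (Example 5 would use a 160-bit prime)
LAMBDA_PLUS_1 = 30    # λ+1 = 30 secrets per node, as in Example 5
KEY_BYTES = (P.bit_length() + 7) // 8


def column_from_ip(ip, rows=LAMBDA_PLUS_1):
    """G_{:,j} = H(IP_j): the zero-one column of G bound to an IP address.
    Assumption of this example: H is SHA-256 over the packed address, and the
    column is its low `rows` bits (rows <= 256)."""
    assert rows <= 256
    digest = hashlib.sha256(b"TAM-column|" + ipaddress.ip_address(ip).packed).digest()
    bits = int.from_bytes(digest, "big")
    return [(bits >> k) & 1 for k in range(rows)]


def make_secret_matrix(size, p=P, rng=random):
    """Random symmetric D over F_p, known only to the trusted entity."""
    d = [[0] * size for _ in range(size)]
    for i in range(size):
        for j in range(i, size):
            d[i][j] = d[j][i] = rng.randrange(p)
    return d


def preload_secrets(D, ip, p=P):
    """Trusted entity, prior to deployment: the node at `ip` receives
    a = D * G_{:,ip} (its row of A = (DG)^T). The node never sees D."""
    g = column_from_ip(ip, len(D))
    return [sum(D[r][k] * g[k] for k in range(len(D))) % p for r in range(len(D))]


def pairwise_key(a, g, p=P):
    """K = <a, g> mod p; with a zero-one column this is additions only."""
    return sum(x for x, bit in zip(a, g) if bit) % p


def tag_message(key, message):
    """MAC of the message under K_{i,j}. Assumption: HMAC-SHA256 keyed with the
    big-endian encoding of K (the paper suggests a lightweight MAC instead)."""
    return hmac.new(key.to_bytes(KEY_BYTES, "big"), message, hashlib.sha256).digest()


def send_authenticated(a_i, ip_i, ip_j, message):
    """Sender u_i: derive G_{:,j} from IP_j, compute K_{i,j}, append the MAC.
    No prior exchange with u_j is needed (non-interactive)."""
    k_ij = pairwise_key(a_i, column_from_ip(ip_j, len(a_i)))
    return {"src": ip_i, "payload": message, "mac": tag_message(k_ij, message)}


def receive_authenticated(a_j, ip_range, packet):
    """Receiver u_j: check the claimed source lies in [IP_min, IP_max], rebuild
    G_{:,i} from it, compute K_{j,i} = K_{i,j} and compare MACs in constant time."""
    ip_min, ip_max = (ipaddress.ip_address(x) for x in ip_range)
    src = ipaddress.ip_address(packet["src"])
    if not ip_min <= src <= ip_max:
        return False                       # outside the preloaded block: drop
    k_ji = pairwise_key(a_j, column_from_ip(str(src), len(a_j)))
    return hmac.compare_digest(tag_message(k_ji, packet["payload"]), packet["mac"])


if __name__ == "__main__":
    D = make_secret_matrix(LAMBDA_PLUS_1, rng=random.Random(7))
    block = ("2001:db8::", "2001:db8::3ff")          # constructed block of 1024 addresses (Example 6)
    ip_i, ip_j = "2001:db8::10", "2001:db8::2a"      # constructed node addresses
    a_i, a_j = preload_secrets(D, ip_i), preload_secrets(D, ip_j)
    dio = b"constructed RPL DIO control message"      # stand-in for an ICMPv6 type-155 payload
    pkt = send_authenticated(a_i, ip_i, ip_j, dio)
    print("genuine packet accepted:", receive_authenticated(a_j, block, pkt))
    pkt["payload"] = b"tampered"
    print("tampered packet accepted:", receive_authenticated(a_j, block, pkt))
```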
The following proposition shows that TAM is a resilient sender-authentication method as defined in Definition 3.
Proposition 6. TAM is a resilient sender-authentication method.
Proof. Let $G$ denote the generator matrix of the TurboBlom instance used in TAM. We have where $\epsilon$ is the probability that the column of $G$ corresponding to $IP_c$ is a linear combination of the columns of $G$ that correspond to the IP addresses in $L$ ($IP_c$ and $L$ are defined in Definition 3). By definition, we have $\mathrm{masq}(l) = \epsilon$; thus, substituting $\epsilon$ with $\mathrm{masq}(l)$ in (20), we get $\mathrm{masq}(l) \le \mathrm{fail}(l)$ (21). Therefore, if we use a random zero-one matrix $G$, by Theorem 4 we get $\mathrm{fail}(l) \le c^{\lambda}$ for a constant $0 < c < 1$, which by (21) implies $\mathrm{masq}(l) \le c^{\lambda}$ for a constant $0 < c < 1$.
Example 6. Consider a network which can support up to 1024 nodes (i.e., the network has been allocated a block with 1024 IP addresses). Suppose we use TurboBlom equipped with a random zero-one generator matrix. Let $\lambda + 1 = 50$, that is, each node is preloaded with 50 secret keys. By Theorems 4 and 5, $\mathrm{fail}(l) \le 1/2^{50}$ for any $l \le \lambda$. Therefore, by the union bound, the probability that an adversary who has captured $l < 50$ random nodes is able to masquerade as any valid IP in the block of 1024 IPs (other than those 50 IP addresses that belong to the captured nodes) is at most $(1024 - 50) \cdot \mathrm{masq}(l) \le (1024 - 50) \cdot \mathrm{fail}(l) \le 10^{-13}$ for any $l \le \lambda$. Therefore, an adversary who has captured fewer than 50 random nodes has an extremely low chance ($\approx 10^{-13}$) of being able to masquerade as any valid IP address that does not belong to the captured nodes.

A numerical case study
To confirm our analytical results, we evaluated the resilience of TurboBlom in a practical setting, where we assume a network with up to $n = 1000$ devices, each capable of storing $\lambda + 1 = 30$ secret keys. We set the order of the finite field to 160 bits, and constructed the generator matrix $G$ randomly by choosing its elements from $S = \{-1, 0, 1\}$ uniformly at random. This choice of $S$ reduces all operations in the key generation to simple additions and subtractions, yet it provides higher resilience than the case $S = \{0, 1\}$. In simple words, the use of $S = \{-1, 0, 1\}$ in practice is more justified than the use of $S = \{0, 1\}$, as the former provides higher resilience at virtually the same computational cost as the latter. The simulation setting parameters are summarized in Table 2.
We simulated the capture attack by selecting $\lambda = 29$ columns of $G$ uniformly at random and checking whether the capture of these 29 nodes (corresponding to the selected columns) would compromise the key of any of the uncaptured nodes. We repeated the above process 100,000 times. The above numerical analysis took more than 240 hours on a Microsoft Azure server with 64 virtual CPUs and 512 GB RAM, yet it was unable to find any set of 29 nodes whose capture results in the compromise of a pairwise key between uncaptured nodes. This is in line with our analytical results, which showed that the chance of an adversary compromising the pairwise key between two uncaptured nodes is extremely low when the adversary captures up to $\lambda = 29$ random nodes. A small value of $\lambda$ was chosen to showcase the high resilience of TurboBlom.

Table 2. Simulation setting parameters.
Parameter | Value | Rationale
Order of finite field | 160 bits | To set the security level to 160 bits
The set $S$ | $S = \{-1, 0, 1\}$ | Provides higher resilience than $S = \{0, 1\}$ at virtually the same computational cost
https://doi.org/10.1371/journal.pone.0295190.t002
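To make the key agreement and the capture check concrete, here is an added Python example (not the paper's own code) that builds TurboBlom over $\mathbb{F}_p$ with $S = \{-1, 0, 1\}$, computes pairwise keys by additions and subtractions only, and runs the case-study procedure above using the criterion of Theorem 2 (an uncaptured node is compromised exactly when its column lies in the span of the captured columns). The field prime (the Mersenne prime of Example 4 rather than a 160-bit prime), the demo matrix sizes and the trial count are this example's assumptions.

```python
import random

P = 2**127 - 1   # Mersenne prime used in Example 4 of the paper (field order assumed here)


def gen_generator_matrix(rows, cols, s=(-1, 0, 1), rng=random):
    """Public (λ+1) x n generator matrix G with entries drawn uniformly from S."""
    return [[rng.choice(s) for _ in range(cols)] for _ in range(rows)]


def gen_secret_matrix(size, p=P, rng=random):
    """Secret symmetric (λ+1) x (λ+1) matrix D over F_p, held by the trusted entity."""
    d = [[0] * size for _ in range(size)]
    for i in range(size):
        for j in range(i, size):
            d[i][j] = d[j][i] = rng.randrange(p)
    return d


def column(G, j):
    """Column g_j of G (the public vector of node u_j)."""
    return [row[j] for row in G]


def preload_keys(D, G, p=P):
    """A = (DG)^T: row j of A, a_j = D g_j, is preloaded into node u_j.
    This is the only step with field multiplications; it runs once, offline."""
    m = len(D)
    return [[sum(D[r][k] * G[k][j] for k in range(m)) % p for r in range(m)]
            for j in range(len(G[0]))]


def pairwise_key(a_i, g_j, p=P):
    """K_{i,j} = <a_i, g_j> mod p. With g_j in {-1,0,1}^(λ+1) the node only
    adds and subtracts its preloaded secrets: no field multiplication."""
    k = 0
    for a, g in zip(a_i, g_j):
        if g == 1:
            k += a
        elif g == -1:
            k -= a
    return k % p


def rank_mod_p(vectors, p=P):
    """Rank of a set of vectors over F_p by Gauss-Jordan elimination."""
    rows = [[x % p for x in v] for v in vectors]
    rank = 0
    for c in range(len(rows[0]) if rows else 0):
        piv = next((r for r in range(rank, len(rows)) if rows[r][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][c], -1, p)            # modular inverse (Python 3.8+)
        rows[rank] = [(x * inv) % p for x in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][c]:
                f = rows[r][c]
                rows[r] = [(x - f * y) % p for x, y in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def compromised_nodes(G, captured, p=P):
    """Theorem 2: once the secrets of `captured` are known, an uncaptured u_s
    loses all its pairwise keys iff g_s is a linear combination (over F_p) of
    the captured columns, i.e. adding g_s does not raise the rank."""
    cap = [column(G, j) for j in captured]
    base = rank_mod_p(cap, p) if cap else 0
    return [s for s in range(len(G[0])) if s not in captured
            and rank_mod_p(cap + [column(G, s)], p) == base]


def simulate_capture(G, l, trials, p=P, rng=random):
    """Case-study procedure: capture l random nodes per trial and count the
    trials in which at least one uncaptured node is compromised."""
    n = len(G[0])
    return sum(1 for _ in range(trials)
               if compromised_nodes(G, rng.sample(range(n), l), p))


if __name__ == "__main__":
    rng = random.Random(2024)
    lam_plus_1, n = 30, 100           # 30 secrets per node; n kept small so the demo is quick
    G = gen_generator_matrix(lam_plus_1, n, rng=rng)
    A = preload_keys(gen_secret_matrix(lam_plus_1, rng=rng), G)
    assert pairwise_key(A[3], column(G, 7)) == pairwise_key(A[7], column(G, 3))
    print("trials with a compromised key:", simulate_capture(G, lam_plus_1 - 1, 5, rng=rng), "of 5")
```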

Conclusion and future work
In this paper, we introduced TurboBlom, a variant of the well-known Blom key predistribution scheme. TurboBlom is significantly lighter than the Blom scheme, as it does not require any field multiplications. Yet, similar to the Blom scheme, TurboBlom 1) guarantees that any two nodes can generate a pairwise key, and 2) is highly resilient against node capture attacks. This is notable, as the Blom scheme provides the highest level of resilience against small-scale node capture attacks. The above features of TurboBlom make it suitable for computationally-constrained devices, which exist in abundance in IoT, for instance as part of RPL networks. Finally, to showcase TurboBlom, we proposed TAM, a lightweight TurboBlom-based secure mode that enables sender authentication in RPL networks. The proposed authentication method is highly resilient to node capture/collusion thanks to the proven resilience of TurboBlom.
One interesting future research direction is to improve the result of Theorem 3. Theorem 3 already establishes a lower bound on the resilience of TurboBlom. In light of Theorems 4 and 5, we believe that there is substantial room for enhancing this lower bound. Another interesting direction is to analyze node capture attacks in a setting where the attacker can selectively, rather than randomly (as typically done in the literature), capture nodes.

Fig 1. The pairwise key between nodes $u_i$ and $u_j$ is the element $K_{i,j}$ of matrix $K$, where $K = A \cdot G$. https://doi.org/10.1371/journal.pone.0295190.g001

Fig 4. Each node $u_1$, $u_2$, $u_3$, and $u_4$ is preloaded with a pair of numbers. The number on each edge is the pairwise key between the two nodes incident to the edge. https://doi.org/10.1371/journal.pone.0295190.g004

Fig 5. The adversary captures node $u_1$ and extracts the secret numbers $c$ and $b$. This will compromise the links between $u_1$ and the other three nodes (the red dashed links). The adversary, however, gains no information about the pairwise keys between $u_2$, $u_3$ and $u_4$, which are $a - c$, $a - b$ and $a + c$. This is because $a$ is uniformly distributed over $\mathbb{F}_q$, hence $a - c$, $a - b$ and $a + c$ are all uniformly distributed over $\mathbb{F}_q$. https://doi.org/10.1371/journal.pone.0295190.g005

Table 1. List of symbols.
Notice that the matrix $D$ is symmetric, and every four columns of the matrix $G$ are linearly independent. The matrix $A$ is then calculated as: $A = (DG)^T =$