New lattice-based key management scheme for clustered wireless sensor networks

To counter quantum algorithms that solve the large integer factorization and discrete logarithm problems in polynomial time, this paper proposes a quantum-resistant key management scheme for clustered sensor networks. A lattice-based cryptosystem provides the quantum resistance of the key management scheme, and the security of the network is further improved through mutual authentication of sensor network nodes. Because sensor nodes have limited storage space, this paper adopts cluster management of the wireless sensor network: most sensor nodes need only a small amount of storage space, which reduces deployment cost. Cluster management is suitable for medium and large-scale deployments of sensor networks. Because data traffic is much larger than mutual-authentication traffic, the sensor nodes use symmetric keys to communicate with each other after mutual authentication, which effectively improves communication efficiency when data communication is frequent. Experiments show that the authentication size of the lattice-based authentication scheme proposed in this paper does not grow as the security level increases and remains relatively stable, while the authentication cost of an RSA-based scheme increases with the security level, so the proposed scheme is better suited to environments that require a high security level. The scheme effectively reduces the cost of mutual authentication between sensor nodes, is conducive to the expansion of the network, and ensures the security of authentication between sensor nodes even in the post-quantum era.


Introduction
Wireless sensor networks integrate micro-electronic technology, sensor technology and communication technology, and can be widely used in education, military, medical, transportation and other fields [1][2][3][4][5]. The security problems of wireless sensor networks come from the characteristics of wireless communication, the strict limitation of sensor node resources and the extensive and dense distribution area of sensor networks. Therefore, it is urgent to ensure the security of wireless sensor networks [6][7][8][9]. In 2016, Mehmood et al. proposed a secure inter-cluster multi-key distribution scheme for wireless sensor networks [10]. In 2017, Zhang et al. proposed a key establishment scheme for wireless sensor networks based on polynomials and a random key pre-distribution scheme [11]. In 2022, Kumar et al. proposed the cryptanalysis and improvement of a mutual authentication protocol for real-time data access in industrial wireless sensor networks [12]. At the end of the last century, Shor proposed a quantum algorithm that solves the large integer factorization and discrete logarithm problems in polynomial time, which brought great attention to research on cryptosystems resistant to quantum computing attacks. At present, special-purpose quantum computers are developing very rapidly, and the solving time of traditional hard mathematical problems such as large integer factorization and discrete logarithm has reached the order of minutes, which poses a great threat to the classical encryption algorithms based on these problems. Post-quantum cryptographic algorithms will play an important role in protecting user information in distributed systems in the quantum era, when general-purpose quantum computers are widely used. Among them, lattice cryptosystems have attracted the attention of many scholars in recent years because of their advantages in efficiency and security [13][14][15][16][17][18]. Lattice ciphers are among the more practical post-quantum cryptographic algorithms [19][20][21][22].

Related work
In 2018, Mehmood et al. proposed a novel secure session key establishment scheme for wireless body area networks in the medical field. To address the important issues of security and patient information privacy in medical wireless body area networks, session keys are established for a specific period of time so that important data related to patient vital signs can be communicated securely, ensuring the security and privacy of vital signs related to the human body [23]. In 2019, Bootle et al. proposed algebraic techniques for short, exact lattice-based zero-knowledge arguments of knowledge [24]. In 2020, Mehmood et al. proposed an energy-efficient and reliable trust-based communication scheme for remote patient monitoring in wireless body area networks, where enforcement of trust and privacy preservation is critical because important parameters are communicated to remote locations. In a WBAN, trust among stakeholders is very important and is considered a critical success factor for the reliability of information exchange between them [25]. In 2021, Lyubashevsky et al. proposed shorter lattice-based zero-knowledge arguments of knowledge via one-time commitments [26]. In 2021, Mehmood et al. proposed an efficient and secure session key management scheme for wireless sensor networks. In that scheme, the main public-key encryption steps of the asymmetric cryptosystem are minimized, and most operations are based on symmetric-key encryption. This greatly reduces the energy consumption of the wireless sensor network while ensuring better security [27]. In 2022, Mehmood et al. proposed a mobile agent-based energy-efficient data aggregation scheme for wireless body area networks. Reliable data aggregation in a WBAN is very important to ensure that data is delivered as soon as possible in healthcare applications. The scheme overcomes the shortcomings of client-server data transfer, and its mobile agent mechanism proves to be a more feasible solution [28]. In 2023, Dharminder et al. [29] designed an efficient lattice-based authenticated key exchange protocol for IoT smart devices using the ring learning with errors assumption, which is robust against different attacks.
In practical applications, most existing wireless sensor network key management schemes are based on traditional cryptographic systems built on the large integer factorization and discrete logarithm problems. In the future quantum era, when general-purpose quantum computers are widespread, these algorithms will face a huge threat. It is therefore necessary to study how to combine sensor network technology with quantum-resistant techniques so that wireless sensor networks are secure against quantum computing attacks, and to design and optimize the deployment of sensor nodes according to the application scenario of the wireless sensor network in order to reduce deployment cost and improve communication efficiency. This paper studies a security protocol based on lattice cryptography, which provides ideas for securing wireless sensor networks and better protects their private data.

Overview of the paper
In practical applications, most existing key management is based on traditional cryptosystems built on the large integer factorization and discrete logarithm problems. In the future quantum era of general-purpose quantum computers, these algorithms will face a great threat. It is therefore necessary to research and develop a negotiation method and system based on key update for the post-quantum era. The rest of the paper is organized as follows: in Section 2, we introduce some basic concepts and algorithms of lattice schemes. In Section 3, we give our network model. In Section 4, we propose a key management scheme. In Section 5, we analyze its correctness and security. In Section 6, we summarize the key management scheme.

Lemma 2.2 ([30]). For any n-dimensional lattice Λ with basis B and ε > 0, we have: $\sqrt{\ln(2n/(1+1/\varepsilon))/\pi}$
Lemma 2.3 ([31]). Let m, k > 1, Λ be an m-dimensional lattice and $c \in \mathbb{Z}^m$. Then:
Lemma 2.4 ([31]). Let $Q \in \mathbb{Z}^{m\times n}$ and Λ be an n-dimensional lattice. Then, for any $\sigma \in \mathbb{R}^m_{>0}$ and $s \in \mathbb{R}^m$ we have:
Lemma 2.5 ([32]). Let $A \in \mathbb{Z}^{n\times m}$ and $W \in \mathbb{Z}^{k\times m}$ be arbitrary matrices and denote by $w_i \in \mathbb{Z}^m$ the i-th row of W. Furthermore, suppose $\sigma = (\sigma_1, \sigma_2, \dots, \sigma_k)$ satisfies the condition of [32]. Then, for any $s \in \mathbb{R}^k$, we have:
Definition 2.6 (Module-SIS, $\mathrm{MSIS}_{n,m,B}$) ([31]). Given $A \leftarrow R_q^{n\times m}$, the Module-SIS problem with parameters n, m > 0 and 0 < B < q asks to find $z \in R_q^m$ such that $Az = 0$ over $R_q$ and $0 < \|z\| < B$. An algorithm ψ is said to have advantage ε in solving $\mathrm{MSIS}_{n,m,B}$ if:
Definition 2.7 (Module-LWE) ([32]). Given $A \leftarrow R_q^{n\times m}$, a secret vector $s \leftarrow \chi^m$ and an error vector $e \leftarrow \chi^n$, the Module-LWE problem with parameters n, m > 0 and an error distribution χ over R asks the adversary ψ to distinguish between the following cases: $(A, As + e)$ for A drawn as above. Then, ψ is said to have advantage
Lemma 2.8 ([30]). TrapSamp($1^n, 1^m, q$): given any integers n ≥ 1, q ≥ 2 and a sufficiently large m = O(n log q), outputs a matrix $A \in \mathbb{Z}_q^{n\times m}$ and a trapdoor matrix $T \in \mathbb{Z}^{n\times m}$ such that the distribution of A is negl(n)-close to uniform.
Lemma 2.9 ([33]). Let n, p be positive integers. Let Λ be a lattice of rank n, and let $\sqrt{5n(1+d)/8}$. Define h as the distribution obtained by sampling α from [−p, p] and s from $c_n^1$ and outputting $v = \alpha \cdot s$. Further, let M > 1 and $t = \sqrt{(l+2)/(p \log_2 e)}$, and let $\sigma \ge \sigma_{\min}$. We now define two distributions:
$P_1$: Sample $v \leftarrow h$ and $y \leftarrow D_{\Lambda,\sigma}$. Define $z = y + v$. Output $(v, z)$ with probability $\min\left(1, \dfrac{D_{\Lambda,\sigma}(z)}{M \cdot D_{\Lambda,\sigma}(z - v)}\right)$.
$P_2$: Sample $v \leftarrow h$ and $z \leftarrow D_{\Lambda,\sigma}$. Output $(v, z)$ with probability $1/M$.
Then it holds that $P_1$ outputs something with probability at least $(1 - 2^{-\lambda})/M$, and that
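Lemma 2.9 is the rejection-sampling step behind the "otherwise, return to regenerate the signature" rule used later in the scheme: the signer adds a Gaussian vector y to a secret-dependent vector v and only releases z = y + v with probability min(1, D(z)/(M·D(z−v))), so that the released value is distributed like a plain Gaussian and leaks nothing about v. The following Python script is an added illustration, not code from the paper. It takes the lattice to be $\mathbb{Z}^n$ (an assumption), constructs v, and uses the parameter choice σ = 12‖v‖ with M = exp(12/α + 1/(2α²)) from Lyubashevsky's rejection-sampling lemma; the function and variable names are the example's own.

```python
import math
import random


def sample_dz(sigma: float, rng: random.Random, tail: float = 6.0) -> int:
    """Sample one integer from D_{Z,sigma} (weight exp(-x^2 / 2 sigma^2)) by
    rejection from the uniform distribution on [-tail*sigma, tail*sigma];
    the Gaussian mass outside that window is negligible for tail = 6."""
    bound = math.ceil(tail * sigma)
    while True:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-x * x / (2.0 * sigma * sigma)):
            return x


def accept_prob(z, v, sigma: float, M: float) -> float:
    """Acceptance probability of P1 in Lemma 2.9: min(1, D(z) / (M * D(z - v))).
    The ratio of the two Gaussian weights is formed in log space so that a
    large exponent cannot overflow."""
    zz = sum(t * t for t in z)
    diff = sum((a - b) ** 2 for a, b in zip(z, v))
    log_ratio = (diff - zz) / (2.0 * sigma * sigma)
    if log_ratio >= math.log(M):   # ratio / M >= 1
        return 1.0
    return math.exp(log_ratio) / M


def sample_p1(v, sigma: float, M: float, rng: random.Random, reject: bool = True):
    """One trial of P1: y <- D_{Z^n,sigma}, z = y + v, output z with the
    rejection probability above, otherwise None (the signer starts over).
    With reject=False every trial is accepted, i.e. the raw sum y + v leaks."""
    y = [sample_dz(sigma, rng) for _ in v]
    z = [a + b for a, b in zip(y, v)]
    if not reject or rng.random() < accept_prob(z, v, sigma, M):
        return z
    return None


def run_trials(v, sigma: float, M: float, trials: int = 30000, seed: int = 7, reject: bool = True):
    """Repeat P1; return (acceptance rate, coordinate-wise mean of accepted z)."""
    rng = random.Random(seed)
    accepted = [z for z in (sample_p1(v, sigma, M, rng, reject) for _ in range(trials)) if z is not None]
    if not accepted:
        return 0.0, None
    mean = [sum(z[i] for z in accepted) / len(accepted) for i in range(len(v))]
    return len(accepted) / trials, mean


def dist(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def lyubashevsky_M(alpha: float) -> float:
    """With sigma = alpha * ||v||, M = exp(12/alpha + 1/(2 alpha^2)) bounds the ratio
    D(z)/D(z - v) except with probability about 2^-100 (Lyubashevsky, Eurocrypt 2012)."""
    return math.exp(12.0 / alpha + 1.0 / (2.0 * alpha * alpha))


if __name__ == "__main__":
    v = [30, 40]                      # constructed secret-dependent shift, ||v|| = 50
    sigma = 12 * dist(v, [0, 0])      # alpha = 12
    M = lyubashevsky_M(12)
    rate, mean = run_trials(v, sigma, M)
    print(f"acceptance rate {rate:.3f}, expected about 1/M = {1 / M:.3f}")
    print(f"mean of accepted z = {mean}: centred on 0, no trace of v")
    _, naive = run_trials(v, sigma, M, reject=False)
    print(f"without rejection the mean is {naive}: centred on v")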

Network model
Wireless sensor networks generally have two kinds of topology: a flat structure and a hierarchical structure. In a flat-structure network all nodes are equal and there is no bottleneck in principle, so it is relatively robust. Its biggest disadvantages, however, are that the network size is limited, routing maintenance cost is high, and energy consumption is relatively high. In the hierarchical structure the network is divided into clusters, each consisting of a cluster head node and multiple cluster members, so it is also called a heterogeneous network. The cluster head nodes form a higher-level network that is responsible for collecting and forwarding data between clusters. The cluster structure reduces the energy cost of transmission and is conducive to network expansion. In this method, the clustered wireless sensor network model is used to manage the keys of the sensor nodes. The sensor network model is shown in Fig 1. In this paper, an anti-quantum key management method for clustered sensor networks is proposed. The details are as follows:
1. This paper assumes that each cluster head sensor node is assigned its own identity and a public/private key pair based on a lattice public-key cryptosystem. The cluster head sensor node plays a key role in the network: it can communicate directly with the host, and it collects the information sent by the ordinary sensor nodes in its cluster and forwards it to the host.
2. All sensor nodes in each cluster communicate securely through the symmetric key shared by the cluster, and the ordinary sensor nodes in the cluster can communicate with each other directly. Indirect communication with the host or with sensor nodes outside the cluster is carried out through the cluster head.
3. When the cluster head sensor node finds that the communication key is no longer secure, it should deal with it in time and redistribute a new communication key through the host.
4. In special cases, cluster head sensor nodes can also communicate directly by negotiating a communication key between themselves. To further enhance the security of the symmetric key used for communication, a lifetime can be specified for the symmetric key; it is invalidated automatically when the specified time period is exceeded.

Key management scheme
In the anti-quantum key management method for clustered sensor networks proposed in this paper, the trusted third-party security host generates the system security parameters needed for the key management scheme. The identity and public/private key pair of each cluster head sensor node are then generated from these security parameters, and the private information is pre-distributed to the corresponding cluster head sensor nodes. The cluster head sensor node plays a key role in the network, collecting the information sent by the ordinary sensor nodes in the cluster and forwarding it to the host. The sensor nodes in each cluster communicate securely through the symmetric key shared in the cluster, and the ordinary sensor nodes in the cluster can communicate with each other directly. Indirect communication with sensor nodes outside the cluster is carried out through the cluster head. When both sides of a communication feel threatened, the cluster head sensor nodes can also communicate directly by negotiating a communication key. To further improve the security of the symmetric key used for communication, the scheme stipulates that once the specified period of time is exceeded the symmetric key automatically expires and a new communication key is redistributed through the host.
The key management scheme involves a few parameters: a prime $q_1$ and a prime modulus $q$ with $q, q_1 \ge 2$, and integer dimensions $n, k, d, \tau, \lambda \ge 1$. The key management scheme proceeds as follows:

Sensor node identity and key distribution
Distribution of public and private key pairs, communication keys and identification of the Host and cluster head sensor nodes
1. Choose a random public matrix $A \in \mathbb{Z}_q^{n\times m}$.
2. Choose a random parameter x: , where i, h and Q represent the i-th cluster head sensor node, the Host and the total number of cluster head sensor nodes respectively.

Compute:
The public key of the Host is $(A, y_h)$, the private key of the Host is $x_h$, and the identification of the Host is $ID_h$.
5. The public key of the i-th cluster head sensor node is $(A, y_i)$, and the private key of the i-th cluster head sensor node is $x_i$.
7. The communication key of each cluster head sensor node is $k_i$, $i = 1, 2, \dots, Q$, which is the symmetric key of some traditional symmetric cryptosystem (RSA encryption system, etc.).

Distribution of public and private key pairs, communication keys and identification of ordinary sensor nodes
1. The identification of $C_i^j$ (the j-th ordinary sensor node in the i-th cluster) is $ID_i^j \in \{0,1\}^n$, $i = 1, 2, \dots, Q$, $j = 1, 2, \dots, Q_i$, where i indicates that the ordinary sensor node belongs to the i-th cluster, j indicates that it is the j-th sensor node in the i-th cluster, and $Q_i$ is the total number of ordinary sensor nodes in the i-th cluster.
2. The communication key of the ordinary sensor nodes in each cluster is $k_i$, $i = 1, 2, \dots, Q$, where i denotes the i-th cluster.
3. The public key of the ordinary sensor nodes in each cluster is $(A, y_i)$, the public key of the i-th cluster head sensor node.

Communication key invalidation
Assume that the communication key of the i-th cluster has failed (including cases such as theft). The i-th cluster head sensor node immediately broadcasts a communication key failure message to all sensor nodes in the i-th cluster, then re-authenticates and negotiates a new communication key with the Host. Finally, the negotiated new communication key is sent point-to-point to the valid sensor nodes in the i-th cluster. The specific process of renegotiating the new communication key with the Host is as follows:
1) First, mutual authentication is carried out. The authentication process of Host to $C_i$:
The i-th cluster head sensor node $C_i$:
1. Input the public key $(A, y_i)$, the private key $x_i$ and the identification $ID_i$.
Otherwise, return to regenerate the signature.

The verification process of Host:
1. Input the public key $(A, y_i)$, the signature message $(\eta, \eta', \mu_i)$ and the identification $ID_i$.

Verification:
If the above equation holds and the authentication of Host to $C_i$ succeeds, proceed to the next step; otherwise terminate the key negotiation process.

2) The authentication process of $C_i$ to Host
The Host:
1. Input the public key $(A, y_h)$, the private key $x_h$ and the identification $ID_h$.

The verification process of $C_i$:
1. Input the public key $(A, y_h)$, the signature message $(\eta_h, \eta'_h, \mu_h)$ and the identification $ID_h$.

Compute:
If the above equation holds and the authentication of $C_i$ to Host succeeds, proceed to the next step; otherwise terminate the key negotiation process.

The decryption process of $C_i$:
1. Input the private key $x_i$ and the ciphertext message $(\mu_k, \mu'_k, k_H)$. If the above equation holds and the decryption succeeds, $C_i$ obtains the new communication key $k'_i$; otherwise, decryption fails.

4) $C_i$ assigns a new communication key to the i-th cluster
The i-th cluster head sensor node encrypts the new communication key $k'_i$ with its own private key $x_i$: and then sends the ciphertext message $(\mu_i, \mu'_i, k_i)$ point-to-point to all valid ordinary sensor nodes of the i-th cluster. After receiving the message from the i-th cluster head sensor node, each ordinary sensor node of the i-th cluster decrypts the ciphertext message $(\mu_i, \mu'_i, k_i)$ with the public key of the i-th cluster head sensor node. After decryption, the ordinary sensor node obtains the new communication key $k'_i$; the encryption and decryption steps follow the process by which the Host reassigns a new communication key. Finally, the new communication key $k'_i$ can be used to communicate securely with all sensor nodes (including the cluster head node) of the i-th cluster.
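The network model and the invalidation procedure above together describe a lifecycle: a per-cluster symmetric key with a fixed lifetime, a key-failure broadcast by the cluster head, re-authentication with the Host, and point-to-point delivery of the new key to valid members only. The Python script below is an added illustration of that lifecycle and is not the paper's code. The paper's lattice-based signature and key transport are replaced by an HMAC-SHA256 stand-in keyed with a per-cluster-head secret shared with the Host (an assumption made only to keep the example self-contained), and the node names, key lifetime and payloads are constructed.

```python
"""Toy model of the clustered key-management lifecycle (added illustration).
The lattice primitives are replaced by an HMAC-SHA256 stand-in (assumption)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

KEY_LIFETIME = 3600.0  # seconds; assumed value, the paper only requires a fixed period


def mac(key: bytes, msg: bytes) -> bytes:
    """Keyed MAC standing in for the cluster's symmetric cryptosystem."""
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class ClusterKey:
    value: bytes
    issued_at: float
    lifetime: float = KEY_LIFETIME

    def valid_at(self, now: float) -> bool:
        return 0.0 <= now - self.issued_at < self.lifetime


@dataclass
class Member:
    """Ordinary sensor node C_i^j: stores only the current cluster key."""
    node_id: str
    key: Optional[ClusterKey] = None

    def send(self, payload: bytes, now: float):
        if self.key is None or not self.key.valid_at(now):
            raise PermissionError(f"{self.node_id}: no valid cluster key")
        return payload, mac(self.key.value, payload)

    def accept(self, payload: bytes, tag: bytes, now: float) -> bool:
        if self.key is None or not self.key.valid_at(now):
            return False  # expired or missing key: message rejected
        return hmac.compare_digest(tag, mac(self.key.value, payload))


class Host:
    """Trusted host: authenticates cluster heads and issues fresh cluster keys."""

    def __init__(self) -> None:
        self.auth_secrets: Dict[str, bytes] = {}  # stand-in for (A, y_i) / x_i
        self.pending: Dict[str, bytes] = {}       # outstanding challenges

    def enroll(self, head_id: str) -> bytes:
        self.auth_secrets[head_id] = secrets.token_bytes(32)
        return self.auth_secrets[head_id]

    def challenge(self, head_id: str) -> bytes:
        self.pending[head_id] = secrets.token_bytes(16)
        return self.pending[head_id]

    def rekey(self, head_id: str, response: bytes, now: float) -> Optional[ClusterKey]:
        nonce, secret = self.pending.pop(head_id, None), self.auth_secrets.get(head_id)
        if nonce is None or secret is None or not hmac.compare_digest(response, mac(secret, nonce)):
            return None  # authentication failed: negotiation terminated
        return ClusterKey(secrets.token_bytes(32), now)


class ClusterHead:
    """Cluster head C_i: re-authenticates with the Host and redistributes the key."""

    def __init__(self, cluster_id: str, auth_secret: bytes, members: List[Member]) -> None:
        self.cluster_id, self.auth_secret, self.members = cluster_id, auth_secret, members
        self.revoked: Set[str] = set()
        self.key: Optional[ClusterKey] = None

    def invalidate_and_rekey(self, host: Host, now: float, compromised=()) -> bool:
        self.revoked.update(compromised)      # key-failure broadcast would go out here
        nonce = host.challenge(self.cluster_id)
        new_key = host.rekey(self.cluster_id, mac(self.auth_secret, nonce), now)
        if new_key is None:
            return False
        self.key = new_key
        for m in self.members:                # point-to-point delivery to valid nodes only
            if m.node_id not in self.revoked:
                m.key = new_key
        return True


def run_scenario() -> Dict[str, bool]:
    """Initial distribution, a suspected theft, rekeying, expiry and a rogue head."""
    host = Host()
    members = [Member(f"C_1^{j}") for j in range(1, 5)]
    head = ClusterHead("C_1", host.enroll("C_1"), members)
    head.invalidate_and_rekey(host, now=0.0)
    old = head.key.value
    msg, tag = members[0].send(b"temp=21.5", now=10.0)
    ok_before = members[3].accept(msg, tag, now=10.0)
    head.invalidate_and_rekey(host, now=100.0, compromised=["C_1^4"])
    msg, tag = members[0].send(b"temp=21.7", now=110.0)
    rmsg, rtag = members[3].send(b"temp=99.9", now=110.0)  # revoked node still holds the old key
    rogue = ClusterHead("C_9", b"not-enrolled", [])
    return {
        "accepted_before_revocation": ok_before,
        "rotated": head.key.value != old,
        "valid_members_share_key": all(m.key.value == head.key.value for m in members[:3]),
        "revoked_member_isolated": not members[0].accept(rmsg, rtag, now=110.0)
        and not members[3].accept(msg, tag, now=110.0),
        "expired_key_rejected": not members[1].accept(msg, tag, now=100.0 + KEY_LIFETIME + 1),
        "rogue_head_rejected": not rogue.invalidate_and_rekey(host, now=200.0),
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check:28s} {result}")
```

The design point worth noticing is that the revoked node is excluded not by telling it anything, but by never delivering the new key to it: its old key remains syntactically valid until it expires, yet every message it sends or receives fails the MAC check against the rotated key.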

Cluster head node key negotiation process
The communication key is not distributed between cluster heads, because in general cluster heads do not communicate directly. If in special cases cluster head sensor nodes must communicate directly, they can first authenticate each other and then negotiate a communication key between themselves. Suppose the i-th and the j-th cluster head sensor nodes need to communicate directly; the negotiation process is as follows:
1. The i-th and j-th cluster head sensor nodes authenticate each other; the mutual authentication process follows the first two steps of the communication key invalidation procedure. If the authentication succeeds, proceed to the next step, otherwise the key negotiation process is terminated.
2. The key agreement between the i-th and j-th cluster head sensor nodes follows the last step of the communication key invalidation procedure.
3. Finally, through mutual authentication and negotiation the i-th and j-th cluster head sensor nodes obtain the communication key $k_{i,j}$, with which they can communicate securely and directly.

Correctness
The correctness of decryption in the key management scheme follows from our choice of parameters. Specifically, to show correctness we follow the proof strategy of [32]: we first compute k. We have: The correctness of the signature in the scheme follows from our choice of parameters. Specifically, to show correctness, we first compute $\mu_H = \eta \cdot A - \eta' \bmod q$. We have:

Security
Unforgeability: a successful interaction between the signer and the user can only generate a legitimate signature. Here it is proved that if there is an adversary A able to forge signatures, then the MLWE problem can be solved by a polynomial-time algorithm. That is, assuming there is an adversary A who can forge a valid message signature with non-negligible probability δ, a valid solution to the MLWE problem can be found in polynomial time.
Proof: First, it is emphasized that the output of the proposed signature authentication scheme is independent of the signing key. For the two main output hashes in the scheme and the signature of the message to be signed, the adversary A queries the two algorithms.
Once the adversary is able to forge signatures, the challenger T will be able to solve the MLWE problem.
Hash query: the challenger T creates an initially empty list $L_H$ to store the hash query values for the message $ID_{T_i} \cdot A \bmod q$. When the challenger T receives a hash query about the message from the adversary A, T first checks the list $L_H$ to see whether the message has already been queried. If so, the message and hash result pair $(ID_{T_i} \cdot A \bmod q,\ H(ID_{T_i} \cdot A \bmod q))$ is sent to the adversary A; otherwise, T runs the algorithm to generate the hash value $H(ID_{T_i} \cdot A \bmod q)$ of the message $ID_{T_i} \cdot A \bmod q$, sends the result to A, and stores the pair $(ID_{T_i} \cdot A \bmod q,\ H(ID_{T_i} \cdot A \bmod q))$ in the list $L_H$.
1. Choose random parameters:
Forgery: suppose $\mu_{H,j}$ is the result of a hash query returned to the adversary A. If it could be obtained for two different signature pairs $(\eta, \eta', \mu_{H,j})$ and $(\eta^*, \eta'^*, \mu^*_{H,j})$, there would be a hash collision; but a hash collision can hardly happen because of the collision resistance of the hash function. Therefore, with high probability $\eta = \eta^*$ and Finally, it can be claimed that the MLWE problem has been solved; the detailed process is as follows: $\mu_{H,j}$ is assumed to be the result of the hash query that the challenger returns to the adversary A.
Therefore, the adversary A can forge a new signature $(\eta^*, \eta'^*, \mu^*_{H,j})$ with $\eta \cdot A - \eta' = \eta^* \cdot A - \eta'^*$; according to the system parameter setting of the signature authentication scheme, the following equation can be obtained: which holds with non-negligible probability, that is, a solution of the MLWE problem is found in polynomial time.
However, because the MLWE problem cannot be solved in polynomial time, the assumed adversary A cannot exist. Therefore, the signature authentication of the proposed key management scheme satisfies unforgeability in the random oracle model.

Efficiency analysis
In this section we focus on the computational complexity of our lattice-based key management protocol compared with related key protocols: the protocols of ref. [4], ref. [15] and ref. [20]. The test environment is an Intel Core i7-12700 processor with 32 GB DDR4 memory running Windows 10; the test programs are written in Python 3.9 and the cryptographic functions are implemented with the PyCryptodome library. The results are shown in Table 1.
According to the above analysis, the message authentication size of the proposed authentication protocol is $m\log(12\sigma)$, which depends only on the message m and the parameter σ. The authentication sizes for different security levels (64, 128, 192, 256, 320, 384, 448 and 512 bits) can be calculated for the system parameters $n = 256$, $q = 2^{32}$. The results are shown in Table 1, which gives the authentication size at each security level for our lattice-based scheme and for RSA and ECC authentication. As shown in Table 1, as the security level of RSA increases, the required authentication size grows very quickly, which makes it unsuitable for encrypting large data at high security levels. The size of the lattice-based authentication proposed in this paper, by contrast, changes little and stays at a stable level, which is more suitable for encrypting large data at high security levels. The authentication size of ECC grows somewhat more slowly than that of RSA, but it still doubles as the security level increases. In addition, schemes implemented with RSA and ECC cannot resist quantum computing attacks, whereas the lattice-based authentication protocol in this paper has good anti-quantum security. With the development of quantum computers and quantum computing, lattice cryptography will be a very practical cryptographic algorithm in the quantum era.
Therefore, the lattice-based scheme proposed in this paper has better security, and at higher security levels its efficiency also has certain advantages.

Conclusions
Using cluster management of the wireless sensor network, most sensor nodes need only a small amount of storage space, which effectively reduces deployment cost and the number of mutual authentications between sensor nodes, and is suitable for medium and large-scale deployments. After mutual authentication, the sensor nodes use symmetric keys for data communication. Since the amount of data to be communicated is much greater than the amount of data to be authenticated, carrying the data communication over a traditional symmetric cryptosystem effectively improves data security and communication efficiency. The clustered sensor network key management method proposed in this paper has the advantages of a simple process, high security and high efficiency. The cluster structure reduces the cost of frequent mutual authentication caused by transmission and is beneficial to the expansion of the network. It is suitable for deployment in applications such as forest fire prevention and urban air quality monitoring. Even in the post-quantum era it can guarantee the security of mutual authentication between sensor nodes, and it has broad prospects for practical application. The size of the lattice-based authentication proposed in this paper changes little as the security level increases, whereas that of RSA grows with the security level; the authentication size stays at a stable level, which is more suitable for encrypting large data at a high security level.
For future work, we will continue to investigate lattice-based, quantum-resistant key management schemes that support more flexible signature strategies.

3) The Host reassigns a new communication key
The Host generates a new communication key $k'_i$, encrypts $k'_i$ with its own private key $x_h$, and then sends the encrypted message $(\mu_k, \mu'_k, k_H)$ to the i-th cluster head sensor node $C_i$. After receiving the message from the Host, $C_i$ decrypts the message $(\mu_k, \mu'_k, k_H)$ with the public key $(A, y_h)$ of the Host. After decryption, the i-th cluster head sensor node $C_i$ obtains the new communication key $k'_i$ and can communicate securely with the Host using $k'_i$. The specific process is as follows:
The encryption process of Host:
1. Input the public key $(A, y_i)$ of $C_i$ and the new communication key $k'_i$.
2. Choose random parameters: $\theta_k \leftarrow \{-\tau, \dots, \tau\}^m$, $e \leftarrow \{-\tau, \dots, \tau\}^n$, $e' \leftarrow \{-\tau, \dots, \tau\}$.

7. Output the ciphertext message $(\mu_k, \mu'_k, k_H)$, and Host sends the signed message $(\mu_k, \mu'_k, k_H)$ to $C_i$.
Output the signature message $(\eta_h, \eta'_h, \mu_h)$, and Host sends the signed message $(\eta_h, \eta'_h, \mu_h)$ to $C_i$. Otherwise, return to regenerate the signature.
For the signature of the message ðZ * ; Z