Hindawi Publishing Corporation
International Journal of Distributed Sensor Networks
Volume 2014, Article ID 492802, 17 pages
http://dx.doi.org/10.1155/2014/492802

Research Article
Protecting Data Source Location Privacy in Wireless Sensor Networks against a Global Eavesdropper

Rong-hua Hu, Xiao-mei Dong, and Da-ling Wang

School of Information Science and Engineering, Northeastern University, Shenyang 110004, China

Correspondence should be addressed to Xiao-mei Dong; [email protected]

Received 28 September 2013; Revised 10 February 2014; Accepted 15 July 2014; Published 13 August 2014

Academic Editor: Zujun Hou

Copyright © 2014 Rong-hua Hu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Data source location privacy (DSLP) is of great importance for some asset monitoring applications in wireless sensor networks (WSNs). Besides the source simulation (SS) method to protect the DSLP against a global eavesdropper in WSNs, other existing methods are based on the panda-hunter game model (PHGM) without considering the communication between data sources and reporter sources, which can cause them to be ineffective. Moreover, there are two limitations in SS. First, the reporter source cannot generate effective event reports. Second, it is unsuitable to track multiobjects accurately. To address the former issue, an improved source simulation (ISS) method is proposed which adjusts the event report strategy. To solve the latter issue, an updated-panda-hunter game model (UPHGM) is proposed and a formal model of the DSLP issues is also presented. Then, based on the UPHGM, an energy-efficient grid-based pull (GBP) scheme is designed to protect the DSLP by combining a light-weight security object collection scheme with an effective grid partition method. Analysis and simulation results show that GBP outperforms SS and ISS in terms of energy cost on the whole.

1. Introduction

A wireless sensor network (WSN) typically consists of a large number of nodes which integrate sensor modules, processing modules, wireless communication modules, and energy modules to sense physical or environmental conditions and collect data. WSNs have promising application prospects in both military and civil domains, such as military surveillance, wildlife habitat monitoring, target tracking, and home automation [1–3]. Compared with traditional networks and ad hoc networks, WSNs have several typical characteristics, such as restricted-resource, no infrastructure, and large number of nodes. These characteristics lead to more challenges in the research of security problems in WSNs [4, 5].

Many works to date in WSN security have focused on providing authentication, confidentiality, integrity, and freshness services. However, for some special applications, it is not enough to provide those security services solely. For example, in the panda-hunter scenario [6], called panda-hunter game model (PHGM), a WSN is deployed to track endangered giant pandas in a vast panda habitat. Each panda carries an electronic tag, called tag-node in this paper, to emit event-trigger-signals, which can be detected by sensors. When a sensor node, called reporter source, detects this signal, it generates an event report and then sends it to a sink node with the help of a security route mechanism. An adversary (the hunter) may locate the monitored pandas, called data sources in this paper, either by detecting the event-trigger-signals or via eavesdropping on the communication between the reporter sources and the sink nodes. Therefore, it is very important to provide the data source location privacy (DSLP) service for this kind of applications.

At present, many efforts have been done to protect the DSLP in WSNs [7, 8]. However, most of them are effective only for local adversaries who merely monitor the local network traffic. For a global adversary, who can monitor the whole network traffic, these approaches would not work. Recently, several schemes have been proposed to protect the DSLP against a global adversary [9–19]. However, most of them except the source simulation (SS) method in [9, 10] ignore the communication between data sources and reporter sources, which makes these approaches ineffective.


Moreover, the SS method also has two limitations. (1) The reporter source cannot generate effective event reports. (2) It is unsuitable to track multiobjects accurately.

In this paper, we focus on protecting the DSLP against a global adversary who can monitor and collect all the messages transmitted in the network at all time. The contributions of this work are summarized in the following.

(i) We point out the existing problems of the source simulation method in [9, 10] and propose an improved source simulation (ISS) method under the panda-hunter game model (PHGM) by adjusting the event report strategy. The ISS method copes with the defect existing in SS, in which the reporter source cannot generate effective event reports.

(ii) We propose an updated-panda-hunter game model (UPHGM), which overcomes the disadvantage of the PHGM and is suitable to monitor multiobject sources. Also, a formal model of the DSLP issues under the UPHGM is given.

(iii) We present an energy-efficient grid-based pull scheme to protect the DSLP under the UPHGM, which includes a light-weight security object collection scheme and an effective grid partition method. It can make sure that, wherever a data source lies, there is at least one node which can authenticate and collect its related information; meanwhile, it can provide security services including confidentiality, authentication, integrity, freshness, and source location privacy. Compared with the source simulation method and the improved source simulation method, it is more energy-efficient.

(iv) We evaluate the energy overhead in both theory and simulation. The results show that (1) the grid-based pull (GBP) method outperforms the SS method and the ISS method on energy overhead on the whole; (2) the energy cost of ISS is comparable to that of SS under low privacy requirement.

The rest of the paper is organized as follows. Section 2 discusses related work. In Section 3, the improved source simulation (ISS) method under the panda-hunter game model (PHGM) is described. In Section 4, the updated-panda-hunter game model (UPHGM) and the formal model of the DSLP issues are presented. In Section 5, the grid-based pull scheme under the UPHGM is proposed. Section 6 describes our evaluations, and Section 7 concludes the paper.

2. Related Work

In [7, 8], extensive surveys have been conducted on the location privacy problem in WSNs. According to adversaries' capability of monitoring network traffic, existing approaches can be classified into three classes: countering a local adversary [6, 20–28], countering several local adversaries [29], and countering a global adversary [9–19]. In this section, we briefly survey the major related works to provide the DSLP under a global adversary in WSNs.

In [9, 10], two techniques, called periodic collection and source simulation, respectively, were proposed to prevent the leakage of the DSLP. The main idea of the periodic collection method, also called ConstRate scheme in [11], is to make the traffic pattern independent of the presence of real objects. Each node periodically sends packets at a reasonable frequency regardless of whether it has real data to send or not. However, this approach consumes a substantial amount of energy for latency-sensitive applications. It also does not consider the traffic generated by electronic tags, which the adversary can also use to infer the locations of monitored objects. By simulating the movement patterns of real objects, the source simulation (SS) method creates candidate traces in the network to hide the traffic generated by real objects. It works as follows: before deployment, select $L$ nodes as token nodes and preload each of them with a unique token ID. After deployment, each token node can masquerade as a real object to emit event-trigger-signals for event detection. When a node detects the signal, it generates an event report and delivers it to the sink node. The token node then determines the token node of the next round in its neighborhood (including itself) and passes the token to the selected node. In order to prevent the adversary from using the token pass messages to distinguish real objects from fake ones, the nodes that detect the real object also need to send a masked token pass message each round. However, this approach has two problems that affect the information collection about real objects. First, as the event-trigger-signals emitted by token nodes and real objects are the same, not only can the adversary not tell them apart, but the nodes in the network cannot tell them apart either. As a result, nodes cannot determine whether real event reports or dummy event reports are generated. Second, when there are two or more objects in the network, if a node detects two event-trigger-signals in two rounds, it cannot distinguish whether the signals come from two objects or from one object. Hence, it cannot track multiobjects accurately.

A fitted probabilistic rate scheme, called FitProbRate, was devised in [11] to reduce the event report delay in the ProbRate scheme. In the ProbRate scheme, the time intervals between message transmissions follow the exponential distribution. In order to reduce the real event report latency, the nodes send the real event reports as soon as possible while keeping the message transmission intervals following the same distribution. Based on the FitProbRate, a distributed resource allocation algorithm was proposed in [12] to achieve data source anonymity by mixing real event messages with carefully chosen dummy traffic. However, the FitProbRate scheme only considers the event indistinguishability, in which the intertransmission times of the real event reports are indistinguishable from the desired distribution of fake transmissions, and ignores the interval indistinguishability, in which the intertransmission times of fake and real intervals are indistinguishable. The adversary can distinguish the real intervals from the fake intervals and then discover the real objects. In order to solve this problem, an improved method was proposed in [13, 14]. They introduced the same correlation of intertransmission times during real intervals to intertransmission times during fake intervals.

To reduce the traffic caused by the ConstRate scheme in [9, 10] and the ProbRate scheme in [11], a proxy-based filtering scheme (PFS) and a tree-based filtering scheme (TFS), based on proxies and data aggregation, were presented in [15]. In PFS, proxies are selected to collect and filter dummy messages from surrounding nodes. Also, proxies are formed into a tree hierarchy, and the dummy messages are dropped on the way from proxies to sink nodes. In order to explore the impacts of proxy filtering approaches on the network lifetime, different proxy assignment strategies and different deployment scenarios were investigated in [16]. In [17], a data aggregation scheme based on a cluster-tree hierarchical architecture was proposed to reduce the message overhead by aggregating multiple messages in a single transmission. However, these approaches are also not suited for latency-sensitive applications, because when a node detects a real event, it delays the transmission of the real event report such that the next intermessage interval follows the normal application distribution. Similar to periodic collection in [9, 10], these approaches also do not consider the traffic generated by electronic tags.

In [18], four schemes, called naïve, global, greedy, and probabilistic, were proposed to protect the DSLP against a global adversary. The naïve scheme is similar to the periodic collection method in [9, 10]. Every node periodically sends a real or forged message. The time interval between message transmissions is usually quite long to reduce the communication cost. Therefore, this approach can cause long delay. In order to reduce the delivery latency, the global and the greedy approaches were presented to discover the shortest delivery latency path. However, the global approach requires the knowledge of global network topology and transmission schedules, and it is impractical for every node to store the topology of the whole network and to compute the fastest path. The greedy approach is a heuristic method. Every node chooses the neighbor that has the shortest waiting time and is closer to the sink node as the next hop route node. In order to reduce the communication overhead, a probabilistic approach was proposed. This approach lets every node probabilistically transmit messages to guarantee that every node can hear a message during any fixed period of time. However, it ignores that a real object may be detected by several nodes simultaneously, which will generate event reports and lead to more network traffic around the object. This abnormal traffic can help the adversary to discover the real object.

In [19], a spatiotemporal process replication scheme for generating dummy network traffic was proposed to disguise the real event report. The method assumed that monitored events obey a Poisson temporal distribution with a known rate and a uniform spatial distribution over the network area. A subset of nodes regularly acts as fake sources and generates dummy network traffic with the same event distribution. However, the method ignores the spatial correlation of events about a real object, which can help the adversary locate the real object. For example, the traces of a panda do not follow a uniform spatial distribution over the network during a relatively short period of time. The adversary can locate the panda by observing the traces in a relatively small network area.

3. Improved Source Simulation (ISS) Method under the PHGM

As mentioned above, all of the prior approaches except the SS method in [9, 10] ignored the event trigger process from tag-nodes. The adversary can defeat all of these approaches by monitoring the additional traffic from tag-nodes. Therefore, to avoid this situation, we should adopt the SS method to simulate the additional traffic pattern generated by tag-nodes. However, as described in Section 2, the SS method has two defects. First, a reporter source cannot generate effective event reports, since the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable. Second, it is not suited to track multiobjects accurately. In this section, we propose an improved source simulation (ISS) method to solve the first problem for single-object monitoring applications. For multiobjects monitoring applications, in order to track the objects effectively and accurately, the event-trigger-signals should contain related information of the monitored objects. The corresponding solving approach will be presented in Section 5.

3.1. Protocol Description. Before deployment, randomly select $L$ nodes as token nodes and preload each of them with a unique token ID. Every token node will masquerade as a real object to emit event-trigger-signals for event detection. We assume that the infrastructure of secure communications has been established after deployment. Note that in this approach the adversary is similar to the one considered in [9–16, 18, 19]; that is, it cannot compromise any sensor node. The event report process includes the following three steps, as shown in Figure 1.

(1) Emit Event-Trigger-Signal. A token node or a tag-node emits an event-trigger-signal for event detection around its local area. A node that detects the signal sets itself as a candidate reporter source.

(2) Pass Token. The token node and the candidate reporter sources send the messages, called token-pass-msg, according to their roles, respectively. We assume that the length of the time interval for passing the token-pass-msg, called token-pass-slot, is $\Delta_{tk}$.

[Figure 1: Event report process of the ISS scheme. Legend: common node, reporter source, eavesdropping node, tag-node, token node, sink. Steps shown: (1) emit a signal; (2) pass token / mimic pass token; (3) generate event report.]

After the token node emits an event-trigger-signal, it sets a timer, called timer-for-token-passing, with value $T_{tk} \in (0, \Delta_{tk})$. When the timer expires, the token node broadcasts a real token-pass-msg as follows:

$$
\begin{aligned}
\text{token-pass-msg} &= \mathrm{ID}_S,\ t_s,\ E_{K_{\mathrm{next}}}(\mathrm{DATA1}),\ E_{K_{\mathrm{grp}}}(\mathrm{DATA2}),\ \mathrm{MAC1},\ \mathrm{MAC2},\\
\mathrm{DATA1} &= \text{token-ID},\ t_s,\\
\mathrm{DATA2} &= \text{chosen-report-ID},\ t_s,\\
\mathrm{MAC1} &= \mathrm{MAC}_{K_{\mathrm{next}}}(\mathrm{DATA3}),\\
\mathrm{MAC2} &= \mathrm{MAC}_{K_{\mathrm{grp}}}(\mathrm{DATA3}),\\
\mathrm{DATA3} &= \mathrm{ID}_S,\ t_s,\ E_{K_{\mathrm{next}}}(\mathrm{DATA1}),\ E_{K_{\mathrm{grp}}}(\mathrm{DATA2}),
\end{aligned}
\tag{1}
$$

where $\mathrm{ID}_S$ is the identifier (ID) of the sending node; $t_s$ is a timestamp used to distinguish different events and to provide freshness service, and its value is the sending delay plus the time when the event-trigger-signal is emitted; token-ID is the token identifier of the token node; chosen-report-ID is the ID of the node which is selected by the token node to generate the event report, with the shortest distance to the sink node; $K_{\mathrm{next}}$ is the pairwise key between the token node and the one in the next round, which is selected by the token node in its neighborhood (including itself); $K_{\mathrm{grp}}$ is the group key shared among the sending node and its neighborhood; $E_K(\mathrm{DATA})$ is the ciphertext of DATA encrypted with key $K$; and $\mathrm{MAC}_K(\mathrm{DATA})$ is the message authentication code (MAC) of DATA computed by using key $K$.

Upon detecting the event-trigger-signal, the candidate reporter source also sets a timer, called timer-for-token-passing, with value $T_{tk} \in (0, \Delta_{tk})$. When the timer expires, the candidate reporter source broadcasts a fake token-pass-msg as follows:

$$
\text{token-pass-msg} = \mathrm{ID}_S,\ t_d,\ \text{randomDATA}, \tag{2}
$$

where $t_d$ is a timestamp to distinguish different events, and its value is the time when the event-trigger-signal is detected by it; randomDATA is a random binary sequence code, and its length should satisfy the fact that all token-pass-msgs have the same length, to prevent the adversary from distinguishing the real token-pass-msg from the fake token-pass-msg via packet length. Note that the transmission delay is negligible; for example, transmitting one bit of information over a distance of 50 m only needs 0.17 μs. Hence, for the same event, the difference between $t_d$ and $t_s$ is equal to the error of synchronized clocks. Therefore, we can distinguish different events by comparing the time field in the token-pass-msgs.

Upon receiving a token-pass-msg, the node $\mathrm{ID}_i$ first checks the MAC2 using the group key $K_{\mathrm{grp}}$ shared with the sending node $\mathrm{ID}_S$. If the MAC2 is verified, it sets a flag called report-flag as true, decrypts the corresponding encrypted field using the shared group key, and checks the MAC1 using the pairwise key $K_{\mathrm{next}}$ with node $\mathrm{ID}_S$. If chosen-report-ID = $\mathrm{ID}_i$, it sets a flag called generate-flag as true. If the MAC1 is verified, it decrypts the corresponding encrypted field using the pairwise key $K_{\mathrm{next}}$, records the token-ID, and sets itself as the token node of the next round.

(3) Generate and Send Event Reports. When the token-pass-slot is over, the token node and the candidate reporter sources generate and send event reports according to the following situations.

(i) If the generate-flag of the node $\mathrm{ID}_i$ is true, it means that (1) the event-trigger-signal is emitted by a token node and (2) it is selected by a token node to generate the event report. It generates a fake event report and delivers it to the sink node through an established routing path using the pairwise key between them.

(ii) If the report-flag of the node $\mathrm{ID}_i$ is false, it means that the event-trigger-signal is emitted by a tag-node. If it also does not receive any token-pass-msg for the same event from a node closer to the sink node, it generates a real event report and delivers it to the sink node through an established routing path using the pairwise key between them.

Compared with the source simulation method in [9, 10], the ISS method has two main advantages. (1) Candidate reporter sources can distinguish real events from fake events by authenticating token-pass-msgs. (2) Only one node generates an event report for each event-trigger-signal, so the amount of network traffic can be reduced largely.
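The message formats of equations (1) and (2), the receiver checks, and the step (3) decision, as an added example that is not code from the paper. The field widths, the 16-byte truncated HMAC-SHA256 tags, the HMAC keystream standing in for $E_K$, and all function names, node IDs and keys are assumptions; the paper does not specify them.

```python
import hashlib
import hmac
import os
import struct

HDR = struct.Struct(">HI")            # assumed layout: 2-byte ID, 4-byte timestamp
MAC_LEN = 16                          # assumed: HMAC-SHA256 truncated to 16 bytes
MSG_LEN = 3 * HDR.size + 2 * MAC_LEN  # header + two ciphertexts + two MACs


def _crypt(key, nonce, data):
    """Stand-in for E_K and D_K (assumption): XOR with an HMAC-SHA256 keystream."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, b"enc" + nonce + bytes([block]), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _mac(key, data):
    return hmac.new(key, b"mac" + data, hashlib.sha256).digest()[:MAC_LEN]


def build_real(id_s, t_s, token_id, chosen_report_id, k_next, k_grp):
    """Equation (1): ID_S, t_s, E_Knext(DATA1), E_Kgrp(DATA2), MAC1, MAC2."""
    header = HDR.pack(id_s, t_s)
    data1 = HDR.pack(token_id, t_s)
    data2 = HDR.pack(chosen_report_id, t_s)
    data3 = header + _crypt(k_next, header, data1) + _crypt(k_grp, header, data2)
    return data3 + _mac(k_next, data3) + _mac(k_grp, data3)


def build_fake(id_s, t_d):
    """Equation (2): ID_S, t_d, randomDATA, padded to the length of a real message."""
    header = HDR.pack(id_s, t_d)
    return header + os.urandom(MSG_LEN - len(header))


def receive(msg, my_id, grp_keys, pair_keys):
    """Receiver checks; grp_keys and pair_keys map a sender ID to the key shared with it."""
    state = {"report_flag": False, "generate_flag": False, "token_id": None}
    if len(msg) != MSG_LEN:
        return state
    n = HDR.size
    header, c1, c2, data3 = msg[:n], msg[n:2 * n], msg[2 * n:3 * n], msg[:3 * n]
    mac1, mac2 = msg[3 * n:3 * n + MAC_LEN], msg[3 * n + MAC_LEN:]
    id_s, _t = HDR.unpack(header)
    k_grp = grp_keys.get(id_s)
    if k_grp is None or not hmac.compare_digest(mac2, _mac(k_grp, data3)):
        return state                     # MAC2 fails: fake token-pass-msg
    state["report_flag"] = True          # the signal came from a token node
    chosen, _ = HDR.unpack(_crypt(k_grp, header, c2))
    state["generate_flag"] = chosen == my_id
    k_pair = pair_keys.get(id_s)
    if k_pair is not None and hmac.compare_digest(mac1, _mac(k_pair, data3)):
        # MAC1 verifies only for the holder of K_next: the next token node.
        state["token_id"], _ = HDR.unpack(_crypt(k_pair, header, c1))
    return state


def decide(states, heard_from_closer_node):
    """Step (3), at the end of the token-pass-slot, over the messages heard for one event."""
    if any(s["generate_flag"] for s in states):
        return "fake-report"
    if not any(s["report_flag"] for s in states) and not heard_from_closer_node:
        return "real-report"
    return "silent"


def demo():
    """Constructed scenario: token node 7 picks node 8 to report and node 9 as next holder."""
    k_grp7, k_7_8, k_7_9 = b"G" * 16, b"A" * 16, b"B" * 16   # constructed keys
    real = build_real(7, 1000, 42, 8, k_next=k_7_9, k_grp=k_grp7)
    fake = build_fake(10, 1000)          # sent by candidate reporter source 10
    node8 = receive(real, 8, {7: k_grp7}, {7: k_7_8})
    node9 = receive(real, 9, {7: k_grp7}, {7: k_7_9})
    tag_case = receive(fake, 8, {10: b"H" * 16}, {10: b"C" * 16})
    return real, fake, node8, node9, tag_case


if __name__ == "__main__":
    for item in demo()[2:]:
        print(item)
```

Both message kinds come out at the same length, so an eavesdropper without $K_{\mathrm{grp}}$ sees only a sender ID, a timestamp and bytes it cannot tell from random, while a neighbor holding the group key separates the two cases with the MAC2 check.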

4. UPHGM and Problem Formalization

Although prior work for protecting the DSLP against a global adversary was mainly based on the PHGM described in Section 1, only the SS method in [9, 10] considered reporter sources to generate real event reports depending on event-trigger-signals. It is more realistic than the assumption that nodes of the protected network can sense the monitored objects while the adversary cannot. In practice, directly recognizing an object is a very challenging work due to the difficulty of distinguishing the physical features of the objects from background noises [10]. In this section, we will present an updated-panda-hunter game model (UPHGM). We also assume that every monitored object is equipped with a sensor node to emit signals which can be detected by nodes in the network, as in [9, 10]. The UPHGM includes a network model and an attack model.

[Figure 2: The considered network architecture. Legend: sink, common node, reporter source, eavesdropping node, tag-node, relay-node.]

4.1. Network Model. We assume that a homogeneous WSN, called obj-WSN, is deployed by an organization to monitor specific objects such as giant pandas, as shown in Figure 2. The obj-WSN consists of $N$ common nodes and one sink node. All of the common nodes have roughly the same resources. Each common node $u$ has a unique node identifier ($\mathrm{ID}_u$) and knows its own location. The communication radius of every common node is $R$. Since directly recognizing the object is very difficult, in order to avoid directly sensing the objects, every monitored object is embedded with a sensor node, that is, a tag-node, to emit event-trigger-signals, called Object-msg. A reporter source which receives an Object-msg will generate a real event report and transmit it to the sink node according to a chosen route mechanism. The communication radius of every tag-node is $r$. To distinguish different objects, each tag-node $v$ also has a unique tag identifier ($\mathrm{TID}_v$). Each Object-msg contains the TID of the tag-node and other information of interest (interest-info).

4.2. Attack Model. We assume that the adversary has his/her own sensor network deployed in the same area, as shown in Figure 2, to monitor the global network traffic of the obj-WSN, as in [9, 10]. Note that the deployment time of the adversary's network is later than that of the obj-WSN. More specifically, we assume that the adversary's network can be deployed only once the infrastructure of secure communications of the obj-WSN has been established. The adversary can monitor the whole network traffic, including the Object-msgs emitted by tag-nodes. Knowing a global view of the network traffic, the adversary can easily deduce where the objects are moving around. For example, an object is very likely close to tag-nodes and reporter sources. We do not consider the situations in which the monitored objects can be directly recognized by sensors. If that happens, then the adversary can launch the direct sensing attack, and no defense mechanism can protect the location privacy of the monitored objects.

In addition, the adversary has the following characteristics.

(1) To appropriately study privacy, we apply Kerckhoffs's principle [30]. We assume that the adversary knows the communication protocols and defense mechanisms of the obj-WSN. Each eavesdropping node knows its own location, as shown in Figure 2.

(2) To be invisible from the obj-WSN, the adversary considered in this paper may launch only passive attacks and avoid active attacks, as in [9, 10]. However, since the network may also be attacked by other adversaries with different attack aims, we also need to prevent them from launching some active attacks, such as injecting bogus data, by utilizing the security weaknesses of the defense mechanisms.

4.3. Distinction from the PHGM. The main difference between UPHGM and PHGM is that the former considers the Object-msg containing the TID of the tag-node and other interest-info, which is more suitable for many practical applications. For example, for multiobjects monitoring applications, if Object-msg contains no information of a monitored object and is only used to trigger event detection, a reporter source cannot generate an accurate event report for the corresponding object, because it does not know which tag-node emits the received Object-msg. And for many applications, we may want to know the state information or health characteristic information about monitored objects. Therefore, the UPHGM is more realistic and effective than the PHGM for many applications to monitor multiobjects.

Compared with the PHGM, the UPHGM yields a new problem which needs to be solved: how to forward Object-msgs to the sink node securely while providing location privacy to tag-nodes and reporter sources under a global adversary. Prior work only considered the location privacy of reporter sources and ignored the location privacy of tag-nodes. Although reporter sources can use the established pairwise keys to communicate with common nodes securely, tag-nodes are mobile and resource constrained, so they cannot first establish pairwise keys with all common nodes in the network and then use the corresponding keys to communicate with the corresponding nodes securely. Therefore, secure and effective protocols have to be designed to implement the secure communications between tag-nodes and reporter sources while providing their location privacy.

4.4. Formal Model. The problem $\Omega$ for protecting the source location privacy against a global adversary in WSNs can be represented by an eight-tuple ($O$, $\mathrm{Net}_O$, $\mathrm{Net}_A$, $D$, $C_D$, $A$, $S_A$, and $b$), where one has the following.

(1) $O$ is the set of monitored objects. We assume that the size of $O$ is $M$. Every monitored object can move around in the deployment area.

(2) $\mathrm{Net}_O$ is the monitoring network deployed by a valid organization, such as the obj-WSN.

(3) $\mathrm{Net}_A$ is the hunting network deployed by an adversary to eavesdrop on the network transmissions of $\mathrm{Net}_O$.

(4) $D$ is the set of defense strategies to protect the source location privacy.

(5) $C_D$ is the cost of defense strategies, mainly consisting of energy cost.

(6) $A$ is the set of attack strategies to infer the locations of monitored objects.

(7) $S_A$ is the set of candidate objects in whose range the adversary expects to find the monitored objects.

(8) $b$ is the level of privacy in terms of bits. It is defined as [9, 10]

$$
b = -\sum^{|S_A|} \frac{1}{|S_A|} \log_2 \frac{|O|}{|S_A|} = \log_2 \frac{|S_A|}{M}, \tag{3}
$$

where $|S_A|$ and $|O|$ are the size of $S_A$ and $O$, respectively.

Given the level of privacy $b$, our goal is to achieve it with minimum defense overhead $C_D$.

5. Grid-Based Pull (GBP) Scheme under the UPHGM

As we have pointed out in Section 4, the UPHGM is more realistic than the PHGM and is suitable to monitor multiobjects accurately. However, there are still more challenges. In this section, we will propose a grid-based pull scheme to protect the DSLP under the UPHGM by combining a light-weight security object collection scheme with an effective grid partition method. It includes selecting communication scheme and determining grid size. And its implementation is then presented.

5.1. Selecting Communication Scheme. The first main challenge is to effectively authenticate and communicate between a mobile tag-node and each potential communication node in the network. There are two kinds of communication schemes: push scheme and pull scheme. For push scheme, each tag-node broadcasts Object-msg periodically. As the tag-nodes are mobile, every node in the network has to be able to authenticate each tag-node. For pull scheme, the query nodes broadcast query messages periodically. In this case, each tag-node must be able to authenticate every node in the network.

Compared with the push scheme, the pull scheme is more secure for our problem. For the push scheme, if any node is compromised by the adversary, he or she can obtain the secret information, such as secure keys, stored in the compromised node and then upload the obtained secret information to every eavesdropping node. As a result, when any tag-node broadcasts an Object-msg, eavesdropping nodes can authenticate the message and recognize the monitored object. For the pull scheme, if any node is compromised by the adversary to launch stealthy attacks, he or she shall not broadcast query messages using the obtained secure information. If he or she does so, it is very likely to expose the eavesdropping nodes to the obj-WSN and to trigger alarms. Only when a monitored object lies in the communication range of the compromised node, and the compromised node is just the query node, is the location of the monitored object exposed to the adversary without triggering alarms. Therefore, as shown in Table 1, considering security, we should select the pull scheme.

Table 1: Comparison of communication schemes.

| Scheme | Reporting way of tag-nodes | Authentication requirement | Resistance to node compromise |
|---|---|---|---|
| Push | Active broadcast | Each sensor node is able to authenticate all tag-nodes | Single-point failure |
| Pull | Passive reply | Each tag-node is able to authenticate all sensor nodes | Only tag-nodes nearby the compromised nodes probably fail |

However, due to resource constraints, for example, the storage resource, in order to let a tag-node be able to authenticate every node in the network, obviously we cannot select symmetric approaches, which require the tag-node to store a large number of pairwise keys. Hence, for storage efficiency, we should adopt an asymmetric authentication approach. Considering the asymmetric feature between tag-nodes and common nodes in the obj-WSN, we design an authentication approach based on the identity-based cryptography (IBC), which will be described in Section 5.3.

5.2. Determining Grid Size. The second problem we consider is how to reduce the number of query nodes as largely as possible while keeping the high quality tracing of the monitored objects. To reduce the number of query nodes, we divide the whole network area into a number of virtual grids. And in each grid, a node, called duty node, is selected to collect information of the monitored objects. To balance energy load among nodes, each node can be responsible for collecting the information for a certain time interval in turn as duty node. Hence, the second problem can be translated into the problem of how to determine the size of the virtual grid to satisfy both the query requirement and the connectivity requirement. The query requirement means that no matter where a tag-node is in the network, its relevant information can be detected by at least one query node. The connectivity requirement means that nodes in a grid are capable of communicating with those nodes in an adjacent grid.

On the one hand, to meet the query requirement, there should be at least one full grid in the circle with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, just as illustrated in Figure 3. Obviously, the smaller the size of the grid is, the more full grids are in the circle. To reduce the number of query nodes as largely as possible, we need to determine the maximum size of the grid. We have derived the theoretical maximum size of the grid and have the following theorem.

Figure 3: Example of query requirement in the communication range of the tag-node containing at least a full grid.

Theorem 1. To ensure that no matter where a tag-node is in the network, there is at least one full grid in the circle $C_r$ with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, the maximum length $a$ of the grid is $r/\sqrt{2}$.

Proof. Firstly, we prove that there is at least one full grid in the circle $C_r$ when $a = r/\sqrt{2}$. We assume that the circle $C_r$ does not contain any full grid. Obviously, in this case, the center of the circle is at the common vertex of four grids most likely, as shown in Figure 4. In this case, the circle $C_r$ just contains four full grids, as shown in Figure 4. That is, the assumption does not hold. In other words, there is at least one full grid in the circle $C_r$.

Secondly, we prove that $a$ is the maximum length. We assume that the length $a^* = a + \varepsilon$ ($\varepsilon > 0$) also satisfies the requirement in the theorem. However, when the center of the circle is at the common vertex of four grids, the length of the diagonal line of one grid is $l_d = \sqrt{2}a^* = \sqrt{2}(a + \varepsilon) = \sqrt{2}(r/\sqrt{2} + \varepsilon) > r$, so the circle $C_r$ does not contain any full grid, which contradicts the assumption, as shown in Figure 4. That is, the assumption does not hold. This proves that $a$ is the maximum length.

On the other hand, according to [31], to satisfy the connectivity requirement, the length $a$ of the grid should satisfy $a \le R/\sqrt{5}$, where $R$ is the communication radius of every common node, as shown in Figure 5.

Figure 4: Example of one tag-node at the common vertex of four grids.

Figure 5: Example of connectivity requirement according to [31].

As the communication radius of the common node is usually not less than that of the tag-node, we assume that $R = \lambda r$, where $\lambda \ge 1$. Let $l$ be the length of the network. Define $m$ and $n$ by

$$m = \frac{l}{r/\sqrt{2}}, \qquad n = \frac{l}{R/\sqrt{5}}. \tag{4}$$

That is, $m$ and $n$ are the number of grids according to the above two dividing methods, respectively. Then we have the following conclusions.

(i) If $m = n$, that is, $\lambda = \sqrt{2.5}$, the above two dividing methods are the same.

(ii) If $m > n$, that is, $\lambda > \sqrt{2.5}$, to satisfy the above two requirements, we should select the former dividing method.

(iii) If $m < n$, that is, $1 \le \lambda < \sqrt{2.5}$, to satisfy the above two requirements, we should select the latter dividing method.

5.3. Implementation of the Grid-Based Pull Scheme. In this subsection, we introduce the implementation of the grid-based pull scheme, including predeployment phase, grid formation phase, and report collection phase.

5.3.1. Predeployment Phase. Before deploying the obj-WSN, we assume that a trusted authority (TA) does the following operations.


(1) Generate system parameters ($p$, $q$, $E/F_p$, and $G_a$), where $p$, $q$ are two large primes, $E/F_p$ indicates an elliptic curve $y^2 = x^3 + ax + b$ over the finite field $F_p$, and $G_a$ is a $q$-order subgroup of the additive group of points of $E/F_p$.

(2) Choose two hash functions: $H: \{0, 1\}^* \rightarrow G_a$, mapping strings to nonzero elements in $G_a$, and $h$, mapping arbitrary inputs to fixed-length outputs, for example, SHA-1 [32].

(3) Select a random element $k \in Z_q^* = \{x \mid 1 \le x \le q - 1\}$ as the network master secret.

(4) Calculate $H(\mathrm{ID}_u) = (X_u, Y_u)$ and the IBC key $IK_u = kH(\mathrm{ID}_u) \in G_a$ for each common node $u$. Note that, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to obtain $k$ from any ($IK_u$, $\mathrm{ID}_u$) pair.

(5) Randomly select $L$ common nodes as token nodes and preload each of them with a unique token ID.

Each common node $u$ is preloaded with the public system parameters ($p$, $q$, $E/F_p$, $G_a$, $H$, and $h$), its private key $IK_u$, its public key $(X_u, Y_u)$, and a pairwise key with the sink node, $K_{u\text{-bs}}$. Each tag-node $v$ is preloaded with the same public system parameters as each common node, the network master secret $k$, and a pairwise key with the sink node, $K_{v\text{-bs}}$.

5.3.2. Grid Formation Phase. After deploying the obj-WSN, we assume that every common node can obtain its own location information using some localization methods, such as [33, 34]. Also, we assume that every common node can obtain the location information $(x_{\mathrm{bs}}, y_{\mathrm{bs}})$ of the sink node, either via a preloading method or via a broadcasting method. The grid identifier $G_u = (g_{x\text{-}u}, g_{y\text{-}u})$ of node $u$ can be calculated using the following:

$$g_{x\text{-}u} = \left\lceil \frac{x_u - x_{\mathrm{bs}}}{a} \right\rceil, \qquad g_{y\text{-}u} = \left\lceil \frac{y_u - y_{\mathrm{bs}}}{a} \right\rceil, \tag{5}$$

where $x_u$ and $y_u$ indicate the geographic location of node $u$ and $a$ is the side length of a grid, which is determined according to Section 5.2.
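The sizing rule of Section 5.2 and the grid identifier of (5), as an added example that is not part of the original paper: it picks the largest side length allowed by both the Theorem 1 bound and the connectivity bound from [31], computes grid identifiers, and checks the query requirement numerically. The function names, the tolerance, and the sample coordinates are constructed for illustration.

```python
import math
import random

def grid_side(r, R):
    """Largest side a meeting a <= r/sqrt(2) (query) and a <= R/sqrt(5) (connectivity)."""
    if r <= 0 or R < r:
        raise ValueError("expected 0 < r <= R, i.e. lambda = R/r >= 1")
    return min(r / math.sqrt(2), R / math.sqrt(5))

def grid_id(x, y, x_bs, y_bs, a):
    """Grid identifier of equation (5), relative to the sink at (x_bs, y_bs)."""
    return (math.ceil((x - x_bs) / a), math.ceil((y - y_bs) / a))

def full_grids_in_range(x, y, r, x_bs, y_bs, a):
    """Identifiers of grids lying entirely inside the circle of radius r around (x, y)."""
    lo_x, lo_y = grid_id(x - r, y - r, x_bs, y_bs, a)
    hi_x, hi_y = grid_id(x + r, y + r, x_bs, y_bs, a)
    limit = r * (1 + 1e-9)  # tolerance for corners that sit exactly on the circle
    full = []
    for gx in range(lo_x, hi_x + 1):
        for gy in range(lo_y, hi_y + 1):
            # Grid (gx, gy) spans ((gx-1)a, gx*a] x ((gy-1)a, gy*a] measured from the sink.
            corners = [(x_bs + cx * a, y_bs + cy * a)
                       for cx in (gx - 1, gx) for cy in (gy - 1, gy)]
            # A square is inside the circle exactly when all four corners are.
            if all(math.hypot(px - x, py - y) <= limit for px, py in corners):
                full.append((gx, gy))
    return full

def uncovered_positions(r, a, trials=2000, seed=1, extent=100.0):
    """Count random tag positions (constructed test data) with no full grid in range."""
    rng = random.Random(seed)
    misses = 0
    for _ in range(trials):
        x, y = rng.uniform(-extent, extent), rng.uniform(-extent, extent)
        if not full_grids_in_range(x, y, r, 0.0, 0.0, a):
            misses += 1
    return misses

if __name__ == "__main__":
    r = 10.0
    for R in (10.0, 20.0):  # lambda = 1 and lambda = 2
        print("R =", R, "side =", round(grid_side(r, R), 3))
    a = r / math.sqrt(2)
    # Tag-node on a grid vertex: the worst case used in the proof of Theorem 1.
    print("full grids at a = r/sqrt(2):", len(full_grids_in_range(0.0, 0.0, r, 0.0, 0.0, a)))
    print("full grids at 1.01a:", len(full_grids_in_range(0.0, 0.0, r, 0.0, 0.0, 1.01 * a)))
    print("uncovered random positions:", uncovered_positions(r, a))
```

With the side length enlarged by 1%, a tag-node standing on a grid vertex no longer has any full grid in range, which is the case the second half of the proof relies on.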

To form virtual grids in the network initialization phase, each common node $i$ broadcasts a hello message (hello-msg) as follows:

$$\text{hello-msg} = \mathrm{ID}_i,\ x_i,\ y_i. \tag{6}$$

Upon receiving the hello-msg from node $i$, the node $u$ first calculates the grid identifier $G_i$ of node $i$ using the $(x_i, y_i)$ information. If $G_i = G_u$, it then puts the information ($\mathrm{ID}_i$, $x_i$, $y_i$) of node $i$ into its same-grid table in descending order of ID number; otherwise, it puts the information ($\mathrm{ID}_i$, $x_i$, $y_i$) of node $i$ into its non-same-grid table in increasing order of distance to the sink node.

To avoid additional communication overhead caused by the duty node role rotation, we can stipulate the rotation order, for example, in descending (or increasing) order of ID number in each grid. Thus, each grid will have a duty node when the network initialization finishes, and also each node will rotate as duty node in a stipulated order.

5.3.3. Report Collection Phase. We assume that, in the network initialization phase, an effective key-based mechanism is adopted, such as [35–37]. That is, an infrastructure for secure communication has been established. To achieve anonymity, nodes may need to use pseudonyms to communicate with each other according to the requirement. We adopt the method in [29] to generate pseudonyms. Assuming two nodes $u$ and $v$ with a shared key $K_{uv}$, we can generate a sequence of pseudonyms using the hash function $h$ by iteratively hashing a random value $V_{\mathrm{rdm}}$ as follows:

$$\mathrm{id}^{(1)}_{uv} = h(K_{uv} \,\|\, V_{\mathrm{rdm}}), \tag{7}$$

$$\mathrm{id}^{(i)}_{uv} = h(K_{uv} \,\|\, \mathrm{id}^{(i-1)}_{uv}). \tag{8}$$

(1) Broadcast Query Message. After network initialization, every duty node $u$ periodically broadcasts a query message (query-msg) as follows:

$$\text{query-msg} = \mathrm{ID}_u,\ t_Q,\ X_u,\ \mathrm{MAC}_{IK_u}(\mathrm{ID}_u, t_Q, X_u),\ \mathrm{MAC}_{K_{\mathrm{grp}}}(\mathrm{ID}_u, t_Q, X_u), \tag{9}$$

where $t_Q$ is the timestamp and its value is the time when the query-msg is broadcast by the duty node, $K_{\mathrm{grp}}$ is the group key shared among the sending node and its neighborhood, and $X_u$ is the $X$ coordinate of the node $u$ on the elliptic curve $E/F_p$. Since $H(\mathrm{ID}_u) = (X_u, Y_u)$ is a point of $E/F_p$, only one of the $X_u$ and $Y_u$ coordinates needs to be transmitted, and the other can be easily derived using the curve equation.

(2) Reply Query Message.

(i) For Tag-Node. We assume that tag-nodes and common nodes are loosely synchronized. Every tag-node periodically monitors the query-msg for a specific time interval $\Delta_m$, called monitoring slot. Each monitoring period is called a monitoring round. Upon receiving a query-msg from a duty node $u$, a tag-node $v$ performs the following operations.

(I) Calculate $Y_u$ using $X_u$ and the curve, and then calculate the IBC key $IK_u = k(X_u, Y_u) \in G_a$ using $(X_u, Y_u)$ and the network master secret $k$.

(II) Check the first MAC in (9): calculate $\mathrm{MAC}' = h_{IK_u}(\mathrm{ID}_u \,\|\, t_Q \,\|\, X_u)$ and compare whether the received corresponding MAC is the same as $\mathrm{MAC}'$. If the MAC is verified, it puts $\mathrm{ID}_u$ into a candidate reply-list and stops receiving the query-msg in the current monitoring slot; otherwise, it ignores the query-msg.


(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{v\text{-bs}},\ \mathrm{id}_u,\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others1}),\ \mathrm{MAC}_{K_{v\text{-bs}}}(\mathrm{DATA1}),\ \mathrm{MAC}_{IK_u}(\mathrm{DATA2}), \tag{10}$$

$$\mathrm{id}_u = h(IK_u \,\|\, t_Q), \tag{11}$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{v\text{-bs}},\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others1}), \tag{12}$$

$$\mathrm{DATA2} = \mathrm{ID}_u,\ \mathrm{id}_u,\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others1}), \tag{13}$$

$$\text{collectInfo} = \mathrm{DATA1},\ \mathrm{MAC}_{K_{v\text{-bs}}}(\mathrm{DATA1}), \tag{14}$$

where $\mathrm{id}^{(*)}_{v\text{-bs}}$ is the pseudonym shared between tag-node $v$ and the sink node, $\mathrm{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply, it sends a reply-msg to node $u$. Note that token nodes do not perform the operations (I) and (II) as a tag-node does. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{w\text{-next}},\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2}),\ \mathrm{MAC}_{K_{w\text{-next}}}(\mathrm{DATA1}),\ \mathrm{MAC}_{K_{wu}}(\mathrm{DATA2}), \tag{15}$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{w\text{-next}},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2}), \tag{16}$$

$$\mathrm{DATA2} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2}), \tag{17}$$

where $\mathrm{id}^{(*)}_{w\text{-next}}$ and $K_{w\text{-next}}$ are the pseudonym and key shared between token node $w$ and the next round's token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself); $\mathrm{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively; and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round's token node.

(3) Generate and Forward Event Report Message. Due to the different schemes used by tag-nodes and token nodes to generate pseudonyms, as shown in (11) and (8), a query node which receives a reply-msg can know whether the message is sent from a tag-node or a token node. Therefore, the query node can check the MAC using the corresponding key. Upon receiving a reply-msg from a tag-node $v$ or a token node $w$, a query node $u$ first checks the corresponding MAC. If the corresponding MAC is verified, it generates an event report (rpt-msg) and forwards the rpt-msg to the duty node closest to the sink node in its communication range.

Query node $u$ forwards the following real rpt-msg to the chosen next hop node (nextHop) if it receives a verified reply-msg from tag-node $v$:

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ E_{K_{\mathrm{rs\text{-}bs}}}(\text{collectInfo}),\ \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}), \tag{18}$$

$$\mathrm{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ E_{K_{\mathrm{rs\text{-}bs}}}(\text{collectInfo}), \tag{19}$$

where $\mathrm{ID}_{\mathrm{rs}}$ is the ID of the reporter source, that is, the first reporter node, and in this case its tag-node $u$; $t_{\mathrm{rs}}$ is the sending timestamp from the reporter source; and collectInfo is shown in (14).

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ \text{rdmDATA},\ \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}), \tag{20}$$

$$\mathrm{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ \text{rdmDATA}, \tag{21}$$

where rdmDATA is a random binary sequence code and its length shall satisfy the fact that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will evenly reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field via decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\mathrm{ID}_{\mathrm{rs}}$ field in (18). Then it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node, if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can evenly obtain the interesting information about the monitored objects.


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\mathrm{id}^{(*)}_{v\text{-bs}}$ and $\mathrm{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-bs}}$ and $K_{w\text{-next}}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $IK_u$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\mathrm{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\mathrm{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\mathrm{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of next round. It not only guarantees that tag-nodes reply to the query messages confidentially but also guarantees that token nodes pass tokens confidentially:

$$\mathrm{id}^{(*)}_{v\text{-bs}} = h(K_{v\text{-bs}} \,\|\, \mathrm{id}^{(*-1)}_{v\text{-bs}}), \tag{22}$$

$$\mathrm{id}^{(*)}_{w\text{-next}} = h(K_{w\text{-next}} \,\|\, \mathrm{id}^{(*-1)}_{w\text{-next}}), \tag{23}$$

$$\mathrm{id}^{(*)}_{wu} = h(K_{wu} \,\|\, \mathrm{id}^{(*-1)}_{wu}). \tag{24}$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node has the same pseudonym, because the hash function may generate the same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{\mathrm{bit}}/2}$, where $n_{\mathrm{bit}}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, the collision probability is 2.3e−10, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply to query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{v\text{-bs}}$, $K_{w\text{-next}}$, and $K_{\mathrm{rs\text{-}bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes via using corresponding keys, such as $IK_u$ and $K_{\mathrm{grp}}$, to check the first MAC, MAC(1), and the second MAC, MAC(2), respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23):

$$\mathrm{MAC(1)} = h_{IK_u}(\mathrm{ID}_u \,\|\, t_Q \,\|\, X_u), \tag{25}$$

$$\mathrm{MAC(2)} = h_{K_{\mathrm{grp}}}(\mathrm{ID}_u \,\|\, t_Q \,\|\, X_u). \tag{26}$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{\mathrm{self}}$ as in (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replay message and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\mathrm{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh:

$$\Delta_t = |t_Q - t_{\mathrm{self}}|. \tag{27}$$

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as in [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$b = \log_2 \frac{M + L}{M}. \tag{28}$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.
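An added sketch, not the authors' code, of the receiver-side checks from the report collection phase and the freshness analysis: the tag-node's timestamp test (27) followed by the first MAC (25), the reply pseudonym (11), and the query node's use of (11) versus the chained pseudonym (24) to tell tag-node replies from token-node replies. It assumes HMAC-SHA-1 as the keyed hash, byte concatenation of hash inputs, and a keyed-hash stand-in for the elliptic-curve derivation of $IK_u$; all names, keys, and field encodings are constructed.

```python
import hashlib
import hmac
import struct

PSEUDONYM_LEN = 8  # bytes, the pseudonym size used in the page's collision estimate
MAC_LEN = 4        # bytes, the TinySec-AE style MAC size quoted on the page

def mac(key, *fields):
    """Keyed hash h_K(.) truncated to 4 bytes (HMAC-SHA-1 is this example's choice)."""
    return hmac.new(key, b"".join(fields), hashlib.sha1).digest()[:MAC_LEN]

def next_pseudonym(key, prev):
    """Chain step of (8)/(24); the two inputs are concatenated (assumption)."""
    return hashlib.sha1(key + prev).digest()[:PSEUDONYM_LEN]

def derive_ik(k_master, x_u):
    """STAND-IN for IK_u = k * H(ID_u): a keyed hash, not an EC scalar multiplication."""
    return hmac.new(k_master, b"IK" + x_u, hashlib.sha256).digest()

def query_fields(id_u, t_q, x_u):
    """Byte encoding of (ID_u, t_Q, X_u): 2-byte ID, 4-byte timestamp, X coordinate."""
    return (struct.pack(">H", id_u), struct.pack(">I", t_q), x_u)

def build_query(id_u, t_q, x_u, ik_u, k_grp):
    """query-msg of (9): the same fields under the IBC key and under the group key."""
    body = query_fields(id_u, t_q, x_u)
    return {"id": id_u, "t_q": t_q, "x_u": x_u,
            "mac1": mac(ik_u, *body), "mac2": mac(k_grp, *body)}

def tag_check_query(msg, k_master, t_self, fresh_window):
    """Tag-node side: freshness (27) first, then MAC(1) of (25). Returns (verdict, IK_u)."""
    if abs(msg["t_q"] - t_self) > fresh_window:
        return "stale", None                      # treated as a replay, discarded
    ik_u = derive_ik(k_master, msg["x_u"])        # tag-node holds the master secret k
    body = query_fields(msg["id"], msg["t_q"], msg["x_u"])
    if not hmac.compare_digest(mac(ik_u, *body), msg["mac1"]):
        return "bad-mac", None                    # fresh timestamp but forged content
    return "ok", ik_u

def tag_reply_pseudonym(ik_u, t_q):
    """id_u of (11): bound to the query timestamp, so it changes every round."""
    return hashlib.sha1(ik_u + struct.pack(">I", t_q)).digest()[:PSEUDONYM_LEN]

class QueryNode:
    """Duty node u: classifies a reply by which pseudonym scheme it matches."""

    def __init__(self, ik_u, token_links):
        self.ik_u = ik_u
        self.token_links = dict(token_links)  # {name: (K_wu, last pseudonym seen)}

    def classify_reply(self, pseudonym, t_q):
        if hmac.compare_digest(pseudonym, tag_reply_pseudonym(self.ik_u, t_q)):
            return "tag"
        for name, (k_wu, last) in self.token_links.items():
            expected = next_pseudonym(k_wu, last)
            if hmac.compare_digest(pseudonym, expected):
                self.token_links[name] = (k_wu, expected)  # stay in step with w
                return "token"
        return "unknown"  # stale or foreign pseudonym; the MAC check would follow a match

if __name__ == "__main__":
    k, x_u = b"constructed-master-secret", bytes(range(64))  # constructed sample values
    ik = derive_ik(k, x_u)
    q = build_query(7, 1000, x_u, ik, b"constructed-group-key")
    print(tag_check_query(q, k, 1002, 5)[0], tag_check_query(q, k, 2000, 5)[0])
    node = QueryNode(ik, {"w": (b"K_wu", b"V_rdm")})
    print(node.classify_reply(tag_reply_pseudonym(ik, 1000), 1000))
    print(node.classify_reply(next_pseudonym(b"K_wu", b"V_rdm"), 1000))
```

A tag-node pseudonym replayed in a later round and a token pseudonym sent twice both come back as "unknown", which is the freshness property the analysis attributes to the second pseudonym field.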

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section we provide the packet format and length for each type of message. According to the IEEE 802.15.4 frame format [39], each packet includes 9 bytes of constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of message in both our schemes and SS includes the 9 bytes of constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte $X$ coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte $X$ coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\mathrm{len}_{\text{query-msg}}$. So we have $\mathrm{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MAC fields. We assume that the encryption function is implemented using the AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\mathrm{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using the AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC, in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal is $\mathrm{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MAC fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-iss/ss}} = 39$ in ISS and SS.

612 Communication Overhead In GBP the communica-tion overhead includes broadcasting and receiving query-msg overhead replying and receiving query-msg overheadand sending and receiving event report message (rpt-msg)overhead (1) In the broadcasting query-msg phase duty-nodes broadcast query-msgs and tag-nodes and token nodeslisten on the chosen channel Note that in order to reducethe interinfluence caused by broadcasting query-msg andreplying query-msg we can transmit them on two differentchannels Therefore the number of query-msg broadcast119873Tx-qry-msg in the network will be equal to the number of theduty nodes the number of query-msg received 119873Rx-qry-msgin the network will be equal to the number of token nodes(fake objects) plus tag-nodes (real objects) Suppose that thesensor field is divided into 119899row times 119899clm square grids That isthe number of duty nodes is 119899row times 119899clm Thus 119873Tx-qry-msg =

119899row times 119899clm Assume that the number of fake objects is 119871 andthe number of real objects is 119872 then 119873Rx-qry-msg = (119871 + 119872)(2) In the replying query-msg phase tag-nodes and tokennodes send reply-msgs and their neighbor nodes receivereply-msgsTherefore the number of reply-msgs transmitted119873Tx-rpl-msg in the network will be equal to the number oftoken nodes and tag-nodes that is 119873Tx-rpl-msg = (119871 +

119872) the number of query-msg received 119873Rx-rpl-msg in thenetwork will be equal to the number of their neighboringnodes Let 120588node denote the average number of neighboring

12 International Journal of Distributed Sensor Networks

nodes of one node in the network Then 119873Rx-rpl-msg =

(119871 + 119872)120588node (3) In the sending rpt-msgs phase the chosenduty-nodes generate rpt-msgs and deliver them to the sinknode with the help of intermediate duty nodes along theforwarding paths Let hopavg be the average hopdistance froma reporter source to the sink node and let 119873Tx-rpt-msg-gbp and119873Rx-rpt-msg-gbp be the number of rpt-msgs transmitted andreceived in the network respectively Since there are 119871 + 119872

reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node we have119873Tx-rpt-msg-gbp =

119873Rx-rpt-msg-gbp and 119873Tx-rpt-msg-gbp = (119871 + 119872)hopavg Table 2shows the total number of messages transmitted and receivedin each phase in the GBP scheme Let 119864Tx and 119864Rx bethe energy consumption for transmitting and receiving onebyte respectively And let 119864Tx-GBP and 119864Rx-GBP be the energyconsumption for transmitting and receiving messages in theGBP scheme respectively Then we have

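$$
\begin{aligned}
E_{\text{Tx-GBP}} &= \left(N_{\text{Tx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55,
\end{aligned}
\tag{29}
$$

$$
\begin{aligned}
E_{\text{Rx-GBP}} &= \left(N_{\text{Rx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55.
\end{aligned}
\tag{30}
$$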

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes’ neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^{2}$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\text{hop}_{\text{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

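$$
\begin{aligned}
E_{\text{Tx-ISS}} &= \left(N_{\text{Tx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39,
\end{aligned}
\tag{31}
$$

$$
\begin{aligned}
E_{\text{Rx-ISS}} &= \left(N_{\text{Rx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 55 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39.
\end{aligned}
\tag{32}
$$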

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. Both the transmitting event-trigger-signal phase and the sending token-pass-msg phase are similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of rpt-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

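$$
\begin{aligned}
E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39,
\end{aligned}
\tag{33}
$$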


Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

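$$
\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39.
\end{aligned}
\tag{34}
$$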

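According to (29), (31), and (33), we can derive

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}\right) \right],
\tag{35}
$$

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right) \right],
\tag{36}
$$

$$
E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M) \left(20\rho_{\text{node}} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right).
\tag{37}
$$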

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \text{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}^{2}\right),
\tag{38}
$$

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}}^{2} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right),
\tag{39}
$$

$$
E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\rho_{\text{node}}^{2} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right).
\tag{40}
$$

In (38), if

$$
\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\text{hop}_{\text{avg}}\right)}}{110},
\tag{41}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\text{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

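In (40), if

$$
\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\text{hop}_{\text{avg}} - \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^{2} - 3120\,\text{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\text{hop}_{\text{avg}} + \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^{2} - 3120\,\text{hop}_{\text{avg}}}}{40},
\end{aligned}
\tag{43}
$$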

with $\text{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 mJ = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
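The message-count model of Section 6.1.2 and the lifetime estimate of Section 6.1.3, as an added Python example (not code from the paper): it evaluates Tables 2-4 and (29)-(34) directly and solves (35), (41), and (43) for their crossover points. The 30 × 30 grid and the 8 objects in the sample run are constructed values; hop_avg = 20 is the value the text uses in its examples, and rho_node = 47 is the neighbor count reported for the simulation.

```python
"""Energy model of Section 6.1.2 (Tables 2-4, Eqs. (29)-(34)) with the
per-byte and ECC costs quoted in Section 6.1.3. Added example, not the
authors' code."""
from dataclasses import dataclass
from math import sqrt

E_TX_UJ, E_RX_UJ = 5.76, 6.48   # CC2420: microjoules to send / receive one byte
E_ECC_MJ = 17.0                 # one ECC-160 scalar point multiplication (mJ)
BATTERY_J = 18720.0             # two AA batteries


@dataclass(frozen=True)
class Network:
    objects: int   # L + M: token nodes (fake objects) plus tag-nodes (real objects)
    rho: int       # rho_node: average number of neighbours of a node
    hop: int       # hop_avg: average hops from a reporter source to the sink
    grids: int     # n_row * n_clm: number of duty nodes (used by GBP only)


def phases(scheme, net):
    """Rows of Tables 2-4 as (message length in bytes, Tx count, Rx count)."""
    n, rho, hop = net.objects, net.rho, net.hop
    if scheme == "GBP":
        return [(87, net.grids, n), (49, n, n * rho), (55, n * hop, n * hop)]
    if scheme == "ISS":
        return [(17, n, n * rho), (55, n * rho, n * rho ** 2), (39, n * hop, n * hop)]
    if scheme == "SS":
        return [(17, n, n * rho), (35, n * rho, n * rho ** 2),
                (39, n * rho * hop, n * rho * hop)]
    raise ValueError(f"unknown scheme: {scheme}")


def bytes_moved(scheme, net):
    """Total bytes transmitted and received in the network for one round."""
    rows = phases(scheme, net)
    return (sum(length * tx for length, tx, _ in rows),
            sum(length * rx for length, _, rx in rows))


def energy_joules(scheme, net):
    """(E_Tx, E_Rx) of Eqs. (29)-(34), in joules."""
    tx, rx = bytes_moved(scheme, net)
    return tx * E_TX_UJ * 1e-6, rx * E_RX_UJ * 1e-6


def min_objects_gbp_tx_below_iss(rho, hop, grids):
    """Smallest L + M for which Eq. (35) turns negative, or None if it never does."""
    gain = 55 * rho - 16 * hop - 32          # bytes saved per object versus ISS
    if gain <= 0:
        return None
    return (87 * grids) // gain + 1          # strict inequality, integer objects


def rho_min_gbp_rx_below_iss(hop):
    """Right-hand side of Eq. (41)."""
    return (32 + sqrt(1024 + 220 * (87 + 16 * hop))) / 110


def rho_band_iss_rx_below_ss(hop):
    """The two bounds of Eq. (43), or None when the roots are not real."""
    disc = (39 * hop) ** 2 - 3120 * hop
    if disc < 0:
        return None
    root = sqrt(disc)
    return (39 * hop - root) / 40, (39 * hop + root) / 40


def tag_node_lifetime_days(query_period_s=60):
    """Days a tag-node lasts when it answers one query-msg per period."""
    per_query_mj = E_ECC_MJ + (87 * E_RX_UJ + 49 * E_TX_UJ) / 1000
    per_day_j = (86400 / query_period_s) * per_query_mj / 1000
    return BATTERY_J / per_day_j


if __name__ == "__main__":
    # Constructed sample network: 30 x 30 grid, hop_avg = 20, rho_node = 47.
    for objects in (8, 64, 512):
        net = Network(objects=objects, rho=47, hop=20, grids=900)
        for scheme in ("GBP", "ISS", "SS"):
            tx, rx = energy_joules(scheme, net)
            print(f"L+M={objects:4d} {scheme:3s} Tx={tx:9.3f} J Rx={rx:9.3f} J")
    print("GBP Tx < ISS Tx from L+M =", min_objects_gbp_tx_below_iss(47, 20, 900))
    print("Eq. (41) bound:", round(rho_min_gbp_rx_below_iss(20), 3))
    print("Eq. (43) band:", rho_band_iss_rx_below_ss(20))
    print("tag-node lifetime (days):", round(tag_node_lifetime_days(), 1))
```

With these inputs the fixed cost of broadcasting one query-msg per grid makes GBP transmit more bytes than ISS until enough objects are present, which is the crossover that (35) describes.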

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

[Figure 6: Communication cost for transmitting messages of the network at different privacy levels. Axes: privacy in terms of number of bits (b) versus communication cost for transmitting messages (J); curves: GBP, ISS, SS.]

[Figure 7: Communication cost for receiving messages of the network at different privacy levels. Axes: privacy in terms of number of bits (b) versus communication cost for receiving messages (J); curves: GBP, ISS, SS.]

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \text{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^{2})$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.

[Figure 8: Total communication cost of the network at different privacy levels. Axes: privacy in terms of number of bits (b) versus communication cost (J); curves: GBP, ISS, SS.]

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice, with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, “A survey of applications of wireless sensors and wireless sensor networks,” in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC ’05 and MED ’05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and applications: a survey,” International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensor networks: a survey,” IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensor network security: a survey,” IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS ’05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, “Analysis of location privacy solutions in wireless sensor networks,” IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.


[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM ’08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC ’09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS ’06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator, Castalia, http://castalia.research.nicta.com.au/index.php/en.


Moreover, the SS method also has two limitations. (1) The reporter source cannot generate effective event reports. (2) It is unsuitable to track multiobjects accurately.

In this paper, we focus on protecting the DSLP against a global adversary who can monitor and collect all the messages transmitted in the network at all times. The contributions of this work are summarized in the following.

(i) We point out the existing problems of the source simulation method in [9, 10] and propose an improved source simulation (ISS) method under the panda-hunter game model (PHGM) by adjusting the event report strategy. The ISS method copes with the defect existing in SS, in which the reporter source cannot generate effective event reports.

(ii) We propose an updated-panda-hunter game model (UPHGM), which overcomes the disadvantage of the PHGM and is suitable to monitor multiobject sources. Also, a formal model of the DSLP issues under the UPHGM is given.

(iii) We present an energy-efficient grid-based pull scheme to protect the DSLP under the UPHGM, which includes a light-weight security object collection scheme and an effective grid partition method. It ensures that, wherever a data source lies, there is at least one node which can authenticate it and collect its related information; meanwhile, it can provide security services including confidentiality, authentication, integrity, freshness, and source location privacy. Compared with the source simulation method and the improved source simulation method, it is more energy-efficient.

(iv) We evaluate the energy overhead in both theory and simulation. The results show that (1) the grid-based pull (GBP) method outperforms the SS method and the ISS method on energy overhead on the whole; (2) the energy cost of ISS is comparable to that of SS under low privacy requirement.

The rest of the paper is organized as follows. Section 2 discusses related work. In Section 3, the improved source simulation (ISS) method under the panda-hunter game model (PHGM) is described. In Section 4, the updated-panda-hunter game model (UPHGM) and the formal model of the DSLP issues are presented. In Section 5, the grid-based pull scheme under the UPHGM is proposed. Section 6 describes our evaluations, and Section 7 concludes the paper.

2. Related Work

In [7, 8], extensive surveys have been conducted on the location privacy problem in WSNs. According to adversaries’ capability of monitoring network traffic, existing approaches can be classified into three classes: countering a local adversary [6, 20–28], countering several local adversaries [29], and countering a global adversary [9–19]. In this section, we briefly survey the major related works to provide the DSLP under a global adversary in WSNs.

In [9, 10], two techniques, called periodic collection and source simulation, respectively, were proposed to prevent the leakage of the DSLP. The main idea of the periodic collection method, also called ConstRate scheme in [11], is to make the traffic pattern independent of the presence of real objects. Each node periodically sends packets at a reasonable frequency regardless of whether it has real data to send or not. However, this approach consumes a substantial amount of energy for latency sensitive applications. And it does not consider the traffic generated by electronic tags, which can also be used by the adversary to infer the locations of monitored objects. By simulating the movement patterns of real objects, the source simulation (SS) method creates candidate traces in the network to hide the traffic generated by real objects. It works as follows: before deployment, select $L$ nodes as token nodes and preload each of them with a unique token ID. After deployment, each token node can masquerade as a real object to emit event-trigger-signals for event detection. When a node detects the signal, it generates an event report and delivers it to the sink node. The token node then determines the token node of the next round in its neighborhood (including itself) and passes the token to the selected node. In order to prevent the adversary from using the token pass messages to distinguish real objects from fake ones, the nodes that detect the real object also need to send a masked token pass message each round. However, this approach has two problems that affect the information collection about real objects. First, as the event-trigger-signals emitted by token nodes and real objects are the same, not only can the adversary not distinguish between them, but also nodes in the network cannot distinguish between them. As a result, nodes cannot determine whether real event reports or dummy event reports are generated. Second, when there are two or more objects in the network, if a node detects two event-trigger-signals in two rounds, it cannot distinguish whether the signals come from two objects or from one object. Hence, it cannot track multiobjects accurately.

A fitted probabilistic rate scheme, called FitProbRate, was devised in [11] to reduce the event report delay in the ProbRate scheme. In the ProbRate scheme, the time intervals between message transmissions follow the exponential distribution. In order to reduce the real event report latency, the nodes send the real event reports as soon as possible while keeping the message transmission intervals following the same distribution. Based on FitProbRate, a distributed resource allocation algorithm was proposed in [12] to achieve data source anonymity by mixing real event messages with carefully chosen dummy traffic. However, the FitProbRate scheme only considers the event indistinguishability, in which the intertransmission times of the real event reports are indistinguishable from the desired distribution of fake transmissions, and ignores the interval indistinguishability, in which the intertransmission times of fake and real intervals are indistinguishable. The adversary can distinguish the real intervals from the fake intervals and then discover the real objects. In order to solve this problem, an improved method was proposed in [13, 14]. They introduced the same correlation of intertransmission times during real intervals to intertransmission times during fake intervals.


To reduce the traffic caused by the ConstRate scheme in [9, 10] and the ProbRate scheme in [11], a proxy-based filtering scheme (PFS) and a tree-based filtering scheme (TFS), based on proxies and data aggregation, were presented in [15]. In PFS, proxies are selected to collect and filter dummy messages from surrounding nodes. Also, proxies are formed into a tree hierarchy and the dummy messages are dropped on the way from proxies to sink nodes. In order to explore the impacts of proxy filtering approaches on the network lifetime, different proxy assignment strategies and different deployment scenarios were investigated in [16]. In [17], a data aggregation scheme based on a cluster-tree hierarchical architecture was proposed to reduce the message overhead by aggregating multiple messages in a single transmission. However, these approaches are also not suited for latency-sensitive applications because, when a node detects a real event, it delays the transmission of the real event report such that the next intermessage interval follows the normal application distribution. Similar to periodic collection in [9, 10], these approaches also do not consider the traffic generated by electronic tags.

In [18], four schemes, called naïve, global, greedy, and probabilistic, were proposed to protect the DSLP against a global adversary. The naïve scheme is similar to the periodic collection method in [9, 10]. Every node periodically sends a real or forged message. The time interval between message transmissions is usually quite long to reduce the communication cost. Therefore, this approach can cause long delay. In order to reduce the delivery latency, the global and the greedy approaches were presented to discover the path with the shortest delivery latency. However, the global approach requires the knowledge of global network topology and transmission schedules, which is impractical because every node would have to store the topology of the whole network and compute the fastest path. The greedy approach is a heuristic method. Every node chooses the neighbor that has the shortest waiting time and is closer to the sink node as the next-hop route node. In order to reduce the communication overhead, a probabilistic approach was proposed. This approach lets every node probabilistically transmit messages to guarantee that every node can hear a message during any fixed period of time. However, it ignores that a real object may be detected by several nodes simultaneously, which will generate event reports and lead to more network traffic around the object. This abnormal traffic can help the adversary to discover the real object.

In [19], a spatiotemporal process replication scheme for generating dummy network traffic was proposed to disguise the real event report. The method assumed that monitored events obey a Poisson temporal distribution with a known rate and a uniform spatial distribution over the network area. A subset of nodes regularly acts as fake sources and generates dummy network traffic with the same event distribution. However, the method ignores the spatial correlation of events about a real object, which can help the adversary locate the real object. For example, the traces of a panda do not follow a uniform spatial distribution over the network during a relatively short period of time. The adversary can locate the panda by observing the traces in a relatively small network area.

3. Improved Source Simulation (ISS) Method under the PHGM

As mentioned above, all of the prior approaches except the SS method in [9, 10] ignored the event trigger process from tag-nodes. The adversary can defeat all of these approaches by monitoring the additional traffic from tag-nodes. Therefore, to avoid this situation, we should adopt the SS method to simulate the additional traffic pattern generated by tag-nodes. However, as described in Section 2, the SS method has two defects. First, a reporter source cannot generate effective event reports since the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable. Second, it is not suited to track multiple objects accurately. In this section, we propose an improved source simulation (ISS) method to solve the first problem for single-object monitoring applications. For multiobject monitoring applications, in order to track the objects effectively and accurately, the event-trigger-signals should contain related information of the monitored objects. The corresponding solution will be presented in Section 5.

3.1. Protocol Description. Before deployment, randomly select $L$ nodes as token nodes and preload each of them with a unique token ID. Every token node will masquerade as a real object to emit event-trigger-signals for event detection. We assume that the infrastructure of secure communications has been established after deployment. Note that, in this approach, the adversary is similar to the one considered in [9–16, 18, 19]; that is, it cannot compromise any sensor node. The event report process includes the following three steps, as shown in Figure 1.

(1) Emit Event-Trigger-Signal. A token node or a tag-node emits an event-trigger-signal for event detection around its local area. A node that detects the signal sets itself as a candidate reporter source.

(2) Pass Token. The token node and the candidate reporter sources send messages, called token-pass-msg, according to their respective roles. We assume that the length of the time interval for passing the token-pass-msg, called token-pass-slot, is $\Delta_{tk}$.

After the token node emits an event-trigger-signal, it sets a timer, called timer-for-token-passing, with value $T_{tk} \in (0, \Delta_{tk})$. When the timer expires, the token node broadcasts a real token-pass-msg as follows:

$$
\begin{aligned}
\text{token-pass-msg} &= \mathrm{ID}_S,\ t_s,\ E_{K_{next}}(\mathrm{DATA1}),\ E_{K_{grp}}(\mathrm{DATA2}),\ \mathrm{MAC1},\ \mathrm{MAC2},\\
\mathrm{DATA1} &= \text{token-ID},\ t_s,\\
\mathrm{DATA2} &= \text{chosen-report-ID},\ t_s,\\
\mathrm{MAC1} &= \mathrm{MAC}_{K_{next}}(\mathrm{DATA3}),\\
\mathrm{MAC2} &= \mathrm{MAC}_{K_{grp}}(\mathrm{DATA3}),\\
\mathrm{DATA3} &= \mathrm{ID}_S,\ t_s,\ E_{K_{next}}(\mathrm{DATA1}),\ E_{K_{grp}}(\mathrm{DATA2}),
\end{aligned}
\tag{1}
$$

Figure 1: Event report process of the ISS scheme. (Diagram steps: (1) emit a signal; 2(a) mimic pass token; 2(b) pass token; (3) generate event report. Legend: common node, reporter source, eavesdropping node, tag-node, token node, sink.)

where $\mathrm{ID}_S$ is the identifier (ID) of the sending node; $t_s$ is a timestamp used to distinguish different events and to provide freshness service, and its value is the sending delay plus the time when the event-trigger-signal is emitted; token-ID is the token identifier of the token node; chosen-report-ID is the ID of the node that the token node selects to generate the event report, namely, the one with the shortest distance to the sink node; $K_{next}$ is the pairwise key between the token node and the token node of the next round, which is selected by the token node in its neighborhood (including itself); $K_{grp}$ is the group key shared among the sending node and its neighborhood; $E_K(\mathrm{DATA})$ is the ciphertext of DATA encrypted with key $K$; and $\mathrm{MAC}_K(\mathrm{DATA})$ is the message authentication code (MAC) of DATA computed by using key $K$.

Upon detecting the event-trigger-signal, the candidate reporter source also sets a timer, called timer-for-token-passing, with value $T_{tk} \in (0, \Delta_{tk})$. When the timer expires, the candidate reporter source broadcasts a fake token-pass-msg as follows:

$$
\text{token-pass-msg} = \mathrm{ID}_S,\ t_d,\ \text{randomDATA}, \tag{2}
$$

where $t_d$ is a timestamp to distinguish different events, and its value is the time when the event-trigger-signal is detected by the node; randomDATA is a random binary sequence whose length is chosen so that all token-pass-msgs have the same length, to prevent the adversary from distinguishing the real token-pass-msg from the fake token-pass-msg via packet length. Note that the transmission delay is negligible (for example, transmitting one bit of information over a distance of 50 m only needs 0.17 $\mu$s), so for the same event the difference between $t_d$ and $t_s$ is equal to the error of the synchronized clocks. Therefore, we can distinguish different events by comparing the time field in the token-pass-msgs.

Upon receiving a token-pass-msg, the node $\mathrm{ID}_i$ first checks MAC2 using the group key $K_{grp}$ shared with the sending node $\mathrm{ID}_S$. If MAC2 is verified, it sets a flag called report-flag to true, decrypts the corresponding encrypted field using the shared group key, and checks MAC1 using the pairwise key $K_{next}$ with node $\mathrm{ID}_S$. If chosen-report-ID = $\mathrm{ID}_i$, it sets a flag called generate-flag to true. If MAC1 is verified, it decrypts the corresponding encrypted field using the pairwise key $K_{next}$, records the token-ID, and sets itself as the token node of the next round.

(3) Generate and Send Event Reports. When the token-pass-slot is over, the token node and the candidate reporter sources generate and send event reports according to the following situations.

(i) If the generate-flag of the node $\mathrm{ID}_i$ is true, it means that (1) the event-trigger-signal is emitted by a token node and (2) it is selected by a token node to generate the event report. It generates a fake event report and delivers it to the sink node through an established routing path, using the pairwise key between them.

(ii) If the report-flag of the node $\mathrm{ID}_i$ is false, it means that the event-trigger-signal is emitted by a tag-node. If it also does not receive any token-pass-msg for the same event from a node closer to the sink node, it generates a real event report and delivers it to the sink node through an established routing path, using the pairwise key between them.
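The three steps above can be traced with the following added example, which is not code from the paper. It builds the real and fake token-pass-msgs of equations (1) and (2) at equal length and applies the receiver rules and the end-of-slot decision. Assumptions: field widths, the 8-byte truncated HMAC-SHA256 tags, the XOR keystream standing in for $E_K$, one group key for the whole constructed neighborhood, one event per slot, and all names are illustrative.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 8                   # truncated HMAC-SHA256 tag (assumed size)
HDR = struct.Struct(">HI")    # ID_S (2 bytes), timestamp (4 bytes)
BODY = struct.Struct(">HI")   # token-ID or chosen-report-ID, then timestamp
MSG_LEN = HDR.size + 2 * BODY.size + 2 * MAC_LEN

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def enc(key, nonce, data):
    """Stand-in for E_K: XOR with an HMAC-derived keystream (also decrypts)."""
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def real_token_pass(id_s, t_s, token_id, chosen_id, k_next, k_grp):
    """Equation (1): DATA3 followed by MAC1 (K_next) and MAC2 (K_grp)."""
    nonce = struct.pack(">I", t_s)
    c1 = enc(k_next, nonce, BODY.pack(token_id, t_s))    # E_Knext(DATA1)
    c2 = enc(k_grp, nonce, BODY.pack(chosen_id, t_s))    # E_Kgrp(DATA2)
    data3 = HDR.pack(id_s, t_s) + c1 + c2
    return data3 + mac(k_next, data3) + mac(k_grp, data3)

def fake_token_pass(id_s, t_d):
    """Equation (2): header plus random padding up to the real message length."""
    return HDR.pack(id_s, t_d) + os.urandom(MSG_LEN - HDR.size)

class Node:
    def __init__(self, node_id, dist_to_sink, k_grp, pairwise, neighbor_dist):
        self.id, self.dist = node_id, dist_to_sink
        self.k_grp = k_grp
        self.pairwise = pairwise            # {neighbor ID: pairwise key}
        self.neighbor_dist = neighbor_dist  # {neighbor ID: distance to sink}
        self.report_flag = self.generate_flag = self.closer_heard = False
        self.token_id = None

    def on_token_pass(self, msg):
        if len(msg) != MSG_LEN:
            return
        data3, mac1, mac2 = msg[:-2 * MAC_LEN], msg[-2 * MAC_LEN:-MAC_LEN], msg[-MAC_LEN:]
        id_s, t_s = HDR.unpack(data3[:HDR.size])
        c1, c2 = data3[HDR.size:HDR.size + BODY.size], data3[HDR.size + BODY.size:]
        if self.neighbor_dist.get(id_s, float("inf")) < self.dist:
            self.closer_heard = True        # a node closer to the sink is active
        if not hmac.compare_digest(mac2, mac(self.k_grp, data3)):
            return                          # fake token-pass-msg: nothing else to learn
        nonce = struct.pack(">I", t_s)
        chosen, ts2 = BODY.unpack(enc(self.k_grp, nonce, c2))
        if ts2 != t_s:
            return                          # inner and outer timestamps must agree
        self.report_flag = True             # the event came from a token node
        if chosen == self.id:
            self.generate_flag = True
        k_next = self.pairwise.get(id_s)
        if k_next and hmac.compare_digest(mac1, mac(k_next, data3)):
            self.token_id = BODY.unpack(enc(k_next, nonce, c1))[0]  # next-round token node

    def end_of_slot(self):
        if self.generate_flag:
            return "fake-report"            # situation (i)
        if not self.report_flag and not self.closer_heard:
            return "real-report"            # situation (ii)
        return "silent"

def run_slot(nodes, messages):
    """Deliver every broadcast to every other node, then collect the decisions."""
    for sender_id, msg in messages:
        for n in nodes:
            if n.id != sender_id:
                n.on_token_pass(msg)
    return {n.id: n.end_of_slot() for n in nodes}

def demo():
    k_grp, k13 = os.urandom(16), os.urandom(16)   # constructed keys
    dist = {1: 30.0, 2: 10.0, 3: 20.0}            # constructed distances to the sink
    def fresh():
        return [Node(2, dist[2], k_grp, {}, dist), Node(3, dist[3], k_grp, {1: k13}, dist)]
    # Token event: token node 1 picks node 2 as reporter and node 3 as next token node.
    token_event = run_slot(fresh(), [(1, real_token_pass(1, 1000, 7, 2, k13, k_grp)),
                                     (2, fake_token_pass(2, 1000)),
                                     (3, fake_token_pass(3, 1000))])
    # Tag-node event: only the candidates' fake messages are on the air.
    tag_event = run_slot(fresh(), [(2, fake_token_pass(2, 2000)),
                                   (3, fake_token_pass(3, 2000))])
    return token_event, tag_event
```

In both events exactly one node reports and every message on the air has the same length, so the two cases differ only in fields that require $K_{grp}$ or $K_{next}$ to check.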

Compared with the source simulation method in [9, 10], the ISS method has two main advantages. (1) Candidate reporter sources can distinguish real events from fake events by authenticating token-pass-msgs. (2) Only one node generates an event report for each event-trigger-signal, so the amount of network traffic can be largely reduced.

4. UPHGM and Problem Formalization

Although prior work for protecting the DSLP against a global adversary was mainly based on the PHGM described in Section 1, only the SS method in [9, 10] considered reporter sources to generate real event reports depending on event-trigger-signals. It is more realistic than the assumption that nodes of the protected network can sense the monitored objects while the adversary cannot. In practice, directly recognizing an object is very challenging work due to the difficulty of distinguishing the physical features of the objects from background noises [10]. In this section, we will present an updated-panda-hunter game model (UPHGM). We also assume that every monitored object is equipped with a sensor node to emit signals, which can be detected by nodes in the network, as in [9, 10]. The UPHGM includes a network model and an attack model.

Figure 2: The considered network architecture. (Legend: sink, common node, reporter source, eavesdropping node, tag-node, relay-node.)

4.1. Network Model. We assume that a homogeneous WSN, called obj-WSN, is deployed by an organization to monitor specific objects such as giant pandas, as shown in Figure 2. The obj-WSN consists of $N$ common nodes and one sink node. All of the common nodes have roughly the same resources. Each common node $u$ has a unique node identifier ($\mathrm{ID}_u$) and knows its own location. The communication radius of every common node is $R$. Since directly recognizing the object is very difficult, in order to avoid directly sensing the objects, every monitored object is embedded with a sensor node, that is, a tag-node, to emit event-trigger-signals called Object-msg. A reporter source which receives an Object-msg will generate a real event report and transmit it to the sink node according to a chosen route mechanism. The communication radius of every tag-node is $r$. To distinguish different objects, each tag-node $v$ also has a unique tag identifier ($\mathrm{TID}_v$). Each Object-msg contains the TID of the tag-node and other information of interest (interest-info).

4.2. Attack Model. We assume that the adversary has his/her own sensor network deployed in the same area, as shown in Figure 2, to monitor the global network traffic of the obj-WSN, as in [9, 10]. Note that the deployment time of the adversary's network is later than that of the obj-WSN. More specifically, we assume that the adversary's network can be deployed only once the infrastructure of secure communications of the obj-WSN has been established. The adversary can monitor the whole network traffic, including the Object-msgs emitted by tag-nodes. Knowing a global view of the network traffic, the adversary can easily deduce where the objects are moving around. For example, an object is very likely close to tag-nodes and reporter sources. We do not consider the situations in which the monitored objects can be directly recognized by sensors. If that happens, then the adversary can launch the direct sensing attack, and no defense mechanism can protect the location privacy of the monitored objects.

In addition, the adversary has the following characteristics.

(1) To appropriately study privacy, we apply Kerckhoffs's principle [30]. We assume that the adversary knows the communication protocols and defense mechanisms of the obj-WSN. Each eavesdropping node knows its own location, as shown in Figure 2.

(2) To be invisible to the obj-WSN, the adversary considered in this paper may launch only passive attacks and avoid active attacks, as in [9, 10]. However, since the network may also be attacked by other adversaries with different attack aims, we also need to prevent them from launching some active attacks, such as injecting bogus data by utilizing the security weaknesses of the defense mechanisms.

4.3. Distinction from the PHGM. The main difference between the UPHGM and the PHGM is that the former considers the Object-msg containing the TID of the tag-node and other interest-info, which is more suitable for many practical applications. For example, for multiobject monitoring applications, if the Object-msg contains no information about a monitored object and is only used to trigger event detection, a reporter source cannot generate an accurate event report for the corresponding object because it does not know which tag-node emitted the received Object-msg. And for many applications, we may want to know the state information or health characteristic information about monitored objects. Therefore, the UPHGM is more realistic and effective than the PHGM for many applications that monitor multiple objects.

Compared with the PHGM, the UPHGM yields a new problem which needs to be solved: how to forward Object-msgs to the sink node securely while providing location privacy to tag-nodes and reporter sources under a global adversary. Prior work only considered the location privacy of reporter sources and ignored the location privacy of tag-nodes. Although reporter sources can use the established pairwise keys to communicate with common nodes securely, tag-nodes are mobile and resource constrained, so they cannot first establish pairwise keys with all common nodes in the network and then use the corresponding keys to communicate with the corresponding nodes securely. Therefore, secure and effective protocols have to be designed to implement the secure communications between tag-nodes and reporter sources while providing their location privacy.

4.4. Formal Model. The problem $\Omega$ for protecting the source location privacy against a global adversary in WSNs can be represented by an eight-tuple $(O, \mathrm{Net}_O, \mathrm{Net}_A, D, C_D, A, S_A, b)$, where one has the following.


(1) $O$ is the set of monitored objects. We assume that the size of $O$ is $M$. Every monitored object can move around in the deployment area.

(2) $\mathrm{Net}_O$ is the monitoring network deployed by a valid organization, such as the obj-WSN.

(3) $\mathrm{Net}_A$ is the hunting network deployed by an adversary to eavesdrop on the network transmissions of $\mathrm{Net}_O$.

(4) $D$ is the set of defense strategies to protect the source location privacy.

(5) $C_D$ is the cost of defense strategies, mainly consisting of energy cost.

(6) $A$ is the set of attack strategies to infer the locations of monitored objects.

(7) $S_A$ is the set of candidate objects in whose range the adversary expects to find the monitored objects.

(8) $b$ is the level of privacy in terms of bits. It is defined as [9, 10]

$$
b = -\sum^{|S_A|} \frac{1}{|S_A|} \log_2 \frac{|O|}{|S_A|} = \log_2 \frac{|S_A|}{M}, \tag{3}
$$

where $|S_A|$ and $|O|$ are the sizes of $S_A$ and $O$, respectively.

Given the level of privacy $b$, our goal is to achieve it with minimum defense overhead $C_D$.

5. Grid-Based Pull (GBP) Scheme under the UPHGM

As we have pointed out in Section 4, the UPHGM is more realistic than the PHGM and is suitable for monitoring multiple objects accurately. However, it brings further challenges. In this section, we propose a grid-based pull scheme to protect the DSLP under the UPHGM by combining a lightweight security object collection scheme with an effective grid partition method. The design includes selecting the communication scheme and determining the grid size. Its implementation is then presented.

5.1. Selecting Communication Scheme. The first main challenge is to effectively authenticate and communicate between a mobile tag-node and each potential communication node in the network. There are two kinds of communication schemes: push scheme and pull scheme. For the push scheme, each tag-node broadcasts Object-msg periodically. As the tag-nodes are mobile, every node in the network has to be able to authenticate each tag-node. For the pull scheme, the query nodes broadcast query messages periodically. In this case, each tag-node must be able to authenticate every node in the network.

Compared with the push scheme, the pull scheme is a more secure way to solve our problem. For the push scheme, if any node is compromised by the adversary, he or she can obtain the secret information, such as secure keys, stored in the compromised node and then upload the obtained secret information to every eavesdropping node. As a result, when any tag-node broadcasts an Object-msg, eavesdropping nodes can authenticate the message and recognize the monitored object. For the pull scheme, if any node is compromised, an adversary who wants to stay stealthy cannot broadcast query messages using the obtained secure information. If he or she does so, then it is very likely to expose the eavesdropping nodes to the obj-WSN and to trigger alarms. Only when a monitored object lies in the communication range of the compromised node and the compromised node is itself the query node is the location of the monitored object exposed to the adversary without triggering alarms. Therefore, as shown in Table 1, considering security, we should select the pull scheme.

Table 1: Comparison of communication schemes.

| | Reporting way of tag-nodes | Authentication requirement | Resistance to node compromise |
|---|---|---|---|
| Push | Active broadcast | Each sensor node is able to authenticate all tag-nodes | Single-point failure |
| Pull | Passive reply | Each tag-node is able to authenticate all sensor nodes | Only tag-nodes nearby the compromised nodes probably fail |

However, due to resource constraints, for example, on storage, we cannot let a tag-node authenticate every node in the network with symmetric approaches, which would require the tag-node to store a large number of pairwise keys. Hence, for storage efficiency, we should adopt an asymmetric authentication approach. Considering the asymmetric feature between tag-nodes and common nodes in the obj-WSN, we design an authentication approach based on identity-based cryptography (IBC), which will be described in Section 5.3.

5.2. Determining Grid Size. The second problem we consider is how to reduce the number of query nodes as much as possible while keeping high-quality tracing of the monitored objects. To reduce the number of query nodes, we divide the whole network area into a number of virtual grids. In each grid, a node, called the duty node, is selected to collect information about the monitored objects. To balance the energy load among nodes, each node can take its turn as duty node and be responsible for collecting the information for a certain time interval. Hence, the second problem can be translated into the problem of how to determine the size of the virtual grid to satisfy both the query requirement and the connectivity requirement. The query requirement means that, no matter where a tag-node is in the network, its relevant information can be detected by at least one query node. The connectivity requirement means that nodes in a grid are capable of communicating with those nodes in an adjacent grid.

On the one hand, to meet the query requirement, there should be at least one full grid in the circle with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, as illustrated in Figure 3. Obviously, the smaller the size of the grid is, the more full grids are in the circle. To reduce the number of query nodes as much as possible, we need to determine the maximum size of the grid. We have derived the theoretical maximum size of the grid and have the following theorem.

Figure 3: Example of the query requirement: the communication range of the tag-node (radius $r$) contains at least a full grid.

Theorem 1. To ensure that, no matter where a tag-node is in the network, there is at least one full grid in the circle $C_r$ with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, the maximum length $a$ of the grid is $r/\sqrt{2}$.

Proof. Firstly, we prove that there is at least one full grid in the circle $C_r$ when $a = r/\sqrt{2}$. We assume that the circle $C_r$ does not contain any full grid. Obviously, in this case, the center of the circle is most likely at the common vertex of four grids, as shown in Figure 4. In this case, the circle $C_r$ just contains four full grids, as shown in Figure 4. That is, the assumption does not hold. In other words, there is at least one full grid in the circle $C_r$.

Secondly, we prove that $a$ is the maximum length. We assume that the length $a^* = a + \varepsilon$ ($\varepsilon > 0$) also satisfies the requirement in the theorem. However, when the center of the circle is at the common vertex of four grids, the length of the diagonal line of one grid is $l_d = \sqrt{2}a^* = \sqrt{2}(a + \varepsilon) = \sqrt{2}(r/\sqrt{2} + \varepsilon) > r$, so the circle $C_r$ does not contain any full grid, which contradicts the assumption, as shown in Figure 4. That is, the assumption does not hold. This proves that $a$ is the maximum length.

On the other hand, according to [31], to satisfy the connectivity requirement, the length $a$ of the grid should satisfy $a \le R/\sqrt{5}$, where $R$ is the communication radius of every common node, as shown in Figure 5.

As the communication radius of the common node is usually not less than that of the tag-node, we assume that $R = \lambda r$, where $\lambda \ge 1$. Let $l$ be the length of the network. Define $m$ and $n$ by

$$
m = \frac{l}{r/\sqrt{2}}, \qquad n = \frac{l}{R/\sqrt{5}}. \tag{4}
$$

Figure 4: Example of one tag-node at the common vertex of four grids.

Figure 5: Example of connectivity requirement according to [31].

That is, $m$ and $n$ are the numbers of grids according to the above two dividing methods, respectively. Then we have the following conclusions.

(i) If $m = n$, that is, $\lambda = \sqrt{2.5}$, the above two dividing methods are the same.

(ii) If $m > n$, that is, $\lambda > \sqrt{2.5}$, to satisfy the above two requirements, we should select the former dividing method.

(iii) If $m < n$, that is, $1 \le \lambda < \sqrt{2.5}$, to satisfy the above two requirements, we should select the latter dividing method.

5.3. Implementation of the Grid-Based Pull Scheme. In this subsection, we introduce the implementation of the grid-based pull scheme, including the predeployment phase, the grid formation phase, and the report collection phase.

5.3.1. Predeployment Phase. Before deploying the obj-WSN, we assume that a trusted authority (TA) does the following operations.


(1) Generate system parameters $(p, q, E/F_p, \text{and } G_a)$, where $p$, $q$ are two large primes, $E/F_p$ indicates an elliptic curve $y^2 = x^3 + ax + b$ over the finite field $F_p$, and $G_a$ is a $q$-order subgroup of the additive group of points of $E/F_p$.

(2) Choose two hash functions: $H: \{0, 1\}^* \rightarrow G_a$, mapping strings to nonzero elements in $G_a$, and $h$, mapping arbitrary inputs to fixed-length outputs, for example, SHA-1 [32].

(3) Select a random element $k \in Z_q^* = \{x \mid 1 \le x \le q - 1\}$ as the network master secret.

(4) Calculate $H(\mathrm{ID}_u) = (X_u, Y_u)$ and the IBC key $IK_u = kH(\mathrm{ID}_u) \in G_a$ for each common node $u$. Note that, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to obtain $k$ from any $(IK_u, \mathrm{ID}_u)$ pair.

(5) Randomly select $L$ common nodes as token nodes and preload each of them with a unique token ID.

Each common node $u$ is preloaded with the public system parameters ($p$, $q$, $E/F_p$, $G_a$, $H$, and $h$), its private key $IK_u$, its public key $(X_u, Y_u)$, and a pairwise key with the sink node, $K_{u\text{-}bs}$. Each tag-node $v$ is preloaded with the same public system parameters as each common node, the network master secret $k$, and a pairwise key with the sink node, $K_{v\text{-}bs}$.

5.3.2. Grid Formation Phase. After deploying the obj-WSN, we assume that every common node can obtain its own location information using some localization methods such as [33, 34]. Also, we assume that every common node can obtain the location information $(x_{bs}, y_{bs})$ of the sink node either via a preloading method or via a broadcasting method. The grid identifier $G_u = (g_{x\text{-}u}, g_{y\text{-}u})$ of node $u$ can be calculated using the following:

$$
g_{x\text{-}u} = \left\lceil \frac{x_u - x_{bs}}{a} \right\rceil, \qquad
g_{y\text{-}u} = \left\lceil \frac{y_u - y_{bs}}{a} \right\rceil, \tag{5}
$$

where $x_u$ and $y_u$ indicate the geographic location of node $u$ and $a$ is the side length of a grid, which is determined according to Section 5.2.
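The sizing rule of Section 5.2 and the grid identifier of equation (5) can be checked numerically with the following added example, which is not code from the paper. It picks the side length from $r$ and $R$, computes grid identifiers relative to the sink, and counts the grids that lie entirely inside a tag-node's range, which exercises the tight case of Theorem 1. The function names, the tolerance `eps`, and the sample coordinates are assumptions.

```python
import math

def grid_side(r, R):
    """Largest side a meeting both requirements: a <= r/sqrt(2) and a <= R/sqrt(5)."""
    return min(r / math.sqrt(2), R / math.sqrt(5))

def grid_id(x, y, x_bs, y_bs, a):
    """Equation (5): grid identifier of a node relative to the sink at (x_bs, y_bs)."""
    return (math.ceil((x - x_bs) / a), math.ceil((y - y_bs) / a))

def full_grids_in_range(tx, ty, r, a, x_bs=0.0, y_bs=0.0, eps=1e-9):
    """Identifiers of grids whose whole square lies within distance r of the tag.

    Grid (gx, gy) covers ((gx-1)a, gx*a] x ((gy-1)a, gy*a] relative to the sink,
    so it is inside the circle exactly when all four corners are (squares are convex).
    eps absorbs floating-point error in the tight case a = r/sqrt(2).
    """
    gx0, gy0 = grid_id(tx, ty, x_bs, y_bs, a)
    span = math.ceil(r / a) + 1
    found = []
    for gx in range(gx0 - span, gx0 + span + 1):
        for gy in range(gy0 - span, gy0 + span + 1):
            corners = [(x_bs + cx * a, y_bs + cy * a)
                       for cx in (gx - 1, gx) for cy in (gy - 1, gy)]
            if all(math.hypot(cx - tx, cy - ty) <= r + eps for cx, cy in corners):
                found.append((gx, gy))
    return found

def min_full_grids(r, a, steps=20):
    """Fewest full grids in range as the tag sweeps one grid cell, vertices included."""
    return min(len(full_grids_in_range(i * a / steps, j * a / steps, r, a))
               for i in range(steps + 1) for j in range(steps + 1))

if __name__ == "__main__":
    r, R = 10.0, 20.0                       # constructed radii, lambda = 2
    a = grid_side(r, R)
    print("side length:", a)
    print("grid of node (60, 43), sink (50, 50):", grid_id(60, 43, 50, 50, a))
    print("worst case with a = r/sqrt(2):", min_full_grids(r, r / math.sqrt(2)))
    print("worst case with a 5% larger:", min_full_grids(r, 1.05 * r / math.sqrt(2)))
```

With $a = r/\sqrt{2}$ the sweep never drops below one full grid, and a tag-node exactly on a grid vertex sees four; enlarging the side by 5% leaves that vertex position with none, so some tag-node positions would have no duty node guaranteed in range.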

To form virtual grids, in the network initialization phase, each common node $i$ broadcasts a hello message (hello-msg) as follows:

$$
\text{hello-msg} = \mathrm{ID}_i,\ x_i,\ y_i. \tag{6}
$$

Upon receiving the hello-msg from node $i$, the node $u$ first calculates the grid identifier $G_i$ of node $i$ using the $(x_i, y_i)$ information. If $G_i = G_u$, it then puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its same-grid table in descending order of ID number; otherwise, it puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its non-same-grid table in increasing order of distance to the sink node.

To avoid additional communication overhead caused by the duty node role rotation, we can stipulate the rotation order, for example, in descending (or increasing) order of ID number in each grid. Thus, each grid will have a duty node when the network initialization finishes, and each node will also rotate as duty node in a stipulated order.

5.3.3. Report Collection Phase. We assume that, in the network initialization phase, an effective key-based mechanism is adopted, such as [35–37]. That is, an infrastructure for secure communication has been established. To achieve anonymity, nodes may need to use pseudonyms to communicate with each other according to the requirement. We adopt the method in [29] to generate pseudonyms. Assuming two nodes $u$ and $v$ with a shared key $K_{uv}$, we can generate a sequence of pseudonyms using the hash function $h$ by iteratively hashing a random value $V_{rdm}$ as follows:

$$
\mathrm{id}^{(1)}_{uv} = h\left(K_{uv}, V_{rdm}\right), \tag{7}
$$

$$
\mathrm{id}^{(i)}_{uv} = h\left(K_{uv}, \mathrm{id}^{(i-1)}_{uv}\right). \tag{8}
$$

(1) Broadcast Query Message. After network initialization, every duty node $u$ periodically broadcasts a query message (query-msg) as follows:

$$
\text{query-msg} = \mathrm{ID}_u,\ t_Q,\ X_u,\ \mathrm{MAC}_{IK_u}(\mathrm{ID}_u, t_Q, X_u),\ \mathrm{MAC}_{K_{grp}}(\mathrm{ID}_u, t_Q, X_u), \tag{9}
$$

where $t_Q$ is the timestamp, and its value is the time when the query-msg is broadcast by the duty node; $K_{grp}$ is the group key shared among the sending node and its neighborhood; and $X_u$ is the $X$ coordinate of the node $u$ on the elliptic curve $E/F_p$. Since $H(\mathrm{ID}_u) = (X_u, Y_u)$ is a point of $E/F_p$, only one of the $X_u$ and $Y_u$ coordinates needs to be transmitted, and the other can be easily derived using the curve equation.

(2) Reply Query Message

(i) For Tag-Node. We assume that tag-nodes and common nodes are loosely synchronized. Every tag-node periodically monitors the query-msg for a specific time interval $\Delta_m$, called the monitoring slot. Each monitoring period is called a monitoring round. Upon receiving a query-msg from a duty node $u$, a tag-node $v$ performs the following operations.

(I) Calculate $Y_u$ using $X_u$ and the curve, and then calculate the IBC key $IK_u = k(X_u, Y_u) \in G_a$ using $(X_u, Y_u)$ and the network master secret $k$.

(II) Check the first MAC in (9): calculate $\mathrm{MAC}' = h_{IK_u}(\mathrm{ID}_u, t_Q, X_u)$ and compare whether the received corresponding MAC is the same as $\mathrm{MAC}'$. If the MAC is verified, it puts $\mathrm{ID}_u$ into a candidate reply-list and stops receiving the query-msg in the current monitoring slot; otherwise, it ignores the query-msg.


(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply to. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$
\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{v\text{-}bs},\ \mathrm{id}_u,\ E_{K_{v\text{-}bs}}(\mathrm{TID}_v, t, \text{others1}),\ \mathrm{MAC}_{K_{v\text{-}bs}}(\mathrm{DATA1}),\ \mathrm{MAC}_{IK_u}(\mathrm{DATA2}), \tag{10}
$$

$$
\mathrm{id}_u = h\left(IK_u, t_Q\right), \tag{11}
$$

$$
\mathrm{DATA1} = \mathrm{id}^{(*)}_{v\text{-}bs},\ E_{K_{v\text{-}bs}}(\mathrm{TID}_v, t, \text{others1}), \tag{12}
$$

$$
\mathrm{DATA2} = \mathrm{ID}_u,\ \mathrm{id}_u,\ E_{K_{v\text{-}bs}}(\mathrm{TID}_v, t, \text{others1}), \tag{13}
$$

$$
\text{collectInfo} = \mathrm{DATA1},\ \mathrm{MAC}_{K_{v\text{-}bs}}(\mathrm{DATA1}), \tag{14}
$$

where $\mathrm{id}^{(*)}_{v\text{-}bs}$ is the pseudonym shared between tag-node $v$ and the sink node, $\mathrm{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply, it sends a reply-msg to node $u$. Note that token nodes do not perform the operations (I) and (II) as a tag-node does. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \mathrm{ID}_u \,\|\, \mathrm{id}^{(*)}_{w\text{-next}} \,\|\, \mathrm{id}^{(*)}_{wu} \,\|\, E_{K_{w\text{-next}}}(\text{token-ID} \,\|\, t \,\|\, \text{others2}) \,\|\, \mathrm{MAC}_{K_{w\text{-next}}}(\mathrm{DATA1}) \,\|\, \mathrm{MAC}_{K_{wu}}(\mathrm{DATA2}), \tag{15}$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{w\text{-next}} \,\|\, E_{K_{w\text{-next}}}(\text{token-ID} \,\|\, t \,\|\, \text{others2}), \tag{16}$$

$$\mathrm{DATA2} = \mathrm{ID}_u \,\|\, \mathrm{id}^{(*)}_{wu} \,\|\, E_{K_{w\text{-next}}}(\text{token-ID} \,\|\, t \,\|\, \text{others2}), \tag{17}$$

where $\mathrm{id}^{(*)}_{w\text{-next}}$ and $K_{w\text{-next}}$ are the pseudonym and key shared between token node $w$ and the next round's token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself), $\mathrm{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively, and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round's token node.

(3) Generate and Forward Event Report Message. Due to the different schemes used by tag-nodes and token nodes to generate pseudonyms, as shown in (11) and (8), a query node which receives a reply-msg can know whether the message is sent from a tag-node or a token node. Therefore, the query node can check the MAC using the corresponding key. Upon receiving a reply-msg from a tag-node $v$ or a token node $w$, a query node $u$ first checks the corresponding MAC. If the corresponding MAC is verified, it generates an event report (rpt-msg) and forwards the rpt-msg to the duty node closest to the sink node in its communication range.

Query node $u$ forwards the following real rpt-msg to the chosen next hop node (nextHop) if it receives a verified reply-msg from tag-node $v$:

$$\text{rpt-msg} = \mathrm{ID}_u \,\|\, \mathrm{ID}_{\text{nextHop}} \,\|\, t_{\mathrm{rs}} \,\|\, \mathrm{ID}_{\mathrm{rs}} \,\|\, E_{K_{\text{rs-bs}}}(\text{collectInfo}) \,\|\, \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}), \tag{18}$$

$$\mathrm{DATA} = \mathrm{ID}_u \,\|\, \mathrm{ID}_{\text{nextHop}} \,\|\, t_{\mathrm{rs}} \,\|\, \mathrm{ID}_{\mathrm{rs}} \,\|\, E_{K_{\text{rs-bs}}}(\text{collectInfo}), \tag{19}$$

where $\mathrm{ID}_{\mathrm{rs}}$ is the ID of the reporter source, that is, the first reporter node, and in this case its tag-node $u$, $t_{\mathrm{rs}}$ is the sending timestamp from the reporter source, and collectInfo is shown in (14).

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \mathrm{ID}_u \,\|\, \mathrm{ID}_{\text{nextHop}} \,\|\, t_{\mathrm{rs}} \,\|\, \mathrm{ID}_{\mathrm{rs}} \,\|\, \text{rdmDATA} \,\|\, \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}), \tag{20}$$

$$\mathrm{DATA} = \mathrm{ID}_u \,\|\, \mathrm{ID}_{\text{nextHop}} \,\|\, t_{\mathrm{rs}} \,\|\, \mathrm{ID}_{\mathrm{rs}} \,\|\, \text{rdmDATA}, \tag{21}$$

where rdmDATA is a random binary sequence code, and its length shall satisfy the fact that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will evenly reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field via decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\mathrm{ID}_{\mathrm{rs}}$ field in (18). Then it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node, if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can evenly obtain the interesting information about the monitored objects.


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\mathrm{id}^{(*)}_{v\text{-bs}}$ and $\mathrm{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-bs}}$ and $K_{w\text{-next}}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $\mathrm{IK}_u$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\mathrm{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\mathrm{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\mathrm{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of the next round. It not only guarantees that tag-nodes reply to the query messages confidentially but also guarantees that token nodes pass tokens confidentially.

$$\mathrm{id}^{(*)}_{v\text{-bs}} = h(K_{v\text{-bs}} \,\|\, \mathrm{id}^{(*-1)}_{v\text{-bs}}), \tag{22}$$

$$\mathrm{id}^{(*)}_{w\text{-next}} = h(K_{w\text{-next}} \,\|\, \mathrm{id}^{(*-1)}_{w\text{-next}}), \tag{23}$$

$$\mathrm{id}^{(*)}_{wu} = h(K_{wu} \,\|\, \mathrm{id}^{(*-1)}_{wu}). \tag{24}$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node has the same pseudonym, because the hash function may generate the same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{\mathrm{bit}}/2}$, where $n_{\mathrm{bit}}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, the collision probability is 2.3e−10, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply to query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{v\text{-bs}}$, $K_{w\text{-next}}$, and $K_{\text{rs-bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes via using corresponding keys, such as $\mathrm{IK}_u$ and $K_{\mathrm{grp}}$, to check the first MAC, $\mathrm{MAC}^{(1)}$, and the second MAC, $\mathrm{MAC}^{(2)}$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23).

$$\mathrm{MAC}^{(1)} = h_{\mathrm{IK}_u}(\mathrm{ID}_u \,\|\, t_Q \,\|\, X_u), \tag{25}$$

$$\mathrm{MAC}^{(2)} = h_{K_{\mathrm{grp}}}(\mathrm{ID}_u \,\|\, t_Q \,\|\, X_u). \tag{26}$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{\mathrm{self}}$ as (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replay message and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\mathrm{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh.

$$\Delta_t = |t_Q - t_{\mathrm{self}}|. \tag{27}$$
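The tag-node checks of step (2)(i) and the freshness and authentication services above, together with the query node's pseudonym comparison, can be exercised as follows. This is an added example, not code from the paper: HMAC-SHA256 truncated to the 4-byte MAC and 8-byte pseudonym lengths stands in for the keyed hash $h$, `derive_ik` is a hypothetical stand-in for the elliptic-curve IBC key derivation, and the keys, the 5-second threshold, and all function names are assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN, PSEUDONYM_LEN, X_LEN = 4, 8, 64   # field sizes used by the scheme
DELTA_T_FRESH = 5                          # freshness threshold in seconds (assumed)


def h(key: bytes, data: bytes, out_len: int) -> bytes:
    """Keyed hash h_K(.): HMAC-SHA256 truncated to out_len bytes (stand-in)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:out_len]


def derive_ik(master_k: bytes, x_u: bytes) -> bytes:
    """Stand-in for IK_u = k(X_u, Y_u); the paper uses an EC scalar multiplication."""
    return h(master_k, b"IK" + x_u, 32)


def build_query(id_u: int, t_q: int, x_u: bytes, ik_u: bytes, k_grp: bytes) -> bytes:
    """query-msg (9): ID_u | t_Q | X_u | MAC_IK_u(body) | MAC_K_grp(body)."""
    body = struct.pack(">HI", id_u, t_q) + x_u
    return body + h(ik_u, body, MAC_LEN) + h(k_grp, body, MAC_LEN)


def tag_node_check(msg: bytes, master_k: bytes, t_self: int):
    """Tag-node side: freshness test (27) first, then the first MAC (25).

    Returns (verdict, pseudonym); the pseudonym is id_u of (11) and is only
    produced for an accepted query.
    """
    if len(msg) != 2 + 4 + X_LEN + 2 * MAC_LEN:
        return "malformed", None
    body, mac1 = msg[:-2 * MAC_LEN], msg[-2 * MAC_LEN:-MAC_LEN]
    _id_u, t_q = struct.unpack(">HI", body[:6])
    if abs(t_q - t_self) > DELTA_T_FRESH:            # (27): treat as a replay
        return "stale", None
    ik_u = derive_ik(master_k, body[6:])
    if not hmac.compare_digest(h(ik_u, body, MAC_LEN), mac1):
        return "forged", None                        # fresh timestamp, wrong MAC
    return "ok", h(ik_u, struct.pack(">I", t_q), PSEUDONYM_LEN)


def next_pseudonym(key: bytes, previous: bytes) -> bytes:
    """Chained pseudonym of (22)-(24): id(*) = h(K | id(*-1))."""
    return h(key, previous, PSEUDONYM_LEN)


def classify_reply(pseudonym: bytes, ik_u: bytes, t_q: int,
                   k_wu: bytes, id_wu_prev: bytes) -> str:
    """Query-node side: the pseudonym decides which key must verify the reply MAC."""
    if hmac.compare_digest(pseudonym, h(ik_u, struct.pack(">I", t_q), PSEUDONYM_LEN)):
        return "tag-node"       # matches id_u of (11), bound to this query's t_Q
    if hmac.compare_digest(pseudonym, next_pseudonym(k_wu, id_wu_prev)):
        return "token-node"     # matches the synchronized id_wu of (24)
    return "unknown"            # stale or foreign pseudonym: drop the reply


def demo():
    """Constructed run: an honest query, its replay, a forgery, and three replies."""
    master_k, k_grp, k_wu = b"\x01" * 32, b"\x02" * 16, b"\x03" * 16  # constructed keys
    x_u, id_wu_prev = bytes(range(64)), b"\x00" * 8                   # constructed values
    ik_u = derive_ik(master_k, x_u)
    query = build_query(7, 1000, x_u, ik_u, k_grp)
    forged = build_query(7, 1000, x_u, b"\xff" * 32, k_grp)   # sender lacks IK_u
    verdict, id_u = tag_node_check(query, master_k, t_self=1002)
    return {
        "fresh": verdict,
        "replayed": tag_node_check(query, master_k, t_self=1060)[0],
        "forged": tag_node_check(forged, master_k, t_self=1002)[0],
        "reply_now": classify_reply(id_u, ik_u, 1000, k_wu, id_wu_prev),
        "reply_old_round": classify_reply(id_u, ik_u, 1060, k_wu, id_wu_prev),
        "token": classify_reply(next_pseudonym(k_wu, id_wu_prev), ik_u, 1000,
                                k_wu, id_wu_prev),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

The `reply_old_round` case shows the pseudonym-based freshness check: a tag-node reply bound to an earlier $t_Q$ no longer matches once the query node has moved to a new query timestamp.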

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as in [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$b = \log_2 \frac{M + L}{M}. \tag{28}$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section we provide the packet format and length for each type of message. According to the IEEE 802.15.4 frame format [39], each packet includes 9 bytes of constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of message in both our schemes and SS includes the 9 bytes of constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte $X$ coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte $X$ coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\mathrm{len}_{\text{query-msg}}$. So we have $\mathrm{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MAC fields. We assume that the encryption function is implemented using AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\mathrm{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC, in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal is $\mathrm{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MAC fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-issss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the broadcasting query-msg phase, duty nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msg and replying query-msg, we can transmit them on two different channels. Therefore, the number of query-msgs broadcast, $N_{\text{Tx-qry-msg}}$, in the network will be equal to the number of the duty nodes; the number of query-msgs received, $N_{\text{Rx-qry-msg}}$, in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\mathrm{row}} \times n_{\mathrm{clm}}$ square grids. That is, the number of duty nodes is $n_{\mathrm{row}} \times n_{\mathrm{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\mathrm{row}} \times n_{\mathrm{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$. (2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted, $N_{\text{Tx-rpl-msg}}$, in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of reply-msgs received, $N_{\text{Rx-rpl-msg}}$, in the network will be equal to the number of their neighboring nodes. Let $\rho_{\mathrm{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\mathrm{node}}$. (3) In the sending rpt-msgs phase, the chosen duty nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\mathrm{hop}_{\mathrm{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\mathrm{hop}_{\mathrm{avg}}$. Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\mathrm{Tx}}$ and $E_{\mathrm{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

$$\begin{aligned} E_{\text{Tx-GBP}} &= (N_{\text{Tx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}})\,E_{\mathrm{Tx}} \\ &= E_{\mathrm{Tx}} \times n_{\mathrm{row}} \times n_{\mathrm{clm}} \times 87 + E_{\mathrm{Tx}} \times (L + M) \times 49 + E_{\mathrm{Tx}} \times (L + M)\,\mathrm{hop}_{\mathrm{avg}} \times 55, \end{aligned} \tag{29}$$

$$\begin{aligned} E_{\text{Rx-GBP}} &= (N_{\text{Rx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}})\,E_{\mathrm{Rx}} \\ &= E_{\mathrm{Rx}} \times (L + M) \times 87 + E_{\mathrm{Rx}} \times (L + M)\,\rho_{\mathrm{node}} \times 49 + E_{\mathrm{Rx}} \times (L + M)\,\mathrm{hop}_{\mathrm{avg}} \times 55. \end{aligned} \tag{30}$$

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\mathrm{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes' neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\mathrm{node}}$ and $(L + M)\rho_{\mathrm{node}}^2$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\mathrm{hop}_{\mathrm{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

$$\begin{aligned} E_{\text{Tx-ISS}} &= (N_{\text{Tx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}})\,E_{\mathrm{Tx}} \\ &= E_{\mathrm{Tx}} \times (L + M) \times 17 + E_{\mathrm{Tx}} \times (L + M)\,\rho_{\mathrm{node}} \times 55 + E_{\mathrm{Tx}} \times (L + M)\,\mathrm{hop}_{\mathrm{avg}} \times 39, \end{aligned} \tag{31}$$

$$\begin{aligned} E_{\text{Rx-ISS}} &= (N_{\text{Rx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}})\,E_{\mathrm{Rx}} \\ &= E_{\mathrm{Rx}} \times (L + M)\,\rho_{\mathrm{node}} \times 17 + E_{\mathrm{Rx}} \times (L + M)\,\rho_{\mathrm{node}}^2 \times 55 + E_{\mathrm{Rx}} \times (L + M)\,\mathrm{hop}_{\mathrm{avg}} \times 39. \end{aligned} \tag{32}$$

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. Both the transmitting event-trigger-signal phase and the sending token-pass-msg phase are similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of rpt-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

$$\begin{aligned} E_{\text{Tx-SS}} &= (N_{\text{Tx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}})\,E_{\mathrm{Tx}} \\ &= E_{\mathrm{Tx}} \times (L + M) \times 17 + E_{\mathrm{Tx}} \times (L + M)\,\rho_{\mathrm{node}} \times 35 + E_{\mathrm{Tx}} \times (L + M)\,\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}} \times 39, \end{aligned} \tag{33}$$


Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\mathrm{row}} \times n_{\mathrm{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\mathrm{node}}$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\mathrm{avg}}$ | $(L + M)\,\mathrm{hop}_{\mathrm{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\mathrm{node}}$ |
| token-pass-msg | $(L + M)\rho_{\mathrm{node}}$ | $(L + M)\rho_{\mathrm{node}}^2$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\mathrm{avg}}$ | $(L + M)\,\mathrm{hop}_{\mathrm{avg}}$ |

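$$\begin{aligned} E_{\text{Rx-SS}} &= (N_{\text{Rx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}})\,E_{\mathrm{Rx}} \\ &= E_{\mathrm{Rx}} \times (L + M)\,\rho_{\mathrm{node}} \times 17 + E_{\mathrm{Rx}} \times (L + M)\,\rho_{\mathrm{node}}^2 \times 35 + E_{\mathrm{Rx}} \times (L + M)\,\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}} \times 39. \end{aligned} \tag{34}$$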

According to (29), (31), and (33), we can derive

$$E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\mathrm{Tx}}\,[\,n_{\mathrm{row}} \times n_{\mathrm{clm}} \times 87 + (L + M) \times (32 + 16\,\mathrm{hop}_{\mathrm{avg}} - 55\rho_{\mathrm{node}})\,], \tag{35}$$

$$E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\mathrm{Tx}}\,[\,n_{\mathrm{row}} \times n_{\mathrm{clm}} \times 87 + (L + M) \times (32 + 55\,\mathrm{hop}_{\mathrm{avg}} - 35\rho_{\mathrm{node}} - 39\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}})\,], \tag{36}$$

$$E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\mathrm{Tx}}\,(L + M)\,(20\rho_{\mathrm{node}} + 39\,\mathrm{hop}_{\mathrm{avg}} - 39\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}}). \tag{37}$$

Since WSNs are usually densely deployed, $\rho_{\mathrm{node}} \ge \mathrm{hop}_{\mathrm{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\mathrm{node}}$ |
| token-pass-msg | $(L + M)\rho_{\mathrm{node}}$ | $(L + M)\rho_{\mathrm{node}}^2$ |
| rpt-msg | $(L + M)\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}}$ | $(L + M)\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

$$E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\mathrm{Rx}}\,(L + M) \times (87 + 32\rho_{\mathrm{node}} + 16\,\mathrm{hop}_{\mathrm{avg}} - 55\rho_{\mathrm{node}}^2), \tag{38}$$

$$E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\mathrm{Rx}}\,(L + M) \times (87 + 32\rho_{\mathrm{node}} + 55\,\mathrm{hop}_{\mathrm{avg}} - 35\rho_{\mathrm{node}}^2 - 39\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}}), \tag{39}$$

$$E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\mathrm{Rx}}\,(L + M) \times (20\rho_{\mathrm{node}}^2 + 39\,\mathrm{hop}_{\mathrm{avg}} - 39\rho_{\mathrm{node}}\,\mathrm{hop}_{\mathrm{avg}}). \tag{40}$$

In (38), if

$$\rho_{\mathrm{node}} \ge \frac{32 + \sqrt{1024 + 220\,(87 + 16\,\mathrm{hop}_{\mathrm{avg}})}}{110}, \tag{41}$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\mathrm{hop}_{\mathrm{avg}} = 20$; thus, if $\rho_{\mathrm{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\mathrm{hop}_{\mathrm{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\mathrm{hop}_{\mathrm{avg}} = 20$; thus, if $\rho_{\mathrm{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

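In (40), if

$$\rho_{\mathrm{node}} \ge \frac{39\,\mathrm{hop}_{\mathrm{avg}} - \sqrt{(39\,\mathrm{hop}_{\mathrm{avg}})^2 - 3120\,\mathrm{hop}_{\mathrm{avg}}}}{40}, \qquad \rho_{\mathrm{node}} \le \frac{39\,\mathrm{hop}_{\mathrm{avg}} + \sqrt{(39\,\mathrm{hop}_{\mathrm{avg}})^2 - 3120\,\mathrm{hop}_{\mathrm{avg}}}}{40}, \tag{43}$$

with $\mathrm{hop}_{\mathrm{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.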


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying with a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying with one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
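The overhead model of Sections 6.1.2 and 6.1.3 can be evaluated numerically. The following added example (not the authors' code) multiplies the message counts of Tables 2-4 by the packet lengths of Section 6.1.1 and evaluates thresholds (41)-(43), the privacy level at which GBP starts to transmit less, and the tag-node lifetime; the grid count of 400, the hop distance of 10, and all function names are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Packet lengths in bytes (Section 6.1.1).
QUERY, REPLY, RPT_GBP = 87, 49, 55
TRIG, TOKEN_ISS, TOKEN_SS, RPT_ISS_SS = 17, 55, 35, 39
# CC2420 per-byte energy (microjoules) and ECC-160 scalar multiplication
# cost (millijoules), the values used in Section 6.1.3.
E_TX_UJ, E_RX_UJ, E_ECC_MJ = 5.76, 6.48, 17.0


@dataclass(frozen=True)
class Net:
    grids: int   # n_row * n_clm, the number of duty nodes (assumed value)
    L: int       # fake objects (token nodes)
    M: int       # real objects (tag-nodes)
    rho: float   # average number of neighbours per node
    hop: float   # average hop distance, reporter source to sink (assumed value)


def byte_counts(net, scheme):
    """Return (tx_bytes, rx_bytes): message counts of Tables 2-4 times lengths."""
    n, rho, hop = net.L + net.M, net.rho, net.hop
    if scheme == "GBP":   # bracketed sums of (29) and (30)
        return (net.grids * QUERY + n * REPLY + n * hop * RPT_GBP,
                n * QUERY + n * rho * REPLY + n * hop * RPT_GBP)
    if scheme == "ISS":   # (31) and (32)
        return (n * TRIG + n * rho * TOKEN_ISS + n * hop * RPT_ISS_SS,
                n * rho * TRIG + n * rho**2 * TOKEN_ISS + n * hop * RPT_ISS_SS)
    if scheme == "SS":    # (33) and (34)
        return (n * TRIG + n * rho * TOKEN_SS + n * rho * hop * RPT_ISS_SS,
                n * rho * TRIG + n * rho**2 * TOKEN_SS + n * rho * hop * RPT_ISS_SS)
    raise ValueError(f"unknown scheme {scheme!r}")


def energy_joules(net, scheme):
    """Return (E_Tx, E_Rx) in joules for one event per tag-node or token node."""
    tx, rx = byte_counts(net, scheme)
    return tx * E_TX_UJ * 1e-6, rx * E_RX_UJ * 1e-6


def fake_sources_for_bits(b, M=1):
    """Invert (28): b = log2((M + L) / M)  gives  L = M * (2**b - 1)."""
    return M * (2**b - 1)


def rho_min_gbp_vs_iss(hop):
    """(41): smallest rho for which E_Rx-GBP <= E_Rx-ISS."""
    return (32 + math.sqrt(1024 + 220 * (87 + 16 * hop))) / 110


def rho_min_gbp_vs_ss(hop):
    """(42): smallest rho for which E_Rx-GBP <= E_Rx-SS."""
    c = 39 * hop - 32   # the term defined in the text as (39 hop_avg - 32)
    return (-c + math.sqrt(c * c + 140 * (87 + 55 * hop))) / 70


def rho_window_iss_vs_ss(hop):
    """(43): the (low, high) rho interval where E_Rx-ISS <= E_Rx-SS, or None."""
    disc = (39 * hop) ** 2 - 3120 * hop
    if disc < 0:        # no real root: ISS never receives less than SS
        return None
    root = math.sqrt(disc)
    return (39 * hop - root) / 40, (39 * hop + root) / 40


def min_bits_gbp_tx_cheaper(other, grids, M, rho, hop, max_bits=10):
    """Lowest privacy level b at which GBP transmits fewer bytes than `other`."""
    for b in range(1, max_bits + 1):
        net = Net(grids, fake_sources_for_bits(b, M), M, rho, hop)
        if byte_counts(net, "GBP")[0] < byte_counts(net, other)[0]:
            return b
    return None


def tag_node_lifetime_days(period_s=60, battery_j=18720):
    """Section 6.1.3: per period, one query received, one ECC check, one reply sent."""
    per_round_mj = E_ECC_MJ + (QUERY * E_RX_UJ + REPLY * E_TX_UJ) / 1000
    per_day_j = per_round_mj * (86400 / period_s) / 1000
    return battery_j / per_day_j


if __name__ == "__main__":
    for b in (1, 4, 10):
        net = Net(grids=400, L=fake_sources_for_bits(b), M=1, rho=47, hop=10)
        print(b, {s: energy_joules(net, s) for s in ("GBP", "ISS", "SS")})
    print(rho_window_iss_vs_ss(20), round(tag_node_lifetime_days()))
```

With $\rho_{\mathrm{node}} = 47$ and $\mathrm{hop}_{\mathrm{avg}} = 20$ the upper bound of (43) is about 38, so ISS receives more than SS, which matches the ordering reported for Figure 7.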

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

[Plot: x-axis, privacy in terms of number of bits (b), 1 to 10; y-axis, communication cost for transmitting messages (J); curves: GBP, ISS, SS.]

Figure 6: Communication cost for transmitting messages of the network at different privacy levels.

[Plot: x-axis, privacy in terms of number of bits (b), 1 to 10; y-axis, communication cost for receiving messages (J); curves: GBP, ISS, SS.]

Figure 7: Communication cost for receiving messages of the network at different privacy levels.

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\mathrm{node}} = 47 > \mathrm{hop}_{\mathrm{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\mathrm{node}}^2)$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.


[Plot: x-axis, privacy in terms of number of bits (b), 1 to 10; y-axis, communication cost (J); curves: GBP, ISS, SS.]

Figure 8: Total communication cost of the network at different privacy levels.

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice, with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, the IBC-based technique, and the pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet the connectivity requirement and the query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, “A survey of applications of wireless sensors and wireless sensor networks,” in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC ’05 and MED ’05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and applications: a survey,” International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensor networks: a survey,” IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensor network security: a survey,” IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS ’05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, “Analysis of location privacy solutions in wireless sensor networks,” IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.

[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM ’08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC ’09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS ’06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en.


To reduce the traffic caused by the ConstRate scheme in [9, 10] and the ProbRate scheme in [11], based on proxies and data aggregation, a proxy-based filtering scheme (PFS) and a tree-based filtering scheme (TFS) were presented in [15]. In PFS, proxies are selected to collect and filter dummy messages from surrounding nodes. Also, proxies are formed into a tree hierarchy, and the dummy messages are dropped on the way from proxies to sink nodes. In order to explore the impacts on the network lifetime of proxy filtering approaches, different proxy assignment strategies and different deployment scenarios were investigated in [16]. In [17], a data aggregation scheme based on a cluster-tree hierarchical architecture was proposed to reduce the message overhead by aggregating multiple messages in a single transmission. However, these approaches are also not suited for latency sensitive applications, because when a node detects a real event, it delays the transmission of the real event report such that the next intermessage interval follows the normal application distribution. Similar to periodic collection in [9, 10], these approaches also do not consider the traffic generated by electronic tags.

In [18], four schemes, called naïve, global, greedy, and probabilistic, were proposed to protect the DSLP against a global adversary. The naïve scheme is similar to the periodic collection method in [9, 10]. Every node periodically sends a real or forged message. The time interval between message transmissions is usually quite long to reduce the communication cost. Therefore, this approach can cause long delay. In order to reduce the delivery latency, the global and the greedy approaches were presented to discover the shortest delivery latency path. However, the global approach requires the knowledge of global network topology and transmission schedules, and it is impractical for every node to store the topology of the whole network and to compute the fastest path. The greedy approach is a heuristic method. Every node chooses the neighbor that has the shortest waiting time and is closer to the sink node as the next hop route node. In order to reduce the communication overhead, a probabilistic approach was proposed. This approach lets every node probabilistically transmit messages to guarantee that every node can hear a message during any fixed period of time. However, it ignores that a real object may be detected by some nodes simultaneously, which will generate event reports and lead to more network traffic around the object. This abnormal traffic can help the adversary to discover the real object.

In [19], a spatiotemporal process replication scheme for generating dummy network traffic was proposed to disguise the real event report. The method assumed that monitored events obey a Poisson temporal distribution with a known rate and uniform spatial distribution over the network area. A subset of nodes regularly acts as fake sources and generates dummy network traffic with the same event distribution. However, the method ignores the spatial correlation of events about a real object, which can help the adversary locate the real object. For example, the traces of a panda do not follow uniform spatial distribution over the network during a relatively short period of time. The adversary can locate the panda by observing the traces in a relatively small network area.

3. Improved Source Simulation (ISS) Method under the PHGM

As mentioned above, all of the prior approaches except the SS method in [9, 10] ignored the event trigger process from tag-nodes. The adversary can defeat all of these approaches by monitoring the additional traffic from tag-nodes. Therefore, to avoid this situation, we should adopt the SS method to simulate the additional traffic pattern generated by tag-nodes. However, as described in Section 2, the SS method has two defects. First, a reporter source cannot generate effective event reports, since the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable. Second, it is not suited to track multiobjects accurately. In this section, we propose an improved source simulation (ISS) method to solve the first problem for single-object monitoring applications. For multiobjects monitoring applications, in order to track the objects effectively and accurately, the event-trigger-signals should contain related information of the monitored objects. The corresponding solving approach will be presented in Section 5.

3.1. Protocol Description. Before deployment, randomly select $L$ nodes as token nodes and preload each of them with a unique token ID. Every token node will masquerade as a real object to emit event-trigger-signals for event detection. We assume that the infrastructure of secure communications has been established after deployment. Note that, in this approach, the adversary is similar to the one considered in [9–16, 18, 19]; that is, it cannot compromise any sensor node. The event report process includes the following three steps, as shown in Figure 1.

(1) Emit Event-Trigger-Signal. A token node or a tag-node emits an event-trigger-signal for event detection around its local area. A node that detects the signal sets itself as a candidate reporter source.

(2) Pass Token. The token node and the candidate reporter sources send the messages, called token-pass-msg, according to their roles, respectively. We assume that the length of the time interval for passing the token-pass-msg, called token-pass-slot, is $\Delta_{\mathrm{tk}}$.

After the token node emits an event-trigger-signal, it sets a timer, called timer-for-token-passing, with value $T_{\mathrm{tk}} \in (0, \Delta_{\mathrm{tk}})$. When the timer expires, the token node broadcasts a real token-pass-msg as follows:

$$
\begin{aligned}
\text{token-pass-msg} &= \mathrm{ID}_S,\ t_s,\ E_{K_{\mathrm{next}}}(\mathrm{DATA1}),\ E_{K_{\mathrm{grp}}}(\mathrm{DATA2}),\ \mathrm{MAC1},\ \mathrm{MAC2},\\
\mathrm{DATA1} &= \text{token-ID},\ t_s,\\
\mathrm{DATA2} &= \text{chosen-report-ID},\ t_s,\\
\mathrm{MAC1} &= \mathrm{MAC}_{K_{\mathrm{next}}}(\mathrm{DATA3}),\\
\mathrm{MAC2} &= \mathrm{MAC}_{K_{\mathrm{grp}}}(\mathrm{DATA3}),\\
\mathrm{DATA3} &= \mathrm{ID}_S,\ t_s,\ E_{K_{\mathrm{next}}}(\mathrm{DATA1}),\ E_{K_{\mathrm{grp}}}(\mathrm{DATA2}),
\end{aligned}
\tag{1}
$$

where $\mathrm{ID}_S$ is the identifier (ID) of the sending node; $t_s$ is a timestamp used to distinguish different events and to provide freshness service, and its value is the sending delay plus the time when the event-trigger-signal is emitted; token-ID is the token identifier of the token node; chosen-report-ID is the ID of the node which is selected by the token node to generate the event report, with the shortest distance to the sink node; $K_{\mathrm{next}}$ is the pairwise key between the token node and the one in the next round, which is selected by the token node in its neighborhood (including itself); $K_{\mathrm{grp}}$ is the group key shared among the sending node and its neighborhood; $E_K(\mathrm{DATA})$ is the ciphertext of DATA encrypted with key $K$; and $\mathrm{MAC}_K(\mathrm{DATA})$ is the message authentication code (MAC) of DATA computed by using key $K$.

Figure 1: Event report process of the ISS scheme. [Steps shown: (1) emit a signal; 2(a) mimic pass token; 2(b) pass token; (3) generate event report. Legend: common node, reporter source, eavesdropping node, tag-node, token node, sink.]

Upon detecting the event-trigger-signal, the candidate reporter source also sets a timer, called timer-for-token-passing, with value $T_{\mathrm{tk}} \in (0, \Delta_{\mathrm{tk}})$. When the timer expires, the candidate reporter source broadcasts a fake token-pass-msg as follows:

$$
\text{token-pass-msg} = \mathrm{ID}_S,\ t_d,\ \text{randomDATA},
\tag{2}
$$

where $t_d$ is a timestamp to distinguish different events, and its value is the time when the event-trigger-signal is detected by it; randomDATA is a random binary sequence code, and its length should satisfy the fact that all token-pass-msgs have the same length, to prevent the adversary from distinguishing the real token-pass-msg from the fake token-pass-msg via packet length. Note that, as the transmission delay is negligible (for example, transmitting one bit of information to 50 m distance only needs 0.17 μs), for the same event the difference between $t_d$ and $t_s$ is equal to the error of synchronized clocks. Therefore, we can distinguish different events via comparing the time field in the token-pass-msgs.

Upon receiving a token-pass-msg, the node $\mathrm{ID}_i$ first checks the MAC2 using the shared group key $K_{\mathrm{grp}}$ with the sending node $\mathrm{ID}_s$. If the MAC2 is verified, it sets a flag called report-flag as true, decrypts the corresponding encrypted field using the shared group key, and checks the MAC1 using the pairwise key $K_{\mathrm{next}}$ with node $\mathrm{ID}_s$. If chosen-report-ID = $\mathrm{ID}_i$, it sets a flag called generate-flag as true. If the MAC1 is verified, it decrypts the corresponding encrypted field using the pairwise key $K_{\mathrm{next}}$, records the token-ID, and sets itself as the token node of the next round.

(3) Generate and Send Event Reports. When the token-pass-slot is over, the token node and the candidate reporter sources generate and send event reports according to the following situations.

(i) If the generate-flag of the node $\mathrm{ID}_i$ is true, it means that (1) the event-trigger-signal is emitted by a token node and (2) it is selected by a token node to generate the event report. It generates a fake event report and delivers it to the sink node through an established routing path, using the pairwise key between them.

(ii) If the report-flag of the node $\mathrm{ID}_i$ is false, it means that the event-trigger-signal is emitted by a tag-node. If it also does not receive any token-pass-msg for the same event from a node closer to the sink node, it generates a real event report and delivers it to the sink node through an established routing path, using the pairwise key between them.

Compared with the source simulation method in [9, 10], the ISS method has two main advantages. (1) Candidate reporter sources can distinguish real events from fake events by authenticating token-pass-msgs. (2) Only one node generates an event report for each event-trigger-signal, and the amount of network traffic can be reduced largely.
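The three steps above, as an added Python example that is not code from the paper: it builds the real and fake token-pass-msgs of equations (1) and (2) at identical length and applies the end-of-slot rules (i) and (ii). The field sizes, the HMAC-SHA256 stand-ins for $E_K$ and $\mathrm{MAC}_K$, the neighbour table with distances to the sink, the clock-error bound, and all IDs and keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Field sizes are assumptions; the paper fixes only the field order.
HDR = struct.Struct(">HI")    # ID_S (16-bit), timestamp (32-bit)
DATA = struct.Struct(">HI")   # DATA1 = token-ID, t_s; DATA2 = chosen-report-ID, t_s
MAC_LEN = 8                   # assumed truncated-MAC length in bytes
MSG_LEN = HDR.size + 2 * DATA.size + 2 * MAC_LEN
CLOCK_ERR = 2                 # assumed clock-synchronisation error, in timestamp ticks


def enc(key, nonce, data):
    """Stand-in for E_K (the paper names no cipher): XOR with an HMAC-SHA256
    keystream bound to the message header. Applying it twice decrypts."""
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def mac(key, data):
    """Stand-in for MAC_K: truncated HMAC-SHA256, domain-separated from enc()."""
    return hmac.new(key, b"mac" + data, hashlib.sha256).digest()[:MAC_LEN]


def real_msg(id_s, t_s, token_id, chosen_report_id, k_next, k_grp):
    """Equation (1): the token-pass-msg broadcast by the token node."""
    hdr = HDR.pack(id_s, t_s)
    data3 = (hdr + enc(k_next, hdr, DATA.pack(token_id, t_s))
             + enc(k_grp, hdr, DATA.pack(chosen_report_id, t_s)))
    return data3 + mac(k_next, data3) + mac(k_grp, data3)


def fake_msg(id_s, t_d):
    """Equation (2): sent by a candidate reporter source, padded with random
    bytes to exactly the length of a real token-pass-msg."""
    return HDR.pack(id_s, t_d) + os.urandom(MSG_LEN - HDR.size)


def end_of_slot(my_id, my_dist, t_detect, neighbours, heard):
    """Decide what node `my_id` does when the token-pass-slot ends.

    neighbours: sender ID -> dict(dist, k_grp, k_pair), an assumed neighbour table.
    heard: token-pass-msgs received during the slot.
    Returns (action, token_id); token_id is set if this node holds the next token.
    """
    report_flag = generate_flag = closer_heard = False
    token_id = None
    for msg in heard:
        if len(msg) != MSG_LEN:
            continue
        id_s, t = HDR.unpack_from(msg)
        nb = neighbours.get(id_s)
        if nb is None or abs(t - t_detect) > CLOCK_ERR:
            continue                      # unknown sender, or a different (stale) event
        closer_heard |= nb["dist"] < my_dist
        data3, mac1, mac2 = msg[:-2 * MAC_LEN], msg[-2 * MAC_LEN:-MAC_LEN], msg[-MAC_LEN:]
        hdr = data3[:HDR.size]
        c1, c2 = data3[HDR.size:HDR.size + DATA.size], data3[HDR.size + DATA.size:]
        if not hmac.compare_digest(mac2, mac(nb["k_grp"], data3)):
            continue                      # fake token-pass-msg: random bytes fail MAC2
        report_flag = True                # the signal came from a token node
        chosen, t_in = DATA.unpack(enc(nb["k_grp"], hdr, c2))
        generate_flag |= chosen == my_id and t_in == t
        if hmac.compare_digest(mac1, mac(nb["k_pair"], data3)):
            token_id, _ = DATA.unpack(enc(nb["k_pair"], hdr, c1))
    if generate_flag:
        return "fake-report", token_id    # rule (i)
    if not report_flag and not closer_heard:
        return "real-report", token_id    # rule (ii)
    return "silent", token_id


def constructed_scenarios():
    """Constructed IDs, keys and distances: token node 1; candidates 7, 8, 9."""
    kg = {n: b"group-key-%d" % n for n in (1, 7, 9)}
    p17, p18, p79 = b"pair-1-7", b"pair-1-8", b"pair-7-9"
    nb7 = {1: dict(dist=40, k_grp=kg[1], k_pair=p17),
           9: dict(dist=50, k_grp=kg[9], k_pair=p79)}
    nb8 = {1: dict(dist=40, k_grp=kg[1], k_pair=p18)}
    nb9 = {7: dict(dist=30, k_grp=kg[7], k_pair=p79)}
    # Event A (t=1000): token node 1 passes token 42 to node 8, picks node 7 to report.
    real = real_msg(1, 1000, 42, 7, k_next=p18, k_grp=kg[1])
    # Event B (t=2000): a tag-node signal; candidates 7 and 9 both send fakes.
    fake7, fake9 = fake_msg(7, 2000), fake_msg(9, 2001)
    return {
        "lengths": (len(real), len(fake7)),
        "A_node7": end_of_slot(7, 30, 1000, nb7, [real, fake_msg(9, 1001)]),
        "A_node8": end_of_slot(8, 35, 1001, nb8, [real]),
        "B_node7": end_of_slot(7, 30, 2000, nb7, [fake9, real]),  # `real` is a stale replay
        "B_node9": end_of_slot(9, 50, 2001, nb9, [fake7]),
    }
```

In event B, the replayed message from event A is discarded on its timestamp alone, which is the freshness role the paper assigns to $t_s$.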

4. UPHGM and Problem Formalization

Although prior work for protecting the DSLP against a global adversary was mainly based on the PHGM described in Section 1, only the SS method in [9, 10] considered reporter sources to generate real event reports depending on event-trigger-signals. It is more realistic than the assumption that nodes of the protected network can sense the monitored objects while the adversary cannot. In practice, directly recognizing an object is a very challenging work due to the difficulty of distinguishing the physical features of the objects from background noises [10]. In this section, we will present an updated-panda-hunter game model (UPHGM). We also assume that every monitored object is equipped with a sensor node to emit signals which can be detected by nodes in the network, as in [9, 10]. The UPHGM includes a network model and an attack model.

Figure 2: The considered network architecture. [Legend: sink, common node, reporter source, eavesdropping node, tag-node, relay-node.]

4.1. Network Model. We assume that a homogeneous WSN, called obj-WSN, is deployed by an organization to monitor specific objects, such as giant pandas, as shown in Figure 2. The obj-WSN consists of $N$ common nodes and one sink node. All of the common nodes have roughly the same resources. Each common node $u$ has a unique node identifier ($\mathrm{ID}_u$) and knows its own location. The communication radius of every common node is $R$. Since directly recognizing the object is very difficult, in order to avoid directly sensing the objects, every monitored object is embedded with a sensor node, that is, a tag-node, to emit event-trigger-signals, called Object-msg. A reporter source which receives an Object-msg will generate a real event report and transmit it to the sink node according to a chosen route mechanism. The communication radius of every tag-node is $r$. To distinguish different objects, each tag-node $v$ also has a unique tag identifier ($\mathrm{TID}_v$). Each Object-msg contains the TID of the tag-node and other information of interest (interest-info).

4.2. Attack Model. We assume that the adversary has his/her own sensor network deployed in the same area, as shown in Figure 2, to monitor the global network traffic of the obj-WSN, as in [9, 10]. Note that the deployment time of the adversary’s network is later than that of the obj-WSN. More specifically, we assume that when the infrastructure of secure communications of the obj-WSN has been established, then the adversary’s network can be deployed. The adversary can monitor the whole network traffic, including the Object-msgs emitted by tag-nodes. Knowing a global view of the network traffic, the adversary can easily deduce where the objects are moving around. For example, an object is very likely close to tag-nodes and reporter sources. We do not consider the situations in which the monitored objects can be directly recognized by sensors. If that happens, then the adversary can launch the direct sensing attack, and no defense mechanism can protect the location privacy of the monitored objects.

In addition, the adversary has the following characteristics.

(1) To appropriately study privacy, we apply Kerckhoffs’s principle [30]. We assume that the adversary knows the communication protocols and defense mechanisms of the obj-WSN. Each eavesdropping node knows its own location, as shown in Figure 2.

(2) To be invisible from the obj-WSN, the adversary considered in this paper may launch only passive attacks and avoid active attacks, as in [9, 10]. However, since the network may also be attacked by other adversaries with different attack aims, we also need to prevent them from launching some active attacks, such as injecting bogus data, by utilizing the security weaknesses of the defense mechanisms.

4.3. Distinction from the PHGM. The main difference between UPHGM and PHGM is that the former considers the Object-msg containing the TID of the tag-node and other interest-info, which is more suitable for many practical applications. For example, for multiobjects monitoring applications, if the Object-msg contains no information of a monitored object and is only used to trigger event detection, a reporter source cannot generate an accurate event report for the corresponding object, because it does not know which tag-node emitted the received Object-msg. And for many applications, we may want to know the state information or health characteristic information about monitored objects. Therefore, the UPHGM is more realistic and effective than the PHGM for many applications to monitor multiobjects.

Compared with the PHGM, the UPHGM yields a new problem which needs to be solved, that is, how to forward Object-msgs to the sink node securely while providing location privacy to tag-nodes and reporter sources under a global adversary. Prior work only considered the location privacy of reporter sources and ignored the location privacy of tag-nodes. Although reporter sources can use the established pairwise keys to communicate with common nodes securely, because tag-nodes are mobile and resource constrained, the tag-nodes cannot first establish pairwise keys with all common nodes in the network and then use the corresponding keys to communicate with the corresponding nodes securely. Therefore, secure and effective protocols have to be designed to implement the secure communications between tag-nodes and reporter sources while providing their location privacy.

4.4. Formal Model. The problem $\Omega$ for protecting the source location privacy against a global adversary in WSNs can be represented by an eight-tuple ($O$, $\mathrm{Net}_O$, $\mathrm{Net}_A$, $D$, $C_D$, $A$, $S_A$, and $b$), where one has the following.

(1) $O$ is the set of monitored objects. We assume that the size of $O$ is $M$. Every monitored object can move around in the deployment area.

(2) $\mathrm{Net}_O$ is the monitoring network deployed by a valid organization, such as the obj-WSN.

(3) $\mathrm{Net}_A$ is the hunting network deployed by an adversary to eavesdrop on the network transmissions of $\mathrm{Net}_O$.

(4) $D$ is the set of defense strategies to protect the source location privacy.

(5) $C_D$ is the cost of defense strategies, mainly consisting of energy cost.

(6) $A$ is the set of attack strategies to infer the locations of monitored objects.

(7) $S_A$ is the set of candidate objects in whose range the adversary expects to find the monitored objects.

(8) $b$ is the level of privacy in terms of bits. It is defined as in [9, 10]:

$$
b = -\sum_{|S_A|} \frac{1}{|S_A|} \log_2 \frac{|O|}{|S_A|} = \log_2 \frac{|S_A|}{M},
\tag{3}
$$

where $|S_A|$ and $|O|$ are the sizes of $S_A$ and $O$, respectively.

Given the level of privacy $b$, our goal is to achieve it with minimum defense overhead $C_D$.

5. Grid-Based Pull (GBP) Scheme under the UPHGM

As we have pointed out in Section 4, the UPHGM is more realistic than the PHGM and is suitable to monitor multiobjects accurately. However, there are still more challenges. In this section, we will propose a grid-based pull scheme to protect the DSLP under the UPHGM by combining a light-weight security object collection scheme with an effective grid partition method. It includes selecting the communication scheme and determining the grid size. Its implementation is then presented.

5.1. Selecting Communication Scheme. The first main challenge is to effectively authenticate and communicate between a mobile tag-node and each potential communication node in the network. There are two kinds of communication schemes: push scheme and pull scheme. For the push scheme, each tag-node broadcasts Object-msg periodically. As the tag-nodes are mobile, every node in the network has to be able to authenticate each tag-node. For the pull scheme, the query nodes broadcast query messages periodically. In this case, each tag-node must be able to authenticate every node in the network.

Compared with the push scheme, the pull scheme is more secure to solve our problem. For the push scheme, if any node is compromised by the adversary, he or she can obtain the secret information, such as secure keys, stored in a compromised node and then upload the obtained secret information to every eavesdropping node. As a result, when any tag-node broadcasts an Object-msg, eavesdropping nodes can authenticate the message and recognize the monitored object. For the pull scheme, if any node is compromised by the adversary, to launch stealthy attacks, he or she shall not broadcast query messages using the obtained secure information. If he or she does so, then it is very likely to expose the eavesdropping nodes to the obj-WSN and to trigger alarms. Only in the situation when a monitored object lies in the communication range of the compromised node and the compromised node is just the query node is the location of the monitored object exposed to the adversary without triggering alarms. Therefore, as shown in Table 1, considering security, we should select the pull scheme.

Table 1: Comparison of communication schemes.

| Scheme | Reporting way of tag-nodes | Authentication requirement | Resistance to node compromise |
|---|---|---|---|
| Push | Active broadcast | Each sensor node is able to authenticate all tag-nodes | Single-point failure |
| Pull | Passive reply | Each tag-node is able to authenticate all sensor nodes | Only tag-nodes nearby the compromised nodes probably fail |

However, due to resource constraints, for example, the storage resource, we cannot let a tag-node authenticate every node in the network with symmetric approaches, which would require the tag-node to store a large number of pairwise keys. Hence, for storage efficiency, we should adopt an asymmetric authentication approach. Considering the asymmetric feature between tag-nodes and common nodes in the obj-WSN, we design an authentication approach based on identity-based cryptography (IBC), which will be described in Section 5.3.

5.2. Determining Grid Size. The second problem we consider is how to reduce the number of query nodes as much as possible while keeping high-quality tracing of the monitored objects. To reduce the number of query nodes, we divide the whole network area into a number of virtual grids. In each grid, a node called the duty node is selected to collect information about the monitored objects. To balance the energy load among nodes, each node can be responsible for collecting the information for a certain time interval in turn as duty node. Hence, the second problem can be translated into the problem of how to determine the size of the virtual grid to satisfy both the query requirement and the connectivity requirement. The query requirement means that, no matter where a tag-node is in the network, its relevant information can be detected by at least one query node. The connectivity requirement means that nodes in a grid are capable of communicating with those nodes in an adjacent grid.

On the one hand, to meet the query requirement, there should be at least one full grid in the circle with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, as illustrated in Figure 3. Obviously, the smaller the size of the grid is, the more full grids are in the circle. To reduce the number of query nodes as much as possible, we need to determine the maximum size of the grid. We have derived the theoretical maximum size of the grid and have the following theorem.

Figure 3: Example of query requirement: the communication range of the tag-node contains at least a full grid.

Theorem 1. To ensure that, no matter where a tag-node is in the network, there is at least one full grid in the circle $C_r$ with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, the maximum length $a$ of the grid is $r/\sqrt{2}$.

Proof. Firstly, we prove that there is at least one full grid in the circle $C_r$ when $a = r/\sqrt{2}$. We assume that the circle $C_r$ does not contain any full grid. Obviously, in this case, the center of the circle is most likely at the common vertex of four grids, as shown in Figure 4. In this case, the circle $C_r$ just contains four full grids, as shown in Figure 4. That is, the assumption does not hold. In other words, there is at least one full grid in the circle $C_r$.

Secondly, we prove that $a$ is the maximum length. We assume that the length $a^* = a + \varepsilon$ ($\varepsilon > 0$) also satisfies the requirement in the theorem. However, when the center of the circle is at the common vertex of four grids, the length of the diagonal line of one grid is $l_d = \sqrt{2}a^* = \sqrt{2}(a + \varepsilon) = \sqrt{2}(r/\sqrt{2} + \varepsilon) > r$, so the circle $C_r$ does not contain any full grid, which contradicts the assumption, as shown in Figure 4. That is, the assumption does not hold. This proves that $a$ is the maximum length.

On the other hand, according to [31], to satisfy the connectivity requirement, the length $a$ of the grid should satisfy $a \le R/\sqrt{5}$, where $R$ is the communication radius of every common node, as shown in Figure 5.

Figure 4: Example of one tag-node at the common vertex of four grids (labels in the figure: $a$, $a^*$, $r$, $l_d > r$).

Figure 5: Example of connectivity requirement according to [31] (labels in the figure: $R$, $a$).

As the communication radius of the common node is usually not less than that of the tag-node, we assume that $R = \lambda r$, where $\lambda \ge 1$. Let $l$ be the length of the network. Define $m$ and $n$ by

$$m = \frac{l}{r/\sqrt{2}}, \qquad n = \frac{l}{R/\sqrt{5}}. \quad (4)$$

That is, $m$ and $n$ are the numbers of grids according to the above two dividing methods, respectively. Then we have the following conclusions.

(i) If $m = n$, that is, $\lambda = \sqrt{2.5}$, the above two dividing methods are the same.

(ii) If $m > n$, that is, $\lambda > \sqrt{2.5}$, to satisfy the above two requirements, we should select the former dividing method.

(iii) If $m < n$, that is, $1 \le \lambda < \sqrt{2.5}$, to satisfy the above two requirements, we should select the latter dividing method.

5.3. Implementation of the Grid-Based Pull Scheme. In this subsection, we introduce the implementation of the grid-based pull scheme, including the predeployment phase, the grid formation phase, and the report collection phase.

5.3.1. Predeployment Phase. Before deploying the obj-WSN, we assume that a trusted authority (TA) performs the following operations.


(1) Generate system parameters ($p$, $q$, $E/F_p$, and $G_a$), where $p$, $q$ are two large primes, $E/F_p$ indicates an elliptic curve $y^2 = x^3 + ax + b$ over the finite field $F_p$, and $G_a$ is a $q$-order subgroup of the additive group of points of $E/F_p$.

(2) Choose two hash functions: $H: \{0, 1\}^* \rightarrow G_a$, mapping strings to nonzero elements in $G_a$, and $h$, mapping arbitrary inputs to fixed-length outputs, for example, SHA-1 [32].

(3) Select a random element $k \in Z_q^* = \{x \mid 1 \le x \le q - 1\}$ as the network master secret.

(4) Calculate $H(\text{ID}_u) = (X_u, Y_u)$ and the IBC key $\text{IK}_u = kH(\text{ID}_u) \in G_a$ for each common node $u$. Note that, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to obtain $k$ from any $(\text{IK}_u, \text{ID}_u)$ pair.

(5) Randomly select $L$ common nodes as token nodes and preload each of them with a unique token ID.

Each common node $u$ is preloaded with the public system parameters ($p$, $q$, $E/F_p$, $G_a$, $H$, and $h$), its private key $\text{IK}_u$, its public key $(X_u, Y_u)$, and a pairwise key with the sink node, $K_{u\text{-bs}}$. Each tag-node $v$ is preloaded with the same public system parameters as each common node, the network master secret $k$, and a pairwise key with the sink node, $K_{v\text{-bs}}$.

5.3.2. Grid Formation Phase. After deploying the obj-WSN, we assume that every common node can obtain its own location information using some localization methods such as [33, 34]. Also, we assume that every common node can obtain the location information $(x_{\text{bs}}, y_{\text{bs}})$ of the sink node either via preloading or via broadcasting. The grid identifier $G_u = (g_{x\text{-}u}, g_{y\text{-}u})$ of node $u$ can be calculated using the following:

$$g_{x\text{-}u} = \left\lceil \frac{x_u - x_{\text{bs}}}{a} \right\rceil, \qquad g_{y\text{-}u} = \left\lceil \frac{y_u - y_{\text{bs}}}{a} \right\rceil, \quad (5)$$

where $x_u$ and $y_u$ indicate the geographic location of node $u$ and $a$ is the side length of a grid, which is determined according to Section 5.2.
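The sizing rule of Section 5.2 and the grid identifier of equation (5), as an added example in Python (not code from the paper): it picks the side length, computes identifiers, and checks the query and connectivity requirements numerically. The function names, the 100 × 100 sample field, and placing the sink at the origin are assumptions of this example.

```python
import math
import random

EPS = 1e-9  # tolerance: at a = r/sqrt(2) the farthest corner lies exactly on the circle


def grid_side(r, R):
    """Largest side length a that meets both requirements of Section 5.2."""
    a_query = r / math.sqrt(2)   # Theorem 1: a full grid inside the tag-node's range
    a_conn = R / math.sqrt(5)    # connectivity bound cited from [31]
    return min(a_query, a_conn)


def grid_id(x, y, x_bs, y_bs, a):
    """Grid identifier (g_x, g_y) of a node at (x, y), as in equation (5)."""
    return (math.ceil((x - x_bs) / a), math.ceil((y - y_bs) / a))


def cell_corners(gid, x_bs, y_bs, a):
    """Corners of a cell; with ceil-based ids, cell g spans ((g-1)*a, g*a]."""
    gx, gy = gid
    xs = (x_bs + (gx - 1) * a, x_bs + gx * a)
    ys = (y_bs + (gy - 1) * a, y_bs + gy * a)
    return [(cx, cy) for cx in xs for cy in ys]


def has_full_grid(x, y, r, x_bs, y_bs, a):
    """Query requirement: is some whole cell inside the circle of radius r at (x, y)?"""
    gx0, gy0 = grid_id(x, y, x_bs, y_bs, a)
    reach = math.ceil(r / a) + 1
    for gx in range(gx0 - reach, gx0 + reach + 1):
        for gy in range(gy0 - reach, gy0 + reach + 1):
            corners = cell_corners((gx, gy), x_bs, y_bs, a)
            if all(math.hypot(cx - x, cy - y) <= r + EPS for cx, cy in corners):
                return True
    return False


def max_adjacent_distance(a):
    """Farthest apart two nodes can be when they sit in edge-adjacent cells."""
    return math.hypot(2 * a, a)   # equals a * sqrt(5)


def check_requirements(r, R, a, trials=2000, seed=1):
    """Return (query_ok, connectivity_ok) for side a; the sink is at the origin."""
    rng = random.Random(seed)
    positions = [(rng.uniform(-50, 50), rng.uniform(-50, 50)) for _ in range(trials)]
    positions.append((a, a))  # worst case from the proof: a common vertex of four grids
    query_ok = all(has_full_grid(x, y, r, 0.0, 0.0, a) for x, y in positions)
    conn_ok = max_adjacent_distance(a) <= R + EPS
    return query_ok, conn_ok


if __name__ == "__main__":
    r = 10.0
    for lam in (1.0, 2.0):                      # R = lambda * r
        a = grid_side(r, lam * r)
        print(lam, round(a, 3), check_requirements(r, lam * r, a))
    too_big = 1.01 * r / math.sqrt(2)           # just above the bound of Theorem 1
    print(check_requirements(r, 2 * r, too_big))
```

A side only 1% above $r/\sqrt{2}$ already fails the query requirement at a common vertex, while using $r/\sqrt{2}$ with $\lambda = 1$ passes the query check but breaks connectivity.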

To form virtual grids in the network initialization phase, each common node $i$ broadcasts a hello message (hello-msg) as follows:

$$\text{hello-msg} = \{\text{ID}_i, x_i, y_i\}. \quad (6)$$

Upon receiving the hello-msg from node $i$, node $u$ first calculates the grid identifier $G_i$ of node $i$ using the $(x_i, y_i)$ information. If $G_i = G_u$, it puts the information $(\text{ID}_i, x_i, y_i)$ of node $i$ into its same-grid table in descending order of ID number; otherwise, it puts the information $(\text{ID}_i, x_i, y_i)$ of node $i$ into its non-same-grid table in increasing order of distance to the sink node.

To avoid additional communication overhead caused by the duty node role rotation, we can stipulate the rotation order, for example, in descending (or increasing) order of ID number in each grid. Thus, each grid will have a duty node when the network initialization finishes, and each node will rotate as duty node in a stipulated order.

5.3.3. Report Collection Phase. We assume that, in the network initialization phase, an effective key-based mechanism is adopted, such as [35–37]. That is, an infrastructure for secure communication has been established. To achieve anonymity, nodes may need to use pseudonyms to communicate with each other according to the requirement. We adopt the method in [29] to generate pseudonyms. Assuming two nodes $u$ and $v$ with a shared key $K_{uv}$, we can generate a sequence of pseudonyms using the hash function $h$ by iteratively hashing a random value $V_{\text{rdm}}$ as follows:

$$\text{id}^{(1)}_{uv} = h(K_{uv} \,\|\, V_{\text{rdm}}), \quad (7)$$

$$\text{id}^{(i)}_{uv} = h(K_{uv} \,\|\, \text{id}^{(i-1)}_{uv}). \quad (8)$$

(1) Broadcast Query Message. After network initialization, every duty node $u$ periodically broadcasts a query message (query-msg) as follows:

$$\text{query-msg} = \{\text{ID}_u, t_Q, X_u, \text{MAC}_{\text{IK}_u}(\text{ID}_u, t_Q, X_u), \text{MAC}_{K_{\text{grp}}}(\text{ID}_u, t_Q, X_u)\}, \quad (9)$$

where $t_Q$ is the timestamp and its value is the time when the query-msg is broadcast by the duty node, $K_{\text{grp}}$ is the group key shared among the sending node and its neighborhood, and $X_u$ is the $X$ coordinate of node $u$ on the elliptic curve $E/F_p$. Since $H(\text{ID}_u) = (X_u, Y_u)$ is a point of $E/F_p$, only one of the $X_u$ and $Y_u$ coordinates needs to be transmitted, and the other can be easily derived using the curve equation.

(2) Reply Query Message

(i) For Tag-Node. We assume that tag-nodes and common nodes are loosely synchronized. Every tag-node periodically monitors the query-msg for a specific time interval $\Delta_m$, called the monitoring slot. Each monitoring period is called a monitoring round. Upon receiving a query-msg from a duty node $u$, a tag-node $v$ performs the following operations.

(I) Calculate $Y_u$ using $X_u$ and the curve, and then calculate the IBC key $\text{IK}_u = k(X_u, Y_u) \in G_a$ using $(X_u, Y_u)$ and the network master secret $k$.

(II) Check the first MAC in (9): calculate $\text{MAC}' = h_{\text{IK}_u}(\text{ID}_u \,\|\, t_Q \,\|\, X_u)$ and compare whether the received corresponding MAC is the same as $\text{MAC}'$. If the MAC is verified, it puts $\text{ID}_u$ into a candidate reply-list and stops receiving the query-msg in the current monitoring slot; otherwise, it ignores the query-msg.


(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply to. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$\text{reply-msg} = \{\text{ID}_u, \text{id}^{(*)}_{v\text{-bs}}, \text{id}_u, E_{K_{v\text{-bs}}}(\text{TID}_v, t, \text{others1}), \text{MAC}_{K_{v\text{-bs}}}(\text{DATA1}), \text{MAC}_{\text{IK}_u}(\text{DATA2})\}, \quad (10)$$

$$\text{id}_u = h(\text{IK}_u \,\|\, t_Q), \quad (11)$$

$$\text{DATA1} = \{\text{id}^{(*)}_{v\text{-bs}}, E_{K_{v\text{-bs}}}(\text{TID}_v, t, \text{others1})\}, \quad (12)$$

$$\text{DATA2} = \{\text{ID}_u, \text{id}_u, E_{K_{v\text{-bs}}}(\text{TID}_v, t, \text{others1})\}, \quad (13)$$

$$\text{collectInfo} = \text{DATA1} \,\|\, \text{MAC}_{K_{v\text{-bs}}}(\text{DATA1}), \quad (14)$$

where $\text{id}^{(*)}_{v\text{-bs}}$ is the pseudonym shared between tag-node $v$ and the sink node, $\text{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply to, it sends a reply-msg to node $u$. Note that token nodes do not perform operations (I) and (II) as a tag-node does. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \{\text{ID}_u, \text{id}^{(*)}_{w\text{-next}}, \text{id}^{(*)}_{wu}, E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2}), \text{MAC}_{K_{w\text{-next}}}(\text{DATA1}), \text{MAC}_{K_{wu}}(\text{DATA2})\}, \quad (15)$$

$$\text{DATA1} = \{\text{id}^{(*)}_{w\text{-next}}, E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2})\}, \quad (16)$$

$$\text{DATA2} = \{\text{ID}_u, \text{id}^{(*)}_{wu}, E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2})\}, \quad (17)$$

where $\text{id}^{(*)}_{w\text{-next}}$ and $K_{w\text{-next}}$ are the pseudonym and key shared between token node $w$ and the next round's token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself); $\text{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively; and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round's token node.

(3) Generate and Forward Event Report Message. Due to the different schemes used by tag-nodes and token nodes to generate pseudonyms, as shown in (11) and (8), a query node which receives a reply-msg can know whether the message is sent from a tag-node or a token node. Therefore, the query node can check the MAC using the corresponding key. Upon receiving a reply-msg from a tag-node $v$ or a token node $w$, a query node $u$ first checks the corresponding MAC. If the corresponding MAC is verified, it generates an event report (rpt-msg) and forwards the rpt-msg to the duty node closest to the sink node in its communication range.

Query node $u$ forwards the following real rpt-msg to the chosen next hop node (nextHop) if it receives a verified reply-msg from tag-node $v$:

$$\text{rpt-msg} = \{\text{ID}_u, \text{ID}_{\text{nextHop}}, t_{\text{rs}}, \text{ID}_{\text{rs}}, E_{K_{\text{rs-bs}}}(\text{collectInfo}), \text{MAC}_{K_{u\text{-nextHop}}}(\text{DATA})\}, \quad (18)$$

$$\text{DATA} = \{\text{ID}_u, \text{ID}_{\text{nextHop}}, t_{\text{rs}}, \text{ID}_{\text{rs}}, E_{K_{\text{rs-bs}}}(\text{collectInfo})\}, \quad (19)$$

where $\text{ID}_{\text{rs}}$ is the ID of the reporter source, that is, the first reporter node, and in this case its tag-node $u$; $t_{\text{rs}}$ is the sending timestamp from the reporter source; and collectInfo is shown in (14).

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \{\text{ID}_u, \text{ID}_{\text{nextHop}}, t_{\text{rs}}, \text{ID}_{\text{rs}}, \text{rdmDATA}, \text{MAC}_{K_{u\text{-nextHop}}}(\text{DATA})\}, \quad (20)$$

$$\text{DATA} = \{\text{ID}_u, \text{ID}_{\text{nextHop}}, t_{\text{rs}}, \text{ID}_{\text{rs}}, \text{rdmDATA}\}, \quad (21)$$

where rdmDATA is a random binary sequence whose length is chosen so that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will eventually reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field by decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\text{ID}_{\text{rs}}$ field in (18). Then it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node, if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can eventually obtain the interesting information about the monitored objects.


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of the identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\text{id}^{(*)}_{v\text{-bs}}$ and $\text{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-bs}}$ and $K_{w\text{-next}}$ to generate the corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $\text{IK}_u$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\text{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\text{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\text{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of the next round. This not only guarantees that tag-nodes reply to the query messages confidentially but also guarantees that token nodes pass tokens confidentially.

$$\text{id}^{(*)}_{v\text{-bs}} = h(K_{v\text{-bs}} \,\|\, \text{id}^{(*-1)}_{v\text{-bs}}) \quad (22)$$

$$\text{id}^{(*)}_{w\text{-next}} = h(K_{w\text{-next}} \,\|\, \text{id}^{(*-1)}_{w\text{-next}}) \quad (23)$$

$$\text{id}^{(*)}_{wu} = h(K_{wu} \,\|\, \text{id}^{(*-1)}_{wu}) \quad (24)$$

However, using the pseudonym technique, we have to deal with the influence of pseudonym collision, that is, more than one node having the same pseudonym, because the hash function may generate the same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{\text{bit}}/2}$, where $n_{\text{bit}}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, the collision probability is 2.3e-10, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply to query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages by encrypting their contents using the secret pairwise keys $K_{v\text{-bs}}$, $K_{w\text{-next}}$, and $K_{\text{rs-bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes by using the corresponding keys, such as $\text{IK}_u$ and $K_{\text{grp}}$, to check the first MAC, $\text{MAC}^{(1)}$, and the second MAC, $\text{MAC}^{(2)}$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance of blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23).

$$\text{MAC}^{(1)} = h_{\text{IK}_u}(\text{ID}_u \,\|\, t_Q \,\|\, X_u) \quad (25)$$

$$\text{MAC}^{(2)} = h_{K_{\text{grp}}}(\text{ID}_u \,\|\, t_Q \,\|\, X_u) \quad (26)$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{\text{self}}$ as in (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replayed message, and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Otherwise, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\text{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not by comparing the pseudonym field $\text{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not by comparing the pseudonym field $\text{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh.

$$\Delta_t = |t_Q - t_{\text{self}}| \quad (27)$$
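The pseudonym chain of (7), (8), and (11) and the freshness-then-MAC check of (25) and (27), as an added example in Python (not code from the paper). Assumptions of this example: the keyed hash $h_K$ is HMAC-SHA1 truncated to 4 bytes, pseudonyms are SHA-1 outputs truncated to 8 bytes, $\text{IK}_u$ is an opaque constructed byte string standing in for the elliptic-curve key, and all names and sample values are made up for illustration.

```python
import hashlib
import hmac
import struct

PSEUDONYM_LEN = 8   # bytes, the pseudonym size used in Section 5.3.4
MAC_LEN = 4         # bytes, the MAC size used in Section 5.3.4


def h(*parts):
    """Hash h over the concatenation of its inputs (SHA-1, the paper's example)."""
    return hashlib.sha1(b"".join(parts)).digest()


def first_pseudonym(key, v_rdm):
    """Equation (7): first pseudonym from the shared key and a random value."""
    return h(key, v_rdm)[:PSEUDONYM_LEN]


def next_pseudonym(key, previous):
    """Equation (8): each pseudonym is the keyed hash of the one before it."""
    return h(key, previous)[:PSEUDONYM_LEN]


def tag_reply_pseudonym(ik_u, t_q):
    """Equation (11): id_u binds a tag-node's reply to the query timestamp."""
    return h(ik_u, struct.pack(">I", t_q))[:PSEUDONYM_LEN]


def query_mac(key, id_u, t_q, x_u):
    """Equations (25)/(26). Assumption: the keyed hash is HMAC-SHA1 cut to 4 bytes."""
    body = struct.pack(">HI", id_u, t_q) + x_u
    return hmac.new(key, body, hashlib.sha1).digest()[:MAC_LEN]


def check_query(ik_u, id_u, t_q, x_u, mac1, t_self, dt_fresh):
    """Tag-node side: freshness test (27) first, then the first MAC of (9)."""
    if abs(t_q - t_self) > dt_fresh:
        return "stale"
    if not hmac.compare_digest(query_mac(ik_u, id_u, t_q, x_u), mac1):
        return "forged"
    return "fresh"


def classify_reply(pseudonym, ik_u, t_q, token_links):
    """Query-node side: tell the sender type from the second pseudonym field.

    token_links maps a neighbour name to (K_wu, expected pseudonym). A match
    only selects which key the reply's MAC must then be checked with.
    """
    if hmac.compare_digest(pseudonym, tag_reply_pseudonym(ik_u, t_q)):
        return ("tag-node", None)
    for name, (_, expected) in token_links.items():
        if hmac.compare_digest(pseudonym, expected):
            return ("token-node", name)
    return ("unknown", None)


def advance(token_links, name):
    """After the MAC verifies, both ends step the chain with (8)."""
    key, current = token_links[name]
    token_links[name] = (key, next_pseudonym(key, current))


# Constructed sample values (not from the paper).
IK_U = bytes.fromhex("11" * 20)   # stands in for the IBC key k*H(ID_u)
K_WU = bytes.fromhex("22" * 16)   # pairwise key between token node w and query node u
X_U = bytes(64)                   # placeholder for the 64-byte X coordinate
V_RDM = b"constructed-seed"


def demo():
    t_q = 1000
    mac1 = query_mac(IK_U, 7, t_q, X_U)
    wrong = bytes(b ^ 0xFF for b in mac1)
    out = {
        "in_window": check_query(IK_U, 7, t_q, X_U, mac1, t_self=1002, dt_fresh=5),
        "replayed": check_query(IK_U, 7, t_q, X_U, mac1, t_self=1060, dt_fresh=5),
        "bad_mac": check_query(IK_U, 7, t_q, X_U, wrong, t_self=1002, dt_fresh=5),
    }
    links = {"w": (K_WU, first_pseudonym(K_WU, V_RDM))}
    token_id = links["w"][1]
    tag_id = tag_reply_pseudonym(IK_U, t_q)
    out["tag"] = classify_reply(tag_id, IK_U, t_q, links)
    out["token"] = classify_reply(token_id, IK_U, t_q, links)
    advance(links, "w")
    out["token_replay"] = classify_reply(token_id, IK_U, t_q, links)
    out["tag_replay"] = classify_reply(tag_id, IK_U, t_q + 30, links)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A reply captured in one round no longer matches in the next: the token-node pseudonym has moved one step along the chain, and the tag-node pseudonym is tied to the old $t_Q$.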

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as in [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$b = \log_2 \frac{M + L}{M}. \quad (28)$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section, we provide the packet format and length for each type of message. According to the IEEE 802.15.4 frame format [39], each packet includes 9 bytes of constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of message in both our schemes and SS includes the 9 bytes of constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte $X$ coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes, which may be sufficient for most applications. A 64-byte $X$ coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\text{len}_{\text{query-msg}}$. So we have $\text{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MAC fields. We assume that the encryption function is implemented using AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\text{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\text{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC, in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal is $\text{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MAC fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\text{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg is $\text{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\text{len}_{\text{rpt-msg-iss/ss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead.

(1) In the broadcasting query-msg phase, duty nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the mutual interference caused by broadcasting query-msgs and replying to query-msgs, we can transmit them on two different channels. Therefore, the number of query-msgs broadcast, $N_{\text{Tx-qry-msg}}$, in the network will be equal to the number of the duty nodes; the number of query-msgs received, $N_{\text{Rx-qry-msg}}$, in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$.

(2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted, $N_{\text{Tx-rpl-msg}}$, in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of reply-msgs received, $N_{\text{Rx-rpl-msg}}$, in the network will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$.

(3) In the sending rpt-msgs phase, the chosen duty nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\text{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the numbers of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\text{hop}_{\text{avg}}$.

Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

$$\begin{aligned} E_{\text{Tx-GBP}} &= (N_{\text{Tx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}})\,E_{\text{Tx}} \\ &= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55, \end{aligned} \quad (29)$$

$$\begin{aligned} E_{\text{Rx-GBP}} &= (N_{\text{Rx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}})\,E_{\text{Rx}} \\ &= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55. \end{aligned} \quad (30)$$

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead.

(1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively.

(2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes' neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^2$, respectively.

(3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\text{hop}_{\text{avg}}$.

Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

$$\begin{aligned} E_{\text{Tx-ISS}} &= (N_{\text{Tx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-iss/ss}})\,E_{\text{Tx}} \\ &= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39, \end{aligned} \quad (31)$$

$$\begin{aligned} E_{\text{Rx-ISS}} &= (N_{\text{Rx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-iss/ss}})\,E_{\text{Rx}} \\ &= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 55 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39. \end{aligned} \quad (32)$$

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. Both the transmitting event-trigger-signal phase and the sending token-pass-msg phase are similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of rpt-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{33}
$$


Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

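$$
\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{34}
$$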

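According to (29), (31), and (33), we can derive

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\text{hop}_{\text{avg}} - 55\,\rho_{\text{node}}\right) \right]
\tag{35}
$$

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\text{hop}_{\text{avg}} - 35\,\rho_{\text{node}} - 39\,\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right) \right]
\tag{36}
$$

$$
E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M) \left(20\,\rho_{\text{node}} + 39\,\text{hop}_{\text{avg}} - 39\,\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right)
\tag{37}
$$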

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \text{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ | $(L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ |

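Similarly, according to (30), (32), and (34), we can derive

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\,\rho_{\text{node}} + 16\,\text{hop}_{\text{avg}} - 55\,\rho_{\text{node}}^{2}\right)
\tag{38}
$$

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\,\rho_{\text{node}} + 55\,\text{hop}_{\text{avg}} - 35\,\rho_{\text{node}}^{2} - 39\,\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right)
\tag{39}
$$

$$
E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\,\rho_{\text{node}}^{2} + 39\,\text{hop}_{\text{avg}} - 39\,\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right)
\tag{40}
$$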

In (38), if

$$
\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\text{hop}_{\text{avg}}\right)}}{110}
\tag{41}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where $= (39\,\text{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

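In (40), if

$$
\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\text{hop}_{\text{avg}} - \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^{2} - 3120\,\text{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\text{hop}_{\text{avg}} + \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^{2} - 3120\,\text{hop}_{\text{avg}}}}{40}
\end{aligned}
\tag{43}
$$

with $\text{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.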


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
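The traffic model of Tables 2 to 4, the density bounds (41) to (43) and the tag-node energy budget of Section 6.1.3 can be checked numerically with the following added Python example, which is not the authors' code. The message lengths and per-byte energies are the figures quoted in the text; the function names and the sample values of L + M, hop_avg and the grid size are assumptions.

```python
import math

# Message lengths in bytes, as they appear in (29)-(34).
MSG_LEN = {
    "GBP": {"query-msg": 87, "reply-msg": 49, "rpt-msg": 55},
    "ISS": {"event-trigger-signal": 17, "token-pass-msg": 55, "rpt-msg": 39},
    "SS": {"event-trigger-signal": 17, "token-pass-msg": 35, "rpt-msg": 39},
}
E_TX_UJ = 5.76    # CC2420, microjoules to transmit one byte (Section 6.1.3)
E_RX_UJ = 6.48    # CC2420, microjoules to receive one byte
E_ECC_MJ = 17.0   # ECC-160 scalar point multiplication, millijoules


def message_counts(scheme, lm, rho, hop, cells=0):
    """(Tx, Rx) message counts per type from Tables 2-4.

    lm = L + M, rho = rho_node, hop = hop_avg, cells = n_row * n_clm (GBP only).
    """
    if scheme == "GBP":
        return {"query-msg": (cells, lm),
                "reply-msg": (lm, lm * rho),
                "rpt-msg": (lm * hop, lm * hop)}
    # ISS: one reporter per signal. SS: every node that hears the signal reports.
    rpt = lm * hop if scheme == "ISS" else lm * rho * hop
    return {"event-trigger-signal": (lm, lm * rho),
            "token-pass-msg": (lm * rho, lm * rho ** 2),
            "rpt-msg": (rpt, rpt)}


def traffic_bytes(scheme, lm, rho, hop, cells=0):
    """Total (Tx, Rx) bytes, i.e. the bracketed sums of (29)-(34)."""
    counts = message_counts(scheme, lm, rho, hop, cells)
    tx = sum(n_tx * MSG_LEN[scheme][m] for m, (n_tx, _) in counts.items())
    rx = sum(n_rx * MSG_LEN[scheme][m] for m, (_, n_rx) in counts.items())
    return tx, rx


def energy_joules(scheme, lm, rho, hop, cells=0):
    """(E_Tx-scheme, E_Rx-scheme) in joules with the CC2420 per-byte costs."""
    tx, rx = traffic_bytes(scheme, lm, rho, hop, cells)
    return tx * E_TX_UJ * 1e-6, rx * E_RX_UJ * 1e-6


def rho_min_gbp_vs_iss(hop):
    """Bound (41): densities at or above it give E_Rx-GBP <= E_Rx-ISS."""
    return (32 + math.sqrt(1024 + 220 * (87 + 16 * hop))) / 110


def rho_min_gbp_vs_ss(hop):
    """Bound (42): densities at or above it give E_Rx-GBP <= E_Rx-SS."""
    a = 39 * hop - 32   # local name (assumption) for the (39 hop_avg - 32) term
    return (-a + math.sqrt(a * a + 140 * (87 + 55 * hop))) / 70


def rho_window_iss_vs_ss(hop):
    """Interval (43) where E_Rx-ISS <= E_Rx-SS, or None if it is empty."""
    disc = (39 * hop) ** 2 - 3120 * hop
    if disc < 0:        # no real roots, e.g. hop_avg = 2
        return None
    root = math.sqrt(disc)
    return (39 * hop - root) / 40, (39 * hop + root) / 40


def tag_node_budget(queries_per_day=24 * 60, battery_j=18720.0):
    """Per-query energy (mJ), per-day energy (J) and lifetime (days) of a tag-node."""
    per_query_mj = E_ECC_MJ + (87 * E_RX_UJ + 49 * E_TX_UJ) / 1000.0
    per_day_j = queries_per_day * per_query_mj / 1000.0
    return per_query_mj, per_day_j, battery_j / per_day_j


if __name__ == "__main__":
    # Constructed operating point: L + M = 16, 20 x 20 grid, hop_avg = 10;
    # rho_node = 47 is the neighbour count of the simulation setup.
    for scheme in ("GBP", "ISS", "SS"):
        tx_j, rx_j = energy_joules(scheme, lm=16, rho=47, hop=10, cells=400)
        print(f"{scheme}: Tx {tx_j:.4f} J, Rx {rx_j:.4f} J")
    print("lifetime (days): %.0f" % tag_node_budget()[2])
```

At the simulated density of 47 neighbours, the density lies above the upper end of the interval (43), which matches the observation that SS receives less than ISS.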

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

Figure 6: Communication cost for transmitting messages of the network at different privacy levels. (Plot: x-axis, privacy in terms of number of bits (b), 1 to 10; y-axis, communication cost for transmitting messages (J); curves for GBP, ISS, and SS.)

Figure 7: Communication cost for receiving messages of the network at different privacy levels. (Plot: x-axis, privacy in terms of number of bits (b), 1 to 10; y-axis, communication cost for receiving messages (J); curves for GBP, ISS, and SS.)

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \text{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^{2})$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.

Figure 8: Total communication cost of the network at different privacy levels. (Plot: x-axis, privacy in terms of number of bits (b), 1 to 10; y-axis, communication cost (J); curves for GBP, ISS, and SS.)

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "A survey on sensor networks," IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, "A survey of applications of wireless sensors and wireless sensor networks," in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC '05 and MED '05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, "Wireless sensor networks and applications: a survey," International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, "Securing wireless sensor networks: a survey," IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, "Sensor network security: a survey," IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, "Enhancing source-location privacy in sensor network routing," in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS '05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, "Analysis of location privacy solutions in wireless sensor networks," IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.


[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, "Privacy preservation in wireless sensor networks: a state-of-the-art survey," Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, "Location privacy in sensor networks against a global eavesdropper," in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP '07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, "Protecting location privacy in sensor networks against a global eavesdropper," IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, "Towards statistically strong source anonymity for sensor networks," in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, "Source location anonymity for sensor networks," in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC '09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Statistical framework for source anonymity in sensor networks," in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM '10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Toward a statistical framework for source anonymity in sensor networks," IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, "Towards event source unobservability with minimum network traffic in sensor networks," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, "Maximizing lifetime of event-unobservable wireless sensor networks," Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, "Protecting source location privacy in wireless sensor networks with data aggregation," in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC '10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, "Source location privacy against laptop-class attacks in sensor networks," in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm '08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, "The quality of source location protection in globally attacked sensor networks," in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops '11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, "Source-location privacy in energy-constrained sensor network routing," in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, "Preserving source location privacy in monitoring-based wireless sensor networks," in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS '06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, "A source-location privacy protocol in WSN based on locational angle," in Proceedings of the IEEE International Conference on Communications (ICC '08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, "Preserving source-location privacy in energy-constrained wireless sensor networks," in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops '08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, "Privacy-aware routing in sensor networks," Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, "Providing source-location privacy in wireless sensor networks," in Proceedings of the International Conference on Wireless Algorithms, Systems and Applications (WASA '09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, "Preserving source-location privacy in wireless sensor networks," in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, "Quantitative measurement and design of source-location privacy schemes for wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, "Entrapping adversaries for source protection in sensor networks," in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM '06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, "A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, "Geography-informed energy conservation for ad hoc routing," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM '01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, "Secure localization and authentication in ultra-wideband sensor networks," IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, "TPS: a time-based positioning scheme for outdoor wireless sensor networks," in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P '03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, "TinySec: a link layer security architecture for wireless sensor networks," in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys '04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] "The IEEE 802.15.4 standard (ver. 2006)," 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "Location-based compromise-tolerant security mechanisms for wireless sensor networks," IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, "An efficient location-based compromise-tolerant key management scheme for sensor networks," Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, "TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks," Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, "On the energy cost of communication and cryptography in wireless sensor networks," in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob '08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User's Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en.


Figure 1: Event report process of the ISS scheme. (Diagram: (1) emit a signal; 2(a) mimic pass token; 2(b) pass token; (3) generate event report. Legend: common node, reporter source, eavesdropping node, tag-node, token node, sink.)

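$$
\begin{aligned}
\text{MAC1} &= \text{MAC}_{K_{\text{next}}}(\text{DATA3}) \\
\text{MAC2} &= \text{MAC}_{K_{\text{grp}}}(\text{DATA3}) \\
\text{DATA3} &= \text{ID}_{S} \;\; t_{s} \;\; E_{K_{\text{next}}}(\text{DATA1}) \;\; E_{K_{\text{grp}}}(\text{DATA2})
\end{aligned}
\tag{1}
$$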

where $\text{ID}_{S}$ is the identifier (ID) of the sending node; $t_{s}$ is a timestamp used to distinguish different events and to provide freshness service, and its value is the sending delay plus the time when the event-trigger-signal is emitted; token-ID is the token identifier of the token node; chose-report-ID is the ID of the node which is selected by the token node to generate the event report with the shortest distance to the sink node; $K_{\text{next}}$ is the pairwise key between the token node and the one in the next round, which is selected by the token node in its neighborhood (including itself); $K_{\text{grp}}$ is the group key shared among the sending node and its neighborhood; $E_{K}(\text{DATA})$ is the ciphertext of DATA encrypted with key $K$; and $\text{MAC}_{K}(\text{DATA})$ is the message authentication code (MAC) of DATA computed by using key $K$.

Upon detecting the event-trigger-signal, the candidate reporter source also sets a timer, called timer-for-token-passing, with value $T_{\text{tk}} \in (0, \Delta_{\text{tk}})$. When the timer expires, the candidate reporter source broadcasts a fake token-pass-msg as follows:

$$
\text{token-pass-msg} = \text{ID}_{S} \;\; t_{d} \;\; \text{randomDATA}
\tag{2}
$$

where $t_{d}$ is a timestamp to distinguish different events, and its value is the time when the event-trigger-signal is detected by it; randomDATA is a random binary sequence code, and its length should satisfy the fact that all token-pass-msgs have the same length, to prevent the adversary from distinguishing the real token-pass-msg from the fake token-pass-msg via packet length. Note that, as the transmission delay is negligible (for example, transmitting one bit of information to 50 m distance only needs 0.17 μs), for the same event the difference between $t_{d}$ and $t_{s}$ is equal to the error of synchronized clocks. Therefore, we can distinguish different events via comparing the time field in the token-pass-msgs.

Upon receiving a token-pass-msg, the node $\text{ID}_{i}$ first checks the MAC2 using the shared group key $K_{\text{grp}}$ with the sending node $\text{ID}_{s}$. If the MAC2 is verified, it sets a flag called report-flag as true, decrypts the corresponding encrypted field using the shared group key, and checks the MAC1 using the pairwise key $K_{\text{next}}$ with node $\text{ID}_{s}$. If chose-report-ID = $\text{ID}_{i}$, it sets a flag called generate-flag as true. If the MAC1 is verified, it decrypts the corresponding encrypted field using the pairwise key $K_{\text{next}}$, records the token-ID, and sets itself as the token node of the next round.

(3) Generate and Send Event Reports. When the token-pass-slot is over, the token node and the candidate reporter sources generate and send event reports according to the following situations.

(i) If the generate-flag of the node $\text{ID}_{i}$ is true, it means that (1) the event-trigger-signal is emitted by a token node and (2) it is selected by a token node to generate the event report. It generates a fake event report and delivers it to the sink node through an established routing path using the pairwise key between them.

(ii) If the report-flag of the node $\text{ID}_{i}$ is false, it means that the event-trigger-signal is emitted by a tag-node. If it also does not receive any token-pass-msg for the same event from a node closer to the sink node, it generates a real event report and delivers it to the sink node through an established routing path using the pairwise key between them.

Compared with the source simulation method in [9, 10], the ISS method has two main advantages. (1) Candidate report sources can distinguish real events from fake events by authenticating token-pass-msgs. (2) Only one node generates an event report for each event-trigger-signal, and the amount of network traffic can be reduced largely.
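The token-pass-msg handling and the report decision described above, as an added Python example that is not the authors' code. It assumes the message is DATA3 followed by MAC1 and MAC2, with DATA1 = token-ID and DATA2 = chose-report-ID; the field widths, the truncated HMAC-SHA256 used as the MAC, the XOR keystream standing in for E_K, and the `heard_closer_node` flag are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 8                       # truncated MAC size in bytes (assumption)
HDR = struct.Struct("!HI")        # ID_S (2 bytes) and time field (4 bytes), assumed widths
FIELD = struct.Struct("!H")       # token-ID / chose-report-ID, assumed 2 bytes each
REAL_LEN = HDR.size + 2 * FIELD.size + 2 * MAC_LEN


def subkey(key, label):
    """Separate encryption and MAC keys derived from one shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def mac(key, data):
    return hmac.new(subkey(key, b"mac"), data, hashlib.sha256).digest()[:MAC_LEN]


def xor_cipher(key, nonce, data):
    """Stand-in for E_K: XOR with an HMAC-derived keystream; it is its own inverse."""
    stream = hmac.new(subkey(key, b"enc"), nonce, hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(data, stream))


def real_token_pass_msg(sender_id, t_s, token_id, chosen_id, k_next, k_grp):
    """DATA3 followed by MAC1 (pairwise key) and MAC2 (group key)."""
    hdr = HDR.pack(sender_id, t_s)
    data3 = (hdr + xor_cipher(k_next, hdr, FIELD.pack(token_id))
             + xor_cipher(k_grp, hdr, FIELD.pack(chosen_id)))
    return data3 + mac(k_next, data3) + mac(k_grp, data3)


def fake_token_pass_msg(sender_id, t_d):
    """Candidate reporter's cover message: random padding up to the real length."""
    hdr = HDR.pack(sender_id, t_d)
    return hdr + os.urandom(REAL_LEN - len(hdr))


class Node:
    def __init__(self, node_id, group_keys, pairwise_keys):
        self.node_id = node_id
        self.group_keys = group_keys        # {neighbour ID: K_grp of that neighbour}
        self.pairwise_keys = pairwise_keys  # {neighbour ID: pairwise key}
        self.report_flag = False
        self.generate_flag = False
        self.token_id = None                # set when this node is the next token node

    def on_token_pass_msg(self, msg):
        if len(msg) != REAL_LEN:
            return
        data3, mac1, mac2 = msg[:-2 * MAC_LEN], msg[-2 * MAC_LEN:-MAC_LEN], msg[-MAC_LEN:]
        hdr = data3[:HDR.size]
        sender_id, _time = HDR.unpack(hdr)
        k_grp = self.group_keys.get(sender_id)
        if k_grp is None or not hmac.compare_digest(mac2, mac(k_grp, data3)):
            return                          # fake or foreign message: flags unchanged
        self.report_flag = True             # the signal came from a token node
        enc1 = data3[HDR.size:HDR.size + FIELD.size]
        enc2 = data3[HDR.size + FIELD.size:]
        (chosen_id,) = FIELD.unpack(xor_cipher(k_grp, hdr, enc2))
        if chosen_id == self.node_id:
            self.generate_flag = True
        k_next = self.pairwise_keys.get(sender_id)
        if k_next is not None and hmac.compare_digest(mac1, mac(k_next, data3)):
            (self.token_id,) = FIELD.unpack(xor_cipher(k_next, hdr, enc1))

    def report_decision(self, heard_closer_node=False):
        """What to send when the token-pass-slot is over: 'fake', 'real' or None."""
        if self.generate_flag:
            return "fake"
        if not self.report_flag and not heard_closer_node:
            return "real"
        return None


def demo():
    """Constructed neighbourhood: token node 7, next token node 11, reporter 12."""
    k_grp7, k_grp12 = os.urandom(16), os.urandom(16)
    k_7_11, k_7_12 = os.urandom(16), os.urandom(16)
    n11 = Node(11, {7: k_grp7}, {7: k_7_11})
    n12 = Node(12, {7: k_grp7}, {7: k_7_12})
    n13 = Node(13, {7: k_grp7, 12: k_grp12}, {})
    real = real_token_pass_msg(7, 1000, token_id=99, chosen_id=12,
                               k_next=k_7_11, k_grp=k_grp7)
    for node in (n11, n12):
        node.on_token_pass_msg(real)
    n13.on_token_pass_msg(fake_token_pass_msg(12, 2000))   # tag-node event near node 13
    return real, n11, n12, n13
```

The XOR keystream only keeps the example inside the standard library; a deployment would use an authenticated cipher and never reuse a sender and time-field pair under one key.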

4. UPHGM and Problem Formalization

Although prior work for protecting the DSLP against a global adversary was mainly based on the PHGM described in section one, only the SS method in [9, 10] considered reporter sources to generate real event reports depending on event-trigger-signals. It is more realistic than the assumption that nodes of the protected network can sense the monitored objects while the adversary cannot. In practice, directly recognizing an object is a very challenging work due to the difficulty of distinguishing the physical features of the objects from background noises [10]. In this section, we will present an updated-panda-hunter game model (UPHGM). We also assume that every monitored object is equipped with a sensor node to emit signals which can be detected by nodes in the network, as in [9, 10]. The UPHGM includes a network model and an attack model.

Figure 2: The considered network architecture. (Diagram legend: sink, common node, reporter source, eavesdropping node, tag-node, relay-node.)

4.1. Network Model. We assume that a homogeneous WSN, called obj-WSN, is deployed by an organization to monitor specific objects such as giant pandas, as shown in Figure 2. The obj-WSN consists of $N$ common nodes and one sink node. All of the common nodes have roughly the same resources. Each common node $u$ has a unique node identifier ($\text{ID}_{u}$) and knows its own location. The communication radius of every common node is $R$. Since directly recognizing the object is very difficult, in order to avoid directly sensing the objects, every monitored object is embedded with a sensor node, that is, a tag-node, to emit event-trigger-signals, called Object-msg. A reporter source which receives an Object-msg will generate a real event report and transmit it to the sink node according to a chosen route mechanism. The communication radius of every tag-node is $r$. To distinguish different objects, each tag-node $v$ also has a unique tag identifier ($\text{TID}_{v}$). Each Object-msg contains the TID of the tag-node and other information of interest (interest-info).

4.2. Attack Model. We assume that the adversary has his/her own sensor network deployed in the same area, as shown in Figure 2, to monitor the global network traffic of the obj-WSN, as in [9, 10]. Note that the deployment time of the adversary's network is later than that of the obj-WSN. More specifically, we assume that when the infrastructure of secure communications of the obj-WSN has been established, then the adversary's network can be deployed. The adversary can monitor the whole network traffic, including the Object-msgs emitted by tag-nodes. Knowing a global view of the network traffic, the adversary can easily deduce where the objects are moving around. For example, an object is very likely close to tag-nodes and reporter sources. We do not consider the situations in which the monitored objects can be directly recognized by sensors. If that happens, then the adversary can launch the direct sensing attack, and no defense mechanism can protect the location privacy of the monitored objects.

In addition, the adversary has the following characteristics.

(1) To appropriately study privacy, we apply Kerckhoffs's principle [30]. We assume that the adversary knows the communication protocols and defense mechanisms of the obj-WSN. Each eavesdropping node knows its own location, as shown in Figure 2.

(2) To be invisible from obj-WSN, the adversary considered in this paper may launch only passive attacks and avoid active attacks, as in [9, 10]. However, since the network may also be attacked by other adversaries with different attack aims, we also need to prevent them from launching some active attacks, such as injecting bogus data, by utilizing the security weaknesses of the defense mechanisms.

4.3. Distinction from the PHGM. The main difference between UPHGM and PHGM is that the former considers the Object-msg containing the TID of the tag-node and other interest-info, which is more suitable for many practical applications. For example, for multiobject monitoring applications, if Object-msg contains no information of a monitored object and is only used to trigger event detection, a reporter source cannot generate an accurate event report for the corresponding object because it does not know which tag-node emits the received Object-msg. And for many applications, we may want to know the state information or health characteristic information about monitored objects. Therefore, the UPHGM is more realistic and effective than the PHGM for many applications to monitor multiobjects.

Compared with the PHGM, the UPHGM yields a new problem which needs to be solved, that is, how to forward Object-msgs to the sink node securely while providing location privacy to tag-nodes and reporter sources under a global adversary. Prior work only considered the location privacy of reporter sources and ignored the location privacy of tag-nodes. Although reporter sources can use the established pairwise keys to communicate with common nodes securely, tag-nodes are mobile and resource constrained, so they cannot first establish pairwise keys with all common nodes in the network and then use the corresponding keys to communicate with the corresponding nodes securely. Therefore, secure and effective protocols have to be designed to implement the secure communications between tag-nodes and reporter sources while providing their location privacy.

4.4. Formal Model. The problem $\Omega$ for protecting the source location privacy against a global adversary in WSNs can be represented by an eight-tuple $(O, \mathrm{Net}_O, \mathrm{Net}_A, D, C_D, A, S_A, b)$, where one has the following.

(1) $O$ is the set of monitored objects. We assume that the size of $O$ is $M$. Every monitored object can move around in the deployment area.

(2) $\mathrm{Net}_O$ is the monitoring network deployed by a valid organization, such as the obj-WSN.

(3) $\mathrm{Net}_A$ is the hunting network deployed by an adversary to eavesdrop on the network transmissions of $\mathrm{Net}_O$.

(4) $D$ is the set of defense strategies to protect the source location privacy.

(5) $C_D$ is the cost of defense strategies, mainly consisting of energy cost.

(6) $A$ is the set of attack strategies to infer the locations of monitored objects.

(7) $S_A$ is the set of candidate objects in whose range the adversary expects to find the monitored objects.

(8) $b$ is the level of privacy in terms of bits. It is defined as [9, 10]

$$b = -\sum_{|S_A|} \frac{1}{|S_A|} \log_2 \frac{|O|}{|S_A|} = \log_2 \frac{|S_A|}{M}, \qquad (3)$$

where $|S_A|$ and $|O|$ are the size of $S_A$ and $O$, respectively.

Given the level of privacy $b$, our goal is to achieve it with minimum defense overhead $C_D$.

5. Grid-Based Pull (GBP) Scheme under the UPHGM

As we have pointed out in Section 4, the UPHGM is more realistic than the PHGM and is suitable to monitor multiobjects accurately. However, there are still more challenges. In this section, we will propose a grid-based pull scheme to protect the DSLP under the UPHGM by combining a light-weight security object collection scheme with an effective grid partition method. It includes selecting the communication scheme and determining the grid size. Its implementation is then presented.

5.1. Selecting Communication Scheme. The first main challenge is to effectively authenticate and communicate between a mobile tag-node and each potential communication node in the network. There are two kinds of communication schemes: push scheme and pull scheme. For the push scheme, each tag-node broadcasts Object-msg periodically. As the tag-nodes are mobile, every node in the network has to be able to authenticate each tag-node. For the pull scheme, the query nodes broadcast query messages periodically. In this case, each tag-node must be able to authenticate every node in the network.

Compared with the push scheme, the pull scheme is more secure to solve our problem. For the push scheme, if any node is compromised by the adversary, he or she can obtain the secret information, such as secure keys, stored in a compromised node and then upload the obtained secret information to every eavesdropping node. As a result, when any tag-node broadcasts an Object-msg, eavesdropping nodes can authenticate the message and recognize the monitored object. For the pull scheme, if any node is compromised by the adversary to launch the stealthy attacks, he or she shall not broadcast query messages using the obtained secure information. If he or she does so, then it is very likely to expose the eavesdropping nodes to the obj-WSN and to trigger alarms. Only in this situation, when a monitored object lies in the communication range of the compromised node and the compromised node is just the query node, the location of the monitored object is exposed to the adversary without triggering alarms. Therefore, as shown in Table 1, considering security, we should select the pull scheme.

Table 1: Comparison of communication schemes.

| Scheme | Reporting way of tag-nodes | Authentication requirement | Resistance to node compromise |
|---|---|---|---|
| Push | Active broadcast | Each sensor node is able to authenticate all tag-nodes | Single-point failure |
| Pull | Passive reply | Each tag-node is able to authenticate all sensor nodes | Only tag-nodes nearby the compromised nodes probably fail |

However, due to resource constraints, for example, the storage resource, in order to let a tag-node be able to authenticate every node in the network, obviously we cannot select symmetric approaches, which require the tag-node to store a large number of pairwise keys. Hence, for storage efficiency, we should adopt an asymmetric authentication approach. Considering the asymmetric feature between tag-nodes and common nodes in the obj-WSN, we design an authentication approach based on the identity-based cryptography (IBC), which will be described in Section 5.3.

5.2. Determining Grid Size. The second problem we consider is how to reduce the number of query nodes as much as possible while keeping the high quality tracing of the monitored objects. To reduce the number of query nodes, we divide the whole network area into a number of virtual grids. In each grid, a node, called duty node, is selected to collect information of the monitored objects. To balance energy load among nodes, each node can be responsible for collecting the information for a certain time interval in turn as duty node. Hence, the second problem can be translated into the problem of how to determine the size of the virtual grid to satisfy both the query requirement and the connectivity requirement. The query requirement means that no matter where a tag-node is in the network, its relevant information can be detected by at least one query node. The connectivity requirement means that nodes in a grid are capable of communicating with those nodes in an adjacent grid.

On the one hand, to meet the query requirement, there should be at least one full grid in the circle with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, just as illustrated in Figure 3. Obviously, the smaller the size of the grid is, the more full grids are in the circle. To reduce the number of query nodes as much as possible, we need to determine the maximum size of the grid. We have derived the theoretical maximum size of the grid and have the following theorem.

Figure 3: Example of query requirement: in the communication range of the tag-node containing at least a full grid.

Theorem 1. To ensure that, no matter where a tag-node is in the network, there is at least one full grid in the circle $C_r$ with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, the maximum length $a$ of the grid is $r/\sqrt{2}$.

Proof. Firstly, we prove that there is at least one full grid in the circle $C_r$ when $a = r/\sqrt{2}$. We assume that the circle $C_r$ does not contain any full grid. Obviously, in this case, the center of the circle is at the common vertex of four grids most likely, as shown in Figure 4. In this case, the circle $C_r$ just contains four full grids, as shown in Figure 4. That is, the assumption does not hold. In other words, there is at least one full grid in the circle $C_r$.

Secondly, we prove that $a$ is the maximum length. We assume that the length $a^{*} = a + \varepsilon$ ($\varepsilon > 0$) also satisfies the requirement in the theorem. However, when the center of the circle is at the common vertex of four grids, the length of the diagonal line of one grid is $l_d = \sqrt{2}a^{*} = \sqrt{2}(a + \varepsilon) = \sqrt{2}(r/\sqrt{2} + \varepsilon) > r$, so the circle $C_r$ does not contain any full grid, which contradicts the assumption, as shown in Figure 4. That is, the assumption does not hold. This proves that $a$ is the maximum length.

On the other hand, according to [31], to satisfy the connectivity requirement, the length $a$ of the grid should satisfy $a \le R/\sqrt{5}$, where $R$ is the communication radius of every common node, as shown in Figure 5.

As the communication radius of the common node is usually not less than that of the tag-node, we assume that $R = \lambda r$, where $\lambda \ge 1$. Let $l$ be the length of the network. Define $m$ and $n$ by

$$m = \frac{l}{r/\sqrt{2}}, \qquad n = \frac{l}{R/\sqrt{5}}. \qquad (4)$$

Figure 4: Example of one tag-node at the common vertex of four grids (labels: $a$, $a^{*}$, $r$, $l_d > r$).

Figure 5: Example of connectivity requirement according to [31] (labels: $R$, $a$).

That is, $m$ and $n$ are the number of grids according to the above two dividing methods, respectively. Then, we have the following conclusions.

(i) If $m = n$, that is, $\lambda = \sqrt{2.5}$, the above two dividing methods are the same.

(ii) If $m > n$, that is, $\lambda > \sqrt{2.5}$, to satisfy the above two requirements, we should select the former dividing method.

(iii) If $m < n$, that is, $1 \le \lambda < \sqrt{2.5}$, to satisfy the above two requirements, we should select the latter dividing method.

5.3. Implementation of the Grid-Based Pull Scheme. In this subsection, we introduce the implementation of the grid-based pull scheme, including the predeployment phase, the grid formation phase, and the report collection phase.

5.3.1. Predeployment Phase. Before deploying the obj-WSN, we assume that a trusted authority (TA) does the following operations.


(1) Generate system parameters ($p$, $q$, $E/F_p$, and $G_a$), where $p$, $q$ are two large primes, $E/F_p$ indicates an elliptic curve $y^2 = x^3 + ax + b$ over the finite field $F_p$, and $G_a$ is a $q$-order subgroup of the additive group of points of $E/F_p$.

(2) Choose two hash functions: $H: \{0, 1\}^{*} \rightarrow G_a$, mapping strings to nonzero elements in $G_a$, and $h$, mapping arbitrary inputs to fixed-length outputs, for example, SHA-1 [32].

(3) Select a random element $k \in Z_q^{*} = \{x \mid 1 \le x \le q - 1\}$ as the network master secret.

(4) Calculate $H(\mathrm{ID}_u) = (X_u, Y_u)$ and the IBC key $\mathrm{IK}_u = kH(\mathrm{ID}_u) \in G_a$ for each common node $u$. Note that, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to obtain $k$ from any ($\mathrm{IK}_u$, $\mathrm{ID}_u$) pair.

(5) Randomly select $L$ common nodes as token nodes and preload each of them with a unique token ID.

Each common node $u$ is preloaded with the public system parameters ($p$, $q$, $E/F_p$, $G_a$, $H$, and $h$), its private key $\mathrm{IK}_u$, its public key $(X_u, Y_u)$, and a pairwise key with the sink node $K_{u\text{-bs}}$. Each tag-node $v$ is preloaded with the same public system parameters as each common node, the network master secret $k$, and a pairwise key with the sink node $K_{v\text{-bs}}$.

5.3.2. Grid Formation Phase. After deploying the obj-WSN, we assume that every common node can obtain its own location information using some localization methods, such as [33, 34]. Also, we assume that every common node can obtain the location information $(x_{\mathrm{bs}}, y_{\mathrm{bs}})$ of the sink node either via a preloading method or via a broadcasting method. The grid identifier $G_u = (g_{x\text{-}u}, g_{y\text{-}u})$ of node $u$ can be calculated using the following:

$$g_{x\text{-}u} = \left\lceil \frac{x_u - x_{\mathrm{bs}}}{a} \right\rceil, \qquad g_{y\text{-}u} = \left\lceil \frac{y_u - y_{\mathrm{bs}}}{a} \right\rceil, \qquad (5)$$

where $x_u$ and $y_u$ indicate the geographic location of node $u$ and $a$ is the side length of a grid, which is determined according to Section 5.2.

To form virtual grids, in the network initialization phase, each common node $i$ broadcasts a hello message (hello-msg) as follows:

$$\text{hello-msg} = \mathrm{ID}_i,\ x_i,\ y_i. \qquad (6)$$

Upon receiving the hello-msg from node $i$, the node $u$ first calculates the grid identifier $G_i$ of node $i$ using the $(x_i, y_i)$ information. If $G_i = G_u$, it then puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its same-grid table in descending order of ID number; otherwise, it puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its non-same-grid table in increasing order of distance to the sink node.

To avoid additional communication overhead caused by the duty node role rotation, we can stipulate the rotation order, for example, in descending (or increasing) order of ID number in each grid. Thus, each grid will have a duty node when the network initialization finishes, and also each node will rotate as duty node in a stipulated order.
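The grid sizing rule of Section 5.2 and the grid identifier and table construction of Section 5.3.2 can be checked numerically. The following Python code is an added example, not the authors' code; the function names and sample coordinates are constructed, and it goes slightly beyond the text by counting the full grids inside the tag-node's circle to test Theorem 1 at and just above $a = r/\sqrt{2}$.

```python
import math

def grid_side(r, R):
    """Largest grid side meeting both bounds from Section 5.2.

    Query requirement (Theorem 1): a <= r / sqrt(2).
    Connectivity requirement [31]:  a <= R / sqrt(5).
    """
    return min(r / math.sqrt(2), R / math.sqrt(5))

def grid_id(x, y, x_bs, y_bs, a):
    """Grid identifier of a node at (x, y), relative to the sink, as in (5)."""
    return (math.ceil((x - x_bs) / a), math.ceil((y - y_bs) / a))

def full_cells_in_circle(cx, cy, r, a):
    """Count grid cells (side a, grid lines through the origin) that lie
    entirely inside the circle of radius r centred on a tag-node at (cx, cy)."""
    tol = 1e-9 * r * r                      # absorbs float rounding at a = r/sqrt(2)
    count = 0
    for i in range(math.floor((cx - r) / a), math.floor((cx + r) / a) + 1):
        for j in range(math.floor((cy - r) / a), math.floor((cy + r) / a) + 1):
            corners = [(i * a, j * a), ((i + 1) * a, j * a),
                       (i * a, (j + 1) * a), ((i + 1) * a, (j + 1) * a)]
            # A square is inside the disc exactly when all four corners are.
            if all((x - cx) ** 2 + (y - cy) ** 2 <= r * r + tol for x, y in corners):
                count += 1
    return count

def build_tables(me, hellos, sink, a):
    """Sort received hello-msgs (ID, x, y) into the same-grid table
    (descending ID) and the non-same-grid table (increasing distance to sink)."""
    my_grid = grid_id(me[1], me[2], sink[0], sink[1], a)
    same, other = [], []
    for node in hellos:
        g = grid_id(node[1], node[2], sink[0], sink[1], a)
        (same if g == my_grid else other).append(node)
    same.sort(key=lambda n: n[0], reverse=True)
    other.sort(key=lambda n: math.hypot(n[1] - sink[0], n[2] - sink[1]))
    return same, other

def duty_rotation(me, same):
    """Duty-node order for this grid: descending ID, including the node itself."""
    return sorted([me[0]] + [n[0] for n in same], reverse=True)

# Constructed sample: sink at the origin, grid side 5, node 7 hears five neighbours.
SINK = (0.0, 0.0)
ME = (7, 6.0, 2.0)
HELLOS = [(3, 8.5, 4.0), (9, 9.9, 0.5), (4, 3.0, 1.0), (12, 11.0, 2.0), (5, 6.0, 7.0)]

if __name__ == "__main__":
    r = 10.0
    for R in (10.0, 20.0):                  # lambda = 1 and lambda = 2
        print("R =", R, "-> a =", round(grid_side(r, R), 3))
    a_max = r / math.sqrt(2)
    print("full cells, tag on a grid vertex, a = r/sqrt(2):",
          full_cells_in_circle(0, 0, r, a_max))
    print("full cells, same position, a 1% larger:",
          full_cells_in_circle(0, 0, r, 1.01 * a_max))
    same, other = build_tables(ME, HELLOS, SINK, 5.0)
    print("same-grid:", same, "non-same-grid:", other,
          "duty order:", duty_rotation(ME, same))
```

With $\lambda = 1$ the connectivity bound $R/\sqrt{5}$ is the binding one, and with $\lambda = 2$ the query bound $r/\sqrt{2}$ is, matching conclusions (ii) and (iii).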

5.3.3. Report Collection Phase. We assume that, in the network initialization phase, an effective key-based mechanism is adopted, such as [35–37]. That is, an infrastructure for secure communication has been established. To achieve anonymity, nodes may need to use pseudonyms to communicate with each other according to the requirement. We adopt the method in [29] to generate pseudonyms. Assuming two nodes $u$ and $v$ with a shared key $K_{uv}$, we can generate a sequence of pseudonyms using the hash function $h$ by iteratively hashing a random value $V_{\mathrm{rdm}}$ as follows:

$$\mathrm{id}^{(1)}_{uv} = h(K_{uv}, V_{\mathrm{rdm}}), \qquad (7)$$

$$\mathrm{id}^{(i)}_{uv} = h(K_{uv}, \mathrm{id}^{(i-1)}_{uv}). \qquad (8)$$

(1) Broadcast Query Message. After network initialization, every duty node $u$ periodically broadcasts a query message (query-msg) as follows:

$$\text{query-msg} = \mathrm{ID}_u,\ t_Q,\ X_u,\ \mathrm{MAC}_{\mathrm{IK}_u}(\mathrm{ID}_u, t_Q, X_u),\ \mathrm{MAC}_{K_{\mathrm{grp}}}(\mathrm{ID}_u, t_Q, X_u), \qquad (9)$$

where $t_Q$ is the timestamp and its value is the time when the query-msg is broadcast by the duty node, $K_{\mathrm{grp}}$ is the group key shared among the sending node and its neighborhood, and $X_u$ is the $X$ coordinate of the node $u$ on the elliptic curve $E/F_p$. Since $H(\mathrm{ID}_u) = (X_u, Y_u)$ is a point of $E/F_p$, only one of the $X_u$ and $Y_u$ coordinates needs to be transmitted, and the other can be easily derived using the curve equation.

(2) Reply Query Message

(i) For Tag-Node. We assume that tag-nodes and common nodes are loosely synchronized. Every tag-node periodically monitors the query-msg for a specific time interval $\Delta_m$, called monitoring slot. Each monitoring period is called a monitoring round. Upon receiving a query-msg from a duty node $u$, a tag-node $v$ performs the following operations.

(I) Calculate $Y_u$ using $X_u$ and the curve, and then calculate the IBC key $\mathrm{IK}_u = k(X_u, Y_u) \in G_a$ using $(X_u, Y_u)$ and the network master secret $k$.

(II) Check the first MAC in (9): calculate $\mathrm{MAC}' = h_{\mathrm{IK}_u}(\mathrm{ID}_u, t_Q, X_u)$ and compare whether the received corresponding MAC is the same as $\mathrm{MAC}'$. If the MAC is verified, it puts $\mathrm{ID}_u$ into a candidate reply-list and stops receiving the query-msg in the current monitoring slot; otherwise, it ignores the query-msg.


(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{v\text{-bs}},\ \mathrm{id}_u,\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \mathrm{others1}),\ \mathrm{MAC}_{K_{v\text{-bs}}}(\mathrm{DATA1}),\ \mathrm{MAC}_{\mathrm{IK}_u}(\mathrm{DATA2}), \qquad (10)$$

$$\mathrm{id}_u = h(\mathrm{IK}_u, t_Q), \qquad (11)$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{v\text{-bs}},\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \mathrm{others1}), \qquad (12)$$

$$\mathrm{DATA2} = \mathrm{ID}_u,\ \mathrm{id}_u,\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \mathrm{others1}), \qquad (13)$$

$$\mathrm{collectInfo} = \mathrm{DATA1},\ \mathrm{MAC}_{K_{v\text{-bs}}}(\mathrm{DATA1}), \qquad (14)$$

where $\mathrm{id}^{(*)}_{v\text{-bs}}$ is the pseudonym shared between tag-node $v$ and the sink node, $\mathrm{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply, it sends a reply-msg to node $u$. Note that token nodes do not perform the operations (I) and (II) as tag-nodes do. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{w\text{-next}},\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \mathrm{others2}),\ \mathrm{MAC}_{K_{w\text{-next}}}(\mathrm{DATA1}),\ \mathrm{MAC}_{K_{wu}}(\mathrm{DATA2}), \qquad (15)$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{w\text{-next}},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \mathrm{others2}), \qquad (16)$$

$$\mathrm{DATA2} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \mathrm{others2}), \qquad (17)$$

where $\mathrm{id}^{(*)}_{w\text{-next}}$ and $K_{w\text{-next}}$ are the pseudonym and key shared between token node $w$ and the next round's token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself), $\mathrm{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively, and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round's token node.

(3) Generate and Forward Event Report Message. Due to the different schemes used by tag-nodes and token nodes to generate pseudonyms, as shown in (11) and (8), a query node which receives a reply-msg can know whether the message is sent from a tag-node or a token node. Therefore, the query node can check the MAC using the corresponding key. Upon receiving a reply-msg from a tag-node $v$ or a token node $w$, a query node $u$ first checks the corresponding MAC. If the corresponding MAC is verified, it generates an event report (rpt-msg) and forwards the rpt-msg to the duty node closest to the sink node in its communication range.

Query node $u$ forwards the following real rpt-msg to the chosen next hop node (nextHop) if it receives a verified reply-msg from tag-node $v$:

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ E_{K_{\mathrm{rs\text{-}bs}}}(\mathrm{collectInfo}),\ \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}), \qquad (18)$$

$$\mathrm{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ E_{K_{\mathrm{rs\text{-}bs}}}(\mathrm{collectInfo}), \qquad (19)$$

where $\mathrm{ID}_{\mathrm{rs}}$ is the ID of the reporter source, that is, the first reporter node, and in this case its tag-node $u$, $t_{\mathrm{rs}}$ is the sending timestamp from the reporter source, and collectInfo is shown in (14).

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ \mathrm{rdmDATA},\ \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}), \qquad (20)$$

$$\mathrm{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ \mathrm{rdmDATA}, \qquad (21)$$

where rdmDATA is a random binary sequence code whose length is chosen so that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then, it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will eventually reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field via decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\mathrm{ID}_{\mathrm{rs}}$ field in (18). Then, it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can eventually obtain the interesting information about the monitored objects.
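The query authentication that lets a tag-node store only the master secret $k$ instead of one key per common node, written out as an added Python example (not the authors' implementation). Assumptions: a 256-bit stand-in curve in place of the paper's parameters, try-and-increment hashing for $H$, an even-$y$ convention for recovering $Y_u$, HMAC-SHA-1 for the keyed $h$, a timestamp window checked before the MAC, and constructed keys, IDs and timestamps.

```python
import hashlib
import hmac

# Stand-in curve (assumption): y^2 = x^3 + 7 over secp256k1's field prime, whose
# point group has prime order. The paper instead uses a 512-bit p and 160-bit q.
P, A, B = 2**256 - 2**32 - 977, 0, 7

def lift_x(x):
    """Point with x-coordinate x and even y (parity convention is an assumption)."""
    if x >= P:
        return None
    y2 = (pow(x, 3, P) + A * x + B) % P
    y = pow(y2, (P + 1) // 4, P)            # square root; valid since P % 4 == 3
    if y * y % P != y2:
        return None                         # x is not on the curve
    return (x, y if y % 2 == 0 else P - y)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def hash_to_point(node_id):
    """H(ID): try-and-increment hashing onto the curve (assumed construction)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(node_id + ctr.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(digest, "big") % P)
        if pt is not None:
            return pt
        ctr += 1

def key_bytes(pt):
    """Serialise a point as key material."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def mac4(key, *fields):
    """4-byte MAC; HMAC-SHA-1 over length-prefixed fields is an assumption."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha1).digest()[:4]

def pseudonym(ik, t_q):
    """id_u = h(IK_u, t_Q) from (11), truncated to 8 bytes."""
    return hmac.new(ik, t_q.to_bytes(4, "big"), hashlib.sha1).digest()[:8]

def ta_issue(k, node_id):
    """Predeployment: (X_u, Y_u) = H(ID_u) and IK_u = k * H(ID_u)."""
    pub = hash_to_point(node_id)
    return pub, key_bytes(ec_mul(k, pub))

def make_query(node_id, pub, ik, k_grp, t_q):
    """Duty node u builds query-msg (9)."""
    x_u, t = pub[0].to_bytes(32, "big"), t_q.to_bytes(4, "big")
    return {"id": node_id, "t_q": t_q, "x_u": x_u,
            "mac1": mac4(ik, node_id, t, x_u), "mac2": mac4(k_grp, node_id, t, x_u)}

def tag_verify_query(k, msg, t_self, dt_fresh):
    """Tag-node side: timestamp window, then steps (I) and (II).
    Returns the reply pseudonym id_u on success, None if the query is rejected."""
    if abs(msg["t_q"] - t_self) > dt_fresh:
        return None                                     # stale or replayed
    pt = lift_x(int.from_bytes(msg["x_u"], "big"))      # (I) Y_u from X_u
    if pt is None:
        return None
    ik = key_bytes(ec_mul(k, pt))                       # (I) IK_u = k * (X_u, Y_u)
    t = msg["t_q"].to_bytes(4, "big")
    if not hmac.compare_digest(mac4(ik, msg["id"], t, msg["x_u"]), msg["mac1"]):
        return None                                     # (II) first MAC fails
    return pseudonym(ik, msg["t_q"])

# Constructed values: master secret, node ID, group key.
K_MASTER = 0x1F2E3D4C5B6A79881726354453627180
ID_U, K_GRP = b"\x00\x2a", b"constructed-group-key"

if __name__ == "__main__":
    pub, ik = ta_issue(K_MASTER, ID_U)
    q = make_query(ID_U, pub, ik, K_GRP, t_q=1000)
    print("fresh query accepted:", tag_verify_query(K_MASTER, q, 1002, 5) is not None)
    print("replayed query accepted:", tag_verify_query(K_MASTER, q, 1100, 5) is not None)
```

The tag-node never sees $\mathrm{IK}_u$ in transit; it recomputes it from $X_u$ and $k$, so a query MACed under any other key is dropped at step (II).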


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\mathrm{id}^{(*)}_{v\text{-bs}}$ and $\mathrm{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-bs}}$ and $K_{w\text{-next}}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $\mathrm{IK}_u$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\mathrm{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\mathrm{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\mathrm{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of the next round. It not only guarantees that tag-nodes reply to the query messages confidentially but also guarantees that token nodes pass tokens confidentially.

$$\mathrm{id}^{(*)}_{v\text{-bs}} = h(K_{v\text{-bs}}, \mathrm{id}^{(*-1)}_{v\text{-bs}}), \qquad (22)$$

$$\mathrm{id}^{(*)}_{w\text{-next}} = h(K_{w\text{-next}}, \mathrm{id}^{(*-1)}_{w\text{-next}}), \qquad (23)$$

$$\mathrm{id}^{(*)}_{wu} = h(K_{wu}, \mathrm{id}^{(*-1)}_{wu}). \qquad (24)$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node has the same pseudonym, because the hash function may generate the same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{\mathrm{bit}}/2}$, where $n_{\mathrm{bit}}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, then the collision probability is 2.3e−10, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply to query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{v\text{-bs}}$, $K_{w\text{-next}}$, and $K_{\mathrm{rs\text{-}bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes via using corresponding keys, such as $\mathrm{IK}_u$ and $K_{\mathrm{grp}}$, to check the first MAC, $\mathrm{MAC}^{(1)}$, and the second MAC, $\mathrm{MAC}^{(2)}$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC, as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23).

$$\mathrm{MAC}^{(1)} = h_{\mathrm{IK}_u}(\mathrm{ID}_u, t_Q, X_u), \qquad (25)$$

$$\mathrm{MAC}^{(2)} = h_{K_{\mathrm{grp}}}(\mathrm{ID}_u, t_Q, X_u). \qquad (26)$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{\mathrm{self}}$ as in (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replay message, and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\mathrm{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh.

$$\Delta_t = |t_Q - t_{\mathrm{self}}|. \qquad (27)$$

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as in [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$b = \log_2 \frac{M + L}{M}. \qquad (28)$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then, we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section, we provide the packet format and length for each type of message. According to the IEEE 802.15.4 frame format [39], each packet includes 9 bytes of constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of message in both our schemes and SS includes the 9 bytes of constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte $X$ coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte $X$ coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\mathrm{len}_{\text{query-msg}}$. So we have $\mathrm{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MAC fields. We assume that the encryption function is implemented using AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\mathrm{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC, in addition to the 9-byte constant information. Thus the byte length of the event-trigger-signal is $\mathrm{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MAC fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. Thus the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-issss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the broadcasting query-msg phase, duty-nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msg and replying query-msg, we can transmit them on two different channels. Therefore, the number of query-msgs broadcast, $N_{\text{Tx-qry-msg}}$, in the network will be equal to the number of the duty nodes; the number of query-msgs received, $N_{\text{Rx-qry-msg}}$, in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$. (2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted, $N_{\text{Tx-rpl-msg}}$, in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of reply-msgs received, $N_{\text{Rx-rpl-msg}}$, in the network will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$. (3) In the sending rpt-msgs phase, the chosen duty-nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\mathrm{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\mathrm{hop}_{\text{avg}}$. Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

$$\begin{aligned}
E_{\text{Tx-GBP}} &= \left(N_{\text{Tx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55,
\end{aligned} \tag{29}$$

$$\begin{aligned}
E_{\text{Rx-GBP}} &= \left(N_{\text{Rx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55.
\end{aligned} \tag{30}$$

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes' neighbor nodes transmit token-pass-msgs. Thus the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^2$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\mathrm{hop}_{\text{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

$$\begin{aligned}
E_{\text{Tx-ISS}} &= \left(N_{\text{Tx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{31}$$

$$\begin{aligned}
E_{\text{Rx-ISS}} &= \left(N_{\text{Rx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 55 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{32}$$

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. Both the transmitting event-trigger-signal phase and the sending token-pass-msg phase are similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of rpt-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

$$\begin{aligned}
E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{33}$$

$$\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{34}$$

Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
| --- | --- | --- |
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
| --- | --- | --- |
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^2$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

According to (29), (31), and (33), we can derive

$$E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}\right) \right], \tag{35}$$

$$E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right) \right], \tag{36}$$

$$E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}} (L + M) \left(20\rho_{\text{node}} + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right). \tag{37}$$

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \mathrm{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
| --- | --- | --- |
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^2$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

$$E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}} (L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}^2\right), \tag{38}$$

$$E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}} (L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}}^2 - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right), \tag{39}$$

$$E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}} (L + M) \times \left(20\rho_{\text{node}}^2 + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right). \tag{40}$$

In (38), if

$$\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\mathrm{hop}_{\text{avg}}\right)}}{110}, \tag{41}$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\mathrm{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

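In (40), if

$$\rho_{\text{node}} \ge \frac{39\,\mathrm{hop}_{\text{avg}} - \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^2 - 3120\,\mathrm{hop}_{\text{avg}}}}{40}, \qquad \rho_{\text{node}} \le \frac{39\,\mathrm{hop}_{\text{avg}} + \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^2 - 3120\,\mathrm{hop}_{\text{avg}}}}{40}, \tag{43}$$

with $\mathrm{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.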


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
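The packet lengths of Section 6.1.1, the message counts of Tables 2 to 4, and the expressions (28) to (34), (38), and (39) can be checked numerically. The Python model below is an added example, not code from the paper; the function names are its own, and the 30 × 30 grid in the demo is an assumed size (the values 47 for the node density and 20 for the average hop count are the ones used in the text).

```python
import math

HDR = 9  # constant IEEE 802.15.4 bytes carried by every packet (Section 6.1.1)

# Payload field sizes in bytes, transcribed from Section 6.1.1.
FIELDS = {
    "query-msg": [2, 4, 64, 4, 4],            # source address, timestamp, X coordinate, two MACs
    "reply-msg": [8, 8, 16, 4, 4],            # two pseudonyms, one AES-128 block, two MACs
    "rpt-msg-gbp": [2, 2, 2, 4, 32, 4],       # three IDs, timestamp, two AES-128 blocks, MAC
    "trig-msg": [4, 4],                       # timestamp, MAC
    "token-pass-msg-iss": [2, 4, 16, 16, 4, 4],
    "token-pass-msg-ss": [2, 4, 16, 4],
    "rpt-msg-issss": [2, 2, 2, 4, 16, 4],
}
LEN = {name: HDR + sum(sizes) for name, sizes in FIELDS.items()}

E_TX_UJ, E_RX_UJ = 5.76, 6.48   # CC2420 energy per byte, microjoules (Section 6.1.3)
ECC_MULT_MJ = 17.0              # one ECC-160 scalar point multiplication, millijoules
BATTERY_J = 18720.0             # two AA batteries, joules


def privacy_bits(M, L):
    """Equation (28): b = log2((M + L) / M)."""
    return math.log2((M + L) / M)


def message_counts(scheme, M, L, rho, hop, n_row=0, n_clm=0):
    """Tables 2-4: message type -> (number transmitted, number received)."""
    k = L + M
    if scheme == "GBP":
        return {"query-msg": (n_row * n_clm, k),
                "reply-msg": (k, k * rho),
                "rpt-msg-gbp": (k * hop, k * hop)}
    if scheme == "ISS":
        return {"trig-msg": (k, k * rho),
                "token-pass-msg-iss": (k * rho, k * rho ** 2),
                "rpt-msg-issss": (k * hop, k * hop)}
    if scheme == "SS":
        return {"trig-msg": (k, k * rho),
                "token-pass-msg-ss": (k * rho, k * rho ** 2),
                "rpt-msg-issss": (k * rho * hop, k * rho * hop)}
    raise ValueError(f"unknown scheme: {scheme}")


def energy_uj(scheme, **params):
    """Equations (29)-(34): network-wide (E_Tx, E_Rx) in microjoules."""
    counts = message_counts(scheme, **params)
    tx_bytes = sum(n_tx * LEN[msg] for msg, (n_tx, _) in counts.items())
    rx_bytes = sum(n_rx * LEN[msg] for msg, (_, n_rx) in counts.items())
    return tx_bytes * E_TX_UJ, rx_bytes * E_RX_UJ


def min_density_gbp_rx_wins(hop, against):
    """Smallest rho_node with E_Rx-GBP <= E_Rx of ISS or SS.

    It is the positive root of the quadratic in rho_node in (38) or (39).
    """
    if against == "ISS":    # 55 rho^2 - 32 rho - (87 + 16 hop) >= 0
        a, b, c = 55, -32, -(87 + 16 * hop)
    elif against == "SS":   # 35 rho^2 + (39 hop - 32) rho - (87 + 55 hop) >= 0
        a, b, c = 35, 39 * hop - 32, -(87 + 55 * hop)
    else:
        raise ValueError(f"unknown scheme: {against}")
    return (-b + math.sqrt(b * b - 4 * a * c)) / (2 * a)


def tx_crossover_objects(rho, hop, n_row, n_clm, limit=1 << 20):
    """Smallest L + M (with M = 1) at which E_Tx-GBP <= E_Tx-ISS, or None."""
    for k in range(1, limit):
        p = dict(M=1, L=k - 1, rho=rho, hop=hop, n_row=n_row, n_clm=n_clm)
        if energy_uj("GBP", **p)[0] <= energy_uj("ISS", **p)[0]:
            return k
    return None


def tag_node_lifetime_days(queries_per_day=24 * 60):
    """Section 6.1.3: each query costs one receive, one ECC multiplication, one reply."""
    radio_mj = (LEN["query-msg"] * E_RX_UJ + LEN["reply-msg"] * E_TX_UJ) / 1000
    daily_j = queries_per_day * (radio_mj + ECC_MULT_MJ) / 1000
    return BATTERY_J / daily_j


if __name__ == "__main__":
    # rho = 47 and hop = 20 appear in the text; the 30 x 30 grid is an assumed size.
    for bits in (1, 5, 10):
        p = dict(M=1, L=2 ** bits - 1, rho=47, hop=20, n_row=30, n_clm=30)
        joules = {s: tuple(round(e / 1e6, 2) for e in energy_uj(s, **p))
                  for s in ("GBP", "ISS", "SS")}
        print(f"b = {privacy_bits(1, p['L']):.0f} bits, (E_Tx, E_Rx) in J: {joules}")
    print("GBP transmits less than ISS from", tx_crossover_objects(47, 20, 30, 30), "objects")
    print("tag-node lifetime:", round(tag_node_lifetime_days()), "days")
```

With the assumed grid, the fixed cost of the query broadcast makes GBP the more expensive transmitter at low privacy levels, and the per-object terms of (35) take over as the number of objects grows.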

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

[Figure 6: Communication cost for transmitting messages of the network at different privacy levels. x-axis: privacy in terms of number of bits (b); y-axis: communication cost for transmitting messages (J); series: GBP, ISS, SS.]

[Figure 7: Communication cost for receiving messages of the network at different privacy levels. x-axis: privacy in terms of number of bits (b); y-axis: communication cost for receiving messages (J); series: GBP, ISS, SS.]

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \mathrm{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^2)$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports, while the SS cannot.

[Figure 8: Total communication cost of the network at different privacy levels. x-axis: privacy in terms of number of bits (b); y-axis: communication cost (J); series: GBP, ISS, SS.]

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports, while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "A survey on sensor networks," IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, "A survey of applications of wireless sensors and wireless sensor networks," in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC '05 and MED '05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, "Wireless sensor networks and applications: a survey," International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, "Securing wireless sensor networks: a survey," IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, "Sensor network security: a survey," IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, "Enhancing source-location privacy in sensor network routing," in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS '05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, "Analysis of location privacy solutions in wireless sensor networks," IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.


[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, "Privacy preservation in wireless sensor networks: a state-of-the-art survey," Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, "Location privacy in sensor networks against a global eavesdropper," in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP '07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, "Protecting location privacy in sensor networks against a global eavesdropper," IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, "Towards statistically strong source anonymity for sensor networks," in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, "Source location anonymity for sensor networks," in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC '09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Statistical framework for source anonymity in sensor networks," in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM '10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Toward a statistical framework for source anonymity in sensor networks," IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, "Towards event source unobservability with minimum network traffic in sensor networks," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, "Maximizing lifetime of event-unobservable wireless sensor networks," Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, "Protecting source location privacy in wireless sensor networks with data aggregation," in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC '10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, "Source location privacy against laptop-class attacks in sensor networks," in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm '08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, "The quality of source location protection in globally attacked sensor networks," in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops '11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, "Source-location privacy in energy-constrained sensor network routing," in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, "Preserving source location privacy in monitoring-based wireless sensor networks," in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS '06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, "A source-location privacy protocol in WSN based on locational angle," in Proceedings of the IEEE International Conference on Communications (ICC '08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, "Preserving source-location privacy in energy-constrained wireless sensor networks," in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops '08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, "Privacy-aware routing in sensor networks," Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, "Providing source-location privacy in wireless sensor networks," in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA '09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, "Preserving source-location privacy in wireless sensor networks," in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, "Quantitative measurement and design of source-location privacy schemes for wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, "Entrapping adversaries for source protection in sensor networks," in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM '06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, "A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, "Geography-informed energy conservation for ad hoc routing," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM '01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, "Secure localization and authentication in ultra-wideband sensor networks," IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, "TPS: a time-based positioning scheme for outdoor wireless sensor networks," in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '04), pp. 2685–2696, HongKong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P '03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, "TinySec: a link layer security architecture for wireless sensor networks," in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys '04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] "The IEEE 802.15.4 standard (ver. 2006)," 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "Location-based compromise-tolerant security mechanisms for wireless sensor networks," IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, "An efficient location-based compromise-tolerant key management scheme for sensor networks," Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, "TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks," Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, "On the energy cost of communication and cryptography in wireless sensor networks," in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob '08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User's Manual, http://castalia.research.nicta.com.au/index.php/en/.

[46] Wireless Sensor Networks Simulator, Castalia, http://castalia.research.nicta.com.au/index.php/en/.


Figure 2: The considered network architecture (legend: sink, common node, reporter source, eavesdropping node, tag-node, relay-node).

node to emit signals which can be detected by nodes in the network, as in [9, 10]. The UPHGM includes a network model and an attack model.

4.1. Network Model. We assume that a homogeneous WSN, called obj-WSN, is deployed by an organization to monitor specific objects such as giant pandas, as shown in Figure 2. The obj-WSN consists of $N$ common nodes and one sink node. All of the common nodes have roughly the same resources. Each common node $u$ has a unique node identifier ($\mathrm{ID}_u$) and knows its own location. The communication radius of every common node is $R$. Since directly recognizing the object is very difficult, in order to avoid directly sensing the objects, every monitored object is embedded with a sensor node, that is, a tag-node, to emit event-trigger-signals, called Object-msg. A reporter source which receives an Object-msg will generate a real event report and transmit it to the sink node according to a chosen route mechanism. The communication radius of every tag-node is $r$. To distinguish different objects, each tag-node $v$ also has a unique tag identifier ($\mathrm{TID}_v$). Each Object-msg contains the TID of the tag-node and other information of interest (interest-info).

4.2. Attack Model. We assume that the adversary has his/her own sensor network deployed in the same area, as shown in Figure 2, to monitor the global network traffic of the obj-WSN, as in [9, 10]. Note that the deployment time of the adversary's network is later than that of the obj-WSN. More specifically, we assume that the adversary's network can be deployed once the infrastructure of secure communications of the obj-WSN has been established. The adversary can monitor the whole network traffic, including the Object-msgs emitted by tag-nodes. Knowing a global view of the network traffic, the adversary can easily deduce where the objects are moving around. For example, an object is very likely close to tag-nodes and reporter sources. We do not consider the situations in which the monitored objects can be directly recognized by sensors. If that happens, then the adversary can launch the direct sensing attack, and no defense mechanism can protect the location privacy of the monitored objects.

In addition, the adversary has the following characteristics.

(1) To appropriately study privacy, we apply Kerckhoffs's principle [30]. We assume that the adversary knows the communication protocols and defense mechanisms of the obj-WSN. Each eavesdropping node knows its own location, as shown in Figure 2.

(2) To be invisible to the obj-WSN, the adversary considered in this paper may launch only passive attacks and avoid active attacks, as in [9, 10]. However, since the network may also be attacked by other adversaries with different attack aims, we also need to prevent them from launching some active attacks, such as injecting bogus data by utilizing the security weaknesses of the defense mechanisms.

4.3. Distinction from the PHGM. The main difference between the UPHGM and the PHGM is that the former considers the Object-msg containing the TID of the tag-node and other interest-info, which is more suitable for many practical applications. For example, for multiobject monitoring applications, if an Object-msg contains no information of a monitored object and is only used to trigger event detection, a reporter source cannot generate an accurate event report for the corresponding object, because it does not know which tag-node emitted the received Object-msg. And for many applications, we may want to know the state information or health characteristic information about monitored objects. Therefore, the UPHGM is more realistic and effective than the PHGM for many applications that monitor multiple objects.

Compared with the PHGM, the UPHGM yields a new problem which needs to be solved, that is, how to forward Object-msgs to the sink node securely while providing location privacy to tag-nodes and reporter sources under a global adversary. Prior work only considered the location privacy of reporter sources and ignored the location privacy of tag-nodes. Although reporter sources can use the established pairwise keys to communicate with common nodes securely, because tag-nodes are mobile and resource constrained, they cannot first establish pairwise keys with all common nodes in the network and then use the corresponding keys to communicate with the corresponding nodes securely. Therefore, secure and effective protocols have to be designed to implement secure communications between tag-nodes and reporter sources while providing their location privacy.

4.4. Formal Model. The problem $\Omega$ for protecting the source location privacy against a global adversary in WSNs can be represented by an eight-tuple ($O$, $\mathrm{Net}_O$, $\mathrm{Net}_A$, $D$, $C_D$, $A$, $S_A$, and $b$), where one has the following.

(1) $O$ is the set of monitored objects. We assume that the size of $O$ is $M$. Every monitored object can move around in the deployment area.

(2) $\mathrm{Net}_O$ is the monitoring network deployed by a valid organization, such as the obj-WSN.

(3) $\mathrm{Net}_A$ is the hunting network deployed by an adversary to eavesdrop on the network transmissions of $\mathrm{Net}_O$.

(4) $D$ is the set of defense strategies to protect the source location privacy.

(5) $C_D$ is the cost of defense strategies, mainly consisting of energy cost.

(6) $A$ is the set of attack strategies to infer the locations of monitored objects.

(7) $S_A$ is the set of candidate objects in whose range the adversary expects to find the monitored objects.

(8) $b$ is the level of privacy in terms of bits. It is defined as [9, 10]

$$b = -\sum_{|S_A|} \frac{1}{|S_A|} \log_2 \frac{|O|}{|S_A|} = \log_2 \frac{|S_A|}{M}, \qquad (3)$$

where $|S_A|$ and $|O|$ are the size of $S_A$ and $O$, respectively.

Given the level of privacy $b$, our goal is to achieve it with minimum defense overhead $C_D$.

5. Grid-Based Pull (GBP) Scheme under the UPHGM

As we have pointed out in Section 4, the UPHGM is more realistic than the PHGM and is suitable for monitoring multiple objects accurately. However, there are still more challenges. In this section, we propose a grid-based pull scheme to protect the DSLP under the UPHGM by combining a light-weight security object collection scheme with an effective grid partition method. It includes selecting the communication scheme and determining the grid size. Its implementation is then presented.

5.1. Selecting Communication Scheme. The first main challenge is to effectively authenticate and communicate between a mobile tag-node and each potential communication node in the network. There are two kinds of communication schemes: push scheme and pull scheme. For the push scheme, each tag-node broadcasts Object-msg periodically. As the tag-nodes are mobile, every node in the network has to be able to authenticate each tag-node. For the pull scheme, the query nodes broadcast query messages periodically. In this case, each tag-node must be able to authenticate every node in the network.

Compared with the push scheme, the pull scheme is more secure for our problem. For the push scheme, if any node is compromised by the adversary, he or she can obtain the secret information, such as secure keys, stored in the compromised node and then upload the obtained secret information to every eavesdropping node. As a result, when any tag-node broadcasts an Object-msg, eavesdropping nodes can authenticate the message and recognize the monitored object. For the pull scheme, if any node is compromised by the adversary to launch the stealthy attacks, he or she shall not broadcast query messages using the obtained secure information. If he or she does so, then it is very likely to expose the eavesdropping nodes to the obj-WSN and to trigger alarms. Only in the situation where a monitored object lies in the communication range of the compromised node and the compromised node is just the query node is the location of the monitored object exposed to the adversary without triggering alarms. Therefore, as shown in Table 1, considering security, we should select the pull scheme.

Table 1: Comparison of communication schemes.

| Scheme | Reporting way of tag-nodes | Authentication requirement | Resistance to node compromise |
|---|---|---|---|
| Push | Active broadcast | Each sensor node is able to authenticate all tag-nodes | Single-point failure |
| Pull | Passive reply | Each tag-node is able to authenticate all sensor nodes | Only tag-nodes nearby the compromised nodes probably fail |

However, due to resource constraints, for example, the storage resource, in order to let a tag-node be able to authenticate every node in the network, we obviously cannot select symmetric approaches, which require the tag-node to store a large number of pairwise keys. Hence, for storage efficiency, we should adopt an asymmetric authentication approach. Considering the asymmetric feature between tag-nodes and common nodes in the obj-WSN, we design an authentication approach based on identity-based cryptography (IBC), which will be described in Section 5.3.

5.2. Determining Grid Size. The second problem we consider is how to reduce the number of query nodes as much as possible while keeping high-quality tracing of the monitored objects. To reduce the number of query nodes, we divide the whole network area into a number of virtual grids. In each grid, a node, called the duty node, is selected to collect information on the monitored objects. To balance the energy load among nodes, each node can be responsible for collecting the information for a certain time interval in turn as duty node. Hence, the second problem can be translated into the problem of how to determine the size of the virtual grid to satisfy both the query requirement and the connectivity requirement. The query requirement means that, no matter where a tag-node is in the network, its relevant information can be detected by at least one query node. The connectivity requirement means that nodes in a grid are capable of communicating with those nodes in an adjacent grid.

On the one hand, to meet the query requirement, there should be at least one full grid in the circle with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, as illustrated in Figure 3. Obviously, the smaller the size of the grid is, the more full grids are in the circle. To reduce the number of query nodes as much as possible, we need to determine the maximum size of the grid. We have derived the theoretical maximum size of the grid and have the following theorem.

Figure 3: Example of query requirement: the communication range of the tag-node (radius $r$) containing at least a full grid.

Theorem 1. To ensure that, no matter where a tag-node is in the network, there is at least one full grid in the circle $C_r$ with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, the maximum length $a$ of the grid is $r/\sqrt{2}$.

Proof. Firstly, we prove that there is at least one full grid in the circle $C_r$ when $a = r/\sqrt{2}$. We assume that the circle $C_r$ does not contain any full grid. Obviously, in this case, the center of the circle is at the common vertex of four grids most likely, as shown in Figure 4. In this case, the circle $C_r$ just contains four full grids, as shown in Figure 4. That is, the assumption does not hold. In other words, there is at least one full grid in the circle $C_r$.

Secondly, we prove that $a$ is the maximum length. We assume that the length $a^* = a + \varepsilon$ ($\varepsilon > 0$) also satisfies the requirement in the theorem. However, when the center of the circle is at the common vertex of four grids, the length of the diagonal line of one grid is $l_d = \sqrt{2}a^* = \sqrt{2}(a + \varepsilon) = \sqrt{2}(r/\sqrt{2} + \varepsilon) > r$, so the circle $C_r$ does not contain any full grid, which contradicts the assumption, as shown in Figure 4. That is, the assumption does not hold. This proves that $a$ is the maximum length.

On the other hand, according to [31], to satisfy the connectivity requirement, the length $a$ of the grid should satisfy $a \le R/\sqrt{5}$, where $R$ is the communication radius of every common node, as shown in Figure 5.

Figure 4: Example of one tag-node at the common vertex of four grids (labels in the figure: $a$, $a^*$, $r$, $l_d > r$).

Figure 5: Example of connectivity requirement according to [31] (labels in the figure: $R$, $a$).

As the communication radius of the common node is usually not less than that of the tag-node, we assume that $R = \lambda r$, where $\lambda \ge 1$. Let $l$ be the length of the network. Define $m$ and $n$ by

$$m = \frac{l}{r/\sqrt{2}}, \qquad n = \frac{l}{R/\sqrt{5}}. \qquad (4)$$

That is, $m$ and $n$ are the number of grids according to the above two dividing methods, respectively. Then we have the following conclusions.

(i) If $m = n$, that is, $\lambda = \sqrt{2.5}$, the above two dividing methods are the same.

(ii) If $m > n$, that is, $\lambda > \sqrt{2.5}$, to satisfy the above two requirements, we should select the former dividing method.

(iii) If $m < n$, that is, $1 \le \lambda < \sqrt{2.5}$, to satisfy the above two requirements, we should select the latter dividing method.
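The following added example (not code from the paper) picks the grid side from the two bounds above and checks Theorem 1 numerically by sampling tag-node positions over one cell. The function names, the sampling density and the tolerance `EPS` are assumptions made for the illustration.

```python
import math

EPS = 1e-9  # tolerance for cell corners that lie exactly on the circle


def grid_side(r, R):
    """Largest side a that satisfies both a <= r/sqrt(2) and a <= R/sqrt(5)."""
    return min(r / math.sqrt(2), R / math.sqrt(5))


def binding_requirement(r, R):
    """Which requirement fixes the grid side, following conclusions (i)-(iii)."""
    lam = R / r
    if math.isclose(lam, math.sqrt(2.5)):
        return "both"
    return "query" if lam > math.sqrt(2.5) else "connectivity"


def has_full_grid(cx, cy, r, a):
    """True if some a-by-a cell lies entirely inside the circle of radius r at (cx, cy)."""
    lo_i, hi_i = math.floor((cx - r) / a), math.floor((cx + r) / a)
    lo_j, hi_j = math.floor((cy - r) / a), math.floor((cy + r) / a)
    for i in range(lo_i, hi_i + 1):
        for j in range(lo_j, hi_j + 1):
            corners = [(i * a, j * a), ((i + 1) * a, j * a),
                       (i * a, (j + 1) * a), ((i + 1) * a, (j + 1) * a)]
            # A square is inside a circle exactly when its four corners are.
            if all(math.hypot(x - cx, y - cy) <= r + EPS for x, y in corners):
                return True
    return False


def uncovered_positions(r, a, steps=20):
    """Sampled tag-node positions with no full cell in range.

    The grid is periodic, so sampling one cell [0, a) x [0, a) is enough.
    The sample (0, 0) is the common vertex of four cells, the worst case
    used in the proof.
    """
    bad = []
    for sx in range(steps):
        for sy in range(steps):
            cx, cy = a * sx / steps, a * sy / steps
            if not has_full_grid(cx, cy, r, a):
                bad.append((cx, cy))
    return bad


def max_adjacent_distance(a):
    """Largest distance between two nodes in edge-adjacent cells (a * sqrt(5))."""
    return math.hypot(2 * a, a)


if __name__ == "__main__":
    r = 10.0
    print(binding_requirement(r, 10.0), grid_side(r, 10.0))
    print(binding_requirement(r, 20.0), grid_side(r, 20.0))
    print(len(uncovered_positions(r, r / math.sqrt(2))))
    print(uncovered_positions(r, 1.01 * r / math.sqrt(2))[:1])
```

With a side only 1% above $r/\sqrt{2}$, the vertex position already has no full cell in range, which is the case the second half of the proof relies on.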

5.3. Implementation of the Grid-Based Pull Scheme. In this subsection, we introduce the implementation of the grid-based pull scheme, including the predeployment phase, the grid formation phase, and the report collection phase.

5.3.1. Predeployment Phase. Before deploying the obj-WSN, we assume that a trusted authority (TA) does the following operations.


(1) Generate system parameters ($p$, $q$, $E/F_p$, and $G_a$), where $p$, $q$ are two large primes, $E/F_p$ indicates an elliptic curve $y^2 = x^3 + ax + b$ over the finite field $F_p$, and $G_a$ is a $q$-order subgroup of the additive group of points of $E/F_p$.

(2) Choose two hash functions: $H: \{0, 1\}^* \rightarrow G_a$, mapping strings to nonzero elements in $G_a$, and $h$, mapping arbitrary inputs to fixed-length outputs, for example, SHA-1 [32].

(3) Select a random element $k \in Z_q^* = \{x \mid 1 \le x \le q - 1\}$ as the network master secret.

(4) Calculate $H(\mathrm{ID}_u) = (X_u, Y_u)$ and the IBC key $IK_u = kH(\mathrm{ID}_u) \in G_a$ for each common node $u$. Note that, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to obtain $k$ from any ($IK_u$, $\mathrm{ID}_u$) pair.

(5) Randomly select $L$ common nodes as token nodes and preload each of them with a unique token ID.

Each common node $u$ is preloaded with the public system parameters ($p$, $q$, $E/F_p$, $G_a$, $H$, and $h$), its private key $IK_u$, its public key $(X_u, Y_u)$, and a pairwise key with the sink node, $K_{u\text{-}bs}$. Each tag-node $v$ is preloaded with the same public system parameters as each common node, the network master secret $k$, and a pairwise key with the sink node, $K_{v\text{-}bs}$.

5.3.2. Grid Formation Phase. After deploying the obj-WSN, we assume that every common node can obtain its own location information using some localization methods, such as [33, 34]. Also, we assume that every common node can obtain the location information $(x_{bs}, y_{bs})$ of the sink node either via a preloading method or via a broadcasting method. The grid identifier $G_u = (g_{x\text{-}u}, g_{y\text{-}u})$ of node $u$ can be calculated using the following:

$$g_{x\text{-}u} = \left\lceil \frac{x_u - x_{bs}}{a} \right\rceil, \qquad g_{y\text{-}u} = \left\lceil \frac{y_u - y_{bs}}{a} \right\rceil, \qquad (5)$$

where $x_u$ and $y_u$ indicate the geographic location of node $u$ and $a$ is the side length of a grid, which is determined according to Section 5.2.

To form virtual grids in the network initialization phase, each common node $i$ broadcasts a hello message (hello-msg) as follows:

$$\text{hello-msg} = \mathrm{ID}_i,\ x_i,\ y_i. \qquad (6)$$

Upon receiving the hello-msg from node $i$, the node $u$ first calculates the grid identifier $G_i$ of node $i$ using the $(x_i, y_i)$ information. If $G_i = G_u$, it then puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its same-grid table in descending order of ID number; otherwise, it puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its non-same-grid table in increasing order of distance to the sink node.

To avoid additional communication overhead caused by the duty node role rotation, we can stipulate the rotation order, for example, in descending (or increasing) order of ID number in each grid. Thus, each grid will have a duty node when the network initialization finishes, and also each node will rotate as duty node in a stipulated order.
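As an added illustration (not the paper's code), the sketch below runs the grid formation phase on constructed node positions: each node computes grid identifiers with (5), fills its two tables from the hello-msgs it can hear, and derives the duty node per round without further messages. Including a node's own entry in its same-grid table and indexing the rotation by a round number are assumptions of the example.

```python
import math


def grid_id(x, y, sink, a):
    """Grid identifier of (5): ceiling of the offset from the sink divided by a."""
    return (math.ceil((x - sink[0]) / a), math.ceil((y - sink[1]) / a))


def build_tables(me, nodes, sink, a, R):
    """Tables node `me` builds from the hello-msgs within its radio range R."""
    mx, my = nodes[me]
    my_grid = grid_id(mx, my, sink, a)
    same, other = [(me, mx, my)], []          # assumption: own entry is listed too
    for nid, (x, y) in nodes.items():
        if nid == me or math.hypot(x - mx, y - my) > R:
            continue                          # own message, or sender not heard
        target = same if grid_id(x, y, sink, a) == my_grid else other
        target.append((nid, x, y))
    same.sort(key=lambda e: e[0], reverse=True)                 # descending ID
    other.sort(key=lambda e: math.hypot(e[1] - sink[0], e[2] - sink[1]))
    return same, other


def duty_node(same_table, round_no):
    """Duty node for a round under the stipulated descending-ID rotation."""
    return same_table[round_no % len(same_table)][0]


def consistent_duty(nodes, sink, a, R, rounds=4):
    """True if all nodes of every grid independently pick the same duty node."""
    picks = {}
    for nid, (x, y) in nodes.items():
        same, _ = build_tables(nid, nodes, sink, a, R)
        schedule = tuple(duty_node(same, t) for t in range(rounds))
        picks.setdefault(grid_id(x, y, sink, a), set()).add(schedule)
    return all(len(schedules) == 1 for schedules in picks.values())


# Constructed sample deployment: sink at the origin, R = 10.
SINK = (0.0, 0.0)
R = 10.0
A_OK = R / math.sqrt(5)                       # side allowed by the connectivity bound
NODES = {1: (1.0, 1.0), 2: (4.0, 4.0), 3: (2.0, 3.5), 4: (5.0, 1.0), 5: (8.0, 2.0)}
# Constructed counter-case: a side of 30 puts nodes that cannot hear each other in one grid.
FAR_NODES = {1: (1.0, 1.0), 2: (25.0, 25.0), 3: (12.0, 12.0)}

if __name__ == "__main__":
    print(build_tables(1, NODES, SINK, A_OK, R))
    print(consistent_duty(NODES, SINK, A_OK, R))
    print(consistent_duty(FAR_NODES, SINK, 30.0, R))
```

The counter-case shows why the grid side matters for the rotation as well: once two nodes of the same grid are out of each other's range, their same-grid tables differ and each believes a different node is on duty.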

5.3.3. Report Collection Phase. We assume that, in the network initialization phase, an effective key-based mechanism is adopted, such as [35–37]. That is, an infrastructure for secure communication has been established. To achieve anonymity, nodes may need to use pseudonyms to communicate with each other according to the requirement. We adopt the method in [29] to generate pseudonyms. Assuming two nodes $u$ and $v$ with a shared key $K_{uv}$, we can generate a sequence of pseudonyms using the hash function $h$ by iteratively hashing a random value $V_{rdm}$ as follows:

$$\mathrm{id}^{(1)}_{uv} = h(K_{uv}, V_{rdm}), \qquad (7)$$

$$\mathrm{id}^{(i)}_{uv} = h(K_{uv}, \mathrm{id}^{(i-1)}_{uv}). \qquad (8)$$

(1) Broadcast Query Message. After network initialization, every duty node $u$ periodically broadcasts a query message (query-msg) as follows:

$$\text{query-msg} = \mathrm{ID}_u,\ t_Q,\ X_u,\ \mathrm{MAC}_{IK_u}(\mathrm{ID}_u, t_Q, X_u),\ \mathrm{MAC}_{K_{grp}}(\mathrm{ID}_u, t_Q, X_u), \qquad (9)$$

where $t_Q$ is the timestamp and its value is the time when the query-msg is broadcast by the duty node, $K_{grp}$ is the group key shared among the sending node and its neighborhood, and $X_u$ is the $X$ coordinate of the node $u$ on the elliptic curve $E/F_p$. Since $H(\mathrm{ID}_u) = (X_u, Y_u)$ is a point of $E/F_p$, only one of the $X_u$ and $Y_u$ coordinates needs to be transmitted, and the other can be easily derived using the curve equation.

(2) Reply Query Message

(i) For Tag-Node. We assume that tag-nodes and common nodes are loosely synchronized. Every tag-node periodically monitors the query-msg for a specific time interval $\Delta_m$, called the monitoring slot. Each monitoring period is called a monitoring round. Upon receiving a query-msg from a duty node $u$, a tag-node $v$ performs the following operations.

(I) Calculate $Y_u$ using $X_u$ and the curve, and then calculate the IBC key $IK_u = k(X_u, Y_u) \in G_a$ using $(X_u, Y_u)$ and the network master secret $k$.

(II) Check the first MAC in (9): calculate $\mathrm{MAC}' = h_{IK_u}(\mathrm{ID}_u, t_Q, X_u)$ and compare whether the received corresponding MAC is the same as $\mathrm{MAC}'$. If the MAC is verified, it puts $\mathrm{ID}_u$ into a candidate reply-list and stops receiving the query-msg in the current monitoring slot; otherwise, it ignores the query-msg.

(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{v\text{-}bs},\ \mathrm{id}_u,\ E_{K_{v\text{-}bs}}(\mathrm{TID}_v, t, \text{others1}),\ \mathrm{MAC}_{K_{v\text{-}bs}}(\mathrm{DATA1}),\ \mathrm{MAC}_{IK_u}(\mathrm{DATA2}), \qquad (10)$$

$$\mathrm{id}_u = h(IK_u, t_Q), \qquad (11)$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{v\text{-}bs},\ E_{K_{v\text{-}bs}}(\mathrm{TID}_v, t, \text{others1}), \qquad (12)$$

$$\mathrm{DATA2} = \mathrm{ID}_u,\ \mathrm{id}_u,\ E_{K_{v\text{-}bs}}(\mathrm{TID}_v, t, \text{others1}), \qquad (13)$$

$$\text{collectInfo} = \mathrm{DATA1},\ \mathrm{MAC}_{K_{v\text{-}bs}}(\mathrm{DATA1}), \qquad (14)$$

where $\mathrm{id}^{(*)}_{v\text{-}bs}$ is the pseudonym shared between tag-node $v$ and the sink node, $\mathrm{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply, it sends a reply-msg to node $u$. Note that token nodes do not perform the operations (I) and (II) as tag-nodes do. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{w\text{-}next},\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-}next}}(\text{token-ID}, t, \text{others2}),\ \mathrm{MAC}_{K_{w\text{-}next}}(\mathrm{DATA1}),\ \mathrm{MAC}_{K_{wu}}(\mathrm{DATA2}), \qquad (15)$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{w\text{-}next},\ E_{K_{w\text{-}next}}(\text{token-ID}, t, \text{others2}), \qquad (16)$$

$$\mathrm{DATA2} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-}next}}(\text{token-ID}, t, \text{others2}), \qquad (17)$$

where $\mathrm{id}^{(*)}_{w\text{-}next}$ and $K_{w\text{-}next}$ are the pseudonym and key shared between token node $w$ and the next round's token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself), $\mathrm{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively, and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round's token node.

(3) Generate and Forward Event Report Message. Due to the different schemes used by tag-nodes and token nodes to generate pseudonyms, as shown in (11) and (8), a query node which receives a reply-msg can know whether the message is sent from a tag-node or a token node. Therefore, the query node can check the MAC using the corresponding key. Upon receiving a reply-msg from a tag-node $v$ or a token node $w$, a query node $u$ first checks the corresponding MAC. If the corresponding MAC is verified, it generates an event report (rpt-msg) and forwards the rpt-msg to the duty node closest to the sink node in its communication range.

Query node $u$ forwards the following real rpt-msg to the chosen next hop node (nextHop) if it receives a verified reply-msg from tag-node $v$:

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{nextHop},\ t_{rs},\ \mathrm{ID}_{rs},\ E_{K_{rs\text{-}bs}}(\text{collectInfo}),\ \mathrm{MAC}_{K_{u\text{-}nextHop}}(\mathrm{DATA}), \qquad (18)$$

$$\mathrm{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{nextHop},\ t_{rs},\ \mathrm{ID}_{rs},\ E_{K_{rs\text{-}bs}}(\text{collectInfo}), \qquad (19)$$

where $\mathrm{ID}_{rs}$ is the ID of the reporter source, that is, the first reporter node, and in this case its tag-node $u$, $t_{rs}$ is the sending timestamp from the reporter source, and collectInfo is shown in (14).

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{nextHop},\ t_{rs},\ \mathrm{ID}_{rs},\ \text{rdmDATA},\ \mathrm{MAC}_{K_{u\text{-}nextHop}}(\mathrm{DATA}), \qquad (20)$$

$$\mathrm{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{nextHop},\ t_{rs},\ \mathrm{ID}_{rs},\ \text{rdmDATA}, \qquad (21)$$

where rdmDATA is a random binary sequence code whose length is chosen so that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will eventually reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field via decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\mathrm{ID}_{rs}$ field in (18). Then it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node, if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can eventually obtain the interesting information about the monitored objects.
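The query and reply exchange of this phase, as an added example that is not the paper's implementation: it covers the pseudonym chain of (7) and (8), the two MACs of (9), the tag-node pseudonym of (11), the timestamp test the paper later gives as (27), and how a query node tells tag-node replies from token-node replies. Assumptions: SHA-256 and truncated HMAC stand in for $h$ and the keyed MAC, fields are length-prefixed, `derive_ik` replaces the elliptic-curve computation of $IK_u$ with a keyed hash, the encrypted field is an opaque byte string, and `FRESH_WINDOW` is a made-up threshold.

```python
import hashlib
import hmac

PSEUDONYM_LEN = 8   # bytes, the pseudonym size used in the collision analysis
MAC_LEN = 4         # bytes, the MAC size the scheme adopts
FRESH_WINDOW = 5    # assumed freshness threshold, in clock ticks


def _encode(fields):
    # Length-prefix every field so different field lists cannot collide.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def h(*fields):
    return hashlib.sha256(_encode(fields)).digest()


def mac(key, *fields):
    return hmac.new(key, _encode(fields), hashlib.sha256).digest()[:MAC_LEN]


def ts(t):
    return t.to_bytes(4, "big")          # 4-byte timestamp field


def derive_ik(master_k, x_u):
    # Stand-in for IK_u = k * (X_u, Y_u): a keyed hash replaces the
    # elliptic-curve scalar multiplication, which is out of scope here.
    return hmac.new(master_k, x_u, hashlib.sha256).digest()


class PseudonymChain:
    """Pseudonym sequence of (7) and (8), held by both owners of a shared key."""

    def __init__(self, key, v_rdm):
        self.key = key
        self.current = h(key, v_rdm)[:PSEUDONYM_LEN]               # (7)

    def advance(self):
        self.current = h(self.key, self.current)[:PSEUDONYM_LEN]   # (8)


def make_query(id_u, t_q, x_u, ik_u, k_grp):
    """query-msg of (9): the same fields MACed once per audience."""
    f = (id_u, ts(t_q), x_u)
    return {"id": id_u, "t_q": t_q, "x": x_u,
            "mac_ik": mac(ik_u, *f), "mac_grp": mac(k_grp, *f)}


def _query_ok(q, key, mac_field, t_self):
    if abs(q["t_q"] - t_self) > FRESH_WINDOW:       # timestamp test, (27)
        return False
    expected = mac(key, q["id"], ts(q["t_q"]), q["x"])
    return hmac.compare_digest(expected, q[mac_field])


def tag_accepts_query(q, master_k, t_self):
    """Tag-node: rebuild IK_u from k and X_u, then check the first MAC."""
    return _query_ok(q, derive_ik(master_k, q["x"]), "mac_ik", t_self)


def token_accepts_query(q, k_grp, t_self):
    """Token node: check only the second MAC, under the group key."""
    return _query_ok(q, k_grp, "mac_grp", t_self)


def _reply(q, pseudonym, key, blob):
    # DATA2 of (13)/(17): ID_u, pseudonym, encrypted field (opaque here).
    return {"to": q["id"], "pseudonym": pseudonym, "blob": blob,
            "mac": mac(key, q["id"], pseudonym, blob)}


def tag_reply(q, master_k, blob):
    ik_u = derive_ik(master_k, q["x"])
    return _reply(q, h(ik_u, ts(q["t_q"]))[:PSEUDONYM_LEN], ik_u, blob)  # (11)


def token_reply(q, chain_wu, blob):
    msg = _reply(q, chain_wu.current, chain_wu.key, blob)
    chain_wu.advance()
    return msg


def classify_reply(reply, q, ik_u, token_chains):
    """Query node: 'tag', 'token', or None when the reply is dropped."""
    if reply["to"] != q["id"]:
        return None
    fields = (reply["to"], reply["pseudonym"], reply["blob"])
    candidates = [("tag", ik_u, h(ik_u, ts(q["t_q"]))[:PSEUDONYM_LEN], None)]
    candidates += [("token", c.key, c.current, c) for c in token_chains]
    for kind, key, pseudonym, chain in candidates:
        # The MAC check also settles the rare case of a pseudonym collision.
        if (hmac.compare_digest(reply["pseudonym"], pseudonym)
                and hmac.compare_digest(reply["mac"], mac(key, *fields))):
            if chain is not None:
                chain.advance()           # stay in step with the token node
            return kind
    return None
```

Because the tag-node recomputes $IK_u$ from the master secret $k$, the copy of $k$ stored on each tag-node is as sensitive as the private keys of all common nodes together.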


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\mathrm{id}^{(*)}_{v\text{-}bs}$ and $\mathrm{id}^{(*)}_{w\text{-}next}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-}bs}$ and $K_{w\text{-}next}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $IK_u$, $K_{wu}$, and $K_{w\text{-}next}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\mathrm{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\mathrm{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\mathrm{id}^{(*)}_{w\text{-}next}$, it implies that it is the chosen token node of the next round. It not only guarantees that tag-nodes reply to the query messages confidentially but also guarantees that token nodes pass tokens confidentially:

$$\mathrm{id}^{(*)}_{v\text{-}bs} = h(K_{v\text{-}bs}, \mathrm{id}^{(*-1)}_{v\text{-}bs}), \qquad (22)$$

$$\mathrm{id}^{(*)}_{w\text{-}next} = h(K_{w\text{-}next}, \mathrm{id}^{(*-1)}_{w\text{-}next}), \qquad (23)$$

$$\mathrm{id}^{(*)}_{wu} = h(K_{wu}, \mathrm{id}^{(*-1)}_{wu}). \qquad (24)$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node having the same pseudonym, because the hash function may generate the same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{bit}/2}$, where $n_{bit}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, the collision probability is $2.3 \times 10^{-10}$, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply to query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{v\text{-}bs}$, $K_{w\text{-}next}$, and $K_{rs\text{-}bs}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes via using corresponding keys, such as $IK_u$ and $K_{grp}$, to check the first MAC, $\mathrm{MAC}^{(1)}$, and the second MAC, $\mathrm{MAC}^{(2)}$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23):

$$\mathrm{MAC}^{(1)} = h_{IK_u}(\mathrm{ID}_u, t_Q, X_u), \qquad (25)$$

$$\mathrm{MAC}^{(2)} = h_{K_{grp}}(\mathrm{ID}_u, t_Q, X_u). \qquad (26)$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{self}$ as in (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-}fresh}$, we can believe that the received query-msg is a replay message, and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-}fresh}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\mathrm{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh:

$$\Delta_t = |t_Q - t_{self}|. \qquad (27)$$

(5) Privacy Service As both the adversary and the defenderhave similar knowledge about the behavior of real objectswe assume that any candidate trace created by the tokennodes in the network will be considered as a valid candidatetrace by the adversary as [9 10] On the one hand asthe confidentiality service is provided by the GBP schemehence the adversary cannot distinguish between tag-nodesand token nodes based on the contents of messages inthe network On the other hand as the communication

International Journal of Distributed Sensor Networks 11

schemes of tag-nodes and token nodes are the same andindistinguishable for the adversary hence the adversarycannot distinguish between tag-nodes and token nodes basedon the communication schemesThat is the adversary cannotuse the content information and the contextual informationto distinguish tag-nodes from token nodes In other words 119871token nodes create 119871 valid candidate tracesTherefore we cansee that the set of candidate locations includes an average of(119872+119871) candidate objects that is |119878119860| = (119872+119871) As a resultaccording to (3) the privacy provided by theGBP scheme canbe estimated by

$$b = \log_2 \frac{M + L}{M} \tag{28}$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section we provide the packet format and length for each type of message. According to the IEEE 802.15.4 frame format [39], each packet includes 9 bytes of constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of message in both our schemes and SS includes the 9 bytes of constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte X coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte X coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\mathrm{len}_{\text{query-msg}}$. So we have $\mathrm{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MAC fields. We assume that the encryption function is implemented using AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\mathrm{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC, in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal is $\mathrm{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MAC fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-issss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the broadcasting query-msg phase, duty-nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msg and replying query-msg, we can transmit them on two different channels. Therefore, the number of query-msg broadcast, $N_{\text{Tx-qry-msg}}$, in the network will be equal to the number of the duty nodes; the number of query-msg received, $N_{\text{Rx-qry-msg}}$, in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$. (2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted, $N_{\text{Tx-rpl-msg}}$, in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of query-msg received, $N_{\text{Rx-rpl-msg}}$, in the network will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$. (3) In the sending rpt-msgs phase, the chosen duty-nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\mathrm{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\mathrm{hop}_{\text{avg}}$. Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

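$$\begin{aligned} E_{\text{Tx-GBP}} &= \left(N_{\text{Tx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Tx}} \\ &= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55 \end{aligned} \tag{29}$$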

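$$\begin{aligned} E_{\text{Rx-GBP}} &= \left(N_{\text{Rx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Rx}} \\ &= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55 \end{aligned} \tag{30}$$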

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes' neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^2$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\mathrm{hop}_{\text{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

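$$\begin{aligned} E_{\text{Tx-ISS}} &= \left(N_{\text{Tx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\ &= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39 \end{aligned} \tag{31}$$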

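$$\begin{aligned} E_{\text{Rx-ISS}} &= \left(N_{\text{Rx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\ &= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 55 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39 \end{aligned} \tag{32}$$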

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. In both the transmitting event-trigger-signal phase and the sending token-pass-msg phase, it is similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of token-pass-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

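$$\begin{aligned} E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\ &= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39 \end{aligned} \tag{33}$$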


Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^2$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

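$$\begin{aligned} E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\ &= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39 \end{aligned} \tag{34}$$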

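According to (29), (31), and (33), we can derive

$$E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}\right) \right] \tag{35}$$

$$E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right) \right] \tag{36}$$

$$E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M) \left(20\rho_{\text{node}} + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right) \tag{37}$$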

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \mathrm{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^2$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

$$E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}^2\right) \tag{38}$$

$$E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}}^2 - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right) \tag{39}$$

$$E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\rho_{\text{node}}^2 + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right) \tag{40}$$

In (38), if

$$\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\mathrm{hop}_{\text{avg}}\right)}}{110}, \tag{41}$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\mathrm{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

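In (40), if

$$\begin{aligned} \rho_{\text{node}} &\ge \frac{39\,\mathrm{hop}_{\text{avg}} - \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^2 - 3120\,\mathrm{hop}_{\text{avg}}}}{40}, \\ \rho_{\text{node}} &\le \frac{39\,\mathrm{hop}_{\text{avg}} + \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^2 - 3120\,\mathrm{hop}_{\text{avg}}}}{40}, \end{aligned} \tag{43}$$

with $\mathrm{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.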


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps, used in TelosB nodes, consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
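The analysis of Sections 6.1.1 to 6.1.3 can be reproduced numerically with the sketch below, which is an added example and not code from the paper: it rebuilds the packet lengths from their field lists, evaluates (29) to (34) from the message counts of Tables 2 to 4, solves (41) and (42) for the density threshold, and repeats the tag-node lifetime estimate. The value $\mathrm{hop}_{\text{avg}} = 8$ and the 20 × 20 grid used in the demo are assumed for illustration; function and key names are this example's own.

```python
import math

HDR = 9  # constant IEEE 802.15.4 bytes carried by every packet (Section 6.1.1)

# Field sizes in bytes for each message type, as listed in Section 6.1.1.
FIELDS = {
    "query-msg":          [2, 4, 64, 4, 4],      # address, timestamp, X coordinate, 2 MACs
    "reply-msg":          [8, 8, 16, 4, 4],      # 2 pseudonyms, AES-128 block, 2 MACs
    "rpt-msg-gbp":        [2, 2, 2, 4, 32, 4],   # 3 IDs, timestamp, 2 AES blocks, MAC
    "trig-msg":           [4, 4],                # timestamp, MAC
    "token-pass-msg-iss": [2, 4, 16, 16, 4, 4],  # ID, timestamp, 2 encrypted fields, 2 MACs
    "token-pass-msg-ss":  [2, 4, 16, 4],         # ID, timestamp, encrypted field, MAC
    "rpt-msg-issss":      [2, 2, 2, 4, 16, 4],   # 3 IDs, timestamp, encrypted field, MAC
}
LEN = {name: HDR + sum(sizes) for name, sizes in FIELDS.items()}

# Radio energy per byte in joules (5.76 uJ transmit, 6.48 uJ receive). With these
# values the page's 0.846 mJ figure holds: 87 * 6.48 + 49 * 5.76 = 846 uJ.
E_TX, E_RX = 5.76e-6, 6.48e-6
E_ECC = 17e-3  # one ECC-160 scalar point multiplication, in joules


def token_nodes_for(bits, M=1):
    """Invert eq. (28), b = log2((M + L) / M): token nodes L needed for b bits."""
    return M * (2 ** bits - 1)


def message_counts(scheme, L, M, rho, hop, grids):
    """Tables 2-4 as {message type: (transmitted, received)}."""
    n = L + M
    if scheme == "GBP":
        return {"query-msg": (grids, n), "reply-msg": (n, n * rho),
                "rpt-msg-gbp": (n * hop, n * hop)}
    if scheme == "ISS":
        return {"trig-msg": (n, n * rho), "token-pass-msg-iss": (n * rho, n * rho ** 2),
                "rpt-msg-issss": (n * hop, n * hop)}
    if scheme == "SS":
        return {"trig-msg": (n, n * rho), "token-pass-msg-ss": (n * rho, n * rho ** 2),
                "rpt-msg-issss": (n * rho * hop, n * rho * hop)}
    raise ValueError(f"unknown scheme: {scheme}")


def energy(scheme, L, M, rho, hop, grids):
    """Eqs. (29)-(34): (E_Tx, E_Rx) in joules for one event per object."""
    counts = message_counts(scheme, L, M, rho, hop, grids)
    tx = sum(t * LEN[m] for m, (t, _) in counts.items()) * E_TX
    rx = sum(r * LEN[m] for m, (_, r) in counts.items()) * E_RX
    return tx, rx


def min_density(other, hop):
    """Eqs. (41)/(42): smallest integer rho_node with E_Rx-GBP <= E_Rx-<other>.

    Both conditions are the positive root of a*rho^2 + b*rho + c >= 0 taken
    from (38) and (39) respectively.
    """
    a, b, c = {"ISS": (55, -32, -(87 + 16 * hop)),
               "SS": (35, 39 * hop - 32, -(87 + 55 * hop))}[other]
    return math.ceil((-b + math.sqrt(b * b - 4 * a * c)) / (2 * a))


def tag_node_lifetime_days(battery_j=18720, queries_per_day=24 * 60):
    """Section 6.1.3: receive a query-msg, authenticate it, send a reply-msg."""
    per_query = LEN["query-msg"] * E_RX + E_ECC + LEN["reply-msg"] * E_TX
    return battery_j / (per_query * queries_per_day)


if __name__ == "__main__":
    # rho_node = 47 and M = 1 follow the simulation setup on the page;
    # hop_avg = 8 and 400 grids are assumed values.
    for bits in (1, 5, 10):
        L = token_nodes_for(bits)
        total = {s: sum(energy(s, L, 1, 47, 8, 400)) for s in ("GBP", "ISS", "SS")}
        print(bits, {s: round(j, 2) for s, j in total.items()})
    print(min_density("ISS", 20), min_density("SS", 20), round(tag_node_lifetime_days()))
```

Because the receive cost of token-pass-msgs grows with the square of the node density, the ISS and SS totals in the demo are dominated by that term, while the GBP total stays linear in $\rho_{\text{node}}$.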

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

[Figure 6: Communication cost for transmitting messages of the network at different privacy levels. x-axis: privacy in terms of number of bits (b); y-axis: communication cost for transmitting messages (J); curves: GBP, ISS, SS.]

[Figure 7: Communication cost for receiving messages of the network at different privacy levels. x-axis: privacy in terms of number of bits (b); y-axis: communication cost for receiving messages (J); curves: GBP, ISS, SS.]

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \mathrm{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^2)$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports, while the SS cannot.

[Figure 8: Total communication cost of the network at different privacy levels. x-axis: privacy in terms of number of bits (b); y-axis: communication cost (J); curves: GBP, ISS, SS.]

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that, when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice, with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports, while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet the connectivity requirement and the query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, “A survey of applications of wireless sensors and wireless sensor networks,” in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC ’05 and MED ’05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and applications: a survey,” International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensor networks: a survey,” IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensor network security: a survey,” IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS ’05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, “Analysis of location privacy solutions in wireless sensor networks,” IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.


[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM ’08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC ’09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS ’06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en

[46] Wireless Sensor Networks Simulator: Castalia, http://castalia.research.nicta.com.au/index.php/en


(1) $O$ is the set of monitored objects. We assume that the size of $O$ is $M$. Every monitored object can move around in the deployment area.

(2) $\mathrm{Net}_O$ is the monitoring network deployed by a valid organization, such as the obj-WSN.

(3) $\mathrm{Net}_A$ is the hunting network deployed by an adversary to eavesdrop on the network transmissions of $\mathrm{Net}_O$.

(4) $D$ is the set of defense strategies to protect the source location privacy.

(5) $C_D$ is the cost of defense strategies, mainly consisting of energy cost.

(6) $A$ is the set of attack strategies to infer the locations of monitored objects.

(7) $S_A$ is the set of candidate objects in whose range the adversary expects to find the monitored objects.

(8) $b$ is the level of privacy in terms of bits. It is defined as [9, 10]

$$b = -\sum_{|S_A|} \frac{1}{|S_A|} \log_2 \frac{|O|}{|S_A|} = \log_2 \frac{|S_A|}{M}, \tag{3}$$

where $|S_A|$ and $|O|$ are the size of $S_A$ and $O$, respectively.

Given the level of privacy $b$, our goal is to achieve it with minimum defense overhead $C_D$.

5. Grid-Based Pull (GBP) Scheme under the UPHGM

As we have pointed out in Section 4, the UPHGM is more realistic than the PHGM and is suitable to monitor multiobjects accurately. However, there are still more challenges. In this section, we will propose a grid-based pull scheme to protect the DSLP under the UPHGM by combining a light-weight security object collection scheme with an effective grid partition method. It includes selecting communication scheme and determining grid size. And its implementation is then presented.

5.1. Selecting Communication Scheme. The first main challenge is to effectively authenticate and communicate between a mobile tag-node and each potential communication node in the network. There are two kinds of communication schemes: push scheme and pull scheme. For push scheme, each tag-node broadcasts Object-msg periodically. As the tag-nodes are mobile, every node in the network has to be able to authenticate each tag-node. For pull scheme, the query nodes broadcast query messages periodically. In this case, each tag-node must be able to authenticate every node in the network.

Compared with the push scheme, the pull scheme is more secure to solve our problem. For the push scheme, if any node is compromised by the adversary, he or she can obtain the secret information, such as secure keys, stored in a compromised node and then upload the obtained secret information to every eavesdropping node. As a result, when any tag-node broadcasts an Object-msg, eavesdropping nodes can authenticate the message and recognize the monitored object. For pull scheme, if any node is compromised by the adversary to launch the stealthy attacks, he or she shall not broadcast query message using the obtained secure information. If he or she does so, then it is very likely to expose the eavesdropping nodes to the obj-WSN and to trigger alarms. Only in this situation, when a monitored object lies in the communication range of the compromised node and the compromised node is just the query node, the location of the monitored object is exposed to the adversary without triggering alarms. Therefore, as shown in Table 1, considering security, we should select the pull scheme.

Table 1: Comparison of communication schemes.

| | Reporting way of tag-nodes | Authentication requirement | Resistance to node compromise |
|---|---|---|---|
| Push | Active broadcast | Each sensor node is able to authenticate all tag-nodes | Single-point failure |
| Pull | Passive reply | Each tag-node is able to authenticate all sensor nodes | Only tag-nodes nearby the compromised nodes probably fail |

However, due to resource constraints, for example, the storage resource, in order to let a tag-node be able to authenticate every node in the network, obviously we cannot select symmetric approaches, which require the tag-node to store a large number of pairwise keys. Hence, for storage efficiency, we should adopt an asymmetric authentication approach. Considering the asymmetric feature between tag-nodes and common nodes in the obj-WSN, we design an authentication approach based on the identity-based cryptography (IBC), which will be described in Section 5.3.

5.2. Determining Grid Size. The second problem we consider is how to reduce the number of query nodes as much as possible while keeping the high quality tracing of the monitored objects. To reduce the number of query nodes, we divide the whole network area into a number of virtual grids. And in each grid, a node, called duty node, is selected to collect information of the monitored objects. To balance energy load among nodes, each node can be responsible for collecting the information for a certain time interval in turn as duty node. Hence, the second problem can be translated into the problem of how to determine the size of the virtual grid to satisfy both query requirement and connectivity requirement. The query requirement means that, no matter where a tag-node is in the network, its relevant information can be detected by at least one query node. The connectivity requirement means that nodes in a grid are capable of communicating with those nodes in an adjacent grid.

On the one hand, to meet the query requirement, there should be at least one full grid in the circle with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, just as illustrated in Figure 3. Obviously, the smaller the size of the grid is, the more full grids are in the circle. To reduce the number of query nodes as much as possible, we need to determine the maximum size of the grid. We have derived the theoretical maximum size of the grid and have the following theorem.

Figure 3: Example of query requirement: in the communication range of the tag-node containing at least a full grid.

Theorem 1. To ensure that, no matter where a tag-node is in the network, there is at least one full grid in the circle $C_r$ with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, the maximum length $a$ of the grid is $r/\sqrt{2}$.

Proof. Firstly, we prove that there is at least one full grid in the circle $C_r$ when $a = r/\sqrt{2}$. We assume that the circle $C_r$ does not contain any full grid. Obviously, in this case, the center of the circle is at the common vertex of four grids most likely, as shown in Figure 4. In this case, the circle $C_r$ just contains four full grids, as shown in Figure 4. That is, the assumption does not hold. In other words, there is at least one full grid in the circle $C_r$.

Secondly, we prove that $a$ is the maximum length. We assume that the length $a^* = a + \varepsilon$ ($\varepsilon > 0$) also satisfies the requirement in the theorem. However, when the center of the circle is at the common vertex of four grids, the length of the diagonal line of one grid is $l_d = \sqrt{2}a^* = \sqrt{2}(a + \varepsilon) = \sqrt{2}(r/\sqrt{2} + \varepsilon) > r$, so the circle $C_r$ does not contain any full grid, which contradicts the assumption, as shown in Figure 4. That is, the assumption does not hold. This proves that $a$ is the maximum length.

On the other hand, according to [31], to satisfy the connectivity requirement, the length $a$ of the grid should satisfy $a \le R/\sqrt{5}$, where $R$ is the communication radius of every common node, as shown in Figure 5.

Figure 4: Example of one tag-node at the common vertex of four grids.

Figure 5: Example of connectivity requirement according to [31].

As the communication radius of the common node is usually not less than that of the tag-node, we assume that $R = \lambda r$, where $\lambda \ge 1$. Let $l$ be the length of the network. Define $m$ and $n$ by

$$m = \frac{l}{(r/\sqrt{2})}, \qquad n = \frac{l}{(R/\sqrt{5})}. \tag{4}$$

That is, $m$ and $n$ are the number of grids according to the above two dividing methods, respectively. Then we have the following conclusions.

(i) If $m = n$, that is, $\lambda = \sqrt{2.5}$, the above two dividing methods are the same.

(ii) If $m > n$, that is, $\lambda > \sqrt{2.5}$, to satisfy the above two requirements, we should select the former dividing method.

(iii) If $m < n$, that is, $1 \le \lambda < \sqrt{2.5}$, to satisfy the above two requirements, we should select the latter dividing method.

5.3. Implementation of the Grid-Based Pull Scheme. In this subsection, we introduce the implementation of the grid-based pull scheme, including predeployment phase, grid formation phase, and report collection phase.

5.3.1. Predeployment Phase. Before deploying the obj-WSN, we assume that a trusted authority (TA) does the following operations.

(1) Generate system parameters ($p$, $q$, $E/F_p$, and $G_a$), where $p$, $q$ are two large primes, $E/F_p$ indicates an elliptic curve $y^2 = x^3 + ax + b$ over the finite field $F_p$, and $G_a$ is a $q$-order subgroup of the additive group of points of $E/F_p$.

(2) Choose two hash functions: $H: \{0, 1\}^* \rightarrow G_a$, mapping strings to nonzero elements in $G_a$, and $h$, mapping arbitrary inputs to fixed-length outputs, for example, SHA-1 [32].

(3) Select a random element $k \in Z_q^* = \{x \mid 1 \le x \le q - 1\}$ as the network master secret.

(4) Calculate the $H(\mathrm{ID}_u) = (X_u, Y_u)$ and the IBC key $\mathrm{IK}_u = kH(\mathrm{ID}_u) \in G_a$ for each common node $u$. Note that, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to obtain $k$ from any $(\mathrm{IK}_u, \mathrm{ID}_u)$ pair.

(5) Randomly select $L$ common nodes as token nodes and preload each of them with a unique token ID.

Each common node $u$ is preloaded with the public system parameters ($p$, $q$, $E/F_p$, $G_a$, $H$, and $h$), its private key $\mathrm{IK}_u$, its public key $(X_u, Y_u)$, and a pairwise key with the sink node $K_{u\text{-bs}}$. Each tag-node $v$ is preloaded with the same public system parameters as each common node, the network master secret $k$, and a pairwise key with the sink node $K_{v\text{-bs}}$.

5.3.2. Grid Formation Phase. After deploying the obj-WSN, we assume that every common node can obtain its own location information using some localization methods, such as [33, 34]. Also, we assume that every common node can obtain the location information $(x_{\mathrm{bs}}, y_{\mathrm{bs}})$ of the sink node either via preloading method or via broadcasting method. The grid identifier $G_u = (g_{x\text{-}u}, g_{y\text{-}u})$ of node $u$ can be calculated using the following:

$$g_{x\text{-}u} = \left\lceil \frac{x_u - x_{\mathrm{bs}}}{a} \right\rceil, \qquad g_{y\text{-}u} = \left\lceil \frac{y_u - y_{\mathrm{bs}}}{a} \right\rceil, \tag{5}$$

where $x_u$ and $y_u$ indicate the geographic location of node $u$ and $a$ is the side length of a grid, which is determined according to Section 5.2.

To form virtual grids, in network initialization phase, each common node $i$ broadcasts a hello message (hello-msg) as follows:

$$\text{hello-msg} = \mathrm{ID}_i,\ x_i,\ y_i. \tag{6}$$

Upon receiving the hello-msg from node $i$, the node $u$ first calculates the grid identifier $G_i$ of node $i$ using the $(x_i, y_i)$ information. If $G_i = G_u$, it then puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its same-grid table in descending order of ID number; otherwise, it puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its non-same-grid table in increasing order of distance to the sink node.

To avoid additional communication overhead caused by the duty node role rotation, we can stipulate the rotation order, for example, in descending (or increasing) order of ID number in each grid. Thus, each grid will have a duty node when the network initialization finishes, and also each node will rotate as duty node in a stipulated order.
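The grid-side rule of Section 5.2, the grid identifier of (5) and the hello-msg table sorting, as an added example that is not code from the paper. The function names, the neighbourhood scan in `has_full_grid` and the sample coordinates are assumptions made for illustration; distances are in arbitrary units.

```python
import math

# Constructed sample data, not taken from the page: (ID, x, y) tuples.
SINK = (0.0, 0.0)
ME = (5, 1.0, 1.0)
HELLOS = [(9, 2.0, 3.0), (2, 4.0, 4.5), (7, 8.0, 1.0), (3, -1.0, 2.0)]


def grid_side(r, R):
    """Largest side a with a <= r/sqrt(2) (query) and a <= R/sqrt(5) (connectivity)."""
    return min(r / math.sqrt(2), R / math.sqrt(5))


def grid_id(x, y, sink, a):
    """Grid identifier of (5): ceiling of the offset from the sink over a."""
    return (math.ceil((x - sink[0]) / a), math.ceil((y - sink[1]) / a))


def has_full_grid(tag, r, sink, a):
    """True if at least one whole grid lies inside the circle C_r around tag."""
    gx, gy = grid_id(tag[0], tag[1], sink, a)
    for i in range(gx - 1, gx + 2):
        for j in range(gy - 1, gy + 2):
            # Grid (i, j) spans ((i-1)a, i*a] x ((j-1)a, j*a] relative to the sink.
            xs = (sink[0] + (i - 1) * a, sink[0] + i * a)
            ys = (sink[1] + (j - 1) * a, sink[1] + j * a)
            farthest = max(math.hypot(cx - tag[0], cy - tag[1])
                           for cx in xs for cy in ys)
            if farthest <= r + 1e-9:      # tolerance for the boundary case
                return True
    return False


def build_tables(me, hellos, sink, a):
    """Sort hello-msg senders into the same-grid and non-same-grid tables."""
    my_grid = grid_id(me[1], me[2], sink, a)
    same = [n for n in hellos if grid_id(n[1], n[2], sink, a) == my_grid]
    other = [n for n in hellos if grid_id(n[1], n[2], sink, a) != my_grid]
    same.sort(key=lambda n: n[0], reverse=True)        # descending ID number
    other.sort(key=lambda n: math.hypot(n[1] - sink[0], n[2] - sink[1]))
    return same, other


if __name__ == "__main__":
    r, R = 10.0, 20.0                      # lambda = 2 > sqrt(2.5)
    a = grid_side(r, R)
    print("grid side:", round(a, 3))
    print("tag at a grid vertex, a      :", has_full_grid(SINK, r, SINK, a))
    print("tag at a grid vertex, 1.01 a :", has_full_grid(SINK, r, SINK, 1.01 * a))
    print(build_tables(ME, HELLOS, SINK, 5.0))
```

The vertex case is the one Theorem 1 turns on: at $a = r/\sqrt{2}$ the far corner of an adjacent grid sits exactly on the circle, so any larger side leaves a tag-node at a vertex with no fully covered grid.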

5.3.3. Report Collection Phase. We assume that, in network initialization phase, an effective key-based mechanism is adopted, such as [35–37]. That is, an infrastructure for secure communication has been established. To achieve anonymity, nodes may need to use pseudonyms to communicate with each other according to the requirement. We adopt the method in [29] to generate pseudonyms. Assuming two nodes $u$ and $v$ with a shared key $K_{uv}$, we can generate a sequence of pseudonyms using the hash function $h$ by iteratively hashing a random value $V_{\mathrm{rdm}}$ as follows:

$$\mathrm{id}^{(1)}_{uv} = h(K_{uv},\ V_{\mathrm{rdm}}), \tag{7}$$

$$\mathrm{id}^{(i)}_{uv} = h(K_{uv},\ \mathrm{id}^{(i-1)}_{uv}). \tag{8}$$

(1) Broadcast Query Message. After network initialization, every duty node $u$ periodically broadcasts query message (query-msg) as follows:

$$\text{query-msg} = \mathrm{ID}_u,\ t_Q,\ X_u,\ \mathrm{MAC}_{\mathrm{IK}_u}(\mathrm{ID}_u, t_Q, X_u),\ \mathrm{MAC}_{K_{\mathrm{grp}}}(\mathrm{ID}_u, t_Q, X_u), \tag{9}$$

where $t_Q$ is the timestamp and its value is the time when the query-msg is broadcast by the duty node, $K_{\mathrm{grp}}$ is the group key shared among the sending node and its neighborhood, and $X_u$ is the $X$ coordinate of the node $u$ on the elliptic curve $E/F_p$. Since $H(\mathrm{ID}_u) = (X_u, Y_u)$ is a point of $E/F_p$, only one of $X_u$ and $Y_u$ coordinates needs to be transmitted, and the other can be easily derived using the curve equation.

(2) Reply Query Message

(i) For Tag-Node. We assume that tag-nodes and common nodes are loosely synchronized. Every tag-node periodically monitors the query-msg for a specific time interval $\Delta_m$, called monitoring slot. Each monitoring period is called a monitoring round. Upon receiving a query-msg from a duty node $u$, a tag-node $v$ performs the following operations.

(I) Calculate the $Y_u$ using $X_u$ and the curve and then calculate the IBC key $\mathrm{IK}_u = k(X_u, Y_u) \in G_a$ using the $(X_u, Y_u)$ and the network master secret $k$.

(II) Check the first MAC in (9): calculate $\mathrm{MAC}' = h_{\mathrm{IK}_u}(\mathrm{ID}_u, t_Q, X_u)$ and compare whether the received corresponding MAC is the same as the $\mathrm{MAC}'$. If the MAC is verified, it puts the $\mathrm{ID}_u$ into a candidate reply-list and stops receiving the query-msg in current monitoring slot; otherwise, it ignores the query-msg.

(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{v\text{-bs}},\ \mathrm{id}_u,\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others1}),\ \mathrm{MAC}_{K_{v\text{-bs}}}(\text{DATA1}),\ \mathrm{MAC}_{\mathrm{IK}_u}(\text{DATA2}), \tag{10}$$

$$\mathrm{id}_u = h(\mathrm{IK}_u,\ t_Q), \tag{11}$$

$$\text{DATA1} = \mathrm{id}^{(*)}_{v\text{-bs}},\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others1}), \tag{12}$$

$$\text{DATA2} = \mathrm{ID}_u,\ \mathrm{id}_u,\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others1}), \tag{13}$$

$$\text{collectInfo} = \text{DATA1},\ \mathrm{MAC}_{K_{v\text{-bs}}}(\text{DATA1}), \tag{14}$$

where $\mathrm{id}^{(*)}_{v\text{-bs}}$ is the pseudonym shared between tag-node $v$ and the sink node, $\mathrm{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply, it sends a reply-msg to node $u$. Note that token nodes do not perform the operations (I) and (II) as tag-nodes do. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{w\text{-next}},\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2}),\ \mathrm{MAC}_{K_{w\text{-next}}}(\text{DATA1}),\ \mathrm{MAC}_{K_{wu}}(\text{DATA2}), \tag{15}$$

$$\text{DATA1} = \mathrm{id}^{(*)}_{w\text{-next}},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2}), \tag{16}$$

$$\text{DATA2} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others2}), \tag{17}$$

where $\mathrm{id}^{(*)}_{w\text{-next}}$ and $K_{w\text{-next}}$ are the pseudonym and key shared between token node $w$ and the next round's token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself); $\mathrm{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively; and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round's token node.

(3) Generate and Forward Event Report Message. Due to the different schemes used by tag-nodes and token nodes to generate pseudonyms, as shown in (11) and (8), a query node which receives a reply-msg can know whether the message is sent from a tag-node or a token node. Therefore, the query node can check the MAC using the corresponding key. Upon receiving a reply-msg from a tag-node $v$ or a token node $w$, a query node $u$ first checks the corresponding MAC. If the corresponding MAC is verified, it generates an event report (rpt-msg) and forwards the rpt-msg to the duty node closest to the sink node in its communication range.

Query node $u$ forwards the following real rpt-msg to the chosen next hop node (nextHop) if it receives a verified reply-msg from tag-node $v$:

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ E_{K_{\mathrm{rs\text{-}bs}}}(\text{collectInfo}),\ \mathrm{MAC}_{K_{u\text{-nextHop}}}(\text{DATA}), \tag{18}$$

$$\text{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ E_{K_{\mathrm{rs\text{-}bs}}}(\text{collectInfo}), \tag{19}$$

where $\mathrm{ID}_{\mathrm{rs}}$ is the ID of the reporter source, that is, the first reporter node, and in this case its tag-node $u$; $t_{\mathrm{rs}}$ is the sending timestamp from the reporter source; and collectInfo is shown in (14).

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ \text{rdmDATA},\ \mathrm{MAC}_{K_{u\text{-nextHop}}}(\text{DATA}), \tag{20}$$

$$\text{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{\mathrm{nextHop}},\ t_{\mathrm{rs}},\ \mathrm{ID}_{\mathrm{rs}},\ \text{rdmDATA}, \tag{21}$$

where rdmDATA is a random binary sequence code and its length shall satisfy the fact that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will eventually reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field via decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\mathrm{ID}_{\mathrm{rs}}$ field in (18). Then it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node, if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can eventually obtain the interesting information about the monitored objects.

5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\mathrm{id}^{(*)}_{v\text{-bs}}$ and $\mathrm{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-bs}}$ and $K_{w\text{-next}}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $\mathrm{IK}_u$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\mathrm{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\mathrm{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\mathrm{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of next round. It not only guarantees that tag-nodes reply the query messages confidentially but also guarantees that token nodes pass tokens confidentially:

$$\mathrm{id}^{(*)}_{v\text{-bs}} = h(K_{v\text{-bs}},\ \mathrm{id}^{(*-1)}_{v\text{-bs}}), \tag{22}$$

$$\mathrm{id}^{(*)}_{w\text{-next}} = h(K_{w\text{-next}},\ \mathrm{id}^{(*-1)}_{w\text{-next}}), \tag{23}$$

$$\mathrm{id}^{(*)}_{wu} = h(K_{wu},\ \mathrm{id}^{(*-1)}_{wu}). \tag{24}$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node has the same pseudonym, because the hash function may generate same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{\mathrm{bit}}/2}$, where $n_{\mathrm{bit}}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, then the collision probability is 2.3e−10, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{v\text{-bs}}$, $K_{w\text{-next}}$, and $K_{\mathrm{rs\text{-}bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes via using corresponding keys, such as $\mathrm{IK}_u$ and $K_{\mathrm{grp}}$, to check the first MAC, $\mathrm{MAC}^{(1)}$, and the second MAC, $\mathrm{MAC}^{(2)}$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23):

$$\mathrm{MAC}^{(1)} = h_{\mathrm{IK}_u}(\mathrm{ID}_u, t_Q, X_u), \tag{25}$$

$$\mathrm{MAC}^{(2)} = h_{K_{\mathrm{grp}}}(\mathrm{ID}_u, t_Q, X_u). \tag{26}$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{\mathrm{self}}$ as (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replay message, and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\mathrm{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh:

$$\Delta_t = \left| t_Q - t_{\mathrm{self}} \right|. \tag{27}$$
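The query-msg checks performed by a tag-node and a token node, with the pseudonym chain of (7) and (8), the MACs of (25) and (26), the freshness test of (27) and the reply pseudonym of (11), as an added example that is not code from the paper. It assumes SHA-256 for $h$, a 5-second freshness threshold and constructed keys, and it replaces the IBC key computation $\mathrm{IK}_u = k(X_u, Y_u)$ with an HMAC stand-in (`derive_ik`), so it shows the message flow and not the elliptic-curve arithmetic.

```python
import hashlib
import hmac

PSEUDONYM_LEN = 8   # bytes: pseudonym size used in the page's collision estimate
MAC_LEN = 4         # bytes: MAC size the page adopts
FRESH_WINDOW = 5    # seconds: assumed value for the threshold Delta_t-fresh

# Constructed sample values, not taken from the page.
MASTER_K = bytes(range(32))                          # network master secret k
K_GRP = b"constructed-group-key"                     # group key K_grp
ID_U = (23).to_bytes(2, "big")                       # 2-byte duty node ID
X_U = hashlib.sha256(b"constructed X").digest() * 2  # 64-byte X coordinate
T_Q = 1_000_000                                      # query timestamp (s)


def _frame(fields):
    # Length-prefix each field so different field lists never serialize alike.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def h(*fields):
    """Hash h over a field list (SHA-256 assumed; the page cites SHA-1 as an example)."""
    return hashlib.sha256(_frame(fields)).digest()


def mac(key, *fields):
    """Keyed hash h_K(fields), truncated to MAC_LEN, as in (25) and (26)."""
    return hmac.new(key, _frame(fields), hashlib.sha256).digest()[:MAC_LEN]


def derive_ik(master_k, x_u):
    """Stand-in for IK_u = k(X_u, Y_u): an HMAC, not elliptic-curve arithmetic.
    It keeps only the data flow: a tag-node rebuilds IK_u from k and X_u."""
    return hmac.new(master_k, b"IK" + x_u, hashlib.sha256).digest()


class PseudonymChain:
    """id(1) = h(K, V_rdm) and id(i) = h(K, id(i-1)), as in (7) and (8)."""

    def __init__(self, key, v_rdm):
        self.key = key
        self.current = h(key, v_rdm)[:PSEUDONYM_LEN]

    def advance(self):
        self.current = h(self.key, self.current)[:PSEUDONYM_LEN]
        return self.current


def build_query(id_u, t_q, x_u, ik_u, k_grp):
    """query-msg of (9): ID_u, t_Q, X_u, then the two MACs."""
    ts = t_q.to_bytes(4, "big")
    return {"id": id_u, "t_q": t_q, "x": x_u,
            "mac1": mac(ik_u, id_u, ts, x_u),
            "mac2": mac(k_grp, id_u, ts, x_u)}


def _check(msg, key, field, t_self):
    # Freshness test of (27): a stale timestamp is rejected whatever its MAC.
    if abs(msg["t_q"] - t_self) > FRESH_WINDOW:
        return "stale"
    expected = mac(key, msg["id"], msg["t_q"].to_bytes(4, "big"), msg["x"])
    # Constant-time comparison of the recomputed and received MAC.
    return "ok" if hmac.compare_digest(expected, msg[field]) else "bad-mac"


def tag_check_query(msg, master_k, t_self):
    """Tag-node: rebuild IK_u from k and X_u, then verify the first MAC (25)."""
    return _check(msg, derive_ik(master_k, msg["x"]), "mac1", t_self)


def token_check_query(msg, k_grp, t_self):
    """Token node: verify only the second MAC (26) with the group key."""
    return _check(msg, k_grp, "mac2", t_self)


def reply_pseudonym(ik_u, t_q):
    """id_u = h(IK_u, t_Q) of (11): ties a tag-node's reply to one query."""
    return h(ik_u, t_q.to_bytes(4, "big"))[:PSEUDONYM_LEN]


if __name__ == "__main__":
    ik_u = derive_ik(MASTER_K, X_U)
    query = build_query(ID_U, T_Q, X_U, ik_u, K_GRP)
    print("fresh query :", tag_check_query(query, MASTER_K, T_Q + 2))
    print("replayed    :", tag_check_query(query, MASTER_K, T_Q + 60))
    print("reply id_u  :", reply_pseudonym(ik_u, T_Q).hex())
```

Because `reply_pseudonym` depends on $t_Q$, a reply captured in one monitoring round does not match the value a duty node expects for its next query.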

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as in [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$b = \log_2 \frac{M + L}{M}. \tag{28}$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section, we provide the packet format and length for each type of messages. According to IEEE 802.15.4 frame format [39], each packet includes 9 bytes of constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of messages in both our schemes and SS includes the 9 bytes of constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte $X$ coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte $X$ coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\mathrm{len}_{\text{query-msg}}$. So we have $\mathrm{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MACs fields. We assume that the encrypted function is implemented using the AES-128 with a 16-byte output. Then the byte length of the reply-msg $\mathrm{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32 using the AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg $\mathrm{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal $\mathrm{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MACs fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg $\mathrm{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MACs field in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg $\mathrm{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to in GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg $\mathrm{len}_{\text{rpt-msg-iss/ss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the broadcasting query-msg phase, duty-nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msg and replying query-msg, we can transmit them on two different channels. Therefore, the number of query-msg broadcast $N_{\text{Tx-qry-msg}}$ in the network will be equal to the number of the duty nodes; the number of query-msg received $N_{\text{Rx-qry-msg}}$ in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$. (2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted $N_{\text{Tx-rpl-msg}}$ in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of query-msg received $N_{\text{Rx-rpl-msg}}$ in the network will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$. (3) In the sending rpt-msgs phase, the chosen duty-nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\mathrm{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\mathrm{hop}_{\text{avg}}$. Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

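$$
\begin{aligned}
E_{\text{Tx-GBP}} &= \left(N_{\text{Tx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55,
\end{aligned} \tag{29}
$$

$$
\begin{aligned}
E_{\text{Rx-GBP}} &= \left(N_{\text{Rx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55.
\end{aligned} \tag{30}
$$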

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted $N_{\text{Tx-trig-msg-iss}}$ and the number of event-trigger-signals received $N_{\text{Rx-trig-msg-iss}}$ are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes' neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted $N_{\text{Tx-token-msg-iss}}$ and the number of token-pass-msgs received $N_{\text{Rx-token-msg-iss}}$ are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^2$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\mathrm{hop}_{\text{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

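$$
\begin{aligned}
E_{\text{Tx-ISS}} &= \left(N_{\text{Tx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{31}
$$

$$
\begin{aligned}
E_{\text{Rx-ISS}} &= \left(N_{\text{Rx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 55 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{32}
$$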

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. In both the transmitting event-trigger-signal phase and the sending token-pass-msg phase, it is similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of token-pass-msgs transmitted $N_{\text{Tx-rpt-msg-ss}}$ is $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{33}
$$

$$
\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{34}
$$

Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^2$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

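According to (29), (31), and (33), we can derive

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}\right) \right], \tag{35}
$$

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right) \right], \tag{36}
$$

$$
E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M) \left(20\rho_{\text{node}} + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right). \tag{37}
$$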

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \mathrm{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^2$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ |

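Similarly, according to (30), (32), and (34), we can derive

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}^2\right), \tag{38}
$$

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}}^2 - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right), \tag{39}
$$

$$
E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\rho_{\text{node}}^2 + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right). \tag{40}
$$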

In (38), if

$$
\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\mathrm{hop}_{\text{avg}}\right)}}{110}, \tag{41}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\mathrm{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

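In (40), if

$$
\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\mathrm{hop}_{\text{avg}} - \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^2 - 3120\,\mathrm{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\mathrm{hop}_{\text{avg}} + \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^2 - 3120\,\mathrm{hop}_{\text{avg}}}}{40},
\end{aligned} \tag{43}
$$

with $\mathrm{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.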


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 mJ = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
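The energy model of Sections 6.1.1 to 6.1.3 can be evaluated directly. The following Python sketch is an added example, not code from the paper: it rebuilds the message lengths from the listed fields, applies the message counts of Tables 2 to 4 to obtain (29) to (34), solves (38) and (39) for the break-even neighbor density, and recomputes the tag-node daily energy. The function names and the scenario values for $L + M$, $\mathrm{hop}_{\text{avg}}$, and the grid count are assumptions chosen for illustration.

```python
import math

CONST = 9  # bytes of constant information in every message (Section 6.1.1)

# Message lengths in bytes, built from the field lists in Section 6.1.1.
LEN = {
    "query":      CONST + 2 + 4 + 64 + 2 * 4,      # addr, timestamp, X coord, 2 MACs -> 87
    "reply":      CONST + 2 * 8 + 16 + 2 * 4,      # 2 pseudonyms, AES block, 2 MACs  -> 49
    "rpt_gbp":    CONST + 3 * 2 + 4 + 32 + 4,      # 3 IDs, timestamp, 2 AES blocks, MAC -> 55
    "trig":       CONST + 4 + 4,                   # timestamp, MAC                   -> 17
    "token_iss":  CONST + 2 + 4 + 2 * 16 + 2 * 4,  # ID, timestamp, 2 AES blocks, 2 MACs -> 55
    "token_ss":   CONST + 2 + 4 + 16 + 4,          # ID, timestamp, AES block, MAC    -> 35
    "rpt_iss_ss": CONST + 3 * 2 + 4 + 16 + 4,      # 3 IDs, timestamp, AES block, MAC -> 39
}

E_TX = 5.76e-6   # J per transmitted byte (CC2420 figure quoted in Section 6.1.3)
E_RX = 6.48e-6   # J per received byte
E_ECC = 17e-3    # J per ECC-160 scalar point multiplication


def message_counts(scheme, objs, rho, hop, duty_nodes=0):
    """Rows of (message length, Tx count, Rx count) taken from Tables 2-4.

    objs = L + M, rho = average neighbours per node, hop = average hops to
    the sink, duty_nodes = n_row * n_clm (only GBP uses it).
    """
    if scheme == "GBP":
        return [(LEN["query"], duty_nodes, objs),
                (LEN["reply"], objs, objs * rho),
                (LEN["rpt_gbp"], objs * hop, objs * hop)]
    if scheme == "ISS":
        return [(LEN["trig"], objs, objs * rho),
                (LEN["token_iss"], objs * rho, objs * rho ** 2),
                (LEN["rpt_iss_ss"], objs * hop, objs * hop)]
    if scheme == "SS":
        return [(LEN["trig"], objs, objs * rho),
                (LEN["token_ss"], objs * rho, objs * rho ** 2),
                (LEN["rpt_iss_ss"], objs * rho * hop, objs * rho * hop)]
    raise ValueError(f"unknown scheme: {scheme}")


def energy(scheme, objs, rho, hop, duty_nodes=0):
    """Return (Tx joules, Rx joules), i.e. equations (29)-(34)."""
    rows = message_counts(scheme, objs, rho, hop, duty_nodes)
    tx = E_TX * sum(length * n_tx for length, n_tx, _ in rows)
    rx = E_RX * sum(length * n_rx for length, _, n_rx in rows)
    return tx, rx


def rx_breakeven_rho(other, hop):
    """Neighbour density above which GBP receives more cheaply than `other`.

    Positive root of the quadratic in rho obtained by setting (38) or (39)
    to zero.
    """
    if other == "ISS":    # 55 rho^2 - 32 rho - (87 + 16 hop) = 0
        a, b, c = 55, -32, -(87 + 16 * hop)
    elif other == "SS":   # 35 rho^2 + (39 hop - 32) rho - (87 + 55 hop) = 0
        a, b, c = 35, 39 * hop - 32, -(87 + 55 * hop)
    else:
        raise ValueError(f"unknown scheme: {other}")
    return (-b + math.sqrt(b * b - 4 * a * c)) / (2 * a)


def tag_node_daily_energy(queries_per_day=24 * 60):
    """Joules per day for a tag-node: receive a query-msg, do one ECC
    scalar multiplication, send a reply-msg, once per query."""
    per_query = LEN["query"] * E_RX + E_ECC + LEN["reply"] * E_TX
    return queries_per_day * per_query


if __name__ == "__main__":
    # Constructed scenario: rho = 47 is the simulation's density; the object
    # count, hop count and grid count are illustrative assumptions.
    objs, rho, hop, duty = 16, 47, 20, 30 * 30
    for scheme in ("GBP", "ISS", "SS"):
        tx, rx = energy(scheme, objs, rho, hop, duty)
        print(f"{scheme}: Tx {tx:.3f} J, Rx {rx:.3f} J, total {tx + rx:.3f} J")
    for other in ("ISS", "SS"):
        print(f"GBP Rx <= {other} Rx once rho >= "
              f"{math.ceil(rx_breakeven_rho(other, hop))} (hop_avg = {hop})")
    daily = tag_node_daily_energy()
    print(f"tag-node: {daily:.3f} J/day, {18720 / daily:.0f} days on 18720 J")
```

With the constructed scenario the receive cost is dominated by the $\rho_{\text{node}}^2$ token-pass term in ISS and SS, which is why GBP's receive energy stays far below both.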

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network as [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

Figure 6: Communication cost for transmitting messages of the network at different privacy levels. [Plot: communication cost for transmitting messages (J) versus privacy in terms of number of bits (b); curves for GBP, ISS, and SS.]

Figure 7: Communication cost for receiving messages of the network at different privacy levels. [Plot: communication cost for receiving messages (J) versus privacy in terms of number of bits (b); curves for GBP, ISS, and SS.]

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \mathrm{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^2)$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.

Figure 8: Total communication cost of the network at different privacy levels. [Plot: communication cost (J) versus privacy in terms of number of bits (b); curves for GBP, ISS, and SS.]

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "A survey on sensor networks," IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, "A survey of applications of wireless sensors and wireless sensor networks," in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC '05 and MED '05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, "Wireless sensor networks and applications: a survey," International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, "Securing wireless sensor networks: a survey," IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, "Sensor network security: a survey," IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, "Enhancing source-location privacy in sensor network routing," in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS '05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, "Analysis of location privacy solutions in wireless sensor networks," IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.


[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, "Privacy preservation in wireless sensor networks: a state-of-the-art survey," Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, "Location privacy in sensor networks against a global eavesdropper," in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP '07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, "Protecting location privacy in sensor networks against a global eavesdropper," IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, "Towards statistically strong source anonymity for sensor networks," in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, "Source location anonymity for sensor networks," in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC '09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Statistical framework for source anonymity in sensor networks," in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM '10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Toward a statistical framework for source anonymity in sensor networks," IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, "Towards event source unobservability with minimum network traffic in sensor networks," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, "Maximizing lifetime of event-unobservable wireless sensor networks," Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, "Protecting source location privacy in wireless sensor networks with data aggregation," in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC '10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, "Source location privacy against laptop-class attacks in sensor networks," in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm '08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, "The quality of source location protection in globally attacked sensor networks," in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops '11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, "Source-location privacy in energy-constrained sensor network routing," in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, "Preserving source location privacy in monitoring-based wireless sensor networks," in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS '06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, "A source-location privacy protocol in WSN based on locational angle," in Proceedings of the IEEE International Conference on Communications (ICC '08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, "Preserving source-location privacy in energy-constrained wireless sensor networks," in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops '08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, "Privacy-aware routing in sensor networks," Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, "Providing source-location privacy in wireless sensor networks," in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA '09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, "Preserving source-location privacy in wireless sensor networks," in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, "Quantitative measurement and design of source-location privacy schemes for wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, "Entrapping adversaries for source protection in sensor networks," in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM '06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, "A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, "Geography-informed energy conservation for ad hoc routing," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM '01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, "Secure localization and authentication in ultra-wideband sensor networks," IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, "TPS: a time-based positioning scheme for outdoor wireless sensor networks," in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '04), pp. 2685–2696, HongKong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P '03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, "TinySec: a link layer security architecture for wireless sensor networks," in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys '04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] "The IEEE 802.15.4 standard (ver. 2006)," 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "Location-based compromise-tolerant security mechanisms for wireless sensor networks," IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, "An efficient location-based compromise-tolerant key management scheme for sensor networks," Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, "TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks," Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, "On the energy cost of communication and cryptography in wireless sensor networks," in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob '08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User's Manual, http://castalia.research.nicta.com.au/index.php/en/.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en/.


Figure 3: Example of query requirement in the communication range of the tag-node containing at least a full grid.

the smaller the size of the grid is, the more full grids are in the circle. To reduce the number of query nodes as largely as possible, we need to determine the maximum size of the grid. We have derived the theoretical maximum size of the grid and have the following theorem.

Theorem 1. To ensure that, no matter where a tag-node is in the network, there is at least one full grid in the circle $C_r$ with the tag-node as the center and with the communication radius $r$ of the tag-node as the radius, the maximum length $a$ of the grid is $r/\sqrt{2}$.

Proof Firstly we prove that there is at least one full grid in thecircle 119862

119903when 119886 = 119903radic2 We assume that the circle 119862

119903does

not contain any full grid Obviously in this case the center ofthe circle is at the common vertex of four grids most likelyas shown in Figure 4 In this case the circle 119862119903 just containsfour full grids as shown in Figure 4 That is the assumptiondoes not hold In other words there is at least one full grid inthe circle 119862119903

Secondly, we prove that $a$ is the maximum length. We assume that the length $a^{*} = a + \varepsilon$ ($\varepsilon > 0$) also satisfies the requirement in the theorem. However, when the center of the circle is at the common vertex of four grids, the length of the diagonal line of one grid is $l_d = \sqrt{2}a^{*} = \sqrt{2}(a + \varepsilon) = \sqrt{2}(r/\sqrt{2} + \varepsilon) > r$, so the circle $C_r$ does not contain any full grid, which contradicts the assumption, as shown in Figure 4. That is, the assumption does not hold. This proves that $a$ is the maximum length.

On the other hand, according to [31], to satisfy the connectivity requirement, the length $a$ of the grid should satisfy $a \le R/\sqrt{5}$, where $R$ is the communication radius of every common node, as shown in Figure 5.

As the communication radius of the common node is usually not less than that of the tag-node, we assume that $R = \lambda r$, where $\lambda \ge 1$. Let $l$ be the length of the network. Define $m$ and $n$ by

$$m = \frac{l}{r/\sqrt{2}}, \qquad n = \frac{l}{R/\sqrt{5}}. \tag{4}$$

Figure 4: Example of one tag-node at the common vertex of four grids.

Figure 5: Example of connectivity requirement according to [31].

That is, $m$ and $n$ are the number of grids according to the above two dividing methods, respectively. Then we have the following conclusions.

(i) If $m = n$, that is, $\lambda = \sqrt{2.5}$, the above two dividing methods are the same.

(ii) If $m > n$, that is, $\lambda > \sqrt{2.5}$, to satisfy the above two requirements, we should select the former dividing method.

(iii) If $m < n$, that is, $1 \le \lambda < \sqrt{2.5}$, to satisfy the above two requirements, we should select the latter dividing method.

5.3. Implementation of the Grid-Based Pull Scheme. In this subsection, we introduce the implementation of the grid-based pull scheme, including the predeployment phase, the grid formation phase, and the report collection phase.

5.3.1. Predeployment Phase. Before deploying the obj-WSN, we assume that a trusted authority (TA) does the following operations.


(1) Generate system parameters ($p$, $q$, $E/F_p$, and $G_a$), where $p$, $q$ are two large primes, $E/F_p$ indicates an elliptic curve $y^2 = x^3 + ax + b$ over the finite field $F_p$, and $G_a$ is a $q$-order subgroup of the additive group of points of $E/F_p$.

(2) Choose two hash functions: $H: \{0, 1\}^{*} \rightarrow G_a$, mapping strings to nonzero elements in $G_a$, and $h$, mapping arbitrary inputs to fixed-length outputs, for example, SHA-1 [32].

(3) Select a random element $k \in Z_q^{*} = \{x \mid 1 \le x \le q - 1\}$ as the network master secret.

(4) Calculate $H(\mathrm{ID}_u) = (X_u, Y_u)$ and the IBC key $IK_u = kH(\mathrm{ID}_u) \in G_a$ for each common node $u$. Note that, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to obtain $k$ from any ($IK_u$, $\mathrm{ID}_u$) pair.

(5) Randomly select $L$ common nodes as token nodes and preload each of them with a unique token ID.

Each common node $u$ is preloaded with the public system parameters ($p$, $q$, $E/F_p$, $G_a$, $H$, and $h$), its private key $IK_u$, its public key $(X_u, Y_u)$, and a pairwise key with the sink node, $K_{u\text{-bs}}$. Each tag-node $v$ is preloaded with the same public system parameters as each common node, the network master secret $k$, and a pairwise key with the sink node, $K_{v\text{-bs}}$.

5.3.2. Grid Formation Phase. After deploying the obj-WSN, we assume that every common node can obtain its own location information using some localization methods, such as [33, 34]. Also, we assume that every common node can obtain the location information $(x_{bs}, y_{bs})$ of the sink node, either via preloading or via broadcasting. The grid identifier $G_u = (g_{x\text{-}u}, g_{y\text{-}u})$ of node $u$ can be calculated using the following:

$$g_{x\text{-}u} = \left\lceil \frac{x_u - x_{bs}}{a} \right\rceil, \qquad g_{y\text{-}u} = \left\lceil \frac{y_u - y_{bs}}{a} \right\rceil, \tag{5}$$

where $x_u$ and $y_u$ indicate the geographic location of node $u$ and $a$ is the side length of a grid, which is determined according to Section 5.2.
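The grid sizing rule of Section 5.2 and the grid identifier of (5), as an added Python example that is not code from the paper. The function names, the sample radii and the constructed random tag positions are assumptions made for illustration; grid lines are placed at multiples of $a$ with the sink at the origin.

```python
import math
import random


def grid_side(r, R):
    """Largest side length meeting both limits on the page:
    a <= r/sqrt(2) (Theorem 1) and a <= R/sqrt(5) (connectivity, from [31])."""
    return min(r / math.sqrt(2), R / math.sqrt(5))


def dividing_method(lam):
    """Conclusions (i)-(iii) for R = lam * r with lam >= 1."""
    if lam < 1:
        raise ValueError("the page assumes lambda >= 1")
    if math.isclose(lam, math.sqrt(2.5)):
        return "same"
    return "former" if lam > math.sqrt(2.5) else "latter"


def grid_id(x, y, x_bs, y_bs, a):
    """Equation (5): grid identifier of a node, relative to the sink."""
    return (math.ceil((x - x_bs) / a), math.ceil((y - y_bs) / a))


def has_full_grid(cx, cy, r, a, eps=1e-9):
    """True if at least one a-by-a cell lies entirely inside the closed disc
    of radius r centred on (cx, cy). eps absorbs floating-point rounding."""
    for i in range(math.floor((cx - r) / a), math.floor((cx + r) / a) + 1):
        for j in range(math.floor((cy - r) / a), math.floor((cy + r) / a) + 1):
            corners = ((i * a, j * a), ((i + 1) * a, j * a),
                       (i * a, (j + 1) * a), ((i + 1) * a, (j + 1) * a))
            if all(math.hypot(px - cx, py - cy) <= r + eps for px, py in corners):
                return True
    return False


def uncovered_positions(r, a, trials=2000, seed=7):
    """Count constructed tag positions whose circle holds no full grid.
    The common vertex (0, 0), the worst case used in the proof, is always tried."""
    rng = random.Random(seed)
    points = [(0.0, 0.0)]
    points += [(rng.uniform(-5 * a, 5 * a), rng.uniform(-5 * a, 5 * a))
               for _ in range(trials)]
    return sum(not has_full_grid(x, y, r, a) for x, y in points)


if __name__ == "__main__":
    r = 10.0                                  # constructed tag-node radius
    a_max = r / math.sqrt(2)
    print("uncovered at a = r/sqrt(2):", uncovered_positions(r, a_max))
    print("uncovered at 1.05 * a:", uncovered_positions(r, 1.05 * a_max))
    print("lambda = 2.0 ->", dividing_method(2.0), grid_side(r, 2.0 * r))
    print("lambda = 1.2 ->", dividing_method(1.2), grid_side(r, 1.2 * r))
    print("grid id of (25, -3):", grid_id(25.0, -3.0, 0.0, 0.0, 10.0))
```

Because (5) uses the ceiling function, a node lying exactly on a grid line is assigned to the cell with the lower index on that axis.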

To form virtual grids in the network initialization phase, each common node $i$ broadcasts a hello message (hello-msg) as follows:

$$\text{hello-msg} = \mathrm{ID}_i,\ x_i,\ y_i. \tag{6}$$

Upon receiving the hello-msg from node $i$, the node $u$ first calculates the grid identifier $G_i$ of node $i$ using the $(x_i, y_i)$ information. If $G_i = G_u$, it then puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its same-grid table in descending order of ID number; otherwise, it puts the information $(\mathrm{ID}_i, x_i, y_i)$ of node $i$ into its non-same-grid table in increasing order of distance to the sink node.

To avoid additional communication overhead caused by the duty node role rotation, we can stipulate the rotation order, for example, in descending (or increasing) order of ID number in each grid. Thus, each grid will have a duty node when the network initialization finishes, and also each node will rotate as duty node in a stipulated order.

5.3.3. Report Collection Phase. We assume that, in the network initialization phase, an effective key-based mechanism is adopted, such as [35–37]. That is, an infrastructure for secure communication has been established. To achieve anonymity, nodes may need to use pseudonyms to communicate with each other according to the requirement. We adopt the method in [29] to generate pseudonyms. Assuming two nodes $u$ and $v$ with a shared key $K_{uv}$, we can generate a sequence of pseudonyms using the hash function $h$ by iteratively hashing a random value $V_{rdm}$ as follows:

$$\mathrm{id}^{(1)}_{uv} = h(K_{uv} \,\|\, V_{rdm}), \tag{7}$$

$$\mathrm{id}^{(i)}_{uv} = h(K_{uv} \,\|\, \mathrm{id}^{(i-1)}_{uv}). \tag{8}$$

(1) Broadcast Query Message. After network initialization, every duty node $u$ periodically broadcasts a query message (query-msg) as follows:

$$\text{query-msg} = \mathrm{ID}_u,\ t_Q,\ X_u,\ \mathrm{MAC}_{IK_u}(\mathrm{ID}_u, t_Q, X_u),\ \mathrm{MAC}_{K_{grp}}(\mathrm{ID}_u, t_Q, X_u), \tag{9}$$

where $t_Q$ is the timestamp and its value is the time when the query-msg is broadcast by the duty node, $K_{grp}$ is the group key shared among the sending node and its neighborhood, and $X_u$ is the $X$ coordinate of the node $u$ on the elliptic curve $E/F_p$. Since $H(\mathrm{ID}_u) = (X_u, Y_u)$ is a point of $E/F_p$, only one of the $X_u$ and $Y_u$ coordinates needs to be transmitted, and the other can be easily derived using the curve equation.

(2) Reply Query Message

(i) For Tag-Node. We assume that tag-nodes and common nodes are loosely synchronized. Every tag-node periodically monitors the query-msg for a specific time interval $\Delta_m$, called the monitoring slot. Each monitoring period is called a monitoring round. Upon receiving a query-msg from a duty node $u$, a tag-node $v$ performs the following operations.

(I) Calculate $Y_u$ using $X_u$ and the curve, and then calculate the IBC key $IK_u = k(X_u, Y_u) \in G_a$ using $(X_u, Y_u)$ and the network master secret $k$.

(II) Check the first MAC in (9): calculate $\mathrm{MAC}' = h_{IK_u}(\mathrm{ID}_u \,\|\, t_Q \,\|\, X_u)$ and compare whether the received corresponding MAC is the same as $\mathrm{MAC}'$. If the MAC is verified, it puts $\mathrm{ID}_u$ into a candidate reply-list and stops receiving the query-msg in the current monitoring slot; otherwise, it ignores the query-msg.


(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{v\text{-bs}},\ \mathrm{id}_u,\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others}_1),\ \mathrm{MAC}_{K_{v\text{-bs}}}(\mathrm{DATA}_1),\ \mathrm{MAC}_{IK_u}(\mathrm{DATA}_2), \tag{10}$$

$$\mathrm{id}_u = h(IK_u \,\|\, t_Q), \tag{11}$$

$$\mathrm{DATA}_1 = \mathrm{id}^{(*)}_{v\text{-bs}},\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others}_1), \tag{12}$$

$$\mathrm{DATA}_2 = \mathrm{ID}_u,\ \mathrm{id}_u,\ E_{K_{v\text{-bs}}}(\mathrm{TID}_v, t, \text{others}_1), \tag{13}$$

$$\text{collectInfo} = \mathrm{DATA}_1,\ \mathrm{MAC}_{K_{v\text{-bs}}}(\mathrm{DATA}_1), \tag{14}$$

where $\mathrm{id}^{(*)}_{v\text{-bs}}$ is the pseudonym shared between tag-node $v$ and the sink node, $\mathrm{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply to, it sends a reply-msg to node $u$. Note that token nodes do not perform the operations (I) and (II) as a tag-node does. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{w\text{-next}},\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others}_2),\ \mathrm{MAC}_{K_{w\text{-next}}}(\mathrm{DATA}_1),\ \mathrm{MAC}_{K_{wu}}(\mathrm{DATA}_2), \tag{15}$$

$$\mathrm{DATA}_1 = \mathrm{id}^{(*)}_{w\text{-next}},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others}_2), \tag{16}$$

$$\mathrm{DATA}_2 = \mathrm{ID}_u,\ \mathrm{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others}_2), \tag{17}$$

where $\mathrm{id}^{(*)}_{w\text{-next}}$ and $K_{w\text{-next}}$ are the pseudonym and key shared between token node $w$ and the next round's token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself); $\mathrm{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively; and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round's token node.

(3) Generate and Forward Event Report Message. Due to the different schemes used by tag-nodes and token nodes to generate pseudonyms, as shown in (11) and (8), a query node which receives a reply-msg can know whether the message is sent from a tag-node or a token node. Therefore, the query node can check the MAC using the corresponding key. Upon receiving a reply-msg from a tag-node $v$ or a token node $w$, a query node $u$ first checks the corresponding MAC. If the corresponding MAC is verified, it generates an event report (rpt-msg) and forwards the rpt-msg to the duty node closest to the sink node in its communication range.

Query node $u$ forwards the following real rpt-msg to the chosen next hop node (nextHop) if it receives a verified reply-msg from tag-node $v$:

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{nextHop},\ t_{rs},\ \mathrm{ID}_{rs},\ E_{K_{rs\text{-bs}}}(\text{collectInfo}),\ \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}), \tag{18}$$

$$\mathrm{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{nextHop},\ t_{rs},\ \mathrm{ID}_{rs},\ E_{K_{rs\text{-bs}}}(\text{collectInfo}), \tag{19}$$

where $\mathrm{ID}_{rs}$ is the ID of the reporter source, that is, the first reporter node, and in this case its tag-node $u$; $t_{rs}$ is the sending timestamp from the reporter source; and collectInfo is shown in (14).

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \mathrm{ID}_u,\ \mathrm{ID}_{nextHop},\ t_{rs},\ \mathrm{ID}_{rs},\ \text{rdmDATA},\ \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}), \tag{20}$$

$$\mathrm{DATA} = \mathrm{ID}_u,\ \mathrm{ID}_{nextHop},\ t_{rs},\ \mathrm{ID}_{rs},\ \text{rdmDATA}, \tag{21}$$

where rdmDATA is a random binary sequence code whose length is chosen so that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will evenly reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field via decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\mathrm{ID}_{rs}$ field in (18). Then it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node, if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can evenly obtain the interesting information about the monitored objects.


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\mathrm{id}^{(*)}_{v\text{-bs}}$ and $\mathrm{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-bs}}$ and $K_{w\text{-next}}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $IK_u$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\mathrm{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\mathrm{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\mathrm{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of the next round. It not only guarantees that tag-nodes reply to the query messages confidentially but also guarantees that token nodes pass tokens confidentially:

$$\mathrm{id}^{(*)}_{v\text{-bs}} = h(K_{v\text{-bs}} \,\|\, \mathrm{id}^{(*-1)}_{v\text{-bs}}), \tag{22}$$

$$\mathrm{id}^{(*)}_{w\text{-next}} = h(K_{w\text{-next}} \,\|\, \mathrm{id}^{(*-1)}_{w\text{-next}}), \tag{23}$$

$$\mathrm{id}^{(*)}_{wu} = h(K_{wu} \,\|\, \mathrm{id}^{(*-1)}_{wu}). \tag{24}$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node having the same pseudonym, because the hash function may generate the same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{bit}/2}$, where $n_{bit}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, the collision probability is $2.3\mathrm{e}{-10}$, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply to query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{v\text{-bs}}$, $K_{w\text{-next}}$, and $K_{rs\text{-bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes by using the corresponding keys, such as $IK_u$ and $K_{grp}$, to check the first MAC, $\mathrm{MAC}^{(1)}$, and the second MAC, $\mathrm{MAC}^{(2)}$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23):

$$\mathrm{MAC}^{(1)} = h_{IK_u}(\mathrm{ID}_u \,\|\, t_Q \,\|\, X_u), \tag{25}$$

$$\mathrm{MAC}^{(2)} = h_{K_{grp}}(\mathrm{ID}_u \,\|\, t_Q \,\|\, X_u). \tag{26}$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{self}$ as in (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replay message, and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\mathrm{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh:

$$\Delta_t = |t_Q - t_{self}|. \tag{27}$$
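The query-msg checks of (9), (25) and (27) and the pseudonyms of (7), (8) and (11), as an added Python example that is not code from the paper. HMAC-SHA-256 stands in for the keyed hash $h$, $IK_u$ is passed in as opaque bytes instead of being derived on the curve, and all function names, keys and timestamps are constructed for illustration.

```python
import hashlib
import hmac

MAC_LEN = 4         # 4-byte MAC, as stated on the page
PSEUDONYM_LEN = 8   # 8-byte pseudonym, as stated on the page


def h(key, *parts):
    """Keyed hash h_K(a | b | ...). HMAC-SHA-256 is this example's choice;
    each part is length-prefixed so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def query_fields(id_u, t_q, x_u):
    """Byte encoding of (ID_u, t_Q, X_u): 2-byte ID, 4-byte timestamp."""
    return (id_u.to_bytes(2, "big"), t_q.to_bytes(4, "big"), x_u)


def build_query(id_u, t_q, x_u, ik_u, k_grp):
    """query-msg of (9): fields plus MAC(1) under IK_u and MAC(2) under K_grp."""
    fields = query_fields(id_u, t_q, x_u)
    return {"id_u": id_u, "t_q": t_q, "x_u": x_u,
            "mac1": h(ik_u, *fields)[:MAC_LEN],
            "mac2": h(k_grp, *fields)[:MAC_LEN]}


def tag_accepts_query(msg, ik_u, t_self, dt_fresh):
    """Tag-node side: freshness test (27) first, then MAC(1) of (25)."""
    if abs(msg["t_q"] - t_self) > dt_fresh:
        return (False, "stale")
    expected = h(ik_u, *query_fields(msg["id_u"], msg["t_q"], msg["x_u"]))
    if not hmac.compare_digest(expected[:MAC_LEN], msg["mac1"]):
        return (False, "bad-mac")
    return (True, "ok")


def tag_reply_pseudonym(ik_u, t_q):
    """id_u of (11): bound to the timestamp of the query being answered."""
    return h(ik_u, t_q.to_bytes(4, "big"))[:PSEUDONYM_LEN]


class PseudonymChain:
    """Chain of (7) and (8): id(1) = h(K | V_rdm), id(i) = h(K | id(i-1))."""

    def __init__(self, key, v_rdm):
        self.key = key
        self.current = h(key, v_rdm)[:PSEUDONYM_LEN]

    def advance(self):
        self.current = h(self.key, self.current)[:PSEUDONYM_LEN]
        return self.current


def classify_reply(pseudonym, ik_u, t_q, token_chains):
    """Query-node side: decide which key must verify the reply's MAC.
    The caller advances the matched chain only after that MAC verifies."""
    if hmac.compare_digest(pseudonym, tag_reply_pseudonym(ik_u, t_q)):
        return ("tag-node", None)
    for name, chain in token_chains.items():
        if hmac.compare_digest(pseudonym, chain.current):
            return ("token-node", name)
    return ("unknown", None)


if __name__ == "__main__":
    ik_u, k_grp, k_wu = b"\x01" * 20, b"\x02" * 16, b"\x03" * 16  # constructed keys
    query = build_query(7, 1000, b"\xaa" * 64, ik_u, k_grp)
    print(tag_accepts_query(query, ik_u, t_self=1002, dt_fresh=5))
    print(tag_accepts_query(query, ik_u, t_self=1100, dt_fresh=5))
    sender, receiver = PseudonymChain(k_wu, b"seed"), PseudonymChain(k_wu, b"seed")
    print(classify_reply(sender.current, ik_u, 1000, {"w": receiver}))
```

A reply that reuses an already consumed pseudonym, or an $\mathrm{id}_u$ computed for an earlier $t_Q$, falls through to "unknown" and is dropped before any MAC work is done.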

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as in [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$b = \log_2 \frac{M + L}{M}. \tag{28}$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section we provide the packet format and length for each type of message. According to the IEEE 802.15.4 frame format [39], each packet includes 9 bytes of constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of message in both our schemes and SS includes the 9 bytes of constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte $X$ coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte $X$ coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\text{len}_{\text{query-msg}}$. So we have $\text{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MAC fields. We assume that the encryption function is implemented using AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\text{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\text{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC, in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal is $\text{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MAC fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\text{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg is $\text{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\text{len}_{\text{rpt-msg-issss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the broadcasting query-msg phase, duty nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msgs and replying to query-msgs, we can transmit them on two different channels. Therefore, the number of query-msgs broadcast, $N_{\text{Tx-qry-msg}}$, in the network will be equal to the number of the duty nodes; the number of query-msgs received, $N_{\text{Rx-qry-msg}}$, in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$. (2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted, $N_{\text{Tx-rpl-msg}}$, in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of reply-msgs received, $N_{\text{Rx-rpl-msg}}$, in the network will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$. (3) In the sending rpt-msgs phase, the chosen duty nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\text{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\text{hop}_{\text{avg}}$. Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

$$\begin{aligned} E_{\text{Tx-GBP}} &= (N_{\text{Tx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}})\,E_{\text{Tx}} \\ &= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55, \end{aligned} \tag{29}$$

$$\begin{aligned} E_{\text{Rx-GBP}} &= (N_{\text{Rx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}})\,E_{\text{Rx}} \\ &= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55. \end{aligned} \tag{30}$$

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes' neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^{2}$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\text{hop}_{\text{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

$$\begin{aligned} E_{\text{Tx-ISS}} &= (N_{\text{Tx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-issss}})\,E_{\text{Tx}} \\ &= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39, \end{aligned} \tag{31}$$

$$\begin{aligned} E_{\text{Rx-ISS}} &= (N_{\text{Rx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-issss}})\,E_{\text{Rx}} \\ &= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 55 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39. \end{aligned} \tag{32}$$

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. Both the transmitting event-trigger-signal phase and the sending token-pass-msg phase are similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of rpt-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\text{node}}\text{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

$$\begin{aligned} E_{\text{Tx-SS}} &= (N_{\text{Tx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-issss}})\,E_{\text{Tx}} \\ &= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\text{hop}_{\text{avg}} \times 39, \end{aligned} \tag{33}$$

$$\begin{aligned} E_{\text{Rx-SS}} &= (N_{\text{Rx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-issss}})\,E_{\text{Rx}} \\ &= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\text{hop}_{\text{avg}} \times 39. \end{aligned} \tag{34}$$

Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\text{hop}_{\text{avg}}$ | $(L + M)\text{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\text{hop}_{\text{avg}}$ | $(L + M)\text{hop}_{\text{avg}}$ |

According to (29), (31), and (33), we can derive

$$E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}}\,[\,n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times (32 + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}})\,], \tag{35}$$

$$E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,[\,n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times (32 + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\text{hop}_{\text{avg}})\,], \tag{36}$$

$$E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M)\,(20\rho_{\text{node}} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\text{hop}_{\text{avg}}). \tag{37}$$

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \text{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

$$E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times (87 + 32\rho_{\text{node}} + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}^{2}) \tag{38}$$

$$E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times (87 + 32\rho_{\text{node}} + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}}^{2} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}) \tag{39}$$

$$E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times (20\rho_{\text{node}}^{2} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}) \tag{40}$$

In (38), if

$$\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\,(87 + 16\,\text{hop}_{\text{avg}})}}{110} \tag{41}$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\text{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

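In (40), if

$$\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\text{hop}_{\text{avg}} - \sqrt{(39\,\text{hop}_{\text{avg}})^{2} - 3120\,\text{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\text{hop}_{\text{avg}} + \sqrt{(39\,\text{hop}_{\text{avg}})^{2} - 3120\,\text{hop}_{\text{avg}}}}{40}
\end{aligned} \tag{43}$$

with $\text{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.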
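The receive-side thresholds can be checked numerically. The following Python sketch is an added example, not code from the paper: it solves (38)-(40) as quadratics in the node density (the (39) threshold is re-derived from (39) itself) and cross-checks each closed form against a brute-force search. All function names are made up for the example, and the density of 47 used in the last check is the average neighbor count reported in the simulation setup.

```python
import math

# Bracketed factors of (38)-(40); each multiplies E_Rx * (L + M).
# A value <= 0 means the first-named scheme spends less energy receiving.
def rx_gbp_minus_iss(rho, hop):
    return 87 + 32 * rho + 16 * hop - 55 * rho ** 2

def rx_gbp_minus_ss(rho, hop):
    return 87 + 32 * rho + 55 * hop - 35 * rho ** 2 - 39 * rho * hop

def rx_iss_minus_ss(rho, hop):
    return 20 * rho ** 2 + 39 * hop - 39 * rho * hop

def larger_root(a, b, c):
    """Larger real root of a*x^2 + b*x + c = 0 with a > 0, or None."""
    disc = b * b - 4 * a * c
    return None if disc < 0 else (-b + math.sqrt(disc)) / (2 * a)

def min_density_gbp_vs_iss(hop):
    # (38) <= 0  <=>  55 rho^2 - 32 rho - (87 + 16 hop) >= 0, i.e. condition (41)
    return larger_root(55, -32, -(87 + 16 * hop))

def min_density_gbp_vs_ss(hop):
    # (39) <= 0  <=>  35 rho^2 + (39 hop - 32) rho - (87 + 55 hop) >= 0
    return larger_root(35, 39 * hop - 32, -(87 + 55 * hop))

def iss_vs_ss_interval(hop):
    """Density interval of condition (43), or None when it is empty."""
    disc = (39 * hop) ** 2 - 3120 * hop
    if disc < 0:
        return None
    root = math.sqrt(disc)
    return ((39 * hop - root) / 40, (39 * hop + root) / 40)

def first_integer(pred, limit=10_000):
    """Smallest integer n >= 1 satisfying pred (brute-force cross-check)."""
    return next(n for n in range(1, limit) if pred(n))

def report(hop=20, rho_sim=47):
    return {
        "rho_gbp_iss_closed": math.ceil(min_density_gbp_vs_iss(hop)),
        "rho_gbp_iss_brute": first_integer(lambda r: rx_gbp_minus_iss(r, hop) <= 0),
        "rho_gbp_ss_closed": math.ceil(min_density_gbp_vs_ss(hop)),
        "rho_gbp_ss_brute": first_integer(lambda r: rx_gbp_minus_ss(r, hop) <= 0),
        "iss_ss_interval": iss_vs_ss_interval(hop),
        # Hop count at which ISS stops costing more than SS at the given density.
        "hop_for_iss_le_ss": first_integer(lambda h: rx_iss_minus_ss(rho_sim, h) <= 0),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

At a density of 47 the interval of (43) for an average of 20 hops ends near 38, so ISS spends more receive energy than SS unless the average hop count reaches 25.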


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

Figure 6: Communication cost for transmitting messages of the network at different privacy levels. [Plot; x-axis: privacy in terms of number of bits (b); y-axis: communication cost for transmitting messages (J); series: GBP, ISS, SS.]

Figure 7: Communication cost for receiving messages of the network at different privacy levels. [Plot; x-axis: privacy in terms of number of bits (b); y-axis: communication cost for receiving messages (J); series: GBP, ISS, SS.]

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \text{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^{2})$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.


Figure 8: Total communication cost of the network at different privacy levels. [Plot; x-axis: privacy in terms of number of bits (b); y-axis: communication cost (J); series: GBP, ISS, SS.]

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice, with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "A survey on sensor networks," IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, "A survey of applications of wireless sensors and wireless sensor networks," in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC '05 and MED '05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, "Wireless sensor networks and applications: a survey," International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, "Securing wireless sensor networks: a survey," IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, "Sensor network security: a survey," IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, "Enhancing source-location privacy in sensor network routing," in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS '05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, "Analysis of location privacy solutions in wireless sensor networks," IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.


[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, "Privacy preservation in wireless sensor networks: a state-of-the-art survey," Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, "Location privacy in sensor networks against a global eavesdropper," in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP '07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, "Protecting location privacy in sensor networks against a global eavesdropper," IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, "Towards statistically strong source anonymity for sensor networks," in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, "Source location anonymity for sensor networks," in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC '09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Statistical framework for source anonymity in sensor networks," in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM '10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Toward a statistical framework for source anonymity in sensor networks," IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, "Towards event source unobservability with minimum network traffic in sensor networks," in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, "Maximizing lifetime of event-unobservable wireless sensor networks," Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, "Protecting source location privacy in wireless sensor networks with data aggregation," in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC '10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, "Source location privacy against laptop-class attacks in sensor networks," in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm '08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, "The quality of source location protection in globally attacked sensor networks," in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops '11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, "Source-location privacy in energy-constrained sensor network routing," in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, "Preserving source location privacy in monitoring-based wireless sensor networks," in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS '06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, "A source-location privacy protocol in WSN based on locational angle," in Proceedings of the IEEE International Conference on Communications (ICC '08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, "Preserving source-location privacy in energy-constrained wireless sensor networks," in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops '08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, "Privacy-aware routing in sensor networks," Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, "Providing source-location privacy in wireless sensor networks," in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA '09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, "Preserving source-location privacy in wireless sensor networks," in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, "Quantitative measurement and design of source-location privacy schemes for wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, "Entrapping adversaries for source protection in sensor networks," in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM '06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, "A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, "Geography-informed energy conservation for ad hoc routing," in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM '01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, "Secure localization and authentication in ultra-wideband sensor networks," IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, "TPS: a time-based positioning scheme for outdoor wireless sensor networks," in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P '03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, "Establishing pairwise keys in distributed sensor networks," ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, "TinySec: a link layer security architecture for wireless sensor networks," in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys '04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] "The IEEE 802.15.4 standard (ver. 2006)," 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "Location-based compromise-tolerant security mechanisms for wireless sensor networks," IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, "An efficient location-based compromise-tolerant key management scheme for sensor networks," Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, "TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks," Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, "On the energy cost of communication and cryptography in wireless sensor networks," in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob '08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User's Manual, http://castalia.research.nicta.com.au/index.php/en/.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en/.


(1) Generate system parameters ($p$, $q$, $E/F_p$, and $G_a$), where $p$, $q$ are two large primes, $E/F_p$ indicates an elliptic curve $y^2 = x^3 + ax + b$ over the finite field $F_p$, and $G_a$ is a $q$-order subgroup of the additive group of points of $E/F_p$.

(2) Choose two hash functions: $H: \{0, 1\}^{*} \rightarrow G_a$, mapping strings to nonzero elements in $G_a$, and $h$, mapping arbitrary inputs to fixed-length outputs, for example, SHA-1 [32].

(3) Select a random element $k \in Z_q^{*} = \{x \mid 1 \le x \le q - 1\}$ as the network master secret.

(4) Calculate the $H(\text{ID}_u) = (X_u, Y_u)$ and the IBC key $\text{IK}_u = kH(\text{ID}_u) \in G_a$ for each common node $u$. Note that, due to the elliptic curve discrete logarithm problem (ECDLP), it is computationally infeasible to obtain $k$ from any ($\text{IK}_u$, $\text{ID}_u$) pair.

(5) Randomly select $L$ common nodes as token nodes and preload each of them with a unique token ID.

Each common node $u$ is preloaded with the public system parameters ($p$, $q$, $E/F_p$, $G_a$, $H$, and $h$), its private key $\text{IK}_u$, its public key $(X_u, Y_u)$, and a pairwise key with the sink node $K_{u\text{-bs}}$. Each tag-node $v$ is preloaded with the same public system parameters as each common node, the network master secret $k$, and a pairwise key with the sink node $K_{v\text{-bs}}$.

5.3.2. Grid Formation Phase. After deploying the obj-WSN, we assume that every common node can obtain its own location information using some localization methods, such as [33, 34]. Also, we assume that every common node can obtain the location information $(x_{\text{bs}}, y_{\text{bs}})$ of the sink node either via preloading method or via broadcasting method. The grid identifier $G_u = (g_{x\text{-}u}, g_{y\text{-}u})$ of node $u$ can be calculated using the following:

$$g_{x\text{-}u} = \left\lceil \frac{x_u - x_{\text{bs}}}{a} \right\rceil, \qquad g_{y\text{-}u} = \left\lceil \frac{y_u - y_{\text{bs}}}{a} \right\rceil \tag{5}$$

where $x_u$ and $y_u$ indicate the geographic location of node $u$, and $a$ is the side length of a grid, which is determined according to Section 5.2.

To form virtual grids in network initialization phase, each common node $i$ broadcasts a hello message (hello-msg) as follows:

$$\text{hello-msg} = \text{ID}_i,\ x_i,\ y_i \tag{6}$$

Upon receiving the hello-msg from node $i$, the node $u$ first calculates the grid identifier $G_i$ of node $i$ using the $(x_i, y_i)$ information. If $G_i = G_u$, it then puts the information $(\text{ID}_i, x_i, y_i)$ of node $i$ into its same-grid table in descending order of ID number; otherwise, it puts the information $(\text{ID}_i, x_i, y_i)$ of node $i$ into its non-same-grid table in increasing order of distance to the sink node.

To avoid additional communication overhead caused by the duty node role rotation, we can stipulate the rotation order, for example, in descending (or increasing) order of ID number in each grid. Thus, each grid will have a duty node when the network initialization finishes, and also each node will rotate as duty node in a stipulated order.

5.3.3. Report Collection Phase. We assume that, in network initialization phase, an effective key-based mechanism is adopted, such as [35–37]. That is, an infrastructure for secure communication has been established. To achieve anonymity, nodes may need to use pseudonyms to communicate with each other according to the requirement. We adopt the method in [29] to generate pseudonyms. Assuming two nodes $u$ and $v$ with a shared key $K_{uv}$, we can generate a sequence of pseudonyms using the hash function $h$ by iteratively hashing a random value $V_{\text{rdm}}$ as follows:

$$\text{id}^{(1)}_{uv} = h(K_{uv}, V_{\text{rdm}}) \tag{7}$$

$$\text{id}^{(i)}_{uv} = h(K_{uv}, \text{id}^{(i-1)}_{uv}) \tag{8}$$
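The pseudonym chain of (7) and (8), seen from both ends of a link, as an added Python example (not code from the paper). It assumes SHA-256 for $h$ over the length-prefixed concatenation of its two inputs, 8-byte pseudonyms, and a receiver that looks a few steps ahead in the chain so that a lost message does not desynchronize the pair; the paper only specifies the update rule, and the class names and window size are made up here.

```python
import hashlib
import hmac

PSEUDONYM_LEN = 8          # assumption: pseudonyms truncated to 8 bytes

def h(key: bytes, value: bytes) -> bytes:
    """h(K, x): hash of the two inputs, length-prefixed so the split is unambiguous."""
    digest = hashlib.sha256()
    for part in (key, value):
        digest.update(len(part).to_bytes(2, "big") + part)
    return digest.digest()[:PSEUDONYM_LEN]

class PseudonymSender:
    """Holds the next pseudonym to put on the air for one shared key."""
    def __init__(self, k_uv: bytes, v_rdm: bytes):
        self.key = k_uv
        self.current = h(k_uv, v_rdm)                    # eq. (7)

    def use(self) -> bytes:
        pseudonym = self.current
        self.current = h(self.key, pseudonym)            # eq. (8)
        return pseudonym

class PseudonymReceiver:
    """Recognises the peer's pseudonyms and advances past the one it accepted."""
    def __init__(self, k_uv: bytes, v_rdm: bytes, window: int = 3):
        self.key = k_uv
        self.window = window                             # tolerated lost messages
        self.expected = h(k_uv, v_rdm)

    def accept(self, pseudonym: bytes):
        """Return how many pseudonyms were skipped, or None if not recognised."""
        candidate = self.expected
        for skipped in range(self.window + 1):
            following = h(self.key, candidate)
            if hmac.compare_digest(candidate, pseudonym):
                self.expected = following                # old values never match again
                return skipped
            candidate = following
        return None

if __name__ == "__main__":
    key, seed = b"constructed-shared-key", b"constructed-random-value"
    sender = PseudonymSender(key, seed)
    receiver = PseudonymReceiver(key, seed)
    first = sender.use()
    print("fresh pseudonym :", receiver.accept(first))   # 0
    print("replayed        :", receiver.accept(first))   # None
    sender.use()                                         # this message is lost
    print("after one loss  :", receiver.accept(sender.use()))  # 1
```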

(1) Broadcast Query Message. After network initialization, every duty node $u$ periodically broadcasts query message (query-msg) as follows:

$$\text{query-msg} = \text{ID}_u,\ t_Q,\ X_u,\ \text{MAC}_{\text{IK}_u}(\text{ID}_u, t_Q, X_u),\ \text{MAC}_{K_{\text{grp}}}(\text{ID}_u, t_Q, X_u) \tag{9}$$

where $t_Q$ is the timestamp and its value is the time when the query-msg is broadcast by the duty node, $K_{\text{grp}}$ is the group key shared among the sending node and its neighborhood, and $X_u$ is the $X$ coordinate of the node $u$ on the elliptic curve $E/F_p$. Since $H(\text{ID}_u) = (X_u, Y_u)$ is a point of $E/F_p$, only one of $X_u$ and $Y_u$ coordinates needs to be transmitted, and the other can be easily derived using the curve equation.

(2) Reply Query Message

(i) For Tag-Node. We assume that tag-nodes and common nodes are loosely synchronized. Every tag-node periodically monitors the query-msg for a specific time interval $\Delta m$, called monitoring slot. Each monitoring period is called a monitoring round. Upon receiving a query-msg from a duty node $u$, a tag-node $v$ performs the following operations.

(I) Calculate the $Y_u$ using $X_u$ and the curve, and then calculate the IBC key $\text{IK}_u = k(X_u, Y_u) \in G_a$ using the $(X_u, Y_u)$ and the network master secret $k$.

(II) Check the first MAC in (9): calculate $\text{MAC}' = h_{\text{IK}_u}(\text{ID}_u, t_Q, X_u)$ and compare whether the received corresponding MAC is the same as the $\text{MAC}'$. If the MAC is verified, it puts the $\text{ID}_u$ into a candidate reply-list and stops receiving the query-msg in current monitoring slot; otherwise, it ignores the query-msg.

(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$\text{reply-msg} = \text{ID}_u,\ \text{id}^{(*)}_{v\text{-bs}},\ \text{id}_u,\ E_{K_{v\text{-bs}}}(\text{TID}_v, t, \text{others}_1),\ \text{MAC}_{K_{v\text{-bs}}}(\text{DATA1}),\ \text{MAC}_{\text{IK}_u}(\text{DATA2}) \tag{10}$$

$$\text{id}_u = h(\text{IK}_u, t_Q) \tag{11}$$

$$\text{DATA1} = \text{id}^{(*)}_{v\text{-bs}},\ E_{K_{v\text{-bs}}}(\text{TID}_v, t, \text{others}_1) \tag{12}$$

$$\text{DATA2} = \text{ID}_u,\ \text{id}_u,\ E_{K_{v\text{-bs}}}(\text{TID}_v, t, \text{others}_1) \tag{13}$$

$$\text{collectInfo} = \text{DATA1},\ \text{MAC}_{K_{v\text{-bs}}}(\text{DATA1}) \tag{14}$$

where $\text{id}^{(*)}_{v\text{-bs}}$ is the pseudonym shared between tag-node $v$ and the sink node, $\text{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply, it sends a reply-msg to node $u$. Note that token nodes do not perform the operations (I) and (II) as tag-nodes do. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \text{ID}_u,\ \text{id}^{(*)}_{w\text{-next}},\ \text{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others}_2),\ \text{MAC}_{K_{w\text{-next}}}(\text{DATA1}),\ \text{MAC}_{K_{wu}}(\text{DATA2}) \tag{15}$$

$$\text{DATA1} = \text{id}^{(*)}_{w\text{-next}},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others}_2) \tag{16}$$

$$\text{DATA2} = \text{ID}_u,\ \text{id}^{(*)}_{wu},\ E_{K_{w\text{-next}}}(\text{token-ID}, t, \text{others}_2) \tag{17}$$

where $\text{id}^{(*)}_{w\text{-next}}$ and $K_{w\text{-next}}$ are the pseudonym and key shared between token node $w$ and the next round's token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself); $\text{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively; and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round's token node.
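The two ways a query-msg (9) is checked, by a tag-node (steps (I) and (II)) and by a token node, as an added Python example (not code from the paper). Assumptions of the example: secp256k1 stands in for the paper's 160-bit curve, HMAC-SHA256 for the keyed hash, $H$ is built by try-and-increment, the MAC key is the x-coordinate of $\text{IK}_u$ (so either root $Y_u$ recovered from $X_u$ gives the same key), and the freshness window, field names, and function names are made up.

```python
import hashlib
import hmac
import secrets

# Assumption: secp256k1 (y^2 = x^3 + 7 over F_p, prime group order Q).
P = 2**256 - 2**32 - 977
A, B = 0, 7
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def lift_x(x):
    """Derive a Y for a received X from the curve equation; None if X is off-curve."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)              # square root, valid because P % 4 == 3
    return y if y * y % P == rhs else None

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Scalar point multiplication k*pt (double-and-add, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def hash_to_point(node_id):
    """H: map an ID to a curve point by try-and-increment."""
    ctr = 0
    while True:
        digest = hashlib.sha256(node_id + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        y = lift_x(x)
        if y:
            return (x, y)
        ctr += 1

def mac(key, node_id, t_q, x_u):
    body = bytes([len(node_id)]) + node_id + t_q.to_bytes(4, "big") + x_u.to_bytes(32, "big")
    return hmac.new(key, body, hashlib.sha256).digest()

def ik_mac_key(ik_point):
    # k*(X, -Y) = -(k*(X, Y)) has the same x-coordinate, so keying the MAC with
    # x(IK_u) makes the choice between the two roots of Y_u irrelevant.
    return ik_point[0].to_bytes(32, "big")

def make_query(node_id, ik_u, k_grp, t_q):
    """Duty node u builds query-msg (9)."""
    x_u = hash_to_point(node_id)[0]
    return {"id": node_id, "t_q": t_q, "x_u": x_u,
            "mac_ik": mac(ik_mac_key(ik_u), node_id, t_q, x_u),
            "mac_grp": mac(k_grp, node_id, t_q, x_u)}

def tag_verify(msg, k, now, max_age=5):
    """Tag-node steps (I)-(II): rebuild IK_u from X_u and k, check the first MAC."""
    if not 0 <= now - msg["t_q"] <= max_age:   # freshness window is an assumption
        return False
    if not 0 <= msg["x_u"] < P:
        return False
    y_u = lift_x(msg["x_u"])
    if not y_u:                                # reject off-curve X before the costly step
        return False
    ik_u = ec_mul(k, (msg["x_u"], y_u))        # the one scalar multiplication per query
    expected = mac(ik_mac_key(ik_u), msg["id"], msg["t_q"], msg["x_u"])
    return hmac.compare_digest(expected, msg["mac_ik"])

def token_verify(msg, k_grp):
    """Token node: holds no master secret, so only the group-key MAC is checked."""
    expected = mac(k_grp, msg["id"], msg["t_q"], msg["x_u"])
    return hmac.compare_digest(expected, msg["mac_grp"])

if __name__ == "__main__":
    k = 1 + secrets.randbelow(Q - 1)           # network master secret (constructed)
    k_grp = secrets.token_bytes(16)
    duty_id = b"node-0042"                     # constructed node ID
    ik = ec_mul(k, hash_to_point(duty_id))     # preloaded by the sink: IK_u = k*H(ID_u)
    query = make_query(duty_id, ik, k_grp, t_q=1000)
    print("tag accepts genuine query:", tag_verify(query, k, now=1002))
    print("tag accepts altered t_Q  :", tag_verify(dict(query, t_q=1001), k, now=1002))
    print("token accepts query      :", token_verify(query, k_grp))
```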

(3) Generate and Forward Event Report Message Due to thedifferent schemes used by tag-nodes and token nodes togenerate pseudonyms as shown in (11) and (8) a query nodewhich receives a reply-msg can know whether the message issent from a tag-node or a token node Therefore the querynode can check the MAC using the corresponding key Uponreceiving a reply-msg from a tag-node V or a token node 119908a query node 119906 first checks the corresponding MAC If thecorresponding MAC is verified it generates an event report(rpt-msg) and forwards the rpt-msg to the duty node closestto the sink node in its communication range

Query node 119906 forwards the following real rpt-msg to thechosen next hop node (nextHop) if it receives a verified reply-msg from tag-node V

rpt-msg = ID119906 IDnextHop 119905rs IDrs

119864119870rs-bs

(collectInfo) MAC119870119906-nextHop

(DATA)

(18)

DATA = ID119906 IDnextHop 119905rs IDrs 119864119870rs-bs (collectInfo)

(19)

where IDrs is the ID of the reporter source that is the firstreporter node and in this case its tag-node 119906 119905rs is the sendingtimestamp from the reporter source and collectInfo is shownin (14)

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \text{ID}_u,\ \text{ID}_{\text{nextHop}},\ t_{\text{rs}},\ \text{ID}_{\text{rs}},\ \text{rdmDATA},\ \text{MAC}_{K_{u\text{-nextHop}}}(\text{DATA}), \tag{20}$$

$$\text{DATA} = \text{ID}_u,\ \text{ID}_{\text{nextHop}},\ t_{\text{rs}},\ \text{ID}_{\text{rs}},\ \text{rdmDATA}, \tag{21}$$

where rdmDATA is a random binary sequence code, and its length shall satisfy the fact that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will eventually reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field via decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\text{ID}_{\text{rs}}$ field in (18). Then it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node, if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can eventually obtain the interesting information about the monitored objects.


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\text{id}^{(*)}_{v\text{-bs}}$ and $\text{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-bs}}$ and $K_{w\text{-next}}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $\text{IK}_u$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\text{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\text{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\text{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of next round. It not only guarantees that tag-nodes reply the query messages confidentially but also guarantees that token nodes pass tokens confidentially:

$$\text{id}^{(*)}_{v\text{-bs}} = h\left(K_{v\text{-bs}},\ \text{id}^{(*-1)}_{v\text{-bs}}\right), \tag{22}$$

$$\text{id}^{(*)}_{w\text{-next}} = h\left(K_{w\text{-next}},\ \text{id}^{(*-1)}_{w\text{-next}}\right), \tag{23}$$

$$\text{id}^{(*)}_{wu} = h\left(K_{wu},\ \text{id}^{(*-1)}_{wu}\right). \tag{24}$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node has the same pseudonym, because the hash function may generate same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{\text{bit}}/2}$, where $n_{\text{bit}}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, then the collision probability is 2.3e−10, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{v\text{-bs}}$, $K_{w\text{-next}}$, and $K_{\text{rs-bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes via using corresponding keys, such as $\text{IK}_u$ and $K_{\text{grp}}$, to check the first MAC, $\text{MAC}^{(1)}$, and the second MAC, $\text{MAC}^{(2)}$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23):

$$\text{MAC}^{(1)} = h_{\text{IK}_u}\left(\text{ID}_u,\ t_Q,\ X_u\right), \tag{25}$$

$$\text{MAC}^{(2)} = h_{K_{\text{grp}}}\left(\text{ID}_u,\ t_Q,\ X_u\right). \tag{26}$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{\text{self}}$ as (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replay message and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\text{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\text{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\text{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh:

$$\Delta_t = \left| t_Q - t_{\text{self}} \right|. \tag{27}$$

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as in [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$b = \log_2 \frac{M + L}{M}. \tag{28}$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.
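The receiver-side order of checks from the freshness and authentication analysis above (timestamp window (27) first, then the 4-byte MAC of (25) or (26)), as an added example that is not code from the paper. HMAC-SHA256 truncated to 4 bytes stands in for the paper's keyed hash, the field order and big-endian packing are assumptions, and the keys are passed in as constructed values rather than derived.

```python
import hashlib
import hmac
import struct

# Field widths follow the paper's query-msg description: 2-byte source ID,
# 4-byte timestamp, 64-byte X coordinate, two 4-byte MACs (78 bytes, plus the
# 9 bytes of IEEE 802.15.4 framing = 87). Field order and byte order are
# assumptions of this sketch.
BODY_FMT = ">HI64s"
BODY_LEN = struct.calcsize(BODY_FMT)      # 70 bytes covered by both MACs
MAC_LEN = 4
QUERY_LEN = BODY_LEN + 2 * MAC_LEN        # 78 bytes


def mac4(key: bytes, data: bytes) -> bytes:
    """4-byte MAC; truncated HMAC-SHA256 stands in for h_K (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def build_query(id_u: int, t_q: int, x_u: bytes, ik_u: bytes, k_grp: bytes) -> bytes:
    """Duty-node side: body, then MAC(1) under IK_u and MAC(2) under K_grp."""
    body = struct.pack(BODY_FMT, id_u, t_q, x_u)
    return body + mac4(ik_u, body) + mac4(k_grp, body)


def check_query(msg: bytes, key: bytes, t_self: int, dt_fresh: int,
                role: str = "tag") -> str:
    """Receiver side: a tag-node checks MAC(1) with IK_u, a token node checks
    MAC(2) with K_grp. Returns "malformed", "stale", "forged" or "fresh"."""
    if role not in ("tag", "token"):
        raise ValueError("role must be 'tag' or 'token'")
    if len(msg) != QUERY_LEN:
        return "malformed"
    body = msg[:BODY_LEN]
    mac1 = msg[BODY_LEN:BODY_LEN + MAC_LEN]
    mac2 = msg[BODY_LEN + MAC_LEN:]
    _id_u, t_q, _x_u = struct.unpack(BODY_FMT, body)
    # (27): the cheap timestamp test runs first, so stale traffic is dropped
    # before any MAC is computed.
    if abs(t_q - t_self) > dt_fresh:
        return "stale"
    # (25)/(26): a fresh-looking timestamp proves nothing until the MAC verifies.
    received = mac1 if role == "tag" else mac2
    if not hmac.compare_digest(received, mac4(key, body)):
        return "forged"
    return "fresh"


def demo() -> dict:
    """Constructed keys and a constructed query-msg, checked in four situations."""
    ik_u, k_grp = b"\x11" * 16, b"\x22" * 16
    msg = build_query(0x0102, 1000, bytes(64), ik_u, k_grp)
    # Same message with only the timestamp field rewritten; MACs left as they were.
    retimed = msg[:2] + (1100).to_bytes(4, "big") + msg[6:]
    return {
        "inside window": check_query(msg, ik_u, 1003, 5),
        "outside window": check_query(msg, ik_u, 1100, 5),
        "timestamp rewritten": check_query(retimed, ik_u, 1100, 5),
        "token node, MAC(2)": check_query(msg, k_grp, 1003, 5, role="token"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```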

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section, we provide the packet format and length for each type of messages. According to IEEE 802.15.4 frame format [39], each packet includes 9 bytes constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of messages in both our schemes and SS includes the 9 bytes constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte X coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte X coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\text{len}_{\text{query-msg}}$. So we have $\text{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MACs fields. We assume that the encrypted function is implemented using the AES-128 with a 16-byte output. Then the byte length of the reply-msg $\text{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using the AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg $\text{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal $\text{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MACs fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg $\text{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MACs field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg $\text{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to in GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg $\text{len}_{\text{rpt-msg-issss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the broadcasting query-msg phase, duty-nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msg and replying query-msg, we can transmit them on two different channels. Therefore, the number of query-msgs broadcast, $N_{\text{Tx-qry-msg}}$, in the network will be equal to the number of the duty nodes; the number of query-msgs received, $N_{\text{Rx-qry-msg}}$, in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$. (2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted, $N_{\text{Tx-rpl-msg}}$, in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of reply-msgs received, $N_{\text{Rx-rpl-msg}}$, in the network will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$. (3) In the sending rpt-msgs phase, the chosen duty-nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\text{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\text{hop}_{\text{avg}}$. Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

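$$
\begin{aligned}
E_{\text{Tx-GBP}} &= \left(N_{\text{Tx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55,
\end{aligned} \tag{29}
$$

$$
\begin{aligned}
E_{\text{Rx-GBP}} &= \left(N_{\text{Rx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55.
\end{aligned} \tag{30}
$$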

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes' neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho^2_{\text{node}}$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\text{hop}_{\text{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

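$$
\begin{aligned}
E_{\text{Tx-ISS}} &= \left(N_{\text{Tx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{31}
$$

$$
\begin{aligned}
E_{\text{Rx-ISS}} &= \left(N_{\text{Rx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho^2_{\text{node}} \times 55 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{32}
$$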

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. Both the transmitting event-trigger-signal phase and the sending token-pass-msg phase are similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of rpt-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

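$$
\begin{aligned}
E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{33}
$$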

$$
\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho^2_{\text{node}} \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{34}
$$

Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho^2_{\text{node}}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

According to (29), (31), and (33), we can derive

$$E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}\right) \right], \tag{35}$$

$$E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right) \right], \tag{36}$$

$$E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M) \left(20\rho_{\text{node}} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right). \tag{37}$$

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \text{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho^2_{\text{node}}$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

$$E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\text{hop}_{\text{avg}} - 55\rho^2_{\text{node}}\right), \tag{38}$$

$$E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\text{hop}_{\text{avg}} - 35\rho^2_{\text{node}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right), \tag{39}$$

$$E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\rho^2_{\text{node}} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right). \tag{40}$$

In (38), if

$$\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\text{hop}_{\text{avg}}\right)}}{110}, \tag{41}$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\text{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

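In (40), if

$$
\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\text{hop}_{\text{avg}} - \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^2 - 3120\,\text{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\text{hop}_{\text{avg}} + \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^2 - 3120\,\text{hop}_{\text{avg}}}}{40},
\end{aligned} \tag{43}
$$

with $\text{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.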


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 mJ = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
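The message counts of Tables 2 to 4, the byte lengths of Section 6.1.1 and the per-byte radio figures of Section 6.1.3, combined into the energy model of (29)–(34) with the thresholds (41) and (43), as an added example that is not the authors' code. The grid count `n_grid` and the hop count used in the demo are constructed values, since this part of the paper fixes neither; the neighbor count 47 is the one reported for the simulation.

```python
import math

# Message lengths in bytes (Section 6.1.1) and per-byte radio energy (Section 6.1.3).
LEN = {"query": 87, "reply": 49, "rpt_gbp": 55, "trig": 17,
       "token_iss": 55, "token_ss": 35, "rpt_iss_ss": 39}
E_TX_UJ, E_RX_UJ = 5.76, 6.48      # microjoules per byte, CC2420
ECC_MULT_MJ = 17.0                 # one ECC-160 scalar point multiplication, mJ
BATTERY_J = 18720.0                # two AA batteries


def fake_objects(b, M=1):
    """Invert (28), b = log2((M + L) / M): token nodes needed for b bits of privacy."""
    return M * (2 ** b - 1)


def counts(scheme, L, M, rho, hop, n_grid):
    """Rows (message type, N_Tx, N_Rx) of Table 2 (GBP), Table 3 (ISS), Table 4 (SS)."""
    s = L + M
    if scheme == "GBP":
        return [("query", n_grid, s), ("reply", s, s * rho),
                ("rpt_gbp", s * hop, s * hop)]
    if scheme == "ISS":
        return [("trig", s, s * rho), ("token_iss", s * rho, s * rho ** 2),
                ("rpt_iss_ss", s * hop, s * hop)]
    if scheme == "SS":
        return [("trig", s, s * rho), ("token_ss", s * rho, s * rho ** 2),
                ("rpt_iss_ss", s * rho * hop, s * rho * hop)]
    raise ValueError(f"unknown scheme: {scheme}")


def traffic_bytes(scheme, L, M, rho, hop, n_grid):
    """Total bytes transmitted and received network-wide: the bracketed sums of (29)-(34)."""
    rows = counts(scheme, L, M, rho, hop, n_grid)
    tx = sum(LEN[kind] * n_tx for kind, n_tx, _ in rows)
    rx = sum(LEN[kind] * n_rx for kind, _, n_rx in rows)
    return tx, rx


def energy_joules(scheme, L, M, rho, hop, n_grid):
    """(E_Tx, E_Rx) in joules for one round."""
    tx, rx = traffic_bytes(scheme, L, M, rho, hop, n_grid)
    return tx * E_TX_UJ * 1e-6, rx * E_RX_UJ * 1e-6


def rho_min_gbp_vs_iss_rx(hop):
    """(41): smallest rho_node for which E_Rx-GBP <= E_Rx-ISS."""
    return (32 + math.sqrt(1024 + 220 * (87 + 16 * hop))) / 110


def rho_band_iss_vs_ss_rx(hop):
    """(43): interval of rho_node where E_Rx-ISS <= E_Rx-SS, or None if it is empty."""
    disc = (39 * hop) ** 2 - 3120 * hop
    if disc < 0:
        return None
    root = math.sqrt(disc)
    return (39 * hop - root) / 40, (39 * hop + root) / 40


def tag_node_lifetime_days(queries_per_day=24 * 60):
    """Receive one query-msg, one scalar multiplication, send one reply-msg, per query."""
    radio_mj = (LEN["query"] * E_RX_UJ + LEN["reply"] * E_TX_UJ) / 1000.0
    per_query_mj = ECC_MULT_MJ + radio_mj
    return BATTERY_J / (queries_per_day * per_query_mj / 1000.0)


if __name__ == "__main__":
    RHO = 47                        # average neighbors in the simulation setup
    HOP, N_GRID = 10, 28 * 28       # constructed values, not taken from the paper
    print("b  scheme  E_Tx(J)   E_Rx(J)")
    for b in (1, 5, 10):
        for scheme in ("GBP", "ISS", "SS"):
            e_tx, e_rx = energy_joules(scheme, fake_objects(b), 1, RHO, HOP, N_GRID)
            print(f"{b:<2} {scheme:<6} {e_tx:8.3f} {e_rx:9.3f}")
    print("rho threshold (41) at hop=20:", round(rho_min_gbp_vs_iss_rx(20), 3))
    print("rho band (43) at hop=10:", rho_band_iss_vs_ss_rx(HOP))
    print("tag-node lifetime (days):", round(tag_node_lifetime_days(), 1))
```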

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

Figure 6: Communication cost for transmitting messages of the network at different privacy levels. (Horizontal axis: privacy in terms of number of bits (b); vertical axis: communication cost for transmitting messages (J); series: GBP, ISS, SS.)

Figure 7: Communication cost for receiving messages of the network at different privacy levels. (Horizontal axis: privacy in terms of number of bits (b); vertical axis: communication cost for receiving messages (J); series: GBP, ISS, SS.)

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \text{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho^2_{\text{node}})$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.

Figure 8: Total communication cost of the network at different privacy levels. (Horizontal axis: privacy in terms of number of bits (b); vertical axis: communication cost (J); series: GBP, ISS, SS.)

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate event report message for each event-trigger-signal; hence its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I F Akyildiz W Su Y Sankarasubramaniam and E Cayirci ldquoAsurvey on sensor networksrdquo IEEE Communications Magazinevol 40 no 8 pp 102ndash105 2002

[2] T Arampatzis J Lygeros and S Manesis ldquoA survey of appli-cations of wireless sensors and wireless sensor networksrdquoin Proceedings of the 20th IEEE International Symposium onIntelligent Control and the 13th Mediterranean Conference onControl and Automation (ISIC rsquo05 and MED rsquo05) pp 719ndash724Limassol Cyprus June 2005

[3] C F Garcia-Hernandez P H Ibarguengoytia-Gonzalez JGarcia-Hernandez and J A Perez-Diaz ldquoWireless sensor net-works and applications a surveyrdquo International Journal ofComputer Science and Network Security vol 7 no 3 pp 264ndash273 2007

[4] Y Zhou Y Fang and Y Zhang ldquoSecuring wireless sensor net-works a surveyrdquo IEEE Communications Surveys and Tutorialsvol 10 no 3 pp 6ndash28 2008

[5] X Q Chen KMakki K Yen andN Pissinou ldquoSensor networksecurity a surveyrdquo IEEECommunications Surveys andTutorialsvol 11 no 2 pp 52ndash73 2009

[6] P Kamat Y Zhang W Trappe and C Ozturk ldquoEnhancingsource-location privacy in sensor network routingrdquo in Proceed-ings of the 25th IEEE International Conference on DistributedComputing Systems (ICDCS rsquo05) pp 599ndash608 Columbus OhioUSA June 2005

[7] R Rios and J Lopez ldquoAnalysis of location privacy solutions inwireless sensor networksrdquo IET Communications vol 5 no 17pp 2518ndash2532 2011

16 International Journal of Distributed Sensor Networks

[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM ’08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC ’09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS ’06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en.


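(III) Send a reply message (reply-msg). The tag-node $v$ selects a node in its candidate reply-list to reply. We assume that query node $u$ is the candidate node; then tag-node $v$ sends a reply-msg to node $u$ as follows:

$$\text{reply-msg} = \mathrm{ID}_u \;\; \mathrm{id}^{(*)}_{v\text{-bs}} \;\; \mathrm{id}_u \;\; E_{K_{v\text{-bs}}}(\mathrm{TID}_v \;\; t \;\; \text{others1}) \;\; \mathrm{MAC}_{K_{v\text{-bs}}}(\mathrm{DATA1}) \;\; \mathrm{MAC}_{\mathrm{IK}_u}(\mathrm{DATA2}) \tag{10}$$

$$\mathrm{id}_u = h(\mathrm{IK}_u \;\; t_Q) \tag{11}$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{v\text{-bs}} \;\; E_{K_{v\text{-bs}}}(\mathrm{TID}_v \;\; t \;\; \text{others1}) \tag{12}$$

$$\mathrm{DATA2} = \mathrm{ID}_u \;\; \mathrm{id}_u \;\; E_{K_{v\text{-bs}}}(\mathrm{TID}_v \;\; t \;\; \text{others1}) \tag{13}$$

$$\text{collectInfo} = \mathrm{DATA1} \;\; \mathrm{MAC}_{K_{v\text{-bs}}}(\mathrm{DATA1}) \tag{14}$$

where $\mathrm{id}^{(*)}_{v\text{-bs}}$ is the pseudonym shared between tag-node $v$ and the sink node, $\mathrm{TID}_v$ is the tag ID of tag-node $v$, and $t$ is the sending timestamp. After that, $v$ updates the corresponding pseudonym using (8).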

(ii) For Token Node. In the same manner as tag-nodes, when a token node $w$ receives a query-msg from a duty node $u$, which we assume is the candidate node to reply, it sends a reply-msg to node $u$. Note that token nodes do not perform the operations (I) and (II) as a tag-node does. A token node just checks the second MAC in (9) with the corresponding shared group key. Token node $w$ sends the following reply-msg to node $u$:

$$\text{reply-msg} = \mathrm{ID}_u \;\; \mathrm{id}^{(*)}_{w\text{-next}} \;\; \mathrm{id}^{(*)}_{wu} \;\; E_{K_{w\text{-next}}}(\text{token-ID} \;\; t \;\; \text{others2}) \;\; \mathrm{MAC}_{K_{w\text{-next}}}(\mathrm{DATA1}) \;\; \mathrm{MAC}_{K_{wu}}(\mathrm{DATA2}) \tag{15}$$

$$\mathrm{DATA1} = \mathrm{id}^{(*)}_{w\text{-next}} \;\; E_{K_{w\text{-next}}}(\text{token-ID} \;\; t \;\; \text{others2}) \tag{16}$$

$$\mathrm{DATA2} = \mathrm{ID}_u \;\; \mathrm{id}^{(*)}_{wu} \;\; E_{K_{w\text{-next}}}(\text{token-ID} \;\; t \;\; \text{others2}) \tag{17}$$

where $\mathrm{id}^{(*)}_{w\text{-next}}$ and $K_{w\text{-next}}$ are the pseudonym and key shared between token node $w$ and the next round’s token node (nextTkNode), respectively, which is selected by token node $w$ in its neighborhood (including itself); $\mathrm{id}^{(*)}_{wu}$ and $K_{wu}$ are the pseudonym and key shared between token node $w$ and query node $u$, respectively; and $t$ is the sending timestamp. After that, $w$ updates the corresponding pseudonyms using (8).

As the reply-msg sent from token node $w$ contains the pseudonym shared between $w$ and nextTkNode, nextTkNode also receives the reply-msg. When receiving this message, it first checks the corresponding MAC using the pairwise key shared between $w$ and itself. If the corresponding MAC is verified, it updates the pseudonym shared between $w$ and itself using (8), decrypts the corresponding encrypted field, obtains the token-ID, and sets itself as the next round’s token node.

(3) Generate and Forward Event Report Message. Due to the different schemes used by tag-nodes and token nodes to generate pseudonyms, as shown in (11) and (8), a query node which receives a reply-msg can know whether the message is sent from a tag-node or a token node. Therefore, the query node can check the MAC using the corresponding key. Upon receiving a reply-msg from a tag-node $v$ or a token node $w$, a query node $u$ first checks the corresponding MAC. If the corresponding MAC is verified, it generates an event report (rpt-msg) and forwards the rpt-msg to the duty node closest to the sink node in its communication range.

Query node $u$ forwards the following real rpt-msg to the chosen next hop node (nextHop) if it receives a verified reply-msg from tag-node $v$:

$$\text{rpt-msg} = \mathrm{ID}_u \;\; \mathrm{ID}_{\text{nextHop}} \;\; t_{\text{rs}} \;\; \mathrm{ID}_{\text{rs}} \;\; E_{K_{\text{rs-bs}}}(\text{collectInfo}) \;\; \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}) \tag{18}$$

$$\mathrm{DATA} = \mathrm{ID}_u \;\; \mathrm{ID}_{\text{nextHop}} \;\; t_{\text{rs}} \;\; \mathrm{ID}_{\text{rs}} \;\; E_{K_{\text{rs-bs}}}(\text{collectInfo}) \tag{19}$$

where $\mathrm{ID}_{\text{rs}}$ is the ID of the reporter source, that is, the first reporter node, and in this case its tag-node $u$; $t_{\text{rs}}$ is the sending timestamp from the reporter source; and collectInfo is shown in (14).

If query node $u$ receives a verified reply-msg from token node $w$, it forwards the following fake rpt-msg to the chosen next hop node (nextHop):

$$\text{rpt-msg} = \mathrm{ID}_u \;\; \mathrm{ID}_{\text{nextHop}} \;\; t_{\text{rs}} \;\; \mathrm{ID}_{\text{rs}} \;\; \text{rdmDATA} \;\; \mathrm{MAC}_{K_{u\text{-nextHop}}}(\mathrm{DATA}) \tag{20}$$

$$\mathrm{DATA} = \mathrm{ID}_u \;\; \mathrm{ID}_{\text{nextHop}} \;\; t_{\text{rs}} \;\; \mathrm{ID}_{\text{rs}} \;\; \text{rdmDATA} \tag{21}$$

where rdmDATA is a random binary sequence code whose length is chosen so that all rpt-msgs have the same length, to prevent the adversary from distinguishing the real rpt-msgs from the fake ones via packet length.

When a relay-node receives a rpt-msg, it checks the MAC. If the MAC is verified, the relay-node regenerates a MAC using the pairwise key shared with the next hop node. Then it forwards the rpt-msg to the next hop node as quickly as possible whenever the channel is free. In this way, the rpt-msg will eventually reach the sink node.

When the sink node receives a verified rpt-msg generated from a reporter source $u$, it first obtains the collectInfo field via decrypting the encrypted part using the key shared between $u$ and itself, with the help of the $\mathrm{ID}_{\text{rs}}$ field in (18). Then it can verify the collectInfo and decrypt the encrypted field in (12) using the key shared with the tag-node, if the pseudonym field in (12) of the received rpt-msg is the pseudonym of a tag-node. Therefore, the sink node can eventually obtain the interesting information about the monitored objects.


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\mathrm{id}^{(*)}_{v\text{-bs}}$ and $\mathrm{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{v\text{-bs}}$ and $K_{w\text{-next}}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round’s token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $\mathrm{IK}_u$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\mathrm{id}_u$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\mathrm{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\mathrm{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of next round. It not only guarantees that tag-nodes reply the query messages confidentially but also guarantees that token nodes pass tokens confidentially.

$$\mathrm{id}^{(*)}_{v\text{-bs}} = h\left(K_{v\text{-bs}} \;\; \mathrm{id}^{(*-1)}_{v\text{-bs}}\right) \tag{22}$$

$$\mathrm{id}^{(*)}_{w\text{-next}} = h\left(K_{w\text{-next}} \;\; \mathrm{id}^{(*-1)}_{w\text{-next}}\right) \tag{23}$$

$$\mathrm{id}^{(*)}_{wu} = h\left(K_{wu} \;\; \mathrm{id}^{(*-1)}_{wu}\right) \tag{24}$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node has the same pseudonym, because the hash function may generate same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{\text{bit}}/2}$, where $n_{\text{bit}}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, the collision probability is 2.3e−10, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{v\text{-bs}}$, $K_{w\text{-next}}$, and $K_{\text{rs-bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes via using corresponding keys, such as $\mathrm{IK}_u$ and $K_{\text{grp}}$, to check the first MAC, $\mathrm{MAC}(1)$, and the second MAC, $\mathrm{MAC}(2)$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round’s token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round’s token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23).

$$\mathrm{MAC}(1) = h_{\mathrm{IK}_u}(\mathrm{ID}_u \;\; t_Q \;\; X_u) \tag{25}$$

$$\mathrm{MAC}(2) = h_{K_{\text{grp}}}(\mathrm{ID}_u \;\; t_Q \;\; X_u) \tag{26}$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_Q$ in (9) with its local time $t_{\text{self}}$ as in (27). If $\Delta_t$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replay message and the tag-node shall discard the message. If $\Delta_t \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\mathrm{id}_u$ is generated with the help of the query timestamp $t_Q$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}_u$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\mathrm{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh.

$$\Delta_t = \left| t_Q - t_{\text{self}} \right| \tag{27}$$
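The checks from the authentication and freshness analysis can be exercised end to end. The following Python sketch is an added example, not code from the paper: it applies the timestamp window (27) before MAC(1) from (25) on the tag-node side, and on the query-node side it classifies a reply by its pseudonym per (11) and (24) before verifying the MAC over DATA2. SHA-1 for $h$, truncated HMAC-SHA1 for the keyed hash, plain byte concatenation of fields, the 5-second threshold, and all key and field values are assumptions.

```python
import hashlib
import hmac
import struct

PSEUDONYM_LEN = 8      # 8-byte pseudonyms, as in the security analysis
MAC_LEN = 4            # 4-byte MACs, as in TinySec-AE
DELTA_T_FRESH = 5      # freshness threshold in seconds (assumed value)


def h(*fields):
    """Unkeyed hash h(.) over the concatenated fields (SHA-1 is an assumption)."""
    return hashlib.sha1(b"".join(fields)).digest()[:PSEUDONYM_LEN]


def mac(key, *fields):
    """Keyed hash h_K(.) truncated to 4 bytes (HMAC-SHA1 is an assumption)."""
    return hmac.new(key, b"".join(fields), hashlib.sha1).digest()[:MAC_LEN]


def ts(t):
    """4-byte big-endian timestamp field."""
    return struct.pack(">I", t)


def build_query(id_u, t_q, x_u, ik_u, k_grp):
    """query-msg fields with MAC(1) from (25) and MAC(2) from (26)."""
    body = (id_u, ts(t_q), x_u)
    return {"id_u": id_u, "t_q": t_q, "x_u": x_u,
            "mac1": mac(ik_u, *body), "mac2": mac(k_grp, *body)}


def tag_node_check(query, ik_u, t_self):
    """Tag-node side: timestamp window (27) first, then MAC(1) (25)."""
    if abs(query["t_q"] - t_self) > DELTA_T_FRESH:
        return "replay"
    expected = mac(ik_u, query["id_u"], ts(query["t_q"]), query["x_u"])
    if not hmac.compare_digest(expected, query["mac1"]):
        return "forged"
    return "fresh"


def build_reply(id_u, pseudonym, ciphertext, key):
    """Reply fields the query node checks: pseudonym plus MAC over DATA2."""
    return {"pseudonym": pseudonym, "ciphertext": ciphertext,
            "mac2": mac(key, id_u, pseudonym, ciphertext)}


class QueryNode:
    """Query node u: classifies a reply-msg by its pseudonym, then checks the MAC."""

    def __init__(self, id_u, ik_u, k_wu, id_wu):
        self.id_u, self.ik_u, self.k_wu = id_u, ik_u, k_wu
        self.id_wu = id_wu          # current pseudonym shared with token node w
        self.t_q = None

    def start_round(self, t_q):
        self.t_q = t_q              # timestamp of the query just broadcast

    def classify(self, reply):
        p = reply["pseudonym"]
        if hmac.compare_digest(p, h(self.ik_u, ts(self.t_q))):      # (11)
            sender, key = "tag-node", self.ik_u
        elif hmac.compare_digest(p, self.id_wu):
            sender, key = "token-node", self.k_wu
        else:
            return "reject"         # unknown or stale pseudonym
        expected = mac(key, self.id_u, p, reply["ciphertext"])
        if not hmac.compare_digest(expected, reply["mac2"]):
            return "reject"
        if sender == "token-node":
            self.id_wu = h(self.k_wu, self.id_wu)                   # (24)
        return sender


def demo():
    """Run one round with constructed keys and return what each check decided."""
    id_u, ik_u, k_grp, k_wu = b"\x00\x07", b"IK_u-sample", b"K_grp-sample", b"K_wu-sample"
    query = build_query(id_u, 1000, b"\x11" * 64, ik_u, k_grp)
    u = QueryNode(id_u, ik_u, k_wu, id_wu=h(k_wu, b"seed"))
    u.start_round(1000)
    tag_reply = build_reply(id_u, h(ik_u, ts(1000)), b"\xaa" * 16, ik_u)
    token_reply = build_reply(id_u, u.id_wu, b"\xbb" * 16, k_wu)
    return {
        "query on time": tag_node_check(query, ik_u, t_self=1002),
        "query replayed later": tag_node_check(query, ik_u, t_self=1060),
        "query with rewritten timestamp": tag_node_check(dict(query, t_q=1060), ik_u, 1060),
        "tag reply": u.classify(tag_reply),
        "token reply": u.classify(token_reply),
        "token reply replayed": u.classify(token_reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The replayed token reply is rejected because the query node has already advanced its copy of the pseudonym chain, which is the "synchronous pseudonym" condition in the freshness analysis.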

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as in [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$b = \log_2 \frac{M + L}{M} \tag{28}$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section we provide the packet format and length for each type of messages. According to IEEE 802.15.4 frame format [39], each packet includes 9 bytes constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of messages in both our schemes and SS includes the 9 bytes constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte X coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte X coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\mathrm{len}_{\text{query-msg}}$. So we have $\mathrm{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MACs fields. We assume that the encrypted function is implemented using the AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\mathrm{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32 using the AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC, in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal is $\mathrm{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MACs fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MACs field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to in GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-iss/ss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead.

(1) In the broadcasting query-msg phase, duty nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msg and replying query-msg, we can transmit them on two different channels. Therefore, the number of query-msgs broadcast, $N_{\text{Tx-qry-msg}}$, in the network will be equal to the number of the duty nodes; the number of query-msgs received, $N_{\text{Rx-qry-msg}}$, in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$.

(2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted, $N_{\text{Tx-rpl-msg}}$, in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of reply-msgs received, $N_{\text{Rx-rpl-msg}}$, in the network will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$.

(3) In the sending rpt-msgs phase, the chosen duty nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\mathrm{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\mathrm{hop}_{\text{avg}}$.

Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-GBP}} &= \left(N_{\text{Tx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55
\end{aligned}
\tag{29}
$$

$$
\begin{aligned}
E_{\text{Rx-GBP}} &= \left(N_{\text{Rx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55
\end{aligned}
\tag{30}
$$

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead.

(1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively.

(2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes’ neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho^2_{\text{node}}$, respectively.

(3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\mathrm{hop}_{\text{avg}}$.

Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-ISS}} &= \left(N_{\text{Tx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{31}
$$

$$
\begin{aligned}
E_{\text{Rx-ISS}} &= \left(N_{\text{Rx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho^2_{\text{node}} \times 55 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{32}
$$

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. In both the transmitting event-trigger-signal phase and the sending token-pass-msg phase, it is similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of token-pass-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

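$$
\begin{aligned}
E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{33}
$$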


Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

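$$
\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\rho_{\text{node}}^{2} \times 35 + E_{\text{Rx}} \times (L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{34}
$$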

According to (29), (31), and (33), we can derive

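$$
E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}}\left[n_{\text{row}} \times n_{\text{clw}} \times 87 + (L + M) \times \left(32 + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}\right)\right]
\tag{35}
$$

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\left[n_{\text{row}} \times n_{\text{clw}} \times 87 + (L + M) \times \left(32 + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right)\right]
\tag{36}
$$

$$
E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M)\left(20\rho_{\text{node}} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right)
\tag{37}
$$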

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \text{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

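$$
E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}^{2}\right)
\tag{38}
$$

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}}^{2} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right)
\tag{39}
$$

$$
E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\rho_{\text{node}}^{2} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right)
\tag{40}
$$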

In (38), if

$$
\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\text{hop}_{\text{avg}}\right)}}{110}
\tag{41}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\text{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

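In (40), if

$$
\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\text{hop}_{\text{avg}} - \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^{2} - 3120\,\text{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\text{hop}_{\text{avg}} + \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^{2} - 3120\,\text{hop}_{\text{avg}}}}{40}
\end{aligned}
\tag{43}
$$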

with $\text{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps, used in TelosB nodes, consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
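The message counts of Tables 2 to 4, the bounds (41) and (43), and the lifetime estimate above can be checked numerically. The following Python sketch is an added example, not code from the paper; the values hop_avg = 10 and a 400-cell grid used in the demo loop are assumptions, and every other constant is taken from the text.

```python
import math

# Per-byte radio cost of the CC2420 quoted in Section 6.1.3, in joules.
E_TX, E_RX = 5.76e-6, 6.48e-6
# Packet lengths in bytes: GBP from Section 6.1.1, ISS/SS from (31)-(34).
LEN = {
    "gbp": {"query": 87, "reply": 49, "rpt": 55},
    "iss": {"trig": 17, "token": 55, "rpt": 39},
    "ss": {"trig": 17, "token": 35, "rpt": 39},
}


def objects_for_privacy(bits, m=1):
    """Invert (28): b = log2((M + L) / M) gives M + L = M * 2**b."""
    return m * 2 ** bits


def message_counts(scheme, n_obj, rho, hop, n_cells=0):
    """(Tx, Rx) message counts per type, as in Tables 2-4; n_obj is L + M."""
    if scheme == "gbp":
        return {
            "query": (n_cells, n_obj),
            "reply": (n_obj, n_obj * rho),
            "rpt": (n_obj * hop, n_obj * hop),
        }
    rpt = n_obj * hop if scheme == "iss" else n_obj * rho * hop
    return {
        "trig": (n_obj, n_obj * rho),
        "token": (n_obj * rho, n_obj * rho ** 2),
        "rpt": (rpt, rpt),
    }


def energy(scheme, n_obj, rho, hop, n_cells=0):
    """Return (E_Tx, E_Rx) in joules for one event per object."""
    counts = message_counts(scheme, n_obj, rho, hop, n_cells)
    tx = E_TX * sum(c[0] * LEN[scheme][k] for k, c in counts.items())
    rx = E_RX * sum(c[1] * LEN[scheme][k] for k, c in counts.items())
    return tx, rx


def positive_root(a, b, c):
    """Larger root of a*x**2 + b*x + c = 0."""
    return (-b + math.sqrt(b * b - 4 * a * c)) / (2 * a)


def rho_min_gbp_le_iss(hop):
    """Bound (41): from (38), 55*rho**2 - 32*rho - (87 + 16*hop) >= 0."""
    return positive_root(55, -32, -(87 + 16 * hop))


def rho_min_gbp_le_ss(hop):
    """From (39): 35*rho**2 + (39*hop - 32)*rho - (87 + 55*hop) >= 0."""
    return positive_root(35, 39 * hop - 32, -(87 + 55 * hop))


def rho_range_iss_le_ss(hop):
    """Interval (43) where E_Rx-ISS <= E_Rx-SS, or None if it is empty."""
    disc = (39 * hop) ** 2 - 3120 * hop
    if disc < 0:
        return None
    root = math.sqrt(disc)
    return (39 * hop - root) / 40, (39 * hop + root) / 40


def tag_lifetime_days(battery_j=18720, queries_per_day=24 * 60, ecc_j=17e-3):
    """Section 6.1.3: receive a query-msg, one scalar multiplication, reply."""
    per_query = ecc_j + LEN["gbp"]["query"] * E_RX + LEN["gbp"]["reply"] * E_TX
    return battery_j / (queries_per_day * per_query)


if __name__ == "__main__":
    RHO, HOP, CELLS = 47, 10, 400  # HOP and CELLS are assumed values
    for bits in (1, 5, 10):
        n = objects_for_privacy(bits)
        row = {s: energy(s, n, RHO, HOP, CELLS) for s in LEN}
        print(bits, {s: (round(t, 2), round(r, 2)) for s, (t, r) in row.items()})
    print(rho_min_gbp_le_iss(20), rho_min_gbp_le_ss(20), rho_range_iss_le_ss(10))
    print(round(tag_lifetime_days()), "days")
```

With the simulation's density of 47 neighbors, the node density lies above the upper end of interval (43), which is why receiving costs more in ISS than in SS there.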

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network as [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

Figure 6: Communication cost for transmitting messages of the network at different privacy levels. (Plot: communication cost for transmitting messages (J) versus privacy in terms of number of bits (b), for GBP, ISS, and SS.)

Figure 7: Communication cost for receiving messages of the network at different privacy levels. (Plot: communication cost for receiving messages (J) versus privacy in terms of number of bits (b), for GBP, ISS, and SS.)

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \text{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^{2})$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.

Figure 8: Total communication cost of the network at different privacy levels. (Plot: communication cost (J) versus privacy in terms of number of bits (b), for GBP, ISS, and SS.)

From Figure 6 to Figure 8, we also see that in the three schemes the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, “A survey of applications of wireless sensors and wireless sensor networks,” in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC ’05 and MED ’05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and applications: a survey,” International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensor networks: a survey,” IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensor network security: a survey,” IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS ’05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, “Analysis of location privacy solutions in wireless sensor networks,” IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.


[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM ’08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC ’09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS ’06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en.


5.3.4. Security Analysis. The GBP scheme provides the following security services.

(1) Confidentiality Service. The confidentiality service provided by the GBP scheme is shown in two aspects. On the one hand, the GBP scheme achieves the confidentiality of identifications of the tag-nodes and the token nodes at the reply query message phase via the pseudonym technique, as shown in (10) and (15). In other words, when receiving a reply-msg, the adversary cannot know whether the message is sent by a tag-node or a token node from the pseudonym fields, that is, from $\text{id}^{(*)}_{V\text{-bs}}$ and $\text{id}^{(*)}_{w\text{-next}}$. This is because the adversary does not have the corresponding secret keys $K_{V\text{-bs}}$ and $K_{w\text{-next}}$ to generate corresponding pseudonyms, as shown in (22) and (23). However, query nodes and the chosen next round's token nodes can receive reply-msgs effectively with the help of the corresponding secret keys, such as $\text{IK}_{u}$, $K_{wu}$, and $K_{w\text{-next}}$, as shown in (11), (24), and (23). If the corresponding pseudonym is $\text{id}_{u}$, it implies that the reply-msg is sent from a tag-node; if the corresponding pseudonym is $\text{id}^{(*)}_{wu}$, it implies that the reply-msg is sent from token node $w$. And if a node has the pseudonym $\text{id}^{(*)}_{w\text{-next}}$, it implies that it is the chosen token node of next round. It not only guarantees that tag-nodes reply the query messages confidentially but also guarantees that token nodes pass tokens confidentially.

$$
\text{id}^{(*)}_{V\text{-bs}} = h\left(K_{V\text{-bs}}\,\text{id}^{(*-1)}_{V\text{-bs}}\right)
\tag{22}
$$

$$
\text{id}^{(*)}_{w\text{-next}} = h\left(K_{w\text{-next}}\,\text{id}^{(*-1)}_{w\text{-next}}\right)
\tag{23}
$$

$$
\text{id}^{(*)}_{wu} = h\left(K_{wu}\,\text{id}^{(*-1)}_{wu}\right)
\tag{24}
$$

However, using the pseudonym technique, we have to solve the influence of pseudonym collision, that is, more than one node has the same pseudonym, because the hash function may generate same outputs from different inputs. The birthday paradox implies that the pseudonym collision probability is $2^{-n_{\text{bit}}/2}$, where $n_{\text{bit}}$ is the number of bits of a pseudonym. Given an 8-byte pseudonym, the collision probability is 2.3e−10, which implies that this probability can be negligible. At the same time, as we also provide the authentication service via checking MACs, even though a pseudonym collision happens, a node can judge whether a received message is delivered to it or not. In other words, using 8-byte pseudonyms and with the help of the authentication service, we can guarantee that tag-nodes reply query messages and token nodes pass tokens unambiguously.

On the other hand, the GBP scheme guarantees confidentiality of the contents of messages via encrypting their contents using secret pairwise keys $K_{V\text{-bs}}$, $K_{w\text{-next}}$, and $K_{\text{rs-bs}}$, as shown in (10), (15), and (18).

(2) Authentication Service. The authentication service of the GBP scheme is provided via checking MACs and pseudonyms. For example, in (9), tag-nodes and token nodes can authenticate duty nodes via using corresponding keys, such as $\text{IK}_{u}$ and $K_{\text{grp}}$, to check the first MAC, $\text{MAC}^{(1)}$, and the second MAC, $\text{MAC}^{(2)}$, respectively, as shown in (25) and (26). Obviously, if the corresponding MAC is verified, it implies that the corresponding duty node owns the required key and the authentication is verified. In order to defend against an adversary forging a valid MAC for a particular message, we adopt a 4-byte MAC as the TinySec-AE [38] packet does. This implies that an adversary has a 1 in $2^{32}$ chance in blindly forging a valid MAC for a particular message, which can provide an adequate level of security for WSNs [38]. Similarly, duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking MACs; relay-nodes can authenticate each other using MACs. And duty nodes and chosen next round's token nodes can authenticate tag-nodes and current token nodes via checking pseudonyms, as shown in (11), (24), and (23).

$$
\text{MAC}^{(1)} = h_{\text{IK}_{u}}\left(\text{ID}_{u}\, t_{Q}\, X_{u}\right)
\tag{25}
$$

$$
\text{MAC}^{(2)} = h_{K_{\text{grp}}}\left(\text{ID}_{u}\, t_{Q}\, X_{u}\right)
\tag{26}
$$

(3) Integrity Service. The integrity service of the GBP scheme is provided via checking MACs, similar to the analysis for the authentication service, such as in (9), (10), and (15).

(4) Freshness Service. The freshness service of the GBP scheme can be provided via the timestamp in (9), (18), and (20). For example, if a tag-node receives a query-msg, it can compare the timestamp field $t_{Q}$ in (9) with its local time $t_{\text{self}}$ as (27). If $\Delta_{t}$ is above a certain threshold $\Delta_{t\text{-fresh}}$, we can believe that the received query-msg is a replay message and the tag-node shall discard the message. If $\Delta_{t} \le \Delta_{t\text{-fresh}}$, then the tag-node will check the first MAC field in (9), as shown in (25). If the MAC field is incorrect, the received query-msg may be a forged message using a fresh timestamp. Else, we can believe the received message is fresh. At the same time, the freshness service of the GBP scheme can be provided by the second pseudonym field in (10) and (15). In (10), the pseudonym $\text{id}_{u}$ is generated with the help of the query timestamp $t_{Q}$, as shown in (11). When a query node $u$ receives a reply-msg from a tag-node, it can judge whether the received message is fresh or not via comparing the pseudonym field $\text{id}_{u}$. In (15), if a query node $u$ receives a reply-msg from a token node $w$, it can also judge whether the received message is fresh or not via comparing the pseudonym field $\text{id}^{(*)}_{wu}$. If they own the synchronous pseudonym, then it can believe the received message is fresh.

$$
\Delta_{t} = \left| t_{Q} - t_{\text{self}} \right|
\tag{27}
$$

(5) Privacy Service. As both the adversary and the defender have similar knowledge about the behavior of real objects, we assume that any candidate trace created by the token nodes in the network will be considered as a valid candidate trace by the adversary, as [9, 10]. On the one hand, as the confidentiality service is provided by the GBP scheme, the adversary cannot distinguish between tag-nodes and token nodes based on the contents of messages in the network. On the other hand, as the communication schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_{A}| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$
b = \log_{2} \frac{M + L}{M}
\tag{28}
$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.
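The pseudonym update in (22) to (24) and the tag-node checks in (25) to (27) can be exercised as follows. This is an added example, not the authors' implementation: SHA-256 and HMAC-SHA-256 stand in for $h$ and the keyed $h$, the hash inputs are assumed to be concatenated, the keys are constructed byte strings rather than keys derived through the paper's IBC scheme, and the freshness window is an assumed parameter.

```python
import hashlib
import hmac
import struct

PSEUDONYM_LEN = 8  # bytes per pseudonym field in a reply-msg
MAC_LEN = 4        # bytes per MAC field
HEADER_LEN = 9     # constant IEEE 802.15.4 bytes counted in Section 6.1.1
QUERY_BODY = struct.Struct(">HI64s")  # ID_u (2 B), t_Q (4 B), X_u (64 B)


def next_pseudonym(key: bytes, prev: bytes) -> bytes:
    """One step of (22)-(24): hash the shared key with the previous pseudonym."""
    return hashlib.sha256(key + prev).digest()[:PSEUDONYM_LEN]


def mac4(key: bytes, body: bytes) -> bytes:
    """Keyed hash over ID_u, t_Q, X_u as in (25)/(26), truncated to 4 bytes."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_query(src_id, t_q, x_coord, ik_u, k_grp):
    """Duty-node side: body, then MAC(1) under IK_u and MAC(2) under K_grp."""
    if len(x_coord) != 64:
        raise ValueError("X coordinate must be 64 bytes")
    body = QUERY_BODY.pack(src_id, t_q, x_coord)
    return body + mac4(ik_u, body) + mac4(k_grp, body)


def check_query(pkt, t_self, ik_u, fresh_window):
    """Tag-node side: freshness test (27) first, then MAC(1) from (25)."""
    if len(pkt) != QUERY_BODY.size + 2 * MAC_LEN:
        return "malformed"
    body = pkt[:QUERY_BODY.size]
    mac1 = pkt[QUERY_BODY.size:QUERY_BODY.size + MAC_LEN]
    _, t_q, _ = QUERY_BODY.unpack(body)
    if abs(t_q - t_self) > fresh_window:
        return "replay"   # stale timestamp: discard without hashing
    if not hmac.compare_digest(mac1, mac4(ik_u, body)):
        return "forged"   # fresh timestamp but wrong MAC
    return "fresh"


class PseudonymChain:
    """Key and last synchronized pseudonym shared by one pair of nodes."""

    def __init__(self, key: bytes, seed: bytes):
        self.key, self.current = key, seed

    def advance(self) -> bytes:
        """Sender side: move to the next pseudonym and return it."""
        self.current = next_pseudonym(self.key, self.current)
        return self.current

    def accept(self, received: bytes) -> bool:
        """Receiver side: accept only the next pseudonym in the chain."""
        expected = next_pseudonym(self.key, self.current)
        if hmac.compare_digest(received, expected):
            self.current = expected
            return True
        return False


def demo():
    # Constructed sample keys and values, for illustration only.
    ik_u, k_grp, k_wu = bytes(range(16)), bytes(range(16, 32)), b"k" * 16
    pkt = build_query(7, 1000, bytes(64), ik_u, k_grp)
    sender = PseudonymChain(k_wu, bytes(PSEUDONYM_LEN))
    receiver = PseudonymChain(k_wu, bytes(PSEUDONYM_LEN))
    first = sender.advance()
    return {
        "frame_bytes": HEADER_LEN + len(pkt),
        "in_window": check_query(pkt, 1002, ik_u, 5),
        "late": check_query(pkt, 1060, ik_u, 5),
        "first_use": receiver.accept(first),
        "reuse": receiver.accept(first),
    }


if __name__ == "__main__":
    print(demo())
```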

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

611 Packet Format and Length In order to analyze thecommunication cost accurately in this section we providethe packet format and length for each type of messagesAccording to IEEE 802154 frame format [39] each packetincludes 9 bytes constant information which consists of the4-byte preamble sequence the 1-byte start of frame delimiterthe 1-byte frame length the 2-byte frame control field andthe 1-byte data sequence number That is to say each type ofmessages in both our schemes and SS includes the 9 bytesconstant information

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte X coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte X coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\text{len}_{\text{query-msg}}$. So we have $\text{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MAC fields. We assume that the encryption function is implemented using AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\text{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\text{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC, in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal is $\text{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MAC fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\text{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg is $\text{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\text{len}_{\text{rpt-msg-iss/ss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the broadcasting query-msg phase, duty-nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msg and replying query-msg, we can transmit them on two different channels. Therefore, the number of query-msgs broadcast, $N_{\text{Tx-qry-msg}}$, in the network will be equal to the number of the duty nodes; the number of query-msgs received, $N_{\text{Rx-qry-msg}}$, in the network will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$. (2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted, $N_{\text{Tx-rpl-msg}}$, in the network will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of reply-msgs received, $N_{\text{Rx-rpl-msg}}$, in the network will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$. (3) In the sending rpt-msgs phase, the chosen duty-nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\text{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\text{hop}_{\text{avg}}$. Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

$$\begin{aligned}
E_{\text{Tx-GBP}} &= \left( N_{\text{Tx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}} \right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55,
\end{aligned} \tag{29}$$

$$\begin{aligned}
E_{\text{Rx-GBP}} &= \left( N_{\text{Rx-qry-msg}}\,\text{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\text{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\text{len}_{\text{rpt-msg-gbp}} \right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 55.
\end{aligned} \tag{30}$$

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes’ neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^2$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\text{hop}_{\text{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

$$\begin{aligned}
E_{\text{Tx-ISS}} &= \left( N_{\text{Tx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-iss/ss}} \right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{31}$$

$$\begin{aligned}
E_{\text{Rx-ISS}} &= \left( N_{\text{Rx-trig-msg-iss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\text{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\text{len}_{\text{rpt-msg-iss/ss}} \right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 55 + E_{\text{Rx}} \times (L + M)\,\text{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{32}$$

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. Both the transmitting event-trigger-signal phase and the sending token-pass-msg phase are similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of rpt-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

$$\begin{aligned}
E_{\text{Tx-SS}} &= \left( N_{\text{Tx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}} \right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{33}$$

Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^2$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

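$$\begin{aligned}
E_{\text{Rx-SS}} &= \left( N_{\text{Rx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}} \right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^2 \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{34}$$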

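According to (29), (31), and (33), we can derive

$$E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left( 32 + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}} \right) \right], \tag{35}$$

$$E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left( 32 + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}} \right) \right], \tag{36}$$

$$E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}} (L + M) \left( 20\rho_{\text{node}} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}} \right). \tag{37}$$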

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \text{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^2$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

$$E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}} (L + M) \times \left( 87 + 32\rho_{\text{node}} + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}^2 \right), \tag{38}$$

$$E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}} (L + M) \times \left( 87 + 32\rho_{\text{node}} + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}}^2 - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}} \right), \tag{39}$$

$$E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}} (L + M) \times \left( 20\rho_{\text{node}}^2 + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}} \right). \tag{40}$$

In (38), if

$$\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220 \left( 87 + 16\,\text{hop}_{\text{avg}} \right)}}{110}, \tag{41}$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\text{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

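In (40), if

$$\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\text{hop}_{\text{avg}} - \sqrt{\left( 39\,\text{hop}_{\text{avg}} \right)^2 - 3120\,\text{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\text{hop}_{\text{avg}} + \sqrt{\left( 39\,\text{hop}_{\text{avg}} \right)^2 - 3120\,\text{hop}_{\text{avg}}}}{40},
\end{aligned} \tag{43}$$

with $\text{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.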

6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps, used in TelosB nodes, consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
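The packet lengths of Section 6.1.1, the message counts of Tables 2 to 4, the density thresholds quoted for hop_avg = 20, and the tag-node budget of Section 6.1.3 can be checked numerically. The Python sketch below is an added example, not the authors' code; the function names are hypothetical, and hop_avg = 8 and 400 grids in the printed sweep are assumed values (the page gives only ρ_node = 47).

```python
"""Energy model of Sections 6.1.1-6.1.3 (added example, not the authors' code)."""

HDR = 9  # constant IEEE 802.15.4 part carried by every packet (bytes)

# Payload field sizes in bytes, as listed in Section 6.1.1.
LAYOUT = {
    "query":     [2, 4, 64, 4, 4],       # source address, timestamp, X coordinate, 2 MACs
    "reply":     [8, 8, 16, 4, 4],       # 2 pseudonyms, one AES-128 block, 2 MACs
    "rpt_gbp":   [2, 2, 2, 4, 32, 4],    # 3 IDs, timestamp, two AES-128 blocks, MAC
    "trig":      [4, 4],                 # timestamp, MAC
    "token_iss": [2, 4, 16, 16, 4, 4],   # ID, timestamp, 2 encrypted fields, 2 MACs
    "token_ss":  [2, 4, 16, 4],          # ID, timestamp, encrypted field, MAC
    "rpt_ss":    [2, 2, 2, 4, 16, 4],    # 3 IDs, timestamp, encrypted field, MAC (ISS and SS)
}
LEN = {name: HDR + sum(fields) for name, fields in LAYOUT.items()}

E_TX_UJ, E_RX_UJ = 5.76, 6.48  # CC2420 energy per transmitted / received byte (uJ)
ECC_MULT_MJ = 17.0             # one ECC-160 scalar point multiplication (mJ)
BATTERY_J = 18720.0            # two AA batteries (J)


def fake_objects(bits, real=1):
    """Token nodes L that give b bits of privacy, from b = log2((M + L) / M)."""
    return real * (2 ** bits - 1)


def message_counts(scheme, n, rho, hop, grids=0):
    """Rows (message type, Tx count, Rx count) of Tables 2-4, with n = L + M."""
    if scheme == "GBP":
        return [("query", grids, n), ("reply", n, n * rho),
                ("rpt_gbp", n * hop, n * hop)]
    if scheme == "ISS":
        return [("trig", n, n * rho), ("token_iss", n * rho, n * rho ** 2),
                ("rpt_ss", n * hop, n * hop)]
    if scheme == "SS":
        return [("trig", n, n * rho), ("token_ss", n * rho, n * rho ** 2),
                ("rpt_ss", n * rho * hop, n * rho * hop)]
    raise ValueError(f"unknown scheme: {scheme}")


def traffic_bytes(scheme, n, rho, hop, grids=0):
    """Bytes (transmitted, received) network-wide: the bracketed sums of (29)-(34)."""
    rows = message_counts(scheme, n, rho, hop, grids)
    return (sum(tx * LEN[msg] for msg, tx, _ in rows),
            sum(rx * LEN[msg] for msg, _, rx in rows))


def energy_joules(scheme, n, rho, hop, grids=0):
    """(E_Tx, E_Rx) in joules for one event per object."""
    tx, rx = traffic_bytes(scheme, n, rho, hop, grids)
    return tx * E_TX_UJ * 1e-6, rx * E_RX_UJ * 1e-6


def min_density(cheaper, dearer, hop, limit=1000):
    """Smallest integer rho_node at which `cheaper` receives no more bytes than `dearer`."""
    for rho in range(1, limit):
        if traffic_bytes(cheaper, 1, rho, hop)[1] <= traffic_bytes(dearer, 1, rho, hop)[1]:
            return rho
    return None


def tag_node_budget(rounds_per_day=24 * 60):
    """(mJ per query round, J per day, battery lifetime in days) for a GBP tag-node."""
    radio_mj = (LEN["query"] * E_RX_UJ + LEN["reply"] * E_TX_UJ) / 1000.0
    per_round_mj = ECC_MULT_MJ + radio_mj
    per_day_j = per_round_mj * rounds_per_day / 1000.0
    return per_round_mj, per_day_j, BATTERY_J / per_day_j


if __name__ == "__main__":
    RHO, HOP, GRIDS = 47, 8, 400  # rho_node is from the page; HOP and GRIDS are assumed
    print("b  scheme  E_Tx(J)  E_Rx(J)")
    for b in (1, 5, 10):
        n = 1 + fake_objects(b)  # one real object, as in the simulation setup
        for scheme in ("GBP", "ISS", "SS"):
            e_tx, e_rx = energy_joules(scheme, n, RHO, HOP, GRIDS)
            print(f"{b:<2d} {scheme:<6s} {e_tx:8.2f} {e_rx:8.2f}")
    print("rho_node threshold GBP vs ISS, hop_avg = 20:", min_density("GBP", "ISS", 20))
    print("rho_node threshold GBP vs SS,  hop_avg = 20:", min_density("GBP", "SS", 20))
    print("tag-node budget (mJ/round, J/day, days):", tag_node_budget())
```

Because the counts are kept as integers, the byte totals reproduce the coefficients of (35) to (40) exactly, and the receive-side cost of ISS and SS is dominated by the ρ_node² token-pass term.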

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

Figure 6: Communication cost for transmitting messages of the network at different privacy levels. [Plot: communication cost for transmitting messages (J) versus privacy in terms of number of bits (b), from 1 to 10, for GBP, ISS, and SS.]

Figure 7: Communication cost for receiving messages of the network at different privacy levels. [Plot: communication cost for receiving messages (J) versus privacy in terms of number of bits (b), from 1 to 10, for GBP, ISS, and SS.]

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \text{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^2)$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports, while the SS cannot.

Figure 8: Total communication cost of the network at different privacy levels. [Plot: communication cost (J) versus privacy in terms of number of bits (b), from 1 to 10, for GBP, ISS, and SS.]

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice, with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports, while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, “A survey of applications of wireless sensors and wireless sensor networks,” in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC ’05 and MED ’05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and applications: a survey,” International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensor networks: a survey,” IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensor network security: a survey,” IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS ’05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, “Analysis of location privacy solutions in wireless sensor networks,” IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.

[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM ’08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC ’09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS ’06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en.


International Journal of Distributed Sensor Networks 11

schemes of tag-nodes and token nodes are the same and indistinguishable for the adversary; hence, the adversary cannot distinguish between tag-nodes and token nodes based on the communication schemes. That is, the adversary cannot use the content information and the contextual information to distinguish tag-nodes from token nodes. In other words, $L$ token nodes create $L$ valid candidate traces. Therefore, we can see that the set of candidate locations includes an average of $(M + L)$ candidate objects, that is, $|S_A| = (M + L)$. As a result, according to (3), the privacy provided by the GBP scheme can be estimated by

$$
b = \log_2 \frac{M + L}{M}. \tag{28}
$$

Let us have a look at the following example, where we have one monitored object, $M = 1$, and one fake object, $L = 1$, in the network. Then, according to (28), $b = 1$. It means that one of the two candidate objects is the monitored object, since one bit can denote two possibilities.

6. Evaluations

In this section, we first give the communication and computation overhead of both our schemes and the SS scheme in [9, 10]. Then, we present performance results of them in terms of communication overhead.

6.1. Numerical Discussion. In this subsection, we provide mathematical analysis to get the numerical results of both our methods and the SS scheme in [9, 10] in terms of communication overhead and computation overhead.

6.1.1. Packet Format and Length. In order to analyze the communication cost accurately, in this section we provide the packet format and length for each type of messages. According to the IEEE 802.15.4 frame format [39], each packet includes 9 bytes of constant information, which consists of the 4-byte preamble sequence, the 1-byte start of frame delimiter, the 1-byte frame length, the 2-byte frame control field, and the 1-byte data sequence number. That is to say, each type of messages in both our schemes and SS includes the 9 bytes of constant information.

In GBP, a query-msg carries a 2-byte source address, which is denoted by the identification of the broadcasting node, a 4-byte timestamp, a 64-byte X coordinate of the broadcasting node on the elliptic curve $E/F_p$, and two 4-byte MACs, in addition to the 9-byte constant information. A 2-byte source address means that the network can contain $2^{16} - 1 = 65535$ nodes and may be sufficient for most applications. A 64-byte X coordinate means that $p$ is a 512-bit prime. Let the order $q$ of $G_a$ be a 160-bit prime. According to [40, 41], the chosen parameters deliver an equivalent level of security to that of 1024-bit RSA. We denote the byte length of the query-msg by $\mathrm{len}_{\text{query-msg}}$. So we have $\mathrm{len}_{\text{query-msg}} = 87$.

In GBP, a reply-msg consists of the 9-byte constant information, two 8-byte pseudonym fields, an encrypted field, and two 4-byte MAC fields. We assume that the encryption function is implemented using AES-128 with a 16-byte output. Then the byte length of the reply-msg is $\mathrm{len}_{\text{reply-msg}} = 49$.

In GBP, a rpt-msg carries three 2-byte ID fields, a 4-byte timestamp, an encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. As shown in (12) and (14), since the byte length of the encrypted information collectInfo is 28, including an 8-byte pseudonym, a 16-byte encrypted field, and a 4-byte MAC, the byte length of the encrypted field of the rpt-msg is 32, using AES-128 with two 16-byte outputs. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-gbp}} = 55$ in GBP.

In both ISS and SS, we assume that an event-trigger-signal carries a 4-byte timestamp and a 4-byte MAC in addition to the 9-byte constant information. Thus, the byte length of the event-trigger-signal is $\mathrm{len}_{\text{trig-msg}} = 17$.

In ISS, a token-pass-msg consists of the 9-byte constant information, a 2-byte ID field, a 4-byte timestamp, two encrypted fields, and two 4-byte MAC fields. Similar to the encrypted field of the reply-msg in GBP, the byte length of the encrypted field of the token-pass-msg in ISS is 16. Therefore, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-iss}} = 55$ in ISS.

In SS, a token-pass-msg carries a 2-byte ID field, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field, in addition to the 9-byte constant information. Thus, the byte length of the token-pass-msg is $\mathrm{len}_{\text{token-pass-msg-ss}} = 35$ in SS.

In both ISS and SS, similar to GBP, a rpt-msg consists of the 9-byte constant information, three 2-byte ID fields, a 4-byte timestamp, a 16-byte encrypted field, and a 4-byte MAC field. Therefore, the byte length of the rpt-msg is $\mathrm{len}_{\text{rpt-msg-issss}} = 39$ in ISS and SS.

6.1.2. Communication Overhead. In GBP, the communication overhead includes broadcasting and receiving query-msg overhead, replying and receiving query-msg overhead, and sending and receiving event report message (rpt-msg) overhead.

(1) In the broadcasting query-msg phase, duty-nodes broadcast query-msgs, and tag-nodes and token nodes listen on the chosen channel. Note that, in order to reduce the interinfluence caused by broadcasting query-msg and replying query-msg, we can transmit them on two different channels. Therefore, the number of query-msgs broadcast in the network, $N_{\text{Tx-qry-msg}}$, will be equal to the number of duty nodes; the number of query-msgs received in the network, $N_{\text{Rx-qry-msg}}$, will be equal to the number of token nodes (fake objects) plus tag-nodes (real objects). Suppose that the sensor field is divided into $n_{\text{row}} \times n_{\text{clm}}$ square grids. That is, the number of duty nodes is $n_{\text{row}} \times n_{\text{clm}}$. Thus, $N_{\text{Tx-qry-msg}} = n_{\text{row}} \times n_{\text{clm}}$. Assume that the number of fake objects is $L$ and the number of real objects is $M$; then $N_{\text{Rx-qry-msg}} = (L + M)$.

(2) In the replying query-msg phase, tag-nodes and token nodes send reply-msgs, and their neighbor nodes receive reply-msgs. Therefore, the number of reply-msgs transmitted in the network, $N_{\text{Tx-rpl-msg}}$, will be equal to the number of token nodes and tag-nodes, that is, $N_{\text{Tx-rpl-msg}} = (L + M)$; the number of reply-msgs received in the network, $N_{\text{Rx-rpl-msg}}$, will be equal to the number of their neighboring nodes. Let $\rho_{\text{node}}$ denote the average number of neighboring nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$.

(3) In the sending rpt-msgs phase, the chosen duty-nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\mathrm{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\mathrm{hop}_{\text{avg}}$.

Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-GBP}} &= \left(N_{\text{Tx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55,
\end{aligned} \tag{29}
$$

$$
\begin{aligned}
E_{\text{Rx-GBP}} &= \left(N_{\text{Rx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55.
\end{aligned} \tag{30}
$$

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead.

(1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals, and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively.

(2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes’ neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^{2}$, respectively.

(3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\mathrm{hop}_{\text{avg}}$.

Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-ISS}} &= \left(N_{\text{Tx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{31}
$$

$$
\begin{aligned}
E_{\text{Rx-ISS}} &= \left(N_{\text{Rx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 55 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{32}
$$

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. Both the transmitting event-trigger-signal phase and the sending token-pass-msg phase are similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of rpt-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39,
\end{aligned} \tag{33}
$$

$$
\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-issss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39.
\end{aligned} \tag{34}
$$

Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

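According to (29), (31), and (33), we can derive

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}\right) \right], \tag{35}
$$

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right) \right], \tag{36}
$$

$$
E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M) \left(20\rho_{\text{node}} + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right). \tag{37}
$$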

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \mathrm{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ |

Similarly, according to (30), (32), and (34), we can derive

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}^{2}\right), \tag{38}
$$

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}}^{2} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right), \tag{39}
$$

$$
E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\rho_{\text{node}}^{2} + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right). \tag{40}
$$

In (38), if

$$
\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\mathrm{hop}_{\text{avg}}\right)}}{110}, \tag{41}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

120588node ge

minus + radic2 + 140 (87 + 55hopavg)70

(42)

where = $(39\,\mathrm{hop}_{\text{avg}} - 32)$, then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

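In (40), if

$$
\rho_{\text{node}} \ge \frac{39\,\mathrm{hop}_{\text{avg}} - \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^{2} - 3120\,\mathrm{hop}_{\text{avg}}}}{40}, \qquad
\rho_{\text{node}} \le \frac{39\,\mathrm{hop}_{\text{avg}} + \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^{2} - 3120\,\mathrm{hop}_{\text{avg}}}}{40}, \tag{43}
$$

with $\mathrm{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.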

6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps, used in TelosB nodes, consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is $24 \times 60 \times 17.846$ mJ $= 25.699$ J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
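The Python sketch below is an added example, not code from the paper: it rebuilds the message lengths of Section 6.1.1, the counts of Tables 2 to 4 with equations (29) to (34), solves the Rx break-even conditions directly from the quadratics in (38) to (40), and repeats the tag-node lifetime estimate of Section 6.1.3. The grid count `GRIDS = 400` is an assumed value; $\rho_{\text{node}} = 47$ and $\mathrm{hop}_{\text{avg}} = 20$ come from the paper's simulation setup and its own examples, and all function names are chosen here.

```python
import math

HEADER = 9           # constant IEEE 802.15.4 framing bytes per packet (Section 6.1.1)
E_TX = 5.76e-6       # J per transmitted byte (CC2420 figure quoted in Section 6.1.3)
E_RX = 6.48e-6       # J per received byte
E_ECC = 17e-3        # J per ECC-160 scalar point multiplication
BATTERY_J = 18720.0  # 2 AA batteries, as quoted in Section 6.1.3
GRIDS = 400          # ASSUMED n_row * n_clm (20 x 20); not a value from the paper

# Payload fields in bytes per message type, as listed in Section 6.1.1.
LAYOUT = {
    "query":      {"src": 2, "timestamp": 4, "x_coord": 64, "macs": 2 * 4},
    "reply":      {"pseudonyms": 2 * 8, "enc": 16, "macs": 2 * 4},
    "rpt_gbp":    {"ids": 3 * 2, "timestamp": 4, "enc": 2 * 16, "mac": 4},
    "trig":       {"timestamp": 4, "mac": 4},
    "token_iss":  {"id": 2, "timestamp": 4, "enc": 2 * 16, "macs": 2 * 4},
    "token_ss":   {"id": 2, "timestamp": 4, "enc": 16, "mac": 4},
    "rpt_iss_ss": {"ids": 3 * 2, "timestamp": 4, "enc": 16, "mac": 4},
}

def msg_len(kind):
    """Total frame length in bytes for one message type."""
    return HEADER + sum(LAYOUT[kind].values())

def fake_objects_for(bits, m=1):
    """Invert (28), b = log2((M + L) / M): fake objects L needed for b bits."""
    return m * (2 ** bits - 1)

def message_counts(scheme, n, rho, hop, grids):
    """Rows (type, tx_count, rx_count) of Tables 2-4, with n = L + M."""
    if scheme == "GBP":
        return [("query", grids, n), ("reply", n, n * rho),
                ("rpt_gbp", n * hop, n * hop)]
    if scheme == "ISS":
        return [("trig", n, n * rho), ("token_iss", n * rho, n * rho ** 2),
                ("rpt_iss_ss", n * hop, n * hop)]
    if scheme == "SS":
        return [("trig", n, n * rho), ("token_ss", n * rho, n * rho ** 2),
                ("rpt_iss_ss", n * rho * hop, n * rho * hop)]
    raise ValueError(f"unknown scheme: {scheme}")

def energy(scheme, bits, rho, hop, grids, m=1):
    """(E_Tx, E_Rx) in joules for a privacy level of `bits`, per (29)-(34)."""
    n = m + fake_objects_for(bits, m)
    rows = message_counts(scheme, n, rho, hop, grids)
    tx = sum(c_tx * msg_len(kind) for kind, c_tx, _ in rows) * E_TX
    rx = sum(c_rx * msg_len(kind) for kind, _, c_rx in rows) * E_RX
    return tx, rx

def _roots(a, b, c):
    """Real roots (low, high) of a*x^2 + b*x + c = 0, or None if there are none."""
    disc = b * b - 4 * a * c
    if disc < 0:
        return None
    s = math.sqrt(disc)
    return (-b - s) / (2 * a), (-b + s) / (2 * a)

def rx_thresholds(hop):
    """Break-even neighbor densities for the Rx comparisons (38)-(40).

    Returns (rho_min for GBP <= ISS, rho_min for GBP <= SS,
             (rho_low, rho_high) interval where ISS <= SS, or None).
    """
    q, r, g = msg_len("query"), msg_len("reply"), msg_len("rpt_gbp")
    t, s = msg_len("trig"), msg_len("rpt_iss_ss")
    k_iss, k_ss = msg_len("token_iss"), msg_len("token_ss")
    gbp_iss = _roots(k_iss, t - r, (s - g) * hop - q)[1]
    gbp_ss = _roots(k_ss, t - r + s * hop, -(q + g * hop))[1]
    iss_ss = _roots(k_iss - k_ss, -s * hop, s * hop)
    return gbp_iss, gbp_ss, iss_ss

def tag_node_daily_energy(period_s=60):
    """Joules per day for a tag-node that answers one query-msg every period_s."""
    per_query = E_ECC + msg_len("query") * E_RX + msg_len("reply") * E_TX
    return (24 * 3600 / period_s) * per_query

if __name__ == "__main__":
    rho, hop = 47, 20  # rho from the simulation setup, hop from the paper's examples
    print("lengths:", {k: msg_len(k) for k in LAYOUT})
    print("Rx break-even (GBP<=ISS, GBP<=SS, ISS<=SS interval):", rx_thresholds(hop))
    for bits in (1, 4, 7, 10):
        row = {s: tuple(round(e, 3) for e in energy(s, bits, rho, hop, GRIDS))
               for s in ("GBP", "ISS", "SS")}
        print(f"b={bits}: (Tx J, Rx J) {row}")
    print("tag-node lifetime (days):", round(BATTERY_J / tag_node_daily_energy()))
```

With the assumed grid count, the fixed query broadcast cost dominates GBP's transmit energy at low privacy levels, which is why its advantage over ISS only appears as $b$ grows.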

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

Figure 6: Communication cost for transmitting messages of the network at different privacy levels. (Plot; x-axis: privacy in terms of number of bits (b); y-axis: communication cost for transmitting messages (J); curves: GBP, ISS, SS.)

Figure 7: Communication cost for receiving messages of the network at different privacy levels. (Plot; x-axis: privacy in terms of number of bits (b); y-axis: communication cost for receiving messages (J); curves: GBP, ISS, SS.)

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \mathrm{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^{2})$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.

Figure 8: Total communication cost of the network at different privacy levels. (Plot; x-axis: privacy in terms of number of bits (b); y-axis: communication cost (J); curves: GBP, ISS, SS.)

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice, with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, “A survey of applications of wireless sensors and wireless sensor networks,” in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC ’05 and MED ’05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and applications: a survey,” International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensor networks: a survey,” IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensor network security: a survey,” IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS ’05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, “Analysis of location privacy solutions in wireless sensor networks,” IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.

[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM 08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC 09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS 06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P 03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator Castalia httpcastaliaresearchnictacomauindexphpen


nodes of one node in the network. Then $N_{\text{Rx-rpl-msg}} = (L + M)\rho_{\text{node}}$. (3) In the sending rpt-msgs phase, the chosen duty-nodes generate rpt-msgs and deliver them to the sink node with the help of intermediate duty nodes along the forwarding paths. Let $\mathrm{hop}_{\text{avg}}$ be the average hop distance from a reporter source to the sink node, and let $N_{\text{Tx-rpt-msg-gbp}}$ and $N_{\text{Rx-rpt-msg-gbp}}$ be the number of rpt-msgs transmitted and received in the network, respectively. Since there are $L + M$ reporter sources and every reporter source generates a rpt-msg and delivers it to the sink node, we have $N_{\text{Tx-rpt-msg-gbp}} = N_{\text{Rx-rpt-msg-gbp}}$ and $N_{\text{Tx-rpt-msg-gbp}} = (L + M)\,\mathrm{hop}_{\text{avg}}$. Table 2 shows the total number of messages transmitted and received in each phase in the GBP scheme. Let $E_{\text{Tx}}$ and $E_{\text{Rx}}$ be the energy consumption for transmitting and receiving one byte, respectively. And let $E_{\text{Tx-GBP}}$ and $E_{\text{Rx-GBP}}$ be the energy consumption for transmitting and receiving messages in the GBP scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-GBP}} &= \left(N_{\text{Tx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Tx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Tx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times n_{\text{row}} \times n_{\text{clm}} \times 87 + E_{\text{Tx}} \times (L + M) \times 49 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55
\end{aligned}
\tag{29}
$$

$$
\begin{aligned}
E_{\text{Rx-GBP}} &= \left(N_{\text{Rx-qry-msg}}\,\mathrm{len}_{\text{query-msg}} + N_{\text{Rx-rpl-msg}}\,\mathrm{len}_{\text{reply-msg}} + N_{\text{Rx-rpt-msg-gbp}}\,\mathrm{len}_{\text{rpt-msg-gbp}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M) \times 87 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 49 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 55
\end{aligned}
\tag{30}
$$

In ISS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, transmitting and receiving token-pass-msg overhead, and sending and receiving event report message (rpt-msg) overhead. (1) In the transmitting event-trigger-signal phase, tag-nodes and token nodes send event-trigger-signals and their neighbor nodes receive event-trigger-signals, which is similar to the replying query-msg phase in GBP. Thus, the number of event-trigger-signals transmitted, $N_{\text{Tx-trig-msg-iss}}$, and the number of event-trigger-signals received, $N_{\text{Rx-trig-msg-iss}}$, are $L + M$ and $(L + M)\rho_{\text{node}}$, respectively. (2) In the transmitting token-pass-msg phase, token nodes, their neighboring nodes, and tag-nodes' neighbor nodes transmit token-pass-msgs. Thus, the number of token-pass-msgs transmitted, $N_{\text{Tx-token-msg-iss}}$, and the number of token-pass-msgs received, $N_{\text{Rx-token-msg-iss}}$, are $(L + M)\rho_{\text{node}}$ and $(L + M)\rho_{\text{node}}^{2}$, respectively. (3) In the sending rpt-msgs phase, the chosen reporter nodes generate rpt-msgs and deliver them to the sink node. Since one tag-node or one token node triggers a rpt-msg, similar to the sending rpt-msgs phase in GBP, we have $N_{\text{Tx-rpt-msg-iss}} = N_{\text{Rx-rpt-msg-iss}}$ and $N_{\text{Tx-rpt-msg-iss}} = (L + M)\,\mathrm{hop}_{\text{avg}}$. Table 3 shows the total number of messages transmitted and received in each phase in the ISS scheme. Let $E_{\text{Tx-ISS}}$ and $E_{\text{Rx-ISS}}$ be the energy consumption for transmitting and receiving messages in the ISS scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-ISS}} &= \left(N_{\text{Tx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Tx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 55 + E_{\text{Tx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{31}
$$

$$
\begin{aligned}
E_{\text{Rx-ISS}} &= \left(N_{\text{Rx-trig-msg-iss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-iss}}\,\mathrm{len}_{\text{token-pass-msg-iss}} + N_{\text{Rx-rpt-msg-iss}}\,\mathrm{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 55 + E_{\text{Rx}} \times (L + M)\,\mathrm{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{32}
$$

In SS, communication overhead includes broadcasting and receiving event-trigger-signal overhead, sending and receiving event report message (rpt-msg) overhead, and transmitting and receiving token-pass-msg overhead. In both transmitting event-trigger-signal phase and sending token-pass-msg phase, it is similar to the corresponding phases in the ISS scheme. In the sending rpt-msgs phase, since every node which receives the event-trigger-signal generates a rpt-msg and delivers it toward the sink node, the number of token-pass-msgs transmitted, $N_{\text{Tx-rpt-msg-ss}}$, is $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$. Table 4 shows the total number of messages transmitted and received in each phase in the SS scheme. Let $E_{\text{Tx-SS}}$ and $E_{\text{Rx-SS}}$ be the energy consumption for transmitting and receiving messages in the SS scheme, respectively. Then we have

$$
\begin{aligned}
E_{\text{Tx-SS}} &= \left(N_{\text{Tx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Tx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Tx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Tx}} \\
&= E_{\text{Tx}} \times (L + M) \times 17 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}} \times 35 + E_{\text{Tx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{33}
$$

$$
\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\mathrm{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\mathrm{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\mathrm{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}} \times 39
\end{aligned}
\tag{34}
$$

Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\,\mathrm{hop}_{\text{avg}}$ |

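According to (29), (31), and (33), we can derive

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}\right) \right]
\tag{35}
$$

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right) \right]
\tag{36}
$$

$$
E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M) \left(20\rho_{\text{node}} + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right)
\tag{37}
$$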

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \mathrm{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}$ |

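Similarly, according to (30), (32), and (34), we can derive

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\mathrm{hop}_{\text{avg}} - 55\rho_{\text{node}}^{2}\right)
\tag{38}
$$

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\mathrm{hop}_{\text{avg}} - 35\rho_{\text{node}}^{2} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right)
\tag{39}
$$

$$
E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\rho_{\text{node}}^{2} + 39\,\mathrm{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\mathrm{hop}_{\text{avg}}\right)
\tag{40}
$$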

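In (38), if

$$
\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\mathrm{hop}_{\text{avg}}\right)}}{110},
\tag{41}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

$$
\rho_{\text{node}} \ge \frac{-\left(39\,\mathrm{hop}_{\text{avg}} - 32\right) + \sqrt{\left(39\,\mathrm{hop}_{\text{avg}} - 32\right)^{2} + 140\left(87 + 55\,\mathrm{hop}_{\text{avg}}\right)}}{70},
\tag{42}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\mathrm{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

In (40), if

$$
\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\mathrm{hop}_{\text{avg}} - \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^{2} - 3120\,\mathrm{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\mathrm{hop}_{\text{avg}} + \sqrt{\left(39\,\mathrm{hop}_{\text{avg}}\right)^{2} - 3120\,\mathrm{hop}_{\text{avg}}}}{40},
\end{aligned}
\tag{43}
$$

with $\mathrm{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.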


6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
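The message-count model of (29)-(34), the density thresholds of (41)-(43), and the tag-node lifetime estimate of Section 6.1.3 can be checked numerically. The following is an added example, not code from the paper; the function names and the sample values for L + M, hop_avg, and the grid size are assumptions constructed for illustration.

```python
"""Added example: energy model of equations (29)-(34), thresholds (41)-(43)."""
from math import sqrt

# Per-byte radio energy and ECC cost quoted in Section 6.1.3.
E_TX_UJ = 5.76      # microjoules to transmit one byte (CC2420)
E_RX_UJ = 6.48      # microjoules to receive one byte (CC2420)
ECC_MULT_MJ = 17.0  # millijoules per ECC-160 scalar point multiplication

# Message lengths in bytes, as used in equations (29)-(34).
MSG_LEN = {
    "GBP": {"query": 87, "reply": 49, "rpt": 55},
    "ISS": {"trigger": 17, "token": 55, "rpt": 39},
    "SS": {"trigger": 17, "token": 35, "rpt": 39},
}


def message_counts(scheme, sources, rho, hop, grid_cells=0):
    """Return {msg_type: (n_tx, n_rx)} following Tables 2-4.

    sources = L + M, rho = rho_node, hop = hop_avg,
    grid_cells = n_row * n_clm (used by GBP only).
    """
    s = sources
    if scheme == "GBP":
        return {"query": (grid_cells, s), "reply": (s, s * rho),
                "rpt": (s * hop, s * hop)}
    if scheme in ("ISS", "SS"):
        # In SS every node that hears a trigger reports: extra rho factor.
        rpt = s * hop * (rho if scheme == "SS" else 1)
        return {"trigger": (s, s * rho), "token": (s * rho, s * rho ** 2),
                "rpt": (rpt, rpt)}
    raise ValueError(f"unknown scheme: {scheme}")


def byte_totals(scheme, sources, rho, hop, grid_cells=0):
    """Total bytes (transmitted, received) in the network for one round."""
    counts = message_counts(scheme, sources, rho, hop, grid_cells)
    lengths = MSG_LEN[scheme]
    tx = sum(n_tx * lengths[t] for t, (n_tx, _) in counts.items())
    rx = sum(n_rx * lengths[t] for t, (_, n_rx) in counts.items())
    return tx, rx


def energy_joules(scheme, sources, rho, hop, grid_cells=0):
    """(E_Tx, E_Rx) in joules, i.e. equations (29)-(34)."""
    tx, rx = byte_totals(scheme, sources, rho, hop, grid_cells)
    return tx * E_TX_UJ * 1e-6, rx * E_RX_UJ * 1e-6


def min_density_gbp_vs_iss_rx(hop):
    """Equation (41): smallest rho_node with E_Rx-GBP <= E_Rx-ISS."""
    return (32 + sqrt(1024 + 220 * (87 + 16 * hop))) / 110


def min_density_gbp_vs_ss_rx(hop):
    """Equation (42): smallest rho_node with E_Rx-GBP <= E_Rx-SS."""
    b = 39 * hop - 32
    return (-b + sqrt(b * b + 140 * (87 + 55 * hop))) / 70


def iss_vs_ss_rx_interval(hop):
    """Equation (43): rho_node interval where E_Rx-ISS <= E_Rx-SS.

    Returns None when the discriminant is negative (hop_avg too small),
    in which case ISS never receives less than SS.
    """
    disc = (39 * hop) ** 2 - 3120 * hop
    if disc < 0:
        return None
    root = sqrt(disc)
    return (39 * hop - root) / 40, (39 * hop + root) / 40


def tag_energy_per_query_mj():
    """Receive one query-msg, authenticate it, send one reply-msg (mJ)."""
    radio_uj = 87 * E_RX_UJ + 49 * E_TX_UJ
    return ECC_MULT_MJ + radio_uj / 1000.0


def tag_lifetime_days(battery_j=18720.0, queries_per_day=24 * 60):
    """Days a tag-node lasts on the stated battery at one query per minute."""
    per_day_j = queries_per_day * tag_energy_per_query_mj() / 1000.0
    return battery_j / per_day_j


if __name__ == "__main__":
    # Constructed sample: L + M = 10 sources, rho_node = 47 (the simulated
    # density), hop_avg = 8 and a 10 x 10 grid are illustrative assumptions.
    for scheme in MSG_LEN:
        e_tx, e_rx = energy_joules(scheme, 10, 47, 8, grid_cells=100)
        print(f"{scheme}: E_Tx = {e_tx:.4f} J, E_Rx = {e_rx:.4f} J")
    print("eq (41), hop_avg = 20:", round(min_density_gbp_vs_iss_rx(20), 2))
    print("eq (42), hop_avg = 20:", round(min_density_gbp_vs_ss_rx(20), 2))
    print("eq (43), hop_avg = 8:", iss_vs_ss_rx_interval(8))
    print("tag-node lifetime (days):", round(tag_lifetime_days()))
```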

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

Figure 6: Communication cost for transmitting messages of the network at different privacy levels. (x-axis: privacy in terms of number of bits (b); y-axis: communication cost for transmitting messages (J); series: GBP, ISS, SS.)

Figure 7: Communication cost for receiving messages of the network at different privacy levels. (x-axis: privacy in terms of number of bits (b); y-axis: communication cost for receiving messages (J); series: GBP, ISS, SS.)

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \mathrm{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^{2})$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports while the SS cannot.

Figure 8: Total communication cost of the network at different privacy levels. (x-axis: privacy in terms of number of bits (b); y-axis: communication cost (J); series: GBP, ISS, SS.)

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, “A survey of applications of wireless sensors and wireless sensor networks,” in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC ’05 and MED ’05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and applications: a survey,” International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensor networks: a survey,” IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensor network security: a survey,” IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS ’05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, “Analysis of location privacy solutions in wireless sensor networks,” IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.

[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM ’08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC ’09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS ’06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en.


Table 2: Total number of messages transmitted and received of each type in the GBP scheme.

| Type | Tx | Rx |
|---|---|---|
| query-msg | $n_{\text{row}} \times n_{\text{clm}}$ | $L + M$ |
| reply-msg | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

Table 3: Total number of messages transmitted and received of each type in the ISS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\,\text{hop}_{\text{avg}}$ | $(L + M)\,\text{hop}_{\text{avg}}$ |

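$$
\begin{aligned}
E_{\text{Rx-SS}} &= \left(N_{\text{Rx-trig-msg-ss}}\,\text{len}_{\text{trig-msg}} + N_{\text{Rx-token-msg-ss}}\,\text{len}_{\text{token-pass-msg-ss}} + N_{\text{Rx-rpt-msg-ss}}\,\text{len}_{\text{rpt-msg-iss/ss}}\right) E_{\text{Rx}} \\
&= E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}} \times 17 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}^{2} \times 35 + E_{\text{Rx}} \times (L + M)\,\rho_{\text{node}}\,\text{hop}_{\text{avg}} \times 39.
\end{aligned}
\tag{34}
$$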

According to (29), (31), and (33), we can derive

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-ISS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}\right) \right],
\tag{35}
$$

$$
E_{\text{Tx-GBP}} - E_{\text{Tx-SS}} = E_{\text{Tx}} \left[ n_{\text{row}} \times n_{\text{clm}} \times 87 + (L + M) \times \left(32 + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right) \right],
\tag{36}
$$

$$
E_{\text{Tx-ISS}} - E_{\text{Tx-SS}} = E_{\text{Tx}}\,(L + M) \left(20\rho_{\text{node}} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right).
\tag{37}
$$

Since WSNs are usually densely deployed, $\rho_{\text{node}} \ge \text{hop}_{\text{avg}}$. From (35) and (36), we can see that, with the privacy level increasing, the energy consumed to transmit messages in GBP will be less than that in ISS and SS. From (37), we can see that the energy consumed to transmit messages in ISS will be less than that in SS.

Table 4: Total number of messages transmitted and received of each type in the SS scheme.

| Type | Tx | Rx |
|---|---|---|
| event-trigger-signal | $L + M$ | $(L + M)\rho_{\text{node}}$ |
| token-pass-msg | $(L + M)\rho_{\text{node}}$ | $(L + M)\rho_{\text{node}}^{2}$ |
| rpt-msg | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ | $(L + M)\rho_{\text{node}}\,\text{hop}_{\text{avg}}$ |

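Similarly, according to (30), (32), and (34), we can derive

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-ISS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 16\,\text{hop}_{\text{avg}} - 55\rho_{\text{node}}^{2}\right),
\tag{38}
$$

$$
E_{\text{Rx-GBP}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(87 + 32\rho_{\text{node}} + 55\,\text{hop}_{\text{avg}} - 35\rho_{\text{node}}^{2} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right),
\tag{39}
$$

$$
E_{\text{Rx-ISS}} - E_{\text{Rx-SS}} = E_{\text{Rx}}\,(L + M) \times \left(20\rho_{\text{node}}^{2} + 39\,\text{hop}_{\text{avg}} - 39\rho_{\text{node}}\,\text{hop}_{\text{avg}}\right).
\tag{40}
$$

In (38), if

$$
\rho_{\text{node}} \ge \frac{32 + \sqrt{1024 + 220\left(87 + 16\,\text{hop}_{\text{avg}}\right)}}{110},
\tag{41}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$; that is, the energy consumed to receive messages in GBP will be less than that in ISS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 4$, then the energy consumed to receive messages in GBP is less than that in ISS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-ISS}}$.

In (39), if

$$
\rho_{\text{node}} \ge \frac{-\left(39\,\text{hop}_{\text{avg}} - 32\right) + \sqrt{\left(39\,\text{hop}_{\text{avg}} - 32\right)^{2} + 140\left(87 + 55\,\text{hop}_{\text{avg}}\right)}}{70},
\tag{42}
$$

then $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$; that is, the energy consumed to receive messages in GBP will be less than that in SS. For example, let $\text{hop}_{\text{avg}} = 20$; thus, if $\rho_{\text{node}} \ge 2$, then the energy consumed to receive messages in GBP is less than that in SS. Obviously, in most cases, as WSNs are densely deployed, we have $E_{\text{Rx-GBP}} \le E_{\text{Rx-SS}}$.

In (40), if

$$
\begin{aligned}
\rho_{\text{node}} &\ge \frac{39\,\text{hop}_{\text{avg}} - \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^{2} - 3120\,\text{hop}_{\text{avg}}}}{40}, \\
\rho_{\text{node}} &\le \frac{39\,\text{hop}_{\text{avg}} + \sqrt{\left(39\,\text{hop}_{\text{avg}}\right)^{2} - 3120\,\text{hop}_{\text{avg}}}}{40},
\end{aligned}
\tag{43}
$$

with $\text{hop}_{\text{avg}} \ge 3$, then $E_{\text{Rx-ISS}} \le E_{\text{Rx-SS}}$. Otherwise, $E_{\text{Rx-ISS}} \ge E_{\text{Rx-SS}}$.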

6.1.3. Computation Overhead. Compared with the SS scheme and the ISS scheme, the most time-consuming task for computation in the GBP scheme is the scalar point multiplication operation. Similar to [9, 10, 41, 42], we ignore conventional hash operations and symmetric-key encryption/decryption operations, as they consume much less energy than scalar point multiplications and transmitting/receiving operations. According to [43, 44], the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodes with the 16-bit MSP430 microcontroller running at 4 MHz is approximately 17 mJ. As reported in [44], a CC2420 transceiver with a claimed data rate of 250 kbps used in TelosB nodes consumes 5.76 and 6.48 μJ to transmit and receive one byte, respectively. As mentioned above, the byte lengths of a query-msg and a reply-msg in GBP are 87 and 49 bytes, respectively. Thus, the energy cost for receiving a query-msg and replying with a reply-msg by a tag-node is approximately 0.846 mJ. Let $E_{\text{rx-auth-tx}}$ denote the total energy consumption for receiving one query-msg, authenticating one query-msg, and replying with one reply-msg. Thus, we have $E_{\text{rx-auth-tx}} = 17.846$ mJ (i.e., 17 + 0.846). Assume that, on average, an object (a tag-node) in the network monitors the query-msg every 1 minute. Then the energy consumption is 24 × 60 × 17.846 mJ = 25.699 J for a tag-node per day. Since sensor nodes are usually powered by 2 AA batteries with 18720 J [45], a tag-node could work about 2 years with GBP. Therefore, the computation cost and the communication cost of GBP are acceptable for sensor nodes.
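The cost model of Tables 2 to 4, the receive-side conditions (41) to (43), and the tag-node budget of Section 6.1.3, written out as an added Python example (not the authors' code). The GBP rpt-msg length and the ISS message lengths are inferred here from the coefficients of (35) to (40), and the hop_avg, event count, and grid size used in the demo are constructed values.

```python
"""Energy model for GBP, ISS and SS from Tables 2-4 and Section 6.1.3."""
import math

# Radio and crypto costs quoted in Section 6.1.3 (TelosB, CC2420, ECC-160).
E_TX_UJ_PER_BYTE = 5.76   # transmit one byte, microjoules
E_RX_UJ_PER_BYTE = 6.48   # receive one byte, microjoules
ECC_MULT_MJ = 17.0        # one scalar point multiplication, millijoules
BATTERY_J = 18720.0       # two AA batteries, joules

# Message lengths in bytes. 87 and 49 are stated in the text and 17, 35
# and 39 appear in (34); the other values are inferred from the
# coefficients of (35)-(40) and are an assumption of this example.
LENGTHS = {
    "GBP": {"query": 87, "reply": 49, "rpt": 55},
    "ISS": {"trig": 17, "token": 55, "rpt": 39},
    "SS": {"trig": 17, "token": 35, "rpt": 39},
}


def byte_totals(scheme, events, rho, hop, cells=0):
    """Return (tx_bytes, rx_bytes): Table 2-4 message counts times lengths.

    events is the paper's L + M, rho is rho_node, hop is hop_avg and
    cells is n_row * n_clm (only GBP sends one query-msg per grid cell).
    """
    n = LENGTHS[scheme]
    if scheme == "GBP":
        tx = cells * n["query"] + events * n["reply"] + events * hop * n["rpt"]
        rx = events * (n["query"] + rho * n["reply"] + hop * n["rpt"])
    elif scheme == "ISS":
        # Only one node reports per event-trigger-signal.
        tx = events * (n["trig"] + rho * n["token"] + hop * n["rpt"])
        rx = events * (rho * n["trig"] + rho**2 * n["token"] + hop * n["rpt"])
    else:
        # SS: every neighbor of the event-trigger-signal reports.
        tx = events * (n["trig"] + rho * n["token"] + rho * hop * n["rpt"])
        rx = events * (rho * n["trig"] + rho**2 * n["token"] + rho * hop * n["rpt"])
    return tx, rx


def energy_joules(scheme, events, rho, hop, cells=0):
    """Return (E_Tx, E_Rx) in joules for the whole network."""
    tx, rx = byte_totals(scheme, events, rho, hop, cells)
    return tx * E_TX_UJ_PER_BYTE * 1e-6, rx * E_RX_UJ_PER_BYTE * 1e-6


def rho_min_gbp_vs_iss(hop):
    """Smallest rho_node with E_Rx-GBP <= E_Rx-ISS, condition (41)."""
    return (32 + math.sqrt(1024 + 220 * (87 + 16 * hop))) / 110


def rho_min_gbp_vs_ss(hop):
    """Smallest rho_node with E_Rx-GBP <= E_Rx-SS, condition (42)."""
    a = 39 * hop - 32  # the term 39*hop_avg - 32 that (42) repeats
    return (-a + math.sqrt(a * a + 140 * (87 + 55 * hop))) / 70


def rho_range_iss_vs_ss(hop):
    """Interval of rho_node where E_Rx-ISS <= E_Rx-SS, condition (43).

    Returns None when the quadratic in (40) has no real root.
    """
    disc = (39 * hop) ** 2 - 3120 * hop
    if disc < 0:
        return None
    root = math.sqrt(disc)
    return (39 * hop - root) / 40, (39 * hop + root) / 40


def tag_node_budget(queries_per_day=24 * 60):
    """Return (mJ per query, J per day, lifetime in years) for a tag-node."""
    radio_mj = (LENGTHS["GBP"]["query"] * E_RX_UJ_PER_BYTE
                + LENGTHS["GBP"]["reply"] * E_TX_UJ_PER_BYTE) / 1000
    per_query_mj = ECC_MULT_MJ + radio_mj
    daily_j = queries_per_day * per_query_mj / 1000
    return per_query_mj, daily_j, BATTERY_J / daily_j / 365


if __name__ == "__main__":
    # rho_node = 47 is the simulation's neighbor count; hop_avg = 10,
    # 16 events and a 20 x 20 grid are constructed values for illustration.
    for scheme in ("GBP", "ISS", "SS"):
        e_tx, e_rx = energy_joules(scheme, events=16, rho=47, hop=10, cells=400)
        print(f"{scheme}: E_Tx = {e_tx:.3f} J, E_Rx = {e_rx:.3f} J")
    print("GBP beats ISS on Rx for rho >=", round(rho_min_gbp_vs_iss(20), 2))
    print("GBP beats SS on Rx for rho >=", round(rho_min_gbp_vs_ss(20), 2))
    print("ISS beats SS on Rx for rho in", rho_range_iss_vs_ss(10))
    print("tag-node budget:", tag_node_budget())
```

With rho_node = 47 the node density lies above the upper bound of (43) for the constructed hop_avg, which is the regime in which the receive cost of ISS exceeds that of SS.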

6.2. Simulation Results. In this section, we present the simulation results of our methods and the SS method in terms of communication overhead. For the convenience of comparison, we assume that the event-trigger-signals emitted by token nodes and tag-nodes are distinguishable for reporter sources in SS.

6.2.1. Simulation Setup. The simulation is based on the Castalia simulator [46]. In the simulation, 6000 sensor nodes are randomly generated and distributed in a 1000 m × 1000 m area. The sink node is located at the center of the field. During the simulation, we assume that there is only one monitored object in the network, as in [9, 10]; that is, there is only one tag-node in the network. Multiple fake monitored objects, that is, token nodes, are randomly chosen from the sensor nodes and simulated in the field. For each node, including the tag-node, the transmission range is 50 m. Thus, on average, each node has 47 neighbors. As in [9, 10], we focus our simulation evaluation on how much communication cost we have to pay to achieve a given level of location privacy. For each experiment, there is only one event generated by each tag-node or by each token node. We repeated the experiment 20 times with different network topologies, and all the results were obtained by computing the average of all corresponding results.

6.2.2. Simulation Results. Figures 6 and 7 show the communication costs for transmitting and receiving messages of the network at different privacy levels, respectively. Figure 8 shows the total communication costs in the network at different privacy levels.

[Figure 6: Communication cost for transmitting messages of the network at different privacy levels. Axes: privacy in terms of number of bits (b) versus communication cost for transmitting messages (J); curves: GBP, ISS, SS.]

[Figure 7: Communication cost for receiving messages of the network at different privacy levels. Axes: privacy in terms of number of bits (b) versus communication cost for receiving messages (J); curves: GBP, ISS, SS.]

Figure 6 shows that (1) with the privacy level increasing, the energy consumed to transmit messages in GBP is less than that in both ISS and SS; (2) the energy consumed to transmit messages in ISS is less than that in SS, which are in accord with the analysis in Section 6.1.2. Figure 7 shows that (1) the energy consumed to receive messages in GBP is less than that in both ISS and SS; (2) the energy consumed to receive messages in SS is less than that in ISS. The reason is that $\rho_{\text{node}} = 47 > \text{hop}_{\text{avg}}$. The main communication cost for receiving messages in both ISS and SS is the part for receiving token-pass-msgs, and that is proportional to $O(\rho_{\text{node}}^{2})$. Figure 8 shows that the communication overhead of GBP is much lower than that of both SS and ISS with the privacy requirement increasing. Although the total communication cost of ISS is higher than that of SS on the whole, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it can let a reporter source generate effective event reports, while the SS cannot.

[Figure 8: Total communication cost of the network at different privacy levels. Axes: privacy in terms of number of bits (b) versus communication cost (J); curves: GBP, ISS, SS.]

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice with lower energy cost.

7. Conclusions

Prior work on protecting the DSLP against a global eavesdropper was based on the panda-hunter game model (PHGM) and rarely considered the communication between data sources and reporter sources, which restricts their applications and even causes their methods to fail. Only the SS method considered the event trigger process from monitored objects. However, the SS method still has two limitations. First, the reporter source cannot generate effective event reports, as the event-trigger-signals emitted by token nodes and tag-nodes are indistinguishable, which was ignored in SS. Second, it is unsuitable to track multiobjects accurately. In order to solve the first problem of SS, an improved source simulation (ISS) method was proposed by adjusting the event report strategy under the PHGM. To overcome the disadvantage of the PHGM, we proposed an updated-panda-hunter game model (UPHGM) and gave the formal model of the DSLP issues. And an energy-efficient grid-based pull (GBP) scheme was presented to protect the DSLP under the UPHGM, as well as to provide security services including confidentiality, authentication, integrity, and freshness.

The ISS scheme uses the token pass message to distinguish different events, and only one node will generate an event report message for each event-trigger-signal; hence, its communication overhead for transmitting messages is lower than that of SS, which causes the neighbor nodes of each event-trigger-signal to generate event reports. Although the total communication cost of ISS is higher than that of SS, the communication cost of ISS is comparable to that of SS under low privacy requirement, and it allows a reporter source to generate effective event reports, while the SS scheme cannot. The GBP scheme adopts the pull scheme, IBC-based technique, and pseudonym technique to provide the authentication service and to reduce storage overhead of key material. In order to reduce the communication overhead of GBP, we presented the optimal grid size to meet connectivity requirement and query requirement. Both the theoretical analysis and the simulation results show that GBP outperforms both ISS and SS in terms of energy cost on the whole.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, pp. 102–105, 2002.

[2] T. Arampatzis, J. Lygeros, and S. Manesis, “A survey of applications of wireless sensors and wireless sensor networks,” in Proceedings of the 20th IEEE International Symposium on Intelligent Control and the 13th Mediterranean Conference on Control and Automation (ISIC ’05 and MED ’05), pp. 719–724, Limassol, Cyprus, June 2005.

[3] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and applications: a survey,” International Journal of Computer Science and Network Security, vol. 7, no. 3, pp. 264–273, 2007.

[4] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensor networks: a survey,” IEEE Communications Surveys and Tutorials, vol. 10, no. 3, pp. 6–28, 2008.

[5] X. Q. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensor network security: a survey,” IEEE Communications Surveys and Tutorials, vol. 11, no. 2, pp. 52–73, 2009.

[6] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS ’05), pp. 599–608, Columbus, Ohio, USA, June 2005.

[7] R. Rios and J. Lopez, “Analysis of location privacy solutions in wireless sensor networks,” IET Communications, vol. 5, no. 17, pp. 2518–2532, 2011.

[8] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacy preservation in wireless sensor networks: a state-of-the-art survey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[9] K. Mehta, D. Liu, and M. Wright, “Location privacy in sensor networks against a global eavesdropper,” in Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP ’07), pp. 314–323, Beijing, China, October 2007.

[10] K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.

[11] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the IEEE Communications Society Conference on Computer Communications (INFOCOM ’08), pp. 466–474, Phoenix, Ariz, USA, April 2008.

[12] A. Abbasi, A. Khonsari, and M. S. Talebi, “Source location anonymity for sensor networks,” in Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC ’09), pp. 1–5, Las Vegas, Nev, USA, January 2009.

[13] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Statistical framework for source anonymity in sensor networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’10), pp. 1–6, Miami, Fla, USA, December 2010.

[14] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, “Toward a statistical framework for source anonymity in sensor networks,” IEEE Transactions on Mobile Computing, vol. 12, no. 2, pp. 248–260, 2013.

[15] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ’08), pp. 77–88, Alexandria, Va, USA, March 2008.

[16] K. Bicakci, H. Gultekin, B. Tavli, and I. E. Bagci, “Maximizing lifetime of event-unobservable wireless sensor networks,” Computer Standards and Interfaces, vol. 33, no. 4, pp. 401–410, 2011.

[17] W. Yang and W. Zhu, “Protecting source location privacy in wireless sensor networks with data aggregation,” in Proceedings of the International Conference on Ubiquitous Intelligence and Computing (UIC ’10), pp. 252–266, Xian, China, October 2010.

[18] Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm ’08), Istanbul, Turkey, September 2008.

[19] S. Kokalj-Filipovic, F. le Fessant, and P. Spasojevic, “The quality of source location protection in globally attacked sensor networks,” in Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops ’11), pp. 44–49, Seattle, Wash, USA, March 2011.

[20] C. Ozturk, Y. Zhang, and W. Trappe, “Source-location privacy in energy-constrained sensor network routing,” in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ’04), pp. 88–93, Washington, DC, USA, October 2004.

[21] Y. Xi, L. Schwiebert, and W. Shi, “Preserving source location privacy in monitoring-based wireless sensor networks,” in Proceedings of the International Parallel and Distributed Processing Symposium (IPDPS ’06), pp. 1–8, 2006.

[22] W. Wang, L. Chen, and J. Wang, “A source-location privacy protocol in WSN based on locational angle,” in Proceedings of the IEEE International Conference on Communications (ICC ’08), pp. 1630–1634, Beijing, China, May 2008.

[23] J. Yao and G. Wen, “Preserving source-location privacy in energy-constrained wireless sensor networks,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops (ICDCS Workshops ’08), pp. 412–416, Beijing, China, June 2008.

[24] H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.

[25] Y. Li and J. Ren, “Providing source-location privacy in wireless sensor networks,” in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA ’09), pp. 338–347, Boston, Mass, USA, August 2009.

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en/.

[46] Wireless Sensor Networks Simulator, Castalia, http://castalia.research.nicta.com.au/index.php/en/.


14 International Journal of Distributed Sensor Networks

613 Computation Overhead Compared with the SS schemeand the ISS scheme the most time-consuming task for com-putation in the GBP scheme is the scalar point multiplicationoperation Similar to [9 10 41 42] we ignore conventionalhash operations and symmetric-key encryptiondecryptionoperations as they consume much less energy than scalarpoint multiplications and transmittingreceiving operationsAccording to [43 44] the energy consumption of the ECC-160 scalar point multiplication on TelosB sensor nodeswith the 16-bit MSP430 microcontroller running at 4MHzis approximately 17mJ As reported in [44] a CC2420transceiver with a claimed data rate of 250 kbps used inTelosB nodes consumes 576 and 648 120583J to transmit andreceive one byte respectively As mentioned above the bytelength of a query-msg and a reply-msg in GBP are 87 and49 bytes respectively Thus the energy cost for receivinga query-msg and replying a reply-msg by a tag-node isapproximately 0846mJ Let 119864rx-auth-tx denote the total energyconsumption for receiving one query-msg authenticatingone query-msg and replying one reply-msg Thus we have119864rx-auth-tx = 17846mJ (ie 17 + 0846) Assume that on averagean object (a tag-node) in the network monitors the query-msg every 1 minute Then the energy consumption is 24 times

60 times 17846 = 25699 J for a tag-node per day Since sensornodes are usually powered by 2AAbatteries with 18720 J [45]so a tag-node could work about 2 years with GBP Thereforethe computation cost and the communication cost of GBP areacceptable for sensor nodes

62 Simulation Results In this section we present thesimulation results of our methods and the SS method interms of communication overhead For the convenience ofcomparison we assume that the event-trigger-signals emittedby token nodes and tag-nodes are distinguishable for reportersources in SS

621 Simulation Setup The simulation is based on theCastalia simulator [46] In the simulation 6000 sensor nodesare randomly generated and distributed in a 1000m times 1000mareaThe sink node is located at the center of the field Duringthe simulation we assume that there is only one monitoredobject in the network as [9 10] that is there is only one tag-node in the network Multiple fake monitored objects thatis token nodes are randomly chosen from the sensor nodesand simulated in the field For each node including the tag-node the transmission range is 50m Thus on average eachnode has 47 neighbors As [9 10] we focus our simulationevaluation on how much communication cost we have topay to achieve a given level of location privacy For eachexperiment there is only one event generated by each tag-node or by each token node We repeated the experiment20 times with different network topologies and all the resultswere obtained by computing the average of all correspondingresults

622 Simulation Results Figures 6 and 7 show the com-munication costs for transmitting and receiving messages ofthe network at different privacy levels respectively Figure 8

05

101520253035404550

1 2 3 4 5 6 7 8 9 10Privacy in terms of number of bits (b)

Com

mun

icat

ion

cost

for

tran

smitt

ing

mes

sage

s (J)

GBPISSSS

Figure 6 Communication cost for transmitting messages of thenetwork at different privacy levels

0100200300400500600700800

1 2 3 4 5 6 7 8 9 10Privacy in terms of number of bits (b)

Com

mun

icat

ion

cost

for

rece

ivin

g m

essa

ges (

J)

GBPISSSS

Figure 7 Communication cost for receiving messages of thenetwork at different privacy levels

shows the total communication costs in the network atdifferent privacy levels

Figure 6 shows that (1) with the privacy level increasingthe energy consumed to transmitmessages inGBP is less thanthat in both ISS and SS (2) the energy consumed to transmitmessages in ISS is less than that in SSwhich are in accordwiththe analysis in Section 612 Figure 7 shows that (1) the energyconsumed to receivemessages in GBP is less than that in bothISS and SS (2) the energy consumed to receive messages inSS is less than that in ISS The reason is that 120588node = 47 gt

hopavgThemain communication cost for receiving messagesin both ISS and SS is the part for receiving token-pass-msgsand that is proportional to O(120588

2

node) Figure 8 shows that thecommunication overhead of GBP is much lower than thatof both SS and ISS with the privacy requirement increasingAlthough the total communication cost of ISS is higher thanthat of SS on the whole the communication cost of ISS iscomparable to that of SS under lowprivacy requirement and itcan let a reporter source generate effective event reports whilethe SS cannot

International Journal of Distributed Sensor Networks 15

0100200300400500600700800

1 2 3 4 5 6 7 8 9 10Privacy in terms of number of bits (b)

Com

mun

icat

ion

cost

(J)

GBPISSSS

Figure 8 Total communication cost of the network at differentprivacy levels

From Figure 6 to Figure 8 we also see that in the threeschemes the communication overhead increases with theprivacy requirement However the communication overheadof GBP demonstrates a relatively slower increase comparedto the SS scheme and the ISS scheme Note that whenwe also consider the computation overhead as mentionedearlier we only need to add the additional computationoverhead of GBP to our results (ie 17mJ the scalar pointmultiplication operation of the tag-nodes) However fromFigure 6 to Figure 8 we can see that it would not have muchinfluence on the results

In summary both the ISS method and the GBP methodare good choices to provide the data source location privacyservice Moreover the GBP scheme is the better choice withlower energy cost

7 Conclusions

Prior work on protecting the DSLP against a global eaves-dropper was based on the panda-hunter game model(PHGM) and rarely considered the communication betweendata sources and reporter sources which restricts their appli-cations and even causes their methods to fail Only the SSmethod considered the event trigger process frommonitoredobjects However the SS method still has two limitationsFirst the reporter source cannot generate effective eventreports as the event-trigger-signals emitted by token nodesand tag-nodes are indistinguishable which was ignored inSS Second it is unsuitable to track multiobjects accuratelyIn order to solve the first problem of SS an improved sourcesimulation (ISS) method was proposed by adjusting theevent report strategy under the PHGM To overcome thedisadvantage of the PHGM we proposed an updated-panda-hunter game model (UPHGM) and gave the formal modelof the DSLP issues And an energy-efficient grid-based pull(GBP) scheme was presented to protect the DSLP under theUPHGM as well as to provide security services includingconfidentiality authentication integrity and freshness

The ISS scheme uses the token pass message to dis-tinguish different events and only one node will generate

event report message for each event-trigger-signal henceits communication overhead for transmitting messages islower than that of SS which causes the neighbor nodes ofeach event-trigger-signal to generate event reports Althoughthe total communication cost of ISS is higher than thatof SS the communication cost of ISS is comparable tothat of SS under low privacy requirement and it allows areporter source to generate effective event reports while theSS scheme cannot The GBP scheme adopts the pull schemeIBC-based technique and pseudonym technique to providethe authentication service and to reduce storage overheadof key material In order to reduce the communicationoverhead of GBP we presented the optimal grid size to meetconnectivity requirement and query requirement Both thetheoretical analysis and the simulation results show that GBPoutperforms both ISS and SS in terms of energy cost on thewhole

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China under Grant no. 60873199. The authors are grateful to the anonymous reviewers for their insightful comments.

References

[1] I F Akyildiz W Su Y Sankarasubramaniam and E Cayirci ldquoAsurvey on sensor networksrdquo IEEE Communications Magazinevol 40 no 8 pp 102ndash105 2002

[2] T Arampatzis J Lygeros and S Manesis ldquoA survey of appli-cations of wireless sensors and wireless sensor networksrdquoin Proceedings of the 20th IEEE International Symposium onIntelligent Control and the 13th Mediterranean Conference onControl and Automation (ISIC rsquo05 and MED rsquo05) pp 719ndash724Limassol Cyprus June 2005

[3] C F Garcia-Hernandez P H Ibarguengoytia-Gonzalez JGarcia-Hernandez and J A Perez-Diaz ldquoWireless sensor net-works and applications a surveyrdquo International Journal ofComputer Science and Network Security vol 7 no 3 pp 264ndash273 2007

[4] Y Zhou Y Fang and Y Zhang ldquoSecuring wireless sensor net-works a surveyrdquo IEEE Communications Surveys and Tutorialsvol 10 no 3 pp 6ndash28 2008

[5] X Q Chen KMakki K Yen andN Pissinou ldquoSensor networksecurity a surveyrdquo IEEECommunications Surveys andTutorialsvol 11 no 2 pp 52ndash73 2009

[6] P Kamat Y Zhang W Trappe and C Ozturk ldquoEnhancingsource-location privacy in sensor network routingrdquo in Proceed-ings of the 25th IEEE International Conference on DistributedComputing Systems (ICDCS rsquo05) pp 599ndash608 Columbus OhioUSA June 2005

[7] R Rios and J Lopez ldquoAnalysis of location privacy solutions inwireless sensor networksrdquo IET Communications vol 5 no 17pp 2518ndash2532 2011

16 International Journal of Distributed Sensor Networks

[8] N Li N Zhang S K Das and B Thuraisingham ldquoPrivacypreservation in wireless sensor networks a state-of-the-artsurveyrdquo Ad Hoc Networks vol 7 no 8 pp 1501ndash1514 2009

[9] K Mehta D Liu and M Wright ldquoLocation privacy in sensornetworks against a global eavesdropperrdquo in Proceedings of the15th IEEE International Conference on Network Protocols (ICNPrsquo07) pp 314ndash323 Beijing China October 2007

[10] K Mehta D Liu and M Wright ldquoProtecting location privacyin sensor networks against a global eavesdropperrdquo IEEE Trans-actions on Mobile Computing vol 11 no 2 pp 320ndash336 2012

[11] M Shao Y Yang S Zhu and G Cao ldquoTowards statisticallystrong source anonymity for sensor networksrdquo in Proceedingsof the IEEE Communications Society Conference on ComputerCommunications (INFOCOM 08) pp 466ndash474 Phoenix ArizUSA April 2008

[12] A Abbasi A Khonsari and M S Talebi ldquoSource locationanonymity for sensor networksrdquo in Proceedings of the 6th IEEEConsumer Communications and Networking Conference (CCNC09) pp 1ndash5 Las Vegas Nev USA January 2009

[13] B Alomair A Clark J Cuellar and R Poovendran ldquoStatisti-cal framework for source anonymity in sensor networksrdquo inProceedings of the IEEE Global Telecommunications Conference(GLOBECOM rsquo10) pp 1ndash6 Miami Fla USA December 2010

[14] B Alomair A Clark J Cuellar and R Poovendran ldquoToward astatistical framework for source anonymity in sensor networksrdquoIEEE Transactions on Mobile Computing vol 12 no 2 pp 248ndash260 2013

[15] Y Yang M Shao S Zhu B Urgaonkar and G Cao ldquoTowardsevent source unobservability with minimum network traffic insensor networksrdquo in Proceedings of the 1st ACM Conference onWireless Network Security ( WiSec rsquo08) pp 77ndash88 AlexandriaVa USA March 2008

[16] K Bicakci H Gultekin B Tavli and I E Bagci ldquoMaximizinglifetime of event-unobservable wireless sensor networksrdquo Com-puter Standards and Interfaces vol 33 no 4 pp 401ndash410 2011

[17] W Yang and W Zhu ldquoProtecting source location privacy inwireless sensor networks with data aggregationrdquo in Proceedingsof the International Conference on Ubiquitous Intelligence andComputing (UIC rsquo10) pp 252ndash266 Xian China October 2010

[18] Y Ouyang Z Le D Liu J Ford and F Makedon ldquoSource loca-tion privacy against laptop-class attacks in sensor networksrdquoin Proceedings of the 4th International Conference on Securityand Privacy in Communication Networks (SecureComm rsquo08)Istanbul Turkey September 2008

[19] S Kokalj-Filipovic F le Fessant and P Spasojevic ldquoThe qual-ity of source location protection in globally attacked sensornetworksrdquo in Proceedings of the IEEE International Conferenceon Pervasive Computing and CommunicationsWorkshops (PER-COM Workshops rsquo11) pp 44ndash49 Seattle Wash USA March2011

[20] C Ozturk Y Zhang and W Trappe ldquoSource-location privacyin energy-constrained sensor network routingrdquo in Proceedingsof theACMWorkshop on Security of AdHoc and SensorNetworks(SASN 04) pp 88ndash93 Washington DC USA October 2004

[21] Y Xi L Schwiebert and W Shi ldquoPreserving source locationprivacy in monitoring-based wireless sensor networksrdquo in Pro-ceedings of the International Parallel and Distributed ProcessingSymposium (IPDPS 06) pp 1ndash8 2006

[22] W Wang L Chen and J Wang ldquoA source-location privacyprotocol in WSN based on locational anglerdquo in Proceedingsof the IEEE International Conference on Communications (ICCrsquo08) pp 1630ndash1634 Beijing China May 2008

[23] J Yao and G Wen ldquoPreserving source-location privacy inenergy-constrained wireless sensor networksrdquo in Proceedings ofthe 28th International Conference onDistributed Computing Sys-tems Workshops (ICDCS Workshops rsquo08) pp 412ndash416 BeijingChina June 2008

[24] H Wang B Sheng and Q Li ldquoPrivacy-aware routing in sensornetworksrdquo Computer Networks vol 53 no 9 pp 1512ndash15292009

[25] Y Li and J Ren ldquoProviding source-location privacy in wirelesssensor networksrdquo in Proceedings of the International Conferenceon Wireless Algorithms Systems and Applications (WASA rsquo09)pp 338ndash347 Boston Mass USA August 2009

[26] Y Li and J Ren ldquoPreserving source-location privacy in wire-less sensor networksrdquo in Proceedings of the 6th Annual IEEECommunications Society Conference on SensorMesh andAdHocCommunications and Networks (SECON rsquo09) pp 1ndash9 RomeItaly June 2009

[27] Y Li J Ren and J Wu ldquoQuantitative measurement and designof source-location privacy schemes for wireless sensor net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 23 no 7 pp 1302ndash1311 2012

[28] O Yi L Zhengyi C Guanling J Ford and F MakedonldquoEntrapping adversaries for source protection in sensor net-worksrdquo in Proceedings of the International Symposium on aWorld of Wireless Mobile and Multimedia Networks (WOW-MOM rsquo06) pp 23ndash32 Buffalo-Niagara Falls NY USA June2006

[29] M M E A Mahmoud and X Shen ldquoA cloud-based schemefor protecting source-location privacy against hotspot-locatingattack in wireless sensor networksrdquo IEEE Transactions onParallel and Distributed Systems vol 23 no 10 pp 1805ndash18182012

[30] W Trappe and L C Washington Introduction to Cryptographywith Coding Theory Prentice Hall New York NY USA 2002

[31] Y Xu J Heidemann and D Estrin ldquoGeography-informedenergy conservation for ad hoc routingrdquo in Proceedings of the7th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo01) pp 70ndash84 Rome Italy July 2001

[32] Digital Hash Standard Federal Information Processing Stan-dards Publication 180-1 1995

[33] Y Zhang W Liu Y Fang and D Wu ldquoSecure localizationand authentication in ultra-wideband sensor networksrdquo IEEEJournal on Selected Areas in Communications vol 24 no 4 Ipp 829ndash835 2006

[34] X Cheng A Thaeler G Xue and D Chen ldquoTPS a time-basedpositioning scheme for outdoor wireless sensor networksrdquo inProceedings of Annual Joint Conference of the IEEE Computerand Communications Societies (INFOCOM rsquo04) pp 2685ndash2696HongKong China March 2004

[35] H Chan A Perrig and D Song ldquoRandom key predistributionschemes for sensor networksrdquo in Proceedings of the IEEE Com-puter Society Symposium on Research in Security and Privacy(SampP 03) pp 197ndash213 Berkeley Calif USA May 2003

[36] L Eschenauer and V D Gligor ldquoA key-management schemefor distributed sensor networksrdquo in Proceedings of the 9th ACMConference on Computer and Communications Security (CCSrsquo02) pp 41ndash47 Washington DC USA November 2002

[37] D Liu P Ning and L I Rongfang ldquoEstablishing pairwisekeys in distributed sensor networksrdquo ACM Transactions onInformation and System Security vol 8 no 1 pp 41ndash77 2005

[38] C Karlof N Sastry and DWagner ldquoTinySec a link layer secu-rity architecture for wireless sensor networksrdquo in Proceedings

International Journal of Distributed Sensor Networks 17

of the 2nd International Conference on Embedded NetworkedSensor Systems (SenSys rsquo04) pp 162ndash175 Baltimore Mass USANovember 2004

[39] ldquoTheIEEE 802154 standard (ver 2006)rdquo 2006 httpstandardsieeeorggetieee802download802154-2006

[40] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo SIAM Journal on Computing vol 32 no 3 pp586ndash615 2003

[41] Y Zhang W Liu W Lou and Y Fang ldquoLocation-basedcompromise-tolerant security mechanisms for wireless sensornetworksrdquo IEEE Journal on Selected Areas in Communicationsvol 24 no 2 pp 247ndash260 2006

[42] M Duan and J Xu ldquoAn efficient location-based compromise-tolerant key management scheme for sensor networksrdquo Infor-mation Processing Letters vol 111 no 11 pp 503ndash507 2011

[43] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo Tech RepTR-2007-36 North Carolina State University Department ofComputer Science 2007

[44] G De Meulenaer F Gosset F Standaert and O Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 Avignon FranceOctober 2008

[45] A Boulis Castalia Userrsquos Manual httpcastaliaresearchnictacomauindexphpen

[46] Wireless Sensor Networks Simulator Castalia httpcastaliaresearchnictacomauindexphpen


Figure 8: Total communication cost of the network at different privacy levels (x-axis: privacy in terms of number of bits (b); y-axis: communication cost (J); curves: GBP, ISS, SS).

From Figure 6 to Figure 8, we also see that, in the three schemes, the communication overhead increases with the privacy requirement. However, the communication overhead of GBP demonstrates a relatively slower increase compared to the SS scheme and the ISS scheme. Note that when we also consider the computation overhead, as mentioned earlier, we only need to add the additional computation overhead of GBP to our results (i.e., 17 mJ, the scalar point multiplication operation of the tag-nodes). However, from Figure 6 to Figure 8, we can see that it would not have much influence on the results.

In summary, both the ISS method and the GBP method are good choices to provide the data source location privacy service. Moreover, the GBP scheme is the better choice with lower energy cost.


References

[1] I F Akyildiz W Su Y Sankarasubramaniam and E Cayirci ldquoAsurvey on sensor networksrdquo IEEE Communications Magazinevol 40 no 8 pp 102ndash105 2002

[2] T Arampatzis J Lygeros and S Manesis ldquoA survey of appli-cations of wireless sensors and wireless sensor networksrdquoin Proceedings of the 20th IEEE International Symposium onIntelligent Control and the 13th Mediterranean Conference onControl and Automation (ISIC rsquo05 and MED rsquo05) pp 719ndash724Limassol Cyprus June 2005

[3] C F Garcia-Hernandez P H Ibarguengoytia-Gonzalez JGarcia-Hernandez and J A Perez-Diaz ldquoWireless sensor net-works and applications a surveyrdquo International Journal ofComputer Science and Network Security vol 7 no 3 pp 264ndash273 2007

[4] Y Zhou Y Fang and Y Zhang ldquoSecuring wireless sensor net-works a surveyrdquo IEEE Communications Surveys and Tutorialsvol 10 no 3 pp 6ndash28 2008

[5] X Q Chen KMakki K Yen andN Pissinou ldquoSensor networksecurity a surveyrdquo IEEECommunications Surveys andTutorialsvol 11 no 2 pp 52ndash73 2009

[6] P Kamat Y Zhang W Trappe and C Ozturk ldquoEnhancingsource-location privacy in sensor network routingrdquo in Proceed-ings of the 25th IEEE International Conference on DistributedComputing Systems (ICDCS rsquo05) pp 599ndash608 Columbus OhioUSA June 2005

[7] R Rios and J Lopez ldquoAnalysis of location privacy solutions inwireless sensor networksrdquo IET Communications vol 5 no 17pp 2518ndash2532 2011

16 International Journal of Distributed Sensor Networks

[8] N Li N Zhang S K Das and B Thuraisingham ldquoPrivacypreservation in wireless sensor networks a state-of-the-artsurveyrdquo Ad Hoc Networks vol 7 no 8 pp 1501ndash1514 2009

[9] K Mehta D Liu and M Wright ldquoLocation privacy in sensornetworks against a global eavesdropperrdquo in Proceedings of the15th IEEE International Conference on Network Protocols (ICNPrsquo07) pp 314ndash323 Beijing China October 2007

[10] K Mehta D Liu and M Wright ldquoProtecting location privacyin sensor networks against a global eavesdropperrdquo IEEE Trans-actions on Mobile Computing vol 11 no 2 pp 320ndash336 2012

[11] M Shao Y Yang S Zhu and G Cao ldquoTowards statisticallystrong source anonymity for sensor networksrdquo in Proceedingsof the IEEE Communications Society Conference on ComputerCommunications (INFOCOM 08) pp 466ndash474 Phoenix ArizUSA April 2008

[12] A Abbasi A Khonsari and M S Talebi ldquoSource locationanonymity for sensor networksrdquo in Proceedings of the 6th IEEEConsumer Communications and Networking Conference (CCNC09) pp 1ndash5 Las Vegas Nev USA January 2009

[13] B Alomair A Clark J Cuellar and R Poovendran ldquoStatisti-cal framework for source anonymity in sensor networksrdquo inProceedings of the IEEE Global Telecommunications Conference(GLOBECOM rsquo10) pp 1ndash6 Miami Fla USA December 2010

[14] B Alomair A Clark J Cuellar and R Poovendran ldquoToward astatistical framework for source anonymity in sensor networksrdquoIEEE Transactions on Mobile Computing vol 12 no 2 pp 248ndash260 2013

[15] Y Yang M Shao S Zhu B Urgaonkar and G Cao ldquoTowardsevent source unobservability with minimum network traffic insensor networksrdquo in Proceedings of the 1st ACM Conference onWireless Network Security ( WiSec rsquo08) pp 77ndash88 AlexandriaVa USA March 2008

[16] K Bicakci H Gultekin B Tavli and I E Bagci ldquoMaximizinglifetime of event-unobservable wireless sensor networksrdquo Com-puter Standards and Interfaces vol 33 no 4 pp 401ndash410 2011

[17] W Yang and W Zhu ldquoProtecting source location privacy inwireless sensor networks with data aggregationrdquo in Proceedingsof the International Conference on Ubiquitous Intelligence andComputing (UIC rsquo10) pp 252ndash266 Xian China October 2010

[18] Y Ouyang Z Le D Liu J Ford and F Makedon ldquoSource loca-tion privacy against laptop-class attacks in sensor networksrdquoin Proceedings of the 4th International Conference on Securityand Privacy in Communication Networks (SecureComm rsquo08)Istanbul Turkey September 2008

[19] S Kokalj-Filipovic F le Fessant and P Spasojevic ldquoThe qual-ity of source location protection in globally attacked sensornetworksrdquo in Proceedings of the IEEE International Conferenceon Pervasive Computing and CommunicationsWorkshops (PER-COM Workshops rsquo11) pp 44ndash49 Seattle Wash USA March2011

[20] C Ozturk Y Zhang and W Trappe ldquoSource-location privacyin energy-constrained sensor network routingrdquo in Proceedingsof theACMWorkshop on Security of AdHoc and SensorNetworks(SASN 04) pp 88ndash93 Washington DC USA October 2004

[21] Y Xi L Schwiebert and W Shi ldquoPreserving source locationprivacy in monitoring-based wireless sensor networksrdquo in Pro-ceedings of the International Parallel and Distributed ProcessingSymposium (IPDPS 06) pp 1ndash8 2006

[22] W Wang L Chen and J Wang ldquoA source-location privacyprotocol in WSN based on locational anglerdquo in Proceedingsof the IEEE International Conference on Communications (ICCrsquo08) pp 1630ndash1634 Beijing China May 2008

[23] J Yao and G Wen ldquoPreserving source-location privacy inenergy-constrained wireless sensor networksrdquo in Proceedings ofthe 28th International Conference onDistributed Computing Sys-tems Workshops (ICDCS Workshops rsquo08) pp 412ndash416 BeijingChina June 2008

[24] H Wang B Sheng and Q Li ldquoPrivacy-aware routing in sensornetworksrdquo Computer Networks vol 53 no 9 pp 1512ndash15292009

[25] Y Li and J Ren ldquoProviding source-location privacy in wirelesssensor networksrdquo in Proceedings of the International Conferenceon Wireless Algorithms Systems and Applications (WASA rsquo09)pp 338ndash347 Boston Mass USA August 2009

[26] Y Li and J Ren ldquoPreserving source-location privacy in wire-less sensor networksrdquo in Proceedings of the 6th Annual IEEECommunications Society Conference on SensorMesh andAdHocCommunications and Networks (SECON rsquo09) pp 1ndash9 RomeItaly June 2009

[27] Y Li J Ren and J Wu ldquoQuantitative measurement and designof source-location privacy schemes for wireless sensor net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 23 no 7 pp 1302ndash1311 2012

[28] O Yi L Zhengyi C Guanling J Ford and F MakedonldquoEntrapping adversaries for source protection in sensor net-worksrdquo in Proceedings of the International Symposium on aWorld of Wireless Mobile and Multimedia Networks (WOW-MOM rsquo06) pp 23ndash32 Buffalo-Niagara Falls NY USA June2006

[29] M M E A Mahmoud and X Shen ldquoA cloud-based schemefor protecting source-location privacy against hotspot-locatingattack in wireless sensor networksrdquo IEEE Transactions onParallel and Distributed Systems vol 23 no 10 pp 1805ndash18182012

[30] W Trappe and L C Washington Introduction to Cryptographywith Coding Theory Prentice Hall New York NY USA 2002

[31] Y Xu J Heidemann and D Estrin ldquoGeography-informedenergy conservation for ad hoc routingrdquo in Proceedings of the7th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo01) pp 70ndash84 Rome Italy July 2001

[32] Digital Hash Standard Federal Information Processing Stan-dards Publication 180-1 1995

[33] Y Zhang W Liu Y Fang and D Wu ldquoSecure localizationand authentication in ultra-wideband sensor networksrdquo IEEEJournal on Selected Areas in Communications vol 24 no 4 Ipp 829ndash835 2006

[34] X Cheng A Thaeler G Xue and D Chen ldquoTPS a time-basedpositioning scheme for outdoor wireless sensor networksrdquo inProceedings of Annual Joint Conference of the IEEE Computerand Communications Societies (INFOCOM rsquo04) pp 2685ndash2696HongKong China March 2004

[35] H Chan A Perrig and D Song ldquoRandom key predistributionschemes for sensor networksrdquo in Proceedings of the IEEE Com-puter Society Symposium on Research in Security and Privacy(SampP 03) pp 197ndash213 Berkeley Calif USA May 2003

[36] L Eschenauer and V D Gligor ldquoA key-management schemefor distributed sensor networksrdquo in Proceedings of the 9th ACMConference on Computer and Communications Security (CCSrsquo02) pp 41ndash47 Washington DC USA November 2002

[37] D Liu P Ning and L I Rongfang ldquoEstablishing pairwisekeys in distributed sensor networksrdquo ACM Transactions onInformation and System Security vol 8 no 1 pp 41ndash77 2005

[38] C Karlof N Sastry and DWagner ldquoTinySec a link layer secu-rity architecture for wireless sensor networksrdquo in Proceedings

International Journal of Distributed Sensor Networks 17

of the 2nd International Conference on Embedded NetworkedSensor Systems (SenSys rsquo04) pp 162ndash175 Baltimore Mass USANovember 2004

[39] ldquoTheIEEE 802154 standard (ver 2006)rdquo 2006 httpstandardsieeeorggetieee802download802154-2006

[40] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo SIAM Journal on Computing vol 32 no 3 pp586ndash615 2003

[41] Y Zhang W Liu W Lou and Y Fang ldquoLocation-basedcompromise-tolerant security mechanisms for wireless sensornetworksrdquo IEEE Journal on Selected Areas in Communicationsvol 24 no 2 pp 247ndash260 2006

[42] M Duan and J Xu ldquoAn efficient location-based compromise-tolerant key management scheme for sensor networksrdquo Infor-mation Processing Letters vol 111 no 11 pp 503ndash507 2011

[43] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo Tech RepTR-2007-36 North Carolina State University Department ofComputer Science 2007

[44] G De Meulenaer F Gosset F Standaert and O Pereira ldquoOnthe energy cost of communication and cryptography in wirelesssensor networksrdquo in Proceedings of the 4th IEEE InternationalConference on Wireless and Mobile Computing Networking andCommunication (WiMob rsquo08) pp 580ndash585 Avignon FranceOctober 2008

[45] A Boulis Castalia Userrsquos Manual httpcastaliaresearchnictacomauindexphpen

[46] Wireless Sensor Networks Simulator Castalia httpcastaliaresearchnictacomauindexphpen


[8] N Li N Zhang S K Das and B Thuraisingham ldquoPrivacypreservation in wireless sensor networks a state-of-the-artsurveyrdquo Ad Hoc Networks vol 7 no 8 pp 1501ndash1514 2009

[9] K Mehta D Liu and M Wright ldquoLocation privacy in sensornetworks against a global eavesdropperrdquo in Proceedings of the15th IEEE International Conference on Network Protocols (ICNPrsquo07) pp 314ndash323 Beijing China October 2007

[10] K Mehta D Liu and M Wright ldquoProtecting location privacyin sensor networks against a global eavesdropperrdquo IEEE Trans-actions on Mobile Computing vol 11 no 2 pp 320ndash336 2012

[11] M Shao Y Yang S Zhu and G Cao ldquoTowards statisticallystrong source anonymity for sensor networksrdquo in Proceedingsof the IEEE Communications Society Conference on ComputerCommunications (INFOCOM 08) pp 466ndash474 Phoenix ArizUSA April 2008

[12] A Abbasi A Khonsari and M S Talebi ldquoSource locationanonymity for sensor networksrdquo in Proceedings of the 6th IEEEConsumer Communications and Networking Conference (CCNC09) pp 1ndash5 Las Vegas Nev USA January 2009

[13] B Alomair A Clark J Cuellar and R Poovendran ldquoStatisti-cal framework for source anonymity in sensor networksrdquo inProceedings of the IEEE Global Telecommunications Conference(GLOBECOM rsquo10) pp 1ndash6 Miami Fla USA December 2010

[14] B Alomair A Clark J Cuellar and R Poovendran ldquoToward astatistical framework for source anonymity in sensor networksrdquoIEEE Transactions on Mobile Computing vol 12 no 2 pp 248ndash260 2013

[15] Y Yang M Shao S Zhu B Urgaonkar and G Cao ldquoTowardsevent source unobservability with minimum network traffic insensor networksrdquo in Proceedings of the 1st ACM Conference onWireless Network Security ( WiSec rsquo08) pp 77ndash88 AlexandriaVa USA March 2008

[16] K Bicakci H Gultekin B Tavli and I E Bagci ldquoMaximizinglifetime of event-unobservable wireless sensor networksrdquo Com-puter Standards and Interfaces vol 33 no 4 pp 401ndash410 2011

[17] W Yang and W Zhu ldquoProtecting source location privacy inwireless sensor networks with data aggregationrdquo in Proceedingsof the International Conference on Ubiquitous Intelligence andComputing (UIC rsquo10) pp 252ndash266 Xian China October 2010

[18] Y Ouyang Z Le D Liu J Ford and F Makedon ldquoSource loca-tion privacy against laptop-class attacks in sensor networksrdquoin Proceedings of the 4th International Conference on Securityand Privacy in Communication Networks (SecureComm rsquo08)Istanbul Turkey September 2008

[19] S Kokalj-Filipovic F le Fessant and P Spasojevic ldquoThe qual-ity of source location protection in globally attacked sensornetworksrdquo in Proceedings of the IEEE International Conferenceon Pervasive Computing and CommunicationsWorkshops (PER-COM Workshops rsquo11) pp 44ndash49 Seattle Wash USA March2011

[20] C Ozturk Y Zhang and W Trappe ldquoSource-location privacyin energy-constrained sensor network routingrdquo in Proceedingsof theACMWorkshop on Security of AdHoc and SensorNetworks(SASN 04) pp 88ndash93 Washington DC USA October 2004

[21] Y Xi L Schwiebert and W Shi ldquoPreserving source locationprivacy in monitoring-based wireless sensor networksrdquo in Pro-ceedings of the International Parallel and Distributed ProcessingSymposium (IPDPS 06) pp 1ndash8 2006

[22] W Wang L Chen and J Wang ldquoA source-location privacyprotocol in WSN based on locational anglerdquo in Proceedingsof the IEEE International Conference on Communications (ICCrsquo08) pp 1630ndash1634 Beijing China May 2008

[23] J Yao and G Wen ldquoPreserving source-location privacy inenergy-constrained wireless sensor networksrdquo in Proceedings ofthe 28th International Conference onDistributed Computing Sys-tems Workshops (ICDCS Workshops rsquo08) pp 412ndash416 BeijingChina June 2008

[24] H Wang B Sheng and Q Li ldquoPrivacy-aware routing in sensornetworksrdquo Computer Networks vol 53 no 9 pp 1512ndash15292009

[25] Y Li and J Ren ldquoProviding source-location privacy in wirelesssensor networksrdquo in Proceedings of the International Conferenceon Wireless Algorithms Systems and Applications (WASA rsquo09)pp 338ndash347 Boston Mass USA August 2009

[26] Y. Li and J. Ren, “Preserving source-location privacy in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. 1–9, Rome, Italy, June 2009.

[27] Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.

[28] O. Yi, L. Zhengyi, C. Guanling, J. Ford, and F. Makedon, “Entrapping adversaries for source protection in sensor networks,” in Proceedings of the International Symposium on a World of Wireless, Mobile and Multimedia Networks (WOWMOM ’06), pp. 23–32, Buffalo-Niagara Falls, NY, USA, June 2006.

[29] M. M. E. A. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.

[30] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, New York, NY, USA, 2002.

[31] Y. Xu, J. Heidemann, and D. Estrin, “Geography-informed energy conservation for ad hoc routing,” in Proceedings of the 7th Annual International Conference on Mobile Computing and Networking (MOBICOM ’01), pp. 70–84, Rome, Italy, July 2001.

[32] Digital Hash Standard, Federal Information Processing Standards Publication 180-1, 1995.

[33] Y. Zhang, W. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 4 I, pp. 829–835, 2006.

[34] X. Cheng, A. Thaeler, G. Xue, and D. Chen, “TPS: a time-based positioning scheme for outdoor wireless sensor networks,” in Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ’04), pp. 2685–2696, Hong Kong, China, March 2004.

[35] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (S&P ’03), pp. 197–213, Berkeley, Calif, USA, May 2003.

[36] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS ’02), pp. 41–47, Washington, DC, USA, November 2002.

[37] D. Liu, P. Ning, and L. I. Rongfang, “Establishing pairwise keys in distributed sensor networks,” ACM Transactions on Information and System Security, vol. 8, no. 1, pp. 41–77, 2005.

[38] C. Karlof, N. Sastry, and D. Wagner, “TinySec: a link layer security architecture for wireless sensor networks,” in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys ’04), pp. 162–175, Baltimore, Mass, USA, November 2004.

[39] “The IEEE 802.15.4 standard (ver. 2006),” 2006, http://standards.ieee.org/getieee802/download/802.15.4-2006.

[40] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.

[41] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.

[42] M. Duan and J. Xu, “An efficient location-based compromise-tolerant key management scheme for sensor networks,” Information Processing Letters, vol. 111, no. 11, pp. 503–507, 2011.

[43] A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” Tech. Rep. TR-2007-36, North Carolina State University, Department of Computer Science, 2007.

[44] G. De Meulenaer, F. Gosset, F. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communication (WiMob ’08), pp. 580–585, Avignon, France, October 2008.

[45] A. Boulis, Castalia User’s Manual, http://castalia.research.nicta.com.au/index.php/en.

[46] Wireless Sensor Networks Simulator Castalia, http://castalia.research.nicta.com.au/index.php/en.
