Sensor nodes in clustered WSNs should be securely partitioned into clusters. Therefore, we assume that if the adversaries exist in the field, they are unable to comprehend the exchanged information. In Figure 1, a simple network with two gateways ( and ) and 16 sensor nodes ( to ) is illustrated. The gateway in each cluster should securely discover all the sensor nodes which belong to it. Additionally, sensor nodes should be aware of their assigned gateway/cluster.
As depicted in Figure 2(b), each gateway broadcasts the message to all sensor nodes with a random delay, that is,
Here, denotes the broadcast message and as presented in (1) calculates as follows. First, a oneway hash function is executed over the , where "" denotes the concatenation operator. Second, an elliptic curve digital signature [30] is calculated over the hash results using the private key of the gateway , that is, . The final message should be accompanied by the public key of the gateway , that is, , message , and . This broadcast will be repeated several times to ensure that the maximum number of sensor nodes receives it.
For the purpose of message authentication, upon receiving the broadcast message, the sensor node makes a list for all the received messages from the gateways as , where , , is the number of gateways from which a sensor node received a broadcast message. Priority of the generated list is based on signaltonoise ratio (SNR) of the received message, that is, , where the is the received signal power from the gateway for . Afterwards, each sensor node will verify the message integrity using ECDSA with public key of the gateways and compares the received public key with its preloaded one. Note that verifying the authenticity of the public key of a gateway is finding out whether the attached public key of the gateway is the same as the one embedded in the memory of a sensor node. If the received public key does not match the preloaded one, sensor node will reject the broadcast message. This prevents sensor nodes from performing expensive verification on the fake signatures broadcasted from the adversaries [37].
Furthermore, each sensor node can determine the distance from the desired gateway incorporating received signal strength indicator (RSSI) [38]. The minimum distance from the gateway is called onehop distance as , in which sensor nodes in this distance can communicate with the gateway directly. Using a global positioning system (GPS) for location finding [36] and time distance calculation [15] requires extra hardware costs and tight time synchronization, respectively. Furthermore, it has been shown in [38] that employing RSSI is more reliable in determining connectivity compared to the location information, as the location information is not available in various applications.
The BreadthFirst search algorithm [39] is used by the gateway in each cluster to find which sensor nodes select the gateway as their cluster head. Note that a similar algorithm is used in [6]. The gateway broadcasts a message requesting sensor nodes to notify the gateway if they are within the communication distance from the gateway. In this case, each sensor node encrypts its ID concatenated with its public key using the public key of the desired gateway. This message is transmitted by a sensor node at maximum power to acknowledge the desired gateway in the top of its list as follows:
where denotes the encryption function using the public key of gateway . Then, the gateway decrypts this message by using its private key as follows:
In this case, the gateway compares the received public key from the sensor nodes with the ones that are embedded in its memory prior to deployment. This helps to prevent an adversary from throwing illegitimate nodes into a cluster and mounting a denialofservice (DoS) attack.
As a large number of sensor nodes will respond to a gateway, avoiding contention is difficult. Since contention causes collisions, this affects the survivability of the network. Therefore, a suitable medium access control (MAC) protocol is required to be installed in each sensor node. It is noted that assuming sensor nodes to be time synchronized is infeasible because of the large number of nodes. To overcome this problem, the contentionbased and selfstabilizing MAC protocol presented in [40] is incorporated here. Eventually, each gateway will compile a list of all the sensor nodes in its cluster along with their IDs and public keys.
At this point, the public keys of sensor nodes and gateways are authenticated. Now, each gateway will ask its onehop sensor nodes (e.g., , , and of cluster 2 in Figure 1) within the cluster to broadcast a message to ask its onehop neighbors in the cluster to report to . In this case, sensor node acts as the parent node to the nodes in its onehop neighborhood. Similarly, the other neighbors ask their onehop neighbors to report themselves. Therefore, every node within the cluster will connect to the gateway in a single or multihop route, that is, , , , , , where is the number of hops from a node to the gateway . All these sensor nodes send their information to the node, and notifies the gateways about these sensor nodes.
Every sensor node which has selected as the gateway and is within the preferred cluster will be discovered by the gateway . Note that a unique path exists from each node to the gateway as each node has just one parent. For routing the information to the gateway in each cluster, an appropriate routing algorithm is required. It defines the path that the packets can be forwarded to the gateway. Therefore, a minimum cost path algorithm can be used to find the optimal spanning tree rooted at the given node.
Theorem 5.
The nodes that immediately follow the root node in the minimum cost tree constitute the minimum neighborhood of node . The minimum cost routes between the node and the gateway are all contained in the minimum neighborhoods of the nodes [25].
4.1. Secure and Survivable Routing
In this subsection, we present the routing algorithm for the sensor nodes to forward data toward the gateway in each cluster. If data from neighborhoods are highly correlated, then the minimum spanning tree (MST) is beneficial in terms of survivability and network lifetime [41]. However, in the case of low correlation amongst sensor nodes, shortest path tree (SPT) should be incorporated to achieve survivability and better network lifetime [41]. Additionally, shorter paths are more secure than the longer paths (as we explain more in Section 6.1). Note that using the shortest path limits the number of paths which can be used to relay data toward the gateway. In [42], a shortest cost path routing algorithm for maximizing network lifetime based on link costs is presented. The costs reflect both the communication energy consumption rates and the residual energy level.
Here, the use of link estimation and parent selection (LEPS) scheme was employed as proposed in [43] as a routing algorithm. In this method, each node monitors all traffic received within the onehop range, including route updates from the neighbor nodes. Using the least cost path, it manages the nearest available neighbor node and decides the next hop. To find a least cost path, one needs to calculate the costs of all edges between each sensor node then obtain a set of least cost paths. To accomplish this, we use the cost function as formulated in [5].

(i)
: the function of remaining energy of the sensor node , for all .

(ii)
: the distance between sensor nodes and .

(iii)
: the error function between sensor node and .
Then, the cost function for a link between sensor node and can be estimated as
where α is free space loss exponent and typically . The error function is related to the maximum data buffered in sensor node and the distance between sensor nodes and . Then one can write it as
where is a constant coefficient. To find the least cost path from a sensor node to the gateway , the number of hops should be considered as well [5].
4.2. Symmetric Key Establishment
After secure clustering, broadcast authentication, and determining the desired routing algorithm among sensor nodes and gateways, sensor nodes should establish secure communication between each other to reach the gateway securely in a multihop path. Since gateways are aware of the onehop neighbors of the sensor nodes and have enough information to control sensor nodes, they send pairwise keys to each sensor node and its potential onehop neighbors. To achieve this, gateway will send the pairwise key to the sensor node which is common between its neighbors regarding the leastcost path routing algorithm.
First, the symmetric key generated for the sensor node and , that is, , should be encrypted using the public key of the sensor node , that is, , for . Then, each gateway unicasts this message to the sensor node . Each sensor node decrypts this message using its own private key and obtains the symmetric key . Since this message should be encrypted by the public key (based on ECC) of every individual sensor node, then disclosing symmetric key is not possible to the adversary. As an example, in Figure 1, the sensor node will receive the symmetric keys for nodes , , and as , , and , respectively.
In the proposed scheme, we do not consider unicast authentication for performance reasons. However, the following explains unicast authentication mechanism for the proposed symmetric key establishment method.
Unicast Authentication
The question is how sensor node ensures that the encrypted symmetric key, that is, , is originated from gateway and not from the adversary?
To address this issue, ECDSA authentication can be incorporated as follows. To ensure that the message, that is, , is unicasted from the gateway , the elliptic curve digital signature can be calculated by the gateway on the message. Therefore, sensor node can verify the signature using the public key of gateway , and this assures that the message is coming from a legitimate gateway, and not from an adversary. This scheme requires times signature generation by the gateways, and all the sensor nodes should verify and decrypt the unicasted message. Note that this increases the computation cost as the verification of a signature is an expensive operation. However, a onetime digital signature generation can reduce some of the overheads.
Another scheme is to allow each sensor node and its corresponding gateway to obtain a shared symmetric key during the first broadcast authentication (secure clustering) incorporating elliptic curve DiffieHellman (ECDH) method. Then, using symmetric key, the unicast authentication can be performed by generating a message authentication code (MAC). Therefore, any unicast from the gateway can be authenticated by the sensor nodes.
Authentication methods imply overheads in computation and communication times. Therefore, a tradeoff must be achieved between the required level of security in the authentication and the time costs, otherwise the arising overheads could be against the survivability of the network.
Message Freshness
Beyond guaranteeing confidentiality and authentication, it is important to ensure that data is recent, fresh, and no adversary replayed old messages. A sensor node can achieve this through a nonce (which is a unpredictable random number). In the proposed scheme, before unicasting the symmetric keys by the gateways, sensor node can send a key request message to the gateway accompanying with a random nonce, i.e., and encrypted by . Therefore, when a gateway wants to unicast the symmetric key (encrypted by ) to node , gateway includes its random nonce, that is, and to the unicast message. After this exchange, node ensures that the message is recently initiated and is not a replay of old messages.
4.3. SurvivableSecure Connectivity
To better present the connectivity in each cluster of the proposed infrastructure for a WSN, we define a graph to model the connectivity between a set of sensor nodes. Each sensor node is represented by a vertex in , , where represents the number of sensor nodes within each cluster (In Section 5.1, we study the average number of sensor nodes inside a cluster.). For any two nodes and in , the edge exists if and only if the nodes are within communication range of each other. The node degree is defined as the number of edges connected to the node. For example, in Figure 1, . Now, let us assume that node wishes to send information to the node , and let be the received power at . In this case, gateway compares the SNR with the environment noise threshold, and if it is more than the noise threshold, then can send a message to the . In this situation, these nodes have achieved survivable connectivity and the edge exists. To obtain the in each cluster, the following steps should be completed.

(1)
The gateway broadcasts a start message.

(2)
Each sensor node transmits a message with its .

(3)
All the sensor nodes record the received signal strength.

(4)
The gateways request each sensor node to report (the recorded information) to the gateway.
To achieve secure connectivity, in addition to the above conditions for survivable connectivity, sensor nodes should have previously established a symmetric/secret common key for each edge in . In this case, the proposed graph is securely connected. Finally, the gateway will be aware of the degree of each sensor node within its cluster. Note that determines the amount of symmetric keys which should be loaded from the gateway to each sensor node.