Trust-based secure directed diffusion routing protocol in WSN

Deployed in the monitoring environment, a Wireless Sensor Network (WSN) is a measurement and control network composed of miniature, low-cost sensors with sensing, computing, and communication capabilities. The design of the Directed Diffusion (DD) routing protocol is one of the key problems in WSN. In order to obtain the confidentiality of sensing data and solve the unreliability of relay nodes in the existing DD routing protocols, this paper designs an Energy Trust Model (ETM) by introducing the remaining energy and trust of a node. We further propose a Trust-based Secure Directed Diffusion Routing protocol (TSDDR) based on the model. The proposed protocol achieves the establishment of a credible communication path and the transmission of confidential data in WSN. Meanwhile, the balance of energy consumption and the privacy of sensing data can be ensured. The performance analysis results show that the TSDDR protocol can effectively defend against MITM attacks and prevent the malicious nodes' impersonation. At the same time, the protocol achieves secure end-to-end anonymous communication with acceptable energy overhead and computational complexity.


Introduction
Since the concept of the Internet of Things (IoTs) was formally proposed in 2005, the idea of the interconnection of everything has gradually penetrated people's lives. From smart home, smart transportation and smart city to agricultural production, medical care, national defense and military, the application field of the Internet of Things has been involved in all aspects. In recent years, trust models and e-voting schemes are often used to assess the trustworthiness of entities in IoTs. Meanwhile, high-resolution remote sensing image registration and crowd sensing in sensing applications (Jiang et al. 2020) have developed rapidly, which has put forward higher requirements for the Internet of Things.
The wireless sensor network has become an important part of the IoTs, and the sensor nodes are the key part of the wireless sensor network. However, the resource-constrained sensor nodes are usually distributed in various environments in a multi-hop, self-organizing manner and are vulnerable to attacks from internal or external adversaries. Furthermore, the balance of energy consumption, the reliability of routing selection, and the security of data transmission in wireless sensor networks are particularly important.

Related work
Researchers have designed routing protocols suitable for different practical scenarios. According to the network topology, the routing protocols can be divided into two categories, that is flat routing protocols and hierarchical routing protocols (Roy and Das 2014). In flat routing protocols, all sensor nodes are peer-to-peer. The typical flat routing protocols include Directed Diffusion routing protocol (DD) (Zheng et al. 2013), SPIN routing (Feng et al. 2014), and so on. Besides, the main problem to be solved is how to find an energy-saving and low delay route between the source node and the sink node. In hierarchical routing protocols, the source node transfers the sensing data to the cluster head node of the cluster, and a cluster head node can be selected among multiple cluster head nodes, thus forming a layered network structure. The hierarchical routing protocol is mainly concerned with the selection of the cluster head nodes and the formulation of update strategies, so as to achieve the purpose of saving energy. Therefore, the hierarchical routing protocol is suitable for situations requiring centralized data collection. The DD protocol in flat routing is a typical data-based, query-driven routing mechanism. In the DD protocol, each node only needs to save the information of the neighbor nodes and does not need to maintain the information of the whole network. In addition, the data is sent based on the user's needs, rather than being sent upward as soon as the nodes in the detection area perceive the data. Therefore, the DD routing protocol has the potential advantage of low power consumption and has a high research value in the field of wireless sensor networks. However, the energy consumption of sensor nodes in the original DD routing protocol is unbalanced, and the sensing data is transmitted in plaintext in the network, with poor confidentiality. 
Therefore, in order to improve network performance, there have been continuous improvements to the DD routing protocol.
Ren et al. proposed a gradient-based limited diffusion algorithm, which performs diffusion in the optimal set of forwarding nodes (Ren et al. 2006). A directed diffusion protocol based on the random key pre-distribution model (Fei et al. 2007) was proposed in 2007, which can provide point-to-point secure data communication. Dai et al. applied the percolation algorithm to the interest diffusion stage of the directed diffusion protocol to reduce the network overhead (Dai et al. 2010). A cross-layer congestion control method based on the directed diffusion routing protocol, using the idea of cross-layer design, was proposed (Ye et al. 2012), which can effectively relieve congestion and reduce energy consumption. Sengupta et al. proposed a Secure Directed Diffusion (SDD) protocol (Sengupta et al. 2018), which effectively prevents eavesdropping attacks, Sinkhole attacks and Sybil attacks through authentication between adjacent nodes. However, the relay nodes can learn the plaintext data by decryption, so the confidentiality of the data cannot be guaranteed. Therefore, they further designed an Improved Secure Directed Diffusion (ISDD) protocol (Sengupta et al. 2019), which realizes secure end-to-end data transmission and anonymous communication between nodes. However, the sink node will refuse to provide service due to a large amount of data if most relay nodes on the path are maliciously controlled to send false data to the sink node, which affects the reception of the legitimate data. In other words, the ISDD protocol cannot prevent relay nodes from launching DoS attacks.

Contributions
The credibility and reliability of relay nodes are very important in the DD protocol. However, if the node with a high trust value is directly selected to build the path, that node will suffer sharp energy attenuation or even become a "dead node" due to too many communication opportunities, thus affecting the performance of the entire network. Considering the energy limitation of sensor nodes, this paper takes the remaining energy value of nodes into the category of trust value and builds an Energy Trust Model. The energy trust value reflects the trust degree of the nodes in WSNs and provides a guarantee for the selection of reliable nodes in the DD routing protocols. The main contributions of this paper are as follows.
First of all, this paper proposes a Secure Directed Diffusion Routing protocol based on the Energy Trust Model. The Energy Trust Model obtains the energy trust value of a node as a weighted sum of the direct trust value and the remaining energy to measure the credibility of the node. The proposed protocol establishes a reliable path and transmits sensing data in WSN by selecting relay nodes with high credibility.
Secondly, this paper proposes a secure key distribution method based on the DH protocol. By introducing the DH protocol, the DH session key negotiation between the sink node and each relay node is completed in the Path Reinforcement Phase of the Secure Directed Diffusion Routing protocol, and the secure distribution of the DH session keys is achieved.
Finally, the proposed protocol in this paper transmits sensing data with an idea similar to onion routing. Specifically, this paper utilizes the DH session keys and the pseudonym mechanism to realize multi-layers encryption of sensing data and anonymous communication of nodes in the Data Propagation Phase of the proposed protocol, which can effectively ensure the security of sensing data and the anonymity of nodes.
The remainder of the paper is organized as follows. Section 2 gives the basics used in this paper. An Energy Trust Model is presented in Sect. 3. Section 4 proposes a Trust-based Secure Directed Diffusion Routing protocol. Before summarizing the whole paper in Sect. 6, we analyze the performance of the routing protocol in terms of security and simulation results in Sect. 5.

Identity based cryptography (IBC)
The algorithm of Identity Based Cryptography (Zhao et al. 2012) consists of four parts: system initialization, private key extraction, encryption, and decryption.

System initialization
The Private Key Generation center (PKG) selects an appropriate elliptic curve $E$, a base point $P$, and two cyclic groups $G_1$ and $G_2$ of prime order $q$, where $G_1$ is an additive cyclic group and $G_2$ is a multiplicative cyclic group generated by $g$. The PKG determines the bilinear pairing $\hat{e} : G_1 \times G_1 \to G_2$ and chooses two hash functions $H_1$ and $H_2$. $H_1 : \{0,1\}^* \to G_1$ is used to map the user's Id to $G_1$, and $H_2 : \{0,1\}^n \to G_2$ is used to map the elements on $G_2$ to plaintext space $M$. The PKG also chooses a random value $m_s \in Z_q^*$ as the system master key and computes the system public key $X = m_s P$. Finally, the PKG publishes the system parameters $\{q, g, P, X, G_1, G_2, \hat{e}, H_1, H_2\}$.

Private key extraction
The PKG generates the public key $Q = H_1(Id)$ and the private key $PK = m_s Q$ for the user with the identity $Id$ and sends $PK$ to the user.

Encryption
User A selects a random value $r \in Z_q^*$, computes $C_1 = rP$ and $C_2 = m \oplus H_2(\hat{e}(Q_B, X)^r)$, and sends the cipher text $(C_1, C_2)$ to user B, where $m$ is the plaintext message and $Q_B$ is the public key of user B.

Decryption
After receiving the cipher text, user B restores the message $m = C_2 \oplus H_2(\hat{e}(PK_B, C_1))$, where $PK_B$ is the private key of user B.

Bilinear pairing
Bilinear pairing (Zhang et al. 2004) can be described by $(q, G_1, G_2, \hat{e})$, where $G_1$ is an additive cyclic group whose order is the prime $q$, and $G_2$ is a multiplicative cyclic group with the same order $q$. Let $\hat{e} : G_1 \times G_1 \to G_2$ be a map with the following properties:

Bilinearity
For all $P, Q \in G_1$ and $a, b \in Z_q^*$, we have:

Non-degeneracy
If $P$ is a generator of $G_1$, then the following holds:

Computability
There is an efficient algorithm to compute $\hat{e}(P, Q)$ for all $P, Q \in G_1$.

DH key exchange protocol
The effectiveness of the Diffie-Hellman algorithm depends on the difficulty of calculating discrete logarithms (Wang et al. 2019). First, we define the discrete logarithm. Assuming that $a$ is a primitive root of the prime number $q$, its powers produce all integers between 1 and $q - 1$. That is, $a \bmod q, a^2 \bmod q, \dots, a^{q-1} \bmod q$ are all different and form a permutation of the integers from 1 to $q - 1$. For any integer $b$ and the primitive root $a$ of prime $q$, we can find the unique exponent $i$ ($0 \le i \le q - 1$) such that The exponent $i$ is called the discrete logarithm of $b$ with base $a$ modulo $q$ and is denoted as $\mathrm{dlog}_{a,q}\, b$.
The Discrete-Logarithm Problem in a cyclic group $G$ with generator $g$ is to compute $\log_g h$ for a uniform element $h \in G$. The Discrete-Logarithm assumption is simply the assumption that there exists a $G$ for which the Discrete-Logarithm Problem is hard. In short, it is easy to compute $h = g^x$ given $x$, but it is hard to compute $x$ given $h = g^x$.
In this paper, the multiplicative cyclic group $G_2$ is used as the number field of the DH algorithm. Assume that users A and B want to negotiate a key. User A selects a random integer $x \in Z_q^*$ and calculates his DH public key $P_A = g^x \bmod q$, and then sends it to B. User B also chooses a random integer $y \in Z_q^*$ and calculates his public key $P_B = g^y \bmod q$, and then sends it to A. Users A and B keep $x$ and $y$ secret respectively, and finally calculate the DH session key: The two results are the same.

Interest message
The interest message describes the information that users want to query in the form of a set of attribute values and floods the wireless sensor network starting from the sink node. The attribute combination of an interest message should include the detection object, the location of the detection area, the start time of data collection, the transmission signal period, and the signal strength, etc. (Roy and Das 2014). The source node also uses a set of matching attribute values to represent the collected data.

Gradient
The gradient is a data structure used to transmit data. The direction of the gradient is the direction of data transmission, which is opposed to the direction of interest propagation. The gradient value reflects the similarity between the sensing data and the interest message, which is one of the measurement criteria of path selection.
Directed diffusion routing protocol is a query-based routing mechanism, which consists of Interest Propagation Phase, Gradient Establishment Phase, Path Reinforcement Phase, and Data Propagation Phase. In the Interest Propagation Phase, the sink node floods interest messages to all nodes in the target area. In the Gradient Establishment Phase, each node establishes a data transmission gradient with neighbor nodes that send interest messages. In the Path Reinforcement Phase, along the data transmission gradient, the source node floods the probe data to the sink node. After receiving the probe data from multiple paths, the sink node selects an optimal path for subsequent data transmission according to a certain reinforcement mechanism (such as lower delay or shorter hop). In the Data Propagation Phase, the source node sends the data it collected to the sink node along the enhanced path at a high speed.

Energy trust model
The Energy Trust Model (ETM) computes a weighted sum of the Direct Trust Value and the Energy Specification Value to obtain the Energy Trust Value of a node. In the proposed Energy Trust Model, we utilize the simplified Beta trust model (Ye et al. 2019) to calculate the Direct Trust Value. Our major contribution lies in the Energy Trust Model, where we define a new notion of Energy Specification Value and propose its computing method using the remaining energy of a node.
Before formally defining the proposed model, we first prepare some initial settings. Suppose that there are $n$ sensor nodes in a certain area when the wireless sensor network is initially formed. Each node saves a neighbor nodes list, which stores the Id, Direct Trust Value, Remaining Energy Value, Energy Specification Value, and Energy Trust Value of neighbor nodes. The initial direct trust value of each node is set to 0.5, and the initial energy value is $E_0$. The initial state of the neighbor node list is shown in Table 1.

Direct trust value
The Direct Trust Value lies in [0, 1], where 0 indicates complete distrust and 1 indicates complete trust. As the number of interactions increases, the Direct Trust Value changes.

Definition 1 Direct Trust Value (DT)
First, set a time period t. We assume that in the time period t, the node i actively communicates with node j for a total of + times, in which the successful interaction is times and the failure interaction is times. The Direct Trust Value of i to j is defined as: is a penalty function, in which W is the total communication times between node i and j. The (1 − 1 + ) is a tuning function, in which is a positive constant used to adjust the speed close to 1.

Definition 2 Energy Consumption Value (EC)
Assume that node $i$ sends $k$-bit data to node $j$ and the distance between the two nodes is $d_{ij}$. The energy consumption of node $i$ is defined as: $E_{elec}$ is the energy consumed by each bit of data received by a node and $d_0$ is the distance threshold. $E_{amp1}$ and $E_{amp2}$ represent the unit energy consumption of the power amplifier in the Free Space Model and the Multipath Attenuation Model (Ye et al. 2019), respectively. When the communication distance is less than the threshold, the propagation consumption has a quadratic relationship with the distance. Otherwise, the propagation consumption has a quartic relationship with the distance. Thus, the greater the communication distance, the more energy is consumed.

Definition 3 Energy Remaining Value (ER)
The Energy Remaining Value of node $i$ after sending $k$-bit data is defined as: $E^{t}_{now}$ is the remaining energy of node $i$ in the current time period, while $E^{t-1}_{now}$ is the remaining energy of node $i$ in the previous period. Each node stores its initial energy value locally, updates it in real time according to the forwarded data, and periodically sends its latest remaining energy to its neighbor nodes.

Definition 4 Energy Specification Value (ES)
The Energy Specification Value is the ratio of the node's current remaining energy $E^{t}_{now}$ to the initial energy $E_0$, where $ES \in [0, 1]$, and the closer the ES is to 1, the more remaining energy the node has.
The update process of the ES is as follows. Similar to the update of the DT, the update of the ES is also in the unit of time period $t$. After time $t$, the ES of node $i$ to node $j$ is It can be seen that when the initial energy $E_0$ is fixed, the size of the ES is related to the current remaining energy of the node. The more remaining energy, the larger the energy specification value, and the greater the probability of participating in data transmission. In this way, the energy consumption of the entire network is relatively balanced, and the average life of each node is also extended.

Definition 5 Energy Trust Value (ET)
The Energy Trust Value comprehensively considers the node's Direct Trust Value DT and Energy Specification Value ES, so as to obtain the node's energy-based comprehensive trust value. This value reflects the overall reliability and trustworthiness of the node, which is defined as follows:

(10) ET_{i,j}(t) = 1 DT_{i,j}(t) + 2 ES_{i,j}(t)

1 and 2 are weight factors and 1 + 2 = 1 . The Energy Trust Value ET is updated periodically with DT and ES, that is, each node periodically updates its own neighbor nodes list.

The trust-based secure directed diffusion routing protocol (TSDDR)
The In addition, the DH key exchange protocol is also introduced at this phase to complete the key negotiation between the sink node and the trusted node. The generated key is used to encrypt data during the Data Propagation Phase.
In the schematic diagrams of the following phases, the size of the number represents the sequence of operations, and the same number represents that operations can occur synchronously. The main notations used in the TSDDR protocol and their meanings are shown in Table 2.

Table 2

| Notation | Meaning |
|---|---|
| $Id_i$ | The identity of node i |
| $Loc_i$ | The location of node i |
| $Q_i$ | The public key of node i |
| $PK_i$ | The private key of node i |
| $P_i$ | The DH public key of node i |
| $Z_q^*$ | Integer multiplication group of order q |
| $RK_i$ | The random private key of node i |
| $PN_i$ | The random pseudonym of node i |
| $SK_{i,j}$ | The shared key of node i and node j |
| $K_{i,j}$ | The DH session key of node i and node j |

Predeployment phase
This phase occurs between the trusted Private Key Generation center and each sensor node newly added to the network. The PKG assigns a private key to each node using the Identity Based Cryptography, which is used to calculate the random private key and shared key of the node in the Data Propagation Phase. We assume that each node (say, node $i$) is provided with a unique, integer-valued and non-zero identity denoted by $Id_i$. When node $i$ joins the network, it sends its own identity $Id_i$ to the PKG. Correspondingly, the PKG calculates the public key $Q_i$ and private key $PK_i$ for node $i$ (as shown in Formulae 11 and 12) and sends the system parameters and private key to node $i$. The specific communication process is shown in Fig. 1.

$$Q_i = H_1(Id_i) \tag{11}$$

$$PK_i = m_s Q_i \tag{12}$$

Interest propagation and gradient establishment phase
After the Predeployment Phase, each node in the network is assigned the system parameters and a private key. The Interest Propagation is started by the sink node (SN) flooding an Interest package of the form <Interest, $Id_{SN}$, $Loc_{SN}$> containing the attribute-value pairs Interest, the identity $Id_{SN}$ of SN, and the location $Loc_{SN}$ of SN. Generally speaking, when a node $j$ receives an Interest package <Interest, $Id_i$, $Loc_i$> from node $i$, the node $j$ will update its interest list and flood an Interest package <Interest, $Id_j$, $Loc_j$> to its neighbor nodes. In the Interest package, the set of the attribute-value pairs is essentially an Interest Message defined in Sect. 2.4, which describes the information that the user wants to query and is represented by Interest. The phase continues until all nodes in the network receive an Interest package.
The Gradient Establishment Phase is synchronized with the Interest Propagation Phase, thus both phases complete together. In detail, at the same time as the interest propagation, the node $j$ that has received an Interest package from node $i$ will build a gradient towards $i$. Then node $j$ unicasts a three-tuple package <Gradient, $Id_j$, $Loc_j$> to $i$ (as shown in Fig. 2). The gradient defined in Sect. 2.4 is a data structure used to store routing information and transmit data, whose direction is opposite to that of the interest propagation. As this phase continues, the gradient values are also updated in the cache of each node. The completion of the Interest Propagation Phase means that multiple paths established by gradients are formed between the source and the sink node. After that, the source node floods the probe data to the sink node along the gradient direction.

Path reinforcement phase
In this phase, a trusted path is established from the sink node to the source node (as shown in Fig. 3). In the process of path establishment, the sink node negotiates a DH session key with each new node that joins the path (as shown in Fig. 4). This phase uses the ET as the enhancement mechanism to select relay nodes. The higher the ET of a node, the more likely it is to be selected as a relay node. When a path is composed of a group of highly reliable nodes, the data propagation is more stable and reliable.
As shown in Fig. 3, the establishment of the trusted path starts from the sink node SN. When a node $i$ that has joined the path selects the next relay node from its neighbor node list, the following two checks are performed: (1) whether there is a source node in the neighbor node list of node $i$: if so, the path to the source node is directly established, otherwise, node $i$ selects the node with the highest ET value from its neighbor node list; (2) whether the node is a sink node or has joined the path: if so, node $i$ selects the node with the sub-highest ET value and performs the same check, otherwise the node will be added to the path to continue the first check. This continues until a path from the sink node to the source node is established. Suppose the established trusted path is SN → A → B → S.
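The selection rule above, together with the Energy Trust Value of Sect. 3, as an added Python example (not code from the paper). It assumes the weight setting 0.5/0.5 implied by the simulation's initial ET of 0.75, takes each Direct Trust Value as a given input rather than recomputing it, and returns `None` on a dead end, a case the paper does not specify; the topology and all function names are constructed for illustration.

```python
# Added illustration: ET-driven relay selection for the Path Reinforcement Phase.
W_DT, W_ES = 0.5, 0.5  # weight factors; 0.5/0.5 reproduces the initial ET of 0.75
E0 = 1.0               # initial energy of every node (constructed unit value)


def energy_spec(e_now, e0=E0):
    """ES: ratio of current remaining energy to initial energy, kept in [0, 1]."""
    if e0 <= 0:
        raise ValueError("initial energy must be positive")
    return max(0.0, min(1.0, e_now / e0))


def energy_trust(dt, es, w_dt=W_DT, w_es=W_ES):
    """ET: weighted sum of Direct Trust Value and Energy Specification Value."""
    if not (0.0 <= dt <= 1.0 and 0.0 <= es <= 1.0):
        raise ValueError("DT and ES must lie in [0, 1]")
    if abs(w_dt + w_es - 1.0) > 1e-9:
        raise ValueError("weight factors must sum to 1")
    return w_dt * dt + w_es * es


def neighbor_et(table):
    """Map each neighbor j in one node's list to the ET that node holds for j."""
    return {j: energy_trust(dt, energy_spec(e_now)) for j, (dt, e_now) in table.items()}


def build_trusted_path(tables, sink, source):
    """Grow the path from the sink; return the node list, or None on a dead end.

    tables[i][j] = (DT_ij, remaining energy of j) is node i's neighbor list.
    """
    path = [sink]
    while path[-1] != source:
        table = tables.get(path[-1], {})
        # Check (1): a source node in the neighbor list ends the search.
        if source in table:
            path.append(source)
            break
        # Check (2): skip the sink and nodes already on the path, then take
        # the highest remaining ET (the "sub-highest" rule of the text).
        et = neighbor_et(table)
        ranked = sorted((j for j in et if j not in path), key=et.get, reverse=True)
        if not ranked:
            return None  # assumption: the paper does not define this case
        path.append(ranked[0])
    return path


# Constructed topology: C is highly trusted but nearly depleted, M misbehaves.
SAMPLE_TABLES = {
    "SN": {"A": (0.90, 0.80), "C": (0.95, 0.20), "M": (0.20, 0.95)},
    "A": {"SN": (0.90, 0.90), "B": (0.80, 0.90), "M": (0.20, 0.95)},
    "B": {"A": (0.90, 0.80), "S": (0.70, 1.00)},
    "C": {"SN": (0.90, 0.90)},
    "M": {"SN": (0.90, 0.90), "A": (0.90, 0.80)},
}

if __name__ == "__main__":
    print(neighbor_et(SAMPLE_TABLES["SN"]))
    print(build_trusted_path(SAMPLE_TABLES, "SN", "S"))
```

In the sample, node C has the highest Direct Trust Value among the sink's neighbors but is bypassed because its low remaining energy drags its ET below that of A, which is the balancing effect the model is designed for.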
As shown in Fig. 4, the DH key negotiation process is as follows. In the path establishment process, each time a new relay node is added, the DH algorithm is used to calculate the session key with the sink node. The specific process is as follows.
1. SN randomly selects a positive integer $x \in Z_q^*$ and calculates its DH public key $P_{SN}$:

$$P_{SN} = g^x \bmod q \tag{13}$$

2. SN sends the package <Reinforcement> and $P_{SN}$ to node A.
3. After receiving the information, A randomly selects a positive integer $y \in Z_q^*$ and calculates its DH public key $P_A$:

$$P_A = g^y \bmod q \tag{14}$$

4. A sends $P_A$ along the path (A → SN) to the sink node SN.
5. A and SN calculate their DH session keys $K_{A,SN}$ and $K_{SN,A}$ respectively:

$$K_{A,SN} = (P_{SN})^y \bmod q \tag{15}$$

6. A sends the package <Reinforcement> and $P_{SN}$ to node B.
7. After receiving the information, node B randomly selects a positive integer $z \in Z_q^*$ and calculates its DH public key $P_B$:
8. B sends $P_B$ along the path (B → A) to the node A.
9. A sends $P_B$ along the path (A → SN) to the sink node SN.
10. B and SN calculate their DH session keys $K_{B,SN}$ and $K_{SN,B}$ respectively:
11. B sends the package <Reinforcement> and $P_{SN}$ to the source node S.
12. After receiving the information, node S randomly selects a positive integer $w \in Z_q^*$ and calculates its DH public key $P_S$:
13. S sends $P_S$ along the path (S → B) to the node B.
14. B sends $P_S$ along the path (B → A) to the node A.
15. A sends $P_S$ along the path (A → SN) to the sink node SN.
16. S and SN calculate their DH session keys $K_{S,SN}$ and $K_{SN,S}$ respectively:

Data propagation phase
In this phase, the TSDDR protocol uses the DH session keys negotiated between the sink node and relay nodes, and the shared keys generated between the adjacent relay nodes, to produce multiple encryption layers, thereby providing end-to-end data security. Specifically, the source node transmits the original data to the sink node along the path after multi-layer encryption, and the sink node gets the plaintext through multi-layer decryption. The whole encryption and decryption operations are similar to the process of onion routing (El Mougy and Sameh 2018; Hiller et al. 2019).
In the sequel, each relay node in the established path will calculate a random pseudonym to conceal its real identity, thereby achieving anonymous communication. The random pseudonym is obtained by multiplying a random integer with the public key of a node and will be sent to the next relay node along with the encrypted data. The receiving node will retrieve the random pseudonym to calculate the shared key with the sending node. Figure 5 depicts each of the steps of the Data Propagation Phase for an example data path S → B → A → SN.
The source node S does the following before transmitting the original data.
1. S calculates the public key $Q_B$ according to the identity $Id_B$ of its direct successor node B:
2. S chooses a random integer $n_1 \in Z_q^*$, calculates a random pseudonym $PN_S$ and a random private key $RK_S$:
3. S calculates the shared key $SK_{S,B}$ with B using bilinear pairing:
4. S uses the DH session key $K_{S,SN}$ with the sink node SN to encrypt the plaintext $m$:
5. S encrypts $c_1$ using the shared key $SK_{S,B}$ with its successor node B:

Fig. 4 The path establishment process

Next, S sends its pseudonym $PN_S$ and the cipher text $c_2$, which has two layers of encryption, to B. B performs similar operations to S among steps 1 to 3 before receiving the message.

1. B calculates the public key $Q_A$ according to the identity $Id_A$ of its direct successor node A:
2. B chooses a random integer $n_2 \in Z_q^*$, calculates a random pseudonym $PN_B$ and a random private key $RK_B$:
3. B calculates the shared key $SK_{B,A}$ with A using bilinear pairing:

Then, B sends its pseudonym $PN_B$ and cipher text $c_4$, which has three layers of encryption, to A. A performs similar actions to B among steps 1 to 3 before receiving the message.
A uses the shared key $SK_{A,SN}$ with SN to encrypt $c_5$: Then, A sends its pseudonym $PN_A$ and cipher text $c_6$, which has four layers of encryption, to the sink node SN.

1. After receiving the message, SN calculates the shared key $SK_{SN,A}$ with A according to the pseudonym $PN_A$:
2. SN uses $SK_{SN,A}$ to decrypt $c_6$ to get $c_5$:
3. SN decrypts $c_5$ with $K_{SN,A}$, $K_{SN,B}$ and $K_{SN,S}$ respectively to retrieve the plaintext:
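The DH negotiation of the Path Reinforcement Phase and the DH-keyed layers of the Data Propagation Phase, as an added Python sketch (not the paper's code). It covers only the layers keyed with the session keys $K_{i,SN}$; the pairing-based hop-by-hop shared keys $SK_{i,j}$ are left out, the modulus and generator are constructed toy values, and a SHA-256 keystream XOR stands in for the symmetric cipher, which the paper does not name.

```python
# Added illustration: sink-to-node DH session keys and layered encryption.
import hashlib
import secrets

Q = 2**127 - 1  # toy prime modulus (constructed; far too small for deployment)
G = 3           # toy base (constructed)


def dh_keypair():
    """Return (secret exponent, DH public key g^secret mod q)."""
    secret = secrets.randbelow(Q - 2) + 1
    return secret, pow(G, secret, Q)


def dh_session_key(own_secret, peer_public):
    """K = (peer public key)^own_secret mod q, the same value on both sides."""
    return pow(peer_public, own_secret, Q)


def xor_layer(key_int, data):
    """Add or strip one layer. Stand-in cipher: SHA-256 in counter mode, XORed.

    A deployment would use an authenticated cipher with a per-message nonce.
    """
    key = key_int.to_bytes(16, "big")
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def negotiate(path_nodes):
    """SN draws one x; its public key is forwarded to every node joining the path."""
    x, p_sn = dh_keypair()
    node_keys, sink_keys = {}, {}
    for name in path_nodes:
        y, p_node = dh_keypair()                       # node's own secret
        node_keys[name] = dh_session_key(y, p_sn)      # K_{node,SN}
        sink_keys[name] = dh_session_key(x, p_node)    # K_{SN,node}
    return node_keys, sink_keys


def propagate(plaintext, route, node_keys):
    """route runs source -> last relay; returns [(node, ciphertext it emits)]."""
    emitted = []
    data = plaintext
    for name in route:
        data = xor_layer(node_keys[name], data)
        emitted.append((name, data))
    return emitted


def sink_decrypt(ciphertext, route, sink_keys):
    """SN strips the layers in reverse order: last relay first, source last."""
    data = ciphertext
    for name in reversed(route):
        data = xor_layer(sink_keys[name], data)
    return data


if __name__ == "__main__":
    route = ["S", "B", "A"]                  # data path S -> B -> A -> SN
    node_keys, sink_keys = negotiate(route)
    hops = propagate(b"temp=21.5C", route, node_keys)  # constructed reading
    print(sink_decrypt(hops[-1][1], route, sink_keys))
```

Relay A can strip only its own layer, which returns the ciphertext it received from B rather than the reading, because the innermost layer is keyed with the session key held only by S and SN.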

Anonymous communication
During the data propagation, each relay node on the data path generates a fresh pseudonym to guarantee anonymous communication. We analyze the security goal by an example: a relay node $i$ on the data path generates a random pseudonym $PN_i$ using $PN_i = nQ_i = nH_1(Id_i)$, in which $n \in Z_q^*$ is a random integer, $H_1 : \{0,1\}^* \to G_1$ is a one-way hash function, and $G_1$ is a cyclic group of prime order. Therefore, the pseudonym $PN_i \in G_1$ completely blinds the real identity information $Id_i$ of node $i$. Furthermore, when the node $i$ acts as a relay node for multiple paths, it only knows the pseudonyms of its predecessor nodes but cannot precisely distinguish which one it is. That is, a relay node on the data path only knows the next hop but cannot identify the previous hop node, which further realizes anonymous communication between the nodes.

End to end data security
As shown in the Data Propagation Phase, the original plaintext data sent by the source node carries multiple layers of encryption when it arrives at the sink node. Furthermore, the innermost encryption layer of the encrypted data is calculated with the DH session key, which is only known by the source node and the sink node. Therefore, the original plaintext data can only be decrypted by the sink node using its DH session key. No relay node on the data path can retrieve the original plaintext data, thus our proposed protocol can ensure end-to-end data security.

No impersonation
We consider an external adversary Adv with $Id_{Adv}$, $Q_{Adv}$, and $PK_{Adv}$ who wants to impersonate a legal relay node, say B, on the path S → B → A → SN. Assume that the adversary has obtained the pseudonym $PN_S$ of source node S and the public key $Q_B$ of node B. The adversary would need to compute the shared key $SK_{B,S} = \hat{e}(PN_S, Q_B)^{m_s}$ after receiving the ciphertext from S to behave as the node B. However, the adversary has no knowledge of $m_s$, which is only known by the PKG, so he cannot calculate the key $SK_{B,S}$ shared between B and S. It is worth noting that it is computationally infeasible for the adversary to deduce $m_s$ through $PK_{Adv} = m_s Q_{Adv}$ given $PK_{Adv}$ and $Q_{Adv}$, which is exactly the Discrete Logarithm Problem (DLP) defined in Sect. 2.3. Therefore, under the DLP assumption in the additive cyclic group $G_1$, the impersonation of any other node is infeasible.

Defending against man-in-the-middle (MITM) attack
We will analyze the MITM Attack through an example. Consider a malicious node Adv that attempts to initiate a MITM Attack between the sink node SN and any legal node, say node A, on the data path S → B → A → SN. In this scenario, assume that the malicious node has the ability to eavesdrop on the DH public keys of node A and SN. Besides, the malicious node computes its DH public key $P_{Adv}$ and sends it to node SN and A, respectively. Then, two DH session keys $K_{A \leftrightarrow Adv}$ and $K_{Adv \leftrightarrow SN}$ can be computed, which belong to (A ↔ Adv) and (Adv ↔ SN) respectively. However, the plaintext message is layer-wise encrypted by each node on the data path and the outermost layer of encryption is calculated using the shared key. As demonstrated in Sect. 5.1.3, the malicious node cannot obtain the shared key. Therefore, it is infeasible for the malicious node to decrypt the ciphertext, thus the MITM Attack is effectively defeated.

Simulation results
This paper uses Matlab for network simulation, and the initial parameters of simulation are set as shown in Table 3. Figure 6 shows the distribution of network nodes. The red node represents the unique sink node, and the remaining nodes represent the other sensor nodes. Figure 7 is the curve of the Energy Trust value ET of the nodes varying with the traffic W. At the beginning of network operation (i.e. traffic W = 0 ), the ET of all nodes is 0.75. The reason is that the initial Direct Trust value of each node is 0.5, and the ratio of remaining energy to initial energy is 1 (i.e. Energy Specification value ES = 1 ). According to the Eq. 10, ET(W = 0) = 0.5 × 0.5 + 0.5 × 1 = 0.75 . With the increase of traffic, the ET of normal nodes and malicious nodes is significantly different. In general, the ET of normal nodes increases with the increase of traffic, while that of malicious nodes decreases with the increase of traffic. For normal nodes, when the traffic W is between 0 and 60, the number of successful interactions of normal nodes accounts for a higher proportion of the traffic, and its remaining energy is more. Therefore, the ET of normal nodes increases with the increase of traffic. When the traffic W is between 60 and 80, the ET decreases due to the decrease of the remaining energy. At this time, in order to avoid premature depletion of energy, the traffic of normal nodes with low ET will be reduced. When the traffic W is between 80 and 100, the Direct Trust value increases significantly due to the large increase of the interaction times, so the ET of the normal node picks up. However, a large number of communication times bring rapid consumption of node energy. It can be inferred that when the traffic is greater than 100, the ET of the node will decrease.
For malicious nodes, when the traffic W is between 0 and 20, the ET of the node is greatly reduced by the large number of failed interactions caused by the node's malicious behavior. When the traffic W is between 20 and 40, the ET of malicious nodes improves, since the remaining energy of malicious nodes is slightly higher than that of normal nodes. However, with a further increase in traffic (i.e. W > 40), failed interactions account for an increasing proportion of the malicious nodes' traffic, and their remaining energy declines. Therefore, the ET of malicious nodes gradually decreases. As a result, selecting nodes according to the ET when establishing a path effectively distinguishes malicious nodes from normal nodes and reduces the risk of selecting a malicious node.
Table 4 compares the ETM proposed in this paper with three other trust models. It can be seen that all four trust models can effectively exclude malicious nodes, but GTRFM (Sinha and Jagannatham 2014), BTMS (Fang et al. 2015), and ADTMS (Luo et al. 2016) all have large energy costs. The model proposed in this paper uses a simplified version of the Beta model and only considers the direct trust value and the remaining energy of the node. Therefore, the energy overhead and computational complexity are within the acceptable range of WSNs.
Figure 8 shows the variation of the average remaining energy of the network with the running time under the DD, ISDD, and TSDDR protocols. The running time is 0, 10, 20, 30, 40, 50, 60, 70, 80, respectively, in seconds. In the initial operation of the network, the nodes under the TSDDR and ISDD protocols consume energy faster, and the average remaining energy of the network is lower than under the DD protocol. The reason is that both the TSDDR protocol and the ISDD protocol use cryptography to encrypt plaintext data, which improves security and anonymity at the price of higher computational complexity, so the nodes consume more energy. Moreover, the computational complexity of the TSDDR protocol with the ETM is higher than that of the ISDD protocol without the ETM. Therefore, the average remaining energy of the network with the TSDDR protocol is lower than that with the ISDD protocol. However, as the running time extends, the average remaining energy of the network with the TSDDR protocol becomes higher than with the other two protocols. This is because the ETM takes into account both the Direct Trust value and the remaining energy of a node. When the remaining energy of a normal node decreases, its Energy Trust value is negatively affected, and the traffic of the node is reduced accordingly. Normal nodes with high Direct Trust values are therefore not used too frequently, which avoids the network hole caused by the premature energy depletion of a single node. This keeps the average remaining energy of the whole network under dynamic regulation. Therefore, the TSDDR protocol is suitable for a long-term running detection environment.
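The ET-based relay selection discussed above can be sketched as follows. This is an added example, not the paper's Matlab code: the 0.5/0.5 weights come from the ET(W = 0) calculation in the text, while the Beta-expectation form of Direct Trust, the selection threshold `min_et`, and all energy costs and node names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

W_TRUST = W_ENERGY = 0.5  # weights from the page's ET(W = 0) calculation

@dataclass
class Node:
    name: str
    initial_energy: float = 1.0
    remaining_energy: float = 1.0
    successes: int = 0
    failures: int = 0

    def direct_trust(self):
        # Assumption: Beta-reputation expectation; gives 0.5 with no history.
        return (self.successes + 1) / (self.successes + self.failures + 2)

    def energy_spec(self):
        # ES: ratio of remaining energy to initial energy.
        return self.remaining_energy / self.initial_energy

    def energy_trust(self):
        return W_TRUST * self.direct_trust() + W_ENERGY * self.energy_spec()

    def record(self, forwarded, cost):
        """Log one interaction outcome and charge its energy cost."""
        if forwarded:
            self.successes += 1
        else:
            self.failures += 1
        self.remaining_energy = max(0.0, self.remaining_energy - cost)

def select_relay(neighbours, min_et=0.6):
    """Return the neighbour with the highest ET at or above min_et, else None."""
    ok = [n for n in neighbours if n.energy_trust() >= min_et]
    return max(ok, key=Node.energy_trust) if ok else None

def simulate():
    """Constructed scenario: 20 packets offered to each of two relays."""
    normal, malicious = Node("normal"), Node("malicious")
    for i in range(20):
        normal.record(forwarded=True, cost=0.01)
        kept = (i % 5 == 0)  # malicious relay drops 4 of every 5 packets
        malicious.record(forwarded=kept, cost=0.01 if kept else 0.005)
    # A well-behaved but nearly depleted node, and a node with no history.
    veteran = Node("veteran", remaining_energy=0.1, successes=200)
    fresh = Node("fresh")
    return normal, malicious, veteran, fresh

if __name__ == "__main__":
    nodes = simulate()
    for n in nodes:
        print(f"{n.name:9s} DT={n.direct_trust():.3f} "
              f"ES={n.energy_spec():.3f} ET={n.energy_trust():.3f}")
    print("chosen without 'normal':", select_relay(nodes[1:]).name)
```

In this constructed run the packet-dropping relay keeps more energy than the honest one yet ends with a lower ET, and the highly trusted but depleted node loses to a fresh node, which is the load-shifting behaviour the text credits with avoiding network holes.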

Conclusion
This paper designs an Energy-based Trust Model, applies it to the Directed Diffusion protocol in WSNs, and proposes a Trust-based Secure Directed Diffusion Routing protocol (TSDDR) to further improve the security and reliability of data transmission. In addition, the TSDDR protocol uses IBC, the DH key exchange protocol, and Bilinear Pairing to protect the confidentiality of data and the anonymity of nodes. Security analysis shows that the proposed protocol not only achieves anonymous communication between nodes and end-to-end data security, but also prevents external malicious nodes from impersonating legitimate nodes on the path and launching man-in-the-middle attacks. Simulation results show that the proposed protocol can effectively eliminate malicious nodes when selecting relay nodes to establish paths. Moreover, the average remaining energy, that is, the life cycle of the network, is also increased.