A new key predistribution scheme for general and grid-group deployment of wireless sensor networks

Key predistribution for wireless sensor networks has been a challenging field of research because stringent resource constraints make the key predistribution schemes difficult to implement. Despite this, key predistribution scheme is regarded as the best option for key management in wireless sensor networks. Here, the authors have proposed a new key predistribution scheme. This scheme exhibits better performance than existing schemes of its kind. Moreover, our scheme ensures constant time of key establishment between two nodes. We provide some bounds on the resiliency of this scheme.

Next, we use this new key predistribution scheme in a grid-group deployment of sensor nodes. The entire deployment zone is broken into square regions. The sensor nodes falling within a single square region can communicate directly. Sensor nodes belonging to different square regions can communicate by means of special nodes deployed in each of the square region. We measure the resiliency in terms of fraction of links disconnected as well as fraction of nodes and regions disconnected. We show that our key predistribution scheme when applied to grid-group deployment performs better than standard models in existence.

Key predistribution in wireless sensor networks has attracted attention of researchers for a decade. Key predistribution schemes are classified into two groups viz. probabilistic key predistribution and deterministic key predistribution. In probabilistic key predistribution scheme, as the name implies, the keys are randomly drawn from a large pool of keys and are placed into the individual sensor nodes. This scheme does not ensure full connectivity between nodes. However, due to this scheme’s randomness, it does ensure resiliency against selective node capture attack. Some probabilistic schemes can be found in [1–3]. The main disadvantage of probabilistic key predistribution schemes are that they do not ensure full connectivity between each and every pair of nodes. On the other hand, in deterministic key predistribution scheme, a deterministic method is employed to load the keys into the sensor nodes. This scheme may or may not offer full connectivity between every pair of nodes of the Wireless Sensor Network (WSN). Several deterministic key predistribution schemes have been proposed by researchers. Blom [4] proposed a scheme for key for pairwise key establishment in a group of users. This scheme, though primarily not intended for WSNs, was later used for key establishment in WSN. A symmetric polynomial-based scheme was proposed by Blundo et al. in [5]. Key predistribution schemes based on combinatorial design can be found in [6–12].

Combinatorial designs have been extensively used in deterministic key management. Mitchel and Piper [13] first used this in key distribution. In combinatorial design-based key distribution, a set system is used. The elements of the set system are regarded as the keys. A block is regarded as the key ring of a node. Çamptepe and Yener [6, 7] were first to use combinatorial designs for key predistribution in sensor networks. They used projective geometry and generalized quadrangles. Lee and Stinson [8, 9] used transversal designs for key distribution. Chakrabarti et al. [11] proposed a hybrid key predistribution scheme by randomly merging the blocks of the transversal design proposed by Lee and Stinson. Their merging technique enhances the resiliency of the key predistribution scheme of Lee and Stinson. Three designs were used by Dong et al. [14]. They also proposed a class of key predistribution scheme based on orthogonal array [15]. Blackburn et al. [16] proposed Costas arrays and distinct difference configuration. Product construction was used by [17]. The scheme is based on the product of key distribution scheme and set systems. They deduce the conditions of the set systems that provide optimum connectivity and resiliency of the network. Ruj and Roy proposed several schemes using partially balanced design, transversal design, and Reed-Solomon codes [10, 18, 19].

Key predistribution in wireless sensor networks using deployment knowledge was first studied by Liu and Ning [3]. They proposed two predistribution schemes both of which took advantage of the deployment knowledge of sensor nodes. The first scheme called the closest pairwise scheme was a modification of the pairwise key predistribution scheme. The second predistribution scheme uses the polynomial-based key predistribution scheme of Blundo et al. [5].

Several research works followed, e.g., [18, 20–27]. In Du et al. scheme [20, 21], the sensors are deployed in groups at a single point of deployment. The probability density function of the ultimate position of all sensors in a group are the same. They used multiple space Blom scheme [4] for key predistribution.

Yu and Guan [28, 29] studied key predistribution schemes using deployment knowledge and compared the effect of deployment on triangular, hexagonal, and square grids. Huang et al. [24, 25] proposed a grid-group-based key predistribution scheme. These schemes are perfectly secure to selective and random node capture attack. Here, the deployment area is divided into smaller rectangular zones of the same size. Every rectangular area contains equal number of sensors deployed uniformly in that zone. The keys in the sensors are deployed following multiple space Blom scheme similar to Du et al. scheme [20]. Each sensor node chooses keys from two key spaces such that no more than c sensors are chosen from the same key space, thus eliminating the possibility of node capture attacks. In [23], Zhou et al. discussed a key predistribution scheme where sensor nodes are mobile. There are static sensor which are deployed in groups. There are mobile collectors which are used to collect and aggregate sensor data and forward to the base station. The mobility of collectors enhance the data consistency.

Ruj and Roy [18] proposed a key predistribution for grid-group-based deployment. In this scheme, the deployment area is divided into smaller square regions. There are n² such smaller regions. There are two types of nodes viz. common nodes and agents. Their scheme offers full connectivity between the set of agents of the regions within the communication range.

Bag proposed a key predistribution scheme using the deployment knowledge in [30]. Here, the author considered a three-dimensional deployment zone where the sensor nodes are deployed not only along the length and breadth of the deployment zone but also along the height of the deployment zone.

In this paper, we propose a key predistribution scheme for homogeneous wireless sensor networks using the scheme of Blom [4] as well as symmetric balanced incomplete block design (SBIBD). The main advantage of using this scheme for key predistribution is that for this scheme, the adversary needs to capture large number of nodes in order to compromise all the keys in an uncompromised node. In other words, in order to disconnect an uncaptured node from all other nodes, the adversary needs to capture many more nodes than the other standard schemes.

Then, we use this new key predistribution scheme in a grid-group deployment of sensor nodes. A grid-group deployment refers to such a deployment where the entire deployment zone is broken into smaller two-dimensional square regions giving rise to an n × n grid-group structure. Equal number of sensor nodes are deployed in each of the smaller square regions of the deployment zone. Sensor nodes deployed inside one smaller square region forms a group. Sensor nodes within the same group communicate more frequently than a pair of nodes falling in two different groups. This is driven by the fact that sensor nodes in proximity to each other communicate more frequently than distant nodes. Sensor nodes deployed in this fashion grid form a heterogeneous network. This type of deployment scheme is applied in battlefields where sensors belonging to a compromised zone need to be completely disconnected from the rest of the network. Because if an adversary compromises an area, all the sensor nodes deployed in that area are considered to be captured.

This type of deployment is proposed by Liu and Ning [3, 22]. There are two types of sensor nodes in this heterogeneous network. They mainly differ in resource. One type of nodes have a low amount of storage capacity, power, and computational power, and the other type of nodes are richer in the amount of computational resources that they posses. We shall use the name ‘supernode’ for the nodes which are more powerful than common nodes. Common sensors belonging to one region contain a set of keys that are completely disjoint from the sensors in some other region. This ensures that even if one region is totally disconnected, the other regions are not affected. For each sensor node, the keys are preloaded in such a way that all the nodes belonging to a particular square region (group) can communicate with each other directly. Sensor nodes belonging to different square regions (group) communicate through two or more supernodes.

Our general key predistribution scheme offers better resiliency than the schemes in [4, 6, 7]. For example, in key predistribution scheme by Blom [4], the adversary can compromise all the keys of the entire WSN merely by capturing c nodes, where c is the security parameter of the design. However, in our scheme, the adversary can only compromise few links by capturing c nodes. Our scheme also offers better resiliency than [6, 7] in terms of the number of links that get exposed when some nodes are compromised. In both key predistribution schemes based on symmetric BIBD and generalized quadrangles in [6, 7], the attacker can compromise many key links between pairs of uncaptured nodes by capturing a single node. However, in our scheme, the attacker needs to capture multiple nodes for compromising the key links between some pairs of nodes. We have compared our scheme with [18] and other similar schemes on the basis of fraction of links that gets exposed when some nodes get captured by the adversary. This is a well-known measure of the resiliency of a key predistribution scheme. Our scheme is shown to exhibit the best performance as far as the resiliency is concerned. The scheme of Ruj and Roy in [18] uses three times the number of supernodes we use in our scheme for full connectivity. Our scheme offers better resiliency using less number of supernodes.

Here, we discuss some mathematical structures that we have used in our key predistribution scheme. Table 1 provides the meaning of different notations used in this section and in the next section.

2.1 Combinatorial design

A design [31] is a two tuple $(X,\mathcal{A})$ where X is a set of varieties, and $\mathcal{A}$ is a set of subsets of X:

A (v, b, r, k, λ)-BIBD is a design satisfying these properties:

1. 1.

   |X| = v.

2. 2.

   $\left|\mathcal{A}\right|=b$.

3. 3.

   $\forall B\in \mathcal{A},\left|B\right|=k$.

4. 4.

   $\forall x\in X,\left|\right\{B:B\in \mathcal{A},x\in B\left\}\right|=r$.

5. 5.

   $\forall x,y\in X,x\ne y,\left|\right\{B:B\in \mathcal{A},x,y\in B\left\}\right|=\lambda$.

A (v, b, r, k, λ)-BIBD, where v = b is called a symmetric BIBD or SBIBD. It can be shown that in a symmetric BIBD, k = r[31].

A (n² + n + 1,n + 1,1)-BIBD with n ≥ 2 is called a projective plane of order n. It can be proven (Theorem 2.10, [31]) that for every prime power q ≥ 2, there exists a symmetric (q² + q + 1,q + 1,1)-BIBD i.e., a projective plane of order q.

2.1.1 Construction of SBIBD

Çamptepe and Yener used mutually orthogonal Latin squares in constructing the key predistribution scheme of [6]. Another construction of the same scheme can be found in [32]. Let V₃(q) be the set of a three-dimensional vector space over a finite field F _q of q elements. A projective geometry P G(2, q) over a finite field F _q  is defined like the following:

•  The points are given by the one-dimensional subspaces of V₃(q).

•  The lines are given by the two-dimensional subspaces of V₃(q).

•  A point belongs to a line if the corresponding one-dimensional subspace of the point is contained in the two-dimensional subspace corresponding to the line.

•  Two lines are incident to each other iff the intersection of the corresponding two-dimensional subspaces of them is a nonempty one-dimensional subspace.

It can be shown that there are (q³ - 1) / (q - 1) or q² + q + 1 number of distinct subspaces of dimension one of V₃(q) [32]. Similarly, the number of distinct subspaces of dimension two of V₃(q) is also q² + q + 1. Each two-dimensional subspace contains q + 1 distinct one-dimensional subspaces. The intersection of two-dimensional subspaces is a one-dimensional subspace of V₃(q). So, the number of points and lines in P G(2, q) is q² +q + 1. Every line contains q + 1 number of points. So, taking points as varieties and lines as block P G(2, q) is a symmetric (q² + q + 1,q + 1,1) BIBD.

Since the lines of P G(2, q) are two-dimensional subspaces of V₃(q), we can represent each block by the basis of the subspaces they correspond to. The basis of a two-dimensional subspace of V₃(q) contains exactly two elements. So, each block in P G(2, q) will be identified by two elements of V₃(q).

Similarly, the points of P G(2, q) are one-dimensional subspaces of V₃(q). So, every variety of (q² + q + 1,q + 1,1) SBIBD can be represented by the basis of the one-dimensional subspace it belongs to.

Let L₁ = {(1, s, t):s, t ∈ G F(q)}

Let, $\mathcal{S}=L_1\cup L_2\cup L_3$.

It can be shown that each element of $\mathcal{S}$ is a basis of a distinct one-dimensional subspace of V₃(q). Throughout this article, we shall represent the q² + q + 1 number of varieties of the (q² + q + 1,q + 1,1) SBIBD by the elements of $\mathcal{S}$.

2.1.2 Shared variety discovery of (q² + q + 1,q + 1, 1) SBIBD

Any two blocks of a symmetric (q² + q + 1, q + 1, 1) BIBD do share one and unique variety. Given a (q² + q + 1, q + 1, 1) SBIBD, Algorithm 1 finds the common variety of two blocks of the design. This algorithm uses the basis of the nullspace of A.x = 0. This basis can be computed using Gauss-Jordan elimination method [33, 34] in a constant time. Therefore, the runtime of Algorithm 1 is O(1).

Algorithm 1 Computing the shared variety between two blocks of (q² + q + 1,q + 1,1) SBIBD

2.2 Key predistribution using combinatorial design

Once we have a (v, b, r, k, λ)-design $(X,\mathcal{A})$, we can map it to a key predistribution scheme in the following way:

• Let $\mathcal{K}$ be a set of v keys.

• $\mathcal{N}$ be a set of b nodes in the WSN.

• Let $\mathcal{A}=\{B_1,B_2,\dots ,B_b\}$ be the blocks of the design.

• Let $f:\mathcal{K}\to X$ be a map and $g:\mathcal{N}\to \mathcal{A}$ be another map.

• For each $B_i\in \mathcal{A},i=1,2,\dots ,b$ and  ∀ a _j  ∈ X,j = 1,2,…,v if a _j  ∈ B _i  and both f^-1(a _j ) and g^-1(B _i ) exist, load key f(a _j ) into node g(B _i ).

In plain language, what we do here is to use varieties as keys and blocks as node. A node corresponding to a block contains all the keys corresponding to the varieties that the particular block contains. Two nodes will have a common key if and only if the corresponding blocks do share at least one common variety. Again, the number of keys in a node will be equal to the number of varieties in a block that corresponds to the node.

2.3 Blom’s scheme

Blom [4] proposed a scheme for key predistribution where the members of a group can establish pairwise keys. Let N be the size of the network. The distribution server first chooses a c × N matrix G over a finite field G F(q). The matrix G is considered to be a public information. Now, the distribution server constructs a c × c symmetric matrix D over G F(q). This matrix is a private information of the system. Now, the server computes the c × N matrix A, where A = (D G)^T, T being the transposition operator. Now, A G = (D G)^TG = G^TD^TG = G^TD G = G^TA^T = (A G)^T.

Thus, AG is a symmetric matrix. Let K = A G, we know that K _{i j}  = K _{j i} , where K _{i j} is the element in K located in the i th row and j th column. K _{i j} (or K _{j i} ) is the pairwise key between node U _i  and node U _j . To carry out the above computation, nodes U _i and U _j  should be able to compute K _{i j}  and K _{j i} , respectively. This can be easily achieved using the following key predistribution scheme, for w = 1,2,…,N,

•  Store the w th row of matrix A in node U _w .

•  Store the w th column of matrix G in node U _w .

Now, if two nodes (say U _x  and U _y ) want to communicate, they need to establish a common key. Node U _x  has row x of A and column x of G. Node U _y  has row y of A and column y of G. Now, they can establish a pairwise key this way:

•  Node U _x  and U _y exchange column x and column y of matrix G, respectively.

•  Node U _x calculates K _{x y}  = (row x of A). (column y of G).

•  Node U _y  calculates K _{y x}  = (row y of A). (column x of G).

The matrix G is a public information. Therefore, the rows of G could be sent without encryption. Since K is a symmetric matrix, K _{x y}  = K _{y x} . Hence, K _{x y}  can be used as the common key between the two nodes.

2.3.1 c-secure property

It has been proved that the above scheme is c-secure [4], i.e., if any c + 1 columns of G are linearly independent; then, no member other than U _x  and U _y  can compute K _{x y}  or K _{y x}  if no more than c members are compromised.

2.3.2 A construction for matrix G

We note that any c + 1 columns of G[35] must be linearly independent in order to achieve the c-secure property. Let α be a primitive element of a finite field G F(q) where q is a prime power.

A feasible G can be designed as follows [36]:

It is well known that αⁱ ≠ α^j if i ≠ j (this is a property of primitive elements). Since G is a Vandermonde matrix, it can be shown that any c + 1 columns of G are linearly independent when α, α², α³, …, α^N are all distinct. In practice, G can be generated by the primitive element α of G F(q). Therefore, the w th column of G is stored at node U _w ; it is only required to store the seed α^w, and any node can regenerate the column given the seed.

2.4 Threat model

Wireless sensor nodes are deployed in unattended environment often in an area under the control of adversaries. Thus, the sensor nodes that gather and communicate sensitive information are vulnerable to attacks. An active adversary can physically capture a number of nodes, and it can get to know the stored keys into them. These keys can thereafter be used by the adversary to decrypt messages communicated across sensor nodes. We shall discuss two types of attacks to our proposed scheme.

2.4.1 Random node capture

In this type of attack, the adversary randomly captures nodes from the deployment zone and exposes the keys loaded into them.

2.4.2 Selective node capture

This attack was first introduced in [37]. An active attacker is in attempt to obtain a set T of keys. For achieving this, the attacker is compromising sensor nodes. It has already obtained a set of keys S this way, where S ⊂ T. For each node s in the WSN, the random variable G(s) is equal to the number of keys belonging to T ∖ S; the attacker gains by compromising s nodes. At each step of the attack sequence, the next sensor to be tampered with is sensor s, where s maximizes E[G(s)|I(s)], the expectation of the key information gain G(s) given the information I(s) that the attacker knows on sensor s’s key ring.

3.1 Key predistribution in the group

Here, our aim is to design a key predistribution scheme for a sensor network consisting $\mathcal{N}$ nodes where $\mathcal{N}\le p^2+p+1$ where p is a prime number.

We use the scheme in [6, 7] by Çamtepe and Yener and Blom’s scheme [4]. This scheme is based on symmetric design (Section 2). They used a symmetric (p² + p + 1,p + 1,1) design to build a key predistribution scheme for WSN.

We shall be using a (p² + p + 1,p + 1,1) -symmetric balanced incomplete block design $(X,\mathcal{A})$. Here, X = {x₁,x₂,…,x _v },v = p² + p + 1. $\mathcal{A}=\{B:B=\{x_{j_1},x_{j_2},\dots ,x_{j_{p+1}}\},j_1,j_2,\dots ,j_{p+1}\in \{1,2,\dots ,v\},j_m\ne j_n,1\le m,n\le p+1\}$. $\left|\mathcal{A}\right|=p^2+p+1$. Here, B _i s are the individual blocks for all i ∈ {1,2,…,p² + p + 1}. |B _i | = p + 1,∀ i ∈ {1,2,…,p² + p + 1}.

3.1.1 The scheme

Definition 1

For any node $n_i\in \mathcal{N}$, and a variety x _l  ∈ X and a block $B_d\in \mathcal{A}$, P O S(B _d , x _l ) is an integer taking values from the set {1, 2, …, k}, where f(n _i ) = B _d  and x _l  ∈B _d . The node n _i  stores the values of P O S(B _d , x _l ), ∀ x _l  ∈ B _d .

Since, $\left|B_d\right|=k,\forall B_d\in \mathcal{A}$, so each node stores k number of P O S (∗,∗) values.

Definition 2

f is a one-to-one map from the set of nodes of the sensor network to the blocks of the symmetric (p² + p + 1,p + 1,1) design. In addition to that, we assume that f^-1 can be computed in constant time.

It can be noted that the nodes can be identified by the identifier of the blocks they correspond to. Therefore, one example of the function f is the identity mapping if $\mathcal{N}\subseteq \mathcal{A}$.

The total number of nodes in deployment be $t=\left|\mathcal{N}\right|$. Choose a prime power p such that t ≤ p² + p + 1. Now, design a symmetric (p² + p + 1,p + 1, 1) BIBD using Algorithm 1 of [7]. Comparing a (v,b,r,k,λ)-design to this symmetric (p² + p + 1,p + 1, 1)-design, we get v = b = p² + p + 1,k = r = p + 1 and λ = 1. The varieties of the design are denoted by $x_1,x_2,\dots ,x_{p^2+p+1}$ and the blocks as $B_1,B_2,\dots ,B_{p^2+p+1}$. We shall design our key predistribution scheme in nodes using this symmetric (p² + p + 1,p + 1,1)-design. Let the security parameter be c as in Section 2.3. We shall later discuss on a feasible value the integer c. Now, compute p² + p + 1 symmetric c × c matrices $D_1,D_2,\dots ,D_{p^2+p+1}$ over a finite field G F(q). Now, construct a c × r matrix G using the method described in 2.3 i.e. if α is a primitive element of G F(q), compute:

Algorithm 2 maps a (v, b, r, k, λ) design $(X,\mathcal{A})$ of Section 2.1 into a key predistribution scheme. Let $\mathcal{N}=\{n_1,n_2,\dots ,n_t\}$ be the set of nodes in the WSN. We can design a key predistribution in these nodes using Algorithm 2 and taking v = b = p² + p + 1,r = p + 1. In Algorithm 2, we take v = p² + p + 1 many different key spaces of the Blom scheme [4]. We compute one c × r public matrix G and a set of v many c × c secret symmetric matrix D _i ,i ∈ {1,2,…,v}. Thus, we can compute v many A matrices like this : $A_i={\left(D_iĠ\right)}^T$. Hence, there are v many distinct key spaces of Blom scheme. Now, we can have a key distribution scheme by considering each of the v key space as a variety of the (p² + p + 1,p + 1,1)- SBIBD, where each block of the SBIBD corresponds to a node of the WSN. Since a block of a (p² + p + 1,p + 1,1)- SBIBD contains p + 1 many varieties, every node will have its key share from exactly p + 1 many key spaces.

Algorithm 2 Algorithm for key predistribution in nodes

3.1.2 Memory requirement

It is easy to see that one node n _h  contains one row from each matrix of the set M _h  where M _h  ⊂ {A₁,A₂,…,A _v } where |M _h | = k. The dimension of each row is c. Also, the node contains row 2 of matrix G which is (α,α²,…,α^r). It can be seen that for (p² + p + 1,p + 1,1) SBIBD r = k. Again, a node n _i stores P O S(f(n _i ),x _i ) for $i\in \mathbb{V},\mathbb{V}\subset \{1,2,\dots ,v\},\left|\mathbb{V}\right|=k$. So, the overhead on each node is O(k c + r + k). For most of the cases, c is a small constant. In this design k = p + 1. Therefore, the memory overhead is O(p) or $O\left(\sqrt{\left|\mathcal{N}\right|}\right)$.

3.1.3 Shared key discovery between two nodes

Two nodes wishing to communicate securely need to agree upon a secret key. In the scheme discussed in Section 3.1.1, any two nodes can surely compute a shared key. We provide an algorithm that takes all arguments of Algorithm 2 and finds a shared key between two nodes. In addition, the algorithm takes two nodes as input and finds a common key shared by both of them.

The most costly computation of Algorithm 3 is at step 3. This step reduces in finding all the blocks of a design that contains a particular variety. This can be found using a different construction of symmetric BIBD as discussed in Section 8.4 of [32].

Algorithm 3 Algorithm to compute common key between noden _i  ann _j

3.1.3.0 Time complexity of Algorithm 3

The first step reduces in inverting the node ids. We assumed that f is invertible in constant time. So, the first step can be done in time O(1). The second step computes a common variety belonging to two different blocks in the design used in Algorithm 2. Note that in a (p² + p + 1,p + 1,1)-SBIBD, any two blocks will share a unique common variety. Computing such a variety in a (p² + p + 1,p + 1,1)-SBIBD is equivalent to computing a basis of the intersection of two-dimensional subspaces. This can be done in constant time using the Algorithm 1. The third step is a lookup of memory and is, too, of time complexity O(1) if the items are stored in an indexed table. In the fourth step, the w th column of matrix G is calculated which is given by (1,α^w,(α^w)²,(α^w)³,…,(α^w)^c-1)^′. Since the nodes store αⁱ for each i = 1,2,3,…,r and c is a constant, so computing the w th column of matrix G requires O(1) computation. Finally, the fifth step can also be done in constant time since the vectors are of constant dimension. Therefore, the overall runtime of Algorithm 3 is O(1).

Note that node n _i stores the value u = P O S(B _y ,x _m ) in the Algorithm 3, and node n _j stores the value of w = P O S(B _z ,x _m ). However, for computing the shared key, both the nodes need the values of u and w. So, the two nodes must exchange the values of u and w which will incur an additional communication cost of O(1). To avoid this, every node can store the values of P O S(∗,∗) for other nodes. For example node n _i =f^-1(B _y ) needs to store the values of $\mathit{\text{POS}}(B_e,x_l):1\le e\le v,e\ne y,x_l=B_e\bigcap B_y$. This will require a memory overhead of $O\left(\mathcal{N}\right)$.

3.2 Proof of correctness of algorithms

Here, we establish the correctness of Algorithm 2 and Algorithm 3. It will be sufficient to show that after deployment, a pair of distinct nodes n _i  and n _j ,1 ≤ i,j ≤ v will be able to compute their common key $K_{n_i{n}_j}=K_{n_j{n}_i}$ using the shared key discovery method of Algorithm 3. According to Algorithm 3, both node n _i  and node n _j  will compute the blocks B _y  = f(n _i ) and B _z  = f(n _j ). Now, they can find the common element $x_m\in B_y\bigcap B_z:1\le m\le v$ using Algorithm 1. Now, node n _i  will compute u = P O S(B _y ,x _m ). Similarly, node n _j will calculate w = P O S(B _z ,x _m ). Node n _i  and n _j  will exchange the values u and v. Node n _i  will compute the w th column of matrix G from (α,α²,…,α^r) stored in it. Similarly, node n _j  will calculate the u th column of matrix G from (α,α²,α^r) stored in it. From Algorithm 1, we can see that node n _i  and n _j  have got the u th and w th row of matrix A _m  = (D _m .G)^T. Hence, node n _i  can compute K _{u w}  = (u th row of matrix A _m ).(w th column of matrix G. Node n _j will compute K _{w u}  = (w th row of matrix A _m ).(u th column of matrix G in a similar way. Since A _m .G is a symmetric matrix, $K_{\mathit{\text{uw}}}=K_{\mathit{\text{wu}}}=K_{n_i{n}_j}$. Hence, the two nodes will end up computing the same key using Algorithm 3. Therefore, the Algorithm 2 and 3 are correct. It can be noted that any row of matrix A _k ,1 ≤ k ≤ v is contained only in exactly one node according to Algorithm 2. So, only node n _i  contains the u th row of A _m  and only node n _j  contains the w th row of A _m . Hence, no other node can compute the common key $K_{n_i{n}_j}$.

In this section, we shall investigate the security aspects of the proposed scheme. As discussed in Section 1, sensor nodes are deployed in unattended environment often in area controlled by an adversary. So, an active adversary can compromise one or more sensor nodes of the deployment zone. If the sensor nodes are not tamper proof, the adversary can extract sensitive information from the set of sensor nodes compromised by the adversary and can use those informations to overhear the conversation between active sensor nodes.

Lemma 3

For the proposed scheme, let S be the set of compromised sensor nodes. Let, f(S) = {f(n):n∈S}. Two uncompromised nodes n₁ and n₂ will have an uncompromised link between them if and only if |{B:B ∈ f(S)&x∈B}| ≤ c-1, where x = B₁ ∩ B₂ and f(n₁) = B₁,f(n₂) = B₂.

Proof

Follows from the fact that c is the security parameter of the scheme in Section 2.3.

Let, x = x _κ , where κ ∈ {1,2,…,v}. Then by Algorithm 2 and 2.3, it can be said that if the matrix A _κ  can be compromised, then the common key between node n₁ and n₂ can be computed. This can only be possible if and only if any c number of rows of the matrix A _κ  are compromised. Let $\psi =\{n:n\in \mathcal{N}\&x_{\kappa }\in f(n\left)\right\}$. Hence, the nodes in ψ contain one distinct row of A _κ  each. So, successful computation of the shared key is possible if and only if |S ∩ ψ| ≥ c. In other words, the common key between the two nodes n₁ and n₂ will remain active if and only if |{B:B ∈ f(S)&x ∈ B}| ≤ c-1. □

Proposition 4

Let the total number of nodes be N and the security parameter be c. If s number of nodes are compromised and s ≥ c, the probability that two uncompromised nodes will have an uncompromised link is given by $\frac{\sum _{e=0}^{c-1}\left(\genfrac{}{}{0ex}{}{k-2}{e}\right)\left(\genfrac{}{}{0ex}{}{N-k}{s-e}\right)}{\left(\genfrac{}{}{0ex}{}{N-2}{s}\right)}$.

Proof

Let C denote the event that the two nodes will share an uncompromised link. Let the two nodes be given by n₁ and n₂. Let, f(n₁) = B₁ and f(n₂) = B₂, where $B_1,B_2\in \mathcal{A}$. There must be a unique x _i  ∈ X such that {x _i } = B₁ ∩ B₂. Again, let the set of compromised nodes be S, where |S| = s. The adversary cannot compute the shared key between n₁ and n₂ iff |{B:B ∈ f(S)&x _i  ∈ B}| ≤ c-1. In a symmetric (v,k,λ) design, there are k number of blocks containing a particular variety. So, for any particular variety x _i  ∈ X, $\left|\right\{B:B\in \mathcal{A}\&x_i\in B\left\}\right|=k$. Again, $B_1,B_2\in \{B:B\in \mathcal{A}\&x_i\in B\}$. Therefore, $\left|\right\{B:B\in \mathcal{A}\&x_i\in B,B\ne B_1,B\ne B_2\left\}\right|=k-2$.

. $\therefore P\left(C\right)=\sum _{e=0}^{c-1}P\left(\right|\{B:B\in f(\mathbf{S})\&x_i\in B,n_1,n_2\notin S\}|=e)=\frac{\sum _{e=0}^{c-1}\left(\genfrac{}{}{0ex}{}{k-2}{e}\right)\left(\genfrac{}{}{0ex}{}{N-k}{s-e}\right)}{\left(\genfrac{}{}{0ex}{}{N-2}{s}\right)}$. □

We provide the values of P(C) for different sets of parameters in Table 2. It can be seen that our scheme has high probability of existence of a live link between two uncaptured nodes even when large number of nodes are compromised. Here, p is the prime number of the symmetric balanced incomplete block design that is used in the scheme. c is the security parameter of Blom’s scheme. s is the number of compromised nodes. Table 2 shows that this scheme has a high probability of existence of a key link between two nodes even when many nodes are compromised. Also, if p increases, the number of nodes increases and so does the probability of existence of a link between a pair of nodes.

4.1 Performance analysis in terms of known measures

We shall analyze the performance of our scheme in terms of two well-known measures viz. E(s) and V(s). These are the standard measures used for evaluating the resiliency of any key predistribution scheme.

Definition 5

E(s) is defined to be the ratio of the number of links exposed in the network when s number of nodes are compromised to the number of links present in the network before s number of nodes were compromised.

Let, L be the total number of links in a network and l be the number of links exposed after s number of nodes are compromised.

then

Here, we will consider only the resiliency of the subnetwork consisting of nodes. E(s) is the measure that shows the performance of the scheme in terms of it’s resiliency against node captures. As defined above, E(s) is the measure that shows the fraction of links that gets exposed when s number of nodes get compromised. So, the lesser the value of E(s) is, the more resilient is the scheme to node capture attack.

Let S be the set of s sensor nodes. $\mathbf{S}\subseteq \mathcal{N}$. For two sensor nodes $n_i,n_j\in \mathcal{N}$, define

From Lemma 3,

Let$\phi \left(\mathbf{S}\right)=\frac{\sum _{i=1}^t\sum _{\begin{array}{c}j=1\\ j\ne i\end{array}}^t\mathit{\text{LNK}}(n_i,n_j)}{t(t-1)}$Hence, E(s) = E X P(φ(S)), where E X P() is the expectation operator.

Theorem 6

For our scheme with p² + p + 1 many nodes, $E\left(s\right)\le \frac{c}{p^2+p+1}$ for$s\le \frac{c(c+1)}{2}$

Proof

The total number of nodes is p² + p + 1. That makes the number of links equal to $\left(\genfrac{}{}{0ex}{}{p^2+p+1}{2}\right)$.

We take the attacker’s point of view who would try to expose more links through compromising as less number of nodes as possible. In our design, a link can be exposed only if at least c number of nodes are compromised that contain one row of matrix A _h , each for some h ∈ {1,2,…,v}. If c number of rows are compromised, then the attacker would be able to reconstruct the matrix A _h . Since A is a (p + 1) × c, the attacker would be able to compute the common keys between $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ pair of nodes or in other words $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ links would get exposed. Let, n₀,n₁,…,n _p  be p + 1nodes such that $x_i={\cap }_{j=0}^{p}f\left(n_j\right)$ for any x _i  ∈ X,i ∈ {1,2,…,v}. If any c of the nodes n₀,n₁,…,n _p  is compromised by the adversary, then we would be able to reconstruct matrix A _i  and hence, the links between nodes n₀,n₁,…,n _p will get exposed. So, the total number of exposed links will be $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$. Let the set of nodes compromised by the advisor for obtaining A _i  be S. Hence, |S|≥c. Since, the attacker’s intention is to compromise as less number of nodes as possible, we can say, |S| = c. Again, the attacker would attempt to expose another set of $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ links by compromising more nodes. The attacker can do this through compromising another matrix A _j ,j ≠ h,j ∈ {1,2,…,v}. This time, the attacker needs to compromise c-1 nodes. First, an attacker selects a j ≠ h such that a node in S does contain a row A _j . Choosing such a j will ensure that the attacker will have to compromise c-1 more nodes. It can be proved that for any j ≠ h, there is at most one node in S that contains a row of matrix A _j . So, the attacker would require to compromise c-1 additional nodes for exposing $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ links. This way, it can be proved that the attacker would require to compromise c-2 nodes for exposing the next set of $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ number of links and so on. This way, the attacker can compromise $c\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ number of links by capturing c + (c - 1) + (c - 2) + … + 1 nodes or $\frac{c(c+1)}{2}$ nodes.

Hence, for $s\le \frac{c(c+1)}{2},E\left(s\right)\le c\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)/\left(\genfrac{}{}{0ex}{}{p^2+p+1}{2}\right)$ or, $E\left(s\right)\le \frac{c}{p^2+p+1}$. □

Theorem 6 gives an upper bound of the extent of damage that occurs to the subnetwork consisting of nodes. Since p² + p + 1 > > c, so E(s) is very close to zero or, in other words, the number of links that get exposed is small when less than $\frac{c(c+1)}{2}$ number of nodes are captured.

Lemma 7

If a set of S sensor nodes get captured, then a node n _i  ∉ S will get disconnected from the rest of the network if and only if ∀ x ∈ f(n _i ), |{B:B ∈ f(S),x ∈ B}| ≥ c.

Proof

The proof follows from Lemma 3 and the c security property. □

Definition 8

V(s) is the fraction of nodes that get disconnected from the rest of the networks. Let m be the number of uncompromised nodes that get disconnected from the rest of the network of size N when s nodes are compromised, then $V\left(s\right)=\frac{m}{N-s-m}$.

Theorem 9

V(s) = 0, ∀ s < (p + 1)c.

Proof

Let the attacker wants to disconnect a particular node n _i ,i ∈ {1,2,…,v} from the rest of the network. Let, S be the minimal set of nodes that the attacker needs to capture for disconnecting the first (uncompromised) node from the rest of the network. Let B _j  = f(n _i ),j ∈ {1,2,…,v}. Hence, B _j  ∈ X. Let, {x₁,x₂,…,x_p + 1} = B _j . Let ∀ k ∈ {1,2,…,p + 1},C _k  = {B:B ∈ f(S)&x _k  ∈ B}. It can be seen that $f\left(S\right)={\cup }_{k=1}^{p+1}{C}_k$.

We claim that $C_k\cap C_k^{\prime }=\varphi ,k\ne k^{\prime },1\le k,k^{\prime }\le p+1$. If not, then suppose there exists a block B _m  ∈ C _k  ∩ C k ′. Hence, $x_k,x_k^{\prime }\in B_m$. So, |B _m  ∩ B _j | ≥ 2. This is not possible since the design we used is a symmetric (p² + p + 1,p + 1,1) design. So our assumption is wrong.

From the c-security property, we can say that |C _k | = c ∀ k ∈ {1,2,…,p + 1}. Hence, |f(S)| = |S| = (p + 1)c. Hence the result. □

The performance of our scheme in terms of V(s) for certain value of parameters is shown in Figure 1. It can be seen that the value of V(s) in Figure 1 is in agreement with the result stated in Theorem 9.

Graphical representation of the value of V ( s ) with respect to the number of nodes compromised for our scheme. The parameters for this graph is p=29,c=4, and number of nodes=871.

Full size image

4.2 Comparative study of the scheme

Here, we compare the resiliency of our proposed scheme with other existing schemes. Some well-known standard schemes are the basic scheme of Eschenauer and Gligor [1], Lee and Stinson’s quadratic and linear scheme based on transversal design in [8, 9, 38], Çamptepe and Yener’s scheme in [7], the scheme of Chakrabarti et al. [11], and partially balanced incomplete block design based scheme by Ruj and Roy in [10].

The scheme of Eschenauer and Gligor in [1] is a probabilistic key predistribution scheme. This scheme uses a pool of keys. Keys are drawn randomly from the key pool with replacement and are placed in the sensor nodes. All nodes are loaded with same number of keys. This scheme does not ensure the existence of a common key between a pair of nodes. This scheme is known as the basic scheme.

Lee and Stinson [8, 38] used transversal design in key predistribution. They proposed two types of transversal design viz. linear and quadratic. In these schemes, a pair of nodes can have zero or one key in common. They used the following construction of a transversal design T D(k,r) [8].

1. 1.

   X = {(x,y):0 ≤ x < k,0 ≤ y < r}.

2. ∀ i,G _i  = {(i,y):0 ≤ y < r}.

1. 3.

   A = {A _i,j:0 ≤ i < r& 0 ≤ j < r}.

They defined block A_i,j by A_i,j = (x,x i + j mod r):0 ≤ x < k,0 ≤ i,j < r. Similarly for a quadratic scheme, they defined a block A_i,j,k by A_i,j,k = (x,x i² + x j + k mod r) : 0 ≤ x  < k,0 ≤ i,j < r.

Each block is assigned to a node. So, the linear Lee-Stinson’s scheme supports r² nodes, and the quadratic scheme supports as many as p³ nodes.

Çamtepe and Yener used symmetric balanced incomplete block design in [7]. A SBIBD is a (p² + p + 1,p + 1,1) design where p is a prime number. They used projective geometry for constructing the SBIBD. This scheme ensures full connectivity between nodes. Each node in this scheme contains p+1 keys, and every key is contained in p + 1 nodes.

Chakrabarti et al. [11] proposed a hybrid key predistribution scheme by merging the blocks in combinatorial designs. They considered the blocks constructed from the transversal design proposed by Lee and Stinson and randomly selected them and merged them to form the sensor nodes. Though this scheme increases the number of the keys per node, it improves the resiliency of the network. The probability that two nodes share a common key is also high. Thus, it has a better connectivity.

Ruj and Roy proposed two schemes for key predistribution in [10]. They used partially balanced incomplete block design. In the first scheme, the number of nodes as well as the number of keys are equal to n(n - 1)/2 for some positive integer n. The number of keys in a node is equal to 2(n-2). The number of nodes containing the same key is also 2(n - 2). They presented another design that augments the size of the network, keeping the same number of keys in each node. The keys in the key pool also remain the same. They showed that network size can be increased in steps, keeping the same number of keys per node. However, to ensure that any pair of nodes can communicate directly, we cannot go on adding nodes in this scheme.

We have defined E(s) in Section 4.1. E(s) is the best measure of resiliency of any key predistribution scheme. A key predistribution scheme for which the value of E(s) is lower offers better resiliency against node capture. So, a key predistribution scheme having low value of E(s) for different values of captured nodes can withstand key compromise. Figure 2 shows a comparison between our scheme with these schemes in terms of E(s). We measured the resiliency of the key predistribution schemes by means of simulation. The parameters of different key predistribution schemes and the number of nodes in the WSN are given in Table 3. We have chosen nearly equal sizes of networks for different schemes in consideration. The other parameters are chosen depending upon the network size and the system models so that the key predistribution schemes exhibit optimal performance. N is the total number of nodes in the network, and k is the number of keys per node. The value of k depends upon the other parameters of the network which in turn depend upon the network size. The last column of Table 3 shows whether the key predistribution scheme ensures full connectivity among the nodes or not. We used C program to evaluate the values of E(s) for different values of s for all the schemes mentioned above. We compiled the source using GNU C compiler GCC 4.5.4. We considered random node capture by the adversary. In Figure 2, the line corresponding to the performance of our scheme almost touches the x-axis throughout the range. Hence, it can be inferred that less number of links get exposed in our scheme as compared to other schemes when same number of nodes are captured by the adversary. In other words, our scheme offers better performance than all the other schemes in terms of E(s). The reason why our scheme excels in performance can be inferred from Lemma 3. Lemma 3 says that in order to compromise the links between any two nodes, the adversary is required to compromise at least c (c is the security parameter) nodes having information from the same key space as the two nodes. However, in other schemes, the same thing can be done by capturing a single node. So, even if the number of captured nodes is high enough, the value of E(s) can be very low in our scheme. This fact is corroborated by the performance of our scheme as shown in Figure 2.

Graphical comparison of fraction of links exposed. With respect to the number of nodes compromised for our scheme and other schemes. The parameters for this comparison can be found in Table 3. The line corresponding to the performance of our scheme almost touches the horizontal axis and hence can hardly be seen.

Full size image

We shall use our proposed key predistribution scheme in developing a key predistribution scheme for grid-group deployment. As mentioned earlier in Section 1, a grid-group deployment refers to such deployment where the entire network is broken into smaller regions called groups. The sensor nodes belonging to one group could be deemed as a mini-WSN where the sensors of a certain group communicates among themselves more frequently than with sensors of different groups. We propose a key predistribution scheme for a WSN where the network is divided into a n×n square grid. Each group in this group has got identical number of sensors.

5.1 The scheme

Let p be a prime number. Let $\mathcal{N}\le p^2+p+1$ be the number of sensors in each group. The groups are denoted by the two tuple $(i,j),0\le i,j\le \mathcal{N}$. We shall denote the nodes of any group (i,j) as $n_{\mathit{\text{ij}}}^l,0\le l\le t-1$. We designate one node from each group as a supernode. This supernode has got more amount of resources than ordinary nodes in terms of memory, computational power, battery power, etc. This special node will be used for intergroup communication. The supernode of group (i,j) is denoted by S_i,j. It can be noted that a supernode S_i,j of any group (i,j) does belong to the set $\{n_{\mathit{\text{ij}}}^l:0\le l\le t-1\}$. If a node $n_{i,j}^{\alpha }$ of group (i,j) wants to communicate with node $n_{i^{\prime },j^{\prime }}^{\beta }$ of group (i^′,j^′), then the following steps are taken:

•  Node $n_{i,j}^{\alpha }$ generates a random key $\mathbb{K}$.

•  Node $n_{i,j}^{\alpha }$ send $\mathbb{K}$ to the supernode S _{i j} .

•  S _{i j}  passes $\mathbb{K}$ to $S_{i^{\prime }{j}^{\prime }}$.

•  $S_{i^{\prime }{j}^{\prime }}$ sends $\mathbb{K}$ to node $n_{i^{\prime },j^{\prime }}^{\beta }$.

Now, the two nodes viz $n_{i,j}^{\alpha }$ and $n_{i^{\prime },j^{\prime }}^{\beta }$ can communicate using the key $\mathbb{K}$.

It can be noted that for accomplishing all the steps mentioned above, it is necessary to have:

1. 1.

   Any two pair of nodes $n_{i,j}^{\alpha }$ and $n_{i,j}^{{\alpha }^{\prime }}$ belonging to group (i,j) must be able to communicate securely ∀ α ∈ {0,1,2,…,t-1} and 0 ≤ i,j ≤ p-1.

2. 2.

   Any pair of supernodes S _i,j and $S_{i^{\prime },j^{\prime }}$ belonging to two different groups (i,j) and (i ^′,j ^′) must be able to communicate securely where 0 ≤ i,j,i ^′,j ^′ ≤ p-1,(i,j) ≠ (i ^′,j ^′).

We now state our key predistribution scheme in detail. From the above discussion, it is clear that we need to have two types of key predistribution. One type of key predistribution is for the nodes within each of the groups and the other for the supernodes belonging to distinct groups. For each of the n² groups, we use our key predistribution scheme discussed in Section 3 for key predistribution. However, we do use distinct key spaces for key predistribution in each of the groups. Hence, if all the nodes corresponding to one region get captured in the hands of the adversary, the keys in sensor nodes in other groups remain unaffected. It should be kept in mind that a supernode belongs to the group corresponding to the square region they are deployed in. Hence, a supernode contains two types of keys, one that allows it to communicate securely with other nodes in the same group they belong to and the other that allows it to communicate with other supernodes belonging to different groups. Therefore, the key predistribution in the whole network looks like the following :

1. 1.

   Key predistribution for each of the n ² groups is done by using the scheme of Section 3 using exclusive key spaces for all the groups.

2. 2.

   A separate key predistribution using the same scheme of Section 3 is done for all the supernodes belonging to all the groups.

We assume that it is hard to capture a supernode until the entire square region where the supernode is located is compromised. We have assumed that the nodes within the same square region communicate more frequently than the two nodes each belonging to a separate square region. Hence, one supernode per group is sufficient to handle the burden of intergroup communication.

5.2 Resiliency of the network

When it comes to the resiliency of the key predistribution scheme in a grid-group deployment of the sensor network, there are three types of resiliency:

•  Intragroup resiliency : resiliency within a certain group.

•  Resiliency of the interlinks : resiliency in the set of supernodes.

•  Overall resiliency : resiliency of the entire network.

Within a group, the nodes work as a single WSN. Hence, the resiliency of the key predistribution is same as in Section 4. In this section, we study the resiliency of the interlinks in our key predistribution scheme. Here, too, similar to Section 4, we shall be using the standard measures for evaluating the resiliency of our scheme. The two measures we shall be using are E^′(s) and V^′(s).

Definition 10

E^′(s) is defined to be the fraction of interlinks between groups that get exposed when s number of supernodes are captured by the adversary. In other words, E^′(s) is the ratio of the interlinks present in the grid after s many supernodes are captured to the number of interlinks present in the network before s many supernodes are captured.

Let $\mathbb{S}=\left\{\right(i,j):0\le i,j\le N-1\}$

Also, let for any group (i,j),

It can be seen that in our design, all the supernodes have a common key between each other. Hence,$T(i,j)=N^2-1\forall (i,j)\in \mathbb{S}$.

Let $S\subseteq \mathbb{S}$ and |S| = s. Let

Let us denote,

Then,

where E X P is the expectation over all $S\subseteq \mathbb{S}$ of size |S| = s.

We compare the experimental values of E^′(s) of our scheme with the experimental values of the key predistribution scheme for grid-group deployment by Ruj and Roy in [18]. Ruj and Roy considered similar deployment of sensor nodes as we did except that they used three supernodes per region whereas we used a single one. The supernodes are meant to provide interregion connectivity similar to our scheme. Both the schemes offer full connectivity between regions through supernodes. Ruj and Roy used transversal designs for key predistribution in supernodes. Figure 3 shows the comparison of the performance of our scheme with the scheme by Ruj and Roy in terms of E^′(s). The parameters of this graph can be found in Table 4. We considered a 37×37 square grid as the deployment zone in both the cases. In our scheme every square region contains one supernode and in Ruj and Roy scheme the number of supernodes per region is 3. Hence, the total number of supernodes is 1369 in our scheme and 4107 in Ruj-Roy scheme. The value of the security parameter of our key predistribution scheme is taken to be 4. We used C program to evaluate the values of E^′(s) for different values of s for both schemes. We compiled the source using GNU C compiler GCC 4.5.4. Figure 3 shows that our scheme is better than the scheme in [18] in terms of the number of interlinks broken when same number of supernodes are compromised in the hand of the adversary. So, for our scheme, less number of links will get broken than the Ruj-Roy scheme when the same number of nodes are captured. So, in our scheme, more interregion links remain intact than the Ruj-Roy scheme when some supernodes are captured. Thus, our scheme exhibits better performance than the Ruj-Roy scheme though it makes use of only one-third of the number of supernodes used in Ruj-Roy scheme. Our scheme reduces the cost incurred due to the deployment of large number of supernodes and also enhances the resiliency of the network against node capture.

Graphical comparison of fraction of interlinks disconnected. This comparison is done with respect to the number of supernodes compromised for our scheme and the scheme in [18].

Full size image

Definition 11

V^′(s) is the fraction of groups that are disconnected from the rest of the groups with respect to the total number of groups when s number of supernodes are captured. In other words V^′(s) is the ratio of the number of groups that do not have any link to other groups after the s number of supernodes are captured to the total number of active supernodes present in the network before s many supernodes are captured.

The result proved in Theorem 9 is also applicable for the interlinks between supernodes in different groups. Hence, for our scheme, individual groups do not get disconnected from the rest of the network unless a large number of supernodes get captured.

Figure 4 shows the comparative performance of our scheme, and the Ruj-Roy scheme where the comparison is done in terms of V^′(s). The parameters of the graphical plot of Figure 4 is shown in Table 5. As defined above, V^′(s) is the fraction of nodes that get entirely disconnected from the rest of the network when s number of nodes get exposed. We used a 37×37 square grid in each case. The total number of supernodes in the entire network is 4,107 in Ruj-Roy scheme and 1,369 in our scheme. We have taken the security parameter of our scheme to be 4. The value of p in our scheme is 37. The number of keys (k) in a supernode is 23 in Ruj-Roy scheme. We used C program to evaluate the values of E^′(s) for different values of s for both schemes. We compiled the source using GNU C compiler GCC 4.5.4. Figure 4 shows that in our scheme, less number of nodes get detached from the network than the Ruj-Roy scheme in [18] when same number of nodes get captured by the adversary. Hence, our scheme is better than the Ruj-Roy scheme as it can keep more nodes connected to the network.

Graphical comparison of fraction of nodes disconnected. This comparison is done with respect to the number of nodes compromised for our scheme and the scheme in [18].

Full size image

5.3 Overall resiliency

We shall now study the resiliency of the entire network taking into account all the groups, nodes, and supernodes.

We define E^′′(s) as a new measure of overall resiliency in the entire network. It is defined to be the weighted average of the fractions of links exposed in every region (i,j),0 ≤ i,j ≤ N - 1 as well as the fraction of links exposed among the pair of supernodes when some nodes are compromised by the adversary in the entire network. The weight corresponding to the fraction of exposed links in a region (i,j) is equal to the number of pairs of uncompromised nodes present in that region (i,j). The weight corresponding to the fraction of exposed links between the supernodes are equal to the number of pairs of uncompromised supernodes remaining in the network. We are the first to propose this as a measure of overall resiliency in terms of fraction of links exposed in the entire network. In this measure, we separately compute the values of fraction of links exposed(E(s _{i j} )) in every region (i,j):0 ≤ i,j ≤ N - 1. We also measure the value of E(s) among the set of supernodes in the network. Then, we compute the weighted average of all these values of E(s).

Here, we take into account the entire network consisting of all the nodes and supernodes in all the regions. Let S _{i j}  be the number of nodes compromised in group (i,j) and $s=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}{s}_{\mathit{\text{ij}}}$. Also, let s _g  be the number of supernodes compromised. Hence, 0 ≤ s _g  ≤ N².

Let E(s _{i j} ) be the value of fraction of links exposed in group (i,j) when S _{i j}  many nodes are captured in group (i,j). Also, let E^g(s _g ) be the fraction of links exposed when s _g  many supernodes are compromised. After S _{i j}  many nodes are compromised in region (i,j), the number of uncompromised nodes present in region (i,j) is $\mathcal{N}-s_{\mathit{\text{ij}}}$. Hence, the weight corresponding to any region (i,j) is $\left(\genfrac{}{}{0ex}{}{\mathcal{N}-s_{\mathit{\text{ij}}}}{2}\right)$ which is equal to the number of pairs of uncompromised nodes in region (i,j). Similarly, for the set of supernodes, the weight assigned is $\left(\genfrac{}{}{0ex}{}{N^2-s_g}{2}\right)$. Therefore,

Hence, when the number of nodes captured from different groups is fixed, the overall E^′′(s) is the weighted average of the value of E(s _{i j} ) of all groups and the group of all supernodes.

Lemma 12

When S _{i j}  number of nodes are compromised in group (i,j),0 ≤ i,j ≤ N - 1 then E^′′(s) < max 0 ≤ i,j < N(E(s _{i j} )) with a high probability where $s=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}{s}_{\mathit{\text{ij}}}$ and s is not-so-large.

Proof

Hence,

Now, there are p² + p + 1 many nodes in any group which includes one supernode. If S _{i j}  number of nodes are captured in group (i,j), the probability that the supernode will get captured is $\frac{s_{\mathit{\text{ij}}}}{p^2+p+1}$. In order to expose at least one link between two uncompromised supernodes, the adversary will have to compromise at least c nodes containing informations from the same key space of our scheme. The probability of compromising c many supernodes containing information from the same key space is very close to zero. Hence, E^g(s _g ) = 0 with a high probability. So,

with a high probability, and the result follows from this. □

Corollary 13

When S _{i j}  number of nodes are compromised in group (i,j),0 ≤ i,j ≤ N - 1 then $E^{\mathrm{\prime \prime }}\left(s\right)<\frac{c}{p^2+p+1}$ with a high probability where $s=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}{s}_{\mathit{\text{ij}}}$ and s is not-so-large and for all $(i,j):0\le i,j<N,s_{\mathit{\text{ij}}}\le \frac{1}{2}c(c+1)$.

Proof

Follows directly from Lemma 12 and Theorem 6. □

Corollary 13 gives an upper bound of the numeric value of fraction of links disconnected in the set of all uncompromised nodes of the network.

Definition 14

V^′′(s) is defined to be the weighted average of the fractions of nodes disconnected from the rest of the network in a region (i,j) or in the set of supernodes when some nodes get compromised. Here, the weights are proportional to the number of pairs of uncompromised nodes present among the nodes in any region or among the supernodes. We propose and apply this measure for the first time for measuring the resiliency for such deployment of wireless sensor network.

Let V(s _{i j} ) be the value of the fraction of nodes disconnected in region (i,j) when S _{i j}  many nodes are captured. Again, let $s=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}{s}_{\mathit{\text{ij}}}$. Also let s _g  be the number of supernodes captured by the adversary and V^g(s _g ) be the fraction of supernodes disconnected from other supernodes when s _g  many supernodes are captured. After S _{i j}  many nodes are compromised in region (i,j), the number of uncompromised nodes present in region (i,j) is $\mathcal{N}-s_{\mathit{\text{ij}}}$. Hence, the weight corresponding to any region (i,j) is $\left(\genfrac{}{}{0ex}{}{\mathcal{N}-s_{\mathit{\text{ij}}}}{2}\right)$ which is equal to the number of pairs of uncompromised nodes in region (i,j). Similarly, for the set of supernodes, the weight assigned is $\left(\genfrac{}{}{0ex}{}{N^2-s_g}{2}\right)$. Therefore,

Lemma 15

When S _{i j}  number of nodes are compromised in group (i,j),0 ≤ i,j ≤ N - 1 then V^′′(s) < max 0 ≤ i,j < N(V(s _{i j} )) with a high probability where $s=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}{s}_{\mathit{\text{ij}}}$ and s is not so large.

Proof

The proof is same as Lemma 12. □

Corollary 16

When S _{i j} number of nodes are compromised in group (i,j),0 ≤ i,j ≤ N - 1 then V^′′(s) = 0 with a high probability where $s=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}{s}_{\mathit{\text{ij}}}$ and s is not-so-large and for all (i,j):0 ≤ i,j < N,s _{i j}  ≤ (p + 1)c.

Proof

Follows immediately from Lemma 15 and Theorem 9. □

Corollary 16 provides a bound for the value of fraction of uncompromised nodes that get totally disconnected from the network.

We have done simulation of the performance of the key predistribution scheme for grid-group deployment taking E^′′(s) and V^′′(s) as the measure of the performance in the entire network. In this simulation, we randomly chose/compromised s many nodes from the entire network and then computed the values of E^′′(s) and V^′′(s) for them. Hence, it is equally probable for every chosen node to belong to a certain region. We measured the values of E^′′(s)/V^′′(s) for any value of s by repeating the process 100 times and taking averages of the calculated values of the E^′′(s)/V^′′(s) for this 100 iterations.

The value of E^′′(s) for different values of s can be found in Table 6.

The values of E^′′(s) for different values of the system parameters are obtained through simulation of the key predistribution model using C program. The first column of Table 6 shows the dimension of the grid used as deployment zone. The second column gives the number of nodes contained in a single group. The third column shows the number of supernodes in the entire network which is equal to R × R, R being the dimension of the square grid. The fourth column corresponds to the security parameter c. The fifth column gives the number of nodes compromised. The last column shows the values of E^′′(s). It can be seen in Table 6 that as the grid size increases, the value of E^′′(s) decreases while other parameters remain the same. So, the adversary needs to capture more nodes to damage the communication model considerably if the grid size is high enough. This happens as when the grid size increases, the total number of nodes in the network increases and the number of links between nodes also increases. It can be noted in this table that if the value of the security parameter is kept as low as 3 or 4, the key predistribution model can offer sufficient resiliency against node capture.

Table 7 gives the values of V^′′(s) for different values of the number of captured nodes. It can be seen from Table 7 that the value of V^′′(s) is very low even if a high number of nodes are captured. So, the key predistribution model is highly resilient as far as the V^′′(s) is concerned. Also, if the size of the grid is increased, the value of V^′′(s) gets reduced.

5.4 Comparison with other schemes

Next, we compare our proposed scheme with some other key predistribution schemes that use deployment knowledge. These schemes include Du et al. 2004 [20] and 2006 [21], Liu and Ning 2003 [39] and 2005 [40], Yu and Guan 2005 [28] and 2008 [29], Zhou et al. 2006 [23], Huang et al. [24], Huang and Medhi 2007 [25], Chan and Perrig 2005 [26], Simonova et al. 2006 [27].

Huang et al. [24, 25] used rectangular deployment zone which is divided into equal-sized regions of smaller size. In this scheme, the sensors randomly choose the keys. Huang et al. used multispace Blom scheme [4] for key predistribution. In this scheme, all nodes are identical with respect to the amount of resources they possess. This is where this scheme is different from ours. In our scheme, there are two different types of nodes viz. common nodes and agents giving rise to a heterogeneous network. Moreover, in Huang et al. scheme, the nodes in a region can communicate directly with each other with probability of >0.5; whereas, in our scheme, they can do so with a probability equal to 1 as our scheme ensures full interregion connectivity. Hence, in this scheme, more amount of computation will be required for communication than our scheme. The scheme of Huang et al. is perfectly secure against selective and random node capture attack. Hence, capture of some number of nodes by an adversary will have negligible effect to the links among the uncompromised nodes. However, if we take all the links of compromised and uncompromised nodes into account, then the fraction of links compromised will be higher.

Zhou et al. [23] used two types of sensor nodes viz. static and mobile. This scheme uses pairwise keys with each sensor within the same region. Hence, it requires high amount of memory to hold the pairwise keys if the number of sensors within a region is high enough. If there are n number of nodes within a region, then the number of keys to be stored in a node is O(n²) under the Zhou et al. scheme; whereas, it is $O\left(\sqrt{N}\right)$ in Çamptepe and Yener scheme which is used in our key predistribution scheme. Hence, our scheme is much better than Zhou et al. in terms of memory efficiency.

Liu and Ning [39, 40] used deployment knowledge. There, the whole deployment zone is split into smaller square regions like our scheme. However, in their schemes, only a single node is deployed in a square region as opposed to our scheme where there are a group of nodes deployed in a region. They used the polynomial-based scheme of Blundo et al. [5]. The deployment region is broken down into equal-sized squares $\left\{C_{i_c,i_r}\right\}{i}_c=0,1,\dots ,C-1,i_r=0,1,\dots ,R-1$, each of which is a cell with coordinates (i _c ,i _r ) denoting row i _r  and column i _c . Each of the cells is associated with a bivariate polynomial. For a R × C grid, the setup server generates RC t-degree polynomials $\left\{f_{i_c,i_r}\right(x,y\left)\right\}{i}_c=0,1,\dots ,C-1,i_r=0,1,\dots ,R-1$, and assigns $f_{i_c,i_r}(x,y)$ to cell $C_{i_c,i_r}$. For each sensor, the setup server determine its home cell and its four neighboring cells which lie adjacent to the home cell in the same row and column. The setup server distributes to the sensor the coordinates of the home cell and the polynomial shares of the home cell and its neighboring cell. For example, for a sensor U _u  in the cell with coordinate (r^′,c^′), the polynomial shares $f_{r^{\prime }-1,c^{\prime }}(u,y),f_{r^{\prime },c^{\prime }-1}(u,y),f_{r^{\prime }+1,c^{\prime }}(u,y),f_{r^{\prime },c^{\prime }+1}(u,y),f_{r,c}(u,y)$ are given. For direct key establishment, a node broadcasts the coordinates of its home cell. From this coordinate, the destination node finds out the common polynomial that it shares with the broadcasting node if at all. Now, the common key can be calculated using the same method as [5].

In Simonova et al.’s [27] scheme, the number of specialized nodes depends upon the size of the network unlike ours which is constant (=1). The resiliency as given in the graph is much lower compared to our scheme. Also, resiliency in terms of nodes or regions disconnected has not been presented.

Du et al. [21] proposed another key predistribution using deployment knowledge that uses multiple space Blom scheme [4]. Under this scheme, sensors randomly choose keys from a set of different instances of Blom space. Unlike our scheme, this scheme does not guaranty full connectivity.

As we have discussed earlier, the key predistribution scheme of Ruj and Roy in [18] uses deployment knowledge. Similar to our scheme, this scheme uses the Çamptepe and Yener scheme for key predistribution within the same region. This scheme exhibits lower resiliency among the set of agents that provide interregion connectivity as discussed in previous sections. In other words, our scheme offers more resilient interregion connectivity than Ruj and Roy scheme.

Figure 5 shows a pictorial comparison of our scheme with standard schemes that use deployment knowledge. This comparison is based on the values of fraction of total links broken when some nodes get captured. This comparison takes into account all the links in the network which includes the links in compromised nodes as well. The parameters of the different schemes are following:

Graphical comparison of fraction of links disconnected. This comparison is done with respect to the number of nodes compromised for our scheme and the schemes in [18, 20, 21, 23–29, 39, 40].

Full size image

DDHV scheme has parameters k = 200,ω = 11, and τ = 2. LN scheme has parameters k = 200,m = 60, and L = 1; YG scheme has parameters k = 100; ZNR scheme has parameters k = 100; HMMH scheme has parameters k = 200,ω = 27, and τ = 3; SLW scheme has parameters k = 16,p = 11, and m = 4; Ruj-Roy scheme has parameters k = 12. Our scheme has parameters p = 11 and c = 4. The size of the network in DDHV, LN, YG, ZNR, and HMMH is 10,000; for SLW, it is 12,100. It is 16,093 for Ruj-Roy scheme and in our scheme. We simulated the behavior of the key predistribution schemes for random node capture attack. All schemes are implemented identical network. It can be seen in Figure 5 that our scheme offers better performance than similar schemes that make use of deployment knowledge up to a certain limit of the number of nodes captured by the adversary. We used C program for running the simulation.

The reason why our scheme excels in performance can be inferred from Lemma 3 and Proposition 4. Lemma 3 says that in order to compromise the links between any two nodes, the adversary is required to compromise at least c (c is the security parameter) nodes having information from the same key space as the two nodes. However, in most of the other schemes, the same thing can be done by capturing a single node. Again, Proposition 4 says that the probability of existence of a link between a pair of nodes is high even if many nodes are compromised. So, even if the number of captured nodes is high enough, the value of fraction of broken links can be very low in our scheme. This fact is corroborated by the performance of our scheme as shown in Figure 5.

We present a comparative study of communication, storage, and scalability of several schemes in Table 8. This table gives a comparison with respect to communication, storage cost, etc. of our scheme and the schemes in [18, 21, 23–29, 39, 40]. The first column of Table 8 shows the name of the scheme. The second column corresponds to the type of deployment used by the key predistribution scheme. The third column shows the type of nodes in the WSN. There are two types of sensor nodes viz. homogeneous and heterogeneous. All the nodes in a homogeneous network are identical in terms of the resources they possess. However, in heterogeneous networks, there are different types of nodes who mainly differ in the amount of computational resource built inside them. The fourth column shows the communication cost of each key predistribution scheme. When two nodes wish to communicate, they need to exchange some information before a secure communication can start. This information may be their unique identifiers or something else that is required to compute the shared key between them. The storage column gives the amount of memory needed to store the keys a node. Here, N is the number of sensors in the network, and g is the number of groups. The last column says whether the key predistribution scheme is scalable or not. The communication cost of our scheme is O(logN), and the storage overhead is $O\left(N^{\frac{1}{4}}\right)$. Our scheme consumes less amount of memory than other schemes except the DDHV scheme in [20, 21] and the Yu-Guan scheme in [28, 29] that uses constant amount of storage. However, our scheme outperforms both of them in terms of resiliency measure used in the comparison in Figure 5.

In this paper, we have presented a key predistribution scheme for a wireless sensor for a grid-group-based deployment. Here, the entire deployment zone is a square which is divided into a number of smaller squares. Each square is identical in terms of physical area and number of sensor nodes. The sensor nodes belonging to a smaller square form a group among themselves. All the groups contain two types of nodes viz. ordinary and nodes. A node within a group can make direct communication to any other node in the same group or region. Nodes belonging to two different group communicate via special nodes called nodes. These nodes are more resourceful than ordinary nodes in terms of memory, computational power, and energy. We used two types of different key predistribution schemes for this deployment. The ordinary sensor nodes and the node within a group use symmetric design-based key predistribution scheme proposed in [6] for within group communication. The nodes contain two types of keys. It can communicate to other sensor nodes belonging to the same group. Moreover, it can communicate with other nodes by means of a separate key predistribution scheme. Our scheme offers better resiliency than other existing schemes like the most notable scheme by Ruj & Roy [18] and the Zhou et al. scheme in [23]. We have shown that our scheme ensures that there will be high probability of existence of a common unexposed link between two nodes belonging to two different groups even if a considerable number of nodes are compromised by the adversary.

Authors and Affiliations

1. Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata, WB, 700108, India

   Samiran Bag & Bimal Roy

Corresponding author

Correspondence to Samiran Bag.

Competing interests

The authors declare that they have no competing interests.

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and permissions