 Research
 Open Access
A new key predistribution scheme for general and gridgroup deployment of wireless sensor networks
 Samiran Bag^{1}Email author and
 Bimal Roy^{1}
https://doi.org/10.1186/168714992013145
© Bag and Roy; licensee Springer. 2013
 Received: 16 October 2012
 Accepted: 16 May 2013
 Published: 30 May 2013
Abstract
Key predistribution for wireless sensor networks has been a challenging field of research because stringent resource constraints make the key predistribution schemes difficult to implement. Despite this, key predistribution scheme is regarded as the best option for key management in wireless sensor networks. Here, the authors have proposed a new key predistribution scheme. This scheme exhibits better performance than existing schemes of its kind. Moreover, our scheme ensures constant time of key establishment between two nodes. We provide some bounds on the resiliency of this scheme.
Next, we use this new key predistribution scheme in a gridgroup deployment of sensor nodes. The entire deployment zone is broken into square regions. The sensor nodes falling within a single square region can communicate directly. Sensor nodes belonging to different square regions can communicate by means of special nodes deployed in each of the square region. We measure the resiliency in terms of fraction of links disconnected as well as fraction of nodes and regions disconnected. We show that our key predistribution scheme when applied to gridgroup deployment performs better than standard models in existence.
Keywords
 Sensor Node
 Wireless Sensor Network
 Security Parameter
 Node Capture
 Transversal Design
1 Introduction
Key predistribution in wireless sensor networks has attracted attention of researchers for a decade. Key predistribution schemes are classified into two groups viz. probabilistic key predistribution and deterministic key predistribution. In probabilistic key predistribution scheme, as the name implies, the keys are randomly drawn from a large pool of keys and are placed into the individual sensor nodes. This scheme does not ensure full connectivity between nodes. However, due to this scheme’s randomness, it does ensure resiliency against selective node capture attack. Some probabilistic schemes can be found in [1–3]. The main disadvantage of probabilistic key predistribution schemes are that they do not ensure full connectivity between each and every pair of nodes. On the other hand, in deterministic key predistribution scheme, a deterministic method is employed to load the keys into the sensor nodes. This scheme may or may not offer full connectivity between every pair of nodes of the Wireless Sensor Network (WSN). Several deterministic key predistribution schemes have been proposed by researchers. Blom [4] proposed a scheme for key for pairwise key establishment in a group of users. This scheme, though primarily not intended for WSNs, was later used for key establishment in WSN. A symmetric polynomialbased scheme was proposed by Blundo et al. in [5]. Key predistribution schemes based on combinatorial design can be found in [6–12].
Combinatorial designs have been extensively used in deterministic key management. Mitchel and Piper [13] first used this in key distribution. In combinatorial designbased key distribution, a set system is used. The elements of the set system are regarded as the keys. A block is regarded as the key ring of a node. Çamptepe and Yener [6, 7] were first to use combinatorial designs for key predistribution in sensor networks. They used projective geometry and generalized quadrangles. Lee and Stinson [8, 9] used transversal designs for key distribution. Chakrabarti et al. [11] proposed a hybrid key predistribution scheme by randomly merging the blocks of the transversal design proposed by Lee and Stinson. Their merging technique enhances the resiliency of the key predistribution scheme of Lee and Stinson. Three designs were used by Dong et al. [14]. They also proposed a class of key predistribution scheme based on orthogonal array [15]. Blackburn et al. [16] proposed Costas arrays and distinct difference configuration. Product construction was used by [17]. The scheme is based on the product of key distribution scheme and set systems. They deduce the conditions of the set systems that provide optimum connectivity and resiliency of the network. Ruj and Roy proposed several schemes using partially balanced design, transversal design, and ReedSolomon codes [10, 18, 19].
Key predistribution in wireless sensor networks using deployment knowledge was first studied by Liu and Ning [3]. They proposed two predistribution schemes both of which took advantage of the deployment knowledge of sensor nodes. The first scheme called the closest pairwise scheme was a modification of the pairwise key predistribution scheme. The second predistribution scheme uses the polynomialbased key predistribution scheme of Blundo et al. [5].
Several research works followed, e.g., [18, 20–27]. In Du et al. scheme [20, 21], the sensors are deployed in groups at a single point of deployment. The probability density function of the ultimate position of all sensors in a group are the same. They used multiple space Blom scheme [4] for key predistribution.
Yu and Guan [28, 29] studied key predistribution schemes using deployment knowledge and compared the effect of deployment on triangular, hexagonal, and square grids. Huang et al. [24, 25] proposed a gridgroupbased key predistribution scheme. These schemes are perfectly secure to selective and random node capture attack. Here, the deployment area is divided into smaller rectangular zones of the same size. Every rectangular area contains equal number of sensors deployed uniformly in that zone. The keys in the sensors are deployed following multiple space Blom scheme similar to Du et al. scheme [20]. Each sensor node chooses keys from two key spaces such that no more than c sensors are chosen from the same key space, thus eliminating the possibility of node capture attacks. In [23], Zhou et al. discussed a key predistribution scheme where sensor nodes are mobile. There are static sensor which are deployed in groups. There are mobile collectors which are used to collect and aggregate sensor data and forward to the base station. The mobility of collectors enhance the data consistency.
Ruj and Roy [18] proposed a key predistribution for gridgroupbased deployment. In this scheme, the deployment area is divided into smaller square regions. There are n^{2} such smaller regions. There are two types of nodes viz. common nodes and agents. Their scheme offers full connectivity between the set of agents of the regions within the communication range.
Bag proposed a key predistribution scheme using the deployment knowledge in [30]. Here, the author considered a threedimensional deployment zone where the sensor nodes are deployed not only along the length and breadth of the deployment zone but also along the height of the deployment zone.
In this paper, we propose a key predistribution scheme for homogeneous wireless sensor networks using the scheme of Blom [4] as well as symmetric balanced incomplete block design (SBIBD). The main advantage of using this scheme for key predistribution is that for this scheme, the adversary needs to capture large number of nodes in order to compromise all the keys in an uncompromised node. In other words, in order to disconnect an uncaptured node from all other nodes, the adversary needs to capture many more nodes than the other standard schemes.
Then, we use this new key predistribution scheme in a gridgroup deployment of sensor nodes. A gridgroup deployment refers to such a deployment where the entire deployment zone is broken into smaller twodimensional square regions giving rise to an n × n gridgroup structure. Equal number of sensor nodes are deployed in each of the smaller square regions of the deployment zone. Sensor nodes deployed inside one smaller square region forms a group. Sensor nodes within the same group communicate more frequently than a pair of nodes falling in two different groups. This is driven by the fact that sensor nodes in proximity to each other communicate more frequently than distant nodes. Sensor nodes deployed in this fashion grid form a heterogeneous network. This type of deployment scheme is applied in battlefields where sensors belonging to a compromised zone need to be completely disconnected from the rest of the network. Because if an adversary compromises an area, all the sensor nodes deployed in that area are considered to be captured.
This type of deployment is proposed by Liu and Ning [3, 22]. There are two types of sensor nodes in this heterogeneous network. They mainly differ in resource. One type of nodes have a low amount of storage capacity, power, and computational power, and the other type of nodes are richer in the amount of computational resources that they posses. We shall use the name ‘supernode’ for the nodes which are more powerful than common nodes. Common sensors belonging to one region contain a set of keys that are completely disjoint from the sensors in some other region. This ensures that even if one region is totally disconnected, the other regions are not affected. For each sensor node, the keys are preloaded in such a way that all the nodes belonging to a particular square region (group) can communicate with each other directly. Sensor nodes belonging to different square regions (group) communicate through two or more supernodes.
Our general key predistribution scheme offers better resiliency than the schemes in [4, 6, 7]. For example, in key predistribution scheme by Blom [4], the adversary can compromise all the keys of the entire WSN merely by capturing c nodes, where c is the security parameter of the design. However, in our scheme, the adversary can only compromise few links by capturing c nodes. Our scheme also offers better resiliency than [6, 7] in terms of the number of links that get exposed when some nodes are compromised. In both key predistribution schemes based on symmetric BIBD and generalized quadrangles in [6, 7], the attacker can compromise many key links between pairs of uncaptured nodes by capturing a single node. However, in our scheme, the attacker needs to capture multiple nodes for compromising the key links between some pairs of nodes. We have compared our scheme with [18] and other similar schemes on the basis of fraction of links that gets exposed when some nodes get captured by the adversary. This is a wellknown measure of the resiliency of a key predistribution scheme. Our scheme is shown to exhibit the best performance as far as the resiliency is concerned. The scheme of Ruj and Roy in [18] uses three times the number of supernodes we use in our scheme for full connectivity. Our scheme offers better resiliency using less number of supernodes.
2 Preliminaries
Table of notations
Notations  

X  The set of varieties of the design 
$\mathcal{A}$  The set of blocks of the design 
x_{1},…,x_{ v }  The varieties of X 
B_{1},…,B_{ b }  Blocks of $\mathcal{A}$ 
G F(q)  The finite field of q elements 
α  The primitive element of G F(q) 
G  A c×r matrix as defined below 
t  The total number of nodes in deployment 
p  A prime power where t ≤ p^{2} + p + 1 
$\mathcal{N}$  The set of nodes in deployment 
f  One to one map $\mathcal{N}\to \mathcal{A}$ 
D _{ i }  c×c symmetric matrices over G F(q) for i = 1,2,…,v 
2.1 Combinatorial design
 1.
X = v.
 2.
$\left\mathcal{A}\right=b$.
 3.
$\forall B\in \mathcal{A},\leftB\right=k$.
 4.
$\forall x\in X,\left\right\{B:B\in \mathcal{A},x\in B\left\}\right=r$.
 5.
$\forall x,y\in X,x\ne y,\left\right\{B:B\in \mathcal{A},\phantom{\rule{2.77626pt}{0ex}}x,y\in B\left\}\right=\lambda $.
A (v, b, r, k, λ)BIBD, where v = b is called a symmetric BIBD or SBIBD. It can be shown that in a symmetric BIBD, k = r[31].
A (n^{2} + n + 1,n + 1,1)BIBD with n ≥ 2 is called a projective plane of order n. It can be proven (Theorem 2.10, [31]) that for every prime power q ≥ 2, there exists a symmetric (q^{2} + q + 1,q + 1,1)BIBD i.e., a projective plane of order q.
2.1.1 Construction of SBIBD
Çamptepe and Yener used mutually orthogonal Latin squares in constructing the key predistribution scheme of [6]. Another construction of the same scheme can be found in [32]. Let V_{3}(q) be the set of a threedimensional vector space over a finite field F_{ q } of q elements. A projective geometry P G(2, q) over a finite field F_{ q } is defined like the following:

The points are given by the onedimensional subspaces of V_{3}(q).

The lines are given by the twodimensional subspaces of V_{3}(q).

A point belongs to a line if the corresponding onedimensional subspace of the point is contained in the twodimensional subspace corresponding to the line.

Two lines are incident to each other iff the intersection of the corresponding twodimensional subspaces of them is a nonempty onedimensional subspace.
It can be shown that there are (q^{3}  1) / (q  1) or q^{2} + q + 1 number of distinct subspaces of dimension one of V_{3}(q) [32]. Similarly, the number of distinct subspaces of dimension two of V_{3}(q) is also q^{2} + q + 1. Each twodimensional subspace contains q + 1 distinct onedimensional subspaces. The intersection of twodimensional subspaces is a onedimensional subspace of V_{3}(q). So, the number of points and lines in P G(2, q) is q^{2} +q + 1. Every line contains q + 1 number of points. So, taking points as varieties and lines as block P G(2, q) is a symmetric (q^{2} + q + 1,q + 1,1) BIBD.
Since the lines of P G(2, q) are twodimensional subspaces of V_{3}(q), we can represent each block by the basis of the subspaces they correspond to. The basis of a twodimensional subspace of V_{3}(q) contains exactly two elements. So, each block in P G(2, q) will be identified by two elements of V_{3}(q).
Similarly, the points of P G(2, q) are onedimensional subspaces of V_{3}(q). So, every variety of (q^{2} + q + 1,q + 1,1) SBIBD can be represented by the basis of the onedimensional subspace it belongs to.
It can be shown that each element of $\mathcal{S}$ is a basis of a distinct onedimensional subspace of V_{3}(q). Throughout this article, we shall represent the q^{2} + q + 1 number of varieties of the (q^{2} + q + 1,q + 1,1) SBIBD by the elements of $\mathcal{S}$.
2.1.2 Shared variety discovery of (q^{2} + q + 1,q + 1, 1) SBIBD
Any two blocks of a symmetric (q^{2} + q + 1, q + 1, 1) BIBD do share one and unique variety. Given a (q^{2} + q + 1, q + 1, 1) SBIBD, Algorithm 1 finds the common variety of two blocks of the design. This algorithm uses the basis of the nullspace of A.x = 0. This basis can be computed using GaussJordan elimination method [33, 34] in a constant time. Therefore, the runtime of Algorithm 1 is O(1).
Algorithm 1 Computing the shared variety between two blocks of (q^{2} + q + 1,q + 1,1) SBIBD
2.2 Key predistribution using combinatorial design

Let $\mathcal{K}$ be a set of v keys.

$\mathcal{N}$ be a set of b nodes in the WSN.

Let $\mathcal{A}=\{{B}_{1},{B}_{2},\dots ,{B}_{b}\}$ be the blocks of the design.

Let $f:\mathcal{K}\to X$ be a map and $g:\mathcal{N}\to \mathcal{A}$ be another map.

For each ${B}_{i}\in \mathcal{A},i=1,2,\dots ,b$ and ∀ a_{ j } ∈ X,j = 1,2,…,v if a_{ j } ∈ B_{ i } and both f^{1}(a_{ j }) and g^{1}(B_{ i }) exist, load key f(a_{ j }) into node g(B_{ i }).
In plain language, what we do here is to use varieties as keys and blocks as node. A node corresponding to a block contains all the keys corresponding to the varieties that the particular block contains. Two nodes will have a common key if and only if the corresponding blocks do share at least one common variety. Again, the number of keys in a node will be equal to the number of varieties in a block that corresponds to the node.
2.3 Blom’s scheme
Blom [4] proposed a scheme for key predistribution where the members of a group can establish pairwise keys. Let N be the size of the network. The distribution server first chooses a c × N matrix G over a finite field G F(q). The matrix G is considered to be a public information. Now, the distribution server constructs a c × c symmetric matrix D over G F(q). This matrix is a private information of the system. Now, the server computes the c × N matrix A, where A = (D G)^{ T }, T being the transposition operator. Now, A G = (D G)^{ T }G = G^{ T }D^{ T }G = G^{ T }D G = G^{ T }A^{ T } = (A G)^{ T }.
Thus, AG is a symmetric matrix. Let K = A G, we know that K_{ i j } = K_{ j i }, where K_{ i j } is the element in K located in the i th row and j th column. K_{ i j } (or K_{ j i }) is the pairwise key between node U_{ i } and node U_{ j }. To carry out the above computation, nodes U_{ i } and U_{ j } should be able to compute K_{ i j } and K_{ j i }, respectively. This can be easily achieved using the following key predistribution scheme, for w = 1,2,…,N,

Store the w th row of matrix A in node U_{ w }.

Store the w th column of matrix G in node U_{ w }.
Now, if two nodes (say U_{ x } and U_{ y }) want to communicate, they need to establish a common key. Node U_{ x } has row x of A and column x of G. Node U_{ y } has row y of A and column y of G. Now, they can establish a pairwise key this way:

Node U_{ x } and U_{ y } exchange column x and column y of matrix G, respectively.

Node U_{ x } calculates K_{ x y } = (row x of A). (column y of G).

Node U_{ y } calculates K_{ y x } = (row y of A). (column x of G).
The matrix G is a public information. Therefore, the rows of G could be sent without encryption. Since K is a symmetric matrix, K_{ x y } = K_{ y x }. Hence, K_{ x y } can be used as the common key between the two nodes.
2.3.1 csecure property
It has been proved that the above scheme is csecure [4], i.e., if any c + 1 columns of G are linearly independent; then, no member other than U_{ x } and U_{ y } can compute K_{ x y } or K_{ y x } if no more than c members are compromised.
2.3.2 A construction for matrix G
We note that any c + 1 columns of G[35] must be linearly independent in order to achieve the csecure property. Let α be a primitive element of a finite field G F(q) where q is a prime power.
It is well known that α^{ i } ≠ α^{ j } if i ≠ j (this is a property of primitive elements). Since G is a Vandermonde matrix, it can be shown that any c + 1 columns of G are linearly independent when α, α^{2}, α^{3}, …, α^{ N } are all distinct. In practice, G can be generated by the primitive element α of G F(q). Therefore, the w th column of G is stored at node U_{ w }; it is only required to store the seed α^{ w }, and any node can regenerate the column given the seed.
2.4 Threat model
Wireless sensor nodes are deployed in unattended environment often in an area under the control of adversaries. Thus, the sensor nodes that gather and communicate sensitive information are vulnerable to attacks. An active adversary can physically capture a number of nodes, and it can get to know the stored keys into them. These keys can thereafter be used by the adversary to decrypt messages communicated across sensor nodes. We shall discuss two types of attacks to our proposed scheme.
2.4.1 Random node capture
In this type of attack, the adversary randomly captures nodes from the deployment zone and exposes the keys loaded into them.
2.4.2 Selective node capture
This attack was first introduced in [37]. An active attacker is in attempt to obtain a set T of keys. For achieving this, the attacker is compromising sensor nodes. It has already obtained a set of keys S this way, where S ⊂ T. For each node s in the WSN, the random variable G(s) is equal to the number of keys belonging to T ∖ S; the attacker gains by compromising s nodes. At each step of the attack sequence, the next sensor to be tampered with is sensor s, where s maximizes E[G(s)I(s)], the expectation of the key information gain G(s) given the information I(s) that the attacker knows on sensor s’s key ring.
3 Proposed scheme
3.1 Key predistribution in the group
Here, our aim is to design a key predistribution scheme for a sensor network consisting $\mathcal{N}$ nodes where $\mathcal{N}\le {p}^{2}+p+1$ where p is a prime number.
We use the scheme in [6, 7] by Çamtepe and Yener and Blom’s scheme [4]. This scheme is based on symmetric design (Section 2). They used a symmetric (p^{2} + p + 1,p + 1,1) design to build a key predistribution scheme for WSN.
We shall be using a (p^{2} + p + 1,p + 1,1) symmetric balanced incomplete block design $(X,\mathcal{A})$. Here, X = {x_{1},x_{2},…,x_{ v }},v = p^{2} + p + 1. $\mathcal{A}=\{B:B=\{{x}_{{j}_{1}},{x}_{{j}_{2}},\dots ,{x}_{{j}_{p+1}}\},{j}_{1},{j}_{2},\dots ,{j}_{p+1}\in \{1,2,\dots ,v\},{j}_{m}\ne {j}_{n},1\le m,n\le p+1\}$. $\left\mathcal{A}\right={p}^{2}+p+1$. Here, B_{ i }s are the individual blocks for all i ∈ {1,2,…,p^{2} + p + 1}. B_{ i } = p + 1,∀ i ∈ {1,2,…,p^{2} + p + 1}.
3.1.1 The scheme
Definition 1
For any node ${n}_{i}\in \mathcal{N}$, and a variety x_{ l } ∈ X and a block ${B}_{d}\in \mathcal{A}$, P O S(B_{ d }, x_{ l }) is an integer taking values from the set {1, 2, …, k}, where f(n_{ i }) = B_{ d } and x_{ l } ∈B_{ d }. The node n_{ i } stores the values of P O S(B_{ d }, x_{ l }), ∀ x_{ l } ∈ B_{ d }.
Since, $\left{B}_{d}\right=k,\forall {B}_{d}\in \mathcal{A}$, so each node stores k number of P O S (∗,∗) values.
Definition 2
f is a onetoone map from the set of nodes of the sensor network to the blocks of the symmetric (p^{2} + p + 1,p + 1,1) design. In addition to that, we assume that f^{1} can be computed in constant time.
It can be noted that the nodes can be identified by the identifier of the blocks they correspond to. Therefore, one example of the function f is the identity mapping if $\mathcal{N}\subseteq \mathcal{A}$.
Algorithm 2 maps a (v, b, r, k, λ) design $(X,\mathcal{A})$ of Section 2.1 into a key predistribution scheme. Let $\mathcal{N}=\{{n}_{1},{n}_{2},\dots ,{n}_{t}\}$ be the set of nodes in the WSN. We can design a key predistribution in these nodes using Algorithm 2 and taking v = b = p^{2} + p + 1,r = p + 1. In Algorithm 2, we take v = p^{2} + p + 1 many different key spaces of the Blom scheme [4]. We compute one c × r public matrix G and a set of v many c × c secret symmetric matrix D_{ i },i ∈ {1,2,…,v}. Thus, we can compute v many A matrices like this : ${A}_{i}={\left({D}_{i}\u0120\right)}^{T}$. Hence, there are v many distinct key spaces of Blom scheme. Now, we can have a key distribution scheme by considering each of the v key space as a variety of the (p^{2} + p + 1,p + 1,1) SBIBD, where each block of the SBIBD corresponds to a node of the WSN. Since a block of a (p^{2} + p + 1,p + 1,1) SBIBD contains p + 1 many varieties, every node will have its key share from exactly p + 1 many key spaces.
Algorithm 2 Algorithm for key predistribution in nodes
3.1.2 Memory requirement
It is easy to see that one node n_{ h } contains one row from each matrix of the set M_{ h } where M_{ h } ⊂ {A_{1},A_{2},…,A_{ v }} where M_{ h } = k. The dimension of each row is c. Also, the node contains row 2 of matrix G which is (α,α^{2},…,α^{ r }). It can be seen that for (p^{2} + p + 1,p + 1,1) SBIBD r = k. Again, a node n_{ i } stores P O S(f(n_{ i }),x_{ i }) for $i\in \mathbb{V},\mathbb{V}\subset \{1,2,\dots ,v\},\left\mathbb{V}\right=k$. So, the overhead on each node is O(k c + r + k). For most of the cases, c is a small constant. In this design k = p + 1. Therefore, the memory overhead is O(p) or $O\left(\sqrt{\left\mathcal{N}\right}\right)$.
3.1.3 Shared key discovery between two nodes
Two nodes wishing to communicate securely need to agree upon a secret key. In the scheme discussed in Section 3.1.1, any two nodes can surely compute a shared key. We provide an algorithm that takes all arguments of Algorithm 2 and finds a shared key between two nodes. In addition, the algorithm takes two nodes as input and finds a common key shared by both of them.
The most costly computation of Algorithm 3 is at step 3. This step reduces in finding all the blocks of a design that contains a particular variety. This can be found using a different construction of symmetric BIBD as discussed in Section 8.4 of [32].
Algorithm 3 Algorithm to compute common key between noden_{ i } ann_{ j }
3.1.3.0 Time complexity of Algorithm 3
The first step reduces in inverting the node ids. We assumed that f is invertible in constant time. So, the first step can be done in time O(1). The second step computes a common variety belonging to two different blocks in the design used in Algorithm 2. Note that in a (p^{2} + p + 1,p + 1,1)SBIBD, any two blocks will share a unique common variety. Computing such a variety in a (p^{2} + p + 1,p + 1,1)SBIBD is equivalent to computing a basis of the intersection of twodimensional subspaces. This can be done in constant time using the Algorithm 1. The third step is a lookup of memory and is, too, of time complexity O(1) if the items are stored in an indexed table. In the fourth step, the w th column of matrix G is calculated which is given by (1,α^{ w },(α^{ w })^{2},(α^{ w })^{3},…,(α^{ w })^{c1})^{′}. Since the nodes store α^{ i } for each i = 1,2,3,…,r and c is a constant, so computing the w th column of matrix G requires O(1) computation. Finally, the fifth step can also be done in constant time since the vectors are of constant dimension. Therefore, the overall runtime of Algorithm 3 is O(1).
Note that node n_{ i } stores the value u = P O S(B_{ y },x_{ m }) in the Algorithm 3, and node n_{ j } stores the value of w = P O S(B_{ z },x_{ m }). However, for computing the shared key, both the nodes need the values of u and w. So, the two nodes must exchange the values of u and w which will incur an additional communication cost of O(1). To avoid this, every node can store the values of P O S(∗,∗) for other nodes. For example node n_{ i }=f^{1}(B_{ y }) needs to store the values of $\mathit{\text{POS}}({B}_{e},{x}_{l}):1\le e\le v,e\ne y,{x}_{l}={B}_{e}\bigcap {B}_{y}$. This will require a memory overhead of $O\left(\mathcal{N}\right)$.
3.2 Proof of correctness of algorithms
Here, we establish the correctness of Algorithm 2 and Algorithm 3. It will be sufficient to show that after deployment, a pair of distinct nodes n_{ i } and n_{ j },1 ≤ i,j ≤ v will be able to compute their common key ${K}_{{n}_{i}{n}_{j}}={K}_{{n}_{j}{n}_{i}}$ using the shared key discovery method of Algorithm 3. According to Algorithm 3, both node n_{ i } and node n_{ j } will compute the blocks B_{ y } = f(n_{ i }) and B_{ z } = f(n_{ j }). Now, they can find the common element ${x}_{m}\in {B}_{y}\bigcap {B}_{z}:1\le m\le v$ using Algorithm 1. Now, node n_{ i } will compute u = P O S(B_{ y },x_{ m }). Similarly, node n_{ j } will calculate w = P O S(B_{ z },x_{ m }). Node n_{ i } and n_{ j } will exchange the values u and v. Node n_{ i } will compute the w th column of matrix G from (α,α^{2},…,α^{ r }) stored in it. Similarly, node n_{ j } will calculate the u th column of matrix G from (α,α^{2},α^{ r }) stored in it. From Algorithm 1, we can see that node n_{ i } and n_{ j } have got the u th and w th row of matrix A_{ m } = (D_{ m }.G)^{ T }. Hence, node n_{ i } can compute K_{ u w } = (u th row of matrix A_{ m }).(w th column of matrix G. Node n_{ j } will compute K_{ w u } = (w th row of matrix A_{ m }).(u th column of matrix G in a similar way. Since A_{ m }.G is a symmetric matrix, ${K}_{\mathit{\text{uw}}}={K}_{\mathit{\text{wu}}}={K}_{{n}_{i}{n}_{j}}$. Hence, the two nodes will end up computing the same key using Algorithm 3. Therefore, the Algorithm 2 and 3 are correct. It can be noted that any row of matrix A_{ k },1 ≤ k ≤ v is contained only in exactly one node according to Algorithm 2. So, only node n_{ i } contains the u th row of A_{ m } and only node n_{ j } contains the w th row of A_{ m }. Hence, no other node can compute the common key ${K}_{{n}_{i}{n}_{j}}$.
4 Performance analysis of proposed scheme
In this section, we shall investigate the security aspects of the proposed scheme. As discussed in Section 1, sensor nodes are deployed in unattended environment often in area controlled by an adversary. So, an active adversary can compromise one or more sensor nodes of the deployment zone. If the sensor nodes are not tamper proof, the adversary can extract sensitive information from the set of sensor nodes compromised by the adversary and can use those informations to overhear the conversation between active sensor nodes.
Lemma 3
For the proposed scheme, let S be the set of compromised sensor nodes. Let, f(S) = {f(n):n∈S}. Two uncompromised nodes n_{1} and n_{2} will have an uncompromised link between them if and only if {B:B ∈ f(S)&x∈B} ≤ c1, where x = B_{1} ∩ B_{2} and f(n_{1}) = B_{1},f(n_{2}) = B_{2}.
Proof
Follows from the fact that c is the security parameter of the scheme in Section 2.3.
Let, x = x_{ κ }, where κ ∈ {1,2,…,v}. Then by Algorithm 2 and 2.3, it can be said that if the matrix A_{ κ } can be compromised, then the common key between node n_{1} and n_{2} can be computed. This can only be possible if and only if any c number of rows of the matrix A_{ κ } are compromised. Let $\psi =\{n:n\in \mathcal{N}\&{x}_{\kappa}\in f(n\left)\right\}$. Hence, the nodes in ψ contain one distinct row of A_{ κ } each. So, successful computation of the shared key is possible if and only if S ∩ ψ ≥ c. In other words, the common key between the two nodes n_{1} and n_{2} will remain active if and only if {B:B ∈ f(S)&x ∈ B} ≤ c1. □
Proposition 4
Let the total number of nodes be N and the security parameter be c. If s number of nodes are compromised and s ≥ c, the probability that two uncompromised nodes will have an uncompromised link is given by $\frac{\sum _{e=0}^{c1}\left(\genfrac{}{}{0ex}{}{k2}{e}\right)\left(\genfrac{}{}{0ex}{}{Nk}{se}\right)}{\left(\genfrac{}{}{0ex}{}{N2}{s}\right)}$.
Proof
. $\therefore P\left(C\right)=\sum _{e=0}^{c1}P\left(\right\{B:B\in f(\mathbf{S})\&{x}_{i}\in B,{n}_{1},{n}_{2}\notin S\}=e)=\frac{\sum _{e=0}^{c1}\left(\genfrac{}{}{0ex}{}{k2}{e}\right)\left(\genfrac{}{}{0ex}{}{Nk}{se}\right)}{\left(\genfrac{}{}{0ex}{}{N2}{s}\right)}$. □
Probability of existence of an active link between two uncompromised nodes in our scheme for different parameters
p  c  s  Probability of existence of link 

37  4  34  0.998651 
37  4  77  0.869753 
47  4  77  0.930515 
61  4  89  0.948484 
67  5  89  0.991089 
67  4  128  0.886519 
61  5  110  0.970800 
71  5  223  0.810936 
4.1 Performance analysis in terms of known measures
We shall analyze the performance of our scheme in terms of two wellknown measures viz. E(s) and V(s). These are the standard measures used for evaluating the resiliency of any key predistribution scheme.
Definition 5
E(s) is defined to be the ratio of the number of links exposed in the network when s number of nodes are compromised to the number of links present in the network before s number of nodes were compromised.
Let, L be the total number of links in a network and l be the number of links exposed after s number of nodes are compromised.
Here, we will consider only the resiliency of the subnetwork consisting of nodes. E(s) is the measure that shows the performance of the scheme in terms of it’s resiliency against node captures. As defined above, E(s) is the measure that shows the fraction of links that gets exposed when s number of nodes get compromised. So, the lesser the value of E(s) is, the more resilient is the scheme to node capture attack.
Let$\phi \left(\mathbf{S}\right)=\frac{\sum _{i=1}^{t}\sum _{\begin{array}{c}j=1\\ j\ne i\end{array}}^{t}\mathit{\text{LNK}}({n}_{i},{n}_{j})}{t(t1)}$Hence, E(s) = E X P(φ(S)), where E X P() is the expectation operator.
Theorem 6
For our scheme with p^{2} + p + 1 many nodes, $E\left(s\right)\le \frac{c}{{p}^{2}+p+1}$ for$s\le \frac{c(c+1)}{2}$
Proof
The total number of nodes is p^{2} + p + 1. That makes the number of links equal to $\left(\genfrac{}{}{0ex}{}{{p}^{2}+p+1}{2}\right)$.
We take the attacker’s point of view who would try to expose more links through compromising as less number of nodes as possible. In our design, a link can be exposed only if at least c number of nodes are compromised that contain one row of matrix A_{ h }, each for some h ∈ {1,2,…,v}. If c number of rows are compromised, then the attacker would be able to reconstruct the matrix A_{ h }. Since A is a (p + 1) × c, the attacker would be able to compute the common keys between $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ pair of nodes or in other words $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ links would get exposed. Let, n_{0},n_{1},…,n_{ p } be p + 1nodes such that ${x}_{i}={\cap}_{j=0}^{p}f\left({n}_{j}\right)$ for any x_{ i } ∈ X,i ∈ {1,2,…,v}. If any c of the nodes n_{0},n_{1},…,n_{ p } is compromised by the adversary, then we would be able to reconstruct matrix A_{ i } and hence, the links between nodes n_{0},n_{1},…,n_{ p } will get exposed. So, the total number of exposed links will be $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$. Let the set of nodes compromised by the advisor for obtaining A_{ i } be S. Hence, S≥c. Since, the attacker’s intention is to compromise as less number of nodes as possible, we can say, S = c. Again, the attacker would attempt to expose another set of $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ links by compromising more nodes. The attacker can do this through compromising another matrix A_{ j },j ≠ h,j ∈ {1,2,…,v}. This time, the attacker needs to compromise c1 nodes. First, an attacker selects a j ≠ h such that a node in S does contain a row A_{ j }. Choosing such a j will ensure that the attacker will have to compromise c1 more nodes. It can be proved that for any j ≠ h, there is at most one node in S that contains a row of matrix A_{ j }. So, the attacker would require to compromise c1 additional nodes for exposing $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ links. This way, it can be proved that the attacker would require to compromise c2 nodes for exposing the next set of $\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ number of links and so on. This way, the attacker can compromise $c\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)$ number of links by capturing c + (c  1) + (c  2) + … + 1 nodes or $\frac{c(c+1)}{2}$ nodes.
Hence, for $s\le \frac{c(c+1)}{2},E\left(s\right)\le c\left(\genfrac{}{}{0ex}{}{p+1}{2}\right)/\left(\genfrac{}{}{0ex}{}{{p}^{2}+p+1}{2}\right)$ or, $E\left(s\right)\le \frac{c}{{p}^{2}+p+1}$. □
Theorem 6 gives an upper bound of the extent of damage that occurs to the subnetwork consisting of nodes. Since p^{2} + p + 1 > > c, so E(s) is very close to zero or, in other words, the number of links that get exposed is small when less than $\frac{c(c+1)}{2}$ number of nodes are captured.
Lemma 7
If a set of S sensor nodes get captured, then a node n_{ i } ∉ S will get disconnected from the rest of the network if and only if ∀ x ∈ f(n_{ i }), {B:B ∈ f(S),x ∈ B} ≥ c.
Proof
The proof follows from Lemma 3 and the c security property. □
Definition 8
V(s) is the fraction of nodes that get disconnected from the rest of the networks. Let m be the number of uncompromised nodes that get disconnected from the rest of the network of size N when s nodes are compromised, then $V\left(s\right)=\frac{m}{Nsm}$.
Theorem 9
V(s) = 0, ∀ s < (p + 1)c.
Proof
Let the attacker wants to disconnect a particular node n_{ i },i ∈ {1,2,…,v} from the rest of the network. Let, S be the minimal set of nodes that the attacker needs to capture for disconnecting the first (uncompromised) node from the rest of the network. Let B_{ j } = f(n_{ i }),j ∈ {1,2,…,v}. Hence, B_{ j } ∈ X. Let, {x_{1},x_{2},…,x_{p + 1}} = B_{ j }. Let ∀ k ∈ {1,2,…,p + 1},C_{ k } = {B:B ∈ f(S)&x_{ k } ∈ B}. It can be seen that $f\left(S\right)={\cup}_{k=1}^{p+1}{C}_{k}$.
We claim that ${C}_{k}\cap {C}_{k}^{\prime}=\varphi ,k\ne {k}^{\prime},1\le k,{k}^{\prime}\le p+1$. If not, then suppose there exists a block B_{ m } ∈ C_{ k } ∩ C k ′. Hence, ${x}_{k},{x}_{k}^{\prime}\in {B}_{m}$. So, B_{ m } ∩ B_{ j } ≥ 2. This is not possible since the design we used is a symmetric (p^{2} + p + 1,p + 1,1) design. So our assumption is wrong.
From the csecurity property, we can say that C_{ k } = c ∀ k ∈ {1,2,…,p + 1}. Hence, f(S) = S = (p + 1)c. Hence the result. □
4.2 Comparative study of the scheme
Here, we compare the resiliency of our proposed scheme with other existing schemes. Some wellknown standard schemes are the basic scheme of Eschenauer and Gligor [1], Lee and Stinson’s quadratic and linear scheme based on transversal design in [8, 9, 38], Çamptepe and Yener’s scheme in [7], the scheme of Chakrabarti et al. [11], and partially balanced incomplete block design based scheme by Ruj and Roy in [10].
The scheme of Eschenauer and Gligor in [1] is a probabilistic key predistribution scheme. This scheme uses a pool of keys. Keys are drawn randomly from the key pool with replacement and are placed in the sensor nodes. All nodes are loaded with same number of keys. This scheme does not ensure the existence of a common key between a pair of nodes. This scheme is known as the basic scheme.
 1.
X = {(x,y):0 ≤ x < k,0 ≤ y < r}.
 3.
A = {A _{i,j}:0 ≤ i < r& 0 ≤ j < r}.
They defined block A_{i,j} by A_{i,j} = (x,x i + j mod r):0 ≤ x < k,0 ≤ i,j < r. Similarly for a quadratic scheme, they defined a block A_{i,j,k} by A_{i,j,k} = (x,x i^{2} + x j + k mod r) : 0 ≤ x < k,0 ≤ i,j < r.
Each block is assigned to a node. So, the linear LeeStinson’s scheme supports r^{2} nodes, and the quadratic scheme supports as many as p^{3} nodes.
Çamtepe and Yener used symmetric balanced incomplete block design in [7]. A SBIBD is a (p^{2} + p + 1,p + 1,1) design where p is a prime number. They used projective geometry for constructing the SBIBD. This scheme ensures full connectivity between nodes. Each node in this scheme contains p+1 keys, and every key is contained in p + 1 nodes.
Chakrabarti et al. [11] proposed a hybrid key predistribution scheme by merging the blocks in combinatorial designs. They considered the blocks constructed from the transversal design proposed by Lee and Stinson and randomly selected them and merged them to form the sensor nodes. Though this scheme increases the number of the keys per node, it improves the resiliency of the network. The probability that two nodes share a common key is also high. Thus, it has a better connectivity.
Ruj and Roy proposed two schemes for key predistribution in [10]. They used partially balanced incomplete block design. In the first scheme, the number of nodes as well as the number of keys are equal to n(n  1)/2 for some positive integer n. The number of keys in a node is equal to 2(n2). The number of nodes containing the same key is also 2(n  2). They presented another design that augments the size of the network, keeping the same number of keys in each node. The keys in the key pool also remain the same. They showed that network size can be increased in steps, keeping the same number of keys per node. However, to ensure that any pair of nodes can communicate directly, we cannot go on adding nodes in this scheme.
5 New gridgroup deploymentbased design
We shall use our proposed key predistribution scheme in developing a key predistribution scheme for gridgroup deployment. As mentioned earlier in Section 1, a gridgroup deployment refers to such deployment where the entire network is broken into smaller regions called groups. The sensor nodes belonging to one group could be deemed as a miniWSN where the sensors of a certain group communicates among themselves more frequently than with sensors of different groups. We propose a key predistribution scheme for a WSN where the network is divided into a n×n square grid. Each group in this group has got identical number of sensors.
5.1 The scheme
Let p be a prime number. Let $\mathcal{N}\le {p}^{2}+p+1$ be the number of sensors in each group. The groups are denoted by the two tuple $(i,j),0\le i,j\le \mathcal{N}$. We shall denote the nodes of any group (i,j) as ${n}_{\mathit{\text{ij}}}^{l},0\le l\le t1$. We designate one node from each group as a supernode. This supernode has got more amount of resources than ordinary nodes in terms of memory, computational power, battery power, etc. This special node will be used for intergroup communication. The supernode of group (i,j) is denoted by S_{i,j}. It can be noted that a supernode S_{i,j} of any group (i,j) does belong to the set $\{{n}_{\mathit{\text{ij}}}^{l}:0\le l\le t1\}$. If a node ${n}_{i,j}^{\alpha}$ of group (i,j) wants to communicate with node ${n}_{{i}^{\prime},{j}^{\prime}}^{\beta}$ of group (i^{′},j^{′}), then the following steps are taken:

Node ${n}_{i,j}^{\alpha}$ generates a random key $\mathbb{K}$.

Node ${n}_{i,j}^{\alpha}$ send $\mathbb{K}$ to the supernode S_{ i j }.

S_{ i j } passes $\mathbb{K}$ to ${S}_{{i}^{\prime}{j}^{\prime}}$.

${S}_{{i}^{\prime}{j}^{\prime}}$ sends $\mathbb{K}$ to node ${n}_{{i}^{\prime},{j}^{\prime}}^{\beta}$.
Now, the two nodes viz ${n}_{i,j}^{\alpha}$ and ${n}_{{i}^{\prime},{j}^{\prime}}^{\beta}$ can communicate using the key $\mathbb{K}$.
 1.
Any two pair of nodes ${n}_{i,j}^{\alpha}$ and ${n}_{i,j}^{{\alpha}^{\prime}}$ belonging to group (i,j) must be able to communicate securely ∀ α ∈ {0,1,2,…,t1} and 0 ≤ i,j ≤ p1.
 2.
Any pair of supernodes S _{i,j} and ${S}_{{i}^{\prime},{j}^{\prime}}$ belonging to two different groups (i,j) and (i ^{′},j ^{′}) must be able to communicate securely where 0 ≤ i,j,i ^{′},j ^{′} ≤ p1,(i,j) ≠ (i ^{′},j ^{′}).
 1.
Key predistribution for each of the n ^{2} groups is done by using the scheme of Section 3 using exclusive key spaces for all the groups.
 2.
A separate key predistribution using the same scheme of Section 3 is done for all the supernodes belonging to all the groups.
We assume that it is hard to capture a supernode until the entire square region where the supernode is located is compromised. We have assumed that the nodes within the same square region communicate more frequently than the two nodes each belonging to a separate square region. Hence, one supernode per group is sufficient to handle the burden of intergroup communication.
5.2 Resiliency of the network
When it comes to the resiliency of the key predistribution scheme in a gridgroup deployment of the sensor network, there are three types of resiliency:

Intragroup resiliency : resiliency within a certain group.

Resiliency of the interlinks : resiliency in the set of supernodes.

Overall resiliency : resiliency of the entire network.
Within a group, the nodes work as a single WSN. Hence, the resiliency of the key predistribution is same as in Section 4. In this section, we study the resiliency of the interlinks in our key predistribution scheme. Here, too, similar to Section 4, we shall be using the standard measures for evaluating the resiliency of our scheme. The two measures we shall be using are E^{′}(s) and V^{′}(s).
Definition 10
E^{′}(s) is defined to be the fraction of interlinks between groups that get exposed when s number of supernodes are captured by the adversary. In other words, E^{′}(s) is the ratio of the interlinks present in the grid after s many supernodes are captured to the number of interlinks present in the network before s many supernodes are captured.
It can be seen that in our design, all the supernodes have a common key between each other. Hence,$T(i,j)={N}^{2}1\phantom{\rule{56.9055pt}{0ex}}\forall (i,j)\in \mathbb{S}$.
where E X P is the expectation over all $S\subseteq \mathbb{S}$ of size S = s.
Parameters used in comparison of the proposed scheme and the Ruj and Roy scheme in Figure 3
Parameters  RujRoy scheme  Scheme of the 

current study  
Number of square regions  1,369  1,369 
Security parameter    4 
Number of keys per node  13   
Total number of nodes  4,107  1,369 
Definition 11
V^{′}(s) is the fraction of groups that are disconnected from the rest of the groups with respect to the total number of groups when s number of supernodes are captured. In other words V^{′}(s) is the ratio of the number of groups that do not have any link to other groups after the s number of supernodes are captured to the total number of active supernodes present in the network before s many supernodes are captured.
The result proved in Theorem 9 is also applicable for the interlinks between supernodes in different groups. Hence, for our scheme, individual groups do not get disconnected from the rest of the network unless a large number of supernodes get captured.
Parameters used in comparison of the proposed scheme and the Ruj and Roy scheme in Figure 4
Parameters  RujRoy scheme  Scheme of the 

current study  
Number of square regions  1,369  1,369 
Security parameter    5 
Number of keys per node  23   
Total number of nodes  4,107  1,369 
5.3 Overall resiliency
We shall now study the resiliency of the entire network taking into account all the groups, nodes, and supernodes.
We define E^{′′}(s) as a new measure of overall resiliency in the entire network. It is defined to be the weighted average of the fractions of links exposed in every region (i,j),0 ≤ i,j ≤ N  1 as well as the fraction of links exposed among the pair of supernodes when some nodes are compromised by the adversary in the entire network. The weight corresponding to the fraction of exposed links in a region (i,j) is equal to the number of pairs of uncompromised nodes present in that region (i,j). The weight corresponding to the fraction of exposed links between the supernodes are equal to the number of pairs of uncompromised supernodes remaining in the network. We are the first to propose this as a measure of overall resiliency in terms of fraction of links exposed in the entire network. In this measure, we separately compute the values of fraction of links exposed(E(s_{ i j })) in every region (i,j):0 ≤ i,j ≤ N  1. We also measure the value of E(s) among the set of supernodes in the network. Then, we compute the weighted average of all these values of E(s).
Here, we take into account the entire network consisting of all the nodes and supernodes in all the regions. Let S_{ i j } be the number of nodes compromised in group (i,j) and $s=\sum _{i=0}^{N1}\sum _{j=0}^{N1}{s}_{\mathit{\text{ij}}}$. Also, let s_{ g } be the number of supernodes compromised. Hence, 0 ≤ s_{ g } ≤ N^{2}.
Hence, when the number of nodes captured from different groups is fixed, the overall E^{′′}(s) is the weighted average of the value of E(s_{ i j }) of all groups and the group of all supernodes.
Lemma 12
When S_{ i j } number of nodes are compromised in group (i,j),0 ≤ i,j ≤ N  1 then E^{′′}(s) < max 0 ≤ i,j < N(E(s_{ i j })) with a high probability where $s=\sum _{i=0}^{N1}\sum _{j=0}^{N1}{s}_{\mathit{\text{ij}}}$ and s is notsolarge.
Proof
with a high probability, and the result follows from this. □
Corollary 13
When S_{ i j } number of nodes are compromised in group (i,j),0 ≤ i,j ≤ N  1 then ${E}^{\mathrm{\prime \prime}}\left(s\right)<\frac{c}{{p}^{2}+p+1}$ with a high probability where $s=\sum _{i=0}^{N1}\sum _{j=0}^{N1}{s}_{\mathit{\text{ij}}}$ and s is notsolarge and for all $(i,j):0\le i,j<N,{s}_{\mathit{\text{ij}}}\le \frac{1}{2}c(c+1)$.
Proof
Follows directly from Lemma 12 and Theorem 6. □
Corollary 13 gives an upper bound of the numeric value of fraction of links disconnected in the set of all uncompromised nodes of the network.
Definition 14
V^{′′}(s) is defined to be the weighted average of the fractions of nodes disconnected from the rest of the network in a region (i,j) or in the set of supernodes when some nodes get compromised. Here, the weights are proportional to the number of pairs of uncompromised nodes present among the nodes in any region or among the supernodes. We propose and apply this measure for the first time for measuring the resiliency for such deployment of wireless sensor network.
Lemma 15
When S_{ i j } number of nodes are compromised in group (i,j),0 ≤ i,j ≤ N  1 then V^{′′}(s) < max 0 ≤ i,j < N(V(s_{ i j })) with a high probability where $s=\sum _{i=0}^{N1}\sum _{j=0}^{N1}{s}_{\mathit{\text{ij}}}$ and s is not so large.
Proof
The proof is same as Lemma 12. □
Corollary 16
When S_{ i j } number of nodes are compromised in group (i,j),0 ≤ i,j ≤ N  1 then V^{′′}(s) = 0 with a high probability where $s=\sum _{i=0}^{N1}\sum _{j=0}^{N1}{s}_{\mathit{\text{ij}}}$ and s is notsolarge and for all (i,j):0 ≤ i,j < N,s_{ i j } ≤ (p + 1)c.
Proof
Follows immediately from Lemma 15 and Theorem 9. □
Corollary 16 provides a bound for the value of fraction of uncompromised nodes that get totally disconnected from the network.
We have done simulation of the performance of the key predistribution scheme for gridgroup deployment taking E^{′′}(s) and V^{′′}(s) as the measure of the performance in the entire network. In this simulation, we randomly chose/compromised s many nodes from the entire network and then computed the values of E^{′′}(s) and V^{′′}(s) for them. Hence, it is equally probable for every chosen node to belong to a certain region. We measured the values of E^{′′}(s)/V^{′′}(s) for any value of s by repeating the process 100 times and taking averages of the calculated values of the E^{′′}(s)/V^{′′}(s) for this 100 iterations.
Values of E ^{ ′ ′ } ( s ) for different values of s , size of grid and number of nodes in each group
Size of grid  Number of nodes  Number of  Security  s  Value ofE^{ ′ ′ }( s) 

in each group  supernodes  parameter  
13  553  169  4  4,801  0.033041 
14  307  196  4  3,001  0.010839 
15  183  225  4  4,001  0.042171 
18  183  324  4  5,001  0.025552 
11  553  121  4  3,001  0.021120 
15  381  225  3  3,126  0.034396 
18  307  324  3  3,886  0.031764 
16  381  256  3  5,626  0.105274 
18  307  324  3  6,106  0.095601 
The values of E^{′′}(s) for different values of the system parameters are obtained through simulation of the key predistribution model using C program. The first column of Table 6 shows the dimension of the grid used as deployment zone. The second column gives the number of nodes contained in a single group. The third column shows the number of supernodes in the entire network which is equal to R × R, R being the dimension of the square grid. The fourth column corresponds to the security parameter c. The fifth column gives the number of nodes compromised. The last column shows the values of E^{′′}(s). It can be seen in Table 6 that as the grid size increases, the value of E^{′′}(s) decreases while other parameters remain the same. So, the adversary needs to capture more nodes to damage the communication model considerably if the grid size is high enough. This happens as when the grid size increases, the total number of nodes in the network increases and the number of links between nodes also increases. It can be noted in this table that if the value of the security parameter is kept as low as 3 or 4, the key predistribution model can offer sufficient resiliency against node capture.
Values of V ^{ ′ ′ } ( s ) for different values of s , size of grid and number of nodes in each group
Size of grid  Number of nodes  Number of  Security  s  Value ofV^{ ′ ′ }( s) 

in each group  supernodes  parameter  
14  553  196  3  24,000  0.114369 
15  307  225  3  20,000  0.187892 
14  183  196  3  18,009  0.841926 
11  381  121  4  24,000  0.959935 
15  307  225  4  21,002  0.027675 
13  871  169  3  25,000  0.033112 
7  553  49  3  6,000  0.112729 
9  553  81  4  11,000  0.030479 
14  307  196  4  14,000  0.000322 
7  381  49  3  10,000  0.976503 
5.4 Comparison with other schemes
Next, we compare our proposed scheme with some other key predistribution schemes that use deployment knowledge. These schemes include Du et al. 2004 [20] and 2006 [21], Liu and Ning 2003 [39] and 2005 [40], Yu and Guan 2005 [28] and 2008 [29], Zhou et al. 2006 [23], Huang et al. [24], Huang and Medhi 2007 [25], Chan and Perrig 2005 [26], Simonova et al. 2006 [27].
Huang et al. [24, 25] used rectangular deployment zone which is divided into equalsized regions of smaller size. In this scheme, the sensors randomly choose the keys. Huang et al. used multispace Blom scheme [4] for key predistribution. In this scheme, all nodes are identical with respect to the amount of resources they possess. This is where this scheme is different from ours. In our scheme, there are two different types of nodes viz. common nodes and agents giving rise to a heterogeneous network. Moreover, in Huang et al. scheme, the nodes in a region can communicate directly with each other with probability of >0.5; whereas, in our scheme, they can do so with a probability equal to 1 as our scheme ensures full interregion connectivity. Hence, in this scheme, more amount of computation will be required for communication than our scheme. The scheme of Huang et al. is perfectly secure against selective and random node capture attack. Hence, capture of some number of nodes by an adversary will have negligible effect to the links among the uncompromised nodes. However, if we take all the links of compromised and uncompromised nodes into account, then the fraction of links compromised will be higher.
Zhou et al. [23] used two types of sensor nodes viz. static and mobile. This scheme uses pairwise keys with each sensor within the same region. Hence, it requires high amount of memory to hold the pairwise keys if the number of sensors within a region is high enough. If there are n number of nodes within a region, then the number of keys to be stored in a node is O(n^{2}) under the Zhou et al. scheme; whereas, it is $O\left(\sqrt{N}\right)$ in Çamptepe and Yener scheme which is used in our key predistribution scheme. Hence, our scheme is much better than Zhou et al. in terms of memory efficiency.
Liu and Ning [39, 40] used deployment knowledge. There, the whole deployment zone is split into smaller square regions like our scheme. However, in their schemes, only a single node is deployed in a square region as opposed to our scheme where there are a group of nodes deployed in a region. They used the polynomialbased scheme of Blundo et al. [5]. The deployment region is broken down into equalsized squares $\left\{{C}_{{i}_{c},{i}_{r}}\right\}{i}_{c}=0,1,\dots ,C1,{i}_{r}=0,1,\dots ,R1$, each of which is a cell with coordinates (i_{ c },i_{ r }) denoting row i_{ r } and column i_{ c }. Each of the cells is associated with a bivariate polynomial. For a R × C grid, the setup server generates RC tdegree polynomials $\left\{{f}_{{i}_{c},{i}_{r}}\right(x,y\left)\right\}{i}_{c}=0,1,\dots ,C1,{i}_{r}=0,1,\dots ,R1$, and assigns ${f}_{{i}_{c},{i}_{r}}(x,y)$ to cell ${C}_{{i}_{c},{i}_{r}}$. For each sensor, the setup server determine its home cell and its four neighboring cells which lie adjacent to the home cell in the same row and column. The setup server distributes to the sensor the coordinates of the home cell and the polynomial shares of the home cell and its neighboring cell. For example, for a sensor U_{ u } in the cell with coordinate (r^{′},c^{′}), the polynomial shares ${f}_{{r}^{\prime}1,{c}^{\prime}}(u,y),{f}_{{r}^{\prime},{c}^{\prime}1}(u,y),{f}_{{r}^{\prime}+1,{c}^{\prime}}(u,y),{f}_{{r}^{\prime},{c}^{\prime}+1}(u,y),{f}_{r,c}(u,y)$ are given. For direct key establishment, a node broadcasts the coordinates of its home cell. From this coordinate, the destination node finds out the common polynomial that it shares with the broadcasting node if at all. Now, the common key can be calculated using the same method as [5].
In Simonova et al.’s [27] scheme, the number of specialized nodes depends upon the size of the network unlike ours which is constant (=1). The resiliency as given in the graph is much lower compared to our scheme. Also, resiliency in terms of nodes or regions disconnected has not been presented.
Du et al. [21] proposed another key predistribution using deployment knowledge that uses multiple space Blom scheme [4]. Under this scheme, sensors randomly choose keys from a set of different instances of Blom space. Unlike our scheme, this scheme does not guaranty full connectivity.
As we have discussed earlier, the key predistribution scheme of Ruj and Roy in [18] uses deployment knowledge. Similar to our scheme, this scheme uses the Çamptepe and Yener scheme for key predistribution within the same region. This scheme exhibits lower resiliency among the set of agents that provide interregion connectivity as discussed in previous sections. In other words, our scheme offers more resilient interregion connectivity than Ruj and Roy scheme.
DDHV scheme has parameters k = 200,ω = 11, and τ = 2. LN scheme has parameters k = 200,m = 60, and L = 1; YG scheme has parameters k = 100; ZNR scheme has parameters k = 100; HMMH scheme has parameters k = 200,ω = 27, and τ = 3; SLW scheme has parameters k = 16,p = 11, and m = 4; RujRoy scheme has parameters k = 12. Our scheme has parameters p = 11 and c = 4. The size of the network in DDHV, LN, YG, ZNR, and HMMH is 10,000; for SLW, it is 12,100. It is 16,093 for RujRoy scheme and in our scheme. We simulated the behavior of the key predistribution schemes for random node capture attack. All schemes are implemented identical network. It can be seen in Figure 5 that our scheme offers better performance than similar schemes that make use of deployment knowledge up to a certain limit of the number of nodes captured by the adversary. We used C program for running the simulation.
The reason why our scheme excels in performance can be inferred from Lemma 3 and Proposition 4. Lemma 3 says that in order to compromise the links between any two nodes, the adversary is required to compromise at least c (c is the security parameter) nodes having information from the same key space as the two nodes. However, in most of the other schemes, the same thing can be done by capturing a single node. Again, Proposition 4 says that the probability of existence of a link between a pair of nodes is high even if many nodes are compromised. So, even if the number of captured nodes is high enough, the value of fraction of broken links can be very low in our scheme. This fact is corroborated by the performance of our scheme as shown in Figure 5.
Comparison of schemes with respect to type of deployment, node, communication, and storage overhead and scalability
Schemes  Deployment  Nodes  Communication cost  Storage  Scalability 

Gridgroup  Homogeneous  O(1)  O(1)  Scalable  
Grid  Homogeneous  O(logN)  $O\left(\sqrt{N}\right)$  Not scalable  
Gridgroup  Homogeneous  O(1)  O(1)  Not scalable  
ZNR [23]  Group  Heterogeneous  O(logN)  O(N/g)^{a}  Not scalable 
O(N)^{b}  
HMMH [24]  Gridgroup  Homogeneous  O(1)  $O\left(\sqrt{N}\right)$  Scalable 
HM [25]  Gridgroup  Homogeneous  O(1)  $O\left(\sqrt{N}\right)$  Scalable 
PIKE [26]  Grid  Homogeneous  O(logN)  $O\left(\sqrt{N}\right)$  Not scalable 
SLW [27]2  Gridgroup  Heterogeneous  O(logN)  $O\left(\sqrt{N/g}\right)$  Scalable 
RujRoy [18]  Gridgroup  Heterogeneous  O(logN)  $O{\left({N}^{\frac{1}{4}}\right)}^{\mathrm{a}}$  Not scalable 
$O{\left({N}^{\frac{1}{4}}\right)}^{\mathrm{b}}$  
Current scheme  Gridgroup  Heterogeneous  O(logN)  $O{\left({N}^{\frac{1}{4}}\right)}^{\mathrm{a}}$  Not scalable 
$O{\left({N}^{\frac{1}{4}}\right)}^{\mathrm{b}}$ 
6 Conclusions
In this paper, we have presented a key predistribution scheme for a wireless sensor for a gridgroupbased deployment. Here, the entire deployment zone is a square which is divided into a number of smaller squares. Each square is identical in terms of physical area and number of sensor nodes. The sensor nodes belonging to a smaller square form a group among themselves. All the groups contain two types of nodes viz. ordinary and nodes. A node within a group can make direct communication to any other node in the same group or region. Nodes belonging to two different group communicate via special nodes called nodes. These nodes are more resourceful than ordinary nodes in terms of memory, computational power, and energy. We used two types of different key predistribution schemes for this deployment. The ordinary sensor nodes and the node within a group use symmetric designbased key predistribution scheme proposed in [6] for within group communication. The nodes contain two types of keys. It can communicate to other sensor nodes belonging to the same group. Moreover, it can communicate with other nodes by means of a separate key predistribution scheme. Our scheme offers better resiliency than other existing schemes like the most notable scheme by Ruj & Roy [18] and the Zhou et al. scheme in [23]. We have shown that our scheme ensures that there will be high probability of existence of a common unexposed link between two nodes belonging to two different groups even if a considerable number of nodes are compromised by the adversary.
Declarations
Authors’ Affiliations
References
 Eschenauer L, Gligor VD: A keymanagement scheme for distributed sensor networks. In ACM Conference on Computer and Communications Security. Edited by: Atluri V. ACM New York; 2002:4147.Google Scholar
 Chan H, Perrig A, Song DX: Random key predistribution schemes for sensor networks. In IEEE Symposium on Security and Privacy. IEEE Computer Society, Berkeley, CA, USA; 11–14 May 2003:197197.Google Scholar
 Liu D, Ning P: Establishing pairwise keys in distributed sensor networks. In ACM Conference on Computer and Communications Security. Edited by: Jajodia S, Atluri V, Jaeger T. ACM New York; 2003:5261.Google Scholar
 Blom R: An optimal class of symmetric key generation systems. In Proceedings of EUROCRYPT 84, A Workshop on the Theory and Application of Cryptographic Techniques. Edited by: Beth T, Cot N, Ingemarsson I. Springer Berlin; 1984:335338.Google Scholar
 Blundo C, Santis AD, Herzberg A, Kutten S, Vaccaro U, Yung M: Perfectlysecure key distribution for dynamic conferences. In Advances in Cryptology–CRYPTO ‘92. Edited by: Brickell EF. Springer Berlin; 1992:471486.Google Scholar
 Çamtepe SA, Yener B: Combinatorial design of key distribution mechanisms for wireless sensor networks. In Computer Securtiy–ESORICS. Edited by: Samarati P, Ryan PYA, Gollmann D, Molva R. Springer Berlin; 2004:293308.Google Scholar
 Çamtepe SA, Yener B: Combinatorial design of key distribution mechanisms for wireless sensor networks. IEEE/ACM Trans. Netw 2007, 15(2):346358.View ArticleGoogle Scholar
 Lee J, Stinson DR: A combinatorial approach to key predistribution for distributed sensor networks. In IEEE Wireless Communications and Networking Conference. IEEE, New Orleans; 13–17 Mar 2005.Google Scholar
 Lee J, Stinson DR: Deterministic key predistribution schemes for distributed sensor networks. In Selected Areas in Cryptography. Edited by: Handschuh and Hasan. Springer Berlin; 2004:294307.View ArticleGoogle Scholar
 Ruj S, Roy BK: Key predistribution using partially balanced designs in wireless sensor networks. In ISPA, Parallel and Distributed Processing and Applications. Edited by: Stojmenovic I, Thulasiram RK, Yang LT, Jia W, Guo M, de Mello RF. Springer Berlin; 2007:431445.View ArticleGoogle Scholar
 Chakrabarti D, Maitra S, Roy BK: A key predistribution scheme for wireless sensor networks: merging blocks in combinatorial design. In Information Security. Edited by: Zhou J, Lopez J, Deng RH, Bao F. Springer Berlin; 2005:89103.View ArticleGoogle Scholar
 Bag S, Ruj S: Key distribution in wireless sensor networks using finite affine plane. In IEEE Workshops of International Conference on Advance Information Networking and Applications (WAINA). Singapore; 22–25 Mar 2011:436441.View ArticleGoogle Scholar
 Mitchell CJ, Piper F: Key storage in secure networks. Discrete Appl. Math 1988, 21(3):215228. 10.1016/0166218X(88)900686MathSciNetView ArticleGoogle Scholar
 Dong J, Pei D, Wang X: A key predistribution scheme using 3designs. In Information Security and Cryptology. Springer Berlin; 2007.Google Scholar
 Dong J, Pei D, Wang X: A class of key predistribution schemes based on orthogonal arrays. JCST 2008, 23: 825831.MathSciNetGoogle Scholar
 Blackburn S, Etzion T, Martin K, Paterson M: Efficient key predistribution for gridbased wireless sensor networks. In Information Theoretic Security. Lecture Notes in Computer Science 5155. Edited by: Fehr S. Springer Berlin; 2008:5469.Google Scholar
 Wei R, Wu J: Product construction of key distribution schemes for sensor networks. In Selected Areas in Cryptography. Edited by: Handschuh and Hasan. Springer Berlin; 2004:280293.View ArticleGoogle Scholar
 Ruj S, Roy BK: Key predistribution using combinatorial designs for gridgroup deployment scheme in wireless sensor networks. TOSN 2009, 6(1):4:14:28.View ArticleGoogle Scholar
 Ruj S, Roy BK: Key predistribution schemes using codes in wireless sensor networks. In Information Security and Cryptology. Edited by: Yung M, Liu P, Lin D. Springer Berlin; 2008:275288.Google Scholar
 Du W, Deng J, Han YS, Chen S, Varshney PK: A key management scheme for wireless sensor networks using deployment knowledge. In Proceedings of the Twentythird Annual Joint Conference of the IEEE Computer and Communications. IEEE Hong Kong; 7–11 Mar 2004.Google Scholar
 Du W, Deng J, Han YS, Varshney PK: A key predistribution scheme for sensor networks using deployment knowledge. IEEE Trans. Dependable Sec. Comput 2006, 3: 6277. 10.1109/TDSC.2006.2View ArticleGoogle Scholar
 Liu D, Ning P: Improving key predistribution with deployment knowledge in static sensor networks. TOSN 2005, 1(2):204239. 10.1145/1105688.1105691View ArticleGoogle Scholar
 Zhou L, Ni J, Ravishankar CV: Supporting secure communication and data collection in mobile sensor networks. In Proceedings of 25th IEEE International Conference on Computer Communications. Barcelona; 23–29 April 2006.Google Scholar
 Huang D, Mehta M, Medhi D, Harn L: Locationaware key management scheme for wireless sensor networks, Washington. In Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks. ACM New York; 2004:2942.View ArticleGoogle Scholar
 Huang D, Medhi D: Secure pairwise key establishment in largescale sensor networks: an area partitioning and multigroup key predistribution approach. TOSN 2007., 3(3):Google Scholar
 Chan H, Perrig A: PIKE: peer intermediaries for key establishment in sensor networks. In Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Miami; 13–17 Mar 2005:524535.View ArticleGoogle Scholar
 Simonova K, Ling ACH, Wang XS: Locationaware key predistribution scheme for wide area wireless sensor networks. In Proceedings of the fourth ACM workshop on Security of ad hoc and sensor networks. Edited by: Zhu S, Liu D. ACM New York; 2006:157168.View ArticleGoogle Scholar
 Yu Z, Guan Y: A key predistribution scheme using deployment knowledge for wireless sensor networks. In Proceedings of the Fourth International Symposium on Information Processing in Sensor Networks. IEEE, Los Angeles; 15 Apr 2005:261268.Google Scholar
 Yu Z, Guan Y: A key management scheme using deployment knowledge for wireless sensor networks. IEEE Trans. Parallel Distrib. Syst 2008, 19(10):14111425.View ArticleGoogle Scholar
 Bag S: Key predistribution in 3dimensional gridgroup deployment scheme. In 4th International Conference, CNSA 2011. Springer, Chennai, India; 15–17 Jul 2011:302319.Google Scholar
 Stinson DR: Combinatorial Designs: Construction and Analysis. Springer, New York; 2004.Google Scholar
 Street AP, Street DJ: Combinatorics of Experimental Design. Clarendon Press, Oxford; 1987.Google Scholar
 Lay DC: Linear Algebra and Its Applications. Addison Wesley, 75 Arlington Street, Boston, MA 02116; 2005.Google Scholar
 Meyer CD: Matrix Analysis and Applied Linear Algebra. Society for Industrial and Applied Mathematics (SIAM) Philadelphia, United States; 2001.Google Scholar
 Du W, Deng J, Han YS, Varshney PK: A pairwise key predistribution scheme for wireless sensor networks. In Intelligence and Security Informatics. Edited by: Jajodia S, Atluri V, Jaeger T. Springer Berlin; 2003:4251.Google Scholar
 MacWilliams FJ, Sloane NJA: The Theory of Error Correcting Codes. Northland Holland, Amsterdam; 1988.Google Scholar
 Pietro RD, Mancini LV, Mei A: Energy efficient nodetonode authentication and communication confidentiality in wireless sensor networks. Wireless Netw 2006, 12(6):709721. 10.1007/s1127600665305View ArticleGoogle Scholar
 Lee J, Stinson DR: On the construction of practical key predistribution schemes for distributed sensor networks usin combinatorial designs. ACM Trans. Inf. Syst. Secur 2008., 11(2):Google Scholar
 Liu D, Ning P: Establishing pairwise keys in distributed sensor networks. In Proceedings of the 10th ACM conference on Computer and communications security. ACM New York; 2003:5261.Google Scholar
 Liu D, Ning P: Improving key predistribution with deployment knowledge in static sensor networks. TOSN 2005, 1(2):204239. 10.1145/1105688.1105691View ArticleGoogle Scholar
Copyright
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.