Performance Analysis of Deterministic Key …sanyal/papers/Joy_Performance_Analysis...1 Performance Analysis of Deterministic Key Allocation Schemes for Wireless Sensor Networks Abhishek

1

Performance Analysis of Deterministic KeyAllocation Schemes for Wireless Sensor Networks

Abhishek GuptaSAIT India Lab.,

Samsung India Software Operations,Bangalore 560093, India

[email protected]

Joy KuriCentre for Electronics Design and Technology

Indian Institute of ScienceBangalore 560012, [email protected]

Sugata SanyalSchool of Technology & Computer Science

Tata Institute of Fundamental ResearchHomi Bhabha Road, Mumbai 400005, India

[email protected]

Abhishek Gupta:Abhishek Gupta is currently working for a networking

group at SAIT India Lab, Samsung, Bangalore. Hereceived his B. Tech. in Electrical Engineering fromInstitute of Technology, Banaras Hindu University in2004 and his M. Sc (Engg) in wireless communicationfrom Indian Institute of Science in 2007. His researchinterests include communication networks, wireless com-munication and computer algorithms.

Joy Kuri:Joy Kuri has a B.E. in Electronics and Telecommu-

nication Engineering from Jadavpur University, Kolkata,India. After a year in the industry, he joined the M.E.program in the Department of Electrical CommunicationEngineering at the Indian Institute of Science. He wenton to receive a PhD from the same department at IISc in1995. Subsequently, he spent two years at Ecole Poly-technique, University of Montreal, Canada and one anda half years in INRS-Telecommunications, University ofQuebec, Canada as a Research Associate.

Since 1999 he has been with the Centre for ElectronicsDesign and Technology, Indian Institute of Science,where he is currently Professor. He is a co-author ofthe books “Communication Networking: An AnalyticalApproach” and “Wireless Networking,” both published

by Morgan Kaufmann, an imprint of Elsevier. He hasover 75 publications in international journals and confer-ences. His research and teaching interests are in the areasof modelling, analysis and control of communicationnetworks and stochastic systems.

Sugata Sanyal:Sugata Sanyal is a Professor in the School

of Technology & Computer Science atthe Tata Institute of Fundamental Research(http://www.tifr.res.in/˜sanyal). Inthe early phase of his career, Sugata was involvedin huge developmental projects, designing RuggedMicro programmed Computers and Fault-TolerantComputerized systems. He has worked in diverse areasof Computer Architecture, Parallel Processing, FaultTolerance and Coding Theory and in the area of Security.Sanyal is in the Editorial Board of many InternationalJournals, and is collaborating with scientists from Indiaand abroad.

2

Abstract— Because of the resource-constrained natureof Wireless Sensor Networks (WSNs), it is easier to usea security system based on symmetric key cryptography.However, the distribution and management of crypto-graphic keys pose challenges of their own. In this paper,we study some deterministic methods of distribution ofkeys to nodes. We propose and analyze a polynomial-basedscheme and a complete connectivity scheme. An analyticalcomparison between the schemes, in terms of securityand connectivity, is presented next. Motivated by theschemes, we present a general key allocation scheme andderive general expressions for security and connectivitythat are applicable to any deterministic key distributionalgorithm in a certain class (not just the polynomial andfull-connectivity schemes mentioned above). With the helpof these expressions, we present a number of trade-offswhich should be taken into account while designing asecure system.

I. INTRODUCTION

Recent advances in wireless communication haveopened interesting and challenging areas for re-search. Wireless sensor networks [Akyildiz et al., 2002],[Culler et al., 2004] is one such field of research. Thesenetworks are formed by cheap and highly resourceconstrained sensor nodes, generally called as motes. Thesize of the network may vary from few hundreds of nodesto thousands, depending on the type of application forwhich they are being used.

A typical sensor node contains some sensors (light,temperature, acceleration etc.), a radio chipset for wire-less communication, an EEPROM chip for logging sen-sor data, a node-to-host communication interface (typi-cally a serial port), and a micro-controller which containssome amount of flash memory for program storage andRAM for program execution [Becher et al., 2006].

Wireless sensor networks find numerous applica-tions in many diverse areas. Some of these appli-cation areas include environmental and habitat moni-toring [Szewczyk et al., 2004], battle field surveillanceand border monitoring [Bokareva1 et al., 2006], healthcare applications and monitoring of vehicular move-ments in cities and highways [Akyildiz et al., 2002].When sensor networks are deployed in hostile environ-ments, some of the applications require communicationamong nodes and between nodes and base station tobe secure. For example, in a surveillance application[Chong and Kumar, 2003], it would be very undesirableif intruders can access the information being carried bythe network.

Since sensor networks are adhoc networks with nopreexisting infrastructure, public key cryptography maybe difficult to implement. Due to the resource constrained

nature of the sensors, implementations of public keycryptographic primitives turn out to be costly. Althoughrecent advances have shown the feasibility of publickey algorithms in sensor networks [Wang and Li, 2006],[Batina et al., 2006], [Uhsadel et al., 2007], it seemsthat frequent use of such systems could still make themexpensive in terms of computational time and energyconsumption. The alternative solution based on symmet-ric key cryptography is easier to implement. However,the distribution and management of cryptographic keyspose challenges. One requires efficient key distributionalgorithms for such type of networks.

A number of key distribution algorithms have beenproposed in the literature which require pre-distributingsome keys to each node from a given pool of keys. Thesealgorithms can be split into two broad categories, basedon the connectivity of the resultingkey graph. By a keygraph, we mean a graphG(V,E) whereV is the set ofvertices corresponding to nodes in the network andE

is the set of edges where an edge exists between twovertices only if the corresponding nodes share at leastone key.

• Partial connectivity schemes:The keys are dis-tributed in such a fashion that the resulting keygraph is partially connected. This means that someof the nodes share keys in common and some donot. Those which do not share a key in common,undertake pairwise key distribution. As will beshown later, such type of schemes show “good”security properties.

• Complete connectivity schemes:The keys are dis-tributed in such a fashion that the resulting keygraph is fully connected and does not require anypairwise key setup phase, leading to energy saving.Such type of schemes find applications in areaswhere sensor life-time is an important factor fordesign consideration and security comes only as asecondary design criterion.

Let P be the key pool size andSi (i = 1, 2, . . . n, nbeing the total number of nodes in the network) be theset of keys (called “key ring”) assigned to nodei. Thatis, Si = {ki1, k

i2, . . . , k

ik} wherek is the key ring size.

Also, let Skn = {S1, S2, . . . , Sn} be the set of key ringscorresponding to a network ofn nodes where| Si |= k ∀i = 1, 2, . . . n, | Skn | = n and |

⋃ni=1 Si | = P. Then, the

partial connectivity key distribution schemes satisfy thepropertyPr(Si∩Sj = φ) > 0 for i 6= j or Si ∩Sj = φ,for somei andj wherei 6= j. The complete connectivitykey distribution schemes satisfy the propertySi∩Sj 6= φ

∀ Si, Sj ∈ Skn and∀ i, j s.t. i 6= j. In other words, forcomplete connectivity schemes,Si ∩ Sj is always non-

3

empty.The key graph that will be considered in this paper

is independent of the communication range which deter-mines the underlying network graph. The reason for thisassumption is to have multi hop secure communicationbetween nodes of the network. In other words, we areonly concerned with the encryption/decryption of thedata sent by the sender and not on the its distance fromthe receiver. This is particularly useful in cases wherethe intermediate nodes are not allowed to see the datathat is sent by the sender.

In this paper, we analyze the behaviour of de-terministic schemes with respect to various perfor-mance metrics. We begin by discussing a polynomial-based scheme, which is a simple extension of theline-based scheme [Yuichi Kaji and Matsumoto, 2006].Polynomials have found use in security system de-sign earlier as well [Vasudevan and Sanyal, 2004],[Vasudevan et al., 2004]. Next, we discuss a schemebased on Symmetric Balanced Incomplete Block Design(SBIBD) [Anderson, 1990] belonging to the completeconnectivity category. We provide analytical expressionsfor resilience and connectivity to compare the threeschemes. Motivated by the analysis of the three schemes,we present a general analytical approach for obtainingthe resilience and connectivity metrics for a class ofkey distribution schemes that is not tied to any specifickey distribution algorithm. Lastly, we present a designexample using our analytical development.

This paper is an extended version of the conferencepaper [Gupta and Kuri, 2008] and it differs in the fol-lowing ways:(i) a better justification has been providedfor the distribution of the number of keys compromisedby the adversary,(ii) a general key allocation scheme ispresented along with generalized expressions for securityand connectivity measures,(iii) a design example is dis-cussed to give insights into the design of a secure systemand (iv) proofs for a number lemmas and theorems arealso discussed.

Objectives and contributions: In our paper, the focusis on obtaining analytical expressions for connectivity,and resilience whenc nodes are captured. We presentthree deterministic key allocation schemes in Section III,and analyze their performance in the following section.

Section V of the paper presents a general key al-location scheme. The general scheme is described byits properties. The schemes presented earlier are specialcases of this general one. Then, this general schemeis analyzed to obtain its connectivity and resilienceproperties.

The general expressions allow us to show explicitlythe trade-off between connectivity and resilience for

the three schemes considered. In other words, we showexplicitly how improved connectivity leads to decreasedresilience.

Further, we use the generalized expressions to un-derstand how user-specified requirements (target con-nectivity values and resilience values for a specifiednumber of compromised nodes) constrain choices ofa specific scheme’s parameters. We provide a designexample where we start from the user-specified targets,and obtain the ranges of values that the parameters mustlie in. The process indicates also when a feasible designmeeting the user’s requirements does not exist.

The paper is organized as follows. Backgroundis discussed in Section II. In Section III, we dis-cuss polynomial-based schemes and a full connectivityscheme. Analysis of the schemes with comparison isgiven in Section IV. A generalized analysis for a class ofkey distribution schemes is discussed in Section V alongwith a design example. Section VI concludes the paper.

II. RELATED WORK

Key distribution methods in sensor networks are di-vided into three categories:(a) Probabilistic (b) Deter-ministic and(c) Hybrid [Camtepe and Yener, 2005]. Incase of probabilistic distribution, the key ring for eachnode is selected randomly from a large pool of keys.Deterministic distribution allocates keys to nodes in adeterministic way to ensure better connectivity. Hybridschemes use probabilistic methods on deterministic solu-tions to increase scalability and resilience. In this paper,our focus is on deterministic schemes; however, we sur-vey probabilistic and hybrid schemes for completeness.

The random key pre-distribution scheme was first pro-posed in [Eschenauer and Gligor, 2002]. In that work,Eschenauer and Gligor suggested a probabilistic solutionto the problem of efficient key distribution. In thisscheme, each sensor node is assigned akey-ring con-sisting ofk keys chosen at random without replacementfrom a pool ofP keys. After deployment, two nodeswithin communication range exchange key-identifiers orchallenges to discover common keys. Then, a commonkey is selected for secure communication. Node pairswithout a common key establish a path key through asecure path.

Based on this, several probabilistic schemes withenhanced security features have been suggested. Aq-composite-random key pre-distribution scheme is pro-posed by [Chan et al., 2003] which achieves strength-ened security under small scale attack while tradingoff increased vulnerability in the face of a large scalephysical attack on network nodes. It then uses multi-path key reinforcement scheme to update the commu-

4

nication key to a random value after key set-up phase.In [Zhu et al., 2003], a seed-based approach is used forassigning keys to each node. Each key is associated witha unique key identifier or key-id. For any node, a setof key-ids is generated from a common pseudo-randomgenerator with the node identity acting as the seed. Thecorresponding keys are then stored in the node. Thismakes it possible for each node to identify the key-idsthat another node has, and thereby find if they shareany common keys. The seed-based approach reducesthe communication burden in sharing key identifiers.[Pietro et al., 2003] uses similar technique for sharedkey discovery phase.

[Du et al., 2004] gives a scheme where memory re-quirements can be reduced by utilizing pre-deploymentknowledge. In this scheme, knowledge about whichnodes are likely to be the neighbours of each sensornode is exploited such that the probability of any twoneighbouring nodes sharing a common key is maximizedwithout degrading the other performance metrics, suchas security and memory usage.

The scheme in [Du et al., 2003] exhibits a nice thresh-old property: When the number of compromised nodesis less than the threshold, the probability that any nodeother than these compromised nodes are affected isclose to zero. Their scheme builds on Blom’s key pre-distribution scheme [Blom, 1985] and combines the ran-dom key pre-distribution method with it.

In [Liu and Ning, 2003], sensor nodes are deployed ina two dimensional area and each sensor has an expectedlocation that can be predicted. The idea is to haveeach sensor to share pair-wise keys with itsl closestneighbors. In key setup phase, for each sensor nodeA,a unique keyκA and l closest neighborsB1 , . . . ,Bl are selected. For each pair (A, Bi ), a pair-wise keyκA,Bi

= PRF (κBi||a) is generated, wherea is the node-

id of A and PRF (.) is the pseudo-random function.NodeA stores all pair-wise keys, whereas nodeBi onlystores the keyκBi

and thePRF (.). Thus, each sensoruses2l + 1 units of memory to store its key-chain.

The key allocation schemes closest in spirit to theones we discuss in this paper are the deterministicschemes based on combinatorial design techniques[Lee and Stinson, 2005a], [Lee and Stinson, 2005b],[Camtepe and Yener, 2007]. [Lee and Stinson, 2005b]proposes two deterministic schemes:(i) ID-based one-way function scheme, and(ii) multiple space Blom’sscheme, where asymmetric key matrices are used insteadof symmetric ones. In [Camtepe and Yener, 2007],combinatorial design based pair-wise key pre-distribution scheme is defined, which is based on theblock design techniques in combinatorial design theory.

It employs symmetric and generalized quadranglesdesign techniques. The scheme uses a finite projectiveplane of ordern (for prime powern) to generate asymmetric design (or symmetric BIBD) with parameters(n2 + n+ 1, n + 1, 1). The design supportsn2 + n+ 1nodes and uses key-pool of sizen2+n+1. It generatesn2 +n+1 key-chains of sizen+1 where every pair ofkey-chains has exactly one key in common and everykey appears in exactlyn+ 1 key-chains.

[Lee and Stinson, 2005b] assumes that the connectiv-ity graph of the nodes satisfies a certain structure. Eachnode is allocated a secret key, and some other keyingmaterial that allows it to compute session keys for thosenodes with which it may need to communicate. On theother hand, the schemes that we study do not assumeany special structure of the communication graph. Thus,even though [Lee and Stinson, 2005b] allocates keys ina deterministic way, its approach is essentially differentfrom ours.

One of the schemes proposed in[Camtepe and Yener, 2007] is similar to the“complete connectivity” scheme we propose.[Camtepe and Yener, 2007] provides an approximateexpression for the fraction of links compromised(which we refer to as “resilience” for short) for asingle compromised node. In contrast, we provideanalytical expressions for connectivity, as well asresilience whenc nodes are compromised, for anyc.The other schemes in [Camtepe and Yener, 2007] areessentially different; they are based on the “GeneralizedQuadrangles” approach, while our schemes are based onpolynomials over a finite field. Moreover, motivated bythe three schemes discussed in Section III, we present ageneralized class of key allocation schemes, and obtainanalytical expressions for the resilience and connectivitymetrics. Further, we use these results to understandhow user-specified connectivity and resilience targetsindicate the ranges within which the parameters ofa specific scheme must lie; this is illustrated by anexample in Section V-C.

A part of the discussion in this paper is inspired bya deterministic scheme based on lines over finite plane[Yuichi Kaji and Matsumoto, 2006]. Ap×p grid of keysis chosen,p being prime and keys are distributed to nodesbased on the relationy(x) = ax+b (mod p). Two nodesshare a key if the corresponding lines, over a finite field,intersect each other. If the lines are parallel, then thecorresponding nodes do not share a key and needs toundergo pairwise key establishment phase.

An interesting study done by [Xu et al., 2007] hasshown that the advantages of the probabilistic approachover the deterministic approach, are not as much as

5

people have believed. The work, thus, supports ourfocus on using deterministic key distribution approachfor distributing keys in wireless sensor network.

III. T HREE KEY ALLOCATION SCHEMES

A. Polynomial-based Schemes

In the polynomial-based scheme, a polynomial of de-greem over a residue fieldZp = {0, 1, . . . , p−1}, p be-ing a prime, is used to assign keys to a node. The polyno-mial is represented as:y(x) = amx

m + am−1xm−1 +

. . .+ a0 (mod p), wherey(x), x, am, am−1, . . . , a0 ∈Zp. Two nodes share at least one key between them if thecorresponding polynomials intersect at at least one point.Each key is associated with an intersection point in thep

× p grid (Fig. 1). Nodes do not share a key in common

y(x)

x

0

1

2

3

4

0 1 2 3 4

L : y (x)1 1

L : y (x)2 2

L : y (x)3 3

Key ring size p = 5

Key pool size P = 25

Number of nodes n = 25

Fig. 1. A p× p grid containing lines wherep = 5. Each grid pointrepresents a key. A line through the grid represents a node. Anodeis assigned keys corresponding to the points through which its linepasses.

if the corresponding polynomials do not intersect at all.Sincex andy(x) in y(x) = amx

m + am−1xm−1 +

. . .+ a0 (mod p) belong toZp, the grid size will alwaysbe p × p and the total number of distinct intersectionpoints, corresponding to the points on the grid, will bealwaysp2. Each node storesp keys because of the factthat y(x) ∈ Zp.

We would like to point out here that in general, theexpression used for distributing keys to nodes couldcontain terms both inx and y like x2y3 and so on.But we want to restrict our attention to only a specificset of curves which have a particular structure. Forexample, in the case of polynomial-based scheme whenm = 1, the expression is given asy(x) = a1x +a0 (mod p). But there exists a more general expression,ax + by (mod p) = c wherey, x, a, b, c ∈ Zp

anda, b are not zero simultaneously, which we will notconsider in our analysis.

Since there are(m+ 1) independent coefficients andeach coefficient hasp possibilities, the total number of

curves possible will bep(m+1) and thus, the number ofnodes will bep(m+1). But, in practice, the requirementfor the number of nodes will be arbitrary. So, we designthe system by choosing a prime power close to thedesired value ofn but greater thann.

Now, we explain the polynomial-based scheme withthe help of two schemes: a line-based key distributionscheme [Yuichi Kaji and Matsumoto, 2006] and a de-gree two polynomial-based key distribution scheme.

1) Scheme 1: Line-based Key distribution scheme:The intuition behind the scheme, which appeared asa poster paper [Yuichi Kaji and Matsumoto, 2006], isbased on the fact that two lines in a plane eitherintersect at one point or they do not intersect atall [Yuichi Kaji and Matsumoto, 2006]. The authors de-fined the lines over a residue fieldZp = {0, 1, . . . , (p−1)} where p is a prime. The parametersa, b and thevariable x in y(x) = ax + b (mod p) takevalues from the set{0, 1, . . . , (p − 1)}. A par-ticular line L is thus parallel to(p − 1) other linesand intersects with all other lines at exactly one point[Yuichi Kaji and Matsumoto, 2006].

Figure 1 shows an example of such a scheme withp = 5. For the sake of clarity, only three lines are shown.Lines L1, L2 and L3 are, respectively, represented byy1(x) = x + 4 (mod 5), y2(x) = 2x + 1 (mod 5) andy3(x) = x + 2 (mod 5). We can see thatL1 intersectsL2 at exactly one point (having integer coordinates) andis parallel toL3. So, nodeN1 (corresponding toL1)shares a key, obtained by the mapping of the intersectionpoint to a key in the key pool, withN2 (correspondingto L2). Also, nodeN1 does not share a key with nodeN3 (corresponding toL3).

2) Scheme 2: Quadratic Key Distribution Scheme:Yet another example of a scheme belonging to thepolynomial-based schemes is a simple extension to theline-based scheme: instead of using a line, use a poly-nomial of degree two for distributing keys. In the degreetwo polynomial-based scheme, each node now storeskeys corresponding to the points of intersection of aparticular curveyj(x) = ajx

2 + bjx+ cj (mod p) withthe grid points.

Since there exists a one-to-one mapping betweencurves and nodes, the total number of nodes will besame as the total number of curves. In a degree twopolynomial-based scheme, the total number of nodes willbep3 as we have three independent coefficients to choosewith, each takingp values.

Figure 2 shows an example of such a scheme withp = 5. Only four curves are shown, for clarity. In thefigure, the curvesC1, C2, C3 and C4 are represented byy1(x) = 0x2 + x + 4 (mod 5), y2(x) = 4x2 +

6

y(x)

x

0

1

2

3

4

0 1 2 3 4

C : y (x)1 1

C : y (x)4 4

C : y (x)3 3

C : y (x)2 2

Key ring size p = 5

Key pool size P = 25

Number of nodes n = 125

Fig. 2. A p×p grid for degree two polynomial-based scheme,p = 5

0x + 1 (mod 5), y3(x) = 0x2 + 4x + 3 (mod 5)and y4(x) = 0x2 + x + 3 (mod 5) respectively.We can see thatC1 intersects withC2 at exactly twopoints, intersects withC3 at exactly one point and doesnot intersects withC4 i.e., is “parallel” to C4. In otherwords, nodeN1 (corresponding toC1) shares two keys,obtained by the mapping of the intersection points tothe keys in the key pool, withN2 (corresponding toC2),one key with nodeN3 ( corresponding toC3) and no keywith nodeN4 (corresponding toC4).

B. Scheme 3: Complete Connectivity Scheme

All the schemes discussed till now belong to the firstcategory. We now discuss a scheme belonging to thesecond category, i.e., a complete connectivity scheme.Here, we will consider| Si ∩ Sj |= 2, ∀ Si, Sj ∈ S

and∀ i, j s.t. i 6= j.

number of nodes n = 4

Key pool size P = 4

Key ring size p = 3

Pool P = {k , k , k , k }1 2 3 4

{k , k , k }1 3 4

(k , k )2 3 (k , k )2 4 (k , k )1 4(k , k )1 3

(k , k )1 2

(k , k )3 4

{k , k , k }1 2 3 {k , k , k }1 2 4

{k , k , k }2 3 4

Fig. 3. An example of the key graph for Scheme-3

The scheme is based on Symmetric Balanced Incom-plete Block Design (SBIBD) [Anderson, 1990]. A BIBDis an arrangement ofv distinct objects intob blockssuch that each block contains exactlyk distinct objects,each object occurs in exactlyr different blocks, andevery pair of distinct objects occurs together in exactly

λ blocks. The design can be expressed as(v, k, λ), orequivalently(v, b, r, k, λ) where:λ(v − 1) = r(k − 1)and bk = vr. A BIBD is called Symmetric BIBDwhen b = v and thereforer = k. The application ofSBIBD to sensor network security was first introducedby [Camtepe and Yener, 2007].

In the scheme,b is same as the number of nodes in thenetwork (n), v corresponds to the key pool size (P), kthe number of keys in each node (p) andr correspondsto the number of nodes containing a specific key (α).For the scheme,λ = 2 indicating that a pair of keys iscontained in exactly2 nodes. In other words, we considerall the two-combinationof the keys in the poolP andassign each pair of keys to a link in the network ofn

nodes. An example of such a scheme is given in Fig. 3wheren = P = 4 andp = 3.

IV. A NALYSIS OF SCHEMES AND COMPARISONS

A. Notation

For easy reference, we list in Table I the symbols usedin the paper.

TABLE I

P key pool sizen number of nodes for which the network is being designedα number of nodes containing a specific key; same for

all keysp, β size of the key ring for each nodeδj number ofj-key links containing a specific keyθ number of disjoint sets into which a key pool is

partitionedω number of keys in each partitioned setm maximum number of keys shared between nodesγ number of no key links per node; a connectivity measureRj number of links containing a specific collection of keys

{κ1, κ2, . . . , κj}K(j) number ofj-key links in the network (0 ≤ j ≤ m)c number of nodes captured by the adversaryXc the random variable denoting the number of keys

compromised whenc nodes are capturedpc the probability that a specific key is contained in at least

one out ofc compromised nodespc(i) probability that a particular key is contained ini out of c

compromised nodes

B. Definitions

We use the following definitions for our analysis ofvarious schemes.

Definition 4.1: The security measure is defined as thefraction of the total number ofkeyed links that arecompromised.

By keyed links we mean all those links in the networkwhich are secured by one or more keys. That is, all

7

the links in the key graph obtained after the shared-key discovery phase are referred to as keyed links.A somewhat similar definition is used by authors in[Conti et al., 2007] but for the probabilistic schemes.

Definition 4.2: The connectivity measure is defined asthe probability that two randomly chosen sensor nodesshare at least one key between them.

By connectivity, we mean the connectivity of the keygraph.

We will be frequently using the termj-key linksin oursubsequent discussions. Let us formally define it here.

Definition 4.3: By a j-key link, we mean the tuple(κ1, κ2, . . . , κj , Ni, Nl) whereNi & Nl, i 6= l are thenodes between whom thej-key link exists andκ1, κ2,. . . , κj are the keys that they share in common.

With these definitions in mind, we present the analysisfor the three key distribution schemes discussed in theprevious section.

C. Scheme 1: Line-based Key distribution scheme

Our aim is to find the expected fraction of links com-promised by the adversary whenc nodes are compro-mised. To find that, we first need to know the maximumnumber of keys shared between any pair of nodes andthen the number of nodes containing a specific collectionof keys. The following lemma puts a restriction on thenumber of intersection points for any pair of curves.

Lemma 4.1:Let p be a prime,Zp = {0, 1, . . . , (p −1)}. Let a0, a1, . . . , am, x & y(x) ∈ Zp. Letm < p.Then, any two curves of degreem, y(x) = amx

m +am−1x

m−1 + . . .+ a0 (mod p), cannot have more thanm common intersection points.

Proof: In the Appendix.

Lemma 4.1 shows that for the line-based scheme, therecannot be more than one intersection point for any pairof lines. Since each point of intersection is mapped toa unique key from the key poolP, any pair of nodeseither share a key or they do not. Moreover, since eachcurve is uniquely defined by two points, the total numberof curves will bep2 as each point can be chosen inpdifferent ways. Thus, we havep2 nodes in the network.

Number of nodes containing a specific collection ofkeys gives insight into the link structure in a key graph.Moreover, it is also required to find an expression forthe security measure. In the following lemma, we findthe number of curves passing through a given point onthe grid.

Lemma 4.2:Let p be a prime,Zp = {0, 1, . . . , (p −1)}. Let a0, a1, . . . , am, x & y(x) ∈ Zp. Letm < p

& j ≤ m. Then, the number of curves of degreem,y(x) = amx

m + am−1xm−1 + . . . + a0 (mod p),

passing throughj given points on thep × p grid Z2p is

p(m+1−j).


Intuitively, since there are(m+ 1) independent coef-ficients, the number of curves possible will bep(m+1).Now, if j points on the grid are fixed, then there are(m + 1 − j) independent points to be chosen to definea curve uniquely. Since each point can be chosen inp

ways, there will bep(m+1−j) curves passing throughjgiven points.

Using the above lemma, the number of lines passingthrough a given point (j = 1) will be p, asm = 1 forthe line-based scheme. Since each point on the grid ismapped uniquely to a key in the key pool, the numberof nodes containing a specific keyκ will also bep.

If we know the expected number of keys compromisedby the adversary and also the number of links containinga particular key, then one can easily find the expectednumber of links compromised by the adversary. Thus, thefollowing lemma gives the distribution of the number ofkeys compromised by the adversary.

Lemma 4.3:If n is the number of nodes in thenetwork andα is the number of nodes containing aparticular key, then for a sufficiently large number ofcompromised nodesc, the number of keys compromisedby the adversaryXc has a distribution that can beapproximated by Binomial[P,(1−pc(0))] wherepc(0) =(n−α

c)

(nc)

is the probability that a particular key is not

compromised.


From Fig. 4, we see that as the number of nodescompromised by the adversary increases, the distributionof Xc moves closer and closer to that of the Binomialdistribution. The proof of Lemma 4.3 in the Appendixshows that for tractability, it is necessary to assumethat the “state” of a key (defined in the Appendix) isindependent of the states of other keys; unless this sim-plifying approximation is made, the problem becomestoo complex to analyze. We see from the four plotsthat the approximation becomes better and better as thenumber of compromised nodesc increases.

Since the number of lines passing through a givenpoint is equal top (m = 1, j = 1 in Lemma 4.2),α= p. Thus, the probability that a particular keyκ isnot compromised, whenc nodes are captured by the

8

1.862 1.864 1.866 1.868 1.87 1.872 1.874 1.876 1.878 1.88 1.882

x 104

0

0.005

0.01

0.015

0.02

0.025

Number of keys compromised, Xc

Pro

ba

bility t

ha

t X

c k

eys a

re

co

mp

ro

mis

ed

SimulationTheoreticalp = 139

P = 19321

c = 475

(a) Distribution ofXc for c = 475

1.916 1.917 1.918 1.919 1.92 1.921 1.922 1.923 1.924 1.925

x 104

0

0.005

0.01

0.015

0.02

0.025

0.03

0.035

0.04

0.045


Pro

ba

bility t

ha

t X

c k

eys a

re

co

mp

ro

mis

ed


P = 19321

c = 700

(b) Distribution ofXc for c = 700

1.927 1.9275 1.928 1.9285 1.929 1.9295 1.93 1.9305 1.931 1.9315

x 104

0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09


Pro

ba

bility t

ha

t X

c k

eys a

re

co

mp

ro

mis

ed


P = 19321

c = 900

(c) Distribution ofXc for c = 900

1.9304 1.9306 1.9308 1.931 1.9312 1.9314 1.9316 1.9318 1.932 1.9322

x 104

0

0.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

0.18


Pro

ba

bility t

ha

t X

c k

eys a

re

co

mp

ro

mis

ed

SimulationTheoretical

p = 139

P = 19321

c = 1100

(d) Distribution ofXc for c = 1100

Fig. 4. Theoretical and simulated comparison for distribution of Xc, the number of keys compromised by the adversary

adversary, will bepc(0) =(p

2−p

c)

(p2

c)

and hence,pc =

1− pc(0).

Based on the assumed distribution ofXc, the expectednumber of keys compromised in the scheme-1 will

be E(Xc) = p2pc = p2(

1−(p

2−p

c)

(p2

c)

)

. Now, since a

particular keyκ is present inp nodes (p lines passthrough a given point), the number of links having thekey κ will be

(

p2

)

= p(p−1)2 . Thus, the expected number

of links compromised, whenc nodes are captured by theadversary, will be given by the product of the expectednumber of keys compromised and the number of links

containing a particular key =p(p−1)2 × p2

(

1−(p

2−p

c)

(p2

c)

)

=p3(p−1)

(

1−(p

2−pc )

(p2

c )

)

2 . We note that, in the line-basedscheme, a link is secured by using only one key.

Now, let us find the total number ofkeyed linksin anetwork ofp2 nodes. Total number of linkspossibleina network ofp2 nodes will be

(

p2

2

)

= p2(p2−1)2 . Number

of no-key links per node (i.e., the links which are notsupported by a key) =(p − 1), which corresponds to(p− 1) parallel lines. Therefore, the total number of no-key links in a network ofp2 nodes will bep

2

2 ×(p−1) =

p2(p−1)2 where the factor of2 in the denominator is due

to the fact that a secure linkA → B is same as thesecure linkB → A. Once we know the total number oflinks possibleand the total number of no-key links, wecan easily calculate the total number ofkeyed linksinthe network as

(

p2(p2−1)2 − p2(p−1)

2

)

= p3(p−1)2 .

Thus, the expected fraction ofkeyed linkscompro-mised will be

Expected fraction of keyed links compromised

=Expected number of keyed links compromised

Total number of keyed links in the network

= 1−

(

p2−pc

)

(

p2

c

)

(1)

To find the connectivity probability, we need to knowthe total number of linkspossiblein the network and thetotal number ofkeyed linksin the network ofp2 nodes.As found earlier, the total number of linkspossibleisgiven as

(

p2

2

)

= p2(p2−1)2 and the total number ofkeyed

links = p3(p−1)2 . Thus, the connectivity probability is

given as

pcon =p3(p−1)

2p2(p2−1)

2

=p

p+ 1(2)

9

D. Scheme 2: Quadratic Key Distribution Scheme

As shown in Lemma 4.1 that the number of intersec-tion points for a polynomial of degree two cannot bemore than two, each node will now either share zero,one or two keys with(n − 1) other nodes, wheren isthe total number of nodes supportable by the scheme.

From Lemma 4.2, the number of curves passingthrough a given point will bep2. Thus, each key is nowcontained inp2 nodes. Now, the probability that a partic-ular key is not compromised whenc nodes are captured

will be p′

c =(p

3−p2

c)

(p3

c)

. Thus, the expected number of keys

compromised is given asE(Xc) = p2(

1−(p

3−p2

c)

(p3

c)

)

.

But this cannot be taken as a measure of security assome of the compromised keys will give rise to one-keylinks and some will give rise to two-key links. In caseof two-key links, it may happen that one key is presentin the list of compromised keys but not the other whichmeans that the link is not compromised.

Our aim is to find the expected fraction of thekeyedlinks that are compromised. To achieve this, we divideour analysis into two parts: first we find the expectednumber of one-key links that are compromised and thenwe find the expected number of two-key links that arecompromised. But before doing that we would first liketo find the total number of one-key and two-key links ina network ofp3 nodes.

Lemma 4.4:For anm (m < p) degree polynomial-based key distribution scheme overZp (p is prime), thetotal number ofj-key links (i.e., a link composed ofjkeys) in a network ofp(m+1) nodes is given as

p(m+1)

2(p(m+1−j) − 1)

(

p

j

)

−p(m+1)

2×

m∑

i=j+1

(−1)(i−j+1)

(

i

j

)[

(p(m+1−i) − 1)

(

p

i

)]


Thus, in a network ofp3 nodes, the total number ofone-key links will bep

3

2 (p2 − 1)p− p3

2

[

2(p− 1)(

p2

)]

=p4(p− 1) and the total number of two-key links will bep3

2 (p− 1)(

p2

)

= p4(p−1)2

4 .Now, since there arep2 keys in all and since a one-key

link is composed of only a single key, each one-key linkwill be repeatedp

4(p−1)p2

= p2(p− 1) times in a networkof p3 nodes. Thus, the total number of one-key linkscompromised will be

Expected number of one-key links compromised

= Expected number of keys compromised

× number of times a particular key is repeated

= p4(p − 1)

1−

(

p3−p2

c

)

(

p3

c

)

(3)

Next, let us find the expected number of two-key linkscompromised. SinceXc is the number of keys compro-mised and has a distribution Binomial[P, pc] (as justifiedearlier), the expected number of two-key links compro-mised will be E

(

Xc(Xc−1)2

)

. But E

(

Xc(Xc−1)2

)

=E(Xc)(E(Xc)−1)

2 +V ar(Xc)2 and hence, the expected number

of two-key links compromised is given asPpc(Ppc−1)2 +

Ppc(1−pc)2 =

p2(p2−1)

(

1−(p

3−p2

c )

(p3

c )

)2

2 .Now, there are two things we need to consider before

arriving at the final expression for the expected numberof two-key links that are compromised. First point tobe noted is that we cannot have all thetwo-combinationof the keys (i.e., 2-tuple (κi, κj) wherei 6= j) captured.This can be explained by referring to Fig. 2. We considerany vertical line along the grid corresponding to aparticular value ofx, say x = 3. A particular curve,sayC1: y1(x) = a1x

2 + b1x+ c1 (mod p) will intersectthis vertical line atonly one point on the grid. Hence,we cannot havetwo-combinationof the keys along thisvertical line. Thus, the number of distinct two-key linkswill be p2(p2−1)

2 −p× p(p−1)2 . The factor ofp in the second

expression is due to the fact that there arep vertical lineson the grid (sincex ∈ Zp). Therefore, the fraction oftwo-

combinationof keys that are valid isη =p2(p2−1)

2−

p2(p−1)

2p2(p2−1)

2

= (1− 1(p+1)) = p

(p+1) .Second point to be noted is that each two-key link

is repeated a number of times, a quantity which needsto found. From our previous analysis, the total num-ber of two-key links in a network ofp3 nodes isgiven as p4(p−1)2

4 . Now, the number ofdistinct two-

combinationof the keys possible isp2(p2−1)

2 −p× p(p−1)2 ,

as found earlier. Thus, each two-key link is repeatedψ =

total number of two-key linksnumber of distinct two-key links =

p4(p−1)2

4p2(p2−1)

2−p×

p(p−1)2

=

p(p−1)2

times in a network ofp3 nodes. Our final expres-sion for the expected number of two-key links compro-mised should include bothη andψ factors.

Thus, the expected number of two-key links compro-mised is given by

Expected number of two-key links compromised

= η × ψ ×

p2(p2 − 1)

(

1−

(

p3−p2

c

)

(

p3

c

)

)2

2

10

=

(

p

(p + 1)

)(

p(p− 1)

2

)

p2(p2 − 1)

(

1−

(

p3−p2

c

)

(

p3

c

)

)2

2

(4)

Now, let us find the total number ofkeyed linksina network ofp3 nodes. From our previous analysis, wefound that the total number of one-key links =p4(p−1)

and the total number of two-key links =p4(p−1)2

4 in anetwork ofp3 nodes. Thus,

Total number of keyed links = p4(p − 1) +p4(p− 1)2

4

=p4(p − 1)(p + 3)

4(5)

Therefore, the expected fraction ofkeyed linkscompro-mised is given by ((3) + (4))÷(5). That is,


=

4

(

1−

(

p3−p2

c

)

(

p3

c

)

)

+ (p− 1)

(

1−

(

p3−p2

c

)

(

p3

c

)

)2

(p + 3)(6)

To find the connectivity probability for the scheme, weneed to know the total number ofkeyed linksand thetotal number of linkspossiblein the network ofp3 nodes.The total number ofkeyed links, as found earlier, is givenas p4(p−1)(p+3)

4 and the total number of linkspossibleisgiven asp

3(p3−1)2 . Thus, the connectivity probability will

be

pcon =p4(p−1)(p+3)

4p3(p3−1)

2

=p(p+ 3)

2(p2 + p+ 1)(7)

E. Scheme 3: Complete Connectivity SchemeSince each node storesp keys and each node has

(n − 1) links, we should havep(p−1)2 = n − 1. Thus,

n = P = p(p−1)2 + 1. Now, the probability that a

particular key is not compromised whenc nodes are

captured will be(n−α

c)

(nc)

=(n−p

c)

(nc)

. Since there areP = n

keys in all, the expected number of keys compromised

is given asE(Xc) = n

(

1−(n−p

c)

(nc)

)

. Thus, the number

of two-key links compromised will beE(Xc(Xc−1)2 ) =

E(Xc)(E(Xc)−1)2 + V ar(Xc)

2 =n(n−1)

(

1−(n−p

c )(nc)

)2

2 . Now,there aren(n−1)

2 two-key links in a network ofn nodes.Thus, the expected fraction ofkeyed linkscompromisedwill be


=

n(n−1)

(

1−(n−p

c )(nc)

)2

2n(n−1)

2

=

(

1−

(

n−pc

)

(

nc

)

)2

(8)

We note that in this scheme,pcon = 1.

F. Comparison between the schemes

A comparison between various schemes for samestorage (p = 139) is given in Fig.5(a).

Figure 5(b) shows a plot of the probability of con-nectivity pcon with the number of nodes stored pernode p. Thus, the quadratic scheme performs betterin security but at the expense of connectivity and theline-based& the SBIBD-based schemes perform betterin connectivity at the expense of security. Now, aspbecomes large,pcon for the line-based scheme→ 1 andfor the quadratic scheme→ 1

2 which is why the curvesare almost horizontal for large values ofp.

We note that even though the storage is same, the de-gree two polynomial-based scheme accommodates manymore nodes than the line-based scheme (p3 instead ofp2). Because of the much increased number of nodes,the fractionpcon is smaller.

V. A GENERALIZED KEY ALLOCATION SCHEME AND

ITS ANALYSIS

The three schemes discussed before suggest a gener-alized class of key allocation algorithms. We identify theproperties that such a generalized scheme must satisfy.In this section, we do not consider any specific keyallocation algorithm; rather, our objective is to analyzean entire class of algorithms satisfying certain properties.The three schemes discussed in Section III are specificexamples of this class; indeed, they may be viewed asinstantiations of the general class of algorithms that weare concerned with.

The generalization presented here is significantly dif-ferent from the Symmetric BIBD schemes because weallow each node to shareat mostm keys with everyother node in the network, rather than exactlym keyswhich is the property of BIBD.

A. Generalized Key Distribution Scheme

Before presenting the analysis for the generalized case,we discuss some of the properties to be satisfied by thegeneralized class of key distribution algorithm.

1) The key pool set is partitioned into disjoint subsetssuch that the keys in each subset do not combineto generate aj-key link. In other words, a nodecan select at the most one key from any subset.This takes into account the factorη, the fractionof key combinations allowed (as defined earlier).

2) Any deterministic key distribution algorithm willsupport a maximum ofm keys that nodes canshare among themselves. For polynomial-basedschemes, the number of keys shared is at most

11

400 500 600 700 800 900 10000.88

0.9

0.92

0.94

0.96

0.98

1

Number of nodes compromised, c

Expe

cted

frac

tion

of k

eyed

lin

ks c

ompr

omis

ed, p

com

pr

Line−basedQuadraticSBIBD−based

p = 139n = P = p*(p−1)/2+1

(a) Security comparison between the three schemes

0 50 100 150 200 250 300

0.5

0.6

0.7

0.8

0.9

1

Number of keys stored per node, p

Pro

babi

lity

of c

onne

ctiv

ity,

pco

n Line −based Scheme Quadratic Scheme SBIBD−based Scheme

(b) Connectivity comparison

Fig. 5. Among the three schemes, the security measure of the quadratic scheme is best but it comes at the expense of connectivity. Theperformance of SBIBD based scheme is worst as compared to thepolynomial-based schemes.

m, while for SBIBD based scheme, the number isexactlym.

3) Each key is present in equal number of nodes, asdefined by the parameterα.

For polynomial-based schemes, property1 is satisfiedby choosing only one point from each vertical line in thegrid. For SBIBD, the number of disjoint subsets will besame as the number of elements in the key pool.

The setup for the generalized key allocation schemeis as follows:

1) The key pool set (of sizeP) is partitioned intoθdisjoint subsets, each set being of sizeω.

2) Each node is allocatedβ keys from the pool withthe following constraints:

a) No more thanm keys are shared between anypair of nodes.

b) Exactlyα nodes contain a particular keyc) At most one key can be chosen from each

disjoint subset. Thus, a particular disjointsubset will be present inωα nodes.

d) While allocating keys to the nodes, it isensured thatβ ≤ θ.

3) Number ofj-key links containing a particular keyis the same for all keys. In other words, there doesnot exist any special key set whose behaviour isdifferent from the rest of the keys’ set.

4) An algorithmΠ : Θ −→ N is defined to distributekeys from the key pool to the nodes in the networkwhereΘ is the set of subsets of disjoint subsetsandN denotes the set of nodes in the network.

In this paper, we will only concentrate on the analysisof the generalized scheme. Algorithmic aspects will bediscussed in our subsequent work.

B. Analysis of the Generalized Scheme

Our aim is to obtain a generalized expression for secu-rity and connectivity measures. Based on the generalizedscheme, we will first find the total number ofj-key linksin a network with parameters asn (the number of nodesin the network),γ (the number of no-key links per node),α (the number of nodes containing a particular keyκ)and β (the number of keys per node). Then, we willfind the expected number of links compromised by theadversary. Using the two quantities, we will obtain theexpression for the resilience measure.

The general expression for the number ofj-key linksK(j) is given as

Lemma 5.1:

K(j) =n

2

((

θ−j

m−j

)

ϕ(j)ω(m−j)

⌊

ω(θ −m)

β −m

⌋

− 1

)

(

β

j

)

−n

2

m∑

i=j+1

(−1)(i−j+1)

(

i

j

)

×

[((

θ−i

m−i

)

ϕ(i)ω(m−i)

⌊

ω(θ −m)

β −m

⌋

− 1

)

(

β

i

)

]


Here, ϕ(j) is a factor introduced to account for thegeneration of identical sets of disjoint subsets. Thesignificance ofϕ(j) will be clear if we consider thepolynomial-based schemes. In such schemes, each ofthe disjoint subset contains same type of elements{0, 1, . . . , (p−1)}, as shown in Fig. 6 forp = 5. We notethat for polynomial-based schemes, any set of(m + 1)disjoint subsets results in the same curve as any otherset of (m+ 1) disjoint subsets. Sincej sets are alreadyfixed, any set of(m−j) (< m) independent subsets will

12

Fig. 6. Partitioning of the key pool set

also result in same distribution of keys as any other set of(m−j) independent subsets. Thus,ϕ(j) for polynomial-based schemes will be

ϕ(j) =

(

θ − j

m− j

)

(9)

We note thatϕ(j) depends on the specific key distribu-tion algorithm.

Having obtained an expression for the number ofj-key links, we state the following theorem for the securityof a class of key distribution algorithm.

Theorem 5.1:pcompr =

∑mj=1

(P−j)!K(j)P! T (j)

n(n−1−γ)2

whereT (j) = E [Xc(Xc − 1)(Xc − 2) . . . (Xc − j + 1)]is known as thejth factorial moment of the distributionof Xc. Proof: In the Appendix.

Corollary 5.1: For sufficiently largec, the securitymeasure is given as

pcompr =

∑mj=1K(j)

(

1−(n−α

c)

(nc)

)j

n(n−1−γ)2


whereK(j) is given by Lemma 5.1.We observe that the security measure depends onn,

β, γ andα. We will see in the next section how one canadjust these independent parameters to suit the securityrequirements.

The connectivity measurepcon can be obtained bymaking use ofγ. Since the maximum number of linksper node can be(n− 1), we have:

Theorem 5.2:

pcon = 1−γ

n− 1

We observe that the connectivity measure depends onlyon n andγ and is independent of the other two designparameters:α andβ.

Also, we note thatθ, ω andm are not system designparameters and can be obtained by solving the followingset of three equations:

m∑

j=1

K(j) =n(n− 1− γ)

2(10)

1

P

m∑

j=1

jK(j) =α(α− 1)

2(11)

ω =P

θ(12)

Now, when we apply the developed framework, weobserve that the three schemes discussed earlier areinstantiations of this framework.

Line: P = p2, ω = p, θ = p, m = 1, n = p2, ϕ(j) =(

p−jm−j

)

, α = p, β = p, γ = p− 1;Quad: P = p2, ω = p, θ = p, m = 2, n = p3, ϕ(j) =

(

p−jm−j

)

, α = p2, β = p, γ = (p−1)(p2−p+2)2 ;

SBIBD: P = n, ω = 1, θ = P, m = 2, n = s(s−1)2 + 1, α

= s, β = s, γ = 0.

Equipped with general expressions forpcompr andpcon, we make the following observations:

• Sincepcompr =

∑

mj=1

nβδj

jα

(

1−(n−α

c )(nc)

)j

n(n−1−γ)

2

(in the proof

of Theorem 5.1), assumingn, δj ’s (the number ofj-key links containing a specific key) andpcompras constants, we observe that there exists a linearrelationship between storage and connectivity for agiven value ofc :

pcon = kβ (13)

wherek =

∑

mj=1

nδj

jα

(

1−(n−α

c )(nc)

)j

pcomprn(n−1)

2

. The above equation

says that, for the same level of security, one canincrease connectivity but only at the expense ofincrease in storage.

• The expression forpcompr for m = 2 can also beobtained in terms ofn, α, β andγ by solving Eqn.(10) and Eqn. (11) forK(1) andK(2) and then

13

0.1 0.12 0.14 0.16 0.18 0.2 0.220

0.02

0.04

0.06

0.08

0.1

0.12

Probability of connectivity, pcon

Exp

ecte

d fr

actio

n of

key

ed li

nks

com

prom

ised

, pco

mpr

α = 31β = 139c = 75n = β2

(a) Line-based Scheme

0.6 0.8 1 1.2 1.4 1.6

x 10−3

0

0.2

0.4

0.6

0.8

1x 10

−3

Probability of connectivity, pcon

Exp

ecte

d fra

ctio

n o

f ke

ye

d

links c

om

pro

mis

ed

, p

com

pr

α = 31β = 139n

2 = β3

c = 75

(b) Quadratic Scheme

Fig. 7. Variation ofpcompr with respect topcon; there exists a trade-off between security and connectivity: increasing connectivity decreasessecurity of the system and vice-versa.

substituting in the Theorem 5.1. We note thatP =nβα

. Thus, we have

pcompr =

2(

n(n− 1− γ) −nβ(α−1)

2

)

(

1−

(

n−αc

)

(

nc

)

)

n(n− 1− γ)

+

(nβ(α− 1)− n(n− 1− γ))

(

1−

(

n−αc

)

(

nc

)

)2

n(n− 1− γ)

(14)

By expressingγ in terms of pcon, we obtain arelation betweenpcompr and pcon. Figure 7 showsplots between the two, for the three schemes. Weexplicitly show here a widely accepted statementthat there exists a trade-off betweenpcompr andpcon. One can achieve better security but at theexpense of connectivity and vice-versa.

• Figure 8 shows plots forpcompr with respect toc (the number of nodes compromised by the ad-versary) for the three schemes, withα being theparameter. The plots show that the system becomesless secure as the number of nodes containing aparticular key increases.

C. Design Example

Now we consider a design example in which wefind appropriate values of the parameters satisfying thesystem constraints given by the user. For our example,we will considerm = 2, indicating that the nodes shareat most two keys. For this case, we use Eqn. 14 as theexpression forpcompr. We note here that sinceδ1 ≥ 0 andδ2 ≥ 0 in the proof of the Theorem 5.1,α cannot take allvalues and is limited by the constraintsα ≥ 1+ (n−1−γ)

β

andα ≤ 1+ 2(n−1−γ)β

. Also, sinceδ1 andδ2 should beintegers,(n− 1− γ) should be a multiple ofβ.

I 1 I 2 I 3 I 4

I 1 I 3 I 2 I 4

(ii)

(i)

Fig. 9. The two cases:(i) I2 < I3 and (ii) I2 ≥ I3

To start with, let the number of nodes in the networkben = n′. In our design, we would like to havepcon tobe at leasta (i.e., pcon ≥ a) and the security measureto be not more thanb for c = c′, the number of nodescompromised by the adversary (i.e., pcompr ≤ b at c =c′). In other words, we would like to have a system inwhich the security measurepcompr is always less thanb,for all values ofc less thanc′. Also, let us assume thatthe storage requirement isx ≤ β ≤ y. The reason whyone would like to have a minimum storage is because ofthe linear relationship betweenpcon andβ.

From the Theorem 5.2, we see thatγ ≤ n′(1−a). Letus assume thatγ = r wherer ≤ n′(1 − a). Now, sinceα ≥ 1 + (n−1−γ)

βandα ≤ 1 + 2(n−1−γ)

β, we have the

following four constraints corresponding to the allowedextreme values of theβ.

I1 : α ≥ 1 +(n′ − 1− r)

y(15)

I2 : α ≤ 1 +2(n′ − 1− r)

y(16)

I3 : α ≥ 1 +(n′ − 1− r)

x(17)

I4 : α ≤ 1 +2(n′ − 1− r)

x(18)

Based on the above constraints, one can have one ofthe two possibilities:(i) I2 < I3 and (ii) I2 ≥ I3, as

14

400 500 600 700 800 900 10000.94

0.95

0.96

0.97

0.98

0.99

1

Number of nodes compromised, c

Exp

ect

ed

fra

ctio

n o

f ke

yed

links

co

mp

rom

ise

d, p

com

pr

α = 139

α = 180

α = 200

α = 240

α = 260

α = 277

β = 139n = β2

γ = β−1

(a) Line-based Scheme

400 500 600 700 800 900 10000.75

0.8

0.85

0.9

0.95

1

number of nodes compromised, c

Exp

ecte

d fr

actio

n of

key

ed

lin

ks c

ompr

omis

ed, p

com

pr

α = 9799

α = 12000

α = 14000

α = 16000

α = 18000

α = 19597

β = 139n = β3

γ = (β−1)(β2−β+2)/2

(b) Quadratic Scheme

400 500 600 700 800 900 10000.94

0.95

0.96

0.97

0.98

0.99

1

number of nodes compromised, c

Exp

ecte

d fr

actio

n of

key

ed

links

com

prom

ised

, pco

mpr

α = 139

α = 118

α = 100

α = 90

α = 70

β = 139n = β(β−1)/2 +1γ = 0

(c) Complete Connectivity Scheme

Fig. 8. Variation ofpcompr with respect toα; As the number of nodes containing a particular key increases, the security of the systemdecreases. Butα cannot be arbitrarily small as it needs to satisfy the constraints:α ≥ 1 + (n−1−γ)

βandα ≤ 1 + 2(n−1−γ)

β.

18 20 22 24 26 28 300.62

0.64

0.66

0.68

0.7

0.72

0.74

0.76

0.78

0.8

Storage, β

Sec

urity

mea

sure

, pco

mpr

α = 6

α = 7

Fig. 10. Security measurepcompr w.r.t. storageβ with α = 6 andα = 7

shown in Fig. 9. In the first case, it is clear that thereexists no value ofα for which the storage constraintx ≤ β ≤ y is satisfied. Thus, in order to avoid thissituation, we should have the second case whereI2 ≥ I3which implies thaty ≤ 2x. Thus, we have

x ≤ β ≤ y ≤ 2x (19)

The consequence of the above relationship is that ifthe system designer puts a constraint on the maximumstorage value, then there exists a minimum value of thestorage below which the design does not exist at all.Now, in order to have more flexibility in choosing thestorage value, one needs to squeeze the interval betweenI3 and I2 (case(ii) in Fig. 9) which implies a lesserflexibility in choosing values forα (the number of nodescontaining a specific key) and thus, a trade-off.

To present a specific design, let us choose specificnumerical values of the parameters. Letn′ = 100, c′ =20, a = 0.9 and y = 30. Thus, r ≤ 10 and x ≥ 15.Let us assume thatr = 9 andx = 18. Now, I2 will beα ≤ 7 andI3 will be α ≥ 6. Thus, we have6 ≤ α ≤ 7.

Figure 10 shows a plot ofpcompr w.r.t. β for the twovalues ofα. The plot clearly shows that one cannotachievepcompr below 0.62 which means thatb > 0.62.Thus, with this design, the bestpcompr that one canachieve is≈ 0.62 at c′ = 20.

Now, let us consider a special case when our designdepends only on one parameter. All the three schemesdiscussed in the previous section belong to this category.We will take scheme-2 as an example. Letn′ = 125 andc′ = 10. Sincen = β3, the storage will beβ = 5. Withthis value of storage, the other parameters will beα =

β2 = 25 and γ = (p−1)(p2−p+2)2 = 44. Using Eqn. (6),

the expected fraction of keyed links compromised by theadversary =0.8584. In other words, our design should besuch that the security measure should be less than0.8584for all values of c less than10. Now, on simulatingthe above design, the expected fraction of keyed linkscompromised comes out to be0.8563, thus meetingthe user’s specifications and validating our analyticalexpressions.

VI. CONCLUSION

The paper discussed about key distribution in wirelesssensor networks. We presented three different schemes,each having advantages and disadvantages. A study ofthese schemes showed that links secured by two keys addto security. The degree two polynomial-based schemeperformed better in security but poorly in terms ofconnectivity. The line-based scheme performed betterin connectivity but poorly in terms of security. Finally,the complete connectivity scheme scored perfectly inconnectivity and performed variably in terms of security,as compared to the line-based scheme.

In a bottom-up approach for the key distributionprocedure, an analysis for a class of key distributionalgorithms is first carried out and then, subsequently,

15

the algorithm is presented. In this paper, we presentedthe first part of the procedure whereby we derivedgeneralized expressions for the security and connectivitymeasures, based on the learning from the three schemes.The expressions clearly showed that in order to designa system, one require four independent parameters: thenumber of nodes in the network, the number of no-key links per node, the number of nodes containing aparticular key and the number of keys per node.

Based on the generalized expressions, we explicitlyshowed some trade-offs between various design parame-ters. In particular, we showed that(i) for same security,one can increase connectivity but only at the expense ofincrease in storage,(ii) a trade-off exists between thesecurity and the connectivity measure and(iii) one cangain in security for less number of nodes compromisedbut only at the expense of lower security for largenumber of nodes compromised. Finally, with the help ofthe generalized expressions, we discussed an example fordesigning the security system with the given constraints.

The connectivity measure can be used for theenergyanalysis of a key exchange process, as discussed in[Gupta et al., 2007]. Withpcon in hand, a similar en-ergy analysis can be carried out for any key exchangealgorithm, thereby enabling an energy cost comparisonbetween various key exchange algorithms.

In this paper, we have only presented an analysisfor the generalized key allocation schemes. In our sub-sequent work, we plan to present a construction forthe distribution of keys to nodes based on the analysisand system requirements. Moreover, existence of suchan algorithm itself would be an interesting area ofexploration.

REFERENCES

[Akyildiz et al., 2002] Akyildiz, I. F., Su, W., Sankarasubramaniam,Y., and Cayirci, E. (2002). A survey on sensor networks. InIEEECommunications Magazine.

[Anderson, 1990] Anderson, I. (1990).Combinatorial designs: con-struction methods. Ellis Horwood Limited.

[Batina et al., 2006] Batina, L., Mentens, N., Sakiyama, K.,Preneel,B., and Verbauwhede, I. (2006). Low-cost elliptic curve cryptog-raphy for wireless sensor networks. InSecurity and Privacy inAd-Hoc and Sensor Networks, Third European Workshop, ESAS,volume 4357 ofLecture Notes in Computer Science, pages 6–17.Springer.

[Becher et al., 2006] Becher, A., Benenson, Z., and Dornseif, M.(2006). Tampering with motes: Real-world physical attacksonwireless sensor networks. InJ.A. Clark et al. (Eds.): SPC 2006,LNCS 3934, pages 104–118.

[Blom, 1985] Blom, R. (1985). An optimal class of symmetric keygeneration systems. InProc. of the EUROCRYPT 84 workshop onAdvances in cryptology: theory and application of cryptographictechniques, ISBN: 0-387-16076-0, pages 335–338, New York, NY,USA. Springer-Verlag New York, Inc.

[Bokareva1 et al., 2006] Bokareva1, T., Hu, W., Kanhere, S.,Ristic,B., Gordon, N., Bessell, T., Rutten, M., and Jha1, S. (2006).Wireless sensor networks for battlefield surveillance. InLandWarfare Conference, Brisbane.

[Camtepe and Yener, 2007] Camtepe, S. A. and Yener, B. (April,2007). Combinatorial design of key diistribution mechanisms forwireless sensor networks.IEEE/ACM Transactions On Network-ing, 15(2).

[Camtepe and Yener, 2005] Camtepe, S. A. and Yener, B. (March23, 2005). Key distribution mechanisms for wireless sensornetworks: A survey. Technical Report TR-05-07, RensselaerPolytechnic Institute, Computer Science Department. availableat http://www.cs.rpi.edu/research/pdf/05-07.pdf.

[Chan et al., 2003] Chan, H., Perrig, A., and Song, D. (2003).Random key predistribution schemes for sensor networks. InProceedings of IEEE Symposium on Research in Security andPrivacy.

[Chong and Kumar, 2003] Chong, C.-Y. and Kumar, S. P. (2003).Sensor networks: Evolution, opportunities, and challenges. InProceedings of the IEEE, volume 91, No.8.

[Conti et al., 2007] Conti, M., Pietro, R. D., and Mancini, L.V.(2007). Ecce: Enhanced cooperative channel establishmentforsecure pair-wise communication in wireless sensor networks. InAd Hoc Networks (Elsevier), volume 5(1): 49-62.

[Culler et al., 2004] Culler, D., Estrin, D., and Srivastava, M. (2004).An overview of sensor networks. InIEEE Computer Society.

[Du et al., 2004] Du, W., Deng, J., Han, Y. S., Chen, S., andVarshney, P. K. (2004). A key management scheme for wirelesssensor networks using deployment knowledge. InProceedings ofthe IEEE INFOCOM.

[Du et al., 2003] Du, W., Deng, J., Han, Y. S., and Varshney, P.K.(2003). A pairwise key pre-distribution scheme for wirelesssensor networks. InProceedings of the 10th ACM Conferenceon Computer and Communications Security (CCS).

[Eschenauer and Gligor, 2002] Eschenauer, L. and Gligor, V.D.(2002). A key-management scheme for distributed sensor net-works. In Proceedings of the 9th ACM Conference on Computerand Communications Security (CCS).

[Gupta and Kuri, 2008] Gupta, A. and Kuri, J. (2008). Deterministicschemes for key distribution in wireless sensor networks. In Pro-ceedings of the third IEEE/Create-Net/ICST Conference on COM-munication System softWAre and middlewaRE (COMSWARE).

[Gupta et al., 2007] Gupta, A., Nuggehalli, P., and Kuri, J. (2007).An efficient scheme for establishing pair-wise keys for wirelesssensor networks. InProceedings of the first annual workshopon WIreless Systems: Advanced Research and Development (WIS-ARD), Bangalore, India.

[Lee and Stinson, 2005a] Lee, J. and Stinson, D. R. (2005a). Acom-binatorial approach to key predistribution for distributed sensornetworks. InIEEE WCNC, pages 1200–1205.

[Lee and Stinson, 2005b] Lee, J. and Stinson, D. R. (2005b). De-terministic key pre-distribution schemes for distributedsensornetworks. InACM Symp. Applied Computing, volume LNCS 3357,pages 294–307.

[Liu and Ning, 2003] Liu, D. and Ning, P. (2003). Location-basedpairwise key establishments for relatively static sensor networks.In 2003 ACM Workshop on Security of Ad Hoc and SensorNetworks (SASN03), George W. Johnson Center at George MasonUniversity, Fairfax, VA, USA.

[Pietro et al., 2003] Pietro, R. D., Mancini, L. V., and Mei, A.(2003). Random key assignment for secure wireless sensornetworks. In2003 ACM Workshop on Security of Ad Hoc andSensor Networks, George W. Johnson Center at George MasonUniversity, Fairfax, VA, USA.

[Szewczyk et al., 2004] Szewczyk, R., Osterweil, E., Polastre, J.,Hamilton, M., Mainwaring, A., and Estrin, D. (2004). Habitat

16

monitoring with sensor networks. InCommunications of the ACM,volume 47, No.6.

[Uhsadel et al., 2007] Uhsadel, L., Poschmann, A., and Paar,C.(2007). Enabling full-size public-key algorithms on 8-bitsensornodes. InFourth European Workshop on Security and Privacyin Ad hoc and Sensor Networks - ESAS 2007, Lecture Notes inComputer Science, Cambridge, UK. Springer.

[Vasudevan and Sanyal, 2004] Vasudevan, R. and Sanyal, S. (2004).A Novel Multipath Approach to Security in Mobile Ad HocNetworks (MANETs). InProceedings of the International Confer-ence on Computers and Devices for Communication (CODEC’04),pages CAN0412 CO F 1–CAN 0412 CO F 4.

[Vasudevan et al., 2004] Vasudevan, R. A., Abraham, A., Sanyal,S., and Agrawal, D. P. (2004). Jigsaw-based Secure DataTransfer over Computer Networks. InProceedings of the IEEEInternational Conference on Information Technology, Coding andComputing (ITCC’04), pages 2–6.

[Wang and Li, 2006] Wang, H. and Li, Q. (2006). Efficient imple-mentation of public key cryptosystems on mote sensors (shortpaper). InInternational Conference of Information and Commu-nication Security (ICICS), pages 519–528, Raleigh, NC.

[Xu et al., 2007] Xu, D., Huang, J., Dowskin, J., Chiang, M., andLee, R. (2007). Reexamining probabilistic vs deterministic keymanagement in mobile ad hoc networks. InIEEE InternationalSymposium on Information Theory (ISIT), Nice, France.

[Yuichi Kaji and Matsumoto, 2006] Yuichi Kaji, H. M. and Mat-sumoto, R. (2006). Key predistribution schemes for sensornetworks using lines and points over a finite geometry. InIEEESECON(poster paper).

[Zhu et al., 2003] Zhu, S., Xu, S., Setia, S., and Jajodia, S. (2003).Establishing pairwise keys for secure communication in ad hocnetworks: a probabilistic approach. InProceedings of the 11thIEEE International Conference on Network Protocols (ICNP).

APPENDIX

PROOFS OFLEMMAS AND THEOREMS

Proof: [Lemma 4.1] To prove the lemma, weinvoke Lagrange’s Theorem for finite fields. It statesthat“For m ≥ 0, let x0, x1, . . . , xm be m + 1 distinctelements of a finite fieldF and let y0, y1, . . . , ym bem+1 arbitrary elements ofF . Then there exists exactlyone polynomialp(x) with coefficients in F and ofdegree≤ m such thatp(xj) = yj for j = 0, 1, . . . ,m.The polynomial is given by ”

p(x) =

m∑

j=0

bj

m∏

k=0,k 6=j

(xj − xk)−1(x− xk)

Sincep is prime, Lagrange’s theorem holds. Thus, wecannot have more thanm intersection points otherwisethe polynomial will not be unique.

Proof: [Lemma 4.2] Let thej given points beA1 =(x1, y(x1)), A2 = (x2, y(x2)), . . ., Aj = (xj , y(xj)).Now, in order to uniquely define a curveC : y(x), werequire(m + 1 − j) more grid points(xi, y(xi)), i =j+1, j+2, . . . , (m+1−j), other thanA1, A2, . . ., Aj .

This is because we require(m + 1) points to uniquelyconstruct anm degree polynomial by using Lagrange’smethod. But, for each value ofxi, there are

(

p1

)

ways inwhich y(xi) could be obtained (points corresponding tothe vertical line on the grid, for a given value ofx = xi[see Fig. 1]). As we require(m+1−j) points (apart fromA1, A2, . . ., Aj) to construct the curveC, the numberof ways in which such a curve could be constructed =p(m+1−j).

We note that even though there are(

p−jm+1−j

)

ways ofselecting(m+1−j) points, only one selection is actuallysufficient. This is because we are counting the samecurve

(

p−jm+1−j

)

times. Let us see why this is so. Given asetY = {yj+1, yj+2, ..., ym+1} of values ofy(x) corre-sponding to a particular setX = {xj+1, xj+2, ..., xm+1}of values ofx, there exists(p− (m+1)) values ofy(x)Y

′

= {ym+2, ym+3, ..., yp} corresponding to values ofxother than the(m + 1) values already used to generatethe unique curve. Now, let us define a setY

′′

= Y +Y

′

= {yj+1, yj+2, ..., ym+1, ym+2, ym+3, ..., yp} wherethese values are corresponding to the values ofx inthe setX

′′

= {xj+1, xj+2, ..., xp}. Choosing any of the(m + 1 − j) values ofx from the setX

′′

will result inthe same curve. Thus, each curve is counted

(

p−jm+1−j

)

times.Hence,p(m+1−j) curves pass throughj given points

A1, A2, . . ., Aj.

Proof: [Lemma 4.3] When an adversary capturescnodes, each of theP keys in the key pool are in any oneof the followingα+ 1 states:

• A0: a key in this state willnot be present in thecompromised pool of keys

• A1: a key in this state will be present onlyonce inthe compromised pool of keys

• A2: a key in this state will be present onlytwice inthe compromised pool of keys...

• Aα: a key in this state will be presentα times inthe compromised pool of keys

We note that hereα represents the number of nodescontaining a specific key, sayκ.

Let Yi, i = 0, 1, . . . , α be the random variable de-noting the number of keys in a particular stateAi. Now,whenc nodes are compromised, the total number of keyscompromised (including the repeated keys) =pc wherep is the key ring size for each node. Thus, for anyc, therandom variablesYi’s should satisfy the condition

1 ∗ Y1 + 2 ∗ Y2 + . . .+ α ∗ Yα = pc (20)

whereα is the number of nodes containing a specifickey.

17

Now, we are interested in the number of distinct keyscompromised which is given by the random variable

Xc = Y1 + Y2 + . . .+ Yα

We note that, for any value ofc, the following relation-ship holds:

P = Y0 + Y1 + Y2 + . . .+ Yα

which implies that

Xc = P − Y0 (21)

where Y0 and Xc are random variables andP is apositive constant (the key pool size). Thus, by knowingthe distribution ofY0, one can deduce the distribution ofXc and vice-versa.

Thus, the distribution ofXc can be found by usingthe expression in Eqn. (21). Letpc(i), i = 0, 1, . . . , α,denote the probability that a particular keyκ is in stateAi. Sinceα nodes contain the keyκ, the number of waysin which i nodes can be chosen from theseα nodes willbe(

αi

)

. So,pc(i) is given as

pc(i) =

(

αi

)(

n−αc−i

)

(

nc

) (22)

It can be seen thatmin(c,α)∑

i=0

pc(i) = 1

Now, let us find the probability thatYi = k which isnothing but the probability thatk out of P keys are instateAi. Now, assuming that each key takes a particularstate independent of other keys, it can be easily seen thatthe probabilityPr(Yi = k) is given as

Pr(Yi = k) =

(

P

k

)

pc(i)k(1− pc(i))

P−k

For i = 0, we have

Pr(Y0 = k) =

(

P

k

)

pc(0)k(1− pc(0))

P−k

Thus, the probability distribution ofXc is given by

Pr(Xc = k) = Pr(Y0 = P − k)

=

(

P

k

)

pc(0)P−k(1− pc(0))

k

(23)

wherepc(0) =(n−α

c)

(nc)

.

Proof: [Lemma 4.4] LetN denote the node setcorresponding to the nodes in the network. LetI

[ik]j

be the set ofj key sets each corresponding to theintersection points between a pair of polynomials of

degreem , yi(x) = amxm + am−1x

m−1 + . . .+ a0andyk(x) = bmx

m + bm−1xm−1 + . . .+ b0 , having

exactly j points of intersection. Let us also define thefollowing sets:

Xaj = {the set of all the sets of the form:

{{Ai, Ak}, I[ik]j } s.t. Ai, Ak ∈ N share exactly

j keys i.e., the set of all j-key links }

(24)

Y[ik]j = {the set of all the sets of the form:

{I[ik]j , κ1, . . . , κl} s.t. the nodes Ai, Ak

share exactly (j+l) keys containing j

keys from the set I[ik]j , ∀ l = 0, 1, 2, . . . ,

(m− j)} (25)

Z[ik]j = {the set of all the sets of the form:

{I[ik]j , κ1, . . . , κl} s.t. the nodes Ai, Ak

share exactly (j+l) keys containing j

keys from the set I[ik]j , ∀ l = 1, 2, . . . ,

(m− j)} (26)

X′

j = {the set of all the sets of the form:

{{Ai, Ak}, J[ik](.) } s.t. for each Ai, Ak ∈ N,

all the key sets J[ik](.) belong to the

corresponding set Y[ik]j } (27)

Xj = X′

j + xj (28)

where xj is the set accounting for over counting .

Wj = {the set of all the sets of the form:

{{Ai, Ak}, J[ik](.) } s.t. for each Ai, Ak ∈ N,

all the key sets J[ik](.) belong to the

corresponding set Z[ik]j } (29)

In other words,Xaj is the set in which a node pair

(Ai, Ak) results in an actualj-key link I[ik]j with all such

node pairs from the setN. Y[ik]j is the set of set of keys

in which each key set corresponds to anl-key link withj-keys belonging to the setI[ik]j (l ≥ j). Z[ik]

j is the same

set as the setY[ik]j but with the condition thatl > j. X

′

j

is the set in which each node pair(Ai, Ak) sharesl (≥ j)keys, with j keys belonging to the setI[ik]j . Wj is thesame set as the setXj but with the condition thatl > j.

Now, to find the number of elements in the setXj , wefirst find the number ofj-key links per node. Let us fixj (≤ m) keysκ1, κ2, . . . , κj , out of p (key ring size)

18

keys of a node, sayA. The number of nodes, other thannodeA, having the samej keysκ1, κ2, . . . , κj willbe (p(m+1−j) − 1) (using Lemma 4.2). But thej keysκ1, κ2, . . . , κj could be chosen in

(

pj

)

ways. Thus, thetotal number ofj-key links per node will be(p(m+1−j)−1) ×

(

pj

)

. Since there arep(m+1) nodes in all and sincelink from B → C is same as the linkC → B, we have

| Xj | =p(m+1)(p(m+1−j)−1)(p

j)

2 . But this cannot be takenas the actual number ofj-key links in the network. Thisis because| Xj | also includesj-key links from the keysconstituting a(j +1)-key link, a (j +2)-key link, . . ., am-key link.

Let us represent the number ofgeneratedj-key linksfrom the keys of ani-key link by | G

[j]i | where i =

(j + 1), (j + 2), . . . , m. Then, from the definitions ofXj andXaj , it is clear that| Xam | = | Xm | (Wm = φ)for a degree-m polynomial-based scheme. Now,

| Xam−1 | = | Xm−1 | − | Wm−1 |

| Xam−2 | = | Xm−2 | − | Wm−2 |... (30)

| Xaj | = | Xj | − | Wj |

But | Wm−1 |, | Wm−2 |, . . . , | Wj | can be written as

| Wm−1 | = | G[m−1]m |

| Wm−2 | = | G[m−2]m−1 | + | G[m−2]

m |

... (31)

| Wj | = | G[j]j+1 | + | G

[j]j+2 | + . . .+ | G[j]

m |

Thus, we have

| Xam−1 | = | Xm−1 | − | G[m−1]m |

Similarly, we have

| Xam−2 | = | Xm−2 | − | G[m−2]m−1 | − | G[m−2]

m |

...

| Xaj | = | Xj | − | G[j]j+1 | − | G

[j]j+1 | . . .− | G[j]

m |

Let us, now, find| G[j]i |, for i = j+1, j+2, . . . , m. The

number ofj-key links contributed by the keys of ani-keylink in Xai will be

(

ij

)

, wherei = j +1, j +2, . . . , m.Thus, we have

| G[j]i | =

(

i

j

)

| Xai |

Therefore, the number ofj-key links in a degree-mpolynomial-based scheme will be given as

| Xaj | = | Xj | −

(

j + 1

j

)

| Xaj+1 | −

(

j + 2

j

)

| Xaj+2 | − . . .

−

(

m

j

)

| Xam |

(32)

Rewriting the above equation in terms ofl (= m − j),we have

| Xam−l | = | Xm−l | −

(

m− l + 1

m− l

)

| Xam−l+1 |

−

(

m− l + 2

m− l

)

| Xam−l+2 | − . . .

−

(

m

m− l

)

| Xam |

(33)

Now, let us prove the formula forl = 1 and l = 2. Forl = 1, we have

| Xam | = | Xm |

=p(m+1)(p(m+1−m) − 1)

(

pm

)

2

For l = 2, we have

| Xam−1 | = | Xm−1 | −

(

m

m− 1

)

| Xam |

=p(m+1)(p(m+1−(m−1)) − 1)

(

p

m−1

)

2

−

(

m

m− 1

)(

p(m+1)(p(m+1−m) − 1)(

p

m

)

2

)

=p(m+1)

2(p(m+1−(m−1)) − 1)

(

p

m− 1

)

−p(m+1)

2

(

m

m− 1

)[

(p(m+1−m) − 1)

(

p

m

)]

The same expression can be obtained by substitutingj =(m− 1) in the formula to be proved.

Let us assume it to hold forl = k. That is, | Xam−k |is given as

| Xam−k | =

p(m+1)

2

m∑

i=m−k

(−1)(i−(m−k)+2)

(

i

m− k

)

×

[

(p(m+1−i) − 1)

(

p

i

)]

(34)

Now, let us prove it forl = k + 1. From equation (33),

19

we have

| Xam−(k+1) | = | Xm−(k+1) | −

(

m − (k + 1) + 1

m − (k + 1)

)

×

| Xam−(k+1)+1 | −

(

m − (k + 1) + 2

m − (k + 1)

)

×

| Xam−(k+1)+2 | − . . .

−

(

m − (k + 1) + (k + 1)

m − (k + 1)

)

| Xam |

= | Xm−(k+1) | −k∑

l=0

(

(m − k) + l

(m − k) − 1

)

| Xa(m−k)+l |

= | Xm−(k+1) | −k∑

l=0

[

(

(m − k) + l

(m − k) − 1

)

×

p(m+1)

2

m∑

i=m−k+l

(−1)(i−(m−k+l)+2)

(

i

m − k + l

)

×

[

(p(m+1−i)

− 1)

(

p

i

)]

= | Xm−(k+1) | −p(m+1)

2

k∑

l=0

(m−k+l)+(k−l)∑

i=m−k+l

(−1)(i−(m−k+l)+2)

(

(m − k) + l

(m − k) − 1

)(

i

m − k + l

)

×

[

(p(m+1−i)

− 1)

(

p

i

)]

(35)

Now, we consider only the summation factor. Writingfor each value ofl, we have

l = 0 : (−1)2 (m − k)!

1!(m − k − 1)!0!)

[

(p(k+1)

− 1)

(

p

m − k

)]

l = 1 :

(

(−1)1+2 (m − k + 1)!

1!(m − k − 1)!1!)+ (−1)

2 (m − k + 1)!

2!(m − k − 1)!0!)

)

×

[

(p((k+1)+1)

− 1)

(

p

m − k + l

)]

.

.

.

l = k :

k∑

r=0

(−1)r+2 (m − k + k)!

(r + 1)!(m − k − 1)!(l − r)!

(p(k+l)

− 1)

(

p

m − k + l

)

Thus, | Xam−(k+1) | is given as

| Xam−(k+1) | = | Xm−(k+1) | −

p(m+1)

2

(m−k)+k∑

i=m−k

i−(m−k)∑

r=0

(−1)r+2 i!

(r + 1)!(m − k − 1)!(i − (m − k) − r)!

×

[

(p(m+1−i)

− 1)

(

p

i

)]

= | Xm−(k+1) | −p(m+1)

2

(m−k)+k∑

i=m−k

i!

(m − k − 1)!×

i−(m−k)∑

r=0

(−1)r+2

(r + 1)!(i − (m − k) − r)!

×

[

(p(m+1−i)

− 1)

(

p

i

)]

Now, we consider the following expression

a∑

r=0

(−1)r+2

(r + 1)!(a − r)!=

1

(a + 1)!

a∑

r=0

(−1)r+2(a+ 1

r + 1

)

=1

(a + 1)!(36)

Using the above identity, we have

| Xam−(k+1) | = | Xm−(k+1) | −

p(m+1)

2

(m−k)+k∑

i=m−k

i!

(m − k − 1)!(i − (m − k) + 1)!

[

(p(m+1−i)

− 1)

(

p

i

)]

Using the expression| Xj | =p(m+1)(p(m+1−j)−1)(p

j)

2 , weobserve that the formula also holds forl = k+1. Hence,it holds for all l < m.

Proof: [Lemma 5.1] In case of the polynomial basedschemes, the expression derived for the number ofj-keylinks in a network is given by Lemma 4.4. Re-writingthe above expression in terms of the parameters definedabove, the number ofj-key links present in a networkof n nodes is given as

K(j) =n

2

(

(f(j)− 1)

(

β

j

))

−n

2

m∑

i=j+1

(−1)(i−j+1)

(

i

j

)[

(f(i)− 1)

(

β

i

)]

wheref(j) is defined as the number of nodes containinga specific collection of keys{κ1, κ2, . . . , κj}.

Now, let us try to find the most general expressionfor f(j). For this, let us partition the pool of keys intoθ disjoint sets, each containingP

θkeys (P = nβ

αis the

size of the key pool). Each of these sets has the propertythat the keys within each set do not combine to generatea link. Thus, a particular node can pick just one key perset.

Since we limit ourselves to a maximum ofm-keylinks, f(m) can be found by fixingm out of θ sets.Then, the number of nodes having samem-tuple of keyswill be equal to the number of sets (of size(β − m))into which (P −m) keys can be divided. Thus, we have

f(m) =

⌊

ω(θ −m)

β −m

⌋

(37)

whereω = Pθ

.Now, to find the expression forf(j) for j < m, we

fix j out of θ sets. The(m− j) sets can be chosen from(θ − j) sets in

(

θ−jm−j

)

ways. Since there areω keys ineach of the(m− j) sets, we have

f(j) =

(

θ − j

m− j

)

ω(m−j)

⌊

ω(θ −m)

β −m

⌋

(38)

Thus, the general expression for the number ofj-keylinks K(j) is given as

K(j) =n

2

((

θ−j

m−j

)

ϕ(j)ω(m−j)

⌊

ω(θ −m)

β −m

⌋

− 1

)

(

β

j

)

−n

2

m∑

i=j+1

(−1)(i−j+1)

(

i

j

)

×

[((

θ−im−i

)

ϕ(i)ω(m−i)

⌊

ω(θ −m)

β −m

⌋

− 1

)

(

β

i

)

]

whereϕ(j) is a factor introduced to account for thegeneration of identical sets of disjoint subsets. This

20

factor is introduced to nullify the extra counting whichcould be introduced by the factor

(

θ−jm−j

)

.

Proof: [Theorem 5.1] LetRj be the number oftimes a particular collection ofj keys{κ1, κ2, . . . , κj} isrepeated in the network andηj be the fraction ofj-keylinks allowed by the scheme (depends on the numberof disjoint sets into which the pool of keys is divided).Then, the security measure is given as

pcompr =

∑mj=1 ηjRjE

[

(

Xc

j

)

]

n(n−1−γ)2

Let us find the expression for each of thej factors inthe above equation. ExpandingE

[

(

Xc

j

)

]

, we have

E

[

(Xc

j

)

]

=1

j!E [Xc(Xc − 1)(Xc − 2) . . . (Xc − j + 1)]

=T (j)

j!(39)

whereT (j) = E [Xc(Xc − 1)(Xc − 2) . . . (Xc − j + 1)]is known as thejth factorial moment of the distributionof Xc.

Now, if δj denotes the number ofj-key links contain-ing a particular keyκ, allowed by the scheme, then wehave

ηj =δj

Rj(

P−1j−1

) (40)

Thus,pcompr will be

pcompr =

∑mj=1

(P−j)!δj(P−1)!

T (j)j

n(n−1−γ)2

(41)

What remains to be found is an expression forδj interms of the system design parameters. Since a specifickey is present inα nodes, the number of links amongthemselves will beα(α−1)

2 . Thus, we have the relation

m∑

j=1

δj =α(α− 1)

2(42)

Now, sinceK(j) is the number ofj-key links, thenumber ofdistinct j-keys links will be given asK(j)

Rj.

But the number of distinctj-links is also given by(

θj

)

ωj .Thus, we have

K(j)

Rj=

(

θ

j

)

ωj (43)

or Rj will be

Rj =K(j)(

θj

)

ωj(44)

Also, we have

δj = Rj

(

θ − 1

j − 1

)

ω(j−1)

=K(j)j

θω=K(j)j

P(45)

Thus, the security measure is given as

pcompr =

∑mj=1

K(j)j

P

(P−1

j−1)E

[

(

Xc

j

)

]

n(n−1−γ)2

(46)

To check the sanity of the above equation, substitutingXc by P, we have

pcompr =

∑mj=1

K(j)j

P

(P−1

j−1)

(

Pj

)

n(n−1−γ)2

=

∑mj=1K(j)

n(n−1−γ)2

= 1

Substituting various values in the Eqn. 46, we have

pcompr =

∑mj=1

(P−j)!K(j)P! T (j)

n(n−1−γ)2

(47)

where K(j) denotes the number ofj-key links in anetwork ofn nodes and is given by Lemma 5.1.

Proof: [Corollary 5.1] As discussed earlier, theprobabilitypc(0) that thec compromised nodes does notcontain a specific keyκ is given as

pc(0) =

(

n−αc

)

(

nc

)

whereα is the number of nodes containing a specifickey κ. Thus, the probabilitypc that a particular key iscompromised is given as

pc = 1− pc(0) = 1−

(

n−αc

)

(

nc

)

Now, since the probability distribution ofXc is ap-proximated by Binomial[P, pc] in Lemma 4.3,T (j) willbe nothing but thejth factorial moment for a binomialdistribution Binomial[n, p] and is given as

T (j) =n!

(n− j)!pj (48)

Thus, we have

E

[(

Xc

j

)]

=1

j!T (j)

=

(

P

j

)

pcj (49)

21

Thus, the security measure is given as

pcompr =

∑mj=1K(j)(1 − pc(0))

j

n(n−1−γ)2

(50)

Performance Analysis of Deterministic Key …sanyal/papers/Joy_Performance_Analysis...1 Performance Analysis of Deterministic Key Allocation Schemes for Wireless Sensor Networks Abhishek

Documents