redoubtable sensor networks

13

Redoubtable Sensor Networks

ROBERTO DI PIETROUniversita di Roma Tre, ItalyLUIGI V. MANCINI, ALESSANDRO MEI, and ALESSANDRO PANCONESISapienza - Universita di Roma, ItalyandJAIKUMAR RADHAKRISHNANTata Istitute of Fundamental Research, Mumbai, India

We give, for the first time, a precise mathematical analysis of the connectivity and security proper-ties of sensor networks that make use of the random predistribution of keys. We also show how toset the parameters—pool and key ring size—in such a way that the network is not only connectedwith high probability via secure links but also provably resilient, in the following sense: We for-mally show that any adversary that captures sensors at random with the aim of compromisinga constant fraction of the secure links must capture at least a constant fraction of the nodes ofthe network. In the context of wireless sensor networks where random predistribution of keys isemployed, we are the first to provide a mathematically precise proof, with a clear indication ofparameter choice, that two crucial properties—connectivity via secure links and resilience againstmalicious attacks—can be obtained simultaneously. We also show in a mathematically rigorousway that the network enjoys another strong security property. The adversary cannot partitionthe network into two linear size components, compromising all the links between them, unless itcaptures linearly many nodes. This implies that the network is also fault tolerant with respect tonode failures. Our theoretical results are complemented by extensive simulations that reinforceour main conclusions.

Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—Security and protection; C.2.1 [Computer-Communication Networks]: Network Architec-ture and Design—Wireless communication; C.2.4 [Computer Systems Organization]: computercommunication networks—Distributed Systems; D.4.6 [Operating systems]: Security and Pro-tection—Cryptographic controls; K.6.5 [Management of Computing and Information Sys-

tems]: Security and Protection; E.1 [Data]: data structures—graphs and networks

General Terms: Security, Design

Additional Key Words and Phrases: Wireless sensor network, random graphs, probabilistic keysharing, connectivity

Based on “Sensor Networks that are Provably Resilient” by Roberto Di Pietro, Luigi V. Mancini,Alessandro Mei, Alessandro Panconesi, Jaikumar Radhakrishnan which appeared in Proceed-

ings of 2nd International Conference on Security and Privacy in Communication Networks

(SecureComm), Baltimore, MD c© 2006 IEEE.Permission to make digital/hard copy of all or part of this material without fee for personal orclassroom use provided that the copies are not made or distributed for profit or commercial advan-tage, the ACM copyright/server notice, the title of the publication, and its date appear, and noticeis given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to poston servers, or to redistribute to lists requires prior specific permission and/or a fee. Permissionmay be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY10121-0701, USA, fax +1 (212) 869-0481, or [email protected]© 2008 ACM 1094-9224/2008/03-ART13 $5.00 DOI: 10.1145/1341731.1341734. http://doi.acm.org/

10.1145/1341731.1341734.

ACM Transactions on Information and Systems Security, Vol. 11, No. 3, Article 13, Pub. date: March 2008.

13: 2 · R. Di Pietro et al.

ACM Reference Format:

Di Pietro, R., Mancini, L. V., Mei, A., Panconesi, A., and Radhakrishnan, J. 2008. Redoubtablesensor networks. ACM Trans. Inform. Syst. Secur. 11, 3, Article 13 (March 2008), 22 pages.DOI = 10.1145/1341731.1341734. http://doi.acm.org/10.1145/1341731.1341734.

1. INTRODUCTION

A Wireless Sensor Network (WSN) is a collection of sensors whose size canrange from a few hundred sensors to a few hundred thousand or possiblymore. The sensors do not rely on any predeployed network architecture; thusthey communicate via an ad hoc wireless network. The power supply of eachindividual sensor is provided by a battery, whose consumption for both com-munication and computation activities must be optimized. Distributed in ir-regular patterns across remote and often hostile environments, sensors shouldautonomously aggregate into collaborative peer-to-peer networks. Sensor net-works must be robust and survivable to overcome individual sensor failureand intermittent connectivity (due, for instance, to a noisy channel or ashadow zone).

It is widely believed that WSNs can be useful in many diverse settings[Akyildiz et al. 2002], for instance, unattended surveillance, sensing in harshenvironments (ocean seabed), building access control, and to support point-to-point wireless multihop communication in infrastructureless environments.In many applications, establishing secure pairwise communications is very im-portant and, in some cases, critical. In particular, it is a prerequisite for theimplementation of secure routing, and it can be useful for secure group com-munications and secure data aggregation. However, due to the scarceness ofresources, public key cryptography may not be a viable solution. In this caseconfidentiality has to be enforced by using symmetric key algorithms [Perriget al. 2001]. Key management is thus a central issue in secure wireless sen-sor networks. One of the most promising approaches is the so-called random

predistribution of keys introduced by Eschenauer and Gligor [2002]. This modelis the object of study of this article.

We begin by describing the model introduced by Eschenauer and Gligor[2002]. A Secure Wireless Sensor Network (SWSN) is composed of N sensors.Each sensor is preassigned a key ring of k secret keys randomly drawn from acommon pool of K random keys. The sensors are then randomly deployed ina given geographical area. Two sensors share a secure communication link ifthey lie within communication range and they share a common preassignedkey. A first fundamental problem in secure wireless sensor networks is tochoose proper k and K such that the network is connected by using secure linksalone. This problem is addressed by Eschenauer and Eschenauer and Gligor[2002]. Their basic idea is that a SWSN can be considered to be a random graphin the sense of Erdos and Renyi [1960]. According to this well-known model, arandom graph of N vertices and parameter p is defined as follows: For everypair of vertices u and v, the edge uv is inserted with probability p by flippinga coin. Crucially, for every potential edge a new coin flip, independent of theprevious ones, is performed. Therefore edges exist independently of each other.


Redoubtable Sensor Networks · 13: 3

Fig. 1. Number of triangles in the Erdos and Renyi random graph and in the kryptograph as afunction of the network size.

Notice that a SWSN is generated by a completely different random process,and it is not clear that this process can be approximated and, if so, to whatextent, by a random graph in the sense of Erdos and Renyi. To appreciate theproblem, consider for instance the following situation. There are three sensorsx, y, and z, all within communication range, whose key rings are of size 2, andsuppose that the pool size is K = 104. Assume that we know already thatedges xy and yz exist. What is the probability that edge xz also exists? Ifwe assume independence, following Erdos and Renyi, then this probability is∼ 1

2500, but in reality Pr[xz exists | both xy and yz exist] ∼ 1

2. This choice of

parameters is made for the sake of clarity: The problem is present in everypractical situation.

In fact, random graphs and SWSNs have different structural properties, asillustrated in Figure 1, which reports the clustering coefficients and the num-ber of triangles for these two kinds of graphs. The clustering coefficient of avertex u is the number of links between neighbors of u divided by the num-ber of all such potential links, that is,

(deg(u)2

)

. The clustering coefficient of agraph is the average clustering coefficient, taken over all vertices. This quan-tity was introduced in the seminal paper by Watts and Strogatz [1998] in theirstudy of small-world networks and is a useful structural parameter of a net-work (see also Newman 2003 and references therein). All this clearly shows adiscrepancy between the classical Erdos-Renyi model proposed by Eschenauerand Gligor [2002] and the real networks generated by random predistributionof keys.



There are other difficulties. The Erdos-Renyi model assumes full-visibility:Any two devices can be connected by a direct link regardless of their geograph-ical position. There is no guarantee that the Erdos-Renyi Theorem as used byEschenauer and Gligor [2002] ensures a high probability of connectivity in thegeneral case, when devices are not within communication range. More impor-tantly perhaps, as shown in this article, using Erdos-Renyi is pessimistic in thesense that one can obtain connectivity using smaller key rings than prescribedby that model.

In this article, we present a precise mathematical analysis of SWSNs. Weremark that having a precise understanding of a model is always important,but especially so when security is at stake. Note a very important point inthis respect: If we keep K fixed and let k grow, the probability of connectivityincreases, but the security of the network decreases. Intuitively, if key ring sizeis large, then capturing just a few sensors is likely to be enough to reconstructthe entire pool and compromise the whole network. On the other hand, if k isvery small when compared to K, every key will be used by very few links, whichis good for security, but the network is likely to be disconnected. Thus, securityand connectivity are in conflict. It is a very important problem whether thereexists a choice of key ring size and pool size that ensures both. In this article,we show that the answer is yes.

Concerning connectivity, we show that if K ≥ N and

k2

K∼

log N

N(1)

then the network is connected with high probability—in fact, the condition

K ≥ N can be replaced by a weaker but more technical condition. The ratio k2

K

has a meaning. When k is small when compared to K, which is not only usuallythe case in the applications but also highly desirable for security reasons, theratio is roughly equal to the probability that a link exists between a given pairof nodes because

Pr[link exists] = 1 −(

1 −k

K

)k

∼k2

K

Further, note that when K ≥ N, condition 1 is in some sense optimal. As we

prove in this article, if the ratio k2

Kis smaller the network is likely to be discon-

nected; if the ratio is larger, the probability of connectivity can only improve.Let us now turn to security. A first observation is that the kind of stochastic

dependency exhibited by the model earlier described is bad for security. As-sume that an adversary is able to collect a subset of the sensors and extracttheir keys. Clearly, all links incident on captured nodes will be compromised,but can the damage extend to other links? The example above shows that oncea node u is captured, not only are the links incident to u compromised, but it islikely that many links between neighbors of u are also compromised. In gen-eral, the stochastic dependencies of the model can give raise to unexpectedcorrelations that an adversary can exploit and must therefore be carefullyanalyzed. If we make use of the Erdos-Renyi model, this crucial aspect iscompletely overlooked.



It is not hard to give examples where the adversary can compromise theentire network just by capturing a sublinear fraction of the vertices. The mainquestion is whether there exists a choice of the relevant parameters—key ringsize and pool size—such that, in essence, the damage is limited to the edgesincident on the captured nodes. In this article, we show that such a choiceof the parameters exists. Crucially, the same choice also ensures connectivity.The following definition embodies the notion of security just described. We saythat a network is redoubtable if the adversary needs to capture a large numberof nodes to compromise the confidentiality of the network. More precisely, thenetwork is redoubtable if any adversary that captures sensors at random withthe aim of compromising a constant fraction of the links must capture at leasta constant fraction of the nodes. Note that the random adversary is the onecommonly considered in the literature.

We formally prove that, if K ≥ N log N and k is chosen to satisfy (1), thenetwork is not only connected with high probability, but it is also redoubtable.For instance, we can choose k ∼ log N and K ∼ N log N. To the best of ourknowledge, this is the first asymptotic bound on the resilience of wireless sen-sor networks using random predistribution of keys. Note that results of thiskind cannot even be formulated in the Erdos-Renyi model.

We also establish in a mathematically rigorous way another strong secu-rity property. A random adversary cannot partition the network into two largechunks, that is, two linear size sets of vertices, and compromise all links be-tween them, unless it captures a linear fraction of the nodes. We call suchnetworks unsplittable and prove that our networks are unsplittable with highprobability. Note that this has implications for fault tolerance. Unless a linearnumber of nodes stop functioning, the network will remain connected.

Our results concerning connectivity, security, and unsplittability hold foruniform distribution of the nodes and standard network topology (square area),both in the full-visibility case (i.e., every two nodes are within communicationrange of each other) and in the general case.

To summarize, we show by a precise mathematical analysis how to designsensor networks that are at the same time connected (with high probability)and provably resilient. Thus, our results put on a firm theoretical foundationthe large body of experimental work that followed the original paper of Es-chenauer and Gligor and lay the foundations for the rigorous investigation ofsecurity properties.

Lastly, we complement the above-mentioned theoretical results with exten-sive simulations. The experiments support the conclusion that our designguidelines guarantee both connectivity and resilience for a wide interval ofpractical network sizes and communication ranges.

2. RELATED WORK

The idea of probabilistic key sharing for WSNs is introduced by Eschenauerand Gligor [2002]. The authors also provide a simple and centralized algo-rithm for rekeying in a distributed WSN. Later, Chan and colleagues [2003]describe three mechanisms in the framework of random key predistribution.



First of all, the q-composite random key predistribution scheme, a modificationof the basic scheme described by Eschenauer and Gligor [2002] achieves bet-ter security under small-scale attack while trading off increased vulnerabilityin the face of a large-scale physical attack on the network sensors. Secondly,the multipath key reinforcement protocol substantially increases the securityof the channel by leveraging the security of other links. Lastly, the randompairwise keys scheme assigns private pairwise keys to randomly selected pairsof sensors so as to guarantee that the rest of the network remains fully secureeven when some of the sensors have been compromised. Moreover, this latterscheme supports node-to-node authentication. Di Pietro and colleagues [2006]introduce a new protocol for fast and secure key discovery in the frameworkof random predistribution of keys. The protocol shows how pairs of nodes thatknow each other’s i.d. can compute what keys they share without exchang-ing additional messages. The protocol also guarantees minimal informationleakage and probabilistic authentication.

A preliminary result on secure connectivity for wireless sensor networksthat make use of random predistribution of keys was presented by Di Pietroand colleagues [2004]. In that article the authors prove that, if K = N/ log N,then for any choice of k ≥ 4, where k is bound to be a constant, the networkis connected with high probability. In this article we extend the connectivityresult to the general case when the key ring size is not a constant. In partic-ular, this also covers the more relevant case when the pool size can be largerthan network size. Furthermore, we extend the range of security propertiesthat are enjoyed by random key predistribution.

Two schemes build up a secure pairwise channel that combines a determin-istic technique with a predistribution random scheme. The first scheme is pro-posed by Du and colleagues [2003]. The authors use a deterministic protocolproposed by Blom [1985] that allows any pair of nodes in a network to find apairwise secret key. As a salient feature, Blom’s scheme guarantees a so-calledλ-secure property: As long as no more than λ nodes are compromised, the net-work is perfectly secure. A λ-secure data structure built this way is called akey space. Du and colleagues [2003] create a set W composed of ω key spacesand randomly assign up to τ spaces per sensor. Two nodes can find a commonsecret key if they have picked a common key space. The second scheme is pro-posed by Liu and Ning [2003]. In principle, this work is similar to that of Duand colleagues [2003], where Blundo and colleagues [1993] polynomial schemeis used instead of Blom’s. ECCE, a novel scheme to build up a secure pairwisechannel, is presented by Conti and colleagues [2007]. ECCE is a distributed,probabilistic, cooperative protocol to establish a secure pairwise communica-tion channel between any pair of sensors that do not share any predeployedkey by involving a set of sensors (cooperators) in the channel establishmentprotocol.

Connectivity properties have been studied for nonsecure wireless sensornetworks as well. Bettstetter [2002] uses a geometric random model to inves-tigate minimum node degree and h-connectivity. Using an asymptotic resultfrom Penrose [1999], Bettstetter experimentally shows how to compute a com-munication range r such that, for a given number of nodes and a given integer



h, the network is guaranteed to be h-connected. Equivalently, it is possible tocompute how many sensors are needed to cover a given geographical area withan h-connected network.

In 1945, E. Marczewski (see Karonski et al. 1999) considered graphs wheresets were associated with vertices and two vertices were connected if their as-sociated sets had an element in common. Recently, graphs obtained by choos-ing the sets randomly have been investigated [Fill et al. 2000; Karonski et al.1999; Singer-Cohen 1995; Stark 2004]. In these works, the sets associated withthe vertices are usually large. For a certain choice of parameters, this modelof random graphs is shown to be similar to the G(n, p) model of Erdos-Renyi.However, for the range of parameters of interest to us, these results are notapplicable.

3. PRELIMINARIES

We say that f (n) = o(1) if f (n) goes to zero as n goes to infinity. If an event(depending on n) happens with probability 1 − o(1), we say that it occurs withhigh probability or almost surely.

Fact 3.1 (Union Bound). Let E1, . . . , Em be m events. Then,

Pr

[

m⋃

i=1

Ei

]

≤m

∑

i=1

Pr [Ei]

Fact 3.2 (Chernoff-Hoeffding Bounds). Let X =∑n

i=1 X i where the X i’s areidentically and independently distributed in [0, 1]. Then,

Pr[X < EX − t] ≤ e−2t2/n

We recall some basic facts and definitions from graph theory (see, for in-stance, Bollobas 1998). As customary, V(G) and E(G) denote the vertex andthe edge set of a graph G, respectively. Given a graph G = (V, E), a cut is aproper subset S ⊆ V such that there is no edge connecting a vertex in S with avertex in V − S.

Fact 3.3. A graph G is connected if and only if it has no cuts.

The terms point, node, and vertex will be used interchangeably.

4. CONNECTIVITY OF SECURE WIRELESS SENSOR NETWORKS

The following definition exactly captures the kind of networks that are gener-ated with random predistribution of keys.

Definition 4.1. Let K be the size of a finite set of keys (the pool) and letk ≤ K be a fixed parameter. Let [K] = {1, 2, . . . , K} be the index set of the keysin the common pool of size K. The graph GN

r,k,K is defined as the geometricrandom graph obtained by the following procedure.

—First, each node u is assigned a subset of keys, its key ring, whose indexesare in Ku ⊆ [K] by sampling [K] without replacement k times.



—Second, the N nodes are distributed uniformly at random on the givensquare geographical area, which, without loss of generality, we assume tobe of side one (called the unit square).

—Third, uv is an edge if (a) the two nodes are within distance r and (b) Ku∩Kv 6= ∅.

The resulting graph GNr,k,K is called a kryptograph with parameters r, k, K and

N. In the special case in which every two nodes are within communicationrange, the so-called full visibility case, the resulting graph is denoted as GN

k,K .

In the sequel, for sake of simplicity we shall identify [K] with the set of keysand Ku with the key ring of a vertex u.

Note that all links of GNr,k,K are secure by definition (edge uv exists only

if vertices u and v share at least one key). Therefore, if the kryptograph isconnected, it is via secure links alone.

In the proof of connectivity we will assume that the key rings are generatedby sampling with replacement. This simplifies the analysis of connectivitywithout loss of generality. In fact, sampling without replacement can only bebetter, as it can be seen by the following coupling argument. Suppose eachnode picks a set of size k in the following way. It first picks a set by samplingwith replacement k times. Now, if the node did not pick k distinct elements,it picks whatever more is needed by sampling without replacement. So, inthe end, it has a set of size exactly k, and the distribution of this key ringis uniform. Thus, we can always assume that key rings sampled without re-placement were generated by this process, but the key rings we consider in theproofs (i.e., the first k samples) are actually subsets of the actual sets the nodeshold. So, if there is connectivity using sampling with replacement, there mustbe connectivity using sampling without replacement.

We now proceed to establish almost sure connectivity in the full visibilitycase under the following three assumptions on the parameters k and K. Thefirst is,

k2

K= c

log N

N(2)

where c ≥ 17 is a constant. Constant c tunes the relationship between keyring size, pool size, and the size of the network. In practice, a larger c meanseither a larger key ring or a smaller pool. The term k2/K is (very nearly) theprobability that a secure link exists between two given endpoints. It can beshown that if k2/K = o(log N/N), then the graph is disconnected with highprobability. Thus the condition k2/K = �(log N/N) is necessary to establishthat the graph is connected almost surely. If we establish connectivity undercondition (2), the result will follow immediately for higher values k2/K (by aneasy coupling argument). The second assumption is

K ≥ N (3)

In what follows, the weaker, but uglier condition(

N

s

)

≤(

K

ks/4

)



where s is the size of a vertex set, would do. We keep condition (3) because it iscleaner and always satisfied in practice. The last condition is

k ≥ 5 (4)

which, again, is easily satisfied in practice. To express our results in a para-meterized fashion we shall define

k := 2α (5)

where α ≥ 52 . The probability of connectivity will depend on the constants c

and α. As a rule of thumb the larger c and α the higher the probability ofconnectivity. In practical application, these conditions on the parameters areeasily seen to hold.

Definition 4.2. Let Sbe a set of vertices and let k(x) be the set of keys chosenby vertex x. We define

k(S) :=⋃

x∈S

k(x)

When the size of a set of vertices S is “small,” the expected size of k(S) is(roughly) sk. The next lemma says that it is unlikely that we deviate far belowthe expectation.

LEMMA 4.3. Assume conditions (2) through (4). Let S be the collection of

nonempty sets of vertices of size at most min{K/k, N/2}. Then

Pr

[

∃S ∈ S, |k(S)| ≤|S|k

4

]

≤ N

(

ec log N

N

)α

PROOF. By the union bound

Pr

[

∃S ∈ S, |k(S)| ≤|S|k

4

]

≤∑

s≤N/2

Pr[∃S, |S| = s, |k(S)| ≤ sk/4]

To estimate Pr[∃S, |S| = s, |k(S)| ≤ sk/4], we first choose a set S ⊆ V of size s.There are

(

N

s

)

many ways to do this. We then fix a set T ⊆ [K] of keys of size sk/4. This canbe done in

(

K

ks/4

)

different ways. Finally, we need to compute the probability that k(S) is includedin the set T. This probability is equal to

(

ks

4K

)ks

Therefore, recalling that N ≤ K and the basic inequality(

n

k

)

≤(en

k

)k



we have

Pr

[

∃S, |S| = s, |k(S)| ≤sk

4

]

≤(

N

s

)(

K

ks/4

) (

ks

4K

)ks

≤(

K

s

)(

K

ks/4

) (

ks

4K

)ks

≤(

K

ks/4

)2 (

ks

4K

)ks

≤(

4eK

ks

)ks/2 (

ks

4K

)ks

= eks/2

(

ks

4K

)ks/2

=

(

eks

4K

)ks/2

Let

p(s) :=

(

eks

4K

)ks/2

To compute the maximum value of this quantity as s varies, write it as

(zz)t

with

z :=eks

4K

and t = 2K/e. Note that z ≤ 1 and that t does not depend on s. The function zz

is monotone decreasing in the range z ≤ 1. So, the maximum is achieved forthe value of s, where z is as small as possible, that is, s = 1. The value of p(s)at s = 1 is

p(1) =

(

ek

4K

)k/2

≤(

ec log N

N

)α

(6)

By fixing the parameters c and α we can bound Pr[∃S ∈ S, |k(S)| ≤ |S|k/4] byany inverse polynomial (for large enough N), that is, N−t for any fixed t. In thefollowing corollary we commit to a particular choice of the parameters for therest of the section.

COROLLARY 4.4. Assume conditions (2) through (4). Let S be the collection

of nonempty sets of vertices of size at most min{K/k, N/2}. Then, for N large

enough,

Pr

[

∃S ∈ S, |k(S)| ≤|S|k

4

]

≤1

N

PROOF. If α ≥ 52 (i.e., k ≥ 5) the quantity

(

ec log N

N

)α

is (much) smaller than 1/N2, for N large enough.

LEMMA 4.5. Let Sbe a proper set of vertices and let x ∈ V − S. If k(x)∩k(S) 6=∅ then S is not a cut.

PROOF. Let a ∈ k(x) ∩ k(S). By definition, k(S) =⋃

y∈S k(y). Therefore thereexists z ∈ S such that a ∈ k(z). But then z and x have a key in common, andtherefore xz ∈ E.



The next theorem uses the previous two lemmas to establish that the graphis connected almost surely. The basic strategy is to prove that almost surelyno set of vertices is a cut. Lemma 4.3 says that, for all “small” sets S simul-taneously, the set of keys k(S) is almost surely “large.” Technically, this is thedifficult claim to establish because if S is “big” the odds that k(S) is “large” areeasily seen to be overwhelming (this is proven in the next theorem). Therefore,for all sets S simultaneously, k(S) is “large” with high probability. If we con-sider now the sets of vertices of type V − S we see in the following proof thatalmost surely there is a vertex x ∈ V − Ssuch that k(x) intersects both k(S) andits k(V − S). But this, by Lemma 4.5, implies that S is not a cut.

THEOREM 4.6. Assume conditions (2) through (4). Then, almost surely, the

graph is connected.

PROOF. We will show that, almost surely, there is no cut in the graph. Givenany nontrivial S ⊆ V, either Sor V−Shas size at most N/2. Therefore, withoutloss of generality we can assume that |S| ≤ N/2. Let E be the event: For all setsof vertices of size at most K/k, the size of k(S) is at least |S|k

4 . By Corollary 4.4,this event happens almost surely. We want to estimate the probability thatk(V − S) does not intersect k(S). Let s be fixed. Recalling the basic inequality1 − x ≤ e−x, by the union bound we have,

Pr[∃S, |S| = s, S is a cut | E] = Pr[∃S, |S| = s, k(S) ∩ k(V − S) = ∅ | E]

≤(

N

s

) (

1 −sk

4K

)k(N−s)

≤ Ns exp(−sk2(N − s)/4K)

≤ Ns exp(−sk2 N/8K)

= N−(c/8−1)s

where the last inequality follows from assumption (2). By summing over allsizes s and recalling that c ≥ 17, we have that the probability of having a cutin the graph is at most

N/2∑

s=1

N−(c/8−1)s ≤∞

∑

s=1

N−s ∼1

N

If K/k ≥ N/2, then we have already covered all cases. Otherwise, we haveto consider the sets of vertices of size s in the range K/k ≤ s ≤ N/2. Thereare at most 2N such sets. Assuming E , each such set has a key ring of size atleast K/4 (by restricting attention to a subset of size K/k). So, there exists anǫ > 0 such that the probability that one such set of vertices is a cut is at most,if k ≥ 5,

2N

(

1 −1

4

)kN/2

≤ 2−ǫN



To sum up:

Pr[∃S, S is a cut] ≤ Pr[∃S, S is a cut | E] + Pr[Ec] ≤1

N+ 2−ǫN +

1

N≪

3

N

for N large enough. The claim follows.

The proof of connectivity shows that the probability that the graph is notconnected goes to zero as N grows. How quickly this happens depends on theparameters c and α. In the experimental section we will show that for thekind of parameters that reflect practical usage the probability of connectivityis overwhelming. Here we try to get a feeling directly from the formulae. Byanalyzing the proofs one can see that the probability that the graph is discon-nected is at most

p :=

(

ek

4K

)α

+ 2N−(c/8−1) + 2N

(

3

4

)kN/2

Assume N = 28 = 256, K = 214 = 16,384 and that each sensor is given k =27 = 128 keys, which implies α = 64. With this choice we get c = 32. Assumingfurthermore for the sake of simplicity that logarithms are to the base 2, wehave that

p ≈ 2−23

Essentially the same results can be proven for the general, and more prac-tical case, when visibility is not full. Technically speaking the proofs would bemuch more involved without adding much in terms of new ideas. The generalcase will be fully analyzed in the experimental section.

5. SECURE WIRELESS SENSOR NETWORKS ARE PROVABLY RESILIENT

While connectivity is a fundamental property of SWSNs (we cannot really callit a network if it is disconnected), it is also fundamental to understand howresilient is a SWSN against external attacks.

We want to model the following attack: An external entity tampers withthe sensors and collects all the keys in the key rings. The sensors to tamperwith are chosen randomly among the ones yet to be compromised. The adver-sary’s goal is to be able to decrypt as many network messages as possible—thatmeans to collect as many keys as possible. This is the kind of an adversary thatis considered in the large majority of works on security for wireless sensor net-works in the literature. An equivalent attack can be carried on by a subset ofthe sensors in the network that are actually malicious and cooperate to subvertthe communication confidentiality by using all their knowledge and keys.

Definition 5.1. A collusion in a secure wireless sensor network is a subsetof the network sensors. Given a collusion, a key of the pool is compromised ifit belongs to the key ring of some sensor w in the collusion. We also say that,given two sensors u and v, secure link uv is compromised if and only if u andv share some keys (that is, the secure link exists) and all the shared keys arecompromised.



When random key predistribution is used, the adversary, by compromisinga sensor w, not only compromises all the communication links from sensor w

but also compromises a number of other links in the network—those using thesame compromised keys. This is a weakness. So, it is possible that the adver-sary takes control over a constant fraction of the network by compromising asublinear number of the sensors. When this is not possible, we say that thenetwork is redoubtable, that is, essentially secure against massive attacks.

Definition 5.2. A secure wireless sensor network is redoubtable if the proba-bility that a collusion of o(N) nodes uniformly chosen at random in the networkcompromises a constant fraction of the network links is o(1).

Note that the problem is probabilistic in nature; for example, it is possible thatall key rings turn out to be the same. In this case, by capturing just one node,the entire network is compromised. The point is that the key ring size and thepool size can be chosen in such a way that this event has negligible probability.This motivates our definition, where we stipulate that the probability of theunfavorable event is vanishingly small.

THEOREM 5.3. If a secure wireless sensor network is built in such a way that

k

K∼

1

N(7)

then the network is redoubtable.

PROOF. Let a collusion of c = o(N) nodes be uniformly chosen at randomin the network. Assume that the collusion can compromise a constant fractionof the network links with probability ǫ. Because every sensor is assigned k

keys, the collusion as a whole has a collection of o(kN) = o(K) compromisedkeys at most. Consider a secure link uv in the network. Clearly, Ku ∩ Kv

contains at least one key. Therefore, link uv is compromised with probabilityo(1). As a consequence, at most a fraction of o(1) edges are compromised, onaverage. This implies that also ǫ is o(1).

This result shows that secure wireless sensor networks can be designed in sucha way to be provably resilient. One of the key results of our work is to showthat there exists a way to choose the parameters k and K such that the networkis both redoubtable and connected with high probability. This is claimed in thefollowing corollary.

COROLLARY 5.4. If a secure wireless sensor network is built in such a way

that K ≥ N log N and such that

k2

K∼

log N

N(8)

then the network is redoubtable and connected with high probability.



PROOF. If k ∼ log N and k2

K∼ log N

N, then K ∼ N log N and the claim follows

immediately from Theorem 4.6 and Theorem 5.3. If k is asymptotically larger

and k2

K∼ log N

N, then

k

K= o

(

1

N

)

and Theorem 5.3 still holds.

Choosing k ∼ log N and K ∼ N log N minimizes the key ring size, which canbe especially important in devices with small memory, like sensors. If we takea larger key ring, say k ∼

√N, and set the pool size accordingly, that is K ∼

N2/ log N, we get a network that is provably resilient and connected with highprobability but not essentially more secure against massive attacks than theprevious one, in spite of the much larger key ring.

5.1 Unsplittable Networks

We now prove that a kryptograph enjoys other very strong security and fault-tolerance properties. Suppose that the aim of the adversary is to split thenetwork into two large chunks, both of linear size, and to compromise all linksbetween them, thereby partitioning the network. The goal is to control all theinformation flow between two large partitions, for instance to decrypt selectiveaggregated measurements from a large set of sensors. Is this possible by cap-turing few nodes, more specifically, by capturing the key rings of a sublinearfraction of the nodes? We show the probability that the random adversary cando this is negligible. Note that this also implies a strong fault tolerance. If asublinear number of nodes stop functioning, perhaps as a result of battery ex-tinction or malicious activity, the network cannot be partitioned into two largechunks. In other words, there will always be a giant component, while onlytiny fragments of the network can become disconnected from the network. Wenow define our notions precisely.

Assume that after the adversary selects o(N) nodes there exist two disjointsets of vertices A and B such that (a) all edges from A to B are compromisedand (b) they both have linear size. Such a pair is called a bad split.

Definition 5.5. A network is unsplittable if there are no bad splits after theadversary has captured o(N) nodes.

We will show that if the adversary captures t = o(N) many vertices then,with high probability, the network is unsplittable. In what follows we performour analysis for the full-visibility case. For the following analysis to work, weneed to assume c ≥ 17, where c is the constant of Assumption 2. We will alsoassume the premise of Corollary 5.4, namely that K ≥ N log N.

If the adversary captures o(N) vertices then, by our assumptions on k and K,it collects o(kN) = o(K) keys. So assume that the adversary owns o(N) verticesand o(K) keys. We will show that the remaining vertices form a connectedgraph with high probability and therefore that there is no bad set of linearsize. Let A be the set of keys owned by the adversary and let T be the set ofnodes it captured.



Definition 5.6. Let u ∈ V − T. We say that u is damaged if |Ku ∩ A| ≥ δk,where δ := 1

50 . A node that is not damaged is intact.

PROPOSITION 5.7. With probability 1−o(1), the number of damaged vertices

is o(N).

PROOF. Let A be the set of keys compromised by the adversary and let K

denote the pool. Fix any vertex u and compute the expected number of keysthat are compromised:

E[|Ku ∩ A|] = k|A||K|

= o(k)

Markov’s inequality states that, for a nonnegative random variable X ,Pr[X ≥ t] ≤ EX

t. So,

Pr[u is damaged] = Pr[|Ku ∩ A| ≥ δk] ≤o(k)

δk= o(1)

Let Xu denote the event that u is damaged and let X :=∑

u Xu be the numberof damaged nodes. Note that X is the sum of independent random variablesbecause nodes pick their keys uniformly at random; by the principle of deferreddecisions, we can assume that they make their choices after the adversary hasmade its choice. By linearity of expectation, E[X ] = o(N), and because X isthe sum of binary independent random variables, we can apply the Chernoff-Hoeffding bounds to X . It follows that, with probability 1 − o(1), X ≤ 2EX =o(N).

PROPOSITION 5.8. Let

k2

K≥ c

log N

N

where c ≥ 17 and K ≥ N log N. Then, with probability 1−o(1), the intact nodes

form a connected graph.

PROOF. Let K denote the pool and let A be the set of keys owned by theadversary. The intact nodes pick at least k′ = (1 − δ)k keys from the set K − A.So, we have

k′2

K≥

(1 − δ)2k2

K≥ (1 − δ)217

log N

N≥ 16

log N

N

Therefore assumptions (2) through (4) continue to hold, and because thechoices of the nodes restricted to K − A remain independent, we can applyTheorem 4.6 to the set of intact vertices, and the claim follows.

The two propositions, together with Corollary 5.4 and Theorem 4.6, imme-diately imply the following theorem.

THEOREM 5.9. Let GNk,K be a kryptograph (full-visibility case) such that

k2

K≥ c

log N

N

where c ≥ 17 an K ≥ N log N. Then, with probability 1 − o(1), the graph is at

the same time unsplittable, connected, and redoubtable. The term o(1) goes to

zero as N goes to infinity.



Fig. 2. Randomly generated secure sensor network of size 200. Communication range is 0.2,key ring size is 5, and pool size is 50. Lighter lines mean physical visibility, darker lines securevisibility. This graph is connected by using secure links alone.

Again, the result extends to the general case, when nodes can communicateonly if they are within communication range. The proof however would be verytechnical without adding much insight. Rather, we will rely on the experimentsfor a quantitative assessment (not solely asymptotic) of the kind of damagethat can be inflicted by the adversary in the general case.

6. SIMULATION RESULTS

As discussed in the introduction, the Erdos and Renyi random graph has beenused in the literature to model wireless sensor networks with random predis-tribution of keys. There are a number of problems with this approach. Toshow that the structure of a random graph and of a kryptograph are different,we have set up an experiment to measure the clustering coefficient of the twonetworks. In this experiment, we have set the key ring size to log N and thepool size to (1/2)N log N. This is enough to get connectivity in the full visibilitycase. Figure 1 shows the results: The kryptograph has a much higher numberof triangles (and consequently a much higher clustering coefficient). While thisdifference is small when N = 16, it gets larger and larger as the network sizegrows. When N = 128, the kryptograph shows twice the number of triangles ofthe random graph, and the gap keeps growing in larger networks. Moreover,the Erdos-Renyi model, as used by Eschenauer and Gligor [2002], leads to pa-rameter choices that are pessimistic. If you consider a sensor network of 1,000nodes, a communication range of 0.08 (e.g., if the network area is a square ofside 500 m, then the communication range is 500 m × 0.08 = 40 m), a keyring of 128 keys, and a probability of connectivity of 99.99%, then the pool size



Fig. 3. Randomly generated secure sensor network of size 200. Communication range is 0.2,key ring size is 5, and pool size is 100. Lighter lines mean physical visibility, darker lines securevisibility. The network has a few isolated sensors.

should be about 16,000 keys according to Eschenauer and Gligor [2002]. How-ever, with a careful tuning of constant c in Equation 2, it can be shown that thesame probability of connectivity can be obtained either with a smaller key ring(keeping the same pool size) or with a pool size of about 20,000 keys (keepingthe same key ring size). In both cases the network is connected, redoubtable,and unsplittable with high probability.

To help visualize the structure of secure wireless sensor networks, Figures 2,3, and 4 show three similar networks where the pool size is increased from50 to 100 and then to 150. Note that, as soon as the pool size is too big toguarantee connectivity, isolated sensors start to appear in the graph. This isperfectly analogous to what is predicted by well-known graph-theoretic resultson other random models and very important from a practical point of view.Indeed, even in the remote probability that our design methodology generatesa disconnected graph, it is almost surely connected except for a very smallnumber of isolated points.

In our experiments, we set the communication range to 0.2, while the net-work size N ranges from 1,000 to 10,000 sensors. To choose the parameters,we set c = 32 in Equation 2. Constant c depends on network density. Exper-imentally, c = 32 guarantees that high probability of connectivity holds fromvery-low-density networks. So, if we fix the key ring size to log N, then thepool size is equal to (1/32)N log N. Similarly, if we fix the key ring size to2 log N, then the pool size is equal to (1/8)N log N. Finally, a key ring size of8 log N implies a pool size of 2N log N. We performed a large set of experimentsfor all of the above options. These networks are virtually “always” connected,



Fig. 4. Randomly generated secure sensor network of size 200. Communication range is 0.2,key ring size is 5, and pool size is 150. Lighter lines mean physical visibility, darker lines securevisibility. The network has a slightly larger number of isolated sensors and even some very smalldisconnected components.

Fig. 5. Number of sensors that the adversary has to collect to compromise 50% and 25% of thenetwork links. Key ring size k is set to constant 10, and pool size K is set to 2N/ log N.



Fig. 6. Number of sensors that the adversary has to collect to compromise 50% and 25% of thenetwork links. Key ring size k is set to log N, and pool size K is set to (1/32)N log N.

meaning that we got no disconnected network among the 10,000 generated pereach parameter choice and network size.

Moreover, we performed experiments to validate our theoretical results onnetwork resilience. Figure 5 shows the number of sensors that the adversarymust collect to compromise 50% (and 25%) of the secure links in a networkwhere the pool size is set to N/ log N and the key ring to a constant. With theseparameters, the network is not redoubtable. Indeed, the graph in Figure 5 canbe almost exactly interpolated by function hN/ log N, for some constant h thatis sublinear. In a second experiment, we set the key ring to be a function ofN, specifically, to log N, and the pool size to (1/32)N log N. Our theory saysthat this choice leads to networks that are redoubtable. Experiments perfectlyconfirm our theoretical prediction—Figure 6 shows that, in this case, the num-ber of nodes that must be compromised grows linearly with the network size.These experimental evidences supports the asymptotic result in Theorem 5.3.

Lastly, we set up an experiment to support our theoretical result that theparameter choices that lead to a redoubtable network also lead to an unsplit-table network with high probability. Again, key ring size is set to log N andpool size to (1/32)N log N. Figure 7 shows the result: The number of sen-sors that the adversary has to compromise to split the network into two largedisconnected parts (each of them with at least one-third of the sensor nodes)



Fig. 7. Number of sensors that the adversary has to collect to split the network into two largedisconnected parts (each of them with at least one third of the sensor nodes of the network).Keyring size k is set to log N, pool size K is set to (1/32)N log N.

grows linearly with the network size, as predicted by our theory. Interestingly,the kryptograph turns out to be very resistant to this attack—it is not easy forthe adversary to split the network into two or more large chunks. When thenetwork has 10,000 sensors, the adversary must capture at least 1,200 sensorsand collect all of their key rings to be able to partition it.

7. CONCLUSION

In this article, we have shown that wireless sensor networks using randompredistribution of keys can be designed in such a way to be provably connectedand provably resilient against massive attacks with high probability. Specifi-cally, we formally prove that, if the key ring size and pool size are set accordingto our guidelines, the network is not only connected with high probability butit is also redoubtable and unsplittable, at the same time. Finally, extensivesimulations confirm our theoretical findings.

To the best of our knowledge, this is the first fundamental result that rig-orously combines two central properties of this kind of networks. We believethat the techniques developed in this article may be useful when applied tonon–purely random key predistribution protocols and other contexts as well.



ACKNOWLEDGMENTS

We would like to thank the three anonymous reviewers—their comments havebeen very useful to improve the quality of this article.

REFERENCES

AKYILDIZ, I. F., SANKARASUBRAMANIAM, Y., SU, W., AND CAYIRCI, E. 2002. Wireless sensornetworks: A survey. Comput. Netw. 38, 393–422.

BETTSTETTER, C. 2002. On the minimum node degree and connectivity of a wireless multihopnetwork. In Proceedings of the 3rd ACM International Symposium on Mobile ad hoc Networking

and Computing (MobiHoc02). 80–91.

BLOM, R. 1985. An optimal class of symmetric key generation systems. In Advances in Cryptol-

ogy: Proceedings of the 1984 International Conference of the Theory and Applications of Crypto-

graphic Techniques (EUROCRYPT’84), Lecture Notes in Computer Science, vol. 338.

BLUNDO, C., SANTIS, A. D., HERZBERG, A., KUTTEN, S., VACCARO, U., AND YUNG, M. 1993.Perfectly-secure key distribution for dynamic conferences. In Advances in Cryptology: Pro-

ceedings of the International Cryptology Conference (CRYPTO’92), Lecture Notes in ComputerScience, vol. 740.

BOLLOBAS, B. 1998. Modern Graph Theory. Springer.

CHAN, H., PERRIG, A., AND SONG, D. 2003. Random key predistribution schemes for sensor net-works. In Proceedings of the IEEE Symposium on Security and Privacy. Oakland, CA, 197–213.

CONTI, M., DI PIETRO, R., AND MANCINI, L. V. 2007. Ecce: Enhanced cooperative channel es-tablishment for secure pairwise communication in wireless sensor networks. Ad Hoc Netw. 5, 1,49–62.

DI PIETRO, R., MANCINI, L. V., AND MEI, A. 2006. Energy efficient node-to-node authenticationand communication confidentiality in wireless sensor networks. Wirel. Netw. 12, 6, 709–721.

DI PIETRO, R., MANCINI, L. V., MEI, A., PANCONESI, A., AND RADHAKRISHNAN, J. 2004. Con-nectivity properties of secure wireless sensor networks. In Proceedings of the 2nd ACM Workshop

on Security of ad hoc and Sensor Networks. ACM Press, New York, 53–58.

DU, W., DENG, J., HAN, Y. S., AND VARSHNEY, P. K. 2003. A pairwise key pre-distribution schemefor wireless sensor networks. In Proceedings of the 10th ACM Conference on Computer and Com-

munications Security (CCS’03). ACM Press, New York, 42–51.

ERDOS, P. AND RENYI, A. 1960. On the evolution of random graphs. Publ. Math. Inst. Hungar.

Acad. Sci. 5, 17–61.

ESCHENAUER, L. AND GLIGOR, V. D. 2002. A key-management scheme for distributed sensornetworks. In Proceedings of the 9th ACM Conference on Computer and Communications Security

(CCS). ACM Press, New York, 41–47.

FILL, J. A., SCHENERMAN, E. R., AND SINGER-COHEN, K. B. 2000. Random intersection graphswhen m = ω(n): An equivalence theorem relating the evolution of the g(n, m, p) and g(n, p) mod-els. Random Struct. Algor. 16, 156–176.

KARONSKI, M., SHEINERMAN, E. R., AND SINGER-COHEN, K. B. 1999. On random intersectiongraphs: The subgraph problem. Combin. Probab. Comput. 8, 131–159.

LIU, D. AND NING, P. 2003. Establishing pairwise keys in distributed sensor networks. In Proceed-

ings of the 10th ACM Conference on Computer and Communications Security (CCS’03). ACMPress, New York, 52–61.

NEWMAN, M. E. J. 2003. The structure and function of complex networks. SIAM Rev. 45,167–256.

PENROSE, M. D. 1999. On k-connectivity for a geometric random graph. Random Struct. Algor.

15, 2, 145–164.



PERRIG, A., SZEWCZYK, R., WEN, V., CULLER, D., AND TYGAR, J. 2001. SPINS: Security proto-cols for sensor networks. In Proceedings of the 7th Annual International Conference on Mobile

Computing and Networking (MobiCom’01). ACM Press, New York, 189–199.

SINGER-COHEN, K. B. 1995. Random intersection graphs. Ph.D. thesis, Department of Mathe-matical Sciences, The Johns Hopkins University.

STARK, D. 2004. The vertex degree distribution of random intersection. Random Struct. Algor. 24,249–258.

WATTS, D. J., AND STROGATZ, S. H. 1998. Collective dynamics of “small world” networks.Nature 393, 440–442.

Received February 2007; revised August 2007; accepted September 2007


redoubtable sensor networks

Documents