346
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 2, APRIL 2007
Combinatorial Design of Key Distribution Mechanisms for Wireless Sensor Networks Seyit A. Çamtepe, Student Member, IEEE, and Bülent Yener, Senior Member, IEEE
Abstract—Secure communications in wireless sensor networks operating under adversarial conditions require providing pairwise (symmetric) keys to sensor nodes. In large scale deployment scenarios, there is no priory knowledge of post deployment network configuration since nodes may be randomly scattered over a hostile territory. Thus, shared keys must be distributed before deployment to provide each node a key-chain. For large sensor networks it is infeasible to store a unique key for all other nodes in the key-chain of a sensor node. Consequently, for secure communication either two nodes have a key in common in their key-chains and they have a wireless link between them, or there is a path, called key-path, among these two nodes where each pair of neighboring nodes on this path have a key in common. Length of the key-path is the key factor for efficiency of the design. This paper presents novel deterministic and hybrid approaches based on Combinatorial Design for deciding how many and which keys to assign to each key-chain before the sensor network deployment. In particular, Balanced Incomplete Block Designs (BIBD) and Generalized Quadrangles (GQ) are mapped to obtain efficient key distribution schemes. Performance and security properties of the proposed schemes are studied both analytically and computationally. Comparison to related work shows that the combinatorial approach produces better connectivity with smaller key-chain sizes. Index Terms—Combinatorial design theory, generalized quadrangles (GQ), key-chains, key management, key pre-distribution (deterministic and hybrid), security in wireless sensor networks (WSN), symmetric balanced incomplete block design (BIBD).
I. INTRODUCTION AND PROBLEM DEFINITION N THIS WORK, we consider a sensor network in which sensor nodes need to communicate with each other for data processing and routing. We assume that sensor nodes are distributed to a target area in large numbers and their locations within this area are determined randomly. This type of sensor networks are typically deployed in adversarial environments such as military applications where large number of sensors may be dropped from airplanes. Secure communication between a pair of sensor nodes requires authentication, privacy and integrity. Therefore, there must be a secret key shared between a pair of communicating sensor nodes. Since the network topology is unknown prior to deployment, a key pre-distribution scheme is required where
I
Manuscript received October 5, 2004; revised August 6, 2005, and January 17, 2006; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor R. Caceres. A preliminary version of this paper appeared in Computer Security—ESORICS (European Symposium On Research in Computer Security), Proceedings, 2004, pp. 293–308. The authors are with the Computer Science Department, Rensselaer Polytechnic Institute, Troy, NY 12180 USA (e-mail:
[email protected]; yener@cs. rpi.edu). Digital Object Identifier 10.1109/TNET.2007.892879
keys are stored into ROMs of sensors before the deployment. The keys stored must be carefully selected so to increase the probability that two neighboring sensor nodes, which are within each other’s wireless communication range, have at least one key in common. Nodes which do not share a key may communicate through a path on which each pair of neighboring nodes share a key. The length of this path is called key-path length. Average key-path length is an important performance metric and design consideration. Common approach is to assign each sensor node multiple keys, randomly drawn from a key-pool, to construct a key-chain to ensure that either two neighboring nodes have a key in common in their key-chains, or there is a key-path. Thus, challenge is to decide on size of the key-chain and key-pool so that every pair of nodes can establish a session key directly or through a path. Key-chain size is limited by storage capacity of sensor nodes. Moreover, very small key-pool increases probability of key share between any pair of sensor nodes by decreasing security in that number of keys to be discovered by an adversary decreases. Similarly, very large key-pool decreases probability of key share by increasing the security. Eschenauer et al. in [1] propose a random key pre-distribution scheme where tens to hundreds of keys are uploaded to sensors before the deployment. In their solution, initially a large is generated. For each sensor, keys are rankey-pool of domly drawn from the key-pool without replacement. These keys and their identities form a key-chain which is loaded to the sensor node. Two neighboring nodes compare the list of key identities in their key-chains. Eschenauer et al. also propose to employ a Merkle Puzzle [2] similar approach to secure the key identities which requires too much processing and storage for a resource limited sensor node. After exchanging key identities, common keys are used to secure the link in between two sensor nodes. It may be the case that some of the neighboring nodes may not be able to find a key in common. These nodes can communicate securely through other nodes, through other secured links. Chan et al. in [3] propose a modification to the basic scheme of Eschenauer et al. They increase amount of key overlap required for key-setup. That is, common keys are needed instead of one to be able to increase the security of communication between two neighboring nodes. Their proposal requires larger key-chains and smaller key-pools than the original proposal of Eschenauer et al. In [4], common keys in the key-chains are used to establish multiple logical paths over which costly threshold key sharing scheme is used to agree on a new secret. Random-pairwise key scheme in [3] is based on Erdos and Renyi’s work; to achieve probability that any two nodes are nodes, each node needs securely connected in a network of
1063-6692/$25.00 © 2007 IEEE
ÇAMTEPE AND YENER: COMBINATORIAL DESIGN OF KEY DISTRIBUTION MECHANISMS FOR WIRELESS SENSOR NETWORKS
to store only a random set of pairwise keys instead of . This scheme provides perfect resilience since each pairwise key is unique. But, it cannot support large networks because the keychain size is linearly dependent on the network size. Camtepe et al. in [5] propose a deterministic pairwise key pre-distribution scheme based on expander graphs. Slijepcevic et al. in [6] propose that sensor nodes share a list of master keys, a pseudorandom function and a seed. Every sensor uses shared pseudorandom function and shared seed to select a network-wise or a group-wise master key. In [7] and [8], a polynomial-based key pre-distribution scheme is proposed for group key pre-distribution. In [9], polynomial pool-based key pre-distribution is used for pairwise key establishment. For each sensor, a random or a grid based pre-distribution scheme is used to select a set of polynomials from a pool of polynomials. In [10], Blom proposes a -secure key pre-distribution scheme where each node stores relatively small secret and public data from which it can derive a unique pairwise key for any neighbor. Each node stores a row of a private matrix and a column of a public matrix. A pair of nodes first exchange their public column information then each makes partial matrix multiplication to generate the common pair-wise key. Blom’s scheme is a deterministic scheme where any pair of nodes can calculate a common secret key. That is, probability of key share and average key-path length are both one. Blom’s scheme can resist capture of at most nodes; credentials stored in nodes are enough to recover all the keys used in the network. For the same key-chain size , our symmetric block design algorithm provides the same probability of key share and better resilience with the same storage requirements but without any costly multiplication operations. Du et al. in [11] use Blom’s scheme with private matrices to increase its resilience. Each node is randomly assigned rows from private matrices out of . It may be the case that two neighboring nodes do not share a key space. Unlike Du et al., we use smaller key-chains and Generalized Quadrangles (GQ) Block Design techniques to improve the resilience. In [12], Lee et al. propose two deterministic schemes: 1) ID-based one-way function scheme, and 2) multiple space Blom’s scheme where asymmetric key matrices are used instead of symmetric ones. They use a modification of Blom’s scheme on strong regular graphs and provide better resilience than the scheme proposed by Du et al. in [11]. A. Our Contributions and Organization of This Work The main contribution of this work is deterministic and hybrid approaches to the key distribution problem. In particular, we bring in a novel construction methodology from combinatorial design theory to address this problem. Although there are some applications of combinatorial design theory in cryptography and secret sharing [13]–[15], and in network design [16], [17], to the best of our knowledge this work is the first to apply design theory to key distribution in distributed wireless sensor networks [18], and others followed on this approach [19]. Our analysis indicate that deterministic approach has strong advantages over the randomized one since: 1) it increases probability that two nodes share a key, and 2) it decreases average key-path length.
347
This paper is organized as follows. In Section II, we provide a brief background to combinatorial design theory without exceeding the scope of this paper. In Section III, we introduce our key distribution construction and explain the mapping from design theory to this practical problem. In Section IV, we address scalability issues. In Section V, we present our analysis and comparison with randomized methods. Finally in Section VI, we conclude. II. BACKGROUND ON COMBINATORIAL DESIGNS A. Basics Combinatorial design theory is interested in arranging elements of a finite set into subsets to satisfy certain properties. A Balanced Incomplete Block Design (BIBD) is one of such designs. A BIBD is an arrangement of v distinct objects into b blocks such that each block contains exactly k distinct objects, each object occurs in exactly r different blocks, and every pair of distinct objects occurs together in exactly blocks. The de, or equivalently , sign can be expressed as and . where: In this paper, we are interested in the Finite Projective Plane which is a subset of Symmetric BIBD. Finite Projective Plane of consists of points and lines of the projective space of didimension 2 and order . A projective space mension over a field is constructed from the vector space of dimension over as follows: (i) objects are all subspaces of the vector space, (ii) two objects are incident if one contains the other. Subspaces with dimensions 1, 2, and are called points, lines, and hyperplanes, respectively. Order of a projective space is one less than the number of points incident consists of to a line. For example, projective space points and lines which are dimension 1 and 2 subspaces of the vector space with dimension 3, respectively. Order of is , meaning that each line includes points. A partial linear space provides arrangements of objects into subsets in a form of incidence structure in which subsets are called as lines. An incidence structure can be defined as a set of points and a set of lines with a symmetric relation of incidence between points and lines. A symmetric point-line inci(point is dence relation for point and line is then (line includes point ). A partial linear on line ) and space has two properties: 1) every line is incident with at least two points, and 2) any two points are incident with at most one line. A partial geometry is a partial linear space where: 1) the number of points on a line is constant; 2) the number of lines through a point is constant; and 3) given a point not on a line , the number of points on collinear with is constant. In this work, we are interested in Finite Generalized Quadrangles (GQ) which is a special case of the partial geometry. In the following two sections, we define Symmetric BIBD, Finite Projective Planes, and Finite Generalized Quadrangles in detail. B. Symmetric BIBD A BIBD is called Symmetric BIBD or Symmetric Design when and therefore [20]. A Symmetric Design has four
348
properties: 1) every block contains objects; 2) every obblocks; 3) every pair of objects occurs in ject occurs in blocks; and 4) every pair of blocks intersects on objects. Example 1: Consider or equivaSymmetric Design. Let lently be a set of objects. There blocks and each block contains objects. are Every object occurs in blocks. Every pair of distinct block and every pair of blocks interobjects occurs in object. Based on the construction algorithm sects in described in Section III-A2, the blocks are: . A Finite Projective Plane consists of a finite set of points and a set of subsets of , called lines. For an integer q where , Finite Projective Plane of order q has four properties: 1) every line contains exactly points; 2) every point occurs lines; 3) there are exactly points; and on exactly lines. If we consider lines as blocks 4) there are exactly and points as objects, then a Finite Projective Plane of order q is a Symmetric Design with parameters [20]. , there exist a Symmetric DeFor every prime power sign (Finite Projective Plane of order ) [21, Theorem 2.10]. Finite projective plane of order consists which corof points and lines of the projective space respond to 1 and 2 dimension subspaces of the vector space with dimension 3. with a set of Given a block design objects and of blocks where each block contains exactly objects, Complementary Design has the complement blocks as its blocks for . is a block design with parameters where [20, Theorem 1.1.6]. If is a Symmetric Design, then is also a Symmetric Design [20, Corollary 1.1.7]. Example 2: Consider Symmetric Design of Example 1. Complementary Design of this design . Given the same is objects, there are blocks and set of each block contains objects. Every object occurs blocks. Every pair of distinct objects occurs in in blocks, and every pair of blocks intersects on objects. The Complementary Design blocks are: , .
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 2, APRIL 2007
with , 3) If is a point and is a line not incident for which then there is a unique pair . In a , there are points and lines where each line includes points and each lines. In this work, we are interested in point appears on from three known GQs as defined in [22] and [23]: 1) projective space ; 2) from projective space ; and 3) from projective space . , lines are mapped to For example in blocks and points are mapped to objects where there are blocks and objects. Each block contains objects, and each object is contained in blocks. GQ parameters are given in Table II and will be discussed in the next section. for . Example 3: Consider blocks and objects where each There are objects and each object is conblock contains blocks. Assume the set of objects tained in . Based on the construction algorithm given in Section III-B2, the blocks are: . Blocks and do not share an object. But, there are three other blocks sharing an object with each: 1) block shares objects 0 and 7; 2) block shares objects 3 and 1; and 3) block shares objects 4 and 9. Example 4: Complementary Design of Example 3 has blocks where each block has objects:
C. Finite Generalized Quadrangle is an incidence A Finite Generalized Quadrangle where and are disjoint and structure nonempty sets of points and lines, respectively, and is a symmetric point-line incidence relation satisfying the following axioms: lines and two 1) Each point is incident with distinct points are incident with at most one line. points and two 2) Each line is incident with distinct lines are incident with at most one point.
III. COMBINATORIAL DESIGN TO KEY DISTRIBUTION In the following two sections, we describe how Symmetric Designs and Generalized Quadrangles are used to generate keychains for the sensors in a sensor network.
ÇAMTEPE AND YENER: COMBINATORIAL DESIGN OF KEY DISTRIBUTION MECHANISMS FOR WIRELESS SENSOR NETWORKS
349
TABLE I MAPPING FROM SYMMETRIC, GQ AND HYBRID DESIGNS TO KEY DISTRIBUTION
A. Mapping From Symmetric Design to Key Distribution In this work, we are interested in Finite Projective Plane of order which is a Symmetric Design (Symmetric BIBD) with parameters . 1) Mapping: We assume a distributed sensor network where there are sensor nodes. Sensor nodes communicate with each other and require pairwise keys to secure their communication. keys which is stored to it Each sensor has a key-chain of before the deployment. Keys are selected from a set of keypool. Two sensor nodes need to have keys in common in their key-chains to secure their communication. Based on this, we define the mapping given in Table I. For a sensor network with nodes, a Symmetric Design with blocks needs to be constructed by using a set with objects. That means for a prime power [20]. Each object in can be associated with a distinct random key and each block can be used as a key-chain, key-chains each having providing keys. Symmetric Design guarantees that any pair of blocks have objects in common, meaning that any pair of key-chains or key in common. equivalently sensor nodes have 2) Construction: There are several methods to construct . Symmetric Designs of the form One approach is to find points and lines of the projective . Another approach is to use Difference space difference set is a set Method. A cyclic of distinct elements in such that each one of the non-zero elements, say , can be expressed in ways where in the form of [20, Definition 2.1.1]. Then, blocks of the Symmetric Design can be obtained by [20, Theorem 2.1.3]. For example, difference set can be used to generate (7, 3, 1) Symmetric Design which is isomorphic to design given in Example 1 with the following object renaming: and . Difference sets for small designs are listed in [20]. But, generating a difference set for a large design is not trivial [20, Theorem 2.5.2]. Mutually OrthogIn this work, we use complete set of onal Latin Squares (MOLS) to construct Symmetric Design. A latin square on symbols is a array such that each of the symbols occurs exactly once in each row and in each column. The number is called order of the square. If and are any two arrays, the join array whose th element is the pair of A and B is a . Latin squares and of order are orthogonal if all entries of A join B are distinct. Latin squares
are MOLS if they are orthogonal in pairs. For prime power , a MOLS of order is called a complete set [20]. A set of complete set of MOLS can be used to construct affine design. Affine plane of order plane of order which is a q can be converted to a projective plane of order q which is a Symmetric Design. The construction algorithm is summarized in Algorithm 1. The algorithm accepts MOLS in network size . It generates a complete set of , constructs the affine plane of order step 2 in ( -design) from MOLS in step 3 in , and finally converts the affine plane into the projective plane in step . Thus, the overall running time of the algorithm is 4 in where is the object set size. Algorithm 1: Symmetric Design Require 1. Find minimum prime power 2. Construct
s.t.
;
MOLS of order ; [20, Theorem 5.1.1]
blocks of affine plane of order ; 3. Construct [20, Theorem 1.3.5] 4. Affine Plane
Projective Plane. [20, Theorem 1.2.5]
3) Analysis: Symmetric Design has a very nice property that any pair of blocks share exactly one object. The probability of , so that key share between any pair of nodes is Average Key-Path Length is 1. Resilience is an important security metric, but it contradicts with probability of key share because as more keys are shared between blocks more blocks are effected by compromise of a block. Thus, our symmetric algorithm provides better probability of key share than probabilistic algorithms by sacrificing the resilience. We first look at the amount of blocks to be captured to compromise the object set. There are two ways to capture nodes: selectively or randomly. In the case of selective capture, we may simply assume that the attacker has ability to monitor whole network and selects the nodes wisely. Since for a Symmetric Design with key-chain size is nodes and keys, an attacker needs at least key-chains to be able to recover the key-pool. A wise attacker may select to capture the nodes which have the same specific key in their key-chains. From the properties of Symmetric Design, we such key-chains. Since every pair of know that there are keys keys can occur in exactly one key-chain then every
350
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 2, APRIL 2007
must be pairing with the specific key in these key-chains. But, an unlucky attacker who selects the nodes randomly might key-chains which do not include the specific be capturing key. Therefore, an unlucky attacker may need to capture key-chains to be able to recover the key-pool. In terms of resilience, we are interested in the probability that a link is compromised when an attacker captures x key-chains. This probability can also be considered as a fraction of compromised links between uncompromised nodes [1], [3], [12], [14]. The resilience of Symmetric Design is compared with two basic key pre-distribution schemes: random [1] and q-composite [3]. In the q-composite key scheme, two sensor nodes need or more common keys among their key-chains to secure their links. The random key pre-distribution scheme [1] is equivalent to the . The probability that a link is q-composite scheme for compromised when an attacker captures key-chains is defined by Chan et al. in [3] as
The probability that one or more of includes key can be defined as
compromised blocks
Note that . When , the whole key-pool becomes compromised. The probability that a link is compromised when an attacker captures key-chains in Symmetric Design can be defined as
(1) (2) is the key-pool size, is the key-chain size, is where the probability that a link is established with keys and . Chan et al. [3] define as
The probability that a link is compromised when an attacker captures key-chains in Symmetric Design can be defined as
where: • event that a given link is secured with key ; event that a given link is secured; • event that a link secured with key is compromised; • event that a link is compromised; • • event that a block which includes key is compromised; event that nodes, thus key-chains are captured. • For a Symmetric Design with parameters , the probability that a link is secured is 1. A key can appear in of blocks and a link is secured with a key if it is included in key-chains of both nodes of the link. Thus
In Fig. 1, the resilience of Symmetric Design is compared with random [1] and q-composite [3] key pre-distribution schemes based on (1) and (2). Symmetric Design slightly sacrifices resilience while providing probability of key share 1. is not a Symmetric Design of the form , scalable solution itself. Given a fixed key-chain size . For networks it can support networks of size , simply some of the blocks may not of size be used, still preserving key sharing probability . , key-chain size must For the networks where be increased; that is, must be increased to next prime power. Due to memory limitations of a sensor node, this may not be a good solution. Moreover, such an increase in may produce designs which can support much bigger networks than required. In probabilistic key distribution schemes, it is always possible to increase the size of the key-pool for a fixed key-chain size to increase the possible number of distinct key-chains. But, such an approach sacrifices the key share probability and requires better connectivity at underlying physical network. It is possible to merge deterministic and probabilistic designs to inherit advantages of both. Later in Section IV, we propose Hybrid of Symmetric and Probabilistic Designs to cope with scalability probblocks of Symmetric Design lems. Basically, we use and select uniformly at random remaining blocks among -subsets of the Complementary Symmetric Design. B. Mapping From Generalized Quadrangles to Key Distribution In this work, we are interested in three known : , , and . Table II gives details about their parameters. 1) Mapping: Consider a sensor network with nodes where each node requires a key-chain having keys coming from a key-pool . Assume also that not all pairs of neighboring nodes need to share a key directly; they can communicate through a
ÇAMTEPE AND YENER: COMBINATORIAL DESIGN OF KEY DISTRIBUTION MECHANISMS FOR WIRELESS SENSOR NETWORKS
351
Fig. 1. Resilience Comparison. (a) Resilience of Symmetric Design is compared with random [1] and q-composite [3] key pre-distribution schemes. Solutions are compared for the same key-pool size P = 39801 and key-chain size k = 200. Probability of key share for random scheme and q-composite scheme with (q = 1) is 0.6358, with (q = 2) is 0.2661 and with (q = 3) is 0.0803. Symmetric Design slightly sacrifices resilience while providing probability of key share of 1. (b) Resilience of GQ(q; q ) is compared with random and q-composite key pre-distribution schemes. Solutions are compared for the same key-pool size P = 106080 and key-chain size k = 48. Probability of key share for random scheme and q-composite scheme with (q = 1) is 0.0215, with (q = 2) is 2:2 10 and with (q = 3) is 1:4 10 . GQ(q; q ) has probability of key share 0.0213 and provides similar resilience as random scheme. (c) Resilience of GQ(q; q ) is compared with random and q-composite key pre-distribution schemes. Solutions are compared for the same key-pool size P = 88452 and key-chain size k = 18. Probability of key share for random scheme and q-composite scheme with (q = 1) is 0.0037, with (q = 2) is 5:9 10 and with (q = 3) is 5:7 10 . GQ(q; q ) has probability of key share 0.0037 and provides better resilience than random and q-composite key pre-distribution schemes. Due to scaling, curve for GQ(q; q ) seems to be linear, but it is not. In the worst case for an adversary, 1424770 out of 1425060 nodes need to be captured to compromise all communications. (d) Resilience of GQ(q ; q ) is compared with random and q-composite key pre-distribution schemes. Solutions are compared for the same key-pool size P = 81276 and key-chain size k = 26. Probability of key share for random scheme and q-composite scheme with (q = 1) is 0.0083, with (q = 2) is 3:1 10 and with (q = 3) is 7:5 10 . GQ(q ; q ) has probability of key share 0.0083 and provides better resilience than random and q-composite key pre-distribution schemes. Due to scaling, curve for GQ(q ; q ) seems to be linear, but it is not. In the worst case for an adversary, 393750 out of 393876 nodes need to be captured to compromise all communications.
j j
j j
2
2
j j 2
2
2
j j
2
secure path on which every pair of neighboring nodes share a key. GQ can be used to generate key-chains for such networks. Namely, points in GQ can be considered as the keys and lines as the key-chains. Mapping between GQ and Key Distribution is given in Table I. , there are lines passing through a point, and In points. That means a line shares a point with a line has other lines. Moreover, if two lines and exactly do not share a point then for each point on line , there is on line such that there exists a line passing a point and . That means if two lines and through both points do not share a point, there are distinct lines which share a point with both. In terms of Key Distribution, it means that other blocks. Additionally, a block shares a key with other blocks if two blocks do not share a key, there are sharing a key with both. used in this work 2) Construction: The three are incidence relations between points and lines in proand with dimension . jective spaces
A point is a vector for and in from projective space
for
in . is with canonical equation is from
. with canonical equation where is an irreducible binary quadratic of the form . If is even, is a number so that has no root. If is odd, in is a number in so that is not a square. Finally, is from which is a nonsinwith canonical equation gular hermitian variety of . is in the projective space A point with the canonical equation if . Points and are said to be collinear if where for . Let represents the set is a line conof points collinear with point , then necting two distinct and collinear points and [22]. The GQ
352
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 2, APRIL 2007
TABLE II PARAMETERS OF SYMMETRIC, GQ AND THEIR COMPLEMENTARY DESIGNS
construction algorithm is summarized in Algorithm 2. In step points in the projective space 2, are generated for in . In step 3, for each . In step 4, point is generated in lines with points are generated by checking for pairs of points in . Thus, the overall running time of . the algorithm is
secured with a key if it is included in key-chains of both nodes of the link. Thus
Algorithm 2: GQ Design
The probability that one or more of cludes the key can be defined as
compromised blocks in-
Require: Type Require: 1. Find minimum prime power 2. Find canonical equation;
s.t.
; Table II
points holding the corresponding
3. For each point , generate the set of points collinear with . 4. Construct
lines with
points.
Note that . When , the whole keypool becomes compromised. The probability that a link is compromised when an attacker captures key-chains in can be defined as (4)
3) Analysis: In a , there are lines, other lines. Thus, in a design and a line intersects with generated from a GQ, a block shares an object with other that two blocks share an object, or blocks. The probability that a pair of nodes shares a equivalently, the probability key is
(3) , an unlucky attacker may need to capture In nodes before reaching a node which includes a specific key. Therefore, an unlucky attacker needs to capture nodes to recover the key-pool. For example, with a key-chain in design, an unlucky size of nodes before recovering attacker needs to capture the key-pool. A wise attacker who is capturing nodes having the nodes. Attacker can then same specific key needs to capture out of keys this time. With recover design, a wise attacker capturing nodes having the same specific key can recover keys out of keys. provides better resilience than Symmetric Design. is as The probability that a link is secured in of blocks, and a link is given in (3). A key can appear in
In Fig. 1 the resilience of and is compared with random [1] and q-composite [3] key pre-distribution schemes based on (1) and (4). provides similar resilience as random scheme. and provide better resilience than both random and q-composite key pre-distribution schemes. 4) Comparison of Symmetric and GQ Designs for Key Distribution: We are interested in five metrics when comparing the designs: 1) probability of object share between any pair of blocks; 2) block size which is the number of objects in a block; 3) number of blocks generated by the design; 4) complexity of the design which is the running time of construction algorithm for a fixed block size; and 5) resilience of the design. Object set size might be another metric; however, it shows the same characteristics as the number of blocks metric. Symmetric Design is the simplest design and provides the highest number of provides the highest number of blocks object share. for the fixed block size. provides the smallest block size for the fixed number of blocks, and it has the highest resilience. Probabilistic key distribution is the simplest and most scalable solution when compared with GQ and Symmetric Designs. Next, in Section IV, we propose Hybrid Symmetric and GQ Designs which provide solutions as scalable as probabilistic key distribution schemes, yet which take advantage of underlying GQ and Symmetric Designs.
ÇAMTEPE AND YENER: COMBINATORIAL DESIGN OF KEY DISTRIBUTION MECHANISMS FOR WIRELESS SENSOR NETWORKS
IV. HYBRID DESIGNS FOR SCALABLE KEY DISTRIBUTIONS The main drawback of the combinatorial approach comes from the difficulty of its construction. Given a desired number of sensor nodes or a desired number of keys in the key-pool, we may not be able to construct a combinatorial design for the target parameters. In this work, we present a novel approach called Hybrid Design which combines a deterministic core with a probabilistic extension. We will consider two Hybrid Designs: Hybrid Symmetric and Hybrid GQ Designs. By using Symmetric or GQ Design and its complement, we preserve the nice properties of combinatorial design, yet take advantage of flexibility and scalability of probabilistic approaches to support any network sizes. A. Mapping Consider a sensor network where there are nodes, therefore key-chains are required. Due to memory limitations, keykeys coming from a key-pool . chains can store at most We can employ Hybrid Design for the cases where there is no known combinatorial design technique to generate design with nodes for a key-chain size . Basically, Hybrid Design finds the largest prime power such that for ( for GQ) values in Table II and generates blocks of size where objects . The of blocks come from object set of size blocks are generated by base Symmetric or GQ Design. are randomly selected among -subsets of the Complementary Design blocks. We define mappings as in Table I. B. Construction For a given key-chain size and network size , Hybrid Design first generates base Symmetric or GQ Design with largest for ( for GQ) values given prime power where in Table II. Table II also lists relations between block size ( for GQ) and number of blocks for a prime power . The next step is to generate Complementary Design where there are blocks of size . Table II lists parameters of the Complemenfor Symmetric and tary Designs. Due to the fact that GQ designs, Complementary Design blocks cannot be used as key-chains, but their subsets can. To scale the base design up to a given network size, Hybrid Design randomly selects remaining blocks uniformly at random among -subsets of the Complementary Design blocks. Selected -subsets along with blocks of the base design form blocks of Hybrid Design. The algorithm is summarized in Algorithm 3. In step 2, base Symmetric or GQ and respectively. In step Design is generated in 3, complementary design is generated in . Finally in step . For and 4, hybrid blocks are selected in values given in Table II, the overall running time of the algo. rithm is Algorithm 3: Hybrid Design Require: Require: 1. Find largest prime power such that 2. Generate base Symmetric or GQ Design:
; Table II
• •
353
objects blocks
, of size ;
3. Generate Complementary Design of the base design: • Blocks and
where ;
for
hybrid blocks 4. Generate of size . For th block where
:
• Randomly select a block in , say , where • Randomly select a -subset of the block , • Let and , • Use the variable to hold index of the block from which the block is obtained; .
5. Blocks of the Hybrid Design are
Example 5: Assume that we would like to generate nodes. Assume also that key-chains for a network with nodes have very limited memories so that they can store at most keys in their key-chains. Hybrid Symmetric Design can be used to generate design for this network. Symmetric of Example 1 can be used as the Design blocks out of objects base design to generate . Blocks of the Base Symmetric where block size is Design are . Remaining blocks are selected uniformly at random among 3-subsets of the Complementary Symmetric Design blocks . Assume that seand which lected blocks are are 3-subsets of the Complementary Symmetric Design and respecblocks tively. The blocks form the probabilistic extension. The blocks of Hybrid Symmetric Design are then . C. Analysis In this section, we analyze some important properties of Hybrid Symmetric and GQ Designs. We look for some useful properties coming from underlying combinatorial design. Based on these properties, we analyze object share probabilities between where B is the set of blocks from the any pair of blocks in base Symmetric or GQ Design and is the set of blocks which are uniformly at random selected among -subsets of the Complementary Design blocks . Variable for th block holds index of the block in from which is obtained. Proofs for the properties and theorems are given in the Appendix. Depending on the size of deterministic core (Symmetric, , resilience of the Hybrid Design resides in between resilience of deterministic designs and resilience of random key distribution scheme as given in Fig. 1. Because hybrid design becomes more like a random
354
key-pre-distribution scheme as the deterministic core gets smaller due to introduced randomness. 1) Hybrid Symmetric Design: Property 1: Given Hybrid Design and . Property 1 does not hold among the blocks in . Consider and where two such distinct blocks as an example. Complementary Design of a Symmetric Design objects in has the property that any pair of blocks have , when , it can be the common. For and of case that randomly selected blocks ( -subsets) size are equivalent. and the Property 2: Given the key-chain size , Hybrid Symmetric Design can key-pool size support network sizes up to
This is the maximum network size that can be supported by a simple probabilistic key pre-distribution scheme. The probabilistic scheme can go beyond this limit by simply increasing key-pool size for a fixed key-chain size . Same scalability is provided by our Hybrid GQ Designs which are analyzed in the next section. For a fixed key-chain size generates designs for networks up to
This is the upper limit of our deterministic algorithms. Numer, our Hybrid Deically, for the key-chain size sign supports network sizes up to 6,210,820. It supports nodes for nodes for nodes for nodes for and so on. of Hybrid Symmetric Design. Any Consider blocks selected from the set can be either pair of blocks one of the following four types: and ; 1) Type-BB: and and ; 2) Type-HH: and and ; 3) Type-H: 4) Type-HB: and or and . Properties 3 to 6 below give probability of sharing at least one and respectively. object for pairs of types Property 7 presents probabilities that these block types occur. Finally, Theorem 1 presents probability of object share in Hybrid Symmetric Design. that any pair of blocks Property 3: The probability (where and from base Symmetric Design have exactly one object in common is . that any pair of blocks Property 4: The probability where and have at least one object in common approaches to 1 as block size increases. that any pair of blocks Property 5: The probability where and have at least one
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 2, APRIL 2007
object in common is
Property 6: The probability that any pair of blocks where and or and have at least one object in common is
and
Thus, falls into interval as . For a large falls into interval . block where Property 7: Consider any pairing between blocks of of Hybrid Symmetric or GQ Design. Any pair of blocks selected from this set can be either one of the four types: or . The probability that a pair of blocks is Type- for is
where . Thus, we have the following theorem: that any pair of blocks Theorem 1: The probability shares one or more objects in Hybrid Symmetric Design can be bounded as
and
2) Hybrid GQ Designs: Property 8: Given key-chain size Design can support network sizes up to
, Hybrid GQ
Consider blocks of Hybrid GQ Design. Any pair of blocks selected from the set can be either one of and . Properties 9 to 12 below the four types: give probability of sharing at least one object between pairs of
ÇAMTEPE AND YENER: COMBINATORIAL DESIGN OF KEY DISTRIBUTION MECHANISMS FOR WIRELESS SENSOR NETWORKS
the types and , respectively. Finally, Theorem 2 presents the probability of object share in Hybrid GQ Design. that any pair of blocks Property 9: The probability (where and of the base GQ Design have an object in common is given by (3). that any pair of blocks Property 10: The probability where and have at least one object in common approaches to 1 as block size increases. that any pair of blocks Property 11: The probability where and have at least one object in common is
Property 12: The probability where and or at least one object in common is
that any pair of blocks and have
For parameters given in Table II, as , equivalently, . In fact, for a large block where falls into interval in . that any pair of blocks Theorem 2: The probability share an object in Hybrid GQ Design can be approximated as
V. COMPUTATIONAL RESULTS We implemented the random key pre-distribution scheme of , Eschenauer et al. [1], Symmetric Design, and Hybrid Symmetric Design. We used the GAP4r4 PG Design. In the random package [25] to generate the key pre-distribution scheme, we initially generate a large pool of keys and their identities. For each sensor, we uniformly at random draw keys from the key-pool without replacement. These keys and their identities form the key-chain for a sensor node. Basically, for a network of size , we generate key-chains sensor nodes. Then, we uniformly at and assign them to random distribute nodes into a 1 1 unit grid. Every wireless . All sensor has a coverage of radius where nodes within this coverage area is accepted as neighbors. Note that parameter can be used to play with radius and therefore the average degree of the network. After the deployment, two neighboring nodes compare their key-chains. If they have one or more keys in common, the common keys are used to secure the communication. If there is no key in common, they try to find a shortest path where each pair of nodes on the path shares a key. The length of this path is called the key-path length where the key-path length for two nodes directly sharing a key is 1. Average key-path length is one of the metrics that we use to compare the random key
355
pre-distribution scheme with our Deterministic and Hybrid schemes. The probability that two key-chains share at least one key is another metric we use in comparison. For the random key predistribution scheme, for a given key-pool size and key-chain size , Eschenauer et al. in [1] approximate probability as
In Symmetric Design, since any pair of key-chains , the probability of key share shares exactly one key. In is given by (3). is given in the analysis The probability of key share section of Hybrid Symmetric Design. Similarly, the probability for Hybrid GQ Designs is given in the analof key share ysis section of Hybrid GQ Designs. Table III summarizes the computational results: 1) analytical solution for probability that two key-chains share at least one key, and 2) simulation results for the average key-path length. Symmetric Design is compared with the random key pre-distribution scheme in Table III. For the same network size, keychain size, and pool size, Symmetric Design provides better probability of key share. Simulation results for average key-path length supports this advantage. In the random key pre-distribution scheme, a pair of nodes are required to go through a path of 1.35 hops on average to share a key and communicate securely. This path length is 1 for Symmetric Design. and is compared with the random key pre-distribution scheme in Table III. decreases key-chain size, causing a decrease in key sharing probability when compared to Symmetric Design. Anprovides almost the same alytical solutions show that probability of key share as the random key pre-distribution scheme for the same key-chain and key-pool size. Simulation results for average key-path length supports this; and random key pre-distribution scheme provide almost the is same average key-path length. An advantage of and provide better resilience than that random and q-composite key pre-distribution schemes. Hybrid Symmetric Design is compared with random key predistributionschemeinTableIII. HybridSymmetricDesignmakes use of Symmetric Design yet taking advantages of the scalability of probabilistic approach. Given a target network size and keychain size , for which there is no known design, analytical solution shows that Hybrid Symmetric Design provides much better probability of key share between any two key-chains. Simulation results support this advantage where Hybrid Symmetric Design provides shorter average key-path length. Hybrid Design also improves resilience of underlying Symmetric Design. VI. CONCLUSION In this work, we present novel approaches to the key distribution problem in large scale sensor networks. In contrast with prior work, our approach is combinatorial based on Combinatorial Block Designs. We showed how to map from two classes of combinatorial designs to deterministic key distribution mechanisms. We remarked the scalability issues in the
356
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 2, APRIL 2007
TABLE III COMPARISON OF SYMMETRIC, GQ AND HYBRID SYMMETRIC DESIGNS WITH RANDOM KEY PRE-DISTRIBUTION SCHEME
deterministic constructions and proposed hybrid mechanisms. Hybrid constructions combine a deterministic core design with probabilistic extensions to achieve key distributions to any network sizes. The analysis and computational comparison to the randomized methods show that the combinatorial approach has clear advantages: 1) it increases the probability of a pair of sensor nodes to share a key, and 2) decreases the average key-path length while providing scalability with hybrid approaches.
is neither a base Symmetric Design block nor subset of any Complementary Design block, and elements of are from distinct Complementary Design blocks. Blocks generated by our Hybrid Symmetric Design only hold first two cases. We will show that case three is not possible for such , and our Hybrid Symmetric Design algorithm can generate all such blocks . Due to definition of Symmetric Design: any such with objects may be 1) one of the blocks of symmetric core (case 1), 2) may share at most objects with one of the blocks in , or 3)
3) APPENDIX I PROOFS OF THE PROPERTIES AND THEOREMS Proof: (Property 1) From the definition of Symmetric Design. Since any pair of blocks share exactly one object, a block in cannot be the subset of complement of another block in . , consider any block Given Hybrid Design where . Assume that . We know that and . That means blocks and do not share an object contradicting the fact that and are blocks of Symmetric Design. Therefore, all blocks in are distinct from the blocks in B. Proof: (Property 2) This can be shown by proving that any objects from the block formed by random selection of set can also be generated by Hybrid Symmetric Design. where and , either one of following cases must be true: ; 1) is a base Symmetric Design block 2) is a subset of Complementary Design block;
may share at least 2 objects with
blocks in
.
Consider the case where shares exactly objects with one of the blocks in . Due to definition of Symmetric Design: th ob1) each of these objects needs to pair with ject once in a separate block, 2) th object appears in one block alone, and 3) each of the objects appears in other blocks alone. In total, shares one or more objects with blocks in . Consider the case where shares exactly 2 objects with blocks in
. Since each object has paired with other
objects in , each one just needs to appear alone in one shares exactly one object with block in . Thus, other blocks in . In total, shares one or two objects with blocks in . That is, shares one or more objects with at least and at most blocks in . Since , if , then third case is not possible and there always where and . Thus, our Hybrid Symmetric Design generates all such blocks .
ÇAMTEPE AND YENER: COMBINATORIAL DESIGN OF KEY DISTRIBUTION MECHANISMS FOR WIRELESS SENSOR NETWORKS
Proof: (Property 3) From the definition of Symmetric Design. Proof: (Property 4) Instead of finding the probability, we bound it. Given Hybrid Design , consider blocks and in which are subsets of and respecand for . tively. Consider random variables takes on value 1 if th common element in is selected. Similarly takes on value 1 if th common element in is seand both takes lected. We are interested in the case where on value 1 meaning that the th common element is selected for where both blocks. We define new indicator
using Markov bound and after checking second moment which shows no significant variance, approaches to 1 as increases. we conclude that Proof: (Property 5) Given Hybrid Design , consider are picked uniComplementary Design where blocks in formly at random among -subsets of the blocks in . Let be the probability that two -subsets of a block have no objects in common. Then, . Let L be the number of . does not share all -subsets of . Consider a -subset . Let M be the number an object with -subsets of the set . may pair with -subsets of -subsets of the set and does not share an object with of them. Therefore
Proof: (Property 6) Given Hybrid Design in shares one or more objects with at least and at most blocks in is proof of Property 2. Thus, probability
, any block blocks due to the
Proof: (Property 7) There are blocks in block set of Hybrid Symmetric (or GQ) Design. Consider two blocks which are uniformly at random selected from this set. that both blocks come from is (1) Probability
357
(2) Probability that one block comes from and the other from is
The probability that both blocks are selected from
is
(3) blocks in are uniformly at random selected among -subsets of blocks in . That means average blocks are selected among -subsets of a block in . Therefore, probability that both blocks are from , and are subsets of the same block in is
(4) The probability that both blocks are from subsets of two distinct blocks in is
and are
Proof: (Theorem 1) Consider any pairing between blocks of Hybrid Symmetric Design . Any pair of blocks selected from this set can be either one of the four types given in Property 7 with probabilities and . The probability of sharing at least one object for each type of pairs is given in Properties 3, 4, 5, and that any pair of blocks share 6. Thus, probability one or more objects in Hybrid Symmetric Design can be and bounded as: . Proof: (Property 8) Similar to the discussion in the Proof objects selected from the of Property 2. Let be set of where and either object set . Then, one of the cases given in Proof of Property 2 must be true. Any objects may be one of the blocks in of such with GQ core (case 1). If not, may share at least 1 and at most objects with some blocks in . Consider the case where shares exactly one object. That means each object appears in blocks. In total shares exactly one object with separate blocks in . Consider the case where shares exactly objects with one of the blocks in (1) th object can pair exactly one of these objects and can appear in one block due to third property object appears alone in more blocks. of GQ, and (2) each
358
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 2, APRIL 2007
Thus, shares exactly one object with blocks in . In blocks in . total shares one or two objects with and That is, shares one or more objects with at least at most blocks in . Since , if , then the third case is not possible and where and . Thus, our there always Hybrid GQ Design generates all such blocks . Proof of Property 9 follows the discussion in Section III-B3. Proofs of Properties 10, 11, and 12 are similar to discussions in proofs of Properties 4, 5, and 6, respectively. Proof: (Theorem 2) Similar to Theorem 1. From Properties 7, 9, 10, 11, and 12, it follows: For large block sizes, we approximate (Property 10), and (Property that any pair of blocks shares an 12). Thus, probability object in Hybrid GQ Design can be approximated as
ACKNOWLEDGMENT The authors would like to thank to M. Magdon-Ismail for his useful comments and suggestions on the Proof of Property 4. REFERENCES [1] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proc. ACM Conf. Computer and Communication Security, 2002, pp. 41–47. [2] R. Merkle, “Secure communication over insecure channels,” Commun. ACM, vol. 21, no. 4, pp. 294–299, 1978. [3] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proc. IEEE Symp. Security and Privacy, 2003, p. 197. [4] S. Zhu, S. Xu, S. Setia, and S. Jajodia, “Establishing pairwise keys for secure communication in ad hoc networks: A probabilistic approach,” in Proc. IEEE ICNP, 2003, p. 326. [5] S. A. Camtepe, B. Yener, and M. Yung, “Expander graph based key distribution mechanisms in wireless sensor networks,” in Proc. IEEE Int. Conf. Communication, 2006, pp. 2262–2267. [6] S. Slijepcevic, M. Potkonjak, V. Tsiatsis, S. Zimbeck, and M. B. Srivastava, “On communication security in wireless ad hoc sensor network,” in Proc. IEEE WETICE, 2002, pp. 139–144. [7] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, “Perfectly-secure key distribution for dynamic conferences,” in Proc. Advances in Cryptology (CRYPTO ’92), 1992, pp. 471–486. [8] D. Liu, P. Ning, and K. Sun, “Efficient self-healing group key distribution with revocation capability,” in Proc. ACM Conf. Computer and Communication Security, 2003, pp. 231–240. [9] D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in ACM Conf. Computer and Communication Security, 2003, pp. 52–61. [10] R. Blom, “An optimal class of symmetric key generation systems,” in Proc. EUROCRYPT, 1984, pp. 335–338. [11] W. Du, J. Deng, Y. S. Han, and P. Varshney, “A pairwise key predistribution scheme for wireless sensor networks,” in Proc. ACM Conf. Computer and Communication Security, 2003, pp. 42–51. [12] J. Lee and D. R. Stinson, “Deterministic key pre-distribution schemes for distributed sensor networks,” in Proc. ACM Symp. Applied Computing, 2005, vol. LNCS 3357, pp. 294–307.
[13] D. R. Stinson and S. A. Vanstone, “A combinatorial approach to threshold schemes,” SIAM J. Disc. Math., vol. 1, no. 2, pp. 230–236, 1988. [14] D. R. Stinson, “Combinatorial characterizations of authentication codes,” Designs, Codes and Cryptography, vol. 2, no. 2, pp. 175–187, 1992. [15] D. R. Stinson and T. van Trung, “Some new results on key distribution patterns and broadcast encryption,” Designs, Codes and Cryptography, no. 14, pp. 261–279, 1998. [16] B. Yener, Y. Ofek, and M. Yung, “Combinatorial design of congestion free networks,” IEEE/ACM Trans. Networking, vol. 5, no. 6, pp. 989–1000, Dec. 1997. [17] Y. Song, A. Wool, and B. Yener, “Combinatorial design of multi-ring networks with combined routing and flow control,” Elsevier J. Comput. Netw., vol. 3, no. 3, pp. 247–267, 2003. [18] S. A. Camtepe and B. Yener, “Key distribution mechanisms for wireless sensor networks: a survey,” Rensselaer Polytechnic Inst., Comput. Sci. Dept., Troy, NY, Tech. Rep. TR-05-07, 2005. [19] J. Lee and D. R. Stinson, “A combinatorial approach to key predistribution for distributed sensor networks,” in Proc. IEEE WCNC, 2005, pp. 1200–1205. [20] I. Anderson, Combinatorial Designs: Construction Methods. Chicester, U.K.: Ellis Horwood, 1990. [21] D. R. Stinson, Combinatorial Designs: Construction and Analysis. New York: Springer-Verlag, 2004. [22] S. E. Payne and J. A. Thas, Finite Generalized Quadrangles. Boston, MA: Pitman Advanced Publishing Program, 1984. [23] J. Hirschfeld, Projective Geometries Over Finite Fields. Oxford, U.K.: Clarendon Press, 1979. [24] D. Liu and P. Ning, “Efficient distribution of key chain commitments for broadcast authentication in distributed sensor networks,” in Proc. Network and Distributed System Security Symp., 2003, pp. 263–276. [25] L. Storme, P. Govaerts, J. D. Beule, and P. Lemens, Projective Geometries (pg) Share Package for gap4. Oct. 2004 [Online]. Available: http://cage.rug.ac.be/~jdebeule/pg/ Seyit A. Çamtepe (S’04) received the B.S. and M.S. degrees in computer engineering from Boˇgaziçi University, Istanbul, Turkey, in 1996 and 2001, respectively. During the years 1996–2002, he worked as a Network Engineer in Pamukbank (currently Halkbank), Istanbul, Turkey. He is currently pursuing the Ph.D. degree in computer science at Rensselaer Polytechnic Institute, Troy, NY. His research interests include key management in wireless sensor networks, attack modeling and detection, social network analysis, VoIP security, Internet and wireless security in general.
Bülent Yener (M’97–SM’03) received the M.S. and Ph.D. degrees in computer science, both from Columbia University, New York, NY, in 1987 and 1994, respectively. He is an Associate Professor in the Department of Computer Science and Co-Director of the Pervasive Computing and Networking Center at Rensselaer Polytechnic Institute (RPI), Troy, NY. He is also a member of the Griffiss Institute, Rome, NY. Before joining RPI, he was a Member of Technical Staff at Bell Laboratories, Murray Hill, NJ. His current research interests include biological networks, bioinformatics, wireless networks, and Internet security. Dr. Yener has served on the technical program committees of leading IEEE conferences and workshops. Currently, he is an associate editor of ACM/Kluwer WINET journal and the IEEE Network Magazine. He is a Senior Member of the IEEE Computer Society and the Chair of IEEE TCCC.
