PREDISTRIBUTION SCHEME FOR WIRELESS SENSOR NETWORKS

We propose a probabilistic key predistribution scheme for wireless sensor networks, where keying materials are distributed to sensor nodes for secure communication. We use a two-tier approach in which there are two types of nodes: regular nodes and agent nodes. Agent nodes are more capable than regular nodes. Our node deployment model is zone-based such that the nodes that may end up with closer positions on ground are grouped together. The keying material of nodes that belong to different zones is non-overlapping. However, it is still possible for nodes that belong to different zones to communicate with each other via agent nodes when needed. We give a comparative analysis of our scheme through simulations and show that our scheme provides good connectivity figures at reasonable communication cost. Most importantly, simulation results show that our scheme is highly resilient to node captures.


INTRODUCTION
When sensor networks [3] are used in a hostile setting, confidentiality, confidentiality and authenticity of communication among the sensor nodes should be provided.While fulfilling these security requirements, fast and energy-efficient methods should be used.Although there are some recent works to make public key cryptography (PKC) practical to be used sensor nodes [4,5,6], symmetric cryptography is still more efficient to provide security in sensor networks.Symmetric cryptography necessitates pairwise keys distributed among the sensor nodes.The problem of distribution of keys to large number of sensor nodes is an active research area.Key predistribution schemes [1,[7][8][9][10][11][12] are shown to provide practical and efficient solutions.In such schemes, redundant amount of keys are stored in nodes' memory before deployment and a matching algorithm is processed between neighboring node pairs after the deployment.As a result of this match, some of the stored keys are used in secure communication of neighbors.If two neighboring nodes share a key, then a secure link exists between those nodes.Due to probabilistic nature of the scheme, some neighboring nodes may not share a key.In the literature, there are some location-aware approaches [8,11,15,16,17], where expected location information of sensor nodes is utilized, in order to improve the key sharing probability and the resiliency of the system by reducing the number of reused keys.In such location-aware approaches, it is assumed that nodes are prepared in small groups and deployed as bundles.Thus, the nodes in the same group have a large chance of being in the radio communication range of each other.Keys are stored in nodes such that nodes in the same or neighboring groups have common keys, but nodes in distant groups do not share any.
Blom's key management scheme [2] is used as a powerful tool in key predistribution schemes [9].Blom's scheme shows a threshold property; until λ nodes are captured, the network is perfectly secure, but if λ+1 or more nodes are captured all secure links are compromised.
In this paper, we propose a zone-based and two-tier approach for key predistribution problem in sensor networks, where there are two types of sensor nodes with different capabilities: regular nodes and agent nodes.Agent nodes have larger memory and can share keys with agent nodes from neighboring zones.Agent nodes constitute a small part of sensor network.Regular nodes can establish secure links only with same-zone neighbors without intervention of agent nodes.We show that our approach significantly increases the resiliency of the system while still keeping the network connected via secure links to a large extent.Moreover the proposed scheme has node-to-node authentication property.Keys and IDs of nodes are linked, so that nodes can verify the identity of each other.
The rest of this paper is organized as follows: in Section 2, we describe our key predistribution scheme.In Section 3, we provide a comparative analysis of our scheme.Finally, we provide some concluding remarks in Section 4.

TWO-TIER, LOCATION-AWARE KEY PREDISTRIBUTION SCHEME
In our scheme, we exploit the deployment location knowledge of sensor nodes in order to improve the performance of key predistribution.If a group of sensor nodes is deployed at a deployment point, they will likely reside in close proximity with each other.We arrange target locations in a grid fashion and determine which bundle will be deployed at which target location.We name each cell of the grid as a zone.Before deployment, separate key spaces are created for each zone according to our key predistribution scheme.Using this method, we increase the average number of shared keys between nodes.
The parameters and symbols used in this scheme are given in Table 1.

ID of group of nodes deployed at d ij
The key predistribution scheme consists of four phases; predistribution phase, direct key establishment phase, hybrid key establishment phase, path key establishment phase.

Zone Based Deployment Model
We employ a classical zone based deployment model similar to the one used in [8].

Predistribution Phase
In key predistribution phase, we describe the method of how keys are distributed to nodes.We define two methods in this phase: intra-zone key predistribution method and inter-zone key predistribution method.In intra-zone key predistribution method, setup server distributes the keys required for establishing secure links between nodes from the same zone.This step applies for both regular nodes and agent nodes.In inter-zone key predistribution method, setup server distributes the keys to agent nodes for their secure communication with other agent nodes of neighboring eight zones.
In the intra-zone key predistribution, we adopted the method proposed in [9], which is for the whole sensor field, into a zone.The method in [9] and also our method are based on wellknown Blom's key predistribution scheme [2], Using Blom's scheme, any two nodes having shares from the same matrix can compute a secret pairwise key.Setup server generates a single public matrix G, whose size is (λ+1)×N.All λ+1 columns of matrix are linearly independent.For each zone, setup server generates ω random and symmetric matrices with size (λ+1)×(λ+1) and uses these matrices to compute ω matrices.Size of each matrix is N×(λ+1).Each and matrix pair make up a key space.Each key space has a unique ID, k mp , where 1 ≤ m ≤ Z and 1 ≤ p ≤ ω.Sensors can use key space IDs to find out if they have common key spaces with their neighbors.Then, for each node s mn , setup server picks τ key spaces and stores n th row of matrix and n th column of matrix to node s mn .
In order for two neighboring nodes to compute a common key, they need to know each other's public columns in matrix.As shown in [9], it is feasible to generate a public matrix by using a single primitive element.Instead of storing matrix columns, nodes only store a single primitive element.At the end of intra-zone key predistribution method, all nodes have τ rows with λ+1 elements and one primitive element stored in their memory.
In our method, each zone has distinct key spaces.This guarantees that the keys used in one zone are not used in another zone.In this way, the resiliency improves significantly as analyzed in Section 3.
As a unique feature of our method, in the inter-zone key predistribution method, we distribute random-pairwise keys to establish common keys between agent nodes.Before sensor deployment, setup server generates unique random pairwise keys for each agent node pair; there are only two copies of a pairwise key.For an agent node s mn , setup server generates pairwise keys that s mn shares with all agent nodes in neighboring zones of zone m.Then, these pairwise keys are stored in s mn along with IDs of corresponding agent nodes.
Random pairwise keys have node-to-node authentication property and have perfect node capture resiliency, meaning that when a pairwise key is compromised by adversaries, only the secure link that compromised key is used, is affected.Agent nodes will carry keys from both intra-zone and inter-zone key predistribution method.Thus, agent nodes must have larger memory as compared to regular nodes.Considering that there will be limited number of agent nodes in each zone, this is a practical approach.

Direct Key Establishment Phase
After deployment, sensor devices try to establish secure links with all of their neighbors.In direct key establishment phase, two neighboring nodes of the same group/zone compute shared keys with their neighbors.Here, we use a similar method as the one described in [9].The two neighboring sensor nodes can be regular nodes or agent nodes.In order to find out if they share any key spaces, each node broadcasts a message containing the node's id and the indices of the stored key spaces.If two neighboring nodes, s mn and s mq , share a common key space, then they can compute a pairwise key using Blom's scheme.s mn can compute the pairwise key by using its private row from matrix and s mq 's column of public matrix , which s mn can generate by using s mq 's ID and the primitive root, which is already stored in every node.Similarly, s mq calculates the same key using its private row and s mn 's column of .This shared key is called the direct key.
Neighboring sensor nodes may belong to different groups/zones.If at least one of the nodes is a regular node, they cannot directly establish a secure link because they do not have any common key spaces.In Section 2.5, we describe an original method how two regular nodes from different zones can establish a secure link with the help of agent nodes.If both of the nodes are agent nodes from neighboring zones, they can easily establish a secure link by exchanging IDs.Each agent node can find the pairwise key shared with the other agent node just by using other node's ID.
After the direct key establishment phase, the entire sensor network forms a secure link graph in which two nodes can have an edge between them only if they are neighbors and they share a secret key.

Hybrid Key Establishment Method
Every regular node needs to have a contact with an agent node in order to perform inter-zone path key establishment that will be explained in Section 2.5.Direct key establishment phase can be used to establish direct keys between a regular node and an agent node.However, if a regular node has no agent node within its radio communication range (i.e.none of regular node's 1-hop neighbors is an agent node), they cannot run the direct key establishment procedures.In such as case, the nodes may run the hybrid key establishment method.In this method, the regular node tries to find an agent node within several hops range to establish a pairwise key.
Regular nodes may share key spaces with agent nodes even if they are several hops away from each other.If they can exchange their key space IDs over a secure path, they can compute their secret shared key as explained in Section 2.3.Hybrid key establishment method basically aims the exchange of such key space IDs over a secure path.
The hybrid key establishment method works as follows.Suppose a regular node, s mn , where 1 ≤ m ≤ Z and 1 ≤ n ≤ N, multicasts a query including its key space IDs to its secure neighbors with whom it shares a direct key.If s mn 's secure neighbors have an agent node in their neighbor lists, they forward the query to the agent node.If there are no agent nodes in two hops, secure neighbors of s mn forward the query to their secure neighbors and this flooding of queries goes on until either a hop-limit is reached or an agent node is found.If the secure link graph is connected, s mn eventually finds an agent node.If more than one agent node is found in this way, then the closest one is preferred.In this method, not only a key is exchanged, but also a secure path is established between s mn and its closest agent node.This secure path is later utilized in inter-zone path key establishment phase.
An example of hybrid key establishment method is shown in Figure 1.Here the regular node s ib has an agent node s ia which is 3-hops away from it.
It is possible that regular node s mn does not share any key spaces with any of the agent nodes in its zone.In this case, a path key can be established between s mn and its nearest agent node using the method explained in Section 2.5.

Intra-zone and Inter-zone Path Key Establishment Phases
After direct key establishment phase, a sensor node, s mn may end up in a case where it cannot find any shared key spaces with one or more of its neighbors.In this case, s mn tries to find secure paths to such neighbors with the help of its secure neighbors.The process of establishing a secure link over a secure path between same zone nodes is called intra-zone path key establishment.The process works as follows.Assume node s mn of zone Z m does not have a secure link with its neighbor node s mp .Node s mn floods a query to other nodes to see if they have secure links with node s mp .If at some hop level any of the neighbors, say s mq , has such a secure link, then s mq generates a random key and sends this key to both node s mn and s mp over secure links.Then, s mq removes this random key from its memory.
When node s mn 's neighbor, s tk , is from a neighboring zone, s mn needs an agent node to communicate securely with s tk .That is why every regular node needs a secure path to its nearest agent node before initiating inter-zone path key establishment process.Assuming both s mn and s tk have direct or hybrid links with an agent node, inter-zone path key establishment process works as follows: 1.They exchange their and their nearest agent node's ID. 2. One of the regular nodes, say s tk , sends IDs received from the other node to its nearest agent node over a secure link.3. Since s mn and s tk are from neighboring zones, their agent nodes must share a pairwise key, as explained in Section 2.2.Agent nodes can easily find out their shared pairwise key, K p , via a simple lookup.Node s tk has either a direct or hybrid key, K s , to its agent node.Node s tk 's agent node generates a random key, K r , and encrypts it with K p as E Kp {K r }.Then s tk 's agent node prepares and sends the message E Ks {K r ,E Kp {K r }} to s tk over a secure path or secure link.4. Node s tk decrypts the message and retrieves K r .Then it sends E Kp {K r } to its neighbor, s mn . 5. Node s mn sends the message, E Kp {K r }, to its agent node.The agent node decrypts E Kp {K r } and sends K r back to s mn over a secure link or secure path.6.Now both s mn and s tk shares the same key K r .

PERFORMANCE EVALUATION
In order to evaluate the performance of our scheme, various simulations are performed in Matlab ® .We used the well-known metrics such as local connectivity, global connectivity, communication cost, and resilience against node compromise.We also simulated some of the well-known key predistribution schemes [1], [8], and [9] for comparison purposes.

System Parameters
In our analysis and simulation, we use the following configuration.− Deployment area is 1000m x 1000m − Deployment area is divided into 10 x 10 zones, i.e.Z x = Z y = 10 and Z = 100

Communication range
Agent node Regular node − Total number of sensor nodes is 10000 and there are 100 nodes in each zone, i.e.N = 100.− Communication range, R, for each node is 40m.

Local Connectivity
Local connectivity can be referred as the probability of two neighboring nodes sharing at least one key space, in other words having a direct secure link.Assuming that key spaces are homogenously distributed among sensor nodes, local connectivity can also be defined as the average number of secure neighbors of a node.This probability is denoted as P local .In Figure 2, local connectivity values of our scheme and Du et al.'s scheme [9] are shown.It can be observed that the ratio τ/ω is the determiner P local .As τ increases and ω decreases, the probability that two neighboring nodes share at least one key space increases.In this analysis, the ω values of Du et al.'s scheme is taken 100 times larger than our scheme in order to equalize the total number of key spaces in the whole sensor network.Figure 3 shows local connectivity values obtained from simulation results of our scheme and Du et al's scheme using deployment knowledge [8] (from now on we call this scheme "Du et al.'s scheme 2").Their approach is a modified version of Eschenauer and Gligor's scheme [1].They improve the scheme in [1] by using deployment knowledge on a grid environment.
In Figure 3, we simulated our scheme for various values of λ+1 and τ values.We took 15, 25 and 35 as λ+1, and 2, 3 and 4 as τ.For our scheme, τ × (λ+1) gives the number of keys in a node which is shown on the horizontal axis of Figure 3.When λ+1 is 15 and τ is less than 4, our scheme has better local connectivity than Du et al.'s scheme 2. However, P local of our scheme does not increase more than 0.6209.However, P local of Du et al's scheme 2 reaches 0.9522 when number of keys is as high as 150.Local connectivity for our scheme stops increasing after a specific value, because regular nodes cannot establish direct secure links with their differentzone neighbors, whereas in Du et al.'s scheme 2, nodes have the capability to share keys with nodes from neighboring zones.Although it seems here that our scheme has a drawback here for large number of keys, since it is possible to reach good global connectivity and resiliency figures with 50-60 keys, as discussed in subsequent sections, larger amount of keys only marginally affects the overall performance of the system at a high cost of larger memory at tiny sensor nodes.

Global Connectivity
Even if a sensor node cannot establish a direct secure link with its neighbor, it is possible to establish a link via path key establishment phases provided that the node has a secure path to this neighbor.If we generalize this to all sensor nodes, in order to establish secure links via path key establishment phases, the network must be securely connected after the direct key establishment phase.Global connectivity is the measure of this secure connectedness.Global connectivity is computed by finding the ratio of the largest securely connected block of nodes (obtained after direct key establishment phase) over total number of nodes.Global connectivity also indicates the amount of wasted nodes.If some nodes have no secure connection with the main block of sensor nodes, then they cannot contribute to the sensor network securely.For example, consider 0.99 global connectivity for a sensor network.This means 99% of all nodes can establish direct or path keys among themselves; however, 1% of the nodes cannot reach the rest of the network in a secure way.
Figure 4 shows global connectivity of our scheme for τ=2, 3, 4 and ω=4, 5, 6. Simulation results indicate that even in the worst case where τ = 2 and ω=6, global connectivity is higher than 0.99, which means more than 99% of nodes securely join and contribute to the sensor network.

Communication Cost
In this section, communication overhead of our key predistribution scheme, when two neighboring nodes cannot establish a direct secure link, is examined.In our scheme, a sensor network incurs most of communication cost during three operations: intra-zone path key establishment, hybrid key establishment and inter-zone path key establishment.During intrazone path key and hybrid key establishment processes, flooding is used in broadcast and multicast manner, respectively.
We first determine average number of hops required to connect two neighboring nodes using intra-zone path key establishment.Figure 5 illustrates number of hops and connectivity values of corresponding secure link graphs for various τ and ω combinations.It can be observed from Figure 5 that when τ/ω ratio is high, a node can establish direct links with most of its same-zone neighbors.For example, when τ is 3 and ω is 6, a node can reach 0.9503 of its same-zone   The number of hops, that a regular node can reach its nearest agent node, is an important indicator of network connectivity and an important parameter in overall communication cost.We show in Figure 6 that majority of regular nodes can reach their nearest agent nodes in only one hop when the number of node agents in a zone, A z = 10.
Here it should be noted that while a hybrid key is being established, flooding is required only for one time.Then the same path can be used for all subsequent inter-zone path key establishment processes.This is an important advantage of our scheme.When two neighboring regular nodes are from different zones, they try to establish a secure link by inter-zone path key establishment process, as discussed in Section 2.5.Assuming that one of the regular nodes is h 1 hops away from its zone agent and hop length between the other node and its zone agent is h 2 , total number of messages exchanged during inter-zone path key establishment process can be found as: + + h h [1] We calculate the number of messages exchanged for each inter-zone path key. Figure 7 illustrates the ratio of inter-zone path keys established by exchanging different amounts of protocol messages.For example, when ω = 6, τ = 2 and A z = 5, 80 % of all inter-zone path keys are established by exchanging 9 or less protocol messages.Maximum number of messages required in order to establish all inter-zone path keys is 13 when ω = 6, τ = 2 and A z = 10.Here one may argue that the number messages is quite larger than the intra-zone path key establishment process.However, it should be noted that inter-zone path key establishment does not make flooding which may exponentially increase the number of messages distributed in the network.

Resiliency against Node Capture
The most obvious attack against a sensor network is capturing sensor nodes.We will assume when a node is captured, all of its cryptographic material is compromised.Using those compromised material, attacker can also compromise some additional links that use the same material.A key distribution scheme's resiliency against node capture can be defined as the ratio of additional compromised links over total number of links except those of captured nodes.The smaller this ratio is the more resilient network.One possible way to protect keys inside a sensor node is to tamper-proof the device.However tamper-proofing is both costly [18] and is not perfectly safe [13].For a key space to be compromised, λ+1 nodes carrying shares from that key space must be compromised [2].An attacker with λ shares from the same matrix cannot gain any extra information about that key space and cannot learn private shares of nodes that are not captured.
In Figure 8, we show node capture resiliency of our scheme, Du et al's scheme 2 [8] and Du et al's scheme [9].For our scheme, ω=7, τ=3, λ+1=17 and P local =0.5605.For Du et al's scheme 2, m=50, S c =1000 and P local =0.5569.For Du et al's scheme, ω=43, τ=4, λ+1=13 and P local =0.56.As shown from these figures, three of the systems are compared using similar values for the number of keys per node and local connectivity.It can be observed from Figure 8 that both Du et al's scheme 2 and our scheme have substantially better resiliency than Du et al's scheme [9].The most important reason for such a difference is that scheme in [9] does not utilize deployment knowledge.
Our scheme has stronger resiliency than Du et al's scheme 2, especially against small-scale attacks.When number of captured nodes is less than 2000, our scheme causes zero or negligible number of additionally compromised links.However, in Du et al's scheme 2, an adversary can compromise 62 percent of secure links by capturing only 2000 nodes.The reason is that our scheme is based on Blom's scheme and in Blom's scheme an attacker can gain no information on a key space with less than λ+1 shares.Therefore, attacker must capture a substantial number of nodes before compromising any additional links.However, with Du et al.'s scheme 2, when an attacker captures only one node, he can start to compromise additional secure links.Another reason that makes our scheme more resilient than Du et al.'s scheme 2 is the independence of the key spaces in different zones.In this way, when a key space is compromised, only the current zone is affected; the nodes in any other zone are not.

CONCLUSIONS
In this paper, we presented a two-tier random key predistribution scheme for sensor networks.In our scheme, we used a zone-based approach, in which each zone has its own separate key spaces.Secure links between zones are established through agent nodes, which are higher capacity nodes.We utilized Blom's scheme [2] for key establishment among the nodes of the same zones.
Our scheme achieves high local and global connectivity values while consuming minimal memory.The communication cost of our scheme is within practical limits.We showed that by using a two-tier approach, our scheme achieves substantially strong node capture resiliency.Ratio of additionally compromised links when 2000 nodes (out of 10000 total nodes) are captured is almost zero.

FIGURE 1 :
FIGURE 1:Regular node s ib establishes a pairwise key with agent node s ia using hybrid key establishment method

FIGURE 2 :
FIGURE 2: Local connectivity, P local , vs. τ, number of key spaces installed in a node

FIGURE 4 :
FIGURE 4: Global connectivity of our scheme

FIGURE 5 :
FIGURE 5:Communication overhead for intra-zone path key establishment in our scheme neighbors in one hop, and the rest in two hops.Although we could not show here for space limitations, the performances of flooding based path key establishment of our scheme and Du et al.'s scheme 2[8] are similar.
Conference 2008 -Visions of Computer Science

FIGURE 6 :
FIGURE 6:Ratio nodes reaching their nearest zone agent in i hops when A z =10 (for our scheme) Ratio of nodes reaching their nearest agent in # hops

FIGURE 7 :
FIGURE 7:Communication cost for inter-zone path key establishment in our scheme, where ω=6 and τ =2

FIGURE 8 :
FIGURE 8:Ratio of additionally compromised links vs. number of nodes captured for our scheme, Du et al's scheme 2[8] and Du et al's scheme[9].P local is approximately 0.56 for al schemes.

1 BCS
International Academic Conference 2008 -Visions of Computer Science

TABLE 1 :
Symbols and Parameters Nnumber of nodes in each zone Z number of zones in the sensor network (= Z x x Z y ) mn ID of n th sensor node in zone m, m=1 .. Z, n=1 .. N r mn resident point of node s mn In our deployment model, we divide the rectangular sensor field into a grid of Z = Z x x Z y equal sized zones.Sensor nodes are grouped into Z equal sized groups each has N nodes.Centre point of zone Z ij is the deployment point, d ij of group G ij , where i = 1 .. Z x and j = 1 .. Z y .The nodes that belong to G ij are dropped over deployment point d ij .The actual location of sensor nodes after deployment is their resident points, r mn where m = 1 .. Z and n = 1 .. N. Resident points of sensor nodes in the same group follow the same probability distribution function.In our deployment model, we employ two-dimensional Gaussian distribution.Using a Gaussian distribution, sensor nodes dropped at the same deployment point tend to be closer to each other.