Wireless Sensor Networks

Transcription

1 Scaling Laws of Key Pre-distribution Protocols in 1 Wireless Sensor Networks Wenjun Gu, Xiaole Bai and Sriram Chellappan Abstract A host of key pre-distribution (KP) protocols have been proposed for secure communications in randomly deployed wireless sensor networks (WSNs). The common perception on these protocols is that they are scalable w.r.t. node density and network dimension due to their being purely distributed and localized. While it is true in terms of communication and computation overhead, their scalability is questionable in terms of secure communication performance. In this paper, we conduct a detailed theoretical investigation to answer this question. Our findings reveal that contrary to the common perception, the KP protocols are not scalable in terms of secure communication performance. We theoretically prove that the performance tends to zero as node density grows very large, and that the performance monotonically decreases as network dimension increases. We also conduct extensive numerical studies on the sensitivity of the performance w.r.t. node density and network dimension under different KP protocols, attack and network parameters. Our findings provide important foundations in design and deployment of secure wireless sensor networks, and other network systems like secure overlay forwarding systems and file sharing systems. Index Terms Wireless Sensor Networks, Secure Communications, Network Scale, Key Pre-distribution, Resilient Connectivity Wenjun Gu, Xiaole Bai and Sriram Chellappan are with the Department of Computer Science and Engineering, The Ohio State University, Columbus, OH 4321, U.S.A. {gu, baixia, chellapp, xuan}@cse.ohio-state.edu. This work is partially supported by NSF Career Award and ARO under grants No. CCF and AMSRD-ACC-R-5521-CI, respectively. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of NSF and ARO.

2 I. INTRODUCTION An important agenda in many Wireless Sensors Network (WSN) applications is security. With many applications for WSNs being envisaged in military, mission-critical and hostile environments, protecting sensor communication information from adversaries is becoming critical. The standard approach to securing sensor communications is to establish secure pair-wise keys between communicating sensors. However, in many WSNs, placement of sensors cannot always be controlled, and random deployment is the only option. This, coupled with other salient features of sensor networks like energy/ memory constraints, ease of node capture etc., makes key management challenging in sensor networks. It also precludes the applicability of traditional key management schemes like public key cryptography, centralized key distribution center, establishing a single master key to sensor networks. The standard and well accepted protocol for key management in WSNs is based on initial key predistribution, followed by pair-wise key establishment [1]. We call this protocol as the key pre-distribution (KP) protocol. In this protocol, each sensor node is initially pre-distributed with k distinct keys chosen from a large key pool of K keys, and the nodes are deployed randomly in the network. After this, nodes use these pre-distributed keys and local neighborhood communications to establish pair-wise keys between themselves for future communications. Two nodes within communication range of each other (called physical neighbors) can directly establish a pair-wise key between them if they share at least one pre-distributed key. Alternatively, two physically neighboring sensors can establish a pair-wise key indirectly through a key path traversing through other sensors (called proxies), where any two physically neighboring sensors on this path share at least one pre-distributed key (detailed discussions on the KP protocol appear in Section II). So far, many key management protocols have been proposed for sensor networks, which are variations of the basic KP protocol. While some of them are based on random key pre-distribution (RKP ) [1], [2], [3], [4], [5], [6], [7], [8], [9], [1], [11], [12], [13], [14], [15],[16], [17], [18], [19], [2], [21], [22], [22], [23], [24], [25], [26], [27], [28], [29], [3], [31], [32], [33], [34], others are based on deterministic key pre-distribution (DKP ) [35], [36], [37], [38]. 2

3 A. Common Perceptions It is widely believed that the KP protocols are scalable with respect to network size. There are two key properties that determine network size in sensor networks: node density (i.e., average number of neighbors per node) and network dimension (i.e., geographical size of the network). The common perception has been that the KP protocols scale well with node density. This perception stems from the fact that the KP protocols are purely distributed and localized. Nodes establish pair-wise keys between themselves using only local neighborhood information exchanges. When node density increases, the increase in communication overhead per sensor is small. On the other hand, it is believed that secure communication performance improves with node density. With more neighbors per node, the chances of pair-wise key establishment between neighbors increase, which improves connectivity (the probability that two physically neighboring nodes are able to establish a pair-wise key between them). An increase in node density also enables more key paths between nodes, which improves resilience (the probability that a pair-wise key between two nodes is not compromised). As a matter of fact, many existing KP protocols assume a very high node density ( 2 neighbors per node) with the notion that it enhances secure communication performance [1], [2], [3]. From the perspective of network dimension also, the KP protocols are perceived to be scalable. This is because, being distributed and localized, an increase in network dimension is not considered to increase computation, memory, messaging overhead per sensor. It is true that the KP protocols are scalable in terms of communication and computation overhead. However, it is questionable whether they are really scalable in terms of secure communication performance with respect to node density and network dimension. The focus of this paper is to conduct a thorough investigation to answer this question. B. Our Findings Our investigation reveals that contrary to the common perceptions, the KP protocols do not scale w.r.t. node density and network dimension from the perspective of secure communication performance. In order 3

4 to quantify secure communication performance, we define a new metric called Resilient Connectivity (RC), which is product of connectivity and resilience. RC has a strong physical meaning, which is the probability that two neighboring nodes are able to establish a secure pair-wise key between them under attacks (i.e., node capture attack and link monitor attack as discussed in Section II). In this paper, we rigorously derive a closed form expression for RC. Following this, we conduct a detailed analytical investigation on how the KP protocols scale w.r.t. node density and network dimension in terms of RC. Based on our analysis, we theoretically prove that RC does not monotonically increase with node density. Furthermore, we also prove that when node density grows very large, RC tends to zero (Theorem 3.1 in Section III). We then prove that when network dimension increases, RC monotonically decreases (Theorem 3.2 in Section III). A further finding of ours is that the above results are not limited to a particular protocol or choice of parameters. Rather, they hold true for a wide spectrum of the KP protocols, attack and network parameters. We then conduct extensive numerical studies on the scalability of the KP protocols in terms of secure communication performance (RC) w.r.t. node density (D) and network dimension (S) for different protocols under different attack and network parameters. We find that the above trends in RC vs. D and S are present in all scenarios. However, we observe that the trends are sensitive to different parameters. Our analysis demonstrates that deploying sensors in groups is an effective solution to enhance secure communication performance in networks with large network dimension. The fundamental explanation for our findings stems from the redundancy of keys in key pre-distribution. Clearly, redundancy helps the network side to overcome inherent randomness by enabling the discovery of more neighbors and proxies. However, this redundancy can itself be a double-edged sword. Malicious attackers can also use the increased redundancy as a potential vehicle to further increase attack impacts by disclosing more keys. Eventually, it may happen that the benefits of increased redundancy to the attacker outpace that to the network, causing performance degradation as the network scale (node density and network dimension) grows larger. 4

5 C. Significance of our Work Our work in this paper has broad significances. To the best of our knowledge, ours is the first work to conduct a detailed investigation on scalability of the protocols w.r.t. node density and network dimension in terms of secure communication performance. We believe that our findings are fundamental in nature and identify inherent limitations in key management in randomly deployed sensor networks. Our findings provide critical insights for both network deployers and protocol designers. Care should be taken during resource provisioning for deploying secure sensor networks under attacks. While the focus on protocol scalability in terms of communication and computation overhead is definitely important, we now show that it is equally (if not more) critical for designers to also consider protocol scalability from the perspective of secure communication performance. Our work in this paper also has quantitative significances. In some situations, network deployers may have some knowledge about attack occurrences and their intensities. Our closed form expressions can be complemented with existing optimization tools to derive optimum node densities and network dimensions to achieve best secure communication performance in sensor networks. Also, it is straightforward to apply our closed form expressions to study RC under other parameters like sensor s communication range, memory size etc. Finally, the significances of our work is not limited to sensor networks alone. They are applicable to other network systems, where redundancy can be exploited at both network and attacker side. An example is secure overlay forwarding systems [39], [4], [41], [42], [43], [44] where redundancy in system connectivity enables clients to find more paths to communicate with the server. However, redundancy in connectivity also enables the attacker to disclose the server rapidly (and subsequently attack it). Another example is overlay based file sharing systems, where popular content is replicated [45]. While content replication enhances load sharing among servers and faster service, it also can be exploited by the attacker to disrupt the system quality by corrupting such popular files. We believe that our work in this paper can be directly extended to such systems to understand their inherent trade-offs and provisioning corresponding resources carefully. 5

6 The rest of our paper is organized as follows. In Section II, we present discussions on the KP protocol, its variations, attack models and metrics used for secure communications. In Section III, we study how the KP protocols scale w.r.t. node density and network dimension. We present related work in Section IV and conclude our paper in Section V. II. KEY MANAGEMENT PROTOCOLS IN RANDOMLY DEPLOYED SENSOR NETWORKS In this section, we discuss existing protocols for key management in randomly deployed WSNs, attack models and performance metrics to evaluate them. A. Protocols Description The random key pre-distribution protocol: The first key management protocol for randomly deployed WSNs is the random key pre-distribution (RKP ) protocol [1]. There are two stages in RKP : key predistribution and pair-wise key establishment. At the key pre-distribution stage, each node is pre-distributed with k distinct keys randomly chosen from a large key pool of K keys, and nodes are deployed randomly in the network. In Fig. 1, we show a deployment instance consisting of 1 nodes, where k = 3 and K = 9. Nodes inside the circle are within the communication range (r) of node a. The pre-distributed keys for these nodes are also shown in Fig. 1. The values of k and K denote the degree of redundancy in key pre-distribution. The performance of the protocol is sensitive to these values. At the pair-wise key establishment stage, each node communicates with each physical neighbor, to establish a pair-wise key between themselves using pre-distributed keys. There are two cases here. If two physical neighbors already share a pre-distributed key (e.g., node a shares keys k 3 and k 2 with nodes b and e respectively), they can establish a pair-wise key between them directly. However, this may not happen frequently due to the randomness in key pre-distribution. If two physical neighbors do not share a pre-distributed key, they will use proxies for pair-wise key establishment between them. For example, nodes a and f use node b as a proxy between them (since nodes b and f share keys k 4, k 7 and are physical neighbors). Note that physical neighbors a and c cannot establish a pair-wise between them. This 6

7 f e b a d g r c a: {k 1, k 2, k 3 } b: {k 3, k 4, k 7 } c: {k 5, k 8, k 9 } d: {k 4, k 6, k 7 } e: {k 2, k 6, k 9 } f: {k 5, k 4, k 7 } g: {k 1, k 2, k 6 } Fig. 1. An initial deployment of sensors pre-distributed with keys. is because they do not share any pre-distributed key and cannot find any proxies. Clearly, the performance of RKP improves when more proxies can be discovered. Other KP Protocols: In [3], [4], [17], [31], the basic RKP protocol is extended by pre-distributing each sensor with k key structures (either polynomials or vectors) from a key structure pool of size K. When polynomial is used, each polynomial has degree λ. When λ =, the scheme degrades to the basic RKP. The advantage is that no polynomial is disclosed until at least λ + 1 nodes predistributed with this polynomial are captured, which significantly increases resilience. The authors in [35], [36], [37], [38] propose deterministic key pre-distribution (DKP ) based protocols to achieve better connectivity. Optimization design is used to deterministically pre-distribute keys in each sensor to increase the probability that two sensors share at least one key. However, in order to maintain high connectivity, k needs to be large, which will be exploited by the attacker. B. Attack Models The standard attack model used in secure communications in WSNs is one where the attacker does not attempt to disrupt network operation; rather it attempts to decipher sensor communications [1], [2], [3], [4]. As such, the attacker will launch two types of attacks. In node capture attack, the attacker will physically capture a certain percent of nodes in the network, and disclose their pre-distributed and pair-wise keys. In link monitor attack, the attacker also has the ability to monitor information on all network links immediately after deployment. Clearly, all communications to and from captured nodes can be deciphered by the attacker. Furthermore, by combining the disclosed pre-distributed keys and messages recorded, 7

8 the attacker can infer some pair-wise keys between other uncaptured nodes. For instance in Fig. 1, by capturing node b, the attacker automatically obtains the pair-wise key between nodes a and f (without capturing either node), since node b is the only proxy between them during pair-wise key establishment. When multiple key paths are used to establish a pair-wise key, this pair-wise key is not compromised unless all the key paths are compromised. When a key path is not compromised, it is called as a secure key path. We emphasize that the above attack model is the de-facto one used in almost all key management works and is not our contribution. C. Performance Metrics To evaluate the performance of key management protocols, two standard metrics are considered: Connectivity and Resilience. Connectivity is the probability that two physical neighbors are able to establish a pair-wise key between them. Note that while the above definition refers to local connectivity and is the standard metric, one could also define global connectivity as the probability that the entire network is securely connected, or as the number of nodes in the largest connected component of the secure network. Global connectivity can be inferred by local connectivity [46], we focus only on local connectivity (henceforth called connectivity) in this paper. The other performance metric is resilience, which is the probability that a pair-wise key between two nodes is not compromised. The overall goal of any key management protocol is to achieve high connectivity and resilience. III. SCALABILITY OF KEY PRE-DISTRIBUTION PROTOCOLS IN WSNS In this section, we first discuss our performance metric Resilient Connectivity (RC) and how to derive it. We then conduct a detailed analytical investigation on the scalability of the KP protocols with respect to node density (D) and network dimension (S) from the perspective of RC. A. Resilient Connectivity (RC) 1) Definition of RC: The traditional metrics to evaluate the performance of key management protocols have so far been connectivity and resilience. These two metrics are disjoint in the sense that the connectivity 8

9 metric itself measures only the probability that physical neighbors can establish pair-wise keys, irrespective of how secure these keys are from being compromised to the attacker. On the other hand, the resilience metric itself measures only how secure the established pair-wise keys between physical neighbors are from being compromised to the attacker, irrespective of the probability of physical neighbors actually establishing pair-wise keys between them. In order to quantify secure communication performance, we combine the above two metrics and define a new metric called Resilient Connectivity (RC). Formally, RC = Connectivity Resilience. There exists a strong physical meaning for RC, which is the probability that two physically neighboring sensors are able to communicate securely with each other under attacks. Clearly, RC naturally encompasses both connectivity and resilience, and is the metric to evaluate the scalability of KP protocols in terms of performance in this paper. 2) Derivation of RC: We first discuss the derivation of the expression of RC for the random key pre-distribution (RKP ) protocol as an example. The same methodology can be used to derive RC for the DKP protocols as well, which will be discussed later. In our analysis, the attack model used is the standard one as defined in Section II. In this model, all network links are monitored by the attacker, and a certain percentage of nodes (denoted as P c ) are captured by the attacker. We assume nodes are uniformly deployed, and nodes exchange information with neighbors within their communication range to establish key paths. We point out that the RKP protocol we consider is general, where polynomial degree λ, number of pre-distributed keys on each node k, size of key pool K and maximum number of proxies on a key path H can take any value. Table I defines the notations used in RC computation. Table II gives out the formulas in deriving RC. We present here a basic overview of the derivation process. In Table II, P [E A ] is the probability that an arbitrary node (say node a) cannot construct a secure key path to its physical neighbor (say node b) within a s communication disk (A). P [E A EA o ] is the probability that node b cannot construct a secure key path to node a given that node a cannot construct a secure key path to node b in the overlapped communication range (A o ) of nodes a and b. 9

10 TABLE I NOTATIONS FOR RC DERIVATION RC Resilient Connectivity D Expected number of nodes in a communication disk L Network dimension S The area of network, S = L L P c Probability for each node to be captured λ The polynomial degree H The maximum number of proxies on one key path A The area of communication disk, A = πr 2, where r is the communication range A o The expected overlapping area created by two communication disks of two neighboring nodes A o =.5865A [2] N The total number of nodes deployed, N = DS/A N c The number of nodes in the communication disk of a given sensor, 1 N c N 1 k The number of keys pre-distributed in each sensor K The total number of keys in the key pool E Ω The event that, given a pair of neighboring nodes a and b, node a can construct one secure key path to node b with all the proxies in the area Ω. E Ω denotes its negative E Ω The event that, given a pair of neighboring nodes a and b, node b can construct one secure key path to node a with all the proxies in the area Ω. E Ω denotes its negative E i Ω The event that a node can construct a secure key path with minimum hops i to a neighbor with all the proxies in the area Ω Ei sk The event that two nodes totally share i common pre-distributed keys Ei dis The event that all i shared keys between two nodes are disclosed to the attacker P [E] Probability of occurrence of event E Consequently, (1 P [E A ]P [EA EAo ]) is the probability that two arbitrary neighboring nodes a and b are able to construct a secure key path between them. This value, times the probability that nodes a and b are themselves not captured (i.e., (1 P c ) 2 ) is RC (for discussions on the further sequence of formulas in Table II, please refer to Appendix A). For the DKP protocols, we can follow the same derivation above except that we need to replace the expression of P [Ei sk ] in Table II (7) by the corresponding one determined by the DKP protocols (discussed in Appendix A). Remarks: Recall that RC is the product of connectivity and resilience. There have been some previous works that conduct rigorous analysis on connectivity [1], [3], [29]. However, no rigorous analysis on resilience has been conducted, except on the expected percent of disclosed pre-distributed keys. The primary difficulty is due to the significant complexities in considering the overlaps among multiple key 1

11 TABLE II RC COMPUTATION FORMULAS RC = (1 P c ) 2 (1 P [E A ]P [EA EA o ]), (1) where P [E A ] = 1 P [EA ] = 1 H i=1 P [EA i], (2) P [E A EAo ] = 1 H i=1 P [EA i ] H i=1 P [EA o i ] 1 H i=1 P [EA o, (3) i ] P [E 1] A = 1 ( ) k i= P [Ei sk ]P [Ei dis ], (4) P [E 2] A = (1 P [E 1]) [ A N 2 N c = F(N 2, N c, A) ( )] N c S n 1 =1 F(N c, n 1, P 1 )P 2 (n 1 ), (5) P [E i] A = (1 P [E 1]) [ A N 2 N c = F(N 2, N c, A) ( N c i+2 S n 1 =1 F(N c, n 1, P 1 ) )] (1 Ao P A [EA 1]) n 1 H(i 1, N c, n 1 ) (6) P [Ei sk ] = ( )( K K i )( 2(k i) ) ( i 2(k i) k i / K ) 2, k (7) P [Ei dis ] = K m=i F(K, m, P dis) ( ) ( m i / K ) i, (8) P dis = P c DS/A i=λ+1 F(P c DS/A, i, k ), (9) K F(N 1, N 2, p) = ( N 1 ) N 2 p N 2 (1 p) N 1 N 2, (1) H(i j, N c, n 1, n 2,, n j ) = n max j+1 n j+1 =1 P 3 (n j+1 )H(i j 1, N c, n 1,, n j+1 ), for 1 j i 2, (11) H(1, N c, n 1,, n i 1 ) = 1 (1 A o P [E 1]/A) A n i 1, (12) P 1 = P [E 1](1 A P c ), (13) P 2 (n 1 ) = 1 (1 A o P [E 1]/A) A n 1, (14) P 3 (n i ) = F(N c i 1 j=1 n j, n i, 1 (1 A o P [E 1]/A) A n i 1 )(1 A o P [E 1]/A) A n i. (15) paths. In this paper, we have rigorously derived RC, which encompasses the analysis of both connectivity and resilience. To the best of our knowledge, ours is the first work to do so. B. Scalability w.r.t. Node Density 1) Theoretical Findings: Having discussed RC derivation above, we are now ready to present our first finding on the scalability of the KP protocols w.r.t. node density in terms of RC. Based on the derivation formulas of RC in Section III.A, we are able to treat RC as a function of node density D, given other variables, e.g., P c, A, etc., are decided. RC is then denoted as RC(D). We obtain the following theorem: Theorem 3.1: For any KP protocol (k, K, λ, H), any network parameters (S, A) and any attack intensity (P c > ), (1) D 1, D 2 : D 1, D 2 (, + ), D 1 > D 2 : RC(D 1 ) < RC(D 2 ); (2) lim D + RC(D) =. (Please refer to Appendix B for proof.) 11

12 .6 RC D P c.2 RC D K 4 5 x 1 4 Fig. 2. RC vs. D under different P c Fig. 3. RC vs. D under different K Theorem 3.1 first states that for any non-zero node capture probability P c, the performance of the KP protocols does not always increase with node density D. There exists densities D 1 and D 2, where RC at a smaller node density is higher than RC at larger node density for any protocol and network parameters. The second point of this theorem states that RC tends to zero when D tends to. It implies there is a finite value of node density D to achieve optimal performance for any KP protocol. This theorem reveals the KP protocols are not scalable w.r.t. node density in terms of secure communication performance. 2) Numerical Results: In the following, we conduct an extensive numerical study on the sensitivity of resilient connectivity (RC) to node density (D) for different protocols under varying node capture probabilities (P c ), number of keys (k, K), maximum number of proxies used (H) and key polynomial degree (λ). Furthermore, we also demonstrate the soundness of numerical data by comparing its fidelity with simulation data. Unless otherwise stated, the following are default values for the various parameters: S = 1m 1m, r = 1m, D = 15, k = 1, K = 3, P c =.5, H =, λ =. The first observation we make from Figs. 2 to 8 is that RC does not monotonically increase with D. Secondly, in all figures we observe that there is a particular point in the density, beyond which RC monotonically decreases. We denote this D as density threshold D th. As we can see, D th is sensitive to different parameters and protocols. We explain this phenomenon in the following. In Figs. 2, 3, 4 and 5, we study RC vs. D under different P c, K, k and H respectively. In Fig. 2, 12

13 RC (%) 4 3 RC D k D H 1 Fig. 4. RC vs. D under different k Fig. 5. RC vs. D under different H when P c is large, RC starts to decrease from much lower values in D. This is because a large P c means a powerful attacker. Increasing density means the attacker can capture more nodes and disclose more keys. Consequently D th is low (near zero) when P c is large. However, when P c decreases it implies a moderate attacker. Increasing density (up to a point) will better facilitate the network side, and D th consequently increases. For instance, in Fig. 2, when P c =.5, RC increases up to D th = 15 before decreasing. When P c decreases further it implies a very mild attacker and D th further increases. In Figs. 3 and 5, we see that when K and H are small, D th is small. This is once again because attack impacts are stronger leading to more pair-wise keys compromised under smaller K (key pool size) and smaller H (number of proxies) even at low densities. Increasing density further will better facilitate the attacker. When K and H are large, the attacker effectiveness decreases, which naturally increases D th. We point out that there is a relationship between K and k from the perspective of key disclosure. A small k means fewer keys are disclosed, while large k means more keys are disclosed. This effect is opposite as that of K. In Fig. 4, we show the sensitivity of RC to D under different k. The trend is that, when k is small D th is large, and when k is large D th is small. In order to demonstrate the soundness of our analysis, we report data comparing of numerical and simulation data for the case of RC vs. P c in Fig. 6 (other parameters are default). As we can see, the numerical data match very well with simulation data. In Fig. 7, we study RC vs. D for the RKP protocol with different λ. As we can see, the fundamental 13

14 RC P c +: analysis o: simulation RC x : * :. : o : + : λ = 9 λ = 19 λ = 24 λ = 32 λ = D RC : p c =.5 o: p c =.1 *: p c =.15 x: p c = D Fig. 6. Comparison of analysis and simulation data of RC under different P c Fig. 7. RC vs. D under different λ Fig. 8. RC vs. D under different P c for DKP trade-off in RC vs. D exists in all cases. Recall from Section II that a polynomial is compromised if at least λ+1 nodes pre-distributed with this polynomial are captured. A small λ means even mild attack (low node density) can compromise many polynomials. Therefore, when λ is small D th is small, and when λ is large D th is large in Fig. 7. In Fig. 8, we study RC vs. D for DKP protocol [38] under different P c. Similar to the trend in the RKP, when P c is large D th is small, and D th increases when P c decreases. Note that in our studies here so far, we have been using a basic communication model, where the communication range is a circular disc for all sensors. In the following, we conduct further investigations on RC vs. D under irregular communication model. The irregular communication model we use is the Degree of Irregularity (DOI) model [47]. In this model, there exist a lower bound (r min ) and an upper bound (r max ) for communication range. The real communication range at a specific direction of a specific sensor node is a random variable distributed within the lower and upper bounds. In this model, we have a parameter (DOI) which denotes the irregularity of the communication range. The DOI is defined as the maximum communication range difference per unit degree change in the radio direction. We note that no matter what the value of DOI is, communication range can be treated as a random variable uniformly distributed within the range of [r min, r max ]. Our analysis only cares about the average size of the communication range, so our analysis above can be applied directly. If we denote r eff as the effective (average) communication range under DOI model, it can be derived by 1 r max r min rmax r=r min πr 2 dr = πr 2 eff. In Figs. 9 and 1, we study the RC vs. D for the RKP protocol with different P c under DOI model. We set r min = 5m and r max = 15m. In Fig. 9, we find that the RC vs. D for the RKP protocol with 14

15 .9.8 +: analysis o: simulation RC.4 RC D P.15 c P c Fig. 9. RC vs. D under different P c with DOI model Fig. 1. Comparison of analysis and simulation data of RC under different P c with DOI model different P c under DOI model is similar to that under unit disk model in Fig. 2. When P c is large, D th is low, while D th increases when P c decreases. In Fig. 1, we compare our numerical results in Fig. 9 with the simulation (D = 15). In the simulation, we set r = r eff = 1.41m, which is calculated based on the analysis above. We find that the numerical data match very well with simulation data. Remarks: In the above, we conducted detailed analysis and simulations to demonstrate the trade-off in RC vs. D. We observed that our findings hold true in a wide spectrum of protocols, attack and system parameters. The key reason for this stems from the redundancy in key pre-distribution amplified by high node density, which can be a double edged-sword. While redundancy helps the network side, it can also be exploited by attacker, resulting in the fundamental and unavoidable trade-off discussed above. We wish to emphasize here an important observation we make from the above figures. Note that RC decreases monotonically beyond D th in all figures. We further notice that there is only one D th at which RC is maximum in all figures. Towards this extent, we state the following conjecture: Conjecture: For any KP protocol (k, K, λ, H), any network parameters (S, A) and any attack intensity (P c > ), (1) there is one and only one maximum RC for D (, + ); (2) D th : ( D 1, D 2 : D 1 > D 2 > D th : RC(D 1 ) < RC(D 2 )). A rigorous proof of this conjecture is too hard if not impossible. We provide an informal argument 15

16 below. An increase in node density will help both the network and the attacker. From the perspective of RC, it translates to improved connectivity or decreased resilience respectively. The overall impact to RC is contingent on which factor dominates: connectivity improvement or resilience degradation. Considering that there is an upper bound of connectivity in the network (at most one) that increased density can achieve, there is a point from which degradation in resilience begins to always dominate with increase in density, resulting in a density threshold (D th ). However as our data shows, the value of D th itself is sensitive to the protocol, attack, network parameters. C. Scalability w.r.t. Network Dimension 1) Theoretical Findings: Based on our earlier discussions on RC in Section III-B, we can see that RC is dependent on network dimension S. In the following, we denote RC(S) as the resilient connectivity for a network with dimension S, given all other parameters are decided. We now have the following theorem. Theorem 3.2: For any KP protocol (k, K, λ, H), any network parameters (S, A) and any attack intensity (P c > ), S 1, S 2 : S 1 > S 2, RC(S 1 ) < RC(S 2 ). (Please refer to Appendix B for proof.) Theorem 3.2 states that for any non-zero node capture probability P c, the secure communication performance for any KP protocol monotonically decreases as network dimension increases for any protocol and network parameters. It reveals that any KP protocol is not scalable with network dimension in terms of secure communication performance. In the following, we conduct a numerical study on the sensitivity of resilient connectivity (RC) to network dimension (S = L L) under different density D. Other parameters are set as default. First, in Fig. 11, we observe that RC monotonically decreases as L increases for all D. We also see that density threshold D th (discussed earlier) decreases as L increases. This is because when network dimension is larger, more nodes are captured, resulting in more powerful attack impacts (even at low densities). Consequently RC decreases from an early D th as L increases. When L decreases, D th naturally increases. Data to compare fidelity of numerical data with experimental data is shown in Fig. 9. As we can see, 16

17 .9.8 +: analysis o: simulation RC D L 2 RC L RC : p c =.5 o: p c =.1 *: p c =.15 x: p c = L/L grid Fig. 11. RC vs. L under different D Fig. 12. Comparison of analysis and simulation data of RC under different L different P Fig. 13. RC vs. group dimension under c : analysis o: simulation.8.6 RC RC D L L Fig. 14. RC vs. L under different D with DOI model Fig. 15. Comparison of analysis and simulation data of RC under different L with DOI model both data match very well, demonstrating the soundness of our analysis. We also study the effect of DOI model here. In Figs. 14 and 15, we show the sensitivity of resilient connectivity (RC) to network dimension under different density D with DOI model. We also set r min = 5m, r max = 15m and have r eff = 1.41m. We have the same observation as that for Figs. 11 and 12. 2) Group Deployment: In many sensor network applications today, large areas of deployment are becoming realities. However, Theorem 3.2 shows that RC degrades with increasing network dimension L. In the following, we discuss how to alleviate this problem. Recently, the idea of group deployment has been proposed for sensor networks [8], [2]. Here, sensors are deployed independently in groups, where the knowledge as to which sensor belongs to which group is known a priori, which can be exploited to improve performance with fewer keys pre-distributed in a node. Generally, sensors in the same group share the same key pool, while sensors in different groups share different key pools. Thus the capture of 17

18 nodes in one group will not affect the pair-wise keys established in other groups. However, in order to facilitate the pair-wise key establishment between two nodes from two adjacent groups, the key pools of two adjacent groups have certain overlap. Note that there are two types of relationships between any two adjacent groups here. They can be edge adjacent or corner adjacent. The derivation of RC in the case of group deployment is different from RC in one-time deployment. In one-time deployment, sensors are deployed at one time and not in groups. This was the case we discussed earlier in Section III. A and B. Care should be taken to consider these overlaps, and relationships of adjacent edges. The formula for RC under group deployment is presented in Appendix C. Here, we only show numerical results on sensitivity of RC to group deployment. In Fig. 13, we study the sensitivity of KP protocol performance to group dimension L grid under different P c. Note that when L grid = L, there is only one group (one-time deployment). In our data here, we set the percent of key overlaps among edge adjacent grids as α =.2 and the percent of key overlaps among corner adjacent grids β =.5, which are representative values as discussed in [8]. All other parameters are default (as given in Section III-B.2). In Fig. 13, L grid denotes the dimension of each group. First, we observe that deploying sensors in groups improves performance compared to one-time deployment. We also observe that RC increases with more groups (smaller L grid ). This is because, the number of nodes sharing a single key pool is decreased, which increases resilience, hence increasing RC. However, there is a limit beyond which increase in RC is negligible. In Fig. 13, the upper bound for RC is reached when L/L grid = 5 (i.e., L grid = 2m). Remarks: To summarize our findings here, secure communication performance monotonically decreases as network dimension increases for any protocol, attack and network parameters. Group deployment is an effective way to enhance scalability of the KP protocols to a certain degree. By minimizing the chances of intra group key disclosures, much better secure communication performance can be obtained even in large networks. However, there is an upper bound on the number of groups, beyond which performance improvement is negligible. Note that, an increase in number of groups increases deployment 18

19 cost. Consequently, there is a trade-off between secure communication performance and deployment cost in this realm. IV. RELATED WORK Our discussions so far have focused on a broad spectrum of key pre-distribution protocols in randomly deployed WSNs across various network and attack parameters. In the following, we further discuss some important related work in the areas of key management and sensor network scaling effects. A host of recent works have appeared that orthogonally discuss extensions to the basic RKP protocol to improve performance. Power control, mobilit, channel diversity and network hierarchy are proposed in [9], [13], [32], [33] to enhance the security performance under various sensor hardware and network topology assumptions. In a recent work, we proposed the methodology of network decoupling to release strong constraints in key path construction in RKP protocol, greatly enhancing its performance in non-highly dense networks [34]. However, we point out that while all of the above works improve key establishment across some respects, they are all subject to scalability problems in terms of secure communication performance when node density and network dimension increases. In random key pre-distribution, another inherent trade-off exists between connectivity, resilience and storage overhead under different values of k and K. Intuitively, connectivity can be improved by either increasing k or decreasing K. When the difference between k and K is smaller, the probability that two physically neighboring nodes share at least one key increases, which increases connectivity (with an increase in storage overhead due to larger k). On the other hand, it has been revealed in [2] that increasing k or decreasing K may compromise resilience. This is because, when certain number of nodes are captured, a larger percent of pre-distributed keys are disclosed which naturally decreases the resilience. Our work is different in the sense that we study the trade-offs in key management introduced due to network scale (node density and network dimension), which is orthogonal to the trade-off due to k and K. Finally, there have been some works showing the negative effects of over-provisioning nodes in other aspects of sensor networks performance. In [48], it is shown that per node throughput asymptotically 19

20 reaches zero as number of nodes increases in the network, due to contention of the wireless medium. In works like [49], the impacts of node number on collisions is investigated, and mechanisms are suggested to alleviate collision issues. We wish to point out that our work is orthogonal to the above, in that we are focusing on the downside of network scale in terms of security in sensor networks, and how malicious attackers can exploit resources, which has not been addressed before. V. FINAL REMARKS In this paper, we have conducted a detailed investigation on scalability of key pre-distribution protocols in randomly deployed WSNs from the perspective of secure communication performance w.r.t. node density and network dimension. Contrary to the common perception, we find that the key pre-distribution protocols are not scalable in terms of secure communication performance. The rationale of our findings stems from the redundancy in key pre-distribution, which can be exploited by the attacker. Our findings provide important foundations in design and deployment of secure sensor networks, and other network systems like secure overlay forwarding systems and file sharing systems. REFERENCES [1] L. Eschenauer and V. D. Gligor, A key-management scheme for distributed sensor networks, in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS), November 22. [2] H. Chan, A. Perrig, and D. Song, Random key predistribution schemes for sensor networks, in Proceedings of IEEE Symposium on Research in Security and Privacy, May 23. [3] W. Du, J. Deng, Y. S. Han, and P. K. Varshney, A pairwise key pre-distribution scheme for wireless sensor networks, in Proceedings of the 1th ACM Conference on Computer and Communications Security (CCS), October 23. [4] D. Liu and P. Ning, Establishing pairwise keys in distributed sensor networks, in Proceedings of the 1th ACM Conference on Computer and Communications Security (CCS), October 23. [5] S. Zhu, S. Xu, S. Setia, and S. Jajodia, Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach, in Proceedings of the 11th IEEE International Conference on Network Protocols (ICNP), November 23. [6] D. Liu and P. Ning, Location-based pairwise key establishments for relatively static sensor networks, in Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), October 23. 2

21 [7] R. D. Pietro, L. V. Mancini, and A. Mei, Random key-assignment for secure wireless sensor networks, in Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), October 23. [8] W. Du, J. Deng, Y. Han, S. Chen, and P. Varshney, A key management scheme for wireless sensor networks using deployment knowledge, in Proceedings of the 23rd IEEE Conference on Computer Communications (INFOCOM), March 24. [9] J. Hwang and Y. Kim, Revisiting random key pre-distribution schemes for wireless sensor networks, in Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), October 24. [1] R. D. Pietro, L. Mancini, A. Mei, A. Panconesi, and J. Radhakrishnan, Connectivity properties of secure wireless sensor networks, in Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), October 24. [11] D. Huang, M. Mehta, D. Medhi, and L. Harn, Location-aware key management scheme for wireless sensor networks, in Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), October 24. [12] R. D. Pietro, L. V. Mancini, and A. Mei, Efficient and resilient key discovery based on pseudo-random key pre-deployment, in Proceedings of the 18th IEEE International Parallel and Distributed Processing Symposium (IPDPS), April 24. [13] Y. Mao and M. Wu, Coordinated sensor deployment for improving secure communications and sensing coverage, in Proceedings of the 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), November 25. [14] T. Ito, H. Ohta, N. Matsuda, and T. Yoneda, A key pre-distribution scheme for secure sensor networks using probability density function of node deployment, in Proceedings of the 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), November 25. [15] H. Chan and A. Perrig, Pike: peer intermediaries for key establishment, in Proceedings of the 24th IEEE Conference on Computer Communications (INFOCOM), March 25. [16] P. Tague, J. Lee, and R. Poovendran, A set-covering approach for modeling attacks on key predistribution in wireless sensor networks, in Proceedings of the 3rd IEEE International Conference on Intelligent Sensing and Information Processing (ICISIP), December 25. [17] F. Delgosha and F. Fekri, Key predistribution in wireless sensor networks using multivariate polynomials, in Proceedings of the 2nd IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON), September 25. [18] Z. Yu and Y. Guan, A key pre-distribution scheme using deployment knowledge for wireless sensor networks, in Proceedings of the 4th International Conference on Information Processing in Sensor Networks (IPSN), April 25. [19] L. Zhou, J. Ni, and C. V. Ravishankar, Efficient key establishment for group-based wireless sensor deployments, in Proceedings of ACM Workshop on Wireless Security (WiSe), September 25. [2] D. Liu, P. Ning, and W. Du, Group-based key pre-distribution in wireless sensor networks, in Proceedings of ACM Workshop on Wireless Security (WiSe), September 25. [21] S. Chan, R. Poovendran, and M. Sun, A key management scheme in distributed sensor networks using attack probabilities, in Proceedings of IEEE Global Telecommunications Conference (Globecom), November-December 25. [22] G. Li, H. Ling, and T. Znati, Path key establishment using multiple secured paths in wireless sensor networks, in Proceedings of the 1st Conference on Future Networking Technologies (CoNEXT), October 25. [23] D. Huang and D. Medhi, A byzantine resilient multi-path key establishment scheme and its robustness analysis for sensor networks, 21

22 in Proceedings of the 5th IEEE International Workshop on Algorithms for Wireless, Mobile, Ad Hoc and Sensor Networks (WMAN), April 25. [24] D. Huang, M. Mehta, and D. Medhi, Source routing based pairwise key establishment protocol for sensor networks, in Proceedings of the 24th IEEE International Performance Computing and Communications Conference (IPCCC), April 25. [25] M. Mehta, D. Huang, and L. Harn, Rink-rkp: a scheme for key predistribution and shared-key discovery in sensor networks, in Proceedings of the 24th IEEE International Performance Computing and Communications Conference (IPCCC), April 25. [26] Y. Zhou, Y. Zhang, and Y. Fang, Llk: a link-layer key establishment scheme for wireless sensor networks, in Proceedings of IEEE Wireless Communications and Networking Conference (WCNC), March 25. [27] Y. Cheng and D. P. Agrawal, Efficient pairwise key establishment and management in static wireless sensor networks, in Proceedings of 2nd IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS), November 25. [28] J. Park, Z. Kim, and K. Kim, State-based key management scheme for wireless sensor networks, in Proceedings of the International Workshop on Wireless and Sensor Networks Security (WSNS), November 25. [29] D. Huang, M. Mehta, D. Medhi, and L. Harn. (25, March) Modeling pairwise key establishment for random key predistribution in large-scale sensor networks. [Online]. Available: pair-wise key establishment schemes-v2.pdf [3] S. A. Camtepe and B. Yener, Key distribution mechanisms for wireless sensor networks: a survey, Technical Report, Computer Science Department, Rensselaer Polytechnic Institute, March 25. [31] F. Delgosha and F. Fekri, Threshold key-establishment in distributed sensor networks using a multivariate scheme, in Proceedings of the 25th IEEE Conference on Computer Communications (INFOCOM), April 26. [32] M. Miller and N. Vaidya, Leveraging channel diversity for key establishment in wireless sensor networks, in Proceedings of the 25th IEEE Conference on Computer Communications (INFOCOM), April 26. [33] P. Traynor, H. Choi, G. Cao, S. Zhu, and T. L. Porta, Establishing pair-wise keys in heterogeneous sensor networks, in Proceedings of the 25th IEEE Conference on Computer Communications (INFOCOM), April 26. [34] W. Gu, X. Bai, S. Chellappan, and D. Xuan, Nework decoupling for secure communications in sensor networks, in Proceedings of the 14th IEEE International Workshop on Quality of Service (IWQoS), June 26. [35] J. Lee and D. R. Stinson, Deterministic key predistribution schemes for distributed sensor networks, in Proceedings of the 11th workshop on Selected Areas in Cryptography (SAC), August 24. [36] R. Wei and J. Wu, Product construction of key distribution schemes for sensor networks, in Proceedings of the 11th workshop on Selected Areas in Cryptography (SAC), August 24. [37] S. A. Camtepe and B. Yener, Combinatorial design of key distribution mechanisms for wireless sensor networks, in Proceedings of the 9th European Symposium On Research in Computer Security (ESORICS), September 24. [38] J. Lee and D. R. Stinson, A combinatorial approach to key predistribution for distributed sensor networks, in Proceedings of IEEE Wireless Communications and Networking Conference (WCNC), March

23 [39] A. D. Keromytis, V. Misra, and D. Rubenstein, Sos: secure overlay services, in Proceedings of the 2th Special Interest Group on Data Communications (SIGCOMM), August 22. [4] D. G. Andersen, Mayday: Distributed filtering for internet services, in Proceedings of the 4th USENIX Symposium on Internet Technologies and Systems (USITS), March 23. [41] K. Lakshminarayanan, D. Adkins, A. Perrig, and I. Stoica, Taming ip packet flooding attacks, ACM Computer Communication Review, vol. 34, no. 1, pp. 45 5, 24. [42] T. Bu, S. Norden, and T. Y. C. Woo, Trading resiliency for security: Model and algorithms, in Proceedings of the 12th IEEE International Conference on Network Protocols (ICNP), October 24. [43] D. Xuan, S. Chellappan, X. Wang, and S. Wang, Analyzing the secure overlay services architecture under intelligent ddos attacks, in Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS), March 24. [44] X. Wang, S. Chellappan, C. Boyer, and D. Xuan, On the effectiveness of secure overlay forwarding systems under intelligent distributed dos attacks, to appear in IEEE Transactions on Parallel and Distributed Systems, 26. [45] S. Rhea, B. Godfrey, B. Karp, J. Kubiatowicz, S. Ratnasamy, S. Shenker, I. Stoica, and H. Yu, Opendht: A public dht service and its uses, in Proceedings of the ACM Special Interest Group on Data Communications (SIGCOMM), 25. [46] J. Spencer, The Strange Logic of Random Graphs, Algorithms and Combinatorics 22. Springer-Verlag, 2. [47] T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. F. Abdelzaher, Range-free localization schemes for large scale sensor networks, in Proceedings of the 9th Annual International Conference on Mobile Computing and Networking (Mobicom), September 23. [48] P. Gupta and P. R. Kumar, The capacity of wireless networks, IEEE Transactions on Information Theory, vol. IT-46, no. 2, pp , 2. [49] W. Ye, J. Heidemann, and D. Estrin, An energy-efficient mac protocol for wireless sensor networks, in Proceedings of the 21st International Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), June 22. APPENDIX A. Theoretical Derivation for RC Recall that RC denotes the probability that two physical neighbors are able to communicate securely with each other under attacks. From Table II, we have, RC = (1 P c ) 2 (1 P [E A ]P [EA EA o ]), where P [EA ] is the probability that an arbitrary node (node a) cannot construct a secure key path to its physical neighbor (node b) within a s communication disk (A). P [E A EA o] is the probability that node b cannot construct a secure key path to node a given that node a cannot construct a secure key path to node b in the overlapped communication range (A o ) of nodes a and b. 23

24 We introduce a new term, P [E A o ], which is the probability that node a can construct a secure key path to node b with all the proxies along the path within the overlapping communication disks (A o ) of these two nodes. We have P [E A EA ] = P [EA EA o definition of E i Ω, we have the expression in Table II (2). ]. We first derive P [EA ]. We have P [EA ] = 1 P [EA ]. Based on We now derive P [E A EA o]. We have P [EA EA o ] = 1 P [EA E A o ] = 1 P [EA E A o ]. By Bayer s Theorem, P [E ] A can also be represented as P [E ] A = P [E A o ]P [E E A A o ]+ P [E Ao ]P [EA E Ao ], where P [EA o ] = H i=1 P [EAo i ] and P [E A E Ao ] = 1 (A o is a subset of A). Therefore, we obtain the expression in Table II (3). Now we derive P [E i A ] and P [EA o i ]. Recall that P [EA i ] is the probability that node a can construct a secure key path to a physical neighbor node b within the communication disk of node a with minimum hops i given both nodes a and b are uncaptured. The expression for this when i = 1 is given by Table II (4). The probability that, given two nodes within the communication disk of node a, denoted as nodes b and c, node b is a physical neighbor of node c and node b shares at least one pre-distributed key with node c, is A o P [E 1]/A. A This will be used in deriving P [E i A ] (i > 1) below. In order to derive P [EA i ] (i > 1), we divide the nodes in the communication disk of node a (except nodes a and b) into disjoint groups G(a, j) (j 1). A node s is in group G(a, j) if node a can construct a secure key path from itself to node s within the communication disk of node a with minimum j hops. We first derive P [E A 2]. Considering there are N 2 other nodes in the network excluding nodes a and b, the probability that there are N c nodes, excluding node b, in the communication disk of node a is F(N 2, N c, A/S). Recall F(N 1, N 2, p) = ( N 1 N 2 ) p N 2 (1 p) N 1 N 2. Notice N c is the number of physical neighbors, excluding node b, of node a. Given N c nodes in the communication disk of node a, the probability that there are n 1 (1 n 1 N c ) uncaptured nodes in G(a, 1) is F(N c, n 1, P 1 ), in which P 1 denotes P [E A 1](1 P c ). The probability that at least one of these n 1 nodes shares key with node b and is a physical neighbor of node b is 1 (1 A o P [E A 1]/A) n1, which is denoted as P 2 (n 1 ) in our expression. Hence, we have the expression in Table II (5). 24

25 We now analyze P [E i A ] for i > 2. Given there are N c nodes in the communication disk of node a, excluding node b, the probability that there are n 1 (1 n 1 N c (i 2)) uncaptured nodes in G(a, 1) is F(N c, n 1, P 1 )(1 A o P [E 1]/A) A n 1. Notice there is at least one uncaptured node in G(a, j) (2 j i 1), so n 1 can be N c (i 2) at most. Besides there is no secure key path between nodes a and b within the communication disk of node a with fewer than i hops. We denote H(i j, N c, n 1,, n j ) (1 j i 1) as the probability that there is at least one secure key path from a node in G(a, j) to node b with minimum hops i j, given N c nodes excluding node b in the communication disk of node a and n l nodes in G(a, l) (1 l j). Then we obtain the expression in Table II (6). The expression of H(i j, N c, n 1,, n j ) (1 j i 1) can be derived in an iterative way. Given there are n j (1 j i 1) nodes in G(a, j) (1 j i 1), the number of nodes in G(a, j + 1) is at most N c j l=1 n l (i j 2), which is denoted by n max j+1. We further notice that, the probability there are n i uncaptured nodes in G(a, i) is given in Table II (15). Therefore, the probability that there is at least one secure key path from a node in G(a, j) to node b with minimum hops i j, given N c nodes excluding node b in the communication disk of node a and n l (1 l j) nodes in G(a, l) (1 l j), is given in Table II (11). According to the definition, H(1, N c, n 1,, n i 1 ) is the probability that there is at least one secure key path from a node in G(a, i 1) to node b with minimum hop 1, given N c nodes excluding node b in the communication disk of node a and n j (1 j i 1) nodes in G(a, j) (1 j i 1). This is also the probability that at least one node in G(a, i 1) shares a key with node b and is a physical neighbor of node b. Therefore, we have the expression in Table II (12). We now derive P [E Ao i ]. Recall that P [EAo i ] is the probability that a node can construct a secure key path to a physical neighbor node within the overlapped communication disks of both nodes, with minimum of i hops given both nodes are uncaptured. Consequently, instead of considering the total communication disk A, we only need to consider the overlapped area A o, where A o =.5865A [2]. The derivation of P [E Ao i ] thus is the same as that for P [E i A ] except that we replace A by A o. As shown above, P [E i A ] is the function 25

26 of P [E 1], A which in turn depends on P [Ei sk ] and P [Ei dis ]. In random key pre-distribution (RKP ) based scheme, the probability for any two nodes to share i keys is given in Table II (7). For deterministic key pre-distribution (DKP ) based scheme utilizing µ CID [38], it is given by P [E sk 1 ] = k( K 1)/(K 1), P [E sk ] = 1 k( K 1)/(K 1), and all other P [E sk i ] = (i > 1). The expression of P [Ei dis ] is given in Table II (8), where P dis is the probability that any single key is disclosed. Since there are N nodes in the network, we have the expression in Table II (9), where P c N is the expected number of captured nodes. By substituting P [E i A ] and P [EA o i ] into Table II (3). we can obtain P [EA EA o ],, hence arriving at the closed form expression for RC in Table II (1). B. Proof Sketches for Theorems 3.1 and 3.2 Proof of Theorem 3.1: To prove this theorem, we need to show that for any protocol and parameters P c >, S, A, k, K, λ, H, the following inequalities are true (1) lim D + RC = and (2) lim D RC >. When D +, P dis 1. Then K dis m for m < K and K dis m 1 for m = K. Therefore, P [Ei dis ] 1 for all i. Also we have P [E A 1] and P [E A o 1 ]. So P [EA i ] and P [EA o i ] for all i > 1. Therefore, both P [EA ] and P [E A o ]. Hence, RC. When D, we have P dis. Then Km dis for m > and Km dis 1 when m =. Therefore, P [E dis i ] for i > and P [E dis ] 1 when i =. Hence, P [E 1] A 1 P [E sk ], which is a positive constant decided by k and K. Recall P [E 1] A = P [E A o 1 ]. Hence, P [EA o 1 ] also approaches the same positive constant. Notice that P [E i A ] and P [EAo] for any i > 1 are non-negative. Hence, RC approaches a positive constant. Proof of Theorem 3.2: To prove this theorem, we notice that when S increases, P dis increases, which means the probability of key discloser increases. Therefore, P [Ei dis ] increases, and P [E 1] A decreases, which means the probability that a physical link between two neighboring nodes is secure under attack decreases. Under fixed node density, number of available key paths diminishes and RC decreases. i i C. Derivation of RC for Group Deployment The network model in our analysis is shown in Fig. 16. The network is divided into multiple grids, in 26

27 Fig. 16. Network model in group deployment analysis. The four edge-adjacent neighboring grids for Grid i,j are Grid i 1,j,Grid i+1,j, Grid i,j 1 and Grid i,j+1. The four corner-adjacent neighboring grids for Grid i,j are Grid i 1,j 1, Grid i+1,j+1, Grid i+1,j 1 and Grid i 1,j+1. We divide each square into nine small areas that can be classified into three types (type 1, 2 and 3) with different shadings. each of which a group of sensors are uniformly deployed. We consider each grid to be square in shape. Each grid, ignoring those at the boundary, has four edge-adjacent neighboring grids and four corneradjacent neighboring grids. As before, each node in a grid is pre-distributed with k keys randomly chosen from a key pool of size K. Typically, the key pools for different grids are the same in size and may have some overlap among them. Based on the work in [8], the key pools of any two edge-adjacent neighboring grids have αk keys in overlap, and that of any two corner-adjacent neighboring grids have βk keys in overlap. Any single key exists in at most two different grid key pools. Sensors construct key paths in the same way as the traditional RKP based protocol. There are three types of neighbors for a node: (1) both the node and its neighbor are in the same grid, (2) in edge-adjacent grids and (3) in corner-adjacent grids. Clearly, what types of neighbors two nodes belong to depends on their positions in their grid. Hence, the overall resilient connectivity (RC) in group deployment is composed of RC derived from these three types of node neighbors. Therefore, we have the expression for RC in Table IV. Table III gives the notations used in deriving RC for group deployment, which is illustrated in Table IV. In the following, we will describe the detailed derivation. First, we derive P [E A,i 1], in that, we consider type i (1 i 3) neighbors now. We denote s as an arbitrary node, and denote s as a type i neighbor of node s. We need to consider the case where node s resides in type j (1 j 3) area individually, which is given in the expression of P [E A,i 1] in Table IV. 27