Key predistribution schemes for wireless sensor networks based on combinations of orthogonal arrays

Key predistribution schemes for wireless sensor networks based on combinations of orthogonal arrays

Ad Hoc Networks 73 (2018) 40–50 Contents lists available at ScienceDirect Ad Hoc Networks journal homepage: www.elsevier.com/locate/adhoc Key predi...

1009KB Sizes 0 Downloads 43 Views

Ad Hoc Networks 73 (2018) 40–50

Contents lists available at ScienceDirect

Ad Hoc Networks journal homepage: www.elsevier.com/locate/adhoc

Key predistribution schemes for wireless sensor networks based on combinations of orthogonal arraysR Qiang Gao a,b,∗, Wenping Ma b, Wei Luo b a b

College of Mathematics and Information Science, Henan Normal University, Xinxiang, 453007, China State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, 710071, China

a r t i c l e

i n f o

Article history: Received 21 December 2016 Revised 6 November 2017 Accepted 14 February 2018 Available online 15 February 2018 Keywords: Wireless sensor network Key predistribution scheme Combinatorial design Orthogonal array

a b s t r a c t In general, combinatorial key predistribution schemes (KPSs) have higher local connectivity but lower resilience against a node capture attack than random KPSs for a given key storage. We seek to find an approach to improving the weakness of combinatorial KPSs while maintaining the strength as much as possible. In this paper, by combining a class of saturated symmetric orthogonal arrays (OAs), a family of KPSs are proposed and the explicit formulas for local connectivity and resilience of the resulting KPSs are also derived. KPSs are typically designed to provide a trade-off between the key storage, the local connectivity and the resilience. It is found that in the resulting schemes, any two nodes can communicate directly with each other and for a given key storage, the resilience against node capture increases as the number of OAs increases so that the resilience can be enhanced without degrading the other two metrics.

1. Introduction WSNs have a wide range of applications [1], including environmental monitoring, health care, traffic control, target tracking and military purposes and so on. These applications require that communications in WSNs must be secure. However, the sensor nodes in WSNs have restricted resources such as battery power, storage and computational capabilities and so on. Hence, for many WSNs, public key cryptography is unsuitable due to its expensive computational costs. A recommended approach is to make use of a KPS, where secret keys are installed in each sensor node before deployment. In the seminal paper [13], Eschenauer and Gligor proposed a probabilistic KPS, commonly called the basic scheme. In the seminal scheme of Eschenauer and Gligor, there are three phases: key predistribution, shared-key discovery and path-key establishment. First, a large pool of keys and their key identifiers are generated. Then a fixed number of keys randomly chosen from the key pool, along with their key identifiers, are stored in each sensor node prior to deployment. After deployment of the WSN, any two sensor nodes in communication range look for their common keys. If they share one or more common keys, they can select one of them R This work was supported by National Science Foundation of China under grant No. 61373171 and The 111 Project under grant No. B08038. ∗ Corresponding author. E-mail addresses: [email protected] (Q. Gao), [email protected] (W. Ma), [email protected] (W. Luo).

https://doi.org/10.1016/j.adhoc.2018.02.006 1570-8705/© 2018 Elsevier B.V. All rights reserved.

© 2018 Elsevier B.V. All rights reserved.

as their secret key or use all of them to compute a pairwise secret key for cryptography communication. A successive sequence of nodes is called a path, where any two adjacent nodes share at least one common key. If a pair of nodes within wireless communication range do not share any key, they need to find a path between them to ensure that they can communication in an encrypted form. The η-composite scheme, a generalization of the basic scheme, was proposed by Chan, Perring and Song [8]. In this scheme, two nodes will compute a pairwise key only if they share at least η common keys, where the integer η ≥ 1 is a pre-specified intersection threshold. (In the basic scheme, η = 1.) Çamtepe and Yener [6] first proposed the use of combinatorial designs in key predistribution for sensor networks, using symmetric balanced incomplete block design (in particular, finite projective planes (FPPs)) and generalized quadrangles (GQs). Many researchers appreciated the advantages of combinatorial KPSs and continued to further develop this area. Some related work is presented in Table 1. For more details on other approaches the readers can refer to [7,9,26,27,31] for a brief survey. Due to the limited resources at each sensor, KPSs are typically designed for WSNs to provide a trade-off between three conflicting metrics which are widely used to analyse KPSs. The three metrics are the key storage requirement for each node, the local connectivity and the resilience. Compared to random KPSs, combinatorial KPSs typically have higher local connectivity and lower resilience against node capture for a given key storage. To improve the weakness of combinatorial KPSs, we propose a family of KPSs based on combinations of a class of saturated symmetric OAs. In

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50

41

Table 1 Some related work. Schemes

References

Blom’s method based on matrices Method by Blundo et al. based on polynomials The basic scheme η-composite scheme Two pairwise KPSs by using sensors’ expected locations KPSs based on FPPs and GQs ID-based one-way function schemes, multiple space Blom’s scheme Combinatorial constructions for KPSs KPSs based on polynomial pools KPSs based on partially balanced incomplete block designs (PBIBDs) KPSs based on 3-designs KPSs based on OAs KPSs based on transversal designs (TDs) Group-based KPSs KPSs based on rational normal curves Hash chain-based schemes KPSs by combining η designs KPSs based on partially balanced t-designs (PBtDs) Broadcast-enhanced KPSs KPSs based on graph theory

[2] [3] [13] [8] [23] [6] [20] [21] [24] [32] [10] [11] [16,22] [25,28] [30] [12,19] [4] [29] [18] [17]

the KPSs based on this class of saturated symmetric OAs, any pair of nodes can communicate with each other directly. In the resulting schemes, the local connectivity is maintained and for a given key storage , the resilience increases as the number of OAs increases. That is, one can enhance the resilience against a node capture attack while maintaining the other two metrics. The rest of this paper is organized as follows. In Section 2, some basics on combinatorial KPSs are provided. Section 3 presents a family of KPSs based on combinations of OAs and the expressions for the metrics of the resulting KPSs. In Section 4, some examples are given to illustrate the applications of the formulas. In Section 5, we analyze the resulting KPSs and compare them with some existing ones. Finally, the conclusion of this paper is described in Section 6. 2. Preliminaries In this section, we revisit some related theoretic background which will be used throughout the rest of the paper. First, we begin with definition of a design.

Fig. 1. Plot of the values of Pr1 and fail1 of the proposed KPSs with η = 4 and the KPSs based on TD(t, k, n)s, where n is the smallest prime power such that n ≥ k − 1.

After deployment, if two nodes are within each other’s communication range and have at least η common keys, then they can communicate with each other securely and directly. To improve the resilience of KPSs, all the common keys shared by a pair of nodes are used to compute secret key. Assume that Ka1 , Ka2 , ..., Kac are the common keys shared by two nodes Ni and Nj , where a1 < a2 <  < ac and c ≥ η. Then they can compute the secret key which is used to secure the communication between them,

Ki j = h(Ka1

 Ka2  · · ·  Kac  i  j ),

using an appropriate key derivation function h. We assume that an adversary compromises each node with equal probability in this paper. An adversary can compromise some sensor nodes in the network randomly and learn the keys stored in them. For the combinatorial KPSs, after the compromise of s random nodes corresponding to s blocks B1 , B2 , ..., Bs , a link formed by a pair of nodes corresponding to two blocks A1 and A2 such that |A1 ∩ A2 | ≥ η will be broken if for 1 ≤ u ≤ s and 1 ≤ v ≤ 2, Bu = Av and

A1 ∩ A2 ⊆

s 

Bu .

u=1

2.1. Combinatorial KPSs 2.2. Main metrics of KPSs Definition 2.1 [33]. A design is a pair (X, A) such that the following properties are satisfied: 1. X is a set of elements called points, and 2. A is a collection (i.e., multiset) of nonempty subsets of X called blocks. The degree of a point x ∈ X is the number of blocks containing x. (X, A) is regular if all points have the same degree. The rank of (X, A) is the size of the largest block. (X, A) is said to be uniform if all blocks have the same size. Any combinatorial design can be used to establish a KPS for a sensor network. Assume the sensor network has b sensor nodes denoted by N1 , N2 , . . . , Nb . Suppose that X = {x1 , x2 , . . . , xv } and A = {A1 , A2 , . . . , Ab }. We identify the v points in X and the b blocks in A with a set of v keys and the b sensor nodes, respectively. That is, for 1 ≤ i ≤ v, a key Ki is chosen uniformly at random from some specified key space, then, for 1 ≤ j ≤ b, the sensor node Nj receives the set of keys {Ki |xi ∈ Aj }. Then the sensor nodes are deployed randomly over a certain area.

In a KPS, there are mainly four metrics for evaluating it. Size of network. The network size is the number of nodes in the network. A combinatorial design having b blocks can be used to construct a KPS for a network having no more than b nodes. Key storage. The key storage is the number of keys stored in each node. For a combinatorial KPS, the number of keys stored per node is equal to the rank of the design, commonly denoted by k. We want to minimize key storage. Network connectivity. We usually consider the local connectivity since the locations of nodes are typically unknown. It is usual to measure local connectivity of networks by computing the probability that a randomly chosen pair of nodes form a link (i.e. share η common temporal keys). This probability is commonly denoted by Pr1 . It is usually desirable to maximize connectivity.

42

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50

Example 2.1. There exists an OA L9 (34 )



0 ⎜0 ⎝0 0

0 1 1 1

0 2 2 2

1 0 1 2

1 1 2 0

1 2 0 1

2 0 2 1

⎞T

2 1 0 2

2 2⎟ . 1⎠ 0

We regard symbols in different columns as different points and obtain



1 ⎜4 ⎝7 10

1 5 8 11

1 6 9 12

2 4 8 12

2 5 9 10

2 6 7 11

3 4 9 11

3 5 7 12

⎞T

3 6⎟ . 8⎠ 10

Then we obtain a KPS appropriate for a WSN having 9 nodes as follows: Fig. 2. Plot of the values of Pr1 and fail1 of the proposed KPSs with η = 4 and the KPSs based on TD(t, k, n)s, where n is the smallest prime power such that both schemes have approximately the same parameter fail1 for a given k.

Network resilience. We calculate resilience against node capture by fails , the probability that a random link is broken by the compromise of a set of s random nodes not in the link. It is usually desirable to minimize fails (i.e. maximize resilience). For the ease of comparing schemes and analysis, we will mainly consider the value of fail1 in this paper and the probability fails is approximately equal to

f ails ≈ 1 − (1 − f ail1 )s .

(1)

N1 K1 K4 K7 K10

N2 K1 K5 K8 K11

N3 K1 K6 K9 K12

N4 K2 K4 K8 K12

N5 K2 K5 K9 K10

N6 K2 K6 K7 K11

N7 K3 K4 K9 K11

N8 K3 K5 K7 K12

N9 K3 K6 , K8 K10

where K = {K1 , . . . , K12 } and the key storage k = 4. Example 2.2. By combining 2 OAs L9 (34 ) in Example 2.1, we obtain the following array

⎛0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0111111111111111111111111111222222222222222222222222222⎞T ⎜0 0 0 0 0 0 0 0 01111111112222222220 0 0 0 0 0 0 0 01111111112222222220 0 0 0 0 0 0 0 0111111111222222222⎟ ⎜0 0 0 0 0 0 0 0 01111111112222222221111111112222222220 0 0 0 0 0 0 0 02222222220 0 0 0 0 0 0 0 0111111111⎟ ⎜ ⎟ ⎜0 0 0 0 0 0 0 0 01111111112222222222222222220 0 0 0 0 0 0 0 01111111111111111112222222220 0 0 0 0 0 0 0 0⎟ 4 4 L = [ L 9 ( 3 )  1 9 , 1 9  L 9 ( 3 )] = ⎜ ⎟ , ⎜ 0 0 01112220 0 01112220 0 01112220 0 01112220 0 01112220 0 01112220 0 01112220 0 01112220 0 0111222⎟ ⎜ 012012012012012012012012012012012012012012012012012012012012012012012012012012012 ⎟ ⎝ ⎠ 012120201012120201012120201012120201012120201012120201012120201012120201012120201 012201120012201120012201120012201120012201120012201120012201120012201120012201120

2.3. Some related theoretic background on combinatorial designs Definition 2.2 [14]. An n × s matrix A, denoted by Ln (q1 qs ) with entries 0, 1, · · · , q j − 1 at the jth column is called an orthogonal array (OA) if it satisfies the following conditions: 1. Each entry in each column occurs the same number of times. 2. In any two columns, each pair (0, 0 ), . . . , (0, q j − 1 ), (1, 0 ), . . . , (1, q j − 1 ), . . . , (qi − 1, q j − 1 ) occurs the same number of times for any 1 ≤ i < j ≤ s. If some of the qj are the same, the matrix is denoted by t

Ln (q11 · · · qtmm ), t1 + · · · + tm = s. In particular, Ln (qs ) has s columns, each having the same number of levels q (called an symmetric OA). t If m ≥ 2, Ln (q11 · · · qtmm ) is called a mixed-level OA or an asymmetrical OA. If (q1 − 1 ) + · · · + (qs − 1 ) = n − 1, A is called saturated. If every n × d subarray of A contains all possible 1 × d row vectors and all these vectors occur the same number of times, then we call A an OA of strength d. If we regard symbols in different columns as different points and each row of the OA as a block, then we obtain a combinatorial design. So any OA can be used to construct a combinatorial design and establish a KPS.

where  is ordinary Kronecker product in matrix theory and 19 is the 9 × 1 vector of 1s. By Definition 2.2, it is easy to see that L is an OA L81 (38 ). Based on L, we can obtain a KPS appropriate for a WSN having 81 nodes as follows:

N1 K1 K4 K7 K10 K13 K16 K19 K22 N10 K1 K5 K8 K11 K13 K16 K19 K22

N2 K1 K4 K7 K10 K13 K17 K20 K23 N11 K1 K5 K8 K11 K13 K17 K20 K23

N3 K1 K4 K7 K10 K13 K18 K21 K24 N12 K1 K5 K8 K11 K13 K18 K21 K24

N4 K1 K4 K7 K10 K14 K16 K20 K24 N13 K1 K5 K8 K11 K14 K16 K20 K24

N5 K1 K4 K7 K10 K14 K17 K21 K22 N14 K1 K5 K8 K11 K14 K17 K21 K22

N6 K1 K4 K7 K10 K14 K18 K19 K23 N15 K1 K5 K8 K11 K14 K18 K19 K23

N7 K1 K4 K7 K10 K15 K16 K21 K23 N16 K1 K5 K8 K11 K15 K16 K21 K23

N8 K1 K4 K7 K10 K15 K17 K19 K24 N17 K1 K5 K8 K11 K15 K17 K19 K24

N9 K1 K4 K7 K10 K15 K18 K20 K22 N18 K1 K5 K8 K11 K15 K18 K20 K22

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50

N19 K1 K6 K9 K12 K13 K16 K19 K22 N28 K2 K4 K8 K12 K13 K16 K19 K22 N37 K2 K5 K9 K10 K13 K16 K19 K22 N46 K2 K6 K7 K11 K13 K16 K19 K22 N55 K3 K4 K9 K11 K13 K16 K19 K22 N64 K3 K5 K7 K12 K13 K16 K19 K22 N73 K3 K6 K8 K10 K13 K16 K19 K22

N20 K1 K6 K9 K12 K13 K17 K20 K23 N29 K2 K4 K8 K12 K13 K17 K20 K23 N38 K2 K5 K9 K10 K13 K17 K20 K23 N47 K2 K6 K7 K11 K13 K17 K20 K23 N56 K3 K4 K9 K11 K13 K17 K20 K23 N65 K3 K5 K7 K12 K13 K17 K20 K23 N74 K3 K6 K8 K10 K13 K17 K20 K23

N21 K1 K6 K9 K12 K13 K18 K21 K24 N30 K2 K4 K8 K12 K13 K18 K21 K24 N39 K2 K5 K9 K10 K13 K18 K21 K24 N48 K2 K6 K7 K11 K13 K18 K21 K24 N57 K3 K4 K9 K11 K13 K18 K21 K24 N66 K3 K5 K7 K12 K13 K18 K21 K24 N75 K3 K6 K8 K10 K13 K18 K21 K24

N22 K1 K6 K9 K12 K14 K16 K20 K24 N31 K2 K4 K8 K12 K14 K16 K20 K24 N40 K2 K5 K9 K10 K14 K16 K20 K24 N49 K2 K6 K7 K11 K14 K16 K20 K24 N58 K3 K4 K9 K11 K14 K16 K20 K24 N67 K3 K5 K7 K12 K14 K16 K20 K24 N76 K3 K6 K8 K10 K14 K16 K20 K24

N23 K1 K6 K9 K12 K14 K17 K21 K22 N32 K2 K4 K8 K12 K14 K17 K21 K22 N41 K2 K5 K9 K10 K14 K17 K21 K22 N50 K2 K6 K7 K11 K14 K17 K21 K22 N59 K3 K4 K9 K11 K14 K17 K21 K22 N68 K3 K5 K7 K12 K14 K17 K21 K22 N77 K3 K6 K8 K10 K14 K17 K21 K22

N24 K1 K6 K9 K12 K14 K18 K19 K23 N33 K2 K4 K8 K12 K14 K18 K19 K23 N42 K2 K5 K9 K10 K14 K18 K19 K23 N51 K2 K6 K7 K11 K14 K18 K19 K23 N60 K3 K4 K9 K11 K14 K18 K19 K23 N69 K3 K5 K7 K12 K14 K18 K19 K23 N78 K3 K6 K8 K10 K14 K18 K19 K23

N25 K1 K6 K9 K12 K15 K16 K21 K23 N34 K2 K4 K8 K12 K15 K16 K21 K23 N43 K2 K5 K9 K10 K15 K16 K21 K23 N52 K2 K6 K7 K11 K15 K16 K21 K23 N61 K3 K4 K9 K11 K15 K16 K21 K23 N70 K3 K5 K7 K12 K15 K16 K21 K23 N79 K3 K6 K8 K10 K15 K16 K21 K23

N26 K1 K6 K9 K12 K15 K17 K19 K24 N35 K2 K4 K8 K12 K15 K17 K19 K24 N44 K2 K5 K9 K10 K15 K17 K19 K24 N53 K2 K6 K7 K11 K15 K17 K19 K24 N62 K3 K4 K9 K11 K15 K17 K19 K24 N71 K3 K5 K7 K12 K15 K17 K19 K24 N80 K3 K6 K8 K10 K15 K17 K19 K24

where K = {K1 , . . . , K24 } and the key storage k = 8.

N27 K1 K6 K9 K12 K15 K18 K20 K22 N36 K2 K4 K8 K12 K15 K18 K20 K22 N45 K2 K5 K9 K10 K15 K18 K20 K22 N54 K2 K6 K7 K11 K15 K18 K20 K22 N63 K3 K4 K9 K11 K15 K18 K20 K22 N72 K3 K5 K7 K12 K15 K18 K20 K22 N81 K3 K6 K8 K10 K15 K18 K20 K22

43

Lemma 2.1 [5]. If n is a prime power, then there exists an OA Lnt (nn+1 ) of strength t, where n > t. Definition 2.3 [15]. Let S be a set of symbols of size s and Sk be the set of all sk vectors of length k. The Hamming weight w(u) of a vector u = (u1 , . . . , uk ) ∈ Sk is defined to be the number of nonzero components ui . The Hamming distance dist(u, v) between two vectors u, v ∈ Sk is defined to be the number of positions where they differ, or in other words

dist(u, v ) = w(u − v ). Lemma 2.2 [34]. Let Ln (sm ) be a saturated symmetric OA and x, y be any two row vectors of Ln (sm ). Then the Hamming distance

dist(x, y ) =

n , s

that is, the saturated symmetric OAs are equidistant with respect to Hamming distance. Definition 2.4 [29]. Let n, k and t be positive integers such that n + 1 ≥ k ≥ t. A transversal design TD(t, k, n) is a triple(X, H, A) such that the following properties are satisfied: 1. 2. 3. 4.

X is a set of kn elements called points, H is partition of X into k subsets of size n called groups, A is a set of k-subsets of X called blocks, any group and any block contain exactly one common point and 5. every t points from t distinct groups is contained in exactly one block. Definition 2.5 [33]. Let v, k and λ be positive integers such that v > k ≥ 2. A (v, k, λ)-balanced incomplete block design (which we abbreviate to (v, k, λ)-BIBD) is a design (X, A) such that the following properties are satisfied: 1. |X | = v, 2. each block contains exactly k points and 3. every pair of distinct points is contained in exactly λ blocks. Definition 2.6 [32]. An association scheme with m associate classes on the set X is a family of m symmetric anti-reflexive binary relations on X such that: 1. any two distinct elements of X are ith associates for exactly one value of i, where 1 ≤ i ≤ m, 2. each element of X has ni ith associates, 1 ≤ i ≤ m, 3. for each i, 1 ≤ i ≤ m, if x and y are ith associates, then there are pijl elements of X which are both jth associates of x and lth associates of y. The numbers |X | = v, ni (1 ≤ i ≤ m) and pijl (1 ≤ i, j, l ≤ m) are called the parameters of the association scheme. Definition 2.7 ([32]). A partially balanced incomplete block design with m associate classes, denoted by PBIBD(m) is a design on a v-set X, with b blocks each of size k and with each element of X being repeated r times, such that if there is an association scheme with m classes defined on X where, two elements x and y are ith (1 ≤ i ≤ m) associates, then they occur together in λi blocks. We denote such a design by PB[k, λ1 , λ2 , . . . , λm ; v]. In [4] and [32], PBIBDs with 2 associate classes are used. Definition 2.8 ([33]). Let (X, A) be a design where X = {x1 , . . . , xv } and A = {A1 , . . . , Ab }. The incidence matrix of (X, A) is the v × b 0– 1 matrix M = (mi, j ) defined by the rule



mi, j =

1 if xi ∈ A j . 0 if xi ∈ / Aj

The design having incidence matrix MT is called the dual design of (X, A). Suppose that (Y, B) is the dual design of (X, A), then |Y | = |A| = b and |B| = |X | = v.

44

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50

3.1. Notations In this subsection, we present some notations which will be used later. For the sake of the reader’s convenience, we use the notations similar to those in [29]. n +1 Let (Xi , Ai ) be the design obtained from Ln2 (ni i ) and KPSi i

be the KPS based on (Xi , Ai ) for 1 ≤ i ≤ η. {Ai, ji , Ai, j } is said to i

be an si -link provided that |Ai, ji ∩ Ai, j | = si . By Definition 2.2 and i

Lemma 2.2, each point of Xi occurs in λi,1 = ni blocks and the cardinality of the intersection of any two blocks of Ai is 1, i.e.,

|Ai, ji ∩ Ai, ji | = 1,

(3)

where 1 ≤ ji , ji ≤ n2i and ji = ji . So for 2 ≤ ui ≤ ni + 1, every ui subset of X occurs in either 0 or λi,ui = 1 block, all the links in KPSi Fig. 3. Plot of the values of fail1 of the KPSs based on FPPs and Ln2 (nn+1 ) and the proposed KPSs with η = 4 for a given k.

are 1-links and a fixed block is contained in αi,1 = n2i − 1 1-links. Let (X, A) be the design obtained from (2). {A j1 ... jη , A j ... j } is η

1

said to be an s1 s2 . . . sη -link if

|Ai, ji ∩ Ai, ji | = si

(4)

for 1 ≤ i ≤ η. By Lemma 2.2, we have the following lemma. Lemma 3.1. Let A j1 ... jη and A j ... j be any two distinct blocks of η

1

A. Then |A j1 ... jη ∩ A j ... j | ≥ η. Suppose that {A j1 ... jη , A j ... j } is an 1

η

1

s1 s2 . . . sη -link. Then either si = ni + 1 or si = 1 for 1 ≤ i ≤ η.

η

Proof. For a given i, when ji = ji , |Ai, ji ∩ Ai, j | = 1 and when ji = ji , |Ai, ji ∩ Ai, j | = |Ai, ji | = ni + 1. i

i



Let B be a subset of X. B is called an s1 s2 . . . sη -subset of X if

η for 1 ≤ i ≤ q, |B ∩ Xi | = si and |B| = i=1 si . By (2), every s1 s2 . . . sη subset of X occurs in either 0 or λs1 s2 ...sη block(s). Let αs1 s2 ...sη denote the total number of s1 s2 . . . sη -links that a fixed block is contained in, Ls1 s2 ...sη denote the total number of s1 s2 . . . sη -links and L denote the total number of links. It is easy to see that Fig. 4. Plot of the values of fails of the basic scheme, the scheme in [12] and the proposed KPS with η = 2, 3, 4 when k = 200, Pr1 ≈ 1 and the size of the chain l = 10.

Ls1 s2 ...sη = and

k = n1 + 1 + n2 + 1 + · · · + nη + 1, where for 1 ≤ i ≤ η, ni are prime powers and ni ≥ 3. Based on the n +1

1

n +1

), Ln2 (nn22 +1 ), ..., Ln2 (nηη 2

design (X, A) is obtained, where |X | = η n2 . Any block in A is given by i=1 i

A j1 ... jη =

η 

Ai, ji , 1 ≤ ji ≤ n2i , 1 ≤ i ≤ η,

η

i=1

η

), a new

ni (ni + 1 ) and |A| =

(5)

Ls1 s2 ...sη .

(6)

sη ∈{1,nη +1}

3.2. Formulas for the metrics Next, some formulas for the notations stated above and the metrics of the resulting KPS are presented. First, we define three sets I, H1 and H2 as

I = {1, 2, . . . , η}, H1 = {v : v ∈ I, sv = 1} and H2 =

{v : v ∈ I, sv = nv + 1}

which will be used throughout the rest of this section. It follows from Lemma 3.1 that for a given s1 . . . sη -link, I = H1 ∪ H2 . Theorem 3.1. The probability Pr1 is given by

(2)

i=1

where Ai, ji is a block of the design (Xi , Ai ) obtained from the OA n +1 Ln2 ( ni i ). i

···

s1 ∈{1,n1 +1}

In this section, we present the KPSs based on combinations of the class of OAs Ln2 (nn+1 ), where n is a prime power. Let k be the number of keys stored in each node. Suppose that k can be written as

combination of η OAs Ln2 (n11



L=

3. KPSs obtained by combining OAs

b αs s ...s 2 12 η

Then for the given k, a KPS based on the design (X, A) is obtained. The KPS is suitable for a network having no more than b = |A| nodes, the size of key pool is |X| and for 1 ≤ ji ≤ n2i , 1 ≤ i ≤ η, the node N j1 ... jη receives the set of keys {Kc |xc ∈ A j1 ... jη }. In combinatorial KPS, the blocks correspond to the nodes. For simplicity, unless otherwise indicated, we use the blocks to represent the nodes in the rest of this paper.

P r1 = 1.

(7)

Proof. The proof of Theorem 3.1 follows from Lemma 3.1. It follows from Theorem 3.1 that L =

b 2



.

Lemma 3.2. For si ∈ {1, 2, . . . , ni + 1}, 1 ≤ i ≤ η, we have that

λs1 ...sη =

η 

λi,si ,

(8)

i=1

where λi,1 = ni and λi,si = 1 when 2 ≤ si ≤ ni + 1. Proof. By Definition 2.2 and Lemma 2.2, (Xi Ai ) satisfies the following two properties:

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50

1. Each point of Xi occurs in λi,1 = ni blocks. 2. For 2 ≤ si ≤ ni + 1, every si -subset of Xi occurs in either 0 or λi,si = 1 block. Hence by (2), every s1 s2 . . . sη -subset of X occurs η in either 0 or λs1 ...sη = i=1 λi,si block(s).  Lemma 3.3. For si ∈ {1, ni + 1}, 1 ≤ i ≤ η, we have that

αs1 ...sη =



  L = L11 + L41 + L15 = 10296 = By (12), we have

(9)

i∈H1

when H1 = ∅ (i.e. H2 = I) and

(10)

when H1 = ∅ (i.e. H2 = I). Proof. For a given block A j1 ... jη of (X, A) and a given i ∈ I, if si = ni + 1, λi,ni +1 = 1, i.e., there is only one block of (Xi , Ai ) containing

the ni + 1 points and if si = 1, αi,1 = n2i − 1, i.e., there are n2i − 1 blocks Ai, j of (Xi , Ai ), 1 ≤ ji = ji ≤ n2i , such that |Ai, j ∩ Ai, ji | = 1. i

i

It follows from (2) that (9) holds when H1 = ∅. When H2 = I, by Lemma 3.2, λn1 +1...nη +1 = 1. Hence αn1 +1...nη +1 = 0.  Lemma 3.4. The probability that a random s1 . . . sq -link is broken by the compromise of a random node not in the link is given by

λs1 ...sη − 2

λs ...sη −2 1

1

b−2 

=

1

λs1 ...sη − 2 b−2

...





Ls1 ...sη f ail1,s1 ...sη L

.

(12)

Proof. By Lemma 3.4, a random s1 . . . sq -link is broken by the compromise of a random node not in the link with probability f ail1,s1 ...sη . Hence there are Ls1 ...sη f ail1,s1 ...sη s1 . . . sq -links that are broken by a random node not in the link and by compromising a node, the total number of links that are broken is



s1 . . . sη Ls1 ...sq f ail1,s1 ...sq . Since there are L links, (12) follows.  4. Examples

λ1,4 = 1 λ2,5 = 1

α1,1 = 8 α2,1 = 15

By (2), we obtain a design (X, A) with parameters v = 3 × 4 + 4 × 5 = 32 and b = 9 × 16 = 144. It follows from (8) and (9) that

λ41 = 4 α41 = 15

λ15 = 3 α15 = 8

By (11), (5) and (6), it is easy to compute that

10 2 1 f ail1,41 = f ail1,15 = 142 142 142 = 8640 L41 = 1080 L15 = 576

f ail1,11 = L11

η

|ni −

k−η

η

|.

It follows from Table 2 that for a given k, different schemes are obtained by varying η, n1 , . . . , nη , the resilience of the KPSs increases as η increases and for a given k and a given η, the resilience of the KPSs increases as θ decreases. When η increases, the resilience increases due to the increased b for a given k. For a given k and a given η, when θ increases, b decreases and there exist some ni , i ∈ {1, . . . , η}, such that the values of them are larger which leads to some larger f ail1,s1 ...sη and Ls1 ...sη . So the resilience increases as θ decreases when k and η are given. Consider the example where k = 20. When k = 19 + 1, we can take L361 (1920 ) as the underlying design. In the resulting KPS, all the links are 1-links and the parameters b = 192 = 361, λ1 = 19. λ1 −2 So the probability f ail1 = = 0.0473538. When k = (9 + 1 ) + b −2

Example 4.1. Suppose k = 9. It is easy to see that k can be written as k = (3 + 1 ) + (4 + 1 ), i.e., n1 = 3 and n2 = 4. Then we take L9 (34 ) and L16 (45 ) as the underlying designs and we have

λ11 = 12 α11 = 120

We analyze the proposed scheme and compare it with some existing ones in this section. Some numerical values of the parameters of the proposed KPSs are presented in Table 2. We define θ to be

(9 + 1 ), two OAs L81 (910 ) can be taken as the underlying designs.

In this section, two examples are given to illustrate the application of the formulas in Section 3.2.

λ1,1 = 3 λ2,1 = 4

= 1.

Example 4.2. Let k = 22. When k is written as k = (9 + 1 ) + (11 + 1 ), we have f ail1 = 0.00971403; when k = (7 + 1 ) + (13 + 1 ), we have f ail1 = 0.0105001; when k = (4 + 1 ) + (16 + 1 ), we have f ail1 = 0.0143603; when k = (5 + 1 ) + (7 + 1 ) + (7 + 1 ), we have f ail1 = 0.00378087; when k = (4 + 1 ) + (7 + 1 ) + (8 + 1 ), we have f ail1 = 0.00408382; when k = (4 + 1 ) + (4 + 1 ) + (5 + 1 ) + (5 + 1 ), we have f ail1 = 0.00211563; when k = (3 + 1 ) + (5 + 1 ) + (5 + 1 ) + (5 + 1 ), we have f ail1 = 0.00222543.

i=1

Theorem 3.2. The probability fail1 is given by s1

b−1

Since the probability P r1 = 1, we only compute fail1 in the following example.

θ=

.





α11 + α41 + α15

5. Analysis and comparisons

Proof. Suppose that {A1 , A2 } is an s1 . . . sη -link and C is an s1 . . . sη subset of both A1 and A2 . By Lemma 3.2, there are λs1 ...sη blocks containing C. So the number of nodes that can break the link {A1 , A2 } is λs1 ...sη − 2. Since the total number of nodes not in {A1 , A2 } is b − 2, the probability

f ail1 =

P r1 =

(11)

b−2

f ail1,s1 ...sη =



It is also not hard to verify that

αn1 +1...nη +1 = 0

f ail1,s1 ...sη =



b 2

106 2 1 1 × 8640 × + 1080 × + 576 × 10296 142 142 142 619 = ≈ 0.0609672. 10153

f ail1 =

αi,si

45

In the resulting KPS, there exist 10 1-links, 1 10-links and 1 1-links and the parameters b = 92 × 92 = 6561, λ10 1 = λ1 10 = 9, λ11 = −2 −2 81. So f ail1,10 1 = f ail1,1 10 = 9b−2 = 0.00106724, f ail1,11 = 81 = b−2 0.0120445 and f ail1 = 0.0117768. It follows from the example that although λ11 = 81 > λ1 = 19, f ail1 < f ail1 due to the increased

network size (i.e. b > b ). By (8), (11) and (12), λs1 ...sη ≤ λ1...1 , f ail1,s1 ...sη ≤ f ail1,1...1 and f ail1 ≤ f ail1,1...1 (when η = 1, f ail1 = f ail1,1 and when η ≥ 2, f ail1 < f ail1,1...1 ). Since λ1...1 = n1 × · · · ×

nη , b = n21 × · · · × n2η and ni ≈ k−ηη , f ail1,1...1 ≈ k−1η η . It is easy to ( η ) verify that λ1...1 increases as b increases and b increases as η increases, but f ail1,1...1 decreases as η increases. For a KPS, key storage (k), local connectivity (Pr1 ) and resilience (fail1 ) are three conflicting metrics. In general, keeping one of the parameters constant, improving one of the remaining two properties always leads to the other’s decrease. However, for a given k, the proposed approach can increase the resilience by increasing η and decreasing θ , while maintaining the connectivity.

46

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50 Table 2 Some numerical values of the parameters of the proposed KPSs. k = 20 k

η

b

fail1

9+1+9+1 7+1+11+1 5+1+13+1 5+1+5+1+7+1 4+1+5+1+8+1 3+1+7+1+7+1 4+1+4+1+9+1 3+1+5+1+9+1 4+1+4+1+4+1+4+1 3+1+4+1+4+1+5+1 3+1+3+1+5+1+5+1

2 2 2 3 3 3 3 3 4 4 4

6561 5929 4225 30,625 25,600 21,609 20,736 18,225 65,536 57,600 50,625

0.0117768 0.0123329 0.0143478 0.00519596 0.0056101 0.00598866 0.00614387 0.0064577 0.00319336 0.00335811 0.00353113

k

η

b

fail1

11+1+17+1 9+1+19+1 5+1+23+1 3+1+25+1 9+1+9+1+9+1 7+1+9+1+11+1 7+1+7+1+13+1 5+1+11+1+11+1 5+1+9+1+13+1 5+1+7+1+7+1+7+1 5+1+5+1+8+1+8+1 5+1+5+1+7+1+9+1

2 2 2 2 3 3 3 3 3 4 4 4

34,969 29,241 13,225 5625 531,441 480,249 405,769 366,025 342,225 2,941,225 2,560,0 0 0 2,480,625

0.00523339 0.0 0570 079 0.00825282 0.0156006 0.00132332 0.00138751 0.00150222 0.0015706 0.00162177 0.0 0 0534647 0.0 0 0568955 0.0 0 0577309

k = 30

k = 40 k

η

b

fail1

19+1+19+1 13+1+25+1 11+1+27+1 9+1+29+1 7+1+31+1 4+1+29+1 11+1+13+1+13+1 9+1+11+1+17+1 7+1+13+1+17+1 9+1+9+1+19+1 7+1+11+1+19+1 9+1+9+1+9+1+ 9+1 8+1+8+1+9+1+11+1 7+1+9+1+9+1+11+1

2 2 2 2 2 2 3 3 3 3 3 4 4 4

130,321 105,625 88,209 68,121 47,089 13,456 3,455,881 2,832,489 2,393,209 2,368,521 2,140,369 43,046,721 40,144,896 38,900,169

0.00274028 0.00303657 0.00331473 0.00375583 0.00448094 0.00806033 0.0 0 0527488 0.0 0 0580637 0.0 0 0628744 0.0 0 0633078 0.0 0 0663842 0.0 0 0145788 0.0 0 0150666 0.0 0 0152881

k

η

b

fail1

23+1+25+1 19+1+29+1 17+1+31+1 16+1+32+1 11+1+37+1 7+1+41+1 5+1+43+1 13+1+17+1+17+1 11+1+17+1+19+1 11+1+13+1+23+1 11+1+11+1+25+1 9+1+13+1+25+1 9+1+11+1+13+1+13+1 8+1+9+1+13+1+16+1 8+1+8+1+13+1+17+1

2 2 2 2 2 2 2 3 3 3 3 3 4 4 4

330,625 303,601 277,729 262,144 165,649 82,369 46,225 14,115,049 12,623,809 10,817,521 9,150,625 8,555,625 279,926,361 224,280,576 200,052,736

0.00172729 0.00180147 0.00188227 0.00193652 0.00242478 0.00339723 0.00445697 0.0 0 0262853 0.0 0 0277539 0.0 0 0299384 0.0 0 0324911 0.0 0 0335532 0.0 0 0 058023 0.0 0 0 0645359 0.0 0 0 0681729

k = 50

k = 60 k

η

b

fail1

29+1+29+1 27+1+31+1 17+1+41+1 11+1+47+1 9+1+49+1 5+1+53+1 19+1+19+1+19+1

2 2 2 2 2 2 3

707,281 700,569 485,809 267,289 194,481 70,225 47,045,881

0.00118351 0.00118911 0.00142511 0.00191139 0.00223153 0.00362323 0.0 0 0144607 (continued on next page)

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50

47

Table 2 (continued) 17+1+17+1+23+1 16+1+16+1+25+1 13+1+19+1+25+1 13+1+17+1+27+1 13+1+13+1+13+1+17+1 11+1+13+1+16+1+16+1 11+1+13+1+13+1+19+1

3 3 3 3 4 4 4

44,182,609 40,960,0 0 0 38,130,625 35,605,089 1,394,947,801 1,340,145,664 1,247,573,041

0.0 0 014915 0.0 0 0154821 0.0 0 0160337 0.0 0 0165855 0.0 0 0 0262509 0.0 0 0 0267645 0.0 0 0 0277184

k

η

b

fail1

31+1+37+1 27+1+41+1 25+1+43+1 19+1+49+1 9+1+59+1 7+1+61+1 4+1+64+1 19+1+23+1+25+1 17+1+23+1+27+1 19+1+19+1+29+1 17+1+19+1+31+1 16+1+19+1+32+1 16+1+16+1+17+1+17+1 13+1+17+1+17+1+19+1 13+1+13+1+17+1+23+1

2 2 2 2 2 2 2 3 3 3 3 3 4 4 4

1,315,609 1,225,449 1,155,625 866,761 281,961 182,329 65,536 119,355,625 111,450,249 109,599,961 100,260,169 94,633,984 5,473,632,256 5,095,532,689 4,366,434,241

0.0 0 0868824 0.0 0 0899996 0.0 0 0926585 0.00106855 0.00185497 0.00228941 0.0036919 0.0 0 0 0909712 0.0 0 0 0941022 0.0 0 0 0948921 0.0 0 0 0991638 0.0 0 0102033 0.0 0 0 01333 0.0 0 0 0138051 0.0 0 0 0148924

k = 70

k = 80 k

η

b

fail1

37+1+41+1 31+1+47+1 29+1+49+1 25+1+53+1 19+1+59+1 17+1+61+1 11+1+67+1 7+1+71+1 5+1+73+1 25+1+25+1+27+1 23+1+27+1+27+1 23+1+25+1+29+1 23+1+23+1+31+1 19+1+29+1+29+1 19+1+19+1+19+1+19+1 17+1+17+1+19+1+23+1 17+1+17+1+17+1+25+1

2 2 2 2 2 2 2 2 2 3 3 3 3 3 4 4 4

2,301,289 2,122,849 2,019,241 1,755,625 1,256,641 1,075,369 543,169 247,009 133,225 284,765,625 281,132,289 278,055,625 268,927,201 255,328,441 16,983,563,041 15,949,921,849 15,085,980,625

0.0 0 0657477 0.0 0 0684406 0.0 0 0701646 0.0 0 0752157 0.0 0 0887879 0.0 0 0959068 0.00134269 0.00196842 0.00263661 0.0 0 0 0589923 0.0 0 0 0593688 0.0 0 0 0596938 0.0 0 0 0606904 0.0 0 0 0622668 0.0 0 0 0 0759301 0.0 0 0 0 0783165 0.0 0 0 0 0804986

k = 90 k

η

b

fail1

41+1+47+1 29+1+59+1 27+1+61+1 17+1+71+1 9+1+79+1 7+1+81+1 5+1+83+1 29+1+29+1+29+1 27+1+29+1+31+1 23+1+32+1+32+1 23+1+27+1+37+1 23+1+23+1+41+1 19+1+19+1+23+1+25+1 17+1+23+1+23+1+23+1 19+1+19+1+19+1+29+1

2 2 2 2 2 2 2 3 3 3 3 3 4 4 4

3,713,329 2,927,521 2,712,609 1,456,849 505,521 321,489 172,225 594,823,321 589,178,529 554,696,704 527,942,529 470,412,721 43,087,380,625 42,782,371,921 39,565,585,921

0.0 0 0517872 0.0 0 0582935 0.0 0 0605466 0.0 0 082427 0.00138687 0.00172635 0.00232062 0.0 0 0 0408577 0.0 0 0 0410516 0.0 0 0 0422987 0.0 0 0 0433511 0.0 0 0 0459088 0.0 0 0 0 0477622 0.0 0 0 0 0479279 0.0 0 0 0 0498212

k = 100 k

η

b

fail1

4 9+1+4 9+1 37+1+61+1 31+1+67+1 27+1+71+1 25+1+73+1 19+1+79+1 17+1+81+1 9+1+89+1 29+1+31+1+37+1 27+1+29+1+41+1

2 2 2 2 2 2 2 2 3 3

5,764,801 5,094,049 4,313,929 3,674,889 3,330,625 2,253,001 1,896,129 641,601 1,106,427,169 1,030,602,609

0.0 0 0415807 0.0 0 0442242 0.0 0 048041 0.0 0 0520314 0.0 0 0546402 0.0 0 0663482 0.0 0 0722689 0.00123147 0.0 0 0 0299756 0.0 0 0 0310529 (continued on next page)

48

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50 Table 2 (continued) 25+1+31+1+41+1 27+1+27+1+43+1 25+1+29+1+43+1 23+1+23+1+25+1+25+1 23+1+23+1+23+1+27+1 19+1+25+1+25+1+27+1

3 3 3 4 4 4

1,009,650,625 982,634,409 971,880,625 109,312,890,625 107,918,163,081 102,800,390,625

0.0 0 0 0313711 0.0 0 0 0317979 0.0 0 0 031972 0.0 0 0 0 030 0438 0.0 0 0 0 0302356 0.0 0 0 0 0309706

Table 3 Comparisons between the proposed KPSs and the KPSs in [4]. KPSs based on the dual designs of a PBIBD based on the group divisible association scheme and a BIBD a

f

g

k

b

Pr1

fail1

2 2

21 23

25 22

46 45

2142 2070

0.532929 0.532141

0.00206820 0.00222235

The proposed KPSs k

η

b

Pr1

fail1

46=19+1+25+1 46=13+1+13+1+17+1 46=9+1+11+1+11+1+11+1 45=16+1+27+1 45=13+1+13+1+16+1 45=8+1+11+1+11+1+11+1

2 3 4 2 3 4

225,625 8,254,129 143,496,441 186,624 7,311,616 113,379,904

1 1 1 1 1 1

0.00208768 0.0 0 0342913 0.0 0 0 0807024 0.00229261 0.0 0 0364181 0.0 0 0 0905405

KPSs based on the dual designs of a PBIBD based on the triangular association scheme and a BIBD m

g

k

b

Pr1

fail1

9 27 8 31 The proposed KPSs

48 46

1980 1764

0.617989 0.577992

0.00209417 0.00228017

k

η

b

Pr1

fail1

48=23+1+23+1 48=13+1+16+1+16+1 48=11+1+11+1+11+1+11+1 46=19+1+25+1 46=13+1+13+1+17+1 46=9+1+11+1+11+1+11+1

2 3 4 2 3 4

279,841 11,075,584 214,358,881 225,625 8,254,129 143,496,441

1 1 1 1 1 1

0.00187640 0.0 0 0296474 0.0 0 0 0662624 0.00208768 0.0 0 0342913 0.0 0 0 0807024

KPSs based on the dual designs of a PBIBD based on the Latin square type association scheme and a BIBD p



g

k

b

Pr1

fail1

17 19

12 13

28 28

40 41

16,473 20,577

0.673628 0.657076

0.00304951 0.00276801

The proposed KPSs k

η

b

Pr1

fail1

40=19+1+19+1 40=11+1+13+1+13+1 40=9+1+9+1+9+1+9+1 41=16+1+23+1 41=11+1+11+1+16+1 41=8+1+9+1+9+1+11+1

2 3 4 2 3 4

130,321 3,455,881 43,046,721 135,424 3,748,096 50,808,384

1 1 1 1 1 1

0.00274028 0.0 0 0527488 0.0 0 0145788 0.00268784 0.0 0 050640 0 0.0 0 0134297

Since it has been shown that TDs perform well for a wide range of parameters [29], we compare the proposed KPSs with the KPSs based on TDs [22]. It follows from Figs. 1 and 2 that for a given k, when the KPSs based on TDs have the maximum values of Pr1 , the proposed schemes with η = 4 have a better trade-off between connectivity and resilience and when both schemes have approximately the same resilience, the proposed schemes have better connectivity than the KPSs based on TDs. In [4], the method of combining designs is proposed and the dual designs of PBIBDs based on association schemes with two associate classes and BIBDs with λ = 1 are chosen as the underlying designs. We compare the proposed KPSs with the KPSs in [4]. It follows from Table 3 that for a given k, the proposed KPSs have a better trade-off between Pr1 and fail1 and when η > 2, the proposed KPSs have better connectivity and resilience than the KPSs in [4]. By the same construction, both the KPSs in this paper and in [4] are suitable for WSNs with a large number of sensor nodes

having relatively small storage. However, for a given k, the parameter b of the proposed KPSs is much larger than that of the KPSs in [4]. In [6], based on FPPs ((n2 + n + 1, n + 1, 1)-BIBDs where b = v), KPSs offering P r1 = 1 are proposed. In [11], KPSs based on OAs Lnt (nn+1 ) (equivalent to TD(t, n + 1, n)) are proposed and when t = 2, P r1 = 1. We compare the proposed KPSs with the combinatorial KPSs offering P r1 = 1 in [6,11]. It follows from Fig. 3 that when P r1 = 1, for the given k, the proposed KPSs have better resilience than that of the ones in [6,11]. In addition, if the metric P r1 = 1 is maintained, then when the number of sensor nodes is large, the key storage k of the KPSs based on FPP and Ln2 (nn+1 ) are too high to be practical. For example, when the network size b = 106 , in the KPSs based on FPPs and Ln2 (nn+1 ), we should take n = 1009 such that n2 + n + 1 > b and n2 > b, respectively, and the key storage k = n + 1 = 1010. However, since 52 × 52 × 72 × 72 =

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50

Fig. 5. Plot of the values of fails of the basic scheme, the scheme in [12] when k = 200, Pr1 ≈ 0.33, the size of the chain l = 10 and the proposed KPS with η = 2, 3, 4 when k = 200.

1500625 > b, in the proposed KPS with η = 4, the key storage k = 5 + 1 + 5 + 1 + 7 + 1 + 7 + 1 = 28. In [12], a new method based on 2-Dimensional Hash Chains is proposed and is applied on the basic scheme to improve the resilience of the initial scheme at the cost of a few additional computations, while maintaining network connectivity at the same level. We compare the KPSs in this paper with the one in [12]. It follows from Figs. 4 and 5 that when the schemes have the same key storage and local connectivity, the proposed schemes have better resilience than the one in [12] and for the same key storage, when the parameter of the scheme in [12] Pr1 ≈ 0.33, the proposed schemes still have better resilience. 6. Conclusion In this paper, we propose the KPSs for WSNs by combining η OAs. The proposed KPSs work for the storage k which can be written as k = n1 + 1 + · · · + nη + 1, where for 1 ≤ i ≤ η, ni ≥ 3 are prime n +1

powers. By using saturated symmetric OAs Ln2 (ni i i

), 1 ≤ i ≤ η, as

the underlying designs, Pr1 of the resulting schemes are equal to 1 and for a given key storage k, we can obtain the schemes having better resilience by increasing η. General formulas for the metrics of the resulting schemes are derived and some examples are given to illustrate the applications of the formulas. In general, key storage, local connectivity and resilience are three conflicting metrics for evaluating a KPS. In the proposed schemes, one can enhance the resilience by increasing η while maintaining the key storage and the local connectivity. By comparing the proposed KPSs with some existing ones, it is found that the KPSs in this paper have some advantages over them. For future work, there are some problems: 1. Are there other combinatorial designs having advantages over saturated symmetric OAs Ln2 (nn+1 ) as the underlying designs? 2. Are there other scenarios where the proposed schemes can perform better? 3. Can the proposed schemes work for any key storage k? References [1] H.M. Ammari, N. Gomes, M. Jacques, B. Maxim, D. Yoon, A survey of sensor network applications and architectural components, Ad Hoc Sensor Wireless Netw. 25 (1–2) (2015) 1–44. [2] R. Blom, An optimal class of symmetric key generation systems, in: EUROCRYPT, 1984. Lecture Notes in Computer Science, volume 209, 1985, pp. 335–338.

49

[3] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, M. Yung, Perfectly-secure key distribution for dynamic conferences, in: Annual International Cryptology Conference, Springer Berlin Heidelberg, 1992, pp. 471–486. [4] M. Bose, A. Dey, R. Mukerjee, Key predistribution schemes for distributed sensor networks via block designs, Des. Codes Cryptogr. 67 (1) (2013) 111–136. [5] K.A. Bush, Orthogonal arrays of index unity, Ann. Math. Stat. 23 (1952) 426–434. [6] S. Çamtepe, B. Yener, Combinatorial design of key distributionmechanisms forwireless sensor networks, in: ESORICS, 2004. Lecture Notes in Computer Science, volume 3193, 2004, pp. 293–308. [7] S. Çamtepe, B. Yener, Key Distribution Mechanisms for Wireless Sensor Networks: a Survey, 2005 Technical report tr-05-07. [8] H. Chan, A. Perrig, D. Song, Random key predistribution schemes for sensor networks, in: Proceedings of the 2003 symposium on security and privacy, IEEE Computer Society, 2003, pp. 197–213. [9] C.Y. Chen, H.C. Chao, A survey of key predistribution in wireless sensor networks, Secur. Commun. Netw. (2011). [10] J.W. Dong, D.Y. Pei, X.L. Wang, A key predistribution scheme based on 3-designs, in: Information Security and Cryptology, 2007. Lecture Notes in Computer Science, volume 4990, 2008, pp. 81–92. [11] J.W. Dong, D.Y. Pei, X.L. Wang, A class of key predistribution schemes based on orthogonal arrays, J. Comput. Sci. Technol. 23 (2008) 825–831. [12] M. Ehdaie, N. Alexiou, M. Ahmadian, M.R. Aref, P. Papadimitratos, 2d hash chain robust random key distribution scheme, Inf. Process. Lett. 116 (5) (2016) 367–372. [13] L. Eschenauer, V. Gligor, A key-management scheme for distributed sensor networks, in: Proceedings of the 9th ACM conference on computer and communications security, ACM Press, 2002, pp. 41–47. [14] K.T. Fang, D.K.J. Lin, P. Winker, Y. Zhang, Uniform design: theory and application. technometrics, 20 0 0. 42, 3, 237–248. [15] A.S. Hedayat, N.J.A. Sloane, J. Stufken, Orthogonal Arrays: Theory and Applications, Springer-Verlag, New York, 1999. [16] K. Henry, M.B. Paterson, D.R. Stinson, Practical approaches to varying network size in combinatorial key predistribution schemes, in: SAC, 2013. Lecture Notes in Computer Science, volume 8282, 2014, pp. 89–117. [17] M. Kendall, K.M. Martin, Graph-theoretic design and analysis of key predistribution schemes, Designs, Codes Cryptogr. 81 (1) (2016) 11–34. [18] M. Kendall, K.M. Martin, S.L. Ng, M.B. Paterson, D.R. Stinson, Broadcast-enhanced key predistribution schemes, ACM Trans. Sens. Netw. 11 (1) (2014). Article No. 6. ˚ , V. Matyáš, P. Švenda, Two improvements of random key predistribution [19] J. Kur for wireless sensor networks, in: International Conference on Security and Privacy in Communication Systems, Springer Berlin Heidelberg, 2012, pp. 61–75. [20] J. Lee, D.R. Stinson, Deterministic key predistribution schemes for distributed sensor networks, in: SAC, 2004. Lecture Notes in Computer Science, volume 3357, 2005, pp. 294–307. [21] J. Lee, D.R. Stinson, A combinatorial approach to key predistribution for distributed sensor networks, in: IEEE Wireless Communications and Networking Conference (WCNC 2005), volume 2, 2005, pp. 1200–1205. [22] J. Lee, D.R. Stinson, On the construction of practical key predistribution schemes for distributed sensor networks using combinatorial designs, ACM Trans. Inf. Syst. Secur. 11 (2) (2008). Article No. 1. [23] D. Liu, P. Ning, Location-based pairwise key establishments for static sensor networks, in: Proceedings of the 1st ACM workshop security of ad hoc and sensor networks, ACM Press, 2003, pp. 72–82. [24] D. Liu, P. Ning, R. Li, Establishing pairwise keys in distributed sensor networks, ACM Trans. Inf. Syst. Secur. 8 (2005) 41–77. [25] D. Liu, P. Ning, W. Du, Group-based key pre-distribution in wireless sensor networks, ACM Trans. Sens. Netw. 4 (2) (2008) 1–30. [26] K.M. Martin, M. Paterson, An application-oriented framework for wireless sensor network key establishment, Electron. Notes Theor. Comput. Sci. 192 (2) (2008) 31–41. [27] K.M. Martin, On the applicability of combinatorial designs to key predistribution for wireless sensor networks, in: IWCC, 2009. Lecture Notes in Computer Science, volume 5557, 2009, pp. 124–145. [28] K.M. Martin, M.B. Paterson, D.R. Stinson, Key predistribution for homogeneous wireless sensor networks with group deployment of nodes, ACM Trans. Sens. Netw. 7 (2) (2010). Article No. 11. [29] M.B. Paterson, D.R. Stinson, A unified approach to combinatorial key predistribution schemes for sensor networks, Des. Codes Cryptogr. 71 (3) (2014) 433–457. [30] D.Y. Pei, J.W. Dong, C.M. Rong, A novel key predistribution scheme for wireless distributed sensor networks, Sci. China Inf. Sci. 53 (2010) 288–298. [31] T.P. Rani, C.J. Kumar, Survey on key pre distribution for sucurity in wireless sensor networks, Lect. Notes Instit. Comput. Sci. 84 (2012) 248–252. [32] S. Ruj, B. Roy, Key predistribution using partially balanced designs in wireless sensor networks, in: ISPA, 2007. Lecture Notes in Computer Science, volume 4742, 2007, pp. 431–445. [33] D.R. Stinson, Combinatorial Designs: Constructions and Analysis, Springer, Berlin, 2003. [34] Y.L. Zhang, On schematic orthogonal arrays of strength two, Ars Combinatoria 91 (2009) 147–163.

50

Q. Gao et al. / Ad Hoc Networks 73 (2018) 40–50 Qiang Gao received the B.S. degree in applied mathematics from Henan University, Kaifeng, China, in 2009, the M.S. degree in applied mathematics from Henan Normal University, Xinxiang, China, in 2012 and the Ph.D. degree in cryptography from Xidian University, Xi’an, China, in 2018. He is currently working at College of Mathematics and Information Science, Henan Normal University, Xinxiang, China. His current research interests are centered on the area of key predistribution schemes for wireless sensor networks.

Wenping Ma received the B.S. and the M.S. degrees in basic mathematics from Shaanxi Normal University, Xian, China, in 1987 and 1990, respectively, and the Ph.D. degree in communication and information system from Xidian University, Xian, China, in 1999. He was a Post-Doctorial Fellow with Chonbuk National University, Jeonju, South Korea, from 2003 to 2004, and acted as a senior visiting scholar in South Korea from 2004 to 2005. He is currently a Professor with the State Key Laboratory of Integrated Service Networks, School of Telecommunications Engineering, Xidian University, Xian, China. His research work mainly focuses on information theory, communication theory, error correcting code and information security.

Wei Luo received the B.S. degree in Electronic and Information Engineering from Xian Shiyou University, Xian, China, in 2012. He is currently pursuing the Ph.D. degree at the State Key Laboratory of Integrated Service Networks, School of Telecommunications Engineering, Xidian University, Xian, China. His current research interestsare centered on the security issues in wireless sensor networksnetwork security and cloud storage security.