A Key Pre-Distribution Scheme Based on µ-PBIBD for Enhancing Resilience in Wireless Sensor Networks

Many key pre-distribution (KPD) schemes based on combinatorial design have been proposed for secure communication in wireless sensor networks (WSNs). Because constructing the combinatorial design is complex, it is infeasible to generate key rings from the corresponding combinatorial design in large-scale deployments of WSNs. In this paper, we define a new combinatorial design, termed “µ-partially balanced incomplete block design (µ-PBIBD)”, which is a refinement of the partially balanced incomplete block design (PBIBD), and then describe a 2-D construction of µ-PBIBD that is mapped to KPD in WSNs. Our approach is simple to construct and provides strong key connectivity but poor network resilience. To improve the network resilience of KPD based on 2-D µ-PBIBD, we propose a KPD scheme based on 3-D Ex-µ-PBIBD, which extends the construction of µ-PBIBD from 2-D space to 3-D space. The Ex-µ-PBIBD KPD scheme improves network scalability and resilience while having better key connectivity. Theoretical analysis and comparison with the related schemes show that the key pre-distribution scheme based on Ex-µ-PBIBD provides high network resilience and better key scalability, while it achieves a trade-off between network resilience and network connectivity.


Introduction
Wireless sensor networks have increasingly extensive applications owing to their low cost, low power consumption, easy deployment and self-organization [1,2]. Sensor nodes in wireless sensor networks are responsible for monitoring the surrounding environment and transmitting the information on request to a base station over a one-hop or multi-hop path. A general environment of wireless sensor networks is shown in Figure 1. When sensor networks are deployed in a hostile territory or a special region, they should secure the communication between two sensor nodes by encryption/decryption, authentication techniques and other means [3][4][5][6][7][8]. Key management is the core of the cryptographic system in WSNs and is used to protect security in WSN applications [9][10][11][12][13]. Although the study of key management in WSNs has become more mature, it still faces many challenges because of differing required network sizes, wide application backgrounds, limited sensor performance and so on [14]. The key pre-distribution (KPD) scheme is one of the most extensively researched directions of symmetric key management in WSNs [15][16][17]. A typical KPD scheme contains three phases: key pre-distribution, shared-key discovery and path-key establishment [13,18]. Key pre-distribution is an initialization phase, in which some keys selected from a large key pool are pre-distributed to each sensor to build a key ring. Shared-key discovery finds common pairwise keys between two nearby nodes by matching their key rings. In the path-key establishment phase, when two neighboring nodes have no common pairwise keys, they try to find one or more intermediary nodes that share common keys with them. Various metrics of a key pre-distribution scheme, such as network scalability, key connectivity and network resilience, are used for analyzing the merits and demerits of schemes in WSNs [19,20].
KPD schemes in WSNs are classified into probabilistic KPD schemes and deterministic KPD schemes based on the manner of key selection [6,12,16]. Typical probabilistic KPD schemes include random KPD, Q-composite KPD and polynomial pool based KPD [13]. A probabilistic KPD scheme randomly extracts a number of keys from the key pool to form the key rings of nodes, and its advantage is easy implementation due to its simple algorithm [21]. However, a probabilistic KPD scheme can only judge whether a pair of nodes have common keys by means of a probability value, and computes key connectivity as a probabilistic result. A deterministic KPD scheme constructs key rings with a simple, straightforward model instead of selecting random keys, which helps in implementing shared-key discovery and path-key establishment. By contrast, the operations of these two phases are inherently complicated in a randomized KPD scheme, owing to the absence of structure in key pre-distribution [20]. Meanwhile, performance metrics such as scalability and connectivity can be proven to be deterministic in a deterministic KPD scheme [22], whereas a deterministic value cannot be obtained in a probabilistic scheme.
Combinatorial design theory is usually used for implementing deterministic KPD schemes. Due to the structural features of combinatorial design, the metrics of a combinatorial KPD scheme can easily be described. A general problem with existing combinatorial KPD schemes for WSNs is that the combinatorial designs mapped to KPD are complicated to construct in an implementation. Therefore, we focus on constructing a simpler combinatorial design applied to the KPD scheme of WSNs, while the performance metrics of the KPD scheme should not be affected. A novel key pre-distribution scheme based on a two-dimensional combinatorial design is introduced. Moreover, to enhance resilience and improve scalability, an extended three-dimensional combinatorial KPD scheme is proposed. The main contributions of our work are described as follows:
• A new combinatorial design (µ-PBIBD) is defined based on partially symmetric balanced incomplete block design.
• A µ-PBIBD is constructed in 2-D space, and a key pre-distribution scheme based on 2-D µ-PBIBD is proposed in which blocks are mapped to key rings. That is, shared-keys between nodes can be generated from common points between corresponding blocks. As a result, key connectivity of the proposed scheme depends on the construction of µ-PBIBD.
• To enhance network resilience of the 2-D µ-PBIBD scheme, an Ex-µ-PBIBD is constructed by extending µ-PBIBD from 2-D space to 3-D space. Further, a key pre-distribution scheme based on 3-D Ex-µ-PBIBD is presented.
• Performance metrics of the proposed schemes are evaluated by theoretical analyses. Compared with the sBIBD scheme, RD scheme and TD scheme, the results show that the proposed scheme has better scalability and higher resilience.
The remainder of this paper is organized as follows: In Section 2, related works on combinatorial design KPD schemes are introduced. Background knowledge of combinatorial design is described and a new combinatorial design is defined in Section 3. A µ-PBIBD is constructed and KPD scheme based on µ-PBIBD for WSNs is presented in Section 4. Then Section 5 proposes an extended µ-PBIBD based KPD scheme. Performance of the proposed scheme is analyzed and compared with the corresponding schemes in Section 6. Finally, the conclusions are drawn in Section 7.

Related Works
Combinatorial design theory is the part of combinatorial mathematics that deals with the existence and construction of systems of finite sets that have specified numerical properties [23]. Because of these specified, easy-to-implement numerical properties of combinatorial design theory, a series of studies on KPD schemes based on combinatorial design theory have developed rapidly [24][25][26][27][28][29][30][31][32][33]. The first deterministic KPD scheme based on combinatorial design theory, proposed by Comtepe and Yener [1], mapped Balanced Incomplete Block designs (BIBD) and Generalized Quadrangles (GQ) to KPD schemes and made key connectivity up to 1. Because of the difficulty of constructing BIBD and GQ, this KPD scheme supported only limited network size [9,30] and could not ensure key pre-distribution according to the actual demand of wireless sensor networks. Scheme [32] proposed a hybrid design according to the complement of each block, i.e., when the blocks of the combinatorial design assigned to nodes were used up, a random subset of the complementary design blocks was distributed to the newly added nodes as key rings. This scheme supported larger-scale WSNs and improved the resilience of networks. Modiri et al. [30] introduced a new combinatorial design called residual design and mapped it to a key pre-distribution scheme. This KPD scheme provided high connectivity while maintaining better scalability and resilience.
Stinson et al. [20,22,24,25] have studied a series of combinatorial design based KPD schemes since 2004. Lee and Stinson [20] introduced the related knowledge of combinatorial set systems to deterministic KPD schemes for WSNs. A strongly regular graph in [24] was used to produce a network graph that represented whether two nodes share secret keys, and both a one-way hash function and a modified multi-space Blom scheme were introduced to efficiently reduce the storage overhead of keys and increase resilience. In [25], Lee defined two basic types of combinatorial designs, "configurations" and "µ-common intersection design", and discussed their influence on the local connectivity and two-hop paths in WSNs. In [20], Lee proposed a general framework to construct KPD schemes based on a transversal design (TD), and presented KPD schemes based on linear polynomials and quadratic polynomials. These schemes provided higher efficiency in the shared-key discovery phase with better connectivity and resiliency. Paterson and Stinson in [22] defined a general class of designs, "partially balanced t-designs", which encompassed almost all of the proposed combinatorial designs used for KPD schemes. This general framework helped in analyzing proposals of combinatorial KPD schemes and comparing them with existing schemes, and made it easy to evaluate which schemes possessed better performance metrics for a certain application. In [33], taking into consideration the problem of the restricted number of sensor nodes in combinatorial KPD, a universal method was proposed to compute metrics for connectivity and resilience of combinatorial KPD schemes. A deterministic method exploited a resolvable TD to adjust the network size by removing key rings and easily analyzed the properties of the scheme using the framework constructed in [22].
Taking into account the difficulty of implementing scheme [32], Xia et al. [21] first constructed a BIBD with a Hadamard matrix, and then mapped it to a KPD scheme in WSNs. Furthermore, the network size of WSNs was doubled by complementary set design and the shared-key intensity was enhanced by key slicing. In [26], based on the divisible core pair-wise balanced design, key rings of nodes were constructed, where common blocks and particular blocks were mapped to key rings of common nodes and key rings of cluster head nodes, respectively. This scheme increased network scalability and had better resilience. Gao et al. [31] proposed a combinatorial design based KPD scheme for two-layer hierarchical WSNs. In this scheme, a key pre-distribution scheme was constructed with an orthogonal array. A block associated with keys was assigned to a more capable node, and a random subset of a block associated with keys was allotted to a less capable node. This scheme obtained higher resilience and a better tradeoff between performance metrics than some probabilistic schemes.

Preliminaries
Combinatorial design theory is the branch of combinatorics which focuses on designing subsets of a finite set to satisfy certain properties [23]. Block design is a type of combinatorial design. In the following section, a brief introduction to the definitions and prerequisites of combinatorial design theory used in this paper is given.

Combinatorial Design
Definition 1 [34]. Let V be a basic set of v elements (called points) with $V = \{p_1, p_2, \cdots, p_v\}$ and B be a finite set of subsets (called blocks) of V. B is described as $B = \{B_1, B_2, \cdots, B_d\}$, in which $B_1, B_2, \cdots, B_d$ are d subsets of V. Then B is called a "block design" of V.
Definition 2 [32]. If B is a block design of V that satisfies the following properties: (1) Uniformity: Each block in B contains exactly k distinct points. B is called "balanced incomplete block design (BIBD)" and denoted as B(v, d, r, k, λ). v, d, r, k, λ are parameters of the BIBD that satisfy dk = vr and λ(v − 1) = r(k − 1). In particular, when d = v and therefore r = k, a BIBD is called a symmetric BIBD (sBIBD), which can be denoted as sB(v, k, λ). For every prime or prime power q ≥ 2, there exists an $sB(q^2 + q + 1, q + 1, 1)$. Comtepe et al. [32] defined a mapping from $sB(q^2 + q + 1, q + 1, 1)$ to KPD and proposed a KPD scheme based on sBIBD. In this scheme, each point in V was associated with a distinct random key and each block was used as a key ring, giving a key pool of $v = q^2 + q + 1$ keys and $d = q^2 + q + 1$ key rings, each having k = q + 1 keys. In sBIBD, each pair of blocks intersected in one point, so in the mapped KPD scheme each pair of key rings shared one key. As a result, the probability of a key being shared between each pair of nodes was always 1. When the value of q was large, constructing $sB(q^2 + q + 1, q + 1, 1)$ was an NP-problem [32], which limited the size of sensor networks whose keys were pre-distributed. That is, this scheme was only theoretically feasible for large-scale WSNs.
Definition 3 [20]. A set system is a triple $(V, \mathcal{G}, \mathcal{B})$, where V is a finite set of cardinality v, $\mathcal{G}$ is a partition of V into k parts (called groups) of size q and $\mathcal{B}$ is a block design of V with blocks of size k, which satisfies the following properties:
(1) $|G \cap B| = 1$, for every $G \in \mathcal{G}$ and every $B \in \mathcal{B}$.
(2) Every two points from different groups occur in exactly λ blocks of $\mathcal{B}$.
A TD(k, q), where q is a prime or a prime power, was constructed by Lee et al. in [20] as follows. Let the points in V be denoted as (a, b), where $a \in \{0, 1, \cdots, k - 1\}$, $b \in F_q$ and 2 ≤ k ≤ q. The construction of V is For every ordered pair $(i, j) \in F_q \times F_q$, a block of B is defined as Compared with the sBIBD scheme proposed by Comtepe and Yener, this transversal design was simple in construction and the corresponding KPD scheme placed no limit on the network size of WSNs.

µ-Partially Balanced Incomplete Block Design
A PBIBD is a generalization of a BIBD, in which each pair of points does not need to appear the same number of times [34]. The definition of PBIBD is given as follows:
Definition 4. If B is a block design of V that satisfies the following properties: (1) Uniformity: Each block in B contains exactly k distinct points. B is called "partially balanced incomplete block design (PBIBD)". Further, we refine PBIBD to define a µ-PBIBD.
Definition 5. Let $F = \{\lambda_1, \lambda_2, \cdots, \lambda_\mu\}$ be a set of positive integers. A µ-PBIBD is a pair (V, B), where V is a finite set of v elements (called "points") and B is a set of d k-subsets (called "blocks") of V, which satisfies the following properties:
(1) (V, B) is regular, i.e., each point of V appears in exactly r different blocks of B.
(2) (V, B) is uniform, i.e., the number of points in every block is k.
The µ-PBIBD can be expressed as $\mu\text{-}PB(v, d, r, k, \lambda_1, \cdots, \lambda_\mu)$, in which the parameter r is called the degree of a point in V, k is called the rank of (V, B), and µ is called the class of (V, B).
Theorem 2. The number of common points in any two blocks is $\lambda_i$ ($1 \le i \le \mu$). If µ = 1, a µ-PBIBD will degenerate into a BIBD, in which case any pair of points exists in $\lambda_1$ blocks.

Key Pre-Distribution Based on µ-sPBIBD
In this section, we construct a basic sPBIBD and describe the mapping from µ-sPBIBD to KPD in WSNs.

A Construction of 2-D µ-sPBIBD
By combining sB(v, k, λ) and TD(k, q) from Section 3.1, we use the representation of data elements in 2-D space to construct $\mu\text{-}sPB(v, k, \lambda_1, \cdots, \lambda_\mu)$, which can be described as follows.

Property 1.
In (V, B), V has mn points, B has exactly mn blocks, and the number of points in each block is exactly m + n − 2.
Proof. Constructed as before, V can be viewed as a 2-D space with the dimension m × n. Therefore, the number of points in V is mn;
Proof. There are three cases for the position relationship between two points in V. The first is that, if points $(a_1, b_1)$ and $(a_2, b_2)$ in V lie on different rows and columns, the two points occur in blocks $B_{a_1,b_2}$ and $B_{a_2,b_1}$, and then λ = 2. The second is that, if points $(a_1, b_1)$ and $(a_2, b_2)$ lie on the same row and different columns, the two points occur in exactly the blocks whose subscripts are given by the other points on the same row except these two points, and then λ = n − 2. The third is that, if points $(a_1, b_1)$ and $(a_2, b_2)$ lie on the same column and different rows, the two points occur in exactly the blocks whose subscripts are given by the other points on the same column except these two points, and then λ = m − 2. Therefore, inferred from the three properties, (V, B) is µ-sPBIBD which can be denoted as

2-D µ-sPBIBD Based KPD Scheme
A key pool contains keys which will be selected in various ways to form key rings. These key rings need to be pre-distributed to sensor nodes before sensor nodes of WSNs are deployed. When nodes in WSNs transfer messages to their neighbor nodes, secure communications should be guaranteed by the common keys in key rings of communication nodes.
In KPD schemes based on 2-D µ-sPBIBD for WSNs with M sensor nodes, the mapping from 2-D µ-sPBIBD to KPD is described in Table 1. Each point in V can act as a key in the key pool and each block can be viewed as a key ring to be distributed to a sensor node, meaning that the number d of blocks should satisfy d ≥ M, and if two blocks have common points, the two nodes that hold the two blocks will have shared-keys.  , (a, b), . . . , (m, 1), . . . , (m, n) in V are viewed as key IDs which are associated with keys in the key pool. Point (a, b) and the corresponding key $key_{a,b}$ can be represented as a whole $P_{a,b}$, where 1 ≤ a ≤ m and 1 ≤ b ≤ n. Then the key pool can be described as a set of $P_{a,b}$. According to the construction of blocks proposed in Section 4.1, mn blocks $B_{a,b}$ are generated, where $(a, b) \in Z_m \times Z_n$, which can be denoted as $B_{a,b} = (P_{a,j},$ Elements $P_{a,b}$ in block $B_{a,b}$ are distributed as a key ring to a sensor node.
Table 1. Mapping from 2-D µ-sPBIBD to key pre-distribution (KPD).

µ-sPBIBD KPD Parameter Value of Parameter
Basic set (point set)
When a sensor node needs to transmit a message to neighbor nodes, the node broadcasts the key IDs in its key ring. The neighbors discover shared-keys with the source node by comparing them with their own key IDs. Property 3 shows that there are three possibilities for the number of shared-keys between the two nodes: 2, m − 2 or n − 2.
Suppose that two sensor nodes $N_i$ and $N_j$ have s shared-keys, say $key_1, key_2, \cdots, key_s$, where $key_1, key_2, \cdots, key_s \in V$ and the value of s is 2, m − 2 or n − 2, respectively. A session key between the two nodes can be generated from the shared-keys corresponding to common points between blocks. According to [20], a session key $K_{i,j}$ is established by a hash function h, This approach, which computes the session key by a hash function of the common keys, can improve the network resilience [6,20].
If two communication nodes fail to discover their shared-keys in the shared-key discovery phase, then path-key will be established. In 2-D µ-sPBIBD scheme, any pair of nodes can share at least two keys. Therefore, path-key establishment phase will not be considered.
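The mapping above, as an added example that is not code from the paper. The construction equation did not survive on this page, so the block rule used here (row a plus column b of the grid, minus the point (a, b) itself) is an assumption inferred from Property 1 and the intersection counts in the proof; the SHA-256 session-key derivation and all function names are likewise illustrative assumptions.

```python
import hashlib
import os
from itertools import combinations


def build_blocks(m, n):
    """Assumed construction: B[a,b] = row a plus column b of the m x n grid, minus (a, b)."""
    blocks = {}
    for a in range(1, m + 1):
        for b in range(1, n + 1):
            row = {(a, j) for j in range(1, n + 1)}
            col = {(i, b) for i in range(1, m + 1)}
            blocks[(a, b)] = frozenset((row | col) - {(a, b)})
    return blocks


def point_degrees(blocks):
    """Number of key rings holding each key ID (the degree r of each point)."""
    degrees = {}
    for ring in blocks.values():
        for kid in ring:
            degrees[kid] = degrees.get(kid, 0) + 1
    return degrees


def intersection_profile(blocks):
    """Map each shared-key count to the number of node pairs that have it."""
    profile = {}
    for u, v in combinations(blocks, 2):
        size = len(blocks[u] & blocks[v])
        profile[size] = profile.get(size, 0) + 1
    return profile


def shared_key_ids(blocks, node_i, node_j):
    """Shared-key discovery: intersect the key-ID sets the two nodes broadcast."""
    return sorted(blocks[node_i] & blocks[node_j])


def session_key(key_pool, blocks, node_i, node_j):
    """Assumed derivation: SHA-256 over the shared keys (in key-ID order) and both node IDs."""
    ids = shared_key_ids(blocks, node_i, node_j)
    if not ids:
        raise ValueError("no shared key; a path-key would be needed")
    h = hashlib.sha256()
    for kid in ids:
        h.update(key_pool[kid])
    for node in sorted((node_i, node_j)):  # order-independent, so both ends agree
        h.update(repr(node).encode())
    return h.digest()


if __name__ == "__main__":
    m, n = 5, 7  # constructed sample dimensions
    blocks = build_blocks(m, n)
    key_pool = {kid: os.urandom(16) for kid in blocks}  # constructed random keys
    print("rings:", len(blocks), "ring size:", len(blocks[(1, 1)]))
    print("shared-key counts over all pairs:", intersection_profile(blocks))
    print("N(1,1) and N(2,3) share:", shared_key_ids(blocks, (1, 1), (2, 3)))
    print("session key:", session_key(key_pool, blocks, (1, 1), (2, 3)).hex())
```

Because every pair of rings intersects, the profile has no zero entry, which is why the 2-D scheme never needs the path-key phase.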

3-D Ex-µ-sPBIBD Based KPD Scheme
In a combinatorial KPD scheme, the more keys the blocks share, the more blocks are affected by a compromised block [32]. That is, network resilience conflicts with key connectivity [18].
Complete key connectivity inevitably leads to poor resilience in the 2-D µ-sPBIBD based KPD scheme. In order to make a trade-off between resilience and connectivity, we propose an extended µ-PBIBD that can improve the resilience by appropriately reducing connectivity.
As mentioned in Section 4.1, a key pool can be viewed as a 2-D space that stores keys, in which key IDs are expressed by the corresponding row-column coordinates of elements in 2-D space. In this subsection, we extend the key pool from 2-D space to 3-D space, in which each key ID can be expressed by the corresponding row-column-page coordinate of an element in 3-D space. An extended µ-sPBIBD (Ex-µ-sPBIBD) based KPD is proposed, and KPD in 3-D space is described as follows. Let V be a set of coordinates of q × q × q elements in 3-D space, which can be defined by In 3-D Ex-µ-sPBIBD, the number of blocks is $q^3$ and a block has 3q − 3 points. The mapping from Ex-µ-sPBIBD to KPD is described in Table 2.

Key Connectivity
Key connectivity is one of the important metrics to evaluate the performance of KPD schemes. Connectivity represents the ability of secure communication between nodes [26] and can be described by the probability that sensor nodes have shared-keys. If two nodes have no shared-key, communication between them will use a third node that has shared-keys with the […] to forward, which will result in energy waste. Therefore, direct key connectivity can not only secure the networks but also save communication overhead.
As noted in Section 4.2, the KPD scheme based on 2-D µ-sPBIBD guarantees that any pair of nodes has $\lambda_i$ common keys, which means key connectivity of the proposed scheme can achieve […] In the following, we study key connectivity of the 3-D Ex-µ-sPBIBD scheme in WSNs.
A 3-D space with dimension q × q × q is depicted in Figure 2. Taking $N_1$ as an example, the relation among node, block and 3-D space in the 3-D Ex-µ-sPBIBD scheme is described as follows. Suppose that $N_1$ is a sensor node in WSNs. Then a block constructed by Equation (2) is preloaded to $N_1$ as a key ring. For simplicity, the location of $N_1$ in 3-D space is denoted as $(a_1, b_1, c_1)$.
Let V be a set of |V| = v = 6 × 6 × 6 points and be expressed by Equation (1) where q = 6. According to Figure 2, nodes are denoted as $N_1$, $N_2$, $N_3$, $N_4$ and $N_5$, while the corresponding blocks […]
If two nodes in 3-D space are coplanar, 3-D Ex-µ-sPBIBD will degenerate into 2-D µ-sPBIBD, which has been described in Section 4.1. Therefore, two blocks have 2 or q − 2 common points, which means the two nodes have 2 or q − 2 shared-keys. If two nodes are preloaded with non-coplanar blocks as key rings, they will have no shared-key and need to use a path-key to secure communication.
Taking nodes $N_1$ and $N_3$ as an example, we analyze the establishment of a path-key between the two nodes. In Figure 2, $N_2$ has shared-keys with $N_1$ and $N_3$, and then a secure two-hop path between $N_1$ and $N_3$ (i.e., $N_1$, $N_2$, $N_3$) is established.
Taking node $N_5$ in Figure 2 as an example, we analyze the connectivity of the Ex-µ-sPBIBD scheme. All nodes that are coplanar with $N_5$ have shared-keys with $N_5$. Therefore, the number of nodes on planes A, B and C that have shared-keys with $N_5$ is 3q(q − 1). The total number of nodes except $N_5$ in WSNs is $q^3 − 1$. Then direct connectivity of Ex-µ-sPBIBD is given by
Figure 2 illustrates the shared relation of blocks and the key connectivity of key rings. For simplicity, we replace block with node to illustrate key sharing. There are three cases of key sharing between nodes: if two nodes, such as $N_4$ and $N_5$, lie on the same plane and have different row and column subscripts, the two nodes have 2 shared-keys; if two nodes, such as $N_2$ and $N_3$, lie on the same plane and have the same row (or column) subscript, the two nodes share q − 2 keys; if two nodes, such as $N_1$ and $N_3$, are not coplanar, the two nodes have no direct shared-key.
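The three sharing cases and the connectivity count above, as an added example that is not code from the paper. Equation (2) is missing from this page, so the ring rule here (the three axis-parallel lines through a node's coordinate, minus the coordinate itself) is an assumption chosen because it reproduces the page's figures: 3q − 3 keys per ring, 2 or q − 2 shared keys for coplanar nodes, none otherwise, and 3q(q − 1) directly connected nodes. The node coordinates and function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import product


def key_ring(node, q):
    """Assumed block rule: the three axis-parallel lines through the node, minus its own point."""
    a, b, c = node
    ring = {(i, b, c) for i in range(1, q + 1)}
    ring |= {(a, j, c) for j in range(1, q + 1)}
    ring |= {(a, b, k) for k in range(1, q + 1)}
    ring.discard(node)
    return ring


def shared_ids(n1, n2, q):
    """Shared-key discovery between two nodes, as a sorted list of key IDs."""
    return sorted(key_ring(n1, q) & key_ring(n2, q))


def direct_connectivity(q, ref=(1, 1, 1)):
    """Fraction of the other q^3 - 1 nodes that share at least one key with ref."""
    nodes = [n for n in product(range(1, q + 1), repeat=3) if n != ref]
    linked = sum(1 for n in nodes if shared_ids(ref, n, q))
    return Fraction(linked, len(nodes))


def two_hop_relays(src, dst, q):
    """Nodes sharing keys with both ends, i.e. candidates to carry a path-key."""
    return [n for n in product(range(1, q + 1), repeat=3)
            if n not in (src, dst) and shared_ids(src, n, q) and shared_ids(n, dst, q)]


if __name__ == "__main__":
    q = 6  # grid size used for Figure 2 on the page
    # Constructed node coordinates whose shared points are the page's (3,5,3) and (3,4,2).
    print("same plane, different row/column:", shared_ids((3, 5, 2), (3, 4, 3), q))
    print("same plane, same row:", shared_ids((1, 2, 3), (4, 2, 3), q))
    print("not coplanar:", shared_ids((1, 1, 1), (2, 2, 2), q))
    print("direct connectivity:", direct_connectivity(q))
    print("relays for the non-coplanar pair:", len(two_hop_relays((1, 1, 1), (2, 2, 2), q)))
```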

Network Scalability
Network scalability reflects the flexibility of a KPD scheme in WSNs: the security of the network should not be affected when new nodes join the WSN. Scalability can be expressed as the maximum number of nodes supported by KPD in WSNs. In the combinatorial KPD scheme, blocks are mapped to key rings. Therefore network scalability is equivalent to the number of blocks in the combinatorial design.
In 2-D µ-sPBIBD, let the number of points in V be v; v can be decomposed into multiple forms such as $m_1 \times n_1$, $m_2 \times n_2$, · · · . In terms of Property 1, if V is described by 2-D spaces with different dimensions, the number of points in each block of µ-sPBIBD will also be different, namely $m_1 + n_1 - 2$, $m_2 + n_2 - 2$, · · · , respectively. That is, scalability of the KPD scheme based on 2-D µ-sPBIBD varies with the number of the corresponding key rings. Let v be expressed as $q \times q$, $m_1 \times n_1$, $m_2 \times n_2$, · · · . In 2-D space, the form q × q corresponds to the minimum number of points in a block.
Proof. Suppose that v can be described by two forms such as $q \times q$ and $\frac{q}{e} \times (q \times e)$, where $e, \frac{q}{e} \in \mathbb{Z}^+$ and $e \neq 1$. In the two cases, the numbers of points in blocks are $2q - 2$ and $\frac{q}{e} + (q \times e) - 2$, respectively. Comparing the number of points in the two blocks, the result is as follows.
As described above, if v can be decomposed into many forms as a product of two numbers, the number of points in a block will be the minimum when v is expressed as the square of a certain number. That is, the corresponding 2-D space should have the same number of rows and columns.
In 2-D µ-sPBIBD, the number of blocks is the same as the number of points in V. Therefore, the number of nodes in WSNs is also v. According to Theorem 3, in our proposed KPD scheme based on µ-sPBIBD, the number of keys in the key pool should be a minimum square of a number, which will lead to a shorter key ring size under similar network scalability in WSNs. If the number of sensor nodes of WSNs is n and $n \neq q^2$, the scalability of WSNs can be described as $\min\{q^2 \mid q^2 > n,\ q, n \in \mathbb{Z}^+\}$.
In 3-D Ex-µ-sPBIBD, each point in V is denoted by a coordinate of 3-D space, which is the same as the subscript of each block. As analyzed above, the 3-D space should be defined as q × q × q, and then the number of blocks in V is $q^3$. That is, if the number of nodes in WSNs is $q^3$, the scalability of WSNs can be described as $\min\{q^3 \mid q^3 > n,\ q, n \in \mathbb{Z}^+\}$.

Network Resilience
Resilience represents the security metric of KPD against node capture in WSNs. Because low performance nodes in WSNs are not equipped with tamper-resistant hardware [35], once one node is captured by an adversary, all of the information stored in the node, including key material, will be exposed. The adversary may use the captured keys to decrypt communication between other nodes that use the same keys. When the number of compromised sensor nodes reaches a certain value, all keys in the key pool will be exposed and the whole WSN will collapse.
Resilience reflects the extent that the compromised nodes affect the remaining non-compromised nodes when WSNs suffer from attack of node capture. Resilience of WSNs is expressed as Res(x), which denotes the broken probability of a link between two fixed non-compromised nodes when an attacker captures x other nodes [20]. The lower the value of Res(x) is, the stronger the resilience of WSNs will be.

Resilience of 2-D µ-sPBIBD
As noted in Section 5.2, let the size of V be the square of q in 2-D µ-sPBIBD. Then two nodes have 2 or q − 2 shared-keys. In Figure 3, a 2-D space with dimension q × q is depicted. Taking $N_1$ in Figure 3a as an example, the relation among node, block and 2-D space in the 2-D µ-sPBIBD scheme is described as follows. Suppose that $N_1$ is a sensor node in WSNs; a block $B_{a_1,b_1}$ constructed in Section 4.1 is preloaded to $N_1$ as a key ring, in which $(a_1, b_1)$ is a point of V. Then, for simplicity, the location of $N_1$ in 2-D space is denoted as $(a_1, b_1)$.

If the number of shared-keys is 2
Suppose that nodes $N_1$ and $N_2$ share two keys. The two blocks corresponding to the key rings preloaded to $N_1$ and $N_2$ are denoted as $B_{a_1,b_1}$ and $B_{a_2,b_2}$. As presented in Figure 3, in 2-D space, points in $B_{a_1,b_1}$ cover the orange and blue segments, while points in $B_{a_2,b_2}$ cover the green and blue segments. Figure 3a illustrates that $B_{a_1,b_1}$ and $B_{a_2,b_2}$ have common points $(a_1, b_2)$ and $(a_2, b_1)$, which represent the key IDs of the two shared-keys between $N_1$ and $N_2$ (for simplicity, in the following analyses, we replace key with key ID).
Resilience is expressed by the probability that communication between $N_1$ and $N_2$ will be compromised after x random nodes are captured. Suppose that $H_{a_1,b_2}$ and $H_{a_2,b_1}$ are two sets of blocks including $(a_1, b_2)$ and $(a_2, b_1)$, respectively. From Property 3, we have that To secure the communication between $N_1$ and $N_2$, $(a_1, b_2)$ or $(a_2, b_1)$ should not exist in the blocks associated with the x captured nodes. The number of ways of choosing x nodes unrelated to $(a_1, b_2)$ is Similarly, the number of ways of choosing x nodes unrelated to $(a_2, b_1)$ is . Then the number of ways of choosing x nodes unrelated to $H_{a_1,b_2} \cup H_{a_2,b_1}$ is . Therefore, if x nodes are captured, network resilience, which is represented by the probability that communication with two fixed nodes is broken, can be given by

If the number of shared-keys is q − 2
Two blocks will share q − 2 keys if the two blocks corresponding to the two key rings in nodes $N_1$ and $N_2$ have the same row-subscript (or column-subscript). In Figure 3b, blocks $B_{a_1,b_3}$ and $B_{a_1,b_4}$ have the same row-subscript. Then the common points between $B_{a_1,b_3}$ and $B_{a_1,b_4}$ are all elements in row $a_1$ except $(a_1, b_3)$ and $(a_1, b_4)$.
As illustrated in Figure 3b, suppose the blocks in $N_1$ and $N_2$ have the same row (or column). If an attacker captures x nodes, $N_1$ and $N_2$ will be compromised in the following three cases: (1) Among the x captured nodes, there are at least two nodes, such as $N_3$ and $N_4$, whose corresponding blocks have the same row (or column) subscript as the blocks in $N_1$ and $N_2$. (2) Among the x captured nodes, there is one node, such as $N_3$, whose corresponding block has the same row (or column) subscript as the blocks in $N_1$ and $N_2$, and another node, such as $N_5$, whose corresponding block has the same column (or row) subscript as the block in $N_3$. Resilience of the first two cases will be given by In the third case, the number of ways of choosing x compromised nodes is given by and resilience of the third case will be given by Then, if two nodes have q − 2 shared-keys, resilience can be written as: In terms of the construction of µ-sPBIBD, the probability that two blocks share q − 2 points is given by The probability that two blocks share 2 points is given by Finally, resilience of the KPD scheme based on µ-sPBIBD can be computed by Equations (4) and (8)-(10). The resilience is expressed as follows:

Resilience of 3-D Ex-µ-sPBIBD
Resilience of 3-D Ex-µ-sPBIBD is similar to that of 2-D µ-sPBIBD. Suppose that x random nodes are captured. Resilience can be analyzed as follows.

If the number of shared-keys is 2
Suppose that the subscripts of the blocks of two nodes have different row and column in the same plane. The two nodes have two shared-keys, say $(a_1, b_1, c_1)$ and $(a_2, b_2, c_2)$. For example, suppose $N_1$ and $N_2$ in Figure 2 have two shared-keys and the corresponding points are (3,5,3) and (3,4,2). $H_{a_1,b_1,c_1}$ and $H_{a_2,b_2,c_2}$ are sets of blocks containing $(a_1, b_1, c_1)$ and $(a_2, b_2, c_2)$, respectively, where $a_1 = a_2$, $b_1 \neq b_2$ and $c_1 \neq c_2$. According to Property 3, we have $|H_{a_1,b_1,c_1}| = |H_{a_2,b_2,c_2}| = 3q - 3$ and $|H_{a_1,b_1,c_1} \cap H_{a_2,b_2,c_2}| = 2$. Then In order to ensure the security of a link between $N_1$ and $N_2$, the key rings of the x captured nodes must not contain the two keys $(a_1, b_1, c_1)$ and $(a_2, b_2, c_2)$. The number of ways of choosing x nodes unrelated to $(a_1, b_1, c_1)$ is Similarly, the number of ways of choosing x nodes unrelated to $(a_2, b_2, c_2)$ is Then the number of ways of choosing x nodes unrelated to $H_{a_1,b_1,c_1} \cup H_{a_2,b_2,c_2}$ is $\binom{q^3 - 6q + 8}{x}$. Therefore, if x nodes are captured, the probability $Res_1(x)$ that a link between the two fixed nodes is broken will be given as follows:

If the number of shared-keys is q − 2
If the subscripts of two blocks are coplanar and have the same row (or column), their corresponding nodes will have q − 2 shared-keys. Taking $N_2$ and $N_3$ in Figure 2 as an example, we compute network resilience.
Two coplanar blocks in 3-D Ex-µ-sPBIBD can be viewed as two blocks in 2-D µ-sPBIBD. For simplicity, as analyzed in Section 5.3.1 and similarly to Equations (4)-(7), the resilience of this case can be given by In terms of the construction of 3-D Ex-µ-sPBIBD, the probability that two blocks share 2 points can be given by The probability that two blocks share $q - 2$ points can be given by Finally, the resilience of the KPD scheme based on 3-D Ex-µ-sPBIBD can be computed by Equations (12)-(15). Resilience can be expressed as follows,
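The counts used in case 1 (two shared keys) can be checked by enumeration. The following is an added example, not code from the paper: it assumes a block construction (each node's key ring holds the points that differ from its index in exactly one coordinate) that reproduces the stated values $3q - 3$, 2 and $q^3 - 6q + 8$, and it assumes $Res_1(x)$ is the inclusion-exclusion probability that both shared keys appear in the captured key rings. The names `block`, `counts`, `res1` and `res1_bruteforce` are illustrative.

```python
from fractions import Fraction
from itertools import combinations, product
from math import comb

def block(i, j, l, q):
    # ASSUMED construction (not given on this page): the key ring of node
    # (i, j, l) holds every point that differs from it in exactly one coordinate.
    return ({(a, j, l) for a in range(q) if a != i}
            | {(i, b, l) for b in range(q) if b != j}
            | {(i, j, c) for c in range(q) if c != l})

N1, N2 = (0, 0, 1), (0, 1, 0)   # same plane a = 0, different row and column

def shared_keys(q):
    return sorted(block(*N1, q) & block(*N2, q))

def counts(q):
    """Return (#shared keys, |H1|, |H2|, |H1 & H2|, #nodes outside H1 | H2)."""
    nodes = list(product(range(q), repeat=3))
    keys = shared_keys(q)
    h1, h2 = ({n for n in nodes if k in block(*n, q)} for k in keys)
    return len(keys), len(h1), len(h2), len(h1 & h2), len(nodes) - len(h1 | h2)

def res1(x, q):
    """P(both shared keys exposed) after x of the other q^3 - 2 nodes are
    captured, by inclusion-exclusion (assumed reading of Res_1)."""
    total = comb(q**3 - 2, x)
    miss_one = comb(q**3 - 3*q + 3, x)    # captured set avoids one given key
    miss_both = comb(q**3 - 6*q + 8, x)   # captured set avoids both keys
    return 1 - Fraction(2 * miss_one - miss_both, total)

def res1_bruteforce(x, q):
    """Same probability by enumerating every x-subset of the other nodes."""
    k1, k2 = shared_keys(q)
    rings = [block(*n, q) for n in product(range(q), repeat=3) if n not in (N1, N2)]
    hits = total = 0
    for captured in combinations(rings, x):
        exposed = set().union(*captured)
        total += 1
        hits += (k1 in exposed) and (k2 in exposed)
    return Fraction(hits, total)

if __name__ == "__main__":
    print(counts(5))
    for x in (1, 2, 3):
        print(x, res1(x, 3), res1_bruteforce(x, 3))
    print(float(res1(10, 7)))
```

A single captured node never breaks such a link under these assumptions, because the only nodes holding both shared keys are the two endpoints themselves.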

Performance Comparison
In order to better analyze the performance of the proposed method, we compare it with other combinatorial design based KPD schemes. Symmetric BIBD scheme [32] is a classical combinatorial design based deterministic key pre-distribution scheme, which mapped a symmetric design with parameters $(q^2 + q + 1, q + 1, 1)$ to a KPD scheme. RD scheme [30] constructed a residual design (RD) based on sBIBD with parameters $(q^2 + q + 1, q + 1, 1)$ and was the first to apply RD to a KPD scheme, which improved the resilience and scalability compared with sBIBD scheme. TD scheme [20] employed linear construction and quadratic construction of transversal designs, which were expressed as $TD(k, q)$ and $TD(\lambda, k, q)$, respectively, and it offered a lot of flexibility in trading off the various metrics.
In this section, we compare the proposed schemes with sBIBD scheme, RD scheme and linear TD scheme according to different criteria. For the sake of clarity, the parameters of different KPD schemes are listed in Table 3. We can find that the metrics of linear TD scheme depend on two parameters $k$ and $q$, which is different from the other combinatorial schemes, which depend on only one parameter.

Network Scalability
According to Table 3, we can obtain network scalability of these schemes. In sBIBD scheme, the key ring size was $k = q + 1$ and the maximum size of network supported by sBIBD scheme was $q^2 + q + 1$. In RD scheme, the key ring size was $k = q$ and the scalability of RD scheme was computed as $(q^2 + q + 1)(q + 1)$. In linear TD scheme, the key ring size was $k$ and the probability that two sensor nodes shared a common key was $Pr_1$. Then a prime $q$ was chosen such that $q + 1 \le k/Pr_1$, and the maximum scale of network supported by linear TD scheme was $q^2$ [20]. In 2-D µ-PBIBD scheme, each node is preloaded with $k = 2q - 2$ distinct keys and the maximum network size that can be supported by 2-D µ-PBIBD scheme is $q^2$. The key ring size is $k = 3q - 3$ in 3-D Ex-µ-PBIBD scheme which can support network size up to $q^3$.

Table 3. Parameters of BIBD, RD, TD, 2-D µ-PBIBD and 3-D Ex-µ-PBIBD.

| Combinatorial Design | Key Pool Size | Number of Key Rings | Key Ring Size |
|---|---|---|---|
| BIBD [3] | $q^2 + q + 1$ | $q^2 + q + 1$ | $q + 1$ |
| RD [30] | $q^2 + q + 1$ | $(q^2 + q + 1)(q + 1)$ | $q$ |
| Linear TD [20] | $kq$ | | |

The scalability of µ-PBIBD and Ex-µ-PBIBD is compared with sBIBD, RD and TD schemes when the size of key ring increases from 10 to 100 by increments of 10. For linear TD scheme, we analyze the scalability in the case of $Pr_1 = 0.3$ and $Pr_1 = 0.9$. As expected, Ex-µ-PBIBD scheme achieves better network scalability than µ-PBIBD scheme. Figure 4 shows that at the same key ring size, scalability of Ex-PBIBD is higher than PBIBD, BIBD and TD($Pr_1 = 0.9$) scheme, while it is lower than RD and TD($Pr_1 = 0.3$) scheme. When key ring size is up to 100, the network sizes of the schemes in Figure 4 are 1020201, 110224, 40471, 12100, 9901, and 2601, respectively. Although the scalability of Ex-µ-PBIBD scheme is not the best among the above schemes, according to the data in Figure 4, we find that the key ring size in Ex-µ-PBIBD scheme is enough to support the corresponding network size in practical WSNs.

Sensors 2018, 18, x FOR PEER REVIEW

Figure 4. Comparison of network scalability of different KPD schemes at the same key ring size $k$.

Key Connectivity
In sBIBD scheme with parameters $(q^2 + q + 1, q + 1, 1)$, the probability of key shared between each pair of nodes was always 1. Thus, direct key connectivity of BIBD scheme is 1.
In RD scheme with parameters $(q^2 + q + 1, (q^2 + q + 1)(q + 1), q(q + 1), q, 1)$, the probability that any pair of blocks come from the same class was given by (17) and the probability that the pair of blocks shared one or more points was computed as The probability that any pair of blocks come from different classes was given by and the probability that any pair of blocks shared one or more points was computed as The formulas for $Q_{SC}$, $P_{SC}$, $Q_{DC}$ and $P_{DC}$ were given in Ref. [30]. Then key connectivity of RD scheme was expressed as $Con_{RD} = Q_{SC} \cdot P_{SC} + Q_{DC} \cdot P_{DC}$, where $Q_{SC}$, $P_{SC}$, $Q_{DC}$ and $P_{DC}$ could be computed using Equations (17)-(20).
The key connectivity of Linear TD scheme was estimated as follows:

Figure 5 shows key connectivity of the four combinatorial schemes. Any pair of nodes in sBIBD scheme and µ-sPBIBD scheme have at least one common key. Thus the two schemes have the complete connectivity property. The connectivity of Linear TD scheme was determined by parameters $k$ and $q$. In order to compare with the connectivity of Linear TD scheme, the network scale of TD scheme should be the same as that of Ex-µ-PBIBD. Figure 5 shows that at equal key ring size, Ex-µ-sPBIBD scheme has better connectivity than RD scheme when key ring size is more than 13, while it has worse connectivity than TD scheme. We can find in Figure 5 that, as key ring size increases, direct connectivity of the proposed scheme decreases. This is due to the fact that the probability of key-share tends to $O(1/k)$ when $k$ tends to infinity.

Network Resilience
In this subsection, we discuss network resilience of the five schemes. The network resilience of the sBIBD scheme [32] was calculated as where $x$ represented the number of captured nodes. In RD scheme, the network resilience [30] was given by where $x$ was the number of captured nodes. The network resilience of TD scheme in Reference [23] was computed using the following equation:

In Figure 6, we compare the network resilience of the five schemes at equal number of captured nodes for $k = 24$ and $k = 48$, respectively. In order to compare the performance of TD scheme in a similar setting, we consider two cases of TD schemes which have the same scalability and connectivity as those of our scheme, respectively. According to Figure 6, we can find that Ex-µ-sPBIBD scheme provides the best network resilience against compromised nodes among the five schemes. The figures reflect the fact that the network resilience of Ex-µ-PBIBD scheme does not decline substantially as the number of compromised nodes increases. Comparing Figure 6a with Figure 6b, the higher $k$ is, the better the network resilience is for the same number of captured nodes. That is because the session key between nodes is constructed from the shared-keys of the key rings of the two nodes. Thus more nodes need to be captured as the key ring size increases.

Additional Analysis
In Ex-µ-sPBIBD scheme, connectivity, scalability and resilience are determined by the size of key ring (denoted by $k$). Thus, choosing the proper parameter $k$ could achieve a trade-off between connectivity and resiliency. To compare with TD scheme, we normalize by fixing the size of key ring, $k$, and the key connectivity, $Con$. Firstly, we compute the connectivity of Ex-µ-PBIBD scheme using Equation (3). Next, fixing the size of key ring and the key connectivity, we obtain the resilience of TD scheme from Equations (21) and (24) and the scalability from Table 3. In Table 4, the parameter choices of the schemes are summarized. Then we list the maximum network size (denoted by $M$) and resilience $Res(x)$ of the two schemes. We could select the value of $k$ according to the requirements of a practical WSN.

Table 4. Performance of schemes for values of $k$ and $Con$ fixed.

Conclusions
In this work, we defined a new combinatorial design, termed "µ-PBIBD", and constructed a 2-D µ-sPBIBD. We proposed a basic mapping from 2-D µ-sPBIBD to KPD which could achieve complete key connectivity but poor network resilience. To enhance network resilience, we extended the set of keys $V$ from 2-D space to 3-D space and proposed an extended 3-D Ex-µ-sPBIBD KPD scheme with better network scalability and high network resilience. The theoretical analysis and performance comparison with the existing schemes show that the KPD scheme based on Ex-µ-sPBIBD increases the network scalability and provides better network resilience.
Author Contributions: Q.Y. conceived and designed the research, and contributed as the lead author of the paper; H.Y. performed the experiments; X.B. analyzed the data; C.M. gave valuable suggestions on the paper and revised the paper; Q.Y. and H.Y. wrote this paper.
Funding: This work was supported by National Natural Science Foundation of China (No. 61170241, 61472097).

Conflicts of Interest:
The authors declare no conflict of interest.

$V$: The basic set
$p_i$: The $i$-th point of $V$
$v$: The number of points in $V$
$B$: The block design of $V$
$B_i$: The $i$-th block in $B$
$d$: The number of blocks in $B$
$k$: The number of points in a block (i.e., key ring size)
$r$: The number of blocks in which a point is contained
$\lambda$: The number of blocks in which each pair of elements exist
$B(v, d, r, k, \lambda)$: Balanced incomplete block design with parameters $v$, $d$, $r$, $k$, $\lambda$
$q$: The order of finite projective plane corresponding to $sB(q^2 + q + 1, q + 1, 1)$
The number of cases on the number of blocks in which each pair of points exist
$M$: The number of sensor nodes in WSNs
$(a, b)$: The point in $V$ in 2-D µ-PBIBD
$m, n$: The number of rows and columns when $V$ is viewed as 2-D space
$K_{i,j}$: The session key between nodes $N_i$ and $N_j$
$Res(x)$: The network resilience when an attacker captures $x$ nodes
$pro_1$: The probability that two blocks share 2 keys
$pro_2$: The probability that two blocks share $q - 2$ keys
$(a, b, c)$: The point in $V$ in 3-D µ-PBIBD
$Con$: The probability that two blocks have shared-key in Ex-µ-sPBIBD
$N_i$: The $i$-th node in WSNs