This section analyzes the properties of deterministic predeployment key distribution according to its configurations.
We shall assume that an adversary can perform a replay attack and eavesdrop on all the links of the network. An adversary can also capture a node and find all the secret information from its memory.
4.1. Resilience
One of the greatest risks in a WSN is that some nodes are compromised, and their secret material is used to attack other nodes. The strength of a scheme against this attack is called resilience. In particular, it is of special interest the resilience against eavesdropping, which is evaluated according to the quantity of links that an adversary can eavesdrop after compromising a specific amount of nodes.
The quantity of links that can be eavesdropped by an adversary with one key, is always . This value represents the quantity of links based on each key. The equations are more complicated if some nodes with their rings are compromised. The equations must consider how many keys can be present in more than one compromised ring, and that the links of the compromised nodes are no longer active and so they must not be considered. The formulas to compute the probability that a link is compromised, i.e., the average percentage of compromised links, in the deterministic predeployment key distribution scheme are (7) and (8), for the minimum key redundancy and for SBIBD configuration, respectively. With the introduction of redundancy, it is possible that an adversary compromises identical nodes. However, only different rings provide new secret material to the adversary. Therefore, by considering x compromised nodes, both formulas start with a summation from to which represents the minimum and the maximum quantity of compromised rings (k), respectively. In fact, corresponds to the quantity of nodes with the same ring. The first part inside the summation represents the probability that exactly k rings are compromised. It is computed as . The denominator of this fraction () represents the number of possible groups of x compromised nodes. The first binomial represents the number of possible groups of k different rings. The second element of the numerator computes the number of possible groups of x nodes with k different rings among the nodes that share those rings. This result is computed as a difference. Since this formula does not guarantee that at least a node per ring is present, the subtrahend is the summation of all the possible groups of x nodes that are included in less than k rings. The summation is alternatively positive and negative since each superior group redundantly includes all the smaller groups. The result of the described part of the formulas represents the probabilistic weight that will be multiplied by the corresponding quantity of compromised links. Therefore, always considering one compromised link, the results of (7) and (8) would be 1.
The subsequent part of the formulas depends on the considered scheme. With the minimum key redundancy configuration, represents the quantity of not-compromised nodes with a ring identical to a compromised one. Each of these nodes has possible links with a node with a not-compromised ring. All these links are compromised. Moreover, all the links among the not-compromised nodes with a compromised ring are compromised. Finally, computes the quantity of links among the nodes with the same ring that randomly selected a compromised key. In details, the quantity of not-compromised rings is multiplied by the number of links per ring , multiplied by the quantity of compromised keys per ring k, divided by the quantity of keys per ring . The final result is divided by which is the number of links among all the not-compromised nodes.
The first part of (8) is identical to the first part of (7). Also in this case the second part, on the second line, computes the number of compromised links.
The index of the initial summation is
i, which represents the quantity of keys not compromised by the adversary. The part of the formula on the second line computes the probability that
i has a specific value. The minimum value corresponds to
, since the quantity of different rings
and since with
k compromised rings, the maximum number of compromised keys is the minimum between
and
, which represents the number of keys compromised by a set rings that share the same key (i.e., among all the compromised keys only one is repeated, and the number of different keys is maximum). The maximum value is (
), which corresponds to the number of not-compromised keys when one ring is compromised. The first fraction within the summation computes the probability of the current value of
i. The numerator is
which is a function that computes the quantity of groups of
k compromised rings compliant with
i not-compromised keys. This value is divided by the total quantity of groups of
k compromised rings. The value of function
is computed through tables. The tables for
are reported in
Appendix A. The last part of the formula is the fraction of compromised links. The denominator
computes the number of possible links between not-compromised nodes. The first part of the numerator is the total quantity of links
multiplied by the number of compromised keys
and divided by the total number of keys
. The result corresponds to the quantity of compromised links, but it also counts the links with compromised nodes. Therefore, the
links of the
x compromised nodes, minus the
links among the compromised nodes that would be counted two times, are subtracted.
4.2. Experimental Analysis
To provide a clear idea of the properties of the deterministic predeployment key distribution, the resilience of some configurations has been computed and plotted.
Figure 1 shows the level of resilience for a network composed by 84 nodes. The number 84 was selected since it is perfectly compliant with all the tested configurations. Each curve represents a configuration. The graph shows the [0,1] ratio of compromised links according to the number of compromised nodes. As expected, for all the curves, as the number of compromised nodes increases, the ratio of compromised links increases too. The continuous lines are referred to configurations with
, fine dots are referred to
, while sparse dots
. The ring redundancy is computed according to
r and
n. Both for the minimum key redundancy and for SBIBD configuration, as
r increases the ratio of compromised links decreases. By comparing the minimum key redundancy configuration to SBIBD configuration, it is observed that SBIBD always provides a better level of resilience. Only when
the two curves are identical. However, this is a special case, such as for
, since both the approaches generate the same key distribution.
A representation similar to the previous one is presented in
Figure 2. However, in this case, the size of the network is not constant. For each value of
r, the minimum value of
n compliant with the two approaches was selected. Therefore, it is not possible to directly compare the configurations with different values of
r. However, it is possible to observe that all the general properties showed by the previous chart are confirmed.
The resilience provided by a configuration with a fixed value of
r on networks with various sizes is shown in
Figure 3. Each curve is matched to a distribution strategy and to a specific number of compromised nodes. The graph shows the [0,1] ratio of compromised links according to the number of nodes in the network. It is observed that the size of the network only provides a slight decrease in the resilience, while each curve is quite stable.
To provide a whole overview on the contribution of
r and
on the resilience,
Figure 4 shows the [0,1] ratio of compromised links according to the value of
. When the values of
are very low, there is a visible variation in the level of resilience. However, the ratio of compromised links increases always more slowly and for high value of
the difference is negligible. This result is because of the links of the compromised nodes. These links are considered not existing, since they are no more used by the nodes of the network, but they cannot be eavesdropped, since the adversary directly use them. When
is high, the adversary gains an advantage by eavesdropping on all the links of the nodes identical to the compromised ones. However, if
is small, the relative weight of the links of the compromised nodes is higher, and the other identical nodes are lower.
To evaluate the performance of a redundant scheme within the key-management scenario, SBIBD with
is compared to EG with the same ring size. EG does not guarantee a full connectivity, since some nodes could share no common keys, so its connectivity is imposed higher than 0.99. In order to reach this connectivity level the value of
p must be properly set. The formula that computes the connectivity of EG is (9).
According to
the configuration of EG that guarantees the best resilience is
, while in redundant SBIBD
. By using the formula of resilience for EG presented in [
20] it is possible to compare these schemes. The comparison is shown in
Figure 5. It is possible to observe that the redundant scheme provides a better level of resilience.
4.3. Validation
A simulator has been developed to validate the proposed formulas. The simulator generates a set of rings of keys compliant with the requirements. Then, it randomly selects a specific quantity of nodes that are considered compromised. Finally, some links are checked to verify if the keys that they use are compromised.
In particular, for every tested configuration
sets of rings have been selected and
links per selected set have been checked. The results validated the correctness of the formulas.
Figure 6 shows some examples of comparison between the results provided by the theoretical formulas and the simulations. The relative difference is always lower than
, and it is attributed to the statistical error. As a further proof,
Figure 7 compares the curve obtained with
, with the same configuration, but in this case the double of the sets of rings are selected and the double of the links per set are selected. It is possible to observe that the new curve is not steady, but the picks are strongly reduced.