# Reliability of Wireless Sensor Networks under a Heterogeneous Key Predistribution Scheme

###### Abstract

We consider the network reliability problem in secure wireless sensor networks that employ a heterogeneous random key predistribution scheme. This scheme is introduced recently, as a generalization of the Eschenauer-Gligor scheme, to account for the cases when the network comprises sensors with varying level of resources or connectivity requirements; e.g., regular nodes vs. cluster heads. The scheme induces the inhomogeneous random key graph, denoted , where each of the nodes are independently assigned to one of classes according to a probability distribution and then a class- node is assigned keys uniformly at random from a pool of size ; two nodes that share a key are then connected by an edge. We analyze the reliability of against random link failures. Namely, we consider formed by deleting each edge of independently with probability , and study the probability that the resulting graph i) has no isolated node; and ii) is connected. We present scaling conditions on , , and such that both events take place with probability zero or one, respectively, as the number of nodes gets large. We also present numerical results to support these zero-one laws in the finite-node regime.

IEEEexample:BSTcontrol

## 1 Introduction

Wireless sensor networks (WSNs) consist of low-cost, low-power, small sensor nodes that are typically deployed in large numbers in application areas as diverse as military, health, environmental monitoring, etc [1]. In most cases, WSNs are deployed in hostile environments (e.g., battlefields) making it crucial to use cryptographic protection to secure sensor communications. To that end, significant efforts have been devoted to developing methods for securing WSNs, and random key predistribution schemes have been widely accepted as feasible solutions in the face of unique challenges WSNs present: limited computational capabilities and transmission power, lack of a priori knowledge of deployment configuration, and vulnerability to node capture attacks; e.g., see [2, 3, 4, 5] for a detailed discussion on security challenges in WSNs and solutions based on key predistribution.

In this paper, we consider a heterogeneous key predistribution scheme introduced recently by Yağan [6] as a variation of the classical Eschenauer-Gligor (EG) scheme [2]. The heterogeneous key predistribution scheme accounts for the cases when the network comprises sensor nodes with varying level of resources (e.g., computational, memory, power) and varying level of security and connectivity requirements (e.g., regular nodes vs. cluster heads); this is indeed likely to be the case for many WSN applications [7]. According to this scheme, each of the sensors is independently assigned to class- with probability , for each ; obviously we have . Sensors from class- are each given keys selected uniformly at random from a pool of size ; put differently, the number of cryptographic keys assigned to a sensor is controlled by its priority class. Then, pairs of sensors that have at least one key in common can communicate securely after deployment. With and , we let denote the random graph induced by the heterogeneous key predistribution scheme. This model was referred to as the inhomogeneous random key graph in [6], wherein, zero-one laws for absence of isolated nodes and connectivity are established.

The main goal of this paper is to investigate the reliability of secure WSNs under the heterogeneous key predistribution scheme. To account for the possibility that links between two sensor nodes may fail (e.g., due to random failures, adversarial attacks, etc.), we apply a Bernoulli link-failure model to the inhomogeneous random key graph . Namely, we assume that each link in is operational with probability and fails with probability , independently from others. This models random attacks as well as random failures due to sensor malfunctioning or harsh environmental conditions. Understanding the reliability of WSNs against link failures is of interest in a multitude of applications where sensors are deployed in hostile environments (e.g., battlefield surveillance), or, are unattended for long periods of time (e.g., environmental monitoring), or, are used in life-critical applications (e.g., patient monitoring).

Let denote the resulting random graph that contains all operational links in . The network reliability problem is concerned [8], [9, Section 7.5] with deriving the probability that exhibits certain desired properties – that captures the ability of the network to continue its services – as a function of the link failure probability . Here, we focus on two standard and related properties that the network i) has no isolated node, and ii) is connected. For arbitrary graphs with fixed size , deriving these probabilities are known [10, 11] to be -complete, meaning that no polynomial algorithm exists for their solution, unless . Given that it is not feasible to derive them, we study the asymptotic behavior of these probabilities as gets large, when the model parameters are scaled with . We also consider the finite-node case via simulations.

Our contributions are as follows. We present conditions on how to scale and the link failure probability such that the network is connected with probability approaching to one and zero, respectively, as grows unboundedly large. We establish an analogous zero-one law for to have no node that is isolated (i.e., that has zero edges). These sharp results are likely to be useful in dimensioning the heterogeneous scheme, namely controlling the key ring parameters , and the key pool size such that the network has a desired level of reliability against link failures. A particularly surprising conclusion derived from our results is that for a fixed mean number of keys per sensor, network reliability is tightly dependent on the smallest key ring size used in the network; see Section 3-A for details.

Our results complement and generalize several previous work in the literature. In particular, we complement the works [12, 13] that study the reliability of secure WSNs against a fixed number of link failures; in our case the number of failed links can be unboundedly large. Our results also contain as special cases the zero-one laws for connectivity in inhomogeneous random key graphs [6] and the network reliability results for the (homogeneous) random key graph [14]; see Section 3-B for details.

All limiting statements, including asymptotic equivalences are considered with the number of sensor nodes going to infinity. The indicator function of an event is denoted by . We say that an event holds with high probability (whp) if it holds with probability as . In comparing the asymptotic behavior of the sequences , we use the standard Landau notation, e.g., , , , , and . We also use to denote the asymptotic equivalence .

## 2 The Model

The heterogeneous random key predistribution scheme introduced in [6] works as follows. Consider a network of sensors labeled as . Each sensor node is classified into one of the classes (e.g., priority levels) according to a probability distribution with for and . Then, a class- node is assigned cryptographic keys selected uniformly at random from a key pool of size . It follows that the key ring of node is a random variable (rv) with

where denotes the class of and is the collection of all subsets of with size . The classical key predistribution scheme of Eschenauer and Gligor [2] constitutes a special case of this model with , i.e., when all sensors belong to the same class and receive the same number of keys; see also [15].

Let and assume without loss of generality that . Consider a random graph induced on the vertex set such that a pair of nodes and are adjacent, denoted by , if they have at least one cryptographic key in common, i.e.,

(1) |

The adjacency condition (1) defines the inhomogeneous random key graph denoted by [6]. This model is also known in the literature as the general random intersection graph; e.g., see [12, 16, 17]. The probability that a class- node and a class- node are adjacent is given by

(2) |

as long as ; otherwise if , we have . Let denote the mean probability that a class- node is connected to another node in . We have

(3) |

We also find it useful to define the mean key ring size by ; i.e.,

(4) |

To account for the possibility that links between two sensor nodes may fail (e.g., due to random failures, adversarial attacks, etc.), we apply
a Bernoulli link-failure model to the inhomogeneous random key graph
:
With let denote independent Bernoulli rvs, each with success probability . Then
the link between sensors and is deemed to be operational (i.e., up) if , and not operational (i.e., down) if . Put differently, every edge in is deleted independently with probability ^{1}^{1}1An interesting direction for future work would be to consider a heterogeneous link-failure model, where the link between a type- and type- node fails with probability ..

Let denote the resulting random graph that contains all the operational links in . To simplify notation, we let , and . In , distinct nodes and are adjacent, denoted , if and only if they are adjacent in and the edge is operational, i.e., has not failed. By independence, the probability of an edge between a class- node and a class- node in is then given by

Similar to (3), we denote the mean edge probability for a class- node in as . It is clear that

(5) |

Throughout, we assume that the number of classes is fixed and does not scale with , and so are the probabilities . All other parameters are scaled with .

## 3 Main Results and Discussion

We refer to a mapping as a scaling if

(6) |

for all . We note that under (6), the edge probability is given by (2).

### 3-a Results

We first present a zero-one law for the absence of isolated nodes in .

###### Theorem 3.1.

Consider a probability distribution with for and a scaling such that

(7) |

for some . We have

(8) |

Next, we present an analogous result for connectivity.

###### Theorem 3.2.

Consider a probability distribution with for and a scaling such that (7) holds for some . Then, we have

(10) |

under the additional conditions that

(11) |

for some and

(12) |

The resemblance of the results presented in Theorem 3.1 and Theorem 3.2 indicates that absence of isolated nodes and connectivity are asymptotically equivalent properties for . Similar observations were made for other well-known random graph models as well; e.g., inhomogeneous random key graphs [6], ER graphs [9], and (homogeneous) random key graphs [15].

Conditions (11) and (12) are enforced mainly for technical reasons and they are only needed in the proof of the one-law of Theorem 3.2. We remark that these conditions are not constraining in real-world WSN implementations. In fact, (11) should hold in practice to ensure the resiliency of the WSN against node capture attacks [18]; typically it is suggested to have the key pool size be much larger than network size, i.e., . Condition (12) takes away from the flexibility of assigning very small key rings to a certain fraction of sensors, but it can still be satisfied easily in most real-world implementations. To provide a concrete example, one can set and have with any to satisfy (12) (see Lemma 5.2) for any . By setting , we obtain a network that remains connected under random link failures with probability (up to) (see Corollary 3.3).

Theorem 3.1 (resp. Theorem 3.2) states that has no isolated node (resp. is connected) whp if the mean degree of class- nodes (that receive the smallest number of keys) is scaled as for some . On the other hand, if this minimal mean degree scales as for some , then whp has an isolated node, and hence not connected. These results indicate that the minimum key ring size in the network has a significant impact on the reliability of .

The importance of the minimum key ring size on reliability can be seen more explicitly under a mild condition on the scaling, as shown in the next corollary.

###### Corollary 3.3.

Consider a probability distribution with for and a scaling such that and

(13) |

for some , where is as defined at (4). Then we have the zero-one law (8) for absence of isolated nodes. If, in addition, the conditions (11) and (12) are satisfied, then we also have the zero-one law (10) for connectivity.

Proof. In view of (3), we see that implies for . From Lemma 5.2, this then leads to , whence

Thus, the scaling conditions (7) and (13) are equivalent under
and Corollary 3.3 follows from Theorem 3.1 and Theorem 3.2.

We see from Corollary 3.3 that for a fixed mean number of keys per sensor, network reliability is directly affected by the minimum key ring size . For example, reducing by half means that the smallest for which the network remains connected whp is increased by two-fold, which then reduces the largest link failure probability that can be sustained by a similar order; e.g., see Figure 2 for a numerical example demonstrating this phenomenon.

### 3-B Comparison with related work

Our main results extend the work by Yağan [6] who established zero-one laws for the connectivity of inhomogeneous random key graph without employing a link-failure model. It is clear that, although a crucial first step in the study of heterogeneous key predistribution schemes, the assumption that all links are operational, i.e., reliable, is not likely to hold in most practical settings. In this regard, our work extends the results [6] to more practical WSN scenarios where the unreliability of links are taken into account. In fact, by setting for each (i.e., by assuming that all links are reliable), our results reduce to those given in [6].

The reliability of secure WSNs was also studied in [14, 19], but under the Eschenauer-Gligor scheme [2] where all sensors receive the same number of keys. However, when the network consists of sensors with varying level of resources (e.g., computational, memory, power) and/or with varying level of security and connectivity requirements, it may no longer be sensible to assign the same number of keys to all sensors. Our work addresses this issue by generalizing [14] to the cases where nodes can be assigned different number of keys. When , i.e., when all nodes belong to the same class and receive the same number of keys, our result recovers the main result in [14].

Another notable work that is related to ours is by Zhao et al. [12, 13], who studied the -connectivity and -robustness in the inhomogeneous random key graph. A graph is said to be -connected if it remains connected after removal (i.e., failure) of any nodes. Thus, the results obtained in [12] ensure the reliability of the network against the failure of nodes, for some integer constant . Our work complements these results by considering the case when each and every edge fails with probability , so that the total number of failed links is possibly infinite; e.g., as many as links may fail.

Considering the asymptotic regime, a key question in network reliability analysis is whether or not there exists a threshold such that if is slightly smaller than (resp. slightly larger than) then the probability that is connected is close to zero (resp. close to one); e.g., see [9, Section 7.5]. Our results provide an answer to this question, in the affirmative, for inhomogeneous random key graphs. In particular, we see from (7) that the critical threshold is given by

(14) |

with leading to network connectivity with probability one and zero, respectively, with arbitrarily small . Although asymptotic in nature, these results can still provide useful insights about the reliability of heterogeneous WSNs with number of sensors being on the order of hundreds; see Section 4 for numerical experiments.

## 4 Numerical Results

We present numerical results that support Theorem 3.1 and Theorem 3.2 in the finite node regime. In Figure 1, we fix the number of nodes at , the size of the key pool at , and consider the link-failure parameters , , , and , while varying the parameter (i.e., the smallest key ring size) from to . The number of classes is fixed at with and we set , , and . For each parameter pair , we generate independent samples of the graph and count the number of times (out of a possible 200) that the obtained graphs i) have no isolated nodes and ii) are connected. Dividing the counts by , we obtain the (empirical) probabilities for the events of interest. We observed that is connected whenever it has no isolated nodes yielding the same empirical probability for both events. This is in parallel with the asymptotic equivalence of the two properties as implied by Theorems 3.1 and 3.2.

In Figure 1, we plot the empirical probability that is connected as a function of ; for better visualization, we use the curve fitting tool of MATLAB. For each curve, we also show the critical threshold of connectivity “predicted” by Theorem 3.2 by a vertical dashed line. More specifically, the vertical dashed lines stand for the minimum integer such that

(15) |

We see that the probability of connectivity transitions from zero to one within relatively small variation of , with critical values of from (15) lying within this transition interval.

Figure 2 is generated in a similar manner with Figure 1, this time with an eye towards understanding the impact of the minimum key ring size on network reliability. To that end, we fix the number of classes at with and consider four different key ring sizes each with mean 40; we consider , , , and . We compare the probability of connectivity in the resulting networks with link failure probability ranging from zero to one. We see that although the average number of keys per sensor is kept constant in all four cases, network reliability improves dramatically as the minimum key ring size increases; e.g., with link failure probability , the probability of connectivity is one when while it drops to zero if we set while increasing to so that the mean key ring size is still 40. This confirms the observations made via Corollary 3.3.

Next, we turn our attention to revealing the maximum tolerable link failure probability in ; i.e., the maximum value of for which is connected with probability one. After all, one of the main questions in sensor network design is to understand how we can control key ring sizes to achieve a desired level of reliability. Of particular interest will be to reveal the differences between the asymptotical results given in Theorem 3.2 and the simulation results with finite .

A naive application of Theorem 3.2 suggests that for fixed , and , is connected with probability one as long as

for some , where is defined at (3). This suggests that the inhomogeneous random key graph can tolerate a maximum link failure probability of

(16) |

with arbitrary . Of course, given the asymptotic nature of Theorem 3.2, one would expect this result to have good accuracy only when is very large. Here, we are interested in checking the accuracy of (16) when is relatively small. To that end, we consider in Figure 3 two different settings, i) , , , and ii) , , . In both cases, we vary from to . For each , we obtain the numerical value of the maximum tolerable link failure probability by identifying the maximum value of for which all independently generated realizations of the graph turn out to be connected. We then compare these with the theoretical value of the maximum link failure probability (using (16)) for various values.

Figure 3 shows, for both parameter settings, the simulation results along with the theoretical value at the value that best matches to it; to provide a baseline, we also plot the values corresponding to case in both cases. We see that almost perfect match is obtained with only in the case where , and with when , indicating that the results obtained here can be useful in designing WSNs with only hundreds of sensors; as gets large, one would expect to obtain a match with even smaller values, eventually approaching to . For instance, a desired level of reliability can be attained in a network with sensors by using key ring sizes that are only -times larger from those prescribed for the asymptotic regime with going to .

## 5 Preliminaries

Several technical results are collected here for convenience. The first result follows easily from the scaling condition (6).

###### Lemma 5.2 ([6, Lemma 4.2]).

Consider any scaling . For any ,

and we have the asymptotic equivalence

(18) |

###### Proposition 5.3 ([6, Proposition 4.4]).

For any set of positive integers and any scalar , we have

(19) |

###### Lemma 5.4.

###### Lemma 5.5.

Proof. It is a simple matter to check that ; see [15, Proposition 7.1-7.2] for a proof. In view of (6) this gives . Thus, we have

Other useful bounds that will be used throughout are

(24) | |||

(25) | |||

(26) |

Finally, we find it useful to write

(27) |

where . From L’Hôpital’s Rule, we have

(28) |

## 6 Proof of Theorem 3.1

### 6-a Establishing the one-law

The proof of Theorem 3.1 relies on the method of first and second moments applied to the number of isolated nodes in . Let denote the total number of isolated nodes in , namely,

(29) |

The method of first moment [20, Eqn. (3.10), p. 55] gives

It is clear that in order to establish the one-law, namely that , we need to show that

(30) |

Recalling (29), we have

(31) |

where (31) follows by the independence of the rvs given . By conditioning on the class of , we find

(32) |

Using (32) in (31), and recalling (17) and (24), we obtain

Taking the limit as goes to infinity, we immediately get
(30)
since under the enforced assumptions (with ) and the one-law is established.

### 6-B Establishing the zero-law

Our approach in establishing the zero-law relies on the method of second moment applied to a variable that counts the number of nodes that are class- and isolated. Clearly if we can show that whp there exists at least one class- node that is isolated under the enforced assumptions (with ) then the zero-law would immediately follow.

Let denote the number of nodes that are class- and isolated in , and let

then we have . By applying the method of second moments [20, Remark 3.1, p. 55] on , we get

(33) |

where

(34) |

and

(35) |

by exchangeability and the binary nature of the rvs . Using (34) and (35), we get

In order to establish the zero-law, we need to show that

and

(36) |

###### Proposition 6.1.

Consider a scaling and a scaling such that (7) holds with . Then, we have

###### Proof.

###### Proposition 6.2.

###### Proof.

Consider fixed .

Now we condition on and and note that i) and determine and ; and ii) the events are mutually independent given and . Thus, we have

(41) | |||

Define the -valued rv by

(42) |

Next, with , define by

(43) |

for each . Namely, is the set of nodes in whose potential link with node will not fail. With these definitions in mind, (41) gives

Conditioned on and being class-1, we have

Also, we have

Thus, we get