˘ Osman Yagan

Virgil Gligor

CyLab and Dept. of ECE Carnegie Mellon University Pittsburgh, PA 15213

CyLab and Dept. of ECE Carnegie Mellon University Moffett Field, CA 94035

CyLab and Dept. of ECE Carnegie Mellon University Pittsburgh, PA 15213

[email protected]

[email protected]

[email protected]

ABSTRACT

Given the randomness involved in the key predistribution mechanism, and the unreliability of wireless communication links, there arises a basic question as to how one can adjust the scheme parameters Kn and Pn so that the resulting network is both secure and reliable. Reliability against the failure of sensors or links is particularly important in WSN applications where sensors are deployed in hostile environments (e.g., battlefield surveillance), or, are unattended for long periods of time (e.g., environmental monitoring), or, are used in life-critical applications (e.g., patient monitoring). With these in mind, this paper is devoted to analyzing k-connectivity of secure WSNs under the EG scheme; a network (or a graph) is said to be kconnected if it remains connected despite the deletion of any (k − 1) nodes or links. Our analysis is conducted under a wireless communication model comprising independent channels that are either on or off. Such on/off channel model has been extensively used recently [10, 12, 13] in the context of secure WSNs, and is also shown to well approximate the disk model [7, 10–13] (whereby any two sensors need to be within a certain distance of each other to have a wireless link in between). Under the on/off channel model, we perform a precise mathematical analysis on k-connectivity for arbitrary k and the minimum node degree in WSNs that employ the EG scheme. Given the scheme parameters Kn and Pn , and the probability pn of a wireless channel being on, we derive the asymptotically exact probabilities that i) the WSN is kconnected; and ii) the WSN has a minimum node degree at least k; i.e., all sensors are connected to at least k other sensors. These results complement the zero-one laws established in [12, 13] for k-connectivity of WSNs under the same setting, and are significant to obtain a precise understanding of the connectivity behaviors of WSNs. First, with zero-one laws, one is only provided with design choices which lead to k-connectivity almost surely or to a network that

The Eschenauer–Gligor (EG) random key predistribution scheme has been widely recognized as a typical approach to secure communications in wireless sensor networks (WSNs). However, there is a lack of precise probability analysis on the reliable connectivity of WSNs under the EG scheme. To address this, through rigorous arguments, we derive asymptotically exact probabilities for two network properties with arbitrary k respectively: k-connectivity and the property that the minimum node degree is at least k in WSNs employing the EG scheme; k-connectivity ensures that the network remains connected despite the failure of any (k − 1) sensors or links. The analysis is done under a communication model consisting of independent channels which are either on or off. Our analytical results are confirmed via numerical experiments; and they provide precise guidelines for the design of secure WSNs that exhibit a desired level of reliability against node and link failures.

Keywords Connectivity, key predistribution, minimum degree, random graphs, security, wireless sensor networks.

1. INTRODUCTION Random key predistribution schemes have been extensively studied in the literature over the last decade and they are widely regarded as appropriate solutions to secure communications in resourceconstrained wireless sensor networks [1,5,8–13]. The idea of randomly assigning cryptographic keys to sensors before deployment has been introduced in the seminal work by Eschenauer and Gligor [5]. Their scheme, hereafter referred to as the EG scheme, has received much interest [8–13] and operates as follows. In a WSN with n sensors, prior to deployment, each sensor is independently assigned Kn distinct keys which are selected uniformly at random from a pool of Pn keys, where Kn and Pn are both functions of n. After deployment, any two sensors can securely communicate over an existing wireless link if and only if they share at least one key. 1

is not k-connected almost surely, where an event happens “almost surely” if its probability asymptotically converges to 1. Given the trade-offs involved between connectivity, security and memory load [5, 10], it would be more useful to have a complete picture, e.g., by obtaining the exact probability of k-connectivity for all parameter choices. In addition, there may be situations where the network designer is interested in having a guaranteed level of reliability (one-laws would provide conditions for that) but may also be interested in having a higher level of reliability without such guarantees (one-laws would fall short in providing this). Our results fill this gap. Finally, it is not possible to determine the width of the phase transition from zero-one laws; the width of the phase transition is often calculated by the difference in parameters that it takes to increase the probability of k-connectivity from (1 − q) to q, for some q < 0.5. In other words, it is not clear from zero-one laws how sensitive the probability of k-connectivity is to the variations in the scheme parameters Kn and Pn , or the channel parameter pn . By providing exact asymptotic probabilities, our findings provide a clear picture of these intricate relationships. We organize the rest of the paper as follows. Section 2 describes the system model in detail. We present the main results in Section 3. In Section 4, we detail the steps of establishing Theorem 1 through Lemma 1. Afterwards, Section 5 provides the proof of Lemma 1 by the help of Propositions 1 and 2, which are proved in Sections 6 and 7, respectively. In Section 8, we present numerical experiments that confirm our analytical findings, whereas Section 9 is devoted to comparing our results with the relevant ones from the literature. We conclude the paper in Section 10. In addition, the Appendix offers a few useful lemmas.

The EG key predistribution scheme results in a random key graph [1,8,11], denoted by G(n, Kn , Pn ). Graph G(n, Kn , Pn ) is defined on the node set V such that any two distinct nodes vi and vj have an edge in between, an event denoted by Γij , if and only if they have at least one key in common. With Sij := Si ∩ Sj , we clearly have Γij = Sij 6= ∅ . Under the on/off channel model, wireless channels are independent; and each has probability pn of being on and probability (1 − pn ) of being off, where pn is a function of n. Defining Cij as the event that the channel between vi and vj is on, we have P [Cij ] = pn , with P[A] throughout the paper meaning the probability that event A happens. The on/off channel model induces an Erd˝ os-R´enyi graph G(n, pn ) [3] defined on the node set V such that vi and vj have an edge in between if Cij takes place. Finally, we denote by G(n, Kn , Pn , pn ) the underlying graph of the n-node WSN operating under the EG scheme and the on/off channel model. We often write G rather than G(n, Kn , Pn , pn ) for notation brevity. Graph G is defined on the node set V such that there exists an edge between nodes vi and vj if events Γij and Cij happen at the same time. We set event Eij := Γij ∩ Cij and also write Eij as Evi vj when necessary. It is clear that G is the intersection of G(n, Kn , Pn ) and G(n, pn ); i.e.,

2. SYSTEM MODEL

Then by the independence of Cij and Γij , we have

G = G(n, Kn , Pn ) ∩ G(n, pn ).

We define ps as the probability that two distinct nodes share at least one key and pe as the probability that two distinct nodes have a link in between in graph G. Clearly, ps and pe both depend on Kn and Pn , while pe depends also on pn . As shown in previous work [1, 8, 11], ps is determined through ( Pn n 1 − PnK−K Kn , if Pn > 2Kn , n ps = P[Γij ] = 1, if Pn ≤ 2Kn .

We now explain our modeling framework which is based on representing a WSN by the intersection of two random graphs; in fact, this is what renders our analysis challenging due to the intertwining of the two distinct types of random graphs [10]. Consider a WSN with n sensors operating under the EG key predistribution scheme and with wireless links modeled by independent on/off channels. Let V = {v1 , v2 , . . . , vn } be the set of nodes that represent the n sensors. According to the EG scheme, each node vi ∈ V is independently assigned a set (denoted by Si ) of Kn distinct cryptographic keys, which are selected uniformly at random from a key pool of Pn keys. Any pair of nodes can then secure an existing communication link as long as they share at least one key.

pe = P[Eij ] = P[Cij ] · P[Γij ] = pn · ps ( Pn n pn · 1 − PnK−K Kn , if Pn > 2Kn , n = pn , if Pn ≤ 2Kn .

3. THE RESULTS We introduce the results in Theorem 1 below. Throughout the paper, k is a positive integer and does not scale with n; N0 stands for the set of all positive integers; R is the set of all real numbers; and e is the base of the natural logarithm function, ln. The term “for all n sufficiently large” means “for any n ≥ N , where N ∈ N0 is selected appropriately”. We use the standard asymptotic notation o(·), O(·), ω(·), Ω(·), Θ(·) and ∼; in particular, for 2

two positive functions f (n) and g(n), f (n) ∼ g(n) signifies limn→∞ f (n)/g(n) = 1.

1

e−α

Theorem 1. Consider a positive integer k and scalings K : N0 → N0 , P : N0 → N0 and p : N0 → (0, 1], with Pn ≥ 3Kn for all n sufficiently large. Let the sequence α: N0 → R be defined through

0.6 k k k k

0.4 0.2 0 −5

ln n + (k − 1) ln ln n + αn pe = . (1) n For limn→∞ αn = α∗ ∈ (−∞, ∞), the properties (a) and (b) below hold. (a) If Kn = ω(1), then as n → ∞, ∗ e−α The minimum node degree P → e− (k−1)! . of graph G is at least k. (b) If Pn = Ω(n), then as n → ∞,

e− (k−1)!

0.8

−4

−3

−2

−1

0

α

1

= 1 or k = 2 =3 =4 =5

2

3

4

5

e−α

Figure 1: A plot of the term e− (k−1)! versus α, for k = 1, 2, 3, 4, 5. distribution to a Poisson random variable. Namely, with φh counting the number of nodes with degree h in G, h = 0, 1, . . ., we show that φh asymptotically follows a Poisson distribution with mean λh . This is done by using the method of moments; specifically, in view of [2, Theorem 2.13] or [?, Theorem 7], we will obtain the desired result upon establishing

∗ e−α

P [Graph G is k-connected. ] → e− (k−1)! .

Theorem 1 presents asymptotically exact probabilities for two properties in graph G: k-connectivity and the property that the minimum node degree is no less than k. Setting pn = 1, we also obtain the corresponding results for random key graph G(n, Kn , Pn ). Further, an easy monotonicity argument leads to the so-called zero-one laws [10] in G for k-connectivity and for the property that the minimum degree is at least k. Namely, we have ( 1, if αn → ∞, lim P [G is k-connected ] = n→∞ 0, if αn → −∞.

P[Nodes v1 , v2 , . . . , vm have degree h] ∼ λh m /nm . (2) Therefore, if Lemma 1 below holds, then for any integers h ≥ 0 and ℓ ≥ 0, it follows that P[φh = ℓ] ∼ (ℓ!)−1 λh ℓ e−λh .

(3)

Lemma 1. Given Pn ≥ 3Kn for all n sufficiently large, (1) with limn→∞ αn = α⋆ ∈ (−∞, +∞), and Kn = ω(1), then for any integers m ≥ 1 and h ≥ 0, it holds that P[Nodes v1 , v2 , . . . , vm have degree h] ∼ (h!)−m (npe )hm e−mnpe ;

and similarly for the property that the minimum node degree of G is at least k. The proof of Theorem 1 is given in the next four sections. Figure 1 depicts the double exponential

i.e., we have (2) with λh set by

λh = n(h!)−1 (npe )h e−npe .

e−α − (k−1)!

(4)

Section 5 details the proof of Lemma 1. Since k does not scale with n, and |αn | is bounded (i.e., |αn | = O(1)), from (1), we obtain the following, which is frequently used in the rest of the paper: ln n , (5) pe ∼ n and 2 ln n pe ≤ for all n sufficiently large. (6) n We now show Theorem 1 by Lemma 1 (or (3)).

for k = 1, 2, 3, 4, 5. We see that the asympe totic probability of k-connectivity and that of minimum node degree being at least k increase monotonically from 0 to 1, as α varies from −∞ to ∞. We explain the practicality of the conditions asserted by Theorem 1: Pn ≥ 3Kn for all n sufficiently large, Kn = ω(1) and Pn = Ω(n). First, Pn ≥ 3Kn is trivially the case since the key pool size Pn is expected to be several orders of magnitude larger than Kn [5]. In addition, the condition Kn = ω(1) follows in wireless sensor network applications since Kn is often at least logarithmic with n, the number of sensor nodes in the network [10]. Finally, the condition Pn = Ω(n) indicates that the size of the key pool Pn should grow at least linearly with n, which also holds in practice [5, 10, 11].

4.1

Proving Property (a) of Theorem 1

With δ defined as the minimum node degree of graph G, then event (δ ≥ k) is equivalent to event Tk−1 h=0 (φh = 0) (i.e., no node has a degree falling in {0, 1, . . . , k − 1}). Hence, we obtain k−1 \ P[δ ≥ k] = P (φh = 0) ≤ P[φk−1 = 0]; (7)

4. ESTABLISHING THEOREM 1 We prove Theorem 1 by showing that the number of nodes in G with a certain degree converges in

h=0

3

the indicator variable of event Cij by ( 1, if the channel between vi and vj is on; 1[Cij ]:= 0, if the channel between vi and vj is off . We denote by Cm a m 2 -tuple consisting of all possible 1[Cij ] with 1 ≤ i < j ≤ m as follows:

and by the union bound, it holds that

P[δ ≥ k] = P (φk−1 = 0) ∩ ≥ P[φk−1 = 0] −

k−2 [

k−2 X

h=0

(φh = 6 0)

h=0

P[φh 6= 0].

(8)

Cm := (1[C12 ], , . . . , 1[C1m ], 1[C23 ], , . . . , 1[C2m ], 1[C34 ], . . . , 1[C3m ], . . . , 1[C(m−1),m ]).

To use (7) and (8), we compute P[φh 6= 0] given (3) and thus evaluate λh defined in (4). Applying (1) and (5) to (4), and considering limn→∞ αn = α∗ with |α⋆ | < ∞, we establish

Recalling Si as the key set on node vi , we define a m-tuple Tm through Tm := (S1 , S2 , . . . , Sm ).

λh = n(h!)−1 (npe )h e−npe

Then we define Lm as

∼ n(h!)−1 (ln n)h · e− ln n−(k−1) ln ln n−αn = (h!)−1 (ln n)h+1−k e−αn for h = 0, 1, . . . , k − 2; 0, ∗ −α e → (k−1)! , for h = k − 1; ∞, for h = k, k + 1, . . . .

Lm := (Cm , Tm ). With Lm , we have the on/off states of all channels between nodes v1 , v2 , . . . , vm and the key sets S1 , S2 , . . . , Sm on these m nodes, so all edges between these nodes in graph G are determined. Let Cm , Tm and Lm be the sets of all possible (0) Cm , Tm and Lm , respectively. We define Lm such (0) that Lm ∈ Lm is the event that there is no edge between any two of nodes v1 , v2 , . . . , vm ; i.e.,

(9)

By (3) and (9), we conclude that as n → ∞, for h = 0, 1, . . . , k − 2; 1, −α∗ e − P[φh = 0] → e (k−1)! , for h = k − 1; 0, for h = k, k + 1, . . . . (10)

L(0) m := {Lm |(Si ∩ Sj = ∅) or (1[Cij ] = 0), ∀i, j with 1 ≤ i < j ≤ m.}. (11)

We define Ni as the neighborhood set of node vi for i = 1, 2, . . . , m, and define the node set Mj1 j2 ...jm for all j1 , j2 , . . . , jm ∈ {0, 1} by

Finally, property (a) of Theorem 1 follows from (7) (8) and (10).

4.2

Proving Property (b) of Theorem 1

Mj1 j2 ...jm

Similar to Lemma 7 in [12], from Pn = Ω(n) √ and (1) with |αn | = O(1), we obtain Kn = Ω( ln n) = ω(1). Consequently, with Kn = ω(1), property (a)

) ( w ∈ V \ {v , v , . . . , v }; and 1 2 m ( w ∈ Ni if ji = 1; . := w for i = 1, 2, . . . , m, w ∈/ N if j = 0.

∗ e−α

i

of Theorem 1 holds here; i.e., P[δ ≥ k] → e− (k−1)! . In graph G, the connectivity denoted by ν is at most the minimum node degree δ since each node in a ν-connected graph has a degree at least ν. Then

Clearly, the sets Mj1 j2 ...jm for j1 , j2 , . . . , jm ∈ {0, 1} are mutually disjoint. Setting Vm := {v1 , v2 , . . . , vm } and Vm := V \ Vm , we obtain [ (12) |Mj1 j2 ...jm | = Vm ,

P[ν ≥ k] = P[δ ≥ k] − P[(ν < k) ∩ (δ ≥ k)].

j1 ,j2 ,...,jm ∈{0,1}

Therefore, the proof of property (b) of Theorem 1 is completed given P[(ν < k) ∩ (δ ≥ k)] = o(1), which follows from Lemma 4 in the Appendix and P[(ν < k) ∩ (δ ≥ k)] ≤

k−1 X

h=0

i

and [

|Mj1 j2 ...jm | =

j1 ,jP 2 ,...,jm ∈{0,1}: m i=1 ji ≥1.

P[(ν = h) ∩ (δ > h)].

[ m

Ni

i=1

∩ Vm . (13)

We define 2m -tuple Mm through1

5. THE PROOF OF LEMMA 1

Mm := |Mj1 j2 ...jm | | j1 , j2 , . . . , jm ∈ {0, 1}

To start with, we consider several notation that will be used throughout. We recall that Cij is the event that the communication channel between distinct nodes vi and vj is on. Then we set 1[Cij ] as

1

= |M0m |, |M0m−1 1 |, |M0m−2 1,0 |, |M0m−2 1,1 |, . . . .

For a non-negative integer x, the term 0x is short for 00 . . . 0} . | {z

“x” number of “0”

4

and (w2 ∈ Mj1 j2 ...jm ) are not independent [8], but are conditionally independent given (Tm = Tm∗ ) (with ∗ the key sets S1 , S2 , . . . , Sm specified as S1∗ , S2∗ , . . . , Sm , respectively). Therefore,

Let E be the event that each of v1 , v2 , . . . , vm has a degree of h. Given Lm ∈ Lm , we define Mm (Lm ) as the set of Mm under the condition that E occurs. Then it’s straightforward to compute P[E] via X P[E] = P Lm = L∗m ∩ Mm = M∗m . L∗ m ∈Lm , ∗ M∗ m ∈Mm (Lm ).

∗

(17) = f (n − m, M∗m )P[w ∈ M0∗m |Tm = Tm∗ ]|M0m | × Y ∗ P[w ∈ Mj∗1 j2 ...jm |Tm = Tm∗ ]|Mj1 j2 ...jm | ,

(14)

j1 ,jP 2 ,...,jm ∈{0,1}: m i=1 ji ≥1.

Given that event E happens, if any two of nodes v1 , v2 , . . . , vm do not have any common neighbor in Vm = V \ {v1 , v2 , . . . , vm }, then Mm is determined (0) and denoted by Mm which satisfies for i = 1, 2, . . . , m; |M0i−1 ,1,0m−i | = h, Pm for |Mj1 j2 ...jm | = 0, i=1 ji > 1; |M m | = n − m − hm. 0

(18) where f i=1 xi , (x1 , x2 , . . . , xℓ ) for integers ℓ ≥ 1 and xi ≥ 0 with i = 1, 2, . . . , ℓ is determined by X ℓ xi , (x1 , x2 , . . . , xℓ ) f Pℓ

i=1

:=

By (14), we further write P[E] as the sum of X P Lm = L∗m ∩ Mm = M∗m (15)

or

(

xi

x1 Pℓ

Pℓ

i=2

xi

x2

From (19) and X

)

and (0) P Lm ∈ L(0) . m ∩ Mm = Mm

i=1

i=1 xi ! . = x1 !x2 ! . . . xℓ !

L∗ m ∈Lm , ∗ M∗ m ∈Mm (Lm ): / (0) (L∗m ∈L m ) (0) M∗ m 6=Mm

Pℓ

...

Pℓ

i=ℓ−1

xi

xℓ−1

xℓ xℓ (19)

j1 ,j2 ,...,jm ∈{0,1}

(16)

|Mj∗1 j2 ...jm | = n − m

(20)

which holds by (12), we have f (n − m, M∗m ) P ( j1 ,j2 ,...,jm ∈{0,1} |Mj∗1 j2 ...jm |)! =Q ∗ j1 ,j2 ,...,jm ∈{0,1} (|Mj1 j2 ...jm |!) . P ∗ (n−m)! n−m − j1 ,jP | |M ,...,j ∈{0,1}: j1 j2 ...jm ! 2 m

Consequently, Lemma 1 holds after we prove the following Propositions 1 and 2. In the rest of the paper, we will often use 1 + x ≤ ex for any x ∈ R and 1−xy ≤ (1−x)y ≤ 1−xy + 12 x2 y 2 for 0 ≤ x < 1 and y = 0, 1, 2, . . . (Fact 2 in [12]). Proposition 1. Given Pn ≥ 3Kn for all n sufficiently large, (1) with |αn | = O(1), and Kn = ω(1), we have (15) = o (h!)−m (npe )hm e−mnpe .

=

≤n

Proposition 2. Given Pn ≥ 3Kn for all n sufficiently large, (1) with |αn | = O(1), and Kn = ω(1), we have

Q

P

m i=1

ji ≥1. (|Mj∗1 j2 ...jm |!) j1 ,jP 2 ,...,jm ∈{0,1}: m j ≥1. i i=1

(21)

|Mj∗1 j2 ...jm | j1 ,jP 2 ,...,jm ∈{0,1}: m i=1 ji ≥1. .

(22)

P

Denoting j1 ,jP |Mj∗1 j2 ...jm | by Λ, we prove 2 ,...,jm ∈{0,1}: m j ≥1. i=1 i (0) (0) Λ ≤ hm−1 below if L∗m ∈ / Lm or M∗m 6= Mm . (0) On the one hand, assuming L∗m ∈ / Lm , there exist

(16) ∼ (h!)−m (npe )hm e−mnpe .

6. THE PROOF OF PROPOSITION 1

i1 and i2 with 1 ≤ i1 < i2 ≤ m such that nodes vi1 and vi2 are Smneighbors T with each other. Hence, {vi1 , vi2 } ⊆ [( i=1 Ni ) Vm ]. Then from (13), [ [ m m Ni ∩ Vm ≤ hm − 2. Ni − Λ=

We embark on the evaluation of (15) by computing P Mm = M∗m | Lm = L∗m . (17)

∗ ∗ With Cm and Tm∗ defined such that L∗m = (Cm , Tm∗ ), ∗ ∗ event Lm = Lm is the union of events Cm = Cm ∗ ) and (Mm = M∗m ) and Tm = Tm∗ . Since (Cm = Cm are independent, we obtain (17) = P Mm = M∗m | Tm = Tm∗ .

i=1

i=1

(0)

For any j1 , j2 , . . . , jm ∈ {0, 1}, for any distinct nodes w1 ∈Vm and w2 ∈Vm , events (w1 ∈Mj1 j2 ...jm )

On the other hand, assuming M∗m 6= Mm , there exist i3 and i4 with 1 ≤ i3 < i4 ≤ m such that Ni3 ∩ Ni4 6= ∅. Then from (13), X [ m m Ni ≤ |Ni | − |Ni3 ∩ Ni4 | ≤ hm − 1. Λ ≤ i=1

5

i=1

(0) (0) To summarize, if L∗m ∈ / Lm or M∗m 6= Mm , we have Λ ≤ hm − 1, (23)

along with (20) leading to |M0∗m | = n − m − Λ > n − m − hm. Pm For any j1 , j2 , . . . , jm ∈ {0, 1} with i=1 ji there exists t ∈ {0, 1, . . . , m} such that jt = 1, P w ∈ Mj1 j2 ...jm | Tm = Tm∗ ≤ P[Ewvt | Tm = Tm∗ ] = P[Ewvt ] = pe ,

∗ = Si∗ ∩ Sj∗ . With (5) (i.e., pe ∼ lnnn ), where Sij 2 we have m npe 2 = o(1) and mpe = o(1), which are substituted into (31) to induce (30) once we prove X npe pn P ∗ 1≤i

(24)

∗ ∈T Tm m

≥ 1, so

L.H.S. of (32) is denoted by Hn,m and evaluated below. For each fixed and sufficiently large n, we consider: a) pn < n−δ (ln n)−1 and b) pn ≥ n−δ (ln n)−1 , where δ is an arbitrary constant with 0 < δ < 1. a) pn < n−δ (ln n)−1 n From pn < n−δ (ln n)−1 , (6) (namely, pe ≤ 2 ln n ) ∗ and |Sij | ≤ Kn for 1 ≤ i < j ≤ m, it holds that

(25)

where Ewvt is the event that there exists an edge between nodes w and vt in graph G. Substituting (22-25) into (18), we obtain that if (0) (0) L∗m ∈ / Lm or M∗m 6= Mm , then

e

(17) < (npe )hm−1 × P[w ∈ M0m | Tm = Tm∗ ]n−m−hm . (26)

i=1

m

ji ≥1.

|Mm (L∗m )| ≤ (h + 1)2

−1

∗ Tm−1 ∈Tm−1 , ∗ Sm ∈Sm

(28) Using (28) in (27), and considering Lm = L∗m ∗ is the union events∗ Tm = Tm and of independent P ∗ Cm = Cm , and C ∗ ∈Cm P Cm = Cm = 1, we derive m X n 2m −1 P Tm = Tm∗ (15) < (h + 1) (npe )hm−1 ×

e

(29)

e

From (60) and (61) (viz., Lemma 2 in the Appendix), it holds that P[w ∈ M0∗m | Tm = Tm∗ ]n−m−hm

2

n−δ

,

∗ ∗ P[(Tm−1 = Tm−1 ) ∩ (Sm = Sm )]×

P

X

1≤i

∗ |Sij |

e

∗ P[Sm = Sm ]e

∗ ∈S Sm m

npe pn Kn

P m−1 i=1

∗ |Sim |

u=0

npe pn Kn npe pn Kn

P m−1 i=1

P m−1 i=1

∗ |Sim | ∗ |Sim |

.

≤e

S 2mpn ln n ∗ |Sm ∩( m−1 i=1 Kn

Si∗ )|

,

i=1

Sm−1 Denoting i=1 Si∗ by v, then we obtain that for u ∈ [max{0, Kn + v − Pn }, Kn ], Pn −v [ v ∗ \ m−1 u Kn −u ∗ , (35) Si = u = P Sm Pn

=P[w ∈M0∗m |Tm =Tm∗ ]n P[w ∈M0∗m |Tm =Tm∗ ]−m−hm P

< em

Hn,m /Hn,m−1 [ Kn X ∗ \ m−1 2umpn ln n Si∗ = u e Kn . (34) ≤ P Sm

(30)

6.1 Establishing (30)

npe 2+ npKenpn

(ln n)−1 ·(m 2)

further leading to

∗ ∈T Tm m

2

−δ

< e2 ln n·n

(33) ∗ Sm−1 ∗ Pm−1 ∗ Pm−1 ∗ By i=1 |Sim |= i=1 |Si∗ ∩Sm |≤m Sm ∩ i=1 Si 2 ln n and (6) (i.e., pe ≤ n ), we get

From (29) and limn→∞ npe = ∞ by (5), the proof of Proposition 1 is completed once we show X P[Tm = Tm∗ ]P[w ∈ M0m | Tm = Tm∗ ]n−m−hm

≤e−mnpe+m

npe pn Kn

= Hn,m−1 ·

∗ ∈T Tm m

≤ e−mnpe · [1 + o(1)].

X

=

.

o × P[w ∈ M0m | Tm = Tm∗ ]n−m−hm .

∗ |Sim |

Hn,m

most h; and the remaining element |M0m | can be determined by (20). Then it’s straightforward that m

i=1

b) pn ≥ n−δ (ln n)−1 We relate Hn,m to Hn,m−1 and assess Hn,m it∗ eratively. First, with Tm∗ = (S1∗ , S2∗ , . . . , Sm ), event (Tm = Tm∗ ) is the intersection of independent events: ∗ ∗ (Tm−1 = Tm−1 ) and (Sm = Sm ). Then we have

(27)

To bound |Mm (L∗m )|, note that Mm is a 2m tuple. Among the 2m elements of the tuple, each of |Mj1 j2 ...jm | j ,j ,...,j ∈{0,1}: is at least 0 and at 2 P m

P m−1

∗ ∈T Tm m

L∗ m ∈Lm

1

npe pn Kn

which is substituted into Hn,m to bring about X 2 −δ 2 −δ Hn,m < em n P[Tm = Tm∗ ] = em n ,

Applying (17) and (26) to (15),we get X n (15) < |Mm (L∗m )|

o × R.H.S. of (26) × P Lm = L∗m .

(32)

∗ 1≤i

(1−mpe )−m−hm , (31)

i=1

6

Kn

which together with Kn ≤ v ≤ mKn yields

Therefore, it holds via (42) and (44) that δ−1 m+(m−1)+...+3 δ−1 Hn,m ≤ e3n c ln n · e6n c

L.H.S. of (35) Kn ! (mKn )u (Pn − Kn )Kn −u · · ≤ u! (Kn − u)! (Pn − Kn )Kn 2 u 1 mKn ≤ . (36) u! Pn − Kn

3

= e 2 (m

≤e

2mpn ln n Kn ·e

.

(0)

Kn

≥ 1 − e−Kn

2

/Pn

.

and

T(0) m ={Tm |Si ∩ Sj = ∅, ∀i, j with 1 ≤ i < j ≤ m.}. (0) (0) Clearly, Cm = Cm or Tm ∈ Tm each implies (0) (0) (0) Lm ∈ Lm . Also, Cm = Cm and Mm = Mm are independent with each other. Therefore, with (0) (0) (16) = P Lm ∈ Lm ∩ Mm = Mm , we get (0) (45) P Mm = M(0) (16) ≥ P Cm = Cm m ,

and

Given Kn = ω(1), for arbitrary constant c > 2 and 4c·m n for all n sufficiently large, K pn ≥ (c−2)(1−δ) holds. Then (c−2)(1−δ) 2c

ln n

=n

(c−2)(1−δ) 2c

.

(0) (0) . (16) ≥ P Tm ∈ T(0) m P Mm = Mm | Tm ∈ Tm (46) S (0) Given Cm = Cm = 1≤i

(41)

The use of (37) (40) and (41) in (34) yields Hn,m /Hn,m−1 ≤ R.H.S. of (34) δ−1 (c−2)(1−δ) δ−1 √ 2c ·ln n ≤ e3n c ≤ e2 2mn 2 ·n

ln n

m

.

1≤i

(47)

(42)

and ≥1− P Tm ∈ T(0) m

To derive Hn,m iteratively based on (42), we compute Hn,2 below. By definition, setting m = 2 in L.H.S. of (32) and considering the independence between events (S1 = S1∗ ) and (S2 = S2∗ ), we gain X X npe pn ∗ ∗ Hn,2 = P[S1 = S1∗ ] P[S2 = S2∗ ]e Kn |S1 ∩S2 | . P

S2∗ ∈Sm

(43)

npe pn Kn

|S1∗ ∩S2∗ |

Clearly, S ∗ ∈SmP[S2 = S2∗ ]e equals R.H.S. 2 of (34) with m = 2. Then from (42) and (43), δ−1 δ−1 X P[S1 = S1∗ ]e6n c ln n = e6n c ln n . Hn,2 ≤ S1∗ ∈Sm

0, 0, . . . , 0 ), | {z } (m2 ) number of “0”

(38)

Kn 2 /(Pn − Kn ) < 2Kn 2 /Pn ≤ −2 ln(1 − ps ) √ δ−1 ≤ −2 ln(1 − 2nδ−1 (ln n)2 ) ≤ 2 2n 2 ln n. (40)

S1∗ ∈Sm

(0)

(0) Cm =(

Hence, for n sufficiently large, we apply (38) (39) and Pn ≥ 3Kn > 2Kn to produce

≤e

.

We define Cm and Tm by

(37)

ps = pn −1 pe ≤ pn −1 · 2n−1 ln n ≤ 2nδ−1 (ln n)2 . (39)

2mpn ln n Kn

ln n

7. THE PROOF OF PROPOSITION 2

For n sufficiently large, from pn ≥ n−δ (ln n)−1 and n (6) (i.e., pe = pn ps ≤ 2 ln n ), we have

e

δ−1 c

With n → ∞, Hn,m ≤ 1 + o(1) (i.e., (32)) follows.

By Fact 5 in [12], ps ≥ 1 − 1 − Kn /Pn

+m−2)n

Finally, summarizing cases a) and b), we report δ−1 2 3 c ln n (m +m−2)n m2 n−δ . Hn,m ≤ max e , e2

For u ∈ / [max{0, Kn + v − Pn }, Kn ], L.H.S. of (35) equals 0. Then from (34) and (36), u Kn X 2mpn ln n 1 mKn 2 K n R.H.S. of (34) ≤ ·e u! Pn − Kn u=0 mKn 2 Pn −Kn

2

ln n

(44)

7

X

1≤i

P[Γij ] ≥ 1 − m2 ps /2. (48)

In the following two subsections, we will prove ∼ (h!)−m (npe )hm e−mnpe , (49) P Mm = M(0) m

and

P Mm = M(0) | Tm ∈ T(0) m m

≥ (h!)−m (npe )hm e−mnpe · [1 − o(1)].

(50)

Substituting (47) and (49) into (45), and applying (48) and (50) to (46), we have

(16) hm e−mnpe e)

Then (49) follows from (55) and (56). Namely, (49) holds upon the establishment of (54), which is proved below. First, from (63) in Lemma 2, with ∗ ∗ ) and Sij = Si∗ ∩ Sj∗ , we get Tm∗ = (S1∗ , S2∗ , . . . , Sm

(h!)−m (np

≥ (1 − min{ps , pn } · m2 /2) · [1 − o(1)]. From (49), we get (16) ≤ P Mm ∈ M(0) m

≤ (h!)−m (npe )hm e−mnpe · [1 + o(1)].

(51)

m Y h (0) P w ∈ M0i−1 ,1,0m−i | Tm = Tm∗ i=1

(52)

Combining (51) and q (52), and using min{ps , pn } ≤ √ √ 2 ln n = o(1) which holds from ps pn = pe ≤ n pe = ps pn and (6), Proposition 2 follows. Below we detail the proofs of (49) and (50).

≥ pe hm

Tm ∈Tm

∗ ∈T Tm m

7.2 Establishing (50) (0) (0) P Mm = Mm | Tm ∈ Tm (denoted by ∆) (0) is equivalent to P Mm = Mm | Tm = Tm∗ for (0) any Tm∗ ∈ Tm , so it follows that ∗ n−m−hm ∆=f n − m, M(0) m P[w ∈ M0m |Tm = Tm ] m Y P[w ∈ M0i−1 ,1,0m−i | Tm = Tm∗ ]h , (58) × i=1

(54)

(0) (0) with f n − m, Mm given by (53). For Tm∗ ∈ Tm , ∗ from |Sij | = 0 and (63) in Lemma 2, we derive P w ∈ M0i−1 ,1,0m−i | Tm = Tm∗ ≥ pe (1 − 2mpe ). (59)

We use (53) and (54) as well as (60) (viz., Lemma (0) 2 in the Appendix) in evaluating P Mm = Mm above. Then P Mm = M(0) m

≥ (h!)−m nhm · [1 − o(1)] · (1 − mpe )n × m X Y P[w ∈M0i−1 ,1,0m−i |Tm =Tm∗ ]h P[Tm =Tm∗ ]

Substituting (53) (59) above and (60) in Lemma 2 into (58), we conclude that ∆ ≥ (h!)−m nhm · [1 − o(1)]

i=1

≥ (h!)

(npe )

e

· [1 − o(1)].

× (pe )hm (1 − 2mpe )hm · (1 − mpe )n−m−hm

(55)

∼ (h!)−m (npe )hm e−mnpe .

Substituting (30) (53) above and (62) in Lemma (0) 2 into the computation of P Mm = Mm yields P Mm = M(0) m

8. NUMERICAL EXPERIMENTS To confirm our analytical results, we now provide numerical experiments in the non-asymptotic regime; i.e., when parameter values are set according to real-world wireless sensor network scenarios. In Figure 2, we depict the probability that graph G(n, K, P, p) has 2-connectivity from both the simulation and the analysis, as elaborated below. In all

≤ (h!)−m nhm pe hm × [1 + o(1)]× X P[Tm = Tm∗ ]P[w ∈ M0m | Tm = Tm∗ ]n−m−hm

∗ ∈T Tm m

∼ (h!)−m (npe )hm e−mnpe .

1≤i

≤ pn · m2 /2 · m2 ps /2 ≤ m4 n−1 ln n/2 = o(1).

i=1

hm −mnpe

1≤i

.

∗ |Sij |

≤ pn · m(m − 1)/2 · P[Tm∗ ∈ Tm \ T(0) m ]

We will establish m Y Xn h o (0) P[Tm =Tm∗ ] {P w ∈M0i−1 ,1,0m−i |Tm =Tm∗ }

−m

X

L.H.S. of (57)

with function f specified in (19). From (21), (n − m)! f n − m, M(0) ∼(h!)−m nhm . m = (n − m − hm)!(h!)m (53)

∗ ∈T Tm m

j∈{1,2,...,m}\{i}

∗ If Tm∗ ∈ then |Sij | = 0. Consequently, from (48), the proof of (57) becomes evident by

i=1

· [1 − o(1)].

h ∗ |Sij |

(0) Tm ,

(0) where P Mm = Mm | Tm = Tm∗ equals ∗ n−m−hm f n − m, M(0) m P[w ∈ M0m | Tm = Tm ] m Y P[w ∈ M0i−1 ,1,0m−i | Tm = Tm∗ ]h , ×

≥ pe

X

With pe = o(1) by (5), we obtain (54) once proving X pn X ∗ ∗ P[Tm = Tm ] |Sij | = o(1). (57) Kn ∗

(0) We write P Mm = Mm as X n o P Tm =Tm∗ P Mm =M(0) | Tm =Tm∗ , m

hm

i=1

pn 1 − 2mpe + Kn

2hpn hm 1 − 2hm2 pe − ≥ pe Kn

7.1 Establishing (49)

∗ ∈T Tm m

m Y

(56) 8

∗ e−α

P[Graph G(n, K, P, p) has 2-connectivity]

1

converge to e− (k−1)! as n → ∞. For random key graph G(n, Kn , Pn ) (viz., Section 2), Rybarczyk [8] derives asymptotically exact probabilities of connectivity and of the property that the minimum node degree is no less than 1, covering a weaker form of the results – the zero-one laws which are also obtained in [1, 11]. As demonstrated in [8], 2 n and in G(n, Kn , Pn ) with Kn ≥ 2, KPnn = ln n+α n ∗ limn→∞ αn = α , the probability of connectivity and that of the minimum degree being at least 1 −α∗ both approach to e−e as n → ∞. Rybarczyk [9] further establishes zero-one laws for k-connectivity and for the property that the minimum degree is at least k. As proved, if Pn = Θ(nβ ) for some β > 1 2 and KPnn = ln n+(k−1)nln ln n+αn , graph G(n, Kn , Pn ) has (resp., does not have) the two properties with probability approaching to 1, given that αn tends to ∞ (resp., −∞) as n → ∞. As noted after Theorem 1, our results also imply zero-one laws for the two properties in graph G(n, Kn , Pn ). For graph G that this paper studies, Ya˘ gan [10] establishes zero-one laws for connectivity and for the property that the minimum degree is at least 1. Zhao et al. [12, 13] extend Ya˘ gan’s results to general k and show that with Kn ≥ 2 and pe set as ln n+(k−1) ln ln n+αn , the probability for each of the n two properties tends to 1 if limn→∞ αn = ∞ pron vided Pn = Ω(n) and K Pn = o(1), and converges

0.8

0.6

0.4

p = 0.2 p = 0.2 p = 0.5 p = 0.5 p = 0.8 p = 0.8

0.2

0 5

7

9

11

13

15

17

(Simulation) (Analysis) (Simulation) (Analysis) (Simulation) (Analysis)

19

21

23

K

Figure 2: A plot generated from the simulation and the analysis for the probability that G(n, K, P, p) has 2-connectivity versus K with n = 2, 000, P = 10, 000 and p = 0.2, 0.5, 0.8. set of experiments, we fix the number of nodes at n = 2, 000 and the key pool size at P = 10, 000. For the probability p of a communication channel being on, we consider p = 0.2, 0.5, 0.8, while varying the parameter K from 5 to 23 (K is the number of keys on each sensor). For each pair (K, p), we generate 1, 000 independent samples of G(n, K, P, p) and count the number of times that the obtained graphs are 2-connected or have minimum node degree at least 2. Then the counts divided by 1, 000 become the empirical probabilities. We observe that the empirical probabilities for the two properties are close to each other, in accordance with Theorem 1. The curves in Figure 2 corresponding to the analysis are determined as follows. We use the asymptotical result to approximate the probability of 2connectivity in G(n, K, P, p); specifically, given n, K, P, p and we first determine α by consider k = P2, ) ( −K ln ln n+α = ln n+(k−1) , a condiing p · 1 − K P n (K ) tion stemming from (1) and the computation of pe

2

to 0 if limn→∞ αn = −∞ given KPnn = o(1) and pe n is either Ω(1) or o(1). Compared with the results in [12, 13], as noted after Theorem 1, our results on asymptotically exact probabilities also imply zero-one laws which do not require conditions Kn Kn 2 Pn = o(1) or even Pn = o(1) in [12, 13]. In addition, our results on asymptotically exact probabilities are stronger than zero-one laws and significantly more challenging to derive than the latter [12, 13].

e−α

in Section 2, and then use e− (k−1)! as the analytical reference of P[G(n, K, P, p) has 2-connectivity] for a comparison with the empirical probabilities. Figure 2 indicates that the experimental results are in agreement with our analysis.

10. CONCLUSION AND FUTURE WORK In this paper, we consider secure WSNs employing the Eschenauer–Gligor (EG) key predistribution scheme under the on/off channel model and obtain asymptotically exact probabilities for k-connectivity and for the property that the minimum node degree is at least k. Numerical simulation is shown to be in agreement with our analytical findings. A future research direction is to explore link constraints different from the on/off channel model, e.g., the disk model in which two nodes have to be within a certain distance for communication [7, 10].

9. RELATED WORK Erd˝ os and R´enyi [3] and Gilbert [6] propose the random graph model G(n, pn ) (viz., Section 2). Erd˝ os and R´enyi consider connectivity and the property that the minimum degree is at least 1 (i.e., no node is isolated) for graph G(n, pn ) in [3] and extend the results to general k in [4], proving that for G(n, pn ) with pn = ln n+(k−1)nln ln n+αn and limn→∞ αn = α∗ , the probability of k-connectivity and the probability of the minimum degree being at least k both

11. REFERENCES [1] S. R. Blackburn and S. Gerke. Connectivity of the

9

[2] [3] [4] [5] [6] [7]

[8] [9] [10] [11] [12]

[13]

Lemma 4. In graph G, given (1) with |αn | = O(1), Pn ≥ 3Kn for all n sufficiently large, and Pn = Ω(n), then for any non-negative integer h, P[(ν = h) ∩ (δ > h)] = o(1).

uniform random intersection graph. Discrete Mathematics, 309(16), August 2009. A. DasGupta. Asymptotic Theory of Statistics and Probability, volume 17. Springer Texts in Statistics, 2008. P. Erd˝ os and A. R´ enyi. On random graphs, I. Publicationes Mathematicae (Debrecen), 6:290–297, 1959. P. Erd˝ os and A. R´ enyi. On the strength of connectedness of random graphs. Acta Math. Acad. Sci. Hungar., pages 261–267, 1961. L. Eschenauer and V. Gligor. A key-management scheme for distributed sensor networks. In Proc. of ACM CCS, 2002. E. N. Gilbert. Random graphs. The Annals of Mathematical Statistics, 30:1141–1144, 1959. B. Krishnan, A. Ganesh, and D. Manjunath. On connectivity thresholds in superposition of random key graphs on random geometric graphs. In Proc. of IEEE ISIT, pages 2389–2393, 2013. K. Rybarczyk. Diameter, connectivity and phase transition of the uniform random intersection graph. Discrete Mathematics, 311, 2011. K. Rybarczyk. Sharp threshold functions for the random intersection graph via a coupling method. Electr. Journal of Combinatorics, 18:36–47, 2011. O. Ya˘ gan. Performance of the Eschenauer-Gligor key distribution scheme under an on/off channel. IEEE Trans. on Information Theory, 58(6):3821–3835, 2012. O. Ya˘ gan and A. M. Makowski. Zero-one laws for connectivity in random key graphs. IEEE Transactions on Information Theory, 58(5):2983–2999, May 2012. J. Zhao, O. Ya˘ gan, and V. Gligor. k-Connectivity in secure wireless sensor networks with physical link constraints – the on/off channel model. Arxiv, 2012. Available online at http://arxiv.org/abs/1206.1531. J. Zhao, O. Ya˘ gan, and V. Gligor. Secure k-connectivity in wireless sensor networks under an on/off channel model. In Proc. of IEEE ISIT, pages 2790–2794, 2013.

A.2 The Proof of Lemma S 2 m

Event (w ∈ M0m ) equals i=1 Ewvi , where Ewvi is the event that there exists an edge between nodes w and vi in G. Thus, byPa union bound, L.H.S. of m (60) is no less than 1 − i=1 P[Ewvi | Tm = Tm∗ ] = 1 − mpe ; and given Lemma 3, we establish (61) by P[w ∈ M0m | Tm = Tm∗ ] m X P[Ewvi | Tm = Tm∗ ] ≤1− i=1

+

X

1≤i

P[Ewvi ∩ Ewvj | Tm = Tm∗ ]

≤ 1 − mpe + pn 2 ≤e

X

1≤i

−mpe +m2 pe 2 +Kn −1 pe pn (0)

∗ | + 2ps 2 Kn −1 ps |Sij P

1≤i

∗ |Sij |

.

Since event w ∈ M0i−1 ,1,0m−i equals the intersecS tion of Ewvi and j∈{1,2,...,m}\{i} Ewvj , L.H.S. of (62) is at most P[Ewvi | Tm = Tm∗ ] = P[Ewvi ] = pe ; and given Lemma 3, we obtain (63) by (0) P w ∈ M0i−1 ,1,0m−i | Tm = Tm∗ ≥ P[Ewvi | Tm = Tm∗ ] X P[Ewvi ∩ Ewvj | Tm = Tm∗ ] − j∈{1,2,...,m}\{i}

APPENDIX A.1 Useful Lemmas

= pe − Tm∗

≤ e−mpe +m

2

pe 2 +Kn −1 pe pn

P

1≤i

∗ |Sij |

and for any i = 1, 2, . . . , m, we get P w ∈ M0i−1 ,1,0m−i | Tm = Tm∗ ≤ pe , and P w ∈ M0i−1 ,1,0m−i | Tm = Tm∗ X ≥ pe 1−2mpe −Kn −1 pn

j∈{1,2,...,m}\{i}

j∈{1,2,...,m}\{i}

∗ | + 2ps 2 pn 2 Kn −1 ps |Sij

≥ pe 1 − 2mpe − Kn −1 pn

(S1∗ ,

Lemma 2. Given Pn ≥ 3Kn and any = ∗ S2∗ , . . . , Sm ) ∈ Tm , for any node w ∈ Vm , we obtain P[w ∈ M0m | Tm = Tm∗ ] ≥ 1 − mpe , and P[w ∈ M0m | Tm = Tm∗ ]

X

(60)

X

j∈{1,2,...,m}\{i}

∗ |Sij | .

A.3 The Proof of Lemma 3 P[Γit ∩ Γjt | (|Sij | = u)] = P[Γit | (|Sij | = u)] + P[Γjt | (|Sij | = u)]

; (61)

− (1 − P[Γit ∩ Γjt | (|Sij | = u)]) Pn − (2Kn − u) Pn = 2ps − 1 + Kn Kn

(62) ,

≤ 2ps − 1 + (1 − ps )

2Kn −u Kn

(by Lemma 5.1 in [10]) 2 ≤ 2ps − ps (2Kn − u)/Kn + ps 2 (2Kn − u)/Kn 2

∗ |Sij |

≤ Kn −1 ps u + 2ps 2 .

(63)

∗ where Sij = Si∗ ∩ Sj∗ .

A.4 The Proof of Lemma 4 Lemma 4 has a proof similar to that of Equation (128) in [12]. We visit the relevant steps of establishing the latter therein and remove unnecessary conditions to establish Lemma 4. The details are omitted here due to the space limitation.

Lemma 3. If Pn ≥ 3Kn , then for any three distinct nodes vi , vj and vt in graph G and for any u = 0, 1, . . . , Kn , we have P[(Γit ∩ Γjt | (|Sij | = u)] ≤ Kn −1 ps u + 2ps 2 . 10