Practical Approaches to Varying Network Size in Combinatorial Key Predistribution Schemes
Abstract
Combinatorial key predistribution schemes can provide a practical solution to the problem of distributing symmetric keys to the nodes of a wireless sensor network. Such schemes often inherently suit networks in which the number of nodes belongs to some restricted set of values (such as powers of primes). In a recent paper, Bose, Dey and Mukerjee have suggested that this might pose a problem, since discarding keyrings to suit a smaller network might adversely affect the properties of the scheme.
In this paper we explore this issue, with specific reference to classes of key predistribution schemes based on transversal designs. We demonstrate through experiments that, for a wide range of parameters, randomly removing keyrings in fact has a negligible and largely predictable effect on the parameters of the scheme. In order to facilitate these computations, we provide a new, efficient, generally applicable approach to computing important properties of combinatorial key predistribution schemes.
We also show that the structure of a resolvable transversal design can be exploited to give a deterministic method of removing keyrings to adjust the network size, in such a way that the properties of the resulting scheme are easy to analyse. We show that these schemes have the same asymptotic properties as the transversal design schemes on which they are based, and that for most parameter choices their behaviour is very similar.
Keywords
Wireless sensor network Key predistribution scheme Combinatorial design1 Introduction
In this paper, we consider wireless sensor networks (WSNs) consisting of a large number \(m\) of identical sensor nodes that are randomly deployed over a target area. After deployment, each node communicates in a wireless manner with other nodes that are within communication range, thus forming an ad hoc network. Due to the wireless nature of the communication, it is desirable for cryptographic tools to be used for provision of secrecy, data integrity, and/or authentication. The nodes’ restricted computational ability and battery power mean that, in many situations, it is preferable to use symmetric algorithms rather than relying on more computationallyintensive public key techniques. This requires nodes to share keys; one standard approach to providing such keys is the use of a key predistribution scheme (KPS), in which keys are stored in the nodes’ keyrings prior to deployment. For example, in the seminal scheme of Eschenauer and Gligor [4], the keys are randomly drawn from a common keypool.
After the nodes have been deployed, nodes that are within communication range execute a shared key discovery protocol to determine which keys they have in common. Two nodes that share at least \(\eta \) keys (for some predetermined intersection threshold \(\eta \ge 1\)) use all their common keys to derive a new key that is used to secure communication between them. This is referred to as a secure link between these nodes. There exists a large quantity of literature relating to the construction of KPSs for WSNs; surveys include [2, 7, 10].
KPSs based on combinatorial structures such as designs or codes have been studied as an alternative to random schemes (see [6, 9] for surveys of combinatorial schemes). Such schemes have several advantages over the random schemes: for instance, they make it possible to prove the scheme has desirable properties relating to connectivity and resilience, they enable more efficient discovery of shared keys, and they reduce the amount of randomness required when instantiating the schemes [5].
Key predistribution schemes for WSNs are typically evaluated using certain metrics that relate to the performance of the resulting networks. Firstly, it is desirable to restrict the total amount of memory each node must use for storing keys/keying material. Secondly, after the nodes have been deployed, it is desirable for there to be as many secure links as possible between neighbouring nodes, so as to increase the (secure) connectivity of the resulting network. The extent to which a KPS facilitates achieving this objective is frequently measured in terms of the quantity \(\mathsf {Pr}_1\), which denotes the probability that any two given nodes share at least \(\eta \) common keys.
Finally, we wish to measure the scheme’s ability to withstand adversarial attack. A widely studied attack model, which we follow in this paper, is that of random node capture [4], where the adversary can eavesdrop on all communication in the network, and can also comprise random nodes in order to extract any keys/keying material they contain. The resilience of a KPS in the face of an attacker is expressed in terms of the quantity \(\mathsf {fail}(\)s\()\), which is defined to be the probability that a randomly chosen link is broken when an attacker compromises \(s\) nodes uniformly at random, and then extracts their keys.
For simplicity, we focus particularly on \(\mathsf {fail}(1)\) in this work. In this case, a link \(\{A,B\}\) is broken by another node \(C\) when \(A \cap B \subseteq C\), where \(A,B\) and \(C\) denote the sets of keys held by the three corresponding nodes.
There is an inherent tension between the need to provide good connectivity and the need to maintain a high level of resilience without requiring an excessive number of keys to be stored. Designing a KPS involves finding a scheme that delivers a good tradeoff between these properties, and which is sufficiently flexible to be useful for a range of practical choices of parameters such as network size, available storage and desired level of security.
One feature of combinatorial schemes that could be viewed as a drawback is the fact that, due to the structure of the combinatorial object used, the number of nodes in the scheme may be required to be of a particular form, such as a power of a prime, for example. If the number \(n\) of nodes in the network in which we wish to employ such a scheme is not of this form, then the most commonly suggested remedy is to take the smallest number of that form that is larger than \(n\), and simply select some (randomly chosen) subset of \(n\) keyrings from the resulting scheme (e.g., see [5]). In a recent paper [1], Bose, Dey and Mukerjee have suggested that removing keyrings in this manner from a combinatorial scheme may adversely affect its properties, thus negating some of the main benefits of such schemes. Instead, they propose a deterministic KPS in which various block designs are combined to give a scheme in which the number of keyrings can be varied directly in a more flexible manner.
In this paper, we examine more closely the actual effects of removing keyrings from a combinatorial KPS. We focus specifically on the family of schemes proposed by Lee and Stinson based on transversal designs [5], since they have been shown to behave well for a wide range of parameters [9]. In Sect. 2, we exploit the structure of resolvable transversal designs to propose a deterministic method for selecting keyrings to remove from the schemes of Lee and Stinson without unduly affecting their performance. The properties of these modified schemes are easy to analyse using the framework established in [9], and we exploit this feature to compare their performance directly with the combinatorial schemes from which they were derived, demonstrating that they yield a family of schemes with a flexible choice of parameters whose properties compare favourably with those of existing schemes.
In addition, for a broad range of parameter choices, we consider networks consisting of various numbers of nodes with keyrings chosen uniformly at random from transversal design KPSs, and we compute the mean and standard deviation of the resulting values of the security and performance metrics for these schemes. The results, given in Sect. 3.2, demonstrate that the change in these metrics as keyrings are removed is in fact very limited, and largely predictable.
Computing properties of schemes obtained by randomly deleting some number of keyrings from a combinatorial scheme can be timeconsuming. Therefore, in Sect. 4 we describe a new approach to facilitate the efficient evaluation of metrics for connectivity and resilience in general KPSs. This approach is based on some new formulas for these metrics that are of independent interest.
1.1 Overview of the Construction and Analysis of Combinatorial Key Predistribution Schemes
A set system \((X, \mathcal {A})\) consists of a finite set \(X\) of points, together with a finite set \(\mathcal A\) of subsets of \(X\), which are known as blocks. A set system can be used to construct a KPS by associating each key in a certain keyspace with an element of \(X\) and each node with an element of \(\mathcal A\), so that a node is preloaded with the keys that correspond to points lying in its corresponding block. The point \(x\) acts as a key identifier for the corresponding secret key. Key identifiers (and which nodes hold which key identifiers) are public information, whereas the values of the keys are secret (known only to the nodes that hold them).
Example 1
It is easy to see that, in this model, the EschenauerGligor scheme [4] is obtained when the underlying set system consists of \(n\) random \(k\)subsets of the \(v\)set \(X\). On the other hand, combinatorial key predistribution schemes are typically based on set systems arising from combinatorial objects with nice properties that ensure the resulting schemes perform well and are amenable to analysis. Particular examples of combinatorial objects that have been proposed for use in key distribution in this way include projective planes, generalised quadrangles, configurations, common intersection designs, transversal designs of strength 2 or 3, partially balanced incomplete block designs, inversive planes [3], orthogonal arrays, ReedSolomon codes, mutuallyorthogonal Latin squares, and rational normal curves in projective spaces (see [9] for a survey and analysis of such schemes).
In this paper, we focus mainly on transversal designs, which we define now.
Definition 1
 1.
\(H \cap A = 1\) for every \(H \in \mathcal {H}\) and every \(A \in \mathcal {A}\), and
 2.
every subset of \(t\) elements of \(X\) from \(t\) different groups occurs in exactly one block in \(\mathcal {A}\).
We note that transversal designs are equivalent to other familiar combinatorial objects such as orthogonal arrays and maximum distance separable (MDS) codes; see [9, Sect. 2.7] for further discussion on these equivalences.
Example 2
Lee and Stinson [5] proposed a family of combinatorial KPSs based on transversal designs \(\mathrm{TD}(2,k,p)\). The set systems they use can be constructed explicitly as follows:
The values of \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\) for these schemes, in the case of strength 2 with \(\eta = 1\) and strength 3 with \(\eta =1\) or \(\eta =2\), are given in Table 1.
Example 3
Bose et al. [1] proposed a family of KPSs obtained by combining \(\eta \) designs that are the duals of designs derived from association schemes. For the sake of clarity, we will restrict ourselves to the specific instantiation in which the designs are all copies of a \(\mathrm{TD}(2,k,n)\).
In the case of \(\eta =1\), the Bose et al. scheme instantiated with a \(\mathrm{TD}(2,k,n)\) coincides exactly with Lee and Stinson’s transversal design scheme.
For \(\eta =2\), they take two copies of a \(\mathrm{TD}(2,k,n)\) and construct a new set system by letting the set of points be the union of the sets of points of each of the designs, and by letting the blocks be given by all possible unions of the form \(B_1\cup B_2\) where \(B_1\) is a block of the first \(\mathrm{TD}(2,k,n)\) and \(B_2\) is a block of the second \(\mathrm{TD}(2,k,n)\). This scheme has \(2kn\) points, and \(n^4\) blocks. Each block contains \(2k\) points, and two blocks intersect in either 0, 1, 2, \(k\), or \(k+1\) points.

the deterministic nature and regular structure of combinatorial schemes ensure that the precise values of metrics of the scheme such as \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\) can be computed exactly, rather than simply the expected value of these quantities;

combinatorial schemes reduce the quantity of random numbers that must be generated in setting up the scheme;

most importantly, for many combinatorial schemes, their regular structure leads to very efficient algorithms for performing tasks such as shared key discovery once the nodes are deployed.
A survey and analysis of many existing combinatorial schemes was carried out in [9]. The concept of a partially balanced tdesign (PB\( t \)D) was introduced, and explicit formulas for evaluating \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\) were given for any combinatorial scheme that can be constructed from a PB\( t \)D.
Definition 2
 1.
\(X\) is a finite set whose elements are referred to as points, and \(\mathcal A\) is a finite set of \(k\)subsets of \(X\); its elements are referred to as blocks.
 2.
There are \(\lambda _0\) blocks in \(\mathcal A\).
 3.
For \(1\le i\le t1\), each subset of \(i\) points of \(X\) occurs in either no blocks, or in exactly \(\lambda _i\) blocks.
 4.
For \(t\le i \le k\), each subset of \(i\) points occurs in either \(0\) or \(1\) blocks.
Paterson and Stinson [9] showed that a wide range of existing combinatorial KPSs (including KPSs constructed from transversal designs) could be modelled as PB\( t \)Ds. The advantage of doing so is that the properties of these schemes can easily be evaluated and compared with the aid of the formulas given in [9]. The resulting values for a range of schemes are given in Table 1. The transversaldesign based schemes described in Example 2 were shown to provide a good degree of flexibility for the construction of KPSs relative to other PB\( t \)Ds, since they are easily constructed for a wide range of useful parameters, the block size can be chosen independently of the network size, and the values of \(t\) and \(\eta \) can also be varied independently.
The KPSs of Bose et al. [1] are not PB\( t \)Ds, and hence they cannot be analysed directly using the approach of [9]. One of the motivations behind their schemes is to provide constructions that can yield KPSs for a flexible choice of network size; in [1], they note that “the number of nodes need not be of the particular forms \(p^2\) or \(p^3\), with \(p\) prime or prime power”. The traditional view of combinatorial construction of KPSs is that, provided a range of parameters is available, then if a specific network size \(n\) is desired it suffices to choose parameters to give a scheme that suits a network of size greater than \(n\) and simply discard the unneeded keyrings. Bose et al. [1] object (with particular reference to [5]) that “if we then discard the unnecessary node allocations to get the final scheme for use, this final scheme will not preserve the \(\mathsf {Pr}_1\) and \(\mathsf {fail}(s)\) values of the original scheme and hence the properties of the final scheme in this regard can become quite erratic” [1]. One main goal of our paper is to refute this statement.
1.2 Outline of the Paper
In Sect. 2, we present two approaches to increasing the flexibility of combinatorial predistribution schemes based on transversal designs. One approach is randomized and the other is deterministic. In Sect. 3, we perform extensive comparisons of our generalized constructions to the original transversal design schemes. In Sect. 4, we derive new formulas that facilitate the computation of metrics for connectivity and resilience for arbitrary key predistribution schemes based on set systems. Finally, Sect. 5 is a short conclusion.
2 Two Approaches to Varying the Network Size in KPSs based on Transversal Designs
In this section we consider two distinct approaches to varying the network size in the transversal designbased KPSs of Lee and Stinson. One option is to use the standard approach of randomly removing blocks from the design.
Scheme 1 (Random scheme)
Suppose a KPS is desired for a network containing \(m\) nodes. Let \(n\) be the smallest prime power satisfying \(n^2\ge m\). Then by constructing a \(\mathrm{TD}(2,k,n)\) and selecting a subset of \(m\) blocks uniformly at random we obtain a set system that can be used to provide a KPS for the network.
Similarly, we can construct a KPS for this network based on a transversal design of strength 2 by taking \(n\) to be the smallest prime power with \(n^3\ge m\), and then selecting \(m\) blocks uniformly at random from the set of blocks of a \(\mathrm{TD}(3,k,n)\).
The benefits of such an approach include its simplicity and the fact that it can be applied for any value of \(m\). It is a very natural approach, given that it mirrors precisely the commonly anticipated situation in which a small number of nodes may fail or run out of power after deployment. We will see that this scheme performs well in practice: in Sect. 3.2 we demonstrate that for a wide range of parameter choices, restricting to a random subset of blocks of a TD\((2,k,n)\) does not adversely affect the expected performance of schemes based on these designs. Furthermore, we still retain some desirable properties of combinatorial schemes such as efficient shared key discovery.
One of the other underlying motivations of using combinatorial designs to construct KPSs is the fact that their deterministic and highly structured nature allows us to guarantee the values they attain for metrics such as \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\). If blocks are deleted at random, we lose these guarantees, even though diminished performance is very unlikely. In this section we propose a second technique, to overcome this possible drawback. We demonstrate how to exploit the structure of transversal designs in order to select subsets of the blocks deterministically in such a way that the precise performance of the resulting structure is straightforward to evaluate. Specifically, we will make use of resolvable transversal designs to accomplish this objective.
2.1 Resolvable Transversal Designs of Strength 2
Definition 3
A transversal design TD\((2,k,n)\) is said to be resolvable if it is possible to partition the blocks of the design into sets \(\mathcal{B}_1, \mathcal{B}_2, \cdots ,\mathcal{B}_n\), such that each point of the design belongs to precisely one block in each set. The sets \(\mathcal{B}_i\) are known as parallel classes of the design.
Resolvable transversal designs have previously been exploited for constructing KPSs suited for networks where there is group deployment of nodes; see [8]. The transversal design KPSs proposed by Lee and Stinson do not require the resolvability property; however, the transversal designs TD\((2,k,n)\) used in [5] are in fact resolvable.
Example 4
A resolvable transversal design TD\((2,k,n)\) has \(n\) parallel classes with \(n\) blocks in each class. We propose using such designs for key predistribution as follows:
Scheme 2 (Linear scheme)
We construct a set system for use in a KPS by starting with a resolvable TD\((2,k,n)\), where \(n\) is a prime power. Let \(\ell \) be an integer between 1 and \(n\). Select \(\ell \) parallel classes of blocks of the design, and let the blocks in these parallel classes be the blocks of the set system. We refer to the resulting set system as a \(\overline{\mathrm{TD}}(2,k,n,\ell )\).
As each parallel class contains \(n\) blocks, this means that Scheme 2 yields a KPS with \(\ell n\) keyrings. This number can be varied as required by choosing an appropriate value of \(\ell \): roughly speaking, we require that \(n \ge \sqrt{m}\) and \(\ell \approx m/n\). One nice feature of this method of choosing blocks is that the resulting incidence structure is in fact a PB\( t \)D, and hence its properties can be determined in a straightforward manner simply by using the formulas given in [9]. We now perform this analysis to show that Scheme 2 performs well even for comparatively small values of \(\ell \).
Theorem 1
A \(\overline{\mathrm{TD}}(2,k,n,\ell )\) is a 2\((kn,k,\ell n,\ell )\)PB\( t \)D
Proof
Take \(\ell \) parallel classes of blocks from a resolvable TD\((2,k,n)\), and let \(\mathcal A\) be the set of blocks in these parallel classes. Let \(X\) be the set of points in the TD\((2,k,n)\); we note that \(X\) contains \(kn\) points. Now, \(\mathcal A\) contains \(\lambda _0=\ell n\) blocks, each containing \(k\) points. Every point of \(X\) is contained in precisely one block in each parallel class, and hence is contained in precisely \(\lambda _1=\ell \) blocks of \(\mathcal A\). Furthermore, since each pair of points in \(X\) is contained in either 0 or 1 blocks of the TD\((2,k,n)\), it follows that any pair of points is contained in either 0 or 1 blocks of \(\mathcal A\). Thus \((X,\mathcal{A})\) satisfies all the properties of a 2\((kn,k,\ell n,\ell )\)PB\( t \)D.
2.2 Transversal Designs of Higher Strength
Just as in the case of transversal designs of strength 2, it is possible to deterministically select subsets of blocks from transversal designs of higher strength, such as the TD\((3,k,n)\) suggested for use in key predistribution by Lee and Stinson, in a way that allows flexibility in the number of keyrings of the resulting scheme, while still maintaining good performance. We begin by illustrating a useful approach to partitioning the blocks of the TD\((3,k,n)\) described in Example 2.
Example 5
Scheme 3 (Quadratic scheme)
Let \(n\) be a prime power. Starting with a TD\((3,k,n)\), we define a set system by letting \(\ell \) be an integer between 1 and \(n\), selecting \(\ell \) of the sets \(\mathcal{B}_i\), and letting \(\mathcal A\) be the set of blocks in these \(\ell \) sets. We refer to the incidence structure \((X,\mathcal{A})\) as a \(\overline{\mathrm{TD}}(3,k,n,\ell )\). Using a \(\overline{\mathrm{TD}}(3,k,n,\ell )\) for constructing a KPS in the standard way yields a scheme with \(\ell n^2\) keyrings, for which we can choose an intersection threshold of either \(\eta =1\) or \(\eta =2\).
As before, this method of selecting blocks yields a structure that is easy to analyse:
Theorem 2
A \(\overline{\mathrm{TD}}(3,k,n,\ell )\) is a 3\((kn,k,\ell n^2,\ell n,\ell )\)PB\( t \)D.
Proof
A \(\overline{\mathrm{TD}}(3,k,n,\ell )\) consists of a set of \(kn\) points, together with \(\ell \) disjoint sets of \(n^2\) blocks of \(k\) points, and thus has \(\ell n^2\) blocks in total. Every point of the \(\overline{\mathrm{TD}}(3,k,n,\ell )\) is contained in \(n\) blocks in each of these sets, and therefore is contained in \(\ell n\) blocks in total. If a pair of points belong to a group of the underlying TD\((3,k,n)\) then they do not occur together in any block of the \(\overline{\mathrm{TD}}(3,k,n,\ell )\). If two points lie in different groups, then in each of the \(\ell \) sets \(\mathcal{B}_i\) there is precisely one block that contains them. Thus any pair of points occurs together in either 0 or \(\ell \) blocks of the \(\overline{\mathrm{TD}}(3,k,n,\ell )\). Finally, any set of three points occur together in either 0 or 1 blocks of the TD\((3,k,n)\) and thus also occur together in 0 or 1 blocks of the \(\overline{\mathrm{TD}}(3,k,n,\ell )\).
2.3 Finer Control Over the Number of Blocks
Scheme 3 provides KPSs with \(\ell n^2\) keyrings by selecting \(\ell \) disjoint sets of \(n^2\) blocks from a TD\((3,k,n)\). Each of these sets of blocks is in fact a resolvable TD\((2,k,n)\). Thus, if a more finegrained choice of network size is required, it would be possible to choose \(\ell \) sets of blocks, together with \(m\) parallel classes of blocks from an \((\ell +1)^\mathrm{th}\) copy of a TD\((2,k,n)\). This would yield a network with \(\ell n^2+m n\) keyrings; appropriate choices of \(\ell \) and \(m\) thus allow the network size to be adjusted to the nearest multiple of \(n\). The resulting combinatorial structure would be a 3\((kn,k,\ell n^2+mn,\ell n+m,\ell +1)\)PB\( t \)D, and hence could be analysed in a similar manner to the schemes based on a \(\overline{\mathrm{TD}}(3,k,n,\ell )\).
3 Analysis and Comparisons of the New Constructions with Previous Schemes
In this section, we compare the new schemes (Scheme 1, 2 and 3) with the transversal design schemes from which they were derived. Recall that Scheme 1 consists of random blocks chosen from a transversal design, while Scheme 2 and Scheme 3 are deterministic schemes consisting of specified blocks from transversal designs of strength 2 and 3, respectively.
 \(A\):

Scheme 2, based on a \(\overline{\mathrm{TD}}(2,k,n,\ell )\)
 \(B\):

Scheme 3, based on a \(\overline{\mathrm{TD}}(3,k,n,\ell ), \eta =2\)
 \(C\):

Scheme 3, based on a \(\overline{\mathrm{TD}}(3,k,n,\ell ), \eta =1\)
 \(D\):

Scheme 2, based on a \(\mathrm {TD}(2,k,n)\) (i.e., Scheme 2 with \(\ell = n\))
 \(E\):

Scheme 3, based on a \(\mathrm {TD}(3,k,n), \eta =2\) (i.e., Scheme 3 with \(\ell = n\))
 \(F\):

Scheme 3, based on a \(\mathrm {TD}(3,k,n), \eta =1\) (i.e., Scheme 3 with \(\ell = n\))
Metrics for some transversal design based schemes
Scheme  \(\mathsf {Pr}_1\)  \(\mathsf {fail}(1)\) 

\(A.\)  \(\displaystyle \frac{k(\ell 1)}{\ell n1}\)  \(\displaystyle \frac{\ell 2}{\ell n2}\) 
\(B.\)  \(\displaystyle \frac{k(k1)(\ell 1)}{2(\ell n^21)}\)  \(\displaystyle \frac{\ell 2}{\ell n^22}\) 
\(C.\)  \(\displaystyle \frac{k(2\ell n2(k1)(\ell 1))}{2(\ell n^21)}\)  \(\displaystyle \frac{2(\ell n1)(\ell n2)(k1)(\ell 1)(2\ell n\ell 2)}{(\ell n^22)(2\ell n2(k1)(\ell 1))}\) 
\(D.\)  \(\displaystyle \frac{k}{n+1}\)  \(\displaystyle \frac{n2}{n^2  2} \) 
\(E.\)  \(\displaystyle \frac{k(k1)}{2(n^2+n+1)}\)  \(\displaystyle \frac{n2}{n^3  2}\) 
\(F.\)  \(\displaystyle \frac{k(2nk+3)}{2(n^2+n+1)}\)  \(\displaystyle \frac{2n^3 +(42k)n^2 + (k5)n +2k6}{(2nk+3)(n^32)}\) 
In Sect. 3.1, we briefly discuss asymptotic comparisons between the deterministic schemes \(A\)–\(F\), using the formulas in Table 1. In Sect. 3.2, these formulas are evaluated for a range of parameter choices to provide a direct comparison with the corresponding values for equivalent parameter choices in Scheme 1 (the Random Scheme).
3.1 Asymptotic Comparisons
Thus, for example, if we use only \(n/1000\) of the \(n\) parallel classes, the connectivity of the partial scheme is asymptotically the same as the transversal design scheme on which it is based. A similar result holds for resilience, as can be seen by computing the ratios of the relevant \(\mathsf {fail}(1)\) values. Furthermore, a similar phenomenon is observed for Scheme 3, for both \(\eta = 1\) and \(\eta = 2\), i.e., when we use the formulas for the schemes labelled \(B\) and \(E\), as well as for the schemes labelled \(C\) and \(F\). We summarize this as follows.
Theorem 3
3.2 Comparisons for Explicit Parameter Choices

The transversal designs yielding maximum network size 5000 (approximately) are TD(2,15,71) and TD(3,15,17); note that \(71^2 = 5041\) and \(17^3 = 4913\). Here the block size is 15, which means that nodes will each store 15 keys.

The transversal designs for maximum network size 24000 (approximately) are TD(2,25,157) and TD(3,25,29); note that \(157^2 = 24649\) and \(29^3 = 24387\). Here the block size is 25, which means that nodes will each store 25 keys.

In Figs. 1–6, the plots of the values of \(\mathsf {fail}(1)\) or \(\mathsf {Pr}_1\) as blocks are selected uniformly from a \(\mathrm{TD}(2,k,n)\) or \(\mathrm{TD}(3,k,n)\) (Scheme 1) are all essentially a horizontal line, indicating that on average the values of \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\) do not change greatly, even if the number of blocks selected is quite small. This is entirely to be expected: \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\) by definition are quantities that represent an average over all the keyrings in the network, so taking the average over smaller, uniformly selected subsets of keyings should not affect these values too much. The average values computed in our experiments are in fact very close to the exact average values that are computed theoretically.

One quantity of particular interest here is the standard deviation of \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\) for Scheme 1, since this determines the extent to which a particular random choice of subnetwork may have \(\mathsf {fail}(1)\) or \(\mathsf {Pr}_1\) values that differ from the average values for the scheme as a whole. Naturally, the standard deviation of these values increases slightly when the number blocks is very small. However, we can see from Figs. 1–6 that these standard deviations are still extremely low, especially in the case of schemes obtained from the larger designs. Moreover, there is a very low range of values of \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\) encountered in our experiments. This is evident from Tables 3 and 4 in the Appendix, for the schemes derived from a TD(2,15,71). Schemes derived from other transversal designs exhibit similar behaviour in terms of the variability of these metrics. Thus we see that in practice, selecting random subsets of the keyrings is unlikely to have much of an effect on the values of \(\mathsf {fail}(1)\) and \(\mathsf {Pr}_1\) for the scheme.

In Scheme 2, when the number \(\ell \) of parallel classes is very small, the value of \(\mathsf {Pr}_1\) is low, due to the fact that no two blocks within a given parallel class have any points in common. Nevertheless, Figs. 1 and 4 demonstrate that this value grows rapidly as \(\ell \) increases, and soon approaches the \(\mathsf {Pr}_1\) value attained by Scheme 1. On the other hand, for Scheme 2, the value of \(\mathsf {fail}(1)\) is also low initially, and similarly becomes closer to that of Scheme 1 as \(\ell \) increases. Thus we see that the properties of Scheme 2 and Scheme 1 are very similar in practice, for even moderately large values of \(\ell \).

Figures 3 and 6 show that Scheme 3 with intersection threshold \(\eta =2\) exhibits a similar behaviour to that of Scheme 2: the \(\mathsf {Pr}_1\) and \(\mathsf {fail}(1)\) values are low when \(\ell \) is small, but increase rapidly as \(\ell \) becomes larger. The reason for this is entirely analogous: for any given set \(\mathcal{B}_i\) of blocks, no two of the blocks in that set intersect in two points, and hence for \(\eta =2\) there are no secure links formed between nodes whose keyrings are derived from such blocks.

Figures 2 and 5 are interesting, as they show a slightly different behaviour pattern for Scheme 3 in the case of intersection threshold \(\eta =1\). Here the \(\mathsf {Pr}_1\) and \(\mathsf {fail}(1)\) values are in fact higher when \(\ell \) is small, and then decrease for larger values of \(\ell \), eventually approaching the properties of Scheme 1. This is explained by the fact that two blocks within the same set \(\mathcal{B}_i\) have probability \(\frac{k}{n+1}\) of sharing a common key (cf. Table 2), which is higher (for the parameters under consideration) than the average probability \(\frac{k(2nk+3)}{2(n^2+n+1)}\) that two blocks chosen uniformly from a \(\mathrm{TD}(3,k,n)\) share at least one key. As in previous cases, it is clear from these graphs that once a reasonable number of the sets \(\mathcal{B}_i\) are chosen, the properties of Scheme 3 are very close to those of Scheme 1.
We conclude that removal of keyrings from a KPS based on transversal designs, whether randomly or deterministically as in Scheme 2 or 3, causes no undue disruption to the behaviour of the scheme.
4 An Efficient New Approach to Calculating Connectivity and Resilience for Arbitrary Set Systems
In this section, we describe a new approach to facilitate the efficient evaluation of metrics for connectivity and resilience in general KPSs. We were motivated to do this in order to compute the metrics of our random scheme that consists of random subsets of blocks of a transversal design. Suppose we start with any set system \((X,\mathcal {A})\) having blocks of size \(k\). Denote \(b = \mathcal {A}\). Suppose the maximum intersection of any two blocks in \(\mathcal {A}\) is \(t1\). (In a given application, the value of \(t\) may already be known beforehand. However, if it were not already known, it could be computed as the first step of the process we are about to describe.)
 1.
For various types of “structured” set systems (for example, a partially balanced \(t\)design) we know the relevant \(\lambda _C\)’s and so we can compute formulas for \(\mathsf {Pr}_1\) and \(\mathsf {fail}(1)\) in a straightforward manner.
 2.
For an arbitrary “unstructured” set system, we can use this approach to compute \(\mathsf {Pr}_1\) efficiently. In a “naive” approach, we would probably examine all pairs of blocks to see which pairs form links, which would already require time \(\varTheta (b^2)\). However, it is straightforward to tabulate all the relevant \(\lambda _C\) values in time \(\varTheta (b)\), and then apply the formulas we derive, in order to compute \(\mathsf {Pr}_1\). This will be discussed further in Sect. 4.3.
4.1 Formulas for Connectivity
Lemma 1
Lemma 2
Proof
In view of (2), we need to sum (1) over all \(C\) with \(C = i\). When we do this, each possible term \((1)^{D} \left( {\begin{array}{c}\lambda _{C \cup D}\\ 2\end{array}}\right) \) is included in the sum \(\left( {\begin{array}{c}{C \cup D}\\ C\end{array}}\right) = \left( {\begin{array}{c}D + i\\ i\end{array}}\right) \) times.
Theorem 4
Proof
We sum the formula (6) as \(i\) ranges from \(\eta \) to \(t1\). The number of times \(q_i\) is included in the sum is easily seen to be equal to \(a_i\).
Applications of Theorem 4
t  \(\eta \)  L 

2  1  \(q_1\) 
3  2  \(q_2\) 
3  1  \(q_1  q_2\) 
4  3  \(q_3\) 
4  2  \(q_2  2q_3\) 
4  1  \(q_1  q_2 + q_3\) 
5  4  \(q_4\) 
5  3  \(q_3  3q_4\) 
5  2  \(q_2  2q_3 + 3q_4\) 
5  1  \(q_1  q_2 + q_3  q_4\) 
Now, applying (8) and (4), we have the following formula for \(\mathsf {Pr}_1\).
Corollary 1
4.2 Formulas for Resilience
Lemma 3
Theorem 5
4.3 Computing Connectivity and Resilience
 1.Compute all the values \(\lambda _C\) for \(\eta \le C \le t1\). This can be done efficiently as follows:
 (a)
Initialise \(\lambda _C \leftarrow 0\) for all relevant \(C\).
 (b)
For every block \(A \in \mathcal {A}\) and for every \(C \subseteq A\) such that \(\eta \le C \le t1\), set \(\lambda _C \leftarrow \lambda _C + 1\).
 (a)
 2.
Compute all the values \(\mu _C\) for \(\eta \le C \le t1\), using the formula (12).
 3.
Compute the values \(q_i\) for \(\eta \le i \le t1\), using the formula (5).
 4.
Compute \(L\) using the formula (8).
 5.
Compute \(\mathsf {Pr}_1= L/\left( {\begin{array}{c}b\\ 2\end{array}}\right) \) and compute \(\mathsf {fail}(1)\) using the formula (15).
Remark
If we only wanted to compute \(\mathsf {Pr}_1\), then step 2 could be omitted.
4.4 Examples
Here are some small examples to illustrate the application of the formulas we have developed.
Example 6
Here is an example with \(t=4\). We just compute \(\mathsf {Pr}_1\) for this example.
Example 7
5 Conclusion
We have provided two methods of increasing the flexibility of combinatorial key predistribution schemes. These methods are discussed and evaluated in reference to the transversal design schemes introduced in [5]. The first method is to exploit the underlying structure of transversal designs to explicitly describe a wide range of “partial” designs whose properties can easily be analysed using existing formulas [9]. The schemes based on these partial designs have properties very similar to the transversal design schemes from which they are derived. The second method (e.g., see [5]) is to randomly delete blocks from a specified set system. We show by running extensive experiments that this method also does not affect performance adversely, which contradicts assertions made in [1]. Finally, we develop some new formulas that facilitate the efficient computation of metrics of KPS derived from arbitrary set systems. These formulas were useful in the experiments we carried out, but they may have additional applications in the theoretical study of combinatorial KPS for wireless sensor networks.
References
 1.Bose, M., Dey, A., Mukerjee, R.: Key predistribution schemes for distributed sensor networks via block designs. Des. Codes Crypt. 67(1), 111–136 (2013)CrossRefzbMATHMathSciNetGoogle Scholar
 2.Çamtepe, S.A., Yener, B.: Key distribution mechanisms for wireless sensor networks: a survey. Technical Report TR0507, Rensselaer Polytechnic Institute (2005)Google Scholar
 3.Dong, J., Pei, D., Wang, X.: A key predistribution scheme based on 3designs. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds.) Inscrypt 2007. LNCS, vol. 4990, pp. 81–92. Springer, Heidelberg (2008)Google Scholar
 4.Eschenauer, L., Gligor, V.: A keymanagement scheme for distributed sensor networks. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 41–47. ACM (2002)Google Scholar
 5.Lee, J., Stinson, D.R.: On the construction of practical key predistribution schemes for distributed sensor networks using combinatorial designs. ACM Trans. Inf.Syst. Secur. 11(2), 1–35 (2008). (Article No. 1)CrossRefGoogle Scholar
 6.Martin, K.M.: On the applicability of combinatorial designs to key predistribution for wireless sensor networks. In: Chee, Y.M., Li, Ch., Ling, S., Wang, H., Xing, Ch. (eds.) IWCC 2009. LNCS, vol. 5557, pp. 124–145. Springer, Heidelberg (2009) Google Scholar
 7.Martin, K.M., Paterson, M.B.: An applicationoriented framework for wireless sensor network key establishment. Electron. Notes Theor. Comput. Sci. 192(2), 31–41 (2008)CrossRefGoogle Scholar
 8.Martin, K.M., Paterson, M.B., Stinson, D.R.: Key predistribution for homogeneous wireless sensor networks with group deployment of nodes. ACM Trans. Sens. Netw. 7(2), 1–27 (2010). (Article No. 11)CrossRefzbMATHGoogle Scholar
 9.Paterson, M.B., Stinson, D.R.: A unified approach to combinatorial key predistribution schemes for sensor networks. Des. Codes Crypt. 71, 433–457 (2014)CrossRefzbMATHMathSciNetGoogle Scholar
 10.Xiao, Y., Rayi, V.K., Sun, B., Du, X., Hu, F., Galloway, M.: A survey of key management schemes in wireless sensor networks. Comput. Commun. 30(11–12), 2314–2341 (2007)CrossRefGoogle Scholar