arXiv [cs.RO]
Securing emergent behaviour in swarm robotics
Liqun Chen, Department of Computer Science, University of Surrey, Guildford, Surrey GU2 7XH, United Kingdom. [email protected]
Siaw-Lynn Ng, Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, United Kingdom. [email protected]
February 8, 2021
Abstract
Swarm robotics is the study of how a large number of relatively simple robots can be designed so that a desired collective behaviour emerges from the local interactions among robots and between the robots and their environment. While many aspects of a swarm may be modelled as various types of ad hoc networks, and accordingly many aspects of security of the swarm may be achieved by conventional means, here we focus on swarm emergent behaviour as the feature that most distinguishes swarm robotics from ad hoc networks. We discuss the challenges emergent behaviour poses for communications security, and by classifying a swarm by types of robots, types of communication channels, and types of adversaries, we examine which classes may be secured by traditional methods and focus on the aspects that are most relevant to allowing emergent behaviour. We examine how this can be secured by ensuring that communication is secure. We propose a simple solution using hash chains, and by modelling swarm communications as a series of random graphs, we show that this allows us to identify rogue robots with high probability.
Keywords: swarm robotics, security protocols, distributed systems security, public key cryptography, digital signatures, hash chains, random graphs
There are many variations on what the term “swarm robotics” means exactly. From [13, 12, 7, 10] we see that it is generally agreed that a swarm is a collection of a large number of autonomous mobile robots. The robots are generally resource-constrained and have low capability individually. They are self-organised, and no synchronicity is assumed. The swarm exhibits collective emergent behaviour: a desired collective behaviour emerges from the local interactions among the robots and between the robots and the environment.

What differs in diverse applications and scenarios are the communication capabilities, the hierarchical organisation, and the presence or absence of a central control. Some swarms consist of homogeneous robots but some may allow a few groups of homogeneous robots or allow some robots to take on special roles in communications or control. There is generally no centralised control, although in some applications a global channel is needed for a central control to download information onto the robots, or for robots to report back findings from the field. Robots are generally assumed to have local sensing and communication capabilities but may communicate with their neighbours in different ways: for example, they may communicate directly in a peer-to-peer fashion, or they may observe physical traits of their neighbours, or they may communicate by leaving messages in the environment. These variations have an impact on the provision of security to the swarm, and we discuss them in more detail in Section 2.1.

In [12] basic behaviours of swarm robotics are enumerated, and in [10] it is argued that typical behaviours of swarm robots are either aggregation or dispersion, and that in these behaviours it is the ability to distinguish robots of the same swarm that is key to the success of the swarm. This can only be done if there is some secret common to the swarm that is not available to adversaries or observers. In [10] the use of public key cryptography and key predistribution is briefly explored. We consider this in more depth here.

Swarm robotics has applications in many areas, for example military (such as mine clearance, access, surveillance), environmental monitoring, disaster relief and health care (such as medication provision and monitoring). We refer the reader to [13] for a more detailed picture. In many of these applications it is paramount that the swarm is protected so that the goals can be achieved. What “security” means differs from scenario to scenario, and is discussed in some detail in [7, 10]. In any case the desirable properties of a swarm in many applications are common: data is collected by many robots, so the loss of individual robots has little impact on the success of the task. This redundancy makes the swarm reliable. The distributed nature of the swarm also ensures that there are no single points of failure. Any measures taken to increase security must not adversely affect these properties.

In [7, 10] a comparison is made between swarm robotics and other distributed networks such as mobile wireless sensor networks (WSN), mobile and vehicular ad hoc networks (MANETs and VANETs), multi-robot systems and software agents. We refer the reader to those references for more details. Here we concentrate on physical robots (hence the use of “robots” rather than “agents”) and emergent behaviour, a feature that is not emphasised in most other distributed networks. We examine the security of the communications between robots, with a focus on preventing the disruption of emergent behaviour.

2.1 Stigmergy and local sensing
We will rely heavily on peer-to-peer communications to secure emergent behaviour, but we first discuss two communication methods peculiar to swarm robotics.

Stigmergy refers to the communication of robots via the environment. Robots modify the environment, which in turn affects the behaviour of other robots. These messages left in the environment may “fade” over time and eventually disappear. This is a feature seldom discussed in other types of network. However, there are parallels in some applications in other networks. For example, one could consider the “environment” as a shared memory space such as a bulletin board. This is used commonly in voting schemes (for example, [1]). “Fading” messages can be modelled using time-stamps or a time-discount function. For instance, in [11], a time-discount function is used to “fade” a reputation. All these have to be achieved while guaranteeing the authenticity and integrity of the messages. Much of this has been discussed in [10].

In some cases robot behaviour is determined not by direct communication with other robots or central control, but by what the robot can observe in its immediate surroundings, such as the configuration or behaviour (such as proximity or velocity of movement) of its neighbours. Some networks have this feature. For example, in a VANET, a vehicle may use the speed or location information of other vehicles to determine its own behaviour. Conventionally, when we discuss security, we consider the confidentiality, integrity and authenticity of the information that is exchanged. Here the question of confidentiality does not arise if the robots are observable by all. However, it is clear at least that the integrity and authenticity of the information obtained by observation is tied to the legitimacy of the observed robots. It was argued in [10] that the authenticity of a robot cannot be guaranteed unless there is some shared secret within the swarm. We discuss later how we can obtain some assurance of whether a robot is still legitimate or whether it is malfunctioning or has been subverted.
The “emergent behaviour” aspect of swarm robotics presents one of the greatest challenges to security. Emergent behaviour arises from local interactions amongst robots and between robots and the environment. (We do not concern ourselves here with how to design individual behaviour in order to achieve the task at hand. We are concerned with the implications for communications security.) While it seems possible to guard against external adversaries using conventional peer-to-peer protocols for key distribution and authentication, guarding against internal adversaries would appear to be a lot trickier. Robots are mobile, and compromised robots may spread their influence throughout the swarm, affecting local behaviours which in turn may disrupt emergent behaviour. How would one distinguish between emergent and malicious or malfunctioning erratic behaviour? This is discussed in some depth in [10], which argues that traditional anomaly-based and misuse-based intrusion detection methods do not work. We consider how secure communications may be used to ameliorate the situation. It would appear that the policing of malicious or erratic behaviour should not be too tight, so that some erratic behaviour is still allowed in case it is in fact emergent. This means that any solution would have to be flexible so that it can be tuned by the designer of the swarm.
Before we describe our approach to securing swarm communications to preserve emergent behaviour, we give a rough classification of robotic swarms in terms of the homogeneity of their robots, the interaction between robots, and the interaction with a central control. We discuss the adversaries in the next section.

1. Homogeneity of robots.
(a) Homogeneous robots. It is most generally accepted that the swarm is composed of a large group or a few large groups of homogeneous robots.
(b) Hierarchical structure. It is possible that some swarms may have “special” robots which are given a bigger role. This role may be that of control (the “master” robot may direct other robots to certain locations, or it may trigger an update of some kind in the neighbouring robots), or it may be that of greater capability (the “master” robot may have more keys so that it can communicate with more robots), or it may be that of a sink: it gathers all the data from its neighbours and reports back to a central control. (This is not an uncommon scenario in wireless sensor networks [14].)

2. Interaction between robots.
We assume that there are no secret or hidden channels of communication, and that an adversary may eavesdrop on or interfere with all communications.
(a) Direct communication. This may be a broadcast, or it may be a peer-to-peer communication. The channel may be a WLAN channel, a Bluetooth channel, an RFID channel, or it may use infrared or audio.
(b) Stigmergy. Robots communicate using stigmergy, that is, via the environment. They leave messages for other robots by modifying the environment. These messages “fade” over time and eventually disappear.
(c) Local sensing. A robot may make decisions on how to behave by observing the physical traits of its neighbours, such as their proximity, velocity, or configuration.

3. Interaction with a central control.
Again we make the same assumption as above that there are no secret or hidden channels of communication, and that an adversary may eavesdrop on or interfere with all communications.
(a) No interaction between robots and central control after deployment. This is commonly assumed, though it is not clear that it is entirely necessary, desirable, or practical.
(b) Central control to robots. It is sometimes accepted that there may be a central control entity which can broadcast messages to the swarm. These messages may include key management messages or software updates. This is generally a broadcast channel, though it is possible that in a more hierarchical swarm the messages are relayed via the “higher” robots.
(c) Robots to central control. It is also possible that robots of the swarm send messages back to central control. This is required in some applications, such as search and rescue. This can be done either by beaconing, or by relaying messages along to the sink (some designated reporting robot) which is responsible for reporting back.
(d) Two-way communications between robots and central control. Certain applications may require that robots and central control remain in contact.
Computational abilities of robots vary. We assume that the robots in this paper have enough capability to perform basic cryptographic computations. This is not unrealistic: advances in hardware design and manufacturing have resulted in small embedded devices that are capable of executing public key cryptography and other complex computational tasks [4]. For example, even the first generation Raspberry Pi provided real-world performance roughly equivalent to a 300 MHz Pentium II of 1997–99 (https://en.wikipedia.org/wiki/Raspberry_Pi). The robots used in [2, 9] are able to communicate at a range of up to 300 m. Some swarm robots are large machines used for precision agriculture, and for these onboard computation is not a great restriction. At the other end of the size spectrum we have nanorobots. For example, the design of an artificial mechanical red blood cell or “respirocyte” envisions that a $10^4$ bit/sec nanocomputer would meet all its computational requirements, which is roughly 1/50th the capacity of a 1976-vintage Apple II microprocessor-based PC [5].
We assume that the aim of an adversary is to disrupt the swarm. It may do so by
• discovering secrets and confidential information, or
• impersonating or corrupting or introducing robots to masquerade as robots of the swarm, to gather information, plant false information or change the swarm’s behaviour through its robots’ own behaviour, or
• removing robots or information from the system.

We will not discuss the first threat in detail, since it is discussed in many other works (such as [7, 10]), and also because we are more interested in what security can be guaranteed for publicly observable behaviours. Instead we focus on the second and third threats, specifically as they affect emergent behaviour. We consider different classes of adversaries as follows.

1. Insider/outsider. (What they know.)
An adversary who is an outsider has no access to the cryptographic keys and credentials of the robots. This type of adversary, the threats it poses and possible mitigations are discussed in depth in [10]. Most threats can be dealt with by having some sort of secret known only to the swarm, and both public key cryptography and key predistribution for symmetric key cryptography can be used to prevent such attacks. It is not clear what an outsider is in the context of local sensing; we assume either that it would simply look different and be disregarded by robots of the swarm, or that it would fail some sort of authentication process.
Insiders, in contrast, have access to keys and credentials. They may be corrupted robots, or they may have keys and credentials manufactured by an adversary. The use of threshold schemes and intrusion detection systems is discussed in [10], and it is found that neither of these solutions is ideal in the context of local sensing and emergent behaviour: apart from the issue of removing such an adversary, it is not easy to distinguish bad behaviour from emergent behaviour.

2. Active/passive. (What they can do.)
A passive adversary eavesdrops and tries to deduce secrets and information. Using encryption would prevent an outsider from doing this, but this is ineffective against an insider. In the context of local sensing, we assume that an insider passive adversary would simply observe and possibly record the behaviour of the swarm robots.
An active adversary, in addition to eavesdropping, may modify or inject messages, or participate in the swarm while behaving incorrectly. Again, having some form of public key or symmetric key cryptography and using it to authenticate messages and robots would thwart an active outsider. What is more difficult to address is an active insider behaving in a way that subverts the purpose of the swarm. This is the issue we deal with in this paper.

3. Local/global. (How many robots they affect.)
A local adversary can only affect the robots local to it. It has no view of robots not local to it: it does not know whether they are communicating or what they are communicating, nor does it know their behaviour or actions. A global adversary, on the other hand, sees the behaviour of the entire swarm: the behaviour of the robots, and the presence of communication between robots. This class of adversaries appears to be different from the usual kinds of adversaries discussed in the literature (1 and 2) and seems quite pertinent to swarm security. Given that emergent behaviour arises out of local interactions, it may be that a global adversary could coordinate disruptions at different localities to disrupt emergent behaviour more efficiently. Hence, as a defence, we would like to ensure that local behaviours are not disrupted.

Since outsiders can mostly be dealt with using appropriate cryptographic mechanisms we focus here on insider adversaries. Passive insiders would appear to be hard to identify, and we consider what can be done when such adversaries are active.
In dealing with local disruptions we hope to prevent them propagating to disrupt global emergent behaviour.

We consider some examples to illustrate the usefulness of this classification of types of swarms and threats to the swarm.

Suppose we only expect adversaries who are passive outsiders, and suppose our swarm consists of homogeneous robots (1(a) of Section 2.1) with only direct communication between the robots (2(a)). Suppose there is no interaction with central control (3(a)). One simple solution would be to equip each robot with a single encryption key, to prevent eavesdropping.

Suppose however that the adversaries are active outsiders who might attempt to manipulate messages. We could then give each robot, in addition, a single signing key and its certificate, issued by central control prior to deployment. These keys may not expire during the event or the action time.

Another possibility is to deploy our robots with random key predistribution [3]. There is a fixed probability, decided upon before deployment, that two robots can authenticate and communicate with each other. Such a solution is effective against active outsider adversaries. However, it does not allow adaptation if the environment should change. One may ask whether changing one of the conditions might allow more flexibility. Indeed, if a broadcast channel from central control to the robots is made available (3(b)) then one could deploy the broadcast-enhanced key predistribution scheme proposed in [8]:

1. Key predistribution: each robot is given a set of underlying keys prior to deployment. These keys are used only for the encryption and decryption of temporal keys.
2. Periodic broadcast from control to robots after deployment: send temporal keys for use in communication. Temporal keys are encrypted using underlying keys, so that a robot learns a temporal key only if the temporal key is encrypted under an underlying key known to the robot. The distribution of temporal keys can be adjusted according to the desired connectivity and resilience at particular times.
3. Robots discover common keys by broadcasting identifiers of temporal keys.

In addition, if we choose the underlying key predistribution scheme carefully, we would be able to revoke a robot if it is known to be malfunctioning or captured. This gives the swarm some resilience against an active insider adversary. This example was discussed in the “Further Research” section of [10].

It would be interesting to study solutions for specific types of swarm and what might be adapted if certain conditions are tightened or relaxed.
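As an added example, not code from the paper or from [8], the following Python simulation walks through the three steps above and the revocation they enable. Everything in it is an assumption of the example: the pool size, the number of underlying keys per robot, the number of temporal keys per broadcast, and the use of a SHA-256-derived one-time pad in place of a real key-wrapping AEAD.

```python
import hashlib
import os
import random

KEY_LEN = 16


def kdf_pad(underlying_key: bytes, temporal_id: int, epoch: int) -> bytes:
    """Pad derived from (underlying key, temporal key id, epoch); a triple is never reused."""
    data = underlying_key + temporal_id.to_bytes(4, "big") + epoch.to_bytes(4, "big")
    return hashlib.sha256(data).digest()[:KEY_LEN]


def wrap(temporal_key: bytes, underlying_key: bytes, temporal_id: int, epoch: int) -> bytes:
    """Stand-in for key wrapping: XOR with the derived pad (use an AEAD in practice)."""
    pad = kdf_pad(underlying_key, temporal_id, epoch)
    return bytes(a ^ b for a, b in zip(temporal_key, pad))


unwrap = wrap  # XOR with the same pad recovers the temporal key


class Robot:
    def __init__(self, rid: int, underlying: dict):
        self.rid = rid
        self.underlying = underlying  # {key id: underlying key}, installed by CC (step 1)
        self.temporal = {}            # {temporal key id: temporal key}, valid for one epoch

    def receive_broadcast(self, epoch: int, msg: list) -> None:
        """Step 2, robot side: unwrap every temporal key sent under a key we hold."""
        for temporal_id, underlying_id, blob in msg:
            if underlying_id in self.underlying:
                self.temporal[temporal_id] = unwrap(
                    blob, self.underlying[underlying_id], temporal_id, epoch)

    def common_key(self, other: "Robot"):
        """Step 3: temporal key identifiers are public; agree on the lowest shared one."""
        shared = sorted(set(self.temporal) & set(other.temporal))
        return self.temporal[shared[0]] if shared else None


class CentralControl:
    def __init__(self, pool_size: int, keys_per_robot: int, rng: random.Random):
        self.rng = rng
        self.pool = {kid: os.urandom(KEY_LEN) for kid in range(pool_size)}
        self.keys_per_robot = keys_per_robot
        self.revoked = set()          # underlying key ids CC will never wrap under again

    def predistribute(self, rid: int) -> Robot:
        """Step 1: a random subset of the pool, installed before deployment."""
        ids = self.rng.sample(sorted(self.pool), self.keys_per_robot)
        return Robot(rid, {kid: self.pool[kid] for kid in ids})

    def revoke(self, robot: Robot) -> None:
        """A captured robot's underlying keys drop out of every future broadcast."""
        self.revoked |= set(robot.underlying)

    def broadcast(self, epoch: int, n_temporal: int, wraps_per_key: int) -> list:
        """Step 2: n_temporal fresh keys, each wrapped under wraps_per_key live keys.
        More temporal keys or wraps raise connectivity; fewer raise resilience,
        since a captured robot then learns fewer temporal keys."""
        live = sorted(set(self.pool) - self.revoked)
        msg = []
        for tid in range(epoch * 1000, epoch * 1000 + n_temporal):
            tkey = os.urandom(KEY_LEN)
            for kid in self.rng.sample(live, wraps_per_key):
                msg.append((tid, kid, wrap(tkey, self.pool[kid], tid, epoch)))
        return msg


def connectivity(robots: list) -> float:
    """Fraction of robot pairs that share at least one temporal key."""
    pairs = [(a, b) for i, a in enumerate(robots) for b in robots[i + 1:]]
    return sum(a.common_key(b) is not None for a, b in pairs) / len(pairs)


def run(seed: int = 1, n_robots: int = 25, pool_size: int = 100, keys_per_robot: int = 10) -> dict:
    """Epoch 1 with all robots, then revoke robot 0 and broadcast epoch 2 (constructed run)."""
    rng = random.Random(seed)
    cc = CentralControl(pool_size, keys_per_robot, rng)
    robots = [cc.predistribute(i) for i in range(n_robots)]
    captured = robots[0]

    msg1 = cc.broadcast(1, n_temporal=20, wraps_per_key=10)
    for r in robots:
        r.receive_broadcast(1, msg1)
    before = connectivity(robots)
    captured_keys = len(captured.temporal)

    cc.revoke(captured)               # robot 0 reported captured after epoch 1
    for r in robots:
        r.temporal.clear()            # temporal keys expire with their epoch
    msg2 = cc.broadcast(2, n_temporal=20, wraps_per_key=10)
    for r in robots:
        r.receive_broadcast(2, msg2)
    return {"connectivity_before": before,
            "captured_keys_before": captured_keys,
            "captured_keys_after": len(captured.temporal),
            "connectivity_after": connectivity(robots[1:])}


if __name__ == "__main__":
    print(run())
```

The captured robot still holds its underlying keys after revocation, but since central control stops wrapping under them it learns no temporal key of epoch 2, while the remaining robots stay connected through the temporal keys wrapped under the other underlying keys.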
Suppose that our robots are capable of public key cryptography, and are given individual public and private keys. If the public keys are signed by the central control, this guards against external adversaries, though not against internal adversaries. Given that we can now authenticate a robot by its public key, how do we know whether a robot is malfunctioning or corrupt? If we know a robot is malfunctioning or corrupt it can be revoked. There are many solutions to the revocation problem, including revocation lists. However, deciding whether a signer or a signing key should be put into the revocation list is often the trickier problem. In this work, we try to give one solution for how to identify and revoke a bad robot.

However, this on its own may not be sufficient. If a malicious or malfunctioning robot is not filtered out by the step above it could still behave badly to affect its neighbours’ behaviour. What we can do about this is to take some sort of consensus from neighbours. For example, if a robot observes a few neighbours, and one of them behaves in a different way from the others, the robot could decide to follow the majority with some probability and follow the minority with some other probability. What these probabilities are would be up to the engineer of the swarm. Alternatively, a robot could consider another robot more trustworthy if it has encountered that robot regularly in the past, and consider a robot less trustworthy if it has not encountered it before, or only has a report of it from some other robot. Our goal is to ensure that the information gathered by a robot is trustworthy.

By identifying and revoking bad robots with high probability, and preventing bad robots from having too much influence on local behaviour, we can maximise the chances of emergent behaviour.

We assume that robots are capable of public key cryptography and that they are equipped with a hardware clock synchronised before deployment. Clocks may drift and we allow some margin of error. We assume there is a central control which installs all the necessary credentials and algorithms before deployment and has no more contact with the robots after deployment. We also assume the presence of an adversary who is an active insider with a global view, but we assume that the fraction of corrupt and malfunctioning robots is small.

To start with we assume that robots are deployed in one single area such that within some time interval $\Delta$ all robots would have exchanged information with some other robot. We consider a robot suspicious (it might be malfunctioning or it might have been tampered with) if it makes false reports or if it is absent from the system for a certain number of time intervals. We aim to identify this behaviour: when two robots meet they make a record of the encounter, and exchange their history, here meaning a record of which robots they have met in a specified number of past time intervals. We will see that this simple mechanism allows us to achieve our goal with high probability.
We assume that central control has a signature scheme $SS(\mathrm{sig}_{CC}, \mathrm{ver}_{CC})$. Central control is assumed to be trusted. To set up a task for the swarm, it installs all the necessary credentials and algorithms in the robots before deployment and has no more contact with them afterwards until the task is completed.

There are $N$ robots $R_1, \ldots, R_N$. Each robot $R_i$ has:
• a signature scheme $SS(\mathrm{sig}_i, \mathrm{ver}_i)$, and a certificate $\mathrm{cert}_i$ from central control (so each robot has a unique verifiable identity associated with $(\mathrm{ver}_i, \mathrm{cert}_i)$);
• the signature verification algorithm of the central control, $\mathrm{ver}_{CC}$;
• a clock that is capable of measuring time intervals;
• a hash function $h$.

We assume that time is divided into intervals, and the first time interval is $t = 1$. Each robot $R_i$ maintains a signed list for time interval $t$, $\mathrm{Hist}^t_i$, and we set $\mathrm{Hist}^0_i = \emptyset$. Within a time interval $t$ a robot $R_i$ may meet other robots. When it does it records the encounter in $\mathrm{Hist}^t_i$: if $R_i$ meets $R_j$ they exchange their history from the previous time interval, so $R_i$ gives $R_j$ the signed list $\mathrm{Hist}^{t-1}_i$, and $R_j$ gives $R_i$ the signed list $\mathrm{Hist}^{t-1}_j$. They also exchange their authenticated verification algorithms $(\mathrm{ver}_i, \mathrm{cert}_i)$ and $(\mathrm{ver}_j, \mathrm{cert}_j)$. Robot $R_i$ then checks the validity of the signed list $\mathrm{Hist}^{t-1}_j$ it receives by verifying the signature on it. Similarly $R_j$ checks $\mathrm{Hist}^{t-1}_i$. We assume that a time interval is short enough that a robot can only exchange history with its immediate neighbours once.

At the end of time interval $t$, $R_i$ constructs an event list $E^t_i$:
$$E^t_i = \{(R_{i_1}, \mathrm{Hist}^{t-1}_{i_1}),\ (R_{i_2}, \mathrm{Hist}^{t-1}_{i_2}),\ \ldots,\ (R_{i_k}, \mathrm{Hist}^{t-1}_{i_k})\},$$
if $R_i$ encountered robots $R_{i_1}, R_{i_2}, \ldots, R_{i_k}$ in time interval $t$, or $E^t_i = \emptyset$ if it did not encounter any other robots. If any $\mathrm{Hist}^{t-1}_{i_j}$ is missing or does not verify, then the entry $(R_{i_j}, \mathrm{Hist}^{t-1}_{i_j})$ is omitted. A new history list is also constructed:
$$\mathrm{Hist}^t_i = \{E^t_i,\ t,\ \mathrm{Hist}^{t-1}_i,\ \mathrm{sig}_i(h(E^t_i, t, \mathrm{Hist}^{t-1}_i))\}.$$
So each robot constructs a chain of events. At the end of each time interval $t \ge 1$, $R_i$ holds $(E^t_i, \mathrm{Hist}^t_i)$, where $E^t_i$ contains information about events that happened in the time interval $t$, and $\mathrm{Hist}^t_i$ links $E^t_i$ to events that happened in previous time intervals described in $\mathrm{Hist}^{t-1}_i$. In this way $R_i$ has a record of all the robots it has met as well as the robots that these robots claimed to have met. An encounter between two robots $R_i$, $R_j$ in time interval $t$ is accepted if $R_i$ has $\mathrm{Hist}^{t-1}_j$ and $R_j$ has $\mathrm{Hist}^{t-1}_i$.

Based on this record, $R_i$ can analyse the behaviour of each robot to discover a “bad” robot, such as a robot that makes false reports or that disappears for too long. The details of the analysis are given in the next subsection. After analysis, $R_i$ can put bad robots into its local revocation list. The policy on what kind of behaviour leads to revocation would be decided by the engineer of the swarm and is out of the scope of this paper.

After the task of the swarm finishes, the history lists of each robot will be collected by the central control and further analysis will be made. The whole swarm system can benefit from the above information collection during the job. As this procedure is straightforward, we do not discuss it further in the paper.

(We note that robots in collusion may either simply share each other’s private keys, or create lists in advance and distribute them on each other’s behalf. Hence a challenge/response protocol may not add more security. However, while they can always vouch for each other, they cannot pretend to have met honest robots, because those lists have to be signed too.)
We model the activities of the $N$ robots in any time interval $t$ as vertices in a binomial random graph $G_t = G_t(N, p)$, with an edge between vertices if the corresponding robots have exchanged information within that interval, and this happens with probability $p$. We write $E(G_t)$ for the set of edges of $G_t$, and we write $N_{G_t}(R)$ for the set of vertices that are neighbours of $R$ in $G_t$, that is, the set of vertices that share an edge with $R$ in $G_t$. This gives all the robots that $R$ meets in time interval $t$. The expected mean degree of a vertex is $Np$, and this gives the expected number of robots a robot will meet in one interval (see [6]).
Example 4.1 (Numerical example)
In [2] an experiment involving exploration using robots used $N = 25$ robots in a 1 km² area, which gives a robot density of about 1 in 40 000 m². If we consider the area as a 1 km × 1 km square, subdivided into 200 m × 200 m grid cells, with a robot in the centre of each cell, then since the robots were able to communicate at a range of up to 300 m, a robot can see the 8 robots in the neighbouring cells (the farthest, diagonally, at about 283 m), out of 24 other robots, giving $p = 8/24 \approx 0.33$. At the upper end of the experiment, $N = 48$ robots were deployed in a larger area, giving $p \approx 0.17$ using the same assumptions. We run a rudimentary Mathematica program with random graphs of these parameters to confirm our theoretical analysis.
We first discuss correctness of a swarm system and claim that a swarm system as described in Subsection 3.2 has two correctness properties, namely System Correctness and Local Correctness.

System Correctness. Under the assumption that every robot of the swarm is honest, a full collection of all robots’ individual history lists will be a true record of the communications among them.

Proof:
This property can be argued straightforwardly. Let $N$ be the total number of robots in the swarm and $T$ be the total number of intervals during a task. Following the scheme description of Subsection 3.2, the history list made by robot $R_i$, $i \in \{1, 2, \ldots, N\}$, is
$$\mathrm{Hist}^T_i = \{E^T_i,\ T,\ \mathrm{Hist}^{T-1}_i,\ \mathrm{sig}_i(h(E^T_i, T, \mathrm{Hist}^{T-1}_i))\},$$
and the full collection is
$$\mathrm{Hist}^T = \mathrm{Hist}^T_1 \wedge \mathrm{Hist}^T_2 \wedge \cdots \wedge \mathrm{Hist}^T_N.$$
Because all robots are honest, every event where two robots, say $R_i$ and $R_j$, met each other must be recorded in both $\mathrm{Hist}^T_i$ and $\mathrm{Hist}^T_j$, and each robot will correctly report every meeting it was involved in. More specifically, if there is a record of $R_i$ meeting $R_j$ in interval $t$ then $R_i$ did indeed meet $R_j$ in interval $t$ and there is a matching record of $R_j$ meeting $R_i$; and conversely, if $R_i$ met $R_j$ in interval $t$ then there is a record in $R_i$’s (and $R_j$’s) history. Records must be paired. There are neither forged reports nor missing reports. Therefore $\mathrm{Hist}^T$ must be a true record of the communications among all the robots of the swarm, and the theorem follows. ✷

Local Correctness. Under the assumption that every robot of the swarm is honest and that the swarm communication patterns follow a binomial random graph as described at the start of Section 4, after a certain number of time intervals the probability that each robot’s local history list covers more or less the same information as any other individual robot’s record, which is a true record of the communications of the whole swarm during these intervals, is significantly high.

Proof:
Because all the $N$ robots are honest and their communication patterns follow a random graph $G(N, p)$ in every interval, the probability that a robot has no report of another robot within $\Delta$ intervals is $(1-p)^{(1 + (\Delta-1)Np/2)\Delta}$, as calculated in Section 4.4. Since $1 - p < 1$ and the exponent grows quadratically in $\Delta$, this probability tends to 0 rapidly with increasing $\Delta$. Hence the probability that a robot has met all other robots after some $\Delta$ intervals is reasonably high. We can therefore assume that in every $\Delta$ consecutive intervals a robot will meet every other robot and exchange its history list with them at least once. The robot then obtains a full collection of all robots’ individual history lists up to the beginning of these $\Delta$ intervals. By the system correctness argument above, the robot then has a true record of the communications among all the robots of the swarm before that time. So the theorem follows.

To illustrate this property, recall the numerical example in Example 4.1, with $N = 25$, $p = 0.33$ and with $N = 48$, $p = 0.17$. In both cases the probability that a robot has no report of a given other robot after 3 intervals is small, so the probability that a robot has met all other robots in 3 intervals is very high. ✷

4.2 Threat Model

A robot is bad if it makes false reports, or if it disappears for too long. We analyse these two bad behaviours in the following two subsections. We assume that a bad robot has the same capability as a good robot.

Our goals are to prevent bad robots from having too much influence on local behaviour during the execution of the task, and to identify bad robots. The first goal, as discussed in Section 3.1, can be achieved by identifying as many bad robots as we can during and after the execution of the task. To do this, we identify two suspicious behaviours:
1. If a robot disappears for too many intervals we suspect it of either malfunctioning or having been captured and subverted. We aim to identify such a robot.
2. A robot may make false reports in order to make a robot distrust the good robots around it, or to disguise its own or its fellow bad robots’ status.
We aim to prevent framing of good robotsand to detect collusion.We assume that a small fraction α of robots are corrupt or are malfunctioning (“bad”), 0 < α ≪ Suppose R i is a bad robot and wants to make a false report about an honest robot R j . There are twotypes of false reports:1. R i claims to have met R j in time interval t even though it has not.To claim this R i must prove that it has Hist t − j which contains R j ’s signature. This cannot bedone if the signature scheme is secure.Also, if R j does not have Hist t − i in its own Hist tj , a record of the fake meeting between R i and R j at time interval t will not be accepted by other honest robots later. To make the exchangerecord be paired and be accepted by others, R i also needs to let R j record Hist t − i . This cannotbe done by R i itself.Another possibility is that at time interval t ′ > t , some other, possibly corrupt, robot R k passesa legitimate Hist t − j to R i and a legitimate Hist t − i to R j , but R i cannot incorporate Hist t − j intoits history without modifying the hash chains, and this can be detected by other robots. Anyattempt of R k to pass Hist t − i to R j at time t will also be detected by R j when the signature isverified. 13. R i claims not to have met R j in time interval t even though it has, in order to give the impressionthat R j is a suspicious robot and has disappeared for too long.In this case R i simply does not record R j ’s chain Hist t − j . If R i is the only robot to meet R j then it can try to convince other robots that R j has disappeared. 
However, if the expected meandegree N p of the random graph G ( N, p ) is greater than 1 then it is likely that R j would havemet N p − R j .It is possible also that R i refuses to give Hist t − i to R j , but this would make it seem more likelythat R i is suspicious, and would be the correct outcome.Indeed, if we assume that the proportion of bad robots α is small, and we consider a record ofan encounter trustworthy if at least (1 − α ) N p of them are paired, then this sort of attack wouldnot succeed.
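The type-1 false report above is defeated because Hist is a hash chain of signed entries and a meeting counts only when both parties recorded it. The following Python example is added here and is not part of the paper: it builds such a chain for three robots and shows an honest paired exchange verifying, a bad robot's unpaired claim and its fabricated copy of another robot's Hist both being rejected, and a tampered copy of a chain failing verification. The paper does not fix a signature scheme; this example assumes a Lamport one-time signature over SHA-256 (each entry commits to the key that signs the next one) so that it runs with the standard library only. Robot names, the JSON entry layout and the helper names are assumptions of this example.

```python
import hashlib
import json
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signatures over SHA-256. Assumption of this example: the paper fixes
# no signature scheme, so a hash-based one is used to stay standard-library only.
def ots_keygen():
    sk = [os.urandom(32) for _ in range(512)]   # sk[2*i + b] is revealed when digest bit i == b
    pk = b"".join(H(s) for s in sk)             # 512 hashes of 32 bytes each
    return sk, pk


def _digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def ots_sign(sk, msg: bytes) -> bytes:
    return b"".join(sk[2 * i + b] for i, b in enumerate(_digest_bits(msg)))


def ots_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32 or len(pk) != 512 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[64 * i + 32 * b:64 * i + 32 * b + 32]
               for i, b in enumerate(_digest_bits(msg)))


def chain_digest(chain) -> bytes:
    return H(b"".join(entry for entry, _ in chain)) if chain else H(b"empty")


class Robot:
    """Hist is a hash chain: each interval's entry commits to the previous entry, to the
    digest of every Hist received in that interval, and to the key signing the next entry."""

    def __init__(self, rid: str):
        self.rid = rid
        self.sk, self.root_pk = ots_keygen()    # root_pk is the robot's public identity
        self.chain = []                         # [(entry_bytes, signature)], oldest first
        self.prev = H(b"genesis:" + rid.encode())
        self.met = {}                           # peer id -> digest of the Hist it handed over

    def hist(self):
        return list(self.chain)

    def exchange(self, other: "Robot"):
        """A real meeting: both sides record the Hist handed over, so the record is paired."""
        self.met[other.rid] = chain_digest(other.hist()).hex()
        other.met[self.rid] = chain_digest(self.hist()).hex()

    def close_interval(self, t: int):
        next_sk, next_pk = ots_keygen()
        entry = json.dumps({"id": self.rid, "t": t, "prev": self.prev.hex(),
                            "met": sorted(self.met.items()), "next_pk": next_pk.hex()},
                           sort_keys=True).encode()
        self.chain.append((entry, ots_sign(self.sk, entry)))
        self.prev, self.sk, self.met = H(entry), next_sk, {}


def verify_hist(rid: str, root_pk: bytes, chain) -> bool:
    """Accept `chain` as Hist of `rid` only if every link is signed by the key committed
    in the previous link (starting from root_pk) and the hash chain is unbroken."""
    pk, prev, t = root_pk, H(b"genesis:" + rid.encode()), 1
    for entry, sig in chain:
        if not ots_verify(pk, entry, sig):
            return False
        e = json.loads(entry)
        if e["id"] != rid or e["prev"] != prev.hex() or e["t"] != t:
            return False
        pk, prev, t = bytes.fromhex(e["next_pk"]), H(entry), t + 1
    return True


def _met_at(chain):
    return {json.loads(e)["t"]: [r for r, _ in json.loads(e)["met"]] for e, _ in chain}


def is_paired(a_id, a_chain, b_id, b_chain, t) -> bool:
    """A claim that a met b in interval t is accepted only if both chains record it."""
    return b_id in _met_at(a_chain).get(t, []) and a_id in _met_at(b_chain).get(t, [])


def demo():
    """Constructed scenario: in interval 1, A meets B and C meets nobody; C then lies."""
    a, b, c = Robot("A"), Robot("B"), Robot("C")
    a.exchange(b)
    c.met["B"] = "00" * 32          # C writes an unpaired "met B" claim into its own Hist
    for r in (a, b, c):
        r.close_interval(1)
    # C also fabricates a Hist_B entry naming C; it can only sign it with its own key.
    fake = json.dumps({"id": "B", "t": 1, "prev": H(b"genesis:B").hex(),
                       "met": [["C", chain_digest(c.hist()).hex()]], "next_pk": ""},
                      sort_keys=True).encode()
    fake_hist_b = [(fake, ots_sign(c.sk, fake))]
    # A stored copy of A's chain is edited to say that A met C instead of B.
    entry, sig = a.hist()[0]
    tampered = [(entry.replace(b'[["B", ', b'[["C", '), sig)]
    return {
        "honest_chains_verify": verify_hist("A", a.root_pk, a.hist())
        and verify_hist("B", b.root_pk, b.hist()),
        "meeting_paired": is_paired("A", a.hist(), "B", b.hist(), 1),
        "false_claim_paired": is_paired("C", c.hist(), "B", b.hist(), 1),
        "forged_hist_accepted": verify_hist("B", b.root_pk, fake_hist_b),
        "tampered_chain_verifies": verify_hist("A", a.root_pk, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The pairing check is what makes the unilateral claim harmless: C can write anything into its own chain, but B's signed entry for the same interval does not name C, so honest robots that hold both chains discard the record. A Lamport key must be used once, which is why every entry carries the public key for the next interval; a deployment would use a conventional signature scheme and keep the same chain structure.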
Numerical example: We consider the case where a proportion α of the robots do not record encounters with other robots. Our Mathematica program showed that, for N = 25, p = 0.33 and for N = 48, p = 0.17, with a small α, all robots were still reported seen; in the N = 48 case this took ∆ = 4 intervals.

If R_i and R_j are both corrupt, we may assume that they are in collusion and share each other's private keys. In this case R_i may construct a Hist^{t−1}_j and claim that R_j has been seen. Indeed, robots in collusion may vouch for each other, even though they cannot fake uncorrupted robots' lists. However, we can then calculate the probability of a robot meeting another robot: R_i meets R_j with probability p, so R_i meets R_j in all ∆ time intervals with probability p^∆, and if we see that R_i meets R_j too often then we may assume they are in collusion. Numerical example:
With N = 25, p = 0.33 and ∆ = 3 intervals, this gives probability p^∆ ≈ 0.036 for a pair of robots to meet in all 3 time intervals. With N = 48, p = 0.17, the probability is approximately 0.005.

A robot also becomes suspicious if it disappears for too many intervals. For example, consider the probability that a robot R gets a report of another robot R′ within, say, ∆ = 3 time intervals. Write G_1, G_2, G_3 for the random graphs of intervals t = 1, 2, 3, and N_{G_t}(R) for the set of robots R meets in interval t. R gets no report if all of the following hold:

• R does not meet R′ at t = 3, t = 2 or t = 1, that is, (R, R′) ∉ E(G_3), (R, R′) ∉ E(G_2) and (R, R′) ∉ E(G_1). This has probability $(1-p)^3$.
• None of the robots R meets at t = 3 has met R′ at t = 2 or t = 1, that is, (R′′, R′) ∉ E(G_2) ∪ E(G_1) for all R′′ ∈ N_{G_3}(R). This has probability $(1-p)^{2|N_{G_3}(R)|}$.
• None of the robots R meets at t = 2 has met R′ at t = 1, that is, (R′′, R′) ∉ E(G_1) for all R′′ ∈ N_{G_2}(R). This has probability $(1-p)^{|N_{G_2}(R)|}$.

Hence the probability that R has a report of R′ within ∆ = 3 intervals is
$$1 - (1-p)^{3 + 2|N_{G_3}(R)| + |N_{G_2}(R)|} \approx 1 - (1-p)^{3 + 3Np},$$
since R is expected to have degree Np in each interval. If this is sufficiently high, then a legitimate robot would have been seen by some other robot within two time intervals with high probability, and therefore a robot not seen in three time intervals may be regarded as suspicious and blacklisted. In general the probability that R has a report of R′ within ∆ intervals is
$$1 - (1-p)^{\Delta + ((\Delta-1) + (\Delta-2) + \cdots + 1)Np} = 1 - (1-p)^{\left(1 + \frac{(\Delta-1)Np}{2}\right)\Delta},$$
which increases with ∆. Numerical example: Using the same experiment as described above in Section 4.3, with N = 25 and p = 0.33 this gives probability 0.99998 of a robot having a report of another robot within 3 time intervals. With N = 48 and p = 0.17 the probability is 0.99403 within 3 intervals. Our Mathematica program confirms this.
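The two quantities used above, the per-pair collusion indicator p^∆ and the probability of holding a report within ∆ intervals, can be checked by sampling the sequence of G(N, p) graphs directly. The Python script below is an added example, not the authors' Mathematica program: it evaluates the closed-form expressions, runs a Monte Carlo in which full histories are exchanged at every meeting (so reports relay over any number of hops, rather than the direct and one-intermediary paths counted by the closed form), and applies the two tests from the text, blacklisting a robot with no report within ∆ intervals and flagging pairs that met in every interval. The disappeared robot, seeds and trial counts are constructed inputs, and `expected_always_met_pairs` is this example's own arithmetic.

```python
import random
from itertools import combinations


def report_prob(N, p, delta):
    """Closed form from the text: a robot holds a report of another robot within delta
    intervals, counting direct meetings and one-intermediary relays, with probability
    1 - (1-p)^(delta + delta(delta-1)/2 * N p)."""
    return 1.0 - (1.0 - p) ** (delta + delta * (delta - 1) / 2 * N * p)


def collusion_pair_prob(p, delta):
    """A fixed pair meets in every one of delta independent G(N,p) samples w.p. p^delta."""
    return p ** delta


def expected_always_met_pairs(N, p, delta):
    """Assumption of this example (arithmetic, not a figure from the paper): number of
    honest pairs expected to trip the 'met in every interval' test, C(N,2) * p^delta."""
    return N * (N - 1) / 2 * collusion_pair_prob(p, delta)


def sample_graph(N, p, rng, absent=()):
    """One interval as G(N,p); robots in `absent` have disappeared and meet nobody."""
    adj = [set() for _ in range(N)]
    for u, v in combinations(range(N), 2):
        if u not in absent and v not in absent and rng.random() < p:
            adj[u].add(v)
            adj[v].add(u)
    return adj


def simulate(N, p, delta, trials, seed=1, absent=()):
    """Monte Carlo over delta intervals with full history exchange at each meeting.
    Returns, as fractions of trials: robot 0 holding a report of robot 1; robot 0
    blacklisting every absent robot; robot 0 wrongly blacklisting some honest robot;
    and the mean number of pairs that met in every interval."""
    rng = random.Random(seed)
    hits = flagged = wrong = always = 0
    honest = [r for r in range(1, N) if r not in absent]
    for _ in range(trials):
        seen = [set() for _ in range(N)]          # robots each robot has a record of
        every = None                              # pairs that met in every interval so far
        for _t in range(delta):
            adj = sample_graph(N, p, rng, absent)
            edges = {(u, v) for u in range(N) for v in adj[u] if u < v}
            every = edges if every is None else every & edges
            before = [set(s) for s in seen]       # the Hist handed over is the pre-interval one
            for u in range(N):
                for v in adj[u]:
                    seen[u].add(v)                # direct meeting
                    seen[u] |= before[v]          # everything v already had a record of
        hits += 1 in seen[0]
        flagged += all(a not in seen[0] for a in absent)
        wrong += any(r not in seen[0] for r in honest)
        always += len(every)
    return {"report_prob": hits / trials, "absent_flagged": flagged / trials,
            "honest_flagged": wrong / trials, "always_met_pairs": always / trials}


if __name__ == "__main__":
    for N, p in ((25, 0.33), (48, 0.17)):
        print(N, p, round(report_prob(N, p, 3), 5), round(collusion_pair_prob(p, 3), 4),
              round(expected_always_met_pairs(N, p, 3), 1),
              simulate(N, p, 3, trials=200, absent=(N - 1,)))
```

For N = 25, p = 0.33 and ∆ = 3 the closed form gives 0.99998 and the multi-hop simulation gives essentially 1, so a robot with no report after three intervals is blacklisted with negligible risk to honest robots, and a robot that really has disappeared is flagged in every trial. The pairwise collusion indicator is weaker than it looks: p^∆ ≈ 0.036 per pair, but with C(25, 2) = 300 pairs about 11 honest pairs meet in all three intervals (this count is the example's arithmetic, not a figure from the paper), so over ∆ = 3 the test alone would flag far more honest pairs than colluders; a longer window, or a threshold on the number of meetings, is needed before acting on it.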
By modelling a swarm using random graphs, and ensuring that events are recorded securely in a hash chain, we allow robots to identify "bad" robots with high probability, while ensuring that "good" robots are not adversely affected. This goes some way towards protecting emergent behaviour, by limiting the influence of bad robots locally.

Note that here we have restricted ourselves to modelling the swarm as a binomial random graph. Where we want the swarm to aggregate or disperse we may consider sequences of graphs in which the number of edges increases or decreases over time, or in which the likelihood of an edge between two vertices increases or decreases depending on whether there was an edge previously. It will also be interesting to examine the properties of the swarm where bad robots are modified to have additional capability, such as broadcasting ability or a higher communication range, which may be modelled as a subset of vertices with higher connectivity.
Acknowledgement
The authors would like to thank Professor Stefanie Gerke, Mathematics Department, Royal Holloway, University of London, for her assistance in random graphs.