Efficient Node Admission and CertificatelessSecure Communication in Short-Lived MANETsNitesh Saxena, Member, IEEE, Gene Tsudik, Senior Member, IEEE, and Jeong Hyun Yi, Member, IEEE

Abstract—Decentralized node admission is an essential and fundamental security service in mobile ad hoc networks (MANETs). It is

needed to securely cope with dynamic membership and topology as well as to bootstrap other important security primitives (such as

key management) and services (such as secure routing) without the assistance of any centralized trusted authority. An ideal admission

technique must involve minimal interaction among MANET nodes, since connectivity can be unstable. Also, since MANETs are often

composed of weak or resource-limited devices, admission must be efficient in terms of computation and communication. Most

previously proposed admission protocols are prohibitively expensive and require heavy interaction among MANET nodes. In this

paper, we focus on a common type of MANET that is formed on a temporary basis, and present a secure, efficient, and a fully

noninteractive admission technique geared for this type of a network. Our admission protocol is based on secret sharing techniques

using bivariate polynomials. We also present a new scheme that allows any pair of MANET nodes to efficiently establish an on-the-fly

secure communication channel.

Index Terms—Security, distributed access control, authentication, cryptographic protocols, ad hoc networks, mobile network

protocols.

Ç

1 INTRODUCTION

MOBILE ad hoc networks (MANETs) have many well-known applications in military, law enforcement,

emergency rescue, and humanitarian aid environments.However, lack of stable infrastructure and absence ofcentralized control exacerbate security problems in MANETsthus requiring very specialized security services. AdmissionControl (or secure node admission) is a fundamental securityservice in MANETs. It is needed to ascertain membershipeligibility and to bootstrap other important security services,such as secure routing [27], [26] and secure group commu-nication [51], [50].

Secure node admission in MANETs cannot be performedcentrally. This is because a centralized entity is a single pointof failure, which also represents an attractive and high-payoffattack target. Moreover, topology changes due to mobilityand node outages may cause the central entity to beunreachable and thus unable to perform admission controlfor the entire network. This motivates us to investigateadmission techniques that function in a distributed ordecentralized manner. Since our emphasis is on security,the natural technology to consider is threshold cryptography.

The notion of threshold cryptography involves distribut-ing cryptographic primitives (such as decryption or digital

signatures) in order to secure them against corruption of a

certain number of parties, called a threshold. For example, a

ðt; nÞ threshold signature scheme [14] allows a group of n

parties to distribute the ability to digitally sign messages,

such that any t parties can do so jointly, whereas no

coalition of less than t parties can sign. Such a threshold

signature scheme is resilient against the so-called static

adversary who corrupts at most ðt� 1Þ parties in the entire

lifetime of the system.Two features of MANETs make decentralized node

admission a very challenging problem. First, MANET

devices are often limited in terms of computational and

battery power. Second, MANET nodes usually function in

an asynchronous (on/off) manner, often becoming tem-

porarily unavailable. Therefore, an ideal admission protocol

must be efficient in terms of both computation and

communication.1 It must also involve minimal (ideally,

none at all) interaction among nodes.A number of admission techniques, which we will

discuss in the following section, have been proposed in

recent years [30], [29], [33], [32], [36], [44], [45]. Most are

based on ðt; nÞ threshold cryptography and allow any set of

t-out-of-n nodes (called sponsors) to admit a new node by

giving it

1. a share of a group secret (to be used in futureadmissions), and

2. a membership certificate (to be used for securecommunication).

Unfortunately, all previous schemes are far from ideal.

They all involve heavy sponsor interaction, in the process of

either item 1 or 2. Furthermore, they all are computationally

158 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 20, NO. 2, FEBRUARY 2009

. N. Saxena is with the Department of Computer and Information Science,Polytechnic University, Six MetroTech Center, LC228, Brooklyn,NY 11201. E-mail: nsaxena@poly.edu.

. G. Tsudik is with the Department of Computer Science, University ofCalifornia, Irvine, Bren Hall, 3rd Floor, Irvine, CA 92697-3435.E-mail: gts@ics.uci.edu.

. J.H. Yi is with the School of Computing, Soongsil University, 511 Sando-dong, Dongjak-gu, Seoul, 156-743, Korea. E-mail: jhyi@ssu.ac.kr.

Manuscript received 6 Sept. 2007; revised 29 Mar. 2008; accepted 1 May2008; published online 9 May 2008.Recommended for acceptance by A. Boukerche.For information on obtaining reprints of this article, please send e-mail to:tpds@computer.org, and reference IEEECS Log Number TPDS-2007-09-0306.Digital Object Identifier no. 10.1109/TPDS.2008.77.

1. Communication is directly related to the consumption of batterypower in MANET devices [1].

1045-9219/09/$25.00 � 2009 IEEE Published by the IEEE Computer Society

expensive in performing item 2. This severely limits theirpracticality.

Another common feature of prior techniques is therequirement that each new node be issued a certificate anda secret share, in a distributed manner. However, unlikewired networks, many MANETs are formed on a temporarybasis. Examples include: a MANET formed for the durationof a conference program committee meeting (typically, oneday), or a MANET formed by a group of rescuers in adisaster relief effort, as they remain in close proximity. Weclaim that such MANETs can benefit from much moreefficient admission techniques, without sacrificing security.In particular, we observe that, in temporary MANETs, nodeadmission can be realized by only issuing a node-specificsecret share—item 1 above—and thus obviating the needfor expensive membership certificate issuance. This point isdiscussed in more detail in Section 5.

Contributions. The contribution of this work is twofold:First, we present a secure, efficient, and fully noninteractiveadmission protocol for temporary MANETs. It is con-structed using secret sharing techniques based on bivariatepolynomials. In contrast with prior work, our protocoleschews interaction and avoids any costly reliable broad-casts among admission sponsors. Second, we present atechnique for setting up on-the-fly secure communicationchannels among MANET nodes. In particular, we showhow to perform public key operations without any nodecertificates. This is achieved by using verifiable polynomialsecret sharing as a key distribution scheme and treatingsecret shares as private keys. We thoroughly evaluate ourproposal via real experiments and show that it comparesvery favorably to previous work.

Organization. The rest of this paper is organized asfollows: We first review prior work in Section 2. Section 3describes some preliminaries. The generic admission pro-tocol is presented in Section 4, followed by the (inefficient)approach based on univariate polynomial secret sharing(UniAC) in Section 5. We then describe, in Section 6, theadmission protocol based on bivariate polynomial secretsharing (BiAC) and accompanying techniques for establish-ing pairwise secure communication channels. Securityarguments are presented in Section 7. Then, Section 8,describes another realization of our proposal that usesidentity-based cryptography. Finally, performance resultsare presented in Section 9.

2 RELATED WORK

We now overview relevant prior work in MANET security.Zhou and Haas [55] first suggested the use of thresholdcryptography for MANET security. The idea was todistribute trust among MANET nodes such that no lessthan a certain threshold is trusted. The key element in [55] isa distributed Certification Authority (CA), which issuescertificates (using a threshold signature [14] protocol) tonodes joining the network. Although attractive, this idea isnot directly applicable for MANET node admission. Theapproach is hierarchical in the sense that only select nodescan serve as components of the CA, i.e., take part inadmission decisions. Moreover, contacting distributed CA

nodes in a multihop and ever-changing MANET is notalways possible.

Kong et al. considered the same problem in a series ofpapers [30], [29], [33], [32] and proposed a set ubiquitousand robust admission protocols. The security of theseadmission mechanisms relies upon a special variant of theproactive threshold RSA signature scheme. Unfortunately,this scheme is neither robust [36] (i.e., it cannot toleratemalicious nodes) nor secure [28]. We note that, thus far, allattempts to construct secure MANET admission protocolsfrom secure threshold/proactive RSA signature schemeshave failed [47].

Recently, Narasimha et al. [36] and Saxena et al. [45]proposed similar admission protocols based on two kindsof discrete-logarithm-based threshold signatures: thresholdDSA [18] and threshold BLS [8], respectively. Whileprovably secure, both solutions are inefficient. Of all knowndiscrete-logarithm-based threshold signature schemes, i.e.,threshold DSA [18], threshold Schnorr [52], and thresholdBLS [8], only the last is noninteractive. However, theadmission protocol in [45] that uses threshold BLS stillrequires some interaction.

To summarize, both heavy interaction and costly crypto-graphic computation make prior techniques overly expen-sive for many MANET applications.

In contrast, the admission technique developed in thispaper is designed for short-lived MANETs and is com-pletely noninteractive. It uses secret sharing based on theso-called bivariate polynomials, which have been employedfor related purposes in the literature [6], [35], [7]. Inparticular, Liu and Ning [31] presents a key predistributionscheme for sensor networks using bivariate polynomials [7]in the presence of a centralized authority. The protocol wepropose is fully distributed and allows MANET nodes toreadily and efficiently share pairwise secret keys withoutany centralized support.

3 PRELIMINARIES

3.1 Computation, Communication, and AdversaryModel

We operate in the standard model of threshold cryptogra-phy and distributed algorithms known as synchronousreliable broadcast coupled with the static adversary [19].This model involves nodes equipped with synchronizedclocks.2 We assume the existence of a naming system thatpreassigns each node with a unique identifier. We alsoassume that it is computationally hard for an adversary toforge identities.

We assume the existence of an online trusted publicrepository where the MANET-wide public key is stored.The nodes (both inside and outside the MANET) areconnected by weakly synchronous communication networkoffering point-to-point channels and reliable broadcast.3 To

SAXENA ET AL.: EFFICIENT NODE ADMISSION AND CERTIFICATELESS SECURE COMMUNICATION IN SHORT-LIVED MANETS 159

2. Clock synchronization is needed for system initialization with thedistributed key generation protocol, such as [19]. The node admissionprotocol that we propose in this paper, on the other hand, does not requireany synchrony.

3. The reliable broadcast channel is needed to ascertain the verifiabilityof shares distributed during the distributed key generation protocol, suchas [19].

interact with a node in the network, an outsider must firstretrieve the group public key from the repository.

We consider the presence of the so-called “static”adversary, who at the beginning of system lifetime (i.e.,statically) schedules up to t < n=2 arbitrarily maliciousfaults among n MANET nodes. Such an adversary is said to“break” our scheme if it breaks the underlying nodeadmission, key establishment, signature, or encryptionschemes with respect to standard notions of security.

3.2 Discrete Logarithm Setting and UnderlyingAssumptions

In this paper, we work in the standard discrete logarithmsetting: p and q are large primes such that q divides p� 1and g denotes a generator of subgroup Gq of order q in ZZ�p.The primary cryptographic assumptions our protocols arebased upon are given as follows:

Assumption 1 (DL: Discrete logarithm). Informally, DLassumptions means that it is infeasible to compute x 2 Zq,given ðp; q; g; gxÞ.

Assumption 2 (CDH: Computational Diffie-Hellman).Informally, CDH assumption means that it is infeasible tocompute gxy, for x, y 2 Zq, given ðp; q; g; gx; gyÞ.

3.3 Random Oracle Model

Some of our proofs of security are in the standard, the so-called Random Oracle Model (ROM) [3]. Informally, thismeans that the hash functions that we use are treated asideal random functions. Doing security analysis in the ROMmodel effectively means that our proofs will consider onlysuch attacks on the cryptographic schemes we proposewhose success does not change if the fixed hash functionlike MD5 or SHA in these schemes are replaced with trulyrandom functions.

3.4 Verifiable Secret Sharing

We use Shamir’s secret sharing scheme [49], which isbased on polynomial interpolation. To distribute sharesamong n nodes, a trusted dealer chooses a large prime qand selects a polynomial fðzÞ over ZZq of degree t� 1 suchthat fð0Þ ¼ x. The dealer computes each node’s share xisuch that xi ¼ fðidiÞmod q and securely transfers xi tonode Pi. Then, any group of t nodes who have theirshares can recover the secret using the Lagrange inter-polation formula: x ¼ fð0Þ ¼

Pti¼1 xi�ið0Þ ðmod qÞ, where

�iðzÞ ¼Qt

j¼1;j6¼iz�idjidi�idj ðmod qÞ.

Intuitively, the secret sharing idea comes from the factthat to recover a t� 1 degree polynomial, one needs toknow t points on the polynomial. The knowledge of lessthan t points cannot be used to learn the polynomial.

The idea of Verifiable Secret Sharing (VSS) [16] allowsnodes to validate the correctness of the received shares.VSS setup involves two large primes p and q, and anelement g 2 ZZ�p chosen in a way that q divides p� 1 and g isan element of ZZ�p, which has order q. The dealer computescommitment to the coefficients ai ði ¼ 0; . . . ; t� 1Þ of thesecret sharing polynomial in the form of witnessesWi ði ¼ 0; . . . ; t� 1Þ, such that Wi ¼ gai ðmod pÞ, and pub-lishes these Wi’s in some public domain (e.g., a directoryserver). The secret share xi can be validated by checkingthat gxi ¼

Qt�1j¼0ðWjÞidi

j

ðmod pÞ.

3.5 Schnorr Signature Scheme

The private key is x, chosen at random in ZZq. The public keyis y ¼ gx ðmod pÞ. A Schnorr’s signature [48] on message mis computed as follows: The signer picks a one-time secret kat random in ZZq and then computes s ¼ kþ cx ðmod qÞ,c ¼ Hðm; rÞ, and r ¼ gk ðmod pÞ. Signature ðc; sÞ can bepublicly verified by computing r ¼ gsy�c ðmod pÞ and thenchecking if c ¼ Hðm; rÞ.

3.6 ElGamal Encryption Scheme

We use a variant of ElGamal Encryption [15], called HashedElGamal [5]. For a private and public key pair ðx; yÞ, theencrypter chooses a random r 2 ZZq and computes theciphertext ðc1; c2Þ, where c1 ¼ gr ðmod pÞ, and c2 ¼ m�HðyirÞ (� denotes the bit-wise XOR operator). The plaintextcan be obtained by computing c2 �Hðcxi1 Þ from theciphertext ðc1; c2Þ.

4 GENERIC ADMISSION PROTOCOL

The notation used in the rest of this paper is summarized inTable 1.

Distributed node admission can be generally describedas follows: At some point in time, all current MANETnodes: P1; . . . ; Pn share a secret x in a distributedmanner—each Pi has its own secret share xi. The require-ment is that any t� 1 (where t is a security parameter)secret shares do not yield any information about the secretx, whereas any t secret shares completely define x. Now, anew node Pnþ1 needs to be admitted to the group andexisting nodes need to supply Pnþ1 with its secret sharexnþ1 such that the new set: x1; x2; . . . ; xn; xnþ1 satisfies thesame requirement.

Definition 1 (node admission protocol). Let � be the set ofcurrent nodes fP1; . . . ; Png, where each Pi has xi, as above.Let � � � be any subset of t nodes and Pnþ1 be a newnode. The process by which Pnþ1 acquires its secret sharexnþ1 from � is called a (distributed) node admissionprotocol. This protocol needs to have the following threeproperties:

1. Correctness: if all nodes follow the protocol correctly,Pnþ1 successfully acquires xnþ1, and the new set ofsecret shares x1; x2; . . . ; xn; xnþ1 satisfies the samerequirement: any subset of t� 1 secret shares does not

160 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 20, NO. 2, FEBRUARY 2009

TABLE 1Notation Used in the Rest of This Paper

yield any information about x, while any subset oft secret shares yields x.

2. Security: the protocol does not leak any information

about neither the secret share of any existing node

(that takes part in the admission protocol) nor the

secret x, even to an adversary who has corrupted at

most t� 1 existing nodes.3. Robustness: if any malicious nodes that participate in

the protocol try to disrupt the protocol by providing

incorrect values, the new node can detect them.

The basic operations of a generic admission protocol are

composed of the following steps:

1. Bootstrapping: The group is initialized by either atrusted dealer or a set of founding nodes. The dealer ora set of founding nodes chooses the group secret key,then computes and publishes the correspondingpublic parameters. The group secret is shared amongthe initial member nodes using either Shamir’s secretsharing [49] or Joint Secret Sharing (JSS) [19] techni-ques. The share of the group secret held by each node iscalled its secret share.

2. Node Admission: A prospective new nodePnþ1 must be

issued its secret share by current nodes. Fig. 1 gives a

high-level view of admission protocol. Note that,

depending on the underlying cryptographic techni-

que, this step may involve multiple rounds and/or

coordination among nodes who commit to Pnþ1.

. Pnþ1 initiates the admission protocol by sendinga JOIN_REQ message to the group.

. A node that receives JOIN_REQ message andapproves the admission of Pnþ1 replies, over a

secure channel,4 with a partial secret share for

Pnþ1 derived from its own secret share.. Once Pnþ1 receives partial shares from at least

t different sponsors, it pools them together tocompute its new secret share.

. Finally, to achieve robustness, Pnþ1 verifies itsnew secret share. (This is needed since amalicious sponsor can sabotage admission ofPnþ1 by providing incorrect partial secret shares,leading to a denial-of-service (DoS) attack.) Thisfeature is called verifiability. Also, if Pnþ1 detectsthat its new secret share is invalid, it must beable to trace the bogus share(s) and thecorresponding malicious sponsor(s). This func-tionality is provided by the so-called traceabilityfeature. We note that verifiability is alwaysrequired, whereas traceability is only necessaryif a new node detects that its freshly recon-structed secret is invalid.

Once admitted, Pnþ1 becomes a genuine MANET

node (group member). Thereafter, the following

operations are needed to enable secure communica-

tion among nodes:3. Pairwise Key Establishment: This is needed to secure

communication between any pair of nodes, e.g., asrequired by secure routing protocols, such asAriadne [27].

4. Signing: This is required in cases when nonrepudia-tion is needed, e.g., as in ARAN secure routingprotocol [13], and in general, when a single messageneeds to be multicasted or broadcasted in anauthenticated manner.

5. Encryption: This is needed to allow outside entities tocommunicate securely with MANET nodes. Forexample, in a MANET where nodes function asmobile sensors, a base station might want to issue aconfidential query for a particular node (or a setthereof) to obtain measurements.

5 UniAC: PREVIOUS METHODS

As mentioned earlier, unlike wired networks, many

MANETs involve temporary operation and can benefit

from more efficient admission techniques, without sacrifi-

cing security. In such settings, we can consider only a static

adversary, and therefore, secret shares need not to be

periodically updated (as in the so-called proactive update

protocols, e.g., [24]). Therefore, the secret sharing poly-

nomial remains constant throughout the lifetime of the

MANET and the commitment to this polynomial can act

as the group public key. The commitment to each node’s

secret share is derivable from (and, thus, automatically

bound to) the group public key. Therefore, node-specific

membership certificates are not needed. Nodes can use their

secret shares (and/or the group public key) to secure

communication among themselves.Previous MANET admission techniques [30], [29], [33],

[36], [44], [45] constructed using the mobile adversary

model can be adapted for our purposes by removing the

unneeded certificate issuance procedure. In this section, we

briefly describe how to adapt these protocols. Since these

protocols are all based on univariate polynomial secret

sharing, we refer to them collectively as: Univariate

Admission Control (UniAC).

SAXENA ET AL.: EFFICIENT NODE ADMISSION AND CERTIFICATELESS SECURE COMMUNICATION IN SHORT-LIVED MANETS 161

Fig. 1. Overview of node admission protocol. P and M indicates

(honest) network node and malicious node, respectively.

4. One way to set up a secure (secret and authenticated) channel betweenPnþ1 and each sponsor is with device pairing techniques based on out-of-band (OOB) channels [34], [23], [43], [53]. Alternatively, if Pnþ1 and eachsponsor have a common trusted CA, a secure channel can be triviallyestablished using any secure authenticated key agreement protocol, e.g.,[54]. Our admission protocol allows Pnþ1 to establish secure channels withany node, once it establishes secure channels with any subset of t nodes.Since all communication between Pnþ1 and sponsors in the admissionprotocol flows over secure channels, “man-in-the-middle” attacks areprevented.

5.1 Bootstrapping

The system can be initialized by a trusted dealer TD or aset of founding nodes. As in Shamir’s secret sharing [49]based on univariate polynomials, the TD (or foundingnodes) choose(s) a large prime q and select(s) apolynomial fðzÞ ¼

Pt�1i¼0 aiz

iðmod qÞ such that fð0Þ ¼ x,where ai’s are the coefficients of the polynomial, q is alarge prime, and x is the group secret. The TD computeseach node’s secret share xi such that xi ¼ fðidiÞðmod qÞ,and securely transfers xi to node Pi. TD also publishes acommitment to the polynomial as in VSS.

5.2 Node Admission

During the admission protocol (see Fig. 2), Pnþ1 is given theshuffled partial secret share as ~x

ðjÞnþ1 ¼ xj�jðidnþ1Þ þRj�jð0Þ

by a sponsoring node Pj. Upon receiving partial sharevalues from t admitting nodes, Pnþ1 obtains its secret sharexnþ1 by simply summing up the partial shares, performingVSS and, if needed, the traceability procedure. (See [11] fordetails regarding the actual computation involved in theseprocedures.)

Note that, in order to compute Lagrange coefficients�jðidnþ1Þ in step 5, t sponsors need to be aware of eachother’s id’s. Also, since �jðidnþ1Þ’s are publicly known, Pnþ1

can derive xj from xðjÞnþ1. This is prevented by using the Joint

Zero Secret Sharing technique [47], which entails adding anextra random value Rj to each share. Rj’s are securelyshared between sponsors Pi and Pj and sum up to zero, byconstruction. This process—called Random Shuffling—isillustrated in Fig. 3a.

Note that, due to �jðidnþ1Þ computation and RandomShuffling, the admission protocol involved heavy interaction

among t sponsors: Oðt2Þ point-to-point and OðtÞ reliablebroadcast messages [10]. This overhead is impractical formost MANETs.

5.3 Pairwise Key Establishment

Any pair of genuine nodes Pi, Pj can establish a shared

secret key using their respective secret shares xi, xj and

public VSS information. Pi computes the public key yj of Pj

(only knowing its identifier idj) as yj ¼Qt�1

l¼0ðWlÞidjl

ðmod pÞfrom public witness values, and exponentiates the result

with its share xi to obtain key kij ¼ yjxi ¼ ðgxjÞxi ðmod pÞ.Similarly, Pj computes yi ¼

Qt�1k¼0ðWkÞidi

k

ðmod pÞ and ex-

ponentiates it with xj to obtain kji. Since kij = kji, Pi and Pj

can use Kij ¼ HðkijÞ ¼ HðkjiÞ, as a session key for secure

communication.This key establishment procedure is secure under the

CDH assumption. In other words, an adversary whocorrupts at most ðt� 1Þ nodes cannot compute a sharedkey between any pair of honest nodes (as long as the CDHassumption holds). A more detailed security argument canbe found in [42].

5.4 Signing

To sign a message m, Pi (who has a secret share xi) picks a

random secret k 2 Zq and computes r ¼ gk ðmod pÞ. It then

outputs the signature as a pair ðc; sÞ, where c ¼ Hðm; rÞ and

s ¼ kþ cxi ðmod qÞ. In order to verify the above signature

ðc; sÞ, a recipient first computes Pi’s public key yi ¼Qt�1l¼0ðWlÞidi

l

ðmod pÞ and verifies whether c ¼ Hðm; rÞ,where r ¼ gsyi�c ðmod pÞ. The security of this scheme is

discussed in [42].

5.5 Encryption

To encrypt a message m for Pi, the encrypter computes Pi’s

public key yi ¼Qt�1

j¼0ðWlÞidil

ðmod pÞ, chooses a random

r 2 ZZq, and then sends a pair ðc1; c2Þ to Pi, where

c1 ¼ gr ðmod pÞ, c2 ¼ m�HðyirÞ, and � denotes the bit-wise

XOR operation. Pi decrypts by computing c2 �Hðcxi1 Þ from

162 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 20, NO. 2, FEBRUARY 2009

Fig. 2. UniAC admission protocol. To secure the protocol against replay

attacks, appropriate nonces or timestamps and protocol message

identifiers need to be included in each step. However, we omit these

values to keep our description simple.

Fig. 3. Comparison of UniAC and BiAC. In UniAC, due to Lagrange interpolation, t sponsors need to be aware of each other’s id’s and random

shuffling is required. In contrast, BiAC requires neither. (a) UniAC. (b) BiAC.

ciphertext ðc1; c2Þ. Once again, the security of this scheme is

analyzed in [42].

6 BiAC: NONINTERACTIVE NODE ADMISSION

We now propose a new noninteractive admission protocol

based on secret sharing with bivariate polynomials. We call

it BiVariate Admission Control (BiAC).

6.1 Overview

As shown in Fig. 3b, we avoid interaction among sponsors

by using a bivariate polynomial fðz; yÞ.To distribute shares among n nodes, a trusted dealer TD

chooses a large prime q and selects a random symmetric

bivariate polynomial fðz; yÞ ¼Pt�1

�¼0

Pt�1�¼0 f��z

�y� ðmod qÞsuch that fð0; 0Þ ¼ x, where the constants f��’s are the

coefficients of the polynomial, and x is the group secret.

Since the polynomial is symmetric, f�� ¼ f�� for each �, �,

and fðz; yÞ ¼ fðy; zÞ. For each node Pi, TD computes a

univariate polynomial, called a share polynomial, xiðzÞ of

degree ðt� 1Þ such that xiðzÞ ¼ fðz; idiÞ ðmod qÞ, and se-

curely transfers xiðzÞ to each node Pi. Note that, after

initializing at least t nodes, the dealer is no longer needed.In order to admit Pnþ1, each sponsor must issue to it a

share polynomial xnþ1ðzÞ in a distributed manner. This is

achievable if at least t sponsors supply Pnþ1 with partial

shares xjðidnþ1Þ such that xjðidnþ1Þ ¼ fðidnþ1; idjÞ for

j 2 ½1; n�. Pnþ1 can then compute fðidnþ1; zÞ (which is

identical to fðz; idnþ1Þ since fðz; yÞ is symmetric) and, thus,

obtain its share polynomial xnþ1ðzÞ ¼ fðz; idnþ1Þ from

t partial shares xjðidnþ1Þ.Unlike UniAC, this scheme does not require any interac-

tion among sponsors.

6.2 Bootstrapping

The group is initialized by either a single node (centralized

initialization) or a set of nodes (decentralized initialization).

1. Centralized Initialization. TD computes a 2D sharingof the secret by choosing a random bivariatepolynomial:

fðz; yÞ ¼Xt�1

�¼0

Xt�1

�¼0

f��z�y� ðmod qÞ ð1Þ

such that fð0; 0Þ ¼ x, for the group secret x. TD

computes W�� ð�; � 2 ½0; t� 1�Þ, called witnesses:

W�� ¼ gf�� ðmod pÞ ð2Þ

and places W��’s into a public repository. Once

TD computes the witness matrix, it sends each

Pi ði 2 ½1; n�Þ a distinct share polynomial: xiðzÞ ¼fðz; idiÞ. TD’s presence is no longer needed after

this initialization phase.2. Decentralized Initialization. Assuming a set of t or more

founding nodes. These t nodes agree on a random

bivariate polynomial fðz; yÞ using the JSS protocol.

6.3 Node Admission

To join the group, Pnþ1 must collect at least t partial sharesof the polynomial. Fig. 4 shows the protocol messages.

1. Same as step 1 in Section 5.2. After verifying the signature of the JOIN_REQ

message, each prospective sponsor Pi who wantsto admit Pnþ1 computes a partial share xiðidnþ1Þusing its own share polynomial , such thatxiðidnþ1Þ ¼ fðidnþ1; idiÞ.Pi then replies to Pnþ1 with a JOIN_RLY message.

Each JOIN_RLY is signed by the sender and containsencrypted xiðidnþ1Þ along with idi and PKi.

To compute their partial shares, sponsors do notneed to be aware of each other, which avoidsinteraction. This is unlike UniAC, where each sponsorneeds know about all other sponsors in order tocompute the Lagrange coefficient in partial shareissuance.

3. Upon receiving t0ð� tÞ JOIN_RLY messages, Pnþ1

selects any t of them and computes its own sharepolynomial xnþ1ðzÞ using standard Gaussian elim-ination [41]. We denote the share polynomialxnþ1ðzÞ reconstructed by Pnþ1 as

Pt�1�¼0 A�z

�. Sincexiðidnþ1Þ ¼ xnþ1ðidiÞ, due to the symmetry, theselected t partial shares fxnþ1ðid1Þ; . . . ; xnþ1ðidtÞgcan be represented as

A0 þA1id1 þA2id12 þ � � � þAt�1id1

t�1 ¼xnþ1ðid1ÞA0 þA1id2 þA2id2

2 þ � � � þAt�1id2t�1 ¼xnþ1ðid2Þ

..

.

A0 þA1idt þA2idt2 þ � � � þAt�1idt

t�1 ¼xnþ1ðidtÞ:

Thus, the problem of interpolating xnþ1ðzÞ usingtxiðidnþ1Þ’s is equivalent to the problem of computing amatrix A, such that XA ¼ B:

ðid1Þ0 � � � ðid1Þt�1

ðid2Þ0 � � � ðid2Þt�1

..

.� � � ..

.

ðidtÞ0 � � � ðidtÞt�1

26664

37775

A0

A1

..

.

At�1

26664

37775 ¼

xnþ1ðid1Þxnþ1ðid2Þ

..

.

xnþ1ðidtÞ

26664

37775:

The above system of linear equations yields a uniquesolution since idi values are distinct and matrix X ¼ ½xij�,where xij ¼ ðidiÞj�1 for all i, j 2 ½0; t�, is invertible.

In order to validate the acquired share polynomial xnþ1ðzÞ,Pnþ1 must perform the following verifiability procedure:

A� ¼Xt�1

�¼0

f��ðidnþ1Þ� ð3Þ

SAXENA ET AL.: EFFICIENT NODE ADMISSION AND CERTIFICATELESS SECURE COMMUNICATION IN SHORT-LIVED MANETS 163

Fig. 4. BiAC admission protocol (no interaction among Pi ’s is required).

for � 2 ½0; t�1�. Using the public witness values W�� ¼gf�� ðmod pÞ, the polynomial can be verified as follows:

gA� ¼Yt�1

�¼0

ðW��Þðidnþ1Þ� ðmod pÞ ð4Þ

for � 2 ½0; t� 1�.The right-hand side in this equation can be precomputed

by Pnþ1 prior to starting the admission process.If verification fails, Pnþ1 must trace the faulty share(s)

via the traceability procedure. This involves verifying thevalidity of each partial share xiðidnþ1Þ ¼ fðidnþ1; idiÞ asfollows:

gxiðidnþ1Þ ¼Yt�1

�¼0

Yt�1

�¼0

ðW��Þðidnþ1Þ�ðidiÞ� ðmod pÞ: ð5Þ

Note thatQt�1

�¼0ðW��Þðidnþ1Þ� in the this equation can be

precomputed since W��’s and idnþ1 are known to Pnþ1 in

advance.

6.4 Pairwise Key Establishment

Once every node has its share polynomial, pairwise key

establishment is the same as in [7] and [31]. Any pair of

nodes Pi and Pj establish a shared key as follows: Pi uses its

share polynomial fðz; idiÞ to compute Kij ¼ fðidj; idiÞ.Similarly, Pj uses its fðz; idjÞ to compute Kji ¼ fðidi; idjÞ:Since fðz; yÞ is symmetric, Kij ¼ Kji. Thus, Pi and Pj share a

secret key usable for subsequent secure communication.

6.5 Signing

In the context of BiAC, signing is very similar to that in UniAC.

The only difference is that, when generating a signature, the

secret key of Pi is xi ¼ xið0Þ ¼ fð0; idiÞ. Pi’s public key yi ¼gxi ðmod pÞ is computed using VSS witnesses and node

identifier idi asyi ¼Qt�1

�¼0ðW0�Þid�i ðmod pÞ. The actual signing

is done using Schnorr’s signature scheme; it is denoted as

BiAC-Sig.

6.5.1 Signing

To sign a message m, Pi (having a private key xi) picks a

random secret k 2 Zq and computes r ¼ gk ðmod pÞ. It then

outputs the signature as a pair: ðc; sÞ, where c ¼ Hðm; rÞ and

s ¼ kþ cxi ðmod qÞ.

6.5.2 Verification

To verify a signature ðc; sÞ, a recipient first computes the

public key yi of the signer Pi as yi ¼Qt�1

�¼0 ðW0�Þid�i ðmod pÞ

and verifies whether c ¼ Hðm; rÞ, where r ¼ gsyi�c ðmod pÞ.The security of this scheme is discussed in Section 7.

6.6 Encryption

We use the hashed ElGamal encryption scheme (describedin Section 3.6) and refer to it as BiAC-Enc.

6.6.1 Encryption

To encrypt a message m for Pi, the encrypter first obtains

Pi’s public key yi ¼Qt�1

�¼0ðW0�Þid�i ðmod pÞ, picks a random

r 2 ZZq, and finally computes c1 ¼ gr ðmod pÞ and c2 ¼m�HðyirÞ. It then sends ðc1; c2Þ to Pi.

6.6.2 Decryption

Pi recovers m by computing c2 �Hðcxi1 Þ from ciphertextðc1; c2Þ.

The security argument of this scheme is discussed inSection 7.

7 SECURITY ARGUMENTS

We now discuss security arguments for BiAC nodeadmission and pairwise key establishment.

7.1 BiAC Node Admission

As shown in Section 6.3, BiAC satisfies both “correctness”and “robustness” properties. Security of BiAC protocol isbased on the DL assumption, as long as the adversarycannot corrupt more than ðt� 1Þð< n=2Þ nodes. We brieflysketch out this argument. Basically, as in the well-knownFeldman’s VSS [16], we use simulated adversarial view toshow that an adversary, who corrupts at most ðt� 1Þ nodes,learns nothing (other than the witness gx ðmod pÞ) about thesecret x, during the initialization and admission proceduresof the scheme. This is achieved by generating a simulatorthat, on input gx ðmod pÞ, produces public information andprivate information to the adversary that is statisticallyindistinguishable from the one produced in the actualexecution of these procedures.

7.2 BiAC Pairwise Key Establishment

Unlike pairwise key establishment in UniAC (for whichsecurity is based on the CDH assumption), security of BiACpairwise key establishment described in Section 6.4 isunconditional, i.e., not based on any complexity assump-tion. Detailed security arguments for this claim can befound in [7].

7.3 BiAC Signing

We argue that BiAC-Sig remains secure against thestandard notion of existential forgery under chosen mes-sage attack (CMA) [21] in ROM [3] as long as the DLassumption holds. Note that BiAC-Sig is different fromregular signatures in the sense that: 1) nodes generatesignatures with related (and not completely independent)secret keys and 2) the adversary knows at most t� 1 ofthese secret keys.

Theorem 1 (security of BiAC-Sig). Under the DL assumptionin ROM, as long as the adversary corrupts no more thant� 1 nodes, BiAC-Sig is secure against the chosen-messageattack for every remaining uncorrupted node.

The proof of the above theorem can be found inAppendix A.

7.4 BiAC Encryption

We show that BiAC-Enc is secure with respect to thestandard notion indistinguishability, as long as the DLassumption holds. Indistinguishability [20] is defined as thefollowing game: the adversary, who is given the public key,outputs two challenge messages. Next, one of these messagesis encrypted and given back to the adversary. The adversaryis said to win the game if he can determine—with probability

164 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 20, NO. 2, FEBRUARY 2009

nonnegligibly over 0.5—which of the two messages wasencrypted.

The indistinguishability notion was originally gearedfor a single node scenario, where multiple messages areencrypted for that one node. To capture the security ofBiAC-Enc (where we have multiple nodes and messagesare encrypted using related keys), we adopt the multinodeindistinguishability notion of Baudron et al. [2] andBellare et al. [4]. In this notion, the game is given asfollows: first, the adversary is given n public keysðPK1; . . . ; PKnÞ of all nodes. The adversary then outputstwo vectors of n messages M0 ¼ fm01; . . . ;m0ng andM1 ¼ fm11; . . . ;m1ng, which might be related or the same,as challenges. One of the vectors Mb (b is 0 or 1) is thenencrypted with n public keys (the order of the encryptionis preserved, i.e., mbi is encrypted with PKi). Theadversary wins the game if it succeeds—with probabilitynonnegligibly over 0.5—to determine which message wasencrypted. It has been shown in [4] and [2] that anencryption scheme secure in the sense of single-nodeindistinguishability is also secure in the sense of multi-node indistinguishability.

Theorem 2 (security of BiAC-Enc). Under the CDHassumption in ROM, as long as the adversary corrupts nomore than t� 1 nodes, BiAC-Enc is secure in terms ofmultinode indistinguishability.

The proof of this theorem can be found in Appendix B.

8 COMPARISON WITH ID-BASED CRYPTOGRAPHY

One interesting side effect of the discussion in Sections 7.3and 7.4 is that BiAC-Sig and BiAC-Enc can be viewed asidentity-based signature and encryption schemes, respec-tively. Basically, a trusted center provides each node with asecret value (VSS share, in our case) derived from thatnode’s unique identifier and publishes the VSS informationas its public key. Knowing the identifier of a particular nodeand the public key of the trusted center, one can sendencrypted messages and verify signatures. This is equiva-lent to IBE [9] and ID-based signatures [12], apart from thefact that our scheme becomes insecure if there are morethan t� 1 collusions or corruptions. However, unlike otherID-based schemes, our proposal is based on standard

cryptographic assumptions. Moreover, for reasonablegroup sizes and threshold values, BiAC-Enc is much moreefficient than other ID-based encryption schemes, whichrequire costly operations (e.g., scalar point multiplications,map-to-point operations, and bilinear mappings [9]) onelliptic curves.5

9 PERFORMANCE ANALYSIS

We now discuss the implementations of UniAC and BiAC

for temporary MANETs and compare them in terms ofnode admission, traceability, pairwise key establishment,signing, and encryption costs. We also summarize andcompare some salient features in Table 2. As expected, BiAC

significantly outperforms UniAC overall.

9.1 Complexity Analysis and Comparison

We summarize computation and communication complex-ities6 in Table 3. Note that computational cost is measuredin the number of modular exponentiations—the mostcomputationally intensive operation. Communication com-plexity reflects the costs of the admission protocol.

BiAC requires each sponsor Pi to perform OðtÞ modularmultiplications and Pnþ1 to perform Oðt3Þ modular multi-plications for Gaussian elimination and OðtÞ exponentia-tions for verifiability, whereas UniAC entails each Pi toperform OðtÞ multiplications and Pnþ1 to perform OðtÞmultiplications plus one exponentiation for verifiability. Fortraceability, both the schemes require Oðt2Þ multiplicationsand Oðt2Þ exponentiations, with precomputation. BiAC issignificantly more efficient than UniAC for computing

SAXENA ET AL.: EFFICIENT NODE ADMISSION AND CERTIFICATELESS SECURE COMMUNICATION IN SHORT-LIVED MANETS 165

5. For example, for n ¼ 100 and t ¼ 10 (10 percent of group size),BiAC-Enc would require < 70 squarings, < 70 modular multiplications,and only two modular exponentiations. The decryption would requireonly one exponentiation. In contrast, IBE encryption requires one map-to-point operation, two scalar point multiplications, and one bilinearmapping. IBE decryption costs one bilinear mapping. It is well knownthat for appropriate security parameters, IBE computations are extremelycostly (e.g., a single bilinear mapping takes around 80 ms, scalar pointmultiplication takes around 30 ms, while a modular exponentiation takesonly a few milliseconds). Refer to, e.g., [45] for details regarding thesecost comparisons.

TABLE 2Feature Comparison

6. Costs related to the signature scheme required for protecting eachprotocol message are not taken into account, since these vary with thespecific signature scheme.

TABLE 3Complexity Comparison

pairwise keys, since the former requires only OðtÞ multi-plications, while the latter needs OðtÞ exponentiations aswell as OðtÞ multiplications. We note that pairwise keyestablishment is a very frequent operation in a MANET;thus, its efficiency is extremely important. For singing, bothUniAC and BiAC require one exponentiation for signaturegeneration and OðtÞ for signature verification. The encryp-tion cost for both schemes follows the same pattern; OðtÞexponentiations for encryption and one exponentiation fordecryption.

As far as overall communication costs,7 BiAC consumesOðt log qÞ and Oðt log pÞ bits, while UniAC consumesOðt2 log qÞ plus Oðt log pÞ bits, due to the interactive randomshuffling procedure.

9.2 Experimental Setup

UniAC and BiAC protocols have been implemented usingthe popular OpenSSL library [38]. Our implementationconsists of approximately 20,000 lines of C code running onLinux 2.4. The source is publicly available in [39]. We nowdescribe the experimental setup used for performancemeasurements. Our experiments were conducted in a realwireless MANET environment and included measuringenergy costs for each scheme with power measuring systemdescribed below.

9.2.1 Wireless Mobile Ad Hoc Networks

We use five laptop computers for our wireless experi-mental setup: four with Pentium 3 800-MHz CPU and256-Mbyte RAM and one with Mobile Pentium 1.8-GHzCPU and 512-Mbyte RAM. Each laptop is configured with802:11b in ad hoc mode and runs the Optimized LinkState Routing Protocol (OLSR) [37]. Each machine runsLinux version 2.4.

9.2.2 Power Measurement Systems

To measure battery power consumption, we configured thefollowing equipment. The test machine was an iPAQ(model H5555) running Linux (Familiar-0.7.2). The CPUon the iPAQ is a 400-MHz Intel XScale with 48 Mbytes offlash memory and 128 Mbytes of SDRAM. To obtainaccurate power measurements, we removed the batteryfrom the iPAQ during the experiment and placed a resistorin series with a power supply. We used a NationalInstruments PCI Data AcQuisition (DAQ) board to samplethe voltage drops across the resistor to calculate the currentat 1,000 samples per second.

9.3 Test Methodology

9.3.1 Parameter Selection

To perform fair comparisons, we consider the followingparameters. The bit sizes of q and p were set to 160 and1,024, respectively. Measurements were performed withdifferent threshold values t, ranging between 1 and 9. Weused 1,024-bit RSA signature algorithm with the fixedpublic exponent 65;537 ð¼ 216 þ 1Þ for protocol messageauthentication. All experiments were repeated 1,000 timesfor each measurement in order to get accurate averageresults.

9.3.2 Test Cases

We measured separately the costs of admission, traceability,

pairwise key establishment, signing, encryption, and energy

consumption.

. Admission: four laptops with the same computingpower were used as current member nodes and thehigher end laptop was used as the joining node. Inthis experiment, each node (except the joining node)was emulated by a daemon and each machine wasrunning up to three daemons. We then measuredtotal processing time between sending of JOIN_REQby the prospective node and receiving (plus verifica-tion) of acquired secret shares. The measurementthus includes the average computation time of thebasic operations (e.g., modular multiplications andexponentiations) as well as communication costs,such as packet en/decoding time and network delay.

. Traceability: we measured the computation time fortracing partial shares received during the admissionprotocol. We measured this cost using precomputedvalues, to the extent possible.

. Pairwise Key Establishment: we measured the time tocompute a pairwise key on the higher end laptop.Note that no communication is involved in thismeasurement.

. Signature Verification: we measured the time forverifying a signature only, since the same methodfor signature generation has been applied to bothUniAC and BiAC.

. Encryption: we measured the time to encrypt sampledata. Decryption costs were not compared as theyare the same for UniAC and BiAC.

. Energy Consumption: we measured power consump-tion in terms of communication bandwidth in eachadmission protocol: we transmitted bulk data (e.g.,100 Mbytes) from a single iPAQ PDA, measuredpower consumed for transmission, and then com-puted the average power consumption per bit. Afterthat, we calculated power consumption of eachadmission protocol by multiplying this measure-ment result by the bit length of the transmitted data.

9.4 Experimental Results

. Admission: as shown in Fig. 5a, the admission cost inBiAC is much lower than that in UniAC. Thedifference is even higher for higher threshold values,since BiAC is not only computationally cheaper, butit also requires less communication.

. Traceability: Fig. 5b shows the traceability costs forthe two approaches. Even in the worst case, BiAC isas good as UniAC for performing the (very infre-quent) operation of tracing malicious nodes.

. Pairwise Key Establishment: Fig. 5c shows that BiAC ismuch more efficient than UniAC. The differencesrange from 115 ðt ¼ 1Þ to 412 ðt ¼ 9Þ. In other words,BiAC is 115-412 times faster than UniAC for estab-lishing a shared secret. This result was expectedsince pairwise key establishment in BiAC requiresonly OðtÞ multiplications for a 160-bit modulus. Incontrast, UniAC requires OðtÞ exponentiations with a

166 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 20, NO. 2, FEBRUARY 2009

7. We assume that the identity and the public key are log q bits long andlog p bits long, respectively.

modulus size of 1,024 as well as OðtÞ multiplicationswith a 160-bit modulus.

. Signature Verification: Fig. 5d shows that BiAC is ascomplicated as UniAC in verifying a signature andthe cost is proportional to a threshold due to specialconstruction of public key using the witnesses.

. Encryption: Fig. 5e shows that BiAC and UniACexhibit the same encryption costs.

. Energy Consumption: Fig. 5f clearly illustrates thatBiAC is much more energy efficient than UniAC.

10 CONCLUSIONS AND FUTURE WORK

This paper has considered node admission in temporaryMANETs and presented BiAC—an efficient and fullynoninteractive admission technique based on bivariatepolynomial secret sharing. We also showed how to obtainefficient public key encryption and signatures as well asestablish shared secret keys by treating nodes’ secret sharesas private keys. We demonstrated—via analytical andexperimental evaluation—that our technique comparesvery favorably to prior results. As part of future work, weplan to explore techniques for improving decentralizedgroup initialization. The currently used JSS protocol [19] isinefficient in terms of communication and requires areliable broadcast channel. We also intend to address theproblem of distributed membership revocation, e.g., toexpel malicious nodes from the group.

APPENDIX A

PROOF OF THEOREM 1

Proof. We prove the following claim: if there exists apolynomial time algorithm A, which, on inputs of the

secret keys of t� 1 corrupted users, is able to create an

existential forgery in the CMA model corresponding to an

uncorrupted user, then there exists a polynomial time

algorithm B, which can break the DL assumption in ROM.We construct an algorithm B, which runs on input of a

DL instance y ¼ gx ðmod pÞ and would translate theadversarial algorithm A into outputting x. We firstassume that the adversaryA corrupts t� 1 nodes denotedby P1; P2; . . . ; Pt�1, without any loss of generality.

Note that in our multiple user scenario, the adversaryA can request the signature oracle to sign chosenmessages corresponding to any honest node. In otherwords, when A sends ðm; idiÞ to the signature oracle, theoracle responds with a signature on message m signedwith xi.B picks x1; x2; . . . ; xt�1 values corresponding to the

secret keys of corrupted users, uniformly at random fromZZq. It then sets xi ¼ F ðidiÞ and employs appropriateLagrange interpolation coefficients in the exponent tocompute the public witnesses gA1 ; . . . ; gAt�1 ðmod pÞ,where F ðzÞ ¼ xþA1zþ � � � þAt�1z

t�1 ðmod qÞ. Since,x ¼

Pt�1k¼1 xk�kð0Þþxi�ið0Þ ðmod qÞ, B can compute the

public key yi, corresponding to an honest node Pi ði� tÞ as

yi ¼y

gPt�1

k¼1xk�kð0Þ

8<:

9=;

1=�ið0Þ

ðmod pÞ: ð6Þ

B now runs A on inputs x1; x2; . . . ; xt�1 and

simulates the signature oracle on A’s query ðm; idiÞ,by picking s and c at random in ZZq, computing

r ¼ gsyi�c ðmod pÞ and setting Hðm; rÞ ¼ c. A then

outputs a forgery ðC; SÞ on some message M

SAXENA ET AL.: EFFICIENT NODE ADMISSION AND CERTIFICATELESS SECURE COMMUNICATION IN SHORT-LIVED MANETS 167

Fig. 5. Experimental results. BiAC performs much better than UniAC in node admission, pairwise key establishment, and energy consumption

experiments and shows similar performance in the other experiments. (a) Node admission. (b) Traceability. (c) Key establishment. (d) Signature

verification. (e) Encryption. (f) Energy consumption.

corresponding to user Pi. Note that because H is a

random function, except for negligible probability, Amust have asked to H a query ðM;RÞ where

R ¼ gSyi�C ðmod pÞ, because otherwise it could not

have guessed the value of C ¼ HðM;RÞ. B then

reruns A by giving the same answers to queries to H

until the query ðM;RÞ, which it now answers with

new randomness C0. If A outputs the forgery on the

same message M, but this time for a different user

Pj ði 6¼ jÞ then, except for negligible probability, it

produces S0 such that R ¼ gS0y�C0j ðmod pÞ. B can now

[using (6)] compute

x ¼ S � S0 þ C

�ið0ÞXt�1

k¼1

xk�kð0Þ �C0

�0jð0ÞXt�1

k¼1

xk�0kð0Þ

( ),

C

�ið0Þ� C0

�0jð0Þ

( )ðmod qÞ:

As in the security proof of Schnorr’s signatures [40],the probability of success of B would be �2=4q, where �represents the success probability of A and q is the totalnumber of queries to HðÞ. tu

APPENDIX B

PROOF OF THEOREM 2

Proof. As usual, the proof goes by contradiction, i.e., we

prove that if there exists a polynomial time algorithm A,

which, on inputs of the secret keys of t� 1 corrupted

users, is able to break the multiuser indistinguishability

notion, then there exists a polynomial time algorithm B,

which can break the CDH assumption in ROM.We construct an algorithm B, which, running on input

of a CDH instance U ¼ gu; V ¼ gv, translates the algo-rithm A into outputting guv. As usual, we first assumethat the adversary A corrupts t� 1 nodes denoted byP1; P2; . . . ; Pt�1, without any loss of generality.

As in the security proof of BiAC-Sig, B picksx1; x2; . . . ; xt�1 values corresponding to the secret keysof corrupted users, uniformly at random from ZZq. Itthen sets xi ¼ F ðidiÞ and employs appropriateLagrange interpolation coefficients in the exponent tocompute the public witnesses gA1 ; . . . ; gAt�1 ðmod pÞ,where F ðzÞ ¼ uþA1zþ � � � þAt�1z

t�1 ðmod qÞ. Since,u ¼

Pt�1k¼1 xk�kð0Þ þ xi�ið0Þ ðmod qÞ, B can compute

the public key yi, corresponding to an honest nodePi ði� tÞ using (6).

To help the reader understand the construction of ourtranslator algorithm B, we first recall how the translatorworks in the security proof (under CDH and ROM) ofsingle-user hashed ElGamal. The translator works asfollows: on input of a CDH instance ðU ¼ gu; V ¼ gvÞ, itfirst runs the adversary on input gu. The adversaryoutputs two messages m0;m1. The translator picks onemessage mb ðb ¼ 0 or 1Þ at random and sends the encryp-tion ðc1; c2Þ to the adversary, where c1 ¼ V grðmod pÞ andc2 ¼ R (r is a random value in ZZq and R is a random padof the same length as the message). In the ROM, the only

way the adversary can distinguish this encryption is byquerying the random oracle on value O ¼ cu1 ¼ Urþv,which will be recorded by the translator and used tocompute guv ¼ OU�r. If there are a total of q queries beingmade to the oracle, this means that the probability ofsuccess of translator would be 1=q times the probability ofsuccess of the adversary.

Now, we are ready to describe the translation based on

our multiuser setting:B runsA on inputs of the secret keys

x1; . . . ; xt�1 corresponding to the corrupted users, and the

public keys yt; . . . ; yn of all honest ones. A outputs two

vectors of ðn�tþ 1ÞmessagesM0¼fm0ig andM1 ¼ fm1ig,where i ¼ t; . . . ; n, to be challenged upon. B then picksMb

(b is 0 or 1) and sends toA the vectorfðV gri ; RiÞg, where ri is

a random value in ZZq, andRi is a random pad equally long

as the messagembi, for i ¼ t; . . . ; n. The only possibility for

A to win this game is by querying the random oracle on at

least one of the valueO ¼ ðV grjÞxj , for some j 2 ft; . . . ; ng.B records this value, and assuming that it corresponds to

Pj, it computes guv as follows: u ¼Pt�1

k¼1 xk�0kð0Þ þ xj�0j

ð0Þðmod qÞ. This implies that guv ¼ gvPt�1

k¼1xk�

0kð0Þgvxj�

0jð0Þ

ðmod qÞ and guv ¼ VPt�1

k¼1xk�

0kð0ÞV xj�

0jð0Þ ðmod pÞ. Since

O ¼ ðV grjÞxj , this means V xj ¼ Oyj�rj and, therefore,

guv ¼ VPt�1

k¼1xk�

0kð0ÞOyj

�rj�0jð0Þ ðmod pÞ.Given that there are a total of q queries to the random

oracle, the probability of success of B would be theprobability of success of A times 1=qðn� tþ 1Þ, as onlyone query will yield a correct guv value and each querymight correspond to one j value in ft; ng. tu

Remark (extension to chosen ciphertext security). The

hybrid encryption techniques for extending standard

hashed ElGamal to chosen ciphertext security (refer to [5]

and [17]) can be used to achieve the chosen ciphertext

security for the BiAC-Enc scheme.

ACKNOWLEDGMENTS

Portions of this paper previously appeared in [46] and [42].

This work was done in part while at UCI. This work was

supported in part by an award from the Army Research

Office (ARO) Contract W911NF0410280, US National

Science Foundation (NSF) Awards 0331707 and 0331690

(ITR-RESCUE), and a grant from SUN Microsystems. Jeong

Hyun Yi is the corresponding author.

REFERENCES

[1] K. Barr and K. Asanovic, “Energy Aware Lossless DataCompression,” Proc. First ACM Int’l Conf. Mobile Systems, Applica-tions, and Services (MobiSys ’03), pp. 231-244, 2003.

[2] O. Baudron, D. Pointcheval, and J. Stern, “Extended Notions ofSecurity for Multicast Public Key Cryptosystems,” Proc. 27th Int’lColloquium on Automata, Languages and Programming (ICALP ’00),pp. 499-511, 2000.

168 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 20, NO. 2, FEBRUARY 2009

[3] M. Bellare and P. Rogaway, “Random Oracles Are Practical: AParadigm for Designing Efficient Protocols,” Proc. First ACM Conf.Computer and Comm. Security (CCS ’93), pp. 62-73, 1993.

[4] M. Bellare, A. Boldyreva, and S. Micali, “Public-Key Encryption ina Multi-User Setting: Security Proofs and Improvements,” Proc.Int’l Conf. Theory and Application of Cryptographic Techniques(EUROCRYPT ’00), pp. 259-274, 2000.

[5] M. Bellare, A. Boldyreva, and A. Palacio, “An UninstantiableRandom-Oracle-Model Scheme for a Hybrid Encryption Pro-blem,” Proc. Int’l Conf. Theory and Application of CryptographicTechniques (EUROCRYPT ’04), pp. 171-188, 2004.

[6] M. Ben-Or, S. Goldwasser, and A. Wigderson, “CompletenessTheorems for Non-Cryptographic Fault-Tolerant DistributedComputation,” Proc. 20th Ann. ACM Symp. Theory of Computing(STOC ’88), pp. 1-10, 1988.

[7] C. Blundo, A.D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, andM. Yung, “Perfectly-Secure Key Distribution for DynamicConferences,” Proc. 12th Ann. Int’l Cryptology Conf. (CRYPTO ’92),pp. 471-486, 1992.

[8] A. Boldyreva, “Efficient Threshold Signatures, Multisignaturesand Blind Signatures Based on the Gap-Diffie-Hellman-GroupSignature Scheme,” Proc. Sixth Int’l Workshop Theory and Practice inPublic Key Cryptography (PKC ’03), pp. 31-46, 2003.

[9] D. Boneh and M.K. Franklin, “Identity-Based Encryption from theWeil Pairing,” Proc. 21st Ann. Int’l Cryptology Conf. (CRYPTO ’01),pp. 213-229, 2001.

[10] G. Bracha, “An Asynchronous bðn� 1Þ=3c-Resilient ConsensusProtocol,” Proc. Third Ann. ACM Symp. Principles of DistributedComputing (PODC ’84), pp. 154-162, 1984.

[11] C. Castelluccia, N. Saxena, and J.H. Yi, “Self-Configurable KeyPre-Distribution in Mobile Ad Hoc Networks,” Proc. Fourth Int’lIFIP Networking Conf. (Networking ’05), pp. 1083-1095, 2005.

[12] J.C. Cha and J.H. Cheon, “An ID-Based Signature from Gap-Diffie-Hellman Groups,” Proc. Sixth Int’l Workshop Theory and Practice inPublic Key Cryptography (PKC ’03), pp. 18-30, 2003.

[13] B. Dahill, B. Levine, E. Royer, and C. Shields, “A Secure RoutingProtocol for Ad Hoc Networks,” Technical Report UM-CS-2001-037, Univ. of Massachusetts, 2001.

[14] Y. Desmedt and Y. Frankel, “Threshold Cryptosystems,” Proc.Ninth Ann. Int’l Cryptology Conf. (CRYPTO ’89), pp. 307-315, 1989.

[15] T. ElGamal, “A Public-Key Cryptosystem and a Signature SchemeBased on Discrete Logarithms,” IEEE Trans. Information Theory,pp. 469-472, 1985.

[16] P. Feldman, “A Practical Scheme for Non-Interactive VerifiableSecret Sharing,” Proc. 28th Ann. Symp. Foundations of ComputerScience (FOCS ’87), pp. 427-437, 1987.

[17] E. Fujisaki and T. Okamoto, “Secure Integration of Asymmetricand Symmetric Encryption Schemes,” Proc. 19th Ann. Int’lCryptology Conf. (CRYPTO ’99), pp. 537-554, 1999.

[18] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “RobustThreshold DSS Signatures,” Proc. 16th Ann. Int’l Cryptology Conf.(CRYPTO ’96), pp. 354-371, 1996.

[19] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “SecureDistributed Key Generation for Discrete-Log Based Cryptosys-tems,” Proc. Int’l Conf. Theory and Application of CryptographicTechniques (EUROCRYPT ’99), pp. 295-310, 1999.

[20] S. Goldwasser and S. Micali, “Probabilistic Encryption,”J. Computer and System Sciences, vol. 28, pp. 270-299, 1989.

[21] S. Goldwasser, S. Micali, and R.L. Rivest, “A Paradoxical Solutionto the Signature Problem,” Proc. 25th Ann. Symp. Foundations ofComputer Science (FOCS ’84), pp. 441-448, 1984.

[22] S. Goldwasser, S. Micali, and R.L. Rivest, “A Digital SignatureScheme Secure Against Adaptive Chosen-Message Attacks,”SIAM J. Computing, vol. 17, no. 2, pp. 281-308, 1988.

[23] M.T. Goodrich, M. Sirivianos, J. Solis, G. Tsudik, and E. Uzun,“Loud and Clear: Human-Verifiable Authentication Based onAudio,” Proc. 26th Int’l Conf. Distributed Computing Systems(ICDCS), 2006.

[24] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, “ProactiveSecret Sharing, or How to Cope with Perpetual Leakage,” Proc.15th Ann. Int’l Cryptology Conf. (CRYPTO ’95), pp. 339-352, 1995.

[25] R. Hills, “Sensing for Danger,” Science Technology Report,http://www.llnl.gov/str/JulAug01/Hills.html, July/Aug. 2001.

[26] Y.-C. Hu, D.B. Johnson, and A. Perrig, “SEAD: Secure EfficientDistance Vector Routing for Mobile Wireless Ad Hoc Networks,”Proc. Fourth IEEE Workshop Mobile Computing Systems and Applica-tions (WMCSA ’02), pp. 3-13, 2002.

[27] Y.-C. Hu, A. Perrig, and D.B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” Proc. ACMMobiCom ’02, pp. 12-23, 2002.

[28] S. Jarecki, N. Saxena, and J.H. Yi, “An Attack on the Proactive RSASignature Scheme in the URSA Ad Hoc Network Access ControlProtocol,” Proc. ACM Workshop Security of Ad Hoc and SensorNetworks (SASN ’04), pp. 1-9, 2004.

[29] J. Kong, H. Luo, K. Xu, D.L. Gu, M. Gerla, and S. Lu, “AdaptiveSecurity for Multi-Level Ad-hoc Networks,” Wireless Comm. andMobile Computing, vol. 2, no. 5, pp. 533-547, 2002.

[30] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing Robustand Ubiquitous Security Support for MANET,” Proc. Ninth IEEEInt’l Conf. Network Protocols (ICNP ’01), pp. 251-260, 2001.

[31] D. Liu and P. Ning, “Establishing Pairwise Keys in DistributedSensor Networks,” Proc. 10th ACM Conf. Computer and Comm.Security (CCS ’03), pp. 52-61, 2003.

[32] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, “URSA: Ubiquitousand Robust Access Control for Mobile Ad Hoc Networks,” IEEE/ACM Trans. Networking, vol. 12, no. 6, pp. 1049-1063, 2004.

[33] H. Luo, P. Zerfos, J. Kong, S. Lu, and L. Zhang, “Self-Securing AdHoc Wireless Networks,” Proc. Seventh IEEE Symp. Computers andComm. (ISCC ’02), pp. 567-574, 2002.

[34] J.M. McCune, A. Perrig, and M.K. Reiter, “Seeing-Is-Believing:Using Camera Phones for Human-Verifiable Authentication,”Proc. IEEE Symp. Security and Privacy (S&P ’05), pp. 110-124, 2005.

[35] M. Naor, B. Pinkas, and O. Reingold, “Distributed Pseudo-RandomFunctions and KDCs,” Proc. Int’l Conf. Theory and Application ofCryptographic Techniques (EUROCRYPT ’99), pp. 327-346, 1999.

[36] M. Narasimha, G. Tsudik, and J.H. Yi, “On the Utility ofDistributed Cryptography in P2P and MANETs: The Case ofMembership Control,” Proc. 11th IEEE Int’l Conf. Network Protocols(ICNP ’03), pp. 336-345, 2003.

[37] OLSR Protocol, http://menetou.inria.fr/olsr, 2008.[38] OpenSSL Project, http://www.openssl.org, 2008.[39] Peer Group Admission Control Project, http://sconce.ics.uci.edu/gac,

2008.[40] D. Pointcheval and J. Stern, “Security Proofs for Signature

Schemes,” Proc. Int’l Conf. Theory and Application of CryptographicTechniques (EUROCRYPT ’96), pp. 387-398, 1996.

[41] W.H. Press, B.P. Flannery, S.A. Teukolsky, and W.T. Vetterling,Numerical Recipes in C: The Art of Scientific Computing, ISBN 0-521-43108-5, Cambridge Univ. Press, 1992.

[42] N. Saxena, “Public Key Cryptography Sans Certificates in Ad HocNetworks,” Proc. Fourth Int’l Conf. Applied Cryptography andNetwork Security (ACNS ’06), pp. 375-389,

[43] N. Saxena, J.-E. Ekberg, K. Kostiainen, and N. Asokan, “SecureDevice Pairing Based on a Visual Channel (Short Paper),” Proc.IEEE Symp. Security and Privacy (S&P ’06), pp. 306-313, 2006.

[44] N. Saxena, G. Tsudik, and J.H. Yi, “Admission Control in Peer-to-Peer: Design and Performance Evaluation,” Proc. ACM WorkshopSecurity of Ad Hoc and Sensor Networks (SASN ’03), pp. 104-114,2003.

[45] N. Saxena, G. Tsudik, and J.H. Yi, “Identity-Based Access Controlfor Ad-Hoc Groups,” Proc. Seventh Int’l Conf. Information Securityand Cryptology (ICISC ’04), pp. 362-379, 2004.

[46] N. Saxena, G. Tsudik, and J.H. Yi, “Efficient Node Admission forShort-Lived Mobile Ad Hoc Networks,” Proc. 13th IEEE Int’l Conf.Network Protocols (ICNP ’05), pp. 269-278, 2005.

[47] N. Saxena, G. Tsudik, and J.H. Yi, “Threshold Cryptography inP2P and MANETs: The Case of Access Control,” ComputerNetworks, vol. 51, pp. 3632-3649, 2007.

[48] C.P. Schnorr, “Efficient Signature Generation by Smart Cards,”J. Cryptology, vol. 4, no. 3, pp. 161-174, 1991.

[49] A. Shamir, “How to Share a Secret,” Comm. ACM, vol. 22, no. 11,pp. 612-613, 1979.

[50] M. Steiner, G. Tsudik, and M. Waidner, “CLIQUES: A NewApproach to Group Key Agreement,” Proc. 18th IEEE Int’l Conf.Distributed Computing Systems (ICDCS ’98), pp. 380-387, 1998.

[51] M. Steiner, G. Tsudik, and M. Waidner, “Key Agreement inDynamic Peer Groups,” IEEE Trans. Parallel and DistributedSystems, vol. 11, no. 8, pp. 769-780, Aug. 2000.

[52] D.R. Stinson and R. Strobl, “Provably Secure Distributed SchnorrSignatures and a ðt; nÞ Threshold Scheme for Implicit Certificates,”Proc. Sixth Australasian Conf. Information Security and Privacy(ACISP ’01), pp. 417-434, 2001.

SAXENA ET AL.: EFFICIENT NODE ADMISSION AND CERTIFICATELESS SECURE COMMUNICATION IN SHORT-LIVED MANETS 169

[53] E. Uzun, K. Karvonen, and N. Asokan, “Usability Analysis ofSecure Pairing Methods,” Proc. First Int’l Workshop Usable Security(USEC ’07), pp. 15-16, 2007.

[54] P. van Oorschot, “Extending Cryptographic Logics of Belief to KeyAgreement Protocols,” Proc. First ACM Conf. Computer and Comm.Security (CCS ’93), pp. 232-243, 1993.

[55] L. Zhou and Z.J. Haas, “Securing Ad Hoc Networks,” IEEENetwork Magazine, vol. 13, no. 6, pp. 24-30, 1999.

Nitesh Saxena received the BS degree inmathematics and computing from the IndianInstitute of Technology, Kharagpur, India, theMS degree in computer science from theUniversity of California at Santa Barbara, andthe PhD degree in information and computerscience from the University of California, Irvine.He is an assistant professor in the Departmentof Computer and Information Science, Polytech-nic University. He works in the areas of

computer and network security and applied cryptography. His PhDdissertation on “Decentralized Security Services” has been nominatedfor the ACM Dissertation Award in 2006. He received the “Best StudentPaper” Award at the Third American Conference on Neutron Scattering(ACNS) 2006. He is a member of the IEEE.

Gene Tsudik received the PhD degree incomputer science in 1991 from the Universityof Southern California (USC), where his disser-tation focused on access control in internet-works. He is a professor of computer science atthe Department of Computer Science, Universityof California, Irvine (UCI) and the director ofSecure Computing and Networking Center(SCONCE). He has been conducting researchin internetworking, network security, and applied

cryptography since 1987. Before coming to UCI in 2000, he was a projectleader at IBM Research, Zurich Laboratory (1991-1996), and USCInformation Science Institute (1996-2000). Between 2002 and 2007, heserved as an associate dean of Research and Graduate Studies in theSchool of Information and Computer Sciences, UCI. In 2007, he was aFulbright senior lecturer at the University of Rome “La Sapienza.” Overthe years, his research interests included routing, firewalls, authentica-tion, mobile/wireless network security, secure e-commerce, anonymity,secure group communication, digital signatures, key management,secure ad hoc and sensor network routing, as well as database privacyand secure storage. He is a senior member of the IEEE.

Jeong Hyun Yi received the BS and MS degreesin computer science from Soongsil University,Seoul, in 1993 and 1995, respectively, and thePhD degree in information and computer sciencefrom the University of California, Irvine (UCI), in2005. He is an assistant professor in the Schoolof Computing at Soongsil University, Seoul,Korea. He was a member of research staff atElectronics and Telecommunication ResearchInstitute (ETRI), Daejeon, Korea, from 1995 to

2001, a guest researcher at the National Institute of Standards andTechnology (NIST), Gaithersburg, Maryland, from 2000 to 2001, and aprincipal researcher at Samsung Advanced Institute of Technology(SAIT), Yongin, Korea, from 2005 to 2008. His research interests includenetwork security, ubiquitous computing, RFID, wireless sensor networks,mobile privacy, PKI, and applied cryptography. Some of his notableresearch contributions include Certificate Management Protocol (CMP)for Korean PKI Standards and integration of Korea PKI and US FederalPKI. He is a member of the IEEE.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.

170 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 20, NO. 2, FEBRUARY 2009