
3072 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 9, NO. 10, OCTOBER 2010

Securing Cluster-Based Ad Hoc Networks with Distributed Authorities

Lung-Chung Li and Ru-Sheng Liu

Abstract—In this paper, we address key management in cluster-based mobile ad hoc networks (MANETs). Ensuring secure communication in an ad hoc network is extremely challenging because of the dynamic nature of the network and the lack of centralized management. For this reason, key management is particularly difficult to implement in such networks. We present a fully-distributed ID-based multiple secrets key management scheme (IMKM). This scheme is implemented via a combination of ID-based multiple secrets and threshold cryptography. It eliminates the need for certificate-based authenticated public-key distribution and provides an efficient mechanism for key update and key revocation schemes, which leads to more suitable, economic, adaptable, scalable, and autonomous key management for mobile ad hoc networks.

Index Terms—Security, mobile ad hoc network, key management, ID-based cryptography, secret sharing.

I. INTRODUCTION

AD hoc networks are subject to various types of attacks ranging from passive eavesdropping to active impersonation, message replay, and message distortion. Moreover, it is difficult to deploy security mechanisms in MANETs because of the absence of fixed infrastructure, the shared wireless medium, node mobility, the limited resources of mobile devices, bandwidth-restricted and error-prone communication links, and so on.

Recent literature has sought to address the key management issues in MANETs. Most of the schemes that have been proposed depend on either certificate-based cryptography (CBC) or ID-based cryptography (IBC). In traditional certificate-based public key cryptosystems, a user's public key is certified with a certificate issued by a certification authority (CA). Any participant that wishes to use a public key must first verify its validity using the corresponding certificate. The main concern with this approach is the need for public key distribution.

The concept of ID-based public key systems was introduced by Shamir [1] in 1984. The main idea of such systems is that each user uses his identifying information, such as a telephone number or email address, as a public key. In other words, the user's public key can be determined directly from his identifying information rather than having to be extracted from a certificate issued by a CA. ID-based systems enable any pair of users to communicate securely without exchanging public key certificates, without keeping a public key directory and without using the online services of a third party. This is enabled by a trusted Private Key Generator (PKG), which issues each user a private key corresponding to his identity when he first joins the network. Therefore, ID-based systems are a powerful alternative to CA-based systems in terms of both efficiency and convenience. However, the PKG represents a single point of failure: if the private key of the PKG is compromised, the entire system is compromised. To counter this, Boneh and Franklin [2] have suggested spreading the PKG private key using threshold cryptography.

Manuscript received May 31, 2009; revised September 26, 2010, January 25, 2010, and April 29, 2010; accepted June 29, 2010. The associate editor coordinating the review of this paper and approving it for publication was I. Habib.

L.-C. Li is with the Center for General Education, Chang Gung University, Taiwan (e-mail: [email protected]).

R.-S. Liu is with the Department of Computer Science and Engineering, Yuan Ze University, Taiwan (e-mail: [email protected]).

Digital Object Identifier 10.1109/TWC.2010.080610.090759

In contrast to fixed networks, a centralized public key infrastructure (PKI) or a centralized certification authority is not feasible in ad hoc networks. Distributing a signing key and CA functionality over multiple nodes using secret sharing and threshold cryptography is a possible solution to this problem. However, a number of issues must first be resolved. First, the security of the entire network is broken when a threshold number of shareholders are compromised. Second, efficiency is greatly reduced because updating public/private keys requires each node to individually contact a threshold number of shareholders, which represents a significant communication overhead in large-scale MANETs. Third, the joining and eviction of shareholders require an efficient share update protocol to reduce communication costs.

Group key agreement (GKA) [3]-[4] is another important challenge of key management in MANETs. GKA protocols allow two or more parties to agree on a common group key and exchange information among themselves over an insecure channel. A key agreement that provides mutual key authentication among the parties is called an authenticated key agreement (AKA). Applications of authenticated group key agreement (AGKA) protocols proliferate in many modern collaborative and distributed environments. As a consequence, the design of a secure and efficient protocol for group key agreement has received much attention as a significant research area.

In this paper, we propose an ID-based multiple secrets key management (IMKM) protocol to address all the above concerns. Our scheme is a comprehensive solution for inter- and intra-cluster key management, including key revocation, key update, and group key agreement. Our major contributions are as follows:

∙ A fully-distributed key management method. IMKM requires that clusterheads (CHs) participate in the construction of the key in order to establish a $(t, n)$ threshold sharing of the master secret key. The advantages of using a distributed method lie in its efficiency and flexibility in updating the CHs' share keys.

1536-1276/10$25.00 © 2010 IEEE


TABLE I
NOTATION

$p, q$: two large primes
$g$: generator of the subgroup of order $q$ in $Z_p^*$
$e$: bilinear pairing
$U$: maximum update phase index
$s / P_{pub}$: private key / public key of the PKG
$P_m$: generators of $G_1$ $(0 \le m \le U)$
$G_1, G_2$: cyclic groups of order $q$
$CH_i$: clusterhead $i$
$ID_i$: network ID of $CH_i$
$S_i, Q_i$: private/public key pair of $CH_i$
$H_1, H_2, H_3$: hash functions mapping $\{0, 1\}^* \to Z_p^*$, $G_1 \to G_q$, $G_2 \to G_q$
$K_{i,j}$: pair-wise key of $CH_i$ and $CH_j$
$(t, n)$: secret-sharing parameters
$f(x), g(x)$: polynomials of degree $(t - 1)$
$\lambda_v(x)$: Lagrange coefficient
$D / D_{pub}$: master secret key / public key of the shares
$d_i$: subshare of $CH_i$
$\{m\}_{K_{i,j}}$: message $m$ encrypted with the pair-wise key $K_{i,j}$
$\beta$: key revocation threshold
$\gamma$: key update threshold

∙ Multiple secrets scheme. In order to withstand cryptanalysis, it is good practice to periodically update the share keys of the CHs at a predefined time interval. The proposed multiple secrets scheme is highly efficient, as it does not require the exchange or signing of any additional messages while the network is within its security tolerance.

∙ Efficient key joining and eviction schemes. To address security concerns, we update the CHs' share keys when CHs are evicted and the number of revoked CHs reaches a predefined threshold. In addition, two schemes are presented to distribute share keys when members join. In contrast to prior work, we show that our schemes provide much better performance by reducing computation and communication overheads.

∙ Efficient group key agreement scheme. We propose an ID-AGKA protocol that provides authentication without verifying signatures and requires only one round.

The remainder of this paper is organized as follows: Section II provides an overview of existing work and the basic concepts of bilinear pairings. In section III, we introduce the design goals and system models, while in section IV our IMKM protocol is described in detail. The protocol analysis is presented in section V. Finally, we conclude in section VI.

II. PRELIMINARIES

A. Notation

TABLE I specifies the important notation that we employ herein.

B. Related Work on Private and Group Key Securing Systems

Several researchers have recently studied the certificate-based key management problem in ad hoc networks. Zhou and Haas (Z & H) [5] describe a partially distributed PKI solution. They suggest using certificate-based cryptography and a $(t, n)$ threshold scheme [6]-[7] in MANETs. The services provided by the CA are distributed to specialized nodes in the network, referred to as servers (D-CAs). This solution assumes that a subset of nodes is able to take on the specialized server role. During network operation, any $t$ servers can jointly perform certificate generation and revocation based on their secret shares. The scheme can tolerate the compromise of up to $(t - 1)$ servers and the failure of up to $(n - t)$ servers. The drawback is that the communication traffic between servers and the certificate exchanges that handle management activities consume significant bandwidth. This means that the Z & H approach does not scale well [8]-[10].

Yi and Kravets [11] proposed a Mobile Certificate Authority (MOCA) scheme. Their scheme suggests that the nodes with the best physical security and computational resources should serve as MOCAs. This raises the question of how to choose the MOCAs. Furthermore, the protocol maintains its own routing tables and co-exists with a standard ad hoc routing protocol, which results in wasted bandwidth [8]-[10].

Kong et al. [12] presented a fully distributed threshold CA scheme, which they named URSA. In contrast to the partially distributed CA schemes Z & H and MOCA, in this scheme all nodes act as servers and a maximum of $k$ neighboring nodes provide the certificate service. Further, URSA prescribes share refreshing. The drawbacks of URSA are that it does not provide verifiability [13] and that it is vulnerable to the Sybil attack [14]. In addition, it requires a dealer that has knowledge of the certificate signing key and the associated polynomial.

Zhu et al. [15] provided a hierarchical security scheme, referred to as Autonomous Key Management (AKM). When the number of shareholders reaches a certain level, the nodes split into smaller regional groups. When there are too few nodes to provide the CA service, regions are merged. The weakness of this approach is that it is quite difficult to detect regional boundaries in a mobile and unstable ad hoc network. Furthermore, the regional hierarchical structure results in wasted bandwidth [8].

Recently, a few ID-based key management schemes have been proposed for MANETs. Khalili et al. [16] proposed an ID-based and threshold cryptography scheme. The PKG's private key is spread over the initial set of nodes by a $(k, n)$ threshold. This eliminates the PKG as a single point of failure and adds intrusion tolerance. However, this work is conceptual and is not a comprehensive solution.

Since 2000, several ID-based group session key agreement protocols have been proposed. Joux [17] presented a tripartite key agreement protocol based on pairings over elliptic curves; however, this scheme is vulnerable to the man-in-the-middle attack because it does not authenticate the communicating parties. Barua et al. [18] attempted to extend Joux's tripartite protocol to an ID-based AGKA (ID-AGKA) protocol; however, their scheme requires $(\log_3 n)$ rounds. Recently, Choi et al. [19] and Du et al. [20] proposed two ID-AGKA protocols from bilinear pairings and BD [21] schemes. However, Zhang and Chen [22] demonstrated the possibility of an impersonation attack on these two protocols. To prevent such an attack, they suggest adding a time parameter to the message being signed. However, Shim [23] showed that the enhanced protocol is still vulnerable to attacks by colluding insiders. Lin et al. [24] proposed a multiparty key agreement protocol. Their protocol needs only two rounds and less computation and communication bandwidth than other approaches.

C. Bilinear Pairings and DL Problem

Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order $q$. We assume that the discrete logarithm problems (DLP) in both $G_1$ and $G_2$ are difficult to solve. Let $e : G_1 \times G_1 \to G_2$ be a pairing that satisfies the following conditions:

1) Bilinear: $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$, or equivalently $e(aP, bQ) = e(P, Q)^{ab}$.

2) Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \ne 1$.

3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

We note that the Weil [2] and Tate [25] pairings associated with supersingular elliptic curves or abelian varieties can be modified to create such bilinear maps.

Discrete Logarithm Problem (DLP): given two group elements $P$ and $Q$, find an integer $n$ such that $Q = nP$, whenever such an integer exists.

We assume throughout this paper that the DLP is intractable, which means that no polynomial time algorithm exists that solves the DLP with non-negligible probability. In practice, $G_1$ will be the point group on an elliptic curve or the Jacobian group on a hyperelliptic curve over a finite field, and $G_2$ will denote a subgroup of the multiplicative group of a finite field.

III. DESIGN GOALS AND SYSTEM MODELS

A. Design Goals

In this section, we discuss some of the explicit design goals for a secure key management scheme for MANETs. First, it must not have a single point of compromise or failure, because mobile nodes deployed in hostile environments are subject to attacks. Second, it should be compromise-tolerant, meaning that the compromise of a certain number of nodes does not harm the communication security between uncompromised nodes. Third, it should be able to efficiently and securely revoke the keys of compromised nodes once they are detected, and to update the keys of uncompromised nodes. Last, there should be efficient schemes to generate a group session key and to refresh it when members leave.

B. Network Model

We envision a cluster-based MANET [26]-[27] consisting of $n$ CHs without any prior contact, trust, or authority relation. The size of the network may change dynamically as CHs join, leave or fail over time. Each clusterhead $CH_i$ has a unique ID, denoted by $ID_i$. CHs schedule transmissions and allocate resources amongst clusters, while gateways connect adjacent clusters. Clustering is also used in some routing protocols for ad hoc networks. If a cluster-based routing protocol is used, the clusters established by the routing protocol can also be employed in our security conceptualization. It is important to recognize that, in reality, communications are not reliable. Any entity can go offline or become unreachable at any time; thus, communications are potentially insecure and prone to error.

C. Adversary Model

Consider an ad hoc network with $n$ distributed authorities (clusterheads), referred to as D-PKGs in our IMKM, similar in role to distributed CAs [11],[28]. Our D-PKGs are distributed amongst CHs that are selected to enable secure and robust key revocation and update during network operation. We assume that compromised nodes will eventually exhibit detectable misbehavior [29]-[30]. Our main objective is to drive identified compromised nodes out of the network by revoking their keys. We also assume that adversaries compromise no more than $(t - 1)$ out of the $n$ D-PKGs in a given time period, where $(t - 1)$ must be smaller than $n/2$. This guarantees the existence of $t$ honest D-PKGs at any time. We further assume that adversaries cannot break the underlying cryptographic primitive on which we base our design.

IV. PROPOSED IMKM PROTOCOL

This section presents our IMKM protocol. It consists of five phases: network initialization, key revocation, multiple secrets key update, member joining and eviction, and group key generation.

A. Network Initialization

A.1. Generation of Pairing Parameters and Key Initiation

We consider basic operations in the scenario where there is an offline PKG center. These basic operations consist of system setup and private key extraction. The PKG runs a Bilinear Diffie-Hellman (BDH) parameter generator to generate two groups, $G_1$ and $G_2$, as well as a bilinear pairing $e : G_1 \times G_1 \to G_2$, as described above. $P_0$ is the generator of $G_1$; $H_1 : \{0, 1\}^* \to Z_q^*$ is a cryptographic hash function, and $H_2 : G_1 \to G_q$, $H_3 : G_2 \to G_q$ are two other hash functions.

System Setup: the PKG chooses a random number $s \in Z_q^*$ as its private key; $P_{pub} = sP_0$ is the PKG's public key. The PKG predefines the maximum key update phase index $U$ and selects a set of generators $P_m$ $(1 \le m \le U)$ of $G_1$ for the purposes of regular periodic key updates. The system parameters of the PKG are $\langle p, q, g, G_1, G_2, e, P_0, P_{pub}, P_m, H_1, H_2, H_3 \rangle$.

Key Extraction: a user submits his identity information $ID_i$ to the PKG, which then computes $I_i = H_1(ID_i)$ $(1 \le i \le n)$ and the user's public/private key pair $Q_i = (I_i + s)P_0$, $S_i = (I_i + s)^{-1}P_0$. The PKG then securely preloads the key pair and the system parameters onto $CH_i$ $(1 \le i \le n)$.

A.2. Generation of Pair-wise Keys

A pair-wise key agreement protocol allows two parties to establish their session keys and use the keys to encrypt the communications between them. McCullagh and Barreto [31] proposed a two-party authenticated identity-based key agreement using bilinear pairings. In order to provide perfect forward secrecy, we modified their scheme to generate our pair-wise keys as follows:

1) Each $CH_i$ $(1 \le i \le n)$ randomly chooses its ephemeral key $x_i \in Z_q^*$, computes $X_{i,j} = x_i(I_j P_0 + P_{pub})$ $(1 \le j \le n, j \ne i)$ and sends $X_{i,j}$ to $CH_j$ $(1 \le j \le n, j \ne i)$.

2) After exchanging the ephemeral values, all CHs can compute their pair-wise keys:
$k_{i,j} = e(P_0, P_0)^{x_i}\, e(X_{j,i}, S_i) + e(X_{j,i}, S_i)^{x_i} = e(P_0, P_0)^{x_i + x_j} + e(P_0, P_0)^{x_i x_j}$ $(1 \le i, j \le n, i \ne j)$, and $K_{i,j} = H_3(k_{i,j})$.

The above pair-wise key agreement protocol satisfies all of the following security properties [31]: implicit key authentication, known session key security, no key-compromise impersonation, perfect forward secrecy, no unknown key-share and no key control. Therefore, it can be securely employed in MANETs.

A.3. Verifiable Secret Sharing

In order to establish a $(t, n)$ threshold sharing, we require that all clusterheads (CHs) participate in the construction of the master secret key, and that the role of distributed PKG (D-PKG) be assigned to the CHs of the network. Let the set of unrevoked CHs be $\varphi$, and let $\varepsilon \subset \varphi$ be any subset of $t$ CHs. Let $p$ be a large prime and $q > \max(a_{i,0}, n)$ a prime divisor of $p - 1$. Let $a_{i,l} \in Z_q^*$ $(1 \le i \le n, 0 \le l \le t - 1)$ be random coefficients and $g$ the generator of order $q$ in $Z_p^*$. To perform secret sharing, the CHs act as follows:

1) Each clusterhead $CH_i$ creates a $(t, n)$ threshold sharing of $a_{i,0}$ by generating a random polynomial of degree $t - 1$ over $Z_q^*$: $f_i(x) = \sum_{l=0}^{t-1} a_{i,l} x^l \pmod q$.

2) Each $CH_i$ computes $I_j = H_1(ID_j)$ $(1 \le j \le n)$ and securely sends an encrypted subshare $f_i(I_j)$ to $CH_j$ $(1 \le j \le n, j \ne i)$ using the pair-wise key $K_{i,j}$.

3) Each $CH_i$ broadcasts the public values $y_{i,l} = g^{a_{i,l}} \pmod p$ $(0 \le l \le t - 1)$. These values are used to verify the consistency of the subshares sent by $CH_i$.

4) Each $CH_j$ verifies that the subshare $f_i(I_j)$ received from $CH_i$ is valid by checking that $g^{f_i(I_j)} = \prod_{l=0}^{t-1} (y_{i,l})^{(I_j)^l} \pmod p$. If this equality holds, the value received from $CH_i$ is correct; otherwise $CH_j$ considers $CH_i$ to have misbehaved and issues a signed accusation against it accordingly (a number of verifiable secret sharing (VSS) schemes [32]-[33] have been proposed that allow incorrect subshares to be detected).

5) Each $CH_j$ computes its share key $d_j = \sum_{i=1}^{n} f_i(I_j) P_0$.

After the above distributed key generation steps have been performed, each CH holds a subshare $d_j$ of the master secret key $D$ and broadcasts the public key $d_j^{pub} = H_2(P_{pub})\, d_j$. The public key $d_j^{pub}$ of the subshare can be propagated via the CH beacons, which are broadcast periodically. Based on Lagrange interpolation, any subset $\varepsilon \subset \varphi$ of $t$ CHs can determine the master secret key $D = \sum_{j \in \varepsilon} \lambda_j(0)\, d_j = (a_{1,0} + a_{2,0} + \cdots + a_{n,0}) P_0$, where $\lambda_j(0) = \prod_{i \in \varepsilon, i \ne j} \frac{-I_i}{I_j - I_i} \pmod q$ and $\varepsilon$ is the set of $t$ unrevoked CHs participating in IMKM operations (the detailed derivation of the master secret key is presented in APPENDIX A).

The public key $D_{pub}$ of the master secret key can be generated from any $t$ CHs' public keys: $D_{pub} = \sum_{j \in \varepsilon} \lambda_j(0)\, d_j^{pub} = H_2(P_{pub})\, D$.

B. Key Revocation

The key revocation scheme [34]-[36] comprises three sub-processes: misbehavior notification, revocation generation and revocation verification.

B.1. Misbehavior Notification

Upon detection of $CH_i$'s misbehavior, $CH_j$ generates an accusation $\{ID_i, T_j\}_{K_{j,v}}$ against $CH_i$ and securely transmits it to $CH_v$ $(1 \le v \le n, v \ne i, j)$, where $T_j$ is a time stamp used to withstand message replay attacks and $K_{j,v}$ is the pair-wise key of $CH_j$ and $CH_v$. To prevent $CH_i$ from temporarily behaving normally (artificially), the accusation should not be sent to that node.

B.2. Revocation Generation

Upon receipt of an accusation from $CH_j$, the message is simply dropped if the accuser itself has been revoked. The accused $CH_i$ is diagnosed as compromised when the number of accusations against it reaches a predefined revocation threshold $\beta$.

In IMKM, generating a revocation requires the joint effort of $t$ CHs. We assume that the D-PKG with the largest ID acts as revocation leader. Each of the $t$ unrevoked $CH_j$ with the smallest IDs generates a partial revocation $REV_j = H_1(ID_i)\, d_j$ and sends it to the revocation leader securely using the pair-wise key. The revocation leader checks whether the equation $H_2(P_{pub})\, REV_j = H_1(ID_i)\, d_j^{pub}$ holds. If the partial revocation is not valid, the revocation leader considers $CH_j$ to be misbehaving and issues a signed accusation against it.

The revocation leader can construct a complete revocation from these partials using Lagrange interpolation. The complete revocation is derived as $ID'_i = \sum_{j \in \varepsilon} \lambda_j(0)\, REV_j = H_1(ID_i)\, D$. The revocation leader then floods $\langle ID_i, ID'_i \rangle$ throughout the network to inform the others that $CH_i$ has been compromised.

B.3. Revocation Verification

Upon receipt of $ID'_i$, each clusterhead verifies it by checking whether the equation $H_2(P_{pub})\, ID'_i = H_1(ID_i)\, D_{pub}$ holds, where $D_{pub}$ can be computed from the public keys of the shares of any $t$ unrevoked CHs. If the equation holds, $ID'_i$ has been correctly accumulated from all the other $t - 1$ unrevoked CHs. The clusterhead then records $ID_i$ in its key revocation list (KRL) and declines to interact with it thereafter.

C. Multiple Secrets Key Update Scheme

To resist cryptanalysis, it is good practice to employ frequent key updates. A new phase begins at a predetermined time interval. In IMKM, all CHs' private keys $S_j$ last for the entire lifetime of the network, while the share keys $d_j$, used to enable key revocation and key update, are refreshed periodically for $U$ predefined regular phases using a multiple secrets key update scheme. Alternatively, they may be refreshed in the key eviction process when the number of revoked CHs has reached a prescribed update threshold $\gamma$.

We use the multiple secrets scheme to update each CH's share key $d_j$ to $d'_j = \sum_{i=1}^{n} f_i(I_j)\, P_m$ $(1 \le m \le U)$ by replacing the generator $P_0$ of $d_j$ with $P_m$ at each regular predetermined time interval, where $U$ is the maximum update phase index. In this way, key update is simple and efficient because there is no need to exchange or sign any messages between the CHs.

D. Key Joining

In this section we show how to add a new clusterhead $CH_k$ to the ad hoc network backbone. We propose two schemes to fulfill the joining operation.

D.1. Scheme I

1) Each $CH_j$ creates a new subshare $f_j(I_k)$ and securely sends it to $CH_k$. $CH_k$ constructs its share as $d_k = \sum_{j \in \varphi, j \ne k} f_j(I_k)\, P_m$.

2) $CH_k$ creates a $(t, n)$ threshold sharing of $a_{k,0}$ by generating a random polynomial of degree $t - 1$, $f_k(x) = \sum_{l=0}^{t-1} a_{k,l} x^l \pmod q$, and securely sends $f_k(I_j)$ to each $CH_j$ $(j \in \varphi, j \ne k)$.

3) Upon receiving $f_k(I_j)$ from $CH_k$, each $CH_j$ reconstructs its share key: $d'_j = d_j + f_k(I_j)\, P_m$.

D.2. Scheme II

To prevent the exposure of shares, we use a shuffling scheme to generate the partial share of a joining clusterhead $CH_k$, and use the pair-wise key described in section IV-A.2 as the shuffling factor. Note that most prior work has assumed a pre-existing shuffling factor [15],[37].

1) Each $CH_j$ generates the partial share for $CH_k$: $d_{j,k} = \sum_{i \in \varphi} f_i(I_j)\, \lambda_j(I_k) + \delta_j$, where $\lambda_j(I_k) = \prod_{i \in \varphi, i \ne j} \frac{I_k - I_i}{I_j - I_i} \pmod q$ is the Lagrange coefficient, $\delta_j = \sum_{v \in \varphi, v \ne j} \mathrm{sign}(I_j - I_v)\, K_{j,v}$ with $\mathrm{sign}(x) = -1$ for $x \le 0$ and $\mathrm{sign}(x) = 1$ for $x > 0$, and $K_{j,v}$ is the shuffling factor.

2) The shuffled share $d_{j,k}$ is then returned to $CH_k$. After receiving $t$ partial shares, $CH_k$ can construct its share $d_k = \sum_{j \in \varphi, j \ne k} d_{j,k}\, P_m$.

Obviously, scheme II requires less communication and computation than scheme I. Note that the wireless transmission of a bit can require over 1000 times more energy than a single 32-bit computation [38]. It would therefore seem desirable in many situations to perform significant volumes of computation rather than communication.
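As an added example (not the paper's own code), the following Python models the scalar part of the distributed share generation of section IV-A.3 and the shuffled joining of section IV-D.2: each $CH_i$ deals a degree-$(t-1)$ polynomial with Feldman commitments $y_{i,l} = g^{a_{i,l}} \bmod p$, every recipient checks its subshare against them before aggregating $d_j$, any $t$ shares recover $\sum_i a_{i,0}$ by Lagrange interpolation, and a joining $CH_k$ receives partial shares masked with the pair-wise-key terms $\delta_j$, which cancel in the sum. Assumptions: $d_j$ is kept as an integer mod $q$ (the multiplication by $P_0$ or $P_m$ is linear and left implicit), $H_1$ is modelled with SHA-256, pair-wise keys are supplied as constructed integers, and the 64-bit safe prime is a toy parameter.

```python
# Added example (not from the paper): scalar model of IMKM's verifiable secret sharing
# (Sec. IV-A.3) and of Scheme II joining (Sec. IV-D.2).  Shares are integers mod q; the
# paper's multiplication by P_0 / P_m is linear and therefore left implicit here.
import hashlib
import random
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; bases are seeded from n so parameter setup is reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_params(bits: int = 64):
    """Toy parameters: p = 2q + 1 prime; g = 2^2 generates the order-q subgroup of Z_p^*."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_params()

def h1(identity: str) -> int:
    """H1: {0,1}* -> Z_q^*, modelled with SHA-256 (a constructed choice)."""
    return 1 + int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1)

def poly_eval(coeffs, x: int) -> int:
    """f(x) = sum_l a_l x^l  (mod q)."""
    return sum(a * pow(x, l, Q) for l, a in enumerate(coeffs)) % Q

def lagrange_coeff(ids, j: int, x: int) -> int:
    """lambda_j(x) = prod_{i != j} (x - I_i) / (I_j - I_i)  (mod q)."""
    num = den = 1
    for i in ids:
        if i != j:
            num = num * (x - i) % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def deal(t: int, ids):
    """Steps 1-3 for one CH_i: random f_i of degree t-1, subshares f_i(I_j), commitments."""
    coeffs = [1 + secrets.randbelow(Q - 1) for _ in range(t)]
    subshares = {j: poly_eval(coeffs, j) for j in ids}
    commits = [pow(G, a, P) for a in coeffs]          # y_{i,l} = g^{a_{i,l}} mod p
    return coeffs[0], subshares, commits

def verify_subshare(commits, i_j: int, share: int) -> bool:
    """Step 4: g^{f_i(I_j)} == prod_l (y_{i,l})^{(I_j)^l}  (mod p)."""
    rhs = 1
    for l, y in enumerate(commits):
        rhs = rhs * pow(y, pow(i_j, l, Q), P) % P
    return pow(G, share, P) == rhs

def dkg(t: int, ids):
    """Every CH deals; each CH_j verifies and aggregates d_j = sum_i f_i(I_j) (step 5).
    Also returns sum_i a_{i,0}, which no single CH ever holds, purely for checking."""
    master, shares = 0, {j: 0 for j in ids}
    for _ in ids:
        a0, subshares, commits = deal(t, ids)
        for j in ids:
            if not verify_subshare(commits, j, subshares[j]):
                raise ValueError("inconsistent subshare: the dealer would be accused")
            shares[j] = (shares[j] + subshares[j]) % Q
        master = (master + a0) % Q
    return master, shares

def reconstruct(shares: dict) -> int:
    """D = sum_{j in eps} lambda_j(0) d_j over any subset of at least t shares."""
    return sum(lagrange_coeff(shares, j, 0) * d for j, d in shares.items()) % Q

def shuffled_join(shares: dict, pairwise: dict, i_k: int):
    """Scheme II: CH_j returns d_{j,k} = d_j * lambda_j(I_k) + delta_j with
    delta_j = sum_v sign(I_j - I_v) K_{j,v}.  K_{j,v} = K_{v,j} and the signs are
    opposite, so the delta_j cancel in the sum and sum_j d_{j,k} = f(I_k), while
    delta_j masks each individual d_j from the joining node."""
    partials = {}
    for j in shares:
        delta = sum((1 if j > v else -1) * pairwise[frozenset((j, v))]
                    for v in shares if v != j)
        partials[j] = (shares[j] * lagrange_coeff(shares, j, i_k) + delta) % Q
    return sum(partials.values()) % Q, partials
```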

E. Key Eviction

A clusterhead eviction can happen as a result of unavail-ability, communication failure or for security reasons, suchas revoked node. If the eviction of a CH is not considered asecurity vulnerability, such as a power failure, then no actionis required. If a CH is revoked, and the number of revoked

CHs reaches the predetermined update threshold, 𝛾(𝛾 < 𝑡), asa result, then the key eviction process will be initiated. Ourkey eviction process is as follows:

1) When $CH_k$ is revoked, the revocation leader broadcasts a signed key update message, including the threshold $t$. In order to update the share keys of all unrevoked CHs, each $CH_i$ chooses a random number $\Delta_i \in Z_q^*$, changes its share $a_{i,0}$ to $a_{i,0} + \Delta_i$ and securely sends $\Delta_i$ to all unrevoked $CH_j$ ($j \in \varphi$, $j \neq i, k$).

2) After receiving all $\Delta_i$ values, each $CH_j$ reconstructs its share key:
$$d'_j = d_j + \Big(\sum_{i\in\varphi,\, i\neq k} \Delta_i - f_k(I_j)\Big)P_m = \sum_{i\in\varphi,\, i\neq k} \big(f_i(I_j) + \Delta_i\big)P_m = \sum_{i\in\varphi,\, i\neq k} f'_i(I_j)\,P_m,$$
where $f'_i(x) = f_i(x) + \Delta_i$ is the updated polynomial of $CH_i$ (the sum includes $CH_j$'s own $\Delta_j$). The contribution $f_k(I_j)$ of the revoked $CH_k$ is removed from every share, and the master secret key is refreshed to $\sum_{i\in\varphi,\, i\neq k}(a_{i,0} + \Delta_i)P_m$.

Because $t$ CHs are required to provide the D-PKG services, such as key revocation, we initiate the key eviction scheme only when the number of revoked CHs reaches the predetermined update threshold $\gamma$ ($\gamma < t$), so that the refresh completes while fewer than $t$ shares are held by revoked CHs.

By using the above distributed key management schemes, each CH can add or update its share key securely and efficiently, thus greatly reducing communication and computation costs.

F. Group Key Agreement Protocol

In this section, we present an efficient, one-round authenticated group key agreement protocol (AGKA) for cluster-based MANETs, as follows.

Round 1:

1) Each $CH_i$ ($1 \le i \le n$) randomly chooses an ephemeral key $L_i \in Z_q^*$.

2) Each $CH_i$ constructs a Lagrange interpolating polynomial of degree $n-1$, as follows:
$$B_i(x) = \sum_{u=1}^{n} L_i \prod_{j=1,\, j\neq u}^{n} \frac{x - K_{i,j}}{K_{i,u} - K_{i,j}} \pmod q = a_{i,n-1}x^{n-1} + \cdots + a_{i,1}x + a_{i,0} \pmod q,$$
where $K_{i,j}$ is the pair-wise session key of $CH_i$ and $CH_j$ ($1 \le j \le n$, $j \neq i$).

3) Each $CH_i$ then broadcasts $(a_{i,0}, a_{i,1}, \ldots, a_{i,n-1})$.

Group key computation:

1) Upon receipt of $(a_{i,0}, a_{i,1}, \ldots, a_{i,n-1})$ from the other CHs, each $CH_j$ ($1 \le j \le n$) uses the pair-wise session keys $K_{j,i}$ to recover the keys $L_i$ ($1 \le i \le n$, $i \neq j$) using the following equation:
$$B_i(K_{j,i}) = \big[a_{i,n-1}(K_{j,i})^{n-1} + \cdots + a_{i,1}K_{j,i} + a_{i,0}\big] \pmod q = L_i.$$

2) After recovering all the keys $L_i$ ($1 \le i \le n$, $i \neq j$), each $CH_j$ computes the group session key as follows: $SK = SK_j = (L_1 + L_2 + \cdots + L_n)P_m$.

We may use the multiple secrets key update scheme described in Section IV-C to periodically update the group session key, and rerun the AGKA protocol when members leave.

G. Securing D-PKGs against DoS attacks

It has been suggested that wireless networks are highly susceptible to malicious denial-of-service (DoS) attacks, which prevent legitimate users from accessing the network. One such target is the key management service. Proper authentication prevents injected messages from being accepted by the network. Under our scheme, external users cannot mount such an attack because, being unauthenticated, they cannot access the network. For authenticated users, the majority of such misbehavior can be detected via local mechanisms that eavesdrop on the broadcast channel [39]-[40]. Further, several popular security solutions to such attacks are discussed in [41]-[42].

The key eviction procedure in our scheme is expected to be initiated very rarely. Therefore, if a malicious node were to initiate this procedure frequently within a short time window, the abnormality would be easy to detect. The legitimate nodes would then record the malicious node's ID in their key revocation lists and thereafter decline to interact with it.

V. PROTOCOL ANALYSIS

In this section, we provide a security analysis of our proposed IMKM protocol and then analyze its performance. We separate our discussion into two parts: share key distribution and group key distribution.

A. Security Analysis

A.1. Share Key Distribution

We compare the security of our IMKM scheme to that of RSA certificate-based cryptography (RCBC), such as MOCA [11], URSA [12] or AKM [15], and of ID-based cryptography, such as IBC-K [16].

1) These five approaches are all based on $(t, n)$ threshold schemes. The master secret key is spread over the initial set of nodes, enhancing intrusion tolerance. This makes the service robust in the sense that an adversary must compromise at least $t$ nodes in order to recover the master secret key. It also reduces vulnerability, since the service is available as long as $t$ correctly behaving shareholders are within reach. However, once adversaries have compromised $t$ or more D-CAs or D-PKGs, they are able to construct the CA's private key, in the case of RCBC, or the PKG's master secret key, in the case of IBC-K. In contrast, in IMKM the master secret key is generated by the collaboration of all uncompromised D-PKGs. Therefore, the overall system security is still guaranteed even when $t$ shareholders are compromised.

2) The RCBC and IBC-K master secret keys are generated by a centralized authority and remain static afterward. In IMKM, by contrast, the primary function of the centralized PKG is to preload each node with its public/private key pair and all system parameters, except for the master secret key. IMKM is a fully distributed key management scheme: all the uncompromised D-PKGs are required to participate in the construction of the master secret key, so even compromise of the PKG does not reveal the master secret key.

3) In addition, with the IBC-K scheme the personal private key of a newly joined node is accumulated from $t$ shareholders, so a secure channel is required, such as physical contact or a dedicated communication channel; otherwise the system is vulnerable to passive eavesdropping or man-in-the-middle attacks.

In summary, IMKM outperforms RCBC and IBC-K withrespect to security.

A.2. Group Key Distribution

The proposed authenticated group key agreement (AGKA) protocol satisfies the following security attributes [43]-[44]:

Implicit Key Authentication: The pair-wise key is computed from each CH's ephemeral and long-term private keys, as described in Section IV-A.2. Therefore, the CHs are assured that no other CH can obtain the pair-wise keys, except their partners, which hold the corresponding private keys.

Our group key is computed from each participant's pair-wise keys, so it inherits the implicit key authentication property. Only those who hold all the corresponding pair-wise keys can generate the group session key.

Known Session Key Security: Each execution of the protocol computes a unique session key, which depends on the ephemeral keys $L_i$. Consequently, compromise of past session keys does not compromise future session keys.

Backward and Forward Secrecy: Forward secrecy prevents a user who has left a secure group from accessing future group keys. Backward secrecy prevents a newly joined user from accessing past group keys. Our AGKA protocol supports both properties.

No Key-compromise Impersonation: Suppose the long-term private key of a member is compromised. An adversary can then impersonate that member in this protocol; however, the adversary cannot impersonate other members.

No Unknown Key-share: In an unknown key-share attack, an adversary convinces a group of entities that they share a key with it, whereas in fact the key is shared between the group and some other party. This attack is unlikely to work unless the adversary obtains the pair-wise keys of some entity.

No Key Control: All members contribute to the group session key, so no single party can control the outcome. No single party can restrict the range of the group key to some predetermined value.

B. Performance Analysis

B.1. Simulation Setup

To evaluate performance, we run simulations on a Linux machine with a P4 3.4 GHz processor and 1 GB of memory. We implement our IMKM security architecture in the NS-2 [45] environment. The simulation area is 900 m × 900 m, in which nodes move from a random starting point to a random destination at speeds of 5, 10 and 15 m/s with a pause time of 5 seconds. We vary the network cluster size among 10, 20, 30 and 40 nodes and use the DSR routing protocol [46]. All cryptographic primitives are built using the MIRACL [47] and PBC [48] libraries.

For RCBC, RSA with a 1024-bit modulus is used along with the popular choice of public exponent $e = 2^{16} + 1$. For IMKM, the bilinear map $e$ is the Tate pairing [25]; $q$ is the 160-bit Solinas prime $2^{159} + 2^{17} + 1$ and $p$ is a 512-bit prime. The elliptic curve $E$ is $y^2 = x^3 + x$, defined over $F_p$. Moreover, the hash function SHA-512 [49] and the symmetric-key encryption primitive RC6 [50] are used wherever applicable.


TABLE II
PERFORMANCE OF CRYPTOGRAPHIC PRIMITIVES

Primitive                                     Time (ms)
RSA key generation                            230
RSA encryption/verification                   0.7
RSA decryption/signing                        3.6
Modular exponentiation ($g^x \bmod n$)        1.65
RC6                                           0.03
$H_1$ (hash a string to a number)             0.02
$H_2$ (hash an element of $F_p$ to a number)  1.07
$H_3$ (hash $e$ to a number)                  0.06
Scalar multiplication in $G_1$                0.61
Pairing (preprocessed)                        5.14
ID-based signing                              21.28
ID-based signature verification               26.53

B.2. Computational Costs

In this section, we evaluate the computational costs of the proposed IMKM scheme and of the RCBC scheme. TABLE II shows the measured performance of the primitives used in RCBC and IMKM. The fundamental operation underlying RSA is modular exponentiation in integer rings, and its security stems from the difficulty of factoring large integers. Elliptic curve cryptography (ECC) [51] operates on groups of points on elliptic curves and derives its security from the difficulty of the elliptic curve discrete logarithm problem (ECDLP).

Our IMKM is based on ECC and ID-based cryptography. The advantages of ECC over RSA are that it requires less memory and less computation time. ECC key lengths of 160 (224) bits provide security comparable to an RSA key of 1024 (2048) bits. With greater key lengths, the advantage of ECC over RSA increases significantly. Because the capabilities of IT infrastructure are developing rapidly, use of RSA requires ever greater key lengths to maintain the same security level. The difference between these key lengths becomes fully apparent in a resource-restricted environment, such as a MANET.

Another advantage of our ID-based IMKM is that no certificate is needed to bind user names to their public keys, which eliminates public key distribution and certificates. Because no certificate is needed, the storage requirements, network bandwidth and computational overhead are greatly reduced compared with RCBC.

B.3. Performance of verifiable secret sharing

We discuss the performance of the verifiable secret sharing (VSS) process in this section. In order to make our concept scalable, to avoid expensive long-range traffic and to enhance availability by providing service locally, we utilize a cluster-based mechanism [26]-[28] to manage the size of the subgroup in the ad hoc network. Clustering gives the network a hierarchical organization, hence scalability can be easily managed and our concept still holds as the number of secrets increases. Fig. 1 presents the average latency for each node in the VSS process. Each measurement is based on 50 simulation runs with a simulated duration of 900 s each. From Fig. 1, we see that the VSS scheme scales well with network size and node mobility; for a topology of 40 nodes with a node speed of 15 m/s, all nodes complete the process in less than 100 seconds.

Fig. 1. Verifiable secret sharing: avg. delay vs. node speed.

Fig. 2. Average messages sent, 20 nodes.

Fig. 3. Average messages sent, 40 nodes.


TABLE V
COMPARISON OF AGKA PROTOCOLS

Protocol           Round              Scalar          Pairings                        Bandwidth
Barua's ID-AGKA    $\lceil\log_3 n\rceil$   $\le 9(n-1)$    $\le 5n\lceil\log_3 n\rceil + 3$   $< 5n(n-1)$
Du's ID-AGKA       2                  $n(n+5)$        $4n$                            $3(n-1)$
Lin's AGKA         2                  $n$             $2n$                            $2n$
Our ID-AGKA        1                  $n$             None                            $n$

Fig. 4. Average bytes sent, 20 nodes.

Fig. 5. Average bytes sent, 40 nodes.

TABLE III
IMKM KEY UPDATE AVG. COMPLETION TIME (SEC)

Speed (m/s)    Network cluster size
               10        20        30        40
5              3.729     8.106     16.174    27.977
10             4.029     9.032     16.594    29.741
15             3.964     9.613     17.103    30.241

B.4. Comparison in Key Update

In this section, we compare our IMKM with RCBC with respect to key updates. With RCBC, the threshold $t$ is set to 5, and the duration of the key update spans from the first point of contact between a node and $t$ random D-CAs to the point where the last node completes its key update. For IMKM, the key eviction process starts when the revocation leader broadcasts a key update message to the other D-PKGs and finishes after all the D-PKGs have securely exchanged the key update materials. TABLE III and TABLE IV show the average completion time of the key update process for different cluster sizes and speeds. The key update time includes packet transmission time and all cryptographic processing time.

TABLE IV
RCBC KEY UPDATE AVG. COMPLETION TIME (SEC)

Speed (m/s)    Network cluster size
               10        20        30        40
5              99.986    132.292   149.857   198.699
10             100.352   131.788   150.51    199.69
15             99.09     132.439   150.489   200.767

We also count the key update bandwidth overhead in terms of the number of messages and bytes, including all key requests and replies, in the IMKM and RCBC schemes. In Figs. 2 and 3, we compare the average number of messages sent by all nodes. Figs. 4 and 5 compare the average total amount of traffic (in bytes) sent by all nodes. Note that the overhead is similar at all mobility speeds, suggesting that both schemes are robust to mobility. However, RCBC requires significantly larger overhead than IMKM.

Note as well that the key eviction process is only initiated in the worst-case scenario, where the number of revoked D-PKGs reaches the predefined key update threshold $\gamma$ within a predetermined time interval. If fewer than $\gamma$ D-PKGs are revoked, IMKM only requires a periodic key update using the multiple secrets key update scheme (cf. Section IV-C), which entails no additional communication and requires only one point multiplication in $G_1$.

B.5. Comparison in Group Key Distribution

We compare our ID-AGKA protocol with three others, Barua's ID-AGKA [18], Du's ID-AGKA [20] and Lin's protocol [24], in terms of communication and computational costs.

We use the following notation in this discussion:
– Round: the total number of rounds.
– Scalar: the total number of scalar multiplications in $G_1$.
– Pairings: the total number of pairing computations.
– Bandwidth: the total number of messages sent by CHs.

As shown in TABLE V, our protocol performs better than Barua's, Du's and Lin's protocols in terms of the number of rounds, pairing computations and communication bandwidth.


Fig. 6. Subshares distribution.

VI. CONCLUSION

We have proposed a secure, efficient, and scalable distributed ID-based multiple secrets key management scheme (IMKM) for cluster-based mobile ad hoc networks. In order to address the highly dynamic topologies and varying link qualities of ad hoc networks, the master secret key is generated and distributed by all clusterheads. As a result, not only are central instances, which constitute single points of attack and failure, avoided, but this also leads to more autonomous and flexible key update methods.

Further, we presented an efficient one-round ID-based authenticated group key agreement (ID-AGKA) protocol, which minimizes the number of rounds and bandwidth usage and satisfies all primary security requirements.

According to our protocol analysis, we believe that the proposed IMKM scheme improves on the security and performance of previously proposed key management protocols (i.e., RCBC and IBC-K) for MANETs.

APPENDIX

MATHEMATICAL ANALYSIS

We provide herein a detailed mathematical analysis, by way of an example, of how we construct the master secret key $D$ described in Section IV-A.3.

Suppose the network consists of 4 nodes ($i, j, k, l$), as illustrated in Fig. 6. The threshold $t$ is set to 3.

A. Sharing phase:

1) Since all 4 nodes are required to participate in the construction of the master secret key in our scheme, each node creates a $(t, n) = (3, 4)$ threshold sharing of its $a_0$ by generating a random polynomial of degree $t-1$, $f(x) = \sum_{l=0}^{t-1} a_l x^l \pmod q$, that is:
Node $i$ generates $f_i(x) = a_{i,0} + a_{i,1}x + a_{i,2}x^2 \pmod q$
Node $j$ generates $f_j(x) = a_{j,0} + a_{j,1}x + a_{j,2}x^2 \pmod q$
Node $k$ generates $f_k(x) = a_{k,0} + a_{k,1}x + a_{k,2}x^2 \pmod q$
Node $l$ generates $f_l(x) = a_{l,0} + a_{l,1}x + a_{l,2}x^2 \pmod q$

2) Each node sends subshares to the other nodes:
Node $i$ sends $f_i(ID_i), f_i(ID_j), f_i(ID_k), f_i(ID_l)$ to $i, j, k$ and $l$, respectively.
Node $j$ sends $f_j(ID_i), f_j(ID_j), f_j(ID_k), f_j(ID_l)$ to $i, j, k$ and $l$, respectively.
Node $k$ sends $f_k(ID_i), f_k(ID_j), f_k(ID_k), f_k(ID_l)$ to $i, j, k$ and $l$, respectively.
Node $l$ sends $f_l(ID_i), f_l(ID_j), f_l(ID_k), f_l(ID_l)$ to $i, j, k$ and $l$, respectively.

3) Each node computes a share key:
Node $i$ receives $f_i(ID_i), f_j(ID_i), f_k(ID_i), f_l(ID_i)$ from $i, j, k$ and $l$, respectively, and computes the share key $d_i = (f_i(ID_i) + f_j(ID_i) + f_k(ID_i) + f_l(ID_i))P_0$.
Node $j$ receives $f_i(ID_j), f_j(ID_j), f_k(ID_j), f_l(ID_j)$ from $i, j, k$ and $l$, respectively, and computes the share key $d_j = (f_i(ID_j) + f_j(ID_j) + f_k(ID_j) + f_l(ID_j))P_0$.
Node $k$ receives $f_i(ID_k), f_j(ID_k), f_k(ID_k), f_l(ID_k)$ from $i, j, k$ and $l$, respectively, and computes the share key $d_k = (f_i(ID_k) + f_j(ID_k) + f_k(ID_k) + f_l(ID_k))P_0$.
Node $l$ receives $f_i(ID_l), f_j(ID_l), f_k(ID_l), f_l(ID_l)$ from $i, j, k$ and $l$, respectively, and computes the share key $d_l = (f_i(ID_l) + f_j(ID_l) + f_k(ID_l) + f_l(ID_l))P_0$.

B. Reconstruction phase:

Any subset $\varepsilon$ of $t$ nodes (e.g. $i, j, k$) can determine the master secret key $D$:
$$D = \sum_{r\in\varepsilon} d_r\,\lambda_r(0) = d_i\lambda_i(0) + d_j\lambda_j(0) + d_k\lambda_k(0)$$
$$= \big((f_i(ID_i) + f_j(ID_i) + f_k(ID_i) + f_l(ID_i))\lambda_i(0) + (f_i(ID_j) + f_j(ID_j) + f_k(ID_j) + f_l(ID_j))\lambda_j(0) + (f_i(ID_k) + f_j(ID_k) + f_k(ID_k) + f_l(ID_k))\lambda_k(0)\big)P_0$$
$$= \big(f_i(ID_i)\lambda_i(0) + f_i(ID_j)\lambda_j(0) + f_i(ID_k)\lambda_k(0) + f_j(ID_i)\lambda_i(0) + f_j(ID_j)\lambda_j(0) + f_j(ID_k)\lambda_k(0) + f_k(ID_i)\lambda_i(0) + f_k(ID_j)\lambda_j(0) + f_k(ID_k)\lambda_k(0) + f_l(ID_i)\lambda_i(0) + f_l(ID_j)\lambda_j(0) + f_l(ID_k)\lambda_k(0)\big)P_0$$
$$= \Big(\sum_{r\in\varepsilon} f_i(ID_r)\lambda_r(0) + \sum_{r\in\varepsilon} f_j(ID_r)\lambda_r(0) + \sum_{r\in\varepsilon} f_k(ID_r)\lambda_r(0) + \sum_{r\in\varepsilon} f_l(ID_r)\lambda_r(0)\Big)P_0$$
$$= (a_{i,0} + a_{j,0} + a_{k,0} + a_{l,0})P_0,$$
where $\varepsilon$ is the set of $t$ nodes and $\lambda_r(0) = \prod_{u\in\varepsilon,\, u\neq r} \dfrac{-ID_u}{ID_r - ID_u} \pmod q$.
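The Appendix's $(t, n) = (3, 4)$ sharing and reconstruction, run in code as an added example that is not part of the paper. It works over the scalar field $Z_q$ and omits the multiplication by $P_0$, since the derivation above shows every term is a scalar times $P_0$; it checks that every $t$-subset of nodes recovers the same $D = a_{i,0} + a_{j,0} + a_{k,0} + a_{l,0}$, that $t - 1$ shares do not, and that no single node's own constant term is $D$. The toy field order Q, the numeric identities $ID_i, \ldots, ID_l$ and the function names are assumptions of this example.

```python
"""Added example: the Appendix's (t, n) = (3, 4) joint secret sharing among
nodes i, j, k, l and reconstruction of the master secret D from any t shares,
over the scalar field Z_q (the multiplication by P_0 is left out)."""
import secrets
from itertools import combinations

Q = 2**127 - 1  # assumed toy field order


def poly_eval(coeffs, x):
    """f(x) = a_0 + a_1 x + a_2 x^2 + ... (mod Q), coefficients low to high."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lagrange_at_zero(ids, r):
    """lambda_r(0) = prod_{u in ids, u != r} (-ID_u) / (ID_r - ID_u)  (mod Q)."""
    num = den = 1
    for u in ids:
        if u != r:
            num = num * (-u) % Q
            den = den * (r - u) % Q
    return num * pow(den, -1, Q) % Q


def sharing_phase(ids, t):
    """Steps 1-3: node src picks f_src of degree t-1 and sends f_src(ID_dst)
    to every dst (itself included); dst adds up what it receives.
    Returns (polynomials, subshares[(src, dst)], shares[dst])."""
    polys = {v: [secrets.randbelow(Q) for _ in range(t)] for v in ids}
    subshares = {(s, d): poly_eval(polys[s], d) for s in ids for d in ids}
    shares = {d: sum(subshares[(s, d)] for s in ids) % Q for d in ids}
    return polys, subshares, shares


def reconstruct(shares, eps):
    """D = sum_{r in eps} d_r * lambda_r(0) for a subset eps of t nodes."""
    return sum(shares[r] * lagrange_at_zero(eps, r) for r in eps) % Q


def sum_of_constants(polys):
    """The closed form the derivation ends with: a_{i,0}+a_{j,0}+a_{k,0}+a_{l,0}."""
    return sum(f[0] for f in polys.values()) % Q


def demo(t=3):
    """Assumed identities ID_i..ID_l; returns the checks as booleans."""
    ids = {"i": 17, "j": 29, "k": 31, "l": 53}
    polys, subshares, shares = sharing_phase(list(ids.values()), t)
    D = sum_of_constants(polys)
    every_t_subset = all(reconstruct(shares, list(eps)) == D
                         for eps in combinations(ids.values(), t))
    # t - 1 shares interpolate a line through two points of a quadratic: not D
    two_shares = reconstruct(shares, [ids["i"], ids["j"]])
    # D is jointly generated: no node's own a_{node,0} equals it
    no_single_owner = all(f[0] != D for f in polys.values())
    return {"any_t_nodes_recover_D": every_t_subset,
            "fewer_than_t_fail": two_shares != D,
            "no_single_owner": no_single_owner}


if __name__ == "__main__":
    print(demo())
```

Because the Lagrange basis at 0 reproduces any polynomial of degree below the number of interpolation points, `reconstruct` also works when `eps` holds all four nodes; the $t$-subset case is the one the Appendix relies on.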

REFERENCES

[1] A. Shamir, "Identity-based cryptosystems and signature schemes," Advances in Cryptology-CRYPTO '84, LNCS 196, pp. 47-53, Springer-Verlag, 1984.

[2] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," Advances in Cryptology-CRYPTO 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.

[3] S. Shin and T. Kwon, "Efficient and secure key agreement for merging clusters in ad-hoc networking environments," IEICE Trans. Commun., vol. E90-B, no. 7, pp. 1575-1583, 2007.

[4] J. Zhang, L. Sun, Y. Tang, and S. Yang, "D-VKT: a scalable distributed key agreement scheme for dynamic collaborative groups," IEICE Trans., vol. 90-B, no. 4, pp. 750-760, 2007.

[5] L. Zhou and Z. J. Haas, "Securing ad hoc networks," IEEE Network Mag., vol. 13, no. 6, 1999.

[6] A. Shamir, "How to share a secret," Commun. ACM, vol. 22, no. 11, pp. 612-613, 1979.

[7] Y. Desmedt and Y. Frankel, "Threshold cryptosystems," CRYPTO '89, pp. 307-315, Aug. 1989.

[8] A. M. Hegland, E. Winjum, S. Mjolsnes, C. Rong, Kure, and P. Spilling, "A survey of key management in ad hoc networks," IEEE Commun. Surveys Tutorials, 3rd Quarter 2006.

[9] J. van der Merwe, D. Dawoud, and S. McDonald, "A survey on peer-to-peer key management for mobile ad hoc networks," ACM Comput. Surveys, vol. 39, no. 1, 2007.

[10] A. Baayer, N. Enneya, and M. El Koutbi, "A recent survey on key management schemes in MANET," in Proc. Int. Conf. Inf. Commun. Technol.: From Theory to Applications, Damascus, Syria, Apr. 2008.


[11] S. Yi and R. Kravets, "MOCA: mobile certificate authority for wireless ad hoc networks," in Proc. Second Ann. PKI Research Workshop (PKI '03), Apr. 2003.

[12] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, "URSA: ubiquitous and robust access control for mobile ad hoc networks," IEEE/ACM Trans. Networking, vol. 12, no. 6, pp. 1049-1063, Dec. 2004.

[13] M. Narasimha, G. Tsudik, and J. H. Yi, "On the utility of distributed cryptography in P2P and MANETs: the case of membership control," in Proc. IEEE Int'l Conf. Netw. Protocols, Nov. 2003.

[14] J. R. Douceur, "The Sybil attack," in Proc. First Int'l Workshop Peer-to-Peer Systems (IPTPS '02), pp. 251-260, Mar. 2002.

[15] B. Zhu et al., "Efficient and robust key management for large mobile ad hoc networks," Comput. Netw., vol. 48, no. 4, pp. 6572, July 2005.

[16] A. Khalili, J. Katz, and W. A. Arbaugh, "Towards secure key distribution in truly ad-hoc networks," in Proc. IEEE Wksp. Security Assurance Ad Hoc Netw., 2003.

[17] A. Joux, "A one round protocol for tripartite Diffie-Hellman," in Proc. ANTS IV, LNCS 1838, pp. 385-394, Springer-Verlag, 2000.

[18] R. Barua, R. Dutta, and P. Sarkar, "Extending Joux's protocol to multi party key agreement," INDOCRYPT '03, LNCS 2904, pp. 205-217, Springer-Verlag, 2003.

[19] K. Choi, J. Hwang, and D. Lee, "Efficient ID-based group key agreement with bilinear maps," PKC '04, LNCS 2947, pp. 130-144, Springer-Verlag, 2004.

[20] X. Du, Y. Wang, J. Ge, and Y. Wang, "ID-based authenticated two round multi-party key agreement," Cryptology ePrint Archive, Report 2003/247.

[21] M. Burmester and Y. Desmedt, "A secure and efficient conference key distribution system," Advances in Cryptology-EUROCRYPT '94, LNCS, Springer-Verlag, Berlin, Germany, 1994.

[22] F. G. Zhang and X. F. Chen, "Attack on two ID-based authenticated group key agreement schemes," Cryptology ePrint Archive, Report 2003/259.

[23] K. Shim, "Further analysis of ID-based authenticated group key agreement protocol from bilinear maps," IEICE Trans., vol. E90-A, no. 1, Jan. 2007.

[24] C. H. Lin, H. H. Lin, and J. H. Chang, "Multiparty key agreement for secure teleconferencing," in Proc. IEEE Int. Conf. Systems, Man and Cybernetics 2006, vol. 5, pp. 3702-3707.

[25] P. S. L. M. Barreto, H. Y. Kim, and M. Scott, "Efficient algorithms for pairing-based cryptosystems," Advances in Cryptology-CRYPTO 2002, LNCS 2442, pp. 354-368, Springer-Verlag.

[26] L. Kleinrock and F. Kamoun, "Optimal clustering structures for hierarchical topological design of large computer networks," Netw., pp. 221-248, Fall 1980.

[27] R. Krishnan, R. Ramanathan, and M. Steenstrup, "Optimization algorithms for large self-structuring networks," in Proc. IEEE INFOCOM, pp. 71-78, Mar. 1999.

[28] M. Bechler, H.-J. Hof, D. Kraft, F. Pahlke, and L. Wolf, "A cluster based security architecture for ad hoc networks," in Proc. IEEE INFOCOM, Mar. 2004.

[29] Y. Zhang and W. Lee, "Intrusion detection in wireless ad-hoc networks," in Proc. ACM MobiCom, Aug. 2000.

[30] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, "Proactive secret sharing or: how to cope with perpetual leakage," in Proc. CRYPTO '95, pp. 339-352, 1995.

[31] N. McCullagh and P. S. L. M. Barreto, "A new two-party identity-based authenticated key agreement," CT-RSA 2005, LNCS 3376, pp. 262-274, Springer-Verlag, 2005.

[32] P. Feldman, "A practical scheme for non-interactive verifiable secret sharing," in Proc. 28th IEEE Symp. Foundations Comput. Science, 1987, pp. 427-437.

[33] T. Pedersen, "Non-interactive and information-theoretic secure verifiable secret sharing," Advances in Cryptology-CRYPTO '91, LNCS 576, 1992, pp. 129-140.

[34] D. Liu, P. Ning, and K. Sun, "Efficient self-healing key distribution with revocation capability," in Proc. 10th ACM Conf. Comput. Commun. Security, pp. 231-240, 2003.

[35] J. Staddon, S. Miner, M. Franklin, D. Balfanz, M. Malkin, and D. Dean, "Self-healing key distribution with revocation," IEEE Symp. Security Privacy, pp. 224-240, 2002.

[36] C. Blundo, P. D'Arco, A. Santis, and M. Listo, "Design of self-healing key distribution schemes," Designs, Codes and Cryptography, no. 32, pp. 15-44, 2004.

[37] H. Deng, A. Mukherjee, and D. Agrawal, "Threshold and identity-based key management and authentication for wireless ad hoc networks," in Proc. Int'l Conf. Inf. Technol.: Coding Comput. (ITCC '04), Apr. 2004.

[38] K. Barr and K. Asanovic, "Energy aware lossless data compression," in Proc. First Int'l Conf. Mobile Systems, Applications, Services (MobiSys '03), pp. 231-244, May 2003.

[39] S. Marti, T. Giuli, K. Lai, and M. Baker, "Mitigating routing misbehavior in mobile ad hoc networks," in Proc. ACM MobiCom, 2000.

[40] H. Yang, X. Meng, and S. Lu, "Self-organized network layer security in mobile ad hoc networks," in Proc. First ACM Workshop Wireless Security (WiSe), 2002.

[41] W. Li and A. Joshi, "Security issues in mobile ad hoc networks: a survey," Dept. Computer Science and Electrical Engineering, University of Maryland, Baltimore County.

[42] D. Djenouri, L. Khelladi, and A. N. Badache, "A survey of security issues in mobile ad hoc and sensor networks," IEEE Commun. Surveys Tutorials, vol. 7, no. 4, pp. 2-28, Fourth Quarter 2005.

[43] S. Blake-Wilson, D. Johnson, and A. Menezes, "Key agreement protocols and their security analysis," in Proc. Sixth IMA Int. Conf. Cryptography and Coding, Cirencester, England, 1997.

[44] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. CRC Press, 1996.

[45] NS-2 (The Network Simulator). [Online]. Available: http://www.isi.edu/nsnam/ns/

[46] D. B. Johnson and D. A. Maltz, "Dynamic source routing in ad hoc wireless networks," in Mobile Computing, T. Imielinski and H. Korth, Eds., vol. 353, pp. 153-181, Kluwer Academic Publishers, 1996.

[47] Shamus Software Ltd., "MIRACL library." [Online]. Available: http://www.shamus.ie/

[48] "PBC library," GNU General Public License. [Online]. Available: http://crypto.stanford.edu/pbc/

[49] National Institute of Standards and Technology, Secure Hash Standard, FIPS PUB 180-2.

[50] R. Rivest, M. Robshaw, R. Sidney, and L. Yin, "The RC6 block cipher (v1.1)." [Online]. Available: ftp://ftp.rsasecurity.com/pub/rsalabs/rc6/rc6v11.pdf, Aug. 2006.

[51] N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, vol. 48, no. 177, pp. 203-209, Jan. 1987.

Lung-Chung Li received the B.S. degree in Mechanical Engineering from St. John's University, Taiwan, in 1983 and the M.S. degree in Computer and Information Science from New Jersey Institute of Technology, New Jersey, in 1990. He is currently a lecturer in the Center for General Education at Chang Gung University, and also a Ph.D. candidate in the Department of Computer Engineering and Science at Yuan-Ze University, Chungli, Taiwan. His research interests include mobile ad hoc networks, wireless sensor networks and network security.

Ru-Sheng Liu received the B.S. degree in Electrical Engineering from National Cheng Kung University, Taiwan, in 1972 and the M.S. and Ph.D. degrees in Computer Science from the University of Texas at Dallas, Richardson, Texas, in 1981 and 1985, respectively. He is currently an associate professor in the Department of Computer Engineering and Science at Yuan-Ze University, Chungli, Taiwan. His research interests are in the areas of mobile computing, internet technology, and computer algorithms.