Research ArticleSecure Collaborative Key Management for Dynamic Groups inMobile Networks
Sukin Kang Cheongmin Ji and Manpyo Hong
Department of Computer Engineering Ajou University Suwon 443-749 Republic of Korea
Correspondence should be addressed to Manpyo Hong mphongajouackr
Received 29 March 2014 Accepted 31 July 2014 Published 21 August 2014
Academic Editor Young-Sik Jeong
Copyright copy 2014 Sukin Kang et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
Mobile networks are composed of heterogeneous mobile devices with peer-to-peer wireless communication Their dynamic andself-organizing natures pose security challenge We consider secure group key management for peer dynamic groups in mobilewireless networks Many group based applications have achieved remarkable growth along with increasing use of multicastbased services The key sharing among the group members is an important issue for secure group communication because thecommunication for many participants implies that the likelihood of illegal overhearing increases We propose a group key sharingscheme and efficient rekeying methods for frequent membership changes from network dynamics The proposed method enablesthe group members to simply establish a group key and provide high flexibility for dynamic group changes such as member joinor leave and group merging or partition We conduct mathematical evaluation with other group key management protocols andfinally prove its security by demonstrating group key secrecy backward and forward secrecy key independence and implicit keyauthentication under the decisional Diffie-Hellman (DDH) assumption
1 Introduction
Advances in wireless communications and mobile deviceshave made various types of mobile networks such as mobilead hoc networks (MANETs) wirelessmobile sensor networks(WMSNs) and Internet of things (IoT) In mobile networksheterogeneous devices such as smartphones laptops andsmart sensors perform peer-to-peer (machine-to-machine)communications without depending on any fixed infrastruc-ture Mobile networks have features distinct from conven-tional networks First network topology changes dynamicallydue to themobility of nodes which causes frequent switchingof network connection state Additionally many applica-tions in mobile networks support one-to-many (multicast)communication where common data are transferred tomultiple destinations from a source for instance militarycommunication (battlefield) health care system industrialmonitoring on-line conferencing collaborative workspaceand disastermanagementThey build a collaborative group of
entities called groupmembers which participate inmulticastgroup communications as a group member and managegroup membership changed by node mobility
Group communication over wireless networks is suscep-tible to illegal overhearing such as packet sniffing When agroup deals with sensitive information secure group com-munication must be achieved by sharing a common secretkeymdashgroup key for confidentiality of group messages withdata encryption In other words it is essential to decidehow to share a key among group members and how toupdate the group key for group membership change [1ndash3]A typical approach is based on centralized key distributionwith a trusted third party (TTP) [4ndash8] It provides scalablegroup key management for large groups using symmetricencryption such as advanced encryption standard (AES) andhierarchical logical key tree However it fairly depends on aconstantly accessible TTP This requirement is not suitablefor mobile networks with peer-to-peer communication Toapply a symmetric key based approach without a TTP a node
Hindawi Publishing CorporationJournal of Applied MathematicsVolume 2014 Article ID 601625 10 pageshttpdxdoiorg1011552014601625
2 Journal of Applied Mathematics
should establish secure connection for sharing a pairwisekey with all other mobile nodes in a group It requiresmuch communication and depends on another key sharingscheme [9] Diffie-Hellman (DH) key exchange [10] is aprotocol to establish a common key based on asymmetrickeys without any TTP It allows two parties to share a keyusing their secrets over an insecure channel To extend DHinto group setting group key agreement (GKA) protocolshave been developed [11ndash16] In the protocols also known ascontributory key agreement all groupmembers contribute togeneration of a commonkeyWhile providing dynamic groupkey management they require considerable messages oroperations to establish and update group keys An approachfor reducing computation cost deploys tree structure tohandle keymanagement Tree-based group key protocols [15ndash18] need to supportmanagement of tree structure and requireordered message delivery for calculation from leaves to theroot of the tree
In this paper we investigate secure group key distributionand management for collaborative groups with high groupflexibility We propose a DH-based group key managementprotocol and show security proof of the proposed scheme andmathematical evaluation with other GKA protocols
The remainder of the paper is organized as follows InSection 2 we address related works Section 3 explains ourgroup key management scheme with group membershipevents and security requirements Section 4 describes per-formance analysis and Section 5 shows security proof forthe proposed key management We conclude the paper inSection 6
2 Related Work
Over the past few decades a considerable number of studieshave been conducted on group key establishment and man-agement A typical approach is centralized key distributionbased on constantly accessible TTP and pairwise keys [4ndash8] These studies showed apparent efficiency for large groupssuch as wireless sensor network (WSN) Since however amobile network is comprised of peer-to-peer communica-tions with dynamic mobility and without a TTP it is difficultto provide scalable group keymanagement on arbitrary groupsetting [15]
We focus on DH based group key management knownas group key agreement (GKA) in which a common keyis generated by all group membersrsquo equal contributionsDH protocol allows two parties to share a key using theirsecrets over an insecure channel [10] The key computationof DH uses the multiplicative group of integer modulo 119901where 119901 is a large prime number Each party chooses arandom number 119909
119894in Z119901and computes 119892
119909119894 mod 119901 where119892 is a primitive root (generator) mod119901 They exchange thecomputed values 1198921199091 mod 119901 and 119892
1199092 mod 119901 and agree onthe common key
119870 = (1198921199091)1199092 mod 119901 = (119892
1199092)1199091 mod 119901 (1)
For extending it to group setting Burmester andDesmedt(BD) proposed a conference key exchange system [11]
depending on a broadcast manner When the number ofgroup members is n the group key (GK) of BD becomes
GK = 11989211990911199092+11990921199093+sdotsdotsdot+119909119899minus1119909119899 mod 119901 (2)
As BD system requires large communication messagesSteiner et al proposed group key agreement protocols calledgroup Diffie-Hellman (GDH) [12 13] In GDH
GK = 11989211990911199092 119909119899minus1119909119899 mod 119901 (3)
They showed not only that DH can be extended efficientlyto group setting but also that their protocol can dealefficiently with group membership change They presentedthree distinct group key agreements GDH1 GDH2 andGDH3 which later was advanced as a protocol suite knownasCLIQUES [13] InGDHx groupmembers can individuallyor massively join and leave CLIQUES also considers groupintegration and group division A variant of GDH protocolis a centralized key distribution (CKD) scheme In CKD acontroller distributes the group key to every member usingpairwise temporal keys between the controller and each ofthe members which is computed using DH fashion
As group dynamics have become an important issuesome studies have adopted tree-based approach [15ndash18]Skinny tree (STR) protocol [16] has good performance formember addition In STR
GK = 119892119909119899119892119909119899minus1119892119892119909311989211990911199092
mod 119901 (4)
While STR uses unbalanced key tree for group key compu-tation tree-based group Diffie-Hellman (TGDH) leveragesbalanced tree structure Given eight group members inTGDH the group key is computed as follows
GK = 11989211989211989211990911199092 1198921199093119909411989211989211990951199096 11989211990971199098
mod 119901 (5)
STR and TGDH require a sponsor node which distributesintermediate computing keys in the tree during membershipevent changes As tree-based protocols apparently help toreduce communication cost and operation cost there havebeen several variants of TGDH [17 18] However they needto support management for tree balance and require messagedelivery order due to hierarchical tree structure In mobilenetworks much communication would be required to makesure that the group members can keep the synchronized treestructure
In summary DH-based group key protocol is generallyknown as GKA protocol Although our protocol is basedon DH we do not classify it as a GKA protocol becauseof key distribution feature from a controller Our proposedscheme provides the advantage of dynamics and collaborativecontribution in computing group keys with a modified keyagreement method
3 Secure Group Key Management forMobile Networks
31 Membership and Security Requirements Groupmember-ship events occur with either insertion of a new node or
Journal of Applied Mathematics 3
Member join
Member leave
Group partitionGroup merging
Figure 1 Four kinds ofmembership events (1)member join (singlejoin ormass join) (2)member leave (a single leave ormass leave) (3)group merging (group join) and (4) group partition (group leave)A small circle represents a node while a big circle represents a groupof nodes
deletion of an existingmemberWe define the insertion eventasmember join and the deletion event asmember leaveWhenthere is only one event node specifically we call each singlejoin and single leave and when there are two or more eventnodes we call eachmass join andmass leave Furthermore weconsider a group insertion into a group and a group partitioninto two distinct groups We define them as group mergingand group partition respectively Figure 1 shows summary ofdefined membership events
Group membership change is closely related to securityof group communication Outgoingmembers should have noaccess to group communication after it leaves the group andingoing nodes should be prevented from accessing previousgroup communication before it joins the group We definecryptographic properties in which a secure group dependingon a group key should meet (1) group key secrecy thatguarantees an adversary who knows that messages sent togroupmembers cannot discover any group key in polynomialtime (2) backward secrecy that guarantees a new member oran adversary who knows that the current group key cannotdiscover any previous group key in polynomial time (3)forward secrecy that guarantees a former group member oran adversary who knows that previous group keys cannotdiscover any subsequent group key in polynomial time (4)key independence that guarantees an adversary who knowsthat a proper subset of group keys cannot discover anyother group keys in polynomial time and (5) (implicit) keyauthentication that guarantees that no one apart from a groupmember recovers the group key
32 Group Key Establishment We present a new group keyprotocol collaborative Diffie-Hellman (CODH) CODH hascentralized topology and key distribution property from aleader node But unlike conventional centralized schemewith TTP in CODH a group leader computes and distributesa group key by using public keys of group members Weformalize the group key protocol and prove its security
CODH has one leader called master The leader is alsoone of groupmembers It consumesmore energy thannormalnodes for communication and operation in managing groupkeys There will be a policy for choosing a leader In mobilenetworks signal strength degree to neighbors identity andresources (CPU memory battery and bandwidth) would becriteria for leader election [19ndash21] When a group is createdthe first master is elected among group members and per-forms group key initialization Afterwards group membersselect a new master when receiving master notification forleader change Once a new groupmaster is selected for groupmanagement the previous master forwards informationabout group members to the newmaster that is a delegationprocess is run (refer to Sections 33 and 34) On the otherhand connection failure may occur by network isolation ordenial of service attacks (We assume that group participantsare honest and not compromised However they can bethreatened by network adversaries who can perform all ofnetwork-based attacks) We consider the connection failureas a kind of member leave whether the left node is a memberor the master
Notation section represents notations used to illustrateour group key protocol The index ldquosrdquo stands for the masternode in a group that is distinct from 119894 or 119895 which indicates ageneralmember nodeTherefore119872
119894or119872119895means an identity
for general member while119872119904denotes themaster Lock-secret
is defined as a secret value of a member It locks the groupkey so that 119872
119904can securely transfer the group key to the
members General members use their unlock-secret to extractthe group key from119872
119904rsquos broadcast message of a locked group
keyWe adopt inverse exponentiation for obtaining the group
key Let119862119899be a group of size 119899 that is119862
119899= 11987211198722 119872
119899
and119872119904isin 119862119899 To share the initial group key the group119862
119899runs
steps in Box 1 for the initial phaseThe initial phase consists of two rounds In the first round
all members except the group master send their locker 119892119909119894
to the master via unicast and the master produces the lockerlist 119883119871
119862 from receiving messages In the second round
the master 119872119904selects a random secret 119896 and computes and
broadcasts the locked group key (119883119894)119896= (119892119909119894)119896 using 119883119871
119862
Then each member can compute the group key GK usingtheir own unlock-secret 119910
119894 as follows
GK equiv (119883119896
119894)119910119894 mod 119901 equiv (119892
119909119894119910119894)119896 mod 119901 equiv 119892
119896 mod 119901 (6)
The group key is equal to the locker of the group masterwhen 119896 is the masterrsquos secret Therefore operations forcomputing119883
119896
119894and group messages never include119883
119904
33 Group Rekeying for Member Join and Leave Themaster-secret should be renewed when membership changes sinceit is used for the new group key GK1015840 In Box 2 (member joinprocess) 1198961015840 means a new master-secret that 119872
119904selects Let
119872119899+1
be the first new member and let 119872119899+119898
be the last newmember when119898 newmembers join the group 119862
119899(if a single
member joins the new member is only one node 119872119899+1
) Anewmember119872
119895(119899+1 le 119895 le 119899+119898) sends its locker119883
119895to the
4 Journal of Applied Mathematics
Assume that the group of 119899members establish a group keyStep 1 Each member selects random 119909
119894isin Z119902and computes119883
119894= 119892119909119894 mod p
119872119894rarr 119872
119904119883119894(119894 isin [1 119899] 119894 = 119904)
Step 2119872119904selects random 119896 in Z
119902for group key sharing and computes key-locks
119872119904rArr 119862119899 (119883119894)119896| 119894 isin [1 119899] 119894 = 119904
Box 1 Group key initialization
Assume thatmmembers are added to the group 119862119899
Step 1 Each new member119872119895(119899 + 1 le 119895 le 119899 + 119898) selects random 119909
119895isin Z119902and computes119883
119895= 119892119909119895 mod p
119872119895rarr 119872
119904119883119895(119895 isin [119899 + 1 119899 + 119898])
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks
119872119904rArr 119862119899 (119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 2 Group rekeying for member join
Assume that a subset 119871119898of current group 119862
119899is composed ofm leaving members in
the group and does not include the group master119872119904
Step 1119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899 119871119898 (119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119871119898 119894 = 119904
Box 3 Group rekeying for member leave
master and then119872119904broadcasts locked new group key GK1015840 =
1198921198961015840
to all the group members in the same manner as secondround of initial phase as in Box 2 All members includingnewmembers can extract the new group keyGK1015840 in the sameway as (6)
Unlike the join event member leave process does notrequire the first round for sending lockers to the master Let asubset of 119862
119899for leaving members be 119871
119898sub 119862119899(119872119904notin 119871119898)
Group members conduct rekeying operations for the newgroup key GK1015840 as in Box 3
The leaving nodes cannot learn the new group keybecause the broadcast message from 119872
119904does not contain
any locker 119883119894for leaving members Note that the set 119871
119898for
the leaving node does not include the master Leaving of themaster requires lsquodelegationrsquo duringwhich themaster forwardslocker list 119883119871
119862for group 119862
119899to new group master(119872
1199041015840) as
follows
119872119904997888rarr 119872
1199041015840 119883119871
119862= 119883119895| 119872119895isin 119862119899 119895 = 119904 (7)
The delegation can be used for another case where the masterwishes to finish its masterrsquos role for a reason such as networktopology change or resource exhaustion that is the masterturns to a group member not leaving the group In this casethe delegation message includes the former masterrsquos lockergenerated with new selected secret 119909
119904as follows
119872119904997888rarr 119872
1199041015840 119883119871
119862= 119883119895| 119872119895isin 119862119899 119909119904
= 119896 119909119904
= 1198961015840 (8)
When group members detect unexpected disconnectionfrom themaster they restart group key initializationwith new
master selection At the worst case members can suffer fromfrequent connection failure with the master In this case thefirst protocol should be slightly modified tomake all of groupmembers have the locker list and any member be the groupmaster to proceed Box 3 For instance a general member atthe first step of Box 1 broadcasts its locker to the group asfollows
119872119894997904rArr 119862
119899 119883119894 (119894 isin [1 119899] 119894 = 119904) (9)
The group members continue secure communication with afresh group key obtained through group rekeyingWeprovideformal security proofs in Section 5
34 Group Rekeying for Group Merging and Partition Thereare two ways to integrate two groups into one group com-pletely individual join and group join The former is thatmembers of a group join another group individually It issimilar to the mass joining process saving that the joiningmaster should generate his lock-secret 119909
119904 and locker 119892119909119904
The latter way is that a group is absorbed into the other groupvia delegation process between both group masters
Let two groups be merged 119862119899
= 11987211198722 119872
119899 and
119877119898
= 11987211198722 119872
119898 (119899 ge 119898) The master 119872
119904of 119862119899
survives after group merging while the master 1198721199041015840 of 119877
119898
becomes a member of the merged group Smaller groupmembers (isin 119877
119898) become a member of 119862
119899+119898 that is 119862
119899+119898=
11987211198722 119872
119899119872119899+1
119872119899+119898
and 119872119904isin 119862119899after group
merging Groupmerging process runs with delegation (in thefirst round) as in Box 4 Figure 2 represents an instance for amerging process for a current group 119862
4and a merged group
Journal of Applied Mathematics 5
Assume that a group 119877119898is merged into a group 119862
119899where 119899 ge 119898 and the merged
group 119862119899+119898
= 119862119899cup 1198771198981198721199041015840 is the master of 119877
119898and119872
119904is the master of 119862
119899
Step 11198721199041015840 selects a random number 119909
1199041015840 in Z
119902 computes119883
1199041015840= 1198921199091199041015840mod p and updates
the locker list into119883119871119877= 11988311198832 119883
119898 cup 119883
1199041015840
(delegation)1198721199041015840 rarr 119872
119904119883119871119877
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899+119898
(119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 4 Group merging
Assume that a current group 119862119899is partitioned into two groups 119875
119898(sub 119862119899) and 119862
119899minus119898(=119862119899 119875119898)
The master of 119877119898is1198721199041015840 and the master of 119862
119899is119872119904(notin 119875119898)
Step 1119872119904generate119883119871
119875= 119883119895|119872119895isin 119875119898 119895 = 119904 from119883119871
119862
(delegation)119872119904rarr 119872
1199041015840 119883119871
119875
Step 2119872119904and119872
1199041015840 select random 119896
1015840 11989610158401015840 in Z119902respectively and compute key-locks with their locker list
119872119904rArr 119862119899minus119898
(119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119875119898 119894 = 119904
1198721199041015840 rArr 119875
119898 (119883119895)11989610158401015840
|119872119895isin 119875119898 119895 = 119904
Box 5 Group partition
1198773 In Figure 2 the number in a circle indicates membersrsquo
index (such as by a joined order) Before they are merged thenumber of the current group 119862 is four including the groupmaster (ie 119899 = 4 119862
4) and the number of members of
joining group is three (ie 119898 = 3 1198773) To be merged the
master of 1198773sends the master of 119862
4the locker list 119883119871
119877for
1198721and 119872
2 Note that the master 119872
119904of 119877119898must forward its
locker after changing its own secret because it was used as theformer group key The master of 119862
4becomes the master for
the merged group It updates 119883119871119862and generates key-locks
119883119871119896
119862with a new selected random 119896
As shown in Figure 3 the current group will be dividedinto two groups When the number of left members is119898 thecurrent group will have (119899 minus 119898) members after the partitionprocess Group partition requires one more master 119872
1199041015840 for
a separated subgroup 119875119898
sub 119862119899(119872119904notin 119875119898) Group partition
process can be easily conducted through delegation from themaster 119872
119904of group 119862
119899to the fresh master 119872
1199041015840 of subgroup
119875119898Thedivided groups performa group key initial phase after
the delegation process as in Box 5
35 Implicit Key Authentication For the secure key authenti-cation the messages sent from all members should be signedwith a signature key Hash-based signature such as messageauthentication code (MAC) is fairly efficient in terms ofcomputation cost However it is too costly to share one-to-one pairwise keys between all of group members in advance
We assume that a member holds long-term private andpublic keys certified by a trusted certificate authority (CA)(Each member can use a different signature algorithm suchas RSA-based signature algorithm digital signature algo-rithm (DSA) and elliptic curve digital signature algorithm(ECDSA) Note that some of them do not provide messageencryption that is it is used for message signing and
verifyingWe consider thatDSA is better for our scheme sinceits public key includes119892119909mod119901)Thegroupmembers send tothemaster the signedmessageswith their own private key forexample in the first step of Box 1 a member119872
119894 sends to the
master 119883119894 119878119894119892119872119894
(119883119894) which 119872
119894signs for 119883
119894with its private
key Note that this process runs one-time at initial phase or itcan be precomputed with119883
119894
Members can obtain the group key securely by verifyingthe messages of the master with signature signed with themasterrsquos private key All of messages from the master comewith a master-signed signature for the origin and integrity ofa group key For example in the second step of Box 1 themaster broadcasts 119883
119896
1 119883119896
2 119883
119896
119899 119878119894119892119872119904
(GK) The masterproduces a locked set for the group key using verifiedmembersrsquo locker It implies that outsiders cannot recover thegroup key from the masterrsquos messages
4 Evaluation
We measure performance of the proposed scheme throughcommunication and computation cost spent for all groupmembers to complete group rekeying bymembership changeTable 1 shows summary of comparison with other DH-based key management protocols CKD GDH BD STRand TGDH In Table 1 119899 119898 and 119901 denote the number ofcurrent group members joining or merged-group membersand leaving or partitioned-group members respectivelyTherefore119898 = 1 or 119901 = 1 indicates the single-member eventFor TGDH the height of the key tree is denoted as ℎ and forSTR 119904 is denoted as the index of the sponsor which helpsother members to calculate group keys Group merging is acase where a group of119898members is merged into a group of 119899members (119899 ge 119898) and group partition is a casewhere a groupof 119899members is divided into separate subgroups (1) a group
6 Journal of Applied Mathematics
6
1
2
s
5
3
4
2
1
s
C
R
XLR = Xs X1 X2
(a)
6
1
2
s
5
3
4
C
XLkC = Xk1 X
k2 X
k6
(b)
Figure 2 Group merging process (a) when groups 1198624and 119877
3are merged Rrsquos master sends the locker list of 119877 to Crsquos master and (b) after
groups are merged Crsquos master becomes the master for merged group and broadcasts the key-locks for new group key to all of the members
6
1
2
s
3
5
4
2
s
1
C
P
XLP = X
4 X6
(a)
1
2 32
1
CP
s
s
XLk
Lk
C = Xkc1 X
kc2 X
kc3
X P = Xkp1 X
kp2
(b)
Figure 3 Group partition process (a) when group 1198627is partitioned into two groups (new group 119875
3) the master of the original group sends
Prsquos master the locker list of the new subgroup and (b) after the group is split each group master broadcasts the key-locks for each new groupkey
of 119901 members and (2) a group of (119899 minus 119901) members where(119899minus119901)ge 119901The costs for the group partition event include thecosts for updating two subgroup keys In computation costswe consider concurrent execution in distributed nodes if itis possible In CODH we assume the master is selected bygroup-join order the first master is119872
1 and when119872
1leaves
the group1198722becomes the next master
CKD distributes the group key in a similar way with ourprotocol Its communication and computation costs are alsosimilar to our protocol However the worst case of CKD iswhen the master leaves It requires large costs for rekeyingOn the other hand in CODH the rekeying cost for a leavingmaster is analogous to that for a leaving member due toefficient delegation or sharing of public locker list GDH isoperated through communication chain from the first node
to the last node and the last node becomes the master of thegroup Steiner et al presented three GDH protocols GDH12 and 3 GDH2 is the most efficient in communicationwhereas GDH3 is the most efficient in computation costamong GDHx We select GDH3 for comparison As shownin Table 1 GDH has weaknesses in group merging and massjoining BD employs a completely distributed way usingbroadcast messages Without sponsors or controllers all ofmembers broadcast messages for updating the group keyAlthough it seems to be fairly efficient in computation costthere are hidden costs for multiplications In addition itrequires a large communication cost compared to otherprotocols STR and TGDH are tree-based key agreement pro-tocolsThey use different tree structures for keymanagementSTR especially uses the extremely unbalanced tree structure
Journal of Applied Mathematics 7
Table 1 Communication and computation costs
Rounds Messages Exponentiations Signatures Verifications
GDH
Join merge m + 3 n + 2m + 1 n + 2m + 1 m + 3 n + 2m + 1Leave 1 1 119899 minus 119901 1 1
Partition 2 p + 1 119899 minus 119901 2 pMaster leave 2 119899 minus 1 119899 minus 1 2 119899 minus 1
STR
Join 3 m + 2 3m 2 m + 2Leave 1 1 3(119899 minus 119901) minus 2119904 minus 1 1 1Merge 3 3 3119898 minus 1 2 3
Partition 2 3 3(119899 minus 119901) minus 2119904 minus 1 2 3
TGDH Join merge 2 3 3ℎ minus 3 2 3Leave partition h 2h 3ℎ h ℎ
BDJoin merge 2 2n + 2m 3 2 2119899 + 2119898 minus 2
Leave 2 2119899 minus 2119901 3 2 2119899 minus 2119901 minus 2
Partition 2 2n 3 2 2119899 minus 2119901 minus 2
CKD
Join merge 3 m + 2 n + 2m 3 m + 2Leave 1 1 119899 minus 119901 1 1
Partition 3 p + 2 max(119899 minus 119901 2119901 minus 1) 3 4Master leave 3 n 2119899 minus 3 3 n
CODH
Join 2 m + 1 n +m + 1 2 m + 1Leave 1 1 119899 minus 119901 1 1Merge 2 2 119899 + 119898 2 2
Partition 2 3 119899 minus 119901 2 2Master leave 2 2 119899 minus 1 2 2
Table 2 Communication and computation costs for CODHmember and master
Send Receive Exponentiations Signatures Verifications
General member Join merge 0 1 1 0 1Leave partition 0 1 1 0 1
Group masterJoin 1 m n +m 1 1
Leave partition 1 0 119899 minus 119901 1 0Merge 1 1 n +m 1 1
Accordingly the performance of STRdepends on the locationof the sponsors In TGDH the costs depend on the heightof the resulting key tree and locations of joining or leavingmembers in the tree We provide the worst case cost forTGDH
Most of the cost in CODH comes from the masternode A general node consumes only one communicationmodular exponentiation signature and verification in allof group rekeying process We summarize the costs for ageneral member and the group master in Table 2 Althoughthe exponentiation cost looks heavy in the master its costis insignificant We conducted an experiment to measurecomputation delays for modular exponentiations Table 3shows the average delay of 10 experimental results for eachThe first device has less CPU power than the second deviceWhen modular prime 119901 is 1024 bits long and 119899 le 50 thecomputation delay is less than 1 s The average delay of one
exponentiation is less than 8ms in the second device More-over reducing communication cost is important for mobiledevices because data communication consumes more energythan any other process Therefore our group key protocolscan be efficiently applied in dynamic mobile networks
5 Security
Let 119901 be a large prime number of the form 2119902 + 1 for a prime119902 in Z
119901 Let 119866 be a cyclic group of prime order 119902 and let 119892
be a generator of 119866 that is 119866 = ⟨119892⟩ The decisional Diffie-Hellman problem (DDH) is as follows given (119892 119892119909 119892119910 119892119911)where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119909119910 or a randomly
chosen number In particular the security of our protocolis based on the divisible decisional Diffie-Hellman problem
8 Journal of Applied Mathematics
Table 3 Computation delays on mobile devices (ms)
p = 1024-bit p = 2048-bit119899 = 1 119899 = 25 119899 = 50 119899 = 1 119899 = 25 119899 = 50
Exponentiation (1 GHz CPU 512MB RAM) 37 4526 9078 1689 33854 67625Exponentiation (226GHz CPU 2GB RAM) 129 1928 3853 754 14588 29174
(DDDH) which is stronger assumption than the divisiblecomputational Diffie-Hellman problem (DCDH)
Definition 1 The DCDH problem is as follows given(119892 119892119909 119892119910) where 119909 119910 isin Z
119902 compute 119892119910119909
Definition 2 The DDDH problem is as follows given(119892 119892119909 119892119910 119892119911) where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119910119909
or a randomly chosen number
The DDDH problem is weaker than DCDH since if anadversary could solve the DCDH problem he could solvethe DDDH problem by computing 119892
119909 to decide 119892119911= 119892119910119909
thus the DDDH assumption is stronger than the DCDHassumption Similarly the DDH problem is weaker thanthe computational Diffie-Hellman problem (CDH) which isweaker than discrete logarithm problem (DL) [22] We wantto prove the security of our protocol under the DDH andDDDH assumptions
Theorem 3 The DDDH problem is equivalent to the DDHproblem
Proof Given the DDDH input (119892 119892119909 119892119910 119892119911) where 119911 =
119910119909 one submits (119892 119892119909 119892119911 119892119910) to DDH to decide whether119910 = 119909119911 or a randomly chosen number Similarly giventhe DDH input (119892 119892119909 119892119910 119892119911) where 119911 = 119909119910 one submits(119892 119892119909 119892119911 119892119910) to DDDH to decide if 119910 = 119911119909 or a randomlychosen number
Therefore we know that if there is no polynomial timealgorithm to solve the DDH problem it is hard to solve theDDDH problem
Theorem 4 If the DDH problem is hard it is hard to find apolynomial time algorithm to recover the group key from theproposed protocol in other words it provides group key secrecyagainst passive adversaries under the DDH assumption
Proof Let view(119899 119896) be public information for a group of 119899members to establish a group key 119892
119896 thus it is a view ofpassive attackers
V119894119890119908 (119899 119896) = (1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899 119892119909119899119896) (10)
Suppose we had an algorithm F that with significantprobability succeeds to distinguish between (view(119899 119896)119892119910) where 119910 is a random number 119910 isin Z
119902 and (view(119899 119896)
119892119896) where 119892
119896 is the group key that is F(V119894119890119908(119899 119896) 119892119910) =
F(1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892119909119899 119892119909119899119896 119892119910) = 1 where 119910 = 119896
otherwise returns 0 Then we can query to F with inputview(119899minus1 119896) = (119892
1199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899minus1 119892119909119899minus1119896) for 119899minus1
membersrsquo information and additional input ((119892119909119894)119903 (119892119909119894119896)119903
)
for a random number 119903 isin119877Z119902 where 0 lt 119894 lt 119899 that is
F(V119894119890119908(119899 minus 1 119896) 119892119909119894119903 119892119909119894119896119903 119892
119910) It follows that
(V119894119890119908(1 119896) 1198921199091199031 1198921199091198961199031 119892
1199091199032 1198921199091198961199032 119892
119909119903119899minus1 119892119909119896119903119899minus1 119892
119910) =
F(119892119909 119892119909119896 1198921199091199031 1198921199091198961199031 1198921199091199032 1198921199091198961199032 119892119909119903119899minus1 119892119909119896119903119899minus1 119892119910) where119903119894isin119877Z119902 for 0 lt 119894 lt 119899 Then 119865 can solve the DDDH problem
since it can decide whether 119910 = 119909119896119909 or a random numbergiven (V119894119890119908(1 119896) 119892
119910)) = (119892
119909 119892119909119896 119892119910) It means that 119865 can
also solve the DDH problem byTheorem 3
Theorem 5 The proposed scheme provides backward secrecyforward secrecy and key independence provided the DDHproblem is intractable
Proof Whenever membership is changed or the group keyis updated the group controller alters its own secret 119896 to 119896
1015840where 119896
1015840 is an independently random number to 119896 isin Z119902
it implies that it is impossible to find an algorithm 119865 suchthat 119865(119892
119896) rarr 119892
1198961015840
without knowledge of 119896 and 1198961015840 We
assume that the secret values are uniformly distributed by apseudorandom generatorTherefore when the group key hasbeen changed an adversarymust use newpublic informationV119894119890119908(119899 119896
1015840) = (119892
1199091 11989211990911198961015840
1198921199092 11989211990921198961015840
119892119909119899 1198921199091198991198961015840
) to recoverthe group key updated into 119892
1198961015840
and it depends on a solutionto solve the DDH problem byTheorem 4 It follows that pastmembers future members or adversaries who know a subsetof previous group keys cannot learn the current group keysince the broadcastmessage from themaster does not containtheir locker119883
119894in view()
Theorem 6 The proposed scheme provides implicit keyauthentication under the security of certified public key
Proof A locker which the master obtains from group mem-bers is what a groupmember signswith its public key certifiedby a CA Concretely a locker 119883
119894is hashed by a one-way
function such as SHA-2 and hash (119883119894) is signed with 119872
119894rsquos
private key using a digital signature algorithm such as RSADSA and ECDSAThen the locker is verified with the publickey bound to 119872
119894and certified by CA If there is a locker of
nonmember in the locker list of a group it must be along witha forged signature It means that the problem occurs in a hashcollision attack or a rogueCAcertificate [23]Once all verifiedlockers are transferred to the master any other nodes whichare not a group member cannot recover the group key underthe DDH assumption (Theorems 4 and 5)
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
2 Journal of Applied Mathematics
should establish secure connection for sharing a pairwisekey with all other mobile nodes in a group It requiresmuch communication and depends on another key sharingscheme [9] Diffie-Hellman (DH) key exchange [10] is aprotocol to establish a common key based on asymmetrickeys without any TTP It allows two parties to share a keyusing their secrets over an insecure channel To extend DHinto group setting group key agreement (GKA) protocolshave been developed [11ndash16] In the protocols also known ascontributory key agreement all groupmembers contribute togeneration of a commonkeyWhile providing dynamic groupkey management they require considerable messages oroperations to establish and update group keys An approachfor reducing computation cost deploys tree structure tohandle keymanagement Tree-based group key protocols [15ndash18] need to supportmanagement of tree structure and requireordered message delivery for calculation from leaves to theroot of the tree
In this paper we investigate secure group key distributionand management for collaborative groups with high groupflexibility We propose a DH-based group key managementprotocol and show security proof of the proposed scheme andmathematical evaluation with other GKA protocols
The remainder of the paper is organized as follows InSection 2 we address related works Section 3 explains ourgroup key management scheme with group membershipevents and security requirements Section 4 describes per-formance analysis and Section 5 shows security proof forthe proposed key management We conclude the paper inSection 6
2 Related Work
Over the past few decades a considerable number of studieshave been conducted on group key establishment and man-agement A typical approach is centralized key distributionbased on constantly accessible TTP and pairwise keys [4ndash8] These studies showed apparent efficiency for large groupssuch as wireless sensor network (WSN) Since however amobile network is comprised of peer-to-peer communica-tions with dynamic mobility and without a TTP it is difficultto provide scalable group keymanagement on arbitrary groupsetting [15]
We focus on DH based group key management knownas group key agreement (GKA) in which a common keyis generated by all group membersrsquo equal contributionsDH protocol allows two parties to share a key using theirsecrets over an insecure channel [10] The key computationof DH uses the multiplicative group of integer modulo 119901where 119901 is a large prime number Each party chooses arandom number 119909
119894in Z119901and computes 119892
119909119894 mod 119901 where119892 is a primitive root (generator) mod119901 They exchange thecomputed values 1198921199091 mod 119901 and 119892
1199092 mod 119901 and agree onthe common key
119870 = (1198921199091)1199092 mod 119901 = (119892
1199092)1199091 mod 119901 (1)
For extending it to group setting Burmester andDesmedt(BD) proposed a conference key exchange system [11]
depending on a broadcast manner When the number ofgroup members is n the group key (GK) of BD becomes
GK = 11989211990911199092+11990921199093+sdotsdotsdot+119909119899minus1119909119899 mod 119901 (2)
As BD system requires large communication messagesSteiner et al proposed group key agreement protocols calledgroup Diffie-Hellman (GDH) [12 13] In GDH
GK = 11989211990911199092 119909119899minus1119909119899 mod 119901 (3)
They showed not only that DH can be extended efficientlyto group setting but also that their protocol can dealefficiently with group membership change They presentedthree distinct group key agreements GDH1 GDH2 andGDH3 which later was advanced as a protocol suite knownasCLIQUES [13] InGDHx groupmembers can individuallyor massively join and leave CLIQUES also considers groupintegration and group division A variant of GDH protocolis a centralized key distribution (CKD) scheme In CKD acontroller distributes the group key to every member usingpairwise temporal keys between the controller and each ofthe members which is computed using DH fashion
As group dynamics have become an important issuesome studies have adopted tree-based approach [15ndash18]Skinny tree (STR) protocol [16] has good performance formember addition In STR
GK = 119892119909119899119892119909119899minus1119892119892119909311989211990911199092
mod 119901 (4)
While STR uses unbalanced key tree for group key compu-tation tree-based group Diffie-Hellman (TGDH) leveragesbalanced tree structure Given eight group members inTGDH the group key is computed as follows
GK = 11989211989211989211990911199092 1198921199093119909411989211989211990951199096 11989211990971199098
mod 119901 (5)
STR and TGDH require a sponsor node which distributesintermediate computing keys in the tree during membershipevent changes As tree-based protocols apparently help toreduce communication cost and operation cost there havebeen several variants of TGDH [17 18] However they needto support management for tree balance and require messagedelivery order due to hierarchical tree structure In mobilenetworks much communication would be required to makesure that the group members can keep the synchronized treestructure
In summary DH-based group key protocol is generallyknown as GKA protocol Although our protocol is basedon DH we do not classify it as a GKA protocol becauseof key distribution feature from a controller Our proposedscheme provides the advantage of dynamics and collaborativecontribution in computing group keys with a modified keyagreement method
3 Secure Group Key Management forMobile Networks
31 Membership and Security Requirements Groupmember-ship events occur with either insertion of a new node or
Journal of Applied Mathematics 3
Member join
Member leave
Group partitionGroup merging
Figure 1 Four kinds ofmembership events (1)member join (singlejoin ormass join) (2)member leave (a single leave ormass leave) (3)group merging (group join) and (4) group partition (group leave)A small circle represents a node while a big circle represents a groupof nodes
deletion of an existingmemberWe define the insertion eventasmember join and the deletion event asmember leaveWhenthere is only one event node specifically we call each singlejoin and single leave and when there are two or more eventnodes we call eachmass join andmass leave Furthermore weconsider a group insertion into a group and a group partitioninto two distinct groups We define them as group mergingand group partition respectively Figure 1 shows summary ofdefined membership events
Group membership change is closely related to securityof group communication Outgoingmembers should have noaccess to group communication after it leaves the group andingoing nodes should be prevented from accessing previousgroup communication before it joins the group We definecryptographic properties in which a secure group dependingon a group key should meet (1) group key secrecy thatguarantees an adversary who knows that messages sent togroupmembers cannot discover any group key in polynomialtime (2) backward secrecy that guarantees a new member oran adversary who knows that the current group key cannotdiscover any previous group key in polynomial time (3)forward secrecy that guarantees a former group member oran adversary who knows that previous group keys cannotdiscover any subsequent group key in polynomial time (4)key independence that guarantees an adversary who knowsthat a proper subset of group keys cannot discover anyother group keys in polynomial time and (5) (implicit) keyauthentication that guarantees that no one apart from a groupmember recovers the group key
32 Group Key Establishment We present a new group keyprotocol collaborative Diffie-Hellman (CODH) CODH hascentralized topology and key distribution property from aleader node But unlike conventional centralized schemewith TTP in CODH a group leader computes and distributesa group key by using public keys of group members Weformalize the group key protocol and prove its security
CODH has one leader called master The leader is alsoone of groupmembers It consumesmore energy thannormalnodes for communication and operation in managing groupkeys There will be a policy for choosing a leader In mobilenetworks signal strength degree to neighbors identity andresources (CPU memory battery and bandwidth) would becriteria for leader election [19ndash21] When a group is createdthe first master is elected among group members and per-forms group key initialization Afterwards group membersselect a new master when receiving master notification forleader change Once a new groupmaster is selected for groupmanagement the previous master forwards informationabout group members to the newmaster that is a delegationprocess is run (refer to Sections 33 and 34) On the otherhand connection failure may occur by network isolation ordenial of service attacks (We assume that group participantsare honest and not compromised However they can bethreatened by network adversaries who can perform all ofnetwork-based attacks) We consider the connection failureas a kind of member leave whether the left node is a memberor the master
Notation section represents notations used to illustrateour group key protocol The index ldquosrdquo stands for the masternode in a group that is distinct from 119894 or 119895 which indicates ageneralmember nodeTherefore119872
119894or119872119895means an identity
for general member while119872119904denotes themaster Lock-secret
is defined as a secret value of a member It locks the groupkey so that 119872
119904can securely transfer the group key to the
members General members use their unlock-secret to extractthe group key from119872
119904rsquos broadcast message of a locked group
keyWe adopt inverse exponentiation for obtaining the group
key Let119862119899be a group of size 119899 that is119862
119899= 11987211198722 119872
119899
and119872119904isin 119862119899 To share the initial group key the group119862
119899runs
steps in Box 1 for the initial phaseThe initial phase consists of two rounds In the first round
all members except the group master send their locker 119892119909119894
to the master via unicast and the master produces the lockerlist 119883119871
119862 from receiving messages In the second round
the master 119872119904selects a random secret 119896 and computes and
broadcasts the locked group key (119883119894)119896= (119892119909119894)119896 using 119883119871
119862
Then each member can compute the group key GK usingtheir own unlock-secret 119910
119894 as follows
GK equiv (119883119896
119894)119910119894 mod 119901 equiv (119892
119909119894119910119894)119896 mod 119901 equiv 119892
119896 mod 119901 (6)
The group key is equal to the locker of the group masterwhen 119896 is the masterrsquos secret Therefore operations forcomputing119883
119896
119894and group messages never include119883
119904
33 Group Rekeying for Member Join and Leave Themaster-secret should be renewed when membership changes sinceit is used for the new group key GK1015840 In Box 2 (member joinprocess) 1198961015840 means a new master-secret that 119872
119904selects Let
119872119899+1
be the first new member and let 119872119899+119898
be the last newmember when119898 newmembers join the group 119862
119899(if a single
member joins the new member is only one node 119872119899+1
) Anewmember119872
119895(119899+1 le 119895 le 119899+119898) sends its locker119883
119895to the
4 Journal of Applied Mathematics
Assume that the group of 119899members establish a group keyStep 1 Each member selects random 119909
119894isin Z119902and computes119883
119894= 119892119909119894 mod p
119872119894rarr 119872
119904119883119894(119894 isin [1 119899] 119894 = 119904)
Step 2119872119904selects random 119896 in Z
119902for group key sharing and computes key-locks
119872119904rArr 119862119899 (119883119894)119896| 119894 isin [1 119899] 119894 = 119904
Box 1 Group key initialization
Assume thatmmembers are added to the group 119862119899
Step 1 Each new member119872119895(119899 + 1 le 119895 le 119899 + 119898) selects random 119909
119895isin Z119902and computes119883
119895= 119892119909119895 mod p
119872119895rarr 119872
119904119883119895(119895 isin [119899 + 1 119899 + 119898])
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks
119872119904rArr 119862119899 (119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 2 Group rekeying for member join
Assume that a subset 119871119898of current group 119862
119899is composed ofm leaving members in
the group and does not include the group master119872119904
Step 1119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899 119871119898 (119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119871119898 119894 = 119904
Box 3 Group rekeying for member leave
master and then119872119904broadcasts locked new group key GK1015840 =
1198921198961015840
to all the group members in the same manner as secondround of initial phase as in Box 2 All members includingnewmembers can extract the new group keyGK1015840 in the sameway as (6)
Unlike the join event member leave process does notrequire the first round for sending lockers to the master Let asubset of 119862
119899for leaving members be 119871
119898sub 119862119899(119872119904notin 119871119898)
Group members conduct rekeying operations for the newgroup key GK1015840 as in Box 3
The leaving nodes cannot learn the new group keybecause the broadcast message from 119872
119904does not contain
any locker 119883119894for leaving members Note that the set 119871
119898for
the leaving node does not include the master Leaving of themaster requires lsquodelegationrsquo duringwhich themaster forwardslocker list 119883119871
119862for group 119862
119899to new group master(119872
1199041015840) as
follows
119872119904997888rarr 119872
1199041015840 119883119871
119862= 119883119895| 119872119895isin 119862119899 119895 = 119904 (7)
The delegation can be used for another case where the masterwishes to finish its masterrsquos role for a reason such as networktopology change or resource exhaustion that is the masterturns to a group member not leaving the group In this casethe delegation message includes the former masterrsquos lockergenerated with new selected secret 119909
119904as follows
119872119904997888rarr 119872
1199041015840 119883119871
119862= 119883119895| 119872119895isin 119862119899 119909119904
= 119896 119909119904
= 1198961015840 (8)
When group members detect unexpected disconnectionfrom themaster they restart group key initializationwith new
master selection At the worst case members can suffer fromfrequent connection failure with the master In this case thefirst protocol should be slightly modified tomake all of groupmembers have the locker list and any member be the groupmaster to proceed Box 3 For instance a general member atthe first step of Box 1 broadcasts its locker to the group asfollows
119872119894997904rArr 119862
119899 119883119894 (119894 isin [1 119899] 119894 = 119904) (9)
The group members continue secure communication with afresh group key obtained through group rekeyingWeprovideformal security proofs in Section 5
34 Group Rekeying for Group Merging and Partition Thereare two ways to integrate two groups into one group com-pletely individual join and group join The former is thatmembers of a group join another group individually It issimilar to the mass joining process saving that the joiningmaster should generate his lock-secret 119909
119904 and locker 119892119909119904
The latter way is that a group is absorbed into the other groupvia delegation process between both group masters
Let two groups be merged 119862119899
= 11987211198722 119872
119899 and
119877119898
= 11987211198722 119872
119898 (119899 ge 119898) The master 119872
119904of 119862119899
survives after group merging while the master 1198721199041015840 of 119877
119898
becomes a member of the merged group Smaller groupmembers (isin 119877
119898) become a member of 119862
119899+119898 that is 119862
119899+119898=
11987211198722 119872
119899119872119899+1
119872119899+119898
and 119872119904isin 119862119899after group
merging Groupmerging process runs with delegation (in thefirst round) as in Box 4 Figure 2 represents an instance for amerging process for a current group 119862
4and a merged group
Journal of Applied Mathematics 5
Assume that a group 119877119898is merged into a group 119862
119899where 119899 ge 119898 and the merged
group 119862119899+119898
= 119862119899cup 1198771198981198721199041015840 is the master of 119877
119898and119872
119904is the master of 119862
119899
Step 11198721199041015840 selects a random number 119909
1199041015840 in Z
119902 computes119883
1199041015840= 1198921199091199041015840mod p and updates
the locker list into119883119871119877= 11988311198832 119883
119898 cup 119883
1199041015840
(delegation)1198721199041015840 rarr 119872
119904119883119871119877
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899+119898
(119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 4 Group merging
Assume that a current group 119862119899is partitioned into two groups 119875
119898(sub 119862119899) and 119862
119899minus119898(=119862119899 119875119898)
The master of 119877119898is1198721199041015840 and the master of 119862
119899is119872119904(notin 119875119898)
Step 1119872119904generate119883119871
119875= 119883119895|119872119895isin 119875119898 119895 = 119904 from119883119871
119862
(delegation)119872119904rarr 119872
1199041015840 119883119871
119875
Step 2119872119904and119872
1199041015840 select random 119896
1015840 11989610158401015840 in Z119902respectively and compute key-locks with their locker list
119872119904rArr 119862119899minus119898
(119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119875119898 119894 = 119904
1198721199041015840 rArr 119875
119898 (119883119895)11989610158401015840
|119872119895isin 119875119898 119895 = 119904
Box 5 Group partition
1198773 In Figure 2 the number in a circle indicates membersrsquo
index (such as by a joined order) Before they are merged thenumber of the current group 119862 is four including the groupmaster (ie 119899 = 4 119862
4) and the number of members of
joining group is three (ie 119898 = 3 1198773) To be merged the
master of 1198773sends the master of 119862
4the locker list 119883119871
119877for
1198721and 119872
2 Note that the master 119872
119904of 119877119898must forward its
locker after changing its own secret because it was used as theformer group key The master of 119862
4becomes the master for
the merged group It updates 119883119871119862and generates key-locks
119883119871119896
119862with a new selected random 119896
As shown in Figure 3 the current group will be dividedinto two groups When the number of left members is119898 thecurrent group will have (119899 minus 119898) members after the partitionprocess Group partition requires one more master 119872
1199041015840 for
a separated subgroup 119875119898
sub 119862119899(119872119904notin 119875119898) Group partition
process can be easily conducted through delegation from themaster 119872
119904of group 119862
119899to the fresh master 119872
1199041015840 of subgroup
119875119898Thedivided groups performa group key initial phase after
the delegation process as in Box 5
35 Implicit Key Authentication For the secure key authenti-cation the messages sent from all members should be signedwith a signature key Hash-based signature such as messageauthentication code (MAC) is fairly efficient in terms ofcomputation cost However it is too costly to share one-to-one pairwise keys between all of group members in advance
We assume that a member holds long-term private andpublic keys certified by a trusted certificate authority (CA)(Each member can use a different signature algorithm suchas RSA-based signature algorithm digital signature algo-rithm (DSA) and elliptic curve digital signature algorithm(ECDSA) Note that some of them do not provide messageencryption that is it is used for message signing and
verifyingWe consider thatDSA is better for our scheme sinceits public key includes119892119909mod119901)Thegroupmembers send tothemaster the signedmessageswith their own private key forexample in the first step of Box 1 a member119872
119894 sends to the
master 119883119894 119878119894119892119872119894
(119883119894) which 119872
119894signs for 119883
119894with its private
key Note that this process runs one-time at initial phase or itcan be precomputed with119883
119894
Members can obtain the group key securely by verifyingthe messages of the master with signature signed with themasterrsquos private key All of messages from the master comewith a master-signed signature for the origin and integrity ofa group key For example in the second step of Box 1 themaster broadcasts 119883
119896
1 119883119896
2 119883
119896
119899 119878119894119892119872119904
(GK) The masterproduces a locked set for the group key using verifiedmembersrsquo locker It implies that outsiders cannot recover thegroup key from the masterrsquos messages
4 Evaluation
We measure performance of the proposed scheme throughcommunication and computation cost spent for all groupmembers to complete group rekeying bymembership changeTable 1 shows summary of comparison with other DH-based key management protocols CKD GDH BD STRand TGDH In Table 1 119899 119898 and 119901 denote the number ofcurrent group members joining or merged-group membersand leaving or partitioned-group members respectivelyTherefore119898 = 1 or 119901 = 1 indicates the single-member eventFor TGDH the height of the key tree is denoted as ℎ and forSTR 119904 is denoted as the index of the sponsor which helpsother members to calculate group keys Group merging is acase where a group of119898members is merged into a group of 119899members (119899 ge 119898) and group partition is a casewhere a groupof 119899members is divided into separate subgroups (1) a group
6 Journal of Applied Mathematics
6
1
2
s
5
3
4
2
1
s
C
R
XLR = Xs X1 X2
(a)
6
1
2
s
5
3
4
C
XLkC = Xk1 X
k2 X
k6
(b)
Figure 2 Group merging process (a) when groups 1198624and 119877
3are merged Rrsquos master sends the locker list of 119877 to Crsquos master and (b) after
groups are merged Crsquos master becomes the master for merged group and broadcasts the key-locks for new group key to all of the members
6
1
2
s
3
5
4
2
s
1
C
P
XLP = X
4 X6
(a)
1
2 32
1
CP
s
s
XLk
Lk
C = Xkc1 X
kc2 X
kc3
X P = Xkp1 X
kp2
(b)
Figure 3 Group partition process (a) when group 1198627is partitioned into two groups (new group 119875
3) the master of the original group sends
Prsquos master the locker list of the new subgroup and (b) after the group is split each group master broadcasts the key-locks for each new groupkey
of 119901 members and (2) a group of (119899 minus 119901) members where(119899minus119901)ge 119901The costs for the group partition event include thecosts for updating two subgroup keys In computation costswe consider concurrent execution in distributed nodes if itis possible In CODH we assume the master is selected bygroup-join order the first master is119872
1 and when119872
1leaves
the group1198722becomes the next master
CKD distributes the group key in a similar way with ourprotocol Its communication and computation costs are alsosimilar to our protocol However the worst case of CKD iswhen the master leaves It requires large costs for rekeyingOn the other hand in CODH the rekeying cost for a leavingmaster is analogous to that for a leaving member due toefficient delegation or sharing of public locker list GDH isoperated through communication chain from the first node
to the last node and the last node becomes the master of thegroup Steiner et al presented three GDH protocols GDH12 and 3 GDH2 is the most efficient in communicationwhereas GDH3 is the most efficient in computation costamong GDHx We select GDH3 for comparison As shownin Table 1 GDH has weaknesses in group merging and massjoining BD employs a completely distributed way usingbroadcast messages Without sponsors or controllers all ofmembers broadcast messages for updating the group keyAlthough it seems to be fairly efficient in computation costthere are hidden costs for multiplications In addition itrequires a large communication cost compared to otherprotocols STR and TGDH are tree-based key agreement pro-tocolsThey use different tree structures for keymanagementSTR especially uses the extremely unbalanced tree structure
Journal of Applied Mathematics 7
Table 1 Communication and computation costs
Rounds Messages Exponentiations Signatures Verifications
GDH
Join merge m + 3 n + 2m + 1 n + 2m + 1 m + 3 n + 2m + 1Leave 1 1 119899 minus 119901 1 1
Partition 2 p + 1 119899 minus 119901 2 pMaster leave 2 119899 minus 1 119899 minus 1 2 119899 minus 1
STR
Join 3 m + 2 3m 2 m + 2Leave 1 1 3(119899 minus 119901) minus 2119904 minus 1 1 1Merge 3 3 3119898 minus 1 2 3
Partition 2 3 3(119899 minus 119901) minus 2119904 minus 1 2 3
TGDH Join merge 2 3 3ℎ minus 3 2 3Leave partition h 2h 3ℎ h ℎ
BDJoin merge 2 2n + 2m 3 2 2119899 + 2119898 minus 2
Leave 2 2119899 minus 2119901 3 2 2119899 minus 2119901 minus 2
Partition 2 2n 3 2 2119899 minus 2119901 minus 2
CKD
Join merge 3 m + 2 n + 2m 3 m + 2Leave 1 1 119899 minus 119901 1 1
Partition 3 p + 2 max(119899 minus 119901 2119901 minus 1) 3 4Master leave 3 n 2119899 minus 3 3 n
CODH
Join 2 m + 1 n +m + 1 2 m + 1Leave 1 1 119899 minus 119901 1 1Merge 2 2 119899 + 119898 2 2
Partition 2 3 119899 minus 119901 2 2Master leave 2 2 119899 minus 1 2 2
Table 2 Communication and computation costs for CODHmember and master
Send Receive Exponentiations Signatures Verifications
General member Join merge 0 1 1 0 1Leave partition 0 1 1 0 1
Group masterJoin 1 m n +m 1 1
Leave partition 1 0 119899 minus 119901 1 0Merge 1 1 n +m 1 1
Accordingly the performance of STRdepends on the locationof the sponsors In TGDH the costs depend on the heightof the resulting key tree and locations of joining or leavingmembers in the tree We provide the worst case cost forTGDH
Most of the cost in CODH comes from the masternode A general node consumes only one communicationmodular exponentiation signature and verification in allof group rekeying process We summarize the costs for ageneral member and the group master in Table 2 Althoughthe exponentiation cost looks heavy in the master its costis insignificant We conducted an experiment to measurecomputation delays for modular exponentiations Table 3shows the average delay of 10 experimental results for eachThe first device has less CPU power than the second deviceWhen modular prime 119901 is 1024 bits long and 119899 le 50 thecomputation delay is less than 1 s The average delay of one
exponentiation is less than 8ms in the second device More-over reducing communication cost is important for mobiledevices because data communication consumes more energythan any other process Therefore our group key protocolscan be efficiently applied in dynamic mobile networks
5 Security
Let 119901 be a large prime number of the form 2119902 + 1 for a prime119902 in Z
119901 Let 119866 be a cyclic group of prime order 119902 and let 119892
be a generator of 119866 that is 119866 = ⟨119892⟩ The decisional Diffie-Hellman problem (DDH) is as follows given (119892 119892119909 119892119910 119892119911)where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119909119910 or a randomly
chosen number In particular the security of our protocolis based on the divisible decisional Diffie-Hellman problem
8 Journal of Applied Mathematics
Table 3 Computation delays on mobile devices (ms)
p = 1024-bit p = 2048-bit119899 = 1 119899 = 25 119899 = 50 119899 = 1 119899 = 25 119899 = 50
Exponentiation (1 GHz CPU 512MB RAM) 37 4526 9078 1689 33854 67625Exponentiation (226GHz CPU 2GB RAM) 129 1928 3853 754 14588 29174
(DDDH) which is stronger assumption than the divisiblecomputational Diffie-Hellman problem (DCDH)
Definition 1 The DCDH problem is as follows given(119892 119892119909 119892119910) where 119909 119910 isin Z
119902 compute 119892119910119909
Definition 2 The DDDH problem is as follows given(119892 119892119909 119892119910 119892119911) where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119910119909
or a randomly chosen number
The DDDH problem is weaker than DCDH since if anadversary could solve the DCDH problem he could solvethe DDDH problem by computing 119892
119909 to decide 119892119911= 119892119910119909
thus the DDDH assumption is stronger than the DCDHassumption Similarly the DDH problem is weaker thanthe computational Diffie-Hellman problem (CDH) which isweaker than discrete logarithm problem (DL) [22] We wantto prove the security of our protocol under the DDH andDDDH assumptions
Theorem 3 The DDDH problem is equivalent to the DDHproblem
Proof Given the DDDH input (119892 119892119909 119892119910 119892119911) where 119911 =
119910119909 one submits (119892 119892119909 119892119911 119892119910) to DDH to decide whether119910 = 119909119911 or a randomly chosen number Similarly giventhe DDH input (119892 119892119909 119892119910 119892119911) where 119911 = 119909119910 one submits(119892 119892119909 119892119911 119892119910) to DDDH to decide if 119910 = 119911119909 or a randomlychosen number
Therefore we know that if there is no polynomial timealgorithm to solve the DDH problem it is hard to solve theDDDH problem
Theorem 4 If the DDH problem is hard it is hard to find apolynomial time algorithm to recover the group key from theproposed protocol in other words it provides group key secrecyagainst passive adversaries under the DDH assumption
Proof Let view(119899 119896) be public information for a group of 119899members to establish a group key 119892
119896 thus it is a view ofpassive attackers
V119894119890119908 (119899 119896) = (1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899 119892119909119899119896) (10)
Suppose we had an algorithm F that with significantprobability succeeds to distinguish between (view(119899 119896)119892119910) where 119910 is a random number 119910 isin Z
119902 and (view(119899 119896)
119892119896) where 119892
119896 is the group key that is F(V119894119890119908(119899 119896) 119892119910) =
F(1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892119909119899 119892119909119899119896 119892119910) = 1 where 119910 = 119896
otherwise returns 0 Then we can query to F with inputview(119899minus1 119896) = (119892
1199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899minus1 119892119909119899minus1119896) for 119899minus1
membersrsquo information and additional input ((119892119909119894)119903 (119892119909119894119896)119903
)
for a random number 119903 isin119877Z119902 where 0 lt 119894 lt 119899 that is
F(V119894119890119908(119899 minus 1 119896) 119892119909119894119903 119892119909119894119896119903 119892
119910) It follows that
(V119894119890119908(1 119896) 1198921199091199031 1198921199091198961199031 119892
1199091199032 1198921199091198961199032 119892
119909119903119899minus1 119892119909119896119903119899minus1 119892
119910) =
F(119892119909 119892119909119896 1198921199091199031 1198921199091198961199031 1198921199091199032 1198921199091198961199032 119892119909119903119899minus1 119892119909119896119903119899minus1 119892119910) where119903119894isin119877Z119902 for 0 lt 119894 lt 119899 Then 119865 can solve the DDDH problem
since it can decide whether 119910 = 119909119896119909 or a random numbergiven (V119894119890119908(1 119896) 119892
119910)) = (119892
119909 119892119909119896 119892119910) It means that 119865 can
also solve the DDH problem byTheorem 3
Theorem 5 The proposed scheme provides backward secrecyforward secrecy and key independence provided the DDHproblem is intractable
Proof Whenever membership is changed or the group keyis updated the group controller alters its own secret 119896 to 119896
1015840where 119896
1015840 is an independently random number to 119896 isin Z119902
it implies that it is impossible to find an algorithm 119865 suchthat 119865(119892
119896) rarr 119892
1198961015840
without knowledge of 119896 and 1198961015840 We
assume that the secret values are uniformly distributed by apseudorandom generatorTherefore when the group key hasbeen changed an adversarymust use newpublic informationV119894119890119908(119899 119896
1015840) = (119892
1199091 11989211990911198961015840
1198921199092 11989211990921198961015840
119892119909119899 1198921199091198991198961015840
) to recoverthe group key updated into 119892
1198961015840
and it depends on a solutionto solve the DDH problem byTheorem 4 It follows that pastmembers future members or adversaries who know a subsetof previous group keys cannot learn the current group keysince the broadcastmessage from themaster does not containtheir locker119883
119894in view()
Theorem 6 The proposed scheme provides implicit keyauthentication under the security of certified public key
Proof A locker which the master obtains from group mem-bers is what a groupmember signswith its public key certifiedby a CA Concretely a locker 119883
119894is hashed by a one-way
function such as SHA-2 and hash (119883119894) is signed with 119872
119894rsquos
private key using a digital signature algorithm such as RSADSA and ECDSAThen the locker is verified with the publickey bound to 119872
119894and certified by CA If there is a locker of
nonmember in the locker list of a group it must be along witha forged signature It means that the problem occurs in a hashcollision attack or a rogueCAcertificate [23]Once all verifiedlockers are transferred to the master any other nodes whichare not a group member cannot recover the group key underthe DDH assumption (Theorems 4 and 5)
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 3
Member join
Member leave
Group partitionGroup merging
Figure 1 Four kinds ofmembership events (1)member join (singlejoin ormass join) (2)member leave (a single leave ormass leave) (3)group merging (group join) and (4) group partition (group leave)A small circle represents a node while a big circle represents a groupof nodes
deletion of an existingmemberWe define the insertion eventasmember join and the deletion event asmember leaveWhenthere is only one event node specifically we call each singlejoin and single leave and when there are two or more eventnodes we call eachmass join andmass leave Furthermore weconsider a group insertion into a group and a group partitioninto two distinct groups We define them as group mergingand group partition respectively Figure 1 shows summary ofdefined membership events
Group membership change is closely related to securityof group communication Outgoingmembers should have noaccess to group communication after it leaves the group andingoing nodes should be prevented from accessing previousgroup communication before it joins the group We definecryptographic properties in which a secure group dependingon a group key should meet (1) group key secrecy thatguarantees an adversary who knows that messages sent togroupmembers cannot discover any group key in polynomialtime (2) backward secrecy that guarantees a new member oran adversary who knows that the current group key cannotdiscover any previous group key in polynomial time (3)forward secrecy that guarantees a former group member oran adversary who knows that previous group keys cannotdiscover any subsequent group key in polynomial time (4)key independence that guarantees an adversary who knowsthat a proper subset of group keys cannot discover anyother group keys in polynomial time and (5) (implicit) keyauthentication that guarantees that no one apart from a groupmember recovers the group key
32 Group Key Establishment We present a new group keyprotocol collaborative Diffie-Hellman (CODH) CODH hascentralized topology and key distribution property from aleader node But unlike conventional centralized schemewith TTP in CODH a group leader computes and distributesa group key by using public keys of group members Weformalize the group key protocol and prove its security
CODH has one leader called master The leader is alsoone of groupmembers It consumesmore energy thannormalnodes for communication and operation in managing groupkeys There will be a policy for choosing a leader In mobilenetworks signal strength degree to neighbors identity andresources (CPU memory battery and bandwidth) would becriteria for leader election [19ndash21] When a group is createdthe first master is elected among group members and per-forms group key initialization Afterwards group membersselect a new master when receiving master notification forleader change Once a new groupmaster is selected for groupmanagement the previous master forwards informationabout group members to the newmaster that is a delegationprocess is run (refer to Sections 33 and 34) On the otherhand connection failure may occur by network isolation ordenial of service attacks (We assume that group participantsare honest and not compromised However they can bethreatened by network adversaries who can perform all ofnetwork-based attacks) We consider the connection failureas a kind of member leave whether the left node is a memberor the master
Notation section represents notations used to illustrateour group key protocol The index ldquosrdquo stands for the masternode in a group that is distinct from 119894 or 119895 which indicates ageneralmember nodeTherefore119872
119894or119872119895means an identity
for general member while119872119904denotes themaster Lock-secret
is defined as a secret value of a member It locks the groupkey so that 119872
119904can securely transfer the group key to the
members General members use their unlock-secret to extractthe group key from119872
119904rsquos broadcast message of a locked group
keyWe adopt inverse exponentiation for obtaining the group
key Let119862119899be a group of size 119899 that is119862
119899= 11987211198722 119872
119899
and119872119904isin 119862119899 To share the initial group key the group119862
119899runs
steps in Box 1 for the initial phaseThe initial phase consists of two rounds In the first round
all members except the group master send their locker 119892119909119894
to the master via unicast and the master produces the lockerlist 119883119871
119862 from receiving messages In the second round
the master 119872119904selects a random secret 119896 and computes and
broadcasts the locked group key (119883119894)119896= (119892119909119894)119896 using 119883119871
119862
Then each member can compute the group key GK usingtheir own unlock-secret 119910
119894 as follows
GK equiv (119883119896
119894)119910119894 mod 119901 equiv (119892
119909119894119910119894)119896 mod 119901 equiv 119892
119896 mod 119901 (6)
The group key is equal to the locker of the group masterwhen 119896 is the masterrsquos secret Therefore operations forcomputing119883
119896
119894and group messages never include119883
119904
33 Group Rekeying for Member Join and Leave Themaster-secret should be renewed when membership changes sinceit is used for the new group key GK1015840 In Box 2 (member joinprocess) 1198961015840 means a new master-secret that 119872
119904selects Let
119872119899+1
be the first new member and let 119872119899+119898
be the last newmember when119898 newmembers join the group 119862
119899(if a single
member joins the new member is only one node 119872119899+1
) Anewmember119872
119895(119899+1 le 119895 le 119899+119898) sends its locker119883
119895to the
4 Journal of Applied Mathematics
Assume that the group of 119899members establish a group keyStep 1 Each member selects random 119909
119894isin Z119902and computes119883
119894= 119892119909119894 mod p
119872119894rarr 119872
119904119883119894(119894 isin [1 119899] 119894 = 119904)
Step 2119872119904selects random 119896 in Z
119902for group key sharing and computes key-locks
119872119904rArr 119862119899 (119883119894)119896| 119894 isin [1 119899] 119894 = 119904
Box 1 Group key initialization
Assume thatmmembers are added to the group 119862119899
Step 1 Each new member119872119895(119899 + 1 le 119895 le 119899 + 119898) selects random 119909
119895isin Z119902and computes119883
119895= 119892119909119895 mod p
119872119895rarr 119872
119904119883119895(119895 isin [119899 + 1 119899 + 119898])
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks
119872119904rArr 119862119899 (119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 2 Group rekeying for member join
Assume that a subset 119871119898of current group 119862
119899is composed ofm leaving members in
the group and does not include the group master119872119904
Step 1119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899 119871119898 (119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119871119898 119894 = 119904
Box 3 Group rekeying for member leave
master and then119872119904broadcasts locked new group key GK1015840 =
1198921198961015840
to all the group members in the same manner as secondround of initial phase as in Box 2 All members includingnewmembers can extract the new group keyGK1015840 in the sameway as (6)
Unlike the join event member leave process does notrequire the first round for sending lockers to the master Let asubset of 119862
119899for leaving members be 119871
119898sub 119862119899(119872119904notin 119871119898)
Group members conduct rekeying operations for the newgroup key GK1015840 as in Box 3
The leaving nodes cannot learn the new group keybecause the broadcast message from 119872
119904does not contain
any locker 119883119894for leaving members Note that the set 119871
119898for
the leaving node does not include the master Leaving of themaster requires lsquodelegationrsquo duringwhich themaster forwardslocker list 119883119871
119862for group 119862
119899to new group master(119872
1199041015840) as
follows
119872119904997888rarr 119872
1199041015840 119883119871
119862= 119883119895| 119872119895isin 119862119899 119895 = 119904 (7)
The delegation can be used for another case where the masterwishes to finish its masterrsquos role for a reason such as networktopology change or resource exhaustion that is the masterturns to a group member not leaving the group In this casethe delegation message includes the former masterrsquos lockergenerated with new selected secret 119909
119904as follows
119872119904997888rarr 119872
1199041015840 119883119871
119862= 119883119895| 119872119895isin 119862119899 119909119904
= 119896 119909119904
= 1198961015840 (8)
When group members detect unexpected disconnectionfrom themaster they restart group key initializationwith new
master selection At the worst case members can suffer fromfrequent connection failure with the master In this case thefirst protocol should be slightly modified tomake all of groupmembers have the locker list and any member be the groupmaster to proceed Box 3 For instance a general member atthe first step of Box 1 broadcasts its locker to the group asfollows
119872119894997904rArr 119862
119899 119883119894 (119894 isin [1 119899] 119894 = 119904) (9)
The group members continue secure communication with afresh group key obtained through group rekeyingWeprovideformal security proofs in Section 5
34 Group Rekeying for Group Merging and Partition Thereare two ways to integrate two groups into one group com-pletely individual join and group join The former is thatmembers of a group join another group individually It issimilar to the mass joining process saving that the joiningmaster should generate his lock-secret 119909
119904 and locker 119892119909119904
The latter way is that a group is absorbed into the other groupvia delegation process between both group masters
Let two groups be merged 119862119899
= 11987211198722 119872
119899 and
119877119898
= 11987211198722 119872
119898 (119899 ge 119898) The master 119872
119904of 119862119899
survives after group merging while the master 1198721199041015840 of 119877
119898
becomes a member of the merged group Smaller groupmembers (isin 119877
119898) become a member of 119862
119899+119898 that is 119862
119899+119898=
11987211198722 119872
119899119872119899+1
119872119899+119898
and 119872119904isin 119862119899after group
merging Groupmerging process runs with delegation (in thefirst round) as in Box 4 Figure 2 represents an instance for amerging process for a current group 119862
4and a merged group
Journal of Applied Mathematics 5
Assume that a group 119877119898is merged into a group 119862
119899where 119899 ge 119898 and the merged
group 119862119899+119898
= 119862119899cup 1198771198981198721199041015840 is the master of 119877
119898and119872
119904is the master of 119862
119899
Step 11198721199041015840 selects a random number 119909
1199041015840 in Z
119902 computes119883
1199041015840= 1198921199091199041015840mod p and updates
the locker list into119883119871119877= 11988311198832 119883
119898 cup 119883
1199041015840
(delegation)1198721199041015840 rarr 119872
119904119883119871119877
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899+119898
(119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 4 Group merging
Assume that a current group 119862119899is partitioned into two groups 119875
119898(sub 119862119899) and 119862
119899minus119898(=119862119899 119875119898)
The master of 119877119898is1198721199041015840 and the master of 119862
119899is119872119904(notin 119875119898)
Step 1119872119904generate119883119871
119875= 119883119895|119872119895isin 119875119898 119895 = 119904 from119883119871
119862
(delegation)119872119904rarr 119872
1199041015840 119883119871
119875
Step 2119872119904and119872
1199041015840 select random 119896
1015840 11989610158401015840 in Z119902respectively and compute key-locks with their locker list
119872119904rArr 119862119899minus119898
(119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119875119898 119894 = 119904
1198721199041015840 rArr 119875
119898 (119883119895)11989610158401015840
|119872119895isin 119875119898 119895 = 119904
Box 5 Group partition
1198773 In Figure 2 the number in a circle indicates membersrsquo
index (such as by a joined order) Before they are merged thenumber of the current group 119862 is four including the groupmaster (ie 119899 = 4 119862
4) and the number of members of
joining group is three (ie 119898 = 3 1198773) To be merged the
master of 1198773sends the master of 119862
4the locker list 119883119871
119877for
1198721and 119872
2 Note that the master 119872
119904of 119877119898must forward its
locker after changing its own secret because it was used as theformer group key The master of 119862
4becomes the master for
the merged group It updates 119883119871119862and generates key-locks
119883119871119896
119862with a new selected random 119896
As shown in Figure 3 the current group will be dividedinto two groups When the number of left members is119898 thecurrent group will have (119899 minus 119898) members after the partitionprocess Group partition requires one more master 119872
1199041015840 for
a separated subgroup 119875119898
sub 119862119899(119872119904notin 119875119898) Group partition
process can be easily conducted through delegation from themaster 119872
119904of group 119862
119899to the fresh master 119872
1199041015840 of subgroup
119875119898Thedivided groups performa group key initial phase after
the delegation process as in Box 5
35 Implicit Key Authentication For the secure key authenti-cation the messages sent from all members should be signedwith a signature key Hash-based signature such as messageauthentication code (MAC) is fairly efficient in terms ofcomputation cost However it is too costly to share one-to-one pairwise keys between all of group members in advance
We assume that a member holds long-term private andpublic keys certified by a trusted certificate authority (CA)(Each member can use a different signature algorithm suchas RSA-based signature algorithm digital signature algo-rithm (DSA) and elliptic curve digital signature algorithm(ECDSA) Note that some of them do not provide messageencryption that is it is used for message signing and
verifyingWe consider thatDSA is better for our scheme sinceits public key includes119892119909mod119901)Thegroupmembers send tothemaster the signedmessageswith their own private key forexample in the first step of Box 1 a member119872
119894 sends to the
master 119883119894 119878119894119892119872119894
(119883119894) which 119872
119894signs for 119883
119894with its private
key Note that this process runs one-time at initial phase or itcan be precomputed with119883
119894
Members can obtain the group key securely by verifyingthe messages of the master with signature signed with themasterrsquos private key All of messages from the master comewith a master-signed signature for the origin and integrity ofa group key For example in the second step of Box 1 themaster broadcasts 119883
119896
1 119883119896
2 119883
119896
119899 119878119894119892119872119904
(GK) The masterproduces a locked set for the group key using verifiedmembersrsquo locker It implies that outsiders cannot recover thegroup key from the masterrsquos messages
4 Evaluation
We measure performance of the proposed scheme throughcommunication and computation cost spent for all groupmembers to complete group rekeying bymembership changeTable 1 shows summary of comparison with other DH-based key management protocols CKD GDH BD STRand TGDH In Table 1 119899 119898 and 119901 denote the number ofcurrent group members joining or merged-group membersand leaving or partitioned-group members respectivelyTherefore119898 = 1 or 119901 = 1 indicates the single-member eventFor TGDH the height of the key tree is denoted as ℎ and forSTR 119904 is denoted as the index of the sponsor which helpsother members to calculate group keys Group merging is acase where a group of119898members is merged into a group of 119899members (119899 ge 119898) and group partition is a casewhere a groupof 119899members is divided into separate subgroups (1) a group
6 Journal of Applied Mathematics
6
1
2
s
5
3
4
2
1
s
C
R
XLR = Xs X1 X2
(a)
6
1
2
s
5
3
4
C
XLkC = Xk1 X
k2 X
k6
(b)
Figure 2 Group merging process (a) when groups 1198624and 119877
3are merged Rrsquos master sends the locker list of 119877 to Crsquos master and (b) after
groups are merged Crsquos master becomes the master for merged group and broadcasts the key-locks for new group key to all of the members
6
1
2
s
3
5
4
2
s
1
C
P
XLP = X
4 X6
(a)
1
2 32
1
CP
s
s
XLk
Lk
C = Xkc1 X
kc2 X
kc3
X P = Xkp1 X
kp2
(b)
Figure 3 Group partition process (a) when group 1198627is partitioned into two groups (new group 119875
3) the master of the original group sends
Prsquos master the locker list of the new subgroup and (b) after the group is split each group master broadcasts the key-locks for each new groupkey
of 119901 members and (2) a group of (119899 minus 119901) members where(119899minus119901)ge 119901The costs for the group partition event include thecosts for updating two subgroup keys In computation costswe consider concurrent execution in distributed nodes if itis possible In CODH we assume the master is selected bygroup-join order the first master is119872
1 and when119872
1leaves
the group1198722becomes the next master
CKD distributes the group key in a similar way with ourprotocol Its communication and computation costs are alsosimilar to our protocol However the worst case of CKD iswhen the master leaves It requires large costs for rekeyingOn the other hand in CODH the rekeying cost for a leavingmaster is analogous to that for a leaving member due toefficient delegation or sharing of public locker list GDH isoperated through communication chain from the first node
to the last node and the last node becomes the master of thegroup Steiner et al presented three GDH protocols GDH12 and 3 GDH2 is the most efficient in communicationwhereas GDH3 is the most efficient in computation costamong GDHx We select GDH3 for comparison As shownin Table 1 GDH has weaknesses in group merging and massjoining BD employs a completely distributed way usingbroadcast messages Without sponsors or controllers all ofmembers broadcast messages for updating the group keyAlthough it seems to be fairly efficient in computation costthere are hidden costs for multiplications In addition itrequires a large communication cost compared to otherprotocols STR and TGDH are tree-based key agreement pro-tocolsThey use different tree structures for keymanagementSTR especially uses the extremely unbalanced tree structure
Journal of Applied Mathematics 7
Table 1 Communication and computation costs
Rounds Messages Exponentiations Signatures Verifications
GDH
Join merge m + 3 n + 2m + 1 n + 2m + 1 m + 3 n + 2m + 1Leave 1 1 119899 minus 119901 1 1
Partition 2 p + 1 119899 minus 119901 2 pMaster leave 2 119899 minus 1 119899 minus 1 2 119899 minus 1
STR
Join 3 m + 2 3m 2 m + 2Leave 1 1 3(119899 minus 119901) minus 2119904 minus 1 1 1Merge 3 3 3119898 minus 1 2 3
Partition 2 3 3(119899 minus 119901) minus 2119904 minus 1 2 3
TGDH Join merge 2 3 3ℎ minus 3 2 3Leave partition h 2h 3ℎ h ℎ
BDJoin merge 2 2n + 2m 3 2 2119899 + 2119898 minus 2
Leave 2 2119899 minus 2119901 3 2 2119899 minus 2119901 minus 2
Partition 2 2n 3 2 2119899 minus 2119901 minus 2
CKD
Join merge 3 m + 2 n + 2m 3 m + 2Leave 1 1 119899 minus 119901 1 1
Partition 3 p + 2 max(119899 minus 119901 2119901 minus 1) 3 4Master leave 3 n 2119899 minus 3 3 n
CODH
Join 2 m + 1 n +m + 1 2 m + 1Leave 1 1 119899 minus 119901 1 1Merge 2 2 119899 + 119898 2 2
Partition 2 3 119899 minus 119901 2 2Master leave 2 2 119899 minus 1 2 2
Table 2 Communication and computation costs for CODHmember and master
Send Receive Exponentiations Signatures Verifications
General member Join merge 0 1 1 0 1Leave partition 0 1 1 0 1
Group masterJoin 1 m n +m 1 1
Leave partition 1 0 119899 minus 119901 1 0Merge 1 1 n +m 1 1
Accordingly the performance of STRdepends on the locationof the sponsors In TGDH the costs depend on the heightof the resulting key tree and locations of joining or leavingmembers in the tree We provide the worst case cost forTGDH
Most of the cost in CODH comes from the masternode A general node consumes only one communicationmodular exponentiation signature and verification in allof group rekeying process We summarize the costs for ageneral member and the group master in Table 2 Althoughthe exponentiation cost looks heavy in the master its costis insignificant We conducted an experiment to measurecomputation delays for modular exponentiations Table 3shows the average delay of 10 experimental results for eachThe first device has less CPU power than the second deviceWhen modular prime 119901 is 1024 bits long and 119899 le 50 thecomputation delay is less than 1 s The average delay of one
exponentiation is less than 8ms in the second device More-over reducing communication cost is important for mobiledevices because data communication consumes more energythan any other process Therefore our group key protocolscan be efficiently applied in dynamic mobile networks
5 Security
Let 119901 be a large prime number of the form 2119902 + 1 for a prime119902 in Z
119901 Let 119866 be a cyclic group of prime order 119902 and let 119892
be a generator of 119866 that is 119866 = ⟨119892⟩ The decisional Diffie-Hellman problem (DDH) is as follows given (119892 119892119909 119892119910 119892119911)where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119909119910 or a randomly
chosen number In particular the security of our protocolis based on the divisible decisional Diffie-Hellman problem
8 Journal of Applied Mathematics
Table 3 Computation delays on mobile devices (ms)
p = 1024-bit p = 2048-bit119899 = 1 119899 = 25 119899 = 50 119899 = 1 119899 = 25 119899 = 50
Exponentiation (1 GHz CPU 512MB RAM) 37 4526 9078 1689 33854 67625Exponentiation (226GHz CPU 2GB RAM) 129 1928 3853 754 14588 29174
(DDDH) which is stronger assumption than the divisiblecomputational Diffie-Hellman problem (DCDH)
Definition 1 The DCDH problem is as follows given(119892 119892119909 119892119910) where 119909 119910 isin Z
119902 compute 119892119910119909
Definition 2 The DDDH problem is as follows given(119892 119892119909 119892119910 119892119911) where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119910119909
or a randomly chosen number
The DDDH problem is weaker than DCDH since if anadversary could solve the DCDH problem he could solvethe DDDH problem by computing 119892
119909 to decide 119892119911= 119892119910119909
thus the DDDH assumption is stronger than the DCDHassumption Similarly the DDH problem is weaker thanthe computational Diffie-Hellman problem (CDH) which isweaker than discrete logarithm problem (DL) [22] We wantto prove the security of our protocol under the DDH andDDDH assumptions
Theorem 3 The DDDH problem is equivalent to the DDHproblem
Proof Given the DDDH input (119892 119892119909 119892119910 119892119911) where 119911 =
119910119909 one submits (119892 119892119909 119892119911 119892119910) to DDH to decide whether119910 = 119909119911 or a randomly chosen number Similarly giventhe DDH input (119892 119892119909 119892119910 119892119911) where 119911 = 119909119910 one submits(119892 119892119909 119892119911 119892119910) to DDDH to decide if 119910 = 119911119909 or a randomlychosen number
Therefore we know that if there is no polynomial timealgorithm to solve the DDH problem it is hard to solve theDDDH problem
Theorem 4 If the DDH problem is hard it is hard to find apolynomial time algorithm to recover the group key from theproposed protocol in other words it provides group key secrecyagainst passive adversaries under the DDH assumption
Proof Let view(119899 119896) be public information for a group of 119899members to establish a group key 119892
119896 thus it is a view ofpassive attackers
V119894119890119908 (119899 119896) = (1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899 119892119909119899119896) (10)
Suppose we had an algorithm F that with significantprobability succeeds to distinguish between (view(119899 119896)119892119910) where 119910 is a random number 119910 isin Z
119902 and (view(119899 119896)
119892119896) where 119892
119896 is the group key that is F(V119894119890119908(119899 119896) 119892119910) =
F(1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892119909119899 119892119909119899119896 119892119910) = 1 where 119910 = 119896
otherwise returns 0 Then we can query to F with inputview(119899minus1 119896) = (119892
1199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899minus1 119892119909119899minus1119896) for 119899minus1
membersrsquo information and additional input ((119892119909119894)119903 (119892119909119894119896)119903
)
for a random number 119903 isin119877Z119902 where 0 lt 119894 lt 119899 that is
F(V119894119890119908(119899 minus 1 119896) 119892119909119894119903 119892119909119894119896119903 119892
119910) It follows that
(V119894119890119908(1 119896) 1198921199091199031 1198921199091198961199031 119892
1199091199032 1198921199091198961199032 119892
119909119903119899minus1 119892119909119896119903119899minus1 119892
119910) =
F(119892119909 119892119909119896 1198921199091199031 1198921199091198961199031 1198921199091199032 1198921199091198961199032 119892119909119903119899minus1 119892119909119896119903119899minus1 119892119910) where119903119894isin119877Z119902 for 0 lt 119894 lt 119899 Then 119865 can solve the DDDH problem
since it can decide whether 119910 = 119909119896119909 or a random numbergiven (V119894119890119908(1 119896) 119892
119910)) = (119892
119909 119892119909119896 119892119910) It means that 119865 can
also solve the DDH problem byTheorem 3
Theorem 5 The proposed scheme provides backward secrecyforward secrecy and key independence provided the DDHproblem is intractable
Proof Whenever membership is changed or the group keyis updated the group controller alters its own secret 119896 to 119896
1015840where 119896
1015840 is an independently random number to 119896 isin Z119902
it implies that it is impossible to find an algorithm 119865 suchthat 119865(119892
119896) rarr 119892
1198961015840
without knowledge of 119896 and 1198961015840 We
assume that the secret values are uniformly distributed by apseudorandom generatorTherefore when the group key hasbeen changed an adversarymust use newpublic informationV119894119890119908(119899 119896
1015840) = (119892
1199091 11989211990911198961015840
1198921199092 11989211990921198961015840
119892119909119899 1198921199091198991198961015840
) to recoverthe group key updated into 119892
1198961015840
and it depends on a solutionto solve the DDH problem byTheorem 4 It follows that pastmembers future members or adversaries who know a subsetof previous group keys cannot learn the current group keysince the broadcastmessage from themaster does not containtheir locker119883
119894in view()
Theorem 6 The proposed scheme provides implicit keyauthentication under the security of certified public key
Proof A locker which the master obtains from group mem-bers is what a groupmember signswith its public key certifiedby a CA Concretely a locker 119883
119894is hashed by a one-way
function such as SHA-2 and hash (119883119894) is signed with 119872
119894rsquos
private key using a digital signature algorithm such as RSADSA and ECDSAThen the locker is verified with the publickey bound to 119872
119894and certified by CA If there is a locker of
nonmember in the locker list of a group it must be along witha forged signature It means that the problem occurs in a hashcollision attack or a rogueCAcertificate [23]Once all verifiedlockers are transferred to the master any other nodes whichare not a group member cannot recover the group key underthe DDH assumption (Theorems 4 and 5)
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
4 Journal of Applied Mathematics
Assume that the group of 119899members establish a group keyStep 1 Each member selects random 119909
119894isin Z119902and computes119883
119894= 119892119909119894 mod p
119872119894rarr 119872
119904119883119894(119894 isin [1 119899] 119894 = 119904)
Step 2119872119904selects random 119896 in Z
119902for group key sharing and computes key-locks
119872119904rArr 119862119899 (119883119894)119896| 119894 isin [1 119899] 119894 = 119904
Box 1 Group key initialization
Assume thatmmembers are added to the group 119862119899
Step 1 Each new member119872119895(119899 + 1 le 119895 le 119899 + 119898) selects random 119909
119895isin Z119902and computes119883
119895= 119892119909119895 mod p
119872119895rarr 119872
119904119883119895(119895 isin [119899 + 1 119899 + 119898])
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks
119872119904rArr 119862119899 (119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 2 Group rekeying for member join
Assume that a subset 119871119898of current group 119862
119899is composed ofm leaving members in
the group and does not include the group master119872119904
Step 1119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899 119871119898 (119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119871119898 119894 = 119904
Box 3 Group rekeying for member leave
master and then119872119904broadcasts locked new group key GK1015840 =
1198921198961015840
to all the group members in the same manner as secondround of initial phase as in Box 2 All members includingnewmembers can extract the new group keyGK1015840 in the sameway as (6)
Unlike the join event member leave process does notrequire the first round for sending lockers to the master Let asubset of 119862
119899for leaving members be 119871
119898sub 119862119899(119872119904notin 119871119898)
Group members conduct rekeying operations for the newgroup key GK1015840 as in Box 3
The leaving nodes cannot learn the new group keybecause the broadcast message from 119872
119904does not contain
any locker 119883119894for leaving members Note that the set 119871
119898for
the leaving node does not include the master Leaving of themaster requires lsquodelegationrsquo duringwhich themaster forwardslocker list 119883119871
119862for group 119862
119899to new group master(119872
1199041015840) as
follows
119872119904997888rarr 119872
1199041015840 119883119871
119862= 119883119895| 119872119895isin 119862119899 119895 = 119904 (7)
The delegation can be used for another case where the masterwishes to finish its masterrsquos role for a reason such as networktopology change or resource exhaustion that is the masterturns to a group member not leaving the group In this casethe delegation message includes the former masterrsquos lockergenerated with new selected secret 119909
119904as follows
119872119904997888rarr 119872
1199041015840 119883119871
119862= 119883119895| 119872119895isin 119862119899 119909119904
= 119896 119909119904
= 1198961015840 (8)
When group members detect unexpected disconnectionfrom themaster they restart group key initializationwith new
master selection At the worst case members can suffer fromfrequent connection failure with the master In this case thefirst protocol should be slightly modified tomake all of groupmembers have the locker list and any member be the groupmaster to proceed Box 3 For instance a general member atthe first step of Box 1 broadcasts its locker to the group asfollows
119872119894997904rArr 119862
119899 119883119894 (119894 isin [1 119899] 119894 = 119904) (9)
The group members continue secure communication with afresh group key obtained through group rekeyingWeprovideformal security proofs in Section 5
34 Group Rekeying for Group Merging and Partition Thereare two ways to integrate two groups into one group com-pletely individual join and group join The former is thatmembers of a group join another group individually It issimilar to the mass joining process saving that the joiningmaster should generate his lock-secret 119909
119904 and locker 119892119909119904
The latter way is that a group is absorbed into the other groupvia delegation process between both group masters
Let two groups be merged 119862119899
= 11987211198722 119872
119899 and
119877119898
= 11987211198722 119872
119898 (119899 ge 119898) The master 119872
119904of 119862119899
survives after group merging while the master 1198721199041015840 of 119877
119898
becomes a member of the merged group Smaller groupmembers (isin 119877
119898) become a member of 119862
119899+119898 that is 119862
119899+119898=
11987211198722 119872
119899119872119899+1
119872119899+119898
and 119872119904isin 119862119899after group
merging Groupmerging process runs with delegation (in thefirst round) as in Box 4 Figure 2 represents an instance for amerging process for a current group 119862
4and a merged group
Journal of Applied Mathematics 5
Assume that a group 119877119898is merged into a group 119862
119899where 119899 ge 119898 and the merged
group 119862119899+119898
= 119862119899cup 1198771198981198721199041015840 is the master of 119877
119898and119872
119904is the master of 119862
119899
Step 11198721199041015840 selects a random number 119909
1199041015840 in Z
119902 computes119883
1199041015840= 1198921199091199041015840mod p and updates
the locker list into119883119871119877= 11988311198832 119883
119898 cup 119883
1199041015840
(delegation)1198721199041015840 rarr 119872
119904119883119871119877
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899+119898
(119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 4 Group merging
Assume that a current group 119862119899is partitioned into two groups 119875
119898(sub 119862119899) and 119862
119899minus119898(=119862119899 119875119898)
The master of 119877119898is1198721199041015840 and the master of 119862
119899is119872119904(notin 119875119898)
Step 1119872119904generate119883119871
119875= 119883119895|119872119895isin 119875119898 119895 = 119904 from119883119871
119862
(delegation)119872119904rarr 119872
1199041015840 119883119871
119875
Step 2119872119904and119872
1199041015840 select random 119896
1015840 11989610158401015840 in Z119902respectively and compute key-locks with their locker list
119872119904rArr 119862119899minus119898
(119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119875119898 119894 = 119904
1198721199041015840 rArr 119875
119898 (119883119895)11989610158401015840
|119872119895isin 119875119898 119895 = 119904
Box 5 Group partition
1198773 In Figure 2 the number in a circle indicates membersrsquo
index (such as by a joined order) Before they are merged thenumber of the current group 119862 is four including the groupmaster (ie 119899 = 4 119862
4) and the number of members of
joining group is three (ie 119898 = 3 1198773) To be merged the
master of 1198773sends the master of 119862
4the locker list 119883119871
119877for
1198721and 119872
2 Note that the master 119872
119904of 119877119898must forward its
locker after changing its own secret because it was used as theformer group key The master of 119862
4becomes the master for
the merged group It updates 119883119871119862and generates key-locks
119883119871119896
119862with a new selected random 119896
As shown in Figure 3 the current group will be dividedinto two groups When the number of left members is119898 thecurrent group will have (119899 minus 119898) members after the partitionprocess Group partition requires one more master 119872
1199041015840 for
a separated subgroup 119875119898
sub 119862119899(119872119904notin 119875119898) Group partition
process can be easily conducted through delegation from themaster 119872
119904of group 119862
119899to the fresh master 119872
1199041015840 of subgroup
119875119898Thedivided groups performa group key initial phase after
the delegation process as in Box 5
35 Implicit Key Authentication For the secure key authenti-cation the messages sent from all members should be signedwith a signature key Hash-based signature such as messageauthentication code (MAC) is fairly efficient in terms ofcomputation cost However it is too costly to share one-to-one pairwise keys between all of group members in advance
We assume that a member holds long-term private andpublic keys certified by a trusted certificate authority (CA)(Each member can use a different signature algorithm suchas RSA-based signature algorithm digital signature algo-rithm (DSA) and elliptic curve digital signature algorithm(ECDSA) Note that some of them do not provide messageencryption that is it is used for message signing and
verifyingWe consider thatDSA is better for our scheme sinceits public key includes119892119909mod119901)Thegroupmembers send tothemaster the signedmessageswith their own private key forexample in the first step of Box 1 a member119872
119894 sends to the
master 119883119894 119878119894119892119872119894
(119883119894) which 119872
119894signs for 119883
119894with its private
key Note that this process runs one-time at initial phase or itcan be precomputed with119883
119894
Members can obtain the group key securely by verifyingthe messages of the master with signature signed with themasterrsquos private key All of messages from the master comewith a master-signed signature for the origin and integrity ofa group key For example in the second step of Box 1 themaster broadcasts 119883
119896
1 119883119896
2 119883
119896
119899 119878119894119892119872119904
(GK) The masterproduces a locked set for the group key using verifiedmembersrsquo locker It implies that outsiders cannot recover thegroup key from the masterrsquos messages
4 Evaluation
We measure performance of the proposed scheme throughcommunication and computation cost spent for all groupmembers to complete group rekeying bymembership changeTable 1 shows summary of comparison with other DH-based key management protocols CKD GDH BD STRand TGDH In Table 1 119899 119898 and 119901 denote the number ofcurrent group members joining or merged-group membersand leaving or partitioned-group members respectivelyTherefore119898 = 1 or 119901 = 1 indicates the single-member eventFor TGDH the height of the key tree is denoted as ℎ and forSTR 119904 is denoted as the index of the sponsor which helpsother members to calculate group keys Group merging is acase where a group of119898members is merged into a group of 119899members (119899 ge 119898) and group partition is a casewhere a groupof 119899members is divided into separate subgroups (1) a group
6 Journal of Applied Mathematics
6
1
2
s
5
3
4
2
1
s
C
R
XLR = Xs X1 X2
(a)
6
1
2
s
5
3
4
C
XLkC = Xk1 X
k2 X
k6
(b)
Figure 2 Group merging process (a) when groups 1198624and 119877
3are merged Rrsquos master sends the locker list of 119877 to Crsquos master and (b) after
groups are merged Crsquos master becomes the master for merged group and broadcasts the key-locks for new group key to all of the members
6
1
2
s
3
5
4
2
s
1
C
P
XLP = X
4 X6
(a)
1
2 32
1
CP
s
s
XLk
Lk
C = Xkc1 X
kc2 X
kc3
X P = Xkp1 X
kp2
(b)
Figure 3 Group partition process (a) when group 1198627is partitioned into two groups (new group 119875
3) the master of the original group sends
Prsquos master the locker list of the new subgroup and (b) after the group is split each group master broadcasts the key-locks for each new groupkey
of 119901 members and (2) a group of (119899 minus 119901) members where(119899minus119901)ge 119901The costs for the group partition event include thecosts for updating two subgroup keys In computation costswe consider concurrent execution in distributed nodes if itis possible In CODH we assume the master is selected bygroup-join order the first master is119872
1 and when119872
1leaves
the group1198722becomes the next master
CKD distributes the group key in a similar way with ourprotocol Its communication and computation costs are alsosimilar to our protocol However the worst case of CKD iswhen the master leaves It requires large costs for rekeyingOn the other hand in CODH the rekeying cost for a leavingmaster is analogous to that for a leaving member due toefficient delegation or sharing of public locker list GDH isoperated through communication chain from the first node
to the last node and the last node becomes the master of thegroup Steiner et al presented three GDH protocols GDH12 and 3 GDH2 is the most efficient in communicationwhereas GDH3 is the most efficient in computation costamong GDHx We select GDH3 for comparison As shownin Table 1 GDH has weaknesses in group merging and massjoining BD employs a completely distributed way usingbroadcast messages Without sponsors or controllers all ofmembers broadcast messages for updating the group keyAlthough it seems to be fairly efficient in computation costthere are hidden costs for multiplications In addition itrequires a large communication cost compared to otherprotocols STR and TGDH are tree-based key agreement pro-tocolsThey use different tree structures for keymanagementSTR especially uses the extremely unbalanced tree structure
Journal of Applied Mathematics 7
Table 1 Communication and computation costs
Rounds Messages Exponentiations Signatures Verifications
GDH
Join merge m + 3 n + 2m + 1 n + 2m + 1 m + 3 n + 2m + 1Leave 1 1 119899 minus 119901 1 1
Partition 2 p + 1 119899 minus 119901 2 pMaster leave 2 119899 minus 1 119899 minus 1 2 119899 minus 1
STR
Join 3 m + 2 3m 2 m + 2Leave 1 1 3(119899 minus 119901) minus 2119904 minus 1 1 1Merge 3 3 3119898 minus 1 2 3
Partition 2 3 3(119899 minus 119901) minus 2119904 minus 1 2 3
TGDH Join merge 2 3 3ℎ minus 3 2 3Leave partition h 2h 3ℎ h ℎ
BDJoin merge 2 2n + 2m 3 2 2119899 + 2119898 minus 2
Leave 2 2119899 minus 2119901 3 2 2119899 minus 2119901 minus 2
Partition 2 2n 3 2 2119899 minus 2119901 minus 2
CKD
Join merge 3 m + 2 n + 2m 3 m + 2Leave 1 1 119899 minus 119901 1 1
Partition 3 p + 2 max(119899 minus 119901 2119901 minus 1) 3 4Master leave 3 n 2119899 minus 3 3 n
CODH
Join 2 m + 1 n +m + 1 2 m + 1Leave 1 1 119899 minus 119901 1 1Merge 2 2 119899 + 119898 2 2
Partition 2 3 119899 minus 119901 2 2Master leave 2 2 119899 minus 1 2 2
Table 2 Communication and computation costs for CODHmember and master
Send Receive Exponentiations Signatures Verifications
General member Join merge 0 1 1 0 1Leave partition 0 1 1 0 1
Group masterJoin 1 m n +m 1 1
Leave partition 1 0 119899 minus 119901 1 0Merge 1 1 n +m 1 1
Accordingly the performance of STRdepends on the locationof the sponsors In TGDH the costs depend on the heightof the resulting key tree and locations of joining or leavingmembers in the tree We provide the worst case cost forTGDH
Most of the cost in CODH comes from the masternode A general node consumes only one communicationmodular exponentiation signature and verification in allof group rekeying process We summarize the costs for ageneral member and the group master in Table 2 Althoughthe exponentiation cost looks heavy in the master its costis insignificant We conducted an experiment to measurecomputation delays for modular exponentiations Table 3shows the average delay of 10 experimental results for eachThe first device has less CPU power than the second deviceWhen modular prime 119901 is 1024 bits long and 119899 le 50 thecomputation delay is less than 1 s The average delay of one
exponentiation is less than 8ms in the second device More-over reducing communication cost is important for mobiledevices because data communication consumes more energythan any other process Therefore our group key protocolscan be efficiently applied in dynamic mobile networks
5 Security
Let 119901 be a large prime number of the form 2119902 + 1 for a prime119902 in Z
119901 Let 119866 be a cyclic group of prime order 119902 and let 119892
be a generator of 119866 that is 119866 = ⟨119892⟩ The decisional Diffie-Hellman problem (DDH) is as follows given (119892 119892119909 119892119910 119892119911)where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119909119910 or a randomly
chosen number In particular the security of our protocolis based on the divisible decisional Diffie-Hellman problem
8 Journal of Applied Mathematics
Table 3 Computation delays on mobile devices (ms)
p = 1024-bit p = 2048-bit119899 = 1 119899 = 25 119899 = 50 119899 = 1 119899 = 25 119899 = 50
Exponentiation (1 GHz CPU 512MB RAM) 37 4526 9078 1689 33854 67625Exponentiation (226GHz CPU 2GB RAM) 129 1928 3853 754 14588 29174
(DDDH) which is stronger assumption than the divisiblecomputational Diffie-Hellman problem (DCDH)
Definition 1 The DCDH problem is as follows given(119892 119892119909 119892119910) where 119909 119910 isin Z
119902 compute 119892119910119909
Definition 2 The DDDH problem is as follows given(119892 119892119909 119892119910 119892119911) where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119910119909
or a randomly chosen number
The DDDH problem is weaker than DCDH since if anadversary could solve the DCDH problem he could solvethe DDDH problem by computing 119892
119909 to decide 119892119911= 119892119910119909
thus the DDDH assumption is stronger than the DCDHassumption Similarly the DDH problem is weaker thanthe computational Diffie-Hellman problem (CDH) which isweaker than discrete logarithm problem (DL) [22] We wantto prove the security of our protocol under the DDH andDDDH assumptions
Theorem 3 The DDDH problem is equivalent to the DDHproblem
Proof Given the DDDH input (119892 119892119909 119892119910 119892119911) where 119911 =
119910119909 one submits (119892 119892119909 119892119911 119892119910) to DDH to decide whether119910 = 119909119911 or a randomly chosen number Similarly giventhe DDH input (119892 119892119909 119892119910 119892119911) where 119911 = 119909119910 one submits(119892 119892119909 119892119911 119892119910) to DDDH to decide if 119910 = 119911119909 or a randomlychosen number
Therefore we know that if there is no polynomial timealgorithm to solve the DDH problem it is hard to solve theDDDH problem
Theorem 4 If the DDH problem is hard it is hard to find apolynomial time algorithm to recover the group key from theproposed protocol in other words it provides group key secrecyagainst passive adversaries under the DDH assumption
Proof Let view(119899 119896) be public information for a group of 119899members to establish a group key 119892
119896 thus it is a view ofpassive attackers
V119894119890119908 (119899 119896) = (1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899 119892119909119899119896) (10)
Suppose we had an algorithm F that with significantprobability succeeds to distinguish between (view(119899 119896)119892119910) where 119910 is a random number 119910 isin Z
119902 and (view(119899 119896)
119892119896) where 119892
119896 is the group key that is F(V119894119890119908(119899 119896) 119892119910) =
F(1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892119909119899 119892119909119899119896 119892119910) = 1 where 119910 = 119896
otherwise returns 0 Then we can query to F with inputview(119899minus1 119896) = (119892
1199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899minus1 119892119909119899minus1119896) for 119899minus1
membersrsquo information and additional input ((119892119909119894)119903 (119892119909119894119896)119903
)
for a random number 119903 isin119877Z119902 where 0 lt 119894 lt 119899 that is
F(V119894119890119908(119899 minus 1 119896) 119892119909119894119903 119892119909119894119896119903 119892
119910) It follows that
(V119894119890119908(1 119896) 1198921199091199031 1198921199091198961199031 119892
1199091199032 1198921199091198961199032 119892
119909119903119899minus1 119892119909119896119903119899minus1 119892
119910) =
F(119892119909 119892119909119896 1198921199091199031 1198921199091198961199031 1198921199091199032 1198921199091198961199032 119892119909119903119899minus1 119892119909119896119903119899minus1 119892119910) where119903119894isin119877Z119902 for 0 lt 119894 lt 119899 Then 119865 can solve the DDDH problem
since it can decide whether 119910 = 119909119896119909 or a random numbergiven (V119894119890119908(1 119896) 119892
119910)) = (119892
119909 119892119909119896 119892119910) It means that 119865 can
also solve the DDH problem byTheorem 3
Theorem 5 The proposed scheme provides backward secrecyforward secrecy and key independence provided the DDHproblem is intractable
Proof Whenever membership is changed or the group keyis updated the group controller alters its own secret 119896 to 119896
1015840where 119896
1015840 is an independently random number to 119896 isin Z119902
it implies that it is impossible to find an algorithm 119865 suchthat 119865(119892
119896) rarr 119892
1198961015840
without knowledge of 119896 and 1198961015840 We
assume that the secret values are uniformly distributed by apseudorandom generatorTherefore when the group key hasbeen changed an adversarymust use newpublic informationV119894119890119908(119899 119896
1015840) = (119892
1199091 11989211990911198961015840
1198921199092 11989211990921198961015840
119892119909119899 1198921199091198991198961015840
) to recoverthe group key updated into 119892
1198961015840
and it depends on a solutionto solve the DDH problem byTheorem 4 It follows that pastmembers future members or adversaries who know a subsetof previous group keys cannot learn the current group keysince the broadcastmessage from themaster does not containtheir locker119883
119894in view()
Theorem 6 The proposed scheme provides implicit keyauthentication under the security of certified public key
Proof A locker which the master obtains from group mem-bers is what a groupmember signswith its public key certifiedby a CA Concretely a locker 119883
119894is hashed by a one-way
function such as SHA-2 and hash (119883119894) is signed with 119872
119894rsquos
private key using a digital signature algorithm such as RSADSA and ECDSAThen the locker is verified with the publickey bound to 119872
119894and certified by CA If there is a locker of
nonmember in the locker list of a group it must be along witha forged signature It means that the problem occurs in a hashcollision attack or a rogueCAcertificate [23]Once all verifiedlockers are transferred to the master any other nodes whichare not a group member cannot recover the group key underthe DDH assumption (Theorems 4 and 5)
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 5
Assume that a group 119877119898is merged into a group 119862
119899where 119899 ge 119898 and the merged
group 119862119899+119898
= 119862119899cup 1198771198981198721199041015840 is the master of 119877
119898and119872
119904is the master of 119862
119899
Step 11198721199041015840 selects a random number 119909
1199041015840 in Z
119902 computes119883
1199041015840= 1198921199091199041015840mod p and updates
the locker list into119883119871119877= 11988311198832 119883
119898 cup 119883
1199041015840
(delegation)1198721199041015840 rarr 119872
119904119883119871119877
Step 2119872119904selects random 119896
1015840 in Z119902for new group key and computes key-locks with updated locker list
119872119904rArr 119862119899+119898
(119883119894)1198961015840
| 119894 isin [1 119899 + 119898] 119894 = 119904
Box 4 Group merging
Assume that a current group 119862119899is partitioned into two groups 119875
119898(sub 119862119899) and 119862
119899minus119898(=119862119899 119875119898)
The master of 119877119898is1198721199041015840 and the master of 119862
119899is119872119904(notin 119875119898)
Step 1119872119904generate119883119871
119875= 119883119895|119872119895isin 119875119898 119895 = 119904 from119883119871
119862
(delegation)119872119904rarr 119872
1199041015840 119883119871
119875
Step 2119872119904and119872
1199041015840 select random 119896
1015840 11989610158401015840 in Z119902respectively and compute key-locks with their locker list
119872119904rArr 119862119899minus119898
(119883119894)1198961015840
| 119894 isin [1 119899] and 119872119894notin 119875119898 119894 = 119904
1198721199041015840 rArr 119875
119898 (119883119895)11989610158401015840
|119872119895isin 119875119898 119895 = 119904
Box 5 Group partition
1198773 In Figure 2 the number in a circle indicates membersrsquo
index (such as by a joined order) Before they are merged thenumber of the current group 119862 is four including the groupmaster (ie 119899 = 4 119862
4) and the number of members of
joining group is three (ie 119898 = 3 1198773) To be merged the
master of 1198773sends the master of 119862
4the locker list 119883119871
119877for
1198721and 119872
2 Note that the master 119872
119904of 119877119898must forward its
locker after changing its own secret because it was used as theformer group key The master of 119862
4becomes the master for
the merged group It updates 119883119871119862and generates key-locks
119883119871119896
119862with a new selected random 119896
As shown in Figure 3 the current group will be dividedinto two groups When the number of left members is119898 thecurrent group will have (119899 minus 119898) members after the partitionprocess Group partition requires one more master 119872
1199041015840 for
a separated subgroup 119875119898
sub 119862119899(119872119904notin 119875119898) Group partition
process can be easily conducted through delegation from themaster 119872
119904of group 119862
119899to the fresh master 119872
1199041015840 of subgroup
119875119898Thedivided groups performa group key initial phase after
the delegation process as in Box 5
35 Implicit Key Authentication For the secure key authenti-cation the messages sent from all members should be signedwith a signature key Hash-based signature such as messageauthentication code (MAC) is fairly efficient in terms ofcomputation cost However it is too costly to share one-to-one pairwise keys between all of group members in advance
We assume that a member holds long-term private andpublic keys certified by a trusted certificate authority (CA)(Each member can use a different signature algorithm suchas RSA-based signature algorithm digital signature algo-rithm (DSA) and elliptic curve digital signature algorithm(ECDSA) Note that some of them do not provide messageencryption that is it is used for message signing and
verifyingWe consider thatDSA is better for our scheme sinceits public key includes119892119909mod119901)Thegroupmembers send tothemaster the signedmessageswith their own private key forexample in the first step of Box 1 a member119872
119894 sends to the
master 119883119894 119878119894119892119872119894
(119883119894) which 119872
119894signs for 119883
119894with its private
key Note that this process runs one-time at initial phase or itcan be precomputed with119883
119894
Members can obtain the group key securely by verifyingthe messages of the master with signature signed with themasterrsquos private key All of messages from the master comewith a master-signed signature for the origin and integrity ofa group key For example in the second step of Box 1 themaster broadcasts 119883
119896
1 119883119896
2 119883
119896
119899 119878119894119892119872119904
(GK) The masterproduces a locked set for the group key using verifiedmembersrsquo locker It implies that outsiders cannot recover thegroup key from the masterrsquos messages
4 Evaluation
We measure performance of the proposed scheme throughcommunication and computation cost spent for all groupmembers to complete group rekeying bymembership changeTable 1 shows summary of comparison with other DH-based key management protocols CKD GDH BD STRand TGDH In Table 1 119899 119898 and 119901 denote the number ofcurrent group members joining or merged-group membersand leaving or partitioned-group members respectivelyTherefore119898 = 1 or 119901 = 1 indicates the single-member eventFor TGDH the height of the key tree is denoted as ℎ and forSTR 119904 is denoted as the index of the sponsor which helpsother members to calculate group keys Group merging is acase where a group of119898members is merged into a group of 119899members (119899 ge 119898) and group partition is a casewhere a groupof 119899members is divided into separate subgroups (1) a group
6 Journal of Applied Mathematics
6
1
2
s
5
3
4
2
1
s
C
R
XLR = Xs X1 X2
(a)
6
1
2
s
5
3
4
C
XLkC = Xk1 X
k2 X
k6
(b)
Figure 2 Group merging process (a) when groups 1198624and 119877
3are merged Rrsquos master sends the locker list of 119877 to Crsquos master and (b) after
groups are merged Crsquos master becomes the master for merged group and broadcasts the key-locks for new group key to all of the members
6
1
2
s
3
5
4
2
s
1
C
P
XLP = X
4 X6
(a)
1
2 32
1
CP
s
s
XLk
Lk
C = Xkc1 X
kc2 X
kc3
X P = Xkp1 X
kp2
(b)
Figure 3 Group partition process (a) when group 1198627is partitioned into two groups (new group 119875
3) the master of the original group sends
Prsquos master the locker list of the new subgroup and (b) after the group is split each group master broadcasts the key-locks for each new groupkey
of 119901 members and (2) a group of (119899 minus 119901) members where(119899minus119901)ge 119901The costs for the group partition event include thecosts for updating two subgroup keys In computation costswe consider concurrent execution in distributed nodes if itis possible In CODH we assume the master is selected bygroup-join order the first master is119872
1 and when119872
1leaves
the group1198722becomes the next master
CKD distributes the group key in a similar way with ourprotocol Its communication and computation costs are alsosimilar to our protocol However the worst case of CKD iswhen the master leaves It requires large costs for rekeyingOn the other hand in CODH the rekeying cost for a leavingmaster is analogous to that for a leaving member due toefficient delegation or sharing of public locker list GDH isoperated through communication chain from the first node
to the last node and the last node becomes the master of thegroup Steiner et al presented three GDH protocols GDH12 and 3 GDH2 is the most efficient in communicationwhereas GDH3 is the most efficient in computation costamong GDHx We select GDH3 for comparison As shownin Table 1 GDH has weaknesses in group merging and massjoining BD employs a completely distributed way usingbroadcast messages Without sponsors or controllers all ofmembers broadcast messages for updating the group keyAlthough it seems to be fairly efficient in computation costthere are hidden costs for multiplications In addition itrequires a large communication cost compared to otherprotocols STR and TGDH are tree-based key agreement pro-tocolsThey use different tree structures for keymanagementSTR especially uses the extremely unbalanced tree structure
Journal of Applied Mathematics 7
Table 1 Communication and computation costs
Rounds Messages Exponentiations Signatures Verifications
GDH
Join merge m + 3 n + 2m + 1 n + 2m + 1 m + 3 n + 2m + 1Leave 1 1 119899 minus 119901 1 1
Partition 2 p + 1 119899 minus 119901 2 pMaster leave 2 119899 minus 1 119899 minus 1 2 119899 minus 1
STR
Join 3 m + 2 3m 2 m + 2Leave 1 1 3(119899 minus 119901) minus 2119904 minus 1 1 1Merge 3 3 3119898 minus 1 2 3
Partition 2 3 3(119899 minus 119901) minus 2119904 minus 1 2 3
TGDH Join merge 2 3 3ℎ minus 3 2 3Leave partition h 2h 3ℎ h ℎ
BDJoin merge 2 2n + 2m 3 2 2119899 + 2119898 minus 2
Leave 2 2119899 minus 2119901 3 2 2119899 minus 2119901 minus 2
Partition 2 2n 3 2 2119899 minus 2119901 minus 2
CKD
Join merge 3 m + 2 n + 2m 3 m + 2Leave 1 1 119899 minus 119901 1 1
Partition 3 p + 2 max(119899 minus 119901 2119901 minus 1) 3 4Master leave 3 n 2119899 minus 3 3 n
CODH
Join 2 m + 1 n +m + 1 2 m + 1Leave 1 1 119899 minus 119901 1 1Merge 2 2 119899 + 119898 2 2
Partition 2 3 119899 minus 119901 2 2Master leave 2 2 119899 minus 1 2 2
Table 2 Communication and computation costs for CODHmember and master
Send Receive Exponentiations Signatures Verifications
General member Join merge 0 1 1 0 1Leave partition 0 1 1 0 1
Group masterJoin 1 m n +m 1 1
Leave partition 1 0 119899 minus 119901 1 0Merge 1 1 n +m 1 1
Accordingly the performance of STRdepends on the locationof the sponsors In TGDH the costs depend on the heightof the resulting key tree and locations of joining or leavingmembers in the tree We provide the worst case cost forTGDH
Most of the cost in CODH comes from the masternode A general node consumes only one communicationmodular exponentiation signature and verification in allof group rekeying process We summarize the costs for ageneral member and the group master in Table 2 Althoughthe exponentiation cost looks heavy in the master its costis insignificant We conducted an experiment to measurecomputation delays for modular exponentiations Table 3shows the average delay of 10 experimental results for eachThe first device has less CPU power than the second deviceWhen modular prime 119901 is 1024 bits long and 119899 le 50 thecomputation delay is less than 1 s The average delay of one
exponentiation is less than 8ms in the second device More-over reducing communication cost is important for mobiledevices because data communication consumes more energythan any other process Therefore our group key protocolscan be efficiently applied in dynamic mobile networks
5 Security
Let 119901 be a large prime number of the form 2119902 + 1 for a prime119902 in Z
119901 Let 119866 be a cyclic group of prime order 119902 and let 119892
be a generator of 119866 that is 119866 = ⟨119892⟩ The decisional Diffie-Hellman problem (DDH) is as follows given (119892 119892119909 119892119910 119892119911)where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119909119910 or a randomly
chosen number In particular the security of our protocolis based on the divisible decisional Diffie-Hellman problem
8 Journal of Applied Mathematics
Table 3 Computation delays on mobile devices (ms)
p = 1024-bit p = 2048-bit119899 = 1 119899 = 25 119899 = 50 119899 = 1 119899 = 25 119899 = 50
Exponentiation (1 GHz CPU 512MB RAM) 37 4526 9078 1689 33854 67625Exponentiation (226GHz CPU 2GB RAM) 129 1928 3853 754 14588 29174
(DDDH) which is stronger assumption than the divisiblecomputational Diffie-Hellman problem (DCDH)
Definition 1 The DCDH problem is as follows given(119892 119892119909 119892119910) where 119909 119910 isin Z
119902 compute 119892119910119909
Definition 2 The DDDH problem is as follows given(119892 119892119909 119892119910 119892119911) where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119910119909
or a randomly chosen number
The DDDH problem is weaker than DCDH since if anadversary could solve the DCDH problem he could solvethe DDDH problem by computing 119892
119909 to decide 119892119911= 119892119910119909
thus the DDDH assumption is stronger than the DCDHassumption Similarly the DDH problem is weaker thanthe computational Diffie-Hellman problem (CDH) which isweaker than discrete logarithm problem (DL) [22] We wantto prove the security of our protocol under the DDH andDDDH assumptions
Theorem 3 The DDDH problem is equivalent to the DDHproblem
Proof Given the DDDH input (119892 119892119909 119892119910 119892119911) where 119911 =
119910119909 one submits (119892 119892119909 119892119911 119892119910) to DDH to decide whether119910 = 119909119911 or a randomly chosen number Similarly giventhe DDH input (119892 119892119909 119892119910 119892119911) where 119911 = 119909119910 one submits(119892 119892119909 119892119911 119892119910) to DDDH to decide if 119910 = 119911119909 or a randomlychosen number
Therefore we know that if there is no polynomial timealgorithm to solve the DDH problem it is hard to solve theDDDH problem
Theorem 4 If the DDH problem is hard it is hard to find apolynomial time algorithm to recover the group key from theproposed protocol in other words it provides group key secrecyagainst passive adversaries under the DDH assumption
Proof Let view(119899 119896) be public information for a group of 119899members to establish a group key 119892
119896 thus it is a view ofpassive attackers
V119894119890119908 (119899 119896) = (1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899 119892119909119899119896) (10)
Suppose we had an algorithm F that with significantprobability succeeds to distinguish between (view(119899 119896)119892119910) where 119910 is a random number 119910 isin Z
119902 and (view(119899 119896)
119892119896) where 119892
119896 is the group key that is F(V119894119890119908(119899 119896) 119892119910) =
F(1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892119909119899 119892119909119899119896 119892119910) = 1 where 119910 = 119896
otherwise returns 0 Then we can query to F with inputview(119899minus1 119896) = (119892
1199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899minus1 119892119909119899minus1119896) for 119899minus1
membersrsquo information and additional input ((119892119909119894)119903 (119892119909119894119896)119903
)
for a random number 119903 isin119877Z119902 where 0 lt 119894 lt 119899 that is
F(V119894119890119908(119899 minus 1 119896) 119892119909119894119903 119892119909119894119896119903 119892
119910) It follows that
(V119894119890119908(1 119896) 1198921199091199031 1198921199091198961199031 119892
1199091199032 1198921199091198961199032 119892
119909119903119899minus1 119892119909119896119903119899minus1 119892
119910) =
F(119892119909 119892119909119896 1198921199091199031 1198921199091198961199031 1198921199091199032 1198921199091198961199032 119892119909119903119899minus1 119892119909119896119903119899minus1 119892119910) where119903119894isin119877Z119902 for 0 lt 119894 lt 119899 Then 119865 can solve the DDDH problem
since it can decide whether 119910 = 119909119896119909 or a random numbergiven (V119894119890119908(1 119896) 119892
119910)) = (119892
119909 119892119909119896 119892119910) It means that 119865 can
also solve the DDH problem byTheorem 3
Theorem 5 The proposed scheme provides backward secrecyforward secrecy and key independence provided the DDHproblem is intractable
Proof Whenever membership is changed or the group keyis updated the group controller alters its own secret 119896 to 119896
1015840where 119896
1015840 is an independently random number to 119896 isin Z119902
it implies that it is impossible to find an algorithm 119865 suchthat 119865(119892
119896) rarr 119892
1198961015840
without knowledge of 119896 and 1198961015840 We
assume that the secret values are uniformly distributed by apseudorandom generatorTherefore when the group key hasbeen changed an adversarymust use newpublic informationV119894119890119908(119899 119896
1015840) = (119892
1199091 11989211990911198961015840
1198921199092 11989211990921198961015840
119892119909119899 1198921199091198991198961015840
) to recoverthe group key updated into 119892
1198961015840
and it depends on a solutionto solve the DDH problem byTheorem 4 It follows that pastmembers future members or adversaries who know a subsetof previous group keys cannot learn the current group keysince the broadcastmessage from themaster does not containtheir locker119883
119894in view()
Theorem 6 The proposed scheme provides implicit keyauthentication under the security of certified public key
Proof A locker which the master obtains from group mem-bers is what a groupmember signswith its public key certifiedby a CA Concretely a locker 119883
119894is hashed by a one-way
function such as SHA-2 and hash (119883119894) is signed with 119872
119894rsquos
private key using a digital signature algorithm such as RSADSA and ECDSAThen the locker is verified with the publickey bound to 119872
119894and certified by CA If there is a locker of
nonmember in the locker list of a group it must be along witha forged signature It means that the problem occurs in a hashcollision attack or a rogueCAcertificate [23]Once all verifiedlockers are transferred to the master any other nodes whichare not a group member cannot recover the group key underthe DDH assumption (Theorems 4 and 5)
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
6 Journal of Applied Mathematics
6
1
2
s
5
3
4
2
1
s
C
R
XLR = Xs X1 X2
(a)
6
1
2
s
5
3
4
C
XLkC = Xk1 X
k2 X
k6
(b)
Figure 2 Group merging process (a) when groups 1198624and 119877
3are merged Rrsquos master sends the locker list of 119877 to Crsquos master and (b) after
groups are merged Crsquos master becomes the master for merged group and broadcasts the key-locks for new group key to all of the members
6
1
2
s
3
5
4
2
s
1
C
P
XLP = X
4 X6
(a)
1
2 32
1
CP
s
s
XLk
Lk
C = Xkc1 X
kc2 X
kc3
X P = Xkp1 X
kp2
(b)
Figure 3 Group partition process (a) when group 1198627is partitioned into two groups (new group 119875
3) the master of the original group sends
Prsquos master the locker list of the new subgroup and (b) after the group is split each group master broadcasts the key-locks for each new groupkey
of 119901 members and (2) a group of (119899 minus 119901) members where(119899minus119901)ge 119901The costs for the group partition event include thecosts for updating two subgroup keys In computation costswe consider concurrent execution in distributed nodes if itis possible In CODH we assume the master is selected bygroup-join order the first master is119872
1 and when119872
1leaves
the group1198722becomes the next master
CKD distributes the group key in a similar way with ourprotocol Its communication and computation costs are alsosimilar to our protocol However the worst case of CKD iswhen the master leaves It requires large costs for rekeyingOn the other hand in CODH the rekeying cost for a leavingmaster is analogous to that for a leaving member due toefficient delegation or sharing of public locker list GDH isoperated through communication chain from the first node
to the last node and the last node becomes the master of thegroup Steiner et al presented three GDH protocols GDH12 and 3 GDH2 is the most efficient in communicationwhereas GDH3 is the most efficient in computation costamong GDHx We select GDH3 for comparison As shownin Table 1 GDH has weaknesses in group merging and massjoining BD employs a completely distributed way usingbroadcast messages Without sponsors or controllers all ofmembers broadcast messages for updating the group keyAlthough it seems to be fairly efficient in computation costthere are hidden costs for multiplications In addition itrequires a large communication cost compared to otherprotocols STR and TGDH are tree-based key agreement pro-tocolsThey use different tree structures for keymanagementSTR especially uses the extremely unbalanced tree structure
Journal of Applied Mathematics 7
Table 1 Communication and computation costs
Rounds Messages Exponentiations Signatures Verifications
GDH
Join merge m + 3 n + 2m + 1 n + 2m + 1 m + 3 n + 2m + 1Leave 1 1 119899 minus 119901 1 1
Partition 2 p + 1 119899 minus 119901 2 pMaster leave 2 119899 minus 1 119899 minus 1 2 119899 minus 1
STR
Join 3 m + 2 3m 2 m + 2Leave 1 1 3(119899 minus 119901) minus 2119904 minus 1 1 1Merge 3 3 3119898 minus 1 2 3
Partition 2 3 3(119899 minus 119901) minus 2119904 minus 1 2 3
TGDH Join merge 2 3 3ℎ minus 3 2 3Leave partition h 2h 3ℎ h ℎ
BDJoin merge 2 2n + 2m 3 2 2119899 + 2119898 minus 2
Leave 2 2119899 minus 2119901 3 2 2119899 minus 2119901 minus 2
Partition 2 2n 3 2 2119899 minus 2119901 minus 2
CKD
Join merge 3 m + 2 n + 2m 3 m + 2Leave 1 1 119899 minus 119901 1 1
Partition 3 p + 2 max(119899 minus 119901 2119901 minus 1) 3 4Master leave 3 n 2119899 minus 3 3 n
CODH
Join 2 m + 1 n +m + 1 2 m + 1Leave 1 1 119899 minus 119901 1 1Merge 2 2 119899 + 119898 2 2
Partition 2 3 119899 minus 119901 2 2Master leave 2 2 119899 minus 1 2 2
Table 2 Communication and computation costs for CODHmember and master
Send Receive Exponentiations Signatures Verifications
General member Join merge 0 1 1 0 1Leave partition 0 1 1 0 1
Group masterJoin 1 m n +m 1 1
Leave partition 1 0 119899 minus 119901 1 0Merge 1 1 n +m 1 1
Accordingly the performance of STRdepends on the locationof the sponsors In TGDH the costs depend on the heightof the resulting key tree and locations of joining or leavingmembers in the tree We provide the worst case cost forTGDH
Most of the cost in CODH comes from the masternode A general node consumes only one communicationmodular exponentiation signature and verification in allof group rekeying process We summarize the costs for ageneral member and the group master in Table 2 Althoughthe exponentiation cost looks heavy in the master its costis insignificant We conducted an experiment to measurecomputation delays for modular exponentiations Table 3shows the average delay of 10 experimental results for eachThe first device has less CPU power than the second deviceWhen modular prime 119901 is 1024 bits long and 119899 le 50 thecomputation delay is less than 1 s The average delay of one
exponentiation is less than 8ms in the second device More-over reducing communication cost is important for mobiledevices because data communication consumes more energythan any other process Therefore our group key protocolscan be efficiently applied in dynamic mobile networks
5 Security
Let 119901 be a large prime number of the form 2119902 + 1 for a prime119902 in Z
119901 Let 119866 be a cyclic group of prime order 119902 and let 119892
be a generator of 119866 that is 119866 = ⟨119892⟩ The decisional Diffie-Hellman problem (DDH) is as follows given (119892 119892119909 119892119910 119892119911)where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119909119910 or a randomly
chosen number In particular the security of our protocolis based on the divisible decisional Diffie-Hellman problem
8 Journal of Applied Mathematics
Table 3 Computation delays on mobile devices (ms)
p = 1024-bit p = 2048-bit119899 = 1 119899 = 25 119899 = 50 119899 = 1 119899 = 25 119899 = 50
Exponentiation (1 GHz CPU 512MB RAM) 37 4526 9078 1689 33854 67625Exponentiation (226GHz CPU 2GB RAM) 129 1928 3853 754 14588 29174
(DDDH) which is stronger assumption than the divisiblecomputational Diffie-Hellman problem (DCDH)
Definition 1 The DCDH problem is as follows given(119892 119892119909 119892119910) where 119909 119910 isin Z
119902 compute 119892119910119909
Definition 2 The DDDH problem is as follows given(119892 119892119909 119892119910 119892119911) where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119910119909
or a randomly chosen number
The DDDH problem is weaker than DCDH since if anadversary could solve the DCDH problem he could solvethe DDDH problem by computing 119892
119909 to decide 119892119911= 119892119910119909
thus the DDDH assumption is stronger than the DCDHassumption Similarly the DDH problem is weaker thanthe computational Diffie-Hellman problem (CDH) which isweaker than discrete logarithm problem (DL) [22] We wantto prove the security of our protocol under the DDH andDDDH assumptions
Theorem 3 The DDDH problem is equivalent to the DDHproblem
Proof Given the DDDH input (119892 119892119909 119892119910 119892119911) where 119911 =
119910119909 one submits (119892 119892119909 119892119911 119892119910) to DDH to decide whether119910 = 119909119911 or a randomly chosen number Similarly giventhe DDH input (119892 119892119909 119892119910 119892119911) where 119911 = 119909119910 one submits(119892 119892119909 119892119911 119892119910) to DDDH to decide if 119910 = 119911119909 or a randomlychosen number
Therefore we know that if there is no polynomial timealgorithm to solve the DDH problem it is hard to solve theDDDH problem
Theorem 4 If the DDH problem is hard it is hard to find apolynomial time algorithm to recover the group key from theproposed protocol in other words it provides group key secrecyagainst passive adversaries under the DDH assumption
Proof Let view(119899 119896) be public information for a group of 119899members to establish a group key 119892
119896 thus it is a view ofpassive attackers
V119894119890119908 (119899 119896) = (1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899 119892119909119899119896) (10)
Suppose we had an algorithm F that with significantprobability succeeds to distinguish between (view(119899 119896)119892119910) where 119910 is a random number 119910 isin Z
119902 and (view(119899 119896)
119892119896) where 119892
119896 is the group key that is F(V119894119890119908(119899 119896) 119892119910) =
F(1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892119909119899 119892119909119899119896 119892119910) = 1 where 119910 = 119896
otherwise returns 0 Then we can query to F with inputview(119899minus1 119896) = (119892
1199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899minus1 119892119909119899minus1119896) for 119899minus1
membersrsquo information and additional input ((119892119909119894)119903 (119892119909119894119896)119903
)
for a random number 119903 isin119877Z119902 where 0 lt 119894 lt 119899 that is
F(V119894119890119908(119899 minus 1 119896) 119892119909119894119903 119892119909119894119896119903 119892
119910) It follows that
(V119894119890119908(1 119896) 1198921199091199031 1198921199091198961199031 119892
1199091199032 1198921199091198961199032 119892
119909119903119899minus1 119892119909119896119903119899minus1 119892
119910) =
F(119892119909 119892119909119896 1198921199091199031 1198921199091198961199031 1198921199091199032 1198921199091198961199032 119892119909119903119899minus1 119892119909119896119903119899minus1 119892119910) where119903119894isin119877Z119902 for 0 lt 119894 lt 119899 Then 119865 can solve the DDDH problem
since it can decide whether 119910 = 119909119896119909 or a random numbergiven (V119894119890119908(1 119896) 119892
119910)) = (119892
119909 119892119909119896 119892119910) It means that 119865 can
also solve the DDH problem byTheorem 3
Theorem 5 The proposed scheme provides backward secrecyforward secrecy and key independence provided the DDHproblem is intractable
Proof Whenever membership is changed or the group keyis updated the group controller alters its own secret 119896 to 119896
1015840where 119896
1015840 is an independently random number to 119896 isin Z119902
it implies that it is impossible to find an algorithm 119865 suchthat 119865(119892
119896) rarr 119892
1198961015840
without knowledge of 119896 and 1198961015840 We
assume that the secret values are uniformly distributed by apseudorandom generatorTherefore when the group key hasbeen changed an adversarymust use newpublic informationV119894119890119908(119899 119896
1015840) = (119892
1199091 11989211990911198961015840
1198921199092 11989211990921198961015840
119892119909119899 1198921199091198991198961015840
) to recoverthe group key updated into 119892
1198961015840
and it depends on a solutionto solve the DDH problem byTheorem 4 It follows that pastmembers future members or adversaries who know a subsetof previous group keys cannot learn the current group keysince the broadcastmessage from themaster does not containtheir locker119883
119894in view()
Theorem 6 The proposed scheme provides implicit keyauthentication under the security of certified public key
Proof A locker which the master obtains from group mem-bers is what a groupmember signswith its public key certifiedby a CA Concretely a locker 119883
119894is hashed by a one-way
function such as SHA-2 and hash (119883119894) is signed with 119872
119894rsquos
private key using a digital signature algorithm such as RSADSA and ECDSAThen the locker is verified with the publickey bound to 119872
119894and certified by CA If there is a locker of
nonmember in the locker list of a group it must be along witha forged signature It means that the problem occurs in a hashcollision attack or a rogueCAcertificate [23]Once all verifiedlockers are transferred to the master any other nodes whichare not a group member cannot recover the group key underthe DDH assumption (Theorems 4 and 5)
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 7
Table 1 Communication and computation costs
Rounds Messages Exponentiations Signatures Verifications
GDH
Join merge m + 3 n + 2m + 1 n + 2m + 1 m + 3 n + 2m + 1Leave 1 1 119899 minus 119901 1 1
Partition 2 p + 1 119899 minus 119901 2 pMaster leave 2 119899 minus 1 119899 minus 1 2 119899 minus 1
STR
Join 3 m + 2 3m 2 m + 2Leave 1 1 3(119899 minus 119901) minus 2119904 minus 1 1 1Merge 3 3 3119898 minus 1 2 3
Partition 2 3 3(119899 minus 119901) minus 2119904 minus 1 2 3
TGDH Join merge 2 3 3ℎ minus 3 2 3Leave partition h 2h 3ℎ h ℎ
BDJoin merge 2 2n + 2m 3 2 2119899 + 2119898 minus 2
Leave 2 2119899 minus 2119901 3 2 2119899 minus 2119901 minus 2
Partition 2 2n 3 2 2119899 minus 2119901 minus 2
CKD
Join merge 3 m + 2 n + 2m 3 m + 2Leave 1 1 119899 minus 119901 1 1
Partition 3 p + 2 max(119899 minus 119901 2119901 minus 1) 3 4Master leave 3 n 2119899 minus 3 3 n
CODH
Join 2 m + 1 n +m + 1 2 m + 1Leave 1 1 119899 minus 119901 1 1Merge 2 2 119899 + 119898 2 2
Partition 2 3 119899 minus 119901 2 2Master leave 2 2 119899 minus 1 2 2
Table 2 Communication and computation costs for CODHmember and master
Send Receive Exponentiations Signatures Verifications
General member Join merge 0 1 1 0 1Leave partition 0 1 1 0 1
Group masterJoin 1 m n +m 1 1
Leave partition 1 0 119899 minus 119901 1 0Merge 1 1 n +m 1 1
Accordingly the performance of STRdepends on the locationof the sponsors In TGDH the costs depend on the heightof the resulting key tree and locations of joining or leavingmembers in the tree We provide the worst case cost forTGDH
Most of the cost in CODH comes from the masternode A general node consumes only one communicationmodular exponentiation signature and verification in allof group rekeying process We summarize the costs for ageneral member and the group master in Table 2 Althoughthe exponentiation cost looks heavy in the master its costis insignificant We conducted an experiment to measurecomputation delays for modular exponentiations Table 3shows the average delay of 10 experimental results for eachThe first device has less CPU power than the second deviceWhen modular prime 119901 is 1024 bits long and 119899 le 50 thecomputation delay is less than 1 s The average delay of one
exponentiation is less than 8ms in the second device More-over reducing communication cost is important for mobiledevices because data communication consumes more energythan any other process Therefore our group key protocolscan be efficiently applied in dynamic mobile networks
5 Security
Let 119901 be a large prime number of the form 2119902 + 1 for a prime119902 in Z
119901 Let 119866 be a cyclic group of prime order 119902 and let 119892
be a generator of 119866 that is 119866 = ⟨119892⟩ The decisional Diffie-Hellman problem (DDH) is as follows given (119892 119892119909 119892119910 119892119911)where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119909119910 or a randomly
chosen number In particular the security of our protocolis based on the divisible decisional Diffie-Hellman problem
8 Journal of Applied Mathematics
Table 3 Computation delays on mobile devices (ms)
p = 1024-bit p = 2048-bit119899 = 1 119899 = 25 119899 = 50 119899 = 1 119899 = 25 119899 = 50
Exponentiation (1 GHz CPU 512MB RAM) 37 4526 9078 1689 33854 67625Exponentiation (226GHz CPU 2GB RAM) 129 1928 3853 754 14588 29174
(DDDH) which is stronger assumption than the divisiblecomputational Diffie-Hellman problem (DCDH)
Definition 1 The DCDH problem is as follows given(119892 119892119909 119892119910) where 119909 119910 isin Z
119902 compute 119892119910119909
Definition 2 The DDDH problem is as follows given(119892 119892119909 119892119910 119892119911) where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119910119909
or a randomly chosen number
The DDDH problem is weaker than DCDH since if anadversary could solve the DCDH problem he could solvethe DDDH problem by computing 119892
119909 to decide 119892119911= 119892119910119909
thus the DDDH assumption is stronger than the DCDHassumption Similarly the DDH problem is weaker thanthe computational Diffie-Hellman problem (CDH) which isweaker than discrete logarithm problem (DL) [22] We wantto prove the security of our protocol under the DDH andDDDH assumptions
Theorem 3 The DDDH problem is equivalent to the DDHproblem
Proof Given the DDDH input (119892 119892119909 119892119910 119892119911) where 119911 =
119910119909 one submits (119892 119892119909 119892119911 119892119910) to DDH to decide whether119910 = 119909119911 or a randomly chosen number Similarly giventhe DDH input (119892 119892119909 119892119910 119892119911) where 119911 = 119909119910 one submits(119892 119892119909 119892119911 119892119910) to DDDH to decide if 119910 = 119911119909 or a randomlychosen number
Therefore we know that if there is no polynomial timealgorithm to solve the DDH problem it is hard to solve theDDDH problem
Theorem 4 If the DDH problem is hard it is hard to find apolynomial time algorithm to recover the group key from theproposed protocol in other words it provides group key secrecyagainst passive adversaries under the DDH assumption
Proof Let view(119899 119896) be public information for a group of 119899members to establish a group key 119892
119896 thus it is a view ofpassive attackers
V119894119890119908 (119899 119896) = (1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899 119892119909119899119896) (10)
Suppose we had an algorithm F that with significantprobability succeeds to distinguish between (view(119899 119896)119892119910) where 119910 is a random number 119910 isin Z
119902 and (view(119899 119896)
119892119896) where 119892
119896 is the group key that is F(V119894119890119908(119899 119896) 119892119910) =
F(1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892119909119899 119892119909119899119896 119892119910) = 1 where 119910 = 119896
otherwise returns 0 Then we can query to F with inputview(119899minus1 119896) = (119892
1199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899minus1 119892119909119899minus1119896) for 119899minus1
membersrsquo information and additional input ((119892119909119894)119903 (119892119909119894119896)119903
)
for a random number 119903 isin119877Z119902 where 0 lt 119894 lt 119899 that is
F(V119894119890119908(119899 minus 1 119896) 119892119909119894119903 119892119909119894119896119903 119892
119910) It follows that
(V119894119890119908(1 119896) 1198921199091199031 1198921199091198961199031 119892
1199091199032 1198921199091198961199032 119892
119909119903119899minus1 119892119909119896119903119899minus1 119892
119910) =
F(119892119909 119892119909119896 1198921199091199031 1198921199091198961199031 1198921199091199032 1198921199091198961199032 119892119909119903119899minus1 119892119909119896119903119899minus1 119892119910) where119903119894isin119877Z119902 for 0 lt 119894 lt 119899 Then 119865 can solve the DDDH problem
since it can decide whether 119910 = 119909119896119909 or a random numbergiven (V119894119890119908(1 119896) 119892
119910)) = (119892
119909 119892119909119896 119892119910) It means that 119865 can
also solve the DDH problem byTheorem 3
Theorem 5 The proposed scheme provides backward secrecyforward secrecy and key independence provided the DDHproblem is intractable
Proof Whenever membership is changed or the group keyis updated the group controller alters its own secret 119896 to 119896
1015840where 119896
1015840 is an independently random number to 119896 isin Z119902
it implies that it is impossible to find an algorithm 119865 suchthat 119865(119892
119896) rarr 119892
1198961015840
without knowledge of 119896 and 1198961015840 We
assume that the secret values are uniformly distributed by apseudorandom generatorTherefore when the group key hasbeen changed an adversarymust use newpublic informationV119894119890119908(119899 119896
1015840) = (119892
1199091 11989211990911198961015840
1198921199092 11989211990921198961015840
119892119909119899 1198921199091198991198961015840
) to recoverthe group key updated into 119892
1198961015840
and it depends on a solutionto solve the DDH problem byTheorem 4 It follows that pastmembers future members or adversaries who know a subsetof previous group keys cannot learn the current group keysince the broadcastmessage from themaster does not containtheir locker119883
119894in view()
Theorem 6 The proposed scheme provides implicit keyauthentication under the security of certified public key
Proof A locker which the master obtains from group mem-bers is what a groupmember signswith its public key certifiedby a CA Concretely a locker 119883
119894is hashed by a one-way
function such as SHA-2 and hash (119883119894) is signed with 119872
119894rsquos
private key using a digital signature algorithm such as RSADSA and ECDSAThen the locker is verified with the publickey bound to 119872
119894and certified by CA If there is a locker of
nonmember in the locker list of a group it must be along witha forged signature It means that the problem occurs in a hashcollision attack or a rogueCAcertificate [23]Once all verifiedlockers are transferred to the master any other nodes whichare not a group member cannot recover the group key underthe DDH assumption (Theorems 4 and 5)
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
8 Journal of Applied Mathematics
Table 3 Computation delays on mobile devices (ms)
p = 1024-bit p = 2048-bit119899 = 1 119899 = 25 119899 = 50 119899 = 1 119899 = 25 119899 = 50
Exponentiation (1 GHz CPU 512MB RAM) 37 4526 9078 1689 33854 67625Exponentiation (226GHz CPU 2GB RAM) 129 1928 3853 754 14588 29174
(DDDH) which is stronger assumption than the divisiblecomputational Diffie-Hellman problem (DCDH)
Definition 1 The DCDH problem is as follows given(119892 119892119909 119892119910) where 119909 119910 isin Z
119902 compute 119892119910119909
Definition 2 The DDDH problem is as follows given(119892 119892119909 119892119910 119892119911) where 119909 119910 119911 isin Z
119902 decide whether 119911 = 119910119909
or a randomly chosen number
The DDDH problem is weaker than DCDH since if anadversary could solve the DCDH problem he could solvethe DDDH problem by computing 119892
119909 to decide 119892119911= 119892119910119909
thus the DDDH assumption is stronger than the DCDHassumption Similarly the DDH problem is weaker thanthe computational Diffie-Hellman problem (CDH) which isweaker than discrete logarithm problem (DL) [22] We wantto prove the security of our protocol under the DDH andDDDH assumptions
Theorem 3 The DDDH problem is equivalent to the DDHproblem
Proof Given the DDDH input (119892 119892119909 119892119910 119892119911) where 119911 =
119910119909 one submits (119892 119892119909 119892119911 119892119910) to DDH to decide whether119910 = 119909119911 or a randomly chosen number Similarly giventhe DDH input (119892 119892119909 119892119910 119892119911) where 119911 = 119909119910 one submits(119892 119892119909 119892119911 119892119910) to DDDH to decide if 119910 = 119911119909 or a randomlychosen number
Therefore we know that if there is no polynomial timealgorithm to solve the DDH problem it is hard to solve theDDDH problem
Theorem 4 If the DDH problem is hard it is hard to find apolynomial time algorithm to recover the group key from theproposed protocol in other words it provides group key secrecyagainst passive adversaries under the DDH assumption
Proof Let view(119899 119896) be public information for a group of 119899members to establish a group key 119892
119896 thus it is a view ofpassive attackers
V119894119890119908 (119899 119896) = (1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899 119892119909119899119896) (10)
Suppose we had an algorithm F that with significantprobability succeeds to distinguish between (view(119899 119896)119892119910) where 119910 is a random number 119910 isin Z
119902 and (view(119899 119896)
119892119896) where 119892
119896 is the group key that is F(V119894119890119908(119899 119896) 119892119910) =
F(1198921199091 1198921199091119896 1198921199092 1198921199092119896 119892119909119899 119892119909119899119896 119892119910) = 1 where 119910 = 119896
otherwise returns 0 Then we can query to F with inputview(119899minus1 119896) = (119892
1199091 1198921199091119896 1198921199092 1198921199092119896 119892
119909119899minus1 119892119909119899minus1119896) for 119899minus1
membersrsquo information and additional input ((119892119909119894)119903 (119892119909119894119896)119903
)
for a random number 119903 isin119877Z119902 where 0 lt 119894 lt 119899 that is
F(V119894119890119908(119899 minus 1 119896) 119892119909119894119903 119892119909119894119896119903 119892
119910) It follows that
(V119894119890119908(1 119896) 1198921199091199031 1198921199091198961199031 119892
1199091199032 1198921199091198961199032 119892
119909119903119899minus1 119892119909119896119903119899minus1 119892
119910) =
F(119892119909 119892119909119896 1198921199091199031 1198921199091198961199031 1198921199091199032 1198921199091198961199032 119892119909119903119899minus1 119892119909119896119903119899minus1 119892119910) where119903119894isin119877Z119902 for 0 lt 119894 lt 119899 Then 119865 can solve the DDDH problem
since it can decide whether 119910 = 119909119896119909 or a random numbergiven (V119894119890119908(1 119896) 119892
119910)) = (119892
119909 119892119909119896 119892119910) It means that 119865 can
also solve the DDH problem byTheorem 3
Theorem 5 The proposed scheme provides backward secrecyforward secrecy and key independence provided the DDHproblem is intractable
Proof Whenever membership is changed or the group keyis updated the group controller alters its own secret 119896 to 119896
1015840where 119896
1015840 is an independently random number to 119896 isin Z119902
it implies that it is impossible to find an algorithm 119865 suchthat 119865(119892
119896) rarr 119892
1198961015840
without knowledge of 119896 and 1198961015840 We
assume that the secret values are uniformly distributed by apseudorandom generatorTherefore when the group key hasbeen changed an adversarymust use newpublic informationV119894119890119908(119899 119896
1015840) = (119892
1199091 11989211990911198961015840
1198921199092 11989211990921198961015840
119892119909119899 1198921199091198991198961015840
) to recoverthe group key updated into 119892
1198961015840
and it depends on a solutionto solve the DDH problem byTheorem 4 It follows that pastmembers future members or adversaries who know a subsetof previous group keys cannot learn the current group keysince the broadcastmessage from themaster does not containtheir locker119883
119894in view()
Theorem 6 The proposed scheme provides implicit keyauthentication under the security of certified public key
Proof A locker which the master obtains from group mem-bers is what a groupmember signswith its public key certifiedby a CA Concretely a locker 119883
119894is hashed by a one-way
function such as SHA-2 and hash (119883119894) is signed with 119872
119894rsquos
private key using a digital signature algorithm such as RSADSA and ECDSAThen the locker is verified with the publickey bound to 119872
119894and certified by CA If there is a locker of
nonmember in the locker list of a group it must be along witha forged signature It means that the problem occurs in a hashcollision attack or a rogueCAcertificate [23]Once all verifiedlockers are transferred to the master any other nodes whichare not a group member cannot recover the group key underthe DDH assumption (Theorems 4 and 5)
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 9
6 Conclusion
In this paper we propose a secure group key managementprotocol based on DH key agreement The proposed keymanagement requires only one data communication and onemodular exponentiation at eachmember for anymembershipevent It shows prominent efficiency in renewing the groupkeys against dynamic group membership change memberjoinleave and group mergingpartition We proved groupkey secrecy backwardforward secrecy key independenceand key authentication No outsiders can learn the group keyunder the DDH assumptionWe conclude that CODH can beadapted efficiently for multicast security in mobile networks
Notations
n Number of protocol participants119872119894 119894th group member 119894 isin [1 119899]
119872119904 Master node (controller) 119904 isin [1 119899]
119901 Prime of the form 2119902 + 1 for a prime 119902119892 Generator in Zlowast
119901
119909119894 Lock-secret random number picked by
119872119894such that 1 lt 119909
119894lt 119901 minus 1 and
gcd(119909119894 119901 minus 1) = 1
119910119894 Unlock-secret for119872
119894such that
119909119894lowast 119910119894equiv 1 mod (119901 minus 1)
119896 Master-secret randomly selected in Zlowast119902
by119872119904
119883119894 Locker 119892119909119894 mod 119901
119862119899 Current group of 119899members (119862) = 119899
119883119871119862 Locker list of group
119862119883119871119862= 1198831 1198832 119883
119899 119883119904
119883119871119896
119862 Key-locks for group
119862119883119871119896
119862= 119883119896
1 119883119896
2 119883
119896
119899 119883119896
119904
119872119894rarr 119872
119895 m Unicast message (m) from119872
119894to119872119895
119872119894rArr 119862119899 m Broadcast message (m) from119872
119894to 119899
members of 119862
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
Theauthors appreciate anonymous reviewers for their helpfulcomments This research was supported by Basic ScienceResearch Program through the National Research Founda-tion of Korea (NRF) funded by the Ministry of EducationScience and Technology (2011-0011289)
References
[1] R Canetti TMalkin andKNissim ldquoEfficient communication-storage tradeoffs for multicast encryptionrdquo in Proceedings ofAdvances in Cryptology (Eurocrypt rsquo99) vol 1592 of LectureNotes in Computer Science pp 459ndash474 Prague Czech Repub-lic May 1999
[2] S Setia S Koussih S Jajodia and E Harder ldquoKronos a scalablegroup re-keying approach for secure multicastrdquo in Proceedingsof the IEEE Symposium on Security and Privacy pp 215ndash228Berkeley Calif USA May 2000
[3] M K Reiter ldquoA secure group membership protocolrdquo IEEETransactions on Software Engineering vol 22 no 1 pp 31ndash421996
[4] D Wallner E Harder and R Agee ldquoKey management formulticast issues and architecturesrdquo RFC 2627 Informational1999
[5] C K Wong M Gouda and S S Lam ldquoSecure group com-munications using key graphsrdquo IEEEACM Transactions onNetworking vol 8 no 1 pp 16ndash30 2000
[6] S Mittra ldquoIolus a framework for scalable secure multicastingrdquoin Proceedings of the ACM (SIGCOMM rsquo97) pp 277ndash288Cannes France September 1997
[7] A T Sherman and D A McGrew ldquoKey establishment inlarge dynamic groups using one-way function treesrdquo IEEETransactions on Software Engineering vol 29 no 5 pp 444ndash458 2003
[8] S Zhu S Setia and S Jajodia ldquoLEAP efficient securitymechanisms for large-scale distributed sensor networksrdquo inProceedings of the 10th ACM Conference on Computer andCommunications Security (CCS rsquo03) pp 62ndash72 WashingtonDC USA October 2003
[9] S Zhu S Xu S Setia and S Jajodia ldquoEstablishing pairwise keysfor secure communication in ad hoc networks a probabilisticapproachrdquo in Proceedings of the 11th IEEE International Confer-ence on Network Protocols pp 326ndash335 Atlanta Ga USA 2003
[10] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976
[11] M Burmester and Y Desmedt ldquoA secure and scalable group keyexchange systemrdquo Information Processing Letters vol 94 no 3pp 137ndash143 2005
[12] M Steiner G Tsudik and M Waidner ldquoDiffie-Hellman keydistribution extended to group communicationrdquo in Proceedingsof the 3rd ACM Conference on Computer and CommunicationsSecurity pp 31ndash37 New Delhi India March 1996
[13] M Steiner G Tsudik and M Waidner ldquoCLIQUES a newapproach to group key agreementrdquo in Proceedings of the 18thInternational Conference on Distributed Computing Systems pp380ndash387 May 1998
[14] Y Amir Y Kim C Nita-Rotaru and G Tsudik ldquoOn the perfor-mance of group key agreement protocolsrdquo ACM Transactionson Information and System Security vol 7 no 3 pp 457ndash4882004
[15] Y Kim A Perrig and G Tsudik ldquoTree-based group keyagreementrdquo ACM Transactions on Information and SystemSecurity vol 7 no 1 pp 60ndash96 2004
[16] YKimA Perrig andG Tsudik ldquoGroup key agreement efficientin communicationrdquo IEEE Transactions on Computers vol 53no 7 pp 905ndash921 2004
[17] B Wu J Wu and D Yuhong ldquoAn efficient group key manage-ment scheme formobile ad hoc networksrdquo International Journalof Security and Networks vol 4 no 1-2 pp 125ndash134 2009
[18] P P C Lee J C S Lui and D K Y Yau ldquoDistributedcollaborative key agreement and authentication protocols fordynamic peer groupsrdquo IEEEACM Transactions on Networkingvol 14 no 2 pp 263ndash276 2006
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
10 Journal of Applied Mathematics
[19] J Liu D Sacchetti F Sailhan and V Issarny ldquoGroup manage-ment for mobile AdHoc networks design implementation andexperimentrdquo in Proceedings of the 6th International Conferenceon Mobile Data Management (MDM rsquo05) pp 192ndash199 AyiaNapa Cyprus May 2005
[20] B Singh and D K Lobiyal ldquoA novel energy-aware cluster headselection based on particle swarm optimization for wirelesssensor networksrdquo Human-Centric Computing and InformationSciences vol 2 no 13 pp 1ndash18 2012
[21] C-W Chen Y-R Tsai and S-J Wang ldquoCost-saving key agree-ment via secret sharing in two-party communication systemsrdquoJournal of Convergence vol 3 no 4 pp 29ndash36 2012
[22] S Mohanty and B Majhi ldquoA strong designated verifiable dlbased signcryption schemerdquo Journal of Information ProcessingSystems vol 8 no 4 pp 567ndash574 2012
[23] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of