Concurrently Deniable Group Key Agreement and Its Application to Privacy-Preserving VANETs

VANETs need secure communication. Authentication in VANETs resists the attack on the receipt of false information. Authenticated group key agreement (GKA) is used to establish a confidential and authenticated communication channel for the multiple vehicles. However, authentication incurs privacy leakage, that is, by using digital signature. Therefore, the deniability is deserved for GKA (which is termed as DGKA) due to the privacy protection. In the DGKA protocol, each participant interacts with intended partners to establish a common group session key. After this agreement session, each participant can not only be regarded as the intended sender but also deny that it has ever participated in this session. Therefore, under this established key, vehicles send confidential messages with authentication property and the deniability protects the vehicles privacy. We present a novel transformation from an unauthenticated group key agreement to a deniable (authenticated) group key agreement without increasing communication round. Our full deniability is achieved even in the concurrent setting which suits the Internet environment. In addition, we design an authenticated and privacy-preserving communication protocol for VANETs by using the proposed deniable group key agreement.


Introduction
Vehicular ad hoc networks (VANETs) [1] refer to the peer-topeer networks formed by roadside units and adjacent vehicles for sharing information, including traffic information (the speed and flow of vehicles, etc.) and warning information.VANETs provide a safe and comfortable driving environment for the drivers, which avoids the congestion and traffic accidents.VANETs should provide secure communication in case false information is inserted into the network.Besides that, VANETs should also have privacy issues as vehicles are reluctant to expose the sensitive information while sharing their own traffic information.
The group key agreement (GKA) provides a secure channel for the vehicles communication.GKA protocol [2] allows a group of participants to establish a common session key for a secure communication channel over an insecure network by agreement.However, key agreement without authentication incurs man-in-middle attack.In order to handle this problem, the authentication is necessary.However, authentication binds the identity, which causes the privacy leakage.In many cases, the participants do not want the third party to know their involvements in some key agreements.In other words, they want to have the capacity to deny that they have ever participated in some sessions after the key agreement execution.Hence, the deniable GKA (DGKA) protocol was presented by introducing deniability into GKA protocol.Bohli and Steinwandt first formalized the DGKA protocol in [3].In the DGKA protocol, it is not feasible to convince a third party that these participants in a group key agreement session have been involved in the conversation from the communication transcript.In other words, each participant can deny its involvement to the third party.

Related Work.
The deniability is formalized by introducing a simulator that can simulate the conversation transcript 2 Wireless Communications and Mobile Computing without secrets.Therefore, the participants can deny this as someone else would produce this indistinguishable conversation transcript.If this simulator can be run by anyone, it is denoted by the full deniability.Deniable authentication was first introduced by Dolev et al. in [4] and formally studied by Dwork et al. in [5].The general technique to realize the deniable authentication is that the sender uses its secret (i.e., the private key) to generate a value V  .If the receiver produces a value V  which equals V  by using a related witness, the receiver is convinced of the sender's authentication.In order to simulate the transcript (for the deniability), this witness has to be revoked.Thus, the early works such as [5,6] require more rounds to revoke the witness upon the receipt of the committed V  (i.e., COM(V  )).In this way, the simulator run by anyone can extract this witness to simulate the transcript by rewinding steps.However, the deniability does not hold in the concurrent scenario due to the rewinding.Therefore, the timing assumption is necessary to be considered to realize concurrent deniability, such as [5,6].
However, the timing assumption is farfetched for the Internet which is a fully concurrent environment.Some related works have to handle this problem by avoiding rewinding.Di Raimondo et al. [7] showed that the plaintextawareness [8] of the underlying encryption can extract the witness for the simulation without rewinding steps.Jiang's work [9] depends on the public random oracle to extract the witness and therefore the rewinding steps are not necessary.Yao and Zhao [10,11] proposed the deniable Internet key exchange based on the knowledge of exponent assumption (KEA).By the KEA assumption, the witness can be extracted and the transcripts are perfectly simulated.Tian et al. [12] made use of the selectively unforgeable but existentially forgeable signature to simulate the transcript.Zeng et al. [13] presented a multireceiver encryption under KEA assumption and used it as a building block to propose a concurrently deniable ring authentication.Jiang [14] made use of a moderate encryption to avoid rewinding to construct the concurrently deniable key exchange.These approaches achieve the deniability without rewinding steps; thus the simulation even in the concurrent scenario is normal.However, as we see above, these works suffer the limitations such as the strong assumptions, inefficiency, or random oracles.
Deniable authentication has been applied to many occasions nowadays [13,15,16] and was first introduced into the two-party key exchange protocol [17] in [18].Mao and Paterson [18] informally defined the deniable key exchange (DKE) protocol and obtained its deniability by using identitybased techniques.Later, how to use the approach in [19] to design a DKE protocol was discussed and a concrete approach was proposed in [20], where the technique based on the public information was used to derive a symmetric key for authentication.Following this work, a series of DKE protocols were proposed in [10,21,22].
When a two-party DKE protocol is extended to a group setting, there may be some troubles [23,24].If there exists malicious insiders, the use of a common symmetric key for deniable authentication is infeasible as the malicious participants may impersonate other participants [3].A solution provided in [3] is to make use of Schnorr's zero-knowledge identification scheme [25].This approach needs 4 rounds to complete the establishment of session key and its efficiency was improved by Zhang et al. [26], which reduced the communication round to 3. Some approaches [27][28][29] transform the passively secure group key establishment to an actively secure one by adding one more round and the deniability was achieved as well.
DGKA protocols can be applied to VANETs to provide the security and privacy protection for vehicles.In recent years, wireless networks (WN) have achieved rapid development [30], and their security issues have been extensively studied [31][32][33].As a kind of WN, the security of VANETs should be taken seriously due to the high risk.Some related schemes for secure communication in VANETs have been presented [34][35][36].Huang et al. [35] proposed a communication scheme based on GKA protocol that the roadside unit generated session key for adjacent vehicles in batches.This scheme could effectively reduce the cost of computation and communication.In [36], a representative selected from the adjacent vehicles was arranged to communicate with the roadside unit, thus making that the security of other vehicles guaranteed.Nevertheless, the public verification in these works leaks the privacy of vehicles.Hence, the deniable group key agreement is necessary to apply to privacy-preserving communication for VANETs.

Contribution.
We focus on the full deniability of the authenticated group key agreement.We provide a generic transformation from unauthenticated GKA to DGKA without increasing any additional communication rounds.Moreover, our deniability does not require rewinding steps; thus it holds even in the concurrent environment such as Internet.We also do not depend on any strong assumptions to reach the full deniability.The contribution of this work is as follows.
(1) We present a generic transformation from an unauthenticated GKA (named as DB protocol [37]) to a deniable (authenticated) GKA.The existing works achieve the full deniability by the rewinding steps, KEA assumption (which is strong), or the public random oracles.It results in inefficiency or insecurity (strong assumption).Our approach does not resort to these ways.We do not require that the underlying primitive is PA secure and the random oracles are not necessary.
(2) Our work achieves the concurrent deniability without timing constraint.In concurrent setting, the adversary can open and schedule sessions arbitrarily.Indeed, our simulation does not require extracting the witness by rewinding steps.Thus, the concurrent session attack (i.e., adversaries schedule the executions or delay messages in arbitrary ways) does not work in our scheme.
have to increase the additional rounds to obtain the deniability.
(4) We also design a privacy-preserving communication protocol for VANETs using the proposed DGKA protocol.In this communication protocol, the vehicles share their information without leaking any identity privacy and without leaving any evidence in the transcript of authentication.
Organization.This paper is organized as follows.Section 2 introduces some preliminaries which are the building blocks in our protocol.Section 3 describes the adversarial model and related security definitions of the DGKA.We propose an efficient DGKA protocol with 2 rounds in Section 4. The security of DGKA protocol is proven and the performance is analyzed in Section 5. We design a privacy-preserving protocol for VANETs in Section 6. Section 7 concludes this work.

Preliminaries
We show the notations and introduce the building blocks in this section.

Notations.
The notations used in this paper are listed in Notations in DGKA Protocol.

DB-GKA Protocol.
Our deniable group key agreement (DGKA) protocol is developed on the basis of Dutta-Barua (DB) GKA protocol [37], which is a 2-round unauthenticated GKA protocol.It is a variant of [38].We now review the original DB-GKA protocol [37].Each participant   chooses   as its short-term private key, computes   =    , and broadcasts   in the first round.In Round 2, upon the receipt of messages ( −1 ,  +1 ),   computes   = ( −1 ,  +1 ) and broadcasts it.Finally, each   generates the common session key sk with the received   and its secret   .The concrete DB-GKA protocol is presented in Algorithm 1.The security of DB-GKA protocol has been proven in [37].

Ring
Signature with 2 Members.Our deniable group key agreement protocol provides the deniability based on the ring signature with 2 members.Now we introduce the syntax and the security properties of the ring signature with 2 members.The ring signature scheme was used to sign a message privately.Given a valid ring signature  with respect to a message  and a set of public keys PK = {PK 1 , . . ., PK  }, any verifier cannot decide which member in set PK is the actual signer.
We consider the ring signature with  members where  = 2.The syntax of the ring signature is as follows.
(1) A probabilistic key generation algorithm KGen: given the security parameter , output the key pair  and the public keys are authenticated and can be accessed by any member.The DGKA protocol may be executed among any subsets of U at any time.At the end of this execution, the common session key is built.Each participant is convinced of the identity of his partners.In addition, all of them can also deny the involvement in this conversation of this session.

Security Model.
We formalize the underlying adversarial behaviors in this subsection.
(i) Execute(pid Communicational Networks.We assume that our protocol is executed in the broadcasting channel; thus the adversaries can arbitrarily eavesdrop, delay, modify, and insert any message.
A secure DGKA protocol should satisfy the correctness, deniability, authentication, and secrecy.
Correctness.This property states that the protocol will establish a session key without adversarial interference.The DGKA protocol is said to be correct if for any pair of instances  Deniability.This deniability states that the adversary cannot convince anyone that the honest participants have indeed joined in some sessions.Let A  be the adversary that violates the deniability.We use the simulation paradigm to formally define the deniability.We construct a simulator S that is a probabilistic polynomial time (PPT) Turing machine.The simulator S can answer all queries from the adversary A  , and its inputs only involve the public information and the long-term private keys of the corrupted participants.Let View S denote the outputs of the adversary A  after interacting with the simulator S. Let View R denote the outputs of the adversary A  in the real world.The protocol is said to be deniable if, for any PPT adversary A  and the distinguisher D with unbounded computation, there exists a simulator S, such that |Pr[D(View Authentication.The authentication of the protocol guarantees that the received messages of the participants come from the intended participants.If an adversary A  that may even be a malicious insider can impersonate an uncorrupted participant   and succeed to accomplish the protocol, then we say the adversary violates the authentication of DGKA protocol.We use Forge to denote the event that the adversary succeeds in cheating the honest participants.The protocol is said to be authenticated if Pr[Forge] ≈ negl() for any PPT adversary.
Secrecy.The secrecy of the protocol states that the session key is known only to participants but is random to outsiders.Formally, let A be the adversary that violates the secrecy and Succ A denote the success of A in the Test query, who decides the session key from a random value successfully.We say the protocol meets the secrecy if Pr[Succ A ] ≈ 1/2 + negl().

Our Deniable Group Key Agreement Protocol
We construct the deniable GKA protocol based on Dutta-Barua (DB) GKA protocol [37], which is elaborated in Section 2. Our DGKA protocol achieves the deniable authentication by employing a ring signature with 2 members.We first give the high level description of our DGKA protocol.= Ŷ +(−1) .If it is true, continue; Otherwise, abort.
(3) Generate the session key sk = Ŷ Algorithm 2: Our deniable group key agreement protocol.
Considering a ring signature scheme with two members: a real participant and a logic entity.In the first round, each participant follows DB-GKA protocol to generate   .Besides that, each one also produces another group element   .The product of each   is viewed as the public key of the logic entity.Therefore, in the second round, each participant gathers all   to result .Then each one uses its own public key PK  and the logic public key  to form a ring to generate a ring signature on the message ( 1 , . . .,   ,   ) with its signing key SK  .The corresponding private key of the logic public key  is unknown to any participant and the third party.Thus, a valid ring signature implies that the authentication to ( 1 , . . .,   ,   ) can be completed only by the participant   .The authentication is achieved.On the other hand, the simulator can simulate the value  by its random choice of the exponent  to get  =   .Then, the simulator produces a ring signature   = RSig(, (PK  , ); ) with the "private key" of .By the unconditional anonymity property of the ring signature, the two distributions of  = RSig(, (PK  , ); SK  ) and   = RSig(, (PK  , ); ) are statistic, identical, where the former one is the real transcription.Therefore, the simulation is perfect and the deniability is achieved.Since the rewinding steps are not necessary in the simulation, the deniability can also hold in the concurrent setting.We give a detailed description of our protocol in Algorithm 2.
Remark 1.The ring signature is with 2 members.One is the participant   , and the other one is a logic entity whose public key is  = ∏  =1   .Obviously, the private key of  is  = ∑  =1   and it is unknown to anybody.In the real conversation,   uses its private key SK  to generate the ring signature .Since  is only bounded to 2 public keys and one of the public key is logic with unknown secret, the partner can be convinced of   's signing.The authentication is completed.Meanwhile, in the simulation, the simulator simulates  (as no secret value is required) to produce the ring signature.
Obviously, this simulation is perfect without any rewinding steps; concurrent deniability is realized.

Security and Performance
In this section, we analyze the security and performance of our protocol.Since the verification of correctness of our protocol is straightforward, in what follows we will prove that our protocol meets the other three properties: deniability, authentication, and secrecy, which have been presented in the security model.Then we give the performance comparisons of the related deniable key agreements regarding the communication round and the deniability.

Security
5.1.1.Deniability.This property states that all the participants can deny the fact that they have joined in the generation of the session key.We use the simulation fashion to prove that our protocol satisfies the deniability.That is, if a simulator without any participant's secret can simulate the transcript and the simulated transcript is indistinguishable from the real one, then we say the deniability is proven.Formal proof is presented as follows.
Theorem 2. The DGKA protocol is concurrently deniable if the underlying ring signature is secure.
Proof.In order to prove our protocol satisfying the deniability, we have to show the real view and the simulated view are indistinguishable.Formally, we construct a simulator S, whose inputs involve the public information and the longterm private keys of the corrupted participants.A  is an adversary that violates the deniability of the protocol.Use View R to denote the view of A  in the real conversation and View S to denote the view of A  in the simulated setting performed by S. We show that any distinguisher D

A Privacy-Preserving Communication Protocol for VANETs
In this section, we design a privacy-preserving communication protocol for VANETs by using the proposed deniable group key agreement protocol.Our protocol guarantees the secure communication between vehicles and vehicles and vehicles and roadside unit.VANETs are composed of Trusted Authority (TA), roadside unit (RSU, which is the infrastructure), and On-board Units (OBUs, with which vehicles are equipped).Our security model for privacy-preserving VANETs is as follows.
(i) Authentication: in the VANETs environment, RSU and OBUs should ensure that only legitimate (certificated by TA) vehicles can join this networks.Similarly, RSU should be also authenticated by vehicles in order to prevent pseudo base stations.(ii) Anonymity: OBUs receive the information without knowing the sender identity, but only to confirm that this message is from an authenticated group.(iii) Privacy: the conversations among the OBUs do not leave any paper trail.This "off-the-record" property prevents the shared information from being maliciously used.(iv) Secrecy: during the process of communication, the sent messages are only known to receivers but are random to any third parties.
Our privacy-preserving communication protocol for VANETs is mainly divided into three steps.The first step is to initialize a group of VANETs.Then, OBUs and RSU in this group authenticate mutually to generate a session key.Finally, they communicate with each other with this session key under an authenticated and privacy-preserving environment.

Initialization
Step.The members of a group of VANETs are decided.
(i)   randomly chooses id as the session ID and forms a group R by using its public key PK 0 and the public keys of adjacent vehicles {PK  }.Finally, broadcast message  init = id ‖ R.

Authentication
Step.The identities of members are authenticated.
(  By employing the proposed DGKA protocol, each receiver can identify the source of the received information without knowing the actual sender by using the session key sk.Moreover, this session key sk can be simulated by anyone; the vehicles involved in the above communication can deny this.There is no paper trail; thus the vehicle privacy is protected.

Conclusions
This paper presents a 2-round fully deniable group key agreement protocol.We provide a novel approach to transfer an unauthenticated GKA to a deniable GKA without increasing round.The transcript simulation does not require the rewinding steps; thus our deniability also holds even in the concurrent setting.We also design a privacy-preserving communication protocol for VANETs using the proposed DGKA protocol.
2) A probabilistic ring signing algorithm RSig: given a message , two public keys (PK 1 , PK 2 ), and a private (signing) key of   ( ∈ {1, 2}), output the ring signature .That is,  ← RSig(, (PK 1 , PK 2 ); SK  ).(3)A deterministic verification algorithm RVer: given the ring signature , the message , and the two public keys (PK 1 , PK 2 ), determine whether  is valid with respect to (, PK 1 , PK 2 ).That is, check 1 ?= RVer(, denote the set of  potential participants who would like to build a common session key to communicate securely.Each participant   ∈ U has a private/public key pair (SK  , PK  ) 3.1.Syntax.The syntax of the deniable group key agreement (DGKA) protocol is as follows.Let U = { 1 , . . .,   } ): this query models the passive attacks in which the adversary can only eavesdrop the execution of protocol among the participants in pid    and outputs the transcript of the session sid    .The transcript consists of the messages that are exchanged during the honest execution of the protocol.(ii) Send(, ,   , ): this query models the active attacks which the adversary can arbitrarily eavesdrop, delay, modify, and insert on any message .The output of this query is the reply generated by instance    ): if instance    ): the query is allowed only once.The queried instance  Response: the adversary outputs a guess bit   .We say that the adversary wins the game if   = .Let Succ A denote the event that the adversary wins the game and Adv A denote the advantage of the adversary by Adv A = |Pr[Succ A ] − 1/2|. .

Table 1 :
Comparisons of deniable key agreement protocols.

Table 1 .
i) Round 1 (OBUs and RSU).Choose   ,   , and compute   =    ,   =    .Broadcast message  1 auth = id ‖ PK  ‖   ‖   .(ii) Round 2 (OBUs and RSU).Compute   and   as the proposed DGKA protocol (described in Algorithm 2).Broadcast message  2 auth = id ‖   ‖   .(iii) Key Generation (OBUs and RSU).Authenticate the identities of other members and get the session key sk as in Algorithm 2. Communication Step.With this session key sk, all the members in this group R can communicate securely.There are two cases in this step, including broadcast from   or   to all members and communication from   to   ,   to   , or   to   .
generator of group    : Theth participant PK  :   's public key SK  :   's private key     : Asessionof  called an instance-a participant may have many instances and denotes the instance   of   as