A Security Scheme of 5 G Ultradense Network Based on the Implicit Certificate

The ultradense network (UDN) is one of themost promising technologies in the fifth generation (5G) to address the network system capacity issue. It can enhance spatial reuse through the flexible, intensive deployment of small base stations. A universal 5G UDN architecture is necessary to realize the autonomous and dynamic deployment of small base stations. However, the security of the 5G UDN is still in its infancy, and the data communication security among the network entities is facing new challenges. In this paper, we proposed a new security based on implicit certificate (IC) scheme; the scheme solves the security problem among the access points (APs) in a dynamic APs group (APG) and between the AP and user equipment (UE).We present each phase regarding how two network entities obtain the Elliptic Curve Qu-Vanstone (ECQV) implicit certificate scheme, verify each other’s identity, and share keys in an UDN. Finally, we extensively analyze our lightweight security communication model in terms of security and performance. The simulation on network bandwidth evaluation is also conducted to prove the efficiency of the solution.


Introduction
In the 5G, data traffic will experience explosive growth in the years to come.The use of wireless physical layer technologies (e.g., coding technology, modulation technology, and multiple access technology) can only increase spectrum efficiency by about 10 times and the wider bandwidth can only improve the transmission efficiency by dozens of times.This is far from meeting the 5G demand.However, through the deployment of dense base stations, the spectrum efficiency caused by reducing the cell coverage radius can be increased by more than 2700 times [1].Obviously, the application of dense small base stations with the narrow coverage in the heterogeneous network can remarkably improve the system capacity.In order to enhance up the system capacity of regional hotspot hundreds of times, the small bases network deployment needs to be more flexible and the frequency reuse needs to be more efficient.Therefore, the ultradense network (UDN) is proposed and has attracted wide attention [2].
The UDN is considered to be one of the most effective solutions to improve wireless system capacity.It decreases the distance between the user equipment (UE) and the network entities and greatly improves the spectrum efficiency.Meanwhile, the UDN has been identified as a constituent of future 5G core technologies by the IMT-2020 expert group [3].With various small base stations acting as access points (APs), the intersite distance (ISD) decreases as the network entities' density increases.The AP of 5G is different from the traditional macro station.Traditional macro stations are regularly deployed by operators, while AP deployment may be irregular or even deployed by users.Pseudo or malicious AP will threaten 5G system security.What is more, the APs are not just an air network link; they will cooperate with each other to serve user in UDN.In the air transmission of UDN, the unprotected data among the APs is easy to intercept.Therefore, the mutual authentication and the secure data communication among the dense APs, including the keys for the sessions, will face new challenges.
As the wireless access network of the 5G, the UDN adopts a different deployment plan that focuses on the new requirement of "network follows user" and supports higher date transmission rates and multiple services.This must fully 2 Wireless Communications and Mobile Computing support the organization and access security of dense APs in a heterogeneous environment and also support the seamless connectivity of the user-to-AP, AP-to-AP, and machine-tomachine communications.Therefore, the UDN faces more extensive and complex security threats than traditional wireless systems.However, the security research of the 5G UDN is still in an initial stage, especially the data communication security among the network entities.
In this paper, we propose a new security scheme based on implicit certificate (IC) to solve the security issues among the dense deployment access points (APs) in a dynamic APs group (APG) and between the AP and user equipment (UE).As a new variant of the public key certificate, the novel IC is more efficient in computing and bandwidth allocation, and it requires no peer information before a secure data communication session [4].The IC has been widely applied to the efficient authentication of resourceconstrained Internet of Things (IoT) systems in the literature [5,6].Meanwhile, based on the IC, [7] proposed an effective public key infrastructure for the Vehicle-to-Grid Network.After in-depth research, we believe that the principle based on the IC is suitable for providing a security solution for the UDN.
A new lightweight security scheme for secure data communications is presented in this paper.We provide the specific implementation solutions for the security application scenes in the UDN.Meanwhile, the security scheme is analyzed, and the simulation of the network bandwidth evaluation is conducted to prove the efficiency of the solution.Specifically, the scheme focuses on solving the following three subissues: (i) How to generate the IC and private key (ii) How to implement the mutual authentication based on the IC among the network entities (iii) How to implement the lightweight secure communication with a shared key based on the IC The main contributions of our proposed scheme are summarized as follows: (i) In our solution, the reconstructed private key that would be instantaneously generated based on the IC could solve the key security issues in actual operations.(ii) We propose an innovative scheme to solve the security issues of data communications by using shared key encryption based on the IC.
(iii) Our innovative authentication and key agreement method based on the IC is lightweight, efficient, and less resource-consuming.
The rest of the paper is organized as follows.In Section 2, the security challenges in the 5G UDN architecture are analyzed.The implicit certificate and relevant background knowledge are presented in Section 3. The design of the security solution based on the IC and the implementation processes are described in Section 4.Then, the security analysis and performance evaluation are presented in Section 5.The final conclusions are drawn in Section 6.

Implicit Certificate and Related Work
Compared with the traditional digital certificate based on the public key infrastructure (PKI) [8,9], the implicit certificate (IC) [10] has significant advantages.
The traditional digital certificate (the explicit certificate) is a fixed structure that binds the public key (expressed as P) with the identity (expressed as I) that has an attached signature (expressed as Sig) that can be expressed as a triple (I, P, and Sig) [11,12].Different from the traditional certificate, the IC is composed of an identity element (still expressed as I) and reconfigurable key data (also expressed as P).P can reconstruct the public key of the identity entity together with the public key of the certificate authority (CA) [13].Then, the IC could be expressed as a two-tuple (identity element and reconstructed key data) such as (I, P).Traditional authentication uses the RSA (Rivest-Shamir-Adleman algorithm) [14], the ECDSA (Elliptic Curve Digital Signature Algorithm), and other solutions to conduct the signature process, while the typical implicit authentication adopts the ECQV (Elliptic Curve Qu-Vanstone) solution [15].
(A) Smaller Size and Less Bandwidth Occupation.The IC can reduce the bandwidth occupation in the transmission process.Therefore, it is quite suitable for mobile communications, the Internet of Things (IoT), and other resourceconstrained environments.Table 1 shows that the traditional digital certificate (such as the RSA) requires more bandwidth than the IC that uses the lightweight Elliptic Curves Cryptography (ECC) cryptosystem [16,17].For example, when the security level in a practical application is 112 bits, the IC size is merely 225 bits, which is 43% of the ECDSA certificate (673 bits) and 5.5% of the RSA certificate (4096 bits).(B) Higher Speed and Less Resource Consumption.The IC takes the reconstructed public key as a substitute for the signature authentication process.It requires less computing resources compared to a traditional certificate.In addition, some handlers can be integrated into a parallel process with subsequent communication protocols.This may further reduce the computing time and improve efficiency.
In the implicit certificate, there is no signature process instead of the reconstructed public key.The computing work of the reconstructed public key is very small.Then, the implicit certificate is faster than the traditional certificate, consumes fewer resources, and also has better security [18].For example, when a user's cell phone is stolen, then his private key will also be lost.In the traditional certificate, users need to apply for his certificate revocation to CA.The traditional certificate revocation is to publish the certificate revocation list (CRL) periodically.In large-scale network environment, the CRL is usually large.Because of the periodicity of CRL, the user certificate revocation will be delayed certainly.Thus, the user data security will be threatened.However, the implicit certificate is different.The user's private key corresponds to a short-term lightweight implicit certificate [19].It does not need to be revoked.And it can be issued quickly and temporarily.In this way, the user's data communication will be more secure.Therefore, the implicit certificate shows stronger advantages than the traditional certificate.For example, ECQV based on implicit certificate has been successfully applied to the field of ZigBee wireless communication.It can be predicted that the implicit certificate can be more widely applied to mutual authentication and secure communication among the network entities in 5G system.

UDN Architecture and Security Challenges
3.1.Ultradense Network Architecture.The typical application scenarios of the UDN include office districts, intensive residential areas, high-density blocks, campuses, large gatherings, stadiums, subways, and apartments [20].The above scenarios require the network to be deployed with adequate flexibility, efficiency, intelligence, and integration abilities.According to practical application demands, different UDN architectures are designed using various organizations of different base stations.
One type of UDN is based on the static virtual cell, which is composed of multiple access points in the area to form a "large" static cell and can provide users a similar coverage to that of the macro base station service experience with a unified identity and common services [21].
Another type of UDN is the user-centric UDN (UUDN) [22,23], which has a local control center coordinated with the user, and the virtual adjoined cell is defined based on the unit of a single user.A typical UDN/UUDN architecture is shown in Figure 1.In the UUDN, the system organizes a dynamic APs group (APG) that depends on each UE's situation.It provides unaware and seamless service to the user through dynamic refreshing of the APG as an invisible network coverage accompanying user movement.

Security Challenges in UDN.
The 5G network confronts more extensive and complex security threats compared to current 3G and 4G networks.It includes the traditional security threats in the mobility of multiple UEs and the openness of the wireless channel.Moreover, it also includes new security threats from the enhanced functionality in multiple use patterns, the integration between diversified heterogeneous wireless networks, the open network infrastructure based on the IP framework, and the enriched business bearer with different trust-ratings [24].
The security problems of data communication in the UDN could be summarized as follows.
(C) Access Authentication Security for UE to UDN.To ensure access security, network access authentication is required for the UE to connect with the 5G network.Different from that of the 3G and 4G networks with traditional macro base station coverage, the security threat of UDN cannot be fully avoided by solely depending on traditional authentication and key agreements (AKAs) [25,26].For example, the network entities of the UDN in the flexible deployment environment (such as user self-deployed AP or an uncontrolled deployment environment) can be hijacked.Therefore, the security of UE authentication shall be strengthened.
The UE delivers an initial access request.Then, the AP receives the request and transmits it to the local network system.In accordance with the request's context, the local network system requests that the core network system provide the corresponding network layer authentication vector and response.Then, on the basis of the received network layer security parameter, the local network system initiates the network layer's mutual authentication process with the UE (similar to the 4G EPS-AKA process).When the network layer mutual authentication of the UE is finished, a static virtual cell or an APG is allocated to the UE by the UDN.At this time, the local network system generates network access authentication vectors to the UDN control layer based on the request parameter submitted from the UE.It conducts the access layer (a specific virtual cell or APG) mutual authentication process on the UE.When the mutual authentication processes toward both the network layer and the access layer are finished by the UE, the security access is accomplished.
(D) Communication Security among APs/APG.The UDN is composed of densely deployed APs.The APs are connected and organically organized depending on different technical framework demands, such as a unified static virtual cell or an APG.Regardless of the AP organization, the UDN must realize the access service of the UE while maintaining a highquality user experience.Therefore, the influential factors should be eliminated in the UDN, such as the cochannel interference, shared spectrum interference, interference between multiple coverage layers and frequent network handover caused by the density increase, or the distance decrease between base stations [27].
To protect the APs from various security threats caused by other APs (e.g., illegal APs or malicious APs) and build a secure UDN environment, a solution for secure data communications between APs is necessary and very important.Furthermore, because of the limited capability and small coverage of APs different from the traditional macro base station in 3G and 4G networks, the security of data communication faces new challenges.

(E) Communication Security between UE and AP/APG.
With the intelligent development of the UE, network data transportation is getting flatter.Several new trends have emerged in the 5G network architecture, including the localized flat, heterogeneous coordination of macro and small base stations, and submerging business functions.APs and APG are more than a network access.Depending on the difference in the APs and APG functional requirement, they can realize data transportation, data control, or both.The APs or APG becomes the key network entity when the UE accesses the 5G system and Internet.If the relevant registration data suffers security attacks, the security of user traffic also encounters risks.Therefore, the data communication security between users and APs (or APGs) is another security challenge for the 5G UDN.
Based on this analysis, the security requirements of data communication in the UDN include the following: From the above requirements, a new certificate and key agreement mechanism are required to establish a secure connection for each pair of entities.Therefore, we propose a new security scheme based on the IC to implement the lightweight data communication between various entities.

UDN Security Solution
The data communication among network entities can be described as follows.It is based on the digital certificate and entity-to-entity security data communication model with the participation of the local service center.The entity can be AP or UE.The local service center (LSC) could run within CA functions.

Security Model and Notations. Data communication
among the network entities is temporary and random, such as when an AP dynamically joins or leaves an APG and when the UE temporarily accesses the APG or other network entities.Therefore, using the IC in temporary key generation is a more convenient and efficient solution to achieve a secure data communication session than the prefixed key distribution.Based on the reconstructed public key and private key, trusted authentication management and shared key generation can be implemented through the implicit certificate from the CA.Then, secure data communication sessions can be implemented by using the shared key computed by the network entities' participants.
Under a CA domain, there are three phases among communication entities.In Phase 1, the CA issues an IC to the requesting entity, which is called the phase of IC generation.In Phase 2, entities conduct mutual certification based on the IC, which is called the phase of mutual identity authentication.In Phase 3, entities exchange data based on shared keys, which is called the phase of shared key generation and data communication.The security data communication model based on the IC is shown in Figure 2.
We assume that the basic configuration has been uniformly predeployed at the initialization phase, including the elliptic curve (EC) parameters, the authentication key , the public key  CA of the CA, and the unique user identity label I.The CA can verify the identity and validity of the network entities in order to decide whether they belong to its CA domain.The IC is an ECQV certificate in our solution.The network entities can directly transmit data or forward them through other entities (via single hop or several hops).Any entity can destroy the public key or identity I (or put it on the blacklist) according to the control demand of the LSC.
The notations used in this paper are defined in "Notations."The EC parameters are denoted using , , , , and . is a prime defined on the finite field . and  are coefficients of the EC curve:  2 =  3 +  + , where 4 3 + 27 2 ̸ = 0. Another prime  is the base point generator of the EC with order .

Security Algorithm Solution.
To establish a secure data communication session among the network entities, the security solution based on the IC can be implemented in four phases.
Phase 1 (implicit certificate generation).Before establishing the secure data communication, the entities should launch an IC request to the CA.For example, a new AP (denoted as Ent ) attempts to join the APG, where another entity (denoted as Ent ) is registered.The entity Ent  must communicate with the entity Ent  and exchange essential information.Then, Ent  sends an IC request message.
The entity Ent  with a unique identity ID  generates a random number   and computes   =   * .Concurrently, to avoid a replay attack, Ent  produces a cryptographic random number   and computes HMAC[,   ||   || ID  ].Then, Ent  sends   ,   , and ID  as well as the value of HMAC to the CA.The HMAC is a keyed-hash message authentication code algorithm in cryptography.

Entity (U)
Certificate Authority (CA) Calculate: Check validity of U Private key of CA: d ＃！ , Public key of CA: Figure 3: The generation process of the implicit certificate.
After the request is received, the CA (private key is  CA , public key is  CA , and  CA =  CA * ) verifies the identity ID  and corresponding HMAC of Ent .If the validation is confirmed, a random number  CA ∈ [1,  − 1] will be generated.The CA begins to compute the following: (i) The reconstructed data of the public key: Cert  =   +  CA * .
(ii) The encrypted certificate with the entity's identity: Ent  then verifies the message received from the CA.If the verification is confirmed, Ent  computes the following keys using the reconstruction data: Ent  private key (pKey):   =  *   + (mod ) Ent  public key (PKey):   =  * Cert  +  CA At this point, entity Ent  has its own public key and private key pair (  ,   ) securely through the IC generation process.Similarly, other entities can apply for their respective ICs and the pairwise key, which is shown in Figure 3.

Phase 2 (mutual authentication between Ent 𝑈 and Ent 𝑉).
Similarly, the private key (pKey)   =  *   + (mod ) and public key (PKey)   =  * Cert  +  CA of entity Ent  can be easily obtained.Since the reconstructed data are publicly transmitted over the network in the UDN, other entities can be easily obtained.
Therefore, as long as the entity IC and its identity ID  are known, it is easy to compute the entity's public key.Of course, the CA computes the IC and therefore obviously owns  the public keys of all network entities.Any network entity can obtain the other entity's PKey from the CA, but it cannot obtain the pKey owned and computed by others.
The PKey of the entity Ent  generated in Phase 1 can be verified by the CA.In other words, the identity of entity Ent  can be verified by the CA using the following formulas: The verification of Ent  can also be similarly conducted.In the UDN, a mutual challenge-response among the APs can be processed using the verification formula method.
Phase 3 (shared key generation between Ent  and Ent ).After the identities are confirmed, the entities can agree with the shared key for the communication session to guarantee the confidentiality of data transmission.The sender has to encrypt the data before transmission, while the receiver has to decrypt the data.Accordingly, both of the communication partners must have the same key, namely, the "shared" key (sKey), in this paper.However, since any data with the shared key can be intercepted and have high risk, it is impossible to transmit the key as plaintext in the network.Furthermore, each communication session is temporary and uncertain.The dynamic sessions require the key to be continuously refreshed and updated.It is difficult to preload different encryption keys for each communication session in the actual operator.
Fortunately, we discovered a lightweight scheme based on the IC to solve the issues mentioned above.The shared keys known only by both of the communication partners can be instantly generated through the authentication and key agreement protocol based on the IC (AKA-IC).Moreover, the shared key is locally generated and does not need to be transferred in the network.The new generation mechanism is shown in Figure 4.
From Phases 1 and 2, we know that the parameters of Cert  , ID  ,   , and HMAC[, Cert  ||   || ID  ] can be generated and sent to Ent (  ,   ) from Ent (  ,   ).
After entity Ent  receives the message from Ent , it verifies the identity ID  and HMAC.First, the public key   of Ent  can be computed by Ent .Then, Ent  locally computes out the "shared" key sKey =   using its private key pKey   : Similarly, the partner Ent  locally computes the "shared" key sKey =   at the same time: The equation can be derived as follows: Proof is finished.
The above equation of   =   = sKey shows that the keys temporarily generated by two entities separately are the same, and they can realize secure data communications using the "shared" key sKey.
Phase 4 (secure communication between Ent  and Ent ).When Ent  and Ent  have their own pairwise key, the two entities can generate the shared key for their communication sessions.Ent  encrypts the data that need to be protected by the shared key and sends them to Ent .After the encrypted data are received, Ent  securely decrypts them.Then, the two entities enter into a secure interaction phase until the session ends.

Security Analysis and Performance Evaluation
Focusing on the sensing characteristics of randomly deployed MSNs, we analyzed the coverage redundancy problem for the MSNs, where the sensing ranges satisfy the normal distribution.

Security Analysis
(A) Security of Key Generation.The core of asymmetric cryptography security is the public/private key pair, especially the user's private key.In our solution, the CA generates the user's private key data that can reconstruct the IC using its trusted private key.Then, the reconstructed key data can be locally recomputed.Then, the actual user's private key is generated.The user's private key is locally generated and is not plaintext transmitted in the network.Thus, the security of the user's private key generation is ensured.
(B) Data Confidentiality in Transmission.In our solution, when network entities need to transmit data, both of the communication entities use their private/public key pairs to generate a shared key at their respective locations.The sender encrypts the data using the shared key and sends them to the opposite side.The receiver uses the agreed algorithm to generate the same key to decrypt the data.Thus, the confidentiality of data transmission between the communication entities is guaranteed.
(C) Antireplay Attack.In the process of the shared key generation, the antireplay attack factor NUNV (or timestamp) is added during each computation.If the current interactive data are intercepted and returned to the receiver, the receiver will identify and refuse to receive them.Each communication session has a different encryption key.Moreover, in order to ensure the freshness of shared keys, the secret number increases in the process.It can effectively reduce the shared key's break probability and ensure that the shared key cannot be temporarily reused in the transmission.
(D) Mutual Authentication.In our algorithm, both sides of the communication network's entities have to pass the authentication before they interact with each other.Before the sender delivers the data (such as random numbers and identities), the data must be signed with a digital signature using the sender's private key.When the receiver obtains the signed data, it will use the sender's public key to verify the data.Furthermore, the sender's public key is computed based on the reconstructed public key data.If the validation is correct, then the sender's identity is legal.Similarly, when the receiver sends a reply message, the reply vector data including the identity will also be signed.The opposite side conducts the same legal validation to the vector data.If both sides pass the opposite verification, mutual authentication is complete.
(E) Nonrepudiation.In the algorithm process, both of the communication entities sign the messages using the sender's private key.The source of the data can be identified through the signature, since only the owner of the private key can generate the signature.The receiver simply uses the sender's public key to verify the source of the message.Since the sender's private key is only known by the sender himself/herself, it can effectively prevent the middleman attack and ensure that the sender cannot deny the delivered messages.
(F) Anti-Denial-of-Service Attack.In our scheme, the CA verifies the identity based on the inspection mechanism.
According to the registration information in the database, the CA starts with identity check, including blacklists.The CA will directly reject the unregistered or blacklisted user's application for implicit certificates.Therefore, the Denialof-Service attacks from some malicious network entities are resisted in the UDN.

Performance Evaluation.
In the practical application environment of the UDN, there are convenient deployment sites for small stations, such as large squares, and they may be limited by topography, such as blocks, stations, and other small stations that are irregularly deployed.Therefore, there are two deployment modes in our simulation: random deployment and regular deployment.To get closer to the Considering that the virtual cell is the direction of the future 5G network, the virtual cell is applied in the simulation scenario.The macro station functions as a control plane service entity, and the APs are the user-plane service entities.Since the service entity is dynamically selected when the UE moves among the APs, the best AP should be chosen by the UE to reduce the connection failure rate and improve the throughput.When the dynamic service AP is selected, for L2 (layer two), the service AP delay is changed to 5 ms.When L1 (layer one) is centralized (to similar RRH), the service AP delay is changed to 0 ms.In crowded scenes, users move relatively slowly.Therefore, we select three low-speed scenes: 3 km/h (on foot), 30 km/h (by bike), and 60 km/h (by car).The handover of the UE among the APs is simulated, as shown in Table 2.
In the simulated scene, when the moving UE accesses APs, the handover frequency is equivalent to the frequency of the communication session's establishment.All data communication sessions need different protection keys.The data protected with a traditional symmetric key method (such as LTE encryption algorithm 128-EEA3) and the key storage space requested for data communication can be calculated by formula (5): For instance, the UE continues moving for 30 minutes with the respective speeds of 3 km/h, 30 km/h, and 60 km/h according to Table 2.The required storage capacity can be calculated using the formula above.The results are shown as follows (assuming the SIM card capacity is 32 kB):   However, in our solution for secure data communication, the pairwise key that includes the public key and private key is a one-off generation using the restructured parameters.The pairwise key should be saved by the network entities, while the shared keys are instantaneously calculated.The shared keys can be generated many times and do not require storage.Therefore, the keys' storage capacity will be basically stable, and the keys' storage space can be calculated by formula (6): Sum (storage) = length (pairwise key) * quantity (APs) (6) 225 bit * 2 * 256 = 115200 bits = 14 kB.The simulation results of the key storage capacity required are shown in Figure 5.
Figure 5, which is based on Table 2 and formulas ( 5) and ( 6), compares the key space consumption under three Wireless Communications and Mobile Computing kinds of UE's speed in traditional symmetric key method and the "shared" key based IC method.In our scenario, by means of the "shared" key based IC method, the key storage space is a constant value, 14 kb, but, with the way of traditional symmetric key method, the key storage space value is dynamic and incremental, which shows that when UE movement rate is greater than 30 km/h, the key storage space is generally greater than 32 KB.
From the above data analysis, we can draw the following conclusions: (1) The key space consumed by the shared key method based on the IC is significantly less than the space consumption of the traditional symmetric key method.(2) The key space consumed by the shared key method based on the IC is more stable.In contrast, when using the traditional symmetric key method, the number of protected keys generated by the UE increases with the increasing movement speed.
For 5G UDN, it is very important to have secure and efficient data communications in practical operations.We proposed a scheme where the AKA-IC solution can effectively guarantee the security authentication and data protection among the network entity communication and improve the computational efficiency with less bandwidth.

Conclusions
In the 5G, the UDN is an important solution to the explosive growth of network capacity and data traffic.UDN security will directly affect the security of the 5G system.However, there is little research on UDN security.In particular, the data communication security among the network entities of the UDN is still unclear.
In this paper, a new security scheme based on the implicit certificate is introduced based on the analysis of the security challenge of the UDN.We provide the solution that includes the IC and pairwise key generation, and the application process is based on the IC.Then, we analyze the performance of our security communication model.Moreover, an authentication and key agreement protocol based on the IC (AKA-IC) is proposed to solve the secure data communication issue.The AKA-IC algorithm is lightweight and efficient, and the result of the simulated evaluation shows that it is well adapted to various network entities of the UDN, among the APs of APG and between the AP and UE.The security solution based on the IC should be used as an important direction for data communication security for future 5G UDNs.
For future work, in addition to investigating the aforementioned security issues, we also identify other interesting research areas, such as the unified security authentication architecture, the user privacy protection mechanism, and the algorithm optimization of key generation.This will provide more security assurance for 5G systems.The result value from the hash computing of Cert  :

Notations
Th ev a l u ef o rt h ec o m p u t i n gp ri v a t ek eyo f the entities   : Theprivatekeyofentity   : The public key of entity   : The shared key between entity  and entity  HMAC: The keyed-hash message authentication code algorithm.
(i) Each network entity should be mutually authenticated, and the bilateral entities should use their respective private keys.The security mechanism should be applied to ensure that both sides can receive relevant information.(ii) Each communication entity should be able to obtain the shared keys in data communications.The different communication sessions use different shared keys.(iii) The security mechanisms for data encrypted based on shared keys should support the dynamic joining or leaving of communication entities.(iv) All entities should receive unified management from the network operator.The generation of shared keys between communication entities should be in accordance with the relevant instructions.(v) The security mechanism should support multiple logical channels between the same sources or destinations and avoid the duplication of the keystream.(vi) The security mechanism should be efficient to ensure quick responses and adapt to the entity's performance and network bandwidth in different communication processes.

( 1 )
APs/UE: its own private key (pKey) can be reconstructed (2) the shared key (sKey, between AP and AP or between AP and UE) is instant by the algorithm computing

Figure 2 :
Figure 2: Communication between entities in a UDN based on the IC.
Private key: dU, Public key:

Figure 4 :
Figure 4: The AKA-IC process for the shared key.

Table 1 :
Comparison of the traditional certificate and implicit certificate.
where ID  is the entity's identity and Encrypt is an encoding function for the identity information protection.(iii) The component data of the private key:  =  *  CA + CA (mod ), where  = (Cert  ). is a Secure Hash Algorithm (SHA) such as SHA-1.(iv) Similarly, a sequence code  CA is generated by the CA, and then the CA sends back to the requester Ent  with Cert  ,  CA , , and HMAC[, Cert  ||  CA ||  || ID  ].

Table 2 :
Frequency of handover.the macro station is the center of the grid, where 256 APs are regularly deployed.The ISD is 20 m, which corresponds to the grid size of 320 * 320 m 2 .Similarly, the macro station is also the center of the grid, where 255 APs are randomly deployed, and the grid size is 320 * 320 m 2 .
Symmetric root key for initial authentication   : Secret random integer generated by entity   : EC point for the IC request sent by entity Cert  : The implicit certificate of the entity : :