Secure Collaborative Key Management for Dynamic Groups in Mobile Networks

Mobile networks are composed of heterogeneous mobile devices with peer-to-peer wireless communication. Their dynamic and self-organizing nature poses security challenges. We consider secure group key management for peer dynamic groups in mobile wireless networks. Many group-based applications have achieved remarkable growth along with the increasing use of multicast-based services. Key sharing among the group members is an important issue for secure group communication because communication among many participants increases the likelihood of illegal overhearing. We propose a group key sharing scheme and efficient rekeying methods for the frequent membership changes caused by network dynamics. The proposed method enables the group members to establish a group key simply and provides high flexibility for dynamic group changes such as member join or leave and group merging or partition. We conduct a mathematical evaluation against other group key management protocols and finally prove its security by demonstrating group key secrecy, backward and forward secrecy, key independence, and implicit key authentication under the decisional Diffie-Hellman (DDH) assumption.


Introduction
Advances in wireless communications and mobile devices have enabled various types of mobile networks such as mobile ad hoc networks (MANETs), wireless mobile sensor networks (WMSNs), and the Internet of things (IoT). In mobile networks, heterogeneous devices such as smartphones, laptops, and smart sensors perform peer-to-peer (machine-to-machine) communications without depending on any fixed infrastructure. Mobile networks have features distinct from conventional networks. First, network topology changes dynamically due to the mobility of nodes, which causes frequent switching of network connection state. Additionally, many applications in mobile networks support one-to-many (multicast) communication, where common data are transferred to multiple destinations from a source, for instance, military communication (battlefield), health care system, industrial monitoring, on-line conferencing, collaborative workspace, and disaster management. They build a collaborative group of entities, called group members, which participate in multicast group communications and manage group membership changes caused by node mobility.
Group communication over wireless networks is susceptible to illegal overhearing such as packet sniffing. When a group deals with sensitive information, secure group communication must be achieved by sharing a common secret key, the group key, for confidentiality of group messages with data encryption. In other words, it is essential to decide how to share a key among group members and how to update the group key for group membership change [1][2][3]. A typical approach is based on centralized key distribution with a trusted third party (TTP) [4][5][6][7][8]. It provides scalable group key management for large groups using symmetric encryption such as advanced encryption standard (AES) and hierarchical logical key tree. However, it depends heavily on a constantly accessible TTP. This requirement is not suitable for mobile networks with peer-to-peer communication. To apply a symmetric key based approach without a TTP, a node

Related Work
Over the past few decades, a considerable number of studies have been conducted on group key establishment and management. A typical approach is centralized key distribution based on constantly accessible TTP and pairwise keys [4][5][6][7][8]. These studies showed apparent efficiency for large groups such as wireless sensor network (WSN). Since, however, a mobile network is comprised of peer-to-peer communications with dynamic mobility and without a TTP, it is difficult to provide scalable group key management on arbitrary group setting [15].
We focus on DH-based group key management, known as group key agreement (GKA), in which a common key is generated by all group members' equal contributions. DH protocol allows two parties to share a key using their secrets over an insecure channel [10]. The key computation of DH uses the multiplicative group of integers modulo , where  is a large prime number. Each party chooses a random number   in Z  and computes    mod , where  is a primitive root (generator) mod. They exchange the computed values,   1 mod  and   2 mod , and agree on the common key: For extending it to group setting, Burmester and Desmedt (BD) proposed a conference key exchange system [11] depending on a broadcast manner. When the number of group members is n, the group key (GK) of BD becomes (2) As BD system requires large communication messages, Steiner et al. proposed group key agreement protocols called group Diffie-Hellman (GDH) [12,13]. In GDH, they showed not only that DH can be extended efficiently to group setting, but also that their protocol can deal efficiently with group membership change. They presented three distinct group key agreements GDH.1, GDH.2, and GDH.3, which later was advanced as a protocol suite known as CLIQUES [13]. In GDH.x, group members can individually or massively join and leave; CLIQUES also considers group integration and group division. A variant of GDH protocol is a centralized key distribution (CKD) scheme. In CKD, a controller distributes the group key to every member using pairwise temporal keys between the controller and each of the members, which is computed using DH fashion.
As group dynamics have become an important issue, some studies have adopted tree-based approach [15][16][17][18]. Skinny tree (STR) protocol [16] has good performance for member addition. In STR, While STR uses unbalanced key tree for group key computation, tree-based group Diffie-Hellman (TGDH) leverages balanced tree structure. Given eight group members in TGDH, the group key is computed as follows: STR and TGDH require a sponsor node which distributes intermediate computing keys in the tree during membership event changes. As tree-based protocols apparently help to reduce communication cost and operation cost, there have been several variants of TGDH [17,18]. However, they need to support management for tree balance and require message delivery order due to hierarchical tree structure. In mobile networks, much communication would be required to make sure that the group members can keep the synchronized tree structure.
In summary, DH-based group key protocol is generally known as GKA protocol. Although our protocol is based on DH, we do not classify it as a GKA protocol because of key distribution feature from a controller. Our proposed scheme provides the advantage of dynamics and collaborative contribution in computing group keys with a modified key agreement method.

Secure Group Key Management for Mobile Networks
deletion of an existing member. We define the insertion event as member join and the deletion event as member leave. When there is only one event node, we call the events single join and single leave, and when there are two or more event nodes we call them mass join and mass leave. Furthermore, we consider a group insertion into a group and a group partition into two distinct groups. We define them as group merging and group partition, respectively. Figure 1 shows a summary of the defined membership events. Group membership change is closely related to security of group communication. Outgoing members should have no access to group communication after they leave the group, and ingoing nodes should be prevented from accessing group communication that took place before they joined the group. We define the cryptographic properties that a secure group relying on a group key should meet: (1) group key secrecy, which guarantees that an adversary who knows the messages sent to group members cannot discover any group key in polynomial time, (2) backward secrecy, which guarantees that a new member or an adversary who knows the current group key cannot discover any previous group key in polynomial time, (3) forward secrecy, which guarantees that a former group member or an adversary who knows previous group keys cannot discover any subsequent group key in polynomial time, (4) key independence, which guarantees that an adversary who knows a proper subset of group keys cannot discover any other group keys in polynomial time, and (5) (implicit) key authentication, which guarantees that no one apart from a group member recovers the group key.

Group Key Establishment.
We present a new group key protocol, collaborative Diffie-Hellman (CODH). CODH has a centralized topology and key distribution from a leader node. However, unlike a conventional centralized scheme with a TTP, in CODH a group leader computes and distributes a group key by using the public keys of group members. We formalize the group key protocol and prove its security.
CODH has one leader called master. The leader is also one of group members. It consumes more energy than normal nodes for communication and operation in managing group keys. There will be a policy for choosing a leader. In mobile networks, signal strength, degree to neighbors, identity, and resources (CPU, memory, battery, and bandwidth) would be criteria for leader election [19][20][21]. When a group is created, the first master is elected among group members and performs group key initialization. Afterwards, group members select a new master when receiving master notification for leader change. Once a new group master is selected for group management, the previous master forwards information about group members to the new master; that is, a delegation process is run (refer to Sections 3.3 and 3.4). On the other hand, connection failure may occur by network isolation or denial of service attacks. (We assume that group participants are honest and not compromised. However, they can be threatened by network adversaries who can perform all of network-based attacks.) We consider the connection failure as a kind of member leave whether the left node is a member or the master.
Notation section represents notations used to illustrate our group key protocol. The index "s" stands for the master node in a group that is distinct from  or  which indicates a general member node. Therefore,   or   means an identity for general member, while   denotes the master. Lock-secret is defined as a secret value of a member. It locks the group key so that   can securely transfer the group key to the members. General members use their unlock-secret to extract the group key from   's broadcast message of a locked group key.
We adopt inverse exponentiation for obtaining the group key. Let   be a group of size ; that is,   = { 1 ,  2 , . . .,   } and   ∈   . To share the initial group key, the group   runs steps in Box 1 for the initial phase.
The initial phase consists of two rounds. In the first round, all members except the group master send their locker    to the master via unicast and the master produces the locker list,   , from receiving messages. In the second round, the master   selects a random secret  and computes and broadcasts the locked group key (  )  = (   )  using   . Then, each member can compute the group key GK using their own unlock-secret,   , as follows: The group key is equal to the locker of the group master when  is the master's secret. Therefore, operations for computing    and group messages never include   .

Group Rekeying for
Box 3: Group rekeying for member leave.
master, and then   broadcasts locked new group key GK  =    to all the group members in the same manner as second round of initial phase, as in Box 2. All members, including new members, can extract the new group key GK  in the same way as (6).
Unlike the join event, member leave process does not require the first round for sending lockers to the master. Let a subset of   for leaving members be   ⊂   (  ∉   ). Group members conduct rekeying operations for the new group key GK  as in Box 3.
The leaving nodes cannot learn the new group key because the broadcast message from   does not contain any locker   for leaving members. Note that the set   for the leaving node does not include the master. Leaving of the master requires 'delegation' during which the master forwards locker list   for group   to new group master (   ) as follows: The delegation can be used for another case where the master wishes to finish its master's role for a reason such as network topology change or resource exhaustion; that is, the master turns to a group member not leaving the group. In this case, the delegation message includes the former master's locker generated with new selected secret   as follows: When group members detect unexpected disconnection from the master, they restart group key initialization with new master selection. In the worst case, members can suffer from frequent connection failure with the master. In this case, the first protocol should be slightly modified to make all of group members have the locker list and any member be the group master to proceed Box 3. For instance, a general member at the first step of Box 1 broadcasts its locker to the group as follows: The group members continue secure communication with a fresh group key obtained through group rekeying. We provide formal security proofs in Section 5.  3 . In Figure 2, the number in a circle indicates members' index (such as by a joined order). Before they are merged, the number of the current group  is four including the group master (i.e.,  = 4,  4 ) and the number of members of joining group is three (i.e.,  = 3,  3 ). To be merged, the master of  3 sends the master of  4 the locker list   for  1 and  2 . Note that the master   of   must forward its locker after changing its own secret because it was used as the former group key. The master of  4 becomes the master for the merged group. It updates   and generates key-locks    with a new selected random .
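The initial phase and the join and leave rekeying described above, as an added Python example that is not code from the paper. The names `Member`, `Master`, `rekey` and `run_demo`, the toy parameters p = 2039, q = 1019, g = 2, and the choice of drawing the master-secret from [1, q-1] are assumptions made here; the signatures of the Implicit Key Authentication section are left out.

```python
import math
import secrets

# Toy parameters constructed for this demo; far too small for real use.
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime
G = 2      # has order Q modulo P


class Member:
    """General member: holds a lock-secret r and the matching unlock-secret."""

    def __init__(self, name, lock_secret=None):
        self.name = name
        r = lock_secret if lock_secret is not None else self._random_lock_secret()
        if not (1 < r < P - 1 and math.gcd(r, P - 1) == 1):
            raise ValueError("need 1 < r < p-1 and gcd(r, p-1) = 1")
        self._unlock_secret = pow(r, -1, P - 1)   # r * r^-1 = 1 mod (p-1)
        self.locker = pow(G, r, P)                # public locker g^r mod p

    @staticmethod
    def _random_lock_secret():
        while True:
            r = secrets.randbelow(P - 3) + 2      # uniform in [2, p-2]
            if math.gcd(r, P - 1) == 1:
                return r

    def unlock(self, key_lock):
        """(g^(r*k))^(r^-1) = g^k mod p, the group key."""
        return pow(key_lock, self._unlock_secret, P)


class Master:
    """Group master: keeps the locker list and broadcasts key-locks."""

    def __init__(self):
        self.lockers = {}        # member name -> locker
        self.group_key = None

    def join(self, members):
        for m in members:
            self.lockers[m.name] = m.locker

    def leave(self, names):
        for n in names:
            del self.lockers[n]

    def rekey(self, master_secret=None):
        """Pick a fresh master-secret k; return the broadcast {name: locker^k}."""
        k = master_secret if master_secret is not None else secrets.randbelow(Q - 1) + 1
        self.group_key = pow(G, k, P)             # GK = g^k mod p
        return {n: pow(lk, k, P) for n, lk in self.lockers.items()}


def run_demo():
    """Initial phase, one join, one leave; fixed secrets make it repeatable."""
    a, b, c = Member("M1", 3), Member("M2", 5), Member("M3", 7)
    master = Master()
    master.join([a, b])                           # round 1: lockers to master
    bc1, gk1 = master.rekey(11), master.group_key # round 2: key-lock broadcast
    init_ok = all(m.unlock(bc1[m.name]) == gk1 for m in (a, b))

    master.join([c])                              # member join, new secret
    bc2, gk2 = master.rekey(13), master.group_key
    join_ok = all(m.unlock(bc2[m.name]) == gk2 for m in (a, b, c))

    master.leave(["M2"])                          # member leave, new secret
    bc3, gk3 = master.rekey(17), master.group_key
    leave_ok = all(m.unlock(bc3[m.name]) == gk3 for m in (a, c))
    # The leaver gets no key-lock of its own; applying its unlock-secret
    # to the other members' key-locks does not yield the new group key.
    leaver_values = {b.unlock(v) for v in bc3.values()}
    return {
        "keys": (gk1, gk2, gk3),
        "members_agree": init_ok and join_ok and leave_ok,
        "leaver_in_broadcast": "M2" in bc3,
        "leaver_recovers_key": gk3 in leaver_values,
    }
```

Calling `Member(name)` and `rekey()` without arguments draws the secrets from `secrets`; the fixed values in `run_demo` exist only so the run is reproducible.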

Group Rekeying for Group Merging and
As shown in Figure 3, the current group will be divided into two groups. When the number of left members is , the current group will have ( − ) members after the partition process. Group partition requires one more master    for a separated subgroup   ⊂   (  ∉   ). Group partition process can be easily conducted through delegation, from the master   of group   to the fresh master    of subgroup   . The divided groups perform a group key initial phase after the delegation process, as in Box 5.

Implicit Key Authentication.
For the secure key authentication, the messages sent from all members should be signed with a signature key. Hash-based signature such as message authentication code (MAC) is fairly efficient in terms of computation cost. However, it is too costly to share one-to-one pairwise keys between all of group members in advance.
We assume that a member holds long-term private and public keys certified by a trusted certificate authority (CA). (Each member can use a different signature algorithm such as RSA-based signature algorithm, digital signature algorithm (DSA), and elliptic curve digital signature algorithm (ECDSA). Note that some of them do not provide message encryption; that is, it is used for message signing and verifying. We consider that DSA is better for our scheme since its public key includes   mod .) The group members send to the master the signed messages with their own private key; for example, in the first step of Box 1, a member,   , sends to the master {  ,    (  )} which   signs for   with its private key. Note that this process runs one-time at initial phase or it can be precomputed with   .
Members can obtain the group key securely by verifying the messages of the master with signature signed with the master's private key. All of messages from the master come with a master-signed signature for the origin and integrity of a group key. For example, in the second step of Box 1, the master broadcasts {  1 ,   2 , . . .,    ,    (GK)}. The master produces a locked set for the group key using verified members' locker. It implies that outsiders cannot recover the group key from the master's messages.

Evaluation
We measure performance of the proposed scheme through communication and computation cost spent for all group members to complete group rekeying by membership change. Table 1 shows summary of comparison with other DH-based key management protocols: CKD, GDH, BD, STR, and TGDH. In Table 1, , , and  denote the number of current group members, joining or merged-group members, and leaving or partitioned-group members, respectively. Therefore,  = 1 or  = 1 indicates the single-member event.
For TGDH, the height of the key tree is denoted as ℎ, and, for STR,  is denoted as the index of the sponsor, which helps other members to calculate group keys. Group merging is a case where a group of  members is merged into a group of  members ( ≥ ), and group partition is a case where a group of  members is divided into separate subgroups: (1) a group of  members and (2) a group of ( − ) members, where (−)≥ . The costs for the group partition event include the costs for updating two subgroup keys. In computation costs, we consider concurrent execution in distributed nodes if it is possible. In CODH, we assume the master is selected by group-join order; the first master is  1 , and when  1 leaves the group,  2 becomes the next master. CKD distributes the group key in a similar way with our protocol. Its communication and computation costs are also similar to our protocol. However, the worst case of CKD is when the master leaves. It requires large costs for rekeying. On the other hand, in CODH, the rekeying cost for a leaving master is analogous to that for a leaving member due to efficient delegation or sharing of public locker list. GDH is operated through communication chain from the first node to the last node, and the last node becomes the master of the group. Steiner et al. presented three GDH protocols: GDH.1, 2, and 3. GDH.2 is the most efficient in communication whereas GDH.3 is the most efficient in computation cost among GDH.x. We select GDH.3 for comparison. As shown in Table 1, GDH has weaknesses in group merging and mass joining. BD employs a completely distributed way using broadcast messages. Without sponsors or controllers, all of members broadcast messages for updating the group key. Although it seems to be fairly efficient in computation cost, there are hidden costs for multiplications. In addition, it requires a large communication cost compared to other protocols. STR and TGDH are tree-based key agreement protocols. They use different tree structures for key management. STR, especially, uses the extremely unbalanced tree structure.
Accordingly, the performance of STR depends on the location of the sponsors. In TGDH, the costs depend on the height of the resulting key tree and locations of joining or leaving members in the tree. We provide the worst case cost for TGDH.
Figure 3: Group partition process: (a) when group  7 is partitioned into two groups (new group  3 ), the master of the original group sends P's master the locker list of the new subgroup and (b) after the group is split, each group master broadcasts the key-locks for each new group key.
Most of the cost in CODH comes from the master node. A general node consumes only one communication, modular exponentiation, signature, and verification in all of group rekeying process. We summarize the costs for a general member and the group master in Table 2. Although the exponentiation cost looks heavy in the master, its cost is insignificant. We conducted an experiment to measure computation delays for modular exponentiations. Table 3 shows the average delay of 10 experimental results for each. The first device has less CPU power than the second device. When modular prime  is 1024 bits long and  ≤ 50, the computation delay is less than 1 s. The average delay of one exponentiation is less than 8 ms in the second device. Moreover, reducing communication cost is important for mobile devices because data communication consumes more energy than any other process. Therefore, our group key protocols can be efficiently applied in dynamic mobile networks.

Security
Let  be a large prime number of the form 2 + 1 for a prime  in Z  . Let  be a cyclic group of prime order  and let  be a generator of ; that is,  = ⟨⟩. The decisional Diffie-Hellman problem (DDH) is as follows: given (,   ,   ,   ), where , ,  ∈ Z  , decide whether  =  or a randomly chosen number. In particular, the security of our protocol is based on the divisible decisional Diffie-Hellman problem The DDDH problem is weaker than DCDH, since if an adversary could solve the DCDH problem, he could solve the DDDH problem by computing   to decide   =  / ; thus the DDDH assumption is stronger than the DCDH assumption. Similarly, the DDH problem is weaker than the computational Diffie-Hellman problem (CDH), which is weaker than discrete logarithm problem (DL) [22]. We want to prove the security of our protocol under the DDH and DDDH assumptions.
Proof. Given the DDDH input (,   ,   ,   ), where  = /, one submits (,   ,   ,   ) to DDH to decide whether  =  or a randomly chosen number. Similarly, given the DDH input (,   ,   ,   ), where  = , one submits (,   ,   ,   ) to DDDH to decide if  = / or a randomly chosen number. Therefore, we know that if there is no polynomial time algorithm to solve the DDH problem, it is hard to solve the DDDH problem.
Theorem 5. The proposed scheme provides backward secrecy, forward secrecy, and key independence provided the DDH problem is intractable.
Proof. Whenever membership is changed or the group key is updated, the group controller alters its own secret  to   , where   is an independently random number to  ∈ Z  ; it implies that it is impossible to find an algorithm  such that (  ) →    without knowledge of  and   . We assume that the secret values are uniformly distributed by a pseudorandom generator. Therefore, when the group key has been changed, an adversary must use new public information, V(,   ) = (  1 ,   1   ,   2 ,   2   , . . .,    ,      ), to recover the group key updated into    and it depends on a solution to solve the DDH problem by Theorem 4. It follows that past members, future members, or adversaries who know a subset of previous group keys cannot learn the current group key, since the broadcast message from the master does not contain their locker   in view().
Theorem 6. The proposed scheme provides implicit key authentication under the security of certified public key.
Proof. A locker which the master obtains from group members is what a group member signs with its public key certified by a CA. Concretely, a locker   is hashed by a one-way function such as SHA-2, and hash (  ) is signed with   's private key using a digital signature algorithm such as RSA, DSA, and ECDSA. Then, the locker is verified with the public key bound to   and certified by CA. If there is a locker of nonmember in the locker list of a group, it must be along with a forged signature. It means that the problem occurs in a hash collision attack or a rogue CA certificate [23]. Once all verified lockers are transferred to the master, any other nodes which are not a group member cannot recover the group key under the DDH assumption (Theorems 4 and 5).

Conclusion
In this paper, we propose a secure group key management protocol based on DH key agreement. The proposed key management requires only one data communication and one modular exponentiation at each member for any membership event. It shows prominent efficiency in renewing the group keys against dynamic group membership change, member join/leave and group merging/partition. We proved group key secrecy, backward/forward secrecy, key independence, and key authentication. No outsiders can learn the group key under the DDH assumption. We conclude that CODH can be adapted efficiently for multicast security in mobile networks.

Figure 2: Group merging process: (a) when groups  4 and  3 are merged, R's master sends the locker list of  to C's master and (b) after groups are merged, C's master becomes the master for merged group and broadcasts the key-locks for new group key to all of the members.

Theorem 3. The DDDH problem is equivalent to the DDH problem.
Assume that the group of  members establish a group key.
Step 1. Each member selects random   ∈ Z  and computes   =    mod p.
   →   :   ( ∈ [1, ],  ≠ )
Step 2.   selects random  in Z  for group key sharing and computes key-locks.
  ⇒   : {(  )  |  ∈ [1, ],  ≠ }
Box 1: Group key initialization.

Assume that m members are added to the group   .
Step 1. Each new member   ( + 1 ≤  ≤  + ) selects random   ∈ Z  and computes   =    mod p.
   →   :   ( ∈ [ + 1,  + ])
Step 2.   selects random   in Z  for new group key and computes key-locks.
  ⇒   : {(  )

Member Join and Leave. The master-secret should be renewed when membership changes, since it is used for the new group key GK  . In Box 2 (member join process),   means a new master-secret that   selects. Let  +1 be the first new member and let  + be the last new member, when  new members join the group   (if a single member joins, the new member is only one node,  +1 ). A new member   (+1 ≤  ≤ +) sends its locker   to the

Assume that a subset   of current group   is composed of m leaving members in the group and does not include the group master   .
Step 1.   selects random   in Z  for new group key and computes key-locks with updated locker list.

Partition. There are two ways to integrate two groups into one group completely: individual join and group join. The former is that members of a group join another group individually. It is similar to the mass joining process, except that the joining master should generate his lock-secret,   , and locker,    . The latter way is that a group is absorbed into the other group via delegation process between both group masters. Let two groups be merged   = { 1 ,  2 , . . .,   } and   = { 1 ,  2 , . . .,   } ( ≥ ). The master   of   survives after group merging, while the master    of   becomes a member of the merged group. Smaller group members (∈   ) become a member of  + ; that is,  + = { 1 ,  2 , . . .,   ,  +1 , . . .,  + } and   ∈   after group merging. Group merging process runs with delegation (in the first round) as in Box 4. Figure 2 represents an instance for a merging process for a current group  4 and a merged group

Assume that a group   is merged into a group   where  ≥ , and the merged group  + =   ∪   .    is the master of   and   is the master of   .
Step 1.    selects a random number    in Z  , computes    =     mod p, and updates the locker list into   = { 1 ,  2 , . ..,   } ∪    . (delegation)
   →   :   
Step 2.   selects random   in Z  for new group key and computes key-locks with updated locker list.
  ⇒  + : {(  )   

Assume that a current group   is partitioned into two groups,   (⊂   ) and  − (=  \   ). The master of   is    and the master of   is   (∉   )
Step 1.   generates   = {  |   ∈   ,  ≠ } from   . (delegation)
  →    :   
Step 2.   and    select random   ,   in Z  respectively and compute key-locks with their locker list.
  ⇒  − : {(  ) ] ∧   ∉   ,  ≠ }
   ⇒   : {(  )   |   ∈ ,  ≠ }
Box 5: Group partition.

Table 1: Communication and computation costs.

Table 2: Communication and computation costs for CODH member and master.

Number of protocol participants
  : th group member,  ∈ [1, ]
  : Master node (controller), ∈ [1, ]
: Prime of the form 2 + 1 for a prime 
: Generator in Z * 
  : Lock-secret; random number picked by   such that 1 <   <  − 1 and gcd(  ,  − 1) = 1
  : Unlock-secret for   such that   *   ≡ 1 mod ( − 1)
: Master-secret randomly selected in Z *  , by  
  : Locker;    mod 
  : Current group of  members; #() = 
  : Locker list of group ;   = { 1 ,  2 , . . .,   } \ n:
  →   : m: Unicast message (m) from   to  
  ⇒   : m: Broadcast message (m) from   to  members of .