Practical KGC-Free Polynomial-Based Multiple Group Keys Agreement for IoT Health Care Systems

Although many group key agreement schemes have been presented, most of these protocols generate a secret key for a single group. However, in the IoT HCS, more and more communications involve multiple groups, and users can join multiple groups to communicate at the same time. Therefore, applying the conventional public-key-based one-at-a-time group key establishment protocols incurs heavy computational cost or suffers from security vulnerabilities. At the same time, in an IoT HCS, a trusted KGC is usually not available and so more flexible self-organized multigroup keys generation will be desired by all group members. In order to address this issue, a practical scheme for efficient and flexible KGC-free polynomial-based multigroup key establishments for IoT HCS is proposed. The proposed protocol can generate multiple group keys for all group members at once, instead of generating one key each time for a single group; more importantly, there is no need for a trusted KGC in the process of group keys establishment and each user can join multiple groups at the same time using only one reserved share. Meanwhile, the security of the proposed protocol is discussed in detail. Finally, we compare this protocol with the latest related group key distribution protocols in performance analysis. The results show that this efficient and flexible KGC-free polynomial-based multiple group keys establishment protocol is more suitable for practical group key agreement in IoT HCS.


Introduction
The widespread application of the Internet of Things (IoT) brings great opportunities to the health care system (HCS). The IoT-based HCS provides enormous convenience for group communication among doctors, patients, paramedics, ambulances, and hospitals. The healthcare system can transmit the medical information collected by the internal equipment to multiple members in the group. Since medical information involves the life safety of patients, ensuring the safety of personal health information is crucial [1][2][3][4][5][6]. HCS is mainly responsible for collecting patients' health information and transmitting this information to group members in the system through the access point. When information is transmitted on the network, it is vulnerable to malicious attacks such as eavesdropping, tampering, and replay. It is possible that the adversary performs malicious attacks and manipulates the information transmitted on the network, which will threaten the lives of patients. The sensitivity of medical data brings many privacy and security issues to the IoT-based HCS. For example, an adversary may eavesdrop on medical information transmitted on the network [7][8][9][10]; an adversary may destroy the key used to encrypt data. Hence, it is essential to protect the security of medical data. Only when safety is guaranteed can the hospital provide better services to patients. Then, it is necessary to provide security services for the IoT-based HCS to resist various attacks. For data security, the source node and target node need to share a key before communicating. This process is called key distribution or establishment in IoT-based HCS. It is worth noting that these nodes have small memory space, slow operation speed, and limited battery power. Therefore, a lightweight key distribution protocol needs to be designed for the IoT-based HCS. The asymmetric cryptographic schemes (e.g., RSA [11]) are impractically used in IoT HCS due to node's inherit
To solve this problem, an efficient and flexible polynomial-based self-organized one-time multiple group keys establishment scheme for IoT HCS is presented in this paper. This scheme does not need to distribute a separate group key for each group one at a time and can generate multiple group keys for all group members at one time. In addition, there is no need for a trusted KGC in the process of group keys establishment. Each user uses only one reserved share to join multiple groups at the same time. We define it as the self-organized one-time multiple group keys establishment method. Meanwhile, the security properties of our scheme are analyzed in detail. Finally, comparing the performance of our protocol with the latest public-key-based group key establishment protocol, the results show that in IoT HCS our scheme has the advantages of high efficiency and practicality.
Our main contributions are summarized as follows:
(a) We design a polynomial-based self-organized multiple group keys establishment protocol for IoT HCS, in which there is no need for a trusted KGC in the process of group keys establishment, and multigroup keys generation will be performed by all involved group members.
(b) Our method is very efficient since in this protocol each user can join multiple groups at the same time using only one reserved share. There is no rekeying overhead.
(c) One unique feature of our design is that in this protocol the multigroup keys generation is performed by all group members. There is no need to set up a trusted server. It is very flexible for IoT HCS. Moreover, polynomial evaluation is much more efficient than public key calculations, so the computation cost is low.
The rest of this paper is arranged as follows. Some related work on key agreement schemes is discussed in Section 2. Section 3 introduces some essential preliminaries. The model of the proposed protocol is briefly introduced in Section 4. Section 5 presents our polynomial-based self-organized multiple group keys establishment protocol. The correctness and the security are proven in Section 6. Section 7 evaluates the performance of our scheme and makes comparisons between our protocol and the latest protocols. At last, we summarize this paper in Section 8.

Related Work
For HCS based on the IoT, more and more key establishment protocols are proposed [22][23][24][25][26][27][28][29][30]. Most schemes are implemented in a flat structure and establish a separate key for each group one at a time. The following methods are commonly used in group key agreement schemes, namely random-key predistribution [31], polynomial-based predistribution [32], and grid-based predistribution [33]. The first random key protocol was designed by Eschenauer and Gligor [31]. This scheme first randomly selects a key set from the key space, namely the key pool. Before being deployed, each sensor node randomly selects a subset from the key pool, called a key ring, and stores it in its own memory. Sensor nodes must look for public keys in their respective key rings before communicating with other nodes. If there is a public key, it will be used as a shared key for both parties to communicate. Otherwise, it is necessary to find a neighbor node that has a public key with both parties in the communication. The random key scheme is a probabilistic scheme. In other words, sensor nodes can only establish a shared key with a certain probability, and it cannot ensure that there is a shared key between all nodes. This requires increasing the size of the key ring of the sensor node to increase the probability of establishing a shared key between nodes. But it will also increase the success rate of node capture attacks. Hence, it is necessary to weigh the advantages and disadvantages between network connections and node capture attacks. The key distribution scheme using polynomials is deterministic, which means that there is a shared key between any two nodes. Suppose that the proposed scheme uses a polynomial of degree $t - 1$ to establish the shared key for the node; if the number of nodes captured by the adversary is $t$ or more, it will pose a threat to the entire network. For the purpose of improving the security of the scheme, the degree of the polynomial needs to be increased, but this makes the storage and calculation overhead of the nodes larger. Therefore, our intention is to design a multigroup key distribution protocol, which has the advantages of high efficiency and high security simultaneously.
A new key management protocol was proposed by Park et al. [34], which is aimed at the coexistence of multiple multicast groups in the same network. In this scheme, three different services are provided by the service provider for the IEEE 802.16 network [35]. The service provider is responsible for managing each user group. When a user exits or joins the user group, the service provider needs to update the broadcast key using asymmetric encryption. However, due to the limited resources of IoT devices, asymmetric encryption increases the computational cost of the key generation process. In the group key agreement scheme proposed in [36], the group key used for encryption is negotiated by members of the group, and then each group member is assigned a key for decryption. Only members of the group can decrypt the ciphertext encrypted by their shared key. Like the above scheme in [34], this scheme also uses asymmetric encryption to establish multigroup keys. Recently, the authors of [37] proposed a multiparty key agreement based on elliptic curve cryptography (ECC) encryption, which is more computationally efficient than RSA, but this protocol also needs a group controller (GC) and incurs rekeying overhead. Hsu et al. [38] proposed an efficient user-oriented multigroup key agreement scheme based on secret sharing, which relies on the trusted key generation center (KGC) to negotiate keys. We observe that in an IoT HCS, if there is no trusted KGC, self-organized one-time multiple group keys generation will be desired by all group members. This observation motivates us to come up with a solution to meet this requirement.

Preliminaries
We briefly describe the knowledge related to secret sharing in this section. In the secret sharing scheme, the trusted dealer splits the secret $s$ into multiple smaller shares and transmits them to the participants in the group to realize the sharing of the secret in the same group. Authorized participants in the same group can recover their secrets, while other unauthorized participants cannot recover their secrets. If a scheme can make it impossible for any unauthorized participant to recover the key and obtain any secret-related information, it is regarded as a perfect scheme.
Suppose $P = \{1, \ldots, n\}$ represents a collection of participants. Based on Shannon's entropy function, [39] proposed that a secret sharing protocol should meet the following conditions: (a) Correctness. The secret $s$ can be recovered by authorized participants. In other words, $H(S|A) = 0$ for any $A \in \Gamma$, where $\Gamma$ refers to the access structure, that is, the collection of authorized participants. (b) Security. It is impossible for the secret $s$ to be recovered by an unauthorized participant. In other
In this case, any information related to the secret $s$ cannot be obtained by the participants in $A$. So, the security of this protocol is perfect.
If the participant's share is in the same domain as the secret (this is the minimum size of the shares as demonstrated in [40]), a perfect secret sharing protocol is ideal.

Secret Sharing Scheme Based on Polynomials.
In Shamir's $(t, n)$ secret sharing scheme [41] based on linear polynomial, the trusted dealer chooses a polynomial $f(x)$ of degree $t - 1$, where $f(0) = s$. The dealer uses $f(x)$ to split $s$ into smaller shares, $f(x_i)$, $i = 1, 2, \ldots, n$, and distributes them to each participant, where $x_i$ is a public identifier for each participant $U_i$. This secret sharing scheme meets the above two security features. That is, (a) the secret can be recovered only if the number of shares is not less than $t$, and (b) if the number of shares is less than $t$, it is impossible to recover the secret. Hence, Shamir's $(t, n)$ secret sharing scheme is unconditionally secure, and it contains the following two phases.
where $x_i$ is a public identifier for each participant $U_i$. Then, each share $y_i$ is secretly distributed to the corresponding participant $U_i$.

Secret Reconstruction.
Assume that there are $t$ participants, $U_1, U_2, \ldots, U_t$, reconstructing the secret $s$.

Mathematical Problems in Engineering
Participants release their shares and recover the secret by using the Lagrange interpolating formula,

Model of Our Multigroup Key Agreement Scheme
The model of the proposed multigroup key agreement scheme for IoT HCS is presented in this section, which contains the system model and the security model.

System Model.
There is a KGC in our proposed protocol for IoT HCS, and it is assumed that there are $n$ users $U_1, U_2, \ldots, U_n$ participating in multigroup communication. The system model of our proposed protocol is illustrated in Figure 1.
These users can be doctors, patients, caretakers, ambulances, and hospitals. KGC is responsible for user registration and managing all registered users, including adding users and deleting users. In the IoT HCS, if there is no trusted KGC, all members of the group participating in the communication will negotiate to generate multiple group keys before communication in order to exchange information securely. Generally, self-organized multiple group keys generation should be performed by all group members. Hence, group session keys can only be generated by members in the same group.
During the registration phase of the proposed protocol, each user $U_i$ is secretly assigned a long-term secret generated by KGC. Next, self-organized multigroup keys generation will be performed by all group members. In other words, when accepting the key agreement request initiated by one of the users to multiple groups, each user selects one value for each group he joins and transfers each value secretly to the corresponding group members. Then, each user uses the values received from other group members, who belong to the same group, to recover the polynomial and the corresponding group key and further authenticates that this group key is the same as that of the other group members. Later, members in the group use the generated self-organized multigroup key for secure communication.
Public key calculation uses a large modulus, such as at least 1024 bits in RSA. In comparison, polynomial encryption uses a small modulus, only 160 bits. Therefore, our protocol based on polynomial encryption is more efficient and computationally faster. In addition, conventional group key agreement protocols need a mutually trusted KGC to generate all group keys for multigroups. This method relies on trusted servers and will incur communication and storage overhead in IoT HCS. The problem with the trusted server is that if it is attacked, the network will be completely insecure. In order to address the problem, self-organized multigroup keys generation is performed by all group members. This makes our protocol very effective and practical.

Security Model.
We briefly describe the security model to evaluate the security of the proposed scheme.

Type of Adversaries.
Our protocol mainly analyzes two types of adversaries, internal and external. An internal attacker refers to a legitimate member of the group, so the group key is known to him. The internal attacker may attempt to obtain the long-term secret keys of other members, which allows him to impersonate other members for secure communication. In addition, internal attackers may also obtain other group keys that they are not authorized to know and leak them. On the other hand, group keys that are not allowed to be known by outsiders may be maliciously obtained by an external attacker. The confidentiality of the group key affects the success rate of this attack. We will explain in detail that our scheme can resist these attacks in the following security analysis.

Security Features.
The following security features need to be satisfied: (a) Key confidentiality: it is computationally infeasible for external attackers to obtain any group key. (b) Key authentication: the generated group key must be authenticated by the group members as being the same key held by the corresponding group members.

The Proposed Protocol for Multigroup Communications
Suppose that there are a total of $n$ users participating in multigroup communication, $U_1, U_2, \ldots, U_n$. Before receiving system services, users need to register with KGC. KGC is responsible for user registration and managing all registered users, including adding users and deleting users. Before group members communicate, the session key of each group is distributed to the corresponding members of the same group in a secure manner, which ensures the security of communication. Generally, the session key of each group is determined by all corresponding members of the group according to the membership to which they belong. Hence, group session keys can only be generated by members in the same group. The symbols used in this paper are shown in Table 1. There are three stages in the proposed multigroup communication protocol, namely the initialization phase of KGC, the registration phase, and the multigroup key agreement phase. Users participating in multigroup communication are recorded as $U_1, U_2, \ldots, U_n$, and these groups are recorded as $G_1, G_2, \ldots, G_m$. A multigroup table is determined in Table 2 ≤ m), then the corresponding unit $a_{ik} = 1$, else $a_{ik} = 0$. Here we define the rank of a user, $|U_i|$, as the number of nonzero elements in $(a_{i1}, a_{i2}, \ldots, a_{im})$ and define the rank of a group, $|G_k|$, as the number of nonzero elements in $(a_{1k}, a_{2k}, \ldots, a_{nk})$. The detailed multigroup keys establishment is as follows:

Initialization of KGC. First, the KGC selects a large prime $p$, a generator $g$ of $GF(p)$, and constructs a secure one-way hash function $h(\cdot)$ based on the domain $GF(p)$. These parameters $p$, $g$, and $h(\cdot)$ are published by the KGC.

User Registration. Every user who needs multigroup key agreement service must first register with KGC. KGC is responsible for managing all registered users and updating the number of users in real time. After receiving the user's registration request, KGC generates a long-term secret, $x_i \in GF(p)$, for user $U_i$, distributes it to $U_i$ secretly, and publishes $g^{x_i}$, where $x_i \neq x_j$ and $i, j \in \{1, \ldots, n\}$. Later in real-time operation, multigroup keys will be calculated by the members of the group participating in the communication using their long-term secrets and used for secure communication between group members.

Multigroup Keys Establishment. In the IoT HCS, if there is no trusted KGC, then self-organized multigroup keys generation should be performed by all group members. Upon receiving a multigroup keys agreement request for the groups $G_1, G_2, \ldots, G_m$ from any group member, all involved group members will establish the $m$ corresponding group keys $K_1, K_2, \ldots, K_m$ in the following steps:

Step 1. The initiator broadcasts a multigroup keys establishment request for these groups $G_1, G_2, \ldots,$

Step 2. Each participating group member $U_i$ ($1 \le i \le n$) responds by broadcasting the list of his involved groups,

Step 3. Each member $U_i$ ($1 \le i \le n$) selects and broadcasts a random challenge, $r_i \in GF(p)$.

Step 4. According to the multigroup table, if $a_{ik} = 1$ for $1 \le k \le m$, then each member $U_i$ ($1 \le i \le n$) needs to randomly select a corresponding value $R_{ik} \in GF(p)$, which is used to compute the group key $K_k$. Altogether $U_i$ should select $|U_i|$ such values.

Step 5. Each member $U_i$ uses his secret share $x_i$, his challenge $r_i$, and the public value $g^{x_j + r_j}$ to calculate the pairwise shared secret keys between $U_i$ and $U_j$, $k_{i,j} = (g^{x_j + r_j})^{x_i + r_i}$, where $i \neq j$ for $i, j \in \{1, 2, \ldots, n\}$. Then, if $a_{ik} = 1$ and $a_{jk} = 1$ for $1 \le k \le m$, $U_i$ sends the corresponding $R_{ik}$ secretly to $U_j$ as $c_{i,j} = E_{k_{i,j}}(R_{ik})$, $1 \le i \le n$, where $E_{k_{i,j}}(R_{ik})$ represents the encryption of $R_{ik}$ using the key $k_{i,j}$.

Step 6. After receiving the ciphertext $c_{j,i}$ ($i \neq j$ for $i, j \in \{1, 2, \ldots, n\}$) from each member $U_j$, $U_i$ computes $R_{jk} = D_{k_{j,i}}(c_{j,i})$, where $D_{k_{j,i}}(c_{j,i})$ refers to decrypting $c_{j,i}$ using the key $k_{j,i} = k_{i,j} = (g^{x_j + r_j})^{x_i + r_i}$. Then, for each group $G_k$ ($k \in \{1, 2, \ldots, m\}$) that $U_i$ joins, $U_i$ will altogether obtain $|G_k|$ points $(l, R_{lk})$, where $a_{lk} = 1$ for $1 \le l \le n$. According to these $|G_k|$ points, user $U_i$ generates a polynomial $f_k(x)$ of degree $|G_k| - 1$ for each group $G_k$ and selects the constant term of $f_k(x)$ as the group key $K_k$. Then, $U_i$ broadcasts $|U_i|$ such values $h(K_k)$ to all group members, where $a_{ik} = 1$ for $1 \le k \le m$.

Step 7. Each member $U_i$ checks whether the broadcast values $h(K_k)$ for $1 \le k \le m$ are identical, respectively. If they are identical, $U_i$, for $1 \le i \le n$, authenticates that these $m$ group keys $K_1, K_2, \ldots, K_m$ are valid. If some of these group keys are not identical, the corresponding group members will run this protocol again. All computations are performed in $GF(p)$.

After successfully completing the above steps, $m$ group keys $K_1, K_2, \ldots, K_m$ associated with $G_1, G_2, \ldots, G_m$, respectively, are self-established among all group members. Then, group members can use these group keys $K_1, K_2, \ldots, K_m$ for secure multigroup communication.
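The seven steps above, together with the Lagrange reconstruction from the Preliminaries, as runnable Python; this is an added example, not the authors' code. The parameters `P` and `G`, SHA-256 for $h(\cdot)$, the additive mask standing in for $E$/$D$ (the paper names no cipher), the sample table and the `corrupt` option are assumptions made for the illustration.

```python
import hashlib
import secrets

P = 2**127 - 1   # demo prime modulus (constructed; far too small for deployment)
G = 3            # demo base standing in for the published generator g

def h(value):
    """One-way hash h(.) from the KGC parameters; SHA-256 is an assumption."""
    return hashlib.sha256(value.to_bytes(16, "big")).hexdigest()

def _mask(k_ij, sender, group):
    seed = f"{k_ij}|{sender}|{group}".encode()
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % P

def encrypt(k_ij, sender, group, value):
    """Stand-in for E_k(R): additive mask in GF(P). The page names no cipher."""
    return (value + _mask(k_ij, sender, group)) % P

def decrypt(k_ij, sender, group, ciphertext):
    return (ciphertext - _mask(k_ij, sender, group)) % P

def constant_term(points):
    """Lagrange-interpolate f over GF(P) through points and return f(0)."""
    total = 0
    for x_i, y_i in points:
        num, den = 1, 1
        for x_j, _ in points:
            if x_j != x_i:
                num = num * (-x_j) % P
                den = den * (x_i - x_j) % P
        total = (total + y_i * num * pow(den, -1, P)) % P
    return total

def run_protocol(table, corrupt=None):
    """table maps user index i -> set of group ids k with a_ik = 1.
    corrupt=(sender, receiver, group) damages that one ciphertext in transit.
    Returns (keys, verified): keys[(i, k)] is K_k as derived by U_i,
    verified[k] is the Step 7 outcome for group k."""
    users = sorted(table)
    groups = sorted(set().union(*table.values()))
    # Registration: long-term secret x_i, published g^{x_i}.
    x = {i: secrets.randbelow(P - 2) + 1 for i in users}
    pub = {i: pow(G, x[i], P) for i in users}
    # Step 3: broadcast challenge r_i.
    r = {i: secrets.randbelow(P - 2) + 1 for i in users}
    # Step 4: one random R_ik per group membership.
    R = {(i, k): secrets.randbelow(P) for i in users for k in table[i]}

    def pairwise(i, j):
        # Step 5: k_ij = (g^{x_j + r_j})^{x_i + r_i}, from public g^{x_j} and r_j.
        return pow(pub[j] * pow(G, r[j], P) % P, x[i] + r[i], P)

    # Step 5: U_i sends R_ik to every other member U_j of G_k.
    wire = {}
    for i in users:
        for j in users:
            for k in (table[i] & table[j] if i != j else ()):
                wire[(i, j, k)] = encrypt(pairwise(i, j), i, k, R[(i, k)])
    if corrupt is not None:
        wire[corrupt] = (wire[corrupt] + 1) % P

    # Step 6: each member rebuilds f_k from |G_k| points (l, R_lk).
    keys = {}
    for i in users:
        for k in table[i]:
            points = [(i, R[(i, k)])]
            for j in users:
                if j != i and k in table[j]:
                    c = wire[(j, i, k)]
                    points.append((j, decrypt(pairwise(i, j), j, k, c)))
            keys[(i, k)] = constant_term(points)

    # Step 7: group k is accepted only if every broadcast h(K_k) matches.
    verified = {}
    for k in groups:
        digests = {h(keys[(i, k)]) for i in users if k in table[i]}
        verified[k] = len(digests) == 1
    return keys, verified

# Constructed multigroup table: 4 users, 3 groups.
TABLE = {1: {1, 2}, 2: {1, 3}, 3: {1, 2, 3}, 4: {2}}

if __name__ == "__main__":
    keys, verified = run_protocol(TABLE)
    print("all groups verified:", verified)
    _, verified = run_protocol(TABLE, corrupt=(1, 3, 2))
    print("after corrupting U1 -> U3 in G2:", verified)
```

With `corrupt=(1, 3, 2)`, only group 2 fails the Step 7 hash comparison, so only the members of that group have to run the protocol again.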

Correctness.
In Step 6, $U_i$ will altogether obtain $|G_k|$ points $(l, R_{lk})$ from the group $G_k$ he joined, where $a_{lk} = 1$ for $1 \le l \le n$, and $k \in \{1, \ldots, m\}$. According to these $|G_k|$ points, user $U_i$ can calculate a polynomial $f_k(x)$ of degree $|G_k| - 1$ for each group $G_k$ by using the Lagrange interpolation formula and select the constant term of $f_k(x)$ as the group key $K_k$. Then $U_i$ broadcasts $|U_i|$ such values $h(K_k)$ to all group members, where $a_{ik} = 1$ for $1 \le k \le m$. In Step 7, each member $U_i$ checks whether the broadcast values $h(K_k)$ for $1 \le k \le m$ are identical, respectively. If they are identical, $U_i$ ($1 \le i \le n$) authenticates that these $m$ group keys $K_1, K_2, \ldots, K_m$ are valid.

Security.
The security of the proposed protocol is discussed by analyzing the following security features: (1) The proposed scheme can guarantee the freshness, confidentiality, and independence of the key and provide verification for the key. (2) This scheme is able to withstand attacks that occur on synchronous and asynchronous networks.
Proof. Key freshness is satisfied since for each request to generate multigroup keys, there are $m$ new group keys $K_1, K_2, \ldots, K_m$ associated with $G_1, G_2, \ldots, G_m$, where each group's session key $K_k$ ($k \in \{1, 2, \ldots, m\}$) is decided by all corresponding group members according to the membership to which they belong. Hence, the group session key can only be negotiated by members belonging to the group. In addition, each group member, $U_i$, uses $|G_k|$ points $(l, R_{lk})$, where $a_{lk} = 1$ for $1 \le l \le n$ and $R_{lk}$ is randomly selected by $U_l$, to generate a polynomial $f_k(x)$ of degree $|G_k| - 1$, and the constant term of $f_k(x)$ is the group key $K_k$ for group $G_k$.
Key confidentiality is guaranteed by the secret sharing protocol. The secret key of each group is decided by all members participating in the communication in the group according to the memberships that they belong to. These group members will interact with each other by fresh pairwise keys, which are computed using their long-term secrets $x_i$ and random challenges $r_i$. Hence, the group session key can only be negotiated by members belonging to the group.
Key authentication is provided by the values $h(K_1), h(K_2), \ldots, h(K_m)$, which are generated by the one-way hash function in Step 6, with the group keys $K_1, K_2, \ldots, K_m$ as input. The secret group key is determined by all members participating in the communication in the group. Besides, the group key cannot be forged by an internal attacker because it is decided by all corresponding group members according to the memberships that they belong to.
Key independence is provided. It means that a group member cannot obtain, from a group key that he has obtained, any information about another group key that he is not authorized to know. This is because each group key $K_k$ ($k \in \{1, 2, \ldots, m\}$) is computed from $|G_k|$ points $(l, R_{lk})$, where $a_{lk} = 1$ for $1 \le l \le n$ and $R_{lk}$ is randomly selected by $U_l$. The proof process is given in detail in Theorem 5.

Theorem 2.
The proposed protocol is able to withstand attacks in synchronous and asynchronous networks.
Proof. Group members will interact with each other by fresh pairwise keys, which are computed using their long-term secrets $x_i$ and random challenges $r_i$. Each group key $K_k$ ($k \in \{1, 2, \ldots, m\}$) reconstruction is based on $|G_k|$ points $(l, R_{lk})$, where $a_{lk} = 1$ for $1 \le l \le n$ and $R_{lk}$ is randomly selected by $U_l$. There is only a list of groups $G_1, G_2, \ldots, G_m$, the parameters $p$, $g$, $h(\cdot)$, and $g^{x_i}$, and random challenges $r_i \in GF(p)$ available. In real-time operation, multigroup keys generation is performed by all involved group members. It is impossible for an attacker to get information related to the key from the asynchronously released values. The proof process is given in detail in Theorems 4 and 5.

Theorem 3.
The forward and backward secrecy are guaranteed in the proposed scheme, which means that the leaving members are unable to obtain the new group key, and the newly joined member does not know the past key.
Proof. When the group members change, such as a member leaving the group or a new member joining, in Step 1, the list of groups $G_1, G_2, \ldots, G_m$ will be updated in real time. The group key in a multigroup session is decided by all corresponding group members according to the memberships that they belong to. Members in the group can only get the session key of the group they are currently in. In other words, new keys will not be obtained by the leaving members, and the previous key cannot be obtained by newly joined group members. Therefore, the proposed protocol guarantees both the forward and backward security of multigroup keys.
Our proposed scheme divides adversaries into two types. One type of adversary is the external attacker, which refers to members outside the group. An external attacker may attempt to obtain a private group key that is not allowed to be known by users outside the group. The confidentiality of the key guarantees that external attackers cannot achieve this kind of attack. In addition, our scheme allows any user to send a request to KGC to obtain the service of multigroup key establishment. Then an external attacker may pretend to be other legitimate members of the group to request the service of key establishment. However, the information related to the group key cannot be obtained by an external attacker through this attack, because the proposed scheme guarantees that members who are not authorized cannot obtain the group key. The other type of adversary refers to internal attackers. They are authorized to access the group key of their group, but they try to obtain the secrets shared by other members with KGC. Therefore, it is necessary to protect the secrets shared by other members with KGC from inside attackers.
Proof. In our scheme, any attacker is able to impersonate another member to request services from KGC and get a response message. However, it is guaranteed that only legitimate members of the group can obtain the secret key of the group. In our proposed scheme, group members will interact with each other by fresh pairwise keys, which are computed using their long-term secrets $x_i$ and random challenges $r_i$. Each group key $K_k$ ($k \in \{1, 2, \ldots, m\}$) reconstruction is based on $|G_k|$ points $(l, R_{lk})$, where $a_{lk} = 1$ for $1 \le l \le n$ and $R_{lk}$ is randomly selected by $U_l$. There is only a list of groups $G_1, G_2, \ldots, G_m$, the parameters $p$, $g$, $h(\cdot)$, and $g^{x_i}$, and random challenges $r_i \in GF(p)$ available. The polynomial-based secret sharing scheme, the difficulty of the discrete logarithm problem, and the one-way nature of the hash function protect the secret group key from being acquired by an attacker.
Group members cannot obtain information about other keys that they are not allowed to know based on the recovered secret group key. This is because each group key can only be calculated using the long-term secrets of the corresponding members in the group. Hence, key independence is guaranteed in our protocol. The possibility of an attacker successfully negotiating the leaked group key with other members by replaying the eavesdropped communication message is negligible. This is because the fresh pairwise keys are computed using their random challenges $r_i$ and each group key $K_k$ ($k \in \{1, 2, \ldots, m\}$) reconstruction is based on $|G_k|$ points $(l, R_{lk})$, where $R_{lk}$ is randomly selected by $U_l$. The parameters $r_i$ and $R_{lk}$ are different in each round of communication. Thus, our protocol is able to withstand the replay attack.
Proof. The group key in our protocol will be generated by members of the group participating in the communication. Each group's session key is decided by all corresponding group members according to the memberships that they belong to. These group members will interact with each other by fresh pairwise keys, which are computed using their long-term secrets. However, the secret $x \in K$ shared by group members and KGC is not known by outsiders.
Our scheme does not authenticate the user who sent the service request. Internal attackers can request services from KGC and pretend to be a member of the group to initiate a challenge. Suppose that there is an adversary $U_i$ who sends a group key agreement service request to the group including himself and member $U_{\mathrm{target}}$ and forges the group member's challenge $r_{\mathrm{target}}$. Although the adversary $U_i$ can obtain the group key, the value $x_{\mathrm{target}}$ is not known to him, since $x_{\mathrm{target}}$ is protected in $k_{i,\mathrm{target}} = (g^{x_{\mathrm{target}} + r_{\mathrm{target}}})^{x_i + r_i}$ due to the difficulty of the discrete logarithm problem. Thus, the internal attacker can only obtain the secret group key of the group and cannot know the long-term secrets of other members in the group. Therefore, the insider attack cannot be implemented in the proposed protocol.

Performance Evaluation
By comparing with the recently proposed multigroup key agreement schemes [34,37] based on public key encryption, the performance of our scheme is evaluated in this section. Then we show the comparison between our protocol and the latest multigroup key establishment protocols.
Compared with the public-key-based multigroup key establishment schemes [34,37], our protocol has the following advantages:
(a) Flexible and convenient network structures, such as peer-to-peer (P2P) networks, do not require a central server. In a P2P network, 'peers' are the nodes or computer systems that are connected to each other. Files or resources can be shared directly between the systems on the network, without the need of any central server. Conventional group key agreement schemes require a central server, namely a trusted KGC, to generate all group keys for multigroups. This method needs to set up a trusted server, so it will incur overhead costs in communication and storage in sensor networks. In addition, if the trusted server is compromised, the network will be insecure. To overcome this drawback, in our protocol, KGC-free multigroup keys generation is performed by all group members.
(b) In the public key broadcast-based schemes [34,37], the broadcast key needs to be updated when the user changes, which increases the cost of the scheme. In comparison, KGC is responsible for managing member changes in our secret sharing scheme. If a new user joins the group, he only needs to register with KGC and obtain the long-term secret distributed by KGC in a secure way. This process will not affect the long-term secrets of other existing members. In addition, the member's departure only requires KGC to delete the user without regenerating the key.
(c) It is well known that symmetric key encryption is a way in which each pair of users shares a symmetric key, but this way only provides confidentiality. Further, key distribution and management is a bottleneck in symmetric key cryptography, which produces huge communication and storage cost. Hence, public key encryption appeared, which can provide confidentiality, authenticity, and nonrepudiation but with high computation cost due to very large modulus and modular exponentiation operations. Compared with public key operations producing high computation cost, the bivariate polynomial-based approach can provide not only authentication and information-theoretic security but also lower computation cost. At the same time, compared with the symmetric key distribution process that needs huge communication cost, the bivariate polynomial-based approach is efficient while providing authentication. In our protocol, the polynomial calculation uses a small modulus, only 160 bits. In comparison, public key calculations not only require a larger modulus (for example, at least 1024 bits in RSA) but also use modular exponentiation, pairing, and scalar multiplication operations (such as ECC-based schemes). Therefore, the calculation efficiency of polynomials is higher than that of public key calculations.
Meanwhile, Table 3 compares our proposed scheme with the latest multigroup key agreement schemes, which demonstrates that our protocol has the optimal performance.

Conclusions
We present an efficient and flexible KGC-free polynomial-based multiple group keys establishment protocol for IoT HCS in this paper. The proposed protocol can generate multiple group keys for all group members at one time. In addition, there is no need for a trusted KGC in the process of group keys establishment, and each user can join multiple groups at the same time using only one reserved share. Meanwhile, the security of the proposed protocol is strictly analyzed. Finally, we compare this protocol with the latest multigroup key establishment protocols in performance analysis, which indicates that our KGC-free polynomial-based multiple group keys establishment protocol is fairly attractive for efficient and flexible IoT HCS.

Data Availability
The data used to support the findings of this study are included within the article.

Consent
Informed consent was obtained from all individual participants included in the study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.