Keywords

1 Introduction

The MANET is a multi-hop temporary autonomous system consisting of a set of mobile nodes with wireless transceivers, unlike traditional networks that rely on communications infrastructure, all mobile nodes in MANET assume both communication and routing responsibilities, and all mobile nodes are equal, without a central control organization [20]. And the nodes move in or out range dynamically so that the topology of network dynamically changes. These features guarantee the flexibility of MANET applications, but also face to many challenges. Therefore, it is necessary to encrypt and authenticate the messages in the communication to avoid the adversaries intercept, tamper even partially interrupt the communication. Group key can be used to establish secure communication over an unreliable channel in MANET.

In this paper, we propose a self-healing group key distribution scheme with dynamic revocation and collusion resistance. our scheme is based on Dual Directional Hash Chain so that it can keep the forward secrecy and backward secrecy. And we introduce a self-healing hash chain to resist collusion attack between the new joined mobile node and the revoked mobile node. In addition, our scheme can revoke nodes during a session, while the previous schemes based on hash chains can not totally overcome such flaw.

Key management is one of the core technologies to realize the mobile ad hoc network security using cryptography technology [13]. The self-healing key distribution scheme was first proposed by Staddon et al. in [9] based on the information entropy theory. Initially, it is design for unreliable network to ensure the establishment and updating of session keys and improve the usability of the system in harsh communication environment. Liu et al. first proposed an efficient self-healing key distribution scheme based on revocation polynomials [8]. Dutta and Mukhopadhyay proposed an efficient computationally secure solution based on the combination of forward hash chain and reverse hash chain [4], which can greatly reduce resource cost, yet the scheme would lead to session keys being exposed [3, 16, 17]. Dutta and Mukhopadhyay further replace m mask polynomials with a bivariate t-degree polynomial [5], reducing the communication overhead and storage overhead to \(O((t+1)\ log\ q)\). However, the scheme is still flawed and cannot resist collusion attack. To prevent collusion attack, Du et al. introduced a secret random number for each session [2], as long as the attacker cannot get these secret random numbers. Wang et al. proposed a self-healing key distribution scheme based on the revocation polynomial [15], which solve the collusion attack problem by binding the joining time with its capability for recovering previous group session keys. Chen et al. solved the collusion attack problem [1], by introducing the unique session identifier and binding the joining time with the capability of recovering previous session keys.

Zou et al. proposed the first key distribution scheme based on the access polynomial [21]. Tian et al. proposed a simpler and more efficient key distribution scheme based on access polynomials [11], but later, this scheme was proved to be insecure later. Yuan et al. proposed unconditional secure key distribution schemes based on access polynomials [18, 19], but these schemes only apply to specific groups. Wang et al. proposed a novel self-healing group key distribution scheme based on the access polynomial [14], which achieves the self-healing attribute by binding the joining time with the capability of recovering previous session keys, however, Guo et al.proved that the scheme does not have forward secrecy [6]. Sun et al. proposed two improved self-healing key distribution schemes with the capability of broadcast and authentication based on access polynomials [10], which further improved the ability to resist collusion attacks. Guo et al. proposed two self-healing group key distribution schemes based on exponential arithmetic, and introduced a novel broadcast method to reduce the storage cost and communication cost [7].

2 Preliminaries

Our scheme is based on the Dual Directional Hash Chain(DDHC), we first introduce the definition of a one-way hash function, which is the foundation of the DDHC. A hash function is any function that can be used to map data of arbitrary size to data of fixed size. A one-way hash function H(x) satisfies the following conditions:

  1. (1)

    Unidirectional: Let \(H:A\rightarrow B\) as a one-way hash function, given \(x\in A\), it is easy to compute \(y=H(x)\). But if given \(y\in B\), it is computationally infeasible to compute the \(x\in A\) and \(H(x)=y\).

  2. (2)

    Resist weak collision: Let \(H:A\rightarrow B\) as a one-way hash function, given \(x\in A\), it is computationally infeasible to compute \(x'\in A\), \(x'\ne x\) and \(H(x')=H(x)\).

  3. (3)

    Resist strong collision: Let \(H:A\rightarrow B\) as a one-way hash function, it is computationally infeasible to compute x, \(x'\in A\), \(x'\ne x\), and \(H(x')=H(x)\).

A DDHC consists of two one-way hash chains with equal length, a forward hash chain and a backward hash chain. First, generating two random key seeds FK and BK from finite field \(\mathbb {F}_q\). Then repeatedly applies the same one-way function H(x) on each key seed to produce two hash chains of equal length m. So, the DDHC is defined as follows:

$$\begin{aligned} \{ K_F^0=FK, K_F^1=H(K_F^0), \ldots , K_F^m=H^m (K_F^0) \} \end{aligned}$$
$$\begin{aligned} \{ K_B^m=H^m (K_B^0),\ldots ,K_B^1=H(K_B^0),K_B^0=BK \} \end{aligned}$$

In our scheme, we mainly focus on how to guarantee the security of communication between mobile nodes. To further clarify our goals and facilitate the later presentation, We define security model for the proposed self-healing key distribution scheme as follows:

  1. (1)

    Key confidentiality: Any mobile nodes that are not the member of the group have no access to the keys that can decrypt the data that broadcast to the group.

  2. (2)

    Forward secrecy: For the set \(R_j\) of mobile nodes revoked before session j, it is computationally infeasible for the mobile nodes \(u_i\in R_j\) colluding together to recover any of subsequent session keys \(SK_j, SK_{j+1}, \cdots ,SK_m\), even with the knowledge of keys \(SK_1\), \(SK_2\), \(\cdots \), \(SK_{j-1}\).

  3. (3)

    Backward secrecy: For the set \(J_j\) of new mobile nodes joined after session j, it is computationally infeasible for the mobile nodes \(u_i\in J_j\) colluding together to recover any of past session keys \(SK_1\), \(SK_2\), \(\cdots \), \(SK_j\), even with the knowledge of keys \(SK_{j+1}\), \(SK_{j+2}\), \(\cdots \), \(SK_m\).

  4. (4)

    Collision resistant: Given any set \(R_i\) of mobile nodes revoked before session i and any set \(J_j\) of new mobile nodes joined after session j, \(i<j\). It is computationally infeasible for a colluding coalition \(R_i\cup J_j\) to recover any keys \(SK_i\), \(SK_{i+1}\), \(\cdots \), \(SK_{j-1}\) between session i and session j.

  5. (5)

    Revocation capability: The illegal mobile nodes will be removed from the current group in time when the detection system detects the illegal mobile nodes.

3 Proposed scheme

The self-healing key distribution scheme proposed in this paper focuses on a communication group in the MANET. A communication group includes a key distribution center KDC and n group members. Each member in the group has a unique identifier, represented by \(u_i\), and KDC shares a session key SK with group members in the group communication. The lifetime of the group communication is divided into m sessions, where a session is a fixed interval of time denoted as \(T_r\), the \(j^{th}\) session is represented by \(s_j\), and the session key of the \(j^{th}\) session is \(SK_j\). The scheme consists of six parts: initialization, key update, key recovery, add or revoke group members, self-healing mechanism and re-initialization mechanism. The basic process shown in Fig. 1.

Fig. 1.
figure 1

Basic process of the proposed scheme

Full size image

3.1 Initialization

Let t be a positive integer. KDC first randomly chooses a bivariate t-degree polynomial h(x, y) from a small finite field \(\mathbb {F}_q [x,y]\):

$$\begin{aligned} h(x,y)=\sum _{0\le i,j\le t} a_{ij} x^i y^j\ mod\ q \qquad (t\le m,t\le n) \end{aligned}$$
(1)

According to the identifier of each mobile node and h(x, y), KDC assigns a polynomial \(h(u_i,y)\) to each mobile node as its mask polynomial.

KDC randomly picks the forward key seed FK, the backward key seed BK and the self-healing hash seed SH from \(\mathbb {F}_q\), respectively. Then KDC generates three hash chains: \(fk^j=H^j(FK),\ bk^j=H^{m-j+1}(BK),\ sh_j=H_1^j(SH)\), Where the structure of the DDHC adopts the hash function H(x), and the structure of the self-healing hash chain adopts the hash function \(H_1(x)\).

During the initialization phase, KDC will send the following packet over the secure channel to the mobile node \(u_i\) with the session period \(s_i\) to \(s_j\) (\(1\le s_i<s_j\le m\)).

$$\begin{aligned} KDC\rightarrow u_i:\{T_r\Vert h(u_i,y)\Vert fk^i \Vert sh_i \} \end{aligned}$$

where \(T_r\) is the length of each session, \(fk^i=H^i(FK)\) is the forward key hash value and \(sh_i\) is the self-healing hash value corresponding to session \(s_i\). When the mobile node receives the initialization packet, decrypts and obtains the corresponding session key update parameters and system parameters, sets the update time of timer to \(T_r\), and saves the session key update parameters.

3.2 Key Update

At the beginning of each session, KDC constructs the revocation set R to store the revoked mobile node and a set U to store the non-revoked mobile node. Let \(R_j\) be the set of all mobile nodes revoked in \(s_j\), and \(R=R_1\cup R_2 \cdots \cup R_j\), \(U_j=\{u_1,u_2,\cdots ,u_n\}\) be the set of all legal mobile nodes in \(s_j\).

If a mobile node is revoked in \(s_j\), KDC will produce a random value \(sh_j'\) to replace the self-healing hash value \(sh_j\), that is \(sh_j=sh_j'\), subsequent self-healing hash values can be computed using the random value \(sh_j'\): \(sh_{j+k}=H_1^k(sh_j')(0<k\le m-j)\). If there is no mobile node is revoked in \(s_j\), KDC will compute the self-healing hash value \(sh_j=H_1(sh_{j-1})\). So the session key \(SK_j\) of \(s_j\) as follows:

$$\begin{aligned} SK_j=fk^j+sh_j\times bk^j \end{aligned}$$
(2)

If a mobile node is revoked in \(s_j\), KDC first constructs the revocation polynomial \(r_j (x)\) according to the revocation set \(R=\{r_1,r_2,\cdots ,r_{\omega _j }\}\):

$$\begin{aligned} r_j(x)=(x-r_1)(x-r_2)\cdots (x-r_{\omega _j})\ mod\ q \end{aligned}$$
(3)

Then KDC constructs the recovery polynomial \(\psi _j (x)\) to recover the lost session keys:

$$\begin{aligned} \psi _j (x)=r_j(x)sh_j'+h(x,fk^j)\ mod\ q \end{aligned}$$
(4)

KDC constructs the access polynomial \(v_j(x)\) according to the set \(U_j\):

$$\begin{aligned} v_j (x)=[1+(x-u_1)(x-u_2)\cdots (x-u_n)]\ mod\ q \end{aligned}$$
(5)

Where legal mobile nodes compute the access polynomial \(v_j(x)\) will get \(v_j(x)=1\), however, the revoked mobile nodes will get a random value that different from 1.

After constructing the access polynomial, KDC will compute the broadcast polynomial \(b_j (x)\):

$$\begin{aligned} b_j (x)=v_j (x)\times bk^j+h(x,fk^j)\ mod\ q \end{aligned}$$
(6)

Based on these preparations, KDC will broadcast the key update messages \(B_j\) in the group. The format of \(B_j\) is as follows:

$$\begin{aligned} B_j=\{R_1\cup R_2\cup \cdots \cup R_j \Vert U_j \Vert b_j (x)\Vert \cup _{j'=1}^{j}\psi _{j'}(x) \} \end{aligned}$$
(7)

3.3 Key Recovery

The session key consists of three parts: \(fk^j\), \(bk^j\) and \(sh_j\). \(fk^j\) is secretly assigned to each legal mobile node in the initialization phase, \(sh_j\) is updated at the beginning of each session.

At the beginning of \(s_j\), when a legal mobile node \(u_i\) receives the key update packet, it first computes \(fk^j\), then computes the result of \(h(u_i,fk^j )\), and then computes the result of access polynomial \(v_j(u_i)\) according to the legal node set \(U_j\), and computes the backward hash value:

$$\begin{aligned} bk^j=\frac{b_j (u_i )-h(u_i,fk^j)}{v_j (u_i)}\ mod\ q \end{aligned}$$
(8)

If the mobile node is revoked, the result of access polynomial is a random value different from 1, the mobile node cannot obtain the right backward hash value \(bk^j\).

If there is no revoked mobile node in \(s_j\), \(u_i\) computes \(sh_j=H_1 (sh_{j-1})\). Otherwise, \(u_i\) can compute \(sh_j\) from the recovery polynomial \(\psi _j (x)\) in the broadcast message \(B_j\):

$$\begin{aligned} sh_j=sh_j'=\frac{\psi _j (u_i )-h(u_i,fk^j)}{r_j (u_i)}\ mod\ q \end{aligned}$$
(9)

Finally, \(u_i\) can further compute the session key \(SK_j=fk^j+sh_j\times bk^j\).

3.4 Add or Revoke Group Members

Add group members: When a node \(u_i\) wants to join the communication group and to be legal from \(s_i\) to \(s_j\), \(u_i\) first get in touch with KDC. After verifying its identification, KDC encrypts and sends the session key parameters to \(u_i\) via the secure communication channel:

$$\begin{aligned} KDC\rightarrow u_i:\{T_r\Vert h(u_i,y)\Vert fk^i \Vert sh_i \} \end{aligned}$$

At the same time, KDC adds \(u_i\) to the legal set \(U_j\), updates key and recovers key.When a non-revoked mobile node leaves the communication group,the mobile node will be deleted from the legal set \(U_j\), and the mobile node can rejoin the communication group with the same identify.

Revoke group members: Assuming that a mobile node is captured by the attacker during \(s_j\), KDC immediately broadcasts an \(R_{rekeying}\) key update message to revoke the captured mobile node:

$$\begin{aligned} B_j \rightarrow all:\{R_{rekeying}\Vert R_j'\Vert U_j' \Vert \psi _j (x)\} \end{aligned}$$

When the non-revoked mobile node receives the \(R_{rekeying}\) message, it will compute the new session key \(SK_j'\). Noted that when the mobile node is revoked during the session, the non-revoked mobile node does not reset the timer.

3.5 Self-healing Mechanism

Suppose mobile node \(u_i\) whose lifetime is from \(s_{j_1}\) to \(s_{j_2}\) receives broadcast message \(B_{j_1}\) in \(s_{j_1}\) and broadcast message \(B_{j_2}\) in \(s_{j_2 }\), but not message \(B_j\) for \(s_j\), where \(1\le j_1<j<j_2\le m\), \(u_i\) can recover the lost session key \(SK_j\) as follows:

Firstly, \(u_i\) can obtain \(fk^j\) and \(bk^j\) as a non-revoked mobile node.

Secondly, \(u_i\) can recover \(sh_{j_1}\) as a non-revoked mobile node, then \(u_i\) can recover \(sh_j\) as follows: If there is no mobile node is revoked from \(s_{j_1}\) to \(s_{j_2}\), \(u_i\) repeatedly applies the hash function \(H_1(x)\) on \(sh_{j_1}\) to obtain the self-healing hash value \(sh_j\). Otherwise, \(u_i\) still can recover \(sh_j\). For example, suppose there is a mobile node is revoked in \(s_{j'}\), where \(j_1<j'<j<j_2\), \(u_i\) can recover the self-healing hash value \(sh_{j'}^{'}\) according to the recovery polynomial \(\psi _{j'}(x)\) in broadcast message \(B_{j_2}\). Then, \(u_i\) repeatedly applies the hash function \(H_1 (x)\) on \(sh_{j'}^{'}\) to obtain \(sh_j\).

Thirdly, \(u_i\) computes the lost session key \(SK_j=fk^j+sh_j\times bk^j\).

3.6 Re-initialization Mechanism

If the lifetime of the communication group ends, the group must re-initialize and assign the key materials for all legal mobile nodes.

4 Security Analysis

Theorem 1:

The scheme is a session key with privacy and achieves self-healing with revocation capability.

Proof:

(1) The scheme is a session key with privacy: For a non-revoked mobile node \(u_i\) in \(s_j\), the \(SK_j\) is determined by \(fk^j\), \(bk^j\) and \(sh_j\). \(fk^j\) is assigned to the non-revoked mobile node when the node joins the communication group. \(bk^j\) can only be recovered by non-revoked mobile nodes at the beginning of each session. Even if a revoked mobile node obtain \(fk^j\) and \(bk^j\), \(sh_j\) will be updated immediately when a mobile node is revoked, such that the revoked cannot recover \(sh_j\). Thus, it is impossible for any mobile node to obtain the session key only by \(fk^j\) and \(bk^j\) or only by \(sh_j\).

  1. (2)

    Self-healing: As described in Sect. 3.5, a non-revoked mobile node can recover the lost session key by the self-healing hash value and the recovery polynomial.

  2. (3)

    Revocation capability: In the scheme, the session key is updated in two ways, one is to update periodically, and the other is to update when the mobile node is revoked. The periodic update prevents the session key from being cracked because it uses time too long. The dynamic revocation mechanism ensures that the revoked mobile node is removed from the communication group in time to avoid further damage to the system. Let R be the set of all mobile nodes revoked in and before \(s_j\). For a mobile node \(u_i\in R\), because the access polynomial \(v_j(u_i)\) is always zero, \(u_i\) cannot recover \(bk^j\) from the broadcast polynomial \(b_j(u_i)\), moreover, once the mobile node \(u_i\) is revoked, the self-healing hash value \(sh_j\) will replace by a random value \(sh_j'\), \(u_i\) cannot obtain \(sh_j'\). Because \(u_i\) cannot obtain \(bk^j\) and \(sh_j'\), it is infeasible for \(u_i\) to recover the session key \(SK_j\).

Theorem 2:

The scheme achieves forward security and backward security.

Proof:

(1) Forward security: Let R be the set of all mobile nodes revoked in and before \(s_k\). Consider a mobile node \(u_i\in R \), whose lifetime is from \(s_{start}\) to \(s_{end}\). We can analyze the forward security in two scenarios:

\(s_{start}<s_k\le s_{end}\), which signifies that \(s_k\) in the lifetime of \(u_i\), and \(u_i\) can obtain \(fk^k\). If \(u_i\) is revoked before \(s_k\), \(u_i\) cannot recover \(bk^k\) and \(sh_k\), so \(u_i\) cannot recover \(SK_k\). If \(u_i\) is revoked in \(s_k\), \(u_i\) can recover \(bk^k\), but \(sh_k\) will be replaced by a new random value \(sh_k'\) when \(u_i\) is revoked, \(u_i\) cannot recover \(sh_k'\), so \(u_i\) cannot recover \(SK_k\).

\(s_k>s_{end}\), in this case \(u_i\) could only obtain \(fk^k\) and cannot recover \(bk^k\) and \(sh_k\). Thus \(u_i\) cannot recover \(SK_k\). As a result, the scheme achieves forward security.

  1. (2)

    Backward security: Suppose \(u_i\) joins the communication group in \(s_j\), for \(s_k<s_j\), \(u_i\) could only recover \(bk^k\), and cannot obtain \(fk^k\) and \(sh_k\). Moreover, even if holds the broadcast message corresponding to \(s_k\), it cannot compute the mask polynomial \(h(u_i,fk^k)\). Thus \(u_i\) cannot recover \(SK_k\). As a result, the scheme achieves backward security.

Theorem 3:

The scheme resists collusion of revoked mobile nodes and newly joined mobile nodes.

Proof:

Suppose the mobile node \(u_i\) is revoked in \(s_i\) and the mobile node \(u_j\) join the group in \(s_j\), where \(s_i<s_j\). \(u_i\) and \(u_j\) can collude to obtain the value of DDHC from \(s_i\) to \(s_j\). The self-healing hash chain is a forward hash chain in the scheme, \(sh_i\) will be replaced by a new random value \(sh_i'\) when \(u_i\) is revoked, subsequent self-healing hash value will be computed with \(sh_i'\), that is \(sh_j=H_1^{j-i} (sh_i')\). It is computationally infeasible to compute \(sh_{j-1}\) even if it obtains \(sh_j\). Therefore, even if the revoked mobile node in collusion with the newly joined mobile node, they cannot obtain session keys more than their lifetime. As a result, the scheme resists the collusion of revoked mobile nodes and newly joined mobile node.

5 Performance analysis

In order to evaluate the performance of the proposed scheme, we will compare with the communication overhead and storage overhead between our scheme and the previous self-healing key distribution schemes based on hash chain. The comparison results are shown in Table 1. The storage overhead of a non-revoked mobile node with the lifetime from \(s_i\) to \(s_j\) is shown in Table 2, and the total storage overhead of a non-revoked mobile node is \((t+4)\ log\ q\) bits.

At the session \(s_j\), the broadcast message \(B_j\) consists of t-degree broadcast polynomial \(b_j(x)\), v t-degree recovery polynomials \(\psi _{j'}(x)\), set \(U_j\) and the revocation set R. The communication overhead of the set \(U_j\) and the revocation set R can be ignored because the mobile node identify can be selected from a small finite field \(\mathbb {F}_q\). Therfore, The total communication overhead of our scheme is \((v+1)(t+1)\ log\ q\) bits, where \(0\le v<j\le m\).

According to the Table 1, the scheme 3 of [5] is better than our scheme in term of storage overhead and communication overhead, however, the scheme 3 of [5] can not resist the collusion of newly joined user and revoked users whose lifetimes do not expire and the users in the scheme can not be revoked during a session. Although the scheme of [2, 7] have the revocation capability, they can only resist the collusion of newly joined user and revoked users incompletely and the users in these two schemes can not be revoked during a session. The scheme of [12] has the revocation capability, but the users in the scheme can not be revoked during a session. From the comparison in Table 1, although the storage overhead and communication overhead of proposed scheme are slightly increased, only our scheme can revoke a user dynamically and resist collusion of newly joined user and revoked users no matter whether their lifetimes expire or not.

Table 1. Comparison of self-healing key distribution schemes based on hash chains
Full size table
Table 2. Storage overhead of key material
Full size table

6 Conclusion

A self-healing group key distribution scheme with dynamic revocation and collusion resistance is proposed in this paper. The scheme based on DDHC to ensure the forward security and backward security of session key. For the problem of packet loss, the scheme introduces a self-healing hash chain to ensure that the non-revoked mobile node can recover the lost session key. At the same time, the scheme has a small storage overhead and communication overhead and can be applied to resource-constrained MANET communication.