Sage Journals: Discover world-class research

Abstract

Security supports are a significant factor in the design of security system in ad hoc networks. It is particularly important to protect the identities of individual nodes to avoid personal privacy concerns. In this paper, we propose a security system for ID-based anonymous cluster-based MANETs to protect the privacy of nodes. Moreover, we propose a threshold signature scheme without pairing computations, which diminishes the computation load on each node. To the best of our knowledge, our proposed security system is the first in which the pseudonym is combined with cluster-based mobile ad hoc networks (MANETs) without a trusted entity. According to our protocol analysis, our proposal satisfies most properties for an anonymous security system and effectively copes with dynamic environments with greater efficiency by using secret sharing schemes. Therefore, it could be usefully applied to preserve privacy in dynamic MANETs without a trusted entity, such as military battlefields, emergency areas, mobile marketplaces, and vehicular ad hoc networks (VANETs).

1. Introduction

MANETs support communications in situations involving temporary self-organization and infrastructure-less situations, such as battlefields, disaster relief situations, and emergency rescue areas [1]. Recently, MANETs have been extended to intelligent transport systems, often called VANETs. However, MANETs are subject to various types of attacks because of the wireless and infrastructure-less environments in which they are used. Moreover, these network structures make it difficult to apply the certificate-based public key cryptosystem (CBC) to meet the requirements of the certificate authority (CA). As a powerful alternative to the CBC, the identity-based cryptosystem (IBC) proposed by Shamir [2] has been gaining momentum in recent years. It allows public keys to be derived from entities' known identity information, such as e-mail addresses, IP addresses, or codes, thus eliminating the need for public key distribution and certificates. In other words, a user's public key can be determined directly from his identifying information, rather than having to be extracted from a certificate issued by a CA.

However, a centralized public key generator (PKG) which generates a key pair for users in the IBC would obviously be easy to attack, and accessibility could not be guaranteed at all times for all participants in MANETs. To counter this, Boneh and Franklin [3] suggested spreading the PKG by means of distributed PKGs (D-PKGs), using threshold cryptography. Distribution of a signing key and CA functionality over multiple nodes using secret sharing and threshold cryptography is a possible solution to this problem. Most studies in cluster-based MANETs considering D-PKGs have been based on hierarchy topology structures, which classify the node into two types, namely, representative nodes, called clusterheads (CHs), and common nodes.

Furthermore, the threshold signature scheme in MANETs has attracted many researchers' attentions recently [4]. The threshold signature achieves the purpose for many individuals to cooperatively sign the same document. Some schemes with trusted party are proposed and applied to CBC-based networks [5], while these are unreasonable to MANETs where there are no infrastructure and control administration. Therefore, the threshold signature scheme is necessary for secure message transmission in MANETs. A recent research on cluster-based MANETs has sought to address the privacy problem [6] and threshold signature schemes [7], but research on anonymous threshold signature schemes in cluster-based MANETs has been insufficient.

This paper proposes a security system for ID-based anonymous cluster-based MANETs to protect the privacy of nodes. Moreover, we propose a threshold signature scheme without pairing computation, which diminishes the computation load on each node in comparison with existing schemes. The major contributions of this study are summarized as follows. (i)

Security of a cluster key distribution scheme and key agreement scheme. We propose a secure cluster key distribution scheme and a key agreement scheme with anonymity for cluster-based MAENTs. Cluster key distribution scheme ensures that the compromise of an arbitrary number of nodes outside the target cluster does not jeopardize the secrecy of noncompromised nodes. Key agreement scheme also ensures secure communication between nodes in intra- and interclusters.

(ii)

Consideration of threshold signature without pairing computation. Our threshold signature supports threshold signature. Comparing to existing threshold signatures, we diminish the computation load on signing nodes and a verification node; instead, CHs aid signature verification process. Thus, our threshold signature is suitable for the distributed PKGs architecture or the cluster-based network architecture.

(iii)

Protection of personal privacy. Our schemes support entity anonymity. Only the entities especially of the matched session can know the identity of others with whom they are in communication. For instance, CHs could be dealers, and common nodes could be purchasers when considering temporary established mobile markets. It is no needed to hide the CHs' identity because every purchaser should recognize CHs as dealers and their information; therefore, identities of CHs are not quite important. Besides, the information of purchasers is much attractive to adversaries because the information could be abusable commercially and criminally.

The rest of the paper is organized as follows. In Section 2, we present preliminaries, and the system model is presented in Section 3. In Section 4, we describe ID-based anonymous cluster-based MANETs, and the threshold signature is discussed in Section 5. Finally, we analyze the proposed scheme in Section 6 and conclude our findings in Section 7.

2. Preliminaries

In this section and we present notations, then define the cryptographic system and primitives used as building blocks in our security system.

2.1. Notations

Table 1 lists some important notations whose concrete meanings will be further explained where they appear for the first time.

Table 1

Notations.

$𝔾_{1}, 𝔾_{2}$	Cyclic groups of order q
$\hat{e}$	Pairing s.t. $\hat{e} : 𝔾_{1} \times 𝔾_{1} \to 𝔾_{2}$
P	Generator of $𝔾_{1}$
$C H_{j} / I D_{A}$	Network ID of clusterhead j/common node A
$P S_{A}$	Pseudonym of $I D_{A}$
$S_{j} / Q_{j}$	Private/public key pair of clusterhead $C H_{j}$
$S_{A} / Q_{A}$	Private/public key pair of common node $I D_{A}$
$S_{P S_{A}} / Q_{P S_{A}}$	Private/public key pair of pseudonym $P S_{A}$
U	Maximum update phase index
$K_{m}$	Cluster key at m-th update phase
$g_{m} (x)$	Polynomial for cluster key $K_{m}$ at m-th update phase
$f_{m}^{C H_{j}} (x)$	Polynomial of $C H_{j}$ at m-th update phase
$v_{M}^{C H_{j}} (x)$	Verifying polynomial of $C H_{j}$ for message M
$(t, n)$	Secret sharing parameters for $g_{m} (x)$
$(t_{1}, n_{1})$	Secret sharing parameters for $f_{m}^{C H_{j}} (x)$
$H_{0}$	Mapping ${0,1}^{} \to ℤ_{p}^{}$
$H_{1}$	Mapping ${0,1}^{*} \to 𝔾_{1}$
$H_{2}$	Mapping $ℤ_{p}^{} \to {0,1}^{}$
$H_{3}$	Mapping $𝔾_{1} \to ℤ_{p}^{*}$
$HMA C_{K} (M)$	Hash message authentication code of message M with key K

2.2. ID-Based Cryptography

Let $p, q$ be two large primes, and let $E / 𝔽_{p}$ indicate an elliptic curve $y^{2} = x^{3} + a x + b$ over the finite field $𝔽_{p}$ . We denote by $𝔾_{1}$ a q-order subgroup of the additive group of points of $E / 𝔽_{p}$ and by $𝔾_{2}$ a q-order subgroup of the multiplicative group of the finite field $𝔽_{p^{2}}^{*}$ . The discrete logarithm problem (DLP) is required to be hard in both $𝔾_{1}$ and $𝔾_{2}$ . For us, a pairing is a map $\hat{e} : 𝔾_{1} \times 𝔾_{1} \to 𝔾_{2}$ with the following properties. (i)

Bilinear: for all $P, Q, R, S \in 𝔾_{1}$ ,

$\hat{e} (P + Q, R + S) = \hat{e} (P, R) \hat{e} (P, S) \hat{e} (Q, R) \hat{e} (Q, S)$ .

Consequently, for all $a, b \in ℤ_{q}^{*}$ , we have

$\hat{e} (a P, b Q) = \hat{e} (a P, Q)^{b} = \hat{e} (P, b Q)^{a} = \hat{e} (P, Q)^{a b}$ and so forth.

(ii)

Nondegenerate: if P is a generator of $𝔾_{1}$ , then $\hat{e} (P, P) \in 𝔽_{q^{2}}^{*}$ is a generator of $𝔾_{2}$ .

(iii)

Computable: there is an efficient algorithm to compute $\hat{e} (P, Q)$ for all $P, Q \in 𝔾_{1}$ .

Note that $\hat{e}$ is also $s y m m e t r i c$ , that is, $\hat{e} (P, Q) = \hat{e} (Q, P)$ , for all $P, Q \in 𝔾_{1}$ , which follows immediately from the bilinearity and the fact that $𝔾_{1}$ is a cyclic group. Modified Weil [3] and Tate [8] pairings are examples of such bilinear maps for which the bilinear Diffie-Hellman problem (BDHP) is believed to be hard.

Definition 1 (bilinear Diffie-Hellman (BDH) problem).

The BDH problem for a bilinear pairing $\hat{e} : 𝔾_{1} \times 𝔾_{1} \to 𝔾_{2}$ is defined as follows: given $P, x P, y P, z P \in 𝔾_{1}$ , where $x, y, z$ are random numbers from $ℤ_{p}^{*}$ , compute $\hat{e} (P, P)^{x y z} \in 𝔾_{2}$ .

Definition 2 (decisional Bilinear Diffie-Hellman (DBDH) problem).

The DBDH problem for a bilinear pairing $\hat{e} : 𝔾_{1} \times 𝔾_{1} \to 𝔾_{2}$ is defined as follows: given $P, x P, y P, z P \in 𝔾_{1}$ , where $x, y, z$ are random numbers from $ℤ_{p}^{*}$ and $W \in 𝔾_{2}$ that determine if $\hat{e} (P, P)^{x y z} = W$ (if it holds), then the tuple $〈 P, x P, y P, z P, W 〉$ is called a BDH tuple.

2.3. Threshold Schemes Based on Secret Sharing

2.3.1. Shamir's $(t, n)$ -SS

In Shamir's $(t, n)$ -SS [9], based on a Lagrange interpolating polynomial, there are n shareholders $𝒰 = {𝒰_{1}, \dots, 𝒰_{n}}$ and a mutually trusted dealer D. The scheme consists of two algorithms. (1)

Share generation algorithm: dealer D does the following:

(i)

dealer D first picks a polynomial $f (x)$ of degree $(t - 1)$ randomly: $f (x) = a_{0} + a_{1} x + \dots + a_{t - 1} x^{t - 1}$ in which the secret $K = a_{0} = f (0)$ and all coefficients $a_{0}, a_{1}, \dots, a_{t - 1}$ are in a finite field $𝔽_{p} = G F (p)$ with p elements,

(ii)

D computes all shares: $K_{i} = f (s_{i})$ (mod p) for $i = 1, \dots, n$ ,

(iii)

Then, D outputs a subset $Ω$ of size n, $(K_{1}, K_{2}, \dots, K_{n})$ , and distributes each share $K_{i}$ to corresponding shareholder $s_{i}$ privately.

(2)

Secret reconstruction algorithm: based on a Lagrange interpolation, any subset $A \subset Ω$ of size t can reconstruct the polynomial $f (x)$ as

\begin{matrix} f (x) = \sum_{i \in A} λ_{i} (x) K_{i} (\mod q), \end{matrix}

(1)

where

A = {1, \dots, t} \subseteq {1,2, \dots, n}

λ_{i} (x) = \prod_{j \in A ∖ i} ((s_{j} - x) / (s_{j} - s_{i})) ‍

is called a Lagrange coefficient. The secret K can be reconstructed by computing

f (0)

We note that the above scheme satisfies the basic security requirements of secret sharing schemes as follows: (1) with knowledge of a t or more than t shares, it can reconstruct the secret K easily; (2) with knowledge of fewer than $(t - 1)$ shares, it cannot reconstruct the secret K. Shamir's scheme is information theoretically secure since the scheme satisfies these two requirements without making any computational assumption. For more information on this scheme, readers can refer to the original paper [9].

3. System Model

We describe the network architecture and the security requirements.

3.1. Network Architecture

We divide the networks into several clusters to enhance the efficiency and availability. The clustering is a method that enables nodes to be organized on the basis of their relative proximity to one another. We envision a cluster-based MANETs consisting of n CHs without any prior contact, trust, or authority relation. In each cluster, one distinguished node, the CH, is responsible for establishing and managing the cluster. The size of the network may change dynamically according to the efficiency and the security. Let us consider an ad hoc network with n CHs that are selected to enable secure and robust pseudonym generation. We assume that compromised CHs will eventually exhibit detectable misbehavior. Studies [10, 11] discussed ways to detect the misbehavior of nodes or intrusions in detail.

Our schemes work securely and properly on the assumption, which is similar to assumptions made in [12–14], that adversaries compromise no more than $(t - 1)$ out of n CHs in a given time period. In practice, it is hard to compromise, in a given time period, t CHs, which are more secure and powerful than common nodes and are geographically distributed over a wide area. In terms of nodes' ability, we also assume that CHs have more computation and communication power than common nodes. More precisely, CHs have an additional powerful radio to establish wireless links among themselves and strong resistance against malicious attacks.

Figure 1(a) illustrates the basic network architecture of our security system for cluster setup and pseudonym generation. CHs have secret sharing $g_{m} (C H_{j})$ generated by a PKG before implementation. CHs can generate polynomials $g_{m} (x)$ when at least t CHs collaborate in the secret reconstruction algorithm. The CHs that reconstruct $g_{m} (x)$ have the same cluster key, $K_{m}$ . This cluster key is periodically updated according to the update phase. Using the same cluster key, CHs generate their own polynomial $f_{m}^{C H_{j}} (x)$ , called the respective polynomial later. Finally, common nodes in each cluster register and receive a pair of pseudonym from their CHs. We only consider the privacy of common nodes.

Figure 1

Network Architectures.

Figure 1(b) illustrates the threshold signature generation process in a cluster. Nodes that are member of the same cluster and try to send the same message generate a threshold signature and send the message with a threshold signature to a verifier and the CH. Then, the CH checks the validity of messages and signatures and generates and sends additional points to a verifier. Finally, a verifier checks the validity of signatures.

3.2. Security Requirements

We define security requirements for our anonymous security system. (1)

Privacy: private information, such as the node's identity and location, should be protected against malicious adversaries. Formally, given two sets of legitimate identities, $I D_{0}$ and $I D_{1}$ , the adversary should not have any significant advantage in guessing $d = 0$ or $1$ for the pseudonym $P S_{d}$ .

(2)

Traceability: compromised nodes are identified, and the corresponding identity and pseudonym should be revoked to protect networks against further threats.

(3)

Nonmanipulation: no nodes or CHs can computationally manipulate a pseudonym from an identity.

(4)

Verifiability: from the signature, the verifier can be convinced of the signer.

(5)

Undeniability: once a signer creates a valid signature, he cannot repudiate the signature creation.

(6)

Unforgeability: no nodes can forge a signature; it can only be replicated by the signer who creates it.

4. Anonymous Cluster-Based MANETs

4.1. System Setup

It is reasonable to assume that a trusted PKG could bootstrap the network, which itself is not a part of the resulting network. The basic operations consist of generating pairing parameters, private keys, and secret sharing. (a)

Generation of the pairing parameters $(p, q, \hat{e})$ : to bootstrap the network, the PKG does the following.

(i)

Generation of pairing parameters $(p, q, \hat{e})$ . It selects an arbitrary generators $s \in ℤ_{q}^{*}$ as its private key.

(b)

Generation of secret sharing for cluster key: to generate secret sharing for cluster key, the PKG does the following.

(i)

It submits identity information. A CH submits its identity information, $C H_{j}$ , where $(1 \leq j \leq n)$ , to PKG.

(ii)

It chooses cluster key. The PKG selects an arbitrary cluster keys $K_{m} \in ℤ_{q}^{*}$ , where $(1 \leq m \leq U)$ .

(iii)

It determines polynomials of degree $(t - 1)$ . The PKG determines random polynomials, $g_{m} (x) = K_{m} + \sum_{i = 1}^{t - 1} ‍ a_{i} x^{i}$ (mod q).

(iv)

It performs $(t, n)$ -SS of $K_{m}$ . The PKG computes $c h_{j} = H_{0} (C H_{j})$ and secret sharing of $g_{m} (x)$ : $g_{m} (c h_{j})$ .

(v)

Parameters U, $g_{m} (c h_{j})$ are preloaded to each $C H_{j}$ securely.

(c)

Generation of CH's ID-based private keys: to hand out CH's private key, the PKG does the following.

(i)

It submits identity information. A CH submits its identity information, $C H_{j}$ , to PKG.

(ii)

It computes key pairs. The PKG computes a public/private key pairs: $Q_{j} = H_{1} (C H_{j})$ and $S_{j} = s H_{1} (C H_{j})$ , $(1 \leq j \leq n)$ .

(iii)

Parameters $(p, q, G_{1}, G_{2}, \hat{e}, P, H_{0}, H_{1}, H_{2}, H_{3})$ and key pairs $(Q_{j}, S_{j})$ are preloaded to each $C H_{j}$ securely.

(d)

Generation of common nodes' ID-based private keys: to hand out node's private key, the PKG does the following.

(i)

It submits identity information. A common node submits its identity information, $I D_{A}$ , to PKG.

(ii)

It computes key pairs. The PKG computes a public/private key pairs: $Q_{A} = H_{1} (I D_{A})$ and $S_{A} = s H_{1} (I D_{A})$ , $(1 \leq j \leq n_{1})$ .

(iii)

Parameters $(p, q, G_{1}, G_{2}, \hat{e}, P$ , $H_{0}, H_{1}, H_{2}, H_{3})$ and key pairs $(Q_{A}, S_{A})$ are preloaded to each $I D_{A}$ securely.

Due to the difficulty of solving the DLP in $G_{1}$ , it is computationally infeasible to derive the network master secrets s from an arbitrary number of private keys. This means that no matter how many key pairs adversaries acquire from compromised nodes, they cannot deduce the private key of any noncompromised node. Colluding CHs (no more than $(t - 1)$ out of n in a given time period) cannot compute a cluster key.

4.2. Cluster Setup

Cluster-based MANETs work without the help of PKG after completing the system setup. Instead of a PKG, CHs play this role using their secret sharing. In our security system, to provide security services to networks, each CH first generates respective polynomials, that cover within a cluster and a group secret key. Then, the CHs establish a secure channel with CHs or nodes to forward them. Secure channels are generated using their initial key pairs. Secure channels between CHs or between a CH and a node are established by the noninteractive key agreement scheme as follows:

\begin{array}{l} D_{A B} = \hat{e} (Q_{B}, S_{A}) \\ = \hat{e} {(H_{1} (I D_{B}), H_{1} (I D_{A}))}^{s} = \hat{e} (S_{B}, Q_{A}) = D_{B A}, \\ k_{A B} = H_{2} (D_{A B}) . \end{array}

(2)

Here, A, B can be a node or a CH. Using this channel, CHs first authenticate nodes and other CHs and then forward respective polynomials and a group secret key. Respective polynomials are for cluster reconfiguration, and the group secret key is for establishing secure channels with pseudonyms. Generation of respective polynomials is carried out as follows.

(1)

Generate respective polynomials $f_{m}^{C H_{j}} (x)$ : to generate respective polynomials, CHs must reconstruct the polynomial $g_{m} (x)$ first. To reconstruct polynomials, $g_{m} (x)$ , and generate respective polynomials, $f_{m}^{C H_{j}} (x)$ , CHs do the following.

(a)

Pooling secret sharing. Every CH shares their secret sharing, $g_{m} (c h_{j})$ .

(b)

Performing secret reconstruction algorithm. Each CH reconstructs the polynomial $g_{m} (x)$ and computes cluster key $K_{m}$ :

\begin{matrix} g_{m} (x) = \sum_{j \in A} λ_{j} (x) g_{m} (c h_{j}) (\mod q), \end{matrix}

(3)

where

A = {1, \dots, t} \subseteq {1,2, \dots, n}

λ_{j} (x) = \prod_{k \in A ∖ j} ‍ ((c h_{k} - x) / (c h_{k} - c h_{j}))

is called a Lagrange coefficient. The secret

K_{m}

can be reconstructed by computing

g_{m} (0)

(c)

Generating respective polynomials of degree $(t_{1} - 1)$ . Each CH randomly generates a polynomial $f_{m}^{C H_{j}} (x) = K_{m} + \sum_{i = 1}^{t_{1} - 1} ‍ b_{i} x^{i}$ (mod q). Each CH could change the polynomial by switching coefficients $b_{0}, b_{1}, \dots, b_{t_{1} - 1}$ arbitrarily.

To avoid cryptanalysis and malfunction of CHs, frequent key updates are needed. Our key update schemes consist of two parts: one is an update of the cluster key, and the other is the respective polynomial. The cluster keys, $K_{m}$ , are refreshed periodically at a predefined time interval using secret sharing $g_{m} (c h_{j})$ , where $(0 \leq m \leq U$ , $1 \leq j \leq n)$ . The cluster key update can enhance the security level of the network. Intact CHs reject secret sharing of compromised CHs and, as a result, are isolated from the networks. Furthermore, pseudonyms also could be updated consistently regardless of the cluster key update. Each CH can generate different pseudonyms with the same identity by changing a polynomial $f_{m}^{C H_{j}} (x)$ of its choice by replacing $b_{i}$ with $c_{i}, d_{i}, \dots$ .

4.3. Generation of Pseudonyms

Pseudonym generation is an essential process to provide privacy of each node. Figure 1(a) shows a scenario of pseudonym generation process. Initial pseudonym generation starts when the registered nodes on the PKG try to get a pseudonym from an adjacent CH. The CH generates pseudonyms for common nodes within a cluster using its respective polynomial. Pseudonyms and secret sharing are generated as follows. (1)

Generation of pseudonyms and key pair: to generate pseudonyms, CHs do the following.

(a)

Performing $(t_{1}, n_{1})$ -SS of $K_{m}$ to generate pseudonyms. Each CH computes $i d_{A} = H_{0} (I D_{A})$ and secret sharing of $f_{m}^{C H_{j}} (x)$ : $P S_{A} = f_{m}^{C H_{j}} (i d_{A})$ , where $(1 \leq A \leq n_{1})$ .

(b)

Computing key pairs. Each CH computes a public/private key pairs: $Q_{P S_{A}} = P S_{A} K_{m} P$ and $S_{P S_{A}} = P S_{A}$ .

(c)

Recording pseudonyms. Each CH records the identities and the pseudonyms with the corresponding key pairs at the pseudonym lookup table (PLT).

(d)

Forwarding pseudonyms, key pairs, and group secret key to corresponding nodes. CHs forward pseudonyms to nodes, respectively, using a secure channel.

Other CHs cannot know pseudonyms from public keys of nodes even though they have knowledge of cluster key $K_{m}$ because of the hardness of DLP in $G_{1}$ . Using the pseudonym key pair, common nodes establish a secure channel by the noninteractive key agreement scheme as follows:

\begin{matrix} D_{A B} = \hat{e} (Q_{P S_{B}}, S_{P S_{A}} P) = \hat{e} (Q_{P S_{A}}, S_{P S_{B}} P) = \hat{e} {(P, P)}^{P S_{A} P S_{B} K_{m}}, \\ k_{A B} = H_{2} (D_{A B}) . \end{matrix}

(4)

For noninteractive key agreement between a CH and a node, each CH randomly chooses

r \in ℤ_{q}^{*}

and computes a temporary public key as

f_{m}^{C H_{k}} (r) K_{m} P

then publishes it.

5. Threshold Signature in Anonymous Cluster-Based MANETs

We propose an anonymous threshold signature. The proposed scheme involves five roles: a clusterhead (CH), a set of members $ℳ = {M_{1}, \dots, M_{t_{1}}}$ in a cluster (where $M_{t_{1}}$ is the identity of the ith $(1 \leq i \leq t_{1})$ member), a set of signer $𝒮 = {S_{1}, \dots, S_{t_{2}}}$ (where 𝒮 is a subset of ℳ and $S_{t_{2}}$ is the identity of the jth $(1 \leq j \leq t_{2})$ member), and a verifier V. (1)

Generate threshold signature: to generate a threshold signature regarding message M, a number of $t_{2}$ nodes among the members of ℳ perform the following steps.

(a)

Requesting threshold generation. The initiator, one of signers, sends a threshold generation request to the CH with a list of signers as ${T S_{1}, \dots, T S_{t_{2}}}$ .

(b)

Sending tokens. The CH chooses an arbitrary tokens $T_{A} \in ℤ_{q}^{*}$ , where $(1 \leq A \leq t_{2})$ , and sends them to corresponding signers securely.

(c)

Generating signature. Then, each signer generates a signature: $Si g_{P S_{A}} = H_{0} (M) \cdot S_{P S_{A}}$ and computes with a corresponding token: $T \cdot Si g_{P S_{A}} = T_{A} \cdot Si g_{P S_{A}}$ .

(d)

Sending the signature and a pseudonym public key. Each node sends the message tuple to the verifier V and the $C H_{j}$ :

\begin{matrix} (M, Q_{P S_{A}}, Q_{P S_{V}}, T  \cdot  Si g_{P S_{A}},  HMA C_{P S_{A}} (M, Q_{P S_{V}}, T  \cdot  Si g_{P S_{A}})), \end{matrix}

(5)

(2)

Generate a verifying polynomial: to check the validity of signatures, the $C H_{j}$ performs the following steps:

(a)

Check the validity of a set of messages. The $C H_{j}$ searches corresponding pseudonyms with pseudonym public keys using the pseudonym lookup table (PLT) and then checks the validity of HMAC respectively.

(b)

Checking the validity of signatures. The $C H_{j}$ recovers signatures $Si g_{P S_{A}}$ from $T \cdot Si g_{P S_{A}}$ using corresponding tokens and generates additional $(t_{1} - t_{2})$ points on $H_{0} (M) \cdot f_{m}^{C H_{j}} (x)$ . Then, it performs a secret reconstruction algorithm using $t_{2}$ received signatures and $(t_{1} - t_{2})$ generated additional points. The reconstruction algorithm is as follows:

\begin{array}{l} H_{0} (M) \cdot f_{m}^{C H_{j}} (x) = \sum_{i \in N} λ_{i} (x) Y_{i} (\mod q), \\ Y_{i} = {\begin{cases} Si g_{P S_{i}}, & (1 \leq i \leq t_{2}), \\ H_{0} (M) \cdot P S_{i}, & (t_{2} + 1 \leq i \leq t_{1}), \end{cases} \end{array}

(6)

where

N = {1, \dots, t_{1}}

λ_{i} (x) = \prod_{j \in N ∖ i} ‍ ((i d_{i} - x) / (i d_{j} - i d_{i}))

is called a Lagrange coefficient. If the reconstructed polynomial has

H_{0} (M) \cdot K_{m}

(x = 0)

, the

C H_{j}

accepts signatures as valid.

(c)

Generating a verifying polynomial. If all messages and signatures are valid, the $C H_{j}$ generates an extra polynomial as follows:

(i)

generating a verifying-polynomial. The $C H_{j}$ generates $v_{M}^{C H_{j}} (x)$ of degree $t_{2}$ which passes points $(i d_{A}, T \cdot Si g_{P S_{A}})$ where $(1 \leq A \leq t_{2})$ and the point $(i d_{V}, H_{0} (M) \cdot P S_{V})$ .

(ii)

generating points. The $C H_{j}$ generates additional points $(P_{1}, \dots, P_{t_{2}}) = ((x_{1}, y_{1}), \dots, (x_{t_{2}}, y_{t_{2}}))$ on the verifying-polynomial and then sends the tuple to the verifier V:

\begin{array}{l} (T \cdot Si g_{P S_{1}}, \dots, T \cdot Si g_{P S_{t_{2}}}, P_{1}, \dots, P_{t_{2}}, \\ HMA C_{P S_{V}} (v_{M}^{C H_{j}} (0), T \cdot Si g_{P S_{1}}, \dots, T \cdot Si g_{P S_{t_{2}}}, P_{1}, \dots, P_{t_{2}})) . \end{array}

(7)

(3)

Generate verification: to check the validity of a signature, the verifier does the following.

(a)

Performing secret reconstruction algorithm. The verifier performs a secret reconstruction algorithm using points $(P_{1}, \dots, P_{t_{2}})$ and the point $(i d_{V}, H_{0} (M) \cdot P S_{V})$ . The verifying polynomial can be reconstructed as follows:

\begin{array}{l} v_{M}^{C H_{j}} (x) = \sum_{i \in N_{1}} λ_{i} (x) Z_{i}, (\mod q), \\ Z_{i} = {\begin{cases} P_{i}, & (1 \leq i \leq t_{2}), \\ H_{0} (M) \cdot P S_{i}, & (i = V), \end{cases} \end{array}

(8)

where

N_{1} = {1, \dots, t_{2}, V}

λ_{i} (x) = \prod_{j \in N ∖ i} ((i d_{i} - x) / (i d_{j} - i d_{i})) ‍

is called a Lagrange coefficient.

(b)

Checking the validity of HMAC. The verifier checks the validity of HMAC using received $t_{2}$ points and generated $v_{M}^{C H_{j}} (0)$ . If HMAC is correct, the verifier identifies signatures as valid.

6. Analysis

In this section, we provide analysis of our system with respect to correctness, performance, and security.

6.1. Correctness

Note that

\begin{matrix} f_{m}^{C H_{j}} (x) = K_{m} + \sum_{i = 1}^{t_{1} - 1} ‍ b_{i} x^{i} = \sum_{i = 1}^{t_{1} - 1} ‍ λ_{i} (x) P S_{i}, \\ Si g_{P S_{i}} = H_{0} (M) \cdot S_{P S_{i}} = H_{0} (M) \cdot P S_{i}, \end{matrix}

(9)

where

P S_{i}

is the secret sharing of

K_{m}

Therefore, a CH can verify the validity of each signature as follows:

\begin{array}{l} \sum_{i \in N} ‍ λ_{i} (x) Y_{i} = \sum_{i = 1}^{t_{2}} ‍ λ_{i} (x) Si g_{P S_{i}} + \sum_{i = t_{2} + 1}^{t_{1}} ‍ λ_{i} (x) H_{0} (M) P S_{i} \\ = H_{0} (M) \cdot {\sum_{i \in N} ‍ λ_{i} (x) P S_{i}} \\ = H_{0} (M) \cdot f_{m}^{C H_{j}} (x), \\ H_{0} (M) \cdot f_{m}^{C H_{j}} (0) = H_{0} (M) \cdot K_{m} . \end{array}

(10)

The verifier also can check the validity of threshold signature as above, similarly, because $v_{M}^{C H_{j}} (x)$ passes a set of points $(P_{1}, P_{2}, \dots, P_{t_{2}})$ . The verifier can reconstruct the polynomial and find $v_{M}^{C H_{j}} (0)$ and, consequentially, check the validity of HMAC received from a CH.

6.2. Performance

This section presents our efficiency analysis. Table 2 compares our proposed schemes with other schemes. For simplicity, we omit private key distribution and secret sharing distribution process in comparison to computation load.

Table 2

Comparisons among other ID-based threshold signature schemes.

	[7]	[18]	[19]	Proposed scheme
Distributed PKG	∘	×	×	∘
Entity anonymity	×	×	×	∘
Cost of threshold signature
Cost of signature generation (for one signer)	$4 T_{P} + 3 t T_{E} + 2 T_{M_{1}} + 3 t T_{M_{2}}$	$T_{P} + t T_{E} + T_{M_{1}} + t T_{M_{2}}$	$2 T_{P} + 2 t T_{E} + (2 t + 2) T_{M_{1}} + 2 T_{M_{2}}$	$2 T_{M_{2}}$
Cost of signature validity check	$3 t T_{P} + t T_{M_{1}} + t T_{M_{2}}$ (for one signer)	$T_{P} + 2 t T_{E} + 2 t T_{M_{2}}$ (for one signer)	Include in signature generation	$(t^{2} + 1) T_{M_{2}}$ (for one CH)
Cost of signature verification (for the verifier)	$6 T_{P} + 2 T_{M} + 2 T_{S}$	$2 T_{P} + T_{E} + T + H$	$2 T_{P} + 2 T_{M_{1}}$	$(t^{2} - t) T_{M_{2}}$

∘ denotes the scheme, and considers the property; × denotes the scheme and does not consider the property; $T_{P}$ denotes that of one pairing operation; $T_{E}$ denotes that of one exponentiation operation; $T_{M_{1}}$ denotes that of scalar multiplication in $G_{1}$ ; $T_{M_{2}}$ denotes that of one scalar multiplication in $G_{2}$ ; t denotes that signing nodes.

Most schemes use pairing algorithm to generate and verify the signature except the proposed scheme. The pairing algorithm and the exponentiation generally consume heavy computation loads rather than scalar multiplications. Cao et al. [15] showed a pairing that consumes about double computation load with those of an exponentiation and three times computation load with those of scalar multiplication in $G_{1}$ . According to this experiment, our scheme is much lighter than previous threshold signature schemes. Moreover, our threshold scheme is comparable with existing threshold signatures in non-ID-based cryptosystem [16].

6.3. Security

6.3.1. Privacy

Our security system supports the anonymity of nodes using pseudonyms. In our proposed security system, every node does not reveal real identities after the pseudonym generation. An adversary cannot correctly match an identity with a pseudonym even though the identity and the pseudonym are released to them because of the hardness of DLP [17]. The pseudonym is in the form of $P S_{A} = f_{m}^{C H_{j}} (i d_{A})$ in the mth update phase for node A in cluster j. To match a real identity with a pseudonym, adversaries should reconstruct a polynomial $f_{m}^{C H_{j}} (x)$ . However, no malicious nodes at most number of $(t - 1)$ can reconstruct respective polynomials, although they have known about a cluster key $K_{m}$ because $(t_{1}, n_{1})$ -SS is information theoretically secure against at most $(t_{1} - 1)$ adversaries. Thus, as long as the CH does not reveal the respective polynomials, anonymity of each node is guaranteed.

6.3.2. Traceability

Each CH records the relation of the identity and the pseudonym of common nodes in its cluster at the PLT. Pseudonyms of compromised and revoked nodes are rejected from the PLT, and these nodes cannot be updated any more. Therefore, our system enables the tracing of violators when unlawful actions are notified to the CH, and they are eventually isolated from the network.

6.3.3. Nonmanipulation

Our proposed security system ensures nonmanipulation in case of at most ( $t - 1$ or $t_{1} - 1$ ) compromised nodes. Only the CH who has a respective polynomial can generate valid pseudonyms in a cluster, and no other nodes and CHs can do it. Secret sharing, $g_{m} (x)$ , is generated by $(t, n)$ -SS; therefore, no more than t CHs who are colluding can reconstruct $g_{m} (x)$ and learn $K_{m}$ ; and, to conclude, generate valid respective polynomials $f_{m}^{C H_{k}} (x)$ . Moreover, the respective polynomials generated by $(t_{1}, n_{1})$ -SS are used to generate pseudonyms. In conclusion, adversaries who know more than t secret sharing of $g_{m} (x)$ or more than $t_{1}$ secret sharing of $f_{m}^{C H_{k}} (x)$ can carry out manipulation; however, it is impractical. Thus, as long as (t or $t_{1}$ ) or more than (t or $t_{1}$ ) nodes and CHs are not colluding, non-manipulation is guaranteed.

6.3.4. Verifiability, Undeniability, and Unforgeability

The CH works as a subverifier in our threshold signature scheme by generating a verifying polynomial. From message tuples from signers, the CH can check the validity of signers. First, only valid and registered nodes could generate correct HMAC with its pseudonym. Second, the CH could verify signatures by reconstructing a polynomial $H_{0} (M) \cdot f_{m}^{C H_{j}} (x)$ . This polynomial returns a correct value $H_{0} (M) \cdot f_{m}^{C H_{j}} (0) = H_{0} (M) \cdot K_{m}$ when signatures are generated by signers who have a valid and registered pseudonym key pair. Finally, the reconstructed verifying polynomials generated by the CH and by the verifier return a same value, $v_{M}^{C H_{j}} (0)$ , when the CH satisfies two former conditions and has a valid pseudonym key pair of the verifier. Thus, verifiability is guaranteed if these conditions are acceptable. Undeniability and unforgeability are similarly guaranteed. The message containing the signature is in the form of $HMA C_{P S_{A}}$ . Unless the pseudonym is released, only the node A can generate valid HMAC; thus, it cannot deny the signature and others cannot forge it. Thus, undeniability and unforgeability are guaranteed.

6.3.5. Forward/Backward Secrecy

Our security system supports the forward/backward secrecy using key update scheme in case of at most ( $t - 1$ or $t_{1} - 1$ ) compromised nodes. The key update scheme regularly updates pseudonyms, and, consequently, pseudonym public/private key pairs of nodes also are updated along to the updated pseudonym. And there is no relation in past key pairs and update key pairs because CHs periodically change a polynomial $f_{m}^{C H_{j}} (x)$ or a cluster key $K_{m}$ . Therefore, although the updated private/public key pairs are exposed to adversaries, these do not affect past and future session keys.

7. Conclusions

Concerns for personal privacy and security in wireless environments are increasing rapidly as mobile devices are becoming more popular. Cluster-based MANETs are being seriously considered to pioneer new markets; however, there are urgent unresolved security problems. Fundamental aspects of security, such as authentication and signature, are challenging for secure security systems for cluster-based MANETs. In addition, the protection of personal privacy has become increasingly important as the wireless networks have become personal and popular; therefore, secure security system designs with anonymity are required for cluster-based MANETs.

In this paper, we presented a secure security system with anonymity for cluster-based MANETs and a threshold signature under practical assumptions. To the best of our knowledge, our proposed security system is the first in which the pseudonym is combined with cluster-based MANETs without a trusted entity. According to our protocol analysis, our proposed system satisfies most properties for an anonymous security system and successfully copes with dynamic environments with greater efficiency by using secret sharing schemes. We believe that the proposed system improves upon the security of previously proposed security systems, and that it is suitable for a wider variety of applications. It could be usefully applied to preserve privacy in dynamic MANETs without a trusted entity, such as military battlefields, emergency areas, mobile marketplaces, and privacy-preserving VANETs.

Footnotes

Acknowledgments

This paper was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2012R1A1A4A01002603) and was supported by the Kyungpook National University Research Fund, 2012.

References

Dutta

Dowling

Provably secure hybrid key agreement protocols in cluster-based wireless ad hoc networks

Ad Hoc Networks 2011 9 5 767 787

2-s2.0-79952575691

10.1016/j.adhoc.2010.08.021

Shamir

Identity-based cryptosystems and signature schemes

CRYPTO 84, LNCS 196 1985

New York, NY, USA

Springer

47 53

Boneh

Franklin

Identity-based encryption from the weil pairing

CRYPTO 01, LNCS 2139 2001

New York, NY, USA

Springer

213 229

Meng

A novel verifiable threshold signature scheme based on bilinear pairing in mobile ad hoc network

Proceedings of the IEEE International Conference on Information and Automation (ICIA ′12)

2012

IEEE

361 366

Takehana

Nishimura

Yosaki

Nagase

Yoshioka

Building trust among certificate management nodes in mobile ad-hoc network

Proceedings of the 26th International Conference on Advanced Information Networking and Applications Workshops (WAINA ′12)

2012

IEEE

564 568

Freudiger

Raya

Hubaux

J. P.

Self-organized anonymous authentication in mobile ad hoc networks

SecureComm 2009, LNICST 19 2009

New York, NY, USA

Springer

350 372

Chen

Zhang

Konidala

D. M.

Kim

New ID-based threshold signature scheme from bilinear pairings

INDOCRYPT 2004 2004

New York, NY, USA

Springer

371 383

Barreto

Kim

Bynn

Scott

Efficient algorithms for pairing-based cryptosystems

CRYPTO 02 2002

New York, NY, USA

Springer

354 369

Shamir

How to share a secret

Communications of the ACM 1979 22 11 612 613

2-s2.0-0018545449

10.1145/359168.359176

10.

Herzberg

Jarecki

Krawczyk

Yung

Proactive secret sharing or: how to cope with perpetual leakage

CRYPTO 95 1995

New York, NY, USA

Springer

339 352

11.

Zhang

Lee

Intrusion detection in wireless ad-hoc networks

Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (MOBICOM ′00)

August 2000

ACM

275 283

2-s2.0-0034546898

12.

Bechler

Hof

H. J.

Kraft

Pählke

Wolf

A cluster-based security architecture for ad hoc networks

Proceedings of the 23th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ′04)

March 2004

IEEE

2393 2403

2-s2.0-8344229909

13.

L. C.

Liu

R. S.

Securing cluster-based ad hoc networks with distributed authorities

IEEE Transactions on Wireless Communications 2010 9 10 3072 3081

2-s2.0-77957929278

10.1109/TWC.2010.080610.090759

14.

Zhang

Liu

Lou

Fang

Securing mobile ad hoc networks with certificateless public keys

IEEE Transactions on Dependable and Secure Computing 2006 3 4 386 399

2-s2.0-33751529199

10.1109/TDSC.2006.58

15.

Cao

Kou

A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges

Information Sciences 2010 180 15 2895 2903

2-s2.0-78049296439

10.1016/j.ins.2010.04.002

16.

Zhang

Cryptanalysis and improvement of a threshold proxy signature scheme

Computer Standards and Interfaces 2009 31 1 169 173

2-s2.0-54349105888

10.1016/j.csi.2007.11.002

17.

Harn

Lin

Authenticated group key transfer protocol based on secret sharing

IEEE Transactions on Computers 2010 59 6 842 846

2-s2.0-77951728980

10.1109/TC.2010.40

18.

Baek

Zheng

Identity-based threshold signature scheme from the bilinear pairings (extended abstract)

Proceedings of the International Conference on Information Technology: Coding Computing (ITCC ′04)

April 2004

IEEE

124 128

2-s2.0-3042597451

19.

Yuan

Zhang

Huang

Susilo

Zhang

Certificateless threshold signature scheme from bilinear maps

Information Sciences 2010 180 23 4714 4728

2-s2.0-77956612141

10.1016/j.ins.2010.07.021

Anonymous Cluster-Based MANETs with Threshold Signature

Abstract

1. Introduction

2. Preliminaries

2.1. Notations

2.2. ID-Based Cryptography

Definition 1 (bilinear Diffie-Hellman (BDH) problem).

Definition 2 (decisional Bilinear Diffie-Hellman (DBDH) problem).

2.3. Threshold Schemes Based on Secret Sharing

2.3.1. Shamir's ( t , n ) -SS

3. System Model

3.1. Network Architecture

3.2. Security Requirements

4. Anonymous Cluster-Based MANETs

4.1. System Setup

4.2. Cluster Setup

4.3. Generation of Pseudonyms

5. Threshold Signature in Anonymous Cluster-Based MANETs

6. Analysis

6.1. Correctness

6.2. Performance

6.3. Security

6.3.1. Privacy

6.3.2. Traceability

6.3.3. Nonmanipulation

6.3.4. Verifiability, Undeniability, and Unforgeability

6.3.5. Forward/Backward Secrecy

7. Conclusions

Footnotes

Acknowledgments

References

2.3.1. Shamir's $(t, n)$ -SS