
Security for Mobile Ad-Hoc Networks and Wireless Sensor Networks using Identity-Based Cryptography


Mayank Tiwari
Department of Computer Science and Automation
Indian Institute of Science
Bangalore - 560012

Abstract: Security in Wireless Ad-hoc Networks (WANs) is still an active area of research. Due to inherent characteristics like mobility, dynamic topology and lack of centralised infrastructure, WANs face some serious security issues. Identity-based cryptography (IBC), due to its simplified infrastructure, seems to be one of the promising foundations for solving these issues. In this report, we focus on secure key management for Mobile Ad-hoc Networks (MANETs) and signature schemes for Wireless Sensor Networks (WSNs) using IBC. We present a survey of the existing research work on these topics. We also point out some interesting open problems in the area on which we are planning to work.
Index Terms - Identity-based Cryptography, Wireless Ad-hoc Networks, Mobile Ad-hoc Networks, Wireless Sensor Networks

I. INTRODUCTION
Recent advancements in digital computing, wireless communications and sensing technology have led to the proliferation of wireless ad-hoc networks (WANs). A wireless ad-hoc network (WAN) [1], [2] is a decentralized, distributed network formed by an autonomous collection of users that communicate over a wireless medium with constrained bandwidth. A WAN is capable of self-configuration, i.e. self-formation and self-repairing. The network is ad-hoc in the sense that it does not rely on a pre-existing infrastructure.
A WAN can be recognized as a concatenation of a Data Acquisition Network (DAN) and a Data Dissemination Network (DDN). The sensor nodes and the base station, i.e. the sensor network, form the data acquisition network. The wired and/or wireless network backing the sensor network forms the data dissemination network. The main functionality of the DAN is to acquire information by sensing physical attributes of the surrounding environment. The DDN is responsible for post-processing of the acquired information [3]. Based on topology, dynamics and availability of resources to individual users, WANs can be classified as:
1. Wireless Sensor Network (WSN) [3]: A WSN can be described as a network of nodes that makes a collaborative effort in sensing certain specified data around its periphery. The nodes in a WSN are extremely resource constrained and are expected to work unattended (without recharging of batteries). They are usually static, though some applications require mobility. These inexpensive networks are meant to be deployed in adversarial geographical environments. The network size varies from hundreds to thousands of nodes and the network should scale easily. The nodes primarily broadcast their messages; some applications may require multicast (especially in the presence of special nodes).
2. Mobile Ad-hoc NETwork (MANET) [1]: A MANET is a network of mobile and moderately resource constrained devices communicating through a wireless medium. It has the ability to self-configure. Examples of standard MANET devices are laptops, personal digital assistants (PDAs), cellphones, etc. In contrast to WSN nodes, which are in proximity to the surrounding environment, the devices of MANETs are in close proximity to human beings [3]. This implies that the network size is moderate, say a few hundred nodes, and scaling is restricted. Communication between nodes is primarily unicast (point-to-point). Multicast and broadcast transmission of messages may sometimes be required.
We mention a few military and civilian applications of WANs in the appendix.
A. Security aspects in WSNs and MANETs
Security of communications is a major concern for any WAN. The primary cryptographic security requirements for WANs are Data Confidentiality, Data Integrity, Data Authentication, Non-repudiation and Access Control. Here we discuss the challenges WANs face in achieving cryptographic security.
Security mechanisms that are proven to be effective in wired networks are not always applicable to WANs. The combination of the following weaknesses in WANs makes it difficult for them to achieve the security requirements [4]:
• Ad-hoc infrastructure and no online administration.
• Dynamic network topology.
• The nodes in the network can be captured, inducing insider attacks.
• Constrained resources in terms of computation and communication capabilities.
• Vulnerabilities of wireless networks are implicitly inherited by WANs.
B. Comparison of SKC, PKC and IBC for security in MANETs and WSNs
Cryptographic techniques can be classified into two categories, namely Symmetric Key based (SKC) and Asymmetric/Public Key based (PKC). In symmetric key schemes, if there exists a single key for the network and an attacker compromises that key, then all encrypted messages for that network are exposed. If instead there is a key for every pair of users in the network, then the number of keys needed for $n$ users to communicate securely is $O(n^2)$ [5]. This hinders scalability and thus makes SKC unsuitable for WANs (especially WSNs).
Compared with symmetric key based schemes, asymmetric key based schemes provide more functionality, e.g. easier key distribution and availability of non-repudiation; also, in PKC the compromise of one user's private key does not reveal messages encrypted for other users. However, PKC schemes are generally computationally expensive. Also, a Certificate Authority (CA) is required to verify that a particular public key belongs to a particular user in the network. Certificate management is complex and is thus an obstacle that hinders the employment of PKC in WANs.
Identity-based cryptography (IBC) is a special form of public key cryptography which eliminates the requirement of certificate authorities. In a PKC scheme, to send an encrypted message the sender requires the certificate of the recipient as well as those of all the intermediate CAs. In IBC, this problem of obtaining authentic public key certificates is replaced by the task of obtaining authentic public parameters. As there are far fewer PKGs than end users, IBC has an advantage over PKC. For example, if there exists only a single PKG in the network, then all end users can communicate securely with each other indefinitely without ever needing any public key certificates [3].
II. BACKGROUND
A. History of Identity-Based Cryptography
The idea of Identity-Based Cryptography (IBC) was introduced by Shamir [6] in 1984. He proposed that the public and private keys of a user should be based on its identity. The public key of a user can be computed as some function applied to its identity, and the private key of the user is computed by a trusted third party called a Private Key Generator (PKG). This saves the overhead of storage and transmission of public keys and certificates, which makes IBC especially attractive for resource constrained devices. Thus, the application of IBC in WANs is an important research topic.
In 2000, a breakthrough result [7] by Antoine Joux showed that bilinear pairings can be used to construct a three-party one-round Diffie-Hellman key agreement. After this, in 2001, Boneh and Franklin [8] presented an efficient and provably secure identity-based encryption (BF-IBE) scheme based on the properties of bilinear pairings on elliptic curves. Subsequently, a number of cryptographic schemes based on the work of [8] were proposed.
B. Preliminaries of Identity-based Cryptography
In this report we stick to the notation (unless otherwise stated) summarized in Table I.
A Symmetric Bilinear Map is denoted $e : G_1 \times G_1 \to G_2$ between two cyclic groups $G_1$, $G_2$ of order some large prime $q$, where $G_1$ is the group of points of an elliptic curve over $\mathbb{F}_p$ and $G_2$ is a subgroup of $\mathbb{F}_{p^k}^*$. A cryptographic bilinear map satisfies the following properties [5]:
1) Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}_q$. Note that for $P, Q, R \in G_1$, $e(P + Q, R) = e(P, R) \cdot e(Q, R)$ and $e(P, Q + R) = e(P, Q) \cdot e(P, R)$.
2) Non-degenerate: $e(P, P) \in G_2$ is an element of order $q$.
3) Computable: Given $P, Q \in G_1$ there is an efficient algorithm to compute $e(P, Q)$.
Most IBC schemes are based on assumptions about hard problems in elliptic curve groups. Here we reproduce the most frequently used assumptions from [5]:
• Computational Diffie-Hellman (CDH) assumption in $G_1$: there is no efficient algorithm to compute $abP$ from $P, aP, bP \in G_1$ for $a, b \in \mathbb{Z}_q$.
• Computational Bilinear Diffie-Hellman (CBDH) assumption in $(G_1, G_2, e)$: there is no efficient algorithm to compute $e(P, P)^{abc}$ from $P, aP, bP, cP \in G_1$ for $a, b, c \in \mathbb{Z}_q$.
• Decisional Bilinear Diffie-Hellman (DBDH) assumption in $(G_1, G_2, e)$: there is no efficient algorithm to decide whether $r = abc$ or $r$ is a uniformly random element of $\mathbb{Z}_q$, given $P, aP, bP, cP \in G_1$ and $e(P, P)^r \in G_2$, for $a, b, c \in \mathbb{Z}_q$.

TABLE I: Notations used in this Report

| Symbol | Meaning |
|---|---|
| $\mathbb{Z}$ | set of integers |
| $\mathbb{Z}_n$ | set of integers mod $n$ |
| $\mathbb{F}_q$ | finite field with $q$ elements |
| $\mathbb{Z}_q$ | the multiplicative group of integers modulo prime number $q$ |
| $E/\mathbb{F}_p$ | elliptic curve over $\mathbb{F}_p$ |
| $e : G_1 \times G_1 \to G_2$ | a bilinear map between two cyclic groups $G_1$, $G_2$ |
| $P$ | an arbitrary point in $E/\mathbb{F}_p$ |
| $d_{ID}$ | private key of $ID$ |
| $Q_{ID}$ | public key of $ID$ |
| $s$ | master secret key |
| $P_{pub}$ | system/master public key |
| $H_{i}$ | a hash function |
C. Threshold Cryptography
The solution to the problem of sharing a secret among a number of users was proposed by Shamir in [9] in 1979. Precisely, he generalized the problem as follows: there is some secret data $D$. We need to divide $D$ into $n$ pieces $D_1, \dots, D_n$ in such a way that $D$ is easily reconstructable from $t$ or more shares, while one should not be able to learn anything about the secret $D$ even with complete knowledge of $t - 1$ or fewer shares. He called such a scheme a $(t, n)$ threshold scheme.
To realize a $(t, n)$ threshold scheme, Shamir proposed a solution based on polynomial interpolation. Here is the solution reproduced from Shamir [9]: given $t$ points $(x_1, y_1), \dots, (x_t, y_t)$ with distinct $x_i$'s, one can easily show that there is only one polynomial $q(x)$ of degree $t - 1$ such that $q(x_i) = y_i$ for all $i$. To divide $D$ into $n$ shares, we pick a random $(t-1)$-degree polynomial $q(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}$ with $a_0 = D$, and each share is the value of the polynomial at one of $n$ points, i.e. $D_1 = q(1), \dots, D_i = q(i), \dots, D_n = q(n)$. Thus any $t$ of these $D_i$ values suffice to find the coefficients of $q(x)$ using Lagrange interpolation and then evaluate $D = q(0)$, while knowledge of $t - 1$ of these values does not suffice to calculate $D$.
Threshold cryptography was later used to address some of the security problems of WANs. For instance, Zhou et al. constructed a distributed CA architecture [10] in PKC and Kate et al. constructed a distributed PKG [11] in IBC.
III. KEY MANAGEMENT FOR MANETS USING IBC
Key management in IBC involves key generation and distribution methods. This section reviews proposals for IBC based key management in MANETs along with their limitations.
A. Key Generation using Threshold Cryptography
Zhou et al. suggested a distributed CA architecture [10] in PKC, i.e. the services of the CA can be distributed among many nodes in an ad-hoc network. The same idea can be extended to IBC. Khalili et al. [12] proposed an idea to enable efficient key distribution in IBC while respecting the constraints of WANs. The key features of their scheme are summarized in [4] as:
• During network formation, the master secret key is shared in t-out-of-n threshold fashion among the n nodes.
• In a distributed fashion, these nodes generate a master public key. This way these nodes form a threshold PKG.
• The nodes in the network use their identities as public keys.
• A node needs to obtain t shares from the n nodes to compute its secret key.
Subsequent communications are carried out using the master public key and the ID of the recipient. Encryption and decryption are based on the BF-IBE scheme [8].
An implementation of Khalili's idea was proposed by Deng et al., referred to as the DMA scheme in [13]. The work comprises an identity-based key management and authentication system. The system was built on the assumption that nodes can get the identities of other nodes in the network and have a mechanism to discover their one-hop neighborhood. The scheme uses [14], an extension of Shamir's secret sharing scheme [9]. Thus the distributed key generation in the DMA scheme does not require a trusted third party to safely compute a master key, separate it into pieces (shares) and then distribute them among the network nodes. Instead the master key pair is computed collaboratively by the initial network nodes. This prevents creation of the master secret key at any single node.
The distributed key generation of the DMA scheme [13] comprises the following two algorithms:
Master Public/Private Key Generation:
• Each node $C_i$ chooses a secret $x_i$ and a polynomial $f_i(z)$ over $\mathbb{Z}_q$ of degree $k - 1$, such that $f_i(0) = x_i$.
• The node $C_i$ computes its sub-share for node $C_j$ as $ss_{ij} = f_i(j)$ for $j = 1, 2, \dots, n$ and sends $ss_{ij}$ securely to $C_j$.
• After the $n - 1$ sub-shares have been exchanged, node $C_j$ can compute its share of the master private key as $S_j = \sum_{i=1}^{n} ss_{ij} = \sum_{i=1}^{n} f_i(j)$.
• Similarly, any coalition of $t$ parties can jointly recover the secret as in secret sharing using $\sum_{i=1}^{t} S_i L_i(z) \bmod q$, where $L_i(z)$ is the Lagrange coefficient. The jointly generated master secret key is $msk = \sum_{i=1}^{n} x_i = \sum_{i=1}^{n} f_i(0)$.
• Then each party publishes $S_i P$, where $P$ is a common parameter used by the identity-based scheme [8]. The master public key is computed as $mpk = \sum_{i=1}^{n} S_i P$.
Distributed Private Key Generation:
• The public key of a user with identity $ID$ is computed as $Q_{ID} = H(ID \,\|\, Expire\_time)$, where $H : \{0, 1\}^* \to G_1$ is a cryptographic hash function and $Expire\_time$ is a timestamp.
• To obtain its private key a user has to contact at least $t$ neighbor nodes, present its identity and request the private key generation (PKG) service.
• Each of the $t$ PKG nodes generates a secret share and sends it to the requesting node.
• The generation of a secret key share for the requesting node can be represented as $sk_i = S_i \cdot Q_{ID}$, where $S_i$ for $i = 1, 2, \dots, t$ is the share of the master private key held by the serving node, $ID$ is the identity of the requesting node and $Q_{ID}$ is its public key.
• By collecting the $t$ shares, the requesting node computes its private key as $sk_{ID} = \sum_{i=1}^{t} S_i Q_{ID}$.
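As an added illustration (not code from the report or from [9], [13]), the following Python models Shamir's $(t, n)$ scheme of Section II.C and the DMA-style joint master key generation described above, over a small constructed prime field; the polynomial degree is taken as $t - 1$ so that $t$ shares suffice:

```python
# Shamir (t, n) secret sharing over Z_q plus the DMA-style joint generation of a master
# secret where every node contributes its own polynomial.  Constructed example; q is tiny.
import secrets

Q = 7919  # prime modulus of the toy field Z_q (constructed; real systems use ~256-bit q)


def eval_poly(coeffs, x, q=Q):
    """Evaluate a_0 + a_1 x + ... + a_{t-1} x^{t-1} at x by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % q
    return acc


def split(secret, t, n, q=Q):
    """Shares (i, D_i), i = 1..n, with D_i = f(i), f(0) = secret and deg f = t - 1."""
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    return [(i, eval_poly(coeffs, i, q)) for i in range(1, n + 1)]


def lagrange(shares, x, q=Q):
    """Evaluate at x the unique polynomial of degree < len(shares) through the given points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q   # yi * L_i(x)
    return total


def reconstruct(shares, q=Q):
    """D = q(0) from any t shares: Lagrange interpolation evaluated at zero."""
    return lagrange(shares, 0, q)


def dma_joint_generation(node_secrets, t, q=Q):
    """DMA master key generation without a dealer: node C_i picks f_i with f_i(0) = x_i,
    sends sub-share ss_ij = f_i(j) to C_j, and C_j sums them into S_j = sum_i f_i(j).
    Returns the list of (j, S_j); any t of them reconstruct msk = sum_i x_i."""
    n = len(node_secrets)
    polys = [[x % q] + [secrets.randbelow(q) for _ in range(t - 1)] for x in node_secrets]
    shares = []
    for j in range(1, n + 1):
        s_j = sum(eval_poly(f, j, q) for f in polys) % q   # sum of the received ss_ij
        shares.append((j, s_j))
    return shares
```

Interpolating $t - 1$ shares together with any guessed value at $x = 0$ always yields a valid-looking polynomial, which is why fewer than $t$ shares reveal nothing about $D$.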
Threshold cryptography distributes the functionality of the PKG to multiple nodes. Due to this, the DMA scheme suffers from the following weaknesses:
1) Interdependency Cycle between Secure Routing and Security Services: The scheme relies on some already existing routing mechanism or other infrastructure (e.g. out-of-band communication) to distribute secret shares among the distributed PKG nodes. This makes it unsuitable for secure routing protocols and results in an interdependency cycle problem between distributed secure key agreement and secure routing [15], [16].
2) Proximity-caused Insecurity: In mobile WANs, to avoid the routing-security interdependency cycle problem one can have a threshold number of authorized users that are physically close to each other (i.e. within one-hop communication distance). However, this leads to another problem called proximity-caused insecurity: it is possible for an adversary to compromise these nodes for a short period of time [16]. Furthermore, for fully distributed key generation schemes where all nodes have to participate in the key generation, the proximity-based solution is not applicable.
3) Mobile Attacks: Key generation algorithms using threshold cryptography are subject to mobile attacks [15]. The above scheme uses a secret refreshing mechanism to counter such attacks; it assumes that a mobile adversary cannot compromise enough authentic nodes within a share refresh period. Zhao et al. discuss this issue and propose solutions in [17].
B. Offline Threshold PKG
Zhang et al. [18] proposed a distributed PKG (D-PKG) scheme to distribute the PKG of IBC to multiple nodes. In this scheme, the master key of the IBC system is distributed to D-PKGs in an offline manner. Then a threshold number of D-PKGs can function as the PKG. As described in [4], in each D-PKG the following operations are performed:
1) Determine a $(t-1)$-degree ($1 \le t \le n$) polynomial $h(x) = s + a_1 x + \dots + a_{t-1} x^{t-1} \pmod q$, where the $a_i$ are random coefficients and $s$ is the master key chosen previously.
2) Select $n$ ($t \le n \le N$) out of the total $N$ nodes (denoted by $SH$). These nodes are chosen either without distinction or by considering more powerful or more secure nodes. Call these nodes D-PKGs (distributed private key generators). Each node in $SH$ gets a share of $s$ as $s_k = h(k)$.
3) Calculate a set of share commitments as $SC = \{P_k = s_k P \in G_1 \mid 1 \le k \le n\}$.
$SH$ and $SC$ are included in the public parameters and sent to all nodes. Similar to the DMA scheme, using Lagrange interpolation any combination of t-out-of-n D-PKGs can collectively reconstruct the system master key $s$.
This scheme is similar to the DMA scheme [13], but differs in the following ways [4]: the secrets for the D-PKGs are shared offline and thus do not require online secure channels for distribution of those secret shares. However, as the secret shares of this scheme are never refreshed or updated, it is more vulnerable to attacks. Though the master key generation doesn't need secure channels, the private key generation still requires them; thus the routing-security interdependency cycle is still not addressed. Also, the share commitments resemble certificates which are distributed among network nodes before the network starts. This is against the spirit of IBC.

IV. SIGNATURE SCHEMES FOR WANS USING IBC
Shamir in his seminal paper [6] introduced Identity-Based Signature (IBS) schemes. He also proposed a scheme which allows users to verify digital signatures using public information like the user's identity.
A. Identity-Based Signature (IBS)
In general an ID-Based Signature (IBS) scheme can be defined as a set of four algorithms:
• Setup: Given a security parameter $k$, outputs system parameters $params$ and a master secret key $s$.
• Key Extraction: Given a user's identity $ID_i$ and the master secret $s$, outputs the private key $d_{ID_i}$.
• Sign: Given a message $m \in M$ and the private key $d_{ID_i}$, outputs a signature $\sigma$.
• Verify: Given a message $m \in M$, the signer's identity $ID$, a signature $\sigma$ and the system parameters $params$, outputs the bit 1 if $\sigma$ is a valid signature on $(ID, m)$, otherwise 0.
1) BNN-IBS Scheme: Bellare, Namprempre and Neven proposed the first Elliptic Curve Cryptography (ECC) based IBS scheme [19] in 2004. Though BNN-IBS is a non-pairing based signature scheme, it is still not efficient in terms of signature size. A variant of BNN-IBS, vBNN-IBS [20], proposed by Cao et al. in 2008, reduces the signature size compared to BNN-IBS. The appendix includes a description of the BNN-IBS scheme.
2) vBNN-IBS Scheme: Let $E$ be an elliptic curve defined over a prime finite field $\mathbb{F}_p$ and denoted as $E/\mathbb{F}_p$. Let $G$ be the group of points formed by $E/\mathbb{F}_p$, which includes the point at infinity $O$. The scheme can be defined as follows:
• Setup: Given the security parameter $k$, the PKG does the following. Let $H_1 : \{0, 1\}^* \times G \to \mathbb{Z}_q$ and $H_2 : \{0, 1\}^* \to \mathbb{Z}_q$.
  - Selects a generator $P \in G$ and computes the master public key as $P_0 = xP \in G$.
  - The master secret key is $x \in \mathbb{Z}_q$ and the public parameters are $params = \langle G, q, P, P_0, H_1, H_2 \rangle$.
• Key Extraction: Given an identity $ID$, the PKG generates the private key as:
  - Chooses a random $r \in \mathbb{Z}_q$ and computes $R = rP$.
  - Uses the master secret key $x$ to compute $s = r + cx$, where $c = H_1(ID \| R)$.
  The pair $(R, s)$ is sent to the end user via a secure channel.
• Sign: Given a message $m \in \{0, 1\}^*$,
  - Choose a random $y \in \mathbb{Z}_q$ and compute $Y = yP$.
  - Compute $z = y + hs$, where $h = H_2(ID, m, R, Y)$.
  The signature is $\sigma = \langle R, h, z \rangle$.
• Verify: Given $\sigma = \langle R, h, z \rangle$, $ID$ and the message $m$, the receiver computes $c = H_1(ID \| R)$ and verifies whether
  $h \stackrel{?}{=} H_2(ID, m, R, zP - h(R + cP_0))$.
Due to its short signature size, this scheme can easily be used for broadcast authentication in WSNs.
B. ID-Based Online/Offline Signature (IBOOS)
The IBOOS scheme is usually used for authenticated broadcast. The notion of online/offline signatures was introduced by Even, Goldreich and Micali [21]. In a WSN, the offline phase can be executed at the base station, while the online phase, which is typically very fast, is executed on the WSN node. The following five algorithms define an ID-based online/offline signature scheme:
• Setup and Key Extract are the same as defined for IBS.
• Offline Sign Generation: Given the system parameters $params$ and the signing key $d_{ID_i}$, outputs a partial signature $\sigma_{off}$.
• Online Sign Generation: Given $m \in M$ and $\sigma_{off}$, outputs an online signature $\sigma_{on}$. The reuse of the partial offline signature $\sigma_{off}$ reduces the energy consumption for generation of $\sigma_{on}$.
• Online Sign Verification: Given $m$, $ID_i$, $\sigma_{on}$ and $params$, the algorithm outputs 1 if the signature is valid, otherwise 0.
Xu, Mu and Susilo gave the first ID-based online/offline signature scheme [26] (referred to as the XMS scheme). In the XMS scheme, whenever the signer wants to produce a signature, he has to execute the offline phase. This makes the offline phase one-time, i.e. the offline signature part can be used only once and cannot be re-used. Assuming the offline phase is conducted by the base station, whenever a sensor node needs to sign a message it has to contact the base station for the offline signature part. This makes the XMS scheme impractical in WSNs. Also, the verification algorithm of the XMS scheme uses a pairing operation, which is a costly computation for a resource constrained sensor node.
1) BLYS-IBOOS Scheme: Baek, Liu, Yang and Zhou presented an online/offline identity-based signature scheme for wireless sensor networks [22]. The scheme provides multi-time usable offline storage, which allows the signer to re-use the offline pre-computed information. The scheme can be defined as follows:
• Setup: Given the security parameter $k$, the PKG does the following. Let $G$ be a multiplicative group of prime order $q$ and let $H : \{0, 1\}^* \to \mathbb{Z}_q$.
  - Selects a generator $g \in G$ and computes the master public key as $X = g^x \in G$.
  - The master secret key is $x \in \mathbb{Z}_q$ and the public parameters are $params = \langle G, q, g, X, H \rangle$.
• Key Extraction: Given an identity $ID$, the PKG:
  - Chooses a random $r \in \mathbb{Z}_q$ and computes $R = g^r$, and
  - Computes $s = r + H(R, ID)\, x \bmod q$.
  The user secret key is $(R, s)$ and is sent to the end user via a secure channel. Note that a correctly generated secret key should satisfy $g^s = R X^{H(R, ID)}$.
• Offline Sign: For $i = 0, \dots, |q| - 1$ the signer computes $Y_i = g^{2^i}$. Note that the offline stage requires neither the message nor the secret key. Thus the offline signature can be generated by the PKG and made a part of the public parameters.
• Online Sign: The signer selects $y \in \mathbb{Z}_q$ at random. Let $y[i]$ be the $i$-th bit of $y$, and consider the set of indices $i \in \{1, \dots, |q|\}$ such that $y[i] = 1$. Compute
  $Y = \prod_{i : y[i] = 1} Y_{i-1}$
  and then compute $h = H(Y, R, m)$ and $z = y + hs \bmod q$. The signature is $(Y, R, z)$.
• Verify: The verifier computes $h = H(Y, R, m)$ and checks whether
  $g^z \stackrel{?}{=} Y R^h X^{hH(R, ID)}$,
  outputting 1 if equal, otherwise 0.
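As an added example (not code from the report or from [22]), the following Python runs the BLYS-IBOOS algorithms above in the prime-order subgroup of $\mathbb{Z}_p^*$ with the constructed parameters $p = 1019 = 2 \cdot 509 + 1$, $q = 509$ and generator $g = 4$; $H$ is modelled by SHA-256 reduced mod $q$, and the group is far too small for real use.

```python
# Toy BLYS-IBOOS in the order-q subgroup of Z_p^*.  Constructed parameters: p = 1019 is a
# safe prime, q = 509, and g = 4 = 2^2 generates the subgroup of prime order q.
import hashlib
import secrets

P, Q, G = 1019, 509, 4


def h_int(*parts):
    """H: {0,1}^* -> Z_q, modelled with SHA-256 over a joined encoding, reduced mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def setup():
    """Master secret key x and master public key X = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def extract(x, ident):
    """Key Extraction: R = g^r, s = r + H(R, ID) x mod q; the user key is (R, s)."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + h_int(R, ident) * x) % Q


def key_is_consistent(X, ident, key):
    """The sanity check from the text: a correct key satisfies g^s == R * X^{H(R, ID)}."""
    R, s = key
    return pow(G, s, P) == R * pow(X, h_int(R, ident), P) % P


def offline_sign():
    """Offline phase: Y_i = g^(2^i) for i = 0..|q|-1.  Needs neither message nor secret key,
    so the table can be precomputed by the base station or PKG and reused for every signature."""
    return [pow(G, 1 << i, P) for i in range(Q.bit_length())]


def combine(table, y):
    """Y = prod_{i : y[i] = 1} Y_{i-1}, i.e. g^y assembled from the offline table with
    multiplications only (index k here is i - 1 in the report's 1-based bit numbering)."""
    Y = 1
    for k, Yk in enumerate(table):
        if (y >> k) & 1:
            Y = Y * Yk % P
    return Y


def online_sign(table, key, msg):
    """Online phase on the sensor node: no exponentiation, just bit-wise products and a hash."""
    R, s = key
    y = secrets.randbelow(Q - 1) + 1
    Y = combine(table, y)
    h = h_int(Y, R, msg)
    return (Y, R, (y + h * s) % Q)


def verify(X, ident, msg, sig):
    """Check g^z == Y * R^h * X^{h * H(R, ID)}."""
    Y, R, z = sig
    h = h_int(Y, R, msg)
    rhs = Y * pow(R, h, P) * pow(X, h * h_int(R, ident) % Q, P) % P
    return pow(G, z, P) == rhs
```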
V. CONCLUSION AND FUTURE WORK
In this report we discussed two key management schemes for MANETs and two signature schemes for WSNs. We identified the challenges of WANs which make it difficult to provide security in them. There are many unaddressed issues in the application of IBC in WANs. IBC requires that the public parameters be distributed to all parties before any communication. This requirement is not in the spirit of ad-hoc networks, where a group of strangers come together without any existing infrastructure and central administration.
Thus, we find IBC best suited to those types of WANs where there is some authority/administrator that generates and distributes system parameters to all nodes, authenticates their identities and assigns them their private keys. For example, a military MANET consisting of soldiers with wearable computers usually has a central authority to administer the above issues.
We also plan to work on a few interesting problems:
• Secure key agreement in WANs is still a challenge [23]. The current schemes trade off either the spirit of IBC or that of WANs. We plan to work on this aspect, i.e. towards a true ID-based key agreement scheme preserving the ad-hoc nature of MANETs and WSNs.
• Hierarchical ID-based encryption and signature schemes were introduced by Gentry and Silverberg in [24]. We want to explore the idea of hierarchical key agreement (and subsequently encryption and signature) in MANETs using IBC.
• The aggregate signature scheme [25] was introduced in 2003. It aggregates multiple signatures into a single signature, saving network bandwidth. We plan to work on the aggregation of signatures for ID-based signature schemes in WANs [27].
REFERENCES
[1] National Institute of Standards and Technology (NIST), Wireless Ad Hoc Sensor Networks, published online at http://www.antd.nist.gov/wahn_mahn.shtml
[2] National Institute of Standards and Technology (NIST), Wireless Ad Hoc Sensor Networks, published online at http://www.antd.nist.gov/wahn_ssn.shtml
[3] H.K. Patil and S.A. Szygenda, Security for Wireless Sensor Networks Using Identity-Based Cryptography, Auerbach Publications, Boston, MA, USA, first edition, 2012.
[4] Shushan Zhao, Akshai Aggarwal, Richard Frost, Xiaole Bai, A Survey of Applications of Identity-Based Cryptography in Mobile Ad-Hoc Networks, IEEE Communications Surveys & Tutorials, Vol. 14, No. 2, Second Quarter, 2012.
[5] Sanjit Chatterjee and Palash Sarkar, Identity-Based Encryption, Springer, New York, 2011.
[6] Adi Shamir, Identity-based cryptosystems and signature schemes, in G. R. Blakley and David Chaum, editors, CRYPTO, volume 196 of Lecture Notes in Computer Science, pages 47-53, Springer, 1984.
[7] Antoine Joux, A one round protocol for tripartite Diffie-Hellman, ANTS-IV Proceedings of the 4th International Symposium on Algorithmic Number Theory, 2000.
[8] Dan Boneh and Matthew K. Franklin, Identity-based encryption from the Weil pairing, SIAM J. Comput., 32(3):586-615, 2003. Earlier version appeared in the proceedings of CRYPTO, 2001.
[9] Adi Shamir, How to share a secret, Communications of the ACM, vol. 22, no. 11, 1979.
[10] L. Zhou and Z.J. Haas, Securing ad-hoc networks, IEEE Network, vol. 13, no. 6, pp. 24-30, 1999.
[11] Aniket Kate and Ian Goldberg, Distributed Private-Key Generators for Identity-Based Cryptography, Security and Cryptography for Networks, pp. 436-453, 2010.
[12] A. Khalili, J. Katz, and W. A. Arbaugh, Toward secure key distribution in truly ad-hoc networks, SAINT Workshops, IEEE Computer Society, 2003, pp. 342-346.
[13] H. Deng, A. Mukherjee, and D. P. Agrawal, Threshold and identity-based key management and authentication for wireless ad hoc networks, ITCC (1), IEEE Computer Society, 2004, pp. 107-111.
[14] T. P. Pedersen, A Threshold Cryptosystem Without A Trusted Party, EUROCRYPT, 1991.
[15] J. van der Merwe, D. Dawoud, and S. McDonald, A survey on peer-to-peer key management for mobile ad hoc networks, ACM Comput. Surv., vol. 39, no. 1, pp. 1-45, 2007.
[16] S. Xu and S. Capkun, Distributed and secure bootstrapping of mobile ad hoc networks: Framework and constructions, ACM Trans. Inf. Syst. Secur., vol. 12, no. 1, pp. 1-37, 2008.
[17] S. Zhao and A. Aggarwal, Against mobile attacks in ad-hoc networks, Proc. IEEE International Conference on Information Theory and Information Security, 2010.
[18] Y. Zhang, W. Liu, W. Lou, Y. Fang, and Y. Kwon, AC-PKI: anonymous and certificateless public-key infrastructure for mobile ad hoc networks, Proc. International Conference on Communications, IEEE Computer Society Press, 2005.
[19] Mihir Bellare, Chanathip Namprempre, and Gregory Neven, Security Proofs for Identity-Based Identification and Signature Schemes, Proceedings of Eurocrypt, Springer-Verlag, 2004.
[20] X. Cao, W. Kou, L. Dang and B. Zhao, IMBAS: Identity-based multi-user broadcast authentication in wireless sensor networks, Computer Communications (Elsevier), 31, 2008, pp. 659-669.
[21] S. Even, O. Goldreich, and S. Micali, On-line/off-line digital signatures, Proc. CRYPTO 89, volume 2442 of Lecture Notes in Computer Science, pages 263-277, Springer-Verlag, 1989.
[22] Joseph K. Liu, Joonsang Baek, Jianying Zhou, and Yanjiang Yang, Efficient Online/Offline Identity-Based Signature for Wireless Sensor Network, International Journal of Information Security, August 2010, Volume 9, Issue 4, pp. 287-296, 2008.
[23] Hung-Yu Chien and Ru-Yu Lin, Identity-based key agreement protocol for mobile ad-hoc networks using bilinear pairing, Sensor Networks, Ubiquitous, and Trustworthy Computing, 2006, IEEE International Conference on (Volume 1).
[24] Craig Gentry and Alice Silverberg, Hierarchical ID-based cryptography, in Yuliang Zheng, editor, ASIACRYPT, volume 2501 of Lecture Notes in Computer Science, pages 548-566, Springer, 2002.
[25] Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, in Biham [31], pages 416-432.
[26] Shidi Xu, Yi Mu, Willy Susilo, Authenticated AODV Routing Protocol Using One-Time Signature and Transitive Signature Schemes, Journal of Networks, Vol. 1, No. 1, 2006.
[27] Yifan Li, Huiyan Chen, Application of ID-based aggregate signature in MANETs, Journal of Electronics (China), July 2010, Volume 27, Issue 4, pp. 516-521.

APPENDIX
A. Applications of Wireless Ad-hoc Networks
WANs have diverse applications, ranging from static resource constrained networks (WSNs) to relatively resourceful, highly dynamic and mobile networks (MANETs). Some influential military applications of WANs over the past few decades are:
• Establishing instant communication infrastructure in war zones and disaster-affected areas.
• Detection and characterization of chemical, biological, radiological, nuclear and other explosive materials.
• Military surveillance, like detecting and gaining information about enemy movements, explosions and other phenomena of interest.
In recent times, WANs have found wide-scale application in civilian as well as scientific domains. Some prominent applications in civil and scientific areas [3] are:
• Seismic and volcanic activity monitoring.
• Ocean water monitoring for tracking pollution.
• Detecting and monitoring environmental changes in plains, forests, deserts, etc.
• Surveillance for providing security in shopping malls, parking garages and other facilities.
• Monitoring the living conditions of wild animals and plants.
• Virtual classrooms to reach students in remote areas.
B. Security aspects in WSNs and MANETs
The cryptographic security requirements for WANs are:
• Data Confidentiality: To protect the data from unauthorized disclosure. A common approach to achieving confidentiality is encrypting user data.
• Data Integrity: To confirm that the data received was not altered during communication. Usually, cryptographic primitives such as digital signatures and hash values are used to provide data integrity.
• Data Authentication: To prevent impersonation attacks. Authentication is the process of assuring that the identity of the communicating entity is what it claims to be.
• Non-repudiation: Aims to protect against communicating entities that deny ever having participated in any communication with the victim. It can be achieved using signature schemes.
• Access Control: To enforce access rights to all resources in the system. It tries to prevent unauthorized use of the system and network.

C. Boneh-Franklin IBE scheme
The BF-IBE scheme is specified as a set of four randomized algorithms [8]:
• Setup: Given a security parameter $k$, the algorithm
  - Generates a symmetric bilinear map $e : G_1 \times G_1 \to G_2$ between two cyclic groups $G_1$, $G_2$ of order $q$, for some large prime $q$.
  - Sets the master public key $P_{pub} = sP$, where $s$ is a random element of $\mathbb{Z}_q$ and $P$ is an arbitrary generator of $G_1$. Chooses cryptographic hash functions $H_1 : \{0, 1\}^* \to G_1$ and $H_2 : G_2 \to \{0, 1\}^n$.
  The system parameters are $params = \langle G_1, G_2, e, q, n, P, P_{pub}, H_1, H_2 \rangle$. The master secret key is $s \in \mathbb{Z}_q$.
• Extract: For a given string $ID \in \{0, 1\}^*$, the algorithm builds the public key for $ID$ as $Q_{ID} = H_1(ID) \in G_1$, and the private key $d_{ID} = sQ_{ID}$.
• Encrypt: Choose a random $r \in \mathbb{Z}_q$, and set the ciphertext to be $C = \langle rP, M \oplus H_2(g_{ID}^r) \rangle$, where $g_{ID} = e(Q_{ID}, P_{pub}) \in G_2$.
• Decrypt: Let $C = \langle U, V \rangle$ be a ciphertext encrypted using the public key of $ID$; decrypt $C$ using the private key $d_{ID}$ as $V \oplus H_2(e(d_{ID}, U)) = M$.
The security of the BF-IBE scheme is based on the CBDH problem in the random oracle model. The security proof can be found in [8].
D. BNN-IBS scheme
Let $E$ be an elliptic curve defined over a prime finite field $\mathbb{F}_p$ and denoted as $E/\mathbb{F}_p$. Let $G$ be the group of points formed by $E/\mathbb{F}_p$, which includes the point at infinity $O$. The scheme can be defined as follows [19]:
• Setup: Given the security parameter $k$, the PKG does the following. Let $H_1 : \{0, 1\}^* \times G \to \mathbb{Z}_q$ and $H_2 : \{0, 1\}^* \to \mathbb{Z}_q$.
  - Selects a generator $P \in G$ and computes the master public key as $P_0 = xP \in G$.
  - The master secret key is $x \in \mathbb{Z}_q$ and the public parameters are $params = \langle G, q, P, P_0, H_1, H_2 \rangle$.
• Key Extraction: Given an identity $ID$, the PKG generates the private key as:
  - Choose a random $r \in \mathbb{Z}_q$ and compute $R = rP$.
  - Use the master secret key $x$ to compute $s = r + cx$, where $c = H_1(ID \| R)$.
  The pair $(R, s)$ is sent to the end user via a secure channel.
• Sign: Given a message $m \in \{0, 1\}^*$,
  - Choose a random $y \in \mathbb{Z}_q$ and compute $Y = yP$.
  - Compute $z = y + hs$, where $h = H_2(ID, m, R, Y)$.
  The signature is $\sigma = \langle R, Y, z \rangle$.
• Verify: The verifier verifies the signature as follows:
  - Compute $h = H_2(ID, m, R, Y)$ and $c = H_1(ID \| R)$.
  - Check whether $zP \stackrel{?}{=} Y + h(R + cP_0)$; output 1 if equal, otherwise 0.
Note that the BNN-IBS scheme is not efficient in terms of signature size because it includes two (elliptic curve) points $R$, $Y$ and an integer $z$.
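As an added example (not code from the report, [19] or [20]), the following Python implements both BNN-IBS above and the vBNN-IBS variant of Section IV.A.2 on the constructed textbook curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$, whose 19 points form a group of prime order $q = 19$; $H_1$ and $H_2$ are modelled by SHA-256 reduced mod $q$, and the curve is far too small for real use. Comparing the two `verify` functions shows why dropping $Y$ from the signature is sound: the verifier recomputes it as $zP - h(R + cP_0)$.

```python
# Toy BNN-IBS and vBNN-IBS over y^2 = x^3 + 2x + 2 (mod 17), a constructed 19-point curve.
# The field is far too small for real use; it only exercises the signing/verification algebra.
import hashlib
import secrets

P_MOD, A, B = 17, 2, 2      # curve y^2 = x^3 + A x + B over F_p (constructed toy instance)
GEN = (5, 1)                # generator P of the group of points
INF = None                  # point at infinity O
Q = 19                      # prime order of the group; scalars live in Z_q

def ec_add(p1, p2):
    """Affine point addition on E/F_p with INF as the neutral element."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)

def h_int(*parts):
    """Stand-in for H1/H2: SHA-256 over a tagged encoding of the inputs, reduced mod q."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def setup():
    """Master secret x and master public key P0 = xP."""
    x = secrets.randbelow(Q - 1) + 1
    return x, ec_mul(x, GEN)

def extract(x, ident):
    """Key Extraction: R = rP, s = r + c x with c = H1(ID || R); the user key is (R, s)."""
    r = secrets.randbelow(Q - 1) + 1
    R = ec_mul(r, GEN)
    c = h_int("H1", ident, R)
    return R, (r + c * x) % Q

def sign_bnn(ident, key, msg):
    """BNN-IBS: sigma = <R, Y, z>, i.e. two curve points plus a scalar."""
    R, s = key
    y = secrets.randbelow(Q - 1) + 1
    Y = ec_mul(y, GEN)
    h = h_int("H2", ident, msg, R, Y)
    return (R, Y, (y + h * s) % Q)

def verify_bnn(ident, P0, msg, sig):
    """BNN-IBS check: zP == Y + h(R + cP0)."""
    R, Y, z = sig
    h = h_int("H2", ident, msg, R, Y)
    c = h_int("H1", ident, R)
    return ec_mul(z, GEN) == ec_add(Y, ec_mul(h, ec_add(R, ec_mul(c, P0))))

def sign_vbnn(ident, key, msg):
    """vBNN-IBS: sigma = <R, h, z>; Y is omitted because the verifier can recompute it."""
    R, s = key
    y = secrets.randbelow(Q - 1) + 1
    Y = ec_mul(y, GEN)
    h = h_int("H2", ident, msg, R, Y)
    return (R, h, (y + h * s) % Q)

def verify_vbnn(ident, P0, msg, sig):
    """vBNN-IBS check: h == H2(ID, m, R, zP - h(R + cP0)), where zP - h(R + cP0) = yP."""
    R, h, z = sig
    c = h_int("H1", ident, R)
    y_point = ec_add(ec_mul(z, GEN), ec_neg(ec_mul(h, ec_add(R, ec_mul(c, P0)))))
    return h == h_int("H2", ident, msg, R, y_point)
```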
