Group Key Agreement Protocol based on Grouping in Ad Hoc Network

1 Ruojuan Xue, 2 Wenpeng Lu, 3 Qikun Zhang
*1 LiShan College, Shandong Normal University, Jinan, China, xuerj@sdnu.edu.cn
2 School of Science, Shandong Polytechnic University, Jinan, China, lwp@sdili.edu.cn
3 School of Computer, Beijing Institute of Technology, Beijing, China, qkzhang04@gmail.com


Abstract
A group key agreement protocol is proposed in this paper. In the scheme, the members of a group are divided into teams, and the group key agreement relies on the multi-linear mapping algorithm. The shared key function of each team is established on the hardness of the elliptic curve discrete logarithm problem. Different expressions of the function generate dynamic shared keys. This suits large-scale, dynamic Ad hoc networks in which the group key is updated frequently. In this scheme, the key agreement within one team doesn't affect the others, so the other teams need not update their shared keys when members join or exit another team. Compared with the other schemes, this scheme can reduce the cost of key computation and communication, and it is suitable for the Ad hoc network environment with its security, scalability and the robustness of the dual hard problem.

Keywords: Ad Hoc Network, Multi-Linear Mapping, Elliptic Curve, Shared Key Function

1. Introduction

The target of group key management is that all members of the group can share the key safely, and that it can process events such as the exit of group members, the joining of new members, or the merging and partition of sub-groups. Besides, it should ensure that a member cannot access the communication information of the group after it exits the group, and that a member cannot access its former group when it joins a new group.
Recently, much research has been done on group key management, and many group key management schemes and security analyses have been proposed. Zhou [1], Luo [2] and Fokin et al. [3] have proposed a key management scheme with a partly distributed CA (Certificate Authority) based on a threshold cryptosystem, which realizes the CA by distributing key shares to a set of special server nodes that finish the encryption, decryption and signature operations jointly. This scheme is based on certificate-based RSA public keys and avoids the failure of a single node by applying the threshold cryptosystem, which enhances the robustness of the network. But its shortcoming is obvious: the enormous computation of the RSA algorithm, which leads to higher cost of computation and transmission, and lower security. Some typical conference group key agreement protocols, such as the novel group key agreement protocol for wireless mesh network [4], the novel hybrid group key agreement for sensitive information systems [5], communication-efficient group key agreement [6] and tree-based group key agreement [7], are designed for the wired network. They adopt the scheme of distributed key agreement, and require the same security and trust as the group key agreement in Ad hoc network. They need enormous computation and storage cost, but the computation and storage ability of the nodes in Ad hoc network is limited. Therefore, they are not suitable for Ad hoc network. The identity-based blind key pairing scheme and the bilinear mapping scheme are respectively proposed in [8,9]. The scheme combining bilinear mapping with the logical key hierarchy is proposed in [10,11,12]. The dynamic group key management scheme based on ternary-tree is put forward in [13]. These schemes can reduce the communication and computation costs of key agreement based on STR to a certain extent, but they still can't alter the cost of adjusting the balanced tree. The scheme proposed in [14] can negotiate the group key with the multi-linear principle. But it lacks scalability, because the pre-defined n can't be established efficiently. If n is too large, it leads to enormous redundant computation; if n is too small, the group cannot be extended, and the groups need to be redefined and negotiate the key again when new members join.
The group key management scheme based on grouping provided in this paper can be realized simply and expediently, and its cost of computation and communication is less. It is independent of the structure of groups, the shared key is generated by universal functions, and the members can gain different shared keys without changing their key share, namely, the parameters of the shared key function. The scheme is established on the hardness of the multi-linear mapping and the elliptic curve discrete logarithm, which ensures the dual security performance of the key.

Advances in information Sciences and Service Sciences (AISS), Volume 3, Number 11, December 2011. doi: 10.4156/AISS.vol3.issue11.45

2. Basic theory

The cryptosystem of elliptic curve is based on the elliptic curve of finite field [15]. Two kinds of elliptic curves in the cryptology are the prime curves defined on $Z_P$ and the binary curve constructed on $GF(2^m)$. The finite field $GF(2^m)$ consists of $2^m$ elements, with the operations of addition and multiplication defined on the polynomial. Given m numbers, the cubic equation $y^2 + xy = x^3 + ax^2 + b$, whose arguments and coefficients are the elements of $GF(2^m)$, is used for the elliptic curve over $GF(2^m)$. The coefficients $a$, $b$ and the arguments $x$, $y$ are the elements in $GF(2^m)$, and all operations are carried out on this field. The finite field elliptic curve cryptography is based on the hardness of the elliptic curve discrete logarithm problem (ECDLP). The elliptic curve discrete logarithm problem (ECDLP) is: in the given equation $Q = KP$, $Q, P \in E_P(a, b)$ and $K < P$, given $K$ and $P$, it is easy to calculate $Q$; but given $P$ and $Q$, the calculation of $K$ is difficult. The number $P$ is a large prime number, and $E_P(a, b)$ is the set which consists of all the integers $(x, y)$ satisfying the equation and the infinite point $o$. The order of point $G$ on the elliptic curve $E$ is the smallest positive integer $p$ which satisfies $pG = o$. $G$ is an Abelian group defined on the set $E_p(a, b)$.
Multi-linear Diffie-Hellman hypothesis: Reference [16] gives the definition of $l$-multi-linear mapping. Let $G_1$ be an addition group and $G_2$ be a multiplicative group; the discrete logarithm over $G_1$ and $G_2$ is hard to solve.
Definition 1: The mapping $e: G_1^L \to G_2$ is defined as an L multi-linear mapping, if it has the following properties:
a) $G_1$ and $G_2$ have the same prime order $p$;
b) For all $a_1, a_2, \ldots, a_l \in Z_p$ and $g_1, g_2, \ldots, g_l \in G_1$, there exists $e(a_1 g_1, a_2 g_2, \ldots, a_l g_l) = e(g_1, g_2, \ldots, g_l)^{a_1 a_2 \cdots a_l}$;
c) non-degeneracy: if $g$ is one of the generators of $G_1$ ($g \in G_1$), then $e(g, g, \ldots, g)$ is also one of the generators of $G_2$.
Definition 2: The determinable multi-linear Diffie-Hellman problem (DMDH) is that, given $(e, g, a_1 g, a_2 g, \ldots, a_{l+1} g)$ and $z \in G_2$, whether $e(g, g, \ldots, g)^{a_1 a_2 \cdots a_{l+1}}$ exists can be determined.
Definition 3: The determinable multi-linear Diffie-Hellman hypothesis is that it is hard to solve the determinable multi-linear Diffie-Hellman problem. This means that there is not a probabilistic polynomial time algorithm to solve the Diffie-Hellman problem.

3. Group key agreement protocol based on grouping

3.1. Design model of the protocol

When the group is initialized, according to the range of the public key pair (coordinate) of group members, the group is divided into $l$ teams. (The set $E_{2^m}(a, b)$ consisting of the elliptic curve integer pairs $(x, y)$ and the infinite point $o$ is divided into $l$ subsets, and each subset composes a team. All the teams are $Z_1(x, y), Z_2(x, y), \ldots, Z_l(x, y)$. Moreover, $Z_1(x, y) \cup Z_2(x, y) \cup \cdots \cup Z_l(x, y) \in E_{2^m}(a, b)$ and $Z_1(x, y) \cap Z_2(x, y) \cap \cdots \cap Z_l(x, y) = \emptyset$. If the public key $P_{Ki} \in Z_j(x, y)$, $(1 \le i \le n, 1 \le j \le l)$ of member $M_i$, then the member $M_i$ belongs to the $j$th team.) Each team can have $n$ internal members. $n$ is arbitrary, and varies with the number of members in each team. When the team is null, its key is a $l$ multi-linear generator. There is an internal member $M_l$ ($0 < l < n$) in each team as the organizing member deputy among $l$ teams (i.e., the member $M_l$ is both an internal member of the team and the organizing member deputy among teams). Each team consults an internal shared key within the team, and all teams of the group consult a shared group key among teams. As shown in Figure 1, the structure is described abstractly as a three-dimensional grid-like structure.

Figure 1. The structure of group multicast key















3.2. Logic description of the protocol

The parameters in the definition of the protocol are as follows: $GF(2^m)$ is a finite field, $E$ is an elliptic curve over the finite field, and $E_{2^m}(a, b)$ represents the set which consists of all the integer pairs $(x, y)$ satisfying the elliptic curve equation and the infinite point $o$. $G$ is a base point on $E$, and the order of $G$ is the smallest positive integer $p$ that satisfies $pG = o$. The members within the team are represented with $(M_1, M_2, \ldots, M_n)$, $(n > 2)$. The public and private key pair of the team members is denoted by $(K_i, P_{Ki})$, and $(Sign_{Ki}, V_{Ki})$ is the signature verification key pair. The team identity identifier is $SID$, and $H(\cdot)$ is the one-way Hash function.
The set $E_{2^m}(a, b)$, consisting of the elliptic curve integer pairs $(x, y)$ and the infinite point $o$, divides the group members into $l$ teams. Each member can be put into only one team. If the elliptic curve integer pairs corresponding to the set consisting of each team member are denoted with $Z_i(x, y)$, in other words, the public key of member $M_i$ satisfies $P_{Ki} \in Z_i(x, y)$, then the sets composed by all the members respectively are $Z_1(x, y), Z_2(x, y), \ldots, Z_l(x, y)$. Moreover, $Z_1(x, y) \cup Z_2(x, y) \cup \cdots \cup Z_l(x, y) \in E_{2^m}(a, b)$ and $Z_1(x, y) \cap Z_2(x, y) \cap \cdots \cap Z_l(x, y) = \emptyset$.
Each member $M_i$ randomly selects an integer $K_i$ from the integer set $\{1, 2, \ldots, n\}$ as its own private key, and lets $ID_i$ be its identity identifier. Its corresponding public key is $P_{Ki} = K_i G$, and the signature is $Sign_{Ki}(x_{Ki} \| y_{Ki} \| ID_{Ki})$. If $P_{Ki} \bmod p \in Z_i$ and there is no repeated member within the team, then the member $M_i$ will be put into the team $Z_i$; otherwise, the member $M_i$ reselects another private key. The function $H(\cdot)$ is a one-way Hash function, and $x_{Ki}$, $y_{Ki}$, $ID_{Ki}$ respectively are the horizontal and vertical coordinates of $P_{Ki}$ and the identity signature of $M_i$. The signature adopts the identity-based elliptic curve signature mechanism [17][18].

3.2.1. Initialization

(1) The internal member $M_i$ of each team $Z_i(x, y)$ randomly selects an integer $m_i$ from the set $\{1, 2, \ldots, n\}$, then calculates and broadcasts $(P_{Ki}, Sign_{Ki}(x_{Ki} \| y_{Ki} \| ID_{Ki}))$.
(2) Each member $M_j$ ($j = 1, 2, \ldots, i-1, i+1, \ldots, n$) in the team begins to do the calculation of group key agreement after receiving the broadcast and verifying the signature. Each member calculates and broadcasts $m_i P_{Kj}$, ($i \ne j$, $j = 1, 2, \ldots, n$), but its key share $m_i$ is kept secret. Let $A = [m_1, m_2, \ldots, m_n]$ be the vector composed of the integers generated randomly by the team members, and $B = [P_{K1}, P_{K2}, \ldots, P_{Kn}]$ be the vector composed of the corresponding public keys, then the matrix

$$M = A^T B = \begin{pmatrix} m_1 P_{K1} & m_1 P_{K2} & \cdots & m_1 P_{Kn} \\ m_2 P_{K1} & m_2 P_{K2} & \cdots & m_2 P_{Kn} \\ \vdots & \vdots & & \vdots \\ m_n P_{K1} & m_n P_{K2} & \cdots & m_n P_{Kn} \end{pmatrix}.$$

If each column of the matrix $M$ is denoted with a corresponding vector function $f(P_{Ki}) = [m_1 P_{Ki}, m_2 P_{Ki}, \ldots, m_n P_{Ki}]$, then the matrix $M$ can be represented as: $M = [f(P_{K1}), f(P_{K2}), \ldots, f(P_{Kn})]$.
(3) If any member $M_j$ of the team corresponds to a vector function

$$f(P_{Kj}) = [m_1 P_{Kj}, m_2 P_{Kj}, \ldots, m_n P_{Kj}] = [m_1 K_j G, m_2 K_j G, \ldots, m_n K_j G] = K_j [m_1 G, m_2 G, \ldots, m_n G],$$

then the arbitrary linear combination function $Q(f(P_{Kj}))$ of the vector function $f(P_{Kj})$ is:

$$Q(f(P_{Kj})) = Q([m_1 P_{Kj}, m_2 P_{Kj}, \ldots, m_n P_{Kj}]) = Q([m_1 K_j G, m_2 K_j G, \ldots, m_n K_j G]) = K_j\, Q([m_1 G, m_2 G, \ldots, m_n G]).$$
(4) Because $K_j$ is the private key of $M_j$, any member $M_j$ gets the same value of the function $Q(m_i G) = Q[m_1 G, m_2 G, \ldots, m_n G]$ after getting its own private key (the parameter and the number of function are the same).

$$Q(m_i G) = Q[m_1 G, m_2 G, \ldots, m_n G] = (m_1 G * m_2 G * \cdots * m_n G).$$

($*$ represents one kind of computation, and the expression of computation can be adjusted expediently for the flexibility of the key updating.)
(5) The member deputy $M_i$ among the teams calculates and broadcasts the value of $P_{sgroup} = H(Q(m_i G) \| SID)$ within the team, and every member within the team calculates and compares the value of $P_{sgroup}$. If the values are the same, then $K_{zi} = H(Q(m_i G))$ is the internal team shared key.
(6) According to the steps (1) - (5), every team calculates its own team shared key in turn, and the results are as follows: $K_{z1}, K_{z2}, \ldots, K_{zl}$.
(7) Each member deputy $M_i$ ($i = 1, 2, \ldots, n$) among the groups calculates and broadcasts $K_{zi} g$.
(8) According to Definition 1, the key of the Ad hoc group is:

$$K_{group} = e(K_{z2} g, K_{z3} g, \ldots, K_{zl} g)^{K_{z1}} = e(K_{z1} g, K_{z3} g, \ldots, K_{zl} g)^{K_{z2}} = e(K_{z1} g, K_{z2} g, \ldots, K_{zl} g)^{K_{z3}} = \cdots = e(K_{z1} g, K_{z2} g, \ldots, K_{z(l-1)} g)^{K_{zl}} = e(g, g, \ldots, g)^{K_{z1} K_{z2} K_{z3} \cdots K_{zl}}$$

(9) Any team broadcasts the value of $P_{group} = H(K_{group} \| g)$. If the values are the same, then $K_{group}$ is the key of the Ad hoc group.

3.2.2. Key updating protocol

(1) Key updating protocol for the joining of new member
When the external member $M_{n+1}$ wants to join the group, firstly it needs to generate its own public and private key pair $(K_{n+1}, P_{K(n+1)})$ and its signature verification key pair $(Sign_{K(n+1)}, V_{K(n+1)})$, and chooses $ID_{K(n+1)}$ as its identity identifier. According to the scope of its public key point pair $P_{K(n+1)} \bmod p \in Z_i$, it can try to join the corresponding team $Z_i(x, y)$. The member deputy $M_i$ of this team will verify its public key and identity identifier $ID_{K(n+1)}$. If there is not the same public key within the team, then the private key needn't be reselected. After verifying the new member, the internal member $M_i$ of the team changes its key share to $m_i'$, and lets the member $M_{n+1}$ randomly select an integer $m_{n+1}$ from the set $\{1, 2, \ldots, n\}$ to calculate $m_{n+1} P_{Kj}$ ($j = 1, 2, \ldots, n$). After computing $m_i' P_{Kj}$, ($i \ne j$, $j = 1, 2, \ldots, n$), the member deputy $M_i$ among the teams broadcasts $m_{n+1} P_{Kj}$, $m_i' P_{Kj}$, ($i \ne j$, $j = 1, 2, \ldots, n$), $(P_{K(n+1)}, Sign_{K(n+1)}(x_{K(n+1)} \| y_{K(n+1)} \| ID_{K(n+1)}))$, then initiates the key updating protocol.
After verifying the signature, each team member $M_j$ ($j \ne i$, $j = 1, 2, \ldots, n$) severally calculates the function

$$Q'(f(P_{Kj})) = Q'([m_1 P_{Kj}, m_2 P_{Kj}, \ldots, m_i' P_{Kj}, \ldots, m_{n+1} P_{Kj}]) = Q'(K_j [m_1 G, m_2 G, \ldots, m_i' G, \ldots, m_{n+1} G]) = K_j\, Q'([m_1 G, m_2 G, \ldots, m_i' G, \ldots, m_{n+1} G]).$$

Because $K_j$ is the private key of $M_j$, each member $M_j$ can get the same value of the function $Q'(m_i G) = Q([m_1 G, m_2 G, \ldots, m_i' G, \ldots, m_{n+1} G])$ with its private key.

$Z_i$ sends the vector $[m_1 P_{K(n+1)}, m_2 P_{K(n+1)}, \ldots, m_i' P_{K(n+1)}, \ldots, m_n P_{K(n+1)}]$ to the new member $M_{n+1}$. The member $M_{n+1}$ calculates

$$Q'(f(P_{K(n+1)})) = Q'([m_1 P_{K(n+1)}, m_2 P_{K(n+1)}, \ldots, m_i' P_{K(n+1)}, \ldots, m_{n+1} P_{K(n+1)}]) = Q'(K_{n+1} [m_1 G, m_2 G, \ldots, m_i' G, \ldots, m_{n+1} G]) = K_{n+1}\, Q'([m_1 G, m_2 G, \ldots, m_i' G, \ldots, m_{n+1} G]),$$

and computes $Q'(m_i G) = Q([m_1 G, m_2 G, \ldots, m_i' G, \ldots, m_{n+1} G])$ with its private key $K_{n+1}$.
The member deputy $M_i$ broadcasts $P_{sgroup} = H(Q'(m_i G) \| SID)$, and the members of the team compare their values. If the values are the same, then $K_{zi}' = H(Q'(m_i G))$ is taken as the team shared key. Except for the team of $M_{n+1}$, the shared keys of the other teams are unaltered, which are: $K_{z1}, K_{z2}, \ldots, K_{zi}', \ldots, K_{zl}$. The team $Z_i$ broadcasts $(K_{zi}' g, H(P_{zi} \| SID))$ and initiates the key updating protocol among teams.
After authenticating among teams, the group calculates the group shared key

$$K_{group}' = e(K_{z2} g, K_{z3} g, \ldots, K_{zl} g)^{K_{z1}} = e(K_{z1} g, K_{z3} g, \ldots, K_{zl} g)^{K_{z2}} = e(K_{z1} g, K_{z2} g, \ldots, K_{z(i-1)} g, K_{z(i+1)} g, \ldots, K_{zl} g)^{K_{zi}'} = \cdots = e(K_{z1} g, K_{z2} g, \ldots, K_{z(l-1)} g)^{K_{zl}} = e(g, g, \ldots, g)^{K_{z1} K_{z2} \cdots K_{zi}' \cdots K_{zl}}.$$
(2) Key updating protocol for the leaving of internal member
When the internal member $M_j$ ($1 < j < n$) in the team $Z_i$ leaves the set, the new set is $Z_i'(x, y) = Z_i(x, y) - \{P_{Kj}\}$. The member deputy $M_i$ of the team updates its key share $m_i'$ again, then computes and broadcasts $m_i' P_{Ki}$, ($i = 1, 2, \ldots, n-1$, $i \ne j$), the public key $P_{Kj}$ of $M_j$ and the signature verification key pair ($P_{Ki}$, $sign_{Ki} = H(x_{Ki} \| y_{Ki} \| ID_{Ki})$) of $M_i$ (if the member deputy $M_i$ leaves the team, an adjacent member in the coordinate system within the team would be selected as the member deputy) and initiates the key updating protocol.
The group key updating is similar to the one for the joining of a new member. Each team member $M_i$ no longer calculates with the public key $P_{Kj}$ of the member which has left the team; the calculating vector is

$$Q'(f(P_{Ki})) = [m_1 P_{Ki}, m_2 P_{Ki}, \ldots, m_i' P_{Ki}, m_{j-1} P_{Ki}, m_{j+1} P_{Ki}, \ldots, m_n P_{Ki}].$$

According to the method for the joining of a new member, the group shared key or the linear combination function $Q'(m_i G)$ is updated.
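
A toy run of team-key steps (1)-(5) of Section 3.2.1 and of the share change on a membership update, added here as an illustration and not taken from the paper. Assumptions: a textbook prime-field curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ with $G = (5, 1)$ of order 19 instead of $GF(2^m)$, SHA-256 for $H$, point addition for the unspecified $*$ operation, signatures omitted; all function names are hypothetical.

```python
import hashlib

# Assumed toy parameters (not from the paper, which works over GF(2^m)):
# textbook curve y^2 = x^3 + 2x + 2 over F_17, base point G of prime order 19.
FIELD, A, ORDER, G = 17, 2, 19, (5, 1)
INF = None  # the point at infinity o


def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % FIELD, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    lam %= FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, k = INF, k % ORDER
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc


def H(*parts):
    """One-way hash H(.) over '||'-joined parts; SHA-256 is an assumption."""
    return hashlib.sha256("||".join(map(str, parts)).encode()).hexdigest()


def broadcast_matrix(shares, pubkeys):
    """Step (2): row i holds m_i * P_Kj for every j, i.e. M = A^T B."""
    return [[mul(m, pk) for pk in pubkeys] for m in shares]


def team_key(j, k_j, matrix, sid):
    """Steps (3)-(5) as member j: strip K_j from column j, combine, hash."""
    inv = pow(k_j, -1, ORDER)             # K_j^{-1} modulo the order of G
    q = INF
    for row in matrix:
        q = add(q, mul(inv, row[j]))      # recovers m_i*G; '*' taken as '+'
    if q is INF:
        # With '*' = point addition, Q = o whenever sum(m_i) = 0 mod order.
        raise ValueError("degenerate Q = o: deputy must choose a new share")
    return H(q), H(q, sid)                # (K_z, P_sgroup)


def run_team(privs, shares, sid="SID-demo"):
    """Every member derives (K_z, P_sgroup); all tuples must be identical."""
    pubkeys = [mul(k, G) for k in privs]  # P_Ki = K_i * G
    matrix = broadcast_matrix(shares, pubkeys)
    return [team_key(j, k, matrix, sid) for j, k in enumerate(privs)]


if __name__ == "__main__":
    privs, shares = [3, 7, 11], [4, 9, 15]   # constructed sample values
    init = run_team(privs, shares)
    # Join: the deputy changes its share 4 -> 6, the newcomer brings K=5, m=2.
    joined = run_team(privs + [5], [6, 9, 15, 2])
    print("all agree at init:", len(set(init)) == 1)
    print("all agree on join:", len(set(joined)) == 1)
    print("team key changed :", init[0][0] != joined[0][0])
```

Because $*$ is taken to be point addition here, $Q$ equals $(\sum m_i) G$, so the team key depends only on the sum of the shares modulo the order of $G$; the `ValueError` branch covers the case where an updated share makes that sum zero.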

4. Correctness analysis

The so-called correctness means that even if there is a passive attacker, all dynamic group members can still calculate the same key. In this section, the solution proposed in the paper is proved to satisfy the correctness.
Proposition 1: In the procedure of the group key agreement based on grouping, if each member of the group calculates correctly, then they would get the same group key.
Proof:

$$K_{group} = e(g, g, \ldots, g)^{K_{z1} K_{z2} K_{z3} \cdots K_{zl}} = e(K_{z2} g, K_{z3} g, \ldots, K_{zl} g)^{K_{z1}} = e(H(Q(m_i G))_2\, g, H(Q(m_i G))_3\, g, \ldots, H(Q(m_i G))_l\, g)^{H(Q(m_i G))_1}$$

Because the member $M_j$ is one of the group, as long as each team can correctly calculate $Q(m_i G) = Q[m_1 G, m_2 G, \ldots, m_n G]$, the Hash value of $H(Q(m_i G))$ is the same, and then each team can generate the same shared key. For the function $Q[m_1 G, m_2 G, \ldots, m_n G]$, because the functions of each member are the same, and every parameter variable of the function and the number are the same, the function values are the same.
As long as the members of each team calculate $H(Q(m_i G))$ ($j = 1, 2, \ldots, n$) correctly, the same $K_{group}$ can be gotten with backward reasoning. The team member $Z_i$ within the group encrypts the group key with the team shared key and distributes it to the members within the teams.
Proposition 2: As long as each member of the team calculates correctly during the procedure of key updating, then the same group shared key can be achieved.
Proof: The analysis is similar to that of Proposition 1. If each member $M_j$ ($j = 1, 2, \ldots, n$) within each team calculates $Q'(m_i G)$ correctly, then the Hash value of the corresponding $K_i' = H(Q'(m_i G))$ is the same. Therefore, $K_{group}' = e(g, g, \ldots, g)^{K_{z1} K_{z2} K_{z3} \cdots K_{zi}' \cdots K_{zl}}$ is also the same.

5. Security analysis

The scheme is based on multi-linear mapping and elliptic curve cryptography, and its security is established on the dual hard problems of the elliptic curve discrete logarithm over the finite field and the determinable multi-linear Diffie-Hellman. The hard problem of elliptic curve discrete logarithm (ECDLP) is: in the given equation $Q = PK$, $Q, P \in E_P(a, b)$ and $K < P$. Given $K$ and $P$, it is easy to calculate $Q$; while given $P$ and $Q$, the calculation of $K$ is difficult. The hard problem of solving the multi-linear Diffie-Hellman is that there is no probabilistic polynomial time algorithm to solve a Diffie-Hellman problem.
Proposition 3: Even if there is a passive attacker, the proposed group key management scheme also
meets the security attributes, such as key confidentiality, strong forward secrecy, strong backward
secrecy and key independence.
Proof 1 of the proposition 3 for the key confidentiality: Suppose the attacker A intercepts all the information of key negotiation, namely all the elements of the matrix $M$, and can combine the vector $Q(f(P_{Kj}))$. But because he hasn't the corresponding private key $K_j$, he can't achieve $Q(m_i G)$ with his private key. Otherwise, it would breach the hard problem property of elliptic curve discrete logarithm. It is not feasible for the attacker to solve the single $m_i$, because it is also the hard problem of elliptic curve discrete logarithm. The attacker A can get the broadcast messages $H(Q(m_i G) \| SID)$ in the procedure of the key agreement. Even though the attacker knows $SID$, he can't get the $H(Q(m_i G))$ for the one-way property of the Hash function. The attacker can't forge or achieve the team shared key, and can't get the group shared key, so the scheme is safe.
Proof 2 of the proposition 3 for the backward secrecy: When a new member $M_j$ joins the team $Z_i(x, y)$, the member deputy $M_i$ among teams changes its key share to $m_i'$. The members within the team update the function vector parameter value $Q(m_i G)$ to $Q'(m_i G)$, then calculate the team key with the specific function. The new member can only get $Q'(m_i G)$ sent by the member $M_i$, and the hard problem of elliptic curve discrete logarithm ensures that the new member $M_j$ and the attacker A can't get the original $Q(m_i G)$. During the key consistency authentication, the security of the shared key within the team is ensured by the one-way and anti-collision properties of the Hash function. Besides, the group key adds another multi-linear mapping hard problem, so the group key is more secure. All the above ensure the strong backward secrecy of the scheme.
Proof 3 of the proposition 3 for the forward secrecy: The member deputy $M_i$ within the team broadcasts the public key $P_{Kj}$ of the member $M_j$ when $M_j$ leaves the team $Z_i(x, y)$, and the other team members remove the element from the vector set. At the same time, the member $M_i$ updates its key share $m_i'$. Even if the member $M_j$ can intercept the vector set $Q(f(P_{Kj})) = [m_1 P_{Kj}, m_2 P_{Kj}, \ldots, m_i' P_{Kj}, \ldots, m_{n-1} P_{Kj}]$ consisting of all vector elements when they are broadcast again, he can't get $K_j$ without the corresponding private key. According to the property of the hard problem of the elliptic curve discrete logarithm, he can't get $Q'(m_i G)$. Moreover, when the members of the team calculate the shared key, his corresponding public key element is not considered in the vector set (i.e., his corresponding key share is not calculated). Therefore, the member $M_j$ can't achieve the team shared key and the group key. The scheme has a strong forward secrecy.

6. Performance Analysis

This scheme divides a large group into several teams. Each team shares a team key, and a group key is shared among the teams. No specific topology is needed, and a change in the membership of teams doesn't induce any structural adjustment. The joining or leaving of members in one team doesn't affect the other teams, so the shared keys of other teams needn't be updated, which reduces the communication overhead. As the shared key of the team is a function, the team can change the key by changing the calculation method of the function. The scheme needn't any communication overhead and generates the shared key flexibly and variedly. The number of the members doesn't affect the communication overhead, which is the same when a lot of members or a single member join and leave. In the scheme, the joining or leaving of a single member can be looked at as the vector set consisting of multi-members. When the number of teams $L$ approximates $L \approx n$, it is the best grouping theory. Because the joining or leaving of the members is random, the grouping is relatively stable.
In the following, as shown in Table 1, the scheme is compared with [13, 19] on the cost of communication, message and computation when $L \approx n$. The letter I denotes the initialization protocol, J the protocol for the joining of members and E the protocol for the leaving of members. The letter n denotes the number of the members in the group, and L is the number of the teams in the group. The letter h denotes the height of the tree, and N is the number of the members who request to join or leave. The letter K expresses the height of the new key tree composed of N new members, and r is the height of the new key tree consisting of the rest $n - N$ members.
Additional explanation for Table 1: calculation amount means the multiplication calculation amount of an ordinary member. Besides, when a node joins the group, the calculation amount of the member deputy $M_i$ among teams is $n + 2$, that of the requester is $n + 1$, and that of other members is 1. When N members join the group, the calculation amount of the member $M_i$ is $n + N + 1$, the amount of the requesters is $n + k$, and the amount of the ordinary members is 1. When one member or a batch of members leave, the computation amount of the member $M_i$ is 2, and the amount of other members is 1.

Table 1. Performance comparison

As can be seen from Table 1, in the proposed scheme, when a large number of members join or exit the group, the group key updating communication and the multiplication calculation amount of ordinary members do not change, which fits the characteristic that large numbers of members frequently vary in the wireless network. The frequency of broadcast is a constant which is independent of the size of the group, thus the delay caused by exchanging a large number of messages is avoided. In the calculation amount, the joining or leaving of the members within each team doesn't affect the shared key updating of the other teams. The calculation is only two layers, which reduces the scale of computation.

7. Conclusion

In this paper, a two-layer group key scheme based on grouping is proposed. With a simple structure, it is easy to manage. The scheme doesn't require a lot of reconstruction overhead, and the group members can calculate and negotiate more fairly. Based on the hardness of the elliptic curve discrete logarithm and multi-linear mapping, the scheme has the characteristics of algorithmic simplicity and dual safety. The teams can generate shared keys by dynamically changing the expression of the key function, and can achieve many different shared keys. The scheme is universal and suitable for application in the large-scale wireless Ad hoc network in which the members change frequently.

Acknowledgement

This work is supported by a project of Shandong Province Higher Educational Science and
Technology Program(J10LG20), and Natural Science Foundation of Shandong Province
(ZR2011FQ038), China.

| Protocol | Group Operating | Rounds | Messages | Unicast | Multicast | Calculation Amount |
|---|---|---|---|---|---|---|
| CCEGK | initialization | h | 2*(n-1) | n | n-2 | 2*h-2 |
| CCEGK | node join | 1 | 2 | 1 | 1 | 1 |
| CCEGK | batch join | K+1 | 2*N | N | n | 2*k |
| CCEGK | batch leave | r | 2*(n-N-1) | n-N | n-N-2 | 2*r |
| EGK | initialization | h | 2*(n-1) | 0 | 2*n-2 | 2*h-2 |
| EGK | node join | 1 | 2 | 0 | 2 | 1 |
| EGK | batch join | K+1 | 2*N | 0 | 2*N | 2*k |
| EGK | batch leave | h | 2*(n-N) | 0 | 2*(n-N) | 2*h |
| TGDH | initialization | h | 2*(n-1) | 0 | 2*n-2 | 2*h-2 |
| TGDH | node join | 2 | 3 | 0 | 3 | 3*h-3 |
| TGDH | batch join | K+1 | 2*N | 0 | 2*N | 3*h-3 |
| TGDH | batch exit | Min(k+1,h) | Min(2*N,n-N) | 0 | Min(2*N,n-N) | 3*h-3 |
| STR | initialization | n-1 | 2*(n-1) | 0 | 2*n-2 | 2*(n-1) |
| STR | node join | 2 | 3 | 0 | 3 | 4 |
| STR | batch join | 2 | N+2 | 0 | 2+N | 3*N+1 |
| STR | batch leave | 1 | 1 | 0 | 1 | n/2+2 |
| Our Scheme | initialization | 3 | 4 n | 0 | 4 n | n + 1 |
| Our Scheme | node join | 2 | 5 | 0 | 5 | 1 |
| Our Scheme | batch join | 2 | 5 | 0 | 5 | 1 |
| Our Scheme | batch leave | 1 | 5 | 0 | 5 | 1 |

References

[1] Lidong Zhou, Zygmunt J.Hass, Securing Ad hoc networks, IEEE Network, IEEE, vol. 13, no. 6,
pp.24-30, 1999.
[2] Haiyun Luo, Petros Zerfo, Jiejun Kong, Songwu Lu, Lixia Zhang, Self-securing Ad hoc wireless
network, In Proceedings of the ISCC 2002 Seventh International Symposium on Computers and
Communications, pp.567-564, 2002.
[3] Klas Fokin, Key management in Ad hoc networks, Linköpings University, Master Dissertation, 2002.
[4] Ziyi You, Xiaoyao Xie, A Novel Group Key Agreement Protocol for Wireless Mesh Network,
Journal of Convergence Information Technology, AICIT, vol. 6, no. 2, pp. 86-101, 2011.
[5] Xianping Wu, Huy Hoang Ngo, Phu Dung Le, Bala Srinivasan, Huamei Qi, Novel Hybrid Group
Key Agreement for Sensitive Information Systems, Journal of Convergence Information
Technology, AICIT, vol. 5, no. 1, pp. 69-81, 2010.
[6] Yongdae Kim, Adrian Perrig, Gene Tsudik, Communication-Efficient Group Key Agreement, In
Proceedings of 16th International Information Security Conference, pp.229-244, 2001.
[7] Yongdae Kim, Adrian Perrig, Gene Tsudik, Tree-based group key agreement, ACM
Transactions on Information and System Security, ACM, vol. 7, no. 1, pp.60-96, 2004.
[8] Yuan Wei, Hu Liang, Zhao Kuo, Li HongTu, Chu JiangFeng, Sun Yuyu, Improvement of an Efficient Identity-Based Group Key Agreement Protocol, In Proceeding(s) of 2011 International Conference on Network Computing and Information Security, pp.234-238, 2011.
[9] Hong Tang, Liehuang Zhu, Zijian Zhang, Efficient ID-Based Two Round Authenticated Group
Key Agreement Protocol, In Proceeding of 2008 International Conference on Wireless
Communications, Networking and Mobile Computing(WiCOM08), pp.1-4, 2008.
[10] Zhou Fucai, Xu Jian, Xu Haifeng, Research of STR multicast key management protocol based on
bilinear pairing in ad hoc network, Journal on Communications, Editorial Board of Journal on
Communications, vol. 29, no. 10, pp.117-125, 2008.
[11] Zhou Fucai, Xu Jian, Li Ting, Cost of multicast logical key tree based on hierarchical data processing, Wuhan University Journal of Natural Sciences, Editorial Department of Wuhan University Journal, vol.11, no. 5, pp.1172-1176, 2006.
[12] Raphael C.-W. Phan, Bok-Min Goi, (In)Security of efficient tree-based group key agreement
using bilinear map, In Proceeding of 2008 IEEE/IFIP 5th International Conference on Embedded
and Ubiquitous Computing(EUC 2008), pp.443-446, 2008.
[13] Sachin Tripathi, G.P. Biswas, Design of efficient ternary-tree based group key agreement
protocol for dynamic groups, In Proceeding of 2009 International Communication Systems and
Networks and Workshops(COMSNETS 09), pp.1-6, 2009.
[14] Zhang Liping, Cui Guohua, Group key agreement protocol based on circular hierarchical for Ad
hoc networks, Computer Science, Editorial Board of Computer Science Journal, vol. 35, no. 10,
pp.61-64, 2008.
[15] Wang Wei, Group key management: theory and key technologies, XiDian University, PhD
Dissertation, 2008.
[16] Dan Boneh, Alice Silverberg, Applications of multilinear forms to cryptography, Contemporary
Mathematics, AMS, vol. 324(2003), pp.71-90, 2003.
[17] Yan Junhui, Dai ZongDuo, Liu HongWei, An elliptic curve signature scheme and an identity-
based signature agreement, Journal of software(China), Science Press, vol. 11, no. 10, pp.1303-
1306, 2000.
[18] K.Muthumayil, Dr.V.Rajamani, Dr.S.Manikandan, M.Buvana, A group key agreement protocol
based on stability and power using Elliptic curve cryptography, In Proceeding of 2011
International Conference on Emerging Trends in Electrical and Computer Technology
(ICETECT2011), pp.1051-1056, 2011.
[19] Mark Manulis, Contributory group key agreement protocols, revisited for mobile ad-hoc groups, In Proceedings of 2005 IEEE International Conference on Mobile Ad hoc and Sensor Systems (MASS 2005), pp.811-818, 2005.
