A provable authenticated group key agreement protocol for mobile environment


Information Sciences xxx (2015) xxx–xxx

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Hung-Min Sun a,*, Bing-Zhe He a, Chien-Ming Chen b, Tsu-Yang Wu b, Chia-Hsien Lin a, Huaxiong Wang c

a Department of Computer Science, National Tsing Hua University, Taiwan
b Innovative Information Industry Research Center, Shenzhen Graduate School, Harbin Institute of Technology, Shenzhen, China
c School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore

Article info

Article history: Received 31 March 2014; Received in revised form 21 January 2015; Accepted 30 January 2015; Available online xxxx

Keywords: Group key agreement protocol; Semi-trusted third party; Certificateless; Mobile computing

Abstract

Secure group communication over an untrusted open network is a continuing problem, especially in mobile environments. With the development of 3G networks and mobile computing technology, the number of group-oriented applications is increasing rapidly. Although these applications are convenient, achieving secure group communication to protect user privacy is a major concern. This study presents an authenticated group key agreement protocol for mobile environments. By using certificateless public key cryptography, the protocol reduces the cost of managing certificates and avoids the key escrow problem. Instead of a fully-trusted server, the protocol uses a semi-trusted server, which helps users communicate but does not learn the group key. The analytical results indicate that the proposed protocol provides good security in mobile environments. © 2015 Elsevier Inc. All rights reserved.

1. Introduction

Secure information exchange over an untrusted network is a widely discussed issue in mobile computing. As 3G wireless networks grow in popularity, people can use mobile devices to connect to the Internet from almost anywhere, which has made life easier. The increasing computing power of mobile devices also increases user productivity. Some mobile computing applications enable a user in a coffee bar to hold online meetings and transfer important documents to other users. However, the documents must be protected, since most public networks are unsafe. One solution is to protect the communication with a group key that only group members can compute. The group key prevents attackers from eavesdropping on or tampering with messages, even when they are sent over public and untrusted networks. A major challenge when using a group key agreement protocol is ensuring that each member can securely derive the same group key. If all group members can meet each other to establish a group key, this problem is easily solved. However, in a mobile environment users typically communicate with each other through a third-party server. Additionally, mobile devices usually connect to the Internet through public networks (e.g., public access points). Therefore, group key agreement protocols for mobile environments must ensure that users can agree on a group key over insecure networks and that each member obtains the same group key at the end of the protocol.

* Corresponding author. E-mail addresses: [email protected] (H.-M. Sun), [email protected] (B.-Z. He), [email protected] (C.-M. Chen), [email protected] (T.-Y. Wu), [email protected] (C.-H. Lin), [email protected] (H. Wang). http://dx.doi.org/10.1016/j.ins.2015.01.037 0020-0255/© 2015 Elsevier Inc. All rights reserved.

Please cite this article in press as: H.-M. Sun et al., A provable authenticated group key agreement protocol for mobile environment, Inform. Sci. (2015), http://dx.doi.org/10.1016/j.ins.2015.01.037


Servers have a key role in mobile environments, since direct communication between low-power or mobile devices in 3G networks is difficult. When a group key agreement protocol is used in a mobile environment, the main function of the server is to help mobile devices compute, communicate, and ultimately establish a group key. In most proposed protocols [7,20,21,25,26], the server learns the group key at the end of the protocol and can therefore access secret information encrypted under it. These protocols all assume that the server is fully trusted and will not use the group key to eavesdrop on or tamper with the information. However, such servers are attractive targets: an adversary who compromises the server obtains the session keys and can decrypt all the protected data, which can result in financial losses. One way to increase the security of group keys is to prevent the server from learning the group key at the end of the protocol. This discussion refers to such servers as semi-trusted servers.

In a group key agreement protocol, authentication is essential. If a key agreement protocol does not provide authentication, it is vulnerable to the man-in-the-middle (MITM) attack [11]. One solution is to use signature algorithms to provide user authentication. If the signature algorithm is based on a public key infrastructure (PKI), then a certificate authority (CA) is needed to manage certificates. However, in conventional PKI the costs of certificate management, including storage, distribution, verification and revocation, are high. Shamir [22] therefore proposed ID-based cryptosystems in 1985, in which the identity of a user is used to derive the user's public key. Although public keys are derived from user IDs and are not generated by a CA, ID-based cryptosystems still require that private keys be generated by a private key generator (PKG). Another problem in ID-based cryptosystems is the key escrow problem [19].

This study adopts certificateless public key cryptography (CL-PKC) for authentication, which avoids the key escrow problem and does not require certificates to authenticate public keys. CL-PKC thus combines the advantages of PKI and ID-PKC. This study develops an efficient group key agreement protocol for mobile environments. The proposed protocol requires a semi-trusted server instead of a fully-trusted server: although the semi-trusted server helps users to communicate, it cannot derive the group key from the messages sent by users. Hence, compromising the semi-trusted server is less damaging than compromising a fully-trusted server. The proposed protocol also uses certificateless public key cryptography for user authentication. In comparison with conventional public key cryptography and ID-based cryptography, certificateless public key cryptography reduces the cost of certificate management and avoids the key escrow problem. A formal security proof and a performance analysis of the protocol are also presented. Compared to previous schemes, the proposed scheme is more secure and more suitable for mobile environments.

The rest of this paper is organized as follows. Section 2 reviews previous group key agreement protocols. Section 3 introduces the basic preliminaries, including the security assumptions and the adversarial model. Section 4 presents the proposed scheme. Section 5 discusses the security and performance analyses. Finally, Section 6 concludes the study.

2. Related work

In 1976, Diffie and Hellman [10] proposed the well-known key exchange protocol (DH protocol), in which modular exponentiation is used to allow two parties to establish a secret key. Although the DH protocol is vulnerable to the MITM attack, it was highly influential, and many studies later extended it to group key agreement protocols [4,12,16–18,24]. Since these protocols and the DH protocol are all based on modular exponentiation, they can be considered variants of the DH protocol. Another type of group key agreement protocol is based on identity-based cryptosystems. In 1985, Shamir [22] first introduced an identity-based cryptosystem and signature scheme. Boneh and Franklin [2] proposed a fully functional identity-based encryption scheme in 2001. Various key agreement protocols based on ID-based cryptosystems were later proposed [8,11,23,32]. For example, Wan et al. [28] proposed an anonymous ID-based group key protocol for wireless networks in 2008. In a wired network, user identity is not very sensitive; in a wireless network, however, the identities of group members are exposed to everyone, including the adversary, who can then easily trace the movement pattern of a user. Wan et al.'s anonymous protocol [28] successfully excludes outside passive and active adversaries, but it cannot exclude insider attacks. Hence, Wu et al. [31] (2011) proposed an authenticated group key protocol that resists an insider attack. Although an ID-based cryptosystem can reduce certificate management costs, an important limitation is the key escrow problem [19]. A solution to the key escrow problem is certificateless public key cryptography (CL-PKC), proposed by Al-Riyami and Paterson [1] in 2003. Since then, many certificateless signature schemes have been proposed [9,13,15,27,34]. In 2007, Cao et al.
[5] proposed a certificateless group key exchange protocol that uses secret sharing to construct the group key. However, Geng et al. [14] argued that the signature scheme in Cao et al.'s protocol is insecure and proposed a secure certificateless authenticated group key agreement protocol in which a modification of the Zhang–Zhang signature scheme [34] is used for batch verification.

With the development of mobile devices, many group key agreement protocols [3,6,7,20,21,25,26] have been proposed for the mobile environment. Since mobile devices have limited battery life and limited computing power, an ordinary group key agreement protocol is unsuitable for mobile environments. In 2002, Boyd and Nieto [3] proposed an efficient protocol that requires only one communication round, but it lacks forward secrecy. In 2005, Nam et al. [21] proposed a protocol for mobile environments based on the decisional Diffie–Hellman (DDH) assumption. In 2007, Tseng [26] reported that the group key in Nam et al.'s protocol can be predetermined by the powerful node. Additionally, Nam et al.'s protocol is not a contributory group key agreement protocol, since users cannot confirm that their contributions were involved in the group key. Tseng remedied the weakness of the protocol and improved its efficiency. However, Lee et al. found that Tseng's protocol does not provide authentication. The authenticated group key agreement protocol for mobile environments proposed by Lee et al. (2009) [20] is constructed from a bilinear map, so its security is based on the bilinear computational Diffie–Hellman assumption. However, in Lee et al.'s protocol [20], any adversary can impersonate a legal user and agree on a group key with other legal users; that is, the protocol does not provide implicit key authentication. Therefore, in 2011, Cheng et al. [7] and Tsai [25] proposed protocols that resist the impersonation attack. Cheng et al. used one additional hash operation to increase the security of the protocol, and Tsai used Zhang et al.'s short signature algorithm [33] to improve Lee et al.'s protocol.

3. Preliminaries

This section provides background knowledge, assumptions, and security notations.

3.1. Bilinear map

Let $G_1$ and $G_2$ be an additive cyclic group and a multiplicative cyclic group of the same prime order $q$. A bilinear map $e : G_1 \times G_1 \to G_2$ satisfies the following properties:

1. Bilinear: For all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$, $e(aP, bQ) = e(P, Q)^{ab}$.
2. Non-degenerate: There exists a $P \in G_1$ such that $e(P, P) \ne 1$.
3. Computable: $e$ can be computed efficiently.

3.2. Imbalanced wireless network

The mobile environment can be considered an imbalanced wireless network with two classes of devices: low-power devices (e.g., smartphones) and powerful devices (e.g., servers). "Imbalanced" means that the two classes have different computing power. For a low-power device, battery limitations result in limited computing power. Besides, communication between low-power devices is difficult in a mobile environment (e.g., 3G networks).
Therefore, a powerful device is needed to enable low-power devices to perform complex operations and to forward their messages. In this discussion, the server is a semi-trusted server that helps low-power devices communicate with each other but never learns the group key at the end of the protocol.

3.3. Certificateless public key signature

In 2003, Al-Riyami and Paterson [1] developed the concept of certificateless cryptography to solve two problems. First, it solves the certificate management problem: users can still verify a long-term public key without certificates. Second, it solves the key escrow problem [19] of ID-based cryptosystems. The key escrow problem in ID-based cryptosystems is that the private key of a user can be learned or held by the third-party server, so users must fully trust that server; an attacker who compromises the server obtains the users' private keys. Since the proposed protocol uses a certificateless public key signature (CL-PKS) algorithm for user authentication, a CA is not required to generate certificates. Instead, a Key Generation Center (KGC) generates partial long-term private keys for users. To verify a signature, the verifier first verifies the public key and then checks the signature. If both are correct, the public key and signature are valid and belong to the user; otherwise, the public key or the signature is invalid.

3.4. Adversarial model

Formally, an adversary $A$ is a probabilistic polynomial-time algorithm. We assume that $A$ can potentially control all communications in the proposed protocol by accessing a set of oracles. $A$ is allowed to make the following queries:

- Execute query. $A$ obtains a complete transcript of an honest execution between the participants. The number of group participants is chosen by $A$; this query models passive attacks.
- Partial private key extract query. When $A$ makes this query with identity $ID_u$, the oracle first selects a random value $Q_u$ and then computes $D_u = x \cdot Q_u$, where $x \in \mathbb{Z}_q^*$. Finally, the oracle returns $D_u$ to $A$ and adds $(ID_u, Q_u, D_u)$ to a list $L_1$.
- Private key query. When $A$ makes this query with identity $ID_u$, the oracle first searches the list $L_1$ to obtain $D_u$. Then the oracle returns $SK_u = (D_u, x_u)$ to $A$ and adds $(ID_u, D_u, x_u)$ to a list $L_2$, where $x_u \in_R \mathbb{Z}_q^*$.
- Public key query. When $A$ makes this query with identity $ID_u$, the oracle first searches the two lists $L_1$ and $L_2$ to obtain $Q_u$ and $x_u$. Then the oracle computes $PK_u = (x_u \cdot P, x_u \cdot Q_u)$ and returns $PK_u$ to $A$.
- Send query. When $A$ makes this query with message $m$, the oracle responds according to the protocol.
- Reveal query. When $A$ makes this query, the oracle returns an established group session key. This query models the known session key attack.


- Test query. $A$ makes this query only once. The oracle chooses a random coin $b \in \{0,1\}$. If $b = 1$, the group session key is returned; otherwise a random value is returned. This query models the semantic security of the group session key.

According to the above adversarial model, we define two types of adversaries. A passive adversary is only allowed to make Execute, Private key, Reveal, and Test queries. An active adversary is allowed to make all of the above queries. Both kinds of adversaries try to obtain the group session key after the execution of the protocol. Although the Execute query could be replaced by repeated Send queries, we keep it so that the analysis is more precise.

3.5. Security notations

Security of GKA protocol. The security of a group key agreement (GKA) protocol is defined by the following game played between an active adversary $A$ and a set of oracles:

- Initialization. The system master key, public parameters, and users' public/private key pairs are generated in this phase.
- Query. $A$ may make the different types of queries to the oracles and gets back the answers corresponding to the GKA protocol.
- Guess. Finally, the adversary $A$ outputs its guess for the coin $b$ of the Test query and terminates.

In this game, the goal of $A$ is to distinguish a group session key from a random value. Let Succ be the event that $A$ correctly guesses the coin $b$ in the Test query. The advantage of $A$ in attacking a GKA protocol $W$ is defined by $\mathrm{Adv}_{A,W}(k) = |2\Pr[\mathrm{Succ}] - 1|$. We say that the protocol $W$ is a secure GKA if the advantage $\mathrm{Adv}_{A,W}(k)$ is negligible.

Forward Secrecy. A GKA protocol $W$ provides forward secrecy if, when one or more participants' long-term private keys are compromised, previously established group session keys remain unknown to the adversary. The advantage of $A$ in attacking the forward secrecy of $W$ within running time $t$ is denoted by $\mathrm{Adv}_W^{GKA\text{-}fs}(t, q_{ex}, q_s)$, where $q_{ex}$ and $q_s$ are the maximum numbers of Execute and Send queries, respectively.

Implicit Key Authentication. A GKA protocol $W$ provides implicit key authentication if all participants in $W$ are guaranteed that nobody other than their partners can learn the group session key. In other words, no adversary learns the key. Note that this property does not guarantee that the partners have actually computed the key.

Known Session Key Security. A GKA protocol $W$ is secure against the known session key attack if an adversary who compromises one group session key of $W$ cannot use it to compromise another session key.

Known Session-specific Temporary Information Security. A GKA protocol is secure against the known session-specific temporary information attack if an adversary who obtains all temporary information, such as the random values, still cannot gain knowledge of the group key.

Contributiveness. A GKA protocol provides contributiveness if no participant can predict or predetermine the resulting group session key. Concretely, each participant can confirm that his contribution has been involved in the group key.

4. The proposed protocol

In this section, a new group key agreement protocol for mobile environments is presented. To provide user authentication, the protocol adopts Tso et al.'s short certificateless signature scheme [27], which is also introduced in this section. The notations used in the protocol are shown in Table 1.

Table 1. The notations.

Notation: Description
$q$: A prime number
$G_1, G_2$: A cyclic additive group and a multiplicative group of order $q$
$e$: A bilinear map $e : G_1 \times G_1 \to G_2$
$P$: A generator point of $G_1$
$H_0(\cdot)$: One-way hash function $\{0,1\}^* \to G_1$
$H_1(\cdot)$: One-way hash function $\{0,1\}^* \to \mathbb{Z}_q^*$
$n$: The number of users
$U_0$: Powerful node or server
$\{U_1, \ldots, U_n\}$: Low-power nodes or users
$PK_i$: The long-term public key of users and server
$SK_i$: The long-term private key of users and server
$\sigma_i$: The signature of $U_i$


4.1. Initialization

Setup: Let $G_1$ be an additive cyclic group and $G_2$ be a multiplicative cyclic group of the same prime order $q$, with a bilinear map $e : G_1 \times G_1 \to G_2$ and two one-way hash functions $H_0 : \{0,1\}^* \to G_1$ and $H_1 : \{0,1\}^* \to \mathbb{Z}_q^*$. The KGC chooses a generator $P \in G_1$ and a master secret $s \in \mathbb{Z}_q^*$, computes $P_{pub} = sP$, and publishes $params = (G_1, G_2, e, P, P_{pub}, H_0, H_1)$.

Partial-Private-Key-Extract: Given a user $U_i$'s identity $ID_i \in \{0,1\}^*$, the KGC first computes $Q_i = H_0(ID_i)$. Next, the KGC uses its master secret $s$ to compute the user's partial private key $D_i = sQ_i$ and transmits $D_i$ to the user $U_i$ through a secure channel.

Set-Secret-Value: The user $U_i$ chooses a random secret value $x_i \in \mathbb{Z}_q^*$.

Set-Private-Key: After receiving $D_i$ from the KGC, the user $U_i$ sets his private key as $SK_i = (D_i, x_i)$.

Set-Public-Key: User $U_i$ computes his public key as $PK_i = (pk_i^1, pk_i^2) = (x_i P, x_i Q_i)$.

4.2. Review of Tso et al.'s short certificateless signature algorithm

Before describing our protocol, we first introduce Tso et al.'s short certificateless signature algorithm [27]. The initialization phase of Tso et al.'s algorithm is similar to the initialization phase of the proposed scheme described above. The signature algorithm is as follows.

Sign: Given a message $m \in \{0,1\}^*$, public key $PK = (pk^1, pk^2) = (xP, xQ)$ and private key $SK = (D, x)$, compute the signature as

$$\sigma = \frac{1}{x + h} D,$$

where $h = H_1(m \| ID \| PK)$.

Verify: Given $m$, $\sigma$, and $PK$, the verifier first checks

$$e(pk^1, Q) = e(P, pk^2).$$

If it holds, the verifier then checks the signature as follows:

$$e(\sigma, pk^1 + hP) = e(H_0(ID), P_{pub}).$$

4.3. The group key agreement protocol

Now we introduce the proposed protocol (shown in Fig. 1). Let $\{U_1, U_2, \ldots, U_n\}$ be a group of participants who want to construct a group key to protect their communications. The indexes of all participants are linked in a cycle: for example, $U_n$'s next participant is $U_1$ and $U_1$'s previous participant is $U_n$. $U_0$ is the semi-trusted server. Since the server is not a group member, it must not learn the group key at the end of the protocol. In addition, we assume that each $U_i$ ($0 \le i \le n$) has obtained his own $ID_i$, $PK_i$ and $SK_i$ before executing the protocol, where $PK_i = (pk_i^1, pk_i^2) = (x_i P, x_i Q_i)$ and $SK_i = (D_i, x_i)$.

Step 1 (Round 1): Each $U_i$ ($1 \le i \le n$) chooses a random number $a_i \in \mathbb{Z}_q^*$ and computes two values $R_i$ and $Z_i$ from the other participants' long-term public keys, as in the following two equations.

$$R_i = a_i\, pk_0^1 = a_i x_0 P, \tag{1}$$

$$Z_i = x_i (x_{i+1} P - x_{i-1} P). \tag{2}$$

Then $U_i$ computes the signature

$$\sigma_i = \frac{1}{x_i + h_i} D_i,$$

where $h_i = H_1(R_i \| Z_i \| ID_i \| PK_i)$, and sends $(R_i, Z_i, \sigma_i)$ to the semi-trusted server $U_0$.

Step 2 (Round 2): After receiving all $(R_i, Z_i, \sigma_i)$ from $U_i$ ($1 \le i \le n$), the server $U_0$ first verifies $U_i$'s public key by Eq. (3). If Eq. (3) holds, the server then verifies the signature by Eq. (4).

$$e(pk_i^1, Q_i) = e(P, pk_i^2) \quad (1 \le i \le n), \tag{3}$$

$$e(\sigma_i, pk_i^1 + h_i P) = e(H_0(ID_i), P_{pub}) \quad (1 \le i \le n). \tag{4}$$

If at least one check fails, the protocol aborts: the transmitted data has been corrupted, for example because an adversary tampered with some messages. If all signatures are valid, the server is assured that all data were sent by the participants. Next, the server $U_0$ chooses a random value $a_0 \in \mathbb{Z}_q^*$ and computes

Fig. 1. The proposed protocol.

$$A_i = R_i x_0^{-1} = a_i P \quad (1 \le i \le n),$$
$$Y = a_0 P + A_1 + A_2 + \cdots + A_n,$$
$$S_i = a_0 A_i \quad (1 \le i \le n),$$
$$Z'_i = (n-1) Z_i + (n-2) Z_{i+1} + \cdots + Z_{i-2} \quad (1 \le i \le n).$$

$U_0$ computes the signature

$$\sigma_0 = \frac{1}{x_0 + h_0} D_0,$$

where $h_0 = H_1(S_1 \| \cdots \| S_n \| Y \| Z'_1 \| \cdots \| Z'_n \| ID_0 \| PK_0)$. Finally, $U_0$ transmits $(S_1, \ldots, S_n, Y, Z'_1, \ldots, Z'_n, \sigma_0)$ to all participants $U_i$ ($1 \le i \le n$).

Step 3 (Key Computation): All participants $U_i$ ($1 \le i \le n$) use the following two equations to check whether the server's public key and signature are valid.

$$e(pk_0^1, Q_0) = e(P, pk_0^2), \tag{5}$$


$$e(\sigma_0, pk_0^1 + h_0 P) = e(H_0(ID_0), P_{pub}). \tag{6}$$

If both equations hold, then $U_i$ computes the partial group session keys $RK_i$ and $BDK_i$ as in Eqs. (7) and (8).

$$RK_i = Y - S_i a_i^{-1}, \tag{7}$$

$$BDK_i = n x_i x_{i-1} P + Z'_i. \tag{8}$$

Finally, the group key is computed as in Eq. (9).

$$K = RK_i + BDK_i. \tag{9}$$
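The certificateless signature of Section 4.2 and the three-round protocol of Section 4.3, as an added worked example that is not part of the paper or the authors' code. To keep every equation literally checkable without a pairing library, the groups are replaced by a toy: $G_1$ is $\mathbb{Z}_q$ under addition with $P = 1$, and an element of $G_2$ is represented by its discrete logarithm, so $e(aP, bP) = ab \bmod q$. This reproduces the bilinearity the protocol relies on but gives no security at all (discrete logarithms are trivial), so the run demonstrates the message flow, the Round 2 abort and Theorem 1, not confidentiality. The modulus $q = 2^{127} - 1$, SHA-256 standing in for $H_0$/$H_1$, the length-prefixed encoding of $\|$, and all class and function names are assumptions of the example.

```python
# Added example (not the authors' code): a toy, deliberately insecure instantiation of
# the Section 4 protocol, used only to check the algebra of Eqs. (1)-(9) and Theorem 1.
# G1 is modelled as the additive group Z_q with generator P = 1, so "aP" is just a mod q,
# and a G2 element is represented by its discrete log, so e(aP, bP) = ab mod q is
# bilinear and non-degenerate but offers no security: discrete logs are trivial here.
# q = 2^127 - 1, SHA-256 for H0/H1 and the encoding of "||" are assumptions.
import hashlib
import secrets

Q = (1 << 127) - 1  # prime group order q (Mersenne prime; assumed toy parameter)
P = 1               # generator of G1 = Z_q

def e(a, b):
    """Toy pairing e(aP, bP), represented by its exponent ab mod q."""
    return a * b % Q

def H0(data):
    """One-way hash {0,1}* -> G1 \\ {0} (SHA-256 standing in for a random oracle)."""
    return int.from_bytes(hashlib.sha256(b"H0|" + data).digest(), "big") % (Q - 1) + 1

def H1(data):
    """One-way hash {0,1}* -> Z_q^*."""
    return int.from_bytes(hashlib.sha256(b"H1|" + data).digest(), "big") % (Q - 1) + 1

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def enc(*parts):
    """Length-prefixed encoding of the '||' concatenation hashed by H1 (an assumption)."""
    out = b""
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes(16, "big")
        out += len(b).to_bytes(2, "big") + b
    return out

class KGC:
    """Key Generation Center: master secret s, P_pub = sP, partial keys D_i = s Q_i."""
    def __init__(self):
        self.s = rand_zq()
        self.Ppub = self.s * P % Q

    def partial_private_key(self, ident):
        return self.s * H0(ident) % Q  # the paper delivers D_i over a secure channel

class Party:
    """A user U_i or the server U_0 (Section 4.1 keys, Tso et al. signature of 4.2)."""
    def __init__(self, ident, kgc):
        self.ident, self.Ppub = ident, kgc.Ppub
        self.D = kgc.partial_private_key(ident)                # partial private key D_i
        self.x = rand_zq()                                     # secret value x_i
        self.PK = (self.x * P % Q, self.x * H0(ident) % Q)     # (pk_i^1, pk_i^2)

    def sign(self, msg):
        """sigma = D / (x + h), h = H1(m || ID || PK); x + h = 0 mod q is unsignable."""
        h = H1(enc(msg, self.ident, *self.PK))
        if (self.x + h) % Q == 0:
            raise ValueError("x + h is not invertible for this message")
        return pow((self.x + h) % Q, -1, Q) * self.D % Q

def verify(ident, PK, msg, sigma, Ppub):
    """Public-key check, Eqs. (3)/(5), then signature check, Eqs. (4)/(6)."""
    pk1, pk2 = PK
    Qid = H0(ident)
    if e(pk1, Qid) != e(P, pk2):
        return False
    h = H1(enc(msg, ident, pk1, pk2))
    return e(sigma, (pk1 + h * P) % Q) == e(Qid, Ppub)

def run_protocol(server, users, tamper=False):
    """Rounds 1-3 of Section 4.3. Returns (key computed by each U_i, server's view), or
    (None, None) on abort. tamper=True corrupts Z_1 in transit to exercise the abort."""
    n = len(users)
    a = [rand_zq() for _ in users]
    round1 = []
    for i, u in enumerate(users):                               # Round 1
        R = a[i] * server.PK[0] % Q                             # Eq. (1): a_i pk_0^1
        Z = u.x * (users[(i + 1) % n].PK[0] - users[i - 1].PK[0]) % Q  # Eq. (2)
        round1.append((R, Z, u.sign(enc(R, Z))))
    if tamper:
        R, Z, s = round1[0]
        round1[0] = (R, (Z + 1) % Q, s)
    for u, (R, Z, s) in zip(users, round1):                     # Round 2: verify or abort
        if not verify(u.ident, u.PK, enc(R, Z), s, server.Ppub):
            return None, None
    a0, x0_inv = rand_zq(), pow(server.x, -1, Q)
    A = [R * x0_inv % Q for R, _, _ in round1]                  # A_i = R_i x_0^{-1} = a_i P
    Y = (a0 * P + sum(A)) % Q
    S = [a0 * Ai % Q for Ai in A]
    Zs = [Z for _, Z, _ in round1]
    Zp = [sum((n - 1 - k) * Zs[(i + k) % n] for k in range(n - 1)) % Q for i in range(n)]
    msg0 = enc(*S, Y, *Zp)
    sigma0 = server.sign(msg0)
    keys = []
    for i, u in enumerate(users):                               # Round 3: key computation
        if not verify(server.ident, server.PK, msg0, sigma0, u.Ppub):
            return None, None
        RK = (Y - S[i] * pow(a[i], -1, Q)) % Q                  # Eq. (7)
        BDK = (n * u.x * users[i - 1].PK[0] + Zp[i]) % Q        # Eq. (8): n x_i x_{i-1}P + Z'_i
        keys.append((RK + BDK) % Q)                             # Eq. (9)
    return keys, {"A": A, "Z": Zs, "Zp": Zp}
```

Running `run_protocol(server, users)` returns the same $K$ from every $U_i$, equal to $A_1 + \cdots + A_n + \sum_j x_j x_{j+1} P$ as in Theorem 1 (for $n = 2$ the second sum is $2 x_1 x_2 P$); with `tamper=True` the server rejects in Round 2 and returns `(None, None)`. Each $U_i$ only ever touches its own $x_i$, $a_i$ and its neighbours' public $pk^1$ values, which is why the code computes $Z_i$ and $BDK_i$ from `PK[0]` rather than from the neighbours' secrets. In this toy the server's view $(A_i, Z_i)$ trivially reveals every $x_j$, so the semi-trusted property of Section 3.2 can only be argued in a real pairing group, where the server learns $RK_i = A_1 + \cdots + A_n$ but not the $x_j x_{j+1} P$ terms that make up $BDK_i$.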

The following lemma and theorem show the correctness of the signature algorithm and of the proposed scheme.

Lemma 1. If all participants and the semi-trusted server follow the signature algorithm, then

$$e(\sigma_i, pk_i^1 + h_i P) = e(H_0(ID_i), P_{pub}).$$

Proof.

$$e(\sigma_i, pk_i^1 + h_i P) = e\!\left(\frac{1}{x_i + h_i} D_i,\ pk_i^1 + h_i P\right) = e\!\left(\frac{1}{x_i + h_i} D_i,\ (x_i + h_i) P\right) = e(D_i, P) = e(sQ_i, P) = e(H_0(ID_i), P_{pub}). \qquad \square$$

Theorem 1. By running the proposed protocol, each participant constructs the same group session key.

Proof. The group session key $K$ consists of two partial group session keys, $RK_i$ and $BDK_i$. We show that each participant can derive the same $RK_i$ and $BDK_i$ from $(S_1, \ldots, S_n, Y, Z'_1, \ldots, Z'_n, \sigma_0)$, which is transmitted by $U_0$. Participant $U_i$ derives $RK_i$ as follows:

$$RK_i = Y - S_i a_i^{-1} = a_0 P + A_1 + A_2 + \cdots + A_n - a_0 A_i a_i^{-1} = a_0 P + A_1 + A_2 + \cdots + A_n - a_0 a_i^{-1} (a_i P) = A_1 + A_2 + \cdots + A_n.$$

In addition, $BDK_i$ is derived as follows:

$$\begin{aligned}
BDK_i &= n x_i x_{i-1} P + Z'_i \\
&= n x_i x_{i-1} P + (n-1) Z_i + (n-2) Z_{i+1} + \cdots + Z_{i-2} \\
&= n x_i x_{i-1} P + (n-1)[x_i (x_{i+1} P - x_{i-1} P)] + (n-2)[x_{i+1} (x_{i+2} P - x_i P)] + \cdots + [x_{i-2} (x_{i-1} P - x_{i-3} P)] \\
&= n (x_{i-1} x_i P) + (n-1)(x_i x_{i+1} P) + (n-2)(x_{i+1} x_{i+2} P) + \cdots + (x_{i-2} x_{i-1} P) \\
&\quad - (n-1)(x_{i-1} x_i P) - (n-2)(x_i x_{i+1} P) - \cdots - (x_{i-3} x_{i-2} P) \\
&= x_{i-1} x_i P + x_i x_{i+1} P + x_{i+1} x_{i+2} P + \cdots + x_{i-2} x_{i-1} P.
\end{aligned}$$

Therefore, the group session key $K$ equals

$$K = RK_i + BDK_i = A_1 + A_2 + \cdots + A_n + x_{i-1} x_i P + x_i x_{i+1} P + x_{i+1} x_{i+2} P + \cdots + x_{i-2} x_{i-1} P,$$

which runs over the whole cycle of indices and therefore does not depend on $i$. $\square$



5. Security and performance analysis

This section analyzes the security of the protocol presented in Section 4. Its performance is then compared with protocols proposed in previous works.

5.1. Security analysis and comparison

5.1.1. Secure GKA providing forward secrecy

In the following theorem, we demonstrate that the proposed GKA protocol $W$ is a secure GKA providing forward secrecy. We use a technique similar to that of [29,30] to prove Theorem 2.

Theorem 2. Assume that the two hash functions $H_0$ and $H_1$ are random oracles. Then the proposed GKA protocol $W$ is a secure GKA providing forward secrecy under the computational Diffie–Hellman (CDH) assumption. Concretely,

$$\mathrm{Adv}_W^{GKA\text{-}fs}(t, q_{ex}, q_s) \le 2 n q_{ex} \cdot \mathrm{Adv}^{CDH}(t) + \mathrm{Adv}_W^{forge}(t),$$

where $q_{ex}$ and $q_s$ are the total numbers of Execute and Send queries, respectively, and $\mathrm{Adv}_W^{forge}(t)$ denotes the advantage of any forger attacking the protocol $W$.


Proof. Assume that there exists an active adversary $A$ that attacks the proposed GKA protocol $W$ with non-negligible advantage. Two attack cases are considered. In the first case, $A$ impersonates some participant with that advantage (i.e., forges authentication transcripts). In the second case, $A$ breaks the protocol $W$ without modifying any transcript.

Case 1. Suppose that the adversary $A$, with adaptive impersonation ability, can break the GKA protocol $W$. Using $A$, we construct a forger $F$ that returns two valid signature tuples $(R_i, Z_i, \sigma_i)$ and $(S_1, \ldots, S_n, Y, Z'_1, \ldots, Z'_n, \sigma_0)$ with respect to the proposed protocol $W$, as follows. The forger $F$ first generates all necessary system parameters and keys. Then $F$ simulates the oracle queries made by $A$. This simulation is perfectly indistinguishable from $A$'s real oracle queries unless $A$ makes a Private key query; if that occurs, $F$ fails and stops. Otherwise, when $A$ generates the two signature tuples $(R_i, Z_i, \sigma_i)$ and $(S_1, \ldots, S_n, Y, Z'_1, \ldots, Z'_n, \sigma_0)$, $F$ returns them. Let Forge be the event that $A$ successfully generates two valid signature tuples. Then the probability that $F$ successfully returns two valid signature tuples is bounded by

$$\Pr_A[\mathrm{Forge}] \le \mathrm{Adv}_{F,W}^{forge}(t) \le \mathrm{Adv}_W^{forge}(t).$$

Case 2. Assume that the adversary $A$ can break the GKA protocol $W$ without modifying any transcripts. We first focus on the case where $A$ makes a single Execute query on $(ID_0, ID_1, \ldots, ID_n)$, and then extend this to the case of multiple Execute queries, where the number of participants $n+1$ is selected by $A$. The real execution of $W$ is shown in Fig. 2(a) and (b). Here each $Z_i = x_i (x_{i+1} P - x_{i-1} P) = x_i x_{i+1} P - x_{i-1} x_i P$. We can substitute a random value $d_{1,2} \in \mathbb{Z}_q^*$ for $x_1 x_2$; this defines a new distribution $\mathrm{Fake}_1$, shown in Fig. 2(c). Note that $A$ can obtain all private keys $SK_i = (x_i, D_i)$ and hash values $h_i$ by making Private key and Hash queries, and can therefore obtain $(a_1 + \cdots + a_n) P$. Since the discrete logarithm problem in $G_1$ is intractable, this value reveals no information about $a_i$ for $i = 1, 2, \ldots, n$. We now show that distinguishing the two distributions Real and $\mathrm{Fake}_1$ reduces to solving the computational Diffie–Hellman (CDH) problem. Let $\varepsilon(t) = \mathrm{Adv}^{CDH}(t)$.

Claim 1. For any algorithm $A$ with running time $t$,

$$\big|\Pr[(T, K) \leftarrow \mathrm{Real} : A(T, K) = 1] - \Pr[(T, K) \leftarrow \mathrm{Fake}_1 : A(T, K) = 1]\big| \le \varepsilon(t).$$

Proof. As noted above, each $Z_i = x_i x_{i+1} P - x_{i-1} x_i P$. Writing $C_{i,i+1}$ for $x_i x_{i+1} P$, each $Z_i$ can be written as $C_{i,i+1} - C_{i-1,i}$ for $i = 1, 2, \ldots, n$, and the group session key $K$ can be written as $n C_{n,1} + (n-1) Z_1 + (n-2) Z_2 + \cdots + Z_{n-1} + (a_1 + \cdots + a_n) P$. To solve the CDH problem we handle the related parameters as follows. Consider an algorithm $D$ that takes as input $P_a = aP$ and $P_b = bP \in G_1$ for some $a, b \in_R \mathbb{Z}_q^*$. $D$ first generates $(T, K)$ according to the distribution $\mathrm{Dist}_1$, then runs $A(T, K)$ and outputs whatever $A$ outputs. The distribution $\mathrm{Dist}_1$ is defined in Fig. 2(d); note that it depends on $P_a$ and $P_b$. Setting $C_{1,2} = abP$ in $\mathrm{Dist}_1$ gives a distribution $\mathrm{Dist}_1^{CDH}$, which is identical to Real because

$$\begin{aligned}
K &= C_{n,1} + C_{1,2} + C_{2,3} + \cdots + C_{n-2,n-1} + C_{n-1,n} + (a_1 + \cdots + a_n) P \\
&= u_{n-2} P_a + abP + u_1 P_b + \cdots + u_{n-4} u_{n-3} P + u_{n-3} u_{n-2} P + (a_1 + \cdots + a_n) P \\
&= u_{n-2}\, aP + abP + b u_1 P + \cdots + u_{n-4} u_{n-3} P + u_{n-3} u_{n-2} P + (a_1 + \cdots + a_n) P.
\end{aligned}$$

Similarly, setting $C_{1,2} = cP$ for some $c \ne ab$, $c \in \mathbb{Z}_q^*$, gives a distribution $\mathrm{Dist}_1^{Random}$, which is identical to $\mathrm{Fake}_1$ because

$$\begin{aligned}
K &= C_{n,1} + C_{1,2} + C_{2,3} + \cdots + C_{n-2,n-1} + C_{n-1,n} + (a_1 + \cdots + a_n) P \\
&= u_{n-2} P_a + cP + u_1 P_b + \cdots + u_{n-4} u_{n-3} P + u_{n-3} u_{n-2} P + (a_1 + \cdots + a_n) P \\
&= u_{n-2}\, aP + cP + b u_1 P + \cdots + u_{n-4} u_{n-3} P + u_{n-3} u_{n-2} P + (a_1 + \cdots + a_n) P.
\end{aligned}$$

Therefore,

$$\big|\Pr[(T, K) \leftarrow \mathrm{Real} : A(T, K) = 1] - \Pr[(T, K) \leftarrow \mathrm{Fake}_1 : A(T, K) = 1]\big| \le \varepsilon(t). \qquad \square$$

Then we define further distributions $Fake_i$ for $i = 2, 3, \ldots, n$ by applying the same technique used for $Fake_1$ (replacing $x_i x_{i+1}$ by a random $d_{i,i+1}$). By the same argument as in Claim 1, the following inequalities hold for any adversary A with running time t:

$$\begin{aligned} \bigl|\Pr[(T,K) \leftarrow Fake_1 \mid A(T,K) = 1] - \Pr[(T,K) \leftarrow Fake_2 \mid A(T,K) = 1]\bigr| &\le \varepsilon(t), \\ &\ \vdots \\ \bigl|\Pr[(T,K) \leftarrow Fake_{n-1} \mid A(T,K) = 1] - \Pr[(T,K) \leftarrow Fake_n \mid A(T,K) = 1]\bigr| &\le \varepsilon(t). \end{aligned}$$

This implies

$$\bigl|\Pr[(T,K) \leftarrow Real \mid A(T,K) = 1] - \Pr[(T,K) \leftarrow Fake_n \mid A(T,K) = 1]\bigr| \le \varepsilon(t).$$

Fig. 2. The equations used in the proof of forward secrecy.

Please cite this article in press as: H.-M. Sun et al., A provable authenticated group key agreement protocol for mobile environment, Inform. Sci. (2015), http://dx.doi.org/10.1016/j.ins.2015.01.037

In $Fake_n$, the values $d_{1,2}, d_{2,3}, \ldots, d_{n-1,n}, d_{n,1}$ are constrained by T according to the following n equations:

$$Z_1 = (d_{1,2} - d_{n,1})P,\quad Z_2 = (d_{2,3} - d_{1,2})P,\quad \ldots,\quad Z_n = (d_{n,1} - d_{n-1,n})P.$$


Since K can be expressed as $(d_{1,2} + d_{2,3} + \cdots + d_{n,1})P + (a_1 + \cdots + a_n)P$, which is linearly independent of the set $\{Z_i = (d_{i,i+1} - d_{i-1,i})P \mid i = 1, 2, \ldots, n\}$, K is independent of the transcript T. In other words, for any adversary A,

$$\Pr[(T,K_0) \leftarrow Fake_n,\ K_1 \leftarrow G_1 \mid A(T,K_b) = 1,\ b \leftarrow \{0,1\}] = 1/2.$$

Therefore, the advantage of A in the event $\neg Forge$ is bounded by $2n \cdot Adv^{CDH}(t)$. Combining the two cases, the advantage of A is bounded by

$$Adv^{GKA\text{-}fs}_{W}(t, 1, q_s) \le 2n \cdot Adv^{CDH}(t) + Adv^{forge}_{W}(t).$$

Finally, a standard hybrid argument immediately demonstrates that

$$Adv^{GKA\text{-}fs}_{W}(t, q_{ex}, q_s) \le 2n q_{ex} \cdot Adv^{CDH}(t) + Adv^{forge}_{W}(t) \quad \text{for } q_{ex} > 1. \qquad \square$$



Under the computational Diffie–Hellman (CDH) assumption, the advantage $Adv^{CDH}(t)$ is negligible. By the security of the adopted short certificateless signature scheme of Tso et al. [27], $Adv^{forge}_{W}(t)$ is also negligible. Hence, by the result of Theorem 2, the advantage $Adv^{GKA\text{-}fs}_{W}(t, q_{ex}, q_s)$ is negligible. This implies that the proposed GKA protocol W is a secure GKA protocol providing forward secrecy.

5.1.2. Known session key security

Theorem 3. The proposed GKA protocol is secure against known session key attack.

Proof. We assume that an adversary A has compromised a group session key $K_{G_A}$ of a group $G_A$. This means that A may obtain $RK_{G_A}$ and $BDK_{G_A}$ from a certain execution of the proposed protocol. Here we consider two possible cases. In the first case, A may use $K_{G_A}$ to compromise another group session key $K_{G_B}$ of another group $G_B$. In the second case, A may use $K_{G_A}$ to compromise another group session key $K'_{G_A}$ of the same group $G_A$. Obviously, the first case does not occur, because the two values $BDK_{G_A}$ and $BDK_{G_B}$ differ between the two groups $G_A$ and $G_B$. In addition, the values $a_i$ are randomly selected in each execution for $i = 1, 2, \ldots, n$, so $RK_{G_A}$ and $RK_{G_B}$ also differ. In the second case, A has obtained the value $BDK_{G_A}$. Given a real transcript T, A still cannot recover all $a_i$ from $RK_{G_A}$ under the discrete logarithm assumption, by the proof of Theorem 2. Therefore, our protocol is secure against the known session key attack. $\square$

5.1.3. Known session-specific temporary information security

Theorem 4. The proposed GKA protocol is secure against known session-specific temporary information attack.

Proof. Assume that an adversary A obtains all the session-specific temporary information of an execution, which includes the server's random value $a_0$ and the participants' random values $a_i$ ($1 \le i \le n$). Then A can easily compute the value $RK_i$. In order to obtain the group session key K, A must also compute the value $BDK_i$. However, this is impossible because $BDK_i$ is composed of the participants' long-term private keys, about which the adversary A has no information. Therefore, the proposed GKA protocol is secure against the known session-specific temporary information attack. $\square$

5.1.4. Contributiveness

Theorem 5. After executing the proposed GKA protocol, an identical group session key is established, and each participant can confirm that his contribution has been included in the group session key.

Proof. After $U_0$ broadcasts $(S_1, \ldots, S_n, Y, Z'_1, \ldots, Z'_n, \sigma_0)$ to all participants $U_i$ ($1 \le i \le n$), each $U_i$ can use its own secret values $a_i$ and $x_i$ to compute an identical group session key K. The following equalities hold:

$$K = RK_1 + BDK_1 = RK_2 + BDK_2 = \cdots = RK_n + BDK_n.$$

It is easy to see that each $RK_i$ and $BDK_i$ includes $U_i$'s secret values $a_i$ and $x_i$ for $i = 1, 2, \ldots, n$. Hence, each participant can be sure that his contribution has been included in the group session key K. $\square$


5.1.5. Security comparison

Table 2 compares the security of the proposed protocol with the protocols proposed by Lee et al. [20], Cheng et al. [7], and Tsai [25]. The protocol proposed in this study uses certificateless public key cryptography (CL-PKC) to construct the long-term key. Therefore, when the long-term public key is used, the protocol does not require a certificate to verify the key. Unlike the other, certificate-based protocols, the certificateless-based protocol does not require certificate management, e.g., storage, revocation, distribution, and verification. Additionally, regarding the server reliability assumption, the protocol assumes only that the server is semi-trusted; relying on a semi-trusted server is a safer assumption than relying on a fully-trusted one. Moreover, Cheng et al. and Tsai noted that Lee et al.'s protocol [20] is vulnerable to an impersonation attack. Thus, our protocol is more secure than these three protocols.

Table 2. Security comparison.

| | Lee [20] | Cheng [7] | Tsai [25] | Our scheme |
|---|---|---|---|---|
| Key construction | PKC | PKC | PKC | CL-PKC |
| Contributory group key agreement | YES | YES | YES | YES |
| Implicit key authentication | NO | YES | YES | YES |
| Known session key security | YES | YES | YES | YES |
| Forward secrecy | YES | YES | YES | YES |
| Known session-specific temporary information security | NO | YES | NO | YES |
| Suffers impersonation attack | YES | NO | NO | NO |
| Server reliability assumption | Fully-trusted | Fully-trusted | Fully-trusted | Semi-trusted |

5.2. Performance analysis and comparison

Before analyzing the cost of our protocol, we define some notation in Table 3.

Table 3. The performance notation.

| Notation | Description |
|---|---|
| $T_B$ | The computation time for a bilinear pairing |
| $T_{sm}$ | The computation time for a scalar multiplication in $G_1$ |
| $T_{sa}$ | The computation time for a scalar addition in $G_1$ |
| $T_H$ | The computation time for a hash function |

In step 1, each participant can pre-compute the value $R_i$ and store it on his mobile device. Moreover, if all the participants know the other group members in advance, the value $Z_i$ and the signature $\sigma_i$ can also be computed before executing the protocol. Therefore, we consider that there is no computation cost in step 1 for each participant. In step 2, the semi-trusted server needs to verify all of the public keys and the signatures from the participants. According to Tso et al.'s short certificateless signature algorithm [27], $e(pk_i^1, Q_i) = e(P, pk_i^2)$ and $e(H_0(ID_i), P_{pub})$ can be precomputed in advance. In fact, these values only need to be computed once and can be reused to verify a participant's signature many times. Therefore, the cost of verifying n signatures is $nT_B + nT_{sm} + nT_{sa}$. Next, for computing the values $A_i$, $Y$, $S_i$, and $Z'_i$, the computation costs are $nT_{sm}$, $T_{sm} + nT_{sa}$, $nT_{sm}$, and $n(n-2)T_{sm} + n(n-2)T_{sa}$ respectively. Finally, the cost of the signing operation is $T_{sm} + T_H$. Hence, the total computation cost for the semi-trusted server in step 2 is

$$nT_B + (n^2 + n + 2)T_{sm} + n^2 T_{sa} + (n+1)T_H.$$

In step 3, for each participant, the cost of verifying the signature is $T_B + T_{sm} + T_{sa} + T_H$ and the cost of computing the group session key is $2T_{sm} + 3T_{sa}$. Therefore, the computation cost for each participant is

$$T_B + 3T_{sm} + 4T_{sa} + T_H.$$

5.2.1. Performance improvement

From the above analysis, the computation cost for the semi-trusted server appears too high: the time complexity in terms of scalar multiplications and scalar additions in $G_1$ is $O(n^2)$. If we can reduce this from $O(n^2)$ to $O(n)$, the protocol becomes more acceptable and practical. Here we describe how to reduce the cost of computing $Z'_i$ ($1 \le i \le n$). Without loss of generality, we assume there are n participants and a semi-trusted server. In step 2, the semi-trusted server receives the data $(R_i, Z_i, \sigma_i)$ ($1 \le i \le n$) from all participants. Before computing $Z'_i$ ($1 \le i \le n$), we let the semi-trusted server compute the following:

$$M_i = nZ_i \ (1 \le i \le n), \qquad T = Z_1 + Z_2 + \cdots + Z_n.$$

Next, the server chooses any one $Z'_i$ and computes it in the normal way. We use $Z'_1$ as an example:

$$Z'_1 = (n-1)Z_1 + (n-2)Z_2 + \cdots + Z_{n-1}.$$

If the semi-trusted server wants to compute the other $Z'_i$, it can use the following equation:

$$Z'_i = Z'_{i-1} + T - M_{i-1} \quad (1 \le i \le n). \qquad (10)$$

For example,

$$Z'_2 = Z'_1 + T - M_1, \qquad Z'_3 = Z'_2 + T - M_2.$$

Finally, the semi-trusted server can easily compute all $Z'_i$ ($1 \le i \le n$) according to Eq. (10). Now we analyze the performance of our protocol again. As explained above, before computing $Z'_i$ the semi-trusted server has to compute $M_i$ and $T$, which costs $nT_{sm} + (n-1)T_{sa}$. The computation cost for $Z'_1$ is $(n-2)T_{sm} + (n-2)T_{sa}$, and the computation cost for all the other $n-1$ values $Z'_i$ is $2(n-1)T_{sa}$. The cost of computing all $Z'_i$ is therefore $(2n-2)T_{sm} + (4n-5)T_{sa}$. In total, in step 2 the computation cost for the semi-trusted server is $nT_B + 5nT_{sm} + (6n-5)T_{sa} + (n+1)T_H$. Hence, we reduce the computation cost in terms of $T_{sm}$ and $T_{sa}$ from $O(n^2)$ to $O(n)$. The correctness of Eq. (10) is shown in the following lemma.

Lemma 2. If the semi-trusted server follows the improvement to compute $Z'_i$, then we have

$$Z'_i = Z'_{i-1} + T - M_{i-1}.$$

Proof. (Indices are taken cyclically modulo n.)

$$\begin{aligned} \text{LeftSide} &= Z'_i = (n-1)Z_i + (n-2)Z_{i+1} + \cdots + 2Z_{i-3} + Z_{i-2}, \\ \text{RightSide} &= Z'_{i-1} + T - M_{i-1} \\ &= [(n-1)Z_{i-1} + (n-2)Z_i + \cdots + Z_{i-3}] + [Z_{i-1} + Z_i + \cdots + Z_{i-3} + Z_{i-2}] - nZ_{i-1} \\ &= [nZ_{i-1} + (n-1)Z_i + \cdots + 2Z_{i-3} + Z_{i-2}] - nZ_{i-1} \\ &= (n-1)Z_i + (n-2)Z_{i+1} + \cdots + 2Z_{i-3} + Z_{i-2}. \qquad \square \end{aligned}$$
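The following is an added example, not code from the paper: it computes the server-side values $Z'_i$ of Section 5.2.1 both in the direct $O(n^2)$ form and via the Eq. (10) recurrence, checks that the two agree (Lemma 2), and also checks the key expression used in the proof of Claim 1, namely that $nC_{i-1,i} + Z'_i$ is the same value for every participant. As a stand-in for the group $G_1$ it works with scalars modulo a small constructed prime, i.e. each point $kP$ is represented by its discrete logarithm $k$; the secrets $x_i$ are constructed sample values.

```python
# Added example (not from the paper): the server-side Z'_i computation of
# Section 5.2.1 in its direct O(n^2) form and via the Eq. (10) recurrence,
# checked against each other (Lemma 2), plus the Claim 1 key identity.
#
# Simplification (assumption): instead of elliptic-curve points we work with
# scalars modulo a small prime q, i.e. every group element kP is represented
# by its discrete log k. Point addition becomes addition mod q and scalar
# multiplication becomes multiplication mod q, which is all the identities
# below need. Indices are cyclic over the n participants throughout.

from typing import List

Q = 1_000_003  # constructed small prime standing in for the group order q


def z_values(x: List[int], q: int = Q) -> List[int]:
    """Z_i = x_i * (x_{i+1} P - x_{i-1} P) from the participants' secrets."""
    n = len(x)
    return [(x[i] * (x[(i + 1) % n] - x[(i - 1) % n])) % q for i in range(n)]


def z_prime_direct(z: List[int], q: int = Q) -> List[int]:
    """Z'_i = (n-1) Z_i + (n-2) Z_{i+1} + ... + Z_{i-2}: n-2 scalar
    multiplications and n-2 additions per value, O(n^2) for the server."""
    n = len(z)
    out = []
    for i in range(n):
        acc = 0
        for k in range(n - 1):               # coefficients n-1, n-2, ..., 1
            acc = (acc + (n - 1 - k) * z[(i + k) % n]) % q
        out.append(acc)
    return out


def z_prime_recurrence(z: List[int], q: int = Q) -> List[int]:
    """Section 5.2.1 improvement: M_i = n Z_i, T = sum of all Z_i, compute
    Z'_1 once the normal way, then Eq. (10): Z'_i = Z'_{i-1} + T - M_{i-1}.
    Each further Z'_i costs only two additions, so the whole step is O(n)."""
    n = len(z)
    m = [(n * zi) % q for zi in z]           # n scalar multiplications
    t = sum(z) % q                           # n-1 additions
    first = 0
    for k in range(n - 1):                   # Z'_1 in the normal way
        first = (first + (n - 1 - k) * z[k]) % q
    out = [first]
    for i in range(1, n):
        out.append((out[i - 1] + t - m[i - 1]) % q)
    return out


def group_secret(x: List[int], z_prime: List[int], q: int = Q) -> List[int]:
    """n * C_{i-1,i} + Z'_i for every participant i, with C_{i,i+1} = x_i x_{i+1} P.
    By the key expression in the proof of Claim 1 (K = n C_{n,1} + Z'_1 + ...
    for U_1) this is the same value for all i; the list is returned so the
    caller can verify that."""
    n = len(x)
    return [(n * x[(i - 1) % n] * x[i] + z_prime[i]) % q for i in range(n)]


def cyclic_sum(x: List[int], q: int = Q) -> int:
    """C_{n,1} + C_{1,2} + ... + C_{n-1,n}, the value every participant reaches."""
    n = len(x)
    return sum(x[i] * x[(i + 1) % n] for i in range(n)) % q


if __name__ == "__main__":
    xs = [17, 42, 9, 123, 77, 5]            # constructed long-term secrets x_i
    zs = z_values(xs)
    zp = z_prime_recurrence(zs)
    assert zp == z_prime_direct(zs)         # Lemma 2
    assert set(group_secret(xs, zp)) == {cyclic_sum(xs)}
    print("Eq. (10) agrees with the direct computation for n =", len(xs))
```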



5.2.2. Performance comparison

The proposed protocol is compared only with the protocols proposed by Cheng et al. [7] and Tsai [25], since Lee et al.'s protocol [20] is insecure. First, the proposed protocol is compared with Cheng et al.'s protocol. Table 4 shows the computation cost for each participant.

Table 4. Comparison of computation cost.

| | Lee [20] | Cheng [7] | Tsai [25] | Our scheme |
|---|---|---|---|---|
| Number of rounds | 2 | 2 | 2 | 2 |
| Computation cost for each participant | $3T_B + T_{sm} + (n-1)T_{sa} + T_H$ | $3T_B + T_{sm} + (n-1)T_{sa} + T_H$ | $T_B + 2T_{sm} + T_{sa} + 2T_H$ | $T_B + 3T_{sm} + 4T_{sa} + T_H$ |
| Computation cost for server | $(2n+1)T_B + (n+2)T_{sm} + (n-1)T_{sa} + T_H$ | $(2n+1)T_B + (n+2)T_{sm} + (n-1)T_{sa} + (n+2)T_H$ | $nT_B + (2n+2)T_{sm} + nT_{sa} + (n+2)T_H$ | $nT_B + 5nT_{sm} + (6n-5)T_{sa} + (n+1)T_H$ |

The proposed protocol requires only one pairing operation, whereas Cheng et al.'s protocol requires three pairing operations. Although the proposed protocol requires three scalar multiplications, the cost of a scalar multiplication is lower than that of a pairing operation. On the server side, the proposed protocol is more efficient than Cheng et al.'s protocol because it requires fewer pairing operations. Next, the protocol is compared with Tsai's protocol. Table 4 shows that the proposed protocol is less efficient than Tsai's protocol. Although both protocols require the same number of pairing operations, the proposed protocol requires $T_{sm} + 3T_{sa}$ additional operations for each participant and $3nT_{sm} + 5nT_{sa}$ additional operations for the server. However, our protocol is relatively more secure. Table 2 shows that our protocol provides known session-specific temporary information security; in contrast, in Tsai's protocol an adversary who learns all the random values can compute the group session key. Additionally, our protocol requires only a semi-trusted server instead of a fully-trusted server. That is, the server cannot learn the group key at the end of the protocol. The group key cannot be leaked by the server even if

the server is compromised. In Tsai's protocol, the server learns the group session key during the protocol; if the server is compromised, the group key becomes unsafe.

6. Conclusion

This study developed an authenticated group key agreement protocol for mobile environments. The proposed protocol uses a certificateless short signature algorithm for user authentication. The certificateless short signature algorithm not only reduces the cost of certificate management but also avoids the key escrow problem of identity-based cryptosystems. Instead of a fully-trusted server, the protocol uses a semi-trusted server, which assists the communication without learning the group key at the end of the protocol. For this reason, the protocol is more practical and secure than previous works. The security analysis in this study indicates that the protocol meets most of the security requirements for group key agreement protocols. In terms of performance, the protocol requires only two communication rounds to agree on a group session key, and each mobile device computes only one pairing and three scalar multiplication operations. Server performance is also improved: this study additionally presents a performance-enhancing method on the server side. Compared with conventional protocols, the proposed protocol is more secure and efficient.

Acknowledgments

The work of Chien-Ming Chen was supported in part by the Project NSFC (National Natural Science Foundation of China) under Grant No. 61402135. The work of Hung-Min Sun was supported in part by the Ministry of Science and Technology, Taiwan, R.O.C., under Grant MOST-101-2221-E-007-026-MY3. Ted Knoy is appreciated for his editorial assistance.

References

[1] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in: Advances in Cryptology-ASIACRYPT 2003, Lecture Notes in Computer Science, vol. 2894, Springer, Berlin, Heidelberg, 2003, pp. 452–473.
[2] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Advances in Cryptology-CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, Springer, Berlin, Heidelberg, 2001, pp. 213–229.
[3] C. Boyd, J. Nieto, Round-optimal contributory conference key agreement, in: Public Key Cryptography-PKC 2003, Lecture Notes in Computer Science, vol. 2567, Springer, Berlin, Heidelberg, 2002, pp. 161–174.
[4] M. Burmester, Y. Desmedt, A secure and efficient conference key distribution system, in: Advances in Cryptology-EUROCRYPT '94, Lecture Notes in Computer Science, vol. 950, pp. 275–286.
[5] C. Cao, J. Ma, S. Moon, Provable efficient certificateless group key exchange protocol, Wuhan Univ. J. Nat. Sci. 12 (2007) 41–45.
[6] C.M. Chen, K.H. Wang, T.Y. Wu, J.S. Pan, H.M. Sun, A scalable transitive human-verifiable authentication protocol for mobile devices, IEEE Trans. Inf. Forensics Secur. 8 (2013) 1318–1330.
[7] Q.F. Cheng, C.G. Ma, F.S. Wei, Analysis and improvement of a new authenticated group key agreement in a mobile environment, Ann. Telecommun. 66 (2011) 331–337.
[8] K. Choi, J. Hwang, D. Lee, Efficient ID-based group key agreement with bilinear maps, in: Public Key Cryptography-PKC 2004, Lecture Notes in Computer Science, vol. 2947, Springer, Berlin, Heidelberg, 2004, pp. 130–144.
[9] K.Y. Choi, J.H. Park, D.H. Lee, A new provably secure certificateless short signature scheme, Comput. Math. Appl. 61 (2011) 1760–1768.
[10] W. Diffie, M. Hellman, New directions in cryptography, IEEE Trans. Inf. Theory 22 (1976) 644–654.
[11] X. Du, Y. Wang, J. Ge, Y. Wang, ID-based authenticated two round multi-party key agreement, IACR Cryptology ePrint Archive, Report 2003/247, 2003.
[12] R. Dutta, R. Barua, Constant round dynamic group key agreement, in: Information Security, Lecture Notes in Computer Science, vol. 3650, Springer, Berlin, Heidelberg, 2005, pp. 74–88.
[13] C.I. Fan, R.H. Hsu, P.H. Ho, Truly non-repudiation certificateless short signature scheme from bilinear pairings, J. Inform. Sci. Eng. 27 (2011) 969–982.
[14] M. Geng, F. Zhang, M. Gao, A secure certificateless authenticated group key agreement protocol, in: International Conference on Multimedia Information Networking and Security, 2009, MINES '09, vol. 1, pp. 342–346.
[15] X. Huang, Y. Mu, W. Susilo, D. Wong, W. Wu, Certificateless signature revisited, in: Information Security and Privacy, pp. 308–322.
[16] I. Ingemarsson, D. Tang, C. Wong, A conference key distribution system, IEEE Trans. Inf. Theory 28 (1982) 714–720.
[17] J. Katz, M. Yung, Scalable protocols for authenticated group key exchange, in: Advances in Cryptology-CRYPTO 2003, Lecture Notes in Computer Science, vol. 2729, Springer, Berlin, Heidelberg, 2003, pp. 110–125.
[18] H.J. Kim, S.M. Lee, D. Lee, Constant-round authenticated group key exchange for dynamic groups, in: Advances in Cryptology-ASIACRYPT 2004, Lecture Notes in Computer Science, vol. 3329, Springer, Berlin, Heidelberg, 2004, pp. 127–140.
[19] B. Lee, C. Boyd, E. Dawson, K. Kim, J. Yang, S. Yoo, Secure key issuing in ID-based cryptography, in: Proceedings of the Second Workshop on Australasian Information Security, Data Mining and Web Intelligence, and Software Internationalisation, ACSW Frontiers '04, pp. 69–74.
[20] C.C. Lee, T.H. Lin, C.S. Tsai, A new authenticated group key agreement in a mobile environment, Ann. Telecommun. 64 (2009) 735–744.
[21] J. Nam, J. Lee, S. Kim, D. Won, DDH-based group key agreement in a mobile environment, J. Syst. Softw. 78 (2005) 73–83.
[22] A. Shamir, Identity-based cryptosystems and signature schemes, in: Advances in Cryptology, Lecture Notes in Computer Science, vol. 196, pp. 47–53.
[23] Y. Shi, G. Chen, J. Li, ID-based one round authenticated group key agreement protocol with bilinear pairings, in: International Conference on Information Technology: Coding and Computing, 2005, ITCC 2005, vol. 1, pp. 757–761.
[24] M. Steiner, G. Tsudik, M. Waidner, Key agreement in dynamic peer groups, IEEE Trans. Parallel Distrib. Syst. 11 (2000) 769–780.
[25] J.L. Tsai, A novel authenticated group key agreement protocol for mobile environment, Ann. Telecommun. 66 (2011) 663–669.
[26] Y.M. Tseng, A resource-constrained group key agreement protocol for imbalanced wireless networks, Comput. Secur. 26 (2007) 331–337.
[27] R. Tso, X. Yi, X. Huang, Efficient and short certificateless signatures secure against realistic adversaries, J. Supercomput. 55 (2011) 173–191.
[28] Z. Wan, K. Ren, W. Lou, B. Preneel, Anonymous ID-based group key agreement for wireless networks, in: Wireless Communications and Networking Conference, 2008, WCNC 2008, IEEE, pp. 2615–2620.
[29] T.Y. Wu, Y.M. Tseng, Towards ID-based authenticated group key exchange protocol with identifying malicious participants, Informatica 23 (2012) 315–334.
[30] T.Y. Wu, Y.M. Tseng, T.T. Tsai, A revocable ID-based authenticated group key exchange protocol with resistant to malicious participants, Comput. Netw. 56 (2012) 2994–3006.
[31] T.Y. Wu, Y.M. Tseng, C.W. Yu, A secure ID-based authenticated group key exchange protocol resistant to insider attacks, J. Inform. Sci. Eng. 27 (2011) 915–932.
[32] F. Zhang, X. Chen, Attack on two ID-based authenticated group key agreement schemes, IACR Cryptology ePrint Archive, Report 2003/259, 2003.
[33] F. Zhang, R. Safavi-Naini, W. Susilo, An efficient signature scheme from bilinear pairings and its applications, in: Public Key Cryptography-PKC 2004, Lecture Notes in Computer Science, vol. 2947, Springer, Berlin, Heidelberg, 2004, pp. 277–290.
[34] L. Zhang, F. Zhang, A new provably secure certificateless signature scheme, in: IEEE International Conference on Communications, 2008, ICC '08, pp. 1685–1689.