Fast Multivariate-Polynomial-Based Membership Authentication and Key Establishment for Secure Group Communications in WSN

The primary task of secure group communications in wireless sensor networks (WSNs) is to transmit various types of data, for example weather data or traffic data, securely. Data collected in WSNs differs from most data transmitted in digital communication applications: most of it contains only a few bits of information. Conventional protocols are not suitable for WSNs, which need faster and more lightweight protocols for secure group communications. User authentication and key establishment are two fundamental security services for secure communications in WSNs. User authentication allows communicating entities to authenticate their communication partners, and key establishment allows a secret session key to be shared among all communicating entities. The session key can then be used to protect the information exchanged in the communication. Communication has moved from traditional one-to-one communications to many-to-many communications, also called group communications. Traditional user authentication, which authenticates one user at a time, is no longer suitable for a group communication involving multiple users. In this paper, we propose a protocol that provides both membership authentication and key establishment simultaneously for WSNs, whereas existing solutions provide either user authentication or key establishment separately. Furthermore, our proposed membership authentication has complexity $O(n)$, where $n$ is the number of users in a group communication, which differs from existing user authentication schemes, which are one-to-one authentications with complexity $O(n^{2})$.


I. INTRODUCTION
Wireless Sensor Networks (WSNs) have been developed to collect data remotely for various applications [27], [28]. For example, data has been collected for traffic analysis, weather prediction, and medical analysis. For security reasons, collected data needs to be protected from eavesdropping. Data encryption requires that the source node and the receiver node share a pairwise key: the source node encrypts the collected data under the shared key and the receiver node decrypts the ciphertext under the shared key to recover the data.
(The associate editor coordinating the review of this manuscript and approving it for publication was Mohamad Afendee Mohamed.)
In general, security research in WSNs has focused on the development of key establishment and key management solutions. Random key pre-distribution schemes [29]-[31] have been developed to allow two sensors to establish a shared key. Random key distribution is a probabilistic scheme and does not guarantee connectivity in WSNs: each sensor is preloaded with k keys randomly selected from a large pool of keys, and two sensors can only communicate securely if they happen to share one. Blom [32] proposed the first pairwise key establishment scheme based on threshold cryptography. This approach is deterministic and can guarantee connectivity in WSNs. Blundo et al. [33] discussed key establishment using polynomials. Khan et al. [34] proposed a pre-distribution scheme using a symmetric matrix and a generator matrix of a maximum rank distance code to establish pairwise keys for sensor nodes. Group key distribution based on bivariate polynomials [24], [35]-[37] has also been developed to allow a group of sensors to establish a shared key deterministically. The design of WSNs has been classified into two types: flat and hierarchical. In flat WSNs, all sensors have the same capabilities to collect data and forward data to other sensors in the network. In hierarchical WSNs, devices are organized into a hierarchy based on their capabilities. Key management protocols for WSNs have likewise been proposed for these two types. Data collected in WSNs differs from most data in digital communication applications: most of it, for example weather or traffic data, contains only a few bits of information. Conventional protocols are not suitable for WSNs, which need faster and more lightweight protocols for secure group communications.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
User authentication and key establishment are two fundamental security services for secure communications in WSNs. User authentication enables communicating entities to authenticate the identities of their communication partners. After the users have been successfully authenticated, key establishment enables a secret session key to be shared among the communicating entities, so that all exchanged information can be protected with this shared key.
It is well known that symmetric-key encryption can be deployed by having each pair of users share a symmetric key, but this alone does not provide authentication of group members. Public-key encryption can provide authentication, but at a high computational cost because of the very large modulus and the modular exponentiations involved (an RSA modulus is at least 1024 bits, and current guidance calls for 2048 bits or more). How to realize efficient membership authentication and key distribution is therefore an important problem for secure group communications.
Traditional communications are one-to-one, involving only two communicating entities. Most existing user authentication schemes [1]-[7] involve only two entities, a prover and a verifier: the verifier interacts with the prover to validate the prover's identity. However, communication has recently moved to many-to-many communications, also called group communications. Traditional user authentication, which authenticates one user at a time, is no longer suitable for a group communication involving multiple users. Recently, a new type of authentication, called group authentication [8], was proposed, which determines whether all users belong to the same group or not. Group authentication is very efficient since it authenticates all members at once. However, it can only serve as a pre-processing step for user authentication: if there are non-members, group authentication cannot determine who they are, and additional one-to-one user authentications are needed to identify them.
Centralized group key establishment protocols are the most commonly used because of their efficiency. For example, the IEEE 802.11i standard [9] uses an online server to select a group key and transport it to each group member. More specifically, the server in IEEE 802.11i encrypts the group temporal key (GTK) under the key encryption key (KEK), which is derived from the pairwise master key supplied by the authentication server (AS), and then transmits the encrypted message to each mobile client (group member) separately. The use of a (t, n) secret sharing scheme to distribute a group key to all members can be found in [10]-[13]. Harn and Lin [14] proposed an authenticated group key transfer protocol based on secret sharing; their protocol uses an RSA modulus to resist inside attacks. The most commonly used public-key agreement protocol is the Diffie-Hellman (DH) key exchange protocol [15]. However, DH key exchange only provides a session key for two entities, not for a group of more than two members. Most public-key based group key distribution protocols [16]-[23] are natural generalizations of DH key agreement. The major concern with this type of protocol is its computational cost: since the group key is contributed by all group members, the number of public-key computations performed by each group member is proportional to the number of members involved in the secure group communication.
In this paper, we propose a membership authentication and key establishment protocol based on polynomials for WSNs. Our protocol has two unique features: (a) the membership authentication has complexity O(n), where n is the number of users in a group communication, whereas most existing user authentication schemes are one-to-one authentications with complexity O(n²); and (b) the protocol provides both membership authentication and key establishment simultaneously, whereas most existing solutions provide either user authentication or key establishment separately. We summarize the contributions of our paper as follows.
· Our protocol provides both membership authentication and key establishment simultaneously.
· Our membership authentication has complexity O(n).
· Our protocol is polynomial-based, so its computation is very efficient.
The rest of this paper is organized as follows. In the next section, we review a recently published pre-distribution scheme for group keys, upon which our proposed protocol is built. In Section 3, we describe the model of our protocol and its security features. In Section 4, we present our membership authentication and key establishment protocol. We analyze its security and performance in Section 5 and conclude in Section 6.

II. REVIEW OF PRE-DISTRIBUTION SCHEME FOR ESTABLISHING GROUP KEYS [24]
Our proposed protocol is built upon a recent paper by Harn and Hsu [24], a pre-distribution scheme of group keys in sensor networks using a multivariate polynomial. In this section, we review their scheme.
There is a mutually trusted key distribution center (KDC) and there are n sensors, {P_1, P_2, ..., P_n}. Each sensor is initially loaded with shares by the KDC. The KDC selects an RSA modulus N, where N is the product of two large safe primes p and q, i.e., p = 2p'+1 and q = 2q'+1, where p' and q' are also primes. p and q are the KDC's secrets; N is made public. The KDC selects a random polynomial of degree k, from which the shares are derived. The shares are stored secretly in sensor P_i for i = 1, 2, ..., n.
If m sensors, {P_{i_1}, P_{i_2}, ..., P_{i_m}}, want to establish a secret group key among themselves, each sensor P_{i_j}, where j ∈ {1, 2, ..., m}, uses its shares to compute the group key. We illustrate the scheme in Figure 1.
In [24], it is shown that the scheme satisfies the following properties.
(a) Correctness: The group key can be computed by each sensor in a group communication involving m (2 ≤ m ≤ n) sensors.
(b) k-secure: If k sensors are captured, no information about the KDC's secret polynomial is compromised.
(c) Key confidentiality: It is computationally infeasible for any attacker to discover any group key.
(d) Key independence: Knowing a subset of group keys K' ⊂ K, where K is the complete set of group keys, the attacker cannot discover any other group key in K − K'.

III. MODEL OF MEMBERSHIP AUTHENTICATION AND KEY ESTABLISHMENT PROTOCOL
In this section, we describe the model of our proposed membership authentication and key establishment protocol, including the protocol description, the adversary, and the security properties of the protocol. Figure 2 illustrates a sensor network consisting of multiple secure group communications. In our proposed protocol, there is a membership registration center (MRC) and there are n members, {U_1, U_2, ..., U_n}. Each member initially registers at the MRC and obtains secret tokens. The MRC selects a special type of m-variate polynomial and generates the tokens; the tokens of each member are m − 1 univariate polynomials.

A. PROTOCOL DESCRIPTION
In order to establish a secure group communication involving m (2 ≤ m ≤ n) members, a membership authentication is executed first, in which all participating users interact with each other to prove that they belong to the same group. In the membership authentication, each member broadcasts his identity and a random integer. After receiving all identities and random integers, each member uses his secret tokens to compute a keyed-hash output as his authentication response, which the other members use to verify his membership. Since each member generates exactly one authentication response, which is broadcast and verified by the other members, the membership authentication requires only m responses, so its complexity is O(m) (each verifier checks the other m − 1 responses locally). This membership authentication can also identify non-members: a user whose response does not verify is not a member. At the end of the membership authentication, each member knows exactly which of the participating users are members. Then, a secret session key is computed by each member individually, with no further interaction with other members. Thus, our proposed protocol is very efficient in both membership authentication and key establishment, since the only transmissions are broadcasts. Furthermore, each member's computation consists only of polynomial evaluations and keyed-hash computations, which are much faster than most public-key computations. A detailed performance evaluation is given in Section 5.

B. TYPE OF ADVERSARIES
We consider two types of attacks: inside and outside attacks. Inside attackers are legitimate members who have obtained valid tokens from the MRC initially. In an inside attack, colluding members try to recover the MRC's secret polynomial used to generate the members' tokens, and then use it to derive the tokens of other members and obtain group keys they are not authorized to access. Outside attackers are non-members who try to forge valid member tokens and use them to impersonate members in a secure group communication, or to recover secret group keys they are not authorized to access. In the security analysis, we show that neither type of attack succeeds against our protocol.

C. SECURITY FEATURES OF PROPOSED SCHEME
Since our protocol is based on the group key establishment scheme of [24], which has the properties k-secure, key confidentiality and key independence discussed in Section 2, our protocol inherits these properties. In addition, our protocol has the following features.
(a) Correctness: The protocol successfully authenticates the memberships of all participating users and then establishes a secret group key among all members.
(b) Freshness of authentication responses: The authentication responses generated by members in the membership authentication can be used only once. This prevents replay attacks, in which an attacker replays a recorded authentication response in an attempt to pass the membership authentication.
(c) Freshness of group keys: The secret group key generated by members in the key establishment is used for only one communication session. This prevents attackers from reusing previously compromised group keys to gain access to other secure communications.

IV. PROPOSED PROTOCOL
In this paper, we propose a membership authentication and key establishment protocol using a multivariate polynomial over Z_N, where N is an RSA modulus [25]. Our protocol is built upon the pre-distribution scheme for group key establishment in [24]. Each member stores (m − 1)(k + 1) coefficients, which is linear in the size m of the group communication.
The MRC selects an RSA modulus N, where N is the product of two large safe primes p and q, i.e., p = 2p'+1 and q = 2q'+1, where p' and q' are also primes. p and q are the MRC's secrets; N is made public. The protocol is illustrated in Figure 3.

V. ANALYSIS
A. SECURITY ANALYSIS
In this sub-section, we discuss the security features of our protocol described in Section 3.C.
(a) Correctness: Membership authentication: If all participating users are members as they claimed in Step 1, each member U_i in Step 2 should be able to compute the group key,

B. PERFORMANCE EVALUATION
Existing schemes provide either user authentication or group key establishment separately, whereas our protocol provides both membership authentication and key establishment simultaneously. Furthermore, our membership authentication has complexity O(n), where n is the number of members in a group communication, which differs from most existing user authentication schemes, which are one-to-one authentications with complexity O(n²); note that each member still verifies the other n − 1 responses locally, so the per-member verification cost is linear in n, but no pairwise interactive sessions are required. Each member stores the tokens {s_{j,1}(x), s_{j,2}(x), ..., s_{j,m−1}(x)}, which are m − 1 univariate polynomials. Thus, the memory storage of each member is (m − 1)(k + 1) coefficients from Z_N.
In Step 2 (membership authentication), computing the group key K = s_{i,1}(i_1) · s_{i,2}(i_2) · ... · s_{i,m−1}(i_{m−1}) mod N requires evaluating m − 1 polynomials. Horner's rule [26] can be used for the evaluation: evaluating a polynomial of degree k needs k multiplications and k additions. The computational cost to establish a group key for a group of size m is therefore that of evaluating m − 1 polynomials: (m − 1)k multiplications and (m − 1)k additions modulo N per member. In addition, each member needs to generate one authentication response and to verify m − 1 authentication responses; since each authentication response is a keyed-hash output, each member computes m keyed-hash outputs. Finally, each member computes one more keyed-hash output to obtain the group session key. This computation is much simpler than that of most public-key based schemes. For example, an RSA private-key operation (modular exponentiation with a full-size exponent) requires approximately 1.5 log₂ N modular multiplications, i.e., about 1536 for a 1024-bit N (in RSA, N is at least 1024 bits, and current guidance requires 2048 bits or more).
The communication of the membership authentication is performed entirely over the broadcast channel. The total communication consists of transmitting the m identities and random integers, {(i, r_i), i = 1, 2, ..., m}, and the m authentication responses, {AS_i, i = 1, 2, ..., m}, of all participating members. No additional communication is needed to establish the group key.
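The following Python simulation is an added example, not code from this paper or from [24]. It exercises the flow of Section 3.A (broadcast of identities and nonces, keyed-hash authentication responses, identification of non-members, and session key derivation), the safe-prime requirement on N from Section 4, and the Horner operation counts given above. Two assumptions are labelled in the code: the m-variate polynomial and token derivation of [24] are not reproduced in the text, so toy_setup() is a deliberately insecure stand-in that merely makes the product s_{i,1}(i_1) · ... · s_{i,m−1}(i_{m−1}) mod N agree across members; and the keyed-hash function is taken to be HMAC-SHA256 over the broadcast transcript, since the exact hash inputs are not shown. The modulus is a constructed toy 23-bit product of safe primes, far too small for real use; the identities and nonces are likewise constructed.

```python
import hashlib
import hmac
import random


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p):
    """p = 2p' + 1 with p and p' both prime, the form required of the factors of N."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


class OpCounter:
    def __init__(self):
        self.mul, self.add = 0, 0


def horner_eval(coeffs, x, N, ctr=None):
    """coeffs[j] multiplies x^j, so degree k = len(coeffs) - 1.
    Horner's rule costs k multiplications and k additions in Z_N."""
    acc = coeffs[-1] % N
    for c in reversed(coeffs[:-1]):
        acc = (acc * x + c) % N
        if ctr is not None:
            ctr.mul += 1
            ctr.add += 1
    return acc


def group_key(tokens, other_ids, N, ctr=None):
    """K = s_{i,1}(i_1) * ... * s_{i,m-1}(i_{m-1}) mod N: m-1 Horner evaluations."""
    K = 1
    for s, j in zip(tokens, other_ids):
        K = K * horner_eval(s, j, N, ctr) % N
    return K


def toy_setup(ids, k, N, rng):
    """ASSUMED stand-in for the MRC's token generation (the paper's m-variate
    polynomial is not reproduced in the text).  One degree-k polynomial f;
    member i holds f(i)*f(x) plus m-2 copies of f, so its product over the other
    m-1 identities is prod_j f(id_j) for every member.  Every member learns f,
    so this stand-in has NO security value; it only exercises the arithmetic."""
    f = [rng.randrange(1, N) for _ in range(k + 1)]
    tokens = {}
    for i in ids:
        fi = horner_eval(f, i, N)
        tokens[i] = [[fi * c % N for c in f]] + [list(f) for _ in range(len(ids) - 2)]
    return tokens


def _kbytes(K):
    return K.to_bytes(max(1, (K.bit_length() + 7) // 8), "big")


def transcript(announcements):
    """Canonical encoding of the Step 1 broadcast: all (identity, nonce) pairs."""
    return b"|".join(f"{i}:{r}".encode() for i, r in sorted(announcements))


def auth_response(K, my_id, announcements):
    """Keyed-hash response (HMAC assumed): binds K, the claimed identity and
    every fresh nonce, so a recorded response cannot be replayed."""
    msg = b"auth|" + str(my_id).encode() + b"|" + transcript(announcements)
    return hmac.new(_kbytes(K), msg, hashlib.sha256).digest()


def session_key(K, announcements):
    """The final keyed-hash output; fresh nonces give a fresh session key."""
    return hmac.new(_kbytes(K), b"session|" + transcript(announcements), hashlib.sha256).digest()


def verify_responses(K, announcements, responses):
    """A verifier checks every announced identity's response and returns the
    identities whose response fails, i.e. the non-members."""
    return {i for i, _ in announcements
            if not hmac.compare_digest(auth_response(K, i, announcements), responses.get(i, b""))}


def run_session(tokens, ids, N, rng, impostor=None, replay=None):
    """One protocol run.  `impostor` is an announced identity whose tokens the
    sender does not hold; `replay` maps an identity to a response recorded in
    an earlier session (the replay attack of Section 3.C(b))."""
    announcements = [(i, rng.getrandbits(64)) for i in ids]            # Step 1
    keys, responses, counts = {}, {}, {}
    for i in ids:                                                      # Step 2
        if i == impostor:
            responses[i] = rng.getrandbits(256).to_bytes(32, "big")    # can only guess
            continue
        ctr = OpCounter()
        keys[i] = group_key(tokens[i], [j for j in ids if j != i], N, ctr)
        responses[i] = auth_response(keys[i], i, announcements)
        counts[i] = (ctr.mul, ctr.add)
    if replay:
        responses.update(replay)
    verifier = next(i for i in ids if i != impostor)
    return {"keys": keys, "counts": counts, "responses": responses,
            "non_members": verify_responses(keys[verifier], announcements, responses),
            "session_keys": {i: session_key(keys[i], announcements) for i in keys}}


def demo(seed=7, k=3, ids=(3, 11, 17, 29)):
    """Honest run, an outsider claiming identity 29, and a replayed response."""
    p, q = 1907, 2879            # constructed toy safe primes; a real N is >= 2048 bits
    assert is_safe_prime(p) and is_safe_prime(q)
    N, rng = p * q, random.Random(seed)
    tokens = toy_setup(ids, k, N, rng)
    honest = run_session(tokens, list(ids), N, rng)
    impostor = run_session(tokens, list(ids), N, rng, impostor=29)
    replayed = run_session(tokens, list(ids), N, rng, replay={11: honest["responses"][11]})
    return honest, impostor, replayed


if __name__ == "__main__":
    h, imp, rep = demo()
    print("same K for all members:", len(set(h["keys"].values())) == 1)
    print("Horner ops per member (mul, add):", h["counts"][3])
    print("non-members detected:", imp["non_members"], rep["non_members"])
```

With m = 4 and k = 3 every honest member performs (m − 1)k = 9 multiplications and 9 additions to obtain K, matching the count above; the outsider claiming identity 29 and the replayed response from an earlier session are both flagged by verify_responses(), while the honest members still agree on K and on the derived session key.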

VI. CONCLUSION
We have proposed a novel membership authentication and key establishment protocol for WSNs. Our protocol provides both membership authentication and key establishment simultaneously, whereas existing schemes provide either user authentication or key establishment separately. We have included a security analysis and a performance evaluation. Our protocol is very efficient in terms of computation and communication, which makes it attractive for secure group communications in WSNs.

ACKNOWLEDGMENT
(Qi Cheng and Chingfang Hsu contributed equally to this work.)