A secure authenticated group key agreement protocol for resource-limited mobile devices

Transcription

1 Ó The Author Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions, please Advance Access published on July 2, 2006 doi:0.093/comjnl/bxl043 A secure authenticated group key agreement protocol for resource-limited mobile devices YUH-MIN TSENG Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua 500, Taiwan, R.O.C. Corresponding author: ymtseng@cc.ncue.edu.tw With rapid growth of mobile wireless networks, many mobile applications have received significant attention. However, security will be an important factor for their full adoption. Most security technologies currently deployed in wired networks are not fully applicable to wireless networks involved in resource-limited mobile nodes because of their low-power computing capability and limited energy. The design of secure group key agreement protocols is one of many important security issues in wireless networks. A group key agreement protocol involves all participants cooperatively establishing a group key, which is used to encrypt/decrypt transmitted messages among participants over an open channel. Unfortunately, most previously proposed group key agreement protocols are too expensive computationally to be employed in mobile wireless networks. Recently, Bresson et al. proposed an authenticated group key agreement protocol suitable for a mobile wireless network. This mobile wireless network is an asymmetric wireless one that consists of many mobile nodes with limited computing capability and a powerful node with less restriction. However, this protocol does not satisfy some important security properties such as forward secrecy and contributory key agreement. In this paper, we propose a new authenticated group key agreement protocol, which is well suited for this asymmetric wireless network. The proposed protocol not only is efficient but also meets strong security requirements. We demonstrate that the proposed protocol is a real contributory group key agreement one and provides forward secrecy as well as implicit key authentication. The proposed protocol is provably secure against passive adversaries and impersonator s attacks. A simulation result shows that the proposed protocol is well suited for mobile devices with limited computing capability. Keywords: Security, contributory group key agreement, mobile device, provably secure, resource-limited Received 9 January 2006; revised 25 June INTRODUCTION Recently, many mobile applications have rapidly developed such as wireless internet services, mobile access services and mobile e-commerce. Cellular mobile networks [], wireless local area networks [2], wireless ad hoc networks [3] and mobile peer-to-peer networks [4] are several important technologies for providing mobile communications. Although mobile applications deployed on mobile devices have received significant attention, the security issue will be an important factor for their full adoption. Because of the low-power computing capability of mobile devices in a wireless network, most security technologies currently deployed in wired networks are not fully applicable to wireless networks [3,5]. On the other hand, mobile devices in wireless networks adopt some wireless mediums (i.e. radio wave) to communicate with each other. An intruder is easy to intercept communications over the open wireless network, thus there are more security threats than with the wired communications. Considering the low-power computing capability of mobile devices, the design of security protocols well suited for wireless mobile networks is a nontrivial challenge because most cryptographic algorithms require many expensive computations. The design of secure group key establishment protocols is one of many important security issues. A group key establishment protocol allows participants to construct a group key that is used to encrypt/decrypt transmitted messages among the participants over an open channel. There are two kinds of group key establishment protocols: group key

2 42 Y.-M. Tseng distribution [6,7,8,9] and group key agreement [0,,2,3, 4,5,6]. In a group key distribution protocol, a trusted or elected entity is responsible for generating and distributing the group key. A group key agreement protocol involves all participants cooperatively establishing a group key. One advantage of the key agreement protocol compared with the key distribution one is that no participant can predetermine the group key. In many scenarios, the group key distribution protocol is not appropriate because the elected entity might act a single point of failure for the group s security. Meanwhile, the design of group key agreement protocols should be rigidly proven to provide confidence and authentication. In this paper, we focus on the design of secure authenticated group key agreement protocol for mobile wireless networks. Ateniese et al. [2] proposed an authenticated group key agreement protocol that made each participant explicitly aware of the exact group membership. However, the security of this protocol has not been rigidly proven and therefore confidence in it is limited [7]. Bresson et al. [3,4] developed the first formal security model for an authenticated group key agreement protocol, as well as proposing several protocols that were demonstrated to be secure. However, their protocols require O(n) rounds to construct a group key, where n is the number of participants. Consequently, as group size grows large, these protocols become impractical. In 2003, Katz and Yung [5] proposed a scalable compiler that can transform any group key establishment protocol into an authenticated one. Katz and Yung also applied their compiler to the Burmester Desmedt protocol [], which presented a provable secure authenticated group key agreement protocol with three rounds. In 2005, Tseng [6] proposed a robust group key agreement protocol resistant to malicious participants. The proposed protocol requires only two rounds to establish a group key and provide forward secrecy. The proposed protocol is provably secure against passive adversaries. Furthermore, the protocol provides fault tolerance against malicious participants. Fault tolerance means that even in the event of malicious participants attempting to disrupt the establishment of a group key, the other honest participants will still be able to compute the group key. Nevertheless, computational complexity of these previously proposed protocols [2,3,4,5,6] is beyond the computational capabilities of mobile devices in wireless networks. The design of group key agreement protocols for a mobile wireless network must not only meet strong security requirements but also consider the computational capabilities of mobile devices. In 2000, Asokan and Ginzboorg [8] proposed a first group key agreement protocol for a cluster of mobile nodes. However, their protocol are suited for a small group of powerful devices (i.e. laptops), the protocol becomes impractical when low-power mobile devices come into play. That is, their protocol is not suited for some resource-limited mobile devices such as handheld computers, personal digital assistants and smart phones. In 2003, Boyd and Nieto [9] proposed an efficient group key agreement protocol with a constant round. In their protocol, only one of all participants requires a linear amount of computation, and other participants require only a fixed computation that is independent of the number of participants. It is provably secure against passive adversaries under the random oracle model [20] but lacks forward secrecy. Forward secrecy means that the previously established group keys cannot be compromised if a long-term secret key is compromised. This property is important and has been included in most key agreement protocols and standards [2]. Considering cellular mobile networks [], wireless local area networks [2], wireless ad hoc networks [3] and mobile peer-to-peer networks [4], they may be regarded as an asymmetric wireless network that consists of many resourcelimited mobile nodes and a powerful node with less restriction. Attempt to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes is a flexible approach for designing group key agreement protocols in a mobile environment. Recently, Bresson et al. [22] proposed an authenticated group key agreement protocol suitable for this asymmetric wireless network. However, their protocol does not satisfy some important security properties such as forward secrecy and implicit key authentication [23]. In 2005, Nam et al. [24] proposed a non-authenticated group key agreement protocol for an asymmetric wireless network. They adopted Katz Yung s compiler [5] to transform their group key agreement protocol into an authenticated one. Both Bresson et al. and Nam et al. protocols claimed that their protocols are contributory key agreement ones. Unfortunately, Tseng [25] has presented that both protocols [22,24] are not real contributory key agreement ones. Detailed analysis and related discussions will be presented in the next section. In this paper, we propose a secure authenticated group key agreement protocol, which is well suited for asymmetric wireless networks. The proposed protocol also adopts an asymmetric computation technique to shift the computational burden to the powerful node. Let mobile nodes (low-power nodes) perform most of the cryptographic computations offline. The computational cost of each mobile node is reduced to only one exponential, one hash function and many multiplication operations. The proposed protocol requires only two rounds to construct a group key. In contrast with the previously proposed protocols [22,24] for asymmetric wireless networks, we demonstrate that the proposed protocol is a real contributory group authenticated group key agreement one. Meanwhile, a simulation result on a PDA (Personal Digital Assistant) device shows that the proposed protocol is well suited for mobile devices with low-power computing capability. Despite meeting the requirement of computational capability restrictions for mobile nodes, the proposed protocol is provably secure against passive adversaries and

3 A group key agreement protocol for resource-limited mobile devices 43 impersonator s attacks. We show that the proposed protocol is secure against passive adversaries under the well-known Decision Diffie Hellman problem [26,27,28]. We also show that the proposed protocol is provably secure against impersonator s attacks under the decision Diffie Hellman and the discrete logarithm assumptions and provides mutual authentication between mobile nodes and the powerful node. The remainder of this paper is organized as follows. In the next section, we present the system model and notations. Afterwards, we analyze Bresson et al. s authenticated group key agreement protocol as well as the related discussions. In Section 3, a secure authenticated group key agreement protocol well suited for resource-limited mobile devices is presented. In Section 4, we demonstrate the security analysis of the proposed protocol. In Section 5, the performance evaluation of the proposed protocol is given. Finally, we draw our conclusions and future works in Section PRELIMINARIES AND DISCUSSIONS OF RELATED WORKS Both Bresson et al. s authenticated protocol [22] and our new authenticated protocol are suitable for an asymmetric wireless network (also called imbalanced wireless network) that consists of many mobile nodes with limited computing capability as well as a wireless gateway with less restriction. Therefore, we first present the model of the asymmetric wireless network and some system notations. Afterwards, we review Bresson et al. s authenticated group key agreement protocol and discuss its security weaknesses. 2.. Model and notations The system environment is an asymmetric wireless network, which consists of some mobile nodes with strict computational capability restrictions and a wireless gateway with less restriction. We consider a set of resource-limited mobile nodes (also called low-power nodes) communicating with a wireless gateway (also called powerful node), in which each low-power node can send messages to the powerful node via uni-cast communication, and the powerful node can broadcast or uni-cast messages to each low-power node. The powerful node covers an entire wireless region called a cell such as the base station of cellular mobile networks [], the access point of wireless local area networks [2] and the cluster-head of mobile ad hoc networks [3]. Without loss of generality, let U ¼ {U, U 2,..., U n } be the initial set of low-power nodes that want to generate a group key with powerful node S. Each low-power node as well as the powerful node hold a pair of secret/public keys. The following system parameters and notations are used throughout the paper. q: a large prime. p: a large prime such that p ¼ 2q +. G q : a subgroup of quadratic residues in Z p, that is G q ¼fi 2 j i 2 Z p g. g: a generator for the subgroup G q. SK i : a low-power node U i s secret key in Z q. PK i : a low-power node U i s public key such that PK i ¼ g SK i mod p. SK S : the powerful node S s secret key in Z q. PK S : the powerful node S s public key such that PK S ¼ g SK S modp. H(): a one-way hash function H with arbitrary length input and a fixed length output [29], i.e. {0, }! {0, } k, where k is the length of output. Sign(SK i, m): the signing algorithm based on ElGamal [30] or DSA [3] schemes under the secret key SK i and the signed message m. Verify(PK i, m, d i ): the verifying algorithm corresponding to the signing algorithm under the public key PK i, the signed message m and the corresponding signature d i. As we all know, most cryptographic algorithms (digital signature or common-key establishment) require many expensive computations such as inverse and exponential operations. In 200, Shamir and Tauman [32] proposed an online/offline signature scheme based on the discrete logarithm assumption [30,3]. The online computational complexity is equivalent to about only one modular multiplication. The security of this signature scheme is secure against adaptive chosen messages attacks under the discrete logarithm assumption. Both Bresson et al. s protocol [22] and our new protocol adopt this online/offline signature scheme to reduce the computational complexity of the low-power mobile nodes. Certainly, some offline pre-computation values must be stored on one add-on memory card of the low-power mobile nodes. Until now, storage limitation is becoming less of a concerning issue as many add-on memory cards are widely available Analysis and related discussions of Bresson et al. s protocol Recently, Bresson et al. [22] adopted the offline signature technique [32] to propose an authenticated group key agreement protocol for an asymmetric wireless network. Their protocol is a two-round protocol and computationally asymmetric. For comparing with our proposed protocol, we briefly review their protocol as follows. Step (Round ): Initially, each low-power node U i (i ¼, 2,..., n) selects a random value x i in Z q and then precomputes y i ¼ g x i mod p Z i ¼ PK x i S modp as well as a signature d i ¼ Sign(SK i, y i ) under the secret key SK i. Then, each low-power node U i sends (y i, d i ) to the powerful node S. Note that the (y i, Z i, d i ) should be stored in the memory storage of the low-power node in advance. Step2 (Round 2): For each (y i, d i ), the powerful node S checks the signature d i by Verify(PK i, y i, d i ) under the public

4 44 Y.-M. Tseng key PK i. If the verification is correct, the powerful node S uses his secret key SK S to compute the following values Z i ¼ Z i ¼ y SK S i (for i ¼,2,..., n). Then, S selects a counter c and computes a group key K ¼ H(c k Z kkz 2 k.. k Z n ) and computes the shared secret value: Ki ¼ K H(ckzi) (for i ¼,2,..., n), where k denotes the concatenation. Finally, the powerful node S sends (c, K i ) to the low-power node U i (i ¼,2,..., n). Step3. Group key computation: Upon receiving (c, K i ), each low-power node U i computes the shared secret key K ¼ K i H(c k Z i ), the group session key GK is computed by GK ¼ H(K k U i k S), where U i s are identities of the lowpower nodes and S is the identity of the powerful node. Their original protocol provides only the powerful node to authenticate the lower-power nodes by validating the signatures d i. If the low-power nodes want to authenticate the powerful node, one hash function operation is required by each low-power node, while n hash function operations are required by the powerful node. For providing mutual authentication among mobile nodes, each low-power node must compute n hash function operations and two extra rounds must are required. Although Bresson et al. claimed that their authenticated protocol offers partial forward secrecy and secure against some attacks, unfortunately Nam et al. [23] pointed out that Bresson et al. s authenticated protocol has some security weaknesses. In fact, their protocol does not provide partial forward secrecy and implicit key authentication. Afterwards, Nam et al. [24] proposed a non-authenticated group key agreement protocol for an asymmetric wireless network. By its very nature, a non-authenticated group key agreement protocol cannot provide participant and message authentication, so it must rely on the authenticated network channel or use another scheme to provide authentication such as the Katz Yung transformation [5]. Employing the Katz Yung scalable compiler can transform their two-round protocols into authenticated group key agreement protocols with three rounds. However, this transformation increases the original protocol by one new round, as well as one signature generation and n verifications for each low-power node. In this case, the computational cost is expensive for mobile devices. Both Bresson et al. s [22] and Nam et al. s protocols [24] claimed that their protocols are contributory key agreement ones. However, Tseng [25] has presented that both protocols are not contributory key agreement ones. In this case, some efficient group key distribution protocols [7,8,9] may be deployed in this asymmetric wireless network to replace both Bresson et al. s and Nam et al. s protocols. Nevertheless, the design of a secure authenticated group agreement protocol well suited for wireless mobile networks is a nontrivial challenge, which inspires us to propose a provably secure authenticated group agreement protocol. 3. THE NEW AUTHENTICATED GROUP KEY AGREEMENT PROTOCOL In this section, we propose a new authenticated group key agreement protocol well suited for low-power mobile devices. The proposed protocol is a provably secure group key agreement protocol, which is secure against passive adversaries and provides mutual authentication between the powerful node and low-power nodes. For achieving authentication, each mobile node U i generates a temporary Diffie Hellman key pair (x i, y i ) [26], where (x i, y i ). And U i generates a signature for y i to let the powerful node S authenticate U i. Then, the powerful node S must compute a Diffie Hellman session key based on y i using his secret key, thus the Diffie Hellman session key established enables the mobile node U i to authenticate the powerful node S. Meanwhile, each y i is used to involve in the key agreement construction of a group key shared among all low-power nodes and the powerful node S. As depicted in Figure, the new authenticated group key agreement protocol runs in two rounds as follows: Step (Round ): Initially, each low-power node U i (i ¼, 2,..., n) selects a random value x i in Z q and then precomputes x i, x i, as well as a signature d i ¼ sign(sk i, y i ) under the secret key SK i.then, each low-power node U i sends (y i, d i ) to the powerful node S. Note that (x i, x i, a i, y i, d i ) should be stored in the memory storage of the low-power node in advance and each tuple (x i, x i, a i, y i, d i ) is used only once. Step2 (Round 2): For each (y i, d i ), the powerful node S checks the signature d i by Verify(PK i, y i, d i ) under the public key PK i. If the verification is correct, the powerful node S randomly selects a value x in Z q, and then computes X ¼ g x and the following values (for i ¼,2,..., n): z i ¼ yi x mod p a 0 i ¼ ysk s i mod p: Then, the powerful node S computes a checking value C ¼ H(X z... z n ) and a group key K ¼ X Q n j¼ z j mod p. Finally, the powerful node S broadcasts C and ða 0 i z i Þ, i ¼,2,..., n, to all low-power nodes. Step3. Group key computation: Upon receiving C and ða 0 i z iþ, i ¼,2,..., n, each low-power node U i checks whether a i ¼ a 0 i holds or not. If the check holds, U i computes X ¼ Z x i i mod p. Then U i checks whether C ¼ H(X Z... Z n ) and Z i 6¼, for i ¼,2,..., n, hold or not. If the checks hold, U i computes the group key K ¼ X Q n j¼ z j mod p¼g xþxx þxx 2 þþxx n mod p. As mentioned in Step, many tuples (x i, x i, a i, y i, d i ) should be stored in the memory storage (e.g. smart card) of the low-power node in advance and each tuple (x i, x i, a i, y i, d i ) is used only once. In this case, the used tuple (x i, x i, a i, y i, d i ) must be erased as soon as they are no longer useful for

5 A group key agreement protocol for resource-limited mobile devices 45 FIGURE. New authenticated group key agreement protocol. providing forward secrecy. Besides, for protecting these unused tuples (x i, x i, a i, y i, d i ) stored in the memory storage of the low-power node, one protecting mechanism should be provided to securely store these unused tuples such as self-protected smart cards [33]. Meanwhile, note that the low-power node adopts the Shamir Tauman online/offline signature scheme [32] to generate the signature d i ¼ Sign(SK i, y i ), in which the online computational complexity is mainly involved the time stamp or the nonce into the signature. The detailed procedure refers to [32]. In addition, in each conference the group key is different. Therefore, when a secure conference was terminated or finished, the established group key should be erased from the memory storages of both low-power nodes and the powerful node. In the following, we show that the proposed protocol is a real contributory group key agreement protocol because low-power nodes are able to confirm that their contributions have been involved in the group key. THEOREM. By running the proposed protocol, if each low-power node checks that C ¼ H(X z... zn ) holds, then an identical group key can be established by all lowpower nodes, thus the proposed protocol is a contributory group key agreement one.

6 46 Y.-M. Tseng Proof. According to the proposed protocol, the powerful node S broadcasts C and ða 0 i z iþ, for i ¼,2,..., n, to all low-power nodes, and each low-power node U i ( i n) may use its secret exponent x i to compute X and the checking value H(X z... z n ), and then checks whether C ¼ H(X z... z n ) holds or not. If the check holds, each low-power node can compute an identical group key K ¼ X Q n j¼ z j mod p. Since the identical group key K has been established, this means that the following equation holds. K ¼ g x Yn j¼ Y n z j mod p ¼ Z x j¼ Z j mod p ¼ ¼Z x n n Z j mod p Thus, we have a value V¼K ð Q n j¼ z jþ mod p mod p such that V ¼ Z x mod p ¼ Z x 2 2 mod p ¼ ¼Z x n n mod p: Therefore, we have z ¼ V x mod p z 2 ¼ V x 2 mod p z n ¼ V x n mod p: Observing the above equations, each z i includes the Q lowpower node U i s secret exponent x i. Since K ¼ Z x i n i j¼ Z j, for i ¼,2,..., n, we have K ¼ V Q n j¼ z j mod p. Therefore, the group key K contains each low-power node s secret exponent x i, that is each low-power node can confirm that its contribution has been included in the group key. In this case, the proposed protocol is a contributory group key agreement one. & From Theorem, since the proposed protocol is a contributory group key agreement, it means that each low-power node equally contributes to the group key and guarantees its freshness in each group key construction. One advantage of the key agreement protocol compared with the key distribution one is that no participant can predetermine the group key. In an asymmetric wireless network, to shift the computational burden to the powerful node and reduce the computational cost of low-power nodes is a flexible approach for designing group key agreement protocols. However, for reducing the computational complexity of the low-power nodes, low-power nodes do not authenticate each other and verify the transmitted messages. Meanwhile, all messages sent to low-power nodes are through the powerful node, so low-power nodes cannot verify them. This is an inherent weakness in this asymmetric wireless network. As Bresson et al. s protocol [22] and Nam et al. s protocol [24], the proposed protocol has the same problem. Therefore, single point of failure still existed in the proposed protocol, thus a lot of trust to the powerful node still exists. In the next section, we will show that the proposed protocol is provably secure against passive adversaries as well as impersonator s attacks. Besides, we will also show that the proposed protocol achieves implicit key authentication and provides forward secrecy. 4. SECURITY ANALYSIS In Step of the proposed protocol, the low-power node adopts the Shamir Tauman online/offline signature scheme [32] to generate the signature d i ¼ Sign(SK i, y i ). The online computational complexity is equivalent to about only one modular multiplication. This online computational complexity is mainly involved the time stamp or the date into the signature. Therefore, the proposed protocol is secure against the replay attack. Some offline pre-computation values must be stored on one smart card of the low-power mobile nodes. Therefore, one self-protected mechanism [33] should be provided to securely store these unused messages on the smart card. 4.. Passive adversaries Passive adversary is that if an attacker is unable to obtain the established group key by eavesdropping messages transmitted over the broadcast channel, the group key agreement protocol is secure against passive adversaries. We need a security assumption to prove it. Here, we adopt the Decision Diffie Hellman problem assumption to prove that the proposed protocol is secure against passive adversaries. Several papers [27,28] have demonstrated the security as well as the variants of the Decision Diffie Hellman problem. ASSUMPTION. Decision Diffie Hellman Problem. There are several domain parameters that are primes p and q such that p ¼ 2q +, and a generator g 2 Z p with order q for the subgroup G q, where G q is a subgroup of quadratic residues in Z p. For a given y a ¼ g x a mod p and y b ¼ g x b mod p, where x a and x b are randomly chosen from Z q, the following two tuples of random variables ðy a y b g x ax b mod pþ and (y a, y b, R), where Ris a random value in Z q, are computationally indistinguishable. In other words, there is no efficient algorithm A that satisfies jpr½aðg x a g x b g x ax b Þ¼trueŠ Pr½Aðg x a g x b RÞ ¼trueŠj > QðjqjÞ for any polynomial Q, where the probability is over the random choice of x a, x b and R. In the following theorem, we use the contradiction proof technique to prove that the proposed protocol is secure against passive adversaries under the Decision Diffie Hellman problem. The concept is presented as follows. Assume that there is an efficient algorithm A run by a passive attacker that can distinguish the established group key of

7 A group key agreement protocol for resource-limited mobile devices 47 the proposed protocol from a random value. Then, based on the efficient algorithm A, we can construct another efficient A 0 to distinguish the key g x ax b based on Diffie Hellman key agreement scheme from the random value. It will be a contradiction for Assumption. THEOREM 2. Under Assumption, the proposed protocol is secure against passive adversaries. Proof. A passive attacker tries to learn secret information about the group key by listening to the broadcast channel. The passive attacker may obtain all (y i, Z i ), where y i ¼ g x i mod p and z i ¼ g xx i mod p for i n. Here we show that the passive attacker cannot get any information about the group key K ¼ X Q n j¼ z j mod p ¼ g x Q n j¼ z j mod p from all (y i, Z i ). Under Assumption, we shall prove that (y i z i K ¼ g x Q n j¼ Z j mod p and (y i, z i, R), for i n, are computationally indistinguishable, where R is a random value in G q. By contradiction proof, assume that there exists an algorithm A, which can efficiently distinguish ðy i z i K ¼ g x Q n j¼ z j mod pþ and (y i, z i, R), for i n, where R is a random value in G q. Based on the algorithm A, we show that we can construct another algorithm A 0 that can efficiently distinguish ðy a y b g x ax b mod pþ from (y a, y b, R), where y a ¼ g x a mod p, y b ¼ g x b mod p and x a, x b 2 Z q. First, the values y a, y b and R are the input of algorithm A 0. Without loss of generality, let y ¼ y a and Z ¼ y b. Then, algorithm A 0 randomly selects t, t 2,..., t n from Z q and computes the following values: y 2 ¼ y t mod p Z 2 ¼ Z t mod p y 3 ¼ y t 2 mod p Z 3 ¼ Z t 2 mod p.. y n ¼ y t n 2 mod p Z n ¼ Z t n 2 mod p y n ¼ y t n mod p Z n ¼ Z t n mod p: Therefore, the algorithm A 0 has constructed (y i, Z i for i n, and computes R Q n j¼ z j mod p, then A 0 calls A with these values. Since the algorithm A can compute the group key K ¼ R Q n j¼ z j mod p, then the algorithm A 0 can obtainr ¼ g x ax b. That is, A 0 can apply A to efficiently distinguish ðy a y b g x ax b mod pþ and ðy a y b RÞ, which is a contradiction for Assumption. Thus, the proposed protocol is secure against passive adversaries under the Decision Diffie Hellman problem assumption. & 4.2. Impersonator s attacks Here, we discuss the security of the proposed protocol regarding an attack by an impersonator. Impersonator s attacks are that impersonators who want to impersonate participants in a group key agreement protocol. Mutual authentication ensures that the proposed protocol can withstand impersonator s attacks. Here, we show that the proposed protocol provides mutual authentication between the powerful node and mobile nodes. In the first, we show that the powerful node can authenticate mobile nodes under the discrete logarithm assumption [30,3], using the signatures d i ¼ Sign(SK i, y i ) sent by mobile nodes. Here, we assume that the signature is generated using the Shamir Tauman online/offline signature scheme [32], in which the security is based on the difficulty of computing the discrete logarithm modulo a large prime. LEMMA. If computing the discrete logarithm modulo a large prime is hard, any malicious attacker E cannot generate the valid d i ¼ Sign(SK i, y i ) of any low-power node U i. Proof. Since the signature d i ¼ Sign(SK i, y i ) is generated using the Shamir Tauman online/offline signature scheme, the proof can directly refer to that in [32]. We omit the details of the proof. They have proved the following fact: if a malicious attacker E without knowing secret key SK i can impersonate U i to generate valid d i with a non-negligible probability «, then the malicious attacker E can compute the discrete logarithm modulo a large prime efficiently. Thus, the proposed protocol ensures that the powerful node can authenticate other low-power nodes under the discrete logarithm assumption. & Second, in the following Lemma, we prove that low-power nodes can authenticate the powerful node under the Decision Diffie Hellman problem assumption. LEMMA 2. Under Assumption, any malicious attacker E cannot generate valid a 0 i ¼ ysk S i mod p to pass the verification of the corresponding low-power node U i. Proof. We know that the low-power node U i pre-computes the value a i ¼ PK x i S mod p and keeps it in his storage, where PK S ¼ g SK S mod p and then a i ¼ g x isk S mod p. Since the broadcast message is only y i ¼ g x i mod p, the malicious attacker E must compute a 0 i ¼ g x isk S mod p using two public messages PK S ¼ g SK S mod p and y i ¼ g x i mod p. Obviously, that is the malicious attacker E must efficiently distinguish ðg SK S g x i g SK Sx i mod pþ from ðg SK S g x i RÞ, where R is a random value in G q. It is easy to see that this problem is a contradiction to the Decision Diffie Hellman problem of Assumption. Thus, the proposed protocol ensures that the low-power node can authenticate the powerful node S under Assumption. & Based on the above Lemmas, we demonstrate that the proposed protocol provides mutual authentication and is secure against impersonator s attacks. THEOREM 3. Under the discrete logarithm assumption and Assumption, the proposed protocol is secure against impersonator s attacks. Proof. By Lemma, we know that only one legal lowpower node U i with the secret key SK i can generate valid d i. Since an impersonator does not know the legal low-power

8 48 Y.-M. Tseng node s secret key, the impersonator cannot compute the valid d i. This provides authentication to low-power nodes in the proposed protocol. By Lemma 2, it is obvious to see that only a legal powerful node with knowing the secret key SK S can compute a 0 i ¼ g x isk S mod p. That is, any attacker cannot impersonate the powerful node to low-power nodes, thus it provides authentication to the powerful node in the proposed protocol. Therefore, the proposed protocol is secure against impersonator s attacks and provide mutual authentication between the powerful node and low-power nodes. & 4.3. Implicit key authentication Here, we show that the proposed protocol provides implicit key authentication under the difficulty of computing discrete logarithm modulo a large prime and Assumption. Without loss of generality, let U ¼ {U, U 2,..., U n } be the set of lowpower nodes. The group key agreement protocol provides implicit key authentication if each U i 2 U is assured that no party U q =2 U can learn the group key (unless aided by a dishonest U j 2 U) [0,2,4]. THEOREM 4. Under the difficulty of computing discrete logarithm modulo a large prime and Assumption, the proposed protocol provides implicit key authentication. Proof. By Lemma, we have shown that any malicious attacker cannot generate the valid d i ¼ Sign(SK i, y i ) of any low-power node U i under the difficulty of computing discrete logarithm modulo a large prime. Therefore, only U i 2 U can generate the valid d i ¼ Sign(SK i, y i ), that is U i really owns the tuple (x i, x i, a i, y i, d i ). Since U i owns x i, he/she can compute X ¼ Z x i i mod p and K ¼ X Q n j¼ z j mod p. In addition, we show that no party U q =2 U can learn the group key. In fact, it is clear that the attacker U q is a passive adversary since U q =2 U. By Theorem 2, we have proved that the proposed protocol is secure against passive adversaries. Therefore, the proposed protocol provides implicit key authentication. & 4.4. Forward secrecy A key agreement protocol offers forward secrecy if compromise of a long-term key cannot result in the compromise of previously established session keys. As mentioned in Step of the proposed protocol, (x i, x i, a i, y i, d i ) is stored in the memory storage of the low-power node and each tuple (x i, x i, a i, y i, d i ) is used only once. In this case, (x i, x i, a i, y i, d i ) must be erased as soon as they are no longer useful. Obviously, since the low-power nodes long-term keys SK i are used only for authentication and they are not used for hiding the group key, the leakage of any mobile node s long-term key does not reveal anything about the group key. At the same reason, the long-term key SK S of the powerful node is used to generate the authentication message a i and is not embedded into the group key. The leakage of the long-term key SK S does not reveal anything about the group key. Thus, the proposed protocol provides forward secrecy. The random oracle model [20] assumes that the one-way hash function is actually a true random function and that the computing discrete logarithm modulo a large prime is hard. We demonstrate that the proposed protocol provides forward secrecy under the random oracle model and the Assumption. THEOREM 5. Under the random oracle model and Assumption, the proposed protocol provides forward secrecy. Proof. Without loss of generality, let U ¼ {U, U 2,..., U n } be the set of low-power nodes that have established a group key K with the powerful node S at some past time t. After finishing the group session, the used tuple (x i, x i, a i, y i, d i ) of each low-power node and the used (x, X) have been erased. Suppose that an adversary obtains all secret keys SK i of low-power nodes as well as the secret key SK S of the powerful node at time t +. Therefore, the adversary obtain only C and ðd i y i z i a 0 i Þ, for i ¼,2,..., n. Obviously, d i is a signature for y i under the low-power nodes long-term keys SK i and it is used only for authentication and they are not used for hiding the group key. The leakage of any mobile node s SK i does not reveal anything about the group key. On the other hand, if the adversary can get g x or X, then he/she can compute the group key K. Here we show that the adversary cannot get any information about the group key K ¼ X Q n j¼ z j mod p ¼ g x Q n j¼ z j mod p. In the following, we will discuss three cases to show that the adversary cannot obtain X, g x or K. CASE. If the adversary tries to obtain X from C ¼ H(X z... z n ), the probability is negligible under the random oracle model [20]. In the random oracle model, the hash function is a true random function and the adversary may query a random oracle Q. After q H queries, the probability is q H /2 k, where k is the output-length of the hash function. Therefore, the successful probability of obtaining X from C ¼ H(X z... z n ) is negligible. CASE 2. If the adversary gets x i of any low-power node U i, he/she can compute X from z i. The adversary has two possible ways to get x i, but we show that the difficulty of getting x i is based on the computing discrete logarithm modulo a large prime. The adversary may try to obtain x i from y i directly, or 0 from a i with known SK S. If the adversary tries to obtain x i 0 from a i with known SK S, it is clear that only y i can be computed. Obviously, to obtain x i from y i directly is equal to the difficulty of computing the discrete logarithm modulo a large prime. CASE 3. Finally, the adversary tries to derive the group key from (y i, Z i ) for i ¼,2,..., n. This case is the same as the

9 A group key agreement protocol for resource-limited mobile devices 49 attack of passive adversaries. By Theorem 2, we have shown that the proposed protocol is secure against passive adversaries under Assumption. Therefore, the adversary will fail to obtain the group key K from (y i, Z i ) for i ¼,2,..., n. According to the above discussions of three cases, even though secret keys SK i of low-power nodes as well as the secret key SK S of the powerful node are compromised, they do not reveal anything about the group key. Thus, the proposed protocol provides forward secrecy. & 5. DISCUSSIONS AND COMPARISONS In the following, we analyze the computational complexity and the communication cost of the proposed protocol. For convenience, the following notations are used to analyze the computational complexity and the communication cost. T SIG is the time for computing one signature; T VER is the time for verifying one signature; T EXP is the time for modular exponentiation; T INV is the time for modular inverse; T H is the time for computing one hash function; T MUL is the time for modular multiplication; jmj denotes the bit-length of a message m. Considering the computational cost of the powerful node, the powerful node is regarded as a wireless gateway with less computational restriction. In Step 2 of the proposed protocol, the powerful node checks the signature d i by Verify(PK i, y i, d i ), i ¼,2,..., n. If verifications are correct, the powerful node S randomly selects a value x in Z q and then computes X ¼ g x mod p and computes the values ða 0 i z i Þ, for i ¼,2,..., n. Finally, the powerful node S computes a checking value C ¼ H(X z... z n ) and a group key K ¼ X Q n j¼ z j mod p. Thus, nt VER + (2n + )T EXP + nt MUL + T H is required for the powerful node. In the following, let us discuss the computational cost of low-power nodes in the proposed protocol. In Step, each low-power node U i uses the offline pre-computing technique to compute y i ¼ g x i mod p a i ¼ PK x i S mod p and a signature d i ¼ Sign(SK i, y i. Certainly, some tuples ðx i x i a i y i d i Þ should be stored in the memory storage of the low-power node in advance. When the low-power node U i would like to participate a group session, he gets one tuple ðx i x i a i y i d i Þ from his storage card and sends (y i, d i to the powerful node S. The offline computational cost for this step is T SIG + 2T EXP + T INV. According to the Shamir Tauman online/offline signature scheme [32], the online computational complexity is equivalent to about only one modular multiplication T MUL. In Step 3, upon receiving ða 0 i z i Þ, i ¼,2,..., n, then the low-power node gets a i from the used ðx i x i a i y i d i Þ in Step to check whether a i ¼ a 0 i holds or not. Afterward each low-power node U i computes X ¼ Z x i i. And then U i checks whether C ¼ H(X Z... Z n and computes the group key K ¼ X Q n j¼ z j mod p. This step requires T EXP + T H + nt MUL. Therefore, online computational cost for each low-power node is T EXP + T H + (n + ) T MUL. In the proposed protocol, each low-power node U i sends (y i, d i to the powerful node S via uni-cast communication, and the powerful node S broadcasts C and ða i 0 z i Þ, i ¼,2,..., n, to low-power nodes. Thus, the message sizes sent by each low-power node and the powerful node are 3jpj and jhj +2njpj, where jhj is k bit-length of the adopted hash function. Note that since the powerful node broadcasts messages to all low-power nodes, the broadcast communications could adopt multiple uni-casts or multicasts to achieve this function. In this case, the communication cost of the multiple uni-casts is large than one of one broadcast. Therefore, communication cost required by the proposed protocol is large than one required by Bresson et al. s protocol. Nevertheless, the important point is that the proposed protocol provides more security properties than Bresson et al. s protocol. Table lists the comparisons between Bresson et al. s authenticated protocol [22] and the proposed one. We consider the comparisons in terms of forward secrecy, contributory property, the number of rounds, the online computational complexity required for each low-power node and computational complexity of the powerful node as well as communication costs of each low-power node and the powerful node. If mutual authentication among all lowpower nodes is provided, some extra online computational costs are required for each low-power node. In this case, the computational cost is too expensive for low-power nodes. One alternative is that each low-power node does not authenticate other low-power nodes. Both protocols provide only mutual authentication between the powerful node and low-power nodes and do not consider mutual authentication among all mobile nodes. Certainly, when the proposed protocol is employed into cellular mobile networks or wireless local area networks, another alternative approach is that the low-power nodes may use the authentication procedures [34,35,36] provided by these attached networks to authenticate with the powerful node each other in advance. The online computational complexity required by each low-power node in the proposed protocol is larger than that in Bresson et al. s protocol. Nevertheless, advanced smart-card architecture has been studied and shown the capability for the exponentiation and the multiplication computations [37]. We present the computational time by a simulated environment to provide the evidence that the proposed protocol is well suitable for the low-power node. In the following, a simulation result for the computational time on the low-power node (PDA) is presented. The simulation environment is that the low-power node is ASUS MyPal A620 Pocket PC PDA [38] with Pocket PC 2003 (Windows Mobile 2003) [39] to execute simulation programs. The ASUS A620 features a 400 MHz PXA 255 Intel XScale processor and 32 MB of Flash ROM and 64 MB of RAM. The modular multiplication and the modular exponentiation

10 50 Y.-M. Tseng TABLE. Comparisons between two authenticated group key agreement protocols Bresson et al. s protocol [22] Proposed protocol Forward secrecy No Full Contributory group key agreement No Yes Implicit key authentication No Yes Number of rounds 2 2 Computational complexity required by each low-power node (online) T H +T MUL T EXP + T H + (n + )T MUL Computational complexity required by the powerful node nt VER + nt EXP + (n + )T H nt VER + (2n + )T EXP + nt MUL + T H Message size sent by each low-power node 3 p 3 p Message size sent by the powerful node c + n H H + 2n p Mutual authentication between the powerful node Partial a Yes and low-power nodes Extra computational complexity required by each T H 0 low-power node (online) Extra computational complexity required by the powerful node nt H 0 a Bresson et al. s protocol needs extra computation costs to provide that each low-power node authenticate to the powerful node. TABLE 2. Time measurements of low-level cryptographic operations. Modular multiplication Hash function Modular exponentiation Average time (ms) are developed by the Ewesoft Software Development Kit (EWE SDK) [40]. All contributions are selected from the Diffie Hellman problem with a 024-bit prime modulus p. The computational time of a modular multiplication is measured by computing a b mod p, where jaj¼jbj¼jp¼ 024. The computational time of a modular exponentiation is measured by computing 024-bit modular exponentiation with 256-bit exponent. The average computational costs of the modular multiplication and the modular exponentiation are calculated for 000 and 00 runs, respectively. The hashing function utilizes SHA- [29]. The simulation results for two kinds of modular operations and hash operation are depicted in Table 2. Even though the number of group members is 00, the computational cost required by each low-power node for computing T EXP + 2T H + (n + )T MUL is only about 2 s. It is obvious that the required computational complexity required by the lowpower node is reasonable. We suspect that an implementation with elliptic curve groups [4,42] would yield better results. CONCLUSIONS In this paper, a secure authenticated group key agreement protocol well suited for mobile devices with low-power computing capability has been proposed. We show that the proposed protocol is a real contributory group key agreement one, thus each low-power node equally contributes to the group key and guarantees the group key s freshness in each group key construction. We demonstrate that the proposed protocol is provably secure against passive adversaries under the decision Diffie Hellman assumption. We also show that the proposed protocol is provably secure against impersonator s attacks under the decision Diffie Hellman and the discrete logarithm assumptions and provides mutual authentication between low-power nodes and the powerful node. Meanwhile, a simulation result on a PDA device shows that the proposed protocol is well suited for mobile devices with low-power computing capability. The proposed protocol is efficient in terms of the computational cost of each lowpower node and the number of rounds. Furthermore, in mobile/wireless networks a low-power node often moves from cover-area of one powerful node to one of another powerful node. As considering this situation into the design of group key agreement protocols, handover (or handoff) problem should be addressed. Therefore, how to achieve fast and seamless handover is an important issue in the future. ACKNOWLEDGEMENTS The author would like to thank the referees for their valuable comments and constructive suggestions. This research was partially supported by National Science Council, Taiwan, R.O.C., under contract no. NSC E REFERENCES [] ETSI TS (2002) General Packet Radio Services (GPRS) Service Description (Stage 2)., European Telecommunications Standards Institute ETSI TS , Sophia Antipolis Cedex, France.

11 A group key agreement protocol for resource-limited mobile devices 5 [2] ANSI/IEEE Std (999) Wireless LAN media access control (MAC) and physical layer (PHY) specifications. ANSI/IEEE Std (E) Part, ISO/IEC 8802-, IEEE Standards Association, Piscataway, USA. [3] Yang, H., Luo, H., Ye, F., Lu, S. and Zhang, L. (2004) Security in mobile ad hoc networks: challenges and solutions. IEEE Wireless Commun.,, [4] Campadello, S. (2004) Peer-to-Peer Security in Mobile Devices: A User Perspective. In Proc. Fourth Int. Conf. Peer-to-Peer Computing (P2P 04), Zurich, Switzerland, August 5 7, pp IEEE Press, NJ. [5] Phan, T., Huang, L. and Dulan, C. (2002) Challenge: integrating mobile wireless devices into the computational grid. MobiCom 02, Atlanta, Georgia, USA, September 23 28, pp [6] Ingemaresson, I., Tang, T. D. and Wong, C. K. (982) A conference key distribution system. IEEE Trans. Infom. Theory, 28, [7] Hwang, M. S. and Yang, W. P. (995) Conference key distribution schemes for secure digital mobile communications. IEEE J. Sel. Areas Comm., 3, [8] Tseng, Y. M. (2002) Cryptanalysis and improvement of key distribution system for VS AT satellite communication. Int. J. Informatica, 3, [9] Tseng, Y. M. and Jan, J. K. (999) Anonymous conference key distribution systems based on the discrete logarithm problem. Comput. Commun., 22, [0] Steiner, M., Tsudik, G. and Waidner, M. (998) CLIQUES: A new approach to group key agreement. In Proc. 8th Int. Conf. Distributed Computing. Syst. (ICDCS 98), Amsterdam, The Netherlands, May 26 29, pp IEEE Press, NJ. [] Burmester, M. and Desmedt, Y. (994) A secure and efficient conference key distribution system. In Advances in Cryptology Proceedings of Eurocrypt 94, Perugia, Italy, May 9 2, LNCS, 950, pp Springer-Verlag, Berlin. [2] Ateniese, G., Steiner, M. and Tsudik, G. (2000) New multiparty authentication services and key agreement protocols. IEEE J. Sel. Areas Comm., 8, [3] Bresson, E., Chevassut, O., Pointcheval, D. and Quisquater, J. J. (200) Provably Authenticated Group Diffie-Hellman Key Exchange. In Proc. 8th Annual ACM Conf. Computer and Communications Security, Philadelphia, Pennsylvania, USA, November 5 8, pp ACM Press, New York. [4] Bresson, E., Chevassut, O. and Pointcheval, D. (2002) Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions. In Proc. Eurocrypt 2002, Amsterdam, The Netherlands, April 28 May 2, LNCS 2332, pp Springer-Verlag, Berlin. [5] Katz, J. and Yung, M. (2003) Scalable Protocols for Authenticated Group Key Exchange. Advances in Cryptology Proceedings of Crypto 03, Santa Barbara, CA, August 7 2, pp. 0 25, LNCS [6] Tseng, Y. M. (2005) A robust multi-party key agreement protocol resistant to malicious participants. Comput J., 48, [7] Pereira, O. and Quisquater, J. J. (200) A security analysis of the cliques protocol suites. In Proc. 4th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, June 3, pp IEEE Press, NJ. [8] Asokan, N. and Ginzboorg, P. (2000) Key agreement in ad hoc networks. Comput. Commun., 23, [9] Boyd, C. and Nieto, G. (2003) Round-optimal contributory conference key agreement. In Proc. Public-Key Cryptography 03, Miami, USA, January 6 8, LNCS 2567, pp Springer-Verlag, Berlin. [20] Bellare, M. and Rogaway, P. (993) Random oracles are practical: a paradigm for designing efficient protocols. In Proc. st Annual ACM Conference on Computer and Communications Security (ACM CCS 93), Fairfax, Virginia, November 3 5, pp ACM Press, New York. [2] Tseng, Y. M. (2002) Robust generalized MQV key agreement protocol without using one-way hash functions. Comput. Stand. Interface, 24, [22] Bresson, E., Chevassut, O., Essiari, A. and Pointcheval, D. (2004) Multual authentication and group key agreement for low-power mobile devices. Comput. Commun., 27, [23] Nam, J., Kim, S. and Won, D. (2005) A weakness in the Bresson-Chevassut-Essiari-Pointcheval s group key agreement scheme for low-power mobile devices. IEEE Commun. Lett., 9, [24] Nam, J., Kim, S. and Won, D. (2005) DDH-based group key agreement in a mobile environment. J. Syst. Software, 78, [25] Tseng, Y. M. (2006) On the security of two group key agreement protocols for mobile devices. In Int Workshop on Future Mobile and Ubiquitous Information Technologies (FMUIT2006), Nara, Japan, May 9 2, pp IEEE Press, NJ. [26] Diffie, W. and Hellman, M. E. (976) New directions in cryptography. IEEE Trans. Infom. Theory, 22, [27] Boneh, D. (998) The decision Diffie-Hellman problem. In Proc. 3rd Algorithmic Number Theorey Symp., Portland, Oregon, June 2 25, LNCS 423, pp Springer-Verlag, Berlin. [28] Shoup, V. (997) Lower bounds for discrete logarithms and related problems. In Advances in Cryptology Proc. Eurocrypt 97, Konstanz, Germany, May 5, LNCS 233, pp Springer-Verlag, Berlin. [29] NIST/NSA FIPS 80-2 (2005) Secure Hash Standard (SHS). NIST/NSA, Gaithersburg, MD, USA. [30] ELGamal, T. (985) A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 3, [3] NIST (992) The Digital Signature Standard (DSA). Commun. ACM, 35, [32] Shamir, A. and Tauman, Y. (200) Improved on-line/off-line signature schemes. In Proc. Advances in Cryptology Crypto 0, Santa Barbara, CA, August 9 23, LNCS 239, pp Springer-Verlag, Berlin. [33] Rankl, W., Effing, W. and Wolfgang, R. (2000) Smart Card Handbook. (2nd edition), John Wiley & Sons, UK. [34] 3GPP TS (2003) 3GPP Technical Specification Group Services and System Aspects; 3G Security; Security architecture (Release 6). 3GPP Technical Specification Group, Valbonne, France.