Skip to main content
Sensors (Basel, Switzerland) logoLink to Sensors (Basel, Switzerland)
. 2014 Dec 18;14(12):24358–24380. doi: 10.3390/s141224358

Improved One-Way Hash Chain and Revocation Polynomial-Based Self-Healing Group Key Distribution Schemes in Resource-Constrained Wireless Networks

Huifang Chen 1,2,*, Lei Xie 1
PMCID: PMC4299115  PMID: 25529204

Abstract

Self-healing group key distribution (SGKD) aims to deal with the key distribution problem over an unreliable wireless network. In this paper, we investigate the SGKD issue in resource-constrained wireless networks. We propose two improved SGKD schemes using the one-way hash chain (OHC) and the revocation polynomial (RP), the OHC&RP-SGKD schemes. In the proposed OHC&RP-SGKD schemes, by introducing the unique session identifier and binding the joining time with the capability of recovering previous session keys, the problem of the collusion attack between revoked users and new joined users in existing hash chain-based SGKD schemes is resolved. Moreover, novel methods for utilizing the one-way hash chain and constructing the personal secret, the revocation polynomial and the key updating broadcast packet are presented. Hence, the proposed OHC&RP-SGKD schemes eliminate the limitation of the maximum allowed number of revoked users on the maximum allowed number of sessions, increase the maximum allowed number of revoked/colluding users, and reduce the redundancy in the key updating broadcast packet. Performance analysis and simulation results show that the proposed OHC&RP-SGKD schemes are practical for resource-constrained wireless networks in bad environments, where a strong collusion attack resistance is required and many users could be revoked.

Keywords: wireless networks, group communication, group key distribution, self-healing, collusion attack

1. Introduction

Many applications of wireless networks require secure group communications, especially in a hostile environment. In order to protect the sensitive data, group communication keys (also named as group session keys) could be used to encrypt exchanged messages among communicating group members. Therefore, the group key management is critical for providing secure communications.

However, providing efficient key distribution in resource-constrained wireless networks, such as wireless sensor networks, is a challenging issue due to some characteristics of wireless networks.

First, a legitimate group member may not receive the key broadcast message for a particular session due to the unreliable wireless medium, which makes the user request the group manager (GM) to re-transmit the message. When the group size is large, re-transmissions could overwhelm the GM potentially. Furthermore, in some applications with high security requirement, it is important that users only transmit essential messages to avoid making themselves vulnerable. It is desirable to have the self-healing property that enables legitimate group members to recover lost session keys on their own, instead of requesting additional transmissions from the GM.

Second, users may join and/or leave the group frequently. For a large communication group, the group session keys have to be updated due to dynamic group members, which result in the network resource consumption. Hence, an efficient node revocation and join mechanism is important for dynamic communication groups.

Third, wireless devices have limited computation capability, memory and energy. Using energy-consuming techniques, such as the public-key cryptography, to realize the group key management is not applicable for resource-constrained wireless networks. Hence, the energy-efficient property is required.

Three articles [13], reviewing self-healing group key distribution (SGKD) schemes have appeared in the literature. Tian et al. in [1] provides a survey of available solutions, which is focused on the possible scheme extensions, such as sponsorization or mutual-healing. In [2], the author analyzes the practicality of SGKD schemes in the resource-constrained wireless sensor networks. This review is focused on the scheme performance in terms of the communication overhead and storage overhead. In [3], authors identified three building blocks of the SGKD scheme, selective key distribution mechanism, pre-distributed secret data management and self-healing mechanism, to classify and compare the existing solutions. Based on this three-dimensional classification, a comprehensive review of the development in the area of SGKD schemes is provided.

1.1. Previous Work

Staddon et al. first introduced the concept of the self-healing group key distribution (SGKD), and proposed a non-interactive and reliable key distribution scheme in [4]. The basic idea of the SGKD is to broadcast information that is useful only for legitimate users. In this scheme, users use the secret sharing to bind the capability of recovering lost session keys with the membership. Combined with pre-distributed secrets, legitimate users can recover a session key; otherwise, revoked users cannot infer useful information. However, this scheme has high storage and communication overheads.

Based on the work in [4], several improved SGKD schemes have been proposed [529]. In order to increase the efficiency of the scheme in [4], Liu et al. proposed some new schemes by combining a personal secret distribution technique with self-healing [5]. Blundo et al. analyzed the security model defined in [4,5], and found that it is impossible to satisfy all of the security requirements. Then, based on the self-healing technique with a slightly modified framework in [6] and the self-healing mechanism in [7], a novel SGKD scheme enabling a user to recover all previous session keys from a single key broadcast message was proposed. Hong and Kang proposed a revocation polynomial-based SGKD scheme (RP-SGKD) with low storage and communication overheads [8].

Recent, many hash chain-based SGKD (HC-SGKD) schemes, one-way hash chain (OHC) and dual directional hash chain (DDHC), were proposed in [916]. Due to the efficiency of the hash function, these HC-SGKD schemes reduce communication and storage overheads obviously. However, the performance improvement is at the cost of the property of the collusion attack resistance. That is, revoked users colluding with new joined users can recover all session keys, which they are not entitled to get [1].

In [1719], the pre-arranged life cycle-based SGKD schemes were proposed to make those HC-SGKD schemes resist to the collusion attack. However, these schemes can only apply to the scenario in which the user's life cycle is pre-determined, and the collusion of revoked users within the life cycles and new joined users can recover unauthorized session keys.

In order to resolve the collusion attack resistance problem in existing HC-SGKD schemes, we proposed an SGKD scheme based on the one-way hash chain and revocation polynomial for wireless sensor networks in [20]. However, as using the personal secret structure in Dutta et al.'s scheme, the RP-SGKD scheme proposed in [20] inherits the limitation of SGKD schemes in [10,11]. That is, the maximum allowed number of sessions should not be larger than the maximum number of revoked users.

Other techniques, such as subset difference re-keying [21], bilinear pairings [22,23], vector space secret sharing [24,25] and the exponential arithmetic [26], are also used to design SGKD schemes.

Among those existing SGKD schemes, the polynomial secret sharing is the most common cryptographic technique used to implement self-healing key distribution [22]. With regard to the construction method, the polynomial is classified into two types, the revocation polynomial and the access polynomial. Both of them guarantee that only legitimate users can recover the session key(s), while illegitimate users cannot. The SGKD schemes in [5,720] are based on the revocation polynomial, and schemes in [2730] are based on the access polynomial.

Moreover, the hash chain, another cryptographic technique, is used to design the SGKD scheme with other cryptographic techniques. The schemes in [920] are hash chain and revocation polynomial-based SGKD (HC&RP-SGKD) schemes, and schemes in [29,30] are hash chain and access polynomial-based SGKD (HC&AP-SGKD) schemes.

1.2. Problems in Existing RP-SGKD Schemes

In this paper, we focus on the SGKD scheme based on the revocation polynomial. After investigating existing RP-SGKD schemes, we find that, except for the collusion attack resistance problem in the HC-SGKD schemes, three other common weaknesses for existing RP-SGKD schemes need to be resolved.

First, the maximum allowed number of revoked/colluding users is limited to be t, where t is the degree of the personal secret polynomial.

Second, the redundancy exists in the key updating broadcast packet, and the communication overhead increases quickly along with the number of sessions.

Third, given the size of the session key updating broadcast packet, the maximum allowed number of sessions and revoked users is too small to use these existing schemes in real resource-constrained wireless networks.

Although the collusion attack resistance problem is partially resolved in [20], the problem, that the maximum allowed number of sessions is limited by the maximum number of revoked users, still exists.

1.3. Our Contributions

Two improved SGKD schemes using the one-way hash chain (OHC) and revocation polynomial in resource-constrained wireless networks are proposed. In the proposed SGKD schemes, by binding the time at which the user joins the group with its capability of recovering group session key(s), some novel methods are presented to utilize one-way hash chain, and to construct the personal secret, the revocation polynomial and the key updating broadcast packet.

To solve the collusion attack resistance problem in existing HC-SGKD schemes and eliminate the limitation of the maximum number of revoked user on the maximum allowed number of sessions, we propose the first SGKD scheme. However, as same as most existing SGKD schemes in [412,20], the storage overhead of each user in the first proposed SGKD scheme is high, and determined by the maximum number of revoked user or the maximum allowed number of sessions. To eliminate the impact of the maximum number of revoked user or the maximum allowed number of sessions on the storage overhead, we further propose the second SGKD scheme, a constant storage overhead scheme, to achieve a good tradeoff between the storage overhead and the communication overhead.

Compared to existing RP-SGKD schemes, the main advantages of the proposed schemes are four-aspect. First, the collusion attack resistance problem in existing HC-SGKD schemes is solved. Second, a stronger security and more colluding users are to be supported under same conditions. Third, the total communication overhead is reduced without increasing the storage overhead. Fourth, the limitation of the maximum number of revoked user on the maximum allowed number of sessions is eliminated in the proposed SGKD schemes. And the storage overhead is constant in the second SGKD scheme.

The remainder of the paper is organized as follows. In Section 2, the security model on which the proposed schemes are based is defined. In Section 3, two improved SGKD schemes are presented, and the improvements and security performance are analyzed. In Section 4, the performance comparison with some existing schemes is given. Finally, we conclude the paper in Section 5.

2. Security Model

In this section, we briefly define the security model used in the paper. Notations used in the paper and the corresponding denotations are summarized in Appendix (Table A1).

To clarify the performance of the proposed SGKD schemes, the security model used in this paper is defined as follows.

Suppose a communication group in wireless networks with a GM and a set of group users. Each group member is uniquely identified by an ID number i, the group member is denoted as Ui, i ϵ {1, 2, …, N}, and N is the largest ID number. All of the operations perform in a finite field, Fq, where q is a prime, and q > N. The lifetime of the SGKD scheme is partitioned into m sessions.

Definition 1: (self-healing group key distribution with mt-revocation capability) The scheme is a self-healing group key distribution with mt-revocation capability if the following conditions are satisfied.

  • (a).
    For a legitimate group member Ui, UiϵGjj , 1 ≤ j′jm, the session key for session j, Kj, is determined by the key updating broadcast packet for session j, Bj, and the personal secret, Si. That is,
    H(Kj|Bj,Si)=0 (1)
  • (b).
    No information about Kj (1 ≤ jm) can be obtained from either key updating broadcast packets or personal secrets only. That is,
    H(Kj|S1,S2,,SN)=H(Kj|B1,B2,,Bm)=H(Kj) (2)
  • (c).
    (mt-revocation capability) Let Rj be a set of users be revoked before and in session j, Rj={Rj1,Rj2,,Rjj}, where Rjj is the set of users joined the group in session j′ and be revoked before or in session j, |Rjj'|t and |Rj| ≤ jt for 1 ≤ jm. The scheme has mt-revocation capability if for a given Rj, the GM can generate a key updating broadcast packet, Bj, in order that Ui who does not belong to Rj recovers Kj, whereas the revoked user Ur, UrRj, cannot recover Kj. That is,
    H(Kj|Bj,Si)=0,H(Kj|Bj,{Sr|UrRj})=H(Kj) (3)
  • (d).
    (Self-healing property) The scheme is self-healing if any user Ui, who joined the group in session j1 and is still a legitimate group member in session j2, can recover lost session key for session j, Kj, from the key updating broadcast packet for session j2, Bj2, and j1 < j < j2. That is,
    H(Kj|Bj2,{Si|UiGjj1})=0 (4)

Definition 2: (mt-wise forward secrecy) Let Rj be a set of users be revoked before and in session j, Rj={Rj1,Rj2,,Rjj}, where Rjj is the set of users who joined the group in session j′ and are revoked before or in session j, |Rjj'|t and |Rj| ≤ jt for 1 ≤ jm. The scheme guarantees mt-wise forward secrecy if for any set Rj, all users in Rj cannot get any information about Kj+1 even with the knowledge of session keys before session j. That is,

H(Kj+1|B1,B2,,Bm,{Sr|UrRj},K1,K2,,Kj)=H(Kj+1) (5)

Definition 3: (any-wise backward secrecy) Let Dj be the set of users joined the group after session j, Dj = {Dj+1, Dj+2, …, Dm}, where Dj (j + 1 ≤ j′m) is the set of users joined the group in session j′, and 1 ≤ jm. The scheme guarantees any-wise backward secrecy if for any set Dj, all users in Dj cannot get any information about Kj even with the knowledge of session keys after session j. That is,

H(Kj|B1,B2,,Bm,{Sv|UvDj},Kj+1,Kj+2,Km)=H(Kj) (6)

Definition 4: (mt-wise collusion attack resistance capability) Let Rj1 be the set of users be revoked before and in session j1. Let Dj2 be the set of users joined the group after session j2. The scheme has mt-wise collusion attack resistance capability if given any two disjoint sets Rj1 and Dj2 (j1 < j2), users in Rj1 colluding with users in Dj2 cannot recover Kj even with the knowledge of {B1, B2, …, Bm, {Sr|UrRj1}} and {B1, B2, …, Bm, {Sv|UvDj2}} for j1 < jj2. That is,

H(Kj|B1,B2,,Bm,{Si|UiRj1Dj2})=H(Kj) (7)

3. Two Improved Self-Healing Group Key Distribution Schemes

3.1. The OHC&RP-SGKD Scheme 1

In order to resolve the problems mentioned in Section 1.2, we propose two improved SGKD schemes using the one-way hash chain and the revocation polynomial for resource-constrained wireless networks.

To remove the limitation of the maximum number of revoked user t on the maximum allowed number of sessions m, m < t + 1, we change the structure of the personal secret used in [20], and propose the first improved SGKD scheme based on the one-way hash chain and the revocation polynomial, named as the OHC&RP-SGKD scheme 1.

In the proposed OHC&RP-SGKD scheme 1, m t-degree polynomials chosen from Fq[x], s1(x), s2(x), …, sm(x), are used to replace one 2t-degree polynomial in Dutta et al.'s scheme and the RP-SGKD scheme in [20]. When joining the group in session j, Ui stores Si = {åj·sj(i), åj·sj+1(i), …, åj·sm(i)} as the personal secret, where åj is the unique session identifier for session j. Hence, revealing one or more used secret polynomials has no effect on unused personal secret polynomials, and then it has no effect on following group session keys.

3.1.1. The Scheme Detail

The proposed OHC&RP-SGKD scheme 1, including three phases and two cases, is described as follows.

Phase 1: Initialization

The GM independently and randomly chooses m t-degree polynomials from Fq[x], s1(x), s2(x), …, sm(x), and m numbers from Fq, å1, å2, …, åm.

Each user Ui, Ui ϵ G1, receives Si = {å1·s1(i), å1·s2(i), …, å1·sm(i)} as the personal secret from the GM via a secure communication channel, where G1 denotes the set of group members at the beginning of session 1.

Phase 2: Broadcast in Session j (1 ≤ jm)

Let Rj be the set of users be revoked before and in session j, Rj={Rj1,Rj2,,Rjj}, where Rjj is the set of users joining the group in session j′ and be revoked before or in session j, Rjj={Ur1j,Ur2j,,Urwjj} and |Rjj'|=wjt. r1j,r2j,,rwjj are the IDs of users in Rjj. Rjj= if there are no new joined users in session j′.

  • (1)
    The GM randomly chooses a number kj0 from Fq. And the j-th key chain, {kj1,kj2,,kjj}, is calculated with one-way hash function, h(·), and kj0 as follows,
    kj1=h(kj0)kj2=h(kj1)=h(h(kj0))=h2(kj0)kjj=h(kjj1)=h2(kjj2)==hj(kj0) (8)

    For security, kj10kj20 for j1j2.

  • (2)
    The GM chooses number sets Rjj, Rjj={r1j,r2j,,rtwjj}, from Fq for sessions with new joined user(s), where r1j,r2j,,rtwjj are random numbers, not used as a user ID and different from each other. The GM constructs the revocation polynomials for the users joined the group in different sessions as,
    Ajj'(x)=z=1|Rjj'|(xrzj')z'=1t|Rjj'|(xr'z'j'),j'=1,2,,j (9)

    The purpose of the padding with the elements in Rjj is to make the constructed revocation polynomials be t-degree.

  • (3)
    The GM computes
    Φjj'(x)=Ajj'(x)kjj'+εj'sj(x),j'=1,2,,j (10)
    where εj′·sj(x) and kjj are the masking polynomial and the masking key, respectively.
  • (4)

    The GM randomly chooses a session key Kj from Fq.

  • (5)
    The GM constructs and broadcasts the message
    Βj=RjR'j{Φjj'(x)|j'=1,2,,j}{Ekjj'(Kj')|j'=1,2,,j} (11)
    where Rj={Rj1,Rj2,,Rjj}.

Phase 3: Group Session Key Recovery in Session j (1 ≤ jm)

When a legitimate group member Ui, UiϵGjj, receives Bj, it recovers the group session key via following steps.

  • (1)
    Ui evaluates εj′·sj(i), Ajj(i) and Φjj(i), and computes the masking key as
    kjj'=[Φjj'(i)εj'sj(i)]/Ajj'(i),j'=1,2,,j (12)
    Ajj(i)=0 when UiϵRjj, which means that revoked users can recover neither kjj nor Kj from Bj.
  • (2)

    Ui computes all masking keys, {kjj|jjj}, in the j-th key chain with (8).

  • (3)

    By decrypting {Ekjj(Kj)|jjj} with {kjj|jjj}, Ui recovers {Kj″| j′j″j}.

Case 1: Group Member Addition

If a new user, Uv, joins the communication group in session j, a key updating process is launched to ensure the backward secrecy.

The GM allocates Sv = {åj·sj(v), åj·sj+1(v), …, åj·sm(v)} as the personal secret to Uv via a secure communication channel. Receiving the personal secret, Uv joins Gj.

The GM and users in Gj launch a key updating process, including Phase 2 and Phase 3, to include Uv.

Case 2: Group Member Revocation

If a user joined the group in session j′, Ur, is revoked in session j, a key updating process is launched to ensure the forward secrecy.

The GM includes ( xrrj) into Ajj(x)(jjm), which means Ur joins Rjj and Rj″. And then, the GM and users in Gj launch a key updating process, including Phases 2 and 3, to exclude Ur.

3.1.2. Main Advantages

The proposed OHC&RP-SGKD scheme 1 solves the problems mentioned in Section 1.2, and also has some performance improvements.

  • (1).

    With the property of the collusion attack resistance

    In the proposed OHC&RP-SGKD scheme 1, the unique identity for each session is introduced. Uv, who joins the communication group in session j, receives Sv = {åj·sj(v), åj·sj+1(v), …, åj·sm(v)} as the personal secret, where åj is the joining time identity for session j.

    A user Ur, UrG1, be revoked in session j1, knows {å1·sj(r)| 1 ≤ jm}. And Uv joined the group in session j2 (j1 < j2m) knows {εj2·sj(v)| j2jm}. The collusion of Uv and Ur can obtain {å1·sj(r)| 1 ≤ jm} and {εj2·sj(v)| j2jm}, but neither {åj·sj(r)| j1 < j < j2} nor {åj·sj(v)| j1 < j < j2}. Hence, they cannot recover {Kj| j1 < j < j2}.

    Therefore, the proposed OHC&RP-SGKD scheme 1 resolves the collusion attack problem.

  • (2).

    Reducing the communication redundancy

    Considering that there may have no new joined users in some sessions in real network environments and introducing the unique identity for each session, novel methods are presented to construct the revocation polynomials and the key updating broadcast packet in the proposed OHC&RP-SGKD scheme 1.

    In the proposed OHC&RP-SGKD scheme 1, the revocation polynomials for users joined the group in different sessions are constructed in order that a user can be revoked according to its joining time. And if there are no users joined in session j′ (j′j), Rjj=, Ajj(x)=, and Φjj(x) is not included in Bj.

    Suppose that during j sessions, the group member addition operation occurs v times. The size of the j-th key updating broadcast packet, Bj, in the proposed OHC&RP-SGKD scheme 1 and Dutta et al.'s scheme is [(t + 1)v + j)]log2q bits and [(t + 1)j]log2q bits, respectively. When v < j, the size of Bj in the proposed OHC&RP-SGKD scheme 1 is smaller than that of Dutta et al.'s scheme.

    Hence, with novel structures of the revocation polynomials and the key updating broadcast packet, the communication redundancy reduces.

  • (3).

    Updating of personal secrets partially

    In existing RP-SGKD schemes, once m sessions expires or t revoked users reaches, these schemes should be reset, and the GM has to update the personal secrets of all legitimate group members because the same personal secret polynomial is shared. In the proposed OHC&RP-SGKD scheme 1, users joined the group in different sessions share different personal secret polynomials, and only the number of revoked users joined the group in the same session reaches t, the scheme will be reset. For example, if |Rjj'|=t in session j, and j < m, the GM only needs to update the personal secrets of legitimate users in Gjj.

    Hence, the proposed OHC&RP-SGKD scheme 1 can update the personal secrets partially, which in turn prolongs the lifetime of the scheme.

  • (4).

    Eliminating the limitation of m < t + 1

    In the proposed OHC-RP-SGKD scheme 1, users joined the group in different sessions are treated by binding the joining time with the capability of recovering previous session keys, and they are classified according to the joining time. Users joined the group in different sessions are allocated different shares of personal secret polynomials, which makes users joined the group in different sessions be unable to collude together.

The reset of the SGKD scheme is triggered by two conditions as follows.

CON1: The maximum number of sessions expires although the number of revoked users is less than t.

CON2: The number of revoked users reaches t although the maximum number of sessions does not expire.

Considering the CON2 that |Rj|=j'=1j|Rjj'|t in session j, j < m and |Rjj'|<t. In the proposed OHC&RP-SGKD scheme 1, since users joined the group in different sessions cannot coalesce together, the session key(s) cannot be deduced even if t + 1 users joined the group in different sessions are revoked. Hence, the proposed OHC&RP-SGKD scheme 1 does not need to reset.

Hence, the proposed OHC&RP-SGKD scheme 1 can support more sessions under same conditions compared to existing HC-SGKD schemes, and a smaller t can be used to prolong the lifetime of the scheme.

3.1.3. Security Analysis

Based on the security model in Section 2, the proposed OHC&RP-SGKD scheme 1 is secure with following theorems and proofs.

Theorem 1

The scheme presented in Section 3.1.1 is a secure, self-healing group session key distribution scheme with mt-revocation capability.

Proof
  • (a)

    A legitimate group member Ui, UiϵGjj and j′j, can recover Kj as described in Phase 3. Hence, it follows that H(Kj|Bj, Si) = 0.

  • (b)

    Since Kj is independent of Si, using the personal secret only does not give any information about the session keys. On the other hand, since the masking key and the session key are selected randomly, the key updating broadcast packets cannot give any information about the session keys. Therefore, Kj cannot be determined only with Sj or Bj. Hence, it follows that H(Kj|S1, S2, …, SN) = H(Kj|B1, B2, …, Bm) = H(Kj).

  • (c)

    For UrRjj, Ajj(r)=0, which makes kjj' appears randomly to users in Rjj'. Hence, it is impossible for the coalition of users in Rj to recover Kj because Rj has no information about kjj'.

    Moreover, since only users joined the group in the same session can coalesce together, the coalition of users joined the group in different sessions cannot get information about åj′·sj(x). Because |Rjj'|t, and the required number of users to determine åj′·sj(x) is at least (t + 1), the coalition of users in Rj cannot recover åj′·sj(x), which makes Kj appear randomly to all users in Rj.

    Hence, it follows that H(Kj|Bj, Si) = 0, H(Kj|Bj, {Sr|UrRj}) = H(Kj).

  • (d)

    From Phase 3, we observe that the proposed OHC&RP-SGKD scheme 1 makes a user recover lost session keys in previous sessions with current key updating broadcast packet only if the user is not revoked in these sessions.

    Specifically, let Ui who joined the group in session j1 be a legitimate group member in session j2, and UiGj2j1. Ui receives Bj2, but not Bj, and j1 < j < j2. Ui recovers all of the lost session keys as follows.

    • (1)
      In Phase 3, Ui, UiϵGj2j1 and j1 < j2, recovers kj2j1.
    • (2)
      With kj2j1, Ui generates all masking keys, {kj2j|j1<j<j2}, in the j2-th one-way hash key chain.
    • (3)
      Ui recovers {Kj| j1 < j < j2} by decrypting {Ekj2j(Kj)|j1<j<j2} with {kj2j|j1<j<j2}.
      Hence, the proposed OHC-RP-SGKD scheme 1 has the property of self-healing. It follows that
      H(Kj|Bj2,{Si|UiGjj1})=0
Theorem 2

The scheme presented in Section 3.1.1 achieves mt-wise forward secrecy.

Proof

For UrϵRjj, Aj+1j(r)=0, which means that Ur cannot recover kj+1j unless Ur can guess kj+1j correctly.

Since |Rjj|t, åj′·Sj+1(x) cannot be determined by the coalition of users in Rjj. Moreover, since only users who joined the group in the same session can coalesce together, the coalition of users joined the group in different sessions cannot get information about åj′·Sj+1(x). Hence, although all revoked users in Rj coalesce together, åj′·Sj+1(x) still cannot be determined, and Kj+1 cannot be recovered.

Therefore, the proposed OHC-RP-SGKD scheme 1 is mt-wise forward secret. It follows that

H(Kj+1|B1,B2,,Bm,{Sr|UrϵRj},K1,K2,,Kj)=H(Kj+1)
Theorem 3

The scheme presented in Section 3.1.1 achieves any-wise backward secrecy.

Proof

In order to recover Kj, any user Ui, Ui ϵ Dj, requires the knowledge of at least (t + 1) distinct points about åj″·Sj(x), j″j. Suppose that Ui joins the group in session j′, the GM gives the personal secret, Si = {åj′·Sj1(i)| j + 1 ≤ j′j1m} to Ui. Hence, the coalition of user in Dj cannot compute åj″·Sj(x) no matter how many users in Dj.

Therefore, the proposed OHC-RP-SGKD scheme 1 is any-wise backward secret. It follows that

H(Kj|B1,B2,,Bm,{Si|UiϵDj},Kj+1,Kj+2,,Km)=H(Kj)
Theorem 4

The scheme presented in Section 3.1.1 has mt-collusion attack resistance capability.

Proof

Let Rj1 be a set of users be revoked before and in session j1, Dj2 be the set of users joined the group after session j2, and j1 < j2. We will prove that users in Rj1 colluding with users in Dj2 cannot recover Kj (j1 < jj2) with Bj1 and Bj2.

From Theorem 2, the coalition of users in Rj1 cannot recover Kj for j > j1. Similarly, from Theorem 3, the coalition of users in Dj2 cannot recover Kj for jj2.

On the other hand, any user Ur in Rj1j only knows {åj′·Sj(r)| jj′}, And any user Ui in Dj″ only knows {åj″·Sj(i)| j > j″}. Since only users joined the group in the same session can coalesce together, users in Rj1 colluding with users in Dj2 obtain no information about åj′·Sj(x) or åj″·Sj(x), j1 < jj2. Hence, the collusion of users in Rj1 and Dj2 cannot recover Kj, j1 < jj2.

Therefore, the proposed OHC-RP-SGKD scheme 1 resists to mt-wise collusion attack. It follows that

H(Kj|B1,B2,,Bm,{Si|UiRj1Dj2})=H(Kj)

3.2. The OHC&RP-SGKD Scheme 2

Several parameters have been considered to evaluate the performance of SGKD schemes. With respect to the storage overhead, the proposed OHC-RP-SGKD scheme 1 is not optimal. How to tradeoff among the maximum allowed number of sessions, the maximum allowed number of revoked users, the storage overhead and the communication overhead is still an open issue for the RP-SGKD schemes.

By analyzing the key updating broadcast packet in the proposed OHC-RP-SGKD scheme 1, we observe that each kjj is masked by different masking polynomials, {εj′· sj (x) | j = j′, j′+1,…,m}. Although using multiple masking polynomials seems to make the attack be more difficult, it does not contribute to the security. Indeed, using one masking polynomial for each kjj is sufficient. Hence, the number of masking polynomials and the personal secret stored by each user reduce.

Based on the above discussion, an OHC&RP-SGKD scheme with a constant storage overhead is proposed, name as the OHC&RP-SGKD scheme 2.

The proposed OHC&RP-SGKD scheme 2, including three phases and two cases, is described as follows.

Phase 1′: Initialization

The GM randomly chooses a 2t-degree polynomial, s1(x) = a0 + a1x + … + a2tx2t, a t-degree polynomial, s2(x) = b0 + b1x + … + btxt, from Fq[x], and a number, å1, from Fq.

Any user Ui in G1 receives the personal secret Si = {å1·s1(i), å1·s2(i)} from the GM via a secure communication channel.

Phase 2′: Broadcast in Session j (1 ≤ jm)

The GM randomly chooses a session key Kj and a number kj0 from Fq.

The j-th key chain, {kj1,kj2,,kjj}, is computed with (8). And the GM splits kjj into two t-degree polynomials, Ujj(x) and Vjj(x), in order that

kjj=Ujj(x)+Vjj(x),j=1,2,,j (13)

The GM constructs and broadcasts the message

Βj=RjRj{Mjj(x)|j=1,2,,j}{Njj(x)|j=1,2,,j}{Ekjj(Kj)|j=1,2,,j} (14)

where

Mjj(x)=Ajj(x)Ujj(x)+εjs1(x) (15)
Njj(x)=Vjj(x)+εjs2(x) (16)

The definitions of Rj, R′j and the structure of revoked polynomials, {Ajj(x)|j=1,2,,j}, are the same as those in Phase 2 of the proposed OHC&RP-SGKD scheme 1.

Phase 3′: Group Session Key Recovery in Session j (1 ≤ jm)

Any legitimate group member Ui in Gjj(jj) can recover the group session key from Bj through following steps.

  • (1)

    Ui computes Ujj(i)=[Mjj(i)εjs1(i)]/Ajj(i) and Vjj(i)=Njj(i)εjs2(i) with (15) and (16), respectively. Thus, kjj=Ujj(i)+Vjj(i).

  • (2)

    Ui computes all of the remaining keys in the j-th key chain, {kjj|j<jj}.

  • (3)

    By decrypting {Ekjj(Kj)|j<jj} with {kjj|j<jj}, Ui recovers {kj″| j′ < j″j}.

Case 1′: Group Member Addition

When a new user, Uv, joins the group in session j, the GM allocates Sv = {åj·s1(v), åj·s2(v)} to it via the secure communication channel. Receiving the personal secret, Uv joins Gj.

The GM and users in Gj launch a key updating process, including Phase 2′ and Phase 3′, to include Uv.

Case 2′: Group Member Revocation

The operation of group member revocation is the same as that described in the Case 2 of the proposed OHC&RP-SGKD scheme 1.

The proposed OHC&RP-SGKD scheme 2 holds all of the advantages described in Section 3.1.2, and also has constant storage overhead for the personal secret of each user.

Along the same lines of the proof of Theorems 1–4, we have the Theorem 5 as follows.

Theorem 5

The scheme presented in Section 3.2.1 is a secure, self-healing key distribution scheme with mt-revocation capability, and achieves mt-wise forward secrecy, any-wise backward secrecy, and mt-wise collusion attack resistance capability.

4. Performance Analysis and Comparisons

The performance comparison, in terms of the storage overhead, the communication overhead, the computation overhead, the forward secrecy, the backward secrecy and the collusion attack resistance capability, is listed in Table 1.

Table 1.

Performance comparison results.

Schemes Storage Overhead for Personal Secret (Bits) Communication Overhead for Updating Session Keys (Bits) Computation Overhead (the Number of Multiplication Operations) Forward Secrecy Backward Secrecy Collusion Attack Resistance
Scheme 3 in [4] (mj + 1)2log2q (mt2 + 2mt + m + t)log2q 2mt2 + 3mtt Yes/t Yes/t Yes/t
Scheme 2 in [5] (mj + 1)log2q (jt2+ jt)log2q (2t + 1)(m + 1) Yes/t Yes/t Yes/t
Scheme 3 in [6] 2(mj + 1)log2q [(m + j + 1)t + (m + 1)]log2q mt + t + 2tj + j Yes/t Yes/t Yes/t
Scheme 3 in [7] (mj + 1)log2q (2t + 1)jlog2q 2j(t2 + t) Yes/t Yes/t Yes/t
Scheme 2 in [8] (mj + 1)log2q (t + 1)jlog2q (3t + 1)j Yes/t Yes/t Yes/t
Scheme in [9] 2log2q (t + j + 1)log2q 2t + 1 No No No
Scheme in [10] (t + 2)log2q (t + 1 + j)log2q 3t + 1 Yes/t No No
Scheme 2 in [11] (t + 2)log2q (t + 1)jlog2q (3t + 1)j Yes/t Yes/t No
Scheme in [20] (t + 2)log2q [(t + 1)v + j]log2q 3t + 1 Yes/mt Yes/any Yes/mt
Proposed OHC&RP-SGKD scheme 1 (mj + 1)log2q [(t + 1)v + j]log2q 2t + 1 Yes/mt Yes/any Yes/mt
Proposed OHC&RP-SGKD scheme 2 2log2q [(3t + 2)v + j]log2q 3t + 1 Yes/mt Yes/any Yes/mt

4.1. The Storage Overhead for the Personal Secret

The storage overhead for the personal secret of each user comes from the initialization phase. In the proposed OHC&RP-SGKD scheme 1, the storage overhead for the personal secret of each user is (mj + 1)log2q bits, which is as same as that of schemes in [5,7,8].

In the proposed OHC&RP-SGKD scheme 2, the storage overhead for the personal secret of each user is 2log2q bits, which is independent of m and t, and much less than that of the proposed OHC&RP-SGKD scheme 1 and other existing schemes in [48,10,11,20].

4.2. The Communication Overhead for Updating Session Keys

The communication overhead for updating session keys comes from Bj. In the proposed OHC&RP-SGKD scheme 1, if there are no users joined in session j′, Φjj'(x) is not included in Bj. Suppose that the joining operation occurs v times during j sessions, Bj consists of a set of revoked users Rj, Rj, v t-degree polynomials, {Φjj'(x)}, and the sequence, {Ekjj'(Kj')|j'=1,2,,j}. The communication overhead for broadcasting Rj and Rj can be ignored because the IDs can be selected from a small finite field [7]. Hence, the size of Bj is about [(t + 1)v + j]log2q bits, which is the same as that of the RP-SGKD scheme in [20], and less than that of existing schemes in [48,11],where v < jm.

In the proposed OHC&RP-SGKD scheme 2, the size of Bj is [(3t + 2)v + j]log2q bits, which is larger than that of the proposed OHC&RP-SGKD scheme 1.

As the assumption in [13], the maximum number of sessions is set to be m = 50. Figure 1 shows the comparison of the maximum broadcast packet size when t varies from 10 to 50. Without loss of generality, q is set to be a 128-bit integer.

Figure 1.

Figure 1.

The comparison of the maximum broadcast packet size.

From Figure 1, we observe that, when v < m, the size of Bj in the proposed OHC&RP-SGKD scheme 1 is smaller than that of schemes in [8,11] and with the same m and t. For example, when m = 50 and t = 50, the broadcast packet sizes of the proposed OHC&RP-SGKD scheme 1 are about 12.734 KB, 20.703 KB, and 28.671 KB for v = 15, 25 and 35, respectively, while the broadcast packet size of schemes in [8,11] is about 39.844 KB. Moreover, the maximum broadcast packet size in the proposed OHC&RP-SGKD scheme 2 is obviously larger than that of the proposed OHC&RP-SGKD scheme 1, especially is larger than that of schemes in [8,11].

Remark: It is necessary to reduce the communication redundancy as possible. Although the communication overhead in the proposed OHC&RP-SGKD scheme 1 increases with the number of sessions, it grows more slowly than that of schemes in [8,11] under same conditions.

On the other hand, although the broadcast packet size of the proposed OHC&RP-SGKD scheme 2 is larger than that of the proposed OHC&RP-SGKD scheme 1, we will prove later that the total communication overhead for updating group session keys and the personal secrets in the proposed OHC&RP-SGKD scheme 2 is smaller.

4.3. Practicality

Many practical issues should be addressed when an SGKD scheme is implemented in a real-world application.

As we know, ZigBee, a protocol designed for low data rate wireless networks, uses the IEEE 802.15.4 physical and MAC layers to provide data transfer. According to the IEEE 802.15.4 protocol [31], the maximum size of MAC layer payload is from 89 to 119 bytes. When the maximum size of MAC layer payload is 89 bytes, the application layer data larger than 89 bytes will be partitioned into blocks.

Due to the unreliable wireless transmission, the maximum broadcast packet size in the SGKD scheme is also limited. Let the maximum broadcast packet size be 4096 bytes (4 KB), which will be partitioned into 46 packets with 89 bytes/packet. If packets are lost independently and randomly at a rate of 1%, the probability that a 4 KB broadcast packet will not reach the destination is 37.01%. If the packet loss rate is 5% (a fairly high), the probability that a 4 KB broadcast packet reaches the destination is only 9.45%. Hence, m should be larger than 10. However, the maximum broadcast packet size is assumed to be 64 KB in most existing SGKD schemes [47], which is not applicable in ZigBee-based wireless networks.

With the limitation of the maximum broadcast packet size, the value of other parameters should be appropriately set for the intended application and compatible with existing network protocols. In SGKD schemes, system parameters affecting the broadcast packet size are the number of sessions (m), the size of the session key (log2q), and the degree of the personal polynomial (t). Without loss of generality, it is assumed that q is a 128-bit integer, and session keys are also 128 bits, which are used in a symmetric cipher, such as AES. The maximum broadcast packet size is set to be 4KB. Symbol [x] represents the operation to round x to the integer downward.

  • (1).

    The proposed OHC&RP-SGKD scheme 1 vs. the scheme in [8]

    The performance of the proposed OHC&RP-SGKD scheme 1 is compared to that of the scheme in [5] because the storage overhead of each user in these two schemes is same, both of them are the RP-SGKD schemes, and the scheme in [8] is the best one among existing collusion-attack-resistance schemes in [48]. Let |Rm|max be the maximum allowed number of revoked users in m sessions.

    Figure 2 shows performance comparison between the proposed OHC&RP-SGKD scheme 1 and the scheme in [8], where Figure 2a is the tradeoff between m and t, and Figure 2b is the tradeoff between m and |Rm|max.

    From Figure 2a, we observe that the proposed OHC&RP-SGKD scheme 1 can support more sessions than the scheme in [8]. In the proposed OHC&RP-SGKD scheme 1, a smaller t can be used to prolong the lifetime of the scheme because users joined the group in different sessions cannot coalesce together. For example, when t = 15 and m = 16, |Rm|max = 15 for the scheme in [8], whereas for the proposed OHC&RP-SGKD scheme 1, when t = 15, m = 44, 28 and 20, |Rm|max = 195, 210 and 210 for v = 0.3 m, 0.5 m and 0.7 m, respectively. And when t = 10, m = 59, 39 and 29, |Rm|max=170, 190 and 200 for v = 0.3 m, 0.5 m and 0.7 m, respectively.

    Moreover, the proposed OHC&RP-SGKD scheme 1 can revoke much more users than that of the scheme in [8]. For example, from Figure 2b, when m = 20, |Rm|max = 11 for the scheme in [8], whereas |Rm|max = 210, 220 and 232 for v = 0.7 m, 0.5 m and 0.3 m, respectively, in the proposed OHC&RP-SGKD scheme 1. Obviously, the proposed OHC&RP-SGKD scheme 1 allows much more revoked users and withstands much more colluding users compared to the scheme in [8].

    In a real-world application, the longer the scheme runs, the more users are revoked. Figure 3 shows the possible lifetime of the proposed OHC&RP-SGKD scheme 1 and the scheme in [8] when two schemes are simulated during 100 sessions.

    From Figure 3, we observe that with small values of m and t, the scheme in [8] will be reset frequently, which leads to the energy and bandwidth consumption. However, in the proposed OHC&RP-SGKD scheme 1, more revoked users and more sessions are allowed, and less resetting of the proposed OHC&RP-SGKD scheme 1 contributes to saving the network energy.

    Therefore, the advantage of the proposed OHC&RP-SGKD scheme 1 is obvious for ZigBee-based wireless networks in bad environment where a strong collusion attack resistance is required and many users need to be revoked.

  • (2).

    The proposed OHC&RP-SGKD scheme 2 vs. the proposed OHC&RP-SGKD scheme 1

    In the proposed OHC&RP-SGKD scheme 1 and other existing RP-SGKD schemes, since the storage overhead at each user increases along with the increase of m or t, the power and bandwidth consumption for re-keying personal secrets will be much large. However, the proposed OHC&RP-SGKD scheme 2 has constant storage overhead of 2log2q bits.

    Figure 4 show the performance comparison of the proposed OHC&RP-SGKD schemes 1 and 2, where Figure 4a is the tradeoff between m and t, and Figure 4b is the tradeoff between m and |Rm|max.

    From Figure 4a,b, we observe that the values of t and m in the proposed OHC&RP-SGKD scheme 2 are smaller than those of the proposed OHC&RP-SGKD scheme 1 under same conditions. However, since the storage overhead for each user in the proposed OHC&RP-SGKD scheme 2 is much less than that of the proposed OHC&RP-SGKD scheme 1, the communication overhead for rekeying the personal secrets in the proposed OHC&RP-SGKD scheme 2 is much less than that in the proposed OHC&RP-SGKD scheme 1.

    Wireless devices are usually powered by battery, and most energy is consumed by the communication module. The main concern of the proposed OHC&RP-SGKD scheme 2 is to reduce the total communication overhead for updating the personal secrets and session keys.

    Suppose that n users maintain membership during m sessions. For the proposed OHC&RP-SGKD scheme 1, the communication overhead for distributing the personal secrets to n users is nmlog2q bits in the initialization phase, and the communication overhead for updating session keys is [(t + 1)v + j]log2q bits in the broadcast phase. After running m sessions, the scheme will be reset and new personal secrets should be re-allocated to each group member. Hence, the total communication overhead for updating session keys and the personal secrets of n users in the proposed OHC&RP-SGKD scheme 1 is
    E(1)={nm(1)+j=1m(1)[(t(1)+1)v+j]}log2q(bits) (17)
    where, m(1) and t(1) denote the session number and the number of revoked users when the proposed OHC&RP-SGKD scheme 1 is reset, respectively.
    In the proposed OHC&RP-SGKD scheme 2, the communication overhead for distributing the personal secrets to n users is 2nlog2q bits, and the communication overhead for updating session keys is [(3t + 2)v + j]log2q bits. Thus, the total communication overhead is
    E(2)={2n+j=1m(2)[(3t(2)+2)v+j]}log2q(bits) (18)
    where, m(2) and t(2) denote the session number and the number of revoked users when the proposed OHC&RP-SGKD scheme 2 is reset, respectively.

    According to the results of Figure 4, when v = 0.5 m, m(1) = 22, t(1) = 20, m(2) = 14, t(2) = 10. Hence, after running 154 sessions, the proposed OHC&RP-SGKD scheme 1 is reset seven times and the proposed OHC&RP-SGKD scheme 2 is reset 11 times. Hence, during the 154 sessions, the decrement of the total communication overhead for updating session keys and the personal secrets in the proposed OHC&RP-SGKD schemes 1 and 2 is ΔE = E(1)E(2) = 232.72 KB when n = 100.

    Hence, the proposed OHC&RP-SGKD scheme 2 has less storage and total communication overheads, and is therefore quite suitable for resource-constrained wireless networks.

Figure 2.

Figure 2.

The performance comparison between the proposed one-way hash chain and revocation polynomial-based self-healing group key distribution (OHC&RP-SGKD) scheme 1 and the scheme in [8]. (a) The tradeoff between m and t; (b) The tradeoff between m and |Rm|max.

Figure 3.

Figure 3.

The possible lifetime in 100 sessions.

Figure 4.

Figure 4.

The performance comparison of the proposed one-way hash chain and revocation polynomial-based self-healing group key distribution (OHC&RP-SGKD) schemes 1 and 2. (a) The tradeoff between m and t; (b) The tradeoff between m and |Rm|max.

5. Conclusions

To solve the collusion attack problem in existing HC-SGKD schemes, eliminate the limitation of the maximum allowed number of revoked users on the maximum allowed number of sessions, and improve the security and efficiency of existing RP-SGKD schemes, we proposed two improved SGKD schemes using the one-way hash chain and the revocation polynomial for resource-constrained wireless networks in this paper. In the proposed OHC&RP-SGKD schemes, by introducing the unique session identifier and binding the joining time with the capability for recovering previous session keys, the problem of the collusion attack between revoked and new joined users in existing HC-SGKD schemes is resolved. And novel methods for utilizing the one-way hash chain and constructing the personal secret, the revocation polynomial and the key updating broadcast packet are presented to eliminate of the limitation of the maximum allowed number of revoked users on the maximum allowed number of sessions, increase the maximum allowed number of revoked users, and reduce the redundancy in the key updating broadcast packet.

With the security and performance analysis, we concluded the proposed improved OHC&RP-SGKD schemes as follows.

  • (1)

    In the proposed OHC&RP-SGKD scheme 1, the impact of t on m is eliminated and the maximum allowed number of sessions is enlarged. In the proposed OHC&RP-SGKD scheme 2, the storage overhead for the personal secret in each user is constant, 2log2q bits, and a better tradeoff between the storage overhead and the total communication overhead is also achieved.

  • (2)

    Two proposed improved OHC&RP-SGKD schemes are secure, achieve mt-revocation capability, mt-wise forward secrecy, any-wise backward secrecy, and mt-wise collusion attack resistance capability.

  • (3)

    The communication overhead of the proposed OHC&RP-SGKD schemes is lower compared to existing RP-SGKD schemes.

  • (4)

    Simulation results show that the proposed OHC&RP-SGKD schemes are practical for resource-constrained wireless networks in bad environments where a strong collusion attack resistance is required and many users should be revoked.

For an SGKD scheme, a challenging problem is how to achieve a better tradeoff between the storage overhead and the communication overhead. Since the key updating broadcast packet in the proposed OHC&RP-SGKD scheme 2 is still large, we will focus on reducing the communication overhead in the future work.

Acknowledgments

This work is partly supported by National Natural Science Foundation of China (No. 61071127, No. 61471318), and National High Technology Research and Development Program (863) of China (No. 2012AA090901), and the Fundamental Research Funds for the Central Universities.

Appendix

Table A1.

Notations.

Notations Denotations
Ui the i-th user
N the total number of users in a communication group
m the maximum allowed number of sessions
t the maximum allowed number of revoked users
j, j′, j″ the order of a session
v the number of sessions with new joined user(s) during m sessions, v < m
Fq a finite field of order q, and q is a prime larger than N
Si the personal secret of Ui
Bj the key updating broadcast packet in session j
Kj the session key generated by the GM for session j
H(X) the entropy of the random variable X
H(X|Y) the entropy of X conditioned on Y
h(·) the random one-way function used to compute the one-way key chain
hi(·) applying hash operation i times
Ek(.)/Dk(.) a symmetric encryption/decryption function
åj the unique session identifier, a random number selected by the GM for users joined the group in session j, åjFq and εj1 ≠ εj2 for j1j2
kj0
the seed of the j-th key chain randomly selected by the GM for session j, kj0ϵFq, and kj10kj20 for j1j2
kjj'
the j′-th key in the j-th key chain
Ajj'(x)
the revoked polynomial constructed by the GM with the IDs of users joined the group in session j′ and be revoked before or in session j, and j′j
Rjj'
the set of users joined the group in session j′ and be revoked before or in session j, and j′j
|Rjj'|
the number of users in Rjj'
Rj the set of users be revoked before and in session j, and Rj={Rj1,Rj2,,Rjj}
|Rj| the number of users in Rj
Dj the set of users joined the group in session j
Dj the set of users joined the group after session j, and Dj = {Dj+1, Dj+2, …, Dm}
Gjj'
the set of group members who join the group in session j′ and are still legitimate in session j, and j′j
Gj the set of all legitimate group members in session j, and Gj={Gj1,Gj2,,Gjj}

Author Conrtibutions

Huifang Chen and Lei Xie proposed two improved OHC&RP-SGKD schemes, analyzed and compared the performance; Lei Xie contributed the simulation results and figures; Huifang Chen wrote the manuscript.

Conflicts of Interest

The authors declare no conflict of interest.

References

  • 1.Tian B., Han S., Parvin S., Hu J., Das S. Self-healing key distribution schemes for wireless networks: A survey. Comput. J. 2011;54:549–569. [Google Scholar]
  • 2.Wang Q. Practically analysis of the self-healing group key distribution schemes for resource-constrained wireless sensor networks. Proceedings of the 2011 International Conference on Communications and Mobile Computing (CMC 2011); Qingdao, China. 18–20 April 2011; pp. 37–40. [Google Scholar]
  • 3.Rams T., Pacyna P. A survey of group key distribution schemes with self-healing property. IEEE Commun. Surv. Tutor. 2013;15:820–842. [Google Scholar]
  • 4.Staddon J., Miner S., Franklin M., Balfanz D., Malkin M., Dean D. Self-healing key distribution with revocation. Proceedings of the 2002 IEEE Symposium on Security and Privacy (SSP 2002); Oakland, CA, USA. 12–15 May 2002; pp. 241–257. [Google Scholar]
  • 5.Liu D., Ning P., Sun K. Efficient self-healing group key distribution with revocation capability. Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS′03); Washington, DC, USA. 27–30 October 2003; pp. 27–31. [Google Scholar]
  • 6.Blundo C., D'Arco P., Santis A. Definitions and bounds for self-healing key distribution. LNCS. 2004;3142:234–245. [Google Scholar]
  • 7.Blundo C., D'Arco P., Santis A., Listo M. Design of self-healing key distribution schemes. Des. Codes Cryptogr. 2004;32:15–44. [Google Scholar]
  • 8.Hong D., Kang J. An efficient key distribution scheme with self-healing property. IEEE Commun. Lett. 2005;9:759–761. [Google Scholar]
  • 9.Dutta R., Chang E., Mukhopadhyay S. Constant storage self-healing key distribution with revocation in wireless sensor network. Proceedings of IEEE International Conference on Communications (ICC 2007); Glasgow, Scotland. 24–28 June 2007; pp. 1323–1332. [Google Scholar]
  • 10.Dutta R., Mukhopadhyay S. Improved self-healing key distribution with revocation in wireless sensor network. Proceedings of the 2007 IEEE Wireless Communications and Networking Conference (WCNC 2007); Hong Kong, China. 11–15 March 2007; pp. 2963–2968. [Google Scholar]
  • 11.Dutta R., Mukhopadhyay S. Designing scalable self-healing key distribution schemes with revocation capability. LNCS. 2007;4742:419–430. [Google Scholar]
  • 12.Dutta R., Mukhopadhyay S., Emmanuel S. Low bandwidth self-healing key distribution for broadcast encryption. Proceedings of the 2nd Asia International Conference on Modeling and Simulation (ICOMS-2008); Kuala Lumpur, Malaysia. 13–15 May 2008; pp. 867–872. [Google Scholar]
  • 13.Song H., Tian B., He M. Efficient threshold self-healing key distribution with sponsorization for infrastructureless wireless networks. IEEE Trans. Wirel. Commun. 2009;8:1876–1887. [Google Scholar]
  • 14.Kausar F., Hussain S., Park J.H. Secure group communication with self-healing and rekeying in wireless sensor networks. LNCS. 2007;4864:737–748. [Google Scholar]
  • 15.Dutta R., Change E.C., Mukhopadhyay S. Efficient self-healing key distribution with revocation for wireless sensor networks using one way key chains. Proceedings of the 5th International Conference on Applied Cryptography and Network Security (ACNS 2007); Zhuhai, China. 5–8 June 2007; pp. 385–400. [Google Scholar]
  • 16.Yang Y., Zhou J., Deng R., Bao F. Computationally secure hierarchical self-healing key distribution for heterogeneous wireless sensor networks. LNCS. 2009;5927:135–149. [Google Scholar]
  • 17.Jiang Y., Lin C., Shi M. Self-healing group key distribution with time-limited node revocation for wireless sensor networks. Ad Hoc Netw. 2007;5:14–23. [Google Scholar]
  • 18.Du C., Zhang H., Hu M. Anti-collusive self-healing key distribution scheme with revocation capability. Inf. Technol. J. 2009;8:619–624. [Google Scholar]
  • 19.Dutta R., Mukhopadhyay S., Dowling T. Trade-off between collusion resistance and user life cycle in self-healing key distributions with t-revocation. Proceedings of the 2nd International Conference on the Applications of Digital Information and Web Technologies (ICADIWT 2009); London, UK. 4–6 August 2009; pp. 603–608. [Google Scholar]
  • 20.Wang Q., Chen H., Xie L., Wang K. One-way hash chain-based self-healing group key distribution scheme with collusion resistance capability in wireless sensor networks. Ad Hoc Netw. 2013;11:2500–2511. [Google Scholar]
  • 21.Muhammad J., Miri A. Self-healing in group key distribution using subset difference method. Proceedings of the 3rd IEEE International Symposium on Network Computing and Applications (NCA 2004); Boston, MA, USA. 30 August–1 September 2004; pp. 405–408. [Google Scholar]
  • 22.Tian B., Chang E., Dillon T.S., Han S., Hussain F.K. An authenticated self-healing key distribution scheme based on bilinear pairings. Proceedings of the 6th IEEE Consumer Communications and Networking Conference (CCNC 2009); Las Vegas, NV, USA. 10–13 January 2009; pp. 1–5. [Google Scholar]
  • 23.Tian B., Han S., Dillon T.S. A self-healing and mutual-healing key distribution scheme using bilinear pairings for wireless networks. Proceedings of the 6th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC 2008); Shanghai, China. 17–20 December 2008; pp. 208–215. [Google Scholar]
  • 24.Tian B., Han S., Dillon T.S., Das S. A self-healing key distribution scheme based on vector space secret sharing and one way hash chains. Proceedings of the 9th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM2008); New Port Beach, CA, USA. 23–27 June 2008; pp. 1–6. [Google Scholar]
  • 25.Wang Z., Ma M. A collusion-resilient self-healing key distribution scheme for wireless sensor networks. Proceedings of the 2012 IEEE International Conference on Communications (ICC 2012); Ottawa, ON, Canada. 10–15 June 2012; pp. 566–570. [Google Scholar]
  • 26.Rams T., Pacyna P. Long-lived self-healing group key distribution scheme with backward secrecy. Proceedings of the 2013 Conference on Networked Systems (NetSys 2013); Stuttgart, Germany. 11–15 March 2013; pp. 59–65. [Google Scholar]
  • 27.Zou X., Dai Y. A robust and stateless self-healing group key management scheme. Proceedings of the 2006 IEEE International Conference on Communication and Technology (ICCT 2006); Guilin, China. 27–30 November 2006; pp. 1–4. [Google Scholar]
  • 28.Tian B., Han S., Dillon T.S. An efficient self-healing key distribution scheme. Proceedings of the 2nd IFIP International Conference on New Technologies, Mobility and Security (NTMS 2008); Tangier, Morocco. 5–7 November 2008; pp. 1–5. [Google Scholar]
  • 29.Dutta R., Wu Y., Mukhopadhyay S., Dowling T. Enhanced access polynomial based self-healing key distribution. Secur. Emerg. Wirel. Commun. Netw. Syst. 2010;42:13–24. [Google Scholar]
  • 30.Wang Q., Chen H., Xie L., Wang K. Access-polynomial-based self-healing group key distribution scheme for resource-constrained wireless networks. Secur. Commun. Netw. 2012;5:1363–1374. [Google Scholar]
  • 31.LAN MAN Standards Committee of the IEEE Computer Society . Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (LR-WPANs), IEEE Std 802.15.4–2003ed. IEEE; New York, NY, USA: 2003. [Google Scholar]

Articles from Sensors (Basel, Switzerland) are provided here courtesy of Multidisciplinary Digital Publishing Institute (MDPI)

RESOURCES