# A Self-healing Key Distribution Scheme for Mobile Ad Hoc Networks

## Abstract

Group communication in mobile Ad Hoc network (MANET), because of its special characteristics of large-scale mobile nodes, frequent change and update of group members relationship, open and unstable communication channel and high rate of packets loss, making secure group communication in MANET face many security threats, so how to realize secure communication between mobile nodes and how to establish secure session keys shared between mobile nodes has been the focus of MANET. Aimed at the problem mentioned above, a group key distribution scheme based on three hash chains is proposed for MANET. This scheme introduces a self-healing hash chain based on Dual Directional Hash Chain(DDHC), when a node is revoked, the corresponding self-healing hash value will be replaced by a new random value, so that revoked nodes can not realize collusion attack with the newly added node; This scheme also takes into account the high rate of packet loss in MANET, and realizes self-healing property. The security and performance analysis shows that the scheme can meet the security requirements of group communication for MANET, and it has the characteristics of dynamic revocation and resists collusion. The scheme also reduces the storage overhead and the communication load to a large extent, and can meet the performance requirements of group communication for MANET.

## Keywords

Mobile ad hoc network, group key distribution, dual directional hash chain, self-healing, collusion resistance

## 1 Introduction

A MANET is a multi-hop temporary autonomous system consisting of a set of mobile nodes with wireless transceivers. Unlike traditional networks that rely on a communications infrastructure, all mobile nodes in a MANET assume both communication and routing responsibilities, and all mobile nodes are equal, without a central control organization [20]. The nodes move into and out of range dynamically, so the topology of the network changes dynamically. These features give MANET applications their flexibility, but they also raise many challenges. It is therefore necessary to encrypt and authenticate the messages in the communication, so that adversaries cannot intercept, tamper with, or even partially interrupt the communication. A group key can be used to establish secure communication over an unreliable channel in a MANET.

In this paper, we propose a self-healing group key distribution scheme with dynamic revocation and collusion resistance. Our scheme is based on a Dual Directional Hash Chain, so it keeps both forward secrecy and backward secrecy. We introduce a self-healing hash chain to resist collusion between a newly joined mobile node and a revoked mobile node. In addition, our scheme can revoke nodes during a session, whereas the previous schemes based on hash chains cannot fully overcome this flaw.

Key management is one of the core technologies for realizing mobile ad hoc network security with cryptographic techniques [13]. The self-healing key distribution scheme was first proposed by Staddon et al. in [9], based on information entropy theory. It was initially designed for unreliable networks, to ensure the establishment and updating of session keys and to improve the usability of the system in harsh communication environments. Liu et al. first proposed an efficient self-healing key distribution scheme based on revocation polynomials [8]. Dutta and Mukhopadhyay proposed an efficient computationally secure solution based on the combination of a forward hash chain and a reverse hash chain [4], which greatly reduces the resource cost, yet the scheme leads to session keys being exposed [3, 16, 17]. Dutta and Mukhopadhyay further replaced the *m* mask polynomials with a bivariate t-degree polynomial [5], reducing the communication overhead and storage overhead to \(O((t+1)\ log\ q)\). However, the scheme is still flawed and cannot resist collusion attacks. To prevent collusion attacks, Du et al. introduced a secret random number for each session [2]; the scheme is secure as long as the attacker cannot obtain these secret random numbers. Wang et al. proposed a self-healing key distribution scheme based on the revocation polynomial [15], which solves the collusion attack problem by binding a node's joining time to its capability for recovering previous group session keys. Chen et al. solved the collusion attack problem [1] by introducing a unique session identifier and binding the joining time to the capability of recovering previous session keys.

Zou et al. proposed the first key distribution scheme based on the access polynomial [21]. Tian et al. proposed a simpler and more efficient key distribution scheme based on access polynomials [11], but this scheme was later proved to be insecure. Yuan et al. proposed unconditionally secure key distribution schemes based on access polynomials [18, 19], but these schemes only apply to specific groups. Wang et al. proposed a novel self-healing group key distribution scheme based on the access polynomial [14], which achieves the self-healing property by binding the joining time to the capability of recovering previous session keys; however, Guo et al. proved that the scheme does not have forward secrecy [6]. Sun et al. proposed two improved self-healing key distribution schemes with broadcast authentication based on access polynomials [10], which further improved the ability to resist collusion attacks. Guo et al. proposed two self-healing group key distribution schemes based on exponential arithmetic, and introduced a novel broadcast method to reduce the storage cost and communication cost [7].

## 2 Preliminaries

A one-way hash function *H*(*x*) satisfies the following conditions:

- (1) *Unidirectional:* Let \(H:A\rightarrow B\) be a one-way hash function. Given \(x\in A\), it is easy to compute \(y=H(x)\); but given \(y\in B\), it is computationally infeasible to compute an \(x\in A\) with \(H(x)=y\).
- (2) *Weak collision resistance:* Let \(H:A\rightarrow B\) be a one-way hash function. Given \(x\in A\), it is computationally infeasible to compute \(x'\in A\), \(x'\ne x\), with \(H(x')=H(x)\).
- (3) *Strong collision resistance:* Let \(H:A\rightarrow B\) be a one-way hash function. It is computationally infeasible to compute \(x\), \(x'\in A\), \(x'\ne x\), with \(H(x')=H(x)\).

The KDC randomly picks two key seeds *FK* and *BK* from the finite field \(\mathbb {F}_q\), then repeatedly applies the same one-way function *H*(*x*) to each key seed to produce two hash chains of equal length *m*. So, the DDHC is defined as follows:

A self-healing group key distribution scheme for MANET should satisfy the following security requirements:

- (1) *Key confidentiality*: A mobile node that is not a member of the group has no access to the keys that decrypt the data broadcast to the group.
- (2) *Forward secrecy*: For the set \(R_j\) of mobile nodes revoked before session *j*, it is computationally infeasible for the mobile nodes \(u_i\in R_j\), colluding together, to recover any of the subsequent session keys \(SK_j, SK_{j+1}, \cdots ,SK_m\), even with knowledge of the keys \(SK_1\), \(SK_2\), \(\cdots \), \(SK_{j-1}\).
- (3) *Backward secrecy*: For the set \(J_j\) of new mobile nodes joined after session *j*, it is computationally infeasible for the mobile nodes \(u_i\in J_j\), colluding together, to recover any of the past session keys \(SK_1\), \(SK_2\), \(\cdots \), \(SK_j\), even with knowledge of the keys \(SK_{j+1}\), \(SK_{j+2}\), \(\cdots \), \(SK_m\).
- (4) *Collusion resistance*: Given any set \(R_i\) of mobile nodes revoked before session *i* and any set \(J_j\) of new mobile nodes joined after session *j*, \(i<j\), it is computationally infeasible for a colluding coalition \(R_i\cup J_j\) to recover any of the keys \(SK_i\), \(SK_{i+1}\), \(\cdots \), \(SK_{j-1}\) between session *i* and session *j*.
- (5) *Revocation capability*: Illegal mobile nodes are removed from the current group in time once the detection system detects them.

## 3 Proposed scheme

A session key *SK* is shared with the group members in the group communication. The lifetime of the group communication is divided into *m* sessions, where a session is a fixed interval of time denoted as \(T_r\); the \(j^{th}\) session is represented by \(s_j\), and the session key of the \(j^{th}\) session is \(SK_j\). The scheme consists of six parts: initialization, key update, key recovery, adding or revoking group members, the self-healing mechanism and the re-initialization mechanism. The basic process is shown in Fig. 1.

### 3.1 Initialization

Let *t* be a positive integer. KDC first randomly chooses a bivariate *t*-degree polynomial *h*(*x*, *y*) from a small finite field \(\mathbb {F}_q [x,y]\):

Using *h*(*x*, *y*), KDC assigns a polynomial \(h(u_i,y)\) to each mobile node \(u_i\) as its mask polynomial.

KDC randomly picks the forward key seed *FK*, the backward key seed *BK* and the self-healing hash seed *SH* from \(\mathbb {F}_q\). Then KDC generates three hash chains: \(fk^j=H^j(FK),\ bk^j=H^{m-j+1}(BK),\ sh_j=H_1^j(SH)\), where the DDHC is built with the hash function *H*(*x*) and the self-healing hash chain is built with the hash function \(H_1(x)\).

### 3.2 Key Update

At the beginning of each session, KDC constructs a revocation set *R* that stores the revoked mobile nodes and a set *U* that stores the non-revoked mobile nodes. Let \(R_j\) be the set of all mobile nodes revoked in \(s_j\), with \(R=R_1\cup R_2 \cdots \cup R_j\), and let \(U_j=\{u_1,u_2,\cdots ,u_n\}\) be the set of all legal mobile nodes in \(s_j\).

### 3.3 Key Recovery

The session key consists of three parts: \(fk^j\), \(bk^j\) and \(sh_j\). \(fk^j\) is secretly assigned to each legal mobile node in the initialization phase, and \(sh_j\) is updated at the beginning of each session.

### 3.4 Add or Revoke Group Members

**Add group members:** When a node \(u_i\) wants to join the communication group and to be legal from \(s_i\) to \(s_j\), \(u_i\) first gets in touch with KDC. After verifying its identity, KDC encrypts and sends the session key parameters to \(u_i\) via the secure communication channel:

**Revoke group members:** Assuming that a mobile node is captured by the attacker during \(s_j\), KDC immediately broadcasts an \(R_{rekeying}\) key update message to revoke the captured mobile node:

### 3.5 Self-healing Mechanism

Suppose mobile node \(u_i\) whose lifetime is from \(s_{j_1}\) to \(s_{j_2}\) receives broadcast message \(B_{j_1}\) in \(s_{j_1}\) and broadcast message \(B_{j_2}\) in \(s_{j_2 }\), but not message \(B_j\) for \(s_j\), where \(1\le j_1<j<j_2\le m\), \(u_i\) can recover the lost session key \(SK_j\) as follows:

Firstly, \(u_i\) can obtain \(fk^j\) and \(bk^j\) as a non-revoked mobile node.

Secondly, \(u_i\) can recover \(sh_{j_1}\) as a non-revoked mobile node, and then recovers \(sh_j\) as follows. If no mobile node is revoked from \(s_{j_1}\) to \(s_{j_2}\), \(u_i\) repeatedly applies the hash function \(H_1(x)\) to \(sh_{j_1}\) to obtain the self-healing hash value \(sh_j\). Otherwise, \(u_i\) can still recover \(sh_j\). For example, suppose a mobile node is revoked in \(s_{j'}\), where \(j_1<j'<j<j_2\). Then \(u_i\) recovers the self-healing hash value \(sh_{j'}^{'}\) from the recovery polynomial \(\psi _{j'}(x)\) in broadcast message \(B_{j_2}\), and repeatedly applies the hash function \(H_1 (x)\) to \(sh_{j'}^{'}\) to obtain \(sh_j\).

Thirdly, \(u_i\) computes the lost session key \(SK_j=fk^j+sh_j\times bk^j\).

### 3.6 Re-initialization Mechanism

If the lifetime of the communication group ends, the group must re-initialize and assign the key materials for all legal mobile nodes.

## 4 Security Analysis

### Theorem 1:

The scheme is a session key with privacy and achieves self-healing with revocation capability.

### Proof:

(1) The scheme is a session key with privacy: For a non-revoked mobile node \(u_i\) in \(s_j\), \(SK_j\) is determined by \(fk^j\), \(bk^j\) and \(sh_j\). \(fk^j\) is assigned to the non-revoked mobile node when the node joins the communication group. \(bk^j\) can only be recovered by non-revoked mobile nodes at the beginning of each session. Even if a revoked mobile node obtains \(fk^j\) and \(bk^j\), \(sh_j\) is updated immediately when a mobile node is revoked, so the revoked node cannot recover \(sh_j\). Thus, it is impossible for any mobile node to obtain the session key from \(fk^j\) and \(bk^j\) alone, or from \(sh_j\) alone.

(2) Self-healing: As described in Sect. 3.5, a non-revoked mobile node can recover a lost session key from the self-healing hash value and the recovery polynomial.

(3) Revocation capability: In the scheme, the session key is updated in two ways: periodically, and whenever a mobile node is revoked. The periodic update prevents the session key from being cracked because it has been in use for too long. The dynamic revocation mechanism ensures that a revoked mobile node is removed from the communication group in time, avoiding further damage to the system. Let *R* be the set of all mobile nodes revoked in and before \(s_j\). For a mobile node \(u_i\in R\), the access polynomial \(v_j(u_i)\) is always zero, so \(u_i\) cannot recover \(bk^j\) from the broadcast polynomial \(b_j(u_i)\); moreover, once the mobile node \(u_i\) is revoked, the self-healing hash value \(sh_j\) is replaced by a random value \(sh_j'\), which \(u_i\) cannot obtain. Because \(u_i\) can obtain neither \(bk^j\) nor \(sh_j'\), it is infeasible for \(u_i\) to recover the session key \(SK_j\).

### Theorem 2:

The scheme achieves forward security and backward security.

### Proof:

(1) Forward security: Let *R* be the set of all mobile nodes revoked in and before \(s_k\). Consider a mobile node \(u_i\in R \) whose lifetime is from \(s_{start}\) to \(s_{end}\). We analyze forward security in two scenarios.

In the first scenario, \(s_{start}<s_k\le s_{end}\), which means that \(s_k\) lies in the lifetime of \(u_i\), so \(u_i\) can obtain \(fk^k\). If \(u_i\) is revoked before \(s_k\), \(u_i\) cannot recover \(bk^k\) or \(sh_k\), so \(u_i\) cannot recover \(SK_k\). If \(u_i\) is revoked in \(s_k\), \(u_i\) can recover \(bk^k\), but \(sh_k\) is replaced by a new random value \(sh_k'\) when \(u_i\) is revoked; \(u_i\) cannot recover \(sh_k'\), so \(u_i\) cannot recover \(SK_k\).

In the second scenario, \(s_k>s_{end}\), \(u_i\) could only obtain \(fk^k\) and cannot recover \(bk^k\) or \(sh_k\). Thus \(u_i\) cannot recover \(SK_k\). As a result, the scheme achieves forward security.

(2) Backward security: Suppose \(u_i\) joins the communication group in \(s_j\). For \(s_k<s_j\), \(u_i\) could only recover \(bk^k\), and cannot obtain \(fk^k\) or \(sh_k\). Moreover, even if it holds the broadcast message corresponding to \(s_k\), it cannot compute the mask polynomial \(h(u_i,fk^k)\). Thus \(u_i\) cannot recover \(SK_k\). As a result, the scheme achieves backward security.

### Theorem 3:

The scheme resists collusion of revoked mobile nodes and newly joined mobile nodes.

### Proof:

Suppose the mobile node \(u_i\) is revoked in \(s_i\) and the mobile node \(u_j\) joins the group in \(s_j\), where \(s_i<s_j\). \(u_i\) and \(u_j\) can collude to obtain the values of the DDHC from \(s_i\) to \(s_j\). The self-healing hash chain is a forward hash chain in the scheme: \(sh_i\) is replaced by a new random value \(sh_i'\) when \(u_i\) is revoked, and subsequent self-healing hash values are computed from \(sh_i'\), that is, \(sh_j=H_1^{j-i} (sh_i')\). It is computationally infeasible to compute \(sh_{j-1}\) even with \(sh_j\) in hand. Therefore, even if the revoked mobile node colludes with the newly joined mobile node, they cannot obtain session keys beyond their lifetimes. As a result, the scheme resists collusion of revoked mobile nodes and newly joined mobile nodes.
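The following is an added example, not code from the paper: a toy model of the three hash chains from Sect. 3.1, the session key \(SK_j=fk^j+sh_j\times bk^j\) (mod q), the re-randomisation of the self-healing chain on revocation, the self-healing recovery of Sect. 3.5 and the collusion check of Theorem 3. The polynomial broadcast (\(b_j\), \(\psi_{j'}\), the access and mask polynomials) is not modelled: a node is simply handed the chain values it is entitled to. The modulus, the SHA-256-based instantiations of \(H\) and \(H_1\), and all session numbers are assumptions for illustration.

```python
import hashlib
import secrets

Q = (1 << 61) - 1  # assumed prime modulus for F_q (illustration only)


def H(x: int) -> int:  # hash used for the DDHC (assumed: SHA-256 reduced mod q)
    return int.from_bytes(hashlib.sha256(b"H|%d" % x).digest(), "big") % Q


def H1(x: int) -> int:  # hash used for the self-healing chain (assumed, domain-separated)
    return int.from_bytes(hashlib.sha256(b"H1|%d" % x).digest(), "big") % Q


def iterate(h, x: int, n: int) -> int:
    """Apply h n times, i.e. h^n(x)."""
    for _ in range(n):
        x = h(x)
    return x


class KDC:
    def __init__(self, m: int):
        self.m = m
        FK, BK, SH = (secrets.randbelow(Q) for _ in range(3))
        # fk^j = H^j(FK), bk^j = H^{m-j+1}(BK), sh_j = H1^j(SH), for j = 1..m
        self.fk = {j: iterate(H, FK, j) for j in range(1, m + 1)}
        self.bk = {j: iterate(H, BK, m - j + 1) for j in range(1, m + 1)}
        self.sh = {j: iterate(H1, SH, j) for j in range(1, m + 1)}

    def session_key(self, j: int) -> int:
        return (self.fk[j] + self.sh[j] * self.bk[j]) % Q

    def revoke(self, j: int) -> int:
        """Revocation in s_j: sh_j is replaced by a fresh random sh_j' and the
        rest of the self-healing chain is recomputed from it."""
        self.sh[j] = secrets.randbelow(Q)
        for k in range(j + 1, self.m + 1):
            self.sh[k] = H1(self.sh[k - 1])
        return self.sh[j]


def self_heal(fk_j1, j1, bk_j2, j2, sh_s, s, j):
    """Sect. 3.5: a node alive from s_{j1} to s_{j2} that missed B_j derives
    fk^j from fk^{j1} (forward chain), bk^j from bk^{j2} (backward chain) and
    sh_j from the latest self-healing value it holds: sh_s with s = j1 if no
    node was revoked, or the replaced value sh_{j'}' (from psi_{j'} in B_{j2})."""
    fk_j = iterate(H, fk_j1, j - j1)
    bk_j = iterate(H, bk_j2, j2 - j)
    sh_j = iterate(H1, sh_s, j - s)
    return (fk_j + sh_j * bk_j) % Q


def scenario(m=10, j1=2, jr=4, j=6, j2=8):
    """Constructed run: u_a lives s_{j1}..s_{j2} and misses B_j; u_r is
    revoked in s_{jr}; u_new joins in s_{j2}. Returns (healed key correct,
    number of session keys in [jr, j2) the coalition u_r + u_new guessed)."""
    kdc = KDC(m)
    sh_stale = kdc.sh[jr]      # pre-revocation sh_{jr} still held by u_r
    fk_r = kdc.fk[jr]          # DDHC forward value u_r obtained legitimately
    sh_new = kdc.revoke(jr)    # sh_{jr}' delivered to non-revoked nodes only
    healed = self_heal(kdc.fk[j1], j1, kdc.bk[j2], j2, sh_new, jr, j)
    # Theorem 3: the coalition pools fk^k (from u_r) and bk^k (from u_new's
    # bk^{j2}) for every k in [jr, j2), but only has the stale sh_{jr}.
    hits = 0
    for k in range(jr, j2):
        fk_k = iterate(H, fk_r, k - jr)
        bk_k = iterate(H, kdc.bk[j2], j2 - k)
        guess = (fk_k + iterate(H1, sh_stale, k - jr) * bk_k) % Q
        hits += guess == kdc.session_key(k)
    return healed == kdc.session_key(j), hits
```

Running `scenario()` returns `(True, 0)`: the honest node heals the missed key, while the coalition holding every DDHC value between revocation and join recovers none of the session keys, because the self-healing chain was re-seeded at revocation.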

## 5 Performance analysis

To evaluate the performance of the proposed scheme, we compare the communication overhead and storage overhead of our scheme with those of the previous self-healing key distribution schemes based on hash chains. The comparison results are shown in Table 1. The storage overhead of a non-revoked mobile node with lifetime from \(s_i\) to \(s_j\) is shown in Table 2; the total storage overhead of a non-revoked mobile node is \((t+4)\ log\ q\) bits.

In session \(s_j\), the broadcast message \(B_j\) consists of the *t*-degree broadcast polynomial \(b_j(x)\), *v* *t*-degree recovery polynomials \(\psi _{j'}(x)\), the set \(U_j\) and the revocation set *R*. The communication overhead of the set \(U_j\) and the revocation set *R* can be ignored because the mobile node identifiers can be selected from a small finite field \(\mathbb {F}_q\). Therefore, the total communication overhead of our scheme is \((v+1)(t+1)\ log\ q\) bits, where \(0\le v<j\le m\).

Table 1. Comparison of self-healing key distribution schemes based on hash chains

Schemes | Storage overhead \((log\,\, q)\) | Communication overhead \((log \,\, q)\) | Revocation capability | Collusion resistance | Robustness
---|---|---|---|---|---
Scheme 3 of [5] | \((t+1)\) | \((t+1)\) | \(\surd \) | \(\times \) | \(\times \)
Scheme of [2] | \((2s_j-2s_i+4)\) | \((t+(1+m)/2)\) | \(\surd \) | incomplete | \(\times \)
Scheme of [7] | \((2m+1)\) | \((2t+1)\) | \(\surd \) | incomplete | \(\times \)
Scheme of [12] | \((2s_j-2s_i+6)\) | \((t+l+1)\) | \(\surd \) | \(\surd \) | \(\surd \)
Proposed scheme | \((t+4)\) | \((v+1)(t+1)\) | \(\surd \) dynamic | \(\surd \) | \(\surd \)

Table 2. Storage overhead of key material

Key material | Storage space \((log\ q)\)
---|---
The seeds of hash chains \(fk^i\), \(sh_i\) | 2
Masking polynomial \(h(u_i,fk^i)\) | \((t+1)\)
Session length \(T_r\) | 1

## 6 Conclusion

A self-healing group key distribution scheme with dynamic revocation and collusion resistance is proposed in this paper. The scheme is based on DDHC to ensure the forward security and backward security of the session key. To handle packet loss, the scheme introduces a self-healing hash chain that lets a non-revoked mobile node recover a lost session key. At the same time, the scheme has small storage and communication overheads and can be applied to resource-constrained MANET communication.

## References

- 1. Chen, H., Xie, L.: Improved one-way hash chain and revocation polynomial-based self-healing group key distribution schemes in resource-constrained wireless networks. Sensors **14**(12), 24358–24380 (2014)
- 2. Du, C., Hu, M., Zhang, H., Zhang, W.: Anti-collusive self-healing key distribution scheme with revocation capability. Inf. Technol. J. **8**(4), 619–624 (2009)
- 3. Du, W., He, M.: Self-healing key distribution with revocation and resistance to the collusion attack in wireless sensor networks. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 345–359. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88733-1_25
- 4. Dutta, R., Mukhopadhyay, S.: Improved self-healing key distribution with revocation in wireless sensor network. In: Wireless Communications and Networking Conference, pp. 2963–2968. IEEE (2007)
- 5. Dutta, R., Mukhopadhyay, S., Collier, M.: Computationally secure self-healing key distribution with revocation in wireless ad hoc networks. Ad Hoc Netw. **8**(6), 597–613 (2010)
- 6. Guo, H., Zheng, Y.: On the security of a self-healing group key distribution scheme. Wirel. Pers. Commun. **91**(3), 1109–1121 (2016)
- 7. Guo, H., Zheng, Y., Zhang, X., Li, Z.: Exponential arithmetic based self-healing group key distribution scheme with backward secrecy under the resource-constrained wireless networks. Sensors **16**(5), 609 (2016)
- 8. Liu, D., Ning, P., Sun, K.: Efficient self-healing group key distribution with revocation capability. In: ACM Conference on Computer and Communications Security, pp. 231–240. ACM (2003)
- 9. Staddon, J., Miner, S., Franklin, M., Balfanz, D., Malkin, M., Dean, D.: Self-healing key distribution with revocation. In: 2002 IEEE Symposium on Security and Privacy, Proceedings, pp. 241–257. IEEE (2002)
- 10. Sun, X., Wu, X., Huang, C., Zhong, J., Zhong, J.: Modified access polynomial based self-healing key management schemes with broadcast authentication and enhanced collusion resistance in wireless sensor networks. Ad Hoc Netw. **37**(P2), 324–336 (2016)
- 11. Tian, B., Han, S., Dillon, T.S.: An efficient self-healing key distribution scheme. In: New Technologies, Mobility and Security, pp. 1–5. IEEE (2008)
- 12. Tian, B., Han, S., Dillon, T.S., Das, S.: A self-healing key distribution scheme based on vector space secret sharing and one way hash chains. In: World of Wireless, Mobile and Multimedia Networks, pp. 1–6. IEEE (2008)
- 13. Wang, G., Wen, T., Guo, Q., Ma, X.: An efficient and secure group key management scheme in mobile ad hoc networks. J. Comput. Res. Dev. **30**(3), 937–954 (2010)
- 14. Wang, Q., Chen, H., Xie, L., Wang, K.: Access-polynomial-based self-healing group key distribution scheme for resource-constrained wireless networks. Secur. Commun. Netw. **5**(12), 1363–1374 (2012)
- 15. Wang, Q., Chen, H., Xie, L., Wang, K.: One-way hash chain-based self-healing group key distribution scheme with collusion resistance capability in wireless sensor networks. Ad Hoc Netw. **11**(8), 2500–2511 (2013)
- 16. Xu, Q., He, M.: Improved constant storage self-healing key distribution with revocation in wireless sensor network. Inf. Secur. Appl. **5379**, 41–55 (2008)
- 17. Yang, Y., Zhou, J., Deng, R.H., Bao, F.: Computationally secure hierarchical self-healing key distribution for heterogeneous wireless sensor networks. Inf. Commun. Secur. **5927**, 135–149 (2009)
- 18. Yuan, T., Ma, J., Zhong, Y., Zhang, S.: Efficient self-healing key distribution with limited group membership for communication-constrained networks. In: IEEE/IFIP International Conference on Embedded Ubiquitous Computing, pp. 453–458. IEEE (2008)
- 19. Yuan, T., Ma, J., Zhong, Y., Zhang, S.: Self-healing key distribution with limited group membership property. In: International Conference on Intelligent Networks Intelligent Systems, pp. 309–312. IEEE (2008)
- 20. Zhu, S., Setia, S., Xu, S., Jajodia, S.: GKMPAN: an efficient group rekeying scheme for secure multicast in ad-hoc networks. J. Comput. Secur. **14**(4), 301–325 (2006)
- 21. Zou, X., Dai, Y.S.: A robust and stateless self-healing group key management scheme. In: International Conference on Communication Technology, pp. 1–4. IEEE (2006)