Pragmatic authenticated key agreement for IEEE Std 802.15.6

The IEEE Std 802.15.6 is the latest international standard for Wireless Body Area Networks. The security of communication in this standard is based upon four elliptic-curve-based key agreement protocols. These protocols have been shown to exhibit serious security vulnerabilities but surprisingly, do not provision any privacy guarantees. To date, no suitable key agreement protocol has been proposed which fulfills all the requisite objectives for IEEE Std 802.15.6. In this paper, two key agreement protocols are presented which, in addition to being efficient and provisioning advance security properties, also offer the essential privacy attributes of anonymity and unlinkability. We develop a formal security and privacy model in an appropriate complexity-theoretic framework and prove the proposed protocols secure in this model.


Introduction
Wireless Body Area Networks (WBANs) consist of miniaturized computing devices which can be fitted inside or around the human body [7].Through use of short range communication technologies, these devices talk to a designated centralized node (Hub) which further communicates with external networks via a Gateway [23].The general layout of a typical WBAN is illustrated in Fig. 1.Note that the Hub and Gateway are functionally two separate entities, but are usually combined into a single physical node.Mindful of the peculiarities of communicating in and around the human body, the IEEE published IEEE Std 802.15.6 [3] for WBAN communications in 2012.As high power transmis-sions are harmful to humans and nodes in a WBAN are energy constrained, this standard provisioned an optional two-hop communication architecture to enable resource-constrained nodes to minimize transmissions when communicating with the Hub.
In addition to conventional security guarantees, privacy is of utmost importance for typical target application areas such as healthcare and the military [29].The elliptic-curve-based session key agreement methods of IEEE Std 802.15.6 have been shown to have security weaknesses [28], but also do not provide the privacy features that should be expected of a WBAN [20].In this paper, we present two key agreement protocols which render a comprehensive range of security and privacy properties, which are regarded as essential [20] for WBANs.We start by presenting a network and adversary model for WBAN key agreement and elaborating upon the desired security, privacy and functional objectives.

Network and adversary model
We begin by describing a system model suitable for the deployment scenarios of WBANs.In this model, a System Administrator (S A) initializes the network.The network is composed of three types of nodes; a Hub Node (H N), Intermediary Nodes (I N) and Normal Nodes (N ).As the H N is usually a resourceful device with better hardware protection mechanisms in place, we assume it to be trusted and its long-term secret Master Key to be protected.As the role Fig. 1 Generic architecture of a typical WBAN of H N is usually undertaken by a modern smart phone in a generic WBAN, this argument is supported aptly by the real world example of the FBI-Apple encryption dispute [2] where even for resourceful parties like government agencies it is not easy to crack into a smart phone.Normal nodes N are resource constrained and their transmission range is assumed to be limited; in particular, they are not always able to communicate directly with H N. Intermediary nodes I N are also located in and around the body but, at a particular time instance, are in direct communication with both N and H N, thus acting as intermediary nodes for the purpose of relaying traffic between H N and N when required.We assume a Dolev-Yao [12] adversary A who can listen, modify and synthesize any message of his choice in this model.

Desired objectives
The security of traffic in IEEE Std 802.15.6 is protected using authenticated encryption, which requires the establishment of symmetric session keys.The procedure for agreeing these keys is thus critical to the overall security and privacy of a WBAN.Next we list down the requisite properties (and where required the associated rationale) of a Privacy-Preserving Key Agreement (PPKA) protocol to be executed between a node N and H N

Security properties
Mutual entity authentication Entity authentication is the process by which one entity (the verifier) is assured of the identity of a second entity (the claimant) [27].The PPKA should provision mutual entity authentication between N and H N.

Mutual "implicit" key authentication
The assurance that only a particularly identified other party may possibly know the negotiated key [27].Mutual "implicit" key authentication is required between N and H N.
desirable that this loss should not enable an adversary to impersonate other entities to N [19].Consider the scenario where a cardiac pacemaker is part of a WBAN deployed upon a chronic patient by a hospital for remote administration and monitoring purposes.The leakage of the pacemaker's longterm secret should not enable the adversary to issue "stop" commands to the pacemaker by impersonating as the hospital administrator.Such a case could potentially lead to a life threatening situation.
Replay prevention An adversary should not be able to successfully replay previously captured copies of legitimate messages between the protocol participants.
Desynchronization resistance If the authentication parameters get updated during the protocol execution, then usually the participants need to have the same updated values at the end of a protocol run.Otherwise, they will not authenticate each other in later sessions and we say they have been desynchronized.In a desynchronization attack, the adversary forces the protocol participants to update their authentication parameters to different values.A PPKA needs to be resistant to these types of attacks.

Privacy properties
We focus on two privacy aspects: Node anonymity An adversary A, who is observing all communications, should not be able to learn the identity of any node N who is participating in a PPKA protocol with H N. The privacy attribute of anonymity is a necessity for typical application scenarios of WBANs, such as healthcare and military.
Session unlinkability An adversary A, who is observing communications, should not be able to link one successfully executed PPKA session of node N to another successfully completed session of the same node.Session unlinkability is imperative in addition to anonymity.Although the PPKA sessions could be anonymous, if the adversary is able to link various PPKA sessions and group them together then A would be able to attribute a group to a particular node with high probability, due to his knowledge of the operations of the WBAN.For example, consider a medical WBAN in which a pacemaker is supposed to communicate with the remote healthcare providers every five minutes, while the body temperature sensor communicates only three times per day.

Support for multi-hop communication
As discussed in Sect.1.1, depending upon the network topology, nodes would either be communicating directly with the Hub Node H N or via an Intermediary Node I N. Therefore, the PPKA protocol should be designed to be suitable for both single-hop and two-hop communication modes of [3].

Energy consumption
As nodes in a WBAN are severely energy constrained, the PPKA protocol needs to be minimalistic in terms of computation, communication and storage overhead.Energy consumption in WBANs is dominated by radio communications [10], which mainly depends on the number of bits to be transmitted within the network.Consequently, the PPKA protocol should be designed such that the number of bits to be exchanged between the protocol participants and the computational overhead for nodes N should be minimal.
Stateless HN H N is the consistent nucleus of the network whose lack of accessibility will have devastating effects on the complete WBAN.As the network topology in WBANs is dynamic where client nodes join and leave the network on a frequent basis; it is imperative for H N's accessibility that it be independent of such dynamism.Consequently, an important requirement is that the PPKA protocol should not require H N to maintain a state of the WBAN nodes.

Offloading of expensive operations
As nodes in a WBAN are resource constrained, it makes sense to offload energy-expensive operations to more resourceful entities such as S A and H N. An example of this is discussed in more detail in Sect.4.2.

Minimizing the implementation footprint
Ideally, the proposed solution should not introduce new cryptographic primitives as this will adversely affect the implementation footprint (hardware and memory).Specifically, we aim to use the already specified block cipher function in [3] for achieving the various security and privacy objectives.A more detailed discussion is given in Sect.4.2.

Reducing management costs
A PPKA solution should not place management costs on the WBAN nodes after the network initialization.Consider the situation where a third party wants to add its node (for example a fitness tracker) to an already deployed WBAN.The third party should be able to contact the S A, who (after registration of the new node) would dispatch it to the WBAN owner, who begins using the new device upon receipt.Note

Session unlinkability ×
Anonymity that all this was done without interacting with the currently operational WBAN.

Related work
Toorani [28] discovered various security weaknesses in the key agreement methods of IEEE Std 802.15.6, all of which were susceptible to Key Compromise Impersonation attacks as well as attacks on forward secrecy.Wang and Zhang [30] proposed a key agreement scheme for WBANs that claimed to provide anonymity and unlinkability in addition to the requisite security guarantees.However, Jiang et al. [14] show that [30] is vulnerable to client impersonation attack and thus lacks mutual authentication.They proposed an authenticated key agreement scheme which rectified this flaw.However, their scheme was based on computing bilinear pairings; which is not suitable for deployment in resource constrained WBANs.To avoid the overhead of managing public-key certificates, He et al. proposed a certificateless authentication scheme [13], which provides anonymity and unlinkability.However, the computation and communication overheads associated with their scheme also render it unsuitable for WBAN deployment.Recently, Li et al. [21] presented an authenticated key agreement scheme based only upon symmetric cryptographic primitives.This is an attractive proposal since there is no requirement of any additional infrastructure and the associated computation and communication overheads are negligible.The authors claimed that this scheme achieved almost all of the security and privacy objectives defined in Sect.1.2.

Previous version
This manuscript is full version of the paper presented at IEEE TrustCom, 2018 [15].The main differences from the conference version are as follows: Firstly, the list of required security objectives is more comprehensive after inclusion of PrFS and KCI resilience.Moreover, the introduction section has been further enhanced by addition of the design principles of the proposed protocols.Furthermore, a new Sect.4 providing discussion about various aspects of the proposed protocols is also part of this manuscript.This manuscript successfully answers the open question put forward in [15] regarding the feasibility of a privacy-preserving authenticated key agreement protocol for IEEE Std 802.15.6 offering PrFS and KCI resilience without any dependence on public key cryptography.The second key agreement protocol (termed PPKA2 within this manuscript) is one such protocol satisfying all the requisite security and privacy requirements.Further additional contributions of this manuscript are as below: • We enhance our previous analysis [15] of [21] which, in addition to showing that Li et al. scheme does not provide session unlinkability and forward secrecy, also exhibits its vulnerability to KCI attacks.• In addition to the key agreement protocol (PPKA-1) proposed in [15], which provided session unlinkability and resolved the privacy flaws found in [21], we present another protocol ( PPKA-2) that additionally provisions PrFS and KCI resilience.Table 1 lists the security and privacy features provisioned by each protocol.• We develop a formal security and privacy model in an appropriate complexity-theoretic framework and prove the proposed protocols secure in this model.
The remainder of this paper is organized as follows: • Section 2 provides an overview and analysis of a WBAN key agreement scheme proposed in [21].• The proposed protocols are detailed in Sect.3.
• Section 4 discusses pertinent aspects of the proposed protocols.• Sections 5 and 6 explain the formal security model and the associated analysis, respectively.• Finally, Sect.7 provides future research directions and concludes the paper.

Li et al. scheme
In this section, we present an overview and analysis of Li et al. scheme [21].For ease of comparison we use the same notation (details in Table 2) as in [21].

The key agreement protocol
Li et al.PPKA protocol between the Hub node (H N) and a node (N ) consists of three phases.For a pictorial overview of the protocol see Fig. 2.

Initialization phase
The (S A) randomly samples a master secret key k H N and stores it in H N.

Registration phase
The S A randomly samples a unique secret identity id N for node N .It then randomly chooses the temporary secret parameter k N and calculates A unique relay identity id I N for the intermediary node (I N) is chosen and the parameters id N , a N , b N and id I N are stored in N and I N, respectively, while id I N is stored by H N as the identity of I N when communicating in relay mode.

Authentication phase
We can think of the authentication phase of Li et al. scheme as a two-pass protocol.The individual steps are outlined below: Step 2 I N → H N : tid N , y N , a N , b N , t N , id I N .I N adds its relay identity id I N to the tuple and forwards it to H N. Note that I N when operating in relay mode uses id I N not id I N .
Step 3 H N → I N : α, β, η, μ, id I N .After receiving the parameters from I N, H N verifies the relay identity id I N from its database and substantiates the validity of the timestamp t N .Upon success of these checks, it computes The shared session key is computed as k S = h(id N , r N , f N , x N ) and is stored in Step 4 I N → N : α, β, η, μ .I N removes the relay identity id I N from the received tuple and forwards α, β, η, μ to N .
Step 5; Upon receipt of the response from I N, N computes

Analysis of the Li et al. scheme
In this section we discuss vulnerabilities and attacks on the security of the Li et al. scheme.

Security analysis
In addition to provisioning of mutual "direct" authentication [11], Li et al. scheme fulfills all the security criteria as defined in Sect.1.2 except KCI resilience and PrFS.Moreover, the scheme also protects the master secret (k H N ) in the event of compromise of various nodes of the WBAN.For sake of brevity, we will restrict our security analysis to highlight only the vulnerabilities of Li et al. scheme.
Discussion about forward secrecy Li et al. claimed a forward security property of their scheme.Their definition of forward secrecy varies from the generally accepted one.
According to Li et al., the goal of forward secrecy is to protect other (past / future) session keys in the event of compromise of the current session key k S .However, the conventional definition of forward secrecy states that in the event of compromise of the long term secrets of the protocol participant(s), an adversary should not be able to obtain any of the past session keys [22].While Li et al. scheme is forward secure according to their own definition, it is not forward secure in a conventional sense.

KCI attack We demonstrate a KCI attack on Li et al. scheme.
A observes the first pass of the protocol and notes the message contents.As the value id N is known to A, he calculates the following values as follows: A chooses a random f N and calculates α = f N ⊕ x N .A then chooses arbitrary values of η and μ and calculates β as:

Privacy analysis
The anonymity dilemma It is known apriori to the attacker that all nodes ultimately communicate with H N. As the node identifier id N is always masked (by taking an XOR of it with a fresh random value), anonymity in Li et al. protocol is preserved from "direct" privacy attacks.However, now consider the situation depicted in Fig. 3, where an intermediary node I N is providing the relaying service to various nodes N .
In the second pass of Li et al. scheme, it is not clear how the intermediary node I N would be able to identify the original node N out of the "anonymity set" [25] for onward forwarding of the tuple α, β, η, μ received from H N. One naive way to resolve this is to allow I N to broadcast the second pass of protocol for all nodes.However, this approach is unsuitable for already energy-constrained WBAN nodes as they will need to perform additional communication (radio reception) and computational steps for each transmission.

Session unlinkability While Li et al. claim their scheme
provides session unlinkability, we show this to be untrue.
Further, A records the values η and μ from Step 3 of Sect.2.1.3and uses γ to compute: Session # 2 Now, A observes key exchange protocol sessions between various nodes and H N. A compares the values of the parameters a N and b N from Step 1 of the protocol with the saved values of a + N and b + N .When A finds a match, A concludes with almost certainty that another key exchange session has been initiated by the same node N .This is correct because node N uses the updated authentication parameters a + N and b + N in its next run of the protocol.In this way, A can track and link sessions of node N , demonstrating that Li et al. scheme does not achieve session unlinkability.

Functional requirements
Li et al. scheme can be easily adapted for direct communication between N and H N without the involvement of I N. Since this scheme employs only symmetric cryptographic primitives, it is extremely efficient from a computation, communication and storage overhead perspective and there is no requirement of any additional network infrastructure.Assuming a hash function with a digest length of B bits and 16 bit intermediary node IDs (i.e.id I N ), Table 3 highlights the communication, computation and storage overhead of Li et al. scheme.In this table, h denotes one hash operation, ⊕ denotes an XOR operation and m denotes the number of intermediary nodes in the WBAN.Note that, contrary to the assumption made by Li et al. in Sect.5.4 of [21] about the arbitrary length of the timestamp field, it is implicitly the same length as the hash function digest because, as described earlier in Sect.2.1.3,tid N = h(id N ⊕ t N , r N ).This is not commensurate with the length of the timestamp

Our PPKA protocols
In this section, we propose two PPKA protocols which rectify the problems highlighted in Sect.2.2.While devising these PPKA protocols, we have tried to preserve the original elegance, simplicity and efficiency of the scheme in [21].The first PPKA protocol addresses the privacy flaws of unlinkability and anonymity dilemma faced by I N (Sect.2.2.2) in Li et al.'s scheme.The second protocol, additionally provides PrFS and KCI resilience (in case of compromise of the longterm secret of node N ).Note that though in our protocols the intermediary node I N is not an active participant from a cryptographic standpoint (this was a conscious design consideration), we have included I N in our protocol description for verification of the resolution of the anonymity dilemma of I N. Detail of additional notation used in our PPKA protocols is given in Table 4.

PPKA protocol 1
The phases of PPKA Protocol 1 are separated into three distinct phases.An Initialization Phase, that generates the long-term secret values of the Hub Node H N. A Registration Phase, that generates the long-term values of the end-nodes N and stores them with H N. Finally, an Authentication Phase where the nodes N and H N generate an authenticated shared secret key, and update the authentication parameters.

Initialization phase
This is identical to the Initialization Phase as presented in [21].Specifically, the (S A) randomly samples a master secret key k H N and stores it in H N.

Registration phase
The intermediary node (I N) is not provided with a relay identity id I N .Instead, parameters id N , a N , b N are stored in N .Note that the user identity id N is sampled in a fully random fashion.The identities in case of a WBAN in general and IEEE 802.15.6 in specific, do not require a structure as in other communication settings like mobile telephony, etc [16].Also note that the proposed scheme does not impose any limitations on the length of id N and is flexible enough to accommodate the identity field of any length.

Authentication phase
The various steps of the authentication phase are depicted in Fig. 4 and are as follows: Step It further picks a random pseudonym id N to be used as a temporary identifier for this session only, calculates tid N = h(id N , id N , t N , r N ) and sets the "Relay Field" of the underlying "MAC Header" to value 1, according to sub-clause 6.10 of [3].
Step 2 I N → H N : tid N , y N , a N , b N , t N , id N .I N checks the value of "Relay Field" and forwards the tuple to H N.
Step 3 H N → I N : α, β, η, μ, id N .After receipt of the tuple from I N, H N verifies the validity of the timestamp t N .Upon success of this check, it computes ) is computed and stored in memory, and the value of the underlying "Relay Field" is set to 1.
Step 4 I N → N : α, β, η, μ, id N .I N checks the "Relay Field" of the message received from the Hub node.If "Relay Field" value is set to 1, then it notes the identifier id N received in the tuple for onward forwarding of the tuple to node N .
Step 5; Upon receiving a response from I N, N computes

PPKA protocol 2
The second PPKA protocol is structurally similar to PPKA Protocol 1, with three phases and similar goals.We describe the execution of PPKA Protocol 2 below.

Initialization phase
This phase is unchanged from [21].

Registration phase
The registration phase is mostly identical to PPKA Protocol 1.However, S A additionally computes

Authentication phase
The authentication phase of PPKA Protocol 2 is depicted in Fig. 4 and detailed as follows: = tid * N .Then, α, η and μ are computed as in PPKA 1. k S is computed as h(id N , z N , r N , f N , x N , 1) while an additional key k Z is computed as h(z N , id N , r N , f N , x N , 0).
Step 4 I N → N : α, β, η, μ, δ, id N .This is identical to Step 4 in PPKA 1 Step 5; This is identical to Step 5 in PPKA 1, except that β * is calculated as h(x N , z N , r N , f * N , δ, η, μ, id N ) and the shared session key k S is computed as h(id N , z N , r N , f N , x N , 1).Additionally, node N decrypts z + N = Dec(k z , δ) and replaces z N with z + N .

Why a Bespoke solution?
If we consider the scenario of direct communication between N and H N (without the involvement of I N), at first glance, it seems to be similar to that of RFID; where a tag needs to be authenticated in a secure and private manner by the reader.However, there is a fundamental distinction between the two scenarios.As discussed in Sect.1.2.3, in our case the H N does not maintain any state about the network nodes and is oblivious to the identity management of the network, while in the RFID setting, the reader has access to the backend database server(s) which maintain nodes' status in the RFID network.This means that, in the case of RFID, S A needs to update the status at the back-end servers whenever it introduces a new node or removes an old one from the system.As explained in Sect.1.2.3, this is problematic for WBANs.

Random number generation on WBAN nodes
A WBAN Cryptographically Secure Pseudo Random Number Generator (CSPRNG) needs to be computationally inexpensive and there should be no requirement for entropy collection from environmental resources, as this would entail extra communication.We recommend the approach outlined in [18].During the "Registration Phase", S A can allocate each node N with a unique (randomly chosen) secret key K .
Thereafter, node N can encrypt the sequence {0, 1, 2, 3, ...} under key K using AES (already available for message security purposes) as the block cipher.This arrangement can securely generate 2 60 bytes without the need for re-seeding the key K .

Why timestamps?
Timestamps as a replay prevention tool are generally avoided in key agreement protocols as they present various practical problems, such as the need for a reliable source of time.Here, we would like to draw the reader's attention to Sect.1.2.3, which discusses the requirement of the H N being stateless.Any other technique for replay prevention (nonces, sequence numbers, etc.) will require the H N to maintain a state about the clients and consequently will impose design limitations which we are specifically trying to avoid.Given the peculiar situation of WBANs and availability of various time-synchronization avenues within the standard (Clause 6.11 of [3] which provisions for H N to act as the central time source for the WBAN and regularly broadcasts time-123 synchronization beacons), replay prevention via timestamps seems to be the way forward.This may not be the most desirable solution but it still is a step forward from the current standard which offers no replay protection at all.

Security versus usability
It was a conscious design choice to keep H N free of any client related data (refer Sects.1.2.3 and 1.3).While security can be improved manifold via diffusion of secret parameters between the client nodes and H N and attacks like impersonation of some other non-compromised node by a compromised client node could be avoided; this would adversely affect the usability features (no management cost, etc) we are trying to achieve.Hence, the cleanness predicates (Sect.5.4) in our security model define the exact combination of secrets that the adversary can compromise.Our security model allows the adversary to leak the long-term secret key of the node (id N ) but not along with the previously established per-stage secret state (a N , b N ).What we are trying to achieve here is the delicate balance between security and usability via this approach.

Security model
We now introduce our security models for the analysis of privacy-preserving key agreement (PPKA) protocols.Our first security experiment is based on standard key-exchange models in the tradition of Bellare-Rogaway [4] key indistinguishability games.This allows our model to easily capture known key secrecy, as well as generically capture key randomness notions, since our adversary is tasked merely with the goal of distinguishing the targeted session key from a random session key from the same distribution.Our second security experiment allows us to capture privacy notions of sessions, by challenging an adversary to determine which of two previously selected nodes ran a given protocol execution.
Our cleanness predicates (see Sect. 5.4) allows us to model KCI attacks by allowing the adversary to reveal the long-term key of the node running the PPKA protocol, as well as the notions of partial forward secrecy.We begin by describing the execution environment for our security frameworks.

Execution environment
Consider an experiment Exp PPKA-IND Π,n N ,n S ,A (λ) played between a challenger C and an adversary A. C maintains a single node H N, running a number of instances of the PPKA protocol Π , and a set of (up to) n N nodes N 1 , . . ., N n N (representing nodes communicating with the hub node H N), each potentially running one stage of (up to) n S consecutive stages of Π .The PPKA protocol Π is represented as a tuple of algo-rithms Π = (HKeyGen, HF, NKeyGen, NF, StateGen).We abuse notation and use π stid id to refer to both the identifier of the stid-th stage of Π being run by node N id and the collection of per-session variables maintained for this stage.We describe the algorithms below:

Π.HKeyGen(λ)
$ → (k H N ) is a probabilistic symmetric key generation algorithm taking as input a security parameter λ and outputting a long-term hub node secret key (k H N ).

Π.NKeyGen(λ)
$ → (ltk) is a probabilistic symmetric key generation algorithm taking as input a security parameter λ and outputting a long-term hub node secret key (ltk).Note that in our proposed PPKA protocols, we denote this longterm secret key with id N .

Π.StateGen(λ, k H N , ltk)
$ → ( psstate) is a probabilistic symmetric key generation algorithm taking as input a security parameter λ and the long-term secret keys of the hub node and the "normal" node, outputting secret state information for node N ( psstate).In PPKA Protocol 1, this per-stage secret state is a N , b N .In PPKA Protocol 2, this is a N , b N , z N .

Π.StateUpdate(λ, π )
$ → ( psstate) is a probabilistic symmetric key generation algorithm taking as input a security parameter λ and a set of per-session variables, outputting the next stage's per-stage secret state ( psstate) for node N .
The experiment begins with C running Π.HKeyGen once to generate a long-term secret key for the hub node (k H N ), and randomly sampling a bit b ∈ {0, 1}.A then interacts with C via the queries listed in Sect.5.2, eventually terminating and outputting a guess bit b of C's bit b.A wins the keyindistinguishability game if b = b and the session π stid id such that A issued Test(id, stid) satisfies the cleanness predicate clean, which we discuss in Sect.5.4.Each session maintains the following set of per-session variables: • ltk ∈ {0, 1} λ -the long-term symmetric-secret of N id .
Finally, the challenger manages the following set of registers, which indicate A's compromise of secrets:

Adversarial interaction
In the game, the adversary A is able to communicate with the challenger and thus interact with the parties/sessions via the following set of queries: Register(λ) → id: Allows A to register a new node with security parameters λ and gives A an identifier for the node id (which we denote N id ).For protocols where nodes do not have a public identifier, the index of the node is given to A. N ext K ey(λ, id) → m: Allows A to indicate that the node with public identifier id should attempt a new key agreement using (potentially) the new/updated security parameters λ.
The challenger then returns any protocol messages m.Corrupt(id) → ltk: Allows A to compromise the longterm key of the node π id .ltkwith public identifier id.Reveal(id, stid) → sk: Allows A to compromise the session key established between the hub node and the node N id in stage stid.Note that stid indicates the index of the session key established between the node id and the hub node.The challenger responds with the session key π stid id .sk.StateReveal(id, stid) → psstate: Allows A to compromise the per-stage secret state psstate of the node with public identifier id.Note that stid indicates the index of the stage-specific state, and the challenger responds with π stid id .psstate.Send(id, m) → m : Allows A to send a message m to the node with identifier id currently running a protocol execution.Note that the node will update its per-session variables and potentially output a new message m .T est(id, stid) → sk: If the node N id has completed its stid-stage key agreement, then the challenger uses the randomly-sampled bit b ∈ {0, 1}.If b = 0 the challenger responds with π stid id .sk,otherwise the challenger responds with a random key from the same distribution.
We now formalise the advantage of a PPT algorithm A in winning the PPKA key-indistinguishability game: Definition 1 (Key Indistinguishability) Let Π be a PPKA protocol and n N , n S ∈ N.For a given cleanness predicate clean, and a PPT algorithm A, we define the advantage of A in the key-indistinguishability game to be: We say that (λ) is negligible in security parameter λ.

Session unlinkability
The experiments for PPKA key-indistinguishability and session unlinkability are mostly identical.However, instead of using the Test(id, stid) query, at some point A will stop and output (id 0 , id 1 ).When A outputs (id 0 , id 1 ), C runs NextKey(λ, id 0 ) and responds to queries as before.We will refer to this as the "challenge" node.However, when π stid id 0 .α← accept, C then refers to the random bit b sampled at the beginning of the experiment and: A now uses the SendTest(m) query to send messages to the node N id b in order to avoid trivial identification.We will refer to this as the "unnamed node".A at some point terminates and outputs a guess bit b .If b = 0, then A is indicating that the unnamed node N id b was linked to the challenge node N id 0 .If b = 1, then A is indicating that the unnamed node N id b was not linked to the challenge node N id 0 .
We now formalise the advantage of a PPT algorithm A in winning the PPKA session-unlinkability game: Definition 2 (Session Unlinkability) Let Π be a PPKA protocol, and n N , n S ∈ N.For a given cleanness predicate clean, and a PPT algorithm A, we define the advantage of A in the session-unlinkability game to be: We say that Π is PPKA-SU-secure if, for all A, Adv PPKA-SU,clean Π,n N ,n S ,A (λ) is negligible in the security parameter λ.

Cleanness predicates
The cleanness predicates are used in the security experiments to define the exact combination of secrets that A is able to compromise without trivially breaking the PPKA protocol.In order to capture key-compromise-impersonation (KCI) attacks and PrFS notions, we allow A to leak the long-term secret key of the "normal" nodes if A has not also leaked any previously established per-stage secret state.Our analysis is focused primarily on the normal nodes, and we do not allow the compromise of the hub node secrets, as all security in all stages is lost in this scenario.We additionally describe a cleanness predicate for PPKA protocols that do not achieve PrFS or KCI resilience.

Definition 4 (nPrFS-clean) A session π stid
id such that π stid id .α = accept in the PPKA-IND experiment defined in Fig. 5 is nPrFS-clean if SKflag stid id = corrupt.Finally, we describe a cleanness predicate for our sessionunlinkability game.It is straightforward to realise that if Corrupt(id 0 ) or Corrupt(id 1 ) were to be issued, it would trivially allow A to win in either of our PPKA protocols by simply reconstructing the tid N field sent by the unnamed node.Similarly, we cannot allow the adversary to reveal the per-stage secret state for the current stage stid of the unnamed node N id b .
Definition 5 (SU-clean) A session π stid id in the PPKA-SU experiment defined in Fig. 5 is SU-clean if LSKflag id = corrupt and PSSflag stid id = corrupt.
6 Analysis of our proposed PPKA Protocols

Security and privacy analysis
Before we begin, we show that an adversary A is unable to recover the hub node secret k H N (with non-negligible probability) even if A reveals all long-term secrets id N of all nodes and all per-stage secret states psstate.In our proofs we work within the random oracle model, and A cannot learn anything about k H N from hash outputs h(k H N , X ) (where X is any concatenation of arbitrary values).We turn to A attempting to learn k H N that has been "blinded" through exclusive-or (XOR) operations.We give below the generic construction of messages that include k H N : Taking μ first, we note that k + N (independently sampled by the hub node, uniformly-at-random, in each stage) acts as the key in a one-time-pad, perfectly hiding the long-term secret key k H N of the hub node, the long-term secret key id N of the normal node and the value h(k H N , k N ).k + N is an internal value that is known only to the challenger implementing the Hub Node, as it cannot be compromised by A via Reveal, Corrupt or StateReveal queries.For b N , we note that k N (randomly sampled by the hub node in a previous stage) is still acting as the same key k + N in a one-time-pad, and thus still perfectly hiding the same message, i.e. the long-term secret key k H N of the hub node, the long-term secret key id N of the normal node and the value h(k H N , k N ).We argue then that A cannot recover the hub node secret key k H N .We can further conclude that an adversary that compromises fewer internal states and long-term secret keys will also be unable to recompute k H N .We can continue our proof knowing that the best strategy for A to recover the long-term secret key of the hub node k H N is to attempt to brute-force the value.
We now show that an adversary A that does not issue a Corrupt(id) query cannot recover the long-term secret key id N of node N id .As before, we note that since we instantiate the hash function as a random oracle, that the adversary cannot invert hash outputs of the form h(id N , X ) (where X is some arbitrary concatenation of values) in order to learn id N .We can now focus on the adversary attempting to learn id N from "blinded" values by XORing them with other values.In each stage of the protocol execution, this is available to A in the following generic ways: If this is the first stage of the protocol execution for node N id , then a N and b N are established in some out-of-band way.Thus h(k H N , k N ) and k N act as uniformly random and independent keys in a one-time pad, perfectly hiding id N and k H N ⊕id N ⊕h(k H N , k N ) (for a N and b N respectively).Since, by the previous argument, the best strategy for A to recover k H N is simply to guess, (and we instantiate the hash function with a random oracle), in order to recompute h(k H N , k N ) A must either guess k H N or to guess h(k H N , k N ).Since they are the same bit-length, the probability of A doing either is the same: 2 −λ .If this is not the first stage of the protocol execution, then a N and b N they were sent as "sub-XOR" of a previous stage η and μ.We argue that h(k H N , k + N ) and k + N act as keys to one-time-pads for η and μ, respectively, and remain the keys to the one-time-pad perfectly hiding id N and k H N ⊕ id N ⊕ h(k H N , k N ) (for a N and b N respectively) in the following stage.It follows then that the best strategy A has in recovering id N is to merely guess id N : 2 −λ .
We now prove the key-indistinguishability of our PPKA protocols given in Fig. 4. We begin with PPKA-2, as it captures the strongest notions of security, capturing PrFS, KCI resilience, key randomness, known key security and hub-node authentication.Afterwards, we turn to proving the session unlinkability of PPKA-2.We then prove key indistinguishability and session unlinkability of PPKA-1.As PPKA-1 is essentially a truncated version of PPKA-2, this allows us to omit the most repetitive details of the proofs.
Theorem 1 (Key Indistinguishability of PPKA-2) The privacy preserving key agreement protocol PPKA-2 given in Fig. 4  Proof For our proof, we assume that a test query Test(id, stid) has been issued, and separate into the following three cases: • π stid id has accepted such that π st id id .mr = PPKA -2.HF (λ, k H N , π st id id .mr ).• π stid id has accepted such that π st id id .mr = PPKA -2.HF (λ, k H N , π st id id .mr ) and Corrupt(id) has not been issued.
• π stid id has accepted such that π st id id .mr = PPKA -2.HF (λ, k H N , π st id id .mr ) and Corrupt(id) has been issued.By the definition of the cleanness predicate PrFS-KCI-clean, we assume that the per-stage secret state has not been revealed for any stage s ≤ stid.
Case 1 In this case, we show that the probability the session π stid id such that Test(id, stid) was issued set π stid id .α← accept such that π stid id .mr = PPKA-2.HF(λ, k H N , π stid id .ms ) is negligible.Game 0 This is a normal PPKA key-indistinguishability game.Thus we have: Adv PPKA-IND,C 1 PPKA-2,n N ,n S ,A (λ) = Pr(br eak 0 ).Game 1 In this game, we guess the index (id, stid) of the session π stid id , and abort if during the execution of the experiment, a query Test(i * , s * ) is received and (i * , s * ) = (id, stid).Thus we have: Pr(br eak 0 ) ≤ n N n S • Pr(br eak 1 ).Game 2 In this game, we replace the h(k H N , k N ) value computed within π stid id (and, potentially, in the hub node processing π stid id .ms ) with a uniformly-random value h(k H N , k N ).We note that since we instantiate the hash function with a random oracle that the distribution is identical to h(k H N , k N ).Thus, the only way that A can detect this change is to query (k H N , k N ) to the random oracle.Since the only way for A to do this is to recover k H N fully, and we argued previously that A's probability of success in this endeavour is 2 −λ , we have: Pr(br eak 1 ) ≤ 2 −λ + Pr(br eak 2 ).Game 3 In this game we argue that the adversary A has a negligible probability of producing a value β = h( h(k H N , k N ), ẑ N , r N , fN , δ, η, μ, îd N ).Note that for π stid id .α to reach accept, A must produce such a value β.We know by the definition of Case 1 that the following must be true: • π stid id .mr = α, β, η, μ, δ, îd It is clear that if the session π stid id such that Test(id, stid) must be issued (by Game 1) cannot reach π stid id .α← accept, then in Game 3 the experiment proceeds identically regardless of the bit b sampled by the challenger.Thus: Pr(br eak 3 ) = 0. We can now begin treating Case 2: that Corrupt(id) has not been issued for the appropriate node.Case 2 In this case, we show that an adversary who issues a Test(stid, id) query (and does not also issue a Corrupt(id) query) cannot win the key-indistinguishability game with non-negligible probability.Game 0 This is a normal PPKA key-indistinguishability game.Thus we have: Adv PPKA-IND,C 2 PPKA-2,n N ,n S ,A (λ) = Pr(br eak 0 ).Game 1 In this game, we guess the index (id, stid) of the session π stid id , and abort if during the execution of the experiment, a query Test(i * , s * ) is received and (i * , s * ) = (id, stid).Thus, we have: Pr(br eak 0 ) ≤ n N n S •Pr(br eak 1 ).Game 2 In this game, we replace the session key k S computed by the node N id in stage stid with a uniformly-random and independent value k S .First we note that k S is computed as k S = h(id N , z N , r N , f N , x N ).Since we instantiate the hash function as a random oracle, the distribution of k S and k S is identical.In order to distinguish this change, A must be able to query the random oracle with the input (id N , r N , f N , x N ).Since we argued previously that in order to recover id N (the long-term secret key of the node N id ), A's only strategy to distinguish this change would be to guess the long-term secret id N .The probability of A distinguishing this replacement is 2 −λ where λ is the bit-length of id N .
After this change, the session key returned to A as the response to the Test(stid, id) query is a uniformly-random value independent of the protocol execution regardless of the bit b sampled by the challenger.Thus, we have: Pr(br eak 1 ) ≤ 2 −λ .

Case 3
In this case, we show that an adversary who issues a Test(stid, id) query (and does not issue StateReveal queries oracle, the distributions of Game 1 and Game 2 are indistinguishable.In order to detect this change then, A must query the random oracle with the input (k H N , X ).As per our previous arguments, in order to query k H N to the random oracle, A must first recover k H N .Since the best strategy to recover k H N is, to simply guess the value of k H N , the probability of A distinguishing this change is 2 −λ .Thus we have: Pr(br eak 1 ) = 2 −λ + Pr(br eak 2 ).Game 3 In this game, in the message output by the hub node for the unnamed session π stid b id b , we replace the hash outputs β = h( h(k H N , k + N ), z N , r N , f N , δ, η, μ, id N ) with a uniformly random value β chosen independently of the protocol flow.As previous arguments, the distributions of Game 2 and Game 3 are indistinguishable.In order to detect this change then, A must query the random oracle with the input is already a uniformly random value independent of the protocol flow (by Game 2), the best strategy to distinguish this change is to simply guess the value of h(k H N , k + N ).Thus we have: Pr(br eak 2 ) = 2 −λ + Pr(br eak 3 ).Game 4 In this game, in the unnamed session π stid b id b we replace the computation of the z + N key k z = h(z N , id N , r N , f N , 0) with a uniformly-random and independent value k z .We note that since we instantiate the hash function with a random oracle, that the distribution of k z and k z is indistinguishable.Thus, in order to detect this change, A must query the random oracle with the input z N , id N , r N , f N , 0. By earlier arguments, the best strategy A has to recover id N is simply to guess id N .Thus Pr(br eak 3 ) = 2 −λ + Pr(br eak 4 ).Game 5 In this game we replace the value δ send by the hub node to the unnamed session π stid b id b with a uniformly random and independent values δ $ ← {0, 1} λ .We do so by constructing an algorithm B that interacts with a PRF challenger in the following way: B acts identically as in Game 4, expect for the hub node protocol execution that computes k z .Instead, B initialise a PRF challenger and queries (z + n ), and uses the output δ from the PRF challenger to replace the computation of δ.Since by Game 4, k z is a uniformly random and independent value, this replacement is sound.If the test bit sampled by the PRF challenger is 0, then δ ← Enc( k z , z + N ) and we are in Game 4. If the test bit sampled by the PRF challenger is 1, then δ $ ← {0, 1} λ and we are in Game 5. Thus any adversary A capable of distinguishing this change can be turned into a successful adversary against the PRF security of the encryption scheme Enc, and we find: Pr(br eak 4 ) ≤ Adv PRF Enc,A (λ) + Pr(br eak 5 ) We pause here to reflect on the consequences of these changes.The first message sent by the unnamed node is tid N , y N , a N , b N , t N , id N .Since t N is a timestamp and id N is sampled identically regardless of the identity of the unnamed node, the distributions of these fields is similarly identical independent of the choice of the randomly sampled bit b. tid N is a uniformly-random valued and independent of the protocol flow (by Game 1), as it is the output of a random oracle query that is of the form (id N b , id N , t n , r n ).This is true regardless of the choice of the randomly sampled bit b of the challenger.For y N we remark that r N is a uniformly-random value sampled identically from the same distribution regardless of the node identity.This value acts as the key in a one-time-pad, perfectly hiding h(k H N , k N ).r N is not reused (as a key) in any message in any stage, and thus y N is a uniformly-random value, regardless of node identity.a N is also a uniformly random value.Here, h(k H N , k N ) acts as the key in a one-time-pad, perfectly hiding the long-term secret key id N of the node by Game 2. Since h(k H N , k N ) is not reused (as a key) in any message in any stage, a N is a uniformly random value, regardless of the node identity, or the bit b randomly sampled by the challenger.Finally, we turn to b N .We note that this time, k N (randomly sampled by the hub node in a previous stage, uniformly-at-random) acts as the key in a one-time-pad, perfectly hiding the longterm secret key k H N of the hub node, the long-term secret key id N of the node and the value h(k H N , k N ).k N is not reused (as a key) in any message in any stage, and thus b N is a uniformly-random value, regardless of node identity.
We examine the first message received by the unnamed node, α, β, η, μ, δ, id N .Again, id N is sampled identically regardless of the identity of the unnamed node; the distributions of the fields are similarly identical independent of the choice of the randomly sampled bit b.For α we remark that f N is a uniformly-random value sampled identically from the same distribution regardless of the node identity.This value acts as the key in a one-time-pad, perfectly hiding h(k H N , k + N ).f N is not reused (as a key) in any message in any stage, and thus α is a uniformly-random value, regardless of node identity.η is also a uniformly random value.Here, h(id N , t N ) acts as the key in a one-timepad, perfectly hiding the values r N , f N and a + N by Game 1.Since h(id N , t N ) is not reused (as a key) in any message in any stage, η is a uniformly random value, independent of the node identity, or the bit b randomly sampled by the challenger.A similar argument apples for μ, substituting h(id N , t N , r N , id N ) for h(id N , t N ).β is a uniformly-random valued and independent of the protocol flow (by Game 3), as it is the output of a random oracle query that is of the . This is true regardless of the choice of the randomly sampled bit b of the challenger.Finally, we rely on the PRF security of the encryption scheme Enc to replace the δ field returned by the hub node.By Game 5, the value δ is uniformly-random and independent of the protocol regardless of the node iden-tity id b .We note then that all message fields have the same distribution regardless of the challenger's randomly-sampled bit b; thus we have: Pr(br eak 5 ) = 0.
We now prove key-indistinguishability of our proposed PPKA-1, capturing known key security, and key randomness, but not forward-secrecy.It follows identically from Case 2 of the proof of PPKA-2 key-indistinguishability, as it does not capture PrFS or KCI resilience.However, it still captures known key security, and key randomness and (obviously) key-indistinguishability.Proof For our proof, we note that we cannot prove partialforward-secrecy or key-compromise-impersonation resilience for the proposed PPKA Protocol 1.Thus, unlike PPKA-2, the cleanness predicate nPrFS-clean ensures that Corrupt(id) has not been issued.In this case, we assume that the per-stage secret state has been compromised at any (or perhaps, at all) previous stages.Since PPKA-1 sends the per-stage secret state a N , b N in the clear, this has no bearing on our security proof of PPKA-1.
Similarly to the proof for PPKA-2, we begin by showing that the adversary is unable to recover the Hub Node secret key k H N (with non-negligible probability) even if A completely reveals the long-term secret keys of every normal node and the per-stage secret states of the nodes.This argument follows identically to the argument for the secrecy of k H N in the proof of PPKA-2, and we can continue our proof knowing that the best strategy A has in recovering k H N is to merely guess k H N .
In this proof, we show that an adversary that issues a Test(stid, id) query (and does not also issue a Corrupt(id) query) cannot win the key-indistinguishability game with negligible probability.Before we begin in earnest, we wish to show that an adversary that does not issue a Corrupt(id) query cannot recover the long-term secret key id N of node N id .This argument follows identically to the argument for the secrecy of id N in the proof of PPKA-2, and we can continue our proof knowing that the best strategy A has in recovering id N is to merely guess id N .Game 0 This is a normal PPKA key-indistinguishability game.Thus we have: Adv PPKA-IND,C 1 PPKA-1,n N ,n S ,A (λ) = Pr(br eak 0 ).Game 1 In this game, we guess the index (id, stid) of the session π stid id , and abort if during the execution of the experiment, a query Test(i * , s * ) is received and (i * , s * ) = (id, stid).Thus we have: Pr(br eak 0 ) ≤ n N n S • Pr(br eak 1 ).
Game 2 In this game, we replace the session key k S computed by the node N id in stage stid with a uniformly-random and independent value k S .First we note that k S is computed as k S = h(id N , r N , f N , x N ).Since we instantiate the hash function as a random oracle, the distribution of k S and k S is identical, thus in order to distinguish this change, A must be able to query the random oracle with the input (id N , r N , f N , x N ).Since we argued previously that in order to recover id N (the long-term secret key of the node N id ), A's only strategy in distinguishing this change would be to guess the long-term secret key id N .Thus the probability of A in distinguishing this replacement is 2 −λ where λ is the bit-length of id N .
After this change, the session key returned to A as the response to the Test(stid, id) query is a uniformly-random value independent of the protocol execution regardless of the bit b sampled by the challenger.Thus we have: Pr(br eak 1 ) ≤ 2 −λ + 0.
Finally, we finish our security analysis by proving the session-unlinkability of PPKA-1.

Theorem 4 (Session Unlinkability of PPKA-1)
The PPKA PPKA-1 given in Fig. 4 is PPKA-SU-secure with cleanness predicate SU-clean and assuming all hash functions are random oracles.For any PPT algorithm A against the PPKA-SU session-unlinkability game described in Fig. 5, Adv PPKA-SU,SU-clean PPKA-1,n N ,n S ,A (λ) is negligible in the security parameter λ.

Proof
The proof of the session-unlinkability of PPKA-1 follows near-identically to the proof of session-unlinkability for PPKA-2, (with the exception of Game 4 and Game 5, since PPKA-1 does not have z N state, nor a δ field in the hub node's response) and so we omit repeating it here.

Functional Analysis
The proposed PPKA protocols can easily be adapted for direct communication between N and H N by removal of Steps 2 and 4 out of their respective Authentication Phases.As our PPKA protocols are also based on symmetric cryptographic primitives, they preserve the efficiency of the original scheme from a computation, communication and storage perspective without the aid of any additional network infrastructure.Note that the length of the identity field id N is something not under the control of the authors.The current IEEE 802.15.6 standard utilizes 24-bits to represent id N as specified under Clause 9 of IEEE Std 802-2001.The proposed scheme doesn't impose any limitations on the length of id N and is flexible enough to accommodate the identity field of any length.Moreover, in our protocols the timestamp field can also be of any arbitrary length to suit the underlying protocol layers, unlike [21].Assuming a B bit hash digest and

Fig. 3
Fig. 3 The privacy dilemma of Li et al. scheme and the authentication parameters (a N , b N ) are updated by being replaced with (a + N , b + N ).

Fig. 5
Fig. 5 An algorithmic description of the PPKA-IND and PPKA-SU security experiments is PPKA-IND-secure with cleanness predicate PrFS-KCI-clean (capturing PrFS and KCI resilience) and assuming all hash functions are random oracles.For any PPT algorithm A against the PPKA-IND key indistinguishability game, Adv PPKA-IND,PrFS-KCI-clean PPKA-2,n N ,n S ,A (λ) is negligible in the security parameter λ.

Table 1
Comparison of security and privacy features

Table 3
Overheads associated with Li et al. scheme We highlight a weakness in Li et al. key agreement protocol, which allows a passive attacker to easily link two or more sessions of the same node N .The attack proceeds as follows: Session # 1 Suppose that a run of Li et al.'s key agreement protocol is carried out between node N and H N. A passive attacker A observes the contents of the messages being exchanged.From Step 1 of Sect.2.1.3,A records the value

Table 4
Detail of additional symbols After receipt of the tuple from I N, H N proceeds identically to Step 3 in PPKA 1. Additionally z * N is calculated as h(k H N , id N , k N ) and tid * N as h(id * N , id N , z * N , t N , r * N ).It then verifies whether tid N ?
N = PPKA-2.HF(λ, k H N , π stid id .ms ) , k N ), ẑ N , r N , fN , δ, η, μ, îd N to the random oracle.However, since by Game 2, h(k H N , k N ) is a uniformly-random value sampled independently from the protocol flow, the only way for A to produce such an input is to guess h(k H N , k N ).Thus, we have: Pr(br eak 2 ) ≤ 2 −λ + Pr(br eak 3 ).