A Dynamic and Cross-domain Authentication ... - IEEE Xplore

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000. Digital Object Identifier 10.1109/ACCESS.2017.DOI

A Dynamic and Cross-domain Authentication Asymmetric Group Key Agreement in Telemedicine Application ZHANG QIKUN1 , GAN YONG 1 , ZHANG QUANXIN 2 , WANG RIFANG1 and TAN YU-AN2 1

Institute of Computer and Communication Engineering, Zhengzhou University of Light Industry, Zhengzhou 450002,P. R. China(e-mail: [email protected]) 2 School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, P. R. China(e-mail: [email protected])

Corresponding author: Zhang Quanxin (e-mail: [email protected]). This work is supported by National Natural Science Foundation of China under Grant No. U1636213, 61772477,61572445 and 61501406, the PhD Research Fund of the Zhengzhou University of Light Industry, the Natural Science Foundation of Henan Province No. 162300410322.

ABSTRACT Telemedicine offers medical services remotely via telecommunications systems and physiological monitoring devices. Group-oriented communication is an important application for telemedicine. However, transmission of information over an insecure channel such as internet or private data storing generates a security problem. Therefore, authentication, confidentiality, and privacy are important challenges in telemedicine. Therefore, developing suitable encryption communication ptotocol for group communication is quite important for modern medicine. Group key agreement is one way to ensure the security of group-oriented communication for telemedicine. In this paper, we propose a dynamic and cross-domain authenticated asymmetric group key agreement (DC-AAGKA).The protocol adopts crossdomain authentication mechanism to avoid the security risks of key escrow and the complexity of certificate management. It supports the dynamic group key update of nodes for forward secrecy and backward security of group key; also achieved the key self-certified, the member participated group key agreement can self-certify whether the calculated group keys are correct. The protocol is proven secure under the Inverse Computational Diffe-Hellman (ICDH) problem assumption, and the performance analysis shows that the proposed scheme is highly efficient. The proposed scheme is more suitable for security group communication in telemedicine. INDEX TERMS Telemedicine, group key agreement, certificateless authentication, key self-certified

I. INTRODUCTION

ECENTLY, dadvances in computers and high-speed communication tools have led to enhancements in remote medical consultation research. Laws in some localities require hospitals to encrypt patient information before transferring the data over a network. Therefore, developing suitable encryption algorithms is quite important for modern medicine. Murillo-Escobar et al.[1] proposed a novel symmetric encryption algorithm based on logistic map with double chaotic layer encryption (DCLE) in diffusion process and just one round of confusion-diffusion for the confidentiality and privacy of clinical information such as electrocardiograms (ECG), electroencephalograms (EEG), and blood pressure (BP) for applications in telemedicine. Dai et al.[2] demon-

R

VOLUME 4, 2016

strated a digital image encryption algorithm based on chaotic mapping, which uses the no-period and no-convergence properties of a chaotic sequence to create image chaos and pixel averaging. Group-oriented communication applications are a widely used in telemedicine. For the group security communication, studying group encryption communication algorithms is quite important for modern medicine. Group key agreement is one way to ensure the security of group communication for medical corps. Omit et al.[3] proposed an improved biometrics-based authentication and key agreement scheme. Asymmetric Group Key Agreement (ASGKA) was first introduced by Wu et al.[4] to solve the problem. Li et al.[5] proposed Dekey, an efficient and reliable convergent key management scheme for secure deduplication. Dekey applies 1

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

deduplication among convergent keys and distributes convergent key shares across multiple key servers, while preserving semantic security of convergent keys and confidentiality of outsourced data. Zhang and Zheng et al.[6],[7] proposed authenticated key exchange respectively, but these schemes depend on the third party, and these schemes are symmetric group key agreement protocols. Ranjani.[8] proposed a new cryptosystem termed as Asymmetric group key agreement cryptosystem, group users broadcast their contribution to other group members by keeping their own information secret. Each group user collects broadcast message from other group participants and derive a common group key. Dynamic asymmetric group key agreement concerns about the scenarios such as the terminals in mobile cloud networks may join or leave at any given time.Yeun et al.[9] improved the GKA protocol by designing additional security requirements, making it is applicable to dynamic MANET environments. Li et al.[10] proposed a new Secure Outsourced ABE system, which supports both secure outsourced keyissuing and decryption. Zhao et al.[11] proposed a dynamic AGKA protocol, the scheme improved the flexibility of AGKA, and it is suitable to be applied in ad hoc network, it adopts multi-signature scheme to achieve authentication of protocol. For the cost of computation and communication of signature and signature verification are very large , if the protocol is applied to the resource-limited mobile devices networks, the calculation and communication of this protocol must be further simplified. Bilal et al.[12] propose a novel methodology for group key agreement which exploits the state vectors of group members. The state vector empowers the group member to generate multiple cryptographic keys independently. It supports the dynamic group key agreement. Authenticated key agreement protocols authenticate the identities of users to ensure that only the intended group members can establish a session in which the group members can communicate with each other. Farash et al. [13],[14] proposed an effective authenticated key exchange agreement respectively. It achieves mutual authentication without applying signature, which makes the protocol more practical. Lv et al.[15] proposed authenticated asymmetric group key agreement based on certificateless cryptosystem, which does not require certi?cates to guarantee the authenticity of public keys yet avoids the inherent escrow problem of identity-based cryptosystems. Zhu et al.[16] presented a novel group key agreement protocol with deniable authentication to against insider attack. The group participants unable to reveal the source of the messages to another party, any subgroup participants still can simulate the whole transcript process. Ranjani et al.[17] proposed an authenticated asymmetric group key agreement protocol; they used broadcast encryption mechanism without relying on the trusted dealer to distribute the secret key, which o?ers security against active as well as passive attacks. Zhang et al.[18] introduce an authenticated asymmetric group key agreement protocol which offers security against active attacks in open networks. Based on this protocol, they propose a broadcast 2

encryption system without relying on a trusted dealer to distribute the secret keys to the users. Xu et al.[19] proposed a one-round affiliation-hiding authenticated asymmetric group key agreement with semi-trusted group authority, which can protect personal privacy, but the calculation of this protocol is very large, it is not suitable to use in energy-limited mobile devices of wireless network. Xu et al.[20] proposed a new af?liation-hiding protocol. The scheme not only exhibits the af?liation-hiding property, but also holds the properties of detectability and perfect forward secrecy. Zhang et al.[21] and Wei et al.[22],[23] proposed authenticated AGKA protocol to improve the security of AGKA respectively. Li et al.[24] proposed a one-round authenticated dynamic protocol for symmetric group key agreement. They employed the identity-based public-key cryptography to authenticate users rather than the public key infrastructure and the certificateless public-key cryptography. This paper proposes a dynamic and cross-domain authenticated asymmetric group key agreement (DC-AAGKA) in telemedicine application. The main design goals of this paper are as follows: (1) The DC-AAGKA protocol is a cross-domain authentication protocol and provably security key escrow freeness. (2) The DC-AAGKA protocol makes the mobile terminals distributed different domains to securely exchange information and share secrets. (3) We design an asymmetric key negotiation with key self-certified. (4) We design an asymmetric key agreement with dynamic to allow the members to join and exit the group. Our contribution. Telemedicine networks have the some characteristics, such as members in medical corps that participated in collaborative computing and information sharing may be distributed in different secure domains, and the members leave one group or join another group frequently. In order to meet the security application need of remote medical system, we designed a dynamic and cross-domain authenticated asymmetric group key agreement protocol. The contribution is as follows: 1) cross-domain authenticated. DC-AAGKA requires the participants whether in different domain must to mutual authentication before negotiating the group keys, which to avoid illegal members to participate in group key agreement; 2) Key self-certified. All participants can verify the group keys correctness without any other additional communication; 3) Dynamic. DC-AAGKA protocol supports the members to join or exit the group, and it has the group key forward secrecy and backward secrecy security. Organization. In section II, we describe the basic knowledge associated with this paper; In section III, we describe the DC-AAGKA protocol and key update protocol; In section IV, we analyze and prove the correctness and safety of the protocol; We further analyze the performance in Section´cõ. Finally, we conclude the paper in Section c´ ö. II. PRELIMINARIES AND NOTATION VOLUME 4, 2016

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

A. BILINEAR MAPS AND COMPLEXITY ASSUMPTIONS

This paper is based on the basic theory of bilinear mapping; some basic knowledge related to bilinear mapping will be described in this section. Let G1 be an additive group and G2 is a multiplicative group. Both of them have the same prime order q, where q ≥ 2k + 1, and kis a security parameter. G1 is generated by g1 , that means G1 = hg1 i, and the discrete logarithm problems of G1 and G2 are difficult. We call e an admissible pairing, if e : G1 × G1 → G2 satisfies the follow properties: (1) bilinearty: For all u, v ∈ G1 , and a, b ∈ Z∗p , there is e(au, bv) = e(u, v)ab ; (2) Non-degeneracy: There exits u, v ∈ G1 , such that e(v, u) 6= 1; (3) Computability: For all u, v ∈ G1 , there exits a efficient way to calculate e(v, u). Inference1. For all u1 , u2 , v ∈ G1 , there is e(u1 + u2 , v) = e(u1 , v)e(u2 , v). Definition 1. Discrete Logarithm problem (DLP). Given an equation Y = aP ,and Y, P ∈ G1 ,a < q. If a and P are given, it is easy to calculate Y . But if P and Y are given, it will be difficult to calculate a. Definition 2. Inverse Computational Diffe-Hellman (ICDH) Problem: The IDH problem is given g1 , ag1 and abg1 , for some a, b ∈ Z∗p to compute (ab/a)g1 . B. PARTICIPANTS AND NOTATIONS

Attributes of asymmetric group key negotiation protocol security model is given. And then, definition of formal definition of security model and Security objectives to be achieved are stated in this section. Suppose U is the set of senor nodes participating in key agreement protocol, and the size of the set is polynomial bounded, each senor node in the set U has own identity information and corresponding public / private key pair. In any subset of U , Usub = {ui,1 , ui,2 , ..., ui,n }, the node can execute the key agreement protocol at any time Π. Ππui,j is the πth instance that the node executes asymmetric key agreement with its partner nodes {ui,1 , ..., ui,j−1 , ui,j+1 ..., un }, π ∈ mathbbZp∗ ,and each instance of the node participating in Ππui,j has various attributes, defined as follows: sidπui,j . Session key identity of instance Ππui,j . All partners participating in this session key agreement will have the same session key identity. pidπui,j . Partner identity label of instance Ππui,j which is a identity set of all participants establishing session key with the Ππui,j , including Ππui,j itself. ekuπi,j . Group session encryption key which is calculated by participants after instance Ππui,j , executes the key agreement protocol Π. dkuπi,j . Group session decryption key which is calculated after the instance Ππui,j executes the key negotiation protocol. msπui,j . The link of all information sent and received during executing the key agreement. stateπui,j . The current status of instance Ππui,j . If the protocol ends up, and the instance Ππui,j sent and received all inforVOLUME 4, 2016

mation, and it also calculated the parameters (ekuπi,j 6= null), (dkuπi,j 6= null), sidπui,j and pidπui,j , then the current state of instance Ππui,j is receiving status, otherwise it enters the ending state. Definition 1(Partnering). The definition of partners of the instance Ππui,j is that all instances participating in the session key agreement with the instance Ππui,j . Instance Ππui,j and its partners meet the following conditions: 1) Instance Ππui,j is a different entity from its partners, that is ui,j 6= ui,t ; 2) They can accomplish group session key 0 agreement successfully; 3) sidπui,j = sidπui,t ; 4) pidπui,j = 0 pidπui,t . C. SECURITY MODEL

DC-AAGKA protocol proposed in this paper, the group encryption key and the group decryption key are calculated by the different mobile terminals with the key parameters of themselves. In this paper, confidentiality is defined as distinguishing a message encrypted with a group encryption key and the advantage of a random string in the cipher text space can be ignored in the probability polynomial time. The security of the group key agreement protocol is defined by game rules between a challenger C and an adversaryA . In security model, it includes an active attacker and a set of protocol participants, each of whom being modeled as a random oracle, and the game is as the follow steps: Initialization phase. In this phase challenger C runs the system function Setup(`), outputting related system parameter and master key. Then system parameter will be sent to adversary, and master key is reserved. Training phase. The adversary interacts with the challenger A by asking following steps: Send(Ππui,j , m). Adversary A pretending as pidπui,j sends message m to oracle machine Ππui,j , if message m = null ( null is empty), oracle machine Ππui,j will initiate a conversation as an active sponsor of the session. Otherwise it will be as a respondent, and response to the corresponding inquiries from adversary according to protocol rules, make a decision of accepting or refusing session and record the message received and sent at each time. Ek.Reveal(Ππui,j ). After oracle machine Ππui,j receives this query, it will return group encryption key ekuπi,j calculated during executing group key agreement, if oracle machine is in the rejection state, it will return a terminal symbol ⊥. Dk.Reveal(Ππui,j ). After oracle machine Ππui,j receives this query, it will return a group decryption key calculated during executing group key agreement.If oracle machine is in rejection state, it will return a terminal symbol ⊥. It is used to simulate security of known key. Corrupt(ui,j ). This query is required the participant inquired return its long-term private key SKui,j , once adversary has long-term private key of participant ui , it can pretend as participant ui through Send. entity already responded to Corrupt query is calledaˇ ˛rcorrupteda´ ˛s. Use it to simulate the forward security of the key. 3

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

T est(Ππui,j ). At some time during the game, sends two messages (m0 , m1 ) (|m0 | = |m1 |). T est query send to a new freshness cˇ´ldefinition of freshness is explained in definition 2)oracle machine Ππui allows adversary A to make T est query only once.Oracle machine Ππui chooses a bit b ∈ {0, 1} randomly, then returns a new sequence generated by XOR b with the sequence chosen randomly, to A. Output. After game ends,adversary A outputs a guess value on bit b (remember as b0 ). If b0 = b, adversary A wins the game. The probability of winning the game successfully of adversary A is defined as Adv A (`) = |2 Pr[b0 = b] − 1|,(` is security parameter). Definition 2(Freshness). If an oracle machine Ππui,j meets the following conditions when the game ends, this oracle machine Ππui,j (satisfy pidπui = Pj ) is freshness: 1) Ππui,j is in the acceptance state; 2) A did not do query to 0 oracle machine Ππui,j and it partner oracle machine Ππui,t ; 3) not do query Corruptto the set of participating entities Pj .

suj,k = H3 (idj,uk ), Skuj,k = γj,k suj,k , P kuj,k = g1 Skuj,k , where the (P kuj,k , Skuj,k ) can as its public/private key pairs. (1) uj,k sends its own identity message idj,uk and corresponding public key P kuj,k to the CAj for register. (2) CAj chooses a positive integer ηinZ∗p randomly and calculates a blind parameter fCAj = (η (SKCAj + SKalli ))g1 using its own private key SKCAj and the alliance private key SKalli . Then, it sends the result fCAj to uj,k . (3) After receiving the parameter fCAj , uj,k calculates a parameter fuj,k = Skuj,k fCAj using its own private key. Then, uj,k sends fuj,k to CAj . (4) After receiving the parameter fuj,k , CAj calculates a parameter ruj,k = η −1 fuj,k , and verifies the equation e(ruj,k , P KCAj + P Kalli ) = e(P kuj, k , g1 ). If ita´ ˛rs hold , then CAj sends ruj,k to uj,k as a register key. uj,k register successfully. All the members participated in DC-AAGKA should register to their CA as above.

III. THE PROCESS OF DC-AAGKA A. INITIALIZATION

In this stage, members participated in group key agreement will calculate a group encryption key and a group decryption key which are used in security communicate among members in a group. Assuming there are R domains in the network, and there are n members in each domain at most, so the members in the network can be denoted with the set Φ = {uj,k |1 ≤ j ≤ R, 1 ≤ k ≤ n}, where j denotes the member uj,k is belonged to the domain Dj , and k denotes that the member uj,k is the kth member in the domain Dj . For description convenience, assuming that members participated in dc-AAGKA come from the kth member in each domain, so all the members of participated in DC-AAGKA can be denoted with the set U = {uj,k |(1 ≤ j ≤ R, 1 ≤ k ≤ n) }. DC-AAGKA protocol is as follows: (1) Each member uj,k participated in DC-AAGKA chooses a positive integer mj,k ∈ Z∗p randomly and calculates parameters Tj,k = mj,k ruj,k , Mi,k = mj,k P kuj,k , (1 ≤ i ≤ R, i 6= j). Then, uj,k broadcasts the messages (Dj , Tj,k , Mi,k , idj,u k ) to other members in the group. (2) After receiving the message as shown in TABLE.1, each member ui,k (1 ≤ i ≤ R, i 6= j) calculates −1 M i,k = mi,k P kui,k , δ i,k = Ski,k Mj,k = mj,k g1 , δ i,k = −1 Ski,k Mj,k = mj,k g1 (only ui,k can calculates M i,k , and M i,k is not broadcasted to others). (3) Then, ui,k verifies the identity of uj,k by equation e(Tj,k , (P KCAj + P Kalli )) = e(P kuj,k , δi,k ). If it holds, ui,k can ensure that (Dj , Tj,k , Mi,k , idj,u k ) are sent by uj,k . Otherwise, ui,k reports error. (4) If all of the group members are verified successfully, each member ui,k ∈ U in the group can R P calculate δi,k = mi,k g1 , Γ = P kuj,k , and

C. REGISTER KEY GENERATION

Assuming the mobile cloud network contains N domains, and there are R members to participate in group key agreement in the same domain Di (1 ≤ i ≤ R), at most. Let Ui = {ui,1 , ui,2 , ..., ui,n } be the set of members in the domain Di (1 ≤ i ≤ R), and the IDi = {idi,u1 , idi,u2 , ..., idi,un } be the set of membersa´ ˛r identity in the domain Di .Assuming G1 is an additive group, and the G2 is a multiplicative group and discrete logarithm over G1 and G2 are difficult. Assuming G1 = hg1 i, g1 is generator of G1 . G1 nd G2 have the same large prime number order q. e is calculable bilinear mapping, e : G1 × G1 → G2 . and H3 : Z∗p → Z∗p , H4 : G1 → Z∗p , are two hash function. system parameter is params = (q, G1 , G2 , g1 , e, H3 , H4 ). Assuming uj,k (1 ≤ j ≤ R, 1 ≤ k ≤ n) is any member in any domain , where j denotes the member uj,k in the domain Dj , and k denotes the member uj,k is the kth member in the domain Dj . B. REGISTER KEY GENERATION

Assume members participating the DC-AAGKA protocol come from different domain in the mobile cloud platform. Each domain has a certification authority (CA), each members must registers to its CA when it join this domain. Each member from different domains should be verified before participated in DC-AAGKA. All the CAs in the mobile cloud network needs to negotiate an alliance public/private key pair before their members to register. Suppose all the CAs negotiate an alliance public/private key pair (P Kalli , SKalli ). Let take the registration of domain Dj as an example, the registration are as follows: The certification authority CAj of domain Dj chooses SKCAj ∈ Z∗p as its private key randomly and it calculates P KCAj = g1 SKCAj as its public key. The any member uj,k chooses a random positive integer γj,k ∈ Z∗p and calculates 4

j=1

it can calculate the group decryption key dkuπi,k = R P Sku−1 Ωi,k = mj,k g1 and group encryption key i,k j=1

VOLUME 4, 2016

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

TABLE 1. The parameters of encryption/decryption

D. GROUP KEY UPDATE PROTOCOL FOR NODES JOIN GROUP

When a new node want to join the existing group, the join phase occurs and in this case, the existing group should provide the fairness group key formation to the new node. Mi,k , Dj ) However, it should ensure that none of new member can calculate any of previous group decryption key. Assuming the existing group is U = {u1,k , u2,k , ..., uR,k }, (1 ≤ k ≤ n), u1,k ⇒ M 1,1 M1,2 · · · M1,R (id1,uk , T1,k , and low-power node uj,i , (1 ≤ j ≤ R, 1 ≤ i ≤ n, i 6= k) M1,k , D1 ) wish to join this group. The new set of mobile nodes is U 0 = U ∪ {uj,i } = {u1,k , u2,k , ..., uR,k , uj,i }. Let member uR,k in the group be the sponsor of updating group key, the steps are as follows: u2,k ⇒ M2,1 M 2,2 · · · M2,R (id2,uk , T2,k , (1) uR,k selects a number m0R,k ∈ Z∗p randomly, and M2,k , D2 ) 0 0 calculates TR,k = m0R,k ruR,k , Mj,k = m0R,k P kuj,k , (1 ≤ j ≤ R − 1) and MR,k = mR,k P kuR,k , then it broadcasts 0 0 the message (idR,uk , TR,k , Mj,k , DR ) to other old members .. .. .. .. .. .. .. . . and proclaims that there is a new member to want to join the . . . . . group. (2) After receiving the messages, each old member uj,k , (1 ≤ j ≤ R − 1, 1 ≤ k ≤ n) calculates the 0 0 uR,k ⇒ MR,1 MR,2 · · · M R,R (idR,uk , TR,k , = Sku−1 Mj,k = m0R,k g1 and verifies the parameter δj,k j,k 0 identity of uR,k by equation e(TR,k , (P K CAR + P Kalli )) = MR,k , DR ) 0 ). If it is hold, u e(P kuR,k , δj,k j,k can ensure that the messages are sent by uR,k and then it calculates θR,k = ↓ ↓ m0R,k g1 + dkuπj,k , otherwise reports error. ↓ ↓ ↓ ↓ ↓ (3) The new member uj,i chooses a number m0j,i ∈ 0 ∗ 0 = m0j,i ruj,i , Mt,k = Zp randomly, it calculates Tj,i 0 mj,i P kut,k , (t = 1, 2, ..., R, i 6= k) and broadcasts the P arameters ⇒ M1 M2 · · · MR (idj , Tj , 0 0 messages (Tj,i , Mt,k ) to all the group members. Mj , D j ) (4) After receiving the messages broadcasted by uj,i , each 0 member ut,k , (t = 1, 2, ..., R, i 6= k) calculates δt,k = 0 0 = m g and verifies the identity of u by Sku−1 M j,i j,i 1 t,k t,k 0 0 ). If equation e(Tj,i , (P K CAj + P Kalli )) = e(P kuj,i , δt,k R Y it is hold, ut,k can ensure that the message are sent by uj,i , ekuπi,k = ( e(Tj,k , (P KCAj + P Kalli ))).e(P kui,k , δi,k ) and then it calculates χ = δ 0 , otherwise reports error. t,k t,k j=1,j6=i (5) uR,k chooses a number λ0R,k ∈ Z∗p randomly and R Y calculates βR,k = θR,k + λg1 , αR,k = λP kuj,i , then it sends = e(P kuj,k , δj,k ) (αR,k , βR,k ) to the new member uj,i . 1=j (6) Calculation group decryption key. All the old members (5) Key consistency verification. After calculating the 0 can calculate the new group decryption key dkuπt,k = θt,k + group encryption key and decryption key, each member uj,k χt,k = m0R,k g1 + dkuπt,k + m0j,i g1 ; and the new member verifies the correctness of these group keys by equation uj,i can calculate ςuj,i = Sku−1 α and then calculates the j,i R,k ekuπj,k = (dkuπj,k , Γ). If it is correct, the DC-AAGKA is terπ0 0 new group decryption key dk = β R,k − ςuj,i + mj,i g1 = minated successfully. Otherwise, uj,k should calculate again uj,i π0 dkut,k . or report error. (7) Calculation group encryption key. all the member(6) Instance. For any plaintext m ∈ M∗ (M∗ : plaintext 0 s can calculate the new group encryption key ekuπj,k = space), each uj,k (1 6 j 6 R, 1 6 k 6 n) with the 0 0 e(TR,k , (P KCAR +P Kalli ))×e(Tj,i , (P KCAj +P Kalli ))× group encryption key ekuπj,k and group decryption key dkuπj,k π ekuj,k . operates as the follows: Encryption. uj,k chooses a random number tj,k ∈ Z∗p , P E. GROUP KEY UPDATE PROTOCOL FOR NODES EXIT P kj,k , V = m ⊕ and calculate U = t M embers

⇒

u1,k

u2,k

···

uR,k

(idj,uk , Tj,k ,

16j6R,16k6n

H4 ((ekuπj,k )t ), Then it broadcasts ciphertext (U , V ). Decryption. After receiving a ciphertext (U , V ), anyone can calculate m = V ⊕ H4 (e(U , dkuπj,k )) with a valid dkuπj,k . VOLUME 4, 2016

GROUP

When a set of nodes wish to leave the group, the remove phase occurs. In this case, for protecting the security communication of the group, either creation of new group keys 5

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

or the modification of the existing group keys is necessary. In this section, we propose a modification of the existing group key in such a way that none of the leaving user can calculate the subsequent group key generated. Let the set of existing group be U = {u1,k , u2,k , ..., uR,k }, (1 ≤ k ≤ n). For convenience, assume that only one member ul,k , (1 ≤ l ≤ n) wish to exit this group. The new set of mobile nodes set is U 00 = U − {ul,k } = {u1,k , u2,k , ..., ul−1,k , ..., uR,k }. Let member uR,k in the group be the sponsor of updating group key, the proposed protocol for implementing the remove phases is as follows. (1) ul,k broadcasts the messages (idl,uk , Tl,k , Mi,k , Dl ), (1 ≤ i ≤ R, i 6= l) to the group and declares to exit this group. 0 00 = Sku−1 MR,k = m0l,k g1 and (2) uR,k calculates δR,k R,k verifies the identify of ul,k by the equation e(Tl,k , (P K CAl + 00 ). If it is hold, u P Kalli )) = e(P kul,k , δR,k R,k can ensure that the messages are sent by ul,k . Then uR,k selects a 00 = number m00R,k ∈ Z∗p randomly, and calculates TR,k 00 00 0 mR,k ruR,k , Mj,k = mR,k P kuj,k , (1 ≤ j ≤ R − 1, j 6= l), 00 M R,k = m00R,k P kuR,k , Ω00 R,k = ΩR,k − MR,k , Γ00R,k = R P ΓR,k − P kul,k = P kut,k , and then broadcasts the t=1,t6=l

00 00 messages (idR,uk , TR,k , Mj,k , DR ) to the remainder members and declares to update the existing group keys. (3) After receiving the messages from uR,k and ul,k , each remainder member uj,k , (1 ≤ j ≤ R − 1, j 6= l) calculates −1 00 00 = m00R,k g1 and verifies the identity δj,k = Skj,k Mj,k 00 of uR,k by the equation e(TR,k , (P K CAR + P Kalli )) = 00 e(P kuR,k , δj,k ). If it is hold, uj,k calculates Ω00 j,k = Ωj,k − R P Mj,k and Γ00j,k = Γj,k − P kul,k = P kut,k . Otherwise, t=1,t6=l

reports error. (4) Calculation group decryption key. All the remainder members uj,k , (1 ≤ j ≤ R − 1, j 6= l) can calculate Ω00j,k , and then calculate the group decryption φj,k = Sku−1 j,k 00 00 ; the sponsor u key dkuπj,k = φj,k + δj,k R,k can calculate the 00 00 00 group decryption key dkuπR,k = Sku−1 (Ω R,k + MR,k ). R,k (5) calculation groups encryption key. All the remainder members uj,k , (1 ≤ j ≤ R−1, j 6= l) can calculate the group 00 00 00 encryption key ekuπj,k = e(Tj,k , φj,k ) × e(TR,k , (P KCAj + P Kalli )); the sponsor uR,k can calculate group encryption 00 00 key ekuπR,k = e(dkuπR,k , Γ00R,k + P kuR,k ). IV. CORRECTNESS AND SECURITY ANALYSIS A. CORRECTNESS ANALYSIS

If all the participants calculate the group keys correctly by the group key agreement protocol, then they are able to negotiate a pair of group encryption / decryption keys, and they can also decrypt any ciphertext messages encrypted by group encryption key with there group decryption key . The proofs of the correctness of the DC-AAGKA are as the following theorems. Theorem1. If the equation e(Tj,k , (P KCAj +P Kalli )) = e(P kuj,k , δi,k ) is hold, then any members of group can 6

ensure that messages (Dj , Tj,k , Mi,k , idj,u k ) are sent by uj,k . . Proof: Since ruj,k = (Skuj,k (SK CAj + SKalli ))g1 , −1 Tj,k = mj,k ruj,k , δ i,k = Ski,k Mj,k = mj,k g1 and the properties of the bilinear pairings, there are:

e(Tj,k , (P KCAj + P Kalli )) = e(mj,k ruj,k g1 ,(SKCAj + SKalli )g1 ) = e(mj,k (Skuj,k (SKCAj + SKalli ))g1 , (SKCAj + SKalli )g1 ) = e(mj,k Skuj,k g1 , g1 ) = e(mj,k g1 , Skuj,k g1 ) = e(P kuj,k , )

The above proof shows that the message is signed by uj,k , so that it can prove that the message is sent by the member uj,k . Theorem2. By running the DC-AAGKA protocol, all participants can establish consistent group keys, and the group keys are contribution group keys. (1) An identical group decryption key has been established by all the group members. Proof: Since Mi,k = mj,k P kui,k , each member ui,k receives other membera´ ˛rs message Mj,k (1 ≤ j ≤ R, j 6= i), R P and then ui,k can calculate Ωi,k = Mj,k +M i,k = j=1,j6=i R P

Mj,k , and then it can calculate the group decryption key

j=1

as follows:

Ωi,k = Sku−1 dkuπi,j = Sku−1 i,j i,j = Sku−1 i,j =

R P j=1

R P j=1

R P

Mj,k

j=1

mj,k P kui,k = Sku−1 i,j

mj,k g1 =

R P i=1

R P j=1

mj,k Skui,j g1

mi,k g1 = dkuπj,k .

From above equation, each member can calculate a fixed value for the group decryption key finally. The group decryption key includes all the membersa´ ˛r key parameter mj,k g1 , so the group decryption key is a contribution group key. (2) An identical group encryption key has been established by all the group members. Proof: When each member ui,k receives other membera´ ˛rs broadcast message (Dj , Tj,k , Mi,k , idj,u k ) , then all the participants can calculate . an identical group encryption key. Since ruj,k = (Skuj,k (SK CAj + SKalli ))g1 , Tj,k = mj,k ruj,k , δj,k = mj,k g1 , and the properties of the bilinear pairings, we have: VOLUME 4, 2016

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

ekuπi,k = (

R Q

e(Tj,k , (P KCAj + P Kalli )))

1=j,j6=i

·e(P kui,k , δi,k ) =(

R Q

e(mj,k ruj,k g1 , (SKCAj + SKalli )g1 ))

1=j,j6=i

=(

·e(P kui,k , δi,k )  e(mj,k (Skuj,k (SKCAj + SKalli ))g1 ,

R Q

1=j,j6=i

(SKCAj + SKalli )g1 ) · e(P kui,k , δi,k ) =(

R Q

e(mj,k Skuj,k g1 , g1 )) · e(P kui,k , δi,k )

1=j,j6=i R Q

=(

1=j,j6=i R Q

=(

e(mj,k g1 , Skuj,k g1 )) · e(P kui,k , δi,k ) e(δj,k , P kuj,k )) · e(P kui,k , δi,k )

1=j,j6=i R Q

=(

e(δj,k , P kuj,k )

1=j

B. CORRECTNESS ANALYSIS

Theorem3. for an instance (G1 , G2 , q, g1 , ag1 , abg1 , e, H1 , H2 ) of ICDH problem, we construct a Polynomial time simulator C , and solve the problem by utilizing attacker A . Suppose if it is possible to attack DC-AAGKA protocol successfully, it can be proved that C are able to solve the IDH problem with non-ignorable advantages. Firstly, we suppose that there are members want to participate DCAAGKAprotocol, adversary A requires qH1 H1 , requires qH2 H2 , queries to Ek.Reveal for qE times, queries to Dk.Reveal for qD times and to Corrupt for qC times, also the maximum number of the protocol that A could set up is qA in the attack experimentnt. Adversary A win this game with advantage Adv(A) = ε , so then there is an algorithm solving the ICDH problem exists with advantage 2

ε0 = ε

2 q µ4 (qH1 + qH2 ) qH 1 H2 qA qC1 qD qE n

ICDH problem. Proof: Suppose C is a challenge, and A is an adversary who can decipher the protocol. Given an instance (G1 , G2 , q, g1 , ag1 , abg1 , e, H1 , H2 ) of C, unknown number a, b ∈ Z∗p , and h is open hash function, H1 and H2 are two oracle machines controlled by C. C solve the ICDH problems by utilizing A. Define a new session, it will have an unique session ID. Challenger C chooses one session randomly, whose ID is sidt . ID of corresponding simulated session is Csidt , and thus the probability that the session is selected is pr[Csidt = 0] = ω, and corresponding pr[Csidt = 1] = 1 − ω.At the same time, challenger C records two-tuples (sidt , Csidt ). Initialization phase. When the game starts, C chooses system parameter params = (G1 , G2 , q, g1 , ag1 , abg1 , e, H1 , H2 ) and keep two positive integers SKCAi , SKalli ∈ Z∗p VOLUME 4, 2016

,calculates P KCAj = SKCAi g1 , P Kalli = SKalli g1 , then C sends the params to adversary A. Training phase. Interactions between challenger and adversary are as following: KG(ui,j ). Simulate user register key generation. C maintains an initially empty list CL1 , CH1i ∈ {0, 1} denotes the type of user ( where CH1i = 1 denotes C can not calculate the register key of the user, CH1i = 0 denotes C can calculate the register key of the user, the probability that calculate the register key is pr[CH1i = 0] = µ, and corresponding pr[CH1i = 1] = 1−µ). A chooses two positive integers ski,j , γi,j ∈ Z∗p randomly and the identity idi,uj of ui,j , then it calculates the parameters sui,j = H1 (idi,uj ), Skui,j = γi,j sui,j , P kui,j = Skui,j g1 , A queries H1 on (idi,uj , Skui,j , P kui,j ), C does the following: If there is a tuple (idi,uj , Skui,j , P kui,j , rui,j , CH1i ) on CL1 , return rui,j as the answer.  Else if CH1i = 0, C calculates rui,j = (Skui,j (SKCAi + SKalli ))g1 , add (idi,uj , Skui,j , P kui,j , rui,j , CH1i ) to CL1 and return rui,j as the answer. Otherwise if CH1i = 1 , add (idi,uj , Skui,j , P kui,j , null, CH1i ) to CL1 and return null as the answer. Else if qH1 is more then the length of CL1 , it outputs symbol ⊥(Event 1). Send(Ππui,j , m). C reserve an empty initialization list CL2 . Suppose pidπui,j = {idui,1 , idui,2 , ..., idui,n }, C initializes and defines a session identity sidπui,j to a session Csidπu . i,j Then idi,uj submits to oracle machine H2 . C starts to simulate oracle as following: (1) If Csidπu = 0 and CH1i = 0, perform the followi ing steps: C chooses mi,k (1 ≤ k ≤ n) ∈ Z∗p randomly, obtain (rui,j , P kui,j ) from list CL1 and calculates Ti,j = mi,k rui,j and Mi,j = mi,k P kui,j . Then ,add (idi,uj , Ti,k , Mi,j , P kui,j , P KCAj , P Kalli , Csidπu , CH1i ) to i list CL2 and respond with (idi,uj , Ti,j , Mi,j , P kui,j , P KCAj , P Kalli ). (2) If Csidπu = 0 and CH1i = 1, perfori ∗0 m the following steps: C chooses mi,k (1 ≤ k ≤ n) ∈ Z∗p randomly, obtain (null, P kui,j ) from list 0 ∗0 CL1 and calculates Mi,j = m∗i,k P kui,j . Then, add ∗0 (idi,uj , null, Mi,j , P kui,k , P KCAj , P Kalli , Csidπu , CH1i ) to i ∗0 list CL2 and respond with (idi,uj , null, Mi,j , P kui,k , P KCAj , P Kalli ). (3)If Csidπu = 1 and CH1i = 0, perform the followi ing steps: C chooses m∗i,k (1 ≤ k ≤ n) ∈ Z∗p randomly, obtain (rui,j , P kui,j ) from list CL1 and calculates ∗ ∗ Ti,j = m∗i,k rui,j and Mi,j = m∗i,k P kui,j . Then, add ∗ ∗ (idi,uj , Ti,j , Mi,j , P kui,k , P KCAj , P Kalli , Csidπu , CH1i ) to i ∗ ∗ list CL2 and respond with (idi,uj , Ti,j , Mi,j , P kui,k , P KCAj , P Kalli ). (4) If Csidπu = 1 and CH1i = 1, perfori m the following steps: C chooses m0i,k (1 ≤ k ≤ n) ∈ Z∗p randomly, obtain (null, P kui,j ) from list CL1 and calculates M 0i,j = m0i,k P kui,j . Then, add (idi,uj , null, M 0i,j , P kui,k , P KCAj , P Kalli , Csidπu CH1i ) to i

7

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

list CL2 and respond with (idi,uj , null, M 0i,j , P kui,k , P KCAj , P Kalli ). Ek.Reveal(Ππui,j ). If stateπui,j ends successfully, else if Csidπu = 0 and CH1i = 0, according to the list CL1 , C get i Skui,j and get (Ti,k , Mi,k , P kui,k , P KCAj , P Kalli ) from CL2 , and then calculates δi,j = Sku−1 Mi,j and eki,j = i,j R R Q Q e(P kuk,j , δk,j ), returns e(P kuk,j , δk,j ). k=1

k=1

Else if Csidπu = 1 and CH1i = 0 according to the list CL1 , i ∗ ∗ C get Skui,j and get (Ti,j , Mi,j , P kui,k , P KCAj , P Kalli ) ∗ ∗ ∗ from CL2 , and then calculates δi,j = Sku−1 Mi,j and eki,j = i,j R R Q Q ∗ ∗ e(P kuk,j , δi,j ), returns e(P kuk,j , δi,j ). Otherwise, it k=1

k=1

outputs symbol ⊥ˇc´lEvent 2ˇcl’. Dk.Reveal(Ππui,j ). If stateπui,j do not end successfully, it returns null. Else if Csidπu = 0 and CH1i = 0, according to the list CL1 , C i get Skui,j and get Mi,k (1 ≤ k ≤ n) from CL2 , and then caln n P P Ωi,j = mi,k g1 , culates Ωi,j = Mi,k , dkuπi,j = Sku−1 i,j k=1

k=1

returns dkuπi,j . Else if Csidπu = 1 and CH1i = 0, according to the list CL1 , C i ∗ get Skui,j and get Mi,k (1 ≤ k ≤ n) from CL2 , and then caln n P P ∗ Ω∗i,j = m∗i,k g1 , culates Ω∗i,j = Mi,k , dkuπ∗i,j = Sku−1 i,j k=1

k=1

returns dkuπ∗i,j . Otherwise, it outputs symbol ⊥ˇc´lEvent 3ˇcl’. Corrupt(ui,j ). After receiving query from Corrupt, C find the corresponding identity idi,uj of ui,j in CL1 firstly. If C cannot find the identity , it means this is the first time to query. Then as querying oracle machine H1 , (idi,uj , Skui,j , P kui,j , rui,j , CH1i ) will be added into CL1 through related process. If CH1i = 1, outputs symbol ⊥(Event R Q 4), if Csidπu = 0, returns (dkuπi,j , e(P kuk,j , δk,j )). Othi

k=1

R Q

erwise, returns (dkuπ∗i,j ,

1

00

00

00

00

1

=

0, then extract information

00

00

00

(idi,uj , Ti,k , Mi,j , P kui,j , P KCAj , P Kalli , Csidπu , CH i ) from 1 i R Q 00 00 π 00 list CL2 , and calculate (dkui,j , e(P kuk,j , δi,j )), Othk=1

erwise, output symbol ⊥(Event 5); 3) C chooses a random number b ∈ {0, 1}, t∗ ∈ Z∗p to calculate U ∗ = P 00 00 P kui,j ,then encrypt mb = V ∗ ⊕ H4 (e(U ∗ , dkuπi,j )) t∗ 1≤j≤n

; Return c∗ =< U ∗ , V ∗ > to A. Response. After A finishes all queries, it returns a b0 ∈ {0, 1} as an assumption to b. If A query H2 to get information 00 00 00 00 00 00 (idi,uj , Ti,k , Mi,j , P kui,j , P KCAj , P Kalli , Csidπu , CH i ) in i

8

00 Sku−1 Ωi,j i,j

1

=

n P k=1

k=1

00

mi,k g1 , A get the advantage to obtain 00

mb = V ∗ ⊕ H4 (e(U ∗ , dkuπi,j )). Then C can calculate ICDH 00 problem, according to Aa´ ˛rs method, because set abg1 =Ωi,j , 00 P kui,j = ag1 . According to system parameter (g1 , ag1 , bg1 ), n P 00 00 00 mi,k g1 that means C can calcuΩ = dkuπi,j = Sku−1 i,j i,j k=1

late value of bg1 = (ab/a)g1 . lemma1. If C does not end the simulation game above, adversary A cannot distinguish the environment of simulation world from of real world. Proof: All the outputs in the simulation game described above conform to the rules of the DC-AAGKA protocol, and the messages generated by the entity conform to the uniform distribution of the message space, so adversary cannot perceive the inconsistency between the simulated world and the real world. The probability of success to C is: pr[Cwins] = pr[Event1 ∧ Event2 ∧ Event3 ∧Event4 ∧ Event5 ∧ Awins] Event1 ∧ Event2 ∧ Event3 ∧ Event4 ∧ Event5 ] = pr[Awins pr[Event5 Event1 ∧ Event2 ∧ Event3 ∧ Event4] pr[Event4 Event1 ∧ Event2 ∧ Event3] pr[Event3 Event1 ∧ Event2]pr[Event2 Event1 ] pr[Event1] q µ q µ (q +q )ωµ+(qH1 +qH2 )(1−ω)µ = ε · HqA2 · HqC1 · H1 H2 × qD = =

∗ e(P kuk,j , δi,j )).

k=1

T est(Ππui ). After adversary A ends related query, it will challenge C, A chooses a fresh oracle ma00 chine Ππui,j and two message m0 , m1 , and |m0 | = 00 π |m1 |. Suppose pidui,j = {d00ui,1 , d00ui,2 , ..., d00ui,n }, C responses as following: 1) C search the relat00 00 00 00 00 ed information (idi,uj , Skui,j , P kui,j , rui,j , CH i ) in list CL1 ; 2) If CH i

the list CL2 and it can guess b0 = b correctly with some advantage. That means get A query H2 to get information 00 00 00 00 00 00 (idi,uj , Ti,k , Mi,j , P kui,j , P KCAj , P Kalli , Csidπu , CH i ) in 1 i n P 00 00 π 00 the list CL2 , and calculates Ωi,j = Mi,k , dkui,j =

=

(qH1 +qH2 )ωµ+(qH1 +qH2 )(1−ω)µ qH1 · n qE qH1 qH2 µ2 ((qH1 +qH2 )ωµ+(qH1 +qH2 )(1−ω)µ)2 qH1 ε qA qC1 qD qE n 2 qH q µ2 ((qH1 +qH2 )(ωµ+(1−ω)µ))2 1 H2 ε qA qC1 qD qE n 2 qH q µ4 (qH1 +qH2 )2 1 H2 ε qA qC1 qD qE n

V. PERFORMANCE ANALYSIS

Because of limited resources of mobile terminals, during the process of designing protocol, except security, the computational time, the computational complexity, communication energy consumption and computation energy consumption are important performance measures of the agreement. In this paper, we compared and analyzed the literature that can be quantified in recent years. All these protocols are suitable for mobile terminals. According to data from these protocols, comparative the analyses are from computational time, the complexity of calculation and communication, and protocol consumption of the total energy. Table 2 lists the comparison and analysis between the SC-AGKG protocol and other three group key agreement protocols in the calculation of complexity and traffic. From Table1, Xu et al.[21] proposed scheme have the lowest computational complexity and their communication VOLUME 4, 2016

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

TABLE 2. COMPLEXITY ANALYSIS OF THE FOUR PROTOCOLS

protocol

Xu et al.[19]

Exponent iations Pairing Scalar Multiplications Sent Messages Received Messages

4n + 3

Zhang al.[21] 6n + 2

et

Wei al.[22] n+1

et

DCAAGKA 0

6n 7n + 1

2n + 3 5n + 1

4n + 1 4n

2n 3n + 2

n+5

n+2

n+1

n+2

n2 + 5n

3n − 1

n+1

n+2

TABLE 3. TIME COST OF SOME ALGORITHMS

Algorithm Scalar Multiplication Over G1 Modular Exponentiation Over G1 Modular Exponentiation OverG2 Tate Pairing

Time cost 0.016ms 3.886ms 0.489ms 4.354ms

complexity. Zhang et al [21] and Wei et al [22] have the high computational complexity. Zhang et al.[21], Wei et al.[22], and DC-AAGKA have the similar of communication complexity. As the time of processing the protocol shows, analyzing with the data from paper[22], which ran the related algorithm through program pbc-0.5.12 provides by PBC lab, on environment of Intel(R) Core(TM)2 Duo E8400 CPU(3.00GHz), ubuntu 10.04,the average run time of the multiplication on is 0.016 ms, and the average exponent operation time of and are 3.886 ms and 0.489 ms, respectively, and the average running time of the bilinear pair is 4.354 ms, as shown in Table3. Based on the above calculation complexity and related algorithm operation time analysis, comparison of the time consumption of results between DC-AAGKA and previous three kinds of research is shown in Fig.1 In this section, we perform the total energy consumption cost analysis of performing GKA using the data provided in Makri et al. [25]. The total energy cost of each GKA protocol is simply the sum of the computation and communication cost, according to Tan et al., a 133 MHz aˇ ˛rStrong ARMa´ ˛s microprocessor consumes 9.1 mJ for performing a modular exponentiation, 8.8 mJ for performing a scalar multiplication, 47.0 mJ for a Tate pairing, 8.8 mJ for performing a Elliptic Curve Digital Signature Algorithm and 10.9 mJ for performing a Elliptic Curve Digital Signature Verify Algorithm. As for the communication energy cost, according again to (Makri), an IEEE 802.11 Spectrum24 WLAN card consumes 0.00066 mJ for the transmission of 1 bit and 0.00031 mJ for the reception of 1 bit. The above mentioned energy costs will be used for the performance evaluation of the examined GKA protocols and are summarized in Table 4. The DC-AAGKA protocol is compared with the related works [19], [21] and [22] in communication costs, computation costs and other items. These agreements conclude aˇ ˛rOne-Round Affiliation-Hiding Authenticated Asymmetric Group Key Agreement with Semi-trusted Group Authoritya´ ˛s VOLUME 4, 2016

TABLE 4. ENERGY COSTS FOR COMPUTATION AND COMMUNICATION

Type of Communication Computation cost of Modular Exponentiation Computation cost of Scalar Multiplication Computation cost of Tate Pairing Communication cost for transmitting a bit Communication cost for receiving a bit

Energy Costs/mJ 9.1 8.8 47 0.00066 0.00031

proposed by Xu et al. [19], the aˇ ˛ridentity-based authenticated asymmetric group key agreement protocola´ ˛s proposed by Zhang et al. [21] and aˇ ˛rno valid certificate authenticated asymmetric group key agreement protocola´ ˛s proposed by Wei et al. [22]. Based on the data provided by the literature [25], the computing and communication complexity of these agreements are analyzed in Table 1. We compared the DCAAGKA protocol with other two protocols in computation cost. The result is shown in Fig.2. In Fig.2, the computation cost of these three group key agreement protocols is presented. In terms of computation, the most efficient protocol is DC-AAGKA.A higher computation cost is proposed by Wei et al.a´ ˛rs protocol [22], while the highest computation cost is inferred by Xu et al.a´ ˛rs protocol [19]. To compute the communication cost, we need to know the size of the information exchange. We assume that the secure key length is 160b of the elliptic curve cryptography. All these three protocols adopt the elliptic curve cryptography, so their key length is 160b. Let the length of the information exchange be 160b, and the communication consumption is shown in Fig.3. The communication consumption of the examined Protocols are depicted in Fig.3. Xu et al.a´ ˛rs protocol [19] has the worst performance, followed by Zhang et al.a´ ˛rs protocol[21], Wei et al.a´ ˛rs protocol[22] and DC-AAGKA Protocol, are very efficient in terms of communication, bringing a very similar cost. The total energy consumption analysis is shown in fig.4, the total energy consumption increases rapidly with the nodes increased in Xu et al.a´ ˛rs protocol [19] and Wei et al.a´ ˛rs protocol [22]. DC-AAGKA protocol has a really low total energy cost, which makes its performance exceptional. VI. CONCLUSION

The paper analyses the security need of telemedicine telecommunications systems. For meet the security collaborative computing and security information sharing among the members in medical corps, A DC-AAGKA protocol is proposed. The group keys also have been implemented efficiently in cryptographic systems to provide confidential and privacy. The paper proposed the corresponding dynamic key update scheme. It supports the members leave one group or join another group frequently. DC-AAGKA has both forward secrecy and backward secrecy. It proven that the safety and energy cost performance of DC-AAGKA has good advantages. It is suitable for security group communication in telemedicine 9

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

FIGURE 1. Time analysis as a function of applied field.It is good practice to explain the time cost of the protocol in the caption.

VII. ACKNOWLEDGMENTS

This work is supported by National Natural Science Foundation of China under Grant No. U1636213, 61772477,61572445 and 61501406, the PhD Research Fund of the Zhengzhou University of Light Industry, the Natural Science Foundation of Henan Province(No. 162300410322). VIII. REFERENCE EXAMPLES REFERENCES [1] Murillo-Escobar M. A., Cardoza-Avendano, L., Lopez-Gutierrez, R. M., “A Double Chaotic Layer Encryption Algorithm for Clinical Signals in Telemedicine,” JOURNAL OF MEDICAL SYSTEMS, to be published., DOI: 10.1007/s10916-017-0698-3. [2] Dai Yin, Wang Huanzhen, Zhou Zixia, ”Research on medical image encryption in telemedicine systems,” TECHNOLOGY AND HEALTH CARE, vol.24, no.2, P.S435-S442, Jun.2016. [3] Mir Omid, Nikooghadam Morteza, ”A Secure Biometrics Based Authentication with Key Agreement Scheme in Telemedicine Networks for EHealth Services,” WIRELESS PERSONAL COMMUNICATIONS, vol. 83, no.4, p.2439-2461, Aug. 2015. [4] Wu Q, Mu Y, Susilo W, ”Asymmetric group key agreement,” EUROCRYPT 2009, Cologne, Germany, 2009, pp.153-170. [5] Jin Li, Xiaofeng Chen, Mingqiang Li, Jingwei Li, Patrick Lee, Wenjing Lou, ”Secure Deduplication with Efficient and Reliable Convergent Key Management,” IEEE Transactions on Parallel and Distributed Systems, vol.25, no.6, pp. 1615-1625, Jun.2014. [6] Zhang Xiaosong, Tan Yu-an, Xue Yuan, Zhang Quanxin, Li Yuanzhang, Zhang Can, Zheng Jun, ”Cryptographic key protection against FROST for Mobile Devices,” Cluster Computing, vol.20, no.3, Sep.2017. 10

[7] J. H. Davis and J. R. Cogdell, “Calibration program for the 16-foot antenna,” Elect. Eng. Res. Lab., Univ. Texas, Austin, TX, USA, Tech. Memo. NGL-006-69-3, Nov. 15, 1987. [8] Dr. R. Siva Ranjani, ”Lagrange interpolation based Asymmetric Group Key Agreement Cryptosystem,” International Journal of Engineering and Technology, vol.8, no. 2, p.635-646, Apr-May 2016. [9] Yeun CY, Han K, Vo DL, et al., ”Secure authenticated group key agreement protocol in the MANET environment”, Information Security Technical Report, vol.13, no.3, pp.158-164, Mar.2008. [10] Jin Li, Xinyi Huang, Jingwei Li, Xiaofeng Chen, Yang Xiang, ”Securely Outsourcing Attribute-based Encryption with Checkability,” IEEE Transactions on Parallel and Distributed Systems, vol.25, no.8, pp. 2201-2210, Aug.2014. [11] Zhao Xingwen, Zhang Fangguo, Tian Haibo, ”Dynamic asymmetric group key agreement for ad hoc networks,” Ad Hoc Networks, vol.9, no.4, pp. 928-939, May 2011. [12] Muhammad Bilal, Shin-Gak Kang, ”A secure key agreement protocol for dynamic group,” Cluster Comput, vol.20, no.3, Sep.2017. [13] Mohammad Sabzinejad Farash, ”A secure and efficient identity-based authenticated key exchange protocol for mobile client-server networks,” J Supercomput, vol.69, no.1, pp.395-411, Jul.2014. [14] Zhu Hongfei, Tan Yu-an, Zhang Xiaosong, Zhu Liehuang, Zhang Changyou, Zheng Jun, ” A Round-Optimal Lattice-Based Blind Signature Scheme for Cloud Services,” Future Generation Computer Systems, vol.73, p.106114, Aug. 2017. [15] Xixiang Lv, Hui Li, Baocang Wang, ”Authenticated asymmetric group key agreement based on certificateless cryptosystem,” International Journal of Computer Mathematics, vol.91, no.3, p. 447-460, Apr. 2014. [16] Hongfeng Zhu, Yan Zhang, ”An Ef?cient Chaotic Maps-Based Deniable Authentication Group Key Agreement Protocol,” Wireless Pers Commun., vol.96, no.1, p. 217-229, Sep.2017. [17] Reddi Siva Ranjani, D. Lalitha Bhaskari, P. S. Avadhani, ”An Extended Identity Based Authenticated Asymmetric Group Key Agreement ProtoVOLUME 4, 2016

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

FIGURE 2. Computation energy consumption analysis as a function of applied field.It is good practice to explain the computation cost of the protocol in the caption.

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

col,” International Journal of Network Security, Vol.17, No.5, PP.510-516, Sept. 2015. Lei Zhangˇcnˇ Qianhong Wuˇcnˇ Bo Qinˇcnˇ Josep Domingo-Ferrerˇcnˇ ´lšrsula Gonz´l´clez-Nicol´l´cs, ”Asymmetric group key agreement protocol for open networks and its application to broadcast encryption,” Computer Networks, vol. 55, no.15, Oct. 2011. Chang Xu, Liehuang Zhu, Zhoujun Li and Feng Wang, ”One-Round Affiliation-Hiding Authenticated Asymmetric Group Key Agreement with Semi-trusted Group Authorit,” COMPUTER JOURNAL, vol. 58, no. 10, pp.2509-2519,OCT. 2015. Chang Xu, Hua Guo, Zhoujun Li, and Yi Mu, ”Af?liation-Hiding Authenticated Asymmetric Group Key Agreement Based on Short Signature,” The Computer Journal, Vol. 57 No. 10, p. 1580-1590, Oct. 2014. zhang qikun, Zhang Quanxin, Ma Zhongmei, Tan Yu-an, ”An Authenticated Asymmetric Group Key Agreement for imbalanced mobile networks,” Chinese Journal of Electronics, vol.23, no.4, p.827-835, Oct.2014. Guiyi Wei, Xianbo Yang and Jun Shao, ”Efficient Certificateless Authenticated Asymmetric Group Key Agreement Protocol,” KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS, vol. 6, no. 12, pp.3352-3364, Dec. 2012. Lei Zhang, Qianhong Wu, Josep Domingo-Ferrer, Bo Qin, and Zheming Dong,”Round-Efficient and Sender-Unrestricted Dynamic Group Key Agreement Protocol for Secure Group Communications,” IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, vol.10, no.11, pp.2352-2364, Dec.2015. Mingchu Li, Xiaodong Xu, Cheng Guo, Xing Tan, ”AD-ASGKA- authenticated dynamic protocols for asymmetric group key agreement,” Security and Communication Networks, Vol.9, no.11, p. 1340-1352 Jul. 2016. Eleftheria Makri, Elisavet Konstantinou, ”Constant round group key agreement protocols:A comparative study,” computers and security, vol.30, on.8, pp. 643-678, Oct.2011.

VOLUME 4, 2016

ZHANG QIKUN was born in 1980.03. received his B.S. degrees from Xidian University in 2004. He received his M.S. degrees from LanZhou University of Technology in 2008. He received his ph.D. from Beijing Institute of Technology in 2013.Now he is a associate professor in department of Computer and Communication Engineering, Zhengzhou University of Light Industry, Zhengzhou, China. His research interests include information security and cryptography (Email:[email protected])

GAN YONG was born in 1965.05. Ph.D. Professor, School of Computer and Communication Engineering, Zhengzhou University of Light Industry. His research interests include multimedia communications, image processing, coding and network engineering.

11

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

FIGURE 3. Communication cost analysis as a function of applied field. It is good practice to explain the communication consumption of the protocol in the caption.

ZHANG QUANXIN was born in 1974, received the B.S. degree in Department of Computer Science from Shandong University of Technology in 1997, the M.S. degree in School of Electronic and Information Engineering from Lanzhou Jiaotong University in 2000 and the Ph.D. degree in School of Computer Science from Beijing Institute of Technology in 2003. He is the faculty of the School of Computer Science and Technology at Beijing Institute of Technology. His research interest includes the ad hoc network and mobile computing. (Email:[email protected])

TAN YU-AN was born in 1972.01. Ph.D.Supervisor, Professor, Beijing Institute of Technology, senior member of China Computer Federation. His current research interests include Information Security and network storage.

WANG RUIFANG was born in 1982.11. received her B.S. from Xidian University in 2004. She received her M.S. degrees from LanZhou University of Technology in 2008. Her research interests include information security and cryptography.

12

VOLUME 4, 2016

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2799007, IEEE Access Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

FIGURE 4. Total energy analysis as a function of applied field.It is good practice to explain the total energy consumption of the protocol in the caption.

VOLUME 4, 2016

13

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.