Provably Secure Receiver-Unrestricted Group Key Management Scheme for Mobile Ad Hoc Networks ^†

Abstract

Mobile ad hoc networks (MANETs) are self-configuring networks of wireless nodes, i.e., mobile devices. Since communications in MANETs occur via wireless channels, it is of significance to secure communications among wireless and mobile nodes. Group key management, as a widely used method for securing group communications, has potentially been used in MANETs for years. Most recently, a secure receiver-unrestricted group key management scheme for MANETs has been proposed, which is used to establish a secure channel among a group of wireless nodes without a trusted dealer, which has some advantages such as eliminating the certificate management problem and receiver restriction. However, a formal security analysis of this scheme is still lacking. Therefore, in this paper, we propose the complete security proof to demonstrate that the scheme satisfies the essential security properties including authentication, message confidentiality, known-key security and dynamic secrecy. We also give a brief discussion about the efficiency of the scheme.

1. Introduction

In recent years, mobile ad hoc networks (MANETs) have garnered widespread attention due to their utility and cost-effectiveness. For example, the wireless and mobile nodes in MANETs can still perform effectively in harsh and dynamic environments. This advantage further makes MANETs employed in various fields, including intelligent transportation [1,2], the military field [3], and vehicular ad hoc networks [4]. While enjoying the benefits of MANET, there are still a few security and functional concerns that require our attention. In general, MANETs often consists of numerous mobile and wireless nodes that are responsible for receiving, transmitting and processing data among each other. These interactions among nodes often take place through the wireless communication channel, which makes these mobile and wireless nodes suffer from many attacks, such as impersonation, eavesdropping, forging, and tampering [5]. Hence, it is a challenging task to ensure secure communication in MANETs. Group key management is widely used to establish secure communication channels among wireless nodes by enabling them to exchange encrypted messages through secret keys [6]. Furthermore, the secure channel for wireless communication should support authentication, which ensures that the messages being received are not changed and are coming from a legitimate node. Furthermore, the dynamic feature of MANET makes it difficult to ensure that the established channel remains secure all the time.

Existing group key management schemes for MANETs are realized based on two types of primitives, namely group key distribution (GKD) [7,8,9,10,11] and group key agreement (GKA) [12,13,14,15]. For GKD-based schemes, a trusted dealer is always needed for establishing a secure channel since it is in charge of generating and distributing group key(s) to each sensor node in a group. A trusted dealer is an online trusted party (e.g., a base station), which is often used to authenticate nodes. Our scheme is based on an authenticated scheme, i.e., our identity-based authenticated dynamic contributory broadcast encryption scheme in Section 5. A node is implicitly authenticated in our scheme. Therefore, a trusted dealer (e.g., a base station) is not used to authenticate nodes in our scheme). However, we note the over-dependency of a trusted dealer on increasing the risk of suffering a single-point attack. We also note that, generally, no trusted dealer exists in self-organizing networks such as MANETs. Even if GKA-based schemes eliminate the need for a trusted dealer, receiver restriction still exists, which means that a message from a sender can only be sent to all nodes in the group. This is obviously undesirable in real-world applications (e.g., MANETs) where a sender should be given the rights to choose its preferred sensor nodes within a group to receive the message.

Contributory broadcast encryption (ConBE) [16] can be potentially used to overcome receiver restriction. ConBE can enable wireless nodes to form a group by negotiating a public group encryption key and each wireless node’s decryption key. More importantly, it can allow any node with knowledge of the group encryption key to send encrypted messages to any subset of nodes within the group. Only the selected node can then decrypt the message using its own decryption keys. We note that the first dynamic ConBE scheme was proposed in [17]. However, the scheme is based on traditional public-key cryptography and therefore faces issues with certificate management. Moreover, existing ConBE schemes cannot consider whether the message sent by each wireless node is authenticated. This could potentially increase the risk of an adversary modifying the message.

2. Our Contribution

This paper is an extended version of our paper published in 2022 IEEE Wireless Communications and Networking Conference (WCNC) [18], in which an identity-based authenticated dynamic contributory broadcast encryption (IBADConBE) scheme was first discussed. This scheme was further utilized to achieve a secure and receiver-unrestricted group key management scheme for MANETs and could solve all the challenges mentioned in Section 1. In this paper, we first reviewed the original scheme, which has the following advantages. It first allows multiple wireless nodes to dynamically form a group by negotiating a public group encryption key and each node’s decryption key. After that, any sender knowing the public group encryption key can flexibly choose its interesting wireless nodes in the group to receive a message. Additionally, the scheme avoids the issue of certificate management and the need for a trusted dealer. However, in the original work, the authors briefly discussed the security of the scheme without providing a detailed security analysis. Therefore, in this paper, we made an effort to enhance the original work by reviewing it and presenting a formal security proof for it. The additional security analysis and proof contribute to the persuasiveness and trustworthiness of the protocol. We note that there are many schemes (without formal security proof) that were claimed to be secure and later found to be insecure [19]. To this end, we first design the security model for the original IBADConBE scheme. Based on this security model, we give the complete security proof of the IBADConBE scheme, which is based on the asymmetric variant of the decision k-Bilinear Diffie-Hellman exponent (BDHE) problem. Formal security proof shows that our scheme satisfies all the desirable security properties, including authentication, message confidentiality, known-key security, and dynamic secrecy, as defined in Section 4.2. In terms of efficiency experiments, in the original work, the authors provided a comprehensive analysis of the computational complexity, communication complexity, and simulations about the running time of each algorithm. According to the simulations, the overall costs are acceptable. Therefore, in this paper, we only briefly summarize the experimental results of the original work.

3. Related Work

Secure group communication in MANETs has become an important research topic in recent years, with group key management schemes being the most commonly used method. These schemes can be classified as either group key distribution- (GKD) or group key agreement (GKA)-based, depending on whether they rely on a trusted dealer to generate and distribute the group key(s).

Existing GKD-based schemes for secure communications in MANETs, such as those presented in [7,8,9,10,11], can be categorized into flat and hierarchical types based on network topology. The flat ones include those in [7,8,10,11]. Among them, in [7], an entity called a ground control station (GCS) was employed to distribute a group key and dynamically update the group key when the group membership changes after a fixed period. In [8], a group key pre-distribution scheme was introduced that was used to construct a secure channel among a group of sensors. In [10], the author introduced a symmetric secret key management protocol for multicast communication in MANETs of which a cluster header is selected from a group of sensor nodes and acts as a trusted dealer of the group. Furthermore, a secured key distribution technique was used in the protocol of [11] which was based on key count to effectively distribute the shared pair of keys between two nodes in MANETs. The one in [9] is a hierarchically distributed group key, the management of which is combined with the integrated approach of fuzzy trust-based clustering, which provides an efficient way for group key refreshment in MANETs. In conclusion, the main feature of these schemes is that a trusted dealer is needed to generate and distribute a group key to all nodes in the group. Whenever a node joins or leaves the group, the current group key must be discarded and a new group key should be generated and distributed by the trusted dealer. This results in significant computation and communication overheads, especially making them inefficient for large groups.

To eliminate the need for a trusted dealer, GKA-based group key management schemes were proposed for MANETs, such as the one presented in [12]. Considering the dynamic nature of MANETs, the dynamic scheme was also developed in [13]. However, existing GKA-based schemes still have some limitations, including the requirement for at least two communication rounds to negotiate a secret key, the need for wireless nodes to be online during negotiation, and the inability to allow outside senders to send encrypted messages to a group without first joining the group as a member. Asymmetric group key agreement (AGKA), as a novel group key management technology, was proposed to solve the above problems faced by traditional GKA-based schemes [20]. Later on, AGKA was extended to a new notion called a contributory broadcast encryption (ConBE) [16,21]. Both AGKA and ConBE can enable a group of wireless nodes to negotiate a public group encryption key and each node’s decryption key only in one-round interactions. In contrast to AGKA, ConBE can avoid receiver restriction. Recently, a ConBE scheme for dynamic groups was proposed [17], whose variant designed under the asymmetric group setting was discussed in [22] with lower computation and communication overheads. However, all the ConBE schemes above are designed in the traditional PKI-based cryptosystem. Hence, the burdensome certificate management problem still exists.

4. Background

4.1. System Architecture

The IBADConBE scheme is mainly for mobile ad hoc networks, in which the nodes are assumed to have a relatively sufficient computation capability. Figure 1 shows the system architecture, which involves a trusted authority (TA), a group of wireless nodes, and a sender (outside the group). As shown in Figure 1, the TA is responsible for generating and publishing the global system parameters. Meanwhile, each wireless node has to enroll with TA and ends up obtaining a public–private key pair issued by TA. We note when a group of wireless nodes that want to form a group, they first need to negotiate a group size (the maximum number of wireless nodes in the group) and then agree on an initial public group encryption key and each node’s individual decryption key. The dynamic nature of MANETs allows outside or inside wireless nodes to join or leave a group at any time. Additionally, a sender who has learned a public group encryption key can send an encrypted messages for some and/or all wireless nodes of a group it favors via a public channel. Furthermore, only those wireless nodes chosen by the sender can read the message.

4.2. Design Goals

The design goals that the IBADConBE scheme has achieved can be categorized into security goals and function goals. The security goals include authentication, message confidentiality, known-key security, and dynamic secrecy while the function goals contain trusted dealer freeness, receiver non-restriction, certificate freeness, and dynamicity.

• Authentication: This security goal is used to ensure the legitimacy of wireless nodes in MANETs. That is, all the transmitted messages through communication channels are from legitimate wireless nodes and not altered by an attacker.
• Message confidentiality: This goal is used to ensure that the sent message is only read by those wireless nodes who are chosen by a sender as receivers.
• Known-key security: This goal means that even if an adversary learns some wireless node’s individual decryption keys within a group corresponding to a certain session, they will not obtain the decryption keys held by wireless nodes corresponding to other sessions, especially the target session.
• Dynamic secrecy: This goal is used to secure communication if the group membership of a group has changed. Specifically, when a wireless node permanently leaves a group, it will not know any message subsequently sent to other nodes who still exist in the group; if an outside wireless node joins a group, it cannot learn any message previously delivered to existing inside wireless nodes.

The following ones are function goals that are essential for MANETs.

• Trusted dealer freeness: There is not any trusted dealer needed for generating and distributing secret group key(s) to each wireless node who form a group.
• Receiver non-restriction: Any sender who has known the public group encryption key of a group is allowed to flexibly select its favorable wireless nodes within the group to receive the encrypted message.
• Certificate freeness: There is no need to issue a public key certificate to each wireless node in MANETs to guarantee its legitimacy. Instead, the identity of each node is its public key, which solves the certificate management problem in PKC.
• Dynamicity: Any outside/inside wireless node is allowed to join/leave a group at any moment once the group has been formed.

We note that the TA used in this paper is different from a trusted dealer that is required to be online. The TA can be online or offline in this paper, and is primarily responsible for generating system parameters and issuing a private key to each legitimate node at the enrollment stage. The TA should be online during the GlobeSetup stage and the enrollment stage, since the TA is involved in these two stage. At the other stages, the TA is not involved. Therefore, we say that the TA could be offline.

We also note that the IBADConBE eliminates the usage of a trusted dealer since no online trusted party is employed to generate and distribute the session key to a group of wireless nodes. This can obviously be distinguished from those group key-distributed-based (GDK-based) key management protocols. In GDK-based ones, a trusted dealer often participates in forming a group and may be a base station. We note that, in ad hoc networks, such as mobile ad hoc networks, it is usually assumed that these no trusted dealer-like base station exists. The TA used in this scheme simply generates system parameters and public–private key pairs but does not interfere with the process of group key agreement.

5. Review of IBADConBE Scheme

In this section, we first review the IBADConBE scheme proposed in [18] for MANETs.

5.1. High-Level Description

The IBADConBE scheme in [18] consists of the four following stages: GlobeSetup, Enrollment, Group Initialization and Maintenance, and Secure Group Communication. At the first stage, TA generates the global system parameters that will be used for the next three stages. At the Enrollment stage, TA issues a public–private key pair for each wireless node in MANETs so that the legitimacy of each wireless node could be guaranteed. In particular, upon the input of the identity of any wireless node (which is also the public key of this node), TA will generate the private key corresponding to the identity of the node using the master secret key. The Group Initialize and Maintenance stage consists of three algorithms in total, respectively, namely Initialize, Join and Leave. The first algorithm is used to initialize a group for a group of wireless nodes with an initial negotiated group encryption key and each wireless node’s decryption key. Both Join and Leave algorithms are used to maintain the secure communication channel whenever the membership of a group has changed. Precisely, once an inside/outside wireless node leaves/joins a group, the public group encryption key and the rest of the nodes’ decryption keys will only update with one-round interaction. Furthermore, we note that during the Group Initialize and Maintenance and Group Communication stages, the TA is an offline trusted party. The Secure Group Communication stage is used to establish a secure channel between any sender and some or all wireless nodes within a group. Specifically, any wireless node (even outside a group) can be a sender since each group’s group encryption key is publicly accessible. More importantly, a sender is able to select its preferred wireless nodes within a group as receivers, and only selected wireless nodes can read the message. Then, we show each stage of the IBADConBE scheme in detail.

5.2. GlobeSetup

TA has to generate the global system parameters $\Delta$ at this stage as follows: choose three cyclic multiplicative groups ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, ${\mathbb{G}}_T$ with prime order q, where ${\mathbb{G}}_1$, ${\mathbb{G}}_2$ has its generator g and $g^{\prime }$, respectively; choose an asymmetric bilinear map $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2⟶{\mathbb{G}}_T$; choose $\kappa \in {\mathbb{Z}}_q^{*}$ as the master secret key and set $g_{pub}=g^{\prime \kappa }$ as its master public key; choose two hash functions $H_1$, $H_2:{\left\{0,1\right\}}^{*}⟶{\mathbb{G}}_1$; choose a secure identity-based signature scheme $IDS$ and a symmetric encryption algorithm ${\mathcal{E}}_K(·)/{\mathcal{D}}_K(·)$. In the IBADConBE scheme, it is assumed that $I{D}_{\gamma }$ denotes the identity of TA and the corresponding private key is $s_{\gamma }=i{d}_{\gamma }^{\kappa }$, where $i{d}_{\gamma }=H_1\left(I{D}_{\gamma }\right)$. We note that $I{D}_{\gamma }$ and $s_{\gamma }$ are used to generate N tuples consisting of the final $\Delta$. The N tuples has the format $(f_{\theta },{\mathbb{R}}_{\theta },{\mathbb{F}}_{\theta })$. Each tuple corresponds to a group with the optional group size n, which is generated as follows:

• For $1\le i\le n$, choose $r_{i\theta }\in {\mathbb{Z}}_q^{*}$ at random and compute $R_{i\theta }=g^{\prime r_{i\theta }}$, $f_j=H_2\left(j\right)$.
• For $1\le i,j\le n,i\ne j$, compute $F_{ij\theta }=s_{\gamma }{f}_j^{r_{i\theta }}$.
• Set ${\mathbb{R}}_{\theta }={\left\{R_{i\theta }\right\}}_{i\in \left\{1,\dots ,n\right\}}$, $f_{\theta }={\left\{f_i\right\}}_{i\in \left\{1,\dots ,n\right\}}$ and ${\mathbb{F}}_{\theta }={\left\{{\mathbb{F}}_{j\theta }\right\}}_{\left\{1\le j\le n\right\}}$, where ${\mathbb{F}}_{j\theta }={\left\{F_{ij\theta }\right\}}_{\left\{1\le i\le n,i\ne j\right\}}$.
• Obtain and publish the global system parameters $\Delta =(q,g,g^{\prime },{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,g_{pub},H_1,H_2,IDS,{\left\{(f_{\theta },{\mathbb{R}}_{\theta },{\mathbb{F}}_{\theta })\right\}}_{\theta \in \left\{1,\dots ,N\right\}},{\mathcal{E}}_K(·)/{\mathcal{D}}_K(·))$.

5.3. Enrollment

In our scheme, each wireless node is required to register with the TA. At this stage, the TA generates private–public key pairs for wireless nodes. It takes master-secret $\kappa$ and an wireless node’s identity $I{D}_i\in {\left\{0,1\right\}}^{*}$ as input. The public key of a wireless node is set to be its identity. Meanwhile, it computes the private key of the wireless node as follows:

• Compute $i{d}_i=H_1\left(I{D}_i\right)$.
• Compute the private key of the wireless node $s_i=i{d}_i^{\kappa }$.

Certificates are not a requisite to bind the wireless node’s identities and public keys. Thus, our scheme captures certificate freeness.

5.4. Group Initialization and Maintenance

This stage consists of three algorithms (Initialize, Join, Leave), which are used to initialize a group and then dynamically maintain the group. Specifically, a group of wireless nodes who want to form a group first perform the Initialize algorithm to negotiate an initial group encryption key and each wireless node’s decryption key. A suitable group size for the initialized group can be negotiated by all of wireless nodes according to historical experience and the context of applications. After initializing a group, any outside/inside wireless node is allowed to join/leave the group at any time which achieves dynamicity. We note that once that the membership of the group has changed, and the group keys (e.g., group encryption key and each existing wireless node’s decryption) must be updated. In the Join/Leave algorithm, one-round communication is only needed to complete updating.

Initialize: Assume there are t wireless nodes (${\mathcal{U}}_1,\dots ,{\mathcal{U}}_t$) who want to form a group with the negotiable group size n, the corresponding tuple is denoted as $(f_{\theta },{\mathbb{R}}_{\theta },{\mathbb{F}}_{\theta })$. For $1\le i\le t$, the i-th wireless node ${\mathcal{U}}_i$ with the public–private key pair $(i{d}_i,s_i)$ performs as follows:

• Randomly chooses $r_i\in {\mathbb{Z}}_q^{*}$ and computes $R_i=g^{\prime r_i}$.
• For $1\le j\le n$, computes $F_{ij}=s_i{f}_j^{r_i}$.
• Sets $M_i=(I{D}_i,R_i,{\left\{F_{ij}\right\}}_{j\in \left\{1,\dots ,n\right\},j\ne i})$ and signs $M_i$ to obtain a signature ${{\rm Y}}_i$ using the ID-based scheme $IDS$.
• Publishes ${\mathbb{M}}_i=(M_i,{{\rm Y}}_i)$.

For each wireless node ${\mathcal{U}}_i$, it will capture $t-1$ message–signature pairs ${\left\{{\mathbb{M}}_k\right\}}_{1\le k\le t,k\ne i}$ from other $t-1$ wireless nodes, which will be used by ${\mathcal{U}}_i$ to calculate the group encryption and its decryption key as follows:

• Check whether the $t-1$ message–signature pairs ${(M_i,{{\rm Y}}_i)}_{1\le k\le t,k\ne i}$ are valid. If valid, go to the next step; otherwise, abort.
• Compute the group encryption key $(\widehat{E},\widehat{\Omega })$, where $\widehat{E}={\prod }_{l=1}^t{R}_i{\prod }_{l=t+1}^n{R}_{i\theta }$ and $\widehat{\Omega }=\widehat{e}(H_1{\left(I{D}_{\gamma }\right)}^{n-t}{\prod }_{j=1}^t{H}_1\left(I{D}_j\right),g_{pub})$.
• For $1\le l\le n$, obtain ${\widehat{S}}_l={\prod }_{j=1}^{t,j\ne l}{F}_{jl}{\prod }_{j=t+1}^n{F}_{jl\theta }$ which are intermediate values to compute the decryption key.
• Compute the decryption key $S_i={\widehat{S}}_i{F}_{ii}$, and checks whether Equation (1) holds. If not, it is aborted.

  $$\widehat{e}(S_i,g^{\prime })\stackrel{?}{=}\widehat{e}(f_i,\widehat{E})·\widehat{\Omega }$$

  (1)
• Let $st$ be an n-bit all zero string. It is used to record the index of free positions in the group. Assume that $st\left[l\right]$ denotes the l-th bit of $st$. For $1\le l\le t$, set $st\left[l\right]=1$. If ${\left[st\right]}_l=1$, it indicates that there exists a wireless node in the position with index l of the group.
• Generate the group member information ${\widehat{\mathbf{M}}}_i=\left\{M_i;{\widehat{S}}_1,\dots ,{\widehat{S}}_n;(\widehat{E},\widehat{\Omega });st;S_i\right\}$.

Join: Suppose an outside wireless node ${\mathcal{U}}_I$ with the public–private key pair $(I{D}_I,s_I)$, $s_I=H_1{\left(I{D}_I\right)}^{\kappa }$ plans to join a group as the i-th group member. This requires that $st\left[i\right]=0$, which means that the i-th position of the group is free. ${\mathcal{U}}_I$ first does the following:

• Randomly chooses $r_i\in {\mathbb{Z}}_q^{*}$ and compute $R_i=g^{\prime r_i}$.
• For $1\le j\le n$, computes $F_{ij}=s_I{f}_j^{r_i}$.
• Sets $M_i=(I{D}_I,R_i,{\left\{F_{ij}\right\}}_{j\in \left\{1,\dots ,n\right\},j\ne i})$ and generates a signature ${{\rm Y}}_i$ by using $IDS$.
• Publishes ${\mathbb{M}}_i=(M_i,{{\rm Y}}_i)$.

In the sequel, each existing wireless node in the group will receive the message ${\mathbb{M}}_i=(M_i,{{\rm Y}}_i)$ from ${\mathcal{U}}_i$. For any wireless node in the group (assume that j-th satisfies $j\in \left\{k\mid st\left[k\right]=1\right\}$), it does the following:

• Check whether the message–signature pair $(M_i,{{\rm Y}}_i)$ is valid. If not, it is aborted; otherwise, the next step ensues.
• For $1\le l\le n,l\ne i$, update ${\widehat{S}}_l={\widehat{S}}_l{F}_{il}{F}_{il\theta }^{-1}$.
• Update $\widehat{E}=\widehat{E}{R}_i{R}_{i\theta }^{-1}$, $\widehat{\Omega }=\widehat{\Omega }·\widehat{e}(H_1\left(I{D}_I\right),g_{pub})·\widehat{e}{(H_1\left(I{D}_{\gamma }\right),g_{pub})}^{-1}$ and $S_j={\widehat{S}}_j{F}_{ij}{F}_{ij\theta }^{-1}$.
• Check whether Equation (1) holds. If Equation (1) does not hold, it is aborted.
• Set $st\left[i\right]=1$ and the new member information ${\widehat{\mathbf{M}}}_i=\left\{M_i;{\widehat{S}}_1,\dots ,{\widehat{S}}_n;(\widehat{E},\widehat{\Omega });st;S_i\right\}$.

We note that, for the new group member ${\mathcal{U}}_I$, it requires messages $\left\{{\widehat{S}}_1,\dots ,{\widehat{S}}_n;(\widehat{E},\widehat{\Omega });st\right\}$ to compute its decryption key $S_i$. Hence, it is assumed that the wireless node with the minimal index of the group has to deliver $\left\{{\widehat{S}}_1,\dots ,{\widehat{S}}_n;(\widehat{E},\widehat{\Omega });st\right\}$ to ${\mathcal{U}}_I$. After receiving the above message, ${\mathcal{U}}_I$ does the following to obtain its member information:

• Computes the decryption key $S_i={\widehat{S}}_i{F}_{ii}$ and check whether Equation (1) holds. If not, it is aborted; otherwise, the next step ensues.
• Stores the group member information ${\widehat{\mathbf{M}}}_i=\left\{M_i;{\widehat{S}}_1,\dots ,{\widehat{S}}_n;(\widehat{E},\widehat{\Omega });st;S_i\right\}$.

Leave: Assume an inside wireless node ${\mathcal{U}}_I$ as the i-th group member wants to leave the group. It does as follows:

• Lets $M_i^{\prime }=M_i$ and generate a new signature ${{\rm Y}}_i^{\prime }$ on $M_i^{\prime }$ using $IDS$.
• Publishes ${\mathbb{M}}_i^{\prime }=(M_i^{\prime },{{\rm Y}}_i^{\prime })$.

After obtaining the message–signature pair ${\mathbb{M}}_i^{\prime }=(M_i^{\prime },{{\rm Y}}_i^{\prime })$ from ${\mathcal{U}}_I$, each existing wireless node in the group will use it to update their member information. For the j-th group member ($j\in \left\{k\mid st\left[k\right]=1,k\ne i\right\}$), it does the following:

• Checks whether the message–signature pair $(M_i^{\prime },{{\rm Y}}_i^{\prime })$ is valid. If not, it is aborted; otherwise, the next step ensues.
• For $1\le l\le n,l\ne i$, updates ${\widehat{S}}_l={\widehat{S}}_l{F}_{il}^{-1}{F}_{il\theta }$.
• Updates $\widehat{E}=\widehat{E}{R}_{i\theta }{R}_i^{-1}$, $\widehat{\Omega }=\widehat{\Omega }·\widehat{e}(H_1\left(I{D}_{\gamma }\right),g_{pub})·{(H_1\left(I{D}_I\right),g_{pub})}^{-1}$ and $S_j={\widehat{S}}_j{F}_{ij}^{-1}{F}_{ij\theta }$.
• Checks whether Equation (1) holds. If Equation (1) does not satisfy, it is aborted.
• Sets $st\left[i\right]=0$ and updates and stores new member information ${\widehat{\mathbf{M}}}_i$.

We note that, during the whole stage of Group Initialization and Maintenance, the group encryption key and each wireless node’s decryption key are generated through the negotiation of wireless nodes themselves, instead of relying on a trusted dealer to generate and distribute these group keys. Hence, this scheme achieves the design goals of trusted dealer freeness.

5.5. Secure Group Communication

At this stage, a sender can securely transmit a message to any wireless nodes that the sender selects from a group based on its preference. There are two algorithms included at this stage, respectively, Encrypt and Decrypt. Any sender who has the knowledge of the group encryption key of a group first selects some wireless nodes that it wants to communicate with and then generates a ciphertext by running the Encrypt algorithm. The wireless nodes within the group which are selected by the sender as receivers are able to decrypt the ciphertext and read the message by performing the Decrypt algorithm.

Encrypt: Assume that a sender wants to send the message m to some wireless nodes in a group and the selected wireless nodes within the group form an index set denoted by $\mathbb{U}$. Let $\mathbb{S}=\left\{k\mid st\left[k\right]=1\right\}$, $\overline{\mathbb{S}}=\left\{{i|\left[st\right]}_i=0\right\}$, $\overline{\mathbb{U}}=\mathbb{S}\setminus \mathbb{U}$. To obtain the final ciphertext, the sender performs the following steps:

• Computes $\Omega =\widehat{\Omega }·{\prod }_{l\in \overline{\mathbb{U}}}^{}\widehat{e}(H_1\left(I{D}_{\gamma }\right),g_{pub})$, $E=\widehat{E}·{\prod }_{l\in \overline{\mathbb{U}}}^{}{R}_{l\theta }$.
• Randomly chooses $a\in {\mathbb{Z}}_q^{*}$, computes the ciphertext $C=(C_1,C_2,C_3)$, where $C_1=g^{\prime a}$, $C_2=E^a$, $C_3={\mathcal{E}}_{sk}\left(m\right)$, and the session key is

  $$sk={\Omega }^a=\widehat{e}{({\prod }_{k\in \mathbb{S}}^{}{s}_k{\prod }_{k\in \overline{\mathbb{S}}}{s}_{\gamma }{\prod }_{k\in \overline{\mathbb{U}}}{s}_{\gamma },g^{\prime })}^a$$
• Sends $(C,\mathbb{U})$ to the group.

Decrypt: Only wireless nodes in $\mathbb{U}$ are capable of decrypting the above ciphertext and then extract the session key $sk$ and read the message m, which captures the receiver non-restriction. For each wireless node in $\mathbb{U}$, (assume that the i-th wireless node $i\in \mathbb{U}$), it does the following:

• Computes ${\tilde{S}}_i=S_i{\prod }_{l\in \overline{\mathbb{U}}}^{}{F}_{li\theta }$ and then computes the session key

  $$\begin{array}{cc}\hfill sk=& \widehat{e}({\tilde{S}}_i,C_1)\widehat{e}{(f_i,C_2)}^{-1}\hfill \\ \hfill =& \widehat{e}{({\prod }_{k\in \mathbb{S}}^{}{s}_k{\prod }_{k\in \overline{\mathbb{S}}}{s}_{\gamma }{\prod }_{k\in \overline{\mathbb{U}}}{s}_{\gamma },g^{\prime })}^a\hfill \end{array}$$
• Computes $m={\mathcal{D}}_{sk}\left(C_3\right)$.

6. Security

6.1. Security Model and Definitions

The IBADConBE scheme captures authentication, message confidentiality, known-key security, and dynamic secrecy, of which authentication was ensured by a secure identity-based signature scheme. Thus, we only have to prove that the IBADConBE scheme captures the remaining security properties. Firstly, we give the security model for the IBADConBE scheme, which is the security game run between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$. In this game, $\mathcal{C}$ plays the role of TA, generates the system-wide parameters and answers different types of queries from $\mathcal{A}$. Our security model consists of four stages: Initialize, Attack, Challenge, and Response. The first and second stages simulate each algorithm of IBADConBE. Meanwhile, at the Attack stage, an adversary is allowed to make various queries, which simulates various attack behaviors. For instance, Corrupt and CorruptKey queries model the leakage of private keys and random coins held by users, Reveal queries model the disclose of session keys (corresponding to the known-key attack), and Join/Leave models the attacker controlling a node to join/leave a group. At the Challenge stage, the adversary submits ($m_0,m_1$) and obtains a challenge ciphertext c (generated from $m_0$ or $m_1$). However, at the last stage, the advantage of the adversary to guess that c is from $m_0$ or $m_1$ is still negligible, even when the advantage can make Reveal, Join and Leave queries. Therefore, the IBADConBE proves to capture message confidentiality, known-key security, and dynamic secrecy.

Initialize: $\mathcal{C}$ generates the system-wide parameters $\Delta$ by running the GlobeSetup algorithm and passes it to $\mathcal{A}$.

Attack: $\mathcal{C}$ answers the following queries from $\mathcal{A}$:

• Execute$(t,n)$: This query is used to model the initialize algorithm at the group initialization and maintenance stage. $\mathcal{A}$ submits $(t,n)$, where t and n denote the number of initial participants and group size $\mathcal{A}$ selects. $\mathcal{C}$ initializes a group, with a unique index $\mu$, and sets the initial session ID $\eta$ to be 1. $\eta$ should be set to $\eta +1$ if $\mathcal{A}$ invokes the following Join$(i,\mu )$ or Leave$(i,\mu )$ query.
• Join$(i,\mu )$: This query is used to model the joint algorithm at the group initialization and maintenance stage. Upon receiving this query, $\mathcal{C}$ enables an outside node to join the group with the index $\mu$ as the i-th group member. This query can be asked for at most K times.
• Leave$(i,\mu )$: This query is used to model the Leave algorithm at the group initialization and maintenance stage. Upon receiving this query, $\mathcal{C}$ enables the i-th inside node in the $\mu$-group to leave permanently.
• CorruptKey$\left(I{D}_i\right)$: Upon receiving this query, $\mathcal{C}$ outputs the private key held by $I{D}_i$. This query can be used to model (partial) forward secrecy.
• Corrupt$(i,\mu ,\eta )$: Upon receiving this query, $\mathcal{C}$ outputs the private input and/or inner random coins held by the i-th inside node corresponding to the $\eta$-th session of the $\mu$-th group.
• Reveal$(i,\mu ,\eta )$: Upon receiving this query, $\mathcal{C}$ outputs the decryption key held by the i-th inside node corresponding to the $\eta$ session in the $\mu$-th group. This query can be used to model known-key security.

Challenge: At this stage, $\mathcal{A}$ submits $\{{\mathbb{U}}^{*},{\mu }^{*},{\eta }^{*},(m_0,m_1)\}$ to $\mathcal{C}$, where ${\mathbb{U}}^{*}\subseteq \mathbb{K}=\left\{1,\dots ,K\right\}$ is a fresh set (see Definition 1), ${\mu }^{*}$, ${\eta }^{*}$ is the index of the target group and the target session ID, $(m_0,m_1)$ is a pair of messages with the same length. $\mathcal{C}$ randomly chooses a bit $b\in \left\{0,1\right\}$. If $b=0$, $\mathcal{C}$ returns the challenge ciphertext $C^{*}$ generated from encrypting $m_0$; otherwise, $\mathcal{C}$ returns the ciphertext $C^{*}$ by encrypting $m_1$.

Response: At this stage, $\mathcal{A}$ returns a guess $b^{\prime }\in \left\{0,1\right\}$. If $b^{\prime }=b$, $\mathcal{A}$ wins the game. $\mathcal{A}$’s advantage to win the above game is defined as $\mathsf{Adv}\left(\mathcal{A}\right)=\left|\mathrm{Pr}[b=b^{\prime }]-1\right|$.

Definition 1

(Freshness). A set ${\mathbb{U}}^{*}$ is fresh if none of the following conditions are satisfied: (1) $\mathcal{A}$ has made a Reveal$(i,\mu ,\eta )$ query on any node with index in ${\mathbb{U}}^{*}$ within the target group; (2) $\mathcal{A}$ has made Corrupt$(i,\mu ,\eta )$ queries on any node with the index in ${\mathbb{U}}^{*}$; (3) All the private keys of the nodes participating in the target session of target group are corrupted.

Definition 2.

An IBADConBE scheme is said to be fully and adaptively secure against chosen plaintext attacks (CPA) if no polynomial-time adversary $\mathcal{A}$ can win the above game with an advantage $Adv\left(\mathcal{A}\right)$. An IBDConBE scheme is said to be semi-adaptively secure if the adversary (1) has to commit an index set $\mathbb{K}$ before the Attack stage; (2) can only choose ${\mathbb{U}}^{*}\subseteq \mathbb{K}$ to query $\mathcal{C}$ at the challenge stage.

We note that $\mathcal{A}$ cannot successfully distinguish $C^{*}$ comes from $m_0$ or $m_1$, even when $\mathcal{A}$ is allowed to ask CorruptKey$\left(I{D}_i\right)$ and Corrupt$(i,\mu ,\eta )$ queries for any node (not in ${\mathbb{U}}^{*}$). This further implies that $\mathcal{A}$ cannot violate the confidentiality of an encrypted message in the real world. Thus, the scheme captures the message confidentiality. Additionally, $\mathcal{A}$ is allowed to reveal some nodes’ decryption keys that do not correspond to the target session of the target group. Thus, the scheme satisfies the capture of the known-key security. At the end of Challenge stage, $\mathcal{A}$ is allowed to invoke Join/Leave queries, but its advantage to win the game is still negligible. Hence, the scheme satisfies dynamic secrecy.

6.2. Security Proof

Theorem 1.

Let $H_1$, $H_2$ be random oracles. Suppose that $\mathcal{C}$ may initialize at most N groups and L sessions for each group, the maximal group size is k, and $\mathcal{A}$ made at most $q_{H_1}$ queries to $H_1$ oracle. If the $\mathcal{A}$ wins the above game with the advantage $Adv\left(\mathcal{A}\right)$ in time τ, there exists an algorithm to solve the asymmetric variant of the decision k-BDHE problem with an advantage at least $\frac{1}{NL{q}_{H_1}}Adv\left(\mathcal{A}\right)$ in time $\tau +\mathcal{O}\left(kNL\right){\tau }_E$, where ${\tau }_E$ computes a scalar multiplication in ${\mathbb{G}}_1$.

Asymmetric variant of a decision k-BDHE problem: Given a bilinear map: $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, $P=g^p$, $Q=g^{\prime h}$, $X={\{x_i=g^{{\alpha }^i}\}}_{\{i=1,2,...,k,k+2,...,2k\}}$, $Y_1={\{y_j=g^{\prime {\alpha }^j}\}}_{\{j=1,2,...,k+1\}}$, for unknown $\alpha ,p,h\in {\mathbb{Z}}_q^{*}$. An algorithm $\mathcal{D}$ that outputs $b\in \{0,1\}$ has the advantage $ϵ$ in solving the asymmetric variant of the decision k-BDHE problem if

$$\begin{array}{c}\hfill |Pr[\mathcal{D}(g,g^{\prime },P,Q,X,Y_1,Z_0)=0]-\\ \hfill Pr[\mathcal{D}(g,g^{\prime },P,Q,X,Y_1,Z_1)=0]|\ge ϵ\end{array}$$

where $Z_0=\widehat{e}(g^{{\alpha }^{k+1}},Q)$ and $Z_1\in {\mathbb{G}}_T$ randomly. The asymmetric variant of the decision k-BDHE assumption holds in ${\mathbb{G}}_T$ if no polynomial-time algorithm has the advantage of at least $ϵ$ in solving the asymmetric variant of the decision k-BDHE problem in ${\mathbb{G}}_T$.

Proof of Theorem 1.

Let $\mathcal{C}$ be a challenge and $\mathcal{A}$ be an adversary. $\mathcal{C}$ is given an asymmetric variant of the k-BDHE problem instance $(g,g^{\prime },P,Q,Z,x_1,...,x_k,x_{k+2},...,x_{2k},y_1,...,y_k)$, where $P\in {\mathbb{G}}_1,Q\in {\mathbb{G}}_2$, $x_i=g^{{\alpha }^i},i\in \{1,...,k,k+2,...,2k\}$, $y_i=g^{\prime {\alpha }^j},j\in \{1,...,k+1\}$ with some unknown $\alpha \in {\mathbb{Z}}_q^{*}$. We show how $\mathcal{C}$ can utilize $\mathcal{A}$ to determine whether Z is equal to $\widehat{e}(g^{{\alpha }^{k+1}},Q)$ or a uniform element in ${\mathbb{G}}_T$.

Initialize: Assume that two random oracles $H_1$ and $H_2$ answer queries as follows:

$H_1$ queries: $\mathcal{C}$ keeps an initially empty list $H_1^{list}$. Upon input $I{D}_i$, $\mathcal{C}$ performs the following:

• If there is a tuple $(I{D}_i,{\mu }_i,i{d}_i,s_i)$, returns $i{d}_i$.
• Otherwise, chooses ${\mu }_i\in {\mathbb{Z}}_q^{*}$ at random, and if this query is the J-th target query, sets $i{d}_i=g^{{\mu }_i}$, $s_i=x_k^{{\mu }_i}$; otherwise, sets $i{d}_i=g^{{\mu }_i}$, $s_i=x_1^{{\mu }_i}$.
• Adds $(I{D}_i,{\mu }_i,i{d}_i,s_i)$ to $H_1^{list}$ and returns $i{d}_i$.

$H_2$ queries: $\mathcal{C}$ keeps an initially empty list $H_2^{list}$. Upon input j, $\mathcal{C}$ performs the following:

• If there is a tuple $(j,v_j,f_j)$, returns $f_j$.
• Otherwise, randomly chooses $v_j\in {\mathbb{Z}}_q^{*}$, sets $f_j=g^{v_j}$, adds $(j,v_j,f_j)$ to $H_2^{list}$ and returns $f_j$.

$\mathcal{C}$ sets the system-wide parameters $\Delta =(q,g,{\mathbb{G}}_1,{\mathbb{G}}_2,g_{pub},H_1,H_2,IDS,{\left\{(f_{\theta },{\mathbb{R}}_{\theta },{\mathbb{F}}_{\theta })\right\}}_{\theta \in \left\{1,\dots ,N\right\}})$, where $g_{pub}=g^{\prime \alpha }=y_1$. Assume that $I{D}_{\gamma }$ denotes the identity of TA. To generate the tuple, $(f_{\theta },{\mathbb{R}}_{\theta },{\mathbb{F}}_{\theta })$ corresponding to group size n, $\mathcal{C}$ first recovers $(I{D}_{\gamma },{\mu }_{\gamma },i{d}_{\gamma },s_{\gamma })$ from $H_1^{list}$ and $(j,v_j,f_j)$, $1\le j\le n$ from $H_2^{list}$, and then, for $1\le i\le n$, performs the following:

• If $i=1$, performs as follows:
  • Chooses $r_{1\theta }\in {\mathbb{Z}}_q^{*}$ at random and computes $R_{1\theta }=g^{\prime r_{1\theta }}{\prod }_{l=2}^n{y}_{k-l+1}^{-1}$.
  • Computes $F_{1j\theta }=x_1^{{\mu }_{\gamma }}{g}^{v_j{r}_{1\theta }}{\prod }_{l=2}^{n,l\ne j}{x}_{k-l+1+j}^{-1}$, $2\le j\le n$,
  • Sets $F_{11\theta }=null$.
• Otherwise, for $2\le i\le n$, $\mathcal{C}$ performs the following:
  • Chooses $r_{i\theta }\in {\mathbb{Z}}_q^{*}$ randomly and computes $R_{i\theta }=g^{\prime r_{i\theta }}{y}_{k-i+1}$.
  • For $2\le j\le n$, computes $F_{ij\theta }=x_1^{{\mu }_{\gamma }}{g}^{v_j{r}_{i\theta }}{x}_{k-i+1+j}$.
  • Sets $F_{ii\theta }=null$.

$\Delta$ is passed to $\mathcal{A}$. $\mathcal{A}$ then commits a set $\mathbb{U}\subseteq \left\{1,\dots ,K\right\}$ to $\mathcal{C}$. Finally, $\mathcal{C}$ randomly chooses $\mu \in \left\{1,\dots ,N\right\}$ and $\omega \in \left\{1,\dots ,L\right\}$. In the following, we assume that $\mathcal{C}$ will answers the queries as in the real scheme if it is not the $\mu$-th group. Hence, we only need to consider the queries from $\mathcal{A}$ corresponding to target group.

Attack: $\mathcal{C}$ answers $\mathcal{A}$’s queries as follows:

Execute$(t,n)$: $\mathcal{C}$ maintains an initially empty list $T_{list}$ and sets the initial session ID $\eta =1$. Suppose the set of t initial participants’ identities is $\left\{I{D}_1,\dots ,I{D}_t\right\}$. To answer this query, $\mathcal{C}$ first submits $\left\{I{D}_1,\dots ,I{D}_t\right\}$ to $H_1$ if these queries have never been issued before, and then recovers $(I{D}_i,{\mu }_i,i{d}_i,s_i)$ for $1\le i\le t$ from $H_1^{list}$. For $1\le i\le t$, $\mathcal{C}$ generates a coin $coi{n}_{i\eta }$ and then performs the following:

• If $i\notin \mathbb{K}$, sets $coi{n}_{i\eta }=0$ and then performs the following:
  • Chooses $r_{i\eta }\in {\mathbb{Z}}_q^{*}$ and sets $R_{i\eta }=g^{\prime r_{i\eta }}$
  • For $1\le j\le n$, computes $F_{ij\eta }=s_i{f}_j^{r_{i\eta }}$.
• Otherwise, $\mathcal{C}$ sets $coi{n}_{i\eta }=1$. If and only if $i=1$, then $\mathcal{C}$ performs the following:
  • Chooses $r_{i\eta }\in {\mathbb{Z}}_q^{*}$ and computes $R_{i\eta }=g^{\prime r_{i\eta }}{\prod }_{l=2}^n{y}_{k-l+1}^{-1}$.
  • For $1\le j\le n$, $j\ne i$, sets $F_{ij\eta }=x_1^{{\mu }_i}{g}^{v_j{r}_{i\eta }}{\prod }_{l=1}^{n,l\ne j}{x}_{k-l+1+j}^{-1}$.
  • Sets $F_{ii\eta }=null$.
• Otherwise, $\mathcal{C}$ performs the following:
  • Chooses $r_{i\eta }\in {\mathbb{Z}}_q^{*}$ and computes $R_{i\eta }=g^{\prime r_{i\eta }}{y}_{k-i+1}$.
  • For $1\le j\le n$, $j\ne i$, sets $F_{ij\eta }=x_1^{{\mu }_i}{g}^{v_j{r}_{i\eta }}{g}_{k-i+1+j}$.
  • Sets $F_{ii\eta }=null$ and $M_{i\eta }=(I{D}_i,R_{i\eta },{\left\{F_{ij\eta }\right\}}_{j\in \{1,...,n\},j\ne i})$
  • Signs $M_{i\eta }$ to obtain a signature ${{\rm Y}}_{i\eta }$ using $IDS$ and publishes $(M_{i\eta },{{\rm Y}}_{i\eta })$.

Let ${\overline{M}}_{i\eta }=(coi{n}_{i\eta },I{D}_i,r_{i\eta },R_{i\eta },\left\{F_{ij\eta }\right\}$ ${}_{j\in \left\{1,\dots ,n\right\}})$, and then $\mathcal{C}$ performs the following:

• Computes the public group encryption key $({\widehat{E}}_{\eta },{\widehat{\Omega }}_{\eta })$, where ${\widehat{E}}_{\eta }={\prod }_{l=1}^t{R}_{i\eta }{\prod }_{l=t+1}^n{R}_{i\theta }$ and ${\widehat{\Omega }}_{\eta }=\widehat{e}(H_1{\left(I{D}_{\gamma }\right)}^{n-t}{\prod }_{j=1}^t{H}_1\left(I{D}_j\right),g_{pub})$.
• Computes ${\widehat{S}}_{i\eta }={\prod }_{j=1}^{t,j\ne i}{F}_{ji\eta }{\prod }_{j=t+1}^n{F}_{ji\theta }$ for $1\le i\le n$.
• Lets $s{t}_{\eta }$ be a n-bit all-zero string. For $1\le i\le t$, sets $s{t}_{\eta }\left[i\right]=1$.
• Adds ${\mathbf{T}}_{\eta }=(\eta ;{\overline{M}}_{1\eta },\dots ,{\overline{M}}_{t\eta };{\widehat{S}}_{1\eta },\dots ,{\widehat{S}}_{n\eta };s{t}_{\eta };{\widehat{E}}_{\eta },{\widehat{\Omega }}_{\eta })$ to list $T_{list}$.
• Returns ${\left\{I{D}_i,R_{i\eta },{{\rm Y}}_i,{\left\{F_{ij\eta }\right\}}_{j\in \left\{1,\dots ,n\right\}\setminus i}\right\}}_{i\in \left\{1,\dots ,t\right\}}$.

We note that the Execute query can be simulated by invoking the following Join query for t times. If $\mathcal{C}$ answers the above Execute query, then $\eta$ is set to t.

In the following, if we set ${\mathbf{T}}_{\eta }={\mathbf{T}}_{\eta -1}$, then $\mathcal{C}$ performs the following:

• Sets $s{t}_{\eta }=s{t}_{\eta -1}$,${\widehat{E}}_{\eta }={\widehat{E}}_{\eta -1}$,${\widehat{\Omega }}_{\eta }={\widehat{\Omega }}_{\eta -1}$.
• Sets ${\overline{M}}_{i\eta }={\overline{M}}_{i(\eta -1)}$ for $1\le i\le t$.
• Sets ${\widehat{S}}_{i\eta }={\widehat{S}}_{i(\eta -1)}$ for $1\le i\le n$.
• Adds ${\mathbf{T}}_{\eta }=(\eta ;{\overline{M}}_{1\eta },\dots ,{\overline{M}}_{t\eta };{\widehat{S}}_{1\eta },\dots ,{\widehat{S}}_{n\eta };s{t}_{\eta };{\widehat{E}}_{\eta },,{\widehat{\Omega }}_{\eta })$ to list $T_{list}$.

Join$(i,\mu ,\eta )$: Assume a node with $I{D}_i$ wants to join the group as the i-th group member. $\mathcal{C}$ sets ${\mathbf{T}}_{\eta }={\mathbf{T}}_{\eta -1}$, and then performs the following:

• If $i\notin \mathbb{K}$, $\mathcal{C}$ sets $coi{n}_{i\eta }=0$ and then performs the following:
  • Chooses $r_{i\eta }\in {\mathbb{Z}}_q^{*}$, set $R_{i\eta }=g^{\prime r_{i\eta }}$
  • For $1\le j\le n$, computes $F_{ij\eta }=s_i{f}_j^{r_{i\eta }}$.
• Otherwise, sets $coi{n}_{i\eta }=1$, if $i=1$, and then performs the following:
  • Chooses $r_{i\eta }\in {\mathbb{Z}}_q^{*}$ and computes $R_{i\eta }=g^{\prime r_{i\eta }}{\prod }_{l=2}^n{y}_{k-l+1}^{-1}$.
  • For $1\le j\le n$, $j\ne i$, computes $F_{ij\eta }=g_{pub}^{{\mu }_i}{g}^{v_j{r}_{i\eta }}{\prod }_{l=1}^{n,l\ne j}{x}_{k-l+1+j}^{-1}$.
  • Sets $F_{ii\eta }=null$.
• Otherwise, $\mathcal{C}$ performs the following:
  • Chooses $r_{i\eta }\in {\mathbb{Z}}_q^{*}$ and computes $R_{i\eta }=g^{\prime r_{i\eta }}{y}_{k-i+1}$.
  • For $1\le j\le n$, $j\ne i$, computes $F_{ij\eta }=x_1^{{\mu }_i}{g}^{v_j{r}_{i\eta }}{x}_{k-i+1+j}$.
  • Sets $F_{ii\eta }=null$ and $M_{i\eta }=(I{D}_i,R_{i\eta },{\left\{F_{ij\eta }\right\}}_{j\in \{1,...,n\},j\ne i})$
  • Signs $M_{i\eta }$ to obtain a signature ${{\rm Y}}_{i\eta }$ using $IDS$.

$\mathcal{C}$ obtains ${\widehat{E}}_{\eta }={\widehat{E}}_{\eta }{R}_{i\eta }{R}_{i\theta }^{-1}$, ${\widehat{\Omega }}_{\eta }={\widehat{\Omega }}_{\eta }·\widehat{e}(H_1\left(I{D}_i\right),g_{pub})·$, sets ${\widehat{S}}_{l\eta }={\widehat{S}}_{l\eta }{F}_{il\eta }{F}_{il\theta }^{-1}$, $1\le l\le n$, $l\ne i$, $s{t}_{\eta }\left[i\right]=1$, adds ${\overline{M}}_{i\eta }=(coi{n}_{i\eta },I{D}_I,r_{i\eta },R_{i\eta },{\left\{F_{ij\eta }\right\}}_{j\in \left\{1,\dots ,n\right\}})$ to ${\mathbf{T}}_{\eta }$ and returns $(M_{i\eta },{{\rm Y}}_{i\eta })$ and $({\widehat{S}}_{1\eta },\dots ,{\widehat{S}}_{n\eta };s{t}_{\eta };{\widehat{E}}_{\eta },{\Omega }_{\eta })$.

Leave $(i,\mu ,\eta )$: Assume that the i-th group member with $I{D}_i$ intends to leave the $\mu$-th group. $\mathcal{C}$ performs the following:

• Sets ${\mathbf{T}}_{\eta }={\mathbf{T}}_{\eta -1}$.
• Returns the tuple $(I{D}_i,R_{i\eta },{{\rm Y}}_i,{\left\{F_{ij\eta }\right\}}_{j\in \left\{1,\dots ,n\right\}\setminus i})$ and removes the tuple ${\overline{M}}_{i\eta }$ from ${\mathbf{T}}_{\eta }$.
• Sets $s{t}_{\eta }\left[i\right]=0$.
• Sets ${\widehat{E}}_{\eta }={\widehat{E}}_{\eta }{R}_{i\eta }^{-1}{R}_{i\theta }$, ${\widehat{\Omega }}_{\eta }={\widehat{\Omega }}_{\eta }\widehat{e}{(H_1\left(I{D}_i\right),g_{pub})}^{-1}·$, $\widehat{e}(H_1\left(I{D}_{\gamma }\right),g_{pub})$.
• Sets ${\widehat{S}}_{l\eta }={\widehat{S}}_{l\eta }{F}_{il\eta }^{-1}{F}_{il\theta }$ for $1\le l\le n$, $l\ne i$.
• Returns $(M_{i\eta },{{\rm Y}}_{i\eta })$, where $M_{i\eta }=(I{D}_i,R_{i\eta },{\left\{F_{ij\eta }\right\}}_{j\in \{1,...,n\},j\ne i})$, ${{\rm Y}}_{i\eta }$ is the signature on $M_{i\eta }$.

CorruptKey $\left(I{D}_i\right)$: $\mathcal{C}$ first submits $I{D}_i$ to the $H_1$ oracle if this query has never been asked before, recovers $(I{D}_i,{\mu }_i,i{d}_i,s_i)$ from $H_1^{list}$ and returns $s_i$.

Corrupt $(i,\mu ,\eta )$: This query requires $i\in \overline{\mathbb{K}}$. $\mathcal{C}$ returns $r_i$ held by an i-th member corresponding to the $\eta$-th session of $\mu$-th group.

Reveal $(i,\mu ,\eta )$: The query requires $i\in \overline{\mathbb{K}}$. $\mathcal{C}$ recovers ${\mathbf{T}}_{\eta }$ from $T_{list}$ and ${\overline{M}}_{i\eta }$ from ${\mathbf{T}}_{\eta }$. $\mathcal{C}$ recovers ${\widehat{S}}_{i\eta }$ from ${\overline{M}}_{i\eta }$ and returns ${\widehat{S}}_{i\eta }{F}_{ii\eta }$.

Challenge: $\mathcal{A}$ chooses a target set ${\mathbb{U}}^{*}\subseteq \mathbb{K}$ and a target session ${\eta }^{*}$ corresponding to the target group. Let ${\mathbf{T}}_{{\eta }^{*}}$ be $({\eta }^{*};{\overline{M}}_{1{\eta }^{*}},\dots ,{\overline{M}}_{t{\eta }^{*}};{\widehat{S}}_{1{\eta }^{*}},\dots ,{\widehat{S}}_{n{\eta }^{*}};s{t}_{{\eta }^{*}};{\widehat{E}}_{{\eta }^{*}};{\widehat{\Omega }}_{{\eta }^{*}})$. We have ${\mathbb{S}}^{*}=\left\{i|s{t}_{{\eta }^{*}}\left[i\right]=1\right\}$, ${\overline{\mathbb{S}}}^{*}=\left\{i|s{t}_{{\eta }^{*}}\left[i\right]=0\right\}$, ${\overline{\mathbb{U}}}^{*}={\mathbb{S}}^{*}\setminus {\mathbb{U}}^{*}$. We say that Event 1 happens if the group $\mathcal{A}$ that submits is not the $\mu$-group or ${\eta }^{*}\ne \omega$. Furthermore, Event 2 happens if a node exits with index $l^{*}$ that corresponds to the J-th $H_1$ query. If Event 1 does not happen and Event 2 happens, $\mathcal{C}$ performs as follows, otherwise, $\mathcal{C}$ aborts.

• Set $C_1^{*}=Q$, $C_2^{*}=Q^{{\sum }_{i\in {\mathbb{S}}^{*}}^{}{r}_{i{\eta }^{*}}+{\sum }_{i\in {\overline{\mathbb{S}}}^{*}\cup {\overline{\mathbb{U}}}^{*}}^{}{r}_{i\theta }}$.
• Set $s{k}^{*}=\widehat{e}{(x_1,Q)}^{{\sum }_{i\in {\mathbb{S}}^{*},i\ne l^{*}}^{}{\mu }_i+{\sum }_{i\in {\overline{\mathbb{S}}}^{*}\cup {\overline{\mathbb{U}}}^{*}}^{}{\mu }_{\gamma }}$.
• Choose $b\in \{0,1\}$ and obtain $C_3^{*}={\mathcal{E}}_{s{k}^{*}}\left(m_b\right)$.
• Return $(C_1^{*},C_2^{*},C_3^{*})$.

Response: Finally, $\mathcal{C}$ returns their guess $b^{\prime }\in \left\{0,1\right\}$.

If $\mathcal{C}$ does not abort, the above simulations of all queries are valid and the answers are uniformly distributed. Hence, the adversary cannot find any inconsistency between the simulation and the real world. Therefore, $\mathrm{Pr}[\mathrm{b}={\mathrm{b}}^{\prime }]\ge Adv\left(\mathcal{A}\right)$. For our setting, it is easy to have $\mathrm{Pr}[\neg \mathrm{Event}1]\ge \frac{1}{NL}$. Furthermore, $\mathrm{Pr}\left[\mathrm{Event}2\right]\ge \frac{1}{q_{H_1}}$, hence, the overall probability for $\mathcal{C}$ to solve the asymmetric variant of decision k-BDHE problem is at least $\frac{1}{NL{q}_{H_1}}Adv\left(\mathcal{A}\right)$. The time complexity is $\tau +\mathcal{O}\left(kNL\right){\tau }_E$. □

7. Performance Analysis

7.1. Comparison

According to the evaluation work in [18], we also compare the DAGKA scheme in [23] and the DConBE protocol in [17] with the IBADConBE scheme in this paper in terms of design goals and computation overheads.

Table 1. Comparison of security and functional properties.

Design Goals	DAGKA [23]	DConBE [17]	IBADConBE
Authentication	Yes	No	Yes
Message confidentiality	Yes	Yes	Yes
Known-key security	Yes	Yes	Yes
Dynamic secrecy	Yes	Yes	Yes
Trusted dealer freeness	Yes	Yes	Yes
Receiver non-restriction	No	Yes	Yes
Certificate freeness	Yes	No	Yes
Dynamicity	Yes	Yes	Yes

and Table 2, respectively, list the comparison results.

We make a little modification regarding the design goals that the IBADConBE scheme achieves (see in Section 4.2). In particular, we replace the forward secrecy and backward secrecy with dynamic secrecy. Furthermore, we use trusted dealer freeness to replace no trusted dealer in [18]. As shown in Table 1, one can see that only the IBADConBE scheme realizes design goals, i.e., authentication, message confidentiality, known-key security, dynamic secrecy, trusted dealer freeness, receiver non-restriction, certificate freeness, and dynamicity.

Table 2. Comparison of the computation overheads.

Algorithms	DAGKA [23]	DConBE [17]	IBADConBE
Initialize	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_h$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_m$
Join	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_h$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_m$
Leave	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_h$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_m$
Encrypt	$2t_e$	$3t_e$+$t_{\mathcal{E}}$	$3t_e$+$t_{\mathcal{E}}$+$t_{sg}$
Decrypt	$2t_b$	$2t_b$+$t_m$+$t_e$+$t_{\mathcal{D}}$	$2t_b$+$t_m$+$t_e$+$t_{\mathcal{D}}$+$t_{sv}$

Table 2. Comparison of the computation overheads.

Algorithms	DAGKA [23]	DConBE [17]	IBADConBE
Initialize	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_h$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_m$
Join	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_h$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_m$
Leave	$\mathcal{O}\left(n\right)t_e$+$\mathcal{O}\left(n\right)t_h$+$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_m$	$\mathcal{O}\left(n\right)t_m$
Encrypt	$2t_e$	$3t_e$+$t_{\mathcal{E}}$	$3t_e$+$t_{\mathcal{E}}$+$t_{sg}$
Decrypt	$2t_b$	$2t_b$+$t_m$+$t_e$+$t_{\mathcal{D}}$	$2t_b$+$t_m$+$t_e$+$t_{\mathcal{D}}$+$t_{sv}$

In Table 2, one can see the comparison between the IBADConBE scheme with those in [17,23] in terms of the computational overheads. Let $t_m$/$t_e$ represent the time to compute a scalar multiplication/exponentiation operation in ${\mathbb{G}}_1$ or ${\mathbb{G}}_2$, $t_h$ represent the time to compute a MapToPoint hash [23], and $t_b$ represent the time to compute a scalar bilinear map operation. Furthermore, let $t_{\mathcal{E}}$/$t_{\mathcal{D}}$ denote the time to compute an encryption/decryption operation using a symmetric cryptographic algorithm. $t_{sg}$/$t_{sv}$ denotes the time to generate/verify an identity-based signature. We note that the time of a scalar multiplication operation is trivial in comparison with that of other operations, and some operations that can be pre-computed were ignored. Obviously, the IBADConBE scheme is more efficient than the DAGKA in [23] and has comparable computational overheads with the DConBE in [17].

7.2. Simulations

The main contribution of this paper is to formally prove the security of the IBADConBE scheme in [18]. As for the detailed simulations, they can be found in an experimental part of the work published on 2022 WCNC [18]. Therefore, we only described the simulation results regarding the efficiency of the IBADConBE scheme based on the experimental part of the work published on 2022 WCNC. The settings of the simulations are consistent with those in [18]. In particular, the MIRACL library [22] was used to implement each algorithms of the IBADConBE scheme. The BN curve with a 128-bit security level was selected. The simulations were run on a RaspberryPi 3b+ with an ARM Cortex-A53 CPU at a frequency of 1.4 GHz. The group size was set from 3 to 180. Since GlobeSetup and Enrollment were only invoked once, the overall execution time of the IBADConBE scheme is mainly determined by Initialize, Join, Leave, Encrypt and Decrypt algorithms. We note that, under the above settings, the simulation results in this paper are consistent with those in [18]. Hence, in this paper, we only need to briefly describe the simulation results. As shown in Figure 2, when the group size ranges from 3 to 180, Initialize costs from $0.25$ s to $0.98$ s, the running time of Join for the new wireless node ranges from $0.16$ s to $0.58$ s while the running time of Join for each group member is from $0.35$ s to $0.79$ s. We note that the execution time of the above algorithms is largely influenced by the group size. The execution time of Encrypt and Decrypt algorithms slightly increases with the group size. Particularly when the group size is 180, the overall running time of Encrypt and Decrypt is still less than $0.2$ s. This result demonstrates that the IBADConBE scheme can be stably and efficiently implemented, even in large groups.

The scalability of the original IBADConBE scheme is quite a new and interesting investigation for us. In fact, our scheme is scalable and can support a larger group size. A general idea is to divide a large group into several subgroups so that the scheme could be effectively applied into each subgroup. We note that the execution time of the encrypt algorithm will increase a little accordingly since a sender has to encrypt a message for multiple times (for each subgroup, less than 0.2 s is required), but the efficiency of the Decrypt algorithm will not be affected.

8. Conclusions

In this paper, our main focus was to formalize the security analysis of the identity-based authenticated dynamic contributory broadcast encryption (IBADConBE) scheme. The IBADConBE scheme achieves various security and functional properties, including authentication, message confidentiality, known-key security, dynamic secrecy, trusted dealer freeness, receiver non-restriction, certificate freeness, and dynamicity. However, the original scheme lacked a formal proof to demonstrate that it captured these security properties. Therefore, we first reviewed the IBADConBE scheme and then designed a security model to capture its security properties. Under this model, we provided concrete security proofs based on the asymmetric variant of the decision k-BDHE assumption. Finally, we presented a comparison and simulations to show the efficiency of the IBADConBE scheme. As for future work, it would be interesting to consider penetration testing for networks supporting our model.