HAL Id: inria-00071348
https://hal.inria.fr/inria-00071348v2
Submitted on 6 Nov 2006
Efficient and Dynamic Group Key Agreement in Ad hoc Networks
Raghav Bhaskar, Paul Mühlethaler, Daniel Augot, Cédric Adjih, Saadi Boudjit, Anis Laouiti
To cite this version:
Raghav Bhaskar, Paul Mühlethaler, Daniel Augot, Cédric Adjih, Saadi Boudjit, et al. Efficient and Dynamic Group Key Agreement in Ad hoc Networks. [Research Report] RR-5915, INRIA. 2006. inria-00071348v2
AGDH (Asymmetric Group Diffie Hellman): An Efficient and Dynamic Group Key Agreement Protocol for Ad Hoc Networks
Cédric Adjih, Daniel Augot, Raghav Bhaskar, Saadi Boudjit, Paul Mühlethaler
Themes COM and SYM: Communicating Systems and Symbolic Systems
Projects Codes and HiperCom
Research Report No. 5915, October 2006, 19 pages
Abstract: Confidentiality, integrity and authentication are more relevant issues in Ad hoc networks than in wired fixed networks. One way to address these issues is the use of symmetric key cryptography, relying on a secret key shared by all members of the network. But establishing and maintaining such a key (also called the session key) is a non-trivial problem. We show that Group Key Agreement (GKA) protocols are suitable for establishing and maintaining such a session key in these dynamic networks. We take an existing GKA protocol, which is robust to connectivity losses, and discuss all the issues for the good functioning of this protocol in Ad hoc networks. We give implementation details and network parameters, which significantly reduce the computational burden of using public key cryptography in such networks.
Key-words: Ad Hoc Networks, cryptographic protocols, Diffie-Hellman protocol
... of efficient key agreement for ad hoc networks
Summary: Problems of confidentiality, integrity and authentication are increasingly prevalent in ad hoc networks, but also in fixed wired networks. One approach to these problems is to use symmetric (or secret-key) cryptography, relying on a key shared by all members of the network. But establishing and maintaining such a key, called a session key, is a non-trivial problem. We show that group key agreement protocols (GKAs) are well suited to establishing and maintaining such session keys in dynamic networks. We consider an already established protocol, which is robust to connectivity losses, and we examine all the problems related to the proper functioning of this protocol in ad hoc networks. We give implementation details and network parameters, which considerably reduces the computational load associated with the use of public keys in such networks.
Keywords: ad hoc networks, cryptographic protocols, Diffie-Hellman protocol
1 Introduction
A Mobile Ad hoc NETwork (MANET) is a collection of mobile nodes connected via a wireless medium forming an arbitrary topology. Implicit herein is the ability for the network topology to change over time as links in the network appear and disappear. To maintain the network connectivity, a routing protocol must be used. An important security issue is that of the integrity of the network itself. Quite a lot of studies have already been done to resolve security issues in existing routing protocols (see [HPJ02], [PMdS03], [ACJ+03b], [ACL+05]).
An orthogonal security issue is that of maintaining confidentiality and integrity of data exchanged between nodes in the network. The task of ensuring end-to-end security of data communications in MANETs is equivalent to that of ensuring end-to-end security in traditional wired networks. Many studies have been carried out to solve this problem. One widespread solution is to create a virtual private network (VPN) in a tunnel between the two communicating nodes. IPSec is a well known security architecture which allows such VPNs to be built between two communicating nodes. However this solution requires a different secret key for each end-to-end connection. Moreover the VPN solution can only handle unicast traffic. An alternative solution is the use of a shared secret key. There are many issues with such an approach. First, this key must be distributed among the network nodes. Second, to avoid the compromising of this key it is required to renew the key often. A solution to these two issues is the use of a Group Key Agreement protocol, which relies on the principles of public key cryptography.
A Group Key Agreement protocol (GKA) is a key establishment technique in which a shared secret is derived by more than two participants as a function of information publicly contributed by each of them. They are especially well suited to moderate sized groups with no central authority to distribute keys. An authenticated group key agreement protocol provides the property of key authentication (also called implicit key authentication), whereby each participant is assured that no other party besides the participants can gain access to the computed key. GKA protocols are different from group key distribution (or key transport) protocols wherein one participant chooses the group key and communicates it to all others. GKA protocols help in deriving keys which are composed of each one's contribution. This ensures that the resulting key is fresh (for a given session) and is not favorable to one participant in any way. The following security goals can be identified for any GKA protocol.
1) Key Secrecy: The key can be computed only by the participants.
2) Key Independence: Knowledge of any set of group keys does not lead to the knowledge of any other group key not in this set (see [BM03]).
3) Forward Secrecy: Knowledge of some long term secret does not lead to the knowledge of past group keys.
An important advantage of a group key agreement protocol over a simple group key distribution scheme is the forward secrecy. This property can be particularly interesting in situations where some nodes are likely to be compromised (e.g. in military scenarios). In such scenarios, using a GKA, the knowledge of the long term secret of this node does not compromise all past session keys. From a functional point of view, it is desirable to have procedures to handle the dynamism in the network. These procedures enable efficient merging or partitioning of two groups in the network.
2 Related Work
Key establishment protocols for networks can be broadly classified into three classes: Key transport using symmetric cryptography, Key transport using asymmetric cryptography and Key agreement using asymmetric cryptography. In key transport protocols, one participant chooses the group key and securely transfers it to other participants using a priori shared secrets (symmetric or asymmetric). These protocols are not suitable for ad hoc networks for two reasons; firstly, they require a single trusted authority to distribute keys and secondly, compromise of the a priori secret of any participant breaches the security of all past group keys, thus failing to provide forward secrecy. Thus GKA protocols are more relevant since they provide this forward secrecy property.
Most group key agreement protocols are derived from the two-party Diffie-Hellman key exchange protocol. GKA protocols not based on Diffie-Hellman are few and include the protocols of Pieprzyk and Li [PL00], Tzeng and Tzeng [TT00] and Boyd and Nieto [BN03]. Both protocols of Pieprzyk and Li [PL00] and Boyd and Nieto [BN03] fail to provide forward secrecy while the protocol of Tzeng and Tzeng [TT00] is quite resource-intensive and prone to certain attacks [BN03]. Forward Secrecy is a very desirable property for key establishment protocols in ad hoc networks, as some nodes can be easily compromised due to low physical security of nodes. Thus it is essential that compromise of one single node does not compromise all past session keys. We summarize and compare in Table 1 existing GKA protocols based on Diffie-Hellman protocols. We compare essentially the unauthenticated versions of the protocols, as most achieve authentication by using digital signatures in a very similar manner and thus have similar added costs for achieving authentication. We compare the efficiency of these protocols based on the following parameters:
• Number of synchronous rounds: In a single synchronous round, multiple independent messages can be sent in the network. The total time required to run a round-efficient GKA protocol can be much less than other GKA protocols that have the same number of total messages but more rounds. This is because the nodes spend less time waiting for other messages before sending their own.
• Number of messages: This is the total number of messages (unicast or broadcast) exchanged in the network to derive the group key. For multiple hop ad hoc networks, the distinction between unicast and broadcast messages is important as the latter can be much more energy consuming (for the whole network) than the former.
• Number of exponentiations: All Diffie-Hellman based GKA protocols require a number of modular exponentiations to be performed by each participant. Relative to all cryptographic operations, a modular operation is the most computationally intensive operation and thus gives a good indication of the computational cost for each node.

| Protocol | Expo per $U_i$ | Messages | Broadcasts | Rounds |
|---|---|---|---|---|
| ITW [ITW82] | $m$ | $m(m-1)$ | $0$ | $m-1$ |
| GDH.1 [STW96] | $i+1$ | $2(m-1)$ | $0$ | $2(m-1)$ |
| GDH.2 [STW96, BCP02] | $i+1$ | $m-1$ | $1$ | $m$ |
| GDH.3 [STW96] | $3$ | $2m-3$ | $2$ | $m+1$ |
| Perrig [Per99] | $\log_2 m + 1$ | $m$ | $m-2$ | $\log_2 m$ |
| Dutta [DB05] | $\log_3 m$ | $m$ | $m$ | $\log_3 m$ |

Table 1: Comparison of non constant rounds GKA protocols

| Protocol | Expo per $U_i$ | Messages | Broadcasts | Rounds | Structure | FS |
|---|---|---|---|---|---|---|
| Octopus [BW98] | $4$ | $3m-4$ | $0$ | $4$ | Hypercube | Yes |
| BDB [BD94, KY03] | $3$ | $2m$ | $m$ | $2$ | Ring | Yes |
| BCEP [BCEP03] | $2$ † | $2m$ | $0$ | $2$ | None | No |
| Catalano [BC04] | $m+1$ | $2m$ | $0$ | $2$ | None | Yes |
| KLL [KSML04] | $3$ | $2m$ | $2m$ | $2$ | Ring | Yes |
| NKYW [NLKW04] | $2$ ‡ | $m$ | $1$ | $2$ | None | Yes |
| STR [SSDW88, KPT04] | $(m-i)$ ∗ | $m$ | $1$ | $2$ | Skewed tree | Yes |
| Ours (AGDH) | $2$ ∗∗ | $m$ | $1$ | $2$ | None | Yes |

†: $m$ exponentiations for the base station.
‡: $m+1$ exponentiations and $m-1$ inverse calculations for the parent node.
∗: Up to $2m$ exponentiations for the sponsor node.
∗∗: $m$ exponentiations for the leader.
Table 2: Comparison of constant round GKA protocols
Communication costs still remain the critical factor for choosing energy-efficient protocols for most ad hoc networks. A modular exponentiation (which is most efficiently done using elliptic curve cryptography) can be performed in a few tens of milliseconds on most palmtops, whereas message propagation in multi-hop ad hoc networks can be easily of the order of a few seconds and has energy implications for multiple nodes in the network. As can be seen in Table 1, most existing GKA protocols require $O(m)$ rounds of communication for $m$ participants in the protocol. Such protocols do not scale well in ad hoc networks. Even tree-based GKA protocols with $O(\log m)$ rounds can be quite demanding for medium to large sized ad hoc networks. Therefore constant-round protocols are better suited for ad hoc networks.
Among the constant round protocols (see Table 2), Octopus [BW98], BDB [KY03] and KLL [KSML04] require special ordering of the participants. This results in messages sent by some participant being dependent on that of others. In such a case, failure of a single node can often halt the protocol. Thus such protocols are not robust enough to adapt well to the dynamism of ad hoc networks. The BCEP protocol [BCEP03] involves a base station, and fails to provide forward secrecy if the long-term secret of the base station is revealed. The Bresson and Catalano protocol [BC04] is computationally demanding with $O(m)$ exponentiations for each participant. Another drawback is that if any participant's message is lost in the first round, the whole protocol is brought to a halt, as the secret sharing scheme implies all $m$ contributions are required to compute the key. Thus only the protocols NKYW and STR (described below in detail) seem to be usable in MANETs.
NKYW [NLKW04]: The original paper proposes this protocol for ad hoc networks composed of devices with unequal computational powers. In the first round, each participant $M_i$ unicasts its contribution $g^{r_i}$, $i \in [1, n-1]$, to a fixed node $M_n$, called the parent node. The parent node chooses random $r$ and $r_n$ and computes $w = g^{r}$, $x_n = g^{r r_n}$ and $x_i = (g^{r_i})^{r}$ for each received $g^{r_i}$. It broadcasts $w$ and $\{x_n * \prod_{j \neq i} x_j\}_i$. The key is derived from $\prod_i x_i$. The protocol remains a bit expensive computationally compared to the protocol that will be described in this paper.
STR [SSDW88, KPT04]: This protocol was proposed by Steer et al. in [SSDW88] for static groups. Perrig et al. proposed procedures to handle group changes in [KPT04]. Although this protocol has not been cited as a constant round protocol till now, we explain here in detail why this protocol is indeed a constant round protocol. In the first round, each participant $M_i$ broadcasts its contribution $g^{r_i}$ (also known as its blinded key). In the second round, a key-tree as shown in Figure 1, where each leaf node represents a participant, is constructed using participant IDs or the value of the contributions. The node in the bottom-most, left-most position in the tree is called the sponsor. The sponsor node broadcasts the set of blinded keys for all the intermediate nodes up to the root node. For the case shown in Figure 1, the broadcast message is $\{g^{r_1}, g^{r_2}, g^{r_3}, g^{r_4}, g^{g^{r_1 r_2}}, g^{g^{r_3 \cdot g^{r_1 r_2}}}\}$. The group key is $K = g^{r_4 \cdot g^{r_3 \cdot g^{r_1 r_2}}}$. Participant $M_i$ has to perform $m - i$ exponentiations except the sponsor which has to compute $2m$ exponentiations. The protocol lacks a proof of security against active adversaries.
Thus both these protocols are computationally more expensive compared to the protocol that will be described in this paper.
The contributions of this paper are the following:
• an authenticated dynamic group key agreement protocol is recalled [ABIS05],
• the mechanisms that must be used in a MANET to implement this group key agreement protocol are described,
• a precise study of the cryptographic parameters that this group key agreement protocol must use in the context of an ad hoc network is carried out.
[Figure 1: key tree with leaves $M_1$, $M_2$, $M_3$, $M_4$ labelled $g^{r_1}$, $g^{r_2}$, $g^{r_3}$, $g^{r_4}$, and upper nodes labelled $g^{r_1 r_2}$, $g^{r_3 g^{r_1 r_2}}$ and $g^{r_4 g^{r_3 g^{r_1 r_2}}}$.]
Figure 1: The STR Protocol
Finally, the adapted version of the group key agreement protocol that we propose, which we call AGDH for Asymmetric Group Diffie Hellman, is among the very few group key agreement protocols suitable for ad hoc networks.
The paper is organized as follows:
• Section 3 recalls the group key agreement protocol. We describe the basic functioning of the protocol only,
• Section 4 explains how this group key agreement protocol can be implemented in an ad hoc network. The main issues discussed in this section include the election of a leader in the ad hoc network and the actions that must be undertaken to handle splits and mergers in the ad hoc network,
• Section 5 discusses the overhead of cryptographic operations.
3 Presentation of AGDH
We recall an existing group key agreement protocol in this section. We first illustrate the basic principle of key exchange, followed by a detailed explanation of how it is employed to derive Initial Key Agreement, Join/Merge and Delete/Partition procedures to handle dynamism in ad hoc groups.
3.1 Notation
$G$: A subgroup (of prime order $q$ with generator $g$) of some group.
$U_i$: $i$-th participant amongst the $n$ participants in the current session.
$U_l$: The current group leader ($l \in \{1, \ldots, n\}$).
$r_i$: A random number (from $[1, q-1]$) generated by participant $U_i$. Also called the secret for $U_i$.
$g^{r_i}$: The blinded secret for $U_i$.
$g^{r_i r_l}$: The blinded response for $U_i$ from $U_l$.
$\mathcal{M}$: The set of indices of participants (from $\mathcal{P}$) in the current session.
$\mathcal{J}$: The set of indices of the joining participants.
$\mathcal{D}$: The set of indices of the leaving participants.
$x \leftarrow y$: $x$ is assigned $y$.
$x \xleftarrow{r} S$: $x$ is randomly drawn from the uniform distribution $S$.
$U_i \longrightarrow U_j : \{M\}$: $U_i$ sends message $M$ to participant $U_j$.
$U_i \xrightarrow{B} \mathcal{M} : \{M\}$: $U_i$ broadcasts message $M$ to all participants indexed by $\mathcal{M}$.
$N_i$: Random nonce generated by participant $U_i$.
$V_{PK_i}\{msg_i, \sigma_i\}$: Signature verification algorithm which returns 1 if $\sigma_i$ is a valid signature on message $msg_i$, else 0.
3.2 A Three Round Protocol
3.2.1 The formal description
Please note that in the following rounds each message is digitally signed by the sender ($\sigma_i^j$ is the signature on message $msg_i^j$ in Tables 3-5) and is verified (along with the nonces) by the receiver before following the protocol. Thus we omit to describe these steps, which are formally shown in Tables 3-5.
Protocol Steps:
Round 1: The chosen group leader, $M_l$, makes an initial request (INIT) with his identity, $U_l$, and a random nonce $N_l$ to the group $\mathcal{M}$.
Round 2: Each interested $M_i$ responds to the INIT request with an IREPLY message which contains his identity $U_i$, a nonce $N_i$ and a blinded secret $g^{r_i}$ to $M_l$ (see Table 3 for exact message contents).
Round 3: $M_l$ collects all the received blinded secrets, raises each of them to its secret ($r_l$) and broadcasts them along with the original contributions to the group, i.e. it sends an IGROUP message that contains $\{U_i, N_i, g^{r_i}, g^{r_i r_l}\}$ for all $i \in \mathcal{M} \setminus \{l\}$.
Key Calculation: Each $M_i$ checks if its contribution is included correctly and obtains $g^{r_l}$ by computing $(g^{r_i r_l})^{r_i^{-1}}$. The group key is

$$\mathrm{Key} = g^{r_l} * \prod_{i \in \mathcal{M} \setminus \{l\}} g^{r_i r_l} = g^{r_l \left(1 + \sum_{i \in \mathcal{M} \setminus \{l\}} r_i\right)}.$$
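The three rounds and the key calculation above can be run end to end in the following added Python example, which is not code from the report or its authors. It assumes a constructed toy group and hypothetical names (`Party`, `igroup`, `member_key`, `leader_key`, `run_agdh`), leaves out the signatures and signature checks the protocol applies to every message, and counts exponentiations so the AGDH costs listed in Table 2 can be checked.

```python
import secrets
from math import prod

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 with P and Q prime, and G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

class Party:
    """A participant U_i that counts its own modular exponentiations."""
    def __init__(self, uid):
        self.uid = uid
        self.r = 1 + secrets.randbelow(Q - 1)   # secret r_i in [1, q-1]
        self.nonce = secrets.token_hex(8)       # nonce N_i
        self.expos = 0

    def exp(self, base, e):
        self.expos += 1
        return pow(base, e, P)

    def ireply(self):
        """Round 2: IREPLY carries {U_i, N_i, g^{r_i}}."""
        self.blinded = self.exp(G, self.r)
        return (self.uid, self.nonce, self.blinded)

def igroup(leader, replies):
    """Round 3: the leader appends g^{r_i r_l} to every received contribution."""
    return [(u, n, b, leader.exp(b, leader.r)) for (u, n, b) in replies]

def member_key(member, msg):
    """Check that our own contribution is echoed unchanged, then derive the key."""
    entry = next((e for e in msg if e[0] == member.uid), None)
    if entry is None or entry[1:3] != (member.nonce, member.blinded):
        raise ValueError("own contribution missing or altered in IGROUP")
    g_rl = member.exp(entry[3], pow(member.r, -1, Q))   # (g^{r_i r_l})^{1/r_i}
    return g_rl * prod(e[3] for e in msg) % P

def leader_key(leader, msg):
    """The leader knows r_l, so it computes g^{r_l} directly."""
    return leader.exp(G, leader.r) * prod(e[3] for e in msg) % P

def run_agdh(m):
    """One unauthenticated session with m participants, leader included."""
    leader = Party("U_l")
    members = [Party(f"U_{i}") for i in range(1, m)]
    msg = igroup(leader, [u.ireply() for u in members])
    keys = [leader_key(leader, msg)] + [member_key(u, msg) for u in members]
    return leader, members, msg, keys
```

After `run_agdh(m)`, each member's `expos` is 2 and the leader's is `m`. The inverse `r_i^{-1}` is taken modulo the subgroup order `Q`, not modulo `P`.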
Note: