Lightweight Noninteractive Membership Authentication and Group Key Establishment for WSNs

Wireless sensor networks (WSNs) exhibit their potential in the next generation of mobile communication networks and wireless systems (5G). Collected data in WSNs differ from most data transmitted in digital communication applications: most collected data in WSNs contain only a few bits of information. Conventional protocols are not suitable for WSNs, since this environment needs more flexible and lightweight protocols for secure group communications. Hence, how to realize mutually secure and lightweight communication is a big challenge for WSNs. User authentication and key establishment are two fundamental security services in secure communications for WSNs. In this paper, we propose a novel design which embeds the functions of membership authentication and group key establishment in WSNs. By using an asymmetric bivariate polynomial, membership authentication and pairwise shared key distribution are realized. Then, each member mixes his/her input with the pairwise shared keys shared with other members and releases the encrypted value in a broadcast channel. After collecting all released values, each member can compute the group key efficiently. Our proposal is noninteractive and lightweight. As it enjoys low computation and communication costs compared with the state-of-the-art cryptographic solutions, this design is more suitable for efficient membership authentication and group key establishment in WSNs.


Introduction
Wireless Sensor Networks (WSNs) have been developed to collect data remotely for various applications [1,2]. For example, data have been collected for traffic analysis, weather prediction, and medical analysis [3,4]. For security reasons, the collected data need to be protected from eavesdropping. Data encryption requires that the source node and the receiver node share a pairwise key. The source node encrypts the collected data under the shared key, and the receiver node decrypts the ciphertext under the shared key to recover the data.
In general, security research in WSNs is focused on the development of key establishment and key management solutions. Random key predistribution schemes [5][6][7] have been developed to allow two sensors to establish a shared key. Random key distribution is a probabilistic scheme and does not guarantee connectivity in WSNs: each sensor is preloaded with k keys randomly selected from a large pool of keys. Blom [8] proposed the first pairwise key establishment scheme based on threshold cryptography. This approach is a deterministic scheme which can guarantee connectivity in WSNs. Blundo et al. [9] discussed key establishment using polynomials. Khan et al. [10] proposed a predistribution scheme using a symmetric matrix and a generator matrix of maximum rank distance to establish pairwise keys for sensor nodes. Group key distribution based on bivariate polynomials [11][12][13][14] has also been developed to allow a group of sensors to establish a shared key deterministically. The design of WSNs has been classified into two types: flat and hierarchical. In flat WSNs, all sensors have the same capabilities to collect data and forward data to other sensors in the network. In hierarchical WSNs, devices are organized into a hierarchy based on their capabilities. Key management protocols in WSNs have likewise been proposed for the two types, flat and hierarchical.
Collected data in WSNs differ from most data in digital communication applications. Most collected data in WSNs, for example, weather or traffic data, contain only a few bits of information. Conventional protocols are not suitable for WSNs, since WSNs need faster and more lightweight protocols for secure group communications.
User authentication and key establishment are two fundamental security services in secure communications for WSNs. User authentication is the process of determining whether someone is, in fact, who they claim to be. Key establishment is the process of distributing a secret communication key to all users. The key can be used to protect the secrecy or integrity of messages exchanged in the communication.
In general, key distribution schemes can be classified into two types: centralized key distribution schemes (CKDs) and distributed key distribution schemes (DKDs). In a CKD, the key distribution is served by a server. During registration, each user shares a secret key with the authentication server. Later, a one-time session key is determined by the server and encrypted under each user's preshared key, and the ciphertext is sent to each user in one-to-one communication. This type of key distribution is very efficient, and its security rests on a trusted server. Many practical network security schemes use this type of key distribution, for example, Kerberos [15] and IEEE 802.11 [16]. In a DKD, the key distribution is performed by all users. Every user interacts with every other user to determine a one-time session key which is known only to the participating users. The Diffie-Hellman public-key distribution scheme [17] is one of the most well-known DKDs. Many research papers [18,19] have proposed schemes which belong to this type. In a DKD, there is no centralized trust, and there are more interactions among users.
Most traditional communications are one-to-one. The majority of key distribution schemes focus on establishing a pairwise shared key between two users. Modern communications are increasingly one-to-many, such as multicast or conferencing, in which a group key needs to be established among all users. The Diffie-Hellman public-key distribution scheme [17], invented in 1976, only establishes a pairwise shared key between two users. Many research papers [18,19] extend the original Diffie-Hellman scheme to establish a group key. In 2004, Joux [20] devised a simple three-party Diffie-Hellman group key exchange scheme based on bilinear pairings. Pairing-based cryptography uses a pairing that maps elements of two cryptographic groups into a third group. Using extended Chebyshev chaotic maps, Abbasinezhad-Mood and Nikooghadam [21] proposed an anonymous password-authenticated key exchange protocol. In 1992, Blundo et al. [9] proposed a noninteractive k-secure m-conference scheme based on a multivariate polynomial. Their scheme can establish a conference key among m participants, but the storage space of each user grows exponentially with the size of the conference, which makes their scheme impractical for large groups. Laih et al. [22] proposed the first group key distribution scheme based on secret sharing. During registration, each group member obtains a token from the group manager, who can then distribute a group key to all participating members in a single broadcast. There are many published papers based on this approach [23,24].
In this paper, we propose a novel design which embeds the functions of membership authentication and group key establishment. We present this efficient lightweight membership authentication and group key establishment based on an asymmetric bivariate polynomial and the logical Exclusive-OR (XOR) operation. During registration, each member receives a "token" from the membership registration center (MRC). Tokens are generated from an asymmetric bivariate polynomial, and each token consists of univariate polynomials. Each member uses the token for membership authentication and pairwise shared key establishment. Then, using the XOR operation, each member mixes his/her input with the pairwise shared secrets held with other users, encrypts the computed value under the pairwise shared keys, and sends this value to the other members. After collecting all values from the other members, each member can compute the group key. This proposed lightweight scheme is especially suitable for WSNs.
In summary, the contributions of this paper are as follows: (i) An efficient lightweight membership authentication and group key establishment scheme for WSNs is proposed. (ii) Tokens generated by an asymmetric bivariate polynomial can be used for both membership authentication and pairwise shared key establishment. (iii) Our approach is very efficient since no additional membership authentication or pairwise shared key establishment is needed. (iv) Our protocol is secure against inside attackers and outside attackers. Furthermore, confidentiality, authentication, freshness, forward secrecy, and backward secrecy of the group key can be achieved. (v) One unique feature of our group key establishment is that the XOR operation is the main computation, so it is lightweight. The organization of this paper is as follows. In Section 2, we provide some preliminaries about bivariate polynomials. In Section 3, we present the model of our protocol, including the protocol description, the types of adversaries, and the security properties of our proposed protocol. Our proposed protocol, including three parts, (a) token generation, (b) membership authentication, and (c) group key establishment, is given in Section 4. In Section 5, we analyze the security and performance of this protocol. The conclusion is given in Section 6.

Preliminaries
In Shamir's (t, n) SS [25], the dealer selects a univariate polynomial, f(x), with degree t − 1 and f(0) = s, where s is the secret. The dealer generates shares, f(x_i) mod p, i = 1, 2, ..., n, for the shareholders, where p is a prime with p > s and x_i is the public information associated with each shareholder, U_i. Each share, f(x_i), is an integer in GF(p). Shamir's (t, n) SS satisfies the security requirements of a (t, n) SS, that is, (a) t or more shares can reconstruct the secret and (b) fewer than t shares reveal no information about the secret. Shamir's SS is unconditionally secure.
In Shamir's (t, n) SS, shareholders cannot verify the validity of the shares obtained from the dealer. In 1985, Chor et al. [26] extended the notion of SS and proposed the first verifiable secret sharing (VSS). Verifiability is the property of a VSS which allows shareholders to verify their shares. Invalid shares may be caused either by the dealer during share generation or by channel noise during transmission. VSS is performed by the shareholders after receiving their shares from the dealer and before using their shares to reconstruct the secret. If invalid shares are detected, shareholders can request the dealer to regenerate new shares. There are many (t, n) VSSs [27][28][29][30][31][32] using bivariate polynomials, denoted as BVSSs. A bivariate polynomial with degree t − 1 can be represented as F(x, y) = Σ_{i=0}^{t−1} Σ_{j=0}^{t−1} a_{i,j} x^i y^j mod p. We can classify BVSSs into two types, the symmetric BVSSs, denoted as SBVSSs [28,30,32], and the asymmetric BVSSs, denoted as ABVSSs [27,29,31]. If the coefficients satisfy a_{i,j} = a_{j,i}, ∀i, j ∈ [0, t − 1], it is a symmetric bivariate polynomial. Shares generated by a bivariate polynomial can be used to establish pairwise keys between any pair of shareholders. In all (t, n) SBVSSs, the dealer selects a bivariate polynomial, F(x, y), with degree t − 1 and F(0, 0) = s, where s is the secret. The dealer generates shares, F(x_i, y) mod p, i = 1, 2, ..., n, for the shareholders, where p is a prime with p > s and x_i is the public information associated with each shareholder, U_i. Each share, F(x_i, y), is a univariate polynomial with degree t − 1. Note that shares generated in an SBVSS satisfy F(x_i, x_j) = F(x_j, x_i), so a pairwise secret key, F(x_i, x_j), can be established between the pair of shareholders, U_i and U_j: U_i evaluates its share F(x_i, y) at y = x_j and U_j evaluates its share F(x_j, y) at y = x_i. In a similar way, in an ABVSS, the dealer generates a pair of shares, F(x_i, y) mod p and F(x, x_i) mod p, i = 1, 2, ..., n, for each shareholder, and the pairwise secret key, F(x_i, x_j) or F(x_j, x_i), can also be established between the pair of shareholders, U_i and U_j.
In this paper, we propose a novel design of efficient lightweight membership authentication and group key establishment for WSNs. Our design integrates solutions of membership authentication, pairwise shared key establishment, and group key establishment together. In other words, we propose to use a bivariate polynomial to generate tokens. Tokens of members obtained during registration can be used for (a) membership authentication; (b) pairwise shared keys distribution; and (c) group key establishment. However, most of the existing cryptographic solutions need additional membership authentication and shared keys distribution and also need interactive communications or complex computations for encryption and decryption [33][34][35][36].

Model of Our Proposed Protocol
In this section, we describe the model of our proposed membership authentication and group key agreement protocol for WSNs including the network model and security model, which provide the type of adversaries and security features.

Protocol Description for the Network Model.
Without loss of generality, suppose that there is a mutually trusted membership registration center (MRC) and there are n users, U_1, U_2, ..., U_n, involved in group communications. Each user is required to register at the MRC, and the MRC manages all registered users, which includes removing unsubscribed users and adding new users. In order to achieve secure communications, each group's session key needs to be securely distributed to all corresponding group members prior to exchanging messages. If all participants are members and act honestly, the protocol succeeds, i.e., only the members belonging to the same group can derive this group's session key. Otherwise, it fails, i.e., the group members obtain nothing. Thus, membership authentication before group key establishment is necessary.
In our proposed protocol, each user needs to register at the MRC initially and obtain a secret token. The MRC selects an asymmetric bivariate polynomial and generates the tokens. The token of each user consists of two univariate polynomials: one of degree t − 1 in x and the other of degree h − 1 in y.
In order to establish a secure group communication involving m (i.e., 2 ≤ m < n) members, a membership authentication is executed first, in which all participating users interact with each other to prove that they belong to the same group. In the membership authentication, each member broadcasts a random integer. After receiving all random integers, each member uses his secret token to compute pairwise shared keys and then computes a hash output as his authentication response. Members use these authentication responses to authenticate each other's membership. This membership authentication can also identify nonmembers. At the end of membership authentication, each member knows exactly which of the users participating in the secure group communication are members. Then, using the XOR operation, each member mixes his/her input with the pairwise shared keys, encrypts the computed value under the pairwise shared keys, and sends this value to the other members. After collecting all values from the other members, each member can compute the group key; that is, a secret group session key is obtained by each member individually.
There is no further interaction with other members to compute the group key. Thus, our proposed protocol is very efficient in both membership authentication and group key establishment, since only broadcast transmission is used.
Furthermore, the computation of each member needs only polynomial evaluation, XOR computation, and hash functions, which are much faster than most public-key computations. We give a detailed discussion of its performance in Section 5.

Security Model.
Now, we introduce the security model, which includes the types of adversaries and the required security features for secure group communication. These security requirements are analyzed in Section 5.

Type of Adversaries.
We consider two types of attacks: inside and outside attacks. Inside attackers are legitimate members who have obtained valid tokens from the MRC. In an inside attack, colluding members try to recover the MRC's secret polynomial used to generate the tokens and then use the recovered polynomial to derive tokens and obtain group keys which they are not authorized to access. On the other hand, outside attackers are nonmembers who try to generate valid member tokens and use them to impersonate members in a secure group communication, or to recover secret group keys which they are not authorized to access. In Section 5, we give a detailed security analysis against these two types of attackers.

Security Features.
For secure group communication, the group key establishment protocol needs to have the following security features.

Our Proposed Protocol
In this section, we present a membership authentication and group key establishment protocol using an asymmetric bivariate polynomial and the XOR operation. The protocol is described in Algorithm 1. There are three phases in our protocol: (a) token generation, (b) membership authentication, and (c) group key establishment and authentication. For each phase, we give an illustrative figure in Figures 1-3, respectively.

Algorithm 1. Membership authentication and group key establishment

Token generation
The MRC selects a prime p and an asymmetric bivariate polynomial F(x, y) = Σ_{i=0}^{t−1} Σ_{j=0}^{h−1} a_{i,j} x^i y^j mod p, of degree t − 1 in x and h − 1 in y. Each registered user U_i is associated with public information x_i and receives the secret token (s_i(y), s_i(x)) = (F(x_i, y) mod p, F(x, x_i) mod p), i = 1, 2, ..., n.

Membership authentication
We assume that m (i.e., 2 ≤ m < n) users, U_{v_1}, U_{v_2}, ..., U_{v_m}, want to engage in a group key establishment in a WSN.
Step 1. Each member U_{v_i} broadcasts a random integer, r_i ∈ GF(p), to all other members, where i = 1, 2, ..., m.
Step 2. The value F(x_{v_i}, x_{v_j}), with x_{v_i} < x_{v_j}, is used as the pairwise shared key k_{i,j} between U_{v_i} and U_{v_j}. Each member U_{v_i} uses one of the shares of his token, s_{v_i}(y) or s_{v_i}(x), to compute the pairwise shared keys k_{i,j}, j = 1, 2, ..., m, j ≠ i, with every other participating user: if x_{v_i} < x_{v_j}, U_{v_i} evaluates s_{v_i}(y) = F(x_{v_i}, y) at y = x_{v_j}; otherwise, U_{v_i} evaluates s_{v_i}(x) = F(x, x_{v_i}) at x = x_{v_j}. In either case, k_{i,j} = k_{j,i} is the secret key shared between U_{v_i} and U_{v_j}.
Step 3. Each member U_{v_i} computes the authentication responses Auth_{i,j} = h(k_{i,j} ‖ r_j), j = 1, 2, ..., m, j ≠ i, where h(k_{i,j} ‖ r_j) is a one-way hash output with k_{i,j} and r_j as inputs. Each Auth_{i,j} is sent to member U_{v_j} publicly for authentication.
Step 4. After receiving Auth_{i,j} = h(k_{i,j} ‖ r_j) from member U_{v_i}, the member U_{v_j} uses the pairwise shared key k_{i,j} computed in Step 2 to compute h(k_{i,j} ‖ r_j) and checks whether it equals the received Auth_{i,j}. If the check succeeds, member U_{v_i} has been authenticated; otherwise, member U_{v_i} has not been authenticated. This process is repeated for all other members.

Group key establishment and authentication
Let us assume that at the end of membership authentication all m members, U_{v_1}, U_{v_2}, ..., U_{v_m}, have been successfully authenticated. Then, the members follow an XOR-based procedure to complete the group key establishment. All information exchanged among members in this phase is encrypted under the pairwise shared keys, k_{i,j}, j = 1, 2, ..., m, j ≠ i, computed in Step 2 of membership authentication.
Step 1. Each member U_{v_i} selects a secret input s_i ∈ GF(p) and broadcasts a random integer, l_i ∈ GF(p), to all other members, where i = 1, 2, ..., m.
Step 2. Each member U_{v_i} mixes his secret input with his pairwise shared keys by computing q_{v_i} = s_i ⊕ k_{i,1} ⊕ ⋯ ⊕ k_{i,m} (j ≠ i).
Step 3. Each member U_{v_i} uses his pairwise shared keys, k_{i,j}, j = 1, 2, ..., m, j ≠ i, to encrypt q_{v_i}, obtaining u_{i,j} = E_{k_{i,j}}(q_{v_i}), and sends u_{i,j} to member U_{v_j}.
Step 4. After receiving u_{j,i} from another member U_{v_j}, member U_{v_i} uses the pairwise shared key k_{i,j} computed in Step 2 of membership authentication to decrypt u_{j,i} as q_{v_j}.
Step 5. Each member U_{v_i} computes K_i = q_{v_1} ⊕ q_{v_2} ⊕ ⋯ ⊕ q_{v_m}. Every pairwise shared key k_{i,j} appears in exactly two of the mixed values, q_{v_i} and q_{v_j}, so the pairwise keys cancel and K_i = s_1 ⊕ s_2 ⊕ ⋯ ⊕ s_m.
Step 6. Each member U_{v_i} computes and broadcasts H(K_i ‖ L), i = 1, 2, ..., m, where L = Σ_{i=1}^{m} l_i and H(K_i ‖ L) is a one-way hash output with K_i and L as inputs, and then checks whether H(K_1 ‖ L) = H(K_2 ‖ L) = ⋯ = H(K_m ‖ L). If the check succeeds, the group key has been authenticated and K_i = K is the secret group communication key; otherwise, the group key has not been authenticated. This process is repeated by all group members U_{v_i}, i = 1, 2, ..., m.

Analysis
In this section, we address the security and performance of our proposed protocol.

Security Analysis.
In this section, we discuss the security features and possible attacks of our protocol as described in Section 3.2.

Security Features
(a) Correctness: In membership authentication, if all participating users are members as they claimed in Step 1, each member, U_{v_i}, can compute the pairwise shared key k_{i,j} in Step 2. Thus, in Step 4, the authentication response, Auth_{i,j} = h(k_{i,j} ‖ r_j), can be used by U_{v_j} to verify U_{v_i}'s membership. Nonmembers cannot forge this authentication response since they do not know the secret token of member U_{v_i}. In group key establishment, correctness follows from the XOR operation on the mixed values q_{v_i}: each pairwise shared key appears in exactly two of them and cancels when all of them are XORed together.
(b) Freshness of authentication responses: in Step 3 of membership authentication, the authentication response, Auth_{i,j} = h(k_{i,j} ‖ r_j), is a hash output of the pairwise shared key and a random integer selected by a participating member. Recording a previously used authentication response cannot impersonate a member, since this random integer is different in every session. (c) Freshness of group keys: in group key establishment, the group key, K = s_1 ⊕ s_2 ⊕ ⋯ ⊕ s_i ⊕ ⋯ ⊕ s_m mod p, is determined by the secret inputs s_i chosen by the members U_{v_i}; this group key is different in every session. (d) Freshness of the group key authentication: in Step 6 of group key establishment, the authentication H(K_i ‖ L) is a one-way hash output whose inputs are the group key, determined by each member's secret input s_i, and the sum of the random integers selected by the participating members. Recording a previously used authentication cannot impersonate a member, since L is different in every session. (e) Confidentiality: the group key, K, can only be computed by the members involved in the secure communication.
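The exchange of Algorithm 1 carried through end to end, as an added Python example (not code from the paper): an MRC issues tokens from an asymmetric bivariate polynomial, each member derives k_{i,j} from the appropriate share, members exchange Auth_{i,j} = h(k_{i,j} ‖ r_j), mix their secret inputs with the pairwise keys, and every member recovers K = s_1 ⊕ ⋯ ⊕ s_m because the pairwise keys cancel, as property (a) states. The modulus, SHA-256 standing in for h and H, and a SHA-256-derived keystream standing in for the unspecified symmetric cipher E are assumptions of the example; `outsider_fails` checks the claim that a nonmember with a made-up token cannot produce a valid response.

```python
import functools
import hashlib
import operator
import secrets

# Assumed parameters (the paper fixes none of them): a 127-bit prime modulus,
# SHA-256 for the one-way hashes h() and H(), and a SHA-256-derived keystream,
# freshened with the session values l_i, as the symmetric cipher E_{k_{i,j}}.
P = (1 << 127) - 1
NBYTES = 16


def to_bytes(v):
    return v.to_bytes(NBYTES, "big")


def poly_eval(coeffs, x, p=P):
    """Horner's rule; coeffs[k] is the coefficient of the k-th power."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


class MRC:
    """Membership registration center holding F(x, y), degree t-1 in x and h-1 in y."""

    def __init__(self, t, h, p=P):
        self.p = p
        self.a = [[secrets.randbelow(p) for _ in range(h)] for _ in range(t)]  # a[i][j] * x^i y^j

    def F(self, x, y):
        return poly_eval([poly_eval(row, y, self.p) for row in self.a], x, self.p)

    def issue_token(self, x_u):
        """Token (s_u(y), s_u(x)) = (F(x_u, y), F(x, x_u)) as coefficient lists."""
        s_y = [sum(self.a[i][j] * pow(x_u, i, self.p) for i in range(len(self.a))) % self.p
               for j in range(len(self.a[0]))]
        s_x = [poly_eval(row, x_u, self.p) for row in self.a]
        return Member(x_u, s_y, s_x, self.p)


class Member:
    def __init__(self, x, s_y, s_x, p=P):
        self.x, self.s_y, self.s_x, self.p = x, s_y, s_x, p

    def pairwise_key(self, x_other):
        """k = F(x_lo, x_hi): the lower public value evaluates its y-share, the higher its x-share."""
        if self.x < x_other:
            return poly_eval(self.s_y, x_other, self.p)  # F(x_self, x_other)
        return poly_eval(self.s_x, x_other, self.p)      # F(x_other, x_self)

    def auth_response(self, x_other, r_other):
        """Auth_{i,j} = h(k_{i,j} || r_j)."""
        return hashlib.sha256(to_bytes(self.pairwise_key(x_other)) + to_bytes(r_other)).digest()


def stream(k, l_sender, l_receiver):
    """Keystream for E_{k_{i,j}}; the l values keep the long-term k from being reused as a pad."""
    d = hashlib.sha256(b"enc" + to_bytes(k) + to_bytes(l_sender) + to_bytes(l_receiver)).digest()
    return int.from_bytes(d[:NBYTES], "big")


def run_session(mrc, xs):
    """Membership authentication followed by group key establishment among members xs."""
    mem = {x: mrc.issue_token(x) for x in xs}
    r = {x: secrets.randbelow(P) for x in xs}                       # MA Step 1: broadcast r_i
    authenticated = all(
        mem[xi].auth_response(xj, r[xj]) == mem[xj].auth_response(xi, r[xj])   # MA Steps 3-4
        for xi in xs for xj in xs if xi != xj)
    s = {x: secrets.randbelow(P) for x in xs}                       # GK Step 1: secret s_i, public l_i
    l = {x: secrets.randbelow(P) for x in xs}
    q = {xi: functools.reduce(operator.xor, (mem[xi].pairwise_key(xj) for xj in xs if xj != xi), s[xi])
         for xi in xs}                                              # GK Step 2: q_i = s_i XOR all k_{i,j}
    u = {(xi, xj): q[xi] ^ stream(mem[xi].pairwise_key(xj), l[xi], l[xj])
         for xi in xs for xj in xs if xi != xj}                     # GK Step 3: u_{i,j} = E_{k_{i,j}}(q_i)
    K = {}
    for xi in xs:
        got = [u[(xj, xi)] ^ stream(mem[xi].pairwise_key(xj), l[xj], l[xi])
               for xj in xs if xj != xi]                            # GK Step 4: recover q_j
        K[xi] = functools.reduce(operator.xor, got, q[xi])          # GK Step 5: every k_{i,j} cancels
    L = sum(l.values()) % P
    tags = {hashlib.sha256(to_bytes(K[x]) + to_bytes(L)).digest() for x in xs}   # GK Step 6
    return {"authenticated": authenticated, "keys": K, "key_confirmed": len(tags) == 1,
            "expected": functools.reduce(operator.xor, s.values())}


def outsider_fails(mrc, x_member, x_out):
    """An outsider with a made-up token cannot produce a valid Auth for a real member."""
    fake = Member(x_out, [secrets.randbelow(P) for _ in mrc.a[0]], [secrets.randbelow(P) for _ in mrc.a])
    victim = mrc.issue_token(x_member)
    r = secrets.randbelow(P)
    return fake.auth_response(x_member, r) != victim.auth_response(x_out, r)
```

Because the k_{i,j} are fixed by the tokens for the lifetime of a registration, whichever cipher is chosen for E must not reuse k_{i,j} as a raw pad across sessions; the example folds the broadcast l_i and l_j into the keystream for that reason, which is also why binding L into the Step 6 confirmation is worthwhile.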

Possible Attacks
Theorem 1 (inside attack). In the proposed protocol, if h > 2t − 2, at least t inside attackers must work together to reconstruct the tokens. The proposed protocol resists up to t − 1 colluding members attempting to recover the secret polynomial F(x, y) of the MRC.
Proof. Inside attackers are legitimate members who own valid tokens obtained from the MRC during registration.
Since F(x, y) = a_{0,0} + a_{1,0} x + a_{0,1} y + a_{1,1} xy + a_{2,0} x^2 + a_{0,2} y^2 + a_{1,2} xy^2 + a_{2,1} x^2 y + a_{2,2} x^2 y^2 + ⋯ + a_{t−1,h−1} x^{t−1} y^{h−1} mod p, that is, F(x, y) = Σ_{i=0}^{t−1} Σ_{j=0}^{h−1} a_{i,j} x^i y^j mod p, is an asymmetric polynomial of degree t − 1 in x and h − 1 in y, it contains th coefficients. In the proposed scheme, each token (s_i(y), s_i(x)) contains two univariate polynomials, of degree h − 1 in y and t − 1 in x, respectively. In other words, each user can use his token to establish t + h linear equations in the coefficients of F(x, y). When t − 1 colluding users put their tokens together, they obtain (t + h)(t − 1) equations in total. At the same time, t − 1 colluding users hold 2·C(t−1, 2) pairwise-key values F(x_i, x_j) and F(x_j, x_i), each of which is obtainable from the token of either party, so that many of these equations are dependent. Hence, with t − 1 colluding users' shares, the number of linearly independent equations is at most (t + h)(t − 1) − 2·C(t−1, 2). If the number of coefficients of F(x, y) is larger than the number of linearly independent equations available to the colluding users, i.e., th > (t + h)(t − 1) − 2·C(t−1, 2), they cannot recover the bivariate polynomial and hence learn no information about the secret. Since (t + h)(t − 1) − 2·C(t−1, 2) = (t − 1)(h + 2), the condition th > (t − 1)(h + 2) simplifies to h > 2t − 2. Hence, if h > 2t − 2, t − 1 colluding inside adversaries cannot recover the secret polynomial F(x, y) selected by the MRC, and at least t inside attackers must work together to reconstruct tokens. The proposed protocol thus resists up to t − 1 colluding members attempting to recover F(x, y). The values of t and h can be selected according to the required security level; for example, when n = t − 1, even all members colluding cannot recover the secret polynomial F(x, y) of the MRC.
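The counting argument in the proof can be checked directly. The following added Python example (not from the paper) builds the linear system in the unknown coefficients a_{i,j} that c colluding token holders obtain and computes its rank over GF(p); the modulus and the public values x_u are illustrative assumptions. The rank it reports is th − (t − c)(h − c), which for c = t − 1 is (t − 1)(h + 1): one fewer per colluder than the proof's count (t + h)(t − 1) − 2·C(t−1, 2), because s_i(y) at y = x_i and s_i(x) at x = x_i are the same value F(x_i, x_i) and contribute a further dependency each. The proof's count is therefore an upper bound and the theorem's condition h > 2t − 2 remains sufficient; the example also shows that when h < t, fewer than t colluders already reach full rank, which is why h must not be chosen small.

```python
from math import comb

# Assumed, illustrative modulus; only distinctness of the public values x_u matters for the rank.
P = 2**31 - 1


def token_rows(t, h, xs):
    """Rows of the linear system over GF(P) in the unknown vector (a_{i,j}), index i*h + j.

    For user x_u the share s_u(y) = F(x_u, y) reveals, for every j, sum_i a_{i,j} x_u^i,
    and the share s_u(x) = F(x, x_u) reveals, for every i, sum_j a_{i,j} x_u^j.
    """
    rows = []
    for x in xs:
        for j in range(h):                      # coefficient of y^j in s_u(y)
            rows.append([pow(x, i, P) if jj == j else 0 for i in range(t) for jj in range(h)])
        for i in range(t):                      # coefficient of x^i in s_u(x)
            rows.append([pow(x, j, P) if ii == i else 0 for ii in range(t) for j in range(h)])
    return rows


def rank_mod_p(rows, p=P):
    """Rank of a matrix over GF(p) by Gauss-Jordan elimination."""
    m = [r[:] for r in rows]
    rank, ncols = 0, len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((r for r in range(rank, len(m)) if m[r][col] % p), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col] % p:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank


def colluder_rank(t, h, c):
    """Independent equations c colluders get about the t*h coefficients of F(x, y)."""
    xs = list(range(1, c + 1))                  # illustrative public values x_u
    return rank_mod_p(token_rows(t, h, xs))


def predicted_rank(t, h, c):
    """Closed form: the colluders' solution space has dimension (t-c)(h-c)."""
    return t * h - max(t - c, 0) * max(h - c, 0)


def proof_count(t, h, c):
    """The proof's count (t+h)c - 2C(c,2); an upper bound on the true rank."""
    return (t + h) * c - 2 * comb(c, 2)


def f_recoverable(t, h, c):
    """True when c colluders can solve for every coefficient of F(x, y)."""
    return colluder_rank(t, h, c) == t * h
```

With t = 3 and h = 4 (so h = 2t − 2, just outside the theorem's condition), the two colluders' system has rank 10 against 12 unknowns, whereas the proof's count gives 12; with t = 3 and h = 2, two colluders already reach rank 6 = th.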
Theorem 2 (outside attack). In the proposed protocol, the outside attacker cannot obtain any secret information.
Proof. Outside attackers are nonmembers who do not own any valid token from the MRC. Outside attackers may try to impersonate members in the group key establishment to obtain the group key. However, all information exchanged among legitimate members during group key establishment is encrypted under pairwise shared keys, and an outside attacker, owning no valid token, cannot recover any pairwise shared key. Hence, the outside attacker cannot obtain any secret information.

Performance Evaluation.
Most of the latest schemes provide either user authentication or group key establishment, but separately [37][38][39][40]. They need additional membership authentication and shared key distribution, and they also need interactive communications and complex computations for encryption and decryption. We first discuss the performance features of our protocol.
Compared with the existing schemes, our protocol provides both membership authentication and group key establishment simultaneously. By using a bivariate polynomial, membership authentication and pairwise shared key distribution are realized at the same time. Then, by the XOR operation alone, each member mixes his/her input with the pairwise shared keys held with the other members and releases the encrypted value in a broadcast channel. After collecting all released values, each member can compute the group key efficiently. In our protocol, the tokens obtained by members during registration serve for (a) membership authentication; (b) pairwise shared key distribution; and (c) group key establishment. This is very efficient.
In most communications, "interactive" means acting one upon or with the other. In our group key establishment phase, each member computes his/her own values and releases them to the others without waiting for other members' inputs. In other words, no member incurs waiting time in computing and releasing values to the other members. We call this property "noninteractive"; it speeds up the communication process significantly.
Our proposal is noninteractive, computation-efficient, and lightweight, with advantages in storage, computation, and communication cost. The specific analysis follows.

Storage Cost.
In our protocol, each member needs to store a token, (s_i(y), s_i(x)), which consists of two univariate polynomials: one of degree t − 1 in x and the other of degree h − 1 in y. Thus, each member stores t + h coefficients in total. The storage requirement for each user is (t + h) log_2 p bits, where p is the modulus. This polynomial-based modulus is far smaller than a public-key modulus.

Computation Cost.
In Step 2 of membership authentication, Horner's rule [32] can be used to reduce the cost of evaluating the polynomials. Each member needs to compute m − 1 pairwise shared keys, k_{i,j} = s_{v_i}(x_{v_j}) = F(x_{v_i}, x_{v_j}), j = 1, 2, ..., m, j ≠ i, by evaluating his share at m − 1 different points. Using Horner's rule, evaluating a polynomial of degree h − 1 needs h − 1 multiplications and h additions. In addition, each member needs to generate authentication responses and to verify m − 1 authentication responses. Since each authentication response is a hash output, each member needs to compute a number of hash outputs linear in m. The steps of group key establishment consist only of XOR operations and symmetric encryption and decryption, which is very efficient compared with existing protocols. Finally, each member computes a single hash to authenticate the group session key. The computation load of our proposed protocol is much lighter than that of most public-key-based schemes. For example, an RSA [41] public-key operation requires approximately 1.5 log_2 N modular multiplications, where the RSA modulus N is at least 1024 bits.

Communication Cost.
The communication of membership authentication is performed completely in the broadcast channel. The total communication consists of transmitting m random integers, r_i, i = 1, 2, ..., m, and m(m − 1) authentication responses for all participating group members. To establish the group key, the total communication consists of transmitting m random integers, l_i, i = 1, 2, ..., m, m(m − 1) encrypted messages, and m hash outputs to authenticate the group session key for all participating group members. In our protocol, all transmitted data are computed modulo the polynomial-based modulus. Furthermore, since our protocol is noninteractive, all released values can be broadcast simultaneously, which is very efficient.

Conclusion
We have proposed a novel lightweight membership authentication and group key establishment protocol for WSNs. Our protocol provides membership authentication and group key establishment simultaneously, whereas existing schemes provide membership authentication and key establishment separately. We have included a security analysis and a performance evaluation. Our protocol is very efficient in terms of computation and communication, which makes it attractive for secure group communications in WSNs.

Data Availability
The data used to support the findings of this study are included within this article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.