Improved One-Way Hash Chain and Revocation Polynomial-Based Self-Healing Group Key Distribution Schemes in Resource-Constrained Wireless Networks

Self-healing group key distribution (SGKD) aims to deal with the key distribution problem over an unreliable wireless network. In this paper, we investigate the SGKD issue in resource-constrained wireless networks. We propose two improved SGKD schemes using the one-way hash chain (OHC) and the revocation polynomial (RP), the OHC&RP-SGKD schemes. In the proposed OHC&RP-SGKD schemes, by introducing the unique session identifier and binding the joining time with the capability of recovering previous session keys, the problem of the collusion attack between revoked users and new joined users in existing hash chain-based SGKD schemes is resolved. Moreover, novel methods for utilizing the one-way hash chain and constructing the personal secret, the revocation polynomial and the key updating broadcast packet are presented. Hence, the proposed OHC&RP-SGKD schemes eliminate the limitation of the maximum allowed number of revoked users on the maximum allowed number of sessions, increase the maximum allowed number of revoked/colluding users, and reduce the redundancy in the key updating broadcast packet. Performance analysis and simulation results show that the proposed OHC&RP-SGKD schemes are practical for resource-constrained wireless networks in bad environments, where a strong collusion attack resistance is required and many users could be revoked.


Introduction
Many applications of wireless networks require secure group communications, especially in a hostile environment. In order to protect the sensitive data, group communication keys (also named as group session keys) could be used to encrypt exchanged messages among communicating group members. Therefore, the group key management is critical for providing secure communications.
However, providing efficient key distribution in resource-constrained wireless networks, such as wireless sensor networks, is a challenging issue due to some characteristics of wireless networks.
First, a legitimate group member may not receive the key broadcast message for a particular session due to the unreliable wireless medium, which makes the user request the group manager (GM) to re-transmit the message. When the group size is large, re-transmissions could overwhelm the GM potentially. Furthermore, in some applications with high security requirement, it is important that users only transmit essential messages to avoid making themselves vulnerable. It is desirable to have the self-healing property that enables legitimate group members to recover lost session keys on their own, instead of requesting additional transmissions from the GM.
Second, users may join and/or leave the group frequently. For a large communication group, the group session keys have to be updated due to dynamic group members, which result in the network resource consumption. Hence, an efficient node revocation and join mechanism is important for dynamic communication groups.
Third, wireless devices have limited computation capability, memory and energy. Using energy-consuming techniques, such as the public-key cryptography, to realize the group key management is not applicable for resource-constrained wireless networks. Hence, the energy-efficient property is required.
Three articles [1][2][3], reviewing self-healing group key distribution (SGKD) schemes have appeared in the literature. Tian et al. in [1] provides a survey of available solutions, which is focused on the possible scheme extensions, such as sponsorization or mutual-healing. In [2], the author analyzes the practicality of SGKD schemes in the resource-constrained wireless sensor networks. This review is focused on the scheme performance in terms of the communication overhead and storage overhead. In [3], authors identified three building blocks of the SGKD scheme, selective key distribution mechanism, pre-distributed secret data management and self-healing mechanism, to classify and compare the existing solutions. Based on this three-dimensional classification, a comprehensive review of the development in the area of SGKD schemes is provided.

Previous Work
Staddon et al. first introduced the concept of the self-healing group key distribution (SGKD), and proposed a non-interactive and reliable key distribution scheme in [4]. The basic idea of the SGKD is to broadcast information that is useful only for legitimate users. In this scheme, users use the secret sharing to bind the capability of recovering lost session keys with the membership. Combined with pre-distributed secrets, legitimate users can recover a session key; otherwise, revoked users cannot infer useful information. However, this scheme has high storage and communication overheads.
Based on the work in [4], several improved SGKD schemes have been proposed . In order to increase the efficiency of the scheme in [4], Liu et al. proposed some new schemes by combining a personal secret distribution technique with self-healing [5]. Blundo et al. analyzed the security model defined in [4,5], and found that it is impossible to satisfy all of the security requirements. Then, based on the self-healing technique with a slightly modified framework in [6] and the self-healing mechanism in [7], a novel SGKD scheme enabling a user to recover all previous session keys from a single key broadcast message was proposed. Hong and Kang proposed a revocation polynomial-based SGKD scheme (RP-SGKD) with low storage and communication overheads [8].
Recent, many hash chain-based SGKD (HC-SGKD) schemes, one-way hash chain (OHC) and dual directional hash chain (DDHC), were proposed in [9][10][11][12][13][14][15][16]. Due to the efficiency of the hash function, these HC-SGKD schemes reduce communication and storage overheads obviously. However, the performance improvement is at the cost of the property of the collusion attack resistance. That is, revoked users colluding with new joined users can recover all session keys, which they are not entitled to get [1].
In [17][18][19], the pre-arranged life cycle-based SGKD schemes were proposed to make those HC-SGKD schemes resist to the collusion attack. However, these schemes can only apply to the scenario in which the user's life cycle is pre-determined, and the collusion of revoked users within the life cycles and new joined users can recover unauthorized session keys.
In order to resolve the collusion attack resistance problem in existing HC-SGKD schemes, we proposed an SGKD scheme based on the one-way hash chain and revocation polynomial for wireless sensor networks in [20]. However, as using the personal secret structure in Dutta et al.'s scheme, the RP-SGKD scheme proposed in [20] inherits the limitation of SGKD schemes in [10,11]. That is, the maximum allowed number of sessions should not be larger than the maximum number of revoked users.

Problems in Existing RP-SGKD Schemes
In this paper, we focus on the SGKD scheme based on the revocation polynomial. After investigating existing RP-SGKD schemes, we find that, except for the collusion attack resistance problem in the HC-SGKD schemes, three other common weaknesses for existing RP-SGKD schemes need to be resolved.
First, the maximum allowed number of revoked/colluding users is limited to be t, where t is the degree of the personal secret polynomial.
Second, the redundancy exists in the key updating broadcast packet, and the communication overhead increases quickly along with the number of sessions.
Third, given the size of the session key updating broadcast packet, the maximum allowed number of sessions and revoked users is too small to use these existing schemes in real resource-constrained wireless networks.
Although the collusion attack resistance problem is partially resolved in [20], the problem, that the maximum allowed number of sessions is limited by the maximum number of revoked users, still exists.

Our Contributions
Two improved SGKD schemes using the one-way hash chain (OHC) and revocation polynomial in resource-constrained wireless networks are proposed. In the proposed SGKD schemes, by binding the time at which the user joins the group with its capability of recovering group session key(s), some novel methods are presented to utilize one-way hash chain, and to construct the personal secret, the revocation polynomial and the key updating broadcast packet.
To solve the collusion attack resistance problem in existing HC-SGKD schemes and eliminate the limitation of the maximum number of revoked user on the maximum allowed number of sessions, we propose the first SGKD scheme. However, as same as most existing SGKD schemes in [4][5][6][7][8][9][10][11][12]20], the storage overhead of each user in the first proposed SGKD scheme is high, and determined by the maximum number of revoked user or the maximum allowed number of sessions. To eliminate the impact of the maximum number of revoked user or the maximum allowed number of sessions on the storage overhead, we further propose the second SGKD scheme, a constant storage overhead scheme, to achieve a good tradeoff between the storage overhead and the communication overhead.
Compared to existing RP-SGKD schemes, the main advantages of the proposed schemes are four-aspect. First, the collusion attack resistance problem in existing HC-SGKD schemes is solved. Second, a stronger security and more colluding users are to be supported under same conditions. Third, the total communication overhead is reduced without increasing the storage overhead. Fourth, the limitation of the maximum number of revoked user on the maximum allowed number of sessions is eliminated in the proposed SGKD schemes. And the storage overhead is constant in the second SGKD scheme.
The remainder of the paper is organized as follows. In Section 2, the security model on which the proposed schemes are based is defined. In Section 3, two improved SGKD schemes are presented, and the improvements and security performance are analyzed. In Section 4, the performance comparison with some existing schemes is given. Finally, we conclude the paper in Section 5.

Security Model
In this section, we briefly define the security model used in the paper. Notations used in the paper and the corresponding denotations are summarized in Appendix (Table A1).
To clarify the performance of the proposed SGKD schemes, the security model used in this paper is defined as follows.
Suppose a communication group in wireless networks with a GM and a set of group users. Each group member is uniquely identified by an ID number i, the group member is denoted as Ui, i ϵ {1, 2, ..., N}, and N is the largest ID number. All of the operations perform in a finite field, Fq, where q is a prime, and q > N. The lifetime of the SGKD scheme is partitioned into m sessions.
Definition 1: (self-healing group key distribution with mt-revocation capability) The scheme is a self-healing group key distribution with mt-revocation capability if the following conditions are satisfied.
(a). For a legitimate group member Ui, Ui ϵ ' j j G , 1 ≤ j′ ≤ j ≤ m, the session key for session j, Kj, is determined by the key updating broadcast packet for session j, Bj, and the personal secret, Si. That is, (d). (Self-healing property) The scheme is self-healing if any user Ui, who joined the group in session j1 and is still a legitimate group member in session j2, can recover lost session key for session j, Kj, from the key updating broadcast packet for session j2, 2 j B , and j1 < j < j2. That is, Definition 3: (any-wise backward secrecy) Let Dj be the set of users joined the group after session j, is the set of users joined the group in session j′, and 1 ≤ j ≤ m. The scheme guarantees any-wise backward secrecy if for any set Dj, all users in Dj cannot get any information about Kj even with the knowledge of session keys after session j. That is, Definition 4: (mt-wise collusion attack resistance capability) Let 1 R j be the set of users be revoked before and in session j1. Let 2 D j be the set of users joined the group after session j2. The scheme has mt-wise collusion attack resistance capability if given any two disjoint sets 1 R j and 2 D j (j1 < j2), users in 1 R j colluding with users in 2 D j cannot recover Kj even with the knowledge of {B1, B2, …, Bm,

The OHC&RP-SGKD Scheme 1
In order to resolve the problems mentioned in Section 1.2, we propose two improved SGKD schemes using the one-way hash chain and the revocation polynomial for resource-constrained wireless networks.
To remove the limitation of the maximum number of revoked user t on the maximum allowed number of sessions m, m < t + 1, we change the structure of the personal secret used in [20], and propose the first improved SGKD scheme based on the one-way hash chain and the revocation polynomial, named as the OHC&RP-SGKD scheme 1.
In the proposed OHC&RP-SGKD scheme 1, m t-degree polynomials chosen from Fq[x], s1(x), s2(x), ..., sm(x), are used to replace one 2t-degree polynomial in Dutta et al.'s scheme and the RP-SGKD scheme in [20]. When joining the group in session j, Ui stores Si = {åj·sj(i), åj·sj+1(i), …, åj·sm(i)} as the personal secret, where åj is the unique session identifier for session j. Hence, revealing one or more used secret polynomials has no effect on unused personal secret polynomials, and then it has no effect on following group session keys.

The Scheme Detail
The proposed OHC&RP-SGKD scheme 1, including three phases and two cases, is described as follows.
Each user Ui, Ui ϵ G1, receives Si = {å1·s1(i), å1·s2(i), …, å1·sm(i)} as the personal secret from the GM via a secure communication channel, where G1 denotes the set of group members at the beginning of session 1.

Phase 2: Broadcast in Session j (1 ≤ j ≤ m)
Let Rj be the set of users be revoked before and in session j, R is the set of users joining the group in session j′ and be revoked before or in session j, For security, 1 The purpose of the padding with the elements in ' ' j j R is to make the constructed revocation polynomials be t-degree.  '

Phase 3: Group Session Key Recovery in Session j (1 ≤ j ≤ m)
When a legitimate group member Ui, Ui ϵ ' j j G , receives Bj, it recovers the group session key via following steps.
Φ ( ) j j i , and computes the masking key as R , which means that revoked users can recover neither ' j j k nor Kj from Bj.

Case 1: Group Member Addition
If a new user, Uv, joins the communication group in session j, a key updating process is launched to ensure the backward secrecy.
The GM and users in Gj launch a key updating process, including Phase 2 and Phase 3, to include Uv.

Case 2: Group Member Revocation
If a user joined the group in session j′, Ur, is revoked in session j, a key updating process is launched to ensure the forward secrecy. The '' j j R and Rj ″ . And then, the GM and users in Gj launch a key updating process, including Phases 2 and 3, to exclude Ur.

Main Advantages
The proposed OHC&RP-SGKD scheme 1 solves the problems mentioned in Section 1.2, and also has some performance improvements.
(1). With the property of the collusion attack resistance In the proposed OHC&RP-SGKD scheme 1, the unique identity for each session is introduced. Uv, who joins the communication group in session j, receives Sv = {åj·sj(v), åj·sj+1(v), …, åj·sm(v)} as the personal secret, where åj is the joining time identity for session j.
A user Ur, Ur ϵ G1, be revoked in session j1, knows {å1·sj(r)| 1 ≤ j ≤ m}. And Uv joined the group in The collusion of Uv and Ur can obtain Hence, they cannot recover {Kj| j1 < j < j2}. Therefore, the proposed OHC&RP-SGKD scheme 1 resolves the collusion attack problem.
(2). Reducing the communication redundancy Considering that there may have no new joined users in some sessions in real network environments and introducing the unique identity for each session, novel methods are presented to construct the revocation polynomials and the key updating broadcast packet in the proposed OHC&RP-SGKD scheme 1.
In the proposed OHC&RP-SGKD scheme 1, the revocation polynomials for users joined the group in different sessions are constructed in order that a user can be revoked according to its joining time.
And if there are no users joined in session j′ (j′ ≤ j), ' Suppose that during j sessions, the group member addition operation occurs v times. The size of the j-th key updating broadcast packet, Bj, in the proposed OHC&RP-SGKD scheme 1 and Dutta et al.'s scheme is [(t + 1)v + j)]log2q bits and [(t + 1)j]log2q bits, respectively. When v < j, the size of Bj in the proposed OHC&RP-SGKD scheme 1 is smaller than that of Dutta et al.'s scheme.
Hence, with novel structures of the revocation polynomials and the key updating broadcast packet, the communication redundancy reduces.

(3). Updating of personal secrets partially
In existing RP-SGKD schemes, once m sessions expires or t revoked users reaches, these schemes should be reset, and the GM has to update the personal secrets of all legitimate group members because the same personal secret polynomial is shared. In the proposed OHC&RP-SGKD scheme 1, users joined the group in different sessions share different personal secret polynomials, and only the number of revoked users joined the group in the same session reaches t, the scheme will be reset. Hence, the proposed OHC&RP-SGKD scheme 1 can update the personal secrets partially, which in turn prolongs the lifetime of the scheme.
(4). Eliminating the limitation of m < t + 1 In the proposed OHC-RP-SGKD scheme 1, users joined the group in different sessions are treated by binding the joining time with the capability of recovering previous session keys, and they are classified according to the joining time. Users joined the group in different sessions are allocated different shares of personal secret polynomials, which makes users joined the group in different sessions be unable to collude together.
The reset of the SGKD scheme is triggered by two conditions as follows. Hence, the proposed OHC&RP-SGKD scheme 1 can support more sessions under same conditions compared to existing HC-SGKD schemes, and a smaller t can be used to prolong the lifetime of the scheme.

Security Analysis
Based on the security model in Section 2, the proposed OHC&RP-SGKD scheme 1 is secure with following theorems and proofs.
Hence, the proposed OHC-RP-SGKD scheme 1 has the property of self-healing. It follows that

The OHC&RP-SGKD Scheme 2
Several parameters have been considered to evaluate the performance of SGKD schemes. With respect to the storage overhead, the proposed OHC-RP-SGKD scheme 1 is not optimal. How to tradeoff among the maximum allowed number of sessions, the maximum allowed number of revoked users, the storage overhead and the communication overhead is still an open issue for the RP-SGKD schemes.
By analyzing the key updating broadcast packet in the proposed OHC-RP-SGKD scheme 1, we observe that each ' Although using multiple masking polynomials seems to make the attack be more difficult, it does not contribute to the security. Indeed, using one masking polynomial for each ' j j k is sufficient. Hence, the number of masking polynomials and the personal secret stored by each user reduce. Based on the above discussion, an OHC&RP-SGKD scheme with a constant storage overhead is proposed, name as the OHC&RP-SGKD scheme 2.
The proposed OHC&RP-SGKD scheme 2, including three phases and two cases, is described as follows.

Phase 1': Initialization
The GM randomly chooses a 2t-degree polynomial, s1(x) = a0 + a1x The GM constructs and broadcasts the message The definitions of Rj, ' j R and the structure of revoked polynomials, { ' ( ) | ' 1,2,..., j j A x j j = }, are the same as those in Phase 2 of the proposed OHC&RP-SGKD scheme 1.

Phase 3': Group Session Key Recovery in Session j (1 ≤ j ≤ m)
Any legitimate group member Ui in ' j j G (j′ ≤ j) can recover the group session key from Bj through following steps. (15) and (16), respectively. Thus, (2) Ui computes all of the remaining keys in the j-th key chain, { j j k ′ ′ | j′ < j″ ≤ j}.

Case 1': Group Member Addition
When a new user, Uv, joins the group in session j, the GM allocates Sv = {åj·s1(v), åj·s2(v)} to it via the secure communication channel. Receiving the personal secret, Uv joins Gj.
The GM and users in Gj launch a key updating process, including Phase 2' and Phase 3', to include Uv.

Case 2': Group Member Revocation
The operation of group member revocation is the same as that described in the Case 2 of the proposed OHC&RP-SGKD scheme 1.
The proposed OHC&RP-SGKD scheme 2 holds all of the advantages described in Section 3.1.2, and also has constant storage overhead for the personal secret of each user.
Along the same lines of the proof of Theorems 1-4, we have the Theorem 5 as follows.
Theorem 5. The scheme presented in Section 3.2.1 is a secure, self-healing key distribution scheme with mt-revocation capability, and achieves mt-wise forward secrecy, any-wise backward secrecy, and mt-wise collusion attack resistance capability.

Performance Analysis and Comparisons
The performance comparison, in terms of the storage overhead, the communication overhead, the computation overhead, the forward secrecy, the backward secrecy and the collusion attack resistance capability, is listed in Table 1.

The Storage Overhead for the Personal Secret
The storage overhead for the personal secret of each user comes from the initialization phase. In the proposed OHC&RP-SGKD scheme 1, the storage overhead for the personal secret of each user is (m − j + 1)log2q bits, which is as same as that of schemes in [5,7,8].

The Communication Overhead for Updating Session Keys
The communication overhead for updating session keys comes from Bj. In the proposed OHC&RP-SGKD scheme 1, if there are no users joined in session ' j , ' . The communication overhead for broadcasting Rj and R′j can be ignored because the IDs can be selected from a small finite field [7]. Hence, the size of Bj is about [(t + 1)v + j]log2q bits, which is the same as that of the RP-SGKD scheme in [20], and less than that of existing schemes in [4][5][6][7][8]11],where v < j ≤ m.
In the proposed OHC&RP-SGKD scheme 2, the size of Bj is [(3t + 2)v + j]log2q bits, which is larger than that of the proposed OHC&RP-SGKD scheme 1.
As the assumption in [13], the maximum number of sessions is set to be m = 50. Figure 1 shows the comparison of the maximum broadcast packet size when t varies from 10 to 50. Without loss of generality, q is set to be a 128-bit integer.
From Figure 1, we observe that, when v < m, the size of Bj in the proposed OHC&RP-SGKD scheme 1 is smaller than that of schemes in [8,11] and with the same m and t. For example, when m = 50 and t = 50, the broadcast packet sizes of the proposed OHC&RP-SGKD scheme 1 are about 12.734 KB, 20.703 KB, and 28.671 KB for v = 15, 25 and 35, respectively, while the broadcast packet size of schemes in [8,11] is about 39.844 KB. Moreover, the maximum broadcast packet size in the proposed OHC&RP-SGKD scheme 2 is obviously larger than that of the proposed OHC&RP-SGKD scheme 1, especially is larger than that of schemes in [8,11].

Remark:
It is necessary to reduce the communication redundancy as possible. Although the communication overhead in the proposed OHC&RP-SGKD scheme 1 increases with the number of sessions, it grows more slowly than that of schemes in [8,11] under same conditions.
On the other hand, although the broadcast packet size of the proposed OHC&RP-SGKD scheme 2 is larger than that of the proposed OHC&RP-SGKD scheme 1, we will prove later that the total communication overhead for updating group session keys and the personal secrets in the proposed OHC&RP-SGKD scheme 2 is smaller.  The maximum allowed number of revoked users (t) Schemes in [8,11], no matter how much v is Proposed OHC-RP SGKD scheme 1, v=15 Proposed OHC-RP SGKD scheme 1, v=25 Proposed OHC-RP SGKD scheme 1, v=35 Proposed OHC-RP SGKD scheme 2, v=15 Proposed OHC-RP SGKD scheme 2, v=25 Proposed OHC-RP SGKD scheme 2, v=35

Practicality
Many practical issues should be addressed when an SGKD scheme is implemented in a real-world application.
As we know, ZigBee, a protocol designed for low data rate wireless networks, uses the IEEE 802.15.4 physical and MAC layers to provide data transfer. According to the IEEE 802. 15.4 protocol [31], the maximum size of MAC layer payload is from 89 to 119 bytes. When the maximum size of MAC layer payload is 89 bytes, the application layer data larger than 89 bytes will be partitioned into blocks.
Due to the unreliable wireless transmission, the maximum broadcast packet size in the SGKD scheme is also limited. Let the maximum broadcast packet size be 4096 bytes (4 KB), which will be partitioned into 46 packets with 89 bytes/packet. If packets are lost independently and randomly at a rate of 1%, the probability that a 4 KB broadcast packet will not reach the destination is 37.01%. If the packet loss rate is 5% (a fairly high), the probability that a 4 KB broadcast packet reaches the destination is only 9.45%. Hence, m should be larger than 10. However, the maximum broadcast packet size is assumed to be 64 KB in most existing SGKD schemes [4][5][6][7], which is not applicable in ZigBee-based wireless networks.
With the limitation of the maximum broadcast packet size, the value of other parameters should be appropriately set for the intended application and compatible with existing network protocols. In SGKD schemes, system parameters affecting the broadcast packet size are the number of sessions (m), the size of the session key (log2q), and the degree of the personal polynomial (t). Without loss of generality, it is assumed that q is a 128-bit integer, and session keys are also 128 bits, which are used in a symmetric cipher, such as AES. The maximum broadcast packet size is set to be 4KB. Symbol [x] represents the operation to round x to the integer downward.
(1). The proposed OHC&RP-SGKD scheme 1 vs. the scheme in [8] The performance of the proposed OHC&RP-SGKD scheme 1 is compared to that of the scheme in [5] because the storage overhead of each user in these two schemes is same, both of them are the RP-SGKD schemes, and the scheme in [8] is the best one among existing collusion-attack-resistance schemes in [4][5][6][7][8]. Let |Rm|max be the maximum allowed number of revoked users in m sessions. Figure 2 shows performance comparison between the proposed OHC&RP-SGKD scheme 1 and the scheme in [8], where Figure 2a is the tradeoff between m and t, and Figure 2b is the tradeoff between m and |Rm|max.
From Figure 2a, we observe that the proposed OHC&RP-SGKD scheme 1 can support more sessions than the scheme in [8]. In the proposed OHC&RP-SGKD scheme 1, a smaller t can be used to prolong the lifetime of the scheme because users joined the group in different sessions cannot coalesce together. For example, when t = 15 and m = 16, |Rm|max = 15 for the scheme in [8], whereas for the proposed OHC&RP- Moreover, the proposed OHC&RP-SGKD scheme 1 can revoke much more users than that of the scheme in [8]. For example, from Figure 2b, when m = 20, |Rm|max = 11 for the scheme in [8], whereas |Rm|max = 210, 220 and 232 for v = 0.7 m, 0.5 m and 0.3 m, respectively, in the proposed OHC&RP-SGKD scheme 1. Obviously, the proposed OHC&RP-SGKD scheme 1 allows much more revoked users and withstands much more colluding users compared to the scheme in [8].
In a real-world application, the longer the scheme runs, the more users are revoked. Figure 3 shows the possible lifetime of the proposed OHC&RP-SGKD scheme 1 and the scheme in [8] when two schemes are simulated during 100 sessions.
From Figure 3, we observe that with small values of m and t, the scheme in [8] will be reset frequently, which leads to the energy and bandwidth consumption. However, in the proposed OHC&RP-SGKD scheme 1, more revoked users and more sessions are allowed, and less resetting of the proposed OHC&RP-SGKD scheme 1 contributes to saving the network energy.

Running time (in sessions)
Schemes in [8] Therefore, the advantage of the proposed OHC&RP-SGKD scheme 1 is obvious for ZigBee-based wireless networks in bad environment where a strong collusion attack resistance is required and many users need to be revoked.
(2). The proposed OHC&RP-SGKD scheme 2 vs. the proposed OHC&RP-SGKD scheme 1 In the proposed OHC&RP-SGKD scheme 1 and other existing RP-SGKD schemes, since the storage overhead at each user increases along with the increase of m or t, the power and bandwidth consumption for re-keying personal secrets will be much large. However, the proposed OHC&RP-SGKD scheme 2 has constant storage overhead of 2log2q bits. Figure 4 show the performance comparison of the proposed OHC&RP-SGKD schemes 1 and 2, where Figure 4a is the tradeoff between m and t, and Figure 4b is the tradeoff between m and |Rm|max.   From Figure 4a,b, we observe that the values of t and m in the proposed OHC&RP-SGKD scheme 2 are smaller than those of the proposed OHC&RP-SGKD scheme 1 under same conditions. However, since the storage overhead for each user in the proposed OHC&RP-SGKD scheme 2 is much less than that of the proposed OHC&RP-SGKD scheme 1, the communication overhead for rekeying the personal secrets in the proposed OHC&RP-SGKD scheme 2 is much less than that in the proposed OHC&RP-SGKD scheme 1.
Wireless devices are usually powered by battery, and most energy is consumed by the communication module. The main concern of the proposed OHC&RP-SGKD scheme 2 is to reduce the total communication overhead for updating the personal secrets and session keys.
Suppose that n users maintain membership during m sessions. For the proposed OHC&RP-SGKD scheme 1, the communication overhead for distributing the personal secrets to n users is nmlog2q bits in the initialization phase, and the communication overhead for updating session keys is [(t + 1)v + j]log2q bits in the broadcast phase. After running m sessions, the scheme will be reset and new personal secrets should be re-allocated to each group member. Hence, the total communication overhead for updating session keys and the personal secrets of n users in the proposed OHC&RP-SGKD scheme 1 is (1) ( where, m (1) and t (1) denote the session number and the number of revoked users when the proposed OHC&RP-SGKD scheme 1 is reset, respectively. In the proposed OHC&RP-SGKD scheme 2, the communication overhead for distributing the personal secrets to n users is 2nlog2q bits, and the communication overhead for updating session keys is [(3t + 2)v + j]log2q bits. Thus, the total communication overhead is (2) (2) (2) 2 1 where, m (2) and t (2) denote the session number and the number of revoked users when the proposed OHC&RP-SGKD scheme 2 is reset, respectively. According to the results of Figure 4, when v = 0.5 m, m (1) = 22, t (1) = 20, m (2) = 14, t (2) = 10. Hence, after running 154 sessions, the proposed OHC&RP-SGKD scheme 1 is reset seven times and the proposed OHC&RP-SGKD scheme 2 is reset 11 times. Hence, during the 154 sessions, the decrement of the total communication overhead for updating session keys and the personal secrets in the proposed OHC&RP-SGKD schemes 1 and 2 is ΔE = E (1) − E (2) = 232.72 KB when n = 100.
Hence, the proposed OHC&RP-SGKD scheme 2 has less storage and total communication overheads, and is therefore quite suitable for resource-constrained wireless networks.

Conclusions
To solve the collusion attack problem in existing HC-SGKD schemes, eliminate the limitation of the maximum allowed number of revoked users on the maximum allowed number of sessions, and improve the security and efficiency of existing RP-SGKD schemes, we proposed two improved SGKD schemes using the one-way hash chain and the revocation polynomial for resource-constrained wireless networks in this paper. In the proposed OHC&RP-SGKD schemes, by introducing the unique session identifier and binding the joining time with the capability for recovering previous session keys, the problem of the collusion attack between revoked and new joined users in existing HC-SGKD schemes is resolved. And novel methods for utilizing the one-way hash chain and constructing the personal secret, the revocation polynomial and the key updating broadcast packet are presented to eliminate of the limitation of the maximum allowed number of revoked users on the maximum allowed number of sessions, increase the maximum allowed number of revoked users, and reduce the redundancy in the key updating broadcast packet.
With the security and performance analysis, we concluded the proposed improved OHC&RP-SGKD schemes as follows.
(1) In the proposed OHC&RP-SGKD scheme 1, the impact of t on m is eliminated and the maximum allowed number of sessions is enlarged. In the proposed OHC&RP-SGKD scheme 2, the storage overhead for the personal secret in each user is constant, 2log2q bits, and a better tradeoff between the storage overhead and the total communication overhead is also achieved. (2) Two proposed improved OHC&RP-SGKD schemes are secure, achieve mt-revocation capability, mt-wise forward secrecy, any-wise backward secrecy, and mt-wise collusion attack resistance capability. (3) The communication overhead of the proposed OHC&RP-SGKD schemes is lower compared to existing RP-SGKD schemes. (4) Simulation results show that the proposed OHC&RP-SGKD schemes are practical for resource-constrained wireless networks in bad environments where a strong collusion attack resistance is required and many users should be revoked.
For an SGKD scheme, a challenging problem is how to achieve a better tradeoff between the storage overhead and the communication overhead. Since the key updating broadcast packet in the proposed OHC&RP-SGKD scheme 2 is still large, we will focus on reducing the communication overhead in the future work.

Notations Denotations
h i (·) applying hash operation i times E k (.)/D k (.) a symmetric encryption/decryption function å j the unique session identifier, a random number selected by the GM for users joined the group in session j, å j ∈ F q and 1