Exponential Arithmetic Based Self-Healing Group Key Distribution Scheme with Backward Secrecy under the Resource-Constrained Wireless Networks

In resource-constrained wireless networks, resources such as storage space and communication bandwidth are limited. To guarantee secure communication in such networks, group keys should be distributed to users. The self-healing group key distribution (SGKD) scheme is a promising cryptographic tool that can be used to distribute and update the group key for secure group communication over unreliable wireless networks. Among all known SGKD schemes, exponential arithmetic based SGKD (E-SGKD) schemes reduce the storage overhead to a constant and are thus suitable for resource-constrained wireless networks. In this paper, we provide a new mechanism to achieve E-SGKD schemes with backward secrecy. We first propose a basic E-SGKD scheme based on a known polynomial-based SGKD scheme; it has optimal storage overhead but no backward secrecy. To obtain backward secrecy and reduce the communication overhead, we introduce a novel approach for message broadcasting and self-healing. Compared with other E-SGKD schemes, our new E-SGKD scheme has optimal storage overhead, high communication efficiency and satisfactory security. The simulation results in ZigBee-based networks show that the proposed scheme is suitable for resource-constrained wireless networks. Finally, we show the application of our proposed scheme.


Introduction
Wireless sensor networks have drawn a lot of attention because they have demonstrated applicability in practical applications, such as emergency rescue operations and military applications. In these applications, the security of the wireless sensor networks should be highly regarded. In wireless sensor networks, resources, including storage and communication bandwidth, are constrained since nodes are battery powered. To guarantee secure communication in wireless networks, secure group keys should be distributed to nodes for the purpose of encryption and authentication.
As an issue in wireless networks, packet losses are inevitable and have a negative impact on the group key distribution flows. The packets may never arrive for some target nodes. The most too large. Rams et al. [21] pointed out that all known E-SGKD schemes can not offer backward secrecy. In order to solve the backward secrecy and reduce the size of the broadcast message, Rams et al. [14] proposed an efficient E-SGKD scheme based on Lagrange Interpolation and sliding windows with backward secrecy. Then, Rams et al. [15] improved the scheme [14] and proposed an E-SGKD scheme with lower storage overhead. The sliding windows allow the trade-off between the size of the broadcast message and the self-healing capability.
In this paper, we propose a new mechanism to achieve backward secrecy of the E-SGKD scheme. Compared with existing E-SGKD schemes [14,15] with backward secrecy, our proposed scheme has full self-healing properties, that is, user nodes can recover all of the lost session keys. In Schemes [14,15], user nodes can recover only the part of the session keys determined by the sliding windows. In addition, the communication overhead in our proposed scheme is low.
Besides Lagrange Interpolation, there is another method to construct E-SGKD schemes. The core idea is that the computational operations of recovering the session key are moved to the exponent. Based on this idea, in this paper, we present a secure E-SGKD scheme with high efficiency. To make the new scheme easy to understand, we first present a basic E-SGKD scheme based on Hong et al.'s Construction 2 [22]. In the basic construction, to reduce the users' storage overhead, only one polynomial is selected as the secret polynomial. However, if this secret polynomial is used repeatedly, all basic security properties are destroyed. Hence, a random value $v_j$ is chosen for each session to update the secret polynomial. Unfortunately, such an E-SGKD scheme still does not have backward secrecy.
Based on the basic construction, we further present the new E-SGKD scheme with backward secrecy, optimal storage and low communication bandwidth using two strategies. The first strategy is used to construct the revocation polynomials in the broadcast messages, thus achieving backward secrecy. More precisely, the group users, whose identities are used to compute the revocation polynomials, are divided into different subgroups according to the sessions in which they joined. The second strategy, dual chains, is used for efficient self-healing of the lost session keys. As we know, the hash chain is a useful tool to reduce the communication overhead in efficient self-healing mechanisms. However, we find that the P-SGKD schemes with hash chains can not be converted to E-SGKD schemes directly, and we will discuss the details later. To minimize the communication overhead, we introduce the dual chains. The first chain is a traditional hash chain, and the second chain is a key chain. The two chains are combined to help the active group users compute the lost session keys, which reduces the number of broadcast messages. Note that these two strategies, especially the first one, can be applied to transform other P-SGKD schemes to E-SGKD schemes. The new E-SGKD scheme has the following advantages:
• The new E-SGKD scheme solves the backward secrecy problem of E-SGKD schemes perfectly, i.e., the proposed scheme satisfies backward secrecy and, furthermore, can resist the collusion attack. The construction method of this scheme can be applied to convert other P-SGKD schemes to secure E-SGKD schemes.
• The storage overhead of the new scheme is optimal, i.e., one element in $Z_p$.
• Thanks to the dual chains, the new E-SGKD scheme minimizes the communication cost, i.e., the number of broadcast messages is reduced to the number of sessions in which new group users join.
• The new E-SGKD scheme is computationally secure, i.e., its security is based on the discrete logarithm problem.
The rest of the paper is arranged as follows. Section 2 defines the security model of this paper. Section 3 presents the basic E-SGKD scheme. Section 4 shows the novel E-SGKD scheme. Section 5 introduces the security analysis and performance comparison. Section 6 presents the practicality in the ZigBee network of the novel E-SGKD scheme. Application to Supervisory Control And Acquisition (SCADA) in smart grid is shown in Section 7. The conclusions are presented in Section 8.

Security Model
In this section, we introduce the network model, the notations and the hypothesis following Rams et al.'s survey [21].

Network Model
The network consists of a user node set $U = \{U_1, \cdots, U_N\}$ and a single group manager (GM). The GM has rich resources, such as large memory space and unlimited energy, and high computational ability. In contrast, the resources and ability of user nodes are limited. In resource-constrained networks especially, the resources of the user nodes are lower.
GM communicates with the group user nodes over an unreliable channel. Message encryption and authentication by a symmetric group key can guarantee secure group communication. The network is dynamic, and the user nodes may frequently join and leave the network. The leaving nodes may disclose the group key, thus breaking the security of group communication. Hence, the group key should be changed when user nodes join or leave the group. In addition, a minimal time interval should be set after which the group key is changed even if the network membership has not changed. Thus, achieving secure group key distribution is necessary.

General Description of SGKD
In order to achieve secure group communication, group keys need to be changed frequently. Group lifetime is divided into epochs called sessions, where each session has a unique group key. In each session, GM distributes a new session key $K_j$ to nodes in $G_j$ by broadcasting the key updating messages.
Generally speaking, an SGKD scheme consists of six algorithms.
• SetUp: GM constructs a personal secret $S_i$ for each legitimate group node and sends it to $U_i$ via a secure channel. $U_i$ can use the personal secret $S_i$ to recover session keys from broadcast messages.
• Broadcast: GM creates message $B_j$ from $K_j$ according to the following conditions:
- There exists an algorithm $\eta$ which, for all $i$: $U_i \in G_j$, can recover $K_j$ with the knowledge of $S_i$, that is: $K_j = \eta(B_j, S_i)$.
- For any set of nodes $R \subset U \setminus G_j$, there exists no computational algorithm $\varsigma$ which can recover $K_j$ with the knowledge of the personal secrets of all nodes in $R$, that is:
• SessionKeyRecovery: This algorithm is executed by user nodes. Each member $U_i \in G_j$ recovers key $K_j$ from broadcast message $B_j$ with her personal secret $S_i$, that is: $K_j = \eta(B_j, S_i)$.
• SelfHealing: This algorithm is executed by user nodes to recover lost session keys. Given l, r, there exists an algorithm $\zeta$, which can recover $K_j$ with the knowledge of $B_r$ by node
• GroupMemberAddition: When a node $U_i$ joins the group, GM sends it its personal secret $S_i$ via a secure channel.
• GroupMemberRevocation: When $U_i$ is revoked from the group, the GM starts a new session and updates the session key, which can not be computed by $U_i$.

Definition of Self-Healing Group Key Distribution
In this subsection, we introduce the definition and security properties of SGKD scheme. In order to facilitate the narrative, we first list the notations in Table 1.
Table 1. Notations.
$F_p$: a finite field of order $p$, where $p$ is a prime
$F_q^*$: a multiplicative group of a finite field of order $q$
$g$: a generator of $F_q^*$
$S(i)$: $U_i$'s personal secret
$E_k(\cdot)/D_k(\cdot)$: symmetric encryption/decryption function
$B_j$: the j-th key updating broadcast message
$h_1(\cdot), h_2(\cdot)$: one-way hash functions
$\varepsilon_j$: the unique session identifier, chosen at random by GM for users who joined the group in session $j$; $\varepsilon_j \in F_q$ and $\varepsilon_{j_1} \neq \varepsilon_{j_2}$ for $j_1 \neq j_2$
$k_j^1$: the initial value of the j-th key chain, chosen at random by GM for session $j$; $k_j^1 \in F_q$ and $k_{j_1}^1 \neq k_{j_2}^1$ for $j_1 \neq j_2$
$k_j^{j'}$: the $j'$-th key in the j-th key chain
$R_j^{j'}$: the set of users joining the group in session $j'$ and revoked before or in session $j$
$R_j$: the set of users who are revoked before and in session $j$, and $R_j = \{R_j^1, \cdots, R_j^j\}$
$|R_j|$: the number of users in $R_j$
$G_j^{j'}$: the set of group members joining the group in session $j'$ and still legitimate in session $j$ ($j' \le j$)
$|G_j^{j'}|$: the number of users in $G_j^{j'}$
$G_j$: the set of legitimate group users in session $j$, and $G_j = \{G_j^1, \cdots, G_j^j\}$
$|G_j|$: the number of users in $G_j$

Definition 1. (self-healing key distribution with mt-revocation capability). The scheme has mt-revocation capability and self-healing property if
(1) For a legitimate user $U_i \in G_j^{j'}$, $1 \le j' \le j$, the session key $K_j$ can be computed from the j-th broadcast message $B_j$ and $U_i$'s personal secret $S_i$.
(2) Neither the broadcast packet $B_j$ nor the personal secret $S_i$ alone yields any information about $K_j$ ($j \ge 1$).
(3) mt-revocation capability: For all $U_i \notin R_j$, $U_i$ can compute $K_j$ if given the j-th broadcast message $B_j$. However, the revoked user $U_i \in R_j$ can not, where $R_j = \{R_j^1, R_j^2, \cdots, R_j^j\}$ and $R_j^{j'}$ denotes the users joining the group in session $j'$ and revoked before and in session $j$.
(4) Self-healing property: For any $j$ ($1 \le j_1 \le j \le j_2$), a user $U_i$ ($U_i \in G_{j_1} \cap G_{j_2}$) can recover the session key $K_j$ from broadcast messages $B_{j_2}$.

Definition 2.
(mt-wise forward secrecy). The scheme has mt-wise forward secrecy if all users in $R_j$ can not obtain information about $K_{j+1}$ even knowing session keys $K_{j'}$ ($j' < j$), where $R_j \subseteq U$, $|R_j| \le jt$, and $R_j$ contains all users revoked before session $j$.

Definition 3.
(any-wise backward secrecy). The scheme has any-wise backward secrecy if users in $D_j$ can not obtain information about $K_j$ even knowing session keys $K_{j'}$ ($j' > j$), where $D_j$ denotes users joining the group after session $j$ ($D_j = \{D_{j+1}, D_{j+2}, \cdots\} \subseteq U$) and $D_{j'}$ contains users joining the group in session $j'$ ($j' \ge j + 1$).

Definition 4.
(resistance to mt-wise collusion attack). The scheme has mt-wise collusion resistance capability if, given any two disjoint sets $R_{j_1}$, $D_{j_2}$, users in $R_{j_1}$ colluding with users in $D_{j_2}$ can not recover $K_j$ ($j_1 \le j \le j_2$) even knowing $\{B_1, B_2, \cdots, \{S_i \mid U_i \in R_{j_1}\}\}$ $\{B_1, B_2, \cdots, \{S_i \mid U_i \in D_{j_2}\}\}$.

The Basic E-SGKD Scheme
Rams et al. [21] pointed out that almost all of the P-SGKD schemes can be converted to the E-SGKD schemes. Up to now, all P-SGKD schemes are divided into two classes based on if they use Lagrange Interpolation or not. As we surveyed in Section 1, the published E-SGKD schemes, Construction 5 [1], Scheme 4 [2], the schemes [14,15] are constructed based on the P-SGKD schemes with Lagrange Interpolation.
The other kind of P-SGKD schemes, without Lagrange Interpolation, can be divided into another two classes based on whether they use hash chains or not. We checked all P-SGKD schemes without Lagrange Interpolation one by one, and found that the P-SGKD schemes with hash chains can not move the computational operations from the polynomial to the exponent, since the recursion of the one-way hash chain no longer holds once the computation is transferred to the exponent. Precisely speaking, it is easy to compute $H(H(x))$ from $H(x)$ while it is hard to compute $g^{H(H(x))}$ from $g^{H(x)}$. On the other hand, the revocation polynomial based SGKD schemes without hash chains are suitable to be transformed to E-SGKD schemes, such as Scheme 3 in [18] and Scheme 2 in [22]. Since the transformation method is similar, in this paper, we take Hong et al.'s Scheme 2 as an example to construct the basic E-SGKD Scheme.

The Basic Construction
The basic construction includes five procedures: SetUp, Broadcast, SessionKeyRecovery, GroupMemberAddition and GroupMemberRevocation.

• SetUp
Suppose $G_1 = \{U_1, U_2, \cdots, U_N\}$ denotes the users who join the group in the initial session. Each user $U_i$ has a unique identity $i$. GM randomly selects a t-degree polynomial $f(x) = a_0 + a_1 x + \cdots + a_t x^t \in F_p[x]$ as a secret masking polynomial. Then, the GM distributes the personal secret $S_i = \{f(i)\}$ to each user $U_i \in G_1$ via a secure channel, where using secret splitting algorithms in [37] has a better secrecy compared with distributing $f(i)$ to $U_i$ directly.

• Broadcast
Suppose $R_j = \{r^j_1, r^j_2, \cdots, r^j_{\omega_j}\}$ denotes the set of users who are revoked before and in session $j$, where $|R_j| = \omega_j \le t$.

- The GM constructs the j-th revocation polynomial as
- The GM selects random values $K_j$, $v_j$ from $F_p$, and computes $g^{v_j}$ and
- Then, the GM constructs the broadcast message as

• SessionKeyRecovery
- For a legitimate user $U_i$, $U_i \in G_j$ recovers the j-th session key $g^{K_j}$ from the broadcast message $B_j$ as follows: $U_i$ computes the session key as
Similarly, $U_i$ can recover the lost session keys $g^{K_j}$ by adopting the same method, i.e., self-healing property.
- For a revoked user $U_i \in R_j$, $r_j(i) = 0$. Thus, he can not obtain information about the session key $g^{K_j}$.

• GroupMemberAddition
When a user, $U_k$, joins the group in session $j$, the GM selects a unique identity $k \in F_p$ at random, and $U_k$ gets his personal secret $S_k = \{f(k)\}$ from the GM via a secure communication channel. For security, GM starts a new session.

• GroupMemberRevocation
When a user, $U_i$, is revoked in session $j$, the GM then includes $(x - i)$ in $r_j(x)$ and starts a new session.

Remark 1.
In order to guarantee that the users' personal secret can be reused, we choose a mask value $v_j$ in session $j$ to multiply the secret polynomial. Thus, different sessions have different secret values, which contributes to the constant storage overhead.

The Security Problem
It is easy to see that the above basic E-SGKD scheme satisfies the forward security and has t-revocation capability. Unfortunately, it has an obvious weakness, i.e., it can not achieve backward secrecy. More precisely, a user $U_i$ who joins the group in session $j+1$ can recover the session key $g^{K_j}$ from the j-th broadcast message $B_j$ as follows: $U_i$ computes the j-th session's session key $g^{K_j}$ as
Hence, a new user $U_i$, who joins the group in session $j + 1$, recovers the session key $g^{K_j}$, even if he is not a legitimate user in session $j$. Thus, the basic E-SGKD scheme does not satisfy backward secrecy.

The Countermeasure
The reason why the basic E-SGKD scheme can not satisfy the backward secrecy lies in the fact that a user's personal secret S(i) does not change in the different sessions. As we mentioned above, E-SGKD schemes reduce the size of the personal secret to a constant, i.e., a personal secret S(i) only relates to a user's identity, no matter when he joins the group. This means a new user, who joins the group later, can use his personal secret to recover the past session keys.
From the above analysis, we know that to achieve the backward secrecy, a user's personal secret should be changed in the different sessions. However, allocating different personal secrets to different sessions would create linear storage overhead. How to balance the storage overhead and security is a challenging task.
To solve this problem, we consider binding each user's personal secret with a changed value. More precisely, users are divided into different subgroups according to the sessions in which they join the group. The core idea is described as follows: a unique session identifier $\varepsilon_j$ is assigned to each session, and is multiplied with the secret polynomial to produce a new secret polynomial. Thus the personal secret for a user $U_i$ who joins the group in session $j$ is $\varepsilon_j \cdot f(i)$. As a result, user $U_i$ can not recover the previous session keys with his personal secret $\varepsilon_j \cdot f(i)$, i.e., backward secrecy is achieved. On the other hand, it is easy to see that the storage overhead is optimal since $\varepsilon_j \cdot f(i)$ is a random value in $F_p$.
The above idea, binding each user's personal secret with a changed value, can help the scheme gain the backward secrecy. However, this idea can not be directly applied to the basic construction, since the self-healing property is destroyed. To gain efficient self-healing, dual chains are introduced in the basic construction. The first chain is a hash chain, and the second chain is a key chain.
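The backward-secrecy failure described under "The Security Problem" and the effect of binding the personal secret to a session identifier, as an added example (not code from the paper). It assumes the masked broadcast polynomial has the form $P_j(x) = r_j(x) \cdot K_j + v_j \cdot \varepsilon \cdot f(x)$, in line with the broadcast contents and the expression $A \cdot k + v \cdot \varepsilon \cdot f(x)$ that appear on this page; the toy parameters, function names and sample values are constructed for illustration, and the dual chains of the full scheme are left out.

```python
# Toy parameters constructed for this example: q = 2p + 1, both prime.
P_ORDER = 1019        # p: polynomial and exponent arithmetic is done in F_p
Q_MOD = 2039          # q: broadcast elements live in F_q^*
G = 4                 # generator of the order-p subgroup of F_q^*
F_COEFFS = [5, 3, 7]  # GM's secret f(x) = 5 + 3x + 7x^2 (degree t = 2)


def poly_eval(coeffs, x, mod):
    """Horner evaluation; coefficients are ordered low to high degree."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def revocation_poly(revoked, mod):
    """Coefficients of r(x) = prod over revoked identities of (x - r)."""
    coeffs = [1]
    for r in revoked:
        nxt = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):
            nxt[k] = (nxt[k] - r * c) % mod
            nxt[k + 1] = (nxt[k + 1] + c) % mod
        coeffs = nxt
    return coeffs


def personal_secret(identity, epsilon=1):
    """epsilon = 1 gives the basic scheme's f(i); otherwise epsilon * f(i)."""
    return epsilon * poly_eval(F_COEFFS, identity, P_ORDER) % P_ORDER


def gm_broadcast(session_key, v, revoked, epsilon=1):
    """GM side: publish g^{b_k} for P(x) = K*r(x) + v*epsilon*f(x), plus g^v."""
    t = len(F_COEFFS) - 1
    assert len(revoked) <= t, "at most t users can be revoked"
    r = revocation_poly(revoked, P_ORDER)
    r += [0] * (t + 1 - len(r))  # pad r(x) with zero coefficients up to degree t
    b = [(session_key * rc + v * epsilon * fc) % P_ORDER
         for rc, fc in zip(r, F_COEFFS)]
    return {"revoked": list(revoked),
            "g_b": [pow(G, bk, Q_MOD) for bk in b],
            "g_v": pow(G, v, Q_MOD)}


def recover(broadcast, identity, secret):
    """User side: returns a candidate for g^K, or None when r(identity) = 0."""
    r_i = 1
    for r in broadcast["revoked"]:
        r_i = r_i * (identity - r) % P_ORDER
    if r_i == 0:
        return None  # revoked: the session key term vanishes at this identity
    g_p_i, x_pow = 1, 1
    for g_bk in broadcast["g_b"]:  # g^{P(i)} = prod (g^{b_k})^{i^k}
        g_p_i = g_p_i * pow(g_bk, x_pow, Q_MOD) % Q_MOD
        x_pow = x_pow * identity % P_ORDER
    # Strip the mask g^{v * secret}, then divide the exponent by r(i) mod p.
    unmasked = g_p_i * pow(broadcast["g_v"], (-secret) % P_ORDER, Q_MOD) % Q_MOD
    return pow(unmasked, pow(r_i, -1, P_ORDER), Q_MOD)


def demo():
    k_j, v_j = 321, 77         # constructed session key exponent and mask
    eps_j, eps_next = 11, 23   # constructed identifiers for sessions j and j+1
    out = {"expected": pow(G, k_j, Q_MOD)}

    # Basic scheme: user 3 is revoked; user 9 only joins in session j+1.
    basic = gm_broadcast(k_j, v_j, revoked=[3])
    out["member"] = recover(basic, 1, personal_secret(1))
    out["revoked"] = recover(basic, 3, personal_secret(3))
    out["late_basic"] = recover(basic, 9, personal_secret(9))

    # Session-bound secrets: session j is masked with eps_j * f(x),
    # while the late joiner holds eps_next * f(9).
    bound = gm_broadcast(k_j, v_j, revoked=[3], epsilon=eps_j)
    out["member_bound"] = recover(bound, 1, personal_secret(1, eps_j))
    out["late_bound"] = recover(bound, 9, personal_secret(9, eps_next))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value}")
```

In the basic run the late joiner's result equals the session-j key, which is the backward-secrecy failure; with session-bound secrets the same computation leaves a residual factor in the exponent and yields a different group element.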

The Novel E-SGKD Scheme
Motivated by the above idea, in this section, we present a new E-SGKD scheme which consists of five procedures, i.e., SetUp, Broadcast, SessionKeyRecovery, GroupMemberAddition, GroupMemberRevocation.
• Setup
GM picks a t-degree polynomial $f(x) = a_0 + a_1 x + \cdots + a_t x^t \in F_p[x]$ at random and keeps it secret. The GM randomly selects a one-way hash function $h_2(\cdot): \{0,1\}^{512} \to \{0,1\}^{128}$. Then, the GM selects a session identifier $\varepsilon_1 \in F_p$ at random. Note that the GM will randomly select a session identifier $\varepsilon_j \in F_p$ in session $j$. Each user $U_i \in G_1$ obtains his personal secret $S_i = \{\varepsilon_1 \cdot f(i)\}$ through a secure channel, where $G_1$ includes the group members who join the group in the initial session and, using secret splitting algorithms in [37], has a better secrecy compared with distributing
consists of the users joining the group in session j and is revoked before and in session j, and |R
The GM randomly selects $k_j^1 \in F_p$, $r_0 \in F_p$, and a one-way hash function $h_1(\cdot): \{0,1\}^{128} \to \{0,1\}^{128}$. The GM uses $r_0$ as a seed and $h_1(\cdot)$ as a hash function to construct a hash chain as follows:
Then, the GM constructs the j-th keys chain as follows:
are different from each other and are never used for users' identities. Then, the revocation polynomials are constructed as:
Note that $R_j^{j'}$ denotes the set of users joining the group in session $j'$ and revoked before and in session $j$. The number of users in $R_j^{j'}$ is less than t, thus the degree of Π is less than t. However, the degree of $f(x)$ is t. In the following computation, $A_j^{j'}(x) \cdot k_j^{j'} + v_j \cdot \varepsilon_{j'} \cdot f(x)$ may expose some coefficients of $\varepsilon_{j'} \cdot f(x)$. In order to keep the coefficients of the polynomial $\varepsilon_{j'} f(x)$ secret, the set $R_j^{j'} = \{r^j_1, r^j_2, \cdots, r^j_{t-\omega_j}\}$ is randomly selected to pad the revocation polynomials to be t-degree, where the $r^j_k \in F_p$ ($1 \le k \le t - \omega_j$) for $R_j^{j'}$ are different from each other and never used for users' identities. Thus, the coefficients of the secret polynomial $\varepsilon_{j'} f(x)$ can be protected better.

- The GM selects a random value $v_j \in F_p$. Then, the GM computes and constructs the broadcast message as be the sequence of $\{g^{b_0}, g^{b_1}, \cdots, g^{b_t}\}$.

• SessionKeyRecovery
- For a legitimate user $U_i$, $U_i \in G_j^{j'}$ uses the j-th broadcast message to compute the current session key $K_j$ and recover the lost session keys as:
- For a revoked user $U_i$, $A_j^{j'}(i) = 0$. Thus, he can not obtain any information about $K_j$.

• GroupMemberAddition
When a user, $U_v$, joins the group in session $j$, GM randomly selects a unique identity $v$ and a session identifier $\varepsilon_j$ from $F_p$, and distributes a personal key $S_v = \varepsilon_j \cdot f(v)$ to him via a secure communication channel. For security, GM starts a new session.

• GroupMemberRevocation
When a user $U_i$ who joined the group in session $j'$ is revoked in session $j$, GM includes $(x - i)$ in $A_j^{j'}(x)$ and starts a new session.

Remark 2.
In this scheme, the algorithm "Self Healing" is contained in algorithm "Session key recovery". That is, for a legitimate user U i , by running the algorithm "Session key recovery", he can compute the current session key and recover lost session keys from current broadcast, that is, a self-healing property.  (r j )} j =1,2,··· ,j−1 in the broadcast messages B j are v, respectively. Note that v ≤ j. Especially, if v is much smaller than m, the communication overhead would be reduced remarkably.

Security Analysis and Performance Comparison
In this section, the security and the performance of new E-SGKD scheme will be analyzed.

Security Analysis
We present four theorems and proofs for the new E-SGKD scheme, which demonstrate that the new E-SGKD scheme has the security properties as defined in security model.

Theorem 5.
The new E-SGKD scheme is a secure SGKD scheme with a self-healing property and mt-revocation capability.
Proof. According to the definition in Section 2.3, the new E-SGKD scheme has a self-healing property and mt-revocation capability, because it satisfies the following conditions:
(1) A legitimate user $U_i \in G_j^{j'}$ can recover the session key $K_j$ by combining $B_j$ with his personal secret $S_i$ as described in the SessionKeyRecovery procedure.
(2) On one hand, the session key $K_j$ has a relationship with the initial value of the j-th masking key chain, $k_j^1$, and $r_{j'}$ ($1 \le j' \le j$). However, because of the revocation polynomial, it is difficult to compute $k_j^1$ and $r_{j'}$ ($1 \le j' \le j$) using only the broadcast messages. Therefore, using the broadcast message $B_j$ alone can not obtain any information about $K_j$. On the other hand, $K_j$ is chosen randomly and is independent of the personal secret, so that using the personal secret alone can not obtain any information about $K_j$.
Thus, either the broadcast messages or the personal secrets alone can not obtain any information about $K_j$.
(3) We first consider a single user $U_i \in R_j$. For any revoked user $U_i \in R_j$, if $U_i \in R_j^{j'}$, $A_j^{j'}(i) = 0$. Hence, he can not obtain any information about $k_j^{j'}$. Thus, any revoked user alone can not obtain any information about $K_j$. Furthermore, we consider the collusion of the users in $R_j$. Because the personal secret of a user has a relationship with the session in which he joins the group, only the users joining the group in the same session can collude together. According to the Lagrange Interpolation method, only a coalition of at least t + 1 users can recover the corresponding $\varepsilon_{j'} \cdot f(x)$. Since $|R_j^{j'}| \le t$, the coalition of users in $R_j$ can not obtain $\varepsilon_{j'} \cdot f(x)$. Therefore, $U_i \in R_j$ can not obtain information about $K_j$.
(4) From the SessionKeyRecovery procedure, we learn that a legitimate user can recover the lost session keys from his joined session to the current session, which demonstrates that the new scheme has a self-healing property.

Theorem 6.
The new E-SGKD scheme has mt-wise forward secrecy.
Proof. We first consider a single user $U_i \in R_j$ who tries to recover the session key $K_{j+1}$. For a revoked user $U_i \in R_j^{j'}$, $A_{j+1}^{j'}(i) = 0$. Therefore, $U_i$ can not obtain any information about $k_{j+1}^{j'}$. Hence, $U_i$ can not recover $K_{j+1}$. Now we consider the collusion of the users in $R_j$. As described above, only at least t + 1 users who join the group in the same session can collude to recover $\varepsilon_{j'} \cdot f(x)$. However, $|R_j^{j'}| \le t$ so that $\varepsilon_{j'} \cdot f(x)$ can not be recovered. Thus, $U_i$ can not obtain any information about $k_{j+1}^{j'}$ and the session key $K_{j+1}$. Therefore, the new E-SGKD scheme achieves mt-wise forward secrecy.

Theorem 7. The new E-SGKD scheme guarantees any-wise backward secrecy.
Proof. Users in $D_j$ have to know at least t+1 users' personal secrets $\varepsilon_{j'} \cdot f(i)$ ($j' \le j$), which are distributed to those users who join the group in the same session, so that they can recover $\varepsilon_{j'} \cdot f(x)$ and, furthermore, recover the session key $K_j$. However, according to the definition of $D_j$, users in $D_j$ join the group after session $j$, so they only have $\varepsilon_{j'} \cdot f(i)$ ($j' \ge j + 1$). Thus, no matter how many users in $D_j$ coalesce, they do not have enough personal secrets to recover $K_j$. Therefore, the new E-SGKD scheme guarantees any-wise backward secrecy.

Theorem 8.
The new E-SGKD scheme has mt-collusion attack resistance capability.
Proof. Suppose $R_{j_1}$ consists of all users revoked before and in session $j_1$, and $D_{j_2}$ includes all users joining the group after session $j_2$ ($j_1 < j_2$). Even if users in $R_{j_1}$ collude with users in $D_{j_2}$, they can not recover $K_j$ with the knowledge of $B_{j_1}$, $B_{j_2}$ and users' personal secrets.
On one hand, a user $U_i \in R_{j_1}^{j}$ ($j < j_1$) only has $\varepsilon_j \cdot f(i)$, and a user $U_v \in D_{j_2}^{j}$ ($j > j_2$) only has $\varepsilon_j \cdot f(v)$. However, only users joining the group in the same session can collude together and $|R_{j_1}^{j}| \le t$, $|D_{j_2}| \le t$. Even if users in $R_{j_1}$ collude with users in $D_{j_2}$, they can not obtain enough information to recover $\varepsilon_j \cdot f(x)$ and $\varepsilon_j \cdot f(x)$.
On the other hand, from Theorems 2 and 3, we learn that either the collusion of users in $R_{j_1}$ or the collusion of users in $D_{j_2}$ alone can not recover $K_j$. Therefore, the new E-SGKD scheme has mt-collusion attack resistance capability.

Performance Comparison
In this subsection, we compare the basic E-SGKD scheme and the new E-SGKD scheme with the previous E-SGKD schemes from the security performance and the efficiency performance. Except for the published E-SGKD schemes, only Liu et al.'s Scheme 3 [18] and Hong et al.'s Scheme 2 [22] can be converted to the E-SGKD schemes. Here, "Liu et al.'s improved scheme" means the E-SGKD scheme constructed from Liu et al.'s Scheme 3 using the similar method in Section 3. In general, let p be a 128-bit integer and q be a 512-bit integer.

The Security Performance
From Table 2, it is easy to find that Construction 5 [1], Scheme 4 [2], "Liu et al.'s improved scheme" and our basic scheme do not satisfy the backward secrecy and are not resistant to the collusion attack. The Schemes [14,15] and our new scheme have all of the basic security properties, i.e., forward secrecy, backward secrecy and resistance to collusion attack capability.
Additionally, our new scheme allows more users to be revoked and more users to collude compared with the E-SGKD schemes [14,15]. Note that our new scheme has the capability of resisting mt-wise collusion attack and mt-wise forward secrecy when there are users joining the group in every session. Our new scheme has the capability of resisting vt-wise collusion attack and vt-wise forward secrecy when the number of sessions in which users join the group is $v$ ($v < m$). Specifically, the colluding users are fewer than t for each session. Thus, the total number of colluding users is less than vt.

The Storage Overhead
Now, we focus on the efficiency performance, including the storage overhead and the communication overhead. From Table 3, it is obvious that only scheme [15], our basic scheme and our new scheme have the constant storage overhead, i.e., $\log_2 p$, which is optimal compared with other E-SGKD schemes.
Table 3. Comparison of storage overhead.
In the basic scheme, the broadcast message $B_j$ in session $j$ includes $R_{j'}$, $\{g^{P_{j'}(x)}\}$, $\{g^{v_{j'}}\}$, where $j' = 1, 2, \cdots, j$. Because the users' identities can be chosen from a small finite, the communication overhead of $R_j$ can be neglected. Thus, the communication overhead is $(t + 2) j \log_2 q$, which is obviously less than the communication overhead of Blundo et al.'s Scheme 4, based on the fact that $j \le m$. Similarly, in the new scheme, the broadcast message $B_j$ in session $j$ includes $R_{j'}$, where $j' \in \{1, 2, \cdots, j\}$. Note that the communication overhead of $R_j$, $R_j$ can be neglected. Thus, the communication overhead is
where $v$ is the number of the sessions in which the new users join. Let $B_1 = (t + 2) j \log_2 q$, $B_2 = [(t + 1)v + 1] \log_2 q + (v + j) \log_2 p$ and $v = j$, which means all sessions have new users join in, and let $p$ be a 128-bit integer and $q$ be a 512-bit integer. Then, we have:
It is obvious that the communication overhead in our new scheme is lower than the communication overhead of our basic scheme as long as $j > 2$.
Now, we analyze the relationship between the maximum size of the broadcast message and the degree t for different E-SGKD schemes. Suppose [x] denotes that x rounds down to the nearest whole unit. Let m = 30, and t varies from 10 to 30.
[22], which is the most efficient known P-SGKD scheme.
(2) The comparison between our new E-SGKD scheme and scheme [15]
The communication overhead in scheme [15] is $(d + 1)[(t + 2) \log_2 q + (t + 1) \log_2 p]$, which has a relationship with the size of the sliding windows. In general, we assume that the size of the sliding windows (say d) is equal to the number of sessions (say v) in which there are users joining the group.
Figure 2. Axes: the degree of the personal secret polynomial (t); the maximum broadcast packet size (KB). Series: Scheme in [15] (d=0.2m), Scheme in [15] (d=0.3m), Scheme in [15] (d=0.5m).
To sum up, our new E-SGKD scheme has a smaller broadcast size compared with the E-SGKD Schemes [1], [2] and "Liu et al.'s improved scheme". In addition, our new E-SGKD Scheme has a smaller broadcast size than the E-SGKD Scheme [15] when v = d. Hence, our new E-SGKD Scheme is efficient in terms of the communication overhead.

Practicality
Many specific issues should be taken into consideration when an SGKD scheme is applied to real-world scenarios. First, the SGKD scheme should work well and efficiently complete the task of key distribution in the specific scenarios. Second, the system parameters for these scenarios should be determined so that the SGKD scheme and corresponding parameters can work efficiently.
As we know, for most of the SGKD schemes, the largest broadcast packet is supposed to be 64 KB, so the system parameters should be selected according to the principle of reducing the largest broadcast packet. The largest broadcast packet in the E-SGKD scheme is mainly determined by p, q, m and t. In general, suppose p is a 128-bit integer and q is a 512-bit integer. Then, we simulate the E-SGKD schemes that are applied in the wireless network in which the broadcast packet is 64 KB. The simulation results will contribute in analyzing how to select parameters.
(1) The relationship between m and t.  [22]. Thus, our new E-SGKD scheme has the best performance.     [22], is 135. Thus, our new E-SGKD scheme allows more revoked users than all other known E-SGKD schemes and P-SGKD schemes, i.e., the new scheme can resist more users' collusion attacks.

Practicality in ZigBee Network
In this section, we mainly discuss how to apply our new E-SGKD scheme to a special kind of resource-constrained wireless sensor network, i.e., ZigBee networks. For the resource-constrained wireless networks, resources including the users' storage and communication bandwidth are limited.
The ZigBee protocol is designed for low-data-rate wireless networks and is very suitable for low-rate, low-cost and low-energy-consumption networks. As we know, for the ZigBee protocol [38,39], the maximum size of the MAC layer data is from 89 to 119 bytes. When the maximum size of the MAC layer data is 89 bytes, if the data of the application layer are more than 89 bytes, the data will be divided into blocks. Assume that the maximum size of the broadcast message is 4 KB. Then, the broadcast message will be divided into 46 small packets with 88 bytes/packet. Without loss of generality, suppose packets are lost randomly and independently. When the packet loss rate is 1%, only 37.01% of packets reach their destination. When the packet loss rate is 5%, only 9.45% of packets reach their destination, i.e., only one packet in ten reaches its destination and is received by a group member. Hence, suppose m is at least 10.
Under the above assumption, i.e., m equals 10 and the maximum size of the broadcast message is 4 KB, we now check whether the known E-SGKD schemes are suitable for ZigBee wireless networks. From Figure 5, we can find that when t = 10, the size of the broadcast message is more than 4 KB in the most efficient E-SGKD scheme, i.e., Thus, we can conclude that none of the known E-SGKD schemes can be applied to the ZigBee network, and only our new E-SGKD scheme with v = [0.2m], [0.3m] is suitable for the ZigBee network, since it also has optimal storage overhead.
Now, we discuss how to select the system parameters when applying our new E-SGKD scheme to the ZigBee-based wireless network. The simulation results will contribute to analyzing how to select parameters. Suppose the largest broadcast packet in ZigBee-based wireless networks is 4 KB. As
In conclusion, if the new users do not join the group frequently, the number of the sessions in which new users join is small. In this case, our new scheme is efficient in terms of the storage overhead and the communication overhead. When v = [0.2m], the overall efficiency is higher than the most efficient known P-SGKD.
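The size formulas from the communication-overhead analysis and the ZigBee fragmentation assumptions above can be combined into a small parameter-selection calculator. The following Python sketch is an added example, not code from the paper: the function names are hypothetical, 1 KB is assumed to be 1000 bytes (which reproduces the 46 fragments quoted for a 4 KB message), and the largest broadcast is assumed to occur in session j = m.

```python
import math

P_BITS, Q_BITS = 128, 512    # p is 128-bit, q is 512-bit (the page's setting)
PAYLOAD, KB = 88, 1000       # bytes per ZigBee fragment; assumed 1 KB = 1000 B

def basic_bits(t, j):
    """B1 = (t + 2) j log2(q): basic scheme in session j."""
    return (t + 2) * j * Q_BITS

def new_bits(t, j, v):
    """B2 = [(t + 1)v + 1] log2(q) + (v + j) log2(p): new scheme."""
    return ((t + 1) * v + 1) * Q_BITS + (v + j) * P_BITS

def ref15_bits(t, d):
    """(d + 1)[(t + 2) log2(q) + (t + 1) log2(p)]: scheme [15], window d."""
    return (d + 1) * ((t + 2) * Q_BITS + (t + 1) * P_BITS)

def fragments(bits, payload=PAYLOAD):
    """MAC-layer fragments needed to carry a broadcast of `bits` bits."""
    return math.ceil(bits / (8 * payload))

def delivery_probability(n_fragments, loss_rate):
    """Chance that all fragments arrive under independent random loss."""
    return (1.0 - loss_rate) ** n_fragments

def max_degree(size_fn, budget_bytes, t_limit=1000):
    """Largest degree t whose broadcast fits the budget, or None."""
    fits = [t for t in range(1, t_limit + 1) if size_fn(t) <= budget_bytes * 8]
    return max(fits) if fits else None

def zigbee_report(m=10, budget_bytes=4 * KB, loss_rate=0.05):
    """Rows of (v, max t, bytes, fragments, P(all arrive)) for the new scheme."""
    rows = []
    for percent in (20, 30):               # v = [0.2m], [0.3m]
        v = percent * m // 100             # [x] rounds down
        t = max_degree(lambda deg: new_bits(deg, m, v), budget_bytes)
        if t is None:                      # nothing fits this budget
            continue
        bits = new_bits(t, m, v)
        n = fragments(bits)
        rows.append((v, t, bits // 8, n, delivery_probability(n, loss_rate)))
    return rows

if __name__ == "__main__":
    for row in zigbee_report():
        print("v=%d max_t=%d %d bytes, %d fragments, P(all arrive)=%.3f" % row)
```

With v = j, the difference B1 - B2 from these formulas is 256j - 512 bits, which is positive exactly when j > 2.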

Application to Supervisory Control And Data Acquisition (SCADA) in Smart Grid
Smart grids are becoming more and more important in modern society. SCADA systems are applied to monitor and control smart grids. The SCADA system consists of a human-machine interface (HMI), a master terminal unit (MTU), and remote terminal units (RTUs). The structure of these entities is as described in Figure 8 ([40]). The HMI is a human-computer interaction device. The MTU is in charge of supervisory control of the RTUs. As shown in Figure 8, the SCADA system consists of one MTU and multiple sub-MTUs, and these MTUs have rich resources such as storage space and computational capability. Thus, public key cryptography can be used to protect the security among them. Compared with the MTU, the resources of RTUs are limited. In addition, the RTUs are often located in remote places and their security cannot be guaranteed. In SCADA systems, sensitive data will be transmitted among different parts of the power grid. Key management mechanisms can be used to protect the security of the data. Due to its self-healing property and low storage overhead requirements, our proposed E-SGKD scheme is suitable for achieving the key distribution and resolving the transmission availability and security in resource-constrained SCADA systems, where the sub-MTUs act as the GM and the RTUs act as group manager nodes, which can efficiently achieve the key distribution and updating in SCADA systems.

Conclusions
In this paper, we proposed two E-SGKD schemes. The basic E-SGKD scheme was constructed from a known polynomial-based SGKD; it offers the optimal storage overhead but does not have backward secrecy. The new E-SGKD scheme was constructed from the basic E-SGKD scheme. To address the communication overhead and the backward secrecy, a novel approach was introduced for message broadcasting, which gives the new E-SGKD scheme all basic security properties. Compared with known E-SGKD schemes, our new scheme has optimal storage overhead and low communication overhead. We discussed how to select the parameters and simulated the scheme in the ZigBee network. Finally, we introduced the application of our proposed E-SGKD scheme to SCADA systems in the smart grid.