# A Secure and Efficient Group Key Management Protocol with Cooperative Sensor Association in WBANs


## Abstract


## 1. Introduction

- A novel WBAN model with message broadcasting: In practical medical WBAN scenarios, patients who receive services from HC are allocated to different departments according to their physical conditions and diseases. As a result, it is necessary for HC to provide a notification service to different patient groups. To the best of our knowledge, we are the first to propose the system model providing a specific group communication channel for message broadcasting between HC and patients. Moreover, the medical data transmission channel from sensors to PC is also taken into consideration in our design.
- Group key management between HC and PC with CRT: The Chinese remainder theorem is employed for the group key management between HC and PC, which also supports batch key updating. In this case, HC is capable of broadcasting messages to different patient groups. Moreover, patients in the same group are capable of exchanging information about their physical conditions.
- Group key management between PC and sensors with CCDE: In our design, the group key management between PC and sensors is motivated by coded cooperative data exchange for the purpose of minimizing the communication rounds for group key generation. Hence, the communication and computation complexity can be drastically reduced, which is efficient for resource-limited wireless sensors in WBAN.

## 2. Related Works

## 3. Preliminaries and Model Definitions

#### 3.1. Bilinear Pairing

- Bilinearity: For all $g_1\in \mathbb{G}_1$, $g_2\in \mathbb{G}_2$ and $a,b\in \mathbb{Z}$, $\widehat{e}(g_1^{a},g_2^{b})=\widehat{e}(g_1,g_2)^{ab}$.
- Non-degeneracy: There exist $g_1\in \mathbb{G}_1$ and $g_2\in \mathbb{G}_2$ such that $\widehat{e}(g_1,g_2)\ne 1$.
- Computability: For all $g_1\in \mathbb{G}_1$ and $g_2\in \mathbb{G}_2$, there exists an efficient algorithm to compute $\widehat{e}(g_1,g_2)$.

#### 3.2. Coded Cooperative Data Exchange Problem

#### 3.3. Chinese Remainder Theorem

#### 3.4. System Model

#### 3.5. Network Assumption

## 4. Proposed Schemes

#### 4.1. Notations

#### 4.2. Group Key Generation for HC and PCs

#### 4.2.1. Registration Phase

**SecKeGen**. Subsequently, HC executes **PreCom** for necessary precomputation. The design of **SecKeGen** and **PreCom** is presented below.

**SecKeGen**: The HC conducts **SecKeGen** to generate information for $\mathrm{PC}_{i\in [1,n]}$. $\mathbb{Z}_p^{*}$ and $\mathbb{Z}_s^{*}$ are defined as two sets of nonnegative integers less than p and s, respectively, where p and s are two large prime numbers. Additionally, $\mathbb{G}$ is defined as a multiplicative group of p, and g is a generator of $\mathbb{G}$. HC randomly chooses $SSK$ and $PSK_{i\in [1,n]}$ from $\mathbb{Z}_p^{*}$, where $PSK_i$ is the secret key of $\mathrm{PC}_i$ and $SSK$ is the HC master key. Moreover, HC chooses $hsk\in \mathbb{Z}_s^{*}$ for symmetric encryption. As a result, the HC temporary identity $HID$ is generated as:

**PreCom**: The HC conducts **PreCom** to compute the essential intermediate values [44]. First, HC selects $PSK_i$ from the key list and computes:

#### 4.2.2. Group Key Computation Phase

**PGKCom** is conducted by HC in order to obtain the keying message. Finally, HC conducts **SecHtoP** to distribute the keying message to all $\mathrm{PC}_{i\in [1,n]}$. The design of **PGKCom** and **SecHtoP** is described in detail below.

**PGKCom**: In our design, the HC conducts **PGKCom** to get the keying message $\gamma_j$ for department j, which is illustrated as:

**SecHtoP**: The HC conducts **SecHtoP** to distribute the keying message $\gamma_j$ to department j. First, HC encrypts the keying message, illustrated as:

#### 4.2.3. Group Key Derivation Phase

**AuthMess**. Subsequently, $\mathrm{PC}_i$ derives the group key $PGK_j$ using **GrKeCom**. The design of **AuthMess** and **GrKeCom** is described in detail below.

**AuthMess**: $\mathrm{PC}_i$ conducts **AuthMess** to verify the received message from HC. First, $\mathrm{PC}_i$ checks the time stamp $TS$ from the broadcast message. If $TS$ matches the current time, $\mathrm{PC}_i$ checks whether:

**GrKeCom**: This algorithm is designed for group key derivation from the received keying message $\gamma_j$. In **GrKeCom**, a modulo division on the $\mathrm{PC}_i$ side is conducted as:

#### 4.3. PC Join and Leave Operations

#### 4.3.1. PC Join Operation Phase

**JoKeUpdate** is conducted by HC to generate the rekeying message of $\mathrm{PC}_{join}$ and other n PCs of department j. Finally, by conducting **JoKeDerive**, the updated group key is distributed to all the $n+1$ PCs of department j. The design of **JoKeUpdate** and **JoKeDerive** is described in detail below.

**JoKeUpdate**: The HC conducts **JoKeUpdate** to generate the rekeying message for both $\mathrm{PC}_{join}$ and the current n PCs. A few steps are necessary as introduced below: First, for $\mathrm{PC}_{join}$, HC computes its corresponding $x_{join}$ and $y_{join}$ according to the **PreCom** algorithm in Section 4.2. Hence, the variable $var_{join}$ can be computed as:

**SecHtoP** algorithm introduced in Section 4.2, the rekeying message $\gamma_{j-join}$ can be securely transmitted to the $n+1$ PCs, which includes one new joining $\mathrm{PC}_{join}$ and existing n PCs of department j.

**JoKeDerive**: This algorithm is designed for the aforementioned $n+1$ PCs to derive the updated group key $PGK_{j-join}$ from $\gamma_{j-join}$. After the verification process through **AuthMess** in Section 4.2, the $\mathrm{PC}_{i\in [1,n]\cup \{join\}}$ conducts a modulo division, illustrated as:

**JoKeDerive** is similar to the group key derivation phase presented in Section 4.2.

#### 4.3.2. PC Leave Operation Phase

**LeKeUpdate** algorithm first to generate the rekeying message $\mu_{j-leave}$ and transmits it to the remaining $n-1$ $\mathrm{PC}_{i\in [1,n]\setminus \{leave\}}$ securely. Then, **LeKeDerive** is adapted on the $\mathrm{PC}_i$ side. Hence, the updated group key $PGK_{j-leave}$ is derived by HC and the rest of the $n-1$ PCs. The design of **LeKeUpdate** and **LeKeDerive** is described in detail below.

**LeKeUpdate**: The HC conducts **LeKeUpdate** to generate the rekeying message concerning the remaining $n-1$ PCs. A few steps are necessary as introduced below: First, HC obtains $\mu_{leave}$ of $\mathrm{PC}_{leave}$ demonstrated as:

**SecHtoP** algorithm introduced in Section 4.2, the rekeying message $\gamma_{j-leave}$ can be securely transmitted.

**LeKeDerive**: After the verification process with the **AuthMess** algorithm in Section 4.2, $\mathrm{PC}_{i\in [1,n]\setminus \{leave\}}$ conducts **LeKeDerive** to derive the updated group key $PGK_{j-leave}$, illustrated as:

**LeKeDerive** is similar to the group key derivation phase presented in Section 4.2.

#### 4.3.3. Batch Updating Phase

**BaKeUpdate** algorithm to generate the batch rekeying message $\gamma_{j-batch}$ and uses **SecHtoP** to distribute it to all the $n+w$ PCs. Afterwards, **AuthMess** is conducted for verification on the PC side. Finally, **BaKeDerive** is conducted so that the updated group key $PGK_{j-batch}$ is obtained by $n+w-z$ PCs in department j. It is noteworthy that the **SecHtoP** and **AuthMess** algorithms are the same as the ones presented in Section 4.2. The design of **BaKeUpdate** and **BaKeDerive** is described in detail below.

**BaKeUpdate**: The HC conducts **BaKeUpdate** to generate the batch rekeying message for the $n+w-z$ PCs. A few steps are necessary as introduced below: First, with the aforementioned **PreCom** algorithm described in Section 4.2, HC computes the corresponding $x_{bj}$ and $y_{bj}$ of w $\mathrm{PC}_{bj\in [1,w]}$. Hence, the variable for $\mathrm{PC}_{bj}$ is obtained as:

**SecHtoP** algorithm introduced in Section 4.2, the batch rekeying message $\gamma_{j-batch}$ can be distributed to all the $n+w$ PCs.

**BaKeDerive**: After the verification process using the **AuthMess** algorithm in Section 4.2, $\mathrm{PC}_{i\in [1,n+w]}$ derives the updated group key $PGK_{j-batch}$ from $\gamma_{j-batch}$ using **BaKeDerive**. The $\mathrm{PC}_{i\in [1,n+w-z]}$ conducts a modulo division, illustrated as:

#### 4.4. Group Key Generation for PC and Sensors

#### 4.4.1. Setup Phase

**SecKeDis** to generate temporary identity $PID_i$ and symmetric secret key $nsk$. Thereafter, $\mathrm{PC}_i$ conducts **MasKeDis** to distribute the predefined master keys to sensor $\mathrm{SN}_{v\in [1,m]}$. The design of **SecKeDis** and **MasKeDis** is described in detail below.

**SecKeDis**: The $\mathrm{PC}_i$ conducts **SecKeDis** to generate $nsk$ and $PID_i$. Let $\mathbb{Z}_h^{*}$ be a nonnegative integer set less than h, where h is assumed to be a large prime number. Additionally, $\mathbb{G}_T$ is defined as a multiplicative group of h, and u is the generator of $\mathbb{G}_T$. First, $\mathrm{PC}_i$ randomly chooses $nsk$ from $\mathbb{Z}_h^{*}$. Hence, $PID_i$ is generated, illustrated as follows:

**MasKeDis**: The $\mathrm{PC}_i$ conducts **MasKeDis** to distribute a set of master keys among the m sensors. Let $Q_i=\{k_h \mid h\in [1,c],\ c>m\wedge c\in \mathbb{N}^{*}\}$ be the c master keys to be allocated. According to our design, a master key subset $B_v$ denoted by $B_v\subseteq Q_i$ is distributed to $\mathrm{SN}_v\in C_i$. Hence, $\forall v_1,v_2\in \{1,\dots ,m\}$ ($v_1\ne v_2$), $B_{v_1}\cap B_{v_2}\ne \varnothing$ and $B_{v_1}\cup B_{v_2}\subseteq Q_i$ hold. In this way, each sensor $\mathrm{SN}_v\in C_i$ shares at least one master key with each remaining sensor. Upon completion, $\mathrm{PC}_i$ assigns $\langle PID_i,nsk,B_v\rangle$ to sensor $\mathrm{SN}_v$.

#### 4.4.2. Key Generation Phase

**$\mathrm{MasKeSel}_1$** to select the most widely-shared master key $k_{\Psi}^{1}\in Q_i$ in all the m subsets $B_{v\in [1,m]}$ and computes the session key $Sk_{\Psi}^{1}$. Afterwards, $\mathrm{PC}_i$ transmits the session key $Sk_{\Psi}^{1}$ to sensors with **SecPtoS**. Subsequently, **AuthSess** is conducted by sensor $\mathrm{SN}_v\in C_i$ so as to guarantee the validity of the received session key and to compare it with $B_v$. Hence, the sensors preloaded with $k_{\Psi}^{1}$ are classified as one subset $\Lambda_1\subseteq C_i$. Other sensors without $k_{\Psi}^{1}$ abandon the received message.

**$\mathrm{MasKeSel}_2$** to select the second master key $k_{\Psi}^{2}$. Similarly, the sensors preloaded with $k_{\Psi}^{2}$ are classified as the second subset $\Lambda_2\subseteq C_i$. According to our design, $\Lambda_1\cap \Lambda_2\ne \varnothing$. In other words, at least one sensor is preloaded with both $k_{\Psi}^{1}$ and $k_{\Psi}^{2}$. Let $\mathrm{SN}_{\hslash}^{\Lambda_1\cap \Lambda_2}$ be the sensors such that $\mathrm{SN}_{\hslash}^{\Lambda_1\cap \Lambda_2}\in \Lambda_1\cap \Lambda_2$ ($\hslash \in [1,\Phi_1]$), assuming that there are in total $\Phi_1$ elements in $\Lambda_1\cap \Lambda_2$. Subsequently, $\mathrm{SN}_{\hslash \in [1,\Phi_1]}^{\Lambda_1\cap \Lambda_2}$ with both $k_{\Psi}^{1}$ and $k_{\Psi}^{2}$ conducts **GrKeEnc** so that the sensors in $\complement_{\Lambda_2}(\Lambda_1\cap \Lambda_2)$ can derive the session key $Sk_{\Psi}^{1}$. Note that $Sk_{\Psi}^{1}$ is considered as the group key $SGK_i$.

**$\mathrm{MasKeSel}_1$**, **SecPtoS**, **AuthSess**, **$\mathrm{MasKeSel}_2$** and **GrKeEnc** is respectively described in detail below.

**$\mathrm{MasKeSel}_1$**: This algorithm is designed for $\mathrm{PC}_i$ to select the master key $k_{\Psi}^{1}$. It is assumed that $\mathrm{PC}_i$ primarily chooses the master key involving more sensors. As a result, the corresponding session key $Sk_{\Psi}^{1}$ is generated, illustrated as:

**SecPtoS**: After the computation of session key $Sk_{\Psi}^{1}$, $\mathrm{PC}_i$ conducts **SecPtoS** for session key distribution. First, $Sk_{\Psi}^{1}$ is encrypted by $\mathrm{PC}_i$ following:

**SecPtoS** is similar to the aforementioned **SecHtoP**.

**AuthSess**: This algorithm is designed for sensors to verify the received certificate from $\mathrm{PC}_i$. The whole process is similar to the aforementioned **AuthMess** algorithm. $\mathrm{PC}_i$ checks whether:

**$\mathrm{MasKeSel}_2$**: This algorithm is designed for $\mathrm{PC}_i$ to select the second master key $k_{\Psi}^{2}$. It is required that at least one sensor in $\Lambda_1$ stores master key $k_{\Psi}^{2}$ in its master key subset. That is, $\exists \mathrm{SN}_{\Omega}\in \Lambda_1$, $k_{\Psi}^{2}\in B_{\Omega}$ holds. Following this rule, $\mathrm{PC}_i$ chooses the master key involving more sensors in $\complement_{C_i}\Lambda_1$. After that, session key $Sk_{\Psi}^{2}$ is generated according to:

**GrKeEnc**: After $\mathrm{PC}_i$ broadcasts the session keys two times, sensors $\mathrm{SN}_{\hslash}^{\Lambda_1\cap \Lambda_2}$ have both $Sk_{\Psi}^{1}$ and $Sk_{\Psi}^{2}$. Consequently, $\mathrm{SN}_{\hslash \in [1,\Phi_1]}^{\Lambda_1\cap \Lambda_2}$ encrypts $Sk_{\Psi}^{1}$ using $Sk_{\Psi}^{2}$ as follows:

**SecPtoS**. At last, **AuthSess**, sensors in $\complement_{\Lambda_2}(\Lambda_1\cap \Lambda_2)$ derive the session key $Sk_{\Psi}^{1}$. Hence, $Sk_{\Psi}^{1}$ is distributed as the group key $SGK_i$.
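The selection and relay logic of **MasKeDis**, the master key selection rounds and **GrKeEnc** described above, as an added Python example that is not the authors' code. It generalizes the two rounds in the text to $\rho$ rounds by chaining through $\Lambda_{i-1}\cap \Lambda_i$ and counts transmissions as $\rho +\sum \Phi_i$; the sensor and key names, the tie-break by key name and all function names are assumptions, and no cryptography is performed (only which sensors can obtain the group key, and at what cost).

```python
"""Added example: plan key-selection rounds over master-key subsets B_v."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

Subsets = Dict[str, Set[str]]  # sensor id -> master-key subset B_v

# Constructed sample: five sensors, three master keys (not from the paper).
SAMPLE_SUBSETS: Subsets = {
    "SN1": {"k1", "k2"},
    "SN2": {"k1", "k3"},
    "SN3": {"k1", "k2"},
    "SN4": {"k1", "k3"},
    "SN5": {"k2", "k3"},
}


def pairwise_violations(subsets: Subsets) -> List[Tuple[str, str]]:
    """Sensor pairs with no shared master key (breaks the MasKeDis invariant)."""
    return [(a, b) for a, b in combinations(sorted(subsets), 2)
            if not subsets[a] & subsets[b]]


def holders(subsets: Subsets, key: str) -> Set[str]:
    """Lambda for one master key: every sensor preloaded with it."""
    return {sn for sn, keys in subsets.items() if key in keys}


def plan_rounds(subsets: Subsets) -> List[dict]:
    """Greedy selection: round 1 takes the most widely shared key; each later
    round takes the unused key that reaches the most still-uncovered sensors
    and is also held by at least one sensor of the previous round's Lambda."""
    bad = pairwise_violations(subsets)
    if bad:
        raise ValueError(f"subsets share no master key: {bad}")
    all_keys = sorted(set().union(*subsets.values()))
    covered: Set[str] = set()   # sensors that already hold the group key
    prev: Set[str] = set()      # Lambda of the previous round
    used: Set[str] = set()
    rounds: List[dict] = []
    while covered != set(subsets):
        best_key, best_gain = None, 0
        for key in all_keys:                 # sorted order = tie-break (assumed)
            if key in used:
                continue
            lam = holders(subsets, key)
            if rounds and not (lam & prev):  # needs a relay in previous Lambda
                continue
            gain = len(lam - covered)
            if gain > best_gain:
                best_key, best_gain = key, gain
        if best_key is None:
            raise ValueError("no master key reaches the remaining sensors")
        lam = holders(subsets, best_key)
        rounds.append({
            "key": best_key,
            "lambda": sorted(lam),
            # Relays hold both this round's key and the group key (GrKeEnc).
            "relays": sorted(lam & prev) if rounds else [],
            "new": sorted(lam - covered),
        })
        covered |= lam
        prev = lam
        used.add(best_key)
    return rounds


def communication_cost(rounds: List[dict]) -> int:
    """rho broadcasts by the PC plus one relay transmission per relay sensor."""
    return len(rounds) + sum(len(r["relays"]) for r in rounds)


if __name__ == "__main__":
    plan = plan_rounds(SAMPLE_SUBSETS)
    for number, step in enumerate(plan, start=1):
        print(number, step)
    print("transmissions:", communication_cost(plan))
```

Running `pairwise_violations` on a proposed allocation before provisioning catches any pair of sensors that could never bridge the group key to each other.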

#### 4.5. Sensor Join and Leave Operations

#### 4.5.1. Sensor Join Operation

#### 4.5.2. Sensor Leave Operation

## 5. Security Analysis

#### 5.1. Resistance to Replay Attack

**Theorem 1.**

**Proof of Theorem 1.**

**SecKeGen** algorithm to generate relevant secret information $\{TS,PSK_i,SSK,g,hsk\}$. It is notable that $TS$ denotes the current time stamp. After that, $\mathcal{C}_1$ computes $HID$ and $E(\gamma_j)$. Finally, $\{\mathrm{PC}_i,HID,TS,g,E(\gamma_j)\}$ is returned to $\mathcal{A}_1$.

**SecHtoP** algorithm to generate the signature $SIG(TS\parallel HID\parallel E(\gamma_j))$ and return it to $\mathcal{A}_1$.

**AuthMess** algorithm to check the validity of the received signature. The received signature is compared with the newly-generated signature after a certain time interval $\Delta t$ by replaying the process.

**AuthMess** algorithm as follows:

**Theorem 2.**

**Proof of Theorem 2.**

#### 5.2. Resistance to Forgery Attack

**Theorem 3.**

**Proof of Theorem 3.**

**SecKeGen** algorithm to generate relevant secret information $\{TS,PSK_i,SSK,g,hsk\}$. Note that $TS$ denotes the current time stamp. $\{\mathrm{PC}_i,HID,TS,g\}$ is returned to $\mathcal{A}_2$.

**AuthMess** algorithm to check the validity of the received signature. The received signature is compared with the newly-generated signature of $E(\gamma_j^{\prime})$ ($\gamma_j^{\prime}\ne \gamma_j$).

**Theorem 4.**

**Proof of Theorem 4.**

#### 5.3. Forward Security

**Theorem 5.**

**Proof of Theorem 5.**

**Theorem 6.**

**Proof of Theorem 6.**

#### 5.4. Resistance to Collusion Attack

**Theorem 7.**

**Proof of Theorem 7.**

## 6. Performance Analysis

#### 6.1. Group Key Management between HC and PCs

#### 6.1.1. Computational Cost and Storage

#### 6.1.2. Communication Cost

#### 6.2. Group Key Management between PC and Sensors

#### 6.2.1. Computational Cost and Storage

#### 6.2.2. Communication Cost

#### 6.3. Simulation Experiments and Results

**SecKeGen** was not included. The simulation was performed several times with different numbers of PCs. The comparison results with ESSA [4] and DAKM [44] are presented in Figure 2 and Figure 3. As shown in Figure 2, our protocol required less running time.

## 7. Conclusions

## Author Contributions

## Funding

## Acknowledgments

## Conflicts of Interest

## References

1. Alemdar, H.; Ersoy, C. Wireless Sensor Networks for Healthcare: A Survey. Comput. Netw. **2010**, 54, 2688–2710.
2. Liu, J.; Zhang, Z.; Chen, X.; Kwak, K.S. Certificateless Remote Anonymous Authentication Schemes for Wireless Body Area Networks. IEEE Trans. Parallel Distrib. Syst. **2014**, 25, 332–342.
3. He, D.; Zeadally, S.; Wu, L. Certificateless Public Auditing Scheme for Cloud-Assisted Wireless Body Area Networks. IEEE Syst. J. **2018**, 12, 64–73.
4. Shen, J.; Tan, H.; Moh, S.; Chung, I.; Liu, Q.; Sun, X. Enhanced Secure Sensor Association and Key Management in Wireless Body Area Networks. J. Commun. Netw. **2015**, 17, 453–462.
5. Halford, T.R.; Courtade, T.A.; Chugg, K.M.; Li, X.; Thatte, G. Energy-Efficient Group Key Agreement for Wireless Networks. IEEE Trans. Wirel. Commun. **2015**, 14, 5552–5564.
6. Zhang, P.; Ma, J. Channel Characteristic Aware Privacy Protection Mechanism in WBAN. Sensors **2018**, 18, 2703.
7. Lee, D.; Lee, I. Dynamic Group Authentication and Key Exchange Scheme Based on Threshold Secret Sharing for IoT Smart Metering Environments. Sensors **2018**, 18, 3534.
8. Tan, H.; Choi, D.; Kim, P.; Pan, S.; Chung, I. Secure Certificateless Authentication and Road Message Dissemination Protocol in VANETs. Wirel. Commun. Mob. Comput. **2018**, 2018, 7978027.
9. Augimeri, A.; Fortino, G.; Galzarano, S.; Gravina, R. Collaborative Body Sensor Networks. In Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics, Anchorage, AK, USA, 9–12 October 2011; pp. 3427–3432.
10. Horn, G.; Preneel, B. Authentication and Payment in Future Mobile Systems. J. Comput. Secur. **2000**, 8, 183–207.
11. Zhu, J.; Ma, J. A New Authentication Scheme With Anonymity for Wireless Environments. IEEE Trans. Consum. Electron. **2004**, 50, 231–235.
12. Shacham, H.; Brent, W. Compact Proofs of Retrievability. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, Australia, 7–11 December 2008; pp. 90–107.
13. Hao, Z.; Zhong, S.; Yu, N. A Privacy-Preserving Remote Data Integrity Checking Protocol With Data Dynamics and Public Verifiability. IEEE Trans. Knowl. Data Eng. **2011**, 23, 1432–1437.
14. Wang, C.; Wang, Q.; Ren, K.; Cao, N.; Lou, W. Toward Secure and Dependable Storage Services in Cloud Computing. IEEE Trans. Serv. Comput. **2012**, 5, 220–232.
15. Huang, K.; Xian, M.; Fu, S.; Liu, J. Securing The Cloud Storage Audit Service: Defending Against Frame and Collude Attacks of Third Party Auditor. IET Commun. **2014**, 8, 2106–2113.
16. Lu, R.; Lin, X.; Zhu, H.; Ho, P.; Shen, X. A Novel Anonymous Mutual Authentication Protocol With Provable Link-Layer Location Privacy. IEEE Trans. Veh. Technol. **2009**, 58, 1454–1466.
17. Teranishi, I.; Furukawa, J.; Sako, K. K-Times Anonymous Authentication. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, 5–9 December 2004; pp. 308–322.
18. Tan, H.; Choi, D.; Kim, P.; Pan, S.; Chung, I. Comments on ‘Dual Authentication and Key Management Techniques for Secure Data Transmission in Vehicular Ad Hoc Networks’. IEEE Trans. Intell. Transp. Syst. **2017**, 19, 2149–2151.
19. Cao, X.; Zeng, X.; Kou, W.; Hu, L. Identity-Based Anonymous Remote Authentication for Value-Added Services in Mobile Networks. IEEE Trans. Veh. Technol. **2009**, 58, 3508–3517.
20. Shamir, A. Identity-Based Cryptosystems and Signature Schemes. In Proceedings of the Advances in Cryptology, Santa Barbara, CA, USA, 11–15 August 1984; pp. 47–53.
21. Yang, J.; Chang, C. An ID-based Remote Mutual Authentication With Key Agreement Scheme for Mobile Devices on Elliptic Curve Cryptosystem. Comput. Secur. **2009**, 28, 138–143.
22. Yoon, E.; Yoo, K. Robust ID-Based Remote Mutual Authentication With Key Agreement Scheme for Mobile Devices on ECC. In Proceedings of the 2009 International Conference on Computational Science and Engineering, Vancouver, BC, Canada, 29–31 August 2009; pp. 633–640.
23. Wang, H. Identity-Based Distributed Provable Data Possession in Multicloud Storage. IEEE Trans. Serv. Comput. **2015**, 8, 328–340.
24. He, D.; Chen, J.; Hu, J. An ID-based Client Authentication With Key Agreement Protocol for Mobile Client–Server Environment on ECC With Provable Security. Inf. Fusion **2012**, 13, 223–230.
25. Wang, Y.; Wu, Q.; Qin, B.; Shi, W.; Deng, R.H.; Hu, J. Identity-Based Data Outsourcing With Comprehensive Auditing in Clouds. IEEE Trans. Inf. Forensics Secur. **2017**, 12, 940–952.
26. Al-Riyami, S.S.; Paterson, K.G. Certificateless Public Key Cryptography. In Proceedings of the Advances in Cryptology-ASIACRYPT2003, Taipei, Taiwan, 30 November–4 December 2003; pp. 452–473.
27. Xiong, H. Cost-Effective Scalable and Anonymous Certificateless Remote Authentication Protocol. IEEE Trans. Inf. Forensics Secur. **2014**, 9, 2327–2339.
28. Xiong, H.; Qin, Z. Revocable and Scalable Certificateless Remote Authentication Protocol With Anonymity for Wireless Body Area Networks. IEEE Trans. Inf. Forensics Secur. **2015**, 10, 1442–1455.
29. Zheng, X.; Huang, C.; Matthews, M. Chinese Remainder Theorem Based Group Key Management. In Proceedings of the 45th Annual Southeast Regional Conference, Winston-Salem, NC, USA, 23–24 March 2007; pp. 266–271.
30. Zhou, J.; Ou, Y. Key Tree and Chinese Remainder Theorem Based Group Key Distribution Scheme. J. Chin. Inst. Eng. **2009**, 32, 967–974.
31. Lv, X.; Li, H.; Wanga, B. Group Key Agreement for Secure Group Communication in Dynamic Peer Systems. J. Parallel Distrib. Comput. **2012**, 72, 1195–1200.
32. Guo, C.; Chang, C. An Authenticated Group Key Distribution Protocol Based on The Generalized Chinese Remainder Theorem. Int. J. Commun. Syst. **2014**, 27, 126–134.
33. Vijayakumar, P.; Bose, S.; Kannan, A. Chinese Remainder Theorem Based Centralised Group Key Management for Secure Multicast Communication. IET Inf. Secur. **2014**, 8, 179–187.
34. Rouayheb, S.E.; Sprintson, A.; Sadeghi, P. On Coding for Cooperative Data Exchange. In Proceedings of the 2010 IEEE Information Theory Workshop on Information Theory, Cairo, Egypt, 6–8 January 2010; pp. 1–5.
35. Courtade, T.A.; Wesel, R.D. Coded Cooperative Data Exchange in Multihop Networks. IEEE Trans. Inf. Theory **2014**, 60, 1136–1158.
36. Gonen, M.; Langberg, M. Coded Cooperative Data Exchange Problem for General Topologies. IEEE Trans. Inf. Theory **2015**, 61, 5656–5669.
37. Heidarzadeh, A.; Yan, M.; Sprintson, A. Cooperative Data Exchange With Priority Classes. In Proceedings of the 2016 IEEE International Symposium on Information Theory, Barcelona, Spain, 10–15 July 2016; pp. 2324–2328.
38. Milosavljevic, N.; Pawar, S.; Rouayheb, S.E.; Gastpar, M.; Ramchandran, K. Deterministic Algorithm for The Cooperative Data Exchange Problem. In Proceedings of the 2011 IEEE International Symposium on Information Theory Proceedings, St. Petersburg, Russia, 31 July–5 August 2011; pp. 410–414.
39. Sprintson, A.; Sadeghi, P.; Booker, G.; Rouayheb, S.E. A Randomized Algorithm and Performance Bounds for Coded Cooperative Data Exchange. In Proceedings of the 2010 IEEE International Symposium on Information Theory Proceedings, Austin, TX, USA, 13–18 June 2010; pp. 1888–1892.
40. Courtade, T.A.; Halford, T.R. Coded Cooperative Data Exchange for a Secret Key. IEEE Trans. Inf. Theory **2016**, 62, 3785–3795.
41. Jiang, Q.; Ma, J.; Wei, F.; Tian, Y.; Shen, J.; Yang, Y. An Untraceable Temporal-Credential-Based Two-Factor Authentication Scheme Using ECC for Wireless Sensor Networks. J. Netw. Comput. Appl. **2016**, 76, 37–48.
42. Pirbhulal, S.; Zhang, H.; Wu, W.; Mukhopadhyay, S.C.; Zhang, Y. Heart-Beats Based Biometric Random Binary Sequences Generation to Secure Wireless Body Sensor Networks. IEEE Trans. Biomed. Eng. **2018**.
43. Shen, J.; Tan, H.; Zhang, Y.; Sun, X.; Xiang, Y. A New Lightweight RFID Grouping Authentication Protocol for Multiple Tags in Mobile Environment. Multimed. Tools Appl. **2017**, 76, 22761–22783.
44. Vijayakumar, P.; Azees, M.; Kannan, A.; Deborah, L.J. Dual Authentication and Key Management Techniques for Secure Data Transmission in Vehicular Ad Hoc Networks. IEEE Trans. Intell. Transp. Syst. **2016**, 17, 1015–1028.
45. Jiang, Q.; Ma, J.; Yang, C.; Ma, X.; Shen, J.; Chaudhry, S.A. Efficient End-to-End Authentication Protocol for Wearable Health Monitoring Systems. Comput. Electr. Eng. **2017**, 63, 182–195.
46. Ho, J.; Wright, M.; Das, S.K. ZoneTrust: Fast Zone-Based Node Compromise Detection and Revocation in Wireless Sensor Networks Using Sequential Hypothesis Testing. IEEE Trans. Dependable Secur. Comput. **2012**, 9, 494–511.
47. Thaile, M.; Ramanaiah, O. Node Compromise Detection based on NodeTrust in Wireless Sensor Networks. In Proceedings of the International Conference on Computer Communication and Informatics, Coimbatore, India, 7–9 January 2016; pp. 1–5.
48. Courtade, T.A.; Wesel, R.D. Weighted Universal Recovery, Practical Secrecy, and An Efficient Algorithm for Solving Both. In Proceedings of the 49th Annual Allerton Conference on Communication, Control, and Computing, Monticello, IL, USA, 28–30 September 2011; pp. 1349–1357.
49. Tan, H.; Choi, D.; Kim, P.; Pan, S.; Chung, I. An Efficient Hash-based RFID Grouping Authentication Protocol Providing Missing Tags Detection. J. Internet Technol. **2018**, 19, 481–488.
50. Pirbhulal, S.; Zhang, H.; Wu, W.; Mukhopadhyay, S.C.; Zhang, Y. An Efficient Biometric-Based Algorithm Using Heart Rate Variability for Securing Body Sensor Networks. Sensors **2015**, 15, 15067–15089.

Notation | Description |
---|---|
HC, PC | Healthcare center, personal controller |
$\mathrm{P}_i$ | Patient |
$hsk$, $nsk$ | Symmetric secret key |
$PSK_i$ | Secret key of $\mathrm{PC}_i$ |
$SSK$ | HC master key |
$HID$, $PID_i$ | HC and $\mathrm{PC}_i$ temporary identity |
g, u | Generators of $\mathbb{G}$ and $\mathbb{G}_T$ |
$TS$ | Time stamp |
n | Number of patients in department j |
$PGK_j$ | Group key for HC and PCs in department j |
$S\_ENC_x(M)$ | Symmetric encryption on M with x |
$S\_DEC_x(M)$ | Symmetric decryption on M with x |
$SIG_x(TS\parallel M)$ | Signature on M |
m | Number of sensors attached to $\mathrm{P}_i$ |
$H()$ | One-way hash function |
$B_v$ | Master key subset preloaded to $\mathrm{SN}_v$ |
$k_{\Psi}^{i}$ | Shared master key |
$Sk_{\Psi}^{i}$ | Session key |
$\Lambda_i$ | Sensors preloaded with $k_{\Psi}^{i}$ |
$SGK_i$ | Sensor group key of $\mathrm{P}_i$ |
$\rho$ | Transmission times on the $\mathrm{PC}_i$ side |
$\Theta_i$ | Number of sensors in $\Lambda_i$ |
$\Phi_i$ | Number of sensors in $\Lambda_i\cap \Lambda_{i+1}$ |

Protocol | ESSA [4] | DAKM [44] | Our Protocol |
---|---|---|---|
Computation of HC | $np$ + $n\,\mathrm{mod}$ + $2nA$ + $2nM$ + $nH$ | $3Enc$ + $2nM$ + $nD$ + ($n-1$)A | $2Ex$ + $2nM$ + $nD$ + $1Enc$ + $1H$ + ($n-1$)A |
Computation of PC | $1p$ + $1\,\mathrm{mod}$ + $2A$ + $2M$ + $1H$ | $1Dec$ + $1\,\mathrm{mod}$ + $1Enc$ | $1e$ + $1H$ + $1Dec$ + $1\,\mathrm{mod}$ |
Storage of HC | $3n$ + 10 | $5n$ + 9 | $3n$ + 10 |
Storage of PC | 13 | 10 | 8 |

Protocol | ESSA [4] | DAKM [44] | Our Protocol |
---|---|---|---|
Transmission Type | Unicast | Broadcast | Broadcast |
Communication Cost | $3n$ | 1 | 1 |

Protocol | ESSA [4] | Our Protocol |
---|---|---|
Computation of PC | ($2m$ + 1)p + $6mH$ + ($m-1$)A + $Enc$ | ($\rho$ + 1)$Ex$ + $2\rho H$ + $\rho Enc$ |
Computation of Sensor | $2p$ + $6H$ + $Dec$ | $\left[(e+H+Dec)(\Theta_1+2\sum_{i=2}^{\rho}\Theta_i)\right]/m$ |
Storage of PC | $6m$ + 9 | $km$ + 8 |
Storage of Sensor | 15 | 9 + k |

Protocol | ESSA [4] | Our Protocol |
---|---|---|
Transmission Type | Unicast/Broadcast | Broadcast |
Communication Cost | $4m$ + 1 | $\rho +\sum_{i=1}^{\rho -1}\Phi_i$ |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Tan, H.; Chung, I.
A Secure and Efficient Group Key Management Protocol with Cooperative Sensor Association in WBANs. *Sensors* **2018**, *18*, 3930.
https://doi.org/10.3390/s18113930
