Provably Secure Receiver-Unrestricted Group Key Management Scheme for Mobile Ad Hoc Networks

Mobile ad hoc networks (MANETs) are self-configuring networks of wireless nodes, i.e., mobile devices. Since communications in MANETs occur via wireless channels, securing communications among wireless and mobile nodes is of great significance. Group key management, as a widely used method for securing group communications, has been applied to MANETs for years. Most recently, a secure receiver-unrestricted group key management scheme for MANETs has been proposed. It establishes a secure channel among a group of wireless nodes without a trusted dealer and has advantages such as eliminating the certificate management problem and receiver restriction. However, a formal security analysis of this scheme is still lacking. Therefore, in this paper, we propose the complete security proof to demonstrate that the scheme satisfies the essential security properties, including authentication, message confidentiality, known-key security and dynamic secrecy. We also give a brief discussion of the efficiency of the scheme.


Introduction
In recent years, mobile ad hoc networks (MANETs) have garnered widespread attention due to their utility and cost-effectiveness. For example, the wireless and mobile nodes in MANETs can still perform effectively in harsh and dynamic environments. This advantage has led to MANETs being employed in various fields, including intelligent transportation [1,2], the military field [3], and vehicular ad hoc networks [4]. While enjoying the benefits of MANETs, there are still a few security and functional concerns that require our attention. In general, MANETs often consist of numerous mobile and wireless nodes that are responsible for receiving, transmitting and processing data among each other. These interactions among nodes often take place through the wireless communication channel, which exposes these mobile and wireless nodes to many attacks, such as impersonation, eavesdropping, forging, and tampering [5]. Hence, it is a challenging task to ensure secure communication in MANETs. Group key management is widely used to establish secure communication channels among wireless nodes by enabling them to exchange encrypted messages through secret keys [6]. Furthermore, the secure channel for wireless communication should support authentication, which ensures that the messages being received are not changed and are coming from a legitimate node. In addition, the dynamic nature of MANETs makes it difficult to ensure that the established channel remains secure all the time.
Existing group key management schemes for MANETs are realized based on two types of primitives, namely group key distribution (GKD) [7][8][9][10][11] and group key agreement (GKA) [12][13][14][15]. For GKD-based schemes, a trusted dealer is always needed for establishing a secure channel since it is in charge of generating and distributing group key(s) to each sensor node in a group. A trusted dealer is an online trusted party (e.g., a base station), which is often used to authenticate nodes. Our scheme is based on an authenticated scheme, i.e., our identity-based authenticated dynamic contributory broadcast encryption scheme in Section 5, in which a node is implicitly authenticated. Therefore, a trusted dealer (e.g., a base station) is not used to authenticate nodes in our scheme. However, we note that over-dependency on a trusted dealer increases the risk of a single-point attack. We also note that, generally, no trusted dealer exists in self-organizing networks such as MANETs. Even though GKA-based schemes eliminate the need for a trusted dealer, receiver restriction still exists, which means that a message from a sender can only be sent to all nodes in the group. This is obviously undesirable in real-world applications (e.g., MANETs) where a sender should be given the right to choose its preferred sensor nodes within a group to receive the message.
Contributory broadcast encryption (ConBE) [16] can potentially be used to overcome receiver restriction. ConBE enables wireless nodes to form a group by negotiating a public group encryption key and each wireless node's decryption key. More importantly, it allows any node with knowledge of the group encryption key to send encrypted messages to any subset of nodes within the group. Only the selected nodes can then decrypt the message using their own decryption keys. We note that the first dynamic ConBE scheme was proposed in [17]. However, the scheme is based on traditional public-key cryptography and therefore faces issues with certificate management. Moreover, existing ConBE schemes do not consider whether the message sent by each wireless node is authenticated. This could potentially increase the risk of an adversary modifying the message.

Our Contribution
This paper is an extended version of our paper published in the 2022 IEEE Wireless Communications and Networking Conference (WCNC) [18], in which an identity-based authenticated dynamic contributory broadcast encryption (IBADConBE) scheme was first discussed. This scheme was further utilized to achieve a secure and receiver-unrestricted group key management scheme for MANETs and could solve all the challenges mentioned in Section 1. In this paper, we first review the original scheme, which has the following advantages. It first allows multiple wireless nodes to dynamically form a group by negotiating a public group encryption key and each node's decryption key. After that, any sender knowing the public group encryption key can flexibly choose the wireless nodes of interest in the group to receive a message. Additionally, the scheme avoids the issue of certificate management and the need for a trusted dealer. However, in the original work, the authors briefly discussed the security of the scheme without providing a detailed security analysis. Therefore, in this paper, we make an effort to enhance the original work by reviewing it and presenting a formal security proof for it. The additional security analysis and proof contribute to the persuasiveness and trustworthiness of the protocol. We note that there are many schemes (without formal security proof) that were claimed to be secure and later found to be insecure [19]. To this end, we first design the security model for the original IBADConBE scheme. Based on this security model, we give the complete security proof of the IBADConBE scheme, which is based on the asymmetric variant of the decision k-Bilinear Diffie-Hellman exponent (BDHE) problem. The formal security proof shows that our scheme satisfies all the desirable security properties, including authentication, message confidentiality, known-key security, and dynamic secrecy, as defined in Section 4.2.
In terms of efficiency experiments, in the original work, the authors provided a comprehensive analysis of the computational complexity, communication complexity, and simulations about the running time of each algorithm. According to the simulations, the overall costs are acceptable. Therefore, in this paper, we only briefly summarize the experimental results of the original work.

Related Work
Secure group communication in MANETs has become an important research topic in recent years, with group key management schemes being the most commonly used method. These schemes can be classified as either group key distribution (GKD)-based or group key agreement (GKA)-based, depending on whether they rely on a trusted dealer to generate and distribute the group key(s).
Existing GKD-based schemes for secure communications in MANETs, such as those presented in [7][8][9][10][11], can be categorized into flat and hierarchical types based on network topology. The flat ones include those in [7,8,10,11]. Among them, in [7], an entity called a ground control station (GCS) was employed to distribute a group key and dynamically update the group key when the group membership changes after a fixed period. In [8], a group key pre-distribution scheme was introduced that was used to construct a secure channel among a group of sensors. In [10], the author introduced a symmetric secret key management protocol for multicast communication in MANETs, in which a cluster head is selected from a group of sensor nodes and acts as the trusted dealer of the group. Furthermore, a secured key distribution technique was used in the protocol of [11], which was based on key count to effectively distribute the shared pair of keys between two nodes in MANETs. The one in [9] is a hierarchically distributed group key management scheme combined with an integrated approach of fuzzy trust-based clustering, which provides an efficient way for group key refreshment in MANETs. In conclusion, the main feature of these schemes is that a trusted dealer is needed to generate and distribute a group key to all nodes in the group. Whenever a node joins or leaves the group, the current group key must be discarded and a new group key must be generated and distributed by the trusted dealer. This results in significant computation and communication overheads, making them inefficient especially for large groups.
To eliminate the need for a trusted dealer, GKA-based group key management schemes were proposed for MANETs, such as the one presented in [12]. Considering the dynamic nature of MANETs, a dynamic scheme was also developed in [13]. However, existing GKA-based schemes still have some limitations, including the requirement for at least two communication rounds to negotiate a secret key, the need for wireless nodes to be online during negotiation, and the inability to allow outside senders to send encrypted messages to a group without first joining the group as a member. Asymmetric group key agreement (AGKA), as a novel group key management technology, was proposed to solve the above problems faced by traditional GKA-based schemes [20]. Later on, AGKA was extended to a new notion called contributory broadcast encryption (ConBE) [16,21]. Both AGKA and ConBE enable a group of wireless nodes to negotiate a public group encryption key and each node's decryption key in only one round of interaction. In contrast to AGKA, ConBE can avoid receiver restriction. Recently, a ConBE scheme for dynamic groups was proposed [17], whose variant designed under the asymmetric group setting was discussed in [22] with lower computation and communication overheads. However, all the ConBE schemes above are designed in the traditional PKI-based cryptosystem. Hence, the burdensome certificate management problem still exists.

System Architecture
The IBADConBE scheme is mainly for mobile ad hoc networks, in which the nodes are assumed to have relatively sufficient computation capability. Figure 1 shows the system architecture, which involves a trusted authority (TA), a group of wireless nodes, and a sender (outside the group). As shown in Figure 1, the TA is responsible for generating and publishing the global system parameters. Meanwhile, each wireless node has to enroll with the TA and ends up obtaining a public-private key pair issued by the TA. We note that when a set of wireless nodes want to form a group, they first need to negotiate a group size (the maximum number of wireless nodes in the group) and then agree on an initial public group encryption key and each node's individual decryption key. The dynamic nature of MANETs allows outside or inside wireless nodes to join or leave a group at any time. Additionally, a sender who has learned a public group encryption key can send encrypted messages to some or all wireless nodes of a group it favors via a public channel. Furthermore, only those wireless nodes chosen by the sender can read the message.

Design Goals
The design goals that the IBADConBE scheme has achieved can be categorized into security goals and function goals. The security goals include authentication, message confidentiality, known-key security, and dynamic secrecy while the function goals contain trusted dealer freeness, receiver non-restriction, certificate freeness, and dynamicity.

• Authentication: This security goal is used to ensure the legitimacy of wireless nodes in MANETs. That is, all the messages transmitted through communication channels are from legitimate wireless nodes and are not altered by an attacker.
• Message confidentiality: This goal is used to ensure that the sent message is only read by those wireless nodes who are chosen by a sender as receivers.
• Known-key security: This goal means that even if an adversary learns some wireless nodes' individual decryption keys within a group corresponding to a certain session, they will not obtain the decryption keys held by wireless nodes corresponding to other sessions, especially the target session.
• Dynamic secrecy: This goal is used to secure communication if the membership of a group has changed. Specifically, when a wireless node permanently leaves a group, it will not learn any message subsequently sent to the other nodes who still remain in the group; if an outside wireless node joins a group, it cannot learn any message previously delivered to the existing inside wireless nodes.
The following ones are function goals that are essential for MANETs.
• Trusted dealer freeness: No trusted dealer is needed for generating and distributing secret group key(s) to the wireless nodes who form a group.
• Receiver non-restriction: Any sender who knows the public group encryption key of a group is allowed to flexibly select its favorable wireless nodes within the group to receive the encrypted message.
• Certificate freeness: There is no need to issue a public key certificate to each wireless node in MANETs to guarantee its legitimacy. Instead, the identity of each node is its public key, which solves the certificate management problem in PKC.
• Dynamicity: Any outside/inside wireless node is allowed to join/leave a group at any moment once the group has been formed.
We note that the TA used in this paper is different from a trusted dealer, which is required to be online. The TA can be online or offline in this paper, and is primarily responsible for generating system parameters and issuing a private key to each legitimate node at the enrollment stage. The TA should be online during the GlobeSetup stage and the Enrollment stage, since the TA is involved in these two stages. At the other stages, the TA is not involved. Therefore, we say that the TA could be offline.
We also note that IBADConBE eliminates the usage of a trusted dealer since no online trusted party is employed to generate and distribute the session key to a group of wireless nodes. This clearly distinguishes it from group key distribution-based (GKD-based) key management protocols. In GKD-based ones, a trusted dealer often participates in forming a group and may be a base station. We note that, in ad hoc networks such as mobile ad hoc networks, it is usually assumed that no trusted dealer such as a base station exists. The TA used in this scheme simply generates system parameters and public-private key pairs but does not interfere with the process of group key agreement.

Review of IBADConBE Scheme
In this section, we first review the IBADConBE scheme proposed in [18] for MANETs.

High-Level Description
The IBADConBE scheme in [18] consists of the following four stages: GlobeSetup, Enrollment, Group Initialization and Maintenance, and Secure Group Communication. At the first stage, the TA generates the global system parameters that will be used in the next three stages. At the Enrollment stage, the TA issues a public-private key pair to each wireless node in MANETs so that the legitimacy of each wireless node can be guaranteed. In particular, upon input of the identity of any wireless node (which is also the public key of this node), the TA generates the private key corresponding to the identity of the node using the master secret key. The Group Initialization and Maintenance stage consists of three algorithms, namely Initialize, Join and Leave. The first algorithm is used to initialize a group for a set of wireless nodes with an initially negotiated group encryption key and each wireless node's decryption key. Both the Join and Leave algorithms are used to maintain the secure communication channel whenever the membership of a group has changed. Precisely, once an inside/outside wireless node leaves/joins a group, the public group encryption key and the remaining nodes' decryption keys are updated with only one round of interaction. Furthermore, we note that during the Group Initialization and Maintenance and Secure Group Communication stages, the TA is an offline trusted party. The Secure Group Communication stage is used to establish a secure channel between any sender and some or all wireless nodes within a group. Specifically, any wireless node (even one outside a group) can be a sender since each group's group encryption key is publicly accessible. More importantly, a sender is able to select its preferred wireless nodes within a group as receivers, and only the selected wireless nodes can read the message. In the following, we show each stage of the IBADConBE scheme in detail.

GlobeSetup
The TA has to generate the global system parameters ∆ at this stage as follows: choose three cyclic multiplicative groups G 1 , G 2 , G T with prime order q, where G 1 and G 2 have generators g and g , respectively; choose an asymmetric bilinear map ê : q as the master secret key and set g pub = g κ as its master public key; choose two hash functions H 1 , H 2 : {0, 1} * −→ G 1 ; choose a secure identity-based signature scheme IDS and a symmetric encryption algorithm E K (·)/D K (·). In the IBADConBE scheme, it is assumed that ID γ denotes the identity of the TA and the corresponding private key is s γ = id κ γ , where id γ = H 1 (ID γ ). We note that ID γ and s γ are used to generate the N tuples that form part of the final ∆. The N tuples have the format ( f θ , R θ , F θ ). Each tuple corresponds to a group with the optional group size n, and is generated as follows: Obtain and publish the global system parameters ∆ = (q, g, g ,

Enrollment
In our scheme, each wireless node is required to register with the TA. At this stage, the TA generates private-public key pairs for wireless nodes. It takes the master secret κ and a wireless node's identity ID i ∈ {0, 1} * as input. The public key of a wireless node is set to be its identity. Meanwhile, the TA computes the private key of the wireless node as s i = id κ i .
Certificates are not required to bind the wireless nodes' identities to their public keys. Thus, our scheme captures certificate freeness.

Group Initialization and Maintenance
This stage consists of three algorithms (Initialize, Join, Leave), which are used to initialize a group and then dynamically maintain it. Specifically, a set of wireless nodes who want to form a group first perform the Initialize algorithm to negotiate an initial group encryption key and each wireless node's decryption key. A suitable group size for the initialized group can be negotiated by all of the wireless nodes according to historical experience and the context of the application. After initializing a group, any outside/inside wireless node is allowed to join/leave the group at any time, which achieves dynamicity. We note that once the membership of the group has changed, the group keys (i.e., the group encryption key and each existing wireless node's decryption key) must be updated. In the Join/Leave algorithm, only one round of communication is needed to complete the update.
Initialize: Assume there are t wireless nodes (U 1 , . . . , U t ) who want to form a group with the negotiated group size n; the corresponding tuple is denoted as ( f θ , R θ , F θ ). For 1 ≤ i ≤ t, the i-th wireless node U i with the public-private key pair (id i , s i ) performs as follows:

1. Randomly chooses r i ∈ Z * q and computes R i = g r i .
2. For 1 ≤ j ≤ n, computes F ij = s i f r i j .
3. Sets M i = (ID i , R i , {F ij } j∈{1,...,n}, j≠i ) and signs M i to obtain a signature Υ i using the ID-based scheme IDS.
4. Publishes

Each wireless node U i will receive t − 1 message-signature pairs {M k } 1≤k≤t, k≠i from the other t − 1 wireless nodes, which U i uses to calculate the group encryption key and its decryption key as follows:

1. Checks whether the t − 1 message-signature pairs (M k , Υ k ) 1≤k≤t, k≠i are valid. If valid, go to the next step; otherwise, abort.

3. For 1 ≤ l ≤ n, obtains Ŝ l = ∏ t j=1, j≠l F jl · ∏ n j=t+1 F jlθ , which are intermediate values used to compute the decryption key.
4. Computes the decryption key S i = Ŝ i F ii , and checks whether Equation (1) holds. If not, it aborts. ê (S i , g ) ?

1. Randomly chooses r i ∈ Z * q and computes R i = g r i .
2. For 1 ≤ j ≤ n, computes F ij = s I f r i j .
Publishes
In the sequel, each existing wireless node in the group will receive the message M i = (M i , Υ i ) from U i . For any wireless node in the group (assume that j-th satisfies j ∈ {k | st[k] = 1}), it does the following:

1. Checks whether the message-signature pair (M i , Υ i ) is valid. If not, it aborts; otherwise, the next step ensues.
2. For
Check whether Equation (1)

We note that, for the new group member U I , the messages Ŝ 1 , . . . , Ŝ n ; (Ê, Ω); st are required to compute its decryption key S i . Hence, it is assumed that the wireless node with the minimal index in the group has to deliver Ŝ 1 , . . . , Ŝ n ; (Ê, Ω); st to U I . After receiving the above message, U I does the following to obtain its member information:

1. Computes the decryption key S i = Ŝ i F ii and checks whether Equation (1) holds. If not, it aborts; otherwise, the next step ensues.
Leave: Assume an inside wireless node U I , the i-th group member, wants to leave the group. It does as follows:

1. Lets M i = M i and generates a new signature Υ i on M i using IDS.
2. Publishes

After obtaining the message-signature pair M i = (M i , Υ i ) from U I , each existing wireless node in the group will use it to update its member information. For the j-th group member (j ∈ {k | st[k] = 1, k ≠ i}), it does the following:

1. Checks whether the message-signature pair (M i , Υ i ) is valid. If not, it aborts; otherwise, the next step ensues.
5. Sets st[i] = 0 and updates and stores the new member information M i .
We note that, during the whole Group Initialization and Maintenance stage, the group encryption key and each wireless node's decryption key are generated through the negotiation of the wireless nodes themselves, instead of relying on a trusted dealer to generate and distribute these group keys. Hence, this scheme achieves the design goal of trusted dealer freeness.

Secure Group Communication
At this stage, a sender can securely transmit a message to any wireless nodes that the sender selects from a group based on its preference. This stage includes two algorithms, Encrypt and Decrypt. Any sender who knows the group encryption key of a group first selects some wireless nodes that it wants to communicate with and then generates a ciphertext by running the Encrypt algorithm. The wireless nodes within the group that are selected by the sender as receivers are able to decrypt the ciphertext and read the message by performing the Decrypt algorithm.
Encrypt: Assume that a sender wants to send the message m to some wireless nodes in a group and the selected wireless nodes within the group form an index set denoted by U. Let To obtain the final ciphertext, the sender performs the following steps:

3. Sends (C, U) to the group.
Decrypt: Only wireless nodes in U are capable of decrypting the above ciphertext, extracting the session key sk and reading the message m, which captures receiver non-restriction. Each wireless node in U (assume the i-th wireless node, i ∈ U) does the following:

1. Computes S i = S i ∏ l∈U F liθ and then computes the session key
Computes m = D sk (C 3 ).

Security Model and Definitions
The IBADConBE scheme captures authentication, message confidentiality, known-key security, and dynamic secrecy, of which authentication is ensured by a secure identity-based signature scheme. Thus, we only have to prove that the IBADConBE scheme captures the remaining security properties. Firstly, we give the security model for the IBADConBE scheme, which is a security game run between a challenger C and an adversary A. In this game, C plays the role of the TA, generates the system-wide parameters and answers different types of queries from A. Our security model consists of four stages: Initialize, Attack, Challenge, and Response. The first and second stages simulate each algorithm of IBADConBE. Meanwhile, at the Attack stage, an adversary is allowed to make various queries, which simulate various attack behaviors. For instance, Corrupt and CorruptKey queries model the leakage of private keys and random coins held by users, Reveal queries model the disclosure of session keys (corresponding to the known-key attack), and Join/Leave queries model the attacker controlling a node to join/leave a group. At the Challenge stage, the adversary submits (m 0 , m 1 ) and obtains a challenge ciphertext c (generated from m 0 or m 1 ). However, at the last stage, the advantage of the adversary in guessing whether c comes from m 0 or m 1 is still negligible, even when the adversary can make Reveal, Join and Leave queries. Therefore, the IBADConBE scheme is proven to capture message confidentiality, known-key security, and dynamic secrecy.
Initialize: C generates the system-wide parameters ∆ by running the GlobeSetup algorithm and passes them to A.
Attack: C answers the following queries from A:
• Execute(t, n): This query is used to model the Initialize algorithm at the Group Initialization and Maintenance stage. A submits (t, n), where t and n denote the number of initial participants and the group size A selects. C initializes a group with a unique index µ and sets the initial session ID η to 1. η is set to η + 1 whenever A invokes the following Join(i, µ) or Leave(i, µ) query.
• Join(i, µ): This query is used to model the Join algorithm at the Group Initialization and Maintenance stage. Upon receiving this query, C enables an outside node to join the group with index µ as the i-th group member. This query can be asked at most K times.
• Leave(i, µ): This query is used to model the Leave algorithm at the Group Initialization and Maintenance stage. Upon receiving this query, C enables the i-th inside node of the µ-th group to leave permanently.
• CorruptKey(ID i ): Upon receiving this query, C outputs the private key held by ID i . This query can be used to model (partial) forward secrecy.
• Corrupt(i, µ, η): Upon receiving this query, C outputs the private input and/or inner random coins held by the i-th inside node corresponding to the η-th session of the µ-th group.
• Reveal(i, µ, η): Upon receiving this query, C outputs the decryption key held by the i-th inside node corresponding to the η-th session of the µ-th group. This query can be used to model known-key security.

Challenge:
At this stage, A submits {U * , µ * , η * , (m 0 , m 1 )} to C, where U * ⊆ K = {1, . . . , K} is a fresh set (see Definition 1), µ * and η * are the index of the target group and the target session ID, respectively, and (m 0 , m 1 ) is a pair of messages of the same length. C randomly chooses a bit b ∈ {0, 1}. If b = 0, C returns the challenge ciphertext C * generated by encrypting m 0 ; otherwise, C returns the ciphertext C * generated by encrypting m 1 .
Response: At this stage, A returns a guess b' ∈ {0, 1}. If b' = b, A wins the game. A's advantage in winning the above game is defined as Adv(A) = |Pr[b = b'] − 1/2|.

Definition 1 (Freshness).
A set U * is fresh if none of the following conditions are satisfied: (1) A has made a Reveal(i, µ, η) query on any node with index in U * within the target group; (2) A has made Corrupt(i, µ, η) queries on any node with the index in U * ; (3) All the private keys of the nodes participating in the target session of target group are corrupted.

Definition 2.
An IBADConBE scheme is said to be fully and adaptively secure against chosen plaintext attacks (CPA) if no polynomial-time adversary A can win the above game with a non-negligible advantage Adv(A). An IBADConBE scheme is said to be semi-adaptively secure if the adversary (1) has to commit to an index set K before the Attack stage; (2) can only choose U * ⊆ K to query C at the Challenge stage.
We note that A cannot successfully distinguish whether C * comes from m 0 or m 1 , even when A is allowed to ask CorruptKey(ID i ) and Corrupt(i, µ, η) queries for any node (not in U * ). This further implies that A cannot violate the confidentiality of an encrypted message in the real world. Thus, the scheme captures message confidentiality. Additionally, A is allowed to reveal some nodes' decryption keys that do not correspond to the target session of the target group. Thus, the scheme captures known-key security. At the end of the Challenge stage, A is allowed to invoke Join/Leave queries, but its advantage in winning the game is still negligible. Hence, the scheme satisfies dynamic secrecy.
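To make the freshness condition of Definition 1 concrete, the following Python model of the challenger's query log is an added example, not code from the paper or its authors. It records the Execute, Join, Leave, Reveal, Corrupt and CorruptKey queries described above (session ID η starting at 1 and incremented by every Join/Leave, at most K Join queries, membership vector st) and decides whether a submitted (U*, µ*, η*) is fresh. The class and function names, the per-session membership snapshot and the sample query sequence in run_scenario are this example's own assumptions; the scheme's actual key material is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    """Challenger-side state of one group (index mu); layout is this example's assumption."""
    mu: int
    n: int                                        # negotiated group size
    eta: int = 1                                  # session ID; Execute starts it at 1
    st: list = field(default_factory=list)        # st[i] = 1 iff slot i is occupied
    ids: dict = field(default_factory=dict)       # slot i -> identity ID_i currently in it
    sessions: dict = field(default_factory=dict)  # eta -> {slot: identity} for that session

    def snapshot(self):
        return {i: self.ids[i] for i in range(1, self.n + 1) if self.st[i] == 1}

    def new_session(self):
        """Every Join/Leave moves the group to session eta + 1."""
        self.eta += 1
        self.sessions[self.eta] = self.snapshot()
        return self.eta


class SecurityGame:
    """Logs the Attack-stage queries so that freshness (Definition 1) can be decided."""

    def __init__(self, K):
        self.K = K                    # Join may be asked at most K times
        self.groups = {}
        self.joins_used = 0
        self.revealed = set()         # (i, mu, eta) from Reveal queries
        self.corrupted = set()        # (i, mu, eta) from Corrupt queries
        self.corrupted_ids = set()    # identities whose private key leaked via CorruptKey

    def execute(self, t, n, identities):
        """Execute(t, n): initialise a group of t nodes with group size n; eta = 1."""
        if not (len(identities) == t <= n):
            raise ValueError("need exactly t identities and t <= n")
        mu = len(self.groups) + 1
        g = Group(mu, n, st=[0] * (n + 1))
        for i, ident in enumerate(identities, start=1):
            g.st[i], g.ids[i] = 1, ident
        g.sessions[1] = g.snapshot()
        self.groups[mu] = g
        return mu

    def join(self, i, mu, identity):
        """Join(i, mu): an outside node takes slot i; bounded by K queries overall."""
        if self.joins_used >= self.K:
            raise RuntimeError("Join may be asked at most K times")
        g = self.groups[mu]
        if g.st[i] == 1:
            raise ValueError(f"slot {i} of group {mu} is occupied")
        g.st[i], g.ids[i] = 1, identity
        self.joins_used += 1
        return g.new_session()

    def leave(self, i, mu):
        """Leave(i, mu): the i-th inside node leaves permanently (st[i] = 0)."""
        g = self.groups[mu]
        if g.st[i] != 1:
            raise ValueError(f"slot {i} of group {mu} is empty")
        g.st[i] = 0
        return g.new_session()

    # The key-exposure queries only need to be logged to decide freshness.
    def reveal(self, i, mu, eta):
        self.revealed.add((i, mu, eta))

    def corrupt(self, i, mu, eta):
        self.corrupted.add((i, mu, eta))

    def corrupt_key(self, identity):
        self.corrupted_ids.add(identity)

    def is_fresh(self, U_star, mu_star, eta_star):
        """Definition 1: U* is fresh iff none of the three conditions is satisfied."""
        # (1) a Reveal on a node indexed in U* within the target group (any session)
        if any(mu == mu_star and i in U_star for (i, mu, _eta) in self.revealed):
            return False
        # (2) a Corrupt on a node indexed in U*
        if any(i in U_star for (i, _mu, _eta) in self.corrupted):
            return False
        # (3) every participant of the target session had its private key corrupted
        participants = self.groups[mu_star].sessions[eta_star]
        if participants and all(p in self.corrupted_ids for p in participants.values()):
            return False
        return True


def run_scenario():
    """Constructed query sequence; identities ID_A..ID_Y are sample values."""
    game = SecurityGame(K=5)
    mu = game.execute(3, 5, ["ID_A", "ID_B", "ID_C"])   # eta 1: slots 1,2,3
    game.join(4, mu, "ID_D")                            # eta 2: slots 1,2,3,4
    game.leave(2, mu)                                   # eta 3: slots 1,3,4
    other = game.execute(2, 5, ["ID_X", "ID_Y"])        # a second, non-target group
    game.reveal(2, mu, 1)        # decryption key of the node that later left
    game.reveal(1, other, 1)     # index 1, but in the other group: irrelevant to mu
    game.corrupt_key("ID_B")     # private key of the node that left
    out = {"fresh": game.is_fresh({1, 4}, mu, 3)}
    game.reveal(3, mu, 1)        # an old-session key of a node in U* -> condition (1)
    out["revealed_member"] = game.is_fresh({3, 4}, mu, 3)
    game.corrupt(4, mu, 2)       # random coins of a node in U* -> condition (2)
    out["corrupted_member"] = game.is_fresh({1, 4}, mu, 3)
    out["still_fresh"] = game.is_fresh({1}, mu, 3)
    for ident in ("ID_A", "ID_C", "ID_D"):               # all of session 3 -> condition (3)
        game.corrupt_key(ident)
    out["all_keys_corrupted"] = game.is_fresh({1}, mu, 3)
    return out
```

The scenario shows each clause of Definition 1 firing on its own: a Reveal in another group or on a node outside U* leaves U* fresh, whereas a Reveal or Corrupt on any index in U*, or CorruptKey on every participant of the target session, makes it non-fresh and therefore inadmissible at the Challenge stage.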

Security Proof
Theorem 1. Let H 1 , H 2 be random oracles. Suppose that C may initialize at most N groups and L sessions for each group, the maximal group size is k, and A makes at most q H 1 queries to the H 1 oracle. If A wins the above game with advantage Adv(A) in time τ, there exists an algorithm that solves the asymmetric variant of the decision k-BDHE problem with an advantage of at least 1 where τ E is the time to compute a scalar multiplication in G 1 .
Asymmetric variant of the decision k-BDHE problem: Given a bilinear map ê : G 1 × {i=1,2,...,k,k+2,...,2k} , Y 1 = {y j = g α j } {j=1,2,...,k+1} , for unknown α, p, h ∈ Z * q . An algorithm D that outputs b ∈ {0, 1} has advantage in solving the asymmetric variant of the decision k-BDHE problem if where Z 0 = ê(g α k+1 , Q) and Z 1 ∈ G T is random. The asymmetric variant of the decision k-BDHE assumption holds in G T if no polynomial-time algorithm has an advantage of at least in solving the asymmetric variant of the decision k-BDHE problem in G T .
Initialize: Assume that two random oracles H 1 and H 2 answer queries as follows: H 1 queries: C keeps an initially empty list H list 1 . Upon input ID i , C performs the following: Otherwise, chooses µ i ∈ Z * q at random, and if this query is the J-th target query, sets Adds (ID i , µ i , id i , s i ) to H list 1 and returns id i . H 2 queries: C keeps an initially empty list H list 2 . Upon input j, C performs the following: Otherwise, randomly chooses v j ∈ Z * q , sets f j = g v j , adds (j, v j , f j ) to H list 2 and returns f j . C sets the system-wide parameters ∆ = (q, g, G 1 , G 2 , g pub , H 1 , H 2 , IDS, {( f θ , R θ , F θ )} θ∈{1,...,N} ), where g pub = g α = y 1 . Assume that ID γ denotes the identity of TA. To generate the tuple, ( f θ , R , F θ ) corresponding to group size n, C first recovers (ID γ , µ γ , id γ , s γ ) from H list 1 and (j, v j , f j ), 1 ≤ j ≤ n from H list 2 , and then, for 1 ≤ i ≤ n, performs the following: • If i = 1, performs as follows: 1.
∆ is passed to A. A then commits a set U ⊆ {1, . . . , K} to C. Finally, C randomly chooses µ ∈ {1, . . . , N} and ω ∈ {1, . . . , L}. In the following, we assume that C will answers the queries as in the real scheme if it is not the µ-th group. Hence, we only need to consider the queries from A corresponding to target group.
Attack: C answers A's queries as follows: Execute(t, n): C maintains an initially empty list T list and sets the initial session ID η = 1. Suppose the set of t initial participants' identities is {ID 1 , . . . , ID t }. To answer this query, C first submits {ID 1 , . . . , ID t } to H 1 if these queries have never been issued before, and then recovers ( C generates a coin coin iη and then performs the following: • If i / ∈ K, sets coin iη = 0 and then performs the following: 1.
Chooses $r_{i\eta} \in \mathbb{Z}_q^*$ and sets $R_{i\eta} = g^{r_{i\eta}}$. 2. For Otherwise, C sets $coin_{i\eta} = 1$. If and only if $i = 1$, then C performs the following: 1.
We note that the Execute query can be simulated by invoking the following Join query $t$ times. If C answers the above Execute query, then $\eta$ is set to $t$.
In the following, if we set $T_\eta = T_{\eta-1}$, then C performs the following:
Join($i, \mu, \eta$): Assume a node with $ID_i$ wants to join the group as the $i$-th group member. C sets $T_\eta = T_{\eta-1}$, and then performs the following: • If $i \notin K$, C sets $coin_{i\eta} = 0$ and then performs the following: 1.
For $1 \le j \le n$, $j = i$, computes $F_{ij\eta} = x^{\mu_i}$

We make a small modification to the design goals that the IBADConBE scheme achieves (see Section 4.2). In particular, we replace forward secrecy and backward secrecy with dynamic secrecy. Furthermore, we use trusted dealer freeness in place of no trusted dealer in [18]. As shown in Table 1, only the IBADConBE scheme realizes all of the listed design goals, i.e., authentication, message confidentiality, known-key security, dynamic secrecy, trusted dealer freeness, receiver non-restriction, certificate freeness, and dynamicity.
Encrypt: $2t_e$ | $3t_e + t_E$ | $3t_e + t_E + t_{sg}$
Decrypt: $2t_b$ | $2t_b + t_m + t_e + t_D$ | $2t_b + t_m + t_e + t_D + t_{sv}$

In Table 2, one can see the comparison between the IBADConBE scheme and those in [17,23] in terms of computational overhead. Let $t_m$/$t_e$ represent the time to compute a scalar multiplication/exponentiation operation in $G_1$ or $G_2$, $t_h$ the time to compute a MapToPoint hash [23], and $t_b$ the time to compute a bilinear map operation. Furthermore, let $t_E$/$t_D$ denote the time to compute an encryption/decryption operation using a symmetric cryptographic algorithm, and $t_{sg}$/$t_{sv}$ the time to generate/verify an identity-based signature. We note that the time of a scalar multiplication operation is negligible in comparison with that of the other operations, and operations that can be pre-computed are ignored. Clearly, the IBADConBE scheme is more efficient than the DAGKA scheme in [23] and has computational overhead comparable to that of the DConBE scheme in [17].

Simulations
The main contribution of this paper is to formally prove the security of the IBADConBE scheme in [18]. The detailed simulations can be found in the experimental part of the work published at 2022 WCNC [18]. Therefore, we only describe the simulation results regarding the efficiency of the IBADConBE scheme, based on that experimental part. The settings of the simulations are consistent with those in [18]. In particular, the MIRACL library [22] was used to implement each algorithm of the IBADConBE scheme. The BN curve with a 128-bit security level was selected. The simulations were run on a Raspberry Pi 3B+ with an ARM Cortex-A53 CPU at a frequency of 1.4 GHz. The group size was set from 3 to 180. Since GlobeSetup and Enrollment are only invoked once, the overall execution time of the IBADConBE scheme is mainly determined by the Initialize, Join, Leave, Encrypt and Decrypt algorithms. We note that, under the above settings, the simulation results in this paper are consistent with those in [18]. Hence, in this paper, we only need to briefly describe the simulation results.
As shown in Figure 2, when the group size ranges from 3 to 180, Initialize costs from 0.25 s to 0.98 s, the running time of Join for the new wireless node ranges from 0.16 s to 0.58 s, while the running time of Join for each existing group member ranges from 0.35 s to 0.79 s. We note that the execution time of the above algorithms is largely influenced by the group size. The execution time of the Encrypt and Decrypt algorithms increases only slightly with the group size. In particular, even when the group size is 180, the overall running time of Encrypt and Decrypt is still less than 0.2 s. This result demonstrates that the IBADConBE scheme runs stably and efficiently, even in large groups.
The scalability of the original IBADConBE scheme is a new and interesting question for us. In fact, our scheme is scalable and can support a larger group size. A general idea is to divide a large group into several subgroups so that the scheme can be applied effectively to each subgroup. We note that the execution time of the Encrypt algorithm will increase a little accordingly, since a sender has to encrypt a message multiple times (once per subgroup, each requiring less than 0.2 s), but the efficiency of the Decrypt algorithm will not be affected.

Conclusions
In this paper, our main focus was to formalize the security analysis of the identity-based authenticated dynamic contributory broadcast encryption (IBADConBE) scheme. The IBADConBE scheme achieves various security and functional properties, including authentication, message confidentiality, known-key security, dynamic secrecy, trusted dealer freeness, receiver non-restriction, certificate freeness, and dynamicity. However, the original scheme lacked a formal proof demonstrating that it captures these security properties. Therefore, we first reviewed the IBADConBE scheme and then designed a security model to capture its security properties. Under this model, we provided concrete security proofs based on the asymmetric variant of the decision k-BDHE assumption. Finally, we presented a comparison and simulations to show the efficiency of the IBADConBE scheme. As for future work, it would be interesting to consider penetration testing for networks supporting our model.