Secure D2D Group Authentication Employing Smartphone Sensor Behavior Analysis

: Nowadays, with rapid advancement of both the upcoming 5G architecture construction and emerging Internet of Things (IoT) scenarios, Device-to-Device (D2D) communication provides a novel paradigm for mobile networking. By facilitating continuous and high data rate services between physically proximate devices without interconnection with access points (AP) or service network (SN), spectral efﬁciency of the 5G network can be drastically increased. However, due to its inherent open wireless communicating features, security issues and privacy risks in D2D communication remain unsolved in spite of its beneﬁts and prosperous future. Hence, proper D2D authentication mechanisms among the D2D entities are of great signiﬁcance. Moreover, the increasing proliferation of smartphones enables seamlessly biometric sensor data collecting and processing, which highly correspond to the user’s unique behavioral characteristics. For the above consideration, we present a secure certiﬁcateless D2D authenticating mechanism intended for extreme scenarios in this paper. In the assumption, the key updating mechanism only requires a small modiﬁcation in the SN side, while the decryption information of user equipment (UEs) remains constant as soon as the UEs are validated. Note that a symmetric key mechanism is adopted for the further data transmission. Additionally, the user activities data from smartphone sensors are analyzed for continuous authentication, which is periodically conducted after the initial validation. Note that in the assumed scenario, most of the UEs are out of the effective range of cellular networks. In this case, the UEs are capable of conducting data exchange without cellular connection. Security analysis demonstrates that the proposed scheme can provide adequate security properties as well as resistance to various attacks. Furthermore, performance analysis proves that the proposed scheme is efﬁcient compared with state-of-the-art D2D authentication schemes.


Introduction
Device-to-Device (D2D) communication is defined as a promising short-distance communicating strategy, which is capable of directly conducting effective data exchange among the proximate entities without involvement of the cellular core network. As for conventional cellular networking services, connectivity between the mobile devices is subjected to the coverage of access point or base stations, where direct communication among mobile devices is not offered [1]. Instead, all the involved traffic floods should be processed through the core cellular network, which severely restrains the large-scale implementation of massive and reliable data exchange between mobile devices. this area [15,16]. The BS is able to interact with certain UEs and provide cellular connection for all the participating UEs within the D2D network. As for individual users with UE, vital biometric data including accelerometer and gyroscope signals are acquired by the smartphone sensors, revealing personal behavioral features. Subsequently, the user's behavioral patterns can be adopted for continuous authentication. That is, after the initial authentication operation, the specific verification is conducted periodically for the purpose of guaranteeing secure data transmission throughout the entire process. Therefore, through analysis of a user's behavioral patterns, continuous authentication can spot vulnerabilities at any point in a session [17]. Note that the above assumption is suitable for both field trip assistance and emergency rescue. The detected anomaly feature demonstrates certain distinctness from existing personal record. That is, the user may encounter unexpected physical danger that causes severe deterioration of health, which is of great significance for real time healthcare monitoring and subsequent emergency aid in complex circumstances [6].
In this paper, a secure certificateless authentication scheme for D2D communication is presented. The nontrivial contributions of this paper can be briefly summarized: • Secure certificateless authentication scheme: According to our design, a certificateless cryptography mechanism is applied so as to provide improved security assurance. BS and UE itself generate the partial private key respectively so as to prevent the key escrow problem of identity-based encryption. Moreover, conditional privacy-preserving authentication (CPPA) is deployed. That is, the user anonymity is provided through the entire authentication session, preventing illegal tracing towards particular UEs, while the valid identity-related information is recorded in BS side in the preliminary registration phase. Hence the tracking and revocation towards malicious UEs can be conducted by trustworthy authority. Additionally, bilinear pairing is adopted in order for advanced security properties. • Efficient Group key distribution with updating mechanism: During the authentication process, the allocated group key computed by BS will be delivered to all legitimate UEs through one broadcasting operation, which drastically alleviates the communication cost compared with conventional one-to-one key distribution. Note that only the authentic UEs have the capability of deriving the valid group key. Therefore, the designed key updating mechanism only require small modification in the BS side, while the decrypting information in the UEs side remains constant as soon as the UEs are validated. Similarly, fast UE revocation process can be operated by BS without extensive computation. • Continuous authentication strategy adopting smartphone sensor behavior analysis: The unique user behavioral data acquired by accelerometer and gyroscope sensors in smart phone (UE) is processed and characterized by time and frequency domain features. Subsequently, appropriate activity recognition implementation is conducted, where the individual behavior profile is evaluated with the pre-defined biometric parameter to reveal the real-time personal activity level. In this case, continuous authentication is performed with the adopted biometric parameter periodically. Security analysis demonstrates that the proposed scheme is able to provide adequate security assurance. Moreover, performance analysis proves that the proposed design is efficient compared with the state-of-the-art authentication schemes. To the best of our knowledge, we are the first to design the D2D authenticating and key distributing method with biometric continuous authentication. Potential scenarios include disaster rescue and medical aid in harsh environment.
The remaining contents of the paper are constructed as follows. Section 2 briefly introduces the corresponding research achievements. Section 3 illustrates the significant preliminaries and the designed system model so that the reader is able to acquire a better understanding. Section 4 introduces the proposed D2D certificateless authentication scheme in detail. Section 5 presents the proposed continuous authentication strategy. Section 6 proves the formal security analysis. Section 7 demonstrates the performance analysis. Finally, the conclusion is drawn in Section 8.

Related Works
As the underlay to the upcoming 5G networks, the development of D2D communication has attracted a lot of attention from both academia and industry. Major research regarding radio resource allocation [5], mode selection [1] and interference management [2] have been widely studied, while only a few works have been done emphasizing on the security and privacy protection for D2D communication in both the academic and standardization communities. In 2014, a detailed survey emphasizing on the D2D infrastructure, the major threads and security requirements [3] is presented by Alam et al. After that, Yue et al. initially illustrated the D2D communication into information-theoretic secrecy problem of cellular communication, where the secrecy outage probability is utilized to depict the uncertainty of the eavesdropper [18]. Subsequently, a secure data sharing scheme SeDS is designed for D2D communication in LTE-A network, where the public-key-based digital signature is applied for mutual authentication. Note that the proposed SeDS is capable of detecting free-riding attack and achieving reception nonrepudiation by key hint transmission so as to improve system availability [19]. Similarly, due to the potential threats caused by the open access feature of wireless channel, Shen et al. designed a short authentication-string-based key management scheme for secure D2D communication over WiFi direct [4]. In Reference [20], the spatiotemporal matching is formulated, which is considered to be the crucial primitive for D2D communications. Note that the Bloom filter is adopted during the estimation process as well.
The combination between D2D communication and 5G network enables a new research direction. The structure intended for the LTE-D2D system and its corresponding security threats are discussed in Reference [6] by Zhang et al., where the frameworks for cross-layer D2D security are designed. In 2017, a robust D2D-assisted secure transmission scheme for mobile healthcare system is introduced, where certificateless generalized signcryption (CLGSC) is deployed. Meanwhile, Waqas et al. investigated the physical layer security for secure key generation rate (SKGR) among D2D communication. In order to prevent attack from both the eavesdropper and non-trusted relays, the related privacy protection scheme is conducted [21]. Subsequently, Kim et al. designed a secure link establishing protocol for LoRaWAN D2D communication, where the D2D nodes share cryptographic keys with each other. The proposed scheme is able to guarantee fundamental security requirements with sufficient feasibility [22]. Next, in order for device recognition in D2D communication, the advantage of RF fingerprint of wireless D2D device is taken into consideration in Reference [7]. Note that the support vector machine (SVM) is deployed with the purpose of classifying all the activated devices.
Recently, Wang et al. presented the privacy-preserving authentication and keying schemes PPAKA-HAMC and PPAKA-IBS so as to offer reliable anonymous D2D communications [9]. According to their assumption, the D2D user group members mutually authenticate with each other using the anonymous identity. The group session key for secure D2D communications is built accordingly. For the same purpose, Hsu et al. presented network-absent and network-covered authenticated key exchange schemes, where the authentication process is evaluated under the analytic model, proving that the proposed schemes satisfy proper performance requirements [12]. Moreover, another reliable D2D key distribution protocol is proposed in Reference [10], where the information exchange is conducted through the RF channel and the audio channel.
Furthermore, advancements in human activity recognition regarding smartphone sensors have been presented, which provide a new paradigm for daily health monitoring compared to the initial recognition mechanism with wearable sensors. In 2010, Kwapisz et al. [17] adopted phone-based accelerator data for human activity recognition, where six daily activities from 29 volunteers are involved. Note that the time series data are segmented into examples over 10-s example duration (ED), achieving accuracy over 90% for most activities. Similarly, Sun et al. [23] developed a SVM-based classifier for recognition over seven common physical activities. Both the time-and frequency-domain information are taken into consideration. Subsequently, Shoaib et al. [24] evaluated thoroughly the impacts of various types of sensor data and demonstrated that performance improvement is available by combining individual parameters together.
The health status measurement and prediction can be achieved with the user behavior profiles generated by smartphone sensors. Hence, several existing studies have been conducted, emphasizing practical applications for medical purposes. In Reference [25], the data derived from accelerometer are processed to measure the behavior regarding a patient's actual stress levels, indicating the generalized and prosperous utilization for healthcare environment with smartphone sensor data analysis. Thereafter, Kelly et al. [14] developed a health status measuring design so as to objectively monitor the real-time physical condition of patients, which provides a unique approach for the clinicians to conduct in-time treatments.
Specifically, the studies on continuous authentication combing user's behavioral properties have been presented in existing papers. Shen et al. [13] emphasized on the reliability on the usage of motion-sensor behaviors for continuous authentication conducted on smartphones. Subsequently, several human activity recognition for authentication purposes have been proposed [15,26]. Accordingly, continuous authentication towards identification for smartphone users is performed in our authentication scheme, resulting in advanced security properties.

Preliminaries and Model Definitions
The necessary preliminaries utilized in this paper are described with the intention of facilitating the reader's understanding on the proposed method, which includes the definitions of bilinear pairing, the DBDH problem and hash function. Thereafter, the notations, system model and network assumptions are respectively introduced.
Definition 1 (Decisional Bilinear Diffie-Hellman (DBDH) Problem). Given a tuple (g, g a , g b , g c , Z) for a, b, c ∈ Z * P , output 1 if Z =ê(g, g) abc and 0 otherwise. A is defined as a probabilistic algorithm. Hence the advantage in solving the DBDH problem is defined as: where Z ∈ G S and g is a random generator in G 1 . If all probabilistic polynomial-time (PPT) algorithms have the negligible advantage in solving the DBDH problem, the DBDH assumption holds in the related bilinear map (P, G 1 , G S ,ê).

Hash Function
A secure one-way hash function is defined with the following properties [27]: 1. Given a input message x of arbitrary length, the message digest of a fixed length output h(x) can be calculated accordingly. 2. Given y, it is difficult to calculate the value of x = h −1 (y). 3. Given x, it is computationally infeasible to find x = x such that h(x ) = h(x).

Notations
The major notations appeared in the proposed scheme are introduced, along with the brief description in Table 1.

System Model
In the assumption, the whole D2D infrastructure is composed of service network (SN) and multiple user entities (UEs). The utilized structure of the proposed D2D authentication architecture is introduced in Figure 1, which is considered as the specific D2D communication scenario devoted to public safety and emergency rescue in the wild. Potential occasions include most of the isolated nature landscapes such as the mountainous regions, desert areas, tropical rainforests or vast oceans [28], which account for comparatively large proportions of the Earth's surface in total. Most of the regions are depopulated zones. On the other hand, due to the complex and hostile environmental characteristics, it is technically difficult for the involving countries to construct even the basic infrastructure for cellular network coverage in these areas, which requires huge amounts of financial grants. In these regions, few cellular network facilities such as base stations are available, most of the areas are not in the cellular coverage. In this assumption, D2D communication between user entities (UEs) are necessary so as to substitute the cellular connection from the base station. For example, a group of tourists are intended to go hiking in the mountains, where cellular coverage is not available in most of the spots. In this case, interactions between the tourists highly depend on the self-constructed D2D communicating network. It is worth nothing that some UEs are within the effective range of base station. Hence, cellular connections can be achieved for all the participating UEs over the D2D network, even though the UEs are not within the cellular coverage. The corresponding description of service network and the user entities are respectively illustrated below. The service network (SN) is assumed to be the powerful controlling center for the whole D2D system. SN takes the responsibility of conducting main operations including system initialization, initial registration, key generation and management, identity verification. In the proposed design, SN is designed to be resistant to all kinds of attacks and remains authentic anytime. In the proposed scheme, as the role of SN are taken by the commercial organizations, it cannot be fully trusted. We consider the SN to be an honest-but-curious authority, where the essential key generation and identification processes are all conducted accordingly. Note that the partial private key is only generated for the registered UEs, while the individual UE is designed to generate the remaining partial secret key itself.
The key escrow issue is avoided accordingly. Particularly, SN also offers direct cellular connection for the validated devices within its effective range, while the devices beyond its coverage can acquire cellular access indirectly. In our design, SN can be considered as the combination of cellular base station and validated verifier at the same time.
The user entities (UEs) are designed to be the terminal user of the D2D communication. In the proposed system model, UE refers to the personal smartphone of users. In harsh environment, UEs are involved in the data transmission that is routed over the SN and D2D network structure. That is, the participating UE not only delivers the messages generated by itself, but also forwards the routed information originated from other UEs. As for certain UEs, its interaction with neighboring devices provides high connectivity to all the remaining UEs, even though some devices are out of the SN cellular coverage. It is worth noting that the UEs should be authenticated before accessing the D2D network for security assurance. Besides, the UE (smartphone) is equipped with various behavioral sensors such as the accelerometer and gyroscope. Therefore, vital biometric data can be collected by the smartphone sensors, revealing the personal behavioral features. In our design, the user's unique behavioral patterns are applied for continuous authentication. That is, after the initial authentication operation, the specific verification is conducted periodically for the purpose of guaranteeing secure data transmission throughout the entire process. To be concluded, the UEs perform as both the D2D terminal device and biometric data collector as well.

Network Assumptions
As shown in Figure 1, SN is assumed to have full authority to access the entire D2D communication system, where the UEs within its cellular coverage can operate communication directly with SN without additional assistance. Note that these UEs are considered the major devices in the entire D2D network, where both the cellular links and D2D links can be maintained. Moreover, the remaining UEs are beyond the effective range of SN, thus requires the major devices to forward messages to SN. An integrated D2D network is constructed involving all the participating UEs. Communication between the UEs is provided in this way. Additionally, a universal group communication channel is indispensable for message broadcasting to all users.
Due to the inherent wireless characteristic, D2D data exchange suffers from D2D data exchange suffers from various security risks and privacy threats, especially in the D2D group communication involving large numbers of participating devices. The transmitted information may be eavesdropped, impersonated, and even altered illegally. In this case, advanced security strategies and privacy preservation techniques are vital for the proposed D2D scenario. Proper authentication mechanism should be deployed so that the identities of the requesting UEs are verified before accessing the D2D services. Subsequently, the unique group key shared between SN and all legitimate UEs should be generated and allocated, ensuring the secure broadcasting channel for emergency use.
In addition, after being successfully verified, the continuous authentication is of great significance, where periodical validation is activated. In this case, the compromised and disabled UEs can be detected and removed accordingly, offering resistance to various insider attacks. Note that essential behavioral characteristics derived by the user's smartphone (UE) is adopted in the continuous authentication process.

Proposed Secure Certificateless Group Authentication Scheme for D2D Communication
With the purpose of providing an enhanced authentication scheme to D2D communication in specific scenarios, the certificateless group authentication scheme is presented in this paper. For a better description, the proposed scheme is divided into certificateless authentication with group key distribution and the subsequent continuous authentication utilizing smartphone sensor behavioral processing. In this section the former part is illustrated, while the latter part is presented in the following Section.
The certificateless authentication and group key management method is presented, which mainly emphasizes on the verification for participating UEs. Our authentication design can be briefly divided into three different phases including offline registration phase, authentication phase, and group key distribution phase. Initially, the UE registration, along with vital key initialization, is made in the offline registration phase. Consequently, significant authenticating procedures are provided in the authentication phase. Thereafter, the group key is distributed in an efficient and reliable way. Moreover, the strategy for efficient key updating is also introduced, offering dynamic membership management for UEs. Certificateless encryption technique is applied for mutual verification between SN and UEs, where the key escrow issue can be drastically addressed. The proposed certificateless authentication for D2D communication is suitable for practical D2D scenarios in complex environments.

Offline Registration Phase
The offline registration phase is designed for the D2D initialization, which can be divided into the essential key information management and UE registration.
Initially, on inputting the security parameter λ, SN first generates a bilinear group (P, G, G S ,ê), where P is defined as a λ-bit prime, G and G S denote two multiplicative cyclic groups with the prime order P. Hence the bilinear mapê is constructed in the form ofê : G × G → G S . SN selects the generator g, w ∈ G and randomly chooses mk ∈ Z P as the system master key. Note that Z P is defined as a non-negative integer set less than the prime number P.
Subsequently, each UE is a prerequisite to register to SN in offline mode, where the confidential user information including name, address, phone number are correspondingly recorded in SN server securely. Meanwhile, the unique license ID i is assigned to each legitimate UE and stored in the tamper-resistant module constantly during the entire operation. Note that ID i ∈ {0, 1} * and i ∈ [1, t], where t is defined as the total number of the registered UEs for the D2D network. Hence the D2D device set is defined as S = {ID 1 , . . . , ID t }. Moreover, the secure cryptographic hash functions For each ID i ∈ S, SN first computes ζ i = H 1 (ID i ), then randomly chooses X i ∈ G and r i ∈ Z P , where i ∈ [1, t]. The following computations regarding U i and V i are conducted in SN side: Thereafter, the confidential message X i , U i , V i is allocated to specific UE with identity ID i . It is worth noting that in our design the delivered X i for ID i are considered as the partial key generated by SN, while the generated r i is not revealed to any other entities during the entire authentication process. In this case, for ID i ∈ S, the key set {(X 1 , r 1 ), (X 2 , r 2 ), . . . , (X t , r t )} regrading t participating UEs will be one-to-one corresponded to the concerning ID i , which will be securely recorded in SN side.
In this way, the offline registration for D2D authentication is completed. All the registered UEs store the unique partial secret key X i , and the intermediate value U i , V i for following authentication in the next phase.

Authentication Phase
In this phase, the essential communication rounds between SN and UEs are conducted with the purpose of providing valid D2D verification. The group authentication process is assumed to be initialized with one broadcast conducted by SN. That is, SN computes the public key to be broadcast as: where mk is the system master key generated in the previous registration phase. Thereafter, SN broadcast Request, PK to all entities, where the authentication request, along with the public key is delivered. After receiving the request, each UE adopts the stored X i , U i , V i , along with the derived PK to verify whether the following formula holds: The correctness of the above equation follows from direct verification of the equalities below: where the security relies on the DBDH assumption. If the equation does not hold, UE terminates the process and abandons the received message. Otherwise, UE randomly generates its own partial secret key ϑ i ∈ Z P and computes T i = PK ϑ i for subsequent verification. In this case, the full secret key set of UE is denoted as X i , ϑ i , which are respectively generated by UE and SN. Moreover, the previous calculated authentication result of e(U i , PK)V i is stored as η i =ê(U i , PK)V i . Consequently, the temporary identity Tid i of UE is derived as Additionally, the certificate Auth i involving the aforementioned information can be calculated as which is transmitted to SN in the form of Tid i , T i , Auth i . It is worth nothing that, due to the broadcasting feature, multiple replying messages are transmitted to SN simultaneously. Hence SN first compares the received Tid i with its database in order to search for the matched UE. Note that the corresponding values {ζ r 1 1 , . . . , ζ r i i } are computed and stored previously so that repetitive operations are prevented. Thereafter, SN checks the correctness of the received Auth i , where η i can be acquired according to η i =ê(X i , PK). If it matches, SN computes which will be used in the subsequent group key distribution phase.

Group Key Distribution Phase
In our design, a commonly shared secret key is allocated to provide universal group communication channel between SN and all the legitimate UEs. In this way, message broadcasting is available for practical applications such as emergency rescue. Instead of delivering the keying message to individual devices one by one, SN conducts a one-time broadcast to all, offering a more efficient way for key distribution.
It is assumed that t UEs (ID i ∈ S) has passed the previous verification in SN side. Hence the group key should be successfully delivered to all UEs, while the outsiders cannot derive the group key through eavesdropping. Accordingly, for i ∈ [1, t], SN computes which involves the UE partial secret key and SN information as well. Hence ϕ i is one-to-one mapped to certain UE with ID i . With the calculated set {ϕ 1 , . . . , ϕ t }, SN randomly generates the group key γ ∈ Z P and constructs the following function: which can then be further illustrated as where {a 0 , a 1 , . . . , a t−1 } are the coefficients composing the f (x) formula. It is worth nothing that for ∀i ∈ [1, t], f (x) = γ holds. Subsequently, SN computes δ = w mk ℘ = H 4 (ζ i , a 0 , . . . , a t−1 ) (12) and delivers the following packet δ, ℘, a 0 , . . . , a t−1 to all. Upon receiving the packet, the correctness of ℘ is validated, as well as the following equation: e(δ, g) ? =ê(w, PK).
At this point, all the UE are able to construct f (x) according to the derived coefficient set {a 0 , a 1 , . . . , a t−1 }. In this case, UE computes its corresponding and where the distributed group key γ is derived in UE side. Note that the coefficient set {a 0 , a 1 , . . . , a t−1 } are distributed in plaintext, indicating that all devices can build the formula f (x). However, only the validated UEs can acquire the correct group key γ with self-computed ϕ i . In this way, the group key is preserved.
At this point, the group communication channel is enabled by utilizing the group key γ. For two strings a and b, let [a] represents the first bits of a, a||b represents the concatenation of a and b. Hence the following one-time-pad format can be applied for D2D transmission: where TS denotes the current timestamp. Moreover, the length of hashed value H 1 (γ, TS) is defined as , the length of the transmitted message is defined as m with m ≤ , exclusive disjunction is conducted between message m and the first m bits of hashed value, while the remaining ( − m ) bits is used for validation by the receiver. The destination devices can easily decrypt it and derive m, where the hashed value H 1 (γ, TS) is used as the symmetric key for both encryption and decryption. Hence, the group key is successfully distributed, D2D secure transmission is provided in this way.

Group Key Updating Strategy
In the proposed centralized scheme, group key updating is provided in an efficient way, which requires comparatively small efforts in the SN side. Note that further communication rounds with the participating devices are not required. Respectively, let ID r denote the UE identity to be revoked, ID j denote the newly joining device identity. The key updating involving multiple UEs can be achieved in the following step: For device revocation, SN removes the related ϕ r from the stored set {ϕ 1 , . . . , ϕ t } and choose a new group key γ new r . Hence the f (x) function is built as In this way, f (ϕ r ) = γ new r , indicating that the revoked device cannot acquired the updated group key. For i ∈ [1, t]\{r}, f (ϕ i ) = γ new r holds. Hence the remaining UEs can directly derive the updated group key with the current ϕ i . Extra information for key distribution is not required for SN and all the legitimate UEs.
The process for newly joining UE is similar. After successful authentication, SN computes the corresponding ϕ i related to ID j and adds it to the set {ϕ 1 , . . . , ϕ t }, Hence the new function f (x) is built as where γ new j denotes the newly generated group key. Obviously, for i ∈ [1, t] ∩ {j}, f (ϕ i ) = γ new j holds. All the valid UEs can acquire the update group key in this case.
It is worth nothing that the presented key updating strategy is able to provide efficient group key updating involving multiple UEs simultaneously. That is, SN organizes the newly generated key information with only one broadcasting. The revoked UEs cannot acquire the updated key according to the keying message due to the removal of ϕ i from f (x) function. Similarly, the newly joining UEs can acquire the updated group key using the computed ϕ i .

Proposed Continuous Authentication Method
In the aforementioned section, the certificateless authentication and group key distribution scheme is introduced with the purpose of offering validated D2D communication channel. However, the authentication event is only conducted prior to the entire communication process, while the entire communication process is still vulnerable to all kinds of attacks and security risks. Therefore, the continuous authentication with behavioral biometrics is adopted in our scheme, providing the new perspective to dynamically and periodically detect the anomalies during the entire user session. Intuitively, the regarding steps are conducted as follows.

Sensor Data Preprocessing
In our design, user's smartphone is deployed as the terminal device for D2D authentication, as well as the essential entity for continuous authentication. The embedded tri-axial gyroscope and accelerometer of smartphone are capable of capturing massive linear acceleration and angular velocity data, which distinctively reveals the different activities operated by the user.
Subsequently, de-noising on the acquired raw sensor data is enabled. The following cubical smoothing algorithm with five-point approximation is utilized: where (y i−2 , y i−1 , y i , y i+1 , y i+2 ) denotes the five adjacent points of data series, (y i−2 , y i−1 , y i , y i+1 , y i+2 ) are the output of the filtering operation. Note that the computation cost towards the cubical smoothing algorithm is comparatively small, thus it is suitable for the resource-limited smartphone devices. The filtered continuous sensor data are then separated into a number of sliding windows for the further training process. Note that the generated windows are half overlapped in our design. Subsequently, the segmented time window is further divided into action frames regarding to certain motion, where cycle detection is adopted with the purpose of characterizing specific data points in the acceleration sequence of each time windows.

Feature Extraction
Intuitively, the entire biometric data processing operations are carried out inside the individual smartphone, which is resource and power limited. Hence critical features with less complex computing requirements are adopted. Initially, the acquired three-axis gyroscope and accelerometer data are denoted as A = (a x , a y , a z ) and G = (g x , g y , g z ) respectively, indicating the measures of angular velocity and acceleration in X-axis, Y-axis and Z-axis. In this case, the magnitude of acceleration and angular velocity signals are respectively calculated as Accordingly, a set of time and frequency domain sensor data features are calculated: The overall standard deviation defined as: • γ(x): The skewness of x defined as: The kurtosis of x defined as: • ρ X,Y : The correlation between each pair of axes of the sensor data: Thereafter, standard normalization towards the extracted features is conducted before the training process, which is achieved as where z denotes the normalized output, µ and σ are respectively defined as the mean value and standard deviation of specific features.

Classification and Authentication Design
SVM (Support Vector Machine) is defined as the classifier formally defined by a separating hyperplane. In the supervised learning, with a set of training examples marked as one of the two given categories, SVM algorithm is able to construct the model that assigns new examples to one of the two categories. Based on this, the LibSVM [29] is adopted in our design for multi-class classification, where the radial basis function (RBF) kernel is utilized for core experiments of our study. Intuitively, the entire procedure is conducted independently from others. The personalized classification model is built for each participant. The subsequent evaluation is conducted using the personal testing samples.
At this point, a personalized model for individual participant is constructed locally, where the training data characterize unique behavioral patterns within a relatively long interval. Intuitively, for participants in certain area, similar activities are performed accordingly, indicating unique environmental characteristics. Hence the major performed activities types are denoted as {∆ 1 , . . . , ∆ N }, where N ∈ Z P . Consequently, the ratio of specific activity among all the detected actions within certain time interval is defined as {Φ ∆ 1 , . . . , Φ ∆ N }, which is presented in the form of biometric parameter Ψ i . Note that for various participants, Ψ i varies. Ψ i = {Φ ∆ 1 , . . . , Φ ∆ N } is then securely transmitted to SN right after the initial successful certificateless authentication process. Subsequently, UE periodically updates its biometric parameter Ψ i and transmits it to SN. Hence the statistical significance involving the previous data and the fresh data are conducted so as to measure the variation, where the significance level is set to be α = 0.05. If anomalies detected, SN resets the stored keying information of certain UE and requests re-authentication from specific UE. Finally, after each validation, the stored parameter set Ψ i is updated using newly acquired value so as to timely reveal the recent biometric status of user.
It is worth noting that the parameter checking process is performed at set intervals, thus continuous authentication is achieved.

Security Analysis
In this section, the security analysis towards the proposed certificateless authentication scheme is presented. The security theorems as well as the corresponding proofs are given below.

Resistance to Forgery Against Adaptive Chosen Message Attack
Definition 2 (Forking Lemma [30,31]). Let A be a probabilistic polynomial time Turing machine, given only the public data as an input. Within a certain time bound T , if A can produce, with non-negligible probability, a valid signature (m, σ 1 , h, σ 2 ), where the tuple (σ 1 , h, σ 2 ) can be simulated without knowing the secret key. In this case, with an indistinguishable distribution probability, there is another machine which has control over the machine obtained from A replacing interaction with the signer by simulation and produces two valid signatures (m, σ 1 , h, σ 2 ) and (m, σ 1 , h , σ 2 ) such that h = h . Theorem 1. The proposed certificateless authentication protocol could resist forgery towards adaptive chosen message attack in the assumption of random oracles H 1 , H 2 , H 3 .
Proof of Theorem 1. The security of unforgeability can be formally defined under the game G 1 . Let A 1 be a probabilistic polynomial time adversary. In this assumption, A 1 is able to break the proposed scheme. In this case, it is claimed that by conducting the following queries from adversary A 1 , the challenger B 1 is capable of making use of A 1 to break the randomness of H 1 , H 2 , H 3 oracles' outputs. Note that in the constructed game G 1 , the used hash functions represent the random oracles. Accordingly, the hash lists are maintained by B 1 . We assumed that B 1 is able to simulate all the oracles. The following steps to B 1 can be operated by A 1 : • Setup Phase. B 1 chooses the bilinear group (P, G, G S ,ê) of prime order P, as well as the generator g, w ∈ G. Thereafter, B 1 randomly chooses the system master key mk ∈ Z P and computes PK = g mk accordingly. The public parameters (P, G, G S ,ê, g, w, PK, H  (ID, ζ). Note that the tuple (ID, ζ) has already recorded in List H 1 . B 1 randomly selects X, r ∈ Z P and computes U = Xζ r and V =ê(ζ, g −r ) mk adopting the acquired ζ and previously stored mk. The calculated tuple (U , V ) will be sent to A 1 .
Finally, adversary A 1 obtains two tuple Tid, T , Auth and Tid, T , Auth * after querying B 1 , where ID = ID * . Hence, ζ = ζ * holds. That is, H 1 (ID) = H 1 (ID * ). Due to the assumption that H 1 is a random oracle, we can get ID = ID * , which contradicts the aforementioned assumption. Hence the probability that adversary A 1 can win the game G 1 is 1 2 ID + X + r , where ( ID , X , r ) denote the length of ID, X and r respectively. Thus, the advantage of A 1 winning the game is negligible. Our scheme is resistance to adaptive chosen message attack.

Resistance to Replay Attack
In the proposed authentication scheme, the previous collected information cannot pass the current data transmission procedure. As shown in the aforementioned group key distribution phase, the D2D transmission on message m is performed as , where the current time stamp is involved in each transmission process. In this way, the regular data transmission process is resistant to reply attack.
As for the authentication process, the certificate authentication method is adopted, where two partial secret keys X i , ϑ i are respectively generated by SN and UE itself. Accordingly, the utilized partial secret key ϑ i ∈ Z P is randomly selected after the successful validation of Auth i = H 2 (Tid i , T i , η i ). Note that the partial secret key ϑ i , as well as the group key γ ∈ Z P , is considered as the randomly generated value in each authenticating session. In this way, the delivered δ, ℘, a 0 , . . . , a t−1 from the previous session cannot pass the current authentication. The replay attack is prevented in this way.

Provision to Identity Privacy Preserving
In practical D2D communication scenarios, the adversary, including the insider and outsider attacker, is able to perform illegal tracing on particular device. The user privacy is damaged in this way. Therefore, in our design, the original identity of certain UE will not be revealed during the whole communicating phase. Furthermore, for all the participating vehicles, the user unlinkability is also provided. Hence the multiple messages generated by the same vehicle cannot be linked together. The brief description is given as follows.
Theorem 2. The proposed authentication scheme is resistant to illegal tracing, and provides UE unlinkability. That is, particular UEs can not be traced by extracting the featured information from the delivered messages.
Proof of Theorem 2. In our assumption, the real identity ID i for certain UE i is hidden all the time. As shown in the aforementioned authentication phase, the one-way hashed function H 1 is employed. The newly constructed temporary identity Tid i is derived as Tid i = ζ r i i , which contains the randomly generated value r i . Note that r i is previous selected in the SN side. The transmitting message Tid i , T i , Auth i shows no similarity with the subsequent data exchange. In this way, the tracing towards certain device is prevented.

Session Key Establishment
In the D2D environment, it is of great significance to generate the shared session key between the SN and all the UEs with the intention to guarantee the data confidentiality and transmission security. Theorem 3. Our authentication scheme is able to provide the shared session key γ ∈ Z P between SN and all the validated UEs.
Proof of Theorem 3. According to our design, the group key γ generated by SN is finally delivered to valid UEs in a secure way. The γ is adopted as the group key between SN and all the legitimate devices. Specifically, fast key updating operations can be guaranteed in the corresponding updating process. Within the updating phase, updating the related key for decryption is not necessary for the currently legitimate devices. In other words, the newly distributed key γ new can easily be derived with the formula f (x), where f (ϕ i ) = γ new holds for all validated UEs. However, the updated group key does not involve the information of revoked devices. In this way, the revoked device cannot derive the new group key using the expired f (ϕ i ). The group key can be successfully distributed and updated in our scheme.

Certificateless Authentication
The certificateless authentication feature is provided in our scheme, where key escrow issue can be prevented. In this section, the certificateless authentication properties can be analyzed as follows.
Theorem 4. The proposed protocol can provide certificateless authentication for D2D devices. The malicious entities cannot reveal the confidential key message of particular vehicle. Furthermore, SN cannot impersonate legitimate vehicles with the acquired knowledge.
Proof of Theorem 4. As illustrated above, during the authentication phase, SN has zero knowledge about the self-generated random partial key ϑ i ∈ Z P from UE side. Moreover, according to DBDH, SN cannot derive the ϑ i within the received T i = PK ϑ i , either. In this way, the impersonation on certain UE cannot be conducted.

Continuous Authentication
The continuous authentication strategy is conducted in our scheme, which could periodically detect the anomalies during the entire user session [26]. The analysis about behavioral biometrics is adopted, revealing the real-time human physical status. The personalized model for individual participant is constructed locally, where the training data characterize unique behavioral patterns within a relatively long interval. The biometric parameter Ψ i = {Φ ∆ 1 , . . . , Φ ∆ N } is processed for anomalies detection. Additionally, after each validation, the stored parameter set Ψ i is updated using newly acquired value so as to timely reveal the recent biometric status of user. Noting that the parameter checking process is performed at set intervals, thus continuous authentication is provided in our scheme.

Comparison on Security Properties
In this section, the comparison in terms of the major security properties for D2D authentication is presented. The proposed protocol is compared with the stat-of-the-art D2D authentication and key agreement schemes including SeDS [19], LRSA [32], GRAAD [12], and PPAKA [9] in order to prove its superiority on security properties. As shown in Table 2, our protocol yields the desirable security properties.

Performance Analysis
In this section, the performance analysis towards the proposed D2D authentication protocol is presented.

Storage Overhead
In our designed D2D communication model, the UEs are resource-limited devices with constrained storing capacity and computing ability. Hence, it is not efficient to store massive key information in the UE storage. Furthermore, additional storage overhead is required for authentication as well. In the contrast, considered as the major component of D2D network, SN is assumed to have adequate storing ability for key information recording and generation towards all the participated devices. Therefore, the analysis here emphasizes on the storage overhead in UE side, while the SN is not included due to the aforementioned design. The state-of-the-art D2D authentication and key agreement schemes including SeDS [19], LRSA [32], GRAAD [12], and PPAKA [9] are compared with the proposed scheme in order to prove its efficiency on storage overhead. Similarly, the storage overhead for D2D device is taken into consideration.
As for the UE in the proposed protocol, the public generators g, w ∈ G are previously stored in UE side. During the offline registration phase, the confidential key information X i , U i , V i is stored with its own identity ID i . Accordingly, we define the length of key information including X i , U i , V i and is 160 bits, the identity ID i is 32 bits. At this point, the storage overhead for each UE is 32 + 160 × 5 = (832) bits. Similarly, in the subsequent authentication phase, the length of public key PK, the validation result η i , and the self-generated partial secret key ϑ i ∈ Z P are 160 bits each. Hence the storage cost of UE in authentication phase can be calculated as 160 × 6 = (960) bits. In the following group key distribution phase, the received packet δ, ℘, a 0 , . . . , a t−1 is stored as well, where t denotes the number of participating UEs. The length of the final group key γ ∈ Z P is defined as 32 bits. In this way, the total storage cost can be summarized as 832 + 960 + 160 × 3 + 16 × t + 32 = (2304 + 16t) bits. Obviously, the storage cost is related to the number of validated UEs. The comparison results on storage overhead with the four existing D2D authentication scheme are illustrated in Table 3. Apparently, minor storage cost is required in our authentication scheme on the resourced-constrained UEs.

Communication Cost
In this section, the required communication rounds for the D2D authentication in SN side is analyzed, where totally t UEs are assumed to be authenticated. In our design, for each UE, only 3 rounds are required for the entire authentication process, where the offline registration phase is not included. Hence, the total communication rounds involving t UEs is n + 2 in our design, where the authenticating request and the final group key distribution message are through one broadcast operation. Accordingly, the comparison result on communication cost is given in Table 5, demonstrating that less communication rounds are conducted in our scheme comparing with the state-of-the-arts.

Conclusions
In this paper, a secure certificateless group authentication scheme for D2D communication is presented, the user activities data from smartphone sensors are analyzed for continuous authentication as well. The proposed scheme is designed for particular D2D scenario intended for public safety or field trip application for extreme environments, where the smartphone acts as the UEs for every terminal user. Note that most of the user equipments (UEs) are out of the effective range of cellular networks. Consequently, an efficient group key distribution method is constructed, which drastically reduces the communication cost compared with conventional one-to-one key distribution. In this case, the group key updating mechanism only requires a small modification in the SN side, while the decrypting information in the UEs side remains constant as soon as the UEs are validated. Additionally, continuous authentication strategy adopting smartphone sensor behavior analysis is adopted, where the unique user behavioral data acquired by accelerometer and gyroscope sensors in the smart phone (UE) is processed and characterized by time and frequency domain features. Continuous authentication is performed with the adopted biometric parameter periodically. Security and performance analysis demonstrate that the proposed scheme can yield desired security properties towards various attacks. The proposed design is efficient compared with state-of-the-art D2D authentication schemes.