Anonymous Cluster-Based MANETs with Threshold Signature

Security support is a significant factor in the design of security systems for ad hoc networks. It is particularly important to protect the identities of individual nodes to avoid personal privacy concerns. In this paper, we propose a security system for ID-based anonymous cluster-based MANETs to protect the privacy of nodes. Moreover, we propose a threshold signature scheme without pairing computations, which reduces the computation load on each node. To the best of our knowledge, our proposed security system is the first in which pseudonyms are combined with cluster-based mobile ad hoc networks (MANETs) without a trusted entity. According to our protocol analysis, our proposal satisfies most properties required of an anonymous security system and effectively copes with dynamic environments with greater efficiency by using secret sharing schemes. Therefore, it could be usefully applied to preserve privacy in dynamic MANETs without a trusted entity, such as military battlefields, emergency areas, mobile marketplaces, and vehicular ad hoc networks (VANETs).


Introduction
MANETs support communications in temporary, self-organizing, infrastructure-less situations, such as battlefields, disaster relief operations, and emergency rescue areas [1]. Recently, MANETs have been extended to intelligent transport systems, often called VANETs. However, MANETs are subject to various types of attacks because of the wireless and infrastructure-less environments in which they are used. Moreover, these network structures make it difficult to apply the certificate-based public key cryptosystem (CBC), which requires a certificate authority (CA). As a powerful alternative to the CBC, the identity-based cryptosystem (IBC) proposed by Shamir [2] has been gaining momentum in recent years. It allows public keys to be derived from entities' known identity information, such as e-mail addresses, IP addresses, or codes, thus eliminating the need for public key distribution and certificates. In other words, a user's public key can be determined directly from his identifying information, rather than having to be extracted from a certificate issued by a CA.
However, a centralized public key generator (PKG) which generates key pairs for users in the IBC would obviously be easy to attack, and its accessibility could not be guaranteed at all times for all participants in MANETs. To counter this, Boneh and Franklin [3] suggested spreading the PKG by means of distributed PKGs (D-PKGs), using threshold cryptography. Distribution of a signing key and CA functionality over multiple nodes using secret sharing and threshold cryptography is a possible solution to this problem. Most studies in cluster-based MANETs considering D-PKGs have been based on hierarchical topology structures, which classify nodes into two types, namely, representative nodes, called clusterheads (CHs), and common nodes.
Furthermore, the threshold signature scheme in MANETs has attracted many researchers' attention recently [4]. A threshold signature allows many individuals to cooperatively sign the same document. Some schemes with a trusted party have been proposed and applied to CBC-based networks [5], but these are unsuitable for MANETs, where there is no infrastructure and no controlling administration. Therefore, a threshold signature scheme is necessary for secure message transmission in MANETs. Recent research on cluster-based MANETs has sought to address the privacy problem [6] and threshold signature schemes [7], but research on anonymous threshold signature schemes in cluster-based MANETs has been insufficient. This paper proposes a security system for ID-based anonymous cluster-based MANETs to protect the privacy of nodes. Moreover, we propose a threshold signature scheme without pairing computation, which reduces the computation load on each node in comparison with existing schemes. The major contributions of this study are summarized as follows.
(i) Security of a cluster key distribution scheme and key agreement scheme. We propose a secure cluster key distribution scheme and a key agreement scheme with anonymity for cluster-based MANETs. The cluster key distribution scheme ensures that the compromise of an arbitrary number of nodes outside the target cluster does not jeopardize the secrecy of noncompromised nodes. The key agreement scheme also ensures secure communication between nodes both within a cluster and between clusters.
(ii) Consideration of threshold signature without pairing computation. Our scheme supports threshold signatures without any pairing computation. Compared to existing threshold signatures, we reduce the computation load on the signing nodes and the verifier; instead, CHs aid the signature verification process. Thus, our threshold signature is suitable for the distributed PKG architecture or the cluster-based network architecture.
(iii) Protection of personal privacy. Our schemes support entity anonymity. Only the entities in a matched session can learn the identity of the others with whom they are communicating. For instance, in a temporarily established mobile market, CHs could be dealers and common nodes could be purchasers. There is no need to hide the CHs' identities, because every purchaser should recognize the CHs as dealers along with their information; therefore, the identities of CHs are not particularly sensitive. By contrast, the information of purchasers is far more attractive to adversaries, because it could be abused commercially and criminally.
The rest of the paper is organized as follows. In Section 2, we present preliminaries, and the system model is presented in Section 3. In Section 4, we describe ID-based anonymous cluster-based MANETs, and the threshold signature is discussed in Section 5. Finally, we analyze the proposed scheme in Section 6 and conclude our findings in Section 7.

Preliminaries
In this section we present our notation, then define the cryptographic system and primitives used as building blocks in our security system. Table 1 lists some important notations whose concrete meanings will be further explained where they first appear.

ID-Based Cryptography.
Let , be two large primes, and let /F indicate an elliptic curve 2 = 3 + + over the finite field F . We denote by G 1 a -order subgroup of the additive group of points of /F and by G 2 a -order subgroup of the multiplicative group of the finite field F * 2 . The discrete logarithm problem (DLP) is required to be hard in both G 1 and G 2 . For us, a pairing is a map̂: G 1 × G 1 → G 2 with the following properties. Consequently, for all , ∈ Z * , we havê (ii) Nondegenerate: if is a generator of G 1 , then ( , ) ∈ F * 2 is a generator of G 2 . (iii) Computable: there is an efficient algorithm to com-putê( , ) for all , ∈ G 1 .
Note that̂is also , that is,̂( , ) =̂( , ), for all , ∈ G 1 , which follows immediately from the bilinearity and the fact that G 1 is a cyclic group. Modified Weil [3] and Tate [8] pairings are examples of such bilinear maps for which the bilinear Diffie-Hellman problem (BDHP) is believed to be hard.
(2) Secret reconstruction algorithm: based on a Lagrange interpolation, any subset ⊂ Ω of size can reconstruct the polynomial ( ) as is called a Lagrange coefficient. The secret can be reconstructed by computing (0).
We note that the above scheme satisfies the basic security requirements of secret sharing schemes as follows: (1) with knowledge of a or more than shares, it can reconstruct the secret easily; (2) with knowledge of fewer than ( − 1) shares, it cannot reconstruct the secret . Shamir's scheme is information theoretically secure since the scheme satisfies these two requirements without making any computational assumption. For more information on this scheme, readers can refer to the original paper [9].
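As an added example (not code from the paper), the following Python implements the (t, n) Shamir scheme described above over a prime field: share generation from a random degree-(t-1) polynomial, reconstruction of f(0) by Lagrange interpolation, and a forge_share function that shows the second security requirement concretely: given only t-1 shares, every candidate secret is consistent with some polynomial, so the missing share can be "completed" to make reconstruction return any value at all. The prime, thresholds, and sample secrets are constructed for the demonstration. The same reconstruction step is what the CHs perform in Sections 4 and 5 to recover the cluster-key polynomial and to check signatures, but with the paper's own parameters, which are not reproduced here.

```python
"""(t, n) Shamir secret sharing over a prime field.

Added example, not the paper's code. The prime, thresholds and sample
secrets below are constructed for the demonstration.
"""
import secrets

# Constructed demo field: the Mersenne prime 2^127 - 1. Any prime larger
# than both the secret and n would do.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x, prime):
    """Horner evaluation of sum(coeffs[k] * x^k) mod prime."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % prime
    return acc


def make_shares(secret, t, n, prime=PRIME):
    """Dealer step: pick a random polynomial f of degree t-1 with f(0) = secret
    and hand out the points (i, f(i)) for i = 1..n as shares."""
    if not 1 <= t <= n < prime:
        raise ValueError("need 1 <= t <= n < prime")
    if not 0 <= secret < prime:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i, prime)) for i in range(1, n + 1)]


def lagrange_coefficient(xi, xs, x, prime):
    """Lagrange coefficient L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j) mod prime."""
    num, den = 1, 1
    for xj in xs:
        if xj == xi:
            continue
        num = num * (x - xj) % prime
        den = den * (xi - xj) % prime
    return num * pow(den, -1, prime) % prime


def reconstruct(points, prime=PRIME, x=0):
    """Reconstruction step: interpolate the unique polynomial through the
    given points and evaluate it at x. With x = 0 and at least t genuine
    shares this is the secret."""
    xs = [p[0] for p in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x-coordinates")
    return sum(y * lagrange_coefficient(xi, xs, x, prime)
               for xi, y in points) % prime


def forge_share(partial_shares, missing_x, candidate_secret, prime=PRIME):
    """Why t-1 shares reveal nothing: the t-1 known points plus the point
    (0, candidate) lie on exactly one polynomial of degree <= t-1, so a
    consistent t-th share exists for *every* candidate secret. Returns the
    y-value such a share would have at missing_x."""
    if any(xi == 0 or xi == missing_x for xi, _ in partial_shares):
        raise ValueError("shares must not use x = 0 or the missing index")
    return reconstruct(partial_shares + [(0, candidate_secret)], prime, missing_x)


if __name__ == "__main__":
    t, n = 3, 5
    secret = 0x5EC7E7  # constructed sample secret
    shares = make_shares(secret, t, n)
    assert reconstruct(shares[:t]) == secret            # any t shares suffice
    assert reconstruct([shares[0], shares[2], shares[4]]) == secret
    # Two genuine shares plus one forged share reconstruct whatever we like,
    # which is exactly why t-1 holders learn nothing about f(0).
    forged = (5, forge_share(shares[:t - 1], 5, 0xBAD))
    assert reconstruct(shares[:t - 1] + [forged]) == 0xBAD
    print("Shamir (3,5) demo OK")
```

Note that reconstruct accepts more than t points as well: the unique interpolant through all n points of a degree-(t-1) polynomial is that same polynomial, so the CH may feed in every share it holds. Passing the x-coordinate explicitly is what lets the same routine produce additional points on the polynomial, which the CH does in Section 5 before the final reconstruction.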

System Model
We describe the network architecture and the security requirements.

Network Architecture.
We divide the network into several clusters to enhance efficiency and availability. Clustering is a method that enables nodes to be organized on the basis of their relative proximity to one another. We envision a cluster-based MANET consisting of CHs without any prior contact, trust, or authority relation. In each cluster, one distinguished node, the CH, is responsible for establishing and managing the cluster. The size of the network may change dynamically according to efficiency and security needs. Let us consider an ad hoc network with CHs that are selected to enable secure and robust pseudonym generation. We assume that compromised CHs will eventually exhibit detectable misbehavior. Studies [10,11] discuss ways to detect the misbehavior of nodes or intrusions in detail.
Our schemes work securely and properly on the assumption, similar to the assumptions made in [12][13][14], that adversaries compromise no more than ( − 1) out of CHs in a given time period. In practice, it is hard to compromise, in a given time period, CHs, which are more secure and powerful than common nodes and are geographically distributed over a wide area. In terms of nodes' abilities, we also assume that CHs have more computation and communication power than common nodes. More precisely, CHs have an additional powerful radio to establish wireless links among themselves and strong resistance against malicious attacks. Figure 1(a) illustrates the basic network architecture of our security system for cluster setup and pseudonym generation. CHs hold secret shares (CH ) generated by a PKG before deployment. CHs can generate the polynomial ( ) when at least CHs collaborate in the secret reconstruction algorithm. The CHs that reconstruct ( ) share the same cluster key, . This cluster key is periodically updated according to the update phase. Using the same cluster key, CHs generate their own polynomials CH ( ), called the respective polynomials later. Finally, common nodes in each cluster register with their CHs and receive a pseudonym key pair. We only consider the privacy of common nodes. Figure 1(b) illustrates the threshold signature generation process in a cluster. Nodes that are members of the same cluster and try to send the same message generate a threshold signature and send the message with the threshold signature to a verifier and the CH. Then, the CH checks the validity of the messages and signatures and generates and sends additional points to the verifier. Finally, the verifier checks the validity of the signatures.

Security Requirements.
We define security requirements for our anonymous security system.
(1) Privacy: private information, such as the node's identity and location, should be protected against malicious adversaries. Formally, given two sets of legitimate identities, ID 0 and ID 1 , the adversary should not have any significant advantage in guessing = 0 or 1 for the pseudonym PS .
(2) Traceability: compromised nodes are identified, and the corresponding identity and pseudonym should be revoked to protect networks against further threats.
(3) Nonmanipulation: no nodes or CHs can computationally manipulate a pseudonym from an identity.
(4) Verifiability: from the signature, the verifier can be convinced of the signer.
(5) Undeniability: once a signer creates a valid signature, he cannot repudiate the signature creation.
(6) Unforgeability: no nodes can forge a signature; it can only be replicated by the signer who creates it.

System Setup.
It is reasonable to assume that a trusted PKG could bootstrap the network, which itself is not a part of the resulting network. The basic operations consist of generating pairing parameters, private keys, and secret sharing.
(a) Generation of the pairing parameters ( , ,̂): to bootstrap the network, the PKG does the following.
(i) Generation of pairing parameters ( , ,̂). It selects an arbitrary generators ∈ Z * as its private key.
(b) Generation of secret sharing for cluster key: to generate secret sharing for the cluster key, the PKG does the following.
(c) Generation of CH's ID-based private keys: to hand out CH's private key, the PKG does the following.
(i) It submits identity information. A CH submits its identity information, CH , to the PKG.
(ii) It computes key pairs. The PKG computes a public/private key pair: = 1 (CH ) and and the key pairs ( , ) are preloaded to each CH securely.
(d) Generation of common nodes' ID-based private keys: to hand out node's private key, the PKG does the following.
Due to the difficulty of solving the DLP in G1, it is computationally infeasible to derive the network master secrets from an arbitrary number of private keys. This means that no matter how many key pairs adversaries acquire from compromised nodes, they cannot deduce the private key of any noncompromised node. Colluding CHs (no more than ( −1) out of in a given time period) cannot compute a cluster key.

Cluster Setup.
Cluster-based MANETs work without the help of the PKG after completing the system setup. Instead of a PKG, CHs play this role using their secret shares. In our security system, to provide security services to the network, each CH first generates a respective polynomial that covers its cluster, and a group secret key. Then, the CHs establish secure channels with other CHs or nodes to forward them. Secure channels are generated using their initial key pairs. Secure channels between CHs or between a CH and a node are established by the noninteractive key agreement scheme as follows: Here, , can be a node or a CH. Using this channel, CHs first authenticate nodes and other CHs and then forward the respective polynomials and a group secret key. The respective polynomials are for cluster reconfiguration, and the group secret key is for establishing secure channels with pseudonyms. Generation of the respective polynomials is carried out as follows.
(a) Pooling secret shares. Every CH shares its secret share, (ch ).
(b) Performing the secret reconstruction algorithm. Each CH reconstructs the polynomial ( ) and computes the cluster key :
To avoid cryptanalysis and malfunction of CHs, frequent key updates are needed. Our key update scheme consists of two parts: one is an update of the cluster key, and the other is an update of the respective polynomial. The cluster keys, , are refreshed periodically at a predefined time interval using the secret shares (ch ), where (0 ≤ ≤ , 1 ≤ ≤ ). The cluster key update enhances the security level of the network. Intact CHs reject the secret shares of compromised CHs, which are thereby isolated from the network. Furthermore, pseudonyms can also be updated independently of the cluster key update. Each CH can generate different pseudonyms for the same identity by changing its polynomial CH ( ) by replacing with , , . . . .

Generation of Pseudonyms.
Pseudonym generation is an essential process for providing privacy to each node. Figure 1(a) shows a scenario of the pseudonym generation process. Initial pseudonym generation starts when nodes registered with the PKG try to get a pseudonym from an adjacent CH. The CH generates pseudonyms for the common nodes within its cluster using its respective polynomial. Pseudonyms and secret shares are generated as follows.
(1) Generation of pseudonyms and key pair: to generate pseudonyms, CHs do the following. secret key to corresponding nodes. CHs forward pseudonyms to nodes, respectively, using a secure channel.
Other CHs cannot derive pseudonyms from the public keys of nodes, even though they know the cluster key, because of the hardness of the DLP in G1. Using the pseudonym key pair, common nodes establish a secure channel by the noninteractive key agreement scheme as follows: For noninteractive key agreement between a CH and a node, each CH randomly chooses ∈ Z * , computes a temporary public key as CH ( ), and then publishes it.

Threshold Signature in Anonymous Cluster-Based MANETs
We propose an anonymous threshold signature. The proposed scheme involves five roles: a clusterhead (CH), a set of members M = { 1 , . . . , 1 } in a cluster (where 1 is the identity of the th (1 ≤ ≤ 1 ) member), a set of signers S = { 1 , . . . , 2 } (where S is a subset of M and 2 is the identity of the th (1 ≤ ≤ 2 ) member), and a verifier .
(1) Generate threshold signature: to generate a threshold signature regarding message , a number of 2 nodes among the members of M perform the following steps.
(2) Generate a verifying polynomial: to check the validity of signatures, the CH performs the following steps:
(a) Check the validity of a set of messages. The CH looks up the corresponding pseudonyms from the pseudonym public keys using the pseudonym lookup table (PLT) and then checks the validity of each HMAC.
(b) Check the validity of signatures. The CH recovers signatures Sig PS from ⋅ Sig PS using the corresponding tokens and generates additional ( 1 − 2 ) points on 0 ( ) ⋅ CH ( ). Then, it performs the secret reconstruction algorithm using the 2 received signatures and the ( 1 − 2 ) generated additional points. The reconstruction algorithm is as follows: where = {1, . . . , 1 }, ( ) = ∏ ∈ \ ((id − )/(id − id )) is called a Lagrange coefficient. If the reconstructed polynomial has 0 ( ) ⋅ at ( = 0), the CH accepts the signatures as valid.  1 ), . . . , ( 2 , 2 )) on the verifying polynomial and then sends the tuple to the verifier :
(3) Generate verification: to check the validity of a signature, the verifier does the following.
(b) Check the validity of the HMAC. The verifier checks the validity of the HMAC using the 2 received points and the generated V CH (0). If the HMAC is correct, the verifier identifies the signatures as valid.

Analysis
In this section, we provide analysis of our system with respect to correctness, performance, and security.

Correctness. Note that
where PS is the secret sharing of .
(Table 2 legend: ∘ denotes that the scheme considers the property; × denotes that the scheme does not consider the property; denotes the cost of one pairing operation; denotes the cost of one exponentiation operation; 1 denotes the cost of one scalar multiplication in G1; 2 denotes the cost of one scalar multiplication in G2; denotes the number of signing nodes.)
Therefore, a CH can verify the validity of each signature as follows: The verifier can also check the validity of the threshold signature in the same way, because V CH ( ) passes through the set of points ( 1 , 2 , . . . , 2 ). The verifier can reconstruct the polynomial, find V CH (0), and consequently check the validity of the HMAC received from the CH.

Performance.
This section presents our efficiency analysis. Table 2 compares our proposed schemes with other schemes. For simplicity, we omit the private key distribution and secret sharing distribution processes from the computation load comparison. All schemes except the proposed one use a pairing algorithm to generate and verify the signature. Pairing and exponentiation operations generally consume far heavier computation than scalar multiplications. Cao et al. [15] showed that a pairing costs about twice the computation of an exponentiation and three times that of a scalar multiplication in G1. According to this experiment, our scheme is much lighter than previous threshold signature schemes. Moreover, our threshold scheme is comparable with existing threshold signatures in non-ID-based cryptosystems [16].
Security
Privacy.
Our security system supports the anonymity of nodes using pseudonyms. In our proposed security system, no node reveals its real identity after pseudonym generation. An adversary cannot correctly match an identity with a pseudonym, even if both the identity and the pseudonym are released to it, because of the hardness of the DLP [17]. The pseudonym takes the form PS = CH (id ) in the th update phase for node in cluster . To match a real identity with a pseudonym, adversaries would have to reconstruct the polynomial CH ( ). However, no coalition of at most ( − 1) malicious nodes can reconstruct the respective polynomial, even if they know the cluster key, because the ( 1 , 1 )-SS is information-theoretically secure against at most ( 1 − 1) adversaries. Thus, as long as the CH does not reveal the respective polynomial, the anonymity of each node is guaranteed.

Traceability.
Each CH records the relation between the identity and the pseudonym of each common node in its cluster in the PLT. Pseudonyms of compromised and revoked nodes are rejected from the PLT, and these nodes can no longer be updated. Therefore, our system enables the tracing of violators when unlawful actions are reported to the CH, and they are eventually isolated from the network.

Nonmanipulation.
Our proposed security system ensures nonmanipulation in the case of at most ( − 1 or 1 − 1) compromised nodes. Only the CH that holds a respective polynomial can generate valid pseudonyms in a cluster; no other nodes or CHs can do so. The secret shares of ( ) are generated by the ( , )-SS; therefore, only or more colluding CHs can reconstruct ( ), learn , and consequently generate valid respective polynomials CH ( ). Moreover, the respective polynomials, generated by the ( 1 , 1 )-SS, are used to generate pseudonyms. In conclusion, adversaries who know or more secret shares of ( ), or 1 or more secret shares of CH ( ), could carry out manipulation; however, this is impractical. Thus, as long as fewer than ( or 1 ) nodes and CHs are colluding, nonmanipulation is guaranteed.
Verifiability, Undeniability, and Unforgeability.
The CH works as a subverifier in our threshold signature scheme by generating a verifying polynomial. From the message tuples sent by signers, the CH can check the validity of the signers. First, only valid and registered nodes can generate a correct HMAC with their pseudonym. Second, the CH can verify signatures by reconstructing the polynomial 0 ( ) ⋅ CH ( ). This polynomial returns the correct value 0 ( )⋅ CH (0) = 0 ( )⋅ when the signatures are generated by signers who hold a valid and registered pseudonym key pair. Finally, the verifying polynomials reconstructed by the CH and by the verifier return the same value, V CH (0), when the CH satisfies the two former conditions and holds a valid pseudonym key pair of the verifier. Thus, verifiability is guaranteed whenever these conditions hold. Undeniability and unforgeability are guaranteed similarly. The message containing the signature is in the form HMAC PS . Unless the pseudonym is released, only the node can generate a valid HMAC; thus, it cannot deny the signature and others cannot forge it. Thus, undeniability and unforgeability are guaranteed.

Forward/Backward Secrecy.
Our security system supports forward/backward secrecy using the key update scheme in the case of at most ( − 1 or 1 − 1) compromised nodes.
The key update scheme regularly updates pseudonyms, and consequently the pseudonym public/private key pairs of nodes are updated along with the pseudonym. There is no relation between past key pairs and updated key pairs, because CHs periodically change the polynomial CH ( ) or the cluster key . Therefore, even if the updated private/public key pairs are exposed to adversaries, this does not affect past or future session keys.

Conclusions
Concerns about personal privacy and security in wireless environments are increasing rapidly as mobile devices become more popular. Cluster-based MANETs are being seriously considered to pioneer new markets; however, there are urgent unresolved security problems. Fundamental aspects of security, such as authentication and signatures, are challenging for secure security systems in cluster-based MANETs. In addition, the protection of personal privacy has become increasingly important as wireless networks have become personal and popular; therefore, secure security system designs with anonymity are required for cluster-based MANETs.
In this paper, we presented a secure security system with anonymity for cluster-based MANETs and a threshold signature under practical assumptions. To the best of our knowledge, our proposed security system is the first in which the pseudonym is combined with cluster-based MANETs without a trusted entity. According to our protocol analysis, our proposed system satisfies most properties for an anonymous security system and successfully copes with dynamic environments with greater efficiency by using secret sharing schemes. We believe that the proposed system improves upon the security of previously proposed security systems, and that it is suitable for a wider variety of applications. It could be usefully applied to preserve privacy in dynamic MANETs without a trusted entity, such as military battlefields, emergency areas, mobile marketplaces, and privacy-preserving VANETs.