 Research
 Open Access
 Published:
A provably secure clusterbased hybrid hierarchical group key agreement for large wireless ad hoc networks
Humancentric Computing and Information Sciences volume 9, Article number: 26 (2019)
Abstract
Group key agreement protocol permits a set of users to create a common key to make sure security of information exchange among members of the group. It is extensively used in secure multiparty computation, resource security sharing, and distributed collaborative computing etc. For large wireless adhoc network, there is no authentication center, the computing power and communication distance of terminals are constrained, and nodes frequently join and exit the network. For these reasons, Group Key Management for securing multicast communications in an energyconstrained large wireless adhoc network environment is still remains a critical and challenging issue. In this direction, we propose a clusterbased hybrid hierarchicalgroup key agreement (CHHGKA) framework to provide a scalable solution for Secure Group Communication (SGC) in large wireless ad hoc networks (WANETs). This technique is based on splitting a large group into a certain number of clusters in which the last member of each of the clusters is designated as a cluster head (CH) and the last member of the group is designated as the group controller (GC). First we apply on hand Naresh–Murthygroup key agreement (NMGKA) protocol locally in every cluster in parallel in levelI to generate CKs and then in levelII, the CHs’ use these CKs and implement NMGKA protocol again among them to form the complete group key. Finally each CH distributes the group key to all its members through their respective CK encrypted links. In this process, first we survey several clusterbased hierarchical GKA protocols and compare the proposed one with them and show that it provides optimal performance with regard to computation and communication expenses. Further, it also handles dynamic events and is provably secure in formal security model under the cryptographic suppositions.
Introduction
WANETS provide whenever–wherever networking amenities for communication establishment through the public wireless medium. In this environment, SecureGKA and proficient group key management are known to be complicated tasks with respect to both computational and algorithmic points of view because of resource constraints in WANET [1]. There is an extensive range of applications for WANET which includes emergency medical services deployed in various environments which can considerably improve the quality of medical care; military applications, rescue missions, collaborative commercial applications; law enforcement etc. Security is the decisive factor for designing an efficient Wireless Sensor Network (WSN) protocol. Consequently, secure GKA protocols have gained extensive attention. We presented considerable number of GKA schemes in the literature [2,3,4,5,6,7,8,9,10,11]. However, traditional GKA protocols are not appropriate for ad hoc networks. The principal challenge here is provision of secure authenticated communication which comes from their distinctive features which include (i) need for a fixed trustworthy Public Key Infrastructure (PKI); (ii) need to support dynamic network topology as a result of high mobility like joining/leaving; (iii) nodes with less amount of storage, computation and communication power; (iv) be deficient in predisseminated symmetric keys among the peers; (v) higher level of selfnetwork arrangement; (vi) susceptible multihop wireless connections, etc.
In large WANETs, establishment of group key [1] is a tricky job due to its dynamism. A usual solution suggested to address this issue is to split up the large network into a certain number of constituent network clusters [12]. Categorization of the clustering algorithms can be done by the type of clusters they are forming. Several clustering algorithms pick special nodes as CHs, responsible for cluster creation and afterwardmaintenance of the cluster [13], at times routing also. The CHs are not always mandatory. A few protocols used in clustering algorithms do not use them at all. Instead, they prefer gateways to communicate messages from one cluster to another. A gateway generally fits to more than one cluster if there is an overlap in the clusters. In depth description relating to some of these clustering algorithms can be found, for example, in [14].
The implementation of GKA and key management are easier within the cluster in contrast to the complete ad hoc network. Since the clusters have further stable internal links because of the huge quantity of connections among peers within the similar cluster. Further, intercluster GKA is meaningful as clusters are put on to stick jointly more than the hops do on average for WANETs. Clustering may thus fetch the essential scalability and failure in one cluster does not affect the whole group for establishing the group key in large networks. Thus clustering was adopted in the proposed work.
A public key cryptography is used in majority of distributed GKA protocols because there are no alternative approaches available for distributing a common key through a public channel. The Public Key Computations (PKC) methods, as well as DH’s exponentiation are both costly and very difficult for WANET. While distributing extra common keys to nodes that have embarrassed capabilities or bandwidth of storage and computation. The management techniques for computational overheads must be considered into account. As ECDH is lightweight and efficient when compared to regular DH, the ECCbase [15] is used to secure dynamic authenticated GKAs: Consequently, in this paper an ECCbased NMGKA [16] is used as a prerequisite for the proposed protocol.
In hierarchical framework, a network is formulated from a nested grouping (clustering) of nodes, connected in the form of a tree structure. Hierarchical frameworks are often utilized in routing as in [12, 17, 18], where best clustering frameworks are derived so as to minimize routing table’s size. Numerous protocols require the information of the entire topology of network, whereas others carry out the computations with the knowledge of the nearby nodes and their likely clustermemberships [13, 19]. After having a thorough study of these existing hierarchical and clusterbased protocols, we derived some notable merits which include (i) a hierarchical structure is adopted to handle the dynamic events efficiently, (ii) a hybrid encryption is employed as this approach can reduce the computation overhead, and therefore, it is quite suitable for WSN. Some common drawbacks in the existing hierarchical protocols which include (i) the clustering method is not easy to handle certain member events, such as a CH node leaving the network. More precisely, it is rather costly to use the cluster method to deal with the situation that several CH nodes leave the network at the same time. (ii) Distinct complex algorithms should be carefully designed for handling different kinds of dynamic events. On the other hand, as it was stated in [20, 21], when every cluster are having the same amount of nodes and sizes, the hierarchical framework becomes fully balanced and also achieves the best performance. Besides, the authors of [21] asserted that the competence of the entire scheme is enriched if the amount of levels is little (let it be 3). In this work, a fully balanced hierarchical framework of level 2 was adopted with all the clusters with equal size except for one.
The proposed work has adopted hybrid based symmetric encryption where it combines the key distribution and key agreement. A digital signature scheme as in [16] can be used to authenticate our protocols. In view of the MANET’s (Mobile Adhoc Network) dynamic, the proposed protocols adeptly address the dynamic events. It is designed exclusive of utilizing calculationexhaustive pairings [22] and is extremely efficient relative to the existing hybrid clusterbased GKA protocols [20, 23,24,25,26,27,28,29].
In contrast, usage and implementation of NMGKA [16] protocol among all the nodes in the system may not be feasible for large WANETs. Consequently, we plan to use the same for each cluster and then for all the CHs in two levels hierarchically.
Notice that this paper assumes that the cluster structure has already been established (includes the amount of levels in the cluster hierarchy, formation of clusters [20, 21, 25, 26, 30,31,32,33] and the selection of CHs) and thus does not consider overhead computation during the clustersetup phase.
Related work
Twoparty DHkey agreement [34] is the origin for enormous amount of consequent GKA schemes. The majority of distributed/contributoryGKA protocols rely on generalizations of 2party DH or its extensions [3, 7, 16, 35,36,37,38,39]. Key management in distributed/contributoryGKA are less difficult to deal with in each subgroup/cluster compared to the whole ad hoc network. So most recent works [18, 20, 21, 25, 26, 30, 31, 35, 39, 40,41,42] adopted subgroup/cluster based approach, in which the whole group is divided into clusters. Distinct controllers are utilized to control every cluster which minimizes the issue of imposing the work on a single point.
The majority of CKGKAs’ [18, 20, 21, 25, 26, 30, 31, 35, 39, 40,41,42] presume a hierarchical framework of the clusters or hierarchical structure, then execute a natural key agreement schemes such as, DH [34] or the Burmester and Desmedt (BD) [3] GKA scheme, or a variety GKA schemes [3, 7, 16, 35,36,37,38,39] is at first implemented locally in each cluster, after that utilize these CKs in the next level with equivalent or an alternate key agreement scheme among CHs’ to generate the whole group key. For further information on a comparison of the existing protocols [18, 21, 25, 26, 28, 30, 31, 33, 43] in this direction, one can refer to Table 2, summary of the key characteristics of cluster based protocols.
In the existing clusterbased GKA protocols, only [20, 26, 28, 31] offer authentication. Authentication confirms that only legitimate group members are allowed to derive the key in the key setup phase and accordingly facilitate the group members to secure against MITM attacks in the course of the key agreement phase. In the schemes [18, 21, 29], the authors suggest an approach of making their scheme into an authenticated approach, but doesn’t analyse the additional communication and computation cost in order to authenticate each and every message which is shared among the group members. Lastly, some protocols [25, 44] did not even consider the authentication mechanism at all in key agreement phase. On the other hand, these schemes can be altered in order to accomplish authentication by means of either a special kind of compiler or an authenticated GKA (AGKA) [45].
Further, most of the traditional GKA schemes stated in the literature are unable to handle the dynamic nature (joining and leaving of nodes from the clusters) in WANETs. In precise, the renowned protocols in [3, 11, 36, 38] competent for wired networks, may not be applicable to the WANETs due to their enormous dynamism. On the other hand, clustering strategy empowers hubs to be sorted out in a various levelled ad hoc network dependent on their relative nearness to each other, along these lines debilitating the one hop presumption in natural GKA protocols.
After a thorough study in examined research area, in this work we adopted cluster based hybrid hierarchical approach: dynamic clusterbased hybrid hierarchical group key agreement for large wireless ad hoc networks.
Our contribution
The key objective of this work is to achieve “a provably secure CHHGKA for large WANETs”. The base behind the proposed creation is to divide and conquer. This protocol works by dividing larger group into a certain number of clusters created on their relative closeness to each another. For this we employ two types of keys namely group key (GK) and cluster key (CK). A CK is nothing but the key produced among every member inside a cluster and the GK is the complete network key among every node in the group.
In this work we choose dynamic authenticated NMGKA protocol [16] for establishment of the CKs in levelI and then for GK in levelII. Further, the last member of each cluster will act as its CH and generates the CK among the cluster members in levelI. The last member of the group will act as the GC for the entire group and combines all the CKs to create the GK. Key for the entire group in levelII. This scheme reduces the computational complexity O(lr) to O(l + r) where l = Max (C1, C2,…,Cr) and “r” is the number of clusters.
For building provably secure model for the proposed protocol we adopted Bresson et al.’s [46] because it is the first formal provably secure model for authenticated GKA. The concept of provable security is utilized over the contemporary literature to demonstrate in a mathematical means, and under sensible suppositions, that a cryptographic technique accomplishes the essential goals of security. Such proofs are generally build by means of a formal setting that indicates: (1) the computing environment (involving cryptographic parameters, users, their trust association, communication etc.), (2) the adversarial environment and (3) the definitions of a few solid goals of security.
Overall contribution

i.
The key contribution of this work is authenticated clusterbased hybrid hierarchical GKA: NMCHHGKA for large wireless ad hoc networks.

ii.
Extended NMCHHGKA to dynamic NMCHHGKA by proposing join and leave of single or multiple group members for membership changes.

iii.
Established recognized proofs of provable security for to dynamic NMCHHGKA.

iv.
Our comparative analysis assessed and measured the effectiveness of proposed protocol and compared with identified protocols in terms of energy cost for computation and communication and shown that the proposed protocol is optimal.
Some salient features of the proposed scheme

i.
Different CH are used to control each cluster and it minimizes the total load on a single point (GC).

For instance consider one of the most promising applications [24] of clusterbased hierarchical GKA over WSNs in the healthcare sector.

NMCHHGKA over infrastructurebased WSN situation is appropriate for medical environments in which one can have numerous powerful nodes those can take CH role, such as intrahospital environments. We can then suppose that CHs are predetermined and that consumption of energy is not a principal concern for them. The hospital sensor network can be split into various clusters by considering their geographical location.
NMCHHGKA over infrastructureless WSN situation is appropriate for medical environments in which there is no fixed infrastructure at all or no full coverage, as in the case of a medical emergency. In this situation, dynamically sensors can be clustered into nonoverlapping or overlapping groups. Whenever a node wants to send out data, the node closer to the gateway (best path) is selected as the CH. For further information please refer [24].



ii.
The failure of one CH or node doesn’t affect the entire group.

iii.
Parallel computation of CKs provides reduced computational load from O(l·r) to O(l + r).

iv.
Both membership changes and subgroup dynamics can be optimally achieved.

v.
Local rekey: membership change in a cluster are treated locally, so that rekey of a cluster will not disturb the entire GK.

vi.
The two level cluster based hierarchical GKA scheme allows distributed key management scheme to implement at the cluster level to realize dynamism without losing efficiency.

vii.
The two level GKA reduces load on the GC by distributing or arranging the group members in the form of hierarchy, which enhances scalability and security.

viii.
Every cluster member requires a minimum storage space to preserve the CKs.
Organization/structure of the paper
“Background protocols” section talks about the protocol’s prerequisites. The proposed protocol is exhibited in “Proposed protocol” section. “Security analysis” section speaks about analysis of security. “Comparative analysis” section delivers a relative analysis with the existing prominent protocols. Finally, “Conclusion and future scope” section concludes with several observations and future scope.
Background protocols
Here first we introduce several notations presented during the course of the paper and then we present the backbone on hand NMGKA protocol.
Notations
The several notations utilized in this paper are presented in Table 1.
Naresh–Murthy group key agreement protocol (NMGKA)
Let M_{1}, M_{2},…,M_{i},…,M_{n} be the members of group and let M_{n} the last member be the GC. As shown in Fig. 1, in round1, the GC M_{n} establishes (n − 1), 2party ECDH common keys with every residual members. During round2 the GC generates (n − 1) public keys L_{i} by means of 2party keys generated in round1 after that it sends these public keys to the corresponding members and on getting, every member products it with their own common key in order to calculate the GK. Further the GC combines all the 2party keys generated in round1 into a GK and it turn into a part of the group. Authentication is provided with a digital signature (DSig) as in [16]. The NM.Initial group key agreement (NM.IGKA) protocol is presented in Fig. 1. Further we presented NMGKA dynamic protocols [16], NM.Join and NM.Leave in Figs. 2 and 3 respectively.
Proposed protocol
Here we presented an outline of the proposed protocol and then the detailed proposed protocol.
Outline of the proposed scheme: NMCHHGKA
The proposed scheme consists of 4 steps as follows:
Step 1: (Cluster key agreement) In this step parallel execution of NMGKA protocol in all the clusters for computing their respective CKs as in Algorithm 1.
Step 2: (Group key agreement) In this step execution of NMGKA protocol among all the CHs for computing their complete GK as in Algorithm 2.
Step 3: (Group key distribution among the cluster nodes) In this step each of the CH distributes the established GK in step2 to their members through their respective CK encrypted links.
Step 4: (Group key maintenance) As per the dynamic nature of wireless nodes, the nodes’ movement may vary the topology of network often. It is consequently significant and essential to update session key of the group to guarantee security. For establishing new GK, in level1 we renew the CKs where changes in membership arise by call upon CK update as in Algorithm 4 and then in level2 by invoking GK update as in Algorithm 5.
Proposed scheme: NMCHHGKA
NMCHHIGKA
Let M_{1}, M_{2}, M_{3}…, M_{n} be the group members. Without loss of generality, for computation sake, divide these “n” members into \(r = \left\lceil {\frac{n}{l}} \right\rceil\) clusters, where cardinality of each cluster C_{1}, C_{2}, …, C_{r} is less than or equal to l and also let the last member of each cluster act as CH and let the last member of entire group act as the GC for the whole group.
LevelI: CK generation for any of the cluster \(C_{i} ,\;1 \le i \le r.\)
Let \(C_{i} = \left\{ {M_{{i_{1} }} ,M_{{i_{2} }} , \ldots ,M_{{i_{l  1} }} ,M_{{i_{l} }} } \right\}\) where \(M_{{i_{l} }}\) is the CH of \(C_{i} ,\;1 \le i \le r.\)
Notice that the rth cluster may not have \(l\) members in it. However, the procedure remains the same with a different suffix other than l.
Step 1: The ith CH \(M_{{i_{l} }}\) forms (l − 1) twoparty groups with the remaining members of that cluster \(M_{{i_{1} }} ,\;M_{{i_{2} }} , \ldots ,M_{{i_{l  1} }}\) and generates twoparty ECDH style keys \(x_{{K_{l,j} }} , \;1 \le j \le l  1\) as follows:

i.
The CH \(M_{{i_{l} }} ,\) chooses a private key \(x_{l}\) and generates its public key \(X_{l} = \left[ {x_{l} } \right]P\)

ii.
Remaining cluster members \(M_{{i_{j} }} ,\;1\, \le \,j\, \le \,l  1,\) chooses private keys \(x_{j}\) and generates their respective public keys \(X_{j} = \left[ {x_{j} } \right]P,\;\;1\, \le \,j\, \le \,l  1.\)

iii.
The CH broadcasts its public key X_{l} to the remaining members of the cluster and each \(M_{{i_{j} }} , \, 1\, \le \,j\, \le \,l  1\) unicasts X_{j} to the CH \(M_{{i_{l} }} .\)

iv.
After exchanging their public key each member \(M_{{i_{j} }}\) in the cluster C_{i}, computes its shared key K_{l,j} with the CH \(M_{{i_{l} }}\) as follows:
$$\begin{aligned} K_{l,j} & = \left[ {x_{j} } \right] \, X_{l} = \left[ {x_{j} } \right]\left[ {x_{l} } \right]P \\ & = \left[ {x_{j} x_{l} } \right] \, P \\ & = \left( {x_{{K_{l,j} }} , \;y_{{K_{l,j} }} } \right),\quad 1 \le j \le l  1 . \\ \end{aligned}$$ 
v.
Similarly, the CH \(M_{{i_{l} }}\) computes (l − 1) shared keys K_{l,j} with the remaining cluster members \(M_{{i_{j} }} ,\;1\, \le \,j\, \le \,l  1\) as follows:
$$\begin{aligned} K_{l,j} & = \left[ {x_{l} } \right] \, Xj = \left[ {x_{l} } \right]\left[ {x_{j} } \right]P \\ & = \left[ {x_{l} x_{j} } \right]P \\ & = \left( {x_{{K_{l,j} }} , y_{{K_{l,j} }} } \right), \quad 1 \le j \le l  1 . \\ \end{aligned}$$Thus \(x_{{K_{l,j} }} 1 \le j \le l  1\) are the (l − 1) shared keys between the CH \(M_{{i_{l} }}\) and other members \(M_{{i_{j} }}\) of the cluster C_{i}, where \(1 \le i \le r\) and \(1 \le j \le l\) in that order.
Step 2: Currently the CH calculates the (l − 1) public keys L_{j}, using twoparty common keys \(x_{{K_{l,j} }} ,\; 1 \le j \le l  1\) established in step 1, as below and sends it to respective \(M_{{i_{j } }} .\)
Public keys:
After unicast messages are received by respective members \(M_{{i_{j} }}\) compute the CKs as under:
As CH be acquainted with all the common keys, it also establishes the CK as under:
Thus \(x_{s}\) is the CK among the cluster members C_{i}.
Now, let the CK of C_{i} be \(x_{{s_{i} }} ,\;1 \le i \le r.\)
LevelII: Let \(M_{{1_{l} }} ,M_{{2_{l} }} , \ldots ,M_{{r  1_{l} }} , \;M_{{r_{l} }}\) be the CHs and let \(M_{{r_{l} }} = M_{n}\) be the GC.
Step 1: Let \(x_{{s_{i} }}\) be the CK of the respective cluster \(C_{i} ,\;1 \le i \le r\) generated in levelI. First the GC \(M_{{r_{l} }}\) forms (r − 1) 2party groups with the residual CHs and each CH \(M_{{i_{l} }}\) takes the CKs generated in levelI \(x_{{s_{i} }} ,\;1 \le i \le r\) as their private key respectively and computes their respective public keys as follows:
The GC, \(M_{{r_{l} }}\) broadcasts its public key S_{r} to the remaining CHs \(M_{{i_{l} }} ,\;1 \le i \le r  1.\)
After receiving each CH \(M_{{i_{j} }}\) computes the shared key between GC and itself as follows:
Each CH \(M_{{i_{l} }} ,\) unicasts its public key \(x_{{s_{i} }}\) to GC \(M_{{r_{l} }}\) and then GC computes the (r − 1) shared keys with the remaining CHs as follows:
Thus \(x_{{T_{r,i } }} \;1 \le i \le r  1\) are the (r − 1) common keys between the GC \(M_{{r_{l} }}\) and the other CHs \(M_{{i_{l} }} ,\) where \(1 \le i \le r  1.\)
Step 2: Currently the GC calculate the (r − 1)public keys U_{i}, by means of two party common keys \(x_{{T_{r,i} }} , \;1 \le i \le r  1,\) generated in step 1, and sends it to respective CHs \(M_{{i_{l} }} \;1 \le i \le r  1\) as follows:
Public keys:
After receiving respective unicast messages, respective CHs \(M_{{i_{l} }}\) compute the GKs as follows:
In view of the fact that the GC knows every common key, it also generates the GK as under:
Hence the \(x_{K}\) is the GK among the group members. Authentication is provided with a digital signature (DSig) as in [16].
NMdynamic CCH protocol (NMDCHH)
To address the dynamic events such as join and leave in GKA we proposed a NMDCCHGKA by introducing NMCHH.Join protocol and NMCHH.Leave protocol as follows:
NMCHH.Join protocol
The principal security prerequisite of member joining is the protection of the earlier GK from both the outsiders and the newly joining group members.
Suppose a node or a set of nodes U wish to join the group and intimates the same to GC. The GC adds U at the beginning of the cluster C_{i} where it belongs so that the CH remains the same. We proceed with NMCHHJoin protocol as shown in Fig. 4.
NMCHH.Leave protocol
The principal security prerequisite when a member leaves is the protection of the succeeding (future) GK from both the outsiders and the earlier leaving group nodes.
We may assume that this member is not a CH without loss of generality, because if it is the GC and/or CH, naturally the preceding member will act as GC and/or CH and the procedure still remains the same.
Suppose a node or a set of nodes U want to leave the group and intimates the same to GC. We proceed with NMCHHLeave protocol shown in Fig. 5.
Security analysis
Here we presented the security of (i) unauthenticated protocol (UP): the initial key agreement (NMCHH.IGKA). (ii) the authenticated key agreement (AKA): the NMACHH and (iii) the dynamic authenticated key agreement (DAKA): NMDCHH (NMCHH.Join and NMCHH.Leave) of proposed protocols separately.
Theorem 4.2 addresses the security of unauthenticated static NMCHHIGKA and then the Theorem 4.3 deals with security of authenticated CHH protocol (NMACHH). Finally Theorem 4.4 states the security of dynamic authenticated CHH protocol (NMDACHH).
Lemma 4.1
The unauthenticated NMGKA scheme depicted in " Background protocols " section is secure in opposition to passive opponent under ECDDH supposition, accomplishes forward secrecy and fulfils the accompanying: \(Adv_{NM}^{KA} \left( {t,\;q_{E} } \right) \le 2Adv_{G}^{ECDDH} \left( {t^{\prime}} \right) + {{2q_{E} } \mathord{\left/ {\vphantom {{2q_{E} } {\left {G } \right}}} \right. \kern0pt} {\left {G } \right}},\) where \(t^{\prime} = t + O\;\left( {\left {\mathcal{P}} \rightq_{E} t_{s.m} } \right),\) t_{s.m} is the time required to carry out scalar multiplications over \(G = E\left( {F_{p} } \right),\;\left {\mathcal{P}} \right\) is the amount of participants in the network and \(q_{E}\) is the amount of implemented queries that an opponent may ask.
Proof
The lemma’s proof is depicted in [16] as a theorem. □
Theorem 4.2
The unauthenticated static NMCHH.IGKA protocol depicted in " Proposed protocol " section is secure against inactive opponent under ECDDH presumption, accomplishes forward secrecy and fulfils the accompanying:
where \(t^{\prime} = t + O\;\left( {\left {{\mathcal{P}}_{max} } \rightq_{E} t_{s.m} } \right),\) t_{s.m} is the time required to execute scalar multiplications over G = E(F_{p}), \(P_{max}\) = maximum amount of users in a cluster of the network, r +1 is the amount of clusters formed in the network and \(q_{E}\) is the amount of implemented queries that an opponent may pose.
Proof
The verification regard as an opponent \({\mathcal{A}}\) who overcomes the security of proposed unauthenticated static NMCHH scheme. Given \(\mathcal{A}\), we build an enemy \(\mathcal{B}\) assaulting the symmetric encryption plot (Symm); identifying with the achievement likelihood of \(\mathcal{A}\) and \(\mathcal{B}\) gives the expressed consequence of the theorem. Before portraying \(\mathcal{B}\), we initially characterize event Bad and bound its likelihood. Let Bad be the event to be the occasion that \(\mathcal{A}\) can recognize a CK (which is a key concurred by the NM scheme) from a arbitrary value anytime amid its execution.
Let Prob [Bad] stands for \({\text{Prob}}_{{NM{  }CHH}}\)[Bad]. Let Succ indicate the event that \(\mathcal{A}\) succeed the game.
Notice that r + 1 clusters are required in the network, in each execution of proposed protocol to form the GK:

i.
The execution of NMGKA protocol simultaneously for r clusters in levelI.

ii.
The execution of the NMGKA protocol among the r CHs in levelII.

iii.
Symmetric encryption scheme: Symm for distributing the key among the clusters with respect to given CKs.
The opponent \(\mathcal{A}\) performs \({\varvec{q}}_ {\varvec{E}}\) execute queries and accordingly carry out \({\varvec{r}} \cdot {\varvec{q}}_{ {\varvec{E}}}\) executions of NMGKA scheme in levelI and \(1 \cdot {\varvec{q}}_{ {\varvec{E}}}\) executions of NMGKA protocol in levelII respectively. Consequently performs a total of \(( r+ 1 ) {\varvec{q}}_{ {\varvec{E}}} .\)
Now by definition,
Hence we have
\(\mathcal{B}\) simulates every oracle queries of \(\mathcal{A}\) by implementing the unauthenticated static NMCHH protocol all alone. Thusly, \(\mathcal{B}\) can recognize the event of occasion Bad. \(\mathcal{B}\) gives impeccable simulation to \(\mathcal{A}\) so long as the occasion Bad does not happen. If at any point the event Bad happens, \(\mathcal{B}\) prematurely ends and yield a random bit. Something else, \(\mathcal{B}\) outputs whatever bit in the end yield by \(\mathcal{A}\). So \(Prob_{{{\mathcal{A}},NM  CCH}} \left[ {succBad} \right] = \raise.5ex\hbox{$\scriptstyle 1$}\kern.1em/ \kern.15em\lower.25ex\hbox{$\scriptstyle 2$} .\)
Now,
Note that ever call upon its encrypting oracle E. Furthermore, the \(\mathcal{B}\)’s running time is at most t.
As \(Adv_{B,Symm} \le Adv_{Symm} \left( {t,\;0,0} \right),\) by assumption.
when \(t^{\prime} = t + O\left( {\left {P_{m} } \right q_{E} t_{sm} } \right) = t + O\left( {\left( {r + 1} \right)\left {q_{E} t_{sm} } \right.} \right)\;,\) where \(\left {P_{m} } \right\) = maximum amount of clusters in the network = r +1
Hence by Lemma 4.1, we realize the theorem. □
We now present the security of the NMACHH in which the security is depends on that of unauthenticated schemes relied on fact that DSig (signature scheme) is secure.
Theorem 4.3
The authenticated CHH scheme (NMACHH) is secure in opposition to active opponent under Elliptic CurveDecision Diffie Hellman (ECDDH) supposition, accomplishes forward secrecy and outputs the following:
where \(t^{\prime} = t +( \left {\mathcal{P}} \rightq_{E} + q_{S} )t_{ACHH} ,\) with \(t_{ACHH }\) is the time needed for carrying out of NMACHH by each of the party, \(q_{S} \;and\; q_{E}\) are respectively the maximum amount of Send and Execute query an opponent may pose.
Proof
Let \(\mathcal{A}^\prime\) be a opponent ambushing the AP. With this we construct an enemy \(\mathcal{A}\) attacking the UP.
We initially confine the likelihood of the event Forge that \(\mathcal{A}^\prime\) outputs an authentic forge w.r.t publickey pk_{i} for some client \({M_i} \in \mathcal{P}\) before making the question corrupt (M_{i}).
Claim
Let Forge be the incident that a signature of Dsig is forged by \(\mathcal{A}^\prime\) then
Proof
\(\mathcal{A}^\prime\) prepares a signature forger \(\mathcal{F}\) to challenge Dsigscheme. The aim of \(\mathcal{F}\) preparation is that, when a publickey PK is given as input, \(\mathcal{F}\) has permission to a signing oracle using PK, which generates a legitimate forgery (m, σ), i.e., \(\gamma_{PK} \left( {m, \, \sigma } \right)\, = \,1 \ni \sigma\) was not previously output by the signing oracle as a signature over m. The \(\mathcal{F}\) chooses a client \(M_{f} \in\) at random, and sets PK_{ƒ} to the PK. For left over members, \(\mathcal{F}\) legitimately generates key pair (private key, public key) by executing GKA protocol. In addition, \(\mathcal{F}\) carryout the method, necessary for Initiating UP. At this moment \(\mathcal{F}\) carryout \(\mathcal{A}^\prime\) as a subprogram \(\in\) simulated queries from \(\mathcal{A}^\prime\) are as below:

Execute (M)/Reveal \(\left( {\pi_{i}^{s} } \right)\)/Dump \(\left( {\left( {\pi_{i}^{s} } \right)} \right)\)/Test \(\left( {\left( {\pi_{i}^{s} } \right)} \right)\): these questions are answered in an obvious manner.

Send \(\left( {\left( {\pi_{i}^{s} } \right),\;m} \right)\): every private keys of M_{i} are aware to \(\mathcal{F}\) when i ≠ ƒ, then, respond to queries subsequent to the particular protocol specifically. Conversely if i = ƒ, then every \(M^{\prime}_{i}\)’s signing keys are unrecognized by \(\mathcal{F}\) Incidentally, \(\mathcal{F}\) can acquire message signature it needs by accomplishment to signing oracle related to PK.

Corrupt (M_{i}). If i ≠ ƒ, F principally holds \(M^{\prime}_{i}\)’s private keys stands for long period, created itself. On the other hand if \(\mathcal{A}^\prime\) corrupts M_{i}= M_{ƒ}, then, \(\mathcal{F}\) terminates and returns “fail”.
The displayed above simulation is marvelously ill defined from the authentic execution except if enemy \(\mathcal{A}^\prime\) represents the query corrupt (M_{ƒ}). All the way through this simulation, \(\mathcal{F}\) glances each send question from \(\mathcal{A}^\prime,\) and keeps an eye in the unlikely event that it fuses an authentic pair (m, σ) using PK. If no such inquiry is posed till \(\mathcal{A}^\prime\) ends, at that point \(\mathcal{F}\) closures and returns “fail”. Else, \(\mathcal{F}\) generates (m, σ) as real fraud w.r.t PK. Lemma 3 straight forwardly inferred from the manner in which the second case occurs with likelihood pγ[Forge]/n.
Currently we portray the improvement of attacking UP, that utilizes \(\mathcal{A}^\prime\) ambushing AP. \(\mathcal{A}\) uses tlist and keep (session Ids, transcripts) in it. \(\mathcal{A}\) makes (verification keys (pk_{M}), signing keys (sk_{M})) for each customer M ∈ P and check keys are given to \(\mathcal{A}^\prime.\) At the point when the event Forge occurs, \(\mathcal{A}\) rashly closures and outputs an arbitrary bit. Else, outputs a similar bit whatever \(\mathcal{A}^\prime\) outputs. \(\mathcal{A}\) can recognize occasion of the event Forge \(\mathcal{A}^\prime\) in light of the fact that it knows sk_{M} and pk_{M}. The oracle questions of \(\mathcal{A}^\prime\) are imitated by \(\mathcal{A}\) using its inquiries to the Execute Oracle (EO). The motto is to procure a transcript (T) of UP for every single Execute question of \(\mathcal{A}^\prime.\) Besides for every one beginning send question, send_{0} (M, I, *) of \(\mathcal{A}^\prime.\) \(\mathcal{A}\) then fixes legitimate sign with messages in T to secure a transcript (T′) of AP and uses T′ to answer request of \(\mathcal{A}^\prime.\) since by assumption, \(\mathcal{A}^\prime\) can’t forge, \(\mathcal{A}^\prime\) is “compelled” to send out messages viably contained in T′. This system gives a decent simulation. The details are underneath:
Execute queries (EQs’): presume \(\mathcal{A}^\prime\) asks EQ ((M_{i1},d_{1}),…,(M_{ik}, d_{k})) and so that occasions \(\pi_{{M_{1} }}^{{i_{1} }} \ldots \pi_{{M_{k} }}^{{i_{k} }}\) are incorporated.
\(\mathcal{A}\) characterizes \(S = \left\{ {\left( {M_{{i_{1} }} ,\;d_{1} } \right), \ldots ,\left( {M_{{i_{k} }} ,d_{k} } \right)} \right\}\) and send out the EQ to its EO. It outputs a T by implementing UP. It attaches (s, t) to tlist and after that broadens T for the UP into T′ for the AP. It offers T′ to \(\mathcal{A}^\prime.\)
Send queries (SQs’): the prime SQ means, \(\mathcal{A}^\prime\) asks an occasion to commence one more session, indicated by send_{0}. The opponent desires to use SQs’ to commence a session between occasions \(\pi_{{M_{1} }}^{{i_{1} }} \ldots \pi_{{M_{k} }}^{{i_{k} }}\) which are not yet used:
These queries should not in an explicit order. \(\mathcal{A}\) forms \(S = \left\{ {\left( {M_{{i_{1} }} ,d_{1} } \right), \ldots ,\left( {M_{{i_{k} }} ,d_{k} } \right)} \right\}\) when these queries are prepared and sends an EQ to it’s executing oracle. It outputs T and includes (S, T) to tlist.
Assume that signatures can’t be forged, any progressive SQ to an event \(\pi_{M}^{i}\) is a really sorted out messages with a real signature. For each such SQ, \(\mathcal{A}\) checks the question as depicted in the authenticated NMCHHGKA protocol. In the event that the confirmation overruled, \(\mathcal{A}\) sets \(acc_{M}^{i} = 0,\) \(sK_{M}^{i} = NULL\) and ends \(\pi_{M}^{i} .\) Else, \(\mathcal{A}\) plays out the action to be completed by π in the AP. It finishes as under:

Finds an sole entry (S,T) in tlist ∋ (M, i) ∈ S, such a novel entry exits for every one event by assumption. Presently from T, \(\mathcal{A}\) finds best possible messages which is identified with the message transmitted by \(\mathcal{A}^\prime\) to \(\pi_{M}^{i} .\) From T, \(\mathcal{A}\) gets following open information yielded by \(\pi_{M}^{i}\) and offers to \(\mathcal{A}.\)
Reveal/test queries (R Q/T Q): Suppose \(\mathcal{A}^\prime\) asks the RQ (M, i) or TQ (M, i) to an incident \(\pi_{M}^{i}\) for which \({\text{acc}}_{M}^{i} = 1.\). Currently the T’ in which \(\pi_{M}^{i}\) took part has been predefined. Now first finds an sole entry (S,T) in the tlist ∋ (M, i) ∈ S. Imagine that, forge doesn’t occur, T is sole unauthenticated transcript which is related to T′. Now asks proper RQ or TQ to any occasion incorporated in T and hand over a proportional payback to \(\mathcal{A}^\prime\) is just right. When Forge occurs, opponent \(\mathcal{A}\) terminates and outputs an arbitrary bit.
\(\mathcal{A}\) asks an EQ in line with each EQ of \(\mathcal{A}^\prime.\) Similarly poses an EQ in all sessions underway by \(\mathcal{A}^\prime.\) Because, session consist of at least two instances, such as EQ is processed after at least two SQs’ of \(\mathcal{A}^\prime.\) The max. no of such queries are q_{s}/2, where q_{s} is amount of queries posed by \(\mathcal{A}^\prime.\) The maximum amount of EQs executed by \(\mathcal{A}\) is q_{e} + q_{s}/2, where q_{e} is the amount of EQs’ executed by \(\mathcal{A}^\prime.\)
Already we have \(Adv_{NM  ACHH}^{AKA} \left( {t,\;q_{E} , q_{S} } \right) \le Adv_{NM  CHH}^{KA} \left( {t^{\prime},\;q_{E} + \frac{{q_{S} }}{2}} \right)\) by supposition,
The statement of the theorem is yielded. □
We currently present the security of dynamic authenticated protocol (DAP): (NMDACHH). Expecting that, DSig is secure, we can change over any enemy assaulting convention DAP into a opponent assaulting convention UP. We disregard Corrupt queries since our convention DAP does not utilize any longtime secret keys. Along these lines convention DAP obviously accomplishes forward secrecy.
Theorem 4.4
The dynamic authenticated CHH scheme (NMDACHH) depicted in “ Proposed protocol " section fulfils the following:
where \(t^{\prime}\, = \,{\text{t}}\, +( \left {\mathcal{P}} \rightq_{E} + q_{J} + q_{l} + q_{S} ) t_{DACHH} ,\) with \(t_{AHP}\) is the time needed for carrying out of DACHH by each of the party \(q_{E} , \;q_{S } q_{J,} q_{L}\) are in that order the maximum amount of Execute, Send, Join and Leave queries an opponent may pose.
Proof
Let \(\mathcal{A}^\prime\) be an opponent who tries to attack DAP. By means of this we build an opponent \(\mathcal{A}\) who assaults UP. As in the preceding proof, we had the following claim.
Claim
Let Forge be the incident, that \(\mathcal{A}^\prime\) forged the signature, then
At the moment we present the creation of the passive opponent \(\mathcal{A}\) assaulting UP that utilizes opponent \(\mathcal{A}^\prime\) assaulting DAP. Opponent \(\mathcal{A}\) can implement the UP numerous times, among every subset of Ƥ and can acquire session key of scheme implementation by producing a RQ to any occurrence concerned in session. Now we demonstrate that \(\mathcal{A}\) simulates itself Leave and Join questions of \(\mathcal{A}^\prime\) utilizing its own Reveal Oracles (ROs) and EOs. Opponent \(\mathcal{A}^\prime\) keeps up a Tlist to store sets of session IDs and transcripts. It likewise utilizes two records Llist and Jlist to be determined in future.
Opponent \(\mathcal{A}\) creates signing/confirmation key pair (pkU, skU) for every client U ∈ Ƥ and gives confirmation keys to \(\mathcal{A}^\prime.\) If at any time the occasion Forge happens, opponent \(\mathcal{A}\) prematurely ends and outputs an arbitrary bit. Else, \(\mathcal{A}\) outputs no matter what bit is in the long run yield by \(\mathcal{A}^\prime.\) Since the signing and confirmation keys, it can identify event of occasion Forge. \(\mathcal{A}\) reproduces the oracle inquiries of \(\mathcal{A}^\prime\) utilizing its own questions to the ROs and EOs. We present particulars below.
EQs’: these queries are replicated in Theorem 4.2 proof.
SQs’: separately from regular SQ, two special send queries, Send_{L} and Send_{J} are there.
Let, set S_{1} = {(M_{ik+1}, d_{k+1}),…,(M_{ik+l}, d_{k+l})} of occurrences, needs to join gathering S = {(M_{i1}, d_{1}),…,(M_{ik}, d_{k})}, at that point \(\mathcal{A}^\prime\) will create Send_{J} (M_{ij}, d_{j}, ‹M_{i1},…, M_{ik}›) query for every j, k +1≤ j ≤ k + l. These queries commence Join (S, S_{1}) query. The occurrence in S might have previously implemented either (a) UP or (b) leave protocol or (c) join protocol. As a result, first \(\mathcal{A}\) finds any of the subsequent form of a sole entry: (1) (S, T) in Tlist or (2) (S′, S″, T) in Jlist with S = S′ ∪ S″ or (3) (S′, S″, T) in Llist with S = S′\S″. If no such entry, makes an EQ to its personal EO on S, obtains a transcript T and keeps (S, T) in Tlist.
Whenever (S, T) ∈ Tlist, \(\mathcal{A}\) fundamentally issues RQ to an event in S so as to accomplish the session key sk identified with T, calculates seed x = H(sk) and plan the calculation for Join by questioning its EO (rolling out fitting improvements). At that point include signature in every message, acquires T′ and stores (S, S1, T′) in Jlist. In this manner reproduces the transcript T′ of Join utilizing self RO and EO. In the rest of the cases (2) and (3), produces T by and by thus \(\mathcal{A}\) can simulate T’ of Join from T.
Likewise, when an unused instances of S_{2}={(M_{l1}, d_{l1}),…,(M_{lm}, d_{lm})} desires to leave S ={(M_{i1}, d_{1}),…,(M_{ik}, d_{k})}, then, \(\mathcal{A}^\prime\) will Send_{L} (M_{ij}, d_{j},(M_{i1},…, M_{ik})) inquiry for every j, j ∈ {l_{1},…, l_{m}}. These inquires commences Leave(S, S_{2}) query. As stated in join member, first traces an entry (S, T) in Tlist or an entry (S′, S″, T) in Jlist with S = S′ U S″ or an entry (S′, S″, T) in Llist with S = S′\S″. If entry is missing, then \(\mathcal{A}\) set up an inquiry to its personal EO on S, obtain T and adds (S, T) to Tlist.
\(\mathcal{A}\) simulates protocol for Leave without anyone else’s input and gets an altered T ′ from T as pursues: \(\mathcal{A}\) distinguishes the situations in T where the new messages are to be infused or the old messages are to be supplanted by new. \(\mathcal{A}\) do these alterations in T as indicated by protocol for leave depicted in Fig. 5 and gets an adjusted T′ by fixing up fitting signature with each message. In this way \(\mathcal{A}\) extends T into a T′ for Leave protocol. \(\mathcal{A}\) stores (S, S2, T′) in Llist.
\({\text{Send}}_{0}\) questions are replied as in Theorem 4.3. The typical send questions are prepared as in Theorem 4.3 with the accompanying changes.
Assume \(\mathcal{A}^\prime\) formulates a SQ to occurrence \(\prod_{M}^{i}\). After appropriate check, discovers an entry (S, T) ∈ Tlist, such that (M, i) ∈ S. The response to this inquiry is as in Theorem 4.3. If no such entry is found, then discovers a sole entry (S, S_{1}, T′) in Jlist such that (M, i) ∈ S_{1}.
This implies the session for Join has just been started. At that point acquires the next public information for T′ to be yield by \(\prod_{M}^{i}\) (given all essential data has been achieved by \(\varPi_{M}^{i}\) by SQs from \(\mathcal{A}^\prime\)) and forwards it to \(\mathcal{A}^\prime.\) If discovers an sole entry (S, S_{2}, T′) in Llist such that (M, i) ∈ S_{2}, then as above, the proper response to the question is found from T′.
Join queries (JQs): assume \(\mathcal{A}^\prime\) sends a JQ (S, S_{1}) where S = {(M_{i1}, d_{1}),…,(M_{ik}, d_{k})} and S = {(M_{ik+1}, d_{k+1}),…,(M_{ik+l}, d_{k+l}). The occurrences \(\varPi_{{M_{{i_{k + 1} }} }}^{{d_{k + 1} }} , . . . ,\varPi_{{M_{{i_{k + l} }} }}^{{d_{k + l} }}\) desire to join the group \(\varPi_{{M_{{i_{1} }} }}^{{d_{1} }} , . . . ,\varPi_{{M_{{i_{k} }} }}^{{d_{k} }} .\) \(\mathcal{A}\) discovers an entry of the form (S, S_{1}, T′) in Jlist. If no such entry, then the opponent \(\mathcal{A}^\prime\) doesn’t give any output. Else, \(\mathcal{A}\) returns T′ to \(\mathcal{A}^\prime\)
Leave queries (LQs): Assume \(\mathcal{A}^\prime\) sends a LQ(S, S_{2}) where S ={(M_{i1}, d_{1}),…,(M_{ik},, d_{k})} and S_{2}={(M_{l1}, d_{l1}),…,(M_{lm}, d_{lm})} where (M_{lj}, d_{lj}) ∈ S for 1≤ j ≤ m. The occurrences \(\varPi_{{M_{{l_{1} }} }}^{{d_{l1} }} , . . . ,\varPi_{{M_{{l_{m} }} }}^{{d_{{l_{m} }} }}\) desires to leave the group \(\varPi_{{M_{{i_{1} }} }}^{{d_{1} }} , \ldots ,\varPi_{{M_{{i_{k} }} }}^{{d_{{i_{k} }} }}\) where \(M_{{i_{j} }} \in \left\{ {M_{{i_{1} }} , \ldots ,M_{{i_{k} }} } \right\}\) for 1 ≤ j ≤ m. \(\mathcal{A}^\prime\) discovered an entry of the form (S, S_{2}, T′) in Llist. If no such entry, then the opponent \(\mathcal{A}^\prime\) is doesn’t give any output. Else, \(\mathcal{A}\) returns T′ to \(\mathcal{A}^\prime.\)
Reveal/Test (R/T) queries: assume \(\mathcal{A}^\prime\) sends the RQ(M, i) or TQ(M, i) for an occurrence \(\varPi_{M}^{i}\) for which \(acc_{M}^{i} = \, 1.\). At this moment the transcript T′ in which Π \(_{M}^{i}\) take part has been predefined. If T′ related to the transcript of the AP then \(\mathcal{A}^\prime\) discovers the sole pair (S, T) in Tlist such that (M, i) ∈ S. Supposing that the occasion Forge does not occur, T is the sole unauthenticated transcript which relates to the transcript T′. Then sends the suitable RQ or TQ to one of the occasions concerned in T and returns the result to \(\mathcal{A}^\prime.\) Else, T′ is the transcript for Join or Leave, as the case may be. Because T′ has been simulated by \(\mathcal{A}\), is capable to calculate the updated session key and hence send an appropriate reply to \(\mathcal{A}^\prime.\)
Providing Forge doesn’t occur, the above simulation for \(\mathcal{A}^\prime\) is perfect. At the time Forge occurs, opponent \(\mathcal{A}\) terminates and outputs a arbitrary bit.
So \(Prob_{{{\mathcal{A}^{\prime}},AP}} \left[ {SuccForge} \right]\, = \,\frac{1}{2}.\) By means of this, one can prove
The opponent \(\mathcal{A}\) sends an EQ for every EQ of \(\mathcal{A}^\prime\). \(\mathcal{A}^\prime\) poses q_{J}, JQs and q_{L}, LQs. These inquiries are commenced respectively by Send_{J} and Send_{L} inquires of \(\mathcal{A}^\prime\). Currently every Send_{J} and Send_{L} inquiry of \(\mathcal{A}^\prime\) poses at most one EQ of. Consequently there are at most q_{J}+ q_{L} EQs posed by \(\mathcal{A}\) to reply all the Send_{J} and Send_{L} inquiries of \(\mathcal{A}^\prime\). Also \(\mathcal{A}\) poses an EQ for every session commenced by \(\mathcal{A}^\prime\) by means of SQs. Because a session engages at least two occurrences, such an EQ is prepared after at least two SQs of \(\mathcal{A}^\prime\). Consequently there are (q_{S} − q_{J} − q_{L})/2 EQs of \(\mathcal{A}\) to react to all other SQs of \(\mathcal{A}^\prime,\) where q_{S} is the amount of SQs prepared by \(\mathcal{A}^\prime.\) Consequently the total amount of EQs posed by is at most q_{E} + q_{J} + q_{L} +(q_{S} − q_{J} − q_{L})/2 = q_{E} + (q_{J} + q_{L} + q_{S})/2, where q_{E} is the amount of EQs posed by \(\mathcal{A}^\prime.\) Furthermore since \(Adv_{A,UP} \left( {t^{\prime},\;q_{E} ,\;q_{J} ,\;q_{L} ,\;q_{S} } \right) \le Adv_{UP}^{KA} \left( {t^{\prime},\;q_{E} + q_{J/2} + q_{L/2} + q_{S/2} } \right)\) by assumption, we obtain:
This implies the statement of the theorem. □
Comparative analysis
Here the proposed ECDHbased NMclusteringbased hybrid hierarchical group key agreement (NMCHHGKA) protocol has been compared with prevalent clustering based GKA protocols such as HKAP [25], GKACH [21], PBGKAHGM [31], AP1/AP2 [33], ACEKA [26], ADTGKA [20], ACBGKA [18], ECDHSKDM [43] and NMsetup [16] with regard to various characteristics such as pre required GKA protocol used, structure and limitations are in Table 2. Further we compare the proposed one with them in terms of communication and computational complexities in Table 3.
Here Let the amount of nodes be “n” and choose \(l\, = \left\lceil {\surd n} \right\rceil \,\) be the amount of clusters members such that l ≪ r and the amount of clusters \(r\, = \,\left\lceil {n/l} \right\rceil\)
From Table 3, it follows that the proposed protocol is optimal with reference to communication and computation expenses, facilitating the equal level of security with fewer key sizes. Further the proposed protocol is shown to be optimal for secure GKA over resource constrained networks like WSN and Mobile Ad hoc Networks (MANETS) and among ECDLP/DLPbased protocols confer in this paper.
With the end goal to acquire a improved guess for the energy cost of computation and communication for the scheme presented in this paper, we ascertained its energy utilization for a particular sensor. Particularly, we pick a sensor network involved by Tmote Sky gadgets by Texas Instruments with a most extreme 100 kbps data rate. As per [47] a sensor hub relied on the 133 MHz Strong ARM chip devours 8.8 mJ for a scalar multiplication and 47.0 mJ for a paring. Concerning the cost of communication, a 100 kbps radio handset module devours 10.8 μJ and 7.51 μJ for the communication gathering of one bit of information in that order.
For GKA scheme we utilize its ECanalog and in this manner suppose that the traded messages has the size of an ECpoint. In the event that we utilize a 160bit EC, the extent of its points (x, y) will be 320 bits. We would then be able to figure the expense for the reception and transmission by multiplying energy cost with its size in bits for the reception and transmission of a single bit. Table 4 outlines a scalar multiplication’s energy costs, a pairing calculation and a reception and transmission of a message utilizing the specific gadget (Tmote Sky) and radio handset module of speed the 100 kbps.
From Table 3 the total amount of Sequential Scalar Multiplications and Messages if we use NMGKA [16] protocol among all the nodes in the system are \(2\left( {l \cdot r} \right),\) \(2(l \cdot r  2)\) which may not be feasible for large WANETs. Consequently, we plan to use the same for each of the “r” cluster of “l” nodes each in parallel in levelI and then for all the “r” CHs in levelII hierarchically to establish the GK so the proposed protocol uses total amount of Sequential Scalar Multiplications and Messages \(2\left( {l + r} \right)\), \(2(l + r  2\)) only.
Computational complexities using graphs
Figures 6, 7 and 8 indicates comparison on computational energy cost of proposed NMCHHGKA protocol with reference to number of nodes for establishing GK and shown that the proposed one is the optimal when compared to the other protocols. So the proposed NMCHHGKA works with lower computational cost and better efficiency when compared to existing protocols. So It is suitable for recourse constrained networks such as WANETS.
Communication complexities using graphs
Figures 9, 10 and 11 indicates comparison on communication energy cost of proposed NMCHHGKA protocol with reference to number of nodes for establishing GK and shown that the proposed one is the optimal when compared to the other protocols. So the proposed NMCHHGKA works with relatively low communication overheads and greater competence when compared to existing protocols. So It is fitting for recourse embarrassed networks such as WANETS.
Experimental results
For Experimentation Linux environment was used running on a system with configuration 2.4 GHz Celeron(R) CPU with 512 MB of memory. A NS2 simulator was used to establish a hierarchical arrangement of nodes in tree topology format. A Crypt++ Library 5.2.1 was utilized to implement NMCHHGKA scheme, different libraries were used to develop algorithms for the key sharing, encryption and decryption algorithm. NS2 libraries were used to establish the TCP connection and communication among the nodes to share the packets (max 1000 bytes), to support multicasting or unicasting in the derivation of key as well as data sharing.
For each examination, we ran the protocol for 10 times and calculate the average computation times for different operations such as levelI group formulation, levelII group formulation, Computation of K_{i,j} values, Computation of L_{i} values, Computation of individual CKs SKi/CK_{i} computation, and GK with the following tabulated NS2 parameters in Table 5.
Experimental results for computational times
Let the quantity of members be “n” and choose \(l\, = \,\left\lceil {\surd n} \right\rceil\) number of cluster members such that l < r and \({\text{r}}\, = \,\left\lceil {n/l} \right\rceil .\) We presented the experimental results for computational time with respect to amount of nodes, quantity of clusters; quantity of members in a cluster are tabulated in detail in Table 6. Further we present the experimental comparative analysis between NMSetup and NMCHH Setup in Table 7.
The experimental results through graphs
Various scenarios of experimental results of NMCHHGKA scheme are presented in Figs. 12, 13, 14 and 15. Further we presented comparison of computation time between NM and NMCHH in Fig. 16.
Figure 12 indicates comparison between setup time for GKA in levelI and levelII. We can observe that setup time in both levels NMCHHGKA are mostly same because we are using same NM.Setup in both levels.
Figure 13 indicates comparison between computation time of member and cluster head in levelI. We can observe that the computation load on cluster head is relatively higher than individual members in levelI of NMCHHGKA.
Figure 14 indicates comparison between Computation time of cluster head as a Member and Group Head in levelII. We can observe that the computation load on Group Head is relatively higher than individual cluster head in NMCHHGKA.
Figure 15 indicates comparison of computation time among individual Member, Cluster Head, Group Head in Entire GK Generation. We can observe that the computation load on Group Head is relatively higher than individual cluster head which is relatively higher than individual members in NMCHHGKA.
Figure 16 indicates comparison of computation time between NM.Setup and NMCHHGKA. We can observe that the computational load on NMCHHGKA is highly reduced relative to NM.Setup by splitting large group into a certain number of clusters.
The findings in “Computational complexities using graphs”, “Communication complexities using graphs” and “Experimental results” sections are the complexities of NMCHHGKA in the context of computation, communication and experimental results respectively when compared to existing protocols. From these sections we can conclude that our protocol is optimal with respect to all the three dimensions. So NMCHHGKA is suitable for recourse constrained networks such as WANETS.
Conclusion and future scope
In this paper a new scalable NMCHH GKA protocol was proposed based on parallel computing for large dynamic groups with less computational capabilities. Novel architectural design of our protocol provides flexibility and reduces cryptographic workload. The two level NMCHHGKA scheme allows on hand NMGKA scheme to implement at cluster level to achieve scalability and robustness without sacrificing efficiency. The advantage of hierarchical management includes freeing the group controller looking after several members, enhancing security, improving scalability together with all cluster requiring minimal space for dealing with protocol. As a key management technique, proposed protocol uses clusterbased hybrid hierarchical scheme reducing rekeying workload of the networks while limiting the failure to local cluster without affecting other clusters. Comparative analysis showed that proposed protocol provides better performance in view of both communication and computation expenses. Further we established a formal security model for the proposed NMCHHGKA under cryptographic assumptions.
Security of CHHGKA in WANETs is inadequate in the presence of node misbehaviour and internal attacks. It is because an opponent may start security attacks with the security keys obtained from compromised nodes. To isolate misbehaving node from legitimate data transmission as a future scope we plan to integrate trust enhanced module using Fuzzy Trust Based rules to NMCHH GKA to develop a trust enhanced secure clustering framework for WANETs.
Data availability statement for the data used in this manuscript
The Experimental data used to support the findings of this study are available from the corresponding author upon request, with this readers can access the data supporting the conclusions of the study.
References
 1.
EBashary M, Abdelhafez A, Anis W (2015) A comparative study of group key management in MANET. Int J Eng Res Appl 5(8):85–94
 2.
Boneh D, Franklin M (2001) Identitybased encryption from weil pairing. In: Proceedings of crypto 2001, LNCS, vol 2139. SpringerVerlag, Berlin, pp 213–229
 3.
Burmester M, Desmedt Y (2005) A secure and scalable group key exchange system. Inf Process Lett 94(3):137–143
 4.
Manulis M. Securityfocused survey on group key exchange protocols. http://eprint.iacr.org/2006/395
 5.
Scott M, Costigan N, Abdulwahab W. Implementing cryptographic pairings on smart cards. http://www.iacr.org/2006/144
 6.
Barreto PSLM, Kim HY, Scott M (2002) Efficient algorithms for pairing based cryptosystems. In: Proceedings of crypto 2002, LNCS, vol 42. SpringerVerlag, Berlin, pp 354–368
 7.
Dutta R, Barua R (2008) Provably secure constant round contributory group key agreement in dynamic setting. IEEE Trans Inf Theory 54(5):2007–2025
 8.
Dutta R, Barua R (2005) Constant round dynamic group key agreement. In: Proceedings of ISC 2005, LNCS, vol 3650, SpringerVerlag, Berlin. pp 74–88
 9.
Dutta R, Barua R. Overview of key agreement protocols. http://eprint.iacr.org/2005/289
 10.
Dutta R, Barua R, Sarkar P (2004) Provably secure authenticated tree based group key agreement. In: Proceedings of ICICS’04, LNCS, vol 3269. SpringerVerlag, Berlin, pp 92–104
 11.
Kim Y, Perrig A, Tsudik G (2004) Treebased group key agreement. ACM Trans Inf Syst Secur 7(1):60–96
 12.
Kleinrock L, Kamoun F (1977) Hierarchical routing for large networks; performance evaluation and optimization. Comput Netw 1(3):155–174
 13.
Basagni S (1999) Distributed clustering for ad hoc networks. In: Proceedings of the international symposium on parallel architectures, algorithms, and networks (ISPAN), IEEE, Perth, Australia, pp 310–315
 14.
Steenstrup M (2001) Clusterbased networks. C.E. Perkins, Addison Wesley, Boston, pp 75–138
 15.
Szczechowiak P, Oliveira L, Scott M, Collier M, Dahab R (2008) NanoECC: testing the limits of elliptic curve cryptography in sensor networks. In: 5th European conference on wireless sensor networks—EWSN 2008, lecture notes in computer science, vol 4913. SpringerVerlag, Berlin, pp 305–320
 16.
Naresh VS, Murthy NV (2015) Provably secure group key agreement protocol based on ECDH with integrate signature. Secur Commun Netw 9(10):1085–1102
 17.
Bemmoussat C, Didi F, Feham M (2013) Cluster based routing protocol in wireless mesh network. In: International conference on computer applications technology (ICCAT), Jan 2013, pp 1–6
 18.
BeldingRoyer EM (2002) Hierarchical routing in ad hoc mobile networks. Wirel Commun Mob Comput 2(5):515–532
 19.
Virtanen SE, Nikander P (2004) Local clustering for hierarchical ad hoc networks. In: Proceedings of WiOpt: modeling and optimization in mobile, ad hoc and wireless networks, pp 404–405
 20.
AbdelHafez A, Miri A, OronzoBarbosa L (2007) Authenticated group key agreement protocols for ad hoc wireless networks. Int J Netw Secur 4(1):90–98
 21.
Teo JCM, Tan CH (2005) Energyefficient and scalable group key agreement for large ad hoc networks. In: Proceedings of the 2nd ACM international workshop on performance evaluation of wireless ad hoc, sensor, and ubiquitous networks, pp 114–121
 22.
Galbraith S, Harrison K, Soldera D (2002) Implementing the Tate pairing. In: Proceedings of algorithm number theory symposium—ANTS V, LNCS, vol 2369. SpringerVerlag, Berlin, pp 324–337
 23.
Klaoudatou E, Konstantinou E, Kambourakis G, Gritzalis S (2011) A survey on clusterbased group key agreement protocols for WSNs. IEEE Commun Surv Tutor 13(3):429–442
 24.
Klaoudatou E, Konstantinou E, Kambourakis G, Gritzalis S (2008) Clustering oriented architectures in medical sensor environments. In: International workshop on security and privacy in ehealth, Barcelona, March 2008. IEEE CS Press, pp 929–934
 25.
Yao G, Ren K, Bao F, Deng RH, Feng D (2003) Making the key agreement protocol in mobile ad hoc network more efficient. In: 1st international conference on applied cryptography and network security—ACNS 2003, lecture notes in computer science, vol 2846. SpringerVerlag, Berlin, pp 343–356
 26.
Shi H, He M, Qin Z (2006) Authenticated and communication efficient group key agreement for clustered ad hoc networks. In: 5th international conference on cryptology and network security—CANS 2006, lecture notes in computer science, vol 4301, SpringerVerlag, Berlin, pp 73–89
 27.
Gomathi K, Parvathavarthini B, Saravanakumar C (2017) An efficient secure group communication in MANET using fuzzy trust based clustering and hierarchical distributed group key management. Wirel Pers Commun 94(4):2149–2162
 28.
Hietalahti M (2008) A clusteringbased group key agreement protocol for ad hoc networks. Electron Notes Theor Comput Sci 192:43–53
 29.
Li X, Wang Y, Frieder O (2002) Efficient hybrid key agreement protocol for wireless ad hoc networks. In: Proceedings of IEEE international conference on computer communications and networks, pp 404–409
 30.
AbdelHafez A, Miri A, OronzoBarbosa L (2006) Scalable and faulttolerant key agreement protocol for dynamic groups. Int J Netw Manag 16(3):185–201
 31.
Teo JC, Tan CH (2007) Denialofservice resilience passwordbased group key agreement for wireless networks. In: Proceedings of the 3rd ACM workshop on QoS and security for wireless and mobile networks (Chania, Crete Island, Greece), October 22. ACM, New York, pp 136–143
 32.
Hussain K, Abdullah AH, Iqbal S, Awan K, Ahsan F (2013) Efficient cluster head selection algorithm for manet. J Comput Netw Commun 2013(7):1–7
 33.
Dutta R, Dowling T (2009) Secure and efficient group key agreements for cluster based network. In: Transactions on computational science IV: special issue on security in computing, lecture notes in computer science, vol 5430. SpringerVerlag, Berlin, pp 87–116
 34.
Diffie W, Hellman M (1976) New directions in cryptography. IEEE Trans Inf Theory 22:644–654
 35.
Joux A (2000) A one round protocol for tripartite Diffie–Hellman. In: Algorithmic number theory symposium—ANTS IV, LNCS, vol 1838. SpringerVerlag, Berlin, pp 385–394
 36.
Steiner M, Tsudik G, Waidner M (1996) Diffie–Hellman key distribution extended to group communication. In: Proceedings of the 3rd ACM conference on computer and communications security. ACM Press, New York, pp 31–37
 37.
Barua R, Dutta R, Sarkar P (2003) Extending Joux’s protocol to multi party key agreement. In: Progress in cryptology—INDOCRYPT 2003, lecture notes in computer science, vol 2904. pp 205–217
 38.
Naresh VS, Murthy NV (2015) A new tworound dynamic authenticated contributory group key agreement protocol using elliptic curve Diffie–Hellman with privacy preserving public key infrastructure. Sadhana 40:2143–2161
 39.
Chen Y, Zhao M, Zheng S, Wang Z (2006) An efficient and secure group key agreement using in the group communication of mobile ad hoc networks. In: International conference on computational intelligence and security, IEEE Press, pp 1136–1142
 40.
Ayman ELS (2014) A new hierarchical group key management based on clustering scheme for mobile ad hoc networks. IJACSA 5(4):208–219
 41.
Krishna P, Vaidya NH, Chatterjee M, Pradhan DK (1997) A clusterbased approach for routing in dynamic networks. In: ACM SIGCOMM computer communication review, pp 49–65
 42.
Dutta R, Dowling T (2011) Provably secure hybrid key agreement protocols in clusterbased wireless ad hoc networks. Ad Hoc Netw 9(5):767–787
 43.
Niu Q (2014) ECDHbased scalable distributed key management scheme for secure group communication. J Comput 9(1):153–160
 44.
Balasubramanian A, Mishra S, Sridhar R (2005) Analysis of a hybrid key management solution for ad hoc networks. In: IEEE wireless communications and networking conference. IEEE Press, New York, pp 2082–2087
 45.
Katz J, Yung M (2003) Scalable protocols for authenticated group key exchange. In: Advances in cryptology—CRYPTO 2003, lecture notes in computer science, vol 2729. SpringerVerlag, Berlin, pp 110–125
 46.
Bresson E, Chevassut O, Pointcheval D (2002) A dynamic group Diffie–Hellman key exchange under standard assumptions. In: Proceedings of Eurocrypt 2002, LNCS, lecture notes in computer science, vol 2332. pp 321–336
 47.
Tan CH, Teo JCM (2006) Energyefficient IDbased group key agreement protocols for wireless networks. In: 2nd international workshop on security in systems and networks—SSN 2006, IEEE Press, New York
Acknowledgements
I would like to thank my parents, family members and Management of Sri Vasavi Engineering College, Tadepalligudem who encouraged and supported me to do this work. Further I am very much thankful to reviewers and Journal Authorities.
Funding
Not currently in receipt of any research funding for this paper.
Author information
Affiliations
Contributions
The first author VSN conceived of the presented idea and developed the theory and performed the computations. The second author verified the analytical methods and security analysis. The first author VSN encouraged the third author to implement and supervised the findings of this work. All authors discussed the results and contributed to the final manuscript. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Naresh, V.S., Reddi, S. & Murthy, N.V.E.S. A provably secure clusterbased hybrid hierarchical group key agreement for large wireless ad hoc networks. Hum. Cent. Comput. Inf. Sci. 9, 26 (2019). https://doi.org/10.1186/s1367301901865
Received:
Accepted:
Published:
Keywords
 Secure Group Communication
 Elliptic curve Diffie–Hellman (ECDH)
 Hierarchical
 Clustering
 Hybrid
 Group key agreement
 Wireless ad hoc networks