Skip to main content

A provably secure cluster-based hybrid hierarchical group key agreement for large wireless ad hoc networks


Group key agreement protocol permits a set of users to create a common key to make sure security of information exchange among members of the group. It is extensively used in secure multiparty computation, resource security sharing, and distributed collaborative computing etc. For large wireless ad-hoc network, there is no authentication center, the computing power and communication distance of terminals are constrained, and nodes frequently join and exit the network. For these reasons, Group Key Management for securing multicast communications in an energy-constrained large wireless ad-hoc network environment is still remains a critical and challenging issue. In this direction, we propose a cluster-based hybrid hierarchical-group key agreement (CHH-GKA) framework to provide a scalable solution for Secure Group Communication (SGC) in large wireless ad hoc networks (WANETs). This technique is based on splitting a large group into a certain number of clusters in which the last member of each of the clusters is designated as a cluster head (CH) and the last member of the group is designated as the group controller (GC). First we apply on hand Naresh–Murthy-group key agreement (NM-GKA) protocol locally in every cluster in parallel in level-I to generate CKs and then in level-II, the CHs’ use these CKs and implement NM-GKA protocol again among them to form the complete group key. Finally each CH distributes the group key to all its members through their respective CK encrypted links. In this process, first we survey several cluster-based hierarchical GKA protocols and compare the proposed one with them and show that it provides optimal performance with regard to computation and communication expenses. Further, it also handles dynamic events and is provably secure in formal security model under the cryptographic suppositions.


WANETS provide whenever–wherever networking amenities for communication establishment through the public wireless medium. In this environment, Secure-GKA and proficient group key management are known to be complicated tasks with respect to both computational and algorithmic points of view because of resource constraints in WANET [1]. There is an extensive range of applications for WANET which includes emergency medical services deployed in various environments which can considerably improve the quality of medical care; military applications, rescue missions, collaborative commercial applications; law enforcement etc. Security is the decisive factor for designing an efficient Wireless Sensor Network (WSN) protocol. Consequently, secure GKA protocols have gained extensive attention. We presented considerable number of GKA schemes in the literature [2,3,4,5,6,7,8,9,10,11]. However, traditional GKA protocols are not appropriate for ad hoc networks. The principal challenge here is provision of secure authenticated communication which comes from their distinctive features which include (i) need for a fixed trustworthy Public Key Infrastructure (PKI); (ii) need to support dynamic network topology as a result of high mobility like joining/leaving; (iii) nodes with less amount of storage, computation and communication power; (iv) be deficient in pre-disseminated symmetric keys among the peers; (v) higher level of self-network arrangement; (vi) susceptible multi-hop wireless connections, etc.

In large WANETs, establishment of group key [1] is a tricky job due to its dynamism. A usual solution suggested to address this issue is to split up the large network into a certain number of constituent network clusters [12]. Categorization of the clustering algorithms can be done by the type of clusters they are forming. Several clustering algorithms pick special nodes as CHs, responsible for cluster creation and afterward-maintenance of the cluster [13], at times routing also. The CHs are not always mandatory. A few protocols used in clustering algorithms do not use them at all. Instead, they prefer gateways to communicate messages from one cluster to another. A gateway generally fits to more than one cluster if there is an overlap in the clusters. In depth description relating to some of these clustering algorithms can be found, for example, in [14].

The implementation of GKA and key management are easier within the cluster in contrast to the complete ad hoc network. Since the clusters have further stable internal links because of the huge quantity of connections among peers within the similar cluster. Further, inter-cluster GKA is meaningful as clusters are put on to stick jointly more than the hops do on average for WANETs. Clustering may thus fetch the essential scalability and failure in one cluster does not affect the whole group for establishing the group key in large networks. Thus clustering was adopted in the proposed work.

A public key cryptography is used in majority of distributed GKA protocols because there are no alternative approaches available for distributing a common key through a public channel. The Public Key Computations (PKC) methods, as well as D-H’s exponentiation are both costly and very difficult for WANET. While distributing extra common keys to nodes that have embarrassed capabilities or bandwidth of storage and computation. The management techniques for computational overheads must be considered into account. As ECDH is lightweight and efficient when compared to regular DH, the ECC-base [15] is used to secure dynamic authenticated GKAs: Consequently, in this paper an ECC-based NM-GKA [16] is used as a pre-requisite for the proposed protocol.

In hierarchical framework, a network is formulated from a nested grouping (clustering) of nodes, connected in the form of a tree structure. Hierarchical frameworks are often utilized in routing as in [12, 17, 18], where best clustering frameworks are derived so as to minimize routing table’s size. Numerous protocols require the information of the entire topology of network, whereas others carry out the computations with the knowledge of the nearby nodes and their likely cluster-memberships [13, 19]. After having a thorough study of these existing hierarchical and cluster-based protocols, we derived some notable merits which include (i) a hierarchical structure is adopted to handle the dynamic events efficiently, (ii) a hybrid encryption is employed as this approach can reduce the computation overhead, and therefore, it is quite suitable for WSN. Some common drawbacks in the existing hierarchical protocols which include (i) the clustering method is not easy to handle certain member events, such as a CH node leaving the network. More precisely, it is rather costly to use the cluster method to deal with the situation that several CH nodes leave the network at the same time. (ii) Distinct complex algorithms should be carefully designed for handling different kinds of dynamic events. On the other hand, as it was stated in [20, 21], when every cluster are having the same amount of nodes and sizes, the hierarchical framework becomes fully balanced and also achieves the best performance. Besides, the authors of [21] asserted that the competence of the entire scheme is enriched if the amount of levels is little (let it be 3). In this work, a fully balanced hierarchical framework of level 2 was adopted with all the clusters with equal size except for one.

The proposed work has adopted hybrid based symmetric encryption where it combines the key distribution and key agreement. A digital signature scheme as in [16] can be used to authenticate our protocols. In view of the MANET’s (Mobile Adhoc Network) dynamic, the proposed protocols adeptly address the dynamic events. It is designed exclusive of utilizing calculation-exhaustive pairings [22] and is extremely efficient relative to the existing hybrid cluster-based GKA protocols [20, 23,24,25,26,27,28,29].

In contrast, usage and implementation of NM-GKA [16] protocol among all the nodes in the system may not be feasible for large WANETs. Consequently, we plan to use the same for each cluster and then for all the CHs in two levels hierarchically.

Notice that this paper assumes that the cluster structure has already been established (includes the amount of levels in the cluster hierarchy, formation of clusters [20, 21, 25, 26, 30,31,32,33] and the selection of CHs) and thus does not consider overhead computation during the cluster-setup phase.

Related work

Two-party DH-key agreement [34] is the origin for enormous amount of consequent GKA schemes. The majority of distributed/contributory-GKA protocols rely on generalizations of 2-party DH or its extensions [3, 7, 16, 35,36,37,38,39]. Key management in distributed/contributory-GKA are less difficult to deal with in each subgroup/cluster compared to the whole ad hoc network. So most recent works [18, 20, 21, 25, 26, 30, 31, 35, 39, 40,41,42] adopted subgroup/cluster based approach, in which the whole group is divided into clusters. Distinct controllers are utilized to control every cluster which minimizes the issue of imposing the work on a single point.

The majority of CK-GKAs’ [18, 20, 21, 25, 26, 30, 31, 35, 39, 40,41,42] presume a hierarchical framework of the clusters or hierarchical structure, then execute a natural key agreement schemes such as, D-H [34] or the Burmester and Desmedt (BD) [3] GKA scheme, or a variety GKA schemes [3, 7, 16, 35,36,37,38,39] is at first implemented locally in each cluster, after that utilize these CKs in the next level with equivalent or an alternate key agreement scheme among CHs’ to generate the whole group key. For further information on a comparison of the existing protocols [18, 21, 25, 26, 28, 30, 31, 33, 43] in this direction, one can refer to Table 2, summary of the key characteristics of cluster based protocols.

In the existing cluster-based GKA protocols, only [20, 26, 28, 31] offer authentication. Authentication confirms that only legitimate group members are allowed to derive the key in the key setup phase and accordingly facilitate the group members to secure against MITM attacks in the course of the key agreement phase. In the schemes [18, 21, 29], the authors suggest an approach of making their scheme into an authenticated approach, but doesn’t analyse the additional communication and computation cost in order to authenticate each and every message which is shared among the group members. Lastly, some protocols [25, 44] did not even consider the authentication mechanism at all in key agreement phase. On the other hand, these schemes can be altered in order to accomplish authentication by means of either a special kind of compiler or an authenticated GKA (AGKA) [45].

Further, most of the traditional GKA schemes stated in the literature are unable to handle the dynamic nature (joining and leaving of nodes from the clusters) in WANETs. In precise, the renowned protocols in [3, 11, 36, 38] competent for wired networks, may not be applicable to the WANETs due to their enormous dynamism. On the other hand, clustering strategy empowers hubs to be sorted out in a various levelled ad hoc network dependent on their relative nearness to each other, along these lines debilitating the one hop presumption in natural GKA protocols.

After a thorough study in examined research area, in this work we adopted cluster based hybrid hierarchical approach: dynamic cluster-based hybrid hierarchical group key agreement for large wireless ad hoc networks.

Our contribution

The key objective of this work is to achieve “a provably secure CHH-GKA for large WANETs”. The base behind the proposed creation is to divide and conquer. This protocol works by dividing larger group into a certain number of clusters created on their relative closeness to each another. For this we employ two types of keys namely group key (GK) and cluster key (CK). A CK is nothing but the key produced among every member inside a cluster and the GK is the complete network key among every node in the group.

In this work we choose dynamic authenticated NM-GKA protocol [16] for establishment of the CKs in level-I and then for GK in level-II. Further, the last member of each cluster will act as its CH and generates the CK among the cluster members in level-I. The last member of the group will act as the GC for the entire group and combines all the CKs to create the GK. Key for the entire group in level-II. This scheme reduces the computational complexity O(lr) to O(l + r) where l = Max (|C1|, |C2|,…,|Cr|) and “r” is the number of clusters.

For building provably secure model for the proposed protocol we adopted Bresson et al.’s [46] because it is the first formal provably secure model for authenticated GKA. The concept of provable security is utilized over the contemporary literature to demonstrate in a mathematical means, and under sensible suppositions, that a cryptographic technique accomplishes the essential goals of security. Such proofs are generally build by means of a formal setting that indicates: (1) the computing environment (involving cryptographic parameters, users, their trust association, communication etc.), (2) the adversarial environment and (3) the definitions of a few solid goals of security.

Overall contribution

  1. i.

    The key contribution of this work is authenticated cluster-based hybrid hierarchical GKA: NM-CHH-GKA for large wireless ad hoc networks.

  2. ii.

    Extended NM-CHH-GKA to dynamic NM-CHH-GKA by proposing join and leave of single or multiple group members for membership changes.

  3. iii.

    Established recognized proofs of provable security for to dynamic NM-CHH-GKA.

  4. iv.

    Our comparative analysis assessed and measured the effectiveness of proposed protocol and compared with identified protocols in terms of energy cost for computation and communication and shown that the proposed protocol is optimal.

Some salient features of the proposed scheme

  1. i.

    Different CH are used to control each cluster and it minimizes the total load on a single point (GC).

    • For instance consider one of the most promising applications [24] of cluster-based hierarchical GKA over WSNs in the healthcare sector.

      • NM-CHH-GKA over infrastructure-based WSN situation is appropriate for medical environments in which one can have numerous powerful nodes those can take CH role, such as intra-hospital environments. We can then suppose that CHs are predetermined and that consumption of energy is not a principal concern for them. The hospital sensor network can be split into various clusters by considering their geographical location.

        NM-CHH-GKA over infrastructure-less WSN situation is appropriate for medical environments in which there is no fixed infrastructure at all or no full coverage, as in the case of a medical emergency. In this situation, dynamically sensors can be clustered into non-overlapping or overlapping groups. Whenever a node wants to send out data, the node closer to the gateway (best path) is selected as the CH. For further information please refer [24].

  2. ii.

    The failure of one CH or node doesn’t affect the entire group.

  3. iii.

    Parallel computation of CKs provides reduced computational load from O(l·r) to O(l + r).

  4. iv.

    Both membership changes and subgroup dynamics can be optimally achieved.

  5. v.

    Local rekey: membership change in a cluster are treated locally, so that rekey of a cluster will not disturb the entire GK.

  6. vi.

    The two level cluster based hierarchical GKA scheme allows distributed key management scheme to implement at the cluster level to realize dynamism without losing efficiency.

  7. vii.

    The two level GKA reduces load on the GC by distributing or arranging the group members in the form of hierarchy, which enhances scalability and security.

  8. viii.

    Every cluster member requires a minimum storage space to preserve the CKs.

Organization/structure of the paper

Background protocols” section talks about the protocol’s prerequisites. The proposed protocol is exhibited in “Proposed protocol” section. “Security analysis” section speaks about analysis of security. “Comparative analysis” section delivers a relative analysis with the existing prominent protocols. Finally, “Conclusion and future scope” section concludes with several observations and future scope.

Background protocols

Here first we introduce several notations presented during the course of the paper and then we present the backbone on hand NM-GKA protocol.


The several notations utilized in this paper are presented in Table 1.

Table 1 Notations

Naresh–Murthy group key agreement protocol (NM-GKA)

Let M1, M2,…,Mi,…,Mn be the members of group and let Mn the last member be the GC. As shown in Fig. 1, in round-1, the GC Mn establishes (n − 1), 2-party ECDH common keys with every residual members. During round-2 the GC generates (n − 1) public keys Li by means of 2-party keys generated in round-1 after that it sends these public keys to the corresponding members and on getting, every member products it with their own common key in order to calculate the GK. Further the GC combines all the 2-party keys generated in round-1 into a GK and it turn into a part of the group. Authentication is provided with a digital signature (DSig) as in [16]. The NM.Initial group key agreement (NM.IGKA) protocol is presented in Fig. 1. Further we presented NM-GKA dynamic protocols [16], NM.Join and NM.Leave in Figs. 2 and 3 respectively.

Fig. 1
figure 1

NM.IGKA protocol

Fig. 2
figure 2

NM.Join protocol

Fig. 3
figure 3

NM.Leave protocol

Proposed protocol

Here we presented an outline of the proposed protocol and then the detailed proposed protocol.

Outline of the proposed scheme: NM-CHH-GKA

The proposed scheme consists of 4 steps as follows:

Step 1: (Cluster key agreement) In this step parallel execution of NM-GKA protocol in all the clusters for computing their respective CKs as in Algorithm 1.

figure a

Step 2: (Group key agreement) In this step execution of NM-GKA protocol among all the CHs for computing their complete GK as in Algorithm 2.

figure b

Step 3: (Group key distribution among the cluster nodes) In this step each of the CH distributes the established GK in step-2 to their members through their respective CK encrypted links.

figure c

Step 4: (Group key maintenance) As per the dynamic nature of wireless nodes, the nodes’ movement may vary the topology of network often. It is consequently significant and essential to update session key of the group to guarantee security. For establishing new GK, in level-1 we renew the CKs where changes in membership arise by call upon CK update as in Algorithm 4 and then in level-2 by invoking GK update as in Algorithm 5.

figure d
figure e

Proposed scheme: NM-CHH-GKA


Let M1, M2, M3…, Mn be the group members. Without loss of generality, for computation sake, divide these “n” members into \(r = \left\lceil {\frac{n}{l}} \right\rceil\) clusters, where cardinality of each cluster C1, C2, …, Cr is less than or equal to l and also let the last member of each cluster act as CH and let the last member of entire group act as the GC for the whole group.

Level-I: CK generation for any of the cluster \(C_{i} ,\;1 \le i \le r.\)

Let \(C_{i} = \left\{ {M_{{i_{1} }} ,M_{{i_{2} }} , \ldots ,M_{{i_{l - 1} }} ,M_{{i_{l} }} } \right\}\) where \(M_{{i_{l} }}\) is the CH of \(C_{i} ,\;1 \le i \le r.\)

Notice that the rth cluster may not have \(l\) members in it. However, the procedure remains the same with a different suffix other than l.

Step 1: The ith CH \(M_{{i_{l} }}\) forms (l − 1) two-party groups with the remaining members of that cluster \(M_{{i_{1} }} ,\;M_{{i_{2} }} , \ldots ,M_{{i_{l - 1} }}\) and generates two-party ECDH style keys \(x_{{K_{l,j} }} , \;1 \le j \le l - 1\) as follows:

  1. i.

    The CH \(M_{{i_{l} }} ,\) chooses a private key \(x_{l}\) and generates its public key \(X_{l} = \left[ {x_{l} } \right]P\)

  2. ii.

    Remaining cluster members \(M_{{i_{j} }} ,\;1\, \le \,j\, \le \,l - 1,\) chooses private keys \(x_{j}\) and generates their respective public keys \(X_{j} = \left[ {x_{j} } \right]P,\;\;1\, \le \,j\, \le \,l - 1.\)

  3. iii.

    The CH broadcasts its public key Xl to the remaining members of the cluster and each \(M_{{i_{j} }} , \, 1\, \le \,j\, \le \,l - 1\) unicasts Xj to the CH \(M_{{i_{l} }} .\)

  4. iv.

    After exchanging their public key each member \(M_{{i_{j} }}\) in the cluster Ci, computes its shared key Kl,j with the CH \(M_{{i_{l} }}\) as follows:

    $$\begin{aligned} K_{l,j} & = \left[ {x_{j} } \right] \, X_{l} = \left[ {x_{j} } \right]\left[ {x_{l} } \right]P \\ & = \left[ {x_{j} x_{l} } \right] \, P \\ & = \left( {x_{{K_{l,j} }} , \;y_{{K_{l,j} }} } \right),\quad 1 \le j \le l - 1 . \\ \end{aligned}$$
  5. v.

    Similarly, the CH \(M_{{i_{l} }}\) computes (l − 1) shared keys Kl,j with the remaining cluster members \(M_{{i_{j} }} ,\;1\, \le \,j\, \le \,l - 1\) as follows:

    $$\begin{aligned} K_{l,j} & = \left[ {x_{l} } \right] \, Xj = \left[ {x_{l} } \right]\left[ {x_{j} } \right]P \\ & = \left[ {x_{l} x_{j} } \right]P \\ & = \left( {x_{{K_{l,j} }} , y_{{K_{l,j} }} } \right), \quad 1 \le j \le l - 1 . \\ \end{aligned}$$

    Thus \(x_{{K_{l,j} }} 1 \le j \le l - 1\) are the (l − 1) shared keys between the CH \(M_{{i_{l} }}\) and other members \(M_{{i_{j} }}\) of the cluster Ci, where \(1 \le i \le r\) and \(1 \le j \le l\) in that order.

Step 2: Currently the CH calculates the (l − 1) public keys Lj, using two-party common keys \(x_{{K_{l,j} }} ,\; 1 \le j \le l - 1\) established in step 1, as below and sends it to respective \(M_{{i_{j } }} .\)

Public keys:

$$L_{j} = \left[ {\mathop \prod \limits_{m = 1,m \ne j}^{l - 1} x_{{K_{l,m} }} } \right]P, \quad for \;1 \le j \le l - 1 .$$

After unicast messages are received by respective members \(M_{{i_{j} }}\) compute the CKs as under:

$$\begin{aligned} S & = \left[ {x_{{K_{l,j} }} } \right]L_{j} \\ & = \left[ {x_{{K_{l,j} }} } \right]\left[ {\prod\nolimits_{m = 1, m \ne j}^{l - 1} {x_{{K_{l,m} }} } } \right]P \\ & = \left[ {\prod\nolimits_{j = 1,}^{l - 1} {x_{{K_{l,j} }} } } \right]{\text{ P}} \\ & = \left( {x_{s} ,y_{s} } \right). \\ \end{aligned}$$

As CH be acquainted with all the common keys, it also establishes the CK as under:

$$\begin{aligned} S & = \left[ {\prod\nolimits_{j = 1,}^{l - 1} {x_{{K_{l,j} }} } } \right]P \\ \, & = \left( {x_{s} ,y_{s} } \right). \\ \end{aligned}$$

Thus \(x_{s}\) is the CK among the cluster members Ci.

Now, let the CK of Ci be \(x_{{s_{i} }} ,\;1 \le i \le r.\)

Level-II: Let \(M_{{1_{l} }} ,M_{{2_{l} }} , \ldots ,M_{{r - 1_{l} }} , \;M_{{r_{l} }}\) be the CHs and let \(M_{{r_{l} }} = M_{n}\) be the GC.

Step 1: Let \(x_{{s_{i} }}\) be the CK of the respective cluster \(C_{i} ,\;1 \le i \le r\) generated in level-I. First the GC \(M_{{r_{l} }}\) forms (r − 1) 2-party groups with the residual CHs and each CH \(M_{{i_{l} }}\) takes the CKs generated in level-I \(x_{{s_{i} }} ,\;1 \le i \le r\) as their private key respectively and computes their respective public keys as follows:

$$S_{i} = \left[ {x_{{s_{i} }} } \right] P, \quad 1 \le i \le r.$$

The GC, \(M_{{r_{l} }}\) broadcasts its public key Sr to the remaining CHs \(M_{{i_{l} }} ,\;1 \le i \le r - 1.\)

After receiving each CH \(M_{{i_{j} }}\) computes the shared key between GC and itself as follows:

$$\begin{aligned} T_{r,i} & = \left[ {x_{{s{}_{i}}} } \right]S_{r} = \left[ {x_{{s{}_{i}}} } \right]\left[ {x_{{s{}_{r}}} } \right] P = \left[ {x_{{s{}_{i}}} x_{{s{}_{r}}} } \right] P \\ & = \left( {x_{{T_{r,i} }} ,\; y_{{T_{r,i} }} } \right), \quad 1 \le i \le r - 1. \\ \end{aligned}$$

Each CH \(M_{{i_{l} }} ,\) unicasts its public key \(x_{{s_{i} }}\) to GC \(M_{{r_{l} }}\) and then GC computes the (r − 1) shared keys with the remaining CHs as follows:

$$\begin{aligned} {\text{T}}_{r,i} & = \left[ {x_{{s_{r} }} } \right]S_{i} = \left[ {x_{{s_{r} }} } \right]\left[ {x_{{s_{i} }} } \right] P \\ & = \left[ {x_{{s_{r} }} x_{{s_{i} }} } \right] P \\ & = \left( {x_{{T_{r,i} }} ,y_{{T_{r,i} }} } \right), \quad 1 \le i \le r - 1. \\ \end{aligned}$$

Thus \(x_{{T_{r,i } }} \;1 \le i \le r - 1\) are the (r − 1) common keys between the GC \(M_{{r_{l} }}\) and the other CHs \(M_{{i_{l} }} ,\) where \(1 \le i \le r - 1.\)

Step 2: Currently the GC calculate the (r − 1)-public keys Ui, by means of two party common keys \(x_{{T_{r,i} }} , \;1 \le i \le r - 1,\) generated in step 1, and sends it to respective CHs \(M_{{i_{l} }} \;1 \le i \le r - 1\) as follows:

Public keys:

$$U_{i} = \left[ {\mathop \prod \limits_{j = 1,j \ne i}^{r - 1} x_{{T_{r,j} }} } \right]P, \quad for\; 1 \le i \le r - 1.$$

After receiving respective unicast messages, respective CHs \(M_{{i_{l} }}\) compute the GKs as follows:

$$\begin{aligned} K & = \left[ {x_{{T_{r,i} }} } \right]U_{i} \\ & = \left[ {x_{{T_{r,i} }} } \right]\left[ {\prod\nolimits_{j = 1, j \ne i}^{r - 1} {x_{{T_{r,j} }} } } \right]P \\ & = \left[ {\prod\nolimits_{j = 1}^{r - 1} {x_{{T_{r,j} }} } } \right]P \\ & = \left( {x_{K,} y_{K} } \right). \\ \end{aligned}$$

In view of the fact that the GC knows every common key, it also generates the GK as under:

$$\begin{aligned} K & = \left[ {\prod\nolimits_{j = 1}^{r - 1} {x_{{T_{r,j} }} } } \right]{\text{P}} \\ & = \left( {x_{K,} y_{K} } \right). \\ \end{aligned}$$

Hence the \(x_{K}\) is the GK among the group members. Authentication is provided with a digital signature (DSig) as in [16].

NM-dynamic CCH protocol (NM-DCHH)

To address the dynamic events such as join and leave in GKA we proposed a NM-DCCH-GKA by introducing NM-CHH.Join protocol and NM-CHH.Leave protocol as follows:

NM-CHH.Join protocol

The principal security prerequisite of member joining is the protection of the earlier GK from both the outsiders and the newly joining group members.

Suppose a node or a set of nodes U wish to join the group and intimates the same to GC. The GC adds U at the beginning of the cluster Ci where it belongs so that the CH remains the same. We proceed with NM-CHH-Join protocol as shown in Fig. 4.

Fig. 4
figure 4

NM-CHH.Join protocol

NM-CHH.Leave protocol

The principal security prerequisite when a member leaves is the protection of the succeeding (future) GK from both the outsiders and the earlier leaving group nodes.

We may assume that this member is not a CH without loss of generality, because if it is the GC and/or CH, naturally the preceding member will act as GC and/or CH and the procedure still remains the same.

Suppose a node or a set of nodes U want to leave the group and intimates the same to GC. We proceed with NM-CHH-Leave protocol shown in Fig. 5.

Fig. 5
figure 5

NM-CHH.Leave protocol

Security analysis

Here we presented the security of (i) unauthenticated protocol (UP): the initial key agreement (NM-CHH.IGKA). (ii) the authenticated key agreement (AKA): the NM-ACHH and (iii) the dynamic authenticated key agreement (DAKA): NM-DCHH (NM-CHH.Join and NM-CHH.Leave) of proposed protocols separately.

Theorem 4.2 addresses the security of unauthenticated static NM-CHH-IGKA and then the Theorem 4.3 deals with security of authenticated CHH protocol (NM-ACHH). Finally Theorem 4.4 states the security of dynamic authenticated CHH protocol (NM-DACHH).

Lemma 4.1

The unauthenticated NM-GKA scheme depicted in " Background protocols " section is secure in opposition to passive opponent under ECDDH supposition, accomplishes forward secrecy and fulfils the accompanying: \(Adv_{NM}^{KA} \left( {t,\;q_{E} } \right) \le 2Adv_{G}^{ECDDH} \left( {t^{\prime}} \right) + {{2q_{E} } \mathord{\left/ {\vphantom {{2q_{E} } {\left| {G } \right|}}} \right. \kern-0pt} {\left| {G } \right|}},\) where \(t^{\prime} = t + O\;\left( {\left| {\mathcal{P}} \right|q_{E} t_{s.m} } \right),\) ts.m is the time required to carry out scalar multiplications over \(G = E\left( {F_{p} } \right),\;\left| {\mathcal{P}} \right|\) is the amount of participants in the network and \(q_{E}\) is the amount of implemented queries that an opponent may ask.


The lemma’s proof is depicted in [16] as a theorem. □

Theorem 4.2

The unauthenticated static NM-CHH.IGKA protocol depicted in " Proposed protocol " section is secure against inactive opponent under ECDDH presumption, accomplishes forward secrecy and fulfils the accompanying:

$$Adv_{NM - CHH}^{KA} \left( {t,\;q_{E} } \right) \le Adv_{Symm} \left( {t,\;0,0} \right) + \frac{1}{{ \left( {r + 1} \right)q_{E} }} Adv_{NM}^{ECDDH} \left( {t^{\prime}} \right) + \frac{1}{{ \left( {r + 1} \right)\left( { 2q_{E} + \left| G \right|} \right) }},$$

where \(t^{\prime} = t + O\;\left( {\left| {{\mathcal{P}}_{max} } \right|q_{E} t_{s.m} } \right),\) ts.m is the time required to execute scalar multiplications over G = E(Fp), \(P_{max}\) = maximum amount of users in a cluster of the network, r +1 is the amount of clusters formed in the network and \(q_{E}\) is the amount of implemented queries that an opponent may pose.


The verification regard as an opponent \({\mathcal{A}}\) who overcomes the security of proposed unauthenticated static NM-CHH scheme. Given \(\mathcal{A}\), we build an enemy \(\mathcal{B}\) assaulting the symmetric encryption plot (Symm); identifying with the achievement likelihood of \(\mathcal{A}\) and \(\mathcal{B}\) gives the expressed consequence of the theorem. Before portraying \(\mathcal{B}\), we initially characterize event Bad and bound its likelihood. Let Bad be the event to be the occasion that \(\mathcal{A}\) can recognize a CK (which is a key concurred by the NM scheme) from a arbitrary value anytime amid its execution.

Let Prob [Bad] stands for \({\text{Prob}}_{{NM{ - }CHH}}\)[Bad]. Let Succ indicate the event that \(\mathcal{A}\) succeed the game.

Notice that r + 1 clusters are required in the network, in each execution of proposed protocol to form the GK:

  1. i.

    The execution of NM-GKA protocol simultaneously for r clusters in level-I.

  2. ii.

    The execution of the NM-GKA protocol among the r CHs in level-II.

  3. iii.

    Symmetric encryption scheme: Symm for distributing the key among the clusters with respect to given CKs.

The opponent \(\mathcal{A}\) performs \({\varvec{q}}_ {\varvec{E}}\) execute queries and accordingly carry out \({\varvec{r}} \cdot {\varvec{q}}_{ {\varvec{E}}}\) executions of NM-GKA scheme in level-I and \(1 \cdot {\varvec{q}}_{ {\varvec{E}}}\) executions of NM-GKA protocol in level-II respectively. Consequently performs a total of \(( r+ 1 ) {\varvec{q}}_{ {\varvec{E}}} .\)

$$\therefore Prob\left[ {Bad} \right] \le \frac{{Prob\left[ {succ} \right]}}{{\left( {r + 1} \right) q_{E} }}.$$

Now by definition,

$$\begin{aligned} Adv_{{NM,{\mathcal{A}}}}^{KA} & = \left| {2 Prob\left[ {succ} \right] - 1} \right| \\ \Rightarrow Prob\left[ {succ} \right] &\le \frac{1}{2}\left[ {1 + Adv_{NM,A}^{KA} } \right]. \\ \end{aligned}$$

Hence we have

$$\begin{aligned} Prob\left[ {Bad} \right] & \le \frac{{\frac{1}{2}\left[ {1 + Adv_{NM,A}^{KA} } \right]}}{{\left( {r + 1} \right) q_{E} }} \\ &= \frac{{Adv_{NM,A}^{KA} }}{{2\left( {r + 1} \right)q_{E} }} + \frac{1}{{2\left( {r + 1} \right) q_{E} }}. \\ \end{aligned}$$

\(\mathcal{B}\) simulates every oracle queries of \(\mathcal{A}\) by implementing the unauthenticated static NM-CHH protocol all alone. Thusly, \(\mathcal{B}\) can recognize the event of occasion Bad. \(\mathcal{B}\) gives impeccable simulation to \(\mathcal{A}\) so long as the occasion Bad does not happen. If at any point the event Bad happens, \(\mathcal{B}\) prematurely ends and yield a random bit. Something else, \(\mathcal{B}\) outputs whatever bit in the end yield by \(\mathcal{A}\). So \(Prob_{{{\mathcal{A}},NM - CCH}} \left[ {succ|Bad} \right] = \raise.5ex\hbox{$\scriptstyle 1$}\kern-.1em/ \kern-.15em\lower.25ex\hbox{$\scriptstyle 2$} .\)


$$\begin{aligned} Adv_{{{\mathcal{B}},Symm }} & = 2\left| {Prob_{{{\mathcal{B}},Symm}} \left[ {Succ} \right] - 1/2} \right| \\ & = 2\left| {Prob_{{{\mathcal{A}},NM - CCH}} \left[ {Succ \wedge \overline{Bad} } \right] + Prob_{{{\mathcal{A}},NM - CCH}} \left[ {Succ \wedge Bad } \right] - 1/2} \right| \\ & = 2|Prob_{{{\mathcal{A}},NM - CCH}} [Succ \wedge \overline{Bad} ] + Prob_{{{\mathcal{A}},NM - CHH}} \left[ {Succ|Bad} \right]\;\left. {\left( {Prob_{{{\mathcal{A}},CHH}} \left[ {Bad} \right] - 1/2} \right)} \right| \\ & = 2\left| {Prob_{{{\mathcal{A}},NM - CHH}} [Succ \wedge \overline{Bad} ] + \left( {\frac{1}{2}} \right)Prob_{{{\mathcal{A}},NM - CHH}} \left[ {Bad} \right] - 1/2} \right| \\ & = 2\left| {Prob_{{{\mathcal{A}},NM - CHH}} \left[ {Succ} \right] - Prob_{{{\mathcal{A}},NM - CHH}} \left[ {Succ \wedge Bad} \right] + \left( {\frac{1}{2}} \right)Prob_{{{\mathcal{A}},NM - CHH}} \left[ {Bad} \right] - 1/2} \right| \\ & \ge \left| {2.Prob_{{{\mathcal{A}},NM - CHH}} [Succ] - 1} \right| - \left| {Prob_{{{\mathcal{A}},NM - CCH}} [Bad] - 2Prob_{{{\mathcal{A}},NM - CHH}} \left[ {Succ \wedge Bad} \right]} \right| \\ & \ge Adv_{{{\mathcal{A}},NM - CHH}} - Prob\left[ {Bad} \right] \\ \end{aligned}$$

Note that ever call upon its encrypting oracle E. Furthermore, the \(\mathcal{B}\)’s running time is at most t.

As \(Adv_{B,Symm} \le Adv_{Symm} \left( {t,\;0,0} \right),\) by assumption.

$$\begin{aligned} Adv_{NM - CHH}^{KA} \left( {t,\;q_{E} } \right) & \le Adv_{Symm} \left( {t,0,0} \right) + Prob\left[ {Bad} \right] \\ & \le Adv_{Symm} \left( {t,\;0,0} \right) + \frac{{Adv_{NM,A}^{KA} \left( {t, \left( {r + 1} \right)q_{E} } \right)}}{{2\left( {r + 1} \right)q_{E} }} + \frac{1}{{ 2\left( {r + 1} \right)q_{E} }} \\ & \le Adv_{Symm} \left( {t,\;0,0} \right) + \frac{1}{{ 2\left( {r + 1} \right)q_{E} }}\left[ {2Adv_{NM}^{ECDDH} \left( {t^{\prime}} \right) + \frac{{2q_{E} }}{{\left| {G } \right|}}} \right] + \frac{1}{{ 2\left( {r + 1} \right)q_{E} }} \\ & = Adv_{Symm} \left( {t,\;0,0} \right) + \frac{1}{{ \left( {r + 1} \right)q_{E} }} Adv_{NM}^{ECDDH} \left( {t^{\prime}} \right) + \frac{1}{{ \left( {r + 1} \right)\left( { 2q_{E} + \left| G \right|} \right) }}, \\ \end{aligned}$$

when \(t^{\prime} = t + O\left( {\left| {P_{m} } \right| q_{E} t_{sm} } \right) = t + O\left( {\left( {r + 1} \right)\left| {q_{E} t_{sm} } \right.} \right)\;,\) where \(\left| {P_{m} } \right|\) = maximum amount of clusters in the network = r +1

Hence by Lemma 4.1, we realize the theorem. □

We now present the security of the NM-ACHH in which the security is depends on that of unauthenticated schemes relied on fact that DSig (signature scheme) is secure.

Theorem 4.3

The authenticated CHH scheme (NM-ACHH) is secure in opposition to active opponent under Elliptic Curve-Decision Diffie Hellman (EC-DDH) supposition, accomplishes forward secrecy and outputs the following:

$$Adv_{NM - ACHH}^{AKA} \left( {t,\;q_{E} ,\; q_{S} } \right) \le Adv_{NM - CHH}^{KA} \left( {t^{\prime},\;q_{E} + \frac{{q_{S} }}{2}} \right) + \left| {\mathcal{P}} \right|Adv_{Dsig} ,$$

where \(t^{\prime} = t +( \left| {\mathcal{P}} \right|q_{E} + q_{S} )t_{ACHH} ,\) with \(t_{ACHH }\) is the time needed for carrying out of NM-ACHH by each of the party, \(q_{S} \;and\; q_{E}\) are respectively the maximum amount of Send and Execute query an opponent may pose.


Let \(\mathcal{A}^\prime\) be a opponent ambushing the AP. With this we construct an enemy \(\mathcal{A}\) attacking the UP.

We initially confine the likelihood of the event Forge that \(\mathcal{A}^\prime\) outputs an authentic forge w.r.t publickey pki for some client \({M_i} \in \mathcal{P}\) before making the question corrupt (Mi).


Let Forge be the incident that a signature of Dsig is forged by \(\mathcal{A}^\prime\) then

$$Prob\left[ {Forge} \right] \le \left| {\mathcal{P}} \right|Adv_{Dsig} \left( {t^{\prime}} \right).$$


\(\mathcal{A}^\prime\) prepares a signature forger \(\mathcal{F}\) to challenge Dsig-scheme. The aim of \(\mathcal{F}\) preparation is that, when a publickey PK is given as input, \(\mathcal{F}\) has permission to a signing oracle using PK, which generates a legitimate forgery (m, σ), i.e., \(\gamma_{PK} \left( {m, \, \sigma } \right)\, = \,1 \ni \sigma\) was not previously output by the signing oracle as a signature over m. The \(\mathcal{F}\) chooses a client \(M_{f} \in\) at random, and sets PKƒ to the PK. For left over members, \(\mathcal{F}\) legitimately generates key pair (private key, public key) by executing GKA protocol. In addition, \(\mathcal{F}\) carryout the method, necessary for Initiating UP. At this moment \(\mathcal{F}\) carryout \(\mathcal{A}^\prime\) as a subprogram \(\in\) simulated queries from \(\mathcal{A}^\prime\) are as below:

  • Execute (M)/Reveal \(\left( {\pi_{i}^{s} } \right)\)/Dump \(\left( {\left( {\pi_{i}^{s} } \right)} \right)\)/Test \(\left( {\left( {\pi_{i}^{s} } \right)} \right)\): these questions are answered in an obvious manner.

  • Send \(\left( {\left( {\pi_{i}^{s} } \right),\;m} \right)\): every private keys of Mi are aware to \(\mathcal{F}\) when i ≠ ƒ, then, respond to queries subsequent to the particular protocol specifically. Conversely if i = ƒ, then every \(M^{\prime}_{i}\)’s signing keys are unrecognized by \(\mathcal{F}\) Incidentally, \(\mathcal{F}\) can acquire message signature it needs by accomplishment to signing oracle related to PK.

  • Corrupt (Mi). If i ≠ ƒ, F principally holds \(M^{\prime}_{i}\)’s private keys stands for long period, created itself. On the other hand if \(\mathcal{A}^\prime\) corrupts Mi= Mƒ, then, \(\mathcal{F}\) terminates and returns “fail”.

The displayed above simulation is marvelously ill defined from the authentic execution except if enemy \(\mathcal{A}^\prime\) represents the query corrupt (Mƒ). All the way through this simulation, \(\mathcal{F}\) glances each send question from \(\mathcal{A}^\prime,\) and keeps an eye in the unlikely event that it fuses an authentic pair (m, σ) using PK. If no such inquiry is posed till \(\mathcal{A}^\prime\) ends, at that point \(\mathcal{F}\) closures and returns “fail”. Else, \(\mathcal{F}\) generates (m, σ) as real fraud w.r.t PK. Lemma 3 straight forwardly inferred from the manner in which the second case occurs with likelihood pγ[Forge]/n.

Currently we portray the improvement of attacking UP, that utilizes \(\mathcal{A}^\prime\) ambushing AP. \(\mathcal{A}\) uses tlist and keep (session Ids, transcripts) in it. \(\mathcal{A}\) makes (verification keys (pkM), signing keys (skM)) for each customer M P and check keys are given to \(\mathcal{A}^\prime.\) At the point when the event Forge occurs, \(\mathcal{A}\) rashly closures and outputs an arbitrary bit. Else, outputs a similar bit whatever \(\mathcal{A}^\prime\) outputs. \(\mathcal{A}\) can recognize occasion of the event Forge \(\mathcal{A}^\prime\) in light of the fact that it knows skM and pkM. The oracle questions of \(\mathcal{A}^\prime\) are imitated by \(\mathcal{A}\) using its inquiries to the Execute Oracle (EO). The motto is to procure a transcript (T) of UP for every single Execute question of \(\mathcal{A}^\prime.\) Besides for every one beginning send question, send0 (M, I, *) of \(\mathcal{A}^\prime.\) \(\mathcal{A}\) then fixes legitimate sign with messages in T to secure a transcript (T′) of AP and uses T′ to answer request of \(\mathcal{A}^\prime.\) since by assumption, \(\mathcal{A}^\prime\) can’t forge, \(\mathcal{A}^\prime\) is “compelled” to send out messages viably contained in T′. This system gives a decent simulation. The details are underneath:

Execute queries (EQs’): presume \(\mathcal{A}^\prime\) asks EQ ((Mi1,d1),…,(Mik, dk)) and so that occasions \(\pi_{{M_{1} }}^{{i_{1} }} \ldots \pi_{{M_{k} }}^{{i_{k} }}\) are incorporated.

\(\mathcal{A}\) characterizes \(S = \left\{ {\left( {M_{{i_{1} }} ,\;d_{1} } \right), \ldots ,\left( {M_{{i_{k} }} ,d_{k} } \right)} \right\}\) and send out the EQ to its EO. It outputs a T by implementing UP. It attaches (s, t) to tlist and after that broadens T for the UP into T′ for the AP. It offers T′ to \(\mathcal{A}^\prime.\)

Send queries (SQs’): the prime SQ means, \(\mathcal{A}^\prime\) asks an occasion to commence one more session, indicated by send0. The opponent desires to use SQs’ to commence a session between occasions \(\pi_{{M_{1} }}^{{i_{1} }} \ldots \pi_{{M_{k} }}^{{i_{k} }}\) which are not yet used:

$$Send_{0} = \left( {M_{{i_{j} }} ,d_{j} ,\left\langle {M_{{i_{1} }} \ldots M_{{i_{k} }} } \right\rangle - M_{{i_{j} }} } \right), \quad 1 \le J \le k.$$

These queries should not in an explicit order. \(\mathcal{A}\) forms \(S = \left\{ {\left( {M_{{i_{1} }} ,d_{1} } \right), \ldots ,\left( {M_{{i_{k} }} ,d_{k} } \right)} \right\}\) when these queries are prepared and sends an EQ to it’s executing oracle. It outputs T and includes (S, T) to tlist.

Assume that signatures can’t be forged, any progressive SQ to an event \(\pi_{M}^{i}\) is a really sorted out messages with a real signature. For each such SQ, \(\mathcal{A}\) checks the question as depicted in the authenticated NM-CHH-GKA protocol. In the event that the confirmation overruled, \(\mathcal{A}\) sets \(acc_{M}^{i} = 0,\) \(sK_{M}^{i} = NULL\) and ends \(\pi_{M}^{i} .\) Else, \(\mathcal{A}\) plays out the action to be completed by π in the AP. It finishes as under:

  • Finds an sole entry (S,T) in tlist  (M, i)  S, such a novel entry exits for every one event by assumption. Presently from T, \(\mathcal{A}\) finds best possible messages which is identified with the message transmitted by \(\mathcal{A}^\prime\) to \(\pi_{M}^{i} .\) From T, \(\mathcal{A}\) gets following open information yielded by \(\pi_{M}^{i}\) and offers to \(\mathcal{A}.\)

Reveal/test queries (R Q/T Q): Suppose \(\mathcal{A}^\prime\) asks the RQ (M, i) or TQ (M, i) to an incident \(\pi_{M}^{i}\) for which \({\text{acc}}_{M}^{i} = 1.\). Currently the T’ in which \(\pi_{M}^{i}\) took part has been predefined. Now first finds an sole entry (S,T) in the tlist  (M, i) S. Imagine that, forge doesn’t occur, T is sole unauthenticated transcript which is related to T′. Now asks proper RQ or TQ to any occasion incorporated in T and hand over a proportional payback to \(\mathcal{A}^\prime\) is just right. When Forge occurs, opponent \(\mathcal{A}\) terminates and outputs an arbitrary bit.

$$Prob_{{A^{\prime},AP}} \left[ {Succ|Forge} \right] = 1/2.$$
$$\begin{aligned} Now,\;Adv_{A,UP} & = 2\left| {Prob_{A,UP} [Succ] - 1/2} \right| \\ & = 2\left| {Prob_{{A^{\prime},AP}} \left[ {Succ \wedge Fo\bar{r}ge} \right] + Prob_{{A^{\prime},AP}} \left[ {Succ \wedge Forge} \right] - 1/2} \right| \\ & = 2\left| {Prob_{{A^{\prime},AP}} \left[ {Succ \wedge Fo\bar{r}ge} \right] + Prob_{{A^{\prime},AP}} \left[ {Succ|Forge} \right]Prob_{{A^{\prime},AP}} \left[ {Forge} \right] - 1/2} \right| \\ & = 2\left| {Prob_{{A^{\prime},AP}} \left[ {Succ \wedge Fo\bar{r}ge} \right] + 1/2Prob_{{A^{\prime},AP}} \left[ {Forge} \right] - 1/2} \right| \\ & = 2\left| {Prob_{{A^{\prime},AP}} \left[ {Succ} \right] - Prob_{{A^{\prime},AP}} \left[ {Succ \wedge Forge} \right] + 1/2Prob_{{A^{\prime},AP}} \left[ {Forge} \right] - 1/2} \right| \\ & \ge 2\left| {Prob_{{A^{\prime},AP}} \left[ {Succ} \right] - 1\left| - \right|Prob_{{A^{\prime},AP}} \left[ {Forge} \right] - 2Prob_{{A^{\prime},AP}} \left[ {Succ \wedge Forge} \right]} \right| \\ & \ge Adv_{A,AP} - Prob\left[ {Forge} \right]. \\ \end{aligned}$$
$$Adv_{NM - ACHH}^{AKA} \le Adv_{NM - CHH}^{KA} \left( {t^{\prime},\;q_{s} + q_{e} /2} \right) + prob\left[ {Forge} \right]$$

\(\mathcal{A}\) asks an EQ in line with each EQ of \(\mathcal{A}^\prime.\) Similarly poses an EQ in all sessions underway by \(\mathcal{A}^\prime.\) Because, session consist of at least two instances, such as EQ is processed after at least two SQs’ of \(\mathcal{A}^\prime.\) The max. no of such queries are qs/2, where qs is amount of queries posed by \(\mathcal{A}^\prime.\) The maximum amount of EQs executed by \(\mathcal{A}\) is qe + qs/2, where qe is the amount of EQs’ executed by \(\mathcal{A}^\prime.\)

Already we have \(Adv_{NM - ACHH}^{AKA} \left( {t,\;q_{E} , q_{S} } \right) \le Adv_{NM - CHH}^{KA} \left( {t^{\prime},\;q_{E} + \frac{{q_{S} }}{2}} \right)\) by supposition,

from 1 and 2 we get,

$$Adv_{NM - ACHH}^{AKA} \left( {t,q_{E} , q_{S} } \right) \le Adv_{NM - CHH}^{KA} \left( {t^{\prime},q_{E} + \frac{{q_{S} }}{2}} \right) + \left| {\mathcal{P}} \right|Adv_{Dsig}$$

The statement of the theorem is yielded. □

We currently present the security of dynamic authenticated protocol (DAP): (NM-DACHH). Expecting that, DSig is secure, we can change over any enemy assaulting convention DAP into a opponent assaulting convention UP. We disregard Corrupt queries since our convention DAP does not utilize any long-time secret keys. Along these lines convention DAP obviously accomplishes forward secrecy.

Theorem 4.4

The dynamic authenticated CHH scheme (NM-DACHH) depicted in Proposed protocol " section fulfils the following:

$$Adv_{NM - DACHH}^{AKA} \left( {t,q_{E} , q_{J,} q_{L} , q_{S} } \right) \le Adv_{NM - CHH}^{KA} \left( {t^{\prime},q_{E} + \frac{{\left( {q_{J} + q_{l} + q_{S} } \right)}}{2}} \right) + \left| {\mathcal{P}} \right|Adv_{Dsig} \left( {t^{\prime}} \right),$$

where \(t^{\prime}\, = \,{\text{t}}\, +( \left| {\mathcal{P}} \right|q_{E} + q_{J} + q_{l} + q_{S} ) t_{DACHH} ,\) with \(t_{AHP}\) is the time needed for carrying out of DACHH by each of the party \(q_{E} , \;q_{S } q_{J,} q_{L}\) are in that order the maximum amount of Execute, Send, Join and Leave queries an opponent may pose.


Let \(\mathcal{A}^\prime\) be an opponent who tries to attack DAP. By means of this we build an opponent \(\mathcal{A}\) who assaults UP. As in the preceding proof, we had the following claim.


Let Forge be the incident, that \(\mathcal{A}^\prime\) forged the signature, then

$${\text{Prob}}\left[ {\text{Forge}} \right]\, \le \,\left| \cal P \right|{\text{ AdvDSig }}(t^{\prime}).$$

At the moment we present the creation of the passive opponent \(\mathcal{A}\) assaulting UP that utilizes opponent \(\mathcal{A}^\prime\) assaulting DAP. Opponent \(\mathcal{A}\) can implement the UP numerous times, among every subset of Ƥ and can acquire session key of scheme implementation by producing a RQ to any occurrence concerned in session. Now we demonstrate that \(\mathcal{A}\) simulates itself Leave and Join questions of \(\mathcal{A}^\prime\) utilizing its own Reveal Oracles (ROs) and EOs. Opponent \(\mathcal{A}^\prime\) keeps up a Tlist to store sets of session IDs and transcripts. It likewise utilizes two records Llist and Jlist to be determined in future.

Opponent \(\mathcal{A}\) creates signing/confirmation key pair (pkU, skU) for every client U  Ƥ and gives confirmation keys to \(\mathcal{A}^\prime.\) If at any time the occasion Forge happens, opponent \(\mathcal{A}\) prematurely ends and outputs an arbitrary bit. Else, \(\mathcal{A}\) outputs no matter what bit is in the long run yield by \(\mathcal{A}^\prime.\) Since the signing and confirmation keys, it can identify event of occasion Forge. \(\mathcal{A}\) reproduces the oracle inquiries of \(\mathcal{A}^\prime\) utilizing its own questions to the ROs and EOs. We present particulars below.

EQs’: these queries are replicated in Theorem 4.2 proof.

SQs’: separately from regular SQ, two special send queries, SendL and SendJ are there.

Let, set S1 = {(Mik+1, dk+1),…,(Mik+l, dk+l)} of occurrences, needs to join gathering S = {(Mi1, d1),,(Mik, dk)}, at that point \(\mathcal{A}^\prime\) will create SendJ (Mij, dj, ‹Mi1,…, Mik›) query for every j, k +1≤ j  k + l. These queries commence Join (S, S1) query. The occurrence in S might have previously implemented either (a) UP or (b) leave protocol or (c) join protocol. As a result, first \(\mathcal{A}\) finds any of the subsequent form of a sole entry: (1) (S, T) in Tlist or (2) (S′, S, T) in Jlist with S = S′ S″ or (3) (S′, S″, T) in Llist with S = S\S″. If no such entry, makes an EQ to its personal EO on S, obtains a transcript T and keeps (S, T) in Tlist.

Whenever (S, T)  Tlist, \(\mathcal{A}\) fundamentally issues RQ to an event in S so as to accomplish the session key sk identified with T, calculates seed x = H(sk) and plan the calculation for Join by questioning its EO (rolling out fitting improvements). At that point include signature in every message, acquires T′ and stores (S, S1, T′) in Jlist. In this manner reproduces the transcript T′ of Join utilizing self RO and EO. In the rest of the cases (2) and (3), produces T by and by thus \(\mathcal{A}\) can simulate T’ of Join from T.

Likewise, when an unused instances of S2={(Ml1, dl1),,(Mlm, dlm)} desires to leave S ={(Mi1, d1),,(Mik, dk)}, then, \(\mathcal{A}^\prime\) will SendL (Mij, dj,(Mi1,…, Mik)) inquiry for every j, j  {l1,…, lm}. These inquires commences Leave(S, S2) query. As stated in join member, first traces an entry (S, T) in Tlist or an entry (S′, S″, T) in Jlist with S = SU S″ or an entry (S′, S″, T) in Llist with S = S\S″. If entry is missing, then \(\mathcal{A}\) set up an inquiry to its personal EO on S, obtain T and adds (S, T) to Tlist.

\(\mathcal{A}\) simulates protocol for Leave without anyone else’s input and gets an altered T ′ from T as pursues: \(\mathcal{A}\) distinguishes the situations in T where the new messages are to be infused or the old messages are to be supplanted by new. \(\mathcal{A}\) do these alterations in T as indicated by protocol for leave depicted in Fig. 5 and gets an adjusted T′ by fixing up fitting signature with each message. In this way \(\mathcal{A}\) extends T into a T′ for Leave protocol. \(\mathcal{A}\) stores (S, S2, T′) in Llist.

\({\text{Send}}_{0}\) questions are replied as in Theorem 4.3. The typical send questions are prepared as in Theorem 4.3 with the accompanying changes.

Assume \(\mathcal{A}^\prime\) formulates a SQ to occurrence \(\prod_{M}^{i}\). After appropriate check, discovers an entry (S, T)  Tlist, such that (M, i) S. The response to this inquiry is as in Theorem 4.3. If no such entry is found, then discovers a sole entry (S, S1, T′) in Jlist such that (M, i) S1.

This implies the session for Join has just been started. At that point acquires the next public information for T′ to be yield by \(\prod_{M}^{i}\) (given all essential data has been achieved by \(\varPi_{M}^{i}\) by SQs from \(\mathcal{A}^\prime\)) and forwards it to \(\mathcal{A}^\prime.\) If discovers an sole entry (S, S2, T′) in Llist such that (M, i)  S2, then as above, the proper response to the question is found from T′.

Join queries (JQs): assume \(\mathcal{A}^\prime\) sends a JQ (S, S1) where S  = {(Mi1, d1),…,(Mik, dk)} and S  = {(Mik+1, dk+1),…,(Mik+l, dk+l). The occurrences \(\varPi_{{M_{{i_{k + 1} }} }}^{{d_{k + 1} }} , . . . ,\varPi_{{M_{{i_{k + l} }} }}^{{d_{k + l} }}\) desire to join the group \(\varPi_{{M_{{i_{1} }} }}^{{d_{1} }} , . . . ,\varPi_{{M_{{i_{k} }} }}^{{d_{k} }} .\) \(\mathcal{A}\) discovers an entry of the form (S, S1, T′) in Jlist. If no such entry, then the opponent \(\mathcal{A}^\prime\) doesn’t give any output. Else, \(\mathcal{A}\) returns T′ to \(\mathcal{A}^\prime\)

Leave queries (LQs): Assume \(\mathcal{A}^\prime\) sends a LQ(S, S2) where S ={(Mi1, d1),…,(Mik,, dk)} and S2={(Ml1, dl1),…,(Mlm, dlm)} where (Mlj, dlj) S for 1≤ j  m. The occurrences \(\varPi_{{M_{{l_{1} }} }}^{{d_{l1} }} , . . . ,\varPi_{{M_{{l_{m} }} }}^{{d_{{l_{m} }} }}\) desires to leave the group \(\varPi_{{M_{{i_{1} }} }}^{{d_{1} }} , \ldots ,\varPi_{{M_{{i_{k} }} }}^{{d_{{i_{k} }} }}\) where \(M_{{i_{j} }} \in \left\{ {M_{{i_{1} }} , \ldots ,M_{{i_{k} }} } \right\}\) for 1 ≤ j ≤ m. \(\mathcal{A}^\prime\) discovered an entry of the form (S, S2, T′) in Llist. If no such entry, then the opponent \(\mathcal{A}^\prime\) is doesn’t give any output. Else, \(\mathcal{A}\) returns T′ to \(\mathcal{A}^\prime.\)

Reveal/Test (R/T) queries: assume \(\mathcal{A}^\prime\) sends the RQ(M, i) or TQ(M, i) for an occurrence \(\varPi_{M}^{i}\) for which \(acc_{M}^{i} = \, 1.\). At this moment the transcript T′ in which Π \(_{M}^{i}\) take part has been predefined. If T′ related to the transcript of the AP then \(\mathcal{A}^\prime\) discovers the sole pair (S, T) in Tlist such that (M, i)  S. Supposing that the occasion Forge does not occur, T is the sole unauthenticated transcript which relates to the transcript T′. Then sends the suitable RQ or TQ to one of the occasions concerned in T and returns the result to \(\mathcal{A}^\prime.\) Else, T′ is the transcript for Join or Leave, as the case may be. Because T′ has been simulated by \(\mathcal{A}\), is capable to calculate the updated session key and hence send an appropriate reply to \(\mathcal{A}^\prime.\)

Providing Forge doesn’t occur, the above simulation for \(\mathcal{A}^\prime\) is perfect. At the time Forge occurs, opponent \(\mathcal{A}\) terminates and outputs a arbitrary bit.

So \(Prob_{{{\mathcal{A}^{\prime}},AP}} \left[ {Succ|Forge} \right]\, = \,\frac{1}{2}.\) By means of this, one can prove

$$Adv,_{UP} \, \ge \,Adv_{{{\mathcal{A}^{\prime}},DAP}} \, - \,Prob\left[ {Forge} \right]$$

The opponent \(\mathcal{A}\) sends an EQ for every EQ of \(\mathcal{A}^\prime\). \(\mathcal{A}^\prime\) poses qJ, JQs and qL, LQs. These inquiries are commenced respectively by SendJ and SendL inquires of \(\mathcal{A}^\prime\). Currently every SendJ and SendL inquiry of \(\mathcal{A}^\prime\) poses at most one EQ of. Consequently there are at most qJ+ qL EQs posed by \(\mathcal{A}\) to reply all the SendJ and SendL inquiries of \(\mathcal{A}^\prime\). Also \(\mathcal{A}\) poses an EQ for every session commenced by \(\mathcal{A}^\prime\) by means of SQs. Because a session engages at least two occurrences, such an EQ is prepared after at least two SQs of \(\mathcal{A}^\prime\). Consequently there are (qS − qJ − qL)/2 EQs of \(\mathcal{A}\) to react to all other SQs of \(\mathcal{A}^\prime,\) where qS is the amount of SQs prepared by \(\mathcal{A}^\prime.\) Consequently the total amount of EQs posed by is at most qE + qJ + qL +(qS − qJ − qL)/2 = qE + (qJ + qL + qS)/2, where qE is the amount of EQs posed by \(\mathcal{A}^\prime.\) Furthermore since \(Adv_{A,UP} \left( {t^{\prime},\;q_{E} ,\;q_{J} ,\;q_{L} ,\;q_{S} } \right) \le Adv_{UP}^{KA} \left( {t^{\prime},\;q_{E} + q_{J/2} + q_{L/2} + q_{S/2} } \right)\) by assumption, we obtain:

$$Adv_{DAP}^{AKA} ( {\text{t}},\;q_{E} ,\;q_{J} ,\;q_{L} ,\;q_{S} )\, \le \,Adv_{UP}^{KA} (t^{\prime},\;q_{E} \, + \,(q_{J} \, + \,q_{L} \, + \,q_{S} )/ 2)\, + \,{\text{Prob}}\left[ {\text{Forge}} \right].$$
$$Adv_{NM - DACHH}^{AKA} \, \le \,Adv_{NM - CHH}^{KA} (t^{\prime},\;q_{E} \, + \,(q_{J} \, + \,q_{L} \, + \,q_{S} )/2)\, + \,\left| \cal P \right|Adv_{DSig} \left( {t^{\prime}} \right)$$

This implies the statement of the theorem. □

Comparative analysis

Here the proposed ECDH-based NM-clustering-based hybrid hierarchical group key agreement (NM-CHH-GKA) protocol has been compared with prevalent clustering based GKA protocols such as HKAP [25], GKA-CH [21], PB-GKA-HGM [31], AP-1/AP-2 [33], ACEKA [26], A-DTGKA [20], ACBGKA [18], ECDH-SKDM [43] and NM-setup [16] with regard to various characteristics such as pre required GKA protocol used, structure and limitations are in Table 2. Further we compare the proposed one with them in terms of communication and computational complexities in Table 3.

Table 2 Summary of the key characteristics of cluster
Table 3 Computation and communication complexities

Here Let the amount of nodes be “n” and choose \(l\, = \left\lceil {\surd n} \right\rceil \,\) be the amount of clusters members such that lr and the amount of clusters \(r\, = \,\left\lceil {n/l} \right\rceil\)

From Table 3, it follows that the proposed protocol is optimal with reference to communication and computation expenses, facilitating the equal level of security with fewer key sizes. Further the proposed protocol is shown to be optimal for secure GKA over resource constrained networks like WSN and Mobile Ad hoc Networks (MANETS) and among ECDLP/DLP-based protocols confer in this paper.

With the end goal to acquire a improved guess for the energy cost of computation and communication for the scheme presented in this paper, we ascertained its energy utilization for a particular sensor. Particularly, we pick a sensor network involved by Tmote Sky gadgets by Texas Instruments with a most extreme 100 kbps data rate. As per [47] a sensor hub relied on the 133 MHz Strong ARM chip devours 8.8 mJ for a scalar multiplication and 47.0 mJ for a paring. Concerning the cost of communication, a 100 kbps radio handset module devours 10.8 μJ and 7.51 μJ for the communication gathering of one bit of information in that order.

For GKA scheme we utilize its EC-analog and in this manner suppose that the traded messages has the size of an EC-point. In the event that we utilize a 160-bit EC, the extent of its points (x, y) will be 320 bits. We would then be able to figure the expense for the reception and transmission by multiplying energy cost with its size in bits for the reception and transmission of a single bit. Table 4 outlines a scalar multiplication’s energy costs, a pairing calculation and a reception and transmission of a message utilizing the specific gadget (Tmote Sky) and radio handset module of speed the 100 kbps.

Table 4 Computation and communication energy costs

From Table 3 the total amount of Sequential Scalar Multiplications and Messages if we use NM-GKA [16] protocol among all the nodes in the system are \(2\left( {l \cdot r} \right),\) \(2(l \cdot r - 2)\) which may not be feasible for large WANETs. Consequently, we plan to use the same for each of the “r” cluster of “l” nodes each in parallel in level-I and then for all the “r” CHs in level-II hierarchically to establish the GK so the proposed protocol uses total amount of Sequential Scalar Multiplications and Messages \(2\left( {l + r} \right)\), \(2(l + r - 2\)) only.

Computational complexities using graphs

Figures 6, 7 and 8 indicates comparison on computational energy cost of proposed NM-CHH-GKA protocol with reference to number of nodes for establishing GK and shown that the proposed one is the optimal when compared to the other protocols. So the proposed NM-CHH-GKA works with lower computational cost and better efficiency when compared to existing protocols. So It is suitable for recourse constrained networks such as WANETS.

Fig. 6
figure 6

Comparison of energy costs

Fig. 7
figure 7

Comparison of energy costs

Fig. 8
figure 8

Comparison of energy costs

Communication complexities using graphs

Figures 9, 10 and 11 indicates comparison on communication energy cost of proposed NM-CHH-GKA protocol with reference to number of nodes for establishing GK and shown that the proposed one is the optimal when compared to the other protocols. So the proposed NM-CHH-GKA works with relatively low communication overheads and greater competence when compared to existing protocols. So It is fitting for recourse embarrassed networks such as WANETS.

Fig. 9
figure 9

Communication cost comparisons

Fig. 10
figure 10

Communication cost comparisons

Fig. 11
figure 11

Communication cost compariso

Experimental results

For Experimentation Linux environment was used running on a system with configuration 2.4 GHz Celeron(R) CPU with 512 MB of memory. A NS-2 simulator was used to establish a hierarchical arrangement of nodes in tree topology format. A Crypt++ Library 5.2.1 was utilized to implement NM-CHH-GKA scheme, different libraries were used to develop algorithms for the key sharing, encryption and decryption algorithm. NS-2 libraries were used to establish the TCP connection and communication among the nodes to share the packets (max 1000 bytes), to support multicasting or unicasting in the derivation of key as well as data sharing.

For each examination, we ran the protocol for 10 times and calculate the average computation times for different operations such as level-I group formulation, level-II group formulation, Computation of Ki,j values, Computation of Li values, Computation of individual CKs SKi/CKi computation, and GK with the following tabulated NS-2 parameters in Table 5.

Table 5 Experimental NS-2 parameters

Experimental results for computational times

Let the quantity of members be “n” and choose \(l\, = \,\left\lceil {\surd n} \right\rceil\) number of cluster members such that l < r and \({\text{r}}\, = \,\left\lceil {n/l} \right\rceil .\) We presented the experimental results for computational time with respect to amount of nodes, quantity of clusters; quantity of members in a cluster are tabulated in detail in Table 6. Further we present the experimental comparative analysis between NM-Setup and NM-CHH Setup in Table 7.

Table 6 Experimental Computation times for various group sizes
Table 7 Experimental comparative analysis

The experimental results through graphs

Various scenarios of experimental results of NM-CHH-GKA scheme are presented in Figs. 12, 13, 14 and 15. Further we presented comparison of computation time between NM and NM-CHH in Fig. 16.

Fig. 12
figure 12

Setup time: level-I vs level-II

Fig. 13
figure 13

Computation time: member vs cluster head in level-I

Fig. 14
figure 14

Computation time: cluster nead as member vs group head in level-II

Fig. 15
figure 15

Computation time: member vs cluster head vs group head in entire GK generation

Fig. 16
figure 16

Comparison of computation time between NM-setup and NM-CHH

Figure 12 indicates comparison between setup time for GKA in level-I and level-II. We can observe that setup time in both levels NM-CHH-GKA are mostly same because we are using same NM.Setup in both levels.

Figure 13 indicates comparison between computation time of member and cluster head in level-I. We can observe that the computation load on cluster head is relatively higher than individual members in level-I of NM-CHH-GKA.

Figure 14 indicates comparison between Computation time of cluster head as a Member and Group Head in level-II. We can observe that the computation load on Group Head is relatively higher than individual cluster head in NM-CHH-GKA.

Figure 15 indicates comparison of computation time among individual Member, Cluster Head, Group Head in Entire GK Generation. We can observe that the computation load on Group Head is relatively higher than individual cluster head which is relatively higher than individual members in NM-CHH-GKA.

Figure 16 indicates comparison of computation time between NM.Setup and NM-CHH-GKA. We can observe that the computational load on NM-CHH-GKA is highly reduced relative to NM.Setup by splitting large group into a certain number of clusters.

The findings in “Computational complexities using graphs”, “Communication complexities using graphs” and “Experimental results” sections are the complexities of NM-CHH-GKA in the context of computation, communication and experimental results respectively when compared to existing protocols. From these sections we can conclude that our protocol is optimal with respect to all the three dimensions. So NM-CHH-GKA is suitable for recourse constrained networks such as WANETS.

Conclusion and future scope

In this paper a new scalable NM-CHH GKA protocol was proposed based on parallel computing for large dynamic groups with less computational capabilities. Novel architectural design of our protocol provides flexibility and reduces cryptographic workload. The two level NM-CHH-GKA scheme allows on hand NM-GKA scheme to implement at cluster level to achieve scalability and robustness without sacrificing efficiency. The advantage of hierarchical management includes freeing the group controller looking after several members, enhancing security, improving scalability together with all cluster requiring minimal space for dealing with protocol. As a key management technique, proposed protocol uses cluster-based hybrid hierarchical scheme reducing rekeying workload of the networks while limiting the failure to local cluster without affecting other clusters. Comparative analysis showed that proposed protocol provides better performance in view of both communication and computation expenses. Further we established a formal security model for the proposed NM-CHH-GKA under cryptographic assumptions.

Security of CHH-GKA in WANETs is inadequate in the presence of node misbehaviour and internal attacks. It is because an opponent may start security attacks with the security keys obtained from compromised nodes. To isolate misbehaving node from legitimate data transmission as a future scope we plan to integrate trust enhanced module using Fuzzy Trust Based rules to NM-CHH GKA to develop a trust enhanced secure clustering framework for WANETs.

Data availability statement for the data used in this manuscript

The Experimental data used to support the findings of this study are available from the corresponding author upon request, with this readers can access the data supporting the conclusions of the study.


  1. E-Bashary M, Abdelhafez A, Anis W (2015) A comparative study of group key management in MANET. Int J Eng Res Appl 5(8):85–94

    Google Scholar 

  2. Boneh D, Franklin M (2001) Identity-based encryption from weil pairing. In: Proceedings of crypto 2001, LNCS, vol 2139. Springer-Verlag, Berlin, pp 213–229

  3. Burmester M, Desmedt Y (2005) A secure and scalable group key exchange system. Inf Process Lett 94(3):137–143

    Article  MathSciNet  MATH  Google Scholar 

  4. Manulis M. Security-focused survey on group key exchange protocols.

  5. Scott M, Costigan N, Abdulwahab W. Implementing cryptographic pairings on smart cards.

  6. Barreto PSLM, Kim HY, Scott M (2002) Efficient algorithms for pairing based cryptosystems. In: Proceedings of crypto 2002, LNCS, vol 42. Springer-Verlag, Berlin, pp 354–368

    Chapter  Google Scholar 

  7. Dutta R, Barua R (2008) Provably secure constant round contributory group key agreement in dynamic setting. IEEE Trans Inf Theory 54(5):2007–2025

    Article  MathSciNet  MATH  Google Scholar 

  8. Dutta R, Barua R (2005) Constant round dynamic group key agreement. In: Proceedings of ISC 2005, LNCS, vol 3650, Springer-Verlag, Berlin. pp 74–88

    Google Scholar 

  9. Dutta R, Barua R. Overview of key agreement protocols.

  10. Dutta R, Barua R, Sarkar P (2004) Provably secure authenticated tree based group key agreement. In: Proceedings of ICICS’04, LNCS, vol 3269. Springer-Verlag, Berlin, pp 92–104

    Chapter  Google Scholar 

  11. Kim Y, Perrig A, Tsudik G (2004) Tree-based group key agreement. ACM Trans Inf Syst Secur 7(1):60–96

    Article  Google Scholar 

  12. Kleinrock L, Kamoun F (1977) Hierarchical routing for large networks; performance evaluation and optimization. Comput Netw 1(3):155–174

    MathSciNet  MATH  Google Scholar 

  13. Basagni S (1999) Distributed clustering for ad hoc networks. In: Proceedings of the international symposium on parallel architectures, algorithms, and networks (ISPAN), IEEE, Perth, Australia, pp 310–315

  14. Steenstrup M (2001) Cluster-based networks. C.E. Perkins, Addison Wesley, Boston, pp 75–138

    Google Scholar 

  15. Szczechowiak P, Oliveira L, Scott M, Collier M, Dahab R (2008) NanoECC: testing the limits of elliptic curve cryptography in sensor networks. In: 5th European conference on wireless sensor networks—EWSN 2008, lecture notes in computer science, vol 4913. Springer-Verlag, Berlin, pp 305–320

  16. Naresh VS, Murthy NV (2015) Provably secure group key agreement protocol based on ECDH with integrate signature. Secur Commun Netw 9(10):1085–1102

    Article  Google Scholar 

  17. Bemmoussat C, Didi F, Feham M (2013) Cluster based routing protocol in wireless mesh network. In: International conference on computer applications technology (ICCAT), Jan 2013, pp 1–6

  18. Belding-Royer EM (2002) Hierarchical routing in ad hoc mobile networks. Wirel Commun Mob Comput 2(5):515–532

    Article  Google Scholar 

  19. Virtanen SE, Nikander P (2004) Local clustering for hierarchical ad hoc networks. In: Proceedings of WiOpt: modeling and optimization in mobile, ad hoc and wireless networks, pp 404–405

  20. Abdel-Hafez A, Miri A, Oronzo-Barbosa L (2007) Authenticated group key agreement protocols for ad hoc wireless networks. Int J Netw Secur 4(1):90–98

    Google Scholar 

  21. Teo JCM, Tan CH (2005) Energy-efficient and scalable group key agreement for large ad hoc networks. In: Proceedings of the 2nd ACM international workshop on performance evaluation of wireless ad hoc, sensor, and ubiquitous networks, pp 114–121

  22. Galbraith S, Harrison K, Soldera D (2002) Implementing the Tate pairing. In: Proceedings of algorithm number theory symposium—ANTS V, LNCS, vol 2369. Springer-Verlag, Berlin, pp 324–337

    Google Scholar 

  23. Klaoudatou E, Konstantinou E, Kambourakis G, Gritzalis S (2011) A survey on cluster-based group key agreement protocols for WSNs. IEEE Commun Surv Tutor 13(3):429–442

    Article  Google Scholar 

  24. Klaoudatou E, Konstantinou E, Kambourakis G, Gritzalis S (2008) Clustering oriented architectures in medical sensor environments. In: International workshop on security and privacy in e-health, Barcelona, March 2008. IEEE CS Press, pp 929–934

  25. Yao G, Ren K, Bao F, Deng RH, Feng D (2003) Making the key agreement protocol in mobile ad hoc network more efficient. In: 1st international conference on applied cryptography and network security—ACNS 2003, lecture notes in computer science, vol 2846. Springer-Verlag, Berlin, pp 343–356

    Chapter  Google Scholar 

  26. Shi H, He M, Qin Z (2006) Authenticated and communication efficient group key agreement for clustered ad hoc networks. In: 5th international conference on cryptology and network security—CANS 2006, lecture notes in computer science, vol 4301, Springer-Verlag, Berlin, pp 73–89

    Chapter  Google Scholar 

  27. Gomathi K, Parvathavarthini B, Saravanakumar C (2017) An efficient secure group communication in MANET using fuzzy trust based clustering and hierarchical distributed group key management. Wirel Pers Commun 94(4):2149–2162

    Article  Google Scholar 

  28. Hietalahti M (2008) A clustering-based group key agreement protocol for ad hoc networks. Electron Notes Theor Comput Sci 192:43–53

    Article  MATH  Google Scholar 

  29. Li X, Wang Y, Frieder O (2002) Efficient hybrid key agreement protocol for wireless ad hoc networks. In: Proceedings of IEEE international conference on computer communications and networks, pp 404–409

  30. Abdel-Hafez A, Miri A, Oronzo-Barbosa L (2006) Scalable and fault-tolerant key agreement protocol for dynamic groups. Int J Netw Manag 16(3):185–201

    Article  Google Scholar 

  31. Teo JC, Tan CH (2007) Denial-of-service resilience password-based group key agreement for wireless networks. In: Proceedings of the 3rd ACM work-shop on QoS and security for wireless and mobile networks (Chania, Crete Island, Greece), October 22. ACM, New York, pp 136–143

  32. Hussain K, Abdullah AH, Iqbal S, Awan K, Ahsan F (2013) Efficient cluster head selection algorithm for manet. J Comput Netw Commun 2013(7):1–7

    Google Scholar 

  33. Dutta R, Dowling T (2009) Secure and efficient group key agreements for cluster based network. In: Transactions on computational science IV: special issue on security in computing, lecture notes in computer science, vol 5430. Springer-Verlag, Berlin, pp 87–116

    Chapter  Google Scholar 

  34. Diffie W, Hellman M (1976) New directions in cryptography. IEEE Trans Inf Theory 22:644–654

    Article  MathSciNet  MATH  Google Scholar 

  35. Joux A (2000) A one round protocol for tripartite Diffie–Hellman. In: Algorithmic number theory symposium—ANTS IV, LNCS, vol 1838. Springer-Verlag, Berlin, pp 385–394

    Google Scholar 

  36. Steiner M, Tsudik G, Waidner M (1996) Diffie–Hellman key distribution extended to group communication. In: Proceedings of the 3rd ACM conference on computer and communications security. ACM Press, New York, pp 31–37

  37. Barua R, Dutta R, Sarkar P (2003) Extending Joux’s protocol to multi party key agreement. In: Progress in cryptology—INDOCRYPT 2003, lecture notes in computer science, vol 2904. pp 205–217

    Chapter  Google Scholar 

  38. Naresh VS, Murthy NV (2015) A new two-round dynamic authenticated contributory group key agreement protocol using elliptic curve Diffie–Hellman with privacy preserving public key infrastructure. Sadhana 40:2143–2161

    Article  MathSciNet  MATH  Google Scholar 

  39. Chen Y, Zhao M, Zheng S, Wang Z (2006) An efficient and secure group key agreement using in the group communication of mobile ad hoc networks. In: International conference on computational intelligence and security, IEEE Press, pp 1136–1142

  40. Ayman ELS (2014) A new hierarchical group key management based on clustering scheme for mobile ad hoc networks. IJACSA 5(4):208–219

    Google Scholar 

  41. Krishna P, Vaidya NH, Chatterjee M, Pradhan DK (1997) A cluster-based approach for routing in dynamic networks. In: ACM SIGCOMM computer communication review, pp 49–65

    Article  Google Scholar 

  42. Dutta R, Dowling T (2011) Provably secure hybrid key agreement protocols in cluster-based wireless ad hoc networks. Ad Hoc Netw 9(5):767–787

    Article  Google Scholar 

  43. Niu Q (2014) ECDH-based scalable distributed key management scheme for secure group communication. J Comput 9(1):153–160

    Article  Google Scholar 

  44. Balasubramanian A, Mishra S, Sridhar R (2005) Analysis of a hybrid key management solution for ad hoc networks. In: IEEE wireless communications and networking conference. IEEE Press, New York, pp 2082–2087

  45. Katz J, Yung M (2003) Scalable protocols for authenticated group key exchange. In: Advances in cryptology—CRYPTO 2003, lecture notes in computer science, vol 2729. Springer-Verlag, Berlin, pp 110–125

    Chapter  Google Scholar 

  46. Bresson E, Chevassut O, Pointcheval D (2002) A dynamic group Diffie–Hellman key exchange under standard assumptions. In: Proceedings of Eurocrypt 2002, LNCS, lecture notes in computer science, vol 2332. pp 321–336

    Chapter  Google Scholar 

  47. Tan CH, Teo JCM (2006) Energy-efficient ID-based group key agreement protocols for wireless networks. In: 2nd international workshop on security in systems and networks—SSN 2006, IEEE Press, New York

Download references


I would like to thank my parents, family members and Management of Sri Vasavi Engineering College, Tadepalligudem who encouraged and supported me to do this work. Further I am very much thankful to reviewers and Journal Authorities.


Not currently in receipt of any research funding for this paper.

Author information

Authors and Affiliations



The first author VSN conceived of the presented idea and developed the theory and performed the computations. The second author verified the analytical methods and security analysis. The first author VSN encouraged the third author to implement and supervised the findings of this work. All authors discussed the results and contributed to the final manuscript. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Vankamamidi S. Naresh.

Ethics declarations

Competing interests

The authors declare that they have no competing interests

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Naresh, V.S., Reddi, S. & Murthy, N.V.E.S. A provably secure cluster-based hybrid hierarchical group key agreement for large wireless ad hoc networks. Hum. Cent. Comput. Inf. Sci. 9, 26 (2019).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: