GRAAD: Group Anonymous and Accountable D2D Communication in Mobile Networks
Device-to-Device (D2D) communication is driven by the transmission requirements between devices of specific applications, such as Proximity Services in Long-Term Evolution Advanced (LTE-A) networks, and each application forms a group of registered devices for network-covered and network-absent D2D communications. In these applications, each device needs to identify the other devices of the same group in proximity by their group identity. This exposes group information, from which eavesdroppers can infer application usage. Hence, this work introduces network-covered and network-absent authenticated key exchange protocols for D2D communications that guarantee accountable group anonymity, end-to-end security against network operators, and traceability and revocability for accounting and management requirements. We formally prove the security of these protocols and develop an analytic model that evaluates the quality of authentication protocols by the authentication success rate in D2D communications. We also implement the proposed protocols on Android mobile devices to measure their computation costs, evaluate the authentication success rate with the analytic model, and confirm the correctness of the model via simulation. These evaluations show that the proposed protocols meet the performance requirements of D2D communications.
Due to the dramatic growth in the number of mobile devices, providing mobile communication services with higher throughput, lower traffic overhead, and lower energy consumption is a challenge. Although the LTE-A physical layer provides even higher communication capability, resource allocation in the evolved universal terrestrial radio access network (E-UTRAN) to high-density mobile devices remains a dilemma when resources are limited. The 3rd Generation Partnership Project (3GPP) proposes a D2D communication service in LTE-A, called Proximity Service (ProSe) [2, 3], with three main purposes: 1) the mobile network operator can offload traffic from E-UTRAN and the Evolved Packet System (EPS), which is the core network (CN) of the LTE-A system; 2) D2D communication can support social network services, information sharing, advertising, gaming, and conferencing; and 3) the high availability of D2D communication can support public safety services. Security is essential to preserve the correctness of these functions and the availability of D2D communications.
In ProSe, D2D communication is classified as network-covered or network-absent according to whether its control components are connected to the CN (covered) or not (absent). Authenticated key exchange (AKE) in ProSe has to account for the connectivity between user equipments (UEs) and the CN and should protect against various kinds of attacks. Several security threats have been discussed, i.e., eavesdropping between UEs, impersonation of a UE or an evolved NodeB (eNB), and active attacks that inject messages into traffic data or control data.
AKE guarantees identification by mutual authentication and confidentiality of communication by key exchange in computer networks [6, 7, 8]. Additionally, anonymity protection for user identities is critical because of the broadcast nature of wireless communications; this security requirement has been carefully studied in [9, 10, 11, 12, 13, 14, 15, 16, 17, 18]. In mobile networks, a UE roaming to a foreign network (FN) must complete authentication for identification before requesting services. User anonymous authentication prevents eavesdroppers and/or the FN from disclosing the real identities of UEs in every authentication session, since otherwise the locations of UEs (i.e., their footprints) could be tracked.
Anonymity can be divided into two levels, partial user anonymity and full user anonymity. Partial user anonymous authentication conceals identities from eavesdroppers but not from FNs [9, 10, 11], whereas full user anonymous authentication additionally treats FNs as eavesdroppers [12, 13, 14, 15, 16, 18]. With full user anonymity, traceability and revocability are essential so that permitted network operators can trace and revoke user identities for management purposes. Several traceability and revocability techniques [12, 13, 18] have been introduced to lift the anonymity protection in secure wireless communications.
The aforementioned studies provide elegant solutions for anonymous and secure wireless communication between users and networks. For D2D communications, two secure D2D communication systems [19, 20] have been proposed to support data sharing in distinct application scenarios. One supports pseudonymity protection, where each real identity is replaced with a corresponding pseudo identity, so that the sessions of the same device remain traceable. The other offers partial user anonymity, where the system is able to trace the footprints of users.
Nevertheless, a new anonymity issue arises for group information when direct communications between devices are launched for specific applications. In ProSe-enabled devices, a group is formed by the devices using the same application. When establishing a D2D communication, including the device discovery procedure, the device that initiates the communication needs to announce messages carrying an application identity so that it can be discovered by other devices in the same application group. Attackers may collect and analyze this application usage information to launch distributed denial-of-service (DDoS) attacks against specific groups or to observe the behavior of nearby users for malicious purposes. Hence, group anonymity protection with traceability should be considered in D2D communication so that the application information included in the announcing message is protected while D2D communications are established.
End-to-end security is another required property, since devices exchange messages directly via D2D communications. It prevents system operators, who help establish D2D communications, from eavesdropping on the messages exchanged between devices.
Security Difference. Compared with conventional wireless communication, D2D communication additionally requires entity authentication without involving a security infrastructure (i.e., an authentication server), privacy protection against the network infrastructure, group anonymity that prevents exposure of group- or application-related identities, and end-to-end security among devices.
This work presents two group anonymous authenticated key exchange protocols for network-covered and network-absent D2D communications in mobile networks that support identity and group (application) anonymity, accountability (i.e., traceability and revocability), and end-to-end security against insider attackers (between devices). Specifically, we first propose the group-anonymous D2D communication with CN assistance (CN-GD2C) protocol, which adopts identity-based encryption (IBE) secure against chosen-ciphertext attacks (IND-CCA), Diffie-Hellman key exchange, symmetric encryption, and hash functions. We then propose the group-anonymous authenticated key exchange for network-absent D2D communication (NA-GD2C) protocol, which utilizes a newly proposed identity-based -anonymity secret handshake scheme together with an encryption-and-proof technique that combines public-key encryptions (key-private encryption and Linear encryption) with zero-knowledge proofs. We formally prove the security of the two protocols and develop an analytic model based on queueing theory to evaluate their authentication success rates and to demonstrate their scalability and efficiency. We also implement the proposed protocols to estimate the computation costs on mobile devices, and obtain the authentication success rates by both simulation and the analytic model.
The remainder of this paper is organized as follows. In Section II, we introduce the system and security models of D2D communication in mobile networks. In Section III, we propose group anonymous D2D communication protocols of network-covered and network-absent cases. The security analysis and performance evaluation on the proposed protocols are presented in Section IV and Section V, respectively. Finally, we conclude this work in Section VI.
II System and Security Models
This section introduces the system model, including the functions of the system components and the operating procedures for secure D2D communications in ProSe [21, 22]. We then introduce the behaviors of attackers and propose the security model and its definitions for the proposed system.
II-A System Model and Security Requirements
II-A1 The System Model
In ProSe, there are two kinds of UEs: the announcing UE (A-UE), which requests the establishment of a D2D communication, and the monitoring UE (M-UE), which monitors requests for D2D communications in proximity. In network-covered D2D communications, each UE shares a long-term secret with the authentication center/home subscriber server (AuC/HSS), which is responsible for user subscription management, user authentication, and session key management. When UEs establish D2D communication for ProSe, they can be either inside or outside the coverage of the CN. Each UE can access E-UTRAN via the eNB covering it. Before establishing D2D communication, each A-UE and M-UE needs to register with the ProSe function to obtain the parameters required for D2D communication configuration.
In network-covered D2D communications, both the A-UE and the M-UE attach to the CN for the device discovery procedure with authentication and authorization. During device discovery, the ProSe function sends authentication requests to the AuC/HSS to authenticate the participating devices. Once an authentication request is received, the HSS/AuC produces the corresponding authentication token for the ProSe function to authenticate the UEs. With the parameters obtained from the ProSe function, the A-UE can announce device discovery messages and be discovered by the M-UEs of the same application group.
In network-absent D2D communications, the HSS/AuC assigns each UE an identity with the corresponding private key of an IBE system for secure D2D communication. The identity is valid for a pre-defined duration and can be revoked as required. In both communication modes, the application identity of each UE for services is maintained by the ProSe function.
II-A2 The Security Requirements
According to the system model, we analyze and propose the following security requirements, which are urgently needed in D2D communications.
Authenticated key exchange with end-to-end security: This guarantees the authentication of the intended participants and the confidentiality of the transmission between two UEs in ProSe. Typically, two parties achieve authenticated key exchange (AKE) with end-to-end secure communication based on a long-term secret known only to them. However, UEs share a long-term secret key only with the HSS/AuC located in the CN. Hence, AKE between two UEs needs the participation of the HSS/AuC, and as a result the session key exchanged between the two UEs would become known to the HSS/AuC; that is, the communication between the two UEs would be exposed to the CN. For D2D communications, communication confidentiality between two UEs should be guaranteed. Hence, ProSe needs authenticated key exchange with end-to-end security between two UEs.
Identity and group anonymity: Identity anonymity guarantees that the identities of the participants in each AKE session are protected and cannot be linked across sessions, which prevents outsider attackers from tracing the footprints of the participants. Group anonymity is also essential in ProSe, since the application usage of UEs is considered sensitive information that may be analyzed and exploited to disrupt services. Only two UEs in the same application group can successfully authenticate each other and exchange a session key. If two UEs belong to different groups, neither can learn the identity or group information of the other during authentication. Obviously, AKE with group anonymity also guarantees identity anonymity.
Traceability and revocability: Traceability in group anonymous authentication guarantees that the identity and group information of the participants in every successful authentication session can be disclosed when the CN requires the identities of UEs in ProSe for management or accounting purposes. Only an authorized entity, e.g., the HSS/AuC or the ProSe function, can disclose the group and identity information. Revocability ensures that the identity of every UE can be revoked to terminate D2D services.
II-B Security Models and Definitions
Figure 1 shows the attacker model of ProSe. An outsider attacker may eavesdrop on the communications between two UEs, including the exchanged messages, the identity information, and the group information. It may break the confidentiality of communications, trace the footprints of UEs, or probe the applications in use from the group information. The outsider attacker may also impersonate a legal user to pass authentication and exchange a common session key with any legal user. Furthermore, a legal user can act as an attacker that tries to achieve mutual authentication and exchange a common session key with a user belonging to a different group. Additionally, the ProSe function or the HSS/AuC can be system attackers that eavesdrop on the messages exchanged between devices in D2D communications. This kind of attacker is usually not considered by security solutions in mobile networks; however, it makes sense to consider secure communication against system attackers, since in D2D communications the messages are exchanged only between devices. Before defining the attackers, we define an authenticated key exchange protocol and the capabilities of attackers in the protocol as follows.
The proposed protocol is , and and are regarded as two instances modeling two users and , which are partners of each other in the communication sessions and of . We say that there is a matching conversation between and if and only if and and are partners. The capability of an attacker is captured by the following oracles.
This oracle models a passive attacker, who can intercept all communications between and .
This oracle models an active attacker, who sends a message to .
This oracle models the exposure of the accepted session key of shared with its partner in the session .
This oracle models the exposure of the long-term secret key of during the session with its partner .
When an attacker queries this oracle, it returns the real session key accepted by with its partner in the session , or a random string, according to a random bit , provided that the negotiation of the session key is complete. The query fails if the session key has not been negotiated.
When an attacker queries this oracle, it returns the real identity of or a random string, according to a random bit , once and have accepted each other with a negotiated session key. The query fails if the AKE between and is not fulfilled.
When an attacker queries this oracle, it returns the group information of or a random string, according to a random bit , once and have accepted each other with a negotiated session key. The query fails if the AKE between and is not fulfilled.
We then define the security of AKE in ProSe according to the discussed security requirements as follows.
Definition 1 (Mutual Authentication)
There are a simulator , who simulates or by , and a probabilistic polynomial-time (PPT) attacker of , who can query Execute and Send in polynomial time. After the oracle queries, sends a message to be accepted by or with the following advantage:
The mutual authentication security of is guaranteed for and if 1) and have a matching conversation with and are accepted by each other, and 2) is negligible.
Definition 2 (Key Exchange against System Operator)
simulates and by to interact with , who is either an outsider attacker or a system attacker (i.e., the HSS/AuC or the ProSe function) and can query Execute and Send in polynomial time. After the oracle queries, and are accepted by each other with an exchanged session key ; queries Test to obtain or a random string from or according to a random bit . Then, outputs a guess with the following advantage.
If is negligible, we say achieves session key security.
Definition 3 (Identity Anonymity)
simulates and to interact with , who can query Execute and Send in polynomial time. After the oracle queries, and are accepted by each other; queries TestID to obtain or , or a random string, from or according to a random bit . Then, outputs a guess with the following advantage.
If is negligible, we say achieves identity anonymity.
Definition 4 (Group Anonymity)
The security of group anonymity is defined similarly to that of identity anonymity, except that queries TestGroup to obtain the group information or a random string from or according to . The advantage of guessing from the output of is as follows.
If is negligible, we say achieves group anonymity.
III Proposed Group Anonymous D2D Communications
| Notation | Description |
| eNB | evolved node B |
| HSS/AuC | home subscriber server/authentication center |
| | the real identities of |
| | the identity in the IBE system |
| | the application identity of |
| | the group identity of |
| | the shared secret key between and HSS/AuC |
| | the secret key only known by the ProSe function |
| | the authorization key of the ProSe function for |
| | the public parameters of an ID-based encryption |
| | the IBE private key corresponding to |
| | IND-CCA secure ID-based encryption with the system public key , the identity , and the input |
| | symmetric encryption with inputs etc. |
| | a Diffie-Hellman tuple , where |
| , , , | secure one-way hash functions, where , , |
In this section, we propose two group anonymous schemes, including their main building blocks, for the network-covered and network-absent cases.
This section introduces the preliminaries of the proposed protocols.
III-A1 Bilinear Groups
We first define the bilinear map operation used [25, 26, 27, 28]. A bilinear map is defined as , where the groups , , and are multiplicative and of prime order . When is a generator of and is a generator of , there exists a computable isomorphism from to such that . The map has the following properties: 1) bilinearity: for all , , and , ; and 2) non-degeneracy: .
III-A2 Identity-based Encryption
The concept of identity-based encryption (IBE) is to eliminate the management costs of user certificates, i.e., verifying their correctness and revocation status. The first practical IBE was proposed by Boneh and Franklin (BF-IBE) and is IND-CCA secure in the random oracle model. It consists of the following four algorithms.
Setup: Given a security parameter , this algorithm generates a prime and two bilinear groups and such that a bilinear map exists. It then chooses a random generator , sets for a randomly selected , and chooses two cryptographic hash functions, and , for some . The message space is and the ciphertext space is . The system parameters are , and the master key of the system is .
Extract: This algorithm is given an identity and computes the corresponding private key , where .
Encrypt: Given a message and the identity as the public key, this algorithm encrypts the message as , where and .
Decrypt: Given a ciphertext encrypted by and the private key , the algorithm decrypts the message by .
Security of IBE. The notion of ciphertext indistinguishability for public-key encryption was introduced to ensure that an attacker obtains no information about the plaintext from a given ciphertext. The stronger notion of IND-CCA security was proposed to meet the requirements of secure communication; there, the attacker may decrypt any chosen ciphertext other than the target ciphertext.
An IBE is IND-CCA secure if the advantage of any probabilistic polynomial-time (PPT) adversary in the following game is negligible: 1) issues queries for the private keys of ; 2) may make a polynomial number of queries to a decryption oracle to obtain the plaintexts of chosen ciphertexts with ; 3) outputs two chosen messages , and a target identity, for which the private key has not been queried, and is given a challenge ciphertext on message according to a random bit ; 4) makes another polynomial number of queries to extract private keys and to decrypt ciphertexts under given identities (restriction: the queried identities and ciphertexts must differ from and ); and 5) eventually, outputs a bit . If , wins the game.
III-A3 Proof on Dual Encryptions
To support traceability of the group anonymous AKE in network-absent D2D communications, we adopt the concept of a proof on dual encryptions. The transcript of each authentication session is anonymous to outsiders, including the ProSe function, as group anonymity is guaranteed. We leave a trapdoor for the ProSe function to open the messages of a session by encrypting each message under the public key of the participant device and under the public key of the ProSe function, and proving that both encryptions are of the same message. Before introducing the proof on dual encryptions, we introduce the two encryption algorithms involved, i.e., key-private public-key encryption and Linear encryption. Key-private encryption proceeds as follows: 1) the public key and the private key of a user are given by and , respectively; and 2) the ciphertext of a message is . One decrypts by . Linear encryption is based on the decision linear problem and proceeds as follows: 1) the public key and the private key of are given by and , respectively; and 2) the ciphertext of a message is . One decrypts by . The proof of dual encryptions, i.e., of the key-private encryption and the Linear encryption, and its verification are performed by the following two algorithms.
EncProof First, the prover randomly selects , , and , and computes , , and . Then it computes and , , and . After that, the prover outputs as the proof to the verifier.
EncVer The verifier checks whether and are ciphertexts of the same plaintext by , , , and . If the equations hold, the ciphertexts produced by the prover encrypt the same plaintext, and this algorithm outputs ; otherwise it outputs .
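As an added worked example (not code from the paper), the following Python script instantiates the proof on dual encryptions above in an ordinary prime-order subgroup of Z_p^* instead of the paper's bilinear groups; this is enough to show the mechanics: a key-private (ElGamal-style) ciphertext under a device key, a Linear-encryption ciphertext under the ProSe function's key, and a Fiat-Shamir proof, with the same three-randomizer shape as EncProof/EncVer, that both ciphertexts hide the same plaintext. The function names, the message encoding and the 11-bit toy group parameters are assumptions for illustration; the parameters are far too small to be secure.

```python
"""Proof on dual encryptions in a toy prime-order group (added illustration).

The group is the order-q subgroup of Z_p^* for the safe prime p = 2q + 1 rather
than the bilinear groups of the paper; the toy size is insecure and exists only
to make the algebra runnable.
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4  # p = 2q + 1 is a safe prime; g = 2^2 has order q


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def inv(x):
    return pow(x, P - 2, P)


def challenge(*elems):
    """Fiat-Shamir challenge: hash of the public transcript, reduced mod q."""
    data = ",".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


# --- key-private (ElGamal-style) encryption under a device's key -----------
def eg_keygen():
    s = rand_exp()
    return pow(G, s, P), s                        # (public key, private key)


def eg_encrypt(pk, m):
    r = rand_exp()
    return (pow(G, r, P), m * pow(pk, r, P) % P), r


def eg_decrypt(sk, ct):
    c1, c2 = ct
    return c2 * inv(pow(c1, sk, P)) % P


# --- Linear encryption under the ProSe function's key ----------------------
def lin_keygen():
    x, y = rand_exp(), rand_exp()
    h = pow(G, rand_exp(), P)
    u = pow(h, pow(x, -1, Q), P)                  # u^x = h
    v = pow(h, pow(y, -1, Q), P)                  # v^y = h
    return (u, v, h), (x, y)


def lin_encrypt(pk, m):
    u, v, h = pk
    a, b = rand_exp(), rand_exp()
    return (pow(u, a, P), pow(v, b, P), m * pow(h, a + b, P) % P), (a, b)


def lin_decrypt(sk, ct):
    x, y = sk
    c1, c2, c3 = ct
    return c3 * inv(pow(c1, x, P) * pow(c2, y, P) % P) % P


# --- EncProof / EncVer: both ciphertexts hide the same plaintext -----------
def enc_proof(eg_pk, lin_pk, m):
    """Encrypt m under both keys and prove equality of the plaintexts.

    Witnesses are the three encryption randomizers r, a, b; the relation is
    c2 / l3 = pk^r * h^-(a+b), which holds iff the plaintexts cancel out.
    """
    u, v, h = lin_pk
    ct_eg, r = eg_encrypt(eg_pk, m)
    ct_lin, (a, b) = lin_encrypt(lin_pk, m)
    r1, a1, b1 = rand_exp(), rand_exp(), rand_exp()   # commitment randomness
    R1, R2, R3 = pow(G, r1, P), pow(u, a1, P), pow(v, b1, P)
    R4 = pow(eg_pk, r1, P) * inv(pow(h, a1 + b1, P)) % P
    c = challenge(eg_pk, *lin_pk, *ct_eg, *ct_lin, R1, R2, R3, R4)
    z_r, z_a, z_b = (r1 + c * r) % Q, (a1 + c * a) % Q, (b1 + c * b) % Q
    return ct_eg, ct_lin, (R1, R2, R3, R4, z_r, z_a, z_b)


def enc_ver(eg_pk, lin_pk, ct_eg, ct_lin, proof):
    u, v, h = lin_pk
    R1, R2, R3, R4, z_r, z_a, z_b = proof
    c = challenge(eg_pk, *lin_pk, *ct_eg, *ct_lin, R1, R2, R3, R4)
    c1, c2 = ct_eg
    l1, l2, l3 = ct_lin
    t4 = c2 * inv(l3) % P                         # = pk^r / h^(a+b) iff same plaintext
    return (pow(G, z_r, P) == R1 * pow(c1, c, P) % P
            and pow(u, z_a, P) == R2 * pow(l1, c, P) % P
            and pow(v, z_b, P) == R3 * pow(l2, c, P) % P
            and pow(eg_pk, z_r, P) * inv(pow(h, z_a + z_b, P)) % P
            == R4 * pow(t4, c, P) % P)


if __name__ == "__main__":
    dev_pk, dev_sk = eg_keygen()
    prose_pk, prose_sk = lin_keygen()
    msg = pow(G, 77, P)                           # plaintext encoded as a group element
    ct_eg, ct_lin, proof = enc_proof(dev_pk, prose_pk, msg)
    assert eg_decrypt(dev_sk, ct_eg) == lin_decrypt(prose_sk, ct_lin) == msg
    print("dual-encryption proof verifies:", enc_ver(dev_pk, prose_pk, ct_eg, ct_lin, proof))
```

The verifier never needs a private key: anyone holding the two ciphertexts can check that the ProSe function's Linear ciphertext opens to the same plaintext as the device's ciphertext, which is exactly the trapdoor property traceability relies on. If the prover encrypts different plaintexts, the fourth equation fails for every challenge except a negligible fraction, and tampering with any response breaks the corresponding equation outright.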
III-B Key Management and User Registration
The key management of the proposed GRAAD inherits the key management of the conventional LTE security architecture, where each shares a long-term secret key with the HSS/AuC after registration. In addition, the key management on UEs, the ProSe function, and the HSS/AuC for the security of ProSe is shown in Fig. 2. The HSS/AuC stores the real identity , the corresponding application identity , and the shared secret of each UE. Additionally, the HSS/AuC generates a master secret key for a randomly selected and the corresponding public parameters by Setup (as introduced in Sec. III-A2) to build a BF-IBE system. The ProSe function manages and the corresponding group identity of each UE. Besides that, the ProSe function is associated with a unique secret key and generates a public/private key pair of Linear encryption as . The HSS/AuC issues each UE a BF-IBE user private key by Extract in Sec. III-A2, where and .
III-C Group Anonymous AKE for Network-covered D2D Communication (CN-GD2C)
After negotiating the parameters for D2D communication, randomly selects a session identity and . It then computes , and and sends them to , where and is the BF-IBE ciphertext.
keeps and computes , , and with randomly selected , where and is the BF-IBE ciphertext. It then sends to HSS/AuC via eNB.
The HSS/AuC first decrypts and by and , where and ; and can be produced by the HSS/AuC with . The HSS/AuC then finds the corresponding application identities and of and and sends them to the ProSe function to check the group information. If , the ProSe function computes and , where returns the group to which and belong. Once , and are received, the HSS/AuC confirms that and belong to the same group and sends and to .
first decrypts with to obtain and verifies . If the verification succeeds, extracts from and sends to .
decrypts with to obtain and verifies it as in the previous step. Then, extracts and sends to . Once is received, computes and sends to the HSS/AuC.
The HSS/AuC decrypts with to obtain . It then obtains from by and decrypts with to check whether it equals . If so, the HSS/AuC sends and to and forwards to . and accept the authenticated key exchange session for the subsequent D2D communication between them according to the verification of and . Finally, and compute the same session key by , respectively.
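The following Python simulation is an added illustration of the end-to-end property that CN-GD2C targets; it is not the paper's implementation and condenses the exchange above into one round trip through the core network. Each UE encrypts its identity so that only the HSS/AuC can read it (ElGamal under an HSS/AuC public key stands in for the BF-IBE ciphertext, since no pairing library is available in the standard library), authenticates its Diffie-Hellman value with the long-term key it shares with the HSS/AuC, the HSS/AuC decrypts the identities, consults the ProSe function's application-to-group table and issues authorization tokens, and the UEs derive the session key from the Diffie-Hellman values. The core network relays the public values but never holds an exponent, so it cannot compute the key. All names, the message layout and the toy group parameters are assumptions, and the 11-bit group is insecure.

```python
"""Condensed CN-assisted AKE with an end-to-end session key (added illustration).

ElGamal to the HSS/AuC public key stands in for the BF-IBE ciphertext of a UE
identity; names, message layout and the toy group are assumptions, and the
11-bit group is insecure.
"""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4  # toy safe-prime group: p = 2q + 1, g of order q


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def inv(x):
    return pow(x, P - 2, P)


def h(*parts):
    return hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()


def mac(key, *parts):
    return hmac.new(key, h(*parts), hashlib.sha256).digest()


def enc_to_hss(hss_pk, ident):
    """Identity (an int < p) encrypted so that only the HSS/AuC can read it."""
    r = rand_exp()
    return pow(G, r, P), ident * pow(hss_pk, r, P) % P


def dec_at_hss(hss_sk, ct):
    return ct[1] * inv(pow(ct[0], hss_sk, P)) % P


class HSS:
    """HSS/AuC holding the subscriber registry; self.prose plays the ProSe function."""

    def __init__(self):
        self.sk = rand_exp()
        self.pk = pow(G, self.sk, P)
        self.subs = {}    # identity -> (long-term key shared with the UE, app id)
        self.prose = {}   # app id -> group id (ProSe function's table)
        self.seen = []    # what the CN observes: session id, ciphertexts, DH values

    def register(self, ident, app, group):
        key = secrets.token_bytes(32)
        self.subs[ident] = (key, app)
        self.prose[app] = group
        return key

    def authorize(self, sid, ct_a, ya, mac_a, ct_m, ym, mac_m):
        self.seen.append((sid, ct_a, ya, ct_m, ym))
        id_a, id_m = dec_at_hss(self.sk, ct_a), dec_at_hss(self.sk, ct_m)
        if id_a not in self.subs or id_m not in self.subs:
            return None
        (k_a, app_a), (k_m, app_m) = self.subs[id_a], self.subs[id_m]
        if not hmac.compare_digest(mac_a, mac(k_a, sid, ct_a, ya)):
            return None                          # A-UE fails authentication
        if not hmac.compare_digest(mac_m, mac(k_m, sid, ct_m, ym, ya)):
            return None                          # M-UE fails authentication
        if self.prose[app_a] != self.prose[app_m]:
            return None                          # ProSe function: different groups
        # authorization tokens bind both DH values; each UE checks its own
        return mac(k_a, "ok", sid, ya, ym), mac(k_m, "ok", sid, ya, ym)


class UE:
    def __init__(self, ident, key):
        self.ident, self.key = ident, key
        self.x = rand_exp()                      # DH exponent, never leaves the UE
        self.y = pow(G, self.x, P)               # DH value, relayed through the CN

    def session_key(self, sid, peer_y):
        return h(sid, pow(peer_y, self.x, P))    # needs g^{ab}; CN only sees g^a, g^b


def run(hss, a, m):
    """A-UE a and M-UE m authenticate through hss; returns both derived keys."""
    sid = secrets.token_hex(8)
    ct_a = enc_to_hss(hss.pk, a.ident)           # A-UE -> M-UE
    mac_a = mac(a.key, sid, ct_a, a.y)
    ct_m = enc_to_hss(hss.pk, m.ident)           # M-UE -> HSS/AuC via eNB
    mac_m = mac(m.key, sid, ct_m, m.y, a.y)
    result = hss.authorize(sid, ct_a, a.y, mac_a, ct_m, m.y, mac_m)
    if result is None:
        return None
    tok_a, tok_m = result                        # tok_a is forwarded by the M-UE
    if not hmac.compare_digest(tok_m, mac(m.key, "ok", sid, a.y, m.y)):
        return None
    if not hmac.compare_digest(tok_a, mac(a.key, "ok", sid, a.y, m.y)):
        return None
    return a.session_key(sid, m.y), m.session_key(sid, a.y)
```

A run between two subscribers of the same group yields identical keys on both sides, a run across groups is refused by the ProSe check, and a UE presenting a wrong long-term key is refused by the HSS/AuC. Everything the core network records in `seen` is the session identifier, the identity ciphertexts and the two Diffie-Hellman public values; deriving the session key from that transcript is the computational Diffie-Hellman problem in the group, which is the separation between "the CN authenticates" and "the CN can read" that the end-to-end requirement in Sec. II-A2 asks for.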
III-D Group-anonymous AKE for Network-absent D2D Communication (NA-GD2C)
This section presents a group anonymous AKE protocol for network-absent D2D communication (NA-GD2C) with traceability, where only the two devices are involved in the protocol. Specifically, the objective of the NA-GD2C protocol is to conceal the group information of both devices from outsiders and from the CN, except for a trusted authority that is granted the right to reveal the group information of users and is not part of the CN. If a dispute arises in a session, designated authorities, i.e., the ProSe function and the HSS/AuC, can engage to trace the identities of the originators. Moreover, the identity of every UE is revocable by announcing the revoked identities in the system. The NA-GD2C protocol achieves these goals based on -anonymous secret handshakes, identity-based encryption, and non-interactive zero-knowledge proofs.
In the following subsections, we describe the design intuition of group anonymity protection based on -anonymous secret handshakes and identity-based encryption. Then, we present the proposed NA-GD2C protocol built on this group anonymity protection technique.
III-D1 Group Anonymity by -anonymous Secret Handshakes
The -anonymous secret handshake (SH) achieves adjustable group anonymous authentication, where an adversary can identify the group information of a given user pair only with probability . Moreover, the -anonymous SH enjoys revocability since it utilizes user certificates, which are reusable and can be revoked by announcing a certificate revocation list (CRL). Compared with unlinkable secret handshakes built from group signatures and group key agreement, the -anonymous SH needs less computation. An SH allows each user to authenticate to others according to the group information they possess rather than their identity information [23, 34, 32]. Namely, each user belonging to a group can only successfully authenticate to other users in the same group; otherwise, the authentication process leaks no information to a counterpart or eavesdropper who does not belong to the same group. However, the communication cost of the -anonymous SH is linear in the anonymity degree, i.e., , because the public keys of the selected user pairs are exchanged in the protocol. Hence, this work shows an enhanced -anonymous SH that applies identity-based encryption in the design: the public keys of the selected user pairs are replaced by their identities, which can be derived from a constant number of variables. We propose the following four functions to achieve an -anonymous SH with constant communication cost in the proposed NA-GD2C.
gSelect is divided into ,…,, where , where for some and . Set , , and , where is randomly selected from , where is a large prime. Solve with such that . For to (except ), set and . Then, compute and output .
uSelect is divided into , where and is the -th member of for some and . Set and , and , where is selected randomly from . Solve with such that . For to (except ), set and . It then computes and outputs .
gSelectVer First, for to , calculate , , and . After that, check whether . If so, output .
uSelectVer Parse as . Afterwards, for to , calculate , , , and . Then, check whether . If so, output , where denotes the -th user in .
These four functions are to guarantee the exchanged group and user information being selected randomly for -anonymous protection in NA-GD2C.
III-D2 Proposed NA-GD2C Protocol
Let us consider UEs, , that belong to different application groups, , in D2D communication. For with an assigned identity , the identity-based user private key is issued by the HSS/AuC as introduced in Sec. III-B. Additionally, generates a public/private key pair, , of the key-private public-key encryption introduced in Sec. III-A3. Each UE belongs to exactly one group, and means that the group of is .
We consider two UEs, an belonging to group and an belonging to group . For D2D communication between and , they want to authenticate each other to check whether they are legal users and belong to the same group. The proposed group-anonymous D2D communication protocol is shown in Fig. 3 and described as follows.
In the beginning, and negotiate the parameters of D2D communication and exchange two random numbers and selected by them, respectively. Afterwards, generates , , , and by and and sends them to , where gSelect and uSelect are introduced in Sec. III-D1.
generates , , and encrypts a randomly selected and as , where is selected at random. It then sends to .
generates , , and encrypts a randomly selected and as . It then decrypts by to obtain and . Afterwards, computes and encrypts with and as and , where is the group index of such that . It then obtains by running as in Sec. III-A3 and sends and to .
first decrypts by and checks if , , and . If so, it accepts belonging to its group and computes , , , and , where is the group index of such that . After that, sends