Two-round contributory group key exchange protocol for wireless network environments
EURASIP Journal on Wireless Communications and Networking volume 2011, Article number: 12 (2011)
Abstract
With the popularity of group-oriented applications, secure group communication has recently received much attention from cryptographic researchers. A group key exchange (GKE) protocol allows participants to cooperatively establish a group key that is used to encrypt and decrypt transmitted messages. Hence, GKE protocols can be used to provide secure group communication over a public network channel. However, most of the previously proposed GKE protocols deployed in wired networks are not fully suitable for wireless network environments with low-power computing devices. Subsequently, several GKE protocols suitable for mobile or wireless networks have been proposed. In this article, we propose a more efficient group key exchange protocol with dynamic joining and leaving. Under the decision Diffie-Hellman (DDH), the computation Diffie-Hellman (CDH), and the hash function assumptions, we demonstrate that the proposed protocol is secure against passive attack and provides forward/backward secrecy for dynamic member joining/leaving. As compared with the recently proposed GKE protocols, our protocol provides better performance in terms of computational cost, round number, and communication cost.
Introduction
Wireless communication technology has widely been applied to many mobile applications and services such as e-commerce applications, mobile access services, and wireless Internet services. Nowadays, people use their cellular phone or PDA (personal digital assistant) to access these mobile services. However, most of the security schemes and protocols deployed in wired networks are not fully applicable to wireless networks (i.e., wireless local area networks [1], mobile ad hoc networks [2], cellular mobile networks [3], and wireless sensor networks [4]) because of the network architecture and the computational complexity of mobile devices. In addition, an intruder can easily intercept the messages transmitted over a wireless network because wireless communications use radio waves to transmit messages. Meanwhile, most cryptographic algorithms require many expensive computations, so it is a nontrivial challenge to design security schemes and protocols for wireless network environments with low-power computing devices [5, 6].
With the popularity of group-oriented applications such as collaborative work and electronic conferences, secure group communication has received much attention from cryptographic researchers. A group key exchange (GKE) protocol allows participants to establish a group key to encrypt/decrypt the transmitted messages. Thus, GKE protocols can be used to provide secure group communication. In 1982, Ingemaresson et al. [7] proposed the first GKE protocol, which relied on the two-party Diffie-Hellman scheme [8]. Subsequently, different types of GKE protocols were presented such as constant-round GKE [9–13] and linear-round GKE [14–17]. However, these previously proposed GKE protocols did not deal with the computing capability of mobile devices in wireless mobile networks.
Actually, considering wireless network environments such as wireless local area networks [1] and cellular mobile networks [3], they may be regarded as asymmetric (imbalanced) wireless networks. An imbalanced wireless network consists of mobile clients and a powerful node. Generally, mobile clients may use some mobile devices (i.e., cellular phone or PDA) to access mobile applications through the powerful node. If such mobile clients want to perform a secure conference using their mobile devices through cellular mobile networks or wireless local area networks, they must establish a secure group key to encrypt/decrypt the transmitted messages. Considering the computing capability of mobile devices, a flexible approach is to shift the computational burden from the mobile devices to the powerful node. This approach reduces the computational costs on mobile nodes. Consequently, several group key agreement protocols [18–22] for the imbalanced wireless network have been proposed.
In 2003, Boyd and Nieto [18] presented a one-round GKE protocol. Their protocol is efficient for imbalanced wireless networks, but it lacks forward secrecy. Bresson et al. [19] proposed a two-round GKE protocol for imbalanced wireless networks. Unfortunately, their protocol provides only partial forward secrecy [20]. This partial forward secrecy means that leaking the mobile nodes' private keys does not reveal any information about the previously established group keys, but leaking the powerful node's private key will enable an adversary to reconstruct the previous group keys. Subsequently, Nam et al. [20] also presented an improvement on the protocol proposed by Bresson et al. In 2007, Tseng [21] demonstrated that Nam et al.'s protocol has a security weakness. In their protocol, the powerful node can predetermine the group key. That is, Nam et al.'s protocol is not a contributory GKE protocol. To repair this weakness, Tseng also proposed a secure group key exchange protocol for imbalanced wireless networks. However, Tseng's GKE protocol does not deal with dynamic member joining/leaving functionality. Note that the dynamic joining/leaving functionality means that other participants need not rerun the protocol when a participant joins or leaves the group. For a GKE protocol, it is important to provide this dynamic functionality, especially for wireless network environments. To provide dynamic joining/leaving functionality, Chuang and Tseng [22] recently proposed a dynamic group key exchange protocol for imbalanced wireless networks. However, their protocol requires three rounds to establish a group key.
The recently proposed GKE protocols [20–22] for wireless network environments are non-authenticated ones. By its very nature, a non-authenticated group key exchange protocol cannot provide participant and message authentication, so it must rely on the authenticated network channel [1, 3] or use other schemes [23–25] to provide authentication in advance. Here, like the recently proposed GKE protocols [20–22], we assume that each mobile client and the powerful node have already authenticated mutually, and we focus on the design of a non-authenticated GKE protocol. In this article, we propose a new group key exchange protocol with the dynamic property for wireless network environments. Under several security assumptions, we will prove that the proposed protocol is secure against passive attack and provides forward/backward secrecy for dynamic member joining/leaving. Meanwhile, we demonstrate that the proposed protocol also satisfies the contributiveness property. As compared with the recently proposed GKE protocols, our protocol provides better performance in terms of computational cost, round number, and communication cost.
The remainder of this article is organized as follows. In the next section, we present the security assumptions and the security requirements for a dynamic GKE protocol. In 'A concrete dynamic GKE protocol' section, we propose a concrete dynamic GKE protocol. Security analysis of the proposed protocol is demonstrated in 'Security analysis' section. In 'Performance analysis and discussions' section, we make performance analysis and comparisons. The conclusions are given in 'Conclusions' section.
Preliminaries
In this section, we present the security requirements of dynamic group key exchange protocol, as well as several security assumptions.
Notations
The following notations are used throughout the article:

p, q: two large primes satisfying p = 2q + 1.

G_{ q }: a subgroup of Z_{ p }* with the order q.

g: a generator of the group G_{ q }.

H: a one-way hash function, H:{0, 1}* → Z_{ q }*.

SID: a session identity is public information. Note that each session is assigned a unique SID.
Security requirements for dynamic GKE protocol
Here, we define the security requirements of a dynamic GKE protocol as follows:

Passive attack: This attack means that a passive adversary cannot compute the group key by eavesdropping on the transmitted messages over a public channel or efficiently distinguish the group key from a random string.

Forward secrecy: When a new member joins the group, he/she cannot compute the previous established group keys to decrypt the past encrypted messages.

Backward secrecy: When an old member leaves the group, he/she cannot compute the subsequent group keys to decrypt the future encrypted messages.

Contributiveness: In the group, no participant can predetermine or predict the resulting group key. In other words, each participant can confirm that her/his contribution has been involved in the group key.
Security of a dynamic GKE protocol
We say that a dynamic group key exchange protocol is secure, if (1) it is secure against passive attack; (2) it provides forward/backward secrecy for joining/leaving; (3) it satisfies contributiveness.
Security assumptions
For the security of our proposed dynamic group key exchange protocol, we need the following hard problems and assumptions [26, 27].

Decision Diffie-Hellman (DDH) problem: Given and for some x_{ a }, x_{ b }∈ Z_{ q }*, the DDH problem is to distinguish two tuples (y_{ a }, y_{ b }, ) and (y_{ a }, y_{ b }, R ∈ G_{ q }).

DDH assumption: No probabilistic polynomial-time algorithm can solve the DDH problem with a non-negligible advantage.

Computational Diffie-Hellman (CDH) problem: Given a tuple (g, ) for some x_{ a }, x_{ b }∈ Z_{ q }*, the CDH problem is to compute the value

CDH assumption: No probabilistic polynomial-time algorithm can solve the CDH problem with a non-negligible advantage.

Hash function assumption: A secure one-way hash function must satisfy the following requirements [28]:

(i) For any y ∈ Y, it is hard to find x ∈ X such that H(x) = y.

(ii) For any x ∈ X, it is hard to find x' ∈ X such that x' ≠ x and H(x') = H(x).

(iii) It is hard to find x, x' ∈ X such that x ≠ x' and H(x) = H(x').
A concrete dynamic GKE protocol
In this section, we present a new group key exchange protocol with the member joining/leaving functionality. Without loss of generality, let {U_{0}, U_{1}, U_{2},..., U_{ n }} be a set of participants who want to generate a group key in an imbalanced wireless network, where U_{0} is a powerful node and U_{1},..., U_{ n }are n mobile clients with the limited computing capability. Our proposed dynamic GKE protocol is depicted in Figure 1 and the detailed steps are described as follows.
Step 1: Each client U_{ i }(1 ≤ i ≤ n) selects a random value and computes . Then, each U_{ i }sends (U_{ i }, z_{ i }) to the powerful node U_{0}.
Step 2: The powerful node U_{0} first selects two random values r_{0}, r ∈ Z_{ q }* and computes . Upon receiving n pairs (U_{ i }, z_{ i }) (1 ≤ i ≤ n), U_{0} computes and y_{ i }= H(x_{ i }SID)⊕r for i = 1, 2,..., n. Finally, the powerful node U_{0} computes SK = H(ry_{1}y_{2}...y_{ n }SID) and broadcasts (U_{0}, y_{1}, y_{2},..., y_{ n }, z_{0}, SID) to all clients.
Step 3: Upon receiving the messages (U_{0}, y_{1}, y_{2},..., y_{n}, z_{0}, SID), each client U_{ i }(1 ≤ i ≤ n) can compute and uses r to obtain the group key SK = H(ry_{1}y_{2}...y_{ n }SID).
Member joining phase. Assume that a new client U_{n+1} wants to join the group. This phase is depicted in Figure 2 and the detailed steps are described as follows.
Step 1: Only the client U_{n+1}randomly selects a value and computes . Then, U_{n+1}sends (U_{n+1}, z_{n+1}) to the powerful node U_{0}.
Step 2: Upon receiving the pair (U_{n+1}, z_{n+1}), the powerful node U_{0} computes and selects a new value r' ∈_{ R }Z_{ q }*. Then, U_{0} computes for i = 1, 2,..., n+1 and . Finally, the powerful node U_{0} broadcasts to all clients.
Step 3: Upon receiving the messages , each client U_{ i }(1 ≤ i ≤ n) can compute and uses r' to obtain a new group key The client U_{n+1}first computes and to obtain the group key SK'.
Member leaving phase. Without loss of generality, we assume that the client U_{n+1} would like to leave the group. This phase is depicted in Figure 3 and the detailed steps are described as follows.
Step 1: The powerful node U_{0} first selects a new random value . Then, U_{0} computes for i = 1, 2,..., n and Finally, the powerful node U_{0} broadcasts to all other clients.
Step 2: Upon receiving the message each client U_{ i }(1 ≤ i ≤ n) can compute and uses r″ to obtain a new group key
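The three phases above as a runnable sketch, added here as an illustration and not the authors' code. It assumes the Diffie-Hellman forms z_i = g^{r_i} mod p and x_i = z_i^{r_0} = z_0^{r_i} mod p, a '|'-joined hash input, and a toy group; the subgroup check and the SID-reuse guard are additions (the protocol text only states that each session gets a unique SID).

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 2q + 1, g generates the order-q
# subgroup. Far too small for real use; a deployment needs a large safe prime.
P, Q, G = 2039, 1019, 4
assert P == 2 * Q + 1 and G != 1 and pow(G, Q, P) == 1


def H(*parts):
    """Hash the '|'-joined parts into Z_q* (the encoding is an assumption)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def rand_zq():
    return secrets.randbelow(Q - 1) + 1               # uniform in [1, q-1]


def check_element(z):
    """Reject values outside the order-q subgroup before exponentiating."""
    if not (1 < z < P and pow(z, Q, P) == 1):
        raise ValueError("not an element of G_q")
    return z


class Client:
    def __init__(self, name):
        self.name, self.r_i = name, rand_zq()
        self.z = pow(G, self.r_i, P)                  # assumed: z_i = g^{r_i}

    def derive(self, index, ys, z0, sid):
        x = pow(check_element(z0), self.r_i, P)       # assumed: x_i = z_0^{r_i}
        r = ys[index] ^ H(x, sid)                     # unmask r from y_i
        return H(r, *ys, sid)                         # SK = H(r, y_1..y_n, SID)


class Node:
    def __init__(self):
        self.r0 = rand_zq()
        self.z0 = pow(G, self.r0, P)                  # assumed: z_0 = g^{r_0}
        self.x = {}                                   # client name -> x_i
        self.used_sids = set()

    def add(self, name, z):
        self.x[name] = pow(check_element(z), self.r0, P)   # x_i = z_i^{r_0}

    def remove(self, name):
        del self.x[name]

    def rekey(self, sid):
        # Reusing an SID would reuse the mask H(x_i, SID): y_i XOR y_i' would
        # then equal r XOR r', tying the old and new session secrets together.
        if sid in self.used_sids:
            raise ValueError("SID reused")
        self.used_sids.add(sid)
        r = rand_zq()                                 # fresh r, r' or r''
        names = list(self.x)
        ys = [H(self.x[n], sid) ^ r for n in names]   # y_i = H(x_i, SID) XOR r
        return names, ys, H(r, *ys, sid)


def session(node, clients, sid):
    """One broadcast; returns the node's key, the keys clients derive, the roster."""
    names, ys, sk = node.rekey(sid)
    derived = {clients[n].derive(i, ys, node.z0, sid) for i, n in enumerate(names)}
    return sk, derived, names


def demo():
    node = Node()
    clients = {n: Client(n) for n in ("U1", "U2", "U3")}
    for c in clients.values():
        node.add(c.name, c.z)
    log = [session(node, clients, "SID-1")]           # initial agreement
    clients["U4"] = Client("U4")                      # join: one upload from U4
    node.add("U4", clients["U4"].z)
    log.append(session(node, clients, "SID-2"))       # everyone gets a new y_i'
    node.remove("U4")                                 # leave: node-side only
    log.append(session(node, clients, "SID-3"))       # no y_i'' issued for U4
    return node, log


if __name__ == "__main__":
    for sk, derived, names in demo()[1]:
        print(names, "agree:", derived == {sk})
```

Existing members never re-upload z_i on a join or leave; they only recompute one hash to unmask the fresh random value and one hash for the key, which matches the 2T_H client cost stated in the performance analysis.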
Security analysis
In this section, we demonstrate that our proposed GKE protocol can achieve the security requirements defined in 'Security requirements for dynamic GKE protocol' subsection that include withstanding passive attack, satisfying contributiveness and providing forward/backward secrecy.
Passive attacks
Theorem 1. Under the decision Diffie-Hellman assumption, the proposed group key exchange protocol is secure against passive attacks.
Proof. Assume that there exists an adversary A who tries to obtain information about the group key by eavesdropping on the messages transmitted over a public channel. Suppose that the adversary A may obtain all transmitted messages (z_{0}, z_{ i }, y_{ i }, SID) for i = 1, 2,..., n, where and . Here, we want to prove that the adversary A cannot get any information about the group key SK = H(ry_{1}y_{2}...y_{ n }SID). Under the decision Diffie-Hellman assumption, we prove that two tuples (z_{ i }, y_{ j }, SK = H(ry_{1}y_{2}...y_{ n }SID)) and (z_{ i }, y_{ j }, R_{1}) are computationally indistinguishable for 0 ≤ i ≤ n and 1 ≤ j ≤ n, where R_{1} ∈ G_{ q }.
By contradiction, we assume that the adversary A can, within polynomial time, efficiently distinguish (z_{ i }, y_{ j }, SK = H(ry_{1}y_{2}...y_{ n }SID)) and (z_{ i }, y_{ j }, R_{1}) for 0 ≤ i ≤ n and 1 ≤ j ≤ n. Then, we can construct an algorithm A_{1} that can efficiently distinguish a decision Diffie-Hellman (DDH) problem (u_{ a }, u_{ b }, ) from (u_{ a }, u_{ b }, R_{2}), where and for r_{ a }, and R_{2} ∈ G_{ q }. Without loss of generality, we set u_{ a }= z_{0} and u_{ b }= y_{1} as the inputs of the algorithm A_{1}. A_{1} selects n values t_{1}, t_{2},..., t_{ n }∈_{ R }Z_{ q }* and computes the following values:
and
Now, the algorithm A_{1} has constructed all (z_{ i }, y_{ j }) and then computes R_{1} = H(y_{1}⊕H(R_{2}SID)y_{1}y_{2}...y_{ n }SID) for 0 ≤ i ≤ n and 1 ≤ j ≤ n. Finally, A_{1} sends (z_{ i }, y_{ j }, R_{1}) to the adversary A.
The adversary A can determine whether SK is equal to R_{1}. If it is true, then This means that the algorithm A_{1} can run A as a subroutine to efficiently distinguish two tuples (u_{ a }, u_{ b }, ) from (u_{ a }, u_{ b }, R_{2}). This contradicts the decision Diffie-Hellman assumption. Thus, the proposed dynamic key exchange protocol is secure against passive attacks.■
Contributiveness
Theorem 2. By running the proposed group key exchange protocol, an identical group key is established by the group participants. Then, each participant may ensure that her/his contribution has been involved in the group key.
Proof. In the proposed protocol, after the powerful node U_{0} broadcasts (U_{0}, y_{1}, y_{2},..., y_{ n }, z_{0}, SID) to all clients, each client U_{ i }(1 ≤ i ≤ n) can use its own secret r_{ i }to compute the value r and then obtains an identical group key SK. Thus, this means that the following equations hold:
Set . It implies . Obviously, each y_{ i }includes the participant U_{ i }'s secret value r_{ i }for i = 1, 2,..., n. By the group key , each participant may ensure that her/his contribution has been involved in the group key SK. Therefore, our proposed GKE protocol provides contributiveness.■
To simplify the proofs of forward/backward secrecy for member joining/leaving, we first prove the following lemma.
Lemma 3. Assume that three secret parameters a, b, and c are randomly selected from Z_{ p }*. If a passive adversary knows two values H(a)⊕b and H(a)⊕c, then the secret b is uncomputable under the hash function assumption. Furthermore, the secret a is also uncomputable under the same assumption.
Proof. Note that if the passive adversary can get the secret b from U = H(a)⊕b and V = H(a)⊕c, then it implies that the adversary can obtain H(a) from U and V. In the following, we want to prove that the passive adversary is unable to get H(a) from U and V under the hash function assumption.
By contradiction, assume that there exists an algorithm A that can obtain the value H(a) from H(a)⊕b and H(a)⊕c within polynomial time. If the algorithm A cannot get a, then it is hard to find x = a such that H(x) = H(a) and x ≠ a such that H(x) = H(a) by the hash function assumption (ii). Thus, the algorithm A must get a. That is, there exists an algorithm A which is able to obtain the secret a from H(a)⊕b and H(a)⊕c within polynomial time.
Based on the algorithm A, we can construct another algorithm A_{1} which is able to get x from H(x) within polynomial time as follows. Set the value H(x) as input of the algorithm A_{1}. A_{1} executes the following procedures to obtain x:

(1) The algorithm A_{1} calls the algorithm A with the input H(x)⊕R, where R is a nonce.

(2) The algorithm A_{1} can obtain x from the algorithm A.
According to the above procedures, the algorithm A_{1} can get x from H(x) within polynomial time. This contradicts the one-way property of the hash function assumption. Therefore, no passive adversary can compute the secret b from H(a)⊕b and H(a)⊕c under the hash function assumption. Certainly, the secret a is also uncomputable under the same assumption.■
Forward secrecy
Theorem 4. Under the computation Diffie-Hellman (CDH) and the hash function assumptions, the proposed group key exchange protocol provides forward secrecy for member joining.
Proof. Assume that a new client U_{n+1}would like to join the group. According to the proposed protocol, U_{n+1}sends to the powerful node U_{0}. Then, U_{0} selects and computes with a new SID'. Finally, U_{0} broadcasts to all other clients. Hence, all participants can compute a new group key , where .
Here, we want to prove that the client U_{n+1}cannot compute the previous group key SK = H(ry_{1}...y_{ n }SID). We may assume that U_{n+1}has recorded the previous transmitted messages for i = 1, 2,..., n. Obviously, if U_{n+1}can get the value r or x_{ i }for some i ∈ {1, 2,..., n}, then the key SK can be computed. Hence, we want to prove that the following two cases do not occur.
Case I. U_{n+1} can obtain x_{ i }from z_{ i }(0 ≤ i ≤ n). Due to , given a tuple , it is hard to compute , by the computational Diffie-Hellman (CDH) assumption. Thus, U_{n+1} obtaining x_{ i }from z_{ i }is impossible.
Case II. U_{n+1} can get the value r or x_{ i }from (y_{ i }, , SID, SID') for i = 1, 2,..., n, where and . Without loss of generality, we set a = x_{ i }SID = x_{ i }SID', b = r, and c = r' such that y_{ i }= H(a)⊕b and . By Lemma 3, we have proven that the values a and b are uncomputable under the hash function assumption. Thus, to obtain the value r or x_{ i }is also impossible.
Therefore, the client U_{n+1}cannot compute the previous group key SK by Cases I and II. This means that the proposed group key exchange protocol provides forward secrecy.■
Backward secrecy
Theorem 5. Under the computation Diffie-Hellman (CDH) and the hash function assumptions, the proposed dynamic group key exchange protocol provides backward secrecy for member leaving.
Proof. Without loss of generality, we assume that an old client U_{n+1} wants to leave the group. According to the proposed protocol, the powerful node U_{0} selects a new random value and computes with a new SID". Then, U_{0} broadcasts to all other participants. Hence, all participants can compute a new group key
Here, we prove that the client U_{n+1}cannot compute the later group key We may assume that U_{n+1}has recorded all transmitted messages for i = 1, 2,..., n, where . Due to the key and , if U_{n+1}can get the value r″ or x_{ i }for some i ∈ {1, 2,..., n} then SK″ can be computed. However, U_{n+1}cannot obtain the values r″ and x_{ i } from by the similar method in the proof of Theorem 4. Thus, the client U_{n+1}cannot compute the later group key SK″. Finally, the proposed group key exchange protocol provides backward secrecy.■
Performance analysis and discussions
To analyze the performance of our proposed dynamic GKE protocol, we first define the following notations:

T_{exp}: The time of executing a modular exponentiation operation.

T_{inv}: The time of executing a modular inverse operation.

T_{mul}: The time of executing a modular multiplication operation.

T_{ H }: The time of executing a one-way hash function operation.

m: the bit length of a transmitted message m.
Here, let us discuss the computational cost for each client U_{ i }(1 ≤ i ≤ n). In Step 1, the client U_{ i }computes z_{ i }, thus it requires T_{exp}. Upon receiving (U_{0}, y_{1}, y_{2},..., y_{ n }, z_{0}, SID), the client U_{ i }computes r and then uses r to obtain the group key SK, thus T_{exp} + 2T_{ H } is required in Step 3. The required computational cost for each client U_{ i }is 2T_{exp} + 2T_{ H }. Considering the computational cost of the powerful node, the powerful node might be regarded as a wired gateway with fewer computing restrictions. In Step 2 of the proposed protocol, the powerful node U_{0} computes z_{0}, x_{ i }and y_{ i }for i = 1, 2,..., n. Then the powerful node U_{0} computes SK. In total, it requires (n + 1)T_{exp} + (n + 1)T_{ H }. Furthermore, let us discuss the computation cost required for member joining/leaving. The powerful node's computation cost for joining and leaving is T_{exp} + (n + 2)T_{ H } and (n + 1)T_{ H }, respectively. Each client's computation cost for joining/leaving is 2T_{ H }, except for the joining client.
In Table 1, we compare our GKE protocol with the recently proposed GKE protocols [20, 22] in terms of the number of rounds, the computational cost and the communication complexity required for each client, the powerful node, and the dynamic member joining/leaving, respectively. It is easy to see that the performance of our GKE protocol is better than Nam et al.'s [20] and the Chuang-Tseng [22] GKE protocols. Meanwhile, our GKE protocol also provides the member dynamic joining/leaving functionality and satisfies contributiveness.
Since Nam et al.'s protocol [20], the Chuang-Tseng protocol [22], and our proposed protocol are non-authenticated GKE ones, they must rely on an authenticated channel or apply other schemes to provide authentication like the Katz-Yung compiler [12]. Applying their compiler to a non-authenticated GKE protocol transforms the protocol into an authenticated GKE. Nevertheless, it adds a new round, one signature generation, and n − 1 signature verifications for each client. Thus, the computational cost is too expensive for each mobile client. The other option is that each client need not authenticate the other clients. It only authenticates the powerful node. Certainly, the powerful node must be trusted. Then, it requires a single signature generation and verification for each client. Naturally, the powerful server will additionally add one signature generation and n − 1 signature verifications. Fortunately, in some known wireless network environments such as cellular mobile networks [3] and wireless local area networks [1], clients must be authenticated before they connect to the network. In addition, the powerful node may apply some existing authentication protocols [23–25] to authenticate the mobile client in advance.
Conclusions
In this article, we have proposed a new dynamic GKE protocol for wireless network environments. Under the decision Diffie-Hellman (DDH), the computation Diffie-Hellman (CDH), and the hash function assumptions, we have proven that the proposed protocol is secure against passive attacks and provides forward/backward secrecy for member joining/leaving. Meanwhile, we have proven that the proposed protocol satisfies contributiveness. As compared with the recently presented GKE protocols, we have demonstrated that our protocol provides better performance in terms of computational cost, round number, and communication cost.
Abbreviations
CDH: computation Diffie-Hellman
DDH: decision Diffie-Hellman
GKE: group key exchange
PDA: personal digital assistant.
References
1. ANSI/IEEE. Wireless LAN media access control (MAC) and physical layer (PHY) specifications. ANSI/IEEE Std 1999 802.11: 1999 (E) Part 11, ISO/IEC 8802-11
2. Perkins C: Ad Hoc Networking. Addison-Wesley, MA; 2001.
3. GPRS: General packet radio services (GPRS) service description (stage 2). 2002.
4. Akyildiz I, Su W, Sankarasubramaniam Y, Cayirci E: A survey on sensor networks. IEEE Commun Mag 2002, 40(8):102-114. 10.1109/MCOM.2002.1024422
5. Phan T, Huang L, Dulan C: Challenge: integrating mobile wireless devices into the computational grid. Proceedings of MOBICOM' 02 2002, 271-278.
6. Yang H, Luo H, Ye F, Lu S, Zhang L: Security in mobile ad hoc networks: challenges and solutions. IEEE Wireless Commun 2004, 11(1):38-47. 10.1109/MWC.2004.1269716
7. Ingemaresson I, Tang TD, Wong CK: A conference key distribution system. IEEE Trans Inform Theory 1982, 28(5):714-720. 10.1109/TIT.1982.1056542
8. Diffie W, Hellman ME: New directions in cryptography. IEEE Trans. Inform. Theory 1976, 22(6):644-654.
9. Bresson E, Manulis M: Contributory group key exchange in the presence of malicious participants. IET Inform Security 2008, 2(3):85-93. 10.1049/ietifs:20070113
10. Burmester M, Desmedt Y: A secure and efficient conference key distribution system. Inform. Process. Lett 2005, 94(3):137-143.
11. Katz J, Shin JS: Modeling insider attacks on group key exchange protocols. Proceedings of CCS' 05 2005, 180-189.
12. Katz J, Yung M: Scalable protocols for authenticated group key exchange. J Crypt 2007, 20: 85-113. 10.1007/s0014500603615
13. Tseng YM: A robust multi-party key agreement protocol resistant to malicious participants. Comput J 2005, 48(4):480-487. 10.1093/comjnl/bxh111
14. Ateniese G, Steiner M, Tsudik G: New multi-party authentication services and key agreement protocols. IEEE J Select Areas Commun 2000, 18(4):628-639. 10.1109/49.839937
15. Bresson E, Chevassut O, Pointcheval D: Dynamic group Diffie-Hellman key exchange under standard assumptions. Proceedings of EUROCRYPT' 02 2002, 321-336. LNCS 2332
16. Steiner M, Tsudik G, Waidner M: Diffie-Hellman key distribution extended to group communication. Proceedings of CCS' 96 1996, 31-37.
17. Steiner M, Tsudik G, Waidner M: Key agreement in dynamic peer groups. IEEE Trans. Parallel Distribut. Syst 2000, 11(8):769-780.
18. Boyd C, Nieto G: Round-optimal contributory conference key agreement. Proceedings of PKC' 03 2003, 161-174. LNCS 2567
19. Bresson E, Chevassut O, Essiari A, Pointcheval D: Mutual authentication and group key agreement for low-power mobile devices. Comput. Commun 2004, 27(7):1730-1737.
20. Nam J, Lee J, Kim S, Won D: DDH-based group key agreement in a mobile environment. J Syst Softw 2005, 78(1):73-83.
21. Tseng YM: A resource-constrained group key agreement protocol for imbalanced wireless networks. Comput Security 2007, 26(4):331-337. 10.1016/j.cose.2006.12.001
22. Chuang YH, Tseng YM: An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int J Netw Manage 2010, 20(4):167-180.
23. Arkko J, Haverinen H: EAP AKA authentication. Draft-Arkko-Pppext-Eap-Aka-11, IETF 2003.
24. Tseng YM: GPRS/UMTS-aided authentication protocol for wireless LANs. IEE Proc Commun 2006, 153(6):810-817. 10.1049/ipcom:20050366
25. Tseng YM: USIM-based EAP-TLS authentication protocol for wireless local area networks. Comput Stand Interfaces 2009, 31(1):128-136. 10.1016/j.csi.2007.11.014
26. Boneh D: The decision Diffie-Hellman problem. Proceedings of 3rd Algorithmic Number Theory Symposium 1998, 48-63.
27. Shoup V: Lower bounds for discrete logarithms and related problems. Proceedings of Advances in Cryptology - Eurocrypt' 97 1997, 256-266.
28. NIST/NSA FIPS 180-2: Secure Hash Standard (SHS). NIST/NSA, Gaithersburg, MD; 2005.
Acknowledgements
This research was partially supported by National Science Council, Taiwan, ROC, under contract no. NSC972221E018010MY3.
Competing interests
The authors declare that they have no competing interests.
Wu, T., Tseng, Y. & Yu, C. Two-round contributory group key exchange protocol for wireless network environments. J Wireless Com Network 2011, 12 (2011). https://doi.org/10.1186/16871499201112
Keywords
 Group key exchange
 Dynamic
 Wireless network
 Diffie-Hellman assumption