Skip to main content

Anonymous authentication scheme based on identity-based proxy group signature for wireless mesh network


Access security is the key obstacle of the rapid popularization of wireless mesh network (WMN). We suggest the proxy group signature scheme based on identity in this paper. This scheme is combined with proxy group signature and identity-based group signature, based on designated hierarchical proxy architecture for WMN. An anonymous mutual authentication scheme is thus achieved, which not only simplifies the complex management of PKI but also guarantees anonymous authentication and owns high handover authentication efficiency. Performance and security analysis show that the scheme in this paper is efficient and resilient to a series of security and anonymity attacks.

1 Introduction

Compared with traditional wireless self-organized network (MANET), wireless mesh network (WMN) owns higher reliability, larger data throughput, and lower disturbance, as well as stronger scalability due to its unique mesh structure. As a result, WMN is able to provide high-speed wireless access service for mobile users in a wide area. WMN is now attracting more and more attentions in both academia and industry [1].

WMN is a kind of wireless multi-hop radio network, whose promotion and deployment depend heavily on security issues relative to cable network and WLAN [2]. To keep malicious nodes from accessing and provide reliable service to WMN users, two-way authentication between mesh client (MC) and access network is necessary and becomes the foundation of the whole WMN security [3]. However, users’ privacy information is always carried in the authentication signaling. So to protect user’s privacy is important during mutual authentication in the research of WMN access security [2].

For the past few decades, scholars have lots of researches in WMN access security, which aim at achieving safe and efficient access authentication systems. In Ref [4], the authors applied identity-based encryption and signature scheme to WMN access authentication. Mutual authentication is adopted between MC and authentication server without the protection of MC’s privacy. Ref [5]’s authors utilized Tor (The Onion Router Protocol) to protect the security of WMN router and the privacy of MC. But access authentication is ignored. Moreover, the extra-expense for saving and maintaining a routing table made the scheme not profitable. The authors of Ref [6] adopted Ring Signature for WMN anonymous authentication and communication. However, each MR needs to manage two certificates, which results in extra-burden. Besides, the cost for handling ring signature during authentication is large.

We proposed a new scheme, which is the combination of proxy group signature and identity-based group signature, based on designated hierarchical proxy architecture for WMN. An anonymous mutual authentication scheme is thus achieved, which not only simplifies the complex management of PKI but also guarantees anonymous authentication and owns high handover authentication efficiency. Security and performance analysis show that our scheme is efficient and is resilient to a series of security and anonymity attacks.

Our paper is organized as follows. Section 2 reviews the cryptographic primitives. The identity-based proxy group signature scheme was presented in Section 3. The anonymous access authentication scheme with different roaming is in Section 4. We provide security and performance analysis in Section 5. Last, we make the conclusion in Section 6.

2 Preliminaries

2.1 Bilinear pairings

G 1, G 2, and G T are groups of the same prime order q. Consider that discrete logarithm problem(DLP) is hard in G 1, G 2, and G T [8]. A bilinear paring can be defined if the mapping e: G 1×G 2G T satisfying the following properties.

  1. (1)


    \(e\left ({g_{1}^{a}},{g_{2}^{b}}\right) = e{({g_{1}},{g_{2}})^{ab}}\) if g 1G 1, g 2G 2, \(a,b \in Z_{q}^{*}\);

  2. (2)


    e(g 1,g 2)ab≠1 T if 1 T is a generator of group G T .

  3. (3)


    As how to compute e(g 1,g 2)G T , there existed an efficient algorithm.

2.2 Hard problems and security assumptions

G 1 and G 2 are cyclic groups of prime order q, and P is a generator of group G 1. For bilinear pairing e:G 1×G 1G 2 as well as \(a,~b,~c,~x,~y \in Z_{q}^{*}\), the assumptions that related to this paper are described as followings.

  1. (1)

    Computational Diffie-Hellman (CDH) problem:

    Sample: (P,a,P b P) for some \(a,b \in Z_{q}^{*}\)

    Output: abP

  2. (2)

    CDH assumption:

    There does not exist an efficient PPT (probabilistic polynomial time) algorithm in G 1 to solve CDH problem.

  3. (3)

    Decisional Diffie-Hellman (DDH) problem:

    Sample: (P,a P,b P,c P) for some \(a,b,c \in Z_{q}^{*}\)

    Output: True if c=a b m o d q and false if otherwise.

  4. (4)

    Gap Diffie-Hellman (GDH) group:

    If there exists an efficient PPT algorithm to solve the DDH problem and no PPT algorithm to solve the CDH problem, then G 1, a prime group, is defined as a GDH group.

  5. (5)

    q-Strong Diffie-Hellman (q-SDH) problem:

    Instance: q+1 tuple <P,x P,x 2 Px q P> belongs to GDH group G 1.

    Output: \(\left (y,\frac {1}{{x + y}}P\right)\).

  6. (6)

    q-SDH assumption:

    There does not exist an efficient PPT algorithm to solve q-SDH problem.

  7. (7)

    Bilinear Diffie-Hellman (BDH) problem:

    Instance: (P,a P,b P,c P) in random

    Output: e(P,P)abc

  8. (8)

    BDH assumption:

    No efficient PPT algorithm exist here to solve BDH problem under the condition <G1,G2,e>.

2.3 Certificate-based signature

Based on the certificate-based encryption (CBE) scheme [7, 11], Kang et al. presented certificate-based signature(CBS) scheme. First of all, users’ public and private keys are generated by public parameters. Then users apply certificates from CA as part of temporary signing key. And it addressed the key escrow problem. Besides, it is not necessary to establish the secure channel between users and CA. The process of CBS is described as below.

  1. (1)


    Given cyclic groups G 1 and G 2 generated by CA and the bilinear pairing e:G 1×G 1G 2; CA computes system public key P K c =S c P after choosing generator PG 1 and random private key \(S_{C} \in Z_{q}^{*}\); CA selects two hash functions H 1:{0,1}G 1, \({H_{2}}:{\{ 0,1\}^{*}} \times {G_{1}} \to Z_{q}^{*}\). (G 1,G 2,e,q,P,P K C ,H 1,H 2) is published.

  2. (2)


    Users select their own private key \({S_{A}} \in Z_{q}^{*}\) randomly to compute public key P K A =S A P.

  3. (3)


    Users send their P K A and authentication information(such as ID A ) to CA to verify their identity. If valid, CA calculates P A =H 1(P K C ||P K A ||ID A )G 1 then generates certificate Cert A =S C P A which is sent to users.

  4. (4)


    Users compute \(P_{A}^{'} = {H_{1}}(P{K_{A}}||\text {ID}{_{A}}) \in {G_{1}}\) and \({S_{A}} = {S_{C}}{P_{A}} + {S_{A}}P_{A}^{'} = \text {Cert}{_{A}} + {S_{A}}P_{A}^{'}\).

  5. (5)


    Given message m, users select \(r \in Z_{q}^{*}\) and generate the signature σ=(U 1,U 2,V), where \(U_{1} = {rP}_{A},U_{2}={rP}_{A}^{'},h = {H_{2}}({U_{1}},{U_{2.}},m)\), and \(V = (r + h){S_{A}} = (r + h)({S_{C}}{P_{A}} + {S_{A}}P_{A}^{'})\).

  6. (6)


    Verifier will check whether \(e(P{K_{C}},{U_{1}} + h{P_{A}})e(P{K_{A}},{U_{2}} + {hP}_{A}^{'}) = ?e(P,V)\) when given the signature σ to confirm the validity of σ. Returns 1 if valid, else returns 0.

3 Identity-based proxy group signature

Identity-based Proxy Group Signature (IPGS) scheme is the combination of proxy group signature [9] and identity-based group signature [10]. In IPGS, the signing rights can be delegated in turn from the initial signer to proxy signer then to group manager. Anyone in this group can sign a message for the initial signer. As for the verifier, the only thing he can do is to verify the validity of a signature but cannot tell which specific group member generates the signature. The group manager is responsible for setting up the group. When dispute happens, only the group manager can disclose signer’s real identity. The process of IPGS is described as following.

  1. (1)


    Original signer generates two cyclic groups G 1 and G 2 of prime order q and the bilinear pairing \(\phantom {\dot {i}\!}e:{G_{1}} \times {G_{1}} \to {G_{2}}\). Then he selects a generator PG 1 and random number \(\phantom {\dot {i}\!}{S_{O}} \in Z_{q}^{*}\) as private key. The corresponding public key P K O =S O P ; Three hash functions \(\phantom {\dot {i}\!}{H_{1}}:{\{ 0,1\}^{*}} \to {G_{1}}, {H_{2}}:{\{ 0,1\}^{*}} \times {G_{1}} \to {G_{1}}\), and \({H_{3}}:{G_{1}} \to {G_{1}}\phantom {\dot {i}\!}\) are also selected. (G 1,G 2,e,q,P,P K O ,H 1,H 2,H 3) is published.

    Proxy signer selects private key \({S_{D}} \in Z_{q}^{*}\) and figures out the public key P K D =S D P. Group manager selects group private key \({S_{g}} \in Z_{q}^{*}\) and computes group public key P K g =S g P.

  2. (2)


    Original signer generates the \(\phantom {\dot {i}\!}\text {warrant}\text {auth}^{'} = {S_{O}}{H_{3}}({PK}_{D})\) which is sent to proxy signer. Proxy signer verifies \(\phantom {\dot {i}\!}\mathrm {auth^{'}}\) through

    \(\phantom {\dot {i}\!}e(P,\mathrm {auth^{'}}){ =}{?}e{(}{PK}_{O},H_{3}{(}{PK}_{D}{)}{)}\), then computes another \(\text {warrant}\text {auth} = S_{D}H_{3}({PK}_{g}) + \mathrm {auth^{'}}\phantom {\dot {i}\!}\) for group manager.

  3. (3)


    It is necessary to execute the following protocol if a user (group member) wants to join a group.

    \(r \in Z_{q}^{*}\) was the long-term private key selected by the group member and then it figures out the public key Q ID=H 1(ID); Group member sends ID,r P to group manager to compute S ID=S g H 2(Q ID||r P). Then group manager distributes S ID and auth to group member through secure channel; (S ID,r) is the group member’s private key; the public key is Q ID.

    Group member selects \({x_{i}} \in Z_{q}^{*}, i=1,2,...k\) and sends ID,S ID,r P,x i P, and r x i P to group manager through secure channel.

    Group manager verifies S ID=?S g H 2(Q ID||r P) and e(r x i P,P)=?e(x i P,r P). If successful, group manager sends S i =S g H 2(T||r x i P) to user. T presents the life cycle of the private key. User needs to update the private key if T is expired. (S i ,r x i P) is the user’s group signing key.

  4. (4)


    Signer signs the message m through computing

    U=r x i P,V=r x i H 2(Q ID||T||U),H=H 2(m||V) and W=r x i H+S i then generates signature σ=(U,V,W,T). σ and along with warrant auth will be sent to verifier by signer.

  5. (5)


    If T is fresh, verifier verifies auth first by checking

    e(P,a u t h)=?e(P K P ,H 3(P K DM ))e(P K DM ,H 3(P K g )).

  6. (6)


    If auth is successfully tested, verifier computes Q=H 2(T||U),H=H 2(m||V) then verifies the signature by checking e(P,W)=?e(P K g ,Q)e(U,H). If the equation holds, returns 1, else returns 0.

IPGS is the foundation of our proposed scheme in this paper to achieve anonymous access authentication. In Ref. [9], authors show that IPGS is safe under q-SDH assumption. IPGS simplifies the management and maintenance of the certificate for both signer and verifier.

4 Anonymous access authentication scheme

4.1 Proxy-based hierarchical network architecture

The relevant notations and explanations used in our scheme are shown in Table 1.

Table 1 Notations and explanations

We present a proxy-based hierarchical network architecture shown as Fig. 1 [12]. TR is the first layer. As the architecture’s root trust, TR generates public parameter and distributes warrant to the second-layer entities, Domain Managers(DMs).

Fig. 1
figure 1

Proxy-based hierarchical network architecture

After getting the warrant from TR, DM delegates the signing rights to the third-layer entities, a quantity of WMN groups which includes GW, several mesh routers and MCs. As the manager of a WMN group, GW holds the group master key and allocates private key for every member in the group. Besides, GW issues the certificates for legitimate roaming users.

4.2 Trust model

As shown in Fig. 2, our trust model is set up under the hierarchical network architecture. The following trust assumptions are given. (1) TR is trusted by all the entities of the network. (2) There is no trust between DMs in different domain. (3) GWs in the same domain own mutual trust to each other. (4) Within the same WMN group: GW and MR trust each other. MC trusts GW and MR in the same group. MC trusts all the GW’s public keys in the same group. (5) MC does not trust the entities in the access WMN group, vice versa. The main goal of our authentication scheme is to establish trust between MC and the access network.

Fig. 2
figure 2

Trust model

4.3 Adversary model

In this paper, we assume that adversary owns the ability to launch both active and passive attacks. The adversary can break all the nodes and eavesdrop all the communications between nodes in our network. While it does not mean that the adversary holds boundless information stealing and computing capacity. In other words, the adversary cannot guess the private key of the relevant nodes and decrypt the ciphertext or fake the digital signature of intercepted message. It implies that CDH, BDH, and q-SDH assumptions are effective for the adversary.

4.4 Intra-domain authentication protocol

We design intra-domain authentication protocol with the help of IPGS, CBS, and BF scheme [13]. The protocol includes initial authentication protocol as well as handover authentication protocol.

4.4.1 System initialization

As a root trust, TR generates system public parameter \(\text {Param} = \{ {G_{1}},{G_{2}},e:{G_{1}} \times {G_{1}} \to {G_{2}},P \in {G_{1}},P{K_{TR}},{H_{1}}:{\{0,1\}^{*}} \to {G_{1}},{H_{2}}:{\{ 0,1\}^{*}} \times {G_{1}} \to Z_{q}^{*},{H_{3}}:{G_{1}} \to {G_{1}},{H_{4}}: {\{ 0,1\}^{*}} \times {\{ 0,1\}^{*}} \to Z_{q}^{*},{H_{5}}:{G_{1}} \times {G_{1}} \to {G_{2}}\} \)for IPGS, CBS, and BF. At the same time, TR publishes Param for all the entities in the system. Assume that DM and GW have completed IPGS. Auth and get warrants before MC’s roaming. Besides, entities in the third layer have completed IPGS.join and obtain the corresponding warrant and public/private keys.

4.4.2 Initial authentication protocol

It will trigger the initial authentication protocol when MC leaves its WMN group for another WMN group in the same domain. In Fig. 1, MC moves from WMN1 to WMN2 and connects with MR2. It is necessary for MC and MR2 to execute mutual authentication protocol. The details of the protocol are described in Fig. 3.

  1. (1)

    MR 2→MC{PKMR2,PK g2,authMR2,PKDM1}

    Fig. 3
    figure 3

    Initial authentication protocol

    MR2 broadcasts PKMR2,PK g2, PKDM1,a u t h M R2 to MC. After the message was received, MC chooses \({\mathrm {M{C_{CBS\_SK}}}} = S \in Z_{q}^{*}\) and figures out

    MC C B S_P K =SP,δ 1=SIGN_IPGS(T S 1),c 1=ENCR_BF_GW 2(g a),c 2=ENCR_BF_MR 2(c 1), where TS1 is the current time stamp, g a is the key negotiation parameter. MC sends

    P K g1, c 2,δ 1,MC C B S_P K ,PK MC ,TS 1 to MR 2.

  2. (2)

    MC→MR 2{P K g1,c 2,δ 1,MC C B S_P K ,TS 1}

    MR 2 checks TS 1’s freshness after receiving the access authentication message from MC. If TS 1 is fresh, c 2 will be decrypted by MR 2 to get c 1. Then c 1,MC C B S_P K will be sent to GW 2. MR 2 verifies group signature δ 1 through IPGS.Verify-sign. If δ 1 is legitimate, MC is regarded as a legal user by MR2.

  3. (3)

    MR 2G W 2{c 1,M C C B S_P K }

    While getting the message from MR 2,G W 2 decrypts c 1 to get g a. GW2 generates negotiation parameter g b and \({\text {CERT\_MC}}\_{g_{2}} = {S_{g2}}{P_{A}}\), where P A =H 1(PK G W2||MC C B S_P K ). G W 2 derives shared key K GW2−MC=g ab and \({c_{3}} =S{E_{{K_{\mathrm {GW2 - MC}}}}}({\text {CERT\_MC\_}}{{\mathrm {g}}_{{2}}})\phantom {\dot {i}\!}\). c 3,g b are then sent to M R 2. Meanwhile, G W 2 stores K GW2−MC.

  4. (4)

    GW 2→MR 2{c 3,g b}

    M R 2 transfers c 3,g b to MC after receiving the message from G W 2.

  5. (5)

    MR 2M C{c 3,g b}

    When getting message from M R 2, MC computes the shared key K GW2−MC=g ab and uses it to decrypt c 3 and then to get CERT_MC_g2. If the certificate is normally decrypted, MC makes sure to access to a legitimate WMN. MC also computes CBS’s signing key \({\mathrm {M{C_{CBS\_SK\_SIGN}}}} = {\text {CERT\_MC}}\_{g_{2}} + {\mathrm {M{C_{CBS\_SK}}}}P_{A}^{'}\), where \(P_{A}^{'} = {H_{1}}(\mathrm {M{C_{CBS\_PK}}})\). Finally, MC stores \(P_{A}^{'}\) and K GW2−MC.

4.4.3 Handover authentication protocol

When MC roams from one MR to another in the same WMN group, handover authentication protocol should be executed between MC and new access MR. As shown in Fig. 1, when moving from MR 2 to MR 3 in WMN 2, MC needs to take handover authentication with MR 3 following the steps in Fig. 4.

  1. (1)

    {R 3M C{PKMR3,PK g2,authMR3,PKDM1}

    Fig. 4
    figure 4

    Handover authentication protocol

    M R 3 broadcasts PKMR3, PKg2, PKDM1 to MC. MC computes δ 2=SIGN_CBS(TS 2), c 4=ENCR_BF_PK M R3(g c), where T S 2 is the current time stamp, g c is the key negotiation parameter. MC then sends \({\mathrm {M{C_{CBS\_PK}}}}, {\delta _{\mathrm {2}}}, c_{4}, {\mathrm {{TS}_{2}}}\) to M R 3.

  2. (2)

    MC→MR 3{MC C B S_P K ,δ 2,c 4,TS 2}

    M R 3 will check the freshness of T S 2 when received the authentication message from MC. If T S 2 is fresh, M R 3 verifies δ 2 through CBS.Verify. If δ 2 is valid, M R 3 regards MC as a legal user. M R 3 decrypts c 4 and chooses g d as the key negotiation parameter. M R 3 computes

    \(\phantom {\dot {i}\!}{K_{\mathrm {MR3 - MC}}} = {g^{cd}}, {c_{5}} = S{E_{{K_{\mathrm {GW2 - MC}}}}}(P{K_{\mathrm {MR3}}})\). M R 3 then sends g d,c 5 to MC and stores K MR3−MC.

  3. (3)

    MR 3→MC{g d,c 5}

    MC computes K MC−MR3=g cd when receiving message from M R 3 and decrypts c 5 with its private key. If the plaintext includes P K MR3, MC confirms to access a legitimate network. Finally, MC keeps K MC−MR3.

4.5 Inter-domain authentication protocol

When MC leaves its own WMN for another in the different domain,it needs to take inter-domain authentication with the access WMN. As Fig. 1 shows, MC leaves WMN2 in domain1 for WMN3 in domain2 and connects with MR4, and it needs to complete mutual authentication with MR4. The difference between inter-domain authentication protocol and initial authentication protocol is whether to verify the group public key of the other group. In our roaming scenario, MC and MR4 should utilize IPGS.Verify-auth to verify P K g3 and P K g1, respectively, during inter-domain authentication. While the other procedures are totally the same as initial authentication protocol.

5 Discussion

5.1 Security analysis

According to Fig. 1, we make security analysis of our scheme in terms of reliability, traceability, anonymity, and unforgeability.

5.1.1 Reliability

First, adversary could not decrypt c 1 =ENCR_BF_PK G W2(g a) if he does not know \(\mathrm {G{W_{2BF\_SK}}}\) due to the fact that BF is safe under BDH assumption during initial authentication [13]. Thus, adversary cannot get g a. He cannot negotiate correct shared key with MC. So GW2 is legitimate. Similarly, adversary could not decrypt c 2=ENCR_BF_PK M R2(c 1) if he does not know \({\mathrm {M{R_{2BF\_SK}}}}\). Then GW2 cannot get c 1. So MR2 is legitimate. Besides, adversary cannot generate a legitimate group signature if he does not know \({\mathrm {M{C_{IPGS\_SK}}}}\) due to the security of IPGS under q-SDH assumption [9]. So MC is legitimate. In conclusion, our initial authentication protocol is reliable.

Second, adversary could not decrypt c 4 = ENCR_BF_PK M R3(g c) if he does not know \({\mathrm {M{R_{3BF\_SK}}}}\) during handover authentication. Thus, he cannot get g c. As a result, adversary cannot negotiate correct shared key with MC. So MR 3 is legitimate. Meanwhile, adversary could not generate legitimate certificate-based signature if he does not get \({\mathrm {M{C_{CBS\_SK}}}}\) or MC does not obtain CERT_MC_g 2 [11]. So MC is legitimate. To sum up, our handover authentication protocol is reliable.

Finally, the analysis of reliability of inter-domain authentication protocol is the same as initial authentication protocol.

5.1.2 Traceability

When a MC behaves illegally in a certain visiting WMN, the group manager(GM) should be equipped with the ability to disclose the real identity of that MC.

To achieve the traceability goal, GM first sends group signature δ 1=SIGN_IPGS(TS 1) to the GM of MC’s home WMN group who is able to open δ 1 and trace the real identity of MC with the clue of U=r x i P.

5.1.3 Anonymity

During initial authentication and inter-domain authentication process, access network can verify MC by checking whether the group signature δ 1=SIGN_IPGS(TS 1) is legal or not. The access network only knows which group MC belongs to but cannot tell MC’s real identity information. MC’s privacy is thus guaranteed. Access network verifies MC through δ 2=SIGN_CBS(TS 2) to handover authentication. We modify the CBS certificate as \({\text {CERT\_MC}}\_{g_{2}} = {S_{g2}}{P_{A}}, {P_{A}} = {H_{1}}({\mathrm {P{K_{GW2}}}}||{\mathrm {M{C_{CBS\_PK}}}})\). MC’s privacy is guaranteed since no identity information is included in the certificate.

5.1.4 Unforgeability

First, only TR can generate DM’s warrant. Adversary cannot compute legitimate warrant if he does not know TR’s private key. Only DM who obtain warrant form TR can compute WMN group’s warrant. Adversary cannot compute legitimate warrant if he does not know DM’s private key. Hence, warrant is unforgeable on the basis of private key’s security.

Second, only legitimate group member owns private key issued by GM to generate legitimate group signature. Adversary cannot compute legitimate group signature if he does not know group member’s private key. As a result, group signature is unforgeable on the basis of private key’s security.

Finally, only MC can generate legitimate CBS signature. Adversary cannot compute legitimate CBS signature if he does not know \(\mathrm {M{C_{CBS\_SK}}}\). Consequently, CBS signature is also unforgeable on the basis of private key’s security.

5.2 Performance analysis

We use NS2 (Network Simulation version2) [1417] to simulate ad hoc on-demand distance vector routing (AODV) protocol, our proposed scheme(HPAA) and JSEN [6]. We analyze the access authentication efficiency of these schemes in terms of handover delay.

According to the scenario defined in Fig. 1, the experimental environment is constructed within a rectangular area of 1000 m × 1000 m as shown in Fig. 5. MAC layer is assumed to be 802.11 MAC protocol. AODV is adopted as routing protocol. The simulation is under wireless environment as AODV does not support promiscuous mode between cable and wireless. FTP traffic flow is built between MC and CN through TCP at application layer, which begins at 1.0 s and finishes at 88.0 s. When simulation begins, MC moves from MR1 to MR4 at the speed of 10 m/s. The simulation time is 90 s. In the whole simulation, MC handovers three times. (1) MC moves from MR1 to MR2. Initial authentication protocol is executed among MC, MR2, and GW2; (2) MC leaves MR2 for MR3. Handover authentication occurs between MC and MR3; (3) MC moves on from MR3 to MR4. Inter-domain authentication protocol is triggered.

Fig. 5
figure 5

NS2 simulation scenario

5.2.1 Handover delay analysis

Handover delay is defined as a kind of communication interrupt between CN and MC when handover occurs. Handover delay can be analyzed through the serial number and receiving time of the TCP packet from CN to MC. Simulations are done for AODV, JSEN, and HPAA to observe their differences in handover delay. In order to eliminate the error and interference, all the experimental results are the average value of 20 times’ simulation.

Figure 6 shows the results when MC handovers for the first time. The handover delay of AODV, JSEN, and HPAA is 1.2, 2.1, and 1.8 s, respectively. Figure 7 shows the simulation results when MC handovers for the second time. The handover delay of AODV, JSEN, and HPAA is 1.1, 1.7, and 1.5 s, respectively. Figure 8 shows the simulation results while MC handovers for the third time. The handover delay of AODV, JSEN, and HPAA is 1.2, 2.2, and 2.1 s, respectively.

Fig. 6
figure 6

Relationship between serial number and receiving time (first handover)

Fig. 7
figure 7

Relationship between serial number and receiving time (second handover)

Fig. 8
figure 8

Relationship between serial number and receiving time (third handover)

From the above results, we can draw the following conclusions. Mutual authentication is introduced in HPAA and JSEN together with some specific signature scheme for privacy protection. Compared with AODV, which has no concern of privacy-preserved authentication, the handover delay of HPAA and JSEN is obviously higher. However, the handover delay of HPAA is superior to JSEN, even approaches AODV with average 0.6 s higher, due to the introduction of CBS, shared-key negotiation method, and other optimizations during the handover authentication procedure.

6 Conclusions

Our scheme is different from other similar works because we combined the proxy group signature and identity-based group signature. And it has high efficiency and has less expense for saving and maintaining a routing table.

In this paper, we propose a proxy-based authentication scheme which is aimed at anonymous authentication for WMN. The scheme owes the following advantages.

  1. (1)

    MC’s privacy is safe due to the anonymous authentication;

  2. (2)

    The interactions are eliminated between home network and access network. This is because identity-based proxy group signature scheme makes a great effect;

  3. (3)

    The authentication delay no longer exists because of the implementation of efficient handover authentication by CBS.

Security and performance analysis show that our scheme is secure and efficient. How to integrate our scheme into the existed authentication protocol forms [1820] our future research work.


  1. Z Wang, Ma Maode, W Liu, X Wei, A unified security framework for multi-domain wireless mesh networks [J]. Lect. Notes Comput. Sci. 7043:, 319–329 (2011).

    Article  Google Scholar 

  2. R Di Pietro, S Guarino, NV Verdeb, J Domingo-Ferrerc, Security in wireless ad-hoc networks - A survey [J]. Int. J. Comput. Commun. 51(10), 1–20 (2014).

    Article  Google Scholar 

  3. T Gao, N Guo, K Yim, Q Wang, PPS: A Privacy-Preserving Security Scheme for Multi-operator Wireless Mesh Networks with Enhanced User Experience [J]. Sci. Inf. Syst. 11(3), 975–999 (2014).

    Article  Google Scholar 

  4. Z Wang, WJ Liu, A Wireless mesh network authentication method based on identity based signature [C]. International Conference on Wireless Communications, NETWORKING and Mobile Computing. 46:, 1–4 (2009).

    Google Scholar 

  5. R Li, L Pang, Q Pei, Anonymous communication in wireless mesh network[C]. Comput. Intell. Secur. Int. Conf. IEEE. 2:, 416–420 (2009).

    Google Scholar 

  6. J Sen, Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks [M]. Applied Cryptography and Network Security, ISBN: 978-953-51-0218-2, InTech, 3–34 (2012).

  7. A Shamir, in Proceedings of CRYPTO ’84. Identity-based cryptosystems and signature schemes[C]. Advances in Cryptology (SpringerBerlin Heidelberg, 1985), pp. 47–53.

    Google Scholar 

  8. VS Miller, in Advances in Cryptology Proceedings of CRYPTO’85. Use of elliptic curves in cryptography[C] (SpringerBerlin Heidelberg, 1986), pp. 417–426.

    Chapter  Google Scholar 

  9. KL Wu, J Zou, XH Wei, et al., Proxy group signature: a new anonymous proxy signature scheme[C]. International Conference on Machine Learning and Cybernetics. 3:, 1369–1373 (2008).

    Google Scholar 

  10. D Liang, X Guo-Zhen, An ID-based group signature scheme [J]. Comput. Sci. 32(11), 69–71 (2005).

    Google Scholar 

  11. BG Kang, JH Park, SG Hahn, A certificate-based signature scheme [M]. Topics in Cryptology (Springer, Berlin Heidelberg, 2004).

    Google Scholar 

  12. T GAO, N GUO, ZL ZHU, Access authentication for HMIPv6 with node certificate and identity-based hybrid scheme[J]. J. Softw. 23(9), 2465–2480 (2012).

    Article  Google Scholar 

  13. D Boneh, M Franklin, Identity-based encryption from the Weil pairing[C]. Advances in Cryptology (Springer, Berlin Heidelberg, 2001).

    MATH  Google Scholar 

  14. A Ortega, et al., Proposal DNP3 protocol simulation on NS-2 in IEEE 802.11g wireless network ad hoc over TCP/IP in smart grid applications [C]. Innovative Smart Grid Technologies. 3:, 25–31 (2015).

    Google Scholar 

  15. B LI, G-g ZHANG, J-j ZHAO, Research and simulation of wireless mesh network model [J]. Comput. Simul. (4), 270–273 (2013).

  16. S ZHENG, W-q WU, Q-y ZHANG, N-t ZHANG, Routing protocol based on energy aware in ad hoc network[J]. J. Commun. 33(04), 9–16 (2012).

    Google Scholar 

  17. S Xu, Y Yang, Protocols simulation and performance analysis in wireless network based on NS2 [C]. International Conference on Multimedia Technology. 1:, 638–641 (2011).

    Google Scholar 

  18. A Skovoroda, D Gamayunov, Securing mobile devices: malware mitigation methods [J]. J. Wirel. Mob. Netw. Ubiquit. Comput. Dependable Appl. (JoWUA).6(2), 78–97 (2015).

    Google Scholar 

  19. L Nkenyereye, BA Tama, Y Park, KH Rhee, A fine-grained privacy preserving protocol over attribute based access control for VANETs [J]. J. Wirel. Mob. Netw. Ubiquit. Comput. Dependable Appl. (JoWUA).6(2), 98–112 (2015).

    Google Scholar 

  20. K Sun, Y Kim, Flow mobility management in PMIPv6-based DMM (Distributed Mobility Management) Networks[J]. J. Wirel. Mob. Netw. Ubiquit. Comput. Dependable Appl. (JoWUA). 5(4), 120–127 (2014).

    Google Scholar 

Download references


This work was supported by the National Natural Science Foundation of China under Grant No. 61300196, 61402095, and China Fundamental Research Funds for the Central Universities under Grant No. N130817002, N120404010.

Competing interests

The authors declare that they have no competing interests.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Tianhan Gao.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License(, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Gao, T., Peng, F. & Guo, N. Anonymous authentication scheme based on identity-based proxy group signature for wireless mesh network. J Wireless Com Network 2016, 193 (2016).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI:


  • WMN
  • Access authentication
  • Privacy preserving
  • Proxy group signature
  • Certificate-based signature