Hierarchical Group Based Mutual Authentication and Key...

Research ArticleHierarchical Group Based Mutual Authenticationand Key Agreement for Machine Type Communication inLTE and Future 5G Networks

Probidita Roychoudhury1 Basav Roychoudhury2 and Dilip Kumar Saikia1

1National Institute of Technology Meghalaya Shillong Meghalaya India2Indian Institute of Management Shillong Meghalaya India

Correspondence should be addressed to Probidita Roychoudhury probiditaphukangmailcom

Received 26 July 2016 Revised 1 October 2016 Accepted 12 October 2016 Published 19 January 2017

Academic Editor Muhammad Khurram Khan

Copyright copy 2017 Probidita Roychoudhury et alThis is an open access article distributed under theCreativeCommonsAttributionLicense which permits unrestricted use distribution and reproduction in anymedium provided the originalwork is properly cited

In view of the exponential growth in the volume of wireless data communication among heterogeneous devices ranging from smartphones to tiny sensors across a wide range of applications 3GPP LTE-A has standardized Machine Type Communication (MTC)which allows communication between entities without any human intervention The future 5G cellular networks also envisagemassive deployment of MTCDevices (MTCDs) which will increase the total number of connected devices hundredfoldThis posesa huge challenge to the traditional cellular system processes especially the traditional Mutual Authentication and Key Agreement(AKA) mechanism currently used in LTE systems as the signaling load caused by the increasingly large number of devices mayhave an adverse effect on the regular Human to Human (H2H) traffic A solution in the literature has been the use of group basedarchitecture which while addressing the authentication traffic has their share of issues This paper introduces Hierarchical Groupbased Mutual Authentication and Key Agreement (HGMAKA) protocol to address those issues and also enables the small cellheterogeneous architecture in line with 5G networks to support MTC services The aggregate Message Authentication Code basedapproach has been shown to be lightweight and significantly efficient in terms of resource usage compared to the existing protocolswhile being robust to authentication message failures and scalable to heterogeneous network architectures

1 Introduction

Themarket for cellular data is growing at a tremendous pacewith the birth of a new generation of cellular system at almostevery decade This has been largely triggered by the explo-sive growth in mobile traffic coupled with advancementsin wireless communication technologies As per the CiscoVisual Networking Index 2014ndash19 [1] machine to machine(M2M) also termed as Machine Type Communication(MTC) connections are expected to grow to 105 billion by2019M2MorMTCcommunication refers to communicationbetween entities without any human intervention intendedto support applications like home automation securityand surveillance healthcare traffic management and manyothers The communicating entities are termed MachineType Communication Devices (MTCDs) Standardizationorganizations like Third Generation Partnership Project

(3GPP) European Telecommunications StandardsOrganiza-tion (ETSI) and so forth have already come up with stan-dards on MTC architecture and security architecture under3GPP Long Term Evolution Advanced (LTE-A) [2] Underthe 7th Framework Programme for Research (7FP) [3] theEuropean Union has initiated several programs to promoteresearch in technologies to build wired and wireless commu-nication networks of the future A key project Mobile andwireless communication Enablers for Twenty-twenty Infor-mation Society (METIS) [4] the flagship program of theEuropean Union on Fifth Generation Cellular Network (5G)has attempted to prepare the groundwork for 5G networkbefore any standardization activities are carried out The sce-narios anduse cases analyzed byMETIS [5] indicate amassivedeployment of MTCDs in future cellular networks Theexisting cellular network is ill-equipped to handle the surgein traffic from such massive MTC deployment The traffic

HindawiSecurity and Communication NetworksVolume 2017 Article ID 1701243 21 pageshttpsdoiorg10115520171701243

2 Security and Communication Networks

generated from the authentication procedure executed forsecurity reasons by each MTCD before they can attach tothe network becomes a serious concern in such scenariosA sizable number of MTCDs trying to attach to the networksimultaneously with each having to undergo the MutualAuthentication and Key Agreement (AKA) procedure resultinmassive signaling overload at both access network and corenetwork

The existing literature on MTC authentication has triedto find different approaches to reduce the signaling trafficneeded for the AKA procedure by grouping the MTCDsbased on different criteria like belonging to the same appli-cation appearing in the same location and so forth Theschemes exploiting the group based approach use one of thefollowing methods for reducing the AKA signaling load

(1) First MTCD performs a full AKA with the core net-work and also authenticates the group by fetching theauthentication data for the entire group to the servingnetwork the rest of the group members authenticateslocally at the serving network using the prefetchedauthentication data

(2) Each MTCD sends its authentication message to aMTCD selected from among the group to be a groupleader who in turn aggregates the same and transmitsit to the core network

The main drawback of the first approach is that while itreduces the signaling load between the home network andthe serving network the load at the access network remainsunchangedThe latter approach successfully reduces the loadat the access network but a single corrupt authenticationmes-sage in the aggregate will result in the rejection of the authen-tication of the entire group Furthermore the group leaderbased approach also includes the complexity and consequentdelay of group leader selection and in the event of groupleader failureexit reselection of the new incumbent Hencea natural corollary to these contributions would be one thataddresses these limitations

In this paper the authors propose the HierarchicalGroup based Mutual Authentication and Key Agreement(HGMAKA)protocol forMTCwhichwill be suitable for bothcurrent LTE-A and future 5G networks The main contribu-tions of this paper are the following

(1) Introduction of a hierarchical approach as againstthe existing first MTCD based or group leader basedapproach for implementation of group based AKAbetween a group of MTCDs and the Core Network

(2) Adoption of hierarchical small cell architecture inline with 5G architecture for reduction in signalingload due to authentication as against macrocell archi-tecture in existing literature

(3) Introduction of en route integrity verification ofauthentication messages to avoid batch reauthentica-tion due to failures

(4) Performance comparison with ten other group basedschemes in the literature

The proposed group based hierarchical protocol uses thesupport of network elements instead of a group leader ther-eby eliminating the additional complexity related to groupleader management In view of resource constrained devicesused in most M2M applications it uses the lightweight sym-metric key based aggregate Message Authentication Code(MAC) approach with integrity verification of authenticationmessages at each level of the hierarchy This eliminates thechance of group authentication failure at the core networkwhich can otherwise be caused in the existing group basedschemes using aggregateMAC by even a single corruptMACappearing in the aggregate authentication message

Furthermore the use of small cells helps in offloadingtraffic from the macrocells to small cells resulting in furtherreduction in signaling load at the access network level Thisis also in linewith the architectures of future cellular networksas proposed by several projects like METIS iJOIN [6] TRO-PIC [7] and so forth advocating the use of small cells Depen-ding on applications MTCDs may be deployed in low cov-erage areas like underground parking or remote inaccessiblelocations where connectivity to cellular networks may not befeasible The proposed HGMAKA scheme takes into consid-eration such cases through the use of small cells and capillarynetwork of devices Being hierarchical in nature it allowslarger group sizes through multilevel aggregation resultingin lesser number of groups for a given number of MTCDsMoreover highlymobileMTCDs like those in public vehicleswill need frequent handovers resulting in high overheadThe proposed protocol uses mobile femtocells to address thisissue

The rest of the paper is organized as follows Section 2provides an overview ofMTC under LTE-A themutual AKAprotocol and the importance of heterogeneous cellular net-work architecture Section 3 spells out the motivation behindthe proposed protocol Section 4 reviews some related worksfrom the literature on group basedmutualAKAprotocols andhighlights the issues therein Sections 5 and 6 present the pro-posed system architecture along with the proposed protocolSection 7 presents the security analysis of the protocolSection 8 provides performance analysis of the proposed pro-tocol vis-a-vis existing group based protocols and Section 9concludes the paper

2 Machine Type Communication and SmallCell Architecture

21 Machine Type Communication Machine Type Commu-nication (MTC) [8] also known as M2M communicationrefers to the communication between entities without anyhuman interventionThis communicationmainly entails col-lection of data by the MTCD and transmitting to an MTCServer which processes the data and initiates some actionThere can also be scenarios where the MTC Server triggersthe MTCD to perform some action A third scenario mayinvolve twoMTCDs communicating among themselves withor without involving any MTC Server Standardization orga-nizations like 3GPP have published specifications to enableoptimization of 3G and LTE cellular networks for MTCtraffic The MTCD connects to the LTE core network also

Security and Communication Networks 3

known as Evolved Packet Core (EPC) via the evolvedNode B(eNodeBeNB) which is the base station in the Radio AccessNetwork (RAN) named Evolved Universal Terrestrial RAN(eUTRAN) in case of LTE LTE also supports other non-3GPPRANwhich can be either trusted or untrusted depend-ing on the operatorrsquos policiesThe RAN and thereby the basestation can differ in case of trusteduntrusted 3GPPnon-3GPPnetworks Before theMTCDcan communicate over theLTE network it has to perform a mutual authentication withthe core network The Mobility Management Entity (MME)represents the network in this authentication procedure Incase of trusted non-3GPP access networks the Authenti-cation Authorization and Accounting (AAA) Server andfor untrusted non-3GPP networks the evolved Packet DataGateway (ePDG) performs the authentication with theMTCD The Home Subscriber Server (HSS) is the centraldatabase of all authentication information and assists theMMEAAAePDG in the authentication procedure ThePacket Data Gateway (PDG) entity provides connectivity toexternal packet data networks

In case of indoor traffic a smaller and less powerful basestation named Home eNodeB (HeNB) [9] can be usedwhich improves the coverage in indoor locations with higherdata rates The HeNB is a small less expensive base sta-tion that is located at the customer site and connects tothe EPC via the customerrsquos existing broadband access line likeDSL or broadband cable Multiple HeNBs can be managedby an optional element of the EPC called the Home eNodeBGateway (HeNB-GW) It multiplexes connections frommul-tiple HeNBs into a single stream in order to alleviate the loadon the MME The HeNB-GW is transparent to the MME aswell as to the HeNBs Figure 1 gives the network architectureof LTE

A Mutual Authentication and Key Agreement proce-dure is carried out between the MMEAAAePGD and theMTCD The authentication procedure used is the EvolvedPacket System-Authentication and Key Agreement (EPS-AKA) [10] for 3GPP and Extensible Authentication Protocol-AKA (EAP-AKA) [11] for non-3GPP networks On successfulcompletion of the authentication procedure both partiesshare a secret session key to be used for confidentiality andintegrity protection or for deriving next level keys to be usedfor the same purpose Figure 2 shows the steps involved in theEPS-AKA protocol

22 Small Cell Architecture andHetNets Asmentioned in theprevious section the growing number of MTC connectionis a concern for the current cellular network which will facetremendous challenges in providing the desired level of usersatisfaction to both M2M and Human to Human (H2H)communications One of the possible approaches to handlehyper densification of cells is to offload traffic into smallercells served by low powered base stations like micro and picoeNodeBs (eNB) Home eNodeBs (HeNB) Relay Nodes (RN)and even Remote Radio Heads (RRH) (radio elements whichhave a wired connection to an existing macro eNB) As thedeployment of additional macrocells is not practically possi-ble due to paucity of space and prohibitive costs a network

of macro as well as small cells termed as Heterogeneous Net-work or HetNet [12] will assist in a long way in handling themassive numbers of users Small cells bring in the advantagesof load balancing between cells improved coverage leadingto improved user satisfaction and reduced latency and lowerpower consumption as the base stations are closer to theusers A HetNet in LTE-A can consist of macrocells micro-cells picocells and femtocell in the decreasing order of thebase station powerWhile femtocells cater to only indoor traf-fic the others mostly cater to outdoor traffic Another smallcell termedmobile femtocell (MFemtocell) [13] combines theconcepts of femtocell with mobile relay It consists of dedi-cated relay nodes mounted outside public vehicles like busestrains and so forth The users inside the vehicle form a fem-tocell which uses the mobile relay node to communicate withthe macro base station The base station views the MFemto-cell and all its users as a single entity and at the same time theusers are unaware of the existence of the mobile relay nodeThe deployment of MFemtocell will prove to be beneficial forhigh mobility scenarios and also improve network coverage

In addition to the above which operate in the licensedspectrum the network can also incorporate Capillary Net-works of MTCDs where the devices also use some local com-munication technologies like Bluetooth ZigBeeWiFi and soforth in the unlicensed spectrumThe devices in the networkcommunicate with MTC Servers via a MTC Gateway Devicethat acts as the intermediary between the cellular networkand the capillary network of devices The MTC GatewayDevice is equippedwith dual communication capabilities likecellular and some local access technology [14]

The small cells have their share of challenges to over-come These include cost effective deployment and efficientoperation and management of small cells by operators inter-cell interference management technologies for backhaulingtraffic from small cells to core networks security and manymoreThe authors in [15] have listed some of the issues relatedto use of capillary M2M networks which includes interfer-ence and low data rates for applications with high end-to-endreliability requirement

Considering the fact that small cells are expected to be anintegral component of future mobile cellular networks theproposed hierarchical group based authentication protocoluses an architecture which brings together a macrocellsnetwork with an overlay of small cells and capillary networks

3 Motivation

While MTC applications span across a wide domain eachwith distinct features and requirements the common featuredistinguishing them from the regular H2H communication isthe presence of massive number of devices As these deviceshave to execute EPS-AKA to connect to the EPC for accessauthentication a large number of these trying to connect atthe same time will create substantial signaling overload inthe access network In a roaming scenario where the devicesare away from their home network (HN) the serving network(SN) will have to fetch the authentication data from the HNleading to an increased signaling load Consequently thisnecessitates the design of Mutual Authentication and Key


UEMTCD

eNB HeNB

E-UTRAN

Untrusted non-3GPP

ePDG

HeNB-GW

AAA

MMES-GW

PDG MC server

HSS

MC server

MTC user

Trusted non-3GPP

Figure 1 LTE-A network architecture

UE MME HSS

(1) Access request message

(2) Identity request message

(3) IMSITMSI (4) Authentication info request(IMSI SN_ID)

(7) Authentication response (RES)

(5) Authentication info reply

(6) Authentication request (RAND AUTN)

Verify AUTN and compute RES CK IK

Compare RES and XRES

Generate EPS AV

Compute KASME

AV(RAND XRES KASME AUTN)

Figure 2 EPS-AKA protocol

Agreement protocols for MTC aimed at minimizing thesignaling overhead

In addition the MTCDs are usually low powered deviceslacking high computational capabilities This calls for anauthentication protocol of lower computational complexityFurthermore an additional issue with cellular MTC is thepresence of the devices at cell edges and in indoor spaces likeinside underground parking lots shopping malls hospitalsand so forth where network connectivity may be poor Like-wise someof the devicesmaynot exhibit any formofmobility(eg security camera) while others may be highly mobile

(eg devices in trains or buses) Thus the authenticationprocedure needs to take into consideration the followingfactors

(i) Massive deployment of MTCDs causing signalingoverload

(ii) Deployment environment of the MTCDs (ie indooroutdoor)

(iii) Mobility behavior of the MTCDs (ie stationarymobile)

(iv) Computational and storage capabilities of MTCDs


This paper thus proposes an Authentication and KeyAgreement protocol to reduce the signaling load whileaddressing the aforementioned factors The first three factorsare accounted for in the deployment architecture while thelast factor is handled by the use of symmetric cryptographyin the proposed algorithm

4 Related Works

A number of group based mutual authentication schemesexist in the literature The schemes can be categorized intothree types

(i) Schemes consist of one device of the group perform-ing a full AKA with the core network and thereafterthe authentication records for all members of thegroup are retrieved from the HN and sent to theSN For the second group member onwards the HNremains offline with the authentication being per-formed locally at the SN with the prefetched dataSome of the schemes following this approach are SE-AKA [16] by Lai et alMTC-AKA [17] also by Lai et alDGBAKA [18] by Zhang et al and GAKA [19] byChen et al with some minor variations

While these schemes successfully reduce the signalingtraffic between the home network and the servingnetwork the load at the access network remainsunchanged

(ii) Schemes use aggregation ofmessageswhere a selectedgroup leader from among the MTCDs receives indi-vidual messages from all group members aggregatesthem into a single message along with an aggregatesignature or an aggregate MAC and forwards thesame to the core network The core network elementverifies the aggregate signature or aggregate MAC toauthenticate the group Schemes like Cao et al in[20 21] uses the aggregate signature concept and those[22] by Lai et al [23] by Choi et al and GLARM [24]by Lai et al are based on the aggregate MAC conceptWhile the scheme [20] is based on the concept ofaggregate signature proposed by Boneh et al [25]the scheme [21] uses the Nyberg Rueppel signaturescheme [26]

The aggregate MAC approach for group authentication isa lightweight one significantly reducing the signaling over-head at the access network level as compared to aggregatesignature schemes Most existing schemes use a group leaderto aggregate the MACs received from the individual MTCDsin a group However this can cause a bottleneck at the groupleader and also involves the additional complexity and delayassociated with group leader selection and managementAnother drawback of the aggregation approach is that a singlebad (message MAC) pair or a single invalid signature in theaggregate can cause the entire authentication to fail resultingin repeating the entire authentication process An attackeronly needs to change a single bit in a message or MAC acrossthe group to ensure a failure So the cost of this endeavor

from the attackerrsquos point of view is very low making thesystem susceptible to Denial of Service attacks

(iii) Schemes follow a batch processing approach wherebyauthentication requests from multiple devices areprocessed at once as a batch like ABAKA [27] byHuang et alThese schemes are also hounded by the issue of asingle invalid signature requiring the rerun of theentire authentication process

5 HGMAKA Protocol System Architecture

The proposed system architecture consists of macrocellsfemtocells mobile femtocells and also capillary networkof devices thereby forming a HetNet The architecturalelements are classified into three tiers each consisting ofheterogeneous devices performing distinct activities

(i) The first tier Tier 1 consists of the data generatingconsuming MTCDs for example smart meters andmedical equipment They generate data periodicallyor on being triggered and send the data to someMTCServer The MTCDs may be static (eg surveillancecamera) or may be mobile (devices inside train busetc) They need to be authenticated before they canuse the network for sending data to theMTC ServersThus they generate authentication request messageswhich are sent to the Tier 2 elements

(ii) The second tier Tier 2 comprises aggregating ele-ments those which aggregate the multiple streams ofdata received from elements in the first tier into asingle stream and forward it to the elements in thenext tier Additionally they verify the MACs of thereceived messages to verify their integrity and ensurethat no tampered messages are included in the aggre-gate These elements can be HeNBs mobile femto-cells MTC Gateway devices and so forth

(iii) The third tier Tier 3 elements provide the last mileconnectivity to the core network They accept themultiple incoming aggregated streams from Tier 2elements and forward them to the core network eitheras individual streams or as an aggregate stream asper the requirements They are also the second levelaggregator and verifier Like the Tier 2 elements theyalso verify the integrity of the incoming messagesfrom Tier 2 using MAC before including them inthe aggregate These elements include Home eNodeBGateway if HeNBs were the Tier 2 elements andeNodeB if the corresponding Tier 2 elements wereMFemtocells or MTC Gateway devices

The proposed protocol thus not only performs the aggre-gation of multiple streams from a lower tier into a singlestream at a higher tier but also eliminates the possibility dueto presence of tamperedmessages in the aggregate of authen-tication failure of the entire groupThe Tiers 2 and 3 elementstake up the role of aggregation from the group leaders ofaggregate based schemes in the literature thus eliminating


the requirement of group leader and the associated com-putational overheads Moreover the limited communica-tion range of group leader due to the use of local accesstechnology at the group level restricts the group sizes Theuse of hierarchical architecture also removes this limitationthereby allowing larger groups of MTCDs to spread acrossa macrocell Figure 3 shows the network architecture whileFigure 4 illustrates the advantage of hierarchical architecturein terms of group sizes Table 1 lists the classification of thearchitectural elements

6 HGMAKA Protocol Algorithm

The aggregation of authentication message at various hierar-chies in HGMAKA protocol is followed by a key agreementphase resulting in a unique secret session key being sharedamong an individual MTCD and the corresponding SN

The grouping of MTCDs in this protocol may be prede-termined or may be done on the fly For example a group ofMTCDs belonging to the sameMTCowner or using the sameMTC application may be grouped together by the operatorand assigned a group key Alternately a group can also becreated on the fly based on say the current location of theMTCDs like group of MTCDs inside a vehicletrainbus andso forth In this scenario a group key agreement protocolmust be used to generate a group key for all group memberswith the HSS involved in the process The group key can alsobe changed dynamically as changes in membership occur inthe group While there are various group key managementprotocols available in the literature [28ndash30] and so forththe same is beyond the scope of the paper and hence notdiscussed here The group key is shared among the MTCDsHSS the Tier 1 the Tier 2 and the Tier 3 elements Notationsexplain the symbols used in the protocol The proposedprotocol consists of two phases

(i) Aggregate generation phase where the authenticationrequest messages and MACs sent by Tier 1 elementsare aggregated at higher levels first by Tier 2 elementsand followed by Tier 3 elements Integrity verificationof the incoming messages is performed at each levelprior to the aggregate generation

(ii) Group based Mutual Authentication and Key Agree-ment phase where the HSS authenticates all groupmembers simultaneously from the aggregate MACand the MTCDs authenticate the MME and HSSthrough a random challenge response protocol ter-minating with the derivation of unique shared secretkeys between the MME and each MTCD

61 Aggregate Generation Phase

(1) Consider a groupG119894where the 119895thMTCDMTCDG119894-119895identified by its Unique International Mobile Sub-scriber Identity IMSIG119894-119895 shares a secret key 119870G119894-119895with the HSS In this phase MTCDG119894-119895 generatesthe authentication request message (119872G119894-119895

1) contain-ing the IMSI (IMSIG119894-119895) Group Identifier (GIDG119894)

random number (119877G119894-119895) and a MAC (MACG119894-119895)computed on the same using the secret key 119870G119894-119895and sends it to the Tier 2 element Also includedin this communication is another MAC (MACG119894-119895

1)computed on 119872G119894-119895

1 and MACG119894-119895 using the groupkey GKG119894 While the former is used for authenticationof the MTCD by the HSS the latter is used forverifying the integrity of the message by the Tier 2element The detailed steps are listed below

(a) EachMTCD 119895 of group G119894 generates an authen-tication message119872G119894-119895

1 which contains MTCDidentity (IMSIG119894-119894) group identifier (GIDG119894)a random number 119877G119894-119894 generated by theMTCDG119894-119895 and a MAC MACG119894-119895 This MAClater aggregated by the Tier 2 elements is usedby the HSS to authenticate the MTCD

119872G119894-1198951 = IMSIG119894-119895 119877G119894-119895 GIDG119894 MACG119894-119895 (1)

where MACG119894-119895 = 1198912(119870G119894-119895 IMSIG119894-119895 119877G119894-119895 GIDG119894)

(b) TheMTCD computes a second MAC on119872G119894-1198951

with the group keyGKG119894 to be used for integrityverification of these Tier 1 messages at the Tier2 element

MACG119894-1198951 = 1198912 (GKG119894119872G119894-119895

1) (2)

(c) MTCDG119894-119895 sends119872G119894-1198951 MACG119894-119895

1 to the Tier2 element

(2) On receiving the message 119872G119894-1198951 MACG119894-119895

1 theTier 2 element of groupG119894 first verifies the integrity ofthe receivedmessage fromMACG119894-119895

1 using the sharedgroup key GKG119894 On successful verification it pro-ceeds to compute the aggregate MAC (aggMACG119894

1198962)and aggregate message (agg119872G119894

1198962) for all Tier 1 ele-ments under it Finally the Tier 2 element computesa MAC MACG119894

1198962 on agg119872G1198941198962 aggMACG119894

1198962 to belater used for the integrity verification of the messageat the Tier 3 element The steps are listed below

(a) For each Tier 1 element 119895 of group G119894 underthe Tier 2 element 119896 the Tier 2 element verifiesMACG119894-119895

1 in the received message 119872G119894-1198951

MACG119894-1198951 using (2) Successful verification assu-

res that the message 119872G119894-1198951 has not been tam-

pered with(b) The Tier 2 element then computes aggregate

MAC aggMACG1198941198962 by performing XOR opera-

tion on the individual MACs received from theTier 1 elements

aggMACG1198941198962 = aggMACG119894

1198962 oplusMACG119894-119895 (3)

(c) Aggregate message agg119872G1198941198962 is compiled by

concatenating individual messages receivedfrom Tier 1 elements

119872G119894-1198951 = remove (119872G119894-119895

1MACG119894-119895) (4)


HeNB-GW

HSS

PDN-GW

MMES-GW

MTCserver

Internet

eNB

HeNB HeNB

Wireless link

HeNB

Wired link

MTCD MTCD MTCD MTCDMTCD

MTC-GW

Femtocell Femtocell Capillary network Mobile femtocell

Tier 1

Tier 2

Tier 3

Figure 3 Proposed MTC network architecture

MTCD

MTCD

MTCD

MTCD

MTCDMME

Gateway

Gateway

Group leader

Group leader

Group leader

eNodeB

Group 1

Group 2

Group 3

Group 4

Figure 4 Larger groups enabled by hierarchical architecture

Table 1 Network elements

Tier Description DevicesTier 1 The end-device in the communication scenario which generates the authentication requests MTCDTier 2 Level 1 aggregator and integrity verifier of authentication requests from Tier 1 HeNB MTC-GW mobile femtocellTier 3 Last mile connecting device and Level 2 aggregator and integrity verifier of Tier 2 messages HeNB-GW eNodeB


The remove function excluded the MAC fieldfrom individual messages

agg119872G1198941198962 = agg119872G119894

1198962 119872G119894-1198951 (5)

(d) MACG1198941198962 is then computed for integrity ver-

ification of message at the next higher Tierelement

MACG1198941198962 = 1198912 (GKG119894 agg119872G119894

1198962 aggMACG1198941198962) (6)

(e) Finally the first level aggregate messageagg119872G119894

1198962 aggMACG1198941198962 MACG119894

1198962 is sent toTier 3 element

(3) The Tier 3 element performs integrity verification ofthe message received from Tier 2 and then the secondlevel aggregation is as follows

(a) For each Tier 2 element of group G119894 underthe Tier 3 element the Tier 3 element verifiesMACG119894

1198962 in the received aggregate messageagg119872G119894

1198962 aggMACG1198941198962 MACG119894

1198962 using (6)(b) On successful verification an aggregate MAC

aggMACG119894 is computed from the first levelaggregate MACs to be used by the HSS forauthenticating the entire group G119894

aggMACG119894 = aggMACG119894 oplus aggMACG1198941198962 (7)

(c) The aggregate message agg119872G119894 is compiled byconcatenating the level one aggregate messagesof group G119894

agg119872G119894-1198951198962 = remove (agg119872G119894-119895

1198962 aggMACG1198941198962)

agg119872G119894 = agg119872G119894 agg119872G1198941198962

(8)

(d) The second level aggregate message agg119872G119894 aggMACG119894 is then sent to MME

62 Group Authentication and Key Agreement Phase

(1) On receiving the aggregate authentication request andaggregate MAC that is agg119872G119894 aggMACG119894 fromthe Tier 3 element the MME forwards this alongwith its Serving Network Identity (SN ID) that isagg119872G119894 aggMACG119894 SN ID to the HSS

(2) The HSS receives this aggregate message authenti-cation request for group G119894 from the MME andauthenticates the entire group from the aggregateMAC

(a) TheHSS verifies the aggregateMAC aggMACG119894(see (7))

(b) The HSS uses a random number 119877HSS to com-pute a Temporary Group Key TGKG119894

TGKG119894 = 1198911 (GKG119894 119877HSS SN ID) (9)

and generates an authentication tokenAUTHHSS to be used by the MTCD for authen-ticating the HSS as

MACHSSG119894 = 1198912 (TGKG119894 119877HSS GIDG119894) (10)

AUTHHSS = 119877HSS MACHSSG119894 (11)

(c) Next the HSS generates individual session keys(119870ASME

G119894-119895) for eachMTCD in the group as wellas the expected response XRES to the randomchallenge that the HSS sends to the MTCDs forauthentication purposes via MME

For each 119899member 119895 of group G119894For 119895 = 1 to 119899

AKG119894-119895 = 1198915(119870G119894-119895 119877HSS)CKG119894-119895 = 1198913(119870G119894-119895 119877HSS)IKG119894-119895 = 1198914(119870G119894-119895 119877HSS)119870ASME

G119894-119895 = KDF(SQN oplus AKG119894-119895CKG119894-119895 IKG119894-119895 SN ID)XRESG119894-119895 = 1198916(119870G119894-119895 119877HSS)

End ForThe HSS compiles the authentication informa-tion together with the computed 119870ASME andXRES for all members of the group in the formof a table called Group Key Index (GKI) TheGKI for group G119894 is constructed as seen inTable 2

(d) The HSS sends the GKI and AUTHHSS (from(11)) to the MME

(2) The MME receives these from the HSS and saves theGKI It forwards AUTHHSS to each MTCD of groupGIDG119894

(3) At each MTCD on receiving the authentication chal-lenge one has the following

(a) The MTCDs authenticate the HSS from thischallenge by verifying MACHSS

G119894 after comput-ing TGKG119894 (using (9) (10))

(b) Each MTCD 119895 in the group also computes aresponse (RESG119894-119895) to the challenge given by theHSS

RESG119894-119895 = 1198916 (119870G119894-119895 119877HSS) (12)

The group members send their response to the Tier 2element who aggregates the response in the same wayas for MAC The aggregate RES is sent to the Tier 3element that again aggregates the response and sendsit as an aggregate response aggRESG119894 for the groupThe procedure is the same as aggregate MAC genera-tion

(4) TheMME receives the aggregate response (aggRESG119894)and performs the authentication as follows

(a) The MME verifies if aggRESG119894 == XRESG119894-1 xorXRESG119894-2 xor


Table 2 Group Key Index

Group identifier Group member IMSI 119870ASME XRES

GIDG119894

IMSIG119894-1 119870ASMEG119894-1 XRESG119894-1


IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899

(b) If the verification is successful the MTCDs inthe group are authenticated The MTCDs gen-erate their individual119870ASMEs as

119870ASMEG119894-119895

= KDF (SQN oplus AKG119894-119895CKG119894-119895 IKG119894-119895 SN ID) (13)

Thus at the end of the Authentication and KeyAgreement phase a shared secret key 119870ASME

G119894is shared between each MTCD and the MMEFigure 5 shows a working example of the aggre-gate generation phase and Figure 6 shows themessage sequence in the group Authenticationand Key Agreement phase

7 Security Analysis

To illustrate that the proposed protocol is secure the authorshave followed a three-pronged approach to security analysisFirst an informal security analysis of the protocol has beenperformed to demonstrate the resilience of the protocolagainst different protocol attacks Second the automatedformal verification tool AVISPA has been used to verify if thesecurity goals of mutual authentication and secure key agree-ment have been met And third a provable security approachhas been used to formally prove that no feasible polynomialtime adversary exists which can break the security of thescheme

71 Mutual Authentication The proposed protocol isbased on the aggregate MAC concept An aggregate MAC(aggMACG119894) is generated at two levels Level 1 by Tier 2elements and Level 2 by Tier 3 from the individual MACssent by the MTCDs in the group This is sent to the MMEwhich forwards it to the HSS The HSS verifies this aggregateMAC and generates a random challenge and forwards it tothe MME in the form of an authentication token (AUTHHSS)along with the expected response (XRES) for each MTCD inthe group The MME broadcasts the same to all MTCDs AllMTCDs authenticate the HSS from AUTHHSS The MTCDcomputes their individual response to the random challengeand sends it via the Tier 2 and Tier 3 elements after goingthrough two levels of aggregation to arrive at the aggregateresponse (aggRESG119894) The MME then completes the mutualauthentication by comparing the received aggregate responseto the precomputed responses stored at the MME Thus theMME and MTCDs perform a mutual authentication

72 Secured Key Agreement Once mutual authentication issuccessful both parties that is MME and MTCD have asession key shared between them The key (119870ASME

G119894-119895) isgenerated at both ends after mutual authentication and isnever transmitted over any channel Also the respective keysare generated at both ends as KDF(SQN oplus AKG119894-119895CKG119894-119895IKG119894-119895 SN ID) where AKG119894-119895 CKG119894-119895 and IKG119894-119895 are com-puted from 119877HSS and the shared secret key 119870G119894-119895 only aftermutual authentication is successful

73 Man-in-the-Middle Attack Despite the fact that theentire communication both within the capillary networkfemtocell and between the MTC-GW and the networkoccurs in plaintext an intruder cannot determine the sessionkeys (TGKG119894 and 119870ASME

G119894-119895) as these require the knowledgeof long term secret keys shared between the MTCD and theHSS as well as the random numbers and sequence numbers

74 Replay Attack Replay attacks can be thwarted by theuse of the random numbers generated by the MTCDs andHSS in the authentication procedure Even if an attackercaptures the messages the same random number cannot beused for another round of authentication as fresh numbersare required for a fresh round of authentication

75 Key Compromise Impersonation (KCI) A key agreementprotocol is KCI-resilient if no adversary can masquerade asan honest user and establish a session key with another userwhose long term key has been compromised by the adversaryThe proposed protocol is KCI-resilient as proved formally inthe next section

76 Forward Secrecy Forward secrecy implies that if the longterm key of the entity is compromised then the secrecy ofthe earlier session keys generated is not affected In caseof HGMAKA the session key 119870ASME

G119894-119895 is computed as afunction of the long term secret key119870G119894-119895 as well as 119877HSS andSQN both of which changes for each session Thus even if119870G119894-119895 is compromised it will be difficult for the attacker tocorrelate both the correct 119877HSS and SQN to be used forgenerating a past session keyHence the protocol has forwardkey secrecy

77 Formal Verification Using AVISPA The main goal ofthe proposed protocol is to provide mutual authenticationbetween the MTCD and the MMEHSS and secured keyagreement between the entities The formal verification ofthe proposed protocol is tested on Automated Validation ofInternet Security Protocols and Applications (AVISPA) [31]AVISPA is a tool for automatic security analysis of protocolsrepresented in High Level Protocol Specification Language(HLPSL) and evaluated using automatic deduction tech-niques We have modeled three roles MTCD Gateway andMME using HLPSL As the MME and HSS have a securedchannel between them so we have integrated the roles ofMME and HSS into a single role The On-the-Fly ModelChecker has been used to test our protocol The goals of the


HeNBmobilefemtocellMTC-GW


HeNB-GWeNB

MME

All 6 MTCDs belong to group G1 They fall under two cells covered by Tier 2 element 1 and Tier 2 element 2

MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1

aggMACG1 = aggMACG112 XOR aggMACG1

22

Tier 1 Tier 2 Tier 3

aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122

MACG1-11 = f 2(GKG1MG1-1

1)

aggMG1 aggMACG1

aggMG1 = aggMG112 aggMG1

22

aggMG112 = IMSIG1-1 RG1-1 GIDG1 IMSIG1-2 RG1-2 GIDG1 IMSIG1-3 RG1-3 GIDG1

MG1-11 = IMSIG1-1 RG1-1 GIDG1 MACG1-1

MACG1-1 = f2(KG1-1 IMSIG1-1 RG1-1 GIDG1)

aggMACG112 = MACG1-1 XOR MACG1-2 XOR MACG1-3

f 2(GKG1 aggMG112 aggMACG1

12)MACG112 =

Figure 5 Example working of proposed protocol (aggregate generation)

MTCD Tier 3 element MME HSS

(Broadcast to all MTCDs)

Send RES for aggregation to Tier 2

Authentication successful

(iii) Generate authentication response

(i) Generate TGKGi

(ii) Authenticate HSS from MACHSSGi

RESGi-j

aggRESGi

Verify aggRESGi

(i) Verify SN_ID aggMACGi

(ii) Generate TGKGi RHSSMACHSSGi

AUTHHSS

for each group member and construct GKI

AUTHHSS GKIAUTHHSS

aggMGi aggMACGi aggMGi aggMACGi SN_ID

Generate KASMEGi-j

(iii) Compute AK CK IK KASMEGi-j XRES

Figure 6 Message exchanges in group Authentication and Key Agreement phase


goalsecrecy of kasmesecrecy of gtkg1authentication on mtcd mme rg11authentication on mtcd mme rhss

end goal

Algorithm 1 Goal specification of proposed protocol

protocol are given in Algorithm 1 and the output is given inAlgorithm 2TheHLPSL roles forMTCDandMMEare givenin Appendix A as Algorithms 3 and 4

78 Formal Protocol Analysis The foundation of the securityproof of the proposed protocol lies in Shouprsquos formal securitymodel [32] for secure Mutual Authentication and Key Agree-ment using the simulation based technique In [33] Zhangsuitably modified Shouprsquos model to fit the mobile communi-cation scenario Further Huang et al in [34 35] also usedZhangrsquos model to present a provably secure AKA protocolfor UMTS The authors have based their security proof onZhangrsquos model In Zhangrsquos simulation based model the proofof security is arrived at by comparing the performance of anadversary in a real protocol execution (real world) and anideal scenario (ideal world) which is assumed to be secureby definitionThe protocol is said to be provably secure if it isnot possible to distinguish between the actions of the attackerin the real world and the ideal world

As per Shouprsquos model the MTC scenario involves twotypes of communication channels a secure (assumed) chan-nel betweennetwork entities and an insecurewireless channelbetween the MTCD entities and the network entities Thelatter is under the full control of the adversary who canread modify and replay the messages transmitted over thechannel The adversary can set up and initiate multiplesessions between MTCD and network and also acquiresession keys and apply it on somemathematical functionTheactivities of the adversary are captured under two scenariosideal world and real world The security of the proposedprotocol is proved by comparing the actions of the adversaryin the two worlds and proving that the adversary cannot doany more harm in the real world than it would do in the idealworld Appendix B contains the descriptions of the ideal andreal world as well as certain preliminary definitions

Security Proof Each entity in the proposed protocol possessesa random number generator which produces random num-bers 119877G119894-119895 (for all 119894 and 119895) and 119877HSS for the entity instancesLet all random numbers be selected randomly in 119860 and 1198641 isthe event that 119879119860 is collision-free we get

Pr (1198641) le11989921198942(2minus|119877G119894-119895| + 2minus|119877HSS|) (14)

where 119899119894 is the count of instances created by119860 and |119877G119894-119895| and|119877HSS| are lengths of the respective random numbers and arepolynomial in 119896 and then Pr(1198641) is negligible

Lemma 1 For real world adversary 119860 with collision-free(assumed) transcript 119879119860 and independent function family 1198912assumed to be collision resistant in 119879119860 the probability of theevent 1198642 (1198642 is the event that 119879119860 is authentic) is given by

Pr (1198642) le 119899119894 (2 times Advmac1198912 (119901 119899)) (15)

where 119901 = 119874(119905) and 119899 = 119874(119899119894) and 119905 is the execution time of119860

Proof For 119879119860 to be nonauthentic we must have at best oneinstance that has accepted based on a stimulus sent by anoncompatible instance To prove this we show that upperbound on the probability of 119879119860 being nonauthentic is givenby (15) and the proof proceeds as follows

Case 1 Say the network entity instance 11986811989410158401198951015840 accepted onreceipt of aggregate message agg119872G119894 aggMACG119894 Wetry to prove that the stimulus was sent by a compatibleMTCD entity If 11986811989410158401198951015840 has accepted that means that theMAC verification has been successful However the identityIMSIG119894-119895 of each MTCD entity instance in the group is usedin the computation of MAC Since the IMSI contains the HNidentity embedded in it if 11986811989410158401198951015840 accepts then it could onlybe on stimulus sent by a compatible MTCD instance Let 119865be the adversary for Message Authentication Code 1198912 withoracle access to 1198912119870 where 119870 is a randomly selected keyLet PID11989410158401198951015840 = IMSI11989410158401198951015840 of user 119880 and 119880 might be initializedby 119865 119865 starts its execution by picking keys for all usersother than 119880 and proceeds as in the real world If 119865 needsaccess to the MAC function 1198912119870 under the key of 119880 thesame is provided by the corresponding oracles Further theevaluation of functions 1198911 1198913 1198914 1198915 1198916 and KDF with119880rsquos key is realized through returning a constant or randomnumber by 119865 Say 11986811989410158401198951015840 accepts at some point and 119865 outputsaggMACG119894 and the message agg119872G119894 and stops else 119865 stopswith a null string as output

Let Succ(119865 1198912) be the event that 119865 outputs aggMAC anda message which has not been given to the oracle 1198912119870 as aquery Let the event that 11986811989410158401198951015840 has accepted on stimulus bynoncompatible instance be represented by 11986411989410158401198951015840 If 11986411989410158401198951015840 = 1then the adversary has been successful in forging the MACfor the given message Thus

Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)

hencePr (11986411989410158401198951015840 = 1) le Advmac1198912 (119901 119899) (17)

where 119901 = 119874(119905) and 119899 = 119874(119899119894)

Case 2 Say MTCD instance 119868119894119895 accepted on stimulusAUTHHSS Let the event that 119868119894119895 accepted on stimulus froma nonnetwork entity be denoted by 119864119894119895 and let the event that119868119894119895 accepted on stimulus from anoncompatible network entity11986811989410158401198951015840 be denoted by 1198641015840119894119895 If 119864

1015840119894119895 has occurred then 11986811989410158401198951015840 must have

received agg119872G119894 aggMACG119894 before sending AUTHHSS As119879119860 is collision-free 119877G119894-119895 could be generated only by 119868119894119895 whichimplies that the adversary has successfully forged one ormoreMACs in aggMACThus

Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)


OFMC Version of 20060213SUMMARY

SAFEDETAILS

BOUNDED NUMBER OF SESSIONSPROTOCOL

homespanspantestsuiteresultsProposedifGOAL

as specifiedBACKEND

OFMCCOMMENTSSTATISTICS

parseTime 000ssearchTime 021svisitedNodes 8 nodesdepth 3 plies

Algorithm 2 Results from OFMC

role mtcd(MTCDGWMME agentKg1 1Gkg1 symmetric keyIMSIg1 1 GIDg1textHMAC functionF1F2F3F4F5F6KDFfunctionSQNtextSNDRCVSNDGRCVGchannel(dy))

played by MTCD def=local Statenat

Rg1 1textMACg1 1textGMACg1 1textAuthhssRmmeRhssMacmmetextSNIDtext

init State=0transition(1) State=0 and RCV(start)=|gt

State=3 and Rg1 1=new() andMACg1 1= HMAC(IMSIg1 1Rg1 1) Gkg1 and GMACg1 1=HMAC(IMSIg1 1Rg1 1MACg1 1GIDg1) Gkg1 and SNDG(IMSIg1 1Rg1 1MACg1 1GIDg1GMACg1 1) andwitness(MMEMTCDmme mtcd rg11Rg1 1)(2) State=3 andRCV(Rhss(HMAC(RhssGIDg1) (F1(RhssSNID) Gkg1))Rmme(F2(Rmme(Rhss(HMAC(RhssGIDg1)(F1(RhssSNID) Gkg1)))) (F1(RhssSNID) Gkg1))) =|gt

State=6 and SNDG(F6(RhssRg1 1) Kg1 1) and request(MTCDMMEmtcd mme rhssRhss) andrequest(MTCDMMEmtcd mme rmmeRmme)end role

Algorithm 3 Role of MTCD in HLPSL

If 119864119894119895 has occurred then the adversary was successful inforging the MAC for the message 119877HSS An execution of 119860results in an adversary 1198651015840 for 1198912 such that the event of 119868119894119895accepting results in 1198651015840 ends with output MACHSS

G119894 and 119877HSSThus in (18) we have Pr(119864119894119895 = 1) le Pr(Succ(1198651015840 1198912) = 1)Hence

Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)

Therefore the upper bound on the probability that MTCDinstance 119868119894119895 accepted on a stimulus from a network instancenoncompatible with it is given by

Pr (119864119894119895 = 1) + Pr (1198641015840119894119895 = 1) le 2 times Advmac1198912 (119901 119899) (20)

Case 3 Let the network instance that accepted on stimulusaggRESG119894 be denoted by 1198681198941015840101584011989510158401015840 and 1198681198941015840101584011989510158401015840 had earlier sent 119877HSSIf aggRESG119894 was not sent by a MTCD instance then the


role mme(MTCDGWMME agentKg1 1 Gkg1 symmetric keyIMSIg1 1 GIDg1textHMAC functionF1F2F3F4F5F6KDFfunctionSQNtextSNDRCVchannel(dy))

played by MME def=local

StatenatSNIDAggmacg1AggresRhss Macg1textGTKg1Kasmeg1 1symmetric keyAuthhsstextAkg1 1Ckg1 1Ikg1 1Xresg1 1 RmmeRg1 1Macmmetext

initState=3

transition(1) State=3 and RCV(IMSIg1 1Rg1 1GIDg1(xor(Aggmacg1HMAC(IMSIg1 1Rg1 1) Gkg1))SNID) =|gt

State=5 and Rhss=new() and GTKg1=F1(RhssSNID) Gkg1 and secret(GTKg1gtkg1MMEMTCD) andMacg1=HMAC(RhssGIDg1) GTKg1 and Authhss= RhssMacg1 and Akg1 1= F5(Rhss) Kg1 1 and Ckg1 1=F3(Rhss) Kg1 1 and Ikg1 1= F4(Rhss) Kg1 1 and Kasmeg1 1=KDF(xor(SQNAkg1 1)Ckg1 1Ikg1 1SNID) andsecret(Kasmeg1 1kasmeMTCDMME) and Xresg1 1= F6(RhssRg1 1) Kg1 1 and Rmme= new() andMacmme=HMAC(RmmeAuthhss) GTKg1 and SND(AuthhssRmmeMacmme) and witness(MMEMTCDmtcd mme rmmeRmme) andwitness(MMEMTCDmtcd mme rhssRhss)(2) State=5 and RCV(xor(AggresF6(RhssRg1 1) Kg1 1)) =|gt

State=6 and request(MTCDMMEmme mtcd rg11Rg1 1)end role

Algorithm 4 Role of MME in HLPSL

adversary was successful in forging MACHSSG119894 and it can be

proved similar to (17) that the upper bound on this eventis Advmac

1198912 (119901 119899) Further say aggRESG119894 was output by non-compatible MTCD instance 11986811989411198951 In this case 11986811989411198951 receivedAUTHHSS (which contains 119877HSS) prior to generating thestimulus With 119879119860 being collision-free it is not possible for anetwork entity other than 1198681198941015840101584011989510158401015840 to output AUTHHSS pointingto an adversary having forged MACHSS

G119894 Similar to (19) wehave an upper bound on this event as Advmac

1198912 (119901 119899) Thus theupper bound on the probability that the stimulus on 1198681198941015840101584011989510158401015840 wasfrom a noncompatible MTCD instance is 2 times Advmac

1198912 (119901 119899)We can therefore conclude that the probability of the

event 1198642 isPr (1198642) le 119899119894 (2 times Advmac

1198912 (119901 119899)) (21)

Lemma 2 Let 1198911 1198913 1198914 1198915 1198916 and KDF represented by119867 be a family of pseudorandom functions and 119867 is indepen-dent of1198912 and collision resistant in the real world adversary119860rsquosauthentic and collision-free transcript119879119860The algorithm119863 thatdistinguishes between the transcript of the real world adversary119860 and the ideal world adversary 119860lowast has

Advdist119879119860119879119860lowast (119863) le 119899MTCDAdvprf119867 (119901 119899) (22)

where119860 initializes 119899MTCD MTCD entities and 119899119894 instances 119901 =119874(119905) and 119899 = 119874(119899119894)

Proof A simulator with a real world adversary 119860 creates anideal world adversary 119860lowast and converts the transcript in thereal world (119879119860) into a transcript in the ideal world (119879119860lowast) sothat the two are almost identical The conversion is carriedout in the following manner

(i) An implementation record in 119879119860 is copied to 119879119860lowastthrough an implementation operation

(ii) A (start session 119894 119895) record in 119879119860 is connectionassignment with the ring master replacing the sessionkey 119870ASME

119894119895 with idealized random session key119870119894119895(iii) An (abort session 119894 119895) is copied to 119879119860lowast with 119879119860lowast

executing (abort session 119894 119895) operation(iv) In case of an application action in 119879119860 all necessary

evaluation is made by the ring master using thesession key of the ideal world

The main difference between 119879119860 and 119879119860lowast lies in the applica-tion records We prove that the assignments made by 119860lowast arelegal and 119879119860 and 119879119860lowast are indistinguishable

Case 1 Let us assume that an MTCD instance 119868119886119887 receivesAUTHHSS and accepts This message cannot be sent by anoncompatible network entity as 119879119860 is authentic Let thestimulus on 119868119886119887 be sent by compatible MTCD entity instance11986811988610158401198871015840 The connection assignment (create 1198861015840 1198871015840) is madeby adversary 119860lowast This connection assignment has not been


made earlier as AUTHHSS contains 119877HSS which the MTCDcan verify as not being repeated Thus the ring master cansubstitute the session key 119870ASME

119886119887 with an idealized (ran-dom) session key 119870119886119887

Case 2 Say 11986811990110158401199021015840 a network instance receives agg119872G119894 aggMACG119894 119868119901119902 is an MTCD instance whose individual MACis included in aggMACG119894 and 11986811990110158401199021015840 accepts on this stimulusThe connection assignment made by 119860lowast is (create 119901 119902) Therandom session key119870119901119902 is assigned by the ringmaster insteadof 119870ASME

11990110158401199021015840 Since 1198912 is collision resistant in 119879119860 hence thereceived message could be the stimulus only on 11986811990110158401199021015840 Thusthe connection assignment (create 119901 119902) has not be madeearlier This can be proved similarly for all MTCD instancesincluded in the group MAC construction

Case 3 Let 11986811990910158401199101015840 be the network instance that receivesaggRESG119894 from a group G119894 and let 119868119909119910 be a MTCD instance ofanMTCD belonging to this group Assume 11986811990910158401199101015840 has acceptedon this stimulus Since 1198912 is collision resistant and 119879119860 iscollision-free as in Case 2 we can prove that 119868119909119910 has acceptedon receiving stimulus provided by 11986811990910158401199101015840 Thus the adversary119860lowast has made a valid connection assignment (connect 119909 119910)with the ring master setting the session key119870ASME

11990910158401199101015840 to119870119909119910Each start session record in 119879119860lowast has a connection assign-

ment as seen from the analysis The main difference between119879119860 and 119879119860lowast now lies only in the application records For asingle MTCD entity initialized by 119860 and algorithm 119863 thatdistinguishes between 119879119860 and 119879119860lowast an adversary 1198631015840 for 119867 issuch that Advdist119879119860119879119860lowast (119863) = Advprf119867 (119863

1015840) Hence Advdist119879119860119879119860lowast (119863) leAdvprf119867 (119901 119899) where 119901 = 119874(119905) and 119899 = 119874(119899119894)

For 119899MTCD MTCD entities with keys 119870G119894-1 119870G119894-2 119870G119894-119899MTCD 119863 and 1198631015840 have access to oracles 119866119870G119894-1 119866119870G119894-2 119866119870G119894-119899MTCD1015840

Thus


119867 can be replaced by any of 1198911 1198913 1198914 1198915 1198916 or KDF

Theorem 3 Assume f1 f3 f4 f5 f6 and KDF representedby 119867 are pseudorandom function families and f2 is a secureMAC and all functions are independent of each other ThenHGMAKA is a secure AKA protocol

Proof For real world adversary 119860 with transcript 119879119860 theprobability that 1198912 is collision resistant is negligible as 1198912 isa secure Message Authentication Code From Lemma 2 wehave a distinguishing algorithm 119863 for ideal world adversary119860lowast such that

1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)

minus Pr (119863 (119879119860lowast) = 1 | 1198641 and 1198642)1003816100381610038161003816

le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore

Advdist119879119860119879119860lowast (119863) =1003816100381610038161003816Pr (119863 (119879119860) = 1) minus Pr (119863 (119879119860lowast)

= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)

minus Pr (119863 (119879119860lowast) = 1 | 1198641 and 1198642))Pr (1198641 and 1198642)

+ (Pr (119863 (119879119860) | 1198641 or 1198642)

minus Pr (119863 (119879119860lowast) = 1 | 1198641 or 1198642))Pr (1198641 or 1198642)10038161003816100381610038161003816le 1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642) minus Pr (119863 (119879119860lowast)

= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)

le 119899MTCDAdvprf119867 (119901 119899) + Pr (1198642) + Pr (1198641)

(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)

le 119899MTCDAdvprf119867 (119901 119899) + Pr (1198642 | 1198641) + 2Pr (1198641)

(27)

The probabilities Pr(1198641) and Pr(1198642 | 1198641) are negligiblein 119896 (from (14) and Lemma 1) hence Advdist119879119860119879119860lowast (119863) is alsonegligible Hence it is proved that HGMAKA is a secure AKAprotocol

Theorem 4 HGMAKA is KCI-resilient

Proof We consider the case when the long term secret keyof a MTCD has been compromised by an adversary Let 119868denote a MTCD entity instance who tries to execute theAuthentication and Key Agreement protocol with a compat-ible network entity instance 1198681015840 1198681015840 accepts with session key119870ASME

G119894-119895 on the stimulus agg119872G119894 aggMACG119894 Now theadversary corrupts MTCDG119894-119895 and 1198681015840 responds with messageAUTHHSS This is intercepted by the adversary and replacedby message AUTHHSS

1015840 Next 119868 accepts and generates sessionkey119870ASME

G119894-1198951015840 which is the same as the one generated by the

adversary and different from119870ASMEG119894-119895 generated by 1198681015840 In the

ideal world the session key generated by 1198681015840 was prior to theadversary corrupting the MTCD entity instance Hence theonly connection assignment possible is create Further in caseof 119868 since it was corrupted by the adversary the only possibleconnection assignment is compromise However 119868 cannotbe compromised without invalidating the rules of the idealworld as PID119868 = ID1198681015840 Also connect is not possible without119870ASME

G119894-119895 = 119870ASMEG119894-1198951015840 Thus the real world transcript will


Table 3 Probability of authentication failure and success

Group size 100 200 300 400 500 600 700 800 900 1000Number of groups 100 50 33 25 20 16 14 12 11 10Pr(119860) 06358 08687 09532 09835 09942 09980 09993 09998 09999 099991 minus Pr(119860) 03642 01313 00468 00165 00058 00020 00007 00002 763Eminus05 251Eminus05

be different from the ideal world transcript causing thesimulation to be impossible Therefore we can conclude thatHGMAKA is KCI-resilient

8 Performance Analysis

A comparative analysis of the proposed HGMAKA protocolvis-a-vis ten others discussed in Section 4 was performedwith respect to three different metrics (a) number of sig-naling messages exchanged in executing the protocol (b)communication cost that is the amount of data (in numberof bits) transferred in executing the protocols and (c)computational complexity that is the time (in milliseconds)taken for executing the cryptographic operations involved inthe protocols by both the MTCD and the network

An example scenario is given in the annexure A totalpopulation 119899 of 10000MTCDswas consideredwhichmay bedivided into groups of varying sizes It is assumed that 1 ofthis population can generate corrupt authentication requestsrepresented by 119899119888 that is 100 corrupt messages can exist Thepresence of even a single corrupt message can cause authen-tication failure resulting in a reauthentication requirementfor the entire group For a group size of 119899119887 the probability thatexactly 119894 invalid requests out of 119899119888 are present in the group 119899119887follows the hypergeometric distribution as

Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)

If119860 represents the event that reverification of the entire groupis required then probability of 119860 is

Pr (119860) = Pr 119894 = 1 + Pr 119894 = 2 + sdot sdot sdot + Pr 119894 = 100 (29)

This computation has been applied for different groupsizes that is 119899119887 and the corresponding probabilities are shownin Table 3

Thus for a group size of 100 there are 06358 probabilitiesthat group reauthentication will be required and 03642 thatgroup reauthentication will not be required As the numberof groups decreases resulting in increase in the number ofMTCDs in each individual group the probability of reauthen-tication (due to failure) increases

These probabilities are taken into account in the per-formance analysis for the proposed protocol vis-a-vis theexisting protocols Each of the aforementioned metrics wascomputed for different protocols using the following formulaQuantity of metric required for 119892 groups for successfulauthentication = 119910 sdot Pr(119860) sdot 119905 + 119909 sdot (1 minus Pr(119860)) sdot 119905 where 119905 isthe number of authentication runs 119909 is the quantity of metricrequired for authentication of 119892 groups and 119910 is the quantityof metric required for reauthentication of 119892 groups

0255075

25 50 75 100Number of groups

mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost

Scheme1-GLARM 8-LGTH2-Cao-AKA3-SE-AKA 6-MTC-AKA 9-DGBAKA 10-GAKA4-ABAAM5-ABAKA7-Choi-AKA11-HGMAKA multiple groups11-HGMAKA single group

Figure 7 Comparison of signaling messages per MTCD withincreasing number of groups

A total of 119905 = 10 runs of the authentication protocol havebeen considered For each metric comparison of the variousprotocols has been performed considering the probabilitiesmentioned in Table 3

81 Number of Signaling Messages The number of messageexchanges that takes place for 119905 rounds of authentication fordifferent number of groups across existing group based proto-cols vis-a-vis proposed HGMAKA protocol was consideredOnly group based protocols are considered as the advantagesof group based as against nongroup based schemes havealready been shown in existing literature As the HGMAKAprotocol allows group sizes to be large due to the hierarchicalnature of the aggregation two variants of this were comparedone with a single large group with the entire populationof 10000 MTCDs as members and the other consisting ofmultiple smaller groups

The HGMAKA protocol requires the lowest number ofsignaling messages as compared to the existing protocols asseen in Figure 7 Furthermore the reduction in signalingmessages with increasing number of groups is far moresignificant in the single group variation as compared to themultiple group version the reason being that even though theprobability of reauthentication increases with larger groupsize the proposed protocol does not require the entire groupto be reauthenticated in case of failure

82 Communication Cost The communication costs of theprotocols are computed as the sum of the sizes of the indi-vidual messages that are exchanged for a full round of AKA


010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion

cost Communication cost

Number of groups

Scheme1-GLARM2-Cao-AKA3-SE-AKA4-ABAAM5-ABAKA6-MTC-AKA

7-Choi-AKA8-LGTH9-DGBAKA10-GAKA11-HGMAKA multiple groups11-HGMAKA single group

Figure 8 Comparison of communication cost (in bits) per MTCDwith increasing number of groups

The parameters used are placed in the annexure for referencefor example the size of the messages exchanged betweenTier 1 and Tier 2 elements Tier 2 and Tier 3 elements andTier 3 and core networks in HGMAKA is added to arrive atits communication cost The plot in Figure 8 compares thecommunication costs

HGMAKA protocol with a single group requires theleast communication cost which is significantly lower ascompared to others When considered in multiple smallergroup it still exhibits a low communication cost with onlyChoi-AKA and SE-AKA performing a little better

83 Computational Cost For calculation of the computa-tional complexity of the protocols only significant crypto-graphic operations like hash point multiplication map-to-point pairing and so forth were considered A table has beenincluded in the annexure that lists the execution times ofthese operations usingCrypto++ library on aCeleron 11 GHzprocessor as MTCD and Dual Core 26GHz processor as anetwork element (MMEHSS) as reported in [16]

The plots in Figure 9 show that the computation costexhibited by HGMAKA protocol is low sharing the samewith only three other protocols MTC-AKA Choi-AKA andGAKA

While the main motivation was to reduce the signalingload on the network HGMAKA is seen to be light even interms of communication and computation costs

9 Conclusion

This paper presents a hierarchical group based mutualauthentication scheme HGMAKA for Machine Type Com-munication over LTE network The proposed lightweightsymmetric key based HGMAKA protocol introduces anarchitectural model that utilizes a heterogeneous networkof femtocells mobile femtocell and capillary network ofMTCDs in line with the future 5G networks The HGMAKAprotocol contributes by reducing the overall signaling load onthe access network eNBs and offloads the same to the smallercells It also significantly reduces the number of signaling

0100200300400

25 50 75 100

Computation cost at MTCD

(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups


7-Choi-AKA8-LGTH9-DGBAKA10-GAKA11-HGMAKA

0204060

25 50 75 100

Computation cost at network

(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups

Figure 9 Comparison of computation cost per MTCD at theMTCD and at the network with increasing number of groups

message exchanges and the size of the exchangedmessages byusing a single aggregateMAC in place of individualMACs foreach MTCD The scheme also addresses the important issuewith aggregate MACs single corrupt MAC-message pairinvalidating the aggregateMAC through the use of hierarchi-cal en route filtering of MACs HGMAKA has been shown toperform significantly better compared to other group basedprotocols Moreover this also releases the overhead of groupleadermanagement which includes selection of group leaderits failure and so forth which plagues many of the groupbased protocols

Appendix

A Additional Information

A1 Example Scenario Used for Evaluation of PerformanceParameters of Various Schemes An area where M2M com-munication is currently used is the Smart Metering Applica-tions These applications deal with monitoring and manage-ment of utilities like electricity gas or water Some of theactivities include obtaining meter reading self-configurationof smart meters monitoring usage and detecting outagesleakage and taking necessary actions like closing-downvalves circuit breakers and so forth From the HGMAKAarchitecture perspective one can look at this application fromthe following viewpoints

(i) First the smart meters can be considered as MTCDs(Tier 1) which can communicate with a gatewaydevice (Tier 2) which further communicates with theeNodeB (Tier 3) for communication with the corenetwork


(ii) Second the household appliances devices and soforth can be considered to beMTCDs (Tier 1) forminga capillary network with the smart meters acting asthe gateway device (Tier 2) The gateway device canfurther communicatewith the eNodeB (Tier 3) for thelast mile connectivity to core network

In both cases the final aggregator is the eNodeB Thisallows group sizes to be very large often spanning across avery large geographical area This is in contrast with otheraggregation schemes where the aggregator is a group leaderselected from across the MTCDs In the latter scenario allMTCDs in a group must be colocated within a specific rangeof the group leader thus limiting the group size Conse-quently the larger group will result in lower signaling over-load on the access network as opposed to multiple smallergroups formed from the same number of MTCDs

Ahousing complexwith 10multistoried apartment blocksor towers is considered as test case Each block consists of100 households each equipped with a smart meterThat givesapproximately 1000 smart meters in the entire complex Eachapartment block has a gateway device (a total of 10 in thecomplex) installed by the operator which communicates withthe smart meters aggregates the dataauthentication signalsreceived and sends a single messagesignal to the eNodeBNext we assume that there are 10 such housing complexeslocated in the nearby area all under the coverage of the samemacro base station increasing the number of smart meters to10000 If all houses in the locality are availing the services ofthe same utility provider then all 10000 smart meters can besaid to belong to a single group

Whenever the utility provider wants to communicatewith the smart meters all 10000 smart meters will try toconnect to the core network to send their usage billing orany other information thus overloading the eNodeB

As per the proposed hierarchical architecture whichallows large groups all 10000 smart meters form a groupcommunicating with the gateways which aggregates and for-wards themessagessignals to the eNodeBwhich further pro-ceeds with the last level aggregation and ultimately a singlemessagesignal is forwarded to the MME

In schemes where aggregation is performed by groupleader the size of groupswill be small say all 100 smartmetersin an apartment block forming a single group One of thesmart meters in each block is selected as a group leader andaggregates the messagessignals for all 100 meters Thus foreach housing complex consists of 10 groups and for 10 suchcomplexes we will have 100 groups The group leader sends asingle messagesignal per group to the eNodeB which for-wards them (as received without any aggregation) to theMME

A2 Formal VerificationUsing AVISPA SeeAlgorithms 3 and4

A3 Performance Comparison See Tables 4 and 5

Table 4 Parameters for computing communication costs

Field Size (bits)119870G119894-119895 128119877 128SQN 48AMF 16MAC 64RESXRES 128CK 128IK 128AK 48IMSI 64LAI 40GK 128GID 64119870ASME 256IDMME 24ECDSA public key 160Timestamp 32Digital signature 320Temporary ID 128Pseudo-ID 320Security value 128LMK 256

Table 5 Parameters for computing computation costs

Operation Time (millisec)

At MTCD

Digital signature 477Hashing 00356

Point multiplication 1537Map-to-point 1537Exponentiation 1698

Pairing 38376Decryption 477Encryption 018

At network

Modulus 1698Hashing 00121


Pairing 16322Digital signature 477

B Formal Security Analysis Definitions

B1 IdealWorld The ideal world consists of entities (denotedby 119872119894) MTCD or network (can be either home networkor serving network referred to simply as network) MTCDentities communicate with network entities in a two-partysetting Each 119872119894 (119894 = 1 2 ) can participate in multipleinstances denoted by 119868119894119895 (119895 = 1 2 ) An adversary playsa game with its opponent a ring master who generates ran-dom numbers The adversary can create and connect entity


instances and can query the ring masterThe ring master alsoprovides session keys to the entity instances The adversarycan perform operations which are recorded in a transcriptThese operations are as follows

(i) (Initialize entity 119894 119903119900119897119890119894 119868119863119894) Adversary assigns anidentity ID119894 (a unique arbitrary bit-string) to the 119894thentity with the role as 0 for a MTCD entity and 1 fornetwork entity

(ii) (Initialize entity instance 119894 119895 119875119868119863119894119895) It initializes anentity instance for previously initialized entities andassigns a partner identity for this instance In caseof group based architecture for a network entityinstance the PIDij can be a list corresponding to theIDs of all MTCDs in the group

(iii) (Abort session 119894 119895) It aborts a previously initializedentity instance

(iv) (Start session 119894 119895 connection assignment [ key]) Itspecifies how a session key 119870119894119895 for an entity instance119868119894119895 is generated The possible connection assignmentsare as follows

(1) (Create 1198941015840 1198951015840) A random bit-string119870119894119895 is gener-ated by the ring master This is valid only if(a) 11986811989410158401198951015840 is an instance compatible with 119868119894119895 and

initialized earlier that is PID119894119895 = ID1198941015840 andPID11989410158401198951015840 = ID119894 and role119894 = role119895

(b) (create 1198941015840 1198951015840) had not been made earliereither on 119868119894119895 or any other instance

We can say that 119868119894119895 is isolated for 11986811989410158401198951015840 once thestart session operation completes

(2) (Connect 1198941015840 1198951015840) The key119870119894119895 is set to11987011989410158401198951015840 by thering master This assignment is legal only if 11986811989410158401198951015840is isolated for 119868119894119895

(3) CompromiseThe ring master sets119870119894119895 to key

(v) (Application f)119891(119877 119870119894119895)where119877 is a random inputand 119870119894119895 is a session key The adversary receives theoutput of this function from the ring master

(vi) (Implementation comment) Inserting comments tothe transcript by the adversary

The activities of the adversary 119860 are logged in the transcript119879119860

B2 Real World In the real world the adversary has fullcontrol over the channel The real world adversary workstowards defeating theMutual Authentication and Key Agree-ment goals The adversary starts by initializing the entitiesusing the initialize entity operation followed by the initializeentity instance operations In addition to the operationsavailable in the ideal world the entities in the real worldcan perform protocol specific operations which can modifytheir internal state A network entity 119873119894 with identity ID119894can start an initialization routine whereby it interacts withother network entities with which it has service agreementsThe ring master provides a list of networks to119873119894 with which

it has service agreements 119873119894 sends agreement messages toeach network in this list to which the other party respondswith an approval message Communication between the twonetworks is modeled with the ring master providing a securecommunication with the help of mailboxes at both sides

Each MTCD entity has to be registered with some net-work entity through the execution of a registration routineThe identity of an MTCD is assumed to be prefixed withthe identity of the home network to which it is registered(eg IMSI) During the registration routine ofMTCD119880119894withpreviously initialized network 1198731198941015840 the ring master assignsarbitrary bit-string 119870119894 to both 119880119894 and 1198731198941015840 which is stored inthe variable LTSi by 119880119894 and (119870119894 119880119894) in variable LTS1198941015840 by1198731198941015840

Additionally a group registration routine is carried outbetween a group of MTCDs and the network Here a list ofIDs of MTCD entities forming a group is assigned a groupidentity GID119894 and an arbitrary bit-string as group key GK119894by the ring master The identity and the key are sent to allMTCDs and1198731198941015840 TheMTCD119880119894 stores (GID119894GK119894) in variableGS119894 and1198731198941015840 stores the same in GS1198941015840

An entity instance is implemented in the form of a statemachine having access to ID119894 role119894 LTS119894 and GS119894 A statechange occurs on receiving somemessage of the form (delivermessage 119894 119895 type InMsg) from an adversary 119868119894119895 responds byreporting OutMsg along with status to the adversary Thestatus can be continue (if 119868119894119895 can receive a nextmessage) accept(119868119894119895 ends with session key SK119894119895) or reject (119868119894119895 ends withoutsession key) The transcript 119879119860 records (implementationdeliver message 119894 119895 type InMsg OutMsg status) and (startsession 119894 119895) if status is accept and (abort session 119894 119895) if statusis reject

Also the operation (119886119901119901119897119894119888119886119905119894119900119899 119891) can be executed bythe adversary using the actual session key SK119894119895

B3 Some Preliminaries

B31 Negligible Function A real valued function 120598(119896) isnegligible (in 119896 119896 is nonnegative) if for every 119888 gt 0 there exists119896119888 gt 0 such that 120598(119896) lt 119896minus119888 for all 119896 gt 119896119888

B32 Function Family A function family is a map 119865 K times119863 rarr 119877 where K is the set of keys 119863 is the domain of 119865and 119877 is the range of 119865 The set of keys and 119877 are finite setsThe function 119865 takes two inputs 119870 isin K and 119883 as input andreturns a point 119884 in 119877 119865(119870119883) = 119884

For a key 119870 isin K the mapping 119865119870 119863 rarr 119877 is definedby 119865119870(119883) = 119865(119870119883) = 119884 119865119870 is said to be an instance of thefunction family 119865

B33 Random Function Let 119877 = 0 1119899 be a finite set andlet 119865119899 be an oracle which implements a random function Ifan adversary queries (119909) where 119909 is an input parameter itreceives a random point from 119877 If 119865119899(119909) is queried multipletimes the response remains unchanged

B34 Pseudorandom Function Family It is a family of func-tions with the property that the input-output behavior of


a random instance of the family is computationally indis-tinguishable from a truly random function For a family offunctions 119865 0 1119896 times 0 1119897 rarr 0 1119871 and 119865119870 119863 rarr 119877 with119870 isin K In the real world 119865119870 is an instance of 119865 and in theideal world 119865119870 is a truly random function

B35 Distinguishing Advantage The advantage of a prob-abilistic polynomial time algorithm 119863 in distinguishingbetween two families of random variables is119883 = 119883119896119896ge0 and119884 = 119884119896119896ge0 where 119883119896 and 119884119896 take values from a finite set119878119896 The output of 119863 is 0 or 1 depending on whether it candistinguish between 119883 and 119884 The distinguishing advantageof119863 is

Advdist119883119896 (119863) =1003816100381610038161003816Pr (119863 (119883119896) = 1) minus Pr (119863 (119884119896) = 1)1003816100381610038161003816 (B1)

B36 Prf-Advantage Let 119865 K times 119863 rarr 119877 be a family offunctions and let 119866 119863 rarr 119877 be another family of functionsfrom 0 1119897 to 0 1119871 and let 119860 be a probabilistic polynomialtime oracle algorithmThe prf-advantage of 119860 is

Advprf119865 (119860) = |Pr (119860 (119865) = 1) minus Pr (119860 (119866) = 1)| (B2)

An insecurity function associated with 119865 is given by

Advprf119865 (119905 119902) = max119860isinA(119905119902)Advprf119865 (119860) (B3)

whereA(119905 119902) is the set of adversaries that make a maximumof 119902 oracle queries and have running time of 119905 If forevery probabilistic polynomial time adversary119860 Advprf119865 (119860) isnegligible in 119896 then we say that 119865 is a pseudorandom family

B37 MAC Advantage A Message Authentication Code isa family of functions 0 1119896 times Dom(119865) rarr 0 1119871 whereDom(119865) is the domain of 119865 and Dom(119865) = 0 1le119897 For119870 isin 0 1119896 and119872 isin 0 1le119897 120590 = 119865(119870119872) is the MAC of119872An adversary119860 is a probabilistic polynomial time algorithmthat has oracle access for computing MAC for random key119869 The mac advantage of 119860 is the probability that 119860 outputs(120590119872) such that 120590 = 119865(119870119872) and119872 was not a query to theoracle by 119860 The insecurity function of 119865 is

Advmac119865 (119905 119902) = max119860isinA(119905119902)Adv

mac119865 (119860) (B4)

We say that 119865 is a secure message authentication code iffor every polynomially bounded adversary 119860 Advmac

119865 (119860) isnegligible in 119896

B4 Definitions

B41 Stimulus For a real world entity instance 119868119894119895 a messagereceived by 119868119894119895 causing it to change its status to accept is calleda stimulus on 119868119894119895

B42 Authentic Transcript For every real world adversary119860 with transcript 119879119860 119879119860 is said to be authentic if for aninstance 119868119894119895 the stimulus to accept comes only from anothercompatible instance

B43 Collision-Free Transcript For every real world adver-sary 119860 with transcript 119879119860 119879119860 is said to be collision-free ifevery entity and its instances generate unique nonrepeatedrandom numbers

B44 Collision Resistant Transcript For every real worldadversary119860with transcript119879119860 if for function family119865 is usedby entity and entity instance to compute tags 1205901 1205902 120590119899and 120590119894 = 120590119895 119894 = 119895 we say that 119865 is collision resistant in 119879119860

Notations

MTCDG119894-119895 MTCD 119895 belonging to group G119894IMSIG119894-119895 Unique International Mobile Subscriber

Identity Number for MTCDG119894-119895GIDG119894 Group identifier of group G119894GKG119894 Group key of group 119894 shared by all members

of the group with the HSS The group key isalso shared between the Tier 2 and Tier 3elements catering to the group

119870G119894-119895 Secret key shared between the MTCDG119894-119895with the HSS

119872G119894-1198951 Authentication request message generated by

MTCDG119894-119895119877G119894-119895 Random number generated by MTCDG119894-119895MACG119894-119895 Message authentication code sent by

MTCDG119894-119895 for authentication by MMEMACG119894-119895

1 Message authentication code sent byMTCDG119894-119895 for verification by Tier 2 element

119877HSS Random number generated by HSSaggMACG119894

1198962 Aggregate MAC generated by 119896th Tier 2element

agg119872G1198941198962 Aggregate message generated by 119896th Tier 2

elementMACG119894

1198962 MAC generated by 119896th Tier 2 element ofgroup G119894 for verification by Tier 3 element

aggMACG119894 Final aggregate MAC generated by Tier 3element

agg119872G119894 Final aggregate message generated by Tier 3element

SN ID Serving Network IdentityTGKG119894 Temporary Group Key for group G119894 used as

a group session keyMACG119894

HSS MAC generated by HSS for group G119894AUTHHSS Authentication token generated by HSSCK Ciphering keyIK Integrity keyAK Anonymity keySQN Sequence number119870ASME

G119894-119895 Session key between MME and MTCD 119894XRESG119894-119895 Expected response to the challenge sent by

MME to MTCDG119894-119895RESG119894-119895 Response generated by MTCDG119894-119895 in

response to challenge by MMEGKI Group Key IndexaggRESG119894 Aggregate response by Tier 3 element to

MME


1198911 1198913 1198914 1198915 1198916 One-way hash functionsKDF Key derivation function1198912 Message authentication code

generating function

Competing Interests

The authors declare that they have no competing interests

References

[1] ldquoCisco Visual Networking Indexrdquo httpwwwciscocomcenussolutionsservice-providervisual-networking-index-vniindexhtml

[2] 3rd Generation Partnership Project Technical SpecificationGroup Services and System Aspects Security aspects of Mach-ine-Type Communications (Rel 12) 3GPP TR 33868 V0100Septemper 2012

[3] ldquoFP7 Seventh Framework Programmerdquo httpseceuropaeuresearchfp7index encfm

[4] HDroste G ZimmermannM Stamatelatos et al ldquoTheMETIS5G architecture a summary of METIS work on 5G architec-turesrdquo in Proceedings of the 81st IEEE Vehicular Technology Con-ference (VTC rsquo15) pp 1ndash5 May 2015

[5] A Osseiran F Boccardi V Braun et al ldquoScenarios for 5Gmobile and wireless communications the vision of the METISprojectrdquo IEEE Communications Magazine vol 52 no 5 pp 26ndash35 2014

[6] ldquoiJOINrdquo httpwwwict-ijoineu[7] ldquoTROPICrdquo httpwwwict-tropiceu[8] 3rd Generation Partnership Project and Technical Specification

Group Services and System Aspects ldquoService requirements forMachine-Type Communications (MTC) (Rel 12)rdquo 3GPP TS22368 V1200 2012

[9] 3rd Generation Partnership Project and Technical SpecificationGroup Services and System Aspects ldquoService requirements forHome Node B (HNB) and Home eNode B (HeNB) (Rel 12)rdquo3GPP TS 22220 V1200 2012

[10] 3rd Generation Partnership Project ldquoTechnical SpecificationGroup Service and System Aspects 3GPP System ArchitectureEvolution (SAE)rdquo Security architecture (Rel 12) 3GPP TS 33401V12130 2012

[11] J Arkko andHHaverinen ldquoExtensibleAuthenticationProtocolMethod for 3rd Generation Authentication and Key Agreement(EAP-AKA)rdquo IETF RFC 4187 January 2006

[12] M Condoluci M Dohler G Araniti A Molinaro and KZheng ldquoToward 5G densenets architectural advances for eff-ective machine-type communications over femtocellsrdquo IEEECommunications Magazine vol 53 no 1 pp 134ndash141 2015

[13] F Haider C-XWang H Haas et al ldquoSpectral efficiency analy-sis of mobile Femtocell based cellular systemsrdquo in Proceedings ofthe IEEE 13th International Conference on Communication Tech-nology (ICCT rsquo11) pp 347ndash351 IEEE Jinan China September2011

[14] 3rd Generation Partnership Project and Technical Specifica-tion Group Services and System Aspects ldquoStudy on enhance-ments for Machine-Type Communications (MTC) (Release12)rdquo V1200 3GPP TR 22888 2012

[15] V B Misic J Misic X Lin and D Nerandzic ldquoCapillary mach-ine-to-machine communications the road aheadrdquo in Ad-Hoc

Mobile and Wireless Networks X-Y Li S Papavassiliou and SRuehrup Eds vol 7363 of Lecture Notes in Computer Sciencepp 413ndash423 Springer Berlin Germany 2012

[16] C Lai H Li R Lu and X Shen ldquoSE-AKA a secure and efficientgroup authentication and key agreement protocol for LTE net-worksrdquo Computer Networks vol 57 no 17 pp 3492ndash3510 2013

[17] C Lai H Li X Li and J Cao ldquoA novel group access authentica-tion and key agreement protocol formachine-type communica-tionrdquo Transactions on Emerging Telecommunications Technolo-gies vol 26 no 3 pp 414ndash431 2015

[18] Y Zhang J Chen H Li W Zhang J Cao and C Lai ldquoDyna-mic group based authentication protocol formachine type com-municationsrdquo in Proceedings of the 4th International Conferenceon Intelligent Networking and Collaborative Systems (INCoS rsquo12)pp 334ndash341 IEEE Bucharest Romania September 2012

[19] Y-W Chen J-T Wang K-H Chi and C-C Tseng ldquoGroup-based authentication and key agreementrdquo Wireless PersonalCommunications vol 62 no 4 pp 965ndash979 2012

[20] J Cao M Ma and H Li ldquoA group-based authentication andkey agreement for MTC in LTE networksrdquo in Proceedings of theIEEEGlobal Communications Conference (GLOBECOM rsquo12) pp1017ndash1022 Anaheim Calif USA December 2012

[21] J Cao M Ma and H Li ldquoAccess authentication of mass deviceconnections for MTC in LTE networksrdquoThe Smart ComputingReview vol 4 no 4 pp 262ndash277 2014

[22] C Lai H Li R Lu R Jiang and X Shen ldquoLGTH a lightweightgroup authentication protocol for machine-type communica-tion in LTE networksrdquo in Proceedings of the IEEE Global Comm-unications Conference (GLOBECOM rsquo13) pp 832ndash837 Decem-ber 2013

[23] D Choi S Hong andH-K Choi ldquoA group-based security pro-tocol for machine type communications in LTE-advancedrdquo inProceedings of the IEEE Conference on Computer Communica-tions Workshops (INFOCOM WKSHPS rsquo14) pp 161ndash162 IEEEOntario Canada May 2014

[24] C Lai R Lu D Zheng H Li and X Sherman ldquoGLARMgroup-based lightweight authentication scheme for resource-constrained machine to machine communicationsrdquo ComputerNetworks vol 99 pp 66ndash81 2016

[25] D Boneh C Gentry B Lynn and H Shacham Aggregate andVerifiably Encrypted Signatures from Bilinear Maps SpringerBerlin Germany 2003

[26] D Naccache M Just B Preneel et al ldquoNybergndashrueppel signa-ture schemerdquo in Encyclopedia of Cryptography and Security p879 Springer Boston Mass USA 2011

[27] J-L Huang L-Y Yeh and H-Y Chien ldquoABAKA an anony-mous batch authenticated and key agreement scheme for value-added services in vehicular ad hoc networksrdquo IEEETransactionson Vehicular Technology vol 60 no 1 pp 248ndash262 2011

[28] E Klaoudatou E Konstantinou G Kambourakis and S Grit-zalis ldquoA survey on cluster-based group key agreement protocolsforWSNsrdquo IEEE Communications Surveys and Tutorials vol 13no 3 pp 429ndash442 2011

[29] T Rams and P Pacyna ldquoA survey of group key distributionschemeswith self-healing propertyrdquo IEEECommunications Sur-veys and Tutorials vol 15 no 2 pp 820ndash842 2013

[30] R Roman C Alcaraz J Lopez and N Sklavos ldquoKey manage-ment systems for sensor networks in the context of the Internetof Thingsrdquo Computers and Electrical Engineering vol 37 no 2pp 147ndash159 2011

[31] AVISPA Automated Validation of Internet Security Protocolsand Applications httpwwwavispa-projectorg


[32] V Shoup ldquoOn formal models for secure key exchangerdquo TechRep 1999

[33] M Zhang and Y Fang ldquoSecurity analysis and enhancementsof 3GPP authentication and key agreement protocolrdquo IEEETransactions onWireless Communications vol 4 no 2 pp 734ndash742 2005

[34] Y-L Huang C-Y Shen and S W Shieh ldquoS-AKA a provableand secure authentication key agreement protocol for UMTSnetworksrdquo IEEE Transactions on Vehicular Technology vol 60no 9 pp 4509ndash4519 2011

[35] Y-L Huang C Y Shen S Shieh H-J Wang and C-C LinldquoProvable secure AKA scheme with reliable key delegation inUMTSrdquo in Proceedings of the 3rd IEEE International Conferenceon Secure Software Integration Reliability Improvement (SSIRIrsquo09) pp 243ndash252 Shanghai China July 2009

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



generated from the authentication procedure executed forsecurity reasons by each MTCD before they can attach tothe network becomes a serious concern in such scenariosA sizable number of MTCDs trying to attach to the networksimultaneously with each having to undergo the MutualAuthentication and Key Agreement (AKA) procedure resultinmassive signaling overload at both access network and corenetwork

The existing literature on MTC authentication has triedto find different approaches to reduce the signaling trafficneeded for the AKA procedure by grouping the MTCDsbased on different criteria like belonging to the same appli-cation appearing in the same location and so forth Theschemes exploiting the group based approach use one of thefollowing methods for reducing the AKA signaling load

(1) First MTCD performs a full AKA with the core net-work and also authenticates the group by fetching theauthentication data for the entire group to the servingnetwork the rest of the group members authenticateslocally at the serving network using the prefetchedauthentication data

(2) Each MTCD sends its authentication message to aMTCD selected from among the group to be a groupleader who in turn aggregates the same and transmitsit to the core network

The main drawback of the first approach is that while itreduces the signaling load between the home network andthe serving network the load at the access network remainsunchangedThe latter approach successfully reduces the loadat the access network but a single corrupt authenticationmes-sage in the aggregate will result in the rejection of the authen-tication of the entire group Furthermore the group leaderbased approach also includes the complexity and consequentdelay of group leader selection and in the event of groupleader failureexit reselection of the new incumbent Hencea natural corollary to these contributions would be one thataddresses these limitations

In this paper the authors propose the HierarchicalGroup based Mutual Authentication and Key Agreement(HGMAKA)protocol forMTCwhichwill be suitable for bothcurrent LTE-A and future 5G networks The main contribu-tions of this paper are the following

(1) Introduction of a hierarchical approach as againstthe existing first MTCD based or group leader basedapproach for implementation of group based AKAbetween a group of MTCDs and the Core Network

(2) Adoption of hierarchical small cell architecture inline with 5G architecture for reduction in signalingload due to authentication as against macrocell archi-tecture in existing literature

(3) Introduction of en route integrity verification ofauthentication messages to avoid batch reauthentica-tion due to failures

(4) Performance comparison with ten other group basedschemes in the literature

The proposed group based hierarchical protocol uses thesupport of network elements instead of a group leader ther-eby eliminating the additional complexity related to groupleader management In view of resource constrained devicesused in most M2M applications it uses the lightweight sym-metric key based aggregate Message Authentication Code(MAC) approach with integrity verification of authenticationmessages at each level of the hierarchy This eliminates thechance of group authentication failure at the core networkwhich can otherwise be caused in the existing group basedschemes using aggregateMAC by even a single corruptMACappearing in the aggregate authentication message

Furthermore the use of small cells helps in offloadingtraffic from the macrocells to small cells resulting in furtherreduction in signaling load at the access network level Thisis also in linewith the architectures of future cellular networksas proposed by several projects like METIS iJOIN [6] TRO-PIC [7] and so forth advocating the use of small cells Depen-ding on applications MTCDs may be deployed in low cov-erage areas like underground parking or remote inaccessiblelocations where connectivity to cellular networks may not befeasible The proposed HGMAKA scheme takes into consid-eration such cases through the use of small cells and capillarynetwork of devices Being hierarchical in nature it allowslarger group sizes through multilevel aggregation resultingin lesser number of groups for a given number of MTCDsMoreover highlymobileMTCDs like those in public vehicleswill need frequent handovers resulting in high overheadThe proposed protocol uses mobile femtocells to address thisissue

The rest of the paper is organized as follows Section 2provides an overview ofMTC under LTE-A themutual AKAprotocol and the importance of heterogeneous cellular net-work architecture Section 3 spells out the motivation behindthe proposed protocol Section 4 reviews some related worksfrom the literature on group basedmutualAKAprotocols andhighlights the issues therein Sections 5 and 6 present the pro-posed system architecture along with the proposed protocolSection 7 presents the security analysis of the protocolSection 8 provides performance analysis of the proposed pro-tocol vis-a-vis existing group based protocols and Section 9concludes the paper

2 Machine Type Communication and SmallCell Architecture

21 Machine Type Communication Machine Type Commu-nication (MTC) [8] also known as M2M communicationrefers to the communication between entities without anyhuman interventionThis communicationmainly entails col-lection of data by the MTCD and transmitting to an MTCServer which processes the data and initiates some actionThere can also be scenarios where the MTC Server triggersthe MTCD to perform some action A third scenario mayinvolve twoMTCDs communicating among themselves withor without involving any MTC Server Standardization orga-nizations like 3GPP have published specifications to enableoptimization of 3G and LTE cellular networks for MTCtraffic The MTCD connects to the LTE core network also










3 Motivation



UEMTCD

eNB HeNB

E-UTRAN

Untrusted non-3GPP

ePDG

HeNB-GW

AAA

MMES-GW

PDG MC server

HSS

MC server

MTC user

Trusted non-3GPP


UE MME HSS









Generate EPS AV

Compute KASME












4 Related Works

























1)computed on 119872G119894-119895








MACG119894-1198951 = 1198912 (GKG119894119872G119894-119895

1) (2)








1198962 on agg119872G1198941198962 aggMACG119894









aggMACG1198941198962 = aggMACG119894

1198962 oplusMACG119894-119895 (3)



119872G119894-1198951 = remove (119872G119894-119895

1MACG119894-119895) (4)


HeNB-GW

HSS

PDN-GW

MMES-GW

MTCserver

Internet

eNB

HeNB HeNB

Wireless link

HeNB

Wired link


MTC-GW


Tier 1

Tier 2

Tier 3


MTCD

MTCD

MTCD

MTCD

MTCDMME

Gateway

Gateway

Group leader

Group leader

Group leader

eNodeB

Group 1

Group 2

Group 3

Group 4






agg119872G1198941198962 = agg119872G119894

1198962 119872G119894-1198951 (5)



MACG1198941198962 = 1198912 (GKG119894 agg119872G119894

1198962 aggMACG1198941198962) (6)


1198962 aggMACG1198941198962 MACG119894





1198962 aggMACG1198941198962 MACG119894





agg119872G119894-1198951198962 = remove (agg119872G119894-119895

1198962 aggMACG1198941198962)

agg119872G119894 = agg119872G119894 agg119872G1198941198962

(8)







TGKG119894 = 1198911 (GKG119894 119877HSS SN ID) (9)
















RESG119894-119895 = 1198916 (119870G119894-119895 119877HSS) (12)







GIDG119894



IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899


119870ASMEG119894-119895




7 Security Analysis















HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation


















3 Motivation



UEMTCD

eNB HeNB

E-UTRAN

Untrusted non-3GPP

ePDG

HeNB-GW

AAA

MMES-GW

PDG MC server

HSS

MC server

MTC user

Trusted non-3GPP


UE MME HSS









Generate EPS AV

Compute KASME












4 Related Works

























1)computed on 119872G119894-119895








MACG119894-1198951 = 1198912 (GKG119894119872G119894-119895

1) (2)








1198962 on agg119872G1198941198962 aggMACG119894









aggMACG1198941198962 = aggMACG119894

1198962 oplusMACG119894-119895 (3)



119872G119894-1198951 = remove (119872G119894-119895

1MACG119894-119895) (4)


HeNB-GW

HSS

PDN-GW

MMES-GW

MTCserver

Internet

eNB

HeNB HeNB

Wireless link

HeNB

Wired link


MTC-GW


Tier 1

Tier 2

Tier 3


MTCD

MTCD

MTCD

MTCD

MTCDMME

Gateway

Gateway

Group leader

Group leader

Group leader

eNodeB

Group 1

Group 2

Group 3

Group 4






agg119872G1198941198962 = agg119872G119894

1198962 119872G119894-1198951 (5)



MACG1198941198962 = 1198912 (GKG119894 agg119872G119894

1198962 aggMACG1198941198962) (6)


1198962 aggMACG1198941198962 MACG119894





1198962 aggMACG1198941198962 MACG119894





agg119872G119894-1198951198962 = remove (agg119872G119894-119895

1198962 aggMACG1198941198962)

agg119872G119894 = agg119872G119894 agg119872G1198941198962

(8)







TGKG119894 = 1198911 (GKG119894 119877HSS SN ID) (9)
















RESG119894-119895 = 1198916 (119870G119894-119895 119877HSS) (12)







GIDG119894



IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899


119870ASMEG119894-119895




7 Security Analysis















HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










UEMTCD

eNB HeNB

E-UTRAN

Untrusted non-3GPP

ePDG

HeNB-GW

AAA

MMES-GW

PDG MC server

HSS

MC server

MTC user

Trusted non-3GPP


UE MME HSS









Generate EPS AV

Compute KASME












4 Related Works

























1)computed on 119872G119894-119895








MACG119894-1198951 = 1198912 (GKG119894119872G119894-119895

1) (2)








1198962 on agg119872G1198941198962 aggMACG119894









aggMACG1198941198962 = aggMACG119894

1198962 oplusMACG119894-119895 (3)



119872G119894-1198951 = remove (119872G119894-119895

1MACG119894-119895) (4)


HeNB-GW

HSS

PDN-GW

MMES-GW

MTCserver

Internet

eNB

HeNB HeNB

Wireless link

HeNB

Wired link


MTC-GW


Tier 1

Tier 2

Tier 3


MTCD

MTCD

MTCD

MTCD

MTCDMME

Gateway

Gateway

Group leader

Group leader

Group leader

eNodeB

Group 1

Group 2

Group 3

Group 4






agg119872G1198941198962 = agg119872G119894

1198962 119872G119894-1198951 (5)



MACG1198941198962 = 1198912 (GKG119894 agg119872G119894

1198962 aggMACG1198941198962) (6)


1198962 aggMACG1198941198962 MACG119894





1198962 aggMACG1198941198962 MACG119894





agg119872G119894-1198951198962 = remove (agg119872G119894-119895

1198962 aggMACG1198941198962)

agg119872G119894 = agg119872G119894 agg119872G1198941198962

(8)







TGKG119894 = 1198911 (GKG119894 119877HSS SN ID) (9)
















RESG119894-119895 = 1198916 (119870G119894-119895 119877HSS) (12)







GIDG119894



IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899


119870ASMEG119894-119895




7 Security Analysis















HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











4 Related Works

























1)computed on 119872G119894-119895








MACG119894-1198951 = 1198912 (GKG119894119872G119894-119895

1) (2)








1198962 on agg119872G1198941198962 aggMACG119894









aggMACG1198941198962 = aggMACG119894

1198962 oplusMACG119894-119895 (3)



119872G119894-1198951 = remove (119872G119894-119895

1MACG119894-119895) (4)


HeNB-GW

HSS

PDN-GW

MMES-GW

MTCserver

Internet

eNB

HeNB HeNB

Wireless link

HeNB

Wired link


MTC-GW


Tier 1

Tier 2

Tier 3


MTCD

MTCD

MTCD

MTCD

MTCDMME

Gateway

Gateway

Group leader

Group leader

Group leader

eNodeB

Group 1

Group 2

Group 3

Group 4






agg119872G1198941198962 = agg119872G119894

1198962 119872G119894-1198951 (5)



MACG1198941198962 = 1198912 (GKG119894 agg119872G119894

1198962 aggMACG1198941198962) (6)


1198962 aggMACG1198941198962 MACG119894





1198962 aggMACG1198941198962 MACG119894





agg119872G119894-1198951198962 = remove (agg119872G119894-119895

1198962 aggMACG1198941198962)

agg119872G119894 = agg119872G119894 agg119872G1198941198962

(8)







TGKG119894 = 1198911 (GKG119894 119877HSS SN ID) (9)
















RESG119894-119895 = 1198916 (119870G119894-119895 119877HSS) (12)







GIDG119894



IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899


119870ASMEG119894-119895




7 Security Analysis















HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation




















1)computed on 119872G119894-119895








MACG119894-1198951 = 1198912 (GKG119894119872G119894-119895

1) (2)








1198962 on agg119872G1198941198962 aggMACG119894









aggMACG1198941198962 = aggMACG119894

1198962 oplusMACG119894-119895 (3)



119872G119894-1198951 = remove (119872G119894-119895

1MACG119894-119895) (4)


HeNB-GW

HSS

PDN-GW

MMES-GW

MTCserver

Internet

eNB

HeNB HeNB

Wireless link

HeNB

Wired link


MTC-GW


Tier 1

Tier 2

Tier 3


MTCD

MTCD

MTCD

MTCD

MTCDMME

Gateway

Gateway

Group leader

Group leader

Group leader

eNodeB

Group 1

Group 2

Group 3

Group 4






agg119872G1198941198962 = agg119872G119894

1198962 119872G119894-1198951 (5)



MACG1198941198962 = 1198912 (GKG119894 agg119872G119894

1198962 aggMACG1198941198962) (6)


1198962 aggMACG1198941198962 MACG119894





1198962 aggMACG1198941198962 MACG119894





agg119872G119894-1198951198962 = remove (agg119872G119894-119895

1198962 aggMACG1198941198962)

agg119872G119894 = agg119872G119894 agg119872G1198941198962

(8)







TGKG119894 = 1198911 (GKG119894 119877HSS SN ID) (9)
















RESG119894-119895 = 1198916 (119870G119894-119895 119877HSS) (12)







GIDG119894



IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899


119870ASMEG119894-119895




7 Security Analysis















HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










HeNB-GW

HSS

PDN-GW

MMES-GW

MTCserver

Internet

eNB

HeNB HeNB

Wireless link

HeNB

Wired link


MTC-GW


Tier 1

Tier 2

Tier 3


MTCD

MTCD

MTCD

MTCD

MTCDMME

Gateway

Gateway

Group leader

Group leader

Group leader

eNodeB

Group 1

Group 2

Group 3

Group 4






agg119872G1198941198962 = agg119872G119894

1198962 119872G119894-1198951 (5)



MACG1198941198962 = 1198912 (GKG119894 agg119872G119894

1198962 aggMACG1198941198962) (6)


1198962 aggMACG1198941198962 MACG119894





1198962 aggMACG1198941198962 MACG119894





agg119872G119894-1198951198962 = remove (agg119872G119894-119895

1198962 aggMACG1198941198962)

agg119872G119894 = agg119872G119894 agg119872G1198941198962

(8)







TGKG119894 = 1198911 (GKG119894 119877HSS SN ID) (9)
















RESG119894-119895 = 1198916 (119870G119894-119895 119877HSS) (12)







GIDG119894



IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899


119870ASMEG119894-119895




7 Security Analysis















HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











agg119872G1198941198962 = agg119872G119894

1198962 119872G119894-1198951 (5)



MACG1198941198962 = 1198912 (GKG119894 agg119872G119894

1198962 aggMACG1198941198962) (6)


1198962 aggMACG1198941198962 MACG119894





1198962 aggMACG1198941198962 MACG119894





agg119872G119894-1198951198962 = remove (agg119872G119894-119895

1198962 aggMACG1198941198962)

agg119872G119894 = agg119872G119894 agg119872G1198941198962

(8)







TGKG119894 = 1198911 (GKG119894 119877HSS SN ID) (9)
















RESG119894-119895 = 1198916 (119870G119894-119895 119877HSS) (12)







GIDG119894



IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899


119870ASMEG119894-119895




7 Security Analysis















HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












GIDG119894



IMSIG119894-119899 119870ASME

G119894-119899 XRESG119894-119899


119870ASMEG119894-119895




7 Security Analysis















HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












HeNB-GWeNB

MME


MTCDG1-1

MTCDG1-2

MTCDG1-3

MTCDG1-4

MTCDG1-5

MTCDG1-6

MG1-11MACG1-1

1

MG1-21MACG1-2

1

MG1-31 MACG1-3

1

MG1-4 1

MACG1-4 1

MG1-51MACG1-5

1

MG1-61 MACG1-6

1


22


aggMG1

12 aggMACG1

12MACG1 12

aggMG122 aggMAC G1

22 MAC G122


1)

aggMG1 aggMACG1


22






12)MACG112 =







(i) Generate TGKGi


RESGi-j

aggRESGi

Verify aggRESGi



AUTHHSS


AUTHHSS GKIAUTHHSS


Generate KASMEGi-j





end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











end goal














Pr (11986411989410158401198951015840 = 1) le Pr (Succ (119865 1198912) = 1) (16)


where 119901 = 119874(119905) and 119899 = 119874(119899119894)




Pr (1198641015840119894119895 = 1) le Advmac1198912 (119901 119899) (18)



SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











SAFEDETAILS



as specifiedBACKEND













Pr (119864119894119895 = 1) le Advmac1198912 (119901 119899) (19)








initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













initState=3












1198912 (119901 119899)) (21)






















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



















Thus





1003816100381610038161003816Pr (119863 (119879119860) = 1 | 1198641 and 1198642)


le 119899MTCDAdvprf119867 (119901 119899)

(24)

Therefore


= 1)1003816100381610038161003816 =10038161003816100381610038161003816(Pr (119863 (119879119860) | 1198641 and 1198642)


+ (Pr (119863 (119879119860) | 1198641 or 1198642)


= 1 | 1198641 and 1198642)1003816100381610038161003816 + Pr (1198642) + Pr (1198641)


(25)

Again

Pr (1198642) = Pr (1198642 | 1198641)Pr (1198641)

+ Pr (1198642 | 1198641)Pr (1198641)

le Pr (1198642 | 1198642) + Pr (1198641)

(26)

Hence

Advdist119879119860119879119860lowast (119863)


(27)

















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation
















Pr 119883 = 119894 =( 119899minus119899119888119899119887minus119894 ) (

119899119888119894 )

( 119899119899119887 )119894 = 0 1 2 100 (28)






0255075


mes

sage

sM

TCD

Num

ber o

f sig

nalin

g Signaling cost








010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










010000200003000040000

25 50 75 100

(bits

)M

TCD

Com

mun

icat

ion


Number of groups









9 Conclusion


0100200300400

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



0204060

25 50 75 100


(ms)

MTC

DC

ompu

tatio

n co

st

Number of groups



Appendix

















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation






















At MTCD




At network












































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation















































mac119865 (119860) (B4)


119865 (119860) isnegligible in 119896

B4 Definitions





Notations












elementMACG119894










MME



generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











generating function

Competing Interests


References







































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation
















RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Hierarchical Group Based Mutual Authentication and Key...

Documents

Transcript of Hierarchical Group Based Mutual Authentication and Key...