A Survey on Key Management of Identity-Based Schemes in Mobile Ad Hoc Networks

Journal of Communications Vol. 8, No. 11, November 2013

A Survey on Key Management of Identity-based Schemes in Mobile Ad Hoc Networks

Kuo Zhao, Longhe Huang, Hongtu Li, Fangming Wu, Jianfeng Chu, and Liang Hu Jilin University, Chang Chun 130012, China Email: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Abstract—In mobile ad hoc networks (MANETs), the research scarce resources, and selfish nodes can drop data packets on key management of identity-based scheme is attracting more of other nodes. and more attention. In this paper, we study on four types of Cryptographic schemes with key management are identity-based schemes which resist key escrow problem at employed to provide a general design framework for different degrees, and introduce several schemes for each type. Then, we give an overview of the characteristics of their key secure MANETs. Traditional cryptographic systems can management, and made a summary of key generation and be divided into symmetric and asymmetric ones, distribution. Subsequently, to build a more secure identity-based depending on the way they use keys [4]. In symmetric scheme for MANET, we recommend some techniques to schemes, the secret keys must be shared either by a improve security and availability of its key management. secure pre-established channel or before network Finally, we point out some problems of identity-based schemes formation. If an attacker compromises the symmetric key in MANETs, which are not addressed and we will explore in the  of a group of users, then all encrypted messages for that future. group will be exposed. Therefore, traditional symmetric Index Terms—MANETs, identity-based cryptography, key schemes are difficult to apply in MANETs. [5] The key management management schemes of traditional asymmetric schemes are usually based on Public Key Infrastructure (PKI). The success of certificate-based PKI depends on the I. INTRODUCTION availability and security of a Certificate Authority (CA), A mobile ad hoc network (MANET) is a cooperative a central control point that everyone trusts. In a MANET, wireless network of mobile hosts (which we call nodes or nodes have non-negligible probability to be compromised users) that can communicate with each other without any for the resource limitations of wireless devices and centralized administration or preexisting infrastructure [1], relatively poor physical protection. Once CA is [2]. The nodes of network operate both as communication compromised, the security of the network would be end points as well as routers, enabling multi-hop wireless subverted. Another obstacle of using PKI’s in MANETs communication. Because of the rapidity, self-organizing, is the heavy overhead of transmission and storage of self-configuring and low cost for forming network, Public Key Certificates (PKCs). [6] MANETs have attracted a lot of attention from both the As a powerful alternative to certificate-based PKI, research and industry communities, which are extensively identity-based cryptography (IBC) [7], [8] allows public employed in military, vehicle networks, disaster relief keys to be derived from entities’ known identity and emergency, where geographical or terrestrial information, thus there is no requirement of CA and constraints demand totally distributed networks. PKCs. Recent decade, IBC has attracted more and more However, due to the wireless, bandwidth-limited, attention from researcher, and a number of identity-based resource-constrained, and dynamic nature, MANETs are schemes [9]-[12] have been proposed. The advantages of more vulnerable to security attacks [3] than their wired identity-based key management: reducing the cost of counterparts. Wireless communication, for example, is storage, computation and communication, make IBC open to interference and interception, and malicious more suitable for bandwidth-limited and resource- nodes might create, alter, or replay routing information to constrained MANETs. interrupt network operation. Moreover, malicious nodes An identity-based scheme needs a Private Key may inject bogus data into the network to consume its Generator (PKG) to identify the user’s ID and compute private key, which results single point of failure. Furthermore, there exits key escrow problem (inherent in Manuscript received June 15, 2013; revised October 24, 2013. identity-based cryptosystems), since PKG knows the This work was supported in part by the National High Technology Research and Development Program of China (Grant No. private keys of all nodes. Similar to the CA in PKI, once 2011AA010101), and the National Natural Science Foundation of China PKG is not credible, system won’t be able to ensure (Grant No. 61103197). communication non-repudiation if the compromised PKG Corresponding author email: [email protected]. doi:10.12720/jcm.8.11.768-779 pretends to be user to send messages. In order to

eliminate or reduce the risks of key escrow problem, master private key SK and public key PK. several revised types of identity-based schemes have been  Extract: takes system parameters, master private key, made using multiple authority approaches. But and an identity as input, and returns a secret private meanwhile, they also cause some other new problems. key sk corresponding to the identity. For example, traditional threshold identity-based schemes  Encrypt: takes the master public key, the public key [13] weaken the key escrow problem by distributing the of the receiver node (derived from its identity), and PKG’s service to multiple nodes, but they need to have a the message as input, and returns the corresponding trust authority (TA) and provide the secure distribution of ciphertext. secret shares.  Decrypt: takes the master public key, a ciphertext In this survey, we study on four types of identity-based and the personal private key as input, and returns the key management schemes which resist key escrow decrypted message. problem at different degrees in MANETs: traditional PK threshold identity-based schemes, Secrete Shares as PKG Private Keys (SSPK) identity-based schemes, Upon receiving ID certificateless schemes, and hierarchical identity-based receiver schemes. Then, we discuss the approaches, strengths, and pkreceiver skreceiver weaknesses of key management of these schemes, and provide a comparison between their main features. The remainder of this paper is organized as follows: Ciphertext Message Encrypt Decrypt Message Section II presents an overview of some background knowledge. Next, we describe the multiple identity-based Sender Receiver key management schemes in section III, and then we present a comprehensive picture and discuss their Figure 1. Identity-based encryption strengths and weaknesses in following section. The final section draws our conclusion. In an IBS scheme, the singer first obtains a signing private key associated with its own identity from the II. PRELIMINARIES PKG. It then signs a message using the private key, and In this section, we start from reviewing the brief the verifier verifies the signature using the signer’s public history and basic concepts of IBC, and subsequently key. An IBS scheme can also be described using four introduce an identity-based encryption (IBE) scheme and randomized algorithms [14], [15]: Setup, Extract, Signing, an identity-based signature (IBS) scheme based on the and Verification. The former two steps are same to Setup bilinear pairing, a computational primitive widely used to and Extract of an IBE scheme. (Fig. 2 illustrates a build up various identity-based cryptographic schemes in schematic outline of an IBS scheme.) the current literature. Then we will present the basic idea  Signing: uses own private key to create a signature of threshold cryptography, and describe one classical (t, n) on the message. threshold cryptography.  Verification: takes the master public key, the signature, the message and the public key of sender A. Identity-Based Cryptography as input, checks whether the signature is a genuine As mentioned earlier, in the IBC, the public key/secret signature on the message. If it is, returns “Accept”. key pair is generated by a PKG service, and the public Otherwise, returns “Reject”. key based on the own identity is assumed to be known by PK everyone. The idea of IBC was first proposed by Shamir PKG [8] in 1984. Over years, a number of researchers tried to propose secure and efficient identity based encryption Upon receiving IDsigner algorithms, but with little success. Boneh and Franklin [7] presented first fully functional, efficient and provably sksigner pksigner secure IBE scheme in 2001. At the same year, Boneh, Lynn and Shacham [14] proposed a basic IBS scheme Message||Signature Accept using pairing. Message Signing Verification Or In an IBE scheme, the sender can use the receiver’s Reject identity of public key to encrypt message, and the Signer Verifier receiver can decrypt the ciphertext by his own private key Figure 2. Identity-based signature obtained from the PKG according to his identity. The functions that compose a generic IBE are specified by the Currently, most of IBC schemes for MANETs are following four randomized algorithms [13], [15]. (Fig. 1 based on the bilinear pairing technique and assumptions illustrates a schematic outline of an IBE scheme.) of hard problems in elliptic curves. Let G1 and G2 denote  Setup: takes a security parameter and returns system two groups of the same large prime q, where G1 is an

additive group that consists of points on elliptic curve and III. IDENTITY-BASED KEY MANAGEMENT SCHEMES G is a multiplicative group on a finite field. A bilinear 2 To tackle the inherent key escrow problem of IBC, pairing is a computable bilinear map between two groups. several proposals have been made using multiple Two pairings have been studied for cryptographic use. approaches. Many identity-based schemes for MANETs The admissible bilinear map, denoted by combine Shamir’s threshold scheme to distribute the e: G G G , has the following properties. 1 2 2 PKG service to an aggregation of nodes (PKGs), then no e(,)(,) aP bQ e P Q ab single node knows the private keys of all nodes, thus the  Bilinear:  , where PQG,  1 key escrow problem of PKG is weakened. Actually, and a, b Z  q Shamir’s threshold cryptography is suggested earlier then

 Non-degenerate: there exit PQG,  1 , such that IBC to secure ad hoc networks by Zhou et al. [19] in e( P , Q ) 1 1999. Khalili et al. [13] suggest a mechanism that  Computable: there is an efficient algorithm to combines efficient techniques from identity-based and threshold cryptography to provide a mechanism that compute e(,) P Q for all PQG,  1 enables flexible and efficient key distribution while The most frequently used assumptions are CDHP respecting the constraints of ad-hoc networks. In their assumption and BDHP assumption, which means there is no polynomial time algorithm to solve CDH problem or system, IBC primarily provides efficiency gains, and BDH problem with non-negligible probability. threshold cryptography provides resilience and robustness.  Computational Diffie-Hellman (CDH) problem: for However, Shamir’s threshold secret sharing scheme a, b Z  , given P,, aP bP G , compute q 1 has two major weaknesses. First, the scheme needs a TA abP G .  1 to distribute a secret to users. Second, the scheme does  Bilinear Diffie-Hellman (BDH) problem: for not detect the distributed erroneous shares and the false  shares provided by some compromised users. Deng et al. a,, b c Zq , given P,,, aP bP cP G1 , compute [20], [21] proposed a secret sharing scheme without TA, e(,) P Pabc  G . 2 instead, users choose the secret and distribute it among B. Threshold Cryptography themselves, based on the work [22]. To testify the In (t, n) threshold cryptography [16], [17], a correctness of the shares, a SSPK identity-based scheme cryptographic action divides a secret to n shareholders. [23] using Verifiable Secret Sharing (VSS) [24] was Any t or more shareholders can combine their shares to proposed. What’s more, in the threshold secret sharing deduce the secret. But any combination of t-1 shares does phase of [23], nodes use secret VSS shares as private not yield any significant information about the secret. So, keys, which is different from traditional threshold in such a way, the cryptographic action can be performed identity-based schemes, and that’s why we put it as a if and only if at least a certain number of parties separate type. Still, given enough time an adversary could collaborating. By this principle, in identity-based and corrupt enough serve users (t PKGs) and obtain their threshold distributed key management scheme, the shares to reconstruct the secret. To defend against such PKG’s service is distributed to multiple parties [13]. mobile attacks [25], a proactive secret sharing scheme [26] More details, the master private key SK is shared by n using shares refreshing to compute new shares and nodes in a (t, n) threshold fashion. Each of them holds a remove the old shares was proposed. unique secret share of the master private key SK, and no Although above threshold identity-based schemes can one is able to reconstruct the master private key based on weaken the key escrow problem at server level. There its own information. Any t or more nodes among them still remain risks of t PKGs being compromised. Hence, can reconstruct the mater private key jointly, whereas it is the key escrow problem is not completely addressed. Al- infeasible for at most t-1 nodes to do so, even by Riyam and Paterson [27] first proposed a certificateless collusion. public key cryptography (CL-PKC) that combines the One classical (t, n) threshold cryptography [18] was advantages of IBC and PKI and overcomes the key proposed by Shamir in 1979, which is based on escrow limitation of IBC. We will study on some polynomial interpolation. To distribute a secret s among n certificateless schemes for MANETs [28], [29], [30] users, a trust authority chooses a large prime q and because certificateless-based schemes enjoy a number of randomly selects a random t-1 degree polynomial f(x), features of IBC, though they are not purely identity-based. with f(0)=SK. The trust authority computes each user’s Besides multiple identity-based schemes for flat share using Si  f( i )mod q and securely sends the share MANETs, there are also some hierarchical identity-based schemes [31], [32], [33] for hierarchical MANETs. Si to user i. Then any t or more shareholders can reconstruct the secret using the Lagrange interpolation Considering the spatial concurrency constraints on nearby k k j nodes sharing the same channel and the organization of by S S lmod q , where l  is the i 1 ii i  the network may already be hierarchical in nature, so a j1, j i ji hierarchical key management structure could serve well Lagrange coefficient.

for applications of lager scale or of hierarchy. The good relatively straightforward manner. All subsequent news is that hierarchical identity-based schemes also communications in their scheme are encrypted and allow key escrow free at server levels. decrypted using the master public key and the ID of the In the following part, we will describe above identity- recipient. based key management schemes more detailedly. In the Khalili et al. scheme, however, technical details of key generation are not given. Lots of identity-based A. Traditional Threshold Identity-Based Schemes schemes [34]-[36] in MANET are proposed based on the In traditional threshold identity-based schemes, the idea of their scheme. Among them, Deng et al. [20], [21] parameters of the cryptosystem, like master make a detailed implementation of [13] idea and propose public/private key pair, will be, generally speaking, a distributed key generation (distribution) and established by an online/offline TA or by other way authentication approach by deploying the concepts of before network deployment. The master public key PK is IBC and threshold secret sharing. In these schemes, key known to all nodes in the network, whereas the secret generation provides the network master key pair and the private key SK is divided into n shares S1, S2, ..., Sn, one public/private key pair of each node in a distribute way. share for each server node in a t-out-of-n threshold Key generation consists of three components: master key manner. Each of server nodes holds a unique secret share generation, distributed private key generation, new of the master private key SK, and no one is able to master key share creation for new joining nodes. reconstruct the master private key based on its own Master key generation: The master key pair is information. These multiple server nodes act as the computed collaboratively by the initial network nodes threshold PKGs of an ID-based scheme, and any t server without constructing the master private key at any single nodes can work together to issue personal secret private node. This scheme is an extension to Shamir’s secret keys to nodes (including themselves) in MANETs based sharing without the support of a TA. Each node i on their identities and key issuance policy, whereas it is randomly chooses a secret xi and a polynomial infeasible for at most t-1 nodes to do so, even by f( x ) x  a x21  ...  a xt  mod q of degree collusion. i i i,1 i , t  1 xf(0) Instead of assuming that prior keying material or t-1, such that ii , and the master private key trust/security associations (TA) exist, Khalili et al. nn SK x (0) . Node i computes his establish these at the time of network formation. In more ii11i f i detail, they propose that (at the time of network formation) sub-share ssij for node j as ssij f i() j , j=1,2…n and the participating nodes generate a master public key PK sends ssij securely to node j. After receiving n-1 sub- in a distributed fashion. The master secret key SK will be shares, node j computes its share of master private key as shared in a t-out-of-n threshold manner by this initial set nn S ss f() j and acts as a PKG node. Any of n nodes called PKGs. jii11 ij i At the time of network formation, the initial nodes coalition of t shareholders can jointly recover the secret kn decide on a mutually acceptable set of security as S lmod q x SK , where parameters, including a threshold t of key service nodes, ii11i i i the number (n) and identity of key service nodes, k j li   is the Lagrange coefficient. After the particular parameters of underlying schemes (e.g. key j1, j i ji lengths), and a policy for key issuance. This initial set of master private key is shared, each shareholder nodes will generate the master public/private keys in a publishes SP , then the master public key distributed manner such that fewer than t nodes cannot i n recover the master secret key. The master public key is PK S P . i 1 i given to all members of the network when they join. Usually, an identity can be something present in Private Key Generation: The requesting node i presents transmitted messages, like the network layer (or MAC) its public key pki and self-generated temporary public key address, and all nodes in the network can use their pki-temp when it joins the network and sends private key identities as their personal public keys. When a new node generation request. Each of the t PKGs sends encrypted join the network, it presents its identity or public key and share S j  pki to the requesting node using pki-temp. By any extra material specified by the key issuance policy to collecting the t shares of its new private key, the t or more PKGs providing the PKG service, then it will requesting node would compute its new private receives a share of their personal private key from each of t key sk  S  pk . After the requesting node gets them. The new joining node can then compute its i  j1 j i personal private key using the t shares. its new private key, it discards its temporary They recommend Boneh-Franklin scheme [7] as IBE public/private key pair, and keeps the new key pair in its scheme and Cha and Cheon [10] scheme as IBS scheme. memory for the later authentication and communication. These two schemes use similar elliptic-curve groups, and Master key share creation for new joining nodes: hence can be combined for greater efficiency in a Every new joining node will be the PKG service node, in

other word, these schemes fully distribute the private key SK is shared by the n server nodes using an (t, functionality of PKG to the entire nodes of the network. n) threshold sharing scheme. In addition, the offline TA After private key generation process, the requesting node publishes a piece of verification information consisting of i obtains its new private key. To initialize the share of SPi for each server node i to check malicious PKG master key for the requesting node, each PKG node j server nodes as we will show later. The offline TA will generates the partial shares ss ji  S j l j (i) for node i, leave the network after key generation succeeds. where lj(i) is the Lagrange term. It encrypts the partial The lifetime of the network is divided up in time share using the temporary public key of requesting node periods, where each time period consists of two phases, and sends it to node i. Node i obtains its new share by the operational phase and the share update phase. During t the operational phase, all nodes including server nodes adding the partial shares as S ss . After ij 1 j, i renew their private keys. During the share update phase, obtaining the share of master private key, the new joining all server nodes compute new shares from old ones in node becomes a PKG service node and is available to collaboration. At the j-th time interval, node A uses provide PKG service to other new joining nodes. (IDA||j) as its public key, where “||” represents In these schemes, the public key of node i is computed concatenation of strings. as pkii H( ID || Expire _ time ) or Update of a node’s private key: All server nodes form and maintain a few multicast groups according to location, pkii H( ID || MAC || Expire _ time ) . When the public and each group has more than t server nodes. Node A key is expired, the node needs to obtain its new public key and update corresponding private key. The generated floods its RREQ (Routing REQuset) to find a route to the private keys are used for authentication, providing end- online PKG server nodes group. When it receives RREPs to-end authentication and confidentiality between the (Routing REPly) from server nodes, it selects a server communicating nodes. If the authentication process node, say u, which has the shortest path to itself as its key succeeds, the two communicating nodes calculate a proxy. The routing information to the node u is stored. symmetric session key, which can be used for future data Before time interval j expires, it sends its PREQ to u and encryption/decryption. Ref. [20], [21] refer three u multicasts the PREQ to all server nodes in the same authentication method: a sign-and-encryption procedure, group. Each server node i having received the request in which digital signature [7] is used for the computes a subshare of private key S ipk A for the node A authentication of messages and encryption [37] is used using its share of system secret key Si, then it sends a for the confidentiality of messages; By modifying the PREP message containing the subshare to the key proxy identity-based cryptosystem slightly, the communicating u. Node u waits for some time and checks whether it has nodes can generate a shared secret (session key) on both received t or more subshares from different server nodes. sides without additional key exchange [38]; The If it is true u will return to node A all these subshares in a lightweight authentication and encryption is implemented single PREP packet. Then node A can compute a new by applying the concepts of identity-based signcryption valid private key using Lagrange interpolation as we can [8] and one-way hash chain [39]. see before. Otherwise, node u will multicast the same Instead of encrypting subshares of private key using PREQ again until the number of partial private keys temporary public key, Li et al. [26] suggest a received is larger than t. It is possible that a malicious signcryption scheme [40] to secure the subshares’ server node i may return a false partial private key transmission. Moreover, they use modified multicast generated without using its share. To check the validity of protocol and key proxy technology to reduce traffic and partial key it receives from i, node A needs to check increase safety of key management when nodes update whether the equation e( pk , S P)  e(S  pk , P) holds. their private keys or PKG server nodes refresh their A i i A shares of master private key. They detail three Shares refreshing of server nodes: Each server nodes i components of key management: (master) key generation, randomly generates its sub-shares (SSSS , , ,... ) update of a node’s private key, and share refreshing of tuple i1 i 2 i 3 it . Node i signcrypts every server nodes. subshare Si,k, i≠k, with its own private key and the public Key Generation: At the initial time of the network, an key of server node k. The ciphertext is denoted as ck. offline TA generates system secret key SK and public key Shares refreshing information of server node i consists of PK. Every initial node must contact TA and register its (c ,... c ,0, c ,... c ) a vector 1i 1 i 1 n , and the shares identity before entering the network. After TA refreshing information is sent using multicast. Every authenticates identity of the node, it actes as PKG and server node j in the same group can receive refreshing generates private key of the node using system secret key information from node i, and can only decrypt ciphertext and the node’s identity. Then the private key of the node c to recover S and learn nothing about other subshare S , and the system public key are given to the node securely. j ij ik i≠k. After node j gets the sub-shares (SSSS , , ,... ) TA chooses n nodes as online PKG server nodes (PKGs) 1j 2 j 3 j tj according to abilities of the nodes. Then the master from other server nodes in the same group, it can

compute the new share from the old share and its own Now, any user can send encrypted messages to user i t share as SSS . using its public key pki ,and user i can decrypt using its j new ji 1 ij secret key ski as ElGamal encryption [41]. Similarly, user They point out there are two methods for i can use ski to sign messages, which can be publicly communicating nodes to create a secret session key: key verified using pki using Schnorr signature scheme [42]. agreement using IBS by two parts, and session key Moreover, any two users i and user j can establish generated by one part. pairwise keys in a non-interactive version of the Diffie- This scheme relies on an offline TA to form a trust Hellman pairwise key establishment protocol: user i anchor, which improves security level of the network. sk computes k pki mod p , and user j computes The multicast group of PKGs is fundamental in the ij j skj scheme, but a critical question remaining open in this kji pk i mod p . Since kij = kji, a hash of kij can be work is how the multicast group is formed. used as a session key for secure communication between Schemes [13], [20], [21] conduct a distributed PKG user i and user j. and weaken the key escrow problem of PKG up to the In a VSS identity-based scheme, a trusted dealer threshold t, which means an adversary should corrupt at provides each user with a secret value as the private key least t PKG service nodes in the worst case, if it wants to derived from the unique identifier of the user, and obtain the private keys of all nodes. Here, we denote the publishes the VSS information as its public key. degree of resistance to key escrow (DRKE) of [13], [20], Knowing the identifier of a particular user and also the [21] is t. In [26], due to the new shares being independent public key of the trusted center, one can send encrypted of the old ones, the adversary cannot combine old shares messages and verify signatures. This is equivalent to IBE with new shares to recover the secret. Thus, secret of [7] and IBS of [10], apart from the fact that our scheme refreshing mechanism reduces the risk of mobile attacks becomes insecure if there is more than a threshold of and weakens the key escrow problem at higher level than collusions or corruptions. What’s more, unlike other [20], [21]. But the DRKE of [26] is also t. identity-based schemes, the proposed usage of shares as B. SSPK Identity-Based Schemes private keys is under standard discrete logarithm based Saxena [23] proposes a scheme of public key assumptions, and that is much more efficient than these cryptography for MANETs analogous to IBC above. prior IBC schemes requiring costly computations (such as They use a Verifiable Secret Sharing (VSS) [24] as a key scalar point multiplications, map-to-point operations and distribution scheme, and the major difference from bilinear mappings [7]) in elliptic-curves. But the dealer traditional threshold identity-based schemes, as we who holds the secret sharing polynomial can compute the mentioned before, is that they use the secret shares as the private key of all nodes, so the key escrow problem is not private keys. In the proposed scheme the private keys are addressed or weakened. related (they are points on a polynomial of degree t-1) C. Certificateless Schemes and each public key can be computed from the public CL-PKC enjoys a number of features of IBC while VSS information and the node identifier. The usage of without having the problem of key escrow. LV et al. [28], shares as private keys can also be viewed as a threshold- [29] present a virtual private key generator (VPKG)- tolerant identity-based cryptosystem under standard based escrow-free certificateless public key cryptosystem discrete logarithm based assumptions. for MANETs as a novel combination of certificateless They use Feldman’s VSS based Shamir’s threshold and threshold cryptography. In their schemes, VPKGs cryptography to share the master secret private key. A collaboratively calculate the partial private key and send dealer chooses a secret sharing polynomial it to the node via public channel. The private key ski of f( x ) a a x21 ... a xt  0  1   t  1 in Zq, where a0 node i is generated jointly by the VPKG and the node is the system secret key SK. The dealer also publishes itself. Each of them has “half” of the secret information commitments to the coefficients of the polynomial, as about ski. a In the initialization phase, an offline trust authority w gi mod p , for i=0,···,t-1. These witnesses i (TA) create some system parameters, and picks a secret constitute the public key of the system. To join the key SK and a secret polynomial network, a user i with a unique identifier (such as an f( x ) a a x21 ... a xt  0  1   t  1 , where email address) IDi , receives from the dealer a secret share a SK f(0). Then TA distributes the secret shares (treated as private key ski) ski S i f( ID i )mod q over 0 sk i Si  f() i , i=1,...,n, to the n virtual PKG nodes in an a secure channel. The public key pki  gmod p of node i can be computed by other user using the public offline way. Then PK  SK  P is the public key of the key of the network and its identifier IDi as system. After network initialized, TA leaves the network, t 1 and the distributed VPKGs will be in charge of ID j pk( w )i mod p ij  . calculating private keys for nodes. j 0

A mobile node i picks a secret si for itself and selects a In certificateless schemes, the private key of the user is nearby server node, say u as its combiner (similar to key generated collaboratively by the user and the VPKGs that proxy). Then, node u finds other t-1 server nodes and calculates one part of a user’s private key and sends it to sends IDi (and public key pki) to them. When the the user via public channel. Each has half of the private combiner u receives all shares from the other t-1 server information about the private key of the user. Thus there nodes via public channels, it can compute the partial is no private key secure distribution problem. In addition, private key and then sends the partial private key to the the user’s partial private key is known only to the user requesting node i. itself, therefore there is no key escrow problem. In [28], the public key of node i is D. Hierarchical Identity-Based Schemes pk ( H ( PK , ID ), H ( ID )) . Node i computes i11 i i Usually, a MANET is assumed to be homogeneous or

ski  SK  H1(PK, IDi )  si  H1(IDi ) as its real private flat, where all nodes have the same communication capabilities. A recent theory study in [43] presents the key, the first part SK  H1(PK, IDi ) is obtained from the throughput bounds of homogeneous MANETs. The VPKGs by the public channel. The second part limitation is fundamentally due to the spatial concurrency s  H (ID ) is known only to the node itself. In [29], the i 1 i constraints on nearby nodes sharing the same channel. public key of node i pki (,) s i P s i PK . Node i computes These results strongly suggest that we should consider a hierarchical structure to solve the MANETs problem [44]. ski  si  SK  H1(IDi , pki ) as its real private key and Recently, hierarchical ad hoc networks have been B e(,) sk P for verifying the authenticity of the ii presented as an alternative topology to homogeneous ad public key pki. Those two schemes respectively introduce hoc topologies. Initial measurements indicate that the how the above key pairs are used to perform hierarchical approach has better performance than encryption/decryption using the Boneh-Franklin homogeneous ad hoc network [45]. In addition, a scheme[7]. hierarchical key management scheme could serve well for LV et al. bind the public key of node i with its identity some special applications, e.g. military where the and its partial private key respectively, which raises their organization of the network may already be hierarchical schemes to the same trust level as is enjoyed in a in nature. In hierarchical key management, an upper level traditional PKI. Furthermore, with this binding, it does TA/PKG needs only distribute keys to the layer below it, not need to keep the partial private keys secret, and the and the distribution process continues until all the end- VPKG can send them back to the users via public nodes get their secret keys from the layer above them. channels. This hierarchy of PKG nodes greatly reduces the Li et al. [30] also present a novel distributed key workload on master servers and allows key escrow free at management scheme, a combination of certificateless server levels [27]. public key cryptography and threshold cryptography. The first hierarchical identity-based encryption was They point that each public/private key pair is both node- proposed in [46]. The scheme is only two levels where a specific and phase-specific and node A’s key pair valid pairing-based scheme is placed at the top level and a only during phase pi is denoted by pk, sk . polynomial-based scheme is at the second level. Their A,, pii A p encryption functionality can support key agreement, but it Each of pkAp, and skAp, is comprised of a node-specific i i requires user interaction. Gennaro et al. [31] reverses the element and a phase-specific element common to all order, using the polynomial scheme for all the top levels nodes. and the pairing-based scheme only for the leaves to The network initialization and key generation is similar supports the non-interactive property. to LV et al.’s schemes. But the public key of node A Gennaro et al. propose that an authenticated key during phase pi is agreement protocol for MANETs should have the four pk  ( pk , pk )  ((s  SK  P, s P), H (salt )) and functional properties: non-interactive to save on A, pi A pi A A 1 i bandwidth, identity-based to save on coordination and the corresponding private key is support ad-hoc communication, hierarchical to allow for sk  (sk , sk )  (s  SK  H (ID ), s  SK  H (salt )) , A, pi A pi A 1 A A 1 i flexible provisioning of nodes, and be fully resilient where sA is A’s partial secret, salti is a unique binary against compromise of any number of leaf nodes and string as phase pi’s salt. pkpp, sk varies across resilient against compromise of a “threshold” of nodes in ii the upper levels. pk, sk key-update phases, while AA remains Their goal is to build a hierarchical identity-based key unchanged during network lifetime and should be kept agreement scheme that has all the above functional confidential to A itself. properties and is secure in a strong sense. Their scheme is They also employ key revocation and key update in the a combination of linear hierarchical schemes with the scheme and describe a key agreement to compute a non-interactive identity-based key-agreement scheme. It shared session key. describes two special linear hierarchical schemes:

multivariate polynomials [47] scheme and subset-based (ID ,..., ID ) parent C with the identity tuple 11k  can key pre-distribution [48] scheme. In their scheme, each compute the private key sk using his own private key leaf can compute the shared key between other peer leaf A sk  (SK  P ,..., SK  P , SK ,..., SK ) . node from its own secret key, its peer’s identity, and C 1 1 k 1 k 1 k L potentially some other public information. Key agreement: Suppose node A and node B with the '' They discuss three trade-offs that one can make when identity (ID1 ,..., IDn )(n

Pii H1() ID (i=1,…,k), and send it to A via an generate a partial private key to its predecessor of next authenticates and private channel. Indeed, node A’s level (level k) with identity tuple (ID1 ,..., IDk ). PKGs

computes Pkk H11( ID ,..., ID ) and introduced above. And the capabilities of keys (the sk  sk  SK  P master key pair and private key) generation and k(ci ) k 1(ci ) k 1(ci ) k . The PKGs securely transfer distribution are summarized in Table II. sk to the entity that asked for a private key. By k(ci) As we can see in Table I, IBC for MANETs is often fetching the threshold t number of sk , the entity can k-1 k(ci) combined with threshold cryptography to eliminate recover its private key sk . k single-point of failure and resists compromise or insider It also discusses the cryptographic mechanisms attack by distributing the PKG service to multiple nodes. provided by Halo including the identity-based encryption Furthermore, with the (t, n) threshold cryptography, (HIBE), signature (HIBS) and signcryption (HIBES) honest parties need only contact any t nodes for purpose operations. of obtaining their own key, thus making the protocol In [32], any node (except leaf node) can obtain the resilient to temporary loss of connectivity with other private keys of its children nodes and the root keeps the nodes in the network. Secure key generation and master secret keys, so the key escrow isn’t weakened. In distribution are not trivial and required in key scheme of [33] and polynomial scheme of [31], the PKG management. To improve safety of key generation and at each level (i) is distributed to a threshold (t ) of siblings, i distribution, many techniques, such as master key L 1 thus the DRKE is t . i 1 i generation in a distributed manner, key proxy, share refreshing, and VSS are proposed to combine with the IV. DISCUSSION AND COMMENTS traditional threshold identity-based mechanism, which is showed in Table II. Table I gives an overview of the characteristics of key management of identity-based schemes we mainly

TABLE I. SUMMARY OF IDENTITY-BASED KEY MANAGEMENT SCHEMES Schemes Focus on/ main features DRKE Key update Key agreement Weaknesses Details of key generation combine identity-based and threshold [13] t × × not given, need secure cryptography to secure key distribution channels, Mobile attacks [20],[21] detailed implementation of [13] t √ √ Mobile attacks share refreshing, multicast protocol and Require offline TA in the [26] t √ √ key proxy initial stage secret share act as private key, standard Single point of failure of [23] × × √ discrete logarithm assumptions online TA combination of IBC and the Require offline TA in initial [28],[29] √ × × certificateless cryptosystems stage Require offline TA in initial combine certificateless and threshold [30] √ √ √ stage, details of share cryptosystem transmission not given Not against the corruption linear hierarchical schemes and non- L 1 [31] t × √ of the nodes of higher interactive identity-based key-agreement i 1 i levels, mobile attacks Ancestors’ security matters, resist against any corrupted nodes in the [32] × × √ not efficient with a large entire hierarchy depth, mobile attacks hierarchical ID-based, VSS and L 1 [33] t × × Mobile attacks threshold cryptography i 1 i

TABLE II. SUMMARY OF KEYS GENERATION AND DISTEIBUTION

Master key pair Schemes TA PKG Share of private key transmission Share update generated by the initial nodes in a [13] No Fully distributed Secure channel No distributed manner the initial nodes in a [20],[21] No Fully distributed Encrypted by temporary public key No distributed manner Multicast group and key Signcryption and multicast, verification [26] offline TA Yes proxy, partially distributed of malicious PKG [23] online TA TA acts as PKG VSS validate the correctness No Key combiner, cover all [28],[29] offline TA over the network for high Public channel No level security [30] offline TA D-PKGs/D-KGCs Not mentioned No [31] the root the root A threshold of siblings Not mentioned No [32] the root the root Parent node acts as PKG An authenticated and private channel No the initial nodes in a Nodes from different level [33] No Not mentioned No distributed manner but same cohort

Threshold identity-based schemes weaken the key the initial nodes in a distributed manner, and there is escrow problem of PKG (up to the threshold t). In no need of TA to distribute secrets of master private certificateless schemes, the private key of node is key to nodes. To counter mobile attacks, we suggest comprised of two parts, and the PKG does not have secret refreshing mechanism in which secret shares access to the user’s own secret private key, so are updated in intervals and new shares cannot be certificateless schemes completely address key escrow. combined with old ones to recover the secret. To What’s more, even if adversaries have the entire network secure the share of private key transmission, we can lifetime to mount mobile attacks and they compromise or employ VSS to verify integrity of secret shares of disrupt enough PKGs, a threshold identity-based scheme threshold cryptography. using certificateless cryptography can prevent adversaries  Certificateless cryptography to eliminate key escrow: Certificateless cryptography completely addresses to derive the private keys of nodes from the compromised the key escrow problem and mobile attacks by PKGs. Thus, this scheme also resists against mobile having the user contribute to the private key attacks. generation. A MANET is usually assumed to be homogeneous,  Hierarchical for special MANETs: We can take the where each mobile node shares the same radio capacity. hierarchical cryptography into consideration if the However, a homogeneous ad hoc network often suffers organization of the network is hierarchical in nature from poor scalability. Ref. [50] observed that, when using or the network requires good scalability. the same amount of sensor nodes in a given coverage area for flat and hierarchical topologies, that the system V. CONCLUSIONS throughput capacity increases, while system delay decreases. Ref. [51] showed that a hierarchical key Several cryptographic mechanisms for secure management scheme is a very promising way to achieve MANETs can be found in the literature. Among them, good scalability. Meanwhile, the hierarchy of PKG identity-based cryptography, a special form of public key service nodes reduces normal nodes’ exposure to the cryptography, is more suitable for bandwidth-limited and compromised PKG nodes, thus hierarchical identity- resource-constrained MANETs, because it eliminates the based schemes weaken the key escrow problem. By the requirement for a certificate authority and public key way, there are some other techniques we don’t introduce certificates. In this survey paper, we have divided to eliminate or weaken key escrow of IBC, such as, identity-based key management schemes for MANETs certificate-based cryptosystem [52], reducing the trust of into four types: traditional threshold identity-based PKG [53]. schemes, SSPK identity-based schemes, certificateless There are two points that needs to be noted in identity- schemes, and hierarchical identity-based schemes. Then based schemes for MANETs. First, in threshold-based we have studied one or more typical schemes for each schemes, the threshold parameter t controls the trade-off type, and discussed their approaches, strengths, and between security and service availability. Choosing a weaknesses. Last, we have made a summary of their key value of 1 for t causes the least security while keeping management and keys generation and distribution, and highest service avail ability. On the other hand, selecting pointed out the trade-off problem of threshold parameter t a value of n for t results a maximum security but weak and 1-hop-trust problem. During the survey, we also service availability. Second, the new node can only suggest some techniques to improve the security of key contact its 1-hop neighbors, and if no enough nodes are in management of identity-based scheme for MANET. How proximity then it cannot obtain a key. Deng et al. suggest to combine those effective security techniques to secure that the node moves in order to find a sufficient number the key management is one of our future works. of PKGs. More seriously, nodes have to trust their 1-hop We have mentioned many properties of IBC that make away neighbors to route all information. It makes scheme it especially attractive for MANETs. However, there are more vulnerable to Sybil attacks [54], in which a single still some problems not completely addressed and node presents multiple identities to others. But this impedes application of IBC, e.g. identity disclosure, key problem can be addressed by periodically refreshing the revocation, high computations in elliptic-curve. We will master key, and introducing a trust management try to explore deeper in these research areas. technique [55] and an Intrusion Detection System. REFERENCES A. Techniques to Improve Identity-Based Scheme [1] H. L. Nguyen and U. T. Nguyen, “A study of different types of Key management is an important part of secure attacks in mobile ad hoc networks,” in Proc. 25th IEEE Canadian communication that is responsible for secure key Conference on Electrical and Computer Engineering, 2012, pp. 1- generation, key distribution and key maintenance. Here 6. are techniques in the literature to improve security and [2] A. L. S. Orozco, J. G. Matesanz, L. J. G. Villalba, J. D. M. Díaz, availability of key management of identity-based scheme and T.-H. Kim, “Security issues in mobile ad hoc networks” for MANETs. International Journal of Distributed Sensor Networks, vol. 2012, Dec 2012.  Improved threshold cryptography for key generation [3] P. M. Jawandhiya, M. M. Ghonge, M. S. Ali, and J. S. and distribution: The master key pair is generated by Deshpandee, “A survey of mobile ad hoc network attacks,”

International Journal of Engineering Science and Technology, vol. [25] S. Zhao and A. Aggarwal, “Against mobile attacks in mobile ad- 2, no. 9, pp. 4063-4071, 2010. hoc networks,” in Proc. International Conf. on Information [4] Handbook of Applied Cryptography, A. J. Menezes, P. C. Van Theory and Information Security, Beijing, 2010, pp. 499-502. Oorschot, S. A. Vanstone, CRC press, 2010. [26] G. Li and W. Han, A New Scheme for Key Management in Ad Hoc [5] S. Zhao, A. Aggarwal, R. Frost, and X. Bai, “A survey of Networks, Reunion Island, France: Springer-Verlag, 2005, pp. applications of identity-based cryptography in mobile ad-hoc 242-249. networks,” Communications Surveys & Tutorials, vol. 14, no. 2, [27] S. S. Al-Riyami and K. G. Paterson, Certificateless Public Key pp. 380-400, May 2012. Cryptography, Taipei, Taiwan: Springer-Verlag, 2003, pp. 452- [6] T. Bhatia and A. K. Verma, “Security issues in manet: A survey 473. on attacks and defense mechanisms,” International Journal [28] X. Lv, H. Li, and B. Wang, “Identity-based key distribution for Advanced Research in Computer Science and Software mobile ad hoc networks,” Frontiers of Computer Science in China, Engineering, vol. 3, no. 6, pp. 1382-1394, Jun 2013. vol. 5, no. 4, pp. 442-447, Dec 2011. [7] D. Boneh and M. Franklin, “Identity-based encryption from the [29] X. Lv, H. Li, and B. Wang, “Virtual private key generator based Weil pairing,” in Proc. Adv. Cryptology—CRYPTO, vol. 2139, escrow‐free certificateless public key cryptosystem for mobile ad New York, 2001, pp. 213-229. hoc networks,” Security and Communication Networks, vol. 6, no. [8] A. Shamir, “Identity-based cryptosystems and signature schemes,” 1, pp. 49-57, Jan 2013. in Proc. CRYPTO 84 on Adv. in Cryptology, New York, 1985, pp. [30] L. Li, Z. Wang, W. Liu, and Y. Wang, “A certificateless key 47-53. management scheme in mobile ad hoc networks,” in Proc. 7th [9] B. Waters, Efficient Identity-based Encryption Without Random International Conf. on Wireless Communications, Networking and Oracles, Aarhus, Denmark: Springer-Verlag, 2005, pp. 114-127. Mobile Computing, Wuhan, 2011, pp. 1-4. [10] J. C. Cha and J. H. Cheon, An identity-based Signature From Gap [31] R. Gennaro, S. Halevi, H. Krawczyk, T. Rabin, S. Reidt, and S. D. Diffie-Hellman Groups, FL, USA: Springer-Verlag, 2002, pp. 18- Wolthusen, Strongly-resilient and Non-interactive Hierarchical 30. Key-agreement in MANETs, Málaga, Spain: Springer Berlin [11] F. Hess, “Efficient identity based signature schemes based on Heidelberg, 2008, pp. 49-65. pairings,” in Proc. 9th Annual International Workshop on Selected [32] H. Guo, Y. Mu, Z. Li, and X. Zhang, “An efficient and non- Areas in Cryptography, Newfoundland, 2002, pp. 310-324. interactive hierarchical key agreement protocol,” Computers & [12] D. Boneh and X. Boyen, “Efficient selective-ID secure identity- Security, vol. 30, no. 1, pp. 28-34, Jan 2011. based encryption without random oracles,” in Proc. International [33] F. K. Tseng, J. K. Zao, Y. H. Liu, and F. P. Kuo, “Halo: A Conf. on the Theory and Applications of Cryptographic hierarchical identity-based public key infrastructure for peer-to- Techniques, Interlaken, 2004, pp. 223-238. peer opportunistic collaboration,” in Proc. 10th International Conf. [13] A. Khalili, J. Katz, and W. A. Arbaugh, “Toward secure key on Mobile Data Management: Systems, Services and Middleware, distribution in truly ad-hoc networks,” in Proc. Symp. on Taipei, 2009, pp. 672-679. Applications and the Internet Workshops, 2003, pp. 342-346. [34] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “AC-PKI: Anonymous [14] D. Boneh, B. Lynn, and H. Shacham, Short Signatures From the and certificateless public-key infrastructure for mobile ad hoc Weil Pairing, Gold Coast, Australia: Springer -Verlag, 2001, pp. networks,” in Proc. International Conf. on Communications, vol. 514-532. 5, 2005, pp. 3515-3519. [15] J. Baek, J. Newmarch, R. Safavi-Naini, and W. Susilo, “A survey [35] H. Sun, X. Zheng, and Z. Deng, “An identity-based and threshold of identity-based cryptography,” in Proc. 10th Annual Conf. for key management scheme for ad hoc networks,” in Proc. Australian Unix User’s Group, 2004, pp. 95-102. International Conf. on Networks Security, Wireless [16] Y. Desmedt and Y. Frankel, “Threshold cryptosystems,” in Proc. Communications and Trusted Computing, Wuhan, vol. 2, 2009, pp. Cryptology—CRYPTO’89, New York, 1990, pp. 307-315. 520-523. [17] Y. G. Desmedt, “Threshold cryptography,” European [36] Z. Ping, R. Hu, Y. Fang, and J. Yang, “A key management scheme Transactions on Telecommunications, vol. 5, no. 4, pp. 449-458, for ad hoc networks,” in Proc. 5th International Conf. on Wireless July/Aug 1994. Communications, Networking and Mobile Computing, Beijing, [18] A. Shamir, “How to share a secret,” Communications of the ACM, 2009, pp. 1-5. vol. 22, no. 11, pp. 612-613, Nov 1979. [37] K. G. Paterson, “ID-based signatures from pairings on elliptic [19] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE curves,” Electronics Letters, vol. 38, no. 18, pp. 1025-1026, Aug Network Magazine, vol. 13, no. 6, pp. 24-30, Nov/Dec 1999. 2002. [20] H. Deng, A. Mukherjee, and D. P. Agrawal, “Threshold and [38] B. Lynn, “Authenticated identity-based encryption,” IACR identity-based key management and authentication for wireless ad Cryptology ePrint Archive, Report 2002/072, July 2002. hoc networks,” in Proc. International Conf. on Information [39] R. Hauser, T. Przygienda, and G. Tsudik, “Reducing the cost of Technology: Coding and Computing, vol. 1, 2004, pp. 107-111. security in link-state routing,” in Proc. Symposium on Network [21] H. Deng and D. P. Agrawal, “TIDS: Threshold and identity-based and Distributed System Security, San Diego, 1997, pp. 93-99. security scheme for wireless ad hoc networks,” Ad Hoc Networks, [40] X. Boyen, Multipurpose Identity-based Signcryption, California, vol. 2, no. 3, pp. 291-307, July 2004. USA: Springer-Verlag, 2003, pp. 383-399. [22] T. P. Pedersen, “A threshold cryptosystem without a trusted [41] T. ElGamal, “A public key cryptosystem and a signature scheme party,” in Proc. Cryptology—EUROCRYPT, Brighton, 1991, pp. based on discrete logarithms,” in Proc. CRYPTO 84 on Advances 522-526. in Cryptology, 1985, pp. 10-18. [23] N. Saxena, “Public key cryptography sans certificates in ad hoc [42] C. P. Schnorr, “Efficient signature generation by smart cards,” networks,” in Proc. 4th International Conf. on Applied Journal of cryptology, vol. 4, no. 3, pp. 161-174, Jan 1991. Cryptography and Network Security, Singapore, 2006, pp. 375- [43] P. Gupta and P. R. Kumar, “The capacity of wireless networks,” 389. IEEE Transactions on Information Theory, vol. 46, no. 2, pp. 388- [24] P. Feldman, “A practical scheme for non-interactive verifiable 404, Mar 2000. secret sharing,’ in Proc. 28th Annual IEEE Symposium on [44] D. L. Gu, G. Pei, H. Ly, and M. Gerla, “Hierarchical routing for Foundations of Computer Science, Los Angeles, 1987, pp. 427- multi-layer ad-hoc wireless networks with UAVs,” in Proc. 21st 438.

Century Military Communications Conf., Los Angeles, 2000, pp. [55] T. Moore, J. Clulow, S. Nagaraja, and R. Anderson, New 310-314. Strategies for Revocation in ad-hoc Networks, Cambridge, UK: [45] S. Zhao, K. Tepe, I. Seskar, and D. Raychaudhuri, “Routing Springer-Verlag, 2007, pp. 232-246. protocols for self-organizing hierarchical ad-hoc wireless networks,” in Proc. IEEE Sarnoff Symposium, 2003. Kuo Zhao received the B.E degree in Computer [46] J. Horwitz and B. Lynn, “Toward hierarchical identity-based Software in 2001 form Jilin University, followed by M.S degree in Computer Architecture in 2004 encryption,” in Proc. International Conf. on the Theory and and Ph.D. in Computer Software and Theory Applications of Cryptographic Techniques on Advances in from the same university in 2008. He is currently Cryptology, Amsterdam, 2002, pp. 466-481. Senior Lecturer in the College of Computer [47] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and Science and Technology, Jilin University. His M. Yung, “Perfectly-secure key distribution for dynamic research interests are in identity-based conferences,” in Proc. 12th Annu. International Cryptology Conf. cryptography, computer networks and on Advances in cryptology, Santa Barbara, 1993, pp. 471-486. information security.

[48] M. Ramkumar, N. Memon, and R. Simha, “A hierarchical key pre- Longhe Huang was born in Jiangxi, China in 1989. He received the distribution scheme,” in Proc. IEEE International Conf. on B.S. degree from the College of Computer Science and Technology, Electro Information Technology, Lincoln, 2005, pp. 6. Jilin University, Changchun in 2012, and he is currently working toward [49] F. R. Yu, H. Tang, P. C. Mason, and F. Wang, “A hierarchical the M.S. degree at Jilin University. His research interest includes identity based key management scheme in tactical mobile ad hoc identity-based cryptography, and the security of wireless network. networks,” IEEE Transactions on Network and Service Management, vol. 7, no. 4, pp. 258-267, Dec 2010. Fangming Wu received his B.S. degree from the PLA Information Engineering University in 2007. He is currently pursuing in the College [50] D. B. Johnson, D. A. Maltz, and J. Broch, “DSR: The dynamic of Computer Science and Technology, Jilin University. His research source routing protocol for multi-hop wireless ad hoc networks,” interest is the communication of WSN, computer networks and Ad hoc networking, vol. 5, pp. 139-172, 2001. information security. [51] K. Xu, X. Hong, and M. Gerla, “An ad hoc network with mobile backbones,” in Proc.IEEE International Conf. on Communications, Liang Hu Dr Liang Hu had his BEng on 2002, pp. 3138-3143. Computer Systems Organization in 1993 and his PhD on Computer Software and Theory in 1999. [52] Z. Li, X. Xu, and C. Li, “Provably secure certificate-based He is currently Professor and PhD supervisor of signature scheme for ad hoc networks,” Journal of Networks, vol. College of Computer Science and Technology, 7, no. 11, pp. 1845-1851, Nov 2012. Jilin University, China. [53] V. Goyal, Reducing Trust in the PKG in Identity based His main research interest includes network Cryptosystems, Santa Barbara, USA: Springer-Verlag, 2007, pp. security and distributed computing, including 430-447. related theories, models, and algorithms of [54] S. Abbas and M. Merabti, D. Llewellyn-Jones, and K. Kifayat, PKI/IBE, and IDS/IPS. As a person in charge or a principal participant, Dr Liang Hu has “Lightweight sybil attack detection in MANETs,” System Journal, finished more than 20 national, provincial and ministerial level research vol. 7, no. 2, Jun 2013. projects of China.