
International Journal of Distributed Sensor Networks

Volume 2013 (2013), Article ID 374713, 9 pages

http://dx.doi.org/10.1155/2013/374713

## Anonymous Cluster-Based MANETs with Threshold Signature

^{1}School of Electrical Engineering and Computer Science, Kyungpook National University, Daegu, Republic of Korea

^{2}School of Electrical Engineering, Kyungpook National University, Sangju, Republic of Korea

^{3}School of Electronics Engineering, College of IT Engineering, Kyungpook National University, Daegu, Republic of Korea

Received 2 September 2012; Revised 20 February 2013; Accepted 21 February 2013

Academic Editor: Dan Kim

Copyright © 2013 YoHan Park et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Security support is a significant factor in the design of security systems for ad hoc networks. It is particularly important to protect the identities of individual nodes to avoid personal privacy concerns. In this paper, we propose a security system for ID-based anonymous cluster-based MANETs to protect the privacy of nodes. Moreover, we propose a threshold signature scheme without pairing computations, which diminishes the computation load on each node. To the best of our knowledge, our proposed security system is the first in which the pseudonym is combined with cluster-based mobile ad hoc networks (MANETs) without a trusted entity. According to our protocol analysis, our proposal satisfies most properties for an anonymous security system and effectively copes with dynamic environments with greater efficiency by using secret sharing schemes. Therefore, it could be usefully applied to preserve privacy in dynamic MANETs without a trusted entity, such as military battlefields, emergency areas, mobile marketplaces, and vehicular ad hoc networks (VANETs).

#### 1. Introduction

MANETs support communications in situations involving temporary self-organization and infrastructure-less situations, such as battlefields, disaster relief situations, and emergency rescue areas [1]. Recently, MANETs have been extended to intelligent transport systems, often called VANETs. However, MANETs are subject to various types of attacks because of the wireless and infrastructure-less environments in which they are used. Moreover, these network structures make it difficult to apply the certificate-based public key cryptosystem (CBC) to meet the requirements of the certificate authority (CA). As a powerful alternative to the CBC, the identity-based cryptosystem (IBC) proposed by Shamir [2] has been gaining momentum in recent years. It allows public keys to be derived from entities' known identity information, such as e-mail addresses, IP addresses, or codes, thus eliminating the need for public key distribution and certificates. In other words, a user's public key can be determined directly from his identifying information, rather than having to be extracted from a certificate issued by a CA.

However, a centralized public key generator (PKG) which generates a key pair for users in the IBC would obviously be easy to attack, and accessibility could not be guaranteed at all times for all participants in MANETs. To counter this, Boneh and Franklin [3] suggested spreading the PKG by means of distributed PKGs (D-PKGs), using threshold cryptography. Distribution of a signing key and CA functionality over multiple nodes using secret sharing and threshold cryptography is a possible solution to this problem. Most studies in cluster-based MANETs considering D-PKGs have been based on hierarchy topology structures, which classify the node into two types, namely, representative nodes, called clusterheads (CHs), and common nodes.

Furthermore, threshold signature schemes in MANETs have recently attracted the attention of many researchers [4]. A threshold signature allows many individuals to cooperatively sign the same document. Some schemes that rely on a trusted party have been proposed and applied to CBC-based networks [5], but these are unreasonable for MANETs, where there is no infrastructure and no controlling administration. Therefore, the threshold signature scheme is necessary for secure message transmission in MANETs. Recent research on cluster-based MANETs has sought to address the privacy problem [6] and threshold signature schemes [7], but research on anonymous threshold signature schemes in cluster-based MANETs has been insufficient.

This paper proposes a security system for ID-based anonymous cluster-based MANETs to protect the privacy of nodes. Moreover, we propose a threshold signature scheme without pairing computation, which diminishes the computation load on each node in comparison with existing schemes. The major contributions of this study are summarized as follows.

(i) Security of a cluster key distribution scheme and key agreement scheme. We propose a secure cluster key distribution scheme and a key agreement scheme with anonymity for cluster-based MANETs. The cluster key distribution scheme ensures that the compromise of an arbitrary number of nodes outside the target cluster does not jeopardize the secrecy of noncompromised nodes. The key agreement scheme also ensures secure communication between nodes within and between clusters.

(ii) Consideration of threshold signature without pairing computation. Our threshold signature supports threshold signature. Compared with existing threshold signatures, we diminish the computation load on signing nodes and a verification node; instead, CHs aid the signature verification process. Thus, our threshold signature is suitable for the distributed PKGs architecture or the cluster-based network architecture.

(iii) Protection of personal privacy. Our schemes support entity anonymity. Only the entities of the matched session can know the identity of others with whom they are in communication. For instance, CHs could be dealers, and common nodes could be purchasers when considering temporarily established mobile markets. There is no need to hide the CHs' identities because every purchaser should recognize CHs as dealers along with their information; therefore, the identities of CHs are not very important. On the other hand, the information of purchasers is much more attractive to adversaries because it could be abused commercially and criminally.

The rest of the paper is organized as follows. In Section 2, we present preliminaries, and the system model is presented in Section 3. In Section 4, we describe ID-based anonymous cluster-based MANETs, and the threshold signature is discussed in Section 5. Finally, we analyze the proposed scheme in Section 6 and conclude our findings in Section 7.

#### 2. Preliminaries

In this section, we present notations and then define the cryptographic system and primitives used as building blocks in our security system.

##### 2.1. Notations

Table 1 lists some important notations whose concrete meanings will be further explained where they appear for the first time.

##### 2.2. ID-Based Cryptography

Let be two large primes, and let indicate an elliptic curve over the finite field . We denote by a -order subgroup of the additive group of points of and by a -order subgroup of the multiplicative group of the finite field . The discrete logarithm problem (DLP) is required to be hard in both and . For us, a pairing is a map with the following properties.

(i) Bilinear: for all , . Consequently, for all , we have and so forth.

(ii) Nondegenerate: if is a generator of , then is a generator of .

(iii) Computable: there is an efficient algorithm to compute for all .

Note that is also , that is, , for all , which follows immediately from the bilinearity and the fact that is a cyclic group. Modified Weil [3] and Tate [8] pairings are examples of such bilinear maps for which the *bilinear Diffie-Hellman problem (BDHP)* is believed to be hard.

*Definition 1 (bilinear Diffie-Hellman (BDH) problem). *The BDH problem for a bilinear pairing is defined as follows: given , where are random numbers from , compute .

*Definition 2 (decisional Bilinear Diffie-Hellman (DBDH) problem). *The DBDH problem for a bilinear pairing is defined as follows: given , where are random numbers from and that determine if (if it holds), then the tuple is called a BDH tuple.

##### 2.3. Threshold Schemes Based on Secret Sharing

###### 2.3.1. Shamir's -SS

In Shamir's -SS [9], based on a Lagrange interpolating polynomial, there are shareholders and a mutually trusted dealer . The scheme consists of two algorithms.

(1) Share generation algorithm: dealer does the following:

(i) dealer first picks a polynomial of degree randomly: in which the secret and all coefficients are in a finite field with elements,

(ii) computes all shares: (mod ) for ,

(iii) Then, outputs a subset of size , , and distributes each share to corresponding shareholder privately.

(2) Secret reconstruction algorithm: based on a Lagrange interpolation, any subset of size can reconstruct the polynomial as where , is called a Lagrange coefficient. The secret can be reconstructed by computing .

We note that the above scheme satisfies the basic security requirements of secret sharing schemes as follows: (1) with knowledge of a or more than shares, it can reconstruct the secret easily; (2) with knowledge of fewer than shares, it cannot reconstruct the secret . Shamir's scheme is *information theoretically secure* since the scheme satisfies these two requirements without making any computational assumption. For more information on this scheme, readers can refer to the original paper [9].

#### 3. System Model

We describe the network architecture and the security requirements.

##### 3.1. Network Architecture

We divide the network into several clusters to enhance efficiency and availability. Clustering is a method that enables nodes to be organized on the basis of their relative proximity to one another. We envision a cluster-based MANET consisting of CHs without any prior contact, trust, or authority relation. In each cluster, one distinguished node, the CH, is responsible for establishing and managing the cluster. The size of the network may change dynamically according to the efficiency and the security. Let us consider an ad hoc network with CHs that are selected to enable secure and robust pseudonym generation. We assume that compromised CHs will eventually exhibit detectable misbehavior. Studies [10, 11] discussed ways to detect the misbehavior of nodes or intrusions in detail.

Our schemes work securely and properly on the assumption, which is similar to assumptions made in [12–14], that adversaries compromise no more than out of CHs in a given time period. In practice, it is hard to compromise, in a given time period, CHs, which are more secure and powerful than common nodes and are geographically distributed over a wide area. In terms of nodes' ability, we also assume that CHs have more computation and communication power than common nodes. More precisely, CHs have an additional powerful radio to establish wireless links among themselves and strong resistance against malicious attacks.

Figure 1(a) illustrates the basic network architecture of our security system for cluster setup and pseudonym generation. CHs have secret sharing generated by a PKG before implementation. CHs can generate polynomials when at least CHs collaborate in the secret reconstruction algorithm. The CHs that reconstruct have the same cluster key, . This cluster key is periodically updated according to the update phase. Using the same cluster key, CHs generate their own polynomial , called the respective polynomial later. Finally, common nodes in each cluster register and receive a pair of pseudonym from their CHs. We only consider the privacy of common nodes.

Figure 1(b) illustrates the threshold signature generation process in a cluster. Nodes that are members of the same cluster and try to send the same message generate a threshold signature and send the message with the threshold signature to a verifier and the CH. Then, the CH checks the validity of the messages and signatures, generates additional points, and sends them to the verifier. Finally, the verifier checks the validity of the signatures.

##### 3.2. Security Requirements

We define security requirements for our anonymous security system.

(1) Privacy: private information, such as the node's identity and location, should be protected against malicious adversaries. Formally, given two sets of legitimate identities, and , the adversary should not have any significant advantage in guessing or for the pseudonym .

(2) Traceability: compromised nodes are identified, and the corresponding identity and pseudonym should be revoked to protect networks against further threats.

(3) Nonmanipulation: no nodes or CHs can computationally manipulate a pseudonym from an identity.

(4) Verifiability: from the signature, the verifier can be convinced of the signer.

(5) Undeniability: once a signer creates a valid signature, he cannot repudiate the signature creation.

(6) Unforgeability: no nodes can forge a signature; it can only be replicated by the signer who creates it.

#### 4. Anonymous Cluster-Based MANETs

##### 4.1. System Setup

It is reasonable to assume that a trusted PKG could bootstrap the network, which itself is not a part of the resulting network. The basic operations consist of generating pairing parameters, private keys, and secret sharing.

(a) Generation of the pairing parameters : to bootstrap the network, the PKG does the following.

(i) Generation of pairing parameters . It selects an arbitrary generators as its private key.

(b) Generation of secret sharing for cluster key: to generate secret sharing for cluster key, the PKG does the following.

(i) It submits identity information. A CH submits its identity information, , where , to PKG.

(ii) It chooses cluster key. The PKG selects an arbitrary cluster keys , where .

(iii) It determines polynomials of degree . The PKG determines random polynomials, (mod ).

(iv) It performs -SS of . The PKG computes and secret sharing of : .

(v) Parameters , are preloaded to each securely.

(c) Generation of CH's ID-based private keys: to hand out CH's private key, the PKG does the following.

(i) It submits identity information. A CH submits its identity information, , to PKG.

(ii) It computes key pairs. The PKG computes a public/private key pairs: and , .

(iii) Parameters and key pairs are preloaded to each securely.

(d) Generation of common nodes' ID-based private keys: to hand out node's private key, the PKG does the following.

(i) It submits identity information. A common node submits its identity information, , to PKG.

(ii) It computes key pairs. The PKG computes a public/private key pairs: and , .

(iii) Parameters , and key pairs are preloaded to each securely.

Due to the difficulty of solving the DLP in , it is computationally infeasible to derive the network master secrets from an arbitrary number of private keys. This means that no matter how many key pairs adversaries acquire from compromised nodes, they cannot deduce the private key of any noncompromised node. Colluding CHs (no more than out of in a given time period) cannot compute a cluster key.

##### 4.2. Cluster Setup

Cluster-based MANETs work without the help of PKG after completing the system setup. Instead of a PKG, CHs play this role using their secret sharing. In our security system, to provide security services to networks, each CH first generates respective polynomials, that cover within a cluster and a group secret key. Then, the CHs establish a secure channel with CHs or nodes to forward them. Secure channels are generated using their initial key pairs. Secure channels between CHs or between a CH and a node are established by the noninteractive key agreement scheme as follows: Here, , can be a node or a CH. Using this channel, CHs first authenticate nodes and other CHs and then forward respective polynomials and a group secret key. Respective polynomials are for cluster reconfiguration, and the group secret key is for establishing secure channels with pseudonyms. Generation of respective polynomials is carried out as follows.

(1) Generate respective polynomials : to generate respective polynomials, CHs must reconstruct the polynomial first. To reconstruct polynomials, , and generate respective polynomials, , CHs do the following.

(a) Pooling secret sharing. Every CH shares their secret sharing, .

(b) Performing secret reconstruction algorithm. Each CH reconstructs the polynomial and computes cluster key : where , is called a Lagrange coefficient. The secret can be reconstructed by computing .

(c) Generating respective polynomials of degree . Each CH randomly generates a polynomial (mod ). Each CH could change the polynomial by switching coefficients arbitrarily.
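Added example (not code from the paper): Shamir's scheme of Section 2.3.1 as the CHs use it in the secret reconstruction step above, written in Python. The names `t`, `n`, the modulus `P`, and the `shares_consistent` check are assumptions of this example; the paper does not state how intact CHs detect a bad share, so that check is only one illustrative option.

```python
import itertools
import secrets

P = 2**127 - 1  # assumed field modulus (a Mersenne prime); the page gives none


def eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def make_shares(secret, t, n, p=P):
    """Dealer: random polynomial of degree t-1 with f(0) = secret; share i is (i, f(i))."""
    if not (1 <= t <= n < p) or not (0 <= secret < p):
        raise ValueError("need 1 <= t <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def interpolate_at(points, x0, p=P):
    """Lagrange interpolation through `points`, evaluated at x0."""
    xs = [x % p for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("share indices must be distinct")
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x0 - xm) % p
                den = den * (xj - xm) % p
        # yj times the Lagrange coefficient of share j at x0
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


def reconstruct(shares, p=P):
    """Pooled shares -> secret f(0)."""
    return interpolate_at(shares, 0, p)


def shares_consistent(shares, t, p=P):
    """True if every extra pooled share lies on the polynomial fixed by the first t."""
    base, rest = shares[:t], shares[t:]
    return all(interpolate_at(base, x, p) == y for x, y in rest)


def secrets_consistent_with(known, t, p):
    """Tiny field only: per candidate secret, count polynomials of degree < t matching `known`."""
    counts = {s: 0 for s in range(p)}
    for coeffs in itertools.product(range(p), repeat=t):
        if all(eval_poly(coeffs, x, p) == y for x, y in known):
            counts[coeffs[0]] += 1
    return counts


def demo():
    t, n = 3, 5                      # constructed parameters: 5 CHs, any 3 reconstruct
    key = secrets.randbelow(P)       # constructed cluster key
    shares = make_shares(key, t, n)
    any_t_ok = all(reconstruct(list(sub)) == key
                   for sub in itertools.combinations(shares, t))
    # One CH pools a tampered share: with exactly t shares the result is silently wrong,
    # with t + 1 shares the inconsistency becomes visible.
    bad = list(shares)
    bad[1] = (bad[1][0], (bad[1][1] + 1) % P)
    silently_wrong = reconstruct(bad[:t]) != key
    detected = not shares_consistent(bad[:t + 1], t)
    # t - 1 shares over GF(11): every candidate secret is matched by exactly one polynomial.
    small = make_shares(7, 3, 5, p=11)
    counts = secrets_consistent_with(small[:2], 3, 11)
    return any_t_ok, silently_wrong, detected, counts


if __name__ == "__main__":
    print(demo())
```

The brute-force count over GF(11) is the information-theoretic property in miniature: two shares of a threshold-3 sharing leave all eleven candidate secrets equally possible.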

To avoid cryptanalysis and malfunction of CHs, frequent key updates are needed. Our key update schemes consist of two parts: one is an update of the cluster key, and the other is the respective polynomial. The cluster keys, , are refreshed periodically at a predefined time interval using secret sharing , where , . The cluster key update can enhance the security level of the network. Intact CHs reject secret sharing of compromised CHs and, as a result, are isolated from the networks. Furthermore, pseudonyms also could be updated consistently regardless of the cluster key update. Each CH can generate different pseudonyms with the same identity by changing a polynomial of its choice by replacing with .

##### 4.3. Generation of Pseudonyms

Pseudonym generation is an essential process to provide privacy of each node. Figure 1(a) shows a scenario of pseudonym generation process. Initial pseudonym generation starts when the registered nodes on the PKG try to get a pseudonym from an adjacent CH. The CH generates pseudonyms for common nodes within a cluster using its respective polynomial. Pseudonyms and secret sharing are generated as follows.

(1) Generation of pseudonyms and key pair: to generate pseudonyms, CHs do the following.

(a) Performing -SS of to generate pseudonyms. Each CH computes and secret sharing of : , where .

(b) Computing key pairs. Each CH computes a public/private key pairs: and .

(c) Recording pseudonyms. Each CH records the identities and the pseudonyms with the corresponding key pairs at the pseudonym lookup table (PLT).

(d) Forwarding pseudonyms, key pairs, and group secret key to corresponding nodes. CHs forward pseudonyms to nodes, respectively, using a secure channel.

Other CHs cannot know pseudonyms from public keys of nodes even though they have knowledge of cluster key because of the hardness of DLP in . Using the pseudonym key pair, common nodes establish a secure channel by the noninteractive key agreement scheme as follows: For noninteractive key agreement between a CH and a node, each CH randomly chooses and computes a temporary public key as then publishes it.

#### 5. Threshold Signature in Anonymous Cluster-Based MANETs

We propose an anonymous threshold signature. The proposed scheme involves five roles: a clusterhead (), a set of members in a cluster (where is the identity of the th member), a set of signer (where is a subset of and is the identity of the th member), and a verifier .

(1) Generate threshold signature: to generate a threshold signature regarding message , a number of nodes among the members of perform the following steps.

(a) Requesting threshold generation. The initiator, one of signers, sends a threshold generation request to the CH with a list of signers as .

(b) Sending tokens. The CH chooses an arbitrary tokens , where , and sends them to corresponding signers securely.

(c) Generating signature. Then, each signer generates a signature: and computes with a corresponding token: .

(d) Sending the signature and a pseudonym public key. Each node sends the message tuple to the verifier and the :

(2) Generate a verifying polynomial: to check the validity of signatures, the performs the following steps:

(a) Check the validity of a set of messages. The searches corresponding pseudonyms with pseudonym public keys using the pseudonym lookup table (PLT) and then checks the validity of HMAC respectively.

(b) Checking the validity of signatures. The recovers signatures from using corresponding tokens and generates additional points on . Then, it performs a secret reconstruction algorithm using received signatures and generated additional points. The reconstruction algorithm is as follows: where , is called a Lagrange coefficient. If the reconstructed polynomial has at , the accepts signatures as valid.

(c) Generating a verifying polynomial. If all messages and signatures are valid, the generates an extra polynomial as follows:

(i) generating a verifying-polynomial. The generates of degree which passes points where and the point .

(ii) generating points. The generates additional points on the verifying-polynomial and then sends the tuple to the verifier :

(3) Generate verification: to check the validity of a signature, the verifier does the following.

(a) Performing secret reconstruction algorithm. The verifier performs a secret reconstruction algorithm using points and the point . The verifying polynomial can be reconstructed as follows: where , is called a Lagrange coefficient.

(b) Checking the validity of HMAC. The verifier checks the validity of HMAC using received points and generated . If HMAC is correct, the verifier identifies signatures as valid.

#### 6. Analysis

In this section, we provide analysis of our system with respect to correctness, performance, and security.

##### 6.1. Correctness

Note that where is the secret sharing of .

Therefore, a CH can verify the validity of each signature as follows:

The verifier also can check the validity of threshold signature as above, similarly, because passes a set of points . The verifier can reconstruct the polynomial and find and, consequentially, check the validity of HMAC received from a CH.

##### 6.2. Performance

This section presents our efficiency analysis. Table 2 compares our proposed schemes with other schemes. For simplicity, we omit private key distribution and secret sharing distribution process in comparison to computation load.

Most schemes, except the proposed scheme, use a pairing algorithm to generate and verify the signature. Pairing and exponentiation generally impose heavier computation loads than scalar multiplication. Cao et al. [15] showed that a pairing consumes about double the computation load of an exponentiation and three times the computation load of a scalar multiplication in . According to this experiment, our scheme is much lighter than previous threshold signature schemes. Moreover, our threshold scheme is comparable with existing threshold signatures in non-ID-based cryptosystems [16].

##### 6.3. Security

###### 6.3.1. Privacy

Our security system supports the anonymity of nodes using pseudonyms. In our proposed security system, every node does not reveal real identities after the pseudonym generation. An adversary cannot correctly match an identity with a pseudonym even though the identity and the pseudonym are released to them because of the hardness of DLP [17]. The pseudonym is in the form of in the th update phase for node in cluster . To match a real identity with a pseudonym, adversaries should reconstruct a polynomial . However, no malicious nodes at most number of can reconstruct respective polynomials, although they have known about a cluster key because -SS is information theoretically secure against at most adversaries. Thus, as long as the CH does not reveal the respective polynomials, anonymity of each node is guaranteed.

###### 6.3.2. Traceability

Each CH records the relation of the identity and the pseudonym of common nodes in its cluster at the PLT. Pseudonyms of compromised and revoked nodes are rejected from the PLT, and these nodes cannot be updated any more. Therefore, our system enables the tracing of violators when unlawful actions are notified to the CH, and they are eventually isolated from the network.

###### 6.3.3. Nonmanipulation

Our proposed security system ensures nonmanipulation in case of at most ( or ) compromised nodes. Only the CH who has a respective polynomial can generate valid pseudonyms in a cluster, and no other nodes and CHs can do it. Secret sharing, , is generated by -SS; therefore, no more than CHs who are colluding can reconstruct and learn ; and, to conclude, generate valid respective polynomials . Moreover, the respective polynomials generated by -SS are used to generate pseudonyms. In conclusion, adversaries who know more than secret sharing of or more than secret sharing of can carry out manipulation; however, it is impractical. Thus, as long as ( or ) or more than ( or ) nodes and CHs are not colluding, non-manipulation is guaranteed.

###### 6.3.4. Verifiability, Undeniability, and Unforgeability

The CH works as a subverifier in our threshold signature scheme by generating a verifying polynomial. From the message tuples sent by signers, the CH can check the validity of signers. First, only valid and registered nodes can generate a correct HMAC with their pseudonyms. Second, the CH can verify signatures by reconstructing a polynomial . This polynomial returns a correct value when signatures are generated by signers who have a valid and registered pseudonym key pair. Finally, the reconstructed verifying polynomials generated by the CH and by the verifier return the same value, , when the CH satisfies the two former conditions and has a valid pseudonym key pair of the verifier. Thus, verifiability is guaranteed if these conditions are acceptable. Undeniability and unforgeability are similarly guaranteed. The message containing the signature is in the form of . Unless the pseudonym is released, only the node can generate valid ; thus, it cannot deny the signature and others cannot forge it. Thus, undeniability and unforgeability are guaranteed.

###### 6.3.5. Forward/Backward Secrecy

Our security system supports forward/backward secrecy using the key update scheme in case of at most ( or ) compromised nodes. The key update scheme regularly updates pseudonyms, and, consequently, the pseudonym public/private key pairs of nodes are also updated along with the updated pseudonym. There is no relation between past key pairs and updated key pairs because CHs periodically change a polynomial or a cluster key . Therefore, although the updated private/public key pairs are exposed to adversaries, these do not affect past and future session keys.

#### 7. Conclusions

Concerns for personal privacy and security in wireless environments are increasing rapidly as mobile devices are becoming more popular. Cluster-based MANETs are being seriously considered to pioneer new markets; however, there are urgent unresolved security problems. Fundamental aspects of security, such as authentication and signature, are challenging for secure security systems for cluster-based MANETs. In addition, the protection of personal privacy has become increasingly important as the wireless networks have become personal and popular; therefore, secure security system designs with anonymity are required for cluster-based MANETs.

In this paper, we presented a secure security system with anonymity for cluster-based MANETs and a threshold signature under practical assumptions. To the best of our knowledge, our proposed security system is the first in which the pseudonym is combined with cluster-based MANETs without a trusted entity. According to our protocol analysis, our proposed system satisfies most properties for an anonymous security system and successfully copes with dynamic environments with greater efficiency by using secret sharing schemes. We believe that the proposed system improves upon the security of previously proposed security systems, and that it is suitable for a wider variety of applications. It could be usefully applied to preserve privacy in dynamic MANETs without a trusted entity, such as military battlefields, emergency areas, mobile marketplaces, and privacy-preserving VANETs.

#### Acknowledgments

This paper was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2012R1A1A4A01002603) and was supported by the Kyungpook National University Research Fund, 2012.

#### References

1. R. Dutta and T. Dowling, “Provably secure hybrid key agreement protocols in cluster-based wireless ad hoc networks,” *Ad Hoc Networks*, vol. 9, no. 5, pp. 767–787, 2011.
2. A. Shamir, “Identity-based cryptosystems and signature schemes,” in *CRYPTO 84, LNCS 196*, pp. 47–53, Springer, New York, NY, USA, 1985.
3. D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in *CRYPTO 01, LNCS 2139*, pp. 213–229, Springer, New York, NY, USA, 2001.
4. X. Meng and Y. Li, “A novel verifiable threshold signature scheme based on bilinear pairing in mobile ad hoc network,” in *Proceedings of the IEEE International Conference on Information and Automation (ICIA '12)*, pp. 361–366, IEEE, 2012.
5. Y. Takehana, I. Nishimura, N. Yosaki, T. Nagase, and Y. Yoshioka, “Building trust among certificate management nodes in mobile ad-hoc network,” in *Proceedings of the 26th International Conference on Advanced Information Networking and Applications Workshops (WAINA '12)*, pp. 564–568, IEEE, 2012.
6. J. Freudiger, M. Raya, and J. P. Hubaux, “Self-organized anonymous authentication in mobile ad hoc networks,” in *SecureComm 2009, LNICST 19*, pp. 350–372, Springer, New York, NY, USA, 2009.
7. X. Chen, F. Zhang, D. M. Konidala, and K. Kim, “New ID-based threshold signature scheme from bilinear pairings,” in *INDOCRYPT 2004*, pp. 371–383, Springer, New York, NY, USA, 2004.
8. P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient algorithms for pairing-based cryptosystems,” in *CRYPTO 02*, pp. 354–369, Springer, New York, NY, USA, 2002.
9. A. Shamir, “How to share a secret,” *Communications of the ACM*, vol. 22, no. 11, pp. 612–613, 1979.
10. A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, “Proactive secret sharing or: how to cope with perpetual leakage,” in *CRYPTO 95*, pp. 339–352, Springer, New York, NY, USA, 1995.
11. Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” in *Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (MOBICOM '00)*, pp. 275–283, ACM, August 2000.
12. M. Bechler, H. J. Hof, D. Kraft, F. Pählke, and L. Wolf, “A cluster-based security architecture for ad hoc networks,” in *Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '04)*, pp. 2393–2403, IEEE, March 2004.
13. L. C. Li and R. S. Liu, “Securing cluster-based ad hoc networks with distributed authorities,” *IEEE Transactions on Wireless Communications*, vol. 9, no. 10, pp. 3072–3081, 2010.
14. Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Securing mobile ad hoc networks with certificateless public keys,” *IEEE Transactions on Dependable and Secure Computing*, vol. 3, no. 4, pp. 386–399, 2006.
15. X. Cao, W. Kou, and X. Du, “A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges,” *Information Sciences*, vol. 180, no. 15, pp. 2895–2903, 2010.
16. J. Hu and J. Zhang, “Cryptanalysis and improvement of a threshold proxy signature scheme,” *Computer Standards and Interfaces*, vol. 31, no. 1, pp. 169–173, 2009.
17. L. Harn and C. Lin, “Authenticated group key transfer protocol based on secret sharing,” *IEEE Transactions on Computers*, vol. 59, no. 6, pp. 842–846, 2010.
18. J. Baek and Y. Zheng, “Identity-based threshold signature scheme from the bilinear pairings (extended abstract),” in *Proceedings of the International Conference on Information Technology: Coding Computing (ITCC '04)*, pp. 124–128, IEEE, April 2004.
19. H. Yuan, F. Zhang, X. Huang, Y. Mu, W. Susilo, and L. Zhang, “Certificateless threshold signature scheme from bilinear maps,” *Information Sciences*, vol. 180, no. 23, pp. 4714–4728, 2010.