Many previous broadcast encryption schemes can only guarantee confidentiality but cannot verify integrity and authenticity for broadcast messages. In this paper, a broadcast signcryption protocol for ad hoc networks is proposed based on a cluster-based structure. The proposed protocol not only guarantees confidentiality but also verifies integrity and authenticity for broadcast messages. More importantly, the proposed scheme enables the cluster head to robustly add or remove any cluster member without changing the secret keys of other cluster members. Moreover, the proposed protocol avoids massive message exchange for key setup among cluster members. The analysis of security and performance shows that the proposed protocol is a secure, efficient, and more practical protocol for ad hoc networks.
Introduction
Broadcast encryption allows the data provider or the broadcast center to encrypt a message for a subset of users called the privileged users, and only users in that subset can use their private keys to decrypt it. It has a wide range of applications, including pay-TV, content protection, secure audio streaming, and Internet multicasting. In 1993, Fiat and Naor [1] first proposed the concept of broadcast encryption and a broadcast encryption protocol. Since then, broadcast encryption has received much attention, and many broadcast encryption protocols have been proposed [2][3][4][5][6][7]. Mu and Varadharajan [2] proposed a robust and secure broadcasting scheme, which achieved significant breakthroughs in the revocation of decryption keys used for a secure broadcasting service and in computational efficiency. However, their scheme cannot securely remove subscribers, and data redundancy exists. Zhang et al. [3] proposed a novel dynamic key management scheme for secure multicasting based on Ref. [2] and a novel hybrid key distribution scheme. They also claimed that their scheme allows efficient mechanisms for group members to join and leave a group frequently, but their scheme shows the same disadvantage as Ref. [2], that is, it cannot securely remove subscribers. Daza et al. [4] proposed an ad hoc threshold broadcast encryption scheme. In their scheme, a sender chooses (ad hoc) a set of n receivers and a threshold t and then encrypts a message using the public keys of all the receivers, in such a way that the original plaintext can be recovered only if at least t receivers cooperate. Guo et al. [5] and Hu et al. [6] each proposed an identity-based broadcast encryption scheme.