Non-interactive integrated membership authentication and group arithmetic computation output for 5G sensor networks

Group-oriented applications show its potential ability in the next generation of wireless sensor networks (5G WSNs), which have the particularity of being heterogeneous and so have different capabilities in terms of storage, computing, communicating and energy. One of the main challenges for secure group-oriented applications (SGA) in 5G WSNs is how to secure communication between these heterogeneous devices. Conventional protocols are not suitable for SGA in 5G sensor networks since multiparty output establishment in this environment requires lightweight communication and computation overhead, further the primary task of SGA in 5G WSNs is to securely transmit various types of jointly computing data. Hence, membership authentication and multiparty output for arithmetic computations become two fundamental and necessary security services in SGA for 5G WSNs. In this paper we propose a novel design of non-interactive integrated membership authenticated multiparty output for arithmetic computations in 5G sensor networks, which embeds the function of membership authentication and multiparty output for arithmetic computations. Since any arithmetic computation function is composed of multiple additions and multiplications, our result serves as a general method for multiparty computation output in SGA. This design is more suitable for lightweight membership authenticated multiparty arithmetic computations output in 5G sensor networks.


INTRODUCTION
The next generation of wireless sensor networks (5G WSNs) has the particularity of being heterogeneous and has been developed to collect data remotely for various applications [1,2]. For example, data has been collected for traffic analysis, for weather prediction, and medical analysis, etc. These applications motivate the needs for secure group-oriented applications (SGA) over open and insecure 5G WSNs. The negotiation of group outputs among different group members is fundamental for SGA. For security reason, collected data needs to be protected from eavesdropping. Data encryption requires that both the source node and the receiver node share a pairwise shared key. The source node encrypts collected data under the shared key and the receiver node decrypts the ciphertext under the shared key to recover the data. Collected data in 5G WSNs is different from most data in digital communication applications. The primary task for most collected data, for example weather/traffic cal for a group with large size. Laih et. al [17] proposed the first group key distribution protocol based on the secret sharing scheme. During registration, each group member obtains a token from the group manager. The group manager can distribute a group key to all participated members in broadcasting transmission. There are many published papers based on this approach [18,19,21,22].
Group key distribution protocols are non-interactive so they are more efficient than group key agreement protocols which are interactive. For example, in IEEE 802.11i secure local area network [20], the group key is determined by the server and then encrypts the group key with each pairwise shared key between the server and mobile device. Then, the ciphertext of the group key is one-to-one transmitted to each mobile device separately. One alternative group key distribution protocol is proposed by Harn and Lin [18] which hides a group key in a linear polynomial and then broadcasts the polynomial to all group members simultaneously. Broadcast communication is more efficient than one-to-one communication.
In this paper, we propose a novel design of non-interactive SGA for arithmetic computations which embeds the function of membership authentication and multiparty computation output. We present this efficient non-interactive membership authentication and multiparty computations output based on an asymmetric bivariate polynomial and the combination of addition and multiplicative operation function. During registration, each member will receive a ''token'' from the membership registration center (MRC). Tokens are generated by an asymmetric bivariate polynomial and each token is two univariate polynomials. Each member uses the token for membership authentication, pairwise shared key distribution. Then, for basic addition and multiplication multiparty output computation, by using the basic addition and multiplicative operations respectively, each member mixes his/her input with pairwise shared keys with other users and uses his/her pairwise shared keys to encrypt the computed value, and then, releases the computed values in a broadcast channel. After collecting all values from other members, each member can compute the multiparty computation output. Since any arithmetic computation function is composed of multiple additions and multiplications, this proposed efficient scheme is especially suitable for general multiparty arithmetic computations output.
In summary, we list the contributions of this paper below.
(i) An efficient lightweight membership authentication and multiparty arithmetic computation output for SGA in 5G WSNs is proposed. (ii) Tokens generated by a bivariate polynomial initially can be used for membership authentication, pairwise shared key distribution and group computation output establishment. (iii) Our proposed approach is very efficient since there is no need for additional membership authentication and pairwise shared key distribution. (iv) Our protocol is secure against inside attackers and outside attackers. Furthermore, confidentiality, authentication, freshness, forward secrecy and backward secrecy of group output computation can be achieved.
(v) One unique feature of our proposed protocol is that since any general function is composed of multiple additions and multiplications, our proposal can serve as a solution for general multiparty arithmetic computation output, more importantly, it is non-interactive.
The organization of this paper is as follows. In Section 2, we provide some preliminaries about bivariate polynomials. In Section 3, we present the model of our protocols including the protocol description, types of adversaries and security properties of our proposed protocol. Our proposed protocol including three parts (a) token generation, (b) membership authentication and (c) group output establishment is given in Section 4. In Section 5, we analyze the security and performance of this protocol. The conclusion is given in Section 5.

PRELIMINARIES
In Shamir's (t, n)SS [23], the dealer selects a univariate polynomial, f (x), with degree t − 1 and f (0) = s, where s is the secret. The dealer generates shares, f (x i ) mod p,i = 1, 2, … , n, for shareholders, where p is a prime with p > s, and x i is the public information associated with each shareholder, U i . Each share, f (x i ), is an integer in GF (p). Shamir's (t, n) SS satisfies security requirements of a (t, n)SS. That are, (a) with t or more than t shares can reconstruct the secret, and (b) with fewer than t shares cannot obtain any information of the secret. Shamir's SS is unconditionally secure. In Shamir's (t, n) SS, shareholders cannot verify the validity of their shares obtained from the dealer. In 1985, Chor et al. [24] extended the notion of SS and proposed the first verifiable secret sharing (VSS). Verifiability is the property of a VSS which allows shareholders to verify their shares. Invalid shares may be caused either by the dealer during share generation or by channel noise during transmission. VSS is performed by shareholders after receiving their shares from the dealer and before using their shares to reconstruct the secret. If invalid shares have been detected, shareholders can request the dealer to regenerate new shares. There are many (t, n) VSSs [25][26][27][28][29][30] using bivariate polynomials, denoted them as BVSSs. A bivariate polynomial with degree t − 1 can be represented as . We can classify BVSSs into two types, the symmetric BVSSs, denoted them as SBVSSs [26,28,30] and the asymmetric BVSSs, denoted them as ABVSSs, [25,27,29]. If the coefficients satisfy a i, j = a j,i , ∀i, j ∈ [0, t − 1], it is a symmetric bivariate polynomial. Shares generated by a bivariate polynomial can be used to establish pairwise keys between any pair of shareholders. In all (t, n) SBVSSs, the dealer selects a bivariate polynomial, F (x, y), with degree t − 1 and F (0, 0) = s, where s is the secret. The dealer generates shares, F (x i , y) mod p,i = 1, 2, … , n, for shareholders, where p is a prime with p > s, and x i is the public information associated with each shareholder, U i . Each share, F (x i , y), is a univariate polynomial with degreet − 1. Note that shares generated in a SBVSS satisfy F (x i , can be established between the pair of shareholders, U i and U j . In a similar way, in a ABVSS, the dealer generates a pair of shares, F (x i , y) mod p and F (x, x i ) mod p,i = 1, 2, … , n, for each shareholder and the pairwise secret key, F (x i , x j ) or F (x j , x i ), can also be established between the pair of shareholders, U i and U j .
In this paper, we propose a novel design of efficient noninteractive user authentication and group output establishment for arithmetic computations in group-oriented applications. Our design integrates solutions of membership authentication, pairwise shared key distribution and group output establishment together. In other words, we propose to use a bivariate polynomial to generate tokens. Tokens of members obtained during registration can be used for (a) user authentication; (b) pairwise shared keys distribution and (c) group output establishment. Even more valuable, since any general function is composed of multiple additions and multiplications, our proposal can serve as a solution for general multiparty arithmetic computation output, However, most of existing cryptographic solutions need additional membership authentication and shared keys distribution, also need interactive communications or complex computations for encryption and decryption [31][32][33][34].

MODEL OF OUR PROPOSED PROTOCOL
In this section, we describe the model of our proposed user authentication and group output establishment protocol for arithmetic computations in SGA including the network model and security model, which provide the type of adversaries and security features.

Network Model
Without loss of generality, suppose that there has a mutually trusted MRC and there are n users {U 1 , U 2 , … , U n }, involved in group-oriented applications, which is shown in Figure 1. Each user is required to register at MRC and MRC manages all registered users which includes removing any unsubscribed users or adding new users. In order to achieve a secret output being shared among all communication entities, each group's output Group-oriented applications is needed to be securely distributed to all corresponding group members in prior of exchanging messages or be used as a result that all users jointly compute using their secret inputs. Typically, if all participants are members and act honestly, the protocol is successful, i.e. only the members belong to the same group can derive this group's output. Otherwise, it fails, i.e. group members obtain nothing. Thus, membership authentication before the group output establishment is necessary. In our proposed protocol, each user needs to register at the MRC initially and obtain secret token. The MRC selects an asymmetric bivariate polynomial and generates tokens. Token of each user is two univariate polynomials, one is t − 1 degree in x and one is h − 1 degree in y.
In order to establish a secure group output involving m (i.e. 2 ≤ m < n) members, it requires to execute a membership authentication first in which all participated users interact with each other to prove that they belong to the same group. In the membership authentication, each member needs to broadcast a random integer. After receiving all random integers, each member needs to use his secret tokens to compute pairwise shared keys and then compute a hash output as his authentication response. Members can use this authentication response to authenticate his membership. This membership authentication can also identify non-members. At the end of membership authentication, each member knows exactly the memberships of users participated in the secure group communication. Then, by using the combination of basic addition and multiplication operation functions, each member mixes his/her private input with pairwise shared keys, and after that, uses his/her pairwise shared keys to encrypt the computed value, and next, sends this value to other members. After collecting all values from other members, each member can compute the secret group output, that is, a secret function value is jointly computed by using each member's private inputs. There is no interaction with other members to compute the group output. Thus, our proposed protocol is very efficient in both membership authentication and group output establishment since there is only broadcast transmission. Furthermore, the computation of each member needs only polynomial evaluation, addition computation, multiplication computation and hash function which are much faster than most public-key computations. We will give detail discussion for its performance evaluation in Section 5.

Security Model
Now we introduce the security model include the type of adversaries, the required security features for secure group communication. These security requirements will be analyzed in Section 5.

Type of Adversaries
We consider two types of attacks: inside and outside attacks. The inside attackers are legitimate members who have obtained valid tokens from MRC initially. From inside attack, colluded mem-bers try to recover MRC's secret polynomial used to generate tokens for members and then use these uncovered tokens to obtain group outputs which they are not authorized to access. On the other hand, the outside attackers are illegitimate members who try to generate valid tokens of members and use them to impersonate members in a secure group communication or to recover secret group outputs which they are not authorized to access. In the Section 5, we will give the detailed security analysis about these two types of attackers.

Security features
For secure group output establishment, our protocol needs to have the following security features.

Correctness
The protocol can successfully authenticate memberships of all participated users and then establish a secret group output among all members.

Freshness of authentication response
The authentication responses generated by members in the membership authentication can only be used for one time. This feature can prevent replay attack in which attackers replay recorded authentication response to fail the membership authentication.

Freshness of group outputs
The secret group output generated by members in the output establishment can only be used for one time communication. This feature can prevent attackers to reuse previously compromised group outputs to gain access to other secure communications.

Freshness of the group output authentication
The group output authentication messages generated by members in the group output establishment can only be used for one time. This feature can prevent replay attack in which attackers replay recorded group output authentication messages to fail the group output authentication.

Forward secrecy of group outputs
The forward secrecy is ensured if a departing member cannot access the content of communications of any future group output establishment.

Backward secrecy of group outputs
The backward secrecy is ensured if a new member cannot access the content of communications of any past group output establishment.

OUR PROPOSED PROTOCOL
In this paper, we propose an integrated membership authentication and group output establishment protocol using an asymmetric bivariate polynomial to realize basic addition and Token generationFor n users U 1 , U 2 , … , U n ,the MRC selects a random asymmetric polynomial, F (x, y) = a 0,0 + a 1,0 x + a 0,1 y + a 1,1 xy + a 2,0 x 2 + a 0,2 y 2 + a 1,2 xy 2 + a 2,1 x 2 y + a 2,2 x 2 y 2 + ⋯ ++a t −1,h−1 x t −1 y h−1 mod p, where F (x, y) is t − 1 degree in x and h − 1 degree (i.e. h > 2t − 2. We will prove this condition in Theorem 1) in y, a i, j ∈ GF (p), ∀i ∈ [0, t − 1], ∀ j ∈ [0, h − 1] and p is a prime integer with p > n. The MRC computes a pair of shares, s i (y) = F (x i , y) and s i (x) = F (x, x i ), for each user, U i , i = 1, 2, … , n, where x i ∉ {0, 1} is the public information associated with each user, U i . The MRC sends each pair of shares as U ′ i s token, (s i (y), s i (x)), to user U i through the secure channel.Membership authenticationWe assume that m (i.e. 2 ≤ m < n) users, for example {U v 1 , U v 2 , … , U v m }, want to engage in group output establishment for a group-oriented application.
Step 1. Each member U v i broadcasts a random integer, r i ∈ GF (p). to all other members, where i = 1, 2, … , m.
Step 2. Assume that the value F (x v i , x v j ), with x v i < x v j , is used as the pairwise shared key between the shareholders U v i and U v j . Each member U v i uses one of shares of his token, s v i (y) or s v i (x), to compute pairwise shared keys, between any other users, where k i, j is the secret key shared between users, U v i and U v j .
Step 3. Each member U v i computes authentication responses, Auth i, j = h(k i, j ‖r j ), j = 1, 2, … , m, j ≠ i, where h(k i, j ‖r j ) is a one-way hash output with k i, j and r j as inputs. Each Auth i, j is sent to member U v j publicly for authentication.
Step 4. After receiving Auth i, j = h(k i, j ‖r j ),from member U v i , the member U v j uses his computed pairwise shared key, Step 2 to compute h(k i, j ‖r j ) and check whether Auth i, j = h(k i, j ‖r j ), If the checking is successful, member U v i has been authenticated; otherwise, member U v i has not been authenticated. Repeat this process for all other members U v i , i = 1, 2, … , m, i ≠ j .

Group Output Establishment and Authentication
Let us assume that at the end of membership authentication, all m members, {U v 1 , U v 2 , … , U v m } have been successfully authenticated. Then, members follow a multiple additions and multiplications operation algorithm to complete the group output establishment process. However, all exchange information among members is encrypted under the pairwise shared keys, k i, j , j = 1, 2, … , m, j ≠ i, in the Step 2 of membership authentication, and then these encrypted information are released non-interactively through broadcast channel.
Step 1. Each member U v i need to select a secret input s i ∈ GF (p) and broadcasts a random integer, l i ∈ GF (p). to all other members, where i = 1, 2, … , m.
Step 2. In arithmetic computations, for an addition operation, each member U v i uses his pairwise shared keys with other members to compute In arithmetic computations, for an multiplication operation, each member U v i uses his pairwise shared keys with other members to compute (For arithmetic computations include multiple addition and multiplication operations, each member just needs to repeat and combine the above primitive computations.) Step 3. Each member U v i uses his computed pairwise shared keys, k i, j , j = 1, 2, … , m, j ≠ i, in the Step 2 of membership authentication to encrypt q v i as Step 4. After receiving u j,i , from other member, member U v i uses his computed pairwise shared key, k i, j , in the Step 2 of membership authentication to decrypt as q v j . = E k i, j (u j .i ). Repeat this process for all u j,i , j = 1, 2, … , m, j ≠ i.
Step 5. After obtaining q v j . , j = 1, 2, … , m, j ≠ i, from all other members, for an addition operation, member U v i computes inputs. If the checking is successful, the group output has been authenticated, K i = K is the secret group output; otherwise, the group output has not been authenticated. Repeat this process for all group members U v i , i = 1, 2, … , m. multiplication group computation functions. The protocol is illustrated in Table 1.

ANALYSIS
In this section, we address the security and performance of our proposed protocol.

Security analysis
In this sub-section, we discuss security features and possible attacks of our protocol as described in Section 3.2.

Correctness
Membership authentication-If all participated users are members as they claimed in Step 1 of Membership authentication, each member, U i , in Step 2 should be able to compute the pairwise shared key k i, j . Thus, in Step 4 the authentication response, Auth i, j = h(k i, j ‖r j ), can be used to verify U ′ v i s membership by U v j . Non-members cannot forge this authentication response since non-members do not know the secret tokens of member, Group output establishment-The correctness of this property comes from the rule of addition and multiplication operations. For an addition group computation, For an multiplication group computation,

Freshness of authentication response
In Step 3 of Membership authentication, the authentication response, Auth i, j = h(k i, j ‖r j ), is a hash output of pairwise shared key and random integer selected by participated member initially. By recording a previously used authentication response cannot impersonate a member since this random integer is different in every session.

Freshness of group outputs
In the group output establishment, the group output,

Freshness of the group output authentication
In Step 6 of Group Output Establishment, the authentication H (K i ||L) is a one-way hash output with inputs group output determined by each member's secret input s i and sum of random integers selected by participated member initially. By recording a previously used authentication cannot impersonate a member since this random integer is different in every session.

Forward secrecy of group outputs
If a member has departed from the group, the departed member cannot access the content of future communications since the any group output, K, can only be computed by members involved in the secure communication.

Backward secrecy of group outputs
If a member joins the group, the new member cannot access the content of any past communications since the any group output, K, can only be computed by members involved in the secure communication. Since is an asymmetric polynomial of degree t − 1 in and h − 1 degree in y, which contains th different coefficients. In the proposed scheme, each token {s i (y), s i (x)} contains two univariate polynomials with degree h − 1 in y and t − 1 degree in x, respectively. In other words, each user can use his token to establish t + h linearly independent equations in terms of the coefficients of the asymmetric bivariate polynomial F (x, y). When there are t − 1 colluded users with their tokens together, they can establish in total (t + h)(t − 1) equations. At the same time, for t − 1 colluded users there are 2C t −1 2 pairwise keys. Hence, having t − 1 colluded users' shares, the total number of linearly independent equations are (t + h)(t − 1) − 2C t −1 2 . If the number of coefficients of the bivariate polynomial F (x, y) is larger than the number of linearly independent equations available to the colluded users (i.e. th

Possible attacks
2 ), they cannot recover the bivariate polynomial. Hence, they cannot learn any information of the secret. From th Hence, If h > 2t − 2, it assures that t − 1 colluded inside adversaries cannot recover the secret polynomial F (x, y) selected by MRC initially. Thus, it needs at least [t] inside attackers to work together to reconstruct the tokens. the proposed protocol can resist up to [t-1] colluded members to recover the secret polynomial F (x, y) of MRC. According the security level requirement, the proper values of t and h can be selected. For example, when n=[t-1], all members collusions cannot recover the secret polynomial F (x, y) of MRC. This security is information-theoretic secure.

Theorem 2.
Outside Attack-In the proposed protocol, the outside attacker cannot obtain any secret information.
Proof. Outside attackers are illegitimate users who do not own any valid tokens from MRC. The outside attackers may try to impersonate members in the group output establishment to obtain the group output. However, since in the group output establishment, all exchange information of legitimate members are encrypted using pairwise shared keys and outside attackers do not own any valid token to recover any pairwise shared key, so the outside attacker cannot obtain any secret information.

Performance evaluation
Most of latest schemes can either provides user authentication or group key establishment separately [37][38][39][40]. They need additional membership authentication and shared keys distribution, also need more rounds interactive communications and complex computations for encryption and decryption. Further they just consider the situation that how to establish a group key, which is only one case of group output in SGA. For the first time we propose a lightweight non-interactive integrated membership authentication and multiparty output establishment for arithmetic computations in SGA. First, we discuss the performance features of our protocol as below.
(i) Functional Features: Compare with most of the existing scheme, our protocol can provide both membership authentication and multiparty output establishment simultaneously for arithmetic computations in secure grouporiented applications. By using a bivariate polynomial, membership authentication and pairwise shared keys distribution are realized at the same time. Then, just by using the basic addition and multiplication operations, each member mixes his/her input with pairwise shared keys with other members and releases the encrypted value in a broadcast channel. After collecting all released values, each member can compute the group output efficiently. Recall that any general function is composed of multiple additions and multiplications, our result serves as a solution for general multiparty output computation. Our proposal is noninteractive and efficient. (ii) Non-interactive Property: According to the definition in most communications, "Interactive communications" means acting one upon or with the other. In our group output computing process, each member computes his/her own values and releases the values to others without "waiting" for other members' inputs. In other words, each member doesn't need waiting time in computing and releasing values to other members. We call this property "non-interactive", which can speed up the communication process significantly and can be easily extended to SGA with any number of inputs. At the same time, there is only broadcast transmission. Thus, our proposed protocol is very fast. (iii) Cryptographic Method: It is well known that symmetric key encryption a way that each pair of users shares a symmetric key, but this way only provides confidentiality. Further, key distribution and management is a bottleneck in symmetric key cryptography, which produce huge communication and storage cost. Hence, public key encryption appeared, which can provide confidentiality, authenticity and non-repudiation. However, this way needs high computation cost due to very large modulus and modular exponentiation operations. For instance, RSA modulus is at least 1024 bits. Observe that the latest group key establishment protocols [37][38][39][40] are all based on Bilinear map and complex computational assumptions, which need modular exponentiation, pairing and scalar multiplication operations. Compare with public key operations producing high computation cost. bivariate polynomialbased approach can provide not only authentication and information-theoretic security, but also with lower computation cost, where polynomial-based modulus is far less than public-key-based modulus. At the same time, compare with symmetric key distribution method producing huge communication cost. Such as DES, our bivariate polynomial-based approach saves a lot of communication cost. It is really efficient while providing authentication.
Furthermore, one unique feature of our scheme is that the addition and multiplication operations are the main computation and this result serves as a solution for general multiparty arithmetic computation output. It is simple and lightweight.
In summary, our proposal for multiparty arithmetic computation output is non-interactive and lightweight. This protocol has the advantages in storage, computation and communication cost. Specific analysis is as follows.

Storage Requirements
The storage overhead for each group member is calculated as the bit length of params and secret materials outputted by executing the whole protocol. To fit with the memory capability of the group members, the storage overhead should be as low as possible. In our protocol. each member needs to store a token, (s i (y), s i (x)), which consists of two univariate polynomials, one is t − 1 degree in x and one is h − 1 degree in y. Thus, each shareholder needs to store t + h coefficients of a univariate polynomial. The storage requirement for each user is (t + h)log 2 p bits, where p is the modulus. This polynomial-based modulus is far less than public-key-based modulus.

Computation Requirements
The computation overhead for each group member is calculated as the time cost of executing our integrated algorithm. It is desirable to minimize the computation overhead for reducing the total running time. For our protocol, in Step 2 of membership authentication, when evaluating the polynomials, Horner's rule [35] can be used to reduce the computational cost. Each shareholder needs to compute m − 1 pairwise shared keys, Steps of group output establishment, there are all basic addition and multiplication operations, symmetric encryption and decryption operations which are very efficient in comparing with all existing public key cryptography protocols. Meanwhile, our efficient symmetric encryption and decryption operations have the function of membership authentication. Finally, there is only computing hash function to authenticate the group output by each member. The computation load of our proposed protocol is much simpler than most public-key based schemes and the polynomial-based modulus is far less than public-keybased modulus. For example, the RSA [36] public-key operation requires approximately 1.5log 2 N modulo multiplications (i.e. in RSA, N is at least 1024 bits).

Communication Requirements
The communication of membership authentication is performed completely in the broadcast channel. Total communication time is to transmit m random integers, {r i , i = 1, 2, … , m}, and m(m − 1) authentication responses for all participated group members. To establish the group output, total communication time is to transmit m random integers, {l i , i = 1, 2, … , m}, m(m − 1) encrypted messages and m hash outputs to authenticate the group output for all participated group members. The transmission overhead of each group member is calculated as the bit length of the transmitted data in executing our integrated algorithm. In our protocol, this cost is significantly reduced since all transmitted data are computed on polynomial-based modulus. At the same time, since our protocol is non-interactive, all released values can be broadcasted simultaneously, it is very efficient for group-oriented applications. Furthermore, in our protocol, by using a bivariate polynomial, membership authentication and pairwise shared keys distribution are realized concurrently. Compare to symmetric key distribution method, such as DES, this way saves a lot of key distribution communication overhead.

CONCLUSION
We have proposed a novel design of non-interactive integrated membership authentication and multiparty arithmetic computations output protocol for SGA in 5G sensor networks. Our protocol provides both membership authentication and multiparty output establishment simultaneously. However, all existing schemes can provide either membership authentication or multiparty output establishment separately. We have included the security analysis and performance evaluation in the paper. Our protocol is lightweight in terms of computation and communication. Recall that any general function is composed of multiple additions and multiplications, our result serves as a general multiparty output establishment for arithmetic computations in SGA for 5G WSNs. Our proposal is non-interactive and can be easily extended to SGA with any number of inputs, which is absolutely attractive for secure group-oriented applications in 5G sensor networks.