# Securing Network-Assisted Direct Communication: The Case of Unreliable Cellular Connectivity

Network-assisted device-to-device (D2D) communication is a next-generation wireless technology enabling direct connectivity between proximate user devices under the control of cellular infrastructure. It couples together the centralized and the distributed network architectures, and as such requires respective enablers for secure, private, and trusted data exchange especially when cellular control link is not available at all times. In this work, we conduct the state-ofthe-art overview and propose a novel algorithm to maintain security functions of proximate devices in case of unreliable cellular connectivity, whether a new device joins the secure group of users or an existing device leaves it. Our proposed solution and its rigorous mathematical implementation detailed in this work open door to a novel generation of secure proximity-based services and applications in future wireless communication systems.

Paper by:
Aleksandr Ometov, Konstantin Zhidanov, Sergey Bezzateev, Roman Florea, Sergey Andreev, and Yevgeni Koucheryavy
To view the full version with all the equations, please follow: this link.

###### Introduction

Recently, researchers have completed network-assisted WiFi-Direct device-to-device (D2D) offloading technology [1], which tames unlicensed WiFi bands to relieve cellular network congestion by making use of the availability of two radio interfaces (e.g., 3GPP LTE and WiFi) in today’s mobile devices. The feasibility of a proof-of-concept implementation of such technology on live cellular core has also been demonstrated in a practical trial lately [2]. The concept of LTE-assisted WiFi-Direct brings together two previously independent network architectures – the centralized networks (e.g., cellular) and the distributed systems (e.g., WiFi-Direct) – by allowing some form of centralized assistance (control) over otherwise distributed communicating proximate pairs.

As LTE-WiFi offloading technology has already taken shape, our main target in this research is to study the resulting hybrid centralized-distributed architectures. The underlying goal is to allow secure data delivery for already communicating D2D users even in the cases of unreliable cellular connection [3], which may become temporarily unavailable due to a variety of different factors, such as user mobility, obstacles, etc. When connected to the centralized infrastructure, a group of D2D users can straightforwardly establish their own information security (IS) rules with conventional methods. However, whenever LTE connection becomes unavailable (unreliable), our solution empowers a certain number of user devices in this group to admit a new (previously unassociated) device or to exclude one of the existing members from the group.

Today, such group admission/exclusion can only be managed by the cellular network employing the Public Key Infrastructure (PKI) and our proposed algorithm extends this functionality for the cases of partially unavailable cellular connection (tunnels, airplanes, lifts, etc.). In a nutshell, the contributions of this work are twofold: (i) we conduct a thorough state-of-the-art overview of potential security, privacy, and trust solutions that are suitable for proximity-based communication; (ii) building on this background, we propose our novel information security protocol for network-assisted D2D connectivity, which remains operational even when cellular network connection becomes temporarily unavailable.

This paper is organized as follows. In the following section, the current state-of-the-art behind secure proximity-based communication is outlined. A detailed overview of the contemporary information security protocol operation is also given it this section. Further, in Section III a novel algorithm is proposed allowing secure direct connectivity in case of unreliable cellular connection. In Section IV, the respective protocol implementation and operation are discussed. Several examples of available applications for the proposed protocol follow in Section V. The main outcomes of this work are summarized in Conclusion.

###### State-of-the-art on security for proximity-based communication

In today’s cellular networks, the central control infrastructure that orchestrates the associated wireless devices is deemed always available. Consequently, given its reliable and ubiquitous presence, cellular network is typically assumed to serve as a trusted authority for security purposes. In proximity-based D2D communication with continuous cellular connectivity, the 3GPP LTE base station is responsible for managing security functions within the network, and most of the corresponding operations can thus be handled over the PKI [4].

On the other hand, for wireless architectures not relying on pre-existing network infrastructure [5], [6], communication and security functions are distributed across users. If simultaneous use of more than one radio interface is allowed, a variety of new attacks [7], [8] become possible, which advocates the use of PKI whenever available.

The key requirements for hybrid systems without permanent centralized management can be identified as follows [9]: a reliable connection establishment control algorithm; an adaptive mechanism for rapid response to network topology changes or node failures; a multi-hop communication possibility; and an algorithm enabling continuous secure connectivity even when the cellular base station is not accessible. This important topic is elaborated upon in what follows.

Before proceeding with the associated background, we discuss the main underlying terms and definitions. First, a security protocol is assumed to be composed of distinct blocks, which in essence constitute various cryptographic primitives invented by the protocol developer or reused from the past research. Each of these primitives solves a certain specific security issue. Some fundamental primitives and their associated descriptions are the following:

• Confidentiality (Encryption) – only authorized users have access to data transmitted over a wireless network.
• Integrity (Hash functions) – only authorized users can alter the transmitted data.
• Accessibility (Keys, Passphrases) – only authorized users can access data in a timely
fashion within operational constraints.

As a result, relevant primitives are combined in order to construct a required protocol that would solve a certain target task. In particular, important research questions to address when developing a protocol are: What to combine? How to connect? In which order?

In this work, we concentrate on the key security challenges from the point of view of establishing secure connectivity between unfamiliar proximal devices. Even though our problem formulation is novel and shaped by the emerging network-assisted D2D technology, the topic itself has much prior background captured e.g., in [10], [11], and [12]. For instance, the wellknown Diffie-Hellman key exchange algorithm [13] maintains the zero-knowledge property on each side of communication, but requires a secure channel in-between the communicating parties for its successful operation. Taking into account the more recent developments, PKI is employed as a trusted authority (i.e., a certificate provider) to distribute public keys and thus allow for communication of end-devices [4]. A simplified PKI scheme is shown in Fig. 1.

￼￼￼￼￼￼￼￼Figure 1: Secure data transmission with and without the PKI

Alternatively, if the network in question does not feature a centralized control unit, a PairWise Key (PWK) could be utilized [14]. Importantly, while using this method the communicating devices would not be able to obtain any information about their pair devices except for their identity. Hence, one would need to use ID-based cryptography [15], [16] and verify the device’s signature – a public key based on a specific ID. However, a personal secret key is then required for decryption. The respective service may be provided with the use of a Private Key ID2 IDn Generator (PKG), which could be employed only in the case of its availability in the system.

Figure 2: Keys (pair-wise) redistribution and new user arrival case

Additionally, if a PKG becomes temporarily unreachable, a set of users connected to the PKG prior to when the connection became unavailable could group together and form a (or use an existing) Master Key (MK) [17], [18]. Accordingly, a new device could receive access to the network as it is shown in Fig. 2. A new PWK could be generated as a function of the MK and a set of IDs (Fi,j = F(MK,IDi,IDj)), and it can be calculated with the following approach:

$F_{i,1}=F{(MK,ID_i, ID_1)}$
$F_{i,2}=F{(MK,ID_i, ID_2)}$
$...$
$F_{i,n}=F{(MK,ID_i, ID_n)}$
$F_{i,i}=F{(MK,ID_i, ID_i)}$

Interestingly, in sensor networks the devices conventionally remove the MK after the key pair generation has been completed [19]. Such course of operation is taken mainly due to the static system topology. Along these lines, in our D2D architecture we reuse this approach in order to allow for the new devices to join the network continuously, even if the cellular network connection becomes unreachable. Additionally, the MK would be regenerated anew in case when the base station connection is re-established.

Noteworthy, the devices may also store a PWK with themselves Fi,i. This is done mainly
for the case when a new user enters their proximity, that is, when the target device is connected
to the cellular network and it requests a MK directly froMmK the network coordinator to obtain
a new key and connect to the neighboring device $K_{1,j}=K_{1,1}=F(MK,ID_1,ID_1)$.

Another important issue in proximity-based networks is the question of trust. We consider a solution based on Pretty Good Privacy (PGP) trust scheme developed by Phil Zimmermann [20] Accordingly, the trust level can be input as a numeral from zero to one and would then be obtained as a sum of the trust multiplications for the already known users $t=w_{01}w_{11}+w_{02}w_{12}$, as it is demonstrated in Fig. 3. Hence, if the trust level is equal or greater than 1, one can assume that the user is trusted; otherwise, the connection to this user would be discarded. In
addition, one may build a tree of trust for the target network.

Figure 3: Trust policy based on PGP scheme

The second part of our discussion concerns classical issues related to ad-hoc networks [21], that is, proximity-based device arrival/departure when no connection to the centralized infrastructure is available. Importantly, this scenario brings along additional challenges, such as key distribution for device association. The latter can be solved by a \textit{Broadcast Encryption Protocol}~\cite{du2005id}, which implies that there exists a number of user key sets $K = {K_1,K_2,...,K_n}$. In turn, for the key construction one may use Cover Free Families} (CFF) -- a specialized system of sets having the alphabet of elements $X$ and a set of subsets (blocks) F(X). An example of CFF is shown in Fig. 4. Correspondingly, a system can be defined as a CFF, if for any block $B_0\in B$ and any other r blocks $A_1;...; A_n \in B$, one can calculate:
$B_0 != \bigcup \limits _{j=1}^r A_j,$

where |X| = T is the alphabet size, |B | = N is the number of blocks, r is the number of blocks,
which do not cover any other block, and n is the block length.
As different users should have a possibility to obtain their key, there may appear a situation when a small set of users can produce the key with less inter-operation. Hence, the respective attack may be conducted by a certain group of devices. On the other hand, by using this approach one can guarantee that if the number of devices is less or equal than the minimum number of needed devices for the key reconstruction I, this group would not cover a key of any other device.

￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼Figure 4: Cover-free family r = 2, n = 6, and T = 30

In summary, for our problem at hand one may employ sharing schemes based on well-known
solutions, such as:
• Chinese remainder theorem [23],
• Lagrange polynomial interpolation [24],
• Error-correcting codes (Reed-Solomon codes) [25].
Providing continuous secure connectivity with the above solution should become a significant improvement in next-generation D2D systems. Here, the Lagrange polynomial mechanism may a vailable democratic solutions [26]:
• (1,N) scheme – any individual device share can recover the secret key (shown in Fig. 5a).

Providing continuous secure connectivity with the above solution should become a significant improvement in next-generation D2D systems. Here, the Lagrange polynomial mechanism may be preferred due to its relative computational simplicity, which is one of the crucial factors for today's mobile devices. A classical formulation assumes that every communicating device (representing its user) is fairly equal and has the same weight of its vote (or share) in the overall trust tree. However, a situation may appear when one would like to vary weights and focus the discussed solution on the trust enforcement in more complex systems. Therefore, one would need to sign the data before transmitting it and employ the secret sharing schemes, which distribute the key shares between the devices. The following list is surveying the currently available democratic solutions [27]:

• (N,N) sc..h.eme – only all N shares from N devices can recover the secret key (shown in ...
Fig. 5b).
• (wKj,1N) scheme –where K of N shares can recover the secret key. If the number of shares is less than K, then the key may not be recovered (shown in Fig. 5c). This mechanism is chosen to be used in our implementation discussed below.
• weighted (K,N) scheme – participants with the weight sum of equal to or more than K can recover the secret key. The weighs may vary based on the level of trust (shown in Fig. 5d).

Figure 5: Examples of secret sharing schemes

￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼In addition to the above, it is important to take into account the well-known dictatorship
solutions [27]. The main difference between these and the previously discussed democratic
approaches is in that one or more ”significant” devices should participate in the key recovery
Security process, and in case none has participated the key should not be recovered. More specifically, we assume that the secret is a codeword a of the Web Host Manager (WHM) code [28], an encrypted secret is b = a+e, and the shares are the values and positions of possible fixed errors. Hence, the secret reconstruction process is essentially error correction at known positions of b. If the sum weight of uncorrected errors is less than the threshold value t, then the secret can be reconstructed by the decoding procedure. Focusing on the D2D system implementation, there might appear a situation when users are connected to the trusted authority via the infrastructure network. In this case, hierarchal and multi-level access control functionality may be added based on the Security Classes technology [29] (see Fig. 6), which takes into account the following IS requirements:

• Security – only the authorized users can obtain access to the information.
• Anonymity – the underlying hierarchy should be hidden.
• Adaptation – the network structure is changed frequently and should be dynamic.
• Simplicity – the devices are resource-constrained.
The main features of such a system should consider at least the following conditions:
• The system should be based on the PKI.
• A user can change the PKI-based key easily.
• The encrypted data should contain information about the Session Data Key for all the authorized users.

Further, the proximity-based D2D system may be improved by employing the McEliece scheme for error-correcting codes [30]. Here, the secret keys for the security classes are chosen by means of using the embedded codes. Thus, each device has its own private key and no additional information on this specific device is sent in the encrypted message.

￼￼￼￼￼￼￼￼￼Figure 6: Hierarchical and multi-level access control

Noteworthy, there is an opportunity to exchange messages on all levels of hierarchy, that is, in-between the classes.

Finally, in order to prevent from the unauthorized use of data, we propose the application of digital watermarking/steganography approaches and, in particular, the F5 steganographic method. Essentially, by changing only one bit of data in the message of length n, one can send another message containing new data (0, n − 1). Hence, by editing the less important parts of transmitted information one can obtain a considerable IS improvement. However, there remains a question of choosing appropriately the part of data to be modified as well as understanding how the respective modification would impact the decoding process. A prospective solution to the above is a weighted container model (e.g., the weighted Hamming metric). Moreover, in order to calculate the number of errors added and specify the weight of distortion, the penalty function may be used:
$F=\sum^l_{i=1}\eta_i\nu_i,$
where ηi is the average number of errors in zone Ii and νi is the weight of significance in zone.
In addition to the above, cloud techniques could be reviewed due to the fact that they some-times face similar challenges as do the network-assisted D2D systems under consideration: the data distributed across the remote users devices, as well as hidden calculations and anonymity. To complement this, authorization by behavior may also be employed for user accounts in social-based D2D networks by reusing the already authorized devices and taking advantage of analyzing the specific user behavior during its account access (usage, preferences, location, etc.).

In summary, the considered D2D system operation may look similar to that of ad-hoc networks, but it also has one key difference – in a D2D scenario all the communicating devices are (have been) associated with the cellular base station, at least for some time, which would be sufficient to distribute the initial amount of security-related information (master keys, certificates, etc.). Hence, classical decentralized security-centric solutions (for e.g., sensor networks) may be significantly augmented in the D2D case by utilizing the possibility to (periodically) access the trusted cellular infrastructure.

###### Proposed algorithm for D2D communication over unreliable cellular connectivity

Many contemporary mobile devices have several available short-range radio interfaces (WiFi, BLE, etc.) as well as employ cellular connection (e.g., 3GPP LTE) for most of their operation time. Hence, regular functioning of network-assisted D2D communication assumes that the cellular base station controls direct transmissions between devices (e.g., over WiFi-Direct) in all respects, including security, through the active cellular connection. However, if this cellular link is (temporarily) unavailable, secure communication may be disrupted and admission/exclusion of users to/from secure communication groups is not possible any longer. Taking advantage of ￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼￼the above background, below we propose a novel algorithm to extend the secure D2D operation for the cases of unreliable cellular connectivity.

Figure 7: Example scenario with unreliable cellular connectivity

In our target scenario (see Fig. 7), we consider all of the involved devices to be multi-radio terminals (at least with LTE and WiFi interfaces) that initially have been connected to the cellular network, which acts as their trusted authority for the purposes of the certificate distribution. Further, we assume that all of the devices under consideration participate in assisted offloading of their cellular data flows onto WiFi-Direct sessions [31], thus we only account for the signaling information to be transfered over the cellular link. This link is employed by the D2D users in proximity to communicate with the PKI functions and establish a coalition, that is, a logical group of securely-commutating devices.

In this work, we argue that whenever the reliable cellular link becomes unavailable for some of the devices in a coalition, additional measures are necessary to continue secure operation (communication, new user admission, user exclusion, etc.). Therefore, we propose the following classification to conveniently differentiate between the various types of users (see Fig. 7) from the point of view of this research:

• ”Light” device that has a reliable cellular connection active;
• ”Dark” device that currently does not have a reliable cellular connection, but used to
have such form of connectivity in the past;
• ”Blank” (unknown) device that wishes to join the secure coalition. Importantly, such device may not have had access to the cellular network (and its respective trusted authority) previously.

To this end, we can further specify the following functions of the target algorithm to enable secure D2D communication in case of unreliable cellular connectivity.

Join coalition In case when a device wishes to join a secure coalition, the latter may be done in two alternative ways, depending on the availability of the cellular connection. If it is available, all the respective functions would be managed by the trusted authority residing in the cellular operator’s network. The existing signaling mechanisms would then process the device’s request straightforwardly by allowing to obtain its own certificate signed by the coalition owner. Alternatively, in case of unreliable cellular link, the device would send its request to any of its proximate users in the target coalition, which would then utilize the developed cryptographic methods, such as new user secret generation, certificates redistribution, etc. The coalition acceptance decision for this requesting device is made collectively, i.e., when k out of M devices in a coalition grant access to the new user based on their shares. Noteworthy, after the cellular connection is re-established for the new user, its inclusion into the coalition would be transparent for the trusted authority, as its secret is kept unchanged.

Leave coalition At some point, a device may decide to leave its current coalition due to mobility (i.e., leaving proximity) or other factors. We thus consider the case of device exclusion and again different procedures could be applied. On the one hand, if the device in question has reliable connection to the cellular network, which knows about its geographic position change, an automated decision can be made and user certificates for this specific coalition would be revoked. On the other hand, if there is no reliable cellular connectivity for this device, the decision should be made employing our proposed weight-based mechanism.

Coalition initialization Another important challenge is the initial device grouping. Again, for a system with persistent cellular connection we can rely on the solutions from past literature. However, if not all of the devices involved into direct D2D communication have a reliable cellular link, we need to reconsider the trust and privacy policies along the lines of our proposal.
Coalition recovery As defined before, the coalition is a logical group of devices with their own set of certificates. Hence, we need dedicated measures to control the overall system stability in case when a coalition member misbehaves or comes into proximity of another already established coalition. Of particular interest are the situations when not all of the devices in the coalition have a reliable cellular connection available. In these situations, a modification of Diffie-Hellman key exchange procedure may be employed, followed by the challenge of introducing such a ”remote” coalition to the cellular trusted authority.

Having described the most essential functions of the proposed algorithm on the general level, we can now proceed with discussing its actual implementation.

###### Implementing the proposed D2D-centric information security solution

As suggested in the previous section, we assume that a remote server in the network core or in the Internet operates as a trusted authority (TA) for the application users, i.e., the server certificate PKTR,NTR is distributed along with the application though the repository as it is shown in Fig. 8. Importantly, all the cellular base stations of the operator are connected to this server and may concurrently distribute the coalition certificates signed by the TA, that is, PKc and SKc. Alternatively, those certificates may be distributed directly via a cellular link from the TA. As mentioned previously, all the communicating devices have a pre-generated set of parameters: IDi is a unique identifier assigned for the ith device using a particular application and P KT R is a trusted authority certificate in order to verify the validity of the coalition and other devices (users). Additionally, each of the D2D partners would obtain a PKc in relation to a specific coalition and then generate the PKi – its own public key, the secret key SKi, and a certificate share certi signed by the SKc. Here, we define certi as a primitive for the Shamir’s secret sharing scheme, i.e., the RSA-based algorithm for the sake of simplicity. These parameters are, in turn, required for the appropriate protocol operation in our target D2D scenario.

￼￼￼￼￼￼￼￼￼￼Figure 8: Network topology from the coalition’s point of view

Initially, we require that all of the devices have a reliable cellular connection to the TA and thus we outline the case for a new blank device to join a coalition of light devices. Importantly, the actual cellular connection status of the joining device is not important for the proposed protocol operation. However, as we assume the existence of two protocol stacks for different connectivity states (ad hoc for WiFi and infrastructure for LTE), there is a need to consider these in details. For the infrastructure case, certificate distribution is a well-known PKI task, i.e., a new device is requesting the base station directly to join the target coalition. The base station then has to redistribute the new certificates for all the communicating devices belonging to this coalition.

On the other hand, the cellular connection may be unavailable for (some of) the devices in the coalition when a new device requests to join it – this is the case when a blank device is joining the dark group. Accordingly, the joining device is initialized by generating the PKi and SKi. Based on the fact that none of the devices have their connection to the TA at the moment, we rely on the coalition itself when admitting the additional device. This, in turn, requires a preset parameter included into the PKc certificate, which is a threshold value of k characterizing the number of devices in the target coalition that have a right to allow the new device to join it. This threshold value is chosen at the stage of coalition initialization and may vary based on the number of devices n and/or other factors; thereby a new certificate would be obtained for the joining user that is indistinguishable for the base station.
From the mathematical point of view, this procedure may be implemented at the base station side as follows:

$f(x)= a_{k-1}x^{k-1}+a_{k-2}x^{k-2}+...+a_1x+SK_c,$

$f(0)= SK_c,$

where $a_i$ is the generated polynomial indexes, k is the preset threshold value, x is the unique device identifier IDi, and SKc is the coalition secret generated for the secure group. Again, for the infrastructure case, the procedure in question is fairly straightforward, but in the distributed scenario the grouped devices should construct a secret for the new user without the cellular connectivity and not disclosing this secret to anyone. For both of the above cases, the certificate component for the jth device is calculated as:

$cert_j = \overline{PK_j}^{f(0)}mod \: N_c,$

￼where PKj is generated by the device with additional salt sj: (PKj +sj), f(0) is the coalition secret obtained with (4), which can be either recovered or used at the base station itself, and Nc is generated at the coalition initialization stage as well.

In the case when the coalition is losing the cellular connection (that is, turns dark) and a new jth device is willing to join it, we should consider a more complicated distributed protocol operation. If at least k devices have agreed to let the new device in, then a Lagrange polynomial sequence [32] is employed by allowing one to obtain the value of the function at any point f(IDj). Using the equation (4) in the Shamir’s secret sharing scheme, we can calculate f(IDi) as:

$f(ID_j) = \sum_{i=0}^k f(ID_i) l_i(ID_j),$

i=0. Where devices obtain their shares utilizing the standard Shamir’s mechanism and φ is the Euler’s
formula, given that we make our computations in the modular arithmetic.
Importantly, parts of the equation (6) are calculated individually at the device side and it is not allowed to distribute/share these between the devices due to the fact that their own secrets are involved into the generation process, whereas the IDs are publicly available. The required
protocol steps are as follows:

1. The joining jth device is sending its request along with its IDj to the first one of the devices that has agreed to admit the former into the coalition.
2. The device with ID1 is calculating its part based on (6) and adds its salt to the result f(IDi) = f(IDi)li(IDj) + si, where si is stored in memory.
3. The first device is then sending its result to the next device.
4. Steps 2 and 3 are repeated for all of the k devices.
5. The kth device is sending the final sum back to the joining jth device, which then adds its salt sj to the equation and sends it to the first device.
6. All of the k devices are excluding their salts one by one similarly to the salt adding procedure.
7. The jth device is excluding its salt an by doing so obtains its needed secret f(IDj).
The following protocol step is to generate the certificate for the newly joining device. For the infrastructure case, it can be obtained by using the equation (5). In the distributed scenario, k devices can recover f(0) by grouping together as:

$cert_j = PK_j^{SK_{c}}mod \: N_c =$
$= PK_j^{f(0)} mod \: N_c =$
$= \prod_{i=0}^k PK_i^{f(ID_i)} mod \: N_c,$
which should be calculated similarly to (4).

Further, we need to consider the situation when the device is leaving its coalition based on
e.g., weak proximity. The respective decision may be made by the group or by the device itself. For the infrastructure case this action is nearly trivial, whereas for the distributed scenario the respective operation has been shown previously. Importantly, the main challenge here is still rooted into the key re-generation process for the updated dark group when excluding the jth device. Note that SKc and PKc should be kept unchanged while new keys are re-generated and re-distributed for the updated coalition. Here, it is essential to follow the rule: the devices reaching cellular coverage again should be verified for their coalition membership. In addition, as it has been mentioned before, SKc must not be recovered by any of the communicating devices. Therefore, we have to re-evaluate f(IDi) while keeping the original SKc, which can be calculated as:

$f(ID_i)= b_{k-1}x^{k-1}+b_1 x + SK_{c},$

where indexes bk−1 = ak−1 + ∆k−1 and ∆i may be generated by one of the trusted devices in the coalition. Accordingly, we can derive new keys for each user in the new group and then re-generate the certificates for all except the rogue device:
${f(ID_i)} = a_{k-1}x^{k-1} +\Delta_{k-1}x^{k-1} + ... + a_1 x + \\ + \Delta_{1}x + SK_{c} =$
$f(0)+\Delta_{k-1}x^{k-1} + ... + \Delta_{1} x.$

Finally, it should be noted that if a new device (or a group of the devices) acquires its new key, then it is not required to specify the source – it can be obtained directly from other coalition and does not depend on the connectivity state. However, this solution potentially opens door to an important security challenge: if there are k malicious users, they can form their own group and exclude other devices one by one. We, however, consider this situation unlikely and leave its consideration to our future publications. In summary, we arrive at a point of the complete mathematical model for the proposed D2D-centric IS protocol, and hence we can now proceed with outlining the potential scenarios for secure proximity-based communication enabled by it.

###### Prospective applications of secure and trusted D2D connectivity

One of the most promising classes of network-assisted D2D applications is based on the situations, where a large number of people are brought together casually and may benefit from their proximity for business or pleasure, but at the same time require certain levels of security, privacy, and trust for their communication.

An example of such a scenario may involve a person (group of people) commuting on a public/intercity transport line and willing to interact with other passengers by sharing some content, playing games, or by getting involved into any other social activities, such as chat. A user may thus sign-in for its customizable commuter entertainment services well in advance and has a choice to also subscribe to a group package with friends and/or family members.

At a later time, whenever the client is in geographical proximity to the carrier, the system activates automatically to offer a personalized selection of user services throughout the journey. Importantly, together with securing the desired multimedia content, the mechanisms described in this work offer rich opportunities to engage into proximal applications with other commuters, which may involve private and trusted unfamiliar connectivity. However, the unreliable connectivity situations may appear frequently during the trip, but the proposed solution is robust to sudden connectivity faults.
Therefore, the proposed solution is meant to enable secure D2D communication in conditions of unfamiliar connectivity, limited access to the centralized authority, as well as can provide an entire palette of proximity-based policies on top of the sharing of data. For instance, on contemporary long-distance buses and planes, it has already become commodity to see small personal screens with a selection of videos, music, multiplayer games, news, and other contextual information. However, deployment of such systems incurs high market entry barriers, adds significant operational expenses, and is strongly tied to a centralized authority dispatching content and enforcing policies. Our solution allows people to use their own familiar handheld devices, whereas guaranteeing the desired levels of communication security.

###### Conclusion and ongoing work

In this work, we formulated security challenges in proximity-based direct communication systems. We also proposed a novel security algorithm, which allows a group of devices that have initialized their D2D connection to be controlled and managed by the cellular network. The respective functionality includes adding new users to the secure coalition as well as excluding existing users from it, even in cases when the reliable cellular network connection is presently not available.

Currently, building on our proposed mathematical model, we are constructing a demo application incorporating the respective cryptographic primitives for its further inclusion into our D2D testbed on live 3GPP LTE deployment [2]. This demo takes advantage of the implementation in today’s Android phones in order to prove our concept not only mathematically, but also with prototyping.

###### Bibliography

[1] S. Andreev, A. Pyattaev, K. Johnsson, O. Galinina, and Y. Koucheryavy, “Cellular Traffic Offloading onto network-assisted device-to-device connections,” Communications Magazine, IEEE, vol. 52, no. 4, pp. 20–31, 2014.
[2] S. Andreev, Y. Koucheryavy, J. Hosek, and K. Johnsson, “LTE-Assisted WiFi Direct Trial,” Global Communications Newsletter, vol. 4, p. 3, April 2015.
[3] G. Fodor, S. Parkvall, S. Sorrentino, P. Wallentin, Q. Lu, and N. Brahmi, “Device-to-Device Communications for National Security and Public Safety,” IEEE Access, pp. 1510–1520, 2014.
[4] C. Adams and S. Lloyd, Understanding PKI: Concepts, Standards, and Deployment Considerations. Addison-Wesley Professional, 2003.
[5] Z. J. Haas, J. Deng, B. Liang, P. Papadimitratos, and S. Sajama, “Wireless ad hoc networks,” Encyclopedia of Telecommunications, 2002.
[6] M. N. Johnstone and R. Thompson, “Security aspects of military sensor-based defence systems,” in Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on, pp. 302–309, IEEE, 2013.
[7] A. Khalili, J. Katz, and W. A. Arbaugh, “Toward secure key distribution in truly ad-hoc networks,” in Proc. of Symposium on Applications and the Internet Workshops., pp. 342– 346, IEEE, 2003.
[8] X. Yi, J. Willemson, and F. Nait-Abdesselam, “Privacy-preserving wireless medical sensor network,” in Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on, pp. 118–125, IEEE, 2013.
[9] D. B. Johnson and D. A. Maltz, “Dynamic source routing in ad hoc wireless networks,” in Mobile computing, pp. 153–181, Springer, 1996.
[10] A. Perrig, J. Stankovic, and D. Wagner, “Security in wireless sensor networks,” Communications of the ACM, vol. 47, no. 6, pp. 53–57, 2004.
[11] P. MCDANIEL and S. MCLAUGHLIN, “Security and privacy challenges in the smart grid,” IEEE Security & Privacy, vol. 7, no. 3, pp. 75–77, 2009.
[12] J.-P. Hubaux, S. Capkun, and J. Luo, “The security and privacy of smart vehicles,” IEEE Security & Privacy Magazine, vol. 2, no. LCA-ARTICLE-2004-007, pp. 49–55, 2004.
[13] W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
[14] D. Liu, P. Ning, and R. Li, “Establishing Pairwise Keys in Distributed Sensor Networks,” ACM Transactions on Information and System Security (TISSEC), vol. 8, no. 1, pp. 41–77, 2005.
[15] A. Shamir, “How to Share a Secret,” Communications of the ACM, vol. 22, no. 11, pp. 612– 613, 1979.
[16] A. Shamir, Identity-Based Cryptosystems and Signature Schemes. Springer, 1985.
[17] A. Perrig, R. Szewczyk, J. Tygar, V. Wen, and D. E. Culler, “SPINS: Security protocols
for sensor networks,” Wireless networks, vol. 8, no. 5, pp. 521–534, 2002.
[18] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, “A pairwise key predistribution scheme for wireless sensor networks,” ACM Transactions on Information and System Security (TISSEC), vol. 8, no. 2, pp. 228–258, 2005.
[19] S. Zhu, S. Setia, and S. Jajodia, “LEAP+: Efficient security mechanisms for large-scale distributed sensor networks,” ACM Transactions on Sensor Networks (TOSN), vol. 2, no. 4, pp. 500–528, 2006.
[20] P. Zimmermann, “Why I Wrote PGP,” //Part of the Original., June 1991.
[21] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” Network, IEEE, vol. 13, no. 6,
pp. 24–30, 1999.
[22] X. Du, Y. Wang, J. Ge, and Y. Wang, “An ID-based broadcast encryption scheme for key
distribution,” IEEE Transactions on Broadcasting, vol. 51, no. 2, pp. 264–266, 2005.
[23] G.-h. Chiou and W.-T. Chen, “Secure broadcasting using the secure lock,” Software Engineering, IEEE Transactions on, vol. 15, no. 8, pp. 929–934, 1989.
[24] T. Jakobsen and L. R. Knudsen, “The interpolation attack on block ciphers,” in Fast
Software Encryption, pp. 28–40, Springer, 1997.
[25] R. J. McEliece and D. V. Sarwate, “On Sharing Secrets and Reed-Solomon Codes,” Communications of the ACM, vol. 24, no. 9, pp. 583–584, 1981.
[26] C. W. Man and R. Safavi-Naini, “Democratic key escrow scheme,” in Information Security
and Privacy, pp. 249–260, Springer, 1997.
[27] J. Yuan and C. Ding, “Secret sharing schemes from three classes of linear codes,” Information Theory, IEEE Transactions on, vol. 52, no. 1, pp. 206–212, 2006.
[28] J. L. Massey, “Minimal codewords and secret sharing,” in Proceedings of the 6th Joint Swedish-Russian International Workshop on Information Theory, pp. 276–279, Citeseer, 1993.
[29] D. E. Denning, “A Lattice Model of Secure Information Flow,” Communications of the ACM, vol. 19, no. 5, pp. 236–243, 1976.
[30] R. McEliece, “A Public-Key Cryptosystem Based on Algebraic Coding Theory,” DSN Progress Report, pp. 42–44, January February 1978.
[31] “Cisco Visual Networking Index: Global Mobile Data Traffic Forecast.”
http://www.cisco.com/c/en/us/solutions/collateral/service-provider/ visual-networking-index-vni/white_paper_c11-520862.html, February 2014.
[32] M. Narasimha, G. Tsudik, and J. H. Yi, “On the utility of distributed cryptography in P2P and MANETs: the case of membership control,” in Proc. of 11th IEEE International Conference on Network Protocols., pp. 336–345, IEEE, 2003.