1. Revocation Mechanisms for Hybrid Group Communication with Asymmetric Links Abstract Wildcard identity-based encryption (IBE) provides an effective means of communicating among groups which do not have a well-defined membership or hierarchy pre-established, as may frequently be the case in dynamic coalition operations. The protection of group communication against compromised nodes is, however, expensive in that it typically requires frequent re- keying in the case of attribute-based IBE or voting-based revocation mechanisms, which can be problematic in multi-hop ad-hoc networks. In this paper we investigate the use of asymmetric communication links such as may be provided by unmanned aerial vehicles to provide efficient revocation mechanisms for small ad-hoc networks. Such link characteristics allow the efficient maintenance and propagation of blacklists as proposed by Saxena et al. and also enable the development of probability and plausibility metrics for revocation requests. We therefore propose a scheme for the distribution of group keys that requires nodes of the group to collaborate in order to obtain the group secret key. Consequently, untrusted nodes are hindered from communicating with other groups. This isolation from untrusted nodes allows to avoid or at least to postpone expensive node revocations which require the rekeying of the whole group. Steffen Reidt, s.reidt@rhul.ac.uk Stephen Wolthusen, stephen.wolthusen@rhul.ac.uk Building on UAVs In this paper we introduce a protocol for inter-group commu- nication which builds on groups that are organized by group access control schemes. We assume a military setting, where groups are supported by UAVs, which can help to distribute key material and act as relay nodes for inter-group communication. The figure on left shows one such UAV which is in communication range with three groups. Groups can vary in size, starting from a single node. Nodes can also belong to several groups. For example, the platoon leader and squad leaders of a platoon might build their own group of group leaders but also belong to the group that contains the whole platoon. Revocation In our protocol for distributing the session key, nodes depend on the willingness of k other nodes to collaborate. The figure on right shows the communication overhead depending on k that can be expected by this strategy. No honest node should collaborate with a node on the black-list or suspicious nodes that are not yet on the black-list. Consequently, our protocol helps to secure inter- group communication by enforcing that only nodes with a certain reputation in their group are allowed to communicate with other groups on behalf of their own group. This kind of soft revocation has the benefit that nodes can react quickly to attacks in their group. The drawbacks however are, that i) revocation decisions are based on local observations and are thus not reliable, and ii) nodes keys are not revoked what increases the risk that the number of malicious nodes reaches the critical number of k + 1 (see section IV-A). To actually revoke keys in a secret sharing scheme, all nodes in a group need to be equipped with new secret shares leaving out the revoked ones. As this hard revocation requires a considerable communication effort, it shouldonly be performed when required. Key distribution We assume that several groups exist which are organized by a secret sharing scheme. Each group has at least intermittent contact to an UAV (figure on right), several of which may communicate among each other. Moreover, each group maintains a black-list containing identities of suspicious nodes. This black-list can either be handled by each node independently, or group-wide by a threshold revocation schemes. Group Key: As described in the introduction, we wish to enable nodes to multicast messages based on several identity attributes including geolocation. To this end, we propose the use of identity-based encryption (IBE) to encrypt messages with a group-identity, where the identity can contain information about the location of the group. Using the WIBE scheme from Birkett et al. the identity of a group can be a concatenation of several parameters such as the location, a group Id, and the clearance level of a group.