By Topic

IEEE Quick Preview
  • Abstract

SECTION I

INTRODUCTION

THE Internet of Things (IoT) is a novel paradigm that has received considerable attention from both academia and industry. The basic idea of IoT is the pervasive presence around us of a variety of things or objects-such as radio-frequency identification (RFID) tags, sensors, actuators, mobile phones, etc.-which, through unique addressing schemes, are able to interact with each other and cooperate with their neighbors to reach common goals [1]. Wireless sensor networks (WSNs) are ad hoc networks which usually consist of a large number of tiny sensor nodes with limited resources and one or more base stations. Usually, sensor nodes consist of a processing unit with limited computational power and limited capacity. On the other hand, the base station is a powerful trusted device that acts as an interface between the network user and the nodes. WSNs have many applications, including military sensing and tracking, environment monitoring, target tracking, healthcare monitoring, and so on. A user of the WSNs can read the data received from the sensors through the base station. If we hope to read the data anywhere in the world, we need to integrate the WSNs into the Internet as part of the IoT. There are three methods to accomplish this integration, front-end proxy solution, gateway solution and TCP/IP overlay solution [2]. In the front-end proxy solution, the base station acts as an interface between the WSNs and the Internet. There is no direct connection between the Internet and a sensor node. The base station parses all incoming and outgoing information. In the gateway solution, the base station acts as an application layer gateway that translates the lower layer protocols from both networks. In the TCP/IP overlay solution, sensor nodes communicate with other nodes using TCP/IP. The base station acts as a router that forwards the packets from and to the sensor nodes. In both gateway solution and TCP/IP overlay solution, the sensor nodes can communicate with the Internet hosts directly. However, new security challenges will appear, such as setup of a secure channel between a sensor node and an Internet host that supports end-to-end authentication and confidentiality services. Note that the computational power and storage of a sensor node are limited. But an Internet host has strong computational power and storage. So we hope to design a secure communication scheme that fits such a characteristic.

To support the authenticity of public keys in the public key cryptography, there are two main infrastructures called public key infrastructure (PKI) and identity-based cryptography (IBC) [3]. In the PKI, a certificate authority (CA) issues a certificate which provides an unforgeable and trusted link between the public key and the identity of a user by the signature of the CA. The drawback of the PKI is that we need to manage certificates, including revocation, storage and distribution. In addition, we need to verify the validity of certificates before using them. The PKI technique has been widely developed and applied in the Internet. In the IBC, a user's public key is derived directly from its identity information, such as telephone numbers, email addresses and IP addresses. Secret keys are generated for users by a trusted third party called private key generator (PKG). Authenticity of a public key is explicitly verified without requiring any certificate. The advantage of the IBC is that we eliminate the need for certificates and some of the problems associated with them. On the other hand, the dependence on the PKG who can generate all users' secret keys inevitably causes the key escrow problem in the IBC. For the WSNs, IBC is the best choice because there is no certificates problem. However, IBC is only suitable for small networks. For the Internet security, we need PKI technique.

A. Motivation and Contribution

The motivation of this paper is to setup a secure channel between a sensor node and an Internet host that supports end-to-end confidentiality, integrity, authentication and non-repudiation services. In addition, we require that the IBC is used in the sensor node and that the PKI is used in the Internet host. We also require that the computational cost of sensor nodes is low. Our solution is heterogeneous online/offline signcryption (HOOSC). Concretely, we propose an efficient HOOSC scheme. We prove that the proposed scheme has the indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) under the bilinear Diffie-Hellman inversion problem (BDHIP) and existential unforgeability against adaptive chosen messages attacks (EUF-CMA) under the Formula$q$-strong Diffie-Hellman problem (Formula$q$-SDHP) in the random oracle model. Our scheme has the following characteristics: (i) It achieves confidentiality, integrity, authentication and non-repudiation in a logical single step. (ii) It allows a sensor node in the IBC to send a message to an Internet host in the PKI. (iii) It splits the signcryption into two phases: offline phase and online phase. In the offline part, most heavy computations are done without the knowledge of a message. In the online stage, only light computations are done when a message is known.

B. Related Work

Signcryption [4] is a new cryptographic primitive that fulfills both the functions of digital signature and public key encryption in a logical single step, at a cost significantly lower than that required by the traditional signature-then-encryption approach. That is, signcryption can simultaneously achieves confidentiality, integrity, authentication and non-repudiation at a lower cost. The performance advantage of signcryption over the signature-then-encryption method makes signcryption useful in many applications, such as electronic commerce, mobile communications and smart cards. Some PKI-based signcryption schemes [5], [6], [7], [8] and IBC-based signcryption schemes [9], [10], [11], [12], [13] are proposed. However, these signcryption schemes are homogeneous and can not be used in heterogeneous communications.

In 2010, Sun and Li [14] proposed two heterogeneous signcryption schemes. The first scheme allows a sender in the PKI to send a message to a receiver in the IBC. The second scheme allows a sender in the IBC to send a message to a receiver in the PKI. But their schemes are only secure against outsider attacks (i.e., attacks made by an attacker who is neither the sender nor the receiver). Such signcryption schemes do not provide any kind of non-repudiation function. A stronger notion than outsider security is insider security [15]. The insider security means that (i) if a sender's secret key is exposed, an attacker is still not able to recover the message from the ciphertext and (ii) if a receiver's secret key is exposed, an attacker is still not able to forge a ciphertext. To achieve the insider security, Huang, Wong and Yang [16] proposed a heterogeneous signcryption scheme that allows a user in the IBC to send a message to a receiver in the PKI. Both [14] and [16] are not suitable for WSNs because the computational cost is high for signcrypting a message.

C. Organization

The rest of this paper is organized as follows. We introduce the preliminary work in Section II. We give the formal model of HOOSC in Section III. An efficient HOOSC scheme is proposed in Section IV. We analyze the proposed scheme in Section V. Finally, the conclusions are given in Section VI.

SECTION II

PRELIMINARIES

In this section, we briefly describe the basic definition and properties of the bilinear pairings.

Let Formula$G_{1}$ be a cyclic additive group generated by Formula$P$, whose order is a prime Formula$p$, and Formula$G_{2}$ be a cyclic multiplicative group of the same order Formula$p$. A bilinear pairing is a map Formula${\mathhat{e}}$: Formula$G_{1}\times G_{1}\rightarrow G_{2}$ with the following properties:

  1. Bilinearity: Formula${\mathhat{e}}(aP,bQ)={\mathhat{e}}(P,Q)^{ab}$ for all Formula$P$, Formula$Q\in G_{1}$, Formula$a$, Formula$b\in\BBZ_{p}^{\ast}$.
  2. Non-degeneracy: There exists Formula$P$, Formula$Q\in G_{1}$ such that Formula${\mathhat{e}}(P,Q)\ne 1$.
  3. Computability: There is an efficient algorithm to compute Formula${\mathhat{e}}(P,Q)$ for all Formula$P$, Formula$Q\in G_{1}$.

The modified Weil pairing and the Tate pairing are admissible maps of this kind. Please see [9], [10], [11], [12], [13] for more details. The security of our scheme relies on the hardness of the following problems.

Given two groups Formula$G_{1}$ and Formula$G_{2}$ of the same prime order Formula$p$, a bilinear map Formula${\mathhat{e}}$: Formula$G_{1}\times G_{1}\rightarrow G_{2}$ and a generator Formula$P$ of Formula$G_{1}$, the Formula$q$-bilinear Diffie-Hellman inversion problem (Formula$q$-BDHIP) in Formula$(G_{1}, G_{2},{\mathhat{e}})$ is to compute Formula${\mathhat{e}}(P,P)^{1/\alpha}$ given Formula$(P,\alpha P,\alpha^{2}P,\ldots,\alpha^{q}P)$. We call bilinear Diffie-Hellman inversion problem (BDHIP) when Formula$q=1$.

Definition 1

The Formula$(\epsilon,t)$-BDHIP assumption holds if no Formula$t$-polynomial time adversary Formula${\cal C}$ has advantage at least Formula$\epsilon$ in solving the BDHIP problem.

Given two groups Formula$G_{1}$ and Formula$G_{2}$ of the same prime order Formula$p$, a bilinear map Formula${\mathhat{e}}$: Formula$G_{1}\times G_{1}\rightarrow G_{2}$ and a generator Formula$P$ of Formula$G_{1}$, the Formula$q$-strong Diffie-Hellman problem (Formula$q$-SDHP) in Formula$(G_{1}, G_{2},{\mathhat{e}})$ is to find a pair Formula$(w,{{1}\over{\alpha+w}}P)\in\BBZ_{p}^{\ast}\times G_{1}$ given Formula$(P,\alpha P,\alpha^{2}P,\ldots,\alpha^{q}P)$.

Definition 2

The Formula$(\epsilon,t)$-Formula$q$-SDHP assumption holds if no Formula$t$-polynomial time adversary Formula${\cal C}$ has advantage at least Formula$\epsilon$ in solving the Formula$q$-SDHP problem.

SECTION III

FORMAL MODEL OF HOOSC

In this section, we give the formal definition and security notions of HOOSC. This paper only discuss the case that senders belong to the IBC and receivers belong to the PKI.

A. Syntax

A generic HOOSC scheme consists of the following five algorithms.

Setup: This is a probabilistic algorithm run by a PKG that takes as input a security parameter Formula$k$, and outputs a master secret key Formula$msk$ and the system parameters params that includes a master public key Formula$mpk$.

IBC-KG: This is a key generation algorithm for IBC users. The user submits an identity Formula$ID$ to its PKG. The PKG computes the corresponding secret key Formula$sk$ and transmits it to the user in a secure way. Note that the user's public key Formula$pk$ is identity Formula$ID$. Such a public key does not need a digital certificate.

PKI-KG: This is a key generation algorithm for PKI users. The user chooses its secret key Formula$sk$ and publishes the corresponding public key Formula$pk$. This public key needs a digital certificate that is sign by its CA.

Off-Signcrypt: This is a probabilistic offline signcryption algorithm run by a sender that takes as input the system parameters param, a sender's private key Formula$sk_{s}$ and a receiver's public key Formula$pk_{r}$, and outputs an offline signcryption Formula$\delta$.

On-Signcrypt: This is a probabilistic online signcryption algorithm run by a sender that takes as input the system parameters param, a message Formula$m$ and an offline signcryption Formula$\delta$, and outputs a full signcryption ciphertext Formula$\sigma$.

Unsigncrypt: This is a deterministic unsigncryption algorithm run by a receiver that takes as input a ciphertext Formula$\sigma$, a sender's public key Formula$pk_{s}$ and the receiver's secret key Formula$sk_{r}$, and outputs the plaintext Formula$m$ or the symbol Formula$\bot$ if Formula$\sigma$ is an invalid ciphertext between the sender and the receiver.

These algorithms must satisfy the standard consistency constraint of HOOSC, i.e., if Formula$\delta=Off\hbox{-}Signcrypt (sk_{s},pk_{r})$ and Formula$\sigma=On\hbox{-}Signcrypt (m,\delta)$, then we have Formula$m={Unsigncrypt}(\sigma,pk_{s},sk_{r})$. Note that we omit param in Off-Signcryptn, On-Signcryptn and Unsigncrypt for simplicity.

For secure communication for integrating WSNs into the Internet, a sensor node is regarded as a sender and an Internet host is regarded as a receiver. HOOSC provides a secure channel between the sensor node and the Internet host that supports end-to-end confidentiality, integrity, authentication and non-repudiation services. Fig. 1 shows the communication model for integrating WSNs into the Internet.

Figure 1
Fig. 1. Communication model for integrating WSNs into the Internet.

B. Security Notions

The standard security notions for signcryption are indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) (confidentiality) and existential unforgeability against adaptive chosen messages attacks (EUF-CMA) (unforgeability). We modify the notions in [9], [13] slightly to adapt for HOOSC.

For the IND-CCA2 security, we consider the following game played between a challenger Formula${\cal C}$ and an adversary Formula${\cal A}$.

Initial: Formula${\cal C}$ runs Setup algorithm with a security parameter Formula$k$ and sends the system parameters and master secret key Formula$msk$ to Formula${\cal A}$. In addition, Formula${\cal C}$ also runs PKI-KG algorithm to get a receiver's public/secret key pair Formula$(pk_{r}^{\ast},sk_{r}^{\ast})$ and sends Formula$pk_{r}^{\ast}$ to Formula${\cal A}$.

Phase 1: Formula${\cal A}$ performs a polynomially bounded number of unsigncryption queries in an adaptive manner. In an unsigncryption query, Formula${\cal A}$ submits a sender's identity Formula$ID_{s}$ and a ciphertext Formula$\sigma$. Formula${\cal C}$ runs Unsigncrypt Formula$(\sigma,ID_{s},sk_{r}^{\ast})$ algorithm and sends the result to Formula${\cal A}$.

Challenge: Formula${\cal A}$ decides when Phase 1 ends. Formula${\cal A}$ generates two equal length plaintexts Formula$m_{0}$ and Formula$m_{1}$ and a sender's identity Formula$ID_{s}^{\ast}$. Formula${\cal C}$ first runs IBC-KG algorithm to generate the sender's secret key Formula$sk_{ID_{s}^{\ast}}$. Then Formula${\cal C}$ takes a random bit Formula$\gamma\in\{0,1\}$ and computes Formula$\delta^{\ast}=Off\hbox{-}Signcrypt (sk_{ID_{s}^{\ast}},pk_{r}^{\ast})$ and Formula$\sigma^{\ast}=On\hbox{-}Signcrypt (m_{\gamma},\delta)$. Finally, Formula${\cal C}$ sends Formula$\sigma^{\ast}$ to Formula${\cal A}$.

Phase 2: Formula${\cal A}$ can ask a polynomially bounded number of queries adaptively again as in the Phase 1. This time, it cannot make an unsigncryption query on Formula$(\sigma^{\ast},ID_{s}^{\ast})$ to obtain the corresponding plaintext.

Guess: Formula${\cal A}$ produces a bit Formula$\gamma^{\prime}$ and wins the game if Formula$\gamma^{\prime}=\gamma$.

The advantage of Formula${\cal A}$ is defined as Formula$Adv({\cal A})=\vert 2\Pr[\gamma^{\prime}=\gamma]-1\vert$, where Formula$\Pr[\gamma^{\prime}=\gamma]$ denotes the probability that Formula$\gamma^{\prime}=\gamma$.

Definition 3

A HOOSC scheme is Formula$(\epsilon,t,q_{u})$-IND-CCA2 secure if no probabilistic Formula$t$-polynomial time adversary Formula${\cal A}$ has advantage at least Formula$\epsilon$ after at most Formula$q_{u}$ unsigncryption queries in the IND-CCA2 game.

Note that the above definition catches insider security for confidentiality of signcryption since the adversary knows the master secret key Formula$msk$ and all senders' secret keys [15]. The insider security ensures the forward security of the scheme, i.e., confidentiality is preserved in case the sender's secret key becomes compromised.

For the EUF-CMA security, we consider the following game played between a challenger Formula${\cal C}$ and an adversary Formula${\cal F}$.

Initial: Formula${\cal C}$ runs Setup algorithm with a security parameter Formula$k$ and sends the system parameters to Formula${\cal F}$. In addition, Formula${\cal C}$ runs PKI-KG algorithm to get a receiver's public/secret key pair Formula$(pk_{r}^{\ast},sk_{r}^{\ast})$ and sends Formula$(pk_{r}^{\ast},sk_{r}^{\ast})$ to Formula${\cal F}$.

Attack: Formula${\cal F}$ performs a polynomially bounded number of key generation and signcryption queries in an adaptive manner. In a key generation query, Formula${\cal F}$ chooses an identity Formula$ID$. Formula${\cal C}$ runs IBC-KG algorithm and sends corresponding secret key Formula$sk_{ID}$ to Formula${\cal F}$. In a signcryption query, Formula${\cal F}$ produces a sender's identity Formula$ID_{s}$ and a message Formula$m$. Formula${\cal C}$ first runs IBC-KG algorithm to generate the sender's secret key Formula$sk_{ID_{s}}$. Then Formula${\cal C}$ runs Formula$\delta=Off\hbox{-}Signcrypt (sk_{ID_{s}},pk_{r}^{\ast})$ and Formula$\sigma=On\hbox{-}Signcrypt (m,\delta)$ algorithms. Finally, Formula${\cal C}$ sends Formula$\sigma$ to Formula${\cal F}$.

Forgery: Formula${\cal F}$ produces a sender's identity Formula$ID_{s}^{\ast}$ and a ciphertext Formula$\sigma^{\ast}$ and wins the game if the following conditions hold:

  1. Formula$Unsigncrypt(\sigma^{\ast},ID_{s}^{\ast},sk_{r}^{\ast})=m^{\ast}$.
  2. Formula${\cal F}$ has not made a key generation query on Formula$ID_{s}^{\ast}$.
  3. Formula${\cal F}$ has not made a signcryption query on Formula$(m^{\ast},ID_{s}^{\ast})$.

The advantage of Formula${\cal F}$ is defined as the probability that it wins.

Definition 4

A HOOSC scheme is Formula$(\epsilon,t,q_{k},q_{s})$-EUF-CMA secure if no probabilistic Formula$t$-polynomial time adversary Formula${\cal F}$ has advantage at least Formula$\epsilon$ after at most Formula$q_{k}$ key generation queries and Formula$q_{s}$ signcryption queries in the EUF-CMA game.

Note that the adversary knows the receiver's secret key Formula$sk_{r}^{\ast}$ in the above definition. That is, the definition also catches the insider security for unforgeability of signcryption [15].

SECTION IV

A HOOSC SCHEME

In this section, we propose an efficient HOOSC scheme which is based on Barreto et al.'s signcryption scheme [13]. Our scheme allows a sender in the IBC to send a message to a receiver in the PKI. It consists of the following five algorithms.

Setup: Given a security parameter Formula$k$, the PKG chooses groups Formula$G_{1}$ and Formula$G_{2}$ of prime order Formula$p$ (with Formula$G_{1}$ additive and Formula$G_{2}$ multiplicative), a generator Formula$P$ of Formula$G_{1}$, a bilinear map Formula${\mathhat{e}}$: Formula$G_{1}\times G_{1}\rightarrow G_{2}$, and hash functions Formula$H_{1}$: Formula$\{0,1\}^{\ast}\rightarrow\BBZ_{p}^{\ast}$, Formula$H_{2}$: Formula$\{0,1\}^{n}\times G_{2}\times G_{1}\rightarrow\BBZ_{p}^{\ast}$, and Formula$H_{3}$: Formula$G_{2}\rightarrow\{0,1\}^{n}$. Here Formula$n$ is the number of bits of a message to be signcrypted. The PKG chooses a master secret key Formula$s\in\BBZ_{p}^{\ast}$ randomly and computes the master public key Formula$P_{pub}=sP$. The PKG also computes Formula$g={\mathhat{e}}(P,P)$. The PKG publishes system parameters Formula$\{G_{1},G_{2},n,{\mathhat{e}},P,P_{pub},g,H_{1},H_{2},H_{3}\}$ and keeps the master secret key Formula$s$ secret.

IBC-KG: A user in the IBC submits its identity Formula$ID$ to its PKG. The PKG computes the corresponding secret key Formula$S_{ID}={{1}\over{H_{1}(ID)+s}}P$ and sends it to the user in a secure way. We will denote the sender by Formula$ID_{s}$ and its key pair by Formula$(pk_{s}=ID_{s},sk_{s}=S_{ID_{s}})$ in the following description.

PKI-KG: A user Formula$u$ in the PKI chooses a random number Formula$x_{u}$ from Formula$\BBZ_{p}^{\ast}$ and computes Formula$sk_{u}={{1}\over{x_{u}}}P$ as its secret key and Formula$pk_{u}=x_{u}P$ as its public key. We will denote the receiver by Formula$u=r$ and its key pair by Formula$(pk_{r}=x_{r}P,sk_{r}={{1}\over{x_{r}}}P)$ in the following description.

Off-Signcrypt: Given a sender's secret key Formula$S_{ID_{s}}$ and a receiver's public Formula$pk_{r}$, this algorithm works as follows.

  1. Choose Formula$x$, Formula$\beta$ from Formula$\BBZ_{p}^{\ast}$ randomly.
  2. Compute Formula$r=g^{x}$.
  3. Compute Formula$S=\beta S_{ID_{s}}$.
  4. Compute Formula$T=xpk_{r}$.

The offline signcryption is Formula$\delta=(x,r,\beta,S,T)$.

On-Signcrypt: Given a message Formula$m$ and an offline signcryption Formula$\delta$, this algorithm works as follows.

  1. Compute Formula$c=m\oplus H_{3}(r)$.
  2. Compute Formula$h=H_{2}(m,r,S)$.
  3. Compute Formula$\theta=(x+h)\beta^{-1}\bmod p$.

The ciphertext is Formula$\sigma=(c,\theta,S,T)$.

Unsigncrypt: Given a ciphertext Formula$\sigma$, a sender's identity Formula$ID_{s}$ and a receiver's secret key Formula$sk_{r}$, this algorithm works as follows.

  1. Compute Formula$r={\mathhat{e}}(T,sk_{r})$.
  2. Recover Formula$m=c\oplus H_{3}(r)$.
  3. Compute Formula$h=H_{2}(m,r,S)$.
  4. Accept the message if and only if Formula$r={\mathhat{e}}(\theta S,H_{1}(ID_{s})P+P_{pub})g^{-h}$, return Formula$\bot$ otherwise.

For secure communication for integrating WSNs into the Internet, a sensor node is regarded as a sender (the media access control address of the sensor node can be used for the identity Formula$ID$) and an Internet host is regarded as a receiver. First, the sensor node is loaded with precomputed results Formula$\delta=(x,r,\beta, S, T)$ of the offline phase from a more powerful device. When the sensor node wants to send a message Formula$m$ to the Internet host, the sensor node runs Formula$\sigma=On\hbox{-}Signcrypt (m,\delta)$ algorithm and sends the ciphertext Formula$\sigma$ to the Internet host. In this process, the sensor node only does light computations, such as exclusive OR, hash function, modular multiplication and modular inverse. When receiving the ciphertext Formula$\sigma$, the Internet host runs Formula$m={\it Unsigncrypt}(\sigma,ID_{s},sk_{r})$ algorithm to obtain the message Formula$m$. Our scheme simultaneously achieves confidentiality, integrity, authentication and non-repudiation. Fig. 2 shows steps for secure communication using our scheme.

Figure 2
Fig. 2. Steps for secure communication using our scheme.
SECTION V

ANALYSIS OF THE SCHEME

In this section, we analyze the consistency, security and performance of the proposed scheme.

A. Consistency

Now we verify the consistency of the proposed scheme. First, since Formula TeX Source $$\eqalignno{{\mathhat{e}}(T,sk_{r})=&\,{\mathhat{e}}(xpk_{r},{{1}\over{x_{r}}}P)\cr=&\,{\mathhat{e}}(xx_{r}P,{{1}\over{x_{r}}}P)\cr=&\,{\mathhat{e}}(P,P)^{x}\cr=&\, g^{x}\cr=&\, r}$$ we can recover the message by computing Formula$m=c\oplus H_{3}(r)$. Second, since Formula$\theta S=(x+h)\beta^{-1}\beta S_{ID_{s}}=(x+h)S_{ID_{s}}$, we can verify the signature by Formula TeX Source $$\eqalignno{&\,{\mathhat{e}}(\theta S,H_{1}(ID_{s})P+P_{pub})g^{-h}\cr=&\,{\mathhat{e}}((x+h)S_{ID_{s}}, (H_{1}(ID_{s})+s)P)g^{-h}\cr=&\,{\mathhat{e}}((x+h){{1}\over{H_{1}(ID_{s})+s}}P, (H_{1}(ID_{s})+s)P)g^{-h}\cr=&\,{\mathhat{e}}((x+h)P,P)g^{-h}\cr=&\,{\mathhat{e}}(P,P)^{(x+h)}g^{-h}\cr=&\, g^{(x+h)}g^{-h}\cr=&\, g^{x}\cr=&\, r}$$

B. Security

We prove that the proposed scheme satisfies IND-CCA2 and EUF-CMA by the following Theorems 1 and 2, respectively.

Theorem 1

In the random oracle model, if an adversary Formula${\cal A}$ has a non-negligible advantage Formula$\epsilon$ against the IND-CCA2 security of the proposed scheme when running in a time Formula$t$ and performing Formula$q_{u}$ unsigncryption queries and Formula$q_{H_{i}}$ queries to oracles Formula$H_{i}$ (Formula$i=1$, 2, 3), then there exists an algorithm Formula${\cal C}$ that can solve the BDHIP with an advantage Formula$\epsilon^{\prime}\geq{{\epsilon}\over{2q_{H_{2}}+q_{H_{3}}}}(1-{{q_{u}}\over{2^{k}}})$ in a time Formula$t^{\prime}\leq t+O(q_{u})t_{p}+O(q_{u}q_{H_{2}})t_{e}$, where Formula$t_{p}$ denotes the cost for one pairing computation and Formula$t_{e}$ denotes the cost for an exponentiation computation in Formula$G_{2}$.

Proof

We show how Formula${\cal C}$ can use Formula${\cal A}$ as a subroutine to solve a random given instance Formula$(P,\alpha P)$ of the BDHIP.

Initial: Formula${\cal C}$ chooses a master secret key Formula$s\in\BBZ_{p}^{\ast}$ randomly and sets master public key Formula$P_{pub}=sP$. Formula${\cal C}$ also sets the receiver's public key Formula$pk_{r}^{\ast}=\alpha P$ and Formula$g={\mathhat{e}}(P,P)$. Then Formula${\cal C}$ sends the system parameters and the receiver's public key Formula$pk_{r}^{\ast}$ to Formula${\cal A}$.

Phase 1: Formula${\cal C}$ simulates Formula${\cal A}$'s challenger in the IND-CCA2 game. Formula${\cal C}$ maintains three lists Formula$L_{1}$, Formula$L_{2}$ and Formula$L_{3}$ to simulate the hash oracles Formula$H_{1}$, Formula$H_{2}$ and Formula$H_{3}$, respectively. We assume that Formula$H_{1}$ queries are distinct and that Formula${\cal A}$ will ask for Formula$H_{1}(ID)$ before Formula$ID$ is used in any other queries.

  • Formula$H_{1}$ queries: For a Formula$H_{1}(ID_{i})$ query, Formula${\cal C}$ first checks if the value of Formula$H_{1}$ was previously defined for the input Formula$ID_{i}$. If it was, the previously defined value is returned. Otherwise, Formula${\cal C}$ returns a random Formula$h_{1,i}\;\in\BBZ_{p}^{\ast}$ as the answer and inserts the pair Formula$(ID_{i},h_{1,i})$ into the list Formula$L_{1}$.
  • Formula$H_{2}$ queries: For a Formula$H_{2}(m_{i},r_{i},S_{i})$ query, Formula${\cal C}$ first checks if the value of Formula$H_{2}$ was previously defined for the input Formula$(m_{i},r_{i},S_{i})$. If it was, the previously defined value is returned. Otherwise, Formula${\cal C}$ returns a random Formula$h_{2,i}\in\BBZ_{p}^{\ast}$ as the answer. In addition, Formula${\cal C}$ simulates random oracle on its own to obtain Formula$h_{3,i}=H_{3}(r_{i})\in\{0,1\}^{n}$ and computes Formula$c_{i}=m_{i}\oplus h_{3,i}$ and Formula$\xi_{i}=r_{i}\cdot{\mathhat{e}}(P,P)^{h_{2,i}}$. Finally, Formula${\cal C}$ inserts the tuple Formula$(m_{i},r_{i},S_{i},h_{2,i},c_{i},\xi_{i})$ into the list Formula$L_{2}$.
  • Formula$H_{3}$ queries: For a Formula$H_{3}(r_{i})$ query, Formula${\cal C}$ first checks if the value of Formula$H_{3}$ was previously defined for the input Formula$r_{i}$. If it was, the previously defined value is returned. Otherwise, Formula${\cal C}$ randomly chooses Formula$h_{3,i}$ from Formula$\{0,1\}^{n}$, returns Formula$h_{3,i}$ as an answer and inserts the tuple Formula$(r_{i},h_{3,i})$ into the list Formula$L_{3}$.
  • Unsigncryption queries: At any time Formula${\cal A}$ can perform an unsigncryption query for a ciphertext Formula$\sigma=(c,\theta,S,T)$ and a sender's identity Formula$ID_{i}$. Formula${\cal C}$ runs the Formula$H_{1}$ simulation algorithm to find Formula$h_{1,i}=H_{1}(ID_{i})$ and computes the sender's private key Formula$S_{ID_{i}}={{1}\over{h_{1,i}+s}}P$. For all valid ciphertexts, we have Formula$\log_{S_{ID_{i}}}(\theta S{-}hS_{ID_{i}})=\log_{pk_{r}^{\ast}}T$, where Formula$h=H_{2}(m,r,S)$. Therefore, the following equation holds Formula${\mathhat{e}}(T,S_{ID_{i}})={\mathhat{e}}(pk_{r}^{\ast},\theta S-hS_{ID_{i}}). {\cal C}$ first computes Formula$\xi={\mathhat{e}}(\theta S,pk_{r}^{\ast})$ and then searches Formula$L_{2}$ for the entries of the form Formula$(m_{i},r_{i},S_{i},h_{2,i},c,\xi)$ indexed by Formula$i\in\{1,\ldots,q_{H_{2}}\}$. If no an entry is found, Formula$\sigma$ is rejected. Otherwise, Formula${\cal C}$ further checks if the following equation holds for the corresponding indexes Formula${{{\mathhat{e}}(T,S_{ID_{i}})}\over{{\mathhat{e}}(pk_{r}^{\ast},\theta S)}}={\mathhat{e}}(pk_{r}^{\ast},S_{ID_{i}})^{-h_{2,i}}$. If the unique Formula$i\in\{1,\ldots,q_{H_{2}}\}$ satisfying the above equation is found, the matching message Formula$m_{i}$ is returned. Otherwise, Formula$\sigma$ is rejected. It is easy to see that, for all queries, the probability to reject a valid ciphertext does not exceed Formula${{q_{u}}\over{2^{k}}}$.

Challenge: Formula${\cal A}$ generates two equal length plaintexts Formula$m_{0}$ and Formula$m_{1}$ and the sender's identity Formula$ID_{s}^{\ast}$ on which it wishes to be challenged. Formula${\cal C}$ chooses Formula$c^{\ast}\in\{0,1\}^{n}$, Formula$\lambda$, Formula$\theta^{\ast}\in\BBZ_{p}^{\ast}$, Formula$S^{\ast}\in G_{1}$ randomly and computes Formula$T^{\ast}=\lambda P$. Formula${\cal C}$ returns the ciphertext Formula$\sigma^{\ast}=(c^{\ast},\theta^{\ast},S^{\ast},T^{\ast})$ to Formula${\cal A}$. Formula${\cal A}$ cannot recognize that Formula$\sigma^{\ast}$ is not a valid ciphertext unless it queries Formula$H_{2}$ or Formula$H_{3}$ on Formula${\mathhat{e}}(P,P)^{\lambda/\alpha}$.

Phase 2: Formula${\cal A}$ can ask a polynomially bounded number of queries adaptively again as in the Phase 1 with the restriction that it cannot make an unsigncryption query on Formula$\sigma^{\ast}$ to obtain the corresponding plaintext. Formula${\cal C}$ answer Formula${\cal A}$'s queries as in the Phase 1.

Guess: Formula${\cal A}$ produces a bit Formula$\gamma^{\prime}$ which is ignored by Formula${\cal C}$.

Formula${\cal C}$ fetches a random entry Formula$(m_{i},r_{i},S_{i},h_{2,i},c_{i},\xi_{i})$ or Formula$(r_{i},h_{3,i})$ from the lists Formula$L_{2}$ or Formula$L_{3}$. Since Formula$L_{3}$ contains no more than Formula$q_{H_{2}}+q_{H_{3}}$ records, the chosen entry will contain the right element Formula$r_{i}={\mathhat{e}}(P,P)^{\lambda/\alpha}$ with probability Formula$1/(2q_{H_{2}}+q_{H_{3}})$. The BDHIP can be extracted by computing Formula$({\mathhat{e}}(P,P)^{\lambda/\alpha})^{\lambda^{-1}}$.

This completes the description of the simulation. It remains to analyze Formula${\cal C}$'s advantage. Define the event Formula$E$ as that Formula${\cal C}$ aborts in an unsigncryption query because of rejecting a valid ciphertext.

From the above analysis, we know that the probability of Formula${\cal C}$ not aborting is Formula$\Pr[\neg{\rm abort}]=\Pr[\neg E]$. We know that Formula$\Pr[E]\leq q_{u}/2^{k}$. So we have Formula$\Pr[\neg{\rm abort}]\geq (1-{{q_{u}}\over{2^{k}}})$. In addition, Formula${\cal C}$ selects the correct element from Formula$L_{2}$ or Formula$L_{3}$ with probability Formula$1/(2q_{H_{2}}+q_{H_{3}})$. Therefore, we have Formula$\epsilon^{\prime}\geq{{\epsilon}\over{2q_{H_{2}}+q_{H_{3}}}}(1-{{q_{u}}\over{2^{k}}})$.

The bound on Formula${\cal C}$'s computation time derives from the fact that Formula${\cal C}$ needs Formula$O(q_{u})$ pairing calculations and Formula$O(q_{u}q_{H_{2}})$ exponentiations in Formula$G_{2}$ in the unsigncryption queries. Formula$\blackboxfill$

Theorem 2

In the random oracle model, if an adversary Formula${\cal F}$ has an advantage Formula$\epsilon\geq 10(q_{s}+1)(q_{s}+q_{H_{2}})/2^{k}$ against the EUF-CMA security of the proposed scheme when running in a time Formula$t$ and performing Formula$q_{s}$ signcryption queries and Formula$q_{H_{i}}$ queries to oracles Formula$H_{i}$ (Formula$i=1$, 2, 3), then there exists an algorithm Formula${\cal C}$ that can solve the Formula$q$-SDHP for Formula$q=q_{H_{1}}$ in expected time Formula$t^{\prime}\leq 120686q_{H_{1}}q_{H_{2}}{{t+O(q_{s}t_{p})}\over{\epsilon (1-1/2^{k})(1-q/2^{k})}}+O(q^{2}t_{m})$, where Formula$t_{p}$ denotes the cost for one pairing computation and Formula$t_{m}$ denotes the cost for a scalar multiplication computation in Formula$G_{1}$.

Proof

Similar to [13], we use the forking lemma [17] to prove the security of our scheme. To use the forking lemma, we need to show how the proposed scheme fits into the signature scheme described in [17], the simulation step in which the signature can be simulated without the secret signcryption key of the sender, and how we can solve Formula$q$-SDHP based on the forgery.

First, we observe that our scheme satisfies the requirement described in [17]. During the signcryption of message Formula$m$, the tuple Formula$(\sigma_{1},h,\sigma_{2})$ is produced which corresponds to the required three-phase honest-verifier zero-knowledge identification protocol, where Formula$\sigma_{1}=r$ is the commitment of the prover, Formula$h=H_{2}(m,r,S)$ is the hash value depending on Formula$m$ and Formula$\sigma_{1}$ substituted for the verifier's challenge, and Formula$\sigma_{2}=\theta S$ is the response of the prover which depends on Formula$\sigma_{1}$, Formula$h$ and the signcryption private key Formula$S_{ID_{s}}$.

Next, we show Formula${\cal C}$ can provide a faithful simulation to Formula${\cal F}$ and solve the Formula$q$-SDHP by interacting with Formula${\cal F}$. Formula${\cal C}$ takes as input Formula$(P,\alpha P,\alpha^{2}P,\ldots,\alpha^{q}P)$ and aims to find a pair Formula$(w,{{1}\over{\alpha+w}}P)$. Formula${\cal C}$ simulates Formula${\cal F}$'s challenger in the EUF-CMA game. Formula${\cal F}$ then adaptively performs key generation and signcryption queries as explained in the EUF-CMA game. We describe this process as follows.

Initial: First, Formula${\cal C}$ chooses Formula$w_{1}$, Formula$w_{2}\ldots,w_{q-1}\in\BBZ_{p}^{\ast}$ randomly. Formula${\cal C}$ takes Formula$(P,\alpha P,\alpha^{2}P,\ldots,\alpha^{q}P)$ as input to compute a generator Formula$Q\in G_{1}$ and another element Formula$Q_{pub}=\alpha Q\in G_{1}$ such that it knows Formula$q-1$ pairs Formula$(w_{i},V_{i}={{1}\over{\alpha+w_{i}}}Q)$ for Formula$i\in\{1,\ldots,q-1\}$ as in the proof technique of [18]. To do so, Formula${\cal C}$ expands the polynomial Formula$f(z)=\prod_{i=1}^{q-1}(z+w_{i})=\sum_{j=0}^{q-1}c_{j}z^{j}$. A generator Formula$Q$ and an element Formula$Q_{pub}$ are then obtained as Formula$Q=\sum_{j=0}^{q-1}c_{j}(\alpha^{j}P)=f(\alpha)P$ and Formula$Q_{pub}=\sum_{j=1}^{q}c_{j-1}(\alpha^{j}P)=\alpha f(\alpha)P=\alpha Q$. As in [18], the pairs Formula$(w_{i},V_{i})$ are obtained by expanding Formula$f_{i}(z)={{f(z)}\over{z+w_{i}}}=\sum_{j=0}^{q-2}d_{j}z^{j}$ and computing Formula$V_{i}=\sum_{j=0}^{q-2}d_{j}(\alpha^{j}P)=f_{i}(\alpha)P={{f(\alpha)}\over{\alpha+w_{i}}}P={{1}\over{\alpha+w_{i}}}Q$. The PKG's public key is Formula$Q_{pub}$ and its corresponding master secret key is Formula$\alpha$.

Formula${\cal C}$ sends Formula${\cal F}$ the system parameters with the generator Formula$Q$, Formula$Q_{pub}=\alpha Q$ and Formula$g={\mathhat{e}}(Q,Q)$. Formula${\cal C}$ chooses a random challenge identity Formula$ID_{s}^{\ast}\in\{0,1\}^{\ast}$ and sends it to Formula${\cal F}$. In addition, Formula${\cal C}$ runs PKI-KG algorithm to get a receiver's public/secret key pair Formula$(pk_{r}^{\ast},sk_{r}^{\ast})$ and sends Formula$(pk_{r}^{\ast},sk_{r}^{\ast}) {\cal F}$.

Attack: Formula${\cal C}$ simulates Formula${\cal F}$'s challenger in the EUF-CMA game. Formula${\cal C}$ maintains three lists Formula$L_{1}$, Formula$L_{2}$ and Formula$L_{3}$ to simulate the hash oracles Formula$H_{1}$, Formula$H_{2}$ and Formula$H_{3}$, respectively. We also assume that Formula$H_{1}$ queries are distinct and that Formula${\cal F}$ will ask for Formula$H_{1}(ID)$ before Formula$ID$ is used in any other queries.

  • Formula$H_{1}$ queries: These queries are indexed by a counter Formula$\nu$ that is initially set to 1. If Formula$ID=ID_{s}^{\ast}$, Formula${\cal C}$ returns a random Formula$w_{s}\in\BBZ_{p}^{\ast}$ as the answer. Otherwise, Formula${\cal C}$ returns Formula$w_{\nu}$ as the answer and increments Formula$\nu$. In both cases, Formula${\cal C}$ puts the tuple Formula$(ID,w)$ (where Formula$w=w_{s}$ or Formula$w_{\nu}$) into the list Formula$L_{1}$.
  • Formula$H_{2}$ queries: For a Formula$H_{2}(m_{i},r_{i},S_{i})$ query, Formula${\cal C}$ first checks if the value of Formula$H_{2}$ was previously defined for the input Formula$(m_{i},r_{i},S_{i})$. If it was, the previously defined value is returned. Otherwise, Formula${\cal C}$ returns a random Formula$h_{2,i}\in\BBZ_{p}^{\ast}$ as the answer.
  • Formula$H_{3}$ queries: For a Formula$H_{3}(r_{i})$ query, Formula${\cal C}$ first checks if the value of Formula$H_{3}$ was previously defined for the input Formula$r_{i}$. If it was, the previously defined value is returned. Otherwise, Formula${\cal C}$ randomly chooses Formula$h_{3,i}$ from Formula$\{0,1\}^{n}$, returns Formula$h_{3,i}$ as an answer and inserts the tuple Formula$(r_{i},h_{3,i})$ into the list Formula$L_{3}$.
  • Key generation queries: When Formula${\cal F}$ makes a key generation query on an identity Formula$ID_{i}$, if Formula$ID_{i}=ID_{s}^{\ast}$, then Formula${\cal C}$ fails and stops. Otherwise, Formula${\cal C}$ knows Formula$H_{1}(ID_{i})=w_{i}$ and returns Formula$V_{i}={{1}\over{\alpha+w_{i}}}Q$ to Formula${\cal F}$.
  • Signcryption queries: Formula${\cal F}$ chooses a plaintext Formula$m$ and a sender's identity Formula$ID_{i}$. If Formula$ID_{i}\ne ID_{s}^{\ast}$, then Formula${\cal C}$ knows the sender's private key Formula$S_{ID_{i}}=V_{i}$ and can answer the query according to the steps of Off-Signcrypt and On-Signcrypt. If Formula$ID_{i}=ID_{s}^{\ast}$, Formula${\cal C}$ does the following steps.
    1. Choose Formula$\eta$, Formula$\theta$, Formula$h\in\BBZ_{p}^{\ast}$ randomly.
    2. Compute Formula$S=\theta^{-1}\eta sk_{r}^{\ast}$.
    3. Compute Formula$T=\eta (w_{j}Q+Q_{pub})-hpk_{r}^{\ast}$.
    4. Compute Formula$r={\mathhat{e}}(T,sk_{r}^{\ast})$.
    5. Patch the hash value Formula$H_{2}(m,r,S)$ to Formula$h$. Formula${\cal C}$ fails if Formula$H_{2}$ is already defined but this only happens with probability Formula$(q_{s}+q_{H_{2}})/2^{k}$.
    6. Compute Formula$c=m\oplus H_{3}(r)$.
    7. Return Formula$\sigma=(c,\theta,S,T)$ to Formula${\cal F}$.

Next, we coalesce the sender identity Formula$ID_{s}^{\ast}$ and the message Formula$m$ into a “generalized” forged message Formula$(ID_{s}^{\ast},m)$ so as to hide the identity-based aspect of the EUF-CMA attacks, and simulate the setting of an identity-less adaptive-CMA existential forgery for which the forking lemma is proven.

From the forking lemma, if Formula${\cal F}$ is an efficient forger in the above interaction, then we can construct a Las Vegas machine Formula${\cal F}^{\prime}$ that outputs two signed messages Formula$((ID_{s}^{\ast},m),h,\theta,S)$ and Formula$((ID_{s}^{\ast},m),h^{\ast},\theta^{\ast},S^{\ast})$ with Formula$h\ne h^{\ast}$ and the same commitment.

Finally, to solve the Formula$q$-SDHP based on the machine Formula${\cal F}^{\prime}$ derived from Formula${\cal F}$, we construct a machine Formula${\cal C}$ as follows.

  1. Formula${\cal C}$ gets two distinct signatures Formula$((ID_{s}^{\ast},m),h,\theta,S)$ and Formula$((ID_{s}^{\ast},m),h^{\ast},\theta^{\ast},S^{\ast})$ by running Formula${\cal F}^{\prime}$.
  2. Formula${\cal C}$ computes Formula$V^{\ast}=(h-h^{\ast})^{-1}(\theta S-\theta^{\ast}S^{\ast})={{1}\over{\alpha+w_{s}}}Q={{f(\alpha)}\over{\alpha+w_{s}}}P$.
  3. Formula${\cal C}$ uses long division and writes the polynomial Formula$f$ as Formula$f(z)=\psi (z)(z+w_{s})+\psi_{-1}$ for some polynomial Formula$\psi (z)=\sum_{i=0}^{q-2}\psi_{i}z^{i}$ and some Formula$\psi_{-1}\in Z_{p}^{\ast}$. Then Formula${{f(z)}\over{z+w_{s}}}$ can be written as Formula${{f(z)}\over{z+w_{s}}}=\psi (z)+{{\psi_{-1}}\over{z+w_{s}}}=\sum_{i=0}^{q-2}\psi_{i}z^{i}+{{\psi_{-1}}\over{z+w_{s}}}$. Hence, Formula${\cal C}$ can compute Formula${{1}\over{\alpha+w_{s}}}P={{1}\over{\psi_{-1}}}(V^{\ast}-\sum_{i=0}^{q-2}\psi_{i}(x^{i}P))$.
  4. Formula${\cal C}$ outputs Formula$(w_{s},{{1}\over{\alpha+w_{s}}}P)$ as the solution of Formula$q$-SDHP.

From the forking lemma and the lemma on the relationship between given-identity attack and chosen-identity attack [19], if Formula${\cal F}$ succeeds in a time Formula$t$ with probability Formula$\epsilon\geq 10(q_{s}+1)(q_{s}+q_{H_{2}})/2^{k}$, then Formula${\cal C}$ can solve the Formula$q$-SDHP in expected time Formula$t^{\prime}\leq 120686q_{H_{1}}q_{H_{2}}{{t+O(q_{s}t_{p})}\over{\epsilon (1-1/2^{k})(1-q/2^{k})}}+O(q^{2}t_{m})$. Formula$\blackboxfill$

C. Performance

We compare the major computational cost, security, key size, ciphertext size and offline storage of our scheme with those of existing schemes [14], [16] in Table I. We assume that Formula$\vert G_{1}\vert=160 {\rm bits}$, Formula$\vert G_{2}\vert=1024 {\rm bits}$, Formula$\vert p\vert=160 {\rm bits}$, Formula$\vert m\vert=160 {\rm bits}$ and Formula$\vert ID\vert=160$. In the “Schemes” column, SL is the original version in [14] that has not the non-repudiation since a receiver can generate the same ciphertext as a sender does. Of course, we can use a proper signature scheme [19], [20] to get the non-repudiation property. However, we need another two pairings computation. HWY-I and HWY-II are the first scheme and second scheme, respectively in [16]. For simplicity, we only consider the pairing and point multiplication operations since the two operations take the most running time of the whole algorithm [21]. The other operations are ignored. We denote by M the point multiplication in Formula$G_{1}$ and P the pairing computation in the “Computational cost” column. In the “Security” column, CCA2, CMA and IS denotes IND-CCA2, EUF-CMA and insider security, respectively. In the “Key size” column, we consider the sum size of public key and secret key. From Table I, we can see that SL does not satisfy insider security. HWY-I, HWY-II and our scheme satisfy insider security. Our scheme splits the signcryption into two phases: offline phase and online phase. Two point multiplication operations have been precomputed offline. The online phase is very efficient and does not need any pairing and point multiplication operations. That is, our scheme can complete quickly the entire signcryption process when a message is available. Therefore, our scheme is very suitable to provide security solution for sensor nodes. The key size of PKI users in all schemes is 320 bits. For IBC users, SL and our scheme are the same and are 320 bits. HWY-I and HWY-II are 480 bits. For ciphertext length, SL and our scheme are 640 bits. HWY-I and HWY-II are 960 bits. Of course, our scheme needs an offline storage with 1824 bits.

Table 1
TABLE I PERFORMANCE COMPARISON

We adopt the experiment in [22] on MICA2 that is equipped with an ATmega128 8-bit processor clocked at 7.3728 MHz, 4 KB RAM and 128 KB ROM. A point multiplication needs 0.81s using an elliptic curve with 160 bits Formula$p$. According to [23], a pairing computation on MICA2 needs 2.66s. Fig. 3 roughly shows the time for signcrypt a message in SL, HWY-I, HWY-II and our scheme. SL, HWY-I and HWY-II need 2.66s, 2.43s and 1.62s, respectively. The time of our scheme is negligible. As compared with SL, HWY-I, HWY-II, our scheme is most suitable for integrating WSNs into the Internet as part of the IoT. For energy consumption, a point multiplication uses 19.1 mJ and a pairing uses 62.73 mJ [22], [23]. To signcrypt a message, SL, HWY-I and HWY-II roughly uses 62.73 mJ, 57.3 mJ and 38.2 mJ, respectively. The computational energy consumption of our scheme is negligible. From [24], we know that MICA2 costs 4.12 Formula$\mu{\rm J}$ to transmit a bit. For energy cost for communication, SL, HWY-I, HWY-II and our scheme costs 2.64 mJ, 3.96 mJ, 3.96 mJ and 2.64 mJ, respectively.

Figure 3
Fig. 3. Time for signcrypting a message.
SECTION VI

CONCLUSION

In this paper, we proposed a heterogeneous online/offline signcryption scheme. It allows a sensor node in the IBC to send a message to an Internet host in the PKI. Our scheme adopted both online/offline technique and IBC technique to greatly reduce the computational cost of sensor nodes. The scheme setups a secure channel between a sensor node and an Internet host that supports end-to-end confidentiality, integrity, authentication and non-repudiation services. This method provides a new security solution for integrating WSNs into the Internet as part of the IoT.

Footnotes

This work was supported by the National Natural Science Foundation of China under Grants 60803133, 61073176, 61003230, 61003232, 61103207, 61272404 and 61272525. The associate editor coordinating the review of this paper and approving it for publication was Prof. Rose Qingyang Hu.

The authors are with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China (e-mail: fagenli@uestc.edu.cn; 276878323@qq.com).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

References

No Data Available

Authors

Fagen Li

Fagen Li

Fagen Li received the B.S. degree from the Luoyang Institute of Technology, Luoyang, China, in 2001, the M.S. degree from the Hebei University of Technology, Tianjin, China, in 2004, and the Ph.D. degree in cryptography from Xi'dian University, Xi'an, China, in 2007. He was a Post-Doctoral Fellow with Future University-Hakodate, Hokkaido, Japan, from 2008 to 2009, which is supported by the Japan Society for the Promotion of Science. He was a Research Fellow with the Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan, from 2010 to 2012. He is currently an Associate Professor with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China. His current research interests include cryptography and network security. He has published more than 70 papers in the international journals and conferences.

Pan Xiong

Pan Xiong

Pan Xiong received the B.S. degree from the Chongqing University of Posts and Telecommunications, Chongqing, China, in 2009. She is currently pursuing the Master degree with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China. Her current research interests include cryptography and network security.

Cited By

No Data Available

Keywords

Corrections

None

Multimedia

No Data Available
This paper appears in:
No Data Available
Issue Date:
No Data Available
On page(s):
No Data Available
ISSN:
None
INSPEC Accession Number:
None
Digital Object Identifier:
None
Date of Current Version:
No Data Available
Date of Original Publication:
No Data Available

Text Size