SECTION I

THE Internet of Things (IoT) is a novel paradigm that has received considerable attention from both academia and industry. The basic idea of IoT is the pervasive presence around us of a variety of things or objects-such as radio-frequency identification (RFID) tags, sensors, actuators, mobile phones, etc.-which, through unique addressing schemes, are able to interact with each other and cooperate with their neighbors to reach common goals [1]. Wireless sensor networks (WSNs) are ad hoc networks which usually consist of a large number of tiny sensor nodes with limited resources and one or more base stations. Usually, sensor nodes consist of a processing unit with limited computational power and limited capacity. On the other hand, the base station is a powerful trusted device that acts as an interface between the network user and the nodes. WSNs have many applications, including military sensing and tracking, environment monitoring, target tracking, healthcare monitoring, and so on. A user of the WSNs can read the data received from the sensors through the base station. If we hope to read the data anywhere in the world, we need to integrate the WSNs into the Internet as part of the IoT. There are three methods to accomplish this integration, front-end proxy solution, gateway solution and TCP/IP overlay solution [2]. In the front-end proxy solution, the base station acts as an interface between the WSNs and the Internet. There is no direct connection between the Internet and a sensor node. The base station parses all incoming and outgoing information. In the gateway solution, the base station acts as an application layer gateway that translates the lower layer protocols from both networks. In the TCP/IP overlay solution, sensor nodes communicate with other nodes using TCP/IP. The base station acts as a router that forwards the packets from and to the sensor nodes. In both gateway solution and TCP/IP overlay solution, the sensor nodes can communicate with the Internet hosts directly. However, new security challenges will appear, such as setup of a secure channel between a sensor node and an Internet host that supports end-to-end authentication and confidentiality services. Note that the computational power and storage of a sensor node are limited. But an Internet host has strong computational power and storage. So we hope to design a secure communication scheme that fits such a characteristic.

To support the authenticity of public keys in the public key cryptography, there are two main infrastructures called public key infrastructure (PKI) and identity-based cryptography (IBC) [3]. In the PKI, a certificate authority (CA) issues a certificate which provides an unforgeable and trusted link between the public key and the identity of a user by the signature of the CA. The drawback of the PKI is that we need to manage certificates, including revocation, storage and distribution. In addition, we need to verify the validity of certificates before using them. The PKI technique has been widely developed and applied in the Internet. In the IBC, a user's public key is derived directly from its identity information, such as telephone numbers, email addresses and IP addresses. Secret keys are generated for users by a trusted third party called private key generator (PKG). Authenticity of a public key is explicitly verified without requiring any certificate. The advantage of the IBC is that we eliminate the need for certificates and some of the problems associated with them. On the other hand, the dependence on the PKG who can generate all users' secret keys inevitably causes the key escrow problem in the IBC. For the WSNs, IBC is the best choice because there is no certificates problem. However, IBC is only suitable for small networks. For the Internet security, we need PKI technique.

The motivation of this paper is to setup a secure channel between a sensor node and an Internet host that supports end-to-end confidentiality, integrity, authentication and non-repudiation services. In addition, we require that the IBC is used in the sensor node and that the PKI is used in the Internet host. We also require that the computational cost of sensor nodes is low. Our solution is heterogeneous online/offline signcryption (HOOSC). Concretely, we propose an efficient HOOSC scheme. We prove that the proposed scheme has the indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) under the bilinear Diffie-Hellman inversion problem (BDHIP) and existential unforgeability against adaptive chosen messages attacks (EUF-CMA) under the $q$-strong Diffie-Hellman problem ($q$-SDHP) in the random oracle model. Our scheme has the following characteristics: (i) It achieves confidentiality, integrity, authentication and non-repudiation in a logical single step. (ii) It allows a sensor node in the IBC to send a message to an Internet host in the PKI. (iii) It splits the signcryption into two phases: offline phase and online phase. In the offline part, most heavy computations are done without the knowledge of a message. In the online stage, only light computations are done when a message is known.

Signcryption [4] is a new cryptographic primitive that fulfills both the functions of digital signature and public key encryption in a logical single step, at a cost significantly lower than that required by the traditional signature-then-encryption approach. That is, signcryption can simultaneously achieves confidentiality, integrity, authentication and non-repudiation at a lower cost. The performance advantage of signcryption over the signature-then-encryption method makes signcryption useful in many applications, such as electronic commerce, mobile communications and smart cards. Some PKI-based signcryption schemes [5], [6], [7], [8] and IBC-based signcryption schemes [9], [10], [11], [12], [13] are proposed. However, these signcryption schemes are homogeneous and can not be used in heterogeneous communications.

In 2010, Sun and Li [14] proposed two heterogeneous signcryption schemes. The first scheme allows a sender in the PKI to send a message to a receiver in the IBC. The second scheme allows a sender in the IBC to send a message to a receiver in the PKI. But their schemes are only secure against outsider attacks (i.e., attacks made by an attacker who is neither the sender nor the receiver). Such signcryption schemes do not provide any kind of non-repudiation function. A stronger notion than outsider security is insider security [15]. The insider security means that (i) if a sender's secret key is exposed, an attacker is still not able to recover the message from the ciphertext and (ii) if a receiver's secret key is exposed, an attacker is still not able to forge a ciphertext. To achieve the insider security, Huang, Wong and Yang [16] proposed a heterogeneous signcryption scheme that allows a user in the IBC to send a message to a receiver in the PKI. Both [14] and [16] are not suitable for WSNs because the computational cost is high for signcrypting a message.

The rest of this paper is organized as follows. We introduce the preliminary work in Section II. We give the formal model of HOOSC in Section III. An efficient HOOSC scheme is proposed in Section IV. We analyze the proposed scheme in Section V. Finally, the conclusions are given in Section VI.

SECTION II

In this section, we briefly describe the basic definition and properties of the bilinear pairings.

Let $G_{1}$ be a cyclic additive group generated by $P$, whose order is a prime $p$, and $G_{2}$ be a cyclic multiplicative group of the same order $p$. A bilinear pairing is a map ${\mathhat{e}}$: $G_{1}\times G_{1}\rightarrow G_{2}$ with the following properties:

- Bilinearity: ${\mathhat{e}}(aP,bQ)={\mathhat{e}}(P,Q)^{ab}$ for all $P$, $Q\in G_{1}$, $a$, $b\in\BBZ_{p}^{\ast}$.
- Non-degeneracy: There exists $P$, $Q\in G_{1}$ such that ${\mathhat{e}}(P,Q)\ne 1$.
- Computability: There is an efficient algorithm to compute ${\mathhat{e}}(P,Q)$ for all $P$, $Q\in G_{1}$.

The modified Weil pairing and the Tate pairing are admissible maps of this kind. Please see [9], [10], [11], [12], [13] for more details. The security of our scheme relies on the hardness of the following problems.

Given two groups $G_{1}$ and $G_{2}$ of the same prime order $p$, a bilinear map ${\mathhat{e}}$: $G_{1}\times G_{1}\rightarrow G_{2}$ and a generator $P$ of $G_{1}$, the $q$-bilinear Diffie-Hellman inversion problem ($q$-BDHIP) in $(G_{1}, G_{2},{\mathhat{e}})$ is to compute ${\mathhat{e}}(P,P)^{1/\alpha}$ given $(P,\alpha P,\alpha^{2}P,\ldots,\alpha^{q}P)$. We call bilinear Diffie-Hellman inversion problem (BDHIP) when $q=1$.

The $(\epsilon,t)$-BDHIP assumption holds if no $t$-polynomial time adversary ${\cal C}$ has advantage at least $\epsilon$ in solving the BDHIP problem.

Given two groups $G_{1}$ and $G_{2}$ of the same prime order $p$, a bilinear map ${\mathhat{e}}$: $G_{1}\times G_{1}\rightarrow G_{2}$ and a generator $P$ of $G_{1}$, the $q$-strong Diffie-Hellman problem ($q$-SDHP) in $(G_{1}, G_{2},{\mathhat{e}})$ is to find a pair $(w,{{1}\over{\alpha+w}}P)\in\BBZ_{p}^{\ast}\times G_{1}$ given $(P,\alpha P,\alpha^{2}P,\ldots,\alpha^{q}P)$.

The $(\epsilon,t)$-$q$-SDHP assumption holds if no $t$-polynomial time adversary ${\cal C}$ has advantage at least $\epsilon$ in solving the $q$-SDHP problem.

SECTION III

In this section, we give the formal definition and security notions of HOOSC. This paper only discuss the case that senders belong to the IBC and receivers belong to the PKI.

A generic HOOSC scheme consists of the following five algorithms.

Setup: This is a probabilistic algorithm run by a PKG that takes as input a security parameter $k$, and outputs a master secret key $msk$ and the system parameters params that includes a master public key $mpk$.

IBC-KG: This is a key generation algorithm for IBC users. The user submits an identity $ID$ to its PKG. The PKG computes the corresponding secret key $sk$ and transmits it to the user in a secure way. Note that the user's public key $pk$ is identity $ID$. Such a public key does not need a digital certificate.

PKI-KG: This is a key generation algorithm for PKI users. The user chooses its secret key $sk$ and publishes the corresponding public key $pk$. This public key needs a digital certificate that is sign by its CA.

Off-Signcrypt: This is a probabilistic offline signcryption algorithm run by a sender that takes as input the system parameters param, a sender's private key $sk_{s}$ and a receiver's public key $pk_{r}$, and outputs an offline signcryption $\delta$.

On-Signcrypt: This is a probabilistic online signcryption algorithm run by a sender that takes as input the system parameters param, a message $m$ and an offline signcryption $\delta$, and outputs a full signcryption ciphertext $\sigma$.

Unsigncrypt: This is a deterministic unsigncryption algorithm run by a receiver that takes as input a ciphertext $\sigma$, a sender's public key $pk_{s}$ and the receiver's secret key $sk_{r}$, and outputs the plaintext $m$ or the symbol $\bot$ if $\sigma$ is an invalid ciphertext between the sender and the receiver.

These algorithms must satisfy the standard consistency constraint of HOOSC, i.e., if $\delta=Off\hbox{-}Signcrypt (sk_{s},pk_{r})$ and $\sigma=On\hbox{-}Signcrypt (m,\delta)$, then we have $m={Unsigncrypt}(\sigma,pk_{s},sk_{r})$. Note that we omit param in Off-Signcryptn, On-Signcryptn and Unsigncrypt for simplicity.

For secure communication for integrating WSNs into the Internet, a sensor node is regarded as a sender and an Internet host is regarded as a receiver. HOOSC provides a secure channel between the sensor node and the Internet host that supports end-to-end confidentiality, integrity, authentication and non-repudiation services. Fig. 1 shows the communication model for integrating WSNs into the Internet.

The standard security notions for signcryption are indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) (confidentiality) and existential unforgeability against adaptive chosen messages attacks (EUF-CMA) (unforgeability). We modify the notions in [9], [13] slightly to adapt for HOOSC.

For the IND-CCA2 security, we consider the following game played between a challenger ${\cal C}$ and an adversary ${\cal A}$.

Initial: ${\cal C}$ runs Setup algorithm with a security parameter $k$ and sends the system parameters and master secret key $msk$ to ${\cal A}$. In addition, ${\cal C}$ also runs PKI-KG algorithm to get a receiver's public/secret key pair $(pk_{r}^{\ast},sk_{r}^{\ast})$ and sends $pk_{r}^{\ast}$ to ${\cal A}$.

Phase 1: ${\cal A}$ performs a polynomially bounded number of unsigncryption queries in an adaptive manner. In an unsigncryption query, ${\cal A}$ submits a sender's identity $ID_{s}$ and a ciphertext $\sigma$. ${\cal C}$ runs Unsigncrypt $(\sigma,ID_{s},sk_{r}^{\ast})$ algorithm and sends the result to ${\cal A}$.

Challenge: ${\cal A}$ decides when Phase 1 ends. ${\cal A}$ generates two equal length plaintexts $m_{0}$ and $m_{1}$ and a sender's identity $ID_{s}^{\ast}$. ${\cal C}$ first runs IBC-KG algorithm to generate the sender's secret key $sk_{ID_{s}^{\ast}}$. Then ${\cal C}$ takes a random bit $\gamma\in\{0,1\}$ and computes $\delta^{\ast}=Off\hbox{-}Signcrypt (sk_{ID_{s}^{\ast}},pk_{r}^{\ast})$ and $\sigma^{\ast}=On\hbox{-}Signcrypt (m_{\gamma},\delta)$. Finally, ${\cal C}$ sends $\sigma^{\ast}$ to ${\cal A}$.

Phase 2: ${\cal A}$ can ask a polynomially bounded number of queries adaptively again as in the Phase 1. This time, it cannot make an unsigncryption query on $(\sigma^{\ast},ID_{s}^{\ast})$ to obtain the corresponding plaintext.

Guess: ${\cal A}$ produces a bit $\gamma^{\prime}$ and wins the game if $\gamma^{\prime}=\gamma$.

The advantage of ${\cal A}$ is defined as $Adv({\cal A})=\vert 2\Pr[\gamma^{\prime}=\gamma]-1\vert$, where $\Pr[\gamma^{\prime}=\gamma]$ denotes the probability that $\gamma^{\prime}=\gamma$.

A HOOSC scheme is $(\epsilon,t,q_{u})$-IND-CCA2 secure if no probabilistic $t$-polynomial time adversary ${\cal A}$ has advantage at least $\epsilon$ after at most $q_{u}$ unsigncryption queries in the IND-CCA2 game.

Note that the above definition catches insider security for confidentiality of signcryption since the adversary knows the master secret key $msk$ and all senders' secret keys [15]. The insider security ensures the forward security of the scheme, i.e., confidentiality is preserved in case the sender's secret key becomes compromised.

For the EUF-CMA security, we consider the following game played between a challenger ${\cal C}$ and an adversary ${\cal F}$.

Initial: ${\cal C}$ runs Setup algorithm with a security parameter $k$ and sends the system parameters to ${\cal F}$. In addition, ${\cal C}$ runs PKI-KG algorithm to get a receiver's public/secret key pair $(pk_{r}^{\ast},sk_{r}^{\ast})$ and sends $(pk_{r}^{\ast},sk_{r}^{\ast})$ to ${\cal F}$.

Attack: ${\cal F}$ performs a polynomially bounded number of key generation and signcryption queries in an adaptive manner. In a key generation query, ${\cal F}$ chooses an identity $ID$. ${\cal C}$ runs IBC-KG algorithm and sends corresponding secret key $sk_{ID}$ to ${\cal F}$. In a signcryption query, ${\cal F}$ produces a sender's identity $ID_{s}$ and a message $m$. ${\cal C}$ first runs IBC-KG algorithm to generate the sender's secret key $sk_{ID_{s}}$. Then ${\cal C}$ runs $\delta=Off\hbox{-}Signcrypt (sk_{ID_{s}},pk_{r}^{\ast})$ and $\sigma=On\hbox{-}Signcrypt (m,\delta)$ algorithms. Finally, ${\cal C}$ sends $\sigma$ to ${\cal F}$.

Forgery: ${\cal F}$ produces a sender's identity $ID_{s}^{\ast}$ and a ciphertext $\sigma^{\ast}$ and wins the game if the following conditions hold:

- $Unsigncrypt(\sigma^{\ast},ID_{s}^{\ast},sk_{r}^{\ast})=m^{\ast}$.
- ${\cal F}$ has not made a key generation query on $ID_{s}^{\ast}$.
- ${\cal F}$ has not made a signcryption query on $(m^{\ast},ID_{s}^{\ast})$.

The advantage of ${\cal F}$ is defined as the probability that it wins.

A HOOSC scheme is $(\epsilon,t,q_{k},q_{s})$-EUF-CMA secure if no probabilistic $t$-polynomial time adversary ${\cal F}$ has advantage at least $\epsilon$ after at most $q_{k}$ key generation queries and $q_{s}$ signcryption queries in the EUF-CMA game.

Note that the adversary knows the receiver's secret key $sk_{r}^{\ast}$ in the above definition. That is, the definition also catches the insider security for unforgeability of signcryption [15].

SECTION IV

In this section, we propose an efficient HOOSC scheme which is based on Barreto *et al.*'s signcryption scheme [13]. Our scheme allows a sender in the IBC to send a message to a receiver in the PKI. It consists of the following five algorithms.

Setup: Given a security parameter $k$, the PKG chooses groups $G_{1}$ and $G_{2}$ of prime order $p$ (with $G_{1}$ additive and $G_{2}$ multiplicative), a generator $P$ of $G_{1}$, a bilinear map ${\mathhat{e}}$: $G_{1}\times G_{1}\rightarrow G_{2}$, and hash functions $H_{1}$: $\{0,1\}^{\ast}\rightarrow\BBZ_{p}^{\ast}$, $H_{2}$: $\{0,1\}^{n}\times G_{2}\times G_{1}\rightarrow\BBZ_{p}^{\ast}$, and $H_{3}$: $G_{2}\rightarrow\{0,1\}^{n}$. Here $n$ is the number of bits of a message to be signcrypted. The PKG chooses a master secret key $s\in\BBZ_{p}^{\ast}$ randomly and computes the master public key $P_{pub}=sP$. The PKG also computes $g={\mathhat{e}}(P,P)$. The PKG publishes system parameters $\{G_{1},G_{2},n,{\mathhat{e}},P,P_{pub},g,H_{1},H_{2},H_{3}\}$ and keeps the master secret key $s$ secret.

IBC-KG: A user in the IBC submits its identity $ID$ to its PKG. The PKG computes the corresponding secret key $S_{ID}={{1}\over{H_{1}(ID)+s}}P$ and sends it to the user in a secure way. We will denote the sender by $ID_{s}$ and its key pair by $(pk_{s}=ID_{s},sk_{s}=S_{ID_{s}})$ in the following description.

PKI-KG: A user $u$ in the PKI chooses a random number $x_{u}$ from $\BBZ_{p}^{\ast}$ and computes $sk_{u}={{1}\over{x_{u}}}P$ as its secret key and $pk_{u}=x_{u}P$ as its public key. We will denote the receiver by $u=r$ and its key pair by $(pk_{r}=x_{r}P,sk_{r}={{1}\over{x_{r}}}P)$ in the following description.

Off-Signcrypt: Given a sender's secret key $S_{ID_{s}}$ and a receiver's public $pk_{r}$, this algorithm works as follows.

- Choose $x$, $\beta$ from $\BBZ_{p}^{\ast}$ randomly.
- Compute $r=g^{x}$.
- Compute $S=\beta S_{ID_{s}}$.
- Compute $T=xpk_{r}$.

The offline signcryption is $\delta=(x,r,\beta,S,T)$.

On-Signcrypt: Given a message $m$ and an offline signcryption $\delta$, this algorithm works as follows.

- Compute $c=m\oplus H_{3}(r)$.
- Compute $h=H_{2}(m,r,S)$.
- Compute $\theta=(x+h)\beta^{-1}\bmod p$.

The ciphertext is $\sigma=(c,\theta,S,T)$.

Unsigncrypt: Given a ciphertext $\sigma$, a sender's identity $ID_{s}$ and a receiver's secret key $sk_{r}$, this algorithm works as follows.

- Compute $r={\mathhat{e}}(T,sk_{r})$.
- Recover $m=c\oplus H_{3}(r)$.
- Compute $h=H_{2}(m,r,S)$.
- Accept the message if and only if $r={\mathhat{e}}(\theta S,H_{1}(ID_{s})P+P_{pub})g^{-h}$, return $\bot$ otherwise.

For secure communication for integrating WSNs into the Internet, a sensor node is regarded as a sender (the media access control address of the sensor node can be used for the identity $ID$) and an Internet host is regarded as a receiver. First, the sensor node is loaded with precomputed results $\delta=(x,r,\beta, S, T)$ of the offline phase from a more powerful device. When the sensor node wants to send a message $m$ to the Internet host, the sensor node runs $\sigma=On\hbox{-}Signcrypt (m,\delta)$ algorithm and sends the ciphertext $\sigma$ to the Internet host. In this process, the sensor node only does light computations, such as exclusive OR, hash function, modular multiplication and modular inverse. When receiving the ciphertext $\sigma$, the Internet host runs $m={\it Unsigncrypt}(\sigma,ID_{s},sk_{r})$ algorithm to obtain the message $m$. Our scheme simultaneously achieves confidentiality, integrity, authentication and non-repudiation. Fig. 2 shows steps for secure communication using our scheme.

SECTION V

In this section, we analyze the consistency, security and performance of the proposed scheme.

Now we verify the consistency of the proposed scheme. First, since TeX Source $$\eqalignno{{\mathhat{e}}(T,sk_{r})=&\,{\mathhat{e}}(xpk_{r},{{1}\over{x_{r}}}P)\cr=&\,{\mathhat{e}}(xx_{r}P,{{1}\over{x_{r}}}P)\cr=&\,{\mathhat{e}}(P,P)^{x}\cr=&\, g^{x}\cr=&\, r}$$ we can recover the message by computing $m=c\oplus H_{3}(r)$. Second, since $\theta S=(x+h)\beta^{-1}\beta S_{ID_{s}}=(x+h)S_{ID_{s}}$, we can verify the signature by TeX Source $$\eqalignno{&\,{\mathhat{e}}(\theta S,H_{1}(ID_{s})P+P_{pub})g^{-h}\cr=&\,{\mathhat{e}}((x+h)S_{ID_{s}}, (H_{1}(ID_{s})+s)P)g^{-h}\cr=&\,{\mathhat{e}}((x+h){{1}\over{H_{1}(ID_{s})+s}}P, (H_{1}(ID_{s})+s)P)g^{-h}\cr=&\,{\mathhat{e}}((x+h)P,P)g^{-h}\cr=&\,{\mathhat{e}}(P,P)^{(x+h)}g^{-h}\cr=&\, g^{(x+h)}g^{-h}\cr=&\, g^{x}\cr=&\, r}$$

We prove that the proposed scheme satisfies IND-CCA2 and EUF-CMA by the following Theorems 1 and 2, respectively.

In the random oracle model, if an adversary ${\cal A}$ has a non-negligible advantage $\epsilon$ against the IND-CCA2 security of the proposed scheme when running in a time $t$ and performing $q_{u}$ unsigncryption queries and $q_{H_{i}}$ queries to oracles $H_{i}$ ($i=1$, 2, 3), then there exists an algorithm ${\cal C}$ that can solve the BDHIP with an advantage $\epsilon^{\prime}\geq{{\epsilon}\over{2q_{H_{2}}+q_{H_{3}}}}(1-{{q_{u}}\over{2^{k}}})$ in a time $t^{\prime}\leq t+O(q_{u})t_{p}+O(q_{u}q_{H_{2}})t_{e}$, where $t_{p}$ denotes the cost for one pairing computation and $t_{e}$ denotes the cost for an exponentiation computation in $G_{2}$.

We show how ${\cal C}$ can use ${\cal A}$ as a subroutine to solve a random given instance $(P,\alpha P)$ of the BDHIP.

Initial: ${\cal C}$ chooses a master secret key $s\in\BBZ_{p}^{\ast}$ randomly and sets master public key $P_{pub}=sP$. ${\cal C}$ also sets the receiver's public key $pk_{r}^{\ast}=\alpha P$ and $g={\mathhat{e}}(P,P)$. Then ${\cal C}$ sends the system parameters and the receiver's public key $pk_{r}^{\ast}$ to ${\cal A}$.

Phase 1: ${\cal C}$ simulates ${\cal A}$'s challenger in the IND-CCA2 game. ${\cal C}$ maintains three lists $L_{1}$, $L_{2}$ and $L_{3}$ to simulate the hash oracles $H_{1}$, $H_{2}$ and $H_{3}$, respectively. We assume that $H_{1}$ queries are distinct and that ${\cal A}$ will ask for $H_{1}(ID)$ before $ID$ is used in any other queries.

- $H_{1}$ queries: For a $H_{1}(ID_{i})$ query, ${\cal C}$ first checks if the value of $H_{1}$ was previously defined for the input $ID_{i}$. If it was, the previously defined value is returned. Otherwise, ${\cal C}$ returns a random $h_{1,i}\;\in\BBZ_{p}^{\ast}$ as the answer and inserts the pair $(ID_{i},h_{1,i})$ into the list $L_{1}$.
- $H_{2}$ queries: For a $H_{2}(m_{i},r_{i},S_{i})$ query, ${\cal C}$ first checks if the value of $H_{2}$ was previously defined for the input $(m_{i},r_{i},S_{i})$. If it was, the previously defined value is returned. Otherwise, ${\cal C}$ returns a random $h_{2,i}\in\BBZ_{p}^{\ast}$ as the answer. In addition, ${\cal C}$ simulates random oracle on its own to obtain $h_{3,i}=H_{3}(r_{i})\in\{0,1\}^{n}$ and computes $c_{i}=m_{i}\oplus h_{3,i}$ and $\xi_{i}=r_{i}\cdot{\mathhat{e}}(P,P)^{h_{2,i}}$. Finally, ${\cal C}$ inserts the tuple $(m_{i},r_{i},S_{i},h_{2,i},c_{i},\xi_{i})$ into the list $L_{2}$.
- $H_{3}$ queries: For a $H_{3}(r_{i})$ query, ${\cal C}$ first checks if the value of $H_{3}$ was previously defined for the input $r_{i}$. If it was, the previously defined value is returned. Otherwise, ${\cal C}$ randomly chooses $h_{3,i}$ from $\{0,1\}^{n}$, returns $h_{3,i}$ as an answer and inserts the tuple $(r_{i},h_{3,i})$ into the list $L_{3}$.
- Unsigncryption queries: At any time ${\cal A}$ can perform an unsigncryption query for a ciphertext $\sigma=(c,\theta,S,T)$ and a sender's identity $ID_{i}$. ${\cal C}$ runs the $H_{1}$ simulation algorithm to find $h_{1,i}=H_{1}(ID_{i})$ and computes the sender's private key $S_{ID_{i}}={{1}\over{h_{1,i}+s}}P$. For all valid ciphertexts, we have $\log_{S_{ID_{i}}}(\theta S{-}hS_{ID_{i}})=\log_{pk_{r}^{\ast}}T$, where $h=H_{2}(m,r,S)$. Therefore, the following equation holds ${\mathhat{e}}(T,S_{ID_{i}})={\mathhat{e}}(pk_{r}^{\ast},\theta S-hS_{ID_{i}}). {\cal C}$ first computes $\xi={\mathhat{e}}(\theta S,pk_{r}^{\ast})$ and then searches $L_{2}$ for the entries of the form $(m_{i},r_{i},S_{i},h_{2,i},c,\xi)$ indexed by $i\in\{1,\ldots,q_{H_{2}}\}$. If no an entry is found, $\sigma$ is rejected. Otherwise, ${\cal C}$ further checks if the following equation holds for the corresponding indexes ${{{\mathhat{e}}(T,S_{ID_{i}})}\over{{\mathhat{e}}(pk_{r}^{\ast},\theta S)}}={\mathhat{e}}(pk_{r}^{\ast},S_{ID_{i}})^{-h_{2,i}}$. If the unique $i\in\{1,\ldots,q_{H_{2}}\}$ satisfying the above equation is found, the matching message $m_{i}$ is returned. Otherwise, $\sigma$ is rejected. It is easy to see that, for all queries, the probability to reject a valid ciphertext does not exceed ${{q_{u}}\over{2^{k}}}$.

Challenge: ${\cal A}$ generates two equal length plaintexts $m_{0}$ and $m_{1}$ and the sender's identity $ID_{s}^{\ast}$ on which it wishes to be challenged. ${\cal C}$ chooses $c^{\ast}\in\{0,1\}^{n}$, $\lambda$, $\theta^{\ast}\in\BBZ_{p}^{\ast}$, $S^{\ast}\in G_{1}$ randomly and computes $T^{\ast}=\lambda P$. ${\cal C}$ returns the ciphertext $\sigma^{\ast}=(c^{\ast},\theta^{\ast},S^{\ast},T^{\ast})$ to ${\cal A}$. ${\cal A}$ cannot recognize that $\sigma^{\ast}$ is not a valid ciphertext unless it queries $H_{2}$ or $H_{3}$ on ${\mathhat{e}}(P,P)^{\lambda/\alpha}$.

Phase 2: ${\cal A}$ can ask a polynomially bounded number of queries adaptively again as in the Phase 1 with the restriction that it cannot make an unsigncryption query on $\sigma^{\ast}$ to obtain the corresponding plaintext. ${\cal C}$ answer ${\cal A}$'s queries as in the Phase 1.

Guess: ${\cal A}$ produces a bit $\gamma^{\prime}$ which is ignored by ${\cal C}$.

${\cal C}$ fetches a random entry $(m_{i},r_{i},S_{i},h_{2,i},c_{i},\xi_{i})$ or $(r_{i},h_{3,i})$ from the lists $L_{2}$ or $L_{3}$. Since $L_{3}$ contains no more than $q_{H_{2}}+q_{H_{3}}$ records, the chosen entry will contain the right element $r_{i}={\mathhat{e}}(P,P)^{\lambda/\alpha}$ with probability $1/(2q_{H_{2}}+q_{H_{3}})$. The BDHIP can be extracted by computing $({\mathhat{e}}(P,P)^{\lambda/\alpha})^{\lambda^{-1}}$.

This completes the description of the simulation. It remains to analyze ${\cal C}$'s advantage. Define the event $E$ as that ${\cal C}$ aborts in an unsigncryption query because of rejecting a valid ciphertext.

From the above analysis, we know that the probability of ${\cal C}$ not aborting is $\Pr[\neg{\rm abort}]=\Pr[\neg E]$. We know that $\Pr[E]\leq q_{u}/2^{k}$. So we have $\Pr[\neg{\rm abort}]\geq (1-{{q_{u}}\over{2^{k}}})$. In addition, ${\cal C}$ selects the correct element from $L_{2}$ or $L_{3}$ with probability $1/(2q_{H_{2}}+q_{H_{3}})$. Therefore, we have $\epsilon^{\prime}\geq{{\epsilon}\over{2q_{H_{2}}+q_{H_{3}}}}(1-{{q_{u}}\over{2^{k}}})$.

The bound on ${\cal C}$'s computation time derives from the fact that ${\cal C}$ needs $O(q_{u})$ pairing calculations and $O(q_{u}q_{H_{2}})$ exponentiations in $G_{2}$ in the unsigncryption queries. $\blackboxfill$

In the random oracle model, if an adversary ${\cal F}$ has an advantage $\epsilon\geq 10(q_{s}+1)(q_{s}+q_{H_{2}})/2^{k}$ against the EUF-CMA security of the proposed scheme when running in a time $t$ and performing $q_{s}$ signcryption queries and $q_{H_{i}}$ queries to oracles $H_{i}$ ($i=1$, 2, 3), then there exists an algorithm ${\cal C}$ that can solve the $q$-SDHP for $q=q_{H_{1}}$ in expected time $t^{\prime}\leq 120686q_{H_{1}}q_{H_{2}}{{t+O(q_{s}t_{p})}\over{\epsilon (1-1/2^{k})(1-q/2^{k})}}+O(q^{2}t_{m})$, where $t_{p}$ denotes the cost for one pairing computation and $t_{m}$ denotes the cost for a scalar multiplication computation in $G_{1}$.

Similar to [13], we use the forking lemma [17] to prove the security of our scheme. To use the forking lemma, we need to show how the proposed scheme fits into the signature scheme described in [17], the simulation step in which the signature can be simulated without the secret signcryption key of the sender, and how we can solve $q$-SDHP based on the forgery.

First, we observe that our scheme satisfies the requirement described in [17]. During the signcryption of message $m$, the tuple $(\sigma_{1},h,\sigma_{2})$ is produced which corresponds to the required three-phase honest-verifier zero-knowledge identification protocol, where $\sigma_{1}=r$ is the commitment of the prover, $h=H_{2}(m,r,S)$ is the hash value depending on $m$ and $\sigma_{1}$ substituted for the verifier's challenge, and $\sigma_{2}=\theta S$ is the response of the prover which depends on $\sigma_{1}$, $h$ and the signcryption private key $S_{ID_{s}}$.

Next, we show ${\cal C}$ can provide a faithful simulation to ${\cal F}$ and solve the $q$-SDHP by interacting with ${\cal F}$. ${\cal C}$ takes as input $(P,\alpha P,\alpha^{2}P,\ldots,\alpha^{q}P)$ and aims to find a pair $(w,{{1}\over{\alpha+w}}P)$. ${\cal C}$ simulates ${\cal F}$'s challenger in the EUF-CMA game. ${\cal F}$ then adaptively performs key generation and signcryption queries as explained in the EUF-CMA game. We describe this process as follows.

Initial: First, ${\cal C}$ chooses $w_{1}$, $w_{2}\ldots,w_{q-1}\in\BBZ_{p}^{\ast}$ randomly. ${\cal C}$ takes $(P,\alpha P,\alpha^{2}P,\ldots,\alpha^{q}P)$ as input to compute a generator $Q\in G_{1}$ and another element $Q_{pub}=\alpha Q\in G_{1}$ such that it knows $q-1$ pairs $(w_{i},V_{i}={{1}\over{\alpha+w_{i}}}Q)$ for $i\in\{1,\ldots,q-1\}$ as in the proof technique of [18]. To do so, ${\cal C}$ expands the polynomial $f(z)=\prod_{i=1}^{q-1}(z+w_{i})=\sum_{j=0}^{q-1}c_{j}z^{j}$. A generator $Q$ and an element $Q_{pub}$ are then obtained as $Q=\sum_{j=0}^{q-1}c_{j}(\alpha^{j}P)=f(\alpha)P$ and $Q_{pub}=\sum_{j=1}^{q}c_{j-1}(\alpha^{j}P)=\alpha f(\alpha)P=\alpha Q$. As in [18], the pairs $(w_{i},V_{i})$ are obtained by expanding $f_{i}(z)={{f(z)}\over{z+w_{i}}}=\sum_{j=0}^{q-2}d_{j}z^{j}$ and computing $V_{i}=\sum_{j=0}^{q-2}d_{j}(\alpha^{j}P)=f_{i}(\alpha)P={{f(\alpha)}\over{\alpha+w_{i}}}P={{1}\over{\alpha+w_{i}}}Q$. The PKG's public key is $Q_{pub}$ and its corresponding master secret key is $\alpha$.

${\cal C}$ sends ${\cal F}$ the system parameters with the generator $Q$, $Q_{pub}=\alpha Q$ and $g={\mathhat{e}}(Q,Q)$. ${\cal C}$ chooses a random challenge identity $ID_{s}^{\ast}\in\{0,1\}^{\ast}$ and sends it to ${\cal F}$. In addition, ${\cal C}$ runs PKI-KG algorithm to get a receiver's public/secret key pair $(pk_{r}^{\ast},sk_{r}^{\ast})$ and sends $(pk_{r}^{\ast},sk_{r}^{\ast}) {\cal F}$.

Attack: ${\cal C}$ simulates ${\cal F}$'s challenger in the EUF-CMA game. ${\cal C}$ maintains three lists $L_{1}$, $L_{2}$ and $L_{3}$ to simulate the hash oracles $H_{1}$, $H_{2}$ and $H_{3}$, respectively. We also assume that $H_{1}$ queries are distinct and that ${\cal F}$ will ask for $H_{1}(ID)$ before $ID$ is used in any other queries.

- $H_{1}$ queries: These queries are indexed by a counter $\nu$ that is initially set to 1. If $ID=ID_{s}^{\ast}$, ${\cal C}$ returns a random $w_{s}\in\BBZ_{p}^{\ast}$ as the answer. Otherwise, ${\cal C}$ returns $w_{\nu}$ as the answer and increments $\nu$. In both cases, ${\cal C}$ puts the tuple $(ID,w)$ (where $w=w_{s}$ or $w_{\nu}$) into the list $L_{1}$.
- $H_{2}$ queries: For a $H_{2}(m_{i},r_{i},S_{i})$ query, ${\cal C}$ first checks if the value of $H_{2}$ was previously defined for the input $(m_{i},r_{i},S_{i})$. If it was, the previously defined value is returned. Otherwise, ${\cal C}$ returns a random $h_{2,i}\in\BBZ_{p}^{\ast}$ as the answer.
- $H_{3}$ queries: For a $H_{3}(r_{i})$ query, ${\cal C}$ first checks if the value of $H_{3}$ was previously defined for the input $r_{i}$. If it was, the previously defined value is returned. Otherwise, ${\cal C}$ randomly chooses $h_{3,i}$ from $\{0,1\}^{n}$, returns $h_{3,i}$ as an answer and inserts the tuple $(r_{i},h_{3,i})$ into the list $L_{3}$.
- Key generation queries: When ${\cal F}$ makes a key generation query on an identity $ID_{i}$, if $ID_{i}=ID_{s}^{\ast}$, then ${\cal C}$ fails and stops. Otherwise, ${\cal C}$ knows $H_{1}(ID_{i})=w_{i}$ and returns $V_{i}={{1}\over{\alpha+w_{i}}}Q$ to ${\cal F}$.
- Signcryption queries: ${\cal F}$ chooses a plaintext $m$ and a sender's identity $ID_{i}$. If $ID_{i}\ne ID_{s}^{\ast}$, then ${\cal C}$ knows the sender's private key $S_{ID_{i}}=V_{i}$ and can answer the query according to the steps of Off-Signcrypt and On-Signcrypt. If $ID_{i}=ID_{s}^{\ast}$, ${\cal C}$ does the following steps.
- Choose $\eta$, $\theta$, $h\in\BBZ_{p}^{\ast}$ randomly.
- Compute $S=\theta^{-1}\eta sk_{r}^{\ast}$.
- Compute $T=\eta (w_{j}Q+Q_{pub})-hpk_{r}^{\ast}$.
- Compute $r={\mathhat{e}}(T,sk_{r}^{\ast})$.
- Patch the hash value $H_{2}(m,r,S)$ to $h$. ${\cal C}$ fails if $H_{2}$ is already defined but this only happens with probability $(q_{s}+q_{H_{2}})/2^{k}$.
- Compute $c=m\oplus H_{3}(r)$.
- Return $\sigma=(c,\theta,S,T)$ to ${\cal F}$.

Next, we coalesce the sender identity $ID_{s}^{\ast}$ and the message $m$ into a “generalized” forged message $(ID_{s}^{\ast},m)$ so as to hide the identity-based aspect of the EUF-CMA attacks, and simulate the setting of an identity-less adaptive-CMA existential forgery for which the forking lemma is proven.

From the forking lemma, if ${\cal F}$ is an efficient forger in the above interaction, then we can construct a Las Vegas machine ${\cal F}^{\prime}$ that outputs two signed messages $((ID_{s}^{\ast},m),h,\theta,S)$ and $((ID_{s}^{\ast},m),h^{\ast},\theta^{\ast},S^{\ast})$ with $h\ne h^{\ast}$ and the same commitment.

Finally, to solve the $q$-SDHP based on the machine ${\cal F}^{\prime}$ derived from ${\cal F}$, we construct a machine ${\cal C}$ as follows.

- ${\cal C}$ gets two distinct signatures $((ID_{s}^{\ast},m),h,\theta,S)$ and $((ID_{s}^{\ast},m),h^{\ast},\theta^{\ast},S^{\ast})$ by running ${\cal F}^{\prime}$.
- ${\cal C}$ computes $V^{\ast}=(h-h^{\ast})^{-1}(\theta S-\theta^{\ast}S^{\ast})={{1}\over{\alpha+w_{s}}}Q={{f(\alpha)}\over{\alpha+w_{s}}}P$.
- ${\cal C}$ uses long division and writes the polynomial $f$ as $f(z)=\psi (z)(z+w_{s})+\psi_{-1}$ for some polynomial $\psi (z)=\sum_{i=0}^{q-2}\psi_{i}z^{i}$ and some $\psi_{-1}\in Z_{p}^{\ast}$. Then ${{f(z)}\over{z+w_{s}}}$ can be written as ${{f(z)}\over{z+w_{s}}}=\psi (z)+{{\psi_{-1}}\over{z+w_{s}}}=\sum_{i=0}^{q-2}\psi_{i}z^{i}+{{\psi_{-1}}\over{z+w_{s}}}$. Hence, ${\cal C}$ can compute ${{1}\over{\alpha+w_{s}}}P={{1}\over{\psi_{-1}}}(V^{\ast}-\sum_{i=0}^{q-2}\psi_{i}(x^{i}P))$.
- ${\cal C}$ outputs $(w_{s},{{1}\over{\alpha+w_{s}}}P)$ as the solution of $q$-SDHP.

From the forking lemma and the lemma on the relationship between given-identity attack and chosen-identity attack [19], if ${\cal F}$ succeeds in a time $t$ with probability $\epsilon\geq 10(q_{s}+1)(q_{s}+q_{H_{2}})/2^{k}$, then ${\cal C}$ can solve the $q$-SDHP in expected time $t^{\prime}\leq 120686q_{H_{1}}q_{H_{2}}{{t+O(q_{s}t_{p})}\over{\epsilon (1-1/2^{k})(1-q/2^{k})}}+O(q^{2}t_{m})$. $\blackboxfill$

We compare the major computational cost, security, key size, ciphertext size and offline storage of our scheme with those of existing schemes [14], [16] in Table I. We assume that $\vert G_{1}\vert=160 {\rm bits}$, $\vert G_{2}\vert=1024 {\rm bits}$, $\vert p\vert=160 {\rm bits}$, $\vert m\vert=160 {\rm bits}$ and $\vert ID\vert=160$. In the “Schemes” column, SL is the original version in [14] that has not the non-repudiation since a receiver can generate the same ciphertext as a sender does. Of course, we can use a proper signature scheme [19], [20] to get the non-repudiation property. However, we need another two pairings computation. HWY-I and HWY-II are the first scheme and second scheme, respectively in [16]. For simplicity, we only consider the pairing and point multiplication operations since the two operations take the most running time of the whole algorithm [21]. The other operations are ignored. We denote by M the point multiplication in $G_{1}$ and P the pairing computation in the “Computational cost” column. In the “Security” column, CCA2, CMA and IS denotes IND-CCA2, EUF-CMA and insider security, respectively. In the “Key size” column, we consider the sum size of public key and secret key. From Table I, we can see that SL does not satisfy insider security. HWY-I, HWY-II and our scheme satisfy insider security. Our scheme splits the signcryption into two phases: offline phase and online phase. Two point multiplication operations have been precomputed offline. The online phase is very efficient and does not need any pairing and point multiplication operations. That is, our scheme can complete quickly the entire signcryption process when a message is available. Therefore, our scheme is very suitable to provide security solution for sensor nodes. The key size of PKI users in all schemes is 320 bits. For IBC users, SL and our scheme are the same and are 320 bits. HWY-I and HWY-II are 480 bits. For ciphertext length, SL and our scheme are 640 bits. HWY-I and HWY-II are 960 bits. Of course, our scheme needs an offline storage with 1824 bits.

We adopt the experiment in [22] on MICA2 that is equipped with an ATmega128 8-bit processor clocked at 7.3728 MHz, 4 KB RAM and 128 KB ROM. A point multiplication needs 0.81s using an elliptic curve with 160 bits $p$. According to [23], a pairing computation on MICA2 needs 2.66s. Fig. 3 roughly shows the time for signcrypt a message in SL, HWY-I, HWY-II and our scheme. SL, HWY-I and HWY-II need 2.66s, 2.43s and 1.62s, respectively. The time of our scheme is negligible. As compared with SL, HWY-I, HWY-II, our scheme is most suitable for integrating WSNs into the Internet as part of the IoT. For energy consumption, a point multiplication uses 19.1 mJ and a pairing uses 62.73 mJ [22], [23]. To signcrypt a message, SL, HWY-I and HWY-II roughly uses 62.73 mJ, 57.3 mJ and 38.2 mJ, respectively. The computational energy consumption of our scheme is negligible. From [24], we know that MICA2 costs 4.12 $\mu{\rm J}$ to transmit a bit. For energy cost for communication, SL, HWY-I, HWY-II and our scheme costs 2.64 mJ, 3.96 mJ, 3.96 mJ and 2.64 mJ, respectively.

SECTION VI

In this paper, we proposed a heterogeneous online/offline signcryption scheme. It allows a sensor node in the IBC to send a message to an Internet host in the PKI. Our scheme adopted both online/offline technique and IBC technique to greatly reduce the computational cost of sensor nodes. The scheme setups a secure channel between a sensor node and an Internet host that supports end-to-end confidentiality, integrity, authentication and non-repudiation services. This method provides a new security solution for integrating WSNs into the Internet as part of the IoT.

This work was supported by the National Natural Science Foundation of China under Grants 60803133, 61073176, 61003230, 61003232, 61103207, 61272404 and 61272525. The associate editor coordinating the review of this paper and approving it for publication was Prof. Rose Qingyang Hu.

The authors are with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China (e-mail: fagenli@uestc.edu.cn; 276878323@qq.com).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

No Data Available

No Data Available

None

No Data Available

- This paper appears in:
- No Data Available
- Issue Date:
- No Data Available
- On page(s):
- No Data Available
- ISSN:
- None
- INSPEC Accession Number:
- None
- Digital Object Identifier:
- None
- Date of Current Version:
- No Data Available
- Date of Original Publication:
- No Data Available

Normal | Large

- Bookmark This Article
- Email to a Colleague
- Share
- Download Citation
- Download References
- Rights and Permissions