Accepted Manuscript

Practical access control for sensor networks in the context of the Internet of Things

Fagen Li, Yanan Han, Chunhua Jin

PII: DOI:

Reference:

S0140-3664(16)30065-2 10.1016/j.comcom.2016.03.007 COMCOM 5276

To appear in:

Computer Communications

Received date: Revised date: Accepted date:

13 June 2015 26 January 2016 8 March 2016

Please cite this article as: Fagen Li, Yanan Han, Chunhua Jin, Practical access control for sensor networks in the context of the Internet of Things, Computer Communications (2016), doi: 10.1016/j.comcom.2016.03.007

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Practical access control for sensor networks in the context of the Internet of

Things^

Fagen Li*, Yanan Han, Chunhua Jin

School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731,

Abstract

Wire,« «.wort (WSN) p,ays a„ „„porta»,. t„,e i„ m„i«ary s»si»g and rtaddng, ^ «radong,

and environment monitoring. To query of the network to get useful information from anywhere and anytime, we need to integrate the WSN into the Internet as part of the Internet of Things (IoT). In this case, it is an important task to design an access control scheme that can authorize, authenticate and revoke a user to access the WSN. In this paper, we propose a heterogeneous signcryption scheme to control the access behavior of the users. We give the formal security proof of our scheme in the random oracle model. An important characteristic of our scheme is to allow a user in a certificateless cryptography (CLC) environment to send a message to a sensor node in an identity-based cryptography (IBC) environment. We give an access control scheme for the WSN in the context of the IoT using the proposed signcryption scheme. As compared with existing two access control schemes using signcryption, the computational cost of sensors in our scheme is reduced by about 22% and 53%, respectively and the energy consumption of sensors in our scheme is reduced by about 33% and 54%, respectively. Keywords:

Internet of Things, Security, Signcryption, Certificateless cryptography, Identity-based cryptography.

1. Introductio

isor net

Wireless sensor ne works (WSNs) are ad hoc ne works which usually are composed of a large number of tiny sensor nodes with the capabilities of sensing, computation and communication [1]. WSNs have important application value in military sensing and tracking, target tracking, environment monitoring, and so on. For example, we can deploy a WSN to monitor the efficiency of each industrial equipment by measuring vibration, temperature, pressure, power quality, and so on. If a factory personnel find a potential

☆This work is supported by the National Natural Science Foundation of China (Grant Nos. 61073176, 61272525, 61302161 and 61462048) and the Fundamental Research Funds for the Central Universities (Grant No. ZYGX2013J069).

* Corresponding author Email address: fagenli@uestc.edu.cn (Fagen Li)

Preprint submitted to Computer Communications

March 15, 2016

problem by collecting the data from the WSN, he or she may repair or replace the equipment before the efficiency of the equipment drops or the equipment fails entirely. As compared with the traditional wired industrial monitoring system, industrial WSNs have lower cost for development and maintenance and higher flexibility and intelligent process capability [2, 3]. While the WSNs provide a great flexibility for establishing communications, it also brings a lot of technical challenges. In [2], Gungor and Hancke gave eight technical challenges for the WSNs. The fifth challenge is the security due to all the characteristics of these networks, such as open nature of wireless communication, dynamically changing topology, and the limited capabilities of sensor nodes in terms of processing power, storage, bandwidth, and energy. The eighth challenge is the integration with the Internet. To query of the WSNs to get useful information from anywhere and anytime, we need to integrate the WSNs into the Internet as part of the Internet of Things (IoT). We have three methods to achieve this integration, front-end proxy solution, gateway solution and TCP/IP overlay solution [4]. In the front-end proxy solution, the sensor nodes can not communicate with the Internet hosts directly. The base station acts as an interface between the WSNs and the Internet and parses all incoming and outgoing information. That is, the users issue data queries to sensor nodes through the base station and the base station forwards the corresponding results to the users. The weakness of this solution is that the base station may become the bottleneck and the single point of failure. In both gateway solution and TCP/IP overlay solution, the sensor nodes can directly communicate with the Internet hosts. In the gateway solution, the base station plays the role of an application layer gateway that translates the lower layer protocols from both networks. In the TCP/IP overlay solution, sensor nodes use TCP/IP to communicate with other nodes. The base station plays the role of a router that forwards the packets from and to the sensor nodes.

In order to prevent abuse of the data collected by the WSNs, only authorized users are allowed to access the WSNs. However, it is not an easy thing to design an access control scheme for the WSNs in the context of the IoT since the resource of the sensor nodes is very limited.

1.1. Related work

In 2009, Le et al. [5] proposed an energy-efficient access control scheme for the WSNs using elliptic curve cryptography. The advantage of elliptic curve cryptography is that it can afford comparable security level to the other public key cryptography such as RSA [6] with smaller key size. For example, to obtain the 80-bit security level, the modulus size of RSA should be 1024 bits but the key size of elliptic curve cryptography only needs 160 bits. In 2011, He et al. [7] proposed a privacy-preserving access control scheme for the WSNs using ring signature technique [8, 9]. The ring signature allows a signer to anonymously sign a message on behalf of a set of users including itself. It protects the privacy of the signer since the verifier knows that the message comes from a member of a ring, but does not know exactly who the signer is. In 2012, Zhang, Zhang and Ren [10] gave a new solution for privacy-preserving access control scheme for the WSNs

using blind signature technique. Yu, Ren and Lou [11] gave a fine-grained data access control scheme for the WSNs using attribute-based encryption [12]. Recently, Yu et al. [13] (hereafter called YHZXZ) and Ma, Xue and Hong [14] (hereafter called MXH) used signcryption [15] approach to design the access control for the WSNs. The use of signcryption is very novel and efficient for the WSNs application because it simultaneously authenticates the users and protects the query messages with a low cost. Signcryption is a cryptographic primitive that performs both the functions of digital signature and public key encryption in a logical single step, with a cost significantly lower than that required by the traditional signature-then-encryption or encryption-then-signature methods. That is, signcryption can simultaneously accomplishes confidentiality, integrity, authentication and non-repudiation with a lower cost. However, these schemes [13, 14] are based on the traditional public key infrastructure (PKI). In the PKI, each user has a private key and a corresponding public key. In order to ensure the authenticity of the public key, a certificate authority (CA) needs to issue a digital certificate that affords an unforgeable and trusted link between the public key and the identity of a user by the digital signature of the CA. The main difficulty of the traditional PKI is the certificates management, including distribution, storage and revocation. Furthermore, each user should verify the validity of a certificate before using the public key described in this certificate. If the certificate is valid, the public key is believable and the user can use it. Otherwise, the user can not use the public key in any cryptographic operation. For the access control for WSNs in the context of the IoT, it is a heavy burden for the sensor nodes to verify the validity of the public key certificates. To reduce the burden of the sensor nodes, identity-based cryptography (IBC) [16] was proposed to design the security schemes for the WSNs [17, 18, 19, 20]. As compared with the traditional PKI, the main advantage of the IBC is the elimination of public key certificates. In the IBC, a user's public key is computed from its identity information, such as telephone numbers, IP addresses and email addresses. There exists a trusted third party called private key generator (PKG) who is in charge of the generation of private keys for all users. Authenticity of a public key is explicitly verified without a certificate. So the IBC is a good choice for design the security for the WSNs. However, the lightweight IBC has the key escrow problem since the PKG knows all users' private keys [16]. IBC is only suitable for small networks, such as the WSNs, and is not suitable for large-scale networks, such as the Internet. For design an access control scheme for the WSNs in the context of the IoT, a possible solution is that the WSNs part uses the IBC and the Internet part uses the PKI.yThere exist such signcryption schemes [21, 22]. However, in these solutions, when an Internet user issues a query to the WSNs, the sensor nodes need to check if the Internet user has been authorized. The sensor nodes still need to verify the public key certificate since the Internet user belongs to the PKI.

1.2. Motivation and contribution

The motivation of the paper is to design a practical access control scheme without certificates for WSNs in the context of the IoT. Only authorized Internet users can access the WSNs and the query messages

are protected. The protection of the query messages is very important for preserving the privacy of the users [14]. Different to [13] and [14], our solution uses a novel heterogeneous signcryption (HSC) in which the senders belong to the certificateless cryptography (CLC) environment [23] and the receivers belong to the IBC environment. The CLC does not require the use of certificates and yet does not has the built-in key escrow problem of IBC. The CLC still needs a trusted third party called the key generating center (KGC) who is responsible for generating a partial private key using a user's identity and a master key. The user then combines the partial private key with some secret value to generate a full private key which is unknown to the KGC. We show that the novel heterogeneous signcryption scheme has the indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) under the gap bilinear Diffie-Hellman (GBDH) problem and existential unforgeability against adaptive chosen messages attacks (EUF-CMA) under the gap Diffie-Hellman (GDH) and computational Diffie-Hellman (CDH) problems in the random oracle model. An important characteristic of our scheme is heterogeneous. That is, senders and receivers belong to two different cryptographic environments. It allows a sender in the CLC environment to transmit a message to a receiver in the IBC environment. In addition, our scheme has the ciphertext authenticity that allows we shift the computational cost of the sensor nodes to the gateway. We give an access control scheme for the WSNs in the context of the IoT using the novel signcryption scheme. As compared with existing two access control schemes using signcryption, the computational cost of the sensor node in our scheme is reduced by about 22% and 53%, respectively and the energy consumption of the sensor node in our scheme is reduced by about 33% and 54%, respectively.

1.3. Organization

The rest of the paper is arranged as follows. The network model, security requirements and bilinear pairings are introduced in Section 2. The novel heterogeneous signcryption scheme is proposed in Section 3. We give the access control scheme for the WSNs in the context of the IoT in Section 4. Finally, the conclusions are given i

2. Preliminar

In this section, we give the network model, security requirements and bilinear pairings. 2.1. Network model

Fig. 1 shows the overview of the network model. The model consists of four kinds of entities, a service provider (SP), the sensor nodes, a gateway and the Internet hosts (users). The SP deploys a WSN that collects the monitoring data. The users who want to access the WSN should be authorized by the SP. Anyone without authorization can not access the WSN. The SP takes charge of the registration for sensor nodes and users and generates the private keys for sensor nodes and partial private keys for users. That is,

Identity-based cryptography

Certificateless cryptography

Figure 1: Network model

the SP plays the role of PKG in the IBC environment and the KGC in the CLC environment. The sensor

id the KG

nodes have limited computational power and storage resource while the gateway has higher processing and storage capability. We assume that the SP is always trusted and can never be compromised and the gateway is honest and curious. When a user hope to access the data of the WSN, it sends a query message to a sensor node. The gateway first checks if the user has been authorized to access the data. If yes, the gateway forwards the query to the sensor node and the node transmits collected data to the user in a secure way. Otherwise, the gateway rejects the query request. Our scheme proposed in this paper can be used in both gateway solution and TCP/IP overlay solution.

2.2. Security requirements

The communication between the Internet hosts and sensor nodes should satisfy confidentiality, integrity, authentication, and non-repudiation. Confidentiality is keeping query messages secret from the others except the Internet hosts and sensor nodes. Even the gateway can not know the contents of the message. Integrity is ensuring that the query messages from the Internet hosts have not been altered by unauthorized entities. Authentication is the assurance that only the authorized Internet hosts can access the WSN. Non-repudiation is preventing the denial of previous queries issued by the Internet hosts. That is, if an Internet host has sent a query message to a sensor node, it can not deny its action. In addition, we hope that this communication also satisfies ciphertext authenticity and insider security. The ciphertext authenticity means that a third party can verify the validity of a ciphertext without knowing the query message. The insider security has two aspects. The first aspect is the insider security for confidentiality and the other aspect is the insider security for unforgeability. The insider security for confidentiality guarantees the forward security of signcryption, i.e.

confidentiality is kept in case the host's private key is compromised. The insider security for unforgeability means that an adversary can not forge a ciphertext with the sensor node's private key.

2.3. Bilinear pairings

Let Gi and G2 be two cyclic groups with same prime order p. Gi is an additive group and G2 is a multiplicative group. Let P be a generator of Gi. A bilinear pairing is a map e : Gi x Gi ^ G2 that satisfies the following properties [16]:

1. Bilinearity: e(aP, bQ) = e(P, Q)ab for all P,Q e Gi, a,b e Z*p.

2. Non-degeneracy: There are P,Q e G1 such that e(P, Q) = 1, where 1 is the identity element of G2.

3. Computability: e(P, Q) can be efficiently computed for all P,Q e G1.

The modified Weil pairing and Tate pairing provide admissible maps of this kind. For more details, please refer to [16]. The security of our scheme relies on the following hard problems.

Definition 1. Given groups Gi and G2 with the same prime order p, a generator P of Gi and a bilinear-map e : Gi x Gi ^ G2,

the computational Diffie-Hellman (CDH) problem in Gi is to compute abP given (P,aP,bP).

the bilinear Diffie-Hellman (BDH) problem in (Gi, G2, e) is to compute T = e(P, P)abc given (P, aP, bP, cP).

the decisional bilinear Diffie-Hellman (DBDH) problem in (Gi, G2, e) is to decide whether T = e(P, P)abc

or not given (P, aP, bP, cP) and an element T e G2. If T = e(P, P)abc, we denote it by DBDH(P, aP, bP, cP, T) =

T. Otherwise, we denote it by DBDH(P, aP, bP, cP, T) =

the gap bilinear Diffie-Hellman (GBDH) problem in (Gi,G2,e) is to compute T = e(P, P)abc given (P, aP, bP, cP) with the help of the DBDH oracle that can decide if DBDH(P, aP, bP, cP, T) = T or ±.

the gap Diffie-Hellman (GDH) problem in Gi is to compute abP given (P, aP, bP) with the help of the DBDH oracle that can decide if DBDH(P, aP, bP, cP, T) = T or ±.

3. A heterogeneous signcryption scheme

In this section, we first describe the formal definition and security notions of heterogeneous signcryption scheme that allows a sender in the CLC environment to transmit a message to a receiver in the IBC environment. For simplicity, we use CI-HSC to denote this type of signcryption in the following content. Then we propose an efficient CI-HSC scheme and prove its security in the random oracle model.

3.1. Syntax

A generic CI-HSC scheme consists of the following eight algorithms.

Setup: is a probabilistic algorithm performed by a PKG that takes as input a security parameter k, and outputs a master secret key s and the system parameters params that includes a master public key Ppub. For simplicity, we omit the system parameters params in the other algorithms in the following content.

CL-PPKE: is a partial private key extraction algorithm run by the PKG that takes as input the master secret key s and a user's identity ID, and returns a partial private key D/d. The PKG sends the partial private key to the user in a secure way.

CL-SVS: is a secret value setup algorithm run by the users that takes as input an identity ID, and returns a secret value x/D.

CL-PKS: is a private key setup algorithm run by the users that takes as input a partial private key D/D and a secret value x/D, and outputs a full private key S/D.

CL-PKG: is a public key generation algorithm run by the users that takes as input a secret value x/D, and outputs a public key PK/D. The public key is published without a certificate.

IB-KE: is a key extraction algorithm run by the PKG that takes as input the master secret key s and a user's identity ID, and returns a private key S/d. The PKG sends the private key to the user in a secure way.

SC: is a probabilistic signcryption algorithm performed by a sender that takes as input a plaintext message m, a sender's full private key S/Ds, identity IDs and public key PK/Ds and a receiver's identity IDr, and outputs a ciphertext a.

USC: is a deterministic unsigncryption algorithm performed by a receiver that takes as input a ciphertext a, a sender's identity IDs and public key PK/Ds and a receiver's private key S/Dr and identity IDr, and outputs a plaintext m or a failure symbol ± if a is not a valid ciphertext between the sender and the receiver.

The above algorithms should satisfy the consistency constraint of CI-HSC, i.e. if

a = SC(m, S/ds , IDS, PK/Ds, IDr),

then we hav

m = USC (a, IDs, PK/Ds ,S/Dr ,IDr).

Note that the CL-PPKE, CL-SVS, CL-PKS and CL-PKG are for users in the CLC environments and the IBC-KE algorithm is for users in the IBC environments. If the trusted third party in the CLC and IBC environments are different, we need to generate different master secret keys and corresponding master public key. In this paper, we think the trusted third party in the CLC and IBC environments is the same (please see Section 2). In such an assumption, the role of CL-PPKE and IB-KE is the same.

3.2. Security notions

A signcryption scheme should satisfy confidentiality (i.e. indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2)) and unforgeability (i.e. existential unforgeability against adaptive chosen messages attacks (EUF-CMA)). We modify the notions in [24, 25] slightly to adapt for CI-HSC.

For confidentiality, we consider the following game played between an adversary A and a challenger C. Initial: C runs Setup algorithm with a security parameter k and gives the system parameters params to

Phase 1: A performs a polynomially bounded number of queries in an adaptive

• Partial private key extraction queries: A chooses an identity ID and sends it to C. C runs CL-PPKE algorithm and sends corresponding secret key Did to A.

• Private key setup queries: When receiving an identity ID from A, C runs CL-PKS algorithm and sends the full private key SID to A (C may first run CL-PPKE and CL-SVS algorithms if necessary).

• Public key queries: A chooses an identity ID and sends it to C. C runs CL-PKG algorithm and sends the public key PKID to A (C may first run CL-SVS algorithm if necessary).

• Public key replacement queries: A may replace a public key PKID with a value chosen by it.

• Key extraction queries: When receiving an identity ID from A, C runs IB-KE algorithm and sends the corresponding private key SID to A.

• Signcryption queries: A chooses^a message m, a sender's identity IDi and a receiver's identity IDj, C first runs CL-PKS and CL-PKG algorithms to get the private key SIDi and public key PKIDi, respectively. Then C sends the result of SC(m, SIDi, IDi, PKIDi, IDj) to A. It is possible that C does not know the sender's secret value, if the associated public key has been replaced. In this case, we require A to provide it.

• Unsigncryption queries: A chooses a ciphertext a, a sender's identity IDi and a receiver's identity IDj, C first runs IB-KE and CL-PKG algorithms to get the private key SIDj and the public key PKiDi, respectively. Then C sends the result of USC(a,IDi,PKIDi,SIDj ,IDj) to A. The result is either a plaintext message m or a symbol

Challenge: A decides when phase 1 ends. A generates two equal length plaintexts (m0, mi), a sender's identity IDs and a receiver's identity IDr on which it wishes to be challenged. Note that IDr should not be submitted to a key extraction query in the phase 1. C takes a random bit fl e {0,1} and computes a* = SC (mp ,SIDs ,IDs,PKIDs ,IDr) which is sent to A.

Phase 2: A may make a polynomially bounded number of queries adaptively again as in the phase 1. However, this time, it cannot make a key extraction query on IDr and cannot make an unsigncryption query

on (a*,IDS,IDr) to obtain the corresponding plaintext unless the public key PK/Ds has been replaced after the challenge phase.

Guess: A produces a bit ft' and wins the game if ft = ft.

The advantage of A is defined as Adv(A) = |2Pr[ft' = ft] — 1|, where Pr[ft' = ft] denotes the probability that ft' = ft.

Definition 2. A CI-HSC scheme is (e,t,qppk,qsk,qpk,qpkr,qk,qs,qu)-IND-CCA2 secure if there does not exist a probabilistic t-polynomial time adversary A that has advantage at least e after at most qppk partial private key extraction queries, qsk private key setup queries, qpk public key queries, qpkr public key replacement queries, qk key extraction queries, qs signcryption queries and qu unsigncryption queries in the confidentiality game.

The above definition grasps insider security for confidentiality of signcryption since the adversary knows all senders' private keys [26]. The insider security guarantees the forward security of signcryption scheme, i.e. confidentiality is kept in case the sender's private key is compromised.

For unforgeability, we need consider two types of adversaries, Type I and Type II [23, 27], since the senders belong to the CLC environment. A Type I adversary^models an attacker which is a common user and does not have the KGC's master secret key. But it can adaptively replace users' public keys with (valid) public keys of its choice. A Type II adversary models an honest-but-curious KGC who knows the KGC's master secret key. But it cannot replace users' public keys.

Now let us consider the unforgeability game played between a challenger C and the Type I adversary F/.

Initial: C runs Setup algorithm with a security parameter k and gives the system parameters params to

Attack: F/ performs a polynomially bounded number of queries just like in the confidentiality game.

Forgery: F/ produces a ciphertext a*, a sender's identity IDs and a receiver's identity IDr and succeeds if the following conditions hold:

1. USC(a*, IDs, PK/Ds, S/Dr, IDr) = m*.

2. F/ has not made a private key setup query for IDs.

3. F/ can not both make a public key replacement query for IDs before forgery phase and make a partial private key extraction query in some phase.

4. F/ has not asked a signcryption query on (m*, IDs, IDr).

The advantage of F/ is defined as the probability that it wins.

Definition 3. A CI-HSC scheme is (e,t,qppk ,qsk ,qpk ,qpkr ,qk,qs,qu)-Type-I-EUF-CMA secure if there does not exist a probabilistic t-polynomial time adversary F/ that has advantage at least e after at most qppk

partial private key extraction queries, qsk private key setup queries, qpk public key queries, qpkr public key replacement queries, qk key extraction queries, qs signcryption queries and qu unsigncryption queries in the Type I unforgeability game.

Finally, let us consider the unforgeability game played between a challenger C and the Type II adversary Fii .

Initial: C runs Setup algorithm with a security parameter k and gives both the system parameters params and the master secret key s to FII.

Attack: FII performs a polynomially bounded number of private key setup queries, public key queries and signcryption queries just like in the confidentiality game. Note that we do not need the partial private key extraction, key extraction and unsigncryption queries since FII can do it by itself.

Forgery: FII outputs a ciphertext a*, a sender's identity IDs and a receiver's identity IDr and succeeds if the following conditions hold:

1. USC(a*, IDs, PKids ,SiDr, IDr ) = m*

2. FII has not made a private key setup query for IDs.

3. Fii has not asked a signcryption query on (m*, IDs, II

The advantage of FII is defined as the probability that it succeeds.

Definition 4. A CI-HSC scheme is (e, t, qsk, Qpk, qs)-Type-II-EUF-CMA secure if there does not exist a probabilistic t-polynomial time adversary Fii that has advantage at least e after at most qsk private key setup queries, qpk public key queries and qs signcryption queries in the Type II unforgeability game.

Definition 5. A CI-HSC sc CMA secure if it is both Type IEUF-CMA and Type IIEUF-CMA

In the above Definitions 3 and 4, we also allow the adversary to know the receiver's private key SIDr. That is, the definition also grasps the insider security for unforgeability of signcryption [26].

proposed schem

3.3. The ^

The proposed CI-HSC consists of the following eight algorithms.

Setup: Given a security parameter k, the PKG selects an additive group Gi and a multiplicative G2 of the same prime order p, a generator P of Gi, a bilinear map e : Gi x Gi ^ G2, and four secure hash functions Hi : {0,1}* ^ Gi, H2 : {0,1}* ^ {0,1}n, H3 : {0,1}* ^ Gi and H4 : {0,1}* ^ Gi. Here n is the number of bits of a message to be sent. The PKG randomly selects a master secret key s e Zp and computes the corresponding public key Ppub = sP. The PKG publishes the system parameters {Gi, G2,p, e, n, P, Ppub, Hi, H2, H3, H4} and keeps s secret.

ey PK/Ds, and a

CL-PPKE: A user submits its identity ID to the PKG. The PKG computes Q/D = Hi (ID) and sends the partial private key D/d = sQ/D to the user.

CL-SVS: A user with identity ID chooses a random x/D G Zp as the secret value.

CL-PKS: Given a partial private key D/d and a secret value x/D, this algorithm returns the full private key S/d = (x/D, D/d ).

CL-PKG: Given a secret value x/D, this algorithm returns the public key PK/D = x/D P.

IB-KE: A user submits its identity ID to the PKG. The PKG computes Q/D = Hi(Il sends the

private key S/D = sQ/D to the user.

SC: Given a message m, a sender's full private key S/Ds, identity IDs and receiver's identity IDr, this algorithm works as follows.

1. Choose r G Z* randomly.

2. Compute U = rP and T = e(Ppub, Q/Dr)

3. Compute h = H2(U,T,IDr).

4. Compute C = m © h.

5. Compute X = H3(U,C, IDs, PK/Ds).

6. Compute Y = H4(U,C, IDs, PK/Ds).

7. Compute V = D/Ds + rX + x/Ds Y

8. Output the ciphertext a = (U,C,V).

USC: Given a ciphertext a = (U, C, private key S/Dr and identity IDr

1. Compute X = H3(U,C,

2. Compute Y = H4

3. Check if

nder's identity IDs and public key PK/Ds, and a receiver's hm works as follows.

e(P, V) = e(Ppub, Q/Ds )e(U, X)e(PK/ds , Y) holds. If yes, perform the following step 4. Otherwise, reject this ciphertext and output the symbol

4. Compute T = e(U, S/Dr).

5. Compute h = H2(U,T,IDr).

6. Recover the message m = C © h.

3.4. Security

We prove that the CI-HSC satisfies the confidentiality and unforgeability by following Theorems 1 and 2, respectively.

Theorem 1. In the random oracle model, if there exists an adversary A that has a non-negligible advantage e against the IND-CCA2 security of the CI-HSC when running in a time t and executing qppk partial private key extraction queries, qsk private key setup queries, qpk public key queries, qpkr public key replacement queries, qk key extraction queries, qs signcryption queries, qu unsigncryption queries and qni queries to hash oracles Hi (i = 1, 2, 3, 4), then we can construct an algorithm C that can solve the GBDH problem with an advantage

/ ^ e n qs(qs + qn3)^ e - (1 2k )

in a time t/ < t + O(qs + qu)tp, where tp is the cost for one pairing operation.

Proof. In this proof, we show how C uses A as a subroutine to solve a random instance (P, aP, bP, cP) of the GBDH problem.

Initial: C gives A the system parameters params with Ppub = aP. Note that C does not know the a. In this game, a simulates the secret key of the PKG.

Phase 1: C acts as A's challenger in the above IND-CCA2 game. C keeps four lists Li, L2, L3 and L4 to simulate the hash oracles Hi, H2, H3 and H4, respectively. In addition, C maintains a list Lk that is initially empty to keep the public key information. We assume that Hi queries are different and that A will ask Hi (ID) before the identity ID is used in the other queries. In addition, we assume that the sender's identity is different to the receiver's identity by irreflexivity assumption [28]. C chooses a random number A e {1, 2,..., qHl} and answers A's queries as follows.

• Hi queries: A chooses an identity and submits it to C. At the A-th Hi query, C answers by Hi (ID\) = bP and inserts (ID\, ±) into the list Li. For i-th Hi query (i = A), C randomly chooses ei e Zp, inserts (IDi,ei) into the list Li and answers Hi(IDi) = eiP.

• H2 queries: When A asks a H2 query on (Ui,Ti,IDi), C does the following steps:

1. If DBDH(aP, bP, cP, Ti) = T, C returns Ti and stops.

2. If the list L2 contains entries (Ui,*,IDi,hi) such that DBDH(aP,bP,Ui,Ti) = T, C returns hi and updates the symbol * with Ti. Note that in this case IDi = ID\.

3. If C reaches this point of execution, C randomly chooses a value and returns it to A. The query and the answer will be stored in the list. Note that C should maintain the consistency and avoid collision for these answers.

• H3 Queries: For a H3 query on (Ui,Ci, ID-i, PKIDi), C first checks if the list L3 contains a tuple (Ui,Ci, IDi, PKIDi,ti,tiP). If such a tuple is found, C returns tiP to A. Otherwise, C chooses a random t e Zp, inserts the (Ui, Ci, IDi, PKIDi ,t, tP) into the list L3, and returns tP to A.

H4 Queries: For a H4 query on (Ui,Ci, IDi, PK/Di), C first checks if the list L4 contains a tuple (Ui,Ci, IDi, PK/Di,wi,wiP). If such a tuple is found, C returns wiP to A. Otherwise, C chooses a random w G Z*, inserts the (Ui, Ci, IDi, PK/Di ,w, wP) into the list L4, and returns wP to A.

Partial private key extraction queries: A can choose an identity IDi and ask its partial private key. If IDi = ID\, then C fails and stops. Otherwise the list Li should contain (IDi,ei) for some ei (this shows C previously answered Hi(IDi) = eiP). C returns the partial private key D/Di = eiaP.

Private key setup queries: When A asks a private key setup query on an identity IDi, if IDi = ID\, C aborts. Otherwise, C runs Hi oracle to obtain (IDi,ei). Then C searches Lk for the entry (IDi,PK/Di,x/Di) (C generates a new key pair if this entry does not exist) and returns S/Di = (x/Di, e-aP).

Public key queries: A chooses an identity ID and sends it to C. If the list Lk contains a tuple (IDi, PK/Di, x/Di), then C returns PK/Di to A. Otherwise, C chooses a random x/Di G Zp, computes PK/Di = x/DiP, inserts (IDi, PK/Di,x/Di) into the list Lk and returns PK/Di to A.

Public key replacement queries: A may replace a public key PK/D with a value chosen by it. For a public key replacement query for (IDi, PK/Di), C updates the list Lk with tuple (IDi, PK/Di, ±).

Key extraction queries: When receiving an identity IDi from A, if IDi = ID\, then C fails and stops. Otherwise the list Li should contain (IDi, ei) for some ei. C returns the private key S/Di = eiaP.

Signcryption queries: When A chooses a message m, a sender's identity IDi and a receiver's identity IDj and makes a signcryption query, C proceeds as follows.

1. If IDi = ID\, C first runs private key setup oracle to get S/Di and public key oracle to get PK/Di. Then C can answer A by simply running SC(m, S/Di ,IDi, PK/Di, IDj).

2. If IDi = ID\, C chooses u,v G Zp, sets U = vaP, and computes T = e(U, S/Dj) (C could obtain S/Dj by running key extraction oracle). Then C sets V = uaP + wiPK/Di and defines the hash value H3(U,C,IDi,PK/Di) as v-i(uP — Q/Di) (C could obtain PK/Di by running public key oracle and wi from the list L4). C fails if H3(U,C,IDi,PK/Di) is already defined but this case only happens with probability (qs + qH3 )/2k. C makes the H2 query on (U,T,IDj) to get h and

putes C = m © h. Finally, C returns a = (U, C, V) to A

Unsigncryption queries: A chooses a ciphertext a = (U, C, V), a sender's identity IDi and a receiver's identity IDj, C proceeds as follows.

1. Compute X = H3(U,C, IDi, PK/Di) and Y = H4(U,C, IDi, PK/Di) and check if

e (P, V) = e (Ppub, Q/Di )e (U, X )e (PK/D, ,Y) 13

holds. If yes, perform the following step 2. Otherwise, reject this query and output the symbol

2. If IDj = ID\, C runs the key extraction oracle to get SIDj and computes T = e(U, SIDj). C then runs H2 oracle to get h = H2(U,T, IDj) and returns m = C © h.

3. If IDj = ID\, C can not get the SIDj by the key extraction oracle. In this case, T can not be computed. To return a consistent answer, C goes through the list L2 and looks for a tuple (U,T,IDj,h), for different values of T, such that DBDH(aP,bP,U,T) = T.^If such an entry exists, the correct T is found and returns m = C © h.

4. If C reaches this point of execution, it places the entry (U,*,IDj, h) for a random h on the list L2 and returns m = C © h. The symbol * denotes an unknown value of T. Note that the identity component of all entries with the symbol * is ID\.

Challenge: A generates two equal length plaintexts (m0,mi), a sender's identity IDs and a receiver's identity IDr on which it wishes to be challenged. If IDr = ID\, C aborts. Otherwise C takes a random bit P e {0,1} and signcrypts mp. To do so, it chooses a random hash value h* and sets U* = cP, C* = mp © h* and V* = DIDs + rX + xIDs Y = DIDs + tcP + wPKIDs, where DIDs can be obtained by running private key setup oracle, t is obtained from the list L3, and w is obtained from the list L4. C sends the challenge ciphertext a* = (U*, C* ,V*) to A.

Phase 2: A makes a polynomially bounded number of queries adaptively again as in the phase 1 with the limitation that: (1) it cannot make a key extraction query on IDr; (2) it cannot ask an unsigncryption query on (a*,IDs,IDr) to obtain the corresponding plaintext unless the public key PKIDs has been replaced after the challenge phase. C answer A's queries as in the phase 1.

Guess: A produces a bit P/ which is ignored by C.

Since the list Li contains no more than qHl elements, A will output the identity ID\ with probability 1/qHl. If this event happens, the simulation is perfect unless A makes a H2 query on the challenge-related tuple (U* ,T*,ID\). Since the hash function H2 is modeled as a random oracle, A will not have any advantage if this tuple does not appear on the list L2. However, if this case happens, C will solve the GBDH problem due to the first step in the simulation of H2. In the whole simulation, C makes at most qH2 + qn2 qu DBDH oracle. □

Theorem 2. In the random oracle model, the proposed scheme satisfies the EUF-CMA security under the CDH assumptions.

Proof. This theorem follows from Lemmas 1 and 2. □

Lemma 1. In the random oracle model, if there exists an adversary Fi that has a non-negligible advantage e against the Type I EUF-CMA security of the CI-HSC when running in a time t and performing qppk

partial private key extraction queries, qsk private key setup queries, qpk public key queries, qpkr public key replacement queries, qk key extraction queries, qs signcryption queries, qu unsigncryption queries and qHi queries to hash oracles Hi (i = 1, 2, 3, 4), then we can construct an algorithm C that can solve the GDH problem with an advantage

/ > (i qs(qs + qH3)) " qH/ 2k >

in a time t/ < t + O(qs + qu)tp, where tp is the cost for one pairing operation.

Proof. In this proof, we show how C uses F/ as a subroutine to solve a random instance (P, aP, bP) of the GDH problem.

Initial: C gives F/ the system parameters params with Ppub = aP. Note that C does not know the a. In this game, a simulates the secret key of the PKG.

Attack: C answers F/'s queries according to the proof of Theorem 1 except the the H2 queries. When F/ asks a H2 query on (Ui,Ti,IDi), C first checks if the list L2 contains a tuple (Ui,Ti, IDi,hi). If such a tuple is found, C returns hi to F/. Otherwise, C chooses a random h G {0,1}n, inserts the (Ui,Ti,IDi,h) into the list L2, and returns h to F/.

Forgery: F/ outputs a ciphertext a* = (U*,C*,V*), a sender's identity IDs and a receiver's identity IDr. C checks if IDs = ID\. If not, it aborts. Otherwise, it retrieves t from the list L3 by querying H3 on (U *,C*,IDS,PK/Ds) and w from the list L4 by querying H4 on (U* ,C*, IDs, PK/Ds). Note that if F wins this game, the ciphertext a* must be valid. That is, we have

e(P, V e(Ppub, Q/ds )e(U*, tP)e (PK/ds , wP)

e(aP, bP )e(U *,tP )e(PK/Ds, wP)

Thus C can compute

abP = V* — tU* — wPK/Ds.

Let us now analyze the probability that C succeeds in solving the GDH problem instance. The probability that C aborts the simulation is related with the following events:

• Ei: F/ does not choose the identity ID\

• E2: F/ made a private key setup query on ID\.

• E3 F/ made a public key replacement query for IDs before the challenge phase and make a partial private key extraction query for IDs in some phase.

• E4: C aborts in a signcryption query because of a collision on H3.

We know that Pr[— Ei] = 1/qHl and Pr[E4] < qs(qs + qH3 )/2k. In addition, we know that — Ei implies — E2 and — E3.

Therefore, we have

/ ^ e n qs(qs + qHa)^

e - qhh: (1 2^ )-

In the whole simulation, C makes at most qH2 qu DBDH oracle. □

Lemma 2. In the random oracle model, if there exists an adversary Fii that has a non-negligible advantage e against the Type II EUF-CMA security of the CI-HSC when running in a time t and executing qsk private key setup queries, qpk public key queries, qs signcryption queries and qHi queries to hash oracles Hi (i = 1, 2, 3, 4), then we can construct an algorithm C that can solve the CDH problem with an advantage

e/ - _e_(1 _ qs(qs + qH3

~ qsk + qpk + qs + 1 2k

in a time t/ < t + O(qs + qu)tp, where tp is the cost for one pairing operation

Proof. We show how C uses FII as a subroutine to solve a random instance (P,aP,bP) of the CDH problem.

Initial: C gives FII the system parameters params with Ppub = sP. Here s is chosen randomly by C. Attack: C simulates FII's challenger in the Type II EUF-CMA game. C keeps four lists Li, L2, L3 and L4 to simulate the hash oracles Hi, H2, H3 and H4, respectively. In addition, C maintains a list Lk that is initially empty to keep the public key information. We assume that public key queries are different and that Fii will ask Hi(ID) before the identity ID is used in the other queries. In addition, we assume that the sender's identity is different to the receiver's identity by irreflexivity assumption [28]. C chooses a random number A e {1, 2,..., qsk + qpk + qs + 1}. C answers H2, H3 and signcryption queries according to the same method of the Theorem 1. The other queries are explained as follows.

• Hi queries: When FII asks a Hi query on IDi, C first checks if the list Li contains a pair (IDi, ei). If such a pair is found, C returns eiP to FII. Otherwise, C chooses a random e e Zp, inserts the (IDi, e) into the list Li, and returns eP to FII.

• H4 Queries: For a H4 query on (Ui,Ci, ID-i, PKIDi), C first checks if the list L4 contains a tuple (Ui,Ci, IDi, PKIDi,wi,wibP). If such a tuple is found, C returns wvibP to FII. Otherwise, C chooses a random w e Zp, inserts the (Ui,Ci, IDi, PKIDi,w,wbP) into the list L4, and returns wbP to FII.

• Private key setup queries: When FII asks a private key setup query on an identity IDi, if IDi = ID\, C aborts. Otherwise, C runs Hi oracle to obtain (IDi,ei). Then C searches Lk for the entry (IDi,PKIDi,xIDi) (C generates a new key pair if this entry does not exist) and returns SIDi = (xiDi, se-P).

Public key queries: Fii chooses an identity IDi and sends it to C. If IDi = ID\, C chooses a random xiDi € Z*, computes PKiDi = xiDiP, inserts (IDi, PKiDi,xiDi) into the list Lk and returns PKiDi to Fii . Otherwise, C returns aP and inserts (ID\, aP, ±) into the list Lk.

Forgery: Fii outputs a ciphertext a* = (U*,C*,V*), a sender's identity IDs and a receiver's identity IDr. C checks if IDs = ID\. If not, it aborts. Otherwise, it retrieves t from the list L3 by querying H3 on (U*,C*, IDs, PKIDs) and w from the list L4 by querying H4 on (U*,C*, IDs, PKIDs). t if Fn

wins this game, the ciphertext a* must be valid. That is, we have

e(P,V*) = e(Ppub,QiDs )e (U* ,tP)e(PKds ,wb. = e(sP,QIDs )e(U*,tP)e(aP,wbP)

Therefore, we have

Thus C can compute

e(P, V*) = e(P, sQids )e(tU*,P

abP = w-1(V* -

Let us now analyze the probability that C succeeds in solving the CDH problem instance. The probability that C aborts the simulation is related with the following events:

• E\: Fii does not choose the identity ID\

• E2: Fii made a private key setup query on ID\.

• E3: C aborts in a signcryption query because of a collision on H3.

We know that Pr[—Ei] = 1/(qsk + qpk + qs + 1) and Pr[E3] < qs(qs + qH3)/2k. In addition, we know that —Ei implies —E2. Note that the maximum length of the list Lk is qsk + qpk + qs + 1. Therefore, we have

fore, we h

qsk + qpk + qs +1

n qs(qs + qn3), (1 2k

4. A practical access control scheme

In this section, we propose a practical access control scheme for the WSNs in the context of the IoT using the proposed CI-HSC scheme. Our scheme uses identity-based access control (IBAC) model [29, 30]. The IBAC is a simple and practical access control model that associates access privilege with specific users. The

proposed scheme consists of four phases: the initialization phase, the registration phase, the authentication and authorization phase, and the revocation phase. In this scheme, the SP plays the role of PKG in the IBC environment and the KGC in the CLC environment. The proposed access control scheme is summarized in Fig. 2

Gateway

Sensor node

(^(if^F),//),,?^)

Gateway verify o

Sensor node recover m

ploys the WSNs. Each sensor node is assigned an KE algorithm to generate the private key SID).

Automatic revocation

Figure 2: The proposed access control scheme

4-1- Initialization phase

In this phase, the SP runs Setup algorit identity ID and a private key SID (the

4-2. Registration phase

An Internet user should register with the SP to obtain the access privilege of the WSNs. The user first submits its identity ID to the SP. Then the SP checks if the identity is valid. If the identity is not valid, the SP rejects this registration. Otherwise the SP runs CL-PPKE algorithm to get the partial private key Did = sQID. After receiving Did , the Internet user runs CL-SVS algorithm to set the secret value xID e Zp and then runs CL-PKS to obtain the full private key SID = (xID ,Did ). Finally, the user runs CL-PKG algorithm to gets the public key PKID = xIDP.

4-3. Authentication and authorization phase

We assume that an Internet user with identity IDs hope to access the data of a sensor node with identity IDr. The user first generates a query message m and runs the SC algorithm to get the ciphertext a = (U, C, V), where U = rP, C = m © h, and V = DIDs + rX + xIDs Y. To resist the replay attack, we can concatenate the query message and a timestamp to form a new message that is signcrypted. Then the user sends the ciphertext, its identity IDs and public key PKIDs to the gateway.

When receiving the query message from the user, the gateway first checks if

e(P, V) = e(Ppub, Qids )e(U, X)e (PKids , Y)

holds. If the above equation does not hold, it refuses the query request. Otherwise, the user is authorized to access the data of the sensor node with identity IDr. In this case, the gateway sends the (U, C) to the sensor node. The sensor node first computes T = e(U,SiDr) and h = H2(U,T, IDr). Then the sensor node recovers the message m = C © h. Finally, the sensor node can encrypt the collected data using a symmetric cipher (such as AES [31]) with the session key h and send the data to the user. The session key h is only known by the user and the sensor node and assures the confidentiality for future communication between them. In this communication, confidentiality, integrity, authentication and non-repudiation are simultaneously achieved.

An important advantage of the proposed CI-HSC signcryption scheme is to achieves the public ciphertext authentication [32]. By using this signcryption scheme, the gateway can verify the validity and the origin of the ciphertext without knowing the message and getting any help from the intended receiver. Thus, we can move the most of computational cost of USC from the sensor nodes to the gateway. Of course, a weakness of our scheme is that the gateway may become the bottleneck. However, since the gateway is more powerful than the sensor nodes, our method is reasonable. If required, the anonymity also can be achieved by scrambling the user's identity IDs and public key PKiDs together with the message at the fourth step of SC algorithm. That is, we compute C = (IDs l\PKiDs ||m) © h instead of C = m © h. Of course, we should modify the output value of H2 to adapt the length of the encrypted message. Such changes do not affect the efficiency of our scheme.

4.4. Revocation

revoked au submits it

The registration can be revoked automatically by adding the expiration date in the identity. For example,

when an Internet user first submits its identity ID to the SP. The SP uses a new identity "ID || 2015-12-31" to generate the partial private key. That is, the SP computes Did = sQiD, where Qid = H1(ID||2015-12-31). Thus, the user only can access the WSNs before December 31, 2015. However, if we have to revoke a user's access privilege before the expiration date due to some reasons, the SP can send the revoked identity to the gateway. The gateway should keep a list of revoked identities to identify the validity of users.

4.5. Evaluation

In this section, we evaluate the performance and security of our scheme. First, we compare the computational cost and communication cost of our scheme with those of YHZXZ [13] and MXH [14] in Table 1.

We denote by M the point multiplication operation in G1, E the exponentiation operation in G2 and P the pairing operation. The other operations are ignored in Table 1 since these operations consume the most running time of the whole algorithm. |x| denotes the number of bits of x. Because both YHZXZ and MXH

Table 1: Comparison of performance

Schemes Computational cost Sensor communication cost

User Sensor Gateway Receive Transmit

YHZXZ [13] 8M 3M 3M |Z;| +2|Gi| + Ihaskl + 2|ID| 2|Z;| + |Gi| + Ihaskl +3|ID|

MXH [14] 2M 5M — |Zp| + |m| + |Gi | + |Cert| —

Ours 3M+1E+1P 1P 4P |m| + |Gi| —

are based on the PKI environment, we should verify the public key certificate before using a public key. Here we assume that the elliptic curve digital signature algorithm (ECDSA) [33] is used to sign a certificate. The ECDSA needs one point multiplication to sign a message and two point multiplications to verify a signature. Therefore, in YHZXZ, the gateway needs two point multiplications to verify the user's certificate and the user needs four point multiplications to verify the certificates of the gateway and sensor node. In MXH, the sensor node needs two point multiplications to verify the (user's certificate. From Table 1, we know that our scheme has less computational cost than YHZXZ and more computational cost than MXH for the user. For the sensor node, our scheme has the least computational cost among the three scheme. For design an access control scheme for the WSNs in the context of the IoT, the most important issue is to reduce the computational cost of the sensor node since it's resource is very limited. Therefore, our scheme is more practical than YHZXZ and MXH. For the communication cost of the sensor node, YHZXZ needs more cost since it is an interactive protocol. However, the sensor node does not need to receive the certificate of the user because the gateway assists to do it. In MXH, the sensor node should receive the user's certificate Cert to verify the validity. In our scheme, the sensor node does not need to receive the user's identity ID or certificate.

For both YHZXZ and MXH, we adopt the experiment result in [34] on MICA2 that is equipped with an ATmega128 8-bit processor clocked at 7.3728 MHz, 4 KB RAM and 128 KB ROM. From [34], we know that a point multiplication operation takes 0.81 s using an elliptic curve with 160 bits p that represents 80-bit security level. For our scheme, we adopt the experiment result in [35] on the same processor ATmega128. A pairing operation takes 1.9 s using the supersingular curve y2 + y = x3 + x with an embedding degree 4 and implementing nr pairing: E(F227i) x E(F227i) ^ F24-27i, which is also equivalent to the 80-bit security level. According the results in [34, 35], the computational time on the sensor node of YHZXZ, MXH and our scheme are 3 * 0.81 = 2.43 s, 5 * 0.81 = 4.05 s and 1 * 1.9 = 1.9 s, respectively. As in [36, 37], we assume that the power level of MICA2 is 3.0 V, the current draw in active mode is 8.0 mA, the current draw in receiving mode is 10 mA, the current draw in transmitting mode is 27 mA and the data rate is 12.4 kbps. For energy consumption, according to the method in [14, 38], a point multiplication operation consumes 3.0 * 8.0 * 0.81 = 19.44 mJ and a pairing operation consumes 3.0 * 8.0 * 1.9 = 45.6 mJ. Therefore, the computational energy cost on the sensor node of YHZXZ, MXH and our scheme are 3 * 19.44 = 58.32

mJ, 5 * 19.44 = 97.2 mJ and 1 * 45.6 = 45.6 mJ, respectively.

For the communication cost, we assume that |m| = 160 bits, |hash| = 160 bits and |ID| = 80 bits. In addition, the size of certificate is at least 688 bits [17]. For both YHZXZ and MXH, the size of an element in group Gi is 1024 bits using an elliptic curve with 160 bits p. By standard compression technique [35, 37], the size of an element in group Gi can be reduced to 65 bytes. So, in YHZXZ, the sensor node should receive

|Zp| + 2|Gi| + |hash| + 2|ID| bits = 20 + 2 * 65 + 20 + 2 * 10bytes = 1901 messages and transmit

2|Zp| + |Gi| + |hash| + 3|1D| bits = 2 * 20 + 65 + 20 + 3 * 10byt

messages. In MXH, the sensor node should receive

|Zp| + |m| + |G1| + |Cert| bits = 20 + 20 + 65 + 86 bytes = 191 bytes

messages. Our scheme uses a curve over the binary field F227 i. The size of an element in group G1 is 542 bits. By standard compression technique, the size can be reduced to 34 bytes. So in our scheme, the sensor node needs to receive

|m| + | G1 | bits = 20 + 34 bytes = 54 bytes

messages. From [37], we know the sensor node consumes 3 * 27 * 8/12400 = 0.052 mJ and 3 * 10 * 8/12400 = 0.019 mJ to transmit and receive one byte messages, respectively. Therefore, in YHZXZ, the sensor communication energy consumption is 0.052 * 155 + 0.019 * 190 = 11.67 mJ. In MXH, the communication energy consumption is 0.019 * 191 = 3.63 mJ. In our scheme, the communication energy consumption is 0.019 * 54 = 1.03 mJ. The total energy consumption of the three schemes are 58.32 + 11.67 = 69.99 mJ, 97.2 + 3.63 = 100.83 mJ and 45.6 + 1.03 = 46.63 mJ, respectively.

The computational time and total energy consumption on the sensor node are summarized in Fig. 3 and Fig. 4, respectively. From Fig. 3, we know that the computational cost of our scheme is reduced by about 22% and 5 3% compared to YHZXZ and MXH, respectively. From Fig. 4, we know that the energy consumption of our scheme is reduced by about 33% and 54% compared to YHZXZ and MXH, respectively. Of course, the computational cost of gateway in our scheme is higher than YHZXZ and MXH. We shift the computational cost of the sensor node to the gateway since our scheme has the ciphertext authenticity. The ciphertext authenticity allows the gateway to verify the ciphertext without the decryption.

We compare the security properties of the three schemes in Table 2. In the "Security" column, Con, Int, Aut, Non, CipAut, InsSec and ForPro denotes confidentiality, integrity, authentication, non-repudiation, ciphertext authenticity, insider security and formal proof, respectively. A symbol yj means that the scheme satisfies the security property and a symbol x means that the scheme does not satisfy the security property.

Figure 3: The computational time of the sensor node

Figure

4: The enerj

gy consumption of the sensor node

satisfy the

Both YHZXZ and MXH do not satisfy the insider security [26] and our scheme has such security property. More importantly, our scheme allows a sender in the CLC environment to transmit a message to a receiver in the IBC environment, which conforms the characteristics of the WSNs in the context of the IoT.

Table 2: Comparison of security

Schemes Security Environment

Con Int Aut Non CipAut InsSec ForPro

YHZXZ [13] V V V X X X PKI^PKI

MXH [14] V V V V X V PKI^PKI

Ours V V V V V V CLC^IBC

5. Conclusion

In this paper, we proposed an efficient heterogeneous signcryption scheme that allows a sender in the CLC environment to transmit a message to a receiver in the IBC environment. We proved that the proposed

scheme has the IND-CCA2 under the GBDH problem and EUF-CMA under the GDH and CDH problems in the random oracle model. In addition, we gave a practical access control scheme without certificates for the WSNs in the context of the IoT using the novel heterogeneous signcryption. As compared with existing YHZXZ and MXH using traditional signcryption, the computational cost of the sensor node in our scheme is reduced by about 22% and 53%, respectively and the energy consumption of the sensor node in our scheme is reduced by about 33% and 54%, respectively.

References

[1] C. Wang, C. Jiang, Y. Liu, X.Y. Li, S. Tang, Aggregation capacity of wireless sensor networks: extended network case, IEEE Transactions on Computers 63 (6) (2014) 1351-1364.

[2] V.C. Gungor, G.P. Hancke, Industrial wireless sensor networks: challenges, design^principles, and technical approaches, IEEE Transactions on Industrial Electronics 56 (10) (2009) 4258-4265.

[3] J. Niu, L. Cheng, Y. Gu, L. Shu, S.K. Das, R3E: reliable reactive routing enhancement for wireless sensor networks, IEEE Transactions on Industrial Informatics 10 (1) (2014) 784-794.

[4] R. Roman, J. Lopez, Integrating wireless sensor networks and the Internet: a security analysis, Internet Research 19 (2) (2009) 246-259.

[5] X.H. Le, S. Lee, I. Butun, M. Khalid, R. Sankar, M. Kim, M. Han, Y.K. Lee, H. Lee, An energy-efficient access control scheme forwireless sensor networks based on elliptic curve cryptography, Journal of Communications and Networks 11 (6) (2009) 599-606.

[6] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (2) (1978) 120-126.

[7] D. He, J. Bu, S. Zhu, S. Chan, C. Chen, Distributed access control with privacy support in wireless sensor networks, IEEE Transactions on Wireless Communications 10 (10) (2011) 3472-3481.

[8] R.L. Rivest, A. Shamir, Y. Tauman, How to leak a secret, in: Proc. Advances in Cryptology-ASIACRYPT 2001, LNCS 2248, Springer-Verlag, 2001, pp. 552-565.

[9] J.K. Liu, M.H. Au, W. Susilo, J. Zhou, Linkable ring signature with unconditional anonymity, IEEE Transactions on Knowledge and Data Engineering 26 (1) (2014) 157-165.

[10] R. Zhang, Y. Zhang, K. Ren, Distributed privacy-preserving access control in sensor networks, IEEE Transactions on Parallel and Distributed Systems 23 (8) (2012) 1427-1438.

[11] S. Yu, K. Ren, W. Lou, FDAC: toward fine-grained distributed data access control in wireless sensor networks, IEEE Transactions on Parallel and Distributed Systems 22 (4) (2011) 673-686.

[12] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, in: Proc. ACM conference on Computer and communications security-CCS'06, 2006, pp. 89-98.

[13] H. Yu, J. He, T. Zhang, P. Xiao, Y. Zhang, Enabling end-to-end secure communication between wireless sensor networks and the Internet, World Wide Web 16 (4) (2013) 515-540.

[14] C. Ma, K. Xue, P. Hong, Distributed access control with adaptive privacy preserving property for wireless sensor networks, Security and Communication Networks 7 (4) (2014) 759-773.

[15] Y. Zheng, Digital signcryption or how to achieve cost (signature & encryption) ^ cost (signature) + cost(encryption), in: Proc. Advances in Cryptology-CRYPTO'97, LNCS 1294, Springer-Verlag, 1997, pp. 165-179.

[16] D. Boneh, M. Franklin, Identity-based encryption from the weil pairing, SIAM Journal on Computing 32 (3) (2003) 586-615.

[17] K. Ren, W. Lou, K. Zeng, P.J. Moran, On broadcast authentication in wireless sensor networks, IEEE Transactions on Wireless Communications 6 (11) (2007) 4136-4144.

[18] D. He, C. Chen, S. Chan, J. Bu, SDRP: a secure and distributed reprogramming protocol for wireless sensor networks, IEEE Transactions on Industrial Electronics 59 (11) (2012) 4155-4163.

[19] F. Li, D. Zhong, T. Takagi, Practical identity-based signature for wireless sensor networks, IEEE Wireless Communications Letters 1(6) (2012) 637-640.

[20] H. Lu, J. Li, M. Guizani, Secure and efficient data transmission for cluster-based wireless sensor networks, IEEE Transactions on Parallel and Distributed Systems 25 (3) (2014) 750-761.

[21] F. Li, H. Zhang, T. Takagi, Efficient signcryption for heterogeneous systems, IEEE Systems Journal 7 (3) (2013) 420-429.

[22] F. Li, P. Xiong, Practical secure communication for integrating wireless sensor networks into the Internet of things, IEEE Sensors Journal 13 (10) (2013) 3677-3684.

[23] S.S. Al-Riyami, K.G. Paterson, Certificateless public key cryptography, in: Proc. Advances in Cryptology-ASIACRYPT 2003, LNCS 2894, Springer-Verlag, 2003, pp. 452-474.

[24] P.S.L.M. Barreto, B. Libert, N. McCullagh, J.J. Quisquater, Efficient and provably-secure identity-based signatures and signcryption from bilinear maps, in: Advances in Cryptology-ASIACRYPT 2005, LNCS 3788, Springer-Verlag, 2005, pp. 515-532.

[25] M. Barbosa, P. Farshim, Certificateless signcryption, in; Proc. ACM Symposium on Information, Computer and Communications Security-ASIACCS 2008, 2008, pp. 369-372.

[26] J.H. An, Y. Dodis, T. Rabin, On the security of joint signature and encryption, in: Proc. Advances in Cryptology-EUROCRYPT 2002, LNCS 2332, Springer-Verlag, 2002, pp. 83-107.

[27] F. Li, M. Shirase, T. Takagi, Certificateless hybrid signcryption, Mathematical and Computer Modelling 57 (3-4) (2013) 324-343.

[28] X. Boyen, Multipurpose identity-based signcryption: a swiss army knife for identity-based cryptography, in: Proc. Advances in Cryptology-CRYPTO 2003, LNCS 2729, Springer-Verlag, 2003, pp. 383-399.

[29] A. Herzberg, Y. Mass, J. Mihaeli, D. Naor, Y. Ravid, Access control meets public key infrastructure, or: assigning roles to strangers, in: Proc. IEEE Symposium on Security and Privacy-SP 2000, 2000, pp. 2-14.

[30] V. Suhendra, A survey on access control deployment, in: Proc. Security Technology-SecTech 2011, CCIS 259, SpringerVerlag, 2011, pp. 11-20.

[31] J. Daemen, V. Rijmen, The design of Rijndael: AES-the Advanced Encryption Standard, Springer, 2002.

[32] S.S.M. Chow, S.M. Yiu, L.C.K. Hui, and K.P. Chow, Efficient forward and provably secure ID-based signcryption scheme with public verifiability and public ciphertext authenticity, in: Proc. Information Security and Cryptology-ICISC 2003, LNCS 2971, Springer-Verlag, 2004, pp. 352-369.

[33] D. Johnson, A. Menezes, S. Vanstone, The elliptic curve digital signature algorithm (ECDSA), International Journal of Information Security 1 (1) (2001) 36-63.

[34] N. Gura, A. Patel, A. Wander, H. Eberle, S.C. Shantz, Comparing elliptic curve cryptography and RSA on 8-bit CPUs, in: Proc. Cryptographic Hardware and Embedded Systems-CHES 2004, LNCS 3156, Springer-Verlag, 2004, pp. 119-132.

[35] L.B. Oliveira, D.F. Aranha, C.P.L. Gouvea, M. Scott, D.F. Camara, J. Lopez, R. Dahab, TinyPBC: pairings for authenticated identity-based non-interactive key distribution in sensor networks, Computer Communications 34 (3) (2011) 485-493.

[36] X. Cao, W. Kou, L. Dang, B. Zhao, IMBAS: Identity-based multi-user broadcast authentication in wireless sensor networks, Computer Communications 31 (4) (2008) 659-667.

[37] K.A. Shim, Y.R. Lee, C.M. Park, EIBAS: An efficient identity-based broadcast authentication scheme in wireless sensor networks, Ad Hoc Networks 11 (1) (2013) 182-189.

[38] K.A. Shim, S2DRP: Secure implementations of distributed reprogramming protocol for wireless sensor networks, Ad Hoc Networks 19 (2014) 1-8.