
A security communication model based on certificateless online/offline signcryption for Internet of Things

ABSTRACT

The communication model of Internet of Things (IOT) application has some shortcomings in user privacy protection and information security. To solve these shortcomings, we define the formal models of certificateless online/offline signcryption and propose a concrete certificateless online/offline signcryption scheme for IOT environment. Compared with the existing identity-based online/offline signcryption schemes that do not require the plaintext and the receiver's identity in the offline phase, our scheme has the great advantage of the offline computation cost, offline storage, ciphertext length, and receiver computation cost. Moreover, our scheme achieves known session-specific temporary information security, public verifiability with confidentiality and no key escrow problem. Copyright © 2013 John Wiley & Sons, Ltd.

1 INTRODUCTION

Internet of Things (IOT) is a network in which laser scanners, radio frequency identification (RFID), global positioning systems, and information-sensing devices, following agreed communication protocols, connect any object to the Internet so that objects can communicate with each other to realize location, intelligent identification, monitoring, tracking, and management. The IOT is a new kind of network in which a virtual network interacts with the real world. Because it adopts the Internet and sensor networks as its core technique, and because of its wireless information transmission and ubiquitous data-aware features, the IOT has to meet the security requirements of both the Internet and sensor networks, and additionally the security requirements arising from its own characteristics, to ensure its safe and reliable operation [1].

The security shortcomings of the IOT have largely affected its promotion and application. On the basis of studies of the IOT architecture and analyses of the security threats in the IOT, many researchers have presented security architectures [2, 3] or corresponding defensive suggestions [4, 5] for the IOT. Towards the security threats of some IOT communication applications, several solutions have been researched, such as interoperability of security [6], a key management protocol [7], and location privacy protection [8]. Compared with those schemes, the use of online/offline signcryption for IOT applications has the following advantages: (1) the security attributes of confidentiality, authentication, integrity and non-repudiation are achieved simultaneously; and (2) most of the computational overhead is shifted to the offline phase, which needs neither the particular message to be signcrypted nor the receiver's public key/identity.

However, almost all online/offline signcryption (OOSC) schemes presented until now use either the traditional public key infrastructure (PKI) or identity-based public key cryptography; the former has the problem of certificate management and the latter faces the inherent key escrow problem. Also, most OOSC schemes cannot achieve known session-specific temporary information security and public verifiability with confidentiality.

1.1 Related work

Certificateless public key cryptography (CL-PKC) was introduced by Al-Riyami and Paterson [9]. In CL-PKC, a trusted third party called the key generation center (KGC) supplies each user with a partial private key, and the other part of the private key is generated by the user himself, so the cryptographic operations can be performed only when both keys are known. Therefore, CL-PKC not only eliminates the use of certificates but also solves the key escrow problem. Recently, some efficient cryptographic schemes based on CL-PKC were proposed [10-12].

The purpose of signcryption is to perform signature and encryption in a single logical step to obtain confidentiality, authentication, integrity, and non-repudiation more efficiently than the sign-then-encrypt approach. The notion of OOSC was introduced by An et al. [13]. The main idea of OOSC is to perform signcryption generation in two phases: an offline phase and an online phase. Most of the computational overhead is shifted to the offline phase, which needs neither the particular message to be signcrypted nor the receiver's public key/identity; thus an OOSC scheme is an efficient security solution for IOT devices with limited computing capability. Based on the traditional PKI, Zhang et al. [14] proposed the first concrete OOSC scheme, but their scheme needs an additional symmetric key to achieve confidentiality. On the basis of identity-based cryptography, Sun et al. [15] proposed the first identity-based OOSC (IBOOSC) scheme. However, Liu et al. [16] pointed out that all of the schemes above cannot be used because they need the receiver's public key/identity in the offline phase, and they proposed an improved scheme. Subsequently, Selvi et al. [17] showed an attack against the sender anonymity of the scheme proposed by Liu et al. Recently, Li et al. [18] proposed a new IBOOSC scheme that is more efficient than the three schemes [15-17] mentioned above.

1.2 Our contribution

In this paper, we define the generic and security models of certificateless OOSC (COOSC), then propose a concrete COOSC scheme and formally prove its security under the strongest existing security notions for OOSC (IND-CCA2, indistinguishability against adaptive chosen ciphertext attacks, and EUF-CMA, existential unforgeability against adaptive chosen message attacks, respectively). On the basis of the COOSC, we construct a security communication model for IOT applications, which achieves confidentiality, authentication, integrity, and non-repudiation between the IOT nodes. Our scheme has the following merits: (1) the scheme has a clear advantage in offline computation cost, offline storage, ciphertext length and receiver computation cost; (2) the scheme satisfies the known session-specific temporary information security attribute; (3) to improve the processing efficiency for forged signcryption messages, our scheme first verifies the signature and then recovers the plaintext; and (4) the scheme eliminates the use of certificates and avoids the key escrow problem that is inherent in IBOOSC.

1.3 Outline of the paper

The remainder of this paper is organized as follows. Some background information on the current IOT communication model and its security analysis are given in Section 2. In Section 3, the formal model of COOSC is described. In Section 4, a concrete COOSC scheme is presented with its security proof in the random oracle model, and its performance is analyzed. A security communication model based on COOSC for the IOT is presented in Section 5. Finally, we conclude the paper in Section 6.

2 INTERNET OF THINGS COMMUNICATION MODEL AND ITS SECURITY ANALYSIS

In the IOT, each object has an RFID tag with a unique electronic product code (EPC), and the detailed information related to the EPC is stored in a database named the information server of things (TIS). When an RFID object receives a query from a mobile RFID reader and transmits its EPC, the reader requests the information of the EPC from the local TIS (L-TIS). If the information of the EPC is stored in a remote TIS (R-TIS), the L-TIS requests the universal resource identifier (URI) of the EPC from the local ONS (L-ONS), and the L-ONS forwards the URI request to the root ONS (RT-ONS) if it does not have the URI. Finally, the L-TIS forwards the information of the EPC sent from the R-TIS to the RFID reader. The concrete IOT communication model is shown in Figure 1.

Figure 1. IOT communication model.

This communication model of the IOT achieves the functions of goods identification, automatic tracking and management. However, it has the following shortcomings in user privacy protection and information security: (1) any RFID reader can unconditionally read the detailed information of an RFID object, which brings a security risk to user privacy protection; (2) there is no mutual authentication between the RFID reader and the L-TIS, the L-TIS and the R-TIS, the L-TIS and the L-ONS, and the L-ONS and the RT-ONS; (3) the messages are exchanged in plaintext between the object and the RFID reader, the RFID reader and the L-TIS, the L-TIS and the R-TIS, the L-TIS and the L-ONS, and the L-ONS and the RT-ONS.

3 FORMAL MODELS OF CERTIFICATELESS ONLINE/OFFLINE SIGNCRYPTION

In this section, we define the formal models of COOSC, namely the generic model and the security model.

3.1 Generic model

The generic model of COOSC consists of the following six algorithms:

Setup

Upon input of a security parameter k, the KGC generates the public parameters params and master secret key s for the system.

PartialKeyGen

Upon input of an identity IDU of the entity U, the KGC computes a partial public/private key pair (QU, DU) corresponding to the user IDU.

KeyGen

Upon input of the system's public parameters params, the entity U computes the other part of his partial public/private key pair (PKU, xU). So, the entity U's public key pair is (PKU, QU) and private key pair is (xU, DU).

OffSigncrypt

Before generating a full signcryption, the sender with identity IDA and private key pair (xA, DA) runs this algorithm along with input (IDA, DA) to compute an offline signcryption δ.

OnSigncrypt

To send a plaintext message m to the receiver with identity IDB and private key pair (xB, DB), the sender runs this algorithm along with input (m, xA, IDA, IDB, δ) to compute the full signcryption σ.

UnSigncrypt

On receiving the signcryption σ from the sender IDA, the receiver IDB runs this algorithm with input (σ, IDA, IDB, xB, DB) to output the plaintext message m or the symbol ⊥ if σ is an invalid signcryption.

For consistency purposes, we require that if δ = OffSigncrypt(IDA, DA) and σ = OnSigncrypt(m, xA, IDA, IDB, δ), then we have m = UnSigncrypt(σ, IDA, IDB, xB, DB).

3.2 Security model

In this section, we define the security model of COOSC. There are two types of adversaries in our security model as follows:

Type I Adversary A1

He cannot have access to the master secret key s, but he can request and replace public key PKU with values of his choice.

Type II Adversary A2

He can have access to the master secret key but cannot replace user's public key PKU.

Definition 1. (Confidentiality.) A COOSC scheme is semantically secure against adaptive chosen ciphertext attacks (IND-COOSC-CCA2) if no probabilistic polynomial-time adversary Ai (i = 1,2) has a non-negligible advantage in the following game.

  • Game
    • Initial: The challenger C first runs the Setup(k) algorithm, then sends the system parameters to the adversary Ai and sends the master secret key to the adversary A2.
    • Phase 1: Ai makes a polynomially bounded number of the following queries, where A2 does not need to perform the Replace public key and PartialKeyGen queries.
      • KeyGen query: On a new KeyGen query for IDU, if IDU has already been created, nothing is to be carried out. Otherwise, C computes the public/private key pair (PKU, xU) = KeyGen(IDU) and adds (IDU, xU, PKU) to the list Lu. In both cases, PKU is returned.
      • Replace public key query: On input of a valid public key math formula for any entity IDU, C replaces the public key corresponding to IDU with math formula.
      • Corruption query: On a corruption query, C checks the list Lu and returns the private key xU.
      • PartialKeyGen query: On a new PartialKeyGen query for IDU, C computes DU = PartialKeyGen(IDU) and returns DU to Ai.
      • Signcrypt query: Ai produces a plaintext message m, two identities IDs and IDr. C computes δ = OffSigncrypt(IDs, Ds) and σ = OnSigncrypt(m, xs, IDs, IDr, δ), then returns σ to Ai.
      • Unsigncrypt query: Ai produces a signcryption σ, two identities IDs and IDr. C sends the result of UnSigncrypt(σ, IDs, IDr, xr, Dr) to Ai.

At the end of Phase1, Ai chooses two plaintexts (m0, m1), two identities IDA and IDB on which he wishes to be challenged. He cannot have made corruption query on IDA and IDB in the first stage.

  • Challenge: The challenger randomly takes a bit β ∈R {0,1} and computes δ = OffSigncrypt(IDA, DA) and σ = OnSigncrypt(mβ, xA, IDA, IDB, δ), then returns σ to Ai.
  • Phase 2: Ai continues to probe the challenger with the same type of queries that he made in Phase 1. He is not allowed to obtain the private key pair (xA, xB) corresponding to IDA and IDB, he is not allowed to make an UnSigncrypt query on σ, and A1 is not allowed to make a PartialKeyGen query if the corresponding public key was replaced in Phase 1.
  • Response: Ai returns a bit β'. We say that the adversary wins the game if β = β'.

Definition 2. (Unforgeability.) A COOSC scheme is existentially unforgeable under adaptive chosen message attacks (EUF-COOSC-CMA) if no polynomially bounded adversary Ai (i = 1,2) has a non-negligible advantage in the following game.

  • Game
    • Initial: The challenger C first runs the Setup(k) algorithm, then sends the system parameters to the adversary Ai and sends the master secret key to the adversary A2.
    • Probing: Ai performs a polynomially bounded number of the queries just like in Definition 1.
    • Forge: Ai outputs a forgery (σ*, IDA, IDB) that was not produced by the signcryption oracle; he cannot have made a corruption query on IDA in the second stage. We say Ai wins the game if the result of UnSigncrypt(σ, IDA, IDB, xB, DB) is not the symbol ⊥.

4 PROPOSED CERTIFICATELESS ONLINE/OFFLINE SIGNCRYPTION SCHEME

In this section, we propose an efficient COOSC scheme. The presented scheme consists of the following six algorithms.

Setup

Upon input of a security parameter k, the KGC selects groups G1 and G2 of prime order p, an arbitrary generator P of G1, and a bilinear pairing map math formula from G1 × G1 to G2, where G1 is a cyclic additive group and G2 is a cyclic multiplicative group. The KGC chooses a random number s math formula as the master secret key and computes the corresponding public key Ppub = sP. The KGC selects three one-way hash functions H1: {0, 1}* math formula, H2: G1 × G2 math formula, and H3: {0, 1}* × (G1)^4 math formula. The KGC publishes the system parameters <G1, G2, math formula, P, Ppub, H1, H2, H3> and keeps the master secret key s private.

PartialKeyGen

This algorithm takes as input an entity U's identity IDU and system parameters. The KGC computes a part of the public key QU = (H1(IDU) + s)P = H1(IDU)P + Ppub and private key DU = (1/(H1(IDU) + s))P of the entity U.

KeyGen

This algorithm takes as input the system parameters. An entity U chooses a random number xU math formula as the other part of its private key and computes the other part of its public key PKU = xUP ∈ G1. Thus the entity U's public key pair is (QU, PKU) and its private key pair is (xU, DU). Suppose that the sender obtains the public/private key pairs (PKA, QA) and (xA, DA), and the receiver obtains the public/private key pairs (PKB, QB) and (xB, DB).

OffSigncrypt

Before generating a full signcryption, the sender runs this algorithm along with input (IDA, DA) to compute an offline signcryption δ. This algorithm works as follows.

  1. Choose one random nonce x from math formula;
  2. Compute T = math formula (P,P)^x and R = xPpub;
  3. Compute S = x^−1(DA + P);
  4. Obtain the offline signcryption message δ = (x,R,S,T).

OnSigncrypt. To send a plaintext message m to the receiver, the sender runs this algorithm along with input (m, xA, IDA, IDB, δ) to compute the full signcryption σ. This algorithm works as follows.

  1. Compute the session key k = H2(xAPKB,T) and y = k ⊕ m;
  2. Compute h = H3(y,PKA,PKB,R,S);
  3. Compute u = x(xA + h) mod p and v = xH1(IDB) + xA mod p;
  4. Obtain the full signcryption σ = (y,u,v,R,S).

UnSigncrypt. On receiving the signcryption σ from the sender, the receiver runs this algorithm with input (σ, IDA, IDB, xB, DB) to output the plaintext message m or the symbol ⊥ if σ is an invalid signcryption. This algorithm works as follows.

  1. Compute h = H3(y,PKA,PKB,R,S);
  2. Check if math formula (S,uQA) = math formula (PKA + hP, P + QA) = math formula (PKA,P + QA) math formula (P,P + QA)^h; if the condition is not satisfied, return ⊥, else perform the following steps.
  3. Compute W = math formula (vP + R − PKA,DB) and k = H2(xBPKA,W);
  4. Recover m = k ⊕ y.
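The six algorithms above, implemented in Python as an added worked example (this is not code from the paper). It runs over a toy bilinear group constructed for the example: G1 is Z_q written additively with P = 1 (so the point aP is just the integer a), G2 is the order-q subgroup of Z_r^* with r = 2q + 1, and e(aP, bP) = g^(ab) mod r, which is bilinear and non-degenerate. In this model the discrete logarithm is trivial, so the code can only check that the scheme's equations are consistent (the pairing verification equation, the agreement of the two session keys, and the rejection of a tampered ciphertext before any decryption); it is not a secure implementation. Assumed details not on the page: SHA-256 with domain separation instantiates H1, H2 and H3; the output length of H2 is taken to be the message length so that y = k ⊕ m is a byte-wise XOR; public keys are passed explicitly rather than looked up by identity; and the identities "rfid-reader" and "local-tis" and the message are constructed, mirroring the RFID reader and L-TIS roles of Section 5.

```python
import hashlib
from secrets import randbelow

# Toy bilinear group, constructed for this example and NOT cryptographically secure.
# G1 = Z_q written additively, generator P = 1: the point "aP" is the integer a, point
# addition is addition mod q, scalar multiplication is multiplication mod q. G2 is the
# order-q subgroup of Z_r^* (r = 2q+1) generated by g, and e(aP, bP) = g^(ab) mod r.
# Because aP reveals a, discrete log and CDHP are trivial here: this checks algebra only.
def _is_prime(n):                          # deterministic Miller-Rabin, valid for n < 3.4e14
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17)):
        return n in (2, 3, 5, 7, 11, 13, 17)
    d, k = n - 1, 0
    while d % 2 == 0:
        d, k = d // 2, k + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(k - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

Q = (1 << 40) | 1                          # smallest q >= 2^40 with q and 2q+1 both prime
while not (_is_prime(Q) and _is_prime(2 * Q + 1)):
    Q += 2
R, G, P = 2 * Q + 1, 4, 1                  # g = 2^2 is a square mod r, hence of order q

def pair(a, b):                            # e(aP, bP) = g^(ab); satisfies e(kX, Y) = e(X, Y)^k
    return pow(G, a * b % Q, R)

def _hash(tag, *parts):                    # SHA-256 with a domain-separation tag per function
    m = hashlib.sha256(tag.encode())
    for part in parts:
        m.update(repr(part).encode() + b"|")
    return m.digest()

def H1(identity):                          # {0,1}* -> Z_q^*
    return int.from_bytes(_hash("H1", identity), "big") % (Q - 1) + 1
def H2(g1_elem, g2_elem, n):               # G1 x G2 -> n-byte key (assumed output length)
    return b"".join(_hash("H2", g1_elem, g2_elem, i) for i in range((n + 31) // 32))[:n]
def H3(y, pk_a, pk_b, r, s):               # {0,1}* x G1^4 -> Z_q^*
    return int.from_bytes(_hash("H3", y, pk_a, pk_b, r, s), "big") % (Q - 1) + 1
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():                               # KGC: public parameters and master secret key s
    s = randbelow(Q - 1) + 1
    return {"Ppub": s * P % Q}, s

def partial_key_gen(params, s, identity):  # KGC: Q_U = (H1(ID_U)+s)P, D_U = (1/(H1(ID_U)+s))P
    h = H1(identity)
    return (h * P + params["Ppub"]) % Q, pow((h + s) % Q, -1, Q) * P % Q

def key_gen():                             # user U: PK_U = x_U P and secret x_U
    x_u = randbelow(Q - 1) + 1
    return x_u * P % Q, x_u

def off_signcrypt(params, d_a):            # sender, before m and the receiver are known
    x = randbelow(Q - 1) + 1               # one-time nonce, carried into the online phase
    t = pow(G, x, R)                       # T = e(P,P)^x
    r = x * params["Ppub"] % Q             # R = x Ppub
    s = pow(x, -1, Q) * (d_a + P) % Q      # S = x^-1 (D_A + P)
    return (x, r, s, t)                    # delta

def on_signcrypt(m, x_a, pk_a, pk_b, id_b, delta):   # sender, online phase
    x, r, s, t = delta
    y = xor(H2(x_a * pk_b % Q, t, len(m)), m)        # k = H2(x_A PK_B, T); y = k xor m
    h = H3(y, pk_a, pk_b, r, s)
    u = x * (x_a + h) % Q
    v = (x * H1(id_b) + x_a) % Q
    return (y, u, v, r, s)

def verify(sigma, pk_a, q_a, pk_b):        # public check: needs no secret and no plaintext
    y, u, v, r, s = sigma
    h = H3(y, pk_a, pk_b, r, s)
    return pair(s, u * q_a % Q) == pair((pk_a + h * P) % Q, (P + q_a) % Q)

def un_signcrypt(sigma, pk_a, q_a, pk_b, x_b, d_b):  # receiver: verify first, then decrypt
    if not verify(sigma, pk_a, q_a, pk_b):
        return None                        # the paper's bottom symbol
    y, u, v, r, s = sigma
    w = pair((v * P + r - pk_a) % Q, d_b)  # W = e(vP + R - PK_A, D_B), equals T
    return xor(H2(x_b * pk_a % Q, w, len(y)), y)

def demo(message=b"EPC detail request"):  # constructed message and identities
    params, s = setup()
    q_a, d_a = partial_key_gen(params, s, "rfid-reader")
    q_b, d_b = partial_key_gen(params, s, "local-tis")
    pk_a, x_a = key_gen()
    pk_b, x_b = key_gen()
    delta = off_signcrypt(params, d_a)
    sigma = on_signcrypt(message, x_a, pk_a, pk_b, "local-tis", delta)
    recovered = un_signcrypt(sigma, pk_a, q_a, pk_b, x_b, d_b)
    y, u, v, r, sg = sigma                 # flip one ciphertext bit: the pairing check must fail
    tampered = (bytes([y[0] ^ 1]) + y[1:], u, v, r, sg)
    return recovered, un_signcrypt(tampered, pk_a, q_a, pk_b, x_b, d_b)
```

`demo()` returns the recovered plaintext together with `None` for the tampered ciphertext, which shows the order of operations the paper argues for: a forged or modified σ is rejected by the public pairing check before any session key is derived, so the receiver never decrypts garbage. The receiver's `W` equals the sender's `T` because vP + R − PK_A collapses to xQ_B and e(xQ_B, D_B) = e(P,P)^x, which is exactly the consistency argument of Section 4.1.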

4.1 Consistency

In this subsection, we show that our scheme satisfies consistency. First, we verify that σ is a valid signcryption, because

display math

Second, we verify the consistency of the session key as follows:

display math

4.2 Security analysis

The security of our COOSC scheme relies on the hardness of the computational Diffie–Hellman problem (CDHP). So far, the probability of any polynomial-time algorithm to solve CDHP is negligible. Based on the CDHP in the random oracle model, we prove that the proposed scheme offers confidentiality, unforgeability, known session-specific temporary information security, and public verifiability with confidentiality.

4.2.1 Computational Diffie–Hellman problem

Given a generator P of G1 and (aP, bP) for unknown a, b math formula, the task of the CDHP is to compute abP.

Theorem 1. (Confidentiality.) Our certificateless online/offline signcryption scheme is secure against any IND-COOSC-CCA2 adversary Ai(i = 1,2) under the random oracle model if CDHP is hard in G1.

Proof. The challenger C receives an instance (P, aP, bP) of CDHP. His goal is to obtain abP. We show that C can use IND-COOSC-CCA2 adversary Ai to solve the CDHP. To maintain consistency, C will maintain five lists: Lk, Lp and Li(i = 1, 2, 3) of the queries made by Ai to oracle KeyGen, PartialKeyGen and Hi(i = 1, 2, 3) respectively. The challenger C sends the system parameters < G1,G2, math formula,P,Ppub,H1,H2,H3 > to Ai and sends the master secret key s to A2. The Ai performs a polynomially bounded number of the following queries.

KeyGen queries. C chooses two random numbers iA, iB ∈ {1,2,…,qk} first (suppose that Ai can ask at most qk KeyGen queries). C checks if there exists (IDi, xi, PKi) in list Lk. If such an element is found, C answers with PKi, otherwise, C performs the following.

  1. For the iA-th query, C sets xi = ⊥, IDi = IDA, and PKi = aP
  2. For the iB-th query, C sets xi = ⊥, IDi = IDB, and PKi = bP
  3. For other queries, C chooses a random number xi math formula and sets PKi = xiP

In the previous cases, C adds (IDi, xi, PKi) into the list Lk and returns PKi to Ai.

H1 queries. C checks if there exists (IDi, h1) in the list L1. If such an element is found, C answers with h1; otherwise he returns a random number h1 math formula to Ai and adds (IDi, h1) to L1.

H2 queries. C checks if there exists (xiPKj, T, h2) in the list L2. If such an element is found, C answers with h2; otherwise he returns a random number h2 math formula to Ai and adds (xiPKj, T, h2) to L2.

H3 queries. C checks if there exists (y,PKi,PKj,R,S,h3) in the list L3. If such an element is found, C answers with h3; otherwise he returns a random number h3 math formula to Ai and adds (y,PKi,PKj,R,S,h3) to L3.

Replace public key query. A1 picks a valid corresponding public key math formula for an entity IDU; C updates Lk with the tuple (IDi, ⊥, math formula).

PartialKeyGen queries. C checks if there exists (IDi,w,Qi,Di) in list Lp. If such an element is found, C answers with Di; otherwise, C chooses a random number w math formula and computes Qi = wP and Di = w^−1P, then returns Di as the answer and adds (IDi,w,Qi,Di) to Lp.

Corruption queries. We assume that C has made KeyGen query for IDi before a corruption query. If IDi = IDA or IDi = IDB, then C fails and stops. Otherwise, C checks the list Lk for IDi and returns xi as the answer.

Signcrypt queries. For this query, we consider the following two cases.

Case 1. IDi ∉ {IDA, IDB}. C obtains the private keys (xi, Di) corresponding to the sender IDi by making the Corruption(IDi) and PartialKeyGen(IDi) queries, then answers what the OnSigncrypt algorithm returns.

Case 2. IDi ∈ {IDA, IDB}. C fails and stops. C first chooses x math formula, computes T = math formula (P,P)^x, R = xPpub + PKi + x2P and S = x^−1(Qi + P). Then C chooses K1 ∈ G1 and makes sure that L2 does not contain an element (K1, T, h2), computes y = H2(K1, T) ⊕ m, h = H3(y, PKi, PKj, R, S) and v = xH1(IDj) − x2. Finally, C chooses u math formula, sets uQA = x(PKi + hP) (if C cannot compute uQi, he just considers uQi = x(PKi + hP)) and returns σ = (y,u,v,R,S) as the answer.

Unsigncrypt queries. For this query, we consider the following two cases.

  • Case 1: IDj ∉ {IDA, IDB}. C obtains the private keys (xj, Dj) corresponding to the receiver IDj by making the Corruption(IDj) and PartialKeyGen(IDj) queries, then returns the result of the Unsigncrypt(σ, IDi, IDj, xj, Dj) algorithm.
  • Case 2: IDj ∈ {IDA, IDB}. C steps through the list L2 with entries (xiPKj, T, h2) as follows.
    • If IDi ∈ {IDA, IDB}, move to the next element in L2 and begin again; else compute m = H2(xiPKj, T) ⊕ y.
    • If IDi ∈ Lk, find PKi in Lk; else move to the next element in L2 and begin again.
    • If IDi ∈ Lp, let Qi = wP; else move to the next element in L2 and begin again.
    • If (y,PKi,PKj,R,S) ∈ L3, let h = H3(y,PKi,PKj,R,S); else move on to the next element in L2 and begin again.
    • Check that math formula (S,uQi) = math formula (PKi + hP, P + Qi); if so, return m, else move on to the next element in L2 and begin again.
    • If no message has been returned after stepping through the list L2, return ⊥.

After the first stage, Ai outputs two messages (m0, m1) and two identities (IDs, IDr). If IDs and IDr ∉ {IDA, IDB}, C aborts. Otherwise, he randomly chooses x, u*, v* math formula and β ∈ {0,1}, computes T = math formula (P,P)^x, R* = xPpub and S* = x^−1(Ds + P), obtains k = H2(φ,T) (where φ = abP is C's candidate for the CDHP), computes y* = k ⊕ mβ and sends σ* = (y*,u*,v*,R*,S*) to Ai.

Ai then performs a second series of queries as above, and picks a bit β' for which he believes the relation σ* = (y*,u*,v*,R*,S*) holds at the end of the simulation. If β = β', C outputs T as a solution of the CDHP, because he can recognize which message was signcrypted by seeing the signcryption alone with the session key k = H2(φ,T), where φ = abP. If β ≠ β', C fails and outputs F.

So, if the adversary Ai can defeat the signcryption algorithm by learning something about the signcrypted message, that means there exists an algorithm to solve the CDHP with non-negligible advantage. However, the probability of any polynomial-time algorithm to solve CDHP is negligible so far. Hence, our proposed COOSC scheme is secure against any IND-COOSC-CCA2 adversary Ai attack.

Theorem 2. (Unforgeability.) Our COOSC scheme is secure against any EUF-COOSC-CMA adversary Ai(i = 1,2) under the random oracle model if CDHP is hard in G1.

Proof. The challenger C receives an instance (P, aP, bP) of CDHP. His goal is to obtain abP. We show that C can use EUF-COOSC-CMA adversary Ai to solve the CDHP. To maintain consistency, C will maintain five lists: Lk, Lp, and Li(i = 1, 2, 3) of the queries made by Ai to oracle KeyGen, PartialKeyGen and Hi(i = 1, 2, 3), respectively. The challenger C sends the system parameters < G1,G2, math formula,P,Ppub,H1,H2,H3> to Ai and sends the master secret key s to A2. The Ai performs a polynomially bounded number of the following queries.

H1, H2, H3 queries are the same as the Theorem 1. The other queries are described as follows.

KeyGen queries. C chooses one random number iA ∈ {1,2,…,qk} first (suppose that Ai can ask at most qk KeyGen queries). C checks if there exists (IDi, xi, PKi) in list Lk. If such an element is found, C answers with PKi, otherwise, C performs the following.

  1. For the iA-th query, C sets xi = ⊥, IDi = IDA and PKi = aP
  2. For other queries, C chooses a random number xi math formula and sets PKi = xiP

In the previous cases, C adds (IDi, xi, PKi) into the list Lk and returns PKi to Ai.

PartialKeyGen queries. C checks if there exists (IDi,w,Qi,Di) in list Lp. If such an element is found, C answers with Di, otherwise, C performs the following.

  1. If IDi = IDA, C sets w = ⊥, Qi = bP and Di = b^−1P (C cannot compute b^−1P; he just considers Di to be b^−1P)
  2. For other queries, C chooses a random number w math formula and computes Qi = wP and Di = w^−1P

In the previous cases, C adds (IDi,w,Qi,Di) into the list Lp and returns Di to Ai.

Corruption queries. We assume that C has made KeyGen query for IDi before a corruption query. If IDi = IDA, then C fails and stops. Otherwise, C checks the list Lk for IDi and returns xi as the answer.

Signcrypt queries. For this query, we consider the following two cases.

Case 1. IDi ≠ IDA. C obtains the private keys (xi, Di) corresponding to the sender IDi by making the Corruption(IDi) and PartialKeyGen(IDi) queries, then answers what the OnSigncrypt algorithm returns.

Case 2. IDi = IDA. C performs the same operations as the Signcrypt queries of Theorem 1.

Unsigncrypt queries. If IDj ≠ IDA, C obtains the private keys (xj, Dj) corresponding to the receiver IDj by making the Corruption(IDj) and PartialKeyGen(IDj) queries, then returns the result of the Unsigncrypt(σ, IDi, IDj, xj, Dj) algorithm. Otherwise, C performs the same operations as the Unsigncrypt queries of Theorem 1.

At last, Ai chooses ξ math formula and outputs a valid forgery (σ* = (y*,u*,v*,R*,S* = ξP, Sξ = ξbP), IDs, IDr). If IDs ≠ IDA, C aborts. Otherwise, he runs the H3 simulation algorithm to obtain h* = H3(y*,aP,PKB,R*,S*), and checks if math formula (S*,u*QA) = math formula (PKA + h*P, P + QA); if the condition is not satisfied, C fails and outputs F, else C outputs T as a solution of the CDHP. We have the following:

display math

The solution to the CDHP instance (P, aP, bP) is u*Sξ − (aP + h*P + h*bP). So, if the adversary Ai can forge a valid signcryption by learning something about the signcrypted message, that means there exists an algorithm to solve the CDHP with non-negligible advantage. However, the probability of any polynomial-time algorithm to solve CDHP is negligible so far. Hence, our proposed COOSC scheme is secure against any EUF-COOSC-CMA adversary Ai attack.

Next, we will heuristically argue that the proposed COOSC scheme satisfies the following security properties.

  1. Known session-specific temporary information security: Compromising the ephemeral key of a session does not enable the adversary Ai to compute the session key. Specifically, for our COOSC scheme, obtaining the ephemeral key x used between sender and receiver allows the adversary Ai to compute T = math formula (P,P)^x. However, the adversary Ai still cannot obtain the session key H2(xAPKB,T) or H2(xBPKA,W), because it is hard to compute xAPKB or xBPKA under the CDHP assumption. Therefore, our COOSC scheme achieves known session-specific temporary information security. But in the Liu et al. scheme [16], compromising the ephemeral key x enables the attacker to compute the session key H3(R,T1,T2,U) = H3(math formula,T1,T2,U); in the Selvi et al. scheme [17], compromising the ephemeral key x enables the attacker to compute the session key H4(ω = αx) = H4(math formula (P,P)^x); in the Li et al. scheme [18], compromising the ephemeral key x enables the attacker to compute the session key H3(r) = H3(math formula (P,P)^x).
  2. Public verifiability with confidentiality: When necessary, the sender may forward the signcryption σ = (y,u,v,R,S) to a verifier, who can be convinced that σ came originally from the sender by computing h = H3(y,PKA,PKB,R,S) and verifying math formula (S,uQA) = math formula (PKA + hP, P + QA). In the public verification phase, the verifier can check the validity of the signcryption without knowledge of the plaintext message m, which achieves public verifiability with confidentiality. Also, in our COOSC scheme, the receiver first verifies the validity of the signcryption and then decrypts the ciphertext, which improves the processing efficiency for forged signcryption messages. But the existing three schemes [16-18] need the plaintext message m in the public verification phase, and their signcryption verification is performed after the ciphertext decryption.

4.3 Performance analysis

In this subsection, we compare the efficiency of our COOSC scheme with three IBOOSC schemes [16-18], namely the Liu2010, Selvi2010, and Li2012 schemes. As in the Li2012 scheme, let |p|, |G1|, and |m| be 160 bits and |G2| be 1024 bits. For the comparison of computation cost, we denote by Pm and Mpm the point multiplication and multi-point multiplication in G1, respectively, by Ep the exponentiation in G2, by Mod the modular computation in math formula, and by Pr the pairing computation. For the comparison of security, we denote by Known-STIS the known session-specific temporary information security, by PV-confidentiality the public verifiability with confidentiality, and by No-KE the absence of the key escrow problem.

As shown in Table 1, compared with the existing IBOOSC schemes that do not require the plaintext and the receiver's identity in the OffSigncrypt phase, in our COOSC scheme the sender requires less offline computation, less offline storage, and a shorter ciphertext, and the receiver requires less computation. In the OnSigncrypt phase, our COOSC scheme needs one more point multiplication than the Selvi2010 and Li2012 schemes; this is because our scheme provides the Known-STIS attribute. Moreover, this point multiplication is executed, and its value stored, only at the first communication between the sender and receiver. The symbol (1Pm) in Table 1 means that if some communication networks do not need the Known-STIS attribute, our COOSC scheme without this additional point multiplication has the same security attributes as the three IBOOSC schemes and a lower computation cost than them. Besides, it can be seen from Table 1 that our COOSC scheme achieves the PV-confidentiality and No-KE attributes. Hence, considering communication security and IOT nodes with limited computing capability, our COOSC scheme may be more applicable.

Table 1. Performance comparison.

                                      Liu2010        Selvi2010         Li2012             Our scheme
Offline computation cost (sender)     4Pm + 1Mpm     5Pm + 2Ep         2Pm + 1Mpm + 1Ep   1Pm + 1Ep
Online computation cost (sender)      3Mod           2Mod              2Mod               (1Pm) + 2Mod
Offline storage (sender, bits)        2624           2784              2144               1504
Ciphertext length (sender, bits)      1280           1600              960                640
Computation cost (receiver)           5Pm + 2Pr      4Pm + 2Ep + 3Pr   3Pm + 1Ep + 2Pr    2Pm + 1Ep + 2Pr
Known-STIS                            No             No                No                 Yes
PV-confidentiality                    No             No                No                 Yes
No-KE                                 No             No                No                 Yes

5 A SECURITY COMMUNICATION MODEL FOR IOT APPLICATION

As we discussed in Section 2, the communication model of IOT applications has some shortcomings in user privacy protection and information security: any RFID reader can unconditionally read the detailed information of an RFID object; there is no mutual authentication between the IOT nodes; and the messages are exchanged in plaintext between them. We resolve these shortcomings by applying COOSC to the IOT environment and introduce a new security communication model. When a mobile RFID reader IDRR wants to read the detailed information of an RFID object IDRO, the following steps are performed:

  • Step 1: The RFID reader, holding private key pair (xRR, DRR), generates a request message m0 and computes y0 = H(xRR·PKRO) ⊕ m0, where H is a one-way secure key derivation function. It sends y0 to the RFID object IDRO to request the object's EPC information.
  • Step 2: On receiving the request ciphertext y0, the object IDRO, holding private key pair (xRO, DRO), recovers m0 = H(xRO·PKRR) ⊕ y0. If m0 is a valid request, the object generates a response message m1 containing its EPC information, computes y1 = H(xRO·PKRR) ⊕ m1 and sends y1 to the RFID reader.
  • Step 3: The RFID reader recovers m1 = H(xRR·PKRO) ⊕ y1 and generates a message m2 requesting the detailed information of the EPC from the L-TIS IDLT. It then uses the proposed COOSC algorithm to produce the offline signcryption δ = OffSigncrypt(IDRR, DRR) and the online signcryption σ1 = OnSigncrypt(m2, xRR, IDRR, IDLT, δ), and sends σ1 to the L-TIS IDLT.
  • Step 4: On receiving σ1, the L-TIS IDLT, holding private key pair (xLT, DLT), uses the proposed COOSC algorithm to recover the plaintext m2 = UnSigncrypt(σ1, IDRR, IDLT, xLT, DLT). If the information of the EPC referred to in m2 is not stored in its database, the L-TIS generates a message m3 requesting the URI of the EPC from the L-ONS, signcrypts m3 with the proposed COOSC algorithm to obtain σ2, and sends σ2 to the L-ONS.
  • Step 5: The L-ONS unsigncrypts σ2 to obtain the plaintext m3. If the URI of the EPC referred to in m3 is not stored in its database, the L-ONS generates a message m4 requesting the URI of the EPC from the RT-ONS, signcrypts m4 to obtain σ3, and sends σ3 to the RT-ONS.
  • Step 6: On receiving σ3, the RT-ONS unsigncrypts it to obtain the plaintext m4, looks up the URI of the EPC referred to in m4, generates the response message m5, signcrypts m5 to obtain σ4, and sends σ4 to the L-ONS.
  • Step 7: The L-ONS unsigncrypts σ4 to obtain the plaintext m5, generates a message m6 returning the URI of the EPC to the L-TIS, signcrypts m6 to obtain σ5, and sends σ5 to the L-TIS.
  • Step 8: On receiving σ5, the L-TIS unsigncrypts it to obtain the plaintext m6, generates a request message m7 asking the R-TIS for the information of the EPC, signcrypts m7 to obtain σ6, and sends σ6 to the R-TIS.
  • Step 9: The R-TIS unsigncrypts σ6 to obtain the plaintext m7, generates a message m8 returning the information of the EPC to the L-TIS, signcrypts m8 to obtain σ7, and sends σ7 to the L-TIS.
  • Step 10: On receiving σ7, the L-TIS unsigncrypts it to obtain the plaintext m8, generates a message m9 returning the information of the EPC to the RFID reader, signcrypts m9 to obtain σ8, and sends σ8 to the RFID reader.
  • Step 11: The RFID reader unsigncrypts σ8 to obtain the plaintext m9, the detailed information of the EPC.

In our security communication model for IOT application, to prevent any RFID reader from unconditionally reading the detailed information of an RFID object, and in view of the limited computing capability of the RFID object, each RFID object maintains two lists: a white list Lw and a black list Lb. Lw stores the elements (IDRRi, xRO·PKRRi) for trusted RFID readers, so that the point multiplication xRO·PKRRi is computed once, at the first contact with a reader, and reused thereafter; Lb stores the identities IDRRi of malicious RFID readers, whose requests are refused. The security mechanism between RFID object and RFID reader not only provides confidentiality but also achieves authentication, because no one other than the object IDRO and the reader IDRRi can compute the value H(xRRi·PKRO) = H(xRO·PKRRi).
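The reader/object exchange of Steps 1 and 2, together with the white list and black list described above, as an added Python example that is not part of the original paper. It replaces the paper's pairing-friendly group with a textbook toy curve (y² = x³ + 2x + 2 over F_17, base point of order 19), so it is not secure and only illustrates the protocol logic; H is instantiated with SHAKE256 so that it yields a keystream of the message length. The request form `EPC?` (our reading of "m0 is correct"), the sample EPC string, and the explicit `enroll` step that populates Lw are assumptions, since the paper does not specify them. The example also carries out the check a practitioner would want here: y0 and y1 are both masked with the same value H(xRO·PKRR), so y0 ⊕ y1 equals m0 ⊕ m1 over their common prefix. The `hardened` mode, which mixes a per-direction label into H, is our suggested mitigation for that keystream reuse and is not part of the paper's model; it does not add freshness, so replay of y0 is out of its scope.

```python
"""Steps 1-2 of the reader/object exchange plus the object's lists Lw and Lb.
Added example; the curve below is a textbook toy, NOT a secure parameter set."""
import hashlib
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of order 19.
# It stands in for the paper's group of points so the protocol logic can run.
P, A = 17, 2
G, ORDER = (5, 1), 19


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (the paper's Pm operation)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def keygen(x=None):
    """Return (x, PK = x*G); x is drawn from [1, ORDER-1] unless supplied."""
    x = x or secrets.randbelow(ORDER - 1) + 1
    return x, ec_mul(x, G)


def H(point, label, n):
    """Paper's key derivation H as an n-byte SHAKE256 keystream. label=b"" is the
    paper's H(point); a non-empty label is our hardening (assumption)."""
    x, y = point
    return hashlib.shake_256(f"{x},{y}".encode() + label).digest(n)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


class RfidObject:
    """Object ID_RO with private scalar x_RO and the lists Lw and Lb."""
    REQUEST = b"EPC?"   # assumed form of a "correct" request m0

    def __init__(self, ident, epc, x=None):
        self.ident, self.epc = ident, epc
        self.x, self.pk = keygen(x)
        self.Lw = {}     # trusted readers: ID_RR -> cached point x_RO * PK_RR
        self.Lb = set()  # identities of malicious readers

    def enroll(self, reader_id, reader_pk):
        """Populate Lw; the point multiplication runs once per reader (assumed
        explicit enrollment, the paper does not say how Lw is filled)."""
        if reader_id in self.Lb:
            raise PermissionError(f"{reader_id} is black-listed")
        self.Lw[reader_id] = ec_mul(self.x, reader_pk)

    def ban(self, reader_id):
        self.Lw.pop(reader_id, None)
        self.Lb.add(reader_id)

    def respond(self, reader_id, y0, lab_req=b"", lab_resp=b""):
        """Step 2: recover m0; answer with y1 only to a trusted, valid request."""
        if reader_id in self.Lb or reader_id not in self.Lw:
            return None  # untrusted reader: no EPC leaves the tag
        S = self.Lw[reader_id]
        if xor(H(S, lab_req, len(y0)), y0) != self.REQUEST:
            return None
        return xor(H(S, lab_resp, len(self.epc)), self.epc)


class RfidReader:
    def __init__(self, ident, x=None):
        self.ident = ident
        self.x, self.pk = keygen(x)

    def request(self, obj_pk, label=b""):        # Step 1: y0 = H(x_RR*PK_RO) xor m0
        S = ec_mul(self.x, obj_pk)
        return xor(H(S, label, len(RfidObject.REQUEST)), RfidObject.REQUEST)

    def recover(self, obj_pk, y1, label=b""):    # Step 3, first half
        return xor(H(ec_mul(self.x, obj_pk), label, len(y1)), y1)


def run_exchange(hardened=False, x_rr=None, x_ro=None):
    """Run Steps 1-2; return (EPC recovered by reader, whether y0^y1 leaks m0^m1)."""
    epc = b"urn:epc:id:sgtin:0614141.112345.400"  # constructed sample EPC
    reader, obj = RfidReader("ID_RR", x_rr), RfidObject("ID_RO", epc, x_ro)
    obj.enroll(reader.ident, reader.pk)
    lq, lr = (b"|req", b"|resp") if hardened else (b"", b"")
    y0 = reader.request(obj.pk, lq)
    y1 = obj.respond(reader.ident, y0, lq, lr)
    m1 = reader.recover(obj.pk, y1, lr)
    n = len(y0)  # same keystream in both directions -> ciphertext XOR = plaintext XOR
    return m1, xor(y0, y1[:n]) == xor(RfidObject.REQUEST, epc[:n])


if __name__ == "__main__":
    print(run_exchange())               # paper's form: EPC recovered, leak is True
    print(run_exchange(hardened=True))  # labelled keystreams: leak is False
```

Because both parties derive the same point (xRR·PKRO = xRO·PKRR), only an enrolled reader can produce a y0 that decrypts to a valid request, which is the authentication argument of the paragraph above; the `leaks` flag shows why the masking value should not be reused verbatim for the response.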

6 CONCLUSIONS

In this paper, we show that the communication model of IOT application has shortcomings in user privacy protection and information security. To solve these shortcomings, we define the formal models of COOSC and propose a concrete COOSC scheme for the IOT environment. Compared with the existing IBOOSC schemes that do not require the plaintext or the receiver's identity in the OfflineSigncrypt phase, our scheme has a clear advantage in offline computation cost, offline storage, ciphertext length and receiver computation cost. Moreover, our scheme achieves the Known-STIS, PV-confidentiality and No-KE security attributes. Thus, the new security communication model based on COOSC for IOT application performs well.

ACKNOWLEDGEMENTS

We thank the anonymous referees for their valuable suggestions and comments. This work is supported by the National Natural Science Foundation of China under grant no. 11226042, the Science and Technology Supporting Program of Jiangxi Province under grant no. 2012ZBBE50036, and the Science and Technology Project of Jiangxi Provincial Department of Education under grant no. GJJ12147.