Abstract

The Internet of Things (IoT) is a vast perceptual network formed by a variety of IoT devices connected to each other. In IoT, various devices cooperate with each other to collect and transmit private data of IoT and sustain the efficient and orderly operation of IoT. However, in the complex security situation of IoT, due to the resources of IoT devices being limited, it is difficult for IoT devices to afford the heavy resource consumption of sophisticated data encryption and decryption mechanism, which brings certain security risk to data transmission of IoT. To ensure safe and efficient data transmission, we propose an improved efficient certificateless hybrid signcryption scheme for IoT, which satisfies confidentiality, unforgeability, forward security, public verification, and known session-specific temporary information security; meanwhile, we prove them in random oracle model (ROM). In addition, through simulation experiment, we find that our scheme has higher communication efficiency and computational efficiency compared with existing schemes.

1. Introduction

The Internet of Things (IoT) realizes the mapping from the real world to the virtual world through the perception of a large number of IoT devices to the real world. In the virtual world, by sorting out and analyzing massive perceptual data, users can obtain more accurate and effective information, so as to obtain detailed status in the real world, and then realize more accurate and efficient adjustment to the real world. At present, with the extensive development of the IoT, IoT has brought unimaginable convenience to the people and the country. For example, in the smart home, various furniture and equipment can cooperate with each other, so that people can get rid of heavy housework [1]. In the smart medical, through the real-time perception and analysis of the disease, patients can attain more perfect and comprehensive treatment in time [2]. Therefore, IoT plays a key role in people’s production and life and has become one of the most potential technologies in the 21st century [3].

In IoT, there are a large number of devices with different structures, which cooperate to transmit sensitive data or private information of IoT, forming an organic whole. However, in order to reduce production costs, manufacturers often adopt overly simple structure design and limited resources in the design and manufacture of IoT devices. It is easy for attackers to guess the general structure of the device and carry out illegal operations such as hacking and misappropriation [4]. Additionally, in the face of the complex security situation of IoT, it is difficult for the resource-constrained devices to afford the heavy resource consumption of sophisticated data transmission mechanism, which also brings certain security risks to the data transmission in IoT [5]. Therefore, for the massive resource-constrained devices in IoT, how to ensure the efficient and secure data transmission has become a key factor in the security of IoT [6].

Data encryption has become the primary choice to ensure the security of data transmission and has been successfully applied in many fields such as the Internet. However, in IoT, the normal data encryption mechanism is no longer suitable for data encryption of IoT devices because it consumes too much software and hardware resources or lacks some security features of IoT. In order to reduce the resource consumption in the process of data encryption and improve efficiency and security levels of data transmission, the researchers put forward a series of lightweight data encryption algorithm [7, 8]. Among them, the concept of certificateless hybrid signcryption has attracted extensive attention since it was put forward.

Compared with other data encryption methods, the certificateless hybrid signcryption mechanism can greatly reduce the consumption of computing resources and communication resources in the process of data transmission and has higher flexibility and security [9]. In the certificateless cryptosystem, the key generation center (KGC) can generate the user’s partial private key according to the user’s public information and send it to the user through the secure channel. After receiving the partial private key, the user combines its own secret value to generate the full private key. After that, the user computes the public key to complete the initialization of the user key. Compared with other public key cryptosystem, the certificateless cryptosystem gets rid of the problem of public key authentication in traditional cryptosystem based on public key infrastructure (PKI). Meanwhile, the full private key of the users in the certificateless public key cryptography is generated jointly by the user and KGC and overcomes the key escrow problem in identity-based cryptography [10]. In terms of data encryption algorithm, compared with the traditional “signature before encryption” method, the hybrid signcryption algorithm can achieve the signature and encryption in one calculation turn, which can improve the computing efficiency and provide stronger security for data transmission [11]. Therefore, for resource-constrained devices and complex security situations in IoT, the certificateless hybrid signcryption mechanism can not only greatly reduce the consumption of computing resources and the communication pressure in data transmission but also can provide better security and flexibility for data transmission of IoT [12].

However, in the practical application of resource-constrained devices of IoT, the existing certificateless hybrid signcryption schemes are hard to keep the balance between security and efficiency. In security, the capabilities of attackers are also increasing day by day in IoT, and some proposed schemes have certain flaws in the face of new security requirements of IoT [6]. In efficiency, bilinear pairing operation improves the flexibility and security of the algorithm but also increases the computational pressure on devices [13]. However, most existing schemes adopt multiple bilinear pairing operations, which consume too much hardware and software resources and are no longer suitable for the data transmission requirements of resource-constrained devices in IoT. Therefore, to ensure secure and efficient data transmission in IoT, our contribution is therefore as follows. (1)We evaluate the security of Gong et al.’s certificateless hybrid signcryption scheme for IoT [14](2)We propose an improved efficient certificateless hybrid signcryption scheme for IoT(3)Our scheme can meet confidentiality, unforgeability, forward security, public verification, and known session-specific temporary information security, and we prove them in random oracle model (ROM)(4)In theoretical analysis and experimental simulation, we find that our scheme has higher communication efficiency and computational efficiency than the existing schemes

The rest of the paper is organized as follows. In Section 2 and Section 3, we present research status and preliminaries related to this paper. The review and the evaluation of the Gong’s scheme are carried out in Section 4. In Section 5, we show the specific details of our scheme. In Section 6, we analyze the security of the proposed scheme. In Section 7, we perform theoretical analysis and experimental simulation. In Section 8, we make the summary of this paper.

2. Related Work

Since the concept of certificateless hybrid signcryption is put forward, it has attracted more and more attention, and a series of effective schemes had been produced. Li et al. took the lead in proposing the concept of certificateless hybrid signcryption, gave an example of certificateless hybrid signcryption scheme, and declared that their scheme satisfied confidentiality and unforgeability in ROM [9]. However, Li et al.’s scheme uses too many bilinear pairs, resulting in low computational efficiency.

To ensure efficient data transmission, a series of feasible methods and schemes were proposed. Yin and Liang proposed a certificateless hybrid signcryption scheme for wireless sensor networks, which performed only two bilinear calculations and improved computational efficiency [15]. However, after receiving valid message, the receiver can forge any information, resulting in Yin and Liang’s scheme not meeting the unforgeability. Yu and Yang proposed a certificateless hybrid signcryption scheme without pairing, which did not require bilinear computation and improved computing efficiency [16]. However, compared with other schemes, this scheme transmits more data and has certain deficiencies in communication efficiency. Luo and Ma proposed a new certificateless hybrid signcryption scheme for cloud storage, which did not require bilinear pairings and reduced the computational pressure in the process of data encryption [17]. However, Kasyoka et al. proved that Luo and Ma’s scheme did not meet the requirement of unforgeability and had certain security defects and proposed an improvement scheme [18].

With the gradual improvement of the attacker’s ability, researchers also put forward some certificateless hybrid signcryption schemes to enhance the security of data transmission. Luo et al. proposed a certificateless hybrid signcryption scheme, which can meet confidentiality, unforgeability, and the known session-specific temporary information security [19]. However, this scheme uses too many bilinear operations and has certain deficiencies in computing efficiency. To ensure data security and low computational overhead, Gong et al. proposed a lightweight and secure certificateless hybrid signcryption for the IoT, but it cannot satisfy the requirements of unforgeability, and its security analysis will be explained in Section 4 of this paper [14].

3. Preliminaries

3.1. Formal Model of Certificateless Hybrid Signcryption

There are three members: KGC, sender, and receiver. The general interaction process is as follows.

Setup. The KGC randomly chooses master system key and generates system parameters . After the algorithm is executed, KGC publishes the system parameters to all users

Extract Partial Private Key. The user firstly sends his unique identifier to KGC, which generates the partial private key of user and sends the partial private key to the user through secure channel

Generate User Key. After receiving the system parameters published by KGC, the user generates the secret value and generates the public key . Next, the user publishes the public key and reserves the secret value

Extract Full Private Key. After receiving partial private key sent secretly by KGC, the user generates the full private key combined with the secret value . From there, the user and KGC jointly generate the full private keys of user

Signcryption. Assume that both sender and receiver have completed the initialization of the key. During the signcryption process, the sender generates the session key , encrypts the information with symmetric encryption algorithm, and generates ciphertext . After the signcryption is complete, the sender sends the ciphertext to the receiver

Unsigncryption. After receiving the ciphertext , the receiver generates the session key and decrypts the ciphertext to recover information or error symbols . Finally, the receiver executes the authentication equation to judge the validity of the ciphertext

3.2. Security Notions

The security of modern cryptographic systems mostly is based on mathematical problems, and this paper is no exception. The mathematical difficult problems proposed in this paper are involved as follows.

Definition 1. Let us say that is an additive cyclic group and is the generator of . The challenger chooses , where . The computational Diffie-Hellman (CDH) is to compute .

Definition 2. Let us say that is a multiplication cyclic group and is the generator of . The challenger chooses , where . The computational Diffie-Hellman (CDH) is to compute .

Definition 3. Let us say that is an additive cyclic group and is the generator of . The challenger chooses , where . The decisional Diffie-Hellman (DDH) is to determine whether the equation is true.

Definition 4. Let us say that is an additive cyclic group, is a multiplication cyclic group, is a bilinear pairing, and is the generator of . The challenger chooses and , where . The decisional bilinear Diffie-Hellman (DBDH) is to determine whether the equation is true.

4. Gong et al.’s Scheme Review and Security Analysis

In this section, we review the scheme proposed by Gong et al. and show the security analysis of Gong et al.’s scheme [14]. In the security analysis, we find that the scheme does not meet the unforgeability and prove it.

4.1. The Review of Gong et al.’s Scheme

Assuming that Alice is the sender and Bob is the receiver in the communication process, then the details of Gong et al.’s scheme are as follows.

Setup. After receiving the security parameter , the KGC selects an additive cyclic group , a multiplicative cyclic group , a bilinear pairing , and as the generator of the additive cyclic group , where . Then, KGC selects four hash functions , , , and and one modular function . After that, KGC selects as the master system key and computes as the system public key. Finally, KGC publishes system parameters and keeps the master system key secret

Extract Partial Private Key. After receiving the user’s unique identifier sent by the user , and KGC computes as the partial private key of the user , where . Next, KGC sends the partial private key to the user through the private channel

Generate User Key. The user selects a random value as the secret value and computes as the public key. After receiving the partial private key of the user sent by KGC, the user generates the full private key

Signcryption. Suppose Alice and Bob have completed the initialization of the key, and Alice already gets Bob’s public key . The specific process of signcryption is as follows. (1)Chooses randomly and compute (2)Computes and , where (3)Computes the session key (4)Generates ciphertext (5)Computes and and sends the ciphertext to Bob

Unsigncryption. Assume that Bob has obtained the public key of sender Alice and received the signcryption ciphertext . The specific process of unsigncryption is as follows. (1)Computes and , where (2)Computes the session key and generates the message (3)Computes and checks if the verification equation is true(4)If true, Bob receives the message. If not, Bob drops the message

4.2. Security Analysis

Through the analysis of the Gong et al.’s scheme, we find that it cannot meet the unforgeability. It is assumed that the sender Alice and the receiver Bob have generated their key. If the receiver Bob has received a valid ciphertext , then Bob is able to forge any ciphertext and claims that it was sent by the sender Alice. The forgery process is as follows. (1)Chooses and (2)Computes and (3)Computes the session key and executes the symmetric encryption algorithm to generate the ciphertext , where is the information Bob wants to get(4)Computes the from the previous communication and the forgeable (5)Computes and generate the valid forgeable ciphertext

The forgeable ciphertext can be able to overcome the verification equation. The verification process is as follows:

Since then, the receiver Bob has successfully forged a valid signcryption ciphertext. Thus, Gong et al.’s proposed scheme does not satisfy the requirement of unforgeability. Based on the analysis of the Gong et al.’s scheme, we propose an improved scheme, which will be introduced in Section 5.

5. The Proposed Scheme

In this section, we take the communication between Alice and Bob as an example to introduce our scheme in detail, where Alice represents the sender and Bob represents the receiver. For increasing readability, the main symbols involved in our scheme are introduced in Table 1.

Setup. Let and be an additive cyclic group and a multiplicative cyclic group, where and is a prime. Choose a bilinear pairing , be the generator of and a pair of symmetric encryption and decryption algorithms (Enc, Dec). Select three hash functions : , , and , where is the length of identity and is the length of session key, respectively. Then, the KGC chooses as the master system key and computes as the system public key. Finally, the KGC publishes the system parameters and keeps the master system key secret

Extract Partial Private Key. After receiving the unique identifier of user, the KGC randomly selects , computes , , and generates the partial private key . Finally, KGC sends the partial private key and to the user

Generate User Key. After receiving the partial private key and the partial public key , the user randomly chooses as the secret value and computes as the public key. Note that the user combines and to generate the full public keys

Extract the Full Private Key. The user combines the secret value and the partial private key to generate the full private key

Signcryption. Before performing signcryption, the sender Alice has obtained the full public key , the full private key , the message needed to be transmitted, system parameters , the full public key , and identity of the receiver Bob. The detailed process is as follows. (1)Chooses randomly and compute (2)Computes and , where (3)Computes session key and generates the ciphertext (4)Computes and (5)Sends ciphertext to receiver Bob

Unsigncryption. Before performing unsigncryption, the receiver Bob has obtained the full public key , the full private key , the ciphertext , the system parameters , the full public key , and identity of the sender Alice. The detailed process is as follows. (1)Computes and (2)Computes session key and generate the message or error symbol (3)Computes (4)Checks if the equation holds. If true, the Bob receives the message ; otherwise, the message is dropped

5.1. Correctness

6. Security Analysis

There are two kinds of security adversary in certificateless public key cryptosystems. The adversary , impersonating the user in cryptosystems, can replace the public key of any user in system. The adversary , impersonating the KGC in cryptosystems, can obtain the master system key. In this section, we discuss the security attributes of our scheme from the perspective of two types of attackers.

6.1. Confidentiality

Lemma 5. Assuming that the adversary can be able to win the game with a nonnegligible advantages after queries, queries, queries, public key queries, secret value queries, the partial private key queries, and the replace public key queries, the challenger can solve the CDH problem with the follow probability . Note that .

Proof. The challenger takes adversary as the subroutine, gives the adversary the . And the target is compute the through the game between adversary and the challenger .
Setup. The challenger executes the setup algorithm and generates the system public parameters
Phase 1. The adversary execute the following polynomially bounded queries. Note that before the adversary executes queries, the challenger chooses randomly for the challenged phase.
query: the challenger initializes and updates data table , where the tuple format is . When adversary executes the query with the user identity as input, firstly checks if contains item . If contains the tuple , returns the to . If not, randomly chooses the , adds or updates the new item to , and returns to
query: the challenger initializes and updates data table , where the tuple format is . When adversary executes the query with the as the input, the challenger firstly checks if contains the related tuple . If contains the tuple , returns the to . If not, randomly chooses , inserts the new item to the list , and returns the to
query: the challenger initializes and updates data table , where the tuple format is . When the adversary executes the query with the as input, the challenger firstly checks if contains the interrelated tuple. If contains this tuple, returns the to . If not, randomly chooses , adds or updates the new item to , and returns to
Secret value query: the challenger initializes and updates data table , where the tuple format is . When adversary executes the secret value query with the as the input, the challenger firstly checks if contains the interrelated tuple . If contains this tuple, returns the to . If not, chooses randomly, computes , adds or updates the item to , and returns to . Note that if , aborts this game
Partial private key query: with the as the input, the challenger firstly checks if contains the interrelated tuple . If contains this tuple, returns the to . Otherwise, if , chooses and computes and , where is from the list . Next, adds or updates the item to and returns to . Note that if , aborts this game
Public key query: when adversary executes the public key query with the as the input, the challenger firstly checks if contains list item . If contains this tuple, returns the to . Otherwise, if , executes the secret value query and partial private key query. If , sets and computes and , where is from the list . Next, adds or updates the item to and returns to
Replace public key query: with the as the input, updates the list with the new item
Signcryption query: when adversary executes the signcryption query with the as the input, firstly checks whether . If , executes the normal signcryption process according to our scheme. If , the full private key of cannot be obtained, and queries the full private key of and the full public key of from and performs the following operation. (1)Chooses randomly and computes (2)Inserts into with the new item , where (3)Computes and (4)Computes session key , inserts into the with the new item , and generates the ciphertext (5)Computes and returns the ciphertext to After Bob receives the ciphertext , it can pass the verification, with the following computation: Unsigncryption query: when adversary executes the unsigncryption query with the as the input, firstly checks whether . If , executes the normal unsigncryption process according to our scheme. If , the full private key of cannot be obtained, and queries of and of from and performs the following operation. (1)Computes (2)Retrieves each item in to determine whether is true. If the equation is true, it computes and generates the message or error symbol (3)Gets from the list with as input(4)Checks if the equation holds. If true, returns the message to ; otherwise, returns the symbol to Challenge. After the queries in Phase 1, the adversary selects two same length plaintext and two user’s identity . In this phase, and are the users that will challenge. Before the challenge, the full private key cannot be queried and cannot be replaced. If or , aborts the game. Otherwise, generates the ciphertext by following the steps. (1)Sets , chooses , and computes (2)Chooses session key and generates the ciphertext , where (3)Adds the new item to the list (4)Computes, generates the ciphertext , and returns to Phase 2. In this stage, the adversary can execute the polynomially bounded queries like Phase 1. Note that of cannot be queried, cannot be replaced, and the ciphertext with sender and receiver cannot be executed unsigncryption query
Guess. The challenger computes the probability of solving the CDH through the adversary that wins the game. If the wins the game, the list will store items, one of which is the answer to the CDH problem. Thus, chooses the in every item of to test. Analysis. Let us compute the probability of the challenger cab by solving the CDH problem. In this game, there are two conditions for the challenger to solve CDH: the challenger does not abort in this game and the adversary successfully wins this game. Firstly, the challenger abandons the challenge by following four events. Note that . (1)Event 1: the adversary executes the partial private key query of , and the probability of this event is (2)Event 2: the adversary executes the secret value query of , and the probability of this event is (3)Event 3: the adversary executes the replace public key query of , and the probability of this event is (4)Event 4: when the adversary executes challenges, the user are not challenged user identity, that is, , and the probability of this event is Therefore, we calculate the probability that does not give up the game with the probability .
Secondly, the challenger goes through the list and selects as the answer to the CDH. Thus, the probability of finding the correct solution to CDH is . Therefore, with the adversary as the subroutine, the challenger solves the CDH with the following probability .