Abstract
Two basic security requirements in communication are confidentiality and authentication. Signcryption is an ideal technique to transmit encrypted and authenticated data. In view of the shortcomings of existing signcryption schemes and the high security of elliptic curve cryptography (ECC), we design an ECC-based signcryption scheme and evaluate it in terms of security, computational overhead, and communication overhead. Finally, we consider the application of our secure and efficient signcryption scheme in the smart lock key management system and analyze the bit-oriented performance of the designed key management scheme.
1. Introduction
With the rapid development of the Internet, there are an increasing number of smart devices, among which the smart lock is one of the typical representatives. Compared with other smart devices, the smart lock requires higher security. When designing a smart lock, security is the first problem to be considered.
Confidentiality and authentication are two basic security requirements in communication. In general, encryption can ensure the confidentiality of the message, and digital signature can ensure the authentication of the message. In order to meet these two requirements at the same time, the traditional method is either “encrypt before signing” or “sign before encryption”. However, these will result in a large amount of computation and communication costs. In 1997, Zheng [1] first proposed the notion of signcryption. Signcryption not only meets these two security requirements at the same time, but its computational and communication costs are also much lower than those of the traditional methods described above. Signcryption is an ideal way to transmit encrypted and authenticated information. Therefore, it can also be used for mobile device authentication. The information on which authentication is based generally includes the following three categories: (1) information known to the user, such as passwords; (2) things owned by the user, such as smart cards; and (3) biometrics of the user, such as fingerprints. Single-factor authentication generally refers to password-based authentication. Two-factor authentication refers to the smart-card-based password authentication. Multifactor authentication refers to authentication that uses two or more pieces of information. Signcryption has broad application prospects in e-commerce, e-government, and key management.
At present, the secure and practical public key cryptosystems include the RSA cryptosystem (based on the big integer factorization problem), the DSA cryptosystem (based on the discrete logarithm problem in the finite field), and the ECC cryptosystem (based on the ECDLP). Among them, the ECC cryptosystem has the highest security when the key length is the same.
The ECC cryptosystem was independently proposed by Neal Koblitz [2] and V. S. Miller [3] in 1985. It uses an elliptic curve whose variables and coefficients are elements of a finite field. The security of ECC is based on the ECDLP. Different from the discrete logarithm problem in the finite multiplication group, the ECDLP on the finite field is more difficult to solve: no known algorithm solves it in polynomial time. In the general discrete logarithm problem, the algebraic operation on the finite field includes two operations, field addition and field multiplication, which allows the general discrete logarithm problem to be solved in subexponential time. However, in the ECDLP, the algebraic operation only includes the point addition operation on the elliptic curve. Therefore, none of the discrete logarithm algorithms can solve the ECDLP in subexponential time, except on some very special elliptic curves.
In view of the shortcomings of the existing key management scheme of the smart lock, the advantages of signcryption scheme, and the high security of ECC, this paper designs a signcryption scheme based on elliptic curve and, for the first time, applies the signcryption scheme to the key management scheme of the smart lock system.
1.1. Related Works
Since the signcryption scheme was put forward in 1997, there have been several specific schemes based on different difficult assumptions ([1, 4–6]). In addition to the basic security objectives, some new features are introduced in the study of signcryption schemes, such as identity-based signcryption scheme ([6–11]), hybrid signcryption scheme [12], key encapsulation mechanism (KEM) and data encapsulation mechanism (DEM)-based signcryption scheme [13], certificateless signcryption scheme [14], verifiable signcryption scheme [10], attribute-based signcryption scheme ([15, 16]), functional signcryption scheme [17], or key invisible signcryption scheme [18].
Malone-Lee [7] defined the security model of identity-based signcryption scheme in 2002 and constructed the first identity-based signcryption scheme using bilinear pairings. In 2003, Nalla et al. [19] proposed an identity-based signcryption scheme on bilinear pairings of elliptic curves. This scheme is an improvement of Lee’s [7] signcryption scheme. In 2004, with the difficulty of q-Diffie-Hellman problem (q-DH) in Gap-Diffie-Hellman group, Libert et al. [20] proposed a new public key authenticated signcryption scheme. This scheme is particularly efficient. The cost of signcryption operation is almost the same as that of ElGamal encryption, and the inverse operation only needs one pairing evaluation and three power calculations. Under the assumption of q-strong Diffie-Hellman, they proved the unforgeability of this scheme. In 2009, based on the encryption scheme of Waters [21], Yu et al. [22] proposed the first identity-based signcryption scheme without random oracle.
In 2012, Kar [23] proposed a provably secure signcryption scheme in the random oracle model by modifying the scheme of Libert et al. [24]. This scheme is safer and more reliable than the scheme of Libert et al. In the random oracle model, they use two hypotheses, strong Diffie-Hellman (SDH) and Diffie-Hellman inversion (DHI), to prove the security of the scheme. In the same year, S. Sharmila et al. [11] first proposed an identity-based signcryption scheme with provable security under the standard model. The unforgeability of the scheme is based on the difficulty of computational Diffie-Hellman problem (CDH), and the indistinguishability is based on the difficulty of decisional bilinear Diffie-Hellman problem (DBDH). In 2013, Kar [25] proposed an aggregate signcryption scheme with provable security. The security of the scheme is based on the computational reliability of DBDH and discrete logarithm problem (DL). In 2014, Liu Zhenhua et al. [26] proposed a new revocable identity-based signcryption scheme to revoke malicious users in the signcryption system. In this scheme, the master key is randomly divided into two parts, one is used to construct the initial key, and the other is used to update the key. In the standard model, they proved the IND-CCA2 security based on DBDH difficult problem and the EUF-CMA security based on CDH difficult problem. In 2015, Braeken et al. [27] pointed out some problems of existing pairing-free signcryption scheme. Then, they modified the scheme and extended it to a multiuser signcryption scheme. In 2016, Kar and Naik [28] proposed an effective certificateless signcryption scheme based on bilinear mapping in the random oracle model. They proved the security of the scheme based on the assumptions of the k-CAA, Inv-CDH, q-BDHI, and CDH. In the same year, Han Yiliang et al. [29] combined Niederreiter public key cryptography with CFS signature scheme and constructed a signcryption scheme. 
This scheme can resist quantum attack and has a small amount of key data. They proved the IND-CCA2 security and EUF-CMA security of the scheme in the random oracle model. In 2017, Zhou Yanwei et al. [30] proposed an efficient certificateless signcryption scheme without bilinear mapping and proved the security of the scheme based on CDH and DL in the random oracle model. Tsai et al. [31] proposed a new multidocument blind signature scheme based on ECC. This scheme adds the design of the signature encryption paradigm to the blind signature scheme to enhance high-level security. In 2018, for the security of hybrid signcryption schemes, Dai et al. [32] studied the replayable CCA security (RCCA) of SKEM+DEM [33] and Tag SKEM+DEM [13]. If the scheme SKEM is RCCA secure and the scheme DEM is RCCA secure, the hybrid signature scheme SKEM+DEM is RCCA secure. If the scheme Tag-SKEM is RCCA secure and the scheme DEM is RCCA secure, the Tag SKEM + DEM hybrid encryption scheme is RCCA secure. In the single-factor authentication research area, He Debiao et al. [34] proposed a password-based remote user authentication scheme without smart cards. The scheme can resist various attacks, such as device stolen attack and privileged insider attack. In the two-factor authentication research area, Wang Ding et al. [35] proposed a smart-card-based password authentication scheme that kills two birds with one stone. By integrating “honeywords” with their proposed “fuzzy-verifiers,” the scheme not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound. Our signcryption scheme is highly efficient and satisfies multiple security properties; we believe it can be used as a building block for the authentication phase of a single-factor authentication scheme. 
When the server and user authenticate each other and generate a session key, they can use our scheme to signcrypt their own messages, respectively, which not only achieves authentication but also provides additional confidentiality.
At present, there have been many works on the key management system of smart locks. For data security in narrow band Internet of things (NB-IOT) application environment, Jia Rongyuan et al. [36] proposed a lightweight encryption algorithm and encryption model based on AES [37] and chaos sequence. However, they did not explain how to transmit the key. Wireless smart locks have problems such as difficult monitoring, high power consumption requirements, and insecure wireless transmission. In order to solve these problems, Zhang Huanlan et al. [38] proposed a 433 MHz wireless module based on Diffie-Hellman key exchange algorithm and corrected block tiny encryption algorithm for double encryption smart lock system. In 2019, under the unreliable UDP data transmission of NB-IoT, Liu Mengjun [39] designed a key transmission interaction scheme to complete the reliable update of the user’s unlock key with as little calculation and communication as possible. However, this scheme will continue to use the old key for unlocking when the unlock key update fails, which is not applicable to public rental housing, because if the user loses the qualification to rent a house, the unlock key must be updated as soon as possible. In addition, in this work, the session key used between the server and the smart lock has low security. Sha Tao et al. [40] designed an identity verification mechanism based on position proof. They also proposed a timestamp encryption mechanism to prevent remote unlocking and replay attacks by malicious users. However, this work did not explain how the server issued the unlock key to the smart lock, and the smart lock did not upload operating information to the server. Wang et al. [41] designed a complementary multidimensional feature fusion network-based hand gesture recognition (CMFF-HGR) to extract features and achieve hand gesture recognition. 
The smart lock key management system based on hand gesture recognition is different from the key management scheme proposed in this paper. The smart lock system based on hand gesture recognition requires the user to memorize the gestures, and the hand gesture can easily be observed by others during the unlocking process. However, the key management scheme in this paper does not require manually memorizing the unlock key, and the unlock key is different every time rather than fixed. Therefore, the key management scheme in this paper has higher security.
1.2. Contribution
This paper proposed an efficient and secure ECC-based signcryption scheme and applied it to a smart lock key management system. To the best of our knowledge, this work is the first to consider the application of a signcryption scheme in a smart lock key management system. Compared with other smart lock key management schemes, our scheme is more efficient and secure due to the confidentiality and authentication by the signcryption itself, as well as the efficiency and other security properties of our signcryption scheme. In addition, in our key management scheme, the unlock key is delivered to the smartphone by the server, and then, the smartphone unlocks the smart lock through Bluetooth. Therefore, the unlock key is different every time, and the user does not need to memorize a fixed unlock key, which makes our key management scheme more secure and convenient.
1.3. Organization
This paper is organized as follows. The first section is the introduction of this paper. The second section introduces the basic knowledge, including elliptic curve discrete logarithm problem, the formal definition, and the security model of signcryption scheme. In the third section, we design a signcryption scheme based on elliptic curve and analyze the correctness, security, and performance of our signcryption scheme. In the fourth section, we apply our signcryption scheme to the key management system of smart lock. Finally, in the fifth section, we summarize the full text and give an outlook for future work.
2. Preliminaries
2.1. Basic Notation
In the following sections, if for all polynomials and all sufficiently large , we call is negligible. In this paper, “PPT” represents probabilistic polynomial time.
2.2. Elliptic Curve Discrete Logarithm Problem
Definition 1 (Elliptic curve discrete logarithm problem). Given an elliptic curve , is a point on this elliptic curve and its order is a large prime number (). For any random number , can be easily calculated. However, if and are known, it is very difficult to find .
2.3. The Definition of Signcryption Scheme
2.3.1. Syntax
Given the key space , message space , and signcryption space , for any sender and receiver, a signcryption scheme is a collection of the following four algorithms.
(i) This is system initialization algorithm. This algorithm requires a security parameter as the input of the algorithm and requires common parameters as the output of the algorithm
(ii): This is key generation algorithm, which is a random algorithm. This algorithm requires common parameters and random number as the input of the algorithm and requires key pair () as the output of the algorithm
(iii): This is signcryption algorithm. This algorithm requires common parameters , private key () of sender, public key () of receiver, and message () as the input of the algorithm and requires signcryption as the output of the algorithm
(iv): This is unsigncryption algorithm. This algorithm requires common parameters , private key () of receiver, and public key () of sender and signcryption as the input of the algorithm. This algorithm outputs message or symbol “” (“” indicates that the unsigncryption failed)
Definition 2 (Correctness). For any message , any sender (his key pair was generated by ), any receiver (his key pair was generated by ), and the following formula holds
2.4. The Security Model of Signcryption Scheme
Definition 3 (Confidentiality). The confidentiality security can be seen as a game between the adversary and the challenger . This game is divided into five phases.
(i) Keygen phase: Challenger runs algorithm to generate a sender key pair and a receiver key pair , and sends to adversary
(ii) Query phase 1: The adversary sends multiple signcryption queries and unsigncryption queries to the challenger
    (1) Signcryption query: The adversary submits the message and the public key to the challenger . The challenger calculates and sends the result to the adversary
    (2) Unsigncryption query: The adversary submits the legitimate signcryption result and the public key to the challenger . The challenger calculates and sends the message or symbol “” to the adversary
(iii) Challenge phase: The adversary submits two messages , (, have the same length) to the challenger . The challenger randomly selects , calculates and sends the result to the adversary
(iv) Query phase 2: Similar to the query phase 1, the adversary continues to send multiple signcryption queries and unsigncryption queries to the challenger (the adversary is forbidden from sending unsigncryption query for the result )
(v) Guess phase: The adversary outputs a value as the guess for . If , the adversary wins this game
In this game, the advantage of the adversary is .
Definition 4 (Unforgeability). The unforgeability security can be seen as a game between the adversary and the challenger . This game is divided into three phases.
(i) Keygen phase: Challenger runs algorithm to generate a sender key pair and a receiver key pair and sends to adversary
(ii) Query phase: The adversary sends multiple signcryption queries and unsigncryption queries to the challenger
    (1) Signcryption query: The adversary submits the message and the public key to the challenger . The challenger calculates and sends the result to the adversary
    (2) Unsigncryption query: The adversary submits the legitimate signcryption result and the public key to the challenger . The challenger calculates and sends the message or symbol “” to the adversary
(iii) Forgery phase: The adversary submits the challenging content, including challenging message and the forged signcryption . The challenger submits the above input to the oracle, and the oracle returns the unsigncryption of signcryption to the challenger . If the result is message , and the adversary has not used this message as the input for signcryption query before, the adversary wins this game
In this game, the advantage of the adversary is his probability of winning the game.
3. Our ECC-Based Signcryption Scheme
3.1. Construction
In this section, we define and construct our elliptic curve signcryption scheme .
(i): Let be a finite field of order (the length of is ), () be an elliptic curve in finite field , be the base point of the elliptic curve . , where is a large prime number. Let () is the cofactor. represents the number of points of the elliptic curve defined on the finite field ). is an elliptic curve cyclic multiplication group of order generated by point . We suppose the plaintext space is and select two hash functions , . Then, we expose parameters and hash function ,
(ii): The sender randomly selects as his private key, and his public key is . The receiver randomly selects as his private key, and his public key is . Then, they keep the private key secret and expose the public key
(iii): The sender uses and to signcrypt message
    (a) Select a random number
    (b) Compute
    (c) Compute .
    (d) Compute
    (e) Compute .
    (f) Compute . If , return to step 1
    (g) Get the signcryption , and send it to the receiver
(iv): The receiver gets the signcryption and uses and to unsigncrypt it
    (a) Compute
    (b) Compute
    (c) Compute .
    (d) Compute
    (e) Compute .
    (f) If , return , otherwise return “”.
3.2. Correctness
Because , we have . Therefore, the following formula holds
So, we have , . Here, ensures that the receiver can restore the sender’s message ; that is, the decryption process is correct. ensures that the receiver can verify the correctness of the sender’s signature; that is, the verification process is correct. Therefore, our signcryption scheme is correct.
3.3. Security
3.3.1. Confidentiality
Confidentiality means that information can only be used by authorized users and cannot be disclosed to unauthorized users. Confidentiality is a required property of encryption. Since signcryption needs to realize both signature and encryption, the signcryption scheme must also have confidentiality. According to Theorem 5, our signcryption scheme has confidentiality.
Theorem 5. In the random oracle model, if there is an adversary who can win the game of Definition 3 with the advantage of , there is a challenger who can solve the ECDLP problem with the advantage of at least . , , and represent the number of times the adversary initiates query, signcryption query, and unsigncryption query, respectively.
Proof. At the beginning of the game, the challenger runs algorithm to generate a sender key pair and a receiver key pair and sends to adversary . The challenger manages four lists , which are initially empty. are used to track the adversary’s queries to oracle , respectively, is used to simulate signcryption oracle, and is used to simulate unsigncryption oracle.
Next, the adversary sends queries to the challenger .
(1) ( query) If already exists in the list , the challenger returns . Otherwise, the challenger selects from randomly, stores in list , and returns
(2) ( query) If already exists in the list , the challenger returns . Otherwise, the challenger selects from randomly, stores in list , and returns
(3) ( query) The public key of sender is , the public key of receiver is , and the message is . The challenger selects from randomly and computes , . can be obtained from the above query. Then, the challenger computes , . can be obtained from the above query. The challenger computes and returns
(4) ( query) The public key of sender is , the public key of receiver is , and the signcryption is . The challenger computes , . If , the challenger returns “”, else computes , . If , the challenger returns “”, else computes . If , the challenger returns “”, else computes
After the above-mentioned queries are initiated polynomial times, the game enters the challenge phase. The adversary outputs two messages . The challenger randomly selects from , from , and and from and computes and . When is queried at , the value is returned directly. When is queried at , the value is returned directly. The challenger returns challenging signcryption to . The adversary initiates the second round of query, which is same as the first round of query, but the adversary cannot send unsigncryption query for the signcryption result . At the end of the simulation, the adversary outputs as the guess for . If , the challenger outputs as an answer to the ECDLP, else the challenger fails to solve the ECDLP.
In the view of the adversary , the challenger provides a simulation environment similar to the actual environment. However, in the challenge phase, the answer of to the query is different. This is because can only be determined at the end of the challenge phase. At this point, is the maximum number that is queried. Therefore, the challenger has an advantage of at least to solve the ECDLP problem.
3.3.2. Unforgeability
Unforgeability is a required property of signature. Since signcryption needs to realize both signature and encryption, the signcryption scheme must also have unforgeability. According to Theorem 6, our signcryption scheme has unforgeability.
Theorem 6. In the random oracle model, if there is an adversary who can win the game of Definition 4 with the advantage of , there is a challenger who can solve the ECDLP problem with the advantage of . , , and represent the number of times the adversary initiates query, query, and signcryption query, respectively.
Proof. At the beginning of the game, the challenger runs algorithm to generate a sender key pair and a receiver key pair and sends to adversary . The challenger manages three lists , which are initially empty. are used to track the adversary’s queries to oracle , respectively, is used to simulate signcryption oracle.
Suppose the public key of the receiver is , the adversary uses the oracle described in the proof of Theorem 5 to send various queries. After these queries, in the forgery phase, the adversary outputs the forged signcryption result. It can be seen from the proof of Theorem 5 that our simulation is equivalent to the actual attack environment. In order to forge successfully, the adversary must send query and query to get corresponding to message . The probability that the adversary chooses the correct record in the list is , so the challenger has the advantage of to solve ECDLP problem.
3.3.3. Integrity
Integrity means that information cannot be accidentally or maliciously deleted, modified, forged, replayed, and inserted during transmission and storage.
Theorem 7. Our signcryption scheme has integrity.
Proof. In our signcryption scheme, it is very difficult for an attacker to tamper with the information between the sender and receiver. Because this tampering requires the hash value , and corresponds to the hash value of a random point of the elliptic curve, due to the collision resistance of the hash function, the attacker cannot determine the point of the elliptic curve corresponding to the hash value . Furthermore, every part of ciphertext depends on all message blocks. Once a malicious attacker makes any change to a particular block of information, it will cause the ciphertext to change. Therefore, our signcryption scheme has integrity.
3.3.4. Nonrepudiation
Nonrepudiation in signcryption and signature is the same. Nonrepudiation is preventing a communicating party from denying a previous promise or behavior. In a signcryption scheme, nonrepudiation means that a signer cannot deny that he signed a valid message after signing it.
Theorem 8. Our signcryption scheme has nonrepudiation.
Proof. In our signcryption scheme, when the sender signs message , it first calculates the hash value of message using its own public key and receiver’s public key and then signs this hash value with his own private key . Therefore, the sender cannot deny its signature to message . In addition, in unsigncryption, the receiver will use the sender’s public key and its own public key to calculate the hash value. If it is equal to the received hash value, it means that the received signature is indeed signed by the sender. Therefore, our scheme has nonrepudiation.
3.3.5. Availability
Availability refers to the property that all resources can be accessed by authorized parties at the appropriate time; i.e., information can be accessed by authorized entities and used on demand.
Theorem 9. Our signcryption scheme has availability.
Proof. In our signcryption scheme, the recipient, as an authorized entity, can use its own private key to obtain the plaintext signed by the sender through the unsigncryption after obtaining the signcryption and then use the plaintext to perform other required operations. Therefore, our signcryption scheme has availability.
3.3.6. Forward Secrecy
Forward secrecy means that exposure of private key of the encryptor does not affect the confidentiality of previously encrypted messages.
Theorem 10. Our signcryption scheme has forward secrecy.
Proof. In our signcryption scheme, if the sender’s private key is leaked, the adversary must know the value of in order to obtain the previous session content, so he must obtain the value . However, is randomly selected by the sender. Even if the adversary obtains the sender’s private key, he still cannot recover the plaintext information. Therefore, our signcryption scheme has forward secrecy.
3.3.7. Internal Security
The security model of signcryption can be divided into external security and internal security. External security means that the adversary only knows public information. Internal security means that the adversary knows the sender’s or receiver’s private key in addition to the public information. That is, if the sender’s private key is exposed, the adversary still cannot recover the plaintext from the ciphertext; if the receiver’s private key is exposed, the adversary still cannot forge the ciphertext. Obviously, internal security is stronger than external security.
Theorem 11. Our signcryption scheme has internal security.
Proof. On the one hand, in our signcryption scheme, if the adversary wants to recover the plaintext from the ciphertext , it must obtain the hash value . Similar to Theorem 7, due to the collision resistance of the hash function and the randomness of the random number , the adversary cannot determine the point on the elliptic curve corresponding to the hash value . Therefore, even if the adversary possesses the sender’s private key, the plaintext still cannot be recovered from the ciphertext. On the other hand, in our signcryption scheme, if the adversary possesses the receiver’s private key, it is also impossible to forge the valid ciphertext of the plaintext . The reason is that even if the adversary uses to compute the value of , gets the hash value , and then uses to get the ciphertext of the plaintext , the ciphertext is invalid. This is because the ciphertext in the signcryption result is the encryption of the plaintext , and the in the signcryption result is the signature of the plaintext , which will make the unsigncryption fail. Therefore, our signcryption scheme has internal security.
We compare the security of our signcryption scheme with Tsai’s ECC-based signcryption scheme [31] and Zhou’s signcryption scheme [30]. It can be seen from Table 1 that our scheme satisfies the confidentiality, unforgeability, integrity, nonrepudiation, and availability of the other two schemes and also satisfies forward secrecy and internal security. Therefore, compared with the existing signcryption schemes, our signcryption scheme is more secure.
3.4. Performance Evaluation
In this section, we compare the computational and communication overhead of our signcryption scheme with Tsai’s scheme [31] and Zhou’s scheme [30] in detail. Among them, the computational overhead mainly compares the calculation amount of the signcryption and unsigncryption algorithms, and the calculation amount mainly counts the execution times of the point multiplication operation, point addition operation, number multiplication operation, and inversion operation. The XOR operation, Hash operation, and the number addition operation are not counted. The computational overhead and communication overhead of the three schemes are shown in Table 2. In this table, , , , and represent the point multiplication operation, point addition operation, number multiplication operation, and inversion operation, respectively; represents the length of the plaintext message; represents the length of the element on the group; and represents the length of the element in .
Among the various operations counted in Table 2, the point multiplication operation takes the most time, followed by the point addition operation. It can be seen from the calculation amount in Table 2 that the computational overhead of our scheme is much less than that of the other two schemes. In addition, the communication overhead of our scheme is comparable to Zhou’s scheme and smaller than Tsai’s scheme. Our scheme has forward security and internal security in addition to the same confidentiality, unforgeability, integrity, nonrepudiation, and availability as the other two schemes. Overall, our scheme is an efficient and secure ECC-based signcryption scheme.
4. Our Key Management Scheme
In this section, our ECC-based signcryption scheme will be applied to the key management scheme in the smart lock system. In Subsection 4.1, we recall the model of the smart lock system. In Subsection 4.2, we give an overview of the key management scheme for the smart lock system. In Subsection 4.3, we use the above ECC-based signcryption scheme as a building block to construct our key management scheme of the smart lock system. Finally, in Subsection 4.4, we observe the bit-oriented overhead of our smart lock key management scheme through experimental simulations.
4.1. The Model of the Smart Lock System
There are three main parties in a smart lock system [40], that is, smart phone (SP) of user, smart lock (SL), and management server (MS), which is shown in Figure 1. Among them, MS receives the request from the user’s SP, reviews the user’s qualification, receives the operation information of SL, manages the unlock key, and helps SL and SP exchange the public key. SL communicates with MS through narrow band Internet of Things (NB-IOT) and receives the signcryption for the unlock key. SP of the legitimate user applies for the unlock key to MS and sends the signcryption of this unlock key to SL through Bluetooth.

In the smart lock system, MS is trusted and does not disclose the unlock key to the adversary. MS sends the correct unlock key to SL and to the legitimate user and cancels the unlock key of an expired user. SL is safe and controllable and will not disclose the unlock key. The user is semi-honest: although he follows the rules of the key management scheme, he will try to use the information he has obtained to unlock when his key has expired or he has no key.
Each smart lock has a unique international mobile equipment identity (IMEI), which is a 15-digit “electronic serial number.” In this paper, the IMEI will be used to generate a session key for the smart lock.
4.2. The Overview of Key Management Scheme
In the key management scheme of the smart lock system, MS and SL each generate their own private key, calculate the corresponding public key through ECC, and send the public key to each other. In this way they complete the key exchange and generate the session key shared between them. MS generates the unlock key, uses the session key to encrypt the unlock key, and sends the encryption result to SL. SL uses the session key to encrypt its operation information and uploads the encryption result to MS. These two communications use AES symmetric encryption over NB-IoT. After the user applies to MS for the house, MS reviews the user’s qualification. If the user does not meet the conditions, MS refuses to send the key to him. If the user meets the conditions, MS sends the user’s public key to SL. At the same time, MS uses the user’s public key to encrypt the unlock key and sends the encryption result and the public key of SL to the user. The user uses his private key to decrypt the unlock key. This communication uses the elliptic curve public key cryptosystem. After that, the user can use the received public key of SL and his own private key to signcrypt the unlock key and send the signcryption result to SL. SL uses the received public key of the user and its own private key to unsigncrypt the signcryption, thus obtaining the unlock key. This process uses our ECC-based signcryption scheme. Finally, SL compares the unlock key from the user with its own unlock key. If the two unlock keys are different, SL cannot be unlocked.
During its lifetime, the smart lock system can periodically update the key according to the security status. If the user loses the housing qualification, MS regenerates the unlock key and sends it to SL. The user cannot unlock with the old key.
4.3. Our Key Management Scheme
Our key management scheme is detailed as follows:
(1) Key exchange between MS and SL. MS selects private key . is confidential and satisfying . MS computes public key and sends to SL through NB-IoT. In the transmission, even if is attacked, the adversary cannot calculate by the known because of the ECDLP problem.
(2) SL selects private key . is confidential and satisfying . SL computes public key and sends to MS through NB-IoT. In the transmission, even if is attacked, the adversary cannot calculate by the known because of the ECDLP problem.
(3) After the MS receives , it uses the private key and the received to generate the secret key
Similarly, SL uses the private key and the received to generate the secret key
The two secret keys are equal and are known only to MS and SL. Because the secret key is a pair of numbers , MS and SL can select the session key according to the factory agreement, and function is the last digit of IMEI of SL. Because is known only by MS and SL, the session key is also known only by them.
(4) MS generates unlock key and sends encryption result to SL. At the same time, SL sends the encryption result to MS and reports the operation information , where is AES symmetric encryption algorithm and is random generating function.
(5) Users download the APP through their SP. SP selects private key . is confidential and satisfying . SP computes public key , sends public key and the request for unlock key to MS. MS will review the user’s qualification after receiving the user’s request. If the user does not have the housing qualification, the MS rejects his request.
(6) If the user has the housing qualification, MS encrypts the unlock key with the received public key of the user and gets the ciphertext
where is elliptic curve public key cryptosystem. Then, MS sends this ciphertext and the public key to SP and sends the public key to SL at the same time. In the transmission, even if is overheard by the adversary, the adversary cannot get by decrypting since the private key is not known.
(7) After receiving the ciphertext and the public key , the SP uses its private key to calculate
Thus, the SP obtains the unlock key of SL.
(8) SP uses our ECC-based signcryption algorithm to generate of unlock key and time stamp , and sends the signcryption to SL through Bluetooth. SL uses and to calculate
After getting the unlock key and time stamp, SL checks them. If the unlock key is wrong, SL will not unlock. Our ECC-based signcryption scheme plays the role of encryption and authentication at the same time. The addition of the time stamp can prevent replay attacks.
(9) If the user loses the housing qualification, MS generates a new unlock key and sends it to SL. As a result, the SP cannot unlock with its old key.
The flow chart of our key management is shown in Figure 2.

4.4. Performance Analysis
In this subsection, we observe the bit-oriented overhead of our smart lock key management scheme through experimental simulations. Here, AES symmetric encryption is performed in ECB mode, and the in the elliptic curve used in our signcryption scheme and the order of the group are both . The experimental environment is as follows: AMD Ryzen 7 5800H, reference frequency 3.20 GHz, memory 16 GB (DDR4-3200 MHz), and Windows 11 operating system.
As can be seen from Figure 3, when the length of the unlock key is as high as, the time consumed by our key management scheme does not exceed. It is worth noting that in the actual deployment of the smart lock key management system, the length of the unlock key is generally not so long. Therefore, our key management scheme is practical and efficient.

5. Conclusion
In this paper, we designed an efficient and secure ECC-based signcryption scheme. Our signcryption scheme is highly efficient and satisfies multiple security properties; it can also be used for mobile device authentication. Unfortunately, our signcryption scheme is only suitable for single-factor authentication. In the future, it will be interesting to consider applying our signcryption scheme to other application scenarios.
In addition, we proposed a practical and efficient key management scheme of the smart lock using our signcryption scheme firstly. Our key management scheme does not require manually memorizing the unlocking key, and the unlocking key is different every time rather than fixed. However, there has been a recent trend to study smart lock systems using deep learning methods. In addition to hand gesture recognition, face recognition is gradually becoming popular. In the future, we will consider how to use deep learning methods in smart lock key management systems.
Data Availability
No data were used to support this study.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was sponsored by the National Natural Science Foundation of China (No. 11401172) and the Science and Technology Project of Henan Educational Committee of China (No. 20A520012).