Secure and Efficient Access Control Scheme for Wireless Sensor Networks in the Cross-Domain Context of the IoT

Nowadays wireless sensor network (WSN) is increasingly being used in the Internet ofThings (IoT) for data collection, and design of an access control scheme that allows an Internet user as part of IoT to access the WSN becomes a hot topic. A lot of access control schemes have been proposed for the WSNs in the context of the IoT. Nevertheless, almost all of these schemes assume that communication nodes in different network domains share common system parameters, which is not suitable for cross-domain IoT environment in practical situations. To solve this shortcoming, we propose a more secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the Internet of Things, which allows an Internet user in a certificateless cryptography (CLC) environment to communicate with a sensor node in an identity-based cryptography (IBC) environment with different system parameters. Moreover, our proposed scheme achieves known session-specific temporary information security (KSSTIS) that most of access control schemes cannot satisfy. Performance analysis is given to show that our scheme is well suited for wireless sensor networks in the cross-domain context of the IoT.


Introduction
Wireless sensor network (WSN) is a distributed network which contains a large number of sensor nodes.We can collect the target data through the sensor nodes to obtain valuable information.Due to the flexibility and convenience of data capture, WSN has been integrated into the IoT.The integration of WSN applications and low-power sensing nodes with the Internet may be accomplished with various approaches and strategies [1], and the popular integration solutions include cloud-based integration approaches [2,3], front-end proxy integration approaches [4], architecture frameworks [5], and the integration via standard Internet communication protocols [6,7].In the cloud-based integration solution, some important security requirements including privacy, trust, and anonymity cannot be addressed.This approach also does not support the secure integration with data sources from other sensing devices or heterogeneous WSN domains.For the front-end proxy integration solution, the wireless sensor nodes communicate with the Internet hosts through a proxy server; thus this integration approach does not support direct communications between WSN nodes and Internet hosts, and the shortcoming of this approach is that the proxy server is vulnerable to cyberattacks and may become the bottleneck.In the integration solution via standard Internet communication protocols, most of approaches employ specialized middleware layers instead of supporting generic Internet communication mechanisms that can implement heterogeneous applications.However, these proposed solutions developed in the context of the architecture frameworks currently do not support Internet communications in WSN environments.For the integration via standard Internet communication protocols, a large number of access control schemes using public key infrastructure (PKI) are proposed.PKI, however, has a serious problem of certificate management.Subsequently, a series of access control schemes using identity-based cryptography (IBC) or certificateless cryptography (CLC) are designed, and even a new idea of integrating IBC with CLC into an access control scheme is introduced.In particular some access control schemes using heterogeneous signcryption schemes are generated, in which an Internet sender as part of IoT belongs to the CLC environment and a wireless sensor receiver is in the IBC environment.However, almost all of these access 2 Security and Communication Networks control schemes assume that communication nodes share common system parameters in different network domains, which are not suitable for cross-domain IoT environment in practical situations.Moreover, we find that most of these schemes cannot satisfy known session-specific temporary information security (KSSTIS, which means that the attacker cannot obtain the plaintext message when the ephemeral key and the access request message are leaked).Thus, it is necessary to design a more secure and efficient access control scheme and make it more suitable for wireless sensor networks in the cross-domain context of the IoT.
1.1.Related Work.Zhou et al. proposed an access control scheme for WSNs using elliptic curve (EC) cryptography [8], which is more efficient than the PKI-based schemes.However, to authenticate a sensor node, the scheme of Zhou et al. needed high computational and communicational costs.Next, Huang [9] proposed an efficient access control protocol (EACP) based on the EC, which is quite adequate for lowpowered sensor nodes.Consequently, Kim and Lee [10] pointed out that EACP scheme is susceptible to a message replay attack, and they proposed an enhanced access control protocol (ENCP).However, Lee et al. [11] showed that ENCP is subjected to a new node masquerade attack and message forgery attack, and then they proposed a practical access control protocol (PACP).In 2015, Chen et al. [12] claimed that the PACP is susceptible to the adversary attacks and needs huge key storage resources.Recently, Kumar et al. [13] proposed a more secure and efficient scheme for WSNs, which provides robust security and achieves the access control while taking care of the identity privacy.However, these schemes above cannot provide message confidentiality and unforgeability at the same time.In order to simultaneously authenticate the sensor node and protect the confidentiality of messages with a low cost, Yu et al. [14] and Ma et al. [15] proposed the access control schemes using signcryption approach (ACSC).Signcryption performs the signature and the encryption in one logical step.Compared with the signature-then-encryption method, signcryption has less cost.But these above ACSC schemes are based on the public key infrastructure (PKI).In PKI, the certificate authority (CA) generates a digital certificate for each user, which triggers the PKI's certificate management problem.In order to avoid this problem and reduce the burden on traditional PKI, identity-based public key cryptography (IBC) and certificateless public key cryptography (CLC) were proposed, where certificate used in PKI is not needed.Recently, many security mechanisms for WSNs using IBC [16,17] or CLC [18,19] have been generated.All the above schemes are homogeneous means that sender and receiver must belong to the same security domain (PKI or IBC or CLC environment).Heterogeneous signcryption allows the sender to send a message to the receiver in different security domain.Huang et al. [20] proposed a heterogeneous signcryption scheme that the sender is in the IBC environment and the receiver belongs to the PKI environment.In 2016, Li et al. [21] proposed a novel access control scheme (NACS) for sensor networks in the context of the IoT.The NACS uses heterogeneous signcryption (HSC) in which an Internet sender as part of IoT belongs to the CLC environment and a wireless sensor receiver is in the IBC environment, which conforms the characteristics of the WSNs in the context of the IoT.

Our Contribution.
In this paper, we propose an access control scheme for WSNs in the cross-domain context of the IoT using heterogeneous signcryption.We define the generic model and security model of the cross-domain heterogeneous signcryption (CDHSC) and then propose a CDHSC scheme that proves to be safe under the Bilinear Inverse Diffie-Hellman Problem (BIDH) and Computational Diffie-Hellman Problem (CDHP) assumptions in the random oracle model.Compared with NACS scheme [21] through performance analysis, our scheme has the following merits: (1) our scheme allows an Internet user in a certificateless cryptography (CLC) environment to communicate a sensor node in an identity-based cryptography (IBC) environment with different system parameters so that it can be used for WSNs in the cross-domain context of the IoT; (2) our scheme has less computation cost (not including precomputation cost).For the Signcryption algorithm, our scheme has the same computation cost as the NACS scheme.But for the Unsigncryption algorithm, our scheme only needs three bilinear pairings computations, while the NACS scheme requires four.As we all know, bilinear pairing computation is the most expensive operation in a signcryption scheme from bilinear pairing; (3) our scheme satisfies the known sessionspecific temporary information security attribute.

Organization.
The remainder of our paper is organized as follows.The preliminaries for network model, bilinear pairings, and difficult mathematical problems are given in the next section.The third section elaborates on the definition of the cross-domain heterogeneous signcryption (CDHSC), proposes a specific CDHSC scheme, and gives the security analysis of the proposed scheme.In the fourth section we propose a secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the IoT and perform an efficiency analysis on it.In the last section, we make a summary.

Preliminaries
In this part, we give the basic network model of access control scheme, some prior knowledge of bilinear pairings, and difficult mathematical problems.

Network Model.
In the network model of access control for wireless sensor networks in the cross-domain context of the IoT, there are five types of communication entities including Internet user, a trusted third party called key generation center (KGC) in the CLC environment, WSN node, the other trusted third party named private key generator (PKG) in the IBC environment, and a gateway used to connect the CLC domain with the IBC domain.PKG and KGC are used to complete the registration of WSN nodes and Internet users, respectively.The PKG calculates the public key and a private key for each WSN node.The KGC is responsible for producing a part of the private key of Internet users, and the other part of the private key is generated by the users themselves.In the network model, each PKG and KGC has different system parameters.In the KGC environment, when an Internet user wants to access the information collected by the sensor nodes from WSN, he needs to signcrypt and submit the query message to the gateway.The gateway belonging to this WSN will first authenticate the access request message from the Internet user.If the verification is passed, the gateway will forward the query message to the WSN.Then the WSN transmits the collected data to the Internet user with unsigncryption key.Otherwise, gateway refuses to provide the service.
In the network model of access control, the access request message generated by the Internet user should satisfy confidentiality, integrity, authentication, nonrepudiation, and known session-specific temporary information security (KSSTIS) simultaneously when it is transmitted to the gateway.Figure 1 shows the overview of the network model.
The security of our scheme relies on the following two hard mathematical problems.

Cross-Domain Heterogeneous Signcryption
For the cross-domain heterogeneous signcryption (CDHSC) which can be used in access control for WSNs in the context of the IoT, we first define the generic model and security model.Then we present the specific CDHSC scheme.Finally we show the correctness analysis and the security proof of the proposed scheme.
3.1.Generic Model.Our CDHSC scheme consists of nine algorithms as follows.
Setup.The trusted third party PKG and KGC execute this probabilistic algorithm to produce a series of system parameters.Firstly they input a security parameter   then output their master secret key   and corresponding system parameters.Different PKG and KGC use different   and output different   .Note that the ciphertext  should meet the need of the public verifiability with confidentiality.That is to say, ciphertext verification process of the unsigncryption algorithm can be performed by any verifier (generally the WSN gateway) without the knowledge of the plaintext message .

Security Model.
The standard security notion for a CDHSC scheme is confidentiality and unforgeability.In the following definitions, Definition 3 describes the confidentiality and the unforgeability is depicted in Definition 5. Challenge.After Phase 1,  outputs two plaintexts ( 0 ,  1 ) which are of the same length, a sender's identity ID  and a receiver's identity ID  on which he wants to be challenged.Note that ID  cannot be the identity that has been used for KE query in Phase 1.  randomly takes a bit of  ∈ {0, 1} and calculates  * = SC(  ,  ID  ,  ID  , ID  ,  ID  ) and forwards it to .Phase 2.  can make a polynomially bounded number of queries just like in Phase 1, whereas, it cannot make a KE query on ID  and cannot perform an Unsigncryption query on ciphertext  * under ID  and ID  to obtain the plaintext  unless the sender's public key PK ID  is replaced after the challenge phase.
For unforgeability, there are two types of adversaries named  I and  II since the signcryption is generated in the CLC environment.Type I adversary  I does not know the KGC's master key, but he is able to replace public keys of arbitrary identities with other public keys of his choice.In contrast, Type II adversary possesses the KGC's master secret key, while he cannot replace public key of any user during the game.
Initial.The challenger  runs the Setup algorithm defined in generic model and gives the resulting system parameters to the adversary   .For Type II adversary,  sends him the master secret keys of PKG and KGC in addition to the system parameters.
Probing.The challenger is probed by the adversary   who executes a polynomially bounded number of queries just like Phase 1 of the confidentiality game.Note that  II does not need to perform PKR, PPKE, and KE queries.
Forge.The adversary   returns a ciphertext  * , a sender's identity ID  , and a receiver's identity ID  .Let the tuple ( * , ID  ,  * ) be the result of unsigncrypt algorithm under the private key corresponding to ID  .  wins the game if the tuple ( * , ID  ,  * ) satisfies the following requirements: (1) This ciphertext is a valid one, when the result of unsigncrypt algorithm is not character ⊥ but  * .(2)   has never asked the secret value of the user with identity ID  .(3)   has never asked the Signcryption query on ( * , ID  , ID  ).

CDHSC Scheme.
In this section, we propose a CDHSC scheme based on bilinear pairings.We follow the generic model of a general CDHSC scheme that we presented in Section 3.1, and we add KSSTIS property to it.The scheme is described below.

CL-PPUKE. This algorithm accepts an identity ID 𝐴 of an
Internet user and generates the partial public key   = ( +  0 ) 0 for the user, where  =  1−0 (ID  ).Then the KGC runs the CL-PPKE algorithm.

CL-PPKE.
After executing the CL-PPUKE algorithm, the KGC calculates the partial private key   = ( +  0 ) −1  0 for the user.Finally, the KGC sends (  ,   ) securely to the user.CL-SVS.This algorithm accepts an identity ID  of an Internet user and randomly chooses a secret value   ∈  *  0 for the user.Then the user runs the CL-PKG algorithm.

CL-PKG.
After executing the CL-SVS algorithm, the user calculates his public key PK  =     .IB-PKE.This algorithm accepts an identity ID  of a WSN node and generates the public key   = ( +  1 ) 1 for the node, where  =  1−1 (ID  ).Then the PKG runs the IB-KE algorithm.

IB-KE.
After executing the IB-PKE algorithm, the PKG calculates the private key   = ( +  1 ) −1  1 for the node.Finally, the PKG sends (  ,   ) securely to the WSN node.SC.To signcrypt a message  using the partial private key   , secret value   , and the receiver's identity ID  , a sender with identity ID  performs the following steps: (1) Selecting  ∈  *  0 randomly.
USC.To unsigncrypt the ciphertext  = (, , ) using the private key   , sender's partial public key   , and the main public key PK  , the receiver with identity ID  performs the following steps: (1) Calculating  =  3−0 (, , PK  , ID  ).
Note that any user can verify the ciphertext  = (, , ) by computing  =  3−0 (, , PK  , ID  ) and verifying whether ê(,   ) = ê( 0 ,  0 )  ê(PK  , ), where nothing about the plaintext message  will be lost.Thus, we can shift the computational cost of signcryption verification to the WSN gateway (he just needs to obtain the public parameters and the ciphertext ) in the cross-domain context of the IoT.

Correctness.
The consistency of the CDHSC scheme is easy to verify.
(1) In the signcryption verification stage, (2) In the signcryption decryption stage, 3.5.Security Proof.In this section, we use some mathematical difficult problems to prove the confidentiality and unforgeability of the CDHSC scheme in the random oracle model.In addition, we demonstrate that our scheme satisfies the known session-specific temporary information security (KSSTIS).In our scheme, the generation algorithms of public key   and private key   for the node ID  in the IBC environment are the same as the generation algorithms of partial public key   and partial private key   for the user ID  in the CLC environment, so the KGC can act as the roles of KGC and PKG simultaneously in a small wireless sensor networks in a single domain context of the IoT.Moreover, in the following security proofs of our proposed scheme, for reasons of proof brevity, we assume that the KGC plays the roles of the KGC and PKG at the same time in a single domain.
( Signcryption Queries.When  asks for a  query on a message  with a sender's identity ID  and a receiver's identity ID  , if ID  = ID  ,  aborts the simulation and returns ⊥.Otherwise,  first executes Corruption query and PPKE query with ID  to obtain  ID  and  ID  , performs PPUKE query with ID  to obtain  ID  , and then executes SC(,  ID  ,  ID  , ID  ,  ID  ) algorithm to return the signcryption  = (, , ).If the sender's public key PK ID  has been replaced, the sender's secret value  ID  is provided by .Finally  returns ciphertext  back to .Unsigncryption Queries.When  asks for this query on a signcryption  = (, , ) with a sender's identity ID  and a receiver's identity ID  , if ID  = ID  ,  aborts the simulation and returns ⊥.Otherwise,  computes  =  3−0 (, , PK ID  , ID  ) and checks if ê(,  ID  ) = ê( 0 ,  0 )  ê(PK ID  , ) holds.If not,  aborts the simulation and returns ⊥.Otherwise,  executes the KE query to get  ID  and calculates  = ê(,  ID  ).Then  executes  2 query to obtain  =  2 (, , ID  ) and finally calculates and returns  = ⊕ .
Challenge. outputs two plaintexts ( 0 ,  1 ) which have the same length and picks a sender's identity ID  and a receiver's identity ID  on which he wishes to be challenged.Note that  fails if  has asked a KE query on ID  during the first stage.If ID  ̸ = ID  ,  aborts the simulation and returns ⊥.Otherwise  selects a random number  ∈ {0, 1} and generates the challenge ciphertext  * = ( * ,  * ,  * ) as follows.At first,  chooses the value  * ∈  1 .Then he sets  * =  and computes  * =  2 ( * ,  * , ID  ) and is the candidate answer for the BIDH problem).Finally  forwards the ciphertext  * = ( * ,  * ,  * ) to .Phase 2.  then performs a second series of queries, and  can handle these queries as in the first stage.Whereas, it cannot make a KE query on ID  and cannot perform an Unsigncryption query on ciphertext  * under ID  and ID  to obtain the plaintext unless the sender's public key PK ID  is replaced after the challenge phase.
Guess. produces a bit of   .If   = ,  then answers 1 as the result to the BIDH problem since he has generated a valid signcrypted message of   using the knowledge of  * .Otherwise,  answers 0.
So, the adversary  can defeat the signcryption by means of analyzing the ciphertext, and at the same time he can solve the BIDH problem with nonnegligible advantage.But we all know that there is no algorithm that can be used to work out the BIDH problem in the probabilistic polynomial time; hence our scheme has the indistinguishability against adaptive chosen ciphertext attack.
(2) Unforgeability Theorem 8. Our CDHSC scheme is existentially unforgeable against any EUF-CDHSC-CMA adversary   (=I,II) in the random oracle model assuming that the CDH problem in  1 is intractable.
Proof.Let  be an CDH problem attacker.Then   is the adversary who interacts with  following Game 2.  is given (, , ) as an input to the CDH problem and aims to compute , where ,  ∈  *  and  ∈  1 .
Initial.The challenger  runs the Setup algorithm defined in generic model and gives the resulting system parameters to the adversary   .For the Type II adversary,  sends him the master secret keys of KGC in addition to the system parameters.
Probing.We show that  can use   to solve the CDH problem. needs to maintain three lists  to compute the new partial public key   = ( +  0 +    ) 0 and partial private key   = ( +  0 +    ) −1  0 with the same identity ID  .Then the KGC returns (  ,   ) to user.

Performance Evaluation.
We compare the performance of our method with the NACS [21].The comparative result is shown in Table 1.In the table, we use , , and  as abbreviations for point multiplications in  1 , exponentiations in  2 , and pairing operations, respectively.Moreover, we use notations KSSTIS as abbreviations for whether the scheme achieves known session-specific temporary information security.
From the computational point of view, the signcryption operation of our CDHSC scheme needs three point multiplications in  1 and one exponentiation in  2 which is the same as NACS [21].The unsigncryption operation of our CDHSC scheme needs one exponentiation and three pairings, but NACS requires four pairings.As we all know, the pairing operation is several times more expensive than the exponentiation.So the computational cost of our CDHSC scheme is more efficient than the NACS.In addition to efficiency improvement, our CDHSC scheme also enhances the security, since it achieves KSSTIS attribute.Most importantly, our scheme allows an Internet user under the circumstance of CLC to communicate a sensor node in IBC environment with different system parameters.
For energy consumption, according to [21], a point multiplication in  1 (or an exponentiation in  2 ) operation and a pairing operation consume 19.44 mJ and 45.6 mJ, respectively.Therefore, the computational energy cost of NACS and our scheme are 4 * (19.44 + 45.6) = 260.16mJ and 5 * 19.44 + 3 * 45.6 = 234 mJ, respectively, and the communication energy cost of NACS and our scheme are the same for the sensor node (the cost is 1.03 mJ [21]).
Hence, consider the wireless sensor networks in the single-domain or cross-domain context of the IoT; it may be that our access control scheme is more applicable.

Conclusion
In this paper, we proposed a cross-domain heterogeneous signcryption scheme that allows a sender in the CLC environment to send the request signcryption message to a recipient in the IBC environment with different system parameters, and we proved that it has the confidentiality under the BIDH problem and unforgeability under the CDH problem in the random oracle model.Based on the CDHSC scheme, we designed a secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the IoT.
Compared with NACS, our scheme not only needs less computation costs but also has stronger security since it achieves KSSTIS attribute.We believe that the proposed access control scheme can be feasible in many practical single-domain or cross-domain WSN applications.
The key extraction algorithm is performed by the PKG in IBC environment.Taking as inputs a PKG's master secret key   and the user's identity ID, the algorithm outputs the user's private key  ID .SC.The signcryption algorithm is performed by an Internet user under the circumstance of CLC.Taking as inputs the plaintext message , sender's partial private key  ID  , sender's secret value  ID  , sender's identity ID  , and the receiver's identity ID  , the algorithm outputs the ciphertext .USC.The unsigncryption algorithm is performed by the receiver in IBC environment.Taking as inputs the ciphertext , the sender's identity ID  and the main public key PK ID  , sender's partial public key  ID  , and the receiver's private key  ID  and identity ID  , the algorithm outputs the plaintext  if  is a valid ciphertext.Otherwise the output is the symbol ⊥.
The partial public key extraction algorithm is executed by the KGC in CLC environment, which takes as input a KGC's master secret key   and an Internet user's identity ID, and outputs the user's partial public key  ID .CL-PPKE.The partial private key extraction algorithm is executed by the KGC in CLC environment, which takes as input a KGC's master secret key   and an Internet user's identity ID, and generates the user's partial private key  ID .CL-SVS.The secret value setup algorithm is performed by the Internet users in CLC environment.Taking as inputs a user's identity ID, the algorithm outputs the user's secret value  ID .CL-PKG.The main public key generation algorithm is executed by the users in the context of CLC, which takes as input the secret value  ID , and outputs the user's main public key PK ID .IB-PKE.The public key extraction algorithm is performed by the PKG in IBC circumstance.Taking as inputs a PKG's master secret key   and the user's identity ID, the algorithm outputs the user's public key  ID .IB-KE.
The challenger  runs Setup algorithm with a parameter , then he returns the system parameters to .Partial Public KeyExtraction (PPUKE) Queries. chooses an identity ID and forwards it to .Then  executes CL-PPUKE algorithm and forwards the corresponding partial public key  ID to .  executes CL-SVS and CL-PKG algorithm to compute the user's secret value  ID and main public key PK ID then adds (ID,  ID , PK ID ) to the list   .Finally,  returns PK ID to .Public Key Replacement (PKR) Queries. can replace a main public key PK ID with a value selected by himself.Corruption Query.On a corruption query,  checks the list   and returns the secret value  ID .Partial Private Key Extraction (PPKE) Queries. chooses an identity ID and forwards it to .Then  executes CL-PPKE algorithm and forwards the corresponding partial private key  ID to .Public Key Extraction (PKE) Queries.When receiving an identity ID from ,  executes IB-PKE algorithm and forwards the corresponding public key  ID to .When receiving an identity ID from ,  executes IB-KE algorithm and forwards the corresponding private key  ID to .Signcryption Queries. submits a plaintext , a sender's identity ID  , and a receiver's identity ID  .Firstly,  performs Corruption query and PPKE query with ID  to obtain  ID  and  ID  , performs PKE query with ID  to obtain  ID  , and then executes SC algorithm to get the signcryption  = SC(,  ID  ,  ID  , ID  ,  ID  ).If the sender's public key PK ID  has been replaced, the sender's secret value  ID  is provided by .Finally  returns ciphertext  to .Unsigncryption Queries. submits a signcryption , a sender's identity ID  , and a receiver's identity ID  .Firstly,  performs PPUKE query and PK query with ID  to obtain  ID  and PK ID  , performs KE query with ID  to obtain  ID  , and then executes USC algorithm to check the validity of ciphertext .If the ciphertext is valid,  sends plaintext  = USC(, PK ID  ,  ID  ,  ID  , ID  ) to ; otherwise it outputs character ⊥.
is given (, , ) as an input to the BIDH problem and aims to compute ê(, ) −1, where ,  ∈  *  and  ∈  1 .Initial. sets  pub = .The value  is the master key of the KGC, which is unknown to , and  gives system parameters to . W show that  can use  to solve the BIDH problem. needs to maintain three lists  1 ,  2 , and  3 that are initially empty and are used to keep track of answers to queries asked by  to oracles  1 ,  2 , and  3 , respectively.What is more,  maintains two lists:   and   chooses  ∈ {1, 2, . . .,   } randomly.When  makes this query on ID  ( ∈ {1, 2, . . .,   }), if  =  (we let ID  = ID  at this point),  returns  ID  =  and adds (ID  ,  ID  = ,  ID  =  −1 , ⊥) to   ( cannot compute  ID  =  −1 ; he just considers  ID  to be  −1 ).Otherwise  picks a random   ∈  *  , returns  ID  =   , and adds (ID  ,  ID  =   ,  ID  =  −1  ,   ) to   . 1 Queries.When  makes this query on ID  ,  forwards   to  if  1 has the entry (ID  ,   ).If the list  1 does not contain (ID  ,   ),  randomly picks   ∈  *  , returns   , and adds (ID  ,   ) to  1 . 2 Queries.When  makes  2 query on (  ,   , ID  ), if the list  2 has the entry (  ,   , ID  ,   ),  answers   to .Otherwise,  randomly picks   ∈ {0, 1}  as the output and inserts (  ,   , ID  ,   ) into the list  2 . 3 Queries.For  3 query on (  ,   , PK ID  , ID  ), if the list  3 has the entry (  ,   , PK ID  , ID  ,   ),  answers   to .Otherwise,  randomly picks   ∈  *  as the output and inserts (  ,   , PK ID  , ID  ,   ) into the list  3 .Partial Private Key Extraction (PPKE) or Key Extraction (KE) Queries.When  makes this query on ID  , if ID  = ID  ,  aborts the simulation and returns ⊥.Otherwise, the list   should have the entry (ID  ,  ID  =   ,  ID  =  −1  ,   ). returns  ID  to .Public Key (PK) Queries.When  makes this query on ID  , if the list   has the entry (ID  , PK ID  ,  ID  ), then  answers PK ID  to .Otherwise,  selects  ID  ∈  *  randomly, computes PK ID  =  ID   ID  , and then returns PK ID  and adds (ID  , PK ID  ,  ID  ) to   .Corruption Queries.We assume that  has made PK query on ID  before this query.The list   should have the entry (ID  , PK ID  ,  ID  ). returns  ID  to .Public Key Replacement (PKR) Queries. can replace the main public key PK ID  of user ID  with a value he selects.When  executes a public key replacement query with the entry (ID  , PK  ID  ),  updates the list   with entry (ID  , PK  ID  , ⊥).
1) Confidentiality Theorem 7. Our CDHSC scheme is indistinguishable against any IND-CDHSC-CCA2 adversary  in the random oracle model assuming that the BIDH problem in  2 is intractable.Proof.Let  be a BIDH problem attacker.Then  is an adversary who interacts with  following Game 1.  of the queries made by  to oracles PK and PPUKE (or PKE), respectively.Subsequently,  simulates the challenger and plays the game described in Definition 3 with the adversary  as follows.Partial Public Key Extraction (PPUKE) or Public Key Extraction (PKE) Queries.Suppose that  makes at most   queries to this oracle.First,

Table 1 :
1 ,  2 , and  3 that are initially empty and are used to keep track of answers to queries asked by   to oracles  1 ,  2 , and  3 , respectively.What is more,  maintains two lists:   and   of the queries made by   to oracles PK and PPUKE (or PKE), respectively.Subsequently,  simulates the challenger and plays the game described in Definition 5 with the adversary   .The   performs a polynomially bounded number of the following queries, and  II does not need to perform PKR, PPKE, and KE queries.When   makes this query on ID  , if the list   has the entry (ID  ,  ID  =   ,  ID  =  −1  ,   ), then  answers  ID  to   .Otherwise,  selects   ∈  *  randomly, computes  ID  =    and  ID  =  −1  , then returns  ID  , and adds (ID  ,  ID  =   ,  ID  =  −1  ,   ) to   .We assume that  has made PPUKE (or PKE) query on ID  before this query.The list   should have the entry (ID  ,  ID  =   ,  ID  =  −1  ,   ). returns  ID  to .Public Key (PK) Queries.We assume that   makes at most   queries to this oracle and  has made PPUKE (or PKE) query on ID  before this query.First,  chooses  ∈ {1, 2, ...,   } randomly.When   makes this query on ID  ( ∈ {1, 2, ...,   }), if  =  (we let ID  = ID  at this point),  returns PK ID  =    and adds (ID  , PK ID  , ⊥) to   .Otherwise  selects  ID  ∈  *  randomly, computes PK ID  =  ID   ID  , then returns PK ID  , and adds (ID  , PK ID  ,  ID  ) to   .Corruption Queries.When   makes this query on ID  , if ID  = ID  ,  aborts the simulation and returns ⊥.Otherwise, the list  k should have the entry (ID  , PK ID  ,  ID  ).returns  ID  to   . 1 ,  2 ,  3 , PKR, and Signcryption Queries.This proof is the same as the proof of Theorem 7.Unsigncryption Queries.When  asks for this query on a signcryption  = (, , ) with a senders identity ID  and a receivers identity ID  ,  computes  =  3−0 (, , PK ID  , ID  ) and checks if ê(,  ID  ) = ê( 0 ,  0 )  ê(PK ID  , ) holds.If not,  aborts the simulation and returns ⊥.Otherwise,  executes the KE query to get  ID  and calculates  = ê(,  ID  ).Then  executes  2 query to obtain  =  2 (, , ID  ) and finally calculates and returns  =  ⊕ .Forgery.outputs a ciphertext  * = ( * ,  * = ,  * ) and picks a sender's identity ID  and a receiver's identity ID  on which he wishes to be challenged.If ID  ̸ = ID  ,  aborts the simulation and returns ⊥.Otherwise, he runs the  3 simulation algorithm to obtain  * =  3 ( * ,  * , PK ID  , ID  ); we can have  * =  *  ID  +  and  =  * −  *  ID  ( is a candidate for the CDH problem).Finally,  checks if Comparisons of performance.tothe KGC.KGC examines if the user's information (e.g., the user's IP address) is reasonable.If the information is incorrect, the KGC will reject the user's request.Otherwise, the KGC executes CL-PPUKE and CL-PPKE algorithms to get partial public key   = ( +  0 +   ) 0 and partial private key   = (+ 0 +  ) −1  0 , where  =  1−0 (ID  ) and   ∈  *  selected by the KGC randomly.The KGC returns (  ,   ) to user.After receiving (  ,   ), the Internet user executes the CL-SVS and CL-PKG algorithms to obtain his secret value   and public key PK  .The user can store the public parameters in a plaintext file and (  ,   ) in a ciphertext file.4.3.Authentication with Key Establishment Phase.When anInternet user ID  wants to access the information collected by a sensor node ID  from WSN, the user firstly acquires the current time stamp  1 in order to detect the replay attack, then generates the query request message, and performs a signcryption operation on it.The ciphertext is  = (, , ,  1 ), where  =   +    and  =  3−0 (, , PK  , ID  ⊕  1 ).Then he sends the ciphertext to the gateway belonging to the destination WSN.The gateway first calculates  =  3−0 (, , PK  , ID  ⊕  1 ) and examines whether ê(,   ) = ê( 0 ,  0 )  ê(PK  , ) and  1 is fresh or not.If not, the gateway denies the access to the WSN.Otherwise, the user passes the authentication, and the gateway sends (, ) to the WSN node.The WSN node calculates  = ê(,   ),  =  2 (, , ID  ) and gets query request message  =  ⊕ .After that, the WSN node can encrypt the response data using symmetric encryption algorithm with the session key .In this process, confidentiality, nonrepudiation, and KSSTIS are all achieved according to the security proof of Section 3.5.The message integrity is ensured by using the hash value .The functions of authentication and session key establishment are implemented by verifying the signature (,) and calculating the session key , respectively.4.4.Leaked Key Revocation Phase.Assume that the partial private key   of an Internet user with identity ID  is leaked; then the user should send a key revocation request message to the KGC for a new key.The user submits his identity ID  to the KGC.KGC randomly chooses another value    ∈  *