Advanced
A novel ID-based multi-domain handover protocol for mesh points in WMNs
A novel ID-based multi-domain handover protocol for mesh points in WMNs
KSII Transactions on Internet and Information Systems (TIIS). 2015. Jul, 9(7): 2512-2529
Copyright © 2015, Korean Society For Internet Information
  • Received : December 13, 2014
  • Accepted : June 08, 2015
  • Published : July 31, 2015
Download
PDF
e-PUB
PubReader
PPT
Export by style
Share
Article
Author
Metrics
Cited by
TagCloud
About the Authors
Xue Zhang
Guangsong Li
Wenbao Han
Huifang Ji

Abstract
Wireless mesh networks (WMNs) provide an efficient and flexible method to the field of wireless networking, but also bring many security issues. A mesh point may lose all of its available links during its movement. Thus, the mesh point needs to handover to a new mesh point in order to obtain access to the network again. For multi-domain WMNs, we proposed a new ID-based signcryption scheme and accordingly present a novel ID-based handover protocol for mesh points. The mutual authentication and key establishment of two mesh points which belong to different trust domains can be achieved by using a single one-round message exchange during the authentication phase. The authentication server is not involved in our handover authentication protocol so that mutual authentication can be completed directly by the mesh points. Meanwhile, the data transmitted between the two mesh points can be carried by the authentication messages. Moreover, there are no restrictions on the PKG system parameters in our proposed multi-domain ID-based signcryption scheme so our handover scheme can be easily applied to real WMNs circumstances. Security of the signcryption scheme is proved in the random oracle model. It shows that our protocol satisfies the basic security requirements and is resistant to existing attacks based on the security of the signcryption. The analysis of the performance demonstrates that the protocol is efficient and suitable for the multi-domain WMNs environment.
Keywords
1. Introduction
W ireless mesh networks (WMNs) [1] use a new crucial technology for wireless network structure, with many features including multi-hops, self-organization, low installation costs, large-scale deployment and fault-tolerance. Mesh nodes consist of mesh clients (MCs) and mesh points (MPs). The MCs are often laptops, cell phones and other wireless devices. The MPs form a wireless mesh backbone to provide network access from one mesh node to another or to the Internet. A subset of mesh points work as mesh access points (MAPs) to connect mesh clients to the WMNs. Due to the features of distributed architecture, multi-hop wireless backbone and dynamic network topology, the WMNs provide an efficient and flexible networking method, but also bring great security challenges.
The IEEE 802.11s [2] defines the security of WMNs that are still using the IEEE 802.11i [3] standards with IEEE 802.11x [4] and 4-way handshake protocols. Current research of WMNs is based on a shared key scheme or a public key system. The shared key scheme relies heavily on key management, and the conventional public key infrastructure (PKI) has a requirement for large storage and management of the public key certifications. The IEEE 802.11s presents a new security structure MSA (Mesh Security Association) [5] , however, its key framework is quite complicated. Numerous security schemes for WMNs using identity-based (ID-based) cryptography have been proposed over the years. The concept of ID-based cryptography (IBC) [6] was first introduced by Shamir in 1984. The basic idea of ID-based cryptosystem is that the entity’s public key is directly derived from its publicly known identity information such as an email address, an IP address, a telephone number or any other string of characters. The private key is issued by a trusted authority called the Private Key Generator (PKG). IBC completely eliminates the need for public-key distribution realized by conventional public-key certificates.
WMNs usually consist of several cooperating sub-networks called mesh trust domains. Establishing trust relationships between multi-domains is necessary and important in roaming scenarios. Most of the existing ID-based authentication protocols are based on the assumption that there exists only one single PKG. They consider the situation in which all the users belong to the same network. However, next generation wireless network is expected to establish a hybrid heterogeneous network with several types of wireless access technologies. In the circumstance of ubiquitous wireless network, there exists multiple independent and autonomous trust domains. It is unreasonable to assume that different trust domains use a single PKG. Different trust domains may be maintained by different PKGs in the real networks. Therefore, another kind of security handover scheme is needed for WMNs, namely an ID-based multi-domain security scheme with different PKGs.
A MP may lose all available current links when it moves away. Thus, it should be handed over to another MP in order to obtain access to the network again. Mutual authentication and key agreement are important for supporting the MPs’ secure and fast roaming ability across different trust domains. We propose an ID-based multi-domain WMNs security structure. We will present a novel multi-domain handover protocol based on the ID-based multi-domain security structure. The scheme is quite suitable for real WMNs circumstances because the system parameters of the PKGs can be totally different. Multi-hops wireless communication between the Authentication Server (AS) and MPs would result in high latency, low stability and potential service interruption. In our protocol, the AS is not involved during the handover authentication process. Thus, the protocol is well suitable for self-organized WMNs. By using the multi-domain ID-based signcryption technique we proposed, two MPs which belong to different trust domains will be able to achieve both a mutual authentication and an authenticated key establishment in a single one-round message exchange during the authentication phase. Furthermore, the transmitted data of both sides can be carried by the authentication messages.
2. Related Work
IEEE 802.11i defines a complete mutual authentication mechanism based on the EAP (Extensible authentication protocol) and IEEE 802.1x. However we believe it is not suitable for WMNs due to its centralized operations and multi-hops communication between the authentication server and the access points. The mutual re-authentication process still needs the AS to participate in executing the total IEEE 802.11i authentication procedures for any handover to occur. The IEEE 802.11s inherits the security architecture from IEEE 802.11i, so it will also suffer the above-mentioned drawbacks.
The shared key scheme has a key management burden, and the conventional public key infrastructure (PKI) has a large overhead storage requirement and has to deal with the management of the public key certifications. Shamir first presented the concept of ID-based cryptography in 1984. Several ID-based signature schemes have been proposed since then. It was not until 2001 that a satisfying ID-based encryption scheme was devised by Boneh and Franklin [7] using bilinear maps (the Wail or Tate pairing) over supersingular elliptic curves.
Confidentiality, integrity, non-repudiation and authentication are the important security attributes for many cryptographic applications. The traditional approach to achieve these security attributes is “sign-then-encrypt”. A new standard for data protection called signcryption [8] was proposed by Zheng in 1997. Signcryption simultaneously fulfills both the functions of digital signature and public key encryption in a single logical step, and with a cost significantly lower than that required by "signature followed by encyption". Signcryption plays an important part in the application environments which demand to complete both encryption and signature. A signcryption scheme is deemed to be secure if it possesses confidentiality, unforgeability and non-repudiation. Malone-Lee [9] first presented ID-based signcryption by using bilinear pairing. Li [10] presents ID-based multi-PKG signcryption schemes which can achieve multi-domain signcryption. But these schemes require an assumption that different domains own different master private keys but still share the same pairing parameters.
Caimu Tang et al. [11] presented a mobile authentication scheme for wireless networks. In his protocol, a MC is registered to its home network and can be authenticated by visiting a network through a delegation passcode. However, the communication between the HLR (home location register) and the VLR (visited location register) will lead to high latency and low stability. Li et al. [12] proposed a ticket-based authentication protocol to support a faster handover in wireless local area networks. The authentication server pre-distributes the tickets to clients, one for each neighbor AP of the current AP. The client will deliver the corresponding ticket to the target AP for mutual authentication when it moves to the target AP. The protocol does not apply any public-key cryptography in order to minimize the re-authentication latency. But their schemes may not be suitable for all WMNs circumstances, for risk and cost caused by the multi-hop communication should be considered. Celia Li et al. [13 , 14] proposed a mesh handover scheme, in which the AS is not required. But the major problem of the protocol for handover authentication is that all the neighbours of the current MAP share the same keys for handover authentication. For this reason, the client can not verify the AP’s identity because any AP that owns the authentication keys can impersonate the target AP. Li et al. [15] achieved roaming authentication without any home AS’s participation, which can not be applied in the environment of multi-domain wireless networks.
Zhu et al. [16] presented a more secure scheme for multi-domain wireless mesh networks combing PKI and IBC techniques. The MC which belongs to trust domain B can be authenticated by the target network of trust domain A. However, trusted authorities of both sides need to be involved during the authentication process, and the trust relationship between home domain and visited domain should be negotiated through PKI. He et al. [17] accomplished the authentication between mesh nodes belongs to different trust domains, but the home AS still needs to be involved, and system time synchronization is required. The interaction between home domain and visited domain causes high latency and low efficiency. A non-repudiable authentication scheme for wireless mesh networks was proposed in paper [18] . Although inter-domain authentication in the scheme is actualized by an ID-based signature, the author assumes that different domains share the same PKG system parameters. Gao et al. [19] applied ID-based proxy signature to multi-domain authentication protocols for WMNs. Authentication and key agreement depend on a trust relationship between the broker and the domain. Besides that, delegating the signing rights from the original signer to a proxy signer would result in more security risks. And proxy signature mechanism is sure to increase system complexity. As discussed above, the ID-based multi-domain authentication schemes, except Zhu’s, are based upon the assumption that: all the different domains share the same pairing parameters. The assumption limits the application scalabilities of these schemes. It is infeasible to satisfy the above assumption for real networks especially heterogeneous networks.
We are proposing a novel ID-based multi-domain handover protocol for mesh points in WMNs in which there are no restrictions on the PKG system parameters. As a result different domains may have totally different PKG system parameters including public system parameters, master keys and system public keys.
3. ID-based multi-domain handover protocol for mesh points in WMNs
- Preliminaries
(1) Bilinear pairings:Let G 1 be an additive group and G 2 be a multiplicative group of the prime order q . Let P be an arbitrary generator of G 1 . The pairing e : G 1 × G 1 G 2 is called an admissible bilinear map if it has the following properties:
1)Bilinear: For ∀ P , Q G 1 and a , b
PPT Slide
Lager Image
, e ( aP , bQ )= e ( P , Q ) ab .
2)Non-degenerate: ∀ P , Q G 1 , e ( aP , bQ )≠ 1 G2 , for 1 G2 is an arbitrary generator of G 2 .
3)Computable: For ∀ P , Q G 1 , there exists an efficient algorithm to compute e ( P , Q ).
(2) Decisional Bilinear Diffie-Hellman Problem (DBDHP): Given ( P , aP , bP , cP ), for some a , b , c Z q and an element θ G 2 , decide whether θ = e ( P , Q ) abc .
- 3.1 ID-based multi-domain security structure of WMNs
The network model we considered in this paper is portrayed in Fig. 1 . There are multiple independent and autonomous trust domains in the WMNs. Each domain has its own PKG which generates and distributes the private keys for the nodes in the domain. The PKGs are supposed to be trusted. In order to make our scheme applicable in real WMNs circumstances, we have allowed each PKG to use totally different system parameters, including different public parameters < G 1 , G 2 , e , P , H 1 , H 2 , H 3 >, system master key s and system public key Pub = sP . For each node in the domain, the public key is its identity information, and the private key is generated by PKG using its identity information.
PPT Slide
Lager Image
ID-based multi-domain security structure of WMNs
A MP may lose all currently available links during its movement. Thus, the MP must handover to another MP in order to obtain access to the network again. Fig. 2 shows the ID-based multi-domain handover for MPs in WMNs. We take the networks U and V for instance.
PPT Slide
Lager Image
ID-based multi-domain handover for mesh points in WMNs
- 3.2 ID-based multi-domain signcryption protocol
The encrypted random numbers used as challenges will enhance the security during the handover protocol. However, a simple signature scheme cannot implement random numbers encryption. Both signature and encryption should be considered in the scheme. Signcryption simultaneously fulfills both signature and public key encryption in a single logical step with a cost significantly lower than that required by "signature followed by encyption". Therefore, we have proposed a novel ID-based multi-domain signcryption scheme which can be used to achieve secure handovers for MPs in WMNs in the future. There are no restrictions on PKG system parameters so they can be totally different in the different trust domains. Let us describe the signcryption scheme before representing the handover protocol. The scenario studied in this section is pictured in Fig. 2 .
Setup:
The system parameters for network domain U are generated as follows. Define
PPT Slide
Lager Image
be an additive group and
PPT Slide
Lager Image
be a multiplicative group of the prime order qU . PU is an arbitrary generator of
PPT Slide
Lager Image
. The pairing eU :
PPT Slide
Lager Image
×
PPT Slide
Lager Image
PPT Slide
Lager Image
is a bilinear map. Let
PPT Slide
Lager Image
,
PPT Slide
Lager Image
and
PPT Slide
Lager Image
be three cryptography hash functions where
PPT Slide
Lager Image
:{0,1}
PPT Slide
Lager Image
,
PPT Slide
Lager Image
:
PPT Slide
Lager Image
→{0,1} ,
PPT Slide
Lager Image
:{0,1} ×
PPT Slide
Lager Image
PPT Slide
Lager Image
. The PKG U chooses a master private key sU
PPT Slide
Lager Image
randomly and computes a corresponding system public key PubU = sU PU . The PKG U publishes PubU and keeps the master private key sU secret. The public system parameters of PKG U are <
PPT Slide
Lager Image
,
PPT Slide
Lager Image
, qU , PU , PubU , eU ,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
>.
The similar process is implemented for network domain V. Define
PPT Slide
Lager Image
be an additive group and
PPT Slide
Lager Image
be a multiplicative group of the prime order qV . PV is an arbitrary generator of
PPT Slide
Lager Image
. The pairing eV :
PPT Slide
Lager Image
×
PPT Slide
Lager Image
PPT Slide
Lager Image
is a bilinear map. Let
PPT Slide
Lager Image
,
PPT Slide
Lager Image
and
PPT Slide
Lager Image
be three cryptography hash functions where
PPT Slide
Lager Image
:{0,1}
PPT Slide
Lager Image
,
PPT Slide
Lager Image
:
PPT Slide
Lager Image
→{0,1} ,
PPT Slide
Lager Image
:{0,1} ×
PPT Slide
Lager Image
PPT Slide
Lager Image
. The PKG V chooses a master private key sV
PPT Slide
Lager Image
randomly and computes a corresponding system public key PubV = sV PV . The PKG V publishes PubV and keeps the master private key sV secret. The public system parameters of PKG V are <
PPT Slide
Lager Image
,
PPT Slide
Lager Image
, qV , PV , PubV , eV ,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
>.
Extract:
Suppose Alice that registers with PKG U and gets its private key
PPT Slide
Lager Image
where QAlice =
PPT Slide
Lager Image
( IDAlice ), IDAlice ∈{0,1} .
Suppose Bob that registers with PKG V and gets its private key
PPT Slide
Lager Image
where QBob =
PPT Slide
Lager Image
( IDBob ), IDBob ∈{0,1} .
Signcrypt:
To send a message m to Bob,
Alice operates as follows.
  • 1. Choose random numbersa1∈,a2∈and computeTA1=a1PU,TA2=a2PV.
  • 2. Computew=eV(a2PubV,QBob)
  • 3. Computec=(w)⊕m. (The plaintextmis encrypted by Bob’s public keyQBob.)
  • 4. Computeh=(c,TA1).
  • 5. Computeσ=a1PubU+hSAlice. (The ciphertextcis signatured by Alice using its private keySAlice.)
The SigncryptAlice,Bob ( m ) is { c , TA 1 , TA 2 , σ }.
Unsigncrypt:
When receiving SigncryptAlice,Bob ( m ), Bob operates as follows.
  • 1. Compute. (Bob checks Alice’s signature using Alice’s public keyQAliceto make sure that the message is from Alice indeed.) Bob accepts the ciphertextcif and only if the above equation holds.
  • 2. Computew∗=eV(TA2,SBob).
  • 3. Recoverm=(w∗)⊕c. (The plaintextmis recovered from the ciphertextcby Bob’s private keySBob. Thus no one but Bob is able to obtainm.)
The correctness can be easily verified by the following equations.
PPT Slide
Lager Image
A brief security analysis is described as follows. Our signcryption scheme possesses confidentiality, unforgeability and non-repudiation. More details see in Section 4.1.
confidentiality
It is computationally infeasible for an attacker who may be anyone other than Alice and Bob to obtain any partial information on the contents of a signcrypted text. No one except Bob can achieve m from { c , TA 1 , TA 2 , σ }, because only Bob owns SBob to calculate the decryption key w = eV ( TA 2 , SBob ).
unforgeability
It is computationally infeasible for an attacker to impersonate Alice in creating a signcrypted text. An attacker can obtain PubU and h , but cannot get a 1 nor SAlice . For σ = a 1 PubU + hSAlice , no one can forge a Alice’s signature.
non-repudiation
It is computationally infeasible for anyone to deny the fact that they are the originator of a signcrypted text. Once Bob verifies Alice’s signature, Alice cannot repudiate the signature because nobody is able to forge her signature.
- 3.3 ID-based multi-domain handover protocol
We propose an ID-based multi-domain handover protocol for mesh points in WMNs based upon the signcryption scheme in 3.2. A MP loses all links with other MPs in its home domain U if it roams to visited domain V. It should handover to one MP in domain V to acquire network service. Thus a fast and secure handover authentication process is needed to avoid a great deal of data loss. The detailed procedure of the protocol is described in Fig. 3 .
PPT Slide
Lager Image
Procedures for the ID-based multi-domain handover protocol for the mesh points in WMNs
When MP i moves to the visited network V, it can obtain the identifiers, frequencies and link qualities of its surrounding mesh access points. According to some decision algorithms, MP i chooses only one mesh access point. Let us take the access point MP j for example. The detailed description of cross-domain handover authentication protocol is as follows.
In the open system authentication phase, MP i sends an association requirement message to MP j . MP j then replies to MP i ’s requirement with an association response message indicating acceptance or rejection. MP i and MP j generate random numbers
PPT Slide
Lager Image
and
PPT Slide
Lager Image
respectively. The random numbers are used as challenges for authentication. Then MP i and MP j exchange the random numbers and their respective public system parameters of PKGs: <
PPT Slide
Lager Image
,
PPT Slide
Lager Image
, qU , PU , PubU , eU ,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
> and <
PPT Slide
Lager Image
,
PPT Slide
Lager Image
, qV , PV , PubV , eV ,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
>.
In the authentication phase, the procedure is described below.
1. MP i
PPT Slide
Lager Image
MP i signcrypts m 1 and
PPT Slide
Lager Image
with its own private key SMPi and MP j ’s public key
PPT Slide
Lager Image
. m 1 is a plaintext to be transferred from MP i to MP j , and its value is null if there is no message to be delivered.
(1) Choose a 1
PPT Slide
Lager Image
, a 2
PPT Slide
Lager Image
randomly and compute TA 1 = a 1 PU , TA 2 = a 2 PV .
(2) Compute wMPi = eV ( a 2 PubV ,
PPT Slide
Lager Image
).
(3) Compute the ciphertext cMPi =
PPT Slide
Lager Image
PPT Slide
Lager Image
PPT Slide
Lager Image
, where
PPT Slide
Lager Image
(MP i encyptes the
PPT Slide
Lager Image
by using MP j ’s public key
PPT Slide
Lager Image
, thus only MP j is able to decypt the ciphertext cMPi .)
(4) Compute
PPT Slide
Lager Image
(5) Compute the signature
PPT Slide
Lager Image
(The ciphertext cMPi is signed by MP i using its private key SMPi .)
Then MP i sends to MP j the message: { IDMPi , IDMPj , SigncryptMPi,MPj (
PPT Slide
Lager Image
)}, where SigncryptMPi,MPj (
PPT Slide
Lager Image
{ cMPi , TA 1 , TA 2 , σMPi }
2. When receiving the message: { IDMPi , IDMPj , SigncryptMPi,MPj (
PPT Slide
Lager Image
)} from MP i , MP j follows these steps;
(1) Validate IDMPi and IDMPj to confirm the identity of each other.
(2) Compute
PPT Slide
Lager Image
Accept the message cMPi if and only if the equation holds. (MP j checks MP i ’s signature using MP i ’s public key QMPi to make sure that the message is indeed from MP i .)
Step (2) is using MP i ’s public key QMPi to confirm MP i ’s signature of the message in order to authenticate the identity of MP i .
(3) Compute wMPi = eV ( TA 2 , SMPj ).
(4) Recover
PPT Slide
Lager Image
=
PPT Slide
Lager Image
( wMPi )⊕ cMPi . (The plaintext
PPT Slide
Lager Image
is recovered from the ciphertext cMPi by MP j ’s private key SMPi . Thus no one but MP j is able to obtain
PPT Slide
Lager Image
.)
Step (3) (4) is using MP j ’s private key SMPi to recover the message
PPT Slide
Lager Image
,
PPT Slide
Lager Image
= m 1
PPT Slide
Lager Image
. MP j then gets data m 1 and random number
PPT Slide
Lager Image
.
(5) Confirm the challenge number
PPT Slide
Lager Image
.(MP j decides whether
PPT Slide
Lager Image
is the challenge number it sent to MP i . This step is to resist replay attacks.)
At this point the identity of MP i is confirmed by MP j . Meanwhile, the data m 1 is successfully received by MP j .
3. MP j ® MP i : { IDMPj , IDMPi , SigncryptMPj,MPi (
PPT Slide
Lager Image
)}.
MP j signcrypts m 2 and
PPT Slide
Lager Image
with its own private key SMPj and MP i ’s public key QMPi . m 2 is a plaintext to be transferred from MP j to MP i , and its value is null if there is no message to be delivered.
(1) Choose b 1
PPT Slide
Lager Image
, b 2
PPT Slide
Lager Image
randomly and compute TB 1 = b 1 P V , TB 2 = b 2 P U .
(2) Compute
PPT Slide
Lager Image
= eU ( b 2 Pub U , QMPi ).
(3) Compute the ciphertext cMPj =
PPT Slide
Lager Image
(
PPT Slide
Lager Image
)⊕ mMPj , where mMPj = m 2
PPT Slide
Lager Image
. (MP j encyptes the mMPj by using MP i ’s public key QMPi , thus only MP i is able to decrypt the ciphertext cMPj .)
(4) Compute hMPj =
PPT Slide
Lager Image
( cMPj , TB 1 )
(5) Compute the signature σMPj = b 1 PubV + hMPj SMPj . (The ciphertext cMPj is signed by MP j using its private key SMPj .)
Then MP j sends to MP i the message: { IDMPj , IDMPi , SigncryptMPj,MPi ( mMPj )}, where SigncryptMPj,MPi ( mMPj )={ cMPj , TB 1 , TB 2 , σMPj }
In addition, MP j is able to calculate the session key between MP i and MP j . MP j computes KMPj,MPi = eV ( SMPj , TA 2 ) eU ( QMPi , b 2 PubU ),
PPT Slide
Lager Image
= b 2 TA 1 ,
PPT Slide
Lager Image
= b 1 TA 2 , and then gets the session key skMPj,MPi = H ( KMPj,MPi ,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
, TA 1 , TA 2 , TB 1 , TB 2 , IDMPi , IDMPj ), where H :{0,1} →{0,1} k , k is the length of the session key.
4. When receiving the message: { IDMPj , IDMPi , SigncryptMPj,MPi ( mMPj )} from MP j , MP i follows these steps;
(1) Validate IDMPj and IDMPi to confirm the identity of each other.
(2) Compute
PPT Slide
Lager Image
. Accept the ciphertext cMPj if and only if the equation holds. (MP i checks MP j ’s signature using MP j ’s public key
PPT Slide
Lager Image
to make sure that the message is indeed from MP j .)
Step (2) is using MP j ’s public key
PPT Slide
Lager Image
to confirm MP j ’s signature of the message in order to authenticate the identity of MP j .
(3) Compute
PPT Slide
Lager Image
= eU ( TB 2 , SMPi ).
(4) Recover mMPj =
PPT Slide
Lager Image
(
PPT Slide
Lager Image
)⊕ cMPj . (The plaintext mMPj is recovered from the ciphertext cMPj by MP i ’s private key SMPi . Thus no one but MP i is able to obtain mMPj .)
Step (3) (4) is using MP i ’s private key SMPi to recover the message mMPj , mMPj = m 2
PPT Slide
Lager Image
. MP i then gets data m 2 and random number
PPT Slide
Lager Image
.
(5) Confirm the challenge number
PPT Slide
Lager Image
. (MP i decides whether
PPT Slide
Lager Image
is the challenge number it sent to MP j . The step is to resist replay attacks.)
At this point the identity of MP j is confirmed by MP i . Meanwhile, the data m 2 is successfully received by MP i .
MP i is able to calculate the session key between MP i and MP j . MP i computes KMPi,MPj = eU ( SMPi , TB 2 ) eV (
PPT Slide
Lager Image
a 2 PubV ),
PPT Slide
Lager Image
= a 1 TB 2 ,
PPT Slide
Lager Image
= a 2 TB 1 , and then gets the session key skMPi,MPj = H ( KMPi,MPj ,
PPT Slide
Lager Image
,
PPT Slide
Lager Image
, TA 1 , TA 2 , TB 1 , TB 2 , IDMPi , IDMPj ), where H :{0,1} →{0,1} k , k is the length of the session key.
To this, mutual authentication between MP i and MP j is completed.
The correctness of the session key can be easily verified. It is easy to verify KMPi,MPj = KMPj,MPi ,
PPT Slide
Lager Image
=
PPT Slide
Lager Image
and
PPT Slide
Lager Image
=
PPT Slide
Lager Image
by the following equations.
KMPi,MPj = eU ( SMPi , TB 2 ) eV (
PPT Slide
Lager Image
, a 2 PubV )= eU ( sU QMPi , b 2 PU ) eV (
PPT Slide
Lager Image
, a 2 sVPV )
= eU ( QMPi , PU ) sUb2 eV (
PPT Slide
Lager Image
, PV ) a2sV
KMPj,MPi = eV ( SMPj , TA 2 ) eU ( QMPi , b 2 PubU )= eV ( sV
PPT Slide
Lager Image
, a 2 PV ) eU ( QMPi , b 2 sUPU )
= eV (
PPT Slide
Lager Image
, PV ) sVa2 eU ( QMPi , PU ) b2sU
PPT Slide
Lager Image
=
PPT Slide
Lager Image
= a 1 b 2 PU
PPT Slide
Lager Image
=
PPT Slide
Lager Image
= a 2 b 1 PV
For skMPi,MPj = skMPj,MPi , MP i and MP j share the same session key.
4. Security analysis
- 4.1 Security analysis of the ID-based multi-domain signcryption protocol
First of all, the security definitions for multi-domain ID-based signcryption scheme (MPIDSC) are described in [10] .
Definition 1 (Confidentiality). A multi-PKG ID-based signcryption scheme is said to have indistinguishability against adaptive chosen ciphertext attacks (IND-MPIDSC-CCA2) if no polynomially bounded adversary has a non-negligible advantage in the game. (More details about the game are given in definition3 of [10] ).
Definition 2 (Unforgeability). A multi-PKG ID-based signcryption scheme is said to have existential unforgeability against adaptive chosen message attacks (EUF-MPIDSC-CMA) if no polynomially bounded adversary has a non-negligible advantage in the game. (More details about the game are given in definition4 of [10] ).
Similarly, we can prove that our scheme is both IND-MPIDSC-CCA2 and EUF-MPIDSC-CMA secure.
Theorem 1 (Confidentiality). In the random oracle model, we assume we have an IND-MPIDSC-CCA2 adversary called Α that is able to distinguish ciphertext during the game of Definition 1 with an advantage ε when running in a time t and asking at most
PPT Slide
Lager Image
times
PPT Slide
Lager Image
( i =1,2,3, j = U , V ) queries, at most qS times signcryption queries and qU times unsigncryption queries. And there exists a distinguisher Χ that can solve the DBDH problem in a time t '= t +( qS +4 qU ) te with an advantage
PPT Slide
Lager Image
, where te denotes the computation time of the bilinear map.
Proof. We assume that the distinguisher Χ receives a random instance ( PV , aPV , bPV , cPV , h ) of the DBDH problem to decide whether h = eV ( PV , PV ) abc is true or not. Χ will run Α as a subroutine and act as Α’s challenger in the IND-MPIDSC-CCA2 game. Α will consult Χ for answers to queries of random oracles
PPT Slide
Lager Image
( i =1,2,3, j = U , V ), signcryption and unsigncryption. Correspondingly, Χ maintains 10 lists to store the answers. The lists are
PPT Slide
Lager Image
( i =1,2,3, j = U , V ),
PPT Slide
Lager Image
respectively.
At the beginning of the game, Χ gives Α the system parameters with PubV = cPV and PubU = dPU , where c and d respectively simulate the master key for PKG V and PKG U . c and d are not known to Χ.
PPT Slide
Lager Image
queries: Χ chooses a random number l ∈{1,2,...,
PPT Slide
Lager Image
}. At the u -th
PPT Slide
Lager Image
query, if u = l , then Χ answers
PPT Slide
Lager Image
( IDu )= bPV ; if u l , Χ chooses a random number x
PPT Slide
Lager Image
, answers
PPT Slide
Lager Image
( IDu )= xPV and then puts ( IDu , x ) in the list
PPT Slide
Lager Image
.
PPT Slide
Lager Image
queries: Χ chooses a random number x
PPT Slide
Lager Image
, answers
PPT Slide
Lager Image
( IDu )= xPU and then puts ( ID u ,x) in the list
PPT Slide
Lager Image
.
PPT Slide
Lager Image
/
PPT Slide
Lager Image
queries: When Α asks the queries, Χ will check the list
PPT Slide
Lager Image
/
PPT Slide
Lager Image
. If the corresponding hash value exists, the hash value will be returned to Α; otherwise, a random value h 2 ∈(0,1) will be chosen by Χ, and Χ then stores the query and answer in the list.
PPT Slide
Lager Image
/
PPT Slide
Lager Image
queries: When Α asks the queries, Χ will check the list
PPT Slide
Lager Image
/
PPT Slide
Lager Image
. If the corresponding hash value exists, the hash value will be returned to Α; otherwise, a random value h3 will be chosen by Χ, and Χ then stores the query and answer in the list.
ExtractV queries: If IDu = IDl , then Χ fails. Otherwise, Χ finds entry ( IDu , x ) from list
PPT Slide
Lager Image
, computes the private key corresponding to IDu : SIDu = cxPV , and returns to Α.
ExtractU queries: Χ finds entry ( IDu , x ) from list
PPT Slide
Lager Image
, computes the private key corresponding to IDu : SIDu = dxPU , and returns to Α.
Singcrypt queries: Let ID1 and ID2 denote the sender and the receiver respectively and m is the plaintext. There are two cases to consider.
Case 1: ID1 IDl . Χ can get the private key of ID1 : SID1 . Χ chooses random numbers a 1
PPT Slide
Lager Image
and a 2
PPT Slide
Lager Image
randomly and computes TA 1 = a 1 PU , TA 2 = a 2 PV . Then Χ calculates w = eV ( a 2 PubV , QID2 ), c = m
PPT Slide
Lager Image
( w ), h =
PPT Slide
Lager Image
( c , TA 1 ), σ = a 1 PubU + hSID1 . Χ returns message: { c , TA 1 , TA 2 , σ } to Α.
Case 2: ID1 = IDl . Χ cannot get SID1 , but can obtain SID2 . Χ chooses random numbers a 1 , h
PPT Slide
Lager Image
and a 2
PPT Slide
Lager Image
randomly. Then Χ computes TA 2 = a 2 PV , calculates w = eV ( TA 2 , SID2 ), and runs c = m
PPT Slide
Lager Image
( w ). Χ computes TA 1 = a 1 PU - hQID1 and σ = a 1 PubU . Χ returns { c , TA 1 , TA 2 , σ } to Α and puts it to list
PPT Slide
Lager Image
.
Unsingcrypt queries: For an unsigncryption query on ciphertext { c , TA 1 , TA 2 , σ }, there are two cases to consider.
Case 1: ID 2 IDl . Χ checks if
PPT Slide
Lager Image
holds. If the equation holds, Χ can get the private key of ID 2 : S ID2 to compute w = eV ( TA 2 , SID2 ), and retruns m = c
PPT Slide
Lager Image
( w ) to Α.
Case 2: ID 2 = IDl . Χ always answers Α that the ciphertext: { c , TA 1 , TA 2 , σ } is invalid.
Α can ask a polynomially bounded number of queries adaptively again as in the first stage. Then Α will pick a challenged pair of identities : { ID A , ID B } and output two messages: { m 0 , m 1 }. Χ chooses v ∈{0,1} and signcrypts mv . Then Χ randomly chooses σ
PPT Slide
Lager Image
,
PPT Slide
Lager Image
PPT Slide
Lager Image
, sets
PPT Slide
Lager Image
= aPV , θ =