Wireless mesh networks (WMNs) provide an efficient and flexible method to the field of wireless networking, but also bring many security issues. A mesh point may lose all of its available links during its movement. Thus, the mesh point needs to handover to a new mesh point in order to obtain access to the network again. For multidomain WMNs, we proposed a new IDbased signcryption scheme and accordingly present a novel IDbased handover protocol for mesh points. The mutual authentication and key establishment of two mesh points which belong to different trust domains can be achieved by using a single oneround message exchange during the authentication phase. The authentication server is not involved in our handover authentication protocol so that mutual authentication can be completed directly by the mesh points. Meanwhile, the data transmitted between the two mesh points can be carried by the authentication messages. Moreover, there are no restrictions on the PKG system parameters in our proposed multidomain IDbased signcryption scheme so our handover scheme can be easily applied to real WMNs circumstances. Security of the signcryption scheme is proved in the random oracle model. It shows that our protocol satisfies the basic security requirements and is resistant to existing attacks based on the security of the signcryption. The analysis of the performance demonstrates that the protocol is efficient and suitable for the multidomain WMNs environment.
1. Introduction
W
ireless mesh networks (WMNs)
[1]
use a new crucial technology for wireless network structure, with many features including multihops, selforganization, low installation costs, largescale deployment and faulttolerance. Mesh nodes consist of mesh clients (MCs) and mesh points (MPs). The MCs are often laptops, cell phones and other wireless devices. The MPs form a wireless mesh backbone to provide network access from one mesh node to another or to the Internet. A subset of mesh points work as mesh access points (MAPs) to connect mesh clients to the WMNs. Due to the features of distributed architecture, multihop wireless backbone and dynamic network topology, the WMNs provide an efficient and flexible networking method, but also bring great security challenges.
The IEEE 802.11s
[2]
defines the security of WMNs that are still using the IEEE 802.11i
[3]
standards with IEEE 802.11x
[4]
and 4way handshake protocols. Current research of WMNs is based on a shared key scheme or a public key system. The shared key scheme relies heavily on key management, and the conventional public key infrastructure (PKI) has a requirement for large storage and management of the public key certifications. The IEEE 802.11s presents a new security structure MSA (Mesh Security Association)
[5]
, however, its key framework is quite complicated. Numerous security schemes for WMNs using identitybased (IDbased) cryptography have been proposed over the years. The concept of IDbased cryptography (IBC)
[6]
was first introduced by Shamir in 1984. The basic idea of IDbased cryptosystem is that the entity’s public key is directly derived from its publicly known identity information such as an email address, an IP address, a telephone number or any other string of characters. The private key is issued by a trusted authority called the Private Key Generator (PKG). IBC completely eliminates the need for publickey distribution realized by conventional publickey certificates.
WMNs usually consist of several cooperating subnetworks called mesh trust domains. Establishing trust relationships between multidomains is necessary and important in roaming scenarios. Most of the existing IDbased authentication protocols are based on the assumption that there exists only one single PKG. They consider the situation in which all the users belong to the same network. However, next generation wireless network is expected to establish a hybrid heterogeneous network with several types of wireless access technologies. In the circumstance of ubiquitous wireless network, there exists multiple independent and autonomous trust domains. It is unreasonable to assume that different trust domains use a single PKG. Different trust domains may be maintained by different PKGs in the real networks. Therefore, another kind of security handover scheme is needed for WMNs, namely an IDbased multidomain security scheme with different PKGs.
A MP may lose all available current links when it moves away. Thus, it should be handed over to another MP in order to obtain access to the network again. Mutual authentication and key agreement are important for supporting the MPs’ secure and fast roaming ability across different trust domains. We propose an IDbased multidomain WMNs security structure. We will present a novel multidomain handover protocol based on the IDbased multidomain security structure. The scheme is quite suitable for real WMNs circumstances because the system parameters of the PKGs can be totally different. Multihops wireless communication between the Authentication Server (AS) and MPs would result in high latency, low stability and potential service interruption. In our protocol, the AS is not involved during the handover authentication process. Thus, the protocol is well suitable for selforganized WMNs. By using the multidomain IDbased signcryption technique we proposed, two MPs which belong to different trust domains will be able to achieve both a mutual authentication and an authenticated key establishment in a single oneround message exchange during the authentication phase. Furthermore, the transmitted data of both sides can be carried by the authentication messages.
2. Related Work
IEEE 802.11i defines a complete mutual authentication mechanism based on the EAP (Extensible authentication protocol) and IEEE 802.1x. However we believe it is not suitable for WMNs due to its centralized operations and multihops communication between the authentication server and the access points. The mutual reauthentication process still needs the AS to participate in executing the total IEEE 802.11i authentication procedures for any handover to occur. The IEEE 802.11s inherits the security architecture from IEEE 802.11i, so it will also suffer the abovementioned drawbacks.
The shared key scheme has a key management burden, and the conventional public key infrastructure (PKI) has a large overhead storage requirement and has to deal with the management of the public key certifications. Shamir first presented the concept of IDbased cryptography in 1984. Several IDbased signature schemes have been proposed since then. It was not until 2001 that a satisfying IDbased encryption scheme was devised by Boneh and Franklin
[7]
using bilinear maps (the Wail or Tate pairing) over supersingular elliptic curves.
Confidentiality, integrity, nonrepudiation and authentication are the important security attributes for many cryptographic applications. The traditional approach to achieve these security attributes is “signthenencrypt”. A new standard for data protection called signcryption
[8]
was proposed by Zheng in 1997. Signcryption simultaneously fulfills both the functions of digital signature and public key encryption in a single logical step, and with a cost significantly lower than that required by "signature followed by encyption". Signcryption plays an important part in the application environments which demand to complete both encryption and signature. A signcryption scheme is deemed to be secure if it possesses confidentiality, unforgeability and nonrepudiation. MaloneLee
[9]
first presented IDbased signcryption by using bilinear pairing. Li
[10]
presents IDbased multiPKG signcryption schemes which can achieve multidomain signcryption. But these schemes require an assumption that different domains own different master private keys but still share the same pairing parameters.
Caimu Tang et al.
[11]
presented a mobile authentication scheme for wireless networks. In his protocol, a MC is registered to its home network and can be authenticated by visiting a network through a delegation passcode. However, the communication between the HLR (home location register) and the VLR (visited location register) will lead to high latency and low stability. Li et al.
[12]
proposed a ticketbased authentication protocol to support a faster handover in wireless local area networks. The authentication server predistributes the tickets to clients, one for each neighbor AP of the current AP. The client will deliver the corresponding ticket to the target AP for mutual authentication when it moves to the target AP. The protocol does not apply any publickey cryptography in order to minimize the reauthentication latency. But their schemes may not be suitable for all WMNs circumstances, for risk and cost caused by the multihop communication should be considered. Celia Li et al.
[13
,
14]
proposed a mesh handover scheme, in which the AS is not required. But the major problem of the protocol for handover authentication is that all the neighbours of the current MAP share the same keys for handover authentication. For this reason, the client can not verify the AP’s identity because any AP that owns the authentication keys can impersonate the target AP. Li et al.
[15]
achieved roaming authentication without any home AS’s participation, which can not be applied in the environment of multidomain wireless networks.
Zhu et al.
[16]
presented a more secure scheme for multidomain wireless mesh networks combing PKI and IBC techniques. The MC which belongs to trust domain B can be authenticated by the target network of trust domain A. However, trusted authorities of both sides need to be involved during the authentication process, and the trust relationship between home domain and visited domain should be negotiated through PKI. He et al.
[17]
accomplished the authentication between mesh nodes belongs to different trust domains, but the home AS still needs to be involved, and system time synchronization is required. The interaction between home domain and visited domain causes high latency and low efficiency. A nonrepudiable authentication scheme for wireless mesh networks was proposed in paper
[18]
. Although interdomain authentication in the scheme is actualized by an IDbased signature, the author assumes that different domains share the same PKG system parameters. Gao et al.
[19]
applied IDbased proxy signature to multidomain authentication protocols for WMNs. Authentication and key agreement depend on a trust relationship between the broker and the domain. Besides that, delegating the signing rights from the original signer to a proxy signer would result in more security risks. And proxy signature mechanism is sure to increase system complexity. As discussed above, the IDbased multidomain authentication schemes, except Zhu’s, are based upon the assumption that: all the different domains share the same pairing parameters. The assumption limits the application scalabilities of these schemes. It is infeasible to satisfy the above assumption for real networks especially heterogeneous networks.
We are proposing a novel IDbased multidomain handover protocol for mesh points in WMNs in which there are no restrictions on the PKG system parameters. As a result different domains may have totally different PKG system parameters including public system parameters, master keys and system public keys.
3. IDbased multidomain handover protocol for mesh points in WMNs
 Preliminaries
(1) Bilinear pairings：Let
G
_{1}
be an additive group and
G
_{2}
be a multiplicative group of the prime order
q
. Let
P
be an arbitrary generator of
G
_{1}
. The pairing
e
:
G
_{1}
×
G
_{1}
→
G
_{2}
is called an admissible bilinear map if it has the following properties:
1）Bilinear: For ∀
P
,
Q
∈
G
_{1}
and
a
,
b
∈
,
e
(
aP
,
bQ
)=
e
(
P
,
Q
)
^{ab}
.
2）Nondegenerate: ∀
P
,
Q
∈
G
_{1}
,
e
(
aP
,
bQ
)≠
1
_{G2}
, for
1
_{G2}
is an arbitrary generator of
G
_{2}
.
3）Computable: For ∀
P
,
Q
∈
G
_{1}
, there exists an efficient algorithm to compute
e
(
P
,
Q
).
(2) Decisional Bilinear DiffieHellman Problem (DBDHP): Given (
P
,
aP
,
bP
,
cP
), for some
a
,
b
,
c
∈
Z
^{∗}
_{q}
and an element
θ
∈
G
_{2}
, decide whether
θ
=
e
(
P
,
Q
)
^{abc}
.
 3.1 IDbased multidomain security structure of WMNs
The network model we considered in this paper is portrayed in
Fig. 1
. There are multiple independent and autonomous trust domains in the WMNs. Each domain has its own PKG which generates and distributes the private keys for the nodes in the domain. The PKGs are supposed to be trusted. In order to make our scheme applicable in real WMNs circumstances, we have allowed each PKG to use totally different system parameters, including different public parameters <
G
_{1}
,
G
_{2}
,
e
,
P
,
H
_{1}
,
H
_{2}
,
H
_{3}
>, system master key
s
and system public key
Pub
=
sP
. For each node in the domain, the public key is its identity information, and the private key is generated by PKG using its identity information.
IDbased multidomain security structure of WMNs
A MP may lose all currently available links during its movement. Thus, the MP must handover to another MP in order to obtain access to the network again.
Fig. 2
shows the IDbased multidomain handover for MPs in WMNs. We take the networks U and V for instance.
IDbased multidomain handover for mesh points in WMNs
 3.2 IDbased multidomain signcryption protocol
The encrypted random numbers used as challenges will enhance the security during the handover protocol. However, a simple signature scheme cannot implement random numbers encryption. Both signature and encryption should be considered in the scheme. Signcryption simultaneously fulfills both signature and public key encryption in a single logical step with a cost significantly lower than that required by "signature followed by encyption". Therefore, we have proposed a novel IDbased multidomain signcryption scheme which can be used to achieve secure handovers for MPs in WMNs in the future. There are no restrictions on PKG system parameters so they can be totally different in the different trust domains. Let us describe the signcryption scheme before representing the handover protocol. The scenario studied in this section is pictured in
Fig. 2
.
Setup:
The system parameters for network domain U are generated as follows. Define
be an additive group and
be a multiplicative group of the prime order
q_{U}
.
P_{U}
is an arbitrary generator of
. The pairing
e_{U}
:
×
→
is a bilinear map. Let
,
and
be three cryptography hash functions where
:{0,1}
^{∗}
→
,
:
→{0,1}
^{∗}
,
:{0,1}
^{∗}
×
→
. The PKG
_{U}
chooses a master private key
s_{U}
∈
randomly and computes a corresponding system public key
Pub_{U}
=
s_{U}
P_{U}
. The PKG
_{U}
publishes
Pub_{U}
and keeps the master private key
s_{U}
secret. The public system parameters of PKG
_{U}
are <
,
,
q_{U}
,
P_{U}
,
Pub_{U}
,
e_{U}
,
,
,
>.
The similar process is implemented for network domain V. Define
be an additive group and
be a multiplicative group of the prime order
q_{V}
.
P_{V}
is an arbitrary generator of
. The pairing
e_{V}
:
×
→
is a bilinear map. Let
,
and
be three cryptography hash functions where
:{0,1}
^{∗}
→
,
:
→{0,1}
^{∗}
,
:{0,1}
^{∗}
×
→
. The PKG
_{V}
chooses a master private key
s_{V}
∈
randomly and computes a corresponding system public key
Pub_{V}
=
s_{V}
P_{V}
. The PKG
_{V}
publishes
Pub_{V}
and keeps the master private key
s_{V}
secret. The public system parameters of PKG
_{V}
are <
,
,
q_{V}
,
P_{V}
,
Pub_{V}
,
e_{V}
,
,
,
>.
Extract:
Suppose Alice that registers with PKG
_{U}
and gets its private key
where
Q_{Alice}
=
(
ID_{Alice}
),
ID_{Alice}
∈{0,1}
^{∗}
.
Suppose Bob that registers with PKG
_{V}
and gets its private key
where
Q_{Bob}
=
(
ID_{Bob}
),
ID_{Bob}
∈{0,1}
^{∗}
.
Signcrypt:
To send a message
m
to Bob,
Alice operates as follows.

1. Choose random numbersa1∈,a2∈and computeTA1=a1PU,TA2=a2PV.

2. Computew=eV(a2PubV,QBob)

3. Computec=(w)⊕m. (The plaintextmis encrypted by Bob’s public keyQBob.)

4. Computeh=(c,TA1).

5. Computeσ=a1PubU+hSAlice. (The ciphertextcis signatured by Alice using its private keySAlice.)
The
Signcrypt_{Alice,Bob}
(
m
) is {
c
,
TA
_{1}
,
TA
_{2}
,
σ
}.
Unsigncrypt:
When receiving
Signcrypt_{Alice,Bob}
(
m
), Bob operates as follows.

1. Compute. (Bob checks Alice’s signature using Alice’s public keyQAliceto make sure that the message is from Alice indeed.) Bob accepts the ciphertextcif and only if the above equation holds.

2. Computew∗=eV(TA2,SBob).

3. Recoverm=(w∗)⊕c. (The plaintextmis recovered from the ciphertextcby Bob’s private keySBob. Thus no one but Bob is able to obtainm.)
The correctness can be easily verified by the following equations.
A brief security analysis is described as follows. Our signcryption scheme possesses confidentiality, unforgeability and nonrepudiation. More details see in Section 4.1.
confidentiality
It is computationally infeasible for an attacker who may be anyone other than Alice and Bob to obtain any partial information on the contents of a signcrypted text. No one except Bob can achieve
m
from {
c
,
TA
_{1}
,
TA
_{2}
,
σ
}, because only Bob owns
S_{Bob}
to calculate the decryption key
w
^{∗}
=
e_{V}
(
TA
_{2}
,
S_{Bob}
).
unforgeability
It is computationally infeasible for an attacker to impersonate Alice in creating a signcrypted text. An attacker can obtain
Pub_{U}
and
h
, but cannot get
a
_{1}
nor
S_{Alice}
. For
σ
=
a
_{1}
Pub_{U}
+
hS_{Alice}
, no one can forge a Alice’s signature.
nonrepudiation
It is computationally infeasible for anyone to deny the fact that they are the originator of a signcrypted text. Once Bob verifies Alice’s signature, Alice cannot repudiate the signature because nobody is able to forge her signature.
 3.3 IDbased multidomain handover protocol
We propose an IDbased multidomain handover protocol for mesh points in WMNs based upon the signcryption scheme in 3.2. A MP loses all links with other MPs in its home domain U if it roams to visited domain V. It should handover to one MP in domain V to acquire network service. Thus a fast and secure handover authentication process is needed to avoid a great deal of data loss. The detailed procedure of the protocol is described in
Fig. 3
.
Procedures for the IDbased multidomain handover protocol for the mesh points in WMNs
When MP
_{i}
moves to the visited network V, it can obtain the identifiers, frequencies and link qualities of its surrounding mesh access points. According to some decision algorithms, MP
_{i}
chooses only one mesh access point. Let us take the access point MP
_{j}
for example. The detailed description of crossdomain handover authentication protocol is as follows.
In the open system authentication phase, MP
_{i}
sends an association requirement message to MP
_{j}
. MP
_{j}
then replies to MP
_{i}
’s requirement with an association response message indicating acceptance or rejection. MP
_{i}
and MP
_{j}
generate random numbers
and
respectively. The random numbers are used as challenges for authentication. Then MP
_{i}
and MP
_{j}
exchange the random numbers and their respective public system parameters of PKGs: <
,
,
q_{U}
,
P_{U}
,
Pub_{U}
,
e_{U}
,
,
,
> and <
,
,
q_{V}
,
P_{V}
,
Pub_{V}
,
e_{V}
,
,
,
>.
In the authentication phase, the procedure is described below.
1. MP
_{i}
→
MP
_{i}
signcrypts
m
_{1}
and
with its own private key
S_{MPi}
and MP
_{j}
’s public key
.
m
_{1}
is a plaintext to be transferred from MP
_{i}
to MP
_{j}
, and its value is null if there is no message to be delivered.
(1) Choose
a
_{1}
∈
,
a
_{2}
∈
randomly and compute
TA
_{1}
=
a
_{1}
P_{U}
,
TA
_{2}
=
a
_{2}
P_{V}
.
(2) Compute
w_{MPi}
=
e_{V}
(
a
_{2}
Pub_{V}
,
).
(3) Compute the ciphertext
c_{MPi}
=
⊕
, where
(MP
_{i}
encyptes the
by using MP
_{j}
’s public key
, thus only MP
_{j}
is able to decypt the ciphertext
c_{MPi}
.)
(4) Compute
(5) Compute the signature
(The ciphertext
c_{MPi}
is signed by MP
_{i}
using its private key
S_{MPi}
.)
Then MP
_{i}
sends to MP
_{j}
the message: {
ID_{MPi}
,
ID_{MPj}
,
Signcrypt_{MPi,MPj}
(
)}, where
Signcrypt_{MPi,MPj}
(
{
c_{MPi}
,
TA
_{1}
,
TA
_{2}
,
σ_{MPi}
}
2. When receiving the message: {
ID_{MPi}
,
ID_{MPj}
,
Signcrypt_{MPi,MPj}
(
)} from MP
_{i}
, MP
_{j}
follows these steps;
(1) Validate
ID_{MPi}
and
ID_{MPj}
to confirm the identity of each other.
(2) Compute
Accept the message
c_{MPi}
if and only if the equation holds. (MP
_{j}
checks MP
_{i}
’s signature using MP
_{i}
’s public key
Q_{MPi}
to make sure that the message is indeed from MP
_{i}
.)
Step (2) is using MP
_{i}
’s public key
Q_{MPi}
to confirm MP
_{i}
’s signature of the message in order to authenticate the identity of MP
_{i}
.
(3) Compute
w_{MPi}
^{∗}
=
e_{V}
(
TA
_{2}
,
S_{MPj}
).
(4) Recover
=
(
w_{MPi}
^{∗}
)⊕
c_{MPi}
. (The plaintext
is recovered from the ciphertext
c_{MPi}
by MP
_{j}
’s private key
S_{MPi}
. Thus no one but MP
_{j}
is able to obtain
.)
Step (3) (4) is using MP
_{j}
’s private key
S_{MPi}
to recover the message
,
=
m
_{1}
∥
. MP
_{j}
then gets data
m
_{1}
and random number
.
(5) Confirm the challenge number
.(MP
_{j}
decides whether
is the challenge number it sent to MP
_{i}
. This step is to resist replay attacks.)
At this point the identity of MP
_{i}
is confirmed by MP
_{j}
. Meanwhile, the data
m
_{1}
is successfully received by MP
_{j}
.
3. MP
_{j}
® MP
_{i}
: {
ID_{MPj}
,
ID_{MPi}
,
Signcrypt_{MPj,MPi}
(
)}.
MP
_{j}
signcrypts
m
_{2}
and
with its own private key
S_{MPj}
and MP
_{i}
’s public key
Q_{MPi}
.
m
_{2}
is a plaintext to be transferred from MP
_{j}
to MP
_{i}
, and its value is null if there is no message to be delivered.
(1) Choose
b
_{1}
∈
,
b
_{2}
∈
randomly and compute
TB
_{1}
=
b
_{1}
P
_{V}
,
TB
_{2}
=
b
_{2}
P
_{U}
.
(2) Compute
=
e_{U}
(
b
_{2}
Pub
_{U}
,
Q_{MPi}
).
(3) Compute the ciphertext
c_{MPj}
=
(
)⊕
m_{MPj}
, where
m_{MPj}
=
m
_{2}
∥
. (MP
_{j}
encyptes the
m_{MPj}
by using MP
_{i}
’s public key
Q_{MPi}
, thus only MP
_{i}
is able to decrypt the ciphertext
c_{MPj}
.)
(4) Compute
h_{MPj}
=
(
c_{MPj}
,
TB
_{1}
)
(5) Compute the signature
σ_{MPj}
=
b
_{1}
Pub_{V}
+
h_{MPj}
S_{MPj}
. (The ciphertext
c_{MPj}
is signed by MP
_{j}
using its private key
S_{MPj}
.)
Then MP
_{j}
sends to MP
_{i}
the message: {
ID_{MPj}
,
ID_{MPi}
,
Signcrypt_{MPj,MPi}
(
m_{MPj}
)}, where
Signcrypt_{MPj,MPi}
(
m_{MPj}
)={
c_{MPj}
,
TB
_{1}
,
TB
_{2}
,
σ_{MPj}
}
In addition, MP
_{j}
is able to calculate the session key between MP
_{i}
and MP
_{j}
. MP
_{j}
computes
K_{MPj,MPi}
=
e_{V}
(
S_{MPj}
,
TA
_{2}
)
e_{U}
(
Q_{MPi}
,
b
_{2}
Pub_{U}
),
=
b
_{2}
TA
_{1}
,
=
b
_{1}
TA
_{2}
, and then gets the session key
sk_{MPj,MPi}
=
H
(
K_{MPj,MPi}
,
,
,
TA
_{1}
,
TA
_{2}
,
TB
_{1}
,
TB
_{2}
,
ID_{MPi}
,
ID_{MPj}
), where
H
:{0,1}
^{∗}
→{0,1}
^{k}
,
k
is the length of the session key.
4. When receiving the message: {
ID_{MPj}
,
ID_{MPi}
,
Signcrypt_{MPj,MPi}
(
m_{MPj}
)} from MP
_{j}
, MP
_{i}
follows these steps;
(1) Validate
ID_{MPj}
and
ID_{MPi}
to confirm the identity of each other.
(2) Compute
. Accept the ciphertext
c_{MPj}
if and only if the equation holds. (MP
_{i}
checks MP
_{j}
’s signature using MP
_{j}
’s public key
to make sure that the message is indeed from MP
_{j}
.)
Step (2) is using MP
_{j}
’s public key
to confirm MP
_{j}
’s signature of the message in order to authenticate the identity of MP
_{j}
.
(3) Compute
=
e_{U}
(
TB
_{2}
,
S_{MPi}
).
(4) Recover
m_{MPj}
=
(
)⊕
c_{MPj}
. (The plaintext
m_{MPj}
is recovered from the ciphertext
c_{MPj}
by MP
_{i}
’s private key
S_{MPi}
. Thus no one but MP
_{i}
is able to obtain
m_{MPj}
.)
Step (3) (4) is using MP
_{i}
’s private key
S_{MPi}
to recover the message
m_{MPj}
,
m_{MPj}
=
m
_{2}
∥
. MP
_{i}
then gets data
m
_{2}
and random number
.
(5) Confirm the challenge number
. (MP
_{i}
decides whether
is the challenge number it sent to MP
_{j}
. The step is to resist replay attacks.)
At this point the identity of MP
_{j}
is confirmed by MP
_{i}
. Meanwhile, the data
m
_{2}
is successfully received by MP
_{i}
.
MP
_{i}
is able to calculate the session key between MP
_{i}
and MP
_{j}
. MP
_{i}
computes
K_{MPi,MPj}
=
e_{U}
(
S_{MPi}
,
TB
_{2}
)
e_{V}
(
a
_{2}
Pub_{V}
),
=
a
_{1}
TB
_{2}
,
=
a
_{2}
TB
_{1}
, and then gets the session key
sk_{MPi,MPj}
=
H
(
K_{MPi,MPj}
,
,
,
TA
_{1}
,
TA
_{2}
,
TB
_{1}
,
TB
_{2}
,
ID_{MPi}
,
ID_{MPj}
), where
H
:{0,1}
^{∗}
→{0,1}
^{k}
,
k
is the length of the session key.
To this, mutual authentication between MP
_{i}
and MP
_{j}
is completed.
The correctness of the session key can be easily verified. It is easy to verify
K_{MPi,MPj}
=
K_{MPj,MPi}
,
=
and
=
by the following equations.
K_{MPi,MPj}
=
e_{U}
(
S_{MPi}
,
TB
_{2}
)
e_{V}
(
,
a
_{2}
Pub_{V}
)=
e_{U}
(
s_{U}
Q_{MPi}
,
b
_{2}
P_{U}
)
e_{V}
(
,
a
_{2}
s_{V}P_{V}
)
=
e_{U}
(
Q_{MPi}
,
P_{U}
)
^{sUb2}
e_{V}
(
,
P_{V}
)
^{a2sV}
K_{MPj,MPi}
=
e_{V}
(
S_{MPj}
,
TA
_{2}
)
e_{U}
(
Q_{MPi}
,
b
_{2}
Pub_{U}
)=
e_{V}
(
s_{V}
,
a
_{2}
P_{V}
)
e_{U}
(
Q_{MPi}
,
b
_{2}
s_{U}P_{U}
)
=
e_{V}
(
,
P_{V}
)
^{sVa2}
e_{U}
(
Q_{MPi}
,
P_{U}
)
^{b2sU}
=
=
a
_{1}
b
_{2}
P_{U}
=
=
a
_{2}
b
_{1}
P_{V}
For
sk_{MPi,MPj}
=
sk_{MPj,MPi}
, MP
_{i}
and MP
_{j}
share the same session key.
4. Security analysis
 4.1 Security analysis of the IDbased multidomain signcryption protocol
First of all, the security definitions for multidomain IDbased signcryption scheme (MPIDSC) are described in
[10]
.
Definition 1 (Confidentiality). A multiPKG IDbased signcryption scheme is said to have indistinguishability against adaptive chosen ciphertext attacks (INDMPIDSCCCA2) if no polynomially bounded adversary has a nonnegligible advantage in the game. (More details about the game are given in definition3 of
[10]
).
Definition 2 (Unforgeability). A multiPKG IDbased signcryption scheme is said to have existential unforgeability against adaptive chosen message attacks (EUFMPIDSCCMA) if no polynomially bounded adversary has a nonnegligible advantage in the game. (More details about the game are given in definition4 of
[10]
).
Similarly, we can prove that our scheme is both INDMPIDSCCCA2 and EUFMPIDSCCMA secure.
Theorem 1 (Confidentiality). In the random oracle model, we assume we have an INDMPIDSCCCA2 adversary called Α that is able to distinguish ciphertext during the game of Definition 1 with an advantage
ε
when running in a time
t
and asking at most
times
(
i
=1,2,3,
j
=
U
,
V
) queries, at most
q_{S}
times signcryption queries and
q_{U}
times unsigncryption queries. And there exists a distinguisher Χ that can solve the DBDH problem in a time
t
'=
t
+(
q_{S}
+4
q_{U}
)
t_{e}
with an advantage
, where
t_{e}
denotes the computation time of the bilinear map.
Proof. We assume that the distinguisher Χ receives a random instance (
P_{V}
,
aP_{V}
,
bP_{V}
,
cP_{V}
,
h
) of the DBDH problem to decide whether
h
=
e_{V}
(
P_{V}
,
P_{V}
)
^{abc}
is true or not. Χ will run Α as a subroutine and act as Α’s challenger in the INDMPIDSCCCA2 game. Α will consult Χ for answers to queries of random oracles
(
i
=1,2,3,
j
=
U
,
V
), signcryption and unsigncryption. Correspondingly, Χ maintains 10 lists to store the answers. The lists are
(
i
=1,2,3,
j
=
U
,
V
),
respectively.
At the beginning of the game, Χ gives Α the system parameters with
Pub_{V}
=
cP_{V}
and
Pub_{U}
=
dP_{U}
, where
c
and
d
respectively simulate the master key for PKG
_{V}
and PKG
_{U}
.
c
and
d
are not known to Χ.
queries: Χ chooses a random number
l
∈{1,2,...,
}. At the
u
th
query, if
u
=
l
, then Χ answers
(
ID_{u}
)=
bP_{V}
; if
u
≠
l
, Χ chooses a random number
x
∈
, answers
(
ID_{u}
)=
xP_{V}
and then puts (
ID_{u}
,
x
) in the list
.
queries: Χ chooses a random number
x
∈
, answers
(
ID_{u}
)=
xP_{U}
and then puts (
ID
_{u}
,x) in the list
.
/
queries: When Α asks the queries, Χ will check the list
/
. If the corresponding hash value exists, the hash value will be returned to Α; otherwise, a random value
h
_{2}
∈(0,1)
^{∗}
will be chosen by Χ, and Χ then stores the query and answer in the list.
/
queries: When Α asks the queries, Χ will check the list
/
. If the corresponding hash value exists, the hash value will be returned to Α; otherwise, a random value
h_{3}
will be chosen by Χ, and Χ then stores the query and answer in the list.
Extract_{V}
queries: If
ID_{u}
=
ID_{l}
, then Χ fails. Otherwise, Χ finds entry (
ID_{u}
,
x
) from list
, computes the private key corresponding to
ID_{u}
:
S_{IDu}
=
cxP_{V}
, and returns to Α.
Extract_{U}
queries: Χ finds entry (
ID_{u}
,
x
) from list
, computes the private key corresponding to
ID_{u}
:
S_{IDu}
=
dxP_{U}
, and returns to Α.
Singcrypt
queries: Let
ID_{1}
and
ID_{2}
denote the sender and the receiver respectively and
m
is the plaintext. There are two cases to consider.
Case 1:
ID_{1}
≠
ID_{l}
. Χ can get the private key of
ID_{1}
:
S_{ID1}
. Χ chooses random numbers
a
_{1}
∈
and
a
_{2}
∈
randomly and computes
TA
_{1}
=
a
_{1}
P_{U}
,
TA
_{2}
=
a
_{2}
P_{V}
. Then Χ calculates
w
=
e_{V}
(
a
_{2}
Pub_{V}
,
Q_{ID2}
),
c
=
m
⊕
(
w
),
h
=
(
c
,
TA
_{1}
),
σ
=
a
_{1}
Pub_{U}
+
hS_{ID1}
. Χ returns message: {
c
,
TA
_{1}
,
TA
_{2}
,
σ
} to Α.
Case 2:
ID_{1}
=
ID_{l}
. Χ cannot get
S_{ID1}
, but can obtain
S_{ID2}
. Χ chooses random numbers
a
_{1}
,
h
∈
and
a
_{2}
∈
randomly. Then Χ computes
TA
_{2}
=
a
_{2}
P_{V}
, calculates
w
=
e_{V}
(
TA
_{2}
,
S_{ID2}
), and runs
c
=
m
⊕
(
w
). Χ computes
TA
_{1}
=
a
_{1}
P_{U}

hQ_{ID1}
and
σ
=
a
_{1}
Pub_{U}
. Χ returns {
c
,
TA
_{1}
,
TA
_{2}
,
σ
} to Α and puts it to list
.
Unsingcrypt
queries: For an unsigncryption query on ciphertext {
c
,
TA
_{1}
,
TA
_{2}
,
σ
}, there are two cases to consider.
Case 1:
ID
_{2}
≠
ID_{l}
. Χ checks if
holds. If the equation holds, Χ can get the private key of
ID
_{2}
:
S
_{ID2}
to compute
w
=
e_{V}
(
TA
_{2}
,
S_{ID2}
), and retruns
m
=
c
⊕
(
w
) to Α.
Case 2:
ID
_{2}
=
ID_{l}
. Χ always answers Α that the ciphertext: {
c
,
TA
_{1}
,
TA
_{2}
,
σ
} is invalid.
Α can ask a polynomially bounded number of queries adaptively again as in the first stage. Then Α will pick a challenged pair of identities : {
ID
_{A}
,
ID
_{B}
} and output two messages: {
m
_{0}
,
m
_{1}
}. Χ chooses
v
∈{0,1} and signcrypts
m_{v}
. Then Χ randomly chooses
σ
^{∗}
∈
,
∈
, sets
=
aP_{V}
,
θ
=
w
(
θ
is the candidate answer for the DBDH problem). Finally, Χ computes
c
^{∗}
=