Page 1: Distributed access control with adaptive privacy preserving property for wireless sensor networks

SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks (2013)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.777

RESEARCH ARTICLE

Distributed access control with adaptive privacy preserving property for wireless sensor networks

Changsha Ma, Kaiping Xue* and Peilin Hong

The Information Network Lab of EEIS Department, University of Science and Technology of China (USTC), Hefei 230027, China

ABSTRACT

Access control plays an important role in protecting security-sensitive sensor data from being used by malicious users. Despite the numerous studies on access control for wireless sensor networks (WSNs), however, few of them pay attention to preserving user privacy, which has recently become an urgent demand of network users. In this paper, we propose two access control schemes with different privacy preserving properties for WSNs, which can adaptively satisfy the demands of sensor network users. First, on the basis of our signcryption approach, we propose a distributed query-protected access control scheme, in which the query message is encrypted during user authentication. Because no other user can decrypt and read the query message, the user preserves the privacy of the target data type. With the additional help of proxy signature, we then design a distributed anonymous access control scheme. Apart from protecting the data type information, distributed anonymous access control preserves the privacy of the user's access behavior by anonymizing the user's identity. In contrast to previous privacy-preserving access control schemes for WSNs, our schemes efficiently protect the privacy of users without significantly increasing the network overhead and the energy consumption on sensors. Copyright © 2013 John Wiley & Sons, Ltd.

KEYWORDS

distributed access control; privacy; signcryption; proxy signature; wireless sensor networks

*Correspondence

Kaiping Xue, The Information Network Lab of EEIS Department, University of Science and Technology of China (USTC), Hefei 230027, China. Email: [email protected]

1. INTRODUCTION

Wireless sensor networks (WSNs) play an important role in the development of next generation networks, due to their ubiquitous nature, ease of deployment, and widespread application. Typically, WSNs consist of a large number of resource-constrained sensor nodes, some sink nodes, and one or more base stations (BSs). Sensors sense the environment and translate the environment information into data, which is further collected and processed by sink nodes. BSs connect the sensor network with outside networks. In future practical deployments of sensor networks, sensors may provide network users with different services, such as collecting environment data, monitoring critical infrastructures, and tracking targets [1]. In many application scenarios, sensor data are security-sensitive and hence should only be available to specific users, so that malicious users cannot exploit them to cause harm. An example would be that a user should be authorized to access the sensor data in his office, rather than that in other offices. Otherwise, the user's abuse of sensor data may hurt the interests of others. Additionally, because resource-constrained sensors are fragile under security attacks such as denial of service (DoS), malicious users without authorization, and authorized users who misbehave, should be excluded from the sensor network. Hence, to properly control the access behavior of sensor network users, designing an access control scheme that authorizes, authenticates, and revokes network users becomes important. Apart from these basic functions of access control, privacy preservation in access control is receiving increasing attention, because users increasingly demand concealment of access information such as when and where they accessed the data and the data types that interest them [2–4]. However, the fact that access control has already placed a considerable burden on resource-constrained sensors makes it challenging to design practical privacy-preserving access control schemes for WSNs. Among the previously proposed privacy-preserving access control schemes for WSNs [4–7], none avoids noticeably increasing the energy consumption on sensors.

In this paper, we make use of signcryption, a cryptographic primitive that combines encryption and signature to achieve confidentiality and authenticity simultaneously [8], to encrypt and sign the query messages sent by a network user in the process of access control. Because the query messages are no longer transmitted in plaintext, the data type information of the accessing user is not exposed to other users. In this way, we preserve the privacy of the user in the process of access control. Furthermore, with the help of proxy signature, the network user can signcrypt the query message with a proxy key pair (PKP). The access point (a sensor) can verify that the query message was signcrypted by a proxy delegatee of the trusted third party (TTP), but cannot identify the user. By withholding the identity information, the user preserves the privacy of his or her access behavior. In contrast to previous privacy-preserving access control schemes for WSNs, our approaches efficiently protect the privacy of users without significantly increasing the network overhead and the energy consumption on sensors. Moreover, the proposed access control schemes have provable security features, including the confidentiality and integrity of query messages, forward security, user authenticity, and the security of session key negotiation.

The major contributions of this paper are as follows:

(1) We propose an efficient signcryption approach, and on this basis design a distributed query-protected access control (DQAC) scheme, which is able to preserve users' privacy regarding the data types that interest them during access control.

(2) On the basis of DQAC, we further introduce proxy signature to anonymize the user identity and propose a distributed anonymous access control (DAAC) scheme that additionally preserves users' privacy of access behavior.

(3) The proposed access control schemes efficiently protect user privacy at low cost, a feature absent from most previous schemes.

The rest of the paper is organized as follows. In Section 2, we summarize the related work and its weaknesses. Section 3 presents the system models. The details of the proposed schemes are presented in Section 4. Correctness proofs and security analysis of the proposed schemes are given in Section 5. Performance evaluation, including computation and communication cost, is presented in Section 6. Section 7 concludes the paper.

2. RELATED WORK

The currently proposed access control schemes can typically be divided into two categories, namely centralized access control (CAC) and distributed access control (DAC). In CAC, sensors first transmit data to sink nodes. The data is then transmitted through a BS to an external data logger, which centrally handles users' query messages. In DAC, sensors transmit data directly to users when they receive users' access queries. We consider DAC in this paper because it is superior to CAC in two aspects. First, DAC works without a BS, meaning that users can access the data even when the BS breaks down. This is especially meaningful in large-scale sensor networks, where there are a large number of sensor nodes and the BS would be overloaded if CAC were adopted. Second, because data no longer need to be transmitted over several hops to a centralized location first, DAC consumes less bandwidth. Among the currently proposed DAC schemes for WSNs [9–23], public key cryptography (PKC)-based schemes have received wide attention due to their high security and scalability [17–23]. Although PKC has high computational complexity, and hence may consume relatively much energy on sensors, an optimized RSA algorithm has been shown to be feasible on resource-constrained sensor nodes [17]. Moreover, elliptic curve cryptography (ECC), which is more computationally efficient than RSA due to its smaller key size and lower computation overhead [24], can further improve the computational efficiency of PKC-based schemes [10,18]. Additionally, with the development of sensor technology, the computation and storage capabilities of sensors have improved considerably, making it possible to take both security and efficiency fully into account when designing PKC-based DAC schemes for WSNs.

When accessing the sensor network, network users may expect to conceal some information, such as the data content they are accessing, the data type they are interested in, and even when and where they accessed the network. The data content can be protected through encryption, which is usually accomplished by establishing a session key during the process of access control. Such a mechanism has been widely used and is able to protect the data content effectively, whereas the protection of the data type and of other access information that can divulge the privacy of network users has received little attention. Among the related work, blind signature [6,25] and ring signature [5,7] are the two main strategies for preserving users' privacy during access control. A typical access control scheme that adopts blind signature is DP2AC (a distributed privacy-preserving access control scheme for sensor networks) proposed in [6]. In that scheme, a network user keeps his or her identity secret when applying for tokens from the network owner. In the process of access control, the sensors can verify the validity of the tokens but cannot link the tokens with identities. The privacy of the users is thus preserved. However, DP2AC does not support an integrity check of user queries, which gives adversaries the opportunity to modify users' query messages. More importantly, the total communication cost of the scheme is very high because of token reuse detection. In another privacy-preserving access control scheme called PRICCESS [7], network users are classified by the network owner into groups according to their privileges. The privacy of a network user is preserved by enabling some members of its group to generate a ring signature. The privacy protection level is proportional to the size of the ring. However, because the communication and computation cost is also proportional to the ring size, gaining a satisfactory privacy protection level causes high energy consumption on sensors. Furthermore, PRICCESS is inflexible in handling authorization and revocation: when new users join or leave the network, the BS is obliged to inform all existing users in the same group. From the previous analysis, we conclude that neither blind signature nor ring signature is an effective cryptographic primitive for designing privacy-preserving access control schemes for WSNs. In this paper, we adopt different cryptographic primitives, namely signcryption and proxy signature, to protect user privacy in the process of access control. The proposed privacy-preserving access control schemes do not significantly increase the network overhead or the energy consumption on sensors.

3. SYSTEM MODELS

3.1. Network model

In this paper, we focus on single-owner multi-user sensor networks. An overview of the network model is shown in Figure 1. There are four kinds of entities in the system, namely the network owner, the sensor, the network user, and the TTP. The network owner deploys a sensor network composed of multiple sensors, which sense events in their surroundings and produce data continuously for the network owner as well as for many network users. A network user who wants to access the sensor network should first register with the network owner. The network owner generates a registration certificate on the public key and the identity of the user, and assigns the access privilege, that is, a list of the identities and public keys of the accessible sensors, to the user. A sensor network user can also apply for the anonymous privilege from the network owner after registration. If the network owner agrees, it generates a voucher on the anonymous privilege and sends it to the user. This verifiable voucher is then used to apply for a temporary proxy delegation from the TTP, which is trusted by all of the other network entities. Because sensors act as access points and transmit data to network users directly, a BS bridging the sensor network and the outside network is unnecessary.

3.2. Trust model

In the proposed architecture, the network owner is assumed to be reputable but unreliable. By reputable, we mean that the network owner is trusted to authorize registered users to obtain a valid access privilege commensurate with the users' payment. By unreliable, we mean that the network owner may be interested in the information of network users. In contrast, the TTP is always reliable to the other parties. The network users are assumed to be selfish and rational. They are selfish in that they always try to pay less for more data; for example, a network user may try to use an expired privilege, or even a forged privilege, to access the network. They are rational in that they would not misbehave unless they can benefit from doing so; for example, normal network users do not perform DoS attacks because it is not in their interest [6]. We also assume that network users are privacy-sensitive: they are unwilling to expose their access information to other parties when they access the sensor network. Some of them care about keeping the data type and the data content secret. Some of them may also want to preserve the privacy of their access behavior, such as when they access the network and their access targets.

3.3. Adversary model

The adversary could be either an external intruder or a registered network user who is interested in other users' data. The purposes of the adversaries include three aspects, namely, to obtain data without access authorization, to tamper with other users' data without their awareness, and to compromise user privacy by intercepting query messages or linking user identities with data transmitted in the sensor network. The adversaries are assumed to be able to perform both passive and active attacks. Therefore, attacks may be carried out by impersonating, replaying, eavesdropping on, or tampering with the messages transmitted in the sensor network. For example, an adversary may impersonate an authorized network user to access the network by forging access privileges or replaying historical messages, which may result in economic loss for the network owner. Adversaries may also eavesdrop on the messages sent by sensors to authenticated users to obtain data or for other purposes, or tamper with the query messages sent by network users to the sensors so that users cannot receive correct data. Additionally, the adversaries have the ability to compromise some sensors and users.

Figure 1. The network model of the proposed architecture.

4. THE PROPOSED SCHEMES

The proposed access control schemes provide an adaptive privacy preserving property for network users of WSNs. Specifically, the DQAC scheme preserves the user's privacy of the target data type by using signcryption to encrypt and sign the query messages simultaneously. The DAAC scheme additionally preserves the user's privacy of access behavior by anonymizing the user's identity with the help of proxy signature. In this section, we first introduce the proposed signcryption approach. Second, we describe how to build the DQAC scheme on the signcryption approach. Third, we show how the proposed DQAC scheme can be converted into the proposed DAAC scheme, which provides a stronger privacy preserving property for network users with the help of proxy signature. Finally, we summarize the proposed access control schemes.

4.1. Signcryption

The proposed signcryption approach is the basis of the proposed privacy-preserving access control schemes for WSNs. It consists of three algorithms: setup, signcrypt, and unsigncrypt.

4.1.1. Setup.

The system parameters, including the key pairs and two strong one-way hash functions, are initialized by running the setup algorithm. The key pairs of the signcrypter and the unsigncrypter are $(x_{Sc}, y_{Sc})$ and $(x_{Us}, y_{Us})$, respectively. The two hash functions are chosen as $H_1 : G_0 \to \{0,1\}^n$ and $H_2 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$. The system security parameter, namely the ECC key size and the length of random values, is denoted by $k_0$. These system parameters, as well as the other parameters used in the proposed schemes, are summarized in Table I.

4.1.2. Signcrypt.

To signcrypt a message, the signcrypter first chooses the input $(m, r, x_{Sc}, y_{Us})$, where $m$ is the message to be signcrypted, $r \in \mathbb{Z}_q^*$ is a random value, $x_{Sc}$ is the private key used by the signcrypter, and $y_{Us}$ is the public key of the unsigncrypter. The algorithm is then carried out as follows.

• The signcrypter calculates $R = rP$ and $K = r y_{Us}$. The session key $k$ is then calculated as $k = H_1(K)$.

• With the session key, the signcrypter encrypts $m$ as $c = m \oplus k$.

• Furthermore, the signcrypter computes the signature on the message, denoted by $\sigma$, as $\sigma = x_{Sc} - \sigma' r \pmod q$, where $\sigma' = H_2(c, H_1(R))$.

The output of the signcrypt algorithm is $(c, R, \sigma)$. The signcrypter then sends this output to the unsigncrypter. Note that $m$, $k$ and $c$ are all $n$-bit strings, so $c = m \oplus k$ is a one-time pad and a query longer than $n$ bits must be split or padded before signcryption. For the same reason, $r$ must be fresh for every signcryption: reusing $r$ towards the same unsigncrypter repeats $k$ and exposes $m_1 \oplus m_2$, and reusing $r$ in any two signatures reveals $r = (\sigma_1 - \sigma_2)/(\sigma'_2 - \sigma'_1)$ and hence $x_{Sc}$.

Table I. Relevant notations in the proposed architecture.

$x_{Sc}, y_{Sc}$: private key and public key of the signcrypter
$x_{Us}, y_{Us}$: private key and public key of the unsigncrypter
$x_T, y_T$: private key and public key of the TTP
$x_O, y_O$: private key and public key of the network owner
$x_S, y_S$: private key and public key of the sensor
$x_U, y_U$: private key and public key of the user
$G_0$: cyclic group of order $q$ with generator $P$
$\{0,1\}^n$: $n$-bit string
$H_1$: strong one-way hash $G_0 \to \{0,1\}^n$
$H_2$: strong one-way hash $\{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$
$\mathbb{Z}_q^*$: positive integers less than $q$ (the nonzero residues modulo $q$)
$r$: random value selected in signcryption
$R$: session key parameter in signcryption
$k_0$: system security parameter
cert.: registration certificate
$m_v$: application information
$\sigma_v \| R_v$: voucher
$a_U, s_U, r_U$: proxy delegation for the user
$x_P, y_P$: proxy key pair of the user
$k_{TUi}$ ($i = 1, 2, 3$): proxy delegation encryption keys
$\sigma$: authentication signature
$m$: message (query message)
$k$: session key between user and sensor
$c$: encrypted message (query message)

Domains: $x_I$ ($I = T, U, S, O, P, Sc, Us$), $r, s_U, \sigma, \sigma_v, k_{TU3} \in \mathbb{Z}_q^*$; $y_I, r_U, R_v, k_{TU1} \in G_0$; $m_v, m, a_U, k_{TU2}, k, c \in \{0,1\}^n$.

4.1.3. Unsigncrypt.

Taking $(c, R, \sigma, x_{Us}, y_{Sc})$ as input, where $c, R, \sigma$ are received from the signcrypter, $x_{Us}$ is the private key of the unsigncrypter, and $y_{Sc}$ is the public key used by the signcrypter, the unsigncrypter carries out the unsigncrypt algorithm as follows.

• The unsigncrypter computes the session key $k'$ as $k' = H_1(K') = H_1(x_{Us} R)$.

• With the calculated session key, the unsigncrypter decrypts the message as $m' = c \oplus k'$.

• Then the unsigncrypter computes $\sigma'' = H_2(c, H_1(R))$.

• It outputs $\top$ if $\sigma P + \sigma'' R = y_{Sc}$ holds, confirming the session key and accepting the decrypted message. Otherwise, it outputs $\bot$.

The check succeeds for an unmodified message because $\sigma P + \sigma'' R = (x_{Sc} - \sigma' r)P + \sigma' rP = x_{Sc} P = y_{Sc}$ when $\sigma'' = \sigma'$, and $K' = x_{Us} rP = r y_{Us} = K$ gives $k' = k$. Any change to $c$ or $R$ in transit alters $\sigma''$ and makes the check fail, which is what provides the integrity of the query message.

4.2. DQAC

On the basis of the proposed signcryption approach, we construct the DQAC scheme, which contains four phases: the initialization phase, the authorization phase, the authentication phase, and the revocation phase. The system parameters are initialized in the initialization phase. In the authorization phase, the network user registers with the network owner, applies for the access privilege, and obtains the registration certificate from the network owner. In the authentication phase, the recipient sensor authenticates the user and builds a secure channel with the authenticated user. In the revocation phase, the access privilege of the user is withdrawn because of the expiration of the access privilege or the user's malicious behavior. One typical malicious behavior is a DoS attack, which can be easily identified by monitoring the network flow. An overview of the proposed DQAC scheme is shown in Figure 2.

4.2.1. Initialization.

The setup algorithm of the proposed signcryption approach is run in this phase. Additionally, the TTP, the network owner, and the network user choose their key pairs $(x_T, y_T)$, $(x_O, y_O)$, and $(x_U, y_U)$, respectively. The sensor is assigned a key pair $(x_S, y_S)$ by the network owner. Note that $x_I \in \mathbb{Z}_q^*$ ($I = T, O, S, U$) represents an ECC private key, and $y_I = x_I P \in G_0$ represents the corresponding ECC public key. $y_O$ and $y_T$ are bound to certificates issued by the authentication center. They are accessible and verifiable by other entities, and are stored in the sensor's memory. $y_U$ is bound to the registration certificate issued by the network owner after the user has registered with the network owner. $y_S$ may also be bound to a certificate, which does not affect our discussion.

4.2.2. Authorization.

To obtain the access privilege of the sensor network, a network user should first register with the network owner. In the process of registration, the user hands over his or her public key $y_U$, identity, and payment to the network owner. We assume that each network user holds an identity certificate granted by the authentication center, which can be verified by the network owner. On receiving the registration application, the network owner first checks the user's identity. If the identity is valid, the network owner assigns an access privilege to the user according to the payment. The access privilege refers to a list of the public keys and identities of the accessible sensors, which may vary with the payment in practice. For simplicity, we do not differentiate between privileges in this paper. The network owner also generates a registration certificate with a specific deadline on $y_U$ and the user's identity. Then, the network owner sends the certificate and the access privilege to the user.

4.2.3. Authentication.

With the registration certificate obtained from the network owner, the network user is able to access the sensor network. The authentication phase consists of two parts, query and authenticate. In the query part, the user encrypts and signs the query message using the signcrypt algorithm. In the authenticate part, the recipient sensor decrypts the query message and verifies the signature on it using the unsigncrypt algorithm.

Figure 2. The overview of the proposed distributed query-protected access control scheme.

Query To access the sensor, the network user sets the input to $(m, r, x_U, y_S)$ and runs the signcrypt algorithm of the proposed signcryption scheme. Here $m$ is the query message, and $r$ is a freshly selected random value. The user obtains the output $(c, R, \sigma)$, where $c$ is the encrypted query message, $R$ is the session key parameter, and $\sigma$ is the signature on the encrypted query message. The user then sends this output together with the registration certificate to the sensor.

Authenticate On receiving the query message from the user, the sensor first checks whether the registration certificate is valid. If the certificate has expired or has been revoked, the sensor rejects the access request. Otherwise, the sensor extracts the user's public key from the registration certificate, sets the input to $(c, R, \sigma, x_S, y_U)$, and runs the unsigncrypt algorithm of the proposed signcryption scheme. If the output is $\top$, the sensor confirms the session key and accepts the decrypted query message; the data later transmitted between the user and the sensor are protected by the session key $k'$, which equals $k$. If the output is $\bot$, the sensor refuses the query request.

4.2.4. Revocation.

A registration certificate expires when the current time exceeds its deadline. Because sensors refuse to authenticate a user with an expired certificate, revocation of such a user is performed automatically. However, if the user's access privilege has to be revoked before the certificate expires, for reasons such as the user's malicious behavior (e.g., a DoS attack), the network owner should broadcast the revoked identity to the sensors in the sensor network. The sensors should keep a list of revoked identities in order to determine the validity of a registration certificate. The length of the revocation list does not grow without bound, because identities whose certificates have expired are removed from the list.

4.3. DAAC

A network user can keep the target data type private by encrypting his or her query messages in DQAC. However, the adversary can still track the user and learn the user's access behavior, such as the access time and the access targets. Worse, if the adversary has intercepted the historical messages exchanged between the sensor and the user, it can decrypt the data, and thus invade the user's privacy, by capturing the sensor. Besides, if the network owner is interested in the privacy of the user, it can also easily learn the user's access information by controlling some sensors. To provide further privacy protection for network users, we propose the DAAC scheme, in which existing users who have never been revoked may apply for the anonymous privilege from the network owner. With the verifiable anonymous privilege, the user then applies for a PKP from the TTP and uses it to signcrypt the subsequent query messages sent to the sensor. The sensor is able to authenticate the user by verifying the signature with the user's proxy public key. However, because the proxy public key cannot be mapped to the user's identity by any network entity except the TTP and the user, the user is not identified by others in the process of access control. Therefore, the user can access the sensor network without divulging his or her privacy.

We adopt the proxy signature scheme of [26], in which the proxy delegation is protected from misuse by a proxy warrant, to authorize a network user to obtain the PKP. To improve the efficiency of the proxy signature scheme, we reconstruct it on an elliptic curve. Additionally, we define the proxy warrant to contain the deadline of the proxy delegation while excluding any identity information. Hence, network users are prevented from misusing the proxy delegation without exposing their identities.

The DAAC scheme contains three phases: the authorization phase, the authentication phase, and the revocation phase. Specifically, in the authorization phase a network user obtains the anonymous privilege from the network owner and applies for a proxy delegation from the TTP. In the authentication phase, the user accesses the sensor network anonymously without exposing his or her identity. The revocation phase starts when the anonymous privilege is overdue, or when a user behaves maliciously in the sensor network. Because the system parameters have already been initialized in the DQAC scheme, which is carried out before the DAAC scheme, there is no initialization phase in DAAC. An overview of the proposed DAAC scheme is shown in Figure 3.

4.3.1. Authorization.

Because the network users in the DAAC scheme havealready obtained the access privilege and the registrationcertificate, the authorization phase in the proposed DAACscheme only includes anonymous privilege application andproxy delegation, which are accomplished in the Apply partand the Delegate part, respectively.

Apply A registered user who has successfully obtained the anonymous privilege from the network owner receives the anonymous privilege $m_v$ and the corresponding voucher $\sigma_v \| R_v$ from the network owner. The voucher is generated by the network owner as $R_v = r_v P$ and $\sigma_v = x_O - H_2(m_v, H_1(R_v))\, r_v \pmod q$, where $r_v$ is a random value chosen by the network owner. The voucher thus has the same form as the signature part of the signcrypt algorithm, with $m_v$ in place of $c$ and the owner's key pair in place of the signcrypter's.

Delegate To apply for the proxy delegation from the TTP, the network user shows its application information and the voucher, as well as the registration certificate, to the TTP. The TTP verifies the legality of the user's privilege by comparing $\sigma_v P + H_2(m_v, H_1(R_v)) R_v$ with $y_O$; the verification succeeds when the two values are equal. The TTP then randomly chooses a value $k_U \in \mathbb{Z}_q^*$ and creates a proxy delegation $(a_U, r_U, s_U)$ for the user, where $a_U$ is the proxy warrant that states the validity period of the proxy delegation, $r_U = k_U P$ is the public part of the proxy delegation, and $s_U = x_T H_2(a_U, H_1(r_U)) + k_U \pmod q$ is the private part of the proxy delegation. An example of $a_U$ is "$r_U$ @ 24/6/18/12", which means that the proxy delegation with public part $r_U$ expires at 24:00 on 18 June 2012. Note that the TTP should keep the delegation information in case the identity of the user has to be exposed. The deadline of the proxy delegation should not be later than that of the access privilege. Besides, because $k_U$ is randomly chosen, $a_U$, $r_U$ and $s_U$ are all unique. To securely send the proxy delegation to the user, the TTP computes the keys $k_{TU1} = x_T y_U$, $k_{TU2} = H_1(k_{TU1})$, and $k_{TU3} = H_2(a_U, k_{TU2})$, and transmits the proxy delegation as $(a_U \oplus k_{TU2},\; r_U \oplus k_{TU1},\; s_U \oplus k_{TU3})$. On obtaining the proxy delegation, the user first calculates $k'_{TU1} = x_U y_T$, which equals $k_{TU1}$ because $x_U y_T = x_U x_T P = x_T y_U$, and $k'_{TU2} = H_1(k'_{TU1})$. The user then decrypts the warrant as $a'_U = (a_U \oplus k_{TU2}) \oplus k'_{TU2}$, computes $k'_{TU3} = H_2(a'_U, k'_{TU2})$, and decrypts the remaining parts as $r'_U = (r_U \oplus k_{TU1}) \oplus k'_{TU1}$ and $s'_U = (s_U \oplus k_{TU3}) \oplus k'_{TU3}$. Furthermore, the user checks whether $s'_U P = y_T H_2(a'_U, H_1(r'_U)) + r'_U$ holds. If it holds, the user confirms that the decryption is correct and the proxy signature is valid, and generates the PKP $(x_P, y_P)$ with $x_P = s_U$ and $y_P = x_P P = y_T H_2(a_U, H_1(r_U)) + r_U$. Otherwise, the user should apply for the proxy delegation again.

Figure 3. The overview of the proposed distributed anonymous access control scheme.

4.3.2. Authentication.

In this phase, the sensor authenticates the network user who sends query messages to it. Specifically, in the query part the user encrypts and signs the query message with the proxy private key. In the authenticate part, the recipient sensor decrypts the query message and verifies the signature on it to authenticate the user. The network user's privacy is preserved because no identity information is required for authentication.

Query. When accessing the sensor, the network user sets the input as $(m, r, x_P, y_S)$ and runs the signcrypt algorithm of the proposed signcryption scheme. The user then obtains the output $(c, R, \sigma)$ and sends it, together with $r_U$ and $a_U$, to the recipient sensor.

Authenticate. When receiving the message from the user, the sensor first checks the deadline in the proxy warrant. If the current time exceeds the deadline by more than the tolerated interval, the sensor considers the proxy delegation overdue and disregards the query. Otherwise, the sensor tentatively considers the warrant valid and computes $y_P = y_T H_2(a_U, H_1(r_U)) + r_U$. It then sets the input as $(c, R, \sigma, x_S, y_P)$ and runs the unsigncrypt algorithm of the proposed signcryption scheme. If the output is $\top$, the sensor confirms the session key and accepts the decrypted query message; the data later exchanged between the user and the sensor are protected by the session key $k'$, which equals $k$. If the output is $\bot$, the sensor refuses the user's query request.
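The following is an added example, not code from the paper: it runs the DAAC authorization, query and authenticate steps of Sections 4.3.1 and 4.3.2 end to end, using the formulas the paper gives (it also exercises the correctness relations of Section 5.1). Everything not fixed by the paper is an assumption: secp256k1 as the group, SHA-256 as $H_1$ (mapping a point or byte string to a 256-bit string) and as $H_2$ (mapping two byte strings into $Z_q^*$), 32-byte query messages ($n = 256$), and the function names. The encrypted transport of the delegation from the TTP and the warrant-deadline check are left out to keep the flow short.

```python
# Added example, not the paper's code: the DAAC authorization/query/authenticate
# flow of Sections 4.3.1-4.3.2 using the formulas the paper gives. Assumptions
# (not fixed by the paper): secp256k1 as the group, SHA-256 for H1 (point or
# bytes -> 256-bit string) and H2 (bytes -> Z_q^*), 32-byte queries (n = 256).
# Needs Python 3.8+ for pow(x, -1, p).
import hashlib
import secrets

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over GF(p); None is the identity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):
    """Scalar multiplication k*A by double-and-add."""
    R, Q = None, A
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q, k = ec_add(Q, Q), k >> 1
    return R

def H1(x):
    """H1: point or byte string -> 256-bit string (session key / point digest)."""
    if isinstance(x, tuple):
        x = x[0].to_bytes(32, "big") + x[1].to_bytes(32, "big")
    return hashlib.sha256(x).digest()

def H2(a, b):
    """H2: two byte strings -> nonzero scalar in Z_q^* (sigma', warrant hash)."""
    return int.from_bytes(hashlib.sha256(a + b).digest(), "big") % (q - 1) + 1

def keygen():
    x = secrets.randbelow(q - 1) + 1
    return x, ec_mul(x, P)

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

# Signcryption as recovered from the correctness proofs of Section 5.1.2.
def signcrypt(m, x_sc, y_us):
    r = secrets.randbelow(q - 1) + 1
    R = ec_mul(r, P)
    k = H1(ec_mul(r, y_us))           # K = r*y_Us, session key k = H1(K)
    c = xor(m, k)
    sigma1 = H2(c, H1(R))             # sigma' = H2(c, H1(R)) binds c and R
    return c, R, (x_sc - sigma1 * r) % q   # sigma = x_Sc - sigma'*r

def unsigncrypt(c, R, sigma, x_us, y_sc):
    k = H1(ec_mul(x_us, R))           # K' = x_Us*R = r*y_Us, hence k' = k
    sigma2 = H2(c, H1(R))             # sigma''
    if ec_add(ec_mul(sigma, P), ec_mul(sigma2, R)) != y_sc:
        return None                   # bottom: sigma*P + sigma''*R != y_Sc
    return xor(c, k), k               # top: recovered query m' and session key

# DAAC authorization (4.3.1): TTP with key x_T issues (a_U, r_U, s_U).
def issue_delegation(x_T, a_U):
    k_U = secrets.randbelow(q - 1) + 1
    r_U = ec_mul(k_U, P)
    return a_U, r_U, (x_T * H2(a_U, H1(r_U)) + k_U) % q

def proxy_public_key(y_T, a_U, r_U):
    """y_P = y_T*H2(a_U, H1(r_U)) + r_U; user and sensor both compute it."""
    return ec_add(ec_mul(H2(a_U, H1(r_U)), y_T), r_U)

def verify_delegation(y_T, a_U, r_U, s_U):
    return ec_mul(s_U, P) == proxy_public_key(y_T, a_U, r_U)

# One anonymous query (4.3.2): the sensor sees (c, R, sigma, r_U, a_U) only.
def daac_round_trip(query, tamper=False):
    x_T, y_T = keygen()                       # TTP
    x_S, y_S = keygen()                       # sensor
    a_U, r_U, s_U = issue_delegation(x_T, b"rU @ 24/6/18/12")
    if not verify_delegation(y_T, a_U, r_U, s_U):
        raise ValueError("proxy delegation failed verification")
    c, R, sigma = signcrypt(query, s_U, y_S)  # user signs with x_P = s_U
    if tamper:                                # attacker flips one bit of c
        c = xor(c, b"\x01" + b"\x00" * 31)
    y_P = proxy_public_key(y_T, a_U, r_U)     # sensor recomputes y_P itself
    return unsigncrypt(c, R, sigma, x_S, y_P)
```

Two points worth noticing when running it: the sensor never sees the user's long-term key $y_U$, only $(r_U, a_U)$, and still verifies the signature because $s_U P = y_T H_2(a_U, H_1(r_U)) + r_U$ holds by construction; and because $\sigma'$ is a hash of $c$ and $R$, flipping a single ciphertext bit makes the check $\sigma P + \sigma'' R = y_P$ fail, so a tampered query is rejected rather than decrypted to garbage.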

4.3.3. Revocation.

A proxy delegation expires when the current time exceeds the deadline shown in the proxy warrant. Revocation is then automatic, because sensors refuse to authenticate a user whose proxy warrant shows that the proxy delegation is overdue. However, when a user has to be excluded from the sensor network before the proxy delegation expires, the network owner should broadcast the revoked proxy warrant to the sensors in the network, and the sensors should keep a list of revoked proxy warrants to decide the validity of a warrant. The length of the revocation list does not grow without bound, because expired warrants can be removed from the list. However, even if the anonymous privilege is revoked, the user can still access the sensor network if the corresponding ECC certificate is not revoked: the user can access the network with the DQAC scheme, or apply for another proxy delegation from the TTP. To prevent this, the network owner can require the TTP to expose the identity linked with the revoked proxy warrant and further revoke the user's certificate. The revocation of certificates is the same as in the revocation phase of the proposed DQAC scheme.

4.4. Summary

In the proposed DQAC scheme, a network user first registers with the network owner to acquire the access privilege and applies to the network owner for a registration certificate in order to access the sensor network. The query message sent to the sensor has the format $(c, R, \sigma, cert.)$. In the process of access, the confidentiality and integrity of the queries are provided, and thus the network user keeps the target data type private from other users. In the proposed DAAC scheme, the user applies for the anonymous privilege from the network owner and obtains the proxy delegation from the TTP. The query message sent to the sensor then has the format $(c, R, \sigma, r_U, a_U)$. The access behavior of the network user is completely protected by concealing the user's identity. Because the conversion between the two schemes depends only on the proxy delegation, a network user can conveniently upgrade his or her privacy preserving mechanism. In addition, when a network user has to be excluded from the sensor network, revocation is conveniently performed by broadcasting the revoked identities (and the proxy warrant) to the sensors.

5. CORRECTNESS PROOF AND SECURITY ANALYSIS

In this section, we present the correctness proof and the security analysis of the proposed schemes.

5.1. Correctness proof

The proposed schemes are built on the elliptic curve cryptosystem (ECC) [24], and their correctness proofs rest on the properties of ECC. In this subsection, we first introduce the definition and the features of ECC, and then prove the correctness of the proposed schemes.

5.1.1. Elliptic curve cryptosystem.

The points of an elliptic curve over a finite field form an abelian group of a certain order. In an abelian group, $a \cdot b = b \cdot a$ holds for any two elements $a$ and $b$; that is, the group operation is commutative. Both $G'$ and $Z_q^*$ in the proposed scheme are abelian groups.

In an elliptic curve system, the sum of two points on the curve is again a point on the curve. This addition operation is called elliptic curve point addition (ECADD). Adding a point to itself $i$ times ($i \ge 1$) is called scalar multiplication.

The security of ECC rests on the difficulty of the elliptic curve discrete logarithm problem: given two points $P_1$ and $P_2$ in the group, it is hard to find a number $j$ such that $P_2 = jP_1$.

5.1.2. Correctness of the signcryption scheme.

Correctness of message recovery. By the commutativity of scalar multiplication in $Z_q^*$, the following equations hold:

$$k' = H_1(K') = H_1(x_{Us} R) = H_1(x_{Us} r P) = H_1(r x_{Us} P) = H_1(r y_{Us}) = k.$$

Therefore, the message $m'$ obtained through decryption by the unsigncrypter equals the original message $m$, because $m' = c \oplus k' = c \oplus k = m$.

Correctness of authentication. The signcrypter is verified by checking whether $\sigma P + \sigma'' R = y_{Sc}$ holds, because if the signcrypter used a valid key pair to generate the signature, then

$$\sigma'' = H_2(c, H_1(R)) = \sigma';$$

$$\sigma P + \sigma'' R = (x_{Sc} - \sigma' r) P + \sigma' R = y_{Sc} - \sigma' R + \sigma' R = y_{Sc}.$$

5.1.3. Correctness of DQAC.

Correctness of query message recovery. The correctness proof is the same as that of message recovery in the signcryption scheme.


Correctness of user authentication. The correctness proof is the same as that of authentication in the signcryption scheme.

5.1.4. Correctness of DAAC.

Correctness of voucher verification. In the authorization phase of the proposed DAAC scheme, the TTP decides whether to assign a proxy delegation to a network user by verifying the user's voucher. The verification compares $\sigma_v P + H_2(m_v, H_1(R_v)) R_v$ with $y_O$. If the two are equal, the TTP regards the user as registered. This is correct because if the signature $\sigma_v$ comes from the network owner and the registration information $m_v$ is correct, then

$$\sigma_v P = (x_O - H_2(m_v, H_1(R_v)) r_v) P = y_O - H_2(m_v, H_1(R_v)) R_v;$$

$$\sigma_v P + H_2(m_v, H_1(R_v)) R_v = y_O.$$

Correctness of proxy delegation verification. When obtaining the proxy delegation from the TTP, the network user first computes $k'_{TU1} = x_U y_T$, $k'_{TU2} = H_1(k'_{TU1})$ and $k'_{TU3} = H_2(a_U, k'_{TU2})$, and then decrypts the proxy delegation. The decryption keys are correct because, by the commutativity of scalar multiplication in $Z_q^*$,

$$k'_{TU1} = x_U y_T = x_U x_T P = x_T x_U P = x_T y_U = k_{TU1};$$

$$k'_{TU2} = H_1(k'_{TU1}) = H_1(k_{TU1}) = k_{TU2};$$

$$k'_{TU3} = H_2(a_U, k'_{TU2}) = H_2(a_U, k_{TU2}) = k_{TU3}.$$

Therefore, the proxy delegation the user obtains, denoted $(a'_U, r'_U, s'_U)$, equals the original one, because $a'_U = a_U \oplus k_{TU2} \oplus k'_{TU2} = a_U$, $r'_U = r_U \oplus k_{TU1} \oplus k'_{TU1} = r_U$ and $s'_U = s_U \oplus k_{TU3} \oplus k'_{TU3} = s_U$. Furthermore, the proxy delegation is verified by checking whether $s'_U P = y_T H_2(a'_U, H_1(r'_U)) + r'_U$ holds. This is correct because if $s_U = x_T H_2(a_U, H_1(r_U)) + k_U$ and $r_U = k_U P$, then, again by commutativity in $Z_q^*$,

$$\begin{aligned}
s'_U P = s_U P &= (x_T H_2(a_U, H_1(r_U)) + k_U) P \\
&= H_2(a_U, H_1(r_U))\, x_T P + k_U P \\
&= y_T H_2(a_U, H_1(r_U)) + r_U \\
&= y_T H_2(a'_U, H_1(r'_U)) + r'_U.
\end{aligned}$$

Correctness of query message recovery. The correctness proof is the same as in the signcryption scheme.

Correctness of user authentication. The sensor verifies the user by checking whether $\sigma P + \sigma'' R = y_P = y_T H_2(a_U, H_1(r_U)) + r_U$ holds, because if the user holds a valid PKP from the TTP and uses it to generate the authentication signature, then

$$\sigma P + \sigma'' R = (x_P - \sigma' r) P + \sigma' R = y_P - \sigma' R + \sigma' R = y_P = y_T H_2(a_U, H_1(r_U)) + r_U.$$

5.2. Security analysis

Among the phases of the proposed DQAC and DAAC schemes, the authorization phase and the authentication phase are the ones an adversary is likely to attack. Because the authentication phase is performed online and is therefore much more exposed, we focus mainly on the security analysis of this phase. The security of the authorization phase, which is performed off-line, is discussed briefly at the end of this subsection.

In the authentication phase, the proposed schemes provide the following security features: confidentiality and integrity of query messages, forward security, user authenticatability, and the security of session key negotiation. The proposed DAAC scheme additionally provides user anonymity. Forward security and user authenticatability are based on the indistinguishability and the unforgeability of the proposed signcryption approach, respectively. Because the proofs of the first four security features of the proposed DQAC scheme apply directly to the proposed DAAC scheme, we prove these features for DQAC and prove only user anonymity for DAAC. We first review the complexity assumption and the security model under which the proposed schemes are analyzed.

5.2.1. Complexity assumption.

Definition 1. Computational Diffie–Hellman (CDH) problem. Let $P$ be the CDH parameter generator of the group $G$, and $p$ the corresponding order. Given $(P, aP, bP) \in G$ for some unknown $a, b \in Z_p$, compute $abP$. The success probability of a polynomial algorithm $A$ in solving the CDH problem is denoted

$$\mathrm{Win}^{CDH}_{A,G} = \Pr[A(P, aP, bP) = abP : a, b \in Z_p].$$

Definition 2. Computational Diffie–Hellman (CDH) assumption. Let $P$ be the CDH parameter generator of the group $G$, and $p$ the corresponding order. Given $(P, aP, bP) \in G$ for some unknown $a, b \in Z_p$, $\mathrm{Win}^{CDH}_{A,G}$ is negligible for every polynomial algorithm $A$.

5.2.2. Security model.

Forward security and user authenticatability are based on the indistinguishability and the unforgeability of the proposed signcryption approach, respectively. We define the indistinguishability and the unforgeability of the signcryption approach in the random oracle model [27,28]. In addition, we write $\mathrm{Signcrypt}(m, x_i, y_j)$ to denote that party $i$ (the signcrypter), whose private key is $x_i$, signcrypts $m$ and sends the result to party $j$ (the unsigncrypter), whose public key is $y_j$.

Definition 3. Indistinguishability. The proposed signcryption approach provides indistinguishability against adaptive chosen ciphertext attacks (IND-CCA) if no polynomially bounded adversary has a non-negligible advantage in the following game. In the game, the adversary is allowed to obtain the private keys of some parties. In other words, even if the private key of the signcrypter is compromised, the confidentiality of the queries it produced earlier is preserved; that is, the scheme provides forward security.

(1) The challenger C runs the setup algorithm to obtain the system parameters params and generates key pairs for the system parties. C then sends params and the list of parties with their public keys to the adversary A, keeping the private keys secret.

(2) The adversary A performs a polynomially bounded number of queries. Each query may depend on the answers to the previous ones, that is, the queries may be made adaptively.
Key extract queries: A selects a system party $t$ and receives the corresponding private key $x_t$ from C.
Signcrypt queries: A selects two parties $i$, $j$ and a query message $m$. C finds $x_i$, computes $\sigma = \mathrm{Signcrypt}(m, x_i, y_j)$ and sends $\sigma$ to A.
Unsigncrypt queries: A selects two parties $i$, $j$ and a ciphertext $\sigma$. C finds $x_j$ and sends the result of $\mathrm{Unsigncrypt}(\sigma, x_j, y_i)$ to A. The result may be the symbol $\bot$ if $\sigma$ is an invalid ciphertext.

(3) A chooses two plaintexts, $m_0$ and $m_1$, and two parties, $t_1$ and $t_2$, on which it wishes to be challenged. A must not have obtained the private key of $t_2$ through a key extract query.

(4) C randomly chooses a bit $b$, computes $\sigma = \mathrm{Signcrypt}(m_b, x_{t_1}, y_{t_2})$ and sends it to A.

(5) A adaptively asks a polynomial number of queries again, as in step (2). It is still not allowed to extract the private key of $t_2$, and hence it is not allowed to make an unsigncrypt query for $\sigma$ under $t_2$.

(6) Finally, A outputs a bit $b'$ and wins the game if $b' = b$. The advantage of A is defined as $\mathrm{Adv}(A) = |\Pr[b' = b] - 1/2|$, where $\Pr[b' = b]$ is the probability that $b' = b$.

Definition 4. Unforgeability. The proposed signcryption approach provides unforgeability against adaptive chosen message attacks (UF-CMA) if no polynomially bounded adversary has a non-negligible advantage in the following game; that is, the scheme provides user authenticatability. An adversary cannot forge the signature of another party even if it holds a valid private key of its own.

(1) The challenger C runs the setup algorithm to obtainthe system parameters params, and generates keypairs for the system parties. Then, C sends theparams and the list of parties and the correspondingpublic keys to the adversary A, and keeps theprivate keys secret.

(2) A adaptively performs a polynomially bounded number of queries, as in step (2) of Definition 3.

(3) Finally, A produces a new triple $(\sigma, t_1, t_2)$, where the private key of $t_1$ was not asked for in step (2), and sends it to C. A wins the game if the result of $\mathrm{Unsigncrypt}(\sigma, x_{t_2}, y_{t_1})$ is not the symbol $\bot$. The adversary's advantage is its probability of winning.

5.2.3. Security proof.

We first prove forward security and user authenticatability by proving the indistinguishability and the unforgeability of the proposed signcryption approach under the complexity assumption and the security model introduced above. Then, we analyze the confidentiality and integrity of query messages and the security of session key negotiation in the proposed DQAC scheme. Finally, we prove the user anonymity provided by the proposed DAAC scheme.

Theorem 1. In the proposed signcryption approach (with ECC key size $k'$), if an adversary $A(q_{H_1}, q_{H_2}, q_E, q_S, q_U)$, where $q_{H_1}$, $q_{H_2}$, $q_E$, $q_S$ and $q_U$ are the numbers of $H_1$ queries, $H_2$ queries, key extract queries, signcrypt queries and unsigncrypt queries, respectively, with running time $t$ has a non-negligible advantage $\varepsilon$ in the IND-CCA game, then there exists a distinguisher $C$ that can solve the CDH problem in running time $t' = O(t)$ with a non-negligible advantage of

$$\varepsilon' \ge \frac{\varepsilon}{2 q_{H_1} + q_{H_2}} \cdot \frac{q_E}{2^{k'}} \left(1 - \frac{q_S (q_S + q_{H_2})}{2^{k'}}\right) \left(1 - \frac{q_U}{2^{k'}}\right).$$

Proof. See the appendix. □

Theorem 2. If an adversary can forge a valid message (query message) of the proposed scheme in the UF-CMA game with probability

$$\varepsilon \ge \frac{10 (q_S + 1)(q_S + q_{H_2})}{2^{k'}},$$

then there exists a distinguisher that can solve the CDH problem in polynomial time.

Proof. The proof follows that of Theorem 1: the challenger C simulates the oracles and answers A's queries as in the proof of Theorem 1 [29]. □

Theorem 3. Query confidentiality and integrity. The encrypted query messages in the proposed DQAC scheme can only be decrypted by the target sensor, and decrypted results are accepted by a sensor only after verification. No adversary can tamper with the query message sent by a legitimate user and make the recipient sensor accept the tampered query message.

Proof. Because the query message is transmitted as ciphertext, an adversary needs the session key $k$ to decrypt it. The adversary can obtain public parameters such as $R$ and $y_S$, but computing $k$ from $R$ and $y_S$ is a CDH problem, so the confidentiality of query messages is guaranteed. To tamper with the query message, the adversary has to modify $c$. Let $m'$ be the query message decrypted from the tampered message and $p'$ the probability that the sensor accepts it as a correct query. Because the sensor accepts the query message only when $\sigma P + \sigma'' R = y_U$ holds, the adversary succeeds only when $\sigma'' = \sigma'$, that is, only when $H_2$ gives the same output for the tampered input as for the original one. For $j$ tampering attempts against the same user, $p' = 1 - [1 - (1/q)]^j$, where $q$ is the number of possible outputs of $H_2$; driving $p'$ to 1 therefore costs on the order of $q$ attempts, and even a birthday-style search for a colliding input needs about $j = \sqrt{q}$ hash evaluations and as much storage. With the 160-bit ECC algorithm [21,30] used in the proposed schemes, $j = \sqrt{q} = \sqrt{2^{160}} = 2^{80}$, meaning that the adversary has to store about $2^{80}$ 160-bit random inputs for each query message, drawn from a set of size $2^{160}$. Because the cost of tampering with the query message is prohibitive for an adversary, the proposed DQAC scheme provides query integrity. □

Theorem 4. Session key negotiation security. In the proposed DQAC scheme, the session key negotiation between the network user and the recipient sensor is secure against a man-in-the-middle attack.

Proof. The Diffie–Hellman public parameters in the session key negotiation are $R$ and $y_S$. Extracting the session key from $R$ and $y_S$ is a CDH problem, which is infeasible under the CDH assumption. Nonetheless, a man-in-the-middle attacker could try to tamper $R$ into $R_w$ so that the recipient sensor computes a wrong session key $k_w = H_1(x_S R_w)$. Such tampering is also infeasible: the signature binds $R$ through $\sigma' = H_2(c, H_1(R))$, so verification fails for $R_w$ and the sensor rejects the wrong session key. Even if the man-in-the-middle attacker is a legitimate network user, it cannot create a valid signature on $R_w$ because it lacks the private keys of other users. Therefore, the session key negotiation is secure and resists the man-in-the-middle attack. □

Theorem 5. Anonymity. The proposed DAAC schemeprovides user anonymity.

Proof. Given a message $(c, \sigma, R, r_U, a_U)$ sent by a user $U$ to the recipient sensor $S$, the parameters $R$ and $r_U$ are uniformly distributed because $r$ and $k_U$ are generated at random, and $a_U$ takes values on a fixed time grid. The computation of $c = m \oplus H_1(K)$ involves only the public key of the recipient sensor $S$, and its decryption involves no information about $U$ either. Therefore, $R$, $r_U$, $a_U$ and $c$ cannot leak information about $U$. In addition, although $\sigma$ is generated with the proxy private key of $U$, there is no publicly available mapping between the PKP and the identity, so $\sigma$ cannot expose the identity of $U$. Even if the adversary is able to monitor the off-line operations, it still cannot link a given proxy delegation with the user identity, because the proxy delegation is not transmitted in the clear. Hence, an adversary cannot identify the actual sender of a query message in the proposed DAAC scheme. □

5.2.4. Summary.

From the analysis above, the proposed access control schemes provide the confidentiality and the integrity of query messages, forward security, user authenticatability and the security of session key negotiation in the authentication phase. Besides, the proposed DAAC scheme provides user anonymity. In the off-line authorization phase, the TTP checks the application information, which demonstrates the anonymous privilege of a network user, by verifying the voucher created by the network owner. This process is secure because a network user that has not registered with the network owner cannot forge a valid registration voucher; the security proof is inherited from that of user authenticatability in the authentication phase. Furthermore, the TTP can securely send the proxy delegation to the specific network user under the protection of the session key established between the TTP and the user; this security proof is inherited from that of session key negotiation security in the authentication phase. To sum up, the proposed architecture is secure against the common attacks considered here.

6. PERFORMANCE EVALUATION

In this section, we evaluate the performance of the proposed schemes by analyzing their costs, including the computation cost and the communication cost. Because the performance of the proposed access control schemes rests on the efficiency of the signcryption algorithm, we first evaluate the efficiency of the proposed signcryption approach. In particular, we compare it with four signcryption approaches that are also based on public key infrastructure and designed on elliptic curves, in terms of the computation operations involved. Furthermore, citing the experimental results of implementing these operations on MICA2 motes [35] and the performance parameters of the MICA2 motes, we give numerical values for the costs of the proposed DQAC and DAAC schemes. Note that we only consider the cost of online operations, namely the online computation operations and the online message exchanges performed by the network users and the sensors. Besides, only the relatively costly computation operations are considered, whereas the much less costly operations that have negligible impact on the performance of a scheme are disregarded. Therefore, the computation operations considered are hash, scalar multiplication and the AES algorithm.

Table II. Efficiency comparison of the signcryption approaches (operations on the unsigncrypter's side).

Operation     Hwang   Libert   Han   Zhang   Ours
Hash            1       3       4      2      3
Scal. Mul.      3       1       3      3      3
AES             1       --      --     1      --
Pairing         --      2       --     --     --

6.1. Efficiency of the proposed signcryption approach

Like our signcryption approach, Hwang's scheme [31], Libert's scheme [32], Han's scheme [33] and Zhang's scheme [34] are based on ECC and public key infrastructure; they differ in the computation operations used. We list the costly computation operations of these schemes and summarize the comparison in Table II. Note that we only consider the cost on the unsigncrypter's side, because the signcryption approach is used in WSNs, where the consumption on sensors is what matters. Because the costs of these operations satisfy cost(Hash) < cost(AES) < cost(Scalar multiplication) < cost(Pairing), our signcryption scheme is the most efficient among them.

6.2. Computation cost of DQAC and DAAC

For ease of presentation, we use $h$ and $mul$ to denote a hash operation and a scalar multiplication on the elliptic curve, respectively. The computation operations on sensors in the proposed DQAC and DAAC schemes are $3h + 3mul$ and $5h + 4mul$, respectively. On MICA2 motes, a hash takes 3.636 ms and a scalar multiplication 810 ms, according to the experimental results in [35]. Using $E = UIt$ with the MICA2 parameters $I = 8$ mA and $U = 3.0$ V, the computation energy cost on sensors is 58.58 mJ for DQAC and 78.19 mJ for DAAC. To put these results in context, we compare with the ECC scheme of [21], a typical distributed access control scheme for WSNs. The ECC scheme also provides user authenticatability and secure session key negotiation, as the proposed schemes do, but it does not provide query protection or user anonymity, that is, it is not privacy preserving. The computation energy cost on sensors of the ECC scheme is 58.58 mJ, meaning that we add the privacy preserving property without significantly increasing the computation cost of sensors.

6.3. Communication cost of DQAC and DAAC

In the proposed DQAC and DAAC schemes, sensors need only one message reception. The length of the message received by a sensor is $(n + 2k' + \mathrm{len}(cert.))$ bits in DQAC and $(2n + 3k')$ bits in DAAC. Without loss of generality, we set $n = 256$, $k' = 160$ and $\mathrm{len}(cert.) = 912$ [21]. Given the 250 kbps radio transmission rate of the MICA2 mote, the energy consumption on sensors for receiving and for transmitting one byte is 2.066 and 1.847 µJ, respectively [21]. The communication energy cost on sensors is then 384.3 µJ for DQAC and 256.2 µJ for DAAC, compared with 594.8 µJ for the ECC scheme. Therefore, we add the privacy preserving property without increasing the network overhead or the communication cost of sensors. The comparison of the proposed schemes with the ECC scheme in terms of computation cost and communication cost is shown in Figure 4.

Figure 4. Comparison of energy consumption on sensors: computation cost (mJ) and communication cost (µJ) for the ECC scheme, DQAC and DAAC.

7. CONCLUSION

In this paper, we present an access control architecture for privacy preserved distributed data access control in WSNs. To begin with, we design an efficient signcryption algorithm and tailor it to construct an efficient DQAC scheme for WSNs. In the proposed DQAC scheme, the privacy of users' target data type is preserved by encrypting the query messages in the process of access control. With the additional help of proxy signature, we further add a user anonymity feature to DQAC and accordingly convert it into the DAAC scheme. In this way, a network user that holds a valid PKP can access the sensor network anonymously without divulging the privacy of its access behavior. Security analysis shows that the proposed access control schemes provide the confidentiality and integrity of query messages, forward security, user authenticatability and the security of session key negotiation, and that the proposed DAAC scheme additionally provides user anonymity. Besides, performance evaluation shows that the proposed access control schemes provide the privacy preserving property without adding to the energy consumption on sensors. Future work can focus on implementing the access control architecture on a WSN platform to confirm its feasibility.

ACKNOWLEDGEMENTS

This work is supported by the National Natural Science Foundation of China under Grant No. 60903216, and the National S&T Major Project of China under Grant No. 2010ZX03003-002 and No. 2011ZX03005-006.

REFERENCES1. Akyildiz IF, Su W, Sankarasubramaniam Y, Cayirci E.

Wireless sensor networks: a survey. ComputerNetworks 2002; 38(4): 393–422.

2. Zhou Y, Zhang Y, Fang Y. Access control in wirelesssensor networks. Ad hoc networks. Special Issue onSecurity in Ad Hoc and Sensor Networks 2007; 5 (1):3–13.

3. Ren K, Lou W, Kim K, Deng R. A novel privacy pre-serving authentication and access control scheme forpervasive computing environment. IEEE Transactionson Vehicular Technology 2006; 55(4): 1373–1384.

4. Carbunar B, Yu Y, Shi L, Pearce M, Vasudevan V.Query privacy in wireless sensor networks, Proceed-ings of IEEE Communications Society Conference onSensor, Mesh and Ad Hoc Communications and Net-works (SECON), San Diego, California, USA, 2007;203–212.

5. Guo JH, Baugh JP, Wang SQ. A group signature basedsecure and privacy-preserving vehicular communica-tion framework, Proceeding of the Mobile Networkingfor Vehicular Environment (MOVE) workshop in con-junction with IEEE INFOCOM, Anchorage, Alaska,USA, 2007; 103–108.

6. Zhang R, Zhang Y, Ren K. DP2AC: Distributedprivacy preserving access control in sensor net-works, Proceedings of IEEE International Conference

on Computer Communications (INFOCOM), Rio deJaneiro, Brazil, 2009; 1251–1259.

7. He DJ, Bu JJ, Zhu SC, Chan S, Chen C. Distributedaccess control with privacy support in wireless sensornetworks. IEEE Transaction on Wireless Communica-tions 2011; 10(10): 3472–3481.

8. Zheng YL. Digital signcryption or how to achievecost (signature & encryption)� cost (signature)+ cost(encryption), Advances in CRYPTO’97, Santa Barbara,California, USA, 1997; 165–179.

9. He DJ, Bu JJ, Zhu SC, Yin MJ, Gao Y, Wang HD,Chan S, Chen C. Distributed privacy-preserving accesscontrol in a single-owner multi-user sensor network,IEEE International Conference on Computer Com-munications (INFOCOM) Mini-Conference, Shanghai,China, 2011; 331–335.

10. Wang H, Li Q. Distributed user access control insensor networks. IEEE/ACM Distributed Computing inSensor Systems 2006; 4026(2006): 305–320.

11. Wong KHM, Zheng Y, Cao JN, Wang SW. Adynamic user authentication scheme for wireless sen-sor networks, Proceedings of Sensor Networks, Ubiq-uitous, and Trustworthy Computing, Newport Beach,California, USA, 2006; 244–251.

12. Tseng HR, Jan RH, Yang W. An improved dynamicuser authentication scheme for wireless sensornetworks, Proceedings of IEEE Global Telecommu-nications Conference (Globecom), Washington, DC,USA, 2007; 986–990.

13. Das ML. Two-factor user authentication in wire-less sensor networks. IEEE Transaction on WirelessCommunication 2009; 8: 1086–1090.

14. Khan MK, Alghathbar K. Cryptanalysis and secu-rity improvements of ‘Two-factor user authenticationin wireless sensor networks’. Sensors 2010; 10 (3):2450–2459.

15. He D, Gao Y, Chan S, Chen C, Bu J. An enhancedtwo-factor access control scheme in wireless sensornetworks. Ad Hoc & Sensor Wireless Networks 2010;10(4): 361–371.

16. Morchon OG, Baldus H. Efficient distributed securityfor wireless medical sensor networks, InternationalConference on Intelligent Sensors, Sensor Networksand Information Processing, Sydney, Australia, 2008;249–254.

17. Watro R, Kong D, Cuti SF, Gardiner C, Lynn C,Kruus P. Tinypk: securing sensor networks with publickey technology, Proceedings of the 2nd ACM Work-shop on Security of Ad Hoc and Sensor Nsetworks,Washington, DC, USA, 2004; 59–64.

18. Malan D J, Welsh M, Smith Michael. A public-keyinfrastructure for key distribution in tinyos based on

Security Comm. Networks (2013) © 2013 John Wiley & Sons, Ltd. 13DOI: 10.1002/sec.777


APPENDIX

Proof of Theorem 1. Let the distinguisher $C$ receive a random instance $(P, aP, bP, h)$ of the CDH problem. Its objective is to decide whether $h = abP$ holds. To solve the problem, $C$ runs $A$ as a subroutine and acts as the challenger of $A$ in the IND-CCA game. In the authorization phase, $C$ runs the setup algorithm and sends the public system parameters $(G_0, P, H_1, H_2)$ to $A$. We further assume that $C$ can acquire the key pairs of all parties except the key pair of $t_l$, that is, $(x_{t_l}, y_{t_l} = x_{t_l}P)$.

Queries: $C$ simulates the hash oracles $(H_1, H_2)$, the key extract oracle, the signcrypt oracle, and the unsigncrypt oracle. $A$ performs its queries adaptively. To respond to the queries, $C$ initializes a counter $c$ to one. Throughout the IND-CCA game, we assume that all $H_1$ and $H_2$ queries are distinct from each other.

$H_1$ queries: On input $(r, t_c)$, where $r$ is the random value used for key agreement and $t_c$ is the input of the $c$-th key extract query, $C$ answers with the corresponding communication result and increments $c$ by one. Then $C$ stores the output information of $(r, t_c)$ in a storage list $L_1$.

$H_2$ queries: On input $(m_c \in \mathbb{Z}_q^*, t_c)$, where $m_c$ is the query message chosen by $t_c$, $C$ returns the already defined value if $t_c$ exists, and otherwise a random authentication signature $\sigma'_c \in \mathbb{Z}_q^*$. To anticipate possible subsequent unsigncrypt queries, $C$ additionally simulates the random oracle $H_2$ and obtains $\sigma'_c \in \mathbb{Z}_q^*$ as defined in the proposed scheme. $C$ stores the output information of $(m_c, t_c)$ in the storage list $L_1$.

Key extract queries: Given the target $t_c$, if $c = l$, then $C$ fails. Otherwise, $C$ knows the corresponding key pairs and returns them to $A$.

Signcrypt queries: $A$ can perform a signcrypt query for a message $m$ and a designated recipient $t$. As long as $t$ is not $t_l$, $C$ runs the signcrypt algorithm and returns the signcrypted message to $A$. However, even for a $t$ that is not $t_l$, $C$ aborts the signcrypt algorithm if the output of $H_1$ on $t$ is the same as that on $t_l$.

Unsigncrypt queries: $A$ can perform an unsigncrypt query for a ciphertext and a recipient $t$ at any time. If $t = t_l$, $C$ notifies $A$ that the submitted ciphertext is invalid; if that ciphertext is in fact valid, $A$ notices the false rejection with probability no more than $2^{-k_0}$. Otherwise, $C$ runs the unsigncrypt algorithm and returns the decrypted message to $A$.

Challenge: After the queries, $A$ selects two messages $(m_0, m_1)$ and two parties $(t_0, t_1)$. The private key of $t_1$ cannot be obtained by $A$. If $t_1 \neq t_l$, $C$ aborts the game. Otherwise, $C$ returns the challenge, that is, the signcryption result of $m_0$ or $m_1$, to $A$. $C$ produces the result by fetching a random entry from the list $L_1$.

$A$ adaptively asks a polynomial number of queries again as in b), but it cannot obtain the plaintext corresponding to the challenge sent by $C$. Then $A$ outputs a bit $b'$, indicating that it believes the signcryption of $m_{b'}$ is equal to the challenge sent by $C$. If the right element is contained in $L_1$, $C$ returns the correct feedback to $A$. Because there are at most $2q_{H_1} + q_{H_2}$ records in $L_1$, the probability that the right element is contained in $L_1$ is $\frac{1}{2q_{H_1} + q_{H_2}}$.

We can conclude that $C$ will fail if one of the following independent events occurs:

• $E_1$: A key extract query is made on $t_l$.
• $E_2$: $C$ aborts the game in a signcrypt query because of a collision on $H_2$.
• $E_3$: $C$ falsely responds to a valid ciphertext in the game.

From the previous analysis, we can obtain $\Pr[E_1] = \frac{q_E}{2^{k_0}}$, $\Pr[E_2] \leq \frac{q_S(q_S + q_{H_2})}{2^{k_0}}$, and $\Pr[E_3] = \frac{q_U}{2^{k_0}}$. Thus,

$$\Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3] \;\geq\; \frac{q_E}{2^{k_0}} \left(1 - \frac{q_S(q_S + q_{H_2})}{2^{k_0}}\right) \left(1 - \frac{q_U}{2^{k_0}}\right).$$

Therefore, the advantage of $C$ in solving the CDH problem can be described as

$$\varepsilon' \;\geq\; \frac{\varepsilon}{2q_{H_1} + q_{H_2}} \cdot \frac{q_E}{2^{k_0}} \left(1 - \frac{q_S(q_S + q_{H_2})}{2^{k_0}}\right) \left(1 - \frac{q_U}{2^{k_0}}\right).$$

Therefore, the result conflicts with the CDH assumption.
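As an added note, not part of the original paper, the final bound is the product of three quantities that the proof establishes separately (the chance that $C$ fetched the right entry of $L_1$ at the challenge, the chance that the simulation did not fail, and the advantage $\varepsilon$ of $A$), written here with the paper's own symbols:

```latex
\varepsilon' \;\geq\;
\underbrace{\frac{1}{2q_{H_1} + q_{H_2}}}_{\text{right entry of } L_1}
\cdot
\underbrace{\Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3]}_{\text{simulation does not fail}}
\cdot
\underbrace{\varepsilon}_{\text{advantage of } A}
```

Substituting the displayed lower bound on $\Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3]$ into the middle factor yields exactly the expression for $\varepsilon'$ given in the proof.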
