Abstract
Key management techniques for secure wireless-sensor-networks-based applications must minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility. Signcryption is the proper primitive to do this. However, existing signcryption schemes are heavyweight and not suitable for resource-limited sensors. In this paper, we at first propose a braid-based signcryption scheme and then develop a key establishment protocol for wireless sensor networks. From the complexity view, our proposal is 215 times faster than RSA-based ones. As far as we know, our proposal is the first signcryption scheme based on noncommutative algebraic structures.
1. Introduction
Wireless sensor networks (WSNs) consist of a large number of micro, low-cost, low-power, and spatially distributed autonomous devices using sensors to cooperatively monitor physical or environmental conditions [1, 2]. WSNs are often deployed in potentially adverse or even hostile environment so that there are concerns on security issues therein. To protect the confidentiality and privacy of WSN-oriented applications, the traditional symmetric (i.e., private-key), even lightweight, cryptography is often used. A well-known drawback to do this is that the symmetric cryptography is not as flexible as the asymmetric (i.e., public-key) cryptography. The main obstacle of using public-key cryptography in WSNs is that with limited memory, computing and communication capacity, and power supply, sensor nodes cannot employ sophisticated cryptographic operations such as modular exponentiation and pairing computation. Therefore, it is interesting to probe new efficient and lightweight implementations on some wellknown public-key cryptographic primitives, such as what has been done in TinyECC [3] and in MicroECC [4]. No matter which type cryptography is adopted, key establishment is one of the utmost concerns. At least, key establishment techniques for a secure WSN-based application must minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility [5].
Signcryption, now an international standard for data protection (ISO/IEC 29150, Dec 2011), was invented in 1996 and first disclosed to the public at CRYPTO 1997 [6, 7]. It is a data security technology by which confidentiality is protected and authenticity is achieved seamlessly at the same time. This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFIDs) and wireless sensor networks, to perform high-level security functions. And, by performing these two functions simultaneously, we can save resources, be it an individual's time or be it energy, as it will take less time to perform the task. Therefore, signcryption is very suitable for key management in wireless sensor networks and other resource-constrained environments.
Since the invention of the primitive of signcryption, various constructions were proposed and most of them are based on three kinds of cryptographic assumptions. The first category assumes that the integer factoring problem (IFP) is intractable, such as the constructions in [8, 9]. The second category assumes that the discrete logarithm problem (DLP) over finite fields or elliptic curves (i.e., ECDLP) is intractable, such as the constructions in [10, 11]. In this category, some constructions further utilize the bilinear pairing to enhance the functionalities and performance, such as the constructions in [12, 13]. The third category is based on some lattice hard problems [14, 15]. Up to now, the last category attracts a lot of attention since the so-called quantum attack-resistant property. However, these existing lattice-based signcryptions have disadvantage in key sizes. Thus, it is interesting to probe new construction of signcryption based on other cryptographic primitives than IFP- and DLP-related ones and meanwhile keeping the potential of quantum attack resistance.
Under this background, some noncommutative groups have attracted the attention. One of the most popular groups in this category is the braid group. At CRYPTO 2000, Ko et al. [16] proposed the first fully fledged braid-based cryptosystem. In braid-based cryptographic schemes [16–24], the conjugacy search problem (CSP) (i.e., given two braids a and
Another promising observation coming from [23] is that braid operations can be implemented with a complexity level of about
The main motivation of this paper covers two aspects: the first is to design a lightweight signcryption scheme based on noncommutative groups assuming that the CSP problem over the underlying groups are intractable, and the second is to construct efficient key management protocols for wireless sensor networks.
The rest contents are organized as follows. In Section 2, we at first give a simple introduction to the braid group, and then introduce the left self-distributive system and its properties. A building block—braid-based signcryption scheme is proposed in Section 3, and the full description of the key management protocol for wireless sensor networks is developed in Section 4. Performance evaluation and comparisons, including security level analysis, are given in Section 5, respectively. Concluding remarks are given in Section 6.
2. Preliminaries
2.1. Braid Group and Related Cryptographic Problems
The n-braid group

Geometrical illustration on identity and Artins generators [23].
Geometrically, the product of two braids is the braid obtained by merging the tail of the first braid with the head of the second braid. For example, Figure 2 shows the braid

An example of geometric braids [23].
There is a natural automorphism from
For arbitrary two braids
In sequel, we use
2.2. Conjugacy-Based Left Self-Distributive Systems
Under the intractability assumption of the conjugator search problems over certain noncommutative semigroups, Wang et al. [24] proposed several public-key cryptosystems based on conjugacy-based left self-distributive systems. The notations and related constructions are helpful for developing our main proposal in this paper. Therefore, let us recall the definition of the left self-distributive system that was firstly postulated by Dehornoy [32].
Definition 1 (left self-distributive system LD [32]).
Suppose that S is a nonempty set,
The terminology “left self-distributive” arises from the following analogical observation: if we consider
One can define the following LD system, named as Conj-LD system, which means an abbreviation of left self-distributive system defined by conjugate operations.
Definition 2 (Conj-LD system [24]).
Let G be a noncommutative semigroup and
It is easy to see that F caters to the rewritten formula (1). Thus,
Proposition 3 (power law [24]).
Let F be a Conj-LD system defined over a noncommutative semigroup G. Suppose that
Remark 4.
By using the notation of
Definition 5 (CSP-based decisional Diffie-Hellman: CSP-DDH [24]).
Let F be a Conj-LD system defined over a noncommutative semigroup G and let 𝒜 be an adversary. For arbitrary
Experiments for define CSP-DDH problem.
Intuitively, the CSP-DDH assumption states that the distributions:
Remark 6.
Intuitively, it is hard to solve the CSP-DDH problem without solving the CSP problem if G is modeled as a generic semigroup model. According to [33], we know that the discrete logarithm problem (DLP) over finite fields and the corresponding DDH problem are polynomially equivalent in a generic cyclic group. By an analogical manner, we speculate that the CSP problem and the CSP-DDH problem in a generic noncommutative semigroup are polynomially equivalent (see more details in [24]).
2.3. The Fujisaki-Okamoto Transformation [34, 35]
Without loss of generality, a public-key encryption scheme can be defined as a triple 𝒦 is the key generation algorithm that takes as input a system security parameter ℰ is the encryption algorithm that takes as inputs the public-key 𝒟 is the decryption algorithm that takes as inputs the secret key
In general, as for public-key encryption, one-wayness against chosen plaintext attacks (OW-CPA) is the lowest security requirement, while indistinguishability against adaptively chosen ciphertext attacks (IND-CCA2) is the most desirable and the standard security requirement. Cryptographic practise shows that it is always easier to design an OW-CPA secure encryption scheme than to directly design an IND-CCA2 secure one. Thus, it is desirable to have a general method for transforming an OW-CPA secure encryption scheme to an IND-CCA2 secure one [35]. Fortunately, one of this methods was invented by Fujisaki and Okamoto [34] at PKC 1999.
Theorem 7 (FO transformation [34]).
Suppose key generation algorithm encryption algorithm is defined as
decryption algorithm
output
3. Building Block: Noncommutative Signcryption
Before describing our proposal for WSN key management, let us at first propose a signcryption scheme from noncommutative semigroups where the CSP-related assumptions hold. We will see later, when this scheme is instantiated by using braids, we obtain a very efficient signcryption scheme that is
Suppose that G is a noncommutative semigroup so that the CSP problem and the CSP-DDH problem over G are intractable. Then, the public parameters of the proposed signcryption are given by a quintuple 𝔇 is a description of G and
Then, the proposed signcryption scheme consists of the following three algorithms:
pick compute
where operator “⊕” should be viewed as XOR operation over bit-strings that are encoding results of a pair in output
Theorem 8.
The proposed signcryption is consistent.
Proof.
Suppose that the sender and the receiver performs honestly, and their inputs are well formed. That is,
Theorem 9.
Suppose that
Proof.
To apply the well-known Fujisaki-Okamoto transformation theorem [34], we at first need to define an IND-CPA secure encryption scheme The encryption algorithm
pick compute output The decryption algorithm
Apparently, this is just the ElGamal-like variant based on CSP-DDH assumption. According to Theorem 1 of [24], this is IND-CPA secure. Then, according to Theorem 7, the FO variant
pick let let output The decryption algorithm
let let output
Now, let us show that in the same random oracle models, if there is a polynomlai-time adversary 𝒜 that can, with nonnegligible probability, break the IND-CCA2 security of the proposed signcryption scheme, there is another polynomial-time adversary ℬ that can, by controlling the response of the random oracles
In fact, if ℬ controls the response of the random oracles
The left thing is to show that ℬ, without knowing the receiver's private-key look up for each matched triple
for each
extract a possible This can be done since ℬ knows test whether the equality if up to now, ℬ has not output response to 𝒜 yet, then ℬ sends ⊥ to 𝒜 as the response.
Now, let us show that ℬ's simulation is perfect. It is reasonable to assume that without accessing hash queries on
Remark 10.
Note that although the signature scheme embedded in the proposed signcryption scheme merely achieves unforgeable against no-message attacks, the resulted signcryption is existentially unforgeable against external adaptively chosen message attack. Here, external forgeries means that it is neither the singer, nor the intended receiver. We know that it is reasonable to exclude the signer from forgeries. Let us explain why we further exclude the intended receiver from the forgeries. In fact, the primitive of signcryption provides confidentiality of the message against all entities except the intended receiver and meanwhile it provides the authenticity of the sender (i.e., the signer) for the intended receiver. That is, the authenticity embedded in the signcryption primitive is unidirectional, instead of bidirectional. Therefore, it seems that there is no reason for an intended receiver to forge a signature on behalf of some signer and then encrypt the signature for himself/herself, except for planting false evidence against some senders. In other words, in our proposal, we assume that the receiver who possesses the corresponding private-key for performing designcryption is honest. Otherwise, an existentially unforgeable signature scheme, such as the noncommutative signature scheme in [36] should be embedded therein. For further consideration of the insider security and the outsider security of signcryptions, one can refer to [37, 38].
4. Lightweight Implementation of Key Management Protocols for WSNs
In [5], Hagras et al. described an efficient key management scheme for WSNs based on elliptic curve signcryption. Our proposal follows their diagram. However, the main differences of our work lie in the following aspects:
firstly, the signcryption algorithm used by Hagras et al. is abstract and essentially hybrid where a symmetric encryption algorithm is involved. However, we will give a detailed specification of each algorithm; secondly, Hagras et al.'s proposal is based on commutative platforms, while as far as we known, our proposal is firstly based on noncommutative platforms.
Similar to [5], suppose that the network architecture is the standard clustered WSN architecture depicted in Figure 3. The proposed key management scheme supports three protocols: the first is used to generate private-/public-keys for each individual nodes, including base nodes, cluster headers, and cluster nodes; the second is essentially a signcryption scheme that is used by base node to send session keys to cluster heads; and the third is essential also a signcryption scheme that is used by cluster heads to send session keys to cluster nodes.

WSN Architecture.
Let
4.1. Key Generation Protocol
This protocol is responsible for creating public-/private-key pairs for base nodes (BNs), cluster heads (CHs), and cluster nodes (CNs).
Step 1.
Generate public-/private-key for based nodes.
Step 2.
Generate public-/private-key for cluster heads.
Step 3.
Generate public-/private-key for cluster nodes.
Step 4.
Session key generation for base node and cluster heads.
The base node creates the session key The jth cluster head creates the session key
Without loss of generality, here we assume that
Remark 11.
Note that in the last step, all session keys are newly generated by the base node and the cluster nodes, respectively. In fact, after the execution of Steps 1, 2 and 3, we know that the base node and the jth cluster head can calculate the shared session key
4.2. BN-CHs Signcryption
The base node signcrypts the session key pick send
Upon receiving the ciphertext compute accept K if
4.3. CH-CNs Signcryption
The jth cluster head signcrypts the session key pick Send
Upon receiving the ciphertext compute accept K if
5. Performance Evaluation
5.1. Complexity of Basic Operations
Now, let us compare the braid-based signcryption schemes with the RSA-based ones. According to Cha et al.'s implementation [39] and Maffre's test [40], the complexities of the braid operations, such as multiplication, inversion, and canonical form computation, are bounded by
Further, if we lift the security level of the RSA-based schemes to
5.2. Parameter Size
A braid in
Parameter length.
5.3. Security Levels
In [23], Wang et al. presented an analysis of the security levels of braid-based cryptosystems against two typical attacks: heuristic attacks and brute force attacks. In a similar manner, we can discuss the security levels of the proposed signcryption scheme. According to [23], the security level of a cryptosystem is modeled as the number of bit operations for breaking the cryptosystem. Since this number is in general huge, we always use its logarithm in evaluation and refer to as the logarithmic security level.
As for braid-based cryptosystems, heuristic attacks mean currently known smart attacks, such as length-based attacks [42, 43] and linear representation attacks. According to Maffre's test [40] and Wang et al.'s summarization [23], the logarithmic complexity of existing heuristic attacks against braid-based cryptosystems can be expressed as
Let us proceed to analyze the security level against brute force attacks. According to Ko et al. [29], when the private-keys of braid-based schemes are selected carefully, that is, avoiding the weak keys mentioned by Maffre [40], all known heuristic attacks will be unsuccessful. Further, according to the previous analysis given by Ko et al. [16], the complexity of carrying brute force attacks towards braid-based schemes is proportional to
In brief, we can summarize the performance comparisons in two cases: in Case I, we consider the currently acceptable parameter settings, and in Case II, we lift the security level of the RSA-based schemes to
Complexities and security levels.
Remark 12.
Although Table 3 seems very similar to that in [23], there are remarkable differences as follows: on one hand, in [23], the efficiencies of the signing process and the verifying process of the braid-based signature scheme in [23] are much different; signing can be implemented in the complexity proportional to
6. Conclusion
Lightweight cryptographic schemes are useful for securing WSN-oriented applications. To minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility, signcryption is the proper primitive to realize key management protocols for WSNs. However, most existing signcryption schemes are heavyweight and not suitable for resource-limited sensors. In this paper, we propose a braid-based signcryption scheme and then develop a key establishment protocol for wireless sensor networks. From the complexity view, the proposed scheme is
Footnotes
Acknowledgments
This work is partially supported by the National Natural Science Foundation of China (NSFC) (nos. 61003285, 61070251, 61103198), the NSFC A3 Foresight Program (no. 61161140320) and the JSPS A3 Foresight Program, JSPS Research Fellowships for Young Scientists Program, and NEC C&C Foundation.
