Sage Journals: Discover world-class research

Abstract

As a potential technology, the identity-based online/offline encryption scheme is split into two phases (the offline phase and the online phase) which is especially suitable for sensor nodes with limited computation resources in that most of the works can be executed offline. However, a challenging issue is the well-known identity-based online/offline encryption schemes unable to resist continual key leakage attacks of the secret keys. To address the above security challenge, we put forth the first continual leakage-resilient identity-based online/offline encryption scheme which is suitable for ensuring secure communications in wireless sensor networks. More specifically, our formal security proofs analysis indicates that the proposed scheme can guarantee security even if partial information of the secret key is continually leaked due to side-channel attacks or fault injection attacks. Above all, compared to the existing identity-based online/offline encryption schemes, an identity-based online/offline encryption scheme with continual leakage resilient meets wireless sensor networks with strong security.

Keywords

Identity-based encryption online/offline encryption continual leakage resilience wireless sensor networks provable security

Introduction

Wireless sensor networks (WSNs) as a major technique is an academic hotspot that possesses the advantages of building the Internet of things (IoT). Due to the demand for sensing, gathering, and monitoring data, individual users and enterprises make better management control and decision-making. For example, individual users equipped with tiny sensor nodes continuously monitor their sensitive data such as health records and so on which is necessary to be encrypted before transmitting to the base stations (BSs). However, the security and efficiency challenges need to design access control systems in WSNs. For one thing, the sensor nodes have the limited capabilities. For another, most of the existing access control schemes were proposed in a weak security model. In order to solve the above problems, researchers directly utilized typical identity-based encryption (IBE) schemes to design access control systems. IBE^1–4 is one of the powerful cryptographic mechanisms to realize the above functionality. The encryption procedure of IBE simply employs the user’s identity which was composed of an arbitrary string. However, the IBE system always requires the user to execute expensive computations, such as pairings over points on the elliptic curve and exponentiations in groups which is not desirable for weak users with limited computation resources. Especially in WSNs, the nodes have very limited computation resources, memory, and storage capabilities. These make many cryptographic primitives impractical. A good solution to reduce the computational overhead of encryption procedure is the model of identity-based online/offline encryption (IBOOE) which splits the encryption process into two phases: the offline phase and the online phase. In the offline phase, the vast majority of the work is to be done and it requires neither the information of the message to be encrypted nor the receiver’s identity. This division of computational tasks makes most of the works executed offline. However, the security and efficiency challenges have appeared when traditional IBOOE schemes are directly utilized in the WSN environment. In such applications, it is usually assumed that the adversary cannot get any information about the internal secret states. In contrast, this assumption no longer holds in WSNs in that a malicious adversary can obtain partial information from side-channel attacks⁵ which will lead to the leakage of important sensitive information. Then, a natural question arises: Can we design a provable secure IBOOE scheme resilient to the continual leakage of secret keys? A plausible solution to the above problem might be dual system encryption which has the potential to address the problem of continual key leakage for traditional IBOOE schemes.

Related work

In this subsection, we summarize leakage-resilient IBE (lr-IBE) cryptography and the online/offline encryption cryptography.

Leakage resilience was first studied in public key setting by Akavia et al.⁶ It is a powerful tool to ensure security-protecting data confidential against side-channel attacks. Naor and Segev⁵ extended leakage resilience to the public key encryption. More broadly, Alwen et al.⁷ first introduced leakage-resilient security to identity-based setting and constructed lr-IBE scheme using the identity-based hash proof system (IB-HPS). Unfortunately, only the third scheme was proved in the standard model based on Gentry’s IBE system.³ So far, two main models have been proposed: bound leakage model (BLM) and the continual leakage model (CLM). The first line of work constructs lr-IBE schemes that are proven secure in the BLM. In CCS, Chow et al.⁸ proposed three lr-IBE schemes assuming that each secret-key holder had two randomness that applied to secret keys and master secret keys. The first two lr-IBE schemes based on BB-IBE¹ and Waters-IBE², respectively, which had selective security and the third scheme was fully secure and short public parameters using Lewko and Waters’s dual system encryption.⁴ Namely, they showed how to go from IB-HPS to lr-IBE scheme. Li et al.⁹ investigated how to accomplish chosen ciphertext attack (CCA) security of the lr-IBE scheme by applying a hash proof technique into Gentry’s IBE scheme.³ However, the lr-IBE schemes presented in Alwen et al.,⁷ Chow et al.,⁸ and Li et al.⁹ cannot resistant to continual key leakage attack. Another line of work is so-called the CLM. It divides the lifetime of the cryptosystem into some periods, and updates the secret keys at the end of each period. Lewko et al.¹⁰ first proposed the IBE scheme under continual leakage resilient which allows continual leakage of user’s key and master key. Subsequently, Li et al.¹¹ developed the first identity-based broadcast encryption scheme under continual leakage of secret keys of any identity. To improve the security level, Zhou et al.^12–14 gave exciting new continual leakage-resilient constructions for IBE from decisional bilinear Diffie–Hellman (DBDH), truncated augmented bilinear Diffie–Hellman exponent (q-TABDHE) assumptions, and a new primitive called updatable identity-based hash proof system (U-IB-HPS). Recently, many BLMs and CLMs were surveyed in Zhang et al.¹⁵ and Yael et al.¹⁶

Online/offline encryption technology has been widely accepted as an effective method to protect data security and privacy in online/offline scenarios and becomes a useful tool to achieve effective encryption such that only the authorized users can access the data. Online/offline encryption technology mainly focuses on efficient encryption which is different from efficient decryption.¹⁷ Guo et al.¹⁸ first introduced encryption schemes which split the encryption procedure into two phases: the offline phase and the online phase. In the offline phase without input of plaintext and user’s identity, it outputs the offline ciphertext. Then, in the online phase, it efficiently generates the online ciphertext concerning plaintext and the identity of the user. Subsequently, Liu et al.¹⁹ presented a more efficient IBOOE scheme in the random oracles which is especially suitable for embedded devices of limited computation power such as smart cards or wireless sensors. Later, Chu et al.²⁰ proposed a practical IBOOE scheme in the selective-ID model, which is suitable for WSN which removed the elements in the group $G_{T}$ from the offline storage. The notion of ID-based online/offline key encapsulation mechanism (IBOOKEM) was introduced by Chow et al.²¹ and a generic construction of the IBOOE scheme to achieve CCA security in the ROM. However, the above scheme has the following property: the security, storage, and computation have relied on symmetric encryption mechanism. By utilizing a novel notion to obtain an efficient semi-generic transformation from IBOOKEM²² scheme to IBOOE scheme in the standard model. Recently, to address the problem of large ciphertext, efficient IBOOE and signcryption with short ciphertext were proposed by Lai et al.²³ Nevertheless, according to the technologies of side-channel attacks and new attack methods are appearing, the conventional IBOOE scheme will be threatened. Thus, those schemes mentioned above will be broken by key leakage attacks. As an attractive technique for naturally leading to leakage resilience, dual system encryption holds very strong security proofs based on three static assumptions. In this article, our goal is to propose an IBOOE scheme in the continual key leakage security model.

Motivation and our contribution

The primary challenge for the IBOOE schemes is to achieve leakage resilience. In this article, we consider the continual leakage resilience in IBOOE schemes. Specifically, the contributions of this work are elaborated as follows:

Motivated by the aforementioned application to leakage tolerance in WSNs, we study IBOOE resilient to a stronger form of leakage. We first introduce the notion of the continual leakage-resilient IBOOE (clr-IBOOE) and formalize its framework. In clr-IBOOE, the encryption procedure is split into two phases, that is, an offline phase and an online phase. To support continual leakage functionality, we expand the space of secret key and ciphertext to $n + 2$ and $n + 5$ dimensional vectors, respectively. Here, the parameter $n (n > 3)$ will determine the leakage tolerance.

We utilize the semi-functional structures and a hybrid argument which was used in the security proof by a sequence of games. The main difficulty in constructing our scheme is to implement nominally semi-functional secret keys that can decrypt semi-functional ciphertext without the adversary awareness of. Nominality permits the simulator to produce nominal semi-functional keys which is decrypt successfully the interrelated challenge ciphertext while the adversary was unaware of the above process.

We provide provable security of clr-IBOOE, including indistinguishability of normal secret keys and semi-function secret keys, indistinguishability of normal ciphertext and semi-function ciphertext, and continual leakage of secret keys. In addition, we conduct a comprehensive performance evaluation compared with the existing IBOOE schemes, our scheme not only enjoys continual leakage resilience but also avoids the additional online computation. Specifically, clr-IBOOE dramatically realizes the strongest features of continual leakage. This is because that in update process, the secret key is updated over time.

The rest of the article is organized as follows: in section “Preliminaries,” we describe the notation used in this article, composite order bilinear and complexity assumptions. In section “System architecture and security model,” we first present a continual leakage-resilient security model and a formal definition for IBOOE, respectively. Then, we propose a clr-IBOOE scheme based on three assumptions in which encryption can be afforded by mobile devices with limited computation power. We elaborate on formal security proof in the standard model based on the new security model in section “System architecture and security model.” And in section “Provable secure IBOOE with continual leakage resilience in WSNs,” we give efficiency results and security of the new scheme compared to the existing IBOOE schemes. At last, we conclude this article in section “Security proof and efficiency comparisons.”

Preliminaries

In this section, we introduce the preliminary knowledge on some cryptographic background used throughout this article.

Notations

Assuming that all the algorithms take as input the security parameter represented in unary, that is, 1^λ. Let $N$ be a positive integer. For a set $R$ , $| R |$ represents its cardinality and means that the variable s is chosen uniformly at random from $R$ . Let symbols · and * denote dot product of two vectors and component-wise product of two elements, respectively. In addition, the useful notations for IBOOE scheme are listed in Table 1. These notations are employed throughout this literature.

Table 1.

Notations.

Notation	Description
λ	The security parameter
PPT	Probabilistic polynomial-time
$negl (λ)$	A negligible function of security parameter λ
s ← S(·)	Run a randomized algorithm S(·) and output s
$x \leftarrow^{$} Z_{N}$	The operation of choosing an element x of Z_N uniformly at random
$\vec{x} = (x_{1}, \dots, x_{n})$	A vector $\vec{x}$ includes n elements in group
$〈 \cdot, \cdot, \cdot, \cdot 〉$	Angle brackets denote vectors
$(\cdot, \cdot, \cdot, \cdot)$	Parentheses denote collections of elements of different types

Composite order bilinear groups

Three assumptions based on the pairing over composite order groups^4,10 are as follows. Let the parameters be N = p₁p₂p₃, where p₁, p₂, p₃ are three numbers. The group generator algorithm I takes as input a security parameter 1^λ and outputs the description of a bilinear group (N = p₁p₂p₃, G, G_T, e). In the group description, p₁, p₂, p₃ are three distinct numbers; G and G_T are cyclic groups of order N; and e:G × G → G_T is a bilinear map. We assume that the generator algorithm outputs the values of p₁, p₂, p₃ and g_i is generator of subgroup G_i of order p_i. Moreover, let G_ij denote the subgroup of order p_ip_j which implicitly have $e (h_{i}, h_{j}) = 1_{G_{T}}$ , $h_{i} \in G_{i}$ and $h_{j} \in G_{j}$ for $i \neq j$ .

Complexity assumptions

Assumption 1

Given D¹ = (N, G, G_T, e, g₁, g₃), it is hard for an adversary to distinguish $T_{0}^{1} = g_{1}^{z}$ from $T_{1}^{1} = g_{1}^{z} g_{2}^{v}$ where $z, v \leftarrow^{$} Z_{N}$ .

Assumption 2

Given D² = (N, G, G_T, e, g₁, g₃, $g_{1}^{z} g_{2}^{v}$ , $g_{2}^{u} g_{3}^{ρ}$ ), it is hard for an adversary to distinguish $T_{0}^{2} = g_{1}^{w} g_{3}^{σ}$ from $T_{1}^{2} = g_{1}^{w} g_{2}^{k} g_{3}^{σ}$ where $w, k, σ \leftarrow^{$} Z_{N}$ .

Assumption 3

Given D³ = (N, G, G_T, e, g₁, g₂, g₃, $g_{1}^{α} g_{2}^{v}$ , $g_{1}^{z} g_{2}^{u}$ ), it is hard for an adversary to distinguish $T_{0}^{3} = e (g_{1}, g_{1})^{α z}$ from $T_{1}^{3} \in G_{T}$ .

The advantage of an algorithm A in Assumption i where i ∈ {1, 2, 3} is defined as

{Adv}_{A}^{i} (λ) = | \Pr [A (D^{i}, T_{0}^{i}) = 1] - \Pr [A (D^{i}, T_{1}^{i}) = 1] |

Security theorem

In the context of Lewko and Waters,¹⁰ it expands the semi-functional space to n + 2 dimensional vectors, where $n \geq 3$ . Notice that, the leakage depends only on the size of the $G_{2}$ subgroup, and not on the size of $p_{1}$ or $p_{3}$ . They give the Lemma 1 as follows.

Lemma 1

Under Assumptions 1, 2, 3 and for $l_{MK} = (n - 1 - 2 c) \log (p_{2}), l_{SK} = (n - 1 - 2 c) \log (p_{2})$ where $c > 0$ is a fixed positive constant, our dual system IBE scheme is $(l_{MK}, l_{SK}) - master - leakage$ secure.

System architecture and security model

Before giving the formalized security model, we first lay out the system architecture and specification of an IBOOE scheme with the key update algorithm which is the underlying technique of the proposed secure identity-based online/offline scheme with continual leakage resilience for WSNs.

Network model

In WSNs, we focus on single-SP (service provider) multi-user sensor network. The overview of the network model is shown in the following Figure 1. There are four different entities in the system, that is, the SP, the sensor node, the gateway, and the network user.

SP is an authority who deploys a sensor network composed of multiple sensors, such as the registration of sensor nodes and users. The SP is a trusted third party.

Sensor nodes are battery powered which is a big challenge for network designers. Note that sensor nodes can offline.

Gateway: compared with sensor nodes, it has much higher storage and processing capability.

Users: a user can join the system by registering with the SP to join the WSN.

Figure 1.

Network model.

It is assumed that all the entities except SP are “honest-but-curious.” Sensor nodes generate offline ciphertexts, encrypt a file, and outsource the final ciphertext to SP. When users use the encrypted data, he downloads a ciphertext from SP. Then, he decrypts it based on the secret keys if the ciphertext is legitimate.

Specification of clr-IBOOE

An IBOOE scheme typically consists of six algorithms: Setup, Ext, UpdateSK, Enc^off, Enc^on, and Dec. In the continual leakage setting, we require an additional algorithm UpdateSK which updates the secret key of users. We define a continual leakage resilience IBOOE scheme, clr-IBOOE in short. Note that the public key remains unchanged. The definition below summarizes the above.

Definition 1 (clr-IBOOE)

IBOOE schemes are defined by a tuple of algorithms and protocols $Π = (Setup, Ext, UpdateSK, En c^{off}, En c^{on}, Dec)$ where

Setup(1 ^λ ) takes the security parameter λ to return the master public key mpk and the master secret key msk.

Ext(mpk, I, msk) takes as input the master public key mpk, master secret key msk, an identity I ∈ $I$ and returns a secret key sk_I for I.

UpdateSK(sk_I, I, mpk) takes in a secret key $s k_{I}$ and outputs a re-randomized key $s k'_{I}$ , such that the distribution of a secret key $s k'_{I}$ is indistinguishable from the distribution of a secret key sk_I.

Enc ^off (mpk) takes mpk to return an offline ciphertext c^off.

Enc ^on (m, mpk, I, c ^off ) takes as input the message m, the master public key mpk, an identity I ∈ $I$ , and an offline ciphertext c^off and returns the ciphertext c.

Dec(mpk, sk_I, c) takes a secret key sk_I and ciphertext c to return a message m or a special reject symbol ⊥ indicating c is invalid.

Correctness. With probability 1 over the randomness of (Setup, Ext, UpdateSK, Enc^off, Enc^on, Dec), we have that Dec(mpk, sk_I, Enc^on(m, mpk, I, Enc^off(mpk))) = m where (mpk, msk) ← Setup(λ) and sk_I ← Ext(mpk, I, msk).

Security model

In our surroundings, there exist two adversaries either an external intruder or a registered network user who intended to obtain other users’ data without the authorization of access according to work.²⁴ Based on the adversary’s ability and the specification of IBOOE scheme, we formalize the security model by specifying the ability of adversaries. To define continual leakage security, we extend the CLM of Li and Zhang¹¹ to online/offline identity-based setting. The security model is defined through a game played by a probabilistic polynomial-time (PPT) adversary A and a challenger (also called simulator). Assuming A cannot win the following security game $cLeak$ with probability greater than $(1 / 2) + negl (λ)$ . All the queries in the following security can happen adaptively, that is, they can depend on previous ones.

Setup: The simulator B runs the Setup(1^λ) algorithm, obtains the public secret key mpk and the master secret key msk. The master secret key is kept secret. The challenger gives mpk to the adversary A. B creates a set L = Ø to keep track of Ext queries and key leakage queries. Moreover, another set K = N corresponds with Reveal queries. The set L of triples of handles, identities, secret keys, and a counter, that is, (h, I, SK, Cntr) ∈ H × I × SK × N. Note that a handle counter h is set to 0.

Phase 1: The adversary A makes Ext, Leak, Reveal, UpdateSK, and Decrypt queries as follows:

Ext(h, I): h is a handle that has to refer to a secret key. Given an identity I, the challenger B looks up the item with the identity I in the list L. If it exists, B terminates. Otherwise, it creates a key for this identity I by calling the key extraction algorithm Ext(I, MSK) → SK_I, updates h ← h + 1 and adds the item (h, I, SK_I, 0) into the list L.

Leak(h, f): Given a handle h, the challenger looks up the item with the handle h in L. A selects a polynomial-time computable function f of constant output size acting on the set of keys. If the handle h exists, B checks if Cntr + |f(SK_I)| ≤ l_SK where l_SK is the leakage bound for the secret key. If this is true, it responds with f(SK_I) and updates the Cntr with Cntr + |f(SK_I)|.

Reveal (h): The attacker A requests the entire secret key for handle h. The simulator looks up in the list L. If it finds the item, it denotes the tuple by (h, I, SK_I, Cntr). B returns this item and adds the identity I to the set K.

UpdateSK (I): The simulator queries a new secret key of I with a polynomial-time computable function f. B looks up the item with the handle h in L. Then, it runs algorithm UpdataSK(SK_I) to get the updated secret key $S K'_{I}$ . B forwards the updated secret key $S K'_{I}$ and refreshes the set L with (h, I, $S K'_{I}$ , 0).

Decrypt (I, c): The adversary queries a message for (I, c), the simulator looks up the list L to get the secret key SK_I. The simulator calls the algorithm Dec(sk_I, c) to recover the corresponding plaintext m and sends it to the adversary.

Challenge: Once A decides that Phase 1 is over, it outputs two equal-length messages m₀ and m₁. The simulator B chooses b ∈ {0, 1} randomly and encrypts m_b under I^* by calling algorithm Enc^on(m_b, mpk, I^*, Enc^off(mpk)) → c^*. It sends c^* to A.

Phase 2: The same as Phase 1, except that I^* may not be submitted for all the oracles in Phase 1.

Guess: Finally, A outputs a guess bit b′ ∈ {0, 1}. If b′ = b, A wins the game. The advantage of an adversary A in attacking the IBOOE scheme $Π$ with security parameter λ is defined as ${Adv}_{A, Π}^{cLeak} (λ, l) = | \Pr [b' = b] - 1 / 2 |$ .

Definition 2

If for all PPT adversaries A, the advantage ${Adv}_{A, Π}^{cLeak} (λ, l)$ in the above game $cLeak$ is negligible, that is, ${Adv}_{A, Π}^{cLeak} (λ, l) \leq negl (λ)$ , we say that a clr-IBOOE scheme $Π = (Setup, Ext, UpdateSK, En c^{off}, En c^{on}, Dec)$ is fully secure against l-continual leakage attacks, the total amount of leakage on each secret key of user has to be bounded by λ. Note that in all definitions and lemmas we will not write the dependence of Adv in $λ, l$ for easiness of notation.

Provable secure IBOOE with continual leakage resilience in WSNs

In this section, we first present the proposed IBOOE with continual leakage resilience in WSNs and then show its correctness. Our clr-IBOOE scheme Π comprises six algorithms detailed as follows.

Details of the proposed IBOOE scheme

Our construction of clr-IBOOE scheme employs a composite order bilinear groups I = (N = p₁p₂p₃, G, G_T, e) where p₁, p₂, p₃ are three λ-bits length primes; G, G_T are cyclic groups with order N = p₁p₂p₃; and e is such a bilinear map e:G × G → G_T. Assume that each identity is an element in Z_N and every message is an element in group G_T. In our scheme, the secret key is randomized by subgroup G₃. The elements of subgroup G₂ will not be used in the real scheme, but it supplies semi-functional property.

Setup(1 ^λ ): The setup algorithm picks $〈 α, x_{1}, \dots, x_{n} 〉 \leftarrow^{$} Z_{N}^{n + 1}$ , u₁, g₁, h₁ ∈ G₁ at random. It computes R₁ = e(g₁, g₁)^α. Finally, it outputs the master secret key msk = α and the master public key $mpk = (u_{1}, g_{1}, h_{1}, R_{1}, g_{1}^{x_{1}}, \dots, g_{1}^{x_{n}})$ .

Ext(I, msk, mpk): On input the master public key mpk, the master secret key msk, and an identity I ∈ $I$ , the algorithm picks n + 1 random exponents $〈 r, y_{1}, \dots, y_{n} 〉 \leftarrow^{$} Z_{N}^{n + 1}$ and returns the secret key $s k_{I} = ({\vec{k}}_{1}, k_{2}, k_{3}) = (g_{1}^{y_{1}}, \dots, g_{1}^{y_{n}}, g_{1}^{α} \cdot (u_{1}^{I} h_{1})^{- r} Π_{i = 1}^{n} g_{1}^{- x_{i} y_{i}}, g_{1}^{r})$ .

Enc ^off (mpk): On input the master public key mpk, the algorithm chooses $x, s, w \in Z_{N}$ and computes the offline ciphertext $c^{off} = ({\vec{c}}_{1}, c_{2}, c_{3}, c_{4}, c_{5}, w) = ((g_{1}^{x_{1}})^{s}, \dots, (g_{1}^{x_{n}})^{s}, g_{1}^{s}, (u_{1}^{x} h_{1})^{s}, u_{1}^{sw}, R_{1}^{s}, w)$ .

The offline storage is $c^{off} = ({\vec{c}}_{1}, c_{2}, c_{3}, c_{4}, c_{5}, w)$ .

Enc ^on (m, mpk, I, c ^off ): On input message m, master public key mpk, an identity I ∈ $I$ , and offline ciphertext c^off, the algorithm picks $x \in Z_{N}$ and encrypts the message by computing $c_{0} = m \cdot c_{5}$ and $w_{1} = w^{- 1} (I - x) modN$ . Finally, it outputs the final ciphertext $c = (c_{0}, {\vec{c}}_{1}, c_{2}, c_{3}, c_{4}, w_{1})$ .

Dec(sk_I, c, mpk): Let the ciphertext c be parsed as $(c_{0}, {\vec{c}}_{1}, c_{2}, c_{3}, c_{4}, w_{1})$ . The decryption algorithm calculates the blinding factor e(g₁, g₁)^αs using the secret key sk_I

\begin{matrix} e ({\vec{k}}_{1}, {\vec{c}}_{1}) \cdot e (k_{2}, c_{2}) \cdot e (k_{3}, c_{3} \cdot c_{4}^{w_{1}}) \\ = e (g_{1}^{y_{1}}, {(g_{1}^{x_{1}})}^{s}) \dots e (g_{1}^{y_{n}}, {(g_{1}^{x_{n}})}^{s}) e \\ (g_{1}^{α} \cdot {(u_{1}^{I} h_{1})}^{- r} Π_{i = 1}^{n} g_{1}^{- x_{i} y_{i}}, g_{1}^{s}) \cdot \\ e (g_{1}^{r}, {(u_{1}^{x} h_{1})}^{s} \cdot {(u_{1}^{sw})}^{w^{- 1} (I - x)}) \\ = e (g_{1}, g_{1})^{α s} \end{matrix}

Finally, the message is computed as $m = (c_{0} / (e (g_{1}, g_{1})^{α s}))$ . It proves correctness of decryption procedure.

Continual leakage

To implement re-randomization, we give here the update algorithm for the secret keys.

UpdateSK(sk_I, I, mpk): The update algorithm picks n + 1 exponents $〈 r', z_{1}, \dots, z_{n} 〉 \leftarrow^{$} Z_{N}^{n + 1}$ and a random vector $\vec{ρ}' \leftarrow^{$} Z_{N}^{n + 2}$ . It outputs the new secret key as follows

\begin{matrix} s k'_{I} = ({\vec{k}}_{1}, k_{2}, k_{3}) \\ = s k_{I} * 〈 g_{1}^{z_{1}}, \dots, g_{1}^{z_{n}}, {(u_{1}^{I} h_{1})}^{- r'} Π_{i = 1}^{n} g_{1}^{- x_{i} z_{i}}, g_{1}^{r'} 〉 * g_{3}^{\vec{ρ}'} \end{matrix}

Semi-functionality

All the secret keys and ciphertext generated by the above algorithms are normal which has no group G₂ parts. To get semi-functional key and ciphertext, we add a factor of G₂ into the normal key and normal ciphertext as follows:

KeygenSF(I, msk): Let sk_I be a normal secret key of user I which was generated by calling key extraction algorithm Ext(I, msk, mpk) and g₂ be a generator of group G₂. Then picks random $\vec{θ} \leftarrow^{$} Z_{N}^{n}, θ_{n + 1}, θ_{n + 2} \in Z_{N}$ and calculates the semi-functional secret key ${sk}_{I}^{semi} = ({\vec{k}}_{1} * g_{2}^{\vec{θ}}, k_{2} * g_{2}^{θ_{n + 1}}, k_{3} * g_{2}^{θ_{n + 2}})$ .

EncryptSF(sk_I, I, mpk): It first calls the online encryption algorithm Enc^on(m, mpk, I, Enc^off(mpk)) to obtain a normal ciphertext $c = (c_{0}, {\vec{c}}_{1}, c_{2}, c_{3}, c_{4}, w_{1})$ . Then, it picks random $\vec{δ} \leftarrow^{$} Z_{N}^{n}, δ_{n + 1}, δ'_{n + 2}, δ' \in Z_{N}$ and calculates a semi-functional ciphertext $c^{semi} = (c_{0}, {\vec{c}}_{1} * g_{2}^{\vec{δ}}, c_{2} * g_{2}^{δ_{n + 1}}, c_{3} * g_{2}^{δ'_{n + 2}}, c_{4} * g_{2}^{δ'}, w_{1})$ . Here, we contract the $n + 2$ factors of semi-functional coefficient by $δ_{n + 2} = δ'_{n + 2} + δ'$ .

Procedure of decryption

First, we contract the two terms $\vec{θ}$ , $\vec{δ}$ the semi-functional parameters of the secret key and the ciphertext, respectively. The algorithm Dec(sk_I, c, mpk) shows the detailed procedure on how to decrypt the normal ciphertext using the normal secret key. That is, it concludes $e (g_{1}, g_{1})^{α s}$ by computing $e ({\vec{k}}_{1}, {\vec{c}}_{1}) \cdot e (k_{2}, c_{2}) \cdot e (k_{3}, c_{3} \cdot c_{4}^{w_{1}})$ . Second, we elaborate on the whole derivation of decryption procedure about two types of secret keys and ciphertexts.

1. The normal secret key decrypts the semi-functional ciphertext as follows

\begin{matrix} e ({\vec{k}}_{1}, {\vec{c}}_{1} * g_{2}^{\vec{δ}}) \cdot e (k_{2}, c_{2} * g_{2}^{δ_{n + 1}}) \cdot \\ e (k_{3}, c_{3} * g_{2}^{δ'_{n + 2}} \cdot {(c_{4} * g_{2}^{δ'})}^{w_{1}}) = e {(g_{1}, g_{1})}^{α s} \end{matrix}

2. The semi-functional secret key decrypts the normal ciphertext as follows

\begin{matrix} e ({\vec{k}}_{1} * g_{2}^{\vec{θ}}, {\vec{c}}_{1}) \cdot e (k_{2} * g_{2}^{θ_{n + 1}}, c_{2}) \cdot \\ e (k_{3} * g_{2}^{θ_{n + 2}}, c_{3} \cdot c_{4}^{w_{1}}) = e {(g_{1}, g_{1})}^{α s} \end{matrix}

3. The semi-functional secret key decrypts the semi-functional ciphertext as follows

\begin{matrix} e ({\vec{k}}_{1} * g_{2}^{\vec{θ}}, {\vec{c}}_{1} * g_{2}^{\vec{δ}}) \cdot e (k_{2} * g_{2}^{θ_{n + 1}}, c_{2} * g_{2}^{δ_{n + 1}}) \cdot \\ e (k_{3} * g_{2}^{θ_{n + 2}}, c_{3} * g_{2}^{δ'_{n + 2}} \cdot {(c_{4} * g_{2}^{δ'})}^{w_{1}}) \\ = e ({\vec{k}}_{1}, {\vec{c}}_{1}) \cdot e {(g_{2}, g_{2})}^{\vec{θ} \vec{δ}} \cdot e (k_{2}, c_{2}) \cdot \\ e {(g_{2}, g_{2})}^{θ_{n + 1} δ_{n + 1}} \cdot e (k_{3}, c_{3} \cdot c_{4}^{w_{1}}) \cdot \\ e {(g_{2}, g_{2})}^{θ_{n + 2} (δ'_{n + 2} + δ' w_{1})} \end{matrix}

Here, we write $e (g_{2}, g_{2})^{\vec{θ} \vec{δ}} \cdot e (g_{2}, g_{2})^{θ_{n + 1} δ_{n + 1}} \cdot e (g_{2}, g_{2})^{θ_{n + 2} (δ'_{n + 2} + δ' w_{1})} = e (g_{2}, g_{2})^{{\vec{θ}}_{n + 2} {\vec{δ}}_{n + 2}}$ where implicitly include $δ_{n + 2} = δ'_{n + 2} + δ' w_{1}$ .

Through the above analysis, we obtain an additional entry $e (g_{2}, g_{2})^{{\vec{θ}}_{n + 2} {\vec{δ}}_{n + 2}}$ by the pairing. That is, a semi-functional secret key of identity I_k with parameter $\vec{θ}$ is nominal relative to a semi-functional ciphertext for identity I_c with parameter $\vec{δ}$ if and only if $\vec{θ} \cdot \vec{δ} = 0 \mod p_{2}$ for I_k = I_c.

Security proof and efficiency comparisons

Security proof

Theorem 1

If Assumptions 1, 2, and 3 hold in G, G_T, then the above proposal Π is l_SK-fully secure against key leakage attacks.

Proof

Each secret key sk_I is a $n + 2$ dimensional vector where $n \geq 3$ is a parameter determining the leakage tolerance. Based on lemma 1 in section “Security theorem,” we have leakage parameters $l_{SK} = (n - 1 - 2 c) λ$ . To prove theorem, we will build a PPT simulator B that breaks Assumption 1, 2, 3 with the help of a PPT adversary A that breaks the adaptive security of our proposal Π. First, we consider the following sequence of hybrid games.

$cLeak$ . This game is the original game as defined in the section “Security model.”

$Lea k_{i}$ . This game has the following differences from $cLeak$ : first, the simulator responses a semi-functional ciphertext as the challenge ciphertext. Second, the first i keys generated by Ext queries are semi-functional for i = 0, …, q. Remark that the simulator returns normal secret keys for key extraction queries and a semi-functional challenge ciphertext for challenge phase in game $Lea k_{0}$ . Moreover, the simulator returns semi-functional secret keys for key queries in game $Lea k_{q}$ .

$Lea k_{F}$ . It is the same as $Lea k_{q}$ , except that the simulator encrypts a random message to get the challenge ciphertext.

By the following lemmas, we prove these games are indistinguishable.

Lemma 2

Suppose there exists a PPT algorithm A such that ${Adv}_{A, Π}^{cLeak} - {Adv}_{A, Π}^{Lea k_{0}} \geq ε$ . Then, we can build a PPT algorithm B with advantage at least $ε / 2$ in breaking Assumption 1.

Proof

The algorithm B simulates fully the encryption scheme Π as follows. B receives D¹ = (N, G, G_T, e, g₁, g₃) and T where $T = g_{1}^{z}$ or $g_{1}^{z} g_{2}^{v}$ . Then, B randomly chooses $〈 a, b, α, x_{1}, \dots, x_{n} 〉 \leftarrow^{$} Z_{N}^{n + 3}$ and calculates $u_{1} = g_{1}^{a}$ , $h_{1} = g_{1}^{b}, g_{1}^{x_{1}}, \dots, g_{1}^{x_{n}}$ , R₁ = e(g₁, g₁)^α using group element g₁ in Assumption 1. B sets $msk = α$ as the master secret key and has ability to provide two types of secret keys for all identities to answer all key extraction queries and key leakage queries. Moreover, B makes normal ciphertext as well as semi-functional one for any message in the challenge phase.

Both games, B always calculates normal secret keys for all identities as follows. B randomly chooses $〈 r, y_{1}, \dots, y_{n} 〉 \leftarrow^{$} Z_{N}^{n + 1}$ and a random vector $\vec{ρ} \leftarrow^{$} Z_{N}^{n + 2}$ , creates the secret key of identity I

s k_{I} = g_{1}^{y_{1}}, \dots, g_{1}^{y_{n}}, g_{1}^{- r (aI + b)} Π_{i = 1}^{n} g_{1}^{- x_{i} y_{i}}, g_{1}^{r} * g_{3}^{\vec{ρ}}

In the challenge phase, B gets two messages m₀, m₁ and the challenge identity I^* from A. Then, it randomly chooses b ∈ {0, 1}, $x, w \in Z_{N}$ and creates the following challenge ciphertext using the challenge term T from Assumption 1.

$c^{*} = (m_{b} \cdot e (g_{1}, T)^{α}, T^{x_{1}}, \dots, T^{x_{n}}, T, T^{ax + b}, T^{aw}, w_{1}^{*})$ where $w_{1}^{*} = w^{- 1} (I^{*} - x) \mod N$ .

Phase 2: B works in the same way as Phase 1.

If $T = g_{1}^{z}$ , then $c^{*} = (m_{b} \cdot e (g_{1}, g_{1})^{α z}, (g_{1}^{z})^{x_{1}}, \dots, (g_{1}^{z})^{x_{n}}, g_{1}^{z}, (g_{1}^{z})^{ax + b}, (g_{1}^{z})^{aw}, w_{1}^{*})$ which has no $G_{2}$ components. Hence, it is a normal ciphertext. In other words, B has properly simulate game $cLeak$ . Because it set $u_{1} = g_{1}^{a}$ and $h_{1} = g_{1}^{b}$ at the begin, that is, it has $(g_{1}^{z})^{ax + b} = u_{1}^{x} h_{1}$ .

If $T = g_{1}^{z} g_{2}^{v}$ , the challenge ciphertext generated as follows

\begin{matrix} c^{*} = (m_{b} \cdot e {(g_{1}, g_{1})}^{α z}, {(g_{1}^{z} g_{2}^{v})}^{x_{1}}, \dots, \\ {(g_{1}^{z} g_{2}^{v})}^{x_{n}}, g_{1}^{z} g_{2}^{v}, {(g_{1}^{z} g_{2}^{v})}^{ax + b}, {(g_{1}^{z} g_{2}^{v})}^{aw}, w_{1}^{*}) \end{matrix}

This implicitly has s = z. We get the semi-functional parameter $\vec{δ} = v 〈 x_{1}, \dots, x_{n}, (ax + b + aw) 〉$ according to decryption. A plays game $Lea k_{0}$ . Hence, if B answers b = 0 when A succeeds, he has advantage in breaking Assumption 1. Thus, if Assumption 1 holds, these two successive games $cLeak$ and $Lea k_{0}$ are indistinguishable.

Lemma 3

Suppose there exists a PPT algorithm A such that ${Adv}_{A, Π}^{Lea k_{i - 1}} - {Adv}_{A, Π}^{Lea k_{i}} \geq ε (i \in 1, \dots, q)$ . Then, we can build a PPT algorithm B with advantage at least $ε / 2$ in breaking Assumption 2.

Proof

If the challenge instance B simulates fully, the encryption scheme Π as follows. B receives D² = (N, G, G_T, e, g₁, g₃, $g_{1}^{z} g_{2}^{v}$ , $g_{2}^{u} g_{3}^{v}$ ) and T where $T = g_{1}^{w} g_{3}^{σ}$ or $g_{1}^{w} g_{2}^{k} g_{3}^{σ}$ . Then, B constructs the public parameters and the secret parameters as lemma 1. At some point, the adversary A sends identity I to simulator B. B simulates the secret key as below.

If k < i, B generates the semi-functional secret key for identity I as follows

\begin{matrix} s k_{I} = (g_{1}^{z} g_{2}^{v})^{y_{1}}, \dots, (g_{1}^{z} g_{2}^{v})^{y_{n}}, g_{1}^{α} \cdot (g_{1}^{z} g_{2}^{v})^{- x (aI + b)} \\ Π_{i = 1}^{n} g_{1}^{- x_{i} y_{i}}, g_{1}^{z} g_{2}^{v} * g_{3}^{\vec{ρ}} \end{matrix}

If k = i, B simulates the challenge secret key for identity I as follows

s k_{I} = T^{y_{1}}, \dots, T^{y_{n}}, g_{1}^{α} \cdot T^{- (aI + b)} \cdot Π_{i = 1}^{n} T^{- x_{i} y_{i}}, T * g_{3}^{\vec{ρ}}

If k > i, B creates the secret key of identity sk_I like lemma 1.

In challenge phase, B selects two distinct and random messages m₀, m₁ with equal length and the challenge identity I^*. It sends the messages to A. Then, it randomly chooses b ∈ {0, 1}, x, w ∈ Z_N and returns the challenge ciphertext as follows

\begin{matrix} c^{*} = m_{b} \cdot e (g_{1}^{α}, g_{1}^{z} g_{2}^{v}), {(g_{1}^{z} g_{2}^{v})}^{x_{1}}, \dots, {(g_{1}^{z} g_{2}^{v})}^{x_{n}}, \\ g_{1}^{z} g_{2}^{v}, {(g_{1}^{z} g_{2}^{v})}^{ax + b}, {(g_{1}^{z} g_{2}^{v})}^{aw}, w_{1}^{*} \end{matrix}

Here, it has $w_{1}^{*} = w^{- 1} (I^{*} - x) \mod N$ .

This implicitly has s = z and $\vec{δ} = v (x_{1}, \dots x_{n}, 1, a I^{*} + b)$ . Hence, if B answers b = 0 when A succeeds, he has advantage in breaking Assumption 2. Thus, if Assumption 2 holds, $Lea k_{i - 1}$ and $Lea k_{i}$ successive games are indistinguishable.

Lemma 4

Suppose there exists a PPT algorithm A such that ${Adv}_{A, Π}^{Lea k_{p}} - {Adv}_{A, Π}^{Lea k_{F}} \geq ε$ . Then, we can build a PPT algorithm B with advantage at least $ε / 2$ in breaking Assumption 3.

Proof

B simulates fully the encryption scheme Π as follows. B receives D³ = (N, G, G_T, e, g₁, g₂, g₃, $g_{1}^{α} g_{2}^{v}$ , $g_{1}^{z} g_{2}^{u}$ ) and T where $T = e (g_{1}, g_{1})^{α z}$ or $T \in G_{T}$ . The public parameter mpk and the master secret key msk as lemma 1. When B receives secret key queries, he constructs the semi-functional secret key

s k_{I} = 〈 {(g_{1}^{z} g_{2}^{v})}^{y_{1}}, \dots, {(g_{1}^{z} g_{2}^{v})}^{y_{n}}, g_{1}^{α} \cdot {(g_{1}^{z} g_{2}^{v})}^{- x (a I + b)} \prod_{i = 1}^{n} g_{1}^{- x_{i} y_{i}}, g_{1}^{z} g_{2}^{v} 〉 * g_{3}^{\vec{ρ}}

In the challenge phase, the challenge ciphertext generates as follows

\begin{matrix} c^{*} = \\ (m_{b} \cdot T, {(g_{1}^{z} g_{2}^{u})}^{x_{1}}, \dots, {(g_{1}^{z} g_{2}^{u})}^{x_{n}}, g_{1}^{z} g_{2}^{u}, {(g_{1}^{z} g_{2}^{u})}^{ax + b}, {(g_{1}^{z} g_{2}^{u})}^{w}, w_{1}^{*}) \end{matrix}

Here, it has coefficient $w_{1}^{*} = w^{- 1} (I^{*} - x) \mod N$ .

If $T = e (g_{1}, g_{1})^{α z}$ , then this is a semi-functional ciphertext of message m_b. This is because the semi-functional parameters s = z and $\vec{δ} = 〈 u x_{1}, \dots u x_{n}, u, u (a I^{*} + b) 〉$ implicitly $δ_{n + 2} = δ'_{n + 2} + δ_{n + 3} w_{1}$ . It is easy to verify vector $\vec{δ}$ is properly distributed since all terms $〈 x_{1}, \dots, x_{n}, 1, (a I^{*} + b) 〉$ are random modulo $p_{2}$ .

Finally, in game Leak_F value of b is information theoretically hidden from the adversary A. Consequently, A has no advantage in winning Leak_F. Hence, cLeak is indistinguishable from Leak_F if Assumption 1, 2, and 3 hold. As a result, the adversary has negligible advantage in winning game cLeak. Lemma 2, Lemma 3, and Lemma 4 conclude the proof of Theorem 1. Thus, we finish the proof of Theorem 1.

Theorem 2

If Assumptions 1, 2, and 3 hold in G, G_T, our proposed scheme $Π$ has continual leakage resilience in the standard model.

Proof

According to the algorithm UpdateSK given in section “Continual leakage,” we get continual leakage resilience. The algorithm UpdateSK inputs the secret key sk_I, identity I, and master public key mpk and then outputs a new secret key $s k'_{I}$ . In our update algorithm, it picks n + 1 values from Z_N, adds extra G₁ part and G₃ part to all the n + 2 parts of the secret key sk_I in turn. Hence, the generated secret key has the same distribution with the old one. As a result, we achieve continual leakage resilience by calling UpdateSK periodically.

Leakage resilience and performance analysis

In this section, we draw a comparison between the proposed scheme and the existing IBOOE schemes in Table 2. The computation efficiency and offline-storage cost are determined by the computation costs of the encryption algorithm which constitutes two subroutines Enc^off(mpk) and Enc^on(m, mpk, I, c^off). When evaluate the computation efficiency, we omit minor factors such as hash functions. We calculate only the dominant operations which are the exponentiations in G_i or G_T denoted as E and the multi-exponentiations in G_i or G_T denoted as ME. For modular computation in Z_p and Z_N, we denote by m_c(Z_p) and m_c(Z_N). Without loss of generality, we assume that one multi-exponentiation is equal to two exponentiations in group G_i or G_T. Moreover, the size of element in the group G_i and G_T is denoted by |G_i| and |G_T|, the size of element in Z_N is denoted by n. Furthermore, to avoid a large number of calculations at the online encryption phase, we place it in the offline encryption phase. According to Table 2, we can obtain that our proposal have the minimum computation of Enc^on(·,·,·,·) algorithm and achieve leakage resilience. This is suitable for WSNs which were interconnected sensor nodes that communicate wirelessly to collect data about the surrounding circumstance. Moreover, LR and CLR denote the security of leakage resilience and continual leakage resilience, respectively. Even though the offline storage has a larger size than other two traditional IBOOE schemes. From Table 2, it is clear that our scheme resolves the problem of continual leakage resilience which can be obtained naturally using the techniques of dual system encryption.

Table 2.

Comparisons of the existing IBOOE and clr-IBOOE scheme.

	Off-storage	On-encrypt	Assumption	Security model	LR	CLR
CLZ²⁰	4\|G₁\|	ε + 2m_c(Z_p)	DBDH	Standard	×	×
LMG¹⁹	3\|G₁\| + \|G_T\|	2m_c(Z_p)	k-CAA1	ROM	×	×
Ours	(n + 4)\|G₁\| + \|G_T\|	1m_c(Z_N)	1, 2, 3	Standard	√	√

IBOOE: identity-based online/offline encryption; clr-IBOOE: continual leakage-resilient IBOOE; LR: leakage resilience; CLR: continual leakage resilience; DBDH: decisional bilinear Diffie–Hellman.

Conclusion

In this article, we propose the first clr-IBOOE scheme which is suitable for WSNs. Especially, sensor nodes in WSN with limited computation ability, but it also brings some security challenges. To avoid the problems of continual key leakage attacks in the existing IBOOE schemes, we formalize the notion and the security model for clr-IBOOE. Furthermore, we propose the first clr-secure IBOOE scheme based on three static assumptions in composite order groups. To the best of our knowledge, this is the first IBOOE resilient to continual key leakage. It achieves fully secure and continual leakage resilience against chosen plaintext attacks in the standard model. Compared with the schemes,^20,19 performance analysis shows the proposed scheme has low computation overhead in the online encryption phase which is suitable for WSN with limited sensor nodes. As a direction of future work, designing secure IBOOE resilient to master secret key leakage would be another interesting work.

Footnotes

Acknowledgements

The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this article.

Handling Editor: Zheng Chang

Author note

The author Xingbing Fu is now affiliated to Guangxi Key Laboratory of Cryptography and Information Security.

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work is supported by the National Natural Science Foundation of China (No. 61802249, No. U1936213, No. 61902283), the Key Technology Research and Development Program of Sichuan Province and Chengdu Municipality (NO. szjj2015-054), the Project of Shandong Province Higher Educational Science and Technology Program under grant J16LN56, the Weifang Science and Technology Development Plan Project (2017GX002), the Doctoral Research Fund of Weifang University (No. 2015BS11), Zhejiang Provincial Natural Science Foundation of China under Grant No. LY19F020045; Guangxi Key Laboratory of Cryptography and Information Security (No. GCIS201718); the Opening Project of Guangdong Provincial Key Laboratory of Information Security Technology (No. 2017B030314131-05); and the Key Research Project of Zhejiang Province (No. 2017C01062).

ORCID iD

Xiujie Zhang

References

Boneh

Boyen

. Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin

Camenisch

(eds) Advances in cryptology —EUROCRYPT, LNCS 3027. Berlin: Springer, 2004, pp.223–238.

Waters

. Efficient identity-based encryption without random oracles. In: Cramer

(ed.) Advances in Cryptology -EUROCRYPT, LNCS 3494. Berlin: Springer, 2005, pp.114–127.

Gentry

. Practical identity-based encryption without random oracles. In: Vaudenay

(ed.) Advances in Cryptology—EUROCRYPT. Berlin: Springer, 2006, pp.445–464.

Lewko

Waters

. New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Lewko

Waters

(eds) Proceedings of the 7th theory of cryptography conference, LNCS 5978. Berlin: Springer, 2010, pp.455–479.

Naor

Segev

. Public-key cryptosystems resilient to key leakage. SIAM J Comput 2012; 41(4): 772–814.

Akavia

Goldwasser

Vaikuntanathan

. Simultaneous hardcore bits and cryptography against memory attacks. In: Dwork

(ed.) Proceedings of the 6th theory of cryptography conference, LNCS 5444. Berlin: Springer, 2009, pp.474–495.

Alwen

Dodis

Naor

, et al. Public-key encryption in the bounded-retrieval model. In: Advances in Cryptology—EUROCRYPT 2010, 29th annual international conference on the theory and applications of cryptographic techniques, French Riviera, 30 May–3 June 2010, pp.113–134. Berlin, Heidelberg: Springer.

Chow

SSM

Dodis

Rouselakis

, et al. Practical leakage-resilient identity-based encryption from simple assumptions. In: Proceedings of the 17th ACM conference on computer and communications security, Chicago, IL, 4–8 October 2010, pp.152–161. New York: ACM.

Teng

Zhang

, et al. A leakage-resilient CCA-secure identity-based encryption scheme. Comput. J 2016; 59(7): 1066–1075.

10.

Lewko

Waters

. Achieving leakage resilience through dual system encryption. In: Proceedings of the 8th theory of cryptography conference, Providence, RI, 28–30 March 2011, pp.70–88. Berlin, Heidelberg: Springer.

11.

JGYQH

Zhang

. Identity-based broadcast encryption with continuous leakage resilience. Inf Sci 2018; 429: 177–193.

12.

Zhou

Yang

. Continuous leakage-resilient identity-based encryption without random oracles. Comput J 2018; 61(4): 586–600.

13.

Zhou

Yang

, et al. Continuous leakage-resilient access control for wireless sensor networks. Ad Hoc Netw 2018; 80: 41–53.

14.

Zhou

Yang

. Continuous leakage-resilient identity-based encryption with leakage amplification. Des Codes Cryptogr 2019; 87(9): 2061–2090.

15.

Zhang

Wang

HXX

. Identity-based key-exposure resilient cloud storage public auditing scheme from lattices. Inform Sci 2019; 472: 223–234.

16.

Yael

Leonid

. A survey of leakage-resilient cryptography. Prov Sound Found Cryptograp 2019; 727–794: 1–55.

17.

Nie

, et al. Large universe attribute based access control with efficient decryption in cloud storage system. J Syst Softw 2018; 135: 157–164.

18.

Guo

Chen

. Identity-based online/offline encryption. In: Tsudik

(ed.) Financial cryptography and data security, LNCS 5143. Berlin: Springer, 2008, pp.247–261.

19.

Liu

Zhou

. An efficient identity-based online/offline encryption scheme. In: Abdalla

Pointcheval

Fouque

, et al. (eds) Applied cryptography and network security, LNCS 5536. Berlin: Springer, 2009, pp.156–167.

20.

Chu

Liu

Zhou

, et al. Practical ID-based encryption for wireless sensor network. In: Proceedings of the 5th ACM symposium on information, computer and communications security, ASIACCS’10, Beijing, China, 13–16 April 2010, pp.337–340. New York: ACM.

21.

Chow

SSM

Liu

Zhou

. Identity-based online/offline key encapsulation and encryption. In: Proceedings of the 6th ACM symposium on information, computer and communications security, Hong Kong, China, 22–24 March 2011, pp. 52–60. New York: ACM, 2011.

22.

Lai

Guo

, et al. Improved identity-based online/offline encryption. In: Foo

Stebila

(eds) Information security and privacy (20th Australasian Conference, LNCS 9144). Berlin: Springer, 2015, pp. 160–173.

23.

Lai

Guo

. Efficient identity-based online/offline encryption and signcryption with short ciphertext. Int J Inform Secur 2017; 16(3): 299–311.

24.

Xue

Hong

. Distributed access control with adaptive privacy preserving property for wireless sensor networks. Secur Commun Netw 2014; 7(4): 759–773.

Provable secure identity-based online/offline encryption scheme with continual leakage resilience for wireless sensor network

Abstract

Keywords

Introduction

Related work

Motivation and our contribution

Preliminaries

Notations

Composite order bilinear groups

Complexity assumptions

Assumption 1

Assumption 2

Assumption 3

Security theorem

Lemma 1

System architecture and security model

Network model

Specification of clr-IBOOE

Definition 1 (clr-IBOOE)

Security model

Definition 2

Provable secure IBOOE with continual leakage resilience in WSNs

Details of the proposed IBOOE scheme

Continual leakage

Semi-functionality

Procedure of decryption

Security proof and efficiency comparisons

Security proof

Theorem 1

Proof

Lemma 2

Proof

Lemma 3

Proof

Lemma 4

Proof

Theorem 2

Proof

Leakage resilience and performance analysis

Conclusion

Footnotes

Acknowledgements

Author note

Declaration of conflicting interests

Funding

ORCID iD

References