Abstract
The satellite Internet of Things (satellite IoT) is characterised by a large space-time span and highly open communication links. While it effectively extends the spatial reach of the traditional Internet of Things, it also inherits the security threats of both traditional IoT and satellite communication, such as impersonation, replay, tampering and eavesdropping. In this paper, an SM2-based certificateless integrated signature and encryption scheme (SM2-CL-ISE) with key optimization and conditional anonymity is proposed for satellite IoT. Building on it, and incorporating a Geostationary Earth Orbit (GEO) satellite, a Low Earth Orbit (LEO) satellite authentication protocol and a static terminal device authentication protocol are designed. In addition, we prove the security of SM2-CL-ISE under a formal security model and discuss how the proposed authentication protocols satisfy the essential security requirements. To evaluate the effectiveness of the proposed protocols, we conducted several experiments and compared their performance with that of existing protocols. The experimental results show that our scheme achieves more efficient computation at the cost of a slightly increased communication overhead during authentication.
Supported by the National Key Research and Development Program of China (No. 2019YFB2101700).
Appendix A Provable Security of SM2-CL-ISE
Here, we prove Theorem 1 via the following Lemma 1 and Lemma 2.
Lemma 1
If the SM2 certificateless encryption scheme satisfies Type-I-IND-CCA security and the SM2 certificateless signature scheme satisfies Type-I-EU-CMA security, then the SM2-CL-ISE scheme satisfies Type-I joint security.
Proof
Since the SM2-CL-ISE scheme consists of an encryption component and a signature component sharing one key pair, Type-I joint security against a Type-I adversary follows once we show that the encryption component remains Type-I-IND-CCA secure even when the adversary may additionally obtain signatures under the same key. We therefore prove Lemma 1 through the following sequence of games.
Game 0: In a real Type-I joint security experiment, the challenger \(\mathcal {C}\) and the adversary \(\mathcal {A}\) do the following:
Initialization phase: \(\mathcal {C}\) calls the Setup algorithm to generate the master public key \(mpk=(E,a,b,q,\mathbb {G}_1,n,P,\) \(T_{pub},P_{pub},\mathcal {H}_v,\mathcal {H})\), the tracing key \(\alpha \), and the derived key \(\beta \), and initializes the sets \(L = \emptyset \), \(U_1 = \emptyset \), \(U_2 = \emptyset \), \(S = \emptyset \), \(D = \emptyset \), and \(H = \emptyset \). \(\mathcal {C}\) returns the master public key mpk to \(\mathcal {A}\).
First query phase: \(\mathcal {C}\) responds to \(\mathcal {A}\) the following queries:
\(\mathcal {O}_{h}\): Input \((AID,A,G,P_{pub})\). If \((AID,A,G,P_{pub},e)\in H\), \(\mathcal {C}\) retrieves e from H; otherwise, \(\mathcal {C}\) randomly selects \(e\in \mathbb {Z}_n^*\) and updates \(H=H\cup \{(AID,A,G,P_{pub},e)\}\). Finally, \(\mathcal {C}\) returns e to \(\mathcal {A}\).
\(\mathcal {O}_{reg}\): \(\mathcal {A}\) generates a pseudonym \(AID=(AID_1,AID_2)\). If \(AID\notin L\), \(\mathcal {C}\) calls the PKGen algorithm, UKGen algorithm, and SetPK algorithm to generate \((P,s_1,s_2)\), and updates \(L=L\cup \{(AID,P,s_1,s_2)\}\). Otherwise, \(\mathcal {C}\) retrieves P from L. Finally, \(\mathcal {C}\) returns P to \(\mathcal {A}\).
\(\mathcal {O}_{psk}\): Input AID and P. If \(AID\notin L\), \(\mathcal {C}\) calls \(\mathcal {O}_{reg}\) to obtain \((P,s_1,s_2)\), and updates \(L=L\cup \{(AID,P,s_1,s_2)\}\). Otherwise, \(\mathcal {C}\) retrieves \(s_1\) from L. It finally updates \(U_1=U_1\cup \{(AID,P)\}\), and returns \(s_1\) to \(\mathcal {A}\).
\(\mathcal {O}_{usk}\): Input AID and P. If \(AID\notin L\), \(\mathcal {C}\) calls \(\mathcal {O}_{reg}\) to obtain \((P,s_1,s_2)\), and updates \(L=L\cup \{(AID,P,s_1,s_2)\}\). Otherwise, \(\mathcal {C}\) retrieves \(s_2\) from L. It finally updates \(U_2=U_2\cup \{(AID,P)\}\), and returns \(s_2\) to \(\mathcal {A}\).
\(\mathcal {O}_{rpk}\): Input AID and \(P'\). \(\mathcal {C}\) replaces P with \(P'\) in L.
\(\mathcal {O}_{sign}\): Input AID and m. If \(AID\in L\) and P has not been replaced, \(\mathcal {C}\) retrieves \(s_1\) and \(s_2\) from L, calls the SetSK and the ISE-Sign algorithms to generate a signature \(\sigma \), updates \(S=S\cup \{(AID,m)\}\), and returns \((m,\sigma )\) to \(\mathcal {A}\).
\(\mathcal {O}_{dec}\): Given AID and C, if \(AID \in L\) and P has not been replaced, \(\mathcal {C}\) first retrieves \(s_1\) and \(s_2\) from L. It calls the SetSK algorithm to obtain the full private key d, and then calls ISE-Dec to decrypt C to obtain m. Finally, \(\mathcal {C}\) updates \(D = D\cup \{(AID,C)\}\), and returns m to \(\mathcal {A}\).
Challenge phase: \(\mathcal {A}\) submits a challenge \((AID^*, P^*, m_0, m_1)\) with \(|m_0|=|m_1|\) to \(\mathcal {C}\), who selects a random bit \(b \in \{0,1\}\) and computes \(e=\mathcal {H}(AID^*,A,G,P_{pub})\), \(T=P^*+eP_{pub}\), chooses \(r \in \mathbb {Z}_n^*\) uniformly at random, and sets \(C_1^* = rG\), \(W=rT=(x_W,y_W)\), \(f=\mathcal {H}_v(x_W,y_W)\), \(C_2^*=m_b\oplus f\), and \(C_3^*=\mathcal {H}(x_W\,\|\,m_b\,\|\,y_W)\). Finally, \(\mathcal {C}\) returns \(C^*=(C_1^*,C_2^*,C_3^*)\) to \(\mathcal {A}\).
Second query phase: \(\mathcal {A}\) receives the challenge ciphertext \(C^*\) and may again ask the oracles of the first query phase, except that it may neither query \(\mathcal {O}_{psk}\) on \((AID^*,P^*)\) for the partial key \(s_1\) nor query \(\mathcal {O}_{dec}\) on \((AID^*,C^*)\). \(\mathcal {C}\) answers every other query as in the first query phase.
Guessing phase: \(\mathcal {A}\) outputs a guessed bit \(b'\). \(\mathcal {A}\) wins Game 0 if and only if \(b=b'\). Writing \(\Pr [G_i]\) for the probability that \(\mathcal {A}\) wins Game i, define the advantage of \(\mathcal {A}\) as \(Adv_{\mathcal {A}}(\lambda ) = \left| \Pr [G_0] -\frac{1}{2}\right| \).
Game 1: Similar to Game 0, \(\mathcal {C}\) simulates \(\mathcal {A}\)’s queries. The only difference is that \(\mathcal {C}\) no longer responds to \(\mathcal {O}_{reg}\) using a key, but instead uses a random oracle:
\(\mathcal {O}_{reg}\): \(\mathcal {A}\) generates the pseudonym \(AID=(AID_1,AID_2)\) by itself. If \(AID\notin L\), \(\mathcal {C}\) selects \(t,e\in \mathbb {Z}_n^*\) and computes \(A=tG-eP_{pub}\). If H already contains an entry \((AID,A,G,P_{pub},\cdot )\), i.e. \(\mathcal {A}\) has already queried \(\mathcal {O}_h\) at this input, \(\mathcal {C}\) aborts; otherwise it updates \(H=H\cup \{(AID,A,G,P_{pub},e)\}\), records \((AID,A,t)\) in L, and returns \(P=A\) to \(\mathcal {A}\). Because \(A+eP_{pub}=tG\), the scalar t is a valid full private key for the public key A under the programmed hash value e, so \(\mathcal {C}\) can later answer \(\mathcal {O}_{sign}\) and \(\mathcal {O}_{dec}\) for this pseudonym with t alone, without \(s_1\) and without the master key.
Let E be the event that \(\mathcal {C}\) aborts in Game 1. Let \(Q_h\) and \(Q_s\) be the maximum numbers of hash queries and signature queries, respectively. Each freshly chosen point A is uniformly distributed and collides with one of the at most \(Q_h\) entries of H with probability at most \(Q_h/n\), so \(\Pr [E]\le \frac{Q_h Q_s}{n}\le negl(\lambda )\). Since Games 0 and 1 are identical unless E occurs, \(|\Pr [G_1]-\Pr [G_0]| \le \Pr [E] \le negl(\lambda )\). It remains to show that the advantage of \(\mathcal {A}\) in Game 1, \(\left| \Pr [G_1]-\frac{1}{2}\right| \), is negligible.
Assume there exists a PPT adversary \(\mathcal {A}\) that wins Game 1 with non-negligible advantage. We construct a PPT adversary \(\mathcal {B}\) that breaks the Type-I-IND-CCA security of the SM2 certificateless encryption scheme with non-negligible advantage. \(\mathcal {B}\) forwards the encryption-related queries of \(\mathcal {A}\) (hash, key, public-key replacement and decryption queries, and the challenge) to its own Type-I-IND-CCA challenger, and answers \(\mathcal {O}_{sign}\) itself: in Game 1 the value t fixed in \(\mathcal {O}_{reg}\) lets \(\mathcal {C}\) sign for a registered pseudonym without any key material from the challenger, so the signature oracle adds nothing that \(\mathcal {B}\) cannot simulate. \(\mathcal {B}\) finally outputs the bit \(b'\) guessed by \(\mathcal {A}\) as its own guess. \(\mathcal {B}\) thus simulates Game 1 faithfully and inherits the advantage of \(\mathcal {A}\), contradicting the Type-I-IND-CCA security of the encryption scheme.
In conclusion, \(\left| \Pr [G_0]-\frac{1}{2}\right| \le |\Pr [G_0]-\Pr [G_1]| + \left| \Pr [G_1]-\frac{1}{2}\right| \), and both terms on the right are negligible, so the advantage of \(\mathcal {A}\) in Game 0 is negligible. Therefore, Lemma 1 is proved.
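The challenge-phase encryption of Game 0 and the oracle-programming step of Game 1 (\(A=tG-eP_{pub}\)) are easier to follow in code. What follows is an added example, not code from the paper: a small Python model over the sm2p256v1 curve. It assumes SHA-256 in place of SM3 for \(\mathcal {H}\) and \(\mathcal {H}_v\), and assumes that \(s_1\) and \(s_2\) combine into the full key d as in the Cheng and Chen SM2-based certificateless construction (so that \(dG=P+eP_{pub}\)), which the appendix does not spell out. All function and variable names are the example's own.

```python
"""Added example (not the paper's code): SM2-style certificateless encryption as in the
Lemma 1 challenge phase, plus the Game 1 trick of programming H so the simulator holds a
pseudonym's full secret key without the master key. SHA-256 stands in for SM3."""
import hashlib
import secrets
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF  # sm2p256v1 (GB/T 32918)
a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

def add(P, Q):
    """Affine chord-and-tangent law; illustrative, not constant-time."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return INF
    if P == Q:
        lam = (3 * P[0] * P[0] + a) * pow(2 * P[1], -1, p) % p
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(k, P):
    R = INF
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def enc(P): return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")
def rand_zn(): return secrets.randbelow(n - 1) + 1

def hash_e(aid, A, Ppub, table=None):
    """e = H(AID, A, G, P_pub) in Z_n^*; `table` holds the simulator's programmed values."""
    if table is not None and (aid, A) in table:
        return table[(aid, A)]
    h = hashlib.sha256(aid + enc(A) + enc(G) + enc(Ppub)).digest()
    return int.from_bytes(h, "big") % (n - 1) + 1

def kdf(seed, length):
    """H_v as a counter-mode KDF (SM2 KDF shape, SHA-256 for SM3)."""
    out, ctr = b"", 1
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def register(aid, s, Ppub):
    """Honest UKGen/PKGen/SetPK/SetSK in one run (assumed Cheng-Chen shape): user secret
    x (= s2), KGC randomness w, partial key s1 = w + e*s, full key d = s1 + x."""
    x, w = rand_zn(), rand_zn()
    A = add(mul(x, G), mul(w, G))        # public key P = A
    s1 = (w + hash_e(aid, A, Ppub) * s) % n
    return A, (s1 + x) % n               # d, with d*G = A + e*P_pub = T

def ise_encrypt(aid, A, Ppub, m, table=None):
    """Challenge-phase encryption: C1 = rG, W = rT, C2 = m xor H_v(W), C3 = H(x_W||m||y_W)."""
    T = add(A, mul(hash_e(aid, A, Ppub, table), Ppub))   # full public key, no certificate
    r = rand_zn()
    xW, yW = mul(r, T)
    xb, yb = xW.to_bytes(32, "big"), yW.to_bytes(32, "big")
    C2 = bytes(mi ^ fi for mi, fi in zip(m, kdf(xb + yb, len(m))))
    return mul(r, G), C2, hashlib.sha256(xb + m + yb).digest()

def ise_decrypt(d, C):
    C1, C2, C3 = C
    xW, yW = mul(d, C1)                  # d*C1 = r*d*G = r*T = W
    xb, yb = xW.to_bytes(32, "big"), yW.to_bytes(32, "big")
    m = bytes(ci ^ fi for ci, fi in zip(C2, kdf(xb + yb, len(C2))))
    return m if hashlib.sha256(xb + m + yb).digest() == C3 else None  # None: O_dec rejects

def simulate_registration(aid, Ppub, table):
    """Game 1 O_reg: choose t, e, set A = tG - e*P_pub and program H(AID, A, ...) = e, so
    A + e*P_pub = tG and t serves as the pseudonym's full secret key (no s1, no master key)."""
    t, e = rand_zn(), rand_zn()
    eP = mul(e, Ppub)
    A = add(mul(t, G), (eP[0], -eP[1] % p))
    if (aid, A) in table:                # event E: H already fixed at this input
        return None
    table[(aid, A)] = e
    return A, t

def demo():
    s = rand_zn(); Ppub = mul(s, G)      # KGC master secret key and P_pub
    aid, m = b"AID-LEO-07", b"telemetry frame 42"          # constructed inputs
    A, d = register(aid, s, Ppub)
    C1, C2, C3 = ise_encrypt(aid, A, Ppub, m)
    honest_ok = ise_decrypt(d, (C1, C2, C3)) == m
    tamper_rejected = ise_decrypt(d, (C1, bytes([C2[0] ^ 1]) + C2[1:], C3)) is None
    table = {}
    A_sim, t = simulate_registration(aid, Ppub, table)
    key_matches = add(A_sim, mul(hash_e(aid, A_sim, Ppub, table), Ppub)) == mul(t, G)
    sim_ok = ise_decrypt(t, ise_encrypt(aid, A_sim, Ppub, m, table)) == m
    return honest_ok, tamper_rejected, key_matches, sim_ok
```

`demo()` returns four booleans: honest decryption recovers m; a ciphertext with one flipped byte of \(C_2\) is rejected by the \(C_3\) check, which is the integrity test that keeps \(\mathcal {O}_{dec}\) answers useless for mauled ciphertexts; the simulator's programmed pseudonym satisfies \(A+eP_{pub}=tG\); and the simulator decrypts for that pseudonym with t alone. The curve arithmetic is textbook affine code and not constant-time; it models the proof, not a deployable implementation.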
Lemma 2
If the SM2 certificateless encryption scheme satisfies Type-II-IND-CCA security and the SM2 certificateless signature scheme satisfies Type-II-EU-CMA security, then the SM2-CL-ISE scheme is Type-II joint-secure.
Proof
The proof of Lemma 2 is similar to that of Lemma 1, with two main differences: (1) In Game 0, the adversary \(\mathcal {A}\) of Lemma 2 cannot query \(\mathcal {O}_{rpk}\) but can query \(\mathcal {O}_{dk}\), so there is no need to restrict \(\mathcal {O}_{sign}\) and \(\mathcal {O}_{dec}\) to public keys that have not been replaced; (2) In Game 1, since the adversary \(\mathcal {A}\) holds the derived key \(\beta \), \(\mathcal {C}\) only needs to answer \(\mathcal {O}_{sign}\) without the user's secret value \(s_2=b\), which can be simulated in the generic model. Therefore, the Type-II joint security of the SM2-CL-ISE scheme likewise reduces to the Type-II-IND-CCA security of the SM2 certificateless encryption scheme, which proves Lemma 2.
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Tian, M., Li, F., Geng, K., Kou, W., Guo, C. (2023). A Certificateless Conditional Anonymous Authentication Scheme for Satellite Internet of Things. In: Wang, D., Yung, M., Liu, Z., Chen, X. (eds) Information and Communications Security. ICICS 2023. Lecture Notes in Computer Science, vol 14252. Springer, Singapore. https://doi.org/10.1007/978-981-99-7356-9_17
DOI: https://doi.org/10.1007/978-981-99-7356-9_17
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7355-2
Online ISBN: 978-981-99-7356-9