A Certificateless Conditional Anonymous Authentication Scheme for Satellite Internet of Things

  • Conference paper
Information and Communications Security (ICICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14252)

Abstract

The satellite Internet of Things (satellite IoT) is characterized by a large space-time span and highly open communication links. While it effectively expands the spatial capability of the traditional Internet of Things, it also faces the security threats of both the traditional Internet of Things and satellite communication, such as impersonation, replay, tampering and eavesdropping. In this paper, an SM2-based certificateless integrated signature and encryption scheme (SM2-CL-ISE) with key optimization and conditional anonymity is proposed for satellite IoT. Then, incorporating a Geostationary Earth Orbit (GEO) satellite, a Low Earth Orbit (LEO) satellite authentication protocol and a static terminal device authentication protocol are designed. In addition, we prove the security of SM2-CL-ISE under the formal security model, and further discuss how the proposed authentication schemes satisfy the essential security requirements. To evaluate the effectiveness of our proposed protocols, we conducted several experiments and compared their performance with that of existing protocols. The experimental results show that our scheme achieves more efficient performance with a slightly increased communication overhead on authentication.

Supported by the National Key Research and Development Program of China (No. 2019YFB2101700).

Corresponding author

Correspondence to Chao Guo.

Appendix A Provable Security of SM2-CL-ISE

Here, we prove Theorem 1 via the following Lemma 1 and Lemma 2.

Lemma 1

If the SM2 certificateless encryption scheme satisfies Type-I-IND-CCA security and the SM2 certificateless signature scheme satisfies Type-I-EU-CMA security, then the SM2-CL-ISE scheme satisfies Type-I joint security.

Proof

Since the SM2-CL-ISE scheme consists of encryption and signature components, for a Type-I adversary, Type-I joint security can be proven if it can be shown that the encryption part satisfies Type-I-IND-CCA security in the presence of signature queries. Therefore, this paper proves Lemma 1 through the following game simulation.

Game 0: In a real Type-I joint security experiment, the challenger \(\mathcal {C}\) and the adversary \(\mathcal {A}\) do the following:

Initialization phase: \(\mathcal {C}\) calls the Setup algorithm to generate the master public key \(mpk=(E,a,b,q,\mathbb {G}_1,n,P,T_{pub},P_{pub},\mathcal {H}_v,\mathcal {H})\), the tracing key \(\alpha \), and the derived key \(\beta \), and initializes the sets \(L = \emptyset \), \(U_1 = \emptyset \), \(U_2 = \emptyset \), \(S = \emptyset \), \(D = \emptyset \), and \(H = \emptyset \). \(\mathcal {C}\) returns the master public key mpk to \(\mathcal {A}\).

First query phase: \(\mathcal {C}\) answers the following queries from \(\mathcal {A}\):

\(\mathcal {O}_{h}\): Input \((AID,A,G,P_{pub})\). If \(\{(AID,A,G,P_{pub},e)\}\in H\), \(\mathcal {C}\) retrieves e from H; otherwise, \(\mathcal {C}\) randomly selects \(e\in \mathbb {Z}_n^*\) and updates \(H=H\cup \{(AID,A,G,P_{pub},e)\}\). Finally, \(\mathcal {C}\) returns e to \(\mathcal {A}\).

\(\mathcal {O}_{reg}\): \(\mathcal {A}\) generates a pseudonym \(AID=(AID_1,AID_2)\). If \(AID\notin L\), \(\mathcal {C}\) calls the PKGen algorithm, UKGen algorithm, and SetPK algorithm to generate \((P,s_1,s_2)\), and updates \(L=L\cup \{(AID,P,s_1,s_2)\}\). Otherwise, \(\mathcal {C}\) retrieves P from L. Finally, \(\mathcal {C}\) returns P to \(\mathcal {A}\).

\(\mathcal {O}_{psk}\): Input AID and P. If \(AID\notin L\), \(\mathcal {C}\) calls \(\mathcal {O}_{reg}\) to obtain \((P,s_1,s_2)\), and updates \(L=L\cup \{(AID,P,s_1,s_2)\}\). Otherwise, \(\mathcal {C}\) retrieves \(s_1\) from L. It finally updates \(U_1=U_1\cup \{(AID,P)\}\), and returns \(s_1\) to \(\mathcal {A}\).

\(\mathcal {O}_{usk}\): Input AID and P. If \(AID\notin L\), \(\mathcal {C}\) calls \(\mathcal {O}_{reg}\) to obtain \((P,s_1,s_2)\), and updates \(L=L\cup \{(AID,P,s_1,s_2)\}\). Otherwise, \(\mathcal {C}\) retrieves \(s_2\) from L. It finally updates \(U_2=U_2\cup \{(AID,P)\}\), and returns \(s_2\) to \(\mathcal {A}\).

\(\mathcal {O}_{rpk}\): Input AID and \(P'\). \(\mathcal {C}\) replaces P with \(P'\) in L.

\(\mathcal {O}_{sign}\): Input AID and m. If \(AID\in L\) and P has not been replaced, \(\mathcal {C}\) retrieves \(s_1\) and \(s_2\) from L, calls the SetSK and the ISE-Sign algorithms to generate a signature \(\sigma \), updates \(S=S\cup \{(AID,m)\}\), and returns \((m,\sigma )\) to \(\mathcal {A}\).

\(\mathcal {O}_{dec}\): Given AID and C, if \(AID \in L\) and P has not been replaced, \(\mathcal {C}\) first retrieves \(s_1\) and \(s_2\) from L. It calls the SetSK algorithm to obtain the full private key d, and then calls ISE-Dec to decrypt C to obtain m. Finally, \(\mathcal {C}\) updates \(D = D\cup \{(AID,C)\}\), and returns m to \(\mathcal {A}\).

Challenge phase: \(\mathcal {A}\) submits a challenge \((AID^*, P^*, m_1, m_2)\) to \(\mathcal {C}\), who selects a random bit \(b \in \{0,1\}\) and computes \(e=\mathcal {H}(AID^*,A,G,P_{pub})\), \(T=P^*+eP_{pub}\), \(r \in \mathbb {Z}_n^*\), \(C_1^* = rG\), \(W=rT=(x_W,y_W)\), \(f=\mathcal {H}_v(x_W,y_W)\), and \(C_2^*=m_b\oplus f\), \(C_3^*=\mathcal {H}(x_W||m_b||y_W)\). Finally, \(\mathcal {C}\) returns \(C^*=(C_1^*,C_2^*,C_3^*)\) to \(\mathcal {A}\).

Second query phase: \(\mathcal {A}\) receives the challenge ciphertext \(C^*\) and is allowed to ask the various oracles from the first query phase, but is forbidden from asking for the key \(s_1\) corresponding to \((AID^*,P^*)\) and the plaintext \(m_b\) corresponding to \((AID^*,C^*)\). \(\mathcal {C}\) responds to each query as in the first query phase.

Guessing phase: \(\mathcal {A}\) outputs a guessed bit \(b'\). \(\mathcal {A}\) wins Game 0 if and only if \(b=b'\). According to the definition of Game 0, let \(Adv_{\mathcal {A}}(\lambda ) = \Pr [G_0] -\frac{1}{2}\).

Game 1: Similar to Game 0, \(\mathcal {C}\) simulates \(\mathcal {A}\)’s queries. The only difference is that \(\mathcal {C}\) no longer responds to \(\mathcal {O}_{reg}\) using a key, but instead uses a random oracle:

\(\mathcal {O}_{reg}\): \(\mathcal {A}\) generates pseudonymous information \(AID=(AID_1,AID_2)\) by itself. If \((AID,A)\notin L\), then \(\mathcal {C}\) selects \(t,e\in \mathbb {Z}_n^*\), calculates \(A=tG-eP_{pub}\), updates \(H=H\cup \{(AID,A,G,P_{pub},e)\}\), and returns \(P_1=A\) to \(\mathcal {A}\). If \((AID,*)\in L\), then \(\mathcal {C}\) aborts the response.

Let E be the event of \(\mathcal {C}\) aborting the response in Game 1. Let \(Q_h\) and \(Q_s\) be the maximum numbers of hash queries and signature queries, respectively. Then the probability that event E occurs is \(\Pr [E]\le \frac{Q_h Q_s}{n}\le negl(\lambda )\), which implies that \(|\Pr [G_1]-\Pr [G_0]| \le \Pr [E] \le negl(\lambda )\). Furthermore, we show that \(\Pr [G_1]\) is negligible.

Assume there exists a PPT adversary \(\mathcal {A}\) that wins Game 1 with a non-negligible advantage. We can construct a PPT adversary \(\mathcal {B}\) that breaks the Type-I-IND-CCA security of the SM2 certificateless encryption scheme with non-negligible probability. This is mainly because in Game 1, \(\mathcal {C}\) can respond to \(\mathcal {O}_{sign}\) without any key information by relying on \(\mathcal {O}_{reg}\). Therefore, \(\mathcal {B}\) can directly use the guessed result \(b'\) from Game 1 as the guess for the Type-I-IND-CCA security of the SM2 certificateless encryption scheme, and thus \(\mathcal {B}\) successfully simulates Game 1.

In conclusion, based on the values of \(|\Pr [G_1] - \Pr [G_0]|\) and \(\Pr [G_1]\) being negligible, \(\Pr [G_0]\) is negligible. Therefore, Lemma 1 is proved.
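The algebra behind the Game 1 simulation of \(\mathcal {O}_{reg}\) and the challenge-phase encryption, as an added Python example that is not code from the paper. It assumes a toy 19-element curve instead of SM2's, SHA-256 as a stand-in for \(\mathcal {H}_v\), takes \(P^*=A\), omits \(C_3^*\), and uses hypothetical function names; `open_with_t` goes one step beyond the text to show the consequence of \(T=A+eP_{pub}=tG\), namely \(W=rT=tC_1^*\).

```python
import hashlib, secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17, prime order n = 19 (constructed, not SM2's curve).
p, a, n, G = 17, 2, 19, (5, 1)

def add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, p) if P == Q
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    """Double-and-add scalar multiplication (k reduced mod n)."""
    R, k = None, k % n
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def kdf(W, length):
    """Stand-in for H_v: SHA-256 over the coordinates of W (assumption)."""
    return hashlib.sha256(repr(W).encode()).digest()[:length]

H = {}  # programmed random-oracle table, the set H in the proof

def o_reg_sim(AID, P_pub):
    """Game 1 O_reg: pick t, e, set A = tG - e*P_pub, program H to return e."""
    t, e = 1 + secrets.randbelow(n - 1), 1 + secrets.randbelow(n - 1)
    A = add(mul(t, G), mul(n - e, P_pub))  # (n - e)*P_pub equals -e*P_pub
    H[(AID, A, G, P_pub)] = e
    return A, t

def challenge_encrypt(AID, P_star, P_pub, m):
    """Challenge-phase C1 and C2 as in Game 0; T is returned for inspection."""
    e = H[(AID, P_star, G, P_pub)]
    T = add(P_star, mul(e, P_pub))
    r = 1 + secrets.randbelow(n - 1)
    W = mul(r, T)
    return mul(r, G), bytes(x ^ y for x, y in zip(m, kdf(W, len(m)))), T

def open_with_t(t, C1, C2):
    """Since T = tG, W = rT = t*C1, so t alone recovers the mask f."""
    return bytes(x ^ y for x, y in zip(C2, kdf(mul(t, C1), len(C2))))
```

The simulator never touches the discrete logarithm of \(P_{pub}\): programming \(e\) into the table is what makes \(T\) a point whose logarithm \(t\) it knows.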

Lemma 2

If the SM2 certificateless encryption scheme satisfies Type-II-IND-CCA security and the SM2 certificateless signature scheme satisfies Type-II-EU-CMA security, then the SM2-CL-ISE scheme is Type-II joint-secure.

Proof

The proof of Lemma 2 is similar to that of Lemma 1, with two main differences: (1) In Game 0, the adversary \(\mathcal {A}\) of Lemma 2 cannot query \(\mathcal {O}_{rpk}\), but can query \(\mathcal {O}_{dk}\). This implies that there is no need to restrict P from being replaced in \(\mathcal {O}_{sign}\) and \(\mathcal {O}_{dec}\); (2) In Game 1, since the adversary \(\mathcal {A}\) obtains the derived key \(\beta \), \(\mathcal {C}\) only needs to respond to \(\mathcal {O}_{sign}\) without using the user’s second private key \(s_2=b\), which can be successfully simulated in the generic model. Therefore, the Type-II joint security of the SM2-CL-ISE scheme can also be reduced to the Type-II-IND-CCA security of the SM2 certificateless encryption scheme, thus proving Lemma 2.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Tian, M., Li, F., Geng, K., Kou, W., Guo, C. (2023). A Certificateless Conditional Anonymous Authentication Scheme for Satellite Internet of Things. In: Wang, D., Yung, M., Liu, Z., Chen, X. (eds) Information and Communications Security. ICICS 2023. Lecture Notes in Computer Science, vol 14252. Springer, Singapore. https://doi.org/10.1007/978-981-99-7356-9_17

  • DOI: https://doi.org/10.1007/978-981-99-7356-9_17

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7355-2

  • Online ISBN: 978-981-99-7356-9

  • eBook Packages: Computer Science (R0)
