- About this Journal ·
- Abstracting and Indexing ·
- Advance Access ·
- Aims and Scope ·
- Annual Issues ·
- Article Processing Charges ·
- Articles in Press ·
- Author Guidelines ·
- Bibliographic Information ·
- Citations to this Journal ·
- Contact Information ·
- Editorial Board ·
- Editorial Workflow ·
- Free eTOC Alerts ·
- Publication Ethics ·
- Reviewers Acknowledgment ·
- Submit a Manuscript ·
- Subscription Information ·
- Table of Contents

International Journal of Distributed Sensor Networks

Volume 2013 (2013), Article ID 818917, 10 pages

http://dx.doi.org/10.1155/2013/818917

## Noncommutative Lightweight Signcryption for Wireless Sensor Networks

^{1}Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China^{2}School of Computer Science, Communication University of China, Beijing 100024, China^{3}School of Computer Science and Engineering, The University of Aizu, Aizu Wakamatsu 965-8580, Japan^{4}Department of Information and Electronic Engineering, Muroran Institute of Technology, Muroran 050-8585, Japan

Received 3 January 2013; Accepted 6 February 2013

Academic Editor: Anfeng Liu

Copyright © 2013 Lize Gu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Key management techniques for secure wireless-sensor-networks-based applications must minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility. Signcryption is the proper primitive to do this. However, existing signcryption
schemes are heavyweight and not suitable for resource-limited sensors. In this paper, we at first propose a braid-based signcryption
scheme and then develop a key establishment protocol for wireless sensor networks. From the complexity view, our proposal is 2^{15}
times faster than RSA-based ones. As far as we know, our proposal is the first signcryption scheme based on noncommutative
algebraic structures.

#### 1. Introduction

Wireless sensor networks (WSNs) consist of a large number of micro, low-cost, low-power, and spatially distributed autonomous devices using sensors to cooperatively monitor physical or environmental conditions [1, 2]. WSNs are often deployed in potentially adverse or even hostile environment so that there are concerns on security issues therein. To protect the confidentiality and privacy of WSN-oriented applications, the traditional symmetric (i.e., private-key), even lightweight, cryptography is often used. A well-known drawback to do this is that the symmetric cryptography is not as flexible as the asymmetric (i.e., public-key) cryptography. The main obstacle of using public-key cryptography in WSNs is that with limited memory, computing and communication capacity, and power supply, sensor nodes cannot employ sophisticated cryptographic operations such as modular exponentiation and pairing computation. Therefore, it is interesting to probe new efficient and lightweight implementations on some wellknown public-key cryptographic primitives, such as what has been done in TinyECC [3] and in MicroECC [4]. No matter which type cryptography is adopted, key establishment is one of the utmost concerns. At least, key establishment techniques for a secure WSN-based application must minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility [5].

Signcryption, now an international standard for data protection (ISO/IEC 29150, Dec 2011), was invented in 1996 and first disclosed to the public at CRYPTO 1997 [6, 7]. It is a data security technology by which confidentiality is protected and authenticity is achieved seamlessly at the same time. This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFIDs) and wireless sensor networks, to perform high-level security functions. And, by performing these two functions simultaneously, we can save resources, be it an individual’s time or be it energy, as it will take less time to perform the task. Therefore, signcryption is very suitable for key management in wireless sensor networks and other resource-constrained environments.

Since the invention of the primitive of signcryption, various constructions were proposed and most of them are based on three kinds of cryptographic assumptions. The first category assumes that the integer factoring problem (IFP) is intractable, such as the constructions in [8, 9]. The second category assumes that the discrete logarithm problem (DLP) over finite fields or elliptic curves (i.e., ECDLP) is intractable, such as the constructions in [10, 11]. In this category, some constructions further utilize the bilinear pairing to enhance the functionalities and performance, such as the constructions in [12, 13]. The third category is based on some lattice hard problems [14, 15]. Up to now, the last category attracts a lot of attention since the so-called quantum attack-resistant property. However, these existing lattice-based signcryptions have disadvantage in key sizes. Thus, it is interesting to probe new construction of signcryption based on other cryptographic primitives than IFP- and DLP-related ones and meanwhile keeping the potential of quantum attack resistance.

Under this background, some noncommutative groups have attracted the attention. One of the most popular groups in this category is the braid group. At CRYPTO 2000, Ko et al. [16] proposed the first fully fledged braid-based cryptosystem. In braid-based cryptographic schemes [16–24], the conjugacy search problem (CSP) (i.e., given two braids and , output the braid ) and its variants play a core role. Although many heuristic attacks, such as length-based attacks linear representation attacks, have obtained remarkable success in attacking braid-based cryptosystems and lowered the initial enthusiasm on this subject, there is no deterministic polynomial algorithms that can solve the CSP problem over braid groups [25] till now. On one hand, Birman et al. launched a project, referred to as BGGM project, to find polynomial algorithms for solving the CSP problem over Garside groups, including braid groups [26–28]. The BGGM project might be the strongest efforts known for solving the CSP problem over braid groups in polynomial-time (with respect to the input size). Up to now, the BGGM project has already made a great progress; except for rigid pseudo-Anosolov braids, the CSP instances over other braids can be solved in polynomial time [28]. On the other hand, some researchers still keep on finding hard instances of the CSP problem in braid groups. For examples, in 2007, Ko et al. [29] proposed some ideas on generating hard instances for braid cryptography, and in 2010, Prasolov [30] constructed some small braids with large ultra summit set (USS). Prasolov’s result represents a frustration toward the BGGM project, but an encouragement toward the intractability assumption of the CSP problem over braid groups. According to [31], if and are random braids, then the length of is, with a high probability, about the length of plus the double of the length of . This is the reason why the length-based attacks work. This also suggests that one can defeat the length-based attacks by requiring that the length of is closer to the length of . This in turn requires that should lie in its super summit set (SSS) [31]. We know that . Therefore, if we can work with the braids suggested by Prasolov, then we reach the point to instantiate our proposal with braid groups in a secure manner.

Another promising observation coming from [23] is that braid operations can be implemented with a complexity level of about bit operations, while the complexity level of the exponentiation over 1024 bit RSA modular is about bit operations. This suggests that braid-based cryptosystems admit ultra efficient, even lightweight, implementations.

The main motivation of this paper covers two aspects: the first is to design a lightweight signcryption scheme based on noncommutative groups assuming that the CSP problem over the underlying groups are intractable, and the second is to construct efficient key management protocols for wireless sensor networks.

The rest contents are organized as follows. In Section 2, we at first give a simple introduction to the braid group, and then introduce the left self-distributive system and its properties. A building block—braid-based signcryption scheme is proposed in Section 3, and the full description of the key management protocol for wireless sensor networks is developed in Section 4. Performance evaluation and comparisons, including security level analysis, are given in Section 5, respectively. Concluding remarks are given in Section 6.

#### 2. Preliminaries

##### 2.1. Braid Group and Related Cryptographic Problems

The -braid group is presented by the Artin generators and relations for and for (). Braid groups also admit a very intuitively geometrical illustration: the identity of braid groups, that is, the empty braid , and the Artin generators (e.g., in ) as shown in Figure 1 [23].

Geometrically, the product of two braids is the braid obtained by merging the tail of the first braid with the head of the second braid. For example, Figure 2 shows the braid [23].

There is a natural automorphism from to the integer additive group and this means that is infinite and commutative. But for , the braid group is infinite and noncommutative. In addition, for each , the identity mapping on naturally induces an embedding of into [23].

For arbitrary two braids , we say they are conjugate, written as , if for some . Here or is called a conjugator. The conjugacy deciding problem (CDP) is to determine whether for a given instance , while the conjugator searching problem (CSP) is to find a braid such that for a given instance with . At present, we know that both CDP and CSP over braid groups are solvable; that is, there is a deterministic algorithm that stops after finite steps, not necessarily polynomially bounded, and outputs an accurate solution. However, it seems that both of them are, at least in worst cases, intractable; that is, there is no probabilistic polynomial time algorithms that output an accurate solution with nonnegligible probability (with respect to the length of description of the input instances) [20, 21, 23].

In sequel, we use to denote the conjugate braid when . Meanwhile, we also use to denote the multiplication braid when .

##### 2.2. Conjugacy-Based Left Self-Distributive Systems

Under the intractability assumption of the conjugator search problems over certain noncommutative semigroups, Wang et al. [24] proposed several public-key cryptosystems based on conjugacy-based left self-distributive systems. The notations and related constructions are helpful for developing our main proposal in this paper. Therefore, let us recall the definition of the left self-distributive system that was firstly postulated by Dehornoy [32].

*Definition 1 (left self-distributive system LD [32]). *Suppose that is a nonempty set, is a well-defined function and let us denote by . If the following rewritten formula holds
then, we call a left self-distributive system, abbreviated as LD system.

The terminology “left self-distributive” arises from the following analogical observation: if we consider as a binary operation , then the formula (1) becomes
that is, the operation “” is left self-distributive with respect to itself [32].

One can define the following LD system, named as Conj-LD system, which means an abbreviation of left self-distributive system defined by conjugate operations.

*Definition 2 (Conj-LD system [24]). *Let be a noncommutative semigroup and the set of all invertible elements. The binary function given by the following conjugate operation:
is an LD system, abbreviated as Conj-LD.

It is easy to see that caters to the rewritten formula (1). Thus, is an LD system [24].

Proposition 3 (power law [24]). *Let be a Conj-LD system defined over a noncommutative semigroup . Suppose that and are given and fixed. Then, for arbitrary three positive integers , , and such that , one has
*

*Remark 4. *By using the notation of , the intractability assumption of the CSP problem in can be reformulated as follows: it is hard to retrieve from the given pair such that (see more details in [24]).

*Definition 5 (CSP-based decisional Diffie-Hellman: CSP-DDH [24]). *Let be a Conj-LD system defined over a noncommutative semigroup and let be an adversary. For arbitrary and , consider the following two experiments in a paralleled manner (see Table 1). Now define the advantage of in violating the CSP-based decisional Diffie-Hellman assumption as

Intuitively, the CSP-DDH assumption states that the distributions: are computationally indistinguishable when are drawn at random.

*Remark 6. *Intuitively, it is hard to solve the CSP-DDH problem without solving the CSP problem if is modeled as a generic semigroup model. According to [33], we know that the discrete logarithm problem (DLP) over finite fields and the corresponding DDH problem are polynomially equivalent in a generic cyclic group. By an analogical manner, we speculate that the CSP problem and the CSP-DDH problem in a generic noncommutative semigroup are polynomially equivalent (see more details in [24]).

##### 2.3. The Fujisaki-Okamoto Transformation [34, 35]

Without loss of generality, a public-key encryption scheme can be defined as a triple , where (i)is the key generation algorithm that takes as input a system security parameter and outputs a public-/private-key pair . In general, this algorithm can be formulated as . (ii) is the encryption algorithm that takes as inputs the public-key and a message and outputs a ciphertext , where and are message space and ciphertext space, respectively. In general, this algorithm can be formulated as or when it is necessary to specify the random salt used in the encryption process. (iii) is the decryption algorithm that takes as inputs the secret key and a ciphertext and outputs a message or a symbol , which indicates that is invalid. In general, this algorithm can be formulated as .

In general, as for public-key encryption, one-wayness against chosen plaintext attacks (OW-CPA) is the lowest security requirement, while indistinguishability against adaptively chosen ciphertext attacks (IND-CCA2) is the most desirable and the standard security requirement. Cryptographic practise shows that it is always easier to design an OW-CPA secure encryption scheme than to directly design an IND-CCA2 secure one. Thus, it is desirable to have a general method for transforming an OW-CPA secure encryption scheme to an IND-CCA2 secure one [35]. Fortunately, one of this methods was invented by Fujisaki and Okamoto [34] at PKC 1999.

Theorem 7 (FO transformation [34]). *Suppose and are two random oracles with required domains and ranges, respectively. Given a public-key encryption scheme
**
that achieves the security of one-wayness against chosen plaintext attacks (OW-CPA), one can get another public-key encryption scheme
**
that achieves the security of indistinguishability against adaptively chosen ciphertext attacks (IND-CCA2), where *(1)*key generation algorithm is identical to ; *(2)*encryption algorithm is defined as
where is picked at random; *(3)*decryption algorithm performs the following steps: (a) ; (b); (c)output if and otherwise.*

#### 3. Building Block: Noncommutative Signcryption

Before describing our proposal for WSN key management, let us at first propose a signcryption scheme from noncommutative semigroups where the CSP-related assumptions hold. We will see later, when this scheme is instantiated by using braids, we obtain a very efficient signcryption scheme that is times faster than RSA-based signcryption (suppose that 1024 bit RSA modulus were used).

Suppose that is a noncommutative semigroup so that the CSP problem and the CSP-DDH problem over are intractable. Then, the public parameters of the proposed signcryption are given by a quintuple , where (i) is a description of and . Without loss of generality, we assume the length of is bounded by for finite . When is infinite but admits a finite presentation, say , the length of is the sum of the length of and the length of . However, for braid group , admits even efficient description since whenever the braid index is given, the generator set and the relation set (, ) is totally specified. That is, for braid group , ; (ii) and are two fixed elements that are picked at random; (iii) and are two cryptographic hash functions that are modeled as random oracles.

Then, the proposed signcryption scheme consists of the following three algorithms: (i), key generation algorithm that takes as input the system security parameter , picks an integer at random calculates , and finally outputs as the private-/public-key pair.(ii), signcryption algorithm that takes as inputs the sender’s private-key , the receiver’s public-key , and the message , and performs the following steps: (1) pick at random; (2) compute where operator “” should be viewed as XOR operation over bit-strings that are encoding results of a pair in ; (3) output .

Theorem 8. *The proposed signcryption is consistent.*

*Proof. *Suppose that the sender and the receiver performs honestly, and their inputs are well formed. That is, and . Then, since
we have
Then, will be output correctly.

Theorem 9. *Suppose that and are random oracles. The proposed signcryption is indistinguishable against adaptively chosen ciphertext attack (IND-CCA2) assuming that the CSP-DDH problem over the underlying noncommutative semigroup is intractable.*

*Proof. *To apply the well-known Fujisaki-Okamoto transformation theorem [34], we at first need to define an IND-CPA secure encryption scheme and then establish the security relationship between the proposed signcryption scheme and the enhanced encryption scheme , that is, an FO transformation from . This can be done by setting as follows: (i). That is, the key generation algorithm remains unchanged. (ii)The encryption algorithm that takes as inputs the receiver’s public-key and the intended message and then performs the following steps:(1)pick at random; (2)compute and ;(3)output . (iii)The decryption algorithm that takes as inputs the receiver’s private-key and the ciphertext pair and then outputs the intended message .

Apparently, this is just the ElGamal-like variant based on CSP-DDH assumption. According to Theorem 1 of [24], this is IND-CPA secure. Then, according to Theorem 7, the FO variant is IND-CCA2 secure when and are modeled as random oracles, where (i). (ii) performs the following steps: (1)pick at random; (2)let ; (3)let and ; (4)output . (iii)The decryption algorithm that takes as inputs the receiver’s private-key and the ciphertext qudruple , and then performs the following steps: (1)let ; (2)let ; (3)output if and otherwise.

Now, let us show that in the same random oracle models, if there is a polynomlai-time adversary that can, with nonnegligible probability, break the IND-CCA2 security of the proposed signcryption scheme, there is another polynomial-time adversary that can, by controlling the response of the random oracles and , break the IND-CCA2 security of . However, this is contrary to the fact that is IND-CCA2 secure. Therefore, ’s advantage of breaking the proposed signcryption scheme must be negligible.

In fact, if controls the response of the random oracles and , then it can break the IND-CCA2 security of with nonnegligible probability. This is apparently, since controls the response of , whenever seeing a ciphertext , it can retrieve the message and random salt by looking up the response list of under the reasonable assumption that the probability for different pair with same hash value with the pair is negligible.

The left thing is to show that , without knowing the receiver’s private-key , how to simulate the response on decryption queries for in a perfect manner. Whenever invokes a decryption query by submitting a signcryption pair , responds as follows: (1)look up in -list. If there is no matched triple, sends to as the response; (2)for each matched triple , performs the following steps: (a) for each in -list, do the following steps: (i) extract a possible according to the following formula:
This can be done since knows , and at this stage; (ii) test whether the equality holds? (recall that is the verification key of the singer). If so, replies with and end of the response; otherwise, continue; (3)if up to now, has not output response to yet, then sends to as the response.

Now, let us show that ’s simulation is perfect. It is reasonable to assume that without accessing hash queries on and , ’s probability for submitting a valid signcryption pair is negligible. Thus, whenever invokes hash queries on and for forming a valid signcryption pair, related materials are recorded and can retrieve them and finally send a perfect response.

*Remark 10. *Note that although the signature scheme embedded in the proposed signcryption scheme merely achieves unforgeable against no-message attacks, the resulted signcryption is existentially unforgeable against external adaptively chosen message attack. Here, external forgeries means that it is neither the singer, nor the intended receiver. We know that it is reasonable to exclude the signer from forgeries. Let us explain why we further exclude the intended receiver from the forgeries. In fact, the primitive of signcryption provides confidentiality of the message against all entities except the intended receiver and meanwhile it provides the authenticity of the sender (i.e., the signer) for the intended receiver. That is, the authenticity embedded in the signcryption primitive is unidirectional, instead of bidirectional. Therefore, it seems that there is no reason for an intended receiver to forge a signature on behalf of some signer and then encrypt the signature for himself/herself, except for planting false evidence against some senders. In other words, in our proposal, we assume that the receiver who possesses the corresponding private-key for performing designcryption is honest. Otherwise, an existentially unforgeable signature scheme, such as the noncommutative signature scheme in [36] should be embedded therein. For further consideration of the insider security and the outsider security of signcryptions, one can refer to [37, 38].

#### 4. Lightweight Implementation of Key Management Protocols for WSNs

In [5], Hagras et al. described an efficient key management scheme for WSNs based on elliptic curve signcryption. Our proposal follows their diagram. However, the main differences of our work lie in the following aspects: (i)firstly, the signcryption algorithm used by Hagras et al. is abstract and essentially hybrid where a symmetric encryption algorithm is involved. However, we will give a detailed specification of each algorithm; (ii)secondly, Hagras et al.’s proposal is based on commutative platforms, while as far as we known, our proposal is firstly based on noncommutative platforms.

Similar to [5], suppose that the network architecture is the standard clustered WSN architecture depicted in Figure 3. The proposed key management scheme supports three protocols: the first is used to generate private-/public-keys for each individual nodes, including base nodes, cluster headers, and cluster nodes; the second is essentially a signcryption scheme that is used by base node to send session keys to cluster heads; and the third is essential also a signcryption scheme that is used by cluster heads to send session keys to cluster nodes.

Let be the braid group and . Suppose that is the Conj-LD system defined over braid group , while and are two cryptographic hash functions. Our proposal consists of three protocols that are described in the following subsections.

##### 4.1. Key Generation Protocol

This protocol is responsible for creating public-/private-key pairs for base nodes (BNs), cluster heads (CHs), and cluster nodes (CNs).

*Step 1. *Generate public-/private-key for based nodes. : the private-key for the base node is a positive integer chosen uniformly at random. : the corresponding public-key for the base node is calculated as .

*Step 2. *Generate public-/private-key for cluster heads. : the private-key for the th cluster head is a positive integer chosen uniformly at random. : the corresponding public-key for the th cluster head is calculated as .

*Step 3. *Generate public-/private-key for cluster nodes. : the private-key for the th cluster head is a positive integer chosen uniformly at random. : the corresponding public-key for the th cluster head is calculated as .

*Step 4. *Session key generation for base node and cluster heads.(1)The base node creates the session key which will be used for secure communication between the th cluster head and the base node. (2)The th cluster head creates the session key which will be used for secure communication between the th cluster head and the th cluster node.

Without loss of generality, here we assume that and are elements of picked at random. (In fact, we can always employ an encoding algorithm to map elements of into valid session keys.)

*Remark 11. *Note that in the last step, all session keys are newly generated by the base node and the cluster nodes, respectively. In fact, after the execution of Steps 1, 2 and 3, we know that the base node and the th cluster head can calculate the shared session key , and the th cluster head and the th cluster node can calculate the shared session key . However, it is not a good choice to use this kind of session keys since they are totally determined by long-term private-keys. Instead, we suggest to renew a session key instantly to guarantee its freshness.

##### 4.2. BN-CHs Signcryption

The base node signcrypts the session key using its private-key and sends the ciphertext to the th cluster head as follows: (1)pick at random; (2); (3); (4); (5); (6)send to the th cluster head.

Upon receiving the ciphertext from the base node, the th cluster head designcrypts the session key as follows: (1)compute , ; (2)accept if and report “FAILURE” otherwise.

##### 4.3. CH-CNs Signcryption

The th cluster head signcrypts the session key using its private-key and sends the ciphertext to the th cluster node as follows: (1)pick at random. (2). (3). (4). (5). (6)Send to the th cluster node.

Upon receiving the ciphertext from the th cluster head, the th cluster node designcrypts the session key as follows: (1)compute , ; (2)accept if and report “FAILURE” otherwise.

#### 5. Performance Evaluation

##### 5.1. Complexity of Basic Operations

Now, let us compare the braid-based signcryption schemes with the RSA-based ones. According to Cha et al.’s implementation [39] and Maffre’s test [40], the complexities of the braid operations, such as multiplication, inversion, and canonical form computation, are bounded by in the sense of bit operations, where and are the braid index and the canonical length of involved braids, respectively. If we follow Maffre’s suggestions by setting and , then the number of bit operations for implementing these braid operations is proportional to . We know that the number of bit operations for implementing modular exponentials involved in RSA-based schemes is proportional to when the bit length of RSA modulus is set to 1024. This suggests that the proposed braid-based signcryption is about times faster than RSA-based ones.

Further, if we lift the security level of the RSA-based schemes to , which is comparable to the security level of our scheme (see Section 5.3), then the RSA modulus should be at least 2008 bits (see [23] for details). Then, the number of bit operations for implementing modular exponentials involved in RSA-based schemes is proportional to . This suggests that at the same security level, our braid-based signcryption is even efficient than that of RSA-based ones.

##### 5.2. Parameter Size

A braid in with canonical factors can be represented by a bit string of size [16]. Thus, when and , the sizes of the system parameters, the private-key, the public-key, and the ciphertexts are 5650 bits, 80 bits, 2822 bits, and 8466 bits, respectively. In total, it is about 17 Kbits (see Table 2). According to [5], a typical WSN node, MICA2 mote, developed by the University of California at Berkeley has an 8-bit 7.3 MHz processor with 4 KB (i.e., 32 Kbits) RAM and 128 KB programmable ROM. This suggests that although our scheme will take more memory than RSA-based ones, it is still compact enough to be deployed in typical WSN environments.

##### 5.3. Security Levels

In [23], Wang et al. presented an analysis of the security levels of braid-based cryptosystems against two typical attacks: heuristic attacks and brute force attacks. In a similar manner, we can discuss the security levels of the proposed signcryption scheme. According to [23], the security level of a cryptosystem is modeled as the number of bit operations for breaking the cryptosystem. Since this number is in general huge, we always use its logarithm in evaluation and refer to as the logarithmic security level.

As for braid-based cryptosystems, heuristic attacks mean currently known smart attacks, such as length-based attacks [42, 43] and linear representation attacks. According to Maffre’s test [40] and Wang et al.’s summarization [23], the logarithmic complexity of existing heuristic attacks against braid-based cryptosystems can be expressed as .

Let us proceed to analyze the security level against brute force attacks. According to Ko et al. [29], when the private-keys of braid-based schemes are selected carefully, that is, avoiding the weak keys mentioned by Maffre [40], all known heuristic attacks will be unsuccessful. Further, according to the previous analysis given by Ko et al. [16], the complexity of carrying brute force attacks towards braid-based schemes is proportional to . Therefore, when we adopt Maffre’s suggestion by setting the braid index and the canonical length of the involved braids to and , respectively, the security level of our scheme against brute force attacks is proportional to . This suggests that in the foreseeable future it is infeasible to launch exhaustive attacks towards our proposal.

In brief, we can summarize the performance comparisons in two cases: in Case , we consider the currently acceptable parameter settings, and in Case , we lift the security level of the RSA-based schemes to by increasing the length of the corresponding RSA modulus. The results are listed in Table 3. We can conclude that our scheme is very fast in signcrypting and designcrypting, but acceptably larger in storage requirement.

*Remark 12. *Although Table 3 seems very similar to that in [23], there are remarkable differences as follows: on one hand, in [23], the efficiencies of the signing process and the verifying process of the braid-based signature scheme in [23] are much different; signing can be implemented in the complexity proportional to , while the complexity of verifying is proportional to . However, the efficiencies of the signcrypting process and the designcrypting process in this paper are same: both of them are proportional to since in our new proposal it is unnecessary to solve the CDP problem over braid groups; on the other hand, the braid-based scheme in [23] is merely a signature scheme, while the proposal in this paper is a signcryption scheme. This suggests that our signcryption scheme is much efficient than Wang et al.’s signature scheme [23]. In brief, our proposal does more and faster than that in [23].

#### 6. Conclusion

Lightweight cryptographic schemes are useful for securing WSN-oriented applications. To minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility, signcryption is the proper primitive to realize key management protocols for WSNs. However, most existing signcryption schemes are heavyweight and not suitable for resource-limited sensors. In this paper, we propose a braid-based signcryption scheme and then develop a key establishment protocol for wireless sensor networks. From the complexity view, the proposed scheme is times faster than RSA-based ones. As far as we know, this proposal is the first signcryption scheme based on noncommutative algebraic structures. In addition, the analysis of the basic operations and parameter sizes suggests that our proposal can be efficiently deployed in typical WSN environments.

#### Acknowledgments

This work is partially supported by the National Natural Science Foundation of China (NSFC) (nos. 61003285, 61070251, 61103198), the NSFC A3 Foresight Program (no. 61161140320) and the JSPS A3 Foresight Program, JSPS Research Fellowships for Young Scientists Program, and NEC C&C Foundation.

#### References

- M. Dong, K. Ota, X. Li, X. Shen, S. Guo, and M. Guo, “HARVEST: a task-objective efficient data collection scheme in wireless sensor and actor networks,” in
*Proceedings of the 3rd International Conference on Communications and Mobile Computing (CMC '11)*, pp. 485–488, April 2011. View at Publisher · View at Google Scholar · View at Scopus - K. Ota, M. Dong, and X. Li, “TinyBee: mobile-agent-based data gathering system in wireless sensor networks,” in
*Proceedings of the IEEE International Conference on Networking, Architecture, and Storage (NAS '09)*, pp. 24–31, IEEE Press, July 2009. View at Publisher · View at Google Scholar · View at Scopus - A. Liu and P. Ning, “TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks,” in
*Proceedings of the International Conference on Information Processing in Sensor Networks (IPSN '08)*, pp. 245–256, April 2008. View at Publisher · View at Google Scholar · View at Scopus - M. Varchola, T. Guneysu, and O. Mischke, “MicroECC: a lightweight reconfigurable elliptic curve crypto-processor,” in
*Proceedings of the International Conference on Reconfigurable Computing and FPGAs (RECONFIG ’11)*, pp. 204–210, IEEE Computer Society, Washington, DC, USA, 2011. - E. A. A. A. Hagras, D. El-Saied, and H. H. Aly, “Energy efficient key management scheme based on elliptic curve signcryption for Wireless Sensor Networks,” in
*Proceedings of the 28th National Radio Science Conference (NRSC '11)*, April 2011. View at Publisher · View at Google Scholar · View at Scopus - A. Dent and Y. Zheng,
*Practical Signcryption*, Springer, Berlin, Germany, 2010. - Y. Zheng, “Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption), advances,” in
*Proceedings of the Advances in Cryptology (CRYPTO '97)*, vol. 1294 of*Lecture Notes in Computer Science*, pp. 165–179, Springer, 1997. - R. Steinfeld and Y. Zheng, “A signcryption scheme based on integer factorization,” in
*Proceedings of the Information Security Workshop (ISW '00)*, vol. 1975 of*Lecture Notes in Computer Science*, pp. 308–322, Springer, 2000. - J. Malone-Lee and W. Mao, “Two birds one stone: signcryption using RSA,” in
*Proceedings of the Cryptographers’ Track at the RSA Conference (CTRSA '03)*, vol. 2612 of*Lecture Notes in Computer Science*, pp. 211–225, Springer, 2003. - Y. Zheng and H. Imai, “How to construct efficient signcryption schemes on elliptic curves,”
*Information Processing Letters*, vol. 68, no. 5, pp. 227–233, 1998. View at Scopus - M. Toorani and A. A. Beheshti, “A directly public verifiable signcryption scheme based on elliptic curves,” in
*Proceedings of the IEEE Symposium on Computers and Communications (ISCC '09)*, pp. 713–716, IEEE Computer Society, July 2009. View at Publisher · View at Google Scholar · View at Scopus - L. Zhang and T. Mo, “A signcryption scheme for WEP in WLAN based on bilinear pairings,” in
*Proceedings of the International Conference on Computer Application and System Modeling (ICCASM '10)*, vol. 8, pp. 126–130, IEEE Computer Society, October 2010. View at Publisher · View at Google Scholar · View at Scopus - J. Zhang, Y. Yang, and X. Niu, “A novel identity-based multi-signcryption scheme,”
*International Journal of Distributed Sensor Networks*, vol. 1, no. 5, p. 28, 2009. - F. Li, F. Muhaya, M. Khan, and T. Takagi, “Lattice-based signcryption,”
*Concurrency and Computation*, vol. 2, pp. 1–10, 2012. View at Publisher · View at Google Scholar - F. Wang, Y. Hu, and C. Wang, “Post-quantum secure hybrid signcryption from lattice assumption,”
*Applied Mathematics and Information Sciences*, no. 6, pp. 23–28, 2012. - K. Ko, S. Lee, J. Cheon, and J. Han, “New public-key cryptosystem using braid groups,” in
*Proceedings of the Advances in Cryptology (CRYPTO '00)*, vol. 1880 of*Lecture Notes in Computer Science*, pp. 166–183, Springer, Berlin, Germany, 2000. - I. Anshel, M. Anshel, B. Fisher, and D. Goldfeld, “New key agreement protocols in braid group cryptography,” in
*The Cryptographers’ Track at RSA Conference (CT-RSA '01)*, vol. 2020 of*Lecture Notes in Computer Science*, pp. 13–27, Springer, Berlin, Germany, 2001. - I. Anshel, M. Anshel, and D. Goldfeld, “An algebraic method for public-key cryptography,”
*Mathematical Research Letters*, vol. 6, no. 3-4, pp. 287–291, 1999. View at Scopus - M. Anshel, “Braid group cryptography and quantum cryptoanalysis,” in
*Proceedings of the 8th International Wigner Symposium*, pp. 13–27, GSUCCUNY, May 2003. - K. Ko, D. Choi, M. Cho, and J. Lee, “New signature scheme using conjugacy problem,” Preprint, 2002, http://eprint.iacr.org/2002/168.
- L. Wang, Z. Cao, P. Zeng, and X. Li, “One-more matching
conjugate problem and security of braid-based signatures,” in
*Proceedings of the 2nd ACM Symposium on Information, Computer and Communications security (ASIACCS ’07)*, pp. 295–301, ACM Press, March 2007. - L. Wang, Z. Cao, S. Zheng, X. Huang, and Y. Yang, “Transitive signatures from braid groups,” in
*Proceedings of the Progress in Cryptology (INDOCRYPT '07)*, vol. 4859 of*Lecture Notes in Computer Science*, Springer, December 2007. - L. Wang, L. Wang, Z. Cao, Y. Yang, and X. Niu, “Conjugate adjoining problem in braid groups and new design of braid-based signatures,”
*Science in China, Series F*, vol. 53, no. 3, pp. 524–536, 2010. View at Publisher · View at Google Scholar · View at Scopus - L. Wang, L. Wang, Z. Cao, E. Okamoto, and J. Shao, “New constructions of public-key encryption schemes from conjugacy search problems,” in
*Proceedings of the International Conference Information Security and Cryptology (Inscrypt '11)*, vol. 6584 of*Lecture Notes in Computer Science*, pp. 1–17, Springer, 2011. - V. Shpilrain and A. Ushakov, “An authentication scheme based on the twisted conjugacy problem,” in
*Proceedings of the Applied Cryptography and Network Security (ACNS '08)*, vol. 5037 of*Lecture Notes in Computer Science*, pp. 366–372, Springer, Berlin, Germany, 2008. - J. S. Birman, V. Gebhardt, and J. González-Meneses, “Conjugacy in garside groups—I: cyclings, powers, and rigidity,”
*Groups, Geometry and Dynamics*, vol. 1, no. 3, pp. 221–279, 2007. - J. S. Birman, V. Gebhardt, and J. González-Meneses, “Conjugacy in Garside groups—III: periodic braids,”
*Journal of Algebra*, vol. 316, no. 2, pp. 746–776, 2007. View at Publisher · View at Google Scholar · View at Scopus - J. S. Birman, V. Gebhardt, and J. González-Meneses, “Conjugacy in garside groups II: structure of the ultra summit set,”
*Groups, Geometry and Dynamics*, vol. 2, no. 1, pp. 16–31, 2008. - K. H. Ko, J. W. Lee, and T. Thomas, “Towards generating secure keys for braid cryptography,”
*Designs, Codes, and Cryptography*, vol. 45, no. 3, pp. 317–333, 2007. View at Publisher · View at Google Scholar · View at Scopus - M. Prasolov, “Small braids having a big ultra summit set,” http://arxiv.org/abs/0906.0076.
- P. Dehornoy, “Braid-based cryptography,”
*Contemporary Mathematics—American Mathematical Society*, vol. 360, pp. 5–33, 2004. - P. Dehornoy, “Using shited conjugacy in braid-based cryptography,”
*Algebraic Methods in Cryptography, Contemporary Mathematics—American Mathematical Society*, vol. 418, pp. 65–74, 2006. - U. Maurer, “Abstract models of computation in cryptography,” in
*Proceedings of the Cryptography and Coding*, N. P. Smart, Ed., vol. 3796 of*Lecture Notes in Computer Science*, pp. 1–12, Springer, Heidelberg, Germany, 2005. - E. Fujisaki and T. Okamoto, “How to enhance the security of public-key encryption at minimum cost,” in
*Proceedings of the International Workshop on Practice and Theory in Public Key Cryptography (PKC '99)*, H. Imai and Y. Zheng, Eds., vol. 1560 of*Lecture Notes in Computer Science*, pp. 53–68, Springer, Heidelberg, Germany, 1999. - L. Gu, L. Wang, K. Ota, M. Dong, Z. Cao, and Y. Yang, “New public key cryptosystems based on non-abelian factorization problems,”
*Security and Communication Networks*. In press. View at Publisher · View at Google Scholar - D. Kahrobaei and C. Koupparis, “Non-commutative digital signatures,”
*Groups Complexity and Cryptology*, vol. 4, pp. 377–384, 2012. - A. Dent, “Hybrid signcryption schemes with insider security,” in
*Proceedings of the 10th Australasian Conference on Information Security and Privacy (ACISP '05)*, vol. 3574 of*Lecture Notes in Computer Science*, pp. 253–266, Springer, 2005. - A. Dent, “Hybrid signcryption schemes with outsider security,” in
*Proceedings of the 8th International Conference on Information Security (ISC '05)*, vol. 3650 of*Lecture Notes in Computer Science*, pp. 203–217, Springer, 2005. - J. Cha, K. Ko, S. Lee, et al., “An efficient implementation of braid groups,” in
*Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT '01)*, vol. 2248 of*Lecture Notes in Computer Science*, pp. 144–156, Springer, Berlin, Germany, 2001. - S. Maffre, “A weak key test for braid based cryptography,”
*Designs, Codes, and Cryptography*, vol. 39, no. 3, pp. 347–373, 2006. View at Publisher · View at Google Scholar · View at Scopus - D. Coppersmith, “Modifications to the number field sieve,”
*Journal of Cryptology*, vol. 6, no. 3, pp. 169–180, 1993. View at Publisher · View at Google Scholar · View at Scopus - J. Hughes, “The left sss attack on ko-lee-cheon-han-kang-park key
agreement scheme in ${b}_{45}$,” in
*Rump Session Crypto*, 2000. - J. Hughes, “A linear algebraic attack on the aafg1 braid group cryptosystem,” in
*Proceedings of the 7th Australasian Conference on Information Security and Privacy (ACISP ’02)*, vol. 2384 of*Lecture Notes in Computer Science*, pp. 176–189, Springer, Berlin, Germany, 2002.