#### Abstract

Nowadays wireless sensor network (WSN) is increasingly being used in the Internet of Things (IoT) for data collection, and design of an access control scheme that allows an Internet user as part of IoT to access the WSN becomes a hot topic. A lot of access control schemes have been proposed for the WSNs in the context of the IoT. Nevertheless, almost all of these schemes assume that communication nodes in different network domains share common system parameters, which is not suitable for cross-domain IoT environment in practical situations. To solve this shortcoming, we propose a more secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the Internet of Things, which allows an Internet user in a certificateless cryptography (CLC) environment to communicate with a sensor node in an identity-based cryptography (IBC) environment with different system parameters. Moreover, our proposed scheme achieves known session-specific temporary information security (KSSTIS) that most of access control schemes cannot satisfy. Performance analysis is given to show that our scheme is well suited for wireless sensor networks in the cross-domain context of the IoT.

#### 1. Introduction

Wireless sensor network (WSN) is a distributed network which contains a large number of sensor nodes. We can collect the target data through the sensor nodes to obtain valuable information. Due to the flexibility and convenience of data capture, WSN has been integrated into the IoT. The integration of WSN applications and low-power sensing nodes with the Internet may be accomplished with various approaches and strategies [1], and the popular integration solutions include cloud-based integration approaches [2, 3], front-end proxy integration approaches [4], architecture frameworks [5], and the integration via standard Internet communication protocols [6, 7]. In the cloud-based integration solution, some important security requirements including privacy, trust, and anonymity cannot be addressed. This approach also does not support the secure integration with data sources from other sensing devices or heterogeneous WSN domains. For the front-end proxy integration solution, the wireless sensor nodes communicate with the Internet hosts through a proxy server; thus this integration approach does not support direct communications between WSN nodes and Internet hosts, and the shortcoming of this approach is that the proxy server is vulnerable to cyberattacks and may become the bottleneck. In the integration solution via standard Internet communication protocols, most of approaches employ specialized middleware layers instead of supporting generic Internet communication mechanisms that can implement heterogeneous applications. However, these proposed solutions developed in the context of the architecture frameworks currently do not support Internet communications in WSN environments. For the integration via standard Internet communication protocols, a large number of access control schemes using public key infrastructure (PKI) are proposed. PKI, however, has a serious problem of certificate management. Subsequently, a series of access control schemes using identity-based cryptography (IBC) or certificateless cryptography (CLC) are designed, and even a new idea of integrating IBC with CLC into an access control scheme is introduced. In particular some access control schemes using heterogeneous signcryption schemes are generated, in which an Internet sender as part of IoT belongs to the CLC environment and a wireless sensor receiver is in the IBC environment. However, almost all of these access control schemes assume that communication nodes share common system parameters in different network domains, which are not suitable for cross-domain IoT environment in practical situations. Moreover, we find that most of these schemes cannot satisfy known session-specific temporary information security (KSSTIS, which means that the attacker cannot obtain the plaintext message when the ephemeral key and the access request message are leaked). Thus, it is necessary to design a more secure and efficient access control scheme and make it more suitable for wireless sensor networks in the cross-domain context of the IoT.

##### 1.1. Related Work

Zhou et al. proposed an access control scheme for WSNs using elliptic curve (EC) cryptography [8], which is more efficient than the PKI-based schemes. However, to authenticate a sensor node, the scheme of Zhou et al. needed high computational and communicational costs. Next, Huang [9] proposed an efficient access control protocol (EACP) based on the EC, which is quite adequate for low-powered sensor nodes. Consequently, Kim and Lee [10] pointed out that EACP scheme is susceptible to a message replay attack, and they proposed an enhanced access control protocol (ENCP). However, Lee et al. [11] showed that ENCP is subjected to a new node masquerade attack and message forgery attack, and then they proposed a practical access control protocol (PACP). In 2015, Chen et al. [12] claimed that the PACP is susceptible to the adversary attacks and needs huge key storage resources. Recently, Kumar et al. [13] proposed a more secure and efficient scheme for WSNs, which provides robust security and achieves the access control while taking care of the identity privacy. However, these schemes above cannot provide message confidentiality and unforgeability at the same time. In order to simultaneously authenticate the sensor node and protect the confidentiality of messages with a low cost, Yu et al. [14] and Ma et al. [15] proposed the access control schemes using signcryption approach (ACSC). Signcryption performs the signature and the encryption in one logical step. Compared with the signature-then-encryption method, signcryption has less cost. But these above ACSC schemes are based on the public key infrastructure (PKI). In PKI, the certificate authority (CA) generates a digital certificate for each user, which triggers the PKI’s certificate management problem. In order to avoid this problem and reduce the burden on traditional PKI, identity-based public key cryptography (IBC) and certificateless public key cryptography (CLC) were proposed, where certificate used in PKI is not needed. Recently, many security mechanisms for WSNs using IBC [16, 17] or CLC [18, 19] have been generated. All the above schemes are homogeneous means that sender and receiver must belong to the same security domain (PKI or IBC or CLC environment). Heterogeneous signcryption allows the sender to send a message to the receiver in different security domain. Huang et al. [20] proposed a heterogeneous signcryption scheme that the sender is in the IBC environment and the receiver belongs to the PKI environment. In 2016, Li et al. [21] proposed a novel access control scheme (NACS) for sensor networks in the context of the IoT. The NACS uses heterogeneous signcryption (HSC) in which an Internet sender as part of IoT belongs to the CLC environment and a wireless sensor receiver is in the IBC environment, which conforms the characteristics of the WSNs in the context of the IoT.

##### 1.2. Our Contribution

In this paper, we propose an access control scheme for WSNs in the cross-domain context of the IoT using heterogeneous signcryption. We define the generic model and security model of the cross-domain heterogeneous signcryption (CDHSC) and then propose a CDHSC scheme that proves to be safe under the Bilinear Inverse Diffie-Hellman Problem (BIDH) and Computational Diffie-Hellman Problem (CDHP) assumptions in the random oracle model. Compared with NACS scheme [21] through performance analysis, our scheme has the following merits: our scheme allows an Internet user in a certificateless cryptography (CLC) environment to communicate a sensor node in an identity-based cryptography (IBC) environment with different system parameters so that it can be used for WSNs in the cross-domain context of the IoT; our scheme has less computation cost (not including precomputation cost). For the Signcryption algorithm, our scheme has the same computation cost as the NACS scheme. But for the Unsigncryption algorithm, our scheme only needs three bilinear pairings computations, while the NACS scheme requires four. As we all know, bilinear pairing computation is the most expensive operation in a signcryption scheme from bilinear pairing; our scheme satisfies the known session-specific temporary information security attribute.

##### 1.3. Organization

The remainder of our paper is organized as follows. The preliminaries for network model, bilinear pairings, and difficult mathematical problems are given in the next section. The third section elaborates on the definition of the cross-domain heterogeneous signcryption (CDHSC), proposes a specific CDHSC scheme, and gives the security analysis of the proposed scheme. In the fourth section we propose a secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the IoT and perform an efficiency analysis on it. In the last section, we make a summary.

#### 2. Preliminaries

In this part, we give the basic network model of access control scheme, some prior knowledge of bilinear pairings, and difficult mathematical problems.

##### 2.1. Network Model

In the network model of access control for wireless sensor networks in the cross-domain context of the IoT, there are five types of communication entities including Internet user, a trusted third party called key generation center (KGC) in the CLC environment, WSN node, the other trusted third party named private key generator (PKG) in the IBC environment, and a gateway used to connect the CLC domain with the IBC domain. PKG and KGC are used to complete the registration of WSN nodes and Internet users, respectively. The PKG calculates the public key and a private key for each WSN node. The KGC is responsible for producing a part of the private key of Internet users, and the other part of the private key is generated by the users themselves. In the network model, each PKG and KGC has different system parameters. In the KGC environment, when an Internet user wants to access the information collected by the sensor nodes from WSN, he needs to signcrypt and submit the query message to the gateway. The gateway belonging to this WSN will first authenticate the access request message from the Internet user. If the verification is passed, the gateway will forward the query message to the WSN. Then the WSN transmits the collected data to the Internet user with unsigncryption key. Otherwise, gateway refuses to provide the service.

In the network model of access control, the access request message generated by the Internet user should satisfy confidentiality, integrity, authentication, nonrepudiation, and known session-specific temporary information security (KSSTIS) simultaneously when it is transmitted to the gateway. Figure 1 shows the overview of the network model.

##### 2.2. Bilinear Pairings

Let and be two cyclic groups, which have the same prime order . is an additive group and is a multiplicative group. Let be a generator of . A bilinear pairing is a map that meets the following properties:(1)Bilinearity: , for all and .(2)Nondegeneracy: there exists , such that , where is the identity element of .(3)Computability: can be successfully computed for all .

The security of our scheme relies on the following two hard mathematical problems.

*Definition 1. *Bilinear Inverse Diffie-Hellman (BIDH) Problem is to compute given , where .

*Definition 2. *Computational Diffie-Hellman (CDH) Problem is to compute given , where .

#### 3. Cross-Domain Heterogeneous Signcryption

For the cross-domain heterogeneous signcryption (CDHSC) which can be used in access control for WSNs in the context of the IoT, we first define the generic model and security model. Then we present the specific CDHSC scheme. Finally we show the correctness analysis and the security proof of the proposed scheme.

##### 3.1. Generic Model

Our CDHSC scheme consists of nine algorithms as follows.

*Setup*. The trusted third party PKG and KGC execute this probabilistic algorithm to produce a series of system parameters. Firstly they input a security parameter then output their master secret key and corresponding system parameters. Different PKG and KGC use different and output different .

*CL-PPUKE*. The partial public key extraction algorithm is executed by the KGC in CLC environment, which takes as input a KGC’s master secret key and an Internet user’s identity , and outputs the user’s partial public key .

*CL-PPKE*. The partial private key extraction algorithm is executed by the KGC in CLC environment, which takes as input a KGC’s master secret key and an Internet user’s identity , and generates the user’s partial private key .

*CL-SVS*. The secret value setup algorithm is performed by the Internet users in CLC environment. Taking as inputs a user’s identity , the algorithm outputs the user’s secret value .

*CL-PKG*. The main public key generation algorithm is executed by the users in the context of CLC, which takes as input the secret value , and outputs the user’s main public key .

*IB-PKE*. The public key extraction algorithm is performed by the PKG in IBC circumstance. Taking as inputs a PKG’s master secret key and the user’s identity , the algorithm outputs the user’s public key .

*IB-KE*. The key extraction algorithm is performed by the PKG in IBC environment. Taking as inputs a PKG’s master secret key and the user’s identity , the algorithm outputs the user’s private key .

*SC*. The signcryption algorithm is performed by an Internet user under the circumstance of CLC. Taking as inputs the plaintext message , sender’s partial private key , sender’s secret value , sender’s identity , and the receiver’s identity , the algorithm outputs the ciphertext .

*USC*. The unsigncryption algorithm is performed by the receiver in IBC environment. Taking as inputs the ciphertext , the sender’s identity and the main public key , sender’s partial public key , and the receiver’s private key and identity , the algorithm outputs the plaintext if is a valid ciphertext. Otherwise the output is the symbol .

Note that the ciphertext should meet the need of the public verifiability with confidentiality. That is to say, ciphertext verification process of the unsigncryption algorithm can be performed by any verifier (generally the WSN gateway) without the knowledge of the plaintext message .

##### 3.2. Security Model

The standard security notion for a CDHSC scheme is confidentiality and unforgeability. In the following definitions, Definition 3 describes the confidentiality and the unforgeability is depicted in Definition 5.

*Definition 3 ( confidentiality). *A CDHSC scheme is semantically secure against adaptive chosen ciphertext attacks property (IND-CDHSC-CCA2) if no probabilistic polynomially time adversary has a nonnegligible advantage in the following Game 1.

*Game 4. * *Initial*. The challenger runs Setup algorithm with a parameter , then he returns the system parameters to .*Phase 1*. executes a polynomially bounded number of queries.*Partial Public Key Extraction (PPUKE) Queries*. chooses an identity and forwards it to . Then executes algorithm and forwards the corresponding partial public key to .*Public Key (PK) Queries*. On a new public key query for identity , executes and algorithm to compute the user’s secret value and main public key then adds to the list . Finally, returns to .*Public Key Replacement (PKR) Queries*. can replace a main public key with a value selected by himself.*Corruption Query*. On a corruption query, checks the list and returns the secret value .*Partial Private Key Extraction (PPKE) Queries*. chooses an identity and forwards it to . Then executes algorithm and forwards the corresponding partial private key to .*Public Key Extraction (PKE) Queries.* When receiving an identity from , executes algorithm and forwards the corresponding public key to .*Key Extraction (KE) Queries*. When receiving an identity from , executes algorithm and forwards the corresponding private key to .*Signcryption Queries*. submits a plaintext , a sender’s identity , and a receiver’s identity . Firstly, performs* Corruption* query and PPKE query with to obtain and , performs PKE query with to obtain , and then executes algorithm to get the signcryption . If the sender’s public key has been replaced, the sender’s secret value is provided by . Finally returns ciphertext to .*Unsigncryption Queries*. submits a signcryption , a sender’s identity , and a receiver’s identity . Firstly, performs PPUKE query and PK query with to obtain and P, performs KE query with to obtain , and then executes USC algorithm to check the validity of ciphertext . If the ciphertext is valid, sends plaintext to ; otherwise it outputs character .*Challenge*. After Phase , outputs two plaintexts which are of the same length, a sender’s identity and a receiver’s identity on which he wants to be challenged. Note that cannot be the identity that has been used for KE query in Phase . randomly takes a bit of and calculates and forwards it to .*Phase 2*. can make a polynomially bounded number of queries just like in Phase , whereas, it cannot make a KE query on and cannot perform an* Unsigncryption* query on ciphertext under and to obtain the plaintext unless the sender’s public key is replaced after the challenge phase.*Guess*. outputs a bit of . If , he wins the game.

We define the advantage of to be .

For unforgeability, there are two types of adversaries named and since the signcryption is generated in the CLC environment. Type I adversary does not know the KGC’s master key, but he is able to replace public keys of arbitrary identities with other public keys of his choice. In contrast, Type II adversary possesses the KGC’s master secret key, while he cannot replace public key of any user during the game.

*Definition 5 ( unforgeability). *A CDHSC scheme is existentially unforgeable against an adaptive chosen-message attacker (EUF-CDHSC-CMA) if no probabilistic polynomially time adversary has a nonnegligible advantage in the following Game 2.

*Game 6. * *Initial*. The challenger runs the* Setup* algorithm defined in generic model and gives the resulting system parameters to the adversary . For Type II adversary, sends him the master secret keys of PKG and KGC in addition to the system parameters.*Probing*. The challenger is probed by the adversary who executes a polynomially bounded number of queries just like Phase of the confidentiality game. Note that does not need to perform PKR, PPKE, and KE queries.*Forge*. The adversary returns a ciphertext , a sender’s identity , and a receiver’s identity . Let the tuple be the result of unsigncrypt algorithm under the private key corresponding to . wins the game if the tuple satisfies the following requirements: (1)This ciphertext is a valid one, when the result of unsigncrypt algorithm is not character but .(2) has never asked the secret value of the user with identity .(3) has never asked the* Signcryption* query on .

##### 3.3. CDHSC Scheme

In this section, we propose a CDHSC scheme based on bilinear pairings. We follow the generic model of a general CDHSC scheme that we presented in Section 3.1, and we add KSSTIS property to it. The scheme is described below.

*Setup*. Given a parameter , the KGC chooses an additive group and a multiplicative group which have the same prime order , a generator of , a bilinear map , and three hash functions , , and . Similarly, given a security parameter , the PKG chooses an additive group and a multiplicative group which have the same prime order , a generator of , a bilinear map , and one hash function . The KGC randomly chooses a master secret key and calculates the master public key . Then KGC outputs the system parameters and keeps secret. Similarly, the PKG outputs the system parameters and keeps secret.

*CL-PPUKE*. This algorithm accepts an identity of an Internet user and generates the partial public key for the user, where . Then the KGC runs the algorithm.

*CL-PPKE*. After executing the algorithm, the KGC calculates the partial private key for the user. Finally, the KGC sends securely to the user.

*CL-SVS*. This algorithm accepts an identity of an Internet user and randomly chooses a secret value for the user. Then the user runs the algorithm.

*CL-PKG*. After executing the algorithm, the user calculates his public key .

*IB-PKE*. This algorithm accepts an identity of a WSN node and generates the public key for the node, where . Then the PKG runs the algorithm.

*IB-KE*. After executing the algorithm, the PKG calculates the private key for the node. Finally, the PKG sends securely to the WSN node.

*SC*. To signcrypt a message using the partial private key , secret value , and the receiver’s identity , a sender with identity performs the following steps:(1)Selecting randomly.(2)Calculating and .(3)Calculating .(4)Calculating .(5)Calculating , .(6)Calculating .(7)Outputting the ciphertext .

*USC*. To unsigncrypt the ciphertext using the private key , sender’s partial public key , and the main public key , the receiver with identity performs the following steps:(1)Calculating .(2)Checking if holds. If the equation holds, the receiver executes the following step. Otherwise, he rejects this ciphertext and outputs the symbol .(3)Calculating .(4)Calculating .(5)Recovering the message .

Note that any user can verify the ciphertext by computing and verifying whether , where nothing about the plaintext message will be lost. Thus, we can shift the computational cost of signcryption verification to the WSN gateway (he just needs to obtain the public parameters and the ciphertext ) in the cross-domain context of the IoT.

##### 3.4. Correctness

The consistency of the CDHSC scheme is easy to verify.(1)In the signcryption verification stage,(2)In the signcryption decryption stage,

##### 3.5. Security Proof

In this section, we use some mathematical difficult problems to prove the confidentiality and unforgeability of the CDHSC scheme in the random oracle model. In addition, we demonstrate that our scheme satisfies the known session-specific temporary information security (KSSTIS). In our scheme, the generation algorithms of public key and private key for the node in the IBC environment are the same as the generation algorithms of partial public key and partial private key for the user in the CLC environment, so the KGC can act as the roles of KGC and PKG simultaneously in a small wireless sensor networks in a single domain context of the IoT. Moreover, in the following security proofs of our proposed scheme, for reasons of proof brevity, we assume that the KGC plays the roles of the KGC and PKG at the same time in a single domain.

*(1) Confidentiality*

Theorem 7. *Our CDHSC scheme is indistinguishable against any IND-CDHSC-CCA2 adversary in the random oracle model assuming that the BIDH problem in is intractable.*

*Proof. *Let be a BIDH problem attacker. Then is an adversary who interacts with following Game 1. is given as an input to the BIDH problem and aims to compute , where and .*Initial*. sets . The value is the master key of the KGC, which is unknown to , and gives system parameters to .*Phase 1*. We show that can use to solve the BIDH problem. needs to maintain three lists , , and that are initially empty and are used to keep track of answers to queries asked by to oracles , , and , respectively. What is more, maintains two lists: and of the queries made by to oracles and PPUKE (or PKE), respectively. Subsequently, simulates the challenger and plays the game described in Definition 3 with the adversary as follows.*Partial Public Key Extraction (PPUKE) or Public Key Extraction (PKE) Queries*. Suppose that makes at most queries to this oracle. First, chooses randomly. When makes this query on , if (we let at this point), returns and adds to ( cannot compute ; he just considers to be ). Otherwise picks a random , returns , and adds to .* Queries*. When makes this query on , forwards to if has the entry . If the list does not contain , randomly picks , returns , and adds to .* Queries*. When makes query on , if the list has the entry , answers to . Otherwise, randomly picks as the output and inserts into the list .* Queries*. For query on , if the list has the entry , answers to . Otherwise, randomly picks as the output and inserts into the list .*Partial Private Key Extraction (PPKE) or Key Extraction (KE) Queries*. When makes this query on , if , aborts the simulation and returns . Otherwise, the list should have the entry . returns to .*Public Key (PK) Queries*. When makes this query on , if the list has the entry , then answers to . Otherwise, selects randomly, computes , and then returns and adds to .*Corruption Queries*. We assume that has made query on before this query. The list should have the entry . returns to .*Public Key Replacement (PKR) Queries*. can replace the main public key of user with a value he selects. When executes a* public key replacement* query with the entry , updates the list with entry (, ).*Signcryption Queries*. When asks for a query on a message with a sender’s identity and a receiver’s identity , if , aborts the simulation and returns . Otherwise, first executes* Corruption* query and PPKE query with to obtain and , performs PPUKE query with to obtain , and then executes algorithm to return the signcryption . If the sender’s public key has been replaced, the sender’s secret value is provided by . Finally returns ciphertext back to .*Unsigncryption Queries*. When asks for this query on a signcryption with a sender’s identity and a receiver’s identity , if , aborts the simulation and returns . Otherwise, computes and checks if holds. If not, aborts the simulation and returns . Otherwise, executes the KE query to get and calculates . Then executes query to obtain and finally calculates and returns .*Challenge*. outputs two plaintexts which have the same length and picks a sender’s identity and a receiver’s identity on which he wishes to be challenged. Note that fails if has asked a KE query on during the first stage. If , aborts the simulation and returns . Otherwise selects a random number and generates the challenge ciphertext as follows. At first, chooses the value . Then he sets and computes and , in which ( is the candidate answer for the BIDH problem). Finally forwards the ciphertext to .*Phase 2*. then performs a second series of queries, and can handle these queries as in the first stage. Whereas, it cannot make a KE query on and cannot perform an* Unsigncryption* query on ciphertext under and to obtain the plaintext unless the sender’s public key is replaced after the* challenge* phase.*Guess*. produces a bit of . If , then answers 1 as the result to the BIDH problem since he has generated a valid signcrypted message of using the knowledge of . Otherwise, answers 0.

So, the adversary can defeat the signcryption by means of analyzing the ciphertext, and at the same time he can solve the BIDH problem with nonnegligible advantage. But we all know that there is no algorithm that can be used to work out the BIDH problem in the probabilistic polynomial time; hence our scheme has the indistinguishability against adaptive chosen ciphertext attack.

*(2) Unforgeability*

Theorem 8. *Our CDHSC scheme is existentially unforgeable against any EUF-CDHSC-CMA adversary in the random oracle model assuming that the CDH problem in is intractable.*

*Proof. *Let be an CDH problem attacker. Then is the adversary who interacts with following Game 2. is given as an input to the CDH problem and aims to compute , where and .*Initial*. The challenger runs the* Setup* algorithm defined in generic model and gives the resulting system parameters to the adversary . For the Type II adversary, sends him the master secret keys of KGC in addition to the system parameters.*Probing*. We show that can use to solve the CDH problem. needs to maintain three lists , , and that are initially empty and are used to keep track of answers to queries asked by to oracles , , and , respectively. What is more, maintains two lists: and of the queries made by to oracles and PPUKE (or PKE), respectively. Subsequently, simulates the challenger and plays the game described in Definition 5 with the adversary . The performs a polynomially bounded number of the following queries, and does not need to perform PKR, PPKE, and KE queries.*Partial Public Key Extraction (PPUKE) or Public Key Extraction (PKE) Queries*. When makes this query on , if the list has the entry , then answers to . Otherwise, selects randomly, computes and , then returns , and adds to .*Partial Private Key Extraction (PPKE) or Key Extraction (KE) Queries*. We assume that has made PPUKE (or PKE) query on before this query. The list should have the entry . returns to .*Public Key (PK) Queries*. We assume that makes at most queries to this oracle and has made PPUKE (or PKE) query on before this query. First, chooses randomly. When makes this query on , if (we let at this point), returns and adds to . Otherwise selects randomly, computes , then returns , and adds to .*Corruption Queries*. When makes this query on , if , aborts the simulation and returns . Otherwise, the list should have the entry . returns to .*, **, **, PKR, and Signcryption Queries*. This proof is the same as the proof of Theorem 7.*Unsigncryption Queries*. When asks for this query on a signcryption with a senders identity and a receivers identity , computes and checks if holds. If not, aborts the simulation and returns . Otherwise, executes the KE query to get and calculates . Then executes query to obtain and finally calculates and returns .*Forgery*. outputs a ciphertext and picks a sender’s identity and a receiver’s identity on which he wishes to be challenged. If , aborts the simulation and returns . Otherwise, he runs the simulation algorithm to obtain ; we can have and ( is a candidate for the CDH problem). Finally, checks if , if the condition is not satisfied, fails and outputs 0; otherwise, answers 1.

So, the adversary can forge a valid signcryption by means of analyzing ciphertext, and he can solve the CDH problem with nonnegligible advantage at the same time. But we all know that there is no algorithm that can be used to work out the CDH problem in the probabilistic polynomial time; hence our scheme is existentially unforgeable against adaptive chosen-message attacker .

*(3) Known Session-Specific Temporary Information Security (KSSTIS)*. Assume that at the th communication, session-specific temporary key and signcryption are leaked. In our CDHSC scheme, the encryption key is . An external adversary can get through the ciphertext and the identity of the receiver, but he cannot acquire the secret value of the sender or the private key of the receiver. So, the external adversary is hard to obtain the plaintext since he cannot compute . Hence, our scheme can achieve the KSSTIS attribute. But in NACS [21], when the external adversary obtains the temporary key of th communication, he can compute easily, and it is easy for the adversary to obtain the message with the ciphertext .

#### 4. An Efficient Access Control Scheme

We come up with a secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the IoT using our CDHSC scheme. The proposed scheme includes four phases: system initialization, user registration, authentication with key establishment, and leaked key revocation phase. The workflow of access control scheme is shown in Figure 2.

##### 4.1. System Initialization Phase

Without loss of generality, we select two domains and assume that the KGC and PKG are in different communication domains and they generate different system parameters. The KGC outputs the system parameters and obtains his master secret key and the master public key . The PKG gets his master secret key and the master public key , and he runs the and algorithms to generate the users public key and private key for each WSN node in the IBC environment. The PKG loads the system parameters, , , and , into a smart card and issues this card to the WSN node.

##### 4.2. User Registration Phase

At this stage, an Internet user with identity in the context of CLC wants to register for his partial public/private key pair; he submits his identity to the KGC. KGC examines if the user’s information (e.g., the user’s IP address) is reasonable. If the information is incorrect, the KGC will reject the user’s request. Otherwise, the KGC executes and algorithms to get partial public key and partial private key , where and selected by the KGC randomly. The KGC returns to user. After receiving , the Internet user executes the and algorithms to obtain his secret value and public key . The user can store the public parameters in a plaintext file and (, ) in a ciphertext file.

##### 4.3. Authentication with Key Establishment Phase

When an Internet user wants to access the information collected by a sensor node from WSN, the user firstly acquires the current time stamp in order to detect the replay attack, then generates the query request message, and performs a signcryption operation on it. The ciphertext is , where and . Then he sends the ciphertext to the gateway belonging to the destination WSN. The gateway first calculates and examines whether and is fresh or not. If not, the gateway denies the access to the WSN. Otherwise, the user passes the authentication, and the gateway sends to the WSN node. The WSN node calculates , and gets query request message . After that, the WSN node can encrypt the response data using symmetric encryption algorithm with the session key . In this process, confidentiality, nonrepudiation, and KSSTIS are all achieved according to the security proof of Section 3.5. The message integrity is ensured by using the hash value . The functions of authentication and session key establishment are implemented by verifying the signature (,) and calculating the session key , respectively.

##### 4.4. Leaked Key Revocation Phase

Assume that the partial private key of an Internet user with identity is leaked; then the user should send a key revocation request message to the KGC for a new key. The user submits his identity to the KGC. KGC randomly chooses another value to compute the new partial public key and partial private key with the same identity . Then the KGC returns to user.

##### 4.5. Performance Evaluation

We compare the performance of our method with the NACS [21]. The comparative result is shown in Table 1. In the table, we use , , and as abbreviations for point multiplications in , exponentiations in , and pairing operations, respectively. Moreover, we use notations KSSTIS as abbreviations for whether the scheme achieves known session-specific temporary information security.

From the computational point of view, the signcryption operation of our CDHSC scheme needs three point multiplications in and one exponentiation in which is the same as NACS [21]. The unsigncryption operation of our CDHSC scheme needs one exponentiation and three pairings, but NACS requires four pairings. As we all know, the pairing operation is several times more expensive than the exponentiation. So the computational cost of our CDHSC scheme is more efficient than the NACS. In addition to efficiency improvement, our CDHSC scheme also enhances the security, since it achieves KSSTIS attribute. Most importantly, our scheme allows an Internet user under the circumstance of CLC to communicate a sensor node in IBC environment with different system parameters.

For energy consumption, according to [21], a point multiplication in (or an exponentiation in ) operation and a pairing operation consume mJ and mJ, respectively. Therefore, the computational energy cost of NACS and our scheme are mJ and mJ, respectively, and the communication energy cost of NACS and our scheme are the same for the sensor node (the cost is mJ [21]).

Hence, consider the wireless sensor networks in the single-domain or cross-domain context of the IoT; it may be that our access control scheme is more applicable.

#### 5. Conclusion

In this paper, we proposed a cross-domain heterogeneous signcryption scheme that allows a sender in the CLC environment to send the request signcryption message to a recipient in the IBC environment with different system parameters, and we proved that it has the confidentiality under the BIDH problem and unforgeability under the CDH problem in the random oracle model. Based on the CDHSC scheme, we designed a secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the IoT.

Compared with NACS, our scheme not only needs less computation costs but also has stronger security since it achieves KSSTIS attribute. We believe that the proposed access control scheme can be feasible in many practical single-domain or cross-domain WSN applications.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

The authors thank the anonymous referees for their valuable suggestions and comments. This work is supported by the National Natural Science Foundation of China (nos. 61662046 and 61601215) and the Science and Technology Research Project of Jiangxi Province of China (no. 20171BCB23014 and no. 20142BBE50019).