Noncommutative Lightweight Signcryption for Wireless Sensor Networks

Key management techniques for secure wireless-sensor-networks-based applications must minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility. Signcryption is the proper primitive to do this. However, existing signcryption schemes are heavyweight and not suitable for resource-limited sensors. In this paper, we at first propose a braid-based signcryption scheme and then develop a key establishment protocol for wireless sensor networks. From the complexity view, our proposal is 215 times faster than RSA-based ones. As far as we know, our proposal is the first signcryption scheme based on noncommutative algebraic structures.


Introduction
Wireless sensor networks (WSNs) consist of a large number of micro, low-cost, low-power, and spatially distributed autonomous devices using sensors to cooperatively monitor physical or environmental conditions [1,2].WSNs are often deployed in potentially adverse or even hostile environment so that there are concerns on security issues therein.To protect the confidentiality and privacy of WSN-oriented applications, the traditional symmetric (i.e., private-key), even lightweight, cryptography is often used.A well-known drawback to do this is that the symmetric cryptography is not as flexible as the asymmetric (i.e., public-key) cryptography.The main obstacle of using public-key cryptography in WSNs is that with limited memory, computing and communication capacity, and power supply, sensor nodes cannot employ sophisticated cryptographic operations such as modular exponentiation and pairing computation.Therefore, it is interesting to probe new efficient and lightweight implementations on some wellknown public-key cryptographic primitives, such as what has been done in TinyECC [3] and in MicroECC [4].No matter which type cryptography is adopted, key establishment is one of the utmost concerns.At least, key establishment techniques for a secure WSNbased application must minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility [5].
Signcryption, now an international standard for data protection (ISO/IEC 29150, Dec 2011), was invented in 1996 and first disclosed to the public at CRYPTO 1997 [6,7].It is a data security technology by which confidentiality is protected and authenticity is achieved seamlessly at the same time.This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFIDs) and wireless sensor networks, to perform high-level security functions.And, by performing these two functions simultaneously, we can save resources, be it an individual's time or be it energy, as it will take less time to perform the task.Therefore, signcryption is very suitable for key management in wireless sensor networks and other resourceconstrained environments.
Since the invention of the primitive of signcryption, various constructions were proposed and most of them are based on three kinds of cryptographic assumptions.The first category assumes that the integer factoring problem (IFP) is intractable, such as the constructions in [8,9].The second category assumes that the discrete logarithm problem (DLP) over finite fields or elliptic curves (i.e., ECDLP) is intractable, such as the constructions in [10,11].In this category, some constructions further utilize the bilinear pairing to enhance the functionalities and performance, such as the constructions in [12,13].The third category is based on some lattice hard problems [14,15].Up to now, the last category attracts a lot of attention since the so-called quantum attack-resistant property.However, these existing lattice-based signcryptions have disadvantage in key sizes.Thus, it is interesting to probe new construction of signcryption based on other cryptographic primitives than IFP-and DLP-related ones and meanwhile keeping the potential of quantum attack resistance.
Under this background, some noncommutative groups have attracted the attention.One of the most popular groups in this category is the braid group.At CRYPTO 2000, Ko et al. [16] proposed the first fully fledged braid-based cryptosystem.In braid-based cryptographic schemes [16][17][18][19][20][21][22][23][24], the conjugacy search problem (CSP) (i.e., given two braids  and  −1 , output the braid ) and its variants play a core role.Although many heuristic attacks, such as lengthbased attacks linear representation attacks, have obtained remarkable success in attacking braid-based cryptosystems and lowered the initial enthusiasm on this subject, there is no deterministic polynomial algorithms that can solve the CSP problem over braid groups [25] till now.On one hand, Birman et al. launched a project, referred to as BGGM project, to find polynomial algorithms for solving the CSP problem over Garside groups, including braid groups [26][27][28].The BGGM project might be the strongest efforts known for solving the CSP problem over braid groups in polynomial-time (with respect to the input size).Up to now, the BGGM project has already made a great progress; except for rigid pseudo-Anosolov braids, the CSP instances over other braids can be solved in polynomial time [28].On the other hand, some researchers still keep on finding hard instances of the CSP problem in braid groups.For examples, in 2007, Ko et al. [29] proposed some ideas on generating hard instances for braid cryptography, and in 2010, Prasolov [30] constructed some small braids with large ultra summit set (USS).Prasolov's result represents a frustration toward the BGGM project, but an encouragement toward the intractability assumption of the CSP problem over braid groups.According to [31], if  and  are random braids, then the length of  −1 is, with a high probability, about the length of  plus the double of the length of .This is the reason why the length-based attacks work.This also suggests that one can defeat the length-based attacks by requiring that the length of  −1 is closer to the length of .This in turn requires that  should lie in its super summit set (SSS) [31].We know that USS ⊂ SSS.Therefore, if we can work with the braids suggested by Prasolov, then we reach the point to instantiate our proposal with braid groups in a secure manner.
Another promising observation coming from [23] is that braid operations can be implemented with a complexity level of about 2 15 bit operations, while the complexity level of  the exponentiation over 1024 bit RSA modular is about 2 30 bit operations.This suggests that braid-based cryptosystems admit ultra efficient, even lightweight, implementations.
The main motivation of this paper covers two aspects: the first is to design a lightweight signcryption scheme based on noncommutative groups assuming that the CSP problem over the underlying groups are intractable, and the second is to construct efficient key management protocols for wireless sensor networks.
The rest contents are organized as follows.In Section 2, we at first give a simple introduction to the braid group, and then introduce the left self-distributive system and its properties.A building block-braid-based signcryption scheme is proposed in Section 3, and the full description of the key management protocol for wireless sensor networks is developed in Section 4. Performance evaluation and comparisons, including security level analysis, are given in Section 5, respectively.Concluding remarks are given in Section 6.

Preliminaries
. Braid groups also admit a very intuitively geometrical illustration: the identity of braid groups, that is, the empty braid , and the Artin generators (e.g.,  ±1 2 in  4 ) as shown in Figure 1 [23].Geometrically, the product of two braids is the braid obtained by merging the tail of the first braid with the head of the second braid.For example, Figure 2 shows the braid [23].There is a natural automorphism from  2 to the integer additive group Z and this means that  2 is infinite and commutative.But for  ≥ 3, the braid group   is infinite and noncommutative.In addition, for each  (≤ ), the identity mapping on { 1 , . . .,  −1 } naturally induces an embedding of   into   [23].
For arbitrary two braids ,  ∈   , we say they are conjugate, written as  ∼ , if  =  −1  for some  ∈   .Here  or  −1 is called a conjugator.The conjugacy deciding problem (CDP) is to determine whether  ∼  for a given instance (, ) ∈  2  , while the conjugator searching problem (CSP) is to find a braid  ∈   such that  =  −1  for a given instance (, ) ∈  2   with  ∼ .At present, we know that both CDP and CSP over braid groups are solvable; that is, there is a deterministic algorithm that stops after finite steps, not necessarily polynomially bounded, and outputs an accurate solution.However, it seems that both of them are, at least in worst cases, intractable; that is, there is no probabilistic polynomial time algorithms that output an accurate solution with nonnegligible probability (with respect to the length of description of the input instances) [20,21,23].
In sequel, we use   to denote the conjugate braid  −1  when  ∈   .Meanwhile, we also use   to denote the multiplication braid  ⋅ ⋅ ⋅  ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟  times when  ∈ N.

Conjugacy-Based Left
Self-Distributive Systems.Under the intractability assumption of the conjugator search problems over certain noncommutative semigroups, Wang et al. [24] proposed several public-key cryptosystems based on conjugacy-based left self-distributive systems.The notations and related constructions are helpful for developing our main proposal in this paper.Therefore, let us recall the definition of the left self-distributive system that was firstly postulated by Dehornoy [32].
Definition 1 (left self-distributive system LD [32]).Suppose that  is a nonempty set,  :  ×  →  is a well-defined function and let us denote (, ) by   ().If the following rewritten formula holds then, we call  ⋅ (⋅) a left self-distributive system, abbreviated as LD system.The terminology "left self-distributive" arises from the following analogical observation: if we consider   () as a binary operation  * , then the formula (1) becomes that is, the operation " * " is left self-distributive with respect to itself [32].One can define the following LD system, named as Conj-LD system, which means an abbreviation of left selfdistributive system defined by conjugate operations.
Definition 2 (Conj-LD system [24]).Let  be a noncommutative semigroup and  −1 ⊂  the set of all invertible elements.The binary function  given by the following conjugate operation: is an LD system, abbreviated as Conj-LD.
It is easy to see that  caters to the rewritten formula (1).Thus,   () is an LD system [24].Proposition 3 (power law [24]).Let  be a Conj-LD system defined over a noncommutative semigroup .Suppose that  ∈  −1 ⊂  and  ∈  are given and fixed.Then, for arbitrary three positive integers , , and  such that  =  + , one has Remark 4. By using the notation of  ⋅ (⋅), the intractability assumption of the CSP problem in  can be reformulated as follows: it is hard to retrieve   from the given pair (,   ()) such that   () =    () (see more details in [24]).
Definition 5 (CSP-based decisional Diffie-Hellman: CSP-DDH [24]).Let  be a Conj-LD system defined over a noncommutative semigroup  and let A be an adversary.For arbitrary  ∈  −1 and  ∈ , consider the following two experiments in a paralleled manner (see Table 1).Now define the advantage of A in violating the CSP-based decisional Diffie-Hellman assumption as Intuitively, the CSP-DDH assumption states that the distributions: are computationally indistinguishable when , , ℓ ∈ N are drawn at random.Remark 6. Intuitively, it is hard to solve the CSP-DDH problem without solving the CSP problem if  is modeled as a generic semigroup model.According to [33], we know that the discrete logarithm problem (DLP) over finite fields and the corresponding DDH problem are polynomially equivalent in a generic cyclic group.By an analogical manner, we speculate that the CSP problem and the CSP-DDH problem in a generic noncommutative semigroup are polynomially equivalent (see more details in [24]).[34,35].Without loss of generality, a public-key encryption scheme can be defined as a triple  = (K, E, D), where (i) K is the key generation algorithm that takes as input a system security parameter 1  and outputs a public-/private-key pair (, ).In general, this algorithm can be formulated as (, ) ← K(1  ).(ii) E is the encryption algorithm that takes as inputs the public-key  and a message  ∈ M and outputs a ciphertext  ∈ C, where M and C are message space and ciphertext space, respectively.In general, this algorithm can be formulated as  ← E  () or  ← E  (; ) when it is necessary to specify the random salt  used in the encryption process.(iii) D is the decryption algorithm that takes as inputs the secret key  and a ciphertext  ∈ C and outputs a message  ∈ M or a symbol ⊥, which indicates that  is invalid.In general, this algorithm can be formulated as / ⊥ ← D  ().

The Fujisaki-Okamoto Transformation
In general, as for public-key encryption, one-wayness against chosen plaintext attacks (OW-CPA) is the lowest security requirement, while indistinguishability against adaptively chosen ciphertext attacks (IND-CCA2) is the most desirable and the standard security requirement.Cryptographic practise shows that it is always easier to design an OW-CPA secure encryption scheme than to directly design an IND-CCA2 secure one.Thus, it is desirable to have a general method for transforming an OW-CPA secure encryption scheme to an IND-CCA2 secure one [35].Fortunately, one of this methods was invented by Fujisaki and Okamoto [34] at PKC 1999.
Theorem 7 (FO transformation [34]).Suppose  1 and  2 are two random oracles with required domains and ranges, respectively.Given a public-key encryption scheme that achieves the security of one-wayness against chosen plaintext attacks (OW-CPA), one can get another public-key encryption scheme

that achieves the security of indistinguishability against adaptively chosen ciphertext attacks (IND-CCA2), where
(1) key generation algorithm K  is identical to K; (2) encryption algorithm is defined as where  is picked at random; (3) decryption algorithm D   ( 1 ,  2 ,  3 ) performs the following steps:

Building Block: Noncommutative Signcryption
Before describing our proposal for WSN key management, let us at first propose a signcryption scheme from noncommutative semigroups where the CSP-related assumptions hold.We will see later, when this scheme is instantiated by using braids, we obtain a very efficient signcryption scheme that is 2 15 times faster than RSA-based signcryption (suppose that 1024 bit RSA modulus were used).Suppose that  is a noncommutative semigroup so that the CSP problem and the CSP-DDH problem over  are intractable.Then, the public parameters of the proposed signcryption are given by a quintuple ⟨D, , ,  (ii)  ∈  −1 ⊂  and  ∈  are two fixed elements that are picked at random; (iii)  1 :  →  2 and  2 :  2 →  are two cryptographic hash functions that are modeled as random oracles.
Then, the proposed signcryption scheme consists of the following three algorithms: (i) KG(1  ), key generation algorithm that takes as input the system security parameter 1  , picks an integer  ∈ {0, 1}  at random calculates  =    ∈ , and finally outputs (, ) as the private-/public-key pair.
Proof.Suppose that the sender and the receiver performs honestly, and their inputs are well formed.That is,  =    and  =    .Then, since we have Then,   =  will be output correctly.

Theorem 9. Suppose that 𝐻 1 and 𝐻 2 are random oracles. The proposed signcryption is indistinguishable against adaptively chosen ciphertext attack (IND-CCA2) assuming that the CSP-DDH problem over the underlying noncommutative semigroup 𝐺 is intractable.
Proof.To apply the well-known Fujisaki-Okamoto transformation theorem [34], we at first need to define an IND-CPA secure encryption scheme  = (K, E, D) and then establish the security relationship between the proposed signcryption scheme and the enhanced encryption scheme   , that is, an FO transformation from .This can be done by setting  = (K, E, D) as follows: (i) K(1  ) := KG(1  ).That is, the key generation algorithm remains unchanged.
Apparently, this is just the ElGamal-like variant based on CSP-DDH assumption.According to Theorem 1 of [24], this is IND-CPA secure.Then, according to Theorem 7, the FO variant   = (K  , E  , D  ) is IND-CCA2 secure when  1 and  2 are modeled as random oracles, where (ii) E  (; ) performs the following steps: (1) pick  ∈  at random; (iii) The decryption algorithm D(;  1 ,  2 ,  3 ,  4 ) that takes as inputs the receiver's private-key  ∈ {0, 1}  and the ciphertext qudruple ( 1 ,  2 ,  3 ,  4 ), and then performs the following steps: (1) let   ← D(;  1 ,  2 ); (2) let   ←  3 ⊕  1 (  ); (3) output   if  4 =  2 (  ,   ) and ⊥ otherwise.Now, let us show that in the same random oracle models, if there is a polynomlai-time adversary A that can, with nonnegligible probability, break the IND-CCA2 security of the proposed signcryption scheme, there is another polynomialtime adversary B that can, by controlling the response of the random oracles  1 and  2 , break the IND-CCA2 security of   .However, this is contrary to the fact that   is IND-CCA2 secure.Therefore, A's advantage of breaking the proposed signcryption scheme must be negligible.
In fact, if B controls the response of the random oracles  1 and  2 , then it can break the IND-CCA2 security of   with nonnegligible probability.This is apparently, since  controls the response of  2 , whenever seeing a ciphertext ( 1 ,  2 ,  3 ,  4 ), it can retrieve the message  and random salt  by looking up the response list of  2 under the reasonable assumption that the probability for different pair (  ,   ) with same hash value with the pair (, ) is negligible.
The left thing is to show that B, without knowing the receiver's private-key  ∈ {0, 1}  , how to simulate the response on decryption queries for A in a perfect manner.Whenever  invokes a decryption query by submitting a signcryption pair ( 1 ,  2 ), B responds as follows: (1) look up (ℎ 2 ,   ,  1 ) in  2 -list.If there is no matched triple, B sends ⊥ to A as the response; (2) for each matched triple (ℎ 2 ,   ,  1 ), B performs the following steps: (a) for each (ℎ 1 ,   ) in  1 -list, do the following steps: (i) extract a possible   according to the following formula: This can be done since B knows  2 ,   and ℎ 1 at this stage; (ii) test whether the equality    1 =  ℎ 2  1 holds?(recall that  is the verification key of the singer).If so, replies A with   and end of the response; otherwise, continue; (3) if up to now, B has not output response to A yet, then B sends ⊥ to A as the response.
Now, let us show that B's simulation is perfect.It is reasonable to assume that without accessing hash queries on  1 and  2 , A's probability for submitting a valid signcryption pair ( 1 ,  2 ) is negligible.Thus, whenever A invokes hash queries on  1 and  2 for forming a valid signcryption pair, related materials are recorded and B can retrieve them and finally send A a perfect response.
Remark 10.Note that although the signature scheme embedded in the proposed signcryption scheme merely achieves unforgeable against no-message attacks, the resulted signcryption is existentially unforgeable against external adaptively chosen message attack.Here, external forgeries means that it is neither the singer, nor the intended receiver.We know that it is reasonable to exclude the signer from forgeries.Let us explain why we further exclude the intended receiver from the forgeries.In fact, the primitive of signcryption provides confidentiality of the message against all entities except the intended receiver and meanwhile it provides the authenticity of the sender (i.e., the signer) for the intended receiver.That is, the authenticity embedded in the signcryption primitive is unidirectional, instead of bidirectional.Therefore, it seems that there is no reason for an intended receiver to forge a signature on behalf of some signer and then encrypt the signature for himself/herself, except for planting false evidence against some senders.In other words, in our proposal, we assume that the receiver who possesses the corresponding private-key for performing designcryption is honest.Otherwise, an existentially unforgeable signature scheme, such as the noncommutative signature scheme in [36] should be embedded therein.For further consideration of the insider security and the outsider security of signcryptions, one can refer to [37,38].

Lightweight Implementation of Key Management Protocols for WSNs
In [5], Hagras et al. described an efficient key management scheme for WSNs based on elliptic curve signcryption.Our proposal follows their diagram.However, the main differences of our work lie in the following aspects: (i) firstly, the signcryption algorithm used by Hagras et al. is abstract and essentially hybrid where a symmetric encryption algorithm is involved.However, we will give a detailed specification of each algorithm; (ii) secondly, Hagras et al. 's proposal is based on commutative platforms, while as far as we known, our proposal is firstly based on noncommutative platforms.
Similar to [5], suppose that the network architecture is the standard clustered WSN architecture depicted in Figure 3.The proposed key management scheme supports three protocols: the first is used to generate private-/public-keys for each individual nodes, including base nodes, cluster headers, and cluster nodes; the second is essentially a signcryption scheme that is used by base node to send session keys to cluster heads; and the third is essential also a signcryption scheme that is used by cluster heads to send session keys to cluster nodes.
Let   be the braid group and ,  ∈   .Suppose that (⋅, ⋅) is the Conj-LD system defined over braid group   , while  1 :  →  2 and  2 :  2 →  are two cryptographic hash functions.Our proposal consists of three protocols that are described in the following subsections.

Key Generation
Protocol.This protocol is responsible for creating public-/private-key pairs for base nodes (BNs), cluster heads (CHs), and cluster nodes (CNs).
Step 1. Generate public-/private-key for based nodes.
BN ∈ {0, 1}  : the private-key for the base node is a positive integer chosen uniformly at random. BN ∈   : the corresponding public-key for the base node is calculated as  BN = (  BN , ).
Step 2. Generate public-/private-key for cluster heads.
CH  ∈ {0, 1}  : the private-key for the th cluster head is a positive integer chosen uniformly at random. CH  ∈   : the corresponding public-key for the th cluster head is calculated as  CH  = (  CH  , ).
Step 3. Generate public-/private-key for cluster nodes.
CN  ∈ {0, 1}  : the private-key for the th cluster head is a positive integer chosen uniformly at random.
CN  ∈   : the corresponding public-key for the th cluster head is calculated as  CN  = (  CN  , ).
Step 4. Session key generation for base node and cluster heads.
(1) The base node creates the session key  BN−CH  which will be used for secure communication between the th cluster head and the base node.
(2) The th cluster head creates the session key  CH  −CN  which will be used for secure communication between the th cluster head and the th cluster node.
Without loss of generality, here we assume that  BN−CH  and  CH  −CN  are elements of  picked at random.(In fact, we can always employ an encoding algorithm to map elements of  into valid session keys.)Remark 11.Note that in the last step, all session keys are newly generated by the base node and the cluster nodes, respectively.In fact, after the execution of Steps 1, 2 and 3, we know that the base node and the th cluster head can calculate the shared session key  BN−CH  = (  BN + CH  , ), and the th cluster head and the th cluster node can calculate the shared session key  CH  −CN  = (  CH  + CN  , ).However, it is not a good choice to use this kind of session keys since they are totally determined by long-term private-keys.Instead, we suggest to renew a session key instantly to guarantee its freshness.

CH-CNs
Signcryption.The th cluster head signcrypts the session key  CH  −CN  using its private-key and sends the ciphertext ( 1 ,  2 ) to the th cluster node as follows: (1) pick  ∈ {0, 1}  at random.
Upon receiving the ciphertext ( 1 ,  2 ) from the th cluster head, the th cluster node designcrypts the session key as follows: (1) compute ‖  =  2 ⊕ 1 ((  CN  ,  1 )), ℎ =  2 (,  1 ); (2) accept  if (,  1 ) = ( 1 ,  CH  ) and report "FAILURE" otherwise.Further, if we lift the security level of the RSA-based schemes to exp(92.80),which is comparable to the security level of our scheme (see Section 5.3), then the RSA modulus should be at least 2008 bits (see [23] for details).Then, the number of bit operations for implementing modular exponentials involved in RSA-based schemes is proportional to 2 33 .This suggests that at the same security level, our braidbased signcryption is even efficient than that of RSA-based ones.The security level of RSA-based schemes are evaluated according to the best known factoring method, that is, the number field sieve (NFS) method [41].

Parameter Size.
A braid in   with  canonical factors can be represented by a bit string of size ⌈ln log ⌉ [16].Thus, when  = 50 and  = 10, the sizes of the system parameters, the private-key, the public-key, and the ciphertexts are 5650 bits, 80 bits, 2822 bits, and 8466 bits, respectively.In total, it is about 17 Kbits (see Table 2).According to [5], a typical WSN node, MICA2 mote, developed by the University of California at Berkeley has an 8-bit 7.3 MHz processor with 4 KB (i.e., 32 Kbits) RAM and 128 KB programmable ROM.This suggests that although our scheme will take more memory than RSA-based ones, it is still compact enough to be deployed in typical WSN environments.

Security Levels.
In [23], Wang et al. presented an analysis of the security levels of braid-based cryptosystems against two typical attacks: heuristic attacks and brute force attacks.In a similar manner, we can discuss the security levels of the proposed signcryption scheme.According to [23], the security level of a cryptosystem is modeled as the number of bit operations for breaking the cryptosystem.Since this number is in general huge, we always use its logarithm in evaluation and refer to as the logarithmic security level.As for braid-based cryptosystems, heuristic attacks mean currently known smart attacks, such as length-based attacks [42,43] and linear representation attacks.According to Maffre's test [40] and Wang et al. 's summarization [23], the logarithmic complexity of existing heuristic attacks against braid-based cryptosystems can be expressed as log( 50 150 ) ≈ 92.80.
Let us proceed to analyze the security level against brute force attacks.According to Ko et al. [29], when the privatekeys of braid-based schemes are selected carefully, that is, avoiding the weak keys mentioned by Maffre [40], all known heuristic attacks will be unsuccessful.Further, according to the previous analysis given by Ko et al. [16], the complexity of carrying brute force attacks towards braid-based schemes is proportional to exp((1/2) ln log ).Therefore, when we adopt Maffre's suggestion by setting the braid index and the canonical length of the involved braids to  = 50 and  = 10, respectively, the security level of our scheme against brute force attacks is proportional to exp(978).This suggests that in the foreseeable future it is infeasible to launch exhaustive attacks towards our proposal.
In brief, we can summarize the performance comparisons in two cases: in Case I, we consider the currently acceptable parameter settings, and in Case II, we lift the security level of the RSA-based schemes to exp(92.80) by increasing the length of the corresponding RSA modulus.The results are listed in Table 3.We can conclude that our scheme is very fast in signcrypting and designcrypting, but acceptably larger in storage requirement.
Remark 12.Although Table 3 seems very similar to that in [23], there are remarkable differences as follows: on one hand, in [23], the efficiencies of the signing process and the verifying process of the braid-based signature scheme in [23] are much different; signing can be implemented in the complexity proportional to 2 15 , while the complexity of verifying is proportional to 2 34 .However, the efficiencies of the signcrypting process and the designcrypting process in this paper are same: both of them are proportional to 2 15 since in our new proposal it is unnecessary to solve the CDP problem over braid groups; on the other hand, the braidbased scheme in [23] is merely a signature scheme, while the proposal in this paper is a signcryption scheme.This suggests that our signcryption scheme is much efficient than Wang et al. 's signature scheme [23].In brief, our proposal does more and faster than that in [23].

Conclusion
Lightweight cryptographic schemes are useful for securing WSN-oriented applications.To minimally incorporate confidentiality, authenticity, integrity, scalability, and flexibility, signcryption is the proper primitive to realize key management protocols for WSNs.However, most existing signcryption schemes are heavyweight and not suitable for resource-limited sensors.In this paper, we propose a braidbased signcryption scheme and then develop a key establishment protocol for wireless sensor networks.From the complexity view, the proposed scheme is 2 15 times faster than RSA-based ones.As far as we know, this proposal is the first signcryption scheme based on noncommutative algebraic structures.In addition, the analysis of the basic operations and parameter sizes suggests that our proposal can be efficiently deployed in typical WSN environments.
1 ,  2 ⟩, where (i) D is a description of  and  −1 ⊂ .Without loss of generality, we assume the length of D is bounded by O(log ||) for finite .When  is infinite but admits a finite presentation, say () = ⟨ | ⟩, the length of D is the sum of the length of  and the length of .However, for braid group   , D admits even efficient description since whenever the braid index  is given, the generator set  = { 1 , . . .,  −1 } and the relation set  = {    =     : | − | > 1} ∪ {      = : | − | = 1} (1 ≤ ,  ≤  − 1) is totally specified.That is, for braid group   , D = ; log ) in the sense of bit operations, where  and  are the braid index and the canonical length of involved braids, respectively.If we follow Maffre's suggestions by setting  = 50 and  = 10, then the number of bit operations for implementing these braid operations is proportional to 215.We know that the number of bit operations for implementing modular exponentials involved in RSAbased schemes is proportional to 2 30 when the bit length of RSA modulus is set to 1024.This suggests that the proposed braid-based signcryption is about 2 15 times faster than RSAbased ones.

Table 2 :
Parameter length.It is enough to use 80-bit private keys in WSN-oriented applications.2Thelength of  2 is about equivalent to the length of two braids.

Table 3 :
Complexities and security levels.