Questioning the security and efficiency of the ESIoT approach

Abstract

ESIoT is a secure access control and authentication protocol introduced for Internet of Things (IoT) applications. The core primitive of ESIoT is an identity-based broadcast encryption scheme called Secure Identity-Based Broadcast Encryption (SIBBE). SIBBE is designed to provide secure key distribution among a group of devices in IoT networks, and enable devices in each group to perform mutual authentication. The scheme is also designed to hide the structure of the group from nodes outside of the group. We identify multiple efficiency and security issues in this primitive that prove SIBBE unsuitable for IoT applications. First, we show that contrary to what was claimed, the size of the ciphertexts generated by the encryption function is not constant but in fact linear in the number of devices in the group. Additionally, we demonstrate that the encryption and decryption costs are also linear in the number of nodes in the group, implying scalability issues thus inefficiency for IoT applications. In terms of security, we prove that SIBBE does not achieve the desired property of anonymity and allows an attacker to gain information on the structure of any given group. Finally, we demonstrate how SIBBE does not achieve the claimed chosen-ciphertext security. We however prove its security for a weaker security notion (namely selective-ID indistinguishability against chosen-plaintext attacks) under a variant of the GDDHE assumption.