An Access Control Scheme Using Heterogeneous Signcryption for IoT Environments

: When the Wireless Sensor Network (WSN) is combined with the Internet of Things (IoT), it can be employed in a wide range of applications, such as agriculture, industry 4.0, health care, smart homes, among others. Accessing the big data generated by these applications in Cloud Servers (CSs), requires higher levels of authenticity and confidentiality during communication conducted through the Internet. Signcryption is one of the most promising approaches nowadays for overcoming such obstacles, due to its combined nature, i.e., signature and encryption. A number of researchers have developed schemes to address issues related to access control in the IoT literature, however, the majority of these schemes are based on homogeneous nature. This will be neither adequate nor practical for heterogeneous IoT environments. In addition, these schemes are based on bilinear pairing and elliptic curve cryptography, which further requires additional processing time and more communication overheads that is inappropriate for real-time communication. Consequently, this paper aims to solve the above-discussed issues, we proposed an access control scheme for IoT environments using heterogeneous signcryption scheme with the efficiency and security hardiness of hyperelliptic curve. Besides the security services such as replay attack preven-tion, confidentiality, integrity, unforgeability, non-repudiations, and forward secrecy, the proposed scheme has very low computational and communication costs, when it is compared to existing schemes. This is primarily because


Introduction
The Internet of Things (IoT) represents a system of interconnected objects/things and devices that communicate through the Internet in a continuous manner [1][2][3]. The notion "things" in this context may refer to any virtual or physical object that can be assigned a unique identity, such as an internet protocol (IP) address or an identity number (ID). Most of these services are equipped with sensors to enable a dynamic communication of information and events [4]. So, the IoT in basic terms can be expressed as a roadmap of things. The majority of IoT devices are referred to as smart because of its ability to communicate data received from their surroundings without the need for human intervention [5]. Besides that, when looking at networks, we find out that people have already witnessed connecting objects or devices through wires, often known as cabled or wired connections, then wireless sensor networks have also been implemented (connected through wireless protocols) [6]. The mobile internet has encountered exponential growth multiple times since the establishment of Wireless Sensor Networks (WSN) and has become the backbone of information networks connecting human society [7]. As a result, it is apparent that WSN is associated with IoT due to certain unique features and functionalities [8].
Prior studies within this field have noted the importance of security as a crucial requirement for IoT communications [9], with an increased emphasis on cryptography, which is described as "the practice and analysis of techniques for secure data communication while being transmitted through networks." There are three main techniques associated with cryptography. These are public key infrastructure (PKI), certificateless cryptosystem (CLC), and identity-based cryptosystem (IBC). The first technique in cryptography types is PKI based method. The most prominent limitation in PKI is its unsuitable traditional implementation in IoT. The projecting factor to this is the certificate management overhead i.e., storage, distribution, and revocation of certificates [10]. The second technique in cryptography types is IBC [11], which was introduced to reduce the burden on traditional PKI. IBC recommends using a publicly recognized string as a public key, which reduces the cost of PKI certificate renewal. The IBC, being Identity-Based, appeared to be more vulnerable to third party hacker attacks (key escrow problem). This is classified as a major obstacle that needs to be tackled [12]. To solve this issue, the third technique of cryptography, called CLC, was developed with certificate-less based cryptography [13]. CLC is a form of IDbased cryptography that addresses the problem of key escrow. The key generation center (KGC) creates a partial private key for users and distributes it over a secure network. The user will then create his/her private and public keys using the partial private key obtained and some randomly generated numbers. All of the above-mentioned debates used homogeneous cryptography, which meant that the sender and receiver shared the same security domain, making the network more vulnerable. The vulnerability necessitates the use of a heterogeneous signcryption scheme, in which the sender and receiver have separate security domains, thus protecting the network from different cyber or intruder attacks [7]. Combining both PKI and CLC techniques is required to generate heterogeneous signcryption keys. The advantage of combining CLC and PKI is that it protects the network from intruders by only disclosing the original keys to the sender and receivers.
In addition, previous studies of access control for IoT environments have developed various schemes that encountered the mutual shortcoming in terms of their roots as mathematical algorithms, their massive costs and huge computations. Bilinear pairing method is the first algorithm that has contributed significantly in this context [14], which experiences huge pairing and RSA ("Rivest-Shamir-Adleman). The Bilinear Pairing method appeared to be worse than RSA since it requires large pairing computations and passes through a map-to-function calculation [14]. In order to address the mutual inefficiencies in both RSA and Bilinear, a recent approach called "Elliptic Curve Cryptography," or "ECC," was developed [15][16][17]. The most distinguished attributes of ECC seem to be its small size of parameter, private key, identity, public key and certificate. The inflexibility and efficiency of security in ECC is based on small key size of 160 bits [18]. For devices that highly require resources, the 160 bit key-size of ECC is insufficient, as it was not suitable and affordable. To address this issue, we propose a new method called "Hyper Elliptic Curve Cryptography," or "HECC," which is a generalized form of ECC. It provides the same security level as RSA, Bilinear, and ECC, but with a smaller key, identity and certificate size of just 80 bits [19]. For energy-constrained devices, HECC is proved to be the most appropriate, cost-effective, and efficient scheme. As a result, we have incorporated the following new features to this paper: • We designed a heterogeneous signcryption (Users belongs to CLC and the sensor nodes uses the concept of IBC) based on Hyper elliptic curve. • The new scheme assures that the security properties of Replay Attack, confidentiality, integrity, Unforgeability, Non-repudiations, and forward secrecy, respectively. • The AVISPA Tool is used to simulate the security requirements of the proposed scheme and the result under two backbends (Constraint Logic-based Attack Searcher (CL-b-AtSER) and On-the-Fly Model Checker (ON-t-FL-MCR)) are SAFE when the proposed scheme is coded in HLPSL language. • By applying the concept of hyper elliptic curve, this scheme will significantly reduce the computational cost timing and require smaller amount of bits for communication.
The paper is organized as follows: Section 1 contains a brief introduction, Section 2 encompasses the advantages and disadvantages of related work, Section 3 includes the syntax of heterogeneous signcryption, Section 4 represents the network model, Section 5 comprises the proposed heterogeneous signcryption for IoT, Section 6 covers the security analysis, Section 7 covers the computational cost, and Section 8 involves the communication cost, Section 9 includes scheme simulation, and Section 10 presents the conclusion.

Literature Review
Recently, access control techniques for IoT environments have attracted a considerable amount of scholars due to its vital roles in achieving higher levels of security. Li et al. [20], have developed a new concept about an access control strategy for IoT environments. The study incorporated the heterogeneous signcryption (e.g., the sender belongs to CLC and the receiver uses the concept of IBC) on the basis of bilinear pairing cryptosystem. However, since bilinear pairing requires additional resources, this scheme must be slower in terms of computational time and communication delay time. Challa et al. [21], proposed an ECC based scheme to provide an access control mechanism to contemporary IoT environments. Then, Chaudhry et al. [22], claimed that the Challa et al. scheme has higher correctness rates and capable of address certain issues. After that, Luo et al. [8], developed a new scheme using signcryption in heterogeneous nature (e.g., the sender belongs to CLC and the receiver uses the concept of IBC). However, due to more resources demanding nature of bilinear pairing, the presented scheme suffers from the issur of slow computational time and communication delays. Das et al. [4] designed a new approach for device-to-device access control in IoT on the bases of ECC. Nevertheless, Chaudhry et al. [23], proved that Das et al. scheme was vulnerable to impersonation and man-in-middle attacks. The Authors then proposed a new scheme to address such issues. Malani et al. [24], offered an anonymous scheme which provide access control policy for IoT devices. ECC is also used in this scheme. As a result of ECC's higher resource requirements, the proposed schemes in [4,21,23,24] must be slower in computational time and communication delay time, and are not suitable for heterogeneous IoT environments, because they used the same nature cryptography for sender and receiver, which can be vulnerable at certain times. As a result, providing a heterogeneous access control scheme based on heterogeneous signcryption has become vital (e.g., the sender belongs to CLC and the receiver uses the concept of PKI) using the difficult problem of a hyper elliptic curve, that requires smaller keys and parameters. As a result, such a scheme is expected to achieve higher levels of security for IoT environments.

Setup
Given J as a security parameter, the application provider (AP), first choose ζ as his secret key and make his public key as δ. Then, it makes β as a public parameter param and keeps secret ζ then published β.

PKI Key Generation
A receiver with PKI picks a private key R pr with a random manner and calculates his/her public key as R pb .

Certificateless (CL) Key Generation (CLKG) 3.3.1 CL-Partial Private Key Processing (CL-PPKG)
The application provider (AP) picks a random number and generates X , η, and W. It sets W is a partial private key and send the tuple (X, W) via a secure channel to sender.

CL-Secret Value Selection (CL-SVS)
The sender picks a random number ω s and set ω s is a secret value.

CL-Private Key Processing (CL-PKG)
The sender makes his private key like that S pr = (W, ω s ).

CL-Public Key Processing (CL-PBKG)
The sender makes his public key like that S pb = (X, μ s ).

CL-Signcrypt (CL-SCT)
By using the message (M), R pb , and S pr as an input, the sender can make and send ψ to the receiver.

CL-Un-Signcrypt (CL-Un-SCT)
By using ψ, S pb , and R pr as an input, the receiver can verify ψ that it is either valid or not.

Network Model
Fig. 1 illustrates our new model for access control of wireless sensor network within the IOT environments utilizing heterogeneous signcryption (Certificateless to PKI). Itcontains six participants, named, the internet users, cloud server, network manager, sensor nodes, the Internet, and controller, respectively. When users require data from sensor nodes, they send their identity to the network manager, who then generates a partial private key for them and transfer it back to them through a secure network. After that, using the concept of a certificateless based Cryptosystem, users perform the signcryption process on the data request query and transmit it to the controller through an open network. The controller first verifies the public key of the receiver from the network manager and then verifies the received signcrypted query by performing the unsigncryption process. Note that for the unsigncryption process the controller used the functionality of PKI. After verifying the signcrypted query, the controller collects the data from sensors and encrypt this data by using the "Advanced Encryption Standard (AES)" algorithm and transmits the encrypted data to the users. In this case, the cloud server is responsible for storing the vast amount of data generated by the relevant users.

Construction of Proposed Heterogeneous Signcryption for IoT
The explanation of each step-in construction of the proposed scheme is described in the following subsections.

Setup
Given J as a security parameter, the application provider (AP), first choose ζ ∈ {1, 2, 3, . . . , n − 1} his secret key and make his public key as δ = ζ · D. Then, it selects a triple (h x , h y ) as a hash function and set β = (h x , h y , h y , δ, D, J, HEC) as a public parameter param. Then, AP keeps secret ζ and published β.

PKI Key Generation
A receiver with PKI pick a private key R pr ∈ {1, 2, 3, . . . , n − 1} with a random manner and calculates his/her public key as R pb = D R pr .

Certificateless (CL) Key Generation (CLKG)
It contains the following four steps:

CL-Partial Private Key Processing (CL-PPKG)
The application provider (AP) picks a random number ∈ {1, 2, 3, . . . , n − 1} and make X = · D, η = h x (id, X), and W = + ζ η. It sets W is a partial private key and send the tuple (X , W) via a secure channel to sender.

CL-Private Key Processing (CL-PKG)
The sender makes his private key like that S pr = (W, ω s ).

CL-Public Key Processing (CL-PBKG)
The sender makes his public key like that S pb = (X, μ s = ω s · D).

CL-Signcrypt (CL-SCT)
By using the message (M), R pb , and S pr as an input, the sender can do the following process: ∇, P), and send ψ to the receiver.

Security Analysis
It contains the correctness and the descriptive analysis about replay attack, confidentiality, integrity, unforgeability, non-repudiations, and forward secrecy. Most of the security services are based on hyper elliptic curve discrete logarithm problem. Suppose a D is the devisor belonging to hyper elliptic curve (HEC) and σ is the point from prime field of 80 bits, so, finding σ from F = σ · D is called hyper elliptic curve discrete logarithm problem.

Correctness
The receiver first checks the correctness of S = R pr · P as follows: Then it checks the correctness of Q = S + ∇(μ s + X + η · δ)) as follows: Finally it accepts only ψ, if S = r· D − ∇(μ s + X + η · δ), the correctness as follows:

Replay Attack
A replay attack occurs when someone attempts to capture an old message and replay to it. In our scheme, a replay attack is impossible because we add a NC to the message prior to sending it. In this case, NC is included within the message. The receiver then can check whether a NC is new, thus, a replay attack is unachievable in our scheme.

Confidentiality
Confidentiality means no one can see the original contents of message other than sender and receiver. In our scheme, sender at the first step encrypts the message (Z = M ⊕ h z (Q)) through secret key (Q). The secret key is as follows in Eq. (1): The attacker has to solve Eq. (1) in order to access the original contents. After solving this equation they have to solve for r because in this, r is private number and it will be calculated by the following Eq. (2): To solve Eq. (2), the attacker has to generate a real value for r, which is not possible due to the one way nature of hash function. So, it is quite impossible for an attacker to solve this Eq. (1) because hyper elliptic curve discrete algorithms are required to be solved and this is infeasible for attacker. Hence it is proved that this scheme provides higher levels of confidentiality.

Integrity
Integrity means that the receiver receives the message in the same format which has been sent by the sender. In our scheme, before sending the data, sender calculates the hash function of the message is shown as = h y (M, S). Now, if the attacker wants to make any changes to the cipher text (Z), he has to change the plane text (M) as well but he will not be able to do so because he has to solve r= h y (M, S) for which he requires to compute S = U.D that was solvable only if it captured U, which is not possible according to HECDLP. And overall, hash functions are irreversible and the attacker cannot generate the same equation again because the hash function produces new values each time it appears in a message and values are never repeated. As a result, our scheme demonstrates that it is provides the required integrity.

Unforgeability
Unforgeability means that no one else than the sender can generate the digital signature. In our scheme, a sender generates digital signature ∇ = r− U W + ω s using his three private numbers i.e., (r, U, ω s ). Now if the attacker wants to forge the signature. First of all he has to solve for r which is solved through r= h y (M, S), for which he requires to compute S = U · D that was solvable only if it captured U, which is not possible according to HECDLP. And overall, hash functions are irreversible and the attacker cannot generate the same equation again because the hash function produces new values each time it appears in a message and values are never repeated. Secondly, he has to solve for U which is solved through S = U · D that was solvable only if it captured U, which is not possible according to HECDLP. Thirdly, he has to solve for ω s which is solved through μ s = ω s · D that was solvable only if it captured ω s , which is not possible according to HECDLP. Thus, making solution three times for HECDLP is infeasible, so, we claim that our scheme provides unforgeability.

Forward Secrecy
It means that in case if even the private key (ω s ) of sender gets compromised, still the messages the message (Z = M ⊕ h z (Q)) of the sender remain confidential because sender uses session key (Q = r· D) for the encryption and decryption. The attacker has to make value for Q for accessing the message contents. After making Q = r· D they have to solve for r because in this, r= h y (M, S) is private number for which attacker requires to compute S = U · D that was solvable only if it captured U, which is not possible according to HECDLP. And overall, hash functions are irreversible and the attacker cannot generate the same equation again because the hash function produces new values each time it appears in a message and values are never repeated. Therefore, our scheme confirmed that it provides forward secrecy.

Non-repudiation
Non-repudiation means that no one can deny something they said did or commit. In the context of our research, it means that the sender can not deny the signatures because he/she uses his/her private key (ω s ), and this is directly associated with the public key of the sender. If he/she denies this signature the network manager can prove it because it is only known by network manager. Hence, it is proved that our scheme also provides non-repudiation.

Cost Analysis
Before doing the comparison, one must remember that the computational costs are always the main concern for both the sender and receiver. Now in this case, the existing schemes used elliptic curve point multiplication and bilinear pairing.
The Tab. 1 represents the major operations used in proposed and those Li et al. [20], Challa et al. [21], Luo et al. [8], Das et al. [4], Chaudhry et al. [23], and Malani et al. [24] as well as the total consumed time in ms. Then, we make Fig. 2 which clearly shows the superiority of our scheme in terms of computational cost.

Communication Cost
Here, we perform some computations in Tab. 2 regarding making of communication cost comparisons with existing ones that are Li et al. [20], Challa et al. [21], Luo et al. [8], Das et al. [4], Chaudhry et al. [23], and Malani et al. [24]. So, we suppose the following terms: • |M| represents plaintext or cipher text size and equals to 60 bits • |G| the group size of bilinear pairing and equals to 256 bits • |Q| the size of ECC point and equals to 160 bits • |N| the size of HECC devisor and equals to 80 bits • |H| the size of hash value and equals to 512 bits • |NON/T| the size of nonce or time stamp and equals to 80 bits in hyper elliptic curve environment and 80 bits in elliptic curve based environment • |ID| represents the size of identity and equals to 80 bits in hyper elliptic curve environment and 160 bits in elliptic curve based environment • |CERT| represents the size of certificate and equals to 80 bits in hyper elliptic curve environment and 160 bits in elliptic curve-based environment.

Simulation Results and Analysis
By analyzing the security requirement of our scheme regarding man in the middle attack (confidentiality, integrity, Unforgeability, Non-repudiations, and forward secrecy) and Replay Attack, we used AVISPA tool to simulate. AVISPA working under four backend protocol (SATbased Model Checker (SAT-b-MCR), Constraint Logic-based Attack Searcher (CL-b-AtSER), On-the-Fly Model Checker (ON-t-FL-MCR), and Tree automata based on Automatic Approximations for Analysis of Security Protocol (TA-4-SP)) when the scheme is pseudo code is written in High-Level-Protocol-Specification-Language (H-L-P-S-L) and converted to intermediate format (IF) [19]. So, we first convert our scheme algorithm into H-L-P-S-L code which contains two main roles that are Sender and Receiver in which we used the public and private keys of sender and receiver. The code for Sender and Receiver roles is represented in Figs. 4 and 5. We also used nonce and hash functions for sender and receiver. We also set two goals that are authentication on auth_1 and secrecy of sec_2, which mean that security and authenticity. As we mentioned above the proposed scheme ensures the security services of confidentiality, integrity, Unforgeability, Non-repudiations, forward secrecy, and replay attack. So, in this regard, the goal "authentication on auth_1" ensures integrity, Unforgeability, and Non-repudiations and goal "secrecy of sec_2" ensures confidentiality, forward secrecy, and replay attack. We show the simulation result of our scheme in Fig. 6. and it is confirmed that the scheme is secured under the functionality of SAT-b-MCR and CL-b-AtSER.

Conclusion
Achieving higher levels of security in IoT environments is critical for protecting users' privacy and enhancing the overall functionality of such interconnected systems. In this work, we have proposed "an efficient heterogeneous signcryption scheme for access control within IoT environments to address the computational and communication cost issues of the existing approaches. We demonstrated that the proposed scheme prevented various attacks such as confidentiality, integrity, Unforgeability, Non-repudiations, Forward secrecy, and Replay attacks. AVISPA was utilized to perform formal security simulations, and the results supported our claim. We then compared the proposed scheme to existing schemes in terms of "computational costs" and "communication costs". As a result, our proposed scheme efficiently reduced both computational and communication costs. Accordingly, the proposed scheme proved to be more practical and appropriate than existing schemes for heterogeneous IoT applications.