Hyper Elliptic Curve Based Certificateless Signcryption Scheme for Secure IIoT Communications

Abstract: Industrial internet of things (IIoT) is the usage of internet of things (IoT) devices and applications for the purpose of sensing, processing and communicating real-time events in an industrial system to reduce unnecessary operational cost and enhance manufacturing and other industrial processes to attain more profit. However, such IoT-based smart industries need internet connectivity and interoperability, which makes them susceptible to numerous cyber-attacks due to the scarcity of computational resources of IoT devices and communication over insecure wireless channels. Therefore, an efficient security mechanism for the IIoT environment is needed. In this paper, we propose a hyperelliptic curve cryptography (HECC) based IIoT 51.31% more efficient in computational cost and communication overhead, respectively, compared to the most recent protocol.


Outline of the Paper
The remainder of the paper is presented as follows. Section 2 contains related work; Section 3 shows the system model and threat models; Section 4 presents the proposed scheme; Section 5 demonstrates the proof of correctness; Section 6 presents the security evaluation; Section 7 presents the comparative analysis; Section 8 discusses the conclusion and finally Section 9 shows future work.

Related Work
Information security is important to protect critical information in modern communication systems, where communication takes place over insecure public networks. The research community is also echoing the significance of this topic [24][25][26]. Hassija et al. [27] addressed the evolving security issues in IoT environments, emphasizing the significance of maintaining secure communication among IoT nodes. To safeguard sensitive data, it must be concealed from unauthorized access (confidentiality), it must be possible to identify who sent a message (authentication), it must be protected from alteration (integrity), and it must be available to legitimate users [28]. Therefore, encryption techniques are used to ensure confidentiality, whereas digital signatures are applied to guarantee integrity and authenticity. In the conventional mechanism known as signature-then-encryption, the sender has to first sign and then encrypt the data. However, this approach has drawbacks, such as requiring more machine cycles and energy, which reduces performance. To address these shortcomings, the concept of signcryption was introduced in [5]. However, this approach is based on PKC, in which the public key of a participating entity is a random element of some group; such a key offers no authenticity to the participating entity, as group elements carry no identity [6]. To address the flaws of the signcryption scheme in [5], IBS schemes were suggested in [10]. However, it turned out that IBS schemes suffer from the key escrow problem. To address this issue, a CS scheme was introduced in [12]. Following this scheme, another CS scheme based on the random oracle model (ROM) was proposed [29]. Wahid et al. [30] proposed an efficient EC-based CS scheme. Zhou et al. [31] proposed a new SM-based CS scheme. They used the modified decisional bilinear Diffie-Hellman problem and the square computational Diffie-Hellman problem to prove their scheme's security requirements.
Rastegari et al. [32] proposed an SM-based CS scheme. Yu et al. [33] proposed a new CS scheme and demonstrated its security using the ROM. Lin et al. [34] presented a cryptanalysis of the scheme in [33] and found that, since the requirements of confidentiality and unforgeability are not fulfilled, the scheme may be completely thwarted. Zhou [35] suggested a new BP-based CS scheme using the SM for the security proof.

System and Threat Model
This section shows the details of the system model and threat model considered for the proposed IIoT-CS scheme.

System Model
Primarily, an IIoT environment consists of multiple IoT domains made up of IoT devices called nodes, such as sensors, actuators, and other devices, as shown in Fig. 1. These IoT devices routinely collect information and transmit it to other devices in the network. The focus of this article is to design an authentication scheme to secure the communication among IoT nodes. The IoT nodes have minimal computing resources, while the KGC is a trusted server with ample resources. We further assume that certain cryptographic elements are preloaded into the memory of all participating nodes and that the nodes have to transmit their public keys and identities to the KGC and to the other nodes with which they want to communicate.

Threat Model
In the proposed scheme, we considered a powerful threat model called the Dolev-Yao (DY) threat model [36], which allows an adversary to execute passive and active attacks. According to the DY threat model, the adversary has access to the communication network and can listen in on all communications between participating entities. Furthermore, the adversary has complete knowledge of all public parameters of the participants in the system; however, the adversary has no access to the participants' private data. Finally, the adversary can impersonate any device in the system by replaying messages previously eavesdropped from the communication channel.

Proposed Scheme
The proposed IIoT-CS scheme is based on HEC certificateless signcryption and involves two phases, namely the pre-deployment phase and the authentication phase, as shown in Fig. 2. The notations used in the proposed IIoT-CS scheme are shown in Tab. 1.

Pre-Deployment Phase
The predeployment phase is performed by the system administrator before the effective deployment of the system. In this phase, the IoT nodes are equipped with the basic cryptographic parameters necessary to establish secret session keys. This process is divided into two parts, namely the system initialization stage and the registration stage.

Tab. 1: Notations used in the proposed IIoT-CS scheme
Symbol : Description
… : Receiver IoT node
ID_i, ID_j : Identity of sender node and receiver node
(V_i, U_i) : First part of private and public key of ith-node
(X_i, Y_i) : Second part of private and public key of ith-node
(V_j, U_j) : First part of private and public key of jth-node
(X_j, Y_j) : Second part of private and public key of jth-node
T_i, T_j : Time stamp produced by the ith-node and jth-node
n_i : Nonce
m, C : Plaintext and ciphertext
SK : Session key established between ith-node and jth-node
E_SK(), D_SK() : Encryption and decryption algorithms
S : Digital signature

System Initialization Phase
This process is carried out by the KGC, during which the following cryptographic information is initialized and made public.
i) The hyperelliptic curve E/F_q over a prime finite field F_q.
ii) The algebraic closure f* of F_q.
iii) The divisor group D of the curve E.
iv) Hashing function H: {0, 1}* → Z_q^*, where Z_q^* = {1, 2, ..., q − 1}.
In addition, the KGC generates its master private key V_s ∈_R Z_q^* and master public key U_s = V_s.D. Finally, it makes the public parameters params = {F_q, f*, q, x, y, D, U_s, H} available to all participants.

Registration Phase
During the registration stage, the IoT nodes participating in the system communicate with the KGC over a secure channel to register themselves and receive dedicated cryptographic information from the KGC. The flow of interaction of the IoT nodes with the KGC is described below and shown in Fig. 2.
Step 1: The IoT node that needs to register with the KGC (say the ith-node) generates its identity ID_i and private key V_i ∈_R Z_q^*. Next, the node computes the first part of its public key as U_i = V_i.D. The node then computes the string W_i = (ID_i || U_i) and transmits it to the KGC over a secure channel.
Step 2: Upon receiving {W_i}, the KGC performs the following operations to compute the corresponding second part of the private and public keys on behalf of the ith-node.
i) The KGC selects a random value r_i ∈_R Z_q^*, computes Y_i = r_i.D and sets it as the second part of the public key of the ith-node.
ii) The KGC computes h_i = H(W_i || Y_i) and X_i = ((r_i + h_i.V_s) mod q) and sets X_i as the second part of the private key of the ith-node. The KGC delivers X_i and Y_i to the ith-node over a secure channel.
Step 3: Upon receiving the second part of its private and public keys from the KGC, the ith-node can verify the authenticity of these keys by using the verification equation. If this equation holds, the keys can be deemed valid and correctly generated by the KGC. Thus, the ith-node sets its full private key as (V_i, X_i) and its full public key as (U_i, Y_i).

Authentication Phase
The authentication process is initiated by an IoT node (say the ith-node) with the intention of communicating with another IoT node (say the jth-node), as depicted in Fig. 2. As described in the predeployment phase, each IoT node is preloaded with certain cryptographic information. To begin the authentication process, the ith-node generates a message M1 = {W_i, Y_i} and transmits it to the jth-node. On receiving M1, the jth-node replies with a new message M2 = {W_j, Y_j}. On receiving M2 from the jth-node, the ith-node generates a fresh session key, ciphertext, and signature by using the certificateless signcryption operation described below.
i) Generates a timestamp T_i, selects a fresh nonce n_i ∈ {1, 2, 3, ..., q − 1} and a random secret
The ith-node sends M3 = {T_i, C, S, Z} to the jth-node over an insecure channel.
On receiving M3, the jth-node checks the validity of T_i and, if it is found to be valid, proceeds with the authentication procedure; otherwise it terminates the session. The jth-node validates the digital signature and decrypts the ciphertext by using the certificateless unsigncryption operation described below.

i) Computes the secret session key
Finally, the jth-node generates a timestamp T_j and sends the message M4 = {T_j, Auth} to the ith-node. After receiving M4 from the jth-node, the ith-node first validates T_j and, if it is found to be valid, proceeds with the authentication procedure; otherwise it terminates the session.
If Auth = Auth′, then the jth-node is authenticated successfully.
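As an added illustration (not code from the paper), the following Python models the registration phase (Steps 1 to 3) and the session-key agreement SK = b(U_j + α) = Z(V_j + X_j) that the security proof relies on. It assumes a stand-in group: the hyperelliptic-curve divisor group is swapped for a small prime-order subgroup of Z_p^* with constructed toy parameters, SHA-256 stands in for H, and the Step 3 check X_i.D = Y_i + h_i.U_s is derived from the KGC's formulas rather than quoted from the paper.

```python
"""Toy model of the IIoT-CS registration phase and session-key agreement.
The hyperelliptic-curve divisor group is replaced by the order-Q subgroup of
Z_P^* (constructed toy parameters P = 1019 = 2*Q + 1, Q = 509): the paper's
k.D becomes pow(G, k, P) and divisor addition becomes multiplication mod P."""
import hashlib
import random

P = 1019  # safe prime (toy size, constructed for the example)
Q = 509   # prime order of the subgroup; scalars come from Z_Q^* = {1, ..., Q-1}
G = 4     # generator of the order-Q subgroup; stands in for the divisor D

def mul(k, elem=G):  # k.D in the paper's notation (scalar multiplication)
    return pow(elem, k, P)

def add(a, b):  # divisor addition in the paper's notation
    return (a * b) % P

def H(*parts):
    """H: {0,1}* -> Z_Q^*, SHA-256 over the '||'-joined parts mapped to 1..Q-1."""
    data = "||".join(str(x) for x in parts).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

class KGC:
    def __init__(self, rng):
        self.rng = rng
        self.V_s = rng.randrange(1, Q)  # master private key V_s
        self.U_s = mul(self.V_s)        # master public key U_s = V_s.D

    def register(self, W_i):
        """Step 2: second key pair (X_i, Y_i) for the node that sent W_i = ID_i||U_i."""
        r_i = self.rng.randrange(1, Q)
        Y_i = mul(r_i)                    # Y_i = r_i.D
        h_i = H(W_i, Y_i)                 # h_i = H(W_i || Y_i)
        X_i = (r_i + h_i * self.V_s) % Q  # X_i = (r_i + h_i.V_s) mod q
        return X_i, Y_i

class Node:
    def __init__(self, ident, rng):
        self.ID = ident
        self.V = rng.randrange(1, Q)    # first part of the private key V_i
        self.U = mul(self.V)            # first part of the public key U_i = V_i.D
        self.W = f"{ident}||{self.U}"   # W_i = (ID_i || U_i), sent to the KGC
        self.X = self.Y = None          # set once the KGC's partial keys pass the check

    def accept_partial_keys(self, U_s, X, Y):
        """Step 3: adopt (X, Y) only if X.D == Y + h.U_s. Derived here from the KGC's
        formulas, not quoted from the paper: (r + h.V_s).D = r.D + h.(V_s.D)."""
        h = H(self.W, Y)
        if mul(X) != add(Y, mul(h, U_s)):
            return False
        self.X, self.Y = X, Y
        return True

def sender_session_key(b, peer, U_s):
    """SK = b.(U_j + alpha) from the peer's public data only; alpha = Y_j + h_j.U_s
    equals X_j.D, so the sender never needs the receiver's private X_j."""
    h_j = H(peer.W, peer.Y)
    alpha = add(peer.Y, mul(h_j, U_s))
    return mul(b, add(peer.U, alpha))

def receiver_session_key(Z, me):
    """SK = Z.(V_j + X_j), computed by the receiver from Z = b.D and its private key."""
    return mul((me.V + me.X) % Q, Z)

def run_registration(seed=1):
    """Register one node; returns (kgc, node, X, Y) so the Step 3 check can be tested."""
    rng = random.Random(seed)
    kgc, node = KGC(rng), Node("node_i", rng)
    X, Y = kgc.register(node.W)
    return kgc, node, X, Y

def demo(seed=1):
    """Register two nodes, then check both sides derive the same SK."""
    rng = random.Random(seed)
    kgc, i, j = KGC(rng), Node("node_i", rng), Node("node_j", rng)
    ok = i.accept_partial_keys(kgc.U_s, *kgc.register(i.W))
    ok &= j.accept_partial_keys(kgc.U_s, *kgc.register(j.W))
    b = rng.randrange(1, Q)
    Z = mul(b)  # Z = b.D, the public value the sender puts in M3
    return ok and sender_session_key(b, j, kgc.U_s) == receiver_session_key(Z, j)
```

A tampered or mis-issued X_i fails the Step 3 check because the two sides of X_i.D = Y_i + h_i.U_s no longer match, which is what stops a node from adopting keys not actually bound to the KGC's master key.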

Proof of Correctness
This section presents the proof of the correctness of the secret session key and signature verification.

Proof of Signature Verification
⇒ S.D, hence correctness of digital signature is verified.

Security Evaluation
We conducted both formal and informal security assessments to illustrate the potential of the IIoT-CS scheme against various attacks. The two computational problems that are useful in performing the formal security analysis are described below.
i) One-way hash function H(.): a "deterministic mathematical function that accepts a variable-length input string and produces an n-bit fixed-length output string".
ii) HECDLP: it is infeasible for an attacker to extract the value j from the relation L = j.D, where j ∈ Z_q^* is a random number from Z_q^* = {1, 2, ..., q − 1}.

Formal Security Analysis Using RoR Model
We used the ROR model [37], in which an adversary simulates real attacks to target the communication between IoT nodes. In the proposed IIoT-CS scheme, the adversary is represented by Ad and the participating nodes by the ith-node and jth-node; their instances are denoted by i and j, respectively. Ad initiates the following queries to interact with these instances.
i) Execute query: Ad eavesdrops on the communication channel and intercepts all communication between the instances.
ii) Send query: Ad transmits a message to an instance and obtains a reply from it.
iii) Reveal query: Ad attempts to recover the session key between i and j.
iv) Test query: Ad requests the session key and the instance responds with a random bit c.
Moreover, H(.) is modeled as a random oracle which is available to all participants and adversary Ad. In the proposed IIoT-CS scheme, we demonstrated the existence of session key security (semantic security) by using Theorem 1 as stated below.
Theorem 1: Assume Ad runs in polynomial time pt and attempts to break the session key security between node i and node j; then Ad's advantage in breaching the session key security can be written as follows:
where |Hash|, q_h^2, and Adv^{HECDLP}_{Ad}(pt) represent the range space of H(.), the number of hash queries, and the non-negligible winning advantage of breaking HECDLP, respectively.
Proof of Theorem 1: To prove Theorem 1, we use three games G_i (i = 1, 2, 3). Within each game G_i, Ad attempts to guess the bit c by applying the Test query. Let Win^{Ad}_{G_i} be the event that Ad correctly guesses c, so Ad's advantage is as follows:
Game G1: This game is the same as the real scheme running in the RoR model. We obtain the following result in this game.

Adv IIoT−CS
Game G2: In G2, Ad intercepts all messages exchanged between i and j; these messages are m1 = {W_i, Y_i}, m2 = {W_j, Y_j}, m3 = {C, R, S, Z} and m4 = {Auth}. Next, Ad employs the Execute query to retrieve the session key, then employs the Reveal and Test queries to examine whether the obtained session key is the original or a randomly generated one. In the proposed IIoT-CS scheme, the session key is produced as SK = b(U_j + α) = Z(V_j + X_j). To obtain this key correctly, Ad needs the secret values b, V_j and X_j. It follows that merely eavesdropping on m1, m2, m3, and m4 would not improve Ad's winning probability. Hence, G1 and G2 are indistinguishable, as shown in the following equation.

Adv IIoT−CS
Game G3: This game makes use of the Send and Hash queries. From G2, we know that eavesdropping on m1, m2, m3, and m4 between i and j would not result in a hash collision, as these messages are safeguarded by the HECDLP and the hash function. The HECDLP protects the variables b, V_s, V_i, and V_j used within Z, U_s, U_i and U_j, respectively, while the hash function protects the variable S and the encryption algorithm protects the variables C and Auth. Moreover, G2 and G3 are indistinguishable except that G3 solves the HECDLP and performs the Hash and Send queries. The advantage of Ad in solving the HECDLP is Adv^{HECDLP}_{Ad}(pt) and, as per the birthday paradox, the hash oracle queries yield a collision with probability q_h^2 / 2|Hash|. Overall, the following result is obtained.
Now Ad executes all queries and guesses the bit c, and the following result is obtained. From Eqs. (3) and (4), we obtain the following result.

Formal Security Verification Using AVISPA
We used the AVISPA tool [38] to verify the security of the proposed IIoT-CS scheme against known attacks. AVISPA reports its results using the keywords SAFE or UNSAFE, which denote whether the protocol is secure or not against various attacks. We applied two backends of the AVISPA simulation tool, namely OFMC and CL-AtSe, to verify the security of our scheme. The results show that the IIoT-CS scheme is secure against various attacks under the DY threat model, as shown in Fig. 3.

Informal Security Analysis
The following assumptions were taken into account for the informal security analysis. The secret values (b, V_s, V_i and V_j) are known only to the corresponding participating entity (KGC and IoT nodes) and the adversary has no knowledge of them. The encryption algorithm (E_SK) is secure enough that an attacker cannot decrypt C and {Auth}.

Confidentiality
Confidentiality refers to the assurance that private information will be kept secret during transmission. At the start, the ith-node and jth-node share their public keys and identities with each other in plaintext, because these are not required to be kept secret. The ith-node then transmits the message {T_i, C, S, Z} to the jth-node. The timestamp T_i discloses no information. The adversary cannot interpret the ciphertext C, as doing so requires the secret session key SK, which depends on the private random number b. According to the HECDLP, an adversary is unable to compute b given Z and D. Similarly, Ad is unable to extract any knowledge from S because it depends on the private values (V_i and b) of the ith-node. The message {T_j, Auth} sent by the jth-node to the ith-node also reveals no information: T_j is a timestamp and Auth is a hashed message from which an adversary cannot extract any information. As a result, the proposed scheme successfully provides confidentiality.

Authentication
To ensure secure communication between IoT nodes, they must mutually authenticate each other at the start of each session.
ith-node authentication: The jth-node calculates the session key SK after obtaining the message {C, S, Z} from the ith-node. The jth-node verifies the signature using S.D = β + (Z + U_i).H(ID_i || m || n_i). If this equation holds, the ith-node is successfully authenticated by the jth-node. Suppose an adversary impersonates a legitimate node; in that scenario, it would need to generate a valid S. However, S is based on the private values of the ith-node, which are known only to the ith-node, so an adversary would not be able to produce the right value of S.
jth-node authentication: After receiving {Auth} from the jth-node, the ith-node computes {Auth′}. The ith-node checks whether Auth = Auth′; if so, the jth-node is successfully authenticated by the ith-node. If an adversary pretends to be a legitimate node, it must send the right message {Auth}. However, {Auth} is a hashed message based on the private key of the jth-node, making it difficult for an adversary to transmit the right message {Auth}.

Non-Repudiation
The value of S transferred to the jth-node by the ith-node is based on the private key of the ith-node. Similarly, the message {Auth} sent by the jth-node to the ith-node is based on the private key of the jth-node. If the jth-node verifies the ith-node's signature, i.e., if S.D = β + (Z + U_i)H(ID_i || m || n_i) holds, the ith-node cannot deny that it sent the message to the jth-node, and if Auth = Auth′, the jth-node cannot deny that it delivered the message to the ith-node.

Integrity
The proposed scheme can verify whether the ciphertext C was changed during communication by using the equation S.D = β + (Z + U_i)H(ID_i || m || n_i). If an adversary modifies C, this equation will not hold; otherwise it will. Similarly, if an adversary modifies the message {Auth}, it is quickly detected because it would not be equal to {Auth′}. In both cases, the authentication would not succeed and the session would be terminated. Thus, integrity is ensured in the proposed scheme.

Unforgeability
In the proposed IIoT-CS scheme, if Ad tries to produce a legitimate signature, then Ad must compute the signature equation. For this, Ad would need the private key pair (V_i, X_i) of the ith-node. To compute the private keys, Ad must solve the HECDLP, which is infeasible. Hence, the proposed IIoT-CS scheme ensures unforgeability.

Forward Secrecy
In the proposed IIoT-CS scheme, the secret session key is renewed after every completed session. The secret session key depends on the private values b, V_j and X_j of the participating nodes, and it is infeasible for an adversary to find these private values due to the HECDLP. Thus, the adversary Ad is not able to read previous messages or use them later. Hence, the proposed scheme ensures forward secrecy.

Security from Replay Attack
An adversary can obtain the previous messages {W_i, Y_i}, {W_j, Y_j}, {T_i, C, S, Z}, and {T_j, Auth} by eavesdropping on the communication channel between the ith-node and jth-node. The adversary replays such messages to produce an invalid effect. In the proposed IIoT-CS scheme, the value of C depends on the fresh nonce n_i, the value S depends on the fresh private random number b and on V_i, the value of Z depends on b, and the value of Auth depends on n_i and the private key V_j. This means that for every session the values of C, S, Z, and Auth are updated. Therefore, the adversary is unable to use past messages in the next communication session. Thus, the proposed IIoT-CS scheme ensures security against replay attacks.

Security from Eavesdropping Attacks
In the proposed IIoT-CS scheme, the messages are transmitted in plaintext, hashed and ciphertext forms. The plaintext messages contain no confidential information and provide no advantage to the adversary. Furthermore, all messages containing confidential information are always protected by the HECDLP, the one-way hash function and the encryption algorithm, rendering retrieval of the confidential information computationally infeasible for an adversary. Therefore, the proposed IIoT-CS scheme prevents eavesdropping attacks.

Security from Denial of Service (DoS) Attack
In the proposed IIoT-CS scheme, the participating nodes first check the validity of the received timestamps. If the timestamps are not valid, the messages are rejected. Furthermore, the transmitted information is complemented by an integrity check in the form of a signature, and the encrypted message always contains the latest timestamp. Thus, the proposed scheme can identify incorrect messages and avoid DoS attacks by terminating the session.

Security Against Impersonation Attack
In a node impersonation attack, an adversary mimics the behavior of legitimate IoT nodes by eavesdropping on the communication channel. In the proposed IIoT-CS scheme, suppose Ad mimics the behavior of a valid sender node (ith-node). In doing so, Ad produces a message {W_a, Y_a} and sends it to a valid receiver node (jth-node). The jth-node replies to the adversary with the message {W_j, Y_j}. The adversary Ad, on receiving {W_j, Y_j}, generates the message {C′, S′, Z′} and sends it to the jth-node. As the adversary is unable to compute the private keys of the valid sender node, the message {C′, S′, Z′} transmitted by the adversary is incorrect. The jth-node, upon obtaining this inaccurate message {C′, S′, Z′}, decrypts C′ to validate the signature, but since S′.D ≠ β + (Z′ + U_i).H(ID_i || m || n_i), the authentication fails. Furthermore, the adversary Ad is unable to mimic the behavior of the valid receiver (jth-node) because it is not feasible for Ad to compute the private key V_j of the jth-node, and thus Ad is unable to correctly produce the message {Auth}; as a result, the nodes terminate the session. Thus, the proposed scheme ensures security against impersonation attacks.

Security from Man in the Middle (Mitm) Attack
In a MitM attack, an adversary attempts to modify the messages from the ith-node to the jth-node and vice versa. The adversary pretends to be a valid participating entity and passes the modified messages to either node. The proposed scheme performs mutual authentication using the messages {C, S, Z} and {Auth}. Ad can only spoof a valid participant if it can produce any of these messages correctly. However, according to the HECDLP, retrieval of the private key is computationally infeasible. Thus, the proposed scheme withstands MitM attacks.

Security from Key Compromise Attack
The private key V_j and the secret value b are used to obtain the secret session key SK. The adversary is unable to obtain these private values due to the HECDLP; as a result, the adversary cannot generate the secret session key. Hence, the proposed IIoT-CS scheme ensures security against key compromise attacks.

Comparative Analysis
This section presents the comparative analysis of computational cost, communication overhead and security features.

Computational Cost
The computational overhead depends on the execution time of the different cryptographic operations involved in an authentication scheme. Garg et al. [23] show that the time required to execute elliptic curve scalar multiplication (ECSM) and hash-to-point (HtP) operations is 0.986 and 14.293 ms, respectively, using MIRACL [39]. The execution time of hyperelliptic curve divisor multiplication (HECDM) is taken as 0.48 ms [40]. The time consumption of the other cryptographic operations is very small compared to that of ECSM and HECDM and can therefore be ignored. In the proposed scheme, the sender node (ith-node) and the receiver node (jth-node) each perform 3 HECDM operations. Therefore, the time consumed by the sender and receiver node together is 6 × 0.48 = 2.88 ms. The KGC performs 3 HECDM operations for at least 2 IoT nodes in the system to authenticate each other. Therefore, the time consumed by the KGC is 3 × 0.48 = 1.44 ms. The total time consumed by the KGC and the nodes for mutual authentication is 2.88 ms + 1.44 ms = 4.32 ms. The comparison of the computational cost of the IIoT-CS scheme with the existing schemes [15,23,41] is shown in Tab. 2 and Fig. 4a. It is clear from the results that the IIoT-CS scheme is less expensive in computational cost than the existing schemes.

Comparison of Security Attributes
We compare the proposed scheme's security functionality with the existing state-of-the-art [15,23,41]. The proposed scheme offers mutual authentication, non-repudiation, unforgeability and forward secrecy, and resists replay, eavesdropping, DoS, impersonation, MitM, and key compromise attacks, as shown in Tab. 4. It is evident that the proposed IIoT-CS scheme is by far the most secure among the existing protocols.

Conclusion
In this study, we used an HEC-based CS scheme to develop an efficient and secure authentication mechanism for the IIoT environment. The proposed scheme uses an 80-bit HEC rather than 160-bit ECC for security and performance. We applied both formal and informal security analysis to evaluate the proposed scheme's security. We performed the formal security analysis using the AVISPA tool and the RoR model, which affirms the security of the proposed scheme. The analysis shows that the proposed scheme offers confidentiality, mutual authentication, integrity, and non-repudiation and is also robust against a range of attacks such as replay, eavesdropping, impersonation, MitM, DoS, and key compromise attacks. Our proposed scheme is relatively less expensive compared to the current state-of-the-art: it is 31.25% and 51.31% more efficient in computational cost and communication overhead, respectively, compared to the most recent protocol. Thus, our proposed scheme is a viable option for IoT devices with limited resources.

Future Work
In the future, we want to incorporate and evaluate the proposed IIoT-CS scheme in a real-world IIoT environment. This will lead to further improvements to the proposed scheme and will allow us to evaluate its security and efficiency more accurately.