Certificate-Based Signcryption Scheme for Securing Wireless Communication in Industrial Internet of Things

The Industrial Internet of Things (IIoT) community is concerned about the security of wireless communications between interconnected industries and autonomous systems. A cyber-security framework for the IIoT must cover the whole spectrum of securing interconnected industries, from the edge to the cloud. Several signcryption schemes based on either identity-based or certificateless settings are available in the literature to address the IIoT's security concerns. Because of their identity-based or certificateless nature, however, these schemes suffer from the key escrow and partial private key distribution problems, respectively. To address these difficulties, we propose a Certificate-Based Signcryption (CBS) scheme for the IIoT in this article. The Hyperelliptic Curve Cryptosystem (HECC), a lightweight variant of the Elliptic Curve Cryptosystem (ECC), is employed to construct the proposed scheme, which offers security together with cost-efficiency. The HECC uses 80-bit keys and fewer parameters than ECC and Bilinear Pairing (BP). A comparison of computation and communication costs shows that the proposed scheme provides robust security with minimal computation and communication overhead. Moreover, we used Automated Validation of Internet Security Protocols and Applications (AVISPA) to assess its security robustness, and the results show that the proposed scheme is secure.


I. INTRODUCTION
Industrial Internet of Things (IIoT) refers to sensors, instruments, and other devices that are networked with industrial computer applications, such as production and energy management [1]. This connectivity enables the gathering, sharing, and analysis of data, which may bring productivity and efficiency gains as well as other economic benefits. This, in turn, helps manufacturers develop products more efficiently and sustainably. In addition, IoT-node-embedded devices will be included in the IIoT, allowing more efficient resource use and hence improving consumer satisfaction and product quality. With the integration of Cyber-Physical Systems (CPS) and modern networking technologies, the monitoring and control capabilities of industrial systems have improved considerably [2], [3]. Industry 4.0 is a revolution in which wireless networking and CPS are coupled with sensors on products to monitor the whole product flow and make intelligent decisions [4], [5]. As the IIoT grows, new security risks emerge: each new device or component that connects to the IIoT is a potential point of compromise, and maintaining security becomes harder as connectivity grows. Insecure IIoT systems can have serious adverse impacts, including operational interruption and financial loss. Exposed ports, weak authentication procedures, and outdated software all contribute to the emergence of threats, and in the worst case can bring industrial output to a halt. A strong security mechanism is therefore essential to protect data transfer between users and sensing equipment.
The associate editor coordinating the review of this manuscript and approving it for publication was Ali Kashif Bashir.
Signature and encryption are fundamental cryptographic primitives for secure communication [6]. Encryption provides confidentiality, whereas a signature provides authenticity; each does so independently. When both are required at once, signcryption [7] combines them in a single operation. Most signcryption schemes rely on public-key certificates [8]. Identity-based cryptosystems were introduced as an alternative, in which a user's public key is derived directly from a string identifying the user [9]. However, because the Private Key Generator (PKG) holds all the information needed to derive every member's private key, this leads to the Key Escrow (KE) problem [10], [11]. In 2003, Al-Riyami and Paterson [12] introduced the certificateless cryptosystem to remove KE: a private key consists of two components, a secret value chosen by the participant and a partial private key (PPK) issued by the Key Generation Center (KGC). Certificateless cryptosystems, however, suffer from the Partial Private Key Distribution Problem (PPKDP) inherent to certificateless cryptography, since delivering the PPK requires a secure channel between the KGC and the authorized parties. In the same year, Gentry [13] introduced the certificate-based cryptosystem (CBC), in which a user creates his or her own private/public key pair while the Certificate Authority (CA) certifies the public key. Since the CA never learns the private keys of the participating users, the CBC avoids KE, and because the certificate can be sent in the clear, no secure channel between the user and the CA is required.
Security schemes are typically built on, and their performance evaluated in terms of, computationally hard problems such as Bilinear Pairing (BP), Rivest-Shamir-Adleman (RSA), Diffie-Hellman (DH), and ECC [14], [15], [16], [17], [18], [19], [20]. The RSA cryptosystem operates with 1024-bit keys. BP is 14.31% worse than RSA [21] because of its expensive map-to-point and pairing operations. ECC was devised to alleviate the large key sizes of RSA and BP [22]; for comparable security it relies on 160-bit keys [23]. Even 160-bit keys and the associated point operations remain a burden for IIoT nodes that collect data from the public. Consequently, the HECC, a generalization of the ECC, was introduced. The HECC offers security equivalent to BP, RSA, DH, and ECC with keys of only 80 bits [24], [25]: a genus-2 curve over an 80-bit field has a Jacobian of roughly 160 bits, so it matches the security of 160-bit ECC while storing and transmitting much smaller elements. A practitioner should note that 160-bit ECC and 80-bit HECC both correspond to roughly 80-bit security, which is below the 112-bit minimum that current key-management guidance recommends for new deployments. In light of these considerations, the HECC is a good option for crowdsourced IIoT data.
The above discussion motivates us to propose a new CBS scheme for the IIoT, with the objective of removing the KE problem of identity-based cryptography and the PPKDP problem of certificateless cryptography at minimal cost and complexity. The proposed scheme is suited to resource-constrained environments since it employs the Hyperelliptic Curve Cryptosystem (HECC), which requires much smaller key sizes than bilinear pairing, RSA, and elliptic curves. The characteristics of the proposed scheme are listed below.
• We provide a Certificate-Based Signcryption (CBS) scheme for the IIoT using the Hyperelliptic Curve Cryptosystem (HECC), a lightweight variant of the Elliptic Curve Cryptosystem (ECC). The small key sizes of the HECC make the proposed scheme lightweight, which is its most desirable characteristic.
• The proposed scheme offers confidentiality, unforgeability, integrity, anti-replay, forward secrecy, and non-repudiation as security properties.
• We evaluate the performance of the proposed scheme and compare it with relevant existing schemes to validate its computation and communication efficiency.
• The proposed scheme is validated using AVISPA, a well-known security verification and simulation tool. The findings show that the proposed scheme is SAFE with respect to its security claims under two back-end protocol checkers, OFMC and CL-AtSe.
The rest of the article is organized as follows: Section II covers related work. Section III presents the preliminaries for the construction and its complexity analysis. Section IV describes the construction of the proposed scheme. Section V presents the security analysis, followed by the cost analysis in Section VI. Section VII concludes the study.

II. RELATED WORK
Information security is vital to the security of a communication system. The fundamental security requirements are the confidentiality and authenticity of data. Below we survey the security schemes proposed in the literature for IIoT infrastructure. A certificateless signature scheme for IIoT infrastructure was proposed in [27]; however, Zhang et al. [28] and Yang et al. [29] showed it to be vulnerable to both Type 1 and Type 2 adversaries. In addition, the scheme relies on BP, which has the highest cost complexity of the candidate primitives. In [29], the authors therefore strengthened the security of the scheme of [27] using ECC; nonetheless, the result is not suited to real IIoT deployments because of PPKDP and the larger key sizes of ECC. The authors of [29] also assert that the scheme in [28] is subject to a public key replacement attack. A key-insulated signature scheme using BP was then introduced in [30]; similarly, that method demands intensive computation and requires larger transmission bandwidth. Later, Qiao et al. [31] proposed a secure CBAS scheme for the IIoT that improves on earlier CBAS schemes and provides a practical implementation. Its security is proved in the random oracle model under the hardness of the discrete logarithm problem, and compared with prior CBAS schemes it offers strong security with better computation and communication efficiency.
The schemes above provide authentication only, whereas the IIoT architecture needs confidentiality together with authenticity. For this purpose, in 2017 Karati et al. [32] introduced an identity-based signcryption scheme for IIoT crowdsourcing using bilinear pairing. The scheme suffers from over-reliance on the PKG, which is inherent to identity-based signcryption, since the PKG generates the complete private key; once the PKG is compromised, the security of the whole system collapses. In addition, the scheme does not meet the security requirements of confidentiality and forward secrecy, and it incurs high bandwidth use and significant computation cost because of bilinear pairing.
In 2019, Ullah et al. [33] introduced a lightweight certificateless (CLC) signcryption scheme for crowdsourced IIoT applications with the aim of increasing security while minimizing communication and computation costs. However, the scheme inherits the PPKDP problem of certificateless signcryption, since key distribution needs a secure channel between the KGC and the participants. The authors also gave no formal proof in any security model, such as the random oracle or standard model. In 2020, Dharminder et al. [34] introduced an identity-based signcryption scheme for IIoT crowdsourcing. A performance comparison with comparable schemes suggests that it is efficient in both computation and communication; nevertheless, it still suffers from high bandwidth use and heavy computation cost because of bilinear pairing.
All of the approaches above aim to secure IIoT infrastructure. However, they suffer from significant computation cost and communication overhead as well as key escrow and partial private key distribution issues. In addition, their security rests on ECC and bilinear pairing, whose key sizes and operation costs are poorly suited to the Industrial Internet of Things. For this reason we propose a new CBS scheme for IIoT crowdsourcing. The proposed scheme is efficient and free of the KE and PPKDP problems, and by using the HECC it reduces computation cost and communication overhead.

III. PRELIMINARIES
This section covers the formal definitions, the threat model, and the notation used in the proposed scheme (Table 1).

B. THREAT MODEL
The Dolev-Yao adversary model, distinguishing an adversary (AV) from a forger (FR), is assumed in the design of the proposed scheme. AV attempts to break the forward secrecy, integrity, and confidentiality of the proposed scheme, whereas FR attempts to forge its signature.

IV. CONSTRUCTION OF THE PROPOSED SCHEME
This section discusses the construction of the proposed scheme, including the syntax, network model, and proposed algorithm.

A. GENERIC SYNTAX
In this phase, we define the working structure of each part of the CBS scheme in the following steps.
Setup: The Certificate Authority (CA) takes a security parameter 1^ε and outputs the secret key ϑ and the global parameter set param.
Public Number Generation: Given param and an entity identity ID_e, this step outputs a public number β_e, and the entity of identity ID_e transmits the pair (ID_e, β_e) to the CA.
Certificate Generation: Given param and the pair (ID_e, β_e), the CA outputs a certificate C_e and sends the pair (C_e, µ) to the entity of identity ID_e over an open network.
Key Generation: Given param and the pair (C_e, µ), the entity of identity ID_e generates its private key P_e and public key B_e.
CB-Signcryption: Given a plaintext m, the global parameter set param, the identities of the CB-Signcrypter and CB-Un-Signcrypter (ID_cs, ID_cus), the certificate and private key of the CB-Signcrypter (C_cs, P_cs), and the public keys of the CB-Signcrypter and CB-Un-Signcrypter (B_cs, B_cus), this step outputs a CB-signcrypted tuple φ.
CB-Un-Signcryption: On receiving φ, the CB-Un-Signcrypter takes as input the identities of the CB-Signcrypter and CB-Un-Signcrypter (ID_cs, ID_cus), its own certificate and private key, its own public key and the sender's public key, and the global parameter set param; it verifies the signature and outputs the plaintext m.

B. NETWORK MODEL
Application Provider: This entity serves as the Certificate Authority (CA) and is responsible for generating a certificate for a requesting user.
Crowdsourced Industrial Internet of Things: Using intelligent devices to capture sensing data from industrial IoT devices, the crowdsourced IIoT offers a paradigm for data collection and sensing. The data from sensors/mobiles and crowd tasks are stored, processed, evaluated, and displayed graphically. On request of the controller, the collected data are sent to the controller.
Controller: In the proposed network model, a mobile phone acts as the controller. This entity computes the signcryption of the data collected from sensor nodes and transfers it to the data user.
Data User: This entity is the end user; when it requires crowdsourced IIoT data, it sends a signcrypted access request query to the controller.
Cloud Server: The cloud server stores massive amounts of crowdsourced data when required; otherwise, it forwards the signcrypted text to the data user.

C. PROPOSED ALGORITHM
The proposed scheme consists of the following steps.
Setup: The certificate authority (CA) picks a security parameter 1^ε and performs the following sub-steps: it chooses a hyperelliptic curve (HEC) of genus δ over a finite field F_γ.
Certificate Generation: The CA calculates a certificate C_e = X_e + β_e and a value µ = η_e · H_1(C_e, ID_e) + ϑ, then sends the pair (C_e, µ) to the entity of identity ID_e over an open network.
Key Generation: On receiving (C_e, µ), and given param, the entity of identity ID_e generates its private key P_e and public key B_e using the computations below.
CB-Un-Signcryption: On receiving φ, the CB-Un-Signcrypter takes as input the identities of the CB-Signcrypter and CB-Un-Signcrypter (ID_cs, ID_cus), its own certificate and private key (C_cus, P_cus), its own public key and the sender's public key (B_cus, B_cs), and the global parameter set param; it verifies the signature and outputs the plaintext m as follows.

D. CORRECTNESS
Using the following computations, the entity of identity ID_e can confirm the correctness of its private key P_e and public key B_e:

V. SECURITY ANALYSIS

Theorem 1: Confidentiality
Confidentiality is the property that no adversary (AV) can recover the encryption key of a legitimate sender.
Proof 1: In the proposed certificate-based signcryption scheme the sender first forms the encryption key K = V · B_cus and then encrypts the plaintext as Z = m ⊕ H_2(K). To recover the contents of Z, AV needs K = V · B_cus, and hence V from Y = V · D; finding V from Y is the hyperelliptic curve discrete logarithm problem (HECDLP), which is infeasible for AV. Alternatively, AV could try to recover the decryption key as K' = Y · P_cus, which requires P_cus from B_cus = P_cus · D; this is again an instance of the HECDLP that AV cannot solve. Therefore, the proposed certificate-based signcryption scheme satisfies confidentiality.

Theorem 2: Unforgeability
A CBS scheme achieves unforgeability as long as no forger (FR) can compromise the sender's private key and forge the digital signature.
Proof 2: The sender generates the signature W = V + Q · P_cs and sends the signcrypted tuple φ = (Q, Z, W), containing the ciphertext and the signature, over the public network.
To produce a forged signature, FR must compute W = V + Q · P_cs, which requires V from Y = V · D and P_cs from B_cs = P_cs · D, i.e. solving two instances of the HECDLP. This is infeasible for FR, so the scheme meets the unforgeability requirement.

Theorem 3: Integrity
A CBS scheme achieves integrity if no AV can produce the same hash value for two distinct messages.
Proof 3: In our scheme the sender computes the hash of the plaintext as Q = H_3(C_cs, m, Y, ID_cs, B_cs) and sends the ciphertext and signature φ = (Q, Z, W) to the receiver over an open channel. To modify the message undetected, AV would have to find a second message with the same Q, i.e. a collision of H_3, or invert Q to recover m; both are infeasible because of the collision resistance and one-wayness of the hash function. Therefore, the scheme protects integrity.

Theorem 4: Non-Repudiation
A CBS scheme achieves non-repudiation if a sender cannot later deny having produced a signcrypted text.
Proof 4: In our CBS scheme the sender cannot disavow the signature W = V + Q · P_cs once it has been sent. If the sender disputes the signature, a judge performs the following computation to resolve the conflict between the receiver and the sender. The computation shows that the sender cannot dispute the signature, because the private key P_cs used to create W = V + Q · P_cs is bound to the sender's public key B_cs.

Theorem 5: Forward Secrecy
A CBS scheme achieves forward secrecy if no AV can compromise message confidentiality by learning the sender's private key.
Proof 5: Our scheme encrypts with a session key K rather than with the sender's private key P_cs. Even if AV obtains P_cs, recovering the message still requires the receiver-side key K' = Y · P_cus, and hence P_cus from B_cus = P_cus · D, which is an instance of the HECDLP that AV cannot solve. Consequently, the design possesses forward secrecy.

Theorem 6: Anti-Replay Attack
A CBS scheme resists replay attacks if no AV can collect old messages and resend them to the intended recipient to have them accepted again.
Proof 6: In the proposed scheme the receiver first encrypts a nonce r under the sender's public key and delivers it to the sender. After decrypting r, the sender generates a fresh nonce s and encrypts the two nonces together with the message as Z = (m, r, s) ⊕ H_2(K) using the secret key K. On receiving the ciphertext Z, the receiver checks that r matches the nonce it issued and that s is fresh; if both hold, the ciphertext is accepted as a new message, otherwise the message is added to the revocation list. Since both nonces (r, s) are renewed for each session, the scheme is resistant to replay attacks.
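The following is an added example and not the paper's own code: it runs the signcryption core defined in the generic syntax (Section IV) and relied on in Proofs 1, 2, 3 and 6 above, using the paper's symbols D, P_e, B_e = P_e · D, V, Y = V · D, K = V · B_cus, Z = (m, r, s) ⊕ H_2(K), Q = H_3(C_cs, m, Y, ID_cs, B_cs), W = V + Q · P_cs and φ = (Q, Z, W). Because genus-2 Jacobian arithmetic (Cantor's algorithm) is too long to show here, the group is a genus-1 hyperelliptic curve, i.e. the elliptic curve secp256k1; everything else is unchanged. Assumptions the paper does not fix and which are therefore ours: H_2 and H_3 are built on SHA-256, the certificate C_cs is an opaque byte string, the nonces r and s are 16 bytes, and the preliminary delivery of r to the sender (encrypted under the sender's public key) has already happened. The example also shows why φ = (Q, Z, W) suffices without transmitting Y: since W · D = Y + Q · B_cs, the receiver recovers Y from (Q, W) and only then derives K' = Y · P_cus.

```python
# Added example, not the paper's own code: the signcryption core above, run
# over a genus-1 hyperelliptic curve, i.e. the elliptic curve secp256k1, since
# genus-2 Jacobian arithmetic (Cantor's algorithm) is too long to show here.
# Assumed, as the paper does not fix them: H2/H3 are SHA-256 based, the
# certificate C_cs is an opaque byte string, nonces r and s are 16 bytes.
import hashlib, secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
D = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity; D is the paper's base divisor

def add(p1, p2):  # group law on y^2 = x^3 + 7 over F_P
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # k.pt by double-and-add (the paper's HYDM operation)
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H2(K, n):  # n-byte keystream from the shared point K (SHA-256 counter mode)
    return b"".join(hashlib.sha256(b"H2" + enc(K) + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def H3(C_cs, m, Y, ID_cs, B_cs):  # Q = H3(C_cs, m, Y, ID_cs, B_cs) mod N
    h = hashlib.sha256(b"H3" + C_cs + m + enc(Y) + ID_cs + enc(B_cs)).digest()
    return int.from_bytes(h, "big") % N

def keygen():  # private P_e, public B_e = P_e.D (certificate step not modelled)
    P_e = secrets.randbelow(N - 1) + 1
    return P_e, mul(P_e, D)

def signcrypt(m, r, C_cs, ID_cs, P_cs, B_cs, B_cus):
    """Sender: phi = (Q, Z, W); r is the nonce the receiver sent earlier."""
    s, V = secrets.token_bytes(16), secrets.randbelow(N - 1) + 1
    Y, K = mul(V, D), mul(V, B_cus)
    payload = m + r + s                      # (m, r, s) from Theorem 6
    Z = bytes(a ^ b for a, b in zip(payload, H2(K, len(payload))))
    Q = H3(C_cs, m, Y, ID_cs, B_cs)
    W = (V + Q * P_cs) % N
    return (Q, Z, W)

def unsigncrypt(phi, r, seen, C_cs, ID_cs, B_cs, P_cus):
    """Receiver: returns m, or None if the signature, r or freshness of s fail.
    seen is the set of nonces s already accepted by this receiver."""
    Q, Z, W = phi
    # W.D = V.D + Q.P_cs.D = Y + Q.B_cs, so Y is recovered from (Q, W) alone
    Y = add(mul(W, D), neg(mul(Q, B_cs)))
    if Y is INF or len(Z) < 32:
        return None
    K_ = mul(P_cus, Y)                       # K' = Y.P_cus = V.B_cus = K
    payload = bytes(a ^ b for a, b in zip(Z, H2(K_, len(Z))))
    m, r_got, s = payload[:-32], payload[-32:-16], payload[-16:]
    if Q != H3(C_cs, m, Y, ID_cs, B_cs):     # unforgeability / integrity
        return None
    if r_got != r or s in seen:              # anti-replay check
        return None
    seen.add(s)
    return m

def demo():
    """Honest round trip, then a replay and a tampered signature (both rejected)."""
    P_cs, B_cs = keygen()                    # controller (CB-Signcrypter)
    P_cus, B_cus = keygen()                  # data user (CB-Un-Signcrypter)
    C_cs, ID_cs = b"cert:controller", b"controller-01"   # constructed values
    r, seen = secrets.token_bytes(16), set()
    phi = signcrypt(b"temp=71.5C;valve=open", r, C_cs, ID_cs, P_cs, B_cs, B_cus)
    ok = unsigncrypt(phi, r, seen, C_cs, ID_cs, B_cs, P_cus)
    replay = unsigncrypt(phi, r, seen, C_cs, ID_cs, B_cs, P_cus)
    Q, Z, W = phi
    forged = unsigncrypt((Q, Z, (W + 1) % N), r, set(), C_cs, ID_cs, B_cs, P_cus)
    return ok, replay, forged

if __name__ == "__main__":
    print(demo())
```

Two points the code makes visible that the proofs state only in words. First, the XOR keystream gives no integrity by itself: a flipped bit in Z or a changed W yields a different recovered Y, a different K', and hence a plaintext whose H_3 no longer matches Q, which is the only thing that rejects the forgery, so Q must be recomputed over the decrypted m before the message is trusted. Second, the replay check in Theorem 6 is only as good as the receiver's memory of accepted nonces s; the `seen` set must persist per peer for as long as old ciphertexts could still be replayed.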

VI. COST ANALYSIS
In this section we compare the proposed scheme with those of Karati et al. [32], Ullah et al. [33], and Dharminder et al. [34] in terms of computation and communication costs. Computational efficiency is measured by the algorithm's computation cost, whereas communication efficiency is measured by the length of the ciphertext.
The symbols EXPN, BIPG, HYDM, |m|, |G|, and |n| denote, respectively, exponentiation, bilinear pairing, hyperelliptic curve divisor multiplication, message size in bits, group element size in bilinear pairing, and hyperelliptic curve parameter size in bits. We neglect the cost of other operations such as hashing, subtraction, and addition, since they require far less time.
The operations and their timings, taken from [35], are listed in Table 2. The simulation uses an Intel Core i7-4510U CPU at 2.0 GHz with 8 GB RAM, Windows 7, and the MIRACL C library [37]. HYDM requires 0.48 milliseconds (ms) [36]. Table 3 lists the principal operations and their costs in milliseconds.
Table 5 lists the variables and their sizes used in the communication cost comparison [1], and Table 6 compares communication costs under these assumptions. Tables 4 and 6 compare our work with Karati et al. [32], Ullah et al. [33], and Dharminder et al. [34] in terms of computation and communication overhead. The comparison shows the advantage of the proposed scheme in computation and communication overhead, as illustrated in Fig. 2 and Fig. 3. In addition, Table 5 and Table 7 show a significant decrease in communication and computation costs.

VII. CONCLUSION
This paper proposes the formal development of an efficient signcryption scheme in a certificate-based IIoT environment. The proposed scheme can be used in large industrial settings. It satisfies confidentiality, unforgeability, integrity, anti-replay, non-repudiation, and forward secrecy. Moreover, the proposed scheme is tested and simulated using AVISPA, a well-known security verification tool. Under two back-end protocol checkers, OFMC and CL-AtSe, the simulation results indicate that the proposed approach is SAFE with respect to its security claims. To evaluate the cost-complexity of the proposed scheme, we assess its performance and compare it with a variety of relevant existing schemes. The results show that the proposed scheme is better in terms of computation and communication costs than the counterpart schemes.
VOLUME 10, 2022

APPENDIX A. IMPLEMENTATION OF THE PROPOSED SCHEME IN AVISPA
Using the popular simulation tool AVISPA [37], [38], we simulate the proposed scheme. AVISPA is a top-down formal validation and verification tool that uses the expressive and flexible High-Level Protocol Specification Language (HLPSL) [39] to describe a protocol and find security vulnerabilities in it. To assess the security goals, AVISPA incorporates four back-end checkers that operate on HLPSL specifications: the On-the-fly Model-Checker (OFMC), the Constraint-Logic-based Attack Searcher (CL-AtSe), the SAT-based Model-Checker (SATMC), and the Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). The overall AVISPA framework is shown in Fig. 4: the HLPSL specification is first converted to the Intermediate Format (IF) by the HLPSL2IF translator, and the IF is then passed to the AVISPA back-end checkers. The result states whether or not the proposed protocol is secure and usable in a real setting. In addition, Table 8 and Figures 5 and 6