CASCF: Certificateless Aggregated SignCryption Framework for Internet-of-Things Infrastructure

The increasing number of devices in the age of the Internet of Things (IoT) has raised a number of security problems. Cryptographic processes, more precisely the signatures and the keys, grow with this huge number of connections and generate an overhead on the network resources. Therefore, in this paper we present a signcryption framework to address the above problems. The solution highlights the use of aggregate signcryption and a certificateless approach based on bilinear pairings. The use of signcryption with aggregation and certificateless authentication reduces the time consumption, overhead and complexity. The solution is also able to solve the key staling problem. Experimental results and comparative analysis based on key parameters, memory utilization and bandwidth utilization have been measured. It confirms that the presented work is efficient for IoT infrastructure.


I. INTRODUCTION
The Internet of Things (IoT) is a technology enabler in the present world. It forms an ecosystem made up of people, processes and technology; more specifically, the IoT infrastructure uses web-enabled smart devices with embedded systems, cloud storage, the underlying Internet structure and the applications used by the users [1]. The objectives of making life smoother and easier have carved the pathway of IoT into our technology. It is able to shape both the industrial and consumer worlds. The advantages of IoT have shown potential in various domains such as healthcare, agriculture, finance, logistics, supply chains, education and many more [2]. The increasing number of applications and the forecast increase in device connections also pose severe challenges [3]. Security is one of the major concerns among them all [4], [5].
The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Imran .
Inheriting the security problems of wireless networks, IoT also faces some severe security issues such as authentication attacks, denial of service, camouflage, espionage, routing attacks and others [6]. Authentication attacks take on another dimension in IoT, where heterogeneous devices are connected to the network. Therefore, the security mechanism should be strict enough to provide sufficient strength to the network without reducing the performance. Such a solution for IoT security is provided in the present work. The following subsections discuss some background of the existing security mechanisms and technology and the relevant security developments of recent years.

A. BACKGROUND OF SECURITY
Security is defined by a logical interpretation of being free from threats. It is obvious in the present world of Internet technology that attacks are present everywhere and that attackers devise strategies for gaining access to network data. Therefore, any system requires some security properties, which are obtained by using security tools. From the IoT perspective, the security requirements are as follows [7].
Confidentiality: The data in communication should not be accessed by a third party.
Authentication: The sender and receiver must prove their identity for data access.
Integrity: The data sent by the sender should be received by the receiver without any modification or alteration.
Non-repudiation: The sender or the receiver cannot deny about their responsibility of sending or receiving the data.
Availability: The data should be available always by the authenticated users in the network whenever and wherever required.
Apart from these, access control and accountability are also required for IoT to manage the network properly. To accomplish these requirements, cryptographic protocols are used rigorously. Hash functions, symmetric/asymmetric key cryptography and digital signatures are used by all IoT infrastructures [8]. Such cryptographic functionalities form the overall security backbone, and therefore such algorithms need to be robust enough. Encryption techniques provide confidentiality; digital signatures provide integrity, authentication and non-repudiation. In generic security frameworks, these two techniques are processed separately. However, research has been conducted to integrate the two in a single logical step, and thus signcryption processes came into existence in cryptography [9].

B. SIGNCRYPTION, AGGREGATES AND RECENT DEVELOPMENTS
Signcryption, as a single logical step for digital signature and encryption, is able to reduce the computational costs and communication overheads compared with the traditional signature-then-encryption schemes. Correctness, efficiency, and security in terms of forward secrecy and unforgeability are some of the essential features of signcryption [10]. Various signcryption algorithms have been developed in recent years. A standard model of signcryption is shown in [11]. Various hyperelliptic curve based signcryption techniques have been researched which prove their efficiency in terms of security [12]. Some other significant uses of signcryption in various IoT based infrastructures are also worth mentioning [13]-[20]. To enhance the performance of signcryption, blockchain based signcryption has also been derived [21]. With the need for post-quantum resistance, lattices have been introduced into signcryption [22].
The successful implementation of signcryption for reducing computation and communication overhead in IoT has been carried forward by aggregating the signatures. Signature aggregation schemes allow multiple signatures generated by multiple public keys for multiple messages to be aggregated into a single signature and verified accordingly [23]. Various aggregate signature schemes have been researched in recent times. Significant use of aggregate signatures in vehicular ad hoc networks is observed [24], [25]. Another such scheme for a healthcare-based application is researched in [26].
Aggregation schemes can be enhanced further by aggregating the overall signcryptions. The objective of providing the required security with reduced overhead and computation has led to such developments. An obfuscating aggregate signcryption development for IoT is worth mentioning here [27]. An application-specific use of signcryption aggregation is shown in [28]. Another recent construction of such aggregation is shown in [29]. The algorithms shown in [27]-[29] are chosen for the comparison with the proposed certificateless scheme. Focusing on these three research works, some problems are identified. Firstly, the algorithms of [27] and [28] do not provide a certificateless scheme and therefore leave scope for improvement with certificateless schemes. Secondly, key staling is a problem in all three algorithms. These identified problems have motivated us to find a signcryption solution for the IoT framework.
The rest of the paper is organized as follows. Section II explains the proposed approach/scheme, detailing the preliminaries and the phase-wise descriptions with algorithms. Section III explains the experimental results, comparative analysis and security validation. Section IV concludes the paper, highlighting the major findings of the experiment.

II. PROPOSED CASCF SCHEME
In this section, we explain the problem definition, preliminaries used for the proposed scheme, network model followed by the detailed description of the functions.

A. PROBLEM DEFINITION
In IoT, the devices are connected over the Internet. IoT communication is affected by various security issues. To safeguard the data of IoT devices in communication and to provide the required security services, cryptographic solutions have become an integral part. Hence, the present work shows a solution for IoT. It ensures confidentiality, authentication, integrity and non-repudiation services. The solution has the following objectives.
• To reduce the time consumption by using the signcryption method
• To reduce the overhead of the cryptographic processes by using aggregate signcryption
• To reduce the complexity of certificates by using a certificateless approach

B. PRELIMINARIES
Let G1 and G2 be cyclic groups of the same order q, where G1 is an additive group and G2 is a multiplicative group. A bilinear map e: G1 × G2 → Ge is a function such that, for all u ∈ G1, all v ∈ G2 and a, b ∈ Z, it satisfies the bilinearity property [30]. These maps are also called bilinear pairings, as they associate the elements of G1 and G2 with the elements of Ge. Assuming g1 and g2 are the group generators of G1 and G2 respectively, the bilinear map is admissible if e(g1, g2) is able to generate the elements of Ge and e is efficiently computable. Such an admissible mapping should also possess the properties of non-degeneracy and computability, as defined below.

1) NON-DEGENERACY
A bilinear map e: G1 × G2 → Ge is non-degenerate if e(g1, g2) generates Ge, i.e. the pairing of the generators is not the identity element of Ge.

2) COMPUTABILITY
There exists an efficient algorithm to compute e(g1, g2) for g1 ∈ G1 and g2 ∈ G2.

3) COMPUTATIONAL DIFFIE-HELLMAN (CDH) PROBLEM
For a cyclic group G of order q, CDH states that, given (g, g^a, g^b) with a random generator g ∈ G and random a, b ∈ Zq, it is computationally intractable to compute g^(ab).

4) DECISIONAL BILINEAR DIFFIE-HELLMAN (DBDH) PROBLEM
Let G be a cyclic group of order q with generator g. Given g^a and g^b with uniformly and independently chosen a, b ∈ Zq, the problem is to decide whether a given element of G equals g^(ab) or is a random element of G.

5) GAP DIFFIE-HELLMAN (GDH) PROBLEM
Let G1 be a cyclic group of order q with generator g. Given (g^a, g^b) ∈ G1 with unknown a, b ∈ Zq, compute g^(ab) ∈ G1 with the help of a DBDH (decision) oracle.

C. SYSTEM MODEL
In the proposed scheme, two Raspberry Pis, three minicomputers, five mobile phones and one desktop are used to build the IoT model. One Raspberry Pi 3 acts as the client and is connected with DHT-11 and MQ-135 sensors to collect the environmental data of the experimental room. This data is signed and forwarded to another Raspberry Pi 3, which acts as the server for the sensor network. The mobile phones work as end devices. The desktop works as a server to which the sensor network server is also connected, and the verification of the message is carried out there. Table-1 summarizes some important notations and symbols used in the proposed work and Figure 1 shows the system model.

D. FUNCTIONAL DESCRIPTION
The proposed scheme follows the work shown in [29]. The scheme involves the prime entities: a Key Generation Center (KGC), a sender u_s and a receiver u_r, an aggregating set a of n users, and an Aggregate Signcryption Generator (ASG). The KGC is responsible for generating keys. Sender and receiver are the communicating nodes, where u_s, u_r ∈ a. The ASG creates the final signcryption and validates the incoming signcryptions. The modifications to the existing algorithm [29] deal with changes in the key generation process and master key creation. Subsequently, we obtain an improved framework for IoT signcryption. However, we have followed the same stages of execution as in the above-mentioned process. The proposed framework modules are shown in Figure 2. The functioning of the scheme is sub-categorized as: Setup, Partial private key extract, User key generate, Signcrypt, Aggregate, Aggregate verify and Aggregate unsigncrypt. Some of the assumptions made for the scheme are:
• The KGC is secure and trusted.
• Aggregation of signcryptions is done by a special module, the ASG, linked to a set of users separately.
• Aggregate unsigncryption is done by the receiver.
The detailed functioning of the scheme in the IoT framework is shown below.

1) SETUP
This function is processed by the KGC. It takes as input a random point on an elliptic curve E over a finite field Zq of order o = q^k, where q is a random prime and k is an integer, together with two integer elements a, b such that the curve is y^2 = x^3 + ax + b. It then stores the master secret key (msk) with itself and publishes the system parameters (param), as shown in Algorithm 1.

Algorithm 1 Set Up
1: Input: y^2 = x^3 + ax + b
2: Output: msk, param
3: Obtain a cyclic additive group G1 from Zq of prime order q with generator g1
4: Obtain the non-zero elements of Zq to generate the cyclic multiplicative group G2. The order of this group should be q and its generator is g2.
5: e: G1 × G1 → G2
6: Select a random number r ∈ Zq* → msk, G1 ⊆ Zq*
7: Master public key (mpk) = r.g1.g2
8: Initialize the hash functions

2) PARTIAL PRIVATE KEY EXTRACT
Once the system parameters are set up, the KGC initializes the process of key generation for the users registering for the network. The KGC takes as input param, msk, the identity ID_ui of the user registering for the network and a timestamp t of 128 bits. The timestamp helps in preventing stale keys and in key revocation. Note that the proposed scheme uses ICMetrics to generate the identities of the users and converts them into a 128-bit binary representation: ID_ui ∈ {0, 1}^128 [31]. This identity is generated by the individual user. The KGC returns a partial private key Pr_ui for the user u_i through an assumed secure channel. The process is shown in Algorithm 2.

3) USER KEY PAIR GENERATION
After getting the partial private key from the KGC, each user executes a process to generate its public-private key pair. The process takes as input param and the user's identity ID_ui. It outputs a private key Pr_ui and a corresponding public key Pu_ui for the user u_i. The private key is kept secret by the user and the public key is shared without any certification. The process is summarized in Algorithm 3.
Signcrypt: Whenever
Aggregate: The Aggregate Signcryption Generator (ASG) follows the process of aggregation. It takes as input an aggregating set a of n users, some state information, the identities ID_ui of the senders and their public keys Pu_ui, and the signcrypted ciphertexts C_i. It outputs an aggregate ciphertext C. The process is shown in Algorithm 5.

Algorithm 5 Aggregation
1: Input: a, state information, ID_ui, Pu_ui, C_i, ID_ur
2: Output: C

Aggregate verify: Any receiver receiving C is able to verify the aggregated signcryption. For this, the receiver needs as inputs the appropriate public keys of the receivers for which C is generated. Adversaries are unable to verify because they lack these key components. The receiver compares the outputs and proceeds to unsigncryption if the comparison is valid; otherwise the connection is aborted. The process is shown in Algorithm 6.

Algorithm 6 Aggregate Verify
then accept C else discard and abort
8: return NULL

6) AGGREGATE UNSIGNCRYPT
Once the verification of C is done, the receiver executes the unsigncryption process. The receiver uses C, the state information, its identity ID_ur and its public-private key pair {Pu_ur, Pr_ur}, all the senders' identities ID_ui and their corresponding public keys Pu_ui, and outputs n plaintexts. The unsigncryption process is shown in Algorithm 7.
The overall scheme is summarized in Figure 3. It shows the connections between the KGC, the users (sender and receiver) and the ASG. The numbers in the figure represent the sequence of operations in the presented work.

III. EXPERIMENTAL RESULTS
In this section, the performance of the proposed scheme is measured. The scheme is also compared with the existing schemes shown in [27], [28] and [29]. Performance metrics, comparative analysis and security analysis are given in the following subsections.

A. PERFORMANCE METRICS
The performance of the schemes is measured based on the following metrics.

1) THROUGHPUT
Throughput is defined as the number of messages successfully delivered per unit time. In this case, we have assumed that the network throughput is fixed and the measurement is done only for the message signcryption functions. It is measured in bits/second.

2) DELAY
It is defined as the round-trip time in the network. Generally, delay is comprised of processing delay, queuing delay, transmission delay and propagation delay. Assuming that all the other delays are static, only the processing delay has been measured and compared.

3) ENERGY CONSUMPTION
IoT is comprised of devices which are resource constrained. Therefore, the schemes developed for IoT security should provide less energy consumption. This metric is measured with residual energy parameter and represented in percentage.

4) MEMORY CONSUMPTION
This metric is measured in terms of the kilobytes required for the overall storage of keys, intermediate values and certificates (wherever the compared approaches use certificates).

5) COMPLEXITY
The complexity of the schemes is measured on the basis of their individual operations. Less complex algorithms are more suitable for the IoT framework.

B. EXPERIMENTAL RESULTS
For the experimentation, we have used 5000 messages in total in the network setup shown in Figure-1. Memory in the KGC is maintained with an 8GB RAM configuration and 1GB ROM reserved separately for the aggregate signcryption process. The message size has been varied from 10 KB to 2 MB with an average size of 1000 KB. The comparative result is shown in Figure-4. The result shows that with the increasing number of messages (number of bits), the performance of the schemes degrades. However, in comparison, the degradation in the proposed scheme is less. It shows that CASCF is able to produce 28.3%, 43.6% and 17.9% better throughput than the schemes in [27], [28] and [29] respectively. The reason behind this throughput behaviour of CASCF is the use of the certificateless approach and the reduced number of processing steps compared with the existing schemes.
In the next experiment we have measured the processing delay of the schemes. The size of the message does not affect the cryptographic schemes. So, the delay is the overall processing of the signcrypted message, the aggregation and the receiver's aggregate unsigncryption. This has been measured by subtracting the queuing delay, transmission delay and propagation delay from the round-trip time, where those delays are assumed to be constant and the transmission channel is congestion free. The delay output is shown in Figure-5. Figure-5 shows that CASCF has a reduced delay compared with the other schemes. The certificateless signcryption contributes to this, as the delays for creating and verifying certificates are avoided. The approach in [29] uses a similar kind of certificateless approach and therefore has a similar output. However, the reduced steps in CASCF produce less delay. Overall, CASCF obtains 25% less delay than the other algorithms.
Energy is another parameter which is very important in the IoT framework. The measurement has been calculated as the average residual energy of all the end devices cumulatively. The result is shown in Figure-6. The energy comparison in Figure-6 depicts that the algorithms of [27] and [28] have an average energy consumption of 45% of the total energy; however, at the beginning the energy consumption is higher for [28], and after 3000 messages [27] degrades more rapidly in residual energy. On the other hand, CASCF and the algorithm in [29] are better than the other two algorithms due to the avoidance of certificates. Further, CASCF is more efficient owing to its changed key generation mechanism, reducing the energy consumption by 48%, 49.7% and 15.6% compared with [27]-[29] respectively.
Memory is important for any cryptographic process. With the increasing number of messages, it is obvious that individual memory consumption increases, but in comparison the results show that CASCF is more advantageous in terms of memory, as the amount of memory consumed is less in this work. The other three algorithms show memory usage 25%, 36% and 18% higher than CASCF. Therefore, in view of memory utilization, CASCF proves its efficiency. The comparison result is shown in Figure-7.
The measurement of the complexity has been done in two parts: receiver-side computational complexity and communication complexity. We have followed similar parameters and notation for this metric as mentioned in [29]. The notations are summarized in Table-2 and the comparison is shown in Table-3. Table-3 shows that the communication complexity is less compared with the schemes described in [27] and [28]; however, [29] and CASCF show a similar kind of communication complexity. On the other hand, the sender-side complexity is higher for CASCF, but the receiver-side computation complexity and the aggregator computation complexity are the lowest among all. Overall, CASCF is efficient in terms of computation complexity and communication cost.

C. SECURITY VALIDATION
The security analysis of CASCF with IoT infrastructure is explained here. The analysis consists of a discussion about the Diffie-Hellman problems and the other security features required. CASCF uses the same adversary model with a challenge-response game to validate the Diffie-Hellman assumptions [29]. However, we have provided an intuitive discussion to validate the work. As the base before aggregation is signcryption, we have not included any explicit discussion of signcryption security, as it is covered in [32].

1) DIFFIE-HELLMAN PROBLEMS
We have analysed a reduction for CDH: if g^(a^n) can be computed from a given g^a, then the CDH problem is solvable. Let A be an adversary that takes g^a for random a and outputs g^(a^2) with probability P. A construction A' is made that receives u = g^a and v = g^b and works as follows. A' runs A n times on the inputs u, v and u.v. If A returns the correct answer every time, then A' has A = g^(a^n), B = g^(b^n) and C = g^((a+b)^n). Thus, A' outputs the n-th root of C/(A.B), where the n-th root is computed modulo the prime q. The probability that this calculation is correct for a random generator g and unknown a, b becomes P^n, which tends to 0. It validates that the proposed scheme is intractable under the CDH problem.
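The reduction above, carried out for n = 2 as an added worked example (this is not the paper's code): a hypothetical squaring oracle standing in for adversary A maps g^x to g^(x^2), and the constructed algorithm A' turns three oracle calls into a CDH solver using (a+b)^2 - a^2 - b^2 = 2ab. The group (the order-q subgroup of Z_p^* with p = 2039, q = 1019, g = 4) is constructed here and is far too small for any real use; the oracle cheats with a brute-force discrete log, which is the only way to simulate A in a toy group.

```python
"""CDH from a squaring oracle: a toy instance of the reduction in the text.

Everything here is constructed for illustration and is not the paper's code.
The group is the order-q subgroup of Z_p^* with p = 2q + 1, and adversary A
from the text is modelled as an oracle that returns g^(x^2) when given g^x.
The reduction is run for n = 2, the case in which the binomial identity
(a+b)^2 - a^2 - b^2 = 2ab isolates the wanted exponent ab.
Requires Python 3.8+ for pow(x, -1, m).
"""

P = 2039  # constructed prime, p = 2q + 1 (toy size, insecure)
Q = 1019  # prime order of the subgroup we work in
G = 4     # generator of the order-q subgroup (4 = 2^2 is a quadratic residue)
assert pow(G, Q, P) == 1 and G != 1


def dlog(h: int) -> int:
    """Brute-force discrete log base G; feasible only because Q is tiny.
    This is the 'magic' that lets the toy oracle behave like adversary A."""
    for x in range(Q):
        if pow(G, x, P) == h:
            return x
    raise ValueError("element not in the subgroup generated by G")


def squaring_oracle(gx: int) -> int:
    """Hypothetical adversary A: given g^x, output g^(x^2)."""
    x = dlog(gx)
    return pow(G, (x * x) % Q, P)


def solve_cdh(u: int, v: int, oracle) -> int:
    """Constructed algorithm A': given u = g^a and v = g^b, return g^(ab).

    A' queries the oracle on u, v and u*v = g^(a+b), as the text describes,
    then strips the a^2 and b^2 terms and takes the 'n-th root' for n = 2.
    """
    a_sq = oracle(u)               # g^(a^2)
    b_sq = oracle(v)               # g^(b^2)
    sum_sq = oracle((u * v) % P)   # g^((a+b)^2)
    # sum_sq / (a_sq * b_sq) = g^((a+b)^2 - a^2 - b^2) = g^(2ab)
    g_2ab = (sum_sq * pow((a_sq * b_sq) % P, -1, P)) % P
    # Square root in the exponent: raise to the inverse of 2 modulo the order q.
    inv2 = pow(2, -1, Q)
    return pow(g_2ab, inv2, P)


def reduction_succeeds(a: int, b: int) -> bool:
    """Check that A' recovers g^(ab) from (g^a, g^b) for the given secrets."""
    u, v = pow(G, a, P), pow(G, b, P)
    return solve_cdh(u, v, squaring_oracle) == pow(G, (a * b) % Q, P)


if __name__ == "__main__":
    print("reduction recovers g^(ab):", reduction_succeeds(123, 456))
```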
Similarly, for DBDH, we first try to calculate the advantage of the adversary A. It takes as input a quadruple (g, g^a, g^b, g^(ab)) and attempts to gain an advantage in obtaining a random g^(abc) in G. If a, b are chosen uniformly with a random c in G, the correlation needed to form g^(abc) will be difficult to obtain. The probability of such an advantage for A is given as: For polynomial-time systems like the proposed scheme, the advantage becomes zero. This implies that CASCF cannot be used to solve DBDH, and hence it is safe. Now, extending the CDH problem with a random oracle, the GDH validation is conducted as mentioned in [29]. An attacker Å uses the proposed scheme with a master public key mpk with generator g^a and a random number l and q_H1, where H1 is the oracle and q_H1 is the maximum number of iterations of the oracle, and receives a GDH tuple (g, g^a, g^b) in G1 from an adversary A. Å sends to A: G1, G2, e, g, mpk. As the only queries allowed for Å are H1 queries, for H2 queries it checks whether DBDH holds and whether e(U, Pu) = e(U, g); if this is true and the tuple exists with a value h, Å returns it, or else chooses a random h, updates its own state and sends it to A. A then sends the identities of the users, the public keys, the messages, a forged ciphertext C* and some state information. Each identity is chosen from the set of n identities with the same probability. Moreover, the aggregate verification process should also return true on the forged aggregated signcrypted message, which allows Å to calculate g^(ab). This ensures that the proposed scheme is secure under the GDH assumption.

2) OTHER SECURITY REQUIREMENTS
a: CORRECTNESS
The following equality proves the verifiable correctness of the proposed work.
(Pr_ui + r_i H_i + r_u H), g

b: UNFORGEABILITY
The proposed CASCF in signcryption mode is unforgeable against adaptive chosen message attacks. Two cases are considered here. A challenge-response game is initiated as mentioned in [33]. A challenger C generates the public parameters param and msk by executing the setup algorithm. It sends param to an adversary A. A then performs a series of queries and outputs (ID_us, ID_ur, δ). Here, it is assured that A has not extracted the partial private key, as it uses a random number and a timestamp with the hash. Another assumption is that, for the chosen message, A is unable to use set-key or private-key queries on ID_us. As a result, the output of the aggregation verification is false and A is unable to proceed further. In an extended scenario, if A is able to input a forged ciphertext C into the aggregation, it cannot retrieve the key pairs, as the challenger C wins the game by prohibiting A from getting the partial private key or replacing the public keys.

c: INTRACTABILITY
Intractability of the proposed CASCF is discussed through CDH and GDH assumptions.

d: FORWARD SECRECY
CASCF ensures the property of forward secrecy. In our scheme, if the master secret key msk of the KGC is compromised, the attacker is able to get the partial private key but is unable to obtain the private key of the user, as it is generated with msk and a random number. This random number is user-specific and secret too. Therefore, to generate the private key, the attacker needs the random number r_u, which is private to the user only. Thus, generation of the private key is infeasible. Furthermore, a timestamp is added when generating the keys, which preserves the freshness of the secret key. The above discussion clearly shows that the proposed scheme is secure.

IV. CONCLUSION
In the present work, a solution for IoT security has been shown. It uses aggregate signcryption to enhance the network performance. A bilinear map is used in the scheme. Moreover, a timestamp is used in the key generation process to obtain freshness of the keys. The framework uses a set of nodes as the aggregate signature generator. Most viably, it is to be used in the fog layer of the IoT infrastructure. Performance is measured based on throughput, delay, energy consumption and memory consumption. Results are compared with some existing schemes. The complexities of the schemes are compared. Comparative analysis infers that the proposed scheme is efficient for IoT. Moreover, the security analysis confirms the accomplishment of the security objectives of the work. On the sender side, the computation complexity is higher, which is considered as a future objective.

He has more than 100 research articles. He is a Cyber-Security Researcher and a Practitioner with industry and academic experience. His research is multidisciplinary and focuses on cyber security and digital forensics of computer systems, including current and emerging issues in the cyber environment such as cyber-physical systems and the Internet of Things, by taking into consideration the unique challenges present in these environments, with a focus on cybercrime detection and prevention. He has presented many invited keynote talks and panels at conferences and venues nationally and internationally (22 events in 2018 alone). He is an Editor on multiple editorial boards, including an Associate Editor of IEEE ACCESS and an Editor of the Security and Communication Networks journal.
WILLIAM J. BUCHANAN is currently a Professor of cryptography. He also leads the Blockpass ID Lab, Edinburgh Napier University. He has authored 30 academic books and over 250 research articles. His main research interests include distributed ledger technology, identity systems, trust-based infrastructures, and cryptography. Along with this his work has supported the creation of a number of spin-out companies and international patents. He was awarded an OBE for his services to cybersecurity, in 2017.
MRITUNJAY KUMAR RAI received the M.Eng. degree in digital systems from the Motilal Nehru National Institute of Technology, Allahabad, India, and the Ph.D. degree from the ABV Indian Institute of Information Technology and Management, Gwalior, India. He worked as an Associate Professor at Lovely Professional University, Phagwara, India. He has published more than 50 research articles in reputed international conferences and journals. His research interests include wireless networks, network security, and cognitive radio networks.
G. GEETHA is currently working as a Professor with Lovely Professional University, India. Her research interests include security and cryptography, cyber-physical systems, and software engineering.
REJI THOMAS received the Ph.D. degree from IIT Delhi. He is currently a Professor with Lovely Professional University, Phagwara, India. His research interests include logic, memory, and energy storage devices.