An Efficient Scheme for Industrial Internet of Things Using Certificateless Signature

Department of Information Technology, Hazara University, Mansehra 21120, Khyber Pakhtunkhwa, Pakistan; Hamdard Institute of Engineering & Technology, Hamdard University, Islamabad 44000, Pakistan; STC's Artificial Intelligence Chair, Department of Information Systems, College of Computer and Information Sciences, King Saud University, Riyadh 11543, Saudi Arabia; Computer Engineering Department, Engineering College, Hadhramout University, Hadhramout, Yemen; Institute of Computing, Kohat University of Science and Technology, Kohat 2600, Pakistan


Introduction
The Internet of Things (IoT) is a network of interconnected physical devices, which incorporate embedded technologies such as RFID, sensors, and other smart devices [1,2], networked together to communicate with external environments via the Internet [3,4]. At the same time, IoT is widening its scope by linking cities into mature smart systems. These smart systems are designed to combine our everyday items with smart devices to create a fully automated intelligent system (AIS) that has the potential to reduce human effort. According to a recent Ericsson report, about 18 billion smart IoT devices will be connected to the Internet by 2022 [5]. This innovative trend has paved the way for integrating these technologies into various fields such as healthcare, data mining, transportation, and commerce [6][7][8][9][10]. Since its first proposal [11], IoT has attained considerable attention among the research community in both academia and industry [12].
devices. It can collect the relevant data throughout the industrial production system and send it to the controller. Additional information can be collected using sensors. The collected data are then forwarded by the controller to the cloud server over the Internet. Cloud servers have the potential to address the serious challenges of data storage, data processing, and data classification through data-based services, improving the reliability of the IIoT environment [14]. Despite these positive aspects, traffic to cloud servers can easily be intercepted, so that sensitive data and information can be disclosed and leaked.
Despite constant development and research in IIoT technology, security risks still hinder its comprehensive application [15][16][17][18][19]. Consider the generic IIoT scenario in which the application sends collected data through a public channel. In this case, due to the open nature of the channel, an attacker can carry out multiple attacks, such as injecting, intercepting, responding, and modifying. By doing so, the attacker could damage the reputation and assets of data owners and data consumers [20][21][22][23][24].
To avoid the above outcomes, a significant number of studies have been conducted to ensure the integrity of IIoT data for structural information [25][26][27][28].
In the IIoT infrastructure [15,21,29], digital signature-based cryptography (DSBC) is considered an efficient and reliable means of achieving data integrity. Using DSBC, sensitive information can be authenticated in a non-reversible manner for the entire transmission phase [30].
A certificateless signature approach is a promising candidate that reduces the overhead of certificate management and solves the key escrow problem that comes with identity-based signing approaches. Certificateless signature cryptography relies on a third party termed the key generation center (KGC), which holds a master secret key. The KGC also issues each user a partial private key (PPK) computed from that user's identity. The user chooses a secret value and combines it with the PPK to create its own private key [31]. Next, the user combines the public parameter set with the secret value to generate its public key. Building on this idea, several schemes have been devised to provide data authentication for IIoT structural information [32][33][34][35][36][37]. However, the mentioned schemes incur high communication and computation costs.
Normally, to provide efficient and strong security with minimal computational and communication overheads, the most common techniques used are RSA, bilinear pairing (BPG), elliptic curve cryptosystem (ECC), and hyperelliptic curve cryptosystem (HECC) [38][39][40][41][42][43][44]. Among them, the HECC gives the same security with smaller key and parameter sizes [45,46]. Therefore, the HECC is considered an appropriate and efficient cryptographic mechanism that offers improved performance in contrast to RSA, BPG, and ECC. Furthermore, the HECC uses 80-bit keys with efficient and strong security that suits IIoT environments.

Motivation and Contribution.
Inspired by the above discussion, a new certificateless signature scheme is proposed for the IIoT infrastructure. The proposed scheme is primarily based on HECC, characterized by its smaller key length. The main contributions of this work are listed below.
(i) A cost-effective certificateless signature scheme is constructed for the IIoT environment using HECC.
(ii) We provide a proper algorithm for the proposed scheme that avoids key escrow problems and guarantees the security properties of unforgeability, resistance to man-in-the-middle attack, and antireplay.
(iii) We validated the designed approach using a widely accepted validation tool (AVISPA) with the popular backends, i.e., the on-the-fly model checker (OFMC) and the constraint logic-based attack searcher (CL-AtSe).
(iv) We also give the AVISPA code and simulation results, which are available in the simulation study (Appendix) in Section 8.
(v) Finally, a comprehensive comparative analysis against relevant schemes is given, which shows that our proposed scheme is better than them in terms of both communication and computation costs.

Road Map of the Article.
The article is arranged as follows: Section 2 discusses the literature presented for the IIoT environment. Section 3 discusses the threat model and the preliminaries of our proposed certificateless signature construction (CLSC) scheme. Section 4 describes the proposed network model for the certificateless signature. Section 5 presents the proposed algorithm. In Section 6, we describe the informal security analysis of the CLSC scheme. In Section 7, we compare the CLSC scheme against related existing certificateless signature schemes. In Section 8, we give the simulation study (Appendix), and in Section 9, we conclude.

Related Work
In order to minimize data management overhead, and driven by the popularity of IIoT in modern digitization, most organizations are outsourcing their data to cloud servers. However, this shift requires low-overhead data authentication schemes.
For this purpose, Karati et al. [32] proposed a novel scheme for the IIoT environment in the certificateless setting. The authors claim that their scheme is secure against type I and type II adversaries under the standard model. Later, the scheme of Karati et al. [32] was found insecure by [33,34] against both type I and type II adversaries. Also, the security of the Karati et al. scheme relies on BPG. BPG has the worst performance in terms of computing and communication resources and therefore does not fit the resource-limited setting of IIoT.
Zhang et al. [33] broke the scheme of [32] by showing that it cannot resist type I and type II adversaries. However, the authors of [33] did not construct a new scheme to back their claims. Later, in 2019, Zhang et al. [34] improved the scheme of [32] by constructing a robust technique for IIoT in the certificateless setting. The authors of [34] utilized ECC to reduce the cost for IIoT. Unfortunately, ECC works with a 160-bit key size, which needs to be reduced further to suit the resource-constrained devices of IIoT. In the same year, Yang et al. [35] claimed that the scheme of [34] is not secure against the public key replacement attack. According to Yang et al., an attacker can effortlessly forge a valid signature using a fake public key. However, the authors of [35] did not construct a new scheme to back their claims.
In 2019, Xiong et al. [36] presented a key-insulated signature scheme for IIoT using a certificateless signature. The authors utilized ECC under the random oracle model (ROM) to reduce the cost for IIoT. As mentioned, ECC works with a 160-bit key size that needs to be reduced further for resource-limited devices. Later, Rezaeibagha et al. [37] also improved the scheme of [32] by proposing a more concrete certificateless signature scheme under the standard model. The authors claim that their scheme is secure against type I and type II adversaries. However, Shim [47] proved the designed scheme insecure against the type I adversary. Also, the security of [37] is based on BPG, which does not fit the resource-limited setting of IIoT due to heavy pairing operations.

Outcomes of the Literature.
The above schemes are constructed on the notion of BPG and ECC and hence incur high computing and communication costs. Furthermore, the works in [33,35] do not provide proper schemes to back their claims. Additionally, none of the previous schemes are validated by formal security tools such as AVISPA. For this reason, we propose a lightweight certificateless signature scheme for IIoT using HECC.

Threat Model.
The well-known Dolev-Yao threat model was used for this study's certificateless signature scheme [48]. In this model, an adversary can intercept any open-channel communication between two parties, which creates the possibility of eavesdropping on, replacing, and modifying messages. Given the use of wireless communications in IIoT environments, adversaries can cause sensitive data leakage.
Type I (A_I) and type II (A_II) adversaries were considered for the security analysis of the CLE scheme [49]. They are described as follows:
Type I (A_I): A_I is a malicious adversary, usually regarded as an external attacker without access to the master key.
Type II (A_II): A_II is usually regarded as an internal attacker (a malicious KGC) with master key access but without the ability to replace public keys.
The goal of both A_I and A_II is to produce forged digital signatures for the core certificateless signature scheme.

Network Model
The proposed scheme consists of the following entities: application provider (AP), data owner (DO), cloud server (CS), and data clients (DC), as shown in Figure 2. Their roles are described below.
AP: it plays the role of the KGC. The AP is responsible for selecting the master secret key and master public key. It is also responsible for issuing the mathematical parameters to the entire network, and for producing a partial private key for all participants.
DO: it is responsible for producing its own private key and the certificateless signature on IIoT data. After signing, the DO sends the signed IIoT data to the CS, and the CS forwards the signed data to the intended clients.
CS: the CS is a service for both short-term and long-term data storage.
Data clients: the data client is responsible for verifying the received data using its own private key.

Certificateless Signature Construction (CLSC) Scheme.
The signature component, adapted from [50], consists of the following four phases: first, setup; second, key generation; third, signature; and fourth, verification. These phases lead to the practical formulation of a novel certificateless signature for real-world IIoT settings. Before following the algorithm, it is worth consulting the notation presented in Table 1.

Setup.
A series of initial tasks are undertaken by the application provider (AP), which carries out the role of the KGC. These tasks are as follows:
(i) AP chooses a number Q to serve as the master private key, where 1 ≤ Q ≤ n − 1.
(ii) AP generates the master public key by computing R = Q · D.
(iii) The public parameter set param = (R, D, n = 2^80, hEC) is selected.
(iv) The chosen master private key Q is kept in the AP's storage, while param and R are published to the entire network.

Key Generation.
This phase consists of the following tasks:
(i) Partial private key generation (PPK): for a user with identity ID_u, the AP carries out the following steps: choose r_u, where 1 ≤ r_u ≤ n − 1; compute X_u = r_u · D; concatenate L_u = (ID_u ‖ X_u); compute V_u = (r_u + Q · L_u); and finally send (V_u, X_u) to the user. At the receiving end, the DC and the DO each check

V_u · D = X_u + L_u · R, where X_u = r_u · D and R = Q · D, (1)

thereby confirming the received PPK pair (V_u, X_u).
(ii) Secret value generation: the secret value Q_u is chosen randomly by the user (DO or DC), where 1 ≤ Q_u ≤ n − 1.
(iii) Private key generation: the user (DO or DC) forms the private key Ω_u = (V_u, Q_u).
(iv) Public key generation: the user (DO or DC) generates the associated public key as follows: compute W_u = (Q_u · D), concatenate u_u = (ID_u ‖ W_u), compute P_u = (X_u ‖ u_u · W_u), and finally set the public key by concatenating β_u = (X_u ‖ u_u).

Signature.
To generate a signature, the DO undertakes the following:
(ii) Calculate z = (m ‖ ID_DO ‖ τ), where ID_DO denotes the identity of the DO.
(iii) Calculate δ = Q_DO + (V_DO + w) · Z, where (Q_DO, V_DO) is the DO's private key pair.
(iv) Output the signature Φ = (N, δ).

Verification.
The DC validates the signature through the following computations: + h(m ‖ ID_DO ‖ τ)

Consistency.
Here, DC accepts ϕ upon successful computation.
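The following is an added worked example, written for this page and not the authors' implementation, that runs the setup, partial-private-key issuance and check (equation (1)), private/public key derivation, signing, and verification described above. It assumes a stand-in group: secp256k1 replaces the hyperelliptic divisor group, with the generator G playing the role of the divisor D and scalar multiplication k * G standing for the text's k · D. Three further assumptions are labelled in the code: the concatenations L_u and z are reduced to scalars with SHA-256 (the text writes them as concatenations only); the signer's first step, absent from the text above, is taken from the unforgeability proof as choosing w and computing N = w · D; and the verification equation is derived here from the signing equation δ = Q_DO + (V_DO + w) · Z rather than copied from the paper. The data client also rejects a reused nonce τ.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard public constants); G stands in for the divisor D
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication: the text's 'k . D' operation."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h(*parts):
    """Assumption: concatenations are hashed to a non-zero scalar mod N."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N or 1


def setup():
    """AP as KGC: master private key Q and master public key R = Q . D."""
    q_master = secrets.randbelow(N - 1) + 1
    return q_master, ec_mul(q_master, G)


def gen_ppk(q_master, ident):
    """AP issues the partial private key (V_u, X_u) for identity ident."""
    r = secrets.randbelow(N - 1) + 1
    x_u = ec_mul(r, G)                      # X_u = r_u . D
    l_u = h(ident, enc(x_u))                # L_u = (ID_u || X_u), hashed (assumption)
    return (r + q_master * l_u) % N, x_u    # V_u = r_u + Q . L_u


def check_ppk(ident, v_u, x_u, r_pub):
    """Equation (1): V_u . D == X_u + L_u . R."""
    return ec_mul(v_u, G) == ec_add(x_u, ec_mul(h(ident, enc(x_u)), r_pub))


def gen_keys(ident, v_u, x_u):
    """User picks secret value Q_u; private key (V_u, Q_u), public key (X_u, W_u)."""
    q_u = secrets.randbelow(N - 1) + 1
    return (v_u, q_u), (x_u, ec_mul(q_u, G))   # W_u = Q_u . D


def sign(priv, ident, msg, tau):
    """DO: N = w . D (step taken from the proof), delta = Q_DO + (V_DO + w) . Z."""
    v_do, q_do = priv
    w = secrets.randbelow(N - 1) + 1
    z = h(msg, ident, tau)                  # Z = h(m || ID_DO || tau)  (assumption)
    return ec_mul(w, G), (q_do + (v_do + w) * z) % N


def verify(pub, ident, r_pub, msg, tau, sig):
    """Derived check: delta . D == W_DO + (X_DO + L_DO . R + N) . Z."""
    n_pt, delta = sig
    x_do, w_do = pub
    inner = ec_add(ec_add(x_do, ec_mul(h(ident, enc(x_do)), r_pub)), n_pt)
    return ec_mul(delta, G) == ec_add(w_do, ec_mul(h(msg, ident, tau), inner))


class DataClient:
    """DC side: verifies the signature and rejects a replayed nonce tau."""
    def __init__(self, r_pub):
        self.r_pub, self.seen = r_pub, set()

    def accept(self, pub, ident, msg, tau, sig):
        if tau in self.seen or not verify(pub, ident, self.r_pub, msg, tau, sig):
            return False
        self.seen.add(tau)
        return True


def demo():
    """Returns (ppk ok, bad ppk rejected, sig ok, altered msg rejected, replay rejected)."""
    q_master, r_pub = setup()
    ident = b"DO-0001"                       # constructed sample identity
    v_u, x_u = gen_ppk(q_master, ident)
    priv, pub = gen_keys(ident, v_u, x_u)
    tau = secrets.token_bytes(16)            # fresh nonce chosen by the DC
    msg = b"temp=71.5C"                      # constructed sample IIoT reading
    sig = sign(priv, ident, msg, tau)
    dc = DataClient(r_pub)
    return (check_ppk(ident, v_u, x_u, r_pub),
            not check_ppk(ident, (v_u + 1) % N, x_u, r_pub),
            dc.accept(pub, ident, msg, tau, sig),
            not verify(pub, ident, r_pub, b"temp=99.9C", tau, sig),
            not dc.accept(pub, ident, msg, tau, sig))


if __name__ == "__main__":
    print(demo())
```

The consistency of the check follows directly from the signing equation: δ · D = Q_DO · D + (V_DO + w) · Z · D = W_DO + Z · (V_DO · D + N), and V_DO · D expands via equation (1) to X_DO + L_DO · R. Swapping secp256k1 for a genus-2 curve only changes ec_add and ec_mul; the protocol logic is unaffected.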

Theorem A (Unforgeability).
A certificateless signature scheme has the property of unforgeability if it is impossible for adversaries A 1 and A 11 to undermine the sender's private key and produce a forged signature on data.
Proof. Initially, in the designed scheme, the sender generates a signature on the plaintext as δ = Q_DO + (V_DO + w) · Z. Over the public channel, the signature Φ = (N, δ) is forwarded to the receiver.
Case 1. If A_I tries to forge a digital signature, it needs to calculate w from δ = Q_DO + (V_DO + w) · Z, which in turn requires recovering w from N = w · D, where w is unknown and D is a divisor of the HECC. This is infeasible for A_I, since it amounts to solving the HCDLP. Hence the designed scheme meets the security requirement of unforgeability against an outside attacker.
Case 2. If A_I tries to forge a signature, it needs to calculate Q_DO from δ = Q_DO + (V_DO + w) · Z, which further requires recovering Q_DO from W_DO = Q_DO · D, where Q_DO is the secret value of the DO and D is a divisor of the HECC. Consequently, A_I would have to solve the HCDLP, which is not achievable. Hence the designed scheme meets the security requirement of unforgeability against an outside attacker in case two as well.
Case 3. In this case, if A_I tries to forge a digital signature, it needs to calculate V_DO
Case 1. If A_II tries to forge a digital signature, it needs to calculate w from δ = Q_DO + (V_DO + w) · Z, which in turn requires recovering w from N = w · D, where w is unknown and D is a divisor of the HECC. This is infeasible for A_II, since it amounts to solving the HCDLP. Hence the designed scheme meets the security requirement of unforgeability against an insider attacker.
Case 2. If A_II tries to forge a signature, it needs to calculate Q_DO from δ = Q_DO + (V_DO + w) · Z, which further requires recovering Q_DO from W_DO = Q_DO · D, where Q_DO is the secret value of the DO and D is a divisor of the HECC. Consequently, A_II would have to solve the HCDLP, which is not achievable. Hence the designed scheme meets the security requirement of unforgeability against an insider attacker in case two as well.

Theorem of Antireplay Attack.
A certificateless signature scheme is said to satisfy the antireplay security requirement if no adversary can capture old communication messages and resend them to the intended receiver.
Proof. In the proposed scheme, the data consumer (DC) first sends a request to the data owner (DO) with a fresh nonce τ. The DO then includes τ in the signature it computes. After that, the DO sends the signed message δ = Q_DO + (V_DO + w) · Z to the DC. The DC therefore checks the freshness of τ. □

Theorem of Man-in-the-Middle Attack.
A certificateless signature scheme is said to satisfy the security requirement against man-in-the-middle attack if no adversary can obtain the signature made by the DO.
Proof. If the adversary tries to obtain the signature, it first needs to calculate V_DO, w, and Q_DO from δ = Q_DO + (V_DO + w) · Z. However, Theorem 1 above has demonstrated that this is infeasible. Hence, we can claim that the designed scheme is safe against man-in-the-middle attack.

Performance Analysis
Here, we analyze the performance of the designed approach in contrast to Zhang et al. [34], Karati et al. [32], Rezaeibagha et al. [37], and Xiong et al. [36]. We also discuss the efficiency of the proposed scheme over the previous schemes in terms of computation cost and communication overhead.

Computational Cost.
For performance efficiency in terms of computation cost, we compared our proposed scheme with Zhang et al. [34], Karati et al. [32], Rezaeibagha et al. [37], and Xiong et al. [36]. The results of the comparison are given in Table 2.
The previous schemes utilized BPG and ECC, which are very expensive for a resource-limited environment. Therefore, we used HECC to reduce the computation cost for IIoT.
From [41,51], we took the timings of the major operations used in the comparative analysis of computation cost. According to [41,51], a single bilinear pairing (Bp) operation takes 14.90 ms, pairing-based point multiplication (pBM) takes 4.31 ms, scalar point multiplication (EppM) takes 0.97 ms, and modular exponentiation (ME) takes 1.25 ms. Similarly, a single hyperelliptic curve divisor multiplication (HEppM) takes 0.48 ms [52,53]. These timings were measured with the MIRACL library on the following platform: Intel Core i7-4510 CPU at 2.0 GHz, 8 GB RAM, and 64-bit Windows 7 [41].
Similarly, we also compare the designed scheme with the schemes of Zhang et al. [34], Karati et al. [32], Rezaeibagha et al. [37], and Xiong et al. [36] in terms of communication overhead. For this comparison, we take the variable sizes as 1024 bits for bilinear pairing, 160 bits for elliptic curves, and 80 bits for the hyperelliptic curve. The communication overhead of all the related schemes and the proposed scheme is given in Table 2.
The findings of the comparative analysis are shown in Table 3 and Figures 3 and 4. Furthermore, Tables 4 and 5 show a clear improvement in both communication overhead and computation cost.

Simulation Study (Appendix)
AVISPA [54], an industrial-grade security analysis tool, was used for security validation of the proposed scheme. The AVISPA output reports one of two states: SAFE if the scheme resists the modelled attacks, and otherwise UNSAFE (Figure 5). For GUI support, AVISPA is combined with SPAN, and the role-oriented High-Level Protocol Specification Language (HLPSL) is used for specifying a scheme. The HLPSL2IF translator compiles HLPSL into the intermediate format (IF) consumed by the backends [46,48].
These IF specifications serve as inputs to the backend checker, which can be the SAT-based model checker (SATMC), the on-the-fly model checker (OFMC), the tree-automata-based protocol analyzer (TA4SP), or the CL-based attack searcher (CL-AtSe). Each backend has distinct functionality, and the choice depends on the requirements of the cryptographic scheme under analysis [55]. DO and DC are the primary roles in the verification of the proposed scheme, and the results from CL-AtSe and OFMC indicate that the scheme is secure. The signature and verification code and the simulation results are presented in Figures 6-9.

Conclusion
This study presents an efficient scheme for IIoT using a certificateless signature based on the hyperelliptic curve cryptosystem (HECC). The presented approach is shown to be unforgeable against type I and type II attackers. The security of the proposed work is tested with the popular tool AVISPA. A comprehensive comparative analysis against relevant schemes has been given, which shows that our proposed scheme is better than them in terms of both communication and computation costs. Based on the above claims, we argue that the designed scheme is a strong option for resource-limited devices in terms of cost.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.