A Lightweight and Provable Secured Certificateless Signcryption Approach for Crowdsourced IIoT Applications

Abstract

Industrial Internet of Things (IIoT) is a new type of Internet of Things (IoT), which enables sensors to merge with several smart devices to monitor machine status, environment, and collect data from industrial devices. On the other hand, cloud computing provides a good platform for storing crowdsourced data of IIoT. Due to the semi-trusted nature of cloud computing and communication through open channels, the IIoT environment needs security services such as confidentiality and authenticity. One such solution is provided by the identity-based signcryption. Unfortunately, the identity-based signcryption approach suffers from the key escrow problem. Certificateless signcryption is the alternative of identity-based signcryption that can resolve the key escrow problem. Here, we propose a lightweight certificateless signcryption approach for crowdsourced IIoT applications with the intention of enhancing security and decreasing the computational cost and communication overhead. The security and efficiency of the proposed approach are based on the hyper elliptic curve cryptosystem. The hyper elliptic curve is the advance version of the elliptic curve having small parameters and key size of 80 bits as compared to the elliptic curve which has 160-bits key size. Further, we validate the security requirements of our approach through automated validation of Internet security protocols and applications (AVISPA) tool with the help of high level protocol specification language (HLPSL). Moreover, our lightweight and secured scheme will attract low resource devices and will become a perk in the environment of IIoT.

1. Introduction

Nowadays, the Internet of Things (IoT) is a growing technology, which not only enables conventional devices to communicate with each other, but also includes modern devices, e.g., sensors, mobile phones, smart camera, etc. Similarly, the merger of IoT with wireless sensor networks has increased the usage in our daily lives, for example, it is used in industrial automation, smart cities, smart transportation, smart homes, and health monitoring [1]. Among these, the Industrial Internet of Things (IIoT) is an emerging type of IoT, which provides smart factory systems for business and industries [2]. IIoT permits the sensors to merge with several smart devices to monitor machine status, environments, and collect data through industrial outturns. Further, IIoT uses the concept of crowdsourcing; it is the way toward the finishing tasks by requesting contributions from a vast gathering of individuals. Currently, crowdsourcing has turned out to be progressively predominant and is being utilized in a number of tasks such as open development and prediction, data collection, and labeling [3]. Furthermore, crowdsourcing empowers utilizing a substantial pool of workers, the nature of contributions that unequivocally relies on expert capacities and inspiration which varies from worker to worker. Specifically, since crowdsourcing experts are normally not specialists and since a few laborers probably won’t apply exertion, answers acquired might be wrong [4,5]. Thus, extending the accuracy and effectiveness of crowdsourcing is the basic zone of IIoT research [6,7]. To store such type of huge data in crowdsourced environment cloud computing plays an important role.

Cloud computing provides a suitable platform for IIoT i.e., to store data from a crowdsourced environment with cost efficiency [8]. This system enables the semi trusted cloud server in storing the data of crowdsourced IIoT devices. Further, the sensors integrate with different smart devices to collect data and measure the status of these devices during the industrial process and send it back to the cloud server by utilizing open networks. Due to the semi trusted cloud server and communications through an open network, the security requirements, for example, authenticity, confidentiality, integrity, unforgeability, and non-repudiation, must be ensured for IIoT data. To ensure these security services, one such solution is signature-then-encryption mechanism. This mechanism is not suitable for small IoT devices, because it generates the signature and encryption on a message in two different steps. So to improve the cost efficiency Zheng [9] coined a new type of security technique called signcryption. This method permits the originator of the message by combining the concept of signature and encryption in a single step. The method is also based on public key infrastructure (PKI). In PKI, the participant’s public key has some random number which belongs to some group, which does not provide participants with authenticity because group elements cannot offer the identity of the participants [10]. Therefore, to solve this problem the concept of a certificate authority (CA) is usedthat bounds the public key with certificates [11]. Public key infrastructure (PKI) has some deficiencies such as certificate distribution, storage, and manufacturing difficulties [12]. To improve these limitations, Shamir [13] was the first who introduced the concept of identity-based cryptography. The identity-based cryptography allows the participants to generate directly public keys from his/her identity like e-mail and a phone number without using a certificate authority (CA). The private keys for each participant are generated by the key generation center (KGC). The first identity-based signature was introduced by Shamir [13] while the first identity-based encryption scheme was contributed by Boneh and Fanklin [14]. Later on, to combine the functionality of identity-based signature and encryption into a single step, the concept of identity-based signcryption was introduced [15]. Identity-based signcryption schemes are suffering from the key escrow problem. To avoid the escrow problem of the key, Al-Riyami and Paterson [16] proposed a new type of cryptography called certificateless public key infrastructure. In certificateless public key infrastructure, the percipients’ full private key contains two parts: the first one is a partial private key which is created by the key generation center and the second one is a secret value which is made by the participants. The first certificateless signcryption was tossed by Barbosa and Farshim [17], which simultaneously fulfills the property of certificateless encryption and signature in a single step.

Normally, the security and efficiency of all the above discussed signcryption schemes are based on some computationally hard problems, for example, RSA, Bilinear pairing, and elliptic curve cryptosystems. The RSA [18,19] is based on a large factorization problem, which is huge and utilizes 1024 bits large key size, parameter, certificate size, and identity size [20]. This is not suitable for lower power IoT devices due to lack of processing resources. Further, bilinear pairing is 14.31 times worse than RSA [21], due to huge pairing and map-to-point function computation. To eliminate the deficiencies of RSA and bilinear pairing, a new type of cryptography called elliptic curve was introduced [22]. To build a new approach, elliptic curve cryptography utilizes fewer parameter sizes, public and private key size, identity, and certificate size, etc., further, the security hardiness and efficiency of the scheme based on 160-bit small keys, as compared to Bilinear pairing and RSA [23]. Still, the 160-bit key is not suitable and affordable for resource hungry IoT devices. A new type, the generalization of elliptic curve called hyper elliptic curve was proposed [24]. The hyper elliptic curve provides the same level security of elliptic curve, bilinear pairing, and RSA, using 80-bit key, identity and certificate size [25,26]. The hyper elliptic curve assumed to be a better choice for low power IoT devices.

1.1. Motivation and Contributions

Nowadays, IIoT is using the concept of crowdsourcing, which has become the hotest research topic in all over the world. On the other hand, cloud technology is most suitable for storing the huge data of the crowdsourced IIoT environment. Further, collecting data from IIoT devices through open channel needs secrecy and accessing data from cloud required authentication. Recently Karati et al. [8] proposed identity-based signcryption scheme for the crowdsourced IIoT applications. The proposed scheme efficiency and security is realized on a bilinear pairing. We investigate the following points in this paper.

• The scheme is using the concept of identity-based cryptosystem which suffers from the key escrow problem;
• Also, they used the mathematical concepts of bilinear pairing for the proposed scheme which needs huge computational power;
• Because of bilinear pairing, the scheme needs high bandwidth;
• The scheme does not fulfill the security property of resisting against a replay attack and forward secrecy;
• They did not validate the security requirement of their proposed scheme by utilizing the formal security validation tools like AVISPA, Scyther, etc.

Also, Karati et al. [27], proposed another scheme by using the concept of certificateless signature for the applications of crowdsourced IIoT. We found the following limitations in this scheme.

• The scheme has just provided the authentication of IIoT crowdsourced data;
• Also, they used the mathematical concepts of bilinear pairing for the proposed scheme which needs high computational power;
• Because of bilinear pairing, the scheme needs high bandwidth.
• The scheme does not fulfill the security property of resisting against replay attack, confidentiality, and forward secrecy;
• The authentication of the scheme is not validated through the formal security validation tools like AVISPA, Scyther, etc.

Moreover, we studied all the existing certificateless signcryption schemes. We found that these schemes are based on hard problems like elliptic curve, RSA, and bilinear pairing. Because of the heavy parameters and key sizes of these hard problems (elliptic curve, RSA, and bilinear pairing), the existing schemes are suffering from high computational cost and communication overhead. Also, all the existing certificatelesssigncryption schemes are not resisting against the replay attack and nor validated through the formal security validation tools like AVISPA, Scyther, etc. As we already discussed in the introduction section, the hyper elliptic curve is the new version of the elliptic curve which provides the same security level of elliptic curves, RSA, and bilinear pairing with low key size. So keeping in view the above discussion, to remove all the above limitations, we present a new scheme, called a lightweight and provable secured certificateless signcryption scheme for crowdsourced IIoT applications. We explain our contributions in the following steps.

• We design certificatelesssigncryption for crowdsourced IIoT based on the hyper elliptic curve;
• We remove the key escrow problem;
• We will showthe results for proving the efficiency in term of computational cost and communication overhead;
• Our scheme will provide security services such as confidentiality, anti-replay attack, integrity, authentication, sender authentication, message authentication, and unforgeability, respectively;
• We will validate our scheme security services through a well-known simulation tool AVISPA with the help of HLPSL language.

1.2. Outlines of Paper

The paper is organized such that Section 1 provides the introduction; Section 2 presents a comprehensive literature review; Section 3 provides the basic preliminaries of the hyper elliptic curve, and the basic notations used in the scheme; Section 4 shows the detail about the proposed model; Section 5 elaborates the generic model for certificatelesssigncryption; Section 6 provides the practical construction of the proposed scheme; Section 7 exhibits the correctness of the new scheme; Section 8 includes the detail discussion about the security properties of the new scheme; Section 9 discusses the computational cost; Section 10 illustrates the communication overhead details; Section 11 provides the final conclusion; and at the end, AVISPA code and simulation results are provided in the Appendix A.

2. Related Work

In modern communication systems, information security plays a vital role to secure critical data/information because people communicate through the public network. To secure critical data/information required to be hidden from illegal access (confidentiality), knowing about the message originator (authentication), protection from modification (integrity), and availability for a legal user when he/she requires [28]. Therefore, confidentiality can be ensured through encryption procedures, while the integrity and authenticity can be assured by using digital signature methods. In the old days before sending documents, the sender had to first sign the document and then encrypt it which is called the signature then encryption mechanism. But this method has some limitations such as it requires more machine cycles and more energy which affect the efficiency of the system.

To improve such deficiencies, Zheng [9] tossed a new scheme called signcryption that fulfills the task of signature and encryption in one step. The scheme is based on the public key infrastructure (PKI) and suffered from the deficiencies, for example, certificate distribution, storage, and manufacturing difficulties. Hence, to remove such deficiencies, Malone Lee [15] coined a new topic, by combining the capabilities of the identity-based signature and identity-based encryption into a single step, called identity-based signcryption. After the first identity-based signcryption scheme, a number of identity-based signcryption schemes were introduced in [29,30,31,32,33,34,35]. Hence, identity-based signcryption schemes are suffering from the key escrow problem.

Then, to avoid the escrow problem of the key, a certificateless signcryption was tossed by Barbosa and Farshim [17], which simultaneously fulfills the property of certificateless encryption and signature in a single step. After this scheme, another certificateless signcryption scheme [36] was contributed, but this scheme was based on the random oracle model. Hence, the random oracle model was not supposed to be used in a practical manner, therefore, to remove this shortcoming, the pioneer standard model-based certificateless signcryption was proposed by Liu et al. [37] in 2010. The limitation of this scheme is that Selvi etal. [38] show in their paper, this scheme cannot resist against a public key replacement attack. In the same year, by using the one-time Schnorr-based signature to the user’s public key, Jin et al. [39] give the improved version of the scheme proposed in [38]. After a year, in the Liu et al. scheme [40], Weng et al. [41] point out that the two malicious-but-passive KGCs attack. These attacks were managed in the improved scheme [40]. Also, in 2013, Miao et al. [42] pointed out the scheme [39] suffered from two types of public key replacement attacks. The attack one is same as [38] attack, the other one is a new kind of attack. After some time, there are two standard model-based certificateless signcryption schemes proposed by Xiong [43] and Cheng et al. [44], and up till now there are no flaws reported in these two schemes. In 2016, Abdul Wahida and Masahiro Mamb [45] contributed an elliptic curve-based certificateless signcryption and gave the implementations in Javascript. They gave comparisons with respect to computational and communication costs of the proposed and some existing schemes. They claimed from their comparisons that the newly presented scheme is better than existing schemes. A new standard model-based certificateless signcryption scheme was projected by Caixue et al [46]. They proved their scheme security requirements using the hard problem; a modified decisional bilinear Diffie–Hellman problem and unforgeability security requirement by assuming through a square computational Diffie–Hellman problem. Parvin Rastegari and Mehdi Berenjkoub [47] proposed another scheme called efficient certificatelesssigncryption based on the standard model. Their analysis shows that the presented scheme is more secure and efficient as compared to all the random oracle model-based certificatelesssigncryption schemes existing in the literature. In 2017, Yu And Yang [48] designed and analyzed a new certificateless signcryption scheme without bilinear pairing. The scheme security requirements are proven through the random oracle model. In addition, they claimed, the newly presented algorithm is more attractive for applications like an email system, online auction, and private contractual signature. Xi-Jun et al. [49] present the cryptanalysis of a pairing-free certificateless signcryption scheme [48]. They pointed out that their scheme could be totally broken since confidentiality and unforgeability are not captured. Zhou [50] proposed a new certificateless signcryption approach without using the concept of the random oracle model. The scheme security hardiness is based on bilinear pairing and security proofs realized on the standard model. Liling and Wancheng [51] proposed a new certificateless signcryption based on the efficiency and the hardiness of the elliptic curve cryptosystem. They claimed that the newly designed scheme is secured and needs a low computational cost due to elliptic curve low parameter and key size. Luo and Ma [52], proposed a certificatelesshybrid signcryption for to provide the best solutions forcloud storage.

3. Preliminary

The concept of the hyper elliptic curve was first introduced by N. Koblitz [53], which is the generalized form of elliptic curve [54]. Unlike the elliptic curve point, the points of the hyper elliptic curvecannot be derived from a group, it computes the additive Abelian group which is derived from the divisor. In contrast with elliptic curves, the hyper elliptic curve has acceptable constancy with a small base field size. According to the lower size of parameters, with the same security level of elliptic curves and RSA, the hyper elliptic curve is attractive in fewer hardware resource devices [55]. Let f be the ultimate field and suppose f^* is to be the algebraic closure of ultimate field f. Then the hyper elliptic curve H_ℇ of genus $𝒢$ where $𝒢$ > 1 over the ultimate field f which can be defined as H_ℇ: β² + $\mathscr{H}$(α)β = F(α), where (α, β) ∈ f* × f. Further, $\mathscr{H}$(α) ∈ f(α) is a polynomial and the degree of this is at most $𝒢$ and F(α) ∈ f(α)is the monic polynomial and have degree is 2$𝒢$ + 1. The divisor of the hyper elliptic curve is the pair of polynomials and can be represented by using the Mumford [56]. The most important factor of every cryptographic system is the discrete logarithm problem in some Abelian group. Suppose there is a randomly selected number 𝓍 from the Abelian group and computing 𝓍.$𝒟$ = $𝒟$ + $𝒟$ + $𝒟$ +………+ $𝒟$ is scalar multiplication of divisors. And it is said to be a hyper elliptic curve discrete logarithm problem because finding the random number 𝓍 from 𝓍.$𝒟$ = $𝒟$ + $𝒟$ + $𝒟$ +………+ $𝒟$ is infeasible. Also, the

Table 1. Notations used in the scheme.

No	Notation	Description
1	Hℇ	Hyper elliptic curve
2	$𝒟$	Divisor of hyper elliptic curve
3	$𝒢$	Means genus on a hyper elliptic curve
4	𝒽	Irreversible hash function
5	IDs	Identity of the IIoT data owner/ CLSR
6	IDr	Identity of the data consumer/ CLUR
7	$𝒴$s,$𝒴$r	The public keys of data owner/ CLSR and data consumer/ CLUR
8	𝘗s = ($𝒳$s,δs)	The private key pair of IIoT data owner/ CLSR
9	𝘗r = ($𝒳$r,δr)	The private key pair of data consumer/ CLUR
10	$n$	It is the largest prime number of Hℇ and $n$ = 280
11	Nc	It is the nonce
12	𝓂,$𝒞$	Represents the plaintext and cipher text
13	K	Shared secret key
14	EK, DK	Means encryption and decryption
15	S	Means digital signature
16	Ω	Means signcryption tuple

shows the symbols/notations used in the algorithm.

4. Proposed Model

Here, in Figure 1, we present our proposed model consisting of four entities calledthe network manager (NMR), crowdsourced IIoT, cloud server, and receiver, respectively. Note that, the NMR acts like a key generation center in the certificateless public key cryptosystem. When the process began, the crowdsourced IIoT and receiver gave their identities to the NMR and the NMR generates the partial private keys for both on the behalf of their identities. Further, the NMR is responsible for generating all the public parameters, the master secret, and public key and publishing the public parameters and master public key publicly. The crowdsourced IIoT is responsible for generating the certificateless signcryptionin IIoT plaintext, by using his private key and shared secret key and then sending this signcrypted text to the cloud. A cloud server is responsible for storing and processing of IIoT data for the users if required. If the receiver required the crowedsourced IIoT data, then it is obligatory for him to request first to the cloud for the signcrypted text. Then, the cloud gives this signcrypted text to the receiver, and the receiver performs the unsigncryption process by using his private key and the shared secret key.

5. Generic Model for Certificateless Signcryption

Our proposed scheme consists of six sub steps, namely, setup (STP), user key generation (UKG), set partial private key (SPPK), set private key (SPK), set private key (SPK), certificateless signcryption (CLSN), and CL-unsigncryption (CLUS), respectively.

5.1. Setup (STP)

This algorithm is executed by the network manager (NMR) which plays the role of key generation center, further, the NMR selects all the public parameters param (f*, f, Hℇ, 𝒽, α, β), master secret key mβ and master public key mσ. After selecting and generating the public parameters and keys, NMR will publish the master public key mσ and public parameters param (f*, f, Hℇ, 𝒽, α, β) publicly and keep secret the master secret key mβ.

5.2. User Key Generation (UKG)

This algorithm is run by each user with identity ID𝓊 for selecting the secret value $𝒳$𝓊 and computing a public key $𝒴$𝓊.

5.3. Set Partial Private Key (SPPK)

The NMR executed this algorithm, by taking each user’s identity ID𝓊 to produce a partial private key for every participant ($ℒ$u, δu). Later on, by using the safe channel NMR sends the partial private key = ($ℒ$u, δu) to each user.

5.4. Set Private Key (SPK)

This algorithm is executed by each user by taking input the received partial private key ($ℒ$u, δu) and identity ID𝓊 of each user to produce the private key ($𝒳$𝓊, δu) for each participant.

5.5. CertificatelessSigncryption (CLSN)

This algorithm is usually run by the IIoT data owner. It takes the private key pair 𝘗s = ($𝒳$s, δs) of Cl-Signrypter (CLSR)/ data owner, the identity IDs of CLSR and identity IDr of Cl-Un-Signcrypter (CLUR)/ data consumer, a plain text m, and the public key of CLUR $𝒴$r to produce the signcryption tuple Ω = ($𝒞$, S, H, $\mathrm{𝒵)}$.

5.6. CL-Unsigncryption (CLUS)

This algorithm is executed by the data consumer after getting the signcryption tuple Ω = ($𝒞$, S, H) from the data owner side. It takes input the signcryption tuple Ω = ($𝒞$, S, H, $\mathrm{𝒵)}$, the private key pair 𝘗r = ($𝒳$r, δr) and public key $𝒴$r of CLUR, the identity of CLUR IDr and IDs CLSR, and the public key $𝒴$s of CLSR for verification of signature and decryption of encrypted text

6. Proposed CertificatelessSigncryption

In this phase, we practically construct the certificateless signcryption for crowdsourced IIoT. The following steps explain the construction of our new scheme.

6.1. STP

The NMR, first of all, randomly picks their master secret key mβ from {1,2,3,…….,n − 1} and produces the master public key as: mσ = mβ. $𝒟$. Also, selects the public parameters param (f*, f, ℇ, 𝒽, α, β) and published a param (f*, f, Hℇ, 𝒽, α, β) and mσ publicly.

6.2. SPPK

The NMR first selects a random ru from {1,2,3,…., n − 1}, calculates $ℒ$u = ru. $𝒟$, then compute δu = ru + mβ (ID, $ℒ$u, $𝒴$𝓊), finally sends 𝜓 = ($ℒ$u, δu) to each user with identity IDu by using the secured channel.

6.3. UKG

Each user with identity ID𝓊 select randomly secret value $𝒳$𝓊 from {1,2,3,……., n−1}, further, compute the public key as: $𝒴$𝓊 = $𝒳$𝓊.$𝒟$.

6.4. SPK

In this phase, each user with identity IDu, after getting the partial private key from the NMR produces the private key 𝘗𝓊 = ($𝒳$𝓊, δu).

6.5. CLSN

In this phase, the CLSR takes his own private key pair 𝘗s = ($𝒳$s, δs), its own identity IDs, massage m, and the public key $𝒴$r and identity IDr of CLUR is an input and computes the signcryption tuple Ω = ($𝒞$, S, H, $\mathrm{𝒵)}$, after then, transmits it to the CL-Un-Signcrypter by using the insecure channel. For this purpose the CLSR first randomly picks a number 𝛶 from {1,2,3,……., n−1}, picks a fresh nonce Nc from {1,2,3,……., n−1}, calculates 𝛾 = $ℒ$r + mσ.(IDr,$ℒ$r,$𝒴$r), computes the hash value H = 𝒽(m, IDs, Nc), computes 𝒵 = 𝛶., generates a secret key for the encryption K = (𝛶. (𝛾 + ), 𝒵, IDr, $ℒ$r, $𝒴$r), produces the ciphertext $𝒞$ = EK(m, IDs, Nc), computes the digital signature S = $𝒳$s + H. ( 𝛶 + δs) mod n, and at the end sends the tuple Ω = ($𝒞$, S, H, $\mathrm{𝒵)}$ to the CL-Un-Signcrypter.

6.6. CLUS

This algorithm is executed by the receiver after getting the signcryption tuple Ω = ($𝒞$, S, H) from the CLSN side. It takes input the signcryption tuple Ω = ($𝒞$, S, H, $\mathrm{𝒵)}$, the private key 𝘗r =< $𝒳$r, δr>, and public key $𝒴$r of CLUR, identity of CLUR IDr and CLSR IDs, and the public key $𝒴$s of CLSR for the verification of digital signature and decryption of the signcrypted text. Thus, the CLUR first computes the secret key K = (𝒵. ($𝒳$r + δr ), 𝒵, IDr, $ℒ$r, $𝒴$r), recovers the plaintext from ciphertext (m, IDs, Nc ) = DK($𝒞$), compute β= $ℒ$s + mσ.(IDs, $ℒ$s, $𝒴$s ), and finally accepts the signcrypted text if S. $𝒟$ = β+ 𝒵.(m, IDs, Nc) + $𝒴$s. (m, IDs, Nc) is hold.

7. Correctness

The CLUR can recover the secret key easily if the following computations are successfully holding.

K = (𝒵. ($𝒳$r + δr ), 𝒵, IDr, $ℒ$r, $𝒴$r)

  K = (𝒵. ($𝒳$r + δr )) = (𝒵. ($𝒳$r + δr ))

  = (𝒵. ($𝒳$r + (rr + mβ (IDr,$ℒ$r, $𝒴$r) ))) where δr = rr + mβ (IDr, $ℒ$r, $𝒴$r)

  = (𝛶. $𝒟$. ($𝒳$r + (rr + mβ (IDr,$ℒ$r, $𝒴$r) ))) where 𝒵 = 𝛶. $𝒟$

  = (𝛶. ($𝒳$r.$𝒟$ + (rr.$𝒟$ + mβ.$𝒟$ (IDr,$ℒ$r, $𝒴$r))))

  = (𝛶. ($𝒴$r + ($ℒ$r+.(IDr, $ℒ$r, $𝒴$r)))) where $𝒴$r = $𝒳$r.$𝒟$$ℒ$r = rr. $𝒟$ and mσ = mβ.$𝒟$

  = (𝛶. ($𝒴$r + 𝛾)) where 𝛾 = $ℒ$r + mσ.(IDr,$ℒ$r,$𝒴$r)

  = K, hence proved.

Moreover, if the conflict occurs between CLSR and CLUR, then the key generation center resolves it by using the following computations.

S. $𝒟$ = β+ 𝒵.(m, IDs, Nc) + $𝒴$s. (m, IDs,Nc)

While δs.$𝒟$ = (rs + mβ (IDs,$ℒ$s, $𝒴$s)). $𝒟$

= (rs.$𝒟$ + mβ. $𝒟$ (IDs,$ℒ$s, $𝒴$s))

= ($ℒ$s +.(IDs, $ℒ$s, $𝒴$s)) where $ℒ$s = rs.$𝒟$ and mσ = mβ.$𝒟$

($ℒ$s +.(IDs, $ℒ$s, $𝒴$s))= β

Then,

S. $𝒟$ = (δs + H.(𝛶 + $𝒳$s)). $𝒟$

= (δs + (m, IDs,Nc).( 𝛶 + $𝒳$s)). $𝒟$ where H = (m, IDs, Nc)

= (δs +.(𝒽(m, IDs, Nc) + $𝒳$s.(𝒽(m, IDs, Nc))). $𝒟$

= (δs.$𝒟$+ 𝛶. $𝒟$ ((m, IDs,Nc) + $𝒳$s. $𝒟$ ((m, IDs,Nc))

= (β + ((m, IDs,Nc) + $𝒴$s (𝒽(m, IDs, Nc))) where δs. $𝒟$ = β, 𝛶. $𝒟$ = 𝒵, and $𝒳$s.$𝒟$ = $𝒴$s

= (β + 𝒵 ((m, IDs,Nc) + $𝒴$s (𝒽(m, IDs, Nc))) hence hold.

8. Security Analysis

This phase presents the security analysis of our designed approach. Our design scheme ensures the security requirements such as confidentiality, the resistance against replay attack, integrity, authenticity, and unforgeability.

8.1. Confidentiality

Our method ensures the requirements of confidentiality. In our method, if the intruder wants to steal the original contents of a message, then he must know about the secret key K. Thus, for knowing the secret key intruder must perform the following steps:

Step 1: Intruder easily gets the secret key K, if an intruder computes the Equation (1). For this, Intruder must need the secret random number 𝛶 from the Equation (2). Hence, getting $𝒱$ from the Equation (2), it is infeasible for the intruder and an equivalent is like solving the hyper elliptic curve discrete logarithm problem.

K = (𝛶 (𝛾 + $𝒴$),𝒵, IDr, $ℒ$r, $𝒴$r)

(1)

𝒵 = 𝛶. $𝒟$

(2)

Step 2: Intruder also gets easily the secret key K by computing Equation (3). Hence, computing Equation (3) intruder requires the private keys < $𝒳$r, δr > of CLSR from the Equations (4), (5) and (6). For this intruder must solve two hyper elliptic curve discrete logarithm problems which are infeasible.

K = (𝒵. ($𝒳$r + δr ), 𝒵, IDr, $ℒ$r, $𝒴$r)

(3)

$𝒴$r = $𝒳$r.$𝒟$

(4)

δr = rr + mβ (IDr, $ℒ$r, $𝒴$r)

(5)

$ℒ$r = rr.$𝒟$

(6)

8.2. Replay Attack

Our method resists against the security service of reply attack. In our scheme, if intruder wants to send the past messages to the CLUR, intruder generates and sends a tuple like Ω = ($𝒞$, S, H,) with fresh Nc to CLUR. Therefore, later the CLUR checks the validity of nonce Nc, if the nonce is fresh then the message is from the original sender otherwise not.

8.3. Integrity

Our designed mechanism enables the CLUR to verify that the ciphertext was modified or not at the time communication by using the Equation (7). If the intruder changes the ciphertext $𝒞$ to $𝒞$/, then the received plain text must be changed from 𝓂 to 𝓂/. Thus, our designed method meets the security service of integrity because the generated digital signature of 𝓂 is not the same as the digital signature of 𝓂/.

8.4. Authentication

In this section, we discuss two types of authentication, the first one is sender authentication and the second one is the message authentication.

(1) Sender Authentication

Our designed method meets the sender authentication security requirement. In our mechanism, the CLUR used the public key pair ($ℒ$s, $𝒴$s) and identity IDs of CLSR for verifying the originator of the message. The CLSR generates the digital signature by using their private key pair ($𝒳$s, δs). Thus, our designed method granted the security requirement of sender authentication.

(2) Message Authentication

In our scheme, before the delivery of the message to the CLUR, the CLSR generates a digital signature on it like S = $𝒳$s + H.(𝛶 + δs); by using the private key pair ($𝒳$s, δs) of CLSR. The CLUR can verify the message by using the received signature S, if the Equation (7) is held; it means that the message is coming from authentic CLSR.

S. $𝒟$ = β + 𝒵.(m, IDs, Nc) + $𝒴$s. (m, IDs, Nc)

(7)

8.5. Unforgeability

In our proposed mechanism, if the intruder tries to generate a valid signature, then he/she should first compute the Equation (8). For this, the intruder needs the private key pair ($𝒳$s, δs) of the CLSR. Therefore, to know about the private keys; an intruder should first compute the Equation (9) and (10). For Equation (9) Intruder has to solve the hyper elliptic curve discrete problem which is infeasible, while for (10) intruder needs the random rs from the Equation (11) which also leads to infeasibility. Hence our designed technique ensures the security service of unforgeability.

S = $𝒳$s + H.(𝛶 + δs)

(8)

$𝒴$s = $𝒳$s.$𝒟$

(9)

δs = rs + mβ (IDs, $ℒ$s, $𝒴$s)

(10)

$ℒ$s = rs.$𝒟$

(11)

9. Computational Cost

In this section we compare our approach with recently contributed certificateless signature for IIoT AIK [27], an identity-based signcryption scheme for IIoT ASGMPM [8], and the certificatelesssigncryption schemes such as PM [47], HB [48], ZC [50], LW [51], and LM [52] with respect to computational cost. We consider the major operations, for example, bilinear pairing operation (BP), exponential (EX), elliptic curve point multiplication (EM), and hyper elliptic curve divisor multiplication (HDM) in proposed scheme and those of ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52] for computational cost comparisons.

Table 2. Comparisons with respect to major operations.

Schemes	Signature/Signcryption	Verification/Un-Signcryption	Total
AIK [27]	2EX	2EPX + 1BP	4EX + 1BP
ASGMPM [8]	4EX	2EX + 2BP	6EX + 2BP
PM [47]	7EX + 2BP	1EX + 7BP	8EX + 9BP
HB [48]	5EX	5EX	10EX
ZC [50]	7EX + 1BP	5EX + 4BP	12EX + 5BP
LW [51]	7EM	5EM	12EM
LM [52]	4 EM	3 EM	7 EM
Proposed Scheme	4HDM	3HDM	7HDM

shows the consuming major operations of the proposed scheme and the existing schemes. We also provide comparisons of computational cost with respect to milliseconds (ms). For this purpose, we use the results of schemes [21,26] which shows the computational time in milliseconds of different cryptographic operations such as single BP consumes 14.31 ms, EX consumes 1.25 ms, EM consumes 0.97 ms, and HDM consumes 0.48 ms, respectively. For this experiment, the authors of the schemes [21,26], used the hardware resources, for example, 8 GB RAM, Intel Core i74510UCPU, and 2.0GHz processor. The software resources like window 7 and C++ with Multi-Precision Integer and Rational Arithmetic C Library (MIRACL). Further,

Table 3. Comparisons with respect to milliseconds (ms).

Schemes	Signature/Signcryption (ms)	Verification/ Un-Signcryption (ms)	Total (ms)
AIK [27]	3.94	18.25	22.19
ASGMPM [8]	7.88	32.56	40.44
PM [47]	42.59	102.14	144.73
HB [48]	9.85)	9.85	19.7
ZC [50]	28.1	67.09	95.19
LW [51]	6.79	4.85	11.64
LM [52]	3.88	2.91	6.79
Proposed Scheme	1.92	1.44	3.36

shows more clear comparisons shown in milliseconds (ms). Additionally, we use the reduction formula [57], for the reduction of the computational cost of the proposed and those of ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52], respectively. So for the reduction, we use the values of Table 3 and the following steps represent the clear reduction:

• The proposed scheme reduced at the computational time from AIK [27] is 4EX + 1BP − 7HDM/ 4EX + 1BP = 22.19 − 3.36/22.19 = 0.84*100 = 84.85%.
• The proposed scheme computational cost reduction From ASGMPM [8] is 6EX + 2BP − 7HDM/6EX + 2BP= 40.44 − 3.36/40.44 = 0.91*100 = 91.69%.
• The proposed scheme computational cost reduction from PM [47] is 8EX + 9BP − 7HDM/8EX + 9BP = 144.73 − 3.36/144.73 = 0.97*100 = 97%.
• The proposed scheme computational cost reduction from HB [48] is 10EX − 7HDM/10EX = 19.7 − 3.36/19.7 = 0.82*100 = 82.94%.
• The proposed scheme computational cost reduction from ZC [50] is 12EX + 5BP − 7HDM /12EX + 5BP = 95.19 − 3.36/95.19 = 0.96*100 = 96.47%.
• The proposed scheme computational cost reduction from LW [51] is 12EM − 7HDM /12EM = 11.64 − 3.36/11.64 = 0.71*100 = 71.13%.
• The proposed scheme computational cost reduction from LM [52] is 7EM − 7HDM /7EM = 6.79 − 3.36/6.79 = 0.50*100 = 50.51%.

10. Communication Overhead

Communication overhead means that how many extra bits will be sent along with the actual message. Bandwidth is an important part of the data communication channels. If the scheme needs fewer bits along with the message at the time of sending, it means the channel required low bandwidth. Here, we compare our proposed scheme with those ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52], with respect to communication overheads and shows that our scheme needs very little communication overhead. Our results based on [57,58], in which |G1| ≌ |G2| ≌ |G| ≌ 1024 bits for bilinear pairing, |P| ≌ 1024 bits for the discrete logarithm problem, |q| ≌ 160 bits for elliptic curve, |n| ≌ 80 bits for a hyper elliptic curve, and |𝓂| = 1024 bits, respectively. The following are the required communication overhead for ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52]:

• The communication overhead for AIK [27] is |𝓂| + 2|G| = 3072.
• The communication overhead for ASGMPM [8] is |𝓂| + 2|G1| + 2|G2| + |G| = 6144.
• The communication overhead for PM [47] is |𝓂| + 4|G1| + 1|G2| = 6144, for HB [48] is |𝓂| + 4|P| = 5120.
• The communication overhead for ZC [50] is |𝓂| + 3|G1| + 3|G2| = 7166.
• The communication overhead for LW [51] is |𝓂| + 2|q| = 1344, for LM [52] is |𝓂| + 2|q| = 1344.
• The communication overhead for the proposed scheme is |𝓂| + 3|n| = 1264.

Moreover, we conclude that the proposed scheme is better in the following steps:

• Our scheme is3072 − 1264/3072 = 58.85% efficient than AIK [27] in term of communication overhead.
• The proposed scheme is 6144 − 1264/6144 = 79.42% efficient than ASGMPM [8] and PM [47] in terms of communication overhead.
• Our scheme is also 5120 − 1264/5120 = 75.31% efficient than HB [48] concerning communication overhead.
• Our scheme is 7166 − 1264/7166 = 82.36% proficient than ZC [50] concerning communication overhead.
• Our scheme is 1344 − 1264/1264 = 5.95% efficient than LW [51] and LM [52] with respect to communication overhead.

11. Conclusions

This paper contributes, a lightweight and provable secured certificatelesssigncryption approach for the crowdsourced IIoT applications. The efficiency and security hardiness of the proposed approach is based on the hyper elliptic curve cryptography. The security requirements of the proposed approach are validated through the most famous tool, automated validation of Internet security protocols and applications (AVISPA). The proposed approach ensures the security services of resistance against replay attack, confidentiality, integrity, authentication (of sender and message), non-repudiation and unforgeability. Furthermore, our designed approach has reduced in computational cost from 71.13% to 97% and in communication overhead from 5.95% to 82.36%, compared to the existing approaches. Due to the cost efficiency and enhanced security, our approach is more attractive for low power devices of IIoT.

12. Future Work

In the future, we are planning to conduct a practical test to measure performance.