Secure D2D Communication for 5G IoT Network Based on Lightweight Cryptography

: Device-to-device (D2D) communication is a direct means of communication between devices without an intermediate node, and it helps to expand cell coverage and to increase radio frequency reuse in a 5G network. Moreover, D2D communication is a core technology of 5G vehicle-to-everything (V2X) communication, which is an essential technology for autonomous driving. However, typical D2D communication in an 4G network which is typical telecommunication network has various security challenges including impersonation, eavesdropping, privacy snifﬁng, free-riding attack, etc. Moreover, when IoT technology emerges with 5G networks in massive machine type communication (mMTC) and ultra-reliable low latency communication (URLLC) application scenarios, these security challenges are more crucial and harder to mitigate because of the resource-constrained nature of IoT devices. To solve the security challenges in a 5G IoT environment, we need a lightweight and secure D2D communication system that can provide secure authentication, data conﬁdentiality/integrity and anonymity. In this paper, we survey and analyze existing results about secure D2D communication systems in terms of their security considerations and limitations. Then, we lastly propose a secure D2D communication system to address the aforementioned security challenges and the limitations of the existing results. The proposed secure D2D communication was designed based on elliptic curve cryptography (ECC) and lightweight authenticated encryption with associated data (AEAD) ciphers to cover resource-constrained IoT devices.


Introduction
D2D communication is a peer-to-peer communication mechanism between devices without an intermediate node [1,2]. D2D communication has many advantages in mobile networks [3]. First, it can expand coverage of each cell in a cellular network as a communication bridge for transmitting data to the node located outside of cell coverage. Second, D2D communication helps to reduce the energy consumption of the base station by transmitting data directly between devices. Lastly, the efficiency of reusing the same radio frequency is increased. In D2D communication, the distance between devices is quite shorter than the distance between a device and a base station. This means the interference of radio frequency decrease in D2D communication scenario, and it helps to transmit the multiple data using the same radio frequency. Moreover, D2D communication is a core technology of V2X communication [4]. Due to these advantages, the 5G network also includes D2D communication technology such as the LTE-advanced (4G) network.
The remainder of this paper is organized as follows. Section 2 introduces related works where we surveyed D2D communication and analyzed security considerations for secure D2D communication.
In Section 3, we propose a secure D2D communication system for a 5G IoT network. In Section 4, we show the simulation results of our proposed D2D communication system. In Section 5, we analyze our proposed D2D communication system based on our security considerations and finally conclude in Section 6.

Typical Security Threats of D2D Communication
D2D communication involves three steps, device discovery, link setup and data transmission, to make a direct connection between devices. In the device discovery step, the device searches for nearby devices. Then devices that are discovered in the previous step make a connection for transmitting data in the link setup step. After a connection is established, the data is transmitted through a direct link in the data transmission step. However, if there are no proper security measures, the data can be vulnerable to some security threats by attackers. Typical security threats of D2D communication introduced in [5] are as follows: • Impersonation attack. In this attack the attacker acts like a legitimate user by using an identity such as an international mobile subscriber identity (IMSI). To prevent this attack proper authentication of users has to be considered. • Eavesdropping. This is a type of attack where the attacker passively listens to communication between users and thereby the attacker can capture the transmitted data and also can fabricate the data. To prevent this attack, data confidentiality and integrity have to be considered. • Privacy sniffing. D2D communication has to broadcast request messages to search for nearby devices. However, the attacker uses this feature to find and track the victim device. To mitigate this security threat, the devices have to use an anonymous identity, and it has to be authenticated. • Free riding attack. Selfish devices receive the desired data from other devices but do not share their resources because of energy consumption and because of this they reduce system availability.
To mitigate this attack, the user identity has to be authenticated and managed by a base station.

•
Location spoofing. In this attack a malicious device may broadcast a request message with wrong or artificial location information to disrupt D2D communication in the device discovery step.
To mitigate this attack, the request message has to be processed only from validated devices in D2D communication.

Security Considerations for a 5G IoT Network
In a 5G network, IoT applications correspond to mMTC and URLLC scenarios. For the security of D2D communication against threats, the D2D communication system has to provide security functions including authentication, data confidentiality/integrity and anonymity. However, IoT devices have limited resources in terms of performance, memory and power consumption. Therefore, the security functions must also provide efficiency, meaning that each security function has to be implemented lightly and run faster. The detailed description of security considerations are as follows: • Authentication. Authentication is a key requirement for securing D2D communication in the 5G IoT network. For most types of attacks, proper user authentication is the most basic and appropriate solution. Every network should be able to verify the identity of users in order to guarantee the security of the network.

•
Data confidentiality and Integrity. The data transmitted in the IoT network contains sensitive information, and due to a variety of attacks that can eavesdrop on or modify that information, confidentiality and integrity are a big concern. For providing this, we have to encrypt the transmitted data and use hash functions or message authentication algorithms.
• Anonymity. Anonymity refers to hiding the identity of origin and sensitive information such as location. Anonymity is a necessary security function to prevent attackers from targeting specific users for their purpose. In such cases, when anonymity is not provided, the attacker can choose a specific target for the attack. If you take the example of autonomous vehicles, the attacker may decide to attack a specific car. Therefore, anonymity should be considered extensively.

•
Efficiency. Efficiency is the communication system's ability to be implemented and to operate economically. This consideration is about availability, which means that authorized users can access the information at any time they request it. This consideration is especially critical when it comes to the IoT network because IoT devices have limited resources.

Existing Research
Mingsheng Cao et al. [11] proposed a secure lightweight D2D communication system with multiple sensors. Their proposed communication system is designed based on lightweight key generation and a distribution scheme by leveraging an acceleration sensor and secure near field authentication by using a device's microphone and speaker as sensors and for data transmission, which includes encryption/decryption by audio and RF channels. Adeel Abro et al. [12] proposed a lightweight authentication scheme based on elliptic ElGamal encryption, which is public key algorithm based on elliptic curve discrete logarithm problem (ECDLP). This paper presents an authentication scheme based on public key infrastructure (PKI) and uses a combination of ECC to select key pair and ElGamal encryption to exchange the secret key. Yasir Javed et al. [13] also proposed a lightweight security scheme based on ECC and ElGamal encryption over public key infrastructure. This paper uses ECC to create keys and ElGamal for encryption and decryption. Atefeh Mohseni-Ejiyeh et al. [14] proposed an incentive-aware lightweight secure data sharing scheme for D2D communication in 5G networks. In their proposed scheme, users obtain digital signatures to prove successful data sharing and, in the sharing process, the symmetric encryption algorithm and MAC are used. Haowen Tan et al. [15] proposed a D2D authenticating mechanism employing smartphone sensor behaviour analysis. Their authentication scheme is designed based on certificateless cryptography for group authentication and user's behavior analysis extracted from smartphone sensors is employed for continuous authentication. Sheeba Backia, Mary Baskaran et al. [16] proposed a lightweight key exchange mechanism for LTE-A assisted D2D communication that can be applied in 5G networks. Their mechanism is designed by using ECC-based symmetric keys. Yunqing Sun et al. [17] proposed privacy protection device discovery and an authentication mechanism for D2D using the identity-based prefix encryption and ECDH key agreement protocol. All of these studies can provide authentication and data confidentiality/integrity and most of them use ECC based cryptographic algorithms. However, they have some limitations in that some of the results cannot provide anonymity or the researches did not deeply consider the data transmission step of D2D communication. Moreover, most of the existing schemes use only lightweight public key algorithms not lightweight symmetric encryption algorithms. Table 1 shows a taxonomy of strategies of existing research in terms of the security functions provided (confidentiality/integrity, authentication, anonymity) and the steps considered (device discovery, link setup, data transmission). Since our proposed system uses ECC and lightweight AEAD cipher for covering our security considerations and all of the steps in D2D communication, it can improve the efficiency and security of D2D communication. Table 1. Taxonomy of strategies of existing secure device-to-device (D2D) communication.

Proposed D2D System Model
In this section, we propose a secure D2D communication mechanism for a 5G IoT network based on lightweight AEAD ciphers. The proposed secure D2D communication model is shown in Figure 1. Objects participating in D2D communication consist of 5G network components including user equipment (UE), general node-B (gNB), access and mobility management function (AMF)/security anchor function (SEAF) and user data management (UDM). UE is a device that is a mobile entity in a 5G network, and UE is an actual device that communicates with other devices directly in our system. gNB is a base station responsible for connecting UE to mobile networks. In our system, gNBs share their public key with other gNBs in advance and use their private key to generate D2D tokens (D2DTK gNB x ) via ECDSA. Moreover, AMF is responsible for the management of a mobile entity. SEAF is a middle entity of authentication between UE and a 5G network and is co-located with AMF. UDM stores information about mobile entities in a 5G network. A 5G network provides the authentication framework using 5G-AKA to verify the identity of the UE. 5G-AKA is used to authenticate the UE's validity before generating a D2D token for use in communication in the proposed secure D2D communication. It is corresponded to step 0 in the proposed D2D system, and this process is performed only once for each UE.
After generating a D2D token, the D2D communication process has three steps similar to a typical D2D communication system: Device discovery, link setup and secure data transmission. However, in each process, there are features for security such as anonymity, authentication and confidentiality/integrity. We will discuss the details of these features in Section 3.2. The brief descriptions of each process are as follows: • Device discovery is a process that searches for nearby nodes. In this step, nodes in a network broadcast a request message to discover other nodes. If a node receives a request message, it sends a response message to another node. The broadcast or response message in this process includes each UE's encrypted identity SUCI and the issued D2D token. • Link setup is a process for making a peer-to-peer connection between two nodes. During this process, each node sends a verification request to its base station, gNB, with the SUCI and D2D token of the target UE being received in the device discovery phase. After verification, ECDH is used to exchange secret keys for secure data transfer. • Secure data transmission is a process where data is transmitted. The main feature of this step is that the data is encrypted using a lightweight AEAD cipher before transmission. In the encryption process, the sender node uses its D2D token identity and context sequence, thereby the confidentiality and integrity of the data are ensured. Moreover, authentication is processed in every transmission.

Details of Communication Mechanism
This section deals with the detailed process for the proposed D2D communication system. As described in the system model, the proposed D2D communication system has four steps in total. These four steps may be classified into one pre-processing step performed before D2D communication and the remaining three steps in which actual D2D communication is performed. The pre-processing step is the D2D token generation step (corresponding to step 0), and the steps in which D2D communication is performed are device discovery, link setup and secure data transmission (corresponding to steps 1-3, respectively).
First, in the D2D token generation step, each UE sends a request to the gNB to generate a D2D token for later use in D2D communication. The gNB that receives the D2D token generation request first verifies the identity of the UE that sent the request. At this time, the identity of the UE verifies the SUCI, which is an encrypted identity that emerges for user privacy in a 5G network. Unlike IMSI, the identity of the UE used in existing 4G networks, the SUCI can provide anonymity for the UE as a result of encrypting the IMSI using a public key (PUK). The verification for SUCI is performed using 5G-AKA, an authentication framework for performing primary authentication of UE registration in 5G networks. The subject that performs the actual verification is AMF/SEAF, and the verification is performed by comparing the credentials obtained by decrypting SUCI with the user credentials stored in the UDM. When the SUCI verification is completed, the result is transmitted to the gNB, and accordingly the gNB generates a D2D token and transmits it to the requesting UE. The generation of the D2D token uses the digital signature value calculated by the ECDSA of the UE's SUCI using the gNB's private key (PRK). The issued D2D token may also give anonymity to the UE with a value generated through a cryptographic algorithm by using the identity of the UE like SUCI. The issued D2D token can be verified if the SUCI of the UE and the public key of the gNB are known (note that each gNB shares the public key we mentioned in the previous section). The D2D token generation procedure is shown in Figure 2. From now on, actual D2D communication performing steps will be described. The whole process of proposed D2D communication is shown in Figure 3.
Step 1 is device discovery, which is a process of searching for a nearby device with which to perform D2D communication. Here, each UE desiring D2D communication broadcasts a message requesting to perform D2D communication, and UEs in a state capable of D2D communication transmit a response message to the received D2D request message. Here, the broadcast message or response message includes the D2D token issued in step 0 and its SUCI. If a response message to the broadcasted request message is received, the process proceeds to the next step.
The second stage of D2D communication is the link setup to establish a communication session. In this step, prior to establishing a communication session, verification is performed on the D2D token exchanged through device discovery. The verification of the D2D token performed here is similar to the UE identity verification performed in the D2D token generation, but the authentication is performed in the gNB without connecting to the core network. The D2D token can be verified using the public key and SUCI of each gNB, which authenticates that the D2D token has been issued from the gNB by request by a pre-authenticated UE. When the verification of the D2D token is completed, the secret key exchange used in the encryption process of the data transmission step is performed according to the result. The exchanged secret key is a secret key derived from the secret keys of both UEs using ECDH. Therefore, even if the attacker taps the data transmitted in the middle of the key exchange, the secret key cannot be derived. Secure data transmission, the last step of the proposed D2D communication, performs data encryption communication. At this time, encryption uses a lightweight AEAD cipher. The lightweight AEAD cipher is a cryptographic algorithm that provides not only confidentiality but also integrity and authenticity. It encrypts the data to be transmitted and creates a MAC for authenticating data integrity. Moreover, in the encryption process, the AEAD cipher uses additional information about a communication session and the other party, called the associated data (AD), thereby the AEAD cipher provides authenticity, which means the message is transmitted from the right party at the right time. In the proposed D2D communication system, the AD consists of the D2D token and context sequence information and manages the sequence for each transmission. Upon receiving the cipher text using the AD configured as described above, the UE may check whether the other UE performing D2D communication has received data corresponding to the current situation along with authentication. The data format used in secure data transmission is shown in Figure 4. In this step, any lightweight AEAD cipher can be applied according to available resources. Table 2 shows available lightweight AEAD ciphers which are candidate cipher from NIST lightweight cryptography standardization (Round 2) [10].

Simulation Results
In this section, we conduct a simulation to evaluate the proposed D2D communication system in terms of performance and efficiency. The performance in this section shows the whole processing time of the proposed D2D communication process. Moreover, for evaluating the efficiency of the proposed D2D communication, we perform analysis of implementation cost of lightweight AEAD ciphers, and simulate energy consumption according to AEAD ciphers.
The proposed D2D communication includes cryptographic algorithms for providing our security considerations (authentication, data confidentiality/integrity, anonymity). In detail, the applied cryptographic algorithms are the digital signature, the Diffie-Hellman key exchange algorithm and the AEAD cipher. We suppose that the processing time of each cryptographic algorithm is as follows.
The processing time for signing of a digital signature t DS sign , the processing time for verification of a digital signature t DS ver , the processing time for key exchange t DH and the processing time for the AEAD cipher t AEAD . Then we suppose the transmission latency in D2D communication is l tr . Finally, we can estimate the total length of the D2D communication processing time t D2D through Equation (1).
For calculating the summation of each processing time, we analyze the proposed D2D communication in terms of the number of transmissions and the usage count of the cryptographic algorithm at each step. In D2D token generation (step 0), there are two transmissions, request and response, for a D2D token; this step also includes 5G-AKA for user identity authentication. The 5G-AKA have 10 transmissions between UEs, gNB, AMF and UDM. In terms of the usage of the cryptographic algorithm, the D2D token generation step uses ECDSA-signing to process token generation. Moreover, we assume that the 5G-AKA consists of ECDSA-signing and ECDSA verification because the 5G-AKA is based on the ECC certificate. In device discovery (step 1), the requested UE broadcasts the request message; this means that the number of transmissions for a request message equal the number of devices (m), which are located near the sender UE. Moreover, in this step, there is a transmission to response. In link setup (step 2), when two devices set the connection, there are transmissions, including two for token verification, two for response of verification and two for key exchange, and there are the usages of the cryptographic algorithm, including two for ECDSA verification and one for ECDH. Lastly, the secure data transmission (step 3) has transmissions according to the amount of data (n bytes), and we assumed that data are transmitted in packets and in units of 1460 bytes, which is a general maximum transmission unit (MTU) size. Moreover, the AEAD cipher is used twice (encryption/decryption) in this step. Then we can finally calculate the summation of processing time by multiplying each processing time by the number of transmissions or the usage count of the cryptographic algorithm. Table 3 shows the summary of processing time at each step of proposed D2D communication. Table 3. The summary of processing time of proposed D2D communication. Step

ECDSA-Sign ECDSA-Verify ECDH AEAD
Step 0 (2+10) * l tr (1+1) * t DS sign 1 * t DS ver -- Step 1 (m+1) * l tr ---- Step 2 (2+2+2) * l tr -2 * t DS ver 1 * t DH - Step 3 (n/1460) * l tr -- When we simulate Equation (1) using processing time in Table 3, we set each time parameter based on 5G network requirements and existing implementation results of the cryptographic algorithm. The 5G network requires a transmission latency of 1 ms [18]; accordingly, we set l tr as 0.001. Moreover, we set the processing time of the ECC-based algorithm based on the performance presented in [19] (t DS sign = 0.122, t DS ver = 0.458, t DS DH = 0.1672). In the case of t AEAD , we can calculate processing time by multiplying the throughput (Mbps) of the algorithm by the amount of data (n (Mb) = n (MB) * 8/10 6 ). For simulating various AEAD ciphers, we set the parameter following five AEAD ciphers (AES-GCM, ASCON, SpoC, Spook and GIFT-COFB) based on the performance results presented in [20]. Each case of t AEAD is as follows (power measured: 50 MHz): t AES−GCM = n (Mb)/31.2 (Mbps), t ASCON = n (Mb)/39.0 (Mbps), t SpoC = n (Mb)/28.8 (Mbps), t Spook = n (Mb)/88.3 (Mbps), t GIFT−COFB = n (Mb)/120.8 (Mbps). Figure 5 shows the simulation result of the proposed D2D communication. The AEAD ciphers used in the simulation consist of one general-purpose AEAD cipher (AES-AEAD) and four lightweight AEAD ciphers. Simulation results show that three lightweight AEAD ciphers (ASCON, Spook and GIFT-COFB) are faster than AES-GCM (optimized). In particular, GIFT-COFB shows about 18.71% faster performance than AES-GCM when transmitting 10 KB data. However, because 5G IoT networks have limited resources, good performance of cryptographic algorithms may not cover all of the 5G IoT devices. This means the cryptographic algorithm has to be implemented lightly and must consume a small amount of power. Table 4 shows the hardware implementation results of AEAD block ciphers [19]. Even though Spook is faster than AES-GCM (optimized), Spook has the highest implementation cost, as in the mentioned area for implementing a look-up tables (LUTs).  Figure 6 shows energy consumption by amount of data based on energy efficiency in Table 4. In terms of energy consumption, GIFT-COFB and ASCON consume less energy than AES-GCM (optimized), but SpoC and Spook consume more energy. Considering that both GIFT-COFB and ASCON show better performance than AES-GCM (optimized) in the performance simulation, when GIFT-COFB or ASCON is applied to the proposed D2D communication, both speed and energy efficiency of the proposed D2D communication are better than for AES-GCM (optimized)-based D2D communication.

Security Analysis
In this section, we perform security analysis of the proposed secure D2D communication system. As we mentioned before, secure D2D communication requires authentication, data confidentiality/integrity and anonymity. In addition, considering the resource-constrained nature of a 5G IoT network, it must be implemented lightly and must perform efficiently. We first discuss the proposed D2D communication system based on our security considerations. Moreover, we discuss security against typical threats of D2D communication.

Analysis Based on Security Considerations
• Authentication: The proposed D2D communication system performs primary authentication using 5G-AKA, which is an authentication framework provided by 5G, to perform authentication for a UE before issuing a D2D token. Moreover, the issued token can perform secondary authentication through verification of the process of creating a link of D2D communication through the gNB's public key and SUCI. Finally, in the data transmission step, the token is used as an AD to authenticate the other party for each transmission of data. In this way, authentication of the UE is performed in all processes of data communication before issuing a token for D2D communication so that more secure communication can be performed.

•
Data confidentiality and integrity: The proposed D2D communication system generates D2D communication using SUCI, which is the encrypted UE identity, and the secret key of the gNB during the D2D generation process. In this process, there is no case where the identity of the unencrypted UE is transmitted. In addition, in the step of actual data transmition after creating a D2D link, encryption is performed using a lightweight AEAD cipher. AEAD cryptography can provide integrity and authentication as well as data confidentiality. Therefore, the proposed D2D communication system can guarantee the confidentiality/integrity of the identity and communication data of the UE. • Anonymity: In 5G networks, SUCI is an encrypted identity for UE anonymity, which provides anonymity for the UE itself. Moreover, the D2D token used in the proposed D2D communication is a value obtained by signing SUCI with the private key of the gNB, which also provides anonymity by not being able to recognize the identity of the UE directly.
• Efficiency: Both the authentication process and the data encryption process used in the proposed D2D communication system are based on lightweight cryptography. The lightweight ciphers used in this paper are the ECC-based public key cryptosystem and the lightweight AEAD cipher. The ECC-based public key cryptosystem uses a 256-bit key and operates faster than RSA, which uses a 1024-bit key. Moreover, the lightweight AEAD cipher is designed to be efficiently implemented in a resource-constrained environment such as in IoT and provides data confidentiality/integrity and authentication.

Security against Typical Threats
• Impersonation attack. In D2D the token generation step, each UE is issued a D2D token, which is signed by the gNB. When gNBs generate the token, they authenticate the validity of the UE by comparing the identity of the UE in UDM. After this authentication process, gNBs complete the generation of D2D tokens by using their private key. Because of this procedure, the attacker cannot impersonate other UE.

•
Eavesdropping. In a secure data transmission step, every instance of data transmission is protected by the lightweight AEAD cipher. In the AEAD encryption process, UE uses its D2D token and context sequence as associated data. Using this associated data, MAC is generated, and thereby UE can check the integrity of the message and the validity of the sender UE. For these reasons, the attacker cannot eavesdrop and cannot fabricate a message. • Privacy sniffing. The proposed D2D communication system uses the D2D token, which is generated based on SUCI of UE and digital signature of gNB using ECDSA. The D2D token can provide anonymity as a cryptographic identity. For this reason, the attacker cannot recognize the original identity of the UE.

•
Free riding attack and location spoofing. When the D2D token is generated by gNB, the validity of the UE is authenticated. This means that each instance of validating a UE is managed by gNB. The D2D token is authenticated in the link setup step in the proposed D2D communication system, and the data transmission is protected by AEAD encryption using a D2D token. Therefore, if a free-riding attack or location spoofing occurs in D2D communication, gNB can handle these situations by eliminating malicious UE.

Conclusions
In this paper, we propose a secure D2D communication system in a 5G IoT environment. The proposed D2D communication is designed based on an ECC-based public key cryptosystem and a lightweight AEAD cipher for efficiency in 5G use cases corresponding to IoT scenarios, mMTC and URLLC. Before the D2D communication is performed, the UE identity is verified based on the 5G-AKA provided by the 5G network, and then a token is used as the ECDSA for the D2D communication. The generated token could authenticate the legitimacy of the corresponding UE identity in the link setup process after device discovery. This can be done without connecting to the core network. In addition, by performing the encrypted communication through the lightweight AEAD cipher using the token as the associated data in the secure data communication step, the confidentiality/integrity of the data and authentication of the UE can be performed in each data transmission step. This approach can provide higher performance and energy efficiency than a general-purpose AEAD cipher-based communication system, and can also provide security against security threats such as impersonation, eavesdropping, privacy sniffing, free-riding and location spoofing.