Improved Attribute-Based Encryption Using Chaos Synchronization and Its Application to MQTT Security

: In recent years, Internet of Things (IoT) has developed rapidly and been widely used in industry, agriculture, e-health, smart cities, and families. As the total amount of data transmission will increase dramatically, security will become a very important issue in data communication in the IoT. There are many communication protocols for Device to Device (D2D) or Machine to Machine (M2M) in IoT. One of them is Message Queuing Telemetry Transport (MQTT), which is quite prevalent and easy to use. MQTT is designed for resource-constrained devices, so its security is not as strong as other communication protocols. To enhance MQTT security, it needs an additional function to overcome its weakness. However, considering the limited computational abilities of resource-constrained devices, they cannot use too powerful or complicated cryptographic algorithms. Therefore, this paper proposes novel improved attribute-based encryption (ABE) integrated with chaos synchronization to enhance the MQTT security. Finally, a small size of IoT is implemented to simulate resource-constrained devices equipped with a human–machine interface and monitoring software to show and verify the performance of MQTT communication with this improved ABE algorithm.


Introduction
In recent years, Internet of Things (IoT) technology has flourished, which has led to the development of many peripheral and emerging markets. The IoT is a physical object which contains embedded wireless devices and sensors, and sends its data to the processing platform through internet communication technologies. Therefore, IoT has a wide range of applications in various fields. For resource-constrained devices in IoT, Message Queuing Telemetry Transport (MQTT) is a lightweight publish/subscribe communication protocol, and is quite prevalent and easy to use. For example, the MQTT protocol has been applied in a structural monitoring scenario [1] and a long-term energy monitoring system [2]. In the IoT application, each information processing platform can be connected to another one to form a huge network. Obviously, most IoT data is opened and stored on the Internet or in IoT devices, so many new security and privacy issues have been derived [3]. Taking smart meters, for example, the hacker can know when you will be at home and what devices you have used. Therefore, for these resource-constrained devices, the absence of security or weak security mechanisms will cause an unpredictable crisis, and the use of these devices will then be limited in some aspects. However, considering the limited computational abilities of resource-constrained

Elliptic Curve Cryptography
In 1985, Koblitz and Miller first proposed the new cryptographic algorithm of elliptic curve cryptography, called ECC. The elliptic curve-E p (a, b)-is defined by the equation below: where p is the prime value. Because of the advantage of ECC, which has a shorter key length and faster calculation speed compared with RSA algorithm [14], as solving the elliptic curve discrete logarithm problem (ECDLP) is more difficult than factoring an integer, the application of it has become a very popular research topic in cryptography. To be specific, the elliptic curve must be a cyclic group over a finite field GF(p), given a base point g called a generator with order r, and given Q = tg, t ∈ Z r . It is tough to find an integer t with g and Q. ECC can be generally divided into the four steps below.
(1) Set up The plain text is first mapped to a point M on the elliptic curve, and A and B then agree on the same elliptic curve E p (a, b) with a generator g.
(2) Key generation A selects an integer t a ∈ Z r as its private key and computes g a = t a g as the corresponding public key. B also selects an integer t b ∈ Z r as its private key and computes g b = t b g as the corresponding public key.
(3) Encryption A randomly selects an integer k ∈ Z r and computes C 1 = kg and C 2 = M + kg b , and then transmits both to B.

(4) Decryption
After B receives C 1 and C 2 , B then computes C 2 − t b C 1 to get point M. Finally, M can be mapped back to the original plain text.
Besides, ECC can define bilinear pairing such as Weil pairing and Tate pairing, which has been widely used in Identity-Based Encryption (IBE) [15] and ABE.

Attribute-Based Encryption
When it comes to ABE, it has an access structure and Linear Secret Sharing Schemes (LSSS) [16]. The access structure stipulates who the eligible users are, and what the corresponding attributes should be. LSSS is an expressive monotone access structure used to generate the matrix of access structure for mathematical calculation. Because we designed it for resource-constrained devices with MQTT, we made use of the characteristics with topic names like in [6]. Figure 1 shows the access structure. We used MQTT topic names such as User1, WiFiDevice, Led, Temp, and Humidity.
When it comes to ABE, it has an access structure and Linear Secret Sharing Schemes ( LSSS ) [16]. The access structure stipulates who the eligible users are, and what the corresponding attributes should be. LSSS is an expressive monotone access structure used to generate the matrix of access structure for mathematical calculation. Because we designed it for resource-constrained devices with MQTT, we made use of the characteristics with topic names like in [6]. Figure 1 shows the access structure. We used MQTT topic names such as User1, WiFiDevice, Led, Temp, and Humidity. The Boolean formula of it is defined as User1 ⋀ WiFiDevice ⋀ (Led ⋁ Temp ⋁ Humidity).
The Boolean formula of it is defined as As long as the access structure is constructed by the data owner, it can be transformed to an LSSS matrix according to the method. Our matrix was generated as below: Each row of N is associated with the attributes User1, WiFiDevice, Led, Temp, and Humidity, respectively. Given an attribute set S, the LSSS is said to be satisfied by S only if the rows of the N labeled by the attributes in S include the vector (1, 0, 0) in their span.
The research presented in [11] is different from the other ABE algorithm, as its LSSS matrix has no polynomials, which can reduce some computation. Second, replacing the bilinear map with simple scalar multiplication by ECC also reduces some computation.
PF-CP-ABE generally consists of four parts: Set up, Key generation, Encryption, and Decryption [13]. In Set up, the authority selects its main public keys and private key, and everyone should agree on the same elliptic curve. Key generation is employed to generate a key of every attribute for each user and store them in a corresponding user list. In the Encryption part, the plain text is ciphered by an access structure and corresponding attributes. Then, in the Decryption part, the data user should ask the authority to verify the attributes they possess, and requires a result to correctly calculate the secret number and then map the ciphertext back to the plain text. The algorithm will be described in detail in Section 3.

Chaos Synchronization
In order to reduce the time required for the transmission of certification data and maintain its security of PF-CP-ABE, we propose Chaos Synchronization Attribute-Based Encryption (CS-ABE). As is well-known, the chaos system is a complex nonlinear system and possesses properties such as a broadband noise-like waveform, and is sensitive to initial values like a butterfly effect, etc. The state response does not converge and does not diverge and is limited to strange attractors with a random-like characteristic. These properties offer some advantages for applications in secure communication. Since the concept of the master-slave system emerged and research on the synchronization controller of the chaos system was launched [17], there has been extensive research on it. There are many different design methodologies for synchronization controllers, such as the sliding mode controller [18], adaptive controller [19], etc., but most of them applied in secure communication are analog chaos systems. In this study, since we dealt with digital information, it was necessary to transform it to a discrete chaos system so that we could discuss and implement a relevant control method, and then apply it to the design of our CS-ABE algorithm.
There are many types of continuous chaos systems, the most well-known of which is the Lorentz system. This paper uses the Lorenz equation and its dynamics can be described as follows: In consequence, in this paper, we will describe the approach for transforming a continuous system model to a discrete system one. The dynamic equation of the continuous system can be described as follows: .
where g(x(t)) ∈ R n is a nonlinear vector. B ∈ R n×m , A, and B are controllable, so the optimal discrete time system can be matched with System (5) as follows: where 20], and T is the sampling time. We can rearrange (5) with a matrix representation satisfying (6): .
According to (7), by selecting the sampling time T = 0.0001s, a = 10, b = 8 3 , and c = 28, we get the discrete system of (5) as The simulation of the discrete chaos system (9) is shown in Figure 2. From this, we can identify some characteristics, such as strange attractors and the unpredictability of its random-like signal. [20], and T is the sampling time. We can rearrange (5) with a matrix representation satisfying (6): According to (7), by selecting the sampling time = 0.0001 , = 10, = , and = 28, we get the discrete system of (5) as The simulation of the discrete chaos system (9) is shown in Figure 2. From this, we can identify some characteristics, such as strange attractors and the unpredictability of its random-like signal. For secure communication application, a synchronization controller is needed to synchronize master and slave chaos systems. When both systems are synchronized with each other, they can be applied to our cryptographic algorithm. We used a sliding mode controller, because it has a better robustness and fewer control parameters, to ensure the synchronization. Similar to [21], master and For secure communication application, a synchronization controller is needed to synchronize master and slave chaos systems. When both systems are synchronized with each other, they can be applied to our cryptographic algorithm. We used a sliding mode controller, because it has a better robustness and fewer control parameters, to ensure the synchronization. Similar to [21], master and slave systems were designed as follows: where x 1m , x 2m , and x 3m are state variables of the master system (10); x 1s , x 2s , and x 3s are state variables of slave system (11); and u is the proposed controller. To synchronize both systems, error functions are defined as e i = x is − x im , i = 1, 2, 3. If e i can converge to zero, it means that the master and slave systems can be synchronized. To achieve synchronization, we used a sliding mode controller to ensure that the system reached the switching function we designed and the switching function in the sliding manifold ensured that e i could converge to zero, thus achieving synchronization. The switching function for the sliding mode control was selected as follows: If the system smoothly goes into sliding mode with u, in other words, s(k) = 0, then e 2 (k) = −ce 1 (k). Applied to the error equation of the master-slave system, we have When the parameter c is selected to satisfy |0.99 − 0.01c| < 1, e 1 will converge to zero. Due to system sliding, s(k) = 0, so e 2 will also converge to zero. Eventually, e 3 becomes e 3 (k + 1) = 0.997e 3 (k), and will also converge to zero. In this moment, two systems achieve synchronization. In order to let the error function in sliding mode, we used a similar design in [21] for the controller u(k), given as follows: where 0 < α < 1, and Computing If 0 < α < 1, (16) will be transposed to s(k + 1) = (1 − α)s(k), and s(k) will converge to zero. It is obvious that the parameter α is relative to the convergence speed of the switching function s(k). To test the synchronization control design, the initial condition and parameters were selected as The result is presented in Figure 3, showing that e 1 and e 2 converge quickly, and e 3 needs some time to converge.

Chaos Synchronization Attribution-Based Encryption Scheme
In this section, we give the detailed algorithm of our brand-new system, which combines PF-CP-ABE with chaos synchronization. The synchronization characteristic in PF-CP-ABE is utilized to give another approach to get the secret number. Although PF-CP-ABE greatly reduces the complexity and computation of CP-ABE, if there are a lot of data and they keep being sent, the users should also employ the algorithm every time when receiving the data. This is quite ineffective, so we applied another algorithm to improve it. Due to it combining the concept of ABE with synchronization

Chaos Synchronization Attribution-Based Encryption Scheme
In this section, we give the detailed algorithm of our brand-new system, which combines PF-CP-ABE with chaos synchronization. The synchronization characteristic in PF-CP-ABE is utilized to give another approach to get the secret number. Although PF-CP-ABE greatly reduces the complexity and computation of CP-ABE, if there are a lot of data and they keep being sent, the users should also employ the algorithm every time when receiving the data. This is quite ineffective, so we applied another algorithm to improve it. Due to it combining the concept of ABE with synchronization characteristics of the chaos system, we have given it the name Chaos Synchronization Attribute-Based Encryption (CS-ABE), which can be divided into four parts, as shown below. Set up.
An elliptic curve E p (a, b) over a finite field GF(p) of order r with generator g is agreed upon. The point g generates a cyclic subgroup in E p (a, b). In addition, a hash function {0, 1} * → Z * r is defined to map every user's ID to Z r , and every user's ID is unique, which means H(ID) user1 H(ID) user2 .
The trust authority, which can be a broker, randomly selects an integer t ∈ Z r as the authority's main private key and then computes tg to be the main public key. At the same time, the authority randomly selects an integer k i ∈ Z r for every attribute i and computes PK i = k i g to be its public key.
Appl. Sci. 2019, 9, 4454 8 of 13 (2) Encryption The plain text is first mapped to a point M on the elliptic curve E p (a, b). State variables of the chaos system are selected to generate an integer s ∈ Z r called a secret number, and then compute The encryption algorithm is associated with an access structure and does not need any polynomials. The data owner defines the access structure and transforms it to an n × l LSSS matrix, and then randomly selects a vector v ∈ Z l r with s as its first entry and lets λ x denote N x ·v, where N x is row x of N. They also randomly select a vector u ∈ Z l r with 0 as its first entry and let ω x denote N x ·u. The ciphertext would be (3) Decryption The user transmits their ID and (C 2,x , ρ(x)) to the authority, and lets the authority verify its identity. If the authority confirms that the user is valid, it secretly sends back a result according to each (C 2,x , ρ(x)). The result is computed as below: With the above result, the user can then compute Then, an integer c x ∈ Z r is selected such that x c x N x = (1, 0, 0, . . . , 0) and computes The secret number s is generated from the state variable of the chaos master system, and compared with the state variable of the chaos slave system, such as x 1s , x 2s , or x 3s . If the chaos system does not achieve synchronization, the ciphertext is processed by the above, and the synchronization controller still works. Then, if the chaos system does synchronize, the ciphertext will no longer require the above algorithm, and it can be done by itself, using the same state variable to generate s.
Finally, the user can compute the formula below to get point M and map it back to the plain text on the same elliptic curve.

Implementation Results
There are four elements in MQTT message transmission, which are the publisher, subscriber, broker, and topic. To simulate resource-constrained devices, we used ESP8266 (ESP-01 and ESP-12F) to act as a publisher and subscriber, respectively, as shown in Figure 4, and raspberry pi 3 to act as the broker, which can also be the authority too. The entire system architecture is shown in Figure 5. ESP-12F and ESP-01 are two wireless IoT devices, and both are equipped with MQTT protocol, a chaos system, and PF-CP-ABE. All the messages are transmitted in an MQTT format, and are passed through the network to everyone. ESP-01 is the data owner (publisher), and it possesses a chaos master system. It needs to transmit all the parameters of chaos synchronization and attributes them to ESP-12F, which possesses a chaos slave system. ESP-01 with a temperature sensor will keep publishing ciphertext of the temperature, and ESP-12F will subscribe, decrypt, and show it on the displayer. There are some simulation situations where, if the temperature is too high, the alarm led will be lit up, and the switch on ESP-12F will act as a remote controller. All the values and states of devices will be published, and will be analyzed by an open source utility MQTT-SPY, monitoring software on a computer, and the MQTT tool, an IOS application on a cell phone.
ESP-12F and ESP-01 are two wireless IoT devices, and both are equipped with MQTT protocol, a chaos system, and PF-CP-ABE. All the messages are transmitted in an MQTT format, and are passed through the network to everyone. ESP-01 is the data owner (publisher), and it possesses a chaos master system. It needs to transmit all the parameters of chaos synchronization and attributes them to ESP-12F, which possesses a chaos slave system. ESP-01 with a temperature sensor will keep publishing ciphertext of the temperature, and ESP-12F will subscribe, decrypt, and show it on the displayer. There are some simulation situations where, if the temperature is too high, the alarm led will be lit up, and the switch on ESP-12F will act as a remote controller. All the values and states of devices will be published, and will be analyzed by an open source utility MQTT-SPY, monitoring software on a computer, and the MQTT tool, an IOS application on a cell phone.  The encryption and decryption of the CS-ABE flow chart are shown in Figures 6 and 7, respectively, where the state variable of the master system also encrypted like , = + , and is one of the parameters of the synchronization controller. At first, before chaos synchronization, both ESP-01 and ESP-12F establish the same elliptic curve and chaos system. The data owner, ESP-01, sets an access structure and generates from its master system, and then publishes all parameters of attributes and synchronization. On the other side, ESP-12F subscribes it and sends its identity to the authority to request a valid result. After the identity is validated and the result is received, ESP-12F can calculate all the values to get the plain text of the temperature, and the synchronization controller still works. After both master and slave systems are synchronized, ESP-01 will stop publishing the parameters of attributes and only publish those of chaos synchronization, as shown in Figure 8. When ESP-12F receives them, it can generate from its slave system to decrypt the ciphertext.  The encryption and decryption of the CS-ABE flow chart are shown in Figures 6 and 7, respectively, where the state variable of the master system also encrypted like M, x s = x 1m + sg, and u m is one of the parameters of the synchronization controller. At first, before chaos synchronization, both ESP-01 and ESP-12F establish the same elliptic curve and chaos system. The data owner, ESP-01, sets an access structure and generates s from its master system, and then publishes all parameters of attributes and synchronization. On the other side, ESP-12F subscribes it and sends its identity to the authority to request a valid result. After the identity is validated and the result is received, ESP-12F can calculate all the values to get the plain text of the temperature, and the synchronization controller still works. After both master and slave systems are synchronized, ESP-01 will stop publishing the parameters of attributes and only publish those of chaos synchronization, as shown in Figure 8. When ESP-12F receives them, it can generate s from its slave system to decrypt the ciphertext.
12F can calculate all the values to get the plain text of the temperature, and the synchronization controller still works. After both master and slave systems are synchronized, ESP-01 will stop publishing the parameters of attributes and only publish those of chaos synchronization, as shown in Figure 8. When ESP-12F receives them, it can generate from its slave system to decrypt the ciphertext.   From the analysis of MQTT-SPY, we recorded 80 data for the original temperature and the secret number in the master and slave system, respectively. Then, we used the plot tool in Matlab to produce a graph, shown in Figure 8. The upper line is the temperature sensed on ESP-01, and the lower two lines are the secret number of both the master and slave system used to check that they are the same. From this, we can find out that the secret number is different at the beginning, because The plain text  From the analysis of MQTT-SPY, we recorded 80 data for the original temperature and the secret number in the master and slave system, respectively. Then, we used the plot tool in Matlab to produce a graph, shown in Figure 8. The upper line is the temperature sensed on ESP-01, and the lower two lines are the secret number of both the master and slave system used to check that they are the same. From this, we can find out that the secret number is different at the beginning, because chaos systems are not synchronized, and the secret number is solved by the PF-CP-ABE algorithm. After synchronization, the two randomly secret numbers become consistent, which means that the The plain text From the analysis of MQTT-SPY, we recorded 80 data for the original temperature and the secret number s in the master and slave system, respectively. Then, we used the plot tool in Matlab to produce a graph, shown in Figure 8. The upper line is the temperature sensed on ESP-01, and the lower two lines are the secret number s of both the master and slave system used to check that they are the same. From this, we can find out that the secret number is different at the beginning, because chaos systems are not synchronized, and the secret number is solved by the PF-CP-ABE algorithm. After synchronization, the two randomly secret numbers become consistent, which means that the CS-ABE we proposed does work.

Data Security
Under the characteristics of ABE, if the user (subscriber) does not meet the attributes set by the data owner (publisher), the user cannot obtain the corresponding private keys. The user meets the conditions and transmits the attribute data to the authority, and the authority then calculates the result related to the data user sent back. After receiving it, the user can correctly resolve the secret number. The plain text is ciphered by the secret number on the elliptic curve, and the secret number is generated by the random chaos signal. It is hard to find out any information in the ciphertext. With LSSS, if you want to get the correct secret number, you must meet the attributes to calculate it. Based on the characteristics of elliptic curves, the difficulty of ECDLP is a well-known problem. Finally, after chaos synchronization, the information about the attributes will not be transmitted and will only be about the synchronization parameters of the chaos system. Due to the chaos system, which is sensitive to initial values, if there is not the same chaos system, the signal will diverge. Then, the eavesdropper cannot get the correct secret number. Therefore, the entire transmitted data is encrypted by it, and it is extremely difficult to identify the plain text.

Computation
By using chaos synchronization, instead of PF-CP-ABE, to obtain the secret number, the computation can be further reduced. The original encryption means that the user takes their private keys of each attribute, and the secret number can be further calculated. On the contrary, if both Lorenz systems synchronize, the secret number can be generated. Excluding external factors, a comparison of the encryption and decryption times is shown in Figure 9. The horizontal axis is the number of attributes, and the vertical axis is the time (ms). Our system, CS-ABE, could be divided into non-synchronization (Non-syn CS-ABE) and synchronization (Syn CS-ABE). Obviously, the greater the number of attributes, the more time is needed for encryption and decryption. However, for the chaos system, the encryption and decryption times are the same, no matter how great the attributes are. If we use a higher order elliptic curve or a more complex computing technique, both the encryption and decryption times will be even longer. Therefore, the benefit of chaos synchronization determined by the difficulty of elliptic curve calculation. be about the synchronization parameters of the chaos system. Due to the chaos system, which is sensitive to initial values, if there is not the same chaos system, the signal will diverge. Then, the eavesdropper cannot get the correct secret number. Therefore, the entire transmitted data is encrypted by it, and it is extremely difficult to identify the plain text.

Computation
By using chaos synchronization, instead of PF-CP-ABE, to obtain the secret number, the computation can be further reduced. The original encryption means that the user takes their private keys of each attribute, and the secret number can be further calculated. On the contrary, if both Lorenz systems synchronize, the secret number can be generated. Excluding external factors, a comparison of the encryption and decryption times is shown in Figure 9. The horizontal axis is the number of attributes, and the vertical axis is the time (ms). Our system, CS-ABE, could be divided into nonsynchronization (Non-syn CS-ABE) and synchronization (Syn CS-ABE). Obviously, the greater the number of attributes, the more time is needed for encryption and decryption. However, for the chaos system, the encryption and decryption times are the same, no matter how great the attributes are. If we use a higher order elliptic curve or a more complex computing technique, both the encryption and decryption times will be even longer. Therefore, the benefit of chaos synchronization determined by the difficulty of elliptic curve calculation.

Conclusions
In this paper, we have proposed a new system combining the PF-CP-ABE with chaos synchronization to improve the security of MQTT. Because the original MQTT specification only has TLS/SSL communication encryption, we designed another encryption system especially for resource-

Conclusions
In this paper, we have proposed a new system combining the PF-CP-ABE with chaos synchronization to improve the security of MQTT. Because the original MQTT specification only has TLS/SSL communication encryption, we designed another encryption system especially for resource-constrained devices using MQTT protocol, which offers the devices additional security. Associated MQTT topic names with attributes and the PF-CP-ABE algorithm reduced the computational burden of previous CP-ABE, and the proposed CS-ABE algorithm can be implemented in a resource-constrained device. Combined with chaos synchronization, this gives another way to obtain the secret number. After the chaos systems are synchronized, the secret number is taken from the state variable of the chaos system instead of attribute-based encryption, which skips the mathematical calculation of the elliptic curve. Finally, we made a small size IoT, and designed and simulated a resource-constrained device, equipped with a human-machine interface and monitoring software to show the performance of MQTT communication and the CS-ABE algorithm.