
Processes 2043733

This paper presents an unforgeable digital signature integrated into an effective lightweight encryption mechanism based on Elliptic Curve Diffie-Hellman (ECDH) to enhance cybersecurity in resource-constrained Internet of Things (IoT) devices. The proposed mechanism addresses challenges such as compromised device identification and weak bits in shared secret keys, demonstrating significant improvements in CPU execution time, storage cost, and power consumption compared to existing algorithms. The security of the system is validated through mathematical proofs and simulation results, showcasing its practicality for IoT applications.

Type of the Paper (Article)

Unforgeable Digital Signature Integrated into Lightweight Encryption Based on Effective ECDH for Cybersecurity Mechanism in Internet of Things

ADEL A. AHMED 1*, and OMAR M. BARUKAB 2

1 King Abdulaziz University, Jeddah, KSA; aaaabdullah1@[Link]
2 King Abdulaziz University, Jeddah, KSA; obarukab@[Link]
* Correspondence: aaaabdullah1@[Link]; Tel.: 00966563884738

Abstract: Cybersecurity protocols enable several levels of protection against cyberattacks (digital attacks) that spread across network devices, platform programs, and network applications. In the Internet of Things (IoT), cyberattacks are generally intended to access, change, or destroy sensitive information, which may reduce the benefits of the IoT. Moreover, recent IoT systems face a critical challenge in designing a lightweight and robust cybersecurity mechanism for resource-constrained IoT devices. The cybersecurity challenges on the IoT that should be taken into consideration are identifying compromised devices, protecting data and services, and identifying impacted IoT users. This paper proposes an unforgeable digital signature integrated into an effective lightweight encryption (ELCD) mechanism that utilizes the secure key distribution in Elliptic Curve Diffie-Hellman (ECDH) and resolves the weak bits problem in the shared secret key due to the Diffie–Hellman exchange. The ELCD mechanism proposes a secure combination of the digital signature and encryption, and it uses fast hash functions to confidentially transfer a shared secret key among IoT devices over an insecure communication channel. Furthermore, the ELCD mechanism certainly checks the true identity of the sender through the proposed digital signature, which works based on the hash function and the three steps of curve point inspection. Furthermore, the security of ELCD has been proven mathematically using the random oracle model and the IoT adversary model. The emulation results show the effectiveness of ELCD in terms of CPU execution time, storage cost, and power consumption, which are less by 53.8%, 33-17%, and 68.7% respectively compared to the baseline cryptographic algorithms.

Keywords: IoT; ECDH; Digital Signature; Random Oracle Model

Copyright: © 2022 by the authors. Submitted for possible open access publication under the terms and conditions of the Creative Commons Attribution (CC BY) license ([Link] s/by/4.0/).

Processes 2022, 10, x. [Link] [Link]/journal/processes

1. Introduction
The Internet of Things (IoT) provides communication capabilities to electronic devices and a variety of objects/things that have internetworking devices which can be configured with a unique IP address to implement numerous smart applications without human intervention. Moreover, IoT devices are extremely heterogeneous, differ in capabilities, and have very limited resources in terms of connectivity, source of energy, processing and memory capabilities, and input/output hardware features [1]. The general architecture of the IoT is illustrated in Figure 1. In this figure, the event area depends on the real application that supports civilian and military environments such as industrial, medical, smart home, and transportation. The wireless sensor nodes are attached to the electronic devices or objects (called IoT devices) to collect measurement data from the environment and transfer it to the IoT gateway or actuators. Upon receiving a command from the gateway or sensors, the actuators can intervene to change physical conditions, such as controlling equipment, switching a light on or off, and increasing or decreasing engine rotation speed. Moreover, a gateway provides connectivity between sensors/actuators and the remote IoT device, and it also facilitates data compression, secure data transmission, and compatible communication between the event area sensors/actuators and the remote IoT devices [2-6].

Figure 1. IoT general architecture

The cybersecurity issue remains a significant barrier to IoT adoption and deployment due to the vulnerability of software privacy and hardware cyberattacks. Generally, cyberattacks use the internet to destroy, disrupt, disable, or gain unauthorized access to critical information of the IoT. Regardless of the network structure layers, the IoT is susceptible to numerous kinds of cyberattacks at the sensing layer, the application layer, and the network layer. For instance, cyberattacks cause numerous effects on the IoT, which might include sensor capture, stolen-verifier and controlled information, known secure key, denial of service (DoS), link sniffing, man-in-the-middle, forced delay, session hijacking, as well as brute force and dictionary attacks [7-10].

Encryption and digital signatures are the two essential solutions to cyberattacks on the IoT. Recent IoT cryptographic tools use two types of encryption: symmetric (private-key) and asymmetric (public-key) methods. Symmetric-key algorithms apply the same key at the source and at the destination for the cryptographic process. Indeed, the strength of symmetric-key encryption relies on the distribution of the private key among the IoT devices. In contrast, asymmetric-key algorithms use two unique keys, one public and one private. The private key is kept secret and never distributed, while the public key can be sent through a secure channel to the valid entitled devices. The main advantage of asymmetric-key cryptography is the construction of a digital signature, which is used to verify the original sender, prevent the sender from disowning the message, and prove the integrity of the message. However, the drawback of standard digital signatures is the uncertain confirmation of the sender identity. This means the sender's private key could be counterfeited by an attacker's private key, which can be used in the digital signature to mimic the identity of the true sender. Moreover, the implementation of standard asymmetric-key algorithms on resource-constrained devices (e.g., IoT) is more complex and incurs more energy consumption and latency compared to symmetric-key algorithms. Therefore, symmetric-key cryptography that uses an efficient key distribution scheme can provide a promising lightweight cybersecurity solution for the IoT network. Furthermore, symmetric-key cryptography can use a hash function to provide sender authenticity and a digital fingerprint (integrity) for the distributed keys and plaintexts.

Efficient key distribution is the dilemma of symmetric-key cryptography, and it becomes the most significant challenge on resource-constrained devices such as the IoT system. One practical solution is to use the Elliptic Curve Diffie-Hellman (ECDH) scheme, which is considered an appropriate solution for resource-constrained devices. ECDH has a smaller key size, more efficient source code, and lower power consumption compared with the Rivest-Shamir-Adleman (RSA) cryptosystem. The common key can be directly derived from the shared secret key and used to encrypt subsequent data flow between the source and the destination using a symmetric-key cipher.

The standard cryptosystem solutions (e.g., RSA, AES, DES) require a significant computation overhead and a longer processing latency. Hence, they cannot be applied directly to the most resource-constrained devices such as IoT devices or sensors. Thus, it is a challenging task to develop lightweight, fast, and efficient secure cryptographic mechanisms for the IoT which can verify the identity of the sender and prevent the revelation of sensitive information to unauthorized attackers [11-16].
1.1 Research Problem Statement
As IoT devices have limited power capacity and processing capability, they are not capable of implementing complex mathematical operations. Therefore, complicated security approaches that rely on long key sizes and complex encryption and decryption processing (e.g., RSA) are not a good solution for resource-constrained IoT devices [5]. The main challenges in developing an unforgeable digital signature are accounting for the resource constraints of the IoT, verifying the true identity of the signer, and resolving the key distribution problem and the weak bits problem in the shared secret key.
1.2 Research Contribution
The following contributions are reported in this research:
• It proposes an efficacious digital signature, which certainly confirms the true identity of the sender using a hash function and the three steps of curve point inspection based on the ECDH scheme.
• It proposes a secure combination of encryption and digital signature, and it studies the weaknesses of other combinations.
• It proposes a lightweight encryption mechanism which can resolve the weak bits problem in the shared secret key due to the Diffie–Hellman exchange.
• It proposes a secure key distribution among a group of IoT devices that confidentially transfers a shared secret over an insecure communication channel. The shared group secret key (SGSK) is an ephemeral (dynamic) entity and is calculated on the basis of the ECDH scheme. The perfect forward secrecy which is recommended by the RFC8442 standard can be achieved using the ephemeral shared key.
• A comprehensive probabilistic mathematical cryptanalysis using the random oracle model (ROM) is employed to prove the security of the proposed digital signature and the encryption in the IoT.
• Finally, several simulation experiments have been conducted to evaluate the performance of the proposed mechanisms in terms of processing time, storage cost, and energy consumption. Overall, the proposed system offers a faster processing time, less memory and energy consumption, and an effective method of key distribution.
The rest of this paper is arranged as follows: Section 2 presents the related works on encryption and digital signature based on the IoT platform. Section 3 describes the construction of the system design for all models in the ELCD mechanism. Section 4 explains the cybersecurity analysis based on ROM for the ELCD mechanisms. Section 5 explains the emulation experiments and the evaluation of the ELCD mechanism based on the IoT system. Finally, the conclusion and future work are explained in Section 6. All the notation used in the ELCD mechanism is summarized in Table 1.

Table 1. Frequently used notation

| Notation | Meaning | Notation | Meaning |
|---|---|---|---|
| C | Ciphertext | M | Plaintext message |
| CCA | Chosen-ciphertext attack | m | The integer number of M |
| CPA | Chosen-plaintext attack | n | Order of G |
| d | Private key | O | An extra point at infinity of the curve |
| D | Destination node | P | Modular prime |
| DS | Digital signature | Pb | Random point in the curve |
| ECC | Elliptic curve cryptography | Pb.X1 | X coordinate of Pb |
| ECDH | Elliptic Curve Diffie Hellman | Q | Public key |
| ELCD | Effective, lightweight cryptographic and digital signature | S | Source node |
| G | Base point generator | SGSK | Shared Group Secret Key |

2. Related Works on Encryption and Digital Signature

As the IoT is still a relatively new technology, only a limited number of algorithms in the literature so far have been developed to fit resource-constrained devices such as actuators, sensors, etc. In an earlier work presented by A. A. Ahmed, called ESSC_DC [17], a digital certificate authority was used to verify the true identity of the sender by linking a public key to its owner. The advantages of the algorithm proposed in this paper compared to the previous research in [17] can be described as follows:
• The new proposed combination of the digital signature and encryption has the ability to verify the true identity of the sender and the receiver, which is considered the main function of the digital certificate in [17].
• The verification process in establishing the digital certificate necessitates tedious work, consumes excessive power, and requires extra processing delay if used on the IoT platform.
• The QoS performance of the proposed algorithm outperforms the QoS performance of the digital certificate in [17]. This is mainly due to the fact that the digital certificate authority, which is responsible for verifying the digital certificate, consumes excessive power and increases the end-to-end delay, as will be explained in Section 5.
Thus, the related works for this paper emphasize lightweight digital signature and cryptographic algorithms on the IoT network.

2.1 Lightweight Digital Signatures on IoT
Elliptic curve cryptography (ECC) has been used in numerous encryption algorithms, including public-key algorithms such as the elliptic curve digital signature algorithm (ECDSA) [18]. This latter algorithm was recognized as an ISO standard, an ANSI standard, and a combined IEEE and NIST standard in 1998, 1999 and 2000 respectively. However, ECDSA has technical problems, summarized as its slowness, design flaws, and insufficiently defensive implementations of the random number generator. Arif et al. [19] proposed the shortened complex digital signature algorithm (SCDSA), which secures the transmission channel between the sender and the receiver in a human-centered IoT. Also, Park et al. [20] proposed an enhancement of the elliptic-curve Qu-Vanstone (ECQV) scheme, which used the idea of a certificate issuing protocol that resolves the problems of an implicit certificate for establishing a lightweight security association on the IoT system. However, this requires protecting the certificate request between the sensor device and the certificate authority. Furthermore, Atefeh et al. [21] proposed a secure data sharing mechanism for device-to-device communication on the 5G mobile system. In their research, the virtual check concept has been applied as an encouragement system to stimulate manipulators' participation in the development of data sharing. Also, Adeel et al. [22] proposed a secure authentication mechanism which relies on elliptic ElGamal encryption. In [22], the researchers integrated the elliptic-curve cryptosystem (ECC) with the public key infrastructure (PKI) to produce a pair shared key which is exchanged between IoT devices. Moreover, the research offered by Yasir et al. [23] integrated the ECC and ElGamal schemes over a public-key infrastructure (EEoP). Furthermore, Adel et al. [24] proposed an effective multifactor authentication (CMA) which combines several hash functions and geolocation authentication over the IoT. Likewise, Sciancalepore et al. [25] developed a key management protocol (KMP) which combines the ECDH scheme with digital certificates to authenticate the key generation.

2.2 Lightweight Encryption Algorithms on IoT
V. Shoup proposed the elliptic curve integrated encryption (ECIES) mechanism, which is integrated with the Advanced Encryption Standard in a scheme called ECIES_AES. Also, ECIES is integrated with Rabbit encryption, as described in the RFC4503 standard, in a scheme called ECIES_Ra. Lightweight authenticated encryption with associated data (AEAD) has been suggested by NIST to work with resource-constrained devices (e.g., IoT systems) [26]. The AEAD scheme offers the cipher and the tag, which can be considered a message authentication code (MAC). Hence, AEAD offers data authentication, confidentiality, and data integrity. For example, Seok et al. [27] developed secure device-to-device communication using the idea of AEAD and ECC to fit the resource-constrained IoT system. Khan et al. [28] developed a secure ECC-based authentication and encryption scheme which utilizes user credentials and biometric parameters to improve user authentication. Muhammad et al. [29] proposed Secure IoT (SIT), which combines a 64-bit key Feistel cipher and a uniform substitution permutation. The integration of authentication and cryptography based on the Diffie–Hellman scheme has been presented in Shah et al. [30]. The authentication uses multiple factors to share a secret key over the IoT system. Hammi et al. [31] proposed a one-time password (OTP) that relies on ECC and isogeny to guarantee IoT security. However, the randomness of the OTP based on ECC is not ensured. Rangwani et al. [32] proposed a secure system with privacy and authentication based on a three-factor authentication protocol for the industrial IoT (IIoT).

The limitations of the previous literature studies [18–32] are summarized in Table 2. In this table, the main limitations can be classified into three facts: Firstly, most of the research studies did not consider the combination of encryption and digital signature, the hardware resource constraints, and the outstanding architecture of the IoT. Secondly, the vulnerabilities of ECDH (i.e., weak bits and chosen ciphertext attack) were not investigated. Finally, the hardware resource constraint issue was not carefully taken into account in the design of the digital signature and encryption mechanisms.

Table 2. Summary of Related Works

| Approaches | Date of publication | Methodology and Features | Limitations |
|---|---|---|---|
| ECDSA [18] | 2001 | It proposed an elliptic curve based digital signature algorithm. | Slowness, design flaws, and insufficiently defensive. |
| SCDSA and MPS-SCDSA [19] | 2018 | It secured communication between smart devices in IoT. | It needs high processing resources and consumes extra energy. |
| C.S. Park et al. [20] | 2018 | It proposed an enhancement of the elliptic-curve Qu-Vanstone (ECQV) certificate issuance protocol. | It consumes more power and latency due to verification of the certificate at the certificate authority. |
| Adeel et al. [22] | 2019 | It merged two algorithms: ECC to manage the public key infrastructure (PKI), and ElGamal to implement the encryption. | It lacks the adversary model analysis. |
| Yasir et al. [23] | 2017 | It developed a tiny cryptographic system which depends on ECC and ElGamal. | The cryptanalysis was not studied. |
| KMP [25] | 2017 | It integrates the ECDH exchange with a digital certificate to authenticate the key generation. | It does not fit resource-constrained IoT due to the power consumption of the implied certificate. |
| B. Seok et al. [27] | 2020 | It proposed secure device-to-device communication using the idea of AEAD and ECC to fit the resource-constrained IoT system. | The cryptanalysis was not studied. |
| M. Ayoub et al. [28] | 2020 | It developed a secure ECC-based authentication and encryption scheme which utilizes user credentials and biometric parameters to improve user authentication. | It does not fit resource-constrained IoT due to vulnerability to errors in biometric parameters. |
| SIT [29] | 2017 | It uses the idea of combining a 64-bit Feistel cipher and a uniform substitution permutation. | It does not fit resource-constrained IoT due to power consumption. |
| Shah et al. [30] | 2017 | It combines the authentication and the cryptography based on Diffie–Hellman to distribute a secret key among IoT devices. | It does not prove the security of the combination. |
| B. Hammi et al. [31] | 2020 | It proposed an OTP that relies on Elliptic Curve Cryptography and Isogeny. | The randomness of the OTP based on ECC is not ensured. |
3. System Design of the ELCD Algorithm

The proposed ELCD mechanism mainly contains three functions: key management based on the ECDH scheme, encryption algorithms with a random padding scheme, and a digital signature based on a multifactor hash function. The former two functions have been combined to guarantee a high degree of security strength against cyberattacks on the IoT. The following assumptions have been used to design the three proposed functions throughout this paper:
• The IoT gateway has a strong security protection system, and it is extremely hard to compromise.
• Each IoT device (sensor, actuator, remote IoT user, etc.) has two secure keys: the public key, which is available to all involved IoT devices, and the private key, which is not known publicly.
• The domain parameters of the ECDH are embedded and uploaded into all IoT devices during the programming session, which means that the ELCD mechanism is very suitable for the industrial IoT (IIoT).
The following sections explain the details of the proposed ELCD and how it functions on IoT networks.

3.1 The Key Management Algorithm
The main problem in traditional symmetric-key cryptography is the exchange of the common key between the IoT devices over an insecure communication channel, which makes the IoT devices susceptible to many attacks. Thus, the proposed key management algorithm uses the ECDH scheme with a dynamic shared key calculation to securely agree on a fresh secret key for each session between IoT devices (i.e., forward secrecy). Both ECC and ECDH schemes have been utilized to generate a secure, shorter shared key which is more appropriate for IoT devices. The elliptic curve is a set of points that are identified by solving the following equation:

$$E = \{(x, y) \mid y^2 = x^3 + ax + b\} \cup \{O\}, \quad \text{where } a, b \in K\ (\mathbb{Z}/p\mathbb{Z}) \text{ satisfy } 4a^3 + 27b^2 \neq 0 \qquad (1)$$

where K defines a finite field of integer numbers over a modular prime P. In order to do a mathematical operation such as adding a point to itself, an extra point at infinity (e.g., O) has been added to the curve. Let us consider S and D as a source and a destination, each of which could be a sensor, an actuator, or a remote IoT user. Primarily, the domain parameters are p (the prime of the base finite field), a, b, G (the base point generator), n (the order of G), and h (the subgroup cofactor, usually 1), which represent the information agreed upon by S and D to utilize the ECDH key exchange protocol. S and D should each obtain a private key d, which is determined using the random generator function between 1 and n-1. Figure 2 illustrates the ECDH key establishment and the process of exchanging the public key between two IoT devices in order to compute a shared secret key over an insecure communication channel. The public key, a point Q, is calculated as a scalar multiplication of d and G (e.g., Q = d × G). Let the S key-pair be (dS, QS) and the D key-pair be (dD, QD). Each party of the connection has to receive the other party's public key prior to the implementation of the ECDH protocol. Hence, S computes point K(XK, YK) = dS × QD and D computes point K(XK, YK) = dD × QS. As a result, the shared secret key is XK, which represents the x coordinate of the point K. The shared secret key that is calculated by both parties is equal because dS × QD = dS × dD × G = dD × dS × G = dD × QS. Note that “×” is used to denote elliptic curve scalar multiplication. Moreover, the public key Q, the private key d, and the shared secret key (XK) in the proposed algorithm are ephemeral (dynamic), which means that they change every new session between S and D.

Figure 2. The ECDH key establishment process

• Shared Group Secret Key (SGSK)
The proposed key distribution mechanism between a pair of IoT devices is modified to be applicable to a group of IoT devices. This provides an advantage for the ELCD scheme compared to ECDH. For instance, the shared secret key can be calculated for five IoT devices (IoT_D) as shown in Figure 3 as follows:
• IoT_D1 creates the first part of the group public key as Q1 = d1 × G.
• IoT_D1 sends Q1 to the next IoT_D (e.g., IoT_D2), which creates the second part of the group public key as Q12 = d2 × Q1.
• This scenario continues until the last IoT_D (e.g., IoT_D5) receives the previous parts of the group public key (Q1234), which is considered the total group public key created at IoT_D5 (QT5 = Q1234). The total group public key at IoT_D number v can be generalized for any number of nodes in the group as:

$$QT_v = G \times \prod_{i=1}^{N} \left(d_i \mid d_v\right) \qquad (2)$$

where N represents the total number of IoT_D in the group. For example, we can calculate QT3 based on five IoT_D as d1 × d2 × d4 × d5 × G.
• Finally, the SGSK can be calculated at IoT_D number v as (XK, YK) = dv × QTv. For example, the SGSK at IoT_D number 3 can be calculated as d3 × QT3, while the SGSK at IoT_D number 4 can be calculated as d4 × QT4. Note that d3 × QT3 = d4 × QT4, because d3 × QT3 = d3 × d1 × d2 × d4 × d5 × G = d4 × d1 × d2 × d3 × d5 × G = d4 × QT4. Each IoT_D should verify the received QTv before doing any calculation. Therefore, if a malicious node exists during the key distribution phase, it does not know the domain parameters (i.e., n and G) and so it cannot calculate the appropriate QTv. Therefore, each IoT device must receive QTv before creating the SGSK and performing the digital signature and cryptographic algorithms.

Figure 3. Shared group secret key

3.2 The Lightweight Encryption Algorithm
The important function that prevents the disclosure and unauthorized reading of the digital signature is encryption. Therefore, confidentiality of the sent message, including the IoT data and the digital signature, should be designed as a complete system. The first stage in the proposed system is performing the encryption algorithm at the source node using the following steps:
• Calculate a hash function for the shared secret key XK as E = StrToInt(Hash(XK)), where the hash function represents a cryptographic hash function like CMA [24] or SHA-256 [33].
• Calculate the curve point Pb(X1, Y1) = E × G, which is hard to reverse because scalar multiplication in ECC has the one-way function property.
• Calculate the ciphertext C = (m × X1) mod n, where m is obtained by converting M to an integer number using a padding scheme, which should be an agreed-upon reversible protocol. In this paper, each M has been parsed into multiple chunks based on the message size in an elliptic curve (e.g., Secp192r1) [34]. This means that the maximum length of each chunk is 127 bytes, and the minimum length is 24 bytes.
The decryption steps of ELCD at the destination node upon receiving C are performed as follows:
• Calculate E = StrToInt(Hash(XK)), where Hash represents the same cryptographic hash used in the authentication code calculation.
• Calculate the curve point Pb(X1, Y1) = E × G.
• Calculate the integer number of the chunk m = (C × X1^-1) mod n, where X1^-1 mod n can be computed using a modular multiplicative inverse.
• Convert the integer number m to the parse(i) of plaintext (M), where i is the parse number. The concatenation of all parses recreates the original message M.


3.3 The Proposed Digital Signature Algorithm
The traditional digital signature has a serious drawback in verifying the true identity of the sender. For instance, an adversary could intercept the transmitted message along with the digital signature and could create her/his own set of public and private keys using the sender’s identity. After that, the adversary would pretend to be a legitimate IoT sender and create a fictitious message with a different digital signature. Upon receiving the message and the digital signature, the receiver would unknowingly retrieve the imposter's public key (thinking it belonged to the sender) and decrypt it. This problem can be solved using the digital certificate system, which can certainly verify the true identity of the sender; however, a digital certificate requires more power consumption and latency due to third party verification (digital certificate authority). In contrast, the proposed system resolves this problem using the three steps of curve point inspection and the integration of the encryption and the digital signature as described in Figure 4. The proposed digital signature consists of six phases, three at the source IoT node and three at the destination IoT device.

Figure 4. The six phases in the proposed digital signature

The source node will implement the following steps:
• Phase 1, Create Digest.
1) Convert the plaintext message (M) to an integer number m using an agreed-upon reversible protocol identified as a padding scheme.
2) Calculate the digest for m as Z = StrToInt(Hash(m)) mod n, where Hash represents a cryptographic hash like CMA [24] or SHA-256 [33].
• Phase 2, Create DS.
1) Encrypt the digest with the sender private key dS to calculate the digital signature as DS = (dS^-1 × YK × Z) mod n, where YK represents the y coordinate of the shared secret key.
2) Since dS is a random number (ephemeral) that changes every session, DS also changes in each session.
• Phase 3, Encrypt Message with DS.
1) Encrypt the concatenation of m and DS with the shared secret key XK. The proposed lightweight encryption algorithm is used to encrypt (m + DS), and the final output will be the ciphertext (C).
2) Calculate E = StrToInt(Hash(XK)).
3) Calculate the curve point Pb(X1, Y1) = E × G.
4) Calculate C = ((m + DS) × X1) mod n.
In order to authenticate the digital signature, the following steps will be implemented at the destination:
• Phase 4, Decrypt Ciphertext.
1) Calculate E = StrToInt(Hash(XK)).
2) Calculate the curve point Pb(X1, Y1) = E × G.
3) Calculate the concatenation of m and DS: (m + DS) = (C × X1^-1) mod n.
• Phases 5 and 6, DS Verification and Obtaining the Message.
1) Verify the true identity of the sender that is used in signing the plaintext (YK) using three steps of curve point inspection: 1. Check that QS is not equal to the identity element O, 2. Check that QS lies on the curve, and 3. Check that n × QS = O.
2) Retrieve the digest from the received DS as U1 = (DS × YK^-1 × QS) = Z × G. This works because (DS × YK^-1) × QS = ((dS^-1 × YK × Z) × YK^-1) × (dS × G) = Z × G, since the product of an element's inverse and the element itself is the identity.
3) Create the digest for the received m as Z̄ = StrToInt(Hash(m)) mod n.
4) If the created Z̄ × G = the received Z × G, the received DS is valid; otherwise the received DS is invalid.
5) If the received DS is valid, accept the received message m and convert it back to M.

The advantages of the proposed lightweight digital signature can be summarized as follows:

a) The domain parameters are not publicly exchanged between the IoT devices; rather, they are uploaded into all devices during the programming session. This means that the attacker cannot create a valid public key Q.

b) The verification of DS in the proposed method can certainly verify the true identity. This means that the attacker needs to solve the elliptic curve discrete logarithm problem (ECDLP), which is extremely hard, to reverse DS, obtain the private key, and make her/his own fake private key.

c) The padded message m is hashed and digitally signed using the ECC and inverse modular multiplication of the sender private key, which is considered extremely hard to reverse in order to obtain the original message.

d) More importantly, the CMA hash function [24] creates a random digest for any two similar input messages. This is mainly due to the fact that the CMA is designed based on a time-enhanced-based one-time password (TEOTP) and it includes a salt random string to create a random digest for similar input.

Figure 5 shows the proposed pseudo code. After the public key is calculated in each party of the IoT system, it will be sent to all involved IoT devices, which can calculate the shared secret key. The digital signature scheme will be used in the first message of each communication session to verify the authenticity and the genuineness of those devices. If the first message with the digital signature is verified in any device, the rest of the received messages will be decrypted to get the original plaintext. Otherwise, the received messages will be discarded.

ELCD at IoT Sender (S)

Input: Secp192r1 domain parameters p, a, b, G, n, h;
Output: QS, DS, C; // QS: Public key of S, DS: Digital Signature; C: Ciphertext

Start Algorithm (ELCD)
  While (new session start) do
    Pick private key (dS); // 1 ≤ dS ≤ n
    QS = (dS × G);
    Send_Public_key(QS); // Send the public key to destination
    Receive_Public_key(QD); // Receive the public key of D
    K(XK,YK) = dS × QD; // calculate the shared key
    Phase 1, Create Digest
    m = StrToInt(M); // convert the plaintext to an integer.
    Z = StrToInt(Hash(m)) mod n; // hash fun. for integer m
    Phase 2, Create DS
    if (m is the first message) // first message of the session
      DS = (dS⁻¹ × YK × Z) mod n; // DS: Digital Signature
      Phase 3, Encrypt (m + DS)
      E = StrToInt(Hash(XK)) mod n; // E: the hash fun. of key XK
      Pb(X1,Y1) = E × G;
      C = ((m + DS) × X1) mod n; // C: the ciphertext
      Send(“C”); // The source sends “C” only to D
    End; // if Statement
  End; // While loop
End; // Algorithm

ELCD at IoT Receiver (D)

Input: Secp192r1 domain parameters p, a, b, G, n, h;
Output: QD, DS, C; // QD: Public key of D

Start Algorithm (ELCD)
  While (new session start) do
    Pick private key (dD); // 1 ≤ dD ≤ n
    QD = (dD × G);
    Send_Public_key(QD); // Send the public key to source node
    Receive_Public_key(QS); // Receive the public key from S
    K(XK,YK) = dD × QS; // if QS is a valid curve point, the shared key will be calculated
    Foreach (C received and Flag==true) do
      if (first message received) // Receive the first message
        Phase 4, Decrypt C
        Get(C); // Receive the ciphertext (C)
        E = StrToInt(Hash(XK)) mod n;
        Pb(X1,Y1) = E × G;
        m + DS = (C × X1⁻¹) mod n;
        Phase 5 and 6, DS Verification & Obtain Message
        Verify_Public_key(QS); // Receiver will verify QS
        U1 = (DS × YK⁻¹ × QS) = Z × G mod n;
        Z̄ = StrToInt(Hash(m)) mod n; // Z̄ is digest for rec. m
        if (U1 == Z̄ × G)
          The signature is valid, and the source is legitimate;
          Get(m); // Obtain the m and
        else
          The signature is invalid, and the source is illegitimate;
          Flag = false;
        End; // if Statement
      else
        E = Hash(XK) mod n;
        Pb(X1,Y1) = E × G;
        m = (C × X1⁻¹) mod n;
      End; // if Statement
      M = Convert_IntToStr(m); // convert m to M.
    End; // for loop
  End; // While loop
End; // Algorithm

Figure 5. The ELCD pseudo code.
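The six phases of the pseudo code above, together with the three-step curve point inspection, written out as an added Python example (this is not the authors' implementation). Assumptions: SHA-256 stands in for Hash, StrToInt is a big-endian conversion, the message fits in one block below n, and m and DS are encrypted as two separate blocks rather than one concatenated value; all function names are hypothetical.

```python
import hashlib
import secrets

# secp192r1 (NIST P-192) domain parameters: p, a, b, n, G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF
A = P - 3
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)
O = None  # identity element (point at infinity)


def add(p1, p2):
    """Affine point addition, covering O, inverse points and doubling."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def valid_public_key(q):
    """Three-step curve point inspection: Q != O, Q on curve, n x Q = O."""
    if q is O:
        return False
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False
    return mul(N, q) is O


def to_int_digest(value):
    """StrToInt(Hash(value)) mod n, with SHA-256 assumed as Hash."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N


def keypair():
    """Ephemeral private key d in [1, n-1] and public key Q = d x G."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)


def mask_x1(xk):
    """X1 of Pb = E x G with E = StrToInt(Hash(XK)) mod n."""
    return mul(to_int_digest(xk), G)[0] % N


def sign_then_encrypt(message, d_s, q_d):
    """Phases 1-3 at the sender; returns the ciphertext blocks (C_m, C_DS)."""
    if not valid_public_key(q_d):
        raise ValueError("peer public key failed curve point inspection")
    xk, yk = mul(d_s, q_d)                      # shared key K(XK, YK)
    m = int.from_bytes(message, "big")          # assumed padding: raw bytes
    if not 0 < m < N:
        raise ValueError("message block must be a nonzero integer below n")
    z = to_int_digest(m)                        # Phase 1
    ds = pow(d_s, -1, N) * yk * z % N           # Phase 2
    x1 = mask_x1(xk)                            # Phase 3
    return (m * x1 % N, ds * x1 % N)


def decrypt_and_verify(cipher, d_d, q_s):
    """Phases 4-6 at the receiver; returns the message bytes or None."""
    if not valid_public_key(q_s):               # inspect QS before using it
        return None
    xk, yk = mul(d_d, q_s)
    inv_x1 = pow(mask_x1(xk), -1, N)            # Phase 4
    m, ds = (c * inv_x1 % N for c in cipher)
    u1 = mul(ds * pow(yk, -1, N) % N, q_s)      # U1 = DS x YK^-1 x QS
    if u1 != mul(to_int_digest(m), G):          # compare with Z-bar x G
        return None
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    d_s, q_s = keypair()
    d_d, q_d = keypair()
    c = sign_then_encrypt(b"temp=21.5C", d_s, q_d)   # constructed sample
    print(decrypt_and_verify(c, d_d, q_s))
    print(decrypt_and_verify((c[0], (c[1] + 1) % N), d_d, q_s))
```

The receiver runs the point inspection before the scalar multiplication with its private key, so a value that is not a point of order n on the curve never reaches the shared-key computation.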

4. Cybersecurity Analysis

An adversary model is developed to measure the security performance of ELCD, as explained in this section.

4.1 Adversary Model for ELCD on the IoT

The harm of an adversary cyberattack on the IoT is mainly focused on disrupting the control function of the IoT using one or more vulnerabilities that can be exploited by a malicious adversary to compromise the security system of the IoT environment [35, 36, 37]. The adversary is assumed to have the capability to read, transmit and forge the IoT network traffic, which might disrupt the sensed data, the privacy of the IoT device, and the control management of the gateway. The most crucial adversary attacks on ELCD are described as follows:
• Spoofing attack. The adversary intercepts or eavesdrops on the IoT network traffic to obtain the IoT device credential, which is used to gain access to the sensed information.
• A man-in-the-middle attack. The malicious adversary has the ability to listen to all traffic on a network and initiate a connection with any IoT devices. Furthermore, if the adversary acts as an active man-in-the-middle, it can modify the content of captured messages and resend them to the recipient.
• A replay attack. Instead of sending a message directly to the recipient, a replay attack makes a copy of that message and then uses it later. This is carried out by an adversary who intercepts the messages and delays, replays, or retransmits those messages.
• A brute force attack. The malicious adversary tries every possible combination of letters, numbers, and characters to crack the shared secret key even if the domain parameters that are used in the ECDH scheme by both parties are extremely hard to obtain.
• A sensor capture attack. The impostor adversary captures a sensor node and steals the domain parameters and the shared secret key to implement illegal actions on the IoT network.
• A stolen-verifier attack. The impostor adversary who has stolen the shared secret key from an IoT device can pretend to be an authorized device in order to launch attacks against other IoT devices, steal data, or bypass access controls.
4.2 Cryptanalysis of ELCD

The random oracle model has been developed to study the impact of the most common cryptanalysis attacks, described as follows:
• Chosen-plaintext attack (CPA). The adversary is assumed to get the ciphertexts for any plaintexts of its choice. Moreover, the adaptive CPA (CPA2) means that the adversary has the ability to choose the new input to the encryption of ELCD (ELCDE) based on the analysis of her/his previously selected plaintext queries and their corresponding ciphertexts [38]. The definition of CPA can be represented mathematically by assuming that an adversary A gains access to an encryption oracle with any pair of equal-length messages (m1, m2) as input. The oracle will return a ciphertext as output.

Definition (1). Let ELCDE = (𝐾, E, D) be an encryption mechanism in ELCD, where E is encryption, D is decryption, and K is the space of all keys. The advantage of indistinguishability chosen-plaintext attack (IND-CPA) of A is defined as:

$$
\mathrm{Adv}^{\text{in-cpa}}_{ELCD_E}(A) = \Pr[k \leftarrow K;\ C \leftarrow E_k(m_1) : A(C) = 1] - \Pr[k \leftarrow K;\ C \leftarrow E_k(m_2) : A(C) = 1] \tag{3}
$$

The above equation shows that ELCD is secure if the advantage of IND-CPA is negligible, which means that A is not doing well. In contrast, ELCDE is not secure if the advantage of IND-CPA is non-negligible, which means that A is doing well.
• Chosen-ciphertext attack (CCA). The adversary is assumed to get the decryption of any ciphertext(s) of its choice. Moreover, the adaptive CCA (CCA2) means that the adversary has the ability to choose the new input to the decryption of ELCD based on the analysis of her/his previously selected queries [39].

Definition (2). Let ELCDE = (𝐾, E, D) be an encryption mechanism in ELCD, and let A be an adversary who has the ability to access the encryption (E) and decryption (D) oracles. The advantage of IND-CCA of A is defined as:

$$
\mathrm{Adv}^{\text{in-cca}}_{ELCD_E}(A) = \Pr[k \leftarrow K;\ C \leftarrow E_k(m_b);\ b \leftarrow \{0,1\};\ b' \leftarrow A(E_k(\cdot), D_k(\cdot)) : b' = b] \tag{4}
$$

The above definition shows that the adversary has unlimited access to the decryption oracle using any ciphertext C, with one restriction: the ciphertext previously returned by its encryption oracle. Consequently, ELCDE can be considered secure against IND-CCA if the adversary who is given access to the oracles finds only a negligible advantage in distinguishing the two events of b (0/1).
4.3 The ELCD Cybersecurity Analysis

The ELCD scheme can offer significant security properties such as perfect forward secrecy (PFS), and it has impersonation resilience against key compromise. Since the hash function can be considered as a random oracle function, ELCD uses a hash function to create a pseudorandom function (PRF). As explained in section 3, the hash function in ELCD (i.e., CMA) utilizes the shared secret key (XK) as an input and produces the secure random parameter (H(XK)), which goes through scalar multiplication with the base point (G) to produce a random point Pb(). This means Pb.X1 (i.e., the x coordinate of Pb) is a random value that changes periodically to defend against IND-CPA and replay attacks.
4.3.1 Proven Security for ELCD in the Random Oracle Model

The length of the shared secret key ($X_K \in \{0,1\}^L$) can be represented as $L = |X_K| = |n| = |p|$, which equals the length of the used elliptic curve Secp192r1 (e.g., 192 bits). The proven security of ELCD uses ROM to instantiate the hash function as 𝐻(.): {0,1}∗ → {0,1}.
Theorem (1). If Pb is a (t, ϵ)-pseudorandom function (PRF), then the ELCDE is secure against IND-CPA.
• Methodology of Proof. The contradiction methodology is used to prove Theorem 1. Let us assume there exists an adversary A that runs in PPT and breaks the security of ELCDE. The algorithm A is used to construct a PPT distinguisher B that distinguishes the output of Pb from a random number with non-negligible cost. Since Pb is a PRF, this contradicts the previous conclusion that Pb is a random function. Therefore, the original assumption is false and the ELCDE must be secure.

Proof. Let us assume A attacks ELCDE in the sense of IND-CPA and two messages $M_0$, $M_1$ are used as follows:

$$
\Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ Pb \leftarrow H(X_K) \times G;\ C \leftarrow M_0 \times Pb.X_1 : A(C) = 0] - \Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ Pb \leftarrow H(X_K) \times G;\ C \leftarrow M_1 \times Pb.X_1 : A(C) = 0] = \epsilon(L) \tag{5}
$$

where $\epsilon(L)$ is non-negligible. The algorithm B was constructed to distinguish Pb from the random function. This can be done using the ability of B to call Pb to distinguish whether it is a PRF or a completely random function. B works as follows: 1) Pick a random $b \in \{0,1\}$; 2) B computes $C = Pb.X_1 \times M_b \bmod n$; 3) Run the experiment A(C) to obtain $b'$, which denotes A's guess of which message was encrypted. If $b' = b$, A guessed correctly, which means B guesses PRF, and this is represented by B outputting “1”. However, if $b' \neq b$, A did not guess correctly, B guesses a random function, and this is represented by B outputting “0”. The algorithm B distinguishes the output of Pb.X1 as:

$$
\Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ Pb \leftarrow (H(X_K) \times G);\ y \leftarrow Pb.X_1 : B(y) = 1] - \Pr[y \leftarrow \mathbb{Z}_n^* : B(y) = 1] \tag{6}
$$

We will study each of these terms separately as: $P_1 \overset{\text{def}}{=} \Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ Pb \leftarrow (H(X_K) \times G);\ y \leftarrow Pb.X_1 : B(y) = 1]$, and $P_2 \overset{\text{def}}{=} \Pr[y \leftarrow \mathbb{Z}_n^* : B(y) = 1]$. In step 3, the algorithm B did the following:

$$
P_1 = \Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ Pb \leftarrow H(X_K) \times G;\ y \leftarrow Pb.X_1 : b \leftarrow \{0,1\};\ b' \leftarrow A(Pb.X_1 \times M_b) : b' = b] \tag{7}
$$

By using the condition on $b$ we obtain:

$$
P_1 = \Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ y \leftarrow Pb.X_1 : A(Pb.X_1 \times M_0) = 0] \cdot \Pr[b = 0] + \Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ y \leftarrow Pb.X_1 : A(Pb.X_1 \times M_1) = 0] \cdot \Pr[b = 1] \tag{8}
$$

With applying the fact:

$$
\Pr[b = 0] = \Pr[b = 1] = \tfrac{1}{2}
$$

and

$$
\Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ y \leftarrow Pb.X_1 : A(Pb.X_1 \times M_1) = 1] = 1 - \Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ y \leftarrow Pb.X_1 : A(Pb.X_1 \times M_1) = 0] \tag{9}
$$

we obtain:

$$
P_1 = \frac{1}{2} + \frac{1}{2}\Big(\Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ y \leftarrow Pb.X_1 : A(Pb.X_1 \times M_0) = 0] - \Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ y \leftarrow Pb.X_1 : A(Pb.X_1 \times M_1) = 0]\Big) = \frac{1}{2} + \frac{\epsilon(L)}{2} \tag{10}
$$

$P_2$ is calculated as:

$$
P_2 = \Pr[y \leftarrow \mathbb{Z}_n^* : b \leftarrow \{0,1\};\ b' \leftarrow A(Pb.X_1 \times M_b) : b' = b] \tag{11}
$$

As before, we eventually get:

$$
P_2 = \frac{1}{2} + \frac{1}{2}\Big(\Pr[y \leftarrow \mathbb{Z}_n^* : A(Pb.X_1 \times M_0) = 0] - \Pr[y \leftarrow \mathbb{Z}_n^* : A(Pb.X_1 \times M_1) = 0]\Big) \tag{12}
$$

Since $y$ is completely random and $Pb = H(X_K) \times G$, the probability of A winning when breaking the one-time pad is 0. Therefore, $P_2$ is 1/2. The final result after using all parameters together gives:

$$
\Pr[H(X_K) \leftarrow \mathbb{Z}_n^*;\ Pb \leftarrow (H(X_K) \times G);\ y \leftarrow Pb.X_1 : B(y) = 1] - \Pr[y \leftarrow \mathbb{Z}_n^* : B(y) = 1] = P_1 - P_2 = \frac{1}{2} + \frac{\epsilon(L)}{2} - \frac{1}{2} = \frac{\epsilon(L)}{2} \tag{13}
$$

Since $\epsilon(L)$ was non-negligible, the term $\epsilon(L)/2$ is also non-negligible. This leads to the fact that A has non-negligible advantage in breaking ELCDE and hence B has non-negligible advantage in distinguishing Pb from the random result. Nevertheless, this contradicts the fact that Pb is a (t, ϵ)-PRF, and such A does not exist. Hence, ELCDE is secure against IND-CPA.

Theorem (2). For all PPT adversaries, the IND-CCA advantage when attacking ELCDE is negligible.
• Methodology of Proof. The adversary guessing methodology is used to prove Theorem 2. Let us assume A is a PPT adversary algorithm that breaks ELCDE in the sense of IND-CCA for which $\mathrm{Adv}^{\text{in-cca}}_{ELCD_E}(A) = 1$. To break ELCDE, A gains access to an encryption oracle with any pair of equal-length messages (m0, m1) as input. The encryption oracle 𝑬𝑲(mb) takes this input and returns an encryption of either m0 or m1. The goal of A is to determine the value of b. If A guesses correctly, then ELCDE is not secure; otherwise ELCDE is secure against IND-CCA.

Proof. Let us assume that A queries 𝑬𝑲(mb) with a pair of messages (m0, m1) and the output of 𝑬𝑲(mb) will be Cb. The challenge of A is to determine the value of b ∈ {0,1}. Therefore, A can solve this challenge using the following mechanism. Firstly, A flips the bits of Cb to get C̄b and inputs the valid query C̄b to the decryption oracle to obtain the message M. Finally, A can flip the bits of M at the same position that was flipped in Cb to obtain M̄. As a result, if M̄ is equal to one of the queried messages (m0 or m1), A guesses correctly and ELCDE is not secure. Otherwise, A guesses incorrectly and ELCDE is secure against IND-CCA. The procedure that A used to break ELCDE can be described as follows:

A(E(mb), D(·)) {
m0 ⟵ 0^n; m1 ⟵ 1^n; Cb ⟵ 𝑬𝑲 (𝑚0, 𝑚1), 𝑏
C̄b ⟵ Cb ⊕ 1^n; 𝑀 ⟵ 𝑫𝑲 (C̄b); M̄ ⟵ 𝑀 ⊕ 1^n;
If M̄ = m0 then return 1 else return 0}

Let us study the advantage of A in attacking ELCDE with IND-CCA more precisely as follows:

$$
\mathrm{Adv}^{\text{in-cca}}_{ELCD_E}(A) = \Pr[\mathrm{Exp}^{\text{ind-ccp-1}}_{ELCD_E}(A)] - \Pr[\mathrm{Exp}^{\text{ind-ccp-0}}_{ELCD_E}(A)] \tag{14}
$$

We will study each part of Equation (14) individually. The first part is $\mathrm{Exp}^{\text{ind-ccp-1}}_{ELCD_E}(A)$ (b=1) as: $C_1 = E_K(m_1, b) = Pb.X_1 \times m_1 \bmod n$. If the i-th bit of C1 has been flipped, resulting in a new ciphertext C̄1, and the decryption oracle is queried with C̄1, then:

$$
M = D_K(\bar{C}_1) = Pb.X_1^{-1} \times [(Pb.X_1 \times m_1 \bmod n) \oplus 1^n] \bmod n = Pb.X_1^{-1} \times [(Pb.X_1 \times 1^n \bmod n) \oplus 1^n] \bmod n \tag{15}
$$

The modular multiplication cannot be distributed over XOR (e.g., (5 × (2 ⊕ 9)) ≠ (5 × 2) ⊕ (5 × 9)), and it also cannot be associated over XOR (e.g., (5 × (2 ⊕ 9)) ≠ ((5 × 2) ⊕ 9)). Hence, if A flips the i-th bit of M to obtain M̄, he cannot guess correctly with (m1) and the returned value is 0, which means $\Pr[\mathrm{Exp}^{\text{ind-ccp-1}}_{ELCD_E}(A)]$ is 0. Similarly, the other part of Equation (14) can be proven as before, in which $\Pr[\mathrm{Exp}^{\text{ind-ccp-0}}_{ELCD_E}(A)]$ is 0. Putting the two parts of Equation (14) together gives $\mathrm{Adv}^{\text{in-cca}}_{ELCD_E}(A) = 0$. Thus, the advantage of A in attacking ELCDE with IND-CCA is negligible.

• Proven Security for Proposed Digital Signature in ROM

The security advantage of the proposed digital signature consists of two levels: an unforgeable digital signature integrated into lightweight encryption. The popular methods to implement the combination between the digital signature and the encryption can be described as follows:

• Method 1: Encrypt-and-Sign (EAS), which means that data should be encrypted using K1 as C = Ek1(M) and the digital signature should be calculated using K2 as D = DSk2(M). The sending message is the pair (C, D), which should be sent separately.
• Method 2: Sign-then-encrypt (STE), which means that D is first calculated, and then the original data and D are concatenated and encrypted together. The sending message is C = Ek1(M+D), where D = DSk2(M).
• Method 3: Encrypt-then-Sign (ETS), which means the original data M is first encrypted using K1 as C = Ek1(M), and then D is calculated over C. The sending message is the pair (C, D) where D = MACk2(C).

Method 1 and method 3 are not secure because the adversary can eavesdrop on the communication channel between the sender and the receiver, capture all messages, strip off the sender's signature, sign the ciphertext with the adversary's own key, and send it to the receiver to gain access to the IoT devices even though the adversary does not know the content of the messages. The following description will show that method 2 is the secure combination between digital signature and encryption.

Let us assume that the digital signature function is 𝜎 = Sign(d, M) where 𝑑 ∈ {0,1} is the private key, M is the plaintext that should be signed, and 𝜎 ∈ {0,1} is the output of the digital signature function. The verifying function is VerfySign(Q, M, 𝜎), which outputs 1 if the signature is valid or 0 if it is invalid. Let the symbol 𝑄 ∈ 𝐸 , (ℤ ) denote the public key and let 𝐻(𝑀): {0,1} ← 𝐷 (recall 𝐷 is the domain of ELCDDS(𝑄)) be a hash function that is modeled as a random oracle function. Therefore, to generate a digital signature for M, the output is 𝜎 = 𝑆𝑖𝑔𝑛(𝑑, 𝐻(𝑀)). Correspondingly, to verify the digital signature 𝜎 on 𝑀, 𝑆𝑖𝑔𝑛 (𝑄, 𝜎) ≟ 𝐻(𝑀𝑠) should be checked.

Theorem (3). Let ELCDE=(𝐾, E, D) be the encryption of ELCD that is secure under IND-CPA, and let ELCDDS=(𝐾, D, V) be (t, qϵ)-secure (unforgeable against adaptive CPA). Then, ELCD=(𝐾 , 𝐸 , 𝐷 , 𝑉 ) created by the DS-then-encrypt is a secure combination between ELCDE and ELCADS. (Where t is the upper bound for the adversary's running time, q is the maximum number of queries to the random oracle 𝐻, and ϵ is the maximum probability that the adversary does the experiment).
• Methodology of Proof. The proof of Theorem (3) is divided into two parts: the proof that ELCDDS is (t, qϵ)-secure against adaptive CPA, and the proof that ELCD=(𝐾 , 𝐸 , 𝐷 , 𝑉 ) created by the DS-then-encrypt is a secure combination between ELCDE and ELCADS. The contradiction methodology is used to prove the two parts of Theorem (3). The methodology of the proof of the first part of Theorem (3) can be described as follows:
1. Assume there exists an adversary A that runs in PPT which has the ability to generate a forgery digital signature for the original message M with a probability 𝛿.
2. If the probability 𝛿 is proven not negligible, this means that A is doing well and ELCDDS is not secure.
3. However, if the probability 𝛿 is proven negligible, this means A is not doing well and ELCDDS should be secure.
• Proof of the first part. Assume that A is used to construct an algorithm B that has the ability to reverse the trapdoor permutation. B is given 𝑄 and a random digital signature 𝜎 = 𝑦, and tries to obtain the digest of a signed message 𝑥 = 𝐻(𝑀) such that 𝑆𝑖𝑔𝑛 (𝑄, 𝑥) = 𝑦. We assume that before A ever asks for a signature on message m, it has already queried 𝐻(𝑀). B(𝑄, 𝑦) works as follows:

• B chooses a random index i* ∈ {1, . . . , q}.
• B can only have one query for the random oracle H.
• B receives the i-th query from A to H and responds as follows:
  o Let mi represent the i-th query from A to H: if i = i*, this means mi = m and H will return 𝑦; otherwise, H chooses a random ri ← 𝐷,
  o Calculate Outi = 𝑆𝑖𝑔𝑛 (𝑄, 𝑟i), return Outi.
• If A sends a signature request query on message m, B will choose i such that mi = m; if i = i*, abort; otherwise, return ri as the signature.
• When A generates its forgery (m, σ), if m = mi* then B outputs σ; otherwise, abort.
It is interesting to note that every response of signature queries from B is certainly a correct signature. B is able to respond to all signature queries except if A asks for a signature on mi*. Therefore, the forgery output (m, σ) is valid if A never queried a signature on m. In that case, m should be equal to mj for query j, and it must be the case that there is at least one index j for which A never requests a signature on mj. Subsequently, because i* is randomly chosen, the probability that j = i* is at least 1/q. Hence, if A outputs a valid forgery (j = i*), then σ is definitely the inverse of y, which means that B succeeds in reversing the 𝑆𝑖𝑔𝑛 function. Nevertheless, this contradicts the fact that the 𝑆𝑖𝑔𝑛 function is (t, ϵ)-secure, and our assumption must be wrong. This leads to the conclusion that the proposed digital signature should be secure, and no such A can exist. Since the probability of success in inverting the 𝑆𝑖𝑔𝑛 function is at least 1/q times the probability (δ) that A generates a valid forgery, we deduce that the probability of success in inverting the 𝑆𝑖𝑔𝑛 function is at least δ/q. Nevertheless, since the 𝑆𝑖𝑔𝑛 function is assumed to be (t, ϵ)-secure, the probability of success in inverting it satisfies δ/q ≤ ϵ (or δ ≤ qϵ), which means it is negligible. This ends the proof of the first part of Theorem (3).
• Methodology of Proof of the Second Part. The methodology of the proof of the second part of Theorem (3) can be described as follows:
1. Assume there exists an adversary A that gains access to three random oracle functions: Sign Oracle Function (SOF), Encryption Oracle Function (EOF) and Decryption Oracle Function (DOF). The three functions simulate ELCADS and ELCDE.
2. First, A queries SOF with any pair of equal-length messages (m0, m1) as input. The output of SOF is a pair of bits (𝜎 , 𝜎 ).
3. Second, A flips a single bit in either (𝜎 , 𝜎 ). Let us assume that the single bit of 𝜎 has been flipped to be 𝜎 .
4. Third, A queries EOF with a pair of equal-length digital signatures (𝜎 , 𝜎 ). The output of EOF is a pair of (𝐶 , 𝐶 ) = 𝐶 .
5. Fourth, A flips a single bit in 𝐶 at the same position that was flipped in 𝜎 to get C̄b. After that, A queries DOF with C̄b.
6. The goal of A is to determine the value of b. If A guesses correctly, then the combination between ELCDE and ELCADS in ELCD is not secure; otherwise it is secure against IND-CCA.

Proof of the second part. The procedure that A used to break the combination between ELCDE and ELCADS in ELCD can be described as follows:

A(SOF, EOF, DOF) {
m0 ⟵ 0^n; m1 ⟵ 1^n; 𝜎 b ⟵ 𝑫𝑺𝑲𝟐 (𝑚0, 𝑚1), 𝑏;
𝜎 b ⟵ 𝜎 ⊕ 1^n; Cb ⟵ 𝑬𝑲𝟏 (𝜎 , 𝜎 ), 𝑏
C̄b ⟵ 𝐶 ⊕ 1^n; 𝜎 b ⟵ 𝑫𝑲𝟏 (C̄b).
If 𝜎 b = m0 then return 1 else return 0}

Let us study the advantage of A in attacking ELCDE with IND-CCA more precisely as follows:

$$
\mathrm{Adv}^{\text{in-cca}}_{ELCD}(A) = \Pr[\mathrm{Exp}^{\text{ind-ccp-1}}_{ELCD}(A)] - \Pr[\mathrm{Exp}^{\text{ind-ccp-0}}_{ELCD}(A)] \tag{16}
$$

We will study each part of Equation (16) individually. The first part is $\mathrm{Exp}^{\text{ind-ccp-1}}_{ELCD}(A)$ (b=1) as: 𝜎 = 𝑫𝑺𝑲𝟐 (𝑚 , 𝑏) = (dS⁻¹ × YK × H(m1)) mod n. If the i-th bit of 𝜎 has been flipped, this results in a new digital signature 𝜎 b. Furthermore, if A queries EOF with a pair of equal-length digital signatures (𝜎 , 𝜎 ), the output of EOF is a pair of (𝐶 , 𝐶 ) = 𝐶 as follows: 𝐶 = Pb.X1 × 𝜎 mod n. A flips a single bit in 𝐶 at the same position that was flipped in 𝜎 to get C̄b. After that, A queries DOF with C̄b as:

$$
\sigma_b = D_{K_1}(\bar{C}_b) = Pb.X_1^{-1} \times [(Pb.X_1 \times \sigma \bmod n) \oplus 1^n] \bmod n = Pb.X_1^{-1} \times [(Pb.X_1 \times 1 \bmod n) \oplus 1^n] \bmod n \tag{17}
$$

Similarly to Theorem (2), the modular multiplication cannot be distributed over XOR. Hence, if A flips the i-th bit of 𝜎 to obtain 𝜎 b, he cannot guess correctly with (𝜎 ) and the returned value is 0, which means $\Pr[\mathrm{Exp}^{\text{ind-ccp-1}}_{ELCD}(A)]$ is 0. Similarly, the other part of Equation (16) can be proven as before, in which case $\Pr[\mathrm{Exp}^{\text{ind-ccp-0}}_{ELCD}(A)]$ is 0. Putting the two parts of Equation (16) together gives $\mathrm{Adv}^{\text{in-cca}}_{ELCD}(A) = 0$. Thus, the advantage of A in attacking the ELCD scheme with IND-CCA is negligible.

Theorem (4). The weak bits problem (weak bits are certain bits of information that can be correctly predicted with non-negligible advantage) in the shared secret key due to the Diffie–Hellman exchange has been solved by ELCD.
Proof. Let us assume that an adversary exposes the vulnerability of the communication channel to implement sniffing (eavesdropping) or a man-in-the-middle attack on the IoT network. Furthermore, let us assume that the parties of IoT devices select the easier domain parameters. Thus, the adversary who uses the brute force and sensor capture attacks can collect enough residues of the public keys (QS, QD), digital signatures DS, and ciphertexts C to derive the private keys (dS, dD) and shared secret keys (XK, YK) of the IoT parties. This is a well-known problem called the weak bits problem. Let us assume that XK has been calculated and contains a weak bit problem. ELCD uses CMA (SHA-256 can be used), which is a combination of three levels of hash functions and a random string (Salt) as:

H  H1,H 2,Salt    H1  K1  X K  || H 2  K 2  L    Salt


(18) 702

where H1(K1, Ci)= (K 1  Ci )mod (2 -1) ; and H2(K2, Ci) = (Geo_loc  K 2 ) mod (2 -1) .
31
703
31

Moreover, the variable Salt is the combination of random characters that are appended to the digest to make dictionary and brute force attacks much slower and limit the impact of rainbow table attacks. Three levels of hash functions and the random string guarantee the unpredictability of XK, and they ensure the strongly robust property (preserving the collision-resistance (CR), the pseudo-randomness (PRF), the message authentication code (MAC), and one-wayness (OW)). Hence, ELCD uses multihash functions (e.g., Hash(m) and Hash(XK)) to remove the weak bits due to the Diffie–Hellman exchange even if the communication protocol is vulnerable to sniffing attacks.

4.3 Countermeasures Against Replay and Man-in-the-middle Attacks

The secure combination in ELCD has the ability to prevent man-in-the-middle and replay attacks from gaining access to or replicating the digital signature. This is primarily due to the fact that the digital signature is protected by the encryption (Sign-then-Encrypt) and the shared secret key YK that is used in the digital signature represents the true identity of the signer. Moreover, ELCD will reject the received message from the replay attacker due to the following reasons:
• The sender authentication based on YK in the digital signature should be checked before processing the message from a man-in-the-middle attacker.
• The digital signature is calculated based on the private key of the sender, which is protected by a hash function and encryption after a digital signature is applied on the plaintext.
• The replay attacks need to implement the three steps before resending the intercepted message. These steps are shared secret key calculation, digital signature, and message encryption, which are very difficult to gain access to without breaching the hash function and the shared secret key.
4.4 Countermeasures Against Brute Force Attacks
Since the shared secret key is ephemeral and must change every communication session, ELCD resolves the weak bits problem and provides perfect forward secrecy. Furthermore, the brute force attacker needs to resolve the elliptic curve discrete logarithm problem (ECDLP), which requires 0.886∗√𝑘 steps. This means that the security strength is 96, which is likely to be quite computationally intensive [34, 40].
4.5. Countermeasures Against Session Hijacking and Spoofing Attacks
The shared secret key in ELCD is encrypted using secure hash functions such as SHA-2 and CMA. This process generates a random number (e.g., a digest of the shared secret key after applying the hash function) which can be used to create the session identity. Thus, if the attacker succeeds in breaking the session ID, he still needs to calculate the digital signature to gain access to the communication channel between the IoT parties. This is essentially because the digital signature between the IoT sender and the receiver of the session is required in the verification process. Furthermore, the ELCD mechanism can defend against key spoofing attacks because the shared secret key is calculated, which means it is not sent through the channel between the parties of the IoT system. Therefore, the intruders have no chance to spoof this key.

4.6. Countermeasures Against Device Capture and Stolen-verifier Attacks
The ELCD cryptographic scheme can defend against IoT device capture and stolen-verifier attacks using the built-in multifactor hash functions (e.g., CMA) that are built during the programming session inside all IoT devices. The multifactor hash functions that are used in ELCD are flashed and converted into low-level source code language as explained in the assumption. Accordingly, a stolen key will not work without breaking the hash functions, which means that the intruder will not gain access to any secure information on the captured IoT device.

5. Implementation and Performance Evaluation of ELCD on the IoT

Security software on an IoT platform should be evaluated against the platform's resource constraints in terms of computational cost, storage usage, and power consumption. Consequently, ELCD uses ECDH for sharing the secret key over a curve recommended by SECG/NIST, namely Secp192r1 [34]. The advantages of using the Secp192r1 standard elliptic curve in ELCD can be described as follows:
• The size of the encryption and authentication keys is 24 bytes (192 bits), and the experimentally estimated processing latency for ECDH to create and exchange the secret key is 0.576s [28].
• The best known algorithm to solve a k-size ECDLP requires 0.886∗√𝑘 steps. Generally, a k-bit security strength can be achieved if the security system uses at least a 2*k-bit key size. Therefore, ELCD prefers the curve Secp192r1, which can provide a 96-bit security strength [34, 40].
• The maximum message size of the IoT device is 127 bytes, and it can be implemented based on the 6LowPAN protocol (40 bytes header), which is used to create a connection association between the IoT device and the sensor nodes [41].
The evaluation scenarios use the Mininet-IoT emulation software to implement and test the performance of ELCD because it can simulate the IoT hardware and communication description [42]. The experimental IoT network topology consists of one IoT gateway (BaseST1), eight static IoT devices (sensor1 to sensor8), two intruders (Intrudr6 and Intrudr7), and one mobile IoT device (IoTDev5), as can be seen in Figure 6. The role of the intruders is mainly to implement the adversary model that has been discussed in the previous section. All IoT hardware boards contain pairs of network interface cards for communication with the IoT base station using IPv4 and IPv6 (i.e., 6LowPAN). Moreover, the proposed ELCD software is uploaded into all sensors, IoTDev5, and BaseST1. Also, the exchange of public keys and secure packets between all valid IoT devices is executed using client-server socket programming that is combined with the ELCD code. BaseST1 implements the server code while the client code is executed in all sensors and IoTDev5. Table 3 illustrates the experiment's parameters and configuration. In Mininet-IoT, the 802.15.4_hwsim and 802.11_hwsim wireless models are used to perform the 6LowPAN protocol on the TCP/IP model. Also, the propagation model of the wireless signal is configured based on the shadowing model, which reflects the actual signal degradation due to impairments of the signal such as attenuation, noise, and interference. The mobility model of the mobile devices in the experiment is established using random movement on a grid network area of 1000m x 900m. The running time of every experiment has been set to 1000s to study the impact of ELCD against the intruders when they implement dictionary and brute force attacks.

Figure 6. The IoT mesh topology

Table 3. Experiment Configuration.

Parameter                  Values
MAC and PHY                802.15.4_hwsim and 802.11_hwsim
Propagation Model          Shadowing
Path loss exponent         3.0
Shadowing deviation (dB)   3.0
Event area                 (1000m x 900m)
Cover of IoT device        150m
Cover range of BaseST1     250m
Traffic Emulator           TCP Socket client/server; 1000 messages
Performance metrics        CPU Execution Time, Storage Cost, and Energy Consumption
ECDH curve                 Secp192r1
Message Size               127 bytes
Key size                   192 Bits
Emulation duration         1000s

5.1 Performance Evaluation and Results Discussion
The performance evaluation of the proposed integration of encryption and authentication (e.g., ELCD) has been analyzed in terms of the CPU execution time, memory usage, and power consumption costs. The performance comparison has been investigated for the three methods of combining authentication and encryption presented in Figure 2. Furthermore, the performance of ELCD has been compared with three benchmark security algorithms, which are ECIES_AES, ESSC_DC, and ECIES_Ra [RFC4503]. All the source code is written in the Python programming language and implemented in the Mininet-IoT emulator. Also, the main source code of each of the baseline algorithms is downloaded from the security website [43]. Many scenarios have been conducted; each testbed is repeated 10 times, and for each testbed 1000 packets are exchanged. Finally, the average results have been calculated with a confidence interval reaching 95% based on a mean value and a standard deviation, as 5% variation errors in the sample is accepted. Furthermore, the cProfile and memory_profiler programs provide deterministic cost profiling of ELCD and the baseline mechanisms. The memory_profiler program can be used to measure the execution time of an algorithm, its storage cost, and its energy consumption. The total cost of the CPU execution time can be estimated as the multiplication of the CPU execution time and the number of steps per execution (s/e). Also, the storage cost in each IoT device can be calculated as the total cost of communication (sent/received message) data, sensed information, and the cost of the source code in a time unit. Furthermore, the total energy consumption (mJ) in the IoT devices can be estimated as the total energy consumption for packet overhead that is used to execute the source code of the security algorithm [44].
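
The repeat-and-average procedure described above can be sketched as follows. This is an added example, not the authors' testbed code: the SHA-256 workload is a constructed stand-in for a security routine, the standard-library tracemalloc replaces memory_profiler, and forming the 95% interval with Student's t for 10 runs is an assumption about how the interval was computed.

```python
# Added illustration (not the authors' testbed code): repeat a workload 10 times,
# profile each run, and report mean and 95% confidence interval per metric.
# tracemalloc (standard library) stands in for memory_profiler here.
import cProfile
import hashlib
import pstats
import statistics
import tracemalloc

RUNS = 10          # repetitions per testbed, as stated in the paper
PACKETS = 1000     # packets exchanged per run, as stated in the paper
MSG_SIZE = 127     # bytes per message (Table 3)
T_CRIT_95 = 2.262  # two-sided Student t, 95%, RUNS - 1 = 9 degrees of freedom

def workload(packets=PACKETS):
    """Constructed stand-in for a security routine: digest each 127-byte message."""
    digests = []
    for seq in range(packets):
        msg = seq.to_bytes(4, "big") + bytes(MSG_SIZE - 4)
        digests.append(hashlib.sha256(msg).digest())
    return digests

def measure_once(fn):
    """Profile one run: elapsed seconds, number of calls, peak traced memory."""
    prof = cProfile.Profile()  # default timer is wall-clock, not CPU time
    tracemalloc.start()
    prof.enable()
    try:
        fn()
    finally:
        prof.disable()
        _, peak = tracemalloc.get_traced_memory()
        tracemalloc.stop()
    stats = pstats.Stats(prof)
    return {"time_s": stats.total_tt, "calls": stats.total_calls, "peak_bytes": peak}

def confidence_interval(samples, t_crit=T_CRIT_95):
    """Return (mean, lower, upper) using the sample standard deviation."""
    mean = statistics.mean(samples)
    half = t_crit * statistics.stdev(samples) / len(samples) ** 0.5
    return mean, mean - half, mean + half

def evaluate(fn):
    """Run fn RUNS times and summarise every metric with its 95% interval."""
    results = [measure_once(fn) for _ in range(RUNS)]
    return {m: confidence_interval([r[m] for r in results]) for m in results[0]}
```

Profiling inflates absolute timings, so the figures from such a harness are only comparable between algorithms measured the same way.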

5.1.1 Performance Comparison between ELCD Digital Signature and Baseline Algorithms
The performance of the ELCD digital signature (ELCD_DS) has been evaluated and compared with ECDSA, ESSC_DC, and ElGamal_DS. As shown in Figure 7(a), ELCD_DS experiences on average 88.9% less execution time compared to ESSC_DC, 53.8% less execution time compared to ECDSA, and 33.5% less execution time compared to ElGamal_DS. Moreover, Figure 7(b) illustrates that ELCD_DS experiences on average 37.02% less memory usage compared to ESSC_DC, 17.1% less memory usage compared to ECDSA, and 29.8% less memory usage compared to ElGamal_DS. Also, Figure 7(c) shows that ELCD_DS consumes on average two-fold less energy compared to ESSC_DC, 68.7% less energy compared to ECDSA, and 44.4% less energy compared to ElGamal_DS. The results presented in Figure 7 show the superiority of the ELCD_DS algorithm, which is mainly achieved due to the following reasons. Firstly, ELCD_DS uses a lightweight and secure calculation based on ECDH and a hash function to create a random digest based on the private key. In contrast, ESSC_DC uses a certificate authority to verify all digital certification processes, which requires extra resources in terms of energy, memory, and processing delay. Furthermore, ECDSA consumes more resources in terms of energy consumption, storage cost, and execution time due to the higher execution and communication overhead of its frequent use of scalar multiplication and inverse modular multiplication. Moreover, ElGamal_DS does not provide a unique solution; instead, it provides four solutions, which is not suitable for an IoT network. Finally, the lightweight hash (one-way direction) functions in ELCD_DS require less energy consumption, storage cost, and CPU time.

Figure 7. Performance comparison between ELCD digital signature and baseline algorithms on IoT: (a) Execution Time; (b) Storage Cost; (c) Energy Consumption.

5.1.2 Performance Comparison between ELCD Cryptographic and Baseline Algorithms
The performance of ELCD encryption (ELCD_E) has been evaluated and compared with ECIES_Ra and ECIES_AES. As shown in Figure 8(a), ELCD_E experiences on average 50% less execution time compared to ECIES_AES and 39.4% less execution time compared to ECIES_Ra. Furthermore, Figure 8(b) depicts that ELCD_E experiences on average 19.6% and 32% less memory usage compared to ECIES_AES and ECIES_Ra respectively. Also, Figure 8(c) shows that ELCD_E consumes on average 41.2% less energy compared to ECIES_AES and 32.6% less energy compared to ECIES_Ra. The above results show that ELCD_E outperforms ECIES_AES and ECIES_Ra in terms of CPU execution time, storage cost, and energy consumption. This is primarily due to the following reasons. Firstly, ELCD_E consumes less energy and processing time in the encryption and decryption process, which has been implemented based on an efficient mathematical random function. ELCD_E creates an ephemeral shared secret key for each session between IoT devices, which guarantees the perfect forward secrecy of the encrypted message. Secondly, ELCD_E has a lower storage cost due to the small number of functions called and the fewer execution steps per function. Finally, ECIES_AES and ECIES_Ra use complex and less effective encryption and decryption methods compared to ELCD_E. Overall, the experimental results show that the proposed integration of authentication and encryption in ELCD is effective and lightweight and provides outstanding performance in terms of the CPU execution time, the storage cost, and the energy consumption. More importantly, it resolves the problem of key distribution in symmetric-key cryptography, and it resolves the problem of verifying the sender identity in the digital signature.

Figure 8. Comparison between ELCD encryption (ELCD_E) and baseline cryptographic algorithms on IoT: (a) Execution Cost; (b) Storage Cost; (c) Energy Consumption.

6. Conclusion and Future Work

The proposed ELCD algorithm has been presented and compared with standard lightweight cryptographic and digital signature schemes. The ELCD mechanism utilizes ECDH to develop a pair and a group of shared secret keys on the IoT network. The ELCD mechanism integrates the digital signature with the secure encryption, which confirms the true identity of the sender and provides perfect forward secrecy. Furthermore, the security of ELCD has been proven mathematically and the cyberattacks have been investigated using the random oracle model. ELCD outperforms the baseline digital signature in terms of CPU execution time, which is less by 53.8%, storage cost, which is less by 32-17%, and energy consumption, which is less by 68.7%. Future work will focus on enhancing the performance of the tiny digital certificate based on ECDH on IoT networks.

ACKNOWLEDGMENT

The Deanship of Scientific Research (DSR) at King Abdulaziz University (KAU), Jeddah, Saudi Arabia has funded this Project under grant no (G-039-830-1443).

References
1. Sarker, I.H., Khan, A.I., Abushark, Y.B. et al. Internet of Things (IoT) Security Intelligence: A Comprehensive Overview, Machine Learning Solutions and Research Directions. Mobile Netw Appl 2022, pp. 1-17. [Link] 01937-3.
2. Sciancalepore, S., Piro, G., Vogli, E., Boggia, G., Grieco, L. A. and Cavone, G. LICITUS: A lightweight and standard compatible framework for securing layer-2 communications in the IoT. Computer Networks 2016, vol. 108, pp. 66-77.
3. Kittur, A.S., Pais, A.R. A trust model based batch verification of digital signatures in IoT. J Ambient Intell Human Computer 2020, vol. 11, pp. 313–327. [Link]
4. Li, S., Zhang, T., Yu, B. and He, K. A Provably Secure and Practical PUF-Based End-to-End Mutual Authentication and Key Exchange Protocol for IoT. IEEE Sensors Journal 2021, vol. 21, no. 4, pp. 5487-5501. [Link] 10.1109/JSEN.2020.3028872.
5. Arne, B., Le, N, Dominik, S., Stephan, S., and Lars C. W. Security Properties of Gait for Mobile Device Pairing. IEEE Transactions on Mobile Computing 2019, vol. 19, no. 3, pp. 697-710.
6. Diro, A.A., Chilamkurti, N. and Kumar, N. Lightweight Cybersecurity Schemes Using Elliptic Curve Cryptography in Publish-Subscribe fog Computing. Mobile Netw Appl 2017, vol. 22, pp. 848–858. [Link]
7. Khasawneh, S., Kadoch, M. Hybrid Cryptography Algorithm with Precomputation for Advanced Metering Infrastructure Networks. Mobile Netw Appl 2018, vol. 23, pp. 982–993. [Link]
8. Lake, B., Mihailo, I., and Michel, A. K. A secure and robust scheme for sharing confidential information in IoT systems. Ad Hoc Networks 2019, vol. 92, 101762.
9. Hendaoui, F., Eltaief, H. and Youssef, H. UAP: A unified authentication platform for IoT environment. Computer Networks 2021, vol. 188, 107811.
10. Vidya, R. and Prema, K. V. Lightweight hashing method for user authentication in Internet-of-Things. Ad Hoc Networks 2019, vol. 89, pp. 97-106.
11. Chuang, Y.-H., Lo, N.-W, Yang, C.-Y., Tang, S.-W. A Lightweight Continuous Authentication Protocol for the Internet of Things. Sensors 2018, vol. 18, 1104.
12. Fuentes, J.M., Gonzalez-Manzano, L., Lopez, J. et al. Editorial: Security and Privacy in Internet of Things. Mobile Netw Appl 2019, vol. 24, pp. 878–880. [Link]
13. Khaled, R., Huang, T., and Ke, L. A dynamic and hierarchical access control for IoT in multi-authority cloud storage. Journal of Network and Computer Applications 2020, vol. 160, 102633.
14. Sairam, R., Bhunia, S. S., Thangavelu, V. and Gurusamy, M. NETRA: Enhancing IoT Security Using NFV-Based Edge Traffic Analysis. IEEE Sensors Journal 2019, vol. 19, no. 12, pp. 4660-4671. [Link] 10.1109/JSEN.2019.2900097.
15. Zhou, M., Han, L., Lu, H. et al. Intrusion Detection System for IoT Heterogeneous Perceptual Network. Mobile Netw Appl 2021, vol. 26, pp. 1461–1474. [Link]
16. Alamer, A. An efficient group signcryption scheme supporting batch verification for securing transmitted data in the Internet of Things. J Ambient Intell Human Comput 2020, pp. 1-18. [Link]
17. Ahmed, A.A. Lightweight Digital Certificate Management and Efficacious Symmetric Cryptographic Mechanism over Industrial Internet of Things. Sensors 2021, vol. 21, no. 8, 2810. [Link]/10.3390/s21082810.
18. Johnson, D., Menezes A.J., and Vanstone, S. A. The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 2001, vol. 1, no. 1, pp. 36–63.
19. Arif, M. M., Luo, X., Ullah, A., Ullah, S. and Mahmood, Z. A lightweight digital signature based security scheme for human-centered Internet of Things. IEEE Access 2018, vol. 6, pp. 31630-31643.
20. Park, C. A Secure and Efficient ECQV Implicit Certificate Issuance Protocol for the Internet of Things Applications. IEEE Sensors Journal 2017, vol. 17, no. 7, pp. 2215-2223. [Link] 10.1109/JSEN.2016.2625821.
21. Mohseni-Ejiyeh, A., Ashouri-Talouki, M., Mahdavi, M. An Incentive-Aware Lightweight Secure Data Sharing Scheme for D2D Communication in 5G Cellular Networks. ISeCure 2018, vol. 10, pp. 15–27.
22. Abro, A., Deng, Z., Memon, K. A. A Lightweight Elliptic-Elgamal-Based Authentication Scheme for Secure Device-to-Device Communication. Future Internet 2019, vol. 11, no. 5, 108.
23. Javed, Y., Khan, A.S, Qahar, A., Abdullah, J. EEoP: A lightweight security scheme over PKI in D2D cellular networks. J. Telecommun. Electron. Comput. Eng. 2017, vol. 9, pp. 99–105.
24. Ahmed, A.A., Ahmed, W.A. An Effective Multifactor Authentication Mechanism Based on Combiners of Hash Function over Internet of Things. Sensors 2019, vol. 19, 3663.
25. Sciancalepore, S.; Piro, G.; Boggia, G.; Bianchi, G. Public Key Authentication and Key Agreement in IoT Devices with Minimal Airtime Consumption. IEEE Embed. Syst. Lett. 2017, vol. 9, pp. 1–4.
26. NIST Computer Security Resource Center. Lightweight Cryptography Project. Available online: [Link] jects/lightweight-cryptography (accessed on 27 November 2022).
27. Seok, B., Sicato, J.C.S., Erzhena, T., Xuan, C., Pan, Y., Park, J.H. Secure D2D Communication for 5G IoT Network Based on Lightweight Cryptography. Appl. Sci. 2020, vol. 10, no. 1, 217.
28. Khan, M. A., Quasim, M. T., Alghamdi N. S. and Khan, M. Y. A Secure Framework for Authentication and Encryption Using Improved ECC for IoT-based Medical Sensor Data. IEEE Access 2020, vol. 8, pp. 52018-52027.
29. Muhammad, U., Ahmed, I., Imran, M. A, Shujaat, K., and Usman, A. S. SIT: a lightweight encryption algorithm for secure internet of things. International Journal of Advanced Computer Science and Applications 2017, vol. 8, no. 1, pp. 402-411.
30. Shah, R. H., and Salapurkar, D. P. A multifactor authentication system using secret splitting in the perspective of Cloud of Things. In Proceedings of International Conference on Emerging Trends & Innovation in ICT (ICEI), IEEE, Pune, India, 03-05 February 2017, pp. 1-4.
31. Hammi, B., Fayad, A., Khatoun, R., Zeadally, S. and Begriche, Y. A Lightweight ECC-Based Authentication Scheme for Internet of Things (IoT). IEEE Systems Journal 2020, vol. 14, no. 3, pp. 3440-3450.
32. Rangwani, D., Sadhukhan, D., Ray, S. et al. A robust provable-secure privacy-preserving authentication protocol for Industrial Internet of Things. Peer-to-Peer Netw. Appl. 2021, vol. 14, pp. 1548–1571. [Link]
33. NIST. FIPS publication 180-2: Secure hash standard. Technical report, National Institute of Standards and Technology (NIST), Announcing Approval of FIPS Publication 180-2, February 1, 2003.
34. Lochter, M. and Merkle, J. RFC 5639: Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation. IETF, March 2010.
35. Li, X., Niu, J.W., Ma, J., Wang, W.D. and Liu, C.L. Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications 2011, vol. 34, no. 1, pp. 73-79.
36. Wang, J., Han, K., Alexandridis, A., Zilic, Z., Pang, Y., Wu, W. and Jeon, G. A novel security scheme for Body Area Networks compatible with smart vehicles. Computer Networks 2018, vol. 143, pp. 74-81.
37. Wang, Y., Yang, G., Li, T., Li, F., Tian, Y., and Yu, X. Belief and fairness: A secure two-party protocol toward the view of entropy for IoT devices. Journal of Network and Computer Applications 2020, vol. 161, 102641.
38. Biryukov, A. Adaptive Chosen Plaintext Attack. In: van Tilborg H.C.A., Jajodia S. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA, 2011.
39. Biryukov, A. Related Key Attack. In: van Tilborg H.C.A., Jajodia S. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA, 2011.
40. Silverman, J.H. An introduction to the theory of elliptic curves. Summer School on Computational Number Theory and Applications to Cryptography, Brown University, pp. 1-89, July 2006.
41. IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement, and Goals. Available on: [Link] (accessed on 27 November 2022).
42. Mininet-IoT Emulator of Internet of Things. Available on: [Link] (accessed on 27 November 2022).
43. A security Site. Available on: [Link] (accessed on 27 November 2022).
44. Ahmed, A.A. An optimal complexity H.264/AVC encoding for video streaming over next generation of wireless multimedia sensor networks. Signal, Image and Video Processing 2016, vol. 10, no. 6, pp. 1143-1150.
