Certificateless Scheme Based NTRU Cryptosystem for Ad-Hoc UWB-IR Network

Ultra-WideBand Impulse Radio (UWB-IR) came from the radar and military research world and was adopted by the telecommunications world in the 1990s. Currently, UWB-IR technology is an interesting candidate for close-range Wireless Sensor Networks (WSNs). It is particularly attractive for industrial sensor networks due to its resilience to multipath interference, simple transceiver circuitry, accurate ranging ability, and low transmission power. In order to secure data and communications in Ad-Hoc UWB-IR networks, UWB-IR requires suitable encryption protocols. In this paper, we review and summarize the IEEE 802.15.4 security sub-layer protocol of UWB-IR, which is based on a Symmetric Key Cryptography scheme. Then, we highlight the different vulnerabilities and weaknesses present in this type of scheme. Finally, we show, after a deep examination of multiple Public Key Cryptography (PKC) schemes, that the certificateless one is the most suitable for Ad-Hoc UWB-IR networks characterized by node mobility. We have also evaluated and analyzed the different public key cryptosystems (PKCS) and concluded that NTRU is the optimum public key cryptosystem to be used with the certificateless scheme in order to secure data and communications in Ad-Hoc UWB-IR Networks. This is due to the fact that it is the fastest PKCS to provide different security levels at high speed with very constrained resources.


INTRODUCTION
The Ultra-WideBand (UWB) technology is fairly new in the field of wireless communications. It was originally used for military radar and imaging systems. Its use for military applications is very obvious due to its low detection and interception probabilities, which allow secure transmission. Nowadays, Ad-Hoc UWB-IR networks are used to establish communications between different groups of soldiers during tactical operations.
In 2002, the FCC authorized the unlicensed commercial use of the UWB spectrum. Since this date, there has been great interest in applying UWB-IR technology to wireless communications. In terms of wireless communications, UWB transmission can be generally divided into two main categories: low data-rate (LDR) for long-link-distance applications, and high data-rate (HDR) for short-link-distance applications [1]. In terms of standardization, UWB-IR technology was standardized as an alternative ZigBee physical layer with the standard IEEE 802.15.4a-2007 [2]. It was also standardized in 2012 as a possible physical layer for BAN networks with the IEEE 802.15.6 standard [3].
Like all WSNs, Ad-Hoc UWB-IR networks are more vulnerable to different types of attacks (mainly active and passive) than wired networks, due to the lack of central coordination and the shared wireless medium. Active attacks disrupt the operation of the network. Passive ones refer to attempts made by malicious nodes to perceive the nature of activities and to obtain information transacted in the network without disrupting its performance. The major security issues that exist in Ad-Hoc UWB-IR networks are as follows: denial of service, resource consumption (energy depletion, buffer overflow), host impersonation, information disclosure and interference.
The major issue when implementing symmetric key cryptography (SKC) in any type of network, including Ad-Hoc UWB-IR ones, is the secure exchange of the different symmetric keys (n nodes require n·(n − 1)/2 keys). Public Key Cryptography (PKC) overcomes this weakness and thus provides a robust security model. However, the remaining requirement is to select the best Public Key Cryptography scheme and the optimum Public Key Cryptosystem (PKCS) algorithm for such a resource-constrained sensor network environment, i.e. one with low communication as well as low computational overhead. Furthermore, the packets must be lightweight in order to decrease the large amount of time needed to transmit large files [4]. We show that the certificateless scheme based on the NTRU public key cryptosystem is the optimum way to implement the public key concept in Ad-Hoc UWB-IR environments.
This paper is organized in the following manner. The next section gives a brief review of the security of the IEEE 802.15.4 protocol, which is based upon a Symmetric Key Cryptography (SKC) scheme, and the problems associated with its use in Ad-Hoc UWB-IR Networks. Section 3 gives a survey of the commonly used Public Key Cryptography (PKC) schemes and demonstrates how the Certificateless (CL) scheme is the best security solution for Ad-Hoc UWB-IR wireless networks in harsh environments. Finally, section 4 evaluates and compares the security level of Public Key Cryptosystems (PKCS) and shows how NTRU is the most efficient and optimum algorithm for CL-PKC in Ad-Hoc UWB-IR Networks.

IEEE 802.15.4 SECURITY OVERVIEW
The IEEE 802.15.4 MAC sub-layer can provide security services when requested by the higher layers. Thus, security services including access control, data encryption, frame sequential freshness, and integrity can be provided. The protocol also provides different security modes: ACL, secured, and unsecured modes. No security measures are implemented in the unsecured mode.
Indeed, IEEE 802.15.4 offers three different security levels, depicted in Fig 1: the CTR security level provides confidentiality; the CBC-MAC security level provides authentication and replay detection; and, finally, the CCM security level provides authentication and confidentiality. Furthermore, there are three fields related to security in the IEEE 802.15.4 MAC frame:
- Frame Control (MAC Header).

ACCESS CONTROL LIST MODE
In Access Control List (ACL) mode, a node can communicate with some other network nodes previously selected by it. The communication is achieved using the maintained ACL. Each record contains the PAN identifier, the 64 bit extended address, the short address, the security suite and the related keying material of the device. The address of a source node of an incoming message is compared with ACL. The result can be passed to the higher layers which decide whether to accept or reject the message.

SECURED MODE
In Secured mode, different combinations of security options can be used. ACL functionality and cryptographic protection can be combined by the MAC sub-layer on incoming and outgoing frames. The Advanced Encryption Standard (AES) algorithm is used. The security measures can be selected from the following:
- Access Control: This service is as described above for ACL mode, but messages which come from unauthorized sources cannot be passed to the higher layers.
- Encryption: Data is encrypted at the source and decrypted at the destination using the same key. Only devices which have the correct key can decrypt the encrypted data. Only command, data and beacon payloads can be encrypted.
- Integrity: A Message Integrity Code (MIC) can be added to a message. This integrity code allows the detection of any message tampering by devices which don't use the correct encryption or decryption key.

SECURITY SUITES FOR UWB-IR
Security is handled at the MAC layer. The application specifies its security requirements by setting the appropriate control parameters in the radio stack. Security is not enabled by default; an application must explicitly enable it. Acknowledgement packets don't support security; other packet types can optionally support integrity and confidentiality protection. An application has to choose the security suites that enable the type of security protection applied to the transmitted data packets. Each security suite offers a different set of security properties and different packet formats. There are eight different security suites defined in IEEE 802.15.4; we can classify them into four categories by the properties they cover:
- No security (NO SEC).
International Journal of Wireless & Mobile Networks (IJWMN) Vol. 9, No. 6, December 2017
The authentication category comes in three variants, related to the size of the Message Integrity Code (MIC) it offers. Each variant is a different security suite. In fact, the MIC can be either four, eight, or sixteen bytes long. The IEEE 802.15.4 standard is based upon Symmetric Key Cryptography (SKC) with the adoption of the AES-128 (Advanced Encryption Standard) algorithm, with a 128 bit key length for encryption. Incorrect application of a good algorithm can moreover destroy security. This is avoided by so-called encryption modes, i.e. rules for how a cryptographic algorithm is applied. Encryption is a defence technique against passive attacks (eavesdroppers, ...). But it is also important to protect yourself from active attackers who send maliciously modified messages. Cryptography can detect unauthorized sent or modified messages by appending cryptographic checksums, so-called MACs (Message Authentication Codes), in this context named MICs (Message Integrity Checks). The MIC guarantees that the message was generated by the sender and not by the attacker, and, as long as it verifies, that the secret key has not leaked. The CCM encryption mode allows integrity protection to be enabled. Furthermore, the integrity protection has some important consequences:
- The message payload cannot be modified by the attacker.
- The sender ID in the MIC excludes the spoofing attack.
- The frame counter in the MIC computation excludes replay attacks.
- The time stamps in the MIC computation exclude delay attacks.

VULNERABILITIES AD-HOC UWB-IR NETWORK BASED SKC
Symmetric key cryptography is used because it is much faster and easier to implement. Indeed, due to the use of CCM mode in UWB-IR, only AES encryption is used. This allows simpler (and smaller) software and reduced encryption hardware. Furthermore, the same key is used for authentication and encryption, without compromising security. Thus key initialization is rare, and the firmware becomes smaller and faster. However, the use of SKC in Ad-Hoc UWB-IR Networks has several disadvantages:
- The key transfer is risky: if the master key, which has to be distributed during initialization by out-of-band means, is compromised, security might be lost.
- The CCM mode allows encryption without authentication: this mode is insecure.
- The message is encrypted twice: first for the MIC computation, and second for the encryption itself.
- The MIC encryption is not necessary: due to the nonce structure, there are no identical payloads.
- The design of CCM mode is bad: the criticisms are classified into five categories: efficiency, parameterization, complexity, variable-tag-length subtleties, and some wrong security claims.

PUBLIC KEY CRYPTOGRAPHY SCHEME FOR AD-HOC UWB-IR NETWORK
The Asymmetric Key Cryptography or Public Key Cryptography (PKC) scheme came to solve the problem of key management in the Symmetric Key Cryptography (SKC) used in WSNs. PKC provides two keys to each user (secret (private) key = sk, public key = pk). The pk is used to encrypt messages and the sk is used to decrypt them. Moreover, public key cryptography can ensure confidentiality, integrity and authentication. Many PKC schemes have been proposed:
- Public Key Infrastructures.

PUBLIC KEY INFRASTRUCTURE (PKI)
The PKI scheme needs a Trusted Certification Authority (CA) to issue certificates and verify the link between a key pair and a defined entity in the network. The CA is the cornerstone of the Public Key Infrastructure (PKI). The CA usually fulfils the following roles: the management of generation, distribution, renewal and publication of these keys. When setting up a PKI, the main challenge is handling trust management. The conventional solution is to use certificates. Certificates are issued by trusted central authorities and are cryptographically hard to forge, but they are not easy to set up and pose operational difficulties [7]. Furthermore, no universal solution is recommended to deploy a PKI; many considerations must be taken into account to make it work properly [8].
The CA which composes the public key infrastructure (PKI) is recognized as an efficient and powerful tool to ensure key management in conventional networks. However, PKI is generally not used in WSNs, because of its great consumption of energy and bandwidth. Various reasons have limited the success of PKIs in WSNs:
- Certificate revocation.
- Handling authorization and audit.
- Storage and distribution of certificates.
Besides, the computational cost of certificate verification (time, power, memory, ...) is an important point of contention, especially for mobile devices [9] like UWB-IR.

IDENTITY-BASED CRYPTOSYSTEMS (IBC)
Due to the factors discussed in the previous paragraph, inadequate deployment and management of PKIs can compromise the security of wireless networks. Hence, the need arises to find another solution that simplifies certificate management. The first such solution was developed by Shamir in 1984, who proposed the notion of "Identity-Based Cryptosystems and Signature Schemes" [10]. The idea is to use a unique identity (ID) of the user (MAC address, IP address, ...) to derive its pk. This identity ID is then used to send him encrypted messages. This allows parties to:
- Communicate securely without the need to exchange pk or sk.
- Do without key directories.
- Use the services of a third party.
The advantage of the IBC scheme is that it simplifies certificate management when compared to PKIs. To send encrypted messages, the user needs only to know the identity of the receiver. However, a trusted Private Key Generator (PKG) is required to bind the identity of the user (ID) to the key pair (sk, pk). The PKG possesses the master key used to generate all private keys of the users in the network. A rogue PKG destroys all privacy in the wireless network; in other words, IBC is vulnerable to the key escrow attack. This problem limits the use of IBCs to closed organizations [11]. Other solutions focus on utilizing more key pairs, using threshold schemes, and setting an expiry date for the master key. However, they have drawbacks that make them unsuitable for Ad-Hoc networks, such as too much overhead on the network and more computation/communication for nodes which are resource-constrained devices [12].

SELF-CERTIFIED KEYS (SCK)
The first idea of Self-Certified Keys was introduced by D. Girault at Eurocrypt 1991 [13] and later enhanced by Petersen and Horster in Proc. Communications and Multimedia Security 1997 [14]. A self-certified system is based on the existence of a Trusted Third Party (TTP). The users generate their own key pair (sk, pk) and communicate their pk to the TTP, which creates a witness w by combining the user's identity ID with his/her pk [13,14]. Several methods are proposed to generate this witness:
- The TTP's signature on some combination of pk and ID.
- The part of a signature.
- The result of inverting a trapdoor one-way function derived from pk and ID.
This scheme allows any user of the network to extract pk from (w, ID). Thus the SCK scheme uses lightweight certificates rather than traditional ones, where the witness w binds the ID to the correct pk of the user. However, the sk is generated before the pk. For this reason, SCK doesn't enforce cryptographic workflows [15]. A rogue TTP can reveal the private keys of all the users.

CERTIFICATELESS PUBLIC KEY CRYPTOGRAPHY
The idea of Certificateless Cryptography was proposed to avoid:
- The need for a CA in PKI.
- The need for a trusted management PKG in IBC or TTP in SCK.
- The key escrow problem of IBC.
- The secret (private) key sk of a user being entirely generated by the PKG.
- The rogue problem (privacy of the system totally dependent upon the PKG).
The idea of certificateless cryptography is based on the fact that the secret is generated by the PKG and the user separately. This eliminates the possibility of a rogue PKG; additionally, the scheme is kept certificateless to protect the user from a dishonest party. A Certificateless Public Key Cryptography (CL-PKC) scheme is similar to the IBC scheme in that it relies on the existence of a TTP which possesses a master key, and the scheme also uses the identity of the user. These ideas were formally developed by Al-Riyami and Paterson (2003) [16]. There are three parties involved in a CL-PKC scheme:
- The trusted third party: the Key Generation Center (KGC).
- The sender: the party sending the message.
- The receiver: the party receiving the sent message.
The KGC uses the master private key (msk) and the receiver's ID to generate a partial secret key psk. The receiver combines psk with a secret value a to derive his/her full secret key sk. The sk is known only by the receiver, so key escrow is avoided. Beforehand, the receiver authenticates his identity (ID) to the KGC, which must then securely transmit the psk. The receiver computes his/her pk by combining the same secret value a with the public parameters published by the KGC, and distributes it. The generation of pk and sk are independent of each other and just require the use of the same secret value a. The sender can obtain the pk related to an identity and use it to send encrypted messages to the receiver [17]. Certificateless cryptography is the best adapted solution for the Ad-Hoc UWB-IR network. The question is then how to choose the public key cryptosystem for this solution.

PUBLIC KEY CRYPTOSYSTEMS FOR CERTIFICATELESS
We have argued that CL-PKC is the best solution for securing data and communications in Ad-Hoc wireless networks based on UWB radio. CL-PKC is a public key based scheme and is mainly used for confidentiality, key distribution, authentication, integrity and non-repudiation. The implementation of public key algorithms in very constrained devices such as UWB-IR requires fast cryptosystems, as for all wireless devices (mobile phones, smart cards, PDAs, etc.).
The choice of Public Key CryptoSystem (PKCS) for CL-PKC is the cornerstone of our work. The public key pk is known to all and used to encrypt information. Only the person who has the corresponding private key sk can decrypt the information. The concept of asymmetric key cryptography was introduced by Whitfield Diffie and Martin Hellman [18].
The performance of a public key cryptographic system is measured in processing time, computational overhead, key size, and bandwidth. In a setting where computing power, storage, and bandwidth are limited, carrying out complex operations on large data becomes an impractical approach to providing strong security. This is most obvious in constrained devices such as UWB-IR, which have very limited resources.
3. Compute ϕ(n) so that ϕ(n) = (p − 1) · (q − 1).
4. Choose the public key e so that gcd(ϕ(n), e) = 1 and 1 < e < ϕ(n).
5. Select the private key d so that d · e mod ϕ(n) = 1.
6. Public key (pk) = (n, e) and private key (sk) = (n, d).

ELLIPTIC CURVE CRYPTOSYSTEM
ECC stands for Elliptic Curve Cryptography. Let E be an elliptic curve over a finite field F_p (p ≠ 2, 3). Then E is a curve consisting of the points satisfying the equation y^2 = x^3 + ax + b (a, b ∈ F_p, 4a^3 + 27b^2 ≠ 0). First we have to choose the base elliptic curve point G, with order divisible by a large prime. This point can be agreed beforehand and can be made publicly available. Assume user A wishes to send message M to B. The Elliptic Curve Encryption/Decryption algorithm can be explained by the following procedure:
- Algorithm
1. A chooses a random positive integer k as private key sk_A.
2. A generates the public key pk_A = sk_A · G and obtains the public key pk_B of B.

Multiplication in the ring R is sometimes referred to as "star multiplication", based on the use of an asterisk as the operator symbol. It is best described as the discrete (cyclic) convolution product of two vectors, where the coefficients of the polynomials form vectors in the following way: a(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{N−1} x^{N−1} = (a_0, a_1, a_2, ..., a_{N−1}). Then the coefficients c_k of c(x) = a(x) * b(x) mod q (or mod p) are each computed as the sum of the partial products a_i b_j with i + j ≡ k (mod N). The modulus for the reduction of each coefficient c_k of the resulting polynomial is either q, for key generation and encryption, or p, for decryption, as briefly described below. A thorough description of these procedures along with an initial security analysis can be found in [20].
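As an added illustration (not code from the paper or from any NTRU implementation), the following Python implements the star multiplication described above in the ring Z[x]/(x^N − 1) and uses it for a complete toy NTRU key generation, encryption and decryption round trip, reducing mod q for key generation and encryption and mod p for decryption. The parameters N = 7, p = 3, q = 32 and the polynomials F, G, R, M are constructed for the example; inverses mod p and mod 2 are found by exhaustive search (a stand-in for the extended Euclidean algorithm used in practice) and the inverse mod q by Newton lifting.

```python
import itertools

# Toy NTRU parameters, constructed for this example: real deployments use N in
# the hundreds (e.g. the IEEE 1363.1 parameter sets), not N = 7.
N, P, Q = 7, 3, 32


def star(a, b, mod):
    """Star multiplication in R = Z[x]/(x^N - 1): the cyclic convolution
    c_k = sum of a_i * b_j over all i + j == k (mod N), reduced mod `mod`."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = (i + j) % N
            c[k] = (c[k] + ai * bj) % mod
    return c


def center(a, mod):
    """Lift coefficients to the centred range (-mod/2, mod/2]."""
    out = []
    for c in a:
        r = c % mod
        out.append(r - mod if r > mod // 2 else r)
    return out


ONE = [1] + [0] * (N - 1)


def inverse_mod_prime(f, p):
    """Inverse of f in Z_p[x]/(x^N - 1) by exhaustive search (p^N candidates,
    fine for N = 7); real NTRU uses the extended Euclidean algorithm."""
    for cand in itertools.product(range(p), repeat=N):
        cand = list(cand)
        if star(f, cand, p) == ONE:
            return cand
    return None


def inverse_mod_power_of_two(f, q):
    """Inverse mod q = 2^k: start from the inverse mod 2 and Newton-lift with
    a <- a * (2 - f*a), which doubles the number of correct bits each round."""
    a = inverse_mod_prime(f, 2)
    if a is None:
        return None
    mod = 2
    while mod < q:
        mod *= mod
        t = [(-c) % mod for c in star(f, a, mod)]   # -f*a
        t[0] = (t[0] + 2) % mod                      # 2 - f*a
        a = star(a, t, mod)
    return [c % q for c in a]


def keygen(f, g):
    """Public key h = p * Fq * g (mod q); private key (f, Fp)."""
    fp = inverse_mod_prime(f, P)
    fq = inverse_mod_power_of_two(f, Q)
    if fp is None or fq is None:
        raise ValueError("f is not invertible mod p and mod q; choose another f")
    h = star([P * c for c in fq], g, Q)
    return h, (f, fp)


def encrypt(h, m, r):
    """e = r * h + m (mod q); m is ternary, r a small blinding polynomial."""
    return [(x + y) % Q for x, y in zip(star(r, h, Q), m)]


def decrypt(sk, e):
    """a = f * e (mod q) centred, then m = Fp * a (mod p) centred."""
    f, fp = sk
    a = center(star(f, e, Q), Q)
    return center(star(fp, a, P), P)


# Constructed sample polynomials; kept sparse so p*r*g + f*m never wraps mod q.
F = [1, 1, -1, 0, 0, 0, 0]    # f = 1 + x - x^2  (invertible mod 2 and mod 3)
G = [1, 0, -1, 0, 1, 0, 0]    # g = 1 - x^2 + x^4
R = [0, 1, 0, 0, 0, -1, 0]    # r = x - x^5
M = [1, -1, 0, 1, 0, 0, -1]   # message m = 1 - x + x^3 - x^6


def roundtrip(m=M, r=R):
    """Generate keys from F, G, encrypt m with blinding r, and decrypt."""
    h, sk = keygen(F, G)
    return decrypt(sk, encrypt(h, m, r))


if __name__ == "__main__":
    print("recovered:", roundtrip(), "ok" if roundtrip() == M else "FAIL")
```

Decryption works here because every coefficient of p·r·g + f·m stays within (−q/2, q/2]; with denser polynomials the centred reduction would wrap and decryption would fail, which is why real parameter sets fix the number of nonzero coefficients.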

PERFORMANCES AND SECURITY ANALYSIS OF PKCS
The aim of the study is to analyze the performance and the security of various public key cryptosystems (RSA, ECC and NTRU). The objective is to determine the best PKCS to be implemented within a certificateless scheme for Ad-Hoc UWB-IR networks. The implementations are done using Java as the programming language. We have optimized the implementations for ARM9 32-bit microcontrollers and have tried to keep the code portable to other platforms. To keep memory requirements low, so that the code can be ported to limited environments, we do not use large look-up tables.
This choice is not arbitrary: microcontrollers are especially suitable for the wireless sensor network environment due to their cost effectiveness (enough computational capability and memory for executing simple tasks, low energy consumption, ...). Table 2 shows the microcontrollers most used in the WSN market [21] and their capabilities (frequency, word size, RAM memory, instruction memory, and so on). The performance of the public key cryptosystems is evaluated and compared on the:
- Mathematical complexity of the problem.
- Speed of encryption and decryption operations.

PKCSs AND THEIR MATHEMATICAL PROBLEMS
Cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary. In PKC, the sk and pk keys are mathematically related by a complex function f. It is very hard to get the private key from the public key: in order to recover the sk and decrypt information, a mathematical problem P related to the complex function f must be solved. The security of a PKCS depends on the difficulty of solving P. Table 3 shows the different mathematical complexity problems for RSA, ECC and NTRU. The PKCSs RSA and ECC are based on the complexity of number-theoretic problems, and their security relies heavily on the distribution of prime numbers or on the discrete logarithm problem over finite fields. The NTRU cryptosystem is based on geometrical (lattice) problems.

PKCSs AND KEY SIZE
In symmetric key cryptography, the minimum key length that is considered securely strong is 80 bits. However, a key length of 128 bits is recommended for more security. The private (sk) and public (pk) keys in RSA and ECC can be chosen with almost equal lengths. Table 4 in [22] shows the public key sizes of the RSA, ECC and NTRU algorithms along with symmetric key sizes:
- If the symmetric key size increases, the key size for RSA increases faster than for ECC.
- ECC systems can offer more security per bit increase in key size compared to RSA and NTRU.
- ECC has the smallest key size, which makes it the best in use of bandwidth, and NTRU's bandwidth usage becomes more efficient with respect to RSA as the security level increases.

COMPARING ENCRYPTION AND DECRYPTION IN RSA AND NTRU
The performance comparison of the RSA and NTRU public key cryptosystems is shown in Table 5:
- The RSA public and private keys have the same size.
- The private keys sk of NTRU are shorter than their pk.
- NTRU encrypts and decrypts more messages than RSA with the same key sizes.

COMPARING ENCRYPTION AND DECRYPTION IN ECC AND NTRU
The performance comparison of the ECC and NTRU public key cryptosystems is shown in Table 6, Fig 6 for encryption and Fig 7 for decryption; we can conclude that:
- NTRU is faster than ECC at all levels of security.
- The performance of NTRU is superior to ECC in both encryption and decryption.
The following is a global table of comparison among RSA, ECC and NTRU. Let |E| denote the public key size. The ratio M : |E| indicates the economical value per public key bit being used. At the same time, the ratio between the message and the ciphertext is ≈ 1 : 1, which implies that the message expansion due to encryption is negligible [23].

CONCLUSION
In this paper, we showed that the security suites of IEEE 802.15.4 are not adapted to Ad-Hoc UWB-IR networks. They have multiple problems and vulnerabilities, due to the use of a Symmetric Key Cryptosystem (AES) and especially the CCM mode. Unfortunately, the 802.15.4 standard, and all the chips that implement it, are not exempt from security flaws [24].
One of the security suites, AES-CTR, is deeply flawed, since it does not properly support replay detection, and it is possible to launch denial of service (DoS) attacks by sending a single forged packet. Also, the acknowledgement packets are not protected by a MAC, thus it is possible to forge them. Other minor problems include deleting the ACL when entering a low power mode.
Furthermore, we demonstrated that the best solution to secure data and communications in Ad-Hoc UWB-IR networks is certificateless public key cryptography. Many PKCSs have been developed. In this work, we implemented, evaluated and compared the performance of three PKCSs: RSA, ECC and NTRU. From the obtained results, it was concluded that ECC has the best key size overall. NTRU was better than RSA once the security level reaches 192 bits to 256 bits. It is clear that NTRU is very fast and achieves the highest security level compared to other PKCSs such as ECC and RSA.
The NTRU cryptosystem is slowly gaining popularity thanks to many advantages such as small key size, easy key generation, high speed encryption and decryption, and very low computational power requirements. Its operation speed is very fast, it is more efficient, it consumes less space and it is more suitable for mobile devices. Furthermore, unlike RSA and ECC, NTRU is resistant to cryptographic attacks based upon quantum computing techniques. As a result, NTRU was standardized as IEEE 1363.1-2008 and X9.98-2010. Consequently, it is the smallest public key cryptosystem available on the market, and represents the first candidate to be adopted in UWB-IR infrastructures.
As future work, we will focus on the analysis of the NTRU cryptosystem's efficiency in comparison with other alternative algorithms based on a different mathematical problem called the closest