A Signcryption Scheme based on Elliptic Curve Cryptography
R. K. Pateriya
Computer Science & Information Tech. Dept.
Maulana Azad National Institute of Technology
Bhopal, India
e-mail: [email protected]
Shreeja Vasudevan
M.Tech. (Computer Science) Scholar
Computer Science & Information Tech. Dept.
Maulana Azad National Institute of Technology
Bhopal, India
e-mail: [email protected]
Abstract
In public key cryptography a message is sent after the sender applies digital
signature and encryption techniques. These techniques are used so that the
message properties of confidentiality, integrity and unforgeability are
maintained and non-repudiation can be ensured at the receiving end. The
digital signature and encryption mechanisms can be combined into a single
logical step called Signcryption. In this paper a Signcryption scheme is
suggested which is based on Elliptic Curve Cryptography (ECC). The scheme
provides additional security features, namely forward secrecy and public
verifiability, and counter steps for resistance to Side Channel Attacks (SCAs)
are also taken. The proposed scheme provides a better performance aspect for
the security features provided, compared to the traditional
Signature-then-Encryption schemes based on ECC.
Keywords- Signcryption, Elliptic Curve Cryptography, public
verifiability, forward secrecy, Side Channel Attacks.
1. Introduction
Security in computers means that the information is protected from
unauthorized or accidental disclosure while the information is in transit
(either electronically or physically) and while the information is in storage.
One essential aspect for secure communications is that of
cryptography. Cryptography not only protects data from
theft or alteration, but can also be used for user
authentication. The common cryptographic schemes
typically used are secret key (or symmetric) cryptography
and public-key (or asymmetric) cryptography.
With secret key cryptography, a single key is used for
both encryption and decryption. The sender uses the key in
order to encrypt the plaintext and sends the ciphertext to the
receiver. The receiver applies the same key in order to
decrypt the message to recover the plaintext. Since a single
key is used for both functions, the difficulty with this
approach is that of the distribution of the key.
The public key cryptography technique employs two
keys that are mathematically related. One key is used to
encrypt the plaintext and the other key is used to decrypt the
ciphertext. One key is called the private key which is kept
secret and other key is designated as the public key and may
be advertised as widely as the owner wants. In this scheme
there is no difficulty regarding the distribution of keys. But
the computational cost is greater than symmetric key
cryptography.
Nowadays public key cryptography is used extensively due to its stronger
security features compared to symmetric key cryptography. The public key
cryptography technique relies upon digital signatures and encryption methods
to send a message ensuring the confidentiality, integrity, unforgeability and
non-repudiation of communication. Accordingly the steps involved in the
traditional method of Signature-then-Encryption are:
The sender first digitally signs and then encrypts the message.
The receiver verifies the sender's signature and decrypts the encrypted
message.
The digital signing and encrypting steps can be combined into a single logical
step, called Signcryption.
The public key cryptographic technique has evolved and ECC has been proved to
be better in terms of security provided per bit compared to traditional
techniques such as RSA. Similarly the adoption of ECC in Signcryption schemes
has also proved to be beneficial.
Signcryption is a relatively new term in the literature, introduced in 1996.
The efficacy of Signcryption became evident in 1997 when Yuliang Zheng [1]
illustrated that Cost(Signcryption) << Cost(Signature) + Cost(Encryption) in
terms of computational cost as well as communication overhead. The
Signcryption scheme was
Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034
IJCTA | JULY-AUGUST 2011 Available [email protected]
1025
ISSN:2229-6093
based on the ElGamal signature and encryption techniques, with savings of 50%
in computational cost and 85% in communication overhead. With increasing size
of the security parameters the cost economy has also increased. In 1999 Y.
Zheng and H. Imai [2] suggested a Signcryption scheme based on ECC which saves
about 58% of the computational cost and about 40% of the communication cost
compared to the Signature-then-Encryption scheme based on elliptic curves, but
lacked forward secrecy of message confidentiality and public verifiability.
F. Bao and R.H. Deng [3] enhanced Zheng's Signcryption so that the judge can
verify the signature without the recipient's private key. C. Gamage et al. [4]
modified Zheng's Signcryption so that anyone can verify the signature of the
ciphertext, but the application area was limited to firewalls only. H.Y. Jung
et al. [5] showed that Zheng's scheme does not provide forward secrecy of
message confidentiality when the sender's private key is revealed; their
Signcryption was based on the Discrete Logarithm Problem (DLP) with forward
secrecy. Ren-Junn Hwang [6] proposed a Signcryption scheme with public
verifiability and forward secrecy, whose security was based on the Elliptic
Curve Discrete Logarithm Problem (ECDLP) and the Elliptic Curve Diffie-Hellman
Problem (ECDHP). Some flaws and shortcomings of Hwang's scheme are discussed
in [7]. Jun-Bum Shin et al. [8] proposed a Signcryption scheme using the
standard DSA algorithm in the verification phase, with no forward secrecy.
Raylin Tso [9] modified Shin et al.'s scheme with a standard verification
algorithm based on the Elliptic Curve Digital Signature Algorithm (ECDSA) and
ensured the property of forward secrecy. M. Toorani and A. A. Beheshti Shirazi
[10] have proposed a Signcryption scheme with both public verifiability and
forward secrecy.
In this paper we have introduced a Signcryption scheme which not only provides
the security features introduced so far by the previous works but also takes
measures to resist Side Channel Attacks (SCAs), which were not considered by
any of the previous schemes [1,2,3,4,5,6,8,9,10]. The security features
provided by the Signcryption scheme include confidentiality, integrity,
unforgeability, non-repudiation, forward secrecy and public verifiability. The
scheme also provides better performance aspects compared to the traditional
Signature-then-Encryption schemes based on ECC. The distinction of the
proposed scheme from the other relevant works is also discussed. The paper is
organized with preliminaries on ECC, Side Channel Attacks (SCAs) and
Signcryption, followed by an introduction to the proposed Signcryption scheme,
a discussion of the security features, a study of the computational as well as
communication characteristics, and finally the conclusion on the proposed
Signcryption scheme.
2. Preliminaries
2.1. Elliptic Curve Cryptography (ECC)
Elliptic curves (EC) were suggested for cryptography
by Victor Miller and Neal Koblitz in 1985 as Elliptic Curve
Cryptography (ECC). ECC follows Public Key Encryption
technique and the security provided is based on the hardness
of Discrete Logarithm Problem (DLP) called Elliptic Curve
Discrete Logarithm Problem (ECDLP). According to
ECDLP, kP = Q, where P, Q are the points on an elliptic
curve and k is a scalar. If k is significantly large then it is
unviable to calculate k when the values of P and Q are
given. Here k is the discrete logarithm of Q, having base P.
ECC's advantage is that the inverse operation becomes difficult to compute at
a rapid pace as the key size increases, compared to the inverse operations in
RSA. Commercially, 1024-bit RSA and 160-bit ECC systems are regarded as
offering nearly the same security level. The smaller key size gives faster
cryptographic computations and makes smaller software or smaller chip
deployments possible. Thus ECC has great potential to be used in environments
with limited resources.
2.1.1. ECC Basics. An elliptic curve E can be defined over a prime field Fq or
a binary field F(2^m) [11]; here the Weierstrass form curve, a type of
elliptic curve defined over Fq, has been considered:
Elliptic curve defined over the prime field, E(Fq): Fq consists of the
integers modulo q, i.e. the integers in the range [0, q-1], where q is a
sufficiently large prime number. An elliptic curve over the prime field Fq
is represented as
y^2 mod q = x^3 + ax + b mod q,
where the condition 4a^3 + 27b^2 mod q ≠ 0 is kept so that the elliptic
curve is non-singular [12]. The domain parameters for an elliptic curve
over Fq can be represented as q, a, b, G, n and h, where q is a
sufficiently large prime number, 'a' and 'b' are the curve parameters, G is
a point on the elliptic curve called the generator point (xG, yG), n is the
order of the elliptic curve, and h is the cofactor defined as
h = (number of points on the elliptic curve E(Fq)) / n.
The Prime field operations involve modular
arithmetic consisting of the operations – Addition,
subtraction, multiplication, division, multiplicative
inverse, and modulus. Prime field operations are more
suitable in software implementations of ECC.
The domain parameters and other parameters must be mutually agreed upon by
the two entities which want to have a secure and trusted communication
using ECC. The points which lie on the elliptic curve are the point at
infinity and the points which satisfy the elliptic curve equation. Standard
domain parameters are defined in [13]. The protocols implementing ECC can
also specify the domain parameters.
2.1.2 ECC operations. ECC follows the group law on the curve and relies on
the logarithm problem. From the ECDL problem it is evident that the major
operation involved in ECC is point multiplication, i.e. multiplication of a
scalar k with a point P on the curve to obtain another point Q on the curve.
Point Multiplication: Points P and Q lie on the elliptic curve such that
when P is multiplied with a scalar k the point Q is obtained:
kP = Q.
The point multiplication operation involves a series of point addition and
point doubling operations. The double-and-add method is illustrated as
follows:
If k = 23, then kP = 23∙P = 2(2(2(2P) + P) + P) + P
The scalar which is used for point multiplication is
chosen from the range [0, n – 1]. The hierarchy of
operations involved in the multiplication operation is
shown in Figure 1. The EC point multiplication involve
the EC point Addition and EC point double operations;
which in turn involve the prime field operations −
addition, subtraction, multiplication and division /
inverse.
Figure 1. Hierarchy of the operations involved in Point
Multiplication.
In case of the prime field arithmetic; the point
addition and point doubling operations require
computation of multiplicative inverse, which is an
expensive operation. Representation of Elliptic curve
points (affine coordinates) as projective coordinates has
the advantage of reducing the multiplicative inverse
operation [6]. With projective coordinates just a single
multiplicative inverse operation is required. The
number of scalar multiplications required in the case of
projective coordinate system is more in contrast to the
affine coordinate system. Thus scalar multiplications on
projective coordinates should be more efficient
compared to the multiplicative inverse operation. The
Standard projective coordinates and the Jacobian
projective coordinates are defined as follows: -
Standard projective coordinates in the field Fq: Here a point is
represented as (X, Y, Z) and the corresponding affine point is (X/Z, Y/Z).
The equation for the elliptic curve is:
Y^2 Z = X^3 + aXZ^2 + bZ^3,
where Z ≠ 0. The point (0, 1, 0) is considered as the point at infinity.
Jacobian projective coordinates in the field Fq: In the Jacobian projective
coordinate system a point is represented as (X, Y, Z) and the
corresponding affine point is (X/Z^2, Y/Z^3). The equation for the
elliptic curve is:
Y^2 = X^3 + aXZ^4 + bZ^6,
where Z ≠ 0. The point (1, 1, 0) is considered as the point at infinity.
The NIST, ANSI and SEC2 specification
recommend curves with domain parameter value a = –3
for more efficient EC double operations and Z = 1 for
EC addition operations.
2.2. Side Channel Attacks
Side Channel attacks are the attacks which are based on
the Side Channel Information obtained from the physical
implementation of the cryptosystems. The Side Channel
Information can be power consumption, timing information
and electromagnetic leaks.
Power consumption attacks: These attacks are based on analyzing the power
consumption of the unit while it performs the cryptographic operations.
They can be Simple Power Analysis (SPA) attacks or Differential Power
Analysis (DPA) attacks. SPA is a technique that involves direct
interpretation of power consumption measurements collected during
cryptographic operations. DPA consists of visual as well as statistical
analysis and error-correction statistical methods to obtain information
about the keys. The high computational complexity of the multiplication
operations in asymmetric cryptography tends to produce strong signal
leakage.
Timing attacks: These attacks are based on measuring the time it takes for
a unit to perform operations. For example, carefully measuring the amount
of time required to perform the private key operations can lead to
information about the secret keys. Timing attacks are considered a type of
Simple Power Analysis (SPA) attack.
We have considered only the SPA and DPA attacks on the secret keys involved
in the Signcryption and Unsigncryption phases respectively.
2.2.1 Algorithms for SCA resistance. A point multiplication algorithm is
built from the Add and Double algorithms, which have different running
times. Algorithm 1 is such an algorithm, used to multiply a scalar d with
the elliptic curve point P. Since the execution times of addition and
doubling differ, an adversary can collect information via an SPA attack
which may reveal the secret key. The SPA attack can be resisted by using
point addition and point doubling algorithms which have the same running
times, e.g. the add-and-double-always method [14], which has the same
computation time for the add and double steps but involves dummy
operations. The Montgomery ladder [15] is an efficient SPA-resistant method
which takes the x-coordinates of the elliptic curve points as input and
outputs the x-coordinate of the product k ∙ P, where k is a scalar and P is
an elliptic curve point. The algorithm uses the xECADD algorithm for
addition and xECDBL for doubling. The corresponding addition formula and
addition chain are required for computing the scalar multiplication.
Input: d, P, n
Output: d∙P
Step 1: Q[0] = P
Step 2: for i = n – 2 down to 0
Step 3:   Q[0] = ECDBL(Q[0])
Step 4:   if d[i] == 1
Step 5:     Q[0] = ECADD(Q[0], P)
Step 6: return Q[0]
Algorithm 1. Add-and-double.
The Montgomery ladder method for point multiplication was suggested only
for Montgomery form curves. For applying the same method to standardized
curves, e.g. Weierstrass form curves, the Montgomery form curve first needs
to be converted into a Weierstrass form curve. Not all Weierstrass form
curves can be converted into Montgomery curves, since Montgomery form
curves have the characteristic that the order of the curve is divisible
by 4.
The xECADD and xECDBL algorithms of the Montgomery ladder method for point
multiplication were modified by Brier-Joye [16] and Izu-Takagi [17] for
applicability to Weierstrass form curves.
In [18] a modified algorithm based on Montgomery
ladder is introduced where the algorithms, xECADD and
xECDBL are combined to form xECADDDBL algorithm due
to the benefit that the auxiliary variables can be shared in
the formulas. The algorithm has the advantage that it can be
applied to Weierstrass form curves which are standardized
curve examples found in NIST, ANSI and SEC2. The
xECADDDBL algorithm, the algorithm for y-coordinate
recovery and the xECDBL algorithm [18] are given in the
Appendix A (Algorithm A.1, Algorithm A.2 and Algorithm
A.3). The modified Montgomery algorithm is as follows.
Input: d, P, n
Output: d∙P
Step 1: Q[0] = P, Q[1] = xECDBL(P)
Step 2: for i = n – 2 down to 0
Step 3: (Q[d[i] + 1], Q[d[i]])
= xECADDDBL(Q[d[i] + 1], Q[d[i]])
Step 4: return Q[0]
Algorithm 2. Improved Montgomery ladder.
An SPA-resistant algorithm can also be made DPA resistant by incorporating
the randomization of some parameters accordingly. Coron [14] has proposed a
method in which the coordinates of the point P are represented in the
projective coordinate system (X, Y, Z) and are multiplied by a random
number r ∈ Fq to obtain (rX, rY, rZ). Another method is proposed by Joye
and Tymen [19], which randomizes the base point P to (r^2 X, r^3 Y, Z) and
also randomizes the parameters a and b to r^4 a and r^6 b. In this method
the Z-coordinate can be taken as 1, which adds to the efficiency of the
point multiplication.
TABLE I shows the operations involved in the EC
double, EC addition and xECADDDBL algorithms. The
operations considered are Multiplication (M), Squaring (S),
Inversion (I) and Addition (A) in the prime field Fp . The
operations are represented in the form of prime field
multiplications with assumptions [21]; S = 0.8M, A =
0.01M, and I = 30M.
2.3. Signcryption
A Signcryption scheme performs both the tasks of digital signature and
encryption with better economy in computation as well as communication
costs compared to the costs involved in the Signature-then-Encryption
counterpart.
TABLE I. THE COMPUTATIONS REQUIRED FOR ALGORITHM 1 AND ALGORITHM 2
In a Signcryption scheme there exists a pair of algorithms (S;U), where S
is the Signcryption algorithm which is used to signcrypt the message, while
U is the Unsigncryption algorithm which is used to unsigncrypt the
signcrypted message. (S;U) satisfy the following conditions:
1) Unique Unsigncryption: If S is used to signcrypt a
message M, the U must uniquely unsigncrypt the
signcrypted message back to the original message M.
2) Security: The Signcryption scheme should maintain
the message security feature of confidentiality of message
contents, unforgeability and non- repudiation.
3) Efficient: The Signcryption method should yield better performance, both
in terms of computation and communication, than the
Signature-then-Encryption counterpart.
Prior to the application of algorithms (S;U) an
initialization phase is introduced where the domain
parameters are chosen, the keys of the sender and the
receiver are generated and the suitable parameters are
distributed.
In the Signcryption algorithm the sender uses its private
key for signature generation and recipient‟s public key to
generate a secret key for symmetric encryption of the
message.
In the Unsigncryption phase the recipient of the
encrypted message and the signature uses his private key to
obtain the same secret key.
The traditional Signcryption scheme provides direct verifiability through
the sender and indirect verifiability through a judge who performs the
verification with the help of the parameters provided by the recipient of
the message. The judge verification phase is optionally required to ensure
non-repudiation when there is a disagreement between the sender and the
recipient, i.e. when the sender denies having sent the message to the
receiver.
3. The Proposed Signcryption Scheme
The proposed Signcryption scheme is based on ECC with
performance advantages over the traditional Signature and
then Encryption schemes. The measures to resist the Side
Channel Attacks (SCAs) are also taken; which were not
considered in any of the previous works. The scheme
provides the security properties of message confidentiality,
authentication, integrity, unforgeability and non-repudiation,
along with forward secrecy of message confidentiality and
public verifiability. The Signcryption scheme presents a trade-off between
the additional security and the performance prospects with respect to the
previous works [6, 10], which is discussed in the following sections.
There are four phases involved, namely the Initialization phase,
Signcryption phase, Unsigncryption phase and Judge Verification phase. The
Signcryption phase, Unsigncryption phase and Judge Verification phase are
explained with the help of respective algorithms.
3.1 Initialization phase
A large prime number q is selected, where q > 2^160. E is the selected
elliptic curve over the finite field Fq: y^2 mod q = x^3 + ax + b mod q.
'a' and 'b' are smaller than q and satisfy 4a^3 + 27b^2 mod q ≠ 0. Some
preconditions are suggested in [10] so that the scheme is resistant to the
attacks on the elliptic curve. The base point G of the elliptic curve
E(Fq) should be of prime order n, or equivalently n · G = O, where O is the
elliptic curve point at infinity, to resist the small subgroup attacks. The
parameters n and q should be chosen in such a way that n < 4√q and n should
not divide q^i − 1 for all 1 ≤ i ≤ V (where V = 20 meets the requirements),
n ≠ q should be satisfied, and the curve should be non-supersingular. In
order to keep the intractability of ECDLP against the Pollard-rho
TABLE I (body). Columns: Algorithm | Parameter values | Coordinate system |
Counter step against DPA attack | Computation for n = 160, in terms of M, S,
A and I | In terms of M
Algorithm 1 (Add and Double) | a ≠ –3, Z ≠ 1 | Jacobian projective | - | (4M + 6S)(n-1) + (12M + 4S)(n-1)/2 | 2607.6M
Algorithm 1 (Add and Double) | a ≠ –3, Z = 1 | Jacobian projective | - | (4M + 6S)(n-1) + (8M + 3S)(n-1)/2 | 2289.2M
Algorithm 1 (Add and Double) | a = –3, Z ≠ 1 | Jacobian projective | - | (4M + 4S)(n-1) + (12M + 4S)(n-1)/2 | 2353.2M
Algorithm 1 (Add and Double) | a = –3, Z = 1 | Jacobian projective | - | (4M + 4S)(n-1) + (8M + 3S)(n-1)/2 | 2034.8M
Algorithm 2 (Improved Montgomery ladder) + Algorithm A.1 (xECADDDBL) | a ≠ –3 | Standard projective | Coron | (13n+7)M + (4n+1)S + 1I | 2629.8M
Algorithm 2 (Improved Montgomery ladder) + Algorithm A.1 (xECADDDBL) | a ≠ –3 | Standard projective | Joye-Tymen | (13n+14)M + (4n+3)S + 1I | 2638.4M
Algorithm 2 (Improved Montgomery ladder) + Algorithm A.1 (xECADDDBL) | a = –3 | Standard projective | Coron | (11n+9)M + (4n+1)S + 1I | 2311.8M
Algorithm A.2 (y-coordinate recovery) | - | Standard projective | - | 13M + 2S + 1I | 44.6M
and Pohlig-Hellman algorithms, the condition n > 2^160 should be satisfied.
H is a one-way hash function such as SHA-1. Ek and Dk are the symmetric
encryption and decryption algorithms respectively, such as AES with private
key k. The private and public key pairs of the sender Alice (dA, UA) and of
the receiver Bob (dB, UB) are generated, and both acquire certificates for
their public keys and identifiers IDA and IDB for Alice and Bob
respectively from the CA.
3.2 Signcryption Phase
The Signcryption algorithm involves the following steps which are performed
by the sender Alice.
Step 1: The intended receiver Bob’s public key UB is
verified by using Bob’s certificate.
Step 2: Integer r is selected randomly, r ∈R [1, n – 1].
Step 3: Computes R = r ∙ G = (r1, r2).
Step 4: Computes K = r ∙ UB = x1 (the x-coordinate of the product); if
        K = O (the point at infinity), then go to Step 2.
Step 5: k1 = H (x1 || IDA || IDB).
Step 6: A symmetric encryption algorithm is used to
generate the cipher text C = Ek1 (M), where the
secret key k1 is the encryption key.
Step 7: Generates v = H (C || r1 || IDA || r2 || IDB ).
Step 8: Computes s = dA – vr mod q.
Step 9: Sends the signcrypted text (R, C, s) to Bob.
First Alice verifies Bob's public key by verifying Bob's certificate. A
number r is selected randomly from [1, n-1] which is point multiplied with
the generator point G to obtain r1 and r2, the x and y coordinates of the
product respectively, using the Coron method for parameter randomization,
Algorithm 2 and Algorithm A.2 for y-coordinate recovery. Using the Coron
method for parameter randomization and Algorithm 2, the value of K is
calculated in step 4, giving the x-coordinate of the product as x1. It is
checked whether K is equal to the point at infinity; if true then the
random integer r is selected again, otherwise k1 is calculated. The
encryption key k1 is calculated by
concatenation followed by hashing of x1, IDA and IDB, where
IDA and IDB are the identifiers of Alice and Bob obtained
from Certifying Authority (CA). C is derived by
symmetrically encrypting message M with Key k1. C, r1,
IDA, r2 and IDB, are concatenated. The concatenated string is
hashed to obtain v. The signature s is calculated in step 8. In
step 9, Alice sends the signcrypted message (R, C, s) to Bob.
3.3 Unsigncryption Phase
The Unsigncryption algorithm involves the following steps which are
performed by the recipient of the message, Bob.
Step 1: Alice's public key UA is verified by using Alice's certificate.
Step 2: Computes K = dB ∙ R = x1.
Step 3: k1 = H (x1 || IDA || IDB ).
Step 4: A symmetric decryption algorithm is used to
generate plain text M = Dk1(C), where the secret
key k1 is used for decryption.
Step 5: Computes v = H (C || r1 || IDA || r2 || IDB ).
Step 6: Verifies s∙G + v∙R = UA. If it is true then accept the message,
        since M is the correct plain text sent by Alice; otherwise reject
        message M.
After receiving the signcrypted message, Bob verifies Alice's public key by
using Alice's certificate. K is calculated in step 2 using the Coron method
for parameter randomization and Algorithm 2, where x1 is the x-coordinate
of the product. The
symmetric secret key k1 is derived in step 3. The cipher text
C is decrypted using k1 to obtain the original message M. v
is calculated identically to the step 7 of the Signcryption
phase. The value of; (s∙G + v∙R) can be calculated using the
Shamir’s method [20] for fast multiplication. The value thus
obtained is compared with UA, if true, the message is
accepted since it is verified that the message was sent by
Alice otherwise the message is rejected.
3.4 Judge Verification phase
In the judge verification algorithm the judge verifies that the message was
indeed sent by Alice. The steps are identical to steps 1, 5 and 6 which
were used by Bob for verification in the Unsigncryption algorithm.
Step 1: Alice’s public key UA is verified by using Alice’s
certificate.
Step 2: Computes v = H (C || r1 || IDA || r2 || IDB ).
Step 3: Verifies s∙G + v∙R = UA. If it is true then the sender Alice
        actually did send the message M to the recipient Bob; otherwise
        Alice did not send this message to the recipient Bob.
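The Signcryption, Unsigncryption and Judge Verification steps of Sections 3.2 to 3.4, run on top of a Montgomery-ladder scalar multiplication of the kind Section 2.2.1 describes, as an added worked example that is not the authors' code. It assumes the secp256k1 domain parameters in place of the paper's unspecified curve, SHA-256 for H, a SHA-256 counter keystream XOR in place of AES for Ek/Dk, and constructed identifiers for IDA and IDB; s is reduced modulo the group order n, which is what makes s∙G + v∙R = UA hold.

```python
# Added example (not the authors' code). Assumptions: secp256k1 stands in for the
# paper's unspecified curve, SHA-256 for H, and a SHA-256 keystream XOR for AES.
import hashlib
import secrets

# secp256k1 domain parameters: q, a, b, G = (xG, yG), n (cofactor h = 1)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None  # the point at infinity

def ec_add(P1, P2):
    """Affine add/double on y^2 = x^3 + ax + b over F_q (Section 2.1.2)."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return O                                   # P + (-P) = O
    if P1 == P2:                                   # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q
    else:                                          # addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def ladder_mul(d, P, nbits=256):
    """Montgomery ladder: exactly one addition and one doubling per bit whatever
    the bit value, so the operation sequence does not depend on d (the SPA
    property of Algorithm 2). Full-coordinate ladder, not the x-only xECADDDBL."""
    R0, R1 = O, P                                  # invariant: R1 = R0 + P
    for i in range(nbits - 1, -1, -1):
        if (d >> i) & 1:
            R0, R1 = ec_add(R0, R1), ec_add(R1, R1)
        else:
            R1, R0 = ec_add(R0, R1), ec_add(R0, R0)
    return R0

def H(*parts):
    """One-way hash of the concatenation of its arguments (SHA-256 stands in)."""
    return hashlib.sha256(b"".join(parts)).digest()

def i2b(x):
    return x.to_bytes(32, "big")                   # fixed-width field/scalar encoding

def sym(key, data):
    """Stand-in for E_k / D_k: XOR with a SHA-256 counter keystream (not AES)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ladder_mul(d, G)                     # (private d, public U = d*G)

def signcrypt(dA, UB, idA, idB, msg):
    """Section 3.2, Steps 2-9 (Step 1, checking Bob's certificate, is assumed)."""
    while True:
        r = secrets.randbelow(N - 1) + 1           # Step 2
        R = ladder_mul(r, G)                       # Step 3: R = (r1, r2)
        K = ladder_mul(r, UB)                      # Step 4: K = r*UB, retry if O
        if K is not O:
            break
    k1 = H(i2b(K[0]), idA, idB)                    # Step 5: k1 = H(x1||IDA||IDB)
    C = sym(k1, msg)                               # Step 6
    v = int.from_bytes(H(C, i2b(R[0]), idA, i2b(R[1]), idB), "big") % N  # Step 7
    s = (dA - v * r) % N                           # Step 8, reduced modulo the order n
    return R, C, s                                 # Step 9

def verify(UA, R, C, s, idA, idB):
    """Judge verification (Section 3.4): uses no secret, hence publicly verifiable."""
    v = int.from_bytes(H(C, i2b(R[0]), idA, i2b(R[1]), idB), "big") % N
    return ec_add(ladder_mul(s, G), ladder_mul(v, R)) == UA   # s*G + v*R == UA

def unsigncrypt(dB, UA, R, C, s, idA, idB):
    """Section 3.3: dB*R = dB*r*G = r*UB recovers x1, hence k1; None on rejection."""
    K = ladder_mul(dB, R)                          # Step 2
    M = sym(H(i2b(K[0]), idA, idB), C)             # Steps 3-4
    return M if verify(UA, R, C, s, idA, idB) else None   # Steps 5-6

def demo():
    """Round trip, then a tampered ciphertext; returns (recovered M, tamper rejected)."""
    idA, idB = b"ID_Alice", b"ID_Bob"              # constructed identifiers
    dA, UA = keygen()
    dB, UB = keygen()
    R, C, s = signcrypt(dA, UB, idA, idB, b"signcryption test message")
    good = unsigncrypt(dB, UA, R, C, s, idA, idB)
    bad = unsigncrypt(dB, UA, R, bytes([C[0] ^ 1]) + C[1:], s, idA, idB)
    return good, bad is None
```

The ladder keeps the same add-then-double shape on both branches; a production implementation would also replace the data-dependent branch with a constant-time conditional swap.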
4. Security Analysis
The security analysis is discussed with respect to the security features
which the proposed protocol should satisfy. The identifiers of the
communicating entities are also used to derive the encryption key for the
message to avoid the Unknown Key-Share (UKS) attack [7]. If Alice
exceptionally sends the same message with the same random number r to
different receivers, the signcrypted message will be different for each
Signcryption, since for each message the value of the identifiers will be
different.
Confidentiality – The property of confidentiality is
maintained by the scheme, as the secret key k1 is
derived by relying on the secrecy of r.
Authentication – The authentication property is made
sure by the verifying s∙G + v∙R = UA. If the comparison
evaluates to be true, only then the message is
considered to be authentic.
Integrity – If the message content is changed then the ciphertext C is
changed to C′ and consequently a value v′ is obtained instead of v. This
change is detected at the time of verification and the message gets
rejected. So the integrity of the message is confirmed.
Unforgeability – For forging the message the private
key of Bob (dB) is required, which is kept secured with
Bob. Thus the property of unforgeability is maintained
with the secrecy of the secret key dB.
Non-repudiation – In the case of denial by Alice
regarding the sending of the message, Bob can send the
parameters (R, C, s) required by the judge to verify and
ensure the property of non - repudiation.
Forward secrecy of message confidentiality – The
disclosure of the private key of Alice, dA is not enough
to decrypt the previous messages encrypted by Alice.
The parameters r and v both should also be known to
decrypt the messages. For each message the values of r
and v are different. For obtaining r and v the ECDLP
have to be solved.
Public verifiability – The steps involved in verification do not involve
the session keys or the secret keys of any party. So any entity can verify
without the need to decrypt the message.
Resistance against the SPA and DPA attacks – Point
multiplication performed using Algorithm 2 along with
the randomization of parameters using Coron or Joye
Tymen method for parameter randomization, provides
resistance from the SPA and DPA attacks respectively.
Thus the security features provided by the Signcryption scheme mainly
depend on the secrecy of r and dB, which are the ephemeral and static
secret keys, respectively, used in the Signcryption and Unsigncryption
phases.
Algorithm 2 (SCA resistant) is not used in the point
multiplication operations involved in calculating; s∙G + v∙R.
So the values of s and v can be obtained by the adversary
through SCA. Even then the security properties are
maintained by the scheme since the random number r
remains secret.
The flaws in Hwang's scheme [7] are also removed by the protocol, by
carefully selecting the parameters, deriving the secret key from the random
number r, and including the identifiers of the communicating parties.
In TABLE II, the comparison of the Signcryption schemes introduced earlier
and the proposed Signcryption scheme is shown. The comparison is based on
the key security features. The description 'Directly' in the
Non-repudiation column means that the Signcryption scheme provides the
property of non-repudiation without the need of a zero knowledge proof
protocol.
5. Costs Analysis
The costs involved in the Signcryption schemes are represented in terms of
the computational cost and the communication overhead. The operational
costs in machine cycles take the form of the computational cost. The
additional bits which are transferred, excluding the message bits, are
referred to as the communication overhead. The compliance of the proposed
scheme with the efficiency condition (Section 2.3 (3)) of a Signcryption
scheme is presented as follows.
5.1. Computational Cost
Point multiplication accounts for most of the computational cost. TABLE III
presents the mathematical operations involved in the different Signcryption
schemes. The traditional Signature-then-Encryption method based on ECC
involves 6 point
TABLE II. COMPARISON OF THE SIGNCRYPTION SCHEMES BASED ON THE SECURITY FEATURES
Columns: Signcryption Scheme | Confidentiality | Integrity | Unforgeability |
Non-repudiation | Public Verifiability | Forward Secrecy | Side Channel Attack
countermeasures
Proposed Scheme | Yes | Yes | Yes | Directly | Yes | Yes | Yes
R.J. Hwang et al. [6] | No (a) | No (a) | No (a) | Directly | Yes | No | No
H.Y. Jung et al. [5] | Yes | Yes | Yes | Additional Protocol | No | Yes | No
C. Gamage et al. [4] | Yes | Yes | Yes | Directly | Yes | No | No
F. Bao & R. H. Deng [3] | Yes | Yes | Yes | Directly | Yes | No | No
Y. Zheng and H. Imai [2] | Yes | Yes | Yes | Additional Protocol | No | No | No
Y. Zheng [1] | Yes | Yes | Yes | Additional Protocol | No | No | No
(a) According to M. Toorani and Beheshti Shirazi [7]
Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034
IJCTA | JULY-AUGUST 2011 Available [email protected]
1031
ISSN:2229-6093
TABLE III. MATHEMATICAL OPERATIONS INVOLVED IN THE DIFFERENT SIGNCRYPTION SCHEMES
multiplications. The proposed Signcryption scheme involves
5 point multiplications.
Both schemes contain an expression of the form (aP + bQ), to which Shamir's method [20] for simultaneous point multiplication can be applied, reducing 2 point multiplications to 1.17 point multiplications [2]. Accordingly, the number of point multiplications is reduced from 6 to 5.17 and from 5 to 4.17, respectively. The computational cost of the Signature-then-Encryption scheme is calculated by taking from Table I the minimum number of modular multiplications (M) for Algorithm 1 (Add and Double) and multiplying it by the number of point multiplications involved in the Signature-then-Encryption scheme:
5.17 × 2034.8M = 10520M.
Similarly, the cost of the proposed scheme is calculated by considering the minimum number of modular multiplications (M) for Algorithm 1 (Add and Double) as well as for Algorithm 2 (Improved Montgomery ladder) + Algorithm A.1 (xECADDDBL) and Algorithm A.2 (y-coordinate recovery), respectively:
((1.17 × 2034.8M) + (2 × 2311.8M) + 44.6M) = 9361M.
Thus the saving in computational cost is:
Saving (%) = (10520M – 9361M) / 10520M = 11%
The saving in computation is 11% compared to the Signature-then-Encrypt scheme based on ECC.
To compare the proposed Signcryption scheme with the previous works, graphs have been plotted for the combinations of values of the domain parameters a and Z, which gives an idea of the computational cost of the Signcryption scheme over a range of curves (Figures 2-5).
From these statistics it can be seen that the best case is a = –3 and Z ≠ 1. The saving in the Signcryption phase of the proposed scheme, compared to the other two schemes, is 0.8%. In the Unsigncryption phase the saving compared to the M. Toorani and A.A.B. Shirazi scheme [10] is 34% and compared to the R.J. Hwang et al. scheme [6] is 0.6%.
It can be observed that even though the Signcryption phase is costlier in most of the cases, the Unsigncryption phase is always cheaper than in the M. Toorani and A.A.B. Shirazi scheme [10].
TABLE III. MATHEMATICAL OPERATIONS INVOLVED IN THE DIFFERENT SIGNCRYPTION SCHEMES

Signcryption scheme                      | Candidate | Modular Exponentiation | Modular Division / Inverse | Elliptic Curve Point Multiplication (ECPM) | Elliptic Curve Point Addition (ECPA) | Modular Multiplication | Modular Addition | Hash / Keyed Hash
Proposed Scheme                          | Alice     | -                      | -                          | 2                                          | -                                    | 1                      | 1                | 2
                                         | Bob       | -                      | -                          | 3                                          | 1                                    | -                      | -                | 2
M. Toorani & A.A. Beheshti Shirazi [10]  | Alice     | -                      | -                          | 2                                          | -                                    | 2                      | 2                | 2
                                         | Bob       | -                      | -                          | 4                                          | 2                                    | -                      | -                | 2
R.J. Hwang et al. [6]                    | Alice     | -                      | -                          | 2                                          | -                                    | 1                      | 1                | 1
                                         | Bob       | -                      | -                          | 3                                          | 1                                    | -                      | -                | 1
H.Y. Jung et al. [5]                     | Alice     | 2                      | 1                          | -                                          | -                                    | -                      | 1                | 2
                                         | Bob       | 3                      | -                          | -                                          | -                                    | 1                      | -                | 2
C. Gamage et al. [4]                     | Alice     | 2                      | 1                          | -                                          | -                                    | -                      | 1                | 2
                                         | Bob       | 3                      | -                          | -                                          | -                                    | 1                      | -                | 2
F. Bao & R.H. Deng [3]                   | Alice     | 2                      | 1                          | -                                          | -                                    | -                      | 1                | 3
                                         | Bob       | 3                      | -                          | -                                          | -                                    | 1                      | -                | 3
Y. Zheng and H. Imai [2]                 | Alice     | -                      | 1                          | 1                                          | -                                    | 1                      | 1                | 2
                                         | Bob       | -                      | -                          | 2                                          | 1                                    | 2                      | -                | 2
Y. Zheng [1]                             | Alice     | 1                      | 1                          | -                                          | -                                    | -                      | 1                | 2
                                         | Bob       | 2                      | -                          | -                                          | -                                    | 2                      | -                | 2

Figure 2. Comparison of the various Signcryption schemes with a ≠ –3 and Z ≠ 1.
Figure 3. Comparison of the various Signcryption schemes with a ≠ –3 and Z = 1.
Figure 4. Comparison of the various Signcryption schemes with a = –3 and Z ≠ 1.
Figure 5. Comparison of the various Signcryption schemes with a = –3 and Z = 1.

5.2. Communicational Cost
The proposed scheme involves a lower communication cost than the Signature-then-Encrypt counterpart based on ECC. Some assumptions are made regarding the number of bits transferred:
|q| ≈ |p^m|, where the elliptic curve is defined over the prime field E(F_{p^m}) with m = 1.
|H| = ½ |q|.
Point compression is used to represent the points belonging to the elliptic curve E.
Here p is a prime, m is an integer, q is a large prime of size approximately equal to |p^m|, and H is a one-way hash function.
The communication overhead measured in bits for Signature-then-Encryption [2] (based on SECDSS1 and ElGamal encryption) is:
|H(∙)| + |q| + |p^m + 1| ≈ |H(∙)| + 2|q|
The communication overhead measured in bits for the proposed Signcryption scheme is:
|q| + |q + 1| ≈ 2|q|
Economy = ((|H(∙)| + 2|q|) – 2|q|) / (|H(∙)| + 2|q|) = 20%
The saving in communication overhead is 20% compared to the Signature-then-Encrypt scheme based on ECC.
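Three of the ingredients costed above can be made concrete in a few dozen lines: the distinction between a plain double-and-add (the paper's Algorithm 1, which leaks the bit pattern of the scalar through its operation sequence) and a Montgomery ladder whose operation sequence is independent of the scalar (the idea behind Algorithm 2, used only for the multiplications that touch r and dB); Shamir's simultaneous multiplication for the (aP + bQ) expression in Section 5.1; and point compression as assumed in Section 5.2. The following is an added example written for this page, not the paper's implementation: it uses the standard NIST P-256 parameters (a = –3, the paper's best case), plain affine arithmetic with a counter of group operations (doublings and additions, not the modular-multiplication counts of Table I), a textbook full-coordinate ladder in place of the paper's x-only Algorithm 2 with y-coordinate recovery, and constructed scalars (8, 11, 6 and 12345) small enough that the counts can be checked by hand.

```python
# Added example (not the paper's code): double-and-add vs. Montgomery ladder,
# Shamir's simultaneous multiplication a*P + b*Q, and SEC 1 point compression
# on NIST P-256 in affine coordinates.  Counts are group operations
# (doublings / additions), not the modular-multiplication counts of Table I.

# NIST P-256 domain parameters (standard values; a = -3, p = 3 mod 4).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
INF = None  # point at infinity

def is_on_curve(pt):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def ec_add(p1, p2, counter=None):
    """Affine addition; `counter` (a dict) tallies doublings and additions."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                      # P + (-P)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
        kind = "dbl"
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # addition
        kind = "add"
    if counter is not None:
        counter[kind] += 1
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(k, pt, counter=None):
    """Double-and-add (the paper's Algorithm 1): an addition only on 1 bits,
    so the sequence of operations leaks the bit pattern of k."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc, counter)
        if bit == "1":
            acc = ec_add(acc, pt, counter)
    return acc

def ladder_mul(k, pt, counter=None):
    """Montgomery ladder: one addition and one doubling per bit regardless of
    its value (the idea behind Algorithm 2; the paper's is x-only + y recovery)."""
    r0, r1 = INF, pt
    for bit in bin(k)[2:]:
        if bit == "1":
            r0, r1 = ec_add(r0, r1, counter), ec_add(r1, r1, counter)
        else:
            r1, r0 = ec_add(r0, r1, counter), ec_add(r0, r0, counter)
    return r0

def shamir_mul(a, pt_p, b, pt_q, counter=None):
    """a*P + b*Q with one shared doubling chain and a precomputed P+Q."""
    table = {(1, 0): pt_p, (0, 1): pt_q, (1, 1): ec_add(pt_p, pt_q, counter)}
    acc = INF
    for i in range(max(a.bit_length(), b.bit_length()) - 1, -1, -1):
        acc = ec_add(acc, acc, counter)
        bits = ((a >> i) & 1, (b >> i) & 1)
        if bits != (0, 0):
            acc = ec_add(acc, table[bits], counter)
    return acc

def op_profile(mul, k, pt):
    """Group operations `mul` spends computing k*pt."""
    counter = {"dbl": 0, "add": 0}
    mul(k, pt, counter)
    return counter

def joint_profile(a, pt_p, b, pt_q):
    """Operations for a*P + b*Q done separately versus with Shamir's trick;
    the two results are checked to agree."""
    sep, joint = {"dbl": 0, "add": 0}, {"dbl": 0, "add": 0}
    separate = ec_add(scalar_mul(a, pt_p, sep), scalar_mul(b, pt_q, sep), sep)
    assert shamir_mul(a, pt_p, b, pt_q, joint) == separate
    return sep, joint

def compress(pt):
    """SEC 1 compressed point: prefix byte 0x02/0x03 (parity of y) then x."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def decompress(data):
    """Recover y from x and the parity bit; the sqrt shortcut needs P % 4 == 3."""
    prefix, x = data[0], int.from_bytes(data[1:], "big")
    rhs = (x ** 3 + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not the abscissa of a curve point")
    return (x, y if (y & 1) == prefix - 2 else P - y)
```

Running `op_profile(scalar_mul, k, G)` for k = 8 and k = 11 gives 3 doublings with 0 and 2 additions respectively, while `op_profile(ladder_mul, k, G)` gives 4 doublings and 3 additions for both, which is the property the paper relies on when it reserves Algorithm 2 for the multiplications by r and dB. `joint_profile(11, G, 6, R)` with R = 12345·G shows the two separate chains spending 5 doublings against 3 for the shared chain; with 256-bit scalars the shared chain saves roughly half the doublings and a quarter of the additions, which is the kind of reduction the 1.17 figure quantifies in modular multiplications. Note that SEC 1 spends a whole byte on the parity prefix, whereas the |q| + 1 in the overhead formula above counts a single bit.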
6. Conclusion
In this paper we have discussed a Signcryption scheme which provides the security properties of message confidentiality, authentication, integrity, unforgeability and non-repudiation (without the need of a zero-knowledge proof protocol), along with forward secrecy of message confidentiality and public verifiability. Measures against SCA, which were not considered in the previous works, are also taken by the proposed method. Signcryption deployed with ECC has tremendous scope, attributed to its suitability for constrained environments and the savings in computational and communication overhead.
7. References
[1] Yuliang Zheng, "Digital Signcryption or How to Achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(Encryption)", Advances in Cryptology (CRYPTO '97), LNCS 1294, Springer-Verlag, 1997, pp. 165–179.
[2] Yuliang Zheng and Hideki Imai, "How to construct efficient signcryption schemes on elliptic curves", Information Processing Letters, Vol. 68, Issue 5, 1998, pp. 227–233.
[3] F. Bao and R.H. Deng, "A signcryption scheme with signature directly verifiable by public key", Proceedings of PKC '98, LNCS 1431, Springer-Verlag, 1998, pp. 55–59.
[4] C. Gamage, J. Leiwo and Y. Zheng, "Encrypted message authentication by firewalls", Proceedings of the 1999 International Workshop on Practice and Theory in Public Key Cryptography (PKC '99), LNCS 1560, Springer-Verlag, 1999, pp. 69–81.
[5] H.Y. Jung, K.S. Chang, D.H. Lee and J.I. Lim, "Signcryption schemes with forward secrecy", Proceedings of WISA 2, 2001, pp. 403–475.
[6] Ren-Junn Hwang, Chih-Hua Lai and Feng-Fu Su, "An Efficient Signcryption Scheme with Forward Secrecy Based on Elliptic Curve", Applied Mathematics and Computation, Vol. 167, No. 2, Elsevier Inc., New York, 2005, pp. 870–881.
[7] Mohsen Toorani and Ali Asghar Beheshti Shirazi, "Cryptanalysis of an efficient signcryption scheme with forward secrecy based on elliptic curve", International Conference on Computer and Electrical Engineering (ICCEE '08), 2008, pp. 428–432.
[8] Jun-Bum Shin, Kwangsu Lee and Kyungah Shim, "New DSA-Verifiable Signcryption Schemes", Information Security and Cryptology (ICISC 2002), LNCS 2587, Springer-Verlag, 2003, pp. 35–47.
[9] Raylin Tso, "Signcryption Scheme with Standardized Verification Algorithm", IEEE Asia-Pacific Services Computing Conference (APSCC), 2008, pp. 1369–1374.
[10] Mohsen Toorani and Ali Asghar Beheshti Shirazi, "An Elliptic Curve-based Signcryption Scheme with Forward Secrecy", Journal of Applied Sciences, Vol. 9, No. 6, 2009, pp. 1025–1035.
[11] Anoop MS, "Elliptic Curve Cryptography - An implementation guide", May 2007.
[12] Darrel Hankerson, Alfred Menezes and Scott Vanstone, Guide to Elliptic Curve Cryptography, Springer-Verlag, New York, 2004.
[13] Certicom Research, "SEC 1: Elliptic Curve Cryptography, Version 1.0", Certicom Corporation, September 2000.
[14] J. Coron, "Resistance against differential power analysis for elliptic curve cryptosystems", CHES '99, LNCS 1717, Springer-Verlag, 1999, pp. 292–302.
[15] Peter L. Montgomery, "Speeding the Pollard and elliptic curve methods for factorizations", Mathematics of Computation, Vol. 48, Issue 177, 1987, pp. 243–264.
[16] E. Brier and M. Joye, "Weierstraß Elliptic Curves and Side-Channel Attacks", PKC 2002, LNCS 2274, Springer-Verlag, 2002, pp. 335–345.
[17] T. Izu and T. Takagi, "A fast parallel elliptic curve multiplication resistant against side channel attacks", PKC 2002, LNCS 2274, 2002, pp. 280–296.
[18] T. Izu and T. Takagi, "Fast Elliptic Curve Multiplications Resistant against Side Channel Attacks", IEICE Trans. Fundamentals, Vol. E88-A, No. 1, 2005, pp. 161–170.
[19] M. Joye and C. Tymen, "Protections against differential analysis for elliptic curve cryptography", CHES 2001, LNCS 2162, Springer-Verlag, 2001, pp. 377–390.
[20] T. ElGamal, "A public-key cryptosystem and signature scheme based on discrete logarithms", IEEE Transactions on Information Theory, Vol. 31, 1985, pp. 469–472.
[21] K. Okeya, H. Kurumatani and K. Sakurai, "Elliptic curves with the Montgomery form and their cryptographic applications", PKC 2000, LNCS 1751, Springer-Verlag, 2000, pp. 446–465.
Appendix A: Algorithm A.1, Algorithm A.2 and
Algorithm A.3.
Algorithm A.1: xECADDDBL Algorithm.
Algorithm A.2: Algorithm for y-coordinate recovery.
Algorithm A.3: xECDBL Algorithm.