
A Signcryption Scheme based on Elliptic Curve Cryptography

R. K. Pateriya

Computer Science & Information Tech. Dept.

Maulana Azad National Institute of Technology

Bhopal, India

e-mail: [email protected]

Shreeja Vasudevan

M.Tech. (Computer Science) Scholar

Computer Science & Information Tech. Dept.

Maulana Azad National Institute of Technology

Bhopal, India

e-mail: [email protected]

Abstract

In public key cryptography a message is sent after the sender applies digital signature and encryption techniques. These techniques are used so that message properties such as confidentiality, integrity and unforgeability are maintained and non-repudiation can be ensured at the receiving end. The digital signature and encryption mechanisms can be combined to form a single logical step called Signcryption. In this paper a Signcryption scheme based on Elliptic Curve Cryptography (ECC) is suggested. The scheme provides additional security features, including forward secrecy and public verifiability, and counter steps for resistance to Side Channel Attacks (SCAs) are also taken. The proposed scheme provides better performance for the security features provided, compared to the traditional Signature-then-Encryption schemes based on ECC.

Keywords- Signcryption, Elliptic Curve Cryptography, public verifiability, forward secrecy, Side Channel Attacks.

1. Introduction

Security in computers means that the information is protected from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while information is in storage.

One essential aspect of secure communications is cryptography. Cryptography not only protects data from theft or alteration, but can also be used for user authentication. The common cryptographic schemes typically used are secret key (or symmetric) cryptography and public-key (or asymmetric) cryptography.

With secret key cryptography, a single key is used for both encryption and decryption. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and recover the plaintext. Since a single key is used for both functions, the difficulty with this approach is the distribution of the key.

The public key cryptography technique employs two keys that are mathematically related. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. One key is called the private key, which is kept secret, and the other key is designated as the public key and may be advertised as widely as the owner wants. In this scheme there is no difficulty regarding the distribution of keys, but the computational cost is greater than that of symmetric key cryptography.

Nowadays public key cryptography is used extensively due to its stronger security features than symmetric key cryptography. The public key cryptography technique relies upon digital signature and encryption methods to send a message while ensuring the confidentiality, integrity, unforgeability and non-repudiation of communication. Accordingly, the steps involved in the traditional method of Signature-then-Encryption are:

- The Sender first digitally signs and then encrypts the message.
- The Receiver verifies the Sender's signature and decrypts the encrypted message.

The digital signing and encrypting steps can be combined into a single logical step, called Signcryption.

The public key cryptographic technique has evolved, and ECC has been proved to be better in terms of security provided per bit compared to traditional techniques such as RSA. Similarly, the adoption of ECC in Signcryption schemes has also proved to be beneficial.

Signcryption is a relatively new term in the literature, introduced in 1996. The efficacy of Signcryption became evident in 1997 when Yuliang Zheng [1] illustrated that Cost (Signcryption) << Cost (Signature) + Cost (Encryption) in terms of computational cost as well as communication overhead. The Signcryption scheme was based on ElGamal Signature and Encryption techniques, with savings of 50% in computational cost and 85% in communication overhead. With increasing size of the security parameters the cost economy has also increased. In 1999 Y. Zheng and H. Imai [2] suggested a Signcryption scheme based on ECC which saves about 58% of computational cost and about 40% of communication cost compared to the Signature-then-Encryption scheme based on elliptic curves, but lacked forward secrecy of message confidentiality and public verifiability.

Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034

IJCTA | JULY-AUGUST 2011 Available [email protected]

ISSN:2229-6093

F. Bao and R. H. Deng [3] enhanced Zheng's Signcryption so that the judge can verify the signature without the recipient's private key. C. Gamage et al. [4] modified Zheng's Signcryption so that anyone can verify the signature of the ciphertext, but the application area was limited to firewalls only. H. Y. Jung et al. [5] showed that Zheng's scheme does not provide forward secrecy of message confidentiality when the sender's private key is revealed. The Signcryption was based on the Discrete Logarithm Problem (DLP) with forward secrecy. Ren-Junn Hwang [6] proposed a Signcryption scheme with public verifiability and forward secrecy. The security was based on the Elliptic Curve Discrete Logarithm Problem (ECDLP) and the Elliptic Curve Diffie-Hellman Problem (ECDHP). Some flaws and shortcomings of Hwang's scheme are discussed in [7]. Jun-Bum Shin et al. [8] proposed a Signcryption scheme using the standard DSA algorithm in the verification phase with no forward secrecy. Raylin Tso [9] has modified Shin et al.'s scheme with a standard algorithm for verification based on the Elliptic Curve Digital Signature Algorithm (ECDSA) and ensured the property of forward secrecy. M. Toorani and A. A. Beheshti Shirazi [10] have proposed a Signcryption scheme with both the properties of public verifiability and forward secrecy.

In this paper we have introduced a Signcryption scheme which not only provides the security features introduced so far by the previous works but also considers measures to resist Side Channel Attacks (SCAs), which were not considered by any of the previous schemes [1, 2, 3, 4, 5, 6, 8, 9, 10]. The security features provided by the Signcryption scheme include confidentiality, integrity, unforgeability, non-repudiation, forward secrecy and public verifiability. The scheme also provides better performance compared to the traditional Signature and then Encryption schemes based on ECC. The distinction between the proposed scheme and the other relevant works is also discussed. The paper is organized as follows: preliminaries on ECC, Side Channel Attacks (SCAs) and Signcryption, followed by an introduction to the proposed Signcryption scheme, a discussion of the security features, a study of the computational as well as communicational characteristics, and finally the conclusion on the proposed Signcryption scheme.

2. Preliminaries

2.1. Elliptic Curve Cryptography (ECC)

Elliptic curves (EC) were suggested for cryptography by Victor Miller and Neal Koblitz in 1985 as Elliptic Curve Cryptography (ECC). ECC follows the Public Key Encryption technique, and the security provided is based on the hardness of the Discrete Logarithm Problem (DLP), called the Elliptic Curve Discrete Logarithm Problem (ECDLP). According to ECDLP, kP = Q, where P, Q are points on an elliptic curve and k is a scalar. If k is significantly large then it is infeasible to calculate k when the values of P and Q are given. Here k is the discrete logarithm of Q, having base P.

ECC's advantage is that the inverse operation becomes difficult to compute at a rapid pace as the key size increases, compared to the inverse operations in RSA. Commercially, 1024 bit RSA and 160 bit ECC systems are shown as offering nearly the same security status. The smaller key size causes faster cryptographic computations and makes smaller software or smaller chip deployment possible. Thus ECC has great potential to be used in environments with limited resources.

2.1.1. ECC Basics. An elliptic curve E can be defined over a prime field Fq or a binary field $F_{2^m}$ [11]; here the Weierstrass form curve, a type of elliptic curve defined over Fq, has been considered:

Elliptic Curve defined over Prime field E(Fq): Fq consists of the integers modulo q, with the integers in the range [0, q–1], where q is a prime number which is large enough. An elliptic curve over the prime field Fq is represented as:

$$y^2 \bmod q = x^3 + ax + b \bmod q$$

where the condition $4a^3 + 27b^2 \bmod q \neq 0$ is imposed so that the elliptic curve is non-singular [12]. The domain parameters for an elliptic curve over Fq can be represented as q, a, b, G, n and h.

Here q is a prime number which is large enough, 'a' and 'b' are curve parameters, G is a point on the elliptic curve called a generator point (xG, yG), and n is the order of the elliptic curve. h is the cofactor, defined as h = (number of points on elliptic curve E(Fq)) / n.

The prime field operations involve modular arithmetic consisting of the operations addition, subtraction, multiplication, division, multiplicative inverse, and modulus. Prime field operations are more suitable in software implementations of ECC.

The domain parameters and other parameters must be mutually agreed upon by the two entities which want to have a secure and trusted communication using ECC. The points which lie on the elliptic curve are a point at infinity and the points which satisfy the elliptic curve equation. The standard domain parameters are defined in [13]. The protocols implementing ECC can also specify the domain parameters.

2.1.2 ECC operations. ECC follows the group law and logarithm problem. From the ECDL problem it is evident that the major operation involved in ECC is point multiplication, i.e. multiplication of a scalar k with a point P on the curve to obtain another point Q on the curve.

Point Multiplication: Points P and Q lie on the elliptic curve such that P is multiplied with a scalar k to obtain the point Q,

kP = Q.

The point multiplication operation involves a series of point addition and point doubling operations. The doubling and addition method is illustrated as follows:

If k = 23, then kP = 23∙P = 2(2(2(2P) + P) + P) + P

The scalar which is used for point multiplication is chosen from the range [0, n – 1]. The hierarchy of operations involved in the multiplication operation is shown in Figure 1. The EC point multiplication involves the EC point addition and EC point double operations, which in turn involve the prime field operations: addition, subtraction, multiplication and division / inverse.

Figure 1. Hierarchy of the operations involved in Point Multiplication.

In the case of prime field arithmetic, the point addition and point doubling operations require computation of a multiplicative inverse, which is an expensive operation. Representing elliptic curve points (affine coordinates) as projective coordinates has the advantage of reducing the multiplicative inverse operation [6]. With projective coordinates just a single multiplicative inverse operation is required. The number of scalar multiplications required in the case of the projective coordinate system is higher than in the affine coordinate system. Thus scalar multiplications on projective coordinates should be more efficient compared to the multiplicative inverse operation. The Standard projective coordinates and the Jacobian projective coordinates are defined as follows:

Standard projective coordinate in the field Fq: Here a point is represented as (X, Y, Z) and the corresponding affine coordinate point is (X/Z, Y/Z). The equation for the elliptic curve is:

$$Y^2 Z = X^3 + aXZ^2 + bZ^3,$$

where Z ≠ 0. The point (0, 1, 0) is considered as the point at infinity.

Jacobian Projective coordinate in field Fq: In the Jacobian projective coordinate system a point is represented as (X, Y, Z) and the corresponding affine coordinate point as $(X/Z^2, Y/Z^3)$. The equation for the elliptic curve is:

$$Y^2 = X^3 + aXZ^4 + bZ^6,$$

where Z ≠ 0. The point (1, 1, 0) is considered as the point at infinity.

The NIST, ANSI and SEC2 specifications recommend curves with domain parameter value a = –3 for more efficient EC double operations and Z = 1 for EC addition operations.

2.2. Side Channel Attacks

Side Channel attacks are attacks which are based on the Side Channel Information obtained from the physical implementation of cryptosystems. The Side Channel Information can be power consumption, timing information and electromagnetic leaks.

Power consumption attacks: These attacks are based on analyzing the power consumption of the unit while it performs the cryptographic operations. It can be a Simple Power Analysis (SPA) attack or a Differential Power Analysis (DPA) attack. SPA is a technique that involves direct interpretation of power consumption measurements collected during cryptographic operations. DPA consists of visual and also statistical analysis and error-correction statistical methods to obtain information about the keys. The high computational complexity of the multiplication operations in the case of asymmetric operations tends to cause strong signal leakage.


Timing attacks: These attacks are based on measuring the time it takes for a unit to perform operations. For example, carefully measuring the amount of time required to perform the private key operations can lead to information about the secret keys. Timing attacks are considered a type of Simple Power Analysis (SPA) attack.

We have considered only the SPA and DPA attacks on the secret keys involved in the Signcryption and Unsigncryption phases respectively.

2.2.1 Algorithms for SCA resistance. The point multiplication algorithms involve the Add and Double algorithms. The Add and Double algorithms have different running times for addition and doubling; Algorithm 1 is such an algorithm, which is used to point multiply a scalar d with the elliptic curve point P. Since the execution times of addition and doubling are different, an adversary can, via an SPA attack, collect information which may reveal the secret key. The SPA attack can be resisted by using point addition and point doubling algorithms which have the same running times, e.g. the add-and-double always method [14], which has the same computation times for the add and double algorithms respectively but involves dummy operations. The Montgomery ladder [15] is an efficient method which is SPA resistant; it takes the x-coordinates of the elliptic curve points as input, and the output is the x-coordinate of the product k ∙ P, where k is a scalar and P is an elliptic curve point. The algorithm uses the xECADD algorithm for addition and xECDBL for doubling operations respectively. The corresponding addition formula and addition chain are required for computing the scalar multiplication.

Input: d, P, n

Output: d∙P

Step 1: Q[0] = P.

Step 2: for i = n – 2 down to 0.

Step 3: Q[0] = ECDBL(Q[0]).

Step 4: if d[i] == 1.

Step 5: Q[0] = ECADD(Q[0],P).

Step 6: return Q[0].

Algorithm 1. Add-and-double.

The Montgomery ladder method for point multiplication was suggested only for Montgomery form curves. For applying the same method to the standardized curves, e.g. Weierstrass form curves, first the Montgomery form curve needs to be converted into Weierstrass form curve. Not all Weierstrass form curves can be converted into Montgomery curves, since Montgomery form curves have the typical characteristic that the order of the curve should be divisible by 4.

The xECADD and xECDBL algorithms of the Montgomery ladder method for point multiplication were modified by Brier-Joye [16] and Izu-Takagi [17] for applicability to Weierstrass form curves.

In [18] a modified algorithm based on the Montgomery ladder is introduced where the algorithms xECADD and xECDBL are combined to form the xECADDDBL algorithm, with the benefit that the auxiliary variables can be shared in the formulas. The algorithm has the advantage that it can be applied to Weierstrass form curves, which are the standardized curve examples found in NIST, ANSI and SEC2. The xECADDDBL algorithm, the algorithm for y-coordinate recovery and the xECDBL algorithm [18] are given in Appendix A (Algorithm A.1, Algorithm A.2 and Algorithm A.3). The modified Montgomery algorithm is as follows.

Input: d, P, n

Output: d∙P

Step 1: Q[0] = P, Q[1] = xECDBL(P)

Step 2: for i = n – 2 down to 0

Step 3: (Q[d[i] + 1], Q[d[i]]) = xECADDDBL(Q[d[i] + 1], Q[d[i]])

Step 4: return Q[0]

Algorithm 2. Improved Montgomery ladder.
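The difference between Algorithm 1 and a ladder can be seen by recording which operations each one executes for a given scalar. The following is an added example, not code from the paper: curve points are modeled as integers modulo a constructed modulus `M` under addition so that the result can be checked as d·P, the ladder is written in its standard two-register form rather than with xECADDDBL, and all names are illustrative.

```python
# Added illustration (not from the paper): which operations each algorithm
# executes for a given scalar. Curve points are modeled as integers modulo a
# constructed modulus M under addition, so ECDBL(Q) is 2Q and ECADD(Q, P) is
# Q + P, and the result can be checked against d * P directly.

M = 2**61 - 1   # constructed modulus for the stand-in group
P = 5           # constructed stand-in for the base point


def scalar_bits(d):
    """Bits of d, most significant first (d[n-1] ... d[0])."""
    return [int(b) for b in bin(d)[2:]]


def add_and_double(d, p):
    """Algorithm 1: always double, add only when the scalar bit is 1."""
    q, trace = p, []
    for bit in scalar_bits(d)[1:]:          # i = n-2 down to 0
        q = (2 * q) % M                     # ECDBL
        trace.append("D")
        if bit == 1:
            q = (q + p) % M                 # ECADD, executed only for 1-bits
            trace.append("A")
    return q, "".join(trace)


def montgomery_ladder(d, p):
    """Ladder: exactly one addition and one doubling per scalar bit."""
    q0, q1, trace = p, (2 * p) % M, []      # Q[0] = P, Q[1] = 2P
    for bit in scalar_bits(d)[1:]:
        # A real implementation replaces this branch with a constant-time
        # swap; here only the sequence of group operations is modeled.
        if bit == 0:
            q0, q1 = (2 * q0) % M, (q0 + q1) % M
        else:
            q0, q1 = (q0 + q1) % M, (2 * q1) % M
        trace.append("AD")                  # same work whatever the bit is
    return q0, "".join(trace)


def trace_depends_on_scalar(multiply, scalars):
    """True if equal-length scalars produce different operation sequences."""
    return len({multiply(d, P)[1] for d in scalars}) > 1


if __name__ == "__main__":
    for d in (0b10111, 0b10001, 0b11111):   # constructed 5-bit scalars
        print(d, add_and_double(d, P), montgomery_ladder(d, P))
```

For d = 23 the Algorithm 1 trace is the chain 2(2(2(2P) + P) + P) + P from section 2.1.2, read operation by operation.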

A SPA resistant algorithm can also be made DPA resistant by incorporating randomization of some parameters accordingly. Coron [14] has proposed a method in which the coordinates of the point P are represented in the projective coordinate system (X, Y, Z) and are multiplied by a random number r ∈ Fq to obtain (rX, rY, rZ). Another method, proposed by Joye-Tymen [19], randomizes the base point P to $(r^2X, r^3Y, Z)$, and the parameters a and b are also randomized to $r^4a$ and $r^6b$. In this method the Z-coordinate can be taken as 1, which adds to the efficiency of the point multiplication.

TABLE I shows the operations involved in the EC double, EC addition and xECADDDBL algorithms. The operations considered are Multiplication (M), Squaring (S), Inversion (I) and Addition (A) in the prime field Fp. The operations are represented in the form of prime field multiplications with the assumptions [21]: S = 0.8M, A = 0.01M, and I = 30M.

2.3. Signcryption

A Signcryption scheme performs both the tasks of digital signature and encryption with better economy in computation as well as communication costs compared to the costs involved in the Signature-then-Encryption counterpart.

In a Signcryption scheme there exists a pair of algorithms (S;U), where S is the Signcryption algorithm which is used to signcrypt the message, while U is the Unsigncryption algorithm which is used to unsigncrypt the signcrypted message. (S;U) satisfy the following conditions:

1) Unique Unsigncryption: If S is used to signcrypt a message M, then U must uniquely unsigncrypt the signcrypted message back to the original message M.

2) Security: The Signcryption scheme should maintain the message security features of confidentiality of message contents, unforgeability and non-repudiation.

3) Efficient: The Signcryption method should yield better performance, both in terms of computation and communication, than the Signature-then-Encryption counterpart.

Prior to the application of algorithms (S;U) an initialization phase is introduced where the domain parameters are chosen, the keys of the sender and the receiver are generated and the suitable parameters are distributed.

In the Signcryption algorithm the sender uses its private key for signature generation and the recipient's public key to generate a secret key for symmetric encryption of the message.

In the Unsigncryption phase the recipient of the encrypted message and the signature uses his private key to obtain the same secret key.

The traditional Signcryption scheme provides direct verifiability through the sender and indirect verifiability through a judge who performs the verification with the help of the parameters provided by the recipient of the message. The judge verification phase is optionally required to ensure non-repudiation when there is a disagreement between the sender and the recipient, i.e. when the sender denies sending the message to the receiver.

TABLE I. THE COMPUTATIONS REQUIRED FOR ALGORITHM 1 AND ALGORITHM 2

| Algorithm | Parameter values | Coordinate system | Counter step against DPA attack | Computation for n = 160, in terms of M, S, A and I | Computation for n = 160, in terms of M |
|---|---|---|---|---|---|
| Algorithm 1 (Add and Double) | a ≠ –3, Z ≠ 1 | Jacobian Projective | - | (4M + 6S)(n-1) + (12M + 4S)(n-1)/2 | 2607.6M |
| Algorithm 1 (Add and Double) | a ≠ –3, Z = 1 | Jacobian Projective | - | (4M + 6S)(n-1) + (8M + 3S)(n-1)/2 | 2289.2M |
| Algorithm 1 (Add and Double) | a = –3, Z ≠ 1 | Jacobian Projective | - | (4M + 4S)(n-1) + (12M + 4S)(n-1)/2 | 2353.2M |
| Algorithm 1 (Add and Double) | a = –3, Z = 1 | Jacobian Projective | - | (4M + 4S)(n-1) + (8M + 3S)(n-1)/2 | 2034.8M |
| Algorithm 2 (Improved Montgomery ladder) + Algorithm A.1 (xECADDDBL) | a ≠ –3 | Standard Projective | Coron | (13n+7)M + (4n+1)S + 1I | 2629.8M |
| Algorithm 2 (Improved Montgomery ladder) + Algorithm A.1 (xECADDDBL) | a ≠ –3 | Standard Projective | Joye-Tymen | (13n+14)M + (4n+3)S + 1I | 2638.4M |
| Algorithm 2 (Improved Montgomery ladder) + Algorithm A.1 (xECADDDBL) | a = –3 | Standard Projective | Coron | (11n+9)M + (4n+1)S + 1I | 2311.8M |
| Algorithm A.2 (y-coordinate recovery) | - | Standard Projective | - | 13M + 2S + 1I | 44.6M |

3. The Proposed Signcryption Scheme

The proposed Signcryption scheme is based on ECC with performance advantages over the traditional Signature and then Encryption schemes. Measures to resist Side Channel Attacks (SCAs) are also taken, which were not considered in any of the previous works. The scheme provides the security properties of message confidentiality, authentication, integrity, unforgeability and non-repudiation, along with forward secrecy of message confidentiality and public verifiability. The Signcryption scheme presents a trade-off between the additional security and performance prospects with respect to the previous works [6, 10], which is discussed in the following sections.

There are four phases involved, namely the Initialization phase, Signcryption phase, Unsigncryption phase and Judge Verification phase. The Signcryption phase, Unsigncryption phase and Judge Verification phase are explained with the help of the respective algorithms.

3.1 Initialization phase

A large prime number q is selected, where $q > 2^{160}$. E is the selected elliptic curve over the finite field Fq: $y^2 \bmod q = x^3 + ax + b \bmod q$. 'a' and 'b' are smaller than q and satisfy $4a^3 + 27b^2 \bmod q \neq 0$. Some preconditions are suggested [10] so that the scheme is resistant to the attacks on the elliptic curve. The base point G of elliptic curve E(Fq) should be of a prime order n, or equivalently n · G = O, where O is an elliptic curve point at infinity, to resist the small subgroup attacks. The parameters n and q should be chosen in such a way that n < 4√q and n should not divide $q^i - 1$ for all 1 ≤ i ≤ V (where V = 20 meets the requirements), n ≠ q should be satisfied, and the curve should be non-supersingular. In order to keep the intractability of ECDLP to the Pollard-rho and Pohlig-Hellman algorithms, the condition $n > 2^{160}$ should be satisfied.

H is a one-way hash function such as SHA-1. Ek and Dk are the symmetric encryption and decryption algorithms respectively, such as AES with private key k. The private and public key pairs of the sender Alice (dA, UA) and of the receiver Bob (dB, UB) are generated, and both acquire certificates for their public keys and identifiers IDA and IDB for Alice and Bob respectively from the CA.

3.2 Signcryption Phase

The Signcryption algorithm involves the following steps, which are performed by the sender Alice.

Step 1: The intended receiver Bob's public key UB is verified by using Bob's certificate.

Step 2: Integer r is selected randomly, r ∈R [1, n – 1].

Step 3: Computes R = r ∙ G = (r1, r2).

Step 4: Computes K = r ∙ UB = x1; if K = O (point at infinity), then go to Step 2.

Step 5: k1 = H (x1 || IDA || IDB).

Step 6: A symmetric encryption algorithm is used to generate the cipher text C = Ek1(M), where the secret key k1 is the encryption key.

Step 7: Generates v = H (C || r1 || IDA || r2 || IDB).

Step 8: Computes s = dA – vr mod q.

Step 9: Sends the signcrypted text (R, C, s) to Bob.

First Alice verifies Bob's public key by verifying Bob's certificate. A number r is selected randomly from [1, n-1] and is point multiplied with the generator point G to obtain r1 and r2, the x and y coordinates of the product respectively, using the Coron method for parameter randomization, Algorithm 2, and Algorithm A.2 for y-coordinate recovery. Using the Coron method for parameter randomization and Algorithm 2, the value of K is calculated in step 4, giving the x-coordinate of the product as x1. It is checked whether K is equal to the point at infinity; if true then the random integer r is selected again, otherwise k1 is calculated. The encryption key k1 is calculated by concatenation followed by hashing of x1, IDA and IDB, where IDA and IDB are the identifiers of Alice and Bob obtained from the Certifying Authority (CA). C is derived by symmetrically encrypting message M with key k1. C, r1, IDA, r2 and IDB are concatenated. The concatenated string is hashed to obtain v. The signature s is calculated in step 8. In step 9, Alice sends the signcrypted message (R, C, s) to Bob.

3.3 Unsigncryption Phase

The Unsigncryption algorithm involves the following steps, which are performed by the recipient of the message, Bob.

Step 1: Alice's public key UA is verified by using Alice's certificate.

Step 2: Computes K = dB ∙ R = x1.

Step 3: k1 = H (x1 || IDA || IDB).

Step 4: A symmetric decryption algorithm is used to generate plain text M = Dk1(C), where the secret key k1 is used for decryption.

Step 5: Computes v = H (C || r1 || IDA || r2 || IDB).

Step 6: Verifies s∙G + v∙R = UA. If it is true then accept the message, since M is the correct plain text which was sent by Alice; otherwise reject message M.

After receiving the signcrypted message, Bob verifies Alice's public key by using Alice's certificate. K is calculated in step 2 using the Coron method for parameter randomization and Algorithm 2, where x1 is the x-coordinate of the product. The symmetric secret key k1 is derived in step 3. The cipher text C is decrypted using k1 to obtain the original message M. v is calculated identically to step 7 of the Signcryption phase. The value of (s∙G + v∙R) can be calculated using Shamir's method [20] for fast multiplication. The value thus obtained is compared with UA; if they are equal, the message is accepted since it is verified that the message was sent by Alice, otherwise the message is rejected.

3.4 Judge Verification Phase

In the judge verification algorithm the judge verifies that the message was indeed sent by Alice. The steps are identical to steps 1, 5 and 6 used by Bob for verification in the Unsigncryption algorithm.

Step 1: Alice's public key UA is verified by using Alice's certificate.

Step 2: Computes v = H (C || r1 || IDA || r2 || IDB ).

Step 3: Verifies s∙G + v∙R = UA. If it is true, then the sender Alice actually did send the message M to the recipient Bob; otherwise Alice did not send this message to the recipient Bob.
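The Unsigncryption and judge verification steps above, as an added Python example (not code from the paper), with s∙G + v∙R computed by simultaneous (Shamir) multiplication. Assumptions: secp256k1 as the curve, SHA-256 as H, a SHA-256 keystream XOR as the symmetric cipher, r1 and r2 taken as the coordinates of R, and a sender side (R = r∙G, K = r∙UB, s = dA − v∙r mod n) chosen so that the verification equation holds.

```python
import hashlib, secrets

# secp256k1 parameters: an assumed curve, the paper does not fix one
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
enc = lambda n: n.to_bytes(32, "big")                       # fixed-width integer encoding
H = lambda *parts: hashlib.sha256(b"".join(parts)).digest()  # H over the concatenation

def add(p, q):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P)
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P)
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def shamir(a, p, b, q):  # a*p + b*q in one shared double-and-add pass
    table, acc = {(1, 0): p, (0, 1): q, (1, 1): add(p, q)}, None
    for i in range(max(a.bit_length(), b.bit_length()) - 1, -1, -1):
        acc, bits = add(acc, acc), (a >> i & 1, b >> i & 1)
        if bits != (0, 0): acc = add(acc, table[bits])
    return acc

def mul(k, pt):  # plain scalar multiplication, not the SCA-resistant Algorithm 2
    return shamir(k, pt, 0, None)

def keystream_xor(key, data):  # stand-in for the symmetric cipher E/D
    ks = b"".join(H(key, enc(i)) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def v_of(C, R, ida, idb):  # v = H(C || r1 || IDA || r2 || IDB), assuming R = (r1, r2)
    return int.from_bytes(H(C, enc(R[0]), ida, enc(R[1]), idb), "big") % N

def signcrypt(M, dA, UB, ida, idb):  # assumed sender side (see lead-in)
    r = secrets.randbelow(N - 1) + 1
    R = mul(r, G)
    C = keystream_xor(H(enc(mul(r, UB)[0]), ida, idb), M)
    return R, C, (dA - v_of(C, R, ida, idb) * r) % N

def judge_verify(R, C, s, UA, ida, idb):  # judge steps 2-3: public values only
    return shamir(s, G, v_of(C, R, ida, idb), R) == UA

def unsigncrypt(R, C, s, dB, UA, ida, idb):  # Bob's steps 2-6
    k1 = H(enc(mul(dB, R)[0]), ida, idb)      # steps 2-3: K = dB*R, then k1
    M = keystream_xor(k1, C)                  # step 4: M = D_k1(C)
    return M if judge_verify(R, C, s, UA, ida, idb) else None  # steps 5-6
```

judge_verify never touches dB or k1, which is the public verifiability property. In a deployment, R should also be checked to lie on the curve before dB∙R is computed.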

4. Security Analysis

The security analysis is discussed with respect to the security features which the proposed protocol should satisfy. The identifiers of the communicating entities are also used to derive the encryption key for the message, to avoid the Unknown Key-Share (UKS) attack [7]. Even if Alice exceptionally sends the same message with the same random number r to different receivers, the signcrypted message will be different for each Signcryption, since the identifier values differ for each message.

Confidentiality – The property of confidentiality is maintained by the scheme, as the secret key k1 is derived by relying on the secrecy of r.

Authentication – The authentication property is ensured by verifying s∙G + v∙R = UA. Only if the comparison evaluates to true is the message considered to be authentic.

Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034

IJCTA | JULY-AUGUST 2011 Available [email protected]

1030

ISSN:2229-6093

Integrity – If the message content is changed, then the ciphertext C is changed to C′ and consequently a value v′ is obtained instead of v. This change is detected at the time of verification and the message gets rejected. So the integrity of the message is confirmed.

Unforgeability – For forging the message the private key of Bob (dB) is required, which is kept secured with Bob. Thus the property of unforgeability is maintained with the secrecy of the secret key dB.

Non-repudiation – In the case of denial by Alice regarding the sending of the message, Bob can send the parameters (R, C, s) required by the judge to verify and ensure the property of non-repudiation.

Forward secrecy of message confidentiality – The disclosure of the private key of Alice, dA, is not enough to decrypt the previous messages encrypted by Alice. The parameters r and v both should also be known to decrypt the messages. For each message the values of r and v are different. To obtain r and v, the ECDLP has to be solved.

Public verifiability – The steps involved in verification do not involve the session keys or the secret keys of any party. So any entity can verify without the need to decrypt the message.

Resistance against the SPA and DPA attacks – Point multiplication performed using Algorithm 2, along with the randomization of parameters using the Coron or Joye-Tymen method for parameter randomization, provides resistance to the SPA and DPA attacks respectively.

Thus the security features provided by the Signcryption scheme mainly depend on the secrecy of r and dB, which are the ephemeral and static secret keys, respectively, used in the Signcryption and Unsigncryption phases.

Algorithm 2 (SCA resistant) is not used in the point multiplication operations involved in calculating s∙G + v∙R. So the values of s and v can be obtained by the adversary through SCA. Even then the security properties are maintained by the scheme, since the random number r remains secret.

The flaws in Hwang's scheme [7] are also removed by the protocol, by carefully selecting the parameters, deriving the secret key from the random number r, and including the identifiers of the communicating parties.

In TABLE II, the comparison of the Signcryption schemes which were introduced earlier and the proposed Signcryption scheme is shown. The comparison is based on the key security features. The description 'Directly' in the Non-repudiation column means that the Signcryption scheme provides the property of non-repudiation without the need of a zero knowledge proof protocol.

5. Costs Analysis

The costs involved in the Signcryption schemes are represented in terms of the computational cost and the communication overhead. The computational cost is the operational cost in machine cycles. The communication overhead is the number of additional bits transferred, excluding the message bits. The compliance of the proposed scheme with the condition of efficiency (Section 2.3 (3)) of the Signcryption scheme is presented as follows.

5.1. Computational Cost

The computational cost is the highest for the point multiplication operation. TABLE III presents the mathematical operations involved in the different Signcryption schemes. The traditional Signature-then-Encryption method based on ECC involves 6 point multiplications. The proposed Signcryption scheme involves 5 point multiplications.

TABLE II. COMPARISON OF THE SIGNCRYPTION SCHEMES BASED ON THE SECURITY FEATURES

| Signcryption Scheme | Confidentiality | Integrity | Unforgeability | Non-repudiation | Public Verifiability | Forward Secrecy | Side Channel Attack countermeasures |
|---|---|---|---|---|---|---|---|
| Proposed Scheme | Yes | Yes | Yes | Directly | Yes | Yes | Yes |
| R.J. Hwang et al. [6] | No (a) | No (a) | No (a) | Directly | Yes | No | No |
| H.Y. Jung et al. [5] | Yes | Yes | Yes | Additional Protocol | No | Yes | No |
| C. Gamage et al. [4] | Yes | Yes | Yes | Directly | Yes | No | No |
| F. Bao & R. H. Deng [3] | Yes | Yes | Yes | Directly | Yes | No | No |
| Y. Zheng and H. Imai [2] | Yes | Yes | Yes | Additional Protocol | No | No | No |
| Y. Zheng [1] | Yes | Yes | Yes | Additional Protocol | No | No | No |

(a) According to M. Toorani and Beheshti Shirazi [7]

TABLE III. MATHEMATICAL OPERATIONS INVOLVED IN THE DIFFERENT SIGNCRYPTION SCHEMES

| Signcryption scheme | Candidate | Modular Exponentiation | Modular Division / inverse | Elliptic Curve Point Multiplication (ECPM) | Elliptic Curve Point Addition (ECPA) | Modular Multiplication | Modular Addition | Hash / Keyed Hash |
|---|---|---|---|---|---|---|---|---|
| Proposed Scheme | Alice | - | - | 2 | - | 1 | 1 | 2 |
| | Bob | - | - | 3 | 1 | - | - | 2 |
| M. Toorani & A.A. Beheshti Shirazi [10] | Alice | - | - | 2 | - | 2 | 2 | 2 |
| | Bob | - | - | 4 | 2 | - | - | 2 |
| R. J. Hwang et al. [6] | Alice | - | - | 2 | - | 1 | 1 | 1 |
| | Bob | - | - | 3 | 1 | - | - | 1 |
| H.Y. Jung et al. [5] | Alice | 2 | 1 | - | - | - | 1 | 2 |
| | Bob | 3 | - | - | - | 1 | - | 2 |
| C. Gamage et al. [4] | Alice | 2 | 1 | - | - | - | 1 | 2 |
| | Bob | 3 | - | - | - | 1 | - | 2 |
| F. Bao & R. H. Deng [3] | Alice | 2 | 1 | - | - | - | 1 | 3 |
| | Bob | 3 | - | - | - | 1 | - | 3 |
| Y. Zheng and H. Imai [2] | Alice | - | 1 | 1 | - | 1 | 1 | 2 |
| | Bob | - | - | 2 | 1 | 2 | - | 2 |
| Y. Zheng [1] | Alice | 1 | 1 | - | - | - | 1 | 2 |
| | Bob | 2 | - | - | - | 2 | - | 2 |

Both schemes have an expression of the form (aP + bQ), to which Shamir's method [20] for simultaneous point multiplication can be applied, thus reducing 2 point multiplications to 1.17 point multiplications [2].

Accordingly, the number of point multiplications is reduced from 6 to 5.17 and from 5 to 4.17, respectively. The cost of computation for the Signature-then-Encryption scheme is calculated by referring to Table I for the minimum value of the number of modular multiplications (M) for Algorithm 1 (Add and Double). The value obtained is multiplied by the number of point multiplications involved in the Signature-then-Encryption scheme:

5.17 × 2034.8M = 10520M.

Similarly, the cost of the proposed scheme is calculated by considering the minimum value of the number of modular multiplications (M) for Algorithm 1 (Add and Double) as well as for Algorithm 2 (Improved Montgomery ladder) + Algorithm A.1 (xECADDDBL) and Algorithm A.2 (y-coordinate recovery), respectively:

((1.17 × 2034.8M) + (2 × (2311.8M)) + 44.6M) = 9361M.

Thus the saving in the computational cost is:

Saving (%) = (10520M – 9361M) / 10520M = 11%

The saving in computation is 11% compared to the Signature-then-Encrypt scheme based on ECC.

To compare the proposed Signcryption scheme with the previous works, graphs have been plotted for the combinations of the values of the domain parameters a and Z, thus giving an idea of the computational cost of the Signcryption scheme for a range of curves (Figures 2-5).

It can be derived from the statistics that the best case is when a = –3 and Z ≠ 1. The saving in the Signcryption phase of the proposed scheme, compared to the other two schemes, is 0.8%. In the Unsigncryption phase the saving compared to the M. Toorani and A.A.B. Shirazi scheme [10] is 34% and compared to the R.J. Hwang et al. scheme [6] is 0.6%.

It can be observed that even if the Signcryption phase is costlier in most of the cases, the Unsigncryption phase is always economical compared to the M. Toorani and A.A.B. Shirazi scheme [10].

Figure 2. Comparison of the various Signcryption schemes with a ≠ –3 and Z ≠ 1.

Figure 3. Comparison of the various Signcryption schemes with a ≠ –3 and Z = 1.

Figure 4. Comparison of the various Signcryption schemes with a = –3 and Z ≠ 1.

Figure 5. Comparison of the various Signcryption schemes with a = –3 and Z = 1.

5.2. Communicational Cost

The proposed scheme involves a lower communication cost than its Signature-then-Encrypt counterpart based on ECC. Some assumptions are made regarding the number of bits which are transferred:

|q| ≈ |p^m|; here the elliptic curve is defined over the prime field E(F_(p^m)), where m = 1.

|H| = ½ |q|.

Point compression is used to represent the points belonging to the elliptic curve E.

Here p is a prime, m is an integer, q is a large prime having size approximately equal to |p^m|, and H is a one-way hash function.

The communication overhead measured in bits for Signature-then-Encryption [2] (based on SECDSS1 and ElGamal encryption) is:

|H(∙)| + |q| + |p^m + 1| ≈ |H(∙)| + 2|q|

The communication overhead measured in bits for the proposed Signcryption scheme is:

|q| + |q + 1| ≈ 2|q|

Economy = ((|H(∙)| + 2|q|) – (2|q|)) / (|H(∙)| + 2|q|) = 20%

The saving in communication overhead is 20% compared to the Signature-then-Encrypt scheme based on ECC.

6. Conclusion

In this paper we have discussed a Signcryption scheme which provides the security properties of message confidentiality, authentication, integrity, unforgeability and non-repudiation (without the need of a zero knowledge proof protocol), along with forward secrecy of message confidentiality and public verifiability. Measures against SCA are also considered by the proposed method, which the previous works did not consider. Signcryption along with the deployment of ECC has tremendous scope, attributed to the suitability in constrained environments due to and savings in computational and communicational overhead.

7. References

[1] Yuliang Zheng, “Digital signcryption or How to Achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(Encryption)”, Advances in Cryptology (Crypto'97), LNCS Vol. 1294, Springer-Verlag, 1997, pp. 165–179.

[2] Yuliang Zheng and Hideki Imai, “How to construct efficient signcryption schemes on elliptic curves”, Information Processing Letters, Vol. 68, Issue 5, 1998 pp. 227–233.

[3] F. Bao, R.H. Deng, “A signcryption scheme with signature directly verifiable by public key”, Proceedings of PKC98, LNCS 1431, Springer-Verlag, 1998, pp. 55–59.

[4] C. Gamage, J. Leiwo, Y. Zheng, “Encrypted message authentication by firewalls”, Proceedings of 1999 International Workshop on Practice and Theory in Public Key Cryptography (PKC99), LNCS 1560, Springer-Verlag, 1999, pp. 69–81.

[5] H.Y. Jung, K.S. Chang, D.H. Lee, J.I. Lim, “Signcryption schemes with forward secrecy”, Proceeding of WISA 2, 2001, pp. 403–475.

[6] Ren-Junn Hwang, Chih-Hua Lai and Feng-Fu Su, “An Efficient Signcryption Scheme with Forward Secrecy Based on Elliptic Curve”, Applied Mathematics and Computation, Vol. 167, No. 2, Elsevier Inc., New York, 2005, pp. 870-881.

[7] Mohsen Toorani, Ali Asghar Beheshti Shirazi, “Cryptanalysis of an efficient signcryption scheme with forward secrecy based on elliptic curve”, International Conference on Computer and Electrical Engineering (ICCEE'08), 2008, pp.428-432.

[8] Jun-Bum Shin, Kwangsu Lee and Kyungah Shim, “New DSA-Verifiable Signcryption Schemes”, Information Security and Cryptology — ICISC 2002, LNCS 2587, Springer-Verlag , 2003 , pp. 35–47.

[9] Raylin Tso, “Signcryption Scheme with Standardized Verification Algorithm”, IEEE Asia-Pacific Services Computing Conference (APSCC), 2008, pp. 1369-1374.

[10] Mohsen Toorani and Ali Asghar Beheshti Shirazi, “An Elliptic Curve-based Signcryption Scheme with Forward Secrecy”, Journal of Applied Sciences, Vol. 9, No. 6 , 2009, pp. 1025-1035.

[11] Anoop MS, “ Elliptic Curve Cryptography - An implementation guide”, May 2007.

[12] Darrel Hankerson, Alfred Menezes and Scott Vanstone, Guide to Elliptic Curve Cryptography, Springer-Verlag New York, 2004.

[13] Certicom Research, “SEC 1: Elliptic Curve Cryptography, Version1.0”, Certicom Corporation, September 2000.

[14] J. Coron, “Resistance against differential power analysis for elliptic curve cryptosystems,” CHES’99, LNCS 1717, Springer-Verlag, 1999, pp.292–302.

[15] Peter L. Montgomery, “Speeding the Pollard and elliptic curve methods for factorizations,” Mathematics of Computation, Vol.48, Issue 177, 1987, pp.243–264.

[16] E. Brier and M. Joye, “Weierstraß Elliptic Curves and Side-Channel Attacks,” PKC2002, LNCS, Vol. 2274, Springer-Verlag, 2002, pp.335–345.

[17] T. Izu and T. Takagi, “A fast parallel elliptic curve multiplication resistant against side channel attacks,” PKC 2002, LNCS, Vol. 2274, 2002, pp.280–296.

[18] T. Izu and T. Takagi, “Fast Elliptic Curve Multiplications Resistant against Side Channel Attacks,” IEICE Trans. Fundamentals, Vol. E88-A, No.1, 2005, pp.161–170.

[19] M. Joye and C. Tymen, “Protections against differential analysis for elliptic curve cryptography,” CHES2001, LNCS 2162, Springer-Verlag, 2001, pp.377–390.

[20] ElGamal, “A public-key cryptosystem and signature scheme based on discrete logarithms,” The IEEE Transactions on Information Theory, Vol. 31, 1985, pp 469-472.

[21] K. Okeya, H. Kurumatani, and K. Sakurai, “Elliptic curves with the Montgomery form and their cryptographic applications,” PKC2000, LNCS, Vol. 1751, Springer-Verlag, 2000, pp.446–465.

Appendix A: Algorithm A.1, Algorithm A.2 and Algorithm A.3.

Algorithm A.1: xECADDDBL Algorithm.

Algorithm A.2: Algorithm for y-coordinate recovery.

Algorithm A.3: xECDBL Algorithm.
