DESIGN AND ANALYSIS OF MULTI RECEIVER
SIGNCRYPTION SCHEMES ON ELLIPTIC CURVES
NIZAMUD DIN
DEPARTMENT OF INFORMATION TECHNOLOGY
HAZARA UNIVERSITY MANSEHRA
2016
DESIGN AND ANALYSIS OF MULTI RECEIVER
SIGNCRYPTION SCHEMES ON ELLIPTIC CURVES
SUBMITTED BY NIZAMUD DIN
RESEARCH SUPERVISOR DR. ARIF IQBAL UMAR
Assistant Professor
Department of Information Technology
DEPARTMENT OF INFORMATION TECHNOLOGY
HAZARA UNIVERSITY MANSEHRA
2016
DEDICATION
To those who dedicated their lives to serve Humanity
CONTENTS
ABBREVIATIONS ... x
LIST OF TABLES ... xii
LIST OF FIGURES ... xiv
ACKNOWLEDGEMENTS ... xv
ABSTRACT ... xvi
CHAPTER 1 ... 1
1 INTRODUCTION ... 1
1.1 MULTICAST SECURITY ... 2
1.2 ELLIPTIC CURVE CRYPTOGRAPHY IN PRACTICE ... 3
1.3 MULTI RECEIVER SIGNCRYPTION ... 4
1.4 MOTIVATION ... 5
1.5 RESEARCH QUESTION ... 5
1.6 PROPOSED SOLUTION ... 6
1.7 OBJECTIVE ... 6
1.8 THESIS ORGANIZATION ... 6
CHAPTER 2 ... 7
2 INTRODUCTION ... 8
2.1 ALGEBRAIC STRUCTURES ... 8
2.2 ELLIPTIC CURVES ... 9
2.2.1 Points on Elliptic Curve ... 9
2.2.2 Elliptic Curve Point Addition ... 10
2.2.3 Elliptic Curve Point Scalar Multiplication ... 11
2.2.4 Kinds of Elliptic Curves ... 11
2.2.5 Choice of Base Points ... 11
2.2.6 Recommended Elliptic Curves ... 12
2.3 LITERATURE REVIEW ... 12
2.3.1 Multi Receiver Encryption Schemes ... 12
2.3.2 Signcryption Schemes Based on Elliptic Curves ... 13
2.3.3 Multi Message Signcryption Schemes ... 14
2.3.4 Multi Receiver Signcryption Schemes in PKI ... 14
2.3.5 ID based Multi Receiver Signcryption Schemes ... 18
2.3.6 Certificateless Multi Receiver Signcryption Schemes ... 23
CHAPTER 3 ... 24
3 INTRODUCTION ... 24
3.1 BILINEAR PAIRING ... 24
3.2 COMPUTATIONAL PRIMITIVES ... 24
3.3 PUBLIC KEY CRYPTOGRAPHY ... 26
3.3.1 Public Key Infrastructure ... 26
3.3.2 Identity-Based Encryption ... 27
3.3.3 Certificateless Cryptography ... 27
3.4 FORMAL MODELS ... 28
3.4.1 Key Generation ... 28
3.4.2 Multi Receiver Public Key Encryption ... 28
3.4.3 Digital Signature ... 28
3.4.4 Multi Receiver Signcryption ... 29
3.4.5 Generalized Multi Receiver Signcryption ... 29
3.4.6 Blind Multi Receiver Signcryption ... 30
3.4.7 Proxy Multi Receiver Signcryption ... 31
3.5 SECURITY PARAMETERS OF MULTI RECEIVER SIGNCRYPTION ... 32
3.5.1 Confidentiality ... 32
3.5.2 Authenticity ... 32
3.5.3 Non Repudiation ... 32
3.5.4 Forward Secrecy ... 32
3.5.5 Sender Anonymity ... 32
3.5.6 Sender Message Unlinkability ... 33
3.5.7 Message Public Verifiability ... 33
3.5.8 Ciphertext Public Verifiability ... 33
3.5.9 Random Oracle ... 33
3.5.10 Indistinguishability-Adaptive Chosen Ciphertext Attack ... 33
3.5.11 Existentially Unforgeable-Adaptive Chosen Message Attack ... 34
3.6 COST ANALYSIS PARAMETERS OF MULTI RECEIVER SIGNCRYPTION ... 35
3.6.1 Computational Cost Analysis ... 35
3.6.2 Communication Cost/Overhead Analysis ... 36
CHAPTER 4 ... 37
4 INTRODUCTION ... 37
4.1 AN EFFICIENT MULTI RECEIVER SIGNCRYPTION SCHEME ... 38
4.1.1 Setup ... 38
4.1.2 Key Generation ... 38
4.1.3 Multi-Receiver Signcryption ... 38
4.1.4 Unsigncryption ... 39
4.1.5 Analysis of MRSC ... 40
4.1.5.3 Efficiency Analysis ... 45
4.2 MULTI RECEIVER SIGNCRYPTION SCHEME WITH FORWARD SECRECY ... 47
4.2.1 Setup ... 47
4.2.2 Key Generation ... 47
4.2.3 Multi Receiver Signcryption ... 47
4.2.4 Unsigncryption ... 48
4.2.5 Analysis of MRSCFS ... 49
4.3 MULTI-RECEIVER SIGNCRYPTION FOR FIREWALL ... 53
4.3.1 Setup ... 53
4.3.2 Key Generation ... 54
4.3.3 Multi Receiver Signcryption ... 54
4.3.4 Verification by Firewalls ... 54
4.3.5 Unsigncryption ... 55
4.3.6 Analysis of MESCFV ... 55
4.4 GENERALIZED MULTI RECEIVER SIGNCRYPTION ... 60
4.4.1 Setup ... 60
4.4.2 Key Generation ... 60
4.4.3 Generalized Signcryption ... 61
4.4.4 Generalized Unsigncryption ... 61
4.4.5 Generalized Signcryption in Different Modes ... 62
4.4.6 Analysis of GMRSC ... 66
4.5 BLIND MULTI RECEIVER SIGNCRYPTION SCHEME ... 72
4.5.1 Participants ... 73
4.5.2 Setup ... 74
4.5.3 Key Generation ... 74
4.5.4 Blind Multi Receiver Signcryption ... 74
4.5.5 Blind Unsigncryption ... 76
4.5.6 Analysis of BMRSC ... 77
4.6 PROXY MULTI RECEIVER SIGNCRYPTION SCHEME ... 81
4.6.1 Setup ... 83
4.6.2 Key Generation ... 83
4.6.3 Proxy Warrant Generation ... 83
4.6.4 Proxy Warrant Verification ... 83
4.6.5 Proxy Multi Receiver Signcryption ... 84
4.6.6 Proxy Unsigncryption ... 84
4.6.7 Analysis of PMRSC ... 85
CHAPTER 5 ... 90
5.1 CONCLUSION ... 90
5.2 FUTURE WORK ... 92
REFERENCES ... 93
ABBREVIATIONS
Certificate Authority
A finite field of order where
where
A base point on elliptic curve with order
Private key of user
Public key of user where
Hash Function
Keyed Hash Function
Symmetric Encryption
Symmetric Decryption
Message/Ciphertext
Reject
Randomly Generated Numbers
Random Oracle Model
Standard Model
Confidentiality
Integrity
Authenticity
Unforgeability
Non-Repudiation
Ciphertext Verifiability
Forward Secrecy
Number of receivers in the multicast group
Modular Exponentiation
Elliptic Curve Point Scalar Multiplication
Time required for one Elliptic Curve Point Scalar Multiplication
Time required for one Modular Exponentiation
Time required for one Modular Addition
Time required for one Elliptic Curve Point Addition
Time required for one Symmetric encryption
Time required for one Symmetric decryption
Time required for one hash
LIST OF TABLES
TABLE NO | DESCRIPTION | PAGE NO
1.1 | NIST Recommended Key Size (bits) Comparison | 4
2.1 | Security Comparison of DLP Based MRSC | 15
2.2 | Cost Analysis of DLP Based MRSC | 16
2.3 | Security Analysis of ECDLP Based GMRSC | 16
2.4 | Cost Analysis of ECDLP Based GMRSC | 17
2.5 | Security Analysis of Bilinear Pairing Based MRSC | 17
2.6 | Cost Analysis of Bilinear Pairing Based MRSC | 17
2.7 | Security Analysis of Bilinear Pairing Based GMRSC | 18
2.8 | Cost Analysis of Bilinear Pairing Based GMRSC | 18
2.9 | Security Analysis of ID Based MRSC | 20
2.10 | Cost Analysis of ID Based MRSC | 20
2.11 | Security Analysis of ID Based Anonymous MRSC | 21
2.12 | Cost Analysis of ID Based Anonymous MRSC | 22
2.13 | Security Analysis of ID Based GMRSC | 22
2.14 | Cost Analysis of ID Based GMRSC | 22
2.15 | Security Analysis of Certificateless MRSC | 23
2.16 | Cost Analysis of Certificateless MRSC | 23
3.1 | NIST Recommended Crypto Primitives and Key Sizes | 36
4.1 | Computational cost comparison of existing schemes and proposed MRSC | 46
4.2 | Communication overhead comparison of existing schemes and proposed MRSC | 46
4.3 | Computational cost comparison of existing schemes and proposed MRSCFS | 51
4.4 | Communication overhead comparison of existing schemes and proposed MRSCFS | 52
4.5 | Computational cost comparison of existing schemes and proposed MRSCFV | 59
4.6 | Communication overhead comparison of existing schemes and proposed MRSCFV | 59
4.7 | Security Analysis of proposed GMRSC | 69
4.8 | Computational cost comparison of existing schemes and proposed GMRSC | 70
4.9 | Communication overhead comparison of existing schemes and proposed GMRSC | 71
4.10 | Security Analysis of proposed BMRSC | 80
4.11 | Computational cost analysis of proposed BMRSC | 80
4.12 | Communication overhead of proposed BMRSC | 80
4.13 | Computational cost analysis of PMRSC | 89
4.14 | Computational overhead analysis of PMRSC | 89
LIST OF FIGURES
FIGURE NO | DESCRIPTION | PAGE NO
1.1 | Multicast Communication | 1
2.1 | Algebraic Structures |
2.2 | Elliptic Curves Over Fq | 9
2.3 | Geometric Addition and Doubling of E Points | 10
4.1 | Application-Level Firewalls for Incoming Message Authentication | 53
4.2 | Blind Multi Receiver Signcryption | 73
4.3 | Proxy Multi Receiver Signcryption | 82
ACKNOWLEDGEMENTS
I would like to express my immense gratitude to my advisor Dr. Arif Iqbal Umar for
his support, enthusiasm and motivation during my PhD study. It would not have been
successful without his unreserved support and kind assistance.
Special thanks to Mr. Noor ul Amin for all his care, guidance and love. Without his
guidance, support, encouragement and help it would not have been possible to start
and complete this thesis. He taught me to believe in patience as a key to success.
Thanks to PhD pre-submission Committee Chair Prof. Dr. Habib Ahmed (TI) and
committee members Dr. Mohsin Nawaz, Dr. Saleem Abdullah and Dr. Bin Amin for
valuable feedback.
I express my most sincere appreciation to my ex-advisor Shehzad Ashraf Chaudhry
at International Islamic University Islamabad. Shehzad was very kind, provided me a
labyrinthine research environment and insisted that I pursue higher study.
I express my special thanks to my parents for their unconditional love, prayers and
for giving me the freedom to pursue my own interests. I am also grateful to my brothers,
sisters and all family members. Thanks to Bai Jan and his family members for
astonishing hospitality during my postgraduate study.
Thanks to Abdul Waheed and Jawaid Iqbal, who gave me a lot of delightful hours and
always accompanied me in my bright and dark times.
Thanks to all my research fellows for all the great ideas, discussions and arguments. They
are Abdul Baser, Arifa Rasheed, Asfandyar Khan, Hizbullah, Junaid Iqbal,
Mohibullah, Riaz Ullah, Shamsherullah, Sagheer Ahmad Jan, Taayba Bibi, Zahab
Khan and Zill-e-Huma.
Thanks to Muaz and Masab, my cute flowers and source of happiness. Finally, yet
importantly, I am sincerely grateful to my wife and love for her support,
understanding and endless care throughout the duration of my postgraduate study.
To all of you, thank you very much!
Nizamud Din
ABSTRACT
Multicast is an efficient means of disseminating information to a set of nodes. It uses
less bandwidth and fewer communication resources than unicast. Secure multicast
preserves the confidentiality and authenticity of information for legitimate group
members and has been adopted in the emerging commercialization of wireless
applications.
Elliptic curve cryptography (ECC) has promising industrial attraction. The National
Security Agency (NSA) of the USA purchased a license for ECC from Certicom. It will
use ECC in its Cryptographic Modernization Initiative, which aims to replace about
1.3 million existing pieces of security equipment over the next 10 years. Public Key
Infrastructure (PKI) is the most popular centralized and hierarchical infrastructure;
it consists of trusted third parties, the registration authority and the certificate
authority, and provides a solution for proving the authenticity of public keys.
Multi receiver signcryption ensures confidential and authenticated dissemination of
information to multicast group members, replacing the combination of multi recipient
encryption and digital signature. It is attractive for stateful secure multicast, to
distribute and update session keys, and for stateless secure multicast, to disseminate
multicast messages.
In this thesis, we propose six multi-receiver signcryption schemes on elliptic curves
in the PKI setting.
First, the multi-receiver signcryption scheme provides confidential and
authenticated multicast session key agreement and instant secure message
communication. It is efficient in terms of computation and communication cost and
suitable for secure multicast communication.
Second, multi receiver signcryption with forward secrecy adds forward secrecy of
messages. It ensures confidentiality even if an attacker has stolen the sender's
private key. Its low communication overhead could make this construction a better
option for resource constrained secure multicast communication.
Third, multi receiver signcryption for firewalls adds encrypted message
authentication. It enables a firewall to verify an encrypted message without
disclosing the message contents and without obtaining any secret parameter from the
participants. In case of dispute, a judge can also verify the authenticity of the
ciphertext and settle the dispute without obtaining any secret parameter from the
participants. Its security attributes and cost effectiveness make it a suitable choice
for efficient and secure multicast firewall applications.
Fourth, the generalized multi receiver signcryption scheme based on elliptic curves
provides digital signature, multi receiver encryption or multi receiver signcryption
with a single algorithm.
Fifth, the blind multi receiver signcryption scheme adds sender anonymity. It is
significant in applications such as privacy preserving multicast communication,
electronic voting and payment systems, where it protects the sender's privacy and
guarantees freedom of thought and freedom of opinion.
Sixth, the proxy multi receiver signcryption scheme allows a designated proxy agent
to carry out multicast communication on behalf of the original user. It has
applications in privilege delegation, an essential service in modern enterprises and
organizations to extend and operate business via a designated agent during temporary
absence, lack of time or lack of processing capability.
Chapter 1
INTRODUCTION
1 Introduction
Multicast is an efficient means of disseminating information to a set of nodes.
Compared to unicast, multicast uses less bandwidth and fewer communication
resources. Each router along the multicast path may forward a received packet
through several of its interfaces. Mockapetris (1983) first analyzed and compared
several families of reliable multicast transmission for LANs such as Ethernet
(Corporation 1981) and Token Ring (Donnan 1985).
For internetworks using IP routers, Deering (1991) first proposed a multicast service
model called the Host Group Model (HGM) and proposed store-and-forward
algorithms for multicasting in a datagram internetwork. According to HGM,
internetwork multicast groups may be of arbitrary size, members may change
membership dynamically, and groups may be local or global in scope. A sender need
not be a member of the multicast group and need not know the membership of the
group.
Wireless network standards committees, including IEEE 802.16 and 3GPP, have
standardized Multicast Broadcast Services (MBS), which can commercialize
efficient group communications (Park et al. 2013).
Fig. 1.1 Multicast Communication
Multicast communication is broadly categorized as one-to-many multicast and
many-to-many multicast.
In one-to-many multicast, one sender disseminates information to a group of
receivers called the multicast group members. Applications are:
• Push media such as news headlines, sports scores, and weather updates
multicast (Islam & Atwood 2007)
• Distributed applications, e.g. distributed simulations (Holbrook et al. 1995) and
file multicasting with forward error correction (Gemmell & Gray 2000)
• Distributed databases (Gifford 1979), where a user can process queries in
parallel on multiple database servers
• Announcements of network time and session schedules, e.g. the Session
Announcement Protocol (SAP) (Handley 2000)
In many-to-many multicast, each user in the multicast group shares a common
communication channel, and most or all multicast group members can disseminate
multicast messages and receive the multicast messages of other senders in the group
as well (Ding et al. 2013).
It has applications in emerging multimedia networks such as:
• Multi-player gaming, chat groups
• Multimedia conferencing/interactive distance learning
• Distributed interactive simulations
1.1 Multicast Security
Secure multicast, which preserves the confidentiality and integrity of information
for legitimate group members, is adopted in emerging wireless applications (Tran et
al. 2013; Nicanfar et al. 2014; Keoh et al. 2014; Wang et al. 2014; Rajamanickam &
Veerappan 2014; Yavuz 2014) for successful multicast commercialization. A secure
multicast system is categorized as stateless or stateful:
In stateful secure multicast, users are provided with keys that may be updated after
a new user joins or an existing user is revoked. Multicast group keys are shared with
group members using multicast signcryption, and the multicast messages are
encrypted with these keys. The problem with this approach is key management:
rekeying is needed whenever members join or leave the group, and to obtain the
latest group key a receiver must be stateful and always online.
In stateless secure multicast, users have long-term private and public keys that
never change throughout the system lifetime. Messages are signcrypted using
multicast signcryption and multicast to the group members. This approach has low
key storage and no key update cost, but higher computation and communication
cost compared to stateful secure multicast (Curtmola 2007).
1.2 Elliptic Curve Cryptography in Practice
In 1985, Koblitz (1987) of Washington University and Miller (1994) of IBM
independently designed elliptic curve public-key cryptography (ECC). Victor
Miller's talk at Crypto '85 excited Scott Alexander Vanstone, a Professor of
Mathematics and Computer Science at the University of Waterloo and head of the
company Certicom (Kapoor et al. 2008). At Certicom he focused much of his research
on the security analysis of ECC and on optimizing its implementation for scarce
resource environments, such as smart cards and wireless handheld computers.
Although it should be made clear that Certicom was not explicitly founded for ECC
research (Anon n.d.), it holds more than 130 patents related to ECC.
The National Security Agency (NSA) of the USA purchased a license for ECC from
Certicom to protect the information of the US and allied governments. It plans to use
ECC with the key sizes (256, 384 and 521 bits) published by NIST to protect both
unclassified and classified national security information. It will use ECC for key
agreement and digital signatures in the US DoD under its Cryptographic
Modernization Initiative, which aims to replace about 1.3 million pieces of security
equipment in the next 10 years. Moreover, NATO nations such as the USA, UK and
Canada have adopted ECC for the protection of intra and inter exchange of classified
information (Service(NSA/CSS) & Service(NSA/CSS) 2009).
Cryptographic sanity checks (Bos et al. 2014) explore the insufficient entropy and
implementation bugs of ECC deployed in Bitcoin, SSH, TLS, and the Austrian citizen
card.
Table 1.1 NIST Recommended Key Size (bits) Comparison
Symmetric Encryption | RSA and Diffie-Hellman (DH) | Elliptic Curves (ECC) | Ratio of RSA/DH : ECC
80  | 1024  | 160 | 3:1
112 | 2048  | 224 | 6:1
128 | 3072  | 256 | 10:1
192 | 7680  | 384 | 32:1
256 | 15360 | 521 | 64:1
1.3 Multi Receiver Signcryption
The word signcryption, coined by Zheng (Zheng 1997), combines digital signature
(DS) and public key encryption (PKE) into a single logical step, based on the El-Gamal
cryptosystem. In comparison to DSS with El-Gamal encryption, the first signcryption
scheme reduces computational cost by 50% and communication cost by 76.8% to
96.0%. It attracted attention in resource constrained environments due to its cost
efficiency and has applications in MANETs (Holzinger et al. 2010; Bohio & Miri
2004; Vijayan R 2011; Yavuz, Alagoz, et al. 2006; Yavuz et al. 2010; Chuanrong &
Hong 2009), sensor networks (In Tae Kim & Seong Oun Hwang 2011; Li & Xiong
2013), satellite communication, electronic and mobile commerce (Wang & Li 2004;
Chiu et al. 2000), etc.
Multi receiver signcryption by Zhang (1998) ensures confidential and authenticated
dissemination of information to multicast group members, replacing the combination
of a multi recipient encryption scheme (Kurosawa 2002) and a digital signature. The
multi receiver signcryption schemes proposed since then are reviewed in the
literature review section. Multi receiver signcryption is the best choice for stateful
secure multicast, to distribute and update session keys, and for stateless secure
multicast, to disseminate multicast messages.
1.4 Motivation
Elliptic curves have attracted industry attention in the most widespread Public Key
Infrastructure (PKI). Multi receiver signcryption schemes based on elliptic curves
are significant due to their cost efficiency and are a suitable choice for smart and
secure multicast communication. However, unlike signcryption schemes, only minor
contributions have been reported for multi receiver signcryption, and for multi
receiver signcryption with additional properties such as forward secrecy, public
verifiability, blindness (sender anonymity) and proxy (designated agents) no
contribution has been noted in the literature.
1.5 Research Question
The thesis addresses the following research questions:
Q 1 How to design an efficient multi receiver signcryption scheme using elliptic curves?
Q 2 How to design a multi receiver signcryption scheme with forward secrecy using elliptic curves?
Q 3 How to design a multi receiver signcryption scheme with firewalls verifiability using elliptic curves?
Q 4 How to design a generalized multi receiver signcryption scheme using elliptic curves?
Q 5 How to design a blind multi receiver signcryption scheme using elliptic curves?
Q 6 How to design a proxy multi receiver signcryption scheme using elliptic curves?
1.6 Proposed Solution
This study proposes six multi receiver signcryption schemes, each with different
application requirements, using elliptic curves as a solution for secure multicast
communication:
First, an efficient multi receiver signcryption scheme using elliptic curves.
Second, a multi receiver signcryption scheme with forward secrecy using elliptic
curves.
Third, a multi receiver signcryption scheme with firewalls verifiability using
elliptic curves.
Fourth, a generalized multi receiver signcryption scheme using elliptic curves.
Fifth, a blind multi receiver signcryption scheme using elliptic curves.
Sixth, a proxy multi receiver signcryption scheme using elliptic curves.
1.7 Objective
The proposed research work is to design efficient signcryption schemes based on
ECC, which has attracted industry attention in the most widespread Public Key
Infrastructure (PKI). We propose six schemes: an efficient multi receiver
signcryption scheme, one with forward secrecy, one with firewalls verifiability, a
generalized one (signature, encryption, signcryption), a blind one (sender
anonymous) and a proxy one (designated agents), all for secure multicast
communication. The proposed schemes have applications both in stateful secure
multicast, to securely disseminate and update keys with group members, and in
stateless secure multicast, to disseminate multicast messages.
1.8 Thesis Organization
Chapter 1 consists of the introduction, motivation, research questions, proposed
solution and objective. Chapter 2 provides the background study and a detailed
literature review. Chapter 3 consists of materials and methods, basic formal models,
security parameters and cost analysis parameters. Chapter 4 consists of the proposed
solutions, results and discussion. Chapter 5 concludes the thesis and presents some
possible future directions.
Chapter 2
BACKGROUND STUDY
2 Introduction
Public key cryptosystems are purely mathematical, and their security is based on the
hardness of solving various mathematical problems. This chapter presents the basics
of abstract algebraic structures, elliptic curve cryptography and the security notions
of signcryption. The interested reader may consult [40, 41] for abstract algebra, [42]
for number theory, (Hankerson et al. 2006) for elliptic curves and (Dodis 2010) for
the security notions of signcryption.
2.1 Algebraic Structures
An algebraic structure generally refers to a set (the underlying set) with one or more finitary operations (operations taking a finite number of inputs) defined on it, such as a group, ring or field.
An additive group is formed by a set under an addition operator, and a multiplicative group by a set under a multiplication operator, each satisfying certain axioms. A field is formed by a set under two binary arithmetic operators satisfying certain axioms. Algebraic structures are shown in Figure 2.1.
Fig.2. 1 Algebraic Structures
2.2 Elliptic Curves
Let be a finite field of prime order. An elliptic curve (EC) is a smooth projective curve of genus one having at least one rational point. It can be defined over in two-dimensional coordinates by the short Weierstrass equation
, where .
Let be an elliptic curve defined over . The number of points in is denoted ; according to Hasse's theorem .
Fig. 2.2 Elliptic Curves over Fq
2.2.1 Points on Elliptic Curve
The rational points on , together with a special point at infinity (denoted ), form an abelian group of order under the addition operator. This group is cyclic and has a fixed generator , usually called the base point.
Let be points on , with the special point at infinity :
1. (Closure Under Addition)
2. (Associative Under Addition)
3. ( is Additive Identity )
4. (Additive Inverse )
5. (Commutative Under Addition )
2.2.2 Elliptic Curve Point Addition
Points on elliptic curves are added using a geometric method, which serves understanding, and an algebraic method, which is derived from the geometric one and is used in real cryptographic applications.
Geometrically, point addition and doubling are performed as follows. Let and be two points on . The sum is the reflection of the third point at which the line through intersects the curve (for doubling, the tangent at the point is used), as shown in Figure 2.3:
Fig. 2.3 Geometric addition (Points Addition) and doubling (Point Doubling) of points on E
Algebraically, two points on are added using the chord-and-tangent rule as in Algorithm 2.1 to give a third point in .
Algorithm 2.1 Elliptic Curve Points Addition
Input ; )
Out Put
1.
2.
Return
2.2.3 Elliptic Curve Point Scalar Multiplication
Elliptic curve point scalar multiplication is performed by the MSB-set comb method of (Feng et al. 2006); on average point doublings and point additions are required.
Algorithm 2.2 Elliptic Curve Point Scalar Multiplication
Input: A point , an integer
Output:
Pre-computation Stage:
1. Require
2. Compute
3.
Evaluation Stage
4. For
If then else
End for
5. Return
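The arithmetic of Sections 2.2.1 to 2.2.3, as an added worked example that is not part of the original thesis: it implements the chord-and-tangent rule of Algorithm 2.1, checks the five group axioms and the Hasse bound on concrete points, and performs scalar multiplication. The scalar multiplication uses plain left-to-right double-and-add, which is an assumption of this example and simpler than the MSB-set comb method the text cites; the curve y^2 = x^3 + 2x + 3 over F_97 and the base point (3, 6) are constructed toy values with no security, chosen so that brute-force point counting stays feasible.

```python
"""Toy elliptic-curve arithmetic over a prime field (added example).

Implements the chord-and-tangent addition of Algorithm 2.1, checks the group
axioms of Section 2.2.1 and the Hasse bound of Section 2.2, and performs scalar
multiplication by plain double-and-add.  The double-and-add loop is an
assumption of this example: the text cites the MSB-set comb method of
(Feng et al. 2006), which trades a precomputed table for fewer additions.
The curve y^2 = x^3 + 2x + 3 over F_97 and the base point (3, 6) are
constructed toy values with no security.
"""

INF = None  # the point at infinity O, the additive identity of E(F_p)


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p, p > 3 prime."""

    def __init__(self, p, a, b):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 mod p")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        if P is INF:
            return INF
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent rule: the line through P and Q (the tangent when
        P == Q) meets E in a third point; its reflection in the x-axis is P + Q."""
        p = self.p
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return INF  # Q = -P: the line is vertical, so P + Q = O
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p  # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """k*P by left-to-right double-and-add: one doubling per bit of k and
        one addition per set bit."""
        R = INF
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def points(self):
        """Every rational point plus O, by brute force (toy field sizes only)."""
        pts = [INF]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if y * y % self.p == rhs]
        return pts

    def order_of(self, P):
        """Smallest n >= 1 with n*P = O."""
        n, R = 1, P
        while R is not INF:
            R, n = self.add(R, P), n + 1
        return n


def hasse_bound_holds(curve):
    """Hasse: |#E(F_p) - (p + 1)| <= 2*sqrt(p), i.e. (#E - p - 1)^2 <= 4p."""
    return (len(curve.points()) - curve.p - 1) ** 2 <= 4 * curve.p


def group_axioms_hold(curve, P, Q, R):
    """The five axioms listed in Section 2.2.1, checked on concrete points."""
    add, neg = curve.add, curve.neg
    return (curve.on_curve(add(P, Q))                       # 1. closure
            and add(add(P, Q), R) == add(P, add(Q, R))      # 2. associativity
            and add(P, INF) == P and add(INF, P) == P       # 3. identity
            and add(P, neg(P)) is INF                       # 4. inverse
            and add(P, Q) == add(Q, P))                     # 5. commutativity


if __name__ == "__main__":
    E = Curve(97, 2, 3)
    G = (3, 6)
    n = E.order_of(G)
    print("2G =", E.mul(2, G), " order(G) =", n, " #E =", len(E.points()))
    print("axioms:", group_axioms_hold(E, G, E.mul(2, G), E.mul(3, G)),
          " hasse:", hasse_bound_holds(E), " nG = O:", E.mul(n, G) is INF)
```

Doubling with y = 0 is caught by the vertical-line test before the tangent slope is computed, so the 1/(2y) inversion never hits zero; the same guard is what Algorithm 2.1 needs when the two input points are inverses of each other.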
2.2.4 Kinds of Elliptic Curves
In standard ECC, curves fall into two broad categories: pseudo-random curves and special curves.
In a pseudo-random curve the coefficients are generated using a hash function such as SHA-1, as specified in ANS X9.62. To optimize efficiency, the coefficients of a special curve are selected from the underlying field with a particular form.
2.2.5 Choice of Base Points
An EC of order is supplied with a base point
. However, users can select their own base points, as specified in IEEE Standard 1363-2000 or ANS X9.62, to ensure separation between cryptographic networks.
2.2.6 Recommended Elliptic Curves
NIST recommends fifteen elliptic curves for use in ECDSA, five in each of three curve families at five security levels, in FIPS 186-4 (U.S. Department of Commerce, National Institute of Standards and Technology 2013). Over prime fields , for pseudo-random elliptic curves , where , NIST recommends five curves: P-192, P-224, P-256, P-384 and P-521. Over binary fields of degree , for pseudo-random curves , NIST recommends five curves: B-163, B-233, B-283, B-409 and B-571. Over binary fields of degree , for special Koblitz curves of the form , NIST recommends five curves: K-163, K-233, K-283, K-409 and K-571.
Certicom also recommends elliptic curves in the Standards for Efficient Cryptography SEC 2 (Certicom Research 2010). Over prime fields it defines five pseudo-random curves, secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1, and three special Koblitz curves, secp192k1, secp224k1 and secp256k1. Over binary fields of degree it defines six pseudo-random curves, sect163r1, sect163r2, sect233r1, sect283r1, sect409r1 and sect571r1, and six special Koblitz curves, sect163k1, sect233k1, sect239k1, sect283k1, sect409k1 and sect571k1, for different security levels.
2.3 Literature Review
The literature review is divided into six parts: multi receiver encryption, signcryption schemes based on elliptic curves, multi message signcryption schemes, multi receiver signcryption ( ) schemes in the PKI setting, ID based ( ) schemes and certificateless ( ) schemes.
2.3.1 Multi Receiver Encryption Schemes
The multi-recipient encryption approach extends the approach specified in S/MIME (Ramsdell & Turner 2010): generate a random key, encrypt the message under it, and encrypt the random key under each receiver's public key (KEM/DEM).
The first MRES (Kurosawa 2002) shortened the ciphertext and so reduced the bandwidth requirements. (Smart 2005) introduced the mKEM notion, an efficient key encapsulation technique for multiple recipients. (Bellare et al. 2003; Bellare et al. 2007) systematically studied the technique of randomness reuse and provided several generic and efficient constructions for MRES. (Barbosa 2007) proposed the notion of weak reproducibility, which enabled the construction of a wider class of efficient (single message) MRESs. Another approach, taken by (Hiwatari et al. 2009), examines the behavior of a simulator in a security proof. Broadcast encryption (Fiat & Naor 1994) shares a similar goal with multi-recipient encryption; researchers differentiate the two by how the public/secret key pairs of the recipients are generated.
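The KEM/DEM and randomness-reuse construction described above, as an added worked example that is not part of the original thesis or of any of the cited schemes: one ephemeral exponent r is shared by all recipients, the message body is encrypted once under a fresh DEM key, and that key is wrapped once per recipient under an ElGamal-style shared secret, so the ciphertext grows by one short wrap per recipient instead of one full copy. The order-q subgroup of Z_p^* (p = 1019, q = 509, g = 4), the SHA-256 keystream used as the DEM, the XOR key wrap and the HMAC tag are all constructions of this example; the parameter sizes give no security.

```python
"""Multi-recipient hybrid encryption with randomness reuse (added example).

One ephemeral exponent r is shared across all recipients: the message is
encrypted once under a fresh DEM key, and that key is wrapped once per
recipient under the shared secret y_i^r.  The group (a toy order-q subgroup
of Z_p^*), the SHA-256 keystream DEM and the XOR key wrap are constructions
of this example, not the page's scheme, and the sizes give no security.
"""
import hashlib
import hmac
import secrets

P, Q, G = 1019, 509, 4  # constructed toy parameters; g = 4 = 2^2 has order q


def keygen():
    """Recipient key pair (x, y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _kdf(label, *parts):
    """Hash-based KDF over a domain-separation label and the given parts."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(str(part).encode() + b"|")
    return h.digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key, n):
    """Counter-mode keystream from SHA-256; a stand-in for a real DEM cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def mr_encrypt(pub_keys, msg):
    """KEM/DEM for a list of recipient public keys, reusing one exponent r."""
    r = secrets.randbelow(Q - 1) + 1
    c0 = pow(G, r, P)                       # the single shared KEM element g^r
    dem_key = secrets.token_bytes(32)
    # one wrap per recipient: dem_key XOR H(c0, y_i, y_i^r)
    wraps = [_xor(dem_key, _kdf(b"kek", c0, y, pow(y, r, P))) for y in pub_keys]
    ct = _xor(msg, _keystream(_kdf(b"enc", dem_key.hex()), len(msg)))
    tag = hmac.new(_kdf(b"mac", dem_key.hex()),
                   c0.to_bytes(2, "big") + ct, hashlib.sha256).digest()
    return (c0, wraps, ct, tag)


def mr_decrypt(index, priv, ctext):
    """Recipient `index` unwraps the DEM key with x_i = priv and checks the
    tag; returns the plaintext, or None if the key or ciphertext is wrong."""
    c0, wraps, ct, tag = ctext
    y = pow(G, priv, P)
    dem_key = _xor(wraps[index], _kdf(b"kek", c0, y, pow(c0, priv, P)))
    expected = hmac.new(_kdf(b"mac", dem_key.hex()),
                        c0.to_bytes(2, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(_kdf(b"enc", dem_key.hex()), len(ct)))


if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]
    ctext = mr_encrypt([y for _, y in keys], b"group rekey: K_new")
    print([mr_decrypt(i, x, ctext) for i, (x, _) in enumerate(keys)])
```

The tag is computed over the DEM key material shared by all recipients, so it proves that the body was produced by whoever held that key, not who that was; sender authentication is exactly what the signcryption schemes reviewed next add on top of this encryption-only construction.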
2.3.2 Signcryption Schemes Based on Elliptic Curves
The first signcryption scheme on elliptic curves (Zheng & Imai 1998) saves about 58% of the computational cost and 40% of the communication cost compared with the previous approach. The first signcryption scheme with forward secrecy on ECC (Hwang et al. 2005) also provides message public verifiability. (Han et al. 2004) proposed publicly verifiable signcryption. (T Okamoto, E Okamoto 2008) proposed a scheme with forward secrecy and ciphertext verifiability in the ROM.
The notion of generalized signcryption was first coined by (Han & Yang 2006), who developed a generalized signcryption scheme based on ECC. Generalized signcryption offers the features of signcryption, digital signature only or encryption only; depending on specific parameters the primitive runs in one of these three modes. (Wang et al. 2010) analyzed the (Han & Yang 2006) generalized signcryption, reported that its security proof is incorrect, proposed an improved scheme and defined security notions for the new primitive with correct proofs. (Toorani & Shirazi 2008) presented an analysis of the (Hwang et al. 2005) scheme and reported nine security flaws. Although these papers claim to present cryptanalysis, they actually present analysis, since assumptions such as the hardness of ECDLP and the randomness of random numbers are already made by (Hwang et al. 2005). The scheme proposed in (Toorani & Shirazi 2010) provides forward secrecy and public verifiability of the plaintext message. (Toorani & Shirazi 2010) also analyzed the security of Han et al.'s signcryption scheme and listed its security flaws and shortcomings.
Blind signcryption using elliptic curves (Ullah et al. 2014) has the additional properties of message unlinkability and sender anonymity, with applications in mobile phone voting and m-commerce.
(Hassan M. Elkamchouchi, Eman F. Abu Elkhair 2013) proposed two proxy signcryption schemes based on the DLP and the ECDLP. The receiver can verify the origin of the ciphertext, and an authorized proxy agent can create valid proxy signatures after verifying the identity of the original sender.
2.3.3 Multi Message Signcryption Schemes
The multi-message signcryption (PKMMS) scheme (Elkamchouchi, A. M. Emarah, et al. 2007) was proposed for confidential and authenticated transmission of multiple messages and is efficient compared with Zheng's scheme. (Elkamchouchi & Hagras 2009) proposed a multi-message elliptic curve signcryption (PK-MMECS) scheme based on the ECDLP that is efficient compared with (Elkamchouchi, A. M. Emarah, et al. 2007), and also proposed Public Key Threshold Multi-Message Signcryption (PK-TMMS) with (t, n) shared verification (Elkamchouchi 2007), based on the discrete logarithm problem and using multiple key generators.
2.3.4 Multi Receiver Signcryption Schemes in PKI
In 1998, (Zhang 1998) proposed the first multiple-recipient signcryption scheme, for confidential and authenticated broadcasting of messages to multiple users working on the same mission. The basic idea is to use dual keys, a message-encryption key and a receiver-specific key: the message-encryption key encrypts the message, and the receiver-specific key encrypts the message-encryption key with a symmetric cipher. (Yavuz, Alagz, et al. 2006) proposed the N-Tier Satellite Multicast Security Protocol (NAMEPS) for dynamic, heavily loaded and secure satellite multicast systems, based on (Zhang 1998). (Han et al. 2004) proposed signcryption based on ECC and its multi-party version for unicast and multicast secure communication; the description of the multicast scheme is omitted from the original paper. In 2007, (Elkamchouchi, A. A. M. Emarah, et al. 2007) extended the concept of public key multi-message signcryption (PKMMS) schemes with a public key multi-message multi-recipient signcryption (PK-MM-MRS) scheme. (Han et al. 2008) proposed two schemes, a first and a second multiple-message . The first scheme has high communication overhead, producing copies of a single message for multicast. (H Elkamchouchi et al. 2009) proposed the Multiple Broadcasters Signcryption Scheme (MBSS) with the added property of ciphertext authenticity, which allows a gateway to filter false ciphertexts and reduces the receiver's workload, with applications in secure distributed networks; it is vulnerable to a man-in-the-middle attack. (Elkamchouchi 2009) presented a verifiable signcryption scheme and its multi-party variants; it claims that the multi-recipient variant is suitable for firewall implementation, but the variant does not provide ciphertext verification and cannot be implemented on firewalls. (Ahmed et al. 2010) proposed a message publicly verifiable multi-recipient signcryption scheme that is vulnerable to a man-in-the-middle attack.
The security features of the different schemes in PKI are summarized in Table 2.1, and the comparative computation cost and communication overhead of the above existing schemes are shown in Table 2.2.
Table 2. 1 Security Comparison of DLP Based MRSC
Schemes Model
1998 (Zhang 1998) Yes Yes Yes Yes Yes No No
2006 (Yavuz, Alagz, et al. 2006) Yes Yes Yes Yes Yes No No
2007 (Elkamchouchi, A. A. M. Emarah, et al. 2007) Yes Yes Yes Yes Yes No No
2009 (Han & Gui 2009b) Yes Yes Yes Yes Yes No No
2009 (H Elkamchouchi et al. 2009) Yes Yes Yes Yes Yes Yes No
2009 (Elkamchouchi 2009) Yes Yes Yes Yes Yes No No
2010 (Ahmed et al. 2010) Yes Yes Yes Yes Yes No No
Table 2.2 Cost Analysis of DLP Based MRSC
Schemes | Computation Cost: Signcryption Cost (Sender) | Computation Cost: Unsigncryption Cost (Each Receiver) | Communication Overhead
(Zhang 1998)
(Yavuz, Alagz, et al. 2006)
(Elkamchouchi, A. A. M. Emarah, et al. 2007)
(Han & Gui 2009b) Scheme1
(Han & Gui 2009b) Scheme2
(H Elkamchouchi et al. 2009)
(Elkamchouchi 2009)
(Ahmed et al. 2010)
2.3.4.1 Generalized Multi-Receiver Signcryption
Generalized Multi-Receiver Signcryption (GMRSS) (Yang et al. 2008) fulfills the functions of multi-receiver signcryption, multi-receiver encryption or signature. The scheme does not provide confidentiality. The security features of GMRSS in PKI are summarized in Table 2.3, and the computation cost and communication overhead are shown in Table 2.4.
Table 2.3 Security Analysis of ECDLP Based GMRSC
Schemes Model
(Yang et al. 2008) No Yes Yes Yes Yes No No
Table 2.4 Cost Analysis of ECDLP Based GMRSC
Scheme | Mode | Computation Cost: Signcryption Cost (Sender) | Computation Cost: Unsigncryption Cost (Each Receiver) | Communication Overhead
(Yang et al. 2008) Sig Mode
(Yang et al. 2008) Enc Mode
(Yang et al. 2008) Signc Mode
2.3.4.2 Multi-Receiver Signcryption on Bilinear Pairing
The first MRSC based on bilinear pairing (BP) (Li et al. 2007) proved semantic security and unforgeability under the GDHP assumption in the ROM. (S. Selvi & Vivek 2008) shows that (Li et al. 2007) is not IND-CCA2 secure and proposes a new BP-based scheme in the PKI setting with a formal proof in the ROM. (Han et al. 2008) defines a formal security model and proposes a scheme secure in the ROM under the GDH problem. (Han et al. 2010) proposes a scheme that claims to reduce computational and transmission overheads by using randomness reuse and ciphertext aggregation respectively. The security comparison is shown in Table 2.5 and the cost comparison is presented in Table 2.6.
Table 2. 5 Security Analysis of Bilinear Pairing Based MRSC
Schemes Model
2007 (Li et al. 2007) Yes Yes Yes Yes Yes Yes No
2008 (S. Selvi & Vivek 2008) Yes Yes Yes Yes Yes No No
2008 (Han et al. 2008) Yes Yes Yes Yes Yes No No
2010 (Han et al. 2010) Yes Yes Yes Yes Yes No No
Table 2.6 Cost Analysis of Bilinear Pairing Based MRSC
Schemes | Computation Cost: Signcryption Cost | Computation Cost: Unsigncryption Cost | Communication Overhead
(Li et al. 2007) - - -
(S. Selvi & Vivek 2008) Scheme (I-IBMSC)
(S. Selvi & Vivek 2008) Scheme (N-MSC)
(Han et al. 2010)
2.3.4.3 Generalized Multi-Receiver Signcryption Based Bilinear Pairing
(Han & Gui 2009a) proposed a generalized scheme, GMRSC, for an adaptive secure multicast framework based on the GDH problem, but it lacks communication efficiency. (Zhou 2012b) shows that the (Han & Gui 2009a) multi-receiver GSC scheme is not IND-CCA2 secure in the pure and hybrid encryption modes, and presents an improved scheme that is IND-CCA2 secure and UF-CMA secure under the CDH assumption. The security comparison is shown in Table 2.7 and the cost comparison is presented in Table 2.8.
Table 2. 7 Security Analysis of Bilinear Pairing Based GMRSC
Schemes Model
2009 (Han & Gui 2009a) No Yes Yes Yes Yes Yes No
2012 (Zhou 2012b) Yes Yes Yes Yes Yes Yes No
Table 2.8 Cost Analysis of Bilinear Pairing Based GMRSC
Scheme | Mode | Computation Cost: Signcryption Cost | Computation Cost: Unsigncryption Cost | Communication Overhead
(Han & Gui 2009a) Sig
(Han & Gui 2009a) Enc
(Han & Gui 2009a) Signc
(Zhou 2012b) Sig
(Zhou 2012b) Enc
(Zhou 2012b) Signc
2.3.5 ID based Multi Receiver Signcryption Schemes
The first ID-based multicast signcryption (Bohio & Miri 2004) is inconvenient, as it needs the pre-agreed establishment of a common secret key. (Duan & Cao 2006) proposed the first scheme in the identity-based setting and claimed that it is IND-CCA2 and UF-CMA secure in the ROM; however, (Zhang et al. 2012) prove that (Duan & Cao 2006) is IND-CCA2 insecure. (Yu et al. 2007) proposed a scheme and claimed that it is semantically secure under the hardness of the BDHP and unforgeable under the CDH assumption; however, (S. S. D. Selvi & Vivek 2008) showed that Yu et al.'s scheme is insecure too and presented an improved scheme. (Li et al. 2009) show that both Yu et al.'s and Selvi et al.'s schemes are insecure and propose a new scheme that is semantically secure and unforgeable in the random oracle model. A new multi receiver scheme (Sharmila Deva Selvi, Sree Vivek, Srinivasan, et al. 2009) uses a shared master secret key MSK of the system, which is efficient but flawed, since the system becomes insecure if this single secret key is compromised. (Khullar et al. 2013b) proposed a signcryption scheme using ECC rather than a multi receiver scheme, although the title of the paper is multi receiver signcryption. An ID based threshold signcryption scheme for multiple receivers (Qin et al. 2011) proved its chosen-ciphertext security in the random oracle model; however, (Zhang et al. 2012) analyzed the security of Qin et al.'s scheme, showed that it is insecure and proposed an improved scheme. In the standard model, (B. Zhang & Q.-L. Xu 2010) proposed the first identity-based . (Zhang & Mao 2009) proposed an identity based multi-signcryption scheme using bilinear pairings and claimed that it is IND-CCA2 and UF-CMA secure, but (Sharmila Deva Selvi, Sree Vivek & Pandu Rangan 2009) shows that this scheme is neither IND-CCA2 nor UF-CMA secure and proposes an improved scheme. (Elkamchouchi & Abouelseoud 2007b; Elkamchouchi & Abouelseoud 2007a) proposed a tree-based identity-based scheme with the same structure as the complete subtree broadcast encryption scheme (Naor et al. 2001); possible applications of the proposed scheme are suggested as well.
The security comparison is shown in Table 2.9 and the cost comparison is presented in Table 2.10.
Table 2.9 Security Analysis of ID Based MRSC
Schemes Model
2006 (Duan & Cao 2006) No Yes Yes No Yes No No
2007 (Yu et al. 2007) No Yes Yes No Yes No No
2007 (Elkamchouchi & Abouelseoud 2007a) Yes Yes Yes No Yes No No
2007 (Elkamchouchi & Abouelseoud 2007a) Yes Yes Yes No Yes No No
2008 (S. S. D. Selvi & Vivek 2008) No Yes Yes Yes Yes No No
2009 (Li et al. 2009) Yes Yes Yes Yes Yes No Yes
2009 (Sharmila Deva Selvi, Sree Vivek, Srinivasan, et al. 2009) Yes Yes Yes Yes Yes No No
2009 (Zhang & Mao 2009) No Yes Yes No Yes No No
2009 (Sharmila Deva Selvi, Sree Vivek & Pandu Rangan 2009) Yes Yes Yes Yes Yes No No
2010 (Qin et al. 2011) No Yes Yes No Yes No No
2010 (Zhang et al. 2012) Yes Yes Yes Yes Yes No No
2012 (B. Zhang & Q.-L. Xu 2010) Yes Yes Yes Yes Yes No No
Table 2.10 Cost Analysis of ID Based MRSC
Schemes | Computation Cost: Signcryption Cost | Computation Cost: Unsigncryption Cost | Signcrypted Text Size
(Duan & Cao 2006)
(Yu et al. 2007)
(Elkamchouchi & Abouelseoud 2007a)
(Elkamchouchi & Abouelseoud 2007a)
(S. S. D. Selvi & Vivek 2008)
(Li et al. 2009)
(Sharmila Deva Selvi, Sree Vivek, Srinivasan, et al. 2009)
(Sharmila Deva Selvi, Sree Vivek & Pandu Rangan 2009)
(Zhang et al. 2012)
(B. Zhang & Q.-L. Xu 2010)
2.3.5.1 Anonymous ID-Based Multiple Receivers Signcryption Scheme
Anonymous signcryption has the additional properties of ciphertext unlinkability and sender anonymity. The first anonymous ID-based scheme (Lal & Kushwah 2009) is proved secure in the ROM. In the standard model, (B. Zhang & Q. Xu 2010) proposed an identity based anonymous scheme. However, (Wang et al. 2012) shows that both Lal et al.'s and Zhang et al.'s schemes are not IND-CCA2 secure and improves the corresponding schemes; the improved schemes satisfy sender anonymity, semantic security and unforgeability. Using bilinear pairing, (Wu 2012) proposed an ID-based scheme that is provably secure in the ROM and suitable for secure communication in MANETs. (Hien et al. 2010) proposed an identity-based broadcast signcryption scheme with ciphertext authenticity that can be implemented in firewall applications. (Khullar et al. 2013a) presented a survey of signcryption along with identity based multi receiver signcryption techniques; the survey does not cover the literature comprehensively.
The security comparison is shown in Table 2.11 and the cost comparison is presented in Table 2.12.
Table 2.11 Security Analysis of ID Based Anonymous MRSC
Schemes Model
(Lal & Kushwah 2009) No Yes Yes No Yes No No
(B. Zhang & Q. Xu 2010) No Yes Yes No Yes No No
(Wang et al. 2012) Lal et al. improved Yes Yes Yes Yes Yes No No
(Wang et al. 2012) Zhang et al. improved Yes Yes Yes Yes Yes No No
(Hien et al. 2010) Yes Yes Yes Yes Yes Yes No
(Wu 2012) Yes Yes Yes Yes Yes No Yes
Table 2.12 Cost Analysis of ID Based Anonymous MRSC
Schemes | Computation Cost: Signcryption Cost | Computation Cost: Unsigncryption Cost | Signcrypted Text Size
(Lal & Kushwah 2009) - -
(B. Zhang & Q. Xu 2010) -
(Wang et al. 2012) Lal et al. improved -
(Wang et al. 2012) Zhang et al. improved -
(Wu 2012) -
(Hien et al. 2010)
2.3.5.2 Generalized ID-based Multiple Receivers Signcryption Scheme
The first identity-based multi-receiver GSC scheme (Zhou 2011) is proved confidential under the BDH assumption and existentially unforgeable under the CDH assumption in the ROM.
The security comparison is shown in Table 2.13 and cost comparison is presented in
Table 2.14.
Table 2. 13 Security Analysis of ID Based GMRSC
Schemes Model
2011 (Zhou 2011) Yes Yes Yes Yes Yes No No
Table 2. 14 Cost Analysis of ID Based GMRSC
Scheme Mode
Computation Cost
Communication
Overhead
Signcryption Cost
(Sender)
Unsigncryption Cost
(Each Receiver)
(Zhou 2011)
Sig
Enc
Signc
2.3.6 Certificateless Multi Receiver Signcryption Schemes
The first certificateless MRSC scheme (Selvi et al. 2008) is proved secure in the ROM against insider attacks. (Selvi et al. 2009) proved that the (Selvi et al. 2008) scheme is not IND-CCA2 secure and proposed an enhanced scheme. A cryptanalysis of (Selvi et al. 2009) is presented by (Miao et al. 2010), who proved that it is insecure against a UF-CMA adversary. (Sun & Li 2010) presented heterogeneous signcryption and its multi-receiver construction between a public key cryptosystem and an identity based cryptosystem, provably secure in the ROM.
The security comparison is shown in Table 2.15 and the cost comparison is presented in Table 2.16.
Table 2. 15 Security Analysis of Certificateless MRSC
Schemes Model
2008 (Selvi et al. 2008) No Yes Yes No No No Yes
2009 (Selvi et al. 2009) Yes Yes Yes No No No Yes
2010 (Sun & Li 2010) Yes Yes Yes Yes Yes No No
Table 2.16 Cost Analysis of Certificateless MRSC
Schemes | Computation Cost: Signcryption Cost | Computation Cost: Unsigncryption Cost | Communication Overhead
(Selvi et al. 2008) -
(Selvi et al. 2009)
(Sun & Li 2010)
Chapter 3
MATERIAL AND METHODS
3 Introduction
Let be a finite field of order , where , and let be an elliptic curve defined by the equation , where . Let be a base point of the elliptic curve with order . The number of receivers is , and if the message is not properly encrypted or signed ( ) is returned.
3.1 Bilinear Pairing
Let be an additive cyclic group of prime order with generator , and let be a multiplicative cyclic group of the same prime order with generator . A bilinear pairing (Meffert 2009) is a map having the properties of bilinearity, non-degeneracy and computability.
3.2 Computational Primitives
The security of elliptic curve cryptography is based on the hardness of the ECDLP, the ECDHP and the BDHP. Solving these problems is still infeasible for sufficiently large security parameters (Certicom Research 2009).
Definition 3.1 (DLP)
Let be a generator of a finite field of order . Given , finding the integer is the discrete logarithm problem (DLP). The success probability of an algorithm in solving the DLP on is defined as:
.
Definition 3.2 (DLP Assumption)
At present, for a sufficiently large security parameter , the success probability in time is a negligible quantity and solving the DLP is hard.
Definition 3.3 (ECDLP)
Let be a base point on of order and . Given , finding the integer is the ECDLP. The success probability of an algorithm in solving the ECDLP on is defined as:
Definition 3.4 (ECDLP Assumption)
At present, for a sufficiently large security parameter , the success probability in time is a negligible quantity and solving the ECDLP is hard.
Definition 3.5 (ECDHP)
Let be a base point on of order and . Given the two points , computing is the ECDHP. The success probability of an algorithm in solving the ECDHP on is defined as:
Definition 3.6 (ECDHP Assumption)
At present, for a sufficiently large security parameter , the success probability in time is a negligible quantity and solving the ECDHP is hard.
Definition 3.7 (BDHP)
Let be a generator of . Given for some , computing is the BDHP. The success probability of an algorithm in solving the BDHP is defined as:
Definition 3.8 (BDHP Assumption)
At present, for a sufficiently large security parameter , the success probability in time is a negligible quantity and solving the BDHP is hard.
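The generic cost behind these assumptions, as an added worked example that is not part of the original thesis: baby-step giant-step recovers the discrete logarithm of the DLP definition above in about 2*sqrt(n) group operations instead of the n steps of exhaustive search, which is why the DLP, ECDLP and related assumptions are only meaningful for group orders far beyond brute-force reach. The group is a constructed toy order-q subgroup of Z_p^* (p = 1019, q = 509, g = 4) chosen for this example; the same algorithm applies to the ECDLP with point addition in place of modular multiplication.

```python
"""Baby-step giant-step for the discrete logarithm problem (added example).

Given a generator g of a cyclic group of prime order n and h = g^a, recover a
with about 2*sqrt(n) multiplications and a table of sqrt(n) entries, instead of
the n steps of exhaustive search.  The group is a constructed toy subgroup of
Z_p^* of order q = 509; the ECDLP variant replaces modular multiplication by
point addition and is otherwise identical.
"""
import math


def bsgs(g, h, p, n):
    """Return a with g^a = h (mod p), 0 <= a < n, or None if h is not in <g>."""
    m = math.isqrt(n) + 1                # m >= ceil(sqrt(n)), so i*m + j covers [0, n)
    baby = {}
    e = 1
    for j in range(m):                   # baby steps: table g^j -> j
        baby.setdefault(e, j)
        e = e * g % p
    giant = pow(g, -m, p)                # g^{-m}
    gamma = h % p
    for i in range(m):                   # giant steps: h * g^{-i*m}
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * giant % p
    return None


def brute_force(g, h, p, n):
    """Exhaustive search in n steps; the reference the sqrt speed-up is against."""
    e = 1
    for a in range(n):
        if e == h % p:
            return a
        e = e * g % p
    return None


def steps_saved(n):
    """Rough ratio of brute-force steps to BSGS steps for a group of order n."""
    return n / (2 * (math.isqrt(n) + 1))


if __name__ == "__main__":
    p, q, g, a = 1019, 509, 4, 123       # constructed toy parameters
    h = pow(g, a, p)
    print("bsgs:", bsgs(g, h, p, q), " brute force:", brute_force(g, h, p, q))
    print("speed-up for a 256-bit group order: about 2^%d" % round(math.log2(steps_saved(2 ** 256))))
```

The square-root behaviour is the reason the assumptions above are stated relative to a security parameter: for an order-n group with no better structure to exploit, an attacker's work is about sqrt(n), so 128-bit security needs n near 2^256, which is the size class of the P-256 and secp256k1 curves of Section 2.2.6.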
Definition 3.9 (Collision Resistant Hash Functions)
Collision resistant hash functions ( ) (Ishai et al. 2005) apply to a family of functions, using the secret-coin terminology of (Franklin et al. 2004), that map a variable-size message to a fixed-size digest, for .
Definition 3.10 (Random Oracle)
A hash function is modeled as sharing the features of a random oracle: its output is random and uniform.
3.3 Public key Cryptography
Cryptography has enabled confidential communication since the age of ancient Egypt and Rome, through the Second World War, and is even more important in today's era of globalization.
Cryptography has two broad categories: Secret Key Cryptography (SKC), with roots in ancient Egypt and Rome, which provides confidentiality, and Public Key Cryptography (PKC), which appeared in 1976 and provides the additional service of authenticity. In PKC a user generates a key pair, a private key and a public key. The public key is bound to the user's identity and distributed over an insecure channel, eliminating the need for the secure key distribution channel of SKC and reducing the number of keys required for secure communication, with the limitation that the authenticity of the public keys must still be provided.
In 1976, called the zero year of cryptography, (Diffie & Hellman 1976) proposed the concept of PKC, while (Rivest et al. 1978) proposed the first practical public key encryption, based on the hardness of the integer factorization problem (IFP). In 1985, (Elgamal 1985) presented the concept of a digital signature based on the DLP.
3.3.1 Public Key Infrastructure
Public Key Infrastructure (PKI) is the most popular centralized and hierarchical infrastructure. It consists of the trusted third parties Registration Authority (RA) and Certificate Authority (CA), and provides a solution for proving the authenticity of public keys. A user requests the RA to issue a digital certificate for the user's public key; upon successful verification of the user's credentials, the CA generates and signs a certificate containing the user's identity and public key. PKI is scalable and the most common and easiest to use on the Internet, so issues such as securing Certificate Authorities, identity checking and naming semantics in certificates have been analyzed in detail. Its limitations are a heavyweight and expensive infrastructure, and the difficulty of verifying, storing, distributing and revoking certificates.
3.3.2 Identity-Based Encryption
The idea of Identity Based Encryption (IBE) was presented in 1984 (Shamir 1985) and practically implemented by (Boneh & Franklin 2003) using the Weil pairing over elliptic curves and finite fields. In IBE the public key is a unique string such as an email address or a phone number, eliminating the need for a CA to authenticate the public key. It uses a Private Key Generator (PKG) that generates the private keys of all of its users and distributes them over a secure channel. The problems are a lack of scalability, so that it cannot be used on the public Internet; compromise of the PKG leads to compromise of the whole system; and the PKG has the authority to signcrypt any message and unsigncrypt any signcrypted text in an IBSC scheme (key escrow).
3.3.3 Certificateless Cryptography
Certificateless Public Key Cryptography (CL-PKC) was first presented by Al-Riyami and Paterson (Al-Riyami & Paterson 2003). Its functionality lies between traditional certified PKI and IBE, and it is more flexible. Private key generation is split between the user and a trusted third party, the Key Generation Center (KGC), and a user's public key is the pair formed by the identity ID and the public key PA of the user. CL-PKC does not require an expensive infrastructure of different kinds of authorities like PKI; similarly to IBE, only a Key Generation Center and a public parameters server are required.
3.4 Formal Models
3.4.1 Key Generation
A randomized key generation algorithm takes user information and security parameters as input and generates a private key and public key :
.
3.4.2 Multi Receiver Public Key Encryption
A multi receiver encryption scheme consists of three probabilistic polynomial time (PPT) algorithms and one deterministic polynomial time (DPT) algorithm.
Setup: This is a PPT algorithm that takes a security parameter k as input and outputs the public system parameters, such as the finite field, the elliptic curve and the base point.
Key Generation : This is a PPT key generation algorithm that takes user information and security parameters as input and generates a private key and public key : .
Multi Receiver Encryption : This is a PPT multi receiver encryption algorithm that takes the message as input and returns the ciphertext .
Decryption : This is a DPT decryption algorithm that takes as input and returns .
3.4.3 Digital Signature
A signature scheme consists of three PPT and one DPT algorithm.
Setup: This is a PPT algorithm that takes a security parameter k as input and outputs the public system parameters, such as the finite field, the elliptic curve and the base point.
Key Generation : This is a PPT key generation algorithm that takes user information and security parameters as input and generates a private key and public key .
Signature : This is a PPT signature algorithm that takes as input and returns the signature .
Verify : This is a DPT verification algorithm that takes as input and returns .
3.4.4 Multi Receiver Signcryption
A scheme consists of three PPT and one DPT algorithm.
Setup: This is a PPT algorithm that takes a security parameter k as input and outputs the public system parameters, such as the finite field, the elliptic curve and the base point.
Key Generation : This is a PPT key generation algorithm that takes user information and security parameters as input and generates a private key and public key .
Multi Receiver Signcryption : This is a PPT multi receiver signcryption algorithm that takes as input and returns the multi receiver signcrypted text .
Unsigncryption : This is a DPT unsigncryption algorithm that takes as input and returns .
3.4.5 Generalized Multi Receiver Signcryption
A generalized multi receiver signcryption scheme consists of three PPT and one DPT algorithm.
Setup: This is a PPT algorithm that takes a security parameter k as input and outputs the public system parameters, such as the finite field, the elliptic curve and the base point.
Key Generation : This is a PPT key generation algorithm that takes user information and security parameters as input and generates a private key and public key : .
Generalized Multi Receiver Signcryption : This is a PPT generalized multi receiver signcryption algorithm that takes as input and returns the generalized multi receiver signcrypted text . Its mode depends on the parameters:
When
When
When
Generalized Unsigncryption : This is a DPT generalized unsigncryption algorithm that takes as input and returns . Its mode depends on the parameters:
When ,
When ,
When
3.4.6 Blind Multi Receiver Signcryption
A blind multi receiver signcryption scheme consists of five PPT and one DPT algorithm.
Setup: This is a PPT algorithm that takes a security parameter k as input and outputs the public system parameters, such as the finite field, the elliptic curve and the base point.
Key Generation : This is a PPT key generation algorithm that takes user information and security parameters as input and generates a private key and public key : .
Blind Factor : This is a PPT blinding algorithm that takes as input and outputs the blind factor .
Blind Signature : This is a PPT blind signature algorithm that takes as input and outputs the blind signature .
Blind Multi Receiver Signcryption : This is a PPT blind multi receiver signcryption algorithm that takes as input and outputs .
Blind Unsigncryption : This is a DPT blind unsigncryption algorithm that takes as input and returns .
3.4.7 Proxy Multi Receiver Signcryption
A proxy multi-receiver signcryption scheme consists of four PPT and two DPT algorithms.
Setup: This is a PPT algorithm that takes a security parameter k as input and outputs the public system parameters, such as the finite field, the elliptic curve and the base point.
Key Generation : This is a PPT key generation algorithm that takes user information and security parameters as input and generates a private key and public key : .
Proxy Warrant Generation : This is a PPT proxy warrant generation algorithm that takes as input and returns .
Proxy Verification : This is a DPT proxy warrant verification algorithm that takes as input and returns .
Proxy Multi Receiver Signcryption : This is a PPT proxy multi receiver signcryption algorithm that takes as input and returns .
Proxy Unsigncryption : This is a DPT proxy unsigncryption algorithm that takes as input and returns .
3.5 Security Parameters of Multi Receiver Signcryption
This section presents the security function provided by different multi receiver
signcryption schemes in this dissertation.
3.5.1 Confidentiality
A channel is perfectly confidential if an eavesdropper gets no information about the
content of the transmitted plaintext message. It must be infeasible for an adaptive attacker to
learn the contents of the signcrypted message.
3.5.2 Authenticity
Sender authentication means that the receiver knows the identity of the sender, while
message authentication means that the receiver can validate that the message was sent
by the legitimate sender.
3.5.3 Non Repudiation
The sender cannot deny the signcrypted text he sent. In case of dispute, it is
computationally feasible for a judge/third party to settle the dispute between sender
and receiver.
3.5.4 Forward Secrecy
It is a property of key-agreement protocols ensuring that a session key derived from a
private key cannot be compromised if the long-term private key is compromised
(Diffie et al. 1992).
3.5.5 Sender Anonymity
Sender anonymity states that the sender conceals his identity within the set of all
possible users: if the adversary selects two users, he cannot decide which of them
has been communicating (Backes & Kate 2013).
3.5.6 Sender Message Unlinkability
It states that, for a challenge message , an adversary does not know whether
they come from the same user or from different users; or, for any two actions, the
adversary cannot determine whether the same or different users executed them.
3.5.7 Message Public Verifiability
A multi-receiver signcryption scheme is publicly
verifiable with respect to auxiliary algorithms and if
3.5.8 Ciphertext Public Verifiability
A multi-receiver signcryption scheme is publicly
verifiable with respect to auxiliary algorithms and (Gonz et al. 2013) if
3.5.9 Random Oracle
A hash function shares the features of a random oracle: its output
is random and uniform. The limitation is that no finite, algorithmically computable function
can implement a true random oracle.
3.5.10 Indistinguishability-Adaptive Chosen Ciphertext Attack
A is said to be Indistinguishability-Adaptive Chosen Ciphertext
Attack secure if an adversary has a negligible advantage in
the game played between a hypothetical challenger and an
attacker .
Setup: The challenger generates the sender and each receiver key pair with the algorithm
, gives the sender public key pair and each receiver public
key to , while keeping the sender and receiver private keys secret.
Phase 1: makes polynomially bounded adaptive queries to the and
oracles as follows:
Oracle - produces messages and any receiver public key and
requests the result of for an attacked receiver private
key . The challenger runs the algorithm and returns the output to .
Oracle - produces and an arbitrary sender public key and requests the
result of for the attacked user private key . runs the algorithm
and returns the output to .
produces two equal-length messages and submits them to , which flips a
coin to compute a multi receiver signcrypted
text under the attacked user public key and returns it to
as the challenge.
Phase 2: makes new queries as in Phase 1, with the restriction that it must not query
the
Guess: Eventually outputs a bit ; wins the game if
The advantage of is defined as:
3.5.11 Existentially Unforgeable-Adaptive Chosen Message Attack
A is said to be existentially unforgeable-adaptive chosen message attack
secure if an adversary has a negligible advantage in the
following game named , played between a hypothetical challenger
and an attacker .
Setup: The challenger generates the sender and each receiver key pair according to
definition 5.1 of Algorithm
and gives the sender public keys to while keeping the sender private key secret.
Attack: can adaptively perform queries to the same oracles defined in Definition 3.
Forgery: At the end of the game produces a cipher text and an arbitrary receiver
key . wins the game if, under the attacked user public key , the result of
is a valid message and is not the output
of
.
The advantage of is defined as:
3.6 Cost Analysis Parameters of Multi Receiver Signcryption
Multi receiver signcryption ( ) cost analysis parameters are computational cost
and communication cost/overhead.
3.6.1 Computational Cost Analysis
Computational cost is the time and energy consumption of the various crypto
operations. The computational cost is measured in terms of the count of major and minor
operations.
As in standard public key cryptosystems, the most costly operations in Multi Receiver
Signcryption are Modular Exponentiation ( ), Elliptic Curve Point Scalar
Multiplication ( ) and Bilinear Pairing ( ).
Minor operations are Modular Addition ( ), Modular Multiplication ( ),
Modular Inversion ( ), Elliptic Curve Point Addition ( ), Symmetric
Encryption and Decryption and hash .
3.6.2 Communication Cost/Overhead Analysis
Communication cost is the total number of bits transmitted during communication,
while communication overhead is the number of extra bits transmitted excluding the original
message. The communication overhead depends on the choice of cipher
primitive and the size of its parameters. We assume the NIST minimal security key sizes,
given in bits (Barker et al. 2011) (Giry 2013), in Table 2.
Table 3. 1 NIST Recommended Crypto Primitives and Key Sizes
Date | Minimum of Strength | Symmetric Algorithms | Factoring Modulus | Discrete Logarithm Key | Discrete Logarithm Group | Elliptic Curve | Hash
2010 (Legacy) | 80 | 2DES | 1024 | 160 | 1024 | 160 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
2011 – 2030 | 112 | 3DES | 2048 | 224 | 2048 | 224 | SHA-224, SHA-256, SHA-384, SHA-512
> 2030 | 128 | AES-128 | 3072 | 256 | 3072 | 256 | SHA-256-512
Chapter 4
RESULTS AND DISCUSSION
4 Introduction
In this Chapter, we propose six different types of multi receiver signcryption
schemes ( ) based on elliptic curves for secure message multicast.
In section 4.1, the proposed efficient multi-receiver signcryption scheme provides the security
features of multicast message confidentiality, integrity, sender authenticity and
non-repudiation, and fulfills the security parameters of signcryption. Forward secrecy is
a considerable property of message confidentiality. Existing forward-secure
signcryption schemes are for secure unicast communication, not multicast, and multi-
receiver signcryption schemes lack forward secrecy. In section 4.2, we propose a multi-
receiver signcryption scheme with forward secrecy. Firewalls play an important role
in preventing malicious traffic; firewall-verifiable signcryption enables them to verify
encrypted traffic. Existing firewall-verifiable signcryption schemes are for unicast, not
multicast, and multi receiver signcryption schemes lack firewall verifiability. In
section 4.3, the proposed multi-receiver signcryption scheme for firewalls has the additional
feature of encrypted message authentication for firewall applications. In section
4.4, the proposed generalized multi-receiver signcryption scheme has the functionality
of digital signature, multi-receiver encryption and multi receiver signcryption, and
has the security features of multicast message confidentiality, integrity, sender
authenticity and non-repudiation, fulfilling the security parameters of signcryption. In
section 4.5, the proposed blind multi-receiver signcryption scheme has the functionality
of sender-anonymous multi receiver signcryption and has the security features of
multicast message confidentiality, integrity, sender authenticity, non-repudiation
and forward secrecy. In section 4.6, we propose a proxy multi-receiver signcryption
scheme. It has the functionality of designated-agent multi receiver signcryption and
has the security features of multicast message confidentiality, integrity, sender
authenticity and non-repudiation.
4.1 An Efficient Multi Receiver Signcryption Scheme
The proposed efficient multi-receiver signcryption consists of four phases: Setup, Key
Generation, Multi-Receiver Signcryption and Unsigncryption.
4.1.1 Setup
In the setup phase, the security parameters such as the finite field, elliptic curve, and base
point are defined and published to the group members.
4.1.2 Key Generation
In the key generation phase, each member of the multicast group randomly
generates a private key and computes the public key
where . Each member of the multicast group gets a certificate for his
public key from the CA and publishes it to the group members.
4.1.3 Multi-Receiver Signcryption
Let Alice (Sender) want to multicast a message vector to a group of
receivers having identities ( ) in a confidential and authenticated way.
The sender runs algorithm 4.1 to generate the signcrypted text and multicasts it to the
group of receivers.
Algorithm 4.1 MRSC
1. Verifies each receiver public key by using their certificates
2. Selects randomly an integer
3. Computes
4. Computes
5. Computes
6. Selects randomly an integer
7. For each recipient
i. Computes
ii. Computes
8. Computes
9.
Multicast the Signcrypted text
4.1.4 Unsigncryption
Each member of the multicast group gets the multicast signcrypted text , obtains the
message and verifies the authenticity of the sender and message contents using the
deterministic algorithm 4.2.
Algorithm 4.2 USC
1. Verifies sender public key by using his certificate
2. Computes
3. Computes
4. Computes
5. Computes
6. Generates
7. Computes
8. Verify: if accept else
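As an added example that is not code from the thesis, the four phases above (Setup, Key Generation, Multi-Receiver Signcryption, Unsigncryption) instantiated on secp256k1 in pure Python; the concrete equations are an assumed Schnorr-style signature plus a hash-derived per-receiver key, standing in for the thesis's own formulas, and the same structure is reused by the MRSCFS and MRSCFV variants later in this chapter.

```python
"""Toy multi-receiver signcryption (MRSC/USC) on secp256k1.
The equations are a constructed instantiation assumed for illustration,
not the thesis's own formulas. Not constant time; demonstration only."""
import hashlib
import secrets

# Setup: public parameters (finite field, curve y^2 = x^3 + 7, base point).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition (handles doubling and the infinity cases)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (the costly ECPM operation)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h_int(*parts):
    """Hash function (modelled as a random oracle), reduced mod N."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N


def keystream(key, length):
    """SHA-256 in counter mode as the symmetric cipher pad."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:length]


def receiver_key(shared_point, rx, idx):
    """Per-receiver session key from the shared point, R.x and position idx."""
    sx = shared_point[0].to_bytes(32, "big")
    return hashlib.sha256(sx + rx + idx.to_bytes(2, "big")).digest()


def keygen():
    """Key Generation: private key d, public key Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def signcrypt(d_s, receiver_pubs, msg):
    """Multi-Receiver Signcryption: returns (r, s, [c_1..c_n])."""
    k = secrets.randbelow(N - 1) + 1          # fresh random integer
    R = ec_mul(k, G)
    rx = R[0].to_bytes(32, "big")
    ciphertexts = []
    for i, Q_i in enumerate(receiver_pubs):   # one ciphertext per recipient
        key_i = receiver_key(ec_mul(k, Q_i), rx, i)   # k*Q_i == d_i*R
        pad = keystream(key_i, len(msg))
        ciphertexts.append(bytes(a ^ b for a, b in zip(msg, pad)))
    r = h_int(msg, rx)                        # digest binding message and R
    s = (k - r * d_s) % N                     # signature needs sender key d_s
    return r, s, ciphertexts


def unsigncrypt(d_i, idx, Q_s, signcrypted):
    """Unsigncryption by receiver idx; returns the message or None."""
    r, s, ciphertexts = signcrypted
    R = ec_add(ec_mul(s, G), ec_mul(r, Q_s))  # s*G + r*Q_s = k*G = R
    if R is INF:
        return None
    rx = R[0].to_bytes(32, "big")
    key_i = receiver_key(ec_mul(d_i, R), rx, idx)
    c = ciphertexts[idx]
    msg = bytes(a ^ b for a, b in zip(c, keystream(key_i, len(c))))
    # Verify: the recovered digest must match r, else reject.
    return msg if h_int(msg, rx) == r else None


if __name__ == "__main__":
    d_s, Q_s = keygen()
    group = [keygen() for _ in range(3)]
    sc = signcrypt(d_s, [q for _, q in group], b"constructed multicast message")
    print([unsigncrypt(d, i, Q_s, sc) for i, (d, _) in enumerate(group)])
```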
4.1.5 Analysis of MRSC
4.1.5.1 Correctness Analysis
Theorem 4.1
The Multi-Receiver Signcryption Scheme is correct if the equation
holds.
Proof:
The equation is established, so the is correct.
4.1.5.2 Security Analysis
Our proposed multicast instant message communication protocol ensures the basic
security properties of signcryption under the established assumption that solving
with sufficiently large security parameters is infeasible.
4.1.5.2.1 Confidentiality
Our proposed scheme ensures multicast message confidentiality. We present the
possible attacks that an attacker can try in order to break message confidentiality.
Case 1: An attacker can compute from equation if he computes from
equation . The attacker gets easily, but to generate from
equation he has to solve .
Case 2: An attacker can compute from equations (4.4) and (4.5) if he computes
from equation (4.3). The attacker gets easily, but to generate from
equation he has to solve .
4.1.5.2.2 IND-CCA2
Theorem 4.2
Let denote the time required for one computation. If no adversary can
solve the in probabilistic polynomial time , performing
queries, queries and queries to the oracles running in , then the proposed
withstands the in the random oracle model, where
Proof:
The algorithm tries to solve by taking an input and
simulating the challenger to serve in the following game, where can ask
at most queries to the oracle, queries to and queries to
in polynomial time .
Setup: runs the setup algorithm to produce all necessary public parameters
, sets at least one receiver public key as the challenge
public key and sends it to .
Phase 1: performs a first series of queries, handled by , of the following kinds as
explained below:
Simulator:
A list is maintained by to keep track of the answers given to oracle queries
on . When queries on his chosen input , checks in list ; if it is
previously defined, that value is returned, else picks a random value from the range
, stores it in , and returns it to .
Simulator:
produces a message vector and arbitrary receiver public keys
and calls a query. then runs the
oracles as follows:
Selects , Queries , Queries
Computes
Selects randomly an integer
For each recipient
Selects and computes
Queries
Computes
Computes
The ciphertext vector is returned to .
Simulator:
produces a Multicast Signcrypted text and an arbitrary sender public
key , and requests the result of .
then runs the oracles with a signcrypted message , searches the list
according to the unsigncryption step and then recovers the message m.
then checks if is in ; if not, moves to the next item of and begins again, else
retrieves and checks if . If not, moves to the next item of and
begins again, else returns and stops. If no such tuple is found, returns .
Challenge: produces two equal-length messages , never queried before,
an arbitrary private key and receiver public keys , and requests the
, which flips a coin to compute a multi receiver signcrypted
text and returns it to as the challenge.
Phase 2: makes a polynomially bounded number of new queries as in Phase 1, but
must not call any query for the message . returns a
guess and realizes that is a valid signcrypted text unless asks for one of the hash
values ,
for which . ignores 's answer and looks into the list for
tuples of the form , retrieves and checks if ; if
this relation holds, stops and outputs as the solution of the . If no tuple
of this kind satisfies the above equality, stops and outputs invalid.
Analysis of the game: Assessing the probability in the case of imperfect simulation,
the only case where it can occur is when a valid signcrypted text is rejected in a
query. It is simple to see that for every item in there is exactly one item in
providing a valid , so the probability of rejecting a valid is not greater than
.
Since makes total queries during the attack, we have
, and 's computation time follows from the fact that a query
requires two operations while the extraction of the solution from implies
computing at most ; thus .
4.1.5.2.3 Integrity
The proposed scheme ensures message integrity, i.e. that no changes occur during
dissemination of the message via an insecure channel. The receiver obtains the message and
checks its integrity using equations (4.6) and (4.7).
If an attacker changes the ciphertext , the corresponding message also changes from
to , and the message digest as well. It is infeasible for an attacker to change
and by the collision resistance property of the one-way hash function.
4.1.5.2.4 Unforgeability
The proposed scheme ensures that it is infeasible for an attacker/legitimate receiver to compute a
valid signature without knowing the sender private key .
Let an attacker/legitimate receiver try to forge valid parameters
; he must generate from equation (14) for the message , which
requires computing from equation (4.3), equivalent to solving . Therefore,
our proposed scheme is unforgeable.
4.1.5.2.5 UF-CMA
Theorem 4.3
The proposed withstands if no forger with non-negligible
can solve the in probabilistic polynomial time , performing
queries, queries and queries to the oracles running in , in the random oracle
model, where
; denotes the time
required for one computation.
Proof:
The algorithm tries to solve by taking an input , simulates
itself as the challenger and runs the adversary as a subroutine, and its goal is to
compute .
Setup: runs the setup algorithm to produce all necessary public
parameters , sets the sender public key as the
challenge public key and sends it to .
Phase 1: performs a first series of queries handled by as in the IND-CCA game.
Forgery: produces a cipher text and an arbitrary sender key . wins the
game if, under the attacked user public key , the result of is a valid
message and is not the output of
.
Analysis of the game: With queries and queries to the oracles running
in , in the random oracle model, the probability that F outputs a fake signcrypted text without
asking the corresponding queries is at most
, and the probability of rejecting a
valid is
, so the advantage of B is
; denotes the time required for one computation.
4.1.5.2.6 Authenticity
The proposed scheme assures sender and received message authenticity. The sender
authenticity is confirmed by the sender public key certificate.
The message signature is used to compute the cipher text decryption session key
, and the collision resistant hash function is further used
to verify the message validity.
4.1.5.2.7 Non-Repudiation
If a legitimate sender denies the signcrypted text sent, then any
trusted third party can verify the message contents using a zero knowledge protocol.
Our proposed scheme provides the property of non-repudiation.
4.1.5.3 Efficiency Analysis
We analyzed the efficiency of the proposed scheme in the multicast key distribution
phase and the secure multicast instant message dissemination phase.
Table 4. 1 Computational cost comparison of existing schemes and proposed MRSC
Schemes | Signcryption Cost (Sender) | Unsigncryption Cost (Each Receiver)
Proposed | |
(Zhang 1998) | |
(Yavuz, Alagz, et al. 2006) | |
(Elkamchouchi, A. A. M. Emarah, et al. 2007) | |
Table 4. 2 Communication overhead comparison of existing schemes and proposed MRSC
Schemes | Communication Overhead
Proposed |
(Zhang 1998) |
(Yavuz, Alagz, et al. 2006) |
(Elkamchouchi, A. A. M. Emarah, et al. 2007) |
(Han & Gui 2009b) |
  Scheme1 |
  Scheme2 |
+ | | + | |
(H Elkamchouchi et al. 2009) |
(Elkamchouchi 2009) |
(Ahmed et al. 2010) |
4.2 Multi Receiver Signcryption Scheme with Forward Secrecy
The message security attribute forward secrecy, coined by (Diffie et al. 1992), is defined as:
compromise of the sender long-term private key should not result in compromise of
session keys (Boyd & Nieto 2011).
(H.Y. Jung, K.S. Chang, D.H. Lee 2001) first proposed a signcryption scheme with
forward secrecy based on the well known . (Hwang et al. 2005) proposed a
signcryption scheme with forward secrecy and message public verifiability, and (Toorani
& Shirazi 2008) presented a security analysis of the (Hwang et al. 2005) scheme. (Ashraf
Ch et al. 2012) proposed the first forward secure scheme based on hyper elliptic curves,
which have a small key size compared to elliptic curves.
We propose Multi Receiver Signcryption with Forward Secrecy ( ) based
on elliptic curves. It consists of four phases: Setup, Key Generation, Signcryption and
Unsigncryption.
4.2.1 Setup
In the setup phase, the security parameters such as the finite field, elliptic curve, and base
point are defined and published to the group members.
4.2.2 Key Generation
In the key generation phase, each member of the multicast group randomly
generates a private key and computes the public key
where . Each member of the multicast group gets a certificate for his
public key from the CA and publishes it to the group members.
4.2.3 Multi Receiver Signcryption
Let Alice (Sender) want to multicast a message vector to a group of
receivers having identities ( ) and public keys in a
confidential and authenticated way with forward secrecy. The sender runs
algorithm 4.3 to generate the signcrypted text and multicasts it to the group
of receivers.
Algorithm 4.3 MRSCFS
1. Verifies each receiver public key by using their certificates
2. Selects randomly an integer
3. Computes
4. Computes
5. Computes
6. Selects randomly an integer
7. For each recipient
i. Computes
ii. Computes
8. Computes
9. Computes
10.
Multicast the Signcrypted text
4.2.4 Unsigncryption
In the Unsigncryption phase, each receiver in the multicast group having
identity selects his relevant information from the multicast signcrypted
text according to his position, gets and verifies the message using the
deterministic algorithm 4.4 USC.
Algorithm 4.4 USC
1. Verifies sender public key by using his certificate
2. Computes
3. Computes
4. Computes
5. Generates
6. Computes
Verifies If true then accept else
4.2.5 Analysis of MRSCFS
4.2.5.1 Correctness Analysis
Theorem 4.4
The Multi-Receiver Signcryption Scheme is correct if the equation
holds.
Proof:
( )
( )
( )
The equation is established, so the is correct.
4.2.5.2 Security Analysis
The proposed scheme possesses seven security attributes, namely: multicast message
confidentiality, sender authentication, multicast message integrity, multicast
message unforgeability, sender non-repudiation and forward secrecy. The proofs are
based on the well known assumptions that and are hard [10] and that the
hash function is one-way and collision resistant. The security attributes of the proposed
scheme are compared with existing schemes in Table 4.2.
4.2.5.2.1 Confidentiality
Our proposed scheme provides message confidentiality. If the attacker
tries to derive the message from , he must obtain the secret key .
However, every possible way to generate is equivalent to solving the .
Case 1: An attacker can compute from equation (4.9) if he computes from
equation (4.1). The attacker gets easily, but to generate from
equation the attacker must solve .
4.2.5.2.2 Integrity
In our proposed scheme the recipient can verify whether the received message is original
or corrupted by using equation (4.10) and equation (4.11).
If an attacker changes , the related message is changed to such
that and . It is computationally infeasible for an attacker to modify
such that by the collision resistance property of the one-way hash function.
4.2.5.2.3 Unforgeability
The attacker/recipient cannot forge a valid without the sender private
key . Suppose the attacker/recipient wants to forge a valid that the
attacker eavesdropped/received. He must generate from equation (4.13).
However, to compute , the attacker must compute from equation (4.3) and from
equation (4.12), which is equivalent to solving two , and a receiver must compute
from equation (4.3), which is equivalent to solving one . Therefore, the
proposed scheme is unforgeable.
4.2.5.2.4 Authentication
The proposed scheme assures sender and received message authenticity. The sender
authenticity is confirmed by the sender public key certificate. The message
signature is used to compute the session key, and the
message digest is computed using the collision resistant hash function
to verify the message validity.
4.2.5.2.5 Non-repudiation
If a legitimate sender denies the signcrypted text sent,
then any trusted third party can verify the message contents using a ZKP.
4.2.5.2.6 Forward secrecy
If the sender's long-term private key is compromised, the attacker still cannot
recover any previous message from the signcrypted text . Suppose an
attacker gets the sender private key and wants to compute the pre-session key
random number from equation (4.14); he still needs to compute using equation
(4.12), but computing from is equivalent to solving .
4.2.5.3 Cost Analysis
The computational efficiency of the proposed scheme is analyzed and compared with existing schemes on the basis of major operations, as shown in Table 2.
Table 4. 3 Computational cost comparison of existing schemes and proposed MRSCFS
Schemes | Signcryption Cost (Sender) | Unsigncryption Cost (Each Receiver)
Proposed | |
(Zhang 1998) | |
(Yavuz, Alagz, et al. 2006) | |
(Elkamchouchi, A. A. M. Emarah, et al. 2007) | |
Table 4. 4 Communication overhead comparison of existing schemes and proposed MRSCFS
Schemes | Communication Overhead
Proposed |
(Zhang 1998) |
(Yavuz, Alagz, et al. 2006) |
(Elkamchouchi, A. A. M. Emarah, et al. 2007) |
(Han & Gui 2009b) |
  Scheme1 |
  Scheme2 |
+ | | + | |
(H Elkamchouchi et al. 2009) |
(Elkamchouchi 2009) |
(Ahmed et al. 2010) |
4.3 Multi-Receiver Signcryption for Firewall
Firewalls are installed either as hardware devices or as software applications to enforce
security policies within a network or between networks. They operate at different
layers and protect private local area networks from hostile intrusion. Application
layer firewalls provide the most comprehensive filtering, including end user
message authentication.
Fig.4. 1 Application-Level Firewalls for Incoming Message Authentication
The objective of this research is to identify and implement the security requirements
of firewalls for multicast signcrypted messages. To achieve this objective, we
propose an efficient multi receiver signcryption scheme based on elliptic curves
that enables firewalls to verify the authenticity of the network traffic without
disclosing the contents of the encrypted messages. The proposed multi-receiver
signcryption consists of four phases: Setup, Key Generation, Multi-Receiver
Signcryption and Unsigncryption.
4.3.1 Setup
In the setup phase, the security parameters such as the finite field, elliptic curve, and base
point are defined and published to the group members.
4.3.2 Key Generation
In the key generation phase, each member of the multicast group randomly
generates a private key and computes the public key
where . Each member of the multicast group gets a certificate for his
public key from the CA and publishes it to the group members.
4.3.3 Multi Receiver Signcryption
Let Alice (Sender) having identity want to multicast a message vector
to a group of receivers having identities ( ) and public keys
in a confidential and authenticated way with firewall verifiability.
The sender runs the PPT algorithm 4.5 to generate the signcrypted text and
multicasts it to the group of receivers.
Algorithm 4.5 MRSCFV
1. Verifies each receiver public key by using their certificates
2. Selects randomly an integer
3. Computes
4. Computes
5. Selects randomly an integer
6. For each recipient
i. Computes
ii. Computes
7. Computes
8.
9. Computes
10. Computes
11. Return
Multicast the Signcrypted text to each group member
4.3.4 Verification by Firewalls
Firewalls verify the authenticity of the received signcrypted text as
follows:
Algorithm 4.6 FV
1. Verifies sender public key using their certificate
2. Computes
3. Computes
4. Accept and forwards Signcrypted text if otherwise
4.3.5 Unsigncryption
Each receiver in the multicast group having identity extracts his corresponding
parameters from the signcrypted text , verifies them and gets the
message using the Unsigncryption algorithm as follows:
Algorithm 4.7 USC
1. Verifies sender public key by using his certificate
2. Computes
3. Computes
4. Accept Signcrypted text if otherwise
5. Computes
6. Computes
7. Computes
8. Computes
Message
4.3.6 Analysis of MRSCFV
4.3.6.1 Correctness Analysis
Theorem 4.5
Multi Receiver Signcryption firewall verification is valid if the
sender and verifier conform to the applied protocols .
Proof:
=
The equation holds so the verification is correct.
Theorem 4.6
Multi Receiver Signcryption for firewalls is valid if the sender and
receiver conform to the protocols.
Proof:
Clearly, the equation is established and is correct.
4.3.6.2 Security Analysis
The security analysis of the proposed scheme is presented under the established
assumption that solving is hard for sufficiently large security parameters.
4.3.6.2.1 Confidentiality
If an attacker wants to derive the original message, then he must obtain the
secret key and further compute the message session key . The following are the
possible cases for deriving the secret key:
Case 1: An attacker can compute from equations (4.15) and (4.16) if he computes
from equation (4.1). The attacker gets easily, but to generate from
equation the attacker must solve .
Case 2: An attacker can compute from equations (4.5) and (4.17) if he computes
from equation (4.3). The attacker gets easily, but to generate from
equation he has to solve .
4.3.6.2.2 Integrity
The proposed MRSCFV scheme provides message integrity. Firewalls and each recipient
can verify whether the received signcrypted text is the original, sent by the
legitimate sender, or altered, using equations (4.18), (4.19) and (4.20). In the signcryption
phase the sender computes using the one-way collision resistant hash function in
equation (4.19). If an attacker alters the original ciphertext or , then is
changed to .
It is computationally infeasible for an attacker to modify and due to the
collision resistance property of the one-way hash function.
4.3.6.2.3 Unforgeability
Suppose the attacker tries to forge a valid from a previously
eavesdropped . He must generate from Equations (4.22) and (4.23) for
message . For computing a valid signature , the attacker has to compute the sender
private key from Equation (4.3) or the secret parameter from Equation (4.21),
which is equivalent to solving .
4.3.6.2.4 Encrypted Message Authentication/Firewalls Verifiability
The proposed scheme assures sender and received encrypted message authenticity.
Firewalls can verify whether the received signcrypted text was sent by the legitimate
sender or not, without disclosing the message contents, using the deterministic algorithm 4.7
FV.
4.3.6.2.5 Public Verifiability
In case of dispute, a third party can verify the authenticity of the signcrypted text
using the deterministic algorithm 4.7 FV.
4.3.6.2.6 Non-repudiation
The sender cannot deny a previously sent signcrypted text . In case
of denial of the text, a third party can resolve the dispute. The sender private key , only
known to the sender, is associated with the sender public key . The third party settles the
dispute by verifying the sender public key and ciphertext contents using the
deterministic Algorithm 4.4 FV.
4.3.6.3 Cost Analysis
The computational efficiency of the proposed MRSCFV is analyzed based on two major
operations, namely and . Table 3 illustrates the efficiency comparison of
the proposed scheme and existing schemes. The proposed scheme is based on elliptic
curves and is more efficient than the based scheme.
Table 4. 5 Computational Cost Comparison of existing schemes and proposed MRSCFV
Schemes | Signcryption Cost (Sender) | Unsigncryption Cost (Each Receiver)
Proposed | |
(Zhang 1998) | |
(Yavuz, Alagz, et al. 2006) | |
(Elkamchouchi, A. A. M. Emarah, et al. 2007) | |
Table 4. 6 Communication overhead comparison of existing schemes and proposed MRSCFV
Schemes | Communication Overhead
Proposed |
(Zhang 1998) |
(Yavuz, Alagz, et al. 2006) |
(Elkamchouchi, A. A. M. Emarah, et al. 2007) |
(Han & Gui 2009b) |
  Scheme1 |
  Scheme2 |
+ | | + | |
(H Elkamchouchi et al. 2009) |
(Elkamchouchi 2009) |
(Ahmed et al. 2010) |
4.4 Generalized Multi Receiver Signcryption
Generalized signcryption adaptively works as a digital signature scheme, an
encryption scheme, or a signcryption scheme with only one algorithm, which makes it
suitable and attractive for storage-constrained environments like smart grid, smart cards,
embedded systems and wireless sensor networks.
Signcryption schemes are efficient, but are not suitable when only one of the three
functions, confidentiality, authenticity, or confidentiality and authenticity, is
required. To solve this problem, (Han & Yang 2006) (Han et al. 2006)
proposed a generalized signcryption scheme that adaptively works as an encryption
scheme, a signature scheme or a signcryption scheme. (Han 2007) first proposed a
multi-receiver GSC scheme in the ROM under the assumption; this scheme lacks the
functionality of a signature only mode. The scheme of (Yang et al. 2008) can
adaptively work as signature, multi receiver encryption or multi-receiver
signcryption, but lacks confidentiality. (Han & Gui 2009a) proposed a multi-
receiver GSC scheme under the CDH assumption. However, (Zhou 2012a) (Zhou
2015) show that the multi-receiver GSC scheme of (Han & Gui 2009a) is not IND-CCA2 secure
in the pure encryption and hybrid encryption modes and give an improvement of
that scheme, secure under the CDH assumption, which is however inefficient.
We propose an efficient generalized multi receiver signcryption scheme. It
consists of four phases: Setup, Key Generation, Generalized Multi Receiver Signcryption and
Generalized Unsigncryption.
4.4.1 Setup
In the setup phase, the security parameters such as the finite field, elliptic curve, and base
point are defined and published to the group members.
4.4.2 Key Generation
In the key generation phase, each member of the multicast group randomly
generates a private key and computes the public key
where . Each member of the multicast group gets a certificate for his
public key from the CA and publishes it to the group members.
4.4.3 Generalized Signcryption
Let a sender want to multicast a message to a group of receivers having
identities and public keys in an authenticated, or
confidential, or confidential and authenticated manner; the sender runs the
algorithm to generate the multi receiver signcrypted text .
Algorithm 4.8
1. Selects randomly an integer
2. Computes
3.
i. Selects randomly an integer
ii. Computes
iii. Computes
iv. Computes
v. For each recipient
a. Computes
b. Computes
c.
4.
5. Computes
6. Computes
Multicast the Signcrypted text
4.4.4 Generalized Unsigncryption
In the Unsigncryption phase, each receiver in the multicast group having
identity selects his relevant information from the multicast signcrypted
text according to his position, gets and verifies the message using the
deterministic Algorithm 4.9 GUSC.
Algorithm 4.9
1. Verifies sender public key by using their certificate
2.
{
i. Computes
ii. Computes
iii. Computes
iv. Computes
v. Computes
vi. Accept message if else }
3. {
a. Computes
b. Computes
Accept message as valid if else }
4.4.5 Generalized Signcryption in Different Modes
It works in three different modes, Multi Receiver Encryption mode, signature
mode or Multi Receiver Signcryption mode, according to the security requirement.
The scheme can be used to multicast a message in a confidential, or authenticated, or
confidential and authenticated manner.
The proposed Generalized Multi-Receiver signcryption can work in three different
modes according to the required security functions: signature only mode, encryption
only mode and signcryption mode.
4.4.5.1 Signature only Mode
When Alice signs a message using with the variable values and ,
it is equivalent to signing the message with .
63
Algorithm 4.10
1. Selects randomly an integer
2. Computes
3.
4.
i. Computes
ii. Computes
5. Return
Multicast the Signcrypted text
Any recipient who knows the sender's public key can verify the message as:
Algorithm 4.11
1. Verifies sender public key by using their certificate
2.
3.
i. Computes
ii. Computes
Accept message as valid if else
4.4.5.2 Encryption only Mode
The scheme becomes multi-receiver encryption when
and . The sender can encrypt a message for the receivers as:
Algorithm 4.12
1. Selects randomly an integer
2. Computes
3.
i. Selects randomly an integer
ii. Computes
iii. Computes
iv. Computes
v. For each recipient
a. Computes
b. Computes
c.
4.
Multicast the Signcrypted text
To get the message, each recipient runs the deterministic algorithm
Algorithm 4.13
1. Verifies sender public key by using their certificate
2.
i. Computes
ii. Computes
iii. Computes
iv. Computes
v. Computes
vi. Accept message if else
4.
4.4.5.3 Signcryption only Mode
The scheme will be multi-receiver encryption when and . Any
sender who knows the receiver's public key can encrypt a message as:
Algorithm 4.14
1. Selects randomly an integer
2. Computes
3.
i. Selects randomly an integer
ii. Computes
iii. Computes
iv. Computes
v. For each recipient
a. Computes
b. Computes
c.
4.
5. Computes
6. Computes
Multicast the Signcrypted text
To get the verified message, each recipient runs the deterministic algorithm
Algorithm 4.15
1. Verifies sender public key by using their certificate
2.
i. Computes
ii. Computes
iii. Computes
iv. Computes
v. Computes
vi. Accept message if else
3.
a. Computes
b. Computes
Accept message as valid if else
4.4.6 Analysis of GMRSC
This section presents the correctness, security and efficiency analysis in signature
only mode, encryption only mode and signcryption mode.
4.4.6.1 Correctness Analysis
This section presents the consistency proofs of proposed scheme in signature only
mode, encryption only mode, signcryption mode and judge verification.
Theorem 4.7
Multi Receiver Generalized Signcryption (signature only mode)
Signature/verification is valid if the sender and each receiver conform to the equation.
Proof:
Clearly, the equation is established.
Theorem 4.8
Multi Receiver Generalized Signcryption (Encryption only mode)
Encryption/decryption is valid if the sender and receiver conform to the
equation
Proof:
Clearly, the equation is established.
Theorem 4.9
Multi Receiver Generalized Signcryption (signcryption only mode)
Signcryption/unsigncryption is valid if the sender and receiver conform to the
equations
and
Proof:
Clearly, both equations hold, as proved in Theorems 4.8 and 4.9.
4.4.6.2 Security Analysis
The proposed scheme possesses seven security attributes, namely: multicast message
confidentiality, sender authentication, multicast message integrity, multicast
message unforgeability, sender non-repudiation and forward secrecy. The proofs are
based on the well-known assumptions that and are hard [10] and that the
hash function is one-way and collision resistant.
4.4.6.2.1 Confidentiality
Let an attacker try to derive the original message from the signcrypted text
; he must obtain the secret key . However, every possible way to generate
is equivalent to solving the .
Case 1: An attacker can compute from equation (4.24) if he computes from
equation (4.3). The attacker gets easily, but if he tries to generate from
equation , then the attacker must solve .
Case 2: An attacker knows and can compute from
equation (4.26) if he computes from equation (4.25), but trying to compute
from and is equivalent to solving .
4.4.6.2.2 Integrity
In the proposed scheme the recipient can verify whether the received message is original or
corrupted by using equation (4.27) and equation (4.28). If an attacker
changes , the related message is changed to such that and
. It is computationally infeasible for an attacker to modify such that
, by the collision resistance property of the one-way hash function.
4.4.6.2.3 Unforgeability
Let an attacker/recipient want to forge a valid from a previous one that the
attacker eavesdropped/received. They must generate from equation (14) for the
message . However, to compute , the attacker must compute from equation
(4.3) and from equation (4.21), which is equivalent to solving two , and a receiver
would have to compute from equation (4.3), which is equivalent to solving one .
Therefore, the proposed scheme is unforgeable.
4.4.6.2.4 Message Authentication
The proposed scheme assures sender and received message authenticity. The sender's
authenticity is confirmed by the sender's public key certificate. The receiver computes the message
digest using the collision resistant hash function and the message
signature , and verifies the message validity using .
4.4.6.2.5 Non-repudiation
In case of a dispute between sender and receiver, a trusted third party/judge can
verify the message and settle the dispute. The receiver forwards to the
trusted third party/judge, who checks the authenticity of the message using the deterministic Algorithm
4.16 JV.
Algorithm 4.16 JV
1. Verifies sender public key using their certificate
2. Computes
3. Computes
The message was sent by the sender having public key if ; else
4.4.6.2.6 Forward secrecy
Let an attacker get the sender's private key ; he still cannot recover any previous
message from the signcrypted text . Even if an attacker gets the
sender's private key , he still needs to compute using equation (4.31) from the
encrypted message. However, the attacker has no access to the message and cannot derive
the correct without knowing the original message .
Table 4.7 Security Analysis of proposed GMRSC
Schemes Model
Proposed Yes Yes Yes Yes Yes Yes Yes
(Yang et al. 2008) No Yes Yes Yes Yes No No
(Han & Gui 2009a) No Yes Yes Yes Yes Yes No
(Zhou 2012b) Yes Yes Yes Yes Yes Yes No
(Zhou 2011) Yes Yes Yes Yes Yes No No
4.4.6.3 Cost Analysis
For a single message, two factors matter for the efficiency measurement: the computation
operations and the multicast signcrypted text size; we present the cost
analysis of the proposed scheme and a comparison with existing schemes. While designing
cryptographic techniques for ubiquitous computing and bandwidth constrained
wireless communication media, the most important parameter is
communication overhead.
The proposed scheme is more efficient in all three modes than the existing
schemes with respect to the most expensive operations, as shown in Table 4.5.
Table 4.8 Computational cost comparison of existing schemes and proposed GMRSC
Schemes Mode
Signcryption Cost
(Sender)
Unsigncryption Cost
(Each Receiver)
Proposed
Sign
Enc
Signc
(Yang et al. 2008)
Sign
Enc
Signc
(Han & Gui 2009a)
Sign
Enc
Signc
(Zhou 2012b)
Sign
Enc
Signc
(Zhou 2011)
Sign
Enc
Signc
Table 4.9 Communication overhead comparison of existing schemes and proposed GMRSC
Schemes Mode Communication Overhead
Proposed
Sign
Enc
Signc
(Yang et al. 2008)
Sign
Enc
Signc
(Han & Gui 2009a)
Sign
Enc
Signc
(Zhou 2012b)
Sign
Enc
Signc
(Zhou 2011)
Sign
Enc
Signc
4.5 Blind Multi Receiver Signcryption scheme
Anonymous communication has significant applications in electronic voting and
payment systems. For anonymous authenticated communication, Chaum first
introduced the concept of a blind signature scheme having two additional properties:
blindness (the signer is unable to see the content of messages) and untraceability (the signer
must not be able to trace the sender (requester) after the blind signature is disclosed
to the public).
Blind signcryption combines the functionalities of blind signature and encryption. It
has applications in anonymous confidential communication and protects the sender's
privacy to guarantee freedom of thought and freedom of opinion in anonymity
preserving confidential communication such as mobile phone voting and payment
systems.
Blind signature (Chaum 1983), a variant of digital signature, ensures sender
anonymity and was demonstrated in an online untraceable payment protocol. (Brands
1994) presented the restrictive blind signature scheme, in which the requester blinds the
message with some restrictions. (Nikooghadam & Zakerolhosseini 2009)
proposed a blind signature scheme based on the hardness of the elliptic curve
discrete logarithm problem, which is efficient compared to schemes based on .
(Chakraborty & Mehta 2012) proposed a blind signature protocol based on elliptic
curves. The requester puts two locks on the message to ensure that the signer knows
nothing about the original message. One lock can be unlocked by the signer; the second
lock is used for blinding the message from the signer.
The first blind signcryption (Awasthi & Lal 2005) is based on and lacks public
verifiability. (Yu & He 2008) first proposed a publicly verifiable scheme based on
. Both schemes, being based on , have high cost and are not attractive for
scarce resource environments like mobile devices or smart card based anonymous
confidential communication. (Ullah et al. 2014) proposed blind signcryption
using the elliptic curve cryptosystem, which is cost efficient compared to based
schemes, but it has syntactical errors. (Hai-Sheng et al. 2012)
proposed the first certificateless blind signcryption scheme with partial message
recovery, based on the existing certificateless blind signature and encryption scheme
with partial message recovery.
For anonymous multicast, (Levine & Shields 2002) proposed the first multicast based
initiator anonymous protocol, while a cryptographic scheme can be used for
authentication and confidentiality (Shin et al. 2006).
We propose Blind Multi Receiver Signcryption ( ) using ECC, having small
key size and high efficiency, with applications in anonymous scarce resource multimedia
services.
The proposed has three participants: signer, requester and verifier; and four
phases: setup, key generation, blind signcryption and unsigncryption.
Fig. 4.2 Blind Multi Receiver Signcryption
4.5.1 Participants
The details of the participants in the proposed scheme are as follows:
4.5.1.1 Sender
The requester is a sender who wants to communicate anonymously with the receivers. He sends
the blinded message to the signer for signing and, after un-blinding the signature, forwards the blind
signcrypted text to the verifier.
4.5.1.2 Signer
The signer is any designated party who signs the blinded message sent by the requester and gains
zero knowledge about the content of the message.
4.5.1.3 Verifier
The verifier is a legitimate receiver who obtains the message and verifies its validity from the blind
signcrypted text; if valid, accepts, otherwise rejects.
4.5.2 Setup
In this phase, the domain parameters of the elliptic curve are defined and issued.
4.5.3 Key Generation
In this phase each user chooses a private key, computes their public key, obtains a
certificate from the Certificate Authority (CA) and publishes it.
The sender selects private key and computes public key
The signer selects private key and computes public key
The receiver selects private key and computes public key
=
4.5.4 Blind Multi Receiver Signcryption
Let an anonymous sender having identity want to anonymously multicast a
message vector to a group of receivers having identities (
and public keys in a confidential and authenticated way. The sender and
signer run algorithms 1, 2 and 3 to generate the signcrypted
text and multicast it to the group of receivers.
4.5.4.1 Sender
The anonymous sender having identity generates blind factor and sends it to the signer to
obtain a blind signature on the message vector . The sender runs algorithm 1 to
generate blind factor .
Algorithm 4.17 BF
1. Selects randomly an integer
2. Computes
3. Computes
Sends blind factor to Signer
4.5.4.2 Signer
The designated signer gets the blind factor , generates the blind signature using
algorithm 4.18 BS, and sends the blind signature back to the sender.
Algorithm 4.18 BS
1. Selects randomly an integer
2. Computes
3. Generates
Sends to Sender
4.5.4.3 Sender
The anonymous sender having identity anonymously multicasts a message vector
to a group of receivers having identities and public
keys in an anonymous, confidential and authenticated way. The sender and
signer run algorithm 4.19 to generate the signcrypted text
and multicast it to the group of receivers.
Algorithm 4.19 BMRSC
1. Verifies each receiver public key by using their certificates
2. Selects randomly an integers
3. Computes
4. Selects randomly an integer
5. For each recipient
a. Computes
b. Computes
6. Computes
7.
Multicast blind signcrypted text
4.5.5 Blind Unsigncryption
In the blind unsigncryption phase, each receiver in the multicast group having
identity selects his relevant information from the blind multicast
signcrypted text according to his position, received from the anonymous sender,
verifies the designated signer and the content validity using the deterministic algorithm 4.20
BUSC; if verified, accepts, otherwise rejects.
Algorithm 4.20 BUSC
1. Computes
2. Computes
3. Computes
4. Generates
5. Computes
6. Verify: if accept else
4.5.6 Analysis of BMRSC
4.5.6.1 Correctness Analysis
Theorem 4.10
The multi receiver blind signcryption scheme is correct if the sender and
receiver conform to the following equation:
Proof:
=
=
=
= =
The equation is established, so the is correct.
4.5.6.2 Security Analysis
The proposed scheme additionally provides the security functions of forward secrecy,
sender anonymity and message/sender unlinkability.
4.5.6.2.1 Message Confidentiality
Let an attacker want to breach the confidentiality of the original message; he must get
the secret key . We show that every possible way to compute is equivalent to
solving , which is computationally infeasible and so provides message
confidentiality.
Case 1: Let an attacker try to derive from equation (4.33); he should derive the
receiver's private key from equation (4.1). The attacker gets easily, but if he tries to
generate from equation , then he has to solve .
Case 2: Let an attacker try to derive from (4.5) and (4.35); he should derive the secret
parameter from (4.34). However, the attacker just knows the public parameter and
divisor , and computing from (4) is equivalent to solving the computationally infeasible
problem .
4.5.6.2.2 Message Integrity
The proposed provides message integrity, and the receiver can verify that the
message has not been altered by an attacker. The receiver obtains the message and checks the
integrity using equations (4.36) and (4.37). If an attacker changes the ciphertext , the
corresponding message also changes from to , and the message digest as
well. It is infeasible for an attacker to change and , by the collision resistance
property of the one-way hash function.
4.5.6.2.3 Unforgeability
In the proposed scheme, neither an attacker nor a legitimate receiver can forge the
signature . To forge an eavesdropped or new message using (4.40) and
(4.41), an attacker/receiver needs to compute the signer's private key and the random
secret parameter from (4.38) and (4.39), which is equivalent to solving two .
4.5.6.2.4 Signer and Message Authentication
The proposed scheme ensures authentication of the signer and the message. The receiver uses
the signer's public key with its certificate to confirm the validity of the signer.
The signer's public key is used to compute the message secret key using equation (4.38), and
the collision resistant hash function is further used to verify
the message validity. As the signer's public key is associated with the signer's private key
, this ensures that the message was signed by the legitimate signer having private
key , while computing from (4.38) by an attacker is equivalent to
solving .
4.5.6.2.5 Non-Repudiation
In case a legitimate sender denies having sent , any TTP can
verify the message contents using a zero knowledge protocol. Our proposed scheme
provides the property of non-repudiation.
4.5.6.2.6 Sender Anonymity
The proposed scheme provides sender anonymity. The sender only uses random numbers
and sends to the receiver; as the receiver does not use his private
key in generating the signcrypted text, the receiver or any third party has
no way to trace the original sender.
4.5.6.2.7 Message and Original Sender Unlinkability
The proposed scheme provides sender message unlinkability. The sender computes
and sends to the signer, and the signer may record . If later on the
signcrypted messages are publicly announced, the signer/third
party still cannot link with the sender, as the sender can argue that Bob could also generate
such a pair.
4.5.6.2.8 Forward Secrecy
Let the sender's and signer's long-term private keys be compromised; the attacker
still cannot recover any previous message from the blind signcrypted text
. To compute the session key from (4.42) and (4.43), an attacker should
compute from (4.39), which is equivalent to solving the .
The security comparison of the proposed blind multi receiver signcryption and existing
blind signcryption schemes is presented in Table 4.6.
Table 4.10 Security Analysis of proposed BMRSC
Schemes Model Multi Receiver
Proposed Yes Yes Yes Yes Yes Yes Yes Yes Yes
(Ullah et al. 2014) Yes Yes Yes Yes Yes Yes Yes Yes No
(Awasthi & Lal 2005) Yes Yes Yes Yes Yes Yes Yes Yes No
(Yu & He 2008) Yes Yes No Yes Yes No No Yes No
(Hai-Sheng et al. 2012) Yes Yes No Yes Yes No No Yes No
4.5.6.3 Cost Analysis
The proposed signcryption is analyzed; it provides an optimal solution for resource
constrained environments.
Table 4.11 Computational cost analysis of proposed BMRSC
Proposed Scheme Major Operations Minor Operations
Anonymous Sender
Designated Signer
Receiver
Table 4.12 Communication overhead of proposed BMRSC
Between Anonymous Sender and
Designated Signer Between Anonymous Sender and Multicast Group
4.6 Proxy Multi Receiver Signcryption Scheme
Privilege delegation has become an essential service in modern
enterprises and organizations. It allows a businessperson to extend and operate his
business via a designated agent during temporary absence or for lack of time or processing
capability. It has applications in e-commerce such as online proxy auctions and
business contract signing. Personal pervasive communication devices like
mobile phones and digital assistants lack the computational capability or battery
power to perform heavy cryptographic computation. Therefore, proxy signature and
signcryption schemes have emerged to delegate intensive computation from a scarce
resource device to a more powerful server (Elkamchouchi & Abouelseoud 2008). Proxy
provable data possession (PPDP) (Wang 2013) enables the proxy in public clouds to
connect to the cloud service provider, evaluate the loss and discuss the reparation
according to the loss severity.
The concept of proxy signature based on was first coined by (Mambo et al. 1996a).
It allows a designated person, called a proxy signer, to sign on behalf of an original
signer. Complete proxy, partial proxy and entitlement certificate signatures are
presented in (Mambo et al. 1996b).
For confidential proxy communication, instead of proxy signature and encryption,
(Gamage et al. 1999) first proposed a proxy signcryption scheme based on . Its
limitation is that a secure channel between the original signer and her proxy agent is required.
The proxy signcryption scheme of (Zhang et al. 2004) has the properties of forward secrecy
and message public verifiability, but with the limitation of cost deficiency. The formal
syntax and notions of security of warrant-based proxy signcryption based on the IF
assumption are defined in (Zhou et al. 2005). Another proxy signcryption scheme
(Hassan Elkamchouchi et al. 2009) was proposed with forward secrecy and public
verifiability for the original and proxy signcrypter. It is vulnerable to man in the
middle attack. Two proxy signcryption schemes were proposed in (Elkamshoushy et
al. 2006); the first is based on the and the second is based on , and they have been
implemented using Mathematica for realistic (256-bit) parameters.
The concept of a multi-proxy multi-signcryption scheme was first coined in (Lal & Singh 2007).
(Swapna et al. 2013) proposed a new identity based multi proxy multi-
signcryption scheme using bilinear pairings. (Elkamchouchi 2013) proposed two
proxy signcryption schemes, one based on the and the second based on , which
have been implemented using Mathematica for realistic (256-bit) parameters.
A proxy signcryption scheme has three participants: original signer, proxy signcrypter
and a group of designated receivers.
The original signer generates a proxy credential/warrant to delegate his/her signing
authority to a proxy agent. The proxy agent generates and multicasts the signcrypted
message to the group of receivers. Each receiver unsigncrypts the message content from
the received signcrypted message, verifies its validity and accepts or rejects it.
Fig. 4.3 Proxy Multi Receiver Signcryption
A proxy signcryption scheme consists of the following four phases.
Setup
Key Generation
Proxy Warrant Generation (PWG)
Proxy Warrant Verification (PWV)
Proxy Multi Receiver Signcryption (PMRSC)
Proxy Unsigncryption (US)
4.6.1 Setup
In the setup phase, the security parameters such as the finite field, elliptic curve, and base
point are defined and published to the group members.
4.6.2 Key Generation
Alice, the proxy and Bob generate their private keys and compute public keys as:
The sender selects private key and computes public key
The proxy selects private key and computes public key
The receiver selects private key and computes public key
=
4.6.3 Proxy Warrant Generation
In this phase, Alice signs a warrant message and sends it to the proxy. This is a PPT
algorithm that takes the private key of the original signer and a warrant as input and
then returns a proxy credential .
Algorithm 4.21 PWG
1. Selects randomly an integer
2. Computes
3. Computes
4. Computes
Send to proxy agent
4.6.4 Proxy Warrant Verification
The proxy agent checks the validity of the warrant message. This is a deterministic algorithm that
takes the public key of the original signer , verifies the
warrant and accepts or rejects it, depending on whether the message was sent by the original signer or not. If the message is
from the original signer, then it accepts, otherwise rejects.
Algorithm 4.22 PWV
1. Verifies each sender public key by using their certificates
2. Computes
3. Compute
Accept the warrant if else
4.6.5 Proxy Multi Receiver Signcryption
In this phase the proxy, on behalf of the original user, generates the proxy multi-receiver
signcrypted text using an algorithm that takes the proxy credential , message ,
his secret key , and the receivers' public keys , and generates the multicast proxy
signcrypted text.
Algorithm 4.23 PMRSC
1. Verifies each receiver public key by using their certificates
2. Selects randomly an integer
3. Computes
4. Computes
5. Computes
6. Selects randomly an integer
7. For each recipient
i. Computes
ii. Computes
8. Computes
9.
Multicast proxy signcrypted text
4.6.6 Proxy Unsigncryption
In the proxy unsigncryption phase, only the intended receiver can recover the plain
text from the cipher text. This is a deterministic algorithm that takes a signcrypted message ,
the public key of the original user, the public key of the proxy agent and the receiver's private key , and
returns a valid message , otherwise returns an error .
Algorithm 4.24 PUSC
1. Verifies each Sender and proxy agent public key by using their
certificates
2. Computes
3. Compute
4. Computes
5. Computes
6. Generates
7. Computes
Verify: if accept else
4.6.7 Analysis of PMRSC
4.6.7.1 Correctness Analysis
Theorem 4.11
The proxy warrant generation/verification is correct if the sender and receiver conform
to the following equation:
Proof:
The equation is established, so the proxy multi-receiver signcryption warrant
generation/verification is correct.
Theorem 4.12
The proxy multi receiver signcryption is correct if the sender and receiver
conform to the following equation:
Proof:
= =
The equation is established, so the proxy multi-receiver signcryption scheme
is correct.
4.6.7.2 Security Analysis
Our proposed multicast instant message communication protocol ensures the basic
security properties under the established assumption that solving with
sufficient security parameters is infeasible.
4.6.7.2.1 Confidentiality
Our proposed scheme ensures multicast message confidentiality. We present the
possible attacks that an attacker can try in order to break message confidentiality.
Case 1: An attacker can compute from equation (4.2) if he computes from
equation (1). The attacker gets easily, but if he tries to generate from
equation , then he has to solve .
Case 2: An attacker can compute from equations (4.45) and (4.46) if he computes
from equation (1). The attacker gets easily, but if he tries to generate from
equation , then he has to solve .
4.6.7.2.2 Warrant Integrity
The proposed scheme ensures warrant integrity, so that no one can change it during
dissemination to the proxy via an insecure channel. The sender calculates the warrant digest
using equation (10) and sends it to the proxy.
If the attacker changes into , the corresponding digest is changed to .
The proxy verifies the warrant integrity using equations (4.47), (4.48) and (4.49). It is infeasible
for an attacker to change and , by the collision resistance
property of the one-way hash function.
4.6.7.2.3 Message Integrity
The proposed scheme ensures message integrity, so that no change occurs during
dissemination of the message via an insecure channel. The receiver obtains the message and
checks the integrity using equations (4.50) and (4.51).
If an attacker changes the ciphertext , the corresponding message also changes
from to , and the message digest as well. It is infeasible for an attacker to
change and , by the collision resistance property of the one-way hash
function.
4.6.7.2.4 Warrant Unforgeability
In the proposed scheme, only the sender can generate a valid signature on the warrant, and it is
infeasible for an attacker/legitimate proxy to generate a valid signature for a
warrant.
Let an attacker/legitimate proxy try to forge valid parameters
for ; he must generate from equation (4.52) for the message ,
which requires computing from equation (4.3), equivalent to solving .
Therefore, our proposed scheme is unforgeable.
4.6.7.2.5 Message Unforgeability
In the proposed scheme only the proxy can generate a valid signature for a message, and it is
infeasible for an attacker/legitimate receiver to generate a valid signature for a
message.
Let an attacker/legitimate receiver try to forge valid parameters
for ; he must generate from equation (4.53) for the message , which
requires computing from equation (4.44), equivalent to solving . Therefore,
our proposed scheme is unforgeable.
4.6.7.2.6 Authenticity
The proposed scheme assures sender and received message authenticity. The sender's and
proxy's authenticity is confirmed by the sender's and proxy's public key certificates.
The message signature is used to compute the
ciphertext decryption session key, and the collision resistant hash
function is further used to verify the message and warrant
validity.
4.6.7.2.7 Sender Non-Repudiation
A trusted third party/judge verifies and decides whether the warrant came from the sender or not
when the proxy provides , verifying as:
Algorithm 4.22 PWV
1. Verifies each sender public key by using their certificates
2. Computes
3. Compute
Accept the warrant if else
4.6.7.2.8 Proxy Non-Repudiation
In case a legitimate proxy denies having sent the signcrypted text , any
trusted third party can verify the message contents using a zero knowledge protocol.
Our proposed scheme provides the property of non-repudiation.
4.6.7.3 Cost Analysis
The computational efficiency of the proposed scheme is analyzed and shown in Table 4.9.
Table 4.13 Computational cost analysis of PMRSC
Proposed Scheme Major Operations Minor Operations
Original User
(Proxy Warrant Generation )
Proxy Agent
(Proxy Warrant Verification)
Proxy Agent
Signcryption
Receiver Unsigncryption
The communication overhead of proposed PMRSC is presented in Table 4.14.
Table 4.14 Computational overhead analysis of PMRSC
Between Original User and Proxy Agent Between Proxy Agent and Receiver
Chapter 5
CONCLUSION AND FUTURE WORK
5.1 Conclusion
Securing multicast communication is an emerging challenge in future wired and
wireless networks. Elliptic curve cryptography is a step forward for
industrialization due to its small key size and cost efficiency. Multi receiver
signcryption, a logical combination of digital signature and multi receiver
encryption, is attractive for securing multicast. Multi receiver signcryption schemes
on elliptic curves are more attractive for scarce resource settings in an established PKI.
This thesis aims to propose efficient constructions of multi receiver signcryption
based on ECC. We proposed six multi-receiver signcryption schemes on ECC in the PKI
setting.
We presented a formal model of an efficient multi-receiver signcryption scheme, its
correctness and a detailed security analysis. Its cost is analyzed, and it appears more efficient
than existing constructions, with applications in confidential and authenticated
multicast session key agreement and instant secure message communication.
Forward secrecy is of prime importance in recent and future internet services, as 37.8% of
TLS-enabled websites for secure browsing have to use cipher suites with forward
secrecy. To address the requirement of forward secrecy in multicast secure
communication, we proposed a multi receiver signcryption scheme with forward
secrecy on ECC in PKI. The correctness, security and cost analysis is given. It ensures
confidentiality of messages even if the sender's private key has been stolen by an
attacker. Its low communication overhead could make this construction a better
option for use in resource constrained secure multicast communication.
To enable firewalls in a multicast setting, we proposed multi receiver signcryption for
firewalls with the additional functionality of encrypted message authentication, which
enables a firewall to verify an encrypted message without disclosing the message contents
or obtaining any secret parameter from the participants. Its security attributes and
cost effectiveness make it a suitable choice for efficient firewall enabled secure
multicast applications.
Concepts like the Internet of Things have gained significant attention, such that by 2020
there will be 50 to 100 billion devices connected to the Internet, which may require
miscellaneous multicast security requirements like confidentiality, authenticity, or
both. Our proposed generalized multi receiver signcryption scheme based on elliptic
curves endeavors to provide the functionality of digital signature, multi receiver
encryption or multi receiver signcryption with a single algorithm, adaptively working in
three different modes according to the security requirement. The proposed scheme's
formal model, correctness, security, and cost analysis are presented, showing its
suitability.
Freedom of thought and freedom of opinion are prime rights of a developed human
society in the global village created by the internet. Due to biased and unbiased factors of human
nature, this can only be assured if the identity of the communicator stays anonymous.
To assure such a property in a secure multicast environment, we proposed a blind multi
receiver signcryption scheme which provides the functionality of sender anonymity.
It has significance in applications such as privacy preserving multicast communication,
electronic voting and intelligence services, to protect the sender's privacy and
guarantee freedom of thought and freedom of opinion.
People in the modern global village are busier than in any previous human era, and ubiquitous
communication devices lack computational capability or battery power,
while security becomes more imperative. To off-load the burden of busy people and
scarce resource devices with security assurance in a multicast setting, we proposed a
proxy multi receiver signcryption scheme with the functionality of designating a
proxy agent that performs secure multicast communication on behalf of the original user.
The formal model, correctness, security and cost analysis are given, showing the
suitability of the proposed scheme to off-load intensive computational load from a
scarce resource device to more powerful servers for efficient and secure proxy
communication.
5.2 Future Work
We can summarize the survey findings and future directions as follows:
Construction of multi receiver signcryption for hybrid multicast secure
communication in sensor networks and the Internet of Things (IoT) (Li
& Xiong 2013), the wave of innovation to improve and optimize our daily life through sensors and
smart objects (Keoh et al. 2014).
Construction of new multi receiver signcryption provably secure in the standard
model. For cost-effective, quantum attack resistant post-quantum multicast security, a
multi-receiver signcryption scheme in the IB and PKI settings is attractive. Finding
new applications for multi receiver signcryption in scarce resource emerging
networks.
Smart grids are emerging to promote sustainable ways of living. Due to their hierarchical
structure, multicast is envisioned in many smart grid applications such as various
operation and control, wide area protection, demand-response and in-substation
protection (Zhang & Gunter 2010)(Mahmoud et al. 2013)(Li & Cao 2011). Multi
receiver signcryption schemes can be used to efficiently solve important and
challenging concerns of security and privacy in multicast session key agreement and
instant secure message communication in smart grids.
Multi receiver signcryption can be used to share a group temporal key for secure
multicast communication in body sensor networks (Movassaghi et al. 2014) and mobile
health systems (Silva et al. 2015), which include the use of mobile devices that interact with patients
and caretakers.
References
Ahmed, F., Masood, A. & Kausar, F., 2010. An efficient multi recipient
signcryption scheme offering non repudiation. In 10th International
Conference on Computer and Information Technology. pp. 1577 – 1581.
Al-Riyami, S.S. & Paterson, K.G., 2003. Certificateless Public Key
Cryptography. In Advances in Cryptology-ASIACRYPT 2003. pp. 452–
473.
Anon., n.d. Scott Vanstone Award Lecture; Rump Session. Available at:
http://research.microsoft.com/apps/video/default.aspx?id=140735&r=1.
Ashraf Ch., S., Nizamuddin & Sher, M., 2012. Public Verifiable
Signcryption Schemes with Forward Secrecy Based on Hyperelliptic
Curve Cryptosystem. Communications in Computer and Information
Science, 285, pp.135–142. Available at:
http://link.springer.com/10.1007/978-3-642-29166-1_12.
Awasthi, A.K. & Lal, S., 2005. An Efficient Scheme for Sensitive Message
Transmission using Blind Signcryption. In arXiv preprint cs/0504095.
Backes, M. & Kate, A., 2013. AnoA: A Framework For Analyzing
Anonymous Communication Protocols. In 26th IEEE Computer
Security Foundations Symposium. pp. 163–178.
Barbosa, M. & Farshim, P., 2007. Randomness reuse: extensions and
improvements. In Cryptography and Coding, LNCS. pp. 257–276. Available at:
http://dl.acm.org/citation.cfm?id=1782597.
Barker, E. et al., 2011. Transitions: Recommendation for Transitioning
the Use of Cryptographic Algorithms and Key Lengths. NIST
Special Publication 800-131A.
Bellare, M. et al., 2007. Multirecipient encryption schemes: How to save
on bandwidth and computation without sacrificing security. IEEE
Transactions on Information Theory, 53(11), pp.3927–3943.
Bellare, M., Boldyreva, A. & Staddon, J., 2003. Multi-Recipient
Encryption Schemes: Security Notions and Randomness Re-Use.
Public Key Cryptography, Lecture Notes in Computer Science, 2567, pp.1–
30.
Bohio, M. & Miri, A., 2004. An Authenticated Broadcasting Scheme for
Wireless Ad hoc Network. In 2nd Annual Conference on
Communication Networks and Services Research. pp. 69 – 74.
Boneh, D. & Franklin, M., 2003. Identity-based encryption from the Weil
pairing. SIAM Journal on Computing, 32(3), pp.586–615. Available at:
http://epubs.siam.org/doi/abs/10.1137/S0097539701398521.
Bos, J., Halderman, J. & Heninger, N., 2014. Elliptic Curve Cryptography
in Practice. Financial Cryptography and Data Security, LNCS, 8437,
pp.157–175. Available at: http://cryptome.org/2013/11/ecc-
practice.pdf.
Boyd, C. & Nieto, J.G., 2011. On forward secrecy in one-round key
exchange. In Cryptography and Coding, LNCS 7089. pp. 451–468.
Brands, S., 1994. Untraceable off-line cash in wallet with observers. In
Advances in Cryptology—CRYPTO’93. pp. 302–318.
Certicom Research, 2009. Certicom ECC Challenge. pp.1–50.
Chakraborty, K. & Mehta, J., 2012. A Stamped Blind Signature Scheme
based on Elliptic Curve Discrete Logarithm Problem. International
journal of Network Security, 14(6), pp.316–319.
Chaum, D., 1983. Blind signatures for untraceable payments. In Advances
in cryptology. pp. 199–203.
Chiu, Y.T., Lin, C.S. & Chang, C., 2000. A Secure Agent-based
Framework for Internet Trading in Mobile Computing
Environments. In Distributed and Parallel Databases. pp. 85–117.
Chuanrong, Z. & Hong, X., 2009. Threshold key management protocol in
mobile ad hoc networks using an ID-based signcryption scheme. In
2009 International Conference on Cyber-Enabled Distributed Computing
and Knowledge Discovery. pp. 233–237. Available at:
http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=
5342189.
Digital Equipment Corporation, Intel Corporation & Xerox Corporation, 1981.
The Ethernet: a local area network: data link layer and physical layer
specifications. ACM SIGCOMM Computer Communication Review, 11(3), pp.20–66.
Curtmola, R., 2007. A Mechanism for Communication-Efficient
Broadcast Encryption over Wireless Ad Hoc. In Electronic Notes in
Theoretical Computer Science. pp. 57–69. Available at:
http://dx.doi.org/10.1016/j.entcs.2006.11.009.
Deering, S.E., 1991. Multicast routing in a datagram internetwork. PhD
Dissertation, Department of Computer Science, Stanford University,
December. Available at:
http://oai.dtic.mil/oai/oai?verb=getRecord&metadataPrefix=html&identifier=ADA325909.
Diffie, W. & Hellman, M., 1976. New directions in cryptography. IEEE
Transactions on Information Theory, 22(6), pp.644 – 654.
Diffie, W., van Oorschot, P.C. & Wiener, M.J., 1992. Authentication and
Authenticated Key Exchanges. Designs, Codes and Cryptography,
2(2), pp.107–125.
Ding, W., Wang, H. & Wei, X., 2013. Many-to-many multicast routing
schemes under a fixed topology. The Scientific World Journal, 2013,
pp.1–11.
Dodis, Y., 2010. In: Dent, A. & Zheng, Y. (eds.), Practical Signcryption.
Springer-Verlag Berlin Heidelberg. Available at:
http://www.springerlink.com/index/10.1007/978-3-540-89411-7.
Donnan, R.A., 1985. IEEE Standards for local area networks Token ring,
Duan, S. & Cao, Z., 2006. Efficient and provably secure multi-receiver
identity-based signcryption. In Information Security and Privacy,
LNCS. Springer Berlin Heidelberg, pp. 195–206. Available at:
http://link.springer.com/chapter/10.1007/11780656_17.
Elgamal, T., 1985. A public key cryptosystem and a signature scheme
based on discrete logarithms. Advances in cryptology LNCS, 196,
pp.10–18.
Elkamchouchi, H., 2009. A New Efficient Publicly Verifiable
Signcryption Scheme and its Multiple Recipients Variant for
Firewalls Implementation. In 26th National Radio Science Conference.
pp. 1–9.
Elkamchouchi, H., 2013. An efficient proxy signcryption scheme based
on the discrete logarithm problem. International Journal of ….
Elkamchouchi, H. & Abouelseoud, Y., 2007a. A Multi-Recipient Tree-
Based Signcryption Scheme. In International Conference on Signal
Processing and Communications. pp. 69–72.
Elkamchouchi, H. & Abouelseoud, Y., 2007b. A New Multi-Recipient
Tree-Based Signcryption Scheme. In International Conference on
Computer Engineering & Systems. pp. 126 – 130.
Elkamchouchi, H. & Abouelseoud, Y., 2008. A New Proxy Identity-
Based Signcryption Scheme for Partial Delegation of Signing Rights.
IACR Cryptology ePrint Archive 2008, 41.
Elkamchouchi, H., Nasr, M. & Ismail, R., 2009. A new efficient multiple
broadcasters signcryption scheme (MBSS) for secure distributed
networks. In 5th International Conference on Networking and Services.
pp. 204–209.
Elkamchouchi, H., Nasr, M. & Ismail, R., 2009. A new efficient strong
proxy signcryption scheme based on a combination of hard
problems. In IEEE International Conference on Systems, Man and
Cybernetics. pp. 5123–5127.
Elkamchouchi, H.M., 2007. A New Public Key Multi-Message Dynamic
Signcryption ( PK-MM-DS ) Scheme for Cryptographic
Transmission. In 24th National Radio Science Conference (NRSC 2007).
pp. 1–10.
Elkamchouchi, H.M., Emarah, A.A.M. & Hagras, E.A.A., 2007. A new
efficient public key multi-message multi-recipient signcryption (PK-
MM-MRS) scheme for provable secure communications. In
International Conference on Computer Engineering and Systems. pp. 89–
94.
Elkamchouchi, H.M., Emarah, A.M. & Hagras, E.A.A., 2007. Public Key
Multi-Message Signcryption (PK-MMS) scheme for secure
communication systems. In Fifth Annual Conference on Communication
Networks and Services Research. pp. 329–334.
Elkamchouchi, H.M. & Hagras, E., 2009. Public Key Threshold Multi-
Message Signcryption (PK-TMMS) scheme with (t, n) shared
verification. In National Radio Science Conference. pp. 1–9.
Elkamshoushy, D.H., AbouAlsoud, A.K. & Madkour, M., 2006. New
proxy signcryption scheme with DSA verifier. In National Radio
Science Conference. pp. 1–8.
Feng, M. et al., 2006. Signed MSB-Set Comb Method for Elliptic Curve
Point Multiplication. In Information Security Practice and Experience,
LNCS. pp. 13–24.
Fiat, A. & Naor, M., 1994. Broadcast encryption. In 13th annual
international cryptology conference on Advances in cryptology, LNCS. pp.
480–491.
Franklin, M., Hsiao, C.-Y. & Reyzin, L., 2004. Finding Collisions on a
Public Road, or Do Secure Hash Functions Need Secret Coins? In
Advances in Cryptology – CRYPTO 2004 - LNCS 3152. pp. 92–105.
Available at:
http://www.springerlink.com/content/8nabgcve9ht5lhtt/.
Gamage, C., Leiwo, J. & Zheng, Y., 1999. An Efficient Scheme for Secure
Message Transmission using Proxy-Signcryption. In 22nd
Australasian Computer Science Conference. pp. 420–431.
Gemmell, J. & Gray, J., 2000. Fcast Multicast File Distribution. IEEE
Network, 14(1), pp.58–68.
Gifford, D.K., 1979. Weighted voting for replicated data. In 7th ACM
symposium on Operating systems principles. pp. 150–162. Available at:
http://portal.acm.org/citation.cfm?doid=800215.806583.
Giry, D., 2013. Keylength - NIST Report on Cryptographic Key Length
and Cryptoperiod. Available at:
http://www.keylength.com/en/4/.
González Nieto, J.M. et al., 2013. Publicly Verifiable Ciphertexts. Journal of
Computer Security, 21(5), pp.749–778.
Jung, H.Y., Chang, K.S., Lee, D.H. & Lim, J.I., 2001. Signcryption schemes with
forward secrecy. In Proceedings of WISA 2001. pp. 403–475.
Hai-Sheng, Q., Lei, Z. & Yan-Qiang, F., 2012. Certificateless Blind
Signcryption Scheme with Message Recovery Design. In In
International Conference on Computer Science & Service System. pp. 867–
870.
Han, Y. et al., 2006. ECGSC: Elliptic Curve based Generalized
Signcryption. In Ubiquitous Intelligence and Computing, LNCS-4159.
Springer Berlin Heidelberg, pp. 956–965.
Han, Y., 2007. Generalization of signcryption for resources constrained
environments. Wireless Communications and Mobile Computing, 7(7),
pp.919–931.
Han, Y. et al., 2010. Parallel multi-recipient signcryption for multicast
networks. International Journal of Innovative Computing, Information
and Control, 6(8). ISSN 1349-4198.
Han, Y. & Gui, X., 2009a. Adaptive Secure Multicast in Wireless
Networks. International Journal of Communication Systems, 22(9),
pp.1213–1239.
Han, Y. & Gui, X., 2009b. Multi Recipient Signcryption for Secure Group
Communication. In 4th IEEE Conference on Industrial Electronics and
Applications. pp. 161–165.
Han, Y., Gui, X. & Wang, X., 2008. Multi-Recipient Signcryption for
Secure Wireless Group Communication. In IACR Cryptology ePrint
Archive 253.
Han, Y. & Yang, X., 2006. ECGSC: Elliptic Curve based Generalized
Signcryption Scheme. In IACR Cryptology ePrint Archive:126.
Han, Y., Yang, X. & Hu, Y., 2004. Signcryption based on elliptic curve
and its multi-party schemes. In 3rd international conference on
Information security. pp. 216–217.
Handley, M., 2000. Session Announcement Protocol. In RfC. pp. 1–18.
Available at:
http://www.protocolbase.net/protocols/protocol_SAP.php.
Hankerson, D., Menezes, A.J. & Vanstone, S., 2006. Guide to Elliptic Curve
Cryptography. Springer.
Elkamchouchi, H.M., Abu Elkhair, E.F. & Abouelseoud, Y., 2013. An Efficient
Proxy Signcryption Scheme. International Journal of Information
Technology, Modeling and Computing, 1(2), pp.7–19.
Hien, D.T., Tien, T.N. & Hien, T.T.T., 2010. An Efficient Identity-Based
Broadcast Signcryption Scheme. In 2nd International Conference on
Knowledge and Systems Engineering. pp. 209–216.
Hiwatari, H. et al., 2009. Multi-recipient Public-Key Encryption from
Simulators in Security Proofs. In Information Security and Privacy,
LNCS. pp. 293–308.
Holbrook, H.W., Singhal, S.K. & Cheriton, D.R., 1995. Log-Based
Receiver-Reliable Multicast for Distributed Interactive Simulation. In
ACM SIGCOMM. pp. 328–341.
Holzinger, A. et al., 2010. Towards life long learning: three models for
ubiquitous applications. Wireless Communications and Mobile
Computing, 10(10), pp.1350–1365. Available at:
http://eprints.soton.ac.uk/266684/.
Hwang, R., Lai, C. & Su, F., 2005. An efficient signcryption scheme with
forward secrecy based on elliptic curve. Applied Mathematics and
Computation, 2005(167), pp.870–881.
Kim, I.T. & Hwang, S.O., 2011. An efficient identity-based
broadcast signcryption scheme for wireless sensor networks. In
International Symposium on Wireless and Pervasive Computing. pp. 1–6.
Available at:
http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5751323.
Ishai, Y., Kushilevitz, E. & Ostrovsky, R., 2005. Sufficient Conditions for
Collision-Resistant Hashing. In Theory of Cryptography, LNCS 3378.
pp. 445–456.
Islam, S. & Atwood, J.W., 2007. A policy framework for multicast group
control. In 4th Annual IEEE Consumer Communications and Networking
Conference, CCNC07. pp. 1103–1107.
Kapoor, V., Abraham, V.S. & Singh, R., 2008. Elliptic curve
cryptography. Ubiquity, 2008(May), pp.1–8. Available at:
http://portal.acm.org/citation.cfm?doid=1386853.1378356.
Keoh, S.L., Kumar, S.S. & Tschofenig, H., 2014. Securing the Internet of
Things: A Standardization Perspective. IEEE Internet of Things
Journal, 1(3), pp.265–275.
Khullar, S., Richhariya, V. & Richhariya, V., 2013a. A survey of Identity
Based Multireceiver Signcryption scheme. International Journal of
Scientific & Engineering Research, 4(4), pp.744–746.
Khullar, S., Richhariya, V. & Richhariya, V., 2013b. An Efficient identity
based Multi-receiver Signcryption Scheme using ECC. International
Journal of Advancements in Research & Technology, 2(4), pp.189–193.
Koblitz, N., 1987. Elliptic curve cryptosystems. Mathematics of
Computation, 48(177), pp.203–209.
Kurosawa, K., 2002. Multi-Recipient Public-key encryption with
shortened ciphertext. In Public Key Cryptography, LNCS. pp. 48–63.
Lal, S. & Kushwah, P., 2009. Anonymous ID Based Signcryption Scheme
for Multiple Receivers. In IACR Cryptology ePrint Archive.
Lal, S. & Singh, T., 2007. New ID Based Multi-Proxy Multi-Signcryption
Scheme from Pairings. In arXiv preprint cs/0701044. pp. 1–9.
Levine, B. & Shields, C., 2002. Hordes: A Multicast Based Protocol for
Anonymity. Journal of Computer Security, 10(3), pp.213–240.
Li, F., Hu, Y. & Liu, S., 2007. Efficient and provably secure multi-
recipient signcryption from bilinear pairings. Wuhan University
Journal of Natural Sciences, 12(1), pp.17–20.
Li, F., Xiong, H.X.H. & Nie, X.N.X., 2009. A new multi-receiver ID-based
signcryption scheme for group communications. In International
Conference on Communications, Circuits and Systems. pp. 296–300.
Li, F. & Xiong, P., 2013. Practical secure communication for integrating
wireless sensor networks into the internet of things. IEEE Sensors
Journal, 13(10), pp.3677–3684.
Li, Q. & Cao, G., 2011. Multicast authentication in the smart grid with
one-time signature. IEEE Transactions on Smart Grid, 2(4), pp.686–696.
Mahmoud, M.M.E.A., Misic, J. & Shen, X., 2013. A scalable public key
infrastructure for smart grid communications. In IEEE Global
Telecommunications Conference. pp. 784–789. Available at:
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6831168.
Mambo, M., Usuda, K. & Okamoto, E., 1996a. Proxy signatures for
delegating signing operation. In 3rd ACM conference on Computer and
communications security. pp. 48–57.
Mambo, M., Usuda, K. & Okamoto, E., 1996b. Proxy Signatures:
Delegation of the Power to Sign Messages. IEICE TRANSACTIONS
on Fundamentals of Electronics Communications and Computer Sciences,
E79-A(9), pp.1338–1354.
Meffert, D., 2009. Bilinear Pairings in Cryptography. In Master’s thesis,
Radboud Universiteit Nijmegen.
Miao, S., Zhang, F. & Zhang, L., 2010. Cryptanalysis of a certificateless
multi-receiver signcryption scheme. In International Conference on
Multimedia Information Networking and Security. pp. 593–597.
Miller, V., 1986. Use of elliptic curves in cryptography. In Advances in
Cryptology — CRYPTO '85, LNCS 218. pp. 417–426.
Mockapetris, P.V., 1983. Analysis of reliable multicast algorithms for
local networks. ACM SIGCOMM Computer Communication Review,
13(4), pp.150–157.
Movassaghi, S. et al., 2014. Wireless Body Area Networks: A Survey.
IEEE Communications Surveys & Tutorials, 16(3), pp.1658–1686.
Naor, D., Naor, M. & Lotspiech, J., 2001. Revocation and Tracing
Schemes for Stateless Receivers. In Advances in Cryptology, LNCS. pp.
41–62.
Nicanfar, H. et al., 2014. Efficient authentication and key management
mechanisms for smart grid communications. IEEE Systems Journal,
8(2), pp.629–640.
Nikooghadam, M. & Zakerolhosseini, A., 2009. An Efficient Blind
Signature Scheme Based on the Elliptic Curve Discrete Logarithm
Problem. The ISC International Journal of Information Security, 1(2).
Park, M. et al., 2013. Key Management for Multiple Multicast Groups in
Wireless Networks. IEEE TRANSACTIONS ON MOBILE
COMPUTING, 12(9), pp.1712–1723.
Qin, H., Dai, Y. & Wang, Z., 2011. Identity based multi receiver
threshold signcryption scheme. Security and Communication Networks,
4(11), pp.1331–1337.
Rajamanickam, V. & Veerappan, D., 2014. Inter cluster communication
and rekeying technique for multicast security in mobile ad hoc
networks. IET Information Security, 8(4), pp.234–239.
Ramsdel, B. & Turner, S., 2010. RFC 5751: Secure/Multipurpose Internet
Mail Extensions (S/MIME) Version 3.2 Message Specification. IETF
Network Working Group, pp.1–45.
Certicom Research, 2010. Standards for Efficient Cryptography 2 (SEC 2):
Recommended Elliptic Curve Domain Parameters, version 2.0, pp.1–33.
Rivest, R.L., Shamir, A. & Adleman, L., 1978. A method for obtaining
digital signatures and public-key cryptosystems. Communications of
the ACM, 21(2), pp.120–126.
Selvi, S. et al., 2008. Efficient and provably secure certificateless multi-
receiver signcryption. In Provable Security LNCS 5324. pp. 52–67.
Selvi, S. & Vivek, S., 2008. On the Provable Security of Multi-Receiver
Signcryption Schemes. In IACR Cryptology ePrint Archive.
Selvi, S.S.D. & Vivek, S.S., 2008. Cryptanalysis of id-based signcryption
scheme for multiple receivers. In Cryptology ePrint Archive, Report.
Selvi, S.S.D., Vivek, S.S. & Rangan, C.P., 2009. A note on the
Certificateless Multi-receiver Signcryption Scheme. IACR Cryptology
ePrint Archive.
National Security Agency / Central Security Service (NSA/CSS), 2009. The
Case for Elliptic Curve Cryptography.
Shamir, A., 1985. Identity-based cryptosystems and signature schemes.
Advances in Cryptology CRYPTO 84, LNCS, 196, pp.47–53.
Sharmila Deva Selvi, S., Sree Vivek, S., Srinivasan, R., et al., 2009. An
efficient identity-based signcryption scheme for multiple receivers.
In Advances in Information and Computer Security, LNCS. pp. 71–88.
Sharmila Deva Selvi, S., Sree Vivek, S. & Pandu Rangan, C., 2009.
Breaking and fixing of an identity based multi-signcryption scheme.
In Provable Security, LNCS. pp. 61–75.
Shin, D. et al., 2006. Anonymous Voting Scheme on Multicast. pp.1034–1039.
Silva, B.M.C. et al., 2015. Mobile-health: A review of current state in
2015. Journal of Biomedical Informatics, 56, pp.265–272.
Smart, N.P., 2005. Efficient Key Encapsulation to Multiple Parties. In
Security in Communication Networks. Springer Berlin Heidelberg, pp.
208–219.
Sun, Y.X. & Li, H., 2010. Efficient signcryption between TPKC and
IDPKC and its multi-receiver construction. Science China Information
Sciences, 53(3), pp.557–566. Available at:
http://link.springer.com/article/10.1007/s11432-010-0061-5.
Swapna, G., Reddy, P.V. & Gowri, T., 2013. Efficient identity based
multi-proxy multi-signcryption scheme using bilinear pairings over
elliptic curves. In International Conference on Advances in Computing,
Communications and Informatics. pp. 418–423.
Tso, R., Okamoto, T. & Okamoto, E., 2008. ECDSA-Verifiable Signcryption
Scheme with Signature Verification on the Signcrypted Message. In
Information Security and Cryptology, LNCS 4990. pp. 11–24.
Toorani, M. & Shirazi, A.A.B., 2008. Cryptanalysis of an efficient
signcryption scheme with forward secrecy based on elliptic curve. In
International Conference on Computer and Electrical Engineering. pp.
428–432.
Toorani, M. & Shirazi, A.A.B., 2010. Cryptanalysis of an elliptic curve-
based signcryption scheme. International Journal of Network Security,
10(6), pp.51–56.
Tran, T.T. et al., 2013. Secure wireless multicast for delay-sensitive data
via network coding. IEEE Transactions on Wireless Communications,
12(7), pp.3372–3387.
National Institute of Standards and Technology (U.S. Department of
Commerce), 2013. Digital Signature Standard (DSS). Federal
Information Processing Standards Publication 186-4 (FIPS PUB 186-4),
pp.1–121.
Ullah, R., Umar, A.I. & ul Amin, N., 2014. Blind signcryption scheme
based on elliptic curves. In Conference on Information Assurance and
Cyber Security (CIACS). IEEE, pp. 51–54.
Vijayan R, S.S., 2011. A Novel approach for Implementing Security over
Vehicular Ad hoc network using Signcryption through Network
Grid. International Journal of Advanced Computer Science and
Applications (IJACSA), 2(4), pp.44–48. Available at:
http://ijacsa.thesai.org/.
Wang, H., 2013. Proxy Provable Data Possession in Public Clouds. IEEE
Transactions on Services Computing, 6(4), pp.551–559.
Wang, H., Zhang, Y. & Qin, B., 2012. Analysis and improvements of two
identity based anonymous signcryption schemes for multiple
receivers. In 11th IEEE International Conference on Ubiquitous Computing and
Communications. pp. 1057–1062.
Wang, X., Tao, M. & Xu, Y., 2014. Outage analysis of cooperative secrecy
multicast transmission. IEEE Wireless Communications Letters, 3(2),
pp.161–164.
Wang, X., Yang, X. & Han, Y., 2010. Provable Secure Generalized
Signcryption. Journal of Computers, 5(5).
Wang, Y. & Li, T., 2004. LITESET/A++: a new agent-assisted secure
payment protocol. In IEEE International Conference on E-Commerce
Technology. pp. 244–251.
Wu, L., 2012. An ID-Based Multi-Receiver Signcryption Scheme In
MANET. Journal of Theoretical & Applied Information Technology, 46(1),
pp.120–124.
Yang, X. et al., 2008. New ECDSA-verifiable multi-receiver
generalization signcryption. In 10th IEEE International Conference on
High Performance Computing and Communications, HPCC 2008. pp.
1042–1047.
Yavuz, A.A., Alagöz, F. & Anarim, E., 2010. A new multi-tier adaptive
military MANET security protocol using hybrid cryptography and
signcryption. Turkish Journal of Electrical Engineering and Computer
Sciences, 18(1), pp.1–21.
Yavuz, A.A., 2014. An Efficient Real-Time Broadcast Authentication
Scheme for Command and Control Messages. IEEE
TRANSACTIONS ON INFORMATION Forensics And Security, 9(10),
pp.1733–1742.
Yavuz, A.A., Alagoz, F. & Anarim, E., 2006. HIMUTSIS: Hierarchical
Multi-tier Adaptive Ad-hoc Network Security Protocol Based on
Signcryption Type Key Exchange Schemes. In Computer and
Information Sciences – ISCIS 2006, LNCS. pp. 434–444.
Yavuz, A.A., Alagöz, F. & Anarim, E., 2006. NAMEPS: N-tier satellite
multicast security protocol based on signcryption schemes. In IEEE
Global Telecommunications Conference. IEEE, pp. 1–6. Available at:
http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=4151161.
Yu, X. & He, D., 2008. A new efficient blind signcryption. Wuhan
University Journal of Natural Sciences, 13(6), pp.662–664.
Yu, Y. et al., 2007. Efficient identity-based signcryption scheme for
multiple receivers. In Autonomic and Trusted Computing LNCS 4610.
Springer, Heidelberg 2007, pp. 13–21.
Zhang, B. & Xu, Q., 2010. An ID-based anonymous signcryption scheme
for multiple receivers secure in the standard model. In Advances in
Computer Science and Information Technology, LNCS. pp. 15–27.
Zhang, B. & Xu, Q.-L., 2010. Identity-Based Multi-Signcryption Scheme
without Random Oracles. Chinese Journal of Computers, 33(1), pp.103–
110.
Zhang, B.Z.B. & Xu, Q.X.Q., 2010. An ID-based Anonymous
Signcryption Scheme for Multiple Receivers. International Journal of
Advanced Science and Technology, 20, pp.9–24.
Zhang, J., Chen, Z. & Xu, M., 2012. On the security of ID-based multi-
receiver threshold signcryption scheme. In 2nd International
Conference Electronics, Communications and Networks (CECNet). pp.
1944 – 1948.
Zhang, J. & Gunter, C.A., 2010. Application-Aware Secure Multicast for
Power Grid Communications. IEEE International Conference on Smart
Grid Communications, 6(1), pp.40–52.
Zhang, J. & Mao, J., 2009. A novel identity-based multi-signcryption
scheme. Computer Communications, 32(1), pp.14–18.
Zheng, Y., 1998. Signcryption and its applications in efficient public key
solutions. In Information Security Workshop (ISW '97), LNCS 1396. pp. 291–
312.
Zhang, Z., Dong, Q. & Cai, M., 2004. A new publicly verifiable proxy
signcryption scheme. In Progress on Cryptography, The International
Series in Engineering and Computer Science. pp. 53–57.
Zheng, Y., 1997. Digital signcryption or how to achieve cost (signature &
encryption) << cost (signature) + cost (encryption). In Advances in
Cryptology — CRYPTO '97, LNCS 1294. pp. 165–179.
Zheng, Y. & Imai, H., 1998. How to construct efficient signcryption
schemes on elliptic curves. Information Processing Letters, 68(5),
pp.227–233.
Zhou, C., 2011. A Multi-Receiver ID-Based Generalized Signcryption
Scheme. In IACR Cryptology ePrint Archive. pp. 1–9.
Zhou, C., 2015. An Improved Multi-receiver Generalized Signcryption
Scheme. International Journal of Network Security, 17(3), pp.340–350.
Zhou, C., 2012a. Cryptanalysis and Improvement of a Multi Receiver
Generalized Signcryption Scheme. IACR Cryptology ePrint
Archive:638.
Zhou, C., 2012b. Cryptanalysis and Improvement of a Multi-Receiver
Generalized Signcryption Scheme. In IACR Cryptology ePrint Archive.
pp. 1–17.
Zhou, Y., Cao, Z. & Lu, R., 2005. Constructing Secure Warrant-Based
Proxy Signcryption Schemes. In Cryptology and Network Security,
LNCS. pp. 172–185.