Signcryption based on elliptic curve cryptosystems

1 Ajay Rana, 2 Kanika Singhal, 3 Shweta Rathour
1 Student, SOIT, Centre for Development of Advanced Computing (CDAC), B-30, Sec-62, Noida-201307, U.P. (India), ajay.scott@gmail.com
2,3 Lecturer, ITS Group of Institutions, Greater Noida, kanikasinghal28@gmail.com

Abstract— An efficient signcryption scheme based on elliptic curve cryptography (ECC) is discussed in this paper. It performs both digital signature and message encryption logically in a single step, more efficiently than the traditional signature-then-encryption technique. The main benefit of this scheme is that it uses the elliptic curve for encrypting the message instead of using a separate symmetric cipher. The main operation involved in ECC, i.e. point addition, is used for encryption, which is safe and efficient from a transmission point of view. The proposed signcryption scheme is based on elliptic curves over finite fields and uses a one-way hash function for signature generation. In addition to the major security aspects, the scheme also provides public verification, i.e. when a dispute occurs any third party can directly verify the signature of the sender of the original message without the sender's private key. The scheme can be applied to devices with lower computational power, such as mobile devices and smart-card-based applications, due to its lower computational cost.

Keywords— Signcryption, public key cryptography, Elliptic curve, digital signature, hash function.

I. INTRODUCTION

Information is an asset that has a value like any other asset. As an asset, information needs to be secured from attacks. While sending a message to a person over an insecure channel such as the internet we must provide confidentiality, integrity, authenticity and non-repudiation [1]. These are the four major security aspects [2] or goals.

The word cryptography is made from the two Greek words 'krypto', which means 'hidden', and 'grafo', which means 'to write' [10]. It implies how to make what you write obscure, unintelligible to everyone except those with whom you want to communicate.

Until the 1970s cryptography was based on symmetric encryption. But the mid 1970s was a crucial phase in cryptography, as two major breakthroughs were achieved. The first was the invention of the Data Encryption Standard (DES). DES is a 64 bit symmetric block cipher, i.e. it takes a block of 64 bits of plain text and returns a 64 bit block of cipher text. A symmetric algorithm is one in which the same key is used for the encrypt and decrypt operations. Later on, in 2001, DES was officially replaced by the Advanced Encryption Standard (AES), which has a 128 bit block size.

The second was the publication of the paper 'New Directions in Cryptography' in 1976 by Whitfield Diffie and Martin Hellman [9]. This paper introduced a specific method of exchanging cryptographic keys known as Diffie-Hellman key exchange. This method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. The article also stimulated the birth of a new class of enciphering algorithms, the asymmetric key algorithms [10].

In contrast to symmetric key algorithms, asymmetric key encryption uses a pair of mathematically related keys, each of which decrypts the encryption performed using the other. By designating one key of the pair as private and the other as public, no secure channel is needed for key exchange. Public key cryptography is used to solve various problems that symmetric key algorithms cannot. In particular, it can be used to provide privacy and non-repudiation.

II. LITERATURE REVIEW

SIGNCRYPTION

The term 'signcryption' was coined by Yuliang Zheng in 1997.
A signcryption scheme is a cryptographic method that performs two distinct operations (signature and encryption) simultaneously. In public key schemes, the traditional method is to digitally sign a message and then encrypt it, named signature-then-encryption. A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender such that they cannot deny sending it (authentication and non-repudiation).

Various signcryption schemes [1-7] have been introduced throughout the years. The first signcryption scheme was introduced by Yuliang Zheng. In the signcryption scheme introduced by Zheng, the sender uses the receiver's public key to derive a secret key for symmetric encryption. After the receiver receives the cipher text and digital signature, he uses his private key to derive the same secret key. Zheng [2] introduced another signcryption scheme that is based on elliptic curves, which saves about 58% of the computational cost and about 40% of the communication cost compared with the signature-then-encryption scheme based on elliptic curves.

The analysis of Jung et al. [3] showed that Zheng's [1] scheme does not provide the forward secrecy property: message confidentiality is lost when the sender's private key is disclosed. They also introduced a new signcryption scheme based on the discrete logarithm problem with forward secrecy. Bao and Deng [4] enhanced Zheng's [1] signcryption scheme so that the judge can verify the authenticity of the signature without the need of the recipient's private key. Gamage et al. [5] modified Zheng's [1] signcryption scheme such that anyone can verify the signature of the cipher text. Their scheme is capable of verifying the signature without disclosing the content of the original message.
Mohsen Toorani and Ali Asghar Beheshti Shirazi proposed an Elliptic Curve-based Signcryption Scheme with an additional Forward Secrecy property [8]. Laura Savu [10] describes a new signcryption method which is based on the Schnorr digital signature algorithm, as well as various signcryption schemes that already exist.

In many applications, both confidentiality and authenticity are needed together. Such applications include secure email (S/MIME), secure shell (SSH), and secure web browsing (HTTPS). More recently, the importance of signcryption in real-world applications has gained appreciation by experts in data security. A global standard for data protection has been developed by the International Organization for Standardization (ISO), named ISO/IEC 29150, Information technology – Security techniques – Signcryption [11]. The current version of the standard (ISO/IEC 29150:2011) contains four efficient signcryption mechanisms:

1. Discrete logarithm based signcryption mechanism (DLSC)
2. Discrete logarithm on elliptic curves based signcryption mechanism (ECDLSC)
3. Integer factorization based signcryption mechanism (IFSC)
4. Encrypt-then-sign based signcryption mechanism (EtS)

Any signcryption scheme should have the following properties:

1. Correctness: Any signcryption scheme should be correctly verifiable.
2. Efficiency: The computational costs and communication overheads of a signcryption scheme should be smaller than those of the best known signature-then-encryption schemes with the same provided functionalities.
3. Security: A signcryption scheme should simultaneously fulfill the security attributes of an encryption scheme and those of a digital signature. Such additional properties mainly include:

Confidentiality means that only the intended recipient of a signcrypted message should be able to read its contents.

Integrity means that only the intended or authenticated user can modify the content of the message.
Unforgeability implies that there should not be two signcrypted messages which give the same plain text. Otherwise an adaptive attacker can create an authentic signcrypted text that can be accepted by the unsigncryption algorithm.

Authenticity means that the recipient of a signcrypted message can verify the sender's identity. It is not possible for an attacker to send a message claiming to be someone else.

Non-repudiation means that the sender of a message cannot later deny having sent the message. That is, the recipient of a message can prove to a third party that the sender indeed sent the message. Signature schemes always provide non-repudiation, since anyone can verify a signature using only the sender's public key.

ELLIPTIC CURVE CRYPTOGRAPHY

In 1985 Neal Koblitz [14] and Victor Miller [13] from the University of Washington proposed a new public key cryptosystem, namely elliptic curve cryptography (ECC). They found that the discrete logarithm on elliptic curves over finite fields appeared to be intractable, and hence ElGamal encryption and signature schemes defined on finite fields have natural counterparts on these curves.

The definition of an elliptic curve is: 'An elliptic curve E over the field F is a smooth curve in the so called "long Weierstrass form" $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$, $a_i \in F$. We let E(F) denote the set of points $(x, y) \in F^2$ that satisfy this equation, along with a "point at infinity" denoted O.'

Elliptic Curve Cryptography (ECC) is a form of public key cryptography. In public key cryptography each user or device taking part in the communication generally has a pair of keys, a public key and a private key, and a set of operations associated with the keys to perform the cryptographic operations. Elliptic curve cryptosystems do not introduce new cryptographic algorithms, but they implement existing public-key algorithms using elliptic curves.
The mathematical operations of ECC are defined over the elliptic curve $y^2 = x^3 + ax + b$, where $4a^3 + 27b^2 \neq 0$. Each value of the coefficients 'a' and 'b' gives a different elliptic curve. All points (x, y) which satisfy the above equation, plus a point at infinity, lie on the elliptic curve. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key with the generator point G on the curve. The generator point G, the curve parameters 'a' and 'b', together with a few more constants, constitute the domain parameters of ECC.

For the purpose of implementing an elliptic curve accurately and more efficiently, elliptic curve cryptography is defined over two finite fields:

• Prime field $F_p$ and
• Binary field $F_{2^m}$

The prime field is easy to implement on software platforms, whereas the binary field is easy to implement from a hardware point of view.

III. PROPOSED APPROACH

Signcryption is a cryptographic scheme that protects confidentiality and authenticity, seamlessly and simultaneously. For example, when you log in to your online bank account, signcryption prevents your username and password from being seen by unauthorized individuals. At the same time, it confirms your identity for the bank.

Proposed is a signcryption scheme where the elliptic curve is used for encryption instead of a symmetric cipher, and a traditional signature scheme is utilised.

Symbols and notations

mod      modulo operator
×        elliptic curve point multiplication
(x, y)   x and y coordinates of a point on the elliptic curve
║        concatenation
=        equality
H()      one-way hash function
a < b    'a' can take any random value less than 'b'

The proposed scheme consists of three algorithms: Initialization, Signcryption and Unsigncryption.

Initialization

In this phase we select and define the domain parameters used in the signcryption scheme. They are as follows:

p      a large prime number, where $p > 2^{160}$.
a, b   two integer elements which are smaller than p and satisfy $4a^3 + 27b^2 \bmod p \neq 0$.
Ep     the selected elliptic curve over the finite field p: $y^2 = x^3 + ax + b \bmod p$.
G      a base point of the elliptic curve Ep with order n.
O      the point of Ep at infinity.
n      the order of point G, where n is a prime, n × G = O and $n > 2^{160}$.
H      a one-way hash function.

Each user randomly generates a pair of private and public keys.

The sender A randomly selects an integer as his private key and then computes his public key:
private key of sender: Xa < n
public key of sender: Ya = Xa×G

The receiver B also selects an integer as his private key and then computes his public key:
private key of receiver: Xb < n
public key of receiver: Yb = Xb×G

Signcryption

Signcryption is generally a probabilistic algorithm. Assume that A wants to send a message M of arbitrary length to B. A generates the signcrypted text in the following steps:

Step 1 Randomly selects an integer r, where r < n.
Step 2 Computes U = r×G = (r1, r2).
Step 3 Computes V = r×Yb.
Step 4 Calculates C = [U, (M+V)]. This algorithm generates a pair of encrypted points.
Step 5 Uses the one-way hash function to generate h = H(M║r1), where r1 is generated in Step 2.
Step 6 Computes s = Xa − h·r mod n.
Step 7 Sends the signcrypted text (C, U, s) to Bob.

Unsigncryption

Unsigncryption is most likely to be a deterministic algorithm. B receives the signcrypted text (C, U, s). He decrypts the cipher text C using his private key.

C = [U, (M+V)]
C = [(r×G), (M + r×Yb)]

The x coordinate of C is multiplied by the receiver's private key:

C = [(r×G) Xb, (M + r×Yb)]

But Xb×G = Yb, so

C = [(r×Yb), (M + r×Yb)]

Subtracting the x coordinate from the y coordinate we get the message M:

(M + r×Yb) – (r×Yb) = M

The plain text is retrieved from the cipher text.

For signature verification we follow these steps:

Step 1 Using M and r1 (x coordinate of R) compute h = H(M║r1).
Step 2 Verifies whether s×G + h×R is equal to Xa or not. If it is true, then accept that M is the correct plain text sent by Alice; otherwise reject M.

Judge verification

If for some reason we need a trusted third party such as a judge to decide whether the sender A has sent the message M to recipient B, then the judge performs the signature verification steps and can verify whether A has actually sent the message or not. The sender cannot deny having sent the message because of judge verification.

IV. SECURITY ANALYSIS

The main advantage of ECC over RSA and DSA is that the best algorithm known for solving the fundamental hard mathematical problem in ECC, the elliptic curve discrete logarithm problem (ECDLP), takes full exponential time, while RSA and DSA take sub-exponential time. This means that considerably smaller parameters can be used in ECC than in other systems such as RSA and DSA, but with comparable levels of security. ECC can present equal security with substantially smaller key sizes. The benefits of a smaller key size are lower power consumption, as well as memory and bandwidth savings.

Figure 1 given below compares the time that is required to solve a problem based on ECC and a problem based on the integer factorization problem (IFP) or DLP. Here the time is measured in MIPS years. As a standard, it is generally accepted that $10^{12}$ MIPS years represents reasonable security at this time. MIPS year: the computing time of one year on a machine capable of performing one million instructions per second. In the figure, the times required to solve RSA and DSA are grouped together because the asymptotic running time for both is the same. To achieve reasonable security, RSA and DSA should employ 1024-bit moduli, while a 160-bit modulus should be sufficient for ECC. Moreover, the security gap between the systems increases dramatically as the modulus sizes increase.

Fig. 1

Most of the security functions are justified on the basis of two problems: the Elliptic Curve Discrete Logarithm Problem (ECDLP) and the Elliptic Curve Diffie–Hellman Problem (ECDHP). Up to now both of these problems are hard.

(The Elliptic Curve Discrete Logarithm Problem) Let P and Q be two points of an elliptic curve with order n, where n is a prime. The point Q = k × P, where k < n. Given these two points P and Q, find the correct k. Up to now, it is computationally infeasible to generate k from P and Q.

(The Elliptic Curve Diffie–Hellman Problem) Let G be a point of an elliptic curve with a prime order n, and P = c × G and Q = d × G. Given the two points P and Q without c and d, find another point K = c ∙ d × G. Like ECDLP, ECDHP is a computationally infeasible problem [12].

The number of dominant operations involved in a signcryption scheme adds up to the computational cost of the scheme. In our approach, on the sender's part there are 2 elliptic curve point multiplications, 1 elliptic curve point addition, 1 modular multiplication, 1 modular addition and 1 hash function. The computational complexity and communication overhead of algorithms that are based on the discrete logarithm problem (DLP) are less as compared to other schemes.

Computational cost of various schemes:

Scheme                 Entity  ECPM  ECPA  EXP  DIV  MUL  ADD  HASH
Zheng, 1997            A       -     -     1    1    -    1    2
                       B       -     -     2    -    2    -    2
Zheng and Imai, 1998   A       1     -     -    1    1    1    2
                       B       2     1     -    -    2    1    2
Bao and Deng, 1998     A       -     -     2    1    -    1    3
                       B       -     -     3    -    1    -    3
Gamage et al., 1999    A       -     -     2    1    -    1    2
                       B       -     -     3    -    1    -    2
H.Y. Jung, 2001        A       -     -     2    1    -    1    2
                       B       -     -     3    -    1    -    2
R.J. Hwang, 2005       A       2     -     -    -    1    1    1
                       B       3     1     -    -    -    -    1
Our scheme             A       2     1     -    -    1    1    1
                       B       3     2     -    -    -    -    1

Table 1

Abbreviations:
ECPM   the number of elliptic curve point multiplication operations.
ECPA   the number of elliptic curve point addition operations.
EXP    the number of modular exponentiation operations.
DIV    the number of modular division (inverse) operations.
MUL    the number of modular multiplication operations.
ADD    the number of modular addition operations.
HASH   the number of one-way or keyed one-way hash function operations.
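The signcryption, unsigncryption and signature (judge) verification steps of Section III, with the sender-side operations counted in Table 1, as an added example that is not code from the paper. Assumptions: the secp256k1 parameters and SHA-256 stand in for the curve and hash H that the paper leaves unspecified, M is a constructed curve point hashed as its two coordinates, and verification Step 2 is checked against the public key Ya = Xa×G, because s×G + h×U = Xa×G.

```python
import hashlib, secrets

# Assumed domain parameters: secp256k1 (the paper names no curve, only p, n > 2^160).
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None  # point at infinity

def valid(pt):  # finite point with reduced coordinates that satisfies the curve equation
    return (pt is not O and all(0 <= v < P for v in pt)
            and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0)

def add(p1, p2):  # elliptic curve point addition (ECPA)
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # point multiplication k x pt (ECPM), double-and-add, not constant time
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(m_pt, r1):
    """h = H(M || r1) with SHA-256; encoding M as its two coordinates is an assumption."""
    data = b"".join(v.to_bytes(32, "big") for v in (*m_pt, r1))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1      # private key X < n
    return x, mul(x, G)                   # public key Y = X x G

def signcrypt(m_pt, xa, yb):
    r = secrets.randbelow(N - 1) + 1      # Step 1: random r < n
    u = mul(r, G)                         # Step 2: U = r x G = (r1, r2)   (ECPM)
    v = mul(r, yb)                        # Step 3: V = r x Yb             (ECPM)
    c = add(m_pt, v)                      # Step 4: M + V, C = [U, M + V]  (ECPA)
    h = H(m_pt, u[0])                     # Step 5: h = H(M || r1)         (HASH)
    s = (xa - h * r) % N                  # Step 6: s = Xa - h.r mod n     (MUL, ADD)
    return c, u, s                        # Step 7: signcrypted text

def verify(m_pt, u, s, ya):
    """Signature / judge check from public values only: s x G + h x U == Ya."""
    return (valid(m_pt) and valid(u)
            and add(mul(s % N, G), mul(H(m_pt, u[0]), u)) == ya)

def unsigncrypt(c, u, s, xb, ya):
    if not (valid(c) and valid(u)):       # reject points that are not on the curve
        raise ValueError("invalid point")
    vx, vy = mul(xb, u)                   # Xb x U = r x Yb = V
    m_pt = add(c, (vx, -vy % P))          # (M + V) - V = M
    if not verify(m_pt, u, s, ya):
        raise ValueError("signature check failed")
    return m_pt
```

`verify` takes no private key, which is the public verifiability property; the third party does need the recovered point M to run it.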
Security Attributes

The security functions provided by the proposed scheme are:

• Message confidentiality
• Integrity
• Unforgeability
• Non-repudiation
• Public verifiability
• Forward secrecy of message confidentiality: This property can be maintained by frequently changing the ECC generating parameters.

Comparison based on security attributes:

Schemes                                    MC   I    U    NR        PV
Zheng, 1997                                Yes  Yes  Yes  Directly  No
Zheng and Imai, 1998                       Yes  Yes  Yes  Directly  No
Bao and Deng, 1998                         Yes  Yes  Yes  Another   Yes
Gamage et al., 1999                        Yes  Yes  Yes  Directly  Yes
H.Y. Jung, 2001                            Yes  Yes  Yes  Another   No
R.J. Hwang, 2005                           Yes  Yes  Yes  Directly  Yes
M. Toorani & A.A. Beheshti Shirazi, 2010   Yes  Yes  Yes  Directly  Yes
Our scheme                                 Yes  Yes  Yes  Directly  Yes

where,
MC   Message confidentiality
I    Integrity
U    Unforgeability
NR   Non-repudiation
PV   Public verifiability

V. CONCLUSION

In this paper we have discussed a signcryption scheme which achieves all the major security goals of cryptography. It also has the attribute of public verifiability, so any third party can verify the signature without any need for the private keys of the participants. ECC has been used because of its unique property of the ECDLP (elliptic curve discrete logarithm problem), which is significantly more complicated than either the IFP (integer factorization problem) or the DLP. The key point of the proposed scheme is that it uses only the elliptic curve for encrypting the message, and message transmission is in the form of a point P(m) embedded in the elliptic curve. Since no symmetric key algorithm is used, the proposed approach is less complex and saves on communication overhead.

VI. REFERENCES

[1] Y. Zheng, "Digital signcryption or how to achieve Cost (Signature & Encryption) << Cost (Signature) + Cost (Encryption)", Advances in Cryptology – CRYPTO'97, LNCS 1294, Springer-Verlag, 1997, pp. 165-179.
[2] Y. Zheng and H. Imai, "How to construct efficient signcryption schemes on elliptic curves", Information Processing Letters, Elsevier Inc., 1998, Vol. 68, pp. 227-233.
[3] H.Y. Jung, K.S. Chang, D.H. Lee, and J.I. Lim, "Signcryption schemes with forward secrecy", Proceeding of Information Security Application-WISA 2001, pp. 403-475.
[4] F. Bao and R.H. Deng, "A signcryption scheme with signature directly verifiable by public key", Advances in Cryptology – PKC'98, LNCS 1431, Springer-Verlag, 1998, pp. 55-59.
[5] C. Gamage, J. Leiwo, and Y. Zheng, "Encrypted message authentication by firewalls", International Workshop on Practice and Theory in Public Key Cryptography (PKC-99), LNCS 1560, Springer-Verlag, March 1999, pp. 69-81.
[6] Y. Han, X. Yang, and Y. Hu, "Signcryption Based on Elliptic Curve and Its Multi-Party Schemes", 3rd ACM International Conference on Information Security (InfoSecu'04), pp. 216-217.
[7] R.-J. Hwang, C.-H. Lai, and F.-F. Su, "An efficient signcryption scheme with forward secrecy based on elliptic curve", Journal of Applied Mathematics and Computation, Elsevier, 2005, Vol. 167, No. 2, pp. 870-881.
[8] M. Toorani, "Cryptanalysis of an Elliptic Curve-based Signcryption Scheme", International Journal of Network Security, Jan. 2010, Vol. 10, No. 1, pp. 51–56.
[9] Whitfield Diffie, Martin Hellman, "New Directions in Cryptography".
[10] Laura Savu, "Combining Public Key Encryption with Schnorr Digital Signature", Journal of Software Engineering and Applications, 2012, 5, pp. 102-108.
[11] International Organization for Standardization, "IT Security Techniques – Signcryption", ISO/IEC 29150, 2011.
[12] Certicom Research, Standards for efficient cryptography, SEC 1: elliptic curve cryptography, Standards for efficient cryptography group (SECG), September 20, 2000.
[13] V. Miller, Use of elliptic curves in cryptography, CRYPTO 85, 1985.
[14] N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation 48, 1987, pp. 203–209.