Cryptography is widely used to send highly sensitive information securely. As technology evolves, security facilities must be strengthened accordingly. Hybrid encryption is used to send the secret key securely. Elliptic curve cryptography is an attractive choice for achieving the same level of security service with a much smaller key size. In this paper, a new signcryption scheme based on elliptic curves is introduced that efficiently combines the functionalities of digital signature and key encryption. It provides confidentiality, authentication, integrity, unforgeability, non-repudiation, forward secrecy and public verification. Forward secrecy means that if the private key of the sender is compromised, no one should be able to extract any information about past messages. Public verification means that any third party can directly verify the sender's signature on the original message without the receiver's private key.
Keywords - Hybrid system, digital signature, signcryption, authentication, confidentiality, forward secrecy, public verification.
Encryption means conversion of messages from a comprehensible form into an incomprehensible one and back again at the other end, rendering it unreadable by interceptors or eavesdroppers without secret knowledge (namely the key needed for decryption of that message). The sequence of data processing steps required for the transformation of the plaintext into cipher text is called message encryption. Various parameters used by an encryption algorithm are derived from a secret key. We have a number of encryption algorithms. DES or AES can be used for message encryption. We can also use the RSA encryption algorithm for simplicity.
A digital signature is used to authenticate a message, providing assurance that the message was sent by the authorized user. A hash function produces a hash value that depends on the message. That hash value is then encrypted with the sender's private key. The message is sent to the receiver together with the digital signature.
In cryptography, public-key cryptosystems are very convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely. However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. A hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem.
A hybrid cryptosystem can be constructed using any two separate cryptosystems:
Key encapsulation scheme, which is a public-key cryptosystem, and
Data encapsulation scheme, which is a symmetric-key cryptosystem.
For very long messages the bulk of the work in encryption/decryption is done by the more efficient symmetric-key scheme, while the inefficient public-key scheme is used only to encrypt/decrypt a short key value.
Elliptic curve cryptography
Elliptic curve cryptography (ECC) is a form of public key cryptography. The mathematical operations of ECC are defined over the elliptic curve y^2 = x^3 + ax + b, where 4a^3 + 27b^2 ≠ 0. Each choice of 'a' and 'b' gives a different elliptic curve. All points (x, y) which satisfy the above equation, plus a point at infinity, lie on the elliptic curve. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key with the generator point G on the curve. The generator point G, the curve parameters 'a' and 'b', together with a few more constants constitute the domain parameters of ECC. One main advantage of ECC is its small key size. A 160-bit key in ECC is considered to be as secure as a 1024-bit key in RSA.
Discrete logarithm problem
The security of ECC depends on the difficulty of Elliptic Curve Discrete Logarithm Problem. Let P and Q be two points on an elliptic curve such that kP = Q, where k is a scalar. Given P and Q, it is computationally infeasible to obtain k, if k is sufficiently large. k is the discrete logarithm of Q to the base P.
Hence the main operation involved in ECC is point multiplication, i.e. multiplication of a scalar k with any point P on the curve to obtain another point Q on the curve.
In point multiplication, a point P on the elliptic curve is multiplied with a scalar k using the elliptic curve equation to obtain another point Q on the same elliptic curve, i.e. kP = Q.
Point multiplication is achieved by two basic elliptic curve operations:
Point addition, adding two points P and Q to obtain another point R, i.e. R = P + Q.
Point doubling, adding a point P to itself to obtain another point Q, i.e. Q = 2P.
Here is a simple example of point multiplication.
If k = 23 then kP = 23.P = 2(2(2(2P) + P) + P) + P.
Thus point multiplication uses point addition and point doubling repeatedly to find the result. The above method is called the 'double and add' method for point multiplication. There are other efficient methods for point multiplication such as the NAF (Non-Adjacent Form) and wNAF (windowed NAF) methods.
Message security and sender authentication for communication over an open channel is a basic and important technology of the Internet. To keep a message confidential and unforged, the sender uses a digital signature algorithm with his private key to sign the message, and encrypts the message and digital signature with a symmetric encryption algorithm using a randomly chosen secret key. The sender uses a public key encryption algorithm with the receiver's public key to encrypt this secret key as an envelope. Then, the sender sends the envelope and cipher text to the receiver. After receiving the cipher text and envelope, the receiver uses his private key to decrypt the envelope to get the secret key, and decrypts the cipher text with this secret key to get the plain text and signature. Finally, the recipient verifies the message based on this signature. This method is named signature-then-encryption.
The main disadvantage of this approach is that digitally signing a message and then encrypting it consumes more machine cycles and bloats the message by introducing extended bits to it. Likewise, decrypting and verifying the message at the receiver's end uses up a lot of computational power. Thus the cost of delivering a message using signature-then-encryption is in effect the sum of the costs of both digital signatures and public key encryption.
Zheng introduced a new cryptographic primitive called signcryption for secured and authenticated message delivery, which fulfills all the functions of digital signature and encryption, but with a far smaller cost than that required by the current standard signature-then-encryption methods. Security of the signcryption schemes has been proven and extensions of the schemes to multiple recipients have been carried out. These signcryption schemes have been based on ElGamal signature and encryption. We have not been successful in searching for a signcryption scheme employing RSA or other public key cryptosystems. Therefore it remains a challenging open problem to design signcryption schemes based on factorization or other computationally hard problems.
Bao and Deng modified Zheng's first scheme so that the receiver's private key is no longer needed in signature verification. The computational cost of the modified scheme is higher than that of Zheng's scheme but lower than that of the signature-then-encryption approach.
Bao and Deng enhanced Zheng's signcryption scheme such that the judge can verify the signature without the receiver's private key. But a key exchange protocol is required in the process of verification. Gamage et al. modified Zheng's signcryption scheme so that anyone can verify the signature of the cipher text. Their scheme only verifies the cipher text, to protect the confidentiality of the message in firewall applications. Then Zheng and Imai suggested an ECC based signcryption scheme providing all the basic security features, with a cost less than that required by signature-then-encryption. They chose ECC because elliptic curve based solutions are usually based on the difficulty of ECDLP. As it is based on an elliptic curve cryptosystem, the key size used is smaller compared to the other schemes, which is one of the advantages of this scheme, but it still does not provide forward secrecy.
The disadvantage of the above scheme is that it doesn't support forward secrecy and encrypted message authentication. From the above Zheng and Imai scheme we can see that if Alice inattentively divulged her private key da, then an adversary can get information about the past messages. Now let us discuss the Hwang et al. signcryption scheme based on an elliptic curve cryptosystem, which provides forward secrecy.
The Hwang scheme satisfies all the security attributes. It involves 2 elliptic curve point multiplications in the signcryption phase and 3 elliptic curve point multiplications in the unsigncryption phase. It provides public verification without the receiver's private key. But on the receiver side, all computations depend only on the receiver's private key; when that private key is compromised, confidentiality, integrity and unforgeability are also compromised.
In the signcryption phase, the sender Alice signs and encrypts a message. Then she sends the signcrypted text to the recipient Bob. In the unsigncryption phase, the receiver Bob derives the secret key to decrypt the plain text. He also verifies the signature. In the judge verification phase, a judge decides whether the sender Alice sent the signcrypted message or not when a dispute occurs. Our proposed scheme has the following four phases.
In this phase, some public parameters are generated.
The steps are as follows:
p - a large prime number, where p is greater than 2^160.
a, b - two integer elements which are smaller than p and satisfy the following condition:
4a^3 + 27b^2 mod p ≠ 0
Let F be the selected elliptic curve over the finite field of order p:
y^2 = x^3 + ax + b mod p,
G - a base point of elliptic curve F with order n,
O - the point of F at infinity,
n - the order of point G, where n is a prime, n.G = O and n ≥ 2^160. (The symbol "." denotes elliptic curve point multiplication.)
H - a one-way hash function,
Ek(c)/Dk(c) - symmetric encryption/decryption algorithm with private key k such as DES or AES.
The sender Alice randomly selects an integer da as her private key, with da ≤ n-1. She computes her public key Ua = da.G. The receiver Bob also selects a private key db and computes his public key Ub = db.G in the same way as Alice. They need to get a certificate for their public keys from the certificate authority (CA).
Assume that Alice wants to send a message m to Bob. Alice generates digital signature (R, s) of message m and uses the symmetric encryption algorithm and secret key k to encrypt m. Let c be the cipher text. Alice generates the signcrypted text (c, R, s) in the following steps.
Step 1: Verifies Bob's public key Ub by using his certificate.
Step 2: Randomly selects an integer r, where r < n.
Step 3: Computes k1 = H(rG).
Step 4: Computes (k2, k3) = H(rUb).
Step 5: Uses the symmetric encryption algorithm to generate cipher text c = Ek2(m), where the secret k2 is generated in Step 4.
Step 6: Uses the one-way keyed hash function to generate h = KHk3(c||k1||IDA||IDB), where IDA and IDB are the identifications given by the certificate authority (CA).
Step 7: Computes s = (r/(h + da)) mod p.
Step 8: Computes R = hG.
Step 9: Sends the signcrypted text (c, R, s) to Bob.
Bob receives the signcrypted text (c, R, s). He decrypts the cipher text c by performing the symmetric decryption algorithm with secret key k. He also verifies the signature. Bob gets the plain text as follows.
Step 1: Verifies Alice's public key Ua by using her certificate.
Step 2: Computes k1 = H(sR + sUa).
Step 3: Computes (k2,k3) = H(dbsR + dbsUa).
Step 4: Uses the one-way keyed hash function to generate h = KHk3(c||k1||IDA||IDB), where IDA and IDB are the identifications given by the certification authority (CA).
Step 5: Uses a symmetric decryption algorithm to generate plain text m = Dk2(c), where the secret key k2 is computed in Step 3.
Step 6: Bob accepts the message 'm' only when hG = R. Otherwise he rejects.
Verification of the signcrypted message by a judge.
Step 1: Compute k1 = hash(sR + sUa).
Step 2: Compute h = KHk2(c||k1||IDA||IDB).
Step 3: Accepts the message 'm' only when hG = R.
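The signcryption and unsigncryption steps above, built on the double-and-add point multiplication described earlier, as an added Python example that is not part of the original essay. It assumes secp256k1 as the curve, SHA-256/SHA-512 for H, HMAC-SHA256 for KH and a SHAKE-256 keystream in place of DES or AES, and it reduces s modulo the group order n so that sR + sUa = rG holds; certificate checks are omitted and all function names are illustrative.

```python
import hashlib, hmac, secrets
# Assumption: secp256k1 (a = 0, b = 7) stands in for the page's (p, a, b, G, n).
P, A = 2**256 - 2**32 - 977, 0
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # point addition and doubling; None is the point at infinity O
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # left-to-right double-and-add, as in 23P = 2(2(2(2P) + P) + P) + P
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1": acc = add(acc, pt)
    return acc

def H(pt, fn=hashlib.sha256):  # hash of a point's fixed-width encoding
    return fn(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")).digest()
def keys(pt):  # (k2, k3) = H(point): one SHA-512 digest split in two
    d = H(pt, hashlib.sha512)
    return d[:32], d[32:]
def xor(key, data):  # assumption: SHAKE-256 keystream replaces E_k / D_k (DES or AES)
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))
def kh(k3, c, k1, ida, idb):  # h = KH_k3(c || k1 || IDA || IDB) mapped to a scalar
    mac = hmac.new(k3, c + k1 + ida + idb, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N

def signcrypt(m, da, Ub, ida, idb, r=None):
    r = r or secrets.randbelow(N - 1) + 1
    k1, (k2, k3) = H(mul(r, G)), keys(mul(r, Ub))
    c = xor(k2, m)
    h = kh(k3, c, k1, ida, idb)
    s = r * pow(h + da, -1, N) % N  # reduced modulo the group order n
    return c, mul(h, G), s

def unsigncrypt(c, R, s, db, Ua, ida, idb):
    T = mul(s, add(R, Ua))  # sR + sUa = s(h + da)G = rG
    if T is None: return None  # degenerate R: reject
    k1, (k2, k3) = H(T), keys(mul(db, T))  # db(rG) = rUb
    h = kh(k3, c, k1, ida, idb)
    return xor(k2, c) if mul(h, G) == R else None
```

The concatenation c || k1 || IDA || IDB is unframed here, as on the page; an implementation meant for real use would length-prefix the fields and check that R is a valid curve point before using it.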
SECURITY FUNCTIONS OF THIS SCHEME
Table 4.1 indicates the security features supported by existing signcryption schemes along with the proposed scheme. The proof is based on the fact that it is almost intractable to solve the elliptic curve discrete logarithmic problem (ECDLP). We should choose the parameters in such a way that it will become infeasible for an eavesdropper to solve ECDLP.
To be secure, the information needs to be hidden from unauthorized access. To achieve this we must make the data non-intelligible to the interceptor/eavesdropper. This is called confidentiality. In this discussion let us consider Eve as the attacker/eavesdropper. In the schemes, if Eve wants to derive the key k then he has to solve ECDLP. Suppose he has got hash (m) and he knows the seed value of the curve i.e. G which is public to all. Then it is quite infeasible for Eve to solve it.
In the proposed scheme, the receiver and the judge can use the sender's public key Ua with its certificate to authenticate the validity of the sender. When the receiver has decrypted the cipher text c to get the plain text m, he can use the formula hG = R to authenticate the correctness of the received message. If the equation holds, the receiver is sure that the received message was not modified in the transmission process. Therefore, the proposed scheme provides authentication of the sender's identity and of the transmitted message.
In our proposed scheme, the recipient can verify whether the received message is the original one that was sent by the sender. In the signcryption phase, the sender computes and sends (c, R, s) to the recipient. If the attacker changes the cipher text c to c' then by the property of Random Oracle Model it is infeasible to obtain two messages which give the same digest.
Dishonest Bob is the most powerful attacker to forge a signcrypted message, because he is the only person who knows the private key db which is required to directly verify a signcryption from Alice. Given a signcrypted text (c, R, s), Bob can use his private key db to decrypt the cipher text c and obtain (m, R, s). As we know, ECDSA is unforgeable against adaptive attack. Hence it is unforgeable.
Table 4.1: Comparison based on security properties. Schemes compared: Zheng and Imai; Bao and Deng; Gamage et al.; Jung et al.
The target of non-repudiation is to prevent Alice from denying the signcryption she sent. Unforgeability implies non-repudiation if there is no duplication of the signcrypted message. If the signcrypted text is forgeable, Alice will have the opportunity to deny. When a dispute occurs between sender and receiver, the receiver can send the signcrypted message to the judge to settle whether the original message M was sent by the intended sender or not. The judge then runs the verification algorithm and takes the necessary action.
An adversary that obtains da will not be able to decrypt past messages. Previously recorded values of (c, R, s) that were obtained before the compromise cannot be decrypted because the adversary that has da will need to calculate h to decrypt. Calculating h requires solving the ECDLP on R, which is computationally infeasible.
Verification requires knowing only Alice's public key. All public keys are assumed to be available to all system users through a certification authority or a public directory.
This paper introduces elliptic curve based signcryption schemes for secure and authenticated message delivery, which fulfill all the functions of digital signature and encryption with a cost less than that required by the current standard signature-then-encryption method. The Zheng and Imai scheme discussed is the most efficient signcryption scheme based on ECC. But the drawback of that scheme is that it does not provide forward secrecy. So it is necessary to provide forward secrecy. There are a few schemes which can provide forward secrecy, but their computational cost and communication overhead are higher. The cost of the proposed scheme is comparatively lower than that of other schemes in terms of computational and communication overhead. ECC has been used for the implementation of our algorithm because of the unique property of ECDLP, which is significantly more difficult than either the IFP or DLP. The proposed scheme will save more computational cost for the sender, to suit applications on restricted computational devices such as smart card based applications, mobile devices, etc.