Efficient Signcryption Schemes based on Hyperelliptic ...

Efficient Signcryption Schemes based on Hyperelliptic Curve Cryptosystem Nizamuddin, Shehzad Ashraf Ch., Waqas Nasar, Qaisar Javaid Department of Computer Science & Software Engineering, International Islamic University Islamabad, Pakistan [email protected], [email protected], [email protected], [email protected]

ଵ ଶ are devisor in the Jacobian group such that order of ଵ is n, find an integer k, Ͳ ൑ ൑ െ ͳ such thatଶ ൌ ଵ .

Abstract— Securing data over wireless medium got significant importance because of inherent problems of power, memory and processing constraints. Hyper elliptic curve cryptosystem (HECC) is an emerging public key cryptosystem suitable for such resource constrained environment due to its high efficiency and shorter key size, HECC can be used for digital signatures and encryption to provide confidentiality and authenticity. In this paper, we proposed a resource efficient signcryption schemes based on Hyperelliptic curve cryptosystem. Compared with existing schemes our proposed scheme can save up to 40% computational cost and a minimum of 40% of Communication Overhead.

HECC is prioritized over other cryptosystem because it can provide the same security with shorter parameters, for example in case of genus 3, the 60-bits base field of HECC provide same security as ECC’s 180-bits and RSA’s 1024bits[5-7]. HECC have efficient implementation as in case of genus 3, 60-bits parameters can be implemented with a single computer word on 64-bits operating length computer. The algorithms to solve HCDLP have exponential complexity. On the same base field high genus ሺ ൑ Ͷሻ increase the no of curve so it becomes easy to select secure curves. With the introduction of asymmetric cryptographic techniques it become possible to achieve authenticity of the message, sender uses any one of the digital signature scheme depending upon the level of security. A decade before, message encryption and digital signature have been viewed as important but distinct building blocks, a two step approach as “Signature-Then-Encryption" This approach have main drawback of high processing and communication cost. It was become possible to combine both the operations logically in a single step. This process is called Signcryption [3]. Signcryption is a logical combination of two words the signature and encryption. The signcryption word coined by Y. Zheng [3], the purpose of signcryption is to combine both operations of signature and encryption into a single operation to reduce computation and communication overhead.

Keywords- Hyperelliptic curve cryptosystem; Jacobian group; genus; Signcryption; formatting; style; styling; insert (key words)

I.

INTRODUCTION

Information security is a major issue especially on shared media as wireless media. While sending a message over an insecure channel such as internet we must need confidentiality, integrity, authenticity and non-repudiation. These are the four major security aspects or goals. In early age cryptography was mostly dedicated to message confidentiality. There are significant number of encryption algorithms broadly categorized as Symmetric and Asymmetric. Symmetric encryption techniques are faster while asymmetric encryption technique has less problem of key distribution. Public key/asymmetric cryptosystem discovered nearly three decades ago and proved to be a revaluation in the world of cryptography [1-2]. Digital signature and encryption are used to provide secure and authenticated communication. Hyperelliptic curve cryptosystem invented by N. Koblitz [4] is the natural generalization of elliptic curve cryptosystem suitable for achieving high security in resource constrained environment. HECC is based on hyper elliptic curve, it was proved as an alternative to elliptic curve with added advantage of smaller base field while providing same level of security. Security of HECC is based on “difficulty of solving discrete logarithmic problem (HCDLP)” which is stated as

II.

A. Encryption 1.

RELATED WORK

Due to its high reliability and efficiency and shorter parameters Hyperelliptic curve cryptosystem moving from academic interest to industrial application. Hyperelliptic curve cryptosystem provide the functionality of both encryption and digital signature. In [8-10] architectures for secure banking and ecommerce communication using Hyperelliptic curve encryption were proposed using HEC-ElGamal technique [9] defined as follows

Calculate ൌ and ൌ ൫ሺሻǡ ሺሻ൯

Calculate ୩ ൌ ୠ and ୩ ൌ ൫ሺሻǡ ሺሻ൯ Calculate ୫ ൌ ሺǡ ୫ ൅ ୩ ሻ or ୫ ൌ ሺሺሺሺሻǡ ሺሻሻǡ ሺሺሻǡ ሺሻሻሻ

2. 3.

Let ሾሿୣ ‫ܬ ׷‬஼ ሺ‫ܨ‬௤ ሻ ՜ ܼ௤ be a mapping function use to map Jacobian group element to integer. Table 2: Notations used in our algorithms

Decryption Extract from ୫ ൌ ሺǡ ୫ ൅ ୩ ሻ 1. Calculate Șୠ 2. Extract ୫ ൅ ୩ from ୫ 3. Calculate ୫ ൌ ୫ ൅ ୩ െ Șୠ The architecture do not use standard digital signature to provide authenticity of information. In [11] author proposed generalized equations for hyperelliptic curve digital signature algorithms (HECDSA) and shorthand digital signature which is defined in Table 1

q: A large prime number ( ൒ ʹ଼଴) C: A Hyperelliptic Curve over prime field D: A devisor of large prime order n in

ୡ ሺ ሻǡ ൒ ʹ଼଴ ୟ : Sender Alice private key ୟ ‫א‬ ሼͲǡͳǡʹǡ ǥ ǥ െ ͳሽ ୟ : Sender Alice public key ୟ ൌ ୟ ୠ : Receiver Bob private key ୠ ‫א‬ ሼͲǡͳǡʹǡ ǥ ǥ െ ͳሽ

A.

Table 1: shorthand digital signature[10] HECDSA

Signing (r, s)

Verification

HECDSS1

ൌ ሺሾሿୣ ǡ ሻ ୩ ቁ ൌቀ

ൌ ሺୟ ൅ ሻ ᇱ ൌ ሾሿୣ Check ሺ ᇱ ǡ ሻ ൌ

ሺ୰ାୢ౗ ሻ

ൌ ሺሾሿୣ ǡ ሻ ൌ൬ ൰ ሺͳ ൅ Ǥ ୟ ሻ

HECDSS2

ൌ ሺୟ ൅ ሻ ᇱ ൌ ሾሿୣ Check ሺ ᇱ ǡ ሻ ൌ

If

Proposed Schemes

We proposed two efficient signcryption schemes based on hyperelliptic curve cryptosystem which are based on the shorthand digital signature standard. The scheme works as follows Select C a hyperelliptic curve of genus ൒ ʹ defined over finite field ‫ܨ‬௤ and defined by equation 1 ଶ ൅ ሺሻ ൌ ሺሻ (1) ሺሻ ‫ א‬ሾሿ ሺሻ ൑ ሺሻ ‫ א‬ሾሿ ሺሻ ൑ ʹ ൅ ͳ Unlike points on elliptic curve, points on hyperelliptic curve do not form a group. By soliciting points on C and a special point at infinity, an Abelian group called Jacobian group ‫ܬ‬஼ ሺ‫ܨ‬௤ ሻ can be formed. The order of Jacobian group is ሺ‫ܬ‬஼ ൫‫ܨ‬௤ ൯ሻ and is always defined as ሺඥ‫ ݍ‬െ ͳሻଶ௚ ൑ ሺ‫ܬ‬஼ ൫‫ܨ‬௤ ൯ሻ ൑ ሺඥ‫ ݍ‬൅ ͳሻଶ௚ After forming Jacobian group select an element ‫ ܦ‬called devisor such that ‫ ܦ‬is the generator of the group and represented in Mumford form as ௚ିଵ ௚ ‫ ܦ‬ൌ ൫ܽሺ‫ݔ‬ሻǡ ܾሺ‫ݔ‬ሻ൯ ൌ ሺσ௜ୀ଴ ܽ௜ ‫ ݔ‬௜ ǡ σ௜ୀ଴ ܾ௜ ‫ ݔ‬௜ ሻ ‫ܬ א‬஼ ሺ‫ܨ‬௤ ሻ 3

Signcryption

Sender obtained receiver public key ୟ from certificate authority and use Signcryption ሺǡ ୠ ǡ ୟ ǡ ୟ ǡ ǡ ሻ routine to generate signcrypted text for message m. Signcryptionሺǡ ୠ ǡ ୟ ǡ ୟ ǡ ǡ ሻ 1. Select a integer ‫ א‬ሼͳǡʹǡ͵ ǥ ǥ ǥ Ǥ െ ͳሽ 2. Compute ୠ 3. Compute ሺଵ ǡ ଶ ሻ = ሺሾୠ ሿୣ ሻ 4. ൌ ୏భ ሺሻ 5. Compute ൌ ୏మ ሺȁȁ୧୬୤୭ ሻ 6. Compute {

HECDSA and HEC-ElGamal are used to provide authenticity and confidentiality in hyperelliptic curve cryptosystem these cryptosystems still having high computation cost and communication overhead, so not suitable for resource constrained environments like wireless networks, satellite communication etc., to overcome this problem we proposed signcryption schemes base HECC using HECDSS1 HECDSS2. IV.

ୠ : Receiver Bob public key ୠ ൌ ୠ ሾሿୣ : A function which map a devisor to integer value H: a one way hash function KH: Keyed hash function m: Message c: Cipher text ୩ Ȁ୩ : Symmetric Encryption / Decryption

7. 8.

HECDSS1 is used

൰ ൌ൬ ሺ ൅ ୟ ሻ If HECDSS2 is used ൰ ൌ൬ ሺͳ ൅ Ǥ ୟ ሻ } Signcrypted text for message m is ሺǡ ǡ ሻ Send signcrypted text

B. Unsigncryption Receiver wills obtained sender public key from certificate authority, by using Unsigncryptionሺǡ ୠ ǡ ୟ ǡ ୠ ǡ ǡ ǡ ሻ original message is obtained. Unsigncryptionሺǡ ୠ ǡ ୟ ǡ ୠ ǡ ǡ ǡ ሻ 1. Compute ൌ ୠ 2. Compute ሺଵ ǡ ଶ ሻ {

If HECDSS1 is used ሺଵ ǡ ଶ ሻ ൌ ሺሾୟ ൅ ሿୣ ሻ

}

If HECDSS2 is used ሺଵ ǡ ଶ ሻ ൌ ሺሾୟ ൅ ሿୣ ሻ

Compute ‫ ݎ‬ƍ ൌ ୏మ ሺȁȁ̴ሻ Compute ൌ ୏భ ሺሻ Check ൌ ‫ ݎ‬ƍ , if satisfied accept the message, otherwise reject

3. 4. 5.

propose signcryption schemes have total 3 HECDM operations, 1 operation in signcryption phase and 2 operations in unsigncryption phase. On the base of these major operations ଶுா஼஽ெ Saving in computation cost is ൌ ͶͲΨ. ହுா஼஽ெ

B. Communication cost analysis

V. SECURITY ANALYSIS OF THE PROPOSED SCHEME

As in wireless media bandwidth usage is a major issue so less communication cost is necessary. For simplification we assume that

The proposed scheme fulfils the security notions presented by Zheng [3], confidentiality, unforgeability and non repudiation.

ȁሺሻȁ ൌ ȁሺሻȁ ൌ ȁȁ,

A. Confidentiality

ܿ ᇱ ǣ ܿ ‫ ׷‬

The information is to be made confidential and get secured from unauthorized user access. The proposed scheme uses symmetric encryption technique to encrypt the message. K1 is used as encryption key. In order to find K1, an attacker needs to calculate ୠ from ୠ ൌ ୠ which is computationally infeasible (HCDLP).

ȁȁ ൌ ȁȁ

ȁܿ ᇱ ȁ ൌ ʹȁ‫ܦ‬ȁ݂݅ȁ݉ȁ ൑ ȁȁܽ݊݀ȁܿ ᇱ ȁ ൒ ʹȁ݉ȁ݂݅ȁ݉ȁ ൒ ȁ‫ܦ‬ȁ

ȁ‫ܦ‬ȁ ൌ Ͷȁȁʹ Saving in communication overhead is ൫หܿԢ ห ൅ ȁሺሻȁ ൅ ȁȁ൯ െ ሺȁȁ ൅ ȁሺሻȁ ൅ ȁȁሻ ൫หܿԢ ห ൅ ȁሺሻȁ ൅ ȁȁ൯ Saving in communication overhead depend on the choice of parameters and amount of data Minimum saving in communication overhead is ͶͲΨ.

B. Unforgeability It is computationally infeasible for an attacker to generate sender Signcrypted text. To generate sender Signcrypted text an attacker needs private key of sender as well as secret k. To find sender private key da and secret k they should solve HCDLP ୟ ൌ ୟ which are computationally infeasible.

C. Non-repudiation

VII.

It is computationally feasible for a third party to resolve dispute between sender and receiver in an event where sender denies the origination of the Signcrypted text. In our proposed schemes using zero-knowledge protocol any trusted third party can resolve the dispute between sender and receiver.

Hyperelliptic curve cryptography is on its way from pure academic interest to industrial applications. Encryption techniques, based on ECC and HECC, did not gain popularity because of its probabilistic results and creating at least double expansion of the message. To overcome this problem signcryption technique can be used to provide the functionality of both Digital signature and encryption with a significant lower cost than the existing techniques. Our proposed signcryption schemes on Hyperelliptic curve shorthand digital signature algorithm fulfill all the security parameters of signcryption. The proposed scheme reduces 40% computation cost and a minimum of 40% communication overhead compare to existing signature and encryption

D. Public verifiability The property; when sender denies his sign the recipient can prove in a secure way that just legitimate sender has signed the message. In our proposed schemes receiver can verify the signcrypted text through judge using zero-knowledge protocol.

approaches and is more suitable for m-commerce and

VI. COMMUNICATION COST ANALYSIS OF THE PROPOSED SCHEME Cost is one of the major parameters of any cryptographic technique. We presented comparative computation and communication cost analysis of the proposed schemes.

wireless media due to small key size less computation cot and communication overhead.

REFERENCES

A. Comparative computational cost analysis

C. Paul and J, Menezes, A, Vanstone “Handbook of Applied Cryptography” CRC Press, 1996. [2] W. Diffie, M. Hellman, “New directions in cryptography” IEEE Trans. Inform. Theory Vol 22 Issue 6, pp 472–492, 1976 [1]

The major and expensive operation in HECC based schemes is hyperelliptic curve devisors scalar multiplication (HECDM). Signature and encryption technique have total 5 HECDM operations, 2 HECDM operations in sign and encrypt phase and 3 HECDM operations in verify and decrypt phase. Our

CONCLUSIONS

Y, Zheng. “Digital signcryption or how to achieve cost (signature encryption)