Public Verifiable Signcryption Schemes with Forward Secrecy Based on Hyperelliptic Curve Cryptosystem

Shehzad Ashraf Ch, Nizamuddin, and Muhammad Sher
Department of Computer Science, International Islamic University, Islamabad, Pakistan
{shahzad,m.sher}@iiu.edu.pk
Abstract. Signcryption is a process that combines encryption and signature into a single logical step. Traditional signcryption schemes provide message confidentiality and sender authentication, but sender authentication can only be provided after unsigncryption of the signcrypted text, so a third party can only verify the sender after breaching the confidentiality. In public verifiable signcryption schemes a third party or judge can verify the authenticity of the sender without breaching the confidentiality and without knowing the receiver's private key; the judge needs only the signcrypted text and some additional parameters. In this paper, we propose resource efficient signcryption schemes based on the hyperelliptic curve cryptosystem that provide message confidentiality, authentication, integrity, unforgeability and non-repudiation, along with forward secrecy and public verifiability. In case of dispute the judge can verify the signcrypted text directly, without the sender's or receiver's private parameters. Our schemes are resource efficient and can be applied in any resource constrained environment.

Keywords: Hyperelliptic curve cryptosystem, Jacobian group, genus, Signcryption, Public Verifiability, Forward Secrecy.
1 Introduction
One of the main interests of information security on shared media such as wireless is to transmit information in a confidential and authentic manner [19]. The two distinct operations of encryption and digital signature were combined into a single operation, named signcryption, by Y. Zheng [3], which opened new dimensions of research. Forward secrecy and public verifiability are needed along with signcryption: forward secrecy implies that even if the private key is compromised, the session key is not affected, and a scheme is said to be public verifiable if a third party can verify the authenticity of a message without revealing the secret information. In this paper we first review signcryption schemes based on elliptic curves and hyperelliptic curves; then two signcryption schemes based on hyperelliptic curves are proposed, with the added features of forward secrecy and public verifiability. We have analysed and compared the efficiency of our proposed schemes with the schemes proposed by Hwang [5], Toorani [6] and Mohapatra [7]. The efficiency of our proposed algorithms is evident from these results.

S. Dua et al. (Eds.): ICISTM 2012, CCIS 285, pp. 135–142, 2012. © Springer-Verlag Berlin Heidelberg 2012
2 Related Work
Y. Zheng [3] proposed the first signcryption scheme, which combines the encryption and signature operations into a single unit named signcryption and reduces the computation and communication overhead of separate and distinct encryption and signature schemes. Y. Zheng [4] proposed the first signcryption scheme based on elliptic curve cryptography. The scheme of [4] uses a small key size to provide security equivalent to the ElGamal and RSA cryptosystems, which makes it attractive for resource constrained environments. The proposed scheme reduces the computation cost by up to 58% and the communication cost by up to 40% when compared with signature-then-encryption schemes based on elliptic curve cryptography. The scheme is not public verifiable and there is no proof of forward secrecy. Hwang et al. [5] proposed a public verifiable and forward secure signcryption scheme based on ECC: the confidentiality of the information is sustained even if the sender's private key is disclosed. A trusted third party can verify the plaintext using (m, r, s). The scheme has a lower computational cost on the sender side, so it is more suitable for mobile devices. However, verification is possible only after breaching the confidentiality of the message. Toorani et al. [6] proposed a signcryption scheme based on elliptic curves to decrease the computation and communication cost. The proposed scheme also provides public verifiability and forward secrecy, so it is suitable for store/forward applications and resource-constrained devices. In the verification phase, however, the session key is provided to the judge, which is a serious threat to confidentiality. The hyperelliptic curve is moving from academia to real time industrial applications, as it provides the same security while using much smaller base fields [16]. In [12-14] the authors proposed security schemes for banking and e-commerce applications using hyperelliptic curve encryption and the HEC-ElGamal technique [9]. These schemes do not provide authenticity of messages.
In [15] the authors proposed generalized equations for digital signature algorithms defined over hyperelliptic curves (HECDSA). In [16] the author proposed signcryption schemes based on HECC; these schemes are resource efficient and remove a significant amount of the high computation and communication costs of signature-then-encryption techniques. The schemes of [16] are not public verifiable and provide no forward secrecy. Nizam et al. [17] proposed signcryption schemes based on HECC with forward secrecy; these schemes need a zero knowledge protocol for public verifiability and there is no direct verifiability.
3 Proposed Schemes
We have used the hyperelliptic curve cryptosystem in two proposed signcryption schemes; these schemes are based on the shorthand digital signature standard. The schemes work as follows.
Let C be a hyperelliptic curve of genus g ≥ 2 defined over the finite field F_q by equation (1):

$$y^2 + h(x)\,y = f(x) \bmod q \qquad (1)$$

where h(x) ∈ F_q[x] is a polynomial with deg h(x) ≤ g and f(x) ∈ F_q[x] is a monic polynomial with deg f(x) ≤ 2g+1. First the Jacobian group J_C(F_q) is formed; then a divisor D is selected, where D is the generator of the group and its Mumford form is

$$D = (a(x), b(x)) = \Big(\sum_{i=0}^{g} a_i x^i,\ \sum_{i=0}^{g-1} b_i x^i\Big) \in J_C(F_q) \qquad (2)$$
Let φ: J_C(F_q) → Z_q be a function which maps a Jacobian group element to an integer. Let D be a divisor of order n. Let da and Pa be the private and public key of the sender, and db and Pb the private and public key of the receiver; h denotes a hash function, and E_K / D_K denote symmetric encryption / decryption under key K.

3.1 Signcryption

The sender performs signcryption by obtaining the receiver's public key Pb from the certificate authority and using the routine Signcryption(k, Pb, Pa, da, m) to compute the signcrypted text.

3.1.1 Scheme One

Signcryption(k, Pb, Pa, da, m)
  Select an integer k ∈ {1, 2, 3, ..., n-1} randomly
  Compute the scalar multiplication kPb of Bob's (the receiver's) public key
  Compute K1 = h(φ(kD))
  Compute K2 = h(φ(kPb))
  Compute c = E_K2(m)
  Compute r = h_K1(c || bind_info)
  Compute s = (k / (r + da)) mod n
  Compute R = rD
  Transmit the signcrypted text (c, R, s)

3.1.2 Scheme Two

Signcryption(k, Pb, Pa, da, h, m)
  Select an integer k ∈ {1, 2, 3, ..., n-1} randomly
  Compute the scalar multiplication kPb of Bob's (the receiver's) public key
  Compute K1 = h(φ(s^-1 (Pa + R)))
  Compute K2 = h(φ(s^-1 (db (Pa + R))))
  Compute c = E_K2(m)
  Compute r = h_K1(c || bind_info)
  Compute s = k^-1 (da + r) mod n
  Compute R = rD
  Transmit the signcrypted text (c, R, s)

3.2 Unsigncryption

Bob receives the signcrypted text; to obtain the plaintext and verify it, the routine Unsigncryption(k, Pb, Pa, db, h, c, R, s) is used.

3.2.1 Scheme One

Unsigncryption(Pb, Pa, db, h, c, R, s)
  Compute (K1, K2):
    K1 = h(φ(s (Pa + R)))
    K2 = h(φ(s (db (Pa + R))))
  Compute r = h_K1(c || bind_info)
  Compute m = D_K2(c)
  Check rD = R; if true accept the message, otherwise reject

3.2.2 Scheme Two

Unsigncryption(Pb, Pa, db, h, c, R, s)
  Compute (K1, K2):
    K1 = h(φ(s^-1 (Pa + R)))
    K2 = h(φ(s^-1 (db (Pa + R))))
  Compute r = h_K1(c || bind_info)
  Compute m = D_K2(c)
  Check rD = R; if true accept the message, otherwise reject
4 Security Analysis

The proposed schemes fulfil the security notions presented by Zheng [3], namely confidentiality, unforgeability and non-repudiation, and additionally provide forward secrecy and direct public verifiability.

4.1 Confidentiality

The use of symmetric encryption (AES) ensures the confidentiality of the message. The private key used for encryption is K1; K1 can be calculated by finding db from Pb = dbD, which is infeasible as it is the hyperelliptic curve discrete log problem (HECDLP).

4.2 Unforgeability

An attacker needs k and the private key of the sender to generate a legitimate signcrypted text; finding da and k from the equation Pa = daD is infeasible (HECDLP).

4.3 Non-repudiation

In our proposed schemes any trusted third party can resolve a dispute between sender and receiver.

4.4 Forward Secrecy

Forward secrecy implies that even if the private key is compromised, the session key is not affected. In our proposed schemes, an adversary who obtains da also needs r in order to calculate the session key k, which is a computationally hard problem.

4.5 Public Verifiability

In the proposed schemes, if the sender denies the transmission of the signcrypted text, a judge can verify the signature without revealing the contents of the message.

4.6 Judge Verification

In case of a dispute between sender and receiver, the judge resolves it as follows: the judge asks Bob to provide (c, Pa, s, R) and performs the following steps to settle the receiver's claim.

4.6.1 Verification Phase of Scheme One
  Compute K1 = h(φ(s (Pa + R)))
  Compute r = h_K1(c || bind_info)
  Check rD = R; if satisfied the signcrypted text is valid, otherwise not

4.6.2 Verification Phase of Scheme Two
  Compute K1 = h(φ(s^-1 (Pa + R)))
  Compute r = h_K1(c || bind_info)
  Check rD = R; if satisfied the signcrypted text is valid, otherwise not
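As an added illustration of the signcryption, unsigncryption and judge verification steps of Scheme One (example code written for this edit, not from the paper), the scheme is instantiated over a constructed toy group, the order-2039 subgroup of Z_4079^*, in place of the hyperelliptic Jacobian: divisor addition becomes multiplication mod 4079, kD becomes D^k, φ is the identity, h_K1 is HMAC-SHA-256 and E_K2 is a SHA-256 keystream standing in for AES. The names mul, add, h, h_keyed, sym, keygen, signcrypt, unsigncrypt and judge_verify are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (an assumption for this example, not the paper's curve):
# the order-N subgroup of Z_P^*, P = 2N+1 a safe prime. Divisor addition becomes
# multiplication mod P, kD becomes D^k mod P, phi is the identity. Toy sizes only.
P, N, D = 4079, 2039, 4

def mul(k, elem):                # scalar multiplication kD
    return pow(elem, k, P)

def add(x, y):                   # divisor addition x + y
    return x * y % P

def h(elem):                     # h(phi(elem)), a plain hash of the group element
    return hashlib.sha256(elem.to_bytes(2, "big")).digest()

def h_keyed(key, data):          # h_K1(c || bind_info), reduced into Z_n
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big") % N

def sym(key, data):              # stand-in for E_K2 / D_K2 (the paper uses AES)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def keygen():                    # private d, public dD
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, D)

def signcrypt(da, Pb, m, bind_info):          # Scheme One, sender side
    while True:
        k = secrets.randbelow(N - 1) + 1
        K1, K2 = h(mul(k, D)), h(mul(k, Pb))
        c = sym(K2, m)
        r = h_keyed(K1, c + bind_info)
        if (r + da) % N:         # r + da must be invertible mod n, else pick a new k
            s = k * pow(r + da, -1, N) % N    # s = k / (r + da) mod n
            return c, mul(r, D), s            # signcrypted text (c, R, s)

def unsigncrypt(db, Pa, c, R, s, bind_info):  # Scheme One, receiver side
    kD = mul(s, add(Pa, R))      # s(Pa + R) = s(da + r)D = kD
    K1, K2 = h(kD), h(mul(db, kD))            # db(kD) = kPb: needs the receiver key
    r = h_keyed(K1, c + bind_info)
    return sym(K2, c) if mul(r, D) == R else None

def judge_verify(Pa, c, R, s, bind_info):     # public data only; K2 is never derived
    K1 = h(mul(s, add(Pa, R)))
    return mul(h_keyed(K1, c + bind_info), D) == R
```

judge_verify recovers only K1, never db or K2, which is why the paper's judge can check rD = R without breaching confidentiality. A tampered c changes r and makes that check fail; in a group of order 2039 the failure is only overwhelmingly likely rather than certain, which is one reason real parameters are far larger.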
5 Cost Analysis

One of the major concerns for a cryptosystem in resource constrained environments is cost. The cost can be further bifurcated into computation cost and communication cost; the proposed schemes are analysed with respect to both aspects.
5.1 Comparative Computational Cost Analysis

The most expensive operations in the existing and proposed signcryption schemes are elliptic curve point multiplication (ECPM) and hyperelliptic curve divisor scalar multiplication (HECDM). The comparative computational cost analysis is based on these most expensive operations. The computation time of one scalar multiplication is 4.24 ms for ECPM and 2.2 ms for HECDM on a PC with an Intel Core 2 Duo CPU [email protected] with 4GB RAM and the Windows Vista operating system, using JDK 1.6 [14].

Fig. 1. Computational cost analysis

5.2 Comparative Communication Cost Analysis

The communication overhead is one of the major issues, and communication cost analysis is of great importance. The communication cost of the signature and encryption technique is given in eq. (3):

$$|c'| + |H(u)| + |n| \qquad (3)$$

The communication cost of our proposed signcryption schemes is shown in eq. (4):

$$|c| + |D| + |n| \qquad (4)$$

The generalized formula for the communication overhead reduction is shown in eq. (5):

$$\frac{(|c'| + |H(u)| + |n|) - (|c| + |D| + |n|)}{|c'| + |H(u)| + |n|} \qquad (5)$$

The overhead reduction depends on the choice of parameters and the amount of data. The proposed schemes reduce the communication overhead by 30-49%.
6 Conclusion

Traditional asymmetric cryptosystems are infeasible for resource constrained environments, while the hyperelliptic curve cryptosystem, owing to its small base field, has proved its worth as a replacement for traditional asymmetric cryptosystems: it provides confidentiality, unforgeability, non-repudiation, forward secrecy and public verifiability while utilizing few resources. However, hyperelliptic curve encryption doubles the size of the message and its results are probabilistic; signcryption schemes can overcome this problem by providing a significant reduction in cost. Our proposed public verifiable signcryption schemes defined over hyperelliptic curve cryptography fulfil all the security requirements of signcryption and in addition provide forward secrecy and public verifiability. In case of dispute, a judge or any third party can verify the signcrypted text without disclosing secret parameters. The proposed schemes reduce the communication overhead by 30 to 49% as compared to existing signature and encryption approaches, which makes them more suitable for all resource constrained environments.
References

1. Paul, C., Menezes, J., Vanstone, A.: Handbook of Applied Cryptography. CRC Press (1996)
2. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inform. Theory 22(6), 472–492 (1976)
3. Zheng, Y.: Digital Signcryption or How to Achieve Cost (Signature & Encryption)