Development of a New Elliptic Curve Cryptosystem with Factoring Problem

Problem statement: The security of elliptic curve cryptosystems is based on the elliptic curve discrete logarithm problem (ECDLP). If an attacker finds an efficient solution to ECDLP, every elliptic-curve-based system becomes insecure. Approach: To reduce this risk, we develop a new elliptic curve cryptosystem that additionally relies on one of the oldest problems in computational number theory, the integer factoring problem (FAC). Specifically, the encryption equation depends on two public keys and the decryption equation on two secret keys. Results: We show that the newly designed cryptosystem is heuristically secure against several algebraic attacks. The time complexity of encryption and decryption is 299 T_mul and 270 T_mul respectively. Conclusion: The new system provides greater security than a system based on a single hard problem, because an attacker would have to solve both hard problems simultaneously in polynomial time, which is assumed to be beyond the attacker's resources.


INTRODUCTION
Diffie and Hellman (1976) were the first to propose the idea of transmitting a secret message between two communicating parties, a sender and a receiver, over an insecure channel in the presence of attackers. Their idea, called a public-key cryptosystem, has the following properties:
• The sender first encrypts the message using the receiver's public key and sends the encrypted message to the receiver
• The receiver, who possesses the secret key, can decrypt and read the original message
• The security of the system depends on underlying hard problems in computational number theory
• Knowing only the receiver's public key, an attacker cannot read the message, since the public key gives no information about the corresponding secret key
They did not, however, give a concrete construction. The first realization was developed by Rivest et al. (1978) and is called the RSA cryptosystem after the surnames of its inventors. The security of RSA is based on the hardness of the factoring problem (FAC): informally, if an attacker can solve FAC, the system is no longer secure. With proper selection of parameters, no one has been able to break RSA. Rabin (1979) designed a cryptosystem whose decryption computes square roots modulo n; he showed that recovering the plaintext in his system is as hard as finding the prime divisors of n, i.e., as hard as FAC, whereas the related quadratic residuosity problem (RES) has no proven equivalence with FAC. Six years later, Elgamal (1985) proposed a cryptosystem based on the discrete logarithm problem (DLP). Later, Koblitz (1987) and Miller (1986) independently proposed the use of elliptic curves in cryptosystems; their security rests on the elliptic curve discrete logarithm problem (ECDLP). Such systems are more efficient than the earlier ones, since a 160-bit main parameter gives security comparable to much larger RSA or DLP moduli. Many systems of this kind have since been developed (Menezes, 1993; Rabah, 2005).
One common feature of these schemes is that their security is based on a single hard problem. If an attacker one day solves that problem, the system is no longer secure. To overcome this disadvantage, many designers have proposed cryptosystems based on two hard problems (Baocang and Yupu, 2005; Elkamchouchi et al., 2004; Harn, 1994; Ismail and Hijazi, 2011). If the attacker finds a solution to one of the problems, the system stays secure as long as the other problem remains hard; the design assumes that solving both problems simultaneously is infeasible. In this study we develop a new cryptosystem based on two hard problems, ECDLP and FAC. A desirable system with two hard problems should meet the following criteria: (1) the system uses only one pair of public and private keys; (2) each user uses a common arithmetic modulus; and (3) the system uses the two best-studied hard mathematical problems as its security base. Our system satisfies the last two criteria.

MATERIALS AND METHODS
An elliptic curve in its general (Weierstrass) form is given by:
y^2 + axy + by = x^3 + cx^2 + dx + e
where a, b, c, d and e are constants (real numbers in the classical setting). Together with a point at infinity, denoted ∞, the points of the curve carry an addition operation. Now suppose that q is a 160-bit prime, so the field F_q has characteristic neither two nor three; the curve equation then simplifies to the short Weierstrass form and we obtain the elliptic group E(F_q) over the Galois field F_q defined by:
E(F_q) = {(x, y) ∈ F_q × F_q : y^2 ≡ x^3 + ax + b (mod q)} ∪ {∞}
The coefficients a, b are non-negative integers less than q satisfying 4a^3 + 27b^2 ≢ 0 (mod q). This condition guarantees that the cubic x^3 + ax + b has no repeated roots, i.e., the curve is non-singular.
The laws for elliptic curve addition over E(F_q) are as follows:
• If three points of the curve lie on a straight line, their sum is the point at infinity ∞. The point ∞ is the identity, so Q + ∞ = Q for every Q, and the negative of Q = (r, s) is −Q = (r, −s mod q), with Q + (−Q) = ∞
• Suppose that Q = (r, s) and N = (t, u) are two points of E(F_q) other than ∞. If r = t and Q ≠ N (so that N = −Q), then Q + N = ∞. Otherwise Q + N = (e, f), where e = µ^2 − r − t (mod q) and f = µ(r − e) − s (mod q), and µ = (u − s)/(t − r) (mod q) if r ≠ t (the chord case) or µ = (3r^2 + a)/(2s) (mod q) if Q = N and s ≠ 0 (the tangent case; if Q = N and s = 0 then 2Q = ∞)
• If k is a positive integer greater than 1, kQ = Q + Q + … + Q (k terms) is computed in E(F_q), in practice by double-and-add rather than by k − 1 successive additions
If Q is a point on the curve and m is the smallest positive integer satisfying mQ = ∞, then Q has order m; a point of large prime order is chosen as the base point of E(F_q). See Washington (2003) for a thorough treatment of elliptic curves and their application in cryptography. We now define the two hard problems on which the new system relies.
Definition 1 (ECDLP): Let Q and N be two points in E(F_q), where q is a 160-bit prime and N is a multiple of Q. Find a positive integer k satisfying kQ = N.
Definition 2 (FAC): Let n = rs be a large composite integer, where r and s are two distinct 512-bit strong primes (so n is about 1024 bits long). Find r and s. (Finding either prime yields the other by division. The primes r, s should not be confused with the point coordinates (r, s) used above.)

RESULTS
We propose a new cryptosystem based on the FAC and ECDLP problems. The scheme consists of three phases:
• Initialization
• Encryption
• Decryption
with two communicating parties, a sender and a receiver. In the Initialization phase, the receiver first selects and computes all required parameters and moduli for the system; two pairs of public and private keys for the receiver are then calculated. The public keys are published in an open public-key directory while the private keys are kept secret by the receiver. In the Encryption phase, the sender encrypts the original message using the receiver's public keys and a one-time secret number of the sender's own, and delivers the resulting ciphertext to the receiver. In the Decryption phase, the receiver recovers the original message from the ciphertext using his own private keys. Without these private keys the message cannot be recovered, under the hardness assumptions analysed below. We now describe each phase.
Initialization: The receiver generates his or her public and private keys as follows:
• Select a 160-bit prime q; this prime determines the field F_q
• Choose two elements a and b of F_q with 4a^3 + 27b^2 ≢ 0 (mod q). These coefficients define the elliptic curve y^2 = x^3 + ax + b (mod q) over F_q. Let E(F_q) denote the group of all points on this curve and #E(F_q) its order
• Pick a base point G of large prime order m, so that mG = ∞
• Choose two strong primes r and s (Gordon, 1984) and compute the modulus n = rs. This modulus determines the multiplicative group Z_n^* = {z : 1 ≤ z < n, gcd(z, n) = 1}
• Compute Euler's totient function φ(n) = (r − 1)(s − 1)
• Select an integer e with 1 < e < φ(n) and gcd(e, φ(n)) = 1, and an integer f with 1 ≤ f < m
• Compute d = e^(−1) mod φ(n) and Z = fG = (f_1, f_2)
The public keys of the system are (Z, n, e) and are placed in the open directory, while the private keys are (r, s, d, f) and are kept secret by the receiver. One must confirm that the group order #E(F_q) is divisible by a sufficiently large prime, which the choice of a prime-order base point G enforces, in order to resist the Pohlig-Hellman attack (Pohlig and Hellman, 1978) and Pollard's rho attack, whose costs depend on the largest prime factor of the order of G. Maximum resistance is obtained when #E(F_q) is prime or almost prime (a large prime times a small cofactor).

Encryption:
To encrypt a message m (an integer with 0 ≤ m < n; here m denotes the message, not the order of G), the sender does the following:
• Choose at random a one-time secret integer p smaller than the order of G
• Calculate T = pZ = (r_1, r_2) and K = pG
• Compute s_1 = m − f_1 r_1 (mod n), where f_1 is the x-coordinate of the public key Z
• Calculate c = s_1^e mod n
• Send (c, K) to the receiver
Decryption: To decrypt the received ciphertext (c, K), the receiver does the following:
• Compute R = fK = (r_1, r_2)
• Calculate L = c^d mod n, which equals s_1
• Recover m = s_1 + f_1 r_1 (mod n)
The three algorithms above complete the newly developed cryptosystem based on two hard problems. We now discuss the system according to the following criteria:
• Exactness of the new cryptosystem
• Security analysis
• Efficiency performance
To validate the design, we prove that the decryption equation always holds for any ciphertext (c, K) produced by Encryption.

Exactness:
We validate our new scheme by proving the following theorem.
Theorem: If the first two algorithms, Initialization and Encryption, are executed correctly, then the Decryption algorithm recovers the encrypted message.

Proof:
The decrypting equation holds for every ciphertext (c, K) by the following steps:
• R = fK = f(pG) = p(fG) = pZ = (r_1, r_2), so the receiver obtains the same r_1 that the sender used
• L = c^d = s_1^(ed) = s_1 mod n, since ed ≡ 1 (mod φ(n))
Knowing r_1 and s_1, together with f_1 from the public key Z, the receiver recovers the original message: s_1 + f_1 r_1 = (m − f_1 r_1) + f_1 r_1 = m (mod n).
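The three phases and the exactness theorem above, run end to end on a toy instance, as an added example that is not the authors' code. The curve y^2 = x^3 + 2x + 2 over F_17 (19 points, so every base point has prime order), the RSA modulus 61·53 = 3233, the exponent e = 17 and the key values f = 5 and p = 7 are constructed for illustration only and give no security. demo() returns the decrypted message, which equals the input, together with the value s_1 = c^d that an attacker who has factored n would obtain (Attack 2 in the security analysis below); that value still differs from the message by the masking term f_1 r_1, which requires the point fK = pZ.

```python
# Added example (not the authors' code): a toy, deterministic instance of the scheme
# above. The parameters are constructed for illustration and give no security.
from math import gcd

INF = None  # the point at infinity, written ∞ in the text

class Curve:
    def __init__(self, q, a, b):
        if (4 * a ** 3 + 27 * b ** 2) % q == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod q)")
        self.q, self.a, self.b = q, a, b

    def add(self, Q, N):
        """Chord-and-tangent addition on y^2 = x^3 + ax + b over F_q (q > 3)."""
        q = self.q
        if Q is INF or N is INF:
            return N if Q is INF else Q
        (r, s), (t, u) = Q, N
        if r == t and (s + u) % q == 0:   # N = -Q; also covers doubling when s = 0
            return INF
        if Q == N:                         # tangent: mu = (3r^2 + a) / 2s
            mu = (3 * r * r + self.a) * pow(2 * s, -1, q) % q
        else:                              # chord:   mu = (u - s) / (t - r)
            mu = (u - s) * pow(t - r, -1, q) % q
        e = (mu * mu - r - t) % q
        f = (mu * (r - e) - s) % q
        return (e, f)

    def mul(self, k, Q):
        """kQ by double-and-add rather than k - 1 successive additions."""
        R = INF
        while k:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def points(self):  # all affine points by brute force; #E(F_q) = len(points()) + 1
        return [(x, y) for x in range(self.q) for y in range(self.q)
                if (y * y - (x ** 3 + self.a * x + self.b)) % self.q == 0]

    def order(self, Q):  # smallest m > 0 with mQ = INF (brute force, fine for toy q)
        k, R = 1, Q
        while R is not INF:
            R, k = self.add(R, Q), k + 1
        return k

def is_prime(n):
    return n > 1 and all(n % p for p in range(2, int(n ** 0.5) + 1))

def initialization(curve, G, prime_r, prime_s, e, f):
    """Receiver's keys: public (Z, n, e), private (r, s, d, f)."""
    m = curve.order(G)                      # the Pohlig-Hellman / Pollard-rho check
    if not is_prime(m) or not 1 <= f < m:
        raise ValueError("need a prime-order base point and 1 <= f < m")
    n, phi = prime_r * prime_s, (prime_r - 1) * (prime_s - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    pub = {"G": G, "m": m, "Z": curve.mul(f, G), "n": n, "e": e}
    priv = {"r": prime_r, "s": prime_s, "d": pow(e, -1, phi), "f": f}
    return pub, priv

def encrypt(curve, pub, msg, p):
    """Sender: p is the one-time secret, 1 <= p < m; msg is an integer < n."""
    if not (1 <= p < pub["m"] and 0 <= msg < pub["n"]):
        raise ValueError("need 1 <= p < m and 0 <= msg < n")
    r1, _ = curve.mul(p, pub["Z"])          # T = pZ = (r1, r2)
    K = curve.mul(p, pub["G"])              # K = pG
    f1, _ = pub["Z"]                        # Z = fG = (f1, f2) is public
    s1 = (msg - f1 * r1) % pub["n"]
    return pow(s1, pub["e"], pub["n"]), K   # c = s1^e mod n

def decrypt(curve, pub, priv, c, K):
    """Receiver: R = fK gives r1, L = c^d gives s1, then m = s1 + f1 r1 (mod n)."""
    r1, _ = curve.mul(priv["f"], K)         # fK = f(pG) = p(fG) = pZ
    s1 = pow(c, priv["d"], pub["n"])
    f1, _ = pub["Z"]
    return (s1 + f1 * r1) % pub["n"]

def attack2_factoring_only(pub, prime_r, prime_s, c):
    """Attack 2: the factors of n give d and hence s1, but m stays masked by f1 * r1."""
    d = pow(pub["e"], -1, (prime_r - 1) * (prime_s - 1))
    return pow(c, d, pub["n"])

# Constructed toy parameters: y^2 = x^3 + 2x + 2 over F_17 has 19 points, so every
# point other than INF has prime order 19; the RSA modulus is n = 61 * 53 = 3233.
CURVE = Curve(17, 2, 2)
G = CURVE.points()[0]                       # (0, 6)

def demo(msg=1234, p=7):
    pub, priv = initialization(CURVE, G, 61, 53, e=17, f=5)
    c, K = encrypt(CURVE, pub, msg, p)
    return {"pub": pub, "c": c, "K": K,
            "recovered": decrypt(CURVE, pub, priv, c, K),
            "s1_from_factoring": attack2_factoring_only(pub, 61, 53, c)}
```

With these parameters Z = 5G = (10, 11), K = 7G = (13, 10) and fK = pZ = 35G = 16G = (6, 14), so the masking term is f_1 r_1 = 10 · 6 = 60 and s_1 = 1234 − 60 = 1174; decryption returns 1234. The order check in initialization() is the one the Initialization phase asks for: with a composite-order base point the scalars f and p would be exposed to Pohlig-Hellman.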
Security analysis: We analyse our system heuristically, by considering the cryptographic attacks an adversary could mount against it. For each attack we give its definition and the corresponding analysis of why it would fail.

Attack 1:
The attacker tries to obtain the private keys of the system or to manipulate the system parameters.
In this attack the attacker needs to solve ed ≡ 1 (mod φ(n)) for d and Z = fG for f. The first requires φ(n), hence the factorisation of n; the second is an instance of ECDLP. Both are hard by assumption. Lenstra et al. (1993) developed a general-purpose method (the number field sieve) for factoring a modulus n = rs, but its running time grows with the size of n, so n must be chosen large enough. Díaz and Masqué (2005) note that, to increase the security of the scheme and to avoid attacks using special-purpose factorisation algorithms, strong primes should be selected in the Initialization phase.
Attack 2: Suppose that the attacker manages to solve the factoring problem. He then knows φ(n) and hence the secret d, and from the intercepted (c, K) computes s_1 = c^d mod n. He learns the original message m = s_1 + f_1 r_1 (mod n) only if he also knows r_1.
However, r_1 is the x-coordinate of R = fK = pZ, where f is the secret from Z = fG and p is the sender's one-time secret. Computing pZ from the public values G, Z and K = pG is the elliptic curve Diffie-Hellman problem, and the known route to it is to recover f from (G, Z) or p from (G, K), i.e., to solve ECDLP, for which no polynomial-time algorithm is known.
Attack 3: Suppose that the attacker can solve the elliptic curve discrete logarithm problem. He thus obtains the secret f from Z = fG, and from (c, K) computes R = fK = (r_1, r_2). He can recover the original message m = s_1 + f_1 r_1 (mod n) only if he also knows s_1. However, s_1 is obtained as L = c^d = s_1 mod n, and finding d from ed ≡ 1 (mod φ(n)) requires φ(n), i.e., the factorisation of n, for which no polynomial-time algorithm is known.
Attack 4: Assume that the attacker collects two ciphertexts (c_1, K_1) and (c_2, K_2), encrypting messages m_1 and m_2. These ciphertexts correspond to the equations:
s_11 + f_1 r_11 ≡ m_1 (mod n), and s_12 + f_1 r_12 ≡ m_2 (mod n)
where f_1 is the x-coordinate of the public key Z, and s_1i and r_1i denote the values s_1 and r_1 used in the i-th encryption. These two equations have six unknowns, so the attacker cannot obtain m_1 and m_2. Even if Attack 2 were solvable, so that the attacker knew s_11 and s_12, the system would still have four unknowns and infinitely many solutions for m_1 and m_2. The case where Attack 3 is assumed solvable goes similarly.
Efficiency performance: We measure the efficiency of our system in terms of the number of keys used, the computational overhead and the communication cost of each algorithm, encryption and decryption. We use the following notation:
• SK and PK denote the number of private and public keys respectively
• T_exp is the time complexity of a modular exponentiation
• T_mul is the time complexity of a modular multiplication
• T_ec-mul is the time complexity of a scalar multiplication of an elliptic curve point
• T_ec-add is the time complexity of an addition of two elliptic curve points
• T_hash is the time complexity of a hash function evaluation
• |x| denotes the bit length of x
We assume that the time complexity of modular addition or subtraction is negligible, and that each bit of a scalar is 0 or 1 with probability 0.5 (which fixes the expected number of point additions in double-and-add). The time complexity of Encryption is 2 T_ec-mul + T_mul + T_exp (the scalar multiplications pZ and pG, the product f_1 r_1 and the exponentiation s_1^e), and that of Decryption is T_ec-mul + T_exp + T_mul (fK, c^d and f_1 r_1). The communication cost of the system is 4|n|. Using the conversions T_exp = 240 T_mul, T_ec-mul = 29 T_mul and T_ec-add = 0.12 T_mul given by Koblitz et al. (2000), Encryption costs 2 × 29 + 1 + 240 = 299 T_mul and Decryption 29 + 240 + 1 = 270 T_mul. The summary of efficiency performance is given in Table 1.

DISCUSSION
So far, the security of most cryptosystems has been based on a single hard problem, such as the discrete logarithm, residuosity, factoring, elliptic curve discrete logarithm or knapsack problems. These systems are no longer secure once a solution to their hard problem is found, so designing a cryptosystem based on two hard problems is a good alternative. The only way for an attacker to break such a system is to solve both problems simultaneously, which is considered infeasible. If the attacker manages to solve one of the hard problems, the system remains secure as long as the other remains hard. The new system is shown to resist the common cryptographic attacks considered above.

CONCLUSION
We designed a new cryptosystem based on two hard problems, the elliptic curve discrete logarithm and factoring problems. The developed system requires only 299 T_mul and 270 T_mul for Encryption and Decryption respectively. Several possible algebraic attacks have been analysed, and the scheme is heuristically secure against them.