A CAE Scheme Using ECC Based Self Certified PKC

The Convertible Authenticated Encryption (CAE) scheme allows the signer to generate an authentic ciphertext signature, which can be recovered and validated by a specific recipient only. In case of any dispute, the recipient is able to convert the ciphertext signature into an ordinary signature that can be validated publicly. CAE schemes are used for the transmission of confidential information over insecure networks, because they provide confidentiality, authenticity and integrity for the transmitted message. We propose a new CAE scheme by integrating the concepts of ECC-based self-certified public keys and an encryption scheme. The security analysis shows that the proposed CAE scheme fulfills the basic security conditions, namely indistinguishability of the ciphertext signature, unforgeability and non-repudiation. The performance analysis shows that our proposed CAE scheme has a slight advantage over the Wu and Lin scheme regarding computational complexity and timings.


Introduction
The public key cryptosystem (PKC) was introduced with its cryptographic security relying on the intractability of the Discrete Logarithm Problem (DLP). In this system, every participant computes a public key corresponding to his secret key. This system is not safe, because an adversary can attack it by substituting a forged public key. To avoid such attacks, a certificate-based approach is used, in which a Certifying Authority (CA) generates a certificate and authenticates the public key of each user. This approach is costly due to the additional communication and computation costs. Shamir (1984) introduced Identity-based (ID-based) PKC. In this approach every user's public key is his public identity, so no extra effort is needed to check certificates. In the ID-based approach the private key of a user is derived by the Private Key Generator (PKG). No one has a valid secret key without the secret trapdoor value from the PKG. One of the negative aspects of this approach is that the PKG can masquerade as a legal user without being detected, because it controls the secret key of each user. To eliminate the weaknesses of the previous approaches, Girault (1991) proposed a novel system for public keys, known as the Self-Certified Public Key (SCPK) system. In the SCPK system, public key validation and signature validation can be done in a single step, which cuts down both the computation and the communication cost. The SCPK approach is cheaper and more efficient than the certificate-based and identity-based approaches. Koblitz (1987) and Miller (1985) independently introduced the Elliptic Curve Cryptosystem (ECC). The significant difference from other traditional PKCs is that much shorter keys provide similar security. This allows faster execution of the algorithms and reduces the bandwidth requirement. ECC is useful in situations where storage space and computational power are limited. Tsaur (2005) presented an effective ECC-based SCPK cryptosystem.
The presented cryptosystem combines the merits of ID-based SCPK and ECC.
The confidentiality of the transmitted message in any electronic communication or transaction is very crucial. At the same time it is also important that the message is received by the designated receiver only: no other entity should be able to recover the original message and check the genuineness of the signature attached to it. Horster et al. (1994) introduced the concept of the Authenticated Encryption (AE) scheme, which encrypts and authenticates a message simultaneously in a very efficient manner. One of the drawbacks of their scheme is the lack of non-repudiation, because the message recipient is not able to prove that the message he received was sent by the specified user. Zheng (1997) gave a new method for AE called signcryption. In his approach the parties involved (message signer, message receiver and third party) interact more than in Horster et al. (1994), and in this way the problem of non-repudiation is removed. This method of Zheng (1997) is somewhat costly regarding both computational and communication cost. Petersen and Michels (1998) found a lack of confidentiality in the scheme of Zheng (1997) and proposed an improved scheme. He and Wu (1999) showed that the scheme of Petersen and Michels (1998) fails to satisfy the unforgeability property and improved their scheme further. Araki et al. (1999) presented a signature scheme equipped with convertibility, which differs from the usual AE. In their scheme the process of signature conversion requires some extra information from the actual signer, so the approach does not succeed if the signer is unwilling to co-operate. Wu and Hsu (2003) proposed an efficient CAE scheme in which the conversion procedure is very easy and can be managed solely by the recipient, without any heavy computation.
Huang and Chang (2003) pointed out that the Wu and Hsu (2003) scheme is not safe, since an adversary who knows the actual message is capable of signature conversion, and proposed an improved scheme. Unfortunately, Wang et al. (2004) showed that the scheme given by Huang and Chang (2003) is also insecure against a known plaintext attack: they analyzed that a new ciphertext can be decrypted by an adversary who knows some previous valid ciphertexts. Lv et al. (2005) found security weaknesses in the Wu and Hsu (2003) and Huang and Chang (2003) schemes and presented better schemes based on SCPK. Shao (2006) realized a weakness of the Lv et al. (2005) scheme and then put forward a new scheme. Wu and Lin (2008) presented a new ECC-based CAE scheme using SCPK. The next year Lee et al. (2009) presented a new CAE scheme based on the ElGamal cryptosystem, but Lin et al. (2011) demonstrated that their scheme fails to resist the chosen plaintext attack and presented a better variant with provable security. In recent years, further variants of CAE schemes (Hsu and Lin, 2014; Huang et al., 2015; Lin, 2015; Liu et al., 2015; Wu et al., 2013), based on different assumptions and mathematical problems, have been proposed by researchers.
In this study we use the merits of ECC-based SCPK to design a new CAE scheme. The rest of the paper is structured as follows: the next section covers the prerequisite mathematical background; our proposed CAE scheme is given in section 3; the security and performance of the proposed scheme are discussed in section 4; and the final section concludes the paper.

Mathematical Background
Our CAE scheme is based on ECC, and the security of our scheme relies on the ECDLP and an OWHF; therefore these preliminaries are defined as follows:

Elliptic Curve (EC)
The elliptic curve, denoted by E, is of the form: where 4a^3 + 27b^2 ≠ 0 is required. The points on E, together with a special point O at infinity, form a cyclic group under the addition operation. The order of the group G is n. Let us consider two points P, Q ∈ G on a straight line L; this line becomes a tangent line if P = Q. Point addition formulas are defined for both the P = Q and the P ≠ Q case. Scalar multiplication of points on E is also defined. For elliptic curve algebra, interested readers may refer to (Stallings, 2011).

Elliptic Curve Discrete Logarithm Problem (ECDLP)
Let us consider an elliptic curve E defined over a finite field F_p, where p is a large prime. Suppose P is a point of prime order n on E and Q is another point such that Q = αP for some integer α. The ECDL problem is: given P and Q, find α. Select p, E and P such that solving the ECDLP is infeasible.

One Way Hash Function (OWHF)
The OWHF h is defined as follows: the input of h may be of variable length, but its output is of fixed length. The resulting hash of a message is known as the hash value or message digest (Stallings, 2011). The characteristics of an OWHF are as follows:
• The hash function can be applied to a message of any arbitrary length
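To make the three preliminaries concrete, the following is an added example (not code from the paper): toy elliptic-curve arithmetic over F_p with chord-and-tangent addition and double-and-add scalar multiplication, a brute-force ECDLP solver that only succeeds because the constructed parameters are tiny, and the h(P) = h(P_x || P_y) convention used later in the paper. Assumptions not stated on the page: the curve is in short Weierstrass form y^2 = x^3 + ax + b (the paper gives only the non-singularity condition 4a^3 + 27b^2 ≠ 0), the OWHF is instantiated with SHA-256, coordinates are encoded with a fixed width before concatenation, and the toy parameters p = 97, a = 2, b = 3 with base point (3, 6) are constructed for illustration.

```python
# Added example (not from the paper): toy elliptic-curve arithmetic over F_p,
# a brute-force ECDLP solver that only succeeds because the parameters are tiny,
# and the h(P) = h(P_x || P_y) convention instantiated with SHA-256.
import hashlib
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p (assumed form;
    the paper states only the non-singularity condition 4a^3 + 27b^2 != 0)."""

    def __init__(self, p: int, a: int, b: int) -> None:
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 must be non-zero mod p")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent addition; handles O, P + (-P) and doubling."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                      # P + (-P) = O (also covers 2P when y1 = 0)
        if P == Q:                           # tangent line at P
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                                # chord through P and Q
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Scalar multiplication k*P by double-and-add (k >= 0)."""
        R: Point = None
        Q = P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def order(self, P: Point) -> int:
        """Smallest n > 0 with n*P = O (linear scan; fine only for a toy curve)."""
        n, Q = 1, P
        while Q is not None:
            Q = self.add(Q, P)
            n += 1
        return n


def brute_force_ecdlp(curve: Curve, P: Point, Q: Point, n: int) -> Optional[int]:
    """Return alpha with Q = alpha*P by trying every alpha in [0, n).
    This costs O(n) group additions, which is exactly why real deployments
    choose p (and hence n) so large that this scan is infeasible."""
    R: Point = None
    for alpha in range(n):
        if R == Q:
            return alpha
        R = curve.add(R, P)
    return None


def hash_point(P: Tuple[int, int], p: int) -> str:
    """h(P) = h(P_x || P_y) as in the paper, instantiated with SHA-256 (assumed).
    Each coordinate is encoded with a fixed width so the concatenation is
    unambiguous: (12, 345) and (123, 45) must not produce the same byte string."""
    width = (p.bit_length() + 7) // 8
    data = P[0].to_bytes(width, "big") + P[1].to_bytes(width, "big")
    return hashlib.sha256(data).hexdigest()


# Constructed toy parameters (far too small for real use): p = 97, a = 2, b = 3.
TOY = Curve(97, 2, 3)
BASE: Tuple[int, int] = (3, 6)           # a point of prime order on the toy curve


def demo() -> dict:
    n = TOY.order(BASE)                    # prime order n of the base point
    alpha = 3                              # the "secret" scalar
    Q = TOY.mul(alpha, BASE)               # public Q = alpha * P
    return {
        "order": n,
        "Q": Q,
        "recovered_alpha": brute_force_ecdlp(TOY, BASE, Q, n),
        "hash_Q": hash_point(Q, TOY.p),
    }


if __name__ == "__main__":
    print(demo())
```

On the toy curve the base point has order 5, so the scan recovers α = 3 after a handful of additions; with a prime p of 256 bits the same loop would need on the order of 2^128 group operations even with the best generic algorithms, which is the gap the scheme's security rests on.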

Proposed CAE Scheme
The System Setup Phase
The system parameters generated by the System Authority (SA) and their notations are as follows:
Y_i: the public key of U_i.
ID_i: the identity information associated with user U_i.
||: concatenation of two strings.
All the above system parameters are published, but the secret key of each user and of SA should be kept secret. The hash h(P) of an elliptic curve point P means h(P_x || P_y), where P = (P_x, P_y).

User Registration (UR) Phase
Let the user U_i, with identity information ID_i, wish to register with SA. For this, every user performs the following steps: The user U_i first selects t_i ∈ [2, q-2] as the master key and computes: Then U_i transmits (V_i, ID_i) to SA. Now SA selects an integer z_i ∈ [2, q-2] and calculates a public key Y_i and the corresponding witness w_i for each U_i respectively as: Every user U_i computes his secret key x_i and checks its validity as: If the above equation holds, then U_i accepts (x_i, Y_i) as his secret and public key.

Theorem 1
The secret key x_i and public key Y_i of the user U_i satisfy Equation 3.5.

Proof
We have from Equation 3.5:

The Signature Generation and Verification (SGV) Phase
Suppose a user U_a wants to transmit to U_b an authenticated ciphertext for the message M with embedded redundancy. To do this, U_a first chooses an integer k ∈ [2, q-2] and computes: The tuple (r_1, r_2, S) is the signature for M and is then sent to U_b. After receiving this signature (r_1, r_2, S), U_b computes: The message M can be recovered as: Next, U_b can verify the signature (r_1, r_2, S) through the equation: The signature is valid only if this equation holds; at the same time the public key Y_a of the signer U_a is also authenticated.

Theorem 2
The signature recipient U_b can recover the message M, with the embedded redundancy, using Equation 3.13.

Proof
We have from Equation 3.13:

Theorem 3
The signature (r_1, r_2, S) must satisfy Equation 3.14; through this equation the public key Y_a is automatically authenticated.

Proof
We have from Equation 3.14:

The Signature Conversion (SC) Phase
In circumstances of dispute or disagreement, the signature receiver U_b can simply release the converted signature (r_2, S, C_1) and the recovered M. Anyone validating the signature first has to calculate K through Equation 3.10 and then check the signature through Equation 3.14. Only if Equation 3.14 holds is he assured that the signature was generated by U_a.

The Signature Recipient Proof (RP) Phase
Let the signature recipient U_b wish to convince some other user U_c that he is the actual recipient. To do this, U_b performs the following computations:
• The user U_b sends the converted signature (r_2, S, C_1) to U_c.
• The other user U_c calculates K through Equation 3.10, then checks the signature through Equation 3.14. Only if this equation holds does U_c proceed further.
• U_c chooses an integer d randomly and computes: and Q is sent back to U_c.
• Now U_c computes Q′ = d⋅C_1 and compares Q with Q′; only if Q = Q′ does U_c accept that U_b is the specified recipient.

Security and Performance Analysis
This section is divided into two subsections: in the first, the cryptographic security of the proposed CAE scheme is analyzed, and in the second, the performance of our scheme is analyzed.

Security Analysis
First we show that our scheme is secure against some active attacks. The safety of our scheme rests on the ECDLP and the OWHF. We focus on three security properties, namely confidentiality, non-repudiation and unforgeability.

Confidentiality
The confidentiality of the secret key γ of SA is maintained by the ECDLP. If an attacker tries to obtain the secret key γ through the public key Q = γP of SA, or from Equation 3.3 of the registration phase, then the attacker has to face the intractability of the ECDLP. It is also difficult to obtain it from Equation 3.3 because of the random value z_i, which is itself protected by the ECDLP through Equation 3.2. The same level of difficulty has to be faced to obtain it from Equation 3.4.
To break the confidentiality of the recovered message M, the attacker has to retrieve the key Y_ab from Equations 3.10 and 3.12, but again he has to solve the ECDLP to achieve this goal.
The proposed CAE scheme keeps the indistinguishability property of confidentiality: the attacker cannot tell which of two messages M_1, M_2 a given ciphertext corresponds to. To distinguish the messages the attacker would have to verify Equation 3.14, which is not feasible for him, because the secret key x_b is unavailable. In this way the authenticated encryption messages are indistinguishable.

Non-Repudiation
Only the designated signature recipient U_b can validate the signature tuple (r_1, r_2, S) generated by the signer U_a. In circumstances of dispute, the receiver can transmit the tuple (r_2, S, C_1) to whomever the recipient would like to convince that the signature was generated by U_a. From the signature generation phase it is clear that the signature is generated using the secret keys of U_a and U_b, which is why neither of them can deny their participation.

Unforgeability
To forge a genuine signature (r_1, r_2, S) for a message M_0 of his choice, an adversary would have to select (r′_2, S′) randomly and then compute K′ satisfying Equation 3.10. After this he would have to choose a new value C′_1 and use it to compute r′_1 satisfying Equation 3.13. However, the randomly selected values (r′_2, S′) cannot satisfy Equation 3.14. Due to the intractability of the ECDLP, it is not feasible to find the secret key (x_b) of the signer in order to forge a genuine signature.
Forgery of the public key from Equation 3.5 is impossible for an adversary because of the security assumptions of the OWHF and the ECDLP.

Performance Analysis
To describe the algorithmic complexity of our scheme, we use the following notation.

Notation: Description
T_h: the time taken for hashing.
T_m: the time taken to compute a modular multiplication.
T_i: the time taken to compute a modular inversion.
T_EA: the time taken to perform an addition over the elliptic curve.
T_EM: the time taken to perform a scalar multiplication of a point on the elliptic curve.
Table 1 shows that the time complexity of our proposed scheme is less than that of the Wu and Lin (2008) scheme. The communication costs are the same for both schemes.
Table 2 shows the computational timings. The computational timing calculation is based on (Ramasamy and Prabakar, 2011).
As is clear from Table 2, every stage of our scheme is more cost efficient than the corresponding stage of the Wu and Lin (2008) scheme. Overall, the time consumption of our scheme is approximately 6% less than that of Wu and Lin (2008).

Conclusion
In this study a new CAE scheme based on ECC and self-certified PKC is proposed. This scheme is computationally indistinguishable, and its security is based on the ECDLP and an OWHF. The scheme has an advantage over the certificate-based approach, since no extra effort is required to verify certificates: signature verification and authentication of the public key are performed in a single step. In case of dispute, the signature recipient is able to prove his genuineness to a third party. The receiver of the signature is also able to transform it into an ordinary signature with very little computational effort. The previous section shows that the proposed scheme satisfies the basic security properties. The performance analysis shows that the proposed CAE scheme has a slight advantage over the Wu and Lin ECC-based CAE scheme regarding time complexity. The use of ECC is an advantage where storage and computational resources are limited, as in personal digital devices.