Secure Hybrid Mode-Based Cryptosystem

.


INTRODUCTION
The security of a cryptosystem depends heavily on a hard mathematical problem used in the system. Some novel hard problems that have been used in many cryptosystems were discrete logarithms (ElGamal, 1985), factoring (Rivest et al., 1978), elliptic curve discrete logarithm (Koblitz, 1987;Miller, 1986), residuosity (Rabin, 1979) and many other problems. Although such problems remain hard today, it is conjectured that one day in the future those problems could be easily solved. As soon as this occurs, cryptosystems based on such problems will no longer be secure. This scenario has led designers to create cryptosystems based on hybrid mode problems (Harn, 1994;Elkamchouchi et al., 2004;Baocang and Yupu, 2005;Ismail and Hijazi, 2011). The major advantage of doing this is that these types of schemes provide greater level of security than that the schemes based on only a single hard problem. As a result, an adversary needs a longer period of time in order to break the hybrid modebased cryptosystems since it is very unlikely for the adversary to obtain the solutions of these problems simultaneously. Developing of such system is still a field in need of cultivation. It is always one aims to have system with the following criteria: (1) the system uses only one pair of public and private keys; (2) each user uses common arithmetic modulus; and (3) the system uses the most novel two hard mathematical problems for its security base.
In this study, we created a new hybrid modebased cryptosystem using factoring and discrete logarithm problems. With the greater level of security confirmed, we showed that the performance of the scheme requires acceptable time complexity unit operations in both encryption and decryption algorithms, which makes the system implementable for real world applications. Next, our new system also enjoys the three mentioned criteria.

Some notations and parameters:
Throughout the study, we use the following notations and parameters unless otherwise specified: • Two large strong random primes p and q which are safe primes (Gordon, 1984) and set the system modulus as n = pq • A phi-Euler function φ(n) = (p-1) (q-1) • A primitive element, g in multiplicative group Z n * = {z|gcd(z,n) = 1} with order n satisfying g n−1 = 1 (mod n) where gcd (a,b) denotes the greatest common divisor of a and b • A cryptographic hash function h(.) (Schneier, 1996) whose maps an arbitrarily length of string to an output of a t-bit length and we assume here that t = 128

MATERIALS AND METHODS
We present a new cryptosystem based on hybridmode problems; factoring and discrete logarithms. The scheme is made up of three phases namely Initialization, Encryption and Decryption. In Initialization phase, the two pairs of public and private keys of users are calculated using the user's parameters n, φ(n) and g. The generated public keys will be then published in an accessible public key directory while the private keys are kept secret to the owners. In Encryption phase, an encrypted message is developed using the receiver's public key and sender's commitment of secret number. This is done by first get the message hashed using the appropriate cryptographic hash function h(.). This function determines a fixed length of output by hashing any arbitrarily length of input. The encrypted message is then sent to the legal receiver. In Decryption phase, upon obtaining the encrypted message, the receiver recovers the original message by using his own private keys and without these keys no one can learn the original message.
Initialization phase: The user or receiver derives his public and private keys as follows: • Select at random two integers 3 ≤ e, x < n from Z n * • Calculate d = e −1 mod φ(n) • Compute y = g x mod n The public keys are formed by (e, y) and can be accessed in the public directory and the private keys are given by (d, x) and are kept secret by the receiver.

Encryption:
The sender encrypts his original message, m as follows: • Pick at random an integer c < n from Z n * • Hash the original message to obtain h(m) • Computes c 1 = h(m) e + y c (mod n) • Calculate c 2 = g c (mod n) Send the encrypted message (c 1 ,c 2 ) to the receiver. We compute the first component of encrypted message, c 1 with two public keys e and y as if we disguise the original message 'twice' and this is one of the techniques to realize the hybrid mode-based cryptosystem.

Decryption:
The receiver decrypts the obtained encrypted message (c 1 ,c 2 ) as below. Compute the following: • (c 1 -c 2 x ) d = h(m) mod n.

RESULTS
We discuss our results according to the following criteria: • Validation of the new cryptosystem • Security analysis • Efficiency performance To validate the newly developed cryptosystem, we prove that the decrypting equation is always true for any corrected encrypted message (c 1 , c 2 ).
For security consideration, we use a technique from heuristic security to show that the scheme is secure. We do this by delivering the scheme to the literature for attacks. We consider common possible attacks for cryptosystem by which an adversary (Adv) may try to take down the new scheme. In particular, we define each attack and give the corresponding analysis of why this attack would fail.
For efficiency performance, we evaluate the time complexity for both phases; encryption and decryption in terms of various operation units. Finally we compute the communication cost of overall performance of the scheme.

Validation:
We validate our new scheme by proving the following theorem.
Theorem: If the algorithms of Initialization and Encryption run smoothly, then the decryption process of the encrypted message in decryption is correct.

Proof:
The decrypting equation is true for all encrypted message (c 1 , c 2 ) since (c 1 -c 2 x ) d = (h(m) e + y c -g cx ) d = (h(m) e + g xc -g cx ) d = h(m) ed = h(m) mod n.

Security attack:
We show that our scheme is heuristically secure by considering the following common algebraic attacks.
Attack 1: Adv tries to obtain the private keys from the corresponding public keys in the system. In this case, Adv needs to solve ed = 1 mod φ(n) and y = g x mod n for d and x respectively. This is impossible due to the hardness of solving factoring and discrete logarithms. The best way to factorize the modulus n = pq, is by using the number field sieve method (Lenstra et al., 1990). However, this method is just dependent on the size of modulus n and it is computationally infeasible to factor an integer of size 1024-bit and above. Next, to increase the security of our scheme, we must select strong primes (Diaz and Masque, 2005) to avoid attacks using special-purpose factorization algorithms. We also can achieve and maintain the same security level for discrete logarithm problem by selecting the modulus n = pq where (p-1)/2 and (q-1)/2 respectively are product of two 512-bit strong primes.
Attack 2: Say, the Adv collects t encrypted messages (c 1i , c 2i ) where i=1,2,…,t. Adv then has the following system of equations (c 1i -c 2i x ) = h(m i ) e mod n. Note that, the above system contains t equations with t+1 variables; x and h(m i ) and solving this gives us infinitely many solutions which is hardly to detect the true one.
Attack 3: Assume that the Adv successfully solves the factoring problem so that he knows the secret d. With this, he learns that (c 1 -c 2 x ) = h(m) e mod n. From the above equation, to recover the original message h(m), one has to compute (c 1 -c 2 x ) d and this obviously can be done if one knows the secret number x. Since at this stage the discrete logarithm problem remains hard to solve then the Adv would fail.
Attack 4: Assume otherwise that the Adv is able to solve the discrete logarithm problem and hence obtain the secret integer x. He then recovers h(m) e via the relation (c 1 -c 2 x ) = h(m) e mod n. It is clear that, Adv is only able to read the original message if he has the secret d. Efficiency performance: We now describe and determine the performance of our scheme in terms of number of keys used, computational complexity overhead and the communication costs. The measurement is determined using numbers or units. The following notations are used to analyse the performance of the developed scheme.
• SK and PK denote the number of private and public keys respectively • T exp is the time complexity taken for a modular exponentiation • T mul is the time complexity taken for a modular multiplication • T hash is the time complexity taken for performing a hash function and |x| denotes the bit length of x We neglect the time complexity for modular addition or subtraction and we assume that the probability of the bit being selected as 0 or 1 is 0.5. The efficiency of the new cryptosystem is summarized in Table 1.
From Table 1, the sender performs 720T mul + T hash time complexity for encryption and the receiver performs 480T mul time complexity for decryption using the conversion T exp = 240T mul (Koblitz et al., 2000). Finally the communication costs or size of parameters of the scheme is only 3|n|.

DISCUSSION
The security of most of the designated cryptosystems was based on a single hard problem like factoring, discrete logarithm and elliptic curve discrete logarithm problems. These schemes are no longer secure if one day an enemy successfully finds a polynomial algorithm to solve the underlying problem. To prevent this, developing a scheme based on two hard problems is a good strategy. The enemy only can break this scheme if he can solve the two problems simultaneously and this is very unlikely to happen. If he manages to find a solution to one of the underlying hard problem, the scheme remains secure as the other problem remains hard to solve for at least another period of time. Our newly developed scheme is protected against the most common considering algebraic attacks. The performance analysis of the developed scheme requires only minimal and acceptable number of operations units in Encryption and Decryption phases and thus makes it very efficient.

CONCLUSION
We presented a secure hybrid mode-based cryptosystem using on factoring and discrete logarithms problems. The proposed scheme only requires 720T mul + T hash and 480T mul respectively for encryption and decryption. Some possible algebraic attacks have also been considered and we showed that the scheme is heuristically secure from those attacks.