
Proceeding of the 3rd International Conference on Informatics and Technology, 2009

PRIVATE DATA RETRIEVAL BASED ON HYBRID-MODE ASSUMPTIONS


Eddie Shahril Ismail (1), Mohammad Saleh Nahar Hijazi (2)
(1,2) School of Mathematical Sciences, Faculty of Science and Technology
Universiti Kebangsaan Malaysia, 43600 UKM Bangi, Selangor, Malaysia
Email: esbi@ukm.my and mhdhijazi578@yahoo.com

ABSTRACT

The past years have seen many attempts to construct cryptosystems based on a single hard problem, such as factoring,
discrete logarithms, residuosity, and elliptic curve discrete logarithms. In the near future, those systems will no longer be
secure if solutions to these hard problems are discovered. In this paper, we propose a new cryptosystem based on
hybrid-mode cryptographic assumptions: elliptic curve discrete logarithms and residuosity. The major advantage of our
scheme is that it is very unlikely that the two assumptions can be efficiently solved simultaneously, and it therefore offers
higher security than a scheme based on a single cryptographic assumption. We show that the scheme is resistant to
several attacks and that its performance requires only a reasonable number of operations in both encryption and
decryption.

Keywords: Cryptography, cryptosystem, cryptographic assumptions

1.0 INTRODUCTION

Diffie and Hellman [12] proposed their brilliant idea in a seminal paper on public key cryptography. They showed
how to transmit a private message over an open channel so that it arrives in the right hands. Such a system is called a
cryptosystem, the first of which was invented in 1978 [9]. The security of that scheme is based solely on the hardness of
the factoring problem (FAC). A year later, Rabin [13] designed a cryptosystem based on the residuosity problem (RES). His
system depends on the difficulty of finding the prime divisors of a given large integer, but no concrete relationship between
FAC and RES has been found. In 1985, the first discrete logarithm (DL)-based cryptosystem [10] was developed. Since then
many cryptosystems have been developed based on these three assumptions or problems. One common feature of
these schemes is that they depend on a number-theoretic problem (except for RES), and thus their implementation
relies heavily on modular exponentiation, which is known to be time consuming and costly.

In the mid-1980s, Koblitz [6] and Miller [11] independently brought elliptic curves into cryptography and showed
how such curves can be used as a remarkable tool in designing cryptographic schemes. They proposed cryptographic
schemes whose security rests on the so-called elliptic curve discrete logarithm problem (ECDL) and argued that ECDL-
based schemes provide higher security and greater efficiency than both integer factorization systems and discrete
logarithm systems. Their proposal became a turning point for the rigorous development of ECDL schemes in the literature
[8, 3, 4, 5, 6, 11, 1].

In this paper, we propose a new cryptosystem based on hybrid-mode assumptions, ECDL and RES, with two
contributions. First, the new scheme offers higher security than schemes based on ECDL, RES or any other single
assumption, since it is very unlikely for an enemy to solve the two assumptions simultaneously. Second, our scheme
is efficient since it involves no modular exponentiation in any phase or stage.

2.0 BACKGROUND THEORIES

A general elliptic curve has the form $y^2 + axy + by = x^3 + cx^2 + dx + e$, where $a, b, c, d$ and $e$ are real numbers. On this
curve we define a special addition operation with the inclusion of a point at infinity denoted as $\infty$. Let a prime $q$ be the
characteristic, with $q$ neither two nor three. Then we obtain an elliptic group over the Galois field, $E(F_q)$, for

$y^2 = x^3 + ax + b \pmod q$ where $0 \le x < q$.

The numbers $a, b < q$ are non-negative integers satisfying the condition $4a^3 + 27b^2 \neq 0 \pmod q$.

The rules for addition over the elliptic group $E(F_q)$ are defined as follows:

(a) If three points are on a line that intersects an elliptic curve, then their sum equals the point at infinity $\infty$.
(b) Let the points $A = (r, s)$ and $B = (t, u)$ be in the elliptic group $E(F_q)$.
i. $A + \infty = A = \infty + A$ and if $B = -A = (r, -s)$ then $A + B = \infty$

©Informatics '09, UM 2009 RDT6 - 186



ii. If $B \neq -A$, then $A + B = (e, f)$ where $e = \lambda^2 - r - t \pmod q$ and $f = \lambda(r - e) - s \pmod q$. The number $\lambda$
is calculated using the formula below (the second case is the doubling $A = B$):

$$\lambda = \begin{cases} \dfrac{u - s}{t - r}, & r \neq t \\[6pt] \dfrac{3r^2 + a}{2s}, & r = t,\ s \neq 0 \end{cases}$$

iii. If $n$ is a positive integer, we can compute $nA = C = A + A + \cdots + A$ ($n$ times) where $C$ is also in $E(F_q)$.

If $D$ is a point on the elliptic group and $m$ is the smallest positive integer satisfying the equation $mD = \infty$, then we say that
$D$ has order $m$ and is called the base point.

The two assumptions the scheme rests on are ECDL and RES. We define them as follows:

• ECDL: Assume that we are given two elliptic points $A$ and $C$. Then it is very difficult to obtain the positive integer
$n$ such that $nA = C$.
• RES: Assume that we are given a large integer $\gamma = \lambda^2 \pmod{rs}$ where $r$ and $s$ are two strong primes and
$\gamma, \lambda \in \mathbb{Z}^*_{rs}$. Then it is very hard to find the number $\lambda$.

3.0 THE PROPOSED SCHEME

We present a new cryptosystem design over an elliptic curve that also makes use of the residuosity assumption. Three phases
are used to establish a secure encryption mechanism between two users (sender and receiver). The scheme proceeds as
follows:

3.1 Initialization

The receiver chooses the domain parameters, which consist of:

• The field order $q$.
• Two coefficients $a, b \in F_q$ that define the equation $y^2 = x^3 + ax + b \pmod q$ of the elliptic curve $E$ over $F_q$.
• The number of points in $E(F_q)$, denoted $\#E(F_q)$.
• Two field elements $x_1$ and $y_1$ in $F_q$ that define a finite point $G = (x_1, y_1)$. $G$ has a large prime order $m$ and is called the
base point.

The receiver then:

• Publishes a one-way hash function $h(\cdot)$.
• Keeps the parameters $(d, r, s)$ as his private keys, where $r$ and $s$ are two large strong primes.
• Calculates his public keys $Z = dG = (d_1, d_2)$ and $n = rs$.

In order to prevent the Pohlig-Hellman attack and Pollard's rho attack, it is necessary that $\#E(F_q)$ be divisible by a
sufficiently large prime number [14]; the maximum resistance to these attacks is obtained by selecting $E(F_q)$ so that $\#E(F_q)$ is
prime or almost prime.

3.2 Encryption

To encrypt a message $h(m)$, the sender does the following:

• Selects a secret integer $1 < r < q$.
• Computes $T = rZ = (r_1, r_2)$ and $K = rG$.
• Calculates $w = (d_1 r_1 + h(m)) \pmod n$ and $\alpha = w^2 \pmod n$.
• Sends $(\alpha, K)$ to the receiver.

3.3 Decryption

Upon receiving the encrypted message $(\alpha, K)$, the receiver does the following:

• Calculates $R = dK = (r_1, r_2)$.
• Extracts the number $w$ from the received $\alpha$ (refer to [13] for the extraction process for $w$).
• Obtains the original message as $h(m) = (w - d_1 r_1) \pmod n$.
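The following worked example is added here and is not code from the paper. It implements the point addition rules and scalar multiplication of Section 2.0 and then runs the three phases of Sections 3.1 to 3.3 end to end on a constructed toy instance: the curve $y^2 = x^3 + 2x + 3$ over $F_{97}$ with base point $G = (3, 6)$ of order 5, and Rabin primes 11 and 19 standing in for the large strong primes. The sender's secret integer is written `k` (the paper calls it $r$, which collides with the receiver's prime $r$), $h(m)$ is reduced mod $n$ so the toy modulus can carry it, and the extraction of $w$ from $\alpha$ follows Rabin's method for primes congruent to 3 mod 4, which is the assumption this example makes about the "extraction process" the paper defers to [13].

```python
# Added worked example (not from the paper): a toy instance of the hybrid
# ECDL/RES scheme of Sections 3.1-3.3 built on the point-addition rules of
# Section 2.0. All parameters are constructed and far too small for real use.
import hashlib

INF = None  # the point at infinity

def is_valid_curve(a, b, q):
    """Non-singularity condition 4a^3 + 27b^2 != 0 (mod q) from Section 2.0."""
    return (4 * a ** 3 + 27 * b ** 2) % q != 0

def ec_add(P, Q, a, q):
    """Rules (b)(i)-(ii): add two points of y^2 = x^3 + ax + b over F_q."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    r, s = P
    t, u = Q
    if r == t and (s + u) % q == 0:        # Q = -P (also covers doubling with s = 0)
        return INF
    if P != Q:
        lam = (u - s) * pow(t - r, -1, q) % q          # (u - s)/(t - r)
    else:
        lam = (3 * r * r + a) * pow(2 * s, -1, q) % q  # (3r^2 + a)/(2s)
    e = (lam * lam - r - t) % q
    f = (lam * (r - e) - s) % q
    return (e, f)

def ec_mul(n, P, a, q):
    """Rule (b)(iii): nP, computed by double-and-add instead of n-1 additions."""
    R = INF
    while n > 0:
        if n & 1:
            R = ec_add(R, P, a, q)
        P = ec_add(P, P, a, q)
        n >>= 1
    return R

def point_order(P, a, q):
    """Smallest m > 0 with mP = infinity (fine for a toy curve, not a real one)."""
    m, Q = 1, P
    while Q is not INF:
        Q = ec_add(Q, P, a, q)
        m += 1
    return m

def rabin_sqrt(alpha, r, s):
    """All square roots of alpha mod n = rs for primes r, s congruent to 3 mod 4
    (Rabin's method; assumption of this example for the step the paper defers
    to [13]). Each per-prime root is one exponentiation; the four combinations
    are assembled with the Chinese remainder theorem."""
    n = r * s
    xr = pow(alpha, (r + 1) // 4, r)
    xs = pow(alpha, (s + 1) // 4, s)
    s_inv_r = pow(s, -1, r)  # s^{-1} mod r
    r_inv_s = pow(r, -1, s)  # r^{-1} mod s
    return {(u * s * s_inv_r + v * r * r_inv_s) % n
            for u in (xr, r - xr) for v in (xs, s - xs)}

def keygen(q, a, b, G, d, r, s):
    """Section 3.1: receiver's private keys (d, r, s) and public keys (Z, n)."""
    assert is_valid_curve(a, b, q)
    assert 1 < d < point_order(G, a, q)
    Z = ec_mul(d, G, a, q)      # Z = dG = (d1, d2)
    return Z, r * s

def h_mod_n(message, n):
    """Message digest h(m), reduced into Z_n so the toy modulus can carry it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(hm, k, Z, G, a, q, n):
    """Section 3.2; the sender's secret integer is written k (the paper's r)."""
    T = ec_mul(k, Z, a, q)      # T = kZ = (r1, r2)
    K = ec_mul(k, G, a, q)      # K = kG
    w = (Z[0] * T[0] + hm) % n  # w = d1*r1 + h(m) mod n
    return (w * w % n, K)       # (alpha, K)

def decrypt(alpha, K, d, Z, r, s, a, q):
    """Section 3.3: returns every candidate h(m), since alpha has four roots mod rs."""
    n = r * s
    R = ec_mul(d, K, a, q)      # R = dK = d(kG) = k(dG) = T, so R[0] == r1
    return {(w - Z[0] * R[0]) % n for w in rabin_sqrt(alpha, r, s)}

if __name__ == "__main__":
    q, a, b, G = 97, 2, 3, (3, 6)          # constructed toy curve; G has order 5
    r, s = 11, 19                          # constructed toy primes, both 3 mod 4
    Z, n = keygen(q, a, b, G, 3, r, s)     # receiver's d = 3
    hm = h_mod_n(b"constructed sample message", n)
    alpha, K = encrypt(hm, 2, Z, G, a, q, n)   # sender's secret k = 2
    candidates = decrypt(alpha, K, 3, Z, r, s, a, q)
    print(hm, alpha, K, candidates, hm in candidates)
```

Two points worth noticing when running it. First, `decrypt` recovers $r_1$ exactly because $dK = d(kG) = k(dG) = kZ = T$, which is the correctness argument of Section 4.0 in executable form. Second, $\alpha$ has four square roots modulo $rs$, so the receiver obtains four candidate values of $h(m)$; the scheme as written does not say how the correct one is chosen, and Rabin's original construction [13] resolves this with redundancy in the plaintext, so an implementation has to add such a rule before the decryption step is unambiguous.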




4.0 EVALUATION OF THE SCHEME

We evaluate the presented scheme on its exactness, its security and its efficiency. For exactness
we prove the following theorem.

Theorem: If the Initialization and Encryption phases of the above scheme run correctly, the decryption equation in
Decryption is correct.

Proof: From the received encrypted message $(\alpha, K)$, the receiver, who knows $r$ and $s$, can extract $w = d_1 r_1 + h(m)$
from $\alpha$ (refer to [13] for the extraction process for $w$). Since he possesses the private key $d$, he can get the number $r_1$ via
$R = dK$. Thus he can read the original message by computing $w - d_1 r_1 = d_1 r_1 + h(m) - d_1 r_1 = h(m)$, since $d_1$ is public.

For the security analysis [2, 7] we subject the scheme to the most commonly considered attacks: the KEY-ONLY attack, the RES
attack and the ECDL attack. We show that for each of these attacks the adversary (Adv) would fail.

KEY-ONLY attack: Adv wishes to obtain all secret keys using all information that is available from the system. In this
case, Adv needs to solve both ECDL and RES, which is clearly infeasible.

RES attack: Assume that Adv can solve the RES assumption. He then knows the prime factorization of $n$ and can extract
the integer $w$ from $\alpha = w^2 \bmod n$. If he could also obtain the number $d$, Adv could recover the original $h(m)$ since $h(m) = w - d_1 r_1$.
But this is impossible due to the hardness of the ECDL assumption. Note that in this attack, the integer $r_1$ should not be used
more than once. If it is, Adv can form $w - w_1 = h(m) - h(m_1)$, where $h(m_1) = w_1 - d_1 r_1$. If the message $h(m_1)$ is his own,
then the original $h(m)$ can be recovered.

ECDL attack: Now suppose that Adv can solve the ECDL assumption. He can then figure out the integer $r_1$ from the relation
$R = dK = (r_1, r_2)$. Unfortunately for him, reading the message $h(m)$ is still hard since no information on $w$ is available.

Next, we investigate the efficiency performance of our scheme in terms of number of keys, computational complexity and
communication costs. We use the following notations to analyze the performance of the scheme.

• $N_{SK}$ is the number of secret keys,
• $N_{PK}$ is the number of public keys,
• $T_{mul}$ is the time complexity for executing a modular multiplication,
• $T_{exp}$ is the time complexity for executing a modular exponentiation,
• $T_{sqr}$ is the time complexity for executing a modular squaring,
• $T_{sqrt}$ is the time complexity for executing a modular square root,
• $T_{add}$ is the time complexity for executing a modular addition,
• $T_{inv}$ is the time complexity for executing a modular inversion,
• $T_{ec\text{-}mul}$ is the time complexity for executing a scalar multiplication of an elliptic curve point,
• $T_{ec\text{-}add}$ is the time complexity for executing the addition of two elliptic curve points,
• $T_{ran}$ is the time complexity for selecting a random integer,
• $T_{hash}$ is the time complexity for performing the one-way hash function $h$.

The performance of our new cryptosystem is described as follows. The number of keys of the new scheme is $N_{SK} = 3$
and $N_{PK} = 2$. The computational complexity for encryption is given by $T_{ran} + 2T_{ec\text{-}mul} + T_{mul} + T_{sqr} + T_{hash}$, whereas the
time complexity for decryption is $T_{ec\text{-}mul} + T_{mul} + T_{sqrt}$. Finally, the communication costs, or sizes of the parameters, for
encryption and decryption are respectively $2|n|$ and $|n|$.

5.0 CONCLUSION

We proposed a new cryptosystem based on hybrid-mode problems: the elliptic curve discrete logarithm and residuosity
problems. The proposed scheme is shown to be secure against the three attacks considered for hybrid-mode-based
cryptosystems. The adversary has to solve two hard problems in order to break the scheme, and this happens with
negligible probability. Our scheme is also efficient since it requires no modular exponentiation in either encryption or
decryption.

ACKNOWLEDGEMENT
We acknowledge the financial support received from Universiti Kebangsaan Malaysia under the Research University
Grant UKM-OUP-ICT-36-177/2009 and UKM-GUP-NBT-08-29-120.




REFERENCES

[1] A. Menezes, Elliptic Curve Public Key Cryptosystem. Kluwer Academic Publishers. Boston, Dordrecht, London.
1993.

[2] A. Menezes et al., Handbook of Applied Cryptography. CRC Press, USA. 1996.

[3] C. Lawrence, Elliptic Curves Number Theory and Cryptography. CRC Press. Washington. 2003.
[4] C. Popescu, An Identification Scheme Based on the Elliptic Curve Discrete Logarithm Problem, in Proceedings
of The 4th International Conference on High-Performing Computing in the Asia-Region, Vol. 2, pp. 624-625.
2000.

[5] K. Rabah, Elliptic Curve ElGamal Encryption and Signature Schemes. Information Technology Journal 13(3).
2005, pp. 299-306.

[6] N. Koblitz, Elliptic Curve Cryptosystems. Mathematics of Computation 48(177). 1987, pp. 203-209.

[7] N. Koblitz and A. Menezes, Another Look at ‘Provable Security’. Journal of Cryptology 20(1). 2007, pp. 3-37.

[8] N. Koblitz et al., The State of Elliptic Curve Cryptography. Designs, Codes and Cryptography 19(2-3). 2000, pp. 173-
193.

[9] R. L. Rivest et al., A Method for Obtaining Digital Signature and Public Key Cryptosystems. Commun. ACM
21(2). 1978, pp. 120-126.

[10] T. ElGamal, Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithm. IEEE Trans.
Inform. Theory, IT-31. 1985, pp. 469-472.

[11] V. Miller, Uses of Elliptic Curve in Cryptography. Advances in Cryptology-Proceeding of CRYPTO’85. Lecture
Notes in Computer Sciences, 218. Springer-Verlag. 1986, pp. 417-426.

[12] W. Diffie and M. E. Hellman, New Direction in Cryptography. IEEE Trans. Inform. Theory, 22(6). 1976, pp. 644-
654.

[13] M. O. Rabin, Digitalized Signatures and Public Key Functions as Intractable as Factorization. Technical report
MIT/LCS/TR-212, MIT Laboratory for Computer Science. 1979.

[14] S. C. Pohlig and M. E. Hellman, An Improved Algorithm for Computing Logarithms Over GF(p) and Its
Cryptographic Significance. IEEE Transactions on Information Theory 24(1). 1978, pp. 106-110.

BIOGRAPHY

Eddie Shahril Ismail is a senior lecturer at the School of Mathematical Sciences, Faculty of Science and Technology,
Universiti Kebangsaan Malaysia. He obtained his PhD in Cryptography from Universiti Sains Malaysia in 2004. His
research interests include digital signatures, cryptosystems and threshold-like schemes. He has produced a number of
articles related to these areas. He has also been a member of the International Association for Cryptologic Research (IACR) since
2008.

Mohammad Saleh Nahar Hijazi is a PhD student at the School of Mathematical Sciences, Faculty of Science and
Technology, Universiti Kebangsaan Malaysia. He is currently working on the development of cryptosystems based on
hybrid-mode problems.
