
Journal of King Saud University – Computer and Information Sciences xxx (2018) xxx–xxx


A forward secure signcryption scheme with ciphertext authentication for e-payment systems using conic curve cryptography

Renu Mary Daniel (corresponding author), Elijah Blessing Rajsingh, Salaja Silas
Department of Computer Sciences Technology, Karunya Institute of Technology and Sciences, Tamil Nadu 641114, India

Article history:
Received 10 November 2017
Revised 22 January 2018
Accepted 10 February 2018
Available online xxxx

Keywords:
Signcryption
Conic curve cryptography
Forward secrecy
Ciphertext authentication
E-commerce
ProVerif

Abstract

Signcryption is an authenticated encryption technique that concurrently establishes message confidentiality, authenticity, integrity and non-repudiation. In this paper, we propose an efficient signcryption scheme based on the hardness of the RSA assumption and the discrete logarithm problem on conic curves over a ring $Z_n$. The protocol ensures forward secrecy in case the sender's secret keys are exposed, and supports ciphertext authentication by an external entity without full decryption. The protocol remains secure as long as either one of the hardness assumptions holds. The scheme is implemented over conic curves, which facilitate effective message encoding and decoding, as well as efficient point operations and inverses. The conic-based RSA assumption offers resistance to the low public key and low private key exponent attacks prevalent in the original RSA cryptosystem. The proposed protocol is used to design a Business to Customer (B2C) e-commerce system, with security against replay attacks, man-in-the-middle attacks, impersonation attacks, server spoofing and double spending. The protocol is validated using the automated cryptographic verification tool ProVerif.

© 2018 The Authors. Production and hosting by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

1. Introduction

In public key cryptosystems, message confidentiality, integrity, authenticity and non-repudiation are ensured by first signing the message with the sender's private key and then encrypting the message-signature pair using an ephemeral session key. Subsequently, the session key is encrypted using the receiver's public key before transmission. On receiving the randomized session key and the encrypted message-signature pair, the receiver retrieves the session key using his private key. Then, the receiver decrypts the encrypted message-signature pair using the session key. Finally, the receiver confirms the authenticity and integrity of the message by verifying the signature using the sender's public key. To reduce the cost of the conventional "signature then encryption" approach, Zheng (1997) proposed an authenticated encryption primitive called signcryption, which combines the functionalities of both encryption and digital signature in a single logical step. Zheng's signcryption scheme was based on the Discrete Logarithm Problem (DLP) over a finite field. Later, a variant of the scheme based on the elliptic curve analog of the DLP (ECDLP) was proposed by Zheng and Imai (1998). Ideally, a signcryption scheme must ensure the following security attributes:

- Public verifiability – Public verifiability implies that, given the original message, the ciphertext components and some optional information, an external entity can verify the message authenticity without the recipient's private key (Ahmed et al., 2010).
- Ciphertext authentication – Ciphertext authentication implies that an external judge can authenticate the message origin from the ciphertext components and some intermediate decryption results provided by the receiver. The receiver need not reveal the original message or the private key to the external judge to ensure non-repudiation.
- Public ciphertext authentication – Public ciphertext authentication implies that an external entity can verify the message origin solely from the ciphertext components, without any intervention of the recipient.
- Ciphertext anonymity – Ciphertext anonymity ensures that no useful information about the sender can be derived from the ciphertext components. It is to be noted that public ciphertext authentication and ciphertext anonymity cannot be attained simultaneously.

Corresponding author: Renu Mary Daniel.
E-mail addresses: renumarydaniel@karunya.edu.in (R.M. Daniel), elijahblessing@karunya.edu (E.B. Rajsingh), salaja_cse@karunya.edu (S. Silas).
Peer review under responsibility of King Saud University.

https://doi.org/10.1016/j.jksuci.2018.02.004
1319-1578/© 2018 The Authors. Production and hosting by Elsevier B.V. on behalf of King Saud University.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Please cite this article in press as: Daniel, R.M., et al. A forward secure signcryption scheme with ciphertext authentication for e-payment systems using conic curve cryptography. Journal of King Saud University – Computer and Information Sciences (2018), https://doi.org/10.1016/j.jksuci.2018.02.004

- Forward secrecy – The forward secrecy property deters an adversary in possession of the sender's secret keys from decrypting previously encrypted messages.

1.1. Previous work

The initial signcryption scheme proposed by Zheng (1997) lacked public verifiability. Hence, in Zheng's scheme, the receiver had to reveal his private key to the external verifier to ensure non-repudiation. Bao and Deng (1998) modified Zheng's protocol so that the recipient's private key is no longer required for signature verification. Instead, the recipient must produce the original message along with the ciphertext components to the external entity. The property is termed public verifiability. The protocol was implemented in a finite field, based on the strong Gap Diffie-Hellman (Gap-DH) assumption. However, the public verifiability property is unsuitable for applications requiring content filtering by firewalls, since verification by an external entity is not possible until the decryption of the ciphertext by the intended recipient. Gamage et al. (1999) proposed the first signcryption scheme with the public ciphertext authentication property. In Gamage's scheme, any external entity can verify the signature solely from the ciphertext components, without the intervention of the recipient. The protocol is based on the standard Computational Diffie-Hellman (CDH) assumption. Apparently, the protocol lacks ciphertext anonymity, since an adversary can perform random checks to detect the message origin (Chow et al., 2003). Hence, the public ciphertext authentication property is undesirable for applications like e-commerce, where the sender's identity has to be preserved. None of the above mentioned protocols provide the forward secrecy property. Chow et al. proposed a forward secure signcryption scheme with the public ciphertext authentication property, under the Modified Decisional Bilinear Diffie-Hellman (MDBDH) assumption on elliptic curves. However, the protocol incurs higher computational complexity due to expensive bilinear pairing operations. Later, Han et al. (2004) proposed a forward secure signcryption scheme with ciphertext authentication and ciphertext anonymity based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). The protocol offers better efficiency than Chow et al.'s scheme, since it does not involve bilinear pairing computations. Subsequently, several forward secure elliptic curve based protocols with public verifiability were proposed (Bala et al., 2013; Hwang et al., 2005; Hwang and Sung, 2011; Toorani and Shirazi, 2009; Xiang-Xu et al., 2005). Mohamed and Elkamchouchi (2009) proposed a forward secure signcryption scheme with public ciphertext authentication based on the ECDLP, without any pairing computations. Subsequently, similar constructions with forward secrecy and public ciphertext authentication were proposed (Iqbal and Afzal, 2013; Mohapatra, 2010). Recently, Chaudhry et al. (2016) designed an efficient e-commerce system using signcryption based on the ECDLP; however, the protocol lacks forward secrecy, as well as basic public verifiability.

1.2. Motivation

The intractability of private keys and ephemeral secrets in an algorithm can be reduced to the intractability of the underlying hardness assumptions. The security of all the previously discussed signcryption schemes depends on individual hardness assumptions. If an attacker successfully solves the hardness assumption, he can trivially compute the private keys of individual users in the system (Gutub et al., 2017). Elkamchouchi, Nasr and Ismail (2009) proposed a forward secure proxy signcryption scheme with public verifiability, based on a combination of hard problems, namely the Integer Factorization Problem (IFP) and the DLP in finite fields. However, the protocol was designed using a composite modulus comprising four primes, rendering it inefficient. The modulus size must be at least 4096 bits to resist factoring attacks by the elliptic curve method (Ciet et al., 2002; Hinek, 2008). Moreover, the protocol lacks ciphertext authentication; hence, the original message must be revealed to the external verifier for dispute redressal. In this paper, we propose a novel efficient signcryption scheme based on the Conic Based RSA (CBRSA) assumption, as well as the Conic Curve DLP (CCDLP), that ensures public verifiability, ciphertext authentication, ciphertext anonymity and forward secrecy, in addition to confidentiality, authenticity, non-repudiation and integrity. Each user has a pair of private keys corresponding to CBRSA and CCDLP, respectively. An encrypted ephemeral session key can only be retrieved by the authorized recipient in possession of both the private keys. Also, a valid signature can be created only by a user in possession of both the private keys. The probability that an adversary simultaneously solves two hardness assumptions is negligible; hence, the protocol offers better security. A comparison of the security attributes of the proposed scheme with the existing protocols in the literature is provided in Table 1. The proposed scheme is implemented on conic curves, which facilitate effective message encoding and decoding, as well as efficient point operations and inverses, when compared to elliptic curves. We derive theorems to substantiate the security of the proposed scheme against low exponent attacks prevalent in the original RSA cryptosystem.

Table 1
Comparison of the security attributes of the proposed scheme with other signcryption schemes in the literature.

| Scheme | Forward secrecy | Public verifiability | Ciphertext authentication | Ciphertext anonymity (†) | Public ciphertext authentication | Assumption |
|---|---|---|---|---|---|---|
| (Bao'98) | No | Yes | No | Yes | No | Gap-DH |
| (Gamage'99) | No | Yes | Yes | No | Yes | CDH |
| (Chow'03) | Yes | Yes | Yes | No | Yes | MDBDH |
| (Han'04) | Yes | Yes | Yes | Yes | No | ECDLP |
| (Hwang'05) | Yes | Yes | No | Yes | No | ECDLP |
| (Xiang-Xu'05) | No | Yes | No | Yes | No | ECDLP |
| (Xiang-Xu'05) | Yes | No | No | Yes | No | ECDLP |
| (Toorani'09) | Yes | Yes | No | Yes | No | ECDLP |
| (Elkam'09) | Yes | Yes | No | Yes | No | IFP, DLP |
| (Moham'09) | Yes | Yes | Yes | No | Yes | ECDLP |
| (Mohapat'10) | Yes | Yes | Yes | No | Yes | ECDLP |
| (Ahmed'10) | No | Yes | No | Yes | No | CDH |
| (Hwang'11) | Yes | Yes | No | Yes | No | CDH |
| (Bala'13) | Yes | Yes | No | Yes | No | ECDLP |
| (Iqbal'13) | Yes | Yes | Yes | No | Yes | ECDLP |
| (Chaudhry'16) | No | No | No | Yes | No | ECDLP |
| Our scheme | Yes | Yes | Yes | Yes | No | CBRSA, CCDLP |

† Ciphertext anonymity and public ciphertext authentication are mutually exclusive properties.


The proposed scheme is used to secure a B2C model e-commerce system. The reachability properties and correspondence assertions are validated using the automated software tool ProVerif.

The rest of the paper is organized as follows. Section 2 gives a brief introduction to conic curve cryptography. The proposed signcryption scheme is presented in Section 3. Section 4 provides the detailed security analysis. The efficiency of the scheme is evaluated in Section 5. Section 6 explores the applicability of the protocol in securing e-commerce systems. The proposed e-payment scheme is presented in Section 6.1. The security of the protocol against several attack scenarios is discussed in Section 6.2. A detailed numerical simulation of the proposed e-commerce application is provided in Section 6.3. The suitability of the ProVerif tool for protocol validation is discussed in Section 6.4. Section 7 provides the concluding remarks. The ProVerif code is included in the Appendix for reference.

2. Conic curve cryptography

The concept of conic curve cryptography was introduced by Cao (1998, 1999), after Zhang's (1996) proposal that conic curve groups over a finite field form an additive abelian group. Owing to the simplicity of the group operations, conic curve analogues of classical cryptosystems like RSA (Chen and Song, 2007; Bellini and Murru, 2016), Diffie-Hellman key exchange (Zheng Fu, 1998) and the ElGamal encryption scheme (Zhang et al., 2004), along with numerous signature schemes (Lin et al., 2009; Lu et al., 2005; Shi and Xiong, 2013; Song and Chen, 2009), have been formulated since then. Dai et al. (2001) proved that the DLP over a conic curve group can be reduced to the DLP over the multiplicative group of a finite field. Nonetheless, conic curve groups are still widely researched as a cryptographic tool, since they support effective message encoding and decoding, as well as efficient point operations and inverses.

2.1. Conic curve group over a finite field $F_p$

Let $F_p^*$ denote the multiplicative group of a finite field $F_p$ with order $p$, where $p$ is an odd prime. Then, $F_p = \{0, 1, \ldots, (p-1)\}$ and $F_p^* = F_p \setminus \{0\}$. The conic curve over an affine plane $A^2(F_p)$, denoted by $C_p(a,b)$, can be represented by the equation

$$C_p(a,b): \; y^2 \equiv ax^2 - bx \pmod p, \quad (a,b) \in F_p^* \qquad (1)$$

It is evident that the coordinates of the origin $O(0,0)$ satisfy Eq. (1). Substituting $y = xt$ in Eq. (1), for $x \neq 0$, we get

$$b = x(a - t^2), \quad (a,b) \in F_p^* \qquad (2)$$

If $a \neq t^2$, from Eq. (2) we get

$$x = b(a - t^2)^{-1}, \quad y = bt(a - t^2)^{-1} \qquad (3)$$

For any $t \in F_p$ such that $t^2 \neq a$, let $P(t)$ denote a point on $C_p(a,b)$ with coordinates $(x,y)$ satisfying Eq. (3). Then, the mapping $P: H \to C_p(a,b)$ denotes a bijection from the set $H = \{t \in F_p : t^2 \neq a\} \cup \{O\}$ to $C_p(a,b)$, where $t \neq O$ and $O = (0,0)$. $(\cdot)^{-1}$ denotes the multiplicative inverse. An addition operation $\oplus$ can be defined over the elements of the curve $C_p(a,b)$ using Eqs. (4) and (5).

$$\forall P(t) \in C_p(a,b),\; t \in H: \quad P(t) \oplus P(O) = P(O) \oplus P(t) = P(t) \qquad (4)$$

For every $P(t_1), P(t_2) \in C_p(a,b)$, $(t_1, t_2) \in H$ and $(t_1, t_2) \neq O$,

$$P(t_1) \oplus P(t_2) = P(t_3) \qquad (5)$$

$$t_3 = \begin{cases} (t_1 t_2 + a)(t_1 + t_2)^{-1} \pmod p, & (t_1 + t_2) \neq 0 \\ O, & (t_1 + t_2) = 0 \end{cases}$$

Apparently, $t_3 \in H$ and the addition operation $\oplus$ is commutative. Also, for any $P(t) \in C_p(a,b)$, the negative element can be defined by

$$-P(O) = P(O), \quad -P(t) = P(-t) \qquad (6)$$

Eqs. (4)–(6) suggest that the addition operation $\oplus$ over $C_p(a,b)$ is associative. Thus, $(C_p(a,b), \oplus, P(O))$ forms a finite abelian group, with cardinality $|C_p(a,b)| = p - \left(\frac{a}{p}\right)$, where $\left(\frac{a}{p}\right)$ denotes the Legendre symbol. Hence, $\forall P(t) \in C_p(a,b)$, $|C_p(a,b)| \, P(t) = P(O)$, and $k \cdot P(t)$ denotes the repeated addition of $P(t)$, $k$ times (also known as scalar multiplication). For a message $m \in H \setminus \{O\}$, the corresponding point on the curve $P(m) = (x_m, y_m)$ can be obtained by the message encoding formula $x_m = b(a - m^2)^{-1}$, $y_m = bm(a - m^2)^{-1}$. The message can be decoded from $P(m)$ using the equation $x_m^{-1} y_m \pmod p = m$.

2.2. Conic curve over a ring $Z_n$

Let $Z_n$ denote a residue class ring modulo $n$. The conic curve over $Z_n$ is represented by the congruence equation $C_n(a,b): y^2 \equiv ax^2 - bx \pmod n$, where $n = pq$, $(a,b) \in Z_n$ and $n$ is co-prime to both $a$ and $b$. Let $p$ and $q$ be large distinct odd primes such that $(p+1) = 2r$ and $(q+1) = 2s$. If $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = -1$, the cardinality $|C_n(a,b)|$ can be computed as $N_n = \mathrm{lcm}(|C_p(a,b)|, |C_q(a,b)|) = \mathrm{lcm}(2r, 2s) = 2rs$, where $\mathrm{lcm}(\cdot)$ symbolizes the function for calculating the least common multiple. Thus, given $P(t) \in C_n(a,b)$, $N_n P(t) = P(O)$. For more details, please refer to (Biao et al., 2009).

1. Let $e$ be a random number mutually prime to $N_n$. Calculate $d$ such that $ed \equiv 1 \pmod{N_n}$. For $P(m) \in C_n(a,b)$, let $P(c) = eP(m)$; then $dP(c) = edP(m) = P(m)$. The Conic Based RSA assumption states that, given $(P(c), e)$, no probabilistic polynomial time adversary can compute $P(m)$ such that $P(c) = eP(m)$ with non-negligible advantage. The intractability of the RSA assumption is based on the IFP.
2. The Conic Curve DLP (CCDLP) states that, given $P(m) \in C_n(a,b)$ and $P(c) = k \cdot P(m)$, no probabilistic polynomial time adversary can compute $k \in Z_{N_n}$ with non-negligible advantage.

3. Proposed forward secure signcryption scheme with ciphertext authentication

The proposed signcryption scheme is designed using a conic curve over $Z_n$, $n$ being a composite modulus that is hard to factor. All communicating entities decide on a security parameter $k$, which determines the size of the group elements and keys. For instance, in a cloud environment, the Cloud Service Provider (CSP) chooses the security parameter, as well as the curve parameters $a$ and $b$. This forms the system Public Parameters (PP). Table 2 depicts the notations used in the system. Assuming user A to be the sender and user B to be the intended recipient, the protocol is executed using four algorithms: $\mathrm{Extract}(A, PP) \to \{Pr_A, Pu_A\}$, $\mathrm{Extract}(B, PP) \to \{Pr_B, Pu_B\}$, $\mathrm{Signcrypt}(Pr_A, Pu_B, M) \to (c, s, \sigma)$ and $\mathrm{Unsigncrypt}(Pr_B, Pu_A, (c, s, \sigma)) \to M$.

Table 2
Explanation of the notations used in the system.

| Notation | Meaning |
|---|---|
| $hash(\cdot)$ | Secure hash function, $hash: \{0,1\}^* \to \{\{0,1\}^{l_1}, \{0,1\}^{l_2}\}$ |
| $\{E_{k_1}(\cdot), D_{k_1}(\cdot)\}$ | Symmetric encryption and decryption using key $k_1$ of length $l_1$, e.g., AES |
| $KH_{k_2}(\cdot)$ | Keyed hash function using the key $k_2$ of length $l_2$ |
| $PP = \{k, (a,b)\}$ | Public parameters = {Security parameter, Curve parameters} |
| $\{ID_A, ID_B\}$ | Identity of user A, user B |
| $\{Pr_A, Pu_A\}$ | {Private key, Public key} of user A |


3.1. Extract(A, PP)

User A computes $n_A = (p_A \cdot q_A)$ and $N_{n_A} = \mathrm{lcm}(|C_{p_A}(a,b)|, |C_{q_A}(a,b)|) = 2 \cdot \frac{(p_A + 1)}{2} \cdot \frac{(q_A + 1)}{2} = 2(r_A \cdot s_A)$, after choosing large secure distinct odd prime numbers $p_A$ and $q_A$.

1. User A chooses $x_A \in Z_{N_{n_A}}$ and computes $Y_A = x_A G_A \pmod{n_A}$, where $G_A$ is the base point of $C_{n_A}(a,b)$.
2. User A selects an integer $e_A$ which is co-prime to $N_{n_A}$ and computes $d_A$ such that $e_A d_A \equiv 1 \pmod{N_{n_A}}$.
3. User A's public parameters include $Pu_A = (n_A, G_A, Y_A, e_A)$ and the secret key is comprised of the tuple $Pr_A = (N_{n_A}, x_A, d_A)$.

Following the same procedure, user B generates the public parameters $Pu_B = (n_B, G_B, Y_B, e_B)$ and the corresponding secret key $Pr_B = (N_{n_B}, x_B, d_B)$. It is assumed that the public keys of all entities are certified by a trusted certificate authority.

3.2. Signcrypt($Pr_A$, $Pu_B$, $M$)

User A signcrypts the message $M$ as follows:

1. A random integer $v$ is chosen such that $v \in Z_{n_B}^*$.
2. Compute $\alpha \equiv vG_B \pmod{n_B}$; if $\alpha = 0$, return to step 1, otherwise determine $hash(\alpha) = (k_1, k_2)$.
3. Compute $c = E_{k_1}(P_B(M))$, where $P_B(M)$ denotes the mapping of the message $M$ to a point on $C_{n_B}(a,b)$.
4. Determine $r = KH_{k_2}(c \,\|\, ID_A \,\|\, ID_B)$, $s = v e_B Y_B \pmod{n_B}$ and $\sigma = d_A x_A^{-1} r \pmod{N_{n_A}}$.

User A conveys the ciphertext tuple $(c, s, \sigma)$ to user B.

3.3. Unsigncrypt($Pr_B$, $Pu_A$, $(c, s, \sigma)$)

The intended recipient (user B) unsigncrypts the ciphertext tuple $(c, s, \sigma)$ as follows:

1. Compute $d_B x_B^{-1} s = vG_B \pmod{n_B} = \alpha$.
2. Compute $hash(\alpha) = (k_1, k_2)$.
3. Decrypt $D_{k_1}(c) = P_B(M)$ and compute $KH_{k_2}(c \,\|\, ID_A \,\|\, ID_B) = r$.
4. Compute $e_A Y_A \sigma \pmod{n_A} = L_1$.
5. Verify if $rG_A \pmod{n_A} = L_1$. If the equality check succeeds, user B accepts $(c, s, \sigma)$ as a valid ciphertext and retrieves $M$ from $P_B(M)$ using the decoding algorithm; otherwise, the message is discarded.

3.4. Correctness of the protocol

During unsigncryption, user B computes $d_B x_B^{-1} s$ to retrieve the ephemeral session key $\alpha$. The computation yields $d_B x_B^{-1} s = v(d_B e_B)(x_B^{-1} x_B) G_B \pmod{n_B} = vG_B \pmod{n_B} = \alpha$. Only the intended recipient in possession of both the private key components $(d_B, x_B)$ can retrieve $\alpha$. For sender verification, the signature $\sigma$ must be verified using both the public keys $(e_A, Y_A)$ of the sender. User B performs the computation $e_A Y_A \sigma \pmod{n_A} = (e_A d_A)(x_A^{-1} x_A) \, rG_A \pmod{n_A} = rG_A \pmod{n_A} = L_1$.

4. Security analysis

In this section, we evaluate the security of the proposed scheme against several attack scenarios. Further, we show that the protocol can withstand low exponent attacks and common modulus attacks against the conic based RSA assumption. The security properties of the protocol, like ciphertext authentication, forward secrecy and ciphertext anonymity, are also substantiated in this section.

4.1. Direct attack against a legitimate user

An adversary can decrypt a signcrypted message only by accessing both the private keys of the receiver $(d_B, x_B)$. To compute the private keys from the corresponding public keys $(e_B, Y_B)$, the adversary must simultaneously solve the conic-based RSA assumption and the CCDLP. A possible method to solve the RSA assumption is by factorizing the public modulus $n_B$. To prevent integer factorization attacks, the randomly chosen component prime numbers $p_B$ and $q_B$ must be roughly of the same size, for instance 512 bits. Thus, the modulus size must be at least 1024 bits for security. Also, a masquerader cannot create the valid ciphertext component $\sigma$ without both the private keys of the sender.

4.1.1. Integer factorization attack

Assuming that an adversary has successfully solved the integer factorization problem to obtain the component primes $p_B$ and $q_B$, the attacker can further compute $N_{n_B} = \mathrm{lcm}((p_B + 1), (q_B + 1))$. Thus, the private key component $d_B$ corresponding to the public key $e_B$ can be obtained. The adversary attempts to retrieve the session key $\alpha$ using the known private key component. The computation $d_B s = v(d_B e_B) Y_B \pmod{n_B} = v x_B G_B \pmod{n_B} \neq vG_B \pmod{n_B} \neq \alpha$. Hence, the adversary cannot determine $\alpha$ as long as the second private key component $x_B$ is unknown. Similarly, while forging a ciphertext on behalf of user B, the signature component $\sigma$ will be malformed, since the adversary has no clue about $x_B^{-1}$.

4.1.2. Conic curve discrete logarithm attack

Assuming that an adversary has successfully solved the CCDLP assumption to obtain the private key component $x_B$ corresponding to the public key $Y_B$, the attacker attempts to decrypt the ciphertext component $s$. The computation $x_B^{-1} s = v(x_B^{-1} x_B) e_B G_B \pmod{n_B} = v e_B G_B \pmod{n_B} \neq vG_B \pmod{n_B} \neq \alpha$. Hence, the adversary cannot retrieve $\alpha$ as long as $d_B$ is unknown. Also, ciphertexts cannot be forged on behalf of user B without the knowledge of $d_B$.

4.2. Attacks against the conic based RSA assumption

Boneh and Venkatesan (1998) proved that breaking RSA might not be as hard as factoring, since the classical RSA cryptosystems were vulnerable to low exponent attacks. Low exponent attacks can be categorized into low public exponent attacks, such as Coppersmith's attack (Coppersmith, 1997) or Hastad's broadcast attack (Hastad, 1988), and low private exponent attacks, such as Wiener's attack (Boneh, 1999; Wiener, 1990). We note that conic based RSA is secure against the common modulus attack (Cao, 1999). Moreover, in the proposed scheme, each user computes a separate modulus; hence, there is no scope for such an attack. Biao et al. (2009) suggested the security of conic-based RSA against Hastad's attack. Further, it has been established that conic based RSA cryptosystems can withstand Coppersmith's attack (Cao, 1999; Dong et al., 2009). We give proofs to show that the proposed scheme is also secure against Wiener's attack.

Theorem 1 (Boneh, 1999; Wiener, 1990). Let $n = pq$ be an RSA modulus, where $p$ and $q$ are primes such that $q < p < 2q$. Let $d$ be the private exponent and $e$ be the corresponding public exponent, such that $ed = kN_n + 1$. Then, for $1 < d < \frac{1}{3} n^{1/4}$, $\left| \frac{e}{n} - \frac{k}{d} \right| < \frac{1}{2d^2}$. Hence, an adversary can efficiently compute $d$, given $(n, e)$.
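The conic-curve arithmetic of Sections 2.1–2.2 and the Extract/Signcrypt/Unsigncrypt algorithms of Sections 3.1–3.4, together with the external origin check of Section 4.4 and the partial-key computations of Sections 4.1.1–4.1.2, as an added Python example; this is not the paper's own code. The toy primes (37, 13 for user A; 157, 61 for user B), base points, private values, identities and message are constructed for the example. SHA-256 for $hash(\cdot)$, HMAC-SHA256 for $KH_{k_2}$, a SHA-256 keystream XOR standing in for $E_{k_1}/D_{k_1}$, and keeping each point of $C_n(a,b)$ as its CRT components $(t \bmod p, t \bmod q)$ so that the simulation stays total, are assumptions of the example rather than choices made in the paper.

```python
import hashlib
import hmac
from math import lcm

O = None  # the origin P(O) = (0, 0): identity of the conic curve group

# Section 2.1: group law on C_p(a,b): y^2 = a x^2 - b x (mod p), a point stored as t = y/x
def add_fp(t1, t2, a, p):
    if t1 is O or t2 is O:                      # Eq. (4): P(O) is the identity
        return t2 if t1 is O else t1
    s = (t1 + t2) % p
    return O if s == 0 else (t1 * t2 + a) * pow(s, -1, p) % p   # Eqs. (5) and (6)

def mul_fp(k, t, a, p):                         # k.P(t) by double-and-add
    acc = O
    while k:
        if k & 1:
            acc = add_fp(acc, t, a, p)
        t, k = add_fp(t, t, a, p), k >> 1
    return acc

def order_fp(a, p):                             # |C_p(a,b)| = p - (a/p), Euler's criterion
    return p - (1 if pow(a % p, (p - 1) // 2, p) == 1 else -1)

# Section 2.2: C_n(a,b) with n = pq, kept as CRT components (t mod p, t mod q). Parties only
# see t mod n; the split keeps points that are P(O) on one side only representable (assumption).
def mul_n(k, pt, a, p, q):
    return (mul_fp(k, pt[0], a, p), mul_fp(k, pt[1], a, q))

def encode(m, a, b, n):                         # P(m) = (b(a - m^2)^-1, b m (a - m^2)^-1) mod n
    inv = pow((a - m * m) % n, -1, n)
    return (b * inv % n, b * m * inv % n)

def decode(x, y, n):                            # m = x^-1 y (mod n)
    return pow(x, -1, n) * y % n

# Sections 3 and 4.4. SHA-256 for hash(.), HMAC-SHA256 for KH, and a SHA-256 keystream XOR
# standing in for E_k1/D_k1 are assumptions of this example, not choices made by the paper.
def kdf(alpha):                                 # hash(alpha) = (k1, k2)
    h = hashlib.sha256(repr(alpha).encode()).digest()
    return h[:16], h[16:]

def stream_xor(k1, data):                       # E_k1 and D_k1 (same operation)
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(k1 + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)

def kh(k2, c, id_a, id_b):                      # r = KH_k2(c || ID_A || ID_B) as a scalar
    return int.from_bytes(hmac.new(k2, c + id_a + id_b, hashlib.sha256).digest(), "big")

def extract(p, q, x, e, g, a):                  # Section 3.1 (p = 2r-1, q = 2s-1, (a/p) = (a/q) = -1)
    N = lcm(order_fp(a, p), order_fp(a, q))     # N_n = lcm(|C_p|, |C_q|) = 2rs
    G = (g % p, g % q)                          # base point G, given by its parameter t = g
    pub = {"n": p * q, "G": G, "Y": mul_n(x, G, a, p, q), "e": e, "sim": (p, q)}
    return {"N": N, "x": x, "d": pow(e, -1, N)}, pub   # Pr = (N_n, x, d) with e d = 1 (mod N_n)

def signcrypt(priv_a, pub_b, m, id_a, id_b, v, a, b):   # Section 3.2; v fresh and random per message
    p, q = pub_b["sim"]
    alpha = mul_n(v, pub_b["G"], a, p, q)                  # alpha = v G_B
    k1, k2 = kdf(alpha)
    x, y = encode(m, a, b, pub_b["n"])                     # P_B(M)
    c = stream_xor(k1, f"{x},{y}".encode())                # c = E_k1(P_B(M))
    r = kh(k2, c, id_a, id_b)
    s = mul_n(v * pub_b["e"], pub_b["Y"], a, p, q)         # s = v e_B Y_B
    sigma = priv_a["d"] * pow(priv_a["x"], -1, priv_a["N"]) * r % priv_a["N"]   # d_A x_A^-1 r
    return c, s, sigma

def verify_origin(pub_a, c, k2, sigma, id_a, id_b, a):   # Section 4.4: judge needs only (c, k2, sigma)
    p, q = pub_a["sim"]
    r = kh(k2, c, id_a, id_b)
    return mul_n(r, pub_a["G"], a, p, q) == mul_n(pub_a["e"] * sigma, pub_a["Y"], a, p, q)

def unsigncrypt(priv_b, pub_b, pub_a, ct, id_a, id_b, a):   # Section 3.3; None if the check fails
    c, s, sigma = ct
    p, q = pub_b["sim"]
    alpha = mul_n(priv_b["d"] * pow(priv_b["x"], -1, priv_b["N"]), s, a, p, q)   # d_B x_B^-1 s
    k1, k2 = kdf(alpha)
    if not verify_origin(pub_a, c, k2, sigma, id_a, id_b, a):
        return None
    x, y = map(int, stream_xor(k1, c).decode().split(","))   # D_k1(c) = P_B(M)
    return decode(x, y, pub_b["n"])

def demo(v=123, m=1000):   # constructed toy run; a = 2 is a non-residue mod 13, 37, 61 and 157
    a, b, ids = 2, 3, (b"userA", b"userB")
    priv_a, pub_a = extract(37, 13, 5, 3, 3, a)      # n_A = 481,  N_nA = lcm(38, 14) = 266
    priv_b, pub_b = extract(157, 61, 17, 7, 5, a)    # n_B = 9577, N_nB = lcm(158, 62) = 4898
    c, s, sigma = signcrypt(priv_a, pub_b, m, *ids, v, a, b)
    p, q = pub_b["sim"]
    alpha = mul_n(v, pub_b["G"], a, p, q)
    only_d = mul_n(priv_b["d"], s, a, p, q)                        # Section 4.1.1: v x_B G_B
    only_x = mul_n(pow(priv_b["x"], -1, priv_b["N"]), s, a, p, q)  # Section 4.1.2: v e_B G_B
    return {"recovered": unsigncrypt(priv_b, pub_b, pub_a, (c, s, sigma), *ids, a),
            "judge_accepts": verify_origin(pub_a, c, kdf(alpha)[1], sigma, *ids, a),
            "d_only_gets_alpha": only_d == alpha, "x_only_gets_alpha": only_x == alpha}
```

`demo()` returns the message recovered by user B, the verdict of an external judge who sees only $(c, k_2, \sigma)$ and $Pu_A$, and whether holding only $d_B$ or only $x_B$ yields $\alpha$ from $s$. The two partial computations differ from $\alpha$ for the constructed $v$, which makes the argument of Section 4.1 concrete at toy size; it is an illustration, not a proof. Scalars such as $r$ are never reduced before multiplication because every point order divides $N_n$, which is why $\sigma$ can be reduced modulo $N_{n_A}$ by the sender while the verifier works with $e_A \sigma$ directly.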


Theorem 2. Let $n = pq$ be the conic-based RSA modulus, where $p$ and $q$ are primes such that $q < p < 2q$ and $N_n = \mathrm{lcm}((p+1), (q+1))$. Let $d$ be the private exponent and $e$ be the corresponding public exponent, such that $ed = k \cdot N_n + 1$. Then, for $1 < d < \frac{1}{3} n^{1/4}$, the proposed scheme remains secure against low private key exponent attacks, given $(n, e)$.

Proof. In the proposed scheme, we consider $(p+1) = 2r$ and $(q+1) = 2s$, where $r, s$ are two prime numbers; then $N_n = \mathrm{lcm}(2r, 2s) = 2rs = \frac{(p+1)(q+1)}{2}$. The equation $ed = k \cdot N_n + 1$ implies $kN_n < ed$. For $1 < e < N_n$, the inequality $kN_n < ed$ holds if and only if $k < d$. Given $q < p < 2q$, we know that $n = pq > q^2$. Hence, $q < \sqrt{n}$, $p < 2\sqrt{n}$ and $p + q < 3\sqrt{n}$. Consider the quantity $\left| \frac{e}{n} - \frac{k}{d} \right|$; it yields the following:

$$\left| \frac{e}{n} - \frac{k}{d} \right| = \left| \frac{ed - kn}{nd} \right| = \left| \frac{(1 + kN_n) - kn}{nd} \right| = \left| \frac{1 + k\frac{(p+1)(q+1)}{2} - kn}{nd} \right|$$

$$= \left| \frac{2 + k(pq + p + q + 1) - 2kn}{2nd} \right|$$

$$= \left| \frac{2 + k(n + p + q + 1) - 2kn}{2nd} \right| = \left| \frac{2 + k(p + q + 1) - kn}{2nd} \right|$$

$$= \left| \frac{k(n - (p + q + 1)) - 2}{2nd} \right|$$

To prove that the system is secure, we show that Eq. (7) does not hold.

$$\left| \frac{k(n - (p + q + 1)) - 2}{2nd} \right| < \frac{1}{2d^2} \qquad (7)$$

We use proof by contradiction. Let (7) be true; then $dk(n - (p + q + 1)) - 2d < n$, which implies $dk(n - (p + q + 1)) < n + 2d$. For $k \geq 1$ and $d \geq 2$, $2(n - (p + q + 1)) < n + 2d$, which yields $n < 2(p + q + 1) + 2d < 2(3\sqrt{n} + 1) + 2d$, since $p + q < 3\sqrt{n}$. Given $d < \frac{1}{3} n^{1/4}$, hence $n < 2(3\sqrt{n} + 1) + 2d < 2\left(3\sqrt{n} + 1 + \frac{1}{3} n^{1/4}\right)$.

$$n < 2\left(3\sqrt{n} + 1 + \frac{1}{3} n^{1/4}\right) \qquad (8)$$

Dividing the LHS and RHS of Eq. (8) by $\sqrt{n}$, we get $\sqrt{n} < 2\left(3 + \frac{1}{\sqrt{n}} + \frac{1}{3 n^{1/4}}\right)$. But we know that $q < \sqrt{n}$. Therefore, $q < 2\left(3 + \frac{1}{\sqrt{n}} + \frac{1}{3 n^{1/4}}\right)$. Thus, the inequality (7) holds if and only if $q < 7$. Hence, we have proved that the system remains secure against low private key exponent attacks when $q > 7$. □

4.3. Forward secrecy

Assume that an adversary has obtained the private key components $(x_A, d_A, N_{n_A})$ of the sender A. Nevertheless, the attacker cannot recover any of the messages previously signcrypted by the compromised user A from the stored tuple $(c, s, \sigma)$. To decrypt the ciphertext component $c$ containing the original message, the attacker must retrieve the ephemeral session key $v$. The session key cannot be gleaned from $s$ without the knowledge of both the private keys of the intended recipient.

4.4. Ciphertext authentication and anonymity

In case of a dispute regarding the message authenticity, the receiver must provide the tuple $(c, k_2, \sigma)$ to the external verifier. The verifier validates the message origin as follows:

1. Compute $KH_{k_2}(c \,\|\, ID_A \,\|\, ID_B) = r$.
2. Compute $e_A Y_A \sigma \pmod{n_A} = L_1$.

Verify if $rG_A \pmod{n_A} = L_1$. If the equality check succeeds, then the message authenticity is verified. Evidently, the original message need not be revealed to an external entity for dispute redressal. The protocol offers ciphertext anonymity, since it is impossible to determine the sender from the ciphertext tuple $(c, s, \sigma)$.

5. Efficiency analysis

There are two major mathematical structures for implementing cyclic groups: finite fields and elliptic curves. Protocols implemented on prime finite fields $(F_p)$ are based on the intractability of the DLP. Owing to the existence of sub-exponential discrete log algorithms like index calculus, the field sizes must be at least 3072 bits for attaining a 128 bit security level. This inadvertently increases the storage, communication and computation overheads of algorithms implemented in $F_p$. Algorithms based on the multiplicative subgroups of a residue class ring $Z_n$ ($n$ being the product of two large prime numbers) depend on the hardness of the IFP. A well-known example is the RSA cryptosystem based on the RSA assumption. There are several known algorithms used to solve the IFP, like the Number Field Sieve (NFS) and the Quadratic Sieve (QS). Hence, the NIST recommended factoring modulus ($n$) size for RSA is 3072 bits. Elliptic curve cryptosystems implemented on groups of points on an elliptic curve over a finite field $E(F_p)$ depend on the intractability of the ECDLP. Encouragingly, the fastest known discrete log algorithms for solving the ECDLP (i.e., the Pollard rho and lambda methods) incur exponential time complexity (Lynn, 2007). Hence, the security of a 256 bit elliptic curve group is roughly equivalent to a 3072 bit finite field (Barker, 2016). This leads to efficient protocols with reduced storage and computation overheads. Elliptic curve cryptography is being widely researched, and over the years dedicated elliptic curve cryptographic co-processors have been designed to speed up elliptic curve scalar multiplications (Ghouti et al., 2013, 2012; Gutub, 2010, 2006, 2005) and inverses (Gutub, 2007; Gutub and Ferreira, 2004).

However, for designing cryptosystems based on the intractability of both the IFP and the DLP, neither $Z_n$ nor $E(Z_n)$ provides a suitable algebraic structure with the desired security. As noted by Biao et al. (2009), the classical RSA cryptosystem over $Z_n$ has homomorphism and is vulnerable to low exponent attacks. The elliptic curve analogs of the RSA signature, implemented on $E(Z_n)$ (Demytko, 1994; Koyama et al., 1991), are vulnerable to the Hastad broadcast attack (Kurosawa et al., 1995) and the Wiener attack (Pinch, 1995). Studies have proven that the implementation of IFP based cryptosystems on $E(Z_n)$ requires the existence of points with order $N_n = \mathrm{lcm}(|E(F_p)|, |E(F_q)|)$ (Wen-yu and Qi, 2005). However, this requirement is not attainable in general elliptic curves over $Z_n$. As illustrated in Section 4.2, the conic based RSA assumption offers resistance to low exponent attacks and common modulus attacks. Further, the computation complexity of the cryptosystems on $C(Z_n)$ is lower than that of cryptosystems implemented on $E(Z_n)$. In this regard, the conic curve over $Z_n$ ideally provides an efficient and secure algebraic structure for the realization of a signcryption scheme based on both the IFP and the DLP.

Table 3 compares the computation complexity of each scheme during signcryption, unsigncryption and verification. The proposed scheme is efficient when compared to the signcryption schemes based on the DLP over $F_p$ and the ECDLP. This is due to the fact that the proposed scheme does not involve expensive pairing computations, group exponentiations or comparatively expensive elliptic curve point operations (Dai et al., 2001; Lin et al., 2009). Further, conic curves offer efficient message encoding and decoding. The time complexity of the proposed scheme is mainly attributed by

Please cite this article in press as: Daniel, R.M., et al. A forward secure signcryption scheme with ciphertext authentication for e-payment systems using
conic curve cryptography. Journal of King Saud University – Computer and Information Sciences (2018), https://doi.org/10.1016/j.jksuci.2018.02.004
6 R.M. Daniel et al. / Journal of King Saud University – Computer and Information Sciences xxx (2018) xxx–xxx

Table 3
Comparison of the computation overhead, storage overhead and the underlying group structure in the proposed scheme, with other signcryption schemes.

Scheme | Computation overhead: Signcryption | Unsigncryption | Verification | Storage overhead: Ciphertext size | Verification component size | Implemented on
(Bao'98) | 2Exp + 1mM | 3Exp + 1M | 2Exp + 1M | 128j, 2Z_p | {0,1}^*, 2Z_p | F_p
(Gamage'99) | 2Exp + 1mM | 3Exp + 1M | 2Exp + 1M | 128j, 2Z_p | 128j, 2Z_p | F_p
(Chow'03) | 2SM + 2Pair | 1SM + 4Pair + 2M | 1M + 2Pair + 1Exp | 1G1, 128j, 1Z_p | 1G1, 128j, 1Z_p | E(F_p)
(Han'04) | 2SM + 1mM | 3SM + 2mM + 1PA | 2SM + 2mM + 1PA | 1G1, 128j, 1Z_p | 1G1, 128j, 1Z_p | E(F_p)
(Hwang'05) | 2SM + 1mM | 3SM + 1PA | 2SM + 1PA | 1G1, 128j, 1Z_p | 1G1, {0,1}^*, 1Z_p | E(F_p)
(Xiang-Xu'05) | 2SM + 1mM | 3SM + 1PA | 2SM + 1PA | 128j, 2Z_p | {0,1}^*, 2Z_p | E(F_p)
(Xiang-Xu'05) | 2SM + 1mM | 1SM + 1PA + 1mM | N/A | 1G1, 128j, 1Z_p | N/A | E(F_p)
(Toorani'09) | 2SM + 1mM | 4SM + 2PA | 2SM + 1PA | 1G1, 128j, 1Z_p | l1, 1G1, 128j, 1Z_p, {0,1}^* | E(F_p)
(Elkam'09) | 2Exp + 1M + 1mM | 4Exp + 3M | 2Exp + 1M | 128j, 2Z_p | {0,1}^*, 2Z_p | Z_n
(Moham'09) | 3SM + 1mM | 3SM + 1PA | 2SM + 1PA | 1G1, 128j, 1Z_p | 1G1, 128j, 1Z_p | E(F_p)
(Mohapat'10) | 3SM + 1mM | 3PM + 1PA | 2SM + 1PA | 1G1, 128j, 1Z_p | 1G1, 128j, 1Z_p | E(F_p)
(Ahmed'10) | 2Exp + 1M + 1mM | 2Exp + 2M | 1Exp + 2M + 1mM | 128j, 2Z_p | 1G1, 128j, 2Z_p | F_p
(Hwang'11) | 3Exp + 1mM | 2Exp + 1M | 3Exp + 1M | 1G1, 128j, 1Z_p | 128j, 2Z_p | F_p
(Bala'13) | 2SM + 1mM | 2SM + 1PA + 1mM | 2SM + 1PA | 1G1, 128j, 1Z_p | 2G1, 128j, 1Z_p | E(F_p)
(Iqbal'13) | 2SM + 1mM | 3SM + 1PA | 2SM + 1PA | 1G1, 128j, 1Z_p | 1G1, 128j, 1Z_p | E(F_p)
(Chaudhry'16) | 1SM + 1mM | 2SM + 1PA | N/A | 128j, 1Z_p | N/A | E(F_p)
Our Scheme | 2SM + 1mM | 3SM | 2SM | 128j, 2Z_p | 128j, 1Z_p, l2 | C(Z_n)

Exp - Exponentiation, mM - Modular multiplication, M - Multiplication of group elements, SM - Scalar multiplication, Pair - Bilinear pairing, PA - Point addition, N/A - Does not support the public verifiability property. j - number of blocks in the AES cipher, {0,1}^* - message size, l1 - length of key k1, l2 - length of key k2. F_p - Finite field, E(F_p) - Elliptic curve over F_p, Z_n - residue class ring, C(Z_n) - Conic curve over Z_n.

simple conic curve scalar multiplications and modular multiplications. Experimental simulations suggest that the execution time of conic curve scalar multiplications and inverses is negligible (Li and Li, 2013). The computation cost of inexpensive hash functions, as well as symmetric message encryption and decryption, is not considered for comparison. The proposed scheme is efficient in terms of space complexity, since the ciphertext does not contain conic curve group elements. Compared to similar schemes in the literature that support ciphertext authentication, the size of the verification components required for dispute resolution by an external verifier is minimized, increasing storage and communication efficiency.

6. Application of the proposed scheme in a cloud based e-commerce system

Electronic commerce, which facilitates business trading via the internet, is a pedestal for market-savvy companies to retain their competitive edge and also to improve their revenue. The fundamental dynamics that prompt customer decision-making in the online world are customer experience, availability, trust and security. Manufacturers and wholesalers are striving to offer greater flexibility of choice, transparency, best price and dynamic scalability to sustain their ever increasing customer base. Naturally, cloud computing proves to be an open platter of benefits to marketing giants as well as new entrants. Cloud-related services relieve companies of capital and operational costs, and offer data management, scalability and rapid service delivery. As B2C and B2B models are gaining leverage through the cloud, a critical area of concern is the security of e-payments.

A basic e-payment model using blind signatures was suggested by Chaum (1983); subsequently, numerous other e-payment frameworks were introduced (Chen et al., 2014; Eslami and Talebi, 2011; Lysyanskaya and Ramzan, 1998; Yen et al., 2012; Zhang et al., 2011). However, as noted by Yang, Chang and Chen (2013), the signature schemes in the existing e-payment systems could not preserve ciphertext anonymity. They proposed an efficient authenticated encryption scheme with ciphertext anonymity, confidentiality and integrity. Further, the protocol was used to design an e-payment system with security against replay attacks, double spending, server spoofing and impersonation attacks. Recently, Chaudhry et al. (2016) proved that the system is vulnerable to impersonation attacks. Chaudhry et al. improved the scheme to ensure all the security properties claimed by Yang, Chang and Chen. Nevertheless, we found that Chaudhry et al.'s e-payment system lacks forward secrecy and public verifiability. This implies that if the sender's private keys are compromised, all the previously encrypted messages can be retrieved. Another major concern is that, for dispute redressal, the receiver has to produce his private keys to the external verifier. Inevitably, the receiver must renew his keys and publish the new public parameters after each dispute resolution. We propose an e-payment system that ensures fair exchange, customer anonymity, forward secrecy and dispute resolution by ciphertext authentication. Further, we prove that the system also provides resistance to impersonation attacks, replay attacks, double spending and server spoofing. The security of the protocol is validated by ProVerif. The ProVerif code is included in the Appendix for reference.

6.1. System design

For the system design, we adopt the workflow of the Yang et al. (2013) e-payment scheme. The protocol includes a set-up phase, buying phase, payment phase, exchange phase and transferring phase.

6.1.1. System set-up phase

In this phase the curve parameters and security parameters are determined. Further, the hash function $hash: \{0,1\}^* \to \{\{0,1\}^{l_1}, \{0,1\}^{l_2}\}$ is defined, such that $l_1$ denotes the length of the key $k_1$ for the symmetric encryption/decryption functions $\{E_{k_1}(\cdot), D_{k_1}(\cdot)\}$ and $l_2$ denotes the length of the key $k_2$ for the keyed hash function $KH_{k_2}(\cdot)$. A hash function $H_1: \{0,1\}^* \to \{0,1\}^L$ is also defined, where $L$ denotes the length of the order information. The communicating entities Customer, Merchant and Bank separately execute the key extraction algorithm in Section 3.1 to derive their public-private key pairs. Each entity's public parameters will be of the form $Pu_i = (n_i, G_i, Y_i, e_i)$ and its private key will be denoted as $Pr_i = (x_i, d_i, N_{n_i})$. Also, $Y_i = x_i G_i \pmod{n_i}$ and


$e_i d_i \pmod{N_{n_i}} \equiv 1$. $P_i(M)$ denotes the encoding of the message $M$ on the curve $C_{n_i}(a,b)$. The identity of an entity $i$ is denoted as $ID_i$. Fig. 1 illustrates the workflow of the system.

6.1.2. Buying phase

The buying phase is initiated when a customer selects some electronic goods. The Customer obtains the Goods Information (GI) and the price of each item $(price_i)$ from the Merchant's website. Then the Customer generates the payment directive to be sent to the Bank, using the following steps:

1. A random integer $v_1$ is chosen, such that $v_1 \in Z_{n_B}$.
2. Compute $a_1 \equiv v_1 G_B \pmod{n_B}$; if $a_1 = 0$, return to step 1, else determine $hash(a_1) = (k_1, k_2)$.
3. Compute the aggregate price $P = \sum price_i$ and generate the order information $OI = H_1(GI \| P \| ID_B)$. The message to the Bank is $M_1 = (ID_C \| OI \| P \| k_1 \| T_1)$, where $T_1$ denotes the current time stamp.
4. Compute $c_1 = E_{k_1}(P_B(M_1))$, $r_1 = KH_{k_2}(c_1 \| ID_C \| ID_B)$, $s_1 = v_1 e_B Y_B \pmod{n_B}$ and $\tau_1 = d_C x_C^{-1} r_1 \pmod{N_{n_C}}$.
5. The tuple $(c_1, s_1, \tau_1, T_1)$ will be sent to the Bank.

The tuple $(c_1, s_1, \tau_1, T_1)$ is referred to as the payment directive, which specifies the amount to be transferred to the Merchant.

6.1.3. Payment phase

On receiving the encrypted payment directive $(c_1, s_1, \tau_1, T_1)$ from the Customer, the Bank unsigncrypts the ciphertext as follows:

1. $Unsigncrypt(Pr_B, Pu_C, (c_1, s_1, \tau_1)) \to M_1$
2. Obtain $M_1 = (ID_C \| OI \| P \| k_1 \| T_1)$. The Bank proceeds if and only if $k_1$ and $T_1$ can be verified.

Following successful unsigncryption, the Bank deducts the amount $P$ from the corresponding Customer's account and transfers it to a temporary account. Further, an expiry period $Exp$ is chosen by the Bank. The Bank creates a digital signature $DS$ for the data $\{OI \| Exp\}$, using a conic curve digital signature algorithm as in Lu et al. (2000). The message to the Customer will be $M_2 = DS \| Exp \| k_1 \| T_2$.

Fig. 1. Workflow in the proposed e-payment system. $(Pr_i, Pu_i)$ denotes the public-private key pair of entity $i$.
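The following Python program is an added example, not the paper's code: it runs the buying-phase signcryption (steps 1-4) and the Bank's unsigncryption and signature check with the toy parameters of Table 4, using the Bank's key pair as the recipient and, since its key pair is also listed there, the Merchant's key pair as the signer. It assumes the parameter form of the conic group law, $P(t_1) + P(t_2) = P((t_1 t_2 + a)/(t_1 + t_2))$ with $P(-t)$ the inverse of $P(t)$, keeps points as CRT pairs so that the toy moduli stay exact, and substitutes SHA-256, HMAC, a hash keystream and raw bytes for the paper's $hash$, $KH$, AES and the encoding $P_i(M)$ (all stand-ins).

```python
import hashlib
import hmac
from math import lcm

O = None  # identity of a prime-field component (parameter t = infinity)


def _add(t1, t2, a, p):
    """Group law on C_p(a,b) in the parameter t: P(t1)+P(t2) = P((t1 t2 + a)/(t1 + t2))."""
    if t1 is O or t2 is O:
        return t2 if t1 is O else t1
    den = (t1 + t2) % p
    return O if den == 0 else (t1 * t2 + a) * pow(den, -1, p) % p  # P(t) + P(-t) = O


class Conic:
    """C_n(a,b): y^2 = a x^2 + b x over Z_n, n = p q.  A point is the pair (t mod p, t mod q),
    which keeps toy-sized parameters exact; b does not enter the parameter law."""
    def __init__(self, p, q, a):
        self.p, self.q, self.a, self.n = p, q, a, p * q
        # |C_r(a,b)| = r + 1 if a is a quadratic non-residue mod r, else r - 1 (Euler's criterion)
        order = lambda r: r + 1 if pow(a, (r - 1) // 2, r) == r - 1 else r - 1
        self.N = lcm(order(p), order(q))  # N_n = lcm(|C_p|, |C_q|)
    def point(self, t):
        return (t % self.p, t % self.q)
    def add(self, P1, P2):
        return (_add(P1[0], P2[0], self.a, self.p), _add(P1[1], P2[1], self.a, self.q))
    def mul(self, k, P):
        """k * P by double-and-add."""
        R, Q = (O, O), P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q, k = self.add(Q, Q), k >> 1
        return R
    def t(self, P):
        """CRT recombination to the parameter t in Z_n (None if a component is O)."""
        if O in P:
            return None
        tp, tq = P
        return (tp + self.p * ((tq - tp) * pow(self.p, -1, self.q) % self.q)) % self.n


def keygen(curve, G, x, e):
    """Section 6.1.1 key pair for chosen x, e: public (Y = xG, e), private (x, d = e^-1 mod N_n, N_n)."""
    return (curve.mul(x, G), e), (x, pow(e, -1, curve.N), curve.N)


def derive_keys(curve, A):
    """hash(a) -> (k1, k2): SHA-256 of the parameter t split in two (stand-in for the paper's hash)."""
    h = hashlib.sha256(str(curve.t(A)).encode()).digest()
    return h[:16], h[16:]


def xor_stream(k1, data):
    """Stand-in for E_k1 / D_k1 (the paper uses AES): XOR with a SHA-256-derived keystream."""
    ks = b"".join(hashlib.sha256(k1 + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))


def keyed_hash(k2, c, ids):
    """KH_k2(c || ID_sender || ID_receiver) as an integer (HMAC-SHA256 stand-in)."""
    return int.from_bytes(hmac.new(k2, c + ids, "sha256").digest(), "big")


def signcrypt(rcurve, rG, rpub, scurve, spriv, v, msg, ids):
    """Buying phase, steps 1-4: signcrypt msg for the recipient (Y, e) on rcurve."""
    rY, re = rpub
    a1 = rcurve.mul(v, rG)                 # a1 = v G_B (mod n_B)
    k1, k2 = derive_keys(rcurve, a1)       # hash(a1) = (k1, k2)
    c1 = xor_stream(k1, msg)               # c1 = E_k1(M1)
    r1 = keyed_hash(k2, c1, ids)           # r1 = KH_k2(c1 || ID_C || ID_B)
    s1 = rcurve.mul(v * re, rY)            # s1 = v e_B Y_B (mod n_B)
    x, d, N = spriv
    tau1 = d * pow(x, -1, N) * r1 % N      # tau1 = d_C x_C^-1 r1 (mod N_nC)
    return c1, s1, tau1


def recover_session_point(rcurve, rpriv, s1):
    """Payment phase: d_B x_B^-1 s1 = d_B x_B^-1 v e_B x_B G_B = v G_B = a1."""
    x, d, N = rpriv
    return rcurve.mul(d * pow(x, -1, N) % N, s1)


def unsigncrypt(rcurve, rpriv, scurve, sG, spub, ct, ids):
    """Payment phase: M1 if the signature check e_C tau1 Y_C = r1 G_C passes, else None."""
    c1, s1, tau1 = ct
    a1 = recover_session_point(rcurve, rpriv, s1)
    k1, k2 = derive_keys(rcurve, a1)
    msg = xor_stream(k1, c1)               # M1 = D_k1(c1)
    r1 = keyed_hash(k2, c1, ids)           # recomputed from c1, so a tampered c1 also fails
    sY, se = spub
    if scurve.mul(se * tau1, sY) != scurve.mul(r1, sG):
        return None
    return msg


def run_payment_directive():
    """Table 4 toy parameters: Bank as recipient, the Merchant's key pair standing in as the signer."""
    bank, signer = Conic(5, 13, 2), Conic(11, 13, 2)       # n_B = 65, n = 143, a = 2
    GB, GS = bank.point(3), signer.point(4)
    bank_pub, bank_priv = keygen(bank, GB, 19, 5)           # Y_B = P(58), N = 42, d_B = 17
    sig_pub, sig_priv = keygen(signer, GS, 25, 11)          # Y = P(70), N = 84, d = 23
    ids, msg = b"IDC" + b"IDB", b"IDC|OI|P=42|k1|T1=1255"  # constructed stand-in for M1
    ct = signcrypt(bank, GB, bank_pub, signer, sig_priv, 10, msg, ids)  # v1 = 10 as in 6.3.2
    return unsigncrypt(bank, bank_priv, signer, GS, sig_pub, ct, ids) == msg
```

With cryptographic-size $p$, $q$ the same computation is carried out directly in $Z_n$ by parties who do not know the factors; a non-invertible denominator then occurs only with negligible probability, whereas with the toy moduli above it would happen routinely, which is why the example works on CRT pairs.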


Finally, the Bank computes $c_2 = E_{k_1}(P_C(M_2))$ and $r_2 = KH_{k_2}(c_2 \| ID_B \| ID_C)$ using the same session key $(k_1, k_2)$ and sends the tuple $(c_2, r_2, T_2)$ to the Customer. The Bank stores the data $\{OI \| Exp, DS\}$ in its repository.

6.1.4. Exchange phase

On receiving the ciphertext tuple $(c_2, r_2, T_2)$, the Customer unsigncrypts as follows:

1. Decrypt $D_{k_1}(c_2) = P_C(M_2)$ and check if $KH_{k_2}(c_2 \| ID_B \| ID_C) = r_2$.
2. Obtain $M_2 = (DS \| Exp \| k_1 \| T_2)$. The Customer proceeds if and only if $k_1$, $T_2$ and $r_2$ can be cross-verified.

After verification, the Customer obtains $DS$ and $Exp$ and creates the payment voucher to be transferred to the Merchant as follows:

1. A random integer $v_2$ is chosen, such that $v_2 \in Z_{n_M}$.
2. Compute $a_2 \equiv v_2 G_M \pmod{n_M}$; if $a_2 = 0$, return to step 1, else determine $hash(a_2) = (k_1', k_2')$.
3. The message to the Merchant is $M_3 = (ID_B \| DS \| Exp \| GI \| k_1' \| T_3)$, where $T_3$ denotes the current time stamp.
4. Compute $c_3 = E_{k_1'}(P_M(M_3))$, $r_3 = KH_{k_2'}(c_3 \| ID_C \| ID_M)$, $s_3 = v_2 e_M Y_M \pmod{n_M}$, as well as $\tau_3 = d_C x_C^{-1} r_3 \pmod{N_{n_C}}$.
5. The tuple $(c_3, s_3, \tau_3, T_3)$ will be sent to the Merchant.

The Merchant, on obtaining the tuple $(c_3, s_3, \tau_3, T_3)$, unsigncrypts the ciphertext as follows:

1. $Unsigncrypt(Pr_M, Pu_C, (c_3, s_3, \tau_3)) \to M_3$
2. Obtain $M_3 = (ID_B \| DS \| Exp \| GI \| k_1' \| T_3)$. The Merchant proceeds if and only if $k_1'$ and $T_3$ are cross-verified.

The Merchant then computes $P = \sum price_i$, $OI = H_1(GI \| P \| ID_B)$, and calculates $OI \| Exp$. It verifies the signature $DS$ using the Bank's public keys. If the signature is valid, the Merchant sends the encrypted goods $M_4 = (ID_M \| GI \| Goods \| k_1' \| T_4)$ to the Customer: it computes $c_4 = E_{k_1'}(P_C(M_4))$ and $r_4 = KH_{k_2'}(c_4 \| ID_M \| ID_C)$, using the shared session key $(k_1', k_2')$, and sends the tuple $(c_4, r_4, T_4)$ to the Customer.

6.1.5. Transferring phase

The Customer acquires the goods from the Merchant by the following steps:

1. Decrypt $D_{k_1'}(c_4) = P_C(M_4)$ and check if $KH_{k_2'}(c_4 \| ID_M \| ID_C) = r_4$.
2. Obtain $M_4 = (ID_M \| GI \| Goods \| k_1' \| T_4)$. The Customer proceeds if and only if $k_1'$, $T_4$ and $r_4$ can be cross-verified.

If the Customer fails to receive the electronic goods, he requests the Bank to decline payment. Then, the Bank transfers the money in the temporary account back to the Customer's account. Otherwise, the Merchant forwards the digital signature $DS$ as payment proof to the Bank before the expiry period. The Bank transfers the amount from the temporary account to the Merchant's account and deletes the stored tuple $\{OI \| Exp, DS\}$ after the expiry period.

6.2. Security against common attacks

In this section, we show that the e-payment system remains secure against replay attacks, man-in-the-middle attacks, impersonation attacks, double spending and server spoofing. We assume that an adversary has access to the communication channel and can intercept or modify messages.

6.2.1. Replay attack

Assume that an adversary intercepts the tuple $(c_1, s_1, \tau_1, T_1)$ transferred to the Bank by the Customer. If the tuple is used for a replay attack at a later time period, the Bank detects it from the value of $T_1$. If the signature $\tau_1$ is inserted into another ciphertext tuple $(c, s, \tau, T)$, the function $Unsigncrypt(Pr_B, Pu_C, (c, s, \tau_1))$ will fail.

6.2.2. Man-in-the-middle attack

Assume that the message $(c_1, s_1, \tau_1, T_1)$ is intercepted and sent to the Bank with a recent time stamp $T'$. Even then, the Bank detects the attack during the verification of the time stamp recovered from the encrypted message $c_1$.

6.2.3. Impersonation attacks

An adversary cannot impersonate a Customer to create a valid tuple $(c_1, s_1, \tau_1)$ as long as at least one of the private keys $(x_C, d_C)$ is unknown. Assume that an adversary tries to imitate a Customer in creating a valid ciphertext for the Bank. The adversary executes the following steps:

1. The adversary chooses a random integer $v_1$, such that $v_1 \in Z_{n_B}$.
2. Compute $a_1 \equiv v_1 G_B \pmod{n_B}$; if $a_1 = 0$, return to step 1, else determine $hash(a_1) = (k_1, k_2)$.
3. Compute $M_1 = (ID_C \| OI \| P \| k_1 \| T_1)$, where $T_1$ denotes the current time stamp and $\{OI \| P\}$ are some random values.
4. Compute $c_1 = E_{k_1}(P_B(M_1))$, $r_1 = KH_{k_2}(c_1 \| ID_C \| ID_B)$, $s_1 = v_1 e_B Y_B \pmod{n_B}$.

The adversary can create a fake $(c_1, s_1)$, but cannot create a valid $\tau_1 = d_C x_C^{-1} r_1 \pmod{N_{n_C}}$ unless he obtains both private keys $(x_C, d_C)$ of the Customer.

6.2.4. Double spending

The Bank stores the tuple $\{DS, OI \| Exp\}$ until it completes the payment to the Merchant or aborts the process and returns the money to the Customer. After the completion of the payment, the Bank deletes the tuple $\{DS, OI \| Exp\}$. Hence, it cannot be re-used by the Merchant or the adversary. The resistance to double spending is further validated using ProVerif (see Appendix).

6.2.5. Server spoofing

An adversary can impersonate the Bank only if it can successfully generate the payment voucher $(c_2, r_2, T_2)$. But the adversary cannot complete this task without access to the session keys $(k_1, k_2)$ shared by the Bank and the Customer. To compute the session keys, the adversary must obtain both the private keys of the Bank.

6.3. Numerical simulation

In this section, we provide a detailed numerical example of the proposed e-payment system.

6.3.1. System set-up phase

During the system set-up phase, the curve parameters are chosen. Let $a = 2$ and $b = 1$. The communicating entities Customer, Merchant and Bank separately execute the key extraction algorithm in Section 3.1 to derive their public-private key pairs, as shown in Fig. 2. Table 4 provides a summary of each user's keys and parameters.

6.3.2. Buying phase

The Customer obtains the Goods Information (GI) and the price of each item $(price_i)$ from the Merchant's website. Generate the aggregate price $P = \sum price_i$ and generate the order information


Fig. 2. Simulation of the key extraction algorithm (as executed by the Merchant, Customer and Bank). Point additions are computed based on Eq. (5) in Section 2.1.

Table 4
Summary of user keys and curve parameters.

Entity | Curve equation | Public key (n_i, G_i, Y_i, e_i) | Private key (N_{n_i}, x_i, d_i)
Merchant | y^2 ≡ 2x^2 + x (mod 143) | (143, P(4), P(70), 11) | (84, 25, 23)
Customer | y^2 ≡ 2x^2 + x (mod 91) | (91, P(2), P(68), 23) | (56, 5, 39)
Bank | y^2 ≡ 2x^2 + x (mod 65) | (65, P(3), P(58), 5) | (42, 19, 17)

$OI = H_1(GI \| P \| ID_B)$. Then the Customer generates the payment directive to be sent to the Bank, using the following steps:

1. Let $v_1 = 10 \in Z_{65}$. The Bank's base point is $G_B = P(3)$. Compute $a_1 = 10P(3) \bmod 65 = P(14)$. Let $hash(14) = (27, 32)$, which implies $k_1 = 27$ and $k_2 = 32$.
2. Let $T_1 = 1255$, $M_1 = (ID_C \| OI \| P \| k_1 \| T_1)$, $P_B(M_1) = 732$, $c_1 = E_{27}(732) = 88$, $r_1 = KH_{32}(88 \| ID_C \| ID_B) = 15$.
3. Compute $s_1 = v_1 e_B Y_B = 10 \cdot 5 \cdot P(58) = 50P(58) \pmod{65}$ and $\tau_1 = d_C x_C^{-1} r_1 = 39 \cdot 45 \cdot 15 \pmod{56} \equiv 5 \pmod{56}$.
4. Send the payment directive $(c_1 = 88, s_1 = 50P(58), \tau_1 = 5, T_1 = 1255)$ to the Bank.

6.3.3. Payment phase

On receiving the payment directive, the Bank unsigncrypts as follows:

1. As per Eqs. (13) and (14) in Fig. 2, the Bank computes $d_B x_B^{-1} s_1 = 17 \cdot 31 \cdot 50P(58) \pmod{65} = 17 \cdot 31 \cdot 5 \cdot 10 \cdot P(58) = 10 \cdot 17 \cdot 5 \cdot (31P(58)) = 10 \cdot 17 \cdot 5 \cdot P(3) = 10(17P(32)) = 10P(3) \bmod 65 = P(14) = a_1$.
2. Compute $hash(14) = (27, 32) = (k_1, k_2)$, $D_{27}(88) = 732 = P_B(M_1)$, $KH_{32}(88 \| ID_C \| ID_B) = 15 = r_1$. Using the decoding algorithm, obtain the message $M_1$. Verify the values of $T_1$ and $k_1$ in $M_1$.
3. Check the integrity of the message $P_B(M_1)$ by computing $e_C \tau_1 Y_C \pmod{n_C} = 23 \cdot 5 \cdot P(68) \pmod{91} = 5 \cdot 23P(68) = 5\{2(2(2(2P(68)))) + 2(2P(68)) + 2P(68) + P(68)\} = 5\{P(82) + P(12) + P(30) + P(68)\} = 5\{P(86) + P(2)\} = 5P(33) = \{2(2P(33)) + P(33)\} = P(5) + P(33) = P(2) = L_1$.


4. Compute $r_1 G_C \pmod{n_C} = 15P(2) \pmod{91} = 10P(2) + 5P(2) = P(30) + P(68) = P(2)$. Thus, $r_1 G_C \pmod{n_C} = L_1$.

Following successful unsigncryption, the Bank deducts the amount $P$ from the corresponding Customer's account and transfers it to a temporary account. Further, an expiry period $Exp$ is chosen by the Bank. The Bank creates a digital signature $DS$ for the data $\{OI \| Exp\}$, using a conic curve digital signature algorithm as in Lu et al. (2005). Using the same key pair $(k_1, k_2) = (27, 32)$ shared with the Customer, the Bank encrypts the message $M_2 = DS \| Exp \| k_1 \| T_2$. Let $T_2 = 1302$ and $P_C(M_2) = 345$. Compute $c_2 = E_{27}(345) = 911$ and $r_2 = KH_{32}(911 \| ID_B \| ID_C) = 78$. Send the tuple $(c_2 = 911, r_2 = 78, T_2 = 1302)$ to the Customer.

6.3.4. Exchange phase

On receiving the tuple $(c_2 = 911, r_2 = 78, T_2 = 1302)$, the Customer computes $D_{27}(911) = 345 = P_C(M_2)$ and $KH_{32}(911 \| ID_B \| ID_C) = 78 = r_2$. The Customer obtains the message $M_2$ from $P_C(M_2)$ using the decoding algorithm and verifies the values of $k_1$, $T_2$ and $r_2$. After verification, the Customer obtains $DS$ and $Exp$ from $M_2$ and creates the payment voucher to be transferred to the Merchant as follows:

1. Let $v_2 = 15 \in Z_{143}$. The Merchant's base point is $G_M = P(4)$. Compute $a_2 = 15P(4) \pmod{143} = 5P(4) + 10P(4) = P(121)$. Let $hash(121) = (49, 77)$, which implies $k_1' = 49$ and $k_2' = 77$. Let $T_3 = 1315$; then the message is $M_3 = (ID_B \| DS \| Exp \| GI \| k_1' \| T_3)$.
2. Let $P_M(M_3) = 676$, $c_3 = E_{49}(676) = 93$, $r_3 = KH_{77}(93 \| ID_C \| ID_M) = 40$.
3. Compute $s_3 = v_2 e_M Y_M = 15 \cdot 11 \cdot P(70) = 165P(70) \pmod{143}$ and the signature $\tau_3 = d_C x_C^{-1} r_3 = 39 \cdot 45 \cdot 40 \pmod{56} \equiv 32 \pmod{56}$.
4. The tuple $(c_3 = 93, s_3 = 165P(70), \tau_3 = 32, T_3 = 1315)$ is sent to the Merchant.

The Merchant unsigncrypts the tuple $(c_3, s_3, \tau_3, T_3)$ as follows:

1. As per Eqs. (9) and (10) in Fig. 2, the Merchant computes $d_M x_M^{-1} s_3 = 23 \cdot 37 \cdot 165P(70) \pmod{143} = 23 \cdot 37 \cdot 11 \cdot 15 \cdot P(70) = 15 \cdot 11 \cdot 23(37P(70)) = 15 \cdot 23 \cdot 11P(4) = 15(23P(18)) = 15P(4) \bmod 143 = P(121) = a_2$.
2. Compute $hash(121) = (49, 77) = (k_1', k_2')$, $D_{49}(93) = 676 = P_M(M_3)$, $KH_{77}(93 \| ID_C \| ID_M) = 40 = r_3$. Using the decoding algorithm, obtain the message $M_3$. Verify the values of $T_3$ and $k_1'$ in $M_3$.
3. Check the integrity of the message $P_M(M_3)$ by computing $e_C \tau_3 Y_C \pmod{n_C} = 23 \cdot 32 \cdot P(68) \pmod{91} = 32 \cdot 23P(68) = 32\{2(2(2(2P(68)))) + 2(2P(68)) + 2P(68) + P(68)\} = 32P(33) = \{2(5P(33)) + 2(5P(33)) + 2(5P(33)) + 2P(33)\} = \{2P(2) + 2P(2) + 2P(2) + P(51)\} = \{P(9) + P(47) + P(51)\} = P(44) = L_2$.
4. Compute $r_3 G_C \pmod{n_C} = 40P(2) \pmod{91} = 4(10P(2)) = 4(P(30)) = P(44)$. Thus, $r_3 G_C \pmod{n_C} = L_2$.

The Merchant then computes $P = \sum price_i$, $OI = H_1(GI \| P \| ID_B)$, and calculates $OI \| Exp$. It verifies the signature $DS$ using the Bank's public key. If the signature is valid, the Merchant sends the encrypted goods to the Customer, using the same key pair $(k_1', k_2')$. Let $T_4 = 1355$, $M_4 = (ID_M \| GI \| Goods \| k_1' \| T_4)$ and $P_C(M_4) = 889$. Compute $c_4 = E_{49}(889) = 56$ and $r_4 = KH_{77}(56 \| ID_M \| ID_C) = 34$. Send the tuple $(c_4 = 56, r_4 = 34, T_4 = 1355)$ to the Customer.

6.3.5. Transferring phase

On receiving the tuple $(c_4 = 56, r_4 = 34, T_4 = 1355)$, the Customer computes $D_{49}(56) = 889 = P_C(M_4)$ and $KH_{77}(56 \| ID_M \| ID_C) = 34$. The Customer obtains the message $M_4$ from $P_C(M_4)$ using the decoding algorithm and verifies the values of $k_1'$, $T_4$ and $r_4$.

6.4. Protocol validation using ProVerif

ProVerif is a verification tool that provides automated reasoning about the security features of a cryptographic protocol. Security criteria like confidentiality, authenticity, anonymity, verifiability and non-repudiation can be generalized into two classes, namely indistinguishability and reachability properties. Reachability properties are used to model the derivable states in the protocol. For example, if a piece of private information cannot be derived in any possible execution of the protocol, then confidentiality is ensured. Indistinguishability establishes complex properties like anonymity through observational equivalence (Smyth, 2011). ProVerif is capable of evaluating reachability properties, indistinguishability properties and correspondence assertions for multiple communication sessions (Blanchet et al., 2016). ProVerif is powerful enough to model multiple unbounded sessions and an unbounded message space. The robustness and security of the proposed e-payment system is analyzed using ProVerif. We model the Customer, Bank and Merchant as separate processes. The secrecy of the session keys $\{a_1, a_2\}$ (represented in the code as K1, K2) is evaluated using reachability properties. Further, four correspondence assertions are evaluated to ensure security against double spending in multiple parallel sessions.

RESULT inj-event(termCustM(k_49))==>inj-event(acceptMerch(k_49)) is true.
RESULT event(termMerch(k_2241,y))==>event(acceptCustM(k_2241,y)) is true.
RESULT inj-event(termCust(k_4434))==>inj-event(acceptBank(k_4434)) is true.
RESULT event(termBank(k_6447,y_6448))==>event(acceptCust(k_6447,y_6448)) is true.
RESULT not attacker(K2[]) is true.
RESULT not attacker(K1[]) is true.

7. Conclusion

In this paper we propose a novel signcryption scheme based on two hardness assumptions, namely the conic based RSA assumption and the conic curve discrete logarithm problem. In addition to security properties like confidentiality, integrity and authenticity, the proposed scheme ensures forward secrecy, ciphertext authentication, as well as ciphertext anonymity. Even if a legitimate user's private keys are exposed, an attacker cannot recover the previously encrypted messages. Further, the receiver need not reveal his private keys or the original message to the verifier for dispute resolution. The scheme is designed on conic curve groups over $Z_n$; hence, the computational cost is mainly attributed to simple conic curve scalar multiplications. Messages can be easily encoded and decoded in conic curves. Moreover, the proposed signcryption scheme remains secure against the low private key exponent attacks prevalent in the original RSA cryptosystem. The proposed protocol was used to design a secure e-payment system with forward secrecy, ciphertext authentication and ciphertext anonymity. The resulting e-payment system offers resistance to replay attacks, man-in-the-middle attacks, server spoofing, impersonation attacks and double spending. The workflow of the protocol was illustrated using a detailed numerical example. The reachability properties and correspondence assertions of the system were analyzed and validated by the automated cryptographic verification tool ProVerif.


Acknowledgements

This work was funded by the Ministry of Electronics and Information Technology (MeitY), Government of India, through the Visvesvaraya Ph.D. scheme for Electronics and IT.

Appendix

The ProVerif validation code for the proposed e-payment system is provided in this Appendix. The declaration section contains the definition of free names, private names, channels, constructors, equations and destructors. Free names and channels are available to the adversary, while private names are not accessible to the adversary. In ProVerif, cryptographic primitives like encryption, decryption, signatures, hash functions, etc., are depicted using constructors. Destructors define the expected behavior of the constructors and capture the relationships among them. Further, equations are used to represent the algebraic relations between terms in constructors. The communicating entities, namely the Bank, Merchant and Customer, are modeled as individual processes.

Reachability properties like secrecy are analyzed by the predicate attacker(K), where K is a private term. If the query "query not attacker(K)" returns true, it implies that secrecy and authentication are preserved. All public parameters and public keys of the participants are made available to the attacker. The code is derived from the e-payment protocol described in Section 6.1 and Fig. 1. Initially, two public channels are defined. ch1 is dedicated to communication between the Bank and Customer. ch2 facilitates communication between the Customer and Merchant.

(* Channels *)
free ch1:channel. (* Customer to Bank *)
free ch2:channel. (* Customer to Merchant *)

The constants and variables used in the system are given below:

(* Constants and Variables *)
free Gc:bitstring.
free Gm:bitstring.
free Gb:bitstring.
free GI:bitstring [private].
free xc:bitstring [private].
free xm:bitstring [private].
free xb:bitstring [private].
free ec:bitstring [private].
free em:bitstring [private].
free eb:bitstring [private].
const p:bitstring [private].
const IDc:bitstring.
const IDb:bitstring.
const IDm:bitstring.

The variables Gc, Gb, Gm define the base points chosen by the entities Customer, Bank and Merchant. GI denotes the goods information. The private variables xc, xb, xm represent the private keys corresponding to CCDLP, and ec, eb, em denote the public keys corresponding to CBRSA. The public keys ec, eb, em will later be made available to the adversary via the free channels. The variable p denotes the aggregate price of the goods. IDc, IDb, IDm correspond to the identities of the Customer, Bank and Merchant respectively. The constructors, destructors and equations are as follows:

(* Constructors *)
fun senc(bitstring,bitstring):bitstring.
fun append(bitstring,bitstring):bitstring.
fun hash(bitstring):bitstring.
fun getk1(bitstring):bitstring.
fun getk2(bitstring):bitstring.
fun keyedhash(bitstring,bitstring):bitstring.
fun mul(bitstring,bitstring):bitstring.
fun inverse(bitstring):bitstring.
fun sign(bitstring):bitstring.
(* Destructors and Equations *)
reduc forall m:bitstring,k:bitstring; sdec(senc(m,k),k)=m.
equation forall a:bitstring; inverse(inverse(a))=a.

The events used to define the correspondence assertions are as follows:

(* Events *)
event acceptBank(bitstring).
event termBank(bitstring,bitstring).
event acceptCust(bitstring,bitstring).
event termCust(bitstring).
event acceptCustM(bitstring,bitstring).
event termCustM(bitstring).
event acceptMerch(bitstring).
event termMerch(bitstring,bitstring).

The Customer, Bank and Merchant are modeled as three distinct processes. Initially, the Customer conveys his public keys to the Merchant and Bank. The Customer obtains the public keys of the Merchant and Bank via the corresponding channels. Then, the Customer computes the session key K1 to be shared with the Bank and completes signcryption to form the tuple (c1, s1, t1), corresponding to $(c_1, s_1, \tau_1)$ in the protocol. The tuple, along with the timestamp T1, is sent to the Bank. After receiving the payment voucher $(c_2, r_2, T_2)$ from the Bank, the Customer verifies $k_1$, $T_1$, $r_2$ and computes the session key K2 to be shared with the Merchant. After signcryption, the ciphertext and timestamp (c3, s3, t3, T3) are sent to the Merchant.

(************* Customer Process *******************)
let pUser=
  let Yc=mul(xc,Gc) in
  let dc=inverse(ec) in
  out(ch1,(Yc,ec));
  out(ch2,(Yc,ec));
  in(ch1,(XYb:bitstring,Xeb:bitstring));
  in(ch2,(XYm:bitstring,Xem:bitstring));
  new v:bitstring;
  new T1:bitstring;
  let z=mul(v,Gb) in
  let K1=hash(z) in
  event acceptCust(K1,XYb);
  let OI=hash(append(GI,append(p,IDb))) in
  let c1=senc((IDc,OI,p,getk1(K1),T1),getk1(K1)) in
  let r1=keyedhash((c1,IDc,IDb),getk2(K1)) in
  let s1=mul(v,mul(Xeb,XYb)) in
  let t1=mul(dc,mul(inverse(xc),r1)) in
  out(ch1,(c1,s1,t1,T1));
  in(ch1,(Xc2:bitstring,Xr2:bitstring,XT2:bitstring));
  let (XDS:bitstring,XE:bitstring,Xk1:bitstring,XXT2:bitstring)=sdec(Xc2,getk1(K1)) in
  if Xk1=getk1(K1) then
  if XXT2=XT2 then
  let r2=keyedhash((Xc2,IDb,IDc),getk2(K1)) in
  if r2=Xr2 then
  event termCust(K1);
  new v1:bitstring;
  new T3:bitstring;


  let z1=mul(v1,Gm) in
  let K2=hash(z1) in
  event acceptCustM(K2,XYm);
  let c3=senc((IDb,XDS,XE,GI,getk1(K2),T3),getk1(K2)) in
  let r3=keyedhash((c3,IDc,IDm),getk2(K2)) in
  let s3=mul(v1,mul(Xem,XYm)) in
  let t3=mul(dc,mul(inverse(xc),r3)) in
  out(ch2,(c3,s3,t3,T3));
  event termCustM(K2).

The Bank decrypts and verifies the payment directive (c1, s1, t1, T1) and forwards the payment voucher $(c_2, r_2, T_2)$ to the Customer, using the same session key K1.

(**************** Bank Process *********************)
let pBank=
  let Yb=mul(xb,Gb) in
  let db=inverse(eb) in
  in(ch1,(XYc:bitstring,Xec:bitstring));
  out(ch1,(Yb,eb));
  in(ch1,(Xc1:bitstring,Xs1:bitstring,Xt1:bitstring,XT1:bitstring));
  let Z=mul(db,mul(inverse(xb),Xs1)) in
  let K1=hash(Z) in
  let (=IDc,XOI:bitstring,Xp:bitstring,Xkx:bitstring,XXT1:bitstring)=sdec(Xc1,getk1(K1)) in
  if Xkx=getk1(K1) then
  if XXT1=XT1 then
  let r1=keyedhash((Xc1,IDc,IDb),getk2(K1)) in
  let N1=mul(Xec,mul(Xt1,XYc)) in
  if N1=mul(r1,Gc) then
  event acceptBank(K1);
  new T2:bitstring;
  new E:bitstring;
  let DS=sign(append(XOI,E)) in
  let c2=senc((DS,E,getk1(K1),T2),getk1(K1)) in
  let r2=keyedhash((c2,IDb,IDc),getk2(K1)) in
  out(ch1,(c2,r2,T2));
  event termBank(K1,Yb).

The Merchant process verifies the payment voucher (c3, s3, t3, T3) from the Customer and validates the digital signature. After successful verification, it forwards the encrypted goods to the Customer.

(*************** Merchant Process **********************)
let pMerchant=

  let q=senc(XGI,getk1(K2)) in
  out(ch2,q);
  event termMerch(K2,Ym).

We model the execution of multiple parallel sessions of the protocol in the main process:

(********* Main Process ******************)
process
  ((!pUser)|(!pBank)|(!pMerchant))

The secrecy of the session keys (K1, K2) is validated by the query:

(* Query *)
free K1:bitstring [private].
free K2:bitstring [private].
query attacker(K1).
query attacker(K2).

Further, it is essential that, when the Customer requests payment from the Bank, the latter should complete the transaction only once for each transaction initiated by the Customer. The same condition holds for the Merchant. Hence, we evaluate the injective correspondence assertions using the queries:

query k:bitstring,y:bitstring; event(termBank(k,y))==>event(acceptCust(k,y)).
query k:bitstring; inj-event(termCust(k))==>inj-event(acceptBank(k)).
query k:bitstring,y:bitstring; event(termMerch(k,y))==>event(acceptCustM(k,y)).
query k:bitstring; inj-event(termCustM(k))==>inj-event(acceptMerch(k)).

We obtained the following result after protocol verification:

RESULT inj-event(termCustM(k_49))==>inj-event(acceptMerch(k_49)) is true.
RESULT event(termMerch(k_2241,y))==>event(acceptCustM(k_2241,y)) is true.
RESULT inj-event(termCust(k_4434))==>inj-event(acceptBank(k_4434)) is true.
RESULT event(termBank(k_6447,y_6448))==>event(acceptCust(k_6447,y_6448)) is true.
RESULT not attacker(K2[]) is true.
RESULT not attacker(K1[]) is true.

The first two results prove that the authentication from Customer to Merchant holds and vice versa. The next two results confirm that the authentication between Customer and Bank holds. The secrecy of the session keys K1 (corresponding to $a_1$) and K2
let Ym=mul(xm,Gm) in (corresponding to a2 ) is validated by the final results. The corre-
let dm=inverse(em) in spondence assertions are validated by the results of the injective
in(ch2,(XYc:bitstring,Xec:bitstring)); event queries. Thus, the Bank processes the payment request only
out(ch2,(Ym,em)); once for each unique session initiated by the Customer and the
in(ch2,(Xc3:bitstring,Xs3:bitstring,Xt3:bitstring, Merchant proceeds with the transfer of the encrypted goods only
XT3:bitstring)); once for each session initiated by the Customer, thereby, prevent-
let Z1=mul(dm,mul(inverse(xm),Xs3)) in ing replay attacks.
let K2=hash(Z1) in
let (=IDb,XDS:bitstring,XE:bitstring,XGI:bitstring,
References
Xkx:bitstring,XXT3:bitstring)=sdec(Xc3,getk1(K2)) in
if Xkx=getk1(K2) then Ahmed, F., Bashir, F., Masood, A., 2010. A publicly verifiable low cost signcryption
if XXT3=XT3 then scheme ensuring confidentiality. NSWCTC 2010 – 2nd Int. Conf. Networks
let OI=hash(append(GI,append(p,IDb))) in Secur. Wirel. Commun. Trust. Comput. 1, 232–235. doi: 10.1109/
NSWCTC.2010.61.
if sign(append(OI,XE))=XDS then Bala, S., Sharma, G., Verma, A.K., 2013. An improved forward secure elliptic curve
let r3=keyedhash((Xc3,IDc,IDm),getk2(K2)) in signcryption key management scheme for wireless sensor networks. In: IT
let N3=mul(Xec,mul(Xt3,XYc)) in Convergence and Security, 2012, Lecture Notes in Electrical Engineering.
Springer, pp. 141–149. https://doi.org/10.1007/978-94-007-5860-5.
if mul(r3,Gc)=N3 then
Bao, F., Deng, R.H., 1998. A Signcryption Scheme with Signature Directly Verifiable
event acceptMerch(K2); by Public Key 55–59.
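The ProVerif model above proves that the Bank settles each Customer session once (the injective correspondence inj-event(termCust(k)) ==> inj-event(acceptBank(k))), but a deployed Bank has to enforce that property at run time. The following Python is an added illustration, not the paper's code or its ProVerif model: it replays the Bank's checks on the payment directive (c1, s1, t1, T1) over constructed sample data. The conic-curve operations mul/inverse and the signature check on t1 are replaced by an HMAC tag r1 over (c1, IDc, IDb) under getk2(K1); senc/sdec are replaced by a keystream cipher built from HMAC-SHA256 (illustrative only, not a recommended construction); the session key is a random byte string standing in for hash(Z). The names make_directive, Bank.process_directive, freshness_window and the field names inside the ciphertext are assumptions of this example.

```python
import hashlib
import hmac
import json
import os

# Key schedule: stand-ins for getk1/getk2 of the model (assumption of this example).
def get_k1(session_key: bytes) -> bytes:
    return hashlib.sha256(b"k1|" + session_key).digest()

def get_k2(session_key: bytes) -> bytes:
    return hashlib.sha256(b"k2|" + session_key).digest()

# senc/sdec stand-in: HMAC-SHA256 in counter mode used as a keystream. Illustrative only;
# it gives confidentiality for the demo but no integrity, which is why the keyed hash r1
# is checked separately below, exactly as the model checks it.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def senc(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def sdec(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def keyed_hash(parts, key: bytes) -> bytes:
    """keyedhash((...), getk2(K)) of the model: HMAC over a canonical encoding of the parts."""
    msg = json.dumps([p.hex() if isinstance(p, bytes) else p for p in parts]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_directive(session_key: bytes, id_c: str, id_b: str, order_info: str, price: str, t1: int):
    """Customer side: build (c1, r1, T1). Embedding getk1(K1) and T1 inside c1 is what lets
    the Bank check Xkx=getk1(K1) and XXT1=XT1 after decryption."""
    k1 = get_k1(session_key)
    plain = json.dumps({"id": id_c, "OI": order_info, "p": price, "kx": k1.hex(), "T1": t1}).encode()
    c1 = senc(k1, plain)
    r1 = keyed_hash((c1, id_c, id_b), get_k2(session_key))
    return c1, r1, t1

class Bank:
    def __init__(self, id_b: str, freshness_window: int):
        self.id_b = id_b
        self.window = freshness_window
        # Sessions already settled: the run-time counterpart of the injective correspondence.
        # Entries older than the freshness window can be evicted, since stale T1 is rejected anyway.
        self.seen = set()

    def process_directive(self, session_key: bytes, id_c: str, c1: bytes, r1: bytes, t1: int, now: int) -> str:
        k1 = get_k1(session_key)
        try:
            fields = json.loads(sdec(k1, c1))          # sdec(Xc1, getk1(K1))
        except ValueError:
            return "reject: undecryptable"
        if not isinstance(fields, dict) or fields.get("id") != id_c or fields.get("kx") != k1.hex():
            return "reject: key binding"              # (=IDc, ...) pattern and Xkx=getk1(K1)
        if fields.get("T1") != t1 or abs(now - t1) > self.window:
            return "reject: stale"                    # XXT1=XT1 plus a freshness window
        expected = keyed_hash((c1, id_c, self.id_b), get_k2(session_key))
        if not hmac.compare_digest(expected, r1):
            return "reject: bad keyed hash"           # stands in for N1 = mul(r1, Gc)
        if (session_key, t1) in self.seen:
            return "reject: replay"                   # second termCust for the same acceptBank
        self.seen.add((session_key, t1))
        return "accept"                               # event acceptBank(K1)

def run_demo():
    """Constructed scenario: a genuine directive, its replay, a tampered tag, a stale directive."""
    session_key = os.urandom(32)                       # stands in for K1 = hash(Z)
    bank = Bank("bank", freshness_window=60)
    now = 1_700_000_000
    c1, r1, t1 = make_directive(session_key, "customer", "bank", "OI-demo", "42.00", now)
    results = [bank.process_directive(session_key, "customer", c1, r1, t1, now)]
    results.append(bank.process_directive(session_key, "customer", c1, r1, t1, now + 5))
    bad_r1 = bytes([r1[0] ^ 1]) + r1[1:]
    results.append(bank.process_directive(session_key, "customer", c1, bad_r1, t1, now))
    c1s, r1s, t1s = make_directive(session_key, "customer", "bank", "OI-old", "42.00", now - 600)
    results.append(bank.process_directive(session_key, "customer", c1s, r1s, t1s, now))
    return results

if __name__ == "__main__":
    print(run_demo())
```

In the symbolic model injectivity follows from each session deriving a fresh K1 from the Customer's fresh v; at run time the Bank must additionally remember which (session, T1) pairs it has already settled, and the freshness window bounds how long that memory has to be kept.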
