Article info
Article history: Received 10 November 2017; Revised 22 January 2018; Accepted 10 February 2018; Available online xxxx
Keywords: Signcryption; Conic curve cryptography; Forward secrecy; Ciphertext authentication; E-commerce; ProVerif

Abstract
Signcryption is an authenticated encryption technique that concurrently establishes message confidentiality, authenticity, integrity and non-repudiation. In this paper, we propose an efficient signcryption scheme based on the hardness of the RSA assumption and the discrete logarithm problem on conic curves over a ring $Z_n$. The protocol ensures forward secrecy in case the sender's secret keys are exposed, and supports ciphertext authentication by an external entity without full decryption. The protocol remains secure as long as either one of the hardness assumptions holds. The scheme is implemented over conic curves, which facilitate effective message encoding and decoding, as well as efficient point operations and inverses. The conic-based RSA assumption offers resistance to the low public key exponent and low private key exponent attacks prevalent in the original RSA cryptosystem. The proposed protocol is used to design a Business to Customer (B2C) e-commerce system, with security against replay attacks, man-in-the-middle attacks, impersonation attacks, server spoofing and double spending. The protocol is validated using the automated cryptographic verification tool ProVerif.
© 2018 The Authors. Production and hosting by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
https://doi.org/10.1016/j.jksuci.2018.02.004
ISSN 1319-1578
Please cite this article in press as: Daniel, R.M., et al. A forward secure signcryption scheme with ciphertext authentication for e-payment systems using
conic curve cryptography. Journal of King Saud University – Computer and Information Sciences (2018), https://doi.org/10.1016/j.jksuci.2018.02.004
2 R.M. Daniel et al. / Journal of King Saud University – Computer and Information Sciences xxx (2018) xxx–xxx
Forward secrecy – The forward secrecy property deters an adversary in possession of the sender's secret keys from decrypting previously encrypted messages.

1.1. Previous work

The initial signcryption scheme proposed by Zheng (1997) lacked public verifiability. Hence, in Zheng's scheme, the receiver had to reveal his private key to the external verifier to ensure non-repudiation. Bao and Deng (1998) modified Zheng's protocol so that the recipient's private key is no longer required for signature verification. Instead, the recipient must produce the original message along with the ciphertext components to the external entity. This property is termed public verifiability. The protocol was implemented in a finite field, based on the strong Gap Diffie-Hellman (Gap-DH) assumption. However, the public verifiability property is unsuitable for applications requiring content filtering by firewalls, since verification by an external entity is not possible until the decryption of the ciphertext by the intended recipient. Gamage et al. (1999) proposed the first signcryption scheme with the public ciphertext authentication property. In Gamage's scheme, any external entity can verify the signature solely from the ciphertext components, without the intervention of the recipient. The protocol is based on the standard Computational Diffie-Hellman (CDH) assumption. Apparently, the protocol lacks ciphertext anonymity, since an adversary can perform random checks to detect the message origin (Chow et al., 2003). Hence, the public ciphertext authentication property is undesirable for applications like e-commerce, where the sender's identity has to be preserved. None of the above mentioned protocols provide the forward secrecy property. Chow et al. proposed a forward secure signcryption scheme with the public ciphertext authentication property, under the Modified Decisional Bilinear Diffie-Hellman (MDBDH) assumption on elliptic curves. However, the protocol incurs higher computational complexity due to expensive bilinear pairing operations. Later, Han et al. (2004) proposed a forward secure signcryption scheme with ciphertext authentication and ciphertext anonymity based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). The protocol offers better efficiency than Chow et al.'s scheme, since it does not involve bilinear pairing computations. Subsequently, several forward secure elliptic curve based protocols with public verifiability were proposed (Bala et al., 2013; Hwang et al., 2005; Hwang and Sung, 2011; Toorani and Shirazi, 2009; Xiang-Xu et al., 2005). Mohamed and Elkamchouchi (2009) proposed a forward secure signcryption scheme with public ciphertext authentication based on ECDLP, without any pairing computations. Subsequently, similar constructions with forward secrecy and public ciphertext authentication were proposed (Iqbal and Afzal, 2013; Mohapatra, 2010). Recently, Chaudhry et al. (2016) designed an efficient e-commerce system using signcryption based on ECDLP; however, the protocol lacks forward secrecy, as well as basic public verifiability.

1.2. Motivation

The intractability of private keys and ephemeral secrets in an algorithm can be reduced to the intractability of the underlying hardness assumptions. The security of all the previously discussed signcryption schemes depends on individual hardness assumptions. If an attacker successfully solves the hardness assumption, he can trivially compute the private keys of individual users in the system (Gutub et al., 2017). Elkamchouchi, Nasr and Ismail (2009) proposed a forward secure proxy signcryption scheme with public verifiability, based on a combination of hard problems such as the Integer Factorization Problem (IFP) and DLP in finite fields. However, the protocol was designed using a composite modulus comprising four primes, rendering it inefficient. The modulus size must be at least 4096 bits to resist factoring attacks by the elliptic curve method (Ciet et al., 2002; Hinek, 2008). Moreover, the protocol lacks ciphertext authentication; hence, the original message must be revealed to the external verifier for dispute redressal. In this paper, we propose a novel efficient signcryption scheme based on the Conic Based RSA (CBRSA) assumption, as well as the Conic Curve DLP (CCDLP), that ensures public verifiability, ciphertext authentication, ciphertext anonymity and forward secrecy, in addition to confidentiality, authenticity, non-repudiation and integrity. Each user has a pair of private keys corresponding to CBRSA and CCDLP, respectively. An encrypted ephemeral session key can only be retrieved by the authorized recipient in possession of both the private keys. Also, a valid signature can be created only by a user in possession of both the private keys. The probability that an adversary simultaneously solves two hardness assumptions is negligible; hence, the protocol offers better security. A comparison of the security attributes of the proposed scheme with the existing protocols in the literature is provided in Table 1. The proposed scheme is implemented on conic curves, which facilitate effective message encoding and decoding, as well as efficient point operations and inverses, when compared to elliptic curves. We derive theorems to substantiate the security of the proposed scheme against low exponent attacks prevalent in the original RSA cryptosystem.
Table 1
Comparison of the security attributes of the proposed scheme with other signcryption schemes in the literature.

Scheme         | Forward secrecy | Public verifiability | Ciphertext authentication | Ciphertext anonymity† | Public ciphertext authentication | Assumption
---------------|-----------------|----------------------|---------------------------|-----------------------|----------------------------------|--------------
(Bao'98)       | No              | Yes                  | No                        | Yes                   | No                               | Gap-DH
(Gamage'99)    | No              | Yes                  | Yes                       | No                    | Yes                              | CDH
(Chow'03)      | Yes             | Yes                  | Yes                       | No                    | Yes                              | MDBDH
(Han'04)       | Yes             | Yes                  | Yes                       | Yes                   | No                               | ECDLP
(Hwang'05)     | Yes             | Yes                  | No                        | Yes                   | No                               | ECDLP
(Xiang-Xu'05)  | No              | Yes                  | No                        | Yes                   | No                               | ECDLP
(Xiang-Xu'05)  | Yes             | No                   | No                        | Yes                   | No                               | ECDLP
(Toorani'09)   | Yes             | Yes                  | No                        | Yes                   | No                               | ECDLP
(Elkam'09)     | Yes             | Yes                  | No                        | Yes                   | No                               | IFP, DLP
(Moham'09)     | Yes             | Yes                  | Yes                       | No                    | Yes                              | ECDLP
(Mohapat'10)   | Yes             | Yes                  | Yes                       | No                    | Yes                              | ECDLP
(Ahmed'10)     | No              | Yes                  | No                        | Yes                   | No                               | CDH
(Hwang'11)     | Yes             | Yes                  | No                        | Yes                   | No                               | CDH
(Bala'13)      | Yes             | Yes                  | No                        | Yes                   | No                               | ECDLP
(Iqbal'13)     | Yes             | Yes                  | Yes                       | No                    | Yes                              | ECDLP
(Chaudhry'16)  | No              | No                   | No                        | Yes                   | No                               | ECDLP
Our Scheme     | Yes             | Yes                  | Yes                       | Yes                   | No                               | CBRSA, CCDLP

† Ciphertext anonymity and public ciphertext authentication are mutually exclusive properties.
The proposed scheme is used to secure a B2C model e-commerce system. The reachability properties and correspondence assertions are validated using the automated software tool ProVerif.

The rest of the paper is organized as follows. Section 2 gives a brief introduction to conic curve cryptography. The proposed signcryption scheme is presented in Section 3. Section 4 provides the detailed security analysis. The efficiency of the scheme is evaluated in Section 5. Section 6 explores the applicability of the protocol in securing e-commerce systems. The proposed e-payment scheme is presented in Section 6.1. The security of the protocol against several attack scenarios is discussed in Section 6.2. A detailed numerical simulation of the proposed e-commerce application is provided in Section 6.3. The suitability of the ProVerif tool for protocol validation is discussed in Section 6.4. Section 7 provides the concluding remarks. The ProVerif code is included in the Appendix for reference.

Apparently, $t_3 \in H$ and the addition operation is commutative. Also, for any $P(t) \in C_p(a,b)$, the negative element can be defined by

$$-P(O) = P(O), \qquad -P(t) = P(-t) \qquad (6)$$

Eqs. (4)–(6) suggest that the addition operation over $C_p(a,b)$ is associative. Thus, $(C_p(a,b), \oplus, P(O))$ forms a finite abelian group with cardinality $|C_p(a,b)| = p - \left(\frac{a}{p}\right)$, where $\left(\frac{a}{p}\right)$ denotes the Legendre symbol. Hence, $\forall P(t) \in C_p(a,b)$, $|C_p(a,b)| \cdot P(t) = P(O)$, and $k \cdot P(t)$ denotes the repeated addition of $P(t)$, $k$ times (also known as scalar multiplication). For a message $m \in H \setminus \{O\}$, the corresponding point on the curve, $P(m) = (x_m, y_m)$, can be obtained by the message encoding formula

$$x_m = b\,(a - m^2)^{-1}, \qquad y_m = b\,m\,(a - m^2)^{-1}.$$

The message can be decoded from $P(m)$ using the equation $x_m^{-1} y_m \pmod p = m$.
3.1. Extract(A, PP)

User A computes $n_A = p_A \cdot q_A$ and $N_{n_A} = \mathrm{lcm}(|C_{p_A}(a,b)|, |C_{q_A}(a,b)|) = 2 \cdot \frac{p_A + 1}{2} \cdot \frac{q_A + 1}{2} = 2(r_A s_A)$, after choosing large secure distinct odd prime numbers $p_A$ and $q_A$.

1. User A chooses $x_A \in Z_{N_{n_A}}$ and computes $Y_A = x_A G_A \pmod{n_A}$, where $G_A$ is the base point of $C_{n_A}(a,b)$.
2. User A selects an integer $e_A$ which is co-prime to $N_{n_A}$ and computes $d_A$ such that $e_A d_A \equiv 1 \pmod{N_{n_A}}$.
3. User A's public parameters are $Pu_A = (n_A, G_A, Y_A, e_A)$ and the secret key is the tuple $Pr_A = (N_{n_A}, x_A, d_A)$.

Following the same procedure, user B generates the public parameters $Pu_B = (n_B, G_B, Y_B, e_B)$ and the corresponding secret key $Pr_B = (N_{n_B}, x_B, d_B)$. It is assumed that the public keys of all entities are certified by a trusted certificate authority.

3.2. Signcrypt(Pr_A, Pu_B, M)

User A signcrypts the message $M$ as follows:

1. A random integer $v$ is chosen, such that $v \in Z_{n_B}$.

against the conic based RSA assumption. The security properties of the protocol, like ciphertext authentication, forward secrecy and ciphertext anonymity, are also substantiated in this section.

4.1. Direct attack against a legitimate user

An adversary can decrypt a signcrypted message only by accessing both the private keys of the receiver, $(d_B, x_B)$. To compute the private keys from the corresponding public keys $(e_B, Y_B)$, the adversary must simultaneously solve the conic-based RSA assumption and CCDLP. A possible method to solve the RSA assumption is by factorizing the public modulus $n_B$. To prevent integer factorization attacks, the randomly chosen component prime numbers $p_B$ and $q_B$ must be roughly of the same size, for instance 512 bits. Thus, the modulus size must be at least 1024 bits for security. Also, a masquerader cannot create the valid ciphertext component $\sigma$ without both the private keys of the sender.

4.1.1. Integer factorization attack

Assuming that an adversary has successfully solved the integer factorization problem to obtain the component primes $p_B$ and $q_B$, the attacker can further compute $N_{n_B} = \mathrm{lcm}((p_B + 1), (q_B + 1))$. Thus, the private key component $d_B$ corresponding to the public key $e_B$ can be obtained. The adversary attempts to retrieve the session key $a$ using the known private key component. The computation
Table 3
Comparison of the computation overhead, storage overhead and the underlying group structure in the proposed scheme, with other signcryption schemes.
Exp – Exponentiation, mM – Modular Multiplication, M – Multiplication of group elements, SM – Scalar Multiplication, Pair – Bilinear Pairing, PA – Point Addition, N/A – Does not support the public verifiability property. j – number of blocks in the AES cipher, $\{0,1\}^*$ – message size, $l_1$ – length of key $k_1$, $l_2$ – length of key $k_2$. $F_p$ – Finite field, $E(F_p)$ – Elliptic curve over $F_p$, $Z_n$ – residue class ring, $C(Z_n)$ – Conic curve over $Z_n$.
simple conic curve scalar multiplications and modular multiplications. Experimental simulations suggest that the execution time of conic curve scalar multiplications and inverses is negligible (Li and Li, 2013). The computation cost of inexpensive hash functions, as well as symmetric message encryption and decryption, is not considered for comparison. The proposed scheme is efficient in terms of space complexity, since the ciphertext does not contain conic curve group elements. Compared to similar schemes in the literature that support ciphertext authentication, the size of the verification components required for dispute resolution by an external verifier is minimized, increasing storage and communication efficiency.

6. Application of the proposed scheme in a cloud based e-commerce system

Electronic commerce, which facilitates business trading via the internet, is a pedestal for market-savvy companies to retain their competitive edge and also to improve their revenue. The fundamental dynamics that prompt customer decision-making in the online world are customer experience, availability, trust and security. Manufacturers and wholesalers are striving to offer greater flexibility of choice, transparency, best price and dynamic scalability to sustain their ever increasing customer base. Naturally, cloud computing proves to be an open platter of benefits to marketing giants, as well as new entrants. Cloud-related services relieve companies of capital and operational costs, and offer data management, scalability and rapid service delivery. As B2C and B2B models are gaining leverage through the cloud, a critical area of concern is the security of e-payments.

A basic e-payment model using blind signatures was suggested by Chaum (1983); subsequently, numerous other e-payment frameworks were introduced (Chen et al., 2014; Eslami and Talebi, 2011; Lysyanskaya and Ramzan, 1998; Yen et al., 2012; Zhang et al., 2011). However, as noted by Yang, Chang and Chen (2013), the signature schemes in the existing e-payment systems could not preserve ciphertext anonymity. They proposed an efficient authenticated encryption scheme with ciphertext anonymity, confidentiality and integrity. Further, the protocol was used to design an e-payment system with security against replay attacks, double spending, server spoofing and impersonation attacks. Recently, Chaudhry et al. (2016) proved that the system is vulnerable to impersonation attacks. Chaudhry et al. improved the scheme to ensure all the security properties claimed by Yang, Chang and Chen. Nevertheless, we found that Chaudhry et al.'s e-payment system lacks forward secrecy and public verifiability. This implies that if the sender's private keys are compromised, all the previously encrypted messages can be retrieved. Another major concern is that, for dispute redressal, the receiver has to produce his private keys to the external verifier. Inevitably, the receiver must renew his keys and publish the new public parameters after each dispute resolution. We propose an e-payment system that ensures fair exchange, customer anonymity, forward secrecy and dispute resolution by ciphertext authentication. Further, we prove that the system also provides resistance to impersonation attacks, replay attacks, double spending and server spoofing. The security of the protocol is validated by ProVerif. The ProVerif code is included in the Appendix for reference.

6.1. System design

For the system design, we adopt the workflow of the Yang et al. (2013) e-payment scheme. The protocol includes the set-up phase, buying phase, payment phase, exchange phase and transferring phase.

6.1.1. System set-up phase

In this phase the curve parameters and security parameters are determined. Further, the hash function $hash: \{0,1\}^* \to \{0,1\}^{l_1} \times \{0,1\}^{l_2}$ is defined, such that $l_1$ denotes the length of the key $k_1$ for the symmetric encryption/decryption functions $\{E_{k_1}(\cdot), D_{k_1}(\cdot)\}$ and $l_2$ denotes the length of the key $k_2$ for the keyed hash function $KH_{k_2}(\cdot)$. A hash function $H_1: \{0,1\}^* \to \{0,1\}^L$ is also defined, where $L$ denotes the length of the order information. The communicating entities, namely Customer, Merchant and Bank, separately execute the key extraction algorithm in Section 3.1 to derive their public-private key pairs. Each entity's public parameters will be of the form $Pu_i = (n_i, G_i, Y_i, e_i)$ and the private key will be denoted as $Pr_i = (x_i, d_i, N_{n_i})$. Also, $Y_i = x_i G_i \pmod{n_i}$ and
$e_i d_i \equiv 1 \pmod{N_{n_i}}$. $P_i(M)$ denotes the encoding of the message $M$ on the curve $C_{n_i}(a,b)$. The identity of an entity $i$ is denoted as $ID_i$. Fig. 1 illustrates the workflow of the system.

6.1.2. Buying phase

The buying phase is initiated when a customer selects some electronic goods. The Customer obtains the Goods Information (GI) and the price of each item ($price_i$) from the Merchant's website. Then the Customer generates the payment directive to be sent to the Bank, using the following steps:

1. A random integer $v_1$ is chosen, such that $v_1 \in Z_{n_B}$.
2. Compute $a_1 \equiv v_1 G_B \pmod{n_B}$; if $a_1 = 0$, return to step 1, else determine $hash(a_1) = (k_1, k_2)$.
3. Compute the aggregate price $P = \sum price_i$ and generate the order information $OI = H_1(GI \| P \| ID_B)$. The message to the Bank is $M_1 = (ID_C \| OI \| P \| k_1 \| T_1)$, where $T_1$ denotes the current time stamp.
4. Compute $c_1 = E_{k_1}(P_B(M_1))$, $r_1 = KH_{k_2}(c_1 \| ID_C \| ID_B)$, $s_1 = v_1 e_B Y_B \pmod{n_B}$ and $\sigma_1 = d_C x_C^{-1} r_1 \pmod{N_{n_C}}$.
5. The tuple $(c_1, s_1, \sigma_1, T_1)$ will be sent to the Bank.

The tuple $(c_1, s_1, \sigma_1, T_1)$ is referred to as the payment directive, which specifies the amount to be transferred to the Merchant.

6.1.3. Payment phase

On receiving the encrypted payment directive $(c_1, s_1, \sigma_1, T_1)$ from the Customer, the Bank unsigncrypts the ciphertext as follows:

1. $Unsigncrypt(Pr_B, Pu_C, (c_1, s_1, \sigma_1)) \to M_1$
2. Obtain $M_1 = (ID_C \| OI \| P \| k_1 \| T_1)$. The Bank proceeds if and only if $k_1$ and $T_1$ can be verified.

Following successful unsigncryption, the Bank deducts the amount $P$ from the corresponding Customer's account and transfers it to a temporary account. Further, an expiry period $Exp$ is chosen by the Bank. The Bank creates a digital signature $DS$ for the data $\{OI \| Exp\}$, using a conic curve digital signature algorithm as in Lu et al. (2000). The message to the Customer will be $M_2 = DS \| Exp \| k_1 \| T_2$.

Fig. 1. Workflow in the proposed e-payment system. $(Pr_i, Pu_i)$ denotes the public-private key pair of entity $i$.
Finally, the Bank computes $c_2 = E_{k_1}(P_C(M_2))$ and $r_2 = KH_{k_2}(c_2 \| ID_B \| ID_C)$ using the same session key $(k_1, k_2)$, and sends the tuple $(c_2, r_2, T_2)$ to the Customer. The Bank stores the data $\{OI \| Exp, DS\}$ in its repository.

6.1.4. Exchange phase

On receiving the ciphertext tuple $(c_2, r_2, T_2)$, the Customer unsigncrypts as follows:

1. Decrypt $D_{k_1}(c_2) = P_C(M_2)$ and check if $KH_{k_2}(c_2 \| ID_B \| ID_C) = r_2$.
2. Obtain $M_2 = (DS \| Exp \| k_1 \| T_2)$. The Customer proceeds if and only if $k_1$, $T_2$ and $r_2$ can be cross-verified.

After verification, the Customer obtains $DS$ and $Exp$ and creates the payment voucher to be transferred to the Merchant as follows:

1. A random integer $v_2$ is chosen, such that $v_2 \in Z_{n_M}$.
2. Compute $a_2 \equiv v_2 G_M \pmod{n_M}$; if $a_2 = 0$, return to step 1, else determine $hash(a_2) = (k_1', k_2')$.
3. The message to the Merchant is $M_3 = (ID_B \| DS \| Exp \| GI \| k_1' \| T_3)$, where $T_3$ denotes the current time stamp.
4. Compute $c_3 = E_{k_1'}(P_M(M_3))$, $r_3 = KH_{k_2'}(c_3 \| ID_C \| ID_M)$, $s_3 = v_2 e_M Y_M \pmod{n_M}$, as well as $\sigma_3 = d_C x_C^{-1} r_3 \pmod{N_{n_C}}$.
5. The tuple $(c_3, s_3, \sigma_3, T_3)$ will be sent to the Merchant.

The Merchant, on obtaining the tuple $(c_3, s_3, \sigma_3, T_3)$, unsigncrypts the ciphertext as follows:

1. $Unsigncrypt(Pr_M, Pu_C, (c_3, s_3, \sigma_3)) \to M_3$
2. Obtain $M_3 = (ID_B \| DS \| Exp \| GI \| k_1' \| T_3)$. The Merchant proceeds if and only if $k_1'$ and $T_3$ are cross-verified.

The Merchant then computes $P = \sum price_i$ and $OI = H_1(GI \| P \| ID_B)$, and calculates $OI \| Exp$. It verifies the signature $DS$ using the Bank's public keys. If the signature is valid, the Merchant sends the encrypted goods $M_4 = (ID_M \| GI \| Goods \| k_1' \| T_4)$ to the Customer: compute $c_4 = E_{k_1'}(P_C(M_4))$ and $r_4 = KH_{k_2'}(c_4 \| ID_M \| ID_C)$ using the shared session key $(k_1', k_2')$, and send the tuple $(c_4, r_4, T_4)$ to the Customer.

6.2.1. Replay attack

Assume that an adversary intercepts the tuple $(c_1, s_1, \sigma_1, T_1)$ transferred to the Bank by the Customer. If the tuple is used for a replay attack at a later time period, the Bank detects it from the value of $T_1$. If the signature $\sigma_1$ is inserted into another ciphertext tuple $(c, s, \sigma, T)$, the function $Unsigncrypt(Pr_B, Pu_C, (c, s, \sigma_1))$ will fail.

6.2.2. Man-in-the-middle attack

Assume that the message $(c_1, s_1, \sigma_1, T_1)$ is intercepted and sent to the Bank with a recent time stamp $T'$. Even then, the Bank detects the attack during the verification of the time stamp recovered from the encrypted message $c_1$.

6.2.3. Impersonation attacks

An adversary cannot impersonate a Customer to create a valid tuple $(c_1, s_1, \sigma_1)$ as long as at least one of the private keys $(x_C, d_C)$ is unknown. Assume that an adversary tries to imitate a Customer in creating a valid ciphertext to the Bank. The adversary executes the following steps:

1. The adversary chooses a random integer $v_1$, such that $v_1 \in Z_{n_B}$.
2. Compute $a_1 \equiv v_1 G_B \pmod{n_B}$; if $a_1 = 0$, return to step 1, else determine $hash(a_1) = (k_1, k_2)$.
3. Compute $M_1 = (ID_C \| OI \| P \| k_1 \| T_1)$, where $T_1$ denotes the current time stamp and $\{OI \| P\}$ are some random values.
4. Compute $c_1 = E_{k_1}(P_B(M_1))$, $r_1 = KH_{k_2}(c_1 \| ID_C \| ID_B)$ and $s_1 = v_1 e_B Y_B \pmod{n_B}$.

The adversary can create fake $(c_1, s_1)$, but cannot create a valid $\sigma_1 = d_C x_C^{-1} r_1 \pmod{N_{n_C}}$ unless he obtains both private keys of the Customer, $(x_C, d_C)$.

6.2.4. Double spending

The Bank stores the tuple $\{DS, OI \| Exp\}$ until it completes the payment to the Merchant or aborts the process and returns the money to the Customer. After the completion of the payment, the Bank deletes the tuple $\{DS, OI \| Exp\}$. Hence, it cannot be re-used by the Merchant or the adversary. The resistance to double spending is further validated using ProVerif (see Appendix).
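The group law, message encoding, key extraction and session-key/signature operations described in Sections 2.1, 3.1, 6.1.2 and 6.1.3, as an added worked example that is not the paper's code, checked against the toy values of the Section 6.3 simulation. It assumes the standard conic-curve parameter addition $t_3 = (t_1 t_2 + a)/(t_1 + t_2)$ with $a = 2$ and $b = 1$ (Eq. (5) is not reproduced on these pages; $a = 2$ reproduces every point the simulation computes), derives $x_B = 19$ from the paper's $x_B^{-1} = 31$, and gives the Customer a constructed key of the same toy shape as the Bank's.

```python
"""Conic-curve signcryption primitives of Daniel et al. (Sections 2.1, 3.1,
6.1.2, 6.1.3), checked against the toy values of the Section 6.3 simulation
(n_B = 65, G_B = P(3), e_B = 5, d_B = 17, x_B^-1 = 31, Y_B = P(58)).
Added example, not the paper's code. Assumptions not on the extracted pages:
 * parameter group law P(t1)+P(t2) = P((t1*t2 + a)/(t1 + t2)), P(O) identity,
   -P(t) = P(-t); with a = 2 it reproduces every point the paper computes;
 * b = 1 (only the encoding formula uses it);
 * x_B = 19, derived from the paper's x_B^-1 = 31 (19*31 = 1 mod 42).
"""
from math import gcd

A, B = 2, 1   # curve coefficients a, b (assumptions)
O = None      # the identity P(O)

def _inv(x, n):
    if gcd(x % n, n) != 1:
        raise ValueError(f"{x} is not invertible mod {n}")
    return pow(x, -1, n)

def _mul(p, q, n):
    # Product (u1 + w1*s)(u2 + w2*s) in Z_n[s]/(s^2 - a).  With P(t) <-> t + s
    # and P(O) <-> 1 this is the parameter addition t3 = (t1*t2 + a)/(t1 + t2)
    # kept as the fraction u/w, so a long chain never divides by a non-unit.
    (u1, w1), (u2, w2) = p, q
    return ((u1 * u2 + A * w1 * w2) % n, (u1 * w2 + u2 * w1) % n)

def _to_param(p, n):
    u, w = p
    g = gcd(w, n)
    if g == n:
        return O            # w = 0 mod n: the identity P(O)
    if g != 1:              # identity modulo one prime factor of n only: such a
        raise ValueError("no parameter in Z_n")   # point has no t; ~1/p chance
    return u * _inv(w, n) % n

def _lift(t, n):
    return (1, 0) if t is O else (t % n, 1)

def add(t1, t2, n):
    """P(t1) + P(t2) on C_n(a,b), as a parameter (O for P(O))."""
    return _to_param(_mul(_lift(t1, n), _lift(t2, n), n), n)

def mul(t, k, n):
    """Scalar multiplication k.P(t) by square-and-multiply in the ring."""
    acc, base = (1, 0), _lift(t, n)
    while k:
        if k & 1:
            acc = _mul(acc, base, n)
        base = _mul(base, base, n)
        k >>= 1
    return _to_param(acc, n)

def order(p):
    """|C_p(a,b)| by counting: every t with t^2 != a is a point, plus P(O)."""
    return 1 + sum(1 for t in range(p) if (t * t - A) % p)

def legendre_order(p):
    """The same count as p - (a/p), the Legendre symbol by Euler's criterion."""
    ls = pow(A % p, (p - 1) // 2, p)
    return p - (-1 if ls == p - 1 else ls)

def encode(m, p):
    """Section 2.1: x_m = b(a - m^2)^-1, y_m = b*m*(a - m^2)^-1 (needs m^2 != a)."""
    d = _inv(A - m * m, p)
    return B * d % p, B * m * d % p

def decode(point, p):
    """Section 2.1: m = x_m^-1 * y_m mod p."""
    return _inv(point[0], p) * point[1] % p

def extract(p, q, G, x, e):
    """Section 3.1: n = pq, N_n = lcm(|C_p|, |C_q|), Y = x.G mod n, e*d = 1 mod N_n."""
    n, cp, cq = p * q, order(p), order(q)
    N = cp * cq // gcd(cp, cq)
    return {"n": n, "G": G, "Y": mul(G, x, n), "e": e}, {"N": N, "x": x, "d": _inv(e, N)}

def encapsulate(v, pub):
    """Buying phase steps 2 and 4: session point a = v.G_B and s = v.e_B.Y_B."""
    return mul(pub["G"], v, pub["n"]), mul(pub["Y"], v * pub["e"], pub["n"])

def decapsulate(s, pub, priv):
    """Payment phase: d_B.x_B^-1.s = v.(e_B d_B).(x_B^-1 x_B).G_B = a; needs d_B AND x_B."""
    k = priv["d"] * _inv(priv["x"], priv["N"]) % priv["N"]
    return mul(s, k, pub["n"])

def sign(r, priv):
    """Buying phase step 4: sigma = d_C.x_C^-1.r mod N_{n_C}."""
    return priv["d"] * _inv(priv["x"], priv["N"]) * r % priv["N"]

def verify(r, sigma, pub):
    """Ciphertext authentication: e_C.sigma.Y_C == r.G_C (mod n_C), public data only."""
    return mul(pub["Y"], pub["e"] * sigma, pub["n"]) == mul(pub["G"], r, pub["n"])

if __name__ == "__main__":
    pub_b, priv_b = extract(5, 13, 3, 19, 5)   # the paper's Bank key
    a1, s1 = encapsulate(10, pub_b)             # v_1 = 10 as in Section 6.3
    print(pub_b, priv_b, "a1 =", a1, "s1 =", s1, "recovered:", decapsulate(s1, pub_b, priv_b))
```

Working in $Z_n[\sqrt a]$ turns the parameter addition into multiplication of $t + \sqrt a$, so the only division over the composite modulus happens once, when the final point is converted back to its parameter.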
Fig. 2. Simulation of the key extraction algorithm (as executed by the Merchant, Customer and Bank). Point additions are computed based on Eq. (5) in Section 2.1.

$OI = H_1(GI \| P \| ID_B)$. Then the Customer generates the payment directive to be sent to the Bank, using the following steps:

1. Let $v_1 = 10 \in Z_{65}$. The Bank's base point is $G_B = P(3)$. Compute $a_1 = 10P(3) \bmod 65 = P(14)$. Let $hash(14) = (27, 32)$, which implies $k_1 = 27$ and $k_2 = 32$.
2. Let $T_1 = 1255$, $M_1 = (ID_C \| OI \| P \| k_1 \| T_1)$, $P_B(M_1) = 732$, $c_1 = E_{27}(732) = 88$, $r_1 = KH_{32}(88 \| ID_C \| ID_B) = 15$.
3. Compute $s_1 = v_1 e_B Y_B = 10 \cdot 5 \cdot P(58) = 50P(58) \pmod{65}$ and $\sigma_1 = d_C x_C^{-1} r_1 = 39 \cdot 45 \cdot 15 \pmod{56} \equiv 5 \pmod{56}$.

The Bank unsigncrypts the payment directive as follows:

1. The Bank computes $d_B x_B^{-1} s_1 = 17 \cdot 31 \cdot 50P(58) \pmod{65} = 17 \cdot 31 \cdot 5 \cdot 10 \cdot P(58) = 10 \cdot 17 \cdot 5\,(31P(58)) = 10 \cdot 17 \cdot 5\,P(3) = 10\,(17P(32)) = 10P(3) \bmod 65 = P(14) = a_1$.
2. Compute $hash(14) = (27, 32) = (k_1, k_2)$, $D_{27}(88) = 732 = P_B(M_1)$, $KH_{32}(88 \| ID_C \| ID_B) = 15 = r_1$. Using the decoding algorithm, obtain the message $M_1$. Verify the values of $T_1$ and $k_1$ in $M_1$.
3. Check the integrity of the message $P_B(M_1)$ by computing $e_C \sigma_1 Y_C \pmod{n_C} = 23 \cdot 5 \cdot P(68) \pmod{91} = 5 \cdot 23P(68) = 5\{2(2(2(2P(68)))) + 2(2P(68)) + 2P(68) + P(68)\} = 5\{P(82) + P(12) + P(30) + P(68)\} = 5\{P(86) + P(2)\} = 5P(33) = \{2(2P(33)) + P(33)\} = P(5) + P(33) = P(2) = L_1$.
4. Compute $r_1 G_C \pmod{n_C} = 15P(2) \pmod{91} = 10P(2) + 5P(2) = P(30) + P(68) = P(2)$. Thus, $r_1 G_C \pmod{n_C} = L_1$.

Following successful unsigncryption, the Bank deducts the amount $P$ from the corresponding Customer's account and transfers it to a temporary account. Further, an expiry period $Exp$ is chosen by the Bank. The Bank creates a digital signature $DS$ for the data $\{OI \| Exp\}$, using a conic curve digital signature algorithm as in Lu et al. (2005). Using the same key pair $(k_1, k_2) = (27, 32)$ shared with the Customer, the Bank encrypts the message $M_2 = DS \| Exp \| k_1 \| T_2$. Let $T_2 = 1302$ and $P_C(M_2) = 345$. Compute $c_2 = E_{27}(345) = 911$ and $r_2 = KH_{32}(911 \| ID_B \| ID_C) = 78$. Send the tuple $(c_2 = 911, r_2 = 78, T_2 = 1302)$ to the Customer.

6.3.4. Exchange phase

On receiving the tuple $(c_2 = 911, r_2 = 78, T_2 = 1302)$, the Customer computes $D_{27}(911) = 345 = P_C(M_2)$ and $KH_{32}(911 \| ID_B \| ID_C) = 78 = r_2$. The Customer obtains the message $M_2$ from $P_C(M_2)$ using the decoding algorithm and verifies the values of $k_1$, $T_2$ and $r_2$. After verification, the Customer obtains $DS$ and $Exp$ from $M_2$ and creates the payment voucher to be transferred to the Merchant as follows:

1. Let $v_2 = 15 \in Z_{143}$. The Merchant's base point is $G_M = P(4)$. Compute $a_2 = 15P(4) \pmod{143} = 5P(4) + 10P(4) = P(121)$. Let $hash(121) = (49, 77)$, which implies $k_1' = 49$ and $k_2' = 77$. Let $T_3 = 1315$; then the message is $M_3 = (ID_B \| DS \| Exp \| GI \| k_1' \| T_3)$.
2. Let $P_M(M_3) = 676$, $c_3 = E_{49}(676) = 93$, $r_3 = KH_{77}(93 \| ID_C \| ID_M) = 40$.
3. Compute $s_3 = v_2 e_M Y_M = 15 \cdot 11 \cdot P(70) = 165P(70) \pmod{143}$ and the signature $\sigma_3 = d_C x_C^{-1} r_3 = 39 \cdot 45 \cdot 40 \pmod{56} \equiv 32 \pmod{56}$.
4. The tuple $(c_3 = 93, s_3 = 165P(70), \sigma_3 = 32, T_3 = 1315)$ is sent to the Merchant.

The Merchant unsigncrypts the tuple $(c_3, s_3, \sigma_3, T_3)$ as follows:

1. As per Eqs. (9) and (10) in Fig. 2, the Merchant computes $d_M x_M^{-1} s_3 = 23 \cdot 37 \cdot 165P(70) \pmod{143} = 23 \cdot 37 \cdot 11 \cdot 15 \cdot P(70) = 15 \cdot 11 \cdot 23\,(37P(70)) = 15 \cdot 23 \cdot 11P(4) = 15\,(23P(18)) = 15P(4) \bmod 143 = P(121) = a_2$.
2. Compute $hash(121) = (49, 77) = (k_1', k_2')$, $D_{49}(93) = 676 = P_M(M_3)$, $KH_{77}(93 \| ID_C \| ID_M) = 40 = r_3$. Using the decoding algorithm, obtain the message $M_3$. Verify the values of $T_3$ and $k_1'$ in $M_3$.
3. Check the integrity of the message $P_M(M_3)$ by computing $e_C \sigma_3 Y_C \pmod{n_C} = 23 \cdot 32 \cdot P(68) \pmod{91} = 32 \cdot 23P(68) = 32\{2(2(2(2P(68)))) + 2(2P(68)) + 2P(68) + P(68)\} = 32P(33) = \{2(5P(33)) + 2(5P(33)) + 2(5P(33)) + 2P(33)\} = \{2P(2) + 2P(2) + 2P(2) + P(51)\} = \{P(9) + P(47) + P(51)\} = P(44) = L_2$.
4. Compute $r_3 G_C \pmod{n_C} = 40P(2) \pmod{91} = 4\,(10P(2)) = 4\,(P(30)) = P(44)$. Thus, $r_3 G_C \pmod{n_C} = L_2$.

The Merchant then computes $P = \sum price_i$ and $OI = H_1(GI \| P \| ID_B)$, and calculates $OI \| Exp$. It verifies the signature $DS$ using the Bank's public key. If the signature is valid, the Merchant sends the encrypted goods to the Customer, using the same key pair $(k_1', k_2')$. Let $T_4 = 1355$, $M_4 = (ID_M \| GI \| Goods \| k_1' \| T_4)$ and $P_C(M_4) = 889$. Compute $c_4 = E_{49}(889) = 56$ and $r_4 = KH_{77}(56 \| ID_M \| ID_C) = 34$. Send the tuple $(c_4 = 56, r_4 = 34, T_4 = 1355)$ to the Customer. The Customer obtains the message $M_4$ from $P_C(M_4)$ using the decoding algorithm and verifies the values of $k_1'$, $T_4$ and $r_4$.

6.4. Protocol validation using ProVerif

ProVerif is a verification tool that provides automated reasoning about the security features of a cryptographic protocol. The security criteria, like confidentiality, authenticity, anonymity, verifiability and non-repudiation, can be generalized into two classes, namely indistinguishability and reachability properties. Reachability properties are used to model the derivable states in the protocol. For example, if a piece of private information cannot be derived from any possible execution of the protocol, then confidentiality is ensured. Indistinguishability establishes complex properties like anonymity through observational equivalence (Smyth, 2011). ProVerif is capable of evaluating reachability properties, indistinguishability properties and correspondence assertions for multiple communication sessions (Blanchet et al., 2016). ProVerif is powerful enough to model multiple unbounded sessions and an unbounded message space. The robustness and security of the proposed e-payment system is analyzed using ProVerif. We model the Customer, Bank and Merchant as separate processes. The secrecy of the session keys $\{a_1, a_2\}$ (represented in the code as K1, K2) is evaluated using reachability properties. Further, four correspondence assertions are evaluated to ensure security against double spending in multiple parallel sessions.

RESULT inj-event(termCustM(k_49))==>inj-event(acceptMerch(k_49)) is true.
RESULT event(termMerch(k_2241,y))==>event(acceptCustM(k_2241,y)) is true.
RESULT inj-event(termCust(k_4434))==>inj-event(acceptBank(k_4434)) is true.
RESULT event(termBank(k_6447,y_6448))==>event(acceptCust(k_6447,y_6448)) is true.
RESULT not attacker(K2[]) is true.
RESULT not attacker(K1[]) is true.

7. Conclusion

In this paper we propose a novel signcryption scheme based on two hardness assumptions, namely the conic based RSA assumption and the conic curve discrete logarithm problem. In addition to security properties like confidentiality, integrity and authenticity, the proposed scheme ensures forward secrecy and ciphertext authentication, as well as ciphertext anonymity. Even if a legitimate user's private keys are exposed, an attacker cannot recover the previously encrypted messages. Further, the receiver need not reveal his private keys or the original message to the verifier for dispute resolution. The scheme is designed on conic curve groups over $Z_n$; hence, the computational cost is mainly attributed to simple conic curve scalar multiplications. Messages can be easily encoded and decoded in conic curves. Moreover, the proposed signcryption scheme remains secure against the low private key exponent attacks prevalent in the original RSA cryptosystem. The proposed protocol was used to design a secure e-payment system with forward secrecy, ciphertext authentication and ciphertext anonymity. The resulting e-payment system offers resistance to replay attacks, man-in-the-middle attacks, server
spoofing, impersonation attacks and double spending. The work-
flow of the protocol was illustrated using a detailed numerical
6.3.5. Transferring phase example. The reachability properties and correspondence asser-
On receiving the tuple ðc4 ¼ 56; r 4 ¼ 34; T 4 ¼ 1355Þ, the cus- tions of the system was analyzed and validated by automated
tomer computes D49 ð56Þ ¼ 889 ¼ PC ðM 4 Þ, KH77 ð56kIDM kIDC Þ ¼ 34. cryptographic verification tool ProVerif.
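The key-point recovery $d_M x_{1M}\sigma_3 = a_2$ and the public check $e_C s_3 Y_C = r_3 G_C$ from the Merchant's unsigncryption above, in runnable form, as an added example that is not the paper's code. It assumes a Cao-style conic $x^2 - ay^2 = 1$ over $Z_n$ with the $t$-parameter group law $t_1 \oplus t_2 = (t_1 t_2 + a)/(t_1 + t_2)$, the relation $x_1 Y = G$ read off from $37P(70) = P(4)$, constructed parameters $p = 11$, $q = 13$, $a = 2$ (group exponent 84, matching $e_M d_M \equiv 1 \pmod{84}$), one shared modulus for both parties, and a constructed $x_{1C} = 43$ in place of 45 (not invertible mod 84), so the $P(t)$ values of the paper are not reproduced.

```python
# Added example (not the paper's code): toy model of the conic-curve recovery and
# verification steps walked through above. Assumed Cao-style conic x^2 - a*y^2 = 1 over
# Z_n (n = p*q), points written P(t), group law t1 (+) t2 = (t1*t2 + a)/(t1 + t2), with
# a a quadratic non-residue mod p and mod q so the group exponent is lcm(p+1, q+1).
from math import lcm

P_, Q_, A = 11, 13, 2       # constructed: n = 143 as in the example; a = 2 is a non-residue mod 11 and 13
ORD = lcm(P_ + 1, Q_ + 1)   # 84, the modulus in which e*d = 1 (23*11 = 253 = 1 mod 84 above)
INF = None                  # point at infinity, the group identity

def add_fp(t1, t2, p):
    """P(t1) + P(t2) over F_p in the t-parametrisation (INF is the identity)."""
    if t1 is INF: return t2
    if t2 is INF: return t1
    s = (t1 + t2) % p
    return INF if s == 0 else (t1 * t2 + A) * pow(s, -1, p) % p   # t2 = -t1 gives the identity

def mul_fp(k, t, p):
    """Double-and-add scalar multiplication k*P(t) over F_p (point order divides p+1)."""
    acc = INF
    for bit in bin(k % (p + 1))[2:]:
        acc = add_fp(acc, acc, p)
        if bit == "1": acc = add_fp(acc, t, p)
    return acc

def point(t): return (t % P_, t % Q_)   # P(t) over Z_n held CRT-style, so partial infinities are safe
def mul(k, pt): return (mul_fp(k, pt[0], P_), mul_fp(k, pt[1], Q_))   # k*P(t) over Z_n

def keygen(G, x1, e):
    """Conic-RSA pair (e, d) and DLP secret x1 with public Y = x1^-1 * G, i.e. x1*Y = G as in
    37*P(70) = P(4) above. x1 must be invertible mod ORD."""
    return pow(e, -1, ORD), mul(pow(x1, -1, ORD), G)

def signcrypt(v, r, e_rcv, Y_rcv, d_snd, x1_snd):
    """Sender side of steps 1-3: sigma = v*e*Y hides the key point v*G; s = d*x1*r signs r."""
    return mul(v * e_rcv % ORD, Y_rcv), d_snd * x1_snd * r % ORD

def recover_key_point(d_rcv, x1_rcv, sigma):
    """Receiver side, Eqs. (9)/(10): d*x1*sigma = v*G, the point hashed into (k1', k2')."""
    return mul(d_rcv * x1_rcv % ORD, sigma)

def verify(e_snd, Y_snd, s, r, G):
    """Public check e*s*Y == r*G: no private key needed, so an outside verifier can run it."""
    return mul(e_snd * s % ORD, Y_snd) == mul(r, G)

if __name__ == "__main__":        # Merchant e_M=11, x1_M=37 and Customer e_C=23 from the example; x1_C=43 constructed
    dM, YM = keygen(point(4), 37, 11)
    dC, YC = keygen(point(2), 43, 23)
    sigma, s = signcrypt(15, 40, 11, YM, dC, 43)
    print(recover_key_point(dM, 37, sigma) == mul(15, point(4)), verify(23, YC, s, 40, point(2)))
```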