ISSN:2229-6093
Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034
R. K. Pateriya
Computer Science & Information Tech. Dept.
Maulana Azad National Institute of Technology
Bhopal, India
e-mail: pateriyark@gmail.com
In Public key cryptography a message is sent after applying
the digital signature and encryption techniques by the
sender. These techniques are used so that the message
properties such as confidentiality, integrity and
unforgeability are maintained and the non-repudiation can
be ensured at the receiving end. The digital signatures and
encryption mechanisms can be combined to form a single
logical step called Signcryption. In this paper a
Signcryption scheme is suggested which is based on Elliptic
Curve Cryptography (ECC). The scheme provides
additional security features which include the property of
forward secrecy, public verifiability and counter steps for
resistance to Side Channel Attacks (SCAs) are also taken.
The proposed scheme provides better performance aspect
for the security feature provided; compared to the
traditional Signature-then-Encryption schemes based on
ECC.
Keywords- Signcryption, Elliptic Curve Cryptography, public
verifiability, forward secrecy, Side Channel Attacks.
Security in computers means that the information is
protected from unauthorized or accidental disclosure while
the information is in transit (either electronically or
physically) and while information is in storage.
One essential aspect for secure communications is that of
cryptography. Cryptography not only protects data from
theft or alteration, but can also be used for user
authentication. The common cryptographic schemes
typically used are secret key (or symmetric) cryptography
and public-key (or asymmetric) cryptography.
With secret key cryptography, a single key is used for
both encryption and decryption. The sender uses the key in
order to encrypt the plaintext and sends the ciphertext to the
receiver. The receiver applies the same key in order to
decrypt the message to recover the plaintext. Since a single
IJCTA | JULY-AUGUST 2011
Available online@www.ijcta.com
Shreeja Vasudevan
M.Tech. (Computer Science) Scholar
Computer Science & Information Tech. Dept.
Maulana Azad National Institute of Technology
Bhopal, India
e-mail: shreeja_vasudevan@yahoo.com
key is used for both functions, the difficulty with this
approach is that of the distribution of the key.
The public key cryptography technique employs two
keys that are mathematically related. One key is used to
encrypt the plaintext and the other key is used to decrypt the
ciphertext. One key is called the private key which is kept
secret and other key is designated as the public key and may
be advertised as widely as the owner wants. In this scheme
there is no difficulty regarding the distribution of keys. But
the computational cost is greater than symmetric key
cryptography.
Now-a-days public key cryptography is used extensively
due its stronger security features than symmetric key
cryptography. The public key cryptography technique relies
upon the digital signatures and encryption methods to send a
message ensuring the confidentiality, integrity,
unforgeability and non-repudiation of communication.
Accordingly the steps involved in the traditional method of
Signature-then-Encryption are:-
The Sender first digitally signs and then encrypts the
message.
Receiver verifies the S
the encrypted message.
The digitally signing and encrypting steps can be
combined into a single logical step, called Signcryption.
The public key cryptographic technique has evolved and
ECC has been proved to be better in terms of security
provided per bit compared to the traditional technique, such
as RSA. Similarly the adoption of ECC in Signcryption
schemes has also proved out to be beneficial.
Signcryption is relatively a new term in the literature;
introduced in 1996. The efficacy of Signcryption became
evident in 1997 when Yuliang Zheng [1] illustrated that the
Cost (Signcryption) << Cost (Signature) + Cost
(Encryption) in terms of computational cost as well as
communicational overhead. The Signcryption scheme was
1025

Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034
point at infinity and the points, which satisfy the
Elliptic Curve equation. The standard domain
parameters are defined [13]. The protocols
implementing ECC can also specify the domain
parameters.
ECC follows the group law and
logarithm problem. From the ECDL problem it is evident
that the major operation involved in ECC is point
multiplication. i.e. multiplication of a scalar k with a point P
on the curve to obtain another point Q on the curve.
Point Multiplication: Points P and Q lie on the elliptic
curve such that when P is multiplied with a scalar k to
obtain the point Q,
kP=Q,
The point multiplication operation involves series
of point addition and point doubling operations. The
doubling and addition method is illustrated as follows:-
If k = 23, then kP P = 2(2(2(2P) + P) + P) + P
The scalar which is used for point multiplication is
chosen from the range [0, n 1]. The hierarchy of
operations involved in the multiplication operation is
shown in Figure 1. The EC point multiplication involve
the EC point Addition and EC point double operations;
addition, subtraction, multiplication and division /
inverse.
Side Channel attacks are the attacks which are based on
the Side Channel Information obtained from the physical
implementation of the cryptosystems. The Side Channel
Information can be power consumption, timing information
and electromagnetic leaks.
Figure 1. Hierarchy of the operations involved in Point
Multiplication.
In case of the prime field arithmetic; the point
addition and point doubling operations require
computation of multiplicative inverse, which is an
expensive operation. Representation of Elliptic curve
points (affine coordinates) as projective coordinates has
the advantage of reducing the multiplicative inverse
operation [6]. With projective coordinates just a single
IJCTA | JULY-AUGUST 2011
Available online@www.ijcta.com
ISSN:2229-6093
multiplicative inverse operation is required. The
number of scalar multiplications required in the case of
projective coordinate system is more in contrast to the
affine coordinate system. Thus scalar multiplications on
projective coordinates should be more efficient
compared to the multiplicative inverse operation. The
Standard projective coordinates and the Jacobian
projective coordinates are defined as follows: -
Standard projective coordinate in the field Fq: Here
a point is represented as (X, Y, Z) and the
corresponding affine coordinate point is (X/Z, Y/Z).
The equation for the elliptic curve is:
Y2 Z = X3 + aXZ2 + bZ3,
where Z 0. The point (0, 1, 0) is considered as the
point at infinity.
Jacobian Projective coordinate in field Fq: In
Jacobian projective coordinate system a point is
represented as point (X, Y, Z) and the
corresponding affine coordinate point as (X/Z2,
Y/Z3). The equation for the elliptic curve is:
Y2 = X3 + aXZ4 + bZ6,
where Z 0. The point (1, 1, 0) is considered as the
point at infinity.
The NIST, ANSI and SEC2 specification
recommend curves with domain parameter value a = 3
for more efficient EC double operations and Z = 1 for
EC addition operations.
Power consumption attacks: These attacks are based on
analyzing the power consumption of the unit while it
performs the cryptographic operations. It can be Simple
Power Analysis (SPA) attack or Differential Power
Analysis (DPA) attack. SPA is a technique that
involves direct interpretation of power consumption
measurements collected during cryptographic
operations. DPA consists of visual and also statistical
analysis and error-correction statistical methods, to
obtain the information about the keys. The high
computational complexity of the multiplication
operations in case of asymmetric operations tend to
strong signal leakage.
1027
 ISSN:2229-6093
Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034

TABLE I. THE COMPUTATIONS REQUIRED FOR ALGORITHM 1 AND ALGORITHM 2

In terms of
In terms of M,S,A and I
M
Jacobian
Algorithm 1 (Add and Double) - (4M + 6S) (n-1)+(12M + 4S) (n-1) / 2 2607.6M
Projective
Jacobian
Algorithm 1 (Add and Double) 3 , Z =1 - (4M + 6S) (n-1)+(8M + 3S) (n-1) / 2 2289.2M
Projective
Jacobian
Algorithm 1 (Add and Double) a= - (4M + 4S) (n-1)+(12M + 4S) (n-1) / 2 2353.2M
Projective
Jacobian
Algorithm 1 (Add and Double) a= 3,Z=1 - (4M + 4S) (n-1)+(8M + 3S) (n-1) / 2 2034.8M
Projective
Algorithm 2 (Improved Coron (13n+7)M + (4n+1)S + 1I 2629.8M
Standard
Montgomery ladder ) + 3
Projective Joye -Tymen (13n+14)M + (4n+3)S + 1I 2638.4M
Algorithm A.1(xECADDDBL)
Algorithm 2 (Improved
Standard
Montgomery ladder ) + a= 3 Coron (11n+9)M + (4n+1)S + 1I 2311.8M
Projective
Algorithm A.1(xECADDDBL)
Algorithm A.2 ( y-coordinate Standard
- - 13M+2S+1I 44.6M
recovery ) Projective

Unsigncryption algorithm which is used to unsigncrypt the

signcrypted message. (S;U) satisfy the following conditions;
1)Unique Unsigncryption: If S is used to signcrypt a
message M, the U must uniquely unsigncrypt the
signcrypted message back to the original message M.
2) Security: The Signcryption scheme should maintain
the message security feature of confidentiality of message
contents, unforgeability and non- repudiation.
3) Efficient: The Signcryption method should yield
better performance, both in terms computation and
communication than the Signature-then-Encryption counter
part.
Prior to the application of algorithms (S;U) an
initialization phase is introduced where the domain
parameters are chosen, the keys of the sender and the
receiver are generated and the suitable parameters are
distributed.
In the Signcryption algorithm the sender uses its private
public key to
generate a secret key for symmetric encryption of the
message.
In the Unsigncryption phase the recipient of the
encrypted message and the signature uses his private key to
obtain the same secret key.
The traditional Signcryption scheme provides the direct
verifiability through the sender and indirect verifiability
through a judge who performs the verification with the help
of the parameters provided by the recipient of the message.
The judge verification phase is optionally required to ensure
non-repudiation when there is a disagreement between the
sender and the recipient; i.e when the sender denies the
sending of the message to the receiver.
The proposed Signcryption scheme is based on ECC with
performance advantages over the traditional Signature and
then Encryption schemes. The measures to resist the Side
Channel Attacks (SCAs) are also taken; which were not
considered in any of the previous works. The scheme
provides the security properties of message confidentiality,
authentication, integrity, unforgeability and non-repudiation,
along with forward secrecy of message confidentiality and
public verifiability. The Signcryption scheme presents a
trade off between the additional security and performance
prospects with respect to the previous works [6, 10] which
is discussed in the following sections.
There are four phases involved; namely Initialization
phase, Signcryption phase, Unsigncryption phase and Judge
Verification phase. The Signcryption phase, Unsigncryption
phase and Judge Verification phase are explained with the
help of respective algorithms.
A large prime number q is selected, where q > 2 160. E the
selected elliptic curve over finite field q: y2 mod q = x3 + ax
+ b mod q. a b q and satisfy 4a3 +
2
27b mod q . Some preconditions are suggested [10] so
that the scheme is resistant to the attacks on the elliptic
curve. The base point G of elliptic curve E(Fq) should be of
a prime order n, or equivalently n · G = O, where O is a
elliptic curve point at infinity, to resist the small subgroup
attacks. The parameter n and q should be chosen in such a
way that n < 4 q and n should not divide qi - 1 for all i
V (where V = 20 meets the requirements), n q should be
satisfied, and the curve should be non-supersingular. In
order to keep the intractability of ECDLP to the Pollard-rho

IJCTA | JULY-AUGUST 2011 1029

Available online@www.ijcta.com
 ISSN:2229-6093
Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034

Integrity If the message content is changed then the
ciphertext C is changed to and consequently a value
is obtained, instead of v. This change is detected at
the time of verification and the message gets rejected.
So the integrity of the message is confirmed.
Unforgeability For forging the message the private
key of Bob (dB) is required, which is kept secured with
Bob. Thus the property of unforgeability is maintained
with the secrecy of the secret key dB.
Non-repudiation In the case of denial by Alice
regarding the sending of the message, Bob can send the
parameters (R, C, s) required by the judge to verify and
ensure the property of non - repudiation.
Forward secrecy of message confidentiality The
disclosure of the private key of Alice, dA is not enough
to decrypt the previous messages encrypted by Alice.
The parameters r and v both should also be known to
decrypt the messages. For each message the values of r
and v are different. For obtaining r and v the ECDLP
have to be solved.
Publicly verifiability The steps involved in
verification does not involve the session keys or the
secret keys of any party. So any entity can verify
without the need of decryption of the message.
Resistance against the SPA and DPA attacks Point
multiplication performed using Algorithm 2 along with
the randomization of parameters using Coron or Joye
Tymen method for parameter randomization, provides
resistance from the SPA and DPA attacks respectively.
Thus the security features provided by the
Signcryption scheme, mainly depends on the secrecy of
r and dB, which are the empirical and static secret keys,
respectively which are used in the Signcryption and
Unsigncryption phases.
Algorithm 2 (SCA resistant) is not used in the point
multiplication operations involved in calculating; .
So the values of s and v can be obtained by the adversary
through SCA. Even then the security properties are
maintained by the scheme since the random number r
remains secret.
heme [7] are also removed
by the protocol, by carefully selecting the parameters and
deriving the secret key from random number r, and
including the identifiers of the communicating parties.
In TABLE II, the comparison of the Signcryption
schemes which were introduced earlier and the proposed
Signcryption scheme is shown. The comparison is based on
the key security features. The description Directly in the
Non-repudiation column means that the Signcryption
scheme provides the property of Non-repudiation without
the need of zero knowledge proof protocol.
The costs involved in the Signcryption schemes are
represented in the terms of the computational cost and the
communication overhead. The operational costs involving
machine cycles take the form of the computational cost. The
additional bits which are transferred excluding the message
bits, is referred to as the communication overhead. The
compliance of the proposed scheme with the condition of
efficiency (Section 2.3 (3)) of the Signcryption scheme is
presented as follows.
The computational cost is the most for the point
multiplication operation. TABLE III presents the
mathematical operations involved in the different
Signcryption schemes. The traditional Signature-then-
Encryption method based on ECC involves 6 point

TABLE II. COMPARISION O F THE SIGNCRYPTION SCHEMES BASED ON THE SECURITY FEATURES

Proposed Scheme Yes Yes Yes Directly Yes Yes Yes

a a a
R.J. Hwang et al.[6] No No No Directly Yes No No
Additional
H.Y. Jung et al.[5] Yes Yes Yes No Yes No
Protocol
C. Gamage et al.[4] Yes Yes Yes Directly Yes No No
F. Bao & R. H. Deng[3] Yes Yes Yes Directly Yes No No
Additional
Y. Zheng and H. Imai[2] Yes Yes Yes No No No
Protocol
Additional
Y. Zheng[1] Yes Yes Yes No No No
Protocol
a
According to M. Toorani and Beheshti Shirazi [7]

IJCTA | JULY-AUGUST 2011 1031

Available online@www.ijcta.com
 ISSN:2229-6093
Shreeja Vasudevan et al, Int. J. Comp. Tech. Appl., Vol 2 (4), 1025-1034

Figure 2. Comparison of the various Signcryption schemes Figure 4. Comparison of the various Signcryption schemes
with a 3 and Z with a = 3 and Z 1.

Figure 3. Comparison of the various Signcryption schemes Figure 5. Comparison of the various Signcryption schemes
with a 3 and Z = 1. with a = 3 and Z = 1.

Point compression is used to represent the points

belonging to Elliptic Curve E. In this paper we have discussed a Signcryption scheme
which provides the security properties of message
Here p is a prime, m is an integer and q is a large prime confidentiality, authentication, integrity, unforgeability and
having size approximately equal to |pm|, H is a one-way hash non-repudiation, (without the need of zero knowledge proof
function. protocol) along with forward secrecy of message
The communication overhead measured in bits for confidentiality and public verifiability. The measures
Signature-then-Encryption [2] (based on SECDSS1 and against SCA are also considered by the proposed method
ElGamal encryption) is; which was not considered by the previous works. The
Signcryption along with the deployment of ECC has
|H q| + | pm H | + 2|q| tremendous scope attributed to the suitability in constrained
environments due to and savings in computational and
The communication overhead measured in bits for the communicational overhead.
proposed Signcryption scheme is ;

|q| + | q q| [1] Achieve

Cost(Signature & Encryption) Cost(Signature) + Cost
Economy = ((|H q|) (2|q|)) / (|H q|) = 20% Advances in Cryptology (Crypto97LNCS),
Vol. 1294, Springer-Verlag, 1997, pp. 165 179.
The saving in communication overhead is 20% compared [2]
signcryption schemes on elliptic Information
to the Signature-then Encrypt scheme based on ECC. Processing Letters, Vol. 68, Issue 5, 1998 pp. 227 233.

IJCTA | JULY-AUGUST 2011 1033

Available online@www.ijcta.com