Message mapping and reverse mapping in elliptic curve cryptosystem

Transcription

1 SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2016; 9: Published online 22 November 2016 in Wiley Online Library (wileyonlinelibrary.com) RESEARCH ARTICLE Message mapping and reverse mapping in elliptic curve cryptosystem Aritro Sengupta* and Utpal Kumar Ray Department of Information Technology, Jadavpur University, Kolkata, India ABSTRACT Elliptic curve cryptography is used as a public-key cryptosystem for encryption and decryption in such a way that if one has to encrypt a message, then they attempt to map the message to some distinct point on the elliptic curve by modifying the message using a mapping algorithm. Although the arithmetic involved in elliptic curve cryptography is computationally less complex than other cryptographic algorithms, but conversion of simple messages to points on the elliptic curve has always been challenging. In this paper, we discuss the different schemes of message mapping in elliptic curve cryptosystem, the flaws of each method, and how vulnerable they are to cryptanalysis. We also derive the guidelines of a good message mapping scheme in elliptic curve cryptosystem. In the later part of this paper, we will discuss about a new mapping scheme that is resistible to frequency analysis and other forms of cryptanalysis. Copyright 2016 John Wiley & Sons, Ltd. KEYWORDS elliptic curve; elliptic curve cryptography; message mapping; public key cryptosystem; encryption; decryption; security analysis *Correspondence Aritro Sengupta, Department of Information Technology, Jadavpur University, Kolkata, India. asg.ju2012@gmail.com 1. INTRODUCTION Elliptic curve cryptography (ECC) was discovered in the year 1985 by Neal Koblitz and Victor Miller [1]. ECC schemes are public-key mechanism similar to RSA and other primitive algorithms. ECC is an attractive publickey cryptosystem for resource-constrained devices because compared with traditional cryptosystems like RSA/DH, it offers equivalent security with smaller key sizes, faster computation, lower power consumption, and memory and bandwidth savings [2]. Cryptographic algorithms based on discrete logarithm problem [3,4] and ElGamal algorithm can be efficiently implemented using elliptic curves. Unlike standard public-key methods that operate over integer fields, the elliptic curve cryptosystems operate over points on an elliptic curve. Similar to other public key cryptosystem, the security level of ECC also depends on the sizes of the keys used [5]. 2. ELLIPTIC CURVE CRYPTOGRAPHY Elliptic Curve Discrete Logarithmic Problem (ECDLP): Elliptic curve cryptosystems over finite field have some advantages compared with other cryptosystems. First of all, the key size of ECC is much smaller compared with other cryptosystems like RSA, Diffie-Hellman [6]. Secondly, ECC relies on the difficulty of solving the ECDLP [4]. ECDLP states that if there exists an elliptic curve E defined over a finite field F p, two point P, Q 2 E(p), then it is very difficult to find the integer k such that Q = kp. Elliptic curve cryptography consists of three distinct operations: key generation, encryption, and decryption [1,7,8]. These three operations are very much required to formulate a valid cryptosystem. In ECC, the message is mapped to a valid point P m on the curve. The message point P m is then encrypted, and we obtain a pair of cipher points C m. Subsequently, this C m is decrypted to obtain back the original message point P m. For the key generation operation, we need a point G, also called as the generator point. The order of G is always equal to the order of the elliptic curve group E p (a, b) where a, b are elliptic curve parameters and p is a large prime integer. A large integer n B (n B < p) is kept as the Private Key, and the point P B = n B G is declared as public. It is to be noted that the information about the elliptic curve E p (a, b) and the corresponding generator point G has to be made public also. Otherwise, the encryption would not be possible. Copyright 2016 John Wiley & Sons, Ltd. 5363

2 Message mapping and reverse mapping in elliptic curve cryptosystem A. Sengupta and U. K. Ray For encryption, the sender chooses a random positive integer k(k < p). He then uses the public key P B to generate the cipher point C m that consists of two points. The cipher point C m is given by C m =[{k G}, {P m + (k P B )}]. The sender then sends the pair of cipher point C 1 and C 2 (both together C m ) to the receiver. The receiver upon receiving the cipher point pair C m multiplies the first point in the pair by its own secret or private key and subtracts the result from the second point as shown in the following. 2nd point n B * 1st point = C 2 n B C 1 ={P m +(k P B )}{n B (k G)} = P m + k*(n B G)n B (k G) = P m P m is the original (x, y) point on the curve that was encrypted by the sender. 3. MESSAGE MAPPING IN ELLIPTIC CURVE CRYPTOGRAPHY The primary question that arises at this stage with respect to this paper is that, what is message mapping and why it is so important in elliptic curve cryptography? We all know that smaller key size, faster computational ability makes ECC too important to be ignored even in the era of transition from classical cryptography to quantum cryptography. The problem with ECC is that it deals with (x, y) coordinates only, whereas messages that are sent generally consists of alphabets, numbers, and symbols. In ECC, a point P m on the curve is encrypted to a pair of points C m (C 1, C 2 ) on the curve as discussed earlier. But the area of concern lies in the generation of point P m from plaintext message M. The process of generation of point P m from plaintext message M is known as mapping. Our focus should not only be confined to mapping the message but it must also ensure that after the receiver decrypts C m,he can obtain back the original message M from P m. This process is known as reverse mapping. The total process is illustrated in Figure GUIDELINES FOR A GOOD MESSAGE MAPPING SCHEME A good mapping scheme must follow several guidelines. These guidelines have been derived in the following: (a) Mapped points should be on the elliptic curve. This is the first and foremost requirement for a successful mapping scheme. We know that the ECC algorithm encrypts a point on the elliptic curve to a pair of cipher points. So intuitively, it can be said that unless the message is mapped to a point on the elliptic curve, encryption using ECC will be impossible. F(m)! (x, y) 2 E p (a, b) where m is the message and F is the mapping function. (b) Secondly, mapping should always be invertible so that the receiver after decryption can reverse map the points to original plain text. If F(m)! (x, y), then it is possible to obtain back m by F 1 (x, y). (c) It has been discussed earlier that the hardness of ECDLP makes ECC less vulnerable compared with other classical cryptographic algorithms. Message mapping in ECC also plays a significant role as it decides how vulnerable the encrypted message is to attacks. For example, consider a mapping scheme, where a character m in a message M is always mapped to a single point P m on the curve. P m is subsequently encrypted to a pair of points C m.itis worth a note that the character m will always yield the same pair of points C m. Upon observing the frequency of C m, an attacker can perform frequency analysis and determine the character m that corresponds to C m. This example gives an idea of how crucial message mapping in ECC is. So another criteria for successful mapping is that it should avoid frequency analysis. (d) The hardness of ECDLP depends on the key size. An optimal level of security in ECC is achieved Figure 1. Pictorial representation of mapping and reverse mapping in elliptic curve cryptography (ECC) Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd.

3 A. Sengupta and U. K. Ray Message mapping and reverse mapping in elliptic curve cryptosystem only if the key size is large enough. An ECC with p-bit key size would produce pair of cipher points C m (= C 1, C 2 ) comprising of 4*p bits (because each point contains two coordinates x and y of p-bits each). If each character in a message is mapped separately, then for each character 4*p-bit bandwidth is used. Thus, if the message contains n characters, a total of 4*p*n bits (say S where S is total size) would be sent to the receiver. We know that p needs to be large and its size cannot be compromised. If the size of the message is large, then S will be significantly large, and this would make the data transmission expensive and unhealthy as it may lead to network congestion and data integration loss. A good mapping scheme should ensure that S is relatively small even if n and p are large. In other words, a good message mapping scheme must reduce the use of unnecessary bandwidth. (e) A good mapping scheme should not take much time to map the message to points on the map. Bulk of the time in ECC is consumed during key generation, encryption, and decryption. If the mapping and reverse mapping takes significant amount of time, then it makes the total ECC algorithm ineffective as time is an important factor in public key cryptosystem. 5. VARIOUS MESSAGE MAPPING SCHEMES There are several mapping schemes that are used to map a plaintext message to a point on the elliptic curve. Some of the schemes are discussed in the following: 5.1. Description of existing schemes SCHEME I: The first mapping scheme [9] finds a generator point G (also known as base point) and maps each character in the plaintext to a point on the elliptic curve by multiplying the ASCII value of the corresponding character of plaintext with the generator point G. For example, we know that the ASCII value of character A is 65 so it will be mapped to point 65*G where G is the generator point of E p (a, b). This scheme is a primitive scheme and faster than other mapping scheme. It is still in use where the time taken to map is given more priority than the security involved in it. SCHEME II: Another mapping scheme [10] is the matrix-based mapping scheme. This method is the combination of the previous generator point-based mapping and a matrix to permute the position of the points. Alice chooses an elliptic curve E p (a, b) and a generator point G and declares these as public. She then maps the alphabet A to G, Bto2*G, Cto3*G, and so on. She stores these values in a file called Elliptic Curve Data File and declares it public. The message is padded with space ((0,0) on E p (a, b)) to make the message size a multiple of 3. The message points are arranged to form a 3 r matrix called M. She then selects a non-singular matrix A such that det(a) = 1 and multiplies to obtain Q = AM. Because A is a non-singular matrix consisting of integers and M is a matrix consisting of points in E p (a, b), Q = AM is nothing but a matrix of size 3 r of various points situated on the curve E p (a, b). Now, the elements of Q matrix (which are points on elliptic curve E p (a, b)) will be encrypted, and the corresponding cipher points will be generated. These points will be sent to Bob. Bob decrypts all the cipher points to obtain back matrix Q. Once Q is generated Bob obtains back original message matrix M from M = A 1 Q. Using matrix M, Bob will obtain back the original message. SCHEME III: The third mapping scheme is Fixed Length Block Mapping Technique [11]. It says that the text message could be represented with all 128 symbols included in the standard ASCII codes. The mapping algorithm for fixed length block message is given in the following. Mapping algorithm at the sender: At first, the number of blocks in the message is determined. The first block is XORed with the initial vector (IV). Then this value (AT) is multiplied with the generator point to obtain the transformed point P mt. Similarly, the subsequent ith blocks are XORed with the (i 1) th block and the same process is repeated till the whole message is mapped. So, we obtain an array of P mt s. All these P mt s are encrypted by the sender using ECC and then sent to the destination. Reverse mapping algorithm at the destination: Firstly, we obtain back the P mt s after decrypting the received message. Then the first P mt will be divided by the generator point to obtain back AT. This AT value is XORed with initial vector (IV) to obtain back the original character in the message. Similarly, the subsequent ith blocks are XORed with the (i 1) th block, and this process will be repeated till the total message is retrieved back. SCHEME IV: The next mapping scheme [12] gives a probabilistic mapping method to map plaintext messages on an elliptic curve. Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd. 5365

4 Message mapping and reverse mapping in elliptic curve cryptosystem A. Sengupta and U. K. Ray A message M(8-bit ASCII) is transformed to x j =(M.K + j) mod p; where K is a random integer such that (M +1)K < p. If z j (x 3 j + ax j + b) mod p has a quadratic residue y j (say) then map M to (x j, y j ) else return unsuccessful in attempt to map M to an EC point. SCHEME V: The next mapping scheme [13] considers only digits (0 9) and alphabets (A Z) and converts them to numbers from 0 to 35 (say m). A base parameter k is chosen, and both parties agree upon this. For each number m, x is calculated from the equation x = mk + i. If a corresponding y exist for x, then (x, y) is the mapped coordinate for m ; else i is increased by one and again x is calculated and the value of corresponding y is sought. The value of (x and y) is expected to be solved before x = mk + k 1. At the receiving end, the value of m is obtained by performing (x 1)/k, and it is reverse mapped to the corresponding digit or alphabet Security analysis of previous message mapping schemes SCHEME I: The mapping discussed in scheme I is always one-to-one, and hence, there is a chance that the cryptanalyst may observe the encrypted points and then analyze the regularities of the language by frequency analysis. Let E p (a, b) be the elliptic curve used. Character m in message M is mapped to a point P m on the curve, and P m is subsequently encrypted to C m. The frequency analysis takes place as follows: Step 1: The attacker Eve snoops into the conversation between sender and receiver. Step 2: Eve gathers the entire C m s sent by the sender. Step 3: Eve finds the frequency of all C m s. Step 4: Eve maps the most frequently occurred C m to the alphabet e and so on. The distribution list of English alphabet is readily available [14]. Step 5: Likewise, Eve can obtain the original plaintext M and generate a list that contains the plaintext character m and its corresponding cipher C m. The frequency analysis helps the attacker to obtain a plaintext character and its corresponding cipher point. He can consult it in the near future to obtain the original plaintext by snooping on the sent cipher points. Also this kind of mapping is vulnerable to all attacks where a plaintext character and its corresponding cipher point pair is readily available to the attacker. So this scheme is vulnerable to known plaintext attack, chosen plaintext attack, and chosen ciphertext attack where an attacker can obtain a plaintext character and cipher point pair. SCHEME II: In this scheme, each connection needs to have a separate matrix M for permutation. Maintaining a separate matrix M for each connection is hectic. Moreover, matrix M needs to be sent securely to the receiver before transmitting the encrypted data. Although the paper does not talk about any protocol to exchange the matrix, but if one wishes to use a key exchange protocol, it will be susceptible to man-in-the-middle attack. The matrix multiplication discussed in this scheme helps to permute the points to avoid direct frequency analysis, but this method becomes vulnerable if the intruder somehow manages to know the matrix A used for multiplication. The matrix can be easily retrieved by an intruder by using a chosen plaintext attack and then consulting the Elliptic Curve Data File. For example, Alice has a non-singular matrix A (it is kept secret) whose contents are given in the following: A = The chosen plaintext attack takes place as follows: Step 1: Eve, the intruder submits a message consisting of only character A to Alice to obtain the cipher points. Step 2: The contents of the 3 1 matrix M used by Alice for multiplication would be 2 3 G M = = (9, 10) where G is a generator point (9,10) in E 31 (1,13). Character A is represented by 1 G = G Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd.

5 A. Sengupta and U. K. Ray Message mapping and reverse mapping in elliptic curve cryptosystem Step 3: Multiplication of A and M yields (9, 10) Q = AM = (9, 21) = 4 (18, 2) 5 (9, 10) Step 4: The three points (9,21), (18,2), and (9,10) are sent to Eve. Step 5: Upon consulting the three points and the Elliptic Curve Data File, Eve will find out that (9,21) is nothing but 1 G. Similarly, (18, 2) = 2 G and (9, 10) = 1 G. These values ( 1, 2, 1) represent the first column of the matrix. Step 6: Similarly the other columns can be determined easily. Step 7: Once the matrix A is retrieved, the inverse of A is used by Eve to obtain future messages sent by Alice because M = A 1 Q. Matrix M contains elliptic curve points without any permutation. Step 8: Frequency analysis on the points in matrix M will give the original plaintext. So, this scheme is vulnerable to a chosen plaintext attack. SCHEME III: Although the method discussed in scheme III eliminates direct frequency analysis by using XOR function to substitute the original points but the cryptanalyst can exploit the properties of XOR function to find the initial vector using chosen plaintext attack. Once the initial vector is known to the cryptanalyst, he can retrieve the points without substitution and then observe the pattern of the points for frequency analysis. We all know the properties of XOR are A A=0 and (A B) C=A (B C). In this scheme, P m is the generator or base point in E p (a, b). Eve has the cipher points for every point P mt = i*p m for i = 1 to 256. The attack takes place as follows: Step 1: Eve sends a string consisting of a single alphabet of ASCII value X (say) to Alice to encrypt it. Step 2: Alice applies XOR on X and IV. The resultant point would be mapped to P mt = AT*P m where AT is the ASCII value of (X IV) and P m is the generator of E p (a, b). Step 3: Alice now encrypts the point P m to cipher point C m and sends it to Eve. Step 4: As discussed ealier, Eve has the cipher points for every point P mt = i*p m for i = 1 to 256. Eve determines the value of i that corresponds to C m. This value is ASCII of (X IV). Step 5: Eve can determine the value of IV by exploiting the properties of XOR. Because ASCII value of X is already known to Eve he can find out IV by doing XOR with ASCII of (X IV). ASCII of (X IV) ASCII (X) = ASCII of (X IV X) = ASCII of (X X IV) = ASCII of (0 IV) = ASCII of (IV). So it can be concluded that using chosen plaintext attack an intruder can find out the initial vector easily. Upon the discovery of initial vector IV, the intruder can find out the mapping points without permutations. He can apply frequency analysis on this data and find out the original plaintext. Secondly, the initial vector IV should be sent to the receiver securely. No key exchange protocol is discussed in this scheme, but the initial vector must be exchanged securely using some key exchange protocol. This makes this scheme vulnerable to man-in-the-middle attack. SCHEME IV: The drawback of the method in scheme IV is that it is probabilistic in nature. This method maps a character to a point if x 3 j +ax j+b is the quadratic residue modulus p. However, the probability of x 3 j + ax j + b being a quadratic residue mod p is 1/2 because the number of quadratic residues mod p is always p/2. So there may be some characters that can never be mapped to a point in the elliptic curve. For example, if we consider a message m = 22 and p = 23 then according to the equation (M +1)K < p, K will be 1. The message m will not be mapped to any point in the elliptic curve thereby returning unsuccessful attempt to map. Secondly, any message of size M can have 26 M possibilities (considering 26 alphabets only), and if the size of p is not sufficiently larger than 26 M, then a collision attack can easily break this method of mapping because there will be collision at some point while mapping. Choosing p to be greater than 26 M is impossible for large values of M. Hence, this method is vulnerable to a collision attack. Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd. 5367

6 Message mapping and reverse mapping in elliptic curve cryptosystem A. Sengupta and U. K. Ray SCHEME V: The method discussed in scheme V fails against chosen plaintext attack. For example, as given in the paper, the character B in E 751 ( 1,188) will always be mapped to (224,248). So a frequency analysis on the encrypted points will yield the original plaintext (as shown in the cryptanalysis of scheme I). Not only this method is vulnerable to chosen plaintext attack but a frequency analysis after known plaintext attack and chosen ciphertext attack will break this method of mapping. 6. PROPOSED MESSAGE MAPPING SCHEME Our proposed scheme is based on grouping the characters of the message and mapping it. We will take M characters at a time and map it Reverse mapping algorithm Algorithm 2 : Reverse Mapping Algorithm Input: Distinct points (X, Y) on the Elliptic Curve E p (a, b). Output: Original message sent by sender. Steps of the algorithm: Step 1: Begin Step 2: Ignore Y coordinate Step 3: Convert X coordinate into binary number and ignore the last N bits Step 4: Extract the rest of the bits and put it in a bit array Step 5: Start from the right most bit. Consider 8 bits from the array at a time: this 8-bit is nothing but the original alpha-numeric ASCII character which formed the original plaintext. Repeat this step until M characters are retrieved item Step 6: Repeat the earlier steps for each cipher point pair sent by the sender Step 7: End 6.1. Mapping algorithm Algorithm 1 : Mapping Algorithm Input: Message consisting of characters belonging to extended ASCII set. Output: Distinct points (X, Y) on the Elliptic curve E p (a, b) corresponding to the Message. Steps of the algorithm: Step 1: Begin Step 2: a: Consider M characters of the message at a time b: Convert each character into 8-bit ASCII codes c: Insert each 8-bit binary number into an array of length M 8 bits Step 3: Append N 0 s at the end of the array Step 4: Extract the (M 8+N)-bit number from the array, convert it to a decimal number, and store it in X Step 5: a: Find Y from the equation Y 2 X 3 +ax +b mod p b: If Y does not have a solution increment X by 1 and go to step 5a Step 6: After obtaining Y use the distinct point (X, Y) for encryption using ECC Step 7: Repeat step 2 to step 6 until the end of message Step 8: End The value of M and N depends on the overlapping problem and equation (i) described later in this section. The mapping and reverse mapping algorithm is diagrammatically represented in Figures 2 and 3, respectively. X 1, X 2 :::X m represents M characters, and (b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 ) represents 8-bit binary representation of each character Overlapping problem The only problem faced by this algorithm is the overlapping problem. Let us consider first (M 8) bits (where M is the number of characters taken at a time) and N appended zeros at the end (as shown in Figure 4) that forms the x coordinate. Then there remains a possibility that the x coordinate may not find a corresponding y coordinate in any of the 2 N iterations in E(p). So, two or more strings of message may point to only one point on the elliptic curve leading to overlapping and thereby making the algorithm non-invertible. In order to prevent overlapping of points, we should find the optimal size of N for mapping (M 8) bits in E(p). We need to ensure that the number of iterations 2 N is greater than the maximum possible interval of two consecutive x coordinates in E(p). In general, because there is no known algorithm, the maximum interval between two successive x coordinates can be determined only if we find all the coordinates in the curve E p (a, b). But finding out all coordinates in E p (a, b) is equivalent to solving the ECDLP. For curves used in today s communication that have large prime fields p, solving the ECDLP is infeasible, and therefore, finding out all coordinates in a particular curve is impractical. It has been said [15 17] that the points in an elliptic curve E p (a, b) are uniformly distributed. Hence, the maximum possible 5368 Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd.

7 A. Sengupta and U. K. Ray Message mapping and reverse mapping in elliptic curve cryptosystem Figure 2. Steps 2 6 of Algorithm 1. Figure 3. Steps 2 5 of Algorithm 2. Figure 4. Format of x coordinate. intervals of two consecutive x coordinates in E(p) remain almost constant for different values of a and b. From experiments performed in different National Institute of Standards and Technology (NIST) curves, it has been observed that the maximum gap never exceeds a certain value, and 8 bits are enough to prevent overlapping problem [18 20]. Thus, the value of N is taken as 8 bits. The remaining (p 8) bits are used for mapping M characters. Thus, given a value of p, the number of characters that can be mapped in one coordinate is p 8 M 8 (1) Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd. 5369

8 Message mapping and reverse mapping in elliptic curve cryptosystem A. Sengupta and U. K. Ray 7. ENCRYPTION AND DECRYPTION USING PROPOSED MESSAGE MAPPING SCHEME The total elliptic curve encryption and decryption process (including mapping and reverse mapping) takes place as described in the following: At the sender side: Step 1: The value of N is taken as 8 bits. Step 2: Select a value of M that satisfies equation (i). The value of M depends on the sender. In general, the sender must select large value of M as discussed in Section 9. Step 3: Apply mapping algorithm for every M characters in the plaintext. If the number of characters in the plaintext is less than M, extra zeros should be appended. Step 4: After obtaining P m for every M characters, apply ECC to obtain pair of cipher points C m. Step 5: Send C m s to the receiver. At the Receiver side: Step 1: Decrypt all pair of cipher points (C m s) to obtain back the distinct points P m. Step 2: Consider each P m =(x, y) at a time. Step 3: Apply reverse mapping algorithm for each (x, y) coordinate. The total ECC encryption and decryption (including mapping and reverse mapping) process is pictorially shown in Figure EXAMPLE AND ILLUSTRATION The proposed mapping scheme discussed earlier produces a(m*8 + N)-bit decimal number after mapping that is later considered to be the x coordinate in E(p). As discussed earlier, to prevent overlapping and make the mapping invertible, the size of N should be equal j to 8k bits and the value M should be less than or equal to p 8 8. The elliptic curve taken in the example in the following is an NIST recommended curve [21] and abides by the rules of NIST curve. The parameters are a= 3 b = p = In this example, we have taken 192-bit key size elliptic curve. A plaintext message MAPPING AND REVERSE MAPPING IN ELLIPTIC CURVE CRYPTOSYSTEM is taken as input. The total process works as follows: At the sender side: Step 1: The value of N is taken as 8 bits. Step 2: We j choose k a value of M that satisfies equation (i). M We take M as 23. At a time, every consecutive 23 characters will be mapped to a point on the elliptic curve. Step 3: a: The first 23 characters MAPPING AND REVERSE MAP is considered first. Figure 5. Elliptic curve cryptography (ECC) encryption and decryption (including mapping and reverse mapping) Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd.

9 A. Sengupta and U. K. Ray Message mapping and reverse mapping in elliptic curve cryptosystem b: Converted them to 8-bit ASCII values and put it in an array. It produces the following bit string: c: N = 8, so eight zeros are appended at the end of this string d: Assign the 192-bit string to an integer X. The result is X = e: Find Y from the equation Y 2 X 3 + ax + b mod p. The first iteration will yield no solution of Y. Subsequently, X is incremented by one. In the second iteration, Y will yield a nonzero value. So P m for the first 23 characters is ( , ) f: Repeat step 3 until all the characters are mapped. Because number of characters is 58, this mapping algorithm will produce three distinct points P m. Step 4: All three distinct points are encrypted using ECC to produce pair of cipher points C m. Step 5: Cipher points are then sent to the receiver. At the receiver side: Step 1: Decrypt all pair of cipher points to obtain three distinct point P m. Step 2: Consider the first coordinate (X, Y). Step 3: a: We know that N = 8 bits. b: Ignore Y. It is of no use. c: Convert X = to binary number. The result is X = d: N = 8, so 8 bits from the right is ignored. The result is e: Bits are considered at a time from the right and converted to characters. The result is MAP- PING AND REVERSE MAP f: Step 5: Repeat step 3 until all P m s are reversed mapped and all characters are retrieved. It is worth a note that the total number of characters in the plaintext message is 58 and the mapping algorithm yields only 3 mapped points. This is a major improvement as discussed in points (d) and (e) of Section 4. The other advantages of this algorithm is discussed in Sections 9 and SECURITY ANALYSIS OF PROPOSED MESSAGE MAPPING SCHEME It was discussed in Sections 4 and 5 that message mapping in ECC plays a significant role as it decides how vulnerable the encrypted message is to attacks. We know that the security of ECC depends on the hardness of ECDLP. But message mapping makes ECC vulnerable to many primitive security attacks. So in this section, cryptanalysis based on the primitive cryptographic attacks are discussed. The proposed scheme is free from all known cryptographic attacks and provides several security attributes as described in the following: A1: Known plaintext attack The known plaintext attack is an attack model for cryptanalysis where the attacker has both the plaintext and the ciphertext. The plaintext and ciphertext pairs are stored by the attacker and he snoops for any such repetition of Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd. 5371

10 Message mapping and reverse mapping in elliptic curve cryptosystem A. Sengupta and U. K. Ray the stored plaintext ciphertext pair. The frequency of occurrence is taken into account to exploit the encryption function. Our proposed scheme can map any string of characters belonging to 256 extended ASCII table to distinct points on the elliptic curve. Because we are mapping M characters at a time, we have 256 M pair of distinct cipher points and the chance of repetition of the same string of M characters in the future is 1 256M. As the value of M increases, the value of 1 256M decreases. Considering large values of M, this attack would do no good for the attacker. A2: Chosen plaintext attack A chosen plaintext attack is an attack model for cryptanalysis that assumes that the attacker can choose random plaintexts to be encrypted and obtain the corresponding ciphertext. The attacker intelligently chooses a plaintext and obtains the corresponding ciphertext to find any regularities of the encryption algorithm that can help him to uncover the key. Chosen plaintext attacks are effective if the relation between plaintext and ciphertext is one-to-one as this helps in frequency analysis [14]. Although our mapping is one-to-one, it still avoids frequency analysis. The main advantage of this mapping scheme is the difficulty in frequency analysis if M is greater than 4. Researchers have found that a maximum up to four consecutive character analysis is possible. Unigram count frequency analysis, bigram count frequency analysis, trigram count frequency analysis, and four-gram count frequency analysis are possible but frequency analysis of M consecutive character (M >4) count is practically impossible. For example, in unigram analysis, the alphabet e appears most frequently followed by the alphabet t. Similarly, in bigram analysis, the pair th appears most frequently followed by the pair he. These distributions remain more or less the same when any English phrase is considered. But when we analyze the frequency of M (M >4) consecutive characters, the distribution fluctuates and attack using frequency analysis becomes infeasible [14]. So this attack is infeasible if M is sufficiently large. A3: Chosen ciphertext attack A chosen ciphertext attack is an attack model for cryptanalysis in which the cryptanalyst gathers information, by choosing a ciphertext and obtaining its corresponding plaintext. Similar to chosen plaintext attack, this attack is effective if the relation between plaintext and ciphertext is one-to-one. But as shown earlier, frequency analysis of M consecutive characters (M >4) is practically impossible. So this kind of attack is also infeasible as frequency analysis is not possible in this method. A4: Collision attack A collision attack attempts to find two input strings of a hash function that produce the same hash result. Because hash functions have infinite input length and a predefined output length, there is a possibility of two different inputs that produce Table I. Security comparison of proposed scheme with other schemes. A1 A2 A3 A4 A5 Scheme I N N N Y Y Scheme II Y N Y Y N Scheme III Y N Y Y N Scheme IV Y Y Y N Y Scheme V N N N Y Y Proposed scheme Y Y Y Y Y Y, prevents the attack; N, unable to prevent the attack. the same output hash. If two separate inputs produce the same hash output, it is called a collision. This collision can then be exploited by comparing two hashes together. Our proposed scheme is a deterministic approach and does not use any hash function, and hence, collision attack will not be successful. A5: Man-in-the-middle attack A man-in-the-middle attack is a type of cyber-attack where a malicious actor inserts himself into a conversation between two parties, impersonates both parties, and gains access to information that the two parties were trying to send to each other. In our proposed mapping scheme, there is no need to share any information prior to the mapping process. The value of p and N are public and the sender can determine the value of M from equation (i). The receiver too does the same. So no key or information is shared. Hence, a man in the middle attack would be useless in this case (Table I). The security comparison of our proposed mapping scheme with the previous schemes is given in Table I. It shows that our scheme is secure from all known cryptographic attacks which the other schemes are vulnerable to. 10. RESULTS AND COMPARISON All experiments have been conducted in a machine with Intel XeonE5645@2.40 GHz (6core, each core hyper threaded) and 16-GB RAM. The OS is 64-bit Scientific Linux release 6.4 (carbon). The compiler is gcc version The two graphs in the following compare the time taken for encryption (including mapping time) and decryption (including reverse mapping time) by our proposed mapping scheme and scheme V as discussed in Section 5. Figure 6 shows the encryption time taken by scheme V and our proposed scheme; while Figure 7 shows the decryption time taken by scheme V and our proposed scheme. As shown in Figure 6, the time taken to encrypt using our proposed scheme is much less than the time taken by scheme V when large data is considered. It takes 370 s to encrypt a message of size 10 MB using scheme V whereas using our proposed scheme the same data can be encrypted in 27 s. The reason for this huge difference is that in our algorithm, we have considered M characters (in example, we have taken 23 characters) at a time. In comparison, mapping using scheme V (like all other schemes discussed in Section 5) considers only one 5372 Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd.

11 A. Sengupta and U. K. Ray Message mapping and reverse mapping in elliptic curve cryptosystem Figure 6. Encryption time of proposed scheme versus scheme V. Figure 7. Decryption time of proposed scheme versus scheme V. character at a time. Similarly, the time taken for decryption using our proposed scheme is much less than the time taken by scheme V. 11. COMPLIANCE TO THE GUIDELINES OF A GOOD MESSAGE MAPPING SCHEME Our proposed mapping scheme follows all the guidelines of a good mapping scheme discussed in Section 4. The details of the compliance are given in the following: a: Our proposed mapping scheme takes M consecutive characters at once and maps it to a distinct point on the elliptic curve. M consecutive characters are converted to 8-bit binary ASCII values and N consecutive zeros are appended at the end. This value is then assigned to x, and we obtain the corresponding y from the quadratic congruence equation y 2 x 3 + ax + b mod p. If(x 3 + ax + b) is a quadratic residue, then y has solutions. We obtain y by solving the quadratic equation. But if (x 3 + ax + b) isa quadratic non-residue, then y has no solutions. In this case, the value of x is increased by one, and we again calculate (x 3 +ax+b). At one stage, we will obtain an x that has corresponding y. This (x, y) pair is the mapped point. So it can be concluded that no matter what the initial value of x is, at one stage, we will definitely obtain a corresponding y coordinate provided the value of N is taken as 8 bits and equation (i) is followed. This complies with the first guideline that says that the mapped points should be on the elliptic curve. b: The x coordinate contains two parts: 8-bit binary ASCII values of M characters followed by N appended zeros. So when x is increased, only N Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd. 5373

12 Message mapping and reverse mapping in elliptic curve cryptosystem A. Sengupta and U. K. Ray is changed while M*8 bits remain unaltered. After decryption at the receiver end, we obtain the original mapped (x, y) points. The y coordinate is of no use, and it is ignored. The last N bits of the x coordinate is ignored, and the first M*8 bits are considered. The M*8 bits contain the binary ASCII values of M consecutive characters. We obtain back M characters by converting the ASCII values to characters. Therefore, this new mapping scheme is invertible. c: According to the proposed scheme, two strings of same M consecutive characters will always map to the same point (x, y) on the elliptic curve E p (a, b). Because we are mapping M characters at a time, the chance of repetition of the same string of characters in the future is 1 256M as the characters belong to 256 extended ASCII table. Although mapping is one-toone, it still avoids frequency analysis of the points on the curve. The main advantage of this mapping is the difficulty in frequency analysis if M is greater than 4. Researchers have found that a maximum up to four consecutive character analyses is possible. Monogram count analysis, diagram count analysis, trigram count analysis, and quad-gram count analysis are possible but an analysis of M character (M >4) count is practically impossible. Hence, we can conclude that this method of mapping prevents any kind of frequency analysis if M is sufficiently large. d: As discussed in the example earlier, the plaintext contains 58 characters but the cipher text contains only three coordinates. The size of key is 192 bits, so total bits that should be sent is 4*3*192 bits = 2304 bits. Using this mapping scheme, we reduce the bandwidth usage approximately by 23 times that is nothing but M. Thus, if the value of M is large, then frequency analysis can be avoided as well as bandwidth usage is reduced. If 58 characters were mapped separately, total bits sent = 4*58*192 = bits. d: It has been discussed in Section 10 that it takes 370 s to encrypt a message of size 10 MB using scheme V, whereas using our proposed scheme, the same data can be encrypted in 27 s. There is huge reduction as far as time is concerned. This is because M consecutive characters are considered while mapping instead of mapping each character at a time. 12. CONCLUSION In this paper, a new message mapping scheme in elliptic curve cryptosystem has been proposed. Also, the guidelines for a good mapping scheme have been derived. It has been shown that our proposed mapping scheme follows all the guidelines and is a good mapping scheme. Security analysis of the proposed scheme and the previous schemes show that our proposed scheme prevents many attacks that the previous schemes are vulnerable to. Our proposed mapping scheme is faster than the previously discussed schemes. The main advantage of this scheme is that no information needs to be shared before the mapping or reverse mapping process. In a nutshell, it can be inferred that our proposed mapping scheme is efficient and secure compared with other mapping schemes. REFERENCES 1. Koblitz N. Elliptic curve cryptosystems. Mathematics of Computation 1987; 48(177): Barreto PSLM, Libert B, McCullagh N, Quisquater JJ. Efficient and provably-secure identity-based signatures and sign encryption from bilinear maps. In Advances in Cryptology - ASIACRYPT 2005, vol. 3788, Lecture Notes in Computer Science. Springer: Chennai, India; Odlyzko AM. Discrete logarithms and their cryptographic significance. In Advances in Cryptology: Proceedings of Eurocrypt 84. Springer-Verlag: New York, 1985; ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 1985; IT 31: Pateriya RK, Vasudevan S. Elliptic curve cryptography in constrained environments: a review. IEEE 2011 International Conference on Communication Systems and Network Technologies, Bhopal,India, Sep-2011; Diffie W, Hellman M. New directions in cryptography. IEEE Transactions on Information Theory 1976; 22: Hankerson D, Menezes A, Vanstone S. Guide to Elliptic Curve Cryptography. Springer: New York, ISBN ROSEN KH, WASHINGTON LC. Discrete Mathematics and Its Applications, 4th Revised edition. McGraw Hill Education: New York. 9. Hankerson D, Menezes A, Vanstone S. Guide to Elliptic Curve Cryptography. Springer: New York, pp Amounas F, El Kinani EH. Fast mapping method based on matrix approach for elliptic curve cryptography. International Journal of Information & Network Security 2012; 1(2): Muthukuru J, Sathyanarayana B. Fixed and variable size text based message mapping techniques using ECC. Global Journal of Computer Science and Technology 2012; 12(3): 12 18, Version Trappe W, Washington LC. Introduction to Cryptography with Coding Theory, 2nd Edition. Prentice Hall: New Jersey, Bh P, Chandravathi D, Prapoorna Roja P. Encoding and decoding of a message in the implementation of 5374 Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd.

13 A. Sengupta and U. K. Ray Message mapping and reverse mapping in elliptic curve cryptosystem elliptic curve cryptography using Koblitz s method. International Journal on Computer Science and Engineering 2010; 2(5): Lewand RE. Cryptological mathematics. The Mathematical Association of America, ISBN-13: Elligator: Elliptic-curve points indistinguishable from uniform random strings; Daniel J. Bernstein, Mike Hamburg, Anna Krasnova, Tanja Lange; Department of Computer Science, University of Illinois at Chicago, USA. 16. Elligator Squared; Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings; Mehdi Tibouchi. 17. Extractors for binary elliptic curves; Reza Rezaeian Farashahi, Ruud Pellikaan and Andrey Sidorenko; Department of Mathematics and Computing Science, Eindhoven University of Technology. 18. The distribution of quadratic residues and nonresidues; D. A. Burgess. 19. The probability that the number of points on an elliptic curve over a finite field is prime; Steven Galbraith and James Mckee. 20. Numerical evidence on the uniform distribution of power residues for elliptic curves; Jeffrey Hatley and Amanda Hittson. 21. Recommended elliptic curves for federal government use; July Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd. 5375