A Secure and Efficient ECC-Based Scheme for Edge Computing and Internet of Things

Abstract

Recent growth in the Internet of Things (IoT) has raised security concerns over the confidentiality of data exchanged between IoT devices and the edge. Many IoT systems adopt asymmetric cryptography to secure their data and communications. A drawback of asymmetric cryptography is the sizeable computation and space requirements. However, elliptic curve cryptography (ECC) is widely used in constrained environments for asymmetric cryptography due its superiority in generating a powerful encryption mechanism with small key sizes. ECC increases device performance and lowers power consumption, meaning it is suitable for diverse applications ranging from the IoT to wireless sensor network (WSN) devices. To ensure the confidentiality and security of data and communications, it is necessary to implement ECC robustly. A special area of focus in this regard is the mapping phase. This study’s objective was to propose a tested and trusted scheme that offers authenticated encryption (AE) via enhancing the mapping phase of a plain text to an elliptic curve to resist several encryption attacks such as Chosen Plaintext Attack (CPA) and Chosen Ciphertext Attack (CCA). The proposed scheme also undertakes evaluation and analysis related to security requirements for specific encryption attributes. Finally, results from a comparison of the proposed scheme and other schemes are presented, evaluating each one’s security characteristics and performance measurements. Our scheme is efficient in a way that makes so suitable to the IoT, and in particular to the Industrial IoT and the new Urbanization where the demands for services are huge.

1. Introduction

The continuous growth of industrialization and urbanization in recent years has led to the estimate that by 2025 there will be 21.5 billion actively connected Internet of Things (IoT) devices worldwide [1] as depicted in Figure 1. This remarkable growth of IoT shows that edge computing is increasingly used in today’s society [2]. In particular, the constrained properties of IoT devices, which include low performance in terms of computational resources and storage space, led to the adoption of edge computing [3]. For these reasons, the need to maintain data confidentiality and integrity has increased, which has caused an explosion of interest in cryptography schemes [4]. There are two types of encryption scheme, which are based on the nature of the key that will be used to encrypt and decrypt the data: which known as, symmetric cryptography and asymmetric cryptography [5]. The first type uses a one key for encryption and decryption, and it is useful if the two parties know the key before exchanging data. However, if the sender and the recipient cannot agree on a secure secret key exchange, then asymmetric cryptography is needed. In asymmetric cryptography, elliptic curve cryptography (ECC) is known for its superiority in producing a powerful encryption mechanism with small key sizes [6]. Therefore, ECC plays a valuable role in securing communications in constrained and resource-limited environments, including the IoT and wireless sensor networks (WSNs) [7].

Figure 1.

New technologies raised by the growth of industrialization and urbanization.

1.1. Encryption Attacks on Asymmetric Cryptography

Information security consists of three aspects: confidentiality, integrity, and availability (CIA) [8,9,10]. Confidentiality and integrity are assured via cryptography schemes. One such scheme is asymmetric cryptography, which uses two key types: a public key and a private key [11]. The public key is used by the sender to encrypt the plain text, which gives it its name. This key is publicly available for use by anyone. By contrast, the recipient uses the private key to decrypt the received cipher text, which means that it must be known only by the recipient.

Asymmetric cryptography settles the dilemma of securing a shared key between two parties. At the same time, however, asymmetric cryptography suffers from a drawback in the key sizes used to encrypt and decrypt messages. Larger key sizes correspond to larger computation overheads for encrypting and decrypting plain text. However, ECC provides the same level of security as the Rivest–Shamir–Adleman (RSA) algorithm with short keys [12]. Therefore, ECC has emerged as the preferred approach for solving key size issues and for maintaining performance in constrained environments [13].

Many known attacks weaken existing cryptography schemes. They exploit vulnerabilities in the encryption process. For instance, the Known Plain Text Attack (KPA), Chosen Plain Text Attack (CPA), Cipher Text Only Attack (COA), and several types of Chosen Cipher Text Attack (CCA) have been identified. The KPA occurs when an attacker obtains a plain text and its corresponding cipher text. Specifically, the attacker attempts to obtain the encryption key [14]. The CPA occurs when an attacker selects random plain texts and requests the corresponding cipher texts for each text. Thus, the attacker aims to reduce the security of the scheme by analyzing both the plain text and cipher text [15]. In COA, the assumption is made that an attacker only has access to a set of cipher texts, where they can extract the secret key and/or the plain text [16]. The final attack, the CCA, involves the attacker gaining information by obtaining a sample of decrypted cipher texts of his/her choice [17].

In this research, the following attacks are used for the security analysis phase, denoted as [18]:

• IND-CPA: Indistinguishable under chosen plain text attack

• IND-CCA: Indistinguishable under chosen cipher text attack

1.2. Elliptic Curve Cryptography

The first curve used in elliptic curve cryptography (ECC) was introduced by Koblitz in 1987 [19]. ECC is widely used for devices in constrained environments, including the IoT and WSN devices. This stems from ECC’s value in affording the same level of hardness in terms of encryption as other asymmetric cryptography schemes, with significantly smaller key sizes and a lower computation overhead. As an illustration, the complexity of encryption in the RSA algorithm with a 1024-bit key is the same as the ECC algorithm with a 160-bit key. This noticeable difference in key sizes reduces the requirement for computation, and it lowers the storage needed to perform encryption. As a result, ECC supports low computation device capabilities, enabling them to perform more effectively [20]. ECC applications vary in the ways keys are exchanged between senders and recipients, as well as the approach used to secure communications between the two parties. In addition, ECC maintains message integrity by signing plain texts to prevent forgery.

The elliptic curve group operations are denoted as “+” for the addition of two points. For instance, let $P=(x_1,y_1)$ and $Q=(x_2,y_2)$, Therefore, the addition of $P+Q$ can be expressed as $(x_1,y_1)+(x_2,y_2)=(x_3,y_3)$. In some cases, where $P=Q$, the group operation is denoted as multiplication $\alpha \times P$ on elliptic curve over ${\mathbb{Z}}_p,p>3$ that satisfy Equation (1), such that $a,b\in {\mathbb{Z}}_p$ and $4\times a^3+27\times b^2\ne 0modp$ where $\alpha$ is an integer value. For instance, $P+P=(x_1,y_1)+(x_1,y_1)=2P)$, similarly, $3P$ is equal to $(x_1,y_1)+(x_1,y_1)+(x_1,y_1)$, and so on. It is important to note the the EC must be nonsingular curves (i.e., have no multiples roots).

$$y^2\equiv x^3+a\times x+bmodp$$ (1)

The main operation in elliptic curves is the group multiplication operation [21,22,23,24]. For $dP$, this refers to d times of the addition of point P, which results in a new point $(x_j,y_j)$. The private key is a large integer d, and the value of the multiplication operation $(x_j,y_j)$ is known as the public key. The hardness of ECC is caused by the hardness of the mathematical problem, which states that, by knowing the public key point $(x_j,y_j)$ and the starting point P, it is not possible to compute d in polynomial time [25]. This hardness is known in the literature as the elliptic curve discrete logarithm problem (ECDLP).

Several phases are involved in ECC to secure communications and encrypt transmitted data [26,27,28]. These phases are used together and/or separately, and they are listed as follows:

• Initializing system parameters

• Converting text values to numerical values

• Mapping numerical values to the elliptic curve

• Encrypting mapped points

• Hashing the message (for signing)

Similarly, the decryption phases are listed below:

• Verifying integrity of received message (signature verification)

• Decrypting cipher text

• Decoding mapped points to numerical values

• Converting numerical values to text values to represent plain text

The main computation process involved in the first phase is the calculation of the public keys derived by the multiplication of d (i.e., the private key) and G (i.e., the base point) [29,30,31,32]. The following phase involves the conversion of the plain text into numerical values, which is required because ECC depends on the use of numbers [33]. Therefore, the text must be securely converted in order to resist encryption attacks. Similarly, the third phase involves mapping the encoded value $x_i$ to the generated elliptic curve to find corresponding value of $y_i$ such that $(x_i,y_i)\in E_p(a,b)$. If the mapping process fails in the first round, then $x_i$ is incremented by 1 until mapping is successful [34,35,36,37]. In the encryption phase, the cipher text is combined with the mapped point and secret key point $(x_{mapped},y_{mapped})+(x_{key},y_{key})$. The fifth phase maintains the integrity of the cipher text and ensures the sender’s nonrepudiation [38,39,40]. This is achieved by signing the cipher text using the sender’s signature, and it depends on the following steps [41,42,43]:

• Compute r, s.t. r is the $x_{R}modp$ of $(x_R,y_R)=k\ast G$, where k is a random number and G is a base point

• Compute $e=HASH\left(ciphertext\right)$ and obtain $z=leftmostpbitsofe$

• Compute s, where $s\equiv (d+z\ast r)k^{-1}modp$, and where d is the sender’s private key

• The sent message is $(ciphertext,(r,s\left)\right)$

Having provided an introductory overview, the rest of this paper is organized as follows: a literature review of other schemes is provided in Section 2; in Section 3, the details of the proposed scheme are described; in Section 4, security analysis and performance evaluations are presented in detail; and finally, concluding remarks and future research are discussed in Section 5.

2. Related Works

Elliptic curve cryptography (ECC) is frequently used to reduce the computational overhead caused by the limited capabilities of devices in constrained environments. Many schemes use ECC to secure communications between two parties by safeguarding the shared key exchange process. In particular, the elliptic curve integrated encryption scheme (ECIES) first employed the asymmetric approach by generating the shared key between two parties using ECC, after which the plain text was encrypted using the symmetric approach under the AES scheme [44,45,46,47]. On the other hand, many of these schemes failed to provide detail on how ECC was used to secure the plain text and/or how they were encoded into numerical values for use in ECC’s mapping phase.

Various proposed systems have enhanced key elements of the encryption process in ECC, but gaps have been identified in the literature. For instance, schemes proposed in [48,49,50] employ ECC without providing sufficient detail about how the plain text was encoded and mapped onto an elliptic curve. Therefore, enhancing these schemes tended to focus on performance rather than security. Similarly, [51,52,53] provided efficient algorithms for scalar multiplication in ECC that speed up the multiplication process. However, many schemes focus on securing ECC, and they offer more insights into the approach used to encode plain text and map it onto an elliptic curve. The rest of this literature review focuses on these schemes and, in particular, on the question of how the plain texts are encoded into numerical values, in addition, how these values are mapped onto the elliptic curve.

Several schemes proposed ways to secure plain text by encoding the characters to numerical values, thus giving them the ability to be mapped onto the elliptic curve. Many approaches use these schemes to encode the plain text. For instance, using the ASCII table, each character is converted into its decimal number [26,54,55,56]. In this case, the plain text “Hello” would be encoded to become “72” “101” “108” “108” “111”. These values are then mapped directly onto the elliptic curve as cipher text. However, this approach falls under the chosen plain text attack (CPA). This is because the attacker has the power to decrypt the chosen cipher text (in this case, a commonly used scheme). For this reason, other schemes manipulate the ASCII table by multiplying it by a secure number that is agreed on by both parties [57].

Critically, the issue of sharing the secure number is similar to the challenge of agreeing on the sharing of a secure key between the two parties. Such a scheme could also fall under the CPA and CCA. Similarly, other schemes are based on different encoding approaches that rely on matrix-based methods to conceal the matching table [58]. Specifically, these schemes use secret mapping tables that are unknown to anyone except the recipient, and which are used to encode and decode the plain text in a secure manner. While this may be true, there are two weakness associated with this approach: first, the dilemma of how to secure the delivery of the matrix table to the recipient in a secure way, thereby preventing CPA; and second, it is known that if the matrix-table is assumed to be securely delivered, then the cipher text falls under the CCA. This is because the same encrypted characters are repeated for the same plain characters in each encryption process.

The third approach to overcome flaws in ECC involves Block Chaining operations. The first step is to divide the plain text into a set of fixed-size blocks. In turn, the first block of the plain text is XORed with an initial vector $InV$ [59]. Following this, the result of the first XORed value is used for the second XOR operation with a second block, and the process is repeated for all plain text blocks. This is a good approach, but it is vulnerable to CPA and CCA when the plain text is divided into a set of blocks and all blocks are same (e.g., the plain text is a repeated character). As a result, the second XORing process results in the value of the $InV$ as following $InV\oplus B_1\oplus B_2=InV$. This is because $B_1=B_2$. Therefore, the result of the XORing operation becomes $B_1^{\prime },InV,B_1^{\prime },InV,...$, where $B_1^{\prime }=B_1\oplus InV$. Additionally, this scheme lacks AE property, which increases vulnerability to cipher text tampering attacks and nonrepudiation issues.

Barman et al. [60] proposed an encryption method to secure IoT communications informed by DNA-based ECC. For each set of characters in the plain text, a DNA genome sequence is mapped to it. There are many genome sequences publicly available, and so randomizing the selection of genome sequences is part of the encryption process for the plain text. Furthermore, the decryption process should use the same DNA genome sequences. Therefore, both parties, the sender and the recipient, must use the same sequences before encrypting and decrypting the plain text. For this reason, the DNA genome sequences should be securely used only by the sender and recipient. If an attacker discovers the sequence, the scheme will be vulnerable to encryption attacks such as CPA. Additionally, even if the sequence is delivered securely, the cipher text will be the same for each repeated plain text encryption process. Resultantly, the scheme is also vulnerable to other encryption attacks, including CCA.

Duarah et al. [61] introduced Securing IoT Using Machine Learning and ECC. In their scheme, the authors first classified the data set to enhance the transmitted data, where the accurate data were transmitted only to reduce computation efforts. If the data were clean, then they were moved into a second stage, namely encryption via ECC. However, if the data is malicious then it is discarded to save the encryption computation efforts. In the encryption phase, the authors wrote the key generation algorithms that use the ECC scalar multiplication operation $\delta =\left(P\right)\ast \left(d\right)$ s.t. P is a point in the elliptic curve, and d is the private random integer. In their encryption algorithm, the authors defined how the shared key is constructed in order to encrypt the plain text by the addition operation between the plain text and the shared key. Although the scheme produced a new strategy for performance enhancement in the IoT environment by limiting data transmission only to clean data, the security analysis indicates that it is vulnerable to CPA when the same data are encrypted and sent using the same scheme.

Joglekar et al. [62] proposed Lightweight ECC for Data Integrity and User Authentication in Smart Transportation IoT System. In their scheme, the authors use One Time Password (OTP) to exchange the shared key securely to prevent the man in the middle attack (MITM). The 4-digit OTP is encrypted using ECC and transmitted to the recipient to complete the registration process. The shared key between the two parties is constructed as follows: $S=d_A{Q}_B=d_B{Q}_A$, where $d_A,d_b$ are private keys for Sender A and Recipient B, respectively. Similarly, $Q_B=d_{B}G$ and $Q_A=d_{A}G$ are the public keys for Sender A and Recipient B. Using OTP to prevent the MITM is a good approach, but the authors neglected to state whether there is an assumption about the 4-digit OTP. It is relevant that the brute force attack needs ${10}^4=\mathrm{10,000}$ possible choices to break the OTP, which can be completed in several minutes. Furthermore, the authors did not state how to encrypt the OTP or how to map it onto an elliptic curve.

Finally, Das & Giri [55] proposed two encoding algorithms, which generate sets of numerical values via the sum of weight n with base b $IntegerDigits[n,b]-1$. The first encoding algorithm is used when the value of the base b is a dynamic integer. In this case, the highest accepted value is $\mathrm{65,536}$ (i.e., the highest value of ASCII table). In addition, n is the size of the prime field, where the authors suggest the use of a 192-bit key. Resultantly, the set of groups that can be combined based on their method is $IntegerDigits[192bit,\mathrm{65,536}]-1=11$. The base b can be reduced below $\mathrm{65,536}$, which increases the set of groups more than 11 based on b. However, the reduction of b should also contribute to a reduction in ASCII table mapping, and the authors did not provide a safe reduction mechanism. When b is not dynamic in the second algorithm, the suggested set of the combing group is equal to $\frac{Numberofpdigits}{IntegerDigits[n,b]-1}$. Based on the scheme described by the authors, it is $\frac{58-1}{11}=6$, and the number of groups based on both algorithms is small. Thus, the computation overhead will increase compared to other schemes. Notably, the encoding and mapping phases did not manipulate the plain text characters after using the ASCII table values, which heightened the scheme’s vulnerability to CPA.

All schemes in the literature are vulnerable to CPA and/or CCA, such that the encryption of the same plain texts always produce same cipher texts. Besides, these schemes use the appending method in the mapping phase which results in increasing the computation overhead. Although, some schemes that use the probability method to map points to EC failed to justify the chosen value of k. Moreover, many of the existing schemes fail to offer secure AE scheme, which means they are vulnerable to tampering attacks. An attacker can modify the transmitted cipher text without detection by the receiver. The cipher text offers confidentiality only; it does not offer integrity by itself. Therefore, to prevent tampering, to maintain the integrity of the cipher text, to ensure that the transmitted message is secured against encryption attacks, and to enhance the mapping phase performance, the proposed scheme ensures the AE property, resists CPA and CCA, and enhances the mapping phase performance.

3. The Proposed Scheme

The proposed scheme contains nine phases: initializing system parameters; converting the plain text message into numerical values (encoding); finding the mapping points on the elliptic curve; encrypting the mapped points; signing the aggregated mapped points as cipher text; and finally, undertaking the reverse of the previous phases by verifying and decrypting the received cipher text, decoding the mapped points, and converting the mapped points into plain text.

This study’s main contribution is to offer a secure and efficient encryption scheme in the form of ECC. It facilitates secure communication by creating a shared key for a group of parties, which they can use to secure their shared messages. Notably, shared key creation is undertaken in the first phase, and many recent studies neglect to highlight the importance of having a shared key between parties for shared message encryption. In addition, this study provides a secure and enhanced method to encode and map plaintext to EC. Therefore, this study focuses on the three phases that start the ECC because it constitutes a major feature of any system for securing group communication (e.g., IoT environments). Figure 2 shows the nine phases of the proposed scheme.

Figure 2.

High-level overview of proposed scheme.

3.1. Generating System Parameters

The aim of this phase is to generate the parameters needed to secure communication between all parties by setting up public and private keys. This phase contributes to the creation of the shared group key $g{k}_{sh}$, which is used to encrypt the message shared between group members. The notations that the system generates, which are used for each session in the proposed scheme, are illustrated in Table 1.

Table 1.

Notation relevant to the proposed scheme.

Notation	Description
$i{d}_{edge}$	Edge identification number
$i{d}_{ni}$	Node identification number
$d_{edge}$	Edge private key
$d_{ni}$	Node private key
G	EC base point
$P{U}_{edge}$	Edge public key = $d_b\ast G$
$P{U}_{ni}$	Node public key = $d_{ni}\ast G$
p	Large prime number (192-bit)
$a,b$	EC coefficients, s.t. $4a^3+27b^{2}modp\ne 0$
$y^2\equiv x^3+ax+bmodp$	EC map points equation
$H_1$	Hash function used only by edge
$nList$	Node list containing references and $H_1\left(i{d}_{ni}\right)$
$HASH$	Signing message $C_M$ hash function
$k_{sh}$	Shared group key
$g{k}_{sh}$	Shared group point ($k_{sh}\times G$)
$InV$	Random initial vector (192-bit)
$PRK$	Private random key (192-bit)
k	Random integer chosen from $[1,p-1]$
$C_M$	Cipher text (all encrypted points)
⊕	XOR used in mapping phase to secure mapped points
+	Addition operation used in ECC to encrypt mapped points with $g{k}_{sh}$

It is important for the edge to create and maintain the shared group key $k_{sh}$. This enables the parties to decrypt cipher text effectively. Therefore, $edge$ creates the initial $k_{sh}$ using its $H_1\left(i{d}_{edge}\right)$ and $PRK$. The key generation process is illustrated in Algorithm 1.

Algorithm 1:Edge algorithm for generating initial shared group key $k_{sh}$.

Input: $i{d}_{edge};H_1;PRK$

Output: $k_{sh}$

1  $k_{sh}=H_1\left(i{d}_{edge}\right)\oplus PRK$;

2  $Initialsharedgroupkey\leftarrow k_{sh}$

In a similar way, for every new node that joins the group, $k_{sh}$ is updated by the following Equation (2).

$$k_{sh}=H_1\left(i{d}_{ni}\right)\oplus k_{sh}$$ (2)

To maintain the forward and backward secrecy, it is important to ensure that all new nodes that join cannot decrypt the cipher text sent before it joined the group using $k_{sh}$. Similarly, any nodes that leave the group cannot decrypt the cipher text sent after their departure. To achieve this, the proposed scheme allows each node to perform certain operations to maintain $k_{sh}$.

For a new node to join the group, the edge sends the joined node hashed ID $H_1\left(i{d}_{ni}\right)$ to all current nodes. In turn, each node adds the hashed ID to its node list $nList$, and it simultaneously updates $k_{sh}$ using Equation (2). Similarly, the edge updates its $k_{sh}$ using the same equation. In turn, the edge sends $k_{sh}$ to the newly joined node, along with a list of all hashed IDs of existing node (with the exception of the hashed ID of the new node). Figure 3 illustrates this process, and Algorithm 2 describes the steps required to perform the joining process.

Algorithm 2:Updating $k_{sh}$, $g{k}_{sh}$, and $nList$ for a newly joined node.

Input: $i{d}_{ni};H_1;k_{sh}$

Output: $Updated{k}_{sh},g{k}_{sh}andnList$

1  $Newnoderequestsjoin\left(i{d}_{ni}\right)$;

2  $NewnodeandEdgestartMAprocess$;

3  $Edgebroadcast{H}_1\left(i{d}_{ni}\right)encryptedbycurrentg{k}_{sh}$;

4  $Edgeandcurrentnodesupdatekey{k}_{sh}=H_1\left(i{d}_{ni}\right)\oplus k_{sh}$;

5  $Edgeandcurrentnodesupdatesharedpointg{k}_{sh}=k_{sh}\times G$;

6  $Edgesends{k}_{sh}andnListtonewnode$;

7  $EdgeandcurrentnodesupdatetheirnList$

Figure 3.

Sequence diagram for new node joining the group.

Similarly, when the current node leaves the group, the edge sends its reference ID to all currently joined nodes, and each node updates $k_{sh}$ using Equation (2). At the same time, the corresponding hashed IDs are removed from the node list. Additionally, the edge updates $k_{sh}$ using Equation (2), and it removes the corresponding hashed ID from its node list. Figure 4 presents a sequence diagram illustrating the process, and Algorithm 3 describes the steps required to perform the leaving process.

Algorithm 3:Updating $k_{sh}$, $g{k}_{sh}$, and $nList$ for node leaving the group.

Input: $i{d}_{ni};H_1;k_{sh}$

Output: $Updated{k}_{sh},g{k}_{sh}andnList$

1  $Nodesendsleave\left(i{d}_{ni}\right)$;

2  $EdgebroadcastnodeLeave\left(Enc(g{k}_{sh},referenc{e}_{id})\right)$;

3  $Edgeandcurrentnodesupdatekey{k}_{sh}=H_1\left(i{d}_{ni}\right)\oplus g{k}_{sh}$;

4  $Edgeandcurrentnodesupdatesharedpointg{k}_{sh}=k_{sh}\times G$;

5  $EdgeandcurrentnodesupdatetheirnList$

Figure 4.

Sequence diagram for node leaving the group.

3.2. Encoding and Mapping the Plain Text

This study extended the encoding and mapping mechanism steps proposed in [63]. As described in related work, a security flaw exists in the study’s encoding process. The main encryption flaw associated with the encoding and mapping phases in ECC stems from the fact that using the same encryption scheme produces the same ciphertext. As such, by analyzing the ciphertext, the adversary can gain important information about the plaintext. To illustrate this flaw, Figure 5 shows how the same letter is encoded with the same value every time. Thus, the corresponding ciphertext of the encoded value is transformed into the same ciphertext value each time, which allows the adversary to distinguish between the set of ciphertexts to extract the plaintext, as shown in Figure 6.

Figure 5.

Repeated encoded characters using the ASCII table.

Figure 6.

Repeated mapped points to the designated elliptic curve using the ASCII table.

Every scheme discussed in this study’s literature review in Section 2 is vulnerable to an encryption flaw. Therefore, the study provides an improved encoding process to overcome this flaw by dividing the plain text into a set of blocks denoted by B. Then, the characters of each block B are counted, denoted by N, which can be calculated as follows:

$$N\le \lfloor \frac{p-8}{8}\rfloor$$ (3)

It is worth noting that 8 is subtracted from p to allow a maximum of 8 bits in terms of the padding bits used in the mapping phase. Therefore, in the proposed scheme, we can determine the value of N as follows:

$$N\le \lfloor \frac{192-8}{8}\rfloor =23$$ (4)

In a similar way, the number of blocks B needed in each plain text, denoted by the number of characters M, is determined by the following equation:

$$B= \lceil \frac{M}{N}\rceil$$ (5)

The to divide the plaintext to this length is because every block B must be mapped to the 192-bit ECC (field size 192). As discussed previously, 8 bits in every block are reserved for the mapping phase, in which they serve as padding bits to secure the number of rounds required to find the mapping points for each block. Figure 7 illustrates the process needed to convert the plain text M into set of blocks.

Figure 7.

Converting plain text into a set of blocks.

Algorithm 4 provides an overview of the steps involved in converting plain text into a set of blocks.

Algorithm 4:Converting a plain text into a set of blocks.

Input: $TheplaintextMandp$

Output: $Setofblocks$

1  $Sender:obtaintheplaintextM$;

2  $Sender:calculatethesizeofeachblock$;

3  $N\leftarrow \lfloor \frac{192-8}{8}\rfloor$;

4  $Sender:calculatethenumberofblocks$;

5  $B\leftarrow \lceil \frac{M}{N}\rceil$;

6  $Sender:dividethepalintextintoBblocksofsizeN$;

7  $fori=1;i<=B;i++$;

8  $forj=1;j<=N;j++$;

9  $Sender:obtainthe{B}_i=B_i+ASCII\left(c_{j+\left(\right(i-1)\ast N)}\right)$;

10  $Setofblocks\leftarrow theresults$

Following the conversion of M into a set of blocks, the next critical issue is to ensure that the blocks are secure against encryption attacks (e.g., CPA and CCA). Therefore, the Cipher Block Chaining (CBC) was used to make the blocks resistant to such attacks. Figure 8 shows the process of ⊕ the blocks to increase their security.

Figure 8.

Securing blocks for resistance against encryption attacks using Cipher Block Chaining (CBC).

Algorithm 5 describes the process that secures the blocks.

Algorithm 5:Securing blocks for resistance against encryption attacks.

Input: $Blocksretrieved\left(B_i\right)frommessageandInV$

Output: $EncodedblockswithInV$

1  $fori=0;i<noofblocksB;i++$;

2  $let{B_i}^{\prime }=B_i\oplus InV$;

3  $let{B_i}^m=map\left({B_i}^{\prime }\right)$;

4  $letInV={B_i}^m$;

5  $Encodedmessage\leftarrow thesetof{B_i}^{\prime }$

Mapping a point to an elliptic curve means that $(x_i,y_i)$ satisfies Equation (1). Therefore, it is important to find the value of $y_i$ corresponding to $x_i$ for each point. Every secured block is converted into a decimal value, and these values are then mapped to the elliptic curve generated in the first phase to find the corresponding value of $y_i$. Figure 9 illustrates the steps involved in mapping the secured blocks to an elliptic curve.

Figure 9.

Mapping secured blocks to an elliptic curve.

Algorithm 6 outlines the steps involved in mapping the secured blocks to an elliptic curve.

Algorithm 6:Mapping secured blocks to an elliptic curve.

Input: $Securedblocks$

Output: $Mappedpoints$

1  $fori=0;i<noofsecuredblocksB;i++$;

2  $Sender:obtainthedecimalvalue{x}_{i}forthesecuredblock$;

3  $Sender:x_i=x_i\times 16$;

4  $Sender:obtaincorresponding{y}_{i}usingtheequation$;

5  $Sender:if{y}_{i}cannotsatisfytheequation$;

6  $Sender:x_i=x_i+1$;

7  $Sender:repeattheloopuntilfind{y}_i$;

8  $Mappedpoints\leftarrow theresults$

3.3. Encrypting and Decrypting the Mapped Points

In many schemes, the assumption is made that the mapping phase is sufficient to secure the plain text and plays the encryption phase. However, this assumption is incorrect because the mapping phase to the elliptic curve means that these points belong to the generated elliptic curve and can benefit from the elliptic curve discrete logarithm problem (ECDLP). In our proposed scheme, we encrypt these points by adding them to $g{k}_{sh}$. Figure 10 illustrates the process for encrypting the mapped points.

Figure 10.

Encrypting mapped points using the shared group point.

The algorithm used to secure the transmitted message using the shared group point $g{k}_{sh}$ is given below.

Algorithm 7:Encrypting mapped points using the shared group point.

Input: $Mappedpoints(x_i,y_i),g{k}_{sh}$

Output: $Ciphertexts$

1  $Sender:Calculateg{k}_{sh}$;

2  $fori=0;i<noofmappedpointsB;i++$;

3  $(c_{xi},c_{yi})=g{k}_{sh}+(x_i,y_i)$;

4  $Sender:repeatuntilfinish$;

5  $(c_{xi},c_{yi})\leftarrow theresults$

The remaining phases constitute a reversal of the previous phases. Therefore, the secured points are decrypted, and the recipient subtracts them with $g{k}_{sh}$. As illustrated before, all parties have the same shared group point $g{k}_{sh}$, which is used to encrypt and decrypt the messages. In Figure 11, an illustration of how to decrypt secured points is given.

Figure 11.

Decrypting secured points using the shared group key.

Algorithm 8 provides an overview of the steps involved in completing the decryption process:

Algorithm 8:Decrypting cipher texts using the shared group key.

Input: $Encryptedpoints(c_{xi},c_{yi}),g{k}_{sh}$

Output: $Decryptedpoints$

1  $Recipient:Calculateg{k}_{sh}$;

2  $fori=0;i<noofEncryptedpointsB;i++$;

3  $(x_i,y_i)=(c_{xi},c_{yi})-g{k}_{sh}$;

4  $Recipient:repeatuntilfinish$;

5  $(x_i,y_i)\leftarrow theresults$

3.4. Decoding and Converting the Decrypted Points into Plain Text

The next phases are concerned with completing the previous phase, which focus on decoding and converting the decrypted points into a plain text M. There are two pairs on each set of these points, denoted $x_i$ and $y_i$. It is worth noting that $y_i$ is used in two phases only: the encryption and decryption phases. In these phases, the values are used to add and subtract two points on the elliptic curve. Therefore, in this phase, we are only concerned with $x_i$, that represent the binary values of the characters in the plain text. The process that describes the decoding phase is illustrated in Figure 12.

Figure 12.

Converting and decoding $x_i$ values into binary values.

Algorithm 9 demonstrates the steps required to convert the decrypted points $x_i$ into binary values:

Algorithm 9:Decoding decrypted points into binary values.

Input: $Decryptedpoints{x}_i,InV$

Output: $Binaryvalues$

1  $Recipient:obtain{x}_{i}valueforthedecryptedpoints$;

2  $fori=0;i<noofdecryptedpointsB;i++$;

3  $letIn{V}_{save}=x_i$;

4  $let{x}_i=x_i÷16$;

5  $let{x}_i=x_i\oplus InV$;

6  $letInV=In{V}_{save}$;

7  $Recipient:repeatuntilfinish$;

8  $Binaryvalues\leftarrow theresults{x}_i$

Finally, the binary values obtained in the previous phase are converted into their corresponding characters. These binary values represent the plain text message M, and so they need to be converted into their ASCII values. The conversion process is illustrated in Figure 13.

Figure 13.

Converting binary values into plain text M.

Algorithm 10 shows how to convert binary values into a plaintext M.

Algorithm 10:Converting binary values into plain text.

Input: $Binaryvalues,B$

Output: $TheplaintextmessageM$

1  $Recipient:Getthebinaryvalues$;

2  $fori=0;i<noofbinaryvaluesB;i++$;

3  $converteach8bitsintoitscorrespondingASCIIcode$;

4  $foreachNcharaggregatetosingleblock$;

5  $Recipient:repeatuntilfinish$;

6  $ThemessageM\leftarrow theresults$

3.5. Signing and Verifying the Encrypted Message

The intention of AE schemes using the encrypt then sign approach is to transmit messages between parties without compromising confidentiality, security, and integrity. In the proposed scheme, confidentiality (encryption) is maintained by the previous phases. Thus, to assure integrity (sign), the sender signs the message using his or her private key $d_s$, which relies on ECDSA. The message $M_{sent}$ consists of a set of tuples, which contain the encrypted points $C_M$ and $InV$, the timestamp $t_o$, and a random signature integer k. The signing process is illustrated in Figure 14.

Figure 14.

Sender ensures message integrity by signing it with $d_s$.

The following algorithm outlines the process used to sign the $C_M$:

Algorithm 11:Process of signing the message.

Input: $TheMessage{M}_{sent}$

Output: $Signaturepairs(r,s)$

1  $Sender:calculatee=HASH\left(M_{sent}\right)$;

2  $Sender:calculatez=leftmostpbitsofe$;

3  $Sender:selectrandomvaluek$;

4  $Sender:calculate(x_1,y_1)=k\times G$;

5  $Sender:calculater=x_{1}modpwherer\ne 0$;

6  $Sender:forr=0goto3$;

7  $Sender:calculates=(z+d_s\ast r)k^{-1}fors=0goto3$;

8  $Sender:(r,s)\leftarrow ciphertextsignature$

The receiver of a signed message verifies it using the sender’s public key. The verification process is illustrated in Figure 15.

Figure 15.

Receiver verifies signed message.

Algorithm 12 outlines the steps involved in verifying the integrity of the received message using the sender’s public key.

Algorithm 12:Recipient verification of a signed message.

Input: $M_{sent},(r,s),P{U}_s$

Output: $Verifiedciphertexts$

1  $Recipient:check(r,s)areintegers\in 1,2,3,...,p-1)$;

2  $Recipient:calculatee=HASH\left(M_{sent}\right)$;

3  $Recipient:calculatez=leftmostpbitsofe$;

4  $Recipient:calculate{u}_1=e{s}^{-1}modp$;

5  $Recipient:calculate{u}_2=r{s}^{-1}modp$;

6  $Recipient:calculate(x_1,y_1)=u_1\ast G+u_2\ast P{U}_s$;

7  $Verified\leftarrow r\equiv x_{1}modp$

4. Security Analysis and Performance Evaluation

Every scheme discussed in this study’s literature review is vulnerable to an encryption flaw. For instance, the encryption schemes presented in [55,60,61,62] produce the same cipher text when repeated several times, as outlined in Figure 16 and Figure 17.

Figure 16.

Cipher text generated by first encryption process.

Figure 17.

Cipher text generated by second encryption process using the same plain text as in Figure 16.

These schemes suffer from an encryption weakness because they offer the same cipher text if the sender encrypts the plain text using the same encryption key. The main factor that underlies this flaw is that the encryption process in these schemes neglects to consider the importance of manipulating plain text before encrypting and decrypting it. This ensures that a distinct cipher text is produced for every encryption process. Therefore, in the absence of a manipulation step, the adversary can learn from the cipher text, determining whether certain cipher texts are the same or different.

In the scheme proposed by [59], this flaw is resolved by using XOR with $InV$. Figure 18 shows that the cipher text outputted from the encryption process is different to the cipher text generated by the process depicted in Figure 19, which uses the same plain text. However, these schemes are vulnerable to the same flaw, particularly in the special cases outlined in Figure 20. This flaw occurs when the blocks divided for XOR with $InV$ are equal to $B_1=B_2=B_3=...=B_n$. In this case, $B_1^{\prime }=InV\oplus B_1$, $B_2^{\prime }=B_1^{\prime }\oplus B_2$, $B_3^{\prime }=B_2^{\prime }\oplus B_3$, and so on. Therefore, in the event that all blocks are the same, an attacker can exploit the encryption flaw because XOR with $InV$ operations become:

$$\begin{array}{c}\hfill B_1^{\prime }=InV\oplus B_1\\ \hfill B_2^{\prime }=B_1^{\prime }\oplus B_2\\ \hfill B_2=B_1\to \\ \hfill B_2^{\prime }=InV\oplus B_1\oplus B_1\\ \hfill Result\to B_2^{\prime }=InV\end{array}$$ (6)

Figure 18.

Cipher text generated by first encryption process using XOR with $InV$.

Figure 19.

Cipher text generated by second encryption process with XOR different $InV$ using the same plain text as in Figure 18.

Figure 20.

Cipher text generated via encryption of plain text, followed by XORing with $InV$ using a special text that produces the same blocks.

This encryption flaw is illustrated in Figure 20.

Based on the flaws identified in existing schemes, it is a valuable contribution to the literature to improve the encryption process with CBC. In the proposed scheme, all previous flaws are resolved by using CBC with $InV$ derived from mapping points to secure the cipher text in all forms, as described in Algorithm 5. The encryption operation generated by the optimized encryption process is illustrated in Figure 21.

Figure 21.

Improved encryption process generating different encrypted points even with the same blocks.

To evaluate the proposed schemes, security analysis was used with IND-CPA and IND-CCA. In the next subsections, results are given to show that the schemes examined in the literature review are not IND-CPA and IND-CCA. Therefore, it is necessary to prove that the novel scheme proposed in the presented study is both IND-CPA and IND-CCA.

4.1. Indistinguishability under Chosen Plain Text Attack IND-CPA

A scheme known as IND-CPA if the adversary has the power to submit as many $m_{i,0}$, $m_{i,1}$ $i=[1,2,..,q]$ as desired and also when he or she receives the cipher texts for each message. Then, the adversary must submit two distinct messages, $m_{0}and{m}_1,where|m_0|=|m_1|$, to the encryption oracle, receiving $c\leftarrow Enc(k,m_b)$. This is illustrated in Figure 22. The challenge is that the adversary is required to guess the value of b with a probability of the following:

$$\begin{array}{cc}\hfill Ad{v}_{IND-CPA}[A,E]& =\hfill \\ & =\left|Pr\right[EXP\left(0\right)=1]-Pr[EXP\left(1\right)=1\left]\right|\hfill \\ & =negligible\hfill \end{array}$$ (7)

Figure 22.

Adversary’s power to submit unlimited messages to encryption oracle in CPA.

Thus, schemes proposed in [55,60,61,62] are insecure under CPA. An adversary can win a challenging game by submitting two identical messages, $m_0,m_0$, to the encryption oracle. In turn, the encryption oracle sends the cipher text $c_0$, which is the cipher text for $m_0$. In an experiment, the adversary sends two messages, $m_0,m_1$ where $|m_0|=|m_1|$, and the encryption oracle responds by encrypting one message and sending one cipher text $c_b$. The adversary is then challenged to guess the value of $b=0or1$, and to determine which cipher text belongs to $m_0$ or $m_1$. However, the adversary can win the challenge with $Ad{v}_{IND-CPA}[A,E]=1$. This is because the encryption oracle in such schemes always encrypts the same messages with the same cipher texts and the same key. Therefore, since the adversary already has $c_0$, he or she can determine whether the value of b is 0 or 1. This is achieved by matching $c_b$ with $c_0$. If $c_b=c_0$, then $b=0$; otherwise, $b=1$. This process is illustrated in Figure 23.

Figure 23.

Steps needed for an adversary to win the Chosen Plain Text Attack (CPA) challenge.

Theorem 1.

The proposed scheme is (IND-CPA) such that the probability of the adversary to decrypt the message in the two experiments is negligible, as written in Equation (7).

Proof. 

This theorem is proven by the fact that the proposed scheme uses a different value of $InV$ for each experiment. Hence, the adversary can submit as many messages as he or she wants to the encryption oracle. The cipher texts generated by the experiment will not be the same, even for the same message. For example, in the second experiment, $InV$ in $EXP\left(0\right)$ was different compared to $InV$ in $EXP\left(1\right)$. Therefore, when the adversary submits the same message $m_0,m_0$ in $EXP\left(0\right)$, he or she will receive the corresponding cipher text in that experiment, which is $c_0$. However, when the adversary moves to $EXP\left(1\right)$ where the encryption oracle challenges the adversary, the two messages submitted by the adversary $m_0,m_1$ are not distinguishable. This is because the cipher text from $m_0$ in $EXP\left(1\right)$ is different from the cipher text from the same message $m_0$ in $EXP\left(0\right)$. For this reason, the probability that the adversary wins the challenge is $Ad{v}_{IND-CPA}[A,E]=0$

Let $\Pi =(Gen,Enc,Dec)$ be an ECC encryption scheme, and let us define the experiment between the challenger and the attacker A as follows:

• $IND-CP{A}_{\Pi }(A,k)$, where k is the key size:

  1. The challenger computes $(d,PU)\leftarrow Gen\left(2^k\right)$
  2. The attacker A submits $1,2,...,q$ queries to the challenger to encrypt a plain text of their choice
  3. The attacker A sends two messages $(m_0,m_1)$ for the challenger to encrypt
  4. The challenger computes $(c_b,InV)\leftarrow Enc(PU,(m_b\oplus InV))$
  5. The attacker A outputs the value $b=0$ or $b=1$, and A wins if the probability of A guessing a correct value is not negligible

Consider the following games:

Game (0)

The attacker A makes a request for encrypting a message $\left(m_0\right)$, and receives $(c_0,InV)\leftarrow Enc(PU,(m_0\oplus InV))$.

Game (1)

The attacker A sends two messages $(m_0,m_1)$, where $m_0$ is the same $m_0$ as in game 0. The challenger outputs $(c_b,In{V}^{\prime })\leftarrow Enc(PU,(m_b\oplus In{V}^{\prime }))$ to challenge A to guess the value of b.

Game (3)

The attacker A returns the value of b based on the comparison he or she can perform to distinguish between $(m_0,m_1)$, which relies on game 0 and 1. However, the probability that A achieves this is 0 because the $c_0\leftarrow Enc(PU,(m_0\oplus InV))$ in game 0 is not the same as $c_0\leftarrow Enc(PU,(m_0\oplus In{V}^{\prime }))$ in game 1. It is also relevant to note that the XOR operation in both games is undertaken with different $IV$. □

4.2. Indistinguishability under Chosen Ciphertext Attack IND-CCA

An encryption scheme is IND-CCA if the adversary has the ability to submit as cipher texts as he wants $c_{i,0}$, $c_{i,1}$$i=[1,2,..,q]$ and to receive the plain text for that cipher text. In addition, the adversary submits any two distinct messages $m_{i,0}$ and $m_{i,1}$, where $|m_{i,0}|=|m_{i,1}|$ to the encryption oracle and receives $c\leftarrow Enc(k,m_b)$. This process is depicted in Figure 24. The challenge is that the adversary is required to guess the value of b to differentiate between the two experiment’s games, with probability as follows:

$$\begin{array}{cc}\hfill Ad{v}_{IND-CCA}[A,E]& =\hfill \\ & =\left|Pr\right[EXP\left(0\right)=1]-Pr[EXP\left(1\right)=1\left]\right|\hfill \\ & =negligible\hfill \end{array}$$ (8)

Figure 24.

An adversary’s power to submit countless messages to the encryption oracle in CCA.

With the above in mind, the scheme proposed in [59] is not secure under CCA. The adversary can win the challenging game by submitting two messages, $m_0,m_1$, to the encryption oracle. In turn, the encryption oracle sends the cipher text $c\leftarrow E(k,m_b)=(InV,c_b)$, which is the cipher text for either $m_0$ or $m_1$. Subsequently, the adversary modifies c by XORing $InV$ with R, where $R\ne 0$. This produces $c^{\prime }=(InV\oplus R,c_b$ where $c_b=E(k,InV\oplus m_b$, which is sent to the decryption oracle for decryption.

The decryption oracle responds by decrypting the cipher text $D(k,c^{\prime })$. This process relies on the modified $InV\oplus R$. The result is that the decryption process is $m_b\oplus InV\oplus (InV\oplus R)=m_b\oplus R$. Consequently, an adversary can guess the value of $b=0$ or $b=1$ by XORing $m_b\oplus R$, after which it can be compared directly with the received message $m_b$. Therefore, the adversary can win the challenge with $Ad{v}_{IND-CCA}[A,E]=1$. This process is illustrated in Figure 25.

Figure 25.

Steps needed for an adversary to win the CCA challenge.

Theorem 2.

The proposed scheme is indistinguishable under IND-CCA such that the probability of the adversary decrypting the message in the two experiments is negligible, as written in Equation (8).

Proof. 

The proof for $Ad{v}_{CCA}[B_1,E]$ starts by noting the adversary’s ability to access both the encryption and decryption oracle. At the same time, the adversary cannot submit $c_i$ received from the encryption oracle and then submit it for decryption to distinguish the experiment game. However, the adversary can modify the received $c_i\leftarrow E(k,m_i)$ and submit it for decryption as the modified $c_i^{\prime }\ne c_i$. Thus, the adversary can win the challenging game by XORing $InV$ with a random R, thereby guessing $m_i$ (see Figure 25). The proposed scheme offers integrity to cipher texts. It also protects transmitted cipher texts from tampering. Therefore, the decryption oracle drops any modified $c_i$, meaning that the oracle responds to the adversary with $\perp \leftarrow <InV\oplus R,c_i)>$ for every modified message, as illustrated in Figure 26. Resultantly, the proposed scheme is negligible under Equation (8), meaning that it is indistinguishable under IND-CCA.

Let $\Pi =(Gen,Enc,Dec,Sign,Ver)$ be an ECC encryption scheme, and let us define an experiment between the challenger and attacker A as follows:

• $IND-CC{A}_{\Pi }(A,k)$, where k is the key size:

  1. The challenger computes $(d,PU)\leftarrow Gen\left(2^k\right)$
  2. The attacker A submits $1,2,...,q$ queries to the challenger to decrypt their chosen cipher text
  3. The attacker A sends two messages $(m_0,m_1)$ to the challenger for encryption
  4. The challenger computes $(c_b,InV,Sign)\leftarrow Enc(PU,(m_b\oplus InV))$
  5. The attacker A outputs the value of $b=0$ or $b=1$, where A wins if the probability of guessing A correctly is not negligible

Consider the following games:

Game (0)

The attacker A makes a request for encrypting a message $\left(m_0\right)$, and receives $(c_0,InV,Sign)\leftarrow Enc(PU,(m_0\oplus InV))$.

Game (1)

The attacker A modifies the cipher text from game 0 $(c_0,InV,Sign)$ to XOR the $InV$ with a random value $R\ne 0$. A request is made for the challenger to decrypt the cipher text $(c_0,InV\oplus R,Sign)$.

Game (3)

The attacker A can compute the plain text from $(m_b\oplus InV\oplus (InV\oplus R))\leftarrow Dec(c_0,InV\oplus R,Sign)$, which results in $(m_b\oplus R)$. In this case, A can compare $(m_b\oplus R)$ with $(m_0\oplus R)$ and $(m_1\oplus R)$. However, A will fail to win because the challenger will discard the modified $(c_0,InV\oplus R,Sign)$. This stems from the fact that $Sign$ is invalid, meaning that probability of the success of A is 0. □

Figure 26.

Proposed scheme IND-CCA proof.

4.3. Malleability Attack

Changing encrypted data can lead to the modification of the plain text after decryption, which is known as a malleability attack. For instance, the attacker modifies the $InV$ with the value of 1, which means that the first block of the plain text message will be XORed with 1. As a result, the reset of blocks in the CBC will also be modified. The steps involved in the malleability attack are depicted in Figure 27.

Figure 27.

Overview of the malleability attack.

Theorem 3.

The proposed scheme is resistant to the malleability attack.

Proof. 

It is known that an adversary can eavesdrop on the messages sent between the two parties. Adversaries can also change messages and return them to either party. However, the recipient checks the received message’s integrity before decrypting the cipher text. Therefore, the recipient ignores the received message because it has an invalid signature. An illustration of this proof is given in Figure 28

□

Figure 28.

Resistance of the proposed scheme to the malleability attack.

A security analysis comparison was undertaken between the scheme proposed in this study and others mentioned in the literature (see Table 2).

Table 2.

Security analysis comparison of proposed scheme and other schemes.

	1	2	3	4	5	6	7	8
Barman, [60]	N	N	N	N	N	$\mathcal{O}(nlogn)$	n	N
Joglekar, [62]	N	N	N	N	N	N/A	N/A	N
Muthukuru, [59]	Y	N	N	N	N	$\mathcal{O}(nlogn)$	n	N
Duarah, [61]	N	N	N	N	N	$\mathcal{O}(nlogn)$	n	N
Das, [55]	N	N	N	N	N	N/A	N/A	N
Proposed scheme	Y	Y	Y	Y	Y	$\mathcal{O}(nlogn)$	$2^n$	Y

1. IND-CPA; 2. IND-CCA; 3. Resistance to malleability attack; 4. Integrity; 5. Authenticated encryption; 6. Complexity of mapping phase; 7. No of rounds based on n appending bits; 8. Offers nonrepudiation

4.4. Performance Evaluation

The main goal of the proposed scheme was to provide a secure scheme that resolved encryption flaws that yield to CPA and CCA attacks. The study also sought to offer a scheme with a suitable level of performance in constrained environments. The security aspect of the proposed scheme was proven in the previous section, and this section evaluated the performance of the scheme based on two criteria: enhancing the process of mapping points to an elliptic curve; and time, space overhead, and power consumption in a simulation environment.

4.4.1. Mapping Points to an Elliptic Curve

Mapping points to an elliptic curve should be undertaken correctly and efficiently. As illustrated in Figure 29, 50% of $x_i$ points cannot be mapped to the EC as there is no $y_i$ axis that meets the EC’s equation. Therefore, it is necessary to increase the value of $x_i$ by 1, and then to recompute $y_i$ until a value is found that matches. As a result, the $x_i$ point is eventually mapped. In many schemes, the characters in plain text are converted into numerical values based on the ASCII table, which facilitates their mapping onto the elliptic curve. Therefore, when these values are not mapped from the beginning, the value to be mapped increases. However, this step changes the original value, and the plain text is lost. For this reason, to overcome this problem, two methods are widely used to map points: the probability method and the appending method.

Figure 29.

Probability of successfully mapping points to an elliptic curve based on number of rounds.

In the probability method, which was introduced by King (2009) [64], the value of k is defined, which represents the number of rounds needed to map the points. This value is multiplied by $x_i$, and the product is used in the mapping phase with ability to increment it in k rounds. In turn, the value of $x_i$ can be restored by calculating the value of the mapped point: $\lfloor \frac{mappedpoint}{k}\rfloor$. In the second method, the appending method, $x_i$ is appended by number of bits representing the number of rounds required. For instance, if the scheme defines the appended bits as 000, then the number of rounds that can be safely used in the mapping phase is $2^3=8$ rounds.

Each method has advantages and disadvantages relating to computational efficiency and the maximum number of rounds. The probability method is more efficient and less complex than the appending method. Using the Harvey-Hoeven algorithm [65], the multiplication operation complexity is $\mathcal{O}(nlogn)$, where n is the numerical value size in bits. However, the complexity of appending two texts (i.e., concatenations) is denoted as $\mathcal{O}\left(n^2\right)$ [66], which highlights the fact that the appending method is more complex than the probability method. This is illustrated in Figure 30.

Figure 30.

Complexity comparison of probability and appending mapping methods.

The appending method guarantees to provide a maximum number of rounds base on the appended bits. As the appending methods concatenate fixed bits b to the corresponding binary $x_i$ value, $x_i$ can be incremented $2^b$ times. In contrast, the probability method increases the same size of bits, but in many cases, it would allow fewer round increments compared to the appending method. This is outlined in Figure 31.

Figure 31.

Comparison of number of rounds used in mapping phase method and the size of bits added to $x_i$.

In the proposed scheme, the probability method was used to improve performance. Hoevewr, to increase the efficiency of the choice of k, the proposed scheme took advantage of the appending method to select this value. This was achieved by recalculating $k^{\prime }=2^{logk}$, which was used to set the number of rounds to the maximum value of the extra bits added to the value of $x_i$, as shown in Figure 32.

Figure 32.

Recalculating $k^{\prime }$ to increase the maximum number of rounds to the size of added bits.

The enhancement made to the probability method increases the number of mapping rounds with same size of the padding bit. As a result, the efficiency was more than 80% in some cases. Figure 33 shows the percentage of improvement that the proposed enhanced selection of k method offers compared to the probability method.

Figure 33.

Percentage improvement between the enhanced selection of k provides in comparison with probability method.

4.4.2. Simulation Performance Evaluation

The performance evaluation of the proposed scheme focused on whether the enhancement of the encoding and mapping phases, which was intended to improve resistance to encryption attacks, negatively affected performance. Therefore, the performance of the proposed scheme against other schemes took place to evaluate time overhead, space usage, and power consumption. The schemes are divided to three groups: schemes that did not use $InV$ or any other methods to manipulate the mapped points as [55,60,61,62]; schemes that used fixed $InV$ to overcome CPA, including [59]; and finally, schemes that used CBC to overcome the CCA (in this case, only the proposed scheme).

The performance evaluation involved running an experimental simulation 5 times for 20 s each using a low computation device. Figure 34 illustrates time overhead in the three groups included in the performance evaluation. Notably, all three groups were associated with similar levels of utilization. Therefore, it is reasonable to conclude that improving the security of the proposed scheme did not affect the time overhead. Space usage variation was identified during the experiment, as illustrated in Figure 35. Additionally, power consumption for each group was determined based on values (high, medium, low, or none), which are shown in Figure 36. The results indicate that power consumption was similar across the three groups.

Figure 34.

Comparison of time overhead between the proposed scheme and other schemes.

Figure 35.

Comparison of space usage between the proposed scheme and other schemes.

Figure 36.

Comparison of power consumption between the proposed scheme and other schemes.

It is worth mentioning that, the proposed scheme was simulated, tested and compared to the state of the art schemes in a simulated environment using an Android Virtual Device (AVD). AVD has variety of low computation devices images built by Android OS, and it provides processing space and power consumption monitoring and logging. In addition, we used the Bluej Java Development Environment to code the proposed scheme. The platform used to host the AVD is based on Windows 10, and, in terms of hardware, an Intel Core i7-4510U was used with a 128 GB SSD and 8 GB RAM.

5. Conclusions and Future Research

This study proposes a novel approach to elliptic curve cryptography (ECC) that offers AE properties to secure cipher text and to enhance the encoding of text effectively and map the encoded text to an elliptic curve. Previous schemes neglect to consider the importance of the encoding phase, which makes them vulnerable to attack. Therefore, this study focused on the encoding phase, seeking to secure it against several encryption attacks, including CPA, CCA, and malleability attacks. This study also undertook a security analysis to present a proof for the resistance of the proposed scheme against specific encryption attacks. Additionally, the study conducted a performance evaluation to compare the impact of the security enhancement of the proposed scheme on time overhead, space usage, and power consumption to other schemes. The simulation experiment shows that the proposed scheme performed just as well as the other schemes, with no noticeable increase in computation overhead. As a result, the proposed scheme outperforms the security of other schemes and maintains the same computational overhead.

In future research, the authors intend to implement the proposed scheme in different environments such as enhance the protection using TPM-based for mobile agents. Moreover, adapt the scheme in Monitoring the cloud computing architecture to enhance Dynamic Security Properties. In addition, apply the proposed scheme with Policy Based Management to increase the Security of Cloud Computing. These application of proposed scheme lead to study the security analysis and performance evaluation in comparison with other similar schemes. Additionally, more security properties may be added to the study to increase the security requirements, which might be required in new environments.

Abbreviations

The following abbreviations are used in this manuscript:

ECC	Elliptic Curve Cryptography
IoT	Internet of Things
InV	Initial Vector
CBC	Cipher Block Chaining
AE	Authenticated Encryption
CPA	Chosen Plaintext Attack
CCA	Chosen Ciphertext Attack
ECIES	Elliptic Curve Integrated Encryption Scheme
ECDLP	Elliptic Curve Discrete Logarithm Problem

Author Contributions

Conceptualization, H.A. and A.A.; methodology, A.A.; software, H.A.; validation, A.A.; formal analysis, H.A.; investigation, H.A.; resources, A.A.; data curation, A.A.; writing—original draft preparation, H.A.; writing—review and editing, A.A.; visualization, H.A.; supervision, A.A.; project administration, A.A.; funding acquisition, A.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.